
Gaia HealthCheck Script v7.01 released

Check Point released v7.01 of its Gaia HealthCheck Script. Script author: @Nathan_Davieau (LinkedIn profile).
What's new:
- Added self-update routine
- Added logger calls to write script statuses to /var/log/messages
- Added check for Active SMS/DMS
- Minor code improvements
Download: Package Link (script v7.01, dated 12Sep2019)

dhcp responses over vlans from Gaia dhcpd

I would like to know if anyone has successfully configured dhcp in Gaia to serve addresses over vlans. In our case, a 3100 running R80.30. The eth2 interface leads to some wireless access points, and dhcp is configured in Gaia to lease addresses. All is well. However, we wish to make the distinction between SSIDs by trunking vlans from the WAPs to the 3100. So we remove the address from eth2 and instead make 4 vlans, with various vlan IDs, and dhcp scopes for each subinterface. Trunking is configured at the WAPs, the switch and the 3100. We now see requests come from the WAPs over the correct vlan, reach the 3100, get processed by dhcpd (confirmed in /var/log/messages), but the reply packet never leaves the firewall. We cannot see it with fw monitor, with fw ctl zdebug, or in the logs. Case opened with Support 6-0001773135 but no magic yet. Has anyone else been able to make dhcp in Gaia work over vlans? Thanks.
inside Maestro 6 hours ago
views 111 4

Difference between the Secure Network Distributor (SND) and CoreXL Dynamic dispatcher?

Can someone please give a clear explanation of what the difference is between the Secure Network Distributor (SND) and the CoreXL Dynamic dispatcher?
pandersson inside VSX 11 hours ago
views 58 4

Failed to find any routes on the machine

Hello. I get this message when trying to create a VSX cluster: "Error: Failed to find any routes on the machine". The information in sk144832 does not help, as there are no aliases. Neither does sk92556, which happens if I just try to add one single node ("Failed to resolve Management Virtual System NIC"). Boxes are new out of the box, and have almost no configuration at all. Mainly ip-address and default route, and one additional one I added for testing. I had a couple of bonds, but removed them to see if it made a difference. Does anybody know what to do with this? (I will ask CheckPoint as soon as the support contract is activated.)
/Per

Connectivity issues from standby gateway after R80.10 -> R80.30 upgrade

Good day,
I have recently completed an upgrade from R80.10 to R80.30 (Management + 2 gateways in HA cluster). The upgrade itself was successful but I have noticed one issue on the standby gateway. We cannot ping or do NSlookups etc. from the standby node. License checks also fail on this node.
What I have attempted thus far:
- Set "fw ctl set int fwha_forw_packet_to_not_active 1" on both gateways
- Followed the guidance in sk147093 (fw ctl zdebug output matched that in the SK, as per below, IP sanitised):
121670435;[cpu_1];[SIM-207375815];update_tcp_state: invalid state detected (current state: 0x10000, th_flags=0x10, cdir=0) -> dropping packet, conn: [<,2022,,88,6>][PPK0];
@;121670435;[cpu_1];[SIM-207375815];sim_pkt_send_drop_notification: (0,0) received drop, reason: general reason, conn:
It is important to note that all connectivity is restored when I do a fw unloadlocal. There have also been no changes to either NAT or firewall policies. I've found a couple of posts on Checkmates describing a similar issue, but unfortunately no resolution apart from the steps above. I will also log a TAC case, but hoping to hear if anyone has experienced similar issues after an upgrade?
Thanks,
Ruan

Smart-1 625 and R80.10

Hoping someone can clarify for me whether I should be able to re-image a Smart-1 625 with R80.10? It picks up the USB but the 625 is not listed in the boot options. I would have expected to see it in option 4 with the other Smart-1 models (Smart-1 5/25/50/200/400/525/3000/5050/5150). I selected option 4 anyway; the installation starts, then it tells me it's unable to find the driver. My contact at Check Point tells me R80.10 is listed as a supported version in the Smart-1 625 release notes, though personally I can't find any RN for this appliance. The R80.10 supported platforms list doesn't include the 625, but then again it doesn't include the 525 so I'm unsure how accurate it is. Can anyone help?
Alex_Gilis inside VSX yesterday
views 155 5

Issue with 12000, VSX, VSWITCH & R80.30

I will open a case for this but I wonder if someone has seen this already. I upgraded a 12600 VSX cluster from R80.20 Take 47 to R80.30. All went well but there was a strange issue afterwards. Two VS talk to each other via a "front" VSWITCH used for inter-VS communication. These VS also have a "back" VSWITCH for the networks which are located behind them. I'd rather use tagged interfaces but it's another story and there's a reason why they're present.
After upgrade to Take 19, some traffic never makes it through a backend LAN on VS-A to the backend of VS-B. In Smart Console, the traffic is seen as accepted. With fw monitor, the traffic is seen but stays in the "i" part on VS-B. The weird thing is that only specific protocols didn't go through; for the other ones we could see the full "iI-oO" and they worked normally. Failing protocols were RDP & HTTPS, but maybe there were others (no HTTPS inspection blade runs on any of the VS, and this is internal traffic only).
Now the interesting bit: uninstalling Take 19 actually solves the issue. We tried with the second cluster member, which exhibited the exact same behaviour: OK with R80.30.0, fails with R80.30.19. We're now in full production on both systems with R80.30 and no Take. I guess I will need to replicate the issue with TAC but it's challenging as we need to install the Take on a production system and take live traces, which isn't always easy to arrange, so I thought I'd check if anyone here would have seen that kind of behavior and had an idea. The chassis themselves are all OK in terms of CPU, RAM, I/O and so on, so I think it's really a software issue.
naren_nd inside VSX Saturday
views 59

Virtual FW on 15400 appliance_urgent help needed

Business asked me to implement a single virtual firewall on a Checkpoint 15400 appliance as per the attached network topology. The idea is to achieve end-to-end secure connectivity for O365 applications. In future, there will be additional virtual firewalls on the existing VSX and another VSX gateway for achieving HA. But as of now, only one virtual firewall. I have the following concerns and do not have clarity on whether it can be done or not. Appreciate it if someone can throw some light.
1> Can I connect two physical ports from the Nexus 9000 switch (ACI switch) to the VSX gateway in a bond?
2> Can I configure the virtual firewall's external segment in layer 3 and the internal segment as layer 2? As per the network topology, the virtual firewall running at the DC will be connected to HQ over a point-to-point layer-2 link.
3> Does the virtual firewall support IPsec VPN over a layer-2 point-to-point link (DC to HQ)?
4> Does the virtual FW support dynamic routing if IPsec VPN is configured? What are the pros and cons?
5> Your views and best practice around the FW participating in end-to-end BGP routing? Is there any performance impact if BGP runs on the virtual FW?
6> While creating a virtual system on a single VSX member, should I create a virtual switch or router, because the virtual firewall will be using the BGP routing protocol?
7> Does the Checkpoint FW support vPC between Nexus 9k switches and the virtual FW to form link aggregation?
8> Does the FW shape the traffic when it passes traffic from its 10 Gbps interface to 1 Gbps layer-2 links?
Maik inside VSX Saturday
views 166 6

VSX on open server deployments

Hey guys, just a small question, out of curiosity. Is it possible to set up an open server as a VSX installation? Also, if it works theoretically, has anyone ever done this? I could imagine that some sort of issues could come up with such a deployment. Yes - it does not really make sense in a productive way. I am thinking about lab environments in order to get more hands-on experience with VSX (+ maybe MDM). Currently I don't have a lab up and running where I could verify this. Searching the web also did not help me to find the answer.
Best regards,
Maik

IKE certificate auto-renewal failure

Last night, I had a customer's gateway fail VPN authentication suddenly. A quick VPN debug showed the IKE certificate was expired! I checked SmartConsole and yep, the IKE certificate on the SmartCenter was expired! (Gateway is R77.30, mgmt R80.20; yes, upgrades are scheduled, that's not the issue here.) IKE certificates are supposed to auto-renew by cpca at 75% expiry, yes? I haven't had issues with certificate auto-renewals in a very, very long time, so this was a major surprise. I found another gateway certificate that will expire in 5 days, so I manually renewed it (along with the problematic gateway), then pushed policy to all gateways. I checked all other gateways and they are good into 2020 and 2021, so I have time to make any repairs if needed.
With R80.20 management, is there something new I missed or some behavior change? The ICA was still valid (through year 2030), all gateways' and management system times are current and valid (synced with known good NTP servers). I checked all hosts' date and time to be sure! Management R80.20 was a migrate from R77.30, which has been working very well for 15+ years. No corruption or strange issues over time. I haven't found any smoking-gun SK articles about this (I have seen the SHA-1/SHA-256 articles, sk103840, but that doesn't seem relevant). sk59510 does not apply because this is site-to-site VPN, not Remote Access. Manually renewing in SmartConsole was error-free, as it should be, so other SKs regarding renewal errors don't apply. This is an odd one... anyone seen this lately, or have insight?
lsuastegui inside Access Control Products Friday
views 79 2

Checkpoint Site-to-Site VPN with Opnsense 19.7

Hi there, I'm trying to establish a site-to-site VPN with an Opnsense 19.7. The VPN is established, but has a strange behavior (latency, disconnections); both firewalls are in the same network. I am looking for a VPN Compatibility Matrix to check whether this "opnsense" firewall is certified to function with a Checkpoint. If anyone knows anything, any help will be helpful. Thanks for the help.
Tom_Hallberg inside VSX Friday
views 96 4

affinity vsx 15600 r80.20

Hi,
There are 32 CPUs without HT enabled on a 15600. I have done the following with sim affinity -s:
eth3-01: CPU 2
eth3-02: CPU 5
eth3-03: CPU 6
eth3-04: CPU 0
eth1-01: CPU 1
eth2-01: CPU 3
eth2-02: CPU 4
And with fw ctl affinity -d -s -fwkall 25 I was hoping to get all VS to share CPU 7-31, but the outcome was the following:
VS_0 fwk: CPU 4 5 6 7 8 9 10 11 12 13 14 15 19 20 21 22 23 24 25 26 27 28 29 30 31
VS_1 fwk: CPU 4 5 6 7 8 9 10 11 12 13 14 15 19 20 21 22 23 24 25 26 27 28 29 30 31
So what happened with CPU 16-18? 😞
MQ ain't enabled, but I was thinking about whether MQ is enabled on the onboard interfaces:
cpmq get
Active mlx5_core interfaces:
eth2-01 [Off]
eth2-02 [Off]
Active ixgbe interfaces:
eth1-01 [Off]
eth3-01 [Off]
eth3-02 [Off]
eth3-03 [Off]
eth3-04 [Off]
What am I missing? I can of course manually set it with fw ctl affinity -d -s -vsid and so on, but then if I add a new VS I need to manually fix the affinity for that one.

R80.20 issue with fw monitor - all the buffers are full

Under R80.20 with the latest jumbo hotfix, the following error occurs if I start fw monitor:
fwmonitor_kiss_add_to_global_buf: all the buffers are full
System: 12000 appliance
- 8 CoreXL instances
- approximately 25000 connections
- enough free memory
TAEKBOM_Kim inside Access Control Products Friday
views 102 2

Can we use QoS function reliably?

Hi guys,
I want to know 2 things before using QoS:
1. Does the QoS function load the CPU and memory?
2. Customer references using the QoS feature.
I am currently running the below:
Appliance: Check Point 5800 Appliance
Security Management: Smart-1 405
Version (Firmware): R80.10
Cheers 🙂

Low throughput from 4200 appliance

We have a CheckPoint 4200 appliance running as our gateway/firewall. Our WAN speed is 1Gbps, but we can only seem to get 100Mbps throughput from the appliance. I have connected a computer directly to our WAN connection to confirm the WAN speed, and without going through the firewall I get the correct speed (1Gbps). The WAN interface (eth1) says "Link Speed: 1000Mbps / Full Duplex". I have been monitoring with CPview on the firewall, and I have not seen "Total Mbits/sec" go above 102 Mbps. To me it seems like the speed is capped at 100Mbps. I am wondering what the cause of this can be, and what steps I should take to troubleshoot this issue? Appreciate any help.