
Re: SMB - New Product announcement - 1500 Series Security Gateways

Which build are you running?

0 Kudos

Re: SMB - New Product announcement - 1500 Series Security Gateways

This is Check Point's 1470 Appliance R77.20.87 - Build 973

Re: SMB - New Product announcement - 1500 Series Security Gateways

Good to know, but it seems that build is not GA yet.

0 Kudos
Employee

Re: SMB - New Product announcement - 1500 Series Security Gateways

I've not seen anything about it - will the new units be manageable via API?

0 Kudos
Admin

Re: SMB - New Product announcement - 1500 Series Security Gateways

Using R80.30+ central management? Yes.
Self managed? No.
0 Kudos

Re: SMB - New Product announcement - 1500 Series Security Gateways

Btw, I started to be a bit confused here. Maybe there should be two forum sections under SMB: one for those running R77.20 and one for R80.20?

0 Kudos

Re: SMB - New Product announcement - 1500 Series Security Gateways

Then we need many more flavors - locally managed SMB, SMP managed SMB... Better just mention in the post what you talk about 😊!

0 Kudos

Re: SMB - New Product announcement - 1500 Series Security Gateways

Hristo,

What version of code are you running on the 14xx? We have a couple in production with all blades enabled, and I have had both of them lock up with no access from internal/external. It is very hard to troubleshoot because I do not currently have OOB connected.

0 Kudos

Re: SMB - New Product announcement - 1500 Series Security Gateways

Hi Hristo,

What blades do you have running on the 14xx and do you use identity awareness?

We have a couple 14xx and they have locked up in the field and we have to reboot to bring them back.

0 Kudos

Re: SMB - New Product announcement - 1500 Series Security Gateways

Hello Kevin,

Yes, I am using the IA blade. Also the IPS one. What firmware are you using? Also, are there any *core* or *panic* files in the /logs directory after reboot?

0 Kudos

Re: SMB - New Product announcement - 1500 Series Security Gateways

I am running R77.20.87 - Build 973. Centrally managed. Depending on the traffic, enabling all blades might be overkill. Think about whether you can disable some of them until you resolve the problem.

0 Kudos

Re: SMB - New Product announcement - 1500 Series Security Gateways

 

root@CP1550:/# lscpu
Architecture: aarch64
Byte Order: Little Endian
CPU(s): 4
On-line CPU(s) list: 0-3
Thread(s) per core: 1
Core(s) per socket: 2
Socket(s): 2
NUMA node(s): 1
Vendor ID: ARM
Model: 1
Model name: Cortex-A72
Stepping: r0p1
BogoMIPS: 50.00
L1d cache: 32K
L1i cache: 48K
L2 cache: 512K
NUMA node0 CPU(s): 0-3
Flags: fp asimd evtstrm aes pmull sha1 sha2 crc32 cpuid
root@CP1550:/#

 

After opening mine (no Wi-Fi) I discovered a micro SD card reader (hurray!) and an unpopulated mini PCIe slot. I'm assuming this is where a Wi-Fi NIC would go. I of course tried putting in a PCIe to mSATA board with an mSATA EVO 860. No joy so far.

0 Kudos

Re: SMB - New Product announcement - 1500 Series Security Gateways

Oh, and here is the SD card populated.

Mine has a single partition with ext4 on it.

[Expert@CP1550]# mount | grep kali
/dev/mmcblk0p1 on /mnt/kali type ext4 (rw,relatime,data=ordered)
proc on /mnt/kali/kali-chroot/proc type proc (rw,relatime)
sysfs on /mnt/kali/kali-chroot/sys type sysfs (rw,relatime)
devpts on /mnt/kali/kali-chroot/dev/pts type devpts (rw,relatime,gid=4,mode=620,ptmxmode=000)
[Expert@CP1550]#

0 Kudos

Re: SMB - New Product announcement - 1500 Series Security Gateways

Insert that SSD drive and paste last few lines from 'dmesg' output here. 

0 Kudos

Re: SMB - New Product announcement - 1500 Series Security Gateways

It's not that easy. I've been reading a lot on ARM. Basically, ARM doesn't have a PnP PCI bus like x86 does. ARM has something called Device Tree, which, if I understand correctly, means you basically pre-map out all the I/O and memory locations for each device.

 

That being said, before and after don't show any difference. lspci always shows the same output as well.

 

root@CP1550:/# lspci -v
00:00.0 PCI bridge: Marvell Technology Group Ltd. Device 0110 (prog-if 00 [Normal decode])
Flags: bus master, fast devsel, latency 0, IRQ 50
Memory at f8000000 (64-bit, non-prefetchable) [size=1M]
Bus: primary=00, secondary=01, subordinate=ff, sec-latency=0
Capabilities: [40] Power Management version 3
Capabilities: [50] MSI: Enable- Count=1/32 Maskable+ 64bit+
Capabilities: [70] Express Root Port (Slot-), MSI 00
Capabilities: [b0] MSI-X: Enable- Count=1 Masked-
Capabilities: [100] Advanced Error Reporting
Capabilities: [158] #19
Capabilities: [1a8] Transaction Processing Hints
Capabilities: [23c] L1 PM Substates
Kernel driver in use: pcieport
lspci: Unable to load libkmod resources: error -12

root@CP1550:/#

 

The libkmod error is due to missing information in /lib/modules/$(uname -a)/ dir.

Here is an lsblk. Bold is Micro SD.

root@CP1550:/# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
mmcblk0 179:0 0 29.7G 0 disk
`-mmcblk0p1 179:1 0 29.7G 0 part
mmcblk1 179:32 0 3.7G 0 disk
|-mmcblk1p1 179:33 0 48M 0 part
|-mmcblk1p2 179:34 0 1M 0 part
|-mmcblk1p3 179:35 0 720M 0 part
|-mmcblk1p4 179:36 0 48M 0 part
|-mmcblk1p5 179:37 0 1M 0 part
|-mmcblk1p6 179:38 0 720M 0 part
|-mmcblk1p7 179:39 0 300M 0 part
|-mmcblk1p8 179:40 0 650M 0 part
|-mmcblk1p9 179:41 0 1M 0 part
|-mmcblk1p10 179:42 0 1M 0 part
`-mmcblk1p11 179:43 0 1.3G 0 part
mmcblk1boot0 179:64 0 2M 0 disk
mmcblk1boot1 179:96 0 2M 0 disk
mmcblk1rpmb 179:128 0 512K 0 disk
root@CP1550:/#

I'll post some pics of the tear down shortly.

Re: SMB - New Product announcement - 1500 Series Security Gateways

@G_W_Albrecht I noticed NAT templates are enabled on your 1550. Was it like that by default, or did you activate it explicitly?

0 Kudos

Re: SMB - New Product announcement - 1500 Series Security Gateways

I do not think I enabled it myself - but it has been a while now since I did my explorations 😉

Re: SMB - New Product announcement - 1500 Series Security Gateways

A final stage of testing was changing from SMP managed to centrally managed (and back and forth...) - now it is centrally managed, the acceleration settings are default and fwaccel stat shows: 
+-----------------------------------------------------------------------------+
|Id|Name |Status |Interfaces |Features |
+-----------------------------------------------------------------------------+
|0 |SND |enabled |WAN,LAN1,wlan0 |Acceleration,Cryptography |
| | | | |Crypto: Tunnel,UDPEncap,MD5, |
| | | | |SHA1,NULL,3DES,DES,CAST, |
| | | | |CAST-40,AES-128,AES-256,ESP, |
| | | | |LinkSelection,DynamicVPN, |
| | | | |NatTraversal,AES-XCBC,SHA256 |
+-----------------------------------------------------------------------------+

Accept Templates : enabled
Drop Templates : disabled
NAT Templates : enabled

So it seems Accept and NAT Templates are on by default.

0 Kudos

Re: SMB - New Product announcement - 1500 Series Security Gateways

Nice. But I wonder if Drop templates can be enabled?

0 Kudos

Re: SMB - New Product announcement - 1500 Series Security Gateways

NAT Templates are enabled by default starting in R80.20, regardless of fresh install or upgrade.

 

Book "Max Power 2020: Check Point Firewall Performance Optimization" Third Edition
Now Available at www.maxpowerfirewalls.com
0 Kudos