G_W_Albrecht inside SMB Appliances and SMP 12 hours ago
R77.20.87 Jumbo Hotfix Accumulator

They did it again - in addition to sk151574: R77.20.87 for Small and Medium Business Appliances, we now have the fresh new sk153433: R77.20.87 Jumbo Hotfix Accumulator with the new firmware image Build 2960. Nice to have a new build and a list of resolved issues - but for what reason name it Jumbo HF (which it is not, just a plain installation image containing fixed components)? Or will R77.20.87 stay as a kind of final version for 7x0/9110/14x0 models that will get updated this Jumbo HF way from now on?
Pedro_Espindola inside SMB Appliances and SMP yesterday
Version R77.20.87 Build 990172938 not documented

Hello everyone, Does anybody know anything about version R77.20.87 Build 990172938 for SMB appliances? It is not documented but it has a download page and is available in the Firmwares page of the SMP.
slay39 inside SMB Appliances and SMP Friday
Certificate Revoked error

Hi Checkmates, I cannot log in to the GUI dashboard; it gives a "Certificate Revoked" error. When I check the revoked certificates I saw that 7 of 27 certificates were revoked.
cpca_client lscert -stat Revoked -kind SIC
cpca_client lscert -stat Valid -kind SIC
When I check the disk situation I saw the log directory was full, so I removed old logs. The disk situation is okay now but I still cannot log in. Should I apply this SK?
Solution ID: sk20905
Product: Security Management, Multi-Domain Management
Version: All
Platform / Model: All
Date Created: 02-Tem-2003
Last Modified: 10-Tem-2018
Jesse_Bailey inside SMB Appliances and SMP Wednesday
New 1200Rs Not Shipped in Anti-Static Bag

I just opened the third sealed 1200R box recently where the pink anti-static bag is folded neatly and lying in the bottom of the box. Just curious if anyone else is seeing this, and about any hypotheses as to why they are shipping this way.
duncang inside SMB Appliances and SMP Wednesday
DAG heartbeat not transmitting over vpn

I have an Exchange 2013 DAG which is connected over a Site-to-Site VPN. Replication works without issue and there is communication between the DAG members on numerous UDP and TCP ports. The only issue is the cluster heartbeat on UDP 3343. This is blocked and shows in the security log as "Connection contains real IP of NATed address". It also shows as the WAN interface and being blocked by the firewall. All other traffic from the blocked server shows as the LAN interface and being allowed by VPN. It appears that the UDP 3343 traffic is not being sent over the VPN, although my expertise is limited and I may be misinterpreting that. I'm fairly certain this is a configuration issue as I didn't have this issue before I upgraded the Checkpoint software and reconfigured the appliance. Any assistance is appreciated. Please don't be too technical as it will go over my head 🙂 Thanks.
Fernando_Hagels inside SMB Appliances and SMP 2 weeks ago
How to check the VPN topology that was generated for managed Gaia Embedded appliances?

Hello all: Is there a way to check the loaded VPN topology for a centrally managed appliance, in order to verify:
- VPN servers and interfaces
- Subnets or VPN domains
In a few words... the equivalent of sk64040 for the Gaia Embedded appliances. The main reason is for troubleshooting purposes (very helpful for me on SMB appliances). Thanks in advance for your time and comments.
inside SMB Appliances and SMP 2 weeks ago
Equivalent for "fw tab -f -t vpn_routing"

Hi, Maybe someone wrote some script to translate "fw tab -t vpn_routing" to at least IPv4 digits on SMB devices or to equivalent format as "fw tab -f -t vpn_routing" as it is on regular GAIA devices?
G_W_Albrecht inside SMB Appliances and SMP 2 weeks ago
R77.20.80, cpdiag and crond

During testing R77.20.80 EA versions, cpdiag was mentioned in the email conversation by CP specialists. I can even search SKs for cpdiag and will even find sk123294 R77.20.80 for Small and Medium Business Appliances in the list of results, but the term/command is not mentioned in the document's visible part (same is true of sk97443: Support Debug Tools). So what does it really do when used as a command? Download an update:
[Expert@zwelfhundertr]# cpdiag
Log path: /opt/fw1/log/cpdiag.elg
CPDiag update:
Verifying CK
CK is 00-1C-7F-...
Version is cipb
UseProxy is 0
Found update, name is cpdiag_991100024.tar.gz, revision is 991100024
CPDiag running build: 991100019
CPDiag download center build: 991100024
Started downloading updated package
Download completed
Update returned: 1
Launching new version
Log path: /opt/fw1/log/cpdiag.elg
The mentioned log file contains error messages, in my case it is a licensing warning of cosmetic nature. But also a new daemon can be found in top:
5247 1 root S 1084 6720 1% 0% /usr/sbin/crond
That is brand new - and we can see what it does call in file /pfrm2.0/etc/crontabs/root:
22 1 * * * /storage/cpdiag/bin/cpdiag --periodic
So we now have some new possibilities, as cron jobs need only new line(s) in /pfrm2.0/etc/crontabs/root!
LuisSP inside SMB Appliances and SMP 2 weeks ago
usercheck block page don't load to some local hosts

Firewall NGTX 1490 with R77.20.86. Hi again checkmate. I have another case: the usercheck blocking page is only loaded on some local hosts in your browsers. On computers with problems, only an internal 500 server error appears in browsers. I do not find a pattern in such behavior. The version of the browsers is the same, I tried with different browsers but the error persists. The last thing I did was uninstall extensions in Chrome but it did not work, then I used the ethernet interface (I was using wifi) and, surprisingly, the user verification lock page could be loaded in the browser. So I disabled Ethernet and again enabled Wi-Fi, but assigned another IP address and again the usercheck lock page appeared. I think that something inside the firewall is wrong (some table maybe) and is linked to the IP address. I'm going to try another problematic computer to confirm my suspicions. Any ideas please?
Rafal_NIedbala inside SMB Appliances and SMP 2 weeks ago
IPSec instability with IKEv2

Hello, There is an sk (112160) about IKEv2 instability prior to R80.10. How should it be read in the context of SMB appliances, where the firmware is in version R77.20.xx? Are we supposed to build IKEv2 tunnels on 1400 appliances, or is it not recommended? Rafal
HristoGrigorov inside SMB Appliances and SMP 3 weeks ago
SecureXL stats on SMB

I am wondering if SecureXL stats on SMB are calculated correctly. The reason for that is the fact that drop templates are not supported but it seems to me like they are included in the total packets counter. Same applies to NAT packets although these are probably not shifting stats as much as dropped ones. I mean, if I am trying to fine tune SecureXL I need it to only count packets that are eligible for acceleration and then split them into F2Fed, PXL and SXL percentages. I agree that knowing how much of the total traffic is accelerated is also useful sometimes. But with drop templates disabled it just hides the real picture.
Gladstone_Abati inside SMB Appliances and SMP 3 weeks ago
Changing WAN IP address due to switching to a new ISP on 1120 cluster running R77.20

Hello All, I was under the assumption that when you change the WAN IP address due to ISP change, that will break the VPN due to peer IP change. The history of all of this is that my client has an HA pair of 1120 appliance cluster in Nigeria on R77.20 and are in the process of changing their ISP. Now there is a VPN link between Nigeria, which is the satellite, and the London cluster, which is an HA 5000 cluster on R77.30, the hub, all managed by an R80.10 virtual management server. I have managed to split the Nigerian cluster, and placed one of the cluster members on the new ISP WAN IP. Now I want to move the other cluster member, which hosts the VPN link between Nigeria and London, to the new ISP WAN IP. My query is how do I reinstall the VPN link, should it break due to the WAN IP change? I contacted Checkpoint TAC and they referred me to their local office and they categorically stated that I would need SmartLSM to reinitialise the SIC between the Nigerian cluster running R77.20 and the central management server running R80.10. Any information moving this case forward would be appreciated. Kind regards. Gladstone Abati-George.
Constant inside SMB Appliances and SMP 4 weeks ago
VPN Remote Access - Enable Visitor Mode on This Interface

Hi Team, We have 14 public IP addresses bound to our WAN port. The public IP of the wan is A.B.C.1. We want to dedicate the IP A.B.C.2 to the remote access VPN. This IP (A.B.C.2) is not assigned to any internet. We have performed the following change:
Device > Advanced > Advanced Settings >
- VPN Remote Access - Enable Visitor Mode on This Interface = A.B.C.2
Despite this configuration, the firewall is not responding to vpn requests from remote users. I have performed the following test:
- With a tcpdump on WAN interface, I have observed that the gateway does not answer the ARP Requests related to the IP A.B.C.2
My question is: Can we assign an IP that does not belong to an external interface in the option "Device > Advanced > Advanced Settings > VPN Remote Access - Enable Visitor Mode on This Interface"? Regards
Miguel_Barrios inside SMB Appliances and SMP a month ago
Sizing SMB Appliances

Is there any application or documentation to perform a correct sizing for SMB (700/1400) appliances? Previously the "Check Point Sizing Tool" allowed to do this in a simple way with the SMB appliances, but not anymore. (imo Big mistake by CP for the partners).
Chonyi inside SMB Appliances and SMP a month ago
Site-To-Site VPN with NAT on locally managed SMB device

Hello, I'm having an issue with hide NAT on a locally managed 1200R. I need traffic to have hide NATed source and then enter the tunnel. What happens is that traffic is being NATed but then it just exits the WAN port without entering the tunnel. Any ideas how to get this sorted? Thank you.