SMB Appliances and SMP

Have a question about our Small Business Security and Branch Office Security solutions? This is where to ask! This includes the 600, 700, 900, 1400, and 1500 Series appliances, Security Management Portal, and legacy SMB appliances (UTM-1 EDGE, Safe@).

HristoGrigorov
HristoGrigorov inside SMB Appliances and SMP yesterday
views 8609 19 3

SFWD process crash

Hi, has any of you run into something like this:

[cpWatchDog 2765 1744478736]@RD6281[18 May  9:20:47] [ERROR] Process SFWD terminated abnormally : Unhandled signal 11 (SIGSEGV). Core dumped.
[cpWatchDog 2765 1744478736]@RD6281[18 May  9:21:47] [SUCCESS] SFWD started successfully (pid=3551)
[cpWatchDog 2765 1744478736]@RD6281[18 May  9:35:25] [ERROR] Process SFWD terminated abnormally : Unhandled signal 6 (). Core dumped.
[cpWatchDog 2765 1744478736]@RD6281[18 May  9:36:25] [SUCCESS] SFWD started successfully (pid=4359)
[cpWatchDog 2765 1744478736]@RD6281[20 May  9:41:20] [ERROR] Process SFWD terminated abnormally : Unhandled signal 11 (SIGSEGV). Core dumped.
[cpWatchDog 2765 1744478736]@RD6281[20 May  9:42:20] [SUCCESS] SFWD started successfully (pid=18894)
[cpWatchDog 2765 1744478736]@RD6281[20 May 16:12:09] [ERROR] Process SFWD terminated abnormally : Unhandled signal 11 (SIGSEGV). Core dumped.
[cpWatchDog 2765 1744478736]@RD6281[20 May 16:13:09] [SUCCESS] SFWD started successfully (pid=20929)
[cpWatchDog 2765 1744478736]@RD6281[21 May  8:50:27] [ERROR] Process SFWD terminated abnormally : Unhandled signal 6 (). Core dumped.
[cpWatchDog 2765 1744478736]@RD6281[21 May  8:51:27] [SUCCESS] SFWD started successfully (pid=25168)
[cpWatchDog 2765 1744478736]@RD6281[21 May  9:14:11] [ERROR] Process SFWD terminated abnormally : Unhandled signal 6 (). Core dumped.
[cpWatchDog 2765 1744478736]@RD6281[21 May  9:15:11] [SUCCESS] SFWD started successfully (pid=25918)
[cpWatchDog 2765 1744478736]@RD6281[21 May 10:54:58] [ERROR] Process SFWD terminated abnormally :Unhandled signal 11 (SIGSEGV). Core dumped.
[cpWatchDog 2765 1744478736]@RD6281[21 May 10:55:58] [SUCCESS] SFWD started successfully (pid=27458)
[cpWatchDog 2765 1744478736]@RD6281[21 May 12:35:14] [ERROR] Process SFWD terminated abnormally : Unhandled signal 6 (). Core dumped.
[cpWatchDog 2765 1744478736]@RD6281[21 May 12:36:14] [SUCCESS] SFWD started successfully (pid=29000)
[cpWatchDog 2765 1744478736]@RD6281[22 May 14:53:05] [ERROR] Process SFWD terminated abnormally : Unhandled signal 6 (). Core dumped.
[cpWatchDog 2765 1744478736]@RD6281[22 May 14:54:05] [SUCCESS] SFWD started successfully (pid=5887)
HristoGrigorov
HristoGrigorov inside SMB Appliances and SMP Thursday
views 77 1

About those mysterious R77.20 builds...

So, we all know and see those mysterious R77.20 builds uploaded lately and because I am "brave" enough I decided to give them a try:

1. Build 990172984 code named "private build"
Boots really slow! It actually reboots a few times in a row until it finally gives up and ends with a peculiar message in /var/log/messages about configuring WiFi on a Wired appliance. Once it boots it works well until load average goes above 3.00 at which time either sfwd process will crash or cluster fail-over will happen. The interesting thing here is that R&D incorporated some kind of logic to interrupt endless reboots. Nice.

2. Build 990172993 code named "Private fix"
This one fixes the reboot-loop bug and is the first build ever that was able to survive 3.00+ load average test. The only problem is that above such load averages all site-to-site VPN tunnels die but this is more like a side effect of the fact that they all run on the already overloaded core 0. This build is also pretty efficient in memory consumption. The only very minor issue I found is that it will sometimes fail to connect to SNMP socket on boot.

3. Build 990173003 code named "customer fix"
I have only tested this for a day but it appears to be as stable as 993 and the SNMP problem no longer appears. It is early to say anything yet but looks promising so far.

---

So, if you have the guts give them a try. 😉
BLD
BLD inside SMB Appliances and SMP Thursday
views 443 21

1550 Appliance unexpected reboots

Hi.
We have had the appliance for a few weeks. In the past 5 days our notification logs show 3 "unexpected reboot" notices. We have had no power or other issues in our site. How can we get more information to find the cause of these reboots? We have found nothing in the logs. Do logs survive a reboot?
Firmware version is R80.20 (992000668)
Thanks.
PhoneBoy
inside SMB Appliances and SMP Thursday
views 140 3 4
Admin

Super Seven Performance Assessment Commands, SMB Edition

Most of the commands @Timothy_Hall came up with for troubleshooting performance on regular gateways work as-is on SMB appliances. One required modification as the Busybox version of netstat doesn't support the required option, but you can get the information another way.

I will admit that I'm not sure how useful these commands are on an SMB appliance given the limited tuning options on SMB appliances. That said, I took a few minutes to figure it out and document it on the off chance it is.

These commands must be executed in expert mode. Should work whether the appliance is locally or centrally managed.

fwaccel stat
fwaccel stat -s
grep -c ^processor /proc/cpuinfo
awk '/:/ { print($1,$5, $13) }' < /proc/net/dev
fw ctl affinity -l -r
fw ctl multik stat
cpstat os -f multi_cpu -o 1 -c 5
humt
humt inside SMB Appliances and SMP Wednesday
views 197 2

Firmware automatic upgrade not working

I am trying to upgrade firmware but it is not updating automatically. When I asked CP support, CP told me to contact my supplier. And now the supplier is not replying. No contact details except email. Please help me if anyone can. It is really ridiculous when we purchase and we don't have control of the product. I have become a loser after I purchased this product from Amazon because there is no support from anywhere, where in the market it is sold with a 3 years warranty.
TomShanti
TomShanti inside SMB Appliances and SMP Tuesday
views 169 4

Strange SSL certificate when connecting to GAiA web portal on 1400 appliance

Hi community,

when connecting to my GAiA web portal on a 1400 appliance I get this certificate:

Issued to: SSL-Server
Issued by: SSL-Server
Valid until: 01.10.2024

This is neither one of the certificates shown in the Web-UI -> Device -> Installed certificates nor is it the certificate stored in /tmp/flash on the appliance.

Can anyone give me a hint where this certificate comes from?

Thanks and regards
Thomas
Amir_Ayalon
inside SMB Appliances and SMP Tuesday
views 2420 49 7
Employee

SMB - New Product announcement - 1500 Series Security Gateways

Hi All

We are happy to announce the release of the new 1500 series security gateways for SMBs. Our first models to be announced are the 1550 and 1590 gateways which set new standards of protection against the most advanced fifth-generation cyber attacks.

The 1550 and 1590 gateways are powered by Check Point’s R80 release. R80 is the industry’s most advanced security management software, and includes multi-layered next-generation protection from both known threats and zero-day attacks using the award-winning SandBlast™ Zero-Day Protection, plus antivirus, anti-bot, IPS, app control, URL filtering and identity awareness.

The 1500 Security Gateways offer integrated, multi-layered security in a compact desktop form factor. Setup can be done in minutes using pre-defined security policies and our step-by-step configuration wizard. Check Point 1500 Security Gateways are conveniently manageable both locally via a Web interface and centrally by means of a cloud-based Check Point Security Management Portal (SMP) or R80 Security Management.

The new 1500 series empowers Small and Midsize businesses with Enterprise Grade Security:

- 100% block score for malware prevention for email and web, exploit resistance and post-infection catch rate, as seen in the NSS Labs’ recent Breach Prevention Systems (BPS) Group Test
- Up to 2 times more performance from previous generations. The 1550 Gateway offers 450Mbps of threat prevention performance, and the 1590 Gateway offers 660Mbps
- The 1550 provides maximum firewall throughput of 2Gbps and the 1590 provides maximum firewall throughput of 4Gbps
- The 1550 features six 1GbE ports and the 1590 features ten 1GbE ports.
- Check Point WatchTower mobile application, enables IT staff to monitor their networks and quickly mitigate security threats on the go from their mobile device
- Out-of-the-box zero-touch provisioning allows for under 1-minute setup
- IoT devices discovery and recognition for accurate security policy definition.

Want to know more?

Visit the 1500 Series Security Gateways SK
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk157412

And the R80.20 for Small and Medium Business Appliances
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk159173

For full product specifications, visit:
https://www.checkpoint.com/products/small-business-security/

Amir Ayalon | SMB Project Management Team Leader
Check Point SW Technologies. | +972-733-79-8629 | Mobile: +972-545-787673 | amiray@checkpoint.com
Krolik
Krolik inside SMB Appliances and SMP Monday
views 321 9

GPL source code for ROUTER CHECK POINT 600 L-50WD SG-80A

Hello everybody,
Where I can find Your GPL sources? I bought ROUTER CHECK POINT 600 L-50WD SG-80A and I would like to obtain FOSS source code for embedded software.
Can You help me?
Regards,
Pawel
patarun91
patarun91 inside SMB Appliances and SMP Saturday
views 197 2

How does ISP redundancy work

I have configured two ISPs on one of my gateways, and I have assigned 70% and 30% weightage to each ISP. I just wanted to understand what algorithm is followed to maintain this.

Regards,
Arun Pathak
HristoGrigorov
HristoGrigorov inside SMB Appliances and SMP a week ago
views 199 2

Clarification on Mobile Access availability in 15xx series

Dear CheckPoint,

I found a contradiction in your documentation about 15xx series appliances:

1. In this document https://www.checkpoint.com/downloads/products/1500-security-gateway-datasheet.pdf you mention that Mobile Access is available and extent can be purchased for it (CPSB-MOB-50).

2. But in sk159173 we read: The following R77.20.87 Known Limitations still apply to R80.20: Unsupported features: Mobile Access

May you please clarify which one of these is right?
Shawn_Fletcher
Shawn_Fletcher inside SMB Appliances and SMP a week ago
views 158

1550 identity sharing and drops from failed identity lookups?

I've deployed 2 1550 appliances so far with permanent vpn tunnels to 21800. Both have required rules to bypass app control to get working due to errors like this on fw ctl zedebug drop

Example - this drops

@;745809;26Nov2019 20:32:25.035701;[cpu_0];[fw4_0];fw_log_drop_ex: Packet proto=17 172.18.50.12:64344 -> Pxxx.xxx.xxx.xxx:53 dropped by fwhold_expires Reason: held chain expired;

Even with bypass rules for App control I constantly get identity fetch failed which appears to drop some traffic - even though SmartLog doesn't reflect.... (I'm having VOIP issues, this example below is a VOIP phone/VOIP server communication)

@;10284017;[cpu_3];[fw4_3];[ERROR]: ida_cmi_async_fetch_log_cb: the identity fetch failed;
@;10284317;[cpu_0];[fw4_0];[ERROR]: ida_cmi_async_fetch_log_cb: the identity fetch failed;
@;10284317;[cpu_0];[fw4_0];[ERROR]: ida_cmi_async_fetch_log_cb: the identity fetch failed;
@;10284349;[cpu_1];[fw4_1];[IPxxx.xxx.xxx.xxx:5252 -> 172.18.20.144:5200] [ERROR]: ida_cmi_async_fetch_log_cb: the identity fetch failed;
@;10284349;[cpu_1];[fw4_1];[IPxxx.xxx.xxx.xxx:5252 -> 172.18.20.144:5200] [ERROR]: ida_cmi_async_fetch_log_cb: the identity fetch failed;
@;10284349;[cpu_1];[fw4_1];[IPPxxx.xxx.xxx.xxx:5252 -> 172.18.20.144:5200] [ERROR]: ida_cmi_async_fetch_log_cb: the identity fetch failed;
@;10284349;[cpu_3];[fw4_3];[ERROR]: ida_cmi_async_fetch_log_cb: the identity fetch failed;
@;10284349;[cpu_3];[fw4_3];[ERROR]: ida_cmi_async_fetch_log_cb: the identity fetch failed;
@;10284349;[cpu_3];[fw4_3];[ERROR]: ida_cmi_async_fetch_log_cb: the identity fetch failed;
@;10284349;[cpu_3];[fw4_3];[ERROR]: ida_cmi_async_fetch_log_cb: the identity fetch failed;
@;10284374;[cpu_2];[fw4_2];[ERROR]: ida_cmi_async_fetch_log_cb: the identity fetch failed;
@;10284374;[cpu_2];[fw4_2];[ERROR]: ida_cmi_async_fetch_log_cb: the identity fetch failed;

The idea would be the 21800 central gateway uses Identity Collector Server with ISE to get identities and then share them to remote site gateways (R80.20 embedded doesn't support identity collector - that would have been nice)

on 21800 (running R80.20 jumbo 103
pdp connections pep shows
| Outgoing | IPXXX.XXXX | 15105 | STJ-BrantfordKC | Single Gateway | Disconnected | Remote | No |

on 1550 - some network info has come over - so it must have connected at some point

pep show network pdp
Trying to run main_pep
--------------------------------------------------------
| Network | Mask | Related PDPs |
--------------------------------------------------------
| 172.28.138.0 | 255.255.255.0 | <21800IP,0>; |
--------------------------------------------------------
(and many more network lines)

pep show network registration
Trying to run main_pep
------------------
| Network | Mask |
------------------
nothing

pep sh user all
Trying to run main_pep
Command: root->show->user->all
ID (PDP; UID) Username@Machine CID (IP, PacketID) PT
=============================================================================================================
nothing

So far nothing but issues with 1550's compared to 1450's... a bit disappointed.... Anyways open to any ideas since SMB appliance issues never seem to be a priority for TAC... thx
Patrick_Tuttle1
Patrick_Tuttle1 inside SMB Appliances and SMP a week ago
views 336 10

1590 Upgrading Ques

Hello CheckMates;

We are evaluating the SMB 1500 (R80.20) and I went to test the upgrading method using smart update and realized I cannot find the tgz file only the img file. Is this method going away? Or is it because the code is new that it takes a little while for it to show up in tgz format?
These devices would be rolled out in a SCADA environment without access to the internet so doing upgrades from the Manager would be preferable.

Thanks
-pat
matthieu_euzen
matthieu_euzen inside SMB Appliances and SMP a week ago
views 169 1

Display URLs in local logs

Hello everybody,
Could you please help me with the following problem?
I'm currently in possession of a Check Point 1550 Appliance.
I don't have any licence for the smartconsole, however I would like to know if the URLs could be displayed in the local logs thanks to the SSL inspection.
Thanks in advance for your help!
Raj_Khatri
Raj_Khatri inside SMB Appliances and SMP a week ago
views 195 3

ISP Redundancy

Is ISP Redundancy supported on centrally managed gateways? I don't see the option in R80.20 management console, in the Other section of the gateway. However, ISP Redundancy option exists on firewall WebUI in the Internet section.
When viewing non-SMB firewalls in management console, the ISP Redundancy options exist in the Other section of the gateway.
Daniel_Bourne
Daniel_Bourne inside SMB Appliances and SMP 2 weeks ago
views 178 1

Replacing 1100 with 3000 series. Export site to site VPN settings?

We are upgrading a device in one of our remote offices from an 1100 (R77.20) to a 30000 (R80.XX) appliance. There are about 25 site to site VPN's currently configured on this device. I realise that it isn't possible to restore a config from the 1100 to the 30000, but can I export the site to site VPN settings, preshared keys etc? I really do not want to have to recreate all of those VPN rules.
Thanks