Scalable Platforms (41k/44k/61k/64k)

Discussion on Check Point's High Performance Scalable Platforms, i.e. the 41000, 44000, 61000, and 64000 Appliances.

non-interactive version of asg profile

Is there a way to run a static, non-interactive command for the 61K command "asg profile -p"?

New to use 64k Chassis command asg_***

Interested to know what asg stands for on these 64k chassis.

R80.20 issue with fw monitor - all the buffers are full

Under R80.20 with the latest jumbo hotfix the following error occurs if I start fw monitor: fwmonitor_kiss_add_to_global_buf: all the buffers are full System 12000 appliance: - 8 CoreXL instances - approximately 25000 connections - enough free memory

Dynamic NAT port allocation on SP systems?

Does anybody use Dynamic NAT port allocation on SP systems? (R76SP50 JHFA Take 180) We have been using this since Jan 2017 and it is apparently no longer supported!! It is still enabled because nobody told us it was not supported and we have been experiencing all sorts of problems on the chassis. Check Point silently removed support? Does anybody know anything about it? SK103656 In the additional notes it says: The feature is not supported on R76SP versions and on R80.20SP.

R76SP50 Take 205 install issues

Just wondering if anyone else has seen any issues with Take 205 installation. We are upgrading from Take 62, which had hotfixes on top of it, but those were removed successfully prior to upgrade. Very bizarre behavior: trying to install Take to whole standby chassis, SGM-1 goes into continuous reboot cycle. Restore snapshot to all blades on standby chassis and try to install it blade by blade instead. All succeeds. Failover chassis. Attempt to update whole chassis at once - fails again on SGM-1 going into continuous reboot cycle. Restore snapshot to all blades on standby chassis. Install succeeds on SGM-1, 3 and 4. SGM-2 fails with the same continuous reboot symptom. Now in the process of reverting snapshot on SGM-2 and will try again. But really weird. Anyone else out there with similar issues on SP take installs? Up until now it's always been OK I have to admit.

Firewall Documentation Elaboration

What is the full form (expansion) of BFM? It's mentioned multiple times in the documentation, but I can't find the full form of it. What does it exactly do? References: Please reply soon.

NTP service on scalable platform R76SP.50 doesn't work properly

When configured NTP on R76SP.50 SMO, ntpq CANNOT reach the NTP server and stays in the INIT mode:    

Performance tuning guide for 41K/61K/44K/64K

Is there a performance tuning guide available for 41K/44K/61K/64K systems?


Hello, I need to know if you can configure a bridge between 2 SSMs within the same chassis

Multiple routing domains within VS

I'm wondering if it's possible to have the concept of a VRF or separate routing domain within a VSX virtual system. The virtual system itself is a separate routing domain but I'm talking about multiple routing tables within a single VS. Cisco Nexus has a concept of VDC (Virtual Device Contexts) where multiple VRFs can be created within a single VDC. It's this kind of functionality that I'm looking for. The platform is 61K chassis (multiple chassis in VSLS with VSX) but perhaps this could be a question for VSX in general.

Tracking Connection Count/limit (asg perf or vsx stat)

Hi Checkmates, I have been stuck determining whether there is a difference in the connection count values (and kernel tables in general). If you run asg perf -vv, you can fetch the concurrent connection of each VS. The output aggregates the connections found across all the blades for that VS. If you run "fw vsx stat -l", you can fetch both the connection count and limit. Is fw vsx stat also aggregating all the blades? The values look identical. Is the limit from "fw vsx stat -l" also aggregating the limit of all the blades associated with the VS?

R80.20SP released

As of yesterday (28th of February), R80.20SP has been released. More information can be found here: sk140392 Interesting SK's apart from the normal documents that get released upon a new version: - Comparison between R80.20 and R80.20SP - Comparison between R76SP.50 and R80.20SP Note: download is currently not publicly available, but can be requested via: r8020sp_installation@checkpoint.com I wonder tho why it is not publicly available, anybody have an idea why?

Hanging client ports in chassis

Here's a weekend riddle for those running scalable platforms (we're on R76 SP50 T62 with 4 SGMs) 🙂 I need a break now as it took forever to get to the truth. Will be raising case after weekend! In a nutshell, we are seeing some connections from a client to domain controller not answered (4 TCP SYNs sent and no response) so we quickly blamed MS/WinOS. But it turned out that chassis was sitting in some strange state regarding some client ports - one SGM thought that connection is idle and correction SGM still had connection in the table. After gigabytes of packet capture we got it - this scenario was created when TCP connection is released from both client and server nearly simultaneously. So somehow connection table update fails on SGMs. As always one diagram speaks 1000 words.. thanks as always! I know it's true because after manually deleting connection from blade 1_03 table, all works again on that port.

SP platform issue with NTP status check

When trying to check NTPQ status on Scalable Platform such as R80.20SP getting "refuse". When trying to check from gclish >show ntp current - getting "command not supported".

DNSSEC DNS udp response blocked on 61k R80.10

Hey Community, Maybe you had the same problem. Yesterday DNS guys asked me to check abnormal behavior of DNS queries. They want to use packets up to 4096 bytes according to some new RFC standards and they thought it's blocked because they do not get a response. My first thought was about the default inspection settings, but this inspection is inactive (DNS Maximum Request Length). Then with help of fw ctl zdebug + drop I found that returning traffic is blocked. And I found that aggressive aging is enabled for domain-udp object. So when there is no returning traffic within 15 seconds, session is dropped. That's ok. ;[vs_1];[tid_3];[fw4_3];fw_log_drop_ex: Packet proto=17 x.x.x.x:53 -> x.x.x.x:46661 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 1267; I have created a specific object with increased timeout and aggressive aging disabled. I have then inserted this object into the rule, deleted old object default domain-udp and what I see? I still see drops because of quick aging and I see attempts in the log hitting the old object (domain-udp), which is not present in the rule already. What else, when I search the logs for this particular service object (udp-53-no_aggresive_agg) I see hits on domain-udp as well! Is this related to CoreXL?