
Tracking Connection Count/limit (asg perf or vsx stat)

Hi Checkmates, I have been stuck determining whether there is a difference in the connection count values (and kernel tables in general). If you run asg perf -vv, you can fetch the concurrent connections of each VS. The output aggregates the connections found across all the blades for that VS. If you run "fw vsx stat -l", you can fetch both the connection count and limit. Is fw vsx stat also aggregating all the blades? The values look identical. Is the limit from "fw vsx stat -l" also aggregating the limit of all the blades associated with the VS?

DNSSEC DNS udp response blocked on 61k R80.10

Hey Community, maybe you had the same problem.

Yesterday the DNS guys asked me to check abnormal behavior of DNS queries. They want to use packets up to 4096 bytes according to some new RFC standards and they thought it's blocked because they do not get a response. My first thought was about the default inspection settings, but this inspection is inactive (DNS Maximum Request Length). Then with the help of fw ctl zdebug + drop I found that returning traffic is blocked. And I found that aggressive aging is enabled for the domain-udp object. So when there is no returning traffic within 15 seconds, the session is dropped. That's ok.

;[vs_1];[tid_3];[fw4_3];fw_log_drop_ex: Packet proto=17 x.x.x.x:53 -> x.x.x.x:46661 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 1267;

I have created a specific object with increased timeout and aggressive aging disabled. I have then inserted this object into the rule, deleted the old default object domain-udp, and what do I see? I still see drops because of quick aging and I see attempts in the log hitting the old object (domain-udp), which is no longer present in the rule. What else, when I search the logs for this particular service object (udp-53-no_aggresive_agg) I see hits on domain-udp as well! Is this related to CoreXL?

R80.20SP released

As of yesterday (28th of February), R80.20SP has been released. More information can be found here: sk140392

Interesting SKs apart from the normal documents that get released upon a new version:
- Comparison between R80.20 and R80.20SP
- Comparison between R76SP.50 and R80.20SP

Note: download is currently not publicly available, but can be requested via: r8020sp_installation@checkpoint.com

I wonder though why it is not publicly available, anybody have an idea why?

Want to know more about Check Point 44000 Next Generation Firewalls?

The Check Point UserTalk is dedicated to bringing real-world customer experiences to light for you. The webinar is designed to get you closer to the end user and gives you an opportunity to have your pressing questions answered. Join this week's UserTalk with ProSiebenSat.1 Media SE:

When: Thursday 18 April at 11am CET
With: Andreas Mang, Senior Network and Firewall Manager, ProSiebenSat.1 Media SE
About: Check Point 44000 Next Generation Firewalls & Check Point SmartEvent

ProSiebenSat.1 Media is the leading entertainment player in Germany. This media and e-commerce company brings free and pay TV channels to 45 million TV households in Germany, Austria and Switzerland every day. Hear their story, ask your questions and learn how the Check Point solutions help prevent downtime for ProSiebenSat.1 Media in the always-on media industry. REGISTER NOW!


Hello, I need to know if you can configure a bridge between 2 SSMs within the same chassis.

How to disable "command auditing" in Scalable Platform versions (R76SP.XX, R80.20SP)?

For consistent CLI output analysis after switching between users in CLI, we need to disable the "Command auditing" feature but cannot find how. Is it possible? The feature is described in the attached guide, page 178.
phlrnnr inside Scalable Platforms (41k/44k/61k/64k) 2019-03-01
views 3676 15 6

Will SP code ever get migrated into main R80.x code train?

As our environment grows, I become more and more interested in the different Scalable Platform / chassis options that Checkpoint offers. The idea intrigues me a bit for quickly and easily growing as we need more processing power. I love the idea of running VSX on a pair of chassis and just spinning up VSs for each FW use case I have in a datacenter. However, one of the things that holds me back the most is that these platforms have their own code train that is completely separate from the standard R80.x (and even R77.30) code trains that all other appliances / open servers can run.

We are using R80.10 and will likely soon move to R80.20 now that it is GA as there are features there we want to use. However, I'm concerned about the lack of feature parity between the different code bases. Are there plans to integrate the SP code train into the standard code train? If so, what is the timeline for that on the roadmap?

I'll bet Check Point could sell a lot more chassis if the code/features had parity.

How can I find hotfix take installed on my 61000?

Hi CheckMates!

I've been trying to figure out a consistent way to collect the hotfix take for the Hotfix Accumulator installed on my 61000. Some of my chassis are running R76SP40 (Yes... I know it's old) and R76SP50.

Dameon Welch-Abernathy, I read your post here: "What Version/Patch Level Do I Have Installed?" The following SK article specifically indicates that the information does not pertain to the SP code: "How to check which Hotfixes are installed on a Check Point machine". It seems like once I get my hands on R80.20SP, I can leverage cpinfo -y all to get the take information? For the time being, what could I use instead?

I've tried asg_hf_installer verify, but it only appears to work on SP50.

SGM randomly reboots

Hi, anyone experiencing the same issue? We have a dual chassis setup. We did not notice that the SGM reboots before applying the hotfix. After applying the HFA_105, the SGM reboots randomly without any error. We already raised this to TAC but so far no definite explanation. Thanks

Scalable platform and support plans

Hi,

I'm working on a project involving 44k platforms. The customer would like to have direct access to the TAC with onsite replacement. The PREMIUM support plan with the ONSITE option could fit his needs. Since the replacement of a 44K is much more complex than the replacement of an appliance, I was wondering if the ONSITE option was available for the scalable platform.

Thanks for your answers.
Benoit

Factory default SGM

Hi all,

An easy question that I did not find a solution for, but know it exists. How do you factory reset an SGM? The goal is to erase the config, so you can start rebuilding the chassis from scratch. For the SSM I know you have to run "system reload manufacturing-defaults", but what do you have to do for 1 or multiple SGMs to reset them to factory default? I don't want to reinstall the ISO from USB/CD/DVD.

Thanks!
Kind regards,
Sean

Maestro Presentation file.

Hello, how can I get the Maestro Hyperscale presentation file?

Kind Regards, Amaraa

upgrade R76SP.30 to R76SP.50

Hello everyone, I want to upgrade a dual chassis 41000, actually running R76SP.30, to R76SP.50 because R76SP.30 is end of life. My output:

[Global] FW-VSX-ch01-01:0:ACTIVE > asg stat -v
--------------------------------------------------------------------------------
| VSX System Status - 41000 |
--------------------------------------------------------------------------------
| Chassis Mode | Primary Up (Chassis 1) |
| Up time | 273 days, 11:21:48 hours |
| SGMs | 2 / 2 |
| Virtual Systems | 9 |
| Version | R76SP.30 (Build Number 47) |
--------------------------------------------------------------------------------
| VS ID: 0 VS Name: FW-VSX |
--------------------------------------------------------------------------------
| Chassis 1 ACTIVE |
--------------------------------------------------------------------------------
| SGM ID State Process FW Policy Date |
| 1 (local) UP Enforcing Security 13Sep18 15:25 |
--------------------------------------------------------------------------------
| Chassis 2 STANDBY |
--------------------------------------------------------------------------------
[Expert@FW-VSX-ch01-01:0:ACTIVE]# cphaprob state
--------------------------------------------------------------------------------
| VS ID: 0 VS Name: FW-MAI-FRPAR-CHA-DCH-03-P |
--------------------------------------------------------------------------------
| Chassis 1 |
--------------------------------------------------------------------------------
| SGM ID State Process FW Policy Date |
| 1 (local) ACTIVE |
--------------------------------------------------------------------------------
| Chassis 2 |
--------------------------------------------------------------------------------
| SGM ID State Process FW Policy Date |
| 1 ACTIVE |
--------------------------------------------------------------------------------
[Expert@FW-VSX-ch01-01:0:ACTIVE]#

As I see in the Check Point documentation, the upgrade will be done directly from the chassis. My question is: the VSX and VS are managed by the management server. Could you please tell me if there is a required action from the management server after the upgrade from the chassis? If you have any experience with this upgrade, you are welcome.

Best regards

upgrade R76SP.50 + HTF

Hello,

We have upgraded our chassis K41 to R76SP50 + HTF on chassis 1 and chassis 2. At the end of the upgrade, why is there a difference in the build version between chassis 1 and chassis 2:

chassis 1 SP50 Build 068
chassis 2 SP50 Build 092

Best regards

Next R76SP.50 Jumbo hotfix?

Take_105 dates back to November, any idea when the next one might be released? Running on Take_96 but would like to avoid making two upgrades in a short time if the next one will be available soon.