
Hanging client ports in chassis

Here's a weekend riddle for those running scalable platforms (we're on R76 SP50 T62 with 4 SGMs) 🙂 I need a break now as it took forever to get to the truth. Will be raising a case after the weekend! In a nutshell, we are seeing some connections from a client to a domain controller not answered (4 TCP SYNs sent and no response), so we quickly blamed MS/WinOS. But it turned out that the chassis was sitting in some strange state regarding some client ports: one SGM thought that the connection was idle and the correction SGM still had the connection in the table. After gigabytes of packet capture we got it: this scenario was created when the TCP connection is released from both client and server nearly simultaneously. So somehow the connection table update fails on the SGMs. As always, one diagram speaks 1000 words. Thanks as always! I know it's true because after manually deleting the connection from the blade 1_03 table, all works again on that port.

Multiple routing domains within VS

I'm wondering if it's possible to have the concept of a VRF or separate routing domain within a VSX virtual system. The virtual system itself is a separate routing domain, but I'm talking about multiple routing tables within a single VS. Cisco Nexus has a concept of VDC (Virtual Device Contexts) where multiple VRFs can be created within a single VDC. Is this the kind of functionality that I'm looking for? The platform is a 61K chassis (multiple chassis in VSLS with VSX), but perhaps this could be a question for VSX in general.

SP platform issue with NTP status check

When trying to check NTPQ status on a Scalable Platform such as R80.20SP, I get "refuse". When trying to check from gclish with >show ntp current, I get "command not supported".

Tracking Connection Count/limit (asg perf or vsx stat)

Hi Checkmates, I have been stuck determining whether there is a difference in the connection count values (and kernel tables in general). If you run asg perf -vv, you can fetch the concurrent connections of each VS. The output aggregates the connections found across all the blades for that VS. If you run "fw vsx stat -l", you can fetch both the connection count and limit. Is fw vsx stat also aggregating all the blades? The values look identical. Is the limit from "fw vsx stat -l" also aggregating the limit of all the blades associated with the VS?

DNSSEC DNS udp response blocked on 61k R80.10

Hey Community, maybe you had the same problem. Yesterday the DNS guys asked me to check abnormal behavior of DNS queries. They want to use packets up to 4096 bytes according to some new RFC standards, and they thought it's blocked because they do not get a response. My first thought was about the default inspection settings, but this inspection is inactive (DNS Maximum Request Length). Then with the help of fw ctl zdebug + drop I found that the returning traffic is blocked. And I found that aggressive aging is enabled for the domain-udp object. So when there is no returning traffic within 15 seconds, the session is dropped. That's ok.

;[vs_1];[tid_3];[fw4_3];fw_log_drop_ex: Packet proto=17 x.x.x.x:53 -> x.x.x.x:46661 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 1267;

I have created a specific object with increased timeout and aggressive aging disabled. I have then inserted this object into the rule, deleted the old object default domain-udp, and what do I see? I still see drops because of quick aging, and I see attempts in the log hitting the old object (domain-udp), which is not present in the rule anymore. What else: when I search the logs for this particular service object (udp-53-no_aggresive_agg), I see hits on domain-udp as well! Is this related to CoreXL?

R80.20SP released

As of yesterday (28th of February), R80.20SP has been released. More information can be found here: sk140392. Interesting SKs apart from the normal documents that get released upon a new version:
- Comparison between R80.20 and R80.20SP
- Comparison between R76SP.50 and R80.20SP
Note: the download is currently not publicly available, but can be requested via: r8020sp_installation@checkpoint.com. I wonder though why it is not publicly available; anybody have an idea why?

Want to know more about Check Point 44000 Next Generation Firewalls?

The Check Point UserTalk is dedicated to bringing real world customer experiences to light for you. The webinar is designed to get you closer to the end user and is an opportunity for you to have your pressing questions answered. Join this week's UserTalk with ProSiebenSat.1 Media SE: When: Thursday 18 April at 11am CET With: Andreas Mang, Senior Network and Firewall Manager, ProSiebenSat.1 Media SE About: Check Point 44000 Next Generation Firewalls & Check Point SmartEvent. ProSiebenSat.1 Media is the leading entertainment player in Germany. This media and e-commerce company brings free and pay TV channels to 45 million TV households in Germany, Austria and Switzerland every day. Hear their story, ask your questions and learn how the Check Point solutions help prevent downtime for ProSiebenSat.1 Media in the always-on media industry. REGISTER NOW!

SSM BRIDGE IN CHASSIS 41K

Hello, I need to know if you can configure a bridge between 2 SSMs within the same chassis.

How to disable "command auditing" in Scalable Platform versions (R76SP.XX, R80.20SP)?

For consistent CLI output analysis after switching between users in the CLI, we need to disable the "Command auditing" feature but cannot find how. Is it possible? The feature is described in the attached guide, page 178.
phlrnnr inside Scalable Platforms (41k/44k/61k/64k) 2019-03-01

Will SP code ever get migrated into main R80.x code train?

As our environment grows, I become more and more interested in the different Scalable Platform / chassis options that Check Point offers. The idea intrigues me a bit for quickly and easily growing as we need more processing power. I love the idea of running VSX on a pair of chassis and just spinning up VSs for each FW use case I have in a datacenter. However, one of the things that holds me back the most is that these platforms have their own code train that is completely separate from the standard R80.x (and even R77.30) code trains that all other appliances / open servers can run. We are using R80.10 and will likely soon move to R80.20 now that it is GA, as there are features there we want to use. However, I'm concerned about the lack of feature parity between the different code bases. Are there plans to integrate the SP code train into the standard code train? If so, what is the timeline for that on the roadmap? I'll bet Check Point could sell a lot more chassis if the code/features had parity.

How can I find hotfix take installed on my 61000?

Hi CheckMates! I've been trying to figure out a consistent way to collect the hotfix take for the Hotfix Accumulator installed on my 61000. Some of my chassis are running R76SP40 (yes, I know it's old) and R76SP50. Dameon Welch-Abernathy, I read your post here: What Version/Patch Level Do I Have Installed? The following SK article specifically indicates that the information does not pertain to the SP code: How to check which Hotfixes are installed on a Check Point machine. It seems like once I get my hands on R80.20SP, I can leverage cpinfo -y all to get the take information? For the time being, what could I use instead? I've tried asg_hf_installer verify, but it only appears to work on SP50.

SGM randomly reboots

Hi, anyone experiencing the same issue? We have a dual chassis setup. We did not notice that the SGM reboots before applying the hotfix. After applying the HFA_105, the SGM reboots randomly without any error. We already raised this to TAC but so far no definite explanation. Thanks

Scalable platform and support plans

Hi, I'm working on a project involving 44k platforms. The customer would like to have direct access to the TAC with onsite replacement. The PREMIUM support plan with the ONSITE option could fit his needs. Since the replacement of a 44K is much more complex than the replacement of an appliance, I was wondering if the ONSITE option was available for the scalable platform. Thanks for your answers. Benoit

Factory default SGM

Hi all, an easy question that I did not find a solution for, but I know it exists. How do you factory reset an SGM? The goal is to erase the config, so you can start rebuilding the chassis from scratch. For the SSM I know you have to run "system reload manufacturing-defaults", but what do you have to do for 1 or multiple SGMs to reset them to factory default? I don't want to reinstall the ISO from USB/CD/DVD. Thanks! Kind regards, Sean

Maestro Presentation file.

Hello, how can I get the Maestro Hyperscale presentation file? Kind regards, Amaraa