Scalable Platforms (41k/44k/61k/64k)

Discussion on Check Point's High Performance Scalable Platforms, i.e. the 41000, 44000, 61000, and 64000 Appliances.

Chassis performance monitoring

Just wondering if there is any interest at all in this as we are about to give up on our chassis. I wrote a script that created nicely grouped MRTG (yes yes, I'm old as a dinosaur!) graphs regarding chassis. You get chassis level view on CPU and Backplane usage on all SGMs. CPU stats will have any CoreXL config included and will cater for Hyperthreading by placing siblings next to each other. Then you have "VS overview" stats across all VSes with four main KPIs (throughput, concurrent connections, CPS and PPS). And lastly "per VS" view where you can select any VS that you have configured and then get per SGM and total stats for all KPIs above plus virtual memory usage (since it's still 32-bit kernel so you need to watch out, especially on VSX). None of the "off-shelf" tools that we had really catered for "chassis" plus VSX matrix so I ended up going back to MRTG as it gave me one screen collections that I wanted. But now we are about to give up on chassis after 4 years so this will go to bin. If there's any interest out there I could polish those scripts and dump them here.

Performance tuning guide for 41K/61K/44K/64K

Is there a performance tuning guide available for 41K/44K/61K/64K systems?

Chassis shutdown

I found only shutdown of SSM and SGM module. What is the command for shutting down the standby chassis appliance?

Adding second SSM to 41k fails

Case is going in tomorrow but I just wondered if anyone had actually gone through the process of adding a second SSM to 41/61k? There's no need to point out that CP always recommends to buy two SSMs from the start. Sometimes $$ are not there. We followed the process described in the admin guide. What happens is that chassis internal network interface eth2-CIN seems to "lose" the mask setting on the SGM. Before adding the SSM, eth2-CIN is correctly turned off and has the correct IP with /25 mask. After running the add command and SGM reboot, interface state is active but the mask is gone! So the SGM is unable to communicate to anything on that CIN. Eth1-CIN still works as expected. As pointed out before it looks all good before we start:

non-interactive version of asg profile

Is there a way to run a static, non-interactive command for the 61K command "asg profile -p"?

New to use 64k Chassis command asg_***

Interested to know what asg stands for on these 64k chassis.

R80.20 issue with fw monitor - all the buffers are full

Under R80.20 with the latest jumbo hotfix the following error occurs if I start fw monitor: fwmonitor_kiss_add_to_global_buf: all the buffers are full System 12000 appliance: - 8 CoreXL instances - approximately 25000 connections - enough free memory

Dynamic NAT port allocation on SP systems?

Does anybody use Dynamic NAT port allocation on SP systems? (R76SP50 JHFA Take 180) We have been using this since Jan 2017 and it is apparently no longer supported!! It is still enabled because nobody told us it was not supported and we have been experiencing all sorts of problems on the chassis. Check Point silently removed support? Does anybody know anything about it? SK103656 In the additional notes it says: The feature is not supported on R76SP versions and on R80.20SP.

R76SP50 Take 205 install issues

Just wondering if anyone else has seen any issues with Take 205 installation. We are upgrading from Take 62 which had hotfixes on top of it but those were removed successfully prior to upgrade. Very bizarre behavior: trying to install Take to whole standby chassis, SGM-1 goes into continuous reboot cycle. Restore snapshot to all blades on standby chassis and try to install it blade by blade instead. All succeeds. Failover chassis. Attempt to update whole chassis at once - fails again on SGM-1 going into continuous reboot cycle. Restore snapshot to all blades on standby chassis. Install succeeds on SGM-1, 3 and 4. SGM-2 fails with the same continuous reboot symptom. Now in the process of reverting snapshot on SGM-2 and will try again. But really weird. Anyone else out there with similar issues on SP take installs? Up until now it's always been OK I have to admit.

Firewall Documentation Elaboration

What is the full form (expansion) of BFM? It's mentioned multiple times in the documentation, but I can't find the full form of it. What does it exactly do? References: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk139172&partition=Advanced&product=Scalable https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk157512&partition=Advanced&product=Scalable https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk157512&partition=Advanced&product=Scalable Please reply soon.

NTP service on scalable platform R76SP.50 doesn't work properly

When configured NTP on R76SP.50 SMO, ntpq CANNOT reach the NTP server and stays in the INIT mode:    

SSM BRIDGE IN CHASSIS 41K

Hello, I need to know if you can configure a bridge between 2 SSMs within the same chassis.

Multiple routing domains within VS

I'm wondering if it's possible to have the concept of a VRF or separate routing domain within a VSX virtual system. The virtual system itself is a separate routing domain but I'm talking about multiple routing tables within a single VS. Cisco Nexus has a concept of VDC (Virtual Device Contexts) where multiple VRFs can be created within a single VDC. It's this kind of functionality that I'm looking for. The platform is 61K chassis (multiple chassis in VSLS with VSX) but perhaps this could be a question for VSX in general.

Tracking Connection Count/limit (asg perf or vsx stat)

Hi Checkmates, I have been stuck determining whether there is a difference in the connection count values (and kernel tables in general). If you run asg perf -vv, you can fetch the concurrent connection of each VS. The output aggregates the connections found across all the blades for that VS. If you run "fw vsx stat -l", you can fetch both the connection count and limit. Is fw vsx stat also aggregating all the blades? The values look identical. Is the limit from "fw vsx stat -l" also aggregating the limit of all the blades associated with the VS?

R80.20SP released

As of yesterday (28th of February), R80.20SP has been released. More information can be found here: sk140392. Interesting SK's apart from the normal documents that get released upon a new version: - Comparison between R80.20 and R80.20SP - Comparison between R76SP.50 and R80.20SP. Note: download is currently not publicly available, but can be requested via: r8020sp_installation@checkpoint.com. I wonder tho why it is not publicly available, anybody have an idea why?