CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.

I'd like to thank everyone involved for making "The CPUG Challenge" a great success.
We helped a lot of people see and learn a bit more about R80.10, while having some fun.
We will be using this success to try and bring more events to more locations soon. -E



Type: Posts; User: ShadowPeak.com

Page 1 of 5 1 2 3 4

Search: Search took 0.01 seconds.

  1. Re: DELL R630 Gaia R77.30 Fresh Install crash viewing Machine Info

    Almost certainly has something to do with the mass storage controller, any kind of compatibility mode or other options for it in the BIOS/setup? Somewhat related:

    I discovered while setting up my...
  2. Re: Benefits of enabling acceleration NAT templates

    This is covered in my book. Unless fwaccel stats -s shows that both Accelerated Conns AND Accelerated Packets are at least 50% (rare in most situations) there is little to be gained by enabling NAT...
  3. Re: Check Point 4800 on either end of 1gb FIOS. VPN Throughput question

    1Gbps of VPN throughput seems like a bit of a stretch to me for a 4800. A few notes that should help:

    1) I don't see how the box can be rated for 2Gbps AES VPN throughput when all IPSec VPN...
  4. Re: Non HTTP Traffic over HTTP port: Invalid character

    Were you able to check "Capture Packets" on the "HTTP on Non Standard Ports" signature and get a capture of the packet containing the offending character(s)? Do you know what actual illegal...
  5. Replies

    Re: Java Process Consuming High CPU in R80

    Just to clarify some earlier statements I made in this old thread, Check Point now explicitly DOES NOT recommend enabling SMT/Hyperthreading on the SMS, at least for certain Smart-1 appliances whose...
  6. Re: VPN star community but with per peer settings?

    The biggest reason route-based VPNs aren't used was due to their incompatibility with CoreXL. This limitation has finally been lifted for R80.10 gateway.
  7. Re: VPN drops *sometimes* when policy is pushed

    My guess is that the default flush of all IKE Phase 1 SAs upon policy push is causing this situation. If a IPSEC Phase 2 tunnel happens to expire and the IKE Phase 1 tunnel is stuck or has not been...
  8. Anyone have experience with 40Gbit fiber cards for 15000/23000?

    An option on the new 15000 and 23000 series appliances is a 4x10Gbit fiber card:

    Does anyone have experience (good or bad) working with this relatively new NIC? Other than being mentioned in...
  9. Re: IPSec VPN - Unknown SPI for IPSec packet

    Please highlight tran1_key_ike in IKEView (this will show a breakdown of the transform set in the right-hand window) and take a screenshot for both packet 1 and packet 2.

    If you are failing...
  10. Re: Clish- Is it possible to make multiple commands on the same line?

    If you are trying to execute two separate clish commands and have them take effect at the same time as opposed to taking effect independently, you can use the "start transaction" and "commit"...
  11. Replies

    Re: SmartEvent gone in R80

    It has not been fully unified in the new SmartConsole, but it is definitely still there. See screenshot:

  12. Replies

    Re: HW Balancer

    Firewall performance optimization is a tricky business as there are so many different places bottlenecks can occur. I'd suggest trying tune what you have rather than redesigning your whole network. ...
  13. Re: Centrally managed 1490 - seriously screwed up control connections and VPN traffic

    Haha missed that one, good catch.
  14. Re: Centrally managed 1490 - seriously screwed up control connections and VPN traffic

    I'm not sure how a /32 is going to be handled by the "one VPN tunnel per subnet pair" default VPN Tunnel Sharing setting in the community for IKE Phase2, since the /32 is a not technically a subnet. ...
  15. Re: Confwiz or other tools for Cisco to Check Point migration

    Didn't believe it at first, but I just downloaded the R80.10 iso while being signed out from the Check Point User Center and it worked. Nice tip!
  16. Re: Third free "Max Power" Addendum with R80.10 Tips/Tricks Now Available!

    Yes, this works for both R77.30 and R80.10 gateway:

    echo sim_is_vpn_disabled=1 >> $PPKDIR/boot/modules/simkern.conf

    simkern.conf is the SecureXL equivalent of fwkern.conf and should be...
  17. Re: Third free "Max Power" Addendum with R80.10 Tips/Tricks Now Available!

    Still exploring the intricacies of this myself, everything I'm about to discuss below is still preliminary, my own opinion, and subject to change.

    I assume when you say "SecureXL instances"...
  18. Re: Confwiz or other tools for Cisco to Check Point migration

    Converting the NAT policy going from Cisco to Check Point has always been the hardest part about the conversion process. Hopefully at some point Security Zones will be supported for use in Check...
  19. Re: Confwiz or other tools for Cisco to Check Point migration

    First off, R75.45 is no longer supported. R77.30 is the oldest actively supported release.

    Check out the new SmartMove tool for easily converting Cisco configs to Check Point: sk115416: How to...
  20. Re: Centrally managed 1490 - seriously screwed up control connections and VPN traffic

    How many gateways is the R77.30 SMS managing? Is this 1490 now the second gateway being managed? If so you may have triggered what I call the "NAT Bomb" if you have left the Install on Gateway set...
  21. Re: Why CheckPoint is sending Proxy ID to Cisco

    What is the error after Phase1 Main mode completes? No proposal chosen?
  22. Re: Why CheckPoint is sending Proxy ID to Cisco

    Check Point to Cisco Interoperable VPN is the easiest combination to get working in my experience. Much easier than doing one with Juniper/Fortinet/Sonicwall which are ridiculously picky about Phase...
  23. Re: Why CheckPoint is sending Proxy ID to Cisco

    You have "one VPN tunnel per gateway pair" set on the VPN Tunnel Sharing screen of your VPN community, or on the VPN Advanced screen of the Cisco Interoperable Device object.
  24. Re: IPSEC tunnel see Phase1 and Phase 2 details from CLI

    Not sure, could be a bitmask indicating what protocols are in use or a key for referencing the actual settings in another table somewhere. Poked around for awhile in /lib/ files and some other...
  25. Re: IPSEC tunnel see Phase1 and Phase 2 details from CLI

    Did you try passing -f as an option?
  26. Re: IPSEC tunnel see Phase1 and Phase 2 details from CLI

    The table you need to look in is MSPI_by_methods. May want to check out "sk104760: ATRG: VPN Core" when you get a chance, long but very useful reading.
  27. Replies

    Re: Packet Flow in Checkpoint Firewall

    Check Point has created some great documents explaining packet flows for R77 gateway here:

    Doesn't appear to be an equivalent document for R80.10 gateway just yet...
  28. Replies

    Re: IPSEC kicking in before PBR

    For posterity, the inability of SecureXL to deal with PBR has been rectified in R77.30 jumbo hotfix take 99+, but support for this feature must still be enabled with the "sim feature pbrroute on"...
  29. Replies

    Re: 100% CPU using SmartView Web?

    Yes, see this thread:


    SOLR is run with reduced CPU priority (NI) so if literally any...
  30. Re: Third free "Max Power" Addendum with R80.10 Tips/Tricks Now Available!

    Gotta love replying to my own very old post...

    One can dump all the known VPN domains and their associated peers from the vpn_routing table which is used by vpnd to determine if traffic is...
  31. Re: Newbie Question - What Does Prob Stands For?

    Always thought it was cphaprobe, then shortened to old Windows 8.3 character limit (i.e. cphaprob.exe)
  32. Re: R80.10 performance on standalone 4200

    For Full HA operation while activating any reasonable number of gateway blades, yes. Thankfully RAM was bumped up a lot in the new generation of appliance hardware.
  33. Re: R80.10 performance on standalone 4200

    The biggest constraint with the lower-end 2012 series of appliances in regard to a standalone setup was not CPU power, but amount of RAM. The original version of the 2200 shipped with 2GB of RAM,...
  34. Replies

    Sticky: Re: Latest CCSA R80 exam information

    90 minutes to complete 100 questions, all multiple-choice at this level at least. 80% of the exam material comes right out of the official lecture and lab books, remaining 20% are real-world...
  35. Re: Application Control with cleanup rule in Firewall policy

    I'm assuming you are referring to R77.30 or earlier management.

    The connection that will carry the application data must be explicitly permitted first by the main firewall policy based on IP...
  36. Replies

    Re: Explanation on PXL traffic

    I can only report what has worked for my customers and I in a general sense. Will there be exceptions and perhaps differences of opinion of the effectiveness of tuning adjustments or how the...
  37. Replies

    Re: Explanation on PXL traffic

    The Medium Path (PXL) is not really documented other than the fact that it exists, but while researching my book I did manage to uncover some of its secrets.

    As you stated PXL traffic is processed...
  38. Replies

    Re: Check Point firewall flow

    By default if the destination IP address is being NATted it is performed on the client/inbound side of the firewall kernel (i->I) prior to routing by IP.

    If the source IP address is being NATted...
  39. Re: Security Management Performance on VMware

    If I'm reading your post correctly the SMS in ESXi with the performance problem is running R77.30 and not R80.10.

    On R77.30 and earlier SMS's, it is all about the fwm process. Run commands...
  40. Replies

    Re: VPN S2S CheckPoint x Aker

    Just because the VPN tunnel can establish doesn't mean the IKE Phase 1 SA Lifetime (expressed in minutes on Check Point) and the Phase 2/IPsec SA Lifetime (expressed in seconds on Check Point)...
  41. Replies

    Re: VPN Daemon

    There should not be an outage with existing VPN tunnels by restarting vpnd, and vpnd is a child process of fwd so it will be restarted instantly if it is killed or dies. In contrast some other...
  42. Replies

    Re: VPN Daemon

    Once tunnels are up and running, they are handled directly in the kernel. vpnd's job is mainly to handle IKE negotiations with peers. So killing or restarting the vpnd process should not impact...
  43. Replies

    Re: This is a test

    You talking about a certain survey email?
  44. Re: VPN Remote User with timeouts and low performance

    Your test ping is to, but your fw monitor is filtering on I guess I'm a bit confused about what IP addresses are involved here as far as client's office mode IP address,...
  45. Re: VPN Remote User with timeouts and low performance

    Uh yeah, 50% packet loss in your Remote Access VPN tunnels is probably going to cause a performance problem. There is massive packet loss in the RA VPN tunnel but latency is pretty stable (at least...
  46. Re: VPN Remote User with timeouts and low performance

    The single-core limitation for processing Remote Access SSL/TLS and IPSec has been around since the beginning, end enabling the DD has zero effect on it.
  47. Re: VPN Remote User with timeouts and low performance

    If your VPNs are using SSL/TLS (or IPSec for that matter) they can only be processed on one CPU core by default which is a classic bottleneck. Symptoms of this will be your lead firewall worker core...
  48. Re: r80.10 api generic_err_invalid_syntax

    Yeah, couldn't remember if the shell would consider those colons "special" and require quoting or not. Thanks for the followup.
  49. Re: r80.10 api generic_err_invalid_syntax

    My guess is because you are invoking curl from a command shell you need to quote the embedded double-quotes and maybe even the colons like this:

    curl --insecure -XPOST...
  50. Re: Stateful Ispection Status on Gateway - Drop out of state TCP

    Incidentally, this value can be toggled on the fly right on the firewall without having to change the checkbox in the SmartConsole and push policy. Very handy if the box is checked (so out of state...
  51. Re: Management Server lost connection to Security Gateway

    Check my posting here:


    You probably need to do the equivalent of clearing the SmartView...
  52. Re: random issues with identifying users

    Sure, several things will cause the seemingly random "no mapping" behavior you are seeing. On a user's workstation that currently does not have a mapping run "echo %LOGONSERVER%" to see which DC...
  53. Re: How do you troubleshoot issue like this without impacting production?

    Under cpview->Advanced->CoreXL->Global is counter "Conns create failed" nonzero after experiencing the issue? Does this counter actively increment while experiencing the issue?

    This sounds kind...
  54. Re: How to convert traditional mode VPN policy to simplified mode VPN policy

    Also just FYI the tool used to convert Traditional Mode VPNs to Simplified Mode VPNs no longer exists in R80 management and later, so the time to make the conversion from Traditional to Simplified...
  55. Re: What are the recommended protocols for s2s vpn today?

    Er yes, but that's not purely a technical issue. :-)
  56. Re: Antispoofing/Topology Not Appearing in Interface Properties

    Is the object type a "Check Point Host" instead of a "Check Point Gateway" like it should be?
  57. Re: What are the recommended protocols for s2s vpn today?

    Obviously the "most secure" would involve cranking all algorithms to their maximum values. However I'd postulate that the following is "reasonable" in today's world, others may disagree:

    Phase 1:...
  58. Replies

    Re: GUI port ?

    Oh right my bad, I thought you were asking how to access the Mobile Access Blade VPN web portal.
  59. Replies

    Re: GUI port ?

    I think the command is "mpclient list" to see what services are registered to use 443, if MAB isn't listed there you'll get that error.
  60. Replies

    Re: GUI port ?

    Usually it is 443 but with /sslvpn appended to the URL. The multiportal daemon parses it then gets the browser connected to the MAB portal.
  61. Replies

    Re: weird tcpdump output

    Yup, loopback test frames coming from the switch trying to implement ECTP. These can be disabled with the "no keepalive" command on Cisco. More info here:
  62. Replies

    Re: weird tcpdump output

    Probably some kind of pure Layer 2 frame with no Layer 3 protocol present, try adding -e to your tcpdump to see if more data is provided for these "timestamp only" lines.
  63. Re: How to emergency shut down a specific VPN

    Actually a SAM rule blocking traffic from the VPN peer's routable IP address would do the job quickly and easily; SAM rules trump everything from what I've seen, even implied rules allowing stuff...
  64. Re: Exporting Objects from Management Server

    Equivalent of Web Visualization Tool for R80+ is "show package" - a script tool to present a policy package over HTML pages. For R80 Management you need to download an updated copy of the script...
  65. Re: How to emergency shut down a specific VPN

    From the SmartView Monitor add a Suspicious Activity Rule matching all source networks on the peer side of the VPN and hit the Enforce button, traffic matching the SAM rule will start being killed...
  66. Re: ClusterXL : connection drop when Policy Push

    As I mentioned earlier in the thread, it could be a SecureXL sync issue, what happens with rematch set and SecureXL disabled?
  67. Replies

    Re: fw ctl affinity -l -r -v -a

    Yes and no, one can use "fw ctl affinity" as detailed in my book to move core functions around on the fly. However the overall allocation of SND/IRQ and Firewall Worker Cores cannot be changed...
  68. Replies

    Re: fw ctl affinity -l -r -v -a

    I wouldn't mess around with manual sim affinity, just run cpconfig, select CoreXL, and configure 4 firewall instances. After a boot there will be 4 SND/IRQ cores and 4 Firewall Worker cores. If...
  69. Replies

    Re: fw ctl affinity -l -r -v -a

    Look like you are fine right now as far as RX-DRP; based on very high SXL % a 4/4 split is definitely recommended to forestall any future issues.
  70. Replies

    Re: fw ctl affinity -l -r -v -a

    First off, make sure there are not actually 8 physical cores with hyperthreading enabled. Run /sbin/cpuinfo to check this. If hyperthreading is on turn it off.

    If you only have basic firewall...
  71. Replies

    Re: Traffic selectors unacceptable

    What you are seeing is the IKEv2 equivalent of an IKEv1 Phase 2 failure to negotiate Proxy-IDs/subnets and has nothing to do with sk102437. How have you defined the following:

    1) Interesting...
  72. Re: Checking if the return traffic is working

    Set "Accounting" in the Track column of the rule and reinstall policy. When the connection ends (or every 10 minutes by default, whichever comes first) the "Accept" record becomes an "Account"...
  73. Re: ClusterXL : connection drop when Policy Push

    There were quite a few enhancements to SecureXL in R80.10, and SecureXL has to resync its own copies of various state tables to the main ones managed by the Firewall Worker Cores when policy is...
  74. Replies

    Re: Java Process Consuming High CPU in R80

    I assume we are talking about a R80+ Security Management Server here; as an experiment at a customer site we played around with core allocations in VMWare and measured perceived SmartConsole and...
  75. Re: Third free "Max Power" Addendum with R80.10 Tips/Tricks Now Available!

    Hmm I don't know a direct way to do a search like that, however vpnd internally uses the vpn_routing state table to decide which SA a packet matches based on its source and destination IP addresses,...
  76. Re: Third free "Max Power" Addendum with R80.10 Tips/Tricks Now Available!

    Pages 144-146: Commands "vpn tu mstats" and "vpn tu tlist" can be used to monitor the state of the multi-core IPSec VPN feature in R80.10+. See the SK here for more details: sk118097: MultiCore...
  77. Third free "Max Power" Addendum with R80.10 Tips/Tricks Now Available!

    Hi Everyone,

    I've posted the third free addendum to my "Max Power: Check Point Firewall Performance Optimization" book at http://www.maxpowerfirewalls.com. This 34-page PDF addendum includes the...
  78. Replies

    Re: How to ping an Office Mode IP?

    Not sure if this applies to Endpoint Security, but there is a "Enable back connections (from gateway to client)" checkbox on the Global Properties Remote Access screen that is not enabled by default....
  79. Replies

    Re: SAM rules exception

    Suspicious Activity Rules were originally intended to be used temporarily in an IDS intruder shunning situation and to be fast-acting (i.e. a policy install is not required to enforce them). There...
  80. Re: Residual CCSE/CCSM Courseware For Sale

    No interest so to ebay they go...also selling my CCSA R80 and CCSA R80v2 instructor hardcopies on ebay as well. Marked up and worn but readable...
  81. Replies

    Re: Check Point firewall flow

    Hadn't seen that new SK, thanks for the tip! Very informative.
  82. Re: Export SmartDashboard objects to a text file

    Depending on the versions involved can you use confwiz? Or cp_merge and only do object export/import?
  83. Re: NAT being used as destination-Dropped for spoofing

    Are you sure the traffic is actually bouncing back from the router? Little-known fact: antispoofing is enforced in the outbound interface direction as well and if this happens you'll see an Accept...
  84. Replies

    Re: Check Point firewall flow

    Please see my post here and the followups:

  85. Replies

    Re: Internal Firewall Antispoofing?

    You should be able to go to the Topology screen of the firewall object, edit each interface separately and define whether it is Internal or External on the Topology tab.

    As far as which...
  86. Re: Confusion Between the various levels of access

    In the classes I teach I spend a fair amount of time talking about the "Gaia OS side of the house" which is Red Hat Linux with some OS enhancements added by Check Point, and the "Check Point side of...
  87. Replies

    Re: Question On Protocol and ClusterXL

    A blade is just a software feature, IPS looks for known hostile attacks against clients and servers. The advanced properties of a service is here, and we are asumming the Protocol Type field is...
  88. Re: ClusterXL unexpected/hidden failover

    Try this undocumented command option for a nice concise history of ClusterXL failovers, great when trying to figure out if there is a pattern:

    Your firewall can be statically routed with no...
  89. Residual CCSE/CCSM Courseware For Sale

    I have the following residual hardcopy courseware for sale, all courseware is unused and still sealed in the original shrink wrap:

    6 Check Point Security Master (CCSM) R77 - List price $600 USD. ...
  90. Replies

    Sticky: Re: Latest CCSE R77 exam information

    Looks like it, this is the exam list I see on Pearson/VUE here in the USA that can be scheduled:

    156-115.77 Check Point Certified Security Master
    156-215.77 Check Point Certified Security...
  91. Re: ClusterXL unexpected/hidden failover

    /var/log/messages or $FWDIR/log/fwd.elg, also try sniffing around any other .elg files in the $FWDIR/log directory that were touched around that time. Could also try the .elg files in $CPDIR/log but...
  92. Re: R80.10- Policy Disappearing- Please help

    Doubt it, but you mentioned removing the CPMILinks file earlier which I don't believe is valid on R80+ anymore the way it was in R77.XX.
  93. Re: R80.10- Policy Disappearing- Please help

    Oops that's the old one for R77.XX and earlier, here is the R80+ one:

    sk112058: Gateways & Servers view in R80 SmartConsole does not show statuses
  94. Re: R80.10- Policy Disappearing- Please help

    Just to clarify, the R80+ equivalent of clearing the SMS SmartConsole cache files (applications.C and CPMILinksMgr.db) in the event firewall statuses are not working or displaying incorrectly is...
  95. Replies

    Re: VPN issue - invalid certificate

    The clocks getting messed up was a long shot but I thought I'd mention it.

    To look at the CRL URL, open the firewall/cluster object in SmartDashboard and select IPSec VPN. Under the Certificate...
  96. Replies

    Re: VPN issue - invalid certificate

    How is the CRL URL expressed in the various firewall certificates? My guess is that the CRL cannot be retrieved when you have failed over and because there is CRL caching, nothing bad will happen...
  97. Re: ClusterXL unexpected/hidden failover

    Look for events of type "Control" (a grey wrench icon) in SmartView Tracker; "Type" is a very skinny column and hard to find for filtering. In SmartLog and R80+ the filter query is type:Control...
  98. Replies

    Re: FW Monitor - Seeing only small i

    Either SecureXL is on, you are filtering based only on the pre-NAT destination address and not seeing anything after i as the destination address is NATted between i and I, or the packet is being...
  99. Re: traditional mode VPN still supported in R80.10?

    There is a checkbox for "VPN Traditional Mode" when editing the Network Policy Layer for upgraded policy packages but it seems to be greyed out. It appears that Traditional Mode policies can be...
  100. Replies

    Re: Cluster stopped passing traffic

    Right so I'd suggest starting 30 minutes before the outage and then start stepping forward one minute at a time watching CPU and network statistics. Kind of hard to describe what to look for...
Results 1 to 100 of 500
Page 1 of 5 1 2 3 4