CPUG: The Check Point User Group
Resources for the Check Point Community, by the Check Point Community.
Type: Posts; User: cciesec2006
Can't believe that I've not worked on Checkpoint for over two years. Now I am just working on PaloAlto. Anyway, here is my script I use to backup my MDS R77.30 every two days. I use cron to...
After twenty years, our environment is finally free of checkpoint products. We celebrate by having several shots of cognac.
Cisco Firepower Threat Defense (FTD) has something similar to SIC but much simpler. It is called a "one time password" that both the Firepower Management Center (FMC) and the gateway FTD must match.
We successfully migrated our main datacenter from Checkpoint over to PAN two weeks ago. We collapsed three checkpoint Clusters into a single pair of PAN firewalls using multiple virtual routers. ...
I would NOT worry about this. I am glad Cisco will be very happy to acquire PAN.
I've been using Checkpoint since 2000 at the start of Checkpoint 4.1, patriot boxes, Provider-1 4.1 on Solaris, SPLAT when it first came out as "Black CD" and so on up until R80....
We...
All of my systems were shut down "properly" using "/sbin/halt".
I have another system that was up for 371 days and when I rebooted it yesterday, it took 30 minutes for the fsck to run:
Checking...
Thank you for the explanation.
However, I just tested Hide NAT the source and it does not work either :-(. If the NTP servers are directly connected to the FW, it will not work.
I have NOT done that yet but even if the above works, it will not resolve my issue because in Linux client 10.0.1.1 host I have this in the /etc/ntp.conf file:
server 192.168.1.2 iburst
server...
Environment: checkpoint R77.30 with HFA_216 on clusterXL H/A. There is NO NAT in this environment, only routing.
- NTP servers sitting on DMZ: 192.168.1.1/24, 192.168.1.2/24 and 192.168.1.3/24....
This is what I am seeing on my R77.30 GAIA Provider-1:
[Expert@lab-p1-mc:0]# tune2fs -l /dev/mapper/vg_splat-lv_current | egrep -i 'check|mount'
Last mounted on: <not available>
Default...
My R77.30 GAIA has been up for 710 days. I think if I reboot this firewall, it will take about 20 minutes for fsck to complete.
How do I determine if fsck will be performed on the next reboot on...
Thank you very much. That fixed it. Mine was the 2nd option. The previous engineer did that and he left the company four years ago :-(
Thanks again.
I have a Provider-1 in my environment running R77.30.
I've been told by security folks that my Provider-1 is using proxy server to get to the following sites:
usercenter.checkpoint.com:443...
11GB is definitely an issue. Check to see how many revision controls you have in the database. Those can add up very quickly.
What is the file size of the mds_backup? It should be less than 2GB. I think there are "known" issues if the file size is > 2GB but checkpoint has claimed that the issue has been fixed. Mine...
Are you using checkpoint backup command or "mds_backup" command? For Checkpoint MDS system, "mds_backup" method is the way to go, IMHO. That's what I've been doing for the past 15 years.
Thank you for the feedback. I am hoping that it will extend until September 2020 when we're moving out of our existing DC and into a much smaller DC. By then, all of our firewalls at the new...
What was the original end date of support for R77.30 and how many times has it been extended?
My understanding is that R77.30 end date of support is May 2019 but has been extended to September...
What is the likelihood that Checkpoint will support R77.30 beyond September 2019. I just need this thing to run until Apr 2020 when we are going to shutdown our existing DC and move into the cloud....
Your configuration does not seem to be correct. You had:
Encryption domain on checkpoint side:
A: 192.168.254.0/24
B: 3.3.3.3/25
C: 3.3.3.128/25
encryption domain on ASA end:
A:...
There is a -o option that writes it to a file. I think you need to use that option.
That being said, it is very dangerous to use "fw ctl zdebug" because you may crash the firewall. See this link...
This is the idiotic thing about Checkpoint. They took away the wget utility. In R65/R71 and even R75, there is an add-on package that you can install to get wget but no more with R77.30 and above. Why...
That's the problem. Multicast is not easy to set up. Not difficult but it is no cakewalk. Even when the OP gets it to work, what is he going to do when it stops working or he leaves the company...
LOL... I love your answer. You must be working for Checkpoint, no?
I've not dealt with Checkpoint multicast since R75.47 and my recommendation is to stay away from checkpoint multicast. Checkpoint TAC does not have the expertise to help you when you run into issues....
I thought that with Linux or GAIA or IPSO for that matter, "fw unloadlocal" WILL stop routing because of this:
before "fw unloadlocal":
# cat /proc/sys/net/ipv4/ip_forward
1
after "fw...
This is the problem:
/dev/mapper/vg_splat-lv_current
18578172 15204696 2429760 87% /
You have 18.5GB in the / directory with about 2.4GB available. I am pretty sure /opt is a subdirectory of...
It makes no difference between straight through or cross cables. The NIC card can detect both.
Why not move your Sync interface to another unused port?
Cisco FirePower is really awful and I have first hand experience with it myself. Version 6.2.3(7) was released two weeks ago and it has even more bugs than version 6.2.3(6). Some of the bugs...
This is a very good rant article: https://www.reddit.com/r/networking/comments/9363af/cisco_firepower_rant/
The answer is yes IF you set up the site-to-site VPN in "traditional mode" instead of "simplified mode (aka VPN community)". In traditional mode, Checkpoint does not see the Cisco VPN peer as part of...
FYI: cisco has discontinued Cisco ACS and replaced it with ISE. ISE is pretty much the same as Cisco ACS under the hood. Cisco has decided to combine both ISE and ACS into a single box to reduce...
Is it just me, or is the firmware on the NIC really old? I don't have a 5800 but mine looks much newer even though my NIC is already three years old:
ethtool -i eth8
driver: igb
version: 4.1.2...
These are Gig ports so you should NOT do anything to it. It should work at 1G out of the box.
As I've mentioned before, it looks like Checkpoint is using cheap ass hardware. It looks like the sync port...
It could be the NIC itself. Checkpoint is notoriously known for using cheap hardware.
Wow, that looks exactly like what I had. I probably posted this on CPUG almost two years ago :-)
Actually December 2016: ...
I have a Provider-1 with a single CMA running R77.30 with JHFA_216. The CMA manages about 8 pairs of ClusterXL running H/A also R77.30 with JHFA_216.
I am in the process of cleaning unused...
I assume that you also have this command on your Cisco switches:
port-channel load-balance src-dst-ip
On Cisco newer switches, you also see this:
port-channel load-balance...
A few questions for you:
1- Is SecureXL enabled?
2- How do you perform the test? Are you using Iperf to do this test?
My guess is that you might have a sim affinity issue based on the...
Unfortunately, this is one of the problems when you use Checkpoint as a VPN device. You would not have this problem if you were using Cisco IOS routers or ASA.
You can work around the problem by...
That is not true. In both Cisco IOS and ASA, you can set phase 2 specifically to a particular tunnel. If you do not set it, it will take the global default. See below
lab(config)#crypto map vpn...
Sorry, it's been a long day.
I looked at the script and I know the author of the script. He used to work for Nokia TAC in Ottawa :-)
How is the script going to help me here? It says nothing...
Yes, I am 100% positive. I confirmed it with tcpdump, only a single connection, TWICE.
If I disabled SecureXL, it will make the problem worse right? I don't think I want to do that in my...
I still do not understand what you're trying to get at. Let me explain again.
I have sqlnet connection between host 1.1.1.1/24 and host 2.2.2.2/24. It consumes about 800Mbps.
When I run...
How is the sk122013 going to help me? I am only looking for the connections that use the most BW, not fixing it. Is it possible with cpview?
I already tried that before asking the forum :-(. I know a source and destination that uses 700Mbps, out of the 772Mbps shown in cpview but it does not show up in top connections :-(
Below is my cpview output. I can see 772Mbps but I would like to find out the source and destination IPs that use the most BW. Where do I find that in cpview? I look under network--> protocols and...
Active/Standby clusterXL in R77.30 with JHFA_216. I am not using any dynamic routing protocol, so why are the firewalls talking to each other over tcp port 2010 on the SYNC interface:...
Tasks: 162 total, 1 running, 161 sleeping, 0 stopped, 0 zombie
Cpu0 : 2.0%us, 0.0%sy, 0.0%ni, 7.8%id, 0.0%wa, 0.0%hi, 90.2%si, 0.0%st
Cpu1 : 0.0%us, 0.0%sy, 0.0%ni,100.0%id, 0.0%wa, 0.0%hi, 0.0%si,...
Sorry, that's what happens when you cut and paste. There is no fw_2, only fw_0 and fw_1
Here is the info you asked when I use cpconfig to change the CPU from 3 to 2:
[Expert@gw-1:0]# fwaccel stats -s
Accelerated conns/Total conns : 4794/4821 (99%)
Accelerated pkts/Total pkts :...
1- I used cpconfig to change the number of cores from 3 to 2
2- reboot both gateways at the same time
3- run cphaprob state on both gateways and confirmed active/standby
Now instead of getting...
YES, I know how to change it. I made the change and shut down both firewalls at the same time. I waited for gw-1 to fully come up and then powered up gw-2. The box has plenty of memory, 32GB RAM
...
Actually I just did and it made the problem worse. Now everything is 50% slower :-(. Had to revert back my change.
[Expert@gw-1:0]# fw ctl affinity -l -r
CPU 0: eth3 eth4 eth11 eth13 eth0 eth1
CPU 1: fw_2
CPU 2: fw_1
CPU 3: fw_0
CPU 4:
CPU 5:
CPU 6:
CPU 7:
All: rtmd fwd in.ahclientd mpdaemon...
still looking for suggestions on this.
A pair of R77.30 with HFA_216 clusterXL in Active/Standby on Dell PowerEdge R710 with 405 license. Only fw blade is enabled as confirmed with "enabled_blades" output.
I have a 10G interfaces on...
Here is my opinion about Checkpoint Management High Availability.
It is a piece of junk. I first experienced it in 2004/2005 with NG AI and it is nothing but trouble. Even when I had the...
so I suppose the new image Check_Point_R77.30_Install_and_Upgrade_T5.Gaia.iso will fix this issue?
TIA
Ran into a very weird issue over the weekend. I have a Dell R720 with 64GB RAM and 8 CPUs with quad-core
I installed R77.30 using the image Check_Point_R77.30_T204_Install_and_Upgrade.Gaia.iso. ...
Can you share your ASA VPN configuration?
this is what I am seeing in the log, among other things. It is definitely related to the fingerprint. I think the cert gets regenerated.
[CPD 23194 2013005504]@p1[18 Jul 12:44:16] certificate...
yes, the fingerprint actually changes. The validity dates look the same.
I am running Provider-1 R77.30 with JHFA205 on Open Servers and it's been running fine for over 18 months.
Today, when I login into the P-1 via the Dashboard, it prompts me for a new Fingerprint...
This is what I don't understand. If I buy an open server and install Checkpoint on it, SMT has to be disabled but it is enabled on Checkpoint appliances. After all, Checkpoint appliances are...
I disagree with that statement. Unfortunately, we are living in a real world and software, especially Checkpoint Software, is written by humans and has a lot of flaws. Checkpoint seems to have more...
In checkpoint VPN setup, I only see the following:
In Diffie-Hellman group: Group 1, Group 2, Group 5, Group 14, Group 19, Group 20
In Data Integrity: AES-XCBC, MD5, SHA1, SHA256, SHA384
...
New? It was released back in 2005. I wouldn't say it is "new". In Internet time, it is like an eternity :-(
How do you verify this on Cisco devices such as router or ASA? Which show commands?
I don't think you can use 3 interfaces. 802.3AD supports only 2, 4, or 8 interfaces.
If there is no link between the switches, how does the bond work?
I would change the mode from "round-robin" to "Active-Standby" because this is the SYNC interface.
This works very well under the assumption that spanning tree is working properly on the switches....
You're making the problem more complicated than it is. Any reason why you use proxy ARP instead of just telling the ISP to route the /26 directly to your router VIP? That way, there is no need for...
It is a stupid design by Checkpoint appliances. The Mgmt and Sync interfaces labeled on the appliances can be used for just about anything. It has no meaning whatsoever. You can combine the Mgmt...
Yes, I've done it. You can do the following on the R77.30 with JHFA 216:
In /etc/ssh/sshd_config:
1- from
#Subsystem sftp /usr/libexec/openssh/sftp-server
to
Now I remember why the 13500 has this problem. It was an upgrade from R75.47 to R77.30. Everything else was a "fresh" install.
Should not have drunk the Checkpoint Kool Aid....
thank you...
[Expert@OpenSrvgw1:0]# lsattr /etc/ntp.conf
------------- /etc/ntp.conf
[Expert@OpenSrvgw1:0]#
[Expert@CP13500gw1:0]# lsattr /etc/ntp.conf
------i------ /etc/ntp.conf
[Expert@CP13500gw1:0]#...
Then how do you explain the fact that on the Power-1 11065, the current CPU speed is always shown at 2400MHz, the same as max Speed, ALL THE TIME. Is it because there is no turbo with CPU running on...
On my 13500 appliances:
dmidecode -t processor | grep -i "speed"
Max Speed: 4000 MHz
Current Speed: 2600 MHz
Max Speed: 4000 MHz
Current Speed: 2600 MHz
On...
Good morning,
I have to point the NTP servers to two different NTP server IP addresses. I've made the change in GAIA, restarted the NTP service with "set ntp active off/on" and also...
It is working. Great job!!!!!
Looks like your script does not work on the Provider-1 system. Am I missing something? See below:
[Expert@mds:0]# fwm mds ver
This is Check Point Multi-Domain Security Management R77.30 - Build...
I am still looking for solutions on this.
Or perhaps the traffic could not get accelerated by Checkpoint firewalls. There are quite a few that Checkpoint knows about.
Let's say that step #1 and step #2 are done like you suggested and there is still high CPU, what is the next step?
It seems like checkpoint is moving the goalposts on this one. This issue is even in R80 and R80.10 as well. Last time I checked the SK, I didn't see either R80 or R80.10 listed in there.
Why can't...
A question and few comments:
1- How do you know if DD is enabled on the firewalls? Can you provide the output of the command "fw ctl multik get_mode"?
- Enabling DD might make the issue worse in other...
I can't disagree with you on this. Checkpoint is the "cheapest" company I've ever come across. Back in 2011, when I had to RMA one of the checkpoint appliances, I (the customer) had to pay for the...
Completely agreed with your above statement. However, the OP said "Hi all, i'm starting a project where i'll be moving a CMA out of one MDS into a completely different MDS"
Based on that...
When you change the IP address of the CMA, don't you have to break SIC on the gateways anyway and re-SIC with the new CMA?
I've done quite a bit of these on NGx R65 and R70 but not since. It is a very simple process, no gotchas.
Yes, you have to remove global policy from the existing one prior to the migration. In...
Did you do this from the router: ping IP_PRTG_server source-interface lo 192.168.0.1
Do a "show flow exporter" and "show flow interface" and share your output here.
It works on GAIA, didn't ask for "are you sure"
[Expert@P1:0]# mdsenv 192.168.1.1
[Expert@P1:0]# cprid_util -server 192.168.1.2 -verbose rexec -rcmd bash -c 'reboot'
I don't have an 1100 or 1430 so I don't have experience with them. If they are the same as checkpoint running on open servers, I would do something like this:
1- have a centralized linux system for...
LOL... you need to provide more information than just "it's not working"
PRTG server: 10.2.0.1
L3 switch: 10.2.0.2
CP-FW Internal interface: 10.2.0.254
CP-FW External interface: 123.0.0.254...
1- create a loopback interface on the Internet router with private IP address
2- add a static route on the Internet router for the PRTG server: ip route x.x.x.x 255.255.255.255...
Yes, Shadow did say it, my bad. Not having enough coffee in the morning.
I sincerely doubt you will get 200Mbps with the ISP doing the hide NAT or PAT (as Cisco calls it). I have a Cisco 3945...
This will NOT work if you have NAT in place. How are you going to test this if the PC behind the 1100 has RFC_1918 address space? Unless you're talking about NAT'ing on the ISP router.
Another...