CPUG: The Check Point User Group
Resources for the Check Point Community, by the Check Point Community.
Type: Posts; User: slowfood27
First of all, it needs to be supported by Check Point. So you want to consult the relevant compatibility list at https://www.checkpoint.com/support-services/hcl/
What is the easiest way to count the number of objects in a Group (R77.30)?
Is there a way to customize the General Overview of "Logs and Monitor" in R80.10 so that it looks like the R77.30 SmartEvent Overview --> View --> All?
Many thanks for your quick response.
Here we go:
[Expert@1100prfw101:0]# ethtool -S eth2-07
NIC statistics:
rx_packets: 2186714449
tx_packets: 2028555817
rx_bytes: 2003239137553
...
in the meantime we have this situation:
netstat -ni
Kernel Interface table
Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
Mgmt 1500 0 40148390 ...
Don't let yourself be misled by the massively higher number of packets on eth2-08 compared to eth2-07. eth2-08 was the single physical IF before we introduced the bond interface. And we did not reset or...
The vpnd.elg file is located on the Firewall module in $FWDIR/log
However, when you log in via WINSCP, you don't have the local environment.
Then you find the *.elg file in /opt/CPsuite-R77/fw1/log
The Load Balancing Method is default (Layer 2)
The physical interfaces in bond1 are eth2-07 and eth2-08.
If we compare the number of packets on both physical interfaces for the last 24 hours, we...
Go to $FWDIR/log on both firewalls and perform the following commands:
vpn debug on
vpn debug ikeon
Let the debug run for some time and check if the file $FWDIR/log/ike.elg is growing.
Then...
On a clustered 15400 Appliance (R77.30 hfa 312), on the external interface eth2-08 we observed a receive overrun rate of 0.008 percent. The interface runs at 1 Gbps speed and is connected to a Cisco...
Is there a way to set the default shell on Gaia for a group of Radius users to /bin/bash, while another group of Radius users would get /bin/clish?
I need to migrate the external interface of an active/standby cluster (R77.30) in a production environment to a bonded interface.
What would be the recommended steps to keep downtime at a minimum?
Thanks for your replies, that's clear so far.
What is the decision process on the local CP Gateway?
On one side, we have the source IP of the encryption rule, on the other hand we have the entries...
Blocking individual IP addresses does not help prevent attacks from botnets, since you will never be fast enough to adapt to their dynamics.
A properly designed security policy combined with the...
How does the IKE quick mode negotiation process for the encryption domain work in detail on a Check Point Gateway (R77)?
Let's take the following example:
The encryption domain for the local...
From the Console in expert mode do a "dmesg | grep Vendor"
And it's really fast ...
Since the WebGUI CPUSE-based installation of the HFA 302 failed on a member of a productive cluster (could not uninstall HFA 216), we decided to re-install that gateway...
We observe a weird behaviour on a VRRP Cluster (R77.30, HFA 302) in the sense that bootp packets generated by Wireless Clients are no longer forwarded.
The cluster gets the bootp packets from a...
First suggestion would be: Provide a version in combination with the ISOmorphic tool. The actual usage of blink requires copying the blink images and the blink utility (plus an optional answers.xml)...
In the meantime I used the blink mechanism twice with the same kit:
blink.tgz MD5 44439258b2692912fecff1be4a74a15b
blink_image_1.0_Check_Point_R77.30_GA_SHA2_T3_Jumbo_T292.tgz MD5...
I have to migrate rules from another firewall vendor, where the packet leaves the firewall on the same interface (egress interface) as it has entered the firewall (ingress interface).
As far as I...
Just re-imaged a 12400 to R77.30 Jumbo take 292 using the blink mechanism, did the initial configuration and modified some system configs.
Now I want to clear the whole gaia config using the...
Make sure that you enable your GUI Client in cpconfig:
[Expert@yourMgmtServer:0]# cpconfig
This program will let you re-configure
your Check Point Security Management Server configuration.
...
Got it finally, the listen address in the sshd_config file needs to be commented out:
ListenAddress 172.16.100.102 --> does not work
#ListenAddress 172.16.100.102 --> does work
It's a new 15400 cluster running standard fw and R77.30 Jumbo Take 292
Here is some more stuff:
[Expert@mygateway:0]# netstat -anp | grep :22
tcp 0 0 172.16.100.102:22 ...
Just replaced a 12400 Cluster with new 15400 HW.
All is fine, except that the cluster members accept ssh connections only on the Mgmt interface.
When I log in to the gateway and try to do a local...
The protocol type was set to MMS, this is also indicated in the zdebug output.
Problem solved: The UDP service had a non-matching protocol type assigned. Set Protocol type to none
Here is the debug output:
;[cpu_5];[fw4_0];fw_log_drop_ex: Packet proto=17 172.16.254.236:44134 -> 64.62.142.12:7351 dropped by fw_conn_post_inspect Reason: Handler 'mms_code' drop;
What is the...
When you upgrade to a cluster, be aware that the certificate is now issued to the cluster object, not to the individual cluster member nodes.
There is maybe an older node-based cert causing trouble.
In SmartView Tracker we get a weird drop on an accept rule.
The rule looks as follows:
Nr.    Source    Destination    Service    Action...
Well understood, and fits perfectly to my needs.
Remember that we talk about "old" gw HW and "new" gw HW. When we do the SIC reset, it is because of the new gw HW. On the old gw HW, we do no SIC-reset,...
Just to be sure, a DB Revision also saves the SIC trust. So if I create a DB-revision, then perform a SIC reset (because I changed the HW). Then I have to rollback for some reason to my old HW,...
A group with exclusion (let's say Group-A) is built from 2 other groups, where Group-A = Group-B minus Group-C.
sk71200 states that "Using SecureXL Templates for NAT traffic is critical to achieve high session rate for NAT". In contrast, SecureXL templates for NAT are disabled by default.
What benefits or...
The GRE-Tunnel is completely transparent to the Firewall. However, since both routers (Tunnel Endpoints) can start a communication, you must make sure that your firewall rule allows true...
Yes, these commands make much more sense and let you easily correct the database.
BTW: The sem_fw_policies and sem_network_objects are indeed related to SmartEvent. I did a db re-sync according to...
Yes, correct. And it's always a good idea to create a backup prior to upgrade (VMware snapshot, Gaia snapshot, etc.)
[Expert@fwmgmt:0]# grep -e $'^\t\t: (' -e comment $FWDIR/conf/objects_5_0.C | grep -e ": (.*" -e "comments (.*" -o | grep -e [[:cntrl:]] -e "["$'\x80'"-"$'\x9F'"]" -e ": (.*" | grep comments -B 1...
The report of the pre_upgrade_verifier reports:
ERRORS
To create a working environment, the errors must be fixed
Objects with non-Unicode characters
Description:
The database contains...
SmartEvent is a very useful tool when you're dealing with IPS and Antibot Blades. Its functionality has obviously not been ported to R80.*, which makes R80.10 much less valuable for our operation...
I have written a script which copies the backup files to an archive server and deletes the local backups, while keeping a selectable number of copies.
Drop me a PM if you are interested
Firewall Clustering should always happen due to availability and redundancy, and never due to performance reasons. If performance is an issue, there is always a box big enough to handle the traffic.
We manage 3 Check Point Clusters (all R77.30 Take 216) from a SmartCenter. From time to time, the hitcount in SmartDashboard stops increasing. This is true for only one (the biggest) of the 3...
The CPDA is the repository where CPUSE stores its updates. I strongly discourage you from deleting something in there
prob stands prob(ably) for "probing"
We should build a site to site VPN from a single homed CP R77.30 gateway to a dual homed 3rd party gateway. The VPN should automatically fail over if the primary IP of the 3rd party becomes unavailable....
Lucky loser, we have got Tufin ;-)
Hm, we noticed that the hitcounts of other rules were NOT correct either.
Most, but not all of the rules did not display the actual hitcount data. Many of the hitcounts were 2-3 days behind.
After...
What does the error message on FW2 exactly say, when the packet is dropped?
No, due to the following reasons
- This is a production environment, which needs approval by CAB to install a new hotfix
- The problem is not that big that it's worth the effort
- Hotfix 272 (and...
Added a new rule at the end of the policy (R77.30 take 216) with a time object.
Although the rule matches traffic, the hitcount stays at zero and never increases.
The object has a time object with...
R77.30 gateway acts as a DHCP server. Clients get their IP address when no policy is loaded on the gateway.
As soon as the policy is loaded, clients get no longer an IP address.
What minimum policy...
This morning, a bunch of Antibot Events popped up saying that the Anti-bot Blade prevented Communication with C&C site 13.107.4.52. The protection name is Operator.Trickbot.dh.
Reverse Lookup shows...
All Smart*** GUI Windows can be manually adjusted to any size, except the SmartEvent GUI window, which refuses to shrink below a certain size.
Is this a feature or a bug?
Solved
This is one of the nasty "features" of simplified mode, that VPN is always preferred over any other rule, where source and destination match.
To get the stuff running, we had to add an...
After converting the policy from traditional to simplified mode, we ran into a weird problem we didn't have before.
We have a site to site VPN with HPE, and its encryption domain consists of a...
What was the question?
If you're looking for a professional, standalone IPAM tool you might look at Infoblox
See sk33224
It means that you cannot encrypt everything within your community. Before the VPN Tunnel is established (or needs to be re-established) the 2 gateways need to exchange the relevant parameters using...
Thanks folks for your input
The policy is now converted and clean, it will go live soon
The problems we had were caused by 2 elements:
A partner's encryption domain overlapped with internal...
While testing the new, converted policy we had some side effects we can't explain.
We have all site to site VPN rules at the top of the policy.
Somewhere further down, we have the following rule:
...
Does Gaia R77.30 support the use of ssh option "ProxyCommand"?
SmartView Tracker filter accepts a subnet mask length, e.g. 192.168.100.0/26
https://www.cpug.org/forums/showthread.php/22030-Export-SmartDashboard-objects-to-a-text-file?highlight=confwiz
might help
Consider the case you have several Site-to-Site VPNs, and on a specific VPN you see that you receive malware.
What is the fastest way to shut down that specific VPN?
And yep, this was the exact reason. We needed to re-name the new SmartCenter due to legal issues, since one financial company was bought by the other ;-)
The attached Doc might help
Cheers
A drawing might help
The R80.10 release notes state that the "traditional to simplified VPN mode conversion" is not supported. Does this mean, that traditional mode VPNs are no longer supported as well?
Got it
> sigcheck.checkpoint.com
Server: 172.16.5.4
Address: 172.16.5.4#53
Non-authoritative answer:
sigcheck.checkpoint.com canonical name =...
We notice from the log files, that our SmartCenter (R77.30 Take 216) periodically tries to connect directly to external hosts 193.247.167.145 and 193.247.167.139 via http. These destinations are...
Last week we installed HFA 216 on top of R77.30, since then, the problem has not been reproduced
When working with passwords, PSKs and other keys, it's usually a good idea to store them centrally in a safe place.
I'm sure you did that, didn't you?
Check Point's URL Filtering and Application Control Functions are not as powerful as those of specialized manufacturers such as Blue Coat or McAfee Webgateway (amongst others).
The Check Point...
Just getting the interfaces is not enough, you need to define the virtual Cluster Interface in the Topology manually
Hm, the SKs described above do not seem to match.
I just installed the policy, and again, fwaccel was turned off.
The proposed commands show:
[Expert@test:0]# fwaccel test -v -stat
Accelerator...
After carefully watching our environment we can state the following:
1. SecureXL is definitely turned off when, and only when a policy is installed
2. SecureXL is NOT ALWAYS turned off when a...
Environment:
2 Node 12400 Cluster with vrrp
Blades: Firewall, ClusterXL, IPSec VPN, Qos
R77.30 JHFA 185
SecureXL enabled
Since a couple of days, we notice that the CPU time from the active node...
Is there a way to convert an "Externally Managed Check Point Gateway" to a "Check Point Gateway", meaning internally managed by my SmartCenter?
Maybe using guidbedit?
Issue resolved
The wonderful damned Clish output is not able to show the full line of information, since it shows just "Jumbo Hotfix Accumulator General Availability ...":
test> show installer...
Thanks mate for your support.
Unfortunately, the recommended actions did not change anything. I still do not see the newly imported package.
I even do not see the latest HFA 185, which is actually...
How the installer sees its DB:
test> show installer status
Agent: enabled
Build number: 1272 (agent build is up to date)
Network connection: connected
Update from cloud: ...
Imported the Jumbo HFA 216 successfully using installer, but "show installer packages imported" does not list the new HFA package.
Trying to re-import fails, with error "package already imported"...
And did I get this right that IKEv2 is NOT SUPPORTED with traditional VPN mode?
Subnet negotiation Failures in Phase 2 are quite common.
Be aware that the encryption domain definition MUST match exactly at both ends. Check Point does by default supernetting of adjacent...
In order to mount an NFS remote share, we need to run the portmapper on the local Gaia system.
How can we start it?
When we configure QoS in such a way that connections using a specific Service are limited to a maximum bandwidth during office hours, but can use unlimited bandwidth during the night.
Let's say a backup...
Is there a way to determine what type of login was performed by Check Point Admins? ReadWrite or Readonly.
If we have a look in SmartView Tracker --> Management, we see that the admin has logged in, but...
So you say that it isn't even started? Any log entries in /var/log/messages which might help?
As the script states, you should not edit crontab, but enter the job definition in clish. Did you?
In the Appliances price list you can order a HA Configuration, consisting of a Primary (100% price) and a HA (80 % price) Appliance, but only up to the 5900 Series.
For all bigger appliances, the HA...
Since all Office 365 traffic is SSL encrypted (https), how can the Application Control Blade recognize that it's Office 365 traffic?
Problem solved
The Check Point User needs full admin privs in order to be able to "Write" to disk when storing a view
On a monitoring Desktop we use SmartView Monitor to display the status of our gateways on a big screen.
We use a local windows user (secmonitor) to run the SmartView GUI.
We customize our view and...
I would strongly recommend to migrate both the SmartCenter AND the Cluster to Gaia.
The easiest way would be to build a complete new, isolated infrastructure consisting of a new SmartCenter (can...
If you populate the topology section of a host, you are able to use multiple IP Addresses for that object in a rule-base. Might make sense for Router objects or hosts with multiple NICs
HTH
Before entering the highly sophisticated level of troubleshooting your firewall it might be worth checking basic things such as network connectivity.
Have you had a look at the Network switch...
Basically, you need to make sure that you are in the right CMA context, and then run the command:
fwm load <policy> <target>, where <policy> is the (case sensitive) name of the <policy>.W file,...
Well, if it comes to troubleshooting with dozens of VPNs, you might need an answer to the question: "What subnets do I really announce to VPN peer XY". You can't answer that question specifically,...