CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Tim Hall has done it again! He has just released the 2nd edition of "Max Power".
Rather than get into details here, I urge you to check out this announcement post.
It's a massive upgrade, and well worth checking out. -E

Type: Posts; User: ShadowPeak.com

  1. Re: Show routing table on Domain Based VPNs

    Yes:


    echo -e "\033[0m####################\n# VPN Routing #\n####################";fw tab -f -t vpn_routing -u 2>&1 |grep -v "+"| awk '{split($0,a,";"); print a[8]}' |sort -ng |uniq | awk...
  2. Re: VPN Remote User with timeouts and low performance

    sk107433: How to change transport method with Endpoint Clients
  3. Re: Rate Limiting Rules in R77.20 (Replies: 2, Views: 265)

    In your example the 501st new connection request in the same second will be blocked, regardless of the source IP. I think you are looking for the SecureXL "penalty box" function described here:...
  4. Re: Appliances 5900 R80.10 and bonding interfaces limited throughput

    Great, thanks for the follow-up.
  5. Re: Appliances 5900 R80.10 and bonding interfaces limited throughput

    Please provide output of the following commands run on the firewall from expert mode:

    fwaccel stat
    fwaccel stats -s
    grep -c ^processor /proc/cpuinfo
    /sbin/cpuinfo
    fw ctl affinity -l -r
    sim...
  6. Re: cpview to find out the source and destination that uses the most BW

    Please read my last post again concerning SecureXL.
  7. Re: cpview to find out the source and destination that uses the most BW

    Are you sure this is a single connection and not lots of little ones? Top Connections only shows the top individual connections that consume the most bandwidth, it does not show a summary of which...
  8. Re: cpview to find out the source and destination that uses the most BW

    If you notice a particular Firewall Worker (kernel instance) is overloaded this sk shows you how to identify the connection attributes of the elephant flow causing it.
  9. Re: IPS Protect internal hosts only - recommendation

    Yep IPS was at long last fully integrated with the rest of the Threat Prevention blades in R80.10 gateway. Also Geo Protection was renamed Geo Policy and is no longer part of the IPS blade in...
  10. Re: cpview to find out the source and destination that uses the most BW

    Sounds like you may have an elephant flow, check out sk122013 (Handling heavy connections in CoreXL) for an alternative way to identify what it is via the "Advanced...CoreXL...Instances" screen of...
  11. Re: IPS Protect internal hosts only - recommendation

    Not exactly, if you have an R80.10 gateway IPS can be managed in the same TP profile and policy layer as the other four Threat Prevention blades. As such you can use columns such as Protected Scope...
  12. Re: High CPU problem on checkpoint gateway

    Well this is a first for me, adding more SND/IRQ cores actually reduces the performance of fully-accelerated (SXL path) traffic? Beyond engaging Check Point TAC the only explanation could be your...
  13. Re: High CPU problem on checkpoint gateway

    So interface affinity is spread between Cores 0 & 3 while fw_0 and fw_1 are running on CPUs 1 and 2 respectively? How does the CPU load distribution look via top when things are "50% slower"?
  14. Re: High CPU problem on checkpoint gateway

    Are there three kernel instances or only two? Output from the commands above is conflicting. The first output is missing fw_0, the second shows three kernel instances fighting for 2 CPUs and the...
  15. Re: High CPU problem on checkpoint gateway

    Run all commands again in this configuration please.
  16. Re: High CPU problem on checkpoint gateway

    You are getting some RX-DRPs which confirms that the lone SND/IRQ core is getting killed due to the high percentage of fully-accelerated traffic. As mentioned you need to drop the number of kernel...
  17. Re: High CPU problem on checkpoint gateway

    Huh? That makes no sense, please define what "50% slower" means. If you have a cluster changing the number of kernel instances needs to be handled the same way as code upgrade.

    You may have...
  18. Re: High CPU problem on checkpoint gateway

    Yup definitely decrease kernel instances from 3 to 2 with cpconfig. Will help a lot.
  19. Re: High CPU problem on checkpoint gateway

    Because you are licensed for only 4 cores, you probably have the default 1/3 split of SND/IRQ cores to Firewall Worker cores. Please provide output of fw ctl affinity -l -r and fwaccel stats -s to...
  20. Re: Original IP address does not come through in a VPN tunnel

    If using the Automatic NAT setup technique (i.e. defining it on the NAT tab of a Host/Network object), the automatic rule(s) created will attempt to NAT traffic to/from that host/network regardless...
  21. Re: HPE DL360 Gen9 (Replies: 8, Views: 1,096)

    Looks like the 366T is just a rebadged Intel® Ethernet Controller I350-AM4, looking at the data sheet for that chipset it does indeed support Multi-Queue for up to 8 queues just like most Intel NIC...
  22. Re: ICMP time exceeded are not logged? (Replies: 10, Views: 372)

    Yes: netstat -s from expert mode.
  23. Re: Antispoofing adding static route (Replies: 8, Views: 729)

    That's why in R80.20 there is a new antispoofing option on the interface topology screen: "Follow routing configuration" or something like that. Now any time a route is added/updated antispoofing...
  24. Re: random drops on checkpoint 5k appliance running R77.30

    Need to run fw ctl zdebug drop while the issue occurring to see what is happening. Have you looked at the logs for the problematic period of time?
  25. Re: Problem with ISP redundancy - sk25152 - Kindly advise

    No the fwx_cache table simply caches NAT rulebase lookups and is not relevant to your problem. I'm assuming it is cleared when an ISP transition occurs. Let's back up though:

    1) Are you...
  26. Re: Original IP address does not come through in a VPN tunnel

    Did you check the "Disable NAT in VPN Community" checkbox on the VPN Community properties?
  27. Re: Any recommendations for dual 10GBASE-T adapters?

    Can't go wrong with Intel.
  28. Re: Issue with site to site vpn to cisco ASA - HELP

    Settings mismatch in IKE Phase 1. Check Encryption Algorithm, Hashing Algorithm, Diffie Hellman group, could be a shared secret typo.
  29. Re: Issue with site to site vpn to cisco ASA - HELP

    Are you seeing a "Main/Aggressive Mode complete" log (key icon) message followed immediately by "No proposal chosen", or are you only seeing "No proposal chosen" over and over again? If the former...
  30. Re: 4k sectors on USB? (Replies: 1, Views: 198)

    I believe this is fixed in kernel 2.6.34 or later and is mentioned in this thread: ...
  31. Re: Anyone know any way for adding interfaces to cluster via dashboard without clicki

    Just use "Get Interfaces" NOT "Get interfaces with Topology". The former will not touch your antispoofing/topology settings while the latter will.
  32. Re: Policy installation takes long time (Replies: 7, Views: 1,369)

    You are almost 1GB into swap space, more RAM should help.
  33. Re: RCV Overruns on bond interface (Replies: 8, Views: 416)

    The main issue is RX-DRPs (rx_missed_errors) which indicates insufficient CPU resources on the SND/IRQ cores (CPUs 0 & 1) to empty interface ring buffers in a timely fashion, although the drop...
  34. Re: RCV Overruns on bond interface (Replies: 8, Views: 416)

    A change in load-balancing on the switch to L3/L4 should help balance inbound traffic to the firewall interfaces and help avoid RX-OVR. However you need to provide ethtool -S output for eth2-07 and...
  35. Re: Policy installation takes long time (Replies: 7, Views: 1,369)

    On R77.30 management operations are single-threaded so there is not much you can do if the CPU is saturated during a policy verification. R80.10 handles this much better.

    One thing you can do is...
  36. Re: SecureXL getting disabled (Replies: 15, Views: 2,916)

    sip_dynamic_ports is the service halting SecureXL templating. Try searching for that service in your traffic logs, if you see connections being logged with that service name you probably can't...
  37. Re: Secure XL -- Some doubts (Replies: 1, Views: 287)

    You are talking about "Accept templates" here, these are dynamically formed in SecureXL to save the overhead of a full rulebase lookup for repeated connections having only one attribute that is...
  38. Re: Route Based VPN with Cisco router (Replies: 5, Views: 475)

    You can also switch off just the VPN acceleration function of SecureXL with this command: sim vpn off;fwaccel off;fwaccel on

    All other acceleration functions of SecureXL will remain active, but...
  39. Re: RCV Overruns on bond interface (Replies: 8, Views: 416)

    OK I've seen this before, where the output reported by netstat -ni increments RX-DRP and RX-OVR in lockstep, and it is impossible to determine if the drop issue is a ring buffer overflow (RX-DRP) or...
  40. Re: RCV Overruns on bond interface (Replies: 8, Views: 416)

    Please provide output of netstat -ni, and ethtool -S (interfacename) for all physical interfaces in the bond for further analysis.

    How is your bond interface set for load balancing of traffic...
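As an added example, not from the posts above and not Check Point's code: a small shell helper that takes two `netstat -ni` snapshots captured some time apart on the gateway and reports, per interface, how far RX-DRP and RX-OVR moved between them. It flags the case described in post 39 where both counters increment in lockstep, and shows why the bond interface alone is not enough to read (it sums its members). The interface names, counter values and the `rx_drop_delta` function name are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Check Point's code): compare two "netstat -ni" snapshots
# and classify per-interface receive drops. All sample data below is constructed.

# rx_drop_delta BASELINE_FILE CURRENT_FILE
# Prints one line per interface: "<iface> <RX-DRP delta> <RX-OVR delta> <verdict>"
#   clean        neither counter moved
#   lockstep     RX-DRP and RX-OVR grew by the same amount; netstat alone cannot
#                tell a ring-buffer drop from a FIFO overrun, collect ethtool -S
#   rx-drp-only  only RX-DRP grew (ring buffer not emptied in time by SND/IRQ cores)
#   rx-ovr-only  only RX-OVR grew
#   mixed        both grew by different amounts (typical of a bond, which sums
#                its members; read the physical interfaces instead)
rx_drop_delta() {
    awk '
    FNR == 1      { hdr = 0 }            # new file: wait for its header line again
    $1 == "Iface" {                      # header row: locate columns by name, so the
        for (i = 1; i <= NF; i++) {      # layout with or without "Met" both work
            if ($i == "RX-DRP") d = i
            if ($i == "RX-OVR") o = i
        }
        hdr = 1; next
    }
    !hdr { next }                        # "Kernel Interface table" or anything pre-header
    NR == FNR { drp[$1] = $d; ovr[$1] = $o; next }   # first file is the baseline
    {
        dd = $d - drp[$1]; od = $o - ovr[$1]
        if (dd == 0 && od == 0)  v = "clean"
        else if (dd == od)       v = "lockstep"
        else if (od == 0)        v = "rx-drp-only"
        else if (dd == 0)        v = "rx-ovr-only"
        else                     v = "mixed"
        printf "%s %d %d %s\n", $1, dd, od, v
    }' "$1" "$2"
}

# Constructed snapshots, about a minute apart, in netstat -ni layout. bond1 is
# the sum of eth2-05, eth2-06 and eth2-07.
BEFORE=$(mktemp); AFTER=$(mktemp)
trap 'rm -f "$BEFORE" "$AFTER"' EXIT
cat > "$BEFORE" <<'EOF'
Kernel Interface table
Iface   MTU Met    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth2-05  1500 0  500000000      0   4000   4000  300000000      0      0      0 BMRU
eth2-06  1500 0  480000000      0    150      0  290000000      0      0      0 BMRU
eth2-07  1500 0  510000000      0   7200   7200  310000000      0      0      0 BMRU
bond1    1500 0 1490000000      0  11350  11200  900000000      0      0      0 BMmRU
EOF
cat > "$AFTER" <<'EOF'
Kernel Interface table
Iface   MTU Met    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth2-05  1500 0  530000000      0   4000   4000  320000000      0      0      0 BMRU
eth2-06  1500 0  510000000      0    900      0  310000000      0      0      0 BMRU
eth2-07  1500 0  540000000      0   9000   9000  330000000      0      0      0 BMRU
bond1    1500 0 1580000000      0  13900  13000  960000000      0      0      0 BMmRU
EOF

rx_drop_delta "$BEFORE" "$AFTER"
```

On a real gateway, capture the two files from expert mode with something like `netstat -ni > before; sleep 60; netstat -ni > after`, then run the function on them. Any interface reported as `lockstep` is exactly the situation post 39 describes, and the next step the posts ask for is `ethtool -S <interface>` on each physical member of the bond, where `rx_missed_errors` is the counter that corresponds to RX-DRP.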
  41. Re: 5900 and SMT Or Assign particular core to Particular interface

    No, load-balanced ISP Redundancy traffic will always go F2F. This was actually mentioned in my book and there is no workaround. If you configure ISP Redundancy for Primary/Backup instead, traffic...
  42. Re: 5900 and SMT Or Assign particular core to Particular interface

    To help determine reason for high F2F, please provide output of enabled_blades command run on firewall.

    Not sure what the sufficient traffic threshold is for automatic interface affinity to start...
  43. Re: SecureXL getting disabled (Replies: 15, Views: 2,916)

    Remove Snmp-read-only and icmp-proto. Could also be port 135 service if protocol type is RPC/DCE.
  44. Re: 5900 and SMT Or Assign particular core to Particular interface

    CPUs 0 and 1 are SND/IRQ cores, CPUs 2-7 are Firewall Worker cores.

    You aren't seeing any interfaces being handled by CPU 1 for one of the following reasons:

    1) SecureXL is off (fwaccel stat)...
  45. Re: 5900 and SMT Or Assign particular core to Particular interface

    A 5900 has eight physical cores that will increase to 16 logical cores when SMT is enabled.

    Without SMT, there will be two cores assigned to SND/IRQ functions and six Firewall Worker cores. The...
  46. Re: VPN Problem 10% of User (Replies: 5, Views: 338)

    Generally you don't need to reboot or failover the firewalls on a regular basis. Tough to say what your VPN problem was, could have been a memory leak or some other kind of bug or resource...
  47. Re: "Max Power" Book Second Edition Released!

    R77.30 and R80.10 are covered side-by-side in the second edition. The first edition is no longer available. There was very little content removed between the first edition and the second edition,...
  48. Re: R80.20.M1 Management Release (Replies: 18, Views: 1,374)

    Yep there will be a raft of new native Linux tools available due to the kernel update to 3.5.
  49. Re: Somehow Traffic is not passing through tunnel

    A "secret" way to force only the tunnels associated with a certain VPN Community to bypass all acceleration is to simply set the hashing algorithm to SHA-384 for both phases of IKE. The SHA-384...
  50. Re: Somehow Traffic is not passing through tunnel

    As mentioned above load the latest GA jumbo hotfix for your version, almost certainly will fix it. If not you'll probably need to involve Check Point TAC.
  51. Re: IKE Phase 2 Quick mode VPN encryption domain matching process

    The size of the object (i.e. host or network w/ mask) used in the Firewall/Network policy layer permitting the VPN traffic does not matter as far as what is proposed by the Check Point in Phase 2, it...
  52. Re: SMS R77.30 install policy to IP390 (R65 and IPSO4.2) crashed

    Sounds to me like you need to upgrade to 2GB of RAM for sure then, if R65 doesn't work with 1GB of RAM I'm pretty sure R77.30 won't either.

    No special steps you need to take after adding the...
  53. Re: Somehow Traffic is not passing through tunnel

    Try this sequence of commands:

    sim vpn off
    fwaccel off;fwaccel on

    Reset the tunnel, does it still work? If it does that indicates some kind of issue specifically with acceleration of VPN...
  54. Re: Somehow Traffic is not passing through tunnel

    It would be something like this, assume that the VPN peer IP address is 129.82.102.32 and destination IP address on the original packet is 192.168.10.1:

    fw monitor -e "accept host(192.168.10.1) or...
  55. Re: VPN Intermittent Connectivity (Replies: 8, Views: 430)

    True, however Check Point did not add support for IKEv2 until R71 circa 2010, and it really didn't start being commonly used until a few years later at least in my experience.
  56. Re: Somehow Traffic is not passing through tunnel

    Er yes I got that, but is LOC-B actually putting it back into the tunnel? Just because the return traffic shows up at the interface of LOC-B (presumably in a tcpdump which puts the interface in...
  57. Re: VPN Intermittent Connectivity (Replies: 8, Views: 430)

    Thanks for the update, IKEv2 is still (relatively) new and can sometimes cause issues with interoperable VPNs.
  58. Re: Policy installation takes long time (Replies: 7, Views: 1,369)

    Management version? Standalone or distributed? Kind of important in this case ...
  59. Re: R77.30 to R80.10 Management/SmartEvent upgrade

    It can probably be all left on a VM, however I would recommend the following:

    12 cores MINIMUM, 16+ preferred. Do NOT present the cores to the VM as hyperthreaded/logical cores.
    32GB RAM MINIMUM...
  60. Re: Somehow Traffic is not passing through tunnel

    Make sure the "disable NAT" checkbox is set in the VPN Community settings. Are you sure the reply traffic is really arriving back at the internal interface of LOC-B? And coming back through the...
  61. Re: SMS R77.30 install policy to IP390 (R65 and IPSO4.2) crashed

    Make sure the Monitoring blade is disabled on the firewall objects representing the Nokias, I seem to recall stability problems with the rtm kernel driver on IPSO at one point. 1GB RAM will be...
  62. Re: IKE Phase 2 Quick mode VPN encryption domain matching process

    If acting as the responder, the Check Point will accept a fully-contained subset of that subnet, yes.



    Yes.



    Yes. Just like Cisco.
  63. Re: fwx_xlate_method (Replies: 2, Views: 296)

    I'd say this is just an informational message and not indicating a problem, although it is a bit confusing in that it is referencing both UDP and TCP for presumably the same packet/operation. Looks...
  64. Re: "Max Power" Book Second Edition Released!

    VSX is not covered. However there is some great free VSX optimization info here:

    https://dreezman.wordpress.com/2015/01/24/corexl-training-youll-love-the-price/
  65. Re: Internal to Internal traffic and application\url blade

    The implicit cleanup rule for an APCL/URLF layer has an action of Accept and you are not allowed to change it on a R77.30 gateway; the default action is Accept because typically the APCL/URLF policy...
  66. Re: VPN Intermittent Connectivity (Replies: 8, Views: 430)

    It is in the group policy, set command is:

    vpn-idle-timeout none

    show command is:

    show run all group-policy | i vpn-idle

    vpn-idle-timeout none
  67. Re: VPN Intermittent Connectivity (Replies: 8, Views: 430)

    Make sure the IKE Phase 1 lifetime (expressed in minutes) and IPSEC Phase 2 lifetime (expressed in seconds) match the settings on the Cisco end.

    Make sure the Cisco has their data lifesize set to...
  68. Re: Internal to Internal traffic and application\url blade

    Yes. If using object "Internet" as the destination in an APCL/URLF layer, it will match all traffic leaving on an interface that is not explicitly marked as Internal in the antispoofing settings. ...
  69. Re: Bandwidth reservation for site to site IPSec VPN

    Yes, but you'll have to enable the QoS blade on your firewall and assign a QoS policy. In the Action field of the QoS policy rule you can define a bandwidth guarantee, and there is also another...
  70. Re: Signs that a RAM upgrade is required

    free -m

    If swap usage reported on the last line is zero a RAM upgrade is probably not required. The bigger the reported swap usage number the more a RAM upgrade will help assuming that Gaia is...
  71. Re: Is it possible to do a Proxy ARP on a whole network?

    You only need to ensure firewall Proxy ARPs occur for NAT addresses you are "plucking" from a subnet directly attached to the firewall. Most typically the so-called "dirty" segment between the...
  72. Re: How many CPU cores 5900 has? (Replies: 3, Views: 382)

    For future reference the actual processor of a 5900 is an Intel(R) Xeon(R) CPU E5-2620 v4 @ 2.10GHz. Not shown at Tobias Lacmann's old site for some reason:...
  73. Re: Max Processor Speed (Replies: 8, Views: 569)

    The Intel Xeon E5530 used in that model has a base speed of 2.4 GHz and a possible turbo speed of 2.66 GHz, I'm assuming they are both showing 2400 because turbo mode is disabled.
  74. Re: Max Processor Speed (Replies: 8, Views: 569)

    The max speed shown is if the processor is operating in "turbo" mode above its base frequency (2.4GHz). Normally a processor cannot operate in turbo mode for long (up to 4GHz in your case) unless...
  75. Re: SAM rule expiration sorting (Replies: 6, Views: 1,571)

    Anyone still using block rules via fw sam and/or the Smartview Monitor should definitely check out the capabilities of fw samp if SecureXL is enabled. Drops are enforced very early in SecureXL thus...
  76. Re: Problem with Packet Loss (Replies: 6, Views: 968)

    If you weren't tipped so far over into swap space there might be some memory optimizations that could be performed to reduce memory utilization, but that is probably a lost cause given the number of...
  77. Re: Checkpoint 5400 100% CPU usage (Replies: 24, Views: 2,417)

    Probably to buy a bigger firewall. :-( There may be some other optimization techniques in the book that will help a little, but those two steps would be the big ones.
  78. Re: Checkpoint 5400 100% CPU usage (Replies: 24, Views: 2,417)

    In my book the stated goal is to have about 50% average utilization on the CPUs during the firewall's busiest period, thus allowing enough "headroom" for the firewall to potentially burst at double...
  79. Re: Checkpoint 5400 100% CPU usage (Replies: 24, Views: 2,417)

    That looks pretty good as 75% of traffic is now accelerated even when passing iSCSI traffic and 23% is Medium Path, surprised things still feel slow for you with those kind of statistics. Try...
  80. Re: Checkpoint 5400 100% CPU usage (Replies: 24, Views: 2,417)

    Interrupts in this context mostly refer to the emptying of the NIC ring buffers via the SoftIRQ process. When a SND/IRQ core becomes much more heavily utilized than the others, SecureXL automatic...
  81. Re: Checkpoint 5400 100% CPU usage (Replies: 24, Views: 2,417)

    Sync network & memory look fine.



    CPU 2 is slammed to 100% mostly in kernel/system space while CPU 1 is 78% idle; so technically the overall firewall CPU load is 59%. Enabling the Dynamic...
  82. Re: Checkpoint 5400 100% CPU usage (Replies: 24, Views: 2,417)

    The underlying 5400 processor does not support it at all, SMT is not deliberately disabled by Check Point:


    https://ark.intel.com/products/77775/Intel-Pentium-Processor-G3420-3M-Cache-3_20-GHz
    ...
  83. Re: Checkpoint 5400 100% CPU usage (Replies: 24, Views: 2,417)

    The 5400 does not support SMT/Hyperthreading, support for SMT starts with the 5800 model and higher.

    Please provide the output of the following commands for further diagnosis, ideally run when the...
  84. Re: Problem with Packet Loss (Replies: 6, Views: 968)

    Your firewall is 2.5GB into swap space against RAM of only 4GB. Upgrading to 8GB of RAM will definitely help. A lot.
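Added example, not from the posts and not Check Point's code, serving the `free -m` check in post 70 and the swap figures quoted in posts 32, 76 and this one: a shell function that reads `free -m` output (saved to a file or piped in) and reports swap in use against installed RAM. The two sample outputs are constructed; the first mirrors the 2.5GB-of-swap-on-4GB case above, the second a box that is not swapping at all. The function name `swap_check` is an assumption.

```shell
#!/bin/sh
# Added example, not Check Point's code. Reads "free -m" output and summarises
# swap use against physical RAM. Sample outputs below are constructed.

# swap_check [FILE]      (reads stdin when no file is given)
# Prints: ram_total_mb=<n> swap_used_mb=<n> swap_pct_of_ram=<n> upgrade=yes|no
# upgrade=yes whenever any swap is in use: per the posts above, zero swap means a
# RAM upgrade is probably not needed, and the deeper into swap the box is, the
# more one will help.
swap_check() {
    awk '
    $1 == "Mem:"  { ram = $2 }           # total RAM, column 2, in MB
    $1 == "Swap:" { swap_used = $3 }     # swap in use, column 3, in MB
    END {
        if (ram == 0) { print "error: no Mem: line found" > "/dev/stderr"; exit 1 }
        pct = int(swap_used * 100 / ram)
        verdict = (swap_used > 0) ? "yes" : "no"
        printf "ram_total_mb=%d swap_used_mb=%d swap_pct_of_ram=%d upgrade=%s\n",
               ram, swap_used, pct, verdict
    }' ${1:+"$1"}
}

# Constructed samples in the layout free(1) prints on the 2.6 kernels that
# Gaia R77.30/R80.10 run. SWAPPING_SAMPLE mirrors "2.5GB into swap against 4GB".
SWAPPING_SAMPLE='             total       used       free     shared    buffers     cached
Mem:          4096       3900        196          0         40        900
-/+ buffers/cache:       2960       1136
Swap:         8191       2560       5631'

HEALTHY_SAMPLE='             total       used       free     shared    buffers     cached
Mem:          8192       6100       2092          0        310       2700
-/+ buffers/cache:       3090       5102
Swap:         8191          0       8191'

printf '%s\n' "$SWAPPING_SAMPLE" | swap_check
printf '%s\n' "$HEALTHY_SAMPLE"  | swap_check
```

On the gateway itself, `free -m | swap_check` (or `swap_check saved_free_output.txt` for a file collected by someone else) gives the one-line summary; the "-/+ buffers/cache" line is deliberately ignored because buffer and cache memory is reclaimable and says nothing about whether the box is short of RAM.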
  85. Re: Problem with Packet Loss (Replies: 6, Views: 968)

    Is this a Full HA configuration? In other words do you not have a separate SMS that you connect into with the SmartDashboard and the two 4400's are basically self-managed? If so the two boxes are...
  86. Re: Appliance slot map (Replies: 9, Views: 488)

    In any kind of collocation smart/remote hands situation, color-coded network cables and/or a labelmaker are your best friend. Having a picture of the system/rack is a must as well.
  87. Re: SAP and First Packet isn't SYN (R75.45)

    From my book:
  88. Re: Tenable Scan opening ports dynamically on GW

    As mentioned earlier typically these high ports are used by security server processes to "fold" connections during a "process space trip" as I coined it in my book. Typically the only connections...
  89. Re: ISP throughput (Replies: 13, Views: 1,427)

    Run top while the bandwidth is topping out at 80Mbps (during a speed test or something), is the firewall CPU 100% utilized during this period? If so you may be able to do some tuning to improve...
  90. Re: Smart Console error "Unable to get idle-time workstation locking policy"

    Please contact your Check Point SE for access to the SK, posting the contents of an SK here at CPUG (or anywhere else) is prohibited.
  91. Re: Smart Console error "Unable to get idle-time workstation locking policy"

    See sk111293: "Unable to get idle-time workstation locking policy" error in SmartConsole GUI clients. Many different possible causes for this one.
  92. Re: Bandwidth throttling/limiting per user or per Mobile Access blade.

    Assuming you are using Office Mode to assign IP addresses to your RA clients, you need to enable the QoS blade, then in QoS policy specify source as the Office Mode subnet, then in QoS Action specify...
  93. Re: checkpoint appliance and microburst (Replies: 10, Views: 790)

    Check status of Ethernet flow control function on the 1Gig interface.
  94. Re: RX-DRP / RX-OVR (FIFO Errors) / ClusterXL State change during policy install

    Thanks for the update. You could also try enabling Multi-Queue on the problematic interfaces (not sure why I didn't mention that option before) but if all the firewall's CPUs are heavily loaded...
  95. Re: Disable NAT rules using Script (Replies: 3, Views: 328)

    Your SMS code version is? Are the NAT rules you want to disable automatically generated, manually created, or both?
  96. Re: ISP throughput (Replies: 13, Views: 1,427)

    Are you sure the 1180 is linking to your router at Gig speed and not Fast Ethernet? Any network errors on the 1180 (netstat -ni), or on the router interface (show interface)?
  97. Re: checkpoint appliance and microburst (Replies: 10, Views: 790)

    I assume you are referring to this:

    https://en.wikipedia.org/wiki/Micro-bursting_%28networking%29

    This is more a function of Gaia and its NIC drivers emptying the network ring buffers via...
  98. Re: How to install policy with comms from mgmt server blocked by antispoofing

    fw ctl set int fw_local_interface_anti_spoofing 0

    I don't think you need to turn this off in SecureXL as well. Frankly you have something else seriously wrong if you need to disable this, and I...
  99. Re: Under Freeze state in Cphaprob state

    This is the Cluster under Load (CUL) function which is enabled by default on R77.30 and later gateways. The active member was experiencing high CPU load or recently had policy installed to it. For...
  100. Re: How to install policy with comms from mgmt server blocked by antispoofing

    Obviously you didn't see my CPX presentation. ;)

    fw ctl set int fw_antispoofing_enabled 0
    sim feature anti_spoofing off ; fwaccel off ; fwaccel on