CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Tim Hall has done it again! He has just released the 2nd edition of "Max Power".
Rather than get into details here, I urge you to check out this announcement post.
It's a massive upgrade, and well worth checking out. -E

 

Type: Posts; User: ShadowPeak.com

  1. Re: How many CPU cores 5900 has? (3 replies, 142 views)

    For future reference the actual processor of a 5900 is an Intel(R) Xeon(R) CPU E5-2620 v4 @ 2.10GHz. Not shown at Tobias Lacmann's old site for some reason:...
  2. Re: Max Processor Speed (8 replies, 310 views)

    The Intel Xeon E5530 used in that model has a base speed of 2.4 GHz and a possible turbo speed of 2.66 GHz, I'm assuming they are both showing 2400 because turbo mode is disabled.
  3. Re: Max Processor Speed (8 replies, 310 views)

    The max speed shown is if the processor is operating in "turbo" mode above its base frequency (2.4GHz). Normally a processor cannot operate in turbo mode for long (up to 4GHz in your case) unless...
  4. Re: SAM rule expiration sorting (6 replies, 428 views)

    Anyone still using block rules via fw sam and/or the Smartview Monitor should definitely check out the capabilities of fw samp if SecureXL is enabled. Drops are enforced very early in SecureXL thus...
  5. Re: Problem with Packet Loss (6 replies, 466 views)

    If you weren't tipped so far over into swap space there might be some memory optimizations that could be performed to reduce memory utilization, but that is probably a lost cause given the number of...
  6. Re: Checkpoint 5400 100% CPU usage (24 replies, 708 views)

    Probably to buy a bigger firewall. :-( There may be some other optimization techniques in the book that will help a little, but those two steps would be the big ones.
  7. Re: Checkpoint 5400 100% CPU usage (24 replies, 708 views)

    In my book the stated goal is to have about 50% average utilization on the CPUs during the firewall's busiest period, thus allowing enough "headroom" for the firewall to potentially burst at double...
  8. Re: Checkpoint 5400 100% CPU usage (24 replies, 708 views)

    That looks pretty good as 75% of traffic is now accelerated even when passing iSCSI traffic and 23% is Medium Path, surprised things still feel slow for you with those kind of statistics. Try...
  9. Re: Checkpoint 5400 100% CPU usage (24 replies, 708 views)

    Interrupts in this context mostly refer to the emptying of the NIC ring buffers via the SoftIRQ process. When a SND/IRQ core becomes much more heavily utilized than the others, SecureXL automatic...
  10. Re: Checkpoint 5400 100% CPU usage (24 replies, 708 views)

    Sync network & memory look fine.



    CPU 2 is slammed to 100% mostly in kernel/system space while CPU 1 is 78% idle; so technically the overall firewall CPU load is 59%. Enabling the Dynamic...
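    An added example (not part of the posts above, and not Check Point's own tooling) that turns the kind of per-core figures quoted in replies 7, 9 and 10 into a quick check: it parses output in the layout of `mpstat -P ALL`, computes per-core and average utilization, applies the book's "about 50% average at the busiest period" headroom rule, flags cores pinned at or above 80%, and reports which core is carrying the most SoftIRQ (the NIC ring-buffer emptying reply 9 describes). The mpstat sample, the 80% "hot" threshold and the column handling are assumptions; the numbers are constructed to resemble a 4-core box with one saturated core.

```python
from statistics import mean

# Constructed sample in the layout of "mpstat -P ALL 2 1" (sysstat as shipped on Gaia).
# Invented figures: core 2 saturated in system space, core 1 mostly idle, core 0 SoftIRQ-heavy.
SAMPLE_MPSTAT = """\
Linux 2.6.18-92cpx86_64 (fw)    01/15/2018

10:00:01 AM  CPU   %user   %nice    %sys %iowait    %irq   %soft  %steal   %idle    intr/s
10:00:03 AM  all   12.00    0.00   30.25    0.00    0.50   15.00    0.00   42.25   5000.00
10:00:03 AM    0    5.00    0.00   15.00    0.00    2.00   50.00    0.00   28.00   4000.00
10:00:03 AM    1   10.00    0.00   12.00    0.00    0.00    0.00    0.00   78.00    500.00
10:00:03 AM    2   20.00    0.00   80.00    0.00    0.00    0.00    0.00    0.00    300.00
10:00:03 AM    3   13.00    0.00   14.00    0.00    0.00   10.00    0.00   63.00    200.00
"""


def parse_mpstat(text):
    """Return {core_number: {user, sys, irq, soft, idle}} for the per-core rows.

    Columns are located by name from the header line, so the timestamp columns
    and the 'all' summary row are skipped rather than assumed to be at fixed positions.
    """
    cores = {}
    header = None
    for line in text.splitlines():
        fields = line.split()
        if "CPU" in fields and "%idle" in fields:
            header = fields[fields.index("CPU"):]  # drop the leading time-of-day columns
            continue
        if header is None or len(fields) < len(header):
            continue
        row = fields[-len(header):]
        if not row[0].isdigit():  # 'all' row
            continue
        rec = dict(zip(header, row))
        cores[int(row[0])] = {
            "user": float(rec["%user"]),
            "sys": float(rec.get("%sys", rec.get("%system", "0"))),
            "irq": float(rec["%irq"]),
            "soft": float(rec["%soft"]),
            "idle": float(rec["%idle"]),
        }
    return cores


def busy_pct(core):
    """Utilization is everything that is not idle, regardless of user/system split."""
    return round(100.0 - core["idle"], 2)


def assess(cores, target_avg=50.0, hot=80.0):
    """Apply the headroom rule of thumb (about 50% average at the busiest period leaves
    room to burst to double) and flag individual cores at or above `hot` (assumed value)."""
    busy = {c: busy_pct(v) for c, v in cores.items()}
    avg = round(mean(busy.values()), 2)
    hot_cores = sorted(c for c, b in busy.items() if b >= hot)
    # The core with the largest %soft share is the one emptying NIC ring buffers hardest.
    soft = {c: v["soft"] for c, v in cores.items()}
    return {
        "per_core_busy": busy,
        "average_busy": avg,
        "has_headroom": avg <= target_avg,
        "hot_cores": hot_cores,
        "softirq_heaviest": max(soft, key=soft.get),
    }


if __name__ == "__main__":
    result = assess(parse_mpstat(SAMPLE_MPSTAT))
    for core, pct in sorted(result["per_core_busy"].items()):
        print("CPU %d: %5.1f%% busy" % (core, pct))
    print("average %.2f%%, headroom ok: %s, hot cores: %s, softirq-heaviest: CPU %d" % (
        result["average_busy"], result["has_headroom"],
        result["hot_cores"], result["softirq_heaviest"]))
```

    Run it against a saved `mpstat -P ALL 2 5` capture from the busiest period; a single core at 100% with a low overall average is the signature of one Firewall Worker or one SND/IRQ core being saturated rather than the box as a whole being out of capacity.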
  11. Re: Checkpoint 5400 100% CPU usage (24 replies, 708 views)

    The underlying 5400 processor does not support it at all, SMT is not deliberately disabled by Check Point:


    https://ark.intel.com/products/77775/Intel-Pentium-Processor-G3420-3M-Cache-3_20-GHz
    ...
  12. Re: Checkpoint 5400 100% CPU usage (24 replies, 708 views)

    The 5400 does not support SMT/Hyperthreading, support for SMT starts with the 5800 model and higher.

    Please provide the output of the following commands for further diagnosis, ideally run when the...
  13. Re: Problem with Packet Loss (6 replies, 466 views)

    Your firewall is 2.5GB into swap space against RAM of only 4GB. Upgrading to 8GB of RAM will definitely help. A lot.
  14. Re: Problem with Packet Loss (6 replies, 466 views)

    Is this a Full HA configuration? In other words do you not have a separate SMS that you connect into with the SmartDashboard and the two 4400's are basically self-managed? If so the two boxes are...
  15. Re: Appliance slot map (9 replies, 270 views)

    In any kind of collocation smart/remote hands situation, color-coded network cables and/or a labelmaker are your best friend. Having a picture of the system/rack is a must as well.
  16. Re: SAP and First Packet isn't SYN (R75.45)

    From my book:
  17. Re: Tenable Scan opening ports dynamically on GW

    As mentioned earlier typically these high ports are used by security server processes to "fold" connections during a "process space trip" as I coined it in my book. Typically the only connections...
  18. Re: ISP throughput (13 replies, 596 views)

    Run top while the bandwidth is topping out at 80Mbps (during a speed test or something), is the firewall CPU 100% utilized during this period? If so you may be able to do some tuning to improve...
  19. Re: Smart Console error "Unable to get idle-time workstation locking policy"

    Please contact your Check Point SE for access to the SK, posting the contents of an SK here at CPUG (or anywhere else) is prohibited.
  20. Re: Smart Console error "Unable to get idle-time workstation locking policy"

    See sk111293: "Unable to get idle-time workstation locking policy" error in SmartConsole GUI clients. Many different possible causes for this one.
  21. Re: Bandwidth throttling/limiting per user or per Mobile Access blade.

    Assuming you are using Office Mode to assign IP addresses to your RA clients, you need to enable the QoS blade, then in QoS policy specify source as the Office Mode subnet, then in QoS Action specify...
  22. Re: checkpoint appliance and microburst (10 replies, 467 views)

    Check status of Ethernet flow control function on the 1Gig interface.
  23. Re: RX-DRP / RX-OVR (FIFO Errors) / ClusterXL State change during policy install

    Thanks for the update. You could also try enabling Multi-Queue on the problematic interfaces (not sure why I didn't mention that option before) but if all the firewall's CPUs are heavily loaded...
  24. Re: Disable NAT rules using Script (3 replies, 176 views)

    Your SMS code version is? Are the NAT rules you want to disable automatically generated, manually created, or both?
  25. Re: ISP throughput (13 replies, 596 views)

    Are you sure the 1180 is linking to your router at Gig speed and not Fast Ethernet? Any network errors on the 1180 (netstat -ni), or on the router interface (show interface)?
  26. Re: checkpoint appliance and microburst (10 replies, 467 views)

    I assume you are referring to this:

    https://en.wikipedia.org/wiki/Micro-bursting_%28networking%29

    This is more a function of Gaia and its NIC drivers emptying the network ring buffers via...
  27. Re: How to install policy with comms from mgmt server blocked by antispoofing

    fw ctl set int fw_local_interface_anti_spoofing 0

    I don't think you need to turn this off in SecureXL as well. Frankly you have something else seriously wrong if you need to disable this, and I...
  28. Re: Under Freeze state in Cphaprob state

    This is the Cluster under Load (CUL) function which is enabled by default on R77.30 and later gateways. The active member was experiencing high CPU load or recently had policy installed to it. For...
  29. Re: How to install policy with comms from mgmt server blocked by antispoofing

    Obviously you didn't see my CPX presentation. ;)

    fw ctl set int fw_antispoofing_enabled 0
    sim feature anti_spoofing off ; fwaccel off ; fwaccel on
  30. Re: ethtool -g Exp1-1 10Gig interface (1 reply, 105 views)

    Increasing ring buffer sizes is a last resort to combat excessive (IMHO >0.1%) RX-DRPs. If excessive RX-DRPs are encountered, the right way to address it is by increasing the number of SND/IRQ cores...
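    An added example (mine, not from the posts) that applies the RX-DRP threshold mentioned here and the `netstat -ni` check from reply 25: it parses the `netstat -ni` counter table, computes RX-DRP as a fraction of RX-OK per interface, flags anything over 0.1%, and, because those counters are cumulative since boot, also computes the drop ratio over an interval from two captures. The two captures are constructed samples in the layout of `netstat -ni` on Gaia; interface names and counter values are invented.

```python
RX_DRP_LIMIT = 0.001  # 0.1% of RX-OK, the level called excessive in the post

# Constructed first capture: eth1-01 is shedding frames (RX-DRP and RX-OVR non-zero).
SAMPLE_NETSTAT = """\
Kernel Interface table
Iface       MTU Met    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
Mgmt       1500   0   512000      0      0      0   301000      0      0      0 BMRU
eth1       1500   0 98000000      0  40000      0 77000000      0      0      0 BMRU
eth2       1500   0 45000000      0  12000      0 60000000      0      0      0 BMRU
eth1-01    1500   0  4000000      0   9000    210  3500000      0      0      0 BMRU
lo        16436   0    12000      0      0      0    12000      0      0      0 LRU
"""

# Constructed second capture of the same interface taken a little later.
SAMPLE_NETSTAT_LATER = """\
Iface       MTU Met    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth1-01    1500   0  4100000      0   9500    260  3600000      0      0      0 BMRU
"""


def parse_netstat_ni(text):
    """Return {iface: {'RX-OK': n, 'RX-DRP': n, ...}} keyed by the header names."""
    rows = {}
    header = None
    for line in text.splitlines():
        f = line.split()
        if f[:1] == ["Iface"]:
            header = f
            continue
        if header is None or len(f) != len(header):
            continue  # banner line, blank line, or a row we cannot align to the header
        rec = dict(zip(header, f))
        rows[rec["Iface"]] = {k: int(v) for k, v in rec.items() if k.startswith(("RX-", "TX-"))}
    return rows


def rx_drop_ratio(counters):
    """RX-DRP relative to RX-OK since boot (0.0 when nothing has been received)."""
    return counters["RX-DRP"] / counters["RX-OK"] if counters["RX-OK"] else 0.0


def flag_interfaces(rows, limit=RX_DRP_LIMIT):
    """(iface, ratio, RX-OVR) for interfaces over the limit, worst first; loopback ignored."""
    bad = [(name, rx_drop_ratio(c), c["RX-OVR"]) for name, c in rows.items()
           if name != "lo" and rx_drop_ratio(c) > limit]
    return sorted(bad, key=lambda t: t[1], reverse=True)


def interval_drop_ratio(before, after, iface):
    """Drop ratio over the window between two captures, which is what matters on a
    box that has been up for months and carries an old cumulative RX-DRP count."""
    drp = after[iface]["RX-DRP"] - before[iface]["RX-DRP"]
    ok = after[iface]["RX-OK"] - before[iface]["RX-OK"]
    return drp / ok if ok else 0.0


if __name__ == "__main__":
    rows = parse_netstat_ni(SAMPLE_NETSTAT)
    for name, ratio, ovr in flag_interfaces(rows):
        print("%s: RX-DRP %.3f%% of RX-OK (RX-OVR %d)" % (name, ratio * 100, ovr))
    later = parse_netstat_ni(SAMPLE_NETSTAT_LATER)
    print("eth1-01 over the sample window: %.3f%%" %
          (interval_drop_ratio(rows, later, "eth1-01") * 100))
```

    Only the interval figure tells you whether drops are still happening now; if they are, the post's order of remedies applies (more SND/IRQ cores or Multi-Queue first, larger ring buffers via `ethtool -G` last).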
  31. Re: R77.30, NTP and NAT issue (2 replies, 141 views)

    When it is not working, something in Gaia/Linux is "eating" the NTP packet as it is not appearing at o. So it has nothing to do with Check Point firewall code or SecureXL. Is the firewall...
  32. Re: Hi everybody (3 replies, 552 views)

    Welcome! Feel free to jump in and participate.
  33. Re: Problem routing between star communities (R77.30)

    I don't know if VPN Routing is possible with non-Check Point satellites, you may need to employ Policy-Based Routing (PBR) to force traffic to go the right way at the hub. Remember that the order of...
  34. Re: Verification Error - Policy Failure

    What is the version of management and gateway? My guess is R80+ management and R77.30 gateway.

    Are you able to successfully install just the Access Control policy without Threat Prevention (TP)? ...
  35. Re: Confirm Policy Override Question/Problem

    The "two boxes vertically stacked" icon shown in the warning represents the cluster object, which logically represents all individual physical members of the cluster in the SmartConsole. Note that...
  36. Re: High cpu, what is the cause? (1 reply, 209 views)

    What version of firewall code are you running and what Jumbo HFA?

    The fastest way to find "elephant flows" that are pounding the CPU is to run cpview on the active firewall and select...
  37. Re: RX-DRP / RX-OVR (FIFO Errors) / ClusterXL State change during policy install

    Not directly, no. Since VRRP is being used, all ClusterXL is dealing with for the most part is state synchronization and reporting the firewall code's status to VRRP. A flap in ClusterXL (really...
  38. Re: Java Process Consuming High CPU in R80 (32 replies, 5,023 views)

    Thanks for the update, a bottleneck in the disk channel is usually the biggest cause of poor SMS performance. Even in R80.10+.
  39. Re: Something weird issue with mssql connection

    You'll need to run a tcpdump on the firewall's external interface with -e filtered for port 1433 and arp. Is the port 1433 packet leaving? Was it NATted as expected? Is the firewall answering the...
  40. Re: Dual NAT (6 replies, 303 views)

    I'm assuming the term "dual NAT" is being used to describe the NATing of both source and destination IP address in the same packet. This is referred to as "bi-directional NAT" when it happens with...
  41. Re: Strange connection disruption 30minutes + after policy install

    You can do it beforehand but disabling SecureXL on a firewall with 8 or more cores without a good reason is a bit risky, as it may cause a noticeable performance impact. I think it would be better...
  42. Re: Strange connection disruption 30minutes + after policy install

    Could be, as a recalculation of most tables held by SecureXL is performed at that time. I'd try the fwaccel off trick immediately after policy install to help isolate the issue.
  43. Re: Strange connection disruption 30minutes + after policy install

    Please PM me and I'll send you the presentation. After CPX Bangkok it will be publicly posted.
  44. Re: Strange connection disruption 30minutes + after policy install

    Your first order of business is trying to determine if the stoppage is a Gaia issue (ARP, routing, NIC card, etc.) or a Check Point issue (SecureXL, INSPECT, NAT, ClusterXL, etc). In other which...
  45. Re: MTU issues: packets are always fragmented by firewall!

    I stand corrected, got this situation confused with TSO issues mentioned in sk41942. Very bad memories of that one, enough to briefly mention it in my book.
  46. Re: MTU issues: packets are always fragmented by firewall!

    Er yes that is by design, MTU stands for Maximum Transmission Unit. It only controls the frame size for frames leaving/transmitting. Incoming frames can be larger than the MTU and will be accepted...
  47. Re: Anyone attending CPX360 2018? (12 replies, 1,096 views)

    Uh, I cannot confirm nor deny your assertion. Must have been hypnotized by the Blue Man Group show last night...

    I'm at CPX360 Vegas right now and will be kicking off the CheckMates Community Use...
  48. Re: Urgent problem with checkpoint to fortigate VPN

    Good summary, in general Juniper/Fortinet/Sonicwall are very picky about the Proxy-IDs (subnets) they will accept in a Phase 2 proposal, and it must be an exact match. Check Point and Cisco do not...
  49. Re: Installation failed. Reason: Load on module failed - no memory

    This is a rather generic error message indicating that the firewall could not complete the atomic load of the policy into the kernel for some reason. It could be due to lack of memory on the...
  50. Re: MTU issues: packets are always fragmented by firewall!

    Must be some function of IPS, try running ips off and retest to see if the reduction in packet size persists. Don't forget to turn IPS back on with ips on when you are done!
  51. Re: MTU issues: packets are always fragmented by firewall!

    Assuming your tcpdump output is accurate, IP did not fragment the packets because the offset field for all the packets you think are fragmented is zero. My guess is the TCP segments within were...
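    An added example (mine, not from the thread) of the check reply 51 describes: decode the IPv4 header, look at the MF flag and the fragment offset, and only call a datagram a fragment when one of them is set; a full header with offset zero and MF clear that is simply shorter than the MTU was never fragmented by IP, which points the investigation at the TCP segment size instead. The `build_ipv4` helper exists only to construct sample packets (addresses, ID and sizes are invented); `ip_fragment_info` and `explain` are the part you would point at real bytes from a capture.

```python
import struct

IPV4_HDR = "!BBHHHBBH4s4s"  # ver/ihl, tos, total length, id, flags+frag offset, ttl, proto, csum, src, dst
FLAG_DF = 0x4000
FLAG_MF = 0x2000


def build_ipv4(total_length, flags, offset_units, proto=6, ident=0x1234):
    """Constructed IPv4 datagram (no options, zero checksum, zero-filled payload) for sample input.
    `flags` is the 3-bit flags field already in bits 13-15; `offset_units` is in 8-byte units."""
    frag_field = (flags & 0xE000) | (offset_units & 0x1FFF)
    hdr = struct.pack(IPV4_HDR, 0x45, 0, total_length, ident, frag_field, 64, proto, 0,
                      bytes([10, 1, 1, 10]), bytes([192, 168, 50, 20]))
    return hdr + b"\x00" * max(0, total_length - len(hdr))


def ip_fragment_info(pkt):
    """Decode the fragmentation-relevant fields of an IPv4 header."""
    ver_ihl, _tos, total_len, _id, frag_field, _ttl, proto, _csum = struct.unpack("!BBHHHBBH", pkt[:12])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (ver_ihl & 0x0F) * 4
    mf = bool(frag_field & FLAG_MF)
    offset = (frag_field & 0x1FFF) * 8  # offset is carried in 8-byte units
    return {
        "total_length": total_len,
        "header_length": ihl,
        "payload_length": total_len - ihl,
        "protocol": proto,
        "df": bool(frag_field & FLAG_DF),
        "mf": mf,
        "fragment_offset": offset,
        # A first fragment has offset 0 but MF set; a last fragment has MF clear but offset > 0.
        "is_fragment": mf or offset > 0,
    }


def explain(info, mtu=1500):
    """One-line reading of the decoded fields, assuming the interface MTU given."""
    if info["is_fragment"]:
        return "IP fragment (MF=%s, offset=%d)" % (info["mf"], info["fragment_offset"])
    if info["total_length"] < mtu:
        return ("not fragmented: the datagram was already smaller than the MTU, "
                "so look at the TCP MSS/segment size, not at IP")
    return "not fragmented: full-size datagram"


if __name__ == "__main__":
    samples = {
        "full-size, DF set": build_ipv4(1500, FLAG_DF, 0),
        "first fragment": build_ipv4(1500, FLAG_MF, 0),
        "last fragment": build_ipv4(60, 0, 185),
        "short segment": build_ipv4(1400, FLAG_DF, 0),
    }
    for label, pkt in samples.items():
        print("%-18s %s" % (label, explain(ip_fragment_info(pkt))))
```

    To feed it real data, write the capture with `tcpdump -w`, read it back with any pcap reader and hand the IPv4 header bytes (after the Ethernet header) to `ip_fragment_info`.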
  52. Re: Smart Dashboard login issue R77.30 open server.

    Are you sure it was configured as management only and not management+gateway? What does command fw stat show?

    If it is just management, is process fwm up and running? ps -ef | grep fwm If not...
  53. Re: Asymmetric Routing when accessing gateway cluster members?

    OK so is the cluster healthy? Is it reporting active/standby when running cphaprob stat? How about cphaprob -a if, is the sync interface detected and working?
  54. Re: Asymmetric Routing when accessing gateway cluster members?

    When making SSH/HTTPS connections to the cluster members, make sure you are using the dedicated/fixed IP address on the firewall interface "facing" (or closest to) where the SSH/HTTPS is being...
  55. Re: The Old Guard at CPX360 Barcelona (2 replies, 253 views)

    Got to meet Bhav and Val in person for the first time, and had a great time in Barcelona!
  56. Re: Anyone attending CPX360 2018? (12 replies, 1,096 views)

    Barcelona and Vegas for me, and I'll be presenting.
  57. Re: Database Revision Ques (9 replies, 1,259 views)

    Restoring a revision in R77.30 only reverts the configuration on the SMS, it does not change anything on the gateways until policy is reinstalled to them. So restoring a database revision will undo...
  58. Re: "Max Power" Book Second Edition Released!

    The book was created via the publisher CreateSpace which is a division of Amazon, so the only format directly allowed for handheld readers is for Kindles (as you might suspect). Unfortunately the...
  59. Re: Goodbye Check Point, hello Guardicore, wish me luck, etc

    Good luck Val, and I'll see you at CPX Barcelona!
  60. "Max Power" Book Second Edition Released!

    The second edition of my book "Max Power: Check Point Firewall Performance Optimization" has been released. Fully updated for R80.10, this edition includes several new chapters along with a new...
  61. Re: CCSM exam materials (5 replies, 718 views)

    The CCSM book is the lecture material and lab exercises used by an ATC to run an official CCSM class attended by students. There can sometimes be special areas of emphasis in the courseware vs. the...
  62. Re: Hide NAT Address Range (9 replies, 1,186 views)

    I believe you are referring to the static pre-allocation of available Hide NAT ports amongst the various CoreXL Firewall Workers. Quoted from the second edition of my book:



    If it is not that,...
  63. Re: Intel CPU kernel bug FAQ: Fix for massive security flaw could slow down PCs and M

    Check Point just posted their response to this:

    sk122205: Check Point Response to Meltdown and Spectre (CVE-2017-5753, CVE-2017-5715, CVE-2017-5754)
  64. Re: CCSM exam materials (5 replies, 718 views)

    Start here:

    https://www.checkpoint.com/downloads/professional-services/training/SecurityMasterStudyGuide.pdf

    Some Check Point ATCs may have residual hardcopy CCSM coursebooks, there are two...
  65. Re: Hide NAT Address Range (9 replies, 1,186 views)

    Yes what I call a "many to fewer" Hide NAT has been possible since R75, and is presented in my new book in the context of avoiding the 50k concurrent connection limit through a single Hide NAT...
  66. Re: R80.10 in VMware (25 replies, 1,859 views)

    Will the reimage process be quantum-locked and only able to move forward if it is not currently being observed by any living entity (or another reimage process)? Might make one weep...
  67. Re: Checkpoint CPU question (5 replies, 662 views)

    1) Hmm really should install the latest GA Jumbo HFA for R77.30 (Take 286) but not really required to help solve your performance problem given the limited number of blades you have enabled.

    2) So...
  68. Re: Checkpoint CPU question (5 replies, 662 views)

    1) Right there is your main issue. SecureXL is on but you are getting practically zero acceleration or templating. Maybe something we can fix and improve performance quite a bit, please provide...
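    An added example (mine, not from the posts or from Check Point) for reading the `fwaccel stats -s` output that reply 8 interprets ("75% accelerated, 23% Medium Path") and that this reply uses to spot "practically zero acceleration": it parses the counters, computes the fast/medium/slow path shares from the raw packet counts rather than the rounded percentages printed, and returns a rough verdict. Both captures are constructed samples in the layout of `fwaccel stats -s` on R77.30; the 5% and 50% cut-offs in `diagnose` are my assumptions, not documented thresholds.

```python
import re

# Constructed sample resembling a healthy gateway (figures invented).
SAMPLE_FWACCEL_GOOD = """\
Accelerated conns/Total conns : 1560/2000 (78%)
Accelerated pkts/Total pkts   : 7540000/10000000 (75%)
F2Fed pkts/Total pkts   : 160000/10000000 (1%)
PXL pkts/Total pkts   : 2300000/10000000 (23%)
QXL pkts/Total pkts   : 0/10000000 (0%)
"""

# Constructed sample resembling "SecureXL on, nothing accelerated" (figures invented).
SAMPLE_FWACCEL_POOR = """\
Accelerated conns/Total conns : 2/2000 (0%)
Accelerated pkts/Total pkts   : 10000/10000000 (0%)
F2Fed pkts/Total pkts   : 9900000/10000000 (99%)
PXL pkts/Total pkts   : 90000/10000000 (0%)
QXL pkts/Total pkts   : 0/10000000 (0%)
"""

LINE_RE = re.compile(r"^(?P<name>.+?)\s*:\s*(?P<num>\d+)/(?P<den>\d+)")


def parse_fwaccel_stats(text):
    """Return {'Accelerated pkts': (num, den), 'F2Fed pkts': (num, den), ...}."""
    out = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            key = m.group("name").split("/")[0].strip()  # drop the '/Total ...' part
            out[key] = (int(m.group("num")), int(m.group("den")))
    return out


def path_breakdown(stats):
    """Share of packets per SecureXL path: fast (fully accelerated), medium (PXL),
    slow (F2F, handled entirely by the Firewall Workers) and QXL."""
    def pct(key):
        num, den = stats.get(key, (0, 0))
        return round(100.0 * num / den, 1) if den else 0.0
    return {"fast": pct("Accelerated pkts"), "medium": pct("PXL pkts"),
            "slow": pct("F2Fed pkts"), "qxl": pct("QXL pkts")}


def diagnose(stats, low_fast=5.0, high_slow=50.0):
    """Rough verdict from the path shares; the cut-offs are assumed, not documented."""
    paths = path_breakdown(stats)
    conns, total = stats.get("Accelerated conns", (0, 0))
    conns_pct = round(100.0 * conns / total, 1) if total else 0.0
    if paths["fast"] < low_fast and paths["slow"] > high_slow:
        verdict = ("SecureXL is on but almost nothing is accelerated; check fwaccel stat "
                   "for what is disabling acceleration or templating")
    elif paths["slow"] > 20.0:
        verdict = "high F2F share; look for rules or features forcing the slow path"
    else:
        verdict = "acceleration looks healthy"
    return {"paths": paths, "accelerated_conns_pct": conns_pct, "verdict": verdict}


if __name__ == "__main__":
    for label, text in (("good", SAMPLE_FWACCEL_GOOD), ("poor", SAMPLE_FWACCEL_POOR)):
        d = diagnose(parse_fwaccel_stats(text))
        print("%s: fast %.1f%% medium %.1f%% slow %.1f%% | conns %.1f%% | %s" % (
            label, d["paths"]["fast"], d["paths"]["medium"], d["paths"]["slow"],
            d["accelerated_conns_pct"], d["verdict"]))
```

    The counters are cumulative since SecureXL was last started, so for a "slow right now" question compare two captures a few minutes apart the same way as with NIC counters.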
  69. Re: R80.10 in VMware (25 replies, 1,859 views)

    Isn't that part of the CDT?

    sk111158: Central Deployment Tool (CDT)
  70. Re: Checkpoint CPU question (5 replies, 662 views)

    Firewall code & HFA version?

    Also if you provide the output of all these commands I should be able to provide some advice:

    fwaccel stat
    fwaccel stats -s
    fw ctl affinity -l -r
    sim affinity -l...
  71. Re: Java Process Consuming High CPU in R80 (32 replies, 5,023 views)

    Plenty of RAM, no swap space usage. This assumes of course that the Smart-1 has not been rebooted since the last slow period(s).



    A total of 43.61% CPU time is nice'd (has a lower priority) in...
  72. Re: Java Process Consuming High CPU in R80 (32 replies, 5,023 views)

    Please provide output of following (ideally while access is slow):

    free -m
    mpstat 2 5
    iostat 2 5
    /sbin/cpuinfo
  73. Re: legacy client auth connectivity HTTPS

    Yeah my guess is that the firewall's certificate is signed with SHA1 and the user's browser won't allow it.
  74. Re: Checkpoint to Fortigate IPSEC tunnel (SPIs being deleted)

    So the Fortinet by default will try to roll-up/aggregate multiple Phase 2 tunnels into a 0.0.0.0/0 universal tunnel and that's why it was deleting the SAs. As I mentioned above it must try to do...
  75. Sticky: Re: Latest CCSA R80 exam information (9 replies, 2,441 views)

    Check Point discontinued physical coursebooks at the end of February this year, prior to that the student could choose either hardcopy or e-copy. The e-kits are DRM-protected and must be viewed in...
  76. Re: Freezes/Lock-Out on our firewall that have CP puzzled.

    You've received plenty of them along with a fair amount of speculation. There have been requests to run commands and post their output here and to check certain things, and you've mostly ignored...
  77. Re: Freezes/Lock-Out on our firewall that have CP puzzled.

    Domain objects are terrible and can easily cause problems like this, try to move rules using them as far down as possible in the policy to avoid problems. The handling of domain objects was...
  78. Re: Java Process Consuming High CPU in R80 (32 replies, 5,023 views)

    Personally I wouldn't want to do R80+ management on anything lower than a Smart-1 225 which has 4 cores and 16GB of RAM. It will certainly work on a Smart-1 205 or 210 but the performance will not...
  79. Re: Freezes/Lock-Out on our firewall that have CP puzzled.

    Try turning off SecureXL during a problem period (fwaccel off) and see if that instantly resolves it, that helps pin down specifically where the problem is. You could preemptively turn it off and...
  80. Re: Freezes/Lock-Out on our firewall that have CP puzzled.

    Default ARP cache size is 4096 in modern Gaia versions and should not be increased unless necessary.

    Overall this just smells like a network-level issue which can stymie Check Point support...
  81. Re: Freezes/Lock-Out on our firewall that have CP puzzled.

    This sounds like it might be an ARP/network issue, read on...



    Just because tcpdump shows traffic hitting an interface does not mean that Gaia picked up the packet off the wire and processed it,...
  82. Re: IPsec VPN with Palo Alto Firewall (6 replies, 1,000 views)

    What are the Proxy-IDs configured under "IPSec Tunnel" on the Palo Alto end? If there aren't any I think it will try to do a universal tunnel (0.0.0.0/0).

    Pretty sure the Palo Alto handles Phase...
  83. Re: Java Process Consuming High CPU in R80 (32 replies, 5,023 views)

    This tool was included in R77.30, so it should be in R80 as well, just run CPLogInvestigator. It will cause a bit of load, but only on the Security Management Server which won't affect the gateways....
  84. Re: Not responding to arp-who-has (13 replies, 854 views)

    I plan to attend CPX Vegas, whether it will be as more than just an attendee remains to be seen. :-)
  85. Re: Not responding to arp-who-has (13 replies, 854 views)

    Great, thanks for the update!
  86. Re: Not responding to arp-who-has (13 replies, 854 views)

    Because the outbound connections are all almost certainly being hidden behind the firewall's NIC address. It will always respond for that one.
  87. Re: Not responding to arp-who-has (13 replies, 854 views)

    Turn off clustering from cpconfig. You accidentally enabled it.
  88. Re: HELP - dropped by fw_runfilter_ex Reason: F_INDOM

    Don't use domain objects. Their implementation has been improved somewhat in R80.10 but I've been burned enough times over the years to just avoid them as a matter of course.
  89. Re: VPN IP renew 900 seconds (2 replies, 321 views)

    VPN clients can go away at any time without logging off and performing an explicit release, which is why the value is so low by default. To change it go to your gateway object in the SmartDashboard...
  90. Re: Well Hello There! (3 replies, 434 views)

    Welcome, feel free to jump in and participate!
  91. Re: R80: object explorer: unused objects

    Yes the automatic NAT rule was always deleted, but I've seen that break other things. Even if the unused object was not referenced anywhere, its NAT was actually needed for something else to work.
  92. Re: fw ctl zdebug command question (9 replies, 616 views)

    If you happen to know the Firewall Worker instance number you want to monitor (fw ctl affinity -l -r), you can also confine the zdebug to a particular Firewall Worker core like this:

    fw -i...
  93. Re: R80: object explorer: unused objects

    As Tomer says, the unused objects are safe to delete in R80+ management.

    However in R77.30 and earlier management a nasty situation I've run into before is having an object come up as unused, and...
  94. Re: Slow SSL VPN Reason (7 replies, 499 views)

    Sort of, IPSec VPNs can potentially be handled by SecureXL in the Accelerated Path while SSL cannot which may have accounted for some of the discrepancy you observed. Also SSL imposes an additional...
  95. Re: Slow SSL VPN Reason (7 replies, 499 views)

    The situation is much better now due to Multicore SSL which was introduced in R77.20, and multicore IPSec VPN introduced in R80.10. Prior to these features only one Firewall Worker core (CoreXL...
  96. Re: Checkpoint to Fortigate IPSEC tunnel (SPIs being deleted)

    Thanks for the tip, I remember trying to get zdebug to output timestamps at some point in the past and failing. Pretty sure that attempt was for a release older than R77.30 though.
  97. Re: Java Process Consuming High CPU in R80 (32 replies, 5,023 views)

    The CPLogInvestigator tool presents much more polished statistics:

    [Expert@fw:0]# CPLogInvestigator


    Thank you for using log investigator tool.
    ...
  98. Re: Checkpoint to Fortigate IPSEC tunnel (SPIs being deleted)

    I don't think zdebug itself can print timestamps. So either you could do a full debug with the drop flag (fw ctl debug 0; fw ctl debug -buf 32000; fw ctl debug -m fw + drop; fw ctl kdebug -T -f >...
  99. Re: Checkpoint to Fortigate IPSEC tunnel (SPIs being deleted)

    Not a bad idea to try enabling it at least, since the Fortigate is asking for it in IKE Phase 1 packet 1. Having DPD active can help correct certain situations and this might be one of them.


    ...
  100. Re: Checkpoint to Fortigate IPSEC tunnel (SPIs being deleted)

    OK looked at the IKE.elg with ikeview, couple of observations in order of likelihood:

    1) There are multiple Phase 2 tunnels starting for all the different combinations of subnets/Proxy-IDs. I...
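    An added example (mine, not from the thread and not any vendor's code) modelling the Phase 2 Proxy-ID behaviour discussed in replies 48, 74, 82 and 100: Check Point proposes one SA per (local subnet, remote subnet) pair from the two encryption domains, a strict peer accepts a proposal only when it exactly matches one of its configured Proxy-ID pairs, and a peer that has rolled its tunnels up into 0.0.0.0/0 (or a supernet) will reject every per-subnet proposal under exact matching. The encryption domains, the peer configurations and the "strict versus containment" switch are assumptions used to illustrate the mismatch, not a description of any vendor's implementation.

```python
import ipaddress
from itertools import product


def cidr(s):
    """Normalise a string to an ip_network (host bits tolerated, e.g. '10.1.1.5/24')."""
    return ipaddress.ip_network(s, strict=False)


def per_subnet_pairs(local_domain, remote_domain):
    """Proposals a Check Point gateway makes with per-subnet Phase 2 (assumed default):
    one (local, remote) pair per combination, which is why a handful of subnets on
    each side turns into many separate Phase 2 SAs."""
    return sorted({(str(cidr(l)), str(cidr(r))) for l, r in product(local_domain, remote_domain)})


def universal_pair():
    """What a peer ends up with when it aggregates everything into one tunnel."""
    return ("0.0.0.0/0", "0.0.0.0/0")


def peer_accepts(proposed, peer_proxy_ids, exact_match=True):
    """Map each proposed (our_local, our_remote) pair to whether the peer accepts it.

    peer_proxy_ids are written from the peer's point of view as (peer_local, peer_remote),
    so our local must line up with the peer's remote and vice versa.
    exact_match=True models the strict vendors named in the thread; False models a peer
    that accepts a proposal contained within one of its configured pairs.
    """
    results = {}
    for loc, rem in proposed:
        ours_l, ours_r = cidr(loc), cidr(rem)
        accepted = False
        for ploc, prem in peer_proxy_ids:
            peer_l, peer_r = cidr(ploc), cidr(prem)
            if exact_match:
                accepted = (ours_l == peer_r and ours_r == peer_l)
            else:
                accepted = ours_l.subnet_of(peer_r) and ours_r.subnet_of(peer_l)
            if accepted:
                break
        results[(loc, rem)] = accepted
    return results


def rejected(proposed, peer_proxy_ids, exact_match=True):
    """Just the pairs the peer would refuse, i.e. the SAs that will fail or get torn down."""
    return [p for p, ok in peer_accepts(proposed, peer_proxy_ids, exact_match).items() if not ok]


if __name__ == "__main__":
    # Constructed encryption domains: two subnets behind the Check Point, one behind the peer.
    cp_domain = ["10.1.0.0/24", "10.1.1.0/24"]
    peer_domain = ["192.168.50.0/24"]
    proposals = per_subnet_pairs(cp_domain, peer_domain)
    print("Check Point proposes %d Phase 2 pair(s): %s" % (len(proposals), proposals))

    scenarios = {
        "peer configured with the exact /24s": [("192.168.50.0/24", "10.1.0.0/24"),
                                                 ("192.168.50.0/24", "10.1.1.0/24")],
        "peer configured with a /23 supernet": [("192.168.50.0/24", "10.1.0.0/23")],
        "peer rolled up to 0.0.0.0/0": [universal_pair()],
    }
    for label, peer_ids in scenarios.items():
        strict = rejected(proposals, peer_ids, exact_match=True)
        lenient = rejected(proposals, peer_ids, exact_match=False)
        print("%-40s strict peer rejects %d, lenient peer rejects %d" % (label, len(strict), len(lenient)))
```

    The fix on the Check Point side for a strict peer is to make the two Proxy-ID sets identical (per-subnet on both ends, or one aggregated pair on both ends), not to hope the peer tolerates containment.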
Results 1 to 100 of 498