CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Tim Hall has done it again! He has just released the 2nd edition of "Max Power".
Rather than get into details here, I urge you to check out this announcement post.
It's a massive upgrade, and well worth checking out. -E


Search results: posts by user ShadowPeak.com


  1. Re: Something weird issue with mssql connection

    You'll need to run a tcpdump on the firewall's external interface with -e filtered for port 1433 and arp. Is the port 1433 packet leaving? Was it NATted as expected? Is the firewall answering the...
  2. Re: Dual NAT (Replies: 6, Views: 134)

    I'm assuming the term "dual NAT" is being used to describe the NATing of both source and destination IP address in the same packet. This is referred to as "bi-directional NAT" when it happens with...
  3. Re: Strange connection disruption 30minutes + after policy install

    You can do it beforehand but disabling SecureXL on a firewall with 8 or more cores without a good reason is a bit risky, as it may cause a noticeable performance impact. I think it would be better...
  4. Re: Strange connection disruption 30minutes + after policy install

    Could be, as a recalculation of most tables held by SecureXL is performed at that time. I'd try the fwaccel off trick immediately after policy install to help isolate the issue.
  5. Re: Strange connection disruption 30minutes + after policy install

    Please PM me and I'll send you the presentation. After CPX Bangkok it will be publicly posted.
  6. Re: Strange connection disruption 30minutes + after policy install

    Your first order of business is trying to determine if the stoppage is a Gaia issue (ARP, routing, NIC card, etc.) or a Check Point issue (SecureXL, INSPECT, NAT, ClusterXL, etc). In other which...
  7. Re: MTU issues: packets are always fragmented by firewall!

    I stand corrected, got this situation confused with TSO issues mentioned in sk41942. Very bad memories of that one, enough to briefly mention it in my book.
  8. Re: MTU issues: packets are always fragmented by firewall!

    Er yes that is by design, MTU stands for Maximum Transmission Unit. It only controls the frame size for frames leaving/transmitting. Incoming frames can be larger than the MTU and will be accepted...
  9. Re: Anyone attending CPX360 2018? (Replies: 12, Views: 469)

    Uh, I cannot confirm nor deny your assertion. Must have been hypnotized by the Blue Man Group show last night...

    I'm at CPX360 Vegas right now and will be kicking off the CheckMates Community Use...
  10. Re: Urgent problem with checkpoint to fortigate VPN

    Good summary, in general Juniper/Fortinet/Sonicwall are very picky about the Proxy-IDs (subnets) they will accept in a Phase 2 proposal, and it must be an exact match. Check Point and Cisco do not...
  11. Re: Installation failed. Reason: Load on module failed - no memory

    This is a rather generic error message indicating that the firewall could not complete the atomic load of the policy into the kernel for some reason. It could be due to lack of memory on the...
  12. Re: MTU issues: packets are always fragmented by firewall!

    Must be some function of IPS, try running ips off and retest to see if the reduction in packet size persists. Don't forget to turn IPS back on with ips on when you are done!
  13. Re: MTU issues: packets are always fragmented by firewall!

    Assuming your tcpdump output is accurate, IP did not fragment the packets because the offset field for all the packets you think are fragmented is zero. My guess is the TCP segments within were...
  14. Re: Smart Dashboard login issue R77.30 open server.

    Are you sure it was configured as management only and not management+gateway? What does command fw stat show?

    If it is just management, is process fwm up and running? ps -ef | grep fwm If not...
  15. Re: Asymmetric Routing when accessing gateway cluster members?

    OK so is the cluster healthy? Is it reporting active/standby when running cphaprob stat? How about cphaprob -a if, is the sync interface detected and working?
  16. Re: Asymmetric Routing when accessing gateway cluster members?

    When making SSH/HTTPS connections to the cluster members, make sure you are using the dedicated/fixed IP address on the firewall interface "facing" (or closest to) where the SSH/HTTPS is being...
  17. Re: The Old Guard at CPX360 Barcelona (Replies: 2, Views: 180)

    Got to meet Bhav and Val in person for the first time, and had a great time in Barcelona!
  18. Re: Anyone attending CPX360 2018? (Replies: 12, Views: 469)

    Barcelona and Vegas for me, and I'll be presenting.
  19. Re: Database Revision Ques (Replies: 9, Views: 1,085)

    Restoring a revision in R77.30 only reverts the configuration on the SMS, it does not change anything on the gateways until policy is reinstalled to them. So restoring a database revision will undo...
  20. Re: "Max Power" Book Second Edition Released!

    The book was created via the publisher CreateSpace which is a division of Amazon, so the only format directly allowed for handheld readers is for Kindles (as you might suspect). Unfortunately the...
  21. Re: Goodbye Check Point, hello Guardicore, wish me luck, etc

    Good luck Val, and I'll see you at CPX Barcelona!
  22. "Max Power" Book Second Edition Released!

    The second edition of my book "Max Power: Check Point Firewall Performance Optimization" has been released. Fully updated for R80.10, this edition includes several new chapters along with a new...
  23. Re: CCSM exam materials (Replies: 5, Views: 324)

    The CCSM book is the lecture material and lab exercises used by an ATC to run an official CCSM class attended by students. There can sometimes be special areas of emphasis in the courseware vs. the...
  24. Re: Hide NAT Address Range (Replies: 9, Views: 887)

    I believe you are referring to the static pre-allocation of available Hide NAT ports amongst the various CoreXL Firewall Workers. Quoted from the second edition of my book:



    If it is not that,...
  25. Re: Intel CPU kernel bug FAQ: Fix for massive security flaw could slow down PCs and M

    Check Point just posted their response to this:

    sk122205: Check Point Response to Meltdown and Spectre (CVE-2017-5753, CVE-2017-5715, CVE-2017-5754)
  26. Re: CCSM exam materials (Replies: 5, Views: 324)

    Start here:

    https://www.checkpoint.com/downloads/professional-services/training/SecurityMasterStudyGuide.pdf

    Some Check Point ATCs may have residual hardcopy CCSM coursebooks, there are two...
  27. Re: Hide NAT Address Range (Replies: 9, Views: 887)

    Yes what I call a "many to fewer" Hide NAT has been possible since R75, and is presented in my new book in the context of avoiding the 50k concurrent connection limit through a single Hide NAT...
  28. Re: R80.10 in VMware (Replies: 25, Views: 1,107)

    Will the reimage process be quantum-locked and only able to move forward if it is not currently being observed by any living entity (or another reimage process)? Might make one weep...
  29. Re: Checkpoint CPU question (Replies: 5, Views: 488)

    1) Hmm really should install the latest GA Jumbo HFA for R77.30 (Take 286) but not really required to help solve your performance problem given the limited number of blades you have enabled.

    2) So...
  30. Re: Checkpoint CPU question (Replies: 5, Views: 488)

    1) Right there is your main issue. SecureXL is on but you are getting practically zero acceleration or templating. Maybe something we can fix and improve performance quite a bit, please provide...
  31. Re: R80.10 in VMware (Replies: 25, Views: 1,107)

    Isn't that part of the CDT?

    sk111158: Central Deployment Tool (CDT)
  32. Re: Checkpoint CPU question (Replies: 5, Views: 488)

    Firewall code & HFA version?

    Also if you provide the output of all these commands I should be able to provide some advice:

    fwaccel stat
    fwaccel stats -s
    fw ctl affinity -l -r
    sim affinity -l...
  33. Re: Java Process Consuming High CPU in R80 (Replies: 31, Views: 3,770)

    Plenty of RAM, no swap space usage. This assumes of course that the Smart-1 has not been rebooted since the last slow period(s).



    A total of 43.61% CPU time is nice'd (has a lower priority) in...
  34. Re: Java Process Consuming High CPU in R80 (Replies: 31, Views: 3,770)

    Please provide output of following (ideally while access is slow):

    free -m
    mpstat 2 5
    iostat 2 5
    /sbin/cpuinfo
  35. Re: legacy client auth connectivity HTTPS

    Yeah my guess is that the firewall's certificate is signed with SHA1 and the user's browser won't allow it.
  36. Re: Checkpoint to Fortigate IPSEC tunnel (SPIs being deleted)

    So the Fortinet by default will try to roll-up/aggregate multiple Phase 2 tunnels into a 0.0.0.0/0 universal tunnel and that's why it was deleting the SAs. As I mentioned above it must try to do...
  37. Sticky: Re: Latest CCSA R80 exam information (Replies: 9, Views: 1,972)

    Check Point discontinued physical coursebooks at the end of February this year, prior to that the student could choose either hardcopy or e-copy. The e-kits are DRM-protected and must be viewed in...
  38. Re: Freezes/Lock-Out on our firewall that have CP puzzled.

    You've received plenty of them along with a fair amount of speculation. There have been requests to run commands and post their output here and to check certain things, and you've mostly ignored...
  39. Re: Freezes/Lock-Out on our firewall that have CP puzzled.

    Domain objects are terrible and can easily cause problems like this, try to move rules using them as far down as possible in the policy to avoid problems. The handling of domain objects was...
  40. Re: Java Process Consuming High CPU in R80 (Replies: 31, Views: 3,770)

    Personally I wouldn't want to do R80+ management on anything lower than a Smart-1 225 which has 4 cores and 16GB of RAM. It will certainly work on a Smart-1 205 or 210 but the performance will not...
  41. Re: Freezes/Lock-Out on our firewall that have CP puzzled.

    Try turning off SecureXL during a problem period (fwaccel off) and see if that instantly resolves it, that helps pin down specifically where the problem is. You could preemptively turn it off and...
  42. Re: Freezes/Lock-Out on our firewall that have CP puzzled.

    Default ARP cache size is 4096 in modern Gaia versions and should not be increased unless necessary.

    Overall this just smells like a network-level issue which can stymie Check Point support...
  43. Re: Freezes/Lock-Out on our firewall that have CP puzzled.

    This sounds like it might be a ARP/network issue, read on...



    Just because tcpdump shows traffic hitting an interface does not mean that Gaia picked up the packet off the wire and processed it,...
  44. Re: IPsec VPN with Palo Alto Firewall (Replies: 6, Views: 509)

    What are the Proxy-IDs configured under "IPSec Tunnel" on the Palo Alto end? If there aren't any I think it will try to do a universal tunnel (0.0.0.0/0).

    Pretty sure the Palo Alto handles Phase...
  45. Re: Java Process Consuming High CPU in R80 (Replies: 31, Views: 3,770)

    This tool was included in R77.30, so it should be in R80 as well, just run CPLogInvestigator. It will cause a bit of load, but only on the Security Management Server which won't affect the gateways....
  46. Re: Not responding to arp-who-has (Replies: 13, Views: 674)

    I plan to attend CPX Vegas, whether it will be as more than just an attendee remains to be seen. :-)
  47. Re: Not responding to arp-who-has (Replies: 13, Views: 674)

    Great, thanks for the update!
  48. Re: Not responding to arp-who-has (Replies: 13, Views: 674)

    Because the outbound connections are all almost certainly being hidden behind the firewall's NIC address. It will always respond for that one.
  49. Re: Not responding to arp-who-has (Replies: 13, Views: 674)

    Turn off clustering from cpconfig. You accidentally enabled it.
  50. Re: HELP - dropped by fw_runfilter_ex Reason: F_INDOM

    Don't use domain objects. Their implementation has been improved somewhat in R80.10 but I've been burned enough times over the years to just avoid them as a matter of course.
  51. Re: VPN IP renew 900 seconds (Replies: 2, Views: 219)

    VPN clients can go away at any time without logging off and performing an explicit release, which is why the value is so low by default. To change it go to your gateway object in the SmartDashboard...
  52. Re: Well Hello There! (Replies: 3, Views: 301)

    Welcome, feel free to jump in and participate!
  53. Re: R80: object explorer: unused objects

    Yes the automatic NAT rule was always deleted, but I've seen that break other things. Even if the unused object was not referenced anywhere, its NAT was actually needed for something else to work.
  54. Re: fw ctl zdebug command question (Replies: 9, Views: 435)

    If you happen to know the Firewall Worker instance number you want to monitor (fw ctl affinity -l -r), you can also confine the zdebug to a particular Firewall Worker core like this:

    fw -i...
  55. Re: R80: object explorer: unused objects

    As Tomer says, the unused objects are safe to delete in R80+ management.

    However in R77.30 and earlier management a nasty situation I've run into before is having an object come up as unused, and...
  56. Re: Slow SSL VPN Reason (Replies: 7, Views: 316)

    Sort of, IPSec VPNs can potentially be handled by SecureXL in the Accelerated Path while SSL cannot which may have accounted for some of the discrepancy you observed. Also SSL imposes an additional...
  57. Re: Slow SSL VPN Reason (Replies: 7, Views: 316)

    The situation is much better now due to Multicore SSL which was introduced in R77.20, and multicore IPSec VPN introduced in R80.10. Prior to these features only one Firewall Worker core (CoreXL...
  58. Re: Checkpoint to Fortigate IPSEC tunnel (SPIs being deleted)

    Thanks for the tip, I remember trying to get zdebug to output timestamps at some point in the past and failing. Pretty sure that attempt was for a release older than R77.30 though.
  59. Re: Java Process Consuming High CPU in R80 (Replies: 31, Views: 3,770)

    The CPLogInvestigator tool presents much more polished statistics:

    [Expert@fw:0]# CPLogInvestigator


    Thank you for using log investigator tool.
    ...
  60. Re: Checkpoint to Fortigate IPSEC tunnel (SPIs being deleted)

    I don't think zdebug itself can print timestamps. So either you could do a full debug with the drop flag (fw ctl debug 0; fw ctl debug -buf 32000; fw ctl debug -m fw + drop; fw ctl kdebug -T -f >...
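Added example (editor's code, not the poster's): a small Python 3 script that post-processes `fw ctl zdebug drop` output along the lines discussed in items 50, 54 and 60 above. It groups drops by Firewall Worker instance (the `[fw4_N]` tag, which is what you would then pass to a per-instance `fw -i N ctl zdebug`), by drop reason and by destination flow, and it can prepend a wall-clock timestamp to each line as it is read from a pipe, since zdebug itself prints none. The sample lines are constructed to resemble the zdebug drop record shape and are not captured from a real gateway; the exact field layout varies by release, so the regex is an assumption to be adjusted against your own output.

```python
import re
import sys
import time
from collections import Counter

# Constructed sample lines approximating the shape of `fw ctl zdebug drop`
# records (assumption: not captured from a real gateway, layout varies by release).
SAMPLE_LINES = [
    ";[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=6 192.0.2.10:51234 -> 198.51.100.5:1433 dropped by fw_runfilter_ex Reason: F_INDOM;",
    ";[cpu_3];[fw4_1];fw_log_drop_ex: Packet proto=6 192.0.2.11:51235 -> 198.51.100.5:1433 dropped by fw_runfilter_ex Reason: F_INDOM;",
    ";[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=17 192.0.2.12:40000 -> 198.51.100.20:53 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 12;",
    ";[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=6 192.0.2.10:51240 -> 198.51.100.5:1433 dropped by fw_runfilter_ex Reason: F_INDOM;",
    "Defaulting all kernel debugging options",  # noise line, not a drop record
]

# One drop record: worker instance tag, 5-tuple, dropping function and reason text.
DROP_RE = re.compile(
    r"\[(?P<worker>fw4_\d+)\];.*?Packet proto=(?P<proto>\d+)\s+"
    r"(?P<src>[0-9.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[0-9.]+):(?P<dport>\d+)"
    r"\s+dropped by (?P<func>\S+)\s+Reason:\s*(?P<reason>.*?);?\s*$"
)


def parse_drop(line):
    """Return a dict for a drop record, or None for lines that are not drops."""
    m = DROP_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def summarize(lines):
    """Aggregate drops by worker instance, by reason and by (proto, dst, dport, func)."""
    by_reason, by_worker, by_flow = Counter(), Counter(), Counter()
    parsed = 0
    for line in lines:
        rec = parse_drop(line)
        if rec is None:
            continue
        parsed += 1
        by_reason[rec["reason"]] += 1
        by_worker[rec["worker"]] += 1
        by_flow[(rec["proto"], rec["dst"], rec["dport"], rec["func"])] += 1
    return {"parsed": parsed, "by_reason": by_reason,
            "by_worker": by_worker, "by_flow": by_flow}


def stamp(lines, clock=time.time):
    """Prefix each line with the wall-clock time at which it was read.

    zdebug emits no timestamps of its own, so piping it through this gives a
    rough timeline (subject to pipe buffering, so use it for minutes-scale
    correlation, e.g. with a policy install, not for sub-second ordering)."""
    for line in lines:
        when = time.strftime("%H:%M:%S", time.localtime(clock()))
        yield "%s %s" % (when, line.rstrip("\n"))


if __name__ == "__main__":
    # Usage:  fw ctl zdebug drop | python3 zdebug_summ.py --stamp   (live timeline)
    #         python3 zdebug_summ.py < saved_zdebug.txt             (summary)
    if "--stamp" in sys.argv:
        for out in stamp(sys.stdin):
            print(out, flush=True)
    else:
        src = SAMPLE_LINES if sys.stdin.isatty() else sys.stdin
        s = summarize(src)
        print("parsed drop records:", s["parsed"])
        for name in ("by_worker", "by_reason", "by_flow"):
            print(name)
            for key, n in s[name].most_common():
                print("  %6d  %s" % (n, key))
```

Run it with no input to see the summary of the constructed sample; the `by_worker` counts tell you which instance to target with a per-instance zdebug, and `by_flow` surfaces the destination/port/dropping-function combination worth chasing first.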
  61. Re: Checkpoint to Fortigate IPSEC tunnel (SPIs being deleted)

    Not a bad idea to try enabling it at least, since the Fortigate is asking for it in IKE Phase 1 packet 1. Having DPD active can help correct certain situations and this might be one of them.


    ...
  62. Re: Checkpoint to Fortigate IPSEC tunnel (SPIs being deleted)

    OK looked at the IKE.elg with ikeview, couple of observations in order of likelihood:

    1) There are multiple Phase 2 tunnels starting for all the different combinations of subnets/Proxy-IDs. I...
  63. Re: Question regarding failover in ClusterXL (and not only)

    Don't worry the second edition of Max Power will remind you, :-) I call process space on the firewall the "fourth path" (in addition to SXL, PXL & F2F) and will be covering it extensively.
  64. Re: CZ/GR Greetings (Replies: 2, Views: 349)

    Welcome! Feel free to jump in and participate.
  65. Re: Question regarding failover in ClusterXL (and not only)

    Anything being done in a user space process on the active firewall that fails will not survive the failover. Anything tracked in the kernel (which is most operations including all the ones you...
  66. Re: Checkpoint to Fortigate IPSEC tunnel (SPIs being deleted)

    Just because an external entity like Wireshark thinks a packet is malformed when encryption is involved is not enough to go on. Your packet capture doesn't help much because all Quick mode...
  67. Re: Checkpoint to Fortigate IPSEC tunnel (SPIs being deleted)

    Need to see overall packet flow of Quick Mode to know more. Are you saying that Phase 1 completes (6 packets), then Quick Mode/Phase 2 completes (3 packets) and then the malformed packet occurs?
    ...
  68. Re: DELL R630 Gaia R77.30 Fresh Install crash viewing Machine Info

    Almost certainly has something to do with the mass storage controller, any kind of compatibility mode or other options for it in the BIOS/setup? Somewhat related:

    I discovered while setting up my...
  69. Re: Benefits of enabling acceleration NAT templates

    This is covered in my book. Unless fwaccel stats -s shows that both Accelerated Conns AND Accelerated Packets are at least 50% (rare in most situations) there is little to be gained by enabling NAT...
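Added example (editor's code, not the poster's or Check Point's): a Python 3 parser for `fwaccel stats -s` output that recomputes the acceleration ratios from the raw counters rather than trusting the rounded percentage in parentheses, and applies the rule of thumb from the post above, that NAT templates are only worth enabling when both Accelerated conns and Accelerated pkts are at least 50%. The sample output is constructed to resemble the command's layout on R77.30/R80.10 and is not captured from a real gateway; adjust the line pattern if your release prints the counters differently.

```python
import re

# Constructed sample resembling `fwaccel stats -s` (assumption: shape only,
# not real counters from a gateway).
SAMPLE_OUTPUT = """\
Accelerated conns/Total conns : 1532/18790 (8%)
Accelerated pkts/Total pkts   : 410233/2950112 (13%)
F2Fed pkts/Total pkts   : 1205877/2950112 (40%)
PXL pkts/Total pkts   : 1334002/2950112 (45%)
QXL pkts/Total pkts   : 0/2950112 (0%)
"""

# "<name>/Total <unit> : <num>/<den> (<pct>%)"; the percentage is ignored on purpose.
LINE_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9 ]+?)/Total (?P<unit>conns|pkts)\s*:\s*(?P<num>\d+)/(?P<den>\d+)"
)


def parse_fwaccel_stats(text):
    """Return {metric name: (numerator, denominator)} from the raw counters."""
    stats = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            stats[m.group("name").strip()] = (int(m.group("num")), int(m.group("den")))
    return stats


def ratio(stats, name):
    """Percentage for one metric, computed from the counters; 0 if the total is 0."""
    num, den = stats[name]
    return 100.0 * num / den if den else 0.0


def nat_templates_worthwhile(stats, threshold=50.0):
    """The post's rule of thumb: only when BOTH accelerated conns and
    accelerated pkts reach the threshold is there much to gain from NAT templates."""
    return (ratio(stats, "Accelerated conns") >= threshold
            and ratio(stats, "Accelerated pkts") >= threshold)


def path_breakdown(stats):
    """Share of packets handled in the SXL, PXL and F2F paths, one decimal place."""
    return {name: round(ratio(stats, name), 1)
            for name in ("Accelerated pkts", "PXL pkts", "F2Fed pkts") if name in stats}


if __name__ == "__main__":
    # On a gateway:  fwaccel stats -s | python3 fwaccel_check.py
    import sys
    text = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    stats = parse_fwaccel_stats(text)
    print("packet path breakdown (%):", path_breakdown(stats))
    print("accelerated conns (%):", round(ratio(stats, "Accelerated conns"), 1))
    print("enable NAT templates?", "yes" if nat_templates_worthwhile(stats) else "no")
```

In the constructed sample most packets land in PXL and F2F, so the check answers "no"; that is the common case the post describes, where tuning what lands in F2F matters more than enabling NAT templates.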
  70. Re: Check Point 4800 on either end of 1gb FIOS. VPN Throughput question

    1Gbps of VPN throughput seems like a bit of a stretch to me for a 4800. A few notes that should help:

    1) I don't see how the box can be rated for 2Gbps AES VPN throughput when all IPSec VPN...
  71. Re: Non HTTP Traffic over HTTP port: Invalid character

    Were you able to check "Capture Packets" on the "HTTP on Non Standard Ports" signature and get a capture of the packet containing the offending character(s)? Do you know what actual illegal...
  72. Re: Java Process Consuming High CPU in R80 (Replies: 31, Views: 3,770)

    Just to clarify some earlier statements I made in this old thread, Check Point now explicitly DOES NOT recommend enabling SMT/Hyperthreading on the SMS, at least for certain Smart-1 appliances whose...
  73. Re: VPN star community but with per peer settings?

    The biggest reason route-based VPNs aren't used was their incompatibility with CoreXL. This limitation has finally been lifted for R80.10 gateway.
  74. Re: VPN drops *sometimes* when policy is pushed

    My guess is that the default flush of all IKE Phase 1 SAs upon policy push is causing this situation. If an IPSec Phase 2 tunnel happens to expire and the IKE Phase 1 tunnel is stuck or has not been...
  75. Anyone have experience with 40Gbit fiber cards for 15000/23000?

    An option on the new 15000 and 23000 series appliances is a 4x10Gbit fiber card:



    Does anyone have experience (good or bad) working with this relatively new NIC? Other than being mentioned in...
  76. Re: IPSec VPN - Unknown SPI for IPSec packet

    Please highlight tran1_key_ike in IKEView (this will show a breakdown of the transform set in the right-hand window) and take a screenshot for both packet 1 and packet 2.

    If you are failing...
  77. Re: Clish- Is it possible to make multiple commands on the same line?

    If you are trying to execute two separate clish commands and have them take effect at the same time as opposed to taking effect independently, you can use the "start transaction" and "commit"...
  78. Re: SmartEvent gone in R80 (Replies: 3, Views: 347)

    It has not been fully unified in the new SmartConsole, but it is definitely still there. See screenshot:

  79. Re: HW Balancer (Replies: 6, Views: 501)

    Firewall performance optimization is a tricky business as there are so many different places bottlenecks can occur. I'd suggest trying to tune what you have rather than redesigning your whole network. ...
  80. Re: Centrally managed 1490 - seriously screwed up control connections and VPN traffic

    Haha missed that one, good catch.
  81. Re: Centrally managed 1490 - seriously screwed up control connections and VPN traffic

    I'm not sure how a /32 is going to be handled by the "one VPN tunnel per subnet pair" default VPN Tunnel Sharing setting in the community for IKE Phase 2, since a /32 is not technically a subnet. ...
  82. Re: Confwiz or other tools for Cisco to Check Point migration

    Didn't believe it at first, but I just downloaded the R80.10 iso while being signed out from the Check Point User Center and it worked. Nice tip!
  83. Re: Third free "Max Power" Addendum with R80.10 Tips/Tricks Now Available!

    Yes, this works for both R77.30 and R80.10 gateway:


    echo sim_is_vpn_disabled=1 >> $PPKDIR/boot/modules/simkern.conf

    simkern.conf is the SecureXL equivalent of fwkern.conf and should be...
  84. Re: Third free "Max Power" Addendum with R80.10 Tips/Tricks Now Available!

    Still exploring the intricacies of this myself, everything I'm about to discuss below is still preliminary, my own opinion, and subject to change.



    I assume when you say "SecureXL instances"...
  85. Re: Confwiz or other tools for Cisco to Check Point migration

    Converting the NAT policy going from Cisco to Check Point has always been the hardest part about the conversion process. Hopefully at some point Security Zones will be supported for use in Check...
  86. Re: Confwiz or other tools for Cisco to Check Point migration

    First off, R75.45 is no longer supported. R77.30 is the oldest actively supported release.

    Check out the new SmartMove tool for easily converting Cisco configs to Check Point: sk115416: How to...
  87. Re: Centrally managed 1490 - seriously screwed up control connections and VPN traffic

    How many gateways is the R77.30 SMS managing? Is this 1490 now the second gateway being managed? If so you may have triggered what I call the "NAT Bomb" if you have left the Install on Gateway set...
  88. Re: Why CheckPoint is sending 0.0.0.0/ 0.0.0.0 Proxy ID to Cisco

    What is the error after Phase1 Main mode completes? No proposal chosen?
  89. Re: Why CheckPoint is sending 0.0.0.0/ 0.0.0.0 Proxy ID to Cisco

    Check Point to Cisco Interoperable VPN is the easiest combination to get working in my experience. Much easier than doing one with Juniper/Fortinet/Sonicwall which are ridiculously picky about Phase...
  90. Re: Why CheckPoint is sending 0.0.0.0/ 0.0.0.0 Proxy ID to Cisco

    You have "one VPN tunnel per gateway pair" set on the VPN Tunnel Sharing screen of your VPN community, or on the VPN Advanced screen of the Cisco Interoperable Device object.
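Added example (editor's code, not the poster's or Check Point's) tying together items 10, 36, 62, 81 and 90 above: given the two encryption domains and the VPN Tunnel Sharing setting, it enumerates the Proxy-ID pairs Quick Mode will try to negotiate, then checks them against what the peer has configured, once with the exact-match behaviour the post attributes to Juniper/Fortinet/SonicWall and once with a subset-match model. The subset model is an assumption standing in for the more lenient Check Point/Cisco behaviour the post mentions, not a description of either vendor's code; treating a /32 in the domain as a one-host subnet under "per subnet pair" is likewise an assumption. The domains and peer configurations are constructed.

```python
import ipaddress
from itertools import product

UNIVERSAL = ipaddress.ip_network("0.0.0.0/0")


def _nets(domain):
    return [ipaddress.ip_network(n) for n in domain]


def proxy_id_pairs(local_domain, peer_domain, sharing):
    """(local, remote) Proxy-ID pairs proposed for a VPN Tunnel Sharing setting.

    sharing == "gateway": one tunnel per gateway pair -> a single universal
                          0.0.0.0/0 <-> 0.0.0.0/0 pair (what item 90 describes)
    sharing == "subnet":  one tunnel per subnet pair (the default) -> one pair
                          per subnet combination; a /32 is treated as a one-host
                          subnet here (assumption, see item 81)
    """
    local, peer = _nets(local_domain), _nets(peer_domain)
    if sharing == "gateway":
        return [(UNIVERSAL, UNIVERSAL)]
    if sharing == "subnet":
        return sorted(product(local, peer))
    raise ValueError("unknown sharing mode: %r" % sharing)


def count_host_pairs(local_domain, peer_domain):
    """Number of /32 <-> /32 tunnels "one tunnel per host pair" could produce;
    returned as a count because materializing them is the point of avoiding it."""
    return sum(l.num_addresses * p.num_addresses
               for l, p in product(_nets(local_domain), _nets(peer_domain)))


def unmatched_pairs(proposed, peer_configured, exact=True):
    """Proposed pairs the peer would reject, as (local, remote) strings.

    exact=True : the peer needs an identical Proxy-ID pair (picky vendors).
    exact=False: assumed lenient model, the proposal only has to fall inside
                 a configured pair (so a peer configured 0.0.0.0/0 accepts all).
    """
    configured = [(ipaddress.ip_network(a), ipaddress.ip_network(b)) for a, b in peer_configured]
    rejected = []
    for l, r in proposed:
        if exact:
            ok = (l, r) in configured
        else:
            ok = any(l.subnet_of(cl) and r.subnet_of(cr) for cl, cr in configured)
        if not ok:
            rejected.append((str(l), str(r)))
    return rejected


if __name__ == "__main__":
    # Constructed domains: two local subnets, a peer subnet plus a single peer host.
    local = ["10.1.0.0/24", "10.1.1.0/24"]
    peer = ["192.168.5.0/24", "172.16.7.7/32"]
    for mode in ("subnet", "gateway"):
        pairs = proxy_id_pairs(local, peer, mode)
        print("%-8s -> %d pair(s):" % (mode, len(pairs)), [(str(a), str(b)) for a, b in pairs])
    # Peer configured for only one of the four subnet pairs, exact match required.
    picky = [("10.1.0.0/24", "192.168.5.0/24")]
    print("picky peer rejects:", unmatched_pairs(proxy_id_pairs(local, peer, "subnet"), picky))
    # Peer rolled everything into a universal tunnel (item 36): exact vs subset.
    rolled = [("0.0.0.0/0", "0.0.0.0/0")]
    sub = proxy_id_pairs(local, peer, "subnet")
    print("universal peer, exact:", len(unmatched_pairs(sub, rolled)), "rejected;",
          "subset:", len(unmatched_pairs(sub, rolled, exact=False)), "rejected")
    print("host-pair tunnels this would take:", count_host_pairs(local, peer))
```

The practical reading: with the default "per subnet pair" setting against a peer that only accepts its own exact Proxy-IDs, every subnet combination not mirrored on the far side is a failed Phase 2, and a peer that collapses everything into 0.0.0.0/0 rejects all of them unless you switch the community to "per gateway pair" so that the universal pair is what gets proposed.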
  91. Re: IPSEC tunnel see Phase1 and Phase 2 details from CLI

    Not sure, could be a bitmask indicating what protocols are in use or a key for referencing the actual settings in another table somewhere. Poked around for awhile in /lib/ files and some other...
  92. Re: IPSEC tunnel see Phase1 and Phase 2 details from CLI

    Did you try passing -f as an option?
  93. Re: IPSEC tunnel see Phase1 and Phase 2 details from CLI

    The table you need to look in is MSPI_by_methods. May want to check out "sk104760: ATRG: VPN Core" when you get a chance, long but very useful reading.
  94. Re: Packet Flow in Checkpoint Firewall (Replies: 13, Views: 26,553)

    Check Point has created some great documents explaining packet flows for R77 gateway here:



    Doesn't appear to be an equivalent document for R80.10 gateway just yet...
  95. Re: IPSEC kicking in before PBR (Replies: 7, Views: 1,342)

    For posterity, the inability of SecureXL to deal with PBR has been rectified in R77.30 jumbo hotfix take 99+, but support for this feature must still be enabled with the "sim feature pbrroute on"...
  96. Re: 100% CPU using SmartView Web? (Replies: 1, Views: 384)

    Yes, see this thread:

    https://www.cpug.org/forums/showthread.php/21804-Java-Process-Consuming-High-CPU-in-R80?p=94899#post94899

    SOLR is run with reduced CPU priority (NI) so if literally any...
  97. Re: Third free "Max Power" Addendum with R80.10 Tips/Tricks Now Available!

    Gotta love replying to my own very old post...

    One can dump all the known VPN domains and their associated peers from the vpn_routing table which is used by vpnd to determine if traffic is...
  98. Re: Newbie Question - What Does Prob Stands For?

    Always thought it was cphaprobe, then shortened to old Windows 8.3 character limit (i.e. cphaprob.exe)
  99. Re: R80.10 performance on standalone 4200

    For Full HA operation while activating any reasonable number of gateway blades, yes. Thankfully RAM was bumped up a lot in the new generation of appliance hardware.
  100. Re: R80.10 performance on standalone 4200

    The biggest constraint with the lower-end 2012 series of appliances in regard to a standalone setup was not CPU power, but amount of RAM. The original version of the 2200 shipped with 2GB of RAM,...