CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Tim Hall has done it again! He has just released the 2nd edition of "Max Power".
Rather than get into details here, I urge you to check out this announcement post.
It's a massive upgrade, and well worth checking out. -E


Type: Posts; User: ShadowPeak.com

Page 1 of 5


  1. Re: Advanced Upgrade to R80.30 (Replies: 6, Views: 248)

    You need to run the pre upgrade verifier tool like this on your R77.30 SMS:

    pre_upgrade_verifier -p $FWDIR -c R77.30 -t R80.30

    If you can't find it, download the R80.30 migration utilities from...
  2. Re: Checkpoint Enterprise Software Support Timeline

    It has already been extended once, doubt they will do it again.
  3. Re: Java Process Consuming High CPU in R80 (Replies: 38, Views: 12,643)

    Log_exporter should not have a big effect on CPU utilization. I'd say that amount of CPU and memory usage for SOLR looks about right given that you have 24GB of RAM, as the SMS checks the amount of...
  4. Re: Java Process Consuming High CPU in R80 (Replies: 38, Views: 12,643)

    Run top and hit M. That will sort the list of processes by memory usage, what are the top three processes consuming memory and how much are they consuming? Yes swap space was being used at some...
  5. Re: Java Process Consuming High CPU in R80 (Replies: 38, Views: 12,643)

    As far as CPU speed, I'd say your Smart-1 50 is a bit underpowered for your setup as it only has an Intel Xeon E5410 2.33GHz (Quad Core). You have plenty of RAM though so adding more of it will not...
  6. Re: Natting query (Replies: 1, Views: 550)

    If the manual rule was added at the top of the NAT policy (prior to any automatic rules) and matches the connection, only that manual rule will apply. You may also need to add a static proxy ARP as...
  7. Sticky: Re: Create and Maintain Your Own Check Point Software Repository

    No Check Point User Center account is required to download iso images any more, try these:
    ...
  8. Re: Received a cleartext packet within an encrypted connection

    Ah yes, the situation I described was "According to the policy, the packet should not have been decrypted". Nice catch.
  9. Re: Received a cleartext packet within an encrypted connection

    Most likely the destination IP address for those two servers they are failing to reach are not part of your own firewall's defined VPN domain. Or the source IP address they are using to initiate the...
  10. Re: VRRP works on which checkpoint version

    Yes you can do that, but my impression is that doing so is not supported. Of course "not supported" isn't the same as "doesn't work" though...
  11. Re: VRRP works on which checkpoint version

    The only real use cases for VRRP over ClusterXL are in my opinion:

    1) Have the need to present more than one Cluster or Virtual IP (Backup Address) on a single physical or logical interface. VRRP...
  12. Re: Threat Prevention is Not Block DNS Reputation Traffic Which High Severity

    There is a bit more to it than that, determine what profile is being applied to the traffic/gateway in question and look here:
  13. Re: 23500 - expansion cards are not visible .

    Are you running R77.30 on your 23000? If so you do know that there was a special back-ported release of R77.30 for these models right:

    3100, 3200 Appliances
    5100 / 5400 / 5600 / 5800 / 5900...
  14. Re: ERROR in execval: optimization disabled: displacement too large

    In the old days this message generally meant that some kind of fixed internal limit had been exceeded in regards to the policy. In recent releases most of these limits have been raised to a point...
  15. Re: CPX (Thread: CPX, by ShadowPeak.com; Replies: 2, Views: 828)

    Yep Vegas and Vienna, and speaking on the Checkmates break out track Tuesday @1330 for both. Looking forward to it!
  16. Re: fw unloadlocal and routing daemon stopping?

    Running fw unloadlocal also changes the ip_forward kernel variable from 1 to 0. As such only traffic bound for a specific interface IP of the firewall will work, anything trying to route through the...
  17. Re: craig dods blog post about hacking Palo?

    Tough to say what happened, was familiar with Craig via the nifty "Top Talkers" script he wrote some time ago that was mentioned in my book. The resulting LinkedIn discussion thread referencing the...
  18. Re: craig dods blog post about hacking Palo?

    The Wayback Machine will not be denied...

    https://web.archive.org/web/20181219201659/https://www.craigdods.com/hacking-into-palo-alto-networks-support-site-for-fun-and-no-attribution/
  19. Re: No installation targets. (Replies: 3, Views: 724)

    Try clearing the SmartConsole cache files as described here:

    sk100507: R77.x SmartConsole problems with Security Management Server / Multi-Domain Security Management Server
  20. Re: the grass is not greener on the other side.

    Great read, thanks for posting it.
  21. Re: Show routing table on Domain Based VPNs

    Yes:

    echo -e "\033[0m####################\n# VPN Routing #\n####################";fw tab -f -t vpn_routing -u 2>&1 |grep -v "+"| awk '{split($0,a,";"); print a[8]}' |sort -ng |uniq | awk...
  22. Re: VPN Remote User with timeouts and low performance

    sk107433: How to change transport method with Endpoint Clients
  23. Re: Rate Limiting Rules in R77.20 (Replies: 2, Views: 1,487)

    In your example the 501st new connection request in the same second will be blocked, regardless of the source IP. I think you are looking for the SecureXL "penalty box" function described here:...
  24. Re: Appliances 5900 R80.10 and bonding interfaces limited throughput

    Great, thanks for the follow-up.
  25. Re: Appliances 5900 R80.10 and bonding interfaces limited throughput

    Please provide output of the following commands run on the firewall from expert mode:

    fwaccel stat
    fwaccel stats -s
    grep -c ^processor /proc/cpuinfo
    /sbin/cpuinfo
    fw ctl affinity -l -r
    sim...
  26. Re: cpview to find out the source and destination that uses the most BW

    Please read my last post again concerning SecureXL.
  27. Re: cpview to find out the source and destination that uses the most BW

    Are you sure this is a single connection and not lots of little ones? Top Connections only shows the top individual connections that consume the most bandwidth, it does not show a summary of which...
  28. Re: cpview to find out the source and destination that uses the most BW

    If you notice a particular Firewall Worker (kernel instance) is overloaded this sk shows you how to identify the connection attributes of the elephant flow causing it.
  29. Re: IPS Protect internal hosts only - recommendation

    Yep IPS was at long last fully integrated with the rest of the Threat Prevention blades in R80.10 gateway. Also Geo Protection was renamed Geo Policy and is no longer part of the IPS blade in...
  30. Re: cpview to find out the source and destination that uses the most BW

    Sounds like you may have an elephant flow, check out sk122013 (Handling heavy connections in CoreXL) for an alternative way to identify what it is via the "Advanced...CoreXL...Instances" screen of...
  31. Re: IPS Protect internal hosts only - recommendation

    Not exactly, if you have an R80.10 gateway IPS can be managed in the same TP profile and policy layer as the other four Threat Prevention blades. As such you can use columns such as Protected Scope...
  32. Re: High CPU problem on checkpoint gateway (Replies: 16, Views: 2,500)

    Well this is a first for me, adding more SND/IRQ cores actually reduces the performance of fully-accelerated (SXL path) traffic? Beyond engaging Check Point TAC the only explanation could be your...
  33. Re: High CPU problem on checkpoint gateway (Replies: 16, Views: 2,500)

    So interface affinity is spread between Cores 0 & 3 while fw_0 and fw_1 are running on CPUs 1 and 2 respectively? How does the CPU load distribution look via top when things are "50% slower"?
  34. Re: High CPU problem on checkpoint gateway (Replies: 16, Views: 2,500)

    Are there three kernel instances or only two? Output from the commands above is conflicting. The first output is missing fw_0, the second shows three kernel instances fighting for 2 CPUs and the...
  35. Re: High CPU problem on checkpoint gateway (Replies: 16, Views: 2,500)

    Run all commands again in this configuration please.
  36. Re: High CPU problem on checkpoint gateway (Replies: 16, Views: 2,500)

    You are getting some RX-DRPs which confirms that the lone SND/IRQ core is getting killed due to the high percentage of fully-accelerated traffic. As mentioned you need to drop the number of kernel...
  37. Re: High CPU problem on checkpoint gateway (Replies: 16, Views: 2,500)

    Huh? That makes no sense, please define what "50% slower" means. If you have a cluster changing the number of kernel instances needs to be handled the same way as code upgrade.

    You may have...
  38. Re: High CPU problem on checkpoint gateway (Replies: 16, Views: 2,500)

    Yup definitely decrease kernel instances from 3 to 2 with cpconfig. Will help a lot.
  39. Re: High CPU problem on checkpoint gateway (Replies: 16, Views: 2,500)

    Because you are licensed for only 4 cores, you probably have the default 1/3 split of SND/IRQ cores to Firewall Worker cores. Please provide output of fw ctl affinity -l -r and fwaccel stats -s to...
  40. Re: Original IP address does not come through in a VPN tunnel

    If using the Automatic NAT setup technique (i.e. defining it on the NAT tab of a Host/Network object), the automatic rule(s) created will attempt to NAT traffic to/from that host/network regardless...
  41. Re: HPE DL360 Gen9 (Replies: 8, Views: 2,840)

    Looks like the 366T is just a rebadged Intel® Ethernet Controller I350-AM4, looking at the data sheet for that chipset it does indeed support Multi-Queue for up to 8 queues just like most Intel NIC...
  42. Re: ICMP time exceeded are not logged? (Replies: 10, Views: 1,310)

    Yes: netstat -s from expert mode.
  43. Re: Antispoofing adding static route (Replies: 8, Views: 1,714)

    That's why in R80.20 there is a new antispoofing option on the interface topology screen: "Follow routing configuration" or something like that. Now any time a route is added/updated antispoofing...
  44. Re: random drops on checkpoint 5k appliance running R77.30

    Need to run fw ctl zdebug drop while the issue occurring to see what is happening. Have you looked at the logs for the problematic period of time?
  45. Re: Problem with ISP redundancy - sk25152 - Kindly advise

    No the fwx_cache table simply caches NAT rulebase lookups and is not relevant to your problem. I'm assuming it is cleared when an ISP transition occurs. Let's back up though:

    1) Are you...
  46. Re: Original IP address does not come through in a VPN tunnel

    Did you check the "Disable NAT in VPN Community" checkbox on the VPN Community properties?
  47. Re: Any recommendations for dual 10GBASE-T adapters?

    Can't go wrong with Intel.
  48. Re: Issue with site to site vpn to cisco ASA - HELP

    Settings mismatch in IKE Phase 1. Check Encryption Algorithm, Hashing Algorithm, Diffie Hellman group, could be a shared secret typo.
  49. Re: Issue with site to site vpn to cisco ASA - HELP

    Are you seeing a "Main/Aggressive Mode complete" log (key icon) message followed immediately by "No proposal chosen", or are you only seeing "No proposal chosen" over and over again? If the former...
  50. Re: 4k sectors on USB? (Replies: 1, Views: 519)

    I believe this is fixed in kernel 2.6.34 or later and is mentioned in this thread: ...
  51. Re: Anyone know any way for adding interfaces to cluster via dashboard without clicki

    Just use "Get Interfaces" NOT "Get interfaces with Topology". The former will not touch your antispoofing/topology settings while the latter will.
  52. Re: Policy installation takes long time (Replies: 7, Views: 4,165)

    You are almost 1GB into swap space, more RAM should help.
  53. Re: RCV Overruns on bond interface (Replies: 8, Views: 1,080)

    The main issue is RX-DRPs (rx_missed_errors) which indicates insufficient CPU resources on the SND/IRQ cores (CPUs 0 & 1) to empty interface ring buffers in a timely fashion, although the drop...
  54. Re: RCV Overruns on bond interface (Replies: 8, Views: 1,080)

    A change in load-balancing on the switch to L3/L4 should help balance inbound traffic to the firewall interfaces and help avoid RX-OVR. However you need to provide ethtool -S output for eth2-07 and...
  55. Re: Policy installation takes long time (Replies: 7, Views: 4,165)

    On R77.30 management operations are single-threaded so there is not much you can do if the CPU is saturated during a policy verification. R80.10 handles this much better.

    One thing you can do is...
  56. Re: SecureXL getting disabled (Replies: 15, Views: 4,573)

    sip_dynamic_ports is the service halting SecureXL templating. Try searching for that service in your traffic logs, if you see connections being logged with that service name you probably can't...
  57. Re: Secure XL -- Some doubts (Replies: 1, Views: 648)

    You are talking about "Accept templates" here, these are dynamically formed in SecureXL to save the overhead of a full rulebase lookup for repeated connections having only one attribute that is...
  58. Re: Route Based VPN with Cisco router (Replies: 5, Views: 1,603)

    You can also switch off just the VPN acceleration function of SecureXL with this command: sim vpn off;fwaccel off;fwaccel on

    All other acceleration functions of SecureXL will remain active, but...
  59. Re: RCV Overruns on bond interface (Replies: 8, Views: 1,080)

    OK I've seen this before, where the output reported by netstat -ni increments RX-DRP and RX-OVR in lockstep, and it is impossible to determine if the drop issue is a ring buffer overflow (RX-DRP) or...
  60. Re: RCV Overruns on bond interface (Replies: 8, Views: 1,080)

    Please provide output of netstat -ni, and ethtool -S (interfacename) for all physical interfaces in the bond for further analysis.

    How is your bond interface set for load balancing of traffic...
  61. Re: 5900 and SMT Or Assign particular core to Particular interface

    No, load-balanced ISP Redundancy traffic will always go F2F. This was actually mentioned in my book and there is no workaround. If you configure ISP Redundancy for Primary/Backup instead, traffic...
  62. Re: 5900 and SMT Or Assign particular core to Particular interface

    To help determine reason for high F2F, please provide output of enabled_blades command run on firewall.

    Not sure what the sufficient traffic threshold is for automatic interface affinity to start...
  63. Re: SecureXL getting disabled (Replies: 15, Views: 4,573)

    Remove Snmp-read-only and icmp-proto. Could also be port 135 service if protocol type is RPC/DCE.
  64. Re: 5900 and SMT Or Assign particular core to Particular interface

    CPUs 0 and 1 are SND/IRQ cores, CPUs 2-7 are Firewall Worker cores.

    You aren't seeing any interfaces being handled by CPU 1 for one of the following reasons:

    1) SecureXL is off (fwaccel stat)...
  65. Re: 5900 and SMT Or Assign particular core to Particular interface

    A 5900 has eight physical cores that will increase to 16 logical cores when SMT is enabled.

    Without SMT, there will be two cores assigned to SND/IRQ functions and six Firewall Worker cores. The...
  66. Re: VPN Problem 10% of User (Replies: 5, Views: 740)

    Generally you don't need to reboot or failover the firewalls on a regular basis. Tough to say what your VPN problem was, could have been a memory leak or some other kind of bug or resource...
  67. Re: "Max Power" Book Second Edition Released!

    R77.30 and R80.10 are covered side-by-side in the second edition. The first edition is no longer available. There was very little content removed between the first edition and the second edition,...
  68. Re: R80.20.M1 Management Release (Replies: 18, Views: 2,736)

    Yep there will be a raft of new native Linux tools available due to the kernel update to 3.5.
  69. Re: Somehow Traffic is not passing through tunnel

    A "secret" way to force only the tunnels associated with a certain VPN Community to bypass all acceleration is to simply set the hashing algorithm to SHA-384 for both phases of IKE. The SHA-384...
  70. Re: Somehow Traffic is not passing through tunnel

    As mentioned above load the latest GA jumbo hotfix for your version, almost certainly will fix it. If not you'll probably need to involve Check Point TAC.
  71. Re: IKE Phase 2 Quick mode VPN encryption domain matching process

    The size of the object (i.e. host or network w/ mask) used in the Firewall/Network policy layer permitting the VPN traffic does not matter as far as what is proposed by the Check Point in Phase 2, it...
  72. Re: SMS R77.30 install policy to IP390 (R65 and IPSO4.2) crashed

    Sounds to me like you need to upgrade to 2GB of RAM for sure then, if R65 doesn't work with 1GB of RAM I'm pretty sure R77.30 won't either.

    No special steps you need to take after adding the...
  73. Re: Somehow Traffic is not passing through tunnel

    Try this sequence of commands:

    sim vpn off
    fwaccel off;fwaccel on

    Reset the tunnel, does it still work? If it does that indicates some kind of issue specifically with acceleration of VPN...
  74. Re: Somehow Traffic is not passing through tunnel

    It would be something like this, assume that the VPN peer IP address is 129.82.102.32 and destination IP address on the original packet is 192.168.10.1:

    fw monitor -e "accept host(192.168.10.1) or...
  75. Re: VPN Intermittent Connectivity (Replies: 8, Views: 1,038)

    True, however Check Point did not add support for IKEv2 until R71 circa 2010, and it really didn't start being commonly used until a few years later at least in my experience.
  76. Re: Somehow Traffic is not passing through tunnel

    Er yes I got that, but is LOC-B actually putting it back into the tunnel? Just because the return traffic shows up at the interface of LOC-B (presumably in a tcpdump which puts the interface in...
  77. Re: VPN Intermittent Connectivity (Replies: 8, Views: 1,038)

    Thanks for the update, IKEv2 is still (relatively) new and can sometimes cause issues with interoperable VPNs.
  78. Re: Policy installation takes long time (Replies: 7, Views: 4,165)

    Management version? Standalone or distributed? Kind of important in this case ...
  79. Re: R77.30 to R80.10 Management/SmartEvent upgrade

    It can probably be all left on a VM, however I would recommend the following:

    12 cores MINIMUM, 16+ preferred. Do NOT present the cores to the VM as hyperthreaded/logical cores.
    32GB RAM MINIMUM...
  80. Re: Somehow Traffic is not passing through tunnel

    Make sure the "disable NAT" checkbox is set in the VPN Community settings. Are you sure the reply traffic is really arriving back at the internal interface of LOC-B? And coming back through the...
  81. Re: SMS R77.30 install policy to IP390 (R65 and IPSO4.2) crashed

    Make sure the Monitoring blade is disabled on the firewall objects representing the Nokias, I seem to recall stability problems with the rtm kernel driver on IPSO at one point. 1GB RAM will be...
  82. Re: IKE Phase 2 Quick mode VPN encryption domain matching process

    If acting as the responder, the Check Point will accept a fully-contained subset of that subnet, yes.

    Yes.

    Yes. Just like Cisco.
  83. Re: fwx_xlate_method (Replies: 2, Views: 684)

    I'd say this is just an informational message and not indicating a problem, although it is a bit confusing in that it is referencing both UDP and TCP for presumably the same packet/operation. Looks...
  84. Re: "Max Power" Book Second Edition Released!

    VSX is not covered. However there is some great free VSX optimization info here:

    https://dreezman.wordpress.com/2015/01/24/corexl-training-youll-love-the-price/
  85. Re: Internal to Internal traffic and application\url blade

    The implicit cleanup rule for an APCL/URLF layer has an action of Accept and you are not allowed to change it on a R77.30 gateway; the default action is Accept because typically the APCL/URLF policy...
  86. Re: VPN Intermittent Connectivity (Replies: 8, Views: 1,038)

    It is in the group policy, set command is:

    vpn-idle-timeout none

    show command is:

    show run all group-policy | i vpn-idle

    vpn-idle-timeout none
  87. Re: VPN Intermittent Connectivity (Replies: 8, Views: 1,038)

    Make sure the IKE Phase 1 lifetime (expressed in minutes) and IPSEC Phase 2 lifetime (expressed in seconds) match the settings on the Cisco end.

    Make sure the Cisco has their data lifesize set to...
  88. Re: Internal to Internal traffic and application\url blade

    Yes. If using object "Internet" as the destination in an APCL/URLF layer, it will match all traffic leaving on an interface that is not explicitly marked as Internal in the antispoofing settings. ...
  89. Re: Bandwidth reservation for site to site IPSec VPN

    Yes, but you'll have to enable the QoS blade on your firewall and assign a QoS policy. In the Action field of the QoS policy rule you can define a bandwidth guarantee, and there is also another...
  90. Re: Signs that a RAM upgrade is required

    free -m

    If swap usage reported on the last line is zero a RAM upgrade is probably not required. The bigger the reported swap usage number the more a RAM upgrade will help assuming that Gaia is...
  91. Re: Is it possible to do a Proxy ARP on a whole network?

    You only need to ensure firewall Proxy ARPs occur for NAT addresses you are "plucking" from a subnet directly attached to the firewall. Most typically the so-called "dirty" segment between the...
  92. Re: How many CPU cores 5900 has? (Replies: 3, Views: 815)

    For future reference the actual processor of a 5900 is an Intel(R) Xeon(R) CPU E5-2620 v4 @ 2.10GHz. Not shown at Tobias Lacmann's old site for some reason:...
  93. Re: Max Processor Speed (Replies: 8, Views: 1,225)

    The Intel Xeon E5530 used in that model has a base speed of 2.4 GHz and a possible turbo speed of 2.66 GHz, I'm assuming they are both showing 2400 because turbo mode is disabled.
  94. Re: Max Processor Speed (Replies: 8, Views: 1,225)

    The max speed shown is if the processor is operating in "turbo" mode above its base frequency (2.4GHz). Normally a processor cannot operate in turbo mode for long (up to 4GHz in your case) unless...
  95. Re: SAM rule expiration sorting (Replies: 6, Views: 3,844)

    Anyone still using block rules via fw sam and/or the Smartview Monitor should definitely check out the capabilities of fw samp if SecureXL is enabled. Drops are enforced very early in SecureXL thus...
  96. Re: Problem with Packet Loss (Replies: 6, Views: 2,523)

    If you weren't tipped so far over into swap space there might be some memory optimizations that could be performed to reduce memory utilization, but that is probably a lost cause given the number of...
  97. Re: Checkpoint 5400 100% CPU usage (Replies: 24, Views: 7,351)

    Probably to buy a bigger firewall. :-( There may be some other optimization techniques in the book that will help a little, but those two steps would be the big ones.
  98. Re: Checkpoint 5400 100% CPU usage (Replies: 24, Views: 7,351)

    In my book the stated goal is to have about 50% average utilization on the CPUs during the firewall's busiest period, thus allowing enough "headroom" for the firewall to potentially burst at double...
  99. Re: Checkpoint 5400 100% CPU usage (Replies: 24, Views: 7,351)

    That looks pretty good as 75% of traffic is now accelerated even when passing iSCSI traffic and 23% is Medium Path, surprised things still feel slow for you with those kind of statistics. Try...
  100. Re: Checkpoint 5400 100% CPU usage (Replies: 24, Views: 7,351)

    Interrupts in this context mostly refer to the emptying of the NIC ring buffers via the SoftIRQ process. When a SND/IRQ core becomes much more heavily utilized than the others, SecureXL automatic...
Results 1 to 100 of 498