CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.

Type: Posts; User: serlud


  1. Re: Deleting Object that is part of multiple rules

    Normally you do not need to manually delete this object in any rule, but if this object is the only one in src. or dst., after deletion you will have Any in those rules. (At least it works so in R77.30.)
  2. Re: Delete specific logfile entries

    You can store firewall logs locally, but you will not be able to use SmartTracker or SmartLog (without additional steps..)
  3. Re: R77.30 Jumbo HFA 216 not seen in installer

    Now you can install HFA216 without any problem (I hope).

    Connection error means that your gateway DA agent does not have any connection to Check Point, and the DA agent cannot provide the complete list...
  4. Re: R77.30 Jumbo HFA 216 not seen in installer

    You have to use several other commands (to complete the DA manual install):

    tar -zxvf DeploymentAgent
    rpm -Uhv --force CPda-00-00.i386.rpm
    killall -v clish clishd
    tellpm process:confd
  5. Re: Gaia R77.30 static routing problem

    Have you installed some Jumbo Hotfix on R77.30?

    We do not have such a problem..

    XXXX-1> show route static
    Codes: C - Connected, S - Static, R - RIP, B - BGP (D - Default),
    O - OSPF...
  6. Re: sk93587- monitord high CPU

    Have the same issue on R77.30 with Jumbo Hotfix Accumulator take_67 installed, see sk106162.

    According to CP sk102988 I should not see this problem at all (they write -- fixed in R77.30).
  7. Re: HP DL 380 G8, MDS,MLM in place update to R77.30 take 67 - failed.

    Checkpoint has sk106708 - Some HP Open Servers fail to start after upgrade to R77.30 Gaia OS,
    but we do not have a problem with the update from R77.20 to R77.30 (using standard...
  8. Re: HP DL 380 G8, MDS,MLM in place update to R77.30 take 67 - failed.

    I hope the information below will answer your question:
    Product Name ProLiant DL380p Gen8

    Controller Status OK
    Serial Number XXXXX
    Model HP Smart Array P420i Controller
    Firmware Version 5.42 ...
  9. Re: HP DL 380 G8, MDS,MLM in place update to R77.30 take 67 - failed.

    We are using the HP iLO board (it is the console in your case) every time for any update or hotfix installation - HDD not found. (Not a GRUB command prompt.)
  10. Re: HP Gen 9 Server Support for Gaia

    It would be great if CP could update the HCL with correct information about fiber or copper.
    All NICs with *T* at the end support copper, but not fiber.

    Current status on CP Web:

    HP Ethernet 1Gb...
  11. Re: Client VPN certificate expire alert

    Could you clarify which certificate you mean?

    If the VPN certificate on the Checkpoint Gateway (for VPN blade), then with any policy installation you get a notice - Certificate expired on xxxxx. If...
  12. MDS restore R77.30 take 67 problem.

    We have tested our current mds_backup and mds_restore in our test lab.
    Both work without any errors.
    After starting MDS in the test lab we could not see all firewall objects at MDS level. (Following...
  13. HP DL 380 G8, MDS,MLM in place update to R77.30 take 67 - failed.

    Last year we updated our MDS, MLM, SmartEvent and SmartReporter to R77.30 take67 from R77.20.

    During evaluation and update we got the same trouble on Open Server HP DL 380 G8, RAID 0+1 or...
  14. Re: R77.30 Cluster ID and Cluster mac_magic and fwha_mac_forward_magic issue?

    Checkpoint has confirmed that this is only a *cosmetic* issue. It seems that since R77.30 ClusterXL works only on firewall instance 0.
    Still do not know why I have to upload cpinfo for this case of mine..
  15. R77.30 Cluster ID and Cluster mac_magic and fwha_mac_forward_magic issue?

    On a new Cluster R77.30 (with take_67) we have implemented sk25977 (Connecting multiple clusters to the same network segment (same VLAN, same switch))

    [Expert@XXX:0]# cphaconf cluster_id set 1...
  16. Re: High utilization 55.7%wa on VSX 77.20 ?

    If you have an HA environment (cluster) you can reboot the standby member, wait till it comes back and has standby status, then reboot the active member.
    This will temporarily clean RAM from CP software...
  17. Re: HP Gen 9 Server Support for Gaia

    We have tried to install GA R77.30 on HP DL 360 and 380 (with RAID 5, RAID 6). (Installation of R77.20 crashed on every attempt - possible reason: incorrect RAID driver.)
    Installation works without any...
  18. Re: Is an appliance more secure than an open server?

    In case of physical access to a CP appliance, you can just remove the HDD from it and mount it on any Linux server (system), then you will have the same possibility to reset the password without clean...
  19. Re: Migrating a VPN Cluster from R70 to R77.20

    Probably the best way is to open a case with Checkpoint; they have to improve E80.xx
  20. Re: Firewalls not logging all traffic

    Do you see any other logs from this firewall? (If not, the firewall can save logs locally, for example in case of high load.)

    Do you see with fw monitor or tcpdump that the server establishes a new connection...
  21. Re: AutoBackup with migrate export or the upgrade_export

    Normally on MDS, you just use mds_backup every day and store it in some other place.. (We are using crontab to start our own script which runs mds_backup.)
    In case of any problem on any CMA you...
  22. Re: HP Gen 9 Server Support for Gaia

    According to our SE, Gen9 will be supported *very soon*.
  23. Re: The Secondary Management server is not syncing with Firewall

    The secondary management server cannot sync with any firewalls; it should only sync with the primary management server. Check connectivity between the primary and secondary management server - Provide some more...
  24. Re: Connecting WRT54G To Checkpoint Firewall

    Please provide full IP info:

    1. Your laptop IP/netmask default gateway. (if you have x.x.x.x/24 default x.x.x.y/24)
    2. WRT54G IP/netmask (connected to your laptop) x.x.x.y/24
    3. WRT54G...
  25. Re: Log Consolidation stopped working after in place upgrade from R77.10 to R77.20

    We have resolved this problem.

    The solution was:

    [Expert@XXX:0]#$CPDIR/database/postgresql/bin/psql -U cp_postgres -p 18272 rt_database
    [Expert@XXX:0]#delete* from...
  26. Re: Log Consolidation stopped working after in place upgrade from R77.10 to R77.20

    Thanks for reply.

    Today was not my *lucky* day, we have the same status..

    I have also tested 2 *solutions* from CP - also without any success:
  27. Re: Docs on snmp_xlate?

    I think that *snmp_xlate* is just a small CP program to create the snmpd.conf file and cannot be used to extend any SNMP capabilities:
    Usage: /bin/snmp_xlate prefix snmp-conf-file.

    You can start...
  28. Log Consolidation stopped working after in place upgrade from R77.10 to R77.20

    We have SmartEvent Intro and SmartReporter on the same system. This system is connected to our MDS and MLM.
    After the in-place upgrade from R77.10 to R77.20 all log consolidation stopped working. Smart...
  29. Re: Does creation of new VS impact running VSX environment?

    It should be safe to create (or delete) a new VS. (We have never had any problem with normal VSX in HA mode.)
  30. Re: Managing growing filesystem on MDSM (R75.46)- /dev/mapper/vg_splat-lv_current

    I have just tested a one-command solution on our test MDS - and it works for all (known) PV versions:

    2 examples:

    1. delete 2013 year logs for all CMAs (customers)
    rm ...
  31. Re: Managing growing filesystem on MDSM (R75.46)- /dev/mapper/vg_splat-lv_current

    In your case it is quite easy:
    log in to MDS in expert mode and then
    1. cd /var/log/mds_logs/CUST1-MGMT/log (as I remember it should be the same as cd /opt/CPmds-RXX/customer/CPsuite-RXX/fw1/log/)...
  32. Re: Appliance vs open server?

    Since 2001 we have been using only open servers (including SUN, Dell, HP, IBM) and have never had a finger-pointing problem.
    Now we are using HP DL 380 G8 servers (90%) and HP DL 360 G8, because it is much cheaper...
  33. Re: eth0 disappeared after installing new fiber card

    Since 2003 we have been using only HP open servers, mostly DL380 but also DL360 and DL320. We have never had a problem with recognition of 2 (old version) or 4 onboard cards, but usually we do not use them and...
  34. Re: CLI command

    A firewall without SIC has the *Initial Policy* - only connections to the firewall (ssh and WebUI) are accepted, routing enabled.
    A firewall with the default policy (your policy I hope) has only the rules which you have...
  35. Re: Check Point R77.20

    We started to use GAIA with R75, but even with this *brand-new-best* OS you will have trouble during upgrade.
    CP gives you several ways to upgrade, but not all of them are working.
  36. Re: policy too slow

    It seems that you have to wait till the CP R80 version is available.
  37. Re: you can not access the SmartDashboard, message GUI

    Apr 25 09:27:23 fwmanager kernel: hda: dma_intr: error=0x40 { UncorrectableError }, LBAsect=76672724, high=4, low=9563860, sector=524560
    Apr 25 09:27:23 fwmanager kernel: end_request: I/O error, dev...
  38. Re: you can not access the SmartDashboard, message GUI

    1. Check free disk space (df -k)
    2. Check the /var/log/messages file for strange errors (for example HDD errors..)
    3. Check the status of the Management Server -> cpstat mg, cpwd_admin list

  39. Re: problems after installing licenses

    If you have installed just a normal firewall (without Management) on this VM, then
    you have to install the following normal (not VE) licence on this GAIA VM -- >> Security Gateway Container (1 core) ...
  40. Re: How to wipe appliance HDD

    In this case the customer just needs to use an open server platform and will not have any problem with wiping any HDDs as in a CP appliance..
  41. Re: CPU utilization high

    Please provide more information about your env..

    CP Appliance model, ISP, CP version, active blades, size of security and NAT policy..... and so on..
  42. Re: "Load on module failed - no memory" R75.46

    We got tired of making SSH connections and cleaning tables on all our 250 clusters and changed the size of the affected table:

    Practical solution:
    echo string_dictionary_table_limit=98304 >>...
  43. Re: ISP redundancy and site to site vpn routes

    The best way is to use ISP redundancy (or better ISP load sharing) which is provided by both ISPs (normally they use the BGP routing protocol).

    How to, just for example
    ISP redundancy -...
  44. Re: Smart 1-50 management server upgrade R75.40 SPLAT to R77.10 GAIA

    Try to increase the timeout:

    Solution ID: sk32973 How to adjust the value of FireWall-1 Control Connection Timeout
  45. How to find out the total number of IPsec peers or tunnels configured on a gateway?

    We have a task to present the total number of VPN tunnels on each gateway (or the number of Interoperable Devices in CMAs).

    This information can be found by running the command *cpstat vpn -f all* on...
  46. Re: Site to Site VPN while allowing external communication?

    Try this >>
    #define NON_VPN_TRAFFIC_RULES (dst=
  47. Re: Site to Site VPN while allowing external communication?

    Try the crypt.def file first (make a backup first: example in folder $FWDIR/lib/ run the following *cp crypt.def cpypt.def.origr7540*), it should work for R75.40..

    ( replace 0 with your config
  48. Re: How limit rules are applied?

    Yes, but you have to create one rule for every single user in this subnet with limit 1 mbps..
  49. Re: RX errors increasing on External Interface of Splat firewall

    RX errors mean that your NIC is receiving malformed frames from the transmitting switchport.

    Frame errors mean CRC failures on receipt of a frame. The root cause of this could be a bad cable, or a...
  50. Re: How can we have Internet Traffic in the checkpoint VPN

    You do not need to put ANY in the Enc. domain on any of your gateways, just define correct LANs for each office and the center and use the following VPN routing:

    To center, or through the center to other...
  51. Re: dropped by vpn_encrypt_chain Reason: no reason

    You can try to disable impl. rules (control connections is enabled in Global properties).
    Please be very careful with exp. rules in this case.

    Do you ping through the VPN tunnel? (-when I try...
  52. Re: R76 Gaia SIC Error on Secondary Management Server

    It seems that HA works only on a Windows SmartCenter system (according to your experience).
    We also stopped using HA for MDS (not SmartCenter) in 2007 due to HA sync problems between CMAs and...
  53. Re: tcpreplay on firewall

    After starting tcpdump and pressing Ctrl+C you should also see the following output:

    [Expert@XXX]# tcpdump -i eth1 -w /var/tmp/test
    tcpdump: listening on eth1

    24259 packets received by filter
  54. Re: tcpreplay on firewall

    It can be:

    1. The customer firewall has SecureXL on (status can be checked with the *fwaccel stat* command) - In this case tcpdump cannot see all network packets.
    [Expert@XXX]# fwaccel stat...
  55. Re: Streaming Engine: TCP Out of Sequence - Out of sequence TCP packet retransmission

    We also have the same error (after changing track to log - default was none)

    Action Drop
    Protection Name TCP Out of Sequence
    Attack Streaming Engine: TCP Out of Sequence
    Attack Information...
  56. Re: how to cluster on R75 using gaia ?

    The following has worked with SecPlat (at least for R55-R70), and should also work without any problem with GAIA (I hope)

    Real testlab output:
    testlab> ver
    Product version Check Point Gaia R75.45...
  57. Re: Check Point R77

    I disagree for the following reasons:

    1. CP did not inform any major customer about any changes in the GA ISO R77 - just the same silent (without any notice) change like HFA 40 for R65,..

    2. You can...
  58. Re: Check Point R77

    Please also provide the build number which you have used - 225, 230 or 237.

    Stability and happiness can vary depending on the build number..
  59. Re: Making a firewall and network neutral router

    Have you tried the 2 following commands?
    fw unloadlocal
    echo 1 > /proc/sys/net/ipv4/ip_forward

    Should work but I have not tested this with GAIA.
  60. Re: Interface SYNC in flapping on switch

    1. Have you changed CCP *cphaconf set_ccp broadcast* on both cluster members?

    2. Do you have SYNC on the lowest VLAN? vlan 2871
    The best way is to use just a dedicated SYNC interface or it should have...
  61. Re: Established connections in firewall acl

    You have to create one rule:

    source: any dest: DMZ_WEB_server service: http action: accept track: log

    With this rule your server will not be able to open any...
  62. Re: Missing all local users and groups after upgrade from R75.10 to any version

    You can try to use *fwm dbexport* to export users and groups on R75.10 and *fwm dbimport* to import them back on R75.xx.
  63. Re: Adding New interface into IPSO cluster - Nokia

    Normally not. (No downtime.)
  64. Re: Reg: Response from server (return traffic) is denied in Cleanup rule.

    You can try the following:

    If a service or custom service port is defined with a "Source Port" (Under Advanced set to 1-65536) and is applied in a Security Policy rule, it will disable SecureXL from...
  65. Re: DHCP Relay Configuration, Dropped - No bootp relay on in interface

    We have configured DHCP relay only on interfaces (eth1.xxx and eth1.vvv) which are connected to DHCP clients. But we do not have bond interfaces - just normal ones with VLANs: eth1.xxx ...eth3.ccc.
  66. Re: Looking for Home CheckPoint Unit with R75 or above

    All of them have the same hardware, but CPU frequency (performance) differs depending on model.. (CPU frequency of 680 > than 640 > 620)
  67. Re: 2 Gateway objects with identical IP's

    It can work but I really dislike any duplication for CP cluster objects which will be used for SIC, certificates and so on..

    For your case I prefer to manually change the blades config in case of...
  68. Re: Changing certificate for SNX portal

    Just write your own feedback..
  69. Re: Reg: Response from server (return traffic) is denied in Cleanup rule.

    It also *depends* on your ISP, traffic (MS will never be accelerated), usage of VPN.
    Sometimes you will get better performance without SecureXL. Just check CPU usage with and without SecureXL.
  70. Re: 2 Gateway objects with identical IP's

    Why would you like to have a second 'Checkpoint gateway' object?

    In case of DRP you can just install your *DRP rulebaseB* on your single firewall. (You can change your active policy at any time from...
  71. Re: No NICs after installing R76 on SecurePlatform

    Have you found this NIC in the HCL? (If not, then contact our SE to make a new *request for enhancement* and add this NIC to the HCL, wait 1-2 years and use your server.)
    I have found only the following:
  72. Re: How to find Gateway Status using MDSCMD via CLI

    Try to use cpmistat (change mdsenv first)
    [Expert@MDSXXX]# cpmistat -o schema


    cpmistat [-d][-o {snmp|oid|schema}] -r {fw|vpn|fg|ha|os|mg|wac|ls} netobj

    -d: Debug mode
  73. Re: Failover happens during policy installation

    Depending on your situation you can use the 2 following workarounds:

    1. CPHAD and/or FWD problem state during policy install (check control logs in SmartView Tracker: you should see something like:...
  74. Re: Restore from SPLAT backup - versioning?

    You have to install only the last (the same as you have) version and then restore (if it works)

    But the best way is a clean install of firewall and configuration or a clean install of management...
  75. Re: cpwatchdog process hangs up while starting

    Select maintenance mode, check HDD free space, /var/log/messages.. try to find and resolve your problem...
  76. Re: Placing SCS in your network

    The best way is to place it in the DMZ with official public IPs.

    In case of a wrong policy - you can directly connect your PC to the DMZ and change the policy.
  77. Re: 21400 - what hardware part controls routing/OSPF???

    You can try to make a clean install of R76 on the *bad* member and see if the problem disappears. (If you have not already tried this method: *I've reloaded the OS several times on this device*)

    But I think...
  78. Re: Check Point R75.47 is now available for download!

    Any news about R76.10 and R77 ?
  79. Re: Multiple certificates tie to a Gateway

    It is not possible..

    PS: you can only replace the default certificate with your own (somewhere created) certificate.
  80. Re: CP SmartCenter HDD partition for R75.45 (Linux)

    Normally you do not need to change or modify (modification is not possible in SecPlat) the default partitions on the management server.

    PS: make a good working backup of your management server and use some...
  81. Re: SmartUpdate Not Showing Correct Version Info

    In SmartUpdate right-click on the gateway and run *Get Gateway Data* - this should update the SmartUpdate database with the current version you are running on the gateway.

    If your upgrade was not done by using...
  82. FWM crashed every 5-10 min with relocation error after upgrade

    We had SmartEvent Intro and SmartReporter R71.40 on the same open server.
    It was connected to our MDS as a global object, and had several local admins (can be set in cpconfig).

    The first upgrade was...
  83. Re: Migrating from SPLAT to GAIA

    1. Upgrade your management first to at least R75.45 - Try never to use management with a lower version than the firewall > it will prevent 1000 problems.

    2. Preferred way: new GAIA R75.45 installation from...
  84. Re: SK26202 Editing MAC Address

    Absolutely correct, do not use *fw ctl set*, just edit fwkern.conf:

    vi $FWDIR/boot/modules/fwkern.conf
    - add line:
    parameter=<value in hex>

  85. Re: DHCP on SecurePlatform

    A standard Checkpoint firewall (open server or so on, SecPlat or GAIA) supports both:
    1. DHCP server.
    2. DHCP relay.

    Example for SecPlat:

    Choose a configuration item ('e' to exit):...
  86. Re: Migration of (Global policy & CMA) Provider-1 to another Provider-1

    The same problem - just add execute permission to gtar and also to gzip:
    chmod +x gtar
    chmod +x gzip

    (or just for all files in the location: chmod +x *)
  87. Re: Migration of (Global policy & CMA) Provider-1 to another Provider-1

    Change permissions for mds_restore (make it executable):

    chmod +x mds_restore
    and try again.

    [Expert@]# ls -la
    -rw-rw---- 1 root root 0 Jun 4 13:36 test...
  88. Re: No Consolidation Tab in SmartReporter

    Probably you do not have a correlation unit on your system.

    Provide us with your output for the *evconfig* command

    Example (SmartEvent Intro (IPS only) and SmartReporter on the same HP server)...
  89. Re: No relevant data found

    Have you added a new Consolidation session on SmartReporter? (SmartReporter GUI > Management > Consolidation > Create New)

    PS: Please also install the database on your firewall management server...
  90. Re: Error in Sync Connection State between two gateway

    Normally you should have one option with *cluster* (if you have a normal firewall-gateway cluster, without management blade)
    Example for Check Point Gaia R75.45

    Configuration Options:...
  91. Re: Error in Sync Connection State between two gateway

    It seems that 1 cluster is not configured as a cluster member.
    Please provide the output of the cpconfig command for both clusters. (Just what you see after running *cpconfig*.)
  92. Re: TCP session timeout for Clusters

    As far as I know *TCP timeout* is managed only by the management server (TCP service properties) and cannot be changed locally on the gateway (kernel values).
  93. Re: TCP session timeout for Clusters

    1. You have to manually create all TCP (with timeout 3000) protocols used by this Cluster and install policy..

    2. You cannot use “Global Properties” - it will change the timeout for all...
  94. Re: Does anyone know if GAIA R75.46 support NFS version 4 using TCP?

    Sorry, but seems to be *no one*... (
  95. Re: View Sync state from command line (Provider-1)

    Log in to the Primary MDS

    Go to the CMA: mdsenv <Primary-CMA>

    Run the command: cpmistat -o schema -r mg <Secondary-CMA>

    Example of synchronized state:
  96. Re: Error in Sync Connection State between two gateway

    Try to troubleshoot your SYNC interface, make ping from both Cluster members, tcpdump on the other member and so on..
    Try to change CCP to broadcast (we never use multicast mode due to 1000 problems)
  97. Re: R70 "Free Upgrade" Check Point Promo Discussion

    PhoneBoy, when will CP publish and produce a price for the 16 core firewall SG1601?
    Till now only CPSG-P1607 exists in the price list.
  98. Re: Hardware issue... 5 boxes in 2 weeks

    If you have a very old *~* power supply unit, then you can try to replace it with a new *+-* power supply (constant voltage) unit and see if it helps..

    Which type of *+-* power supply (constant...
  99. Re: Edge N VPN Throughput - Only around 6mbit?

    We have one Edge N (not cluster) as VPN backup for an MPLS connection in one small office with about 150 PCs (not servers).
    One day we had a problem with MPLS and Edge N started to *work*, at once it...
  100. Re: R70 "Free Upgrade" Check Point Promo Discussion

    1. I never talked about CoreXL or FW threads, just about affinity or SMP irq affinity or *sim affinity* which gets a 2 CPU-core limit after SB *free* migration...
    2. SG20x - means you can use only 2...
Results 1 to 100 of 500