CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Tim Hall has done it again! He has just released the 2nd edition of "Max Power".
Rather than get into details here, I urge you to check out this announcement post.
It's a massive upgrade, and well worth checking out. -E

Type: Posts; User: ShadowPeak.com

  1. Re: Antispoofing adding static route

    That's why in R80.20 there is a new antispoofing option on the interface topology screen: "Follow routing configuration" or something like that. Now any time a route is added/updated antispoofing...
  2. Re: random drops on checkpoint 5k appliance running R77.30

    Need to run fw ctl zdebug drop while the issue is occurring to see what is happening. Have you looked at the logs for the problematic period of time?
  3. Re: Problem with ISP redundancy - sk25152 - Kindly advise

    No the fwx_cache table simply caches NAT rulebase lookups and is not relevant to your problem. I'm assuming it is cleared when an ISP transition occurs. Let's back up though:

    1) Are you...
  4. Re: Original IP address does not come through in a VPN tunnel

    Did you check the "Disable NAT in VPN Community" checkbox on the VPN Community properties?
  5. Re: Any recommendations for dual 10GBASE-T adapters?

    Can't go wrong with Intel.
  6. Re: Issue with site to site vpn to cisco ASA - HELP

    Settings mismatch in IKE Phase 1. Check Encryption Algorithm, Hashing Algorithm, Diffie-Hellman group; could be a shared secret typo.
  7. Re: Issue with site to site vpn to cisco ASA - HELP

    Are you seeing a "Main/Aggressive Mode complete" log (key icon) message followed immediately by "No proposal chosen", or are you only seeing "No proposal chosen" over and over again? If the former...
  8. Re: 4k sectors on USB?

    I believe this is fixed in kernel 2.6.34 or later and is mentioned in this thread: ...
  9. Re: Anyone know any way for adding interfaces to cluster via dashboard without clicki

    Just use "Get Interfaces" NOT "Get interfaces with Topology". The former will not touch your antispoofing/topology settings while the latter will.
  10. Re: Policy installation takes long time

    You are almost 1GB into swap space, more RAM should help.
  11. Re: RCV Overruns on bond interface

    The main issue is RX-DRPs (rx_missed_errors) which indicates insufficient CPU resources on the SND/IRQ cores (CPUs 0 & 1) to empty interface ring buffers in a timely fashion, although the drop...
  12. Re: RCV Overruns on bond interface

    A change in load-balancing on the switch to L3/L4 should help balance inbound traffic to the firewall interfaces and help avoid RX-OVR. However you need to provide ethtool -S output for eth2-07 and...
  13. Re: Policy installation takes long time

    On R77.30 management operations are single-threaded so there is not much you can do if the CPU is saturated during a policy verification. R80.10 handles this much better.

    One thing you can do is...
  14. Re: SecureXL getting disabled

    sip_dynamic_ports is the service halting SecureXL templating. Try searching for that service in your traffic logs, if you see connections being logged with that service name you probably can't...
  15. Re: Secure XL -- Some doubts

    You are talking about "Accept templates" here, these are dynamically formed in SecureXL to save the overhead of a full rulebase lookup for repeated connections having only one attribute that is...
  16. Re: Route Based VPN with Cisco router

    You can also switch off just the VPN acceleration function of SecureXL with this command: sim vpn off;fwaccel off;fwaccel on

    All other acceleration functions of SecureXL will remain active, but...
  17. Re: RCV Overruns on bond interface

    OK I've seen this before, where the output reported by netstat -ni increments RX-DRP and RX-OVR in lockstep, and it is impossible to determine if the drop issue is a ring buffer overflow (RX-DRP) or...
  18. Re: RCV Overruns on bond interface

    Please provide output of netstat -ni, and ethtool -S (interfacename) for all physical interfaces in the bond for further analysis.

    How is your bond interface set for load balancing of traffic...
  19. Re: 5900 and SMT Or Assign particular core to Particular interface

    No, load-balanced ISP Redundancy traffic will always go F2F. This was actually mentioned in my book and there is no workaround. If you configure ISP Redundancy for Primary/Backup instead, traffic...
  20. Re: 5900 and SMT Or Assign particular core to Particular interface

    To help determine reason for high F2F, please provide output of enabled_blades command run on firewall.

    Not sure what the sufficient traffic threshold is for automatic interface affinity to start...
  21. Re: SecureXL getting disabled

    Remove Snmp-read-only and icmp-proto. Could also be port 135 service if protocol type is RPC/DCE.
  22. Re: 5900 and SMT Or Assign particular core to Particular interface

    CPUs 0 and 1 are SND/IRQ cores, CPUs 2-7 are Firewall Worker cores.

    You aren't seeing any interfaces being handled by CPU 1 for one of the following reasons:

    1) SecureXL is off (fwaccel stat)...
  23. Re: 5900 and SMT Or Assign particular core to Particular interface

    A 5900 has eight physical cores that will increase to 16 logical cores when SMT is enabled.

    Without SMT, there will be two cores assigned to SND/IRQ functions and six Firewall Worker cores. The...
  24. Re: VPN Problem 10% of User

    Generally you don't need to reboot or failover the firewalls on a regular basis. Tough to say what your VPN problem was, could have been a memory leak or some other kind of bug or resource...
  25. Re: "Max Power" Book Second Edition Released!

    R77.30 and R80.10 are covered side-by-side in the second edition. The first edition is no longer available. There was very little content removed between the first edition and the second edition,...
  26. Re: R80.20.M1 Management Release

    Yep there will be a raft of new native Linux tools available due to the kernel update to 3.5.
  27. Re: Somehow Traffic is not passing through tunnel

    A "secret" way to force only the tunnels associated with a certain VPN Community to bypass all acceleration is to simply set the hashing algorithm to SHA-384 for both phases of IKE. The SHA-384...
  28. Re: Somehow Traffic is not passing through tunnel

    As mentioned above load the latest GA jumbo hotfix for your version, almost certainly will fix it. If not you'll probably need to involve Check Point TAC.
  29. Re: IKE Phase 2 Quick mode VPN encryption domain matching process

    The size of the object (i.e. host or network w/ mask) used in the Firewall/Network policy layer permitting the VPN traffic does not matter as far as what is proposed by the Check Point in Phase 2, it...
  30. Re: SMS R77.30 install policy to IP390 (R65 and IPSO4.2) crashed

    Sounds to me like you need to upgrade to 2GB of RAM for sure then, if R65 doesn't work with 1GB of RAM I'm pretty sure R77.30 won't either.

    No special steps you need to take after adding the...
  31. Re: Somehow Traffic is not passing through tunnel

    Try this sequence of commands:

    sim vpn off
    fwaccel off;fwaccel on

    Reset the tunnel, does it still work? If it does that indicates some kind of issue specifically with acceleration of VPN...
  32. Re: Somehow Traffic is not passing through tunnel

    It would be something like this, assume that the VPN peer IP address is 129.82.102.32 and destination IP address on the original packet is 192.168.10.1:

    fw monitor -e "accept host(192.168.10.1) or...
  33. Re: VPN Intermittent Connectivity

    True, however Check Point did not add support for IKEv2 until R71 circa 2010, and it really didn't start being commonly used until a few years later at least in my experience.
  34. Re: Somehow Traffic is not passing through tunnel

    Er yes I got that, but is LOC-B actually putting it back into the tunnel? Just because the return traffic shows up at the interface of LOC-B (presumably in a tcpdump which puts the interface in...
  35. Re: VPN Intermittent Connectivity

    Thanks for the update, IKEv2 is still (relatively) new and can sometimes cause issues with interoperable VPNs.
  36. Re: Policy installation takes long time

    Management version? Standalone or distributed? Kind of important in this case ...
  37. Re: R77.30 to R80.10 Management/SmartEvent upgrade

    It can probably be all left on a VM, however I would recommend the following:

    12 cores MINIMUM, 16+ preferred. Do NOT present the cores to the VM as hyperthreaded/logical cores.
    32GB RAM MINIMUM...
  38. Re: Somehow Traffic is not passing through tunnel

    Make sure the "disable NAT" checkbox is set in the VPN Community settings. Are you sure the reply traffic is really arriving back at the internal interface of LOC-B? And coming back through the...
  39. Re: SMS R77.30 install policy to IP390 (R65 and IPSO4.2) crashed

    Make sure the Monitoring blade is disabled on the firewall objects representing the Nokias, I seem to recall stability problems with the rtm kernel driver on IPSO at one point. 1GB RAM will be...
  40. Re: IKE Phase 2 Quick mode VPN encryption domain matching process

    If acting as the responder, the Check Point will accept a fully-contained subset of that subnet, yes.

    Yes.

    Yes. Just like Cisco.
  41. Re: fwx_xlate_method

    I'd say this is just an informational message and not indicating a problem, although it is a bit confusing in that it is referencing both UDP and TCP for presumably the same packet/operation. Looks...
  42. Re: "Max Power" Book Second Edition Released!

    VSX is not covered. However there is some great free VSX optimization info here:

    https://dreezman.wordpress.com/2015/01/24/corexl-training-youll-love-the-price/
  43. Re: Internal to Internal traffic and application\url blade

    The implicit cleanup rule for an APCL/URLF layer has an action of Accept and you are not allowed to change it on a R77.30 gateway; the default action is Accept because typically the APCL/URLF policy...
  44. Re: VPN Intermittent Connectivity

    It is in the group policy, set command is:

    vpn-idle-timeout none

    show command is:

    show run all group-policy | i vpn-idle

    vpn-idle-timeout none
  45. Re: VPN Intermittent Connectivity

    Make sure the IKE Phase 1 lifetime (expressed in minutes) and IPSEC Phase 2 lifetime (expressed in seconds) match the settings on the Cisco end.

    Make sure the Cisco has their data lifesize set to...
  46. Re: Internal to Internal traffic and application\url blade

    Yes. If using object "Internet" as the destination in an APCL/URLF layer, it will match all traffic leaving on an interface that is not explicitly marked as Internal in the antispoofing settings. ...
  47. Re: Bandwidth reservation for site to site IPSec VPN

    Yes, but you'll have to enable the QoS blade on your firewall and assign a QoS policy. In the Action field of the QoS policy rule you can define a bandwidth guarantee, and there is also another...
  48. Re: Signs that a RAM upgrade is required

    free -m

    If swap usage reported on the last line is zero a RAM upgrade is probably not required. The bigger the reported swap usage number the more a RAM upgrade will help assuming that Gaia is...
  49. Re: Is it possible to do a Proxy ARP on a whole network?

    You only need to ensure firewall Proxy ARPs occur for NAT addresses you are "plucking" from a subnet directly attached to the firewall. Most typically the so-called "dirty" segment between the...
  50. Re: How many CPU cores 5900 has?

    For future reference the actual processor of a 5900 is an Intel(R) Xeon(R) CPU E5-2620 v4 @ 2.10GHz. Not shown at Tobias Lacmann's old site for some reason:...
  51. Re: Max Processor Speed

    The Intel Xeon E5530 used in that model has a base speed of 2.4 GHz and a possible turbo speed of 2.66 GHz, I'm assuming they are both showing 2400 because turbo mode is disabled.
  52. Re: Max Processor Speed

    The max speed shown is if the processor is operating in "turbo" mode above its base frequency (2.4GHz). Normally a processor cannot operate in turbo mode for long (up to 4GHz in your case) unless...
  53. Re: SAM rule expiration sorting

    Anyone still using block rules via fw sam and/or the Smartview Monitor should definitely check out the capabilities of fw samp if SecureXL is enabled. Drops are enforced very early in SecureXL thus...
  54. Re: Problem with Packet Loss

    If you weren't tipped so far over into swap space there might be some memory optimizations that could be performed to reduce memory utilization, but that is probably a lost cause given the number of...
  55. Re: Checkpoint 5400 100% CPU usage

    Probably to buy a bigger firewall. :-( There may be some other optimization techniques in the book that will help a little, but those two steps would be the big ones.
  56. Re: Checkpoint 5400 100% CPU usage

    In my book the stated goal is to have about 50% average utilization on the CPUs during the firewall's busiest period, thus allowing enough "headroom" for the firewall to potentially burst at double...
  57. Re: Checkpoint 5400 100% CPU usage

    That looks pretty good as 75% of traffic is now accelerated even when passing iSCSI traffic and 23% is Medium Path, surprised things still feel slow for you with those kind of statistics. Try...
  58. Re: Checkpoint 5400 100% CPU usage

    Interrupts in this context mostly refer to the emptying of the NIC ring buffers via the SoftIRQ process. When a SND/IRQ core becomes much more heavily utilized than the others, SecureXL automatic...
  59. Re: Checkpoint 5400 100% CPU usage

    Sync network & memory look fine.

    CPU 2 is slammed to 100% mostly in kernel/system space while CPU 1 is 78% idle; so technically the overall firewall CPU load is 59%. Enabling the Dynamic...
  60. Re: Checkpoint 5400 100% CPU usage

    The underlying 5400 processor does not support it at all, SMT is not deliberately disabled by Check Point:

    https://ark.intel.com/products/77775/Intel-Pentium-Processor-G3420-3M-Cache-3_20-GHz
    ...
  61. Re: Checkpoint 5400 100% CPU usage

    The 5400 does not support SMT/Hyperthreading, support for SMT starts with the 5800 model and higher.

    Please provide the output of the following commands for further diagnosis, ideally run when the...
  62. Re: Problem with Packet Loss

    Your firewall is 2.5GB into swap space against RAM of only 4GB. Upgrading to 8GB of RAM will definitely help. A lot.
  63. Re: Problem with Packet Loss

    Is this a Full HA configuration? In other words do you not have a separate SMS that you connect into with the SmartDashboard and the two 4400s are basically self-managed? If so the two boxes are...
  64. Re: Appliance slot map

    In any kind of colocation smart/remote hands situation, color-coded network cables and/or a label maker are your best friend. Having a picture of the system/rack is a must as well.
  65. Re: SAP and First Packet isn't SYN (R75.45)

    From my book:
  66. Re: Tenable Scan opening ports dynamically on GW

    As mentioned earlier typically these high ports are used by security server processes to "fold" connections during a "process space trip" as I coined it in my book. Typically the only connections...
  67. Re: ISP throughput

    Run top while the bandwidth is topping out at 80Mbps (during a speed test or something), is the firewall CPU 100% utilized during this period? If so you may be able to do some tuning to improve...
  68. Re: Smart Console error "Unable to get idle-time workstation locking policy"

    Please contact your Check Point SE for access to the SK, posting the contents of an SK here at CPUG (or anywhere else) is prohibited.
  69. Re: Smart Console error "Unable to get idle-time workstation locking policy"

    See sk111293: "Unable to get idle-time workstation locking policy" error in SmartConsole GUI clients. Many different possible causes for this one.
  70. Re: Bandwidth throttling/limiting per user or per Mobile Access blade.

    Assuming you are using Office Mode to assign IP addresses to your RA clients, you need to enable the QoS blade, then in QoS policy specify source as the Office Mode subnet, then in QoS Action specify...
  71. Re: checkpoint appliance and microburst

    Check status of Ethernet flow control function on the 1Gig interface.
  72. Re: RX-DRP / RX-OVR (FIFO Errors) / ClusterXL State change during policy install

    Thanks for the update. You could also try enabling Multi-Queue on the problematic interfaces (not sure why I didn't mention that option before) but if all the firewall's CPUs are heavily loaded...
  73. Re: Disable NAT rules using Script

    Your SMS code version is? Are the NAT rules you want to disable automatically generated, manually created, or both?
  74. Re: ISP throughput

    Are you sure the 1180 is linking to your router at Gig speed and not Fast Ethernet? Any network errors on the 1180 (netstat -ni), or on the router interface (show interface)?
  75. Re: checkpoint appliance and microburst

    I assume you are referring to this:

    https://en.wikipedia.org/wiki/Micro-bursting_%28networking%29

    This is more a function of Gaia and its NIC drivers emptying the network ring buffers via...
  76. Re: How to install policy with comms from mgmt server blocked by antispoofing

    fw ctl set int fw_local_interface_anti_spoofing 0

    I don't think you need to turn this off in SecureXL as well. Frankly you have something else seriously wrong if you need to disable this, and I...
  77. Re: Under Freeze state in Cphaprob state

    This is the Cluster under Load (CUL) function which is enabled by default on R77.30 and later gateways. The active member was experiencing high CPU load or recently had policy installed to it. For...
  78. Re: How to install policy with comms from mgmt server blocked by antispoofing

    Obviously you didn't see my CPX presentation. ;)

    fw ctl set int fw_antispoofing_enabled 0
    sim feature anti_spoofing off ; fwaccel off ; fwaccel on
  79. Re: ethtool -g Exp1-1 10Gig interface

    Increasing ring buffer sizes is a last resort to combat excessive (IMHO >0.1%) RX-DRPs. If excessive RX-DRPs are encountered, the right way to address it is by increasing the number of SND/IRQ cores...
  80. Re: R77.30, NTP and NAT issue

    When it is not working, something in Gaia/Linux is "eating" the NTP packet as it is not appearing at o. So it has nothing to do with Check Point firewall code or SecureXL. Is the firewall...
  81. Re: Hi everybody

    Welcome! Feel free to jump in and participate.
  82. Re: Problem routing between star communities (R77.30)

    I don't know if VPN Routing is possible with non-Check Point satellites, you may need to employ Policy-Based Routing (PBR) to force traffic to go the right way at the hub. Remember that the order of...
  83. Re: Verification Error - Policy Failure

    What is the version of management and gateway? My guess is R80+ management and R77.30 gateway.

    Are you able to successfully install just the Access Control policy without Threat Prevention (TP)? ...
  84. Re: Confirm Policy Override Question/Problem

    The "two boxes vertically stacked" icon shown in the warning represents the cluster object, which logically represents all individual physical members of the cluster in the SmartConsole. Note that...
  85. Re: High cpu, what is the cause?

    What version of firewall code are you running and what Jumbo HFA?

    The fastest way to find "elephant flows" that are pounding the CPU is to run cpview on the active firewall and select...
  86. Re: RX-DRP / RX-OVR (FIFO Errors) / ClusterXL State change during policy install

    Not directly, no. Since VRRP is being used, all ClusterXL is dealing with for the most part is state synchronization and reporting the firewall code's status to VRRP. A flap in ClusterXL (really...
  87. Re: Java Process Consuming High CPU in R80

    Thanks for the update, a bottleneck in the disk channel is usually the biggest cause of poor SMS performance. Even in R80.10+.
  88. Re: Something weird issue with mssql connection

    You'll need to run a tcpdump on the firewall's external interface with -e filtered for port 1433 and arp. Is the port 1433 packet leaving? Was it NATted as expected? Is the firewall answering the...
  89. Re: Dual NAT

    I'm assuming the term "dual NAT" is being used to describe the NATing of both source and destination IP address in the same packet. This is referred to as "bi-directional NAT" when it happens with...
  90. Re: Strange connection disruption 30minutes + after policy install

    You can do it beforehand but disabling SecureXL on a firewall with 8 or more cores without a good reason is a bit risky, as it may cause a noticeable performance impact. I think it would be better...
  91. Re: Strange connection disruption 30minutes + after policy install

    Could be, as a recalculation of most tables held by SecureXL is performed at that time. I'd try the fwaccel off trick immediately after policy install to help isolate the issue.
  92. Re: Strange connection disruption 30minutes + after policy install

    Please PM me and I'll send you the presentation. After CPX Bangkok it will be publicly posted.
  93. Re: Strange connection disruption 30minutes + after policy install

    Your first order of business is trying to determine if the stoppage is a Gaia issue (ARP, routing, NIC card, etc.) or a Check Point issue (SecureXL, INSPECT, NAT, ClusterXL, etc). In other which...
  94. Re: MTU issues: packets are always fragmented by firewall!

    I stand corrected, got this situation confused with TSO issues mentioned in sk41942. Very bad memories of that one, enough to briefly mention it in my book.
  95. Re: MTU issues: packets are always fragmented by firewall!

    Er yes that is by design, MTU stands for Maximum Transmission Unit. It only controls the frame size for frames leaving/transmitting. Incoming frames can be larger than the MTU and will be accepted...
  96. Re: Anyone attending CPX360 2018?

    Uh, I cannot confirm nor deny your assertion. Must have been hypnotized by the Blue Man Group show last night...

    I'm at CPX360 Vegas right now and will be kicking off the CheckMates Community Use...
  97. Re: Urgent problem with checkpoint to fortigate VPN

    Good summary, in general Juniper/Fortinet/Sonicwall are very picky about the Proxy-IDs (subnets) they will accept in a Phase 2 proposal, and it must be an exact match. Check Point and Cisco do not...
  98. Re: Installation failed. Reason: Load on module failed - no memory

    This is a rather generic error message indicating that the firewall could not complete the atomic load of the policy into the kernel for some reason. It could be due to lack of memory on the...
  99. Re: MTU issues: packets are always fragmented by firewall!

    Must be some function of IPS, try running ips off and retest to see if the reduction in packet size persists. Don't forget to turn IPS back on with ips on when you are done!
  100. Re: MTU issues: packets are always fragmented by firewall!

    Assuming your tcpdump output is accurate, IP did not fragment the packets because the offset field for all the packets you think are fragmented is zero. My guess is the TCP segments within were...