CPUG: The Check Point User Group
Resources for the Check Point Community, by the Check Point Community.
Type: Posts; User: alienbaby
I agree that ultimately policy creation and management should/will be automated. But it should be done so using a methodology such as the one above. Otherwise, you're going to encounter...
You're right that the methodology does not address acceleration. It's about consistency in policy creation and day-to-day management. And I would argue that if your everyday corporate firewall needs...
There are two or three under-the-hood solutions to this problem.
Personally, I prefer the out-in-the-open solution.
The table.def changes are hidden, and you have to remember that you did...
The methodology is open to expansion and is specific to CheckPoint for Simplified Mode and Traditional Mode policy (pre-R80 stuff).. mostly simplified mode. It also does not address several silly...
If you don't see any Control messages, then the firewall didn't fail-over.
It was likely a failure of some other device.
Updated kernel? or still 9 year old tech?
How's tcpdump? Is it 5+ years out of date too?
bash?
The small stuff counts. It's the biggest complaint many of my customers have. CheckPoint's...
Are you using a network object with a 32-bit mask instead of a host object for tranny destination?
<pile on>
You should probably reboot your CheckPoint appliances every 24 hours, given that CheckPoint does not use ECC RAM.
Reference: https://en.wikipedia.org/wiki/ECC_memory
5 single...
Nope.. didn't miss anything..
ClusterXL troubleshooting starts with those two commands..
cphaprob -a if
cphaprob -i list
Much clue dust will come bursting forth..
So much bad advice being given..
varera is the only one I see asking reasonable questions..
When troubleshooting ClusterXL, you must always start with the output from the following commands:
...
That won't exactly work.. That scheme will only work in one direction.. from firewall to switch.. and that's assuming the switch isn't smart enough to recognize that; Hey, I should have gotten this...
Resurrection is a real thing. Just look at this thread.. :)
"Native VLAN" is a Cisco term for untagged ethernet frames on a trunk interface.
You can configure the base interface and have...
Easy.. Re-architect the network. Placement of the ISP and MPLS in relation to each other; treat both services as untrusted.
Make the ISP router, and the MPLS router equal.. place them next to...
Having created some of the best hacks known to man, I know a hack when I see one...
And that's a hack.. logically, if I can do a source of 0.0.0.0/0.0.0.0, then 'Any' should work as well.
So...
I have observed a Palo Alto do the following:
Original Source: Any -> Original Destination: Some subnet or IP -> Translated Source: outgoing Interface (or whatever IP you like) [Hide] .. ...
Are you doing this upgrade for giggles? Or are you actually intending to run R80 in production?
The PIX is sending you all zeros for the Proxy IDs. This is equivalent to CheckPoint's 'One tunnel per gateway pair' in tunnel management.
You'll also see this with Tunnel Interfaces on Cisco...
If FIBMGR sessions are being dropped between cluster members, then you have one of two problems:
1. Your topology is not configured properly.
2. You disabled 'accept control connections' in...
For NTP to work, you must have the following conditions:
1. System time should be within one hour of the NTP server's time.
2. For the secondary cluster member to properly communicate, you...
Unless you're building a VPN tunnel that requires a routing protocol, there is no reason to use VTI.
Set up a standard Star VPN Community and set it to "One VPN tunnel per Gateway pair".
In...
I can't find any reference for this limitation. Can you provide a link?
What problem are you trying to solve?
There is likely a better way..
Granted.. Solaris and/or Stonebeat were operational nightmares.
VRRP, even in GAIA, is separate from ClusterXL.
ClusterXL is not aware of VRRP.
VRRP on GAIA operates separately from...
As mentioned, do Hide NAT.. I note the XlateSrc is listed, but not Xlatesrc port.
Also, validate the 192.168.1.1 object.. maybe there is a typo..
These analogies are not even remotely accurate.
VRRP is a dumb protocol. VRRP was created for routers that have no need for statefulness and in fact do not do access control whatsoever. RFC...
This is normal..
When you install policy, by default, all VPN keys are flushed and the VPNs have to re-key..
If you watch the logs on the Cisco device, you should notice some IKE IPSec SA...
Re-image.. re-install.. from scratch.. take nothing along except the contents from 'show configuration"..
There are two ways to make ClusterXL go Split Brain..
1. Different Magic MAC on each cluster member.
2. The switch is dropping all Multicast and Broadcast frames for all firewall interfaces;...
SIC is based on PKI. So no IP addresses involved, except the Management Server.. Names only. Notice how you can't change the name of the gateway once SIC is initialized.
Test SIC Status is an...
Over thinking is the proposed solution.
It would be simpler to just trade in the old 5070 appliance and purchase an identical 12400 appliance and implement a normal, universally supportable...
If you know the source IP, then you can Hide NAT it..
You cannot Hide NAT 'Any' Source.
OutsideIP/OutsideNetwork -> PublicServerIP -> Any ; InternalIP(Hide) -> PrivateServerIP (or...
VRRP Yes.
Clustering NO.
Modern CheckPoint code requires the platforms be identical. Mostly because of CoreXL. CoreXL worker 01 on cluster member A state syncs to worker 01 on cluster member...
I've encountered a problem involving cphamcset.
Firewalls are a range from R65 to R71 managed by R77.20.. It's clear that later versions of CheckPoint Management compiling policy for earlier...
Your interfaces use Dynamic ARP by default. When you want to transmit a packet, your host looks up the MAC address of the locally connected recipients in its own ARP table. If no entry exists, it...
'fw ctl arp' displays the proxy ARPs handled by the firewall kernel module. This used to be for ClusterXL only, but I believe this now applies to single gateway firewalls as well in more recent...
I'm gonna inject a tangent..
Is clustering in AWS a reasonable architectural decision? The two cluster members have to be in the same Availability Zone.
If Amazon takes down the availability...
I see three options.
1. Deploy a separate VPN solution into the VPC, such as a CheckPoint Firewall for AWS..
2. Multiple Internet facing interfaces on the CheckPoint cluster.
3. XXX - Build a...
A. If you're routing multicast, then fix your IGMP.
B. If you're not routing multicast, then disable IGMP.
Enabling broadcast mode is not the same as disabling IGMP. Yes, the switch will...
I'm not aware of GAIA having a service that would send out the advertisements required for IPv6 autoconfiguration (SLAAC). In linux, this is RADVD, but I could see CheckPoint adding it to...
Ahh.. You don't have an overall architectural issue, you have a Service Level problem within your network team.
But, you do also have an architectural issue, or lack thereof, since you mention they...
1. What is impractical about keeping your customers segmented from each other? It's simple linear scaling..
2. Is the segmentation a selling point or a requirement that has been placed on you by...
You misunderstand.
The fwm and other processes are all 32-bit and single-threaded. Meaning each 32-bit process only sees a 4GB memory space. Regardless of the OS mode, 32-bit or 64-bit.. And...
Support is being an idiot. Do not follow the silly recommendation given to you. "Let's change the whole environment in response to one undiagnosed metric." Put that shotgun down Cowboy.
Is that...
Human psychological weakness is the true reason why most active/active clusters exist.
The real result is that lots of additional complexity is introduced, and with lots of additional failure...
From a thread in 2010.. https://www.cpug.org/forums/archive/index.php/t-14821.html
Active/Active clusters do not improve performance. The decision function actually robs the cluster of...
Simple answer.. No..
You should only apply the hotfixes listed in CPUSE..
You may find that you have to uninstall any hotfixes applied outside of CPUSE when you need to install a CPUSE hotfix...
I see multiple problems here.
1. You state bridge mode, but then list that you have IP addresses on eth0 and eth1 interfaces. In bridge mode, you'd only have an IP address on the bridge...
When you build test VMs for CheckPoint, do 80 GB minimum HDD.. better to do 120GB minimum.. thin provision to save space..
What kind of CPU is in this box? And how many? cat /proc/cpuinfo
2 core license, Firewall, IPS, URL filtering, VPN, Mobility and Identity Aware enabled.
What throughput were you hoping to...
1. What features do you have enabled on this gateway/cluster? (ie: IPS, App Control, URL filtering, DLP etc. )
2. Is the gateway and/or cluster in 64-bit mode?
3. Is this GAIA?
4. Can you...
R77 has a new tool called cpview.
Use it to get some visibility into the overall performance of the box. Number of connection setups a second (cps) etc.
Feel free to post some of those numbers..
Did you also notice that the Mgmt port is a 100 meg? While the rest are Gig..
Found that one when I plugged into a Gig only switch..
ethtool -i Mgmt
The SG80, 600 and 1100 are ARM CPU based. They have their own train of code based on R75.20.
The latest I'm aware of is R75.20.66.
I had this very problem today..
Turned out that the clock on the remote gateway was way off..
The Checkpoint configuration is very intuitive. It should be configured based on the layer 3 headers of the packets that will be transmitted and received in the tunnel.
Even though you'll be...
You can't resize the original install; Well maybe you can, but you should involve a linux systems engineer to do that.
Two methods.
1. Export the config. Reload the OS. Import the config....
R77.10 and earlier have a crappy 10G driver...
ixgbe 3.1.17..
Upgrade to R77.20.. Upgrades the driver (increases performance) and gives you reboot survival ring buffer settings (lowers CPU...
In CheckPoint land, it's always best to use what CheckPoint calls a Domain Based VPN.. VTI's don't give you any redundancy, unless you use a routing protocol. In addition, if you don't setup NAT...
1. On HP servers, you have to remove/kick out the built-in DVD drive in order to boot from a USB optical drive.
2. May I ask why you're installing a dead operating system?
I'm curious to know what you mean by noisy.
I remember a story about a DBA that considered his DB IDS to be noisy. So he switched it off. Turns out, the reason it was noisy, was because a...
CheckPoint still does not support AH..
Not that anyone would do so.. Never actually seen a need for it.. Nor have I seen anyone run, in production, anything other than tunnel mode ESP..
May I...
It took 9 months for R77.10 VE to be released, following the release of R77.10.
How long will it take for the R77.20 VE hotfix to be released?
So.. sometime around February of next year...
Has anyone noticed any hits on the Bash IPS Protection? Any logs from that Protection at all?
Review the HCL. http://www.checkpoint.com/services/techsupport/hcl/
Note that multiple platforms are only supported on GAIA. You'll find this to be the case more and more as time passes.
And...
Simplest and least impactful method is to add two NAT rules near the top of your NAT policy..
Local Encryption Domain; Remote Encryption Domain; Any -> Original; Original; Original..
Remote...
May I ask why you're still running SecurePlatform?
I don't see you mention whether you're using SecuRemote/SecureClient/EndPoint/Mobile VPN etc.
In order to use split DNS with CheckPoint VPN clients, you must define the internal domain name to be...
Is Check Point Virtual Edition Dead?
Most recent version of VE with Hypervisor support was R75.40, and a review of the Docs for R75.45, R75.46, and R75.47 shows no mention of VE.
I can't find...
By default, traffic does not NAT as it passes through a CheckPoint firewall.
By default, there is one exception to that rule. Traffic that originates from a cluster member, will be NAT'd behind...
Also, make sure you do not rename the interfaces in topology. The interfaces names in the cluster object's topology must match the real interfaces reported by the gateway's OS.
Renaming...
Yes, create a group with all the source IP addresses using subnet/host objects.
Rule of thumb, Anti-Spoofing should match the routing table.
Please don't do this.. Such a disgusting solution. Clutters up SmartView Monitor amongst other things.
There are two solutions:
1. Implicit behavior; assumes Anti-spoofing and routing...
In tracker, expose the xlate and NAT fields.
then check/modify your NAT rules to prevent NAT.
Connect Control might be able to do that.
You'd be better off getting a load balancer.
You can also hack together a solution using dynamic objects, but you didn't hear that from me.
What version of Check Point?
Have you checked the Resolved Issues of more recent versions?
Horrible idea.
Either way, you have to load Splat on the box.. And then transfer a huge snapshot file. Versus load splat, transfer a small backup, and restore it, per documented procedure.
...
Short answer, No. A syn packet that enters in one firewall/cluster, if the policy allows, will be accepted. But the return packet, the syn/ack, will be quashed by the other separate...
There are a few ways to gain legitimate access to file downloads.
1. True up your software subscription.
2. Acquire a CCSE certification. I don't recall if CCSA gives access to downloads; It...
R65 and Older
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doShowproductpage&productTab=downloads&product=388
Legacy GUIs
...
1. Validate your routing table is in sync/same.
'ip route list' on both cluster members
2. Validate layer 2 connectivity.
Check ARP table for ARP entry of endpoint/gateway.
tcpdump and...
Using ethtool should give more detail on the specific rx error. It can mean that the firewall is receiving more packets than it can process. Read up on SecureXL and CoreXL.
I recommend you...
It's all in the errors..
No response from peer.
The remote side is not responding. I recommend you conduct a tcpdump on the CheckPoint. 'tcpdump -nn -i External [or whatever interface is...
In Tracker, be sure to expose the four Xlate fields. The VPN might be keying up Properly, but then when you send traffic, you might be NATing.
Also, make sure you're routing the traffic out the...
There are some ways CheckPoint could make this process more efficient. The gateway's OS and CheckPoint configuration are separate.
I generally explain it this way. CheckPoint takes a little...
If the switch is not consistently passing multicast frames, then anything that depends on multicast will fail.
What version of code are you running?
May I ask why you're running VRRP instead of...
DO NOT DO IT. The stability of a CheckPoint L2 firewall is less than stellar. The last one I had the misfortune to deal with had to be rebooted daily.
You might can an IPS protection (CheckPoint IPS or other) that limits the size of ICMP requests; or Cisco ACL etc.
If you don't have a requirement to use a routing protocol (BGP, OSPF), then create a VPN as you normally would using a VPN community. Then adjust the VPN Community's Advanced settings to do One...
This is CheckPoint's mistaken idea about VLAN tagging. I can only think they got it from the Cisco world where a native vlan defaults to 1 on a trunk interface. They didn't realize the default...
After you create your automatic NAT, create a manual NAT rule at the top of the NAT rulebase.
I don't entirely understand your explanation. I did understand that you're trying to eliminate one of these two interfaces; Mgmt or DATA.
The primary principle of Anti-spoofing is, Anti-Spoofing...
Whenever I hear of cluster stability issues, I always look at the switches first.
If switches have IGMP enabled, and environment is not doing multicast routing, then disable IGMP; or use static...
CheckPoint management servers do not like it when two CheckPoint objects have common IP addresses.
The correct strategy to follow is to duplicate the management server and the firewall/cluster...
The Instructions on the download page are clear...
The package should be usable for both GAIA and SecurePlatform via WebUI. Maybe phoneboy can get some clarity on the problem.
Check Point does not support VPN fail-over for non-CheckPoint gateways.
That being said, you could get something working using VTI and routing protocols.
Or you could simply buy small...
Did you reboot both cluster members after changing the sync configuration?
Any time I reconfigure the ClusterXL behavior, I reboot.
For example, if you remove/decommission an interface, reboot to...
Options:
1. If both ends are CheckPoint, then use a One Tunnel per Gateway Pair.
2. If both ends are CheckPoint, try setting the tunnel to Permanent.
3. Validate that the subnets/host in the...
CheckPoint's SIC and ICA (Internal CA) are based on PKI and SSL/TLS.
I recommend you go learn about PKI and SSL/TLS. Because then you'll also have a foundational knowledge.
1. I assume you've adjusted the magic numbers on this cluster; 0x15 and some other number, 0x16?.. The switch port for the other cluster member may have a MAC like 0000.0000.1501.. If you haven't...
Quite a lot comes up when I search for 'MTU'. Specifically, a bad behavior with 10G and TSO when changing MTU.