CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.

Type: Posts; User: cciesec2006

  1. Re: NAT assistance (Replies: 6, Views: 581)

    Thank you for the explanation.

    However, I just tested Hide NAT the source and it does not work either :-(. If the NTP servers are directly connected to the FW, it will not work.
  2. Re: NAT assistance (Replies: 6, Views: 581)

    I have NOT done that yet, but even if the above works, it will not resolve my issue because on the Linux client host 10.0.1.1 I have this in the /etc/ntp.conf file:

    server 192.168.1.2 iburst
    server...
  3. NAT assistance (Replies: 6, Views: 581)

    Environment: checkpoint R77.30 with HFA_216 on ClusterXL H/A. There is NO NAT in this environment, only routing.

    - NTP servers sitting on DMZ: 192.168.1.1/24, 192.168.1.2/24 and 192.168.1.3/24....
  4. Re: fsck on the next reboot in R77.30 (Replies: 4, Views: 413)

    This is what I am seeing on my R77.30 GAIA Provider-1:

    [Expert@lab-p1-mc:0]# tune2fs -l /dev/mapper/vg_splat-lv_current | egrep -i 'check|mount'
    Last mounted on: <not available>
    Default...
  5. fsck on the next reboot in R77.30 (Replies: 4, Views: 413)

    My R77.30 GAIA has been up for 710 days. I think if I reboot this firewall, it will take about 20 minutes for fsck to complete.

    How do I determine if fsck will be performed on the next reboot on...
  6. Re: Checkpoint Provider-1 and Proxy server configuration

    Thank you very much. That fixed it. Mine was the 2nd option. The previous engineer did that and he left the company four years ago :-(

    Thanks again.
  7. Checkpoint Provider-1 and Proxy server configuration

    I have a Provider-1 in my environment running R77.30.

    I've been told by security folks that my Provider-1 is using a proxy server to get to the following sites:

    usercenter.checkpoint.com:443...
  8. Re: MDS R77.30 restore. Some unexpected things.

    11GB is definitely an issue. Check to see how many revision control entries you have in the database. Those can add up very quickly.
  9. Re: MDS R77.30 restore. Some unexpected things.

    What is the file size of the mds_backup? It should be less than 2GB. I think there are "known" issues if the file size is > 2GB but checkpoint has claimed that the issue has been fixed. Mine...
  10. Re: MDS R77.30 restore. Some unexpected things.

    Are you using the checkpoint backup command or the "mds_backup" command? For a Checkpoint MDS system, the "mds_backup" method is the way to go, IMHO. That's what I've been doing for the past 15 years.
  11. Re: Checkpoint Enterprise Software Support Timeline

    Thank you for the feedback. I am hoping that it will extend until September 2020 when we're moving out of our existing DC and into a much smaller DC. By then, all of our firewalls at the new...
  12. Re: Checkpoint Enterprise Software Support Timeline

    What was the original end date of support for R77.30 and how many times has it been extended?

    My understanding is that R77.30 end date of support is May 2019 but has been extended to September...
  13. Checkpoint Enterprise Software Support Timeline

    What is the likelihood that Checkpoint will support R77.30 beyond September 2019? I just need this thing to run until Apr 2020 when we are going to shut down our existing DC and move into the cloud....
  14. Re: VPN Tunnel is UP but traffic is getting dropped

    Your configuration does not seem to be correct. You had:

    Encryption domain on checkpoint side:
    A: 192.168.254.0/24
    B: 3.3.3.3/25
    C: 3.3.3.128/25

    encryption domain on ASA end:
    A:...
  15. Re: How to output fw ctl zdebug + drop to a file ?

    There is a -o option that writes it to a file. I think you need to use that option.

    That being said, it is very dangerous to use "fw ctl zdebug" because you may crash the firewall. See this link...
  16. Re: Wget in Gaia R77.30 (Replies: 6, Views: 754)

    This is the idiotic thing about Checkpoint. They took away the wget utility. In R65/R71 and even R75, there is an add-on package that you can install to get wget, but no more with R77.30 and above. Why...
  17. Re: multicast issue (Replies: 6, Views: 716)

    That's the problem. Multicast is not easy to set up. Not difficult, but it is no cakewalk. Even when the OP gets it to work, what is he going to do when it stops working or he leaves the company...
  18. Re: multicast issue (Replies: 6, Views: 716)

    LOL... I love your answer. You must be working for Checkpoint, no?
  19. Re: multicast issue (Replies: 6, Views: 716)

    I've not dealt with Checkpoint multicast since R75.47 and my recommendation is to stay away from checkpoint multicast. Checkpoint TAC does not have the expertise to help you when you run into issues....
  20. Re: How do I check the routing table through command line? In checkpoint ?

    netstat -rnv
  21. Re: fw unloadlocal and routing daemon stopping?

    I thought that with Linux or GAIA or IPSO for that matter, "fw unloadlocal" WILL stop routing because of this:

    before "fw unloadlocal":
    # cat /proc/sys/net/ipv4/ip_forward
    1

    after "fw...
  22. Re: Disk space on SMS (Replies: 3, Views: 3,076)

    This is the problem:

    /dev/mapper/vg_splat-lv_current
    18578172 15204696 2429760 87% /

    You have 18.5GB in the / directory with about 2.4GB available. I am pretty sure /opt is a subdirectory of...
  23. Re: HA Failover appears to be caused by sync interface

    It makes no difference between straight-through or crossover cables. The NIC can detect both.

    Why not move your Sync interface to another unused port?
  24. Re: the grass is not greener on the other side.

    Cisco FirePower is really awful and I have first-hand experience with it myself. Version 6.2.3(7) was released two weeks ago and it has even more bugs than version 6.2.3(6). Some of the bugs...
  25. the grass is not greener on the other side.

    This is a very good rant article: https://www.reddit.com/r/networking/comments/9363af/cisco_firepower_rant/
  26. Re: Simultaneous SSLVPN & IPSEC VPN (Replies: 3, Views: 860)

    The answer is yes IF you set up the site-to-site VPN in "traditional mode" instead of "simplified mode (aka VPN community)". In traditional mode, Checkpoint does not see the Cisco VPN peer as part of...
  27. Re: Checkpoint User roles with Cisco ISE (Replies: 1, Views: 773)

    FYI: Cisco has discontinued Cisco ACS and replaced it with ISE. ISE is pretty much the same as Cisco ACS under the hood. Cisco has decided to combine both ISE and ACS into a single box to reduce...
  28. Re: HA Failover appears to be caused by sync interface

    Is it just me, or is the firmware on the NIC really old? I don't have a 5800 but mine looks much newer even though my NIC is already three years old:

    ethtool -i eth8
    driver: igb
    version: 4.1.2...
  29. Re: HA Failover appears to be caused by sync interface

    These are Gig ports so you should NOT do anything to them. They should work at 1G out of the box.

    As I've mentioned before, it looks like Checkpoint is using cheap-ass hardware. Looks like the sync port...
  30. Re: HA Failover appears to be caused by sync interface

    It could be the NIC itself. Checkpoint is notoriously known for using cheap hardware.
  31. Re: Hotfix and Migration tool (Replies: 6, Views: 1,689)

    Wow, that looks exactly like what I had. I probably posted this on CPUG almost two years ago :-)

    Actually December 2016: ...
  32. have you ever seen this and how do you go about solving it?

    I have a Provider-1 with a single CMA running R77.30 with JHFA_216. The CMA manages about 8 pairs of ClusterXL running H/A also R77.30 with JHFA_216.

    I am in the process of cleaning unused...
  33. Re: Appliances 5900 R80.10 and bonding interfaces limited throughput

    I assume that you also have this command on your Cisco switches:

    port-channel load-balance src-dst-ip

    On Cisco newer switches, you also see this:

    port-channel load-balance...
  34. Re: Appliances 5900 R80.10 and bonding interfaces limited throughput

    A few questions for you:

    1- Is SecureXL enabled?
    2- How do you perform the test? Are you using Iperf to do this test?

    My guess is that you might have a sim affinity issue based on the...
  35. Re: VPN - Encryption Domain (Replies: 1, Views: 622)

    Unfortunately, this is one of the problems when you use Checkpoint as a VPN device. You would not have this problem if you were using Cisco IOS routers or ASA.

    You can work around the problem by...
  36. Re: Issue with site to site vpn to cisco ASA - HELP

    That is not true. In both Cisco IOS and ASA, you can set phase 2 specifically for a particular tunnel. If you do not set it, it will take the global default. See below:

    lab(config)#crypto map vpn...
  37. Re: cpview to find out the source and destination that uses the most BW

    Sorry, it's been a long day.

    I looked at the script and I know the author of the script. He used to work for Nokia TAC in Ottawa :-)

    How is the script going to help me here? It says nothing...
  38. Re: cpview to find out the source and destination that uses the most BW

    Yes, I am 100% positive. I confirmed it with tcpdump, only a single connection, TWICE.

    If I disable SecureXL, it will make the problem worse, right? I don't think I want to do that in my...
  39. Re: cpview to find out the source and destination that uses the most BW

    I still do not understand what you're trying to get at. Let me explain again.

    I have a sqlnet connection between host 1.1.1.1/24 and host 2.2.2.2/24. It consumes about 800Mbps.

    When I run...
  40. Re: cpview to find out the source and destination that uses the most BW

    How is sk122013 going to help me? I am only looking for the connections that use the most BW, not fixing it. Is it possible with cpview?
  41. Re: cpview to find out the source and destination that uses the most BW

    I already tried that before asking the forum :-(. I know a source and destination that uses 700Mbps, out of the 772Mbps shown in cpview, but it does not show up in top connections :-(
  42. cpview to find out the source and destination that uses the most BW

    Below is my cpview output. I can see 772Mbps but I would like to find out the source and destination IPs that use the most BW. Where do I find that in cpview? I look under network--> protocols and...
  43. FIBMGR. Why is it there? (Replies: 0, Views: 471)

    Active/Standby ClusterXL in R77.30 with JHFA_216. I am not using any dynamic routing protocol, but why are the firewalls talking to each other over tcp port 2010 on the SYNC interface:...
  44. Re: High CPU problem on checkpoint gateway (Replies: 16, Views: 2,449)

    Tasks: 162 total, 1 running, 161 sleeping, 0 stopped, 0 zombie
    Cpu0 : 2.0%us, 0.0%sy, 0.0%ni, 7.8%id, 0.0%wa, 0.0%hi, 90.2%si, 0.0%st
    Cpu1 : 0.0%us, 0.0%sy, 0.0%ni,100.0%id, 0.0%wa, 0.0%hi, 0.0%si,...
  45. Re: High CPU problem on checkpoint gateway (Replies: 16, Views: 2,449)

    Sorry, that's what happens when you cut and paste. There is no fw_2, only fw_0 and fw_1.
  46. Re: High CPU problem on checkpoint gateway (Replies: 16, Views: 2,449)

    Here is the info you asked for when I used cpconfig to change the CPUs from 3 to 2:

    [Expert@gw-1:0]# fwaccel stats -s
    Accelerated conns/Total conns : 4794/4821 (99%)
    Accelerated pkts/Total pkts :...
  47. Re: High CPU problem on checkpoint gateway (Replies: 16, Views: 2,449)

    1- I used cpconfig to change the number of cores from 3 to 2
    2- rebooted both gateways at the same time
    3- ran cphaprob state on both gateways and confirmed active/standby

    Now instead of getting...
  48. Re: High CPU problem on checkpoint gateway (Replies: 16, Views: 2,449)

    YES, I know how to change it. I made the change and shut down both firewalls at the same time. I waited for gw-1 to fully come up and then powered up gw-2. The box has plenty of memory, 32GB RAM
    ...
  49. Re: High CPU problem on checkpoint gateway (Replies: 16, Views: 2,449)

    Actually I just did and it made the problem worse. Now everything is 50% slower :-(. Had to revert my change.
  50. Re: High CPU problem on checkpoint gateway (Replies: 16, Views: 2,449)

    [Expert@gw-1:0]# fw ctl affinity -l -r
    CPU 0: eth3 eth4 eth11 eth13 eth0 eth1
    CPU 1: fw_2
    CPU 2: fw_1
    CPU 3: fw_0
    CPU 4:
    CPU 5:
    CPU 6:
    CPU 7:
    All: rtmd fwd in.ahclientd mpdaemon...
  51. Re: High CPU problem on checkpoint gateway (Replies: 16, Views: 2,449)

    Still looking for suggestions on this.
  52. High CPU problem on checkpoint gateway (Replies: 16, Views: 2,449)

    A pair of R77.30 with HFA_216 clusterXL in Active/Standby on Dell PowerEdge R710 with 405 license. Only fw blade is enabled as confirmed with "enabled_blades" output.

    I have 10G interfaces on...
  53. Re: Management Server HA two different data centers?

    Here is my opinion about Checkpoint Management High Availability.

    It is a piece of junk. I first experienced it in 2004/2005 with NG AI and it is nothing but trouble. Even when I had the...
  54. Re: install R77.30 on Open Server (Replies: 5, Views: 1,687)

    So I suppose the new image Check_Point_R77.30_Install_and_Upgrade_T5.Gaia.iso will fix this issue?

    TIA
  55. install R77.30 on Open Server (Replies: 5, Views: 1,687)

    Ran into a very weird issue over the weekend. I have a Dell R720 with 64GB RAM and 8 quad-core CPUs.

    I installed R77.30 using the image Check_Point_R77.30_T204_Install_and_Upgrade.Gaia.iso. ...
  56. Re: Issue with site to site vpn to cisco ASA - HELP

    Can you share your ASA VPN configuration?
  57. Re: a very strange issue today (Replies: 6, Views: 1,088)

    This is what I am seeing in the log, among other things. It is definitely related to the fingerprint. I think the cert gets regenerated.

    [CPD 23194 2013005504]@p1[18 Jul 12:44:16] certificate...
  58. Re: a very strange issue today (Replies: 6, Views: 1,088)

    Yes, the fingerprint actually changes. The validity dates look the same.
  59. a very strange issue today (Replies: 6, Views: 1,088)

    I am running Provider-1 R77.30 with JHFA205 on Open Servers and it's been running fine for over 18 months.

    Today, when I log into the P-1 via the Dashboard, it prompts me for a new Fingerprint...
  60. Re: 5900 and SMT Or Assign particular core to Particular interface

    This is what I don't understand. If I buy an open server and install Checkpoint on it, SMT has to be disabled, but it is enabled on Checkpoint appliances. After all, Checkpoint appliances are...
  61. Re: VPN Problem 10% of User (Replies: 5, Views: 734)

    I disagree with that statement. Unfortunately, we are living in the real world and software, especially Checkpoint software, is written by humans and has a lot of flaws. Checkpoint seems to have more...
  62. VPN in Checkpoint R80.10 (Replies: 1, Views: 983)

    In the checkpoint VPN setup, I only see the following:

    In Diffie-Hellman group: Group 1, Group 2, Group 5, Group 14, Group 19, Group 20

    In Data Integrity: AES-XCBC, MD5, SHA1, SHA256, SHA384

    ...
  63. Re: VPN Intermittent Connectivity (Replies: 8, Views: 1,028)

    New? It was released back in 2005. I wouldn't say it is "new". In Internet time, it is like an eternity :-(
  64. Re: VPN Intermittent Connectivity (Replies: 8, Views: 1,028)

    How do you verify this on Cisco devices such as a router or ASA? Which show commands?
  65. Re: Sync bonding? (Replies: 5, Views: 1,201)

    I don't think you can use 3 interfaces. 802.3AD supports only 2, 4, or 8 interfaces.

    If there is no link between the switches, how does the bond work?
  66. Re: Sync bonding? (Replies: 5, Views: 1,201)

    I would change the mode from "round-robin" to "Active-Standby" because this is the SYNC interface.

    This works very well under the assumption that spanning tree is working properly on the switches....
  67. Re: Need help to implement the Carbon black through Checkpoint

    Proxy server
  68. Re: ISP Circuit Change and Check Point- assistance request

    You're making the problem more complicated than it is. Any reason why you use proxy ARP instead of just telling the ISP to route the /26 directly to your router VIP? That way, there is no need for...
  69. Re: Mgmt and Sync ports (Replies: 6, Views: 1,061)

    It is a stupid design of the Checkpoint appliances. The Mgmt and Sync interfaces labeled on the appliances can be used for just about anything. The labels have no meaning whatsoever. You can combine the Mgmt...
  70. Re: Is it possible to SFTP files off of Gaia?

    Yes, I've done it. You can do the following on the R77.30 with JHFA 216:

    in the /etc/ssh/sshd_config file

    1- from

    #Subsystem sftp /usr/libexec/openssh/sftp-server

    to
  71. Re: Checkpoint 13500 appliances and NTP servers

    Now I remember why the 13500 has this problem. It was an upgrade from R75.47 to R77.30. Everything else was a "fresh" install.

    Should not have drunk the Checkpoint Kool-Aid....

    thank you...
  72. Re: Checkpoint 13500 appliances and NTP servers

    [Expert@OpenSrvgw1:0]# lsattr /etc/ntp.conf
    ------------- /etc/ntp.conf
    [Expert@OpenSrvgw1:0]#

    [Expert@CP13500gw1:0]# lsattr /etc/ntp.conf
    ------i------ /etc/ntp.conf
    [Expert@CP13500gw1:0]#...
  73. Re: Max Processor Speed (Replies: 8, Views: 1,219)

    Then how do you explain the fact that on the Power-1 11065, the current CPU speed is always shown at 2400MHz, the same as Max Speed, ALL THE TIME. Is it because there is no turbo with the CPU running on...
  74. Re: Max Processor Speed (Replies: 8, Views: 1,219)

    On my 13500 appliances:
    dmidecode -t processor | grep -i "speed"
    Max Speed: 4000 MHz
    Current Speed: 2600 MHz
    Max Speed: 4000 MHz
    Current Speed: 2600 MHz

    On...
  75. Checkpoint 13500 appliances and NTP servers

    Good morning,

    I have to point the NTP servers to two different NTP server IP addresses. I've made the change in GAIA, restarted the NTP service with "set ntp active off/on" and also...
  76. Re: Common Check Point Commands (ccc) (Replies: 3, Views: 1,320)

    It is working. Great job!!!!!
  77. Re: Common Check Point Commands (ccc) (Replies: 3, Views: 1,320)

    Looks like your script does not work on the Provider-1 system. Am I missing something? See below:

    [Expert@mds:0]# fwm mds ver
    This is Check Point Multi-Domain Security Management R77.30 - Build...
  78. Re: checkpoint appliance and microburst (Replies: 10, Views: 1,537)

    I am still looking for solutions on this.
  79. Re: Checkpoint 5400 100% CPU usage (Replies: 24, Views: 7,256)

    Or perhaps the traffic could not get accelerated by Checkpoint firewalls. There are quite a few that Checkpoint knows about.
  80. Re: Checkpoint 5400 100% CPU usage (Replies: 24, Views: 7,256)

    Let's say that step #1 and step #2 are done like you suggested and you still have high CPU; what is the next step?
  81. sk93587- monitord high CPU - ranting (Replies: 0, Views: 577)

    It seems like checkpoint is moving the goal post on this one. This issue is in R80 and R80.10 as well. Last time I checked the SK, I didn't see either R80 or R80.10 listed in there.

    Why can't...
  82. Re: Checkpoint 5400 100% CPU usage (Replies: 24, Views: 7,256)

    A question and a few comments:

    1- How do you know if DD is enabled on the firewalls? Can you provide the output of the command "fw ctl multik get_mode"?

    - Enabling DD might make the issue worse in other...
  83. Re: Appliance slot map (Replies: 9, Views: 978)

    I can't disagree with you on this. Checkpoint is the "cheapest" company I've ever come across. Back in 2011, when I had to RMA one of the checkpoint appliances, I (the customer) had to pay for the...
  84. Re: Moving CMA from one MDS env to a different one

    Completely agree with your above statement. However, the OP said "Hi all, i'm starting a project where i'll be moving a CMA out of one MDS into a completely different MDS"

    Based on that...
  85. Re: Moving CMA from one MDS env to a different one

    When you change the IP address of the CMA, don't you have to break SIC on the gateways anyway and re-SIC with the new CMA?
  86. Re: Moving CMA from one MDS env to a different one

    I've done quite a few of these on NGx R65 and R70 but not since. It is a very simple process, no gotchas.

    Yes, you have to remove global policy from the existing prior to the migration. In...
  87. Re: Rule for Netflow logging of Internet Router

    Did you do this from the router: ping IP_PRTG_server source-interface lo 192.168.0.1

    Do a "show flow exporter" and "show flow interface" and share your output here.
  88. Re: Script to Restart Remote Gateways (Replies: 3, Views: 650)

    It works on GAIA, didn't ask for "are you sure":
    [Expert@P1:0]# mdsenv 192.168.1.1
    [Expert@P1:0]# cprid_util -server 192.168.1.2 -verbose rexec -rcmd bash -c 'reboot'
  89. Re: Script to Restart Remote Gateways (Replies: 3, Views: 650)

    I don't have an 1100 or 1430 so I don't have experience with them. If they are the same as checkpoint running on open servers, I would do something like this:

    1- have a centralized linux system for...
  90. Re: Rule for Netflow logging of Internet Router

    LOL... you need to provide more information than just "it's not working"

    PRTG server: 10.2.0.1
    L3 switch: 10.2.0.2
    CP-FW Internal interface: 10.2.0.254
    CP-FW External interface: 123.0.0.254...
  91. Re: Rule for Netflow logging of Internet Router

    1- create a loopback interface on the Internet router with private IP address
    2- add a static route on the Internet router for the PRTG server: ip route x.x.x.x 255.255.255.255...
  92. Re: ISP throughput (Replies: 13, Views: 3,123)

    Yes, Shadow did say it, my bad. Not having enough coffee in the morning.

    I sincerely doubt you will get 200Mbps with the ISP doing the hide NAT or PAT (as Cisco calls it). I have a Cisco 3945...
  93. Re: ISP throughput (Replies: 13, Views: 3,123)

    This will NOT work if you have NAT in place. How are you going to test this if the PC behind the 1100 has RFC_1918 address space? Unless you're talking about NAT'ing on the ISP router.

    Another...
  94. Output of 'top' command on Gaia OS shows that 'monitord' process consumes high CPU

    Checkpoint gateways are R77.30 with JHFA 216 in ClusterXL H/A mode. Just today, both gateways have high CPU and monitord is the root cause. The /var/log/db file on both gateways is about 130MB.
    ...
  95. Re: ISP throughput (Replies: 13, Views: 3,123)

    LOL... He did that in his initial post. "I have a locally managed 1180. We just upgraded the internet pipe from 30 to 200 Mbps. Off the ISP router I see 200 Mbps, but when I plug the ISP router into...
  96. Re: checkpoint appliance and microburst (Replies: 10, Views: 1,537)

    On a 10Gig interface:
    ethtool -a eth0
    Pause parameters for eth0:
    Autonegotiate: on
    RX: on
    TX: on

    On a 1Gig interface:
    ethtool -a eth8
  97. Re: checkpoint appliance and microburst (Replies: 10, Views: 1,537)

    I have a very interesting issue. I have 1350 appliances with R77.30 with latest GA JHFA.

    I see a lot of drops and rx-drop on the 10G interface even though it peaks around 800Mbps. However, if I...
  98. Re: checkpoint appliance and microburst (Replies: 10, Views: 1,537)

    Has anyone seen this problem with checkpoint firewall running either open servers or Checkpoint appliances? I can't be the only one with this issue.
  99. Re: Site-to-Site VPN intermittent Connectivity

    Something like this: let's say you have a site-2-site VPN between checkpoint and ASA, with 10.0.0.0/24 as the network behind checkpoint and 192.168.1.0/24 as the network behind the ASA

    nat (inside) 1 0 0...
  100. Re: Site-to-Site VPN intermittent Connectivity

    On the Cisco side, do this:

    term mon
    debug crypto isakmp
    debug crypto ipsec

    show crypto isakmp
    show crypto ipsec sa | b checkpoint_IP_Peer

    Is the Cisco ASA doing NAT? If NAT is...
Results 1 to 100 of 500