CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: testing features in R77.30

  1. #1
    Join Date
    2006-09-26
    Posts
    3,194
    Rep Power
    17

    testing features in R77.30

    Just finished building a ClusterXL R77.30 in my lab (a pair of Power-1 11065) and am trying out a few things; here is what I've noticed:

    1- Same issue with Oracle RMAN. It will peg one of the CPUs under SecureXL until I apply my workaround. I don't know if Check Point will eventually address this; doubtful.

    2- Same issue with Microsoft DFSR. DFSR traffic is not accelerated, goes through the slow path, and spikes the CPUs. I have an active case open with Check Point in R75.47. Unlike Oracle, there is no fix that I am aware of.

    3- If you have a lot of Oracle and Microsoft DFSR in your environment, enabling IPS is asking for trouble, IMHO. You're asking for trouble.

    A few things to consider when running dynamic routing protocols on Check Point firewalls in R77.30:

    1- I notice that OSPF fails to come up from time to time after a cpstop;cpstart unless I reboot both firewalls at the same time. That means an outage. Btw, my OSPF environment is a combination of Check Point, Cisco and Juniper.

    2- Do not try to push too much multicast traffic through the firewall. In my test, multicast traffic will stop passing the firewall at some point. You're better off with GRE tunnels for your multicast traffic across the firewalls.

    3- There is a delay in the firewalls allowing multicast traffic to pass through in ClusterXL, not VRRP. This is the same behavior I am seeing in R75.47 ClusterXL.

    4- If you happen to perform cpstop;cpstart on both gateways, one at a time, there is a good chance that multicast will stop working altogether. That means another outage. The fix for this, just like R75.47, is to remove the PIM configuration on both firewalls and reboot both of them at the same time. Once both of them come back online, apply the PIM configuration on both of them in order to restore service.

    I only spent a few hours playing with these features and that's what I observed. If someone thinks otherwise or wants to add to this thread, please do so. I'd love to hear from you.

  2. #2
    Join Date
    2013-09-25
    Location
    Bucharest
    Posts
    649
    Rep Power
    7

    Re: testing features in R77.30

    Good news: it's just that these advanced features you tested are not used that much in most production scenarios.

  3. #3
    Join Date
    2006-09-26
    Posts
    3,194
    Rep Power
    17

    Re: testing features in R77.30

    Quote: Originally posted by laf_c
    Good news, it's just these advanced features you tested are not that used on most production scenarios.

    LOL. That is true, but it is best NOT to use them at all or you will not be able to sleep at night :-(

  4. #4
    Join Date
    2015-12-23
    Posts
    47
    Rep Power
    0

    Re: testing features in R77.30

    Have you enabled Dynamic Dispatcher? It's disabled by default. Run this command to verify:

    [Expert@HostName]# fw ctl multik get_mode
