Thursday, December 27, 2012

Installation / Upgrade Wizard

I am not sure if it is a Christmas miracle, but it's definitely a great present from Check Point.

We now have Upgrade Wizard on Check Point Support Portal, a tool that helps you choosing your upgrade path and installation sources fro bot appliances and open platform.

Great job, Check Point!!!

Tuesday, December 4, 2012

No memory policy installation failure - resolved

I have faced a nasty issue lately with one of my VSX customers. After a certain IPS update the customer has lost ability to push policy to one of Virtual Systems. There was an error: "Load on Module failed - no memory". Strangely, it was just a single VS amont tens of others managed by the same CMA.

They have rebooted the VSX cluster hoping to fix the situation, but it only made it much worse. On the standby physical member the problematic VS was not even loaded, as pushed policy could not be anymore fetched. The cluster was broken, and the member went to "down" state.

Surprisingly, the first case one can find in SecureKnowledge, sk40768, has saved the day. There is a parameter related to showing rule's UUID in the logs, one has to switch it off as the solution case describes.

Once we have applied the solution, policy could be pushed without a problem. The second cluster member was still down, with weird interface probing errors and VS failed to run. We have had to reboot it, and after that everything came back to normal.

Lessongs learned:

1. Do no believe policy installation errors, they can be extremely misleading.
2. Do not rush into rebooting VSX cluster members, that could back-fire.
3. Do DB Revision Control before updating IPS, that would allow you to roll back quickly, if any issue with policy installation.

Friday, November 9, 2012

SPLAT R75.40 is not available for 4400 appliance

A colleague of mine has recently discovered an unfortunate fact SPLAT R75.40 has no support for 4400 appliance.

Everything works fine with R75.30, but after upgrading to R75.40 appliance status in SPLAT WebUI shows  error code = INITIALIZE_CP_SENSORS_FAILED message. There is a SecureKnowledge case SK79800 mentioning incorrect drivel load. Unfortunately specific drivers are missing for 4400 appliance.

After numerous hours spent in resolution and a support call, the issue is still there. In fact, Check Point has confirmed that R75.40 SPLAT does not work properly on 4400. 

One can use either GAIA R75.40 flavor or upgrade to R75.45. The last option obviously requires Management side upgrade as well.

Monday, October 15, 2012

Finally, 10GB HP NIC is supported with Check Point

Miracles happen, even in technology world. I was informed today Check Point finally has  10 GBps optical card supported with HP hardware.

Tree years ago not having any 10 GB NIC supported with Check Point almost killed one of my VSX projects, where HP HW was planned to be used. There was a case with Check Point solution center, multiple meetings with CP executives and other numerous efforts to un-block the situation, and nothing really happened. Check Point han several 10GB NICs, but none of them were made by HP. And as you know, HP does not support "foreign" parts on their servers.

Long story short, that is no longer a case. If you are planning to run R75.40 on HP, you can have this card working in fully supported configuration. If you are running VSX, there is a driver for R67 you must use.

Update: Well, my joy must be a bit premature. According to the official specs, this card is only supported with G6 and G7 HP servers. And as you may know, G7 has end of sales by the October 2012.

Update 2: HP confirmes the mentioned card will not be supported with Gen8 line. Great news, Check Point and HP, great news indeed. /sarcasm/

Tuesday, September 25, 2012

E75.x Endpoint Connect Client: decrypting config file

Endpoint Connect is quite different from SecureClient, you know that. Latter has VPN site configuration in users.C file, and by default it is stored as cleartext.

E75.X client stores VPN configuration on Trac.conf file, and it is encrypted by default. If you are trying to troubleshoot some site creation issues or just curious, it might be interesting to be able to decrypt the configuration file.

This is what you need to do:

1. Login to your laptop as an administrator and locate E75.X files. Usually they are under %Program Files/CheckPoint/Endpoint Connect/ folder. Find there Trac.defaults file

2. Stop VPN client (close GUI) and then stop Check Point Endpoint Security VPN service

3. Open Trac.defaults file to edit, find OBSCURE_FILE parameter and change its value from 1 to 0.

4. Start VPN service and then the client. Trac.config file is now readable.

Wednesday, September 12, 2012

Tufin revolution - part of CPUG 2012

Have you see Tufin revolution banner?

Come to CPUG 2012 conference to witness that revolution in motion. Tufin is sponsoring CPUG conference and is going to announce a new exiting revolutionary way to manage your firewalls.

It is not too late to register.

Next Generation FW war is not so cold anymore?

PAN and Check Point are known to attack each other. If I understand it correctly, PAN is chasing Check Point customers for years. I guess, we need to thank them for it. That is the main reason Check Point was so aggressive to introduce Identity Awareness and Application Control features. Anti-Bot software blade is taking the race even further.

But that was a cold war two years ago. It was a feature race. Now the tention seems to get more and more hit.

PAN has hired mythbusters to show some rather humiliating competitive analysis.

Check Point did not go so far, but take look at this site, "Facts or Hype". The argument is getting hotter.

I wonder when it finally makes to court. What do you think?

Sunday, September 9, 2012

Wednesday, August 22, 2012

GAiA tricks - mounting DVD

One more thing missing in GAiA is DVD/CD mount point. If you try to do mount /mnt/cdrom on GAiA, you get an error, because of the two reasons:

1. There is not mount point
2. fstab does not have corresponding info.

Let's make it work again.

1. Open fstab to edit with "vi /etc/fstab" and add there the following:

/dev/cdrom /mnt/cdrom udf,iso9660 noauto,owner,kudzu,ro 0 0

2. create /mnt/cdrom folder for using as a mount point: mkdir /mnt/cdrop

Now you are ready to mount your DVD or CD to the machine.

Sunday, August 19, 2012

GAiA tricks - enabling sftp

GAiA is supposed to be more superior and generally better OS than SPLAT. In some aspects it is. But for someone used to work with SPLAT it may also be a hustle. A lot of things are done differently there. I am starting series of posts for GAiA tricks.

Today let's make SFTP work.

If you have ever tried SFTP with GAiA, it does not work for a very simple reason: it is disabled. To enable it, you have to do the following:

  1. Create a new user for SFTP access with default bash shell. Alternatively change admin shell to bash. If you do not know how to do that, check chsh command.
  2. Access Expert mode and open to edit sshd_config file: vi /etc/ssh/sshd_config
  3. Uncomment the following string:
    #Subsystem sftp /usr/libexec/openssh/sftp-server
    and save the file.
  4. Run /etc/init.d/sshd restart
Now enjoy SFTP working again.

Update: As Dameon D. Welch-Abernathy tells me on FB, there is SK for that: SK82281

Update 2: After some rather intensive discussion in one of LinkedIn groups, I have to make a clarification. SCP is working on GAiA same way it was with SPLAT. If you are using WinSCP client, it tries SFTP but falls back to SCP if there is a problem. That means, to transfer files with WinSCP client, you only need to perform step 1 from above. With WinSCP it is not so different from SPLAT.

But if you are not using Windows and/or want to run explicitly SFTP and not SCP, you still have to perform the whole procedure.

Friday, August 17, 2012

Check Point User Group conference 2012 - come along!

Annual CPUG conference will start on 17th of September. It is not yet too late to register, so hurry up and come along!

If you come, check out our intensive classes. I will be happy to see you on my Check Point Best Practices course.

See you there.

Friday, August 10, 2012

MDM R75.40 GAiA based - some gotchas

I have installed a new MDM server (a.k.a Provider-1 MDS) today, and it is R75.40 GAiA based thing.

It was quite interesting experience, considering this is the first GAiA version of MDM. There are some minor things you may want to know.

1. Idle timeout can only be set from WebUI. But even there, it does not seem to work. It did not work for me, although I might be doing something wrong.
2. mds commands are ONLY available from expert shell and not from CLISH. That is a shame, considering, timeout is not exactly OK.
3. Said that, the first configuration and MDS roles are both done from WebUI now.
4. Expert password can only be saved if you set in in CLISH and then log off. If you just reboot, as I did, it is lost, and you have to re-define it again. Such an ugly bug.
5. SmartLog is complaining about having not enough space to start. It might be just my lab server, but I have an impression it reads free space on /opt wrongly.

Feel free to share your own experience.

Update: MDS commands are actually working from CLISH after reboot. What's a relief...

Monday, July 16, 2012

Check Point announces R75.40VS - new VSX

You may know already that long waited VSX with Software Blades support is finally out.

It is called now Check Point Virtual Systems. It is based on GAiA R75.40 and supports almost all Software Blades, except for Mobile Access Portal.

There are many other interesting features, such as physical-to-virtual conversion wizard and SNMP monitoring per VS.

Mind while it is GAiA based, clustering is only ClusterXL.

UPDATE: apparently it is not exactly OUT yet, nothing is available for download...

Tuesday, July 10, 2012

How to reset SIC for a Virtual System

In a very rare occasion you may have SIC issues with a VSX-based security system. In most of the cases it surfaces as a communication failure for one or several Virtual Systems.

It would be quite easy to fix failing SIC in case of a physical FW: you just need to reset in on both MGMT and GW side and to re-initialize it from the SmartDashboard.

In case of VS it is not that easy. You should follow the procedure, explained in SK34098. But before I will give you a short overview of the procedure, there are three important points to mention:

1. Do not try to reset SIC with the physical members of your VSX cluster. It will lead to even bigger problems, and will not help to restore SIC on a particular VS.
2. Follow the procedure bellow only if you are absolutely sure these is no communication problems, and local time settings on both GW and MGMT are fine. Remember, this procedure is the last resort, and if you do not follow it carefully, you may cause even more damage.
3. If any of the mentioned bellow does not seem familiar to you or if you have any doubt, call your support contact and ask them for help.

Said that, let's fix the issue.

Step 1: Identify ID number of the failing VS.
Step 2: Reset SIC for this VS on GW side. To do that, run the following command:

fw vsx sic reset {VS_ID}

Step 3: SIC reset on MGMT side. Go to the target CMA (one managing the problematic VS) by typing the following command on MDS console:

mdsenv {CMA_NAME}

Identify SIC name for the VS. To do that, run

cpca_dbutil print InternalCA | grep {Virtual_System_Name}

Note: the SK mentioned above describes an alternative way involving ICA Management tool Web-UI. You can do that, it does not matter. I believe my way is faster.

Once you get the full SIC name, run the following command:

cpca_client revoke_cert -n CN={VS_SIC_Name}

Step 4: Recreating SIC. Open SmartDashboart to target CMA and double-click on the problematic VS. Press OK button. On this step SIC should be re-created successfully.

You may want to install policy on this VS once all's done.

Wednesday, July 4, 2012

CPUG Europe materials are available online

It will be the fifth time for CPUG Europe Conference this year. We have started in 2008, and each time it is great fun and lots of things to learn.

I hope to see this year in Switzerland.

Sincerely yours,

Valeri Loukine

Monday, July 2, 2012

Firewall race - who will be a winner?

We all remember announcement of Check Point 61000 appliance the last year.

The specs were quite impressive that time: up to 200 Gbps throughput, 70M concurrent connections. Who could possibly need more that that?

Apparently someone does need more. Otherwise how would you explain the latest Fortigate announcement of new updated 5000 series?

The highest model, FortiGate-5140B, according to its specs, is capable of  getting up to 480 Gbps throughput and 132M sessions.

The question is what nest to expect. Would Check Point retaliates with even bigger box or someone else steps into the race, like PAN, Juniper of even Cisco?

What do you think?

Wednesday, June 27, 2012

Performance analysis for Check Point firewalls

Lately I have came across a brilliant SK article about performance analysis in Check Point environment, sk33781 

The article thoroughly discuss various indicators and parameters of FW configuration:

  • RAM and Kernel memory
  • CPU usage
  • SW and HW interrupts
  • sim affinity
  • FW connection table
  • NIC configuration and driver's settings

I am planning to use it as a reference in my Performance Optimization training.

Take a look, you may find it very useful. Ming you need User Center account to access the case.

Tuesday, June 26, 2012

Safari is not supported with Check Point client authentication

Have you ever tried to use Client Authentication through Safari browser? I have, and it does not work. Well, sometimes it does. There are even some SecureKnowledge cases about it, like sk40327.

But with one of my customer using VSX and SSL encyption instead of plain HTTP you could authenticate through any browser but Safari. The issue was platform independent. iPad, Mac or even Windows, Safari could not authenticate, period.

A user gets the initial auth page and types in a username, but instead of password prompt on gets an empty error page.

I have opened a support case, and guess what? Here is the official answer, quoted for my support case:

"...after consulting with R&D, I can officially assure you that using Safari on client authentication with VSX R67 version is not supported.

The only officially supported browser when using client authentication is Internet Explorer.
This statement is relevant for all Check Point versions."

Cool, right?

That said, I expect Check Point to make this statement publicly available as a new SK and/or part of the Release Notes.

Friday, June 22, 2012

DDOS Protector - details are public now

Check Point has finally published details about newest DDOS Protector appliances I was mentioning earlier.

There are 7 different models available.

As Check Point describes, DDoS Protector is capable of stopping today's advanced DDoS attacks including:

  • Vulnerability-based attacks that exploit server application weaknesses including Web, Mail, DNS, FTP, SIP, SQL server vulnerabilities
  • Non-vulnerability-based attacks that misuse server resources, such as
    • Application DoS – HTTP , SIP, and other flood attacks
    • Authentication defeat - brute force attacks
    • Information theft – application scanning
  • DoS/DDoS flood attacks that misuse network bandwidth resources
  • Rapid response and real-time update of custom filters to protect against emerging attacks
  Press Release and Data Sheet for the appliances are available on the product page.

Monday, June 18, 2012

ClusterXL: Sync on VLAN interfaces

We all know Sync network in cluster configuration should be isolated from the rest of production networks, or, as Check Point calls it in the documentation, "secured". Reason for that is that sync interfaces have no security policy enforced and can be used to penetrate your FW cluster.

Nevertheless sometimes you have to do Sync over VLAN interface instead of a physical NIC.

If you do so, you might bare in mind sk34574. As described there, ClusterXL requires to use the lowerst VLAN tag for Sync interface.

For example, if you are using eth.1.10, eth1.20 and eth.30, you can only configure eth1.10 for cluster synchronization.

In case you did it wrong, cphaprob -a if will report you the following:
Warning: Sync will not function since there aren't any sync(secured) interfaces 

 In this case it is not enough to re-configure VLANs and re-push policy. If you picked the wrong interface first, you will have to re-initialize ClusterXL on your physical machines. To do that, go to cponfig and remove clustering, then start it again from there. Reboots are required.

Thursday, June 14, 2012

Check Point to launch DDOS Protector

Check Point is having partner's session as we speak where it introduces DDOS Protector - HW based product, not available in SW form.

Press release is to be sent out soon.

Wednesday, June 13, 2012

Official upgrade matrix for Check Point products

As you may know, navigating between the major and minor versions of Check Point is not easy. Many of us, myself included, are using these maps, courtesy of Patrick Waters.

Although Patrick's maps are great, they are not official and a bit out dated, considering the author partied with check Point on 2011.

If you are looking for an official upgrade matrix, there is a better resource in the UserCenter. Please mind it is available for download to registered users only.

Good luck with your upgrades.

Tuesday, May 15, 2012

Next Generation security features - are you using them?

Next Generation firewalls - this term is buzzing for some time now. In Check Point world it is presented by the following features:

Application Control
Identity Awareness

What features from the list are used in your security systems? What about your customers? Thanks for sharing

Thursday, May 10, 2012

GAiA: ClusterXL magic mac settings - same as before

GAiA is Linux RH based, and it has system 2.6.18 kernel.  And Check Point ClusterXL is still the same as before.

If you are upgrading to GAiA or installing in fresh in a cluster configuration, you may need to take care of so-called "magic mac" settings.

To remind you briefly, "magic mac" is an artificial MAC address used in CCP, Cluster Control Protocol, responsible for probing, messaging and sync communications in ClusterXL. Once you have more than one cluster in the same network, you have to change magic mac settings starting from the second cluster and up.

Some details about the change is mentioned in SK66527.

GAiA or SPLAT, it makes no difference. If you are using ClusterXL and not VRRP, follow the mentioned solution.

For those who do not have the access, here is a quick HOWTO:

First, make sure your magic mac are default. To check that, run fw ctl get int fwha_mac_magic and fw ctl get int fwha_mac_forward_magic commands, as in the example bellow:

# fw ctl get int fwha_mac_magic
fwha_mac_magic = 254
# fw ctl get int fwha_mac_forward_magic
fwha_mac_forward_magic = 253

The default settings are, as shown 254 and 253.

On the second cluster you will have to do the following:

On each of the Cluster Modules
1. cd $FWDIR/boot/modules
2. create the fwkern.conf file by: # vi fwkern.conf
3. Add the required parameters and values as given below:

Mind the numbers marked bold should be unique on each cluster you are making changes and non equal to default.
4. Save the fwkern.conf
5. Verify the fwker.conf is correctly configured by: # more fwkern.conf
6. Reboot the Module
7. Verify the new mac magic setups correctly configured by:
# fw ctl get int fwha_mac_magic
# fw ctl get int fwha_mac_forward_magic
8. Verify the Cluster Module status by:
# cphaprob stat

 And just a reminder, if you are using VRRP instead of ClusterXL, you do not have to do any of the above.

Tuesday, May 8, 2012

GAiA: sysconfig disabled, migration tools are still there

If Google is correct, some of you are looking for details about GAiA in this blog.

In particular, about sysconfig. On SPLAT it is "one script for all" tool, that allows  you configuring most of OS and Check Point parameters. But is you are trying to get it on GAiA, here is what you get:

This command is not active

This is made by design, as GAiA provides you IPSO-like experience. Although sysconfig binary is still present, it seems to be completely disabled. CLI is configured to use CLISH instead.

If you are new to CLISH, I advise you to start reading "GAiA Administration manual", chapter 3 or" IPSO 6.2 CLI reference guide" for the matter.

Concerning more advanced tools, like migrate export/import scrypts, there are not too many changes. You find them in the usual place, $FWDIR/bin/updrade_tools, with unchanged syntax.

Care to learn CCSA R75 in my ATC?

Hi all!

I still have some places available in CCSA R75 class planned to start on 19.06.2012. Please feel free to register through our ATC site.

If you need accommodation in the area, just let me know here or through contact form on the web site, I will ask our office coordinator to provide you some options.

We cannot provide any visa support in case you require one, sorry.

Thursday, May 3, 2012

CCMSE is not required to pass CCMA after all

Hi all!

For some time I have been posing about CCMA prerequisites in this blog, more than once. Forget what has been said.

I have got a message from Ken Finley, Check Point Certification Program Manager. It is about my inquiry about CCMSE being a prerequisite for CCMA certification. The final official answer is CCMSE NOT REQUIRED.

Here is the short email conversation we have had:

VL: What are the prerequisites for CCMA? It is stated on the web site that CCSA, CCSE and CCMSE are all required. Is this indeed the case? Is CCMSE mandatory for CCMA?
KF: To be eligible for CCMA now, requires CCSA and CCSE r70 series. CCMSE is not required but highly recommended. CCMSE is now both MDM and MDS.

VL:Website still has CCMSE as a prerequisite. Is it an error? 

KF: Affirmative!

So, lads and gents, this sums it.

CCMSE is recommended but not required, Check Point Web site states it wrong after all.

Tuesday, April 24, 2012

Care for checking out GAiA's source code?

Hi all!

As we all know now, R75.40 is released, and as part of it GAiA is now out. Do you want to have some pieces of its source code? If yes, you may want to look into License.txt file on the installation DVD.

This document mentions parts of SecurePlatform and GAiA to be subjects of GNU GPL, GNU LGPL and BSD license.

That means one can request source code, and Check Point has to provide it.

Well, you will not get any source code for security products, but some OS pieces might be interesting as well. In particular, dynamic routing binaries, VRRP related files, etc. If so, check the license file I have mentioned and feel free to email your requests to

Thursday, April 12, 2012

Upgrade to R71.10 on SPLAT fails if done with local ISO mount

Hi all!

Just a quick note, mostly for myself to remember.

Apparently if you are doing an upgrade to R71.10 with ISO file, the installation wrapper un-mounts and mounts back the CDROM for whatever reason. So if you are using my advice about mounting local ISO files as a CDROM, beware - the upgrade will fail.

As it has just happened to me. That was unexpected, indeed.

Tuesday, April 10, 2012

Configuring span port with R75.x, how to

If you would like to demonstrate Check Point products to your customers or to make some trials in the production environment without risking of breaking something, it might be handy to use a span port.

This post is not about how to make a span port on your network switch, it is about proper configuration of your Check Point box.

To simplify things, let's assume you are running a standalone installation (quite useful for new product trials). You have to have two physical network interfaces: one for management and GUI connections, the other one to connect to a mirror port.

When installing the box, you need to assign an IP address to MGMT interface. Leave the second NIC unnumbered.

Once you have installed Check Point products on the box, you have to configure the second NIC to be ready for span port connectivity. To do that, go to sysconfig / network configurations / configure connection and choose "Define as connected to a mirror port".

This setting will create a new bridge interface with your second NIC in it.

In case you are running GAIA EA (as I am doing as we speak), sysconfig there is disabled. You have to go to GAIA WebUI. Enable the second NIC there and create a new bridge manually, then add NIC to it.

This is all for OS related configuration, the rest is in the SmartDashboard GUI.

When defining topology of your FW, set up MGMT interface as external, but disable anti-spoofing. The second unnumbered interface should have "undefined" topology.

Install policy, enable features you want to test. Now you are good to go.

Just one more tip. If you want good visibility on your internal network security situation, define span port for internal, not external interface of your actual production FW.

Monday, April 9, 2012

CPUG members to meet on CPX, Belrin

Hi all CPUG members and followers.

As you may know, the relations between the vendor and CPUG are rather cold, so there will not be an official booth at CPX. But who cares. We are the great community of brilliant professionals and experts. Lets do something about it :-)

I suggest we have an informal meeting in Berlin on 30th of May, in the evening, during or just after Check Point fun event. It would be nice to put faces to the names, to share some thoughts and opinions.

Please let me know if you think this is a good idea. If you like it, we will find a way.

Also, just to remind you, CPUG Europe 2012 registration is already open. If you cannot make it to CPX 2012 in Berlin, see you on CPUG 2012 in Chur, Switzerland.

Tuesday, April 3, 2012

Check Point site is unavailable due to a registration issue

Some of us may have problem to access Check Point main portal and UserCenter site since yesterday. As The Register reports, this has nothing to do with an attack. It was a registration issue.

For those who cannot make it work yet (mine is back to normal):

You can try to work this around by some means:

1. Try IPv6, that works for the main portal
2. Use instead of just
3. Access Check Point portal by its external IP address: is not available though.
To access it use or

Tuesday, March 20, 2012

SPLAT WebUI port customization with R75

One of my favorite commands on SPLAT is webui. It allows you to set WEbUI on a custom port, if you like. For example, to set it on port 4434 you just need to run the following: webui enable 4434

But be careful, with R75 and up the behavior has been changed. Even if you set it up on a custom port as described above, it will get back to default 443 after reboot.

This is quite annoying, especially if you have Mobile Access Blade with SSL portal running on your GW. But no worries, there is another place, rather unusual, where you can set it up right.

For your R75 and R75.X objects, go to SmartDashboard, then double click to the managed object and choose SecurePlatform tab.

In the "Main URL" field add your port, as shown on the picture above. Push policy, now it is all good.

Tuesday, March 13, 2012

ClusterXL flapping troubleshooting - short HOWTO

ClusterXL is one of the most interesting and yet not easy to handle parts of the Check Point products. This post is to summarize some basic troubleshooting steps when dealing with cluster instability.

Symptops: FW SPLAT based cluster is "flapping". Members periodically change status from Active/Standby to Down. In SmartView Tracker logs you can see entries about "member 1 is down" members 2 changes state to active" as well as messages of connectivity problems with cluster interfaces:

cluster_info: (ClusterXL) member 2 ( is down (Interface Active Check on member 2 ( detected a problem (14 interfaces required, only 13 up).)
cluster_info: (ClusterXL) interface Mgmt of member 2 ( is down (receive up, transmit down) 


There are some basic steps for fixing it quickly.

1. Check if there is any other Check Point cluster connected to the same IP network. If there is, change so-called "magic MAC" numbers, as described in SK25977. Aplly the solution, reboot the cluster. Check if the issue is now fixed. If not, go to the step 2.

2. Check your cluster is runnign in multicast mode. To do that, run

# cphaprob -a if
You should have something to the following output:

High Availability interfaces (cphaprob -a if)
Required interfaces: 4
Required secured interfaces: 1

eth0       UP                    non sync(non secured), multicast
eth1       UP                    sync(secured), multicast
eth2       UP                    non sync(non secured), multicast
eth3       UP                    non sync(non secured), multicast

If you have broadcast for interfaces instead of multicast, there is something wrong with physical interfaces, cabling and switching. Otherwise to to the step 3.

3. Be sure IGMP snooping is disabled on the adjacent switch. ClusterXL uses CCP in multicast mode by default, so IGMP registration won't work on the switch side. You have to have IGMP snooping disabled globally on the switch or at least for the specific NIC ports connected to the cluster.

Once IGMP snooping is disabled, this should stop flapping. Reasons are mentioned in ClusterXL R75.20 Administration Guide on the page 31.

In case you cannot disable IGMP snooping on the switch, the last option is to switch CCP from multicast to broadcast.

To do that, run

cphaconf set_ccp broadcast  

You will have to reboot the cluster again.  As mentioned in the comments, reboot is not required to activate the feature.

All, if you have something to add to this, please be my guest and comment at will.

Monday, March 5, 2012

The qurious case of CCMA certification

Last year I have mentioned CCMA certification twice: in January and in May.

The first post was about CCMSE to be a new per-requisite for CCMA certification.  Later that year I had to make a second post about CCMSE being just a recommendation and not a requirement for CCMA.

It would be unwise to think the story has ended there. Behold,

CCMSE is back. You have to certify both MDM and VSX to be able to continue to CCMA path.

Dear Check Point. Please make up your mind and stick to it.

Sincerely yours,..

P.S. Just after I posted this I have found a great post from Danny Jung: CCMA's diary. That's a great one, take a look.

Wednesday, February 29, 2012

Check Point Price List is no longer public

I was (not exactly pleasantly) surprised this morning to find out Check Point Price list access now requires valid User Center account.

Japanese part is still in public zone, but not the regular price list. Not anymore.

I do know it takes only 2 minutes to set up a new account to access price list. In my personal case I use partner quote tools for years.

But what about any new and/or potential customers, Check Point? Why should you have to limit access to the major reference tool?

What's the point?

Tuesday, February 28, 2012

3D Reporting tool, quick HOWTO and tips

As I have mentioned recently, Check Point has release so called 3D Analysis tool to help partner in showing added values of Check Point technologies by analyzing live production traffic.

Although this tool is a great thing, there are some tips and tricks to make it work even better:

1. Licensing. The downloadable tool from Check Point has an expired license. Use your quick eval license on it.
2. Tapping. The official guide mentions tapping on the external interface of the cusotmer's FW. In this case bandwidth utilization will not show internal hosts. Identity Awareness information will also be unavailable. You may want to mirror the internal interface of the customer FW, in case topology in place is simple.
3. DLP policy is not set to customer's case. Do not forget to configure email domain properly before deploying the tool.
4. identity Awareness is not activated. If you want to enable it, mind p.2. Also do not forget to arrange connectivity to AD from the physical machine hosting 3D VM tool.
5. Policy installation. VM does not have any policy installed when you start it, do not forget this tiny detail.

If you have some other tips, please kindly share them in the comments.

Friday, February 24, 2012

Gaia public EA, first impression

As you may already know, long expected Check Point Gaia has finally made the first public EA.

I am currently playing with it, and it seems quite interesting. Here are my first notes for the matter.

Finally, Google Chrome is support for WebUI, although my old Firefox 3.6 on OSX is not. The first time wizard loos quite nice, and it finally recognizes the platform, VMware Fusion in my case.

VRRP is indeed part of the release, all praise Check Point for that!

When installing, you can see much more detailed progress

Once system is up, you get WebUI overview page. It is too big to put it here, but there are some detais I would like to point out. There is a feedback area in the GUI. You can just mark something you like or not with the smiley faces, You can also send the text feedback form the tool.

 Check Point listens, isn't it nice?

One last picture for today, in the use management section one is able to set a lot of accessibility and management roles. Each part of MGMT interface can be set to full rights or read only.

Now, what about kernel? It is still RH Linux based, 2.6 version. I have installed 64 Bit version, and it seems to do its job so far.

CLI is set to clish, and you get bash in expert mode. cpshell is still there, but some of the commands do not work. As I am still in the earliest curiosity stage, RTFM step is not done yet, so it might be a user error.

I am planning to dig into the most expected features: dynamic routing, VRRP, extended kernel memory, etc. New posts to come.

Monday, February 20, 2012

VSX - no logs from some of Virtual Systems

Last weekend I was assisting my customer in migrating VSX cluster to a new HW. The migration went smooth, but there was a weird problems - some Virtual Systems on the new cluster were not sending logs to their log servers.

I am facing this problem more than once, so I guess someone else can have this too. Here are some tips, what to do.

The issue itself might be related to VS creation process, as mentioned in sk43973 and sk61545 (both solutions are about the same problem). Although the case claims the issue is fixed in VSX R67 GA, I have experienced in on R67.10

First, check you do not have any issue with cpld process on bpth sides: VSX and CMA. Check the processes are up.

Then see if VS is actually talking to its CMA. To do that, run netstat -na. If logs are being sent, you will see an established connection between CMA and VS on port 257. Detailed explanation about how to do it can be found in sk38848.

Now, this is the key point. If you have the established connections, logs are coming. Install DB on your log server and re-open SmartView Tracker client, you should now see them.

If connection is not established, something is quite wrong with the logging process. In my last case, certain Virtual System was not sending logs, if active on the first cluster member, but was sending them after a failover. CPSTOP/CPSTART did not fix the issue, but the reboot of the cluster did.

If you cannot afford rebooting the cluster, you can try killing cplogd - special daemon responsible for logging in VSX environment. To do that use "kill -9 " command from the expert shell.

So, the recommendations are:

1. Check connectivity and communication on port 257.
2. If there is traffic from VS, install DB on the log server.
3. If there is no communication between VSX and CMA, reboot the cluster members one by one.
4. If neither one of the steps helped, open a support case and describe all you did thoroughly.

Good luck

Monday, February 13, 2012

Check Point releases new demo tool for partners

Check Point has released so-called 3D Security Analysis Report Tool. Partners can download this tool from the partners' portal.

The idea is to allow a simple and straight forward demonstration of Check Point most recent security features, such as IPS, DLP, Identity Awareness and others, without intrusive operation in the end customer's networks.

The tool includes a special GUI client and a virtual machine with pre-installed Check Point FW. 

One can connect the virtual appliance to a mirrored port to inspect the passing traffic. Later on an automatic report can be generated from the collected information.

A sample report is available here.

Monday, February 6, 2012

CPUG Europe 2012 - are you coming?

Have you mentioned already that CPUG Europe 2012 registration is already open?

Annual CPUG European conference will take place in Chur, Switzerland starting 17th of September. 

Early registration is available till July 17th, and you can save extra EU50, if attended the last year.

See you all in Chur, guys!

Thursday, February 2, 2012

Check Point releases R75.20 VE

Check Point has announced  R75.20 VE release on its Twitter account . This means that (almost) the latest functionality is now available as Virtual Edition.

 Just two days ago you could only download R70 VE lacking many of the recent and most interesting features such as Application Control, SSL inspection, etc.

Funny enough, R75.20 is not yet listed on the official page, but can be already downloaded form User Center.

Monday, January 30, 2012

R70 to R75 upgrade - resolved

Hi all!

In one of my previous posts I have mentioned some troubles concerning R70 to R75 upgrade, blaming (together with CP support engineers) IPS database.

In fact the issue was related to something completely different. The customer has had a time object, like one on the picture.

As you can see, the second, not the first "Restrict" checkbox is enabled. If the first checkbox is not marked, this object causes policy compilation failure on R75. Mind it was working just fine on R70.

Friday, January 20, 2012

UTM 27x HD free space upgrade issue

I have performed R75.10 to R75.20 upgrade on UTM 27x yesterday for one of my customers. It was not smooth.

The customer has a "classic" UTM cluster: both MGMT HA and FW ClusterXL HA are configured.

The upgrade went smooth on the secondary node, but failed on the primary one.

Short troubleshooting has shown it failed because of lack of free space on the main partition. I have mentined several disturbing issues:

1. HD space is apparently not monitored. 

Root partition only contains binaries and configuration files. On this particular system HD is partitioned to provide around 10 GB for root partition and around 80 GB for /var/opt/log one. In our case root was used for at least 70%, and in the middle of DB conversion it jumped to 100%. Apparently you should have this partition used for not more then 50-60% to succeed with upgrade to R75.20. It does not seem that the upgrade script monitors this particular part of the hard drive at all.

2. Upgrade script does report cause of the failure.

The appliance can only be upgraded via WebUI. You cannot even un-cjeck safe upgrade option. If failed, it automatically reverts to the pre-upgrade image, and there are no logs left to see what went wrong.

This issue is quite similar to IPSO flash based upgrade troubles, which is bad considering that IPSO usually fails an upgrade with 1 GB flash but succeeds with 2 GB. Come one, Check Point, how comes you need 3-4 GB of free space on the main partition to upgrade a standalone UTM system? That should not be right.

Tuesday, January 17, 2012

Riddle: Check Point User Group, but not CPUG

I have came across a quite interesting Check Point event: Check Point User Group gathering in Omaha.

Considering CPUG to Check Point relations do not exist, I hardly believe this event to be related to CPUG at all.

The question is whether Barry ownes the name "Check Point User Group". I sure think Check Point does not.

What do you say?

Update: Barry tells me he only own CPUG trademark, but not "Check Point User Group", so case is closed.

Monday, January 16, 2012

R7x to R75 upgrade - policy compilation issue

I have written already about some issues concerning upgrade and/or migration to R7x.

It is time to mention even more of them.

If you are upgrade or migrate your R65, R70 or R71 MGMT station to R75, brace yourself. In many cases you will not be able to compile policy anymore. The issue is related to incorrect handling of IPS configuration files.

Symptoms: you will get at least one of the error messages bellow:

  • The Converter failed to convert policy. Possibly wrong policy name. Policy_Name
  • INTERNAL ERROR in execval: optimization disabled: displacement too large
  • ERROR: function undefined Network Security cpp: line Line_Number Error: Redefining defined variable 'ADP_ENABLE_SLAMMER_PROT' /opt/CPNGXCMP-R7X/conf/updates.def

Sometimes policy compilation fails for existing FWs with "old" versions, R65, R70 or R71. In other situations the problem only surfaces when you lift your FWs to R75. To be absolutely sure your upgrade went well, and you do not have the described symptoms, create a dummy FW object with the target software version and try to push policy on it. If it fails on connectivity, you are the lucky one.

To fix the situation, according to SK61326, you will have to open a support request. Support engineer will provide you with "proper" files. You will then have to replace them manually, one by one.

Now, imagine you have this issue over multiple CMAs in Multi-Domain environment...

Tuesday, January 10, 2012

Client Authentication on VSX with SSL support

If you ever want to enable Client Authentication on VSX with SSL support, here are some tips for you.

First, read carefully SK37001 and How-To-Install-3rd-party-SSL-Certificate.pdf document from Check Point support site.

You will have to modify cpauthd.conf in order to enable SSL-based client authentication. Mind in VSX environment you can do it either globally (for all Virtual System at once) or per VS. The last on is the recommended way. The file is located in $FWDIR/CTX/CTX00xxx/conf/ folder, where xxx is VS ID.

Change file configuration as marked in underlined bold bellow:

        :clauth_port (259) 
    :clauth_http_port (443)       << change listening port 
    :clauth_http_ssl (1)          << enable SSL 
    :clauth_http_wap (0) 
    :clauth_http_nickname (Your certificate Nickname) << put third party certificate

Mind you will have to prepare a third party certificate to use. Some CAs, such as Verisign do not accept default Check Point CSR. You will have to increase the key size to at least 2048. To do that go to Global properties / SmartDashboard Customization / Advanced Configuration and change host_certs_key_size parameter to the required number.

Do not forget to install the certificate on VS as described in "How to" document.

All mentioned changes will be in effect after reboot of your VSX boxes.

Wednesday, January 4, 2012

Software Blade training sessions in my ATC

I am happy to announce that Check Point is providing two training session in Dimension Data's ATC in Lausanne: 13.02 to 15.02 and 15.02 to 17.02.

Quoting the official Check Point announce:

Training is delivered using our new, cutting-edge Training Blades and includes:

  • In-depth study of Check Point Application Control, Identity Awareness, URL Filtering, DLP and IPS Software Blades
  • Hands-on lab exercises based on real life scenarios and support cases
  • Exams that extend your Check Point certification by another year

You are welcome to attend, it is only $200 for two and a half days of training and exams!