Showing posts with label Checkpoint.

Monday, April 17, 2017

Check Point Firewall Memory Issue


During a regular firewall health check, I found that one Check Point firewall cluster showed abnormal virtual memory usage in the System Counters - System History view. The cluster is a 5600 Security Appliance.

Memory usage has been going up significantly recently. There were no recent hardware, software or configuration changes apart from routine firewall changes. Based on SKs such as sk66482 and sk110362, I am concerned that the Check Point gateway will freeze once this counter reaches a certain level.

sk35496 lists a number of methods for detecting a memory leak. In this specific case the fix was simple: installing the latest Jumbo Hotfix 205 for R77.30.

Tuesday, February 21, 2017

Check Point VPN Troubleshooting - IKEView Examples

Recently I went through the Check Point VPN troubleshooting process with the IKEView tool. To download IKEView, please click here or use the Support Center download link.

The IKEView utility is a Check Point tool created to assist in the analysis of the ike.elg (IKEv1) and ikev2.xmll (IKEv2 - supported in R71 and above) files. The ike.elg and ikev2.xmll files are useful for debugging Site-to-Site VPN and Check Point Remote Access Client encryption failures.

Saturday, January 21, 2017

Basic Check Point Gaia CLI Commands and Installation Videos (Tips and Tricks)

This post summarises some basic but useful CLI commands for daily reference, especially for those who are just starting to configure Check Point Gaia products.

For more advanced usage, please see the post "Advanced Checkpoint Gaia CLI Commands (Tips and Tricks)" in this blog.


1. show version all

FW-CP1>show version all
Product version Check Point Gaia R77.20
OS build 124
OS kernel version 2.6.18-92cp
OS edition 32-bit

Sunday, December 4, 2016

Check Point Appliance Visio Stencils for Downloading

Check Point has released Visio stencils for their new products for public download; no Check Point account is needed. Some older models are not included. The following appliances are included in this 3M file:

  • 2200
  • 3200
  • 4000
  • 5000
  • 12000
  • 13000
  • 15000
  • 21000
  • 23000
  • 41000-61000
  • Accessories
  • SandBlast
  • Smart-1
  • SMB-ROBO


Check Point SK link: sk101866.
Download link from the Check Point website: http://dl3.checkpoint.com/paid/90/902caf44a13d71e91a35315e4a28caa8/CheckPoint_Stencils_for_Visio.zip?HashKey=1480871979_bb9dd6cf9a98c6bf41f3cd1fd147c855&xtn=.zip



Monday, October 24, 2016

Check Point Firewall USB Installation Step by Step (R77.20 and R77.30)

A customer asked for a fresh installation on their UTM 272 devices, and a USB stick or USB CD-ROM is apparently the best option. Check Point sk65205 explains all the steps in detail. I followed the Check Point instructions but still ran into a problem with the USB stick. Here are all the steps I worked through.

1. Preparing USB Stick

I am using a Kingston Traveller G3 8G USB stick, which Check Point sk92423 (Which USB flash keys work with ISOmorphic Tool) lists as supported.

2. Use ISOmorphic to make an R77.20 bootable USB stick.

Sunday, October 2, 2016

Check Point 5000 Appliance

I recently received two Check Point 5600 appliances with R77.30 pre-installed and racked them in the data center. Both will be used as a cluster to replace the existing Check Point UTM devices. Each comes with one Sync port, one Mgmt port and eight 10/100/1000Base-T ports. Here is a picture after the console, Mgmt and Sync ports were connected.
Check Point 5600 Appliance Cluster

Monday, September 19, 2016

Increasing Check Point Management Server Log Volume Size

Check Point Gaia LVM
Our Check Point Management Server has been migrated to the Virtual Edition platform running on a Citrix XenServer. Originally it was set up with only a 100GB hard drive for testing.

After it had run stably for a couple of days, I decided to enlarge the log space, since 50G of logging is definitely not enough.

My old 2014 post "Resize Checkpoint Firewall's Disk/Partition Space (Gaia and Splat Platform)" has details on enlarging a logical volume using existing free space that was meant for snapshots. This post focuses on how to add a new disk to the system and enlarge the log logical volume.

Related posts:



Here are all the steps for this task. They also apply to a VMware environment.

Saturday, July 16, 2016

Check Point 1100 Appliance Configuration Step by Step

Check Point 1100 Appliance
A couple of months ago I received a Check Point 600 Appliance and wrote a post on its basic configuration. The 600 replaces the Safe@Office models and cannot be managed centrally by a Check Point SmartCenter Server. The 1100 Appliance is an all-in-one security appliance designed with branch offices in mind, offering robust, multi-layered protection, flexible network interfaces and a compact desktop form factor; it replaces the SG80 and the UTM-1 Edge.

Both the 600 and 1100 appliances support local management. The SG600 can be centrally managed by Check Point's SMB Management Cloud service. The SG1100 can be managed by a standard Check Point management server running R75.46 or above. Neither unit can be managed by the old SofaWare SMP product.



Sunday, April 3, 2016

Check Point R80 Public Released to Download - SK108623

Check Point R80 Security Management Server was released on March 31, 2016 (see SK108623).





Related links: R80 Upgrade Verification Service, Check Point Community Exchange Point, Upgrade/Download Wizard

R80 Downloads:

  • SmartConsole: GUI client
  • Clean Install / Advanced Upgrade for Gaia OS: Complete Management (SmartConsole+Server) installation including all features
  • Demo version: Fully working demo version, with all management components (Available soon)



Monday, March 7, 2016

Check Point R80 Management Installation - Part 2 - SmartConsole

In "Check Point R80 Management Installation - Part 1 - Basic Installation", we saw that the steps for installing R80 are similar to previous versions. This post presents how to use SmartConsole to connect to the R80 management server.

1. Download SmartConsole


You will get a 378M SmartConsole.exe executable file.

2. Prerequisites for Installing SmartConsole
Double-click the downloaded SmartConsole file to start the installation. It requires at least four prerequisites:

  • Microsoft Visual C++2005 Redistributable Package
  • Microsoft Visual C++2005 Redistributable Package
  • Microsoft Visual C++2005 Redistributable Package
  • Microsoft .NET Framework 4.5

Sunday, March 6, 2016

Check Point R80 Management Installation - Part 1 - Basic Installation

Check Point finally announced their R80 Security Management on their website and also by email. Here is the email I got on March 2nd.
Discover R80
We are very excited to announce R80 Security Management. This platform, a culmination of many years of research and development, was built to anticipate the challenges facing security teams during a time of massive transition in enterprise security. Growing networks, disruptive technologies, and the proliferation of interconnected devices make managing security increasingly complex. We believe the key to managing this complexity is through security consolidation – bringing all security protections and functions under one umbrella.  With R80, this is fully realized:
  • A single platform to manage your entire IT infrastructure.
  • Streamlined interface and task-oriented features (concurrent admin, integrated logs) to help you work faster, smarter.
  • Unified policy management, so you can create and monitor policies harmoniously and efficiently.
  • An extensible platform so you can align security to IT processes & technologies.
  • Integrated threat management to give you better visibility and help speed incident response.
To learn more about R80, please join our new Exchange Point community where users can ask questions, share API scripts and interact with peers & Check Point experts. As you upgrade to R80, we are committed to partnering with you every step of the way to ensure a successful deployment!
CUSTOMER SPOTLIGHT
Talisys, an innovator in financial securities processing software, leverages R80 to reduce security management complexity and align processes.

Thursday, January 28, 2016

Upgrading Check Point Gateway Cluster (R77.30)

Install / Upgrade Checkpoint Full HA (Gateway and Management) is the old post for installing or upgrading to R77.10. This post records the R77.30 upgrade in more detail, although the steps are almost the same as for the previous version.
1. Standalone Check Point Gateway Upgrade
A Check Point product upgrade is not that complicated, and Check Point provides a couple of ways to do it:
1.1 CPUSE (WebUI)
You will need a valid license, and your gateway needs Internet access to the Check Point User Center to update the list of available hotfixes/packages. Alternatively, you can import a package downloaded manually from the Check Point Support site and install it from the CPUSE / WebUI interface.


Saturday, January 23, 2016

Configuring Checkpoint Gateway Forwarding Logs to External Syslog Server

The Check Point Management Server is not only the central policy management point for Check Point products; it also holds the logs from all Check Point gateways. In real environments, external third-party log servers are sometimes needed to store and analyse those logs, especially for a central SIEM.

Before R77.30, you had to forward those logs from the Management Server to external syslog servers.

Two previous posts on this blog describe how to forward Check Point logs from the Management Server to an external syslog server:



Starting from R77.30, Check Point allows gateways to send logs directly to an external syslog server without going through the Management Server.

Here are the steps I tried:

Diagram:


Saturday, November 28, 2015

Check Point 600 Appliance Basic Setup

The Check Point 600 Appliance is a single, integrated device offering firewall, VPN, IPS, antivirus, application visibility and control, URL filtering and email security, all in a quiet, compact desktop form factor. This post presents the basic setup process for the Check Point 640 Wireless ADSL+ model.

Check Point's 640 Appliance is designed to be plug and play, and very affordable. Currently, the sale price on the Check Point website for one 640 Wireless ADSL+ model is US $951.

Actually, all 600 models (620, 640 and 680) use the same compact, fanless desktop chassis and are licensed for different throughputs. The 620 has Check Point's full next-generation threat prevention (NGTP) package and is good for ten users, while the 680 can serve up to 50. The 640, which is tested in this post, can handle up to 25 users.

Eight Gigabit ports handle LAN duties, with two more for WAN and DMZ functions. The appliances all come with an integral 802.11bgn wireless AP and ADSL2+ modem, each of which can be enabled by applying a licence.

It can be configured easily in a couple of minutes through the browser-based web interface's first-time setup wizard. It supports the Next Generation Threat Prevention software blades, which provide better protection than the Next Generation Firewall package. More features are introduced in the post "Check Point 600 Features Review".

Check Point 600 Features Review

Check Point 600 setup is quite easy and wizard-guided. All basic setup can be completed in five minutes, after which you have an enterprise-grade firewall. See Checkpoint 600 Appliance Basic Setup for how to do the initial setup in five minutes.

Here are some features of the Check Point 600 appliance:

1. Access your appliance from anywhere

This feature is quite useful for users who are behind a firewall or proxy and have limited Internet access. You can register your device with the Check Point smbrelay domain to get unique web and CLI login links. It can bypass client-side firewalls and proxy settings since it uses HTTPS. Do not forget to enable Internet access to your appliance: by default, the 600 appliance denies all Internet access to itself for security reasons.
This is provided by Check Point's Reach My Device service. Two links are displayed under the Reach My Device section:




Wednesday, October 21, 2015

Advanced Checkpoint Gaia CLI Commands (Tips and Tricks)

Following my most popular post "Basic Checkpoint Gaia CLI Commands (Tips and Tricks)", I would like to collect some more advanced troubleshooting commands from my daily work in this post. Some of the commands are not only for Check Point Gaia but also apply to the SPLAT and IPSO platforms. This post will be updated whenever I have something new.

1. fw ctl chain

Shows the Check Point Security Gateway packet inspection order (chain). For more details, see the post "How Firewalls (Security Gateways) Handle the Packets?"

in chain (18):
        0: -7f800000 (f28854f0) (ffffffff) IP Options Strip (in) (ipopt_strip)
        1: -7d000000 (f1796f10) (00000003) vpn multik forward in
        2: - 2000000 (f177cb70) (00000003) vpn decrypt (vpn)
        3: - 1fffff8 (f1787c00) (00000001) l2tp inbound (l2tp)
        4: - 1fffff6 (f2886ca0) (00000001) Stateless verifications (in) (asm)
        5: - 1fffff5 (f28bce30) (00000001) fw multik misc proto forwarding
        6: - 1fffff2 (f17a4df0) (00000003) vpn tagging inbound (tagging)
        7: - 1fffff0 (f177a150) (00000003) vpn decrypt verify (vpn_ver)
        8: - 1000000 (f29049c0) (00000003) SecureXL conn sync (secxl_sync)
        9:         0 (f282f810) (00000001) fw VM inbound  (fw)
        10:         1 (f28a6b30) (00000002) wire VM inbound  (wire_vm)
        11:   2000000 (f177b5e0) (00000003) vpn policy inbound (vpn_pol)
        12:  10000000 (f2902cb0) (00000003) SecureXL inbound (secxl)
        13:  7f600000 (f287ab70) (00000001) fw SCV inbound (scv)
        14:  7f730000 (f2a13500) (00000001) passive streaming (in) (pass_str)
        15:  7f750000 (f2c0bef0) (00000001) TCP streaming (in) (cpas)
        16:  7f800000 (f2885890) (ffffffff) IP Options Restore (in) (ipopt_res)
        17:  7fb00000 (f2fac050) (00000001) HA Forwarding (ha_for)
out chain (15):
        0: -7f800000 (f28854f0) (ffffffff) IP Options Strip (out) (ipopt_strip)
        1: -78000000 (f1796ef0) (00000003) vpn multik forward out
        2: - 1ffffff (f1779a10) (00000003) vpn nat outbound (vpn_nat)
        3: - 1fffff0 (f2c0bd70) (00000001) TCP streaming (out) (cpas)
        4: - 1ffff50 (f2a13500) (00000001) passive streaming (out) (pass_str)
        5: - 1ff0000 (f17a4df0) (00000003) vpn tagging outbound (tagging)
        6: - 1f00000 (f2886ca0) (00000001) Stateless verifications (out) (asm)
        7:         0 (f282f810) (00000001) fw VM outbound (fw)
        8:         1 (f28a6b30) (00000002) wire VM outbound  (wire_vm)
        9:   2000000 (f1779c30) (00000003) vpn policy outbound (vpn_pol)
        10:  10000000 (f2902cb0) (00000003) SecureXL outbound (secxl)
        11:  1ffffff0 (f17887b0) (00000001) l2tp outbound (l2tp)
        12:  20000000 (f177d5b0) (00000003) vpn encrypt (vpn)
        13:  7f700000 (f2c0e340) (00000001) TCP streaming post VM (cpas)
        14:  7f800000 (f2885890) (ffffffff) IP Options Restore (out) (ipopt_res)

Checkpoint Gateway SSH Connection Intermittently Slow Issue - CONFD CPU High

When Gaia was released with R75.40 in 2012, our Check Point firewalls adopted it right away through an upgrade. Since then we have upgraded to R77.10 and R77.20, and are now planning for R77.30. The experience with the new versions has been quite good, but recently we started to notice the Gaia CLI and Portal getting slower and slower.

Symptoms:
For example, the SSH login takes a couple of minutes to show the prompt. The WebUI consistently reports a lost database connection when saving any change, and you have to log in to the WebUI again. SNMP monitoring shows the device up and reachable by ping, but no SNMP information can be polled. After a couple of minutes, sometimes more than 10, everything returns to normal. It does not happen all the time, just a couple of times per day; most of the time login and SNMP access are fine.

Sometimes the save config command also hits a database timeout:

FW-CP2> save config
NMSCFD0026  Timeout waiting for response from database server.



Wednesday, August 26, 2015

Check Point Error: Partial Overlapping Encryption Domains When Verifying or Installing Policy

Usually, when your firewall policy is not configured properly, Check Point SmartDashboard notifies you with useful details when you verify or install it. But sometimes that information leaves you lost. I met one such case recently.

I worked on one IPSec VPN configuration from my VPN gateway fw-ras to a customer's gateway. The interesting traffic is from the customer's public IP to our server's public IP address 20.153.121.59, which is NATed to the internal IP address 10.1.106.59. My gateway's VPN domain includes this public IP 20.153.121.59 and the internal segment 10.1.106.x/24.

The VPN works fine and the customer was able to reach us through the IPSec VPN tunnel. I am using the default NAT behaviour, with NAT happening on the client side. The issue I met is the Partial Overlapping Encryption Domains warning message when I verified and installed the policy.




Symptoms:

Here are the screenshots and the copied error/warning messages:


"Network Security Policy 'Standard' was prepared on Wed Aug 26 13:36:44 2015.

The following errors and warnings exist: The gateways fw-ras and vpnm have partial overlapping encryption domains. Therefore, Endpoint Connect users will not support MEP configuration SecureRemote/SecureClient users will not be able to create site. If any of the GWs should not be exported to SR/SC, please remove it from the RemoteAccess community or uncheck the exportable for SR box. The overlapping domain include : 10.1.72.14 - 10.1.72.16 The exclusive domain of fw-ras include: 20.153.121.59 - 20.153.121.62 The exclusive domain of vpnm include: 10.1.240.0 - 10.1.240.255"

Basically it says some IP addresses are used in multiple VPN domains, especially in the RemoteAccess community. But I double-checked both gateways, fw-ras and vpnm, and their encryption domains do not overlap at all.

Interestingly, if I removed 20.153.121.59 from the VPN encryption domain of gateway fw-ras, the warning disappeared. But the IPSec VPN configuration needs this public IP address so that the traffic is encrypted and sent to the customer's gateway.


Solutions:

The useful part of the message is "If any of the GWs should not be exported to SR/SC, please remove it from the RemoteAccess community or uncheck the exportable for SR box". Since gateway fw-ras is not in the RemoteAccess community, the only option for me was to uncheck the Exportable for SR box.

I found the option in the gateway's properties window -> IPSec VPN -> Traditional mode configuration...:



After unchecking Exportable for SecuRemote/SecureClient, the policy installation went through cleanly.

Reference:

sk101986 - "The gateways XXX and YYY have partial overlapping encryption domains" error during Policy Verification


Checkpoint Monitord Process Consumes Excess Memory

During a regular review of firewall memory and CPU usage, I found that some of our Check Point UTM272 R77.10 gateways were using a lot of memory, and SSH / SNMP access sometimes seemed slow. With the top command I was able to sort by memory / CPU usage and see which process was hogging the resources.

The culprit was the monitord service. Monitord is used by the device sensors to monitor hardware and saves the data into a DB file stored locally. Before R76 it kept one year of data in the DB; from R76 it keeps only 3 months of history to save device resources when processing the data. In my case the DB file was more than 350M, which caused monitord to consume a lot of memory processing it. Although we are on R77.10, it seems that upgrading to R77.10 (rather than a fresh installation) does not reset the DB file structure.

A workaround is provided in SK93587. Here are all the steps I recorded to fix this.


1. Before applying the workaround, monitord was using 42.5% MEM.


top - 10:56:37 up 10 days,  1:08,  1 user,  load average: 0.00, 0.06, 0.43
Tasks:  83 total,   3 running,  80 sleeping,   0 stopped,   0 zombie
Cpu(s):  1.2%us,  1.1%sy,  0.0%ni, 97.3%id,  0.2%wa,  0.1%hi,  0.1%si,  0.0%st
Mem:    957272k total,   947392k used,     9880k free,     2772k buffers
Swap:  2096472k total,    43292k used,  2053180k free,   209280k cached
%MEM   PID USER      PR  NI  VIRT  RES  SHR S %CPU    TIME+  COMMAND             
 5.0  4226 admin     15   0  263m  47m  11m S  0.4  59:12.98 cpd                 
 0.1  2782 admin     15   0  2172 1084  836 R  0.2   0:00.05 top                 
 0.8  3988 admin     15   0 24344 7956 5780 S  0.2  22:38.83 snmpd               
 1.4  3947 admin     16   0 33796  13m 7964 S  0.1   2947:10 confd               
42.5  3952 admin     15   0  400m 397m 2332 S  0.1 119:05.53 monitord            
 0.1  3545 admin     18   0  1708  688  584 S  0.1   2:38.13 syslogd             
 0.1     1 admin     15   0  2040  580  548 S  0.0   0:01.47 init                
 0.0     2 admin     RT  -5     0    0    0 S  0.0   0:00.00 migration/0         
 0.0     3 admin     15   0     0    0    0 S  0.0   0:00.67 ksoftirqd/0         
 0.0     4 admin     RT  -5     0    0    0 S  0.0   0:00.00 watchdog/0          
 0.0     5 admin     10  -5     0    0    0 S  0.0   0:01.56 events/0                                                                                             
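The post above finds monitord by sorting `top` by %MEM and reading the table by eye. As an added example (not code from the original post or from Check Point), here is a small Python parser that takes the column names from the `top` header line, converts the RES field to bytes, and returns every process at or above a %MEM threshold; the embedded sample is the top output shown above with the kernel threads trimmed. The 10% threshold is an arbitrary value chosen for illustration, not a Check Point recommendation.

```python
import re

# Sample top output, taken from the post above (top sorted by %MEM, kernel
# threads trimmed).
SAMPLE_TOP = """\
top - 10:56:37 up 10 days,  1:08,  1 user,  load average: 0.00, 0.06, 0.43
Tasks:  83 total,   3 running,  80 sleeping,   0 stopped,   0 zombie
Cpu(s):  1.2%us,  1.1%sy,  0.0%ni, 97.3%id,  0.2%wa,  0.1%hi,  0.1%si,  0.0%st
Mem:    957272k total,   947392k used,     9880k free,     2772k buffers
Swap:  2096472k total,    43292k used,  2053180k free,   209280k cached
%MEM   PID USER      PR  NI  VIRT  RES  SHR S %CPU    TIME+  COMMAND
 5.0  4226 admin     15   0  263m  47m  11m S  0.4  59:12.98 cpd
 0.1  2782 admin     15   0  2172 1084  836 R  0.2   0:00.05 top
 0.8  3988 admin     15   0 24344 7956 5780 S  0.2  22:38.83 snmpd
 1.4  3947 admin     16   0 33796  13m 7964 S  0.1   2947:10 confd
42.5  3952 admin     15   0  400m 397m 2332 S  0.1 119:05.53 monitord
 0.1  3545 admin     18   0  1708  688  584 S  0.1   2:38.13 syslogd
"""

# top prints memory in KiB unless a k/m/g suffix is present.
_UNITS = {"": 1024, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}


def parse_size(field):
    """Convert a top memory field such as '397m', '2332' or '47m' to bytes."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([kmg]?)", field.strip().lower())
    if not m:
        raise ValueError("unexpected top memory field: %r" % field)
    return int(float(m.group(1)) * _UNITS[m.group(2)])


def parse_top(text):
    """Return one dict per process row.

    Column positions are taken from the header line, so the parser does not
    care which field top was sorted by or in which order the fields appear.
    """
    lines = text.splitlines()
    header_idx = next(
        i for i, line in enumerate(lines)
        if "PID" in line.split() and "COMMAND" in line.split()
    )
    cols = lines[header_idx].split()
    rows = []
    for line in lines[header_idx + 1:]:
        # COMMAND is last and may contain spaces, so split at most len(cols)-1 times.
        parts = line.split(None, len(cols) - 1)
        if len(parts) != len(cols):
            continue
        row = dict(zip(cols, parts))
        row["COMMAND"] = row["COMMAND"].strip()
        row["PID"] = int(row["PID"])
        row["%MEM"] = float(row["%MEM"])
        row["%CPU"] = float(row["%CPU"])
        row["RES_BYTES"] = parse_size(row["RES"])
        rows.append(row)
    return rows


def memory_hogs(text, mem_threshold=10.0):
    """Processes at or above mem_threshold %MEM, largest first, as
    (command, %MEM, resident bytes). The 10% default is an illustration value."""
    hogs = [r for r in parse_top(text) if r["%MEM"] >= mem_threshold]
    hogs.sort(key=lambda r: r["%MEM"], reverse=True)
    return [(r["COMMAND"], r["%MEM"], r["RES_BYTES"]) for r in hogs]


if __name__ == "__main__":
    for cmd, mem, res in memory_hogs(SAMPLE_TOP):
        print("%-10s %5.1f%% MEM  %d MiB resident" % (cmd, mem, res // 2 ** 20))
```

Run against a saved `top -b -n 1` capture from each gateway, the same function gives a quick per-process view that can be compared across cluster members or over time, which is what the System Counters graph in the first post above cannot show.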

Sunday, August 16, 2015

Checkpoint Gateway Lost SIC After Jumbo Hotfix Installed

Our Check Point products are still sitting at R77.10. Check Point has released a Jumbo Hotfix Accumulator for R77.10 (gypsy_hf_base_021).

The installation procedure from the command line is quite simple:
  1. Transfer the Jumbo Hotfix Accumulator to the machine /var/tmp folder
  2. Unpack the Jumbo Hotfix Accumulator:

    [Expert@CP-1]# cd /var/tmp
    [Expert@CP-1]# tar zxvf Check_Point_R77.10.linux.tgz
  3. Install the Jumbo Hotfix Accumulator:
    [Expert@CP-1]# ./UnixInstallScript

    Note: The script will stop all of Check Point services (cpstop) - read the output on the screen.
  4. Reboot the machine.
  5. Verify Installation with Command "cpinfo -y all"

Symptoms: 


I followed those steps and installed this Jumbo Hotfix on both cluster members at the same time, then rebooted them at the same time. After waiting a couple of minutes, one of the cluster members showed as disconnected in SmartView Monitor.


When I SSH-ed into the device and checked the cluster status, it showed OK. I was also able to reach the management server interface from the problem cluster member, and the output of "cpinfo -y all" showed the hotfix had been installed correctly.

[Expert@CP-DMZ-1:0]# cpinfo -y all
------------------------
Hotfix versions
------------------------
[FW1] 
  HOTFIX_R77_10 
  HOTFIX_R77_HF_HA10_005 
  HOTFIX_GYPSY_HF_BASE_021 

[SecurePlatform] 
  HOTFIX_R77_10_GAIA_GHOST_833 
  HOTFIX_GYPSY_HF_BASE_021 

[SPSHARED] 
  No hotfixes..

[CVPN] 
  HOTFIX_R77_10 
  HOTFIX_GYPSY_HF_BASE_021 

[PPACK] 
  HOTFIX_R77_10 
  HOTFIX_GYPSY_HF_BASE_021 

[CPinfo] 
  No hotfixes..

[SmartLog] 
  HOTFIX_R77_10 

[rtm] 
  No hotfixes..
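The post verifies the hotfix on one member with `cpinfo -y all`; since the cluster later complained about policy inconsistencies between members, the check a practitioner wants after a simultaneous install is that both members report the same hotfix set for every package. The following Python is an added example, not code from the original post or from Check Point: it parses the hotfix section of `cpinfo -y all` into per-package sets and diffs two members. The first sample is the output shown above; the second is a constructed output for a hypothetical second member on which the Jumbo Hotfix is missing from FW1.

```python
# "cpinfo -y all" output from the cluster member in the post above.
MEMBER_A = """\
------------------------
Hotfix versions
------------------------
[FW1]
  HOTFIX_R77_10
  HOTFIX_R77_HF_HA10_005
  HOTFIX_GYPSY_HF_BASE_021

[SecurePlatform]
  HOTFIX_R77_10_GAIA_GHOST_833
  HOTFIX_GYPSY_HF_BASE_021

[SPSHARED]
  No hotfixes..

[CVPN]
  HOTFIX_R77_10
  HOTFIX_GYPSY_HF_BASE_021
"""

# Constructed output for a hypothetical second member (not from the post):
# identical except that the Jumbo Hotfix is missing from the FW1 package.
MEMBER_B = """\
------------------------
Hotfix versions
------------------------
[FW1]
  HOTFIX_R77_10
  HOTFIX_R77_HF_HA10_005

[SecurePlatform]
  HOTFIX_R77_10_GAIA_GHOST_833
  HOTFIX_GYPSY_HF_BASE_021

[SPSHARED]
  No hotfixes..

[CVPN]
  HOTFIX_R77_10
  HOTFIX_GYPSY_HF_BASE_021
"""


def parse_cpinfo_hotfixes(text):
    """Map each [package] heading to the set of hotfix names listed under it.
    A package reporting 'No hotfixes..' maps to an empty set."""
    packages = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("---") or line == "Hotfix versions":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            packages.setdefault(current, set())
        elif current is not None and not line.startswith("No hotfixes"):
            packages[current].add(line)
    return packages


def compare_members(text_a, text_b):
    """Return {package: (only_on_a, only_on_b)} for every package whose hotfix
    set differs between the two members; a package missing on one side counts
    as having no hotfixes there."""
    a = parse_cpinfo_hotfixes(text_a)
    b = parse_cpinfo_hotfixes(text_b)
    diffs = {}
    for pkg in sorted(set(a) | set(b)):
        only_a = a.get(pkg, set()) - b.get(pkg, set())
        only_b = b.get(pkg, set()) - a.get(pkg, set())
        if only_a or only_b:
            diffs[pkg] = (only_a, only_b)
    return diffs


def members_consistent(text_a, text_b):
    """True when both members report identical hotfix sets for every package."""
    return not compare_members(text_a, text_b)


if __name__ == "__main__":
    for pkg, (only_a, only_b) in compare_members(MEMBER_A, MEMBER_B).items():
        print("%s: only on A=%s only on B=%s" % (pkg, sorted(only_a), sorted(only_b)))
```

Saving `cpinfo -y all` from each member to a file and feeding both to `compare_members` turns step 5 of the procedure above into a cluster-wide check rather than a per-box one.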

Troubleshooting:


I went back to SmartDashboard and checked the SIC status: it was out of SIC. I was confused about what could have caused this cluster member to lose SIC. Should I reset SIC?

SmartView Tracker saved me this time. One log entry shows firewall policy inconsistencies between the cluster members.


Number:             7250420
Date:                 16Aug2015
Time:                 10:09:07
Origin:               CP-DMZ-1
Type:                 Log
Action:              
Information:       sync: Inconsistencies exist between policies installed on the cluster members. Please reinstall the policy on the cluster.
Product:             Security Gateway/Management
Product Family: Network
Policy Info:         Policy Name: defaultfilter
                          Created at: Sun Aug 16 07:12:25 2015
                          Installed from: CP-Management

Solutions:

I quickly pushed the policy to the cluster and it failed with a SIC error, as shown below.


Surprisingly, this policy push resolved the SIC issue. Both cluster members now show green / OK status in SmartView Monitor.
