Showing posts with label Checkpoint. Show all posts

Thursday, January 25, 2018

Check Point R80.10 Test Lab in Cloud (Azure)

Check Point and Microsoft have a test drive for an R80.10 lab. The lab has been designed very well for understanding Check Point architecture and features. To summarize what I learned, I recorded the lab videos on my laptop and put them together.

1. Log Into Azure
This lab is being run within the Microsoft Azure public cloud infrastructure.
5 VMs:
1. Internal Client: Win-Victim : Windows server, SmartConsole client, Chrome
2. Gateway & Mgmt server: standalone R80.10 Gateway and Mgmt server on the same VM
3. Web Server: Ubuntu, used to do web testing
4. Active Directory: Win-DC
5. Pen test Tool: Kali

Saturday, December 9, 2017

Check Point 1100 SIP Configuration and Troubleshooting: Dropped Packets due to "Violated Unidirectional Connection"

One request came up for a simple internet SIP connection to the SIP provider Goldline. There are VoIP devices involved in this task, such as a Cisco AS5350 router and an IP PBX, and a Check Point 1100 firewall is used to protect this connection.


Monday, April 17, 2017

Check Point Firewall Memory Issue

During a regular firewall health check, I found one Check Point firewall cluster had abnormal virtual memory usage in the System Counters - System History view. The cluster is a 5600 Security Appliance.

It looks like the memory usage has been going up significantly recently. There are no recent changes to hardware, software or configuration except normal firewall policy changes. I am afraid the Check Point gateway will freeze after this counter reaches a certain high number, based on some SKs such as sk66482 and sk110362.

sk35496 lists a number of methods for detecting a memory leak. In my specific case the fix was simple: I just installed the latest Jumbo Hotfix 205 for R77.30.

Tuesday, February 21, 2017

Check Point VPN Troubleshooting - IKEView Examples

Recently I went through the Check Point VPN troubleshooting process with the IKEView tool. To download IKEView, please click here or use the Support Center download link.

The IKEView utility is a Check Point tool created to assist in analysis of the ike.elg (IKEv1) and ikev2.xmll (IKEv2 - supported in R71 and above) files. The ike.elg and ikev2.xmll files are useful for debugging Site-to-Site VPN and Check Point Remote Access Client encryption failures.

Saturday, January 21, 2017

Basic Check Point Gaia CLI Commands and Installation Videos (Tips and Tricks)

This post summarises some basic but useful CLI commands for your daily working reference, especially for those who are just starting to configure Check Point Gaia products.

For some advanced usage, please check another post in this blog, "Advanced Checkpoint Gaia CLI Commands (Tips and Tricks)".

1. show version all

FW-CP1>show version all
Product version Check Point Gaia R77.20
OS build 124
OS kernel version 2.6.18-92cp
OS edition 32-bit

Sunday, December 4, 2016

Check Point Appliance Visio Stencils for Downloading

Check Point released their new product stencils for public download. You do not need a Check Point account to download them. The file does not include some old models. The following appliances are included in this 3M file:

  • 2200
  • 3200
  • 4000
  • 5000
  • 12000
  • 13000
  • 15000
  • 21000
  • 23000
  • 41000-61000
  • Accessories
  • SandBlast
  • Smart-1

Check Point SK Link sk101866.
Here is the download link from the Check Point website:

Monday, October 24, 2016

Check Point Firewall USB Installation Step by Step (R77.20 and R77.30)

A customer is asking for a fresh installation on their UTM 272 devices, and apparently a USB stick or USB CD-ROM is the best solution. Checkpoint sk65205 explains all steps in great detail. I followed the Check Point instructions but still ran into a problem while using the USB stick. Here are all the steps I worked through.

1. Preparing USB Stick

I am using a Kingston Traveller G3 8G USB stick, which is listed as supported in Check Point sk92423 (Which USB flash keys work with ISOmorphic Tool).

2. Use ISOmorphic to make an R77.20 bootable USB stick.

Sunday, October 2, 2016

Check Point 5000 Appliance

Recently I received two Check Point 5600 appliances with R77.30 pre-installed. I have racked them in the data center. Both will be used as a cluster to replace existing Check Point UTM devices. Each comes with one Sync port, one Mgmt port and eight 10/100/1000Base-T ports. Here is the picture after the console, mgmt and sync ports were connected.
Check Point 5600 Appliance Cluster

Monday, September 19, 2016

Increasing Check Point Management Server Log Volume Size

Check Point Gaia LVM
Our Check Point Management Server has been migrated to the Virtual Edition platform, which is running on Citrix XenServer. Originally only a 100GB hard drive was set up for testing.

After it had run stably for a couple of days, I decided to enlarge the log space, since 50G of logging is definitely not enough.

My old 2014 post "Resize Checkpoint Firewall's Disk/Partition Space (Gaia and Splat Platform)" has some details on enlarging the Logical Volume size with existing free space that was supposed to be used for snapshots. This post will focus on how to add a new disk to your system and enlarge your log logical volume.

Related posts:

Here are all the steps related to this task. These steps also apply to a VMware environment.

Saturday, July 16, 2016

Check Point 1100 Appliance Configuration Step by Step

Check Point 1100 Appliance
A couple of months ago, I received a Check Point 600 Appliance and did a post regarding basic configuration for the 600. It is used to replace the Safe@Office models and cannot be managed centrally by a Check Point SmartCenter Server. The 1100 appliance is an all-in-one security appliance that offers robust, multi-layered protection with branch offices in mind, including flexible network interfaces and a compact, desktop form factor; it is used to replace the SG80 and the UTM-1 Edge.

Both 600 and 1100 appliances support local management. The SG600 can be centrally managed by Check Point's SMB Management Cloud service. The SG1100 can be managed by standard Check Point management running R75.46 or above. Neither unit can be managed by the old Sofaware SMP product.

Sunday, April 3, 2016

Check Point R80 Public Released to Download - SK108623

Check Point R80 Security Management Server was released on March 31, 2016 (SK108623).

  • R80 Upgrade Verification Service
  • Check Point Community Exchange Point
  • Upgrade/Download Wizard

R80 Downloads

  • GUI client
  • Clean Install / Advanced Upgrade for Gaia OS: Complete Management (SmartConsole+Server) installation including all features
  • Demo version: Fully working demo version, with all management components (Available soon)

Monday, March 7, 2016

Check Point R80 Management Installation - Part 2 - SmartConsole

In "Check Point R80 Management Installation - Part 1 - Basic Installation", we can see the steps for installing R80 are similar to the previous version. This post will present how to use SmartConsole to connect to the R80 management server.

1. Download SmartConsole

You will get a 378M SmartConsole.exe executable file.

2. Prerequisites for Installing SmartConsole
Double-click the downloaded SmartConsole file to start the installation. It will require at least four prerequisites:

  • Microsoft Visual C++2005 Redistributable Package
  • Microsoft Visual C++2005 Redistributable Package
  • Microsoft Visual C++2005 Redistributable Package
  • Microsoft .NET Framework 4.5

Sunday, March 6, 2016

Check Point R80 Management Installation - Part 1 - Basic Installation

Check Point finally announced their R80 Security Management from their website and also by email. Here is the email I got on March 2nd.
Discover R80
We are very excited to announce R80 Security Management. This platform, a culmination of many years of research and development, was built to anticipate the challenges facing security teams during a time of massive transition in enterprise security. Growing networks, disruptive technologies, and the proliferation of interconnected devices make managing security increasingly complex. We believe the key to managing this complexity is through security consolidation – bringing all security protections and functions under one umbrella.  With R80, this is fully realized:
  • A single platform to manage your entire IT infrastructure.
  • Streamlined interface and task-oriented features (concurrent admin, integrated logs) to help you work faster, smarter.
  • Unified policy management, so you can create and monitor policies harmoniously and efficiently.
  • An extensible platform so you can align security to IT processes & technologies.
  • Integrated threat management to give you better visibility and help speed incident response.
To learn more about R80, please join our new Exchange Point community where users can ask questions, share API scripts and interact with peers & Check Point experts. As you upgrade to R80, we are committed to partnering with you every step of the way to ensure a successful deployment!
Talisys, an innovator in financial securities processing software, leverages R80 to reduce security management complexity and align processes.

Thursday, January 28, 2016

Upgrading Check Point Gateway Cluster (R77.30)

"Install / Upgrade Checkpoint Full HA (Gateway and Management)" is the old post for installing or upgrading to R77.10. This post is recorded for the R77.30 upgrade with more details, although all steps are almost the same as for the previous version.
1. Standalone Check Point Gateway Upgrade
A Check Point product upgrade is not that complicated, and Check Point has provided a couple of ways to do it:
1.1 CPUSE (WebUI)
You will need a valid license, and your gateway will need Internet access to connect to the Check Point User Center to update the list of available hotfixes/packages. You can also import a package downloaded manually from the Check Point Support site and then do the installation from the CPUSE / WebUI interface.

Saturday, January 23, 2016

Configuring Checkpoint Gateway Forwarding Logs to External Syslog Server

The Check Point Management Server is not only the central policy management place for Check Point products, it also holds all Check Point gateway logs. In real environments, external third-party log servers sometimes need to be used to store and analyse those logs, especially for central SIEM systems.

Before R77.30, you had to forward those logs from the Management server to external syslog servers.

Two previous posts in this blog describe the procedures for forwarding Check Point logs from the Management Server to an external syslog server:

Starting from R77.30, Check Point allows gateways to send logs directly to an external syslog server without going through the Management server.

Here are the steps I tried:


Saturday, November 28, 2015

Check Point 600 Appliance Basic Setup

The Check Point 600 Appliance is a single, integrated device offering firewall, VPN, IPS, antivirus, application visibility and control, URL filtering and email security, all in a quiet, compact desktop form factor. This post presents a basic setup process for the Check Point 640 Wireless ADSL+ model.

Check Point's 640 Appliance is designed to be plug and play, and very affordable. Currently on the Check Point website, the sale price for one 640 Wireless ADSL+ model is US $951.

Actually all 600 models (620, 640 and 680) use the same compact, fanless desktop chassis and are licensed for different throughputs. The 620 has Check Point's full next-generation threat prevention (NGTP) package and is good for ten users, while the 680 can serve up to 50. The 640 model tested in this post can handle up to 25 users.

Eight Gigabit ports handle LAN duties, with two more for WAN and DMZ functions. The appliances all come with an integral 802.11bgn wireless AP and ADSL2+ modem, each of which can be enabled by applying a licence.

It can be configured easily through the browser-based web interface in a couple of minutes using the first-time setup wizard. It supports the Next Generation Threat Prevention software blades, which give better protection than Next Generation Firewall. More features are introduced in the post "Check Point 600 Features Review".

Check Point 600 Features Review

Check Point 600 setup is quite easy and wizard guided. All basic setup can be completed in five minutes, after which you have an enterprise-level featured firewall. Please check "Checkpoint 600 Appliance Basic Setup" for how to do the initial setup in five minutes.

Here are some features Check Point 600 appliance has:

1. Get access to your appliance from anywhere

This feature is quite useful for users who are behind a firewall or proxy and have limited access to the Internet. You can register your device with the Check Point smbrelay domain to get unique web and CLI login links. It can bypass your client-side firewall and proxy settings since it uses the HTTPS protocol. Do not forget to enable Internet access for your appliance: by default, your 600 appliance will deny all Internet access to itself for security reasons.
This service is provided by Check Point's Reach My Device service. Two links will be displayed under the Reach My Device section:

Wednesday, October 21, 2015

Advanced Checkpoint Gaia CLI Commands (Tips and Tricks)

Following my most popular post "Basic Checkpoint Gaia CLI Commands (Tips and Tricks)", I would like to collect some more advanced troubleshooting commands used in my daily work into this post. Actually, some of the commands are not only for Checkpoint Gaia; they work on the SPLAT or IPSO platforms as well. This post will keep being updated as soon as I have something new.

1. fw ctl chain

Shows the Checkpoint Security Gateway packet inspection order/chain. For more details, check the post "How Firewalls (Security Gateways) Handle the Packets?"

in chain (18):
        0: -7f800000 (f28854f0) (ffffffff) IP Options Strip (in) (ipopt_strip)
        1: -7d000000 (f1796f10) (00000003) vpn multik forward in
        2: - 2000000 (f177cb70) (00000003) vpn decrypt (vpn)
        3: - 1fffff8 (f1787c00) (00000001) l2tp inbound (l2tp)
        4: - 1fffff6 (f2886ca0) (00000001) Stateless verifications (in) (asm)
        5: - 1fffff5 (f28bce30) (00000001) fw multik misc proto forwarding
        6: - 1fffff2 (f17a4df0) (00000003) vpn tagging inbound (tagging)
        7: - 1fffff0 (f177a150) (00000003) vpn decrypt verify (vpn_ver)
        8: - 1000000 (f29049c0) (00000003) SecureXL conn sync (secxl_sync)
        9:         0 (f282f810) (00000001) fw VM inbound  (fw)
        10:         1 (f28a6b30) (00000002) wire VM inbound  (wire_vm)
        11:   2000000 (f177b5e0) (00000003) vpn policy inbound (vpn_pol)
        12:  10000000 (f2902cb0) (00000003) SecureXL inbound (secxl)
        13:  7f600000 (f287ab70) (00000001) fw SCV inbound (scv)
        14:  7f730000 (f2a13500) (00000001) passive streaming (in) (pass_str)
        15:  7f750000 (f2c0bef0) (00000001) TCP streaming (in) (cpas)
        16:  7f800000 (f2885890) (ffffffff) IP Options Restore (in) (ipopt_res)
        17:  7fb00000 (f2fac050) (00000001) HA Forwarding (ha_for)
out chain (15):
        0: -7f800000 (f28854f0) (ffffffff) IP Options Strip (out) (ipopt_strip)
        1: -78000000 (f1796ef0) (00000003) vpn multik forward out
        2: - 1ffffff (f1779a10) (00000003) vpn nat outbound (vpn_nat)
        3: - 1fffff0 (f2c0bd70) (00000001) TCP streaming (out) (cpas)
        4: - 1ffff50 (f2a13500) (00000001) passive streaming (out) (pass_str)
        5: - 1ff0000 (f17a4df0) (00000003) vpn tagging outbound (tagging)
        6: - 1f00000 (f2886ca0) (00000001) Stateless verifications (out) (asm)
        7:         0 (f282f810) (00000001) fw VM outbound (fw)
        8:         1 (f28a6b30) (00000002) wire VM outbound  (wire_vm)
        9:   2000000 (f1779c30) (00000003) vpn policy outbound (vpn_pol)
        10:  10000000 (f2902cb0) (00000003) SecureXL outbound (secxl)
        11:  1ffffff0 (f17887b0) (00000001) l2tp outbound (l2tp)
        12:  20000000 (f177d5b0) (00000003) vpn encrypt (vpn)
        13:  7f700000 (f2c0e340) (00000001) TCP streaming post VM (cpas)
        14:  7f800000 (f2885890) (ffffffff) IP Options Restore (out) (ipopt_res)

Checkpoint Gateway SSH Connection Intermittently Slow Issue - CONFD CPU High

When Gaia was released with R75.40 in 2012, our Checkpoint firewalls adopted it right away with an upgrade. Since then we have upgraded to R77.10 and R77.20, and are currently planning for R77.30. The experience with the new versions was quite good, but just recently we have started to feel the Gaia CLI and Portal getting slower and slower.

For example, the SSH login process takes a couple of minutes to show the prompt. The WebUI consistently shows a lost database connection when saving any changes, and you have to log in to the WebUI again. SNMP monitoring shows the device as up and reachable by ping, but cannot poll any SNMP information. After a couple of minutes (sometimes more than 10 minutes or longer) everything goes back to normal. It did not happen all the time, just a couple of times per day. Most of the time, login and SNMP access are fine.

Also, sometimes you will find that the save config command causes a database timeout issue too.

FW-CP2> save config
NMSCFD0026  Timeout waiting for response from database server.

Wednesday, August 26, 2015

Check Point Error: Partial Overlapping Encryption Domains When Verifying or Installing Policy

Usually, when your firewall policy is not configured properly, Checkpoint SmartDashboard will notify you with useful details when you verify or install it. But sometimes that information will leave you feeling lost. I met one such case recently.

I worked on one IPSec VPN configuration from my VPN gateway fw-ras to the customer's gateway. The interesting traffic is from the customer's public IP to our server's public IP address, which is NAT-ed to an internal IP address. My gateway's VPN domain includes this public IP and the internal segment 10.1.106.x/24.

The VPN works fine. The customer was able to reach us through the IPSec VPN tunnel. By the way, I am using the default NAT behaviour, in which NAT happens on the client side. The issue I met is the Partial Overlapping Encryption Domains warning message when I verified and installed the policy.


Here are the screenshots and the copied error / warning messages:

"Network Security Policy 'Standard' was prepared on Wed Aug 26 13:36:44 2015.

The following errors and warnings exist: The gateways fw-ras and vpnm have partial overlapping encryption domains. Therefore, Endpoint Connect users will not support MEP configuration SecureRemote/SecureClient users will not be able to create site. If any of the GWs should not be exported to SR/SC, please remove it from the RemoteAccess community or uncheck the exportable for SR box. The overlapping domain include : - The exclusive domain of fw-ras include: - The exclusive domain of vpnm include: -"

Basically it says some IP addresses are used in multiple VPN domains, especially in the RemoteAccess community. But I double-checked both gateways fw-ras and vpnm, and their encryption domains do not overlap at all.

Interestingly, if I removed it from the VPN encryption domain of gateway fw-ras, this error/warning message disappeared. But the IPSec VPN configuration needs this public IP address to make sure the traffic is encrypted and sent to the customer's gateway.


The good thing in the message is that it mentions "If any of the GWs should not be exported to SR/SC, please remove it from the RemoteAccess community or uncheck the exportable for SR box". Since the gateway fw-ras is not in the RemoteAccess community, the only option for me was to uncheck the exportable for SR box.

I found the option in the gateway's properties window -> IPSec VPN -> Traditional mode configuration...:

After unchecking "Exportable for SecuRemote/SecureClient", the installation was flawless.


sk101986 - "The gateways ZZZ and YYY have partial overlapping encryption domains" error during Policy Verification