blog.lachmann.org

My Check Point blog – Notes from a CCSE+

Check Point Processes and Daemons

Check Point released a lovely SK article which describes all the processes and daemons that you can find on your system.

I consider this article a very valuable ressource and recommend that you keep a copy nearby if you deal with Check Point products on a daily basis. And if you don’t deal with them on a daily basis – keep the article even closer as reference.

Tobias Lachmann

R77.10 released – upgrade now

Check Point released the version R77.10 on January 15th.

With this release it is possible to upgrade from R75.47 installations and get the benefits of the new version.

For R77 installations the upgrade to R77.10 is highly recommended, since the many bug fixes that were integrated in R75.47 are now available in the R77 release train. Check the Release Map for details.

Also, we have new features like Mobile Access blade on VSX installations, which work quite nice.

I would highly recommend this upgrade if you’re on R76 or R77.

Tobias Lachmann

Limitation of CLISH when copying backup with SCP

When you define a scheduled backup with GAiA WebUI and choose SCP transfer, you’re able to provide a directory on the target system to where the backup package will be transfered.

In certain situations you can not use the WebUI, for instance when using the gateway with VSX, where the WebUI is disabled and you have to deal with CLISH only.

CLISH has a nasty limitation when configuring this backups with SCP transfer as you can not provide the target directory. Instead the backup file is transfered to /var/CPbackup/backups

This is not very clever, as this directory is located on the root partition which is always quite short of disk space.

Check Point acknowledged this problem and R&D stated that there is “currently no time frame for this issue to be resolved”.

What a pitty!

So the poor administrator is left with the only option – creating a symbolic link for the directory and have it pointed to somewhere else (presumeably a directory in the /var partition).

No quite nice – but a least a work around.

Tobias Lachmann

Dynamic IP address (DAIP) Security Gateways – Problem getting Default route from DHCP

I spend an awful amount of time solving this problem with lots of TAC ressources involved.

The scenario:

A 4400 appliance was supposed to be deployed on an Internet access delivered through a cable modem.

This cable modem only assigns IP addresses from DHCP.

So the Security Gateway has to receive it’s IP address for external interface along with information on the default route.

With a freshly installed R77 on the appliance I was not able to get this setup running.

The IP address was assigned to the interface every time, but no change in the routing table. And therefore no default route and no Internet connection.

Reason for that behaviour, as it turns out, is a special mechanism the prohibits routes to be added from the “Kernel side”. All configuration should be done from WebUI or CLISH instead of kernel level (as for example in Expert mode).

Dhclient runs on operating system level. Since the dhclient is the program that is responsible to assign the IP address to the interface and set the routing, it is affected by this as well.

The solution to this is easy. Just enable Kernel Routes from WebUI or on CLISH type set kernel-routes on.

Enable Kernel Route Options

You can find this option in GAiA WebUI Advanced Mode under Routing Options.

After enabling this option and restarting the Routing Daemon, you will get an IP address from DHCP and the default route will be set.

Tobias Lachmann

New Error in GAIA Backup

While working with R75.40 you may have stumbled across sk79020.

The SecureKnowledge article describes how SCP transfers of backup files are failing because the installed openssh package does not support the needed command line switch "-u".

There is a fix available for the error described in sk79020 that consists of new openssh packages for GAIA. These packages are already integrated in R75.45.

But recently I found a new error in R75.45 backup when configured with SCP transfer.

Although there is no limitation described in any article and the WebUI let’s you configure it, we have no support for usernames with a hyphen "-" in it when it comes to copying the backup package with SCP.

This will lead to an error where the backup package is created but not transfered without any further error message.

So make sure your usernames are hyphen-free and enjoy the new GAIA+ feature backup.

Tobias Lachmann

New version of Hardware Compatibility List (HCL) available

There a new version of Check Point Hardware Compatibility List (HCL) available.

We have a better usability as you can filter the list with various options, like vendor or date of certification.

The list for the certified systems in the last year is rather short but has the most important vendors listed.

Current Check Point Hardware Compatibility List for systems certified in the last year

Current Check Point Hardware Compatibility List for systems certified in the last year

When it comes to choosing a system I would go for Dell or HP. Maybe some day I will post about my favorite hardware configuration.

Please just don’t have a look at the list itself but follow the link to the specific system as well. There you will find more information about hardware configuration and some times also limitations or recommendations specific to this hardware. Import for getting the hard drive controller operating or for getting network interface cards to work.

Tobias Lachmann

Configuring SNMP on GAIA

My post from October 2011 about configuring SNMP settings on Secure Platform (SPLAT) is one of the most read in this blog.

Now I want to add a new How-To for configuring SNMP on Check Point GAIA – which is quite simple.

System Management - SNMP on Check Point GAIA WebUI

System Management – SNMP on Check Point GAIA WebUI

Just select SNMP menu item from System Management menu.

SNMP Setting von Check Point GAIA WebUI

SNMP Setting von Check Point GAIA WebUI

Then check the box for enabling the SNMP Agent, check the box for all the interfaces where you want the SNMP Agent to listen and press Apply.

Then configure your SNMP community as needed and press Apply under this section again.
 

Don’t forget to create a rule to allow SNMP access to your Security Gateway in your security policy and install it to get SNMP data.

If you don’t like the WebUI you might also configure the SNMP settings from the CLISH command line.

set snmp agent on
set snmp agent-version any
set snmp community ThisIsSoSecret read-only
add snmp address 192.168.1.1


We most recent SNMP MIB can be found on a GAIA installation with R75.45 at /opt/CPshrd-R75.40/lib/snmp/chkpnt.mib
 

Tobias Lachmann

Configuring BGP in High Availability Environments with GAIA

In my last post I wrote a quick How-To on configuring BGP between a Security Gateway and a Cisco Router. Today we’re going to extend this setup to full High Availability.

As shown in the overview picture, we now have two routers involved in the BGP. These two routers provide a HSRP (Hot Standby Router Protocol) IP address for the Security Gateways as Default Gateway. The Security Gateways are clustered using ClusterXL.

Redundant Setup with Cisco Router and Check Point Security Gateways speaking BGP

Redundant Setup with Cisco Router and Check Point Security Gateways speaking BGP

When you install a R75.45 from scratch you will find that you run into trouble as the routed routing daemon in GAIA has a bug when it comes to a HA configuration.

Check Point has acknowledged this problem and provides a new version of routed since 20th November.

The old version has the following information:

[Expert@fw1]# cpvinfo /bin/routed

[** Version info attributes of '/bin/routed' **

[Build Number = 986000037
Major Release = NGX
Minor Release = gaia_fiber_adp_ea

 

The new version has the following information:

[[Expert@fw1]# cpvinfo /bin/routed

[** Version info attributes of '/bin/routed' **

[Build Number = 986003002
Major Release = NGX
Minor Release = foxx_hf_ha45_003

 
With the fixed version of routed there are only little changes that have to be done to configure the Security Gateways running GAIA for High Availability and BGP in addition to the configuration of a non redundant setup.

First thing is to configure the BGP Router-ID for every Security Gateway to have the ClusterXL IP address in it.

Configuring BGP Router ID in Check Point GAIA WebUI

Configuring BGP Router ID in Check Point GAIA WebUI

Then you have to edit the BGP peer group and add both Cisco Router aka BGP peers. Don't forget to set the local address to the physical IP address of the specific gateway.

Add Peer Group Details on Check Point GAIA WebUI

Add Peer Group Details on Check Point GAIA WebUI

To complete the description details here are the Cisco configuration for both routers in this scenario.

Router A:

interface Loopback0
ip address 192.168.200.2 255.255.255.255
!
interface GigabitEthernet0/0
ip address 192.168.100.2 255.255.255.0
standby 0 preempt
standby 1 ip 192.168.100.1
standby 1 priority 40
!
interface GigabitEthernet0/1
ip address 10.10.10.2 255.255.255.0
!
router bgp 12345
bgp router-id 192.168.200.2
bgp log-neighbor-changes
neighbor BGP_TEST peer-group
neighbor BGP_TEST remote-as 12345
neighbor BGP_TEST description iBGP Session between Core and Security Gateway
neighbor BGP_TEST update-source Loopback0
neighbor 192.168.100.100 peer-group BGP_TEST
!
address-family ipv4
redistribute connected
redistribute static
neighbor BGP_TEST soft-reconfiguration inbound
neighbor 192.168.100.100 activate
exit-address-family
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.10.10.1
ip route 192.168.200.3 255.255.255.255 192.168.100.3


Router B:
interface Loopback0
ip address 192.168.200.3 255.255.255.255
!
interface FastEthernet0/0
ip address 192.168.100.3 255.255.255.0
standby preempt
standby 1 ip 192.168.100.1
standby 1 priority 50
!
interface FastEthernet0/1
ip address 10.10.10.3 255.255.255.0
!
router bgp 12345
bgp router-id 192.168.200.3
bgp log-neighbor-changes
timers bgp 60 180 180
neighbor BGP_TEST peer-group
neighbor BGP_TEST remote-as 12345
neighbor BGP_TEST description iBGP Session between Core and Security Gateway
neighbor BGP_TEST update-source Loopback0
neighbor 192.168.100.100 peer-group BGP_TEST
!
address-family ipv4
redistribute connected
redistribute static
neighbor BGP_TEST soft-reconfiguration inbound
neighbor 192.168.100.100 activate
no auto-summary
no synchronization
exit-address-family
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.10.10.1
ip route 192.168.200.2 255.255.255.255 192.168.100.2


Tobias Lachmann

Configuring BGP between Router and Security Gateway running GAIA

Today we’ll have a look at advanced routing and how we can exchange routing information using the BGP protocol between a Check Point Security Gateway running GAIA and a Cisco router.

It is common practice to use Internal Routing Protocols (IGPs) like ISIS or OSPF for carrying your infrastructure addresses and Border Gateway Protocol (BGP) for carrying Internet prefixes.

I found a very good presentation from Philip Smith who works for Cisco and explains BGP best practices in detail.

We assume that we have the following setup: a router, connected to the Internet on one hand and to a Security Gateway on the other hand. The Security Gateway should tell the router which network it protects using BGP.

Lab Setup for connecting a Check Point Security Gateway to a router using BGP

Lab Setup for connecting a Check Point Security Gateway to a router using BGP

In this setup we have the following routing information on the Security Gateway:

firewall> show route all
Codes: C - Connected, S - Static, R - RIP, B - BGP,
O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA),
A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed


S 0.0.0.0/0 via 192.168.100.100, eth1, cost 0, age 178
C 127.0.0.0/8 is directly connected, lo
C 192.168.100.0/24 is directly connected, eth1
C 200.200.200.0/24 is directly connected, Mgmt


And this is the routing table for the router:

router#sho ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override


Gateway of last resort is 10.10.10.2 to network 0.0.0.0


S* 0.0.0.0/0 [1/0] via 10.10.10.2
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.10.10.0/24 is directly connected, GigabitEthernet0/0
L 10.10.10.1/32 is directly connected, GigabitEthernet0/0
192.168.100.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.100.0/24 is directly connected, GigabitEthernet0/1
L 192.168.100.100/32 is directly connected, GigabitEthernet0/1
192.168.200.0/32 is subnetted, 1 subnets
C 192.168.200.200 is directly connected, Loopback0


Note that the router is using a loopback IP address for establishing the BGP sessions. See the BGP best practices presentation referenced above for detailed explanation about this.

Now we configure our (Cisco) Router for an internal BGP (iBGP) session.

interface Loopback0
ip address 192.168.200.200 255.255.255.255
!
!
interface GigabitEthernet0/0
ip address 10.10.10.1 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 192.168.100.100 255.255.255.0
duplex auto
speed auto
!
router bgp 12345
bgp router-id 192.168.200.200
bgp log-neighbor-changes
neighbor BGP_TEST peer-group
neighbor BGP_TEST remote-as 12345
neighbor BGP_TEST description iBGP Session between Core and Security Gateway
neighbor BGP_TEST update-source Loopback0
neighbor 192.168.100.1 peer-group BGP_TEST
!
address-family ipv4
redistribute connected
redistribute static
neighbor BGP_TEST soft-reconfiguration inbound
neighbor 192.168.100.1 activate
exit-address-family
!
ip route 0.0.0.0 0.0.0.0 10.10.10.2


At this point the router tries to establish a BGP session with our Security Gateway and tells it about his own connected and static routes.

But the Security Gateway isn’t answering the BGP requests so let’s move on to the configuration of GAIA.

There are different ways to configure BGP, in this example we use the WebUI for it.

First login and change the view to Advanced so that you’re able to see all the menu items in the WebUI.

Changing the Check Point GAIA WebUI to Advanced View

Changing the Check Point GAIA WebUI to Advanced View


Then choose BGP from Advanced Routing menu.
Choose BGP from Advanced Routing Menu on Check Point GAIA WebUI

Choose BGP from Advanced Routing Menu on Check Point GAIA WebUI

On the BGP menu, first check the configuration of the router ID. In our example we use the real IP address of the Security Gateways external interface.

The next part is to change the Local System Identification.

Change_the BGP Local_System_Identification on Check Point GAIA WebUI

Change_the BGP Local_System_Identification on Check Point GAIA WebUI

As shown in the lab setup overview, our AS is 12345.

Save the change. Configuration page looks now like this.

BGP settings of Check Point GAIA WebUI

BGP settings of Check Point GAIA WebUI

Now we will add a peer group which will contain our Cisco router as peer.

Add_a BGP Peer_Group on Check Point GAIA WebUI

Add_a BGP Peer_Group on Check Point GAIA WebUI

Enter the peer AS numer. If it is equal to your own AS number, the page will show the peer group type as Internal, otherwise as External.

Add a BGP Peer Group on Check Point GAIA WebUI

Add a BGP Peer Group on Check Point GAIA WebUI

Then we enter the IP address of the Security Gateways external interface again as Local Address.

And last we add the specific peer by clicking on add peer.

AS lock while adding BGP peer in Check Point GAIA WebUI

AS lock while adding BGP peer in Check Point GAIA WebUI

Add BGP peer in Check Point GAIA WebUI

Add BGP peer in Check Point GAIA WebUI

When you click on Show Advanced Settings you’ll see various options including Logging and Trace Options. I recommend to turn them all on. The information can be found in /var/log/routed.log and the output looks like this:

[Expert@firewall]# tail -f /var/log/routed.log
Nov 16 15:28:07 bgp_traffic_timeout: peer 192.168.200.200 (Routing AS 12345) last checked 60 last recv'd 48
Nov 16 15:29:07 bgp_traffic_timeout: peer 192.168.200.200 (Routing AS 12345) last checked 60 last recv'd 1
Nov 16 15:30:07 bgp_traffic_timeout: peer 192.168.200.200 (Routing AS 12345) last checked 60 last recv'd 6
Nov 16 15:31:07 bgp_traffic_timeout: peer 192.168.200.200 (Routing AS 12345) last checked 60 last recv'd 6
Nov 16 15:40:18 bgp_traffic_timeout: peer 192.168.200.200 (Routing AS 12345) last checked 60 last recv'd 60
Nov 16 15:40:18 bgp_send: sending 19 bytes to 192.168.200.200 (Routing AS 12345)
Nov 16 15:40:18
Nov 16 15:40:18 BGP SEND 192.168.100.1+43878 -> 192.168.200.200+179
Nov 16 15:40:18 BGP SEND message type 4 (KeepAlive) length 19


Advanced Logging and Trace Options in Check Point GAIA WebUI

Advanced Logging and Trace Options in Check Point GAIA WebUI

Overview of Peer Group configuration in Check Point GAIA WebUI

Overview of Peer Group configuration in Check Point GAIA WebUI

Close all configuration dialogs by clicking Save.

Advanced Routing -> BGP menu on Check Point GAIA WebUI

Advanced Routing -> BGP menu on Check Point GAIA WebUI

Now we’ll have a look at the routing table of our Cisco router. Will we see the routes from the Security Gateway?

router#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override


Gateway of last resort is 10.10.10.2 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 10.10.10.2
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.10.10.0/24 is directly connected, GigabitEthernet0/0
L 10.10.10.1/32 is directly connected, GigabitEthernet0/0
192.168.100.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.100.0/24 is directly connected, GigabitEthernet0/1
L 192.168.100.100/32 is directly connected, GigabitEthernet0/1
192.168.200.0/32 is subnetted, 1 subnets
C 192.168.200.200 is directly connected, Loopback0


Nothing has changed here????

Let’s have a look at the Security Gateway:

firewall> show route bgp
Codes: C - Connected, S - Static, R - RIP, B - BGP,
O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA)
A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed


No learned routes here!

Checking the operating system routing table in expert mode:

[Expert@firewall]# ip route
192.168.100.0/24 dev eth1 proto kernel scope link src 192.168.100.1
200.200.200.0/24 dev Mgmt proto kernel scope link src 200.200.200.200
default via 192.168.100.100 dev eth1 proto cprd


Nothing here, either. Let’s check again in CLISH:

firewall> show route all
Codes: C - Connected, S - Static, R - RIP, B - BGP,
O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA),
A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed


S 0.0.0.0/0 via 192.168.100.100, eth1, cost 0, age 1117
B H 10.10.10.0/24 via 192.168.100.100, eth1, cost 0, age 294
C 127.0.0.0/8 is directly connected, lo
B H 192.168.100.0/24 via 192.168.100.100, eth1, cost 0, age 294
C 192.168.100.0/24 is directly connected, eth1
B H 192.168.200.200/32 via 192.168.100.100, eth1, cost 0, age 294
C 200.200.200.0/24 is directly connected, Mgmt


Here we see BGP routes learned from the router, but the routes are marked “hidden”. Which means the routing process knows about them because he got the information from the BGP peer, but is not passing this information along to the routing table of the Security Gateway.

To solve the task of distributing routes via BGP, we have to configure some more option in GAIA WebUI.

Select Route Redistribution from Advanced Routing menu.

Route Redistribution menu from Check Point GAIA WebUI

Route Redistribution menu from Check Point GAIA WebUI

In our example we want to redistribute the routes from the connected interfaces through BGP, so select Add from Redistibute Interfaces.

Redistribute_Interfaces menu from Check PoinT GAIA WebUI

Redistribute_Interfaces menu from Check PoinT GAIA WebUI

Then select to which routing process you want to distribute to.

Redistribute_Interfaces_Choose_Protocol on Check Point GAIA WebUI

Redistribute_Interfaces_Choose_Protocol on Check Point GAIA WebUI

Then select which interface(s) you want to redistribute.

Redistribute_Interfaces_Choose_Interface on Check Point GAIA WebUI

Redistribute Interfaces Choose Interface on Check Point GAIA WebUI

Then enter a metric and click Save.

Redistribute All Interfaces on Check Point GAIA WebUI

Redistribute All Interfaces on Check Point GAIA WebUI

From this point on you will redistribute your routes over BGP to the Cisco router.

Redistribute All Interfaces Summary on Check Point GAIA WebUI

Redistribute All Interfaces Summary on Check Point GAIA WebUI

Let’s check with the router:

router#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override


Gateway of last resort is 10.10.10.2 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 10.10.10.2
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.10.10.0/24 is directly connected, GigabitEthernet0/0
L 10.10.10.1/32 is directly connected, GigabitEthernet0/0
192.168.100.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.100.0/24 is directly connected, GigabitEthernet0/1
L 192.168.100.100/32 is directly connected, GigabitEthernet0/1
192.168.200.0/32 is subnetted, 1 subnets
C 192.168.200.200 is directly connected, Loopback0
B 200.200.200.0/24 [200/100] via 192.168.100.1, 00:00:31


At this point we achieved our goals, routes from the Security Gateway are distributed to the router using BGP.

But what to do if we want to import routes from the router into the Security Gateway?

In this case we have to define Inbound Route Filters. Select the appropriate menu from WebUI.

Inbound Route Filter Menu on Check Point GAIA WebUI

Inbound Route Filter Menu on Check Point GAIA WebUI

Then we need to define a BGP Policy for routes to import. Click on Add BGP Policy.

Inbound Route Filters Add BGP Policy on Check Point GAIA WebUI

Inbound Route Filters Add BGP Policy on Check Point GAIA WebUI

Define which routes to accept. In our case we accept all routes from peers in AS 12345.

Inbound Route Filters - Add BGP Policy - Detail  on Check Point GAIA WebUI

Inbound Route Filters – Add BGP Policy – Detail on Check Point GAIA WebUI

The summary show you the new BGP policy and from that point on your Security Gateway accepts routes send by BGP from the Cisco router.

The routing tables looks like this:

firewall> show route bgp
Codes: C - Connected, S - Static, R - RIP, B - BGP,
O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA)
A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed


B 10.10.10.0/24 via 192.168.100.100, eth1, cost 0, age 58
B 192.168.200.200/32 via 192.168.100.100, eth1, cost 0, age 58


firewall> show route all
Codes: C - Connected, S - Static, R - RIP, B - BGP,
O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA),
A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed


S 0.0.0.0/0 via 192.168.100.100, eth1, cost 0, age 669
B 10.10.10.0/24 via 192.168.100.100, eth1, cost 0, age 62
C 127.0.0.0/8 is directly connected, lo
B 192.168.100.0/24 via 192.168.100.100, eth1, cost 0, age 62
C 192.168.100.0/24 is directly connected, eth1
B 192.168.200.200/32 via 192.168.100.100, eth1, cost 0, age 62
C 200.200.200.0/24 is directly connected, Mgmt

The last thing I want to show to you are some helpful options or buttons.

Under Advanced Routing -> Routing Options you will find trace options for routing.

Route Options on Check Point GAIA WebUI

Route Options on Check Point GAIA WebUI

I suggest you turn them on increase the size for the trace files.

Route Options - Trace Options on Check Point GAIA WebUI

Route Options – Trace Options on Check Point GAIA WebUI

Don’t forget to apply the setting with the button on top of this page!

Last thing is the way to restart the routing daemon. The button can be found on the bottom of the Route Options page.

Restart Routing Daemon on Check Point GAIA WebUI

Restart Routing Daemon on Check Point GAIA WebUI



I hope you liked this little How-To on BGP.

Tobias Lachmann

Performance impact of IPv6

At the Mini CPX here in Cologne the guys from Spirent presented some performance testing along with Check Point.

Really interesting stuff and cool technology!

During the presentation I wondered how much impact we would see on Check Point firewalls when instead of IPv4 packets IPv6 packets are processed.

Apparently, when it comes to the payload, there’s no change. If it is HTTP over IPv4 or HTTP over IPv6 – doesn’t matter.

But the processing of the IPv6 addresses take a little bit longer and there is a noticeable performance drop of about 10%. Quite neglectable in my opinion.

The other part is connection table, where you actually have to store the 128 bit long IPv6 IP address. In comparison to a 32 bit long IPv4 address this will consume 4 times more memory. From what I’ve learned so far we don’t actually see this number, but a decrease of about 40% in maximum connections.

The relevance for real live installations is quite low. First we have increased connection capacity due to 64-bit GAIA operating system. Second the amount of IPv6 traffic in normal installation will not come near to any numbers that we see with IPv4 at the moment. And if it does, you should do a PoC along with Check Point and maybe Spirent first to make sure you’re choosing the right solution for your multi-gigabit IPv6 troughput.

Tobias Lachmann

Watch out for different version of Check Point’s GAIA operating system

Please have in mind that we have different GAIA versions out there.

We have GAIA and we have GAIA+ – which brings some new features and improvments and should be the one that is installed when building new systems from scratch.

On CLISH you can determine the version with the command show version all.

The following build numbers are know so far:

  • latest EA: 264
  • GA: 338
  • 2nd GA: 339
  • GAIA+: 65

To be honest: I’m not happy about this different versions. Makes life harder and when you connect to a system you don’t know, you have to make sure which version you’re on.

And for sure we can expect more version like GAIA++, GAIA enhanced or whatever Check Point wants to call it. Keeps confunsing engineers as we as customers.
Also, as seen with GAIA+, you can’t go from one version to another like that. So your GAIA installation cannot be upgraded to GAIA+. In worst case you have to re-do the installation.

Tobias Lachmann

Configuring GAIA – differences between CLISH and WebUI

Maybe you made your first steps with GAIA, the all new Check Point operating system, and found yourself at the point where you needed to go into “Expert mode” as used in SPLAT.

Just typing expert will give you the message that you need to define the expert password first by issuing set expert-password plain.

Having done that, you can enter expert mode as you like.

But unfortunately this configuration doesn’t survive a reboot.

Why? Because configuration made in CLISH are not persistent and survive a reboot unless you issue the save config command which writes the changes to the central configuration database.

When you work with the WebUI, changes are saved as soon as you press the button Apply.

Please have this in mind when configuring your GAIA from CLISH.

Tobias Lachmann

Comparison of RPM packets from R75 to R75.40 SPLAT/GAIA

Recently I spend some time looking closer on changes made to GAIA in comparison to Secure Platform (SPLAT).

I freshly installed some different version of R75 (R75 up to R75.40) and took note of the version numbering of the installed RPM packages.

It is interesting to see when a specific version of a package was introduced and how long it has been unchanged throughout the versions.

Please find the full details here:

Comparison of RPM packages for Check Point Secure Platform / GAIA

As you can see, GAIA is based on much newer package version. Even R75.40 SPLAT hasn’t many changes to packages although it shares the same version number as the GAIA build.

Tobias Lachmann

GAIA – Configuring EA Take 5

After we finished installation, it is time to configure the system over the WebUI using the First Time Configuration Wizard.

Step 1 – Login

Here we use the passwort defined during installation instead of “admin/admin” as in old installations.

Check Point GAIA First Time Configuration Wizard WebUI


Step 2 – Welcome Screen

Check Point GAIA First Time Configuration Wizard WebUI


Step 3 – Configure Date and Time


Check Point GAIA First Time Configuration Wizard WebUI


Step 4 – Device Name and DNS


Check Point GAIA First Time Configuration Wizard WebUI


Step 5 – Network Connection

Note that you can configure a DHCP Server for this interface to serve the clients

Check Point GAIA First Time Configuration Wizard WebUI


Step 6 – Product Selection

Here you can choose wether to do a standalone installation with gateway and management on the same machine, or a distributed installation. When your system is a security gateway and part of a cluster, you can choose wether to use ClusterXL for clustering or have a VRRP cluster. The later is a feature that Check Point took from the IPSO.


Check Point GAIA First Time Configuration Wizard WebUI


If you install a security management, you can choose if this a primary or secondary server – or a Log Server / SmartEvent Server.


Check Point GAIA First Time Configuration Wizard WebUI


Step 7 – Create a cpconfig_administrator for use in SmartConsole


Check Point GAIA First Time Configuration Wizard WebUI


Step 8 – Define the IP addresses of GUI clients


Check Point GAIA First Time Configuration Wizard WebUI


Step 9 – Review and Finish


Check Point GAIA First Time Configuration Wizard WebUI


Check Point GAIA First Time Configuration Wizard WebUI


Step 10 – Installation and configuration

I like that at this point the system gives you feedback what kind of action it is performing at the moment and what the progress is.


Check Point GAIA First Time Configuration Wizard WebUI


Step 11 – Configuration is finished

Check Point GAIA First Time Configuration Wizard WebUI


On this point you setup your system, in our case a Security Management server.

Now we can install SmartConsole and login to the server.

Tobias Lachmann

GAIA – Installing EA Take 5 on VMware ESX

I want to share with you my experiences on the Early Availability version of GAIA, the new Check Point operating system.

Besides some upgrade testing I did a new installation in a virtual machine on a VMware ESX server.

Step 1 – Welcome screen

Check Point GAIA EA Take 5 Installation


Step 2 – Hardware Scan Details

Please note that GAIA recognizes that it is running on VMware and will automatically installed the VMware tools!

Check Point GAIA EA Take 5 Installation


Step 3 – Keyboard selection

Check Point GAIA EA Take 5 Installation


Step 4 – Disk information

The installer detected my disks and is automatically creating a software RAID 1 out of it. Very nice. If you want to use a hardware RAID instead, you have to leave the installer at this point, configure your hardware RAID and start over again. Then the hardware RAID will be presented to the installer as one single drive.

Check Point GAIA EA Take 5 Installation


Step 5 – Partitipons Configuration

We waited so long for that kind of feature! Especially working with UTM-1 appliance led to problems during software upgrades when some partitions where heaviley used. I wrote some articles about this in my blog on how to enlarge partitions to solve the problems while upgrading. Good that we can now change/correct the partition layout.

Check Point GAIA EA Take 5 Installation


Step 6 – Passwort for “admin” account

In SPLAT you had the pre-defined account “admin” with the password “admin” when the installation was done. Change of password had to be done while using the first time configuration wizard over the WebUI. From a security perspective this approach is much better.

Check Point GAIA EA Take 5 Installation


Step 7 – Management Interface

Check Point GAIA EA Take 5 Installation


Step 8 – Confirmation before formatting and installing

Check Point GAIA EA Take 5 Installation


Step 9 to 12 – Formatting and installing

Check Point GAIA EA Take 5 Installation


Check Point GAIA EA Take 5 Installation


Check Point GAIA EA Take 5 Installation


Check Point GAIA EA Take 5 Installation

You’re done!

First boot into GAIA

Please note that you can boot into 32 bit mode and also 64 bit mode.

Check Point GAIA EA Take 5 Installation


Starting the system – now whith “colored” progress bar

Check Point GAIA EA Take 5 Installation


Console login screen

The system doesn’t reveal any longer the version information and IP address and port for management access. Instead you can disply a banner, like in this screenshot

Check Point GAIA EA Take 5 Installation


After logging into the system with the password defined in step 6 you will get the message that the configuration has to be done through the First Time Wizard in WebUI.

Check Point GAIA EA Take 5 Installation


That’s it for installing GAIA EA take 5. Quite nice. Quite easy. Lot’s of changes under the hood and a really good approach.

Tobias Lachmann

GAIA early availability take 4

Today I received an E-Mail with the download links for the GAIA early availability packages.

It took Check Point over two weeks to check my “application” for the EA program.

I wonder how the select the ones who will get access to this program.

Still pissed that I had to wait until this day to get hands on GAIA.


Tobias Lachmann

PS.: my friend Valeri Loukine has a review on the GAIA EA in his blog