Archive for the ‘UTM-1’ Category

resize2fs: Operation not permitted While trying to add group #128

Monday, August 30th, 2010

Today I tried to increase the logical volume on a UTM-1 appliance as described before in this blog.

I got the error
resize2fs: Operation not permitted While trying to add group #128
when issuing the resize2fs command.

The solution to this problem: the journal was to small and had to be re-created:

[Expert@firewall]# dumpe2fs /dev/vg_splat/lv_log | grep Journal\ size
Journal size: 32M

[Expert@firewall]# tune2fs -O ^has_journal /dev/vg_splat/lv_log

[Expert@firewall]# tune2fs -j /dev/vg_splat/log
Creating journal inode:
done

[Expert@firewall]# dumpe2fs /dev/vg_splat/lv_log | grep Journal\ size
Journal size: 128M

After that do a filesystem check and issue the resize2fs command, which will succeed.

Tobias Lachmann

Posted in Appliance, Secure Platform, UTM-1 | No Comments »

Appliance hardware – updated

Tuesday, August 10th, 2010

Here is a short list of the hardware used in UTM-1 / Power-1 / Smart-1 appliances.

The details can be determined from the command line.

For the CPU details use cat /proc/cpuinfo, for the RAM details use cat /proc/meminfo.

If you have more details on appliances, feel free to send them to blog@lachmann.org

All throughput values are taken from official Check Point materials.

If you take the appliance hardware together with the throughput stated by Check Point, it might give you an idea how your OpenServer hardware will perform in comparison.

Have a close look of the throughput values of the UTM-1 450 in comparison to the UTM-1 570. The processor power is identical, also the memory. But the throughput values for the UTM-1 450 were measured with NGX R65, the values for the UTM-1 570 were measured with R71. See what a performance boost R71 can be, even on the “old” hardware. Sweet!

UTM-1 130

  • Intel Celeron M 600 MHz
  • 1 GB RAM
  • 80 GB ATA HDD
  • Firewall Throughput: 1.5 Gbps
  • VPN Throughput: 120 Mbps
  • IPS Troughput: 1.0 Gbps

UTM-1 270

  • Intel Celeron M 600 MHz
  • 1 GB DDR2 RAM 400 MHz
  • 160 GB ATA HDD
  • Firewall Throughput: 1.5 Gbps
  • VPN Throughput: 120 Mbps
  • IPS Troughput: 1.0 Gbps

UTM-1 450

  • Intel Celeron M 1.5 GHz
  • 1 GB RAM
  • 80 GB ATA HDD
  • Firewall Throughput (R65): 400 Mbps
  • VPN Throughput: (R65) 200 Mbps

UTM-1 570

  • Intel Celeron M 1.5 GHz
  • 1 GB RAM
  • 160 GB ATA HDD
  • Firewall Throughput: 2.5 Gbps
  • VPN Throughput: 300 Mbps
  • IPS Troughput: 1.7 Gbps

UTM-1 1070

  • Intel Celeron M 1.5 GHz
  • 1 GB RAM
  • 160 GB ATA HDD
  • Firewall Throughput: 3 Gbps
  • VPN Throughput: 350 Mbps
  • IPS Troughput: 2.2 Gbps

UTM-1 2050

  • Intel Pentium 4 3.4 GHz
  • 2 GB RAM
  • 80 GB ATA HDD
  • Firewall Throughput (R65): 2.4 Gbps
  • VPN Throughput: (R65) 380 Mbps

UTM-1 2070

  • Intel Celeron 440 2.00GHz
  • 2 GB RAM
  • 160 GB ATA HDD
  • Firewall Throughput: 3.5 Gbps
  • VPN Throughput: 450 Mbps
  • IPS Troughput: 2.7 Gbps

UTM-1 3070

  • Intel Core2 Duo E6400 2.13GHz
  • 3 GB RAM
  • 160 GB ATA HDD
  • Firewall Throughput: 4.5 Gbps
  • VPN Throughput: 1100 Mbps
  • IPS Troughput: 4.0 Gbps

Power-1 5075

  • Intel Xeon E5410 2.33GHz (QC)
  • 2 GB RAM
  • 160 GB ATA HDD
  • Firewall Throughput: 9.0 Gbps
  • VPN Throughput: 2.4 Gbps
  • IPS Troughput: 7.5 Gbps

Power-1 9075

  • 2x Intel Xeon E5410 2.33GHz (QC)
  • 4 GB RAM
  • 2x 160 GB HDD
  • Firewall Throughput: 9.0 Gbps
  • VPN Throughput: 2.4 Gbps
  • IPS Troughput: 7.5 Gbps

Smart-1 25

  • Intel Core2 Duo T7400 2.16GHz
  • 3 GB RAM
  • 4x 500 GB SATA HDD in RAID 10

Thanks to all the contributors for their info!

Tobias Lachmann

Posted in OpenServer, Power-1, Smart-1, UTM-1 | Comments Off

UTM-1 1050 and 2050 network problems

Wednesday, July 21st, 2010

So, what is the problem about? Well, NIC connections stay up for about 1 or 2 minutes, then they’re down for about 5 minutes.

We made an upgrade of an UTM-1 2050 series appliance to R71 and got massive connectivity problems. Two days later sk42174 came out which helped us fix the problem. Seems that the Linux Kernel starting with R70 assigns new drivers to the NICs, which are incorrect.
The solution for that problem is to change the settings back to the old driver.

For details please refer to the SK and have it in mind when you’re updating older appliances.

Posted in R71, Secure Platform, UTM-1 | Comments Off

Online partition resizing on UTM-1 appliances

Thursday, June 24th, 2010

Under SPLAT with 2.4 linux kernel (NGX R65) you had to follow a slightly complicated procedure to resize the partitions and the filesystems on an UTM-1 appliance.

Now the R7x releases bring us the 2.6 kernel with lots of improvements. A very nice one it the ability to resize (meaning increase!) the partitions and filesystems online, without the need of unmounting them.

[Expert@volvo]# lvresize -L 12GB vg_splat/lv_current
Extending logical volume lv_current to 12.00 GB
Logical volume lv_current successfully resized

[Expert@volvo]# resize2fs /dev/mapper/vg_splat-lv_current
resize2fs 1.39 (29-May-2006)
Filesystem at /dev/mapper/vg_splat-lv_current is mounted on /; on-line resizing required
Performing an on-line resize of /dev/mapper/vg_splat-lv_current to 3145728 (4k) blocks.
The filesystem on /dev/mapper/vg_splat-lv_current is now 3145728 blocks long.

Please note: this can only be done while increasing the filesystems. Reducing the filesystems requires them to be unmounted!

In that case go with this procedure.

Tobias Lachmann

Posted in Secure Platform, UTM-1 | Comments Off

Update to R71 – enlarging UTM-1 appliance root partitions

Friday, June 18th, 2010

In one of my previous blog entries I described a way to enlarge partitions of UTM-1 appliances. This was necessary especially for the older x50 series appliances, as they had a smaller hard drive and a bad partition layout.

In the past I only enlarged the partition that held the log files because that’s were you have the most data. The procedure was working just fine and I was happy.

A couple of days ago I started updating x50 series appliances from R65 to R71. Even with cleaning up the system of unused files right before the update I got into serious trouble. The cause was that the root partition was nearly about full.

The update process itself came up with no error, but while operating the appliance the root partition was completely full in no time. Especially updating the URL Filterung database, which is now about 370MB, filled the root partition quickly.

When I tried enlarging the root partition with the described procedure I failed.

Resizing requires to unmount the partition before – but you can’t unmount the root partition.

So I had to find another way to modify the partition sizes of the appliance.

Here’s what I did:

I downloaded an ISO-Image of grml, a Linux Live system for sysadmins. Then I modified the ISO to display output on the serial console. You can download this modified ISO here.

I connected an USB-DVD-Drive to the appliance and booted the ISO image.

On the boot screen I added some parameters for the startup process:

Some information and boot options available via keys F2 - F10. http://grml.org/
grml 2010.04 - Release Codename Grmlmonster 2010.04.29
boot: serial debug=noscreen lang=de lvm

When grml was finished, it gave me a console with all the needed tools. LVM was loaded already and I was good to go.

I checked for the volume groups on the hard drive with the vgscan command:

root@grml ~ # vgscan -v
Wiping cache of LVM-capable devices
Wiping internal VG cache
Reading all physical volumes. This may take a while...
Finding all volume groups
Finding volume group "vg_splat"
Found volume group "vg_splat" using metadata type lvm2

Then I activated the logical volumes with vgchange:

root@grml ~ # vgchange -a y
6 logical volume(s) in volume group "vg_splat" now active

You can display the volume group with vgdisplay:

root@grml ~ # vgdisplay
--- Volume group ---
VG Name vg_splat
System ID
Format lvm2
Metadata Areas 1
Metadata Sequence No 7
VG Access read/write
VG Status resizable
MAX LV 255
Cur LV 6
Open LV 0
Max PV 255
Cur PV 1
Act PV 1
VG Size 72.47 GiB
PE Size 4.00 MiB
Total PE 18553
Alloc PE / Size 7424 / 29.00 GiB
Free PE / Size 11129 / 43.47 GiB
VG UUID dCQA6u-z70X-LIsE-Xhmb-n5ho-ZMrX-JyBePy

You can display the logical volumes with lvscan:

root@grml ~ # lvscan
ACTIVE '/dev/vg_splat/lv_current' [5.00 GiB] inherit
ACTIVE '/dev/vg_splat/lv_log' [10.00 GiB] inherit
ACTIVE '/dev/vg_splat/lv_hfa' [5.00 GiB] inherit
ACTIVE '/dev/vg_splat/lv_upgrade' [5.00 GiB] inherit
ACTIVE '/dev/vg_splat/lv_fcd' [2.00 GiB] inherit
ACTIVE '/dev/vg_splat/lv_fcd62' [2.00 GiB] inherit

Then I did the resizing of the volumes groups to better values:

root@grml ~ # lvresize -L 11GB /dev/vg_splat/lv_current
Extending logical volume lv_current to 11.00 GiB
Logical volume lv_current successfully resized

root@grml ~ # lvresize -L 25G /dev/vg_splat/lv_log
Extending logical volume lv_log to 25.00 GiB
Logical volume lv_log successfully resized
Keep in mind that you will need some free space for imaging purposes, so don’t use up all the space on the hard drive!

Then a file system check has to be done, followed by the resizing of the file system.

root@grml ~ # e2fsck -f /dev/vg_splat/lv_current
e2fsck 1.41.11 (14-Mar-2010)
Superblock last mount time is in the future.
(by less than a day, probably due to the hardware clock being incorrectly set) Fix? yes

Pass 1: Checking inodes, blocks, and sizes
Pass 2: Checking directory structure
Pass 3: Checking directory connectivity
Pass 4: Checking reference counts
Pass 5: Checking group summary information
/dev/vg_splat/lv_current: ***** FILE SYSTEM WAS MODIFIED *****
/dev/vg_splat/lv_current: 26973/655360 files (0.1% non-contiguous), 384238/1310720 blocks

root@grml ~ # resize2fs /dev/vg_splat/lv_current
resize2fs 1.41.11 (14-Mar-2010)
Resizing the filesystem on /dev/vg_splat/lv_current to 2883584 (4k) blocks.
The filesystem on /dev/vg_splat/lv_current is now 2883584 blocks long.

root@grml ~ # e2fsck -f /dev/vg_splat/lv_log
e2fsck 1.41.11 (14-Mar-2010)
Superblock last mount time is in the future.
(by less than a day, probably due to the hardware clock being incorrectly set) Fix? yes

Pass 1: Checking inodes, blocks, and sizes
Pass 2: Checking directory structure
Pass 3: Checking directory connectivity
Pass 4: Checking reference counts
Pass 5: Checking group summary information

/dev/vg_splat/lv_log: ***** FILE SYSTEM WAS MODIFIED *****
/dev/vg_splat/lv_log: 56/1310720 files (3.6% non-contiguous), 49409/2621440 blocks

root@grml ~ # resize2fs /dev/vg_splat/lv_log
resize2fs 1.41.11 (14-Mar-2010)
Resizing the filesystem on /dev/vg_splat/lv_log to 6553600 (4k) blocks.
The filesystem on /dev/vg_splat/lv_log is now 6553600 blocks long.

To finish, deactive the logical volumes:

root@grml ~ # vgchange -a n
0 logical volume(s) in volume group "vg_splat" now active

root@grml ~ # lvscan
inactive '/dev/vg_splat/lv_current' [11.00 GiB] inherit
inactive '/dev/vg_splat/lv_log' [25.00 GiB] inherit
inactive '/dev/vg_splat/lv_hfa' [5.00 GiB] inherit
inactive '/dev/vg_splat/lv_upgrade' [5.00 GiB] inherit
inactive '/dev/vg_splat/lv_fcd' [2.00 GiB] inherit
inactive '/dev/vg_splat/lv_fcd62' [2.00 GiB] inherit
That’s it. Reboot again and start the Secure Platform.

Check with df -h that you have the desired partition layout:

[Expert@cpmodule]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/vg_splat-lv_current
11G 1.4G 8.9G 14% /
none 11G 1.4G 8.9G 14% /dev/pts
/dev/hdc1 145M 13M 125M 9% /boot
none 502M 0 502M 0% /dev/shm
/dev/mapper/vg_splat-lv_log
25G 33M 24G 1% /var/log

Tobias Lachmann

Posted in Secure Platform, Troubleshooting, UTM-1 | Comments Off

Using 3rd party certificates for your SSL VPN

Tuesday, June 8th, 2010

With Check Point software it’s very easy to configure client authentication over https or SSL VPN with the SSL Network Extender (SNX).

But unfortunately, Check Point presents a self-signed certificate from the internal CA to the users.

This warning message can be confusing for the users and even might not work, depending on the company policy and settings in the browser.

The better way is to have a certificate on the gateway that was issued from one of the big CA like Verisign, Thawte etc. and present this to the users.

Because these CAs are known to the browser as trustworthy, no error message appears while connecting.

I’m going to show you how to configure your gateway with a certificate from a 3rd party CA.

1. First, we need to create a trusted CA object under the Servers and OPSEC Applications section.

Creating a trusted CA object

2. Then we give a name to the CA object and choose OPSEC PKI as CA type.

CA properties

3. On the next tab you can import the CA certificate from a file.

OPSEC PKI properties

Here you can also choose to do an automatic enrollment for certificate renewal over three different protocols. However, this isn’t supported by all CA. Personally I don’t do automatic renewals but do it by hand instead every time.

If you uncheck CRL retrieval from HTTP servers, all certificates will be trusted, wether revoked or not. For our purpose it’s ok to have this unchecked.

4. While importing the CA certificate you have to approve it.

Accept CA certificate

5. Now we’re done with the CA object and can actually go to the gateway object.

Gateway properties

6. Click on Add to create a new certificate. You’re asked for a Nickname of the certificate which is used in various places in the GUI and in config files. I would suggest to keep it short and descriptive. Choose to enroll this certificate from the CA created in the steps before.

Certificate properties

7. At this point a CSR (certificate signing request) is going to be generated. The DN (Distinguished Name) has to be correct for the certificate to be created by the CA, so take good care here!

Generate CSR

In our example we sign the certificate by United Internet CA and we have to use this DN for a gateway with the DNS name of fw.test.de

CN=fw.test.de,OU=Comodo InstantSSL,OU=Authorized by United SSL,OU=Authorized by United SSL,O=TEST GmbH,STREET=Test Straße 90,L=Hamburg,ST=Hamburg,OID.2.5.4.17=22159,C=DE
Alternatives DNS are defined as FQDN.

8. After filling in the details a CSR is presented. Copy it to the clipboard are save it to a file and hand it over to the CA you chose for signing. Make sure that the text is copied completely.

CSR view

9. When the CA give you back your signed certificate, complete the process by selecting the appropriate nickname and click on Complete.

Gateway properties

10. Load the certificate, accept it and attach it to the gateway.

Accept certificate

11. Now you can choose this certificate to be presented when connecting to SSL Network Extender etc.

Clientless VPN configuration


VPN Clients configuration

To use this certificate in client authentication you have to configure the file $FWDIR/conf/fwauthd.conf.

Change the entry to

900 fwssd in.ahclientd wait 900 ssl:fw.test.de

Tobias Lachmann

Posted in General, SSL Network Extender, UTM-1, VPN-1 | Comments Off

UTM-1 hardware

Tuesday, May 25th, 2010

Here is a short list of the hardware used in UTM-1 / Power-1 / Smart-1 appliances.
If you take the appliance hardware together with the throughput stated by Check Point, it might give you an idea how your OpenServer hardware will perform in comparison.

The details can be determined from the command line.

For the CPU details use cat /proc/cpuinfo, for the RAM details use cat /proc/meminfo.

If you have more details on UTM-1 appliances, feel free to send them to blog@lachmann.org

UTM-1 130

  • Intel Celeron M 600 MHz
  • 1 GB RAM
  • 80 GB ATA HDD

UTM-1 270

  • Intel Celeron M 600 MHz
  • 1 GB DDR2 RAM 400 MHz
  • 160 GB ATA HDD

UTM-1 450

  • Intel Celeron M 1.5 GHz
  • 1 GB RAM
  • 80 GB ATA HDD

UTM-1 570

  • Intel Celeron M 1.5 GHz
  • 1 GB RAM
  • 160 GB ATA HDD

UTM-1 1070

  • Intel Celeron M 1.5 GHz
  • 1 GB RAM
  • 160 GB ATA HDD

UTM-1 2050

  • Intel Pentium 4 3.4 GHz
  • 2 GB RAM
  • 80 GB ATA HDD

UTM-1 2070

  • Intel Celeron 440 2.00GHz
  • 2 GB RAM
  • 160 GB ATA HDD

UTM-1 3070

  • Intel Core2 Duo E6400 2.13GHz
  • 3 GB RAM
  • 160 GB ATA HDD

Power-1 5070

  • Intel Xeon E5410 2.33GHz (QC)
  • 2 GB RAM
  • 80 GB ATA HDD

Smart-1 25

  • Intel Core2 Duo CPU T7400 2.16GHz
  • 3 GB RAM
  • 4x 500 GB SATA HDD in RAID 10

Thanks to all the contributors for their info!

Tobias Lachmann

Posted in General, OpenServer, Power-1, Secure Platform, Smart-1, UTM-1 | Comments Off

How to build an UTM-1 cluster with SmartCenter HA (aka Full Cluster)

Sunday, May 9th, 2010

Maybe you’ve seen my presentation on CPUGCON 2009 about migration to an UTM-1 cluster from a distributed environment.

Now I was asked to provide a how-to about building this kind of UTM-1 Full Cluster from scratch.

Actually this is very easy. Building UTM-1 clusters was supported from the start, but the SmartCenter could only reside on one appliance. With the introduction of NGX R65 with Messaging Security, we also got SmartCenter High-Availability for free.

In our setup we assume that we have two appliances, one primary and one secondary. Setup both with the normal First Time Configuration Wizard.

Make sure to install the primary on as locally managed and primary cluster member.

The secondary appliance is also installed as locally managed but as secondary cluster member.

On the secondary appliance you also have to fill in a SIC secret to establish the communication later.

After completing the First Time Configuration Wizards on both appliances, connect with the SmartDashboard to the primary UTM-1 appliance.

Now the wizard for configuring the cluster pops up. When defining the secondary cluster member, fill in the SIC secret entered in the WebUI wizard.

Fill in all the details that reflect your cluster. Make sure to have at least one dedicated sync network.

Topology could look like this afterwards:

Now you can define rules, push the policy and make the cluster work. After that check the Management HA in the SmartDashboard:

This picture shows that both cluster members have a SmartCenter installed and are working in Management High-Availability mode.

That’s it for building an UTM-1 cluster with Management High Availability – also known as UTM-1 Full Cluster.

Tobias Lachmann

Posted in CPUG, General, Secure Platform, UTM-1 | Comments Off

R71 performance on UTM-1 appliances

Tuesday, May 4th, 2010

As mentioned before, the UTM-1 appliance had performance trouble when doing content scanning and I would not recommend doing this in this machines. Now R71 claimes to give a big boost by new methods of scanning. I tested the performance improvement of the new R71 release with the following setup:

UTM-1 270 mit GigabitEthernet-Uplink to the Internet and GigabitEthernet-Link to the internal network. 4 Servers mit GigabitEthernet as clients running HTTrack website copier in the internal network. I used HTTrack to download several website at the same time, creating a mixture of HTML, graphic, archives and executables content.

The UTM-1 270 was installed out-of-the box using the wizard. I activated VPN, SmartView Monitor and Antivirus in addition the moduls already activated as standard.

The rulebase had two rules, on allowing access to the systems from a management client outside the network and one rule for allowing access to the Internet for the servers. No NAT was used, no additional settings.

With NGX R65 with Messaging Security (HFA25) I had an average throughput of 1,026,474 Bytes / sec while running with 100% CPU load for a couple of minutes.

With NGX R65 with Messaging Security (HFA70) I had an average throughput of 1,094,563 Bytes / sec while running with 100% CPU load for a couple of minutes.

With R70 I had an average throughput of 1,647,257 Bytes / sec while running with 100% CPU load for a couple of minutes.

With R71 I had an average throughput of 1,999,611 Bytes / sec while running with 100% CPU load for a couple of minutes.

My test maybe not so accurate as the ones that Check Point is doing, but I thing the traffic blend reflects the behaviour of normal users really good.

And, having 2x the performance with Antivirus scanning on the same hardware is pretty impressive! The improvement really shows, how nice! I also recognized that R71 comes with a new AV engine with has the name KSS, maybe Kaspersky?

This is enough performance to use modern DSL lines or direct links completely, not only partial. So I would recommend this release to everyone who still uses content scanning on an UTM-1 appliance and has performance problems.

Tobias Lachmann

Posted in Content Inspection, General, Software Blades, UTM-1 | Comments Off

When to use UTM-1 appliances – and when not – Part II

Monday, May 3rd, 2010

Last week the R71 software version was released. One of the most interesting things for me was the performance improvement they promised on appliances.

The use now SecureXL to accelerate connections and state that they now can deliver up to 4 time more firewall throughput and connection rate and up to 3 times more IPS throughput. Some limitations apply to SecureXL as described in the R70 Performance Optimization Guide so we have to see how this works with real life rulebases.

But the biggest change to me is the performance enhancement with Antivirus, where Check Point speaks of up to 15! times more throughput and up to 80 times more connection rate.

This is done by the new Stream Detection Mode. As you may remember from my previous post, AntiVirus suffered from the bad HDD performance on UTM-1 appliances, as every file had to be downloaded to the disc, scanned and then delivered to the client. Now the inspection is done as the traffic passes through the gateway and they do a pattern matching as far as I understood. Makes perfectly sense that this way of traffic inspection improves performance. Unclear is for me at the moment how compressed content is handled. I can’t see now other way than storing the archive to disc, uncompress it and then scan the content. Not sure how they handle this – on the fly seems unlikely.

Anyway, I will test this in the next days to get my own results and will check the processes and disc accesses while doing so, which will hopefully gives an explanation.

By the way: URL Filtering is handled differently, too. Now the connections are handled in the kernel space and no longer folded into the security server. This will improve performance and will change the way we can debug this blade.

If Check Point can keep the promises on performance while running R71 on UTM-1 appliances, I will be deeply impressed. Remember that the appliances are sold for some years now and have less powerful hardware, compared to standard OpenServers. Would be a great thing for all of us the protect the investment in the appliances!

Tobias Lachmann

Posted in Software Blades, UTM-1 | Comments Off

R71 released

Friday, April 30th, 2010

The version R71 was released. See this article for details. The release notes can be found here.

I will test the upgrade from R70.30 to R71 today and get back to you with more feedback.

Tobias Lachmann

Posted in General, Secure Platform, Software Blades, UTM-1, VPN-1 | Comments Off

When to use UTM-1 appliances – and when not

Sunday, April 18th, 2010

In the year 2007 Check Point introduced the UTM-1 appliances. We sold a lot of these, because they had a good value for the money and they were an easy way to quickly deploy stand-alone cluster setups.
The old software license for a gateway with unlimited IP addresses was more expensive than a UTM-1, when you included also the hardware to run the gateway on. And UTM-1 appliances brought more with them for free. On example is SmartDirectory to get user data out of LDAP-Directories/ADs, another is Management High-Availability to sync primary and secondary SmartCenter running on the appliances.

So, why did I choose this headline? Why asking the question, when not to use UTM-1 appliances?

Well, Check Point promoted Messaging Security at the beginning, later one the Total Security Package which offered Antispan, Antivirus and URL-Filtering. The idea to have all this functions together on one gateway that has to deal with the network traffic anyway sounded smart. And it is, believe me. What was not smart was to ability to use these functions on every gateway… which customers did.
The UTM-1 270 for example has a Celeron M 60 MHz CPU in it, together with only 1 GB of RAM. The 570 series has a Celeron M with 1.5 GHz CPU and also 1 GB RAM. Could you really believe that this hardware is capable of dealing with Firewall rules, VPN, SmartCenter functions and all the Content Inspection at once? Turns out they can’t. We’ve seen enormous CPU loads in the field, together with tremendous utilisation of I/O. The installation of a policy nearly took down the systems and users experienced connection loss from that. The reason for the later seems to be that at the beginning Check Point started to many instances of the security servers for the scanning. This was fixed in a HFA and is actually no longer existing. But the bad I/O performance still remains. Well, every intercepted download has to be writen to the harddrive and scanned. If it’s compressed, it had to be uncompressed before scanning. This creates high load for sure.

Even the bigger UTM-1 2050 appliances had only a Pentium 4 mit 3.4 GHz and 2 GB of RAM in it. More powerful, true. But not really enough power anyway. And I/O still sucked.

Ok, let’s get back to the initial question. When should I use an UTM-1 appliance?

I think that these appliances do their best job purely as Firewall and/or VPN gateway. We like to use them in dedicated customer environments like Web Shops our web server housings. Depending on customers need and prerequisits you can deploy the appliances a single gateway or HA-cluster. Managed by a bigger SmartCenter or self-managed, together with Management HA.

When should I not use an UTM-1 appliance?

In case you want to use content inspection, stick with a software license and run it on an OpenServer. There you can increase the memory and use dual-core CPUs. You can get better harddisc performance with specialised controllers and maybe just add more discs and have a RAID 0. Since they introduced the new Multi-Core licensing where you pay for the amount of CPUs you want to use, this is getting really affordable. The SG203-U license togehter with the desired content inspection blades is the best combination, even for demanding environments.

Oh, I forgot one thing: when you buy an UTM-1 appliance, you have to stick with the number of network interface. On an OpenServer, just add additional network cards as needed until all slots are filled. Even GE or 10GE is no big deal.

So, the use of an UTM-1 appliance depends on the scenario where you want to deploy it. Carefully think about it and then choose your solution. Have in mind that an appliance may be cheaper thaen software plus OpenServer hardware. But if your users complain about the performance, handling only a few service calls can eat up the safings from an appliance.

Finally I want to mention some things that are unique to the UTM-1 appliances and that you loose when choosing SPLAT on OpenServer. First the image management, which is quite good. Easy to use and perfect for rollback operations after major changes in your environment. Second the ability to crash recover an appliance through the front panel and the use of a prepared USB stick to deploy the initial configuration. Very cool feature for remote locations.

Hopefully we’ll see performance improvements with upcoming GAIA even on single core machines through new code, so that we can use the UTM-1 appliances with all features again. Wait and see..

Tobias Lachmann

Posted in UTM-1 | Comments Off

Determine UTM-1 appliance series from CLI

Thursday, January 7th, 2010

If you want to know which appliance series you have, you can use a command line tool to determine this information.

Just run /usr/sbin/dmidecode | grep "Product Name"

Sample output:

[Expert@xxx-fw1]# /usr/sbin/dmidecode | grep "Product Name"
Product Name: U-30-00
Product Name:

[Expert@yyy-cp1]# /usr/sbin/dmidecode | grep "Product Name"
Product Name: C6P_UTM
Product Name: NSA-1086

Here are the translation for the information under the field Product Name:

  • P-20-00 -> Power-1 9070 Appliance
  • P-10-00 -> Power-1 5070 Appliance
  • U-40-00 -> UTM-1 3070 Appliance
  • U-30-00 -> UTM-1 2070 Appliance
  • U-20-00 -> UTM-1 1070 Appliance
  • U-15-00 -> UTM-1 570 Appliance
  • U-10-00 -> UTM-1 270 Appliance
  • U-5-00 -> UTM-1 130 Appliance
  • C6P_UTM -> UTM-1 2050 Appliance
  • C6_UTM -> UTM-1 1050 Appliance
  • C2_UTM -> UTM-1 450 Appliance

Tobias Lachmann

Posted in General, UTM-1 | Comments Off

Enlarging UTM-1 partitions

Friday, January 1st, 2010

Some users may experience problems with full partitions on Check Point UTM-1 appliances, most likely with the partition holding the log files as this partition is small, especially at the first appliance series.

When you install SecurePlatform, all partitions have fixed sizes except for /var which gets the remaining free space after the creation of the other partitions. Because logs are stored in /var/opt/CPsuite-R70/fw1/log, there’s rarely trouble with disc space.

The UTM-1 appliance work different as they use the Logical Volume Manager (LVM) for handling the partitions. The LVM is assigning the hard disc space to the partitions and allows resizing of partitions.

However, the filesystem is untouched when you resize a partition. So following sk33179 doesn’t give you additional space for your logs.

To achieve this goal you first have to resize the partitions:

  1. View the name of the log partition with lvdisplay, most likely, this name is /dev/vg_splat/lv_log.
  2. Then resize with
    lvresize -L 30GB /dev/vg_splat/lv_log.
    In this example the partition is resized to 30GB.

Reboot the appliance with serial console attached. Access the boot menu by pressing a key when prompted and boot into maintenance mode.

Then execute this commands:

umount /dev/mapper/vg_splat-lv_log
e2fsck -f /dev/mapper/vg_splat-lv_log
resize2fs /dev/mapper/vg_splat-lv_log

This modifies the filesystem and brings it to the new partition size.
Reboot the appliance afterwards and verify with the df -h command that you accomplished the resizing of partition and filesystem correctly.

Tobias Lachmann

Posted in Secure Platform, UTM-1 | Comments Off

Check Point R70.20 is now available

Sunday, December 20th, 2009

The release R70.20 is now available. I checked the documentation and found that it contains many important fixes as well as new features. Especially it takes care of the new multicore licensing scheme, that has been introduced by Check Point.

Check out the What’s new page, the Release Notes, the Known Limitations and the Resolved Issues.

R70.20 is like the HFA60 for NGX R65 from the bugfixing side plus some added features.
Highly recommended for installation.

Tobias Lachmann

Posted in General, Secure Platform, Software Blades, UTM-1, VPN-1 | Comments Off

Update: Hardware Monitoring on UTM-1 appliances

Wednesday, December 2nd, 2009

Check Point found the error and described it as follows:
While installing NGX R65 HFA50, the net-snmp packages are updates to 5.3.1.0 version. When upgrading to R70.1, it tries to upgrade to net-snmp-5.0.9 version, which fails since newer packages are installed.

Check Point provided me with a new R70.1 upgrade package which I will test in the next days. Sadly, the updated package hasn’t made it to the download page so far, there you can still get the old -buggy- version.

Hopefully they re-relase this upgrade package soon.

If they don’t and you experience problems while upgrading, please ask support for the fix and refer to SR 11-72334871.

UPDATE: Check Point released a SecureKnowledge article for this issue: sk43340

UPDATE 2: Today I spoke to the support guys again. I convinced them that this fix is interesting for everybody with a UTM-1 installation and HFA50 out there, which are quite a lot people, I guess. Now they’re thinking about changing the SK entry and adding a direct download link to the fixed packet.

UPDATE 3: Support will release a new article for this issue including the download links: sk43350. At the moment the sk is not publicly available

Tobias Lachmann

Posted in Troubleshooting, UTM-1 | Comments Off

NGX R65 HFA60 available

Wednesday, December 2nd, 2009

The latest Hotfix Accumulator, HFA60 for NGX R65 is available.
At the moment only for Check Point partner, but public release will follow shortly.
The release notes show a huge amount of fixed issues, including some content scanning problems I’ve seen before in the wild.
So the installation of HFA60 is greatly recommended!

Tobias Lachmann

Posted in General, Secure Platform, UTM-1 | Comments Off

Hardware Monitoring on UTM-1 appliances

Sunday, November 22nd, 2009

The hardware monitoring feature on UTM-1 appliances, available since R70.1, is missing when upgrading the appliance from NGX R65 with Messaging Security HFA50.

Check Point just confirmed this and stated, that some rpm packages are not updated which produces the error.
When you upgrade directly from NGX R65 with Messaging Security, the error is not occuring.

We’ll see what the solution from the developers for this problem will be. Since this is a general problem, I hope for new upgrade packages instead of some fixes to be applied afterwards. Seems cleaner to me….

I keep you informed

Tobias Lachmann

Posted in Troubleshooting, UTM-1 | Comments Off

Error in upgrade process from NGX R65 to R70.1 on UTM-1

Wednesday, October 21st, 2009

Today I got the confirmation that Check Point was able to reproduce an error reported by me.

With R70.1 the new feature of hardware monitoring for appliances was introduced. The was missing for so long and I’m glad is had been build into the WebUI now. But unfortunately this is only working when you do a completely new installation.

When you upgrade a NXG R65 installation on a UTM-1 to R70 and then onwards to R70.1 some files get corrupted.

Support is currently working on this, I’ll keep you posted.

Tobias Lachmann

Posted in UTM-1 | Comments Off

Presentations from Check Point User Group Conference (CPUGCON) 2009

Wednesday, October 21st, 2009

I think I get started with this blog by posting links to the presentations I held on the Check Point User Group Conference in Chur, Switzerland.

The first presentation is purely for beginners:  Troubleshooting in the Check Point environment, Part I

The second one, which was more liked by the crowd at CPUGCON, is really advanced troubleshooting: Troubleshooting in the Check Point environment, Part II

I benefit from my daily work with a Check Point Collaborative Support Provider (CCSP) for these two presentations, as they reflect the things I’m constantly facing.

From the project side, I did lot’s of migrations from distributed Check Point installations to Check Point UTM-1 Full-Cluster. This means that the firewall / vpn part is working in active/standby cluster and we have also Management High Availability with the two SmartCenters. This is described in the presentation: Migration from a Distributed Environment to a UTM-1 Cluster

Best regards

Tobias Lachmann

Posted in CPUG, Secure Platform, Troubleshooting, UTM-1, UTM-1 Edge, VPN-1 | Comments Off