• NGX Basic Debugging
• VPN-1 Power/UTM Dropped Traffic Troubleshooting Document
• fw monitor: A Troubleshooting Tool
• Troubleshooting MTU related issues
• How to Troubleshoot SmartDashboard Connection Issues
• Sync Troubleshooting Guide for ClusterXL – NG-AI and NGX
• Troubleshooting Guide for Content Inspection – Anti Virus Protection
• Anti Virus Signatures Update Process Troubleshooting Flowchart
• SmartDefense Web Intelligence Troubleshooting Guide
• SecurePlatform Debugging for NGX R60
• Handling Core Files
• VPN-1 Power/UTM NGX R65 Debugging with CoreXL
• Analyzing Binary Log Files and Pointers Files
• SmartProvisioning Debugging and Troubleshooting in Versions R65 HFA 40 and later (including R70)
• Certificate Authority Issues – Tips and troubleshooting
• VPN-1 UTM Edge Advanced Troubleshooting Guide
• How to debug SSL Network Extender
• Debugging Connectra Issues
• Debugging SecuRemote/SecureClient
• Practical troubleshooting steps for logging issues
• NGX Advanced Technical Reference Guide (ATRG)
• Advanced Technical Reference Guide (ATRG) for NG
• General troubleshooting advisor for Content Inspection Database Update

Cagdas Ulucan, CCSE+ from Turkey, developed a nice GUI that uses a simple SSH connection to login into your SPLAT-based box and display, change and collect a lot of useful information.

The three shell windows show output of fw monitor, actual fw logging and the main commands, parameters for them can be set using the GUI.

When you click on a button (for example “debug vpn”), you can actually see what commands are issued to the shell, so here you have a learning effect.

The tool has a build-in ftp and syslog server, so produced debug files can the uploaded easily.

At the first moment you’re overwhelmed of all the tabs that address different (troubleshooting) topics, but I think the GUI will improve and Cagdas will find a way to enhance the presentation of his tool.

What is really cool is the cluster view, where you have a windows with two panes, each representing one cluster member. An easy way to send commands to both cluster members and compare the results!

Try his tool, it’s completely free and very very useful.
Send him his suggestion for improvement and make it even better.

Tobias Lachmann

I got the error
resize2fs: Operation not permitted While trying to add group #128
when issuing the resize2fs command.

The solution to this problem: the journal was to small and had to be re-created:

[Expert@firewall]# dumpe2fs /dev/vg_splat/lv_log | grep Journal\ size
Journal size: 32M

[Expert@firewall]# tune2fs -O ^has_journal /dev/vg_splat/lv_log

[Expert@firewall]# tune2fs -j /dev/vg_splat/log
Creating journal inode:
done

[Expert@firewall]# dumpe2fs /dev/vg_splat/lv_log | grep Journal\ size
Journal size: 128M

After that do a filesystem check and issue the resize2fs command, which will succeed.

Tobias Lachmann

Go to Policy -> Global Properties -> SmartDashboard Customization. Click on Advanced Configuration.

Change the http_buffers_size from 4096 bytes to a higher value. Since the default number of concurrent connections is 1000 for HTTP, changing the parameter to the maximum of 65500 bytes would only allocate ~ 63 MB for all buffers together, so why not go with the max?

Tobias Lachmann

Not it is not only possible to use URL filtering for blocking or allowing specific sites, but also to determine what exactly is allowed or denied.
For example: allow Facebook in general, but block Facebook games.

The AppWiki database is listing several thousand webbased applications to choose from for use in your policy.

Like DLP, this blade comes with UserCheck technology. This resident (Windows) client allows the gateway to interact with the user. If for example access to YouTube is allowed only for business use and not for personal use, UserCheck can present a dialog to the user asking what’s the intended purpose of visiting the site. If the user confirms that it’s for business, he is allowed to access the site.

At the moment I’m wondering if this is the next big thing….. will customers buy this blade and enforce their very own policy? Will this be a considerable alternative to pure content inspection products like WebWasher? What are the implications for the company security policy? Who’s defining the allow/block lists?

To be honest, I’m not sure at the moment how customers will use the technology.

Maybe for them it’s enough to block one or two specific apps as reason to buy this blade.

Maybe it’s getting as complex as a full-blown IPS solution with a security engineer defining policies and checking logs all day…. and how many companies can afford that?

I guess we have to wait some time to see where it’s going…

Tobias Lachmann

This modules can be shown using lsmod

[Expert@firewall]# lsmod
Module Size Used by Tainted: PF
rtmmod_smp.2.4.21.cp.i686 281120 1
bridge 27680 0 (autoclean) (unused)
vpnmod_smp.2.4.21.cp.i686 1269512 3
fwmod_smp.2.4.21.cp.i686 7858176 11
simmod_smp.2.4.21.cp.i686 827904 1
vpntmod_smp.2.4.21.cp.i686 13808 0 (unused)
e1000 126728 6
bnx2 79432 2
crc32 3592 0 [bnx2]
sg 38092 0 (autoclean) (unused)
microcode 7072 0 (autoclean)
ide-cd 35840 0 (autoclean)
cdrom 33248 0 (autoclean) [ide-cd]
dm-mod 59428 0
keybdev 3048 0 (unused)
mousedev 5688 0 (unused)
hid 22628 0 (unused)
input 5504 0 [keybdev mousedev hid]
ehci-hcd 20968 0 (unused)
usb-uhci 27308 0 (unused)
usbcore 79680 1 [hid ehci-hcd usb-uhci]
ext3 92840 5
jbd 54056 5 [ext3]
cciss 70432 12
sd_mod 14128 0 (unused)
scsi_mod 118312 2 [sg cciss sd_mod]


When Check Point is referring to the firewall kernel, they’re actually talking about this linux kernel modules.

The Check Point kernel itself is composed of several modules, which can be shown using the fw ctl debug -h command.

In NGX we had the following:

• fw “Firewall Module”
• VPN “VPN Module”
• FG-1 “Floodgate-1 QoS Module”
• H323 “VoIP H.323 Module”
• BOA “Malicious Code Protection Module”
• WS “SmartDefense Web Intelligence Module”
• CPAS “Active Streaming Module”
• CLUSTER “ClusterXL Module”
• RTM “SmartView Monitor Module”

Now with R70 and Software Blades, we have some more kernel modules:

• kiss ???
• kissflow ???
• multik ???
• SFT ???
• CI ???
• fw “Firewall Module”
• VPN “VPN Module”
• FG-1 “Floodgate-1 QoS Module”
• H323 “VoIP H.323 Module”
• BOA “Malicious Code Protection Module”
• WS “SmartDefense Web Intelligence Module”
• CPAS “Active Streaming Module”
• CLUSTER “ClusterXL Module”
• RTM “SmartView Monitor Module”

In the moment I have not found any reference for the new modules, no explanation of the modules itself or the modul kernel debugging options.

I opened a service request with Check Point to get this information.

Tobias Lachmann

A very handy tool, try it!

Tobias Lachmann

But where to check what’s the current version?

Easy answer to that:
http://sigcheck.checkpoint.com/Siglist2.txt

Compare your version from SmartView Monitor or avsu_client to the version you see on the above page.

Tobias Lachmann

First, DLP is about unintentional data loss. There are always ways to get data out of a secure area, if it’s by USB drives, HTTPS upload, CD-Rs, steganography or what so ever. It’s nearly impossible to prevent data leaks completely.

But that’s not what DLP is aiming for… it’s for the user that accidental chooses the wrong email-adress or picks the wrong file for uploading on a website. And for that purpose, it’s totally sufficient.

The underlaying engine which does the processing is amazing and you can do all kinds of stuff with the data types. For most of your requirements Check Point brings build-in datatypes, if it’s credit card numbers or social security numbers.

Second: the hard part with DLP is to define a company policy and a list of data that should not leave the company. This is were technical and organizational security meet and the biggest challenge.

Concerning the DLP-1 appliances that I mentioned before, I have some information about the hardware.

The DLP-1 2571 has Dual Core CPU, 4 GB RAM and 500 GB HDD, so it’s pretty much a UTM-1 3070 series appliance with more memory and HDD.

The DLP-1 9571 is based on the Power-1 9075 and comes with 2x QuadCore CPU, 8 GB RAM and 2x 1 TB HDD.

Internal Check Point sources say that by now it’s safe to assume that for real live traffic you have to divide the performance numbers by 4. This will change with the next releases that improve performance.

If you haven’t noticed, DLP-1 appliances come with UserDirectory blade to allow easy connectivity to Activce Directory domains or LDAP directories.

DLP-1 will be able to scan also HTTPS traffic in the near future (Q1/11) and I’m really looking forward to that feature.

If someone has solid hands-on experience with a DLP implementation, please share them with me: blog@lachmann.org

Tobias Lachmann

• Firewall Throughput 1500 Mbps
• VPN Throughput 220 Mbps
• IPS Throughput 720 Mbps
• AV Throughput 100 Mbps

Since I measured only 20 Mbps AV scanning throughput with R71 on a UTM-1 270 appliance, I don’t trust this figures for real rule bases and real live traffic. But anyway, at least good enough for comparison to other Check Point appliances.

The management of this gateway has to be done over a Security Management server of Provider-1, it is not self-managed unlike UTM-1 appliances.

The desktop form factor is quite nice, I’m just wondering about the cooling. The UTM-1 130 appliances use passive cooling, too, and can get pretty hot sometimes.

What’s nice for smaller offices are the build-in 8 LAN ports with GigabitEthernet, so under some circumstances you can eliminate an additional switch in the office. The SG80 has one additional Gigabit WAN port and a Gigabit DMZ port.

As for now I have no info about the hardware in this appliance, nor the operating system. But I think that it is SPLAT based, deriving from the feature set.

The SG80 is comparably low cost for the performance, as it starts at $2500,–

At the moment this appliance can only be configured over the R70.40 version management / SmartConsole.

The wizard is a little bit different than for normal gateways, but very straight forward.
They changed the SIC handling here. At creation of the object in SmartDashboard you enter a secret and you can install the policy for this device.
But SIC is not established right away, but status of this object is ‘waiting’.
The administrator in the remote office can install the appliance later and connect to the Security Management with this secret, establishing SIC completely.
It’s a mixture of handling normal gateways and Edge appliances and very nice.
Also the most needed configuration option can be chosen when creating the SG80 object using the wizard.

All in all it’s a very nice approach with this new appliance and I can’t wait to get my hand on one of this boxes to test it.

If you had the possibility to test one, please send your findings to blog@lachmann.org

Tobias Lachmann

UPDATE: The SG80 runs Secure Platform Embedded as operating system. Sounds like a striped down version of SPLAT to me.

We have some improvements here, judging by the resolved issues.

This release is also the first one to handle SG80 gateways.

But, as the Release Notes state, the R70.40 cannot be upgraded to R71. You first have to uninstall it before upgrading. This is not very handy, so I would suggest to upgrade directly to R71.10 and wait for the upcoming R71.20 release, which should also contain the fixes and enhancements.

Tobias Lachmann

fw_antispoofing_enabled=0

Please refer to sk26202 for changing kernel global parameters and sk20364 for making them survive a reboot.

Tobias Lachmann

The devices can be displayed using cphaprob -ia list. A normal ouput will look like this:

[Expert@firewall]# cphaprob -ia list

Device Name: fwd
Registration number: 3
Timeout: 2 sec
Current state: OK
Time since last report: 0.1 sec

If one or more of the devices have a problem, ClusterXL will do a failover from the active member to the standby member. This is only true as long as the second member has no problem itself. If this is happening, the cluster mechanism decides by its own which is the more suitable machine to handle the traffic and will or will not do a failover.

Failover will also occur if the issue cpstop or cphastop on the active member, stopping all Check Point services or just the ClusterXL related service.

For the purpose of maintenance it can be necessary to move away all the traffic from the active member to the secondary member through initiating a failover, leaving the security policy and services active on the machine.

This can be done by registering a new device and adding it to the list of the processes that must be running for the cluster member to be considered active and putting the new device in the problem state.

Use this command line: cphaprob -d STOP -s problem -t 0 register

If you want to unregister the problematic device and make the cluster member available and active again, just use this: cphaprob -d STOP unregister.

Learn more about the usage of cphaprob from the CLI manual.

Tobias Lachmann

Tobias Lachmann

To clear this up you do the following:

- issue cpstop on the Security Management server
- delete $FWDIR/conf/applications.C,
$FWDIR/conf/applications.C.backup,
$FWDIR/conf/CPMILinksMgr.db
and $FWDIR/conf/CPMILinksMgr.db.private
- issue cpstart
- install policy again
- open SmartView Monitor again

Tobias Lachmann

The details can be determined from the command line.

For the CPU details use cat /proc/cpuinfo, for the RAM details use cat /proc/meminfo.

If you have more details on appliances, feel free to send them to blog@lachmann.org

All throughput values are taken from official Check Point materials.

If you take the appliance hardware together with the throughput stated by Check Point, it might give you an idea how your OpenServer hardware will perform in comparison.

Have a close look of the throughput values of the UTM-1 450 in comparison to the UTM-1 570. The processor power is identical, also the memory. But the throughput values for the UTM-1 450 were measured with NGX R65, the values for the UTM-1 570 were measured with R71. See what a performance boost R71 can be, even on the “old” hardware. Sweet!

UTM-1 130

• Intel Celeron M 600 MHz
• 1 GB RAM
• 80 GB ATA HDD
• Firewall Throughput: 1.5 Gbps
• VPN Throughput: 120 Mbps
• IPS Troughput: 1.0 Gbps

UTM-1 270

• Intel Celeron M 600 MHz
• 1 GB DDR2 RAM 400 MHz
• 160 GB ATA HDD
• Firewall Throughput: 1.5 Gbps
• VPN Throughput: 120 Mbps
• IPS Troughput: 1.0 Gbps

UTM-1 450

• Intel Celeron M 1.5 GHz
• 1 GB RAM
• 80 GB ATA HDD
• Firewall Throughput (R65): 400 Mbps
• VPN Throughput: (R65) 200 Mbps

UTM-1 570

• Intel Celeron M 1.5 GHz
• 1 GB RAM
• 160 GB ATA HDD
• Firewall Throughput: 2.5 Gbps
• VPN Throughput: 300 Mbps
• IPS Troughput: 1.7 Gbps

UTM-1 1070

• Intel Celeron M 1.5 GHz
• 1 GB RAM
• 160 GB ATA HDD
• Firewall Throughput: 3 Gbps
• VPN Throughput: 350 Mbps
• IPS Troughput: 2.2 Gbps

UTM-1 2050

• Intel Pentium 4 3.4 GHz
• 2 GB RAM
• 80 GB ATA HDD
• Firewall Throughput (R65): 2.4 Gbps
• VPN Throughput: (R65) 380 Mbps

UTM-1 2070

• Intel Celeron 440 2.00GHz
• 2 GB RAM
• 160 GB ATA HDD
• Firewall Throughput: 3.5 Gbps
• VPN Throughput: 450 Mbps
• IPS Troughput: 2.7 Gbps

UTM-1 3070

• Intel Core2 Duo E6400 2.13GHz
• 3 GB RAM
• 160 GB ATA HDD
• Firewall Throughput: 4.5 Gbps
• VPN Throughput: 1100 Mbps
• IPS Troughput: 4.0 Gbps

Power-1 5075

• Intel Xeon E5410 2.33GHz (QC)
• 2 GB RAM
• 160 GB ATA HDD
• Firewall Throughput: 9.0 Gbps
• VPN Throughput: 2.4 Gbps
• IPS Troughput: 7.5 Gbps

Power-1 9075

• 2x Intel Xeon E5410 2.33GHz (QC)
• 4 GB RAM
• 2x 160 GB HDD
• Firewall Throughput: 9.0 Gbps
• VPN Throughput: 2.4 Gbps
• IPS Troughput: 7.5 Gbps

Smart-1 25

• Intel Core2 Duo T7400 2.16GHz
• 3 GB RAM
• 4x 500 GB SATA HDD in RAID 10

Thanks to all the contributors for their info!

Tobias Lachmann

First, we can expect R75 GA by the end of the year. No idea what will be included, but maybe we see more improvements from software blades. As Dorit Dor stated some time ago, the introduction of software blades with R70 was the first step in a three-step-approach of a complete architecture re-design within the Check Point products. So personally I think that every new GA release will bring us closer to the goal and will give us additional performance and/or more features.

Second, Check Point seems to plan the content inspection of HTTPS traffic, availability should be around end of Q1/2011. This is a very interesting feature and I’m really locking forward to it. We had lot’s of projects where the customer choose not to use Check Point content scanning but rather a solution like WebWasher, which could inspect also SSL encrypted traffic. I wonder how the handling will be done in detail and how easy the setup will be in comparison with WebWasher etc.

That’s all for now. Wait and see, if these rumors have a valid background.

If you know more details, please do not hesitate and write an email to blog@lachmann.org

Tobias Lachmann

It accepts the mail from the internal system and in the same time sends the data out to the external system besides the last package to complete the mail. When the mail is received by the DLP gateway from the internal server completely, it is scanned for compliance to the DLP policy and if the check is ok, the last packet is transmitted to the external mail server, finishing mail delivery.

If the check is not ok, the last packet is withheld and the gateway shuts down the connection to the external mail server. So basically the mail has left the company, but because of the interrupted transfer, the external mail server is discarding the temp mail that has been deliverd by now.

I’m not sure at the moment that I like this behaviour… I’m thinking about better ways to handle this…. not finished thinking it through by now…. will let you know my thougts.

Tobias Lachmann

It’s sad that it took so long for Check Point to come up with a VPN client for 10.6 and also SNX support for Snow Leopard is not here at the moment.

Hope they’ll fix that soon.

Tobias Lachmann

We made an upgrade of an UTM-1 2050 series appliance to R71 and got massive connectivity problems. Two days later sk42174 came out which helped us fix the problem. Seems that the Linux Kernel starting with R70 assigns new drivers to the NICs, which are incorrect.
The solution for that problem is to change the settings back to the old driver.

For details please refer to the SK and have it in mind when you’re updating older appliances.

Thanks to my employer MCS for giving me the opportunity.

Barry Stiefel accepted my presentations for “Best Practices For The Check Point Appliances” and “Check Point Troubleshooting” and I’m happy to speak again in front of such a great audience.

It turned out last year that half of the attendees were working for Check Point partners, so enormous amount of knowledge and experience there.

Make sure to attend, too!

Where else can you meet people like yourself, dealing with the same topics and the same problems? Benefit from their experience and their solutions.

Check out the conference presentations (work in progress) and meet the speakers.

And please don’t hesitate to speak to me and share some feedback about this blog when you see me in Chur.

Tobias Lachmann

We now have Abra support on all gateway platforms, support for Outlook Web Access (OWA) 2010 over SSL VPN and R71.10 includes the hotfix for the SSL VPN blade, that was mandatory when using this blade with R70.

Please note that the R71.10 upgrade package cannot be installed on gateways with DLP.

Check Point also released complete packages for a fresh installation with R71.10 but they sadly don’t include UTM-1 images.

Tobias Lachmann

The reason for that is that an upgraded systems keeps the old way of detecting viruses, the Proactive detection mode. In this mode, the traffic is trapped by the kernel and forwarded to the security server. The security server then forwards the traffic to the Antivirus engine and the traffic is allowed or blocked, depending on the response of the Antivirus engine. It is necessary to store the whole file first before scanning it.

The new Stream detection mode doesn’t need to store the file for scanning. Stream detection is able to scan uncompressed and compressed traffic while it is passing through the gateways kernel, doing decompression on the fly.

Stream detection mode works only signature-based, whereas Proactice detection mode works with Antivirus signatures and in addition with a sandbox where heuristic behaviour scans are done to detect malware, even if there no signature available at the moment.

Stream detection is default on fresh installations, so that’s why you can see great performance improvement on R71.

The mode can be changed within SmartDasboard -> Antivirus & URL Filtering tab -> Antivirus -> Security Gateway and then choose the desired protocol.

HTTP and SMTP can work with Stream detection mode and Proactive detection mode, POP3 and FTP only work with Proactive detection mode.

While I appreciate the performance improvement which can be gained using Stream detection mode, I think we lower security a little bit by abstain from using Proactive detection mode.

This decission should be made with careful consideration of the specific setup and customer need. If you use solely Stream detection mode, make sure to have a good Antivirus solution from another vendor running on the end user’s desktop to double-check for malware.

What do you think about the two Antivirus modes? Mail your thoughts to blog@lachmann.org

Tobias Lachmann

I think this is a very nice improvement and worth noticing.

Tobias Lachmann

Now the R7x releases bring us the 2.6 kernel with lots of improvements. A very nice one it the ability to resize (meaning increase!) the partitions and filesystems online, without the need of unmounting them.

[Expert@volvo]# lvresize -L 12GB vg_splat/lv_current
Extending logical volume lv_current to 12.00 GB
Logical volume lv_current successfully resized

[Expert@volvo]# resize2fs /dev/mapper/vg_splat-lv_current
resize2fs 1.39 (29-May-2006)
Filesystem at /dev/mapper/vg_splat-lv_current is mounted on /; on-line resizing required
Performing an on-line resize of /dev/mapper/vg_splat-lv_current to 3145728 (4k) blocks.
The filesystem on /dev/mapper/vg_splat-lv_current is now 3145728 blocks long.

Please note: this can only be done while increasing the filesystems. Reducing the filesystems requires them to be unmounted!

In that case go with this procedure.

Tobias Lachmann

The interval of pulling the policy is defined over Global Properties -> UTM-1 Edge Gateway -> Update configuration settings every XX minutes

If you want to update an Edge immideately, you can do this be using the WebUI (access your SmartCenter over http://:9283/) or you can use the command line.

The directory /opt/CPEdgecmp-R7x/bin contains the tool swcmd which can be used to issue commands directly to the Edge appliance.

swcmd UpdateNowAll will tell the Edges to update their policy immediately.

swcmd Reboot will reboot the gateway.

Tobias Lachmann

Now I was informed by Brian that some commercial CA don’t sign any longer if the key size is only 1024 bit, you need at least 2048 bit.

How can we change the behaviour of the Check Point while issuing the CSR?

Just go to Global Properties -> SmartDashboard Customination -> Configure -> Certificates and PKI properties.

There we have an option the define the key size for the certificates. Available values are 1024, 2048 and 4096 bit.

Change this value according to your need and the requirements of the CA you chose for signing.

Starting with R71 they standard key size 2048.

Tobias Lachmann

In the past I only enlarged the partition that held the log files because that’s were you have the most data. The procedure was working just fine and I was happy.

A couple of days ago I started updating x50 series appliances from R65 to R71. Even with cleaning up the system of unused files right before the update I got into serious trouble. The cause was that the root partition was nearly about full.

The update process itself came up with no error, but while operating the appliance the root partition was completely full in no time. Especially updating the URL Filterung database, which is now about 370MB, filled the root partition quickly.

When I tried enlarging the root partition with the described procedure I failed.

Resizing requires to unmount the partition before – but you can’t unmount the root partition.

So I had to find another way to modify the partition sizes of the appliance.

Here’s what I did:

I downloaded an ISO-Image of grml, a Linux Live system for sysadmins. Then I modified the ISO to display output on the serial console. You can download this modified ISO here.

I connected an USB-DVD-Drive to the appliance and booted the ISO image.

On the boot screen I added some parameters for the startup process:

Some information and boot options available via keys F2 - F10. http://grml.org/
grml 2010.04 - Release Codename Grmlmonster 2010.04.29
boot: serial debug=noscreen lang=de lvm

When grml was finished, it gave me a console with all the needed tools. LVM was loaded already and I was good to go.

I checked for the volume groups on the hard drive with the vgscan command:

root@grml ~ # vgscan -v
Wiping cache of LVM-capable devices
Wiping internal VG cache
Reading all physical volumes. This may take a while...
Finding all volume groups
Finding volume group "vg_splat"
Found volume group "vg_splat" using metadata type lvm2

Then I activated the logical volumes with vgchange:

root@grml ~ # vgchange -a y
6 logical volume(s) in volume group "vg_splat" now active

You can display the volume group with vgdisplay:

root@grml ~ # vgdisplay
--- Volume group ---
VG Name vg_splat
System ID
Format lvm2
Metadata Areas 1
Metadata Sequence No 7
VG Access read/write
VG Status resizable
MAX LV 255
Cur LV 6
Open LV 0
Max PV 255
Cur PV 1
Act PV 1
VG Size 72.47 GiB
PE Size 4.00 MiB
Total PE 18553
Alloc PE / Size 7424 / 29.00 GiB
Free PE / Size 11129 / 43.47 GiB
VG UUID dCQA6u-z70X-LIsE-Xhmb-n5ho-ZMrX-JyBePy

You can display the logical volumes with lvscan:

root@grml ~ # lvscan
ACTIVE '/dev/vg_splat/lv_current' [5.00 GiB] inherit
ACTIVE '/dev/vg_splat/lv_log' [10.00 GiB] inherit
ACTIVE '/dev/vg_splat/lv_hfa' [5.00 GiB] inherit
ACTIVE '/dev/vg_splat/lv_upgrade' [5.00 GiB] inherit
ACTIVE '/dev/vg_splat/lv_fcd' [2.00 GiB] inherit
ACTIVE '/dev/vg_splat/lv_fcd62' [2.00 GiB] inherit

Then I did the resizing of the volumes groups to better values:

root@grml ~ # lvresize -L 11GB /dev/vg_splat/lv_current
Extending logical volume lv_current to 11.00 GiB
Logical volume lv_current successfully resized

root@grml ~ # lvresize -L 25G /dev/vg_splat/lv_log
Extending logical volume lv_log to 25.00 GiB
Logical volume lv_log successfully resized
Keep in mind that you will need some free space for imaging purposes, so don’t use up all the space on the hard drive!

Then a file system check has to be done, followed by the resizing of the file system.

root@grml ~ # e2fsck -f /dev/vg_splat/lv_current
e2fsck 1.41.11 (14-Mar-2010)
Superblock last mount time is in the future.
(by less than a day, probably due to the hardware clock being incorrectly set) Fix? yes

root@grml ~ # resize2fs /dev/vg_splat/lv_log
resize2fs 1.41.11 (14-Mar-2010)
Resizing the filesystem on /dev/vg_splat/lv_log to 6553600 (4k) blocks.
The filesystem on /dev/vg_splat/lv_log is now 6553600 blocks long.

To finish, deactive the logical volumes:

root@grml ~ # vgchange -a n
0 logical volume(s) in volume group "vg_splat" now active

root@grml ~ # lvscan
inactive '/dev/vg_splat/lv_current' [11.00 GiB] inherit
inactive '/dev/vg_splat/lv_log' [25.00 GiB] inherit
inactive '/dev/vg_splat/lv_hfa' [5.00 GiB] inherit
inactive '/dev/vg_splat/lv_upgrade' [5.00 GiB] inherit
inactive '/dev/vg_splat/lv_fcd' [2.00 GiB] inherit
inactive '/dev/vg_splat/lv_fcd62' [2.00 GiB] inherit
That’s it. Reboot again and start the Secure Platform.

Check with df -h that you have the desired partition layout:

[Expert@cpmodule]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/vg_splat-lv_current
11G 1.4G 8.9G 14% /
none 11G 1.4G 8.9G 14% /dev/pts
/dev/hdc1 145M 13M 125M 9% /boot
none 502M 0 502M 0% /dev/shm
/dev/mapper/vg_splat-lv_log
25G 33M 24G 1% /var/log

Tobias Lachmann

Well done guys, well done!

Tobias Lachmann

Tobias Lachmann

But unfortunately, Check Point presents a self-signed certificate from the internal CA to the users.

This warning message can be confusing for the users and even might not work, depending on the company policy and settings in the browser.

The better way is to have a certificate on the gateway that was issued from one of the big CA like Verisign, Thawte etc. and present this to the users.

Because these CAs are known to the browser as trustworthy, no error message appears while connecting.

I’m going to show you how to configure your gateway with a certificate from a 3rd party CA.

1. First, we need to create a trusted CA object under the Servers and OPSEC Applications section.

2. Then we give a name to the CA object and choose OPSEC PKI as CA type.

3. On the next tab you can import the CA certificate from a file.

Here you can also choose to do an automatic enrollment for certificate renewal over three different protocols. However, this isn’t supported by all CA. Personally I don’t do automatic renewals but do it by hand instead every time.

If you uncheck CRL retrieval from HTTP servers, all certificates will be trusted, wether revoked or not. For our purpose it’s ok to have this unchecked.

4. While importing the CA certificate you have to approve it.

5. Now we’re done with the CA object and can actually go to the gateway object.

6. Click on Add to create a new certificate. You’re asked for a Nickname of the certificate which is used in various places in the GUI and in config files. I would suggest to keep it short and descriptive. Choose to enroll this certificate from the CA created in the steps before.

7. At this point a CSR (certificate signing request) is going to be generated. The DN (Distinguished Name) has to be correct for the certificate to be created by the CA, so take good care here!

In our example we sign the certificate by United Internet CA and we have to use this DN for a gateway with the DNS name of fw.test.de

CN=fw.test.de,OU=Comodo InstantSSL,OU=Authorized by United SSL,OU=Authorized by United SSL,O=TEST GmbH,STREET=Test Straße 90,L=Hamburg,ST=Hamburg,OID.2.5.4.17=22159,C=DE
Alternatives DNS are defined as FQDN.

8. After filling in the details a CSR is presented. Copy it to the clipboard are save it to a file and hand it over to the CA you chose for signing. Make sure that the text is copied completely.

9. When the CA give you back your signed certificate, complete the process by selecting the appropriate nickname and click on Complete.

10. Load the certificate, accept it and attach it to the gateway.

11. Now you can choose this certificate to be presented when connecting to SSL Network Extender etc.

To use this certificate in client authentication you have to configure the file $FWDIR/conf/fwauthd.conf.

Change the entry to

900 fwssd in.ahclientd wait 900 ssl:fw.test.de

Tobias Lachmann

Tobias Lachmann

Barry will update the site ongoing to keep you informed about agenda, speakers and other details.

I’m not sure if I can attend CPUGCON this year, but I will try. If I get accepted again as speaker, I might afford the trip.

At the moment I submitted presentations about troubleshooting, DLP, VPN-1 VE and UTM-1 appliances.

We’ll see how many of those can make it to the agenda.

Tobias Lachmann

To access this EA, log into your UserCenter account, go to Products -> Early Availability and choose to register for Discover VPN client.

In the moment the Discovery VPN client is only available for NGX R65 HFA60, a release for R70/R71 will follow shortly. Supported gateway platforms are SecurePlatform, Windows and IPSO 4.2.

The client has support for Windows XP 32 bit with SP2 or SP3, Windows Vista 32 and 64 bit with SP1 and Windows 7 32 and 64 bit, so most of the operating system platforms found in companies are covered.

The following features are not supported at the moment:

• Single Sign-on (SSO)
• “Suggest Connect” Mode (Auto Connect)
• Pre/Post Connect Script
• Entrust Entelligence Support
• Diagnostic Tools
• Compression
• VPN Connectivity to VPN-1 VSX
• DNS Splitting
• “No Office Mode” Connect Mode

But this is OK as it is an EA on the GA version will surely have all those features.

In addition, Discovery VPN client has features that Endpoint Connect is offering, like better Location Awareness, Automatic Site Detection, better Roaming etc.

A hotfix has to be installed on the gateway to enable Discovery support, no changes at the SmartCenter are needed. The configuration has no Discovery specific details, just a normal SecureClient configuration. If you have an exisiting deployment, nothing has to be changed.

I will test this client in the next weeks. If you have done so, please feel free to send comments to blog@lachmann.org and share your experience.

Personally I miss support for Mac OS 10.4, 10.5 and 10.6 very much. Especially media related companies such as advertisement agencies, print and TV producers use Mac OS as operating system, so this is a significant number of users.

Sadly, Check Point hasn’t these operating systems in the same focus as the Windows OS. This leads to the point where the customers change from SecureClient to IPSecuritas, a freeware VPN client. Using this client means more work for the client administrators, as settings can’t be distributed in the way it is done with SecureClient for Mac OS.

Tobias Lachmann

The details can be determined from the command line.

For the CPU details use cat /proc/cpuinfo, for the RAM details use cat /proc/meminfo.

If you have more details on UTM-1 appliances, feel free to send them to blog@lachmann.org

UTM-1 130

• Intel Celeron M 600 MHz
• 1 GB RAM
• 80 GB ATA HDD

UTM-1 270

• Intel Celeron M 600 MHz
• 1 GB DDR2 RAM 400 MHz
• 160 GB ATA HDD

UTM-1 450

• Intel Celeron M 1.5 GHz
• 1 GB RAM
• 80 GB ATA HDD

UTM-1 570

• Intel Celeron M 1.5 GHz
• 1 GB RAM
• 160 GB ATA HDD

UTM-1 1070

• Intel Celeron M 1.5 GHz
• 1 GB RAM
• 160 GB ATA HDD

UTM-1 2050

• Intel Pentium 4 3.4 GHz
• 2 GB RAM
• 80 GB ATA HDD

UTM-1 2070

• Intel Celeron 440 2.00GHz
• 2 GB RAM
• 160 GB ATA HDD

UTM-1 3070

• Intel Core2 Duo E6400 2.13GHz
• 3 GB RAM
• 160 GB ATA HDD

Power-1 5070

• Intel Xeon E5410 2.33GHz (QC)
• 2 GB RAM
• 80 GB ATA HDD

Smart-1 25

• Intel Core2 Duo CPU T7400 2.16GHz
• 3 GB RAM
• 4x 500 GB SATA HDD in RAID 10

Thanks to all the contributors for their info!

Tobias Lachmann

Register for the EA within your Usercenter account. Go to Products and then Early Availability. Register for Avatar EA and download the software and documentation.

I have waited for this EA for a while and I’m very curious. There are rumours that the licensing will also be changed and I hope it’s more affordable than the current pricing.

Tobias Lachmann

While Windows has arp -d * as a working command to delete all entries at once, under Linux and therefor SPLAT you have to try something different.

This little script will do the job for you:

#!/bin/bash
for arpentries in `awk -F ' ' '
{ if ( $1 ~ /[0-9{1,3}].[0-9{1,3}].[0-9{1,3}].[0-9{1,3}]/ )
print $1 }' /proc/net/arp`
do
arp -d $arpentries
done


Tobias Lachmann

In the past we had

• Expert Access to SecureKnowledge
• Newsletter
• Logo rights

Now they added

• Access to level-3 TAC support engineers

I’m not sure what this means. I deal a lot with the TAC in Israel as part of my daily work, but never encountered a “level-3″ engineer. Normally your call is handled by a support engineer and, if escalated, handed over to an escalation engineer. And maybe a diamond engineer from the diamond support team assists. Would we interesting to know what “level-3″ means.

Anyway, the goal is clear: give the higher certified people direct access to support engineers that have the same level.

In addidtion, Check Point changed the handling of calls from Check Point Certified Master Architects (CCMA). Now they get escalation priority while opening a case. Also a good thing, as a CCMA is so highly trained that he could easily work as escalation support engineer with Check Point. If a CCMA opens a case, it must be severe.

The community demanded such priviliges for skilled people a long time (see CPUG board for the discussion) I’m glad that Check Point now made a step forward!

Tobias Lachmann

UPDATE: Pierre Lamy, Technical Lead of Ottawa TAC, pointed out what tiers/levels exist. A level-3 engineer is the normal support engineer who’s handling a case opened with Israel TAC.

The solution is to disable scheduled backup through the WebUI.

Then go to the /var/CPbackup/conf directory and delete the file backup_sched.conf.

Afterwards open the WebUI again and re-configure scheduled backup.

Next time the backup runs everything will be OK and files are transfered to another server with SCP.

Tobias Lachmann

As the release notes show, modifications were made for the new N-series appliances, along with some bug fixing.

The most interesting details:

- support for Endpoint Connect clients
- support for new USB modems
- times based rules are now supported

In the release notes some more features are listed, but with a reference that they will only work with hardware version 1.4.
I guess that is the hardware version of the new N-series appliances.

Nice features supporting hardware version 1.4

- 802.11n support
- GigabitEthernet support
- ore firewall throughput
- more VPN tunnels
- support for some more USB modems

Tobias Lachmann

For the 500 and 1500 user DLP blade a 2-Core-Container is needed. For the unlimited user DLP blade you need a 8-Core-Container.
The size of the blade is determined by the number of users behind the gateway!

So that would mean you need an SG201 container (included: gateway for up to 500 users) for the CPSB-DLP-500 blade.

For the CPSB-DLP-1500 blade a SG203U pre-defined system is needed, to allow more than 500 users.

For the CPSB-DLP-U blade a SG801 container is needed.

So the solution for 500 users will cost $3000 for the blade and $6500 for the container, so $9500 in total.

The solution for 1500 users will cost $7000 for the blade, $14000 for the container, so $21000 in total.

The unlimited solution will cost $12000 for the blade and $18000 for the container, so $30000 in total.

This is the pure software side, you will also need hardware, for example an open server for additional $4000.

If we look at the appliance solution DLP-1 2571 we’ll find that it is limited to 1500 users but costs only $14990.

In case your organization need DLP protection for up to 500 users, a solution with software running on an open server is about $1500 cheaper. If you need up to 1500 users, you pay $10000 more with an open server solution than for the DLP-1 2571. Lot’s of money….. but still worth thinking about it because of the higher performance you will get from an open server.

More easy with the DLP-1 9571 that you need for unlimited users, as the appliances costs $49900. The software solution on an open server is only $34000, that is about $16000 cheaper.

What’s the baseline here? Well, carefully think about your setup before you buy. Think about performance limitations you may encounter with an appliance. Think about the cost for the 2nd and 3rd year… and then make your decision!

Tobias Lachmann

The only work-around would be to configure on the firewall object -> Logs and Masters -> Required Free Disc Space together with the option Do not delete log files from the last X days.

By configuring a very high value for required free disc space you could have the script run every day and with the other option prevent it from deleting the needed logs.

OR – you could implement a short script:

[Expert@fw1]# cat /usr/bin/del_logs.sh
#!/bin/bash
/usr/bin/find /var/log/opt/CPsuite-R65/fw1/*.log* -ctime +217 -print -exec rm -f {} \;

The parameter ctime is the amount of days for the logs to keep.

Run the script with cron:

[Expert@fw1]# crontab -l
# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (/tmp/crontab.19431 installed on Mon May 10 10:21:33 2010)
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
42 11 * * * /usr/bin/del_logs.sh
50 2 * * 1,2,3,4,5,6,7 backup_util sched

Now you’re able to delete the old logs as you like. If you backup your firewall or SmartCenter to your local disc, maybe you want to do this with your backups, too?

Tobias Lachmann

Now I was asked to provide a how-to about building this kind of UTM-1 Full Cluster from scratch.

Actually this is very easy. Building UTM-1 clusters was supported from the start, but the SmartCenter could only reside on one appliance. With the introduction of NGX R65 with Messaging Security, we also got SmartCenter High-Availability for free.

In our setup we assume that we have two appliances, one primary and one secondary. Setup both with the normal First Time Configuration Wizard.

Make sure to install the primary on as locally managed and primary cluster member.

The secondary appliance is also installed as locally managed but as secondary cluster member.

On the secondary appliance you also have to fill in a SIC secret to establish the communication later.

After completing the First Time Configuration Wizards on both appliances, connect with the SmartDashboard to the primary UTM-1 appliance.

Now the wizard for configuring the cluster pops up. When defining the secondary cluster member, fill in the SIC secret entered in the WebUI wizard.

Fill in all the details that reflect your cluster. Make sure to have at least one dedicated sync network.

Topology could look like this afterwards:

Now you can define rules, push the policy and make the cluster work. After that check the Management HA in the SmartDashboard:

This picture shows that both cluster members have a SmartCenter installed and are working in Management High-Availability mode.

That’s it for building an UTM-1 cluster with Management High Availability – also known as UTM-1 Full Cluster.

Tobias Lachmann

By now I don’t know why these limitations exist, but I would rate them as servere. Especially Office Mode is a must-have while working with Client-2-Site VPNs.

Pricing seems to be $140 for a 4GB Abra stick and $210 for a 8GB Abra stick. I’m not sure if we have to purchase an additional Endpoint Security license (container + VPN) when Abra is able to do Office mode, but I think so. That’s the way you have to license Endpoint Connect at the moment.

I will now play around with Abra a little bit and come back with more information in a couple of days.

Tobias Lachmann

UTM-1 270 mit GigabitEthernet-Uplink to the Internet and GigabitEthernet-Link to the internal network. 4 Servers mit GigabitEthernet as clients running HTTrack website copier in the internal network. I used HTTrack to download several website at the same time, creating a mixture of HTML, graphic, archives and executables content.

The UTM-1 270 was installed out-of-the box using the wizard. I activated VPN, SmartView Monitor and Antivirus in addition the moduls already activated as standard.

The rulebase had two rules, on allowing access to the systems from a management client outside the network and one rule for allowing access to the Internet for the servers. No NAT was used, no additional settings.

With NGX R65 with Messaging Security (HFA25) I had an average throughput of 1,026,474 Bytes / sec while running with 100% CPU load for a couple of minutes.

With NGX R65 with Messaging Security (HFA70) I had an average throughput of 1,094,563 Bytes / sec while running with 100% CPU load for a couple of minutes.

With R70 I had an average throughput of 1,647,257 Bytes / sec while running with 100% CPU load for a couple of minutes.

With R71 I had an average throughput of 1,999,611 Bytes / sec while running with 100% CPU load for a couple of minutes.

My test maybe not so accurate as the ones that Check Point is doing, but I thing the traffic blend reflects the behaviour of normal users really good.

And, having 2x the performance with Antivirus scanning on the same hardware is pretty impressive! The improvement really shows, how nice! I also recognized that R71 comes with a new AV engine with has the name KSS, maybe Kaspersky?

This is enough performance to use modern DSL lines or direct links completely, not only partial. So I would recommend this release to everyone who still uses content scanning on an UTM-1 appliance and has performance problems.

Tobias Lachmann

Here’s the baseline from what we know by now:

- 5x more firewall throughput than X-series appliances
- 5x more VPN throughput than X-Series appliances
- 7x more concurrent connections than X-series appliances
- GigabitEthernet-Ports instead of FastEthernet
- 3G connectivity build-in
- two flavours: 32 users and unlimited users, 8 users and 16 user only with X-series
- 4x more VPN tunnels (SA)
- unlimited Remote Access profiles
- 802.11b/b/n support (UTM-1 Edge NW)
- 802.11z wireless security support
- no build-in ADSL-modem available
- new 8.1 firmware for all models (not available by now on support pages)

The complete specification can be found here.

An UTM-1 Edge N32 is $200 more expensive as an old X32 and costs $1400 instead of $1200, same applies to the NU which is now $2200 instead of $2000 for XU.

If you take in consideration how much more power you can get, the $200 more are totally fine with me.

Will be interesting to see how the firmware developed from 8.0.42 to 8.1. Hopefully it’s available soon.

Tobias Lachmann

The use now SecureXL to accelerate connections and state that they now can deliver up to 4 time more firewall throughput and connection rate and up to 3 times more IPS throughput. Some limitations apply to SecureXL as described in the R70 Performance Optimization Guide so we have to see how this works with real life rulebases.

But the biggest change to me is the performance enhancement with Antivirus, where Check Point speaks of up to 15! times more throughput and up to 80 times more connection rate.

This is done by the new Stream Detection Mode. As you may remember from my previous post, AntiVirus suffered from the bad HDD performance on UTM-1 appliances, as every file had to be downloaded to the disc, scanned and then delivered to the client. Now the inspection is done as the traffic passes through the gateway and they do a pattern matching as far as I understood. Makes perfectly sense that this way of traffic inspection improves performance. Unclear is for me at the moment how compressed content is handled. I can’t see now other way than storing the archive to disc, uncompress it and then scan the content. Not sure how they handle this – on the fly seems unlikely.

Anyway, I will test this in the next days to get my own results and will check the processes and disc accesses while doing so, which will hopefully gives an explanation.

By the way: URL Filtering is handled differently, too. Now the connections are handled in the kernel space and no longer folded into the security server. This will improve performance and will change the way we can debug this blade.

If Check Point can keep the promises on performance while running R71 on UTM-1 appliances, I will be deeply impressed. Remember that the appliances are sold for some years now and have less powerful hardware, compared to standard OpenServers. Would be a great thing for all of us the protect the investment in the appliances!

Tobias Lachmann

If you work with NTP servers sync on SPLAT, you should also set the timezone to get correct date/time and daylight saving. Unfortunately, this can’t be done in the WebUI. So first configure your NTP servers in the WebUI. Then access the command line and execute sysconfig. Use option 4 to go to time settings and then option 1 for setting the time zone according to your location.

Verify that you got the correct time using the WebUI.

Tobias Lachmann

Tobias Lachmann

• First change to the directory $FWDIR/uf/sc/update/incoming.
• Delete all the files beginning with “sfcontrol”. The file “sfcontrol” itself is the database, all the others are differentials and status infos.
• Run cpstop and cpstart for a restart of the services that controll URL Filtering.
• Go to your SmartDashboard, change to the “Content Inspection” tab and click on “Update Databases Now”.

It will take awhile to download to whole database, but you can watch this process while checking the files and sizes in the directory.

While debugging URL Filtering in general, you may stumble over sk35196 which describes several procedures with the avsu_client command and optional parameters. Please note that Check Point changed the URL Filtering provider, I think with HFA50, from SurfControl to SecureComputing. This engine change comes together with a change in the parameters when you call avsu_client. The application name “URL Filtering” does not provide valid output when you use the SecureComputing engine, you have to use “URL Filtering2″ to get actual results from the installation.

avsu_client -app "URL Filtering" fetch
failed to fetch signature update
err_str=Failed. Message from module: "Server has no available updates".
info=
Local version is date

avsu_client -app "URL Filtering2" fetch
signature file up to date
err_str=Succeeded. Existing signature is up-to-date.
info=
Local version is date

Sadly just calling avsu_client gives no explanation about the changed parameters, it only lists “URL Filtering”.

Tobias Lachmann

I will test the upgrade from R70.30 to R71 today and get back to you with more feedback.

Tobias Lachmann

What has happened?

Well, he was openly speaking in the Check Point User Group (CPUG) forum about the new software blade licensing and what he liked and disliked about it. Instead of appreciating open feedback, Check Point got angry about this.

We had hard times selling the advantages of software blades to the customers and nearly no one bought the upgrade.
That’s why Check Point changed the cost for upgrades in the end, because of all the negative feedback.

So, what’s my point about this?

Like Shakespeare said: “Don’t shoot the messenger!”

Partners and also certified professionals are brand ambassadors for Check Point in front of the customers.

So maybe it’s a good idea to get their feedback before major changes are announced and involve them as soon as possible in the process of development.

As for me, I had some really good conversations with guys from product management and development. They asked me about my customers, how they use the products and what I can and cannot sell to the customers. About the necessity of certain features and so on. And I appreciate this and I think this is the absolutely right way.

But unfortunately, as events have shown, this is not the way Check Point is following with everybody…. sad.

Tobias Lachmann

PS: The make the picture complete: since upgrade to software blades is free and we have great new features with the R70.x versions, we can easily argue the upgrade to the customer.

There we have a nice list of possible error messages together with a short explanation why this error occured.

I’m missing hints on how to resolve the issue or to a related sk. But all in all a very usefull article you should bookmark for further reference.

Tobias Lachmann

By now I got some inside info about the name, very funny. Abra was the original code name for this project. The final product should stick with the naming convention and be a “something-1″. So it came to USB-1. This was decided by a high level authority within Check Point, so the name was brought into the GUIs. But after a while they discovered that Abra was the better name to place the product in the market and so it was allowed to stay. But at this time, it was to late to change the GUIs as they were delivered with HFA of R70.

Will be interesting to see how the market reacts to Abra, but I would predict good feedback for this product. Better and easier as setting up notebooks and vpn clients for users or external contractors, just give them a stick and there they go.

Only the import/export feature could be better. In my opinion the stick should act transparent on a PC with Endpoint Security Media Encryption installed, as normal USB sticks do. So in the company transfer data to Abra and work on them later at home. And if you loose the stick, everything is still encrypted.

I’m curious how the product will evolve but I’m expecting more good things to come.

Tobias Lachmann

So, why did I choose this headline? Why asking the question, when not to use UTM-1 appliances?

Well, Check Point promoted Messaging Security at the beginning, later one the Total Security Package which offered Antispan, Antivirus and URL-Filtering. The idea to have all this functions together on one gateway that has to deal with the network traffic anyway sounded smart. And it is, believe me. What was not smart was to ability to use these functions on every gateway… which customers did.
The UTM-1 270 for example has a Celeron M 60 MHz CPU in it, together with only 1 GB of RAM. The 570 series has a Celeron M with 1.5 GHz CPU and also 1 GB RAM. Could you really believe that this hardware is capable of dealing with Firewall rules, VPN, SmartCenter functions and all the Content Inspection at once? Turns out they can’t. We’ve seen enormous CPU loads in the field, together with tremendous utilisation of I/O. The installation of a policy nearly took down the systems and users experienced connection loss from that. The reason for the later seems to be that at the beginning Check Point started to many instances of the security servers for the scanning. This was fixed in a HFA and is actually no longer existing. But the bad I/O performance still remains. Well, every intercepted download has to be writen to the harddrive and scanned. If it’s compressed, it had to be uncompressed before scanning. This creates high load for sure.

Even the bigger UTM-1 2050 appliances had only a Pentium 4 mit 3.4 GHz and 2 GB of RAM in it. More powerful, true. But not really enough power anyway. And I/O still sucked.

Ok, let’s get back to the initial question. When should I use an UTM-1 appliance?

I think that these appliances do their best job purely as Firewall and/or VPN gateway. We like to use them in dedicated customer environments like Web Shops our web server housings. Depending on customers need and prerequisits you can deploy the appliances a single gateway or HA-cluster. Managed by a bigger SmartCenter or self-managed, together with Management HA.

When should I not use an UTM-1 appliance?

In case you want to use content inspection, stick with a software license and run it on an OpenServer. There you can increase the memory and use dual-core CPUs. You can get better harddisc performance with specialised controllers and maybe just add more discs and have a RAID 0. Since they introduced the new Multi-Core licensing where you pay for the amount of CPUs you want to use, this is getting really affordable. The SG203-U license togehter with the desired content inspection blades is the best combination, even for demanding environments.

Oh, I forgot one thing: when you buy an UTM-1 appliance, you have to stick with the number of network interface. On an OpenServer, just add additional network cards as needed until all slots are filled. Even GE or 10GE is no big deal.

So, the use of an UTM-1 appliance depends on the scenario where you want to deploy it. Carefully think about it and then choose your solution. Have in mind that an appliance may be cheaper thaen software plus OpenServer hardware. But if your users complain about the performance, handling only a few service calls can eat up the safings from an appliance.

Finally I want to mention some things that are unique to the UTM-1 appliances and that you loose when choosing SPLAT on OpenServer. First the image management, which is quite good. Easy to use and perfect for rollback operations after major changes in your environment. Second the ability to crash recover an appliance through the front panel and the use of a prepared USB stick to deploy the initial configuration. Very cool feature for remote locations.

Hopefully we’ll see performance improvements with upcoming GAIA even on single core machines through new code, so that we can use the UTM-1 appliances with all features again. Wait and see..

Tobias Lachmann

Basically it’s an extension of the gateways capability to intercept and scan emails, http and ftp traffic and react to the content found. Works kinda like the antivirus scanning that we know for some time now. So it’s transparent to the users and the mail/web servers that are part of the communication.

The administrator defines a policy for his content and the direction where it is send. For example you can block mails to recipients outside your organisation if an attachment to that mail derives from a template which is used for confidential content. Or the attachment or the mail itself contains some keywords that are suspicios if they are used too many times. Because of the predefined data-types, Check Point speaks of 250 by now, I found it very easy to be going with this in a short period of time.

The action for the rules can be just logging, prevention of sending the content or asking the user what to do. As always, Check Point has a client for Windows operating systems only by now. This clients notifies the user with a popup that something has been blocked. The user can decide to send it anyway, discard or review the incident. Also it can be configured that the user has to type a justification for sending, if the mail is caught by the policy at first.

If you’re not using a resident client on your machine, an email notification is the second way to notify the user. The email informs you and is offering links where you can click. The links points to an application on the gateway, reachable over a webserver. Depending on your decision, the content is released or held back. As an alternative you can reply to this notification email and add keywords to the subject. The gateway will see this keyword when the mail goes through it and follow your decision.

All in all I find this solution easy to configure and implement. But to be sure we have to wait until GA of DLP. Interesting will be, how good the custom configuration of data types and rules will be. DLP has the possibility to create own types by using regular expressions. But as you might know, working with RE can be a pain in the ass.

So, in what flavors is this DLP solution offered? Well, we have two appliances, DLP-1 2571 and DLP-1 9571. The smaller one states that it can process 70.000 messages per hour and has a througput of 700 MBit/s. The bigger one 350.000 messages ans 2.5 GBit/s. As this are marketing numbers, we should cut them in half – at least. To be sure, we should assume only 1/4 the capacity stated, judging by the experience with UTM-1 appliances and Messaging Security in the past. The smaller appliances has a price of $14990 for the first year and $7000 for the following years, the bigger $49990 for the first and $12000 for the following years.

Or you have your DLP solution on your normal perimeter gateway, which I find more useful. We have three blades, CPSB-DLP-500, CPSB-DLP1500 and CPSB-DLP-U. The last part stands for the number of recommended users, but I’m not sure if there’s some kind of enforcement like with ip addresses at the gateway blades. We’ll have to wait for licensing info on that topic. The 500 user blade is $3000, the 1500-blade is $7000 and unlimited users come for $12000. The DLP is a service blade, so the numbers are per year.

If someone want’s to use this, and I bet many companies will, I think that the best solution is to buy a software blade container together with the DLP-blade and run it on an OpenServer under SPLAT. SPLAT is the only supported platform by the way. The server is about $4000 for a HP DL360, IBM 3350 M2 or similar, $12500 for a 4 core container and $3000-$12000 for the desired blade. For the first year this is starting at $19500 and $5250 for the following years. The advantage that I see in contrast to the appliances is more performance through cores, memory and hard discs. Especially hard dics performance was the bottleneck that we saw on most appliances running other content inspection software like Messaging Security etc.

So, what’s the bottom line:
First of all, I’m excited and think this is a good product. Unlike other new releases like SmartProvisioning, SmartWorkflow etc. I think this solution is ready to be used from the start. And second I’m curios how customers will use this solution. I think we can expect some demanding requirements for rules we havn’t even thought of by now

Start checking out DLP here or in the pricelist.

As soon as I get this to work in an live environment, I will post my findings!

Tobias Lachmann

the new R70.30 is available. See the release notes here
All in all some minor fixes. The biggest point is the possibility to use sub-CAs for SSL-VPN, which was not possible in the past.

Other improvements include Windows 7 support for SmartWorkflow and some Non-English regional formats for map visualization.

Tobias Lachmann

I’m back from my parental leave, which lasted till the end of March. During that period, I spend all the time with my son but no time with this blog.

Now I’m back at work and I see interesting things everyday that give me inspirations for articles, so expect new content soon.

What also happended is that I gained the CCSE R70 certification for contributing to the new CCSE exam. Thanks Ken Finley, this is greatley appreciated! Now I’m done with re-certification until CCSE+ comes out.

Bye for now

Tobias Lachmann

What it does is the mapping from IP addresses to countries over a database (not sure yet which database CP bought) and then block connections by countries.

You can block connections TO or FROM a specific country and you can also define exceptions for that rules, like with other IPS protections. The actual policy of blocking/allowing is displayed in a world map overview and gives an easy overview.

When traffic is examined and blocked by Geo Protection, we get nice logs entries in SmartView Tracker.

This feature is also good for logging, as you can just accept any traffic but log the connections and determine this way, what countries access the resources behind the firewall or were your users get their webpages from.

Only catch here is licensing: this only works with R70.20 SmartCenter und Gateways which have both proper R70 Software Blade licensing. But hey, it’s free of charge and some sort of bonus to those who converted their licenses already

I hope they put more features into Geo Protection or link it to normal IPS protections and/or the rulebase. Cool scenarios we can think of….

Tobias Lachmann

Jan 15 13:44:08 fw1 kernel: Neighbour table overflow.

This refers to the ARP cache a.k.a. Neighbour table.

If you’re running a gateway with lot’s of interfaces or big subnets, you might see many nodes over Layer-2, so communication to them fills your ARP table and sometimes overflows it, which can lead to connectivity errors.

The ARP cache table has a maximum size, which can be displayed with cat /proc/sys/net/ipv4/neigh/default/gc_thresh3.
You can verify the actual amount of ARP entries either with arp -an | wc -l or with ip neighbor show |wc -l. Proxy ARP entries are only displayed when using the arp command.

Periodically and automatically the entries in the ARP cache are verified. At a specified interval, a garbage collector is running and removes entries that are no longer used. The interval can be verified with cat /proc/sys/net/ipv4/neigh/default/gc_interval, by default it’s 30 seconds.

The garbage collector is controlled by three variables:
gc_thresh1, which is the minimum number of entries in the ARP cache. If the actual number of entries are below this value, the garbage collector will not run.

gc_thresh2, which is the soft maximum number of entries. If the actual number of entries is above this value for more than 5 seconds, the garbage collector will run.

gc_thresh3, which is the hard maximum number of entries. If the actual number of entries is above this value, the garbage collector with immediately run.

gc_thresh3 is also the maximum value of ARP entries that can be kept in the table.

The default values are quite low, so you might want to increase them.

You can do this on the fly with the following CLI commands:

sysctl -w net.ipv4.neigh.default.gc_thresh3=4096
sysctl -w net.ipv4.neigh.default.gc_thresh2=2048
sysctl -w net.ipv4.neigh.default.gc_thresh1=1024

This does not survice a reboot.

To survive a reboot, add this lines in the /etc/sysctl.conf file

net.ipv4.neigh.default.gc_thresh3 = 4096
net.ipv4.neigh.default.gc_thresh2 = 2048
net.ipv4.neigh.default.gc_thresh1 = 1024

Afterwards run the command sysctl -p for the changes to take effect and then reboot.

Tobias Lachmann

Fix for this was to disable the scheduled backup on the command line with backup -e off.
Then I was able to edit all the settings through the WebUI again and backup is working now.

This seems to be an error in R70.20, because we had another customer with this error who upgraded from R70.1 to R70.20 and it was working with R70.1

Tobias Lachmann

Judging by the settings, this USB-1 is the SecureWorkspace/VPN-Client that comes on a secured USB stick and enables you to connect securely to your company without the need to install software on a client computer.

Will be interessting to see when this is officially released and what the feature set will look like.

Tobias Lachmann

Normally SIC certificates are automatically renewd 15 month before expiration.To determine if you have a problem that needs to be fixed, verify the expiration date of your SIC certificates and follow the procedure in the sk43744.

Please note that the command line cpca_client lscert -stat Valid -kind SIC is not a valid alternative, as it produces an ouput with wrong dates, so you have to use the ICA web.

Tobias Lachmann

After configuration, a table with the association of IP and user name is held on the SmartCenter and this information, if available, is displayed in the log entries on SmartView Tracker.

Configuration is done an SmartCenter object -> Logs and Masters -> Identity Logging. Only a few things to fill in.

It’s easy, but I would have expected to find an LDAP accounting unit here, like you configure AD servers within SmartDirectory.
Just for using Identity Logging, this is easy to implement. When you have already a SmartDirectory configuration, you’re doing the job twice.

This feature is only available with R70.20 on a SmartCenter which works with Software Blade licenses. A little incentive for those who changed to the new licenses

Tobias Lachmann

This error was reported to Check Point and is acknowledged. They will fix it in the next days and publish new Upgrade calculator and Upgrade matrix.

No big deal really, as you always get CoreXL accelleration with R70. SecureXL might no be necessary for most users, taking the aspect of performance.

Tobias Lachmann

Just run /usr/sbin/dmidecode | grep "Product Name"

Sample output:

[Expert@xxx-fw1]# /usr/sbin/dmidecode | grep "Product Name"
Product Name: U-30-00
Product Name:

[Expert@yyy-cp1]# /usr/sbin/dmidecode | grep "Product Name"
Product Name: C6P_UTM
Product Name: NSA-1086

Here are the translation for the information under the field Product Name:

• P-20-00 -> Power-1 9070 Appliance
• P-10-00 -> Power-1 5070 Appliance
• U-40-00 -> UTM-1 3070 Appliance
• U-30-00 -> UTM-1 2070 Appliance
• U-20-00 -> UTM-1 1070 Appliance
• U-15-00 -> UTM-1 570 Appliance
• U-10-00 -> UTM-1 270 Appliance
• U-5-00 -> UTM-1 130 Appliance
• C6P_UTM -> UTM-1 2050 Appliance
• C6_UTM -> UTM-1 1050 Appliance
• C2_UTM -> UTM-1 450 Appliance

Tobias Lachmann

I also had a couple a phone calls with developers and product managers in the past month, were they wanted me to share my experience with specific products and also my opinion about new products and recent changes with them.

So you can really say: Check Point is listening!

I’m really glad they’re doing this and I think this is the right way to be more sucessful – side by side with the partners and customers, listening to their needs.

Check Point: keep on with the good work!

Tobias Lachmann

When you install SecurePlatform, all partitions have fixed sizes except for /var which gets the remaining free space after the creation of the other partitions. Because logs are stored in /var/opt/CPsuite-R70/fw1/log, there’s rarely trouble with disc space.

The UTM-1 appliance work different as they use the Logical Volume Manager (LVM) for handling the partitions. The LVM is assigning the hard disc space to the partitions and allows resizing of partitions.

However, the filesystem is untouched when you resize a partition. So following sk33179 doesn’t give you additional space for your logs.

To achieve this goal you first have to resize the partitions:

1. View the name of the log partition with lvdisplay, most likely, this name is /dev/vg_splat/lv_log.
2. Then resize with
   lvresize -L 30GB /dev/vg_splat/lv_log.
   In this example the partition is resized to 30GB.

Reboot the appliance with serial console attached. Access the boot menu by pressing a key when prompted and boot into maintenance mode.

Then execute this commands:

umount /dev/mapper/vg_splat-lv_log
e2fsck -f /dev/mapper/vg_splat-lv_log
resize2fs /dev/mapper/vg_splat-lv_log

This modifies the filesystem and brings it to the new partition size.
Reboot the appliance afterwards and verify with the df -h command that you accomplished the resizing of partition and filesystem correctly.

Tobias Lachmann

Tobias Lachmann

Now he wants to manage more sites and brought up the question, if he can use a SmartCenter unlimited license he already owns. Just purchasing normal support for SCT-U is cheaper than buying an SXA license and the needed support for this license.

I don’t know if Check Point license policy is allowing that use, but from a technical point of view we can verify if this works.
For that reason, we have to take a look inside the cp.macro file. This file has all the definitions of features and licenses.
On SecurePlatform, you find this file under /var/opt/CPshrd-R70/conf/cp.macro

If we look in the license for an UTM-1 2070, we find these two strings: CPMP-UAPP-1-NGX CPXP-SXA-2-NGX
The first is for the appliance itself, the second is the management extension for two additional sites.

Let’s break down the first one:
For CPMP-UAPP-1-NGX, we have the following relevant entry:
MACRO ::CPMP-UAPP-1-NGX CPMP-UAPP-module-base-NGX CPMP-UAPP-management-base-NGX CPVP-UAPP-1-NGX

That means that actually the string is a macro itself and consists of CPMP-UAPP-module-base-NGX, CPMP-UAPP-management-base-NGX and CPVP-UAPP-1-NGX.

Let’s focus on CPMP-UAPP-management-base-NGX:
cp.macro has this definition for it:
MACRO ::CPMP-UAPP-management-base-NGX CPMP-SCT-1-NGX CPFW-AM-U-NGX CPMP-HA-MGMT-NGX CPMP-SMPO-NGX CPMP-EVRX-U-NGX

So this is another macro for the SmartCenter (CPMP-SCT-1), SmartDirectory (CPFW-AM-U), Management-HA (CPMP-HA-MGMT), SmartPortal (CPMP-SMPO) and Eventia Reporter (CPMP-EVRX-U).

We go for the SmartCenter part:
MACRO ::CPMP-SCT-1-NGX CPMP-EMC-1-NGX

Again a macro, so we need to investigate CPMP-EMC-1-NGX:
MACRO ::CPMP-EMC-1-NGX fw1:6.0:lcontrol fw1:6.0:vpnmgmt fw1:6.0:vpnstrong fw1:6.0:remote1 fw1:6.0:cluster-u

Now we’re close to the final answers

The macro fw1:6.0:lcontrol has this definitions:
MACRO fw1:6.0:lcontrol mgmtcore fwmgmt cpui qosmgmt cmpmgmt dbvr_unlimit cluster-u
This breaks down to:

MACRO fw1:6.0:mgmtcore cmd
+--#DESCRIPT#fw1:6.0:cmd#Saving a file from the log viewer

cluster-u
+--#DESCRIPT#fw1:6.0:cluster-u#Unlimited number of clusters for HA

Finally, we have found out the management related features hidden in the license:

Policy User Interface
FireWall-1 Log Viewer
Saving a file from the log viewer
System Status User Interface
RTM User Interface
INSPECT code generation
INSPECT compiler
Policy Versioning
Compression management
Unlimited number of clusters for HA

But it is not said, how many sites can be managed.
This information is in the last “big” macro CPMP-EMC-1-NGX, coded in
fw1:6.0:remote1
#DESCRIPT#fw1:6.0:remote#Allows remote management

So you can manage one site with this license, e.g. the UTM-1 appliance can manage itself.
But the UTM-1 2070 comes with a 3 managed sites license.

This is defined in the CPXP-SXA-2-NGX addition to the UTM-1 license:
MACRO ::CPXP-SXA-2-NGX fw1:6.0:remote2 fw1:6.0:cpxmgmt
#DESCRIPT#CPXP-SXA-2-NGX#SmartCenter Extension for 2 additional sites; version: NGX; 3DES

We have remote1 and remote2, which comes to the count of 3 managed sites.

So, back to the initial question: can we use a SCT-U license for extending the managed sites of an UTM-1?

MACRO ::CPMP-SCT-U-NGX CPMP-EMC-U-NGX
#DESCRIPT#CPMP-SCT-U-NGX#SmartCenter for an unlimited number of gateways;version: NGX; 3DES

Again, look into the next macro CPMP-EMC-U-NGX

MACRO ::CPMP-EMC-U-NGX fw1:6.0:controlx fw1:6.0:vpnstrong
#DESCRIPT#CPMP-EMC-U-NGX#Enterprise Management Console for an unlimited number of gateways; version: NGX; 3DES

From there we go into fw1:6.0:controlx:

MACRO fw1:6.0:controlx control vpnmgmt

And further onto control:

MACRO fw1:6.0:control remote lcontrol

We know the “lcontrol” macro from our investigation before, also the “remote” keyword.

#DESCRIPT#fw1:6.0:remote#Allows remote management
As “remote” comes without any number, this means unlimited management.

To answer the question we began with: YES, you can use an unlimited SmartCenter license as an extension of the management capabilities of an UTM-1 appliance.
From a technial point of view.

I will open a call with Check Point to make sure that this is actually permitted within the license regulations.

As you can see, licensing within Check Point products is complicated through the use of so many macros, but in the end it comes to a limited number of features that are encoded in the licenses.

If you will, you can chase down also the new Software Blade licenses with this scheme to see, what is actually enforced.

Tobias Lachmann

UPDATE: Check Point just confirmed that the use of a SmartCenter license on a UTM-1 appliance is not permitted to extend the amount of managed sites. You have to stick with the SXA extensions or build up a separate SmartCenter.

SecurePlatform
Image Management / Snapshots
Well, we have Gaia coming sooner or later. What I really would like to see in there is the Image Management of the UTM-1 Appliances. Better to handle as Snapshots for most tasks. A really great evolution would be a combination of both. Being able to create and store images locally, as well as taking snaphots/images and storing them over the net using SSH.
Could make data recovery even more easy.
Why not add a dialog during SPLAT installation, where you can choose to use Image Management with LVM or stay with the old partitioning. If Image Management is chosen, you should decide for yourself, how the space should be divided between /var and the image partition.

Time and Date settings
Why can I set NTP parameters together with the GMT in the WebUI, but need to go to the CLI to set time zone?
This should also appear in the WebUI.

Administrator Accounts
I’d like to choose on creation which shell the accounts should use (bash or cpshell) and what the idle timeout of a session should be. Also the ability to scp something to the box using this account should be an option to enable here.

SNMP
The SNMP settings should be configured using the WebUI. Also I’d like to have a download link to the current MIB on the box.

SmartConsole
Adding objects
The new icon with the “+” sign on each cell is very helpful for quick-adding of objects. I’d like to have the opportunity to add a new object, too

Window resizing
Some dialog boxes can’t be resized. Normally these fixed size dialog boxes have too much content and you must use scroll bars to see the content. Examples: Global Properties, Firewall object page, network object page. All windows should be resizable.

Gateway Topology
I have to maintain a gateway cluster with more then 150 interfaces. Whenever I need to make a change to the interface configuration, I have to scroll to the entire list to find the right entry, since the list is unsorted. Not funny.
I’d like to have the ability to sort the list by clicking on the column header.

Troubleshooting
InfoView
We really need a more up to date and stable version of InfoView. Normally I need to try 2-3 times before I can open a cpinfo file because the tool crashes. As far as I known it’s not maintained any longer, but all support partner really need this!

Endpoint Security
SecureClient / Endpoint Connect
Endpoint Connect should be the successor of SecureClient, but it isn’t really. EC lacks the personal firewall feature. For most SME customers the old SecureClient Desktop Policy feature was all they needed. Check Point should understand that Endpoint Security is not the answer to all demands.

Licensing
Check Point does not offer a maintained, up to date VPN client without any costs. For using Endpoint Connect, a Endpoint Security Secure Access license is necessary if you want to use OfficeMode.
Like Cisco, also Check Point should give away a full blown VPN-Client for free!

OS support
Parts of Endpoint Security run on Windows 7? Congratulations. But why do we still have to struggle with VPN clients for MacOS or Linux? Why do we have to use an actual OS like Snow Leopard with a very, very old VPN client like SecureClient?
I think that before integrating new features into Endpoint Security and all other products that have to be installed on clients, you should make sure that you have support for all common OS. Windows XP, Vista, 7 as well as MacOS 10.4, 10.5 and 10.6. Also a client for Linux (Debian, RedHat/CentOS, Ubuntu) should be available.

Version numbering
I nearly lost it with the Endpoint Security version numbers, since it’s not any longer corresponding to the other products. Keep the version numbering more simple.

That’s it for now, but for sure I will extend my wish list in the next days… so much things CP needs to take care of.

Happy XMAS, everybody.

Tobias Lachmann

Ok, what happened? In the User Center I found a container and some blades. I checked the container and licensed it by assigning an IP address to the container. Then I attached the blades to the container. Afterwards I clicked on “Get license” and had my license file. I also got my contract file, too.

Then the nightmare happened when I installed the license to the customer system during our installation. Nothing worked! And by saying “nothing”, I mean “nothing”. Not even firewall was working! A total disaster, we had to rollback the whole stuff.

After spending 3 days with Support and Account Services from Check Point we found the error: through my procedure I had just licensed a container, without any blades. Attaching blade to a container and issuing “Get license” does nothing to the license. You have to attach the blades to the container and then license the whole package. Only this creates an valid license.

At the moment I haven’t made up my mind completely. Was it my fault? Am I to stupid to understand how to produce a correct license? Or is the User Center just working unexpected?

By the way: Total Security licenses are a total mess, too. We had several cases were (using NGX licenses) the AntiSpam, AntiVirus or URL Filtering module stopped working or updating because of license issues. The sad part is here, that all customers bought proper licenses and the User Center displayed all items correctly.

I really wish they will fix that….

Tobias Lachmann

Check out the What’s new page, the Release Notes, the Known Limitations and the Resolved Issues.

R70.20 is like the HFA60 for NGX R65 from the bugfixing side plus some added features.
Highly recommended for installation.

Tobias Lachmann

Tobias Lachmann

The R70 exam is under NDA restriction, so I can’t go into detail or tell you about specific question.

But some general things can be said:

- we now have a tough time frame – 130 questions in 120 minutes!
- the questions are now more detailed and have good pictures which help a lot; but the scenarios are more complex
- you actually have real live questions which occur in the daily work
- all topics from the course are covered and you have to know more details about the product and general security methods
- it’s not like to old CCSA exam, it’s more like the CCSE actually

Sadly, some things haven’t changed:

- still questions that can’t be answered correctly
- questions with two! answers that have the same text -> which one will be judged as correct?
- answers like “1,2 and 4 are correct” -> here I found that no answer had the number X in it, which is also correct; kind of misleading
- lot’s of questions that need to be re-phrased to make sense; especially for non-native speakers some of them are very hard to understand

I took the exam without practicing and passed. But this is truly not recommended! At least you should buy the student handbook from the training courses to know all the topics. Remember, the course has now 5 days instead of the 2 it had before.

Will be interesting to see, how the CCSE goes.
I submitted some questions for this exam to Check Point. If I’m lucky, they will accept some of this questions. The promised reward was gaining the CCSE R70 certification.
If this works, I’m of the hook

Tobias Lachmann

Judging by the features that are shown on the project page, it will be based on Linux / SPLAT and many features of the Nokia Voyager will the transfered to the WebUI.
I was able to get some rumours from Check Point, that acknowledge this guess.

At the moment there’s no code available for customers or partners, but I’ll keep you posted as things develop in the next month.

Tobias Lachmann

I thing this is very cool indeed and everyone should considering visiting one of the events, either in Atlanta, New York City or Chicago.

Find more details on the conference website: CPUG On Tour

Tobias Lachmann

PS: Barry, thanks for having my picture on the frontpage. I like the caption of the photo

Check Point provided me with a new R70.1 upgrade package which I will test in the next days. Sadly, the updated package hasn’t made it to the download page so far, there you can still get the old -buggy- version.

Hopefully they re-relase this upgrade package soon.

If they don’t and you experience problems while upgrading, please ask support for the fix and refer to SR 11-72334871.

UPDATE: Check Point released a SecureKnowledge article for this issue: sk43340

UPDATE 2: Today I spoke to the support guys again. I convinced them that this fix is interesting for everybody with a UTM-1 installation and HFA50 out there, which are quite a lot people, I guess. Now they’re thinking about changing the SK entry and adding a direct download link to the fixed packet.

UPDATE 3: Support will release a new article for this issue including the download links: sk43350. At the moment the sk is not publicly available

Tobias Lachmann

Tobias Lachmann

Tobias Lachmann

This article states that in SPLAT there’s a recursive soft link (/opt/CPsuite-R65/fw1/PA/conf/PA/PA) after installing two of the following HFAs to the machine: HFA30, HFA40 or HFA50.

When upgrading to R70, this softlink causes the error leading the software to become instable.
The solution is to delete the link before upgrading to R70 (rm -f /opt/CPsuite-R65/fw1/PA/conf/PA/PA).

Please have that in mind when you plan to upgrade to R70.

Tobias Lachmann

Check Point just confirmed this and stated, that some rpm packages are not updated which produces the error.
When you upgrade directly from NGX R65 with Messaging Security, the error is not occuring.

We’ll see what the solution from the developers for this problem will be. Since this is a general problem, I hope for new upgrade packages instead of some fixes to be applied afterwards. Seems cleaner to me….

I keep you informed

Tobias Lachmann

The output is very nice, shows the reason for the drop and can easily be filtered with the grep command for IP addresses:

fw_log_drop: Packet proto=17 10.255.253.21:20031 -> 10.255.253.255:20031 dropped by fw_antispoof_log Reason: Address spoofing

fw_log_drop: Packet proto=6 192.243.119.238:80 -> 91.96.46.174:49543 dropped by fw_first_packet_state_checks Reason: First packet isn't SYN

Since this is realtime debug output, you need to have live traffic through the firewall to see if a packet is dropped. When you try to investigate the reason for a drop of an older connection, you have to go the SmartView Tracker.

Tobias Lachmann

There’s an easy way to solve this problem. Just issue the command set port adsl auto-sra mode disable on the CLI or over the WebUI following Setup->Tools->Command.

BTW: after updating the DSL firmware, it is recommended to totally disconnect the appliance from power instead of just rebooting.

Tobias Lachmann

If you use the CPshell as login shell, the command is

IDLE 999

When you are in expert mode or changed the login shell to bash, the command is

UNSET TMOUT

The first command sets the timeout to 999 seconds, the second one disables the timeout.

Tobias Lachmann

The firewall has a limit for it’s maximum concurrent connections. This is necessary to limit the amount of memory allocated.

But if you reach the limit, the firewall stops to accept new connections. You may experience this as a partial loss of connectivity.

To check the number of actual connections and the peak value, run fw tab -t connections -s on the command line

[Expert@fw1]# fw tab -t connections -s
HOST NAME ID #VALS #PEAK #SLINKS
localhost connections 8158 108437 166360 378754

The memory allocation and use of connections can also be shown with fw ctl pstat.

[Expert@fw1]# fw ctl pstat

Machine Capacity Summary:
Memory used: 12% (203MB out of 1604MB) - below low watermark
Concurrent Connections: 15% (79242 out of 499900) - below low watermark
Aggressive Aging is not active

If your concurrent connections are near the limit, you can increase the number using the SmartDashboard. Just edit the properties of the gateway object under capacity optimization and set a higher value. Please note that the memory allocation will also increase when you change something here, so make sure you’ve got enough free memory.

Tobias Lachmann

I bought a used Huawei E220 from eBay and connected it the the box.

Then you go to the WebUI and choose Network -> Ports. There you can see that a USB device is connected to the UTM-1 Edge Appliance.

Click on Edit.

Now you can verify that the modem is recognized.

Click on Edit again to get to the properties of the USB modem.

Choose the right modem type from the Drop-Down menu. A list of all supported modem can be found here.

The APN is specific for the telecom provider you’re using, in this example it’s Deutsche Telekom T-D1 and the value is “internet.t-d1.de”

The PIN is specific for the SIM card that you’re using.

After applying the settings to the USB modem, you configure the device as primary Internet Connection.

The username for T-D1 is “t-d1″.

The password is also “t-d1″.

The number to be dialed is *99#

After a few seconds the box has logged into the internet through the USB modem and you can use the connection like any other internet access.

I find this very useful, for example for temporay access on an exhibition or for home users where no DSL is available.

Since it includes many fixed issues, it should be considered worth installing.

Tobias Lachmann

I had same articles about Check Point topics in this magazine, written in german:

• SecurePlattform auf der Kommandzeile
• Check Point Firewall Troubleshooting

Really basic stuff, actually, but worth noticing.

I’ve you’re into Solaris or MySQL, check out the “Admin Tipps & Tricks” in the other issues of the magazine. Usually they’re located on the last pages. Use the link above to access current and older magazines.

Tobias Lachmann

I expected this HFA earlier, but for some reasons the deployment was postponed again

Tobias Lachmann

With R70.1 the new feature of hardware monitoring for appliances was introduced. The was missing for so long and I’m glad is had been build into the WebUI now. But unfortunately this is only working when you do a completely new installation.

When you upgrade a NXG R65 installation on a UTM-1 to R70 and then onwards to R70.1 some files get corrupted.

Support is currently working on this, I’ll keep you posted.

Tobias Lachmann

The first presentation is purely for beginners:  Troubleshooting in the Check Point environment, Part I

The second one, which was more liked by the crowd at CPUGCON, is really advanced troubleshooting: Troubleshooting in the Check Point environment, Part II

I benefit from my daily work with a Check Point Collaborative Support Provider (CCSP) for these two presentations, as they reflect the things I’m constantly facing.

From the project side, I did lot’s of migrations from distributed Check Point installations to Check Point UTM-1 Full-Cluster. This means that the firewall / vpn part is working in active/standby cluster and we have also Management High Availability with the two SmartCenters. This is described in the presentation: Migration from a Distributed Environment to a UTM-1 Cluster

Best regards

Tobias Lachmann

After spending more than 8 years working with Check Point products, I thought it may be a good idea to let the world know my findings from time to time.

Becoming an expert means making errors and trying out things… but who says that two persons need to make the same (bad) experience? Maybe someone can just read this blog and find the solution he’s looking for….

For more information about myself, check out the speakers page on CPUGCON website.

Tobias Lachmann

Me at Check Point User Group Conference 2009