Showing posts with label Checkpoint. Show all posts

Monday, April 17, 2017

Check Point Firewall Memory Issue

During a regular firewall health check, I found that one Check Point firewall cluster had abnormal virtual memory usage in the System Counters - System History view. The cluster is a 5600 Security Appliance.

It looks like the memory usage has been going up significantly recently. There have been no recent changes to hardware, software or configuration except normal firewall changes. I am afraid the Check Point gateway will freeze after this counter reaches a certain high number, based on some SKs such as sk66482 and sk110362.

sk35496 has a bunch of methods to detect memory leaks. In my case, the fix was simple: I just installed the latest Jumbo Hotfix 205 for R77.30.

Tuesday, February 21, 2017

Check Point VPN Troubleshooting - IKEView Examples

Recently I went through the Check Point VPN troubleshooting process with the IKEView tool. To download the IKEView tool, please click here or use the Support Center download link.

The IKEView utility is a Check Point tool created to assist in analysis of the ike.elg (IKEv1) and ikev2.xmll (IKEv2 - supported in R71 and above) files. The ike.elg and ikev2.xmll files are useful for debugging Site-to-Site VPN and Check Point Remote Access Client encryption failures.

Saturday, January 21, 2017

Basic Check Point Gaia CLI Commands and Installation Videos (Tips and Tricks)

This post summarises some basic but useful CLI commands for your daily working reference, especially for those who are just starting to configure Check Point Gaia products.

For some advanced usage, please check another post  "Advanced Checkpoint Gaia CLI Commands (Tips and Tricks)"  in this blog

1. show version all

FW-CP1>show version all
Product version Check Point Gaia R77.20
OS build 124
OS kernel version 2.6.18-92cp
OS edition 32-bit

Sunday, December 4, 2016

Check Point Appliance Visio Stencils for Downloading

Check Point has released stencils for their new products for public download. You do not need a Check Point account to download them. The file does not include some old models. The following appliances are included in this 3M file:

  • 2200
  • 3200
  • 4000
  • 5000
  • 12000
  • 13000
  • 15000
  • 21000
  • 23000
  • 41000-61000
  • Accessories
  • SandBlast
  • Smart-1

Check Point SK Link sk101866.
Here is Download Link from Check Point Website:

Monday, October 24, 2016

Check Point Firewall USB Installation Step by Step (R77.20 and R77.30)

A customer asked for a fresh installation on their UTM 272 devices, and apparently a USB stick or USB CD-ROM is the best solution. Check Point sk65205 explains all the steps in great detail. I followed the Check Point instructions but still ran into a problem while using the USB stick. Here are all the steps I worked through.

1. Preparing USB Stick

I am using a Kingston Traveller G3 8G USB stick, which is shown as supported in Check Point sk92423 (Which USB flash keys work with ISOmorphic Tool).

2. Use ISOMorphic to make a R77.20 bootable USB Stick.

Sunday, October 2, 2016

Check Point 5000 Appliance

I recently received two Check Point 5600 appliances which have R77.30 pre-installed. I have racked them in the data center. Both will be used as a cluster to replace existing Check Point UTM devices. Each comes with one Sync port, one Mgmt port and eight 10/100/1000Base-T ports. Here is a picture taken after the console, Mgmt and Sync ports were connected.

Check Point 5600 Appliance

Check Point 5600 Appliance Cluster

Monday, September 19, 2016

Increasing Check Point Management Server Log Volume Size

Check Point Gaia LVM
Our Check Point Management Server has been migrated to the Virtual Edition platform, which is running on a Citrix Xen server. Originally only a 100GB hard drive was set up for testing.

After it had been running stably for a couple of days, I decided to enlarge the log space since 50G of logging is definitely not enough.

My old 2014 post "Resize Checkpoint Firewall's Disk/Partition Space (Gaia and Splat Platform)" has some details on enlarging the Logical Volume size using existing free space that is supposed to be used for snapshots. This post focuses on how to add a new disk to your system and enlarge your log logical volume.

Here are all the steps related to this task. These steps also apply to a VMware environment.

Saturday, July 16, 2016

Check Point 1100 Appliance Configuration Step by Step

Check Point 1100
A couple of months ago, I received a Check Point 600 Appliance and did a post regarding basic configuration for the 600. It replaces the Save@Office models and cannot be managed centrally by a Check Point SmartCenter Server. The 1100 appliance is an all-in-one security appliance that offers robust, multi-layered protection with branch offices in mind, including flexible network interfaces and a compact, desktop form factor, and it is used to replace the SG80 and the UTM-1 Edge.

Both 600 and 1100 appliances support local management. The SG600 can be centrally managed by Check Point's SMB Management Cloud service. The SG1100 can be managed by standard Check Point management running R75.46 or above. Neither unit can be managed by the old Sofaware SMP product.

Sunday, April 3, 2016

Check Point R80 Public Released to Download - SK108623

Check Point R80 Security Management Server was released on March 31, 2016 in SK108623.

R80 Upgrade Verification Service Check Point Community Exchange Point Upgrade/Download Wizard

R80 Downloads


GUI client

Clean Install / Advanced Upgrade for Gaia OS

Complete Management (SmartConsole+Server) installation including all features

Demo version 

Fully working demo version,
with all management components
Available soon

Monday, March 7, 2016

Check Point R80 Management Installation - Part 2 - SmartConsole

In "Check Point R80 Management Installation - Part 1 - Basic Installation", we can see that the steps for installing R80 are similar to those for previous versions. This post will present how to use SmartConsole to connect to the R80 management server.

1. Download SmartConsole

You will get a 378M SmartConsole.exe executable file.

2. Prerequisites for Installing SmartConsole
Double-click the downloaded SmartConsole file to start the installation. It will require at least four prerequisites:

  • Microsoft Visual C++2005 Redistributable Package
  • Microsoft Visual C++2005 Redistributable Package
  • Microsoft Visual C++2005 Redistributable Package
  • Microsoft .NET Framework 4.5

Sunday, March 6, 2016

Check Point R80 Management Installation - Part 1 - Basic Installation

Check Point finally announced their R80 Security Management from their website and also by email. Here is the email I got on March 2nd.
Discover R80
We are very excited to announce R80 Security Management. This platform, a culmination of many years of research and development, was built to anticipate the challenges facing security teams during a time of massive transition in enterprise security. Growing networks, disruptive technologies, and the proliferation of interconnected devices make managing security increasingly complex. We believe the key to managing this complexity is through security consolidation – bringing all security protections and functions under one umbrella.  With R80, this is fully realized:
  • A single platform to manage your entire IT infrastructure.
  • Streamlined interface and task-oriented features (concurrent admin, integrated logs) to help you work faster, smarter.
  • Unified policy management, so you can create and monitor policies harmoniously and efficiently.
  • An extensible platform so you can align security to IT processes & technologies.
  • Integrated threat management to give you better visibility and help speed incidence response.
To learn more about R80, please join our new Exchange Point community where users can ask questions, share API scripts and interact with peers & Check Point experts. As you upgrade to R80, we are committed to partnering with you every step of the way to ensure a successful deployment!
Talisys, an innovator in financial securities processing software, leverages R80 to reduce security management complexity and align processes.

Thursday, January 28, 2016

Upgrading Check Point Gateway Cluster (R77.30)

Install / Upgrade Checkpoint Full HA (Gateway and Management) is the old post for installing or upgrading to R77.10. This post records the R77.30 upgrade in more detail, although all steps are almost the same as for the previous version.
1. Standalone Check Point Gateway Upgrade
A Check Point product upgrade is not that complicated, and Check Point provides a couple of ways to do it:
1.1 CPUSE (WebUI)
You will need a valid license, and your gateway will need Internet access to connect to the Check Point User Center to update the list of available hotfixes/packages. You can also import a package downloaded manually from the Check Point Support site and then install it from the CPUSE / WebUI interface.

Saturday, January 23, 2016

Configuring Checkpoint Gateway Forwarding Logs to External Syslog Server

Check Point Management Server is not only the central policy management point for Check Point products, but also holds the logs of all Check Point gateways. In a real environment, external third-party log servers are sometimes needed to store and analyse those logs, especially for central SIEM systems.

Before R77.30, you have to forward those logs from the Management Server to external syslog servers.

Two previous posts have been recorded in this blog to describe the procedures for forwarding Check Point logs from the Management Server to an external syslog server:

Starting from R77.30, Check Point allows gateways to send their logs directly to an external syslog server without going through the Management Server.

Here are the steps I tried:



1. Download and Install R77.30 Add-on on Security Management Server

1.1 Download the file from the R77.30 Add-On Gaia Legacy Cli link.
You will get an 11M file - Check_Point_R77_30_T204_Add-on_Gaia.tgz
Note: If you are using Google Chrome, you will get a file named Check_Point_R77_30_T204_Add-on_Gaia.gz. This issue is mentioned in sk76080 (Google Chrome changes downloaded files from .tgz to .gz). Renaming the .gz file to .tgz should resolve the issue.

1.2 SFTP the file Check_Point_R77_30_T204_Add-on_Gaia.tgz to Mgmt Server CP Mgmt (

1.3 Use the following command to install it on the CP Mgmt Server:

tar -zxvf Check_Point_R77_30_T204_Add-on_Gaia.tgz

2. Define a new Syslog Server
2.1 In the Servers and OPSEC Applications object tree, right-click Servers > New > Syslog.
2.2 In the Syslog Properties window, enter or select:
Name: ext-syslog-33
Host: create a new syslog object with name ext-syslog and IP address
Port (Default = 514)
Version (BSD Protocol or Syslog Protocol)

3. From SmartDashboard, Configure Gateways to Send Logs to Syslog Servers

To send the logs of a gateway to syslog servers:
3.1 In SmartDashboard, go to gateway Properties -> Logs.
3.2 In the "Send logs and alerts to these log servers" table, click the green button to add syslog servers.
3.3 Click OK, then install policy on the gateway.

4. On the Security Gateway(s), permanently enable Syslog in the kernel:
Run the following command on the gateway or on all cluster members:

echo fwsyslog_enable=1 >> $FWDIR/modules/fwkern.conf

Reboot the Security Gateway or cluster members.

5. Verify 

5.1 Verify from gateway:
[Expert@CP-R77.30-2:0]# tcpdump -i eth0 host and udp port 514
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
21:59:12.231469 IP > SYSLOG authpriv.notice, length: 371
21:59:31.007223 IP > SYSLOG authpriv.notice, length: 340
21:59:44.120324 IP > SYSLOG authpriv.notice, length: 334

5.2 Verify from Syslog server
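
One way to do the server-side check, as an added example that is not part of the original post: the script below classifies raw messages received from the gateway as BSD (RFC 3164) or Syslog Protocol (RFC 5424), matching the Version choice in step 2.2, and decodes the PRI value into the facility.severity pair that tcpdump printed in step 5.1. The function names are hypothetical, the sample payloads are constructed and do not reproduce the gateway's real message body, and it assumes the raw messages are available one per line.

```shell
#!/bin/sh
# Added example, not from the original post. Classifies raw syslog lines as
# BSD (RFC 3164) or Syslog Protocol (RFC 5424) and decodes the PRI field.

# Facility and severity names in numeric order (0..23 and 0..7).
FACILITIES="kern user mail daemon auth syslog lpr news uucp cron authpriv ftp ntp audit alert clock local0 local1 local2 local3 local4 local5 local6 local7"
SEVERITIES="emerg alert crit err warning notice info debug"

# classify_stream: one raw message per line on stdin, one result per line on
# stdout in the form "<format> <facility>.<severity>", or "invalid".
classify_stream() {
    awk -v facs="$FACILITIES" -v sevs="$SEVERITIES" '
    BEGIN { split(facs, f, " "); split(sevs, s, " ") }
    {
        # PRI is 1 to 3 digits in angle brackets at the start of the message.
        if (!match($0, /^<[0-9][0-9]?[0-9]?>/)) { print "invalid"; next }
        pri = substr($0, 2, RLENGTH - 2) + 0
        if (pri > 191) { print "invalid"; next }
        rest = substr($0, RLENGTH + 1)
        # RFC 5424 has a VERSION number and a space right after PRI;
        # RFC 3164 has a "Mmm dd hh:mm:ss" timestamp there instead.
        if (rest ~ /^[1-9][0-9]? /)
            fmt = "rfc5424"
        else if (rest ~ /^[A-Z][a-z][a-z] [ 0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9] /)
            fmt = "rfc3164"
        else
            fmt = "unknown"
        # PRI = facility * 8 + severity
        printf "%s %s.%s\n", fmt, f[int(pri / 8) + 1], s[pri % 8 + 1]
    }'
}

# classify_syslog LINE: classify a single message given as an argument.
classify_syslog() {
    printf '%s\n' "$1" | classify_stream
}

# check_feed EXPECTED_FORMAT: reads captured messages on stdin, prints a count
# per classification, and returns 1 unless every message is EXPECTED_FORMAT.
check_feed() {
    results=$(classify_stream)
    printf '%s\n' "$results" | sort | uniq -c
    # grep -v succeeds when at least one line is NOT in the expected format
    # (an empty capture also fails: no messages means nothing was verified).
    if printf '%s\n' "$results" | grep -qv "^$1 "; then
        return 1
    fi
    return 0
}

# Constructed sample capture: hostname taken from the post, payloads invented.
sample_capture() {
    cat <<'EOF'
<85>Jan 23 21:59:12 CP-R77.30-2 constructed sample message one
<85>Jan 23 21:59:31 CP-R77.30-2 constructed sample message two
<85>1 2016-01-23T21:59:44Z CP-R77.30-2 app - - - constructed sample message three
EOF
}

sample_capture | check_feed rfc3164 || echo "MISMATCH: not every message is rfc3164"
```

A PRI of 85 decodes to facility 10 (authpriv) and severity 5 (notice), which is the authpriv.notice shown in the tcpdump output of step 5.1.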


Saturday, November 28, 2015

Check Point 600 Appliance Basic Setup

The Check Point 600 Appliance is a single, integrated device offering firewall, VPN, IPS, antivirus, application visibility and control, URL filtering and email security, all in a quiet, compact desktop form factor. This post presents a basic setup process for the Check Point 640 Wireless ADSL+ model.

Check Point's 640 Appliance is designed to be plug and play, and very affordable. Currently on the Check Point website, the sale price for one 640 Wireless ADSL+ model is US $951.

Actually, all 600 models (620, 640 and 680) use the same compact, fanless desktop chassis and are licensed for different throughputs. The 620 has Check Point's full next-generation threat prevention (NGTP) package, and is good for ten users, while the 680 can serve up to 50. The 640 model tested in this post can handle up to 25 users.

Eight Gigabit ports handle LAN duties, with two more for WAN and DMZ functions. The appliances all come with an integral 802.11bgn wireless AP and ADSL2+ modem, each of which can be enabled by applying a licence.

It can be configured easily through a browser-based web interface in a couple of minutes using the first-time setup wizard. It supports the Next Generation Threat Prevention software blades, which give better protection than Next Generation Firewall. More on its features is in the post "Check Point 600 Features Review".

Check Point 600 Features Review

Check Point 600 setup is quite easy and it is wizard guided. All basic setup can be completed in five minutes, and then you will have a firewall with enterprise-level features. Please check Checkpoint 600 Appliance Basic Setup for how to do the initial setup in five minutes.

Here are some features Check Point 600 appliance has:

1. Access your appliance from anywhere

This feature is quite useful for users who are behind a firewall or proxy and have limited access to the Internet. You can register your device with the Check Point smbrelay domain to get a unique web and CLI login link. It can bypass your client-side firewall and proxy settings since it uses the HTTPS protocol. Do not forget to enable Internet access to your appliance. By default, your 600 appliance denies all Internet access to itself for security reasons.
This service is provided by Check Point’s Reach My Device service. Two links will be displayed under Reach My Device section:

To allow the access to your device from Internet:

  1. Register your device from the "DDNS & Device Access" screen;
  2. Make sure your IP address ( is permitted from the "Administrator Access" screen.

Check Point 600 Appliance also provides SSH access to device itself.
pi@raspberrypi:~$ ssh -l admin
admin@'s password:
fetch           - Fetch operation
set             - Set operation
fw              - VPN-1/FireWall-1 commands
cpwd_admin      - cpwd_admin commands
show            - Display operation
upgrade         - Upgrade the software image of the system
revert          - Revert the system to the previous software image or to factory-defaults
backup          - Create a backup file
restore         - Restore previous system settings
test            - Test operation
shell           - Switch to expert mode
resize          - Set terminal settings to current window size
expert          - Switch to expert mode
cpshell         - Start cpshell
cpstart         - Start Firewall services
cpstop          - Stop Firewall services
cphaprob        - Defines critical process of High Availability
cphastart       - Enables High Availability on the appliance
cphastop        - Disables High Availability on the appliance
cpstat          - Display Check Point statistics info
ping            - Ping
traceroute      - Traceroute
arp             - arp
top             - Provide a view of process activity in real time
uptime          - Display the time since the last boot
netstat         - Display networking information
sim             - SecureXL Implementation Module commands
vpn             - Control VPN
dynamic_objects - Configure/Display dynamic objects
reboot          - Use to reboot the system
ver             - Show Check Point firewall version
tcpdump         - Packet analyzer
nslookup        - Name server lookup
cpinfo          - Check Point Support Information
sleep           - Sleep, pause for a time equal to the total of the args given
exit            - Exit from shell
add             - Add operation
delete          - Delete operation
send            - Set operation
find            - Display operation
connect         - Set operation
update          - Set operation
reconnect       - Set operation
Gateway-ID-640> show configuration
# Configure a persistent domain name for the device
set dynamic-dns provider "DynDns"
# Configure DNS and Domain settings for the device
set dns proxy "enable" resolving "on"
set dns mode "internet"
# HTTPS categorization
<Outputs Omitted>

2. Guest Wireless Network with Hotspot

This feature adds an extra virtual access point for your guests. You can use a customized web portal to grant user access based on user groups you created in the local database or the Active Directory database.

3. Enterprise Level Security Features

You will get all of the following enterprise-level features if you have a license. Some of them you won't be able to see in other vendors' similar-level products:
  • Firewall
  • Application Control & URL Filtering
  • User Awareness
  • QoS
  • Intrusion Prevention 
  • Anti-Virus
  • Anti-Spam
  • Remote Access
  • Site-to-Site VPN
Security Dashboard

During the testing, I enabled these five blades to check how effective they are: Firewall, Applications & URL Filtering, IPS, Anti-Virus and Anti-Bot.

4. Easy to Set up Policy for Access, Threat Prevention and VPN

The Check Point 600 appliance provides pre-defined policies for you to select. For example, for the firewall access policy, you can easily choose between Strict and Standard to suit your needs. You do not have to go too deep and define your own policy rule by rule. There are switches that let you turn each blade on or off.

Access Policy

Threat Prevention


5. User Awareness Support Active Directory or Browser Based Authentication

The user awareness blade links usernames to machines, allowing security policies to be applied to user identities. Support for remote workers is excellent: they can connect using Check Point's mobile desktop client, a remote app for iOS and Android, SSL VPNs and L2TP.
User Awareness

6. Rich Reporting and Monitoring functions

The appliance can generate hourly, daily, weekly and monthly reports showing all network activity, top web categories, security threats and intrusion alerts. Each report also provides a bandwidth analysis and descriptions of events and application types but you can only print and not export them.


Wednesday, October 21, 2015

Advanced Checkpoint Gaia CLI Commands (Tips and Tricks)

Following my most popular post "Basic Checkpoint Gaia CLI Commands (Tips and Tricks)", I would like to collect some more advanced troubleshooting commands used in my daily work into this post. Actually, some of the commands are not only for Checkpoint Gaia; they work on the SPLAT or IPSO platforms as well. This post will be updated whenever I have something new.

1. fw ctl chain

Check Checkpoint Security Gateway packet inspection order/chain. For more details, check the post "How Firewalls (Security Gateways) Handle the Packets?"

in chain (18):
        0: -7f800000 (f28854f0) (ffffffff) IP Options Strip (in) (ipopt_strip)
        1: -7d000000 (f1796f10) (00000003) vpn multik forward in
        2: - 2000000 (f177cb70) (00000003) vpn decrypt (vpn)
        3: - 1fffff8 (f1787c00) (00000001) l2tp inbound (l2tp)
        4: - 1fffff6 (f2886ca0) (00000001) Stateless verifications (in) (asm)
        5: - 1fffff5 (f28bce30) (00000001) fw multik misc proto forwarding
        6: - 1fffff2 (f17a4df0) (00000003) vpn tagging inbound (tagging)
        7: - 1fffff0 (f177a150) (00000003) vpn decrypt verify (vpn_ver)
        8: - 1000000 (f29049c0) (00000003) SecureXL conn sync (secxl_sync)
        9:         0 (f282f810) (00000001) fw VM inbound  (fw)
        10:         1 (f28a6b30) (00000002) wire VM inbound  (wire_vm)
        11:   2000000 (f177b5e0) (00000003) vpn policy inbound (vpn_pol)
        12:  10000000 (f2902cb0) (00000003) SecureXL inbound (secxl)
        13:  7f600000 (f287ab70) (00000001) fw SCV inbound (scv)
        14:  7f730000 (f2a13500) (00000001) passive streaming (in) (pass_str)
        15:  7f750000 (f2c0bef0) (00000001) TCP streaming (in) (cpas)
        16:  7f800000 (f2885890) (ffffffff) IP Options Restore (in) (ipopt_res)
        17:  7fb00000 (f2fac050) (00000001) HA Forwarding (ha_for)
out chain (15):
        0: -7f800000 (f28854f0) (ffffffff) IP Options Strip (out) (ipopt_strip)
        1: -78000000 (f1796ef0) (00000003) vpn multik forward out
        2: - 1ffffff (f1779a10) (00000003) vpn nat outbound (vpn_nat)
        3: - 1fffff0 (f2c0bd70) (00000001) TCP streaming (out) (cpas)
        4: - 1ffff50 (f2a13500) (00000001) passive streaming (out) (pass_str)
        5: - 1ff0000 (f17a4df0) (00000003) vpn tagging outbound (tagging)
        6: - 1f00000 (f2886ca0) (00000001) Stateless verifications (out) (asm)
        7:         0 (f282f810) (00000001) fw VM outbound (fw)
        8:         1 (f28a6b30) (00000002) wire VM outbound  (wire_vm)
        9:   2000000 (f1779c30) (00000003) vpn policy outbound (vpn_pol)
        10:  10000000 (f2902cb0) (00000003) SecureXL outbound (secxl)
        11:  1ffffff0 (f17887b0) (00000001) l2tp outbound (l2tp)
        12:  20000000 (f177d5b0) (00000003) vpn encrypt (vpn)
        13:  7f700000 (f2c0e340) (00000001) TCP streaming post VM (cpas)
        14:  7f800000 (f2885890) (ffffffff) IP Options Restore (out) (ipopt_res)

2. Proxy Arp

a. Use the Gaia portal.
Network Management -> Arp -> Proxy ARP

b. Use the command line (in Gaia):
add arp proxy ipv4-address interface eth0 real-ipv4-address

Actually, the Gaia command above automatically writes the entry to a file called local.arp.

c. Use the command line (in expert mode):
Insert the information directly into /opt/CPsuite-R76/fw1/conf/local.arp:
echo " 00:0c:29:f1:b7:74" >> $FWDIR/conf/local.arp

Verify the changes after a policy push with command "fw ctl arp":

[Expert@CP1:0]# fw ctl arp
 ( at 00-1c-7f-32-cc-15
 ( at 00-1c-7f-32-cc-15
 ( at 00-1c-7f-32-cc-15
 ( at 00-1c-7f-32-cc-15
 ( at 00-1c-7f-32-cc-15
 ( at 00-1c-7f-32-cc-15
 ( at 00-1c-7f-33-07-ae interface
 ( at 00-1c-7f-32-cc-15
 ( at 00-1c-7f-32-cc-15
 ( at 00-1c-7f-32-cc-15
 ( at 00-1c-7f-32-cc-15
 ( at 00-1c-7f-32-cc-15

FW-GAIA> show arp proxy all
IP Address              MAC Address / Interface         Real IP Address           eth0

Reference: Checkpoint SPLAT Manual Proxy ARP Configuration Example

3. fw ctl zdebug drop

Lists all dropped packets in real time and gives an explanation of why each packet was dropped.

4. tcpdump

  • tcpdump port 257  <-- on the firewall, this lets you see whether the logs are passing from the firewall to the manager, and what address they are heading to
  • tcpdump -i WAN.15  <-- capture everything on this interface
  • tcpdump -i eth1.16 icmp  <-- capture just pings on this interface
  • tcpdump -i Mgmt -vvv -s0 -w tcpdumpfile.log  <-- capture the full packets to a file, useful for Wireshark; -s0 stops the packets being truncated
  • tcpdump -i INT port 67  <-- view DHCP requests
  • tcpdump -eP -nni any host  <-- -nn disables both name and service port resolution while performing a capture; -e prints the link-level header on each dump line, which can be used, for example, to print MAC layer addresses for protocols such as Ethernet and IEEE 802.11; -p is --no-promiscuous-mode
  • tcpdump -i any  <-- "any" tells tcpdump to listen on all interfaces
  • tcpdump -n  <-- disable lookup and translation of hostnames and ports

Reference: Understanding TCPDUMP Output

5. FW Monitor

  • fw monitor -e 'accept host(;'   <-- Show packets with IP as SRC or DST
  • fw monitor -e 'accept src= and dst=;' <--Show all packets from to
  • fw monitor -pi ipopt_strip -e 'accept udpport(53);' <--Show UDP port 53 (DNS) packets, pre-in position is before 'ipopt_strip'
  • fw monitor -m O -e 'accept udp and (sport>1023 or dport>1023);' <-- Show UDP traffic from or to unprivileged ports, only show post-out
  • fw monitor -e 'accept net(,24) and tracert;' <--Show Windows traceroute (ICMP, TTL<30) from and to network
  • fw monitor -v 23 -e 'accept tcpport(80);' <--Capture web traffic for VSX virtual system ID 23
  • fw monitor -e 'accept ip_p=50 and ifid=0;' <--Show all ESP (IP protocol 50) packets on the interface with the ID 0. (List interfaces and corresponding IDs with fw ctl iflist)
  • srfw monitor -o output_file.cap <--Show traffic on a SecuRemote/SecureClient client into a file. srfw.exe is in $SRDIR/bin (C:\Program Files\CheckPoint\SecuRemote\bin)

6. VPN tu

vpn tu  or  vpn tunnelutil

********** Select Option **********

(1)  List all IKE SAs
(2)  List all IPsec SAs
(3)  List all IKE SAs for a given peer (GW) or user (Client)
(4)  List all IPsec SAs for a given peer (GW) or user (Client)
(5)  Delete all IPsec SAs for a given peer (GW)
(6)  Delete all IPsec SAs for a given User (Client)
(7)  Delete all IPsec+IKE SAs for a given peer (GW)
(8)  Delete all IPsec+IKE SAs for a given User (Client)
(9)  Delete all IPsec SAs for ALL peers and users
(0)  Delete all IPsec+IKE SAs for ALL peers and users

(Q)  Quit 

7. Disk/File/Folder Commands

Checkpoint SK60080 describes some solutions for resolving excessive disk consumption on SPLAT/Gaia/IPSO/Linux OS systems. Here are some helpful commands:
a. df -h  (view the partition table and its associated utilization)
b. du -h --max-depth=1 /opt | sort -n -r   (examine disk space utilization at directory-level)
c. ls -1 $FWDIR/conf/db_versions/repository/ | wc -l   (check the number of database revisions on a Security Management server)
d. ls -l $RTDIR/distrib/* | wc -l  (counts the number of records)
e. evstop & evstart (Stop / start the Eventia / SmartEvent)
f. rm -r $RTDIR/distrib/* (Purge this directory of stale records)
g. ls -lR /var/log/dump/usermode/   (Find and delete old core dump files)
h. ls -lR /var/crash/  (Find and delete old core dump files)
i. rm $FWDIR/log/2009*.log*  (removes all old log files for year 2009)

8. Connections

CP-1> fw tab -t connections -s
HOST                  NAME                               ID #VALS #PEAK #SLINKS
localhost             connections                      8158    77   948     179

The ID is the actual table number.
The VALS column is the current number of connections in the connections table at the time the command was run.
The PEAK number is the maximum number of connections recorded since the last reboot.
SLINKS is a table of symbolic links that point to the real connection entry. There are usually 4 symbolic links per connection. This way, no matter which direction the packet comes from, there will be an entry for it. There is more to it than that, but that is the general idea.

CP-1> fw ctl pstat

System Capacity Summary:
  Memory used: 8% (62 MB out of 696 MB) - below watermark
  Concurrent Connections: 0% (79 out of 24900) - below watermark
  Aggressive Aging is in detect mode

Hash kernel memory (hmem) statistics:
  Total memory allocated: 71303168 bytes in 17408 (4096 bytes) blocks using 1 pool
  Total memory bytes  used:  9703728   unused: 61599440 (86.39%)   peak: 18891512
  Total memory blocks used:     2665   unused:    14743 (84%)   peak:     4705
  Allocations: 198489371 alloc, 0 failed alloc, 198382561 free

System kernel memory (smem) statistics:
  Total memory  bytes  used: 117769900   peak: 120093268
  Total memory bytes wasted:   996590
    Blocking  memory  bytes   used:  2530356   peak:  2557584
    Non-Blocking memory bytes used: 115239544   peak: 117535684
  Allocations: 433810 alloc, 28 failed alloc, 432937 free, 0 failed free
  vmalloc bytes  used: 114086588 expensive: no

Kernel memory (kmem) statistics:
  Total memory  bytes  used: 56103032   peak: 66020104
  Allocations: 198922588 alloc, 28 failed alloc
               198815489 free, 0 failed free
  External Allocations: 0 for packets, 0 for SXL

        90753187 total, 0 alloc, 0 free,
        7839 dup, 2107678 get, 160176 put,
        91154457 len, 0 cached len, 0 chain alloc,
        0 chain free

        231169 total, 7807 TCP, 4665 UDP, 182351 ICMP,
        36346 other, 0 anticipated, 3 recovered, 79 concurrent,
        948 peak concurrent

        0 fragments, 0 packets, 0 expired, 0 short,
        0 large, 0 duplicates, 0 failures

        80509/0 forw, 5266/0 bckw, 85750 tcpudp,
        16 icmp, 10440-949656 alloc

        Version: new
        Status: Able to Send/Receive sync packets
        Sync packets sent:
         total : 864451,  retransmitted : 0, retrans reqs : 15,  acks : 1826
        Sync packets received:
         total : 3614413,  were queued : 30, dropped by net : 15
         retrans reqs : 0, received 11745 acks
         retrans reqs for illegal seq : 0
         dropped updates as a result of sync overload: 0
        Callback statistics: handled 11588 cb, average delay : 1,  max delay : 5
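
One way to turn the counters explained above into a repeatable health check, as an added example that is not part of the original post: the script parses `fw ctl pstat` text into key=value pairs and warns when memory or connection usage crosses a limit or when any pool reports failed allocations. The function names, the thresholds and the choice to warn on any failed allocation are this example's assumptions; the sample input is a trimmed copy of the output shown above.

```shell
#!/bin/sh
# Added example, not from the original post: turn `fw ctl pstat` text into
# key=value pairs and flag values that cross caller-chosen limits.

# pstat_summary: reads `fw ctl pstat` output on stdin, prints one line of
# key=value pairs.
pstat_summary() {
    awk '
    # Remember which memory pool the following "Allocations:" line belongs to.
    /\(hmem\) statistics/ { sec = "hmem" }
    /\(smem\) statistics/ { sec = "smem" }
    /\(kmem\) statistics/ { sec = "kmem" }
    # "Memory used: 8% (62 MB out of 696 MB)"
    $1 == "Memory" && $2 == "used:" { mem = $3; sub(/%/, "", mem) }
    # "Concurrent Connections: 0% (79 out of 24900)"
    $1 == "Concurrent" && $2 == "Connections:" {
        used = $4;  gsub(/[^0-9]/, "", used)
        limit = $7; gsub(/[^0-9]/, "", limit)
    }
    # "Allocations: N alloc, M failed alloc, ..." -> field 4 is the failure count
    $1 == "Allocations:" && sec != "" { failed[sec] = $4 + 0 }
    END {
        printf "mem_pct=%d conn_used=%d conn_limit=%d hmem_failed=%d smem_failed=%d kmem_failed=%d\n",
               mem, used, limit, failed["hmem"], failed["smem"], failed["kmem"]
    }'
}

# pstat_check MEM_MAX_PCT CONN_MAX_PCT: reads pstat output on stdin, prints one
# WARN line per finding and returns 1 if there is at least one finding.
pstat_check() {
    pstat_summary | awk -v mem_max="$1" -v conn_max="$2" '
    {
        for (i = 1; i <= NF; i++) { split($i, kv, "="); v[kv[1]] = kv[2] + 0 }
        # The percentage printed by pstat is rounded, so recompute it.
        conn_pct = v["conn_limit"] > 0 ? v["conn_used"] * 100 / v["conn_limit"] : 0
        if (v["mem_pct"] >= mem_max) { print "WARN memory used " v["mem_pct"] "%"; bad = 1 }
        if (conn_pct >= conn_max) { printf "WARN connections at %.1f%% of limit\n", conn_pct; bad = 1 }
        n = split("hmem smem kmem", pools, " ")
        for (i = 1; i <= n; i++) {
            k = pools[i] "_failed"
            if (v[k] > 0) { print "WARN " pools[i] " failed allocations: " v[k]; bad = 1 }
        }
    }
    END { exit bad }'
}

# Sample input: trimmed copy of the `fw ctl pstat` output shown in the post.
sample_pstat() {
    cat <<'EOF'
System Capacity Summary:
  Memory used: 8% (62 MB out of 696 MB) - below watermark
  Concurrent Connections: 0% (79 out of 24900) - below watermark
  Aggressive Aging is in detect mode

Hash kernel memory (hmem) statistics:
  Total memory allocated: 71303168 bytes in 17408 (4096 bytes) blocks using 1 pool
  Allocations: 198489371 alloc, 0 failed alloc, 198382561 free

System kernel memory (smem) statistics:
  Total memory  bytes  used: 117769900   peak: 120093268
  Allocations: 433810 alloc, 28 failed alloc, 432937 free, 0 failed free

Kernel memory (kmem) statistics:
  Total memory  bytes  used: 56103032   peak: 66020104
  Allocations: 198922588 alloc, 28 failed alloc
               198815489 free, 0 failed free
  External Allocations: 0 for packets, 0 for SXL
EOF
}

# Demo run with 80% limits for memory and connections (assumed thresholds).
sample_pstat | pstat_check 80 80 || echo "pstat_check reported findings"
```

On a gateway the input would come from `fw ctl pstat | pstat_check 80 80`, run from cron or a monitoring agent so that a rising trend is caught before the health check is done by hand.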

9. Check Point SecureXL

To enable SecureXL, run the command:
CP[admin]# fwaccel on

To disable SecureXL, run the command:
CP[admin]# fwaccel off

Note: The fwaccel off command is not persistent and SecureXL will be enabled again after a reboot of the system. SecureXL can be permanently disabled through the CPconfig utility.

To check the number of accelerated connection and other SecureXL statistics: CP[admin]# netstat -f
To check the number of accelerated SA (VPN traffic): CP[admin]# netstat -s
To check overall SecureXL statistics:  CP[admin]# fwaccel stat

10. View Checkpoint Log from CLI

expert mode
fw log -n | more
fw log -n -f | grep https
normal mode without pipe

11. Revision Control Versions Location on Management Server

[Expert@CP-Management]# cd /opt/CPsuite-R75.20/fw1/conf/db_versions/repository/
[Expert@CP-Management]# ls
1  11  12  13  14  15  16  17  18  2  3  4  5  6  7  8  9
All versions are in those numbered directories. The actual version info is in versioning_db.fws
[Expert@CP-Management]# cd database/
[Expert@CP-Management]# ls
versioning_db.fws

12. Change user cli between BASH and CLISH

HostName> set user admin shell /bin/bash
HostName> save config
[Expert@HostName]# dbset passwd:admin:shell /etc/
[Expert@HostName]# dbset :save
chsh -s /bin/bash admin
chsh -s /etc/ admin
For SPLAT, the default shell is /bin/cpshell, which is not listed in the /etc/shells file.
chsh -s /bin/cpshell admin
[admin@CP-Management ~]$ cat /etc/shells
[admin@CP-Management ~]$ chsh
Changing shell for root.
New shell [/bin/cpshell]: /bin/bash
Shell changed.

13. Enable SFTP in Gaia

[Expert@HostName]# vi  /etc/ssh/sshd_config 
Uncomment the 'sftp-server' line by deleting the pound '#' character: 
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp /usr/libexec/openssh/sftp-server
[Expert@HostName]# /etc/init.d/sshd restart
Note: Please check my previous post: Enable SFTP to Checkpoint Gaia OS System for more details.

14. Installation of Hotfixes on Gaia or SPLAT

[Expert@HostName]# tar -zxvf Check_Point_Hotfix_VERSION_OS_sk104443.tgz
[Expert@HostName]# ./SecurePlatform_HOTFIX_NAME
[Expert@HostName]# reboot
Steps to install a Jumbo Hotfix for R77.20 in a cluster environment:
a. install a hotfix on standby cluster member (CP2) then reboot it
b. failover from active cluster member (CP1) to standby cluster (CP2) after standby cluster finished rebooting
c. install hotfix on CP1 and reboot it.

[Expert@FW-CP2:0]# md5sum Check_Point_R77.20.linux.tgz 
d788583cf44389b83b0dd6990cb53f63  Check_Point_R77.20.linux.tgz

[Expert@FW-CP2:0]# tar -zxvf Check_Point_R77.20.linux.tgz 


[Expert@FW-CP2:0]# ./UnixInstallScript 


Welcome to Check Point R77_20_JUMBO_HF installation 
Verifying installation environment for R77_20_JUMBO_HF...Done!
The following components will be installed:
* R77_20_JUMBO_HF

Installation program is about to stop all Check Point Processes.

Do you want to continue (y/n) ? y
Stopping Check Point Processes...Done!
Installing Security Gateway / Security Management R77_20_JUMBO_HF...Done!

Installing GAIA R77_20_JUMBO_HF...Done!

Installing Performance Pack R77_20_JUMBO_HF...Done!

Installing Mobile Access R77_20_JUMBO_HF...Done!


Package Name                                                    Status
------------                                                    ------
Security Gateway / Security Management R77_20_JUMBO_HF          Succeeded

GAIA R77_20_JUMBO_HF                                            Succeeded

Performance Pack R77_20_JUMBO_HF                                Succeeded

Mobile Access R77_20_JUMBO_HF                                   Succeeded


Installation program completed successfully.

Do you wish to reboot your machine (y/n) ? y

Broadcast message from admin (pts/2) (Mon Oct 26 16:37:44 2015):

The system is going down for reboot NOW!

Broadcast message from admin (pts/2) (Mon Oct 26 16:37:44 2015):

The system is going down for reboot NOW!


15. SSH Timeout Solutions

a. Increasing the timeout
set inactivity-timeout 720

b. Ignore Hangup
[Expert@R76GaiaGate1:0]# fw monitor -e "accept host(;" -o test.cap &
[1] 27524
[Expert@R76GaiaGate1:0]# ps -aux | grep "fw monitor"
admin 27524 0.7 2.1 88268 21256 pts/2 S 14:09 0:00 fw monitor -e accept host(; -o test.cap

Disown the process with this command, specifying the PID:

disown 27524

Closing the SSH session, or having it end due to a timeout, will no longer send a hangup to this process, since it is no longer a child process of the SSH session.

A new SSH session or console session can be started later, and the process can be killed manually to stop it.

kill 27524

[Expert@R76GaiaGate1:0]# nohup fw ctl kdebug -T -f -o debug.txt -m 10 -s 50000 &
[1] 30209
nohup: appending output to 'nohup.out'

This example creates cyclic debug files: 10 files, with a maximum of 50000Kb. Again, the PID is displayed, and the output of the command is written to the text file 'nohup.out'.

The SSH session can be ended with "exit" or timed out; the hangup sent to this child process will be ignored, and the debug will continue running until we log in again and manually kill the PID.

16. ClusterXL Troubleshooting

16.1 Force a failover

This creates a pnote (problem notification) in problem state on the current cluster member and forces a failover to another member:
cphaprob -d fail -s problem -t 0 register
Verify it's in problem state with
cphaprob stat
cphaprob -i list
(you should see 'fail' in problem state)

Once you've finished your testing, run these two to reset it:
cphaprob -d fail -s ok report
cphaprob -d fail unregister
Reference: CheckPoint HA: How to force a failover (ClusterXL/VRRP)

16.2 cphaprob commands and troubleshooting a ClusterXL problem

FW-CP2 is fine, but FW-CP1 shows a problem in the ClusterXL status.
[Expert@FW-CP2:0]# cphaprob -a if 

Required interfaces: 5

Required secured interfaces: 1

eth1       UP                    non sync(non secured), multicast

eth2       UP                    sync(secured), multicast
Mgmt       UP                    non sync(non secured), multicast
eth3       UP                    non sync(non secured), multicast  (eth3.106  )
eth3       UP                    non sync(non secured), multicast  (eth3.102  )

Virtual cluster interfaces: 6



FW-CP1> cphaprob -i list

Built-in Devices:

Device Name: Interface Active Check

Current state: problem

Device Name: HA Initialization

Current state: OK

Device Name: Recovery Delay

Current state: OK

Registered Devices:

Device Name: Synchronization

Registration number: 0
Timeout: none
Current state: OK
Time since last report: 64196.3 sec

Device Name: Filter

Registration number: 1
Timeout: none
Current state: OK
Time since last report: 63492.1 sec

Device Name: cphad

Registration number: 2
Timeout: none
Current state: OK
Time since last report: 2.68138e+06 sec

Device Name: fwd

Registration number: 3
Timeout: none
Current state: OK
Time since last report: 2.68137e+06 sec

Device Name: routed

Registration number: 4
Timeout: none
Current state: OK
Time since last report: 62898.8 sec

Usually this is caused by the connection between the firewall interface port and the switch port. Capturing UDP port 8116 helps to find out which member is not sending keep-alive packets:

Cluster Control Protocol (CCP) runs on UDP port 8116 and allows cluster members to report their own states and learn about the states of other members by sending keep-alive packets (applies only to ClusterXL clusters). CCP also keeps the cluster members' sync state.

The following tcpdump shows that cluster member 1 (00:00:00:00:fe:00) and cluster member 2 (00:00:00:00:fe:01) are both sending CCP packets on port 8116. That is normal. If you see only one member sending, check the other member's switch port VLAN configuration. A VLAN may be missing on the switch trunk port, which has happened to me.

[Expert@FW-CP2:0]# tcpdump -enni eth3.102 port 8116
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth3.102, link-type EN10MB (Ethernet), capture size 96 bytes
11:13:17.497801 00:00:00:00:fe:01 > 01:00:5e:5b:66:0e, ethertype IPv4 (0x0800), length 92: > UDP, length 50
11:13:17.597743 00:00:00:00:fe:01 > 01:00:5e:5b:66:0e, ethertype IPv4 (0x0800), length 76: > UDP, length 34
11:13:17.676067 00:00:00:00:fe:00 > 01:00:5e:5b:66:0e, ethertype IPv4 (0x0800), length 76: > UDP, length 34
11:13:17.676182 00:00:00:00:fe:00 > 01:00:5e:5b:66:0e, ethertype IPv4 (0x0800), length 92: > UDP, length 50
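
The two checks in this section, scripted as an added example (not from the original post): it lists pnote devices that are not OK in saved `cphaprob -i list` output, and names expected member MACs that never appear as a source in saved `tcpdump -enni <interface> port 8116` output. The function names and file names are assumptions, and the sample input is constructed from the output shown above.

```shell
#!/bin/sh
# Added example: works on saved text output, so it can also run off-box.

# Print "name: state" for every pnote device in `cphaprob -i list` output
# (file $1) whose "Current state" is anything other than OK.
pnotes_in_problem() {
    awk '
        { sub(/[ \t\r]+$/, "") }    # tolerate trailing blanks / CRs
        /^Device Name:/   { sub(/^Device Name:[ \t]*/, ""); name = $0 }
        /^Current state:/ { sub(/^Current state:[ \t]*/, "")
                            if ($0 != "OK") print name ": " $0 }
    ' "$1"
}

# Print every expected member MAC that is never the source of a frame in
# `tcpdump -enni <if> port 8116` output (file $1; remaining args = MACs).
silent_ccp_members() {
    ccp_capture=$1; shift
    for ccp_mac in "$@"; do
        # With -e, field 2 is the source MAC and field 3 is ">".
        ccp_count=$(awk -v m="$ccp_mac" \
            '$3 == ">" && tolower($2) == tolower(m) { n++ } END { print n + 0 }' \
            "$ccp_capture")
        if [ "$ccp_count" -eq 0 ]; then echo "$ccp_mac"; fi
    done
}

# Constructed sample input, modelled on the output shown above.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/pnotes.txt" <<'EOF'
Device Name: Interface Active Check
Current state: problem

Device Name: Synchronization
Registration number: 0
Timeout: none
Current state: OK
EOF
# Only member 2 (fe:01) is heard here, as when a VLAN is missing on a trunk.
cat > "$SAMPLE_DIR/ccp.txt" <<'EOF'
11:13:17.497801 00:00:00:00:fe:01 > 01:00:5e:5b:66:0e, ethertype IPv4 (0x0800), length 92: > UDP, length 50
11:13:17.597743 00:00:00:00:fe:01 > 01:00:5e:5b:66:0e, ethertype IPv4 (0x0800), length 76: > UDP, length 34
EOF

pnotes_in_problem "$SAMPLE_DIR/pnotes.txt"
silent_ccp_members "$SAMPLE_DIR/ccp.txt" 00:00:00:00:fe:00 00:00:00:00:fe:01
```

Run the capture on each VLAN interface in turn; a member that is silent on only one of them points at that VLAN on its switch port.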

Note: Previous Troubleshooting Post - Checkpoint Cluster Member Down because interfaces show partially up

17. Permanently Change Global Kernel Parameter Values
Global kernel parameters exist to control (customize) the behavior of Security Gateway (kernel parameters are located in $FWDIR/boot/modules/fw*mod* kernel modules).

This control (customization) can be done on-the-fly using the fw ctl set int command (the change takes effect immediately). However, the value of the kernel parameter returns to its default value after a reboot. At times, it may be required to control (customize) the behavior of Security Gateway permanently. In addition, some kernel parameters need to be changed upon boot. The fwkern.conf file holds the values of all those kernel parameters. If it does not exist on your system, you will need to create it manually.

The Security Gateway must be rebooted after any change in the $FWDIR/boot/modules/fwkern.conf file.

[Expert@CP1:0]# cat /opt/CPsuite-R77/fw1/boot/modules/fwkern.conf 

Useful Checkpoint KBs:

  1. sk97638 - Check Point Processes and Daemons
  2. sk98348 - Best Practices - Security Gateway Performance


  1. Check Point/SPLAT/Network Debug Cheat Sheet
  2. A tcpdump Primer with Examples
  3. Check Point fw monitor cheat sheet – 20141028
  4. Check Point CLI Reference Card – 20150617 by Jens Roesen
  5. Upgrading ClusterXL Deployments(R77)