SecureXL accelerated traffic overview

Ever wondered how much of your firewall's traffic is being accelerated?
There is a nifty little command that quickly delivers an overview.

——————————————–
CP1> expert
Enter expert password:

Warning! All configuration should be done through clish
You are in expert mode now.

[Expert@CP1:0]# fwaccel stats -s
Accelerated conns/Total conns : 0/47 (0%)
Accelerated pkts/Total pkts : 0/2137973 (0%)
F2Fed pkts/Total pkts : 711845/2137973 (33%)
PXL pkts/Total pkts : 1426128/2137973 (66%)
QXL pkts/Total pkts : 0/2137973 (0%)
[Expert@CP1:0]#
——————————————–

F2Fed = Forwarded to Firewall (slow path). The packet is passed to CoreXL and on to one of the core FW instances for full processing. (If SecureXL is disabled, this is the default path for all packets.)
PXL – Technology name for the combination of SecureXL and PSL (forwarded to the medium path).
QXL – Technology name for the combination of SecureXL and QoS (R77.10 and above).

Further info: ATRG: SecureXL, SK98722.
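To turn the counters above into something a monitoring job can act on, here is an added example (not part of the original post): POSIX shell functions that parse the `fwaccel stats -s` output, report the dominant path (fast, PXL medium or F2F slow) and flag a slow-path share above a threshold. `SAMPLE_STATS` is constructed from the output quoted above; on a gateway, pipe the live command in instead.

```shell
#!/bin/sh
# Added example: read 'fwaccel stats -s' output and tell which path carries the
# traffic. SAMPLE_STATS is constructed from the output quoted in the post; on a
# gateway feed the live command instead:  fwaccel stats -s | dominant_path
SAMPLE_STATS='Accelerated conns/Total conns : 0/47 (0%)
Accelerated pkts/Total pkts : 0/2137973 (0%)
F2Fed pkts/Total pkts : 711845/2137973 (33%)
PXL pkts/Total pkts : 1426128/2137973 (66%)
QXL pkts/Total pkts : 0/2137973 (0%)'

# Print the integer percentage for one counter (e.g. "F2Fed pkts"); stats on stdin.
# The field separator splits on '(' and '%' so the percentage is field 2.
accel_pct() {
    awk -v label="$1" -F'[()%]' 'index($0, label) == 1 { print $2; exit }'
}

# Print which packet path dominates: "accelerated" (fast), "PXL" (medium) or
# "F2F" (slow). Ties go to the faster path. Stats on stdin.
dominant_path() {
    awk -F'[()%]' '
        index($0, "Accelerated pkts") == 1 { acc = $2 + 0 }
        index($0, "PXL pkts")         == 1 { pxl = $2 + 0 }
        index($0, "F2Fed pkts")       == 1 { f2f = $2 + 0 }
        END {
            best = "accelerated"; max = acc
            if (pxl > max) { best = "PXL"; max = pxl }
            if (f2f > max) { best = "F2F"; max = f2f }
            print best
        }'
}

# Return 0 when the slow-path (F2F) share is at or below LIMIT percent (default 20),
# 1 otherwise, so a cron job can alert on a gateway that is not accelerating.
f2f_within_threshold() {
    limit="${1:-20}"
    pct="$(accel_pct 'F2Fed pkts')"
    [ "${pct:-0}" -le "$limit" ]
}

# Stand-alone run against the constructed sample (prints the dominant path).
printf '%s\n' "$SAMPLE_STATS" | dominant_path
```

On the sample, 66% of packets travel the PXL medium path and 33% go F2F, so `dominant_path` reports `PXL` and a 20% slow-path threshold is exceeded; the threshold you pick should reflect the blades you have enabled, since some inspection legitimately forces traffic off the fast path.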

Change clish to bash – and back.

If you want to use WinSCP to transfer files to and from Checkpoint, you might have run into this error.

(screenshot: WinSCP login error)

This happens because WinSCP needs bash (or similar) in order to log on.
You can however change this with the following command.
Notice that you will then jump directly to Expert mode (which is bash) when logging on.

Go to Expert mode
———————————————————–
CP1> expert
Enter expert password: ***********

Warning! All configuration should be done through clish
You are in expert mode now.

Expert@CP1> chsh -s /bin/bash admin
———————————————————–

Exit the cli console, and try to log on again.
Remember that your normal admin user will now enter Expert mode the moment you log on.

———————————————————–
login as: admin
This system is for authorized use only.
admin@192.168.11.1's password:
Last login: Sat Aug 22 21:53:00 2015 from 192.168.11.109
[Expert@CP1:0]#
———————————————————–

Now try to connect with WinSCP, using your admin (now Expert mode) credentials.

(screenshot: WinSCP session)

—————————————————————————————————————————-

Q: OK, I GOT THIS! BUT HOW DO I CHANGE IT BACK TO GAIA CLISH?

Good question!

The command is almost the same; only the path to the shell is different.

———————————————————–

[Expert@CP1:0]# chsh -s /etc/cli.sh admin
Changing shell for admin.
Shell changed.
[Expert@CP1:0]#exit
logout

(Try to login again)

login as: admin
This system is for authorized use only.
admin@192.168.11.1's password:
Last login: Sat Aug 22 21:53:23 2015 from 192.168.11.109
CP1>
———————————————————–

And now the shell is back to Gaia Clish.

Creating bond interfaces on Gaia

To provide extended redundancy or throughput, you can bond interfaces.

From Gaia Clish:
(screenshot: bond interface configuration in Clish)

From the WebUI (but not if you are running VSX):

Click "Add Bond".
(screenshot: Add Bond dialog)

Choose the required interfaces, and set the Bond Group and Operation Mode:

  • Round Robin – Selects the active slave interfaces sequentially.
  • 802.3ad – Dynamically uses active slaves to share the traffic load using the IEEE 802.3ad LACP protocol.
  • XOR – Selects the algorithm for slave selection according to the TCP/IP Layer (“Layer 2”, or “Layer 3+4”).
(screenshot: bond interfaces and operation mode)

And finally set the IP address.
(screenshot: bond IP address)
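The same steps from the Clish side, as an added example that is not part of the original post: a POSIX shell function that emits the Gaia Clish commands for a bond (member interfaces, operation mode, IP address), and a wrapper that applies them with `clish -c` when run from Expert mode on a gateway. The Clish syntax used (`add bonding group`, `set bonding group ... mode`, `set bonding group ... xmit-hash-policy`, `set interface bondN ipv4-address`) is recalled from the Gaia administration guide and is an assumption here, so confirm it against your release; as in the WebUI, the member interfaces should have no IP address before they join the bond.

```shell
#!/bin/sh
# Added example: build the Gaia Clish command set that matches the WebUI steps
# (add bond, pick member interfaces, set operation mode, assign IP). The Clish
# syntax below is an assumption recalled from the Gaia admin guide; verify it
# against your release before applying.
# Usage: bond_clish_commands <bond-id> <mode> <ip> <mask-len> <iface> [iface...]
#   mode: round-robin | 8023AD | xor  (xor also needs a slave-selection hash policy)
bond_clish_commands() {
    bond_id="$1"; mode="$2"; ip="$3"; mask="$4"
    shift 4
    case "$mode" in
        round-robin|8023AD|xor) ;;
        *) echo "unsupported bond mode: $mode" >&2; return 1 ;;
    esac
    [ "$#" -ge 1 ] || { echo "at least one member interface required" >&2; return 1; }
    echo "add bonding group $bond_id"
    for iface in "$@"; do
        echo "add bonding group $bond_id interface $iface"
    done
    echo "set bonding group $bond_id mode $mode"
    # XOR selects the slave by "Layer 2" or "Layer 3+4"; pick Layer 3+4 here.
    if [ "$mode" = "xor" ]; then
        echo "set bonding group $bond_id xmit-hash-policy layer3+4"
    fi
    echo "set interface bond$bond_id ipv4-address $ip mask-length $mask"
    echo "set interface bond$bond_id state on"
    echo "save config"
}

# Apply the commands through clish when running on a Gaia box (Expert mode);
# anywhere else just print them for review.
apply_bond() {
    cmds="$(bond_clish_commands "$@")" || return 1
    if command -v clish >/dev/null 2>&1; then
        printf '%s\n' "$cmds" | while IFS= read -r c; do clish -c "$c"; done
    else
        printf '%s\n' "$cmds"
    fi
}

# Stand-alone run: an LACP bond over eth1 and eth2 (constructed values).
apply_bond 1 8023AD 10.0.0.1 24 eth1 eth2
```

Running it off-box prints the commands so you can review them before pasting them into Clish; on the gateway the same call applies them one by one and saves the configuration.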

Sync Redundancy in ClusterXL – Just because you could, does it then mean that you should?

SK92804 – Sync Redundancy in ClusterXL.
If you have ever worked with a Checkpoint cluster, my guess is that you have been using ClusterXL.

When creating a Checkpoint cluster, you will notice that you can create more than one sync interface.
In Cluster Properties > Topology you define each network and what it is used for.
The 1st Sync is defined on eth2:
(screenshot: cluster topology, 1st Sync on eth2)

and I just created a 2nd Sync network, using eth4 on both nodes.

(screenshot: cluster topology, 2nd Sync on eth4)
BUT… this could potentially be the cause of issues.

Versions affected: R70, R71, R75, R76, R77, R77.10, R77.20, R77.30

Checkpoint states that while you are able to create multiple sync interfaces in SmartDashboard, you should not do so.
By design (and real-life experience...) configuring multiple synchronization networks does not provide 100% sync redundancy.

It is still possible to configure multiple sync networks in SmartDashboard, but this is for unique special cases where the cluster administrator is unable to create Bond interfaces.

So Checkpoint advises you to bond interfaces if you want to use multiple NICs for sync redundancy.

CPUSE requires a valid license for updates. SK94508

You have just installed a new Checkpoint and have not yet installed the licences...
You want to update IPS, but receive an error when trying... BUGGER!
Checkpoint has released SK94508 to deal with the problem.

"CPUSE requires a valid license for downloads and updates. 
The trial license is currently active and will expire on DD-MMM-YYY HH:MM:SS" message in Gaia Portal 
('Upgrades (CPUSE)' pane / 'Software Updates' pane - 'Status and Actions' - "Important Messages" section at the top)

Debug of Gaia Software Updates Agent daemon (per sk92449) shows in /opt/CPInstLog/DeploymentAgent.log:
DEBUG: The user has not authorized downloads, not performing update.

Solution:
Log in to Expert mode, and perform cpstop.
Edit $CPDIR/tmp/mis_Objects.C

Modify 
from
: (DownloadAccess
   :allow_download_content (false)
to
: (DownloadAccess
   :allow_download_content (true)
Save the file.

Run cpstart.
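The edit above is a one-line change in a file that cpd rewrites, so it is worth scripting it with a backup and a sanity check. Here is an added example (not from the original post or from SK94508): a POSIX shell function that flips `allow_download_content` from `false` to `true` in the given file only when the key occurs exactly once, keeping a timestamped copy first. The sample file it runs against is constructed here for a dry run, not the real `mis_Objects.C`; on a gateway you would call `apply_sk94508` from Expert mode, which wraps the edit in `cpstop` and `cpstart` as the procedure requires. `sed -i` is the GNU form, which is what Gaia ships.

```shell
#!/bin/sh
# Added example: script the sk94508 fix (cpstop, set allow_download_content to
# true in $CPDIR/tmp/mis_Objects.C, cpstart) with a backup and a check that the
# key occurs exactly once before the file is touched.

# Rewrite ':allow_download_content (false)' to '(true)' in FILE.
# Returns 0 on success, 1 if the key is missing or ambiguous, 2 if FILE is absent.
enable_cpuse_downloads() {
    file="$1"
    [ -f "$file" ] || return 2
    count="$(grep -c ':allow_download_content' "$file" || true)"
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one allow_download_content key, found $count" >&2
        return 1
    fi
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"   # keep a copy to roll back
    sed -i 's/:allow_download_content (false)/:allow_download_content (true)/' "$file"
    grep -q ':allow_download_content (true)' "$file"   # verify the change landed
}

# Full procedure on a gateway (Expert mode): stop services, edit, start services.
# Not run in the dry run below; $CPDIR is set by the Check Point environment.
apply_sk94508() {
    cpstop && enable_cpuse_downloads "$CPDIR/tmp/mis_Objects.C" && cpstart
}

# Constructed stand-in for the DownloadAccess block of mis_Objects.C (not the real file).
make_sample_objects_file() {
    cat > "$1" <<'EOF'
(
	: (DownloadAccess
		:allow_download_content (false)
	)
)
EOF
}

# Dry run: apply the fix to the sample and print how many '(true)' lines result
# (expected 1). Returns 1 if the edit is refused.
demo_fix() {
    tmp="$(mktemp)"
    make_sample_objects_file "$tmp"
    enable_cpuse_downloads "$tmp" || return 1
    grep -c ':allow_download_content (true)' "$tmp"
    rm -f "$tmp" "$tmp".bak.*
}

demo_fix
```

Refusing to edit when the key count is not exactly one protects you from a file whose layout differs from the one quoted in the SK (a different release, or a half-written file), and the `.bak` copy makes rolling back a single `cp`.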