New Jumbo Hotfix for R77.30 – Take 145 – but not avaliable though checkpoint cloud yet.

10 May Checkpoint released a new jumbo hotfix. Take 145 – but its still not possible to download it form checkpoint cloud.

This time I have created a SR with Checkpoint, so the problem would be fixed.
Checkpoint support told me, that “We recently discovered som issues with the CPUSE package for the latest Jumbo Take 145.”
Checkpoint are currently working on fixing the issue, but if you need the update please contact Checkpoint through a Service Request, or get your Partner to do it for you.
Checkpoint Support will provide you with a legacy install package, until the CPUSE package has been fixed.

 

Tribute to our soldiers – where ever you are from

The invictus games just recently finished.
https://invictusgamesfoundation.org
We salute you all – every last one of you, for the sacrifice you made for your country, and for our freedom !

Four days of sport. Hundreds of inspiring stories. Thousands of cheering spectators. Thank you to Invictus Games Orlando 2016 for putting on such an incredible event.

Opslået af Invictus Games på 15. maj 2016

 

“It matters not how strait the gate,
      How charged with punishments the scroll,
I am the master of my fate,
      I am the captain of my soul.”

Latest Jumbo hotfix Take 143 is not avaliable – yet

If you take a look at sk106162, you will notice that the latest Jumbo Hotfix should have been avaliable, since 21’th of April.
And it might be, if one contact Checkpoint Support, and request the hotfix.

For all others, who prefer grapping it from the Checkpoint Cloud, we have to wait a bit longer.
Although Checkpoint states that it is avaliable, you cant find it, when searching for it with the webui.

143

 

 

 

 

Checkpoint could of cause have changed the naming context, but i doubth it.
I find it more likely, that someone just forgot to “publish” the download… it has happend before.

New Jumbo hotfix R77.30 – Take 128

Jumbo hotfix for R77.30 Take 128 is avaliable, and has been for a while.

Take 143 should according to checkpoint be avaliable too, but so far i cant find it in the cloud.

 

The latest Jumbo package for R77.30 is at sk106162.
jumbo1

 

 

 

 

At current writing the latest version is Take_128, but you don’t have to contact Check Point Support to get the file.
Take_117

 

 

 

 

Checkpoint follows a consistent nameing strategy, so if we know the name of a previous Jumbo package, we can figure out the name of the new one.

One of the earlier versions was  Check_Point_R77_20_JUMBO_HF_1_Bundle_T117.tgz

But we are looking for a JH for R77.30, so we will change the name a bit. We also know, that the latest Take, is 128.

So the current Jumbo Hotfix name is : Check_Point_R77_30_JUMBO_HF_1_Bundle_T128.tgz

Now go to the webui > Upgrades > Status and Actions > and choose “Add hotfixes from the cloud”

jumbo1

 

 

 

 

 

 

 

paste the name of the current Jumbo hotfix take in, and search. Click the link to add the file to your reposotory.

jumbo2

 

 

 

 

 

Now the Jumbo Hotfix is visible in your CPUSE webui, and you can download and install it.

jumbo3

R80 has been released

Checkpoints new Major upgrade R80 is now avaliable.

Take a look at sk108623 for further info – and if you choose to upgrade rather than performing a clean install, remember to take a good look at sk91060 first.  (Removing old Check Point packages and files after an upgrade)

So whats new with R80.

The most valuable feature imo. is that several administrators can work in parallel, on the same security policy. This has been a limitation earlier, as large scale deployments often required several different administrators to perform security tasks on the same ruleset. This has not been possible, as only one administrator at a time could write to the database.

(Looking forward to test this feature !)

Checkpoint write on their website:

  • Multiple administrators can log-in and work in read-write mode on the same security policy without interrupting each other’s work.
  • A new advanced locking mechanism is introduced, enabling concurrent administration.
  • Objects that one administrator manages can be locked from overwrites or conflicts by other administrators.

This all looks good, but be aware, that things have changed a bit. Be prepared for the new look, get to know it, and embrace it….

Notice, that at this moment, the R80 is not visible when using the “Upgrade wizard” at checkpoints website.

Search for R80 in the “Support Center” at Checkpoint

sk108623

New Jumbo hotfix Take 117

Its been a while since my last post, so here’s a short one about Jumbo packages.

 

The latest Jumbo package for R77.30 is at sk106162.
jumbo1

 

 

 

At current writing the latest version is Take_117, but you don’t have to contact Check Point Support to get the file.
Take_117

 

 

 

Checkpoint follows a consistent nameing strategy, so if we know the name of a previous Jumbo package, we can figure out the name of the new one.

One of the earlier versions was  Check_Point_R77_20_JUMBO_HF_1_Bundle_T94.tgz

But we are looking for a JH for R77.30, so we will change the name a bit. We also know, that the latest Take, is 117.

So the current Jumbo Hotfix name is : Check_Point_R77_30_JUMBO_HF_1_Bundle_T117.tgz

 

Now go to the webui > Upgrades > Status and Actions > and choose “Add hotfixes from the cloud”

jumbo1

 

 

 

 

 

 

paste the name of the current Jumbo hotfix take in, and search. Click the link to add the file to your reposotory.

jumbo2

 

 

 

 

 

Now the Jumbo Hotfix is visible in your CPUSE webui, and you can download and install it.

jumbo3

 

Run ssh from cmd

If your are working with x-nix machines, chances are that you either use a Mac og a linux distribution.
But for those of us, where this is not an option, we have for years been forced to use putty.exe or winscp. These are of cause great tools, but it´s with envy that i watch my collegues when they connect with ssh directly form a terminal on their mac.

The other day i stumpled upon openssh for windows.
http://sourceforge.net/projects/opensshwindows/?source=recommended
http://opensshwindows.sourceforge.net/

The version that i installed is OpenSSHWindows53p1-2.msi

Download it and run the install, in my case it installed to   C:\Program Files (x86)\OpenSSH for Windows

Now the fun part – make openssh run from any commandline.

    1. rightclick “computer” and choose properties.
    2. Choose Adcanced system settings
    3. Choose Enviroment variables
    4. in systemvariables, fint “Path” and choose “Edit”
    5. copy the installation path of openssh (notice that you have to go into the “bin” directory to find the *.exe files)
    6. Paste the full path, and use semicolon as seperator “;”  ;C:\Program Files (x86)\OpenSSH for Windows\bin

miljøvariabler

 

press “OK” and close the windows.
now open a cmd window and type ssh.

The output should look somthing like this.

ssh

 

The commands are very easy   ssh admin@xxx.xxx.xxx.xxxssh2

 

I hope that this can make your daily work slightly less anoying when working with ssh.

Have a great weekend.

SecureXL accelerated traffic overview

Ever wonder about how much of your firewalls traffic is being accelerated ?
There is a nifty little command, which quickly delivers a overview.

——————————————–
CP1> expert
Enter expert password:

Warning! All configuration should be done through clish
You are in expert mode now.

[Expert@CP1:0]# fwaccel stats -s
Accelerated conns/Total conns : 0/47 (0{660587945da3d28a1fd29f93b9f96b8a9cf4237460baa7c708dfe4eec8fd0540})
Accelerated pkts/Total pkts : 0/2137973 (0{660587945da3d28a1fd29f93b9f96b8a9cf4237460baa7c708dfe4eec8fd0540})
F2Fed pkts/Total pkts : 711845/2137973 (33{660587945da3d28a1fd29f93b9f96b8a9cf4237460baa7c708dfe4eec8fd0540})
PXL pkts/Total pkts : 1426128/2137973 (66{660587945da3d28a1fd29f93b9f96b8a9cf4237460baa7c708dfe4eec8fd0540})
QXL pkts/Total pkts : 0/2137973 (0{660587945da3d28a1fd29f93b9f96b8a9cf4237460baa7c708dfe4eec8fd0540})
[Expert@CP1:0]#
——————————————–

F2Fed = Forwarded to Firewall (Slow path) Packet is passed to the CoreXL and to one of the Core FW instances for full processing. (If SecureXL is disabled, this is the default path for all packets)
PXL – Technology name for combination of SecureXL and PSL. (Forwarded to medium path)
QXL – Technology name for combination of SecureXL and QoS (R77.10 and above).

 

Further info on ATRG: SecureXL  SK98722

Change clish to bash – and back.

If you want to use winscp to transfer files, to and from Checkpoint, you might have run into this error.

winscp

This happens because winscp needs bash (or simular) in order to log on.
You can however change this, with the following command.
Notice that you will jump directly to Expert mode (which is bash) when loggin on.

Go to Expert mode
———————————————————–
CP1> expert
Enter expert password: ***********

Warning! All configuration should be done through clish
You are in expert mode now.

Expert@CP1> chsh -s /bin/bash admin
———————————————————–

Exit the cli console, and try to log on again.
Remember, that your normal admin user, now will enter Expert mode the moment you log on.

———————————————————–
login as: admin
This system is for authorized use only.
admin@192.168.11.1’s password:
Last login: Sat Aug 22 21:53:00 2015 from 192.168.11.109
[Expert@CP1:0]#
———————————————————–

Now try to connect with winscp, using your admin (now expert mode) credentials.

winscp 2

—————————————————————————————————————————-

Q:   OK I GOT THIS !  BUT HOW DO I CHANGE IT BACK TO GAIA CLISH ?

Good question !

The command is almost the same, only the directory of shell is different.

———————————————————–

[Expert@CP1:0]# chsh -s /etc/cli.sh admin
Changing shell for admin.
Shell changed.
[Expert@CP1:0]#exit
logout

(Try to login again)

login as: admin
This system is for authorized use only.
admin@192.168.11.1’s password:
Last login: Sat Aug 22 21:53:23 2015 from 192.168.11.109
CP1>
———————————————————–

And now the shell is back to Gaia Clish.


You might also be interested in  Change your clish to bash – from cli

Creating bond interfaces on Gaia

To provide extended redundancy or throughput, you can bond interfaces.

From Gaia Clish:
Bond interface

 

 

From the webui
(but not if you are running vsx)

Click “Add Bond”
wbond1

Chose the required interfaces, and set the Bond Group and Operation mode

  • Round Robin – Selects the active slave interfaces sequentially.
  • 802.3ad – Dynamically uses active slaves to share the traffic load using the IEEE 802.3ad LACP protocol.
  • XOR – Selects the algorithm for slave selection according to the TCP/IP Layer (“Layer 2”, or “Layer 3+4”).
    wbond2

And finally set the ip address.
wbond3