Latest Jumbo hotfix Take 143 is not available – yet

If you take a look at sk106162, you will notice that the latest Jumbo Hotfix should have been available since the 21st of April.
And it might be, if you contact Check Point Support and request the hotfix.

For all others, who prefer grabbing it from the Check Point cloud, we have to wait a bit longer.
Although Check Point states that it is available, you can't find it when searching for it with the WebUI.

Check Point could of course have changed the naming convention, but I doubt it.
I find it more likely that someone just forgot to "publish" the download… it has happened before.

New Jumbo hotfix R77.30 – Take 128

Jumbo Hotfix for R77.30 Take 128 is available, and has been for a while.

Take 143 should, according to Check Point, be available too, but so far I can't find it in the cloud.

The latest Jumbo package for R77.30 is at sk106162.

At current writing the latest version is Take_128, but you don’t have to contact Check Point Support to get the file.

Check Point follows a consistent naming strategy, so if we know the name of a previous Jumbo package, we can figure out the name of the new one.

One of the earlier versions was Check_Point_R77_20_JUMBO_HF_1_Bundle_T117.tgz

But we are looking for a JH for R77.30, so we will change the name a bit. We also know that the latest Take is 128.

So the current Jumbo Hotfix name is: Check_Point_R77_30_JUMBO_HF_1_Bundle_T128.tgz

Now go to the WebUI > Upgrades > Status and Actions > and choose "Add hotfixes from the cloud".

Paste the name of the current Jumbo Hotfix take in, and search. Click the link to add the file to your repository.

Now the Jumbo Hotfix is visible in your CPUSE WebUI, and you can download and install it.

R80 has been released

Check Point's new major upgrade R80 is now available.

Take a look at sk108623 for further info – and if you choose to upgrade rather than perform a clean install, remember to take a good look at sk91060 first (Removing old Check Point packages and files after an upgrade).

So what's new with R80?

The most valuable feature, imo, is that several administrators can work in parallel on the same security policy. This has been a limitation earlier, as large-scale deployments often required several different administrators to perform security tasks on the same ruleset. This has not been possible, as only one administrator at a time could write to the database.

(Looking forward to testing this feature!)

Check Point writes on their website:

  • Multiple administrators can log-in and work in read-write mode on the same security policy without interrupting each other’s work.
  • A new advanced locking mechanism is introduced, enabling concurrent administration.
  • Objects that one administrator manages can be locked from overwrites or conflicts by other administrators.

This all looks good, but be aware that things have changed a bit. Be prepared for the new look, get to know it, and embrace it…

Notice that at this moment, R80 is not visible when using the "Upgrade wizard" at Check Point's website.

Search for R80 in the "Support Center" or follow my link here: "Download Checkpoint R80"

New Jumbo hotfix Take 117

It's been a while since my last post, so here's a short one about Jumbo packages.

The latest Jumbo package for R77.30 is at sk106162.

At current writing the latest version is Take_117, but you don’t have to contact Check Point Support to get the file.

Check Point follows a consistent naming strategy, so if we know the name of a previous Jumbo package, we can figure out the name of the new one.

One of the earlier versions was Check_Point_R77_20_JUMBO_HF_1_Bundle_T94.tgz

But we are looking for a JH for R77.30, so we will change the name a bit. We also know that the latest Take is 117.

So the current Jumbo Hotfix name is: Check_Point_R77_30_JUMBO_HF_1_Bundle_T117.tgz

Now go to the WebUI > Upgrades > Status and Actions > and choose "Add hotfixes from the cloud".

Paste the name of the current Jumbo Hotfix take in, and search. Click the link to add the file to your repository.

Now the Jumbo Hotfix is visible in your CPUSE WebUI, and you can download and install it.

SecureXL accelerated traffic overview

Ever wonder how much of your firewall's traffic is being accelerated?
There is a nifty little command which quickly delivers an overview.

——————————————–
CP1> expert
Enter expert password:

Warning! All configuration should be done through clish
You are in expert mode now.

[Expert@CP1:0]# fwaccel stats -s
Accelerated conns/Total conns : 0/47 (0%)
Accelerated pkts/Total pkts : 0/2137973 (0%)
F2Fed pkts/Total pkts : 711845/2137973 (33%)
PXL pkts/Total pkts : 1426128/2137973 (66%)
QXL pkts/Total pkts : 0/2137973 (0%)
[Expert@CP1:0]#
——————————————–

F2Fed = Forwarded to Firewall (slow path). The packet is passed to CoreXL and to one of the CoreXL FW instances for full processing. (If SecureXL is disabled, this is the default path for all packets.)
PXL – Technology name for the combination of SecureXL and PSL (forwarded to the medium path).
QXL – Technology name for the combination of SecureXL and QoS (R77.10 and above).
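
As an added example (not from the original post), here is a small POSIX sh script that recomputes each path's share from the raw `fwaccel stats -s` counters rather than trusting the rounded "(33%)" column, and flags a gateway whose slow path carries more than a chosen share of packets. The sample output is a constructed copy of the figures above, and the 25% threshold is an arbitrary assumption.

```shell
#!/bin/sh
# Added example, not Check Point code: recompute per-path shares from the
# `fwaccel stats -s` counters and flag too much slow-path (F2F) traffic.
# FWACCEL_SAMPLE is a constructed copy of the counters shown in the post;
# on a real gateway you would feed it the live `fwaccel stats -s` output.

FWACCEL_SAMPLE='Accelerated conns/Total conns : 0/47 (0%)
Accelerated pkts/Total pkts : 0/2137973 (0%)
F2Fed pkts/Total pkts : 711845/2137973 (33%)
PXL pkts/Total pkts : 1426128/2137973 (66%)
QXL pkts/Total pkts : 0/2137973 (0%)'

# path_pct LABEL UNIT : integer percentage of UNIT (conns|pkts) handled by
# path LABEL (Accelerated, F2Fed, PXL, QXL), computed from the raw counters.
path_pct() {
    label=$1 unit=$2
    while IFS= read -r line; do
        case $line in
            "$label $unit/Total $unit : "*)
                counters=${line#*: }        # "711845/2137973 (33%)"
                counters=${counters%% *}    # "711845/2137973"
                num=${counters%/*}
                den=${counters#*/}
                if [ "$den" -gt 0 ]; then
                    echo $(( num * 100 / den ))
                else
                    echo 0                  # no traffic counted yet
                fi
                return 0
                ;;
        esac
    done <<EOF
$FWACCEL_SAMPLE
EOF
    echo "unknown path: $label $unit" >&2
    return 1
}

# slow_path_verdict MAX_F2F_PCT : "warn" when more than MAX_F2F_PCT percent
# of packets are forwarded to the firewall (slow path), "ok" otherwise.
slow_path_verdict() {
    f2f=$(path_pct F2Fed pkts) || return 1
    if [ "$f2f" -gt "$1" ]; then echo warn; else echo ok; fi
}

for p in Accelerated F2Fed PXL QXL; do
    printf '%-12s %3d%% of packets\n' "$p" "$(path_pct "$p" pkts)"
done
echo "verdict (F2F > 25%): $(slow_path_verdict 25)"
```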

Further info in ATRG: SecureXL, sk98722.

Change clish to bash – and back.

If you want to use WinSCP to transfer files to and from Check Point, you might have run into this error.

[Screenshot: WinSCP error]

This happens because WinSCP needs bash (or similar) in order to log on.
You can however change this with the following command.
Notice that you will jump directly to Expert mode (which is bash) when logging on.

Go to Expert mode
———————————————————–
CP1> expert
Enter expert password: ***********

Warning! All configuration should be done through clish
You are in expert mode now.

Expert@CP1> chsh -s /bin/bash admin
———————————————————–

Exit the CLI console, and try to log on again.
Remember that your normal admin user will now enter Expert mode the moment you log on.

———————————————————–
login as: admin
This system is for authorized use only.
admin@192.168.11.1’s password:
Last login: Sat Aug 22 21:53:00 2015 from 192.168.11.109
[Expert@CP1:0]#
———————————————————–

Now try to connect with WinSCP, using your admin (now Expert mode) credentials.

[Screenshot: WinSCP session]

—————————————————————————————————————————-

Q: OK I GOT THIS! BUT HOW DO I CHANGE IT BACK TO GAIA CLISH?

Good question!

The command is almost the same, only the path of the shell is different.

———————————————————–

[Expert@CP1:0]# chsh -s /etc/cli.sh admin
Changing shell for admin.
Shell changed.
[Expert@CP1:0]#exit
logout

(Try to login again)

login as: admin
This system is for authorized use only.
admin@192.168.11.1’s password:
Last login: Sat Aug 22 21:53:23 2015 from 192.168.11.109
CP1>
———————————————————–

And now the shell is back to Gaia Clish.

Creating bond interfaces on Gaia

To provide extended redundancy or throughput, you can bond interfaces.

From Gaia Clish:
[Screenshot: Bond interface configuration]

From the WebUI
(but not if you are running VSX)

Click “Add Bond”

Choose the required interfaces, and set the Bond Group and Operation mode:

  • Round Robin – Selects the active slave interfaces sequentially.
  • 802.3ad – Dynamically uses active slaves to share the traffic load using the IEEE 802.3ad LACP protocol.
  • XOR – Selects the algorithm for slave selection according to the TCP/IP Layer (“Layer 2”, or “Layer 3+4”).

And finally set the IP address.

Sync Redundancy in ClusterXL – Just because you could, does it then mean that you should ?

sk92804 – Sync Redundancy in ClusterXL.
If you have ever worked with a Check Point cluster, my guess is that you have been using ClusterXL.

When creating a Check Point cluster, you will notice that you have the possibility to create more than one sync interface.
In Cluster properties > Topology, you have the option to define the network and what it is used for.
The 1st Sync is defined on eth2

and I just created a 2nd Sync network, using eth4 on both nodes.

BUT… this could potentially be the cause of issues.

Versions affected: R70,R71,R75,R76,R77,R77.10,R77.20,R77.30

Check Point states that while you are able to create multiple sync interfaces in SmartDashboard, you should not do so.
By design (and real-life experience…), configuring multiple synchronization networks does not provide 100% sync redundancy.

It is still possible to configure multiple sync networks in SmartDashboard, but this is for unique special cases where the cluster administrator is unable to create bond interfaces.

So Check Point advises you to bond interfaces if you want to use multiple NICs for sync redundancy.

CPUSE requires a valid license for updates. SK94508

You have just installed a new Check Point, and have not yet installed the licenses...
You want to update IPS, but receive an error when trying... BUGGER!
Check Point have released sk94508 to deal with the problem.

"CPUSE requires a valid license for downloads and updates. 
The trial license is currently active and will expire on DD-MMM-YYY HH:MM:SS" message in Gaia Portal 
('Upgrades (CPUSE)' pane / 'Software Updates' pane - 'Status and Actions' - "Important Messages" section at the top)

Debug of Gaia Software Updates Agent daemon (per sk92449) shows in /opt/CPInstLog/DeploymentAgent.log:
DEBUG: The user has not authorized downloads, not performing update.

Solution:
Log in to Expert mode, and perform cpstop.
Edit $CPDIR/tmp/mis_Objects.C

Modify 
from
: (DownloadAccess
   :allow_download_content (false)
to
: (DownloadAccess
   :allow_download_content (true)
Save the file.

Run cpstart.