New Jumbo hotfix Take 117

It's been a while since my last post, so here's a short one about Jumbo packages.

The latest Jumbo package for R77.30 is at sk106162.
At the time of writing the latest version is Take_117, but you don't have to contact Check Point Support to get the file.

Check Point follows a consistent naming strategy, so if we know the name of a previous Jumbo package, we can work out the name of the new one.

One of the earlier versions was Check_Point_R77_20_JUMBO_HF_1_Bundle_T94.tgz

But we are looking for a Jumbo Hotfix for R77.30, so we change the version part of the name. We also know that the latest Take is 117.

So the current Jumbo Hotfix name is: Check_Point_R77_30_JUMBO_HF_1_Bundle_T117.tgz

Now go to the webui > Upgrades > Status and Actions and choose “Add hotfixes from the cloud”.

Paste the name of the current Jumbo Hotfix take in and search. Click the link to add the file to your repository.

Now the Jumbo Hotfix is visible in your CPUSE webui, and you can download and install it.

Run ssh from cmd

If you work with *nix machines, chances are that you use either a Mac or a Linux distribution.
But for those of us where this is not an option, we have for years been forced to use putty.exe or WinSCP. These are of course great tools, but it's with envy that I watch my colleagues connect with ssh directly from a terminal on their Mac.

The other day I stumbled upon OpenSSH for Windows.
http://sourceforge.net/projects/opensshwindows/?source=recommended
http://opensshwindows.sourceforge.net/

The version that I installed is OpenSSHWindows53p1-2.msi

Download it and run the installer; in my case it installed to C:\Program Files (x86)\OpenSSH for Windows

Now the fun part – make OpenSSH run from any command line.

    1. Right-click “Computer” and choose Properties.
    2. Choose Advanced system settings.
    3. Choose Environment Variables.
    4. Under System variables, find “Path” and choose “Edit”.
    5. Copy the installation path of OpenSSH (notice that you have to go into the “bin” directory to find the *.exe files).
    6. Paste the full path, using a semicolon “;” as separator: ;C:\Program Files (x86)\OpenSSH for Windows\bin

Press “OK” and close the windows.
Now open a cmd window and type ssh.

The output should look something like this.

The commands are very easy: ssh admin@xxx.xxx.xxx.xxx

I hope that this makes your daily work slightly less annoying when working with ssh.

Have a great weekend.

SecureXL accelerated traffic overview

Ever wondered how much of your firewall's traffic is being accelerated?
There is a nifty little command which quickly delivers an overview.

——————————————–
CP1> expert
Enter expert password:

Warning! All configuration should be done through clish
You are in expert mode now.

[Expert@CP1:0]# fwaccel stats -s
Accelerated conns/Total conns : 0/47 (0%)
Accelerated pkts/Total pkts : 0/2137973 (0%)
F2Fed pkts/Total pkts : 711845/2137973 (33%)
PXL pkts/Total pkts : 1426128/2137973 (66%)
QXL pkts/Total pkts : 0/2137973 (0%)
[Expert@CP1:0]#
——————————————–

F2Fed = Forwarded to Firewall (slow path). The packet is passed to CoreXL and on to one of the FW instances for full processing. (If SecureXL is disabled, this is the default path for all packets.)
PXL – Technology name for the combination of SecureXL and PSL (forwarded to the medium path).
QXL – Technology name for the combination of SecureXL and QoS (R77.10 and above).

Further info in ATRG: SecureXL, SK98722
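As an added example (not from the original post), here is a small POSIX shell script that reads the fwaccel stats -s output quoted above and turns it into a per-path summary, with a warning when the slow path (F2F) carries more than a chosen share of all packets. The sample output is the block from the post, embedded so the script runs offline; on a gateway you would pipe the live command into securexl_report instead.

```shell
#!/bin/sh
# Added example (not from the original post): summarise "fwaccel stats -s"
# output per path and warn when the slow path carries too much traffic.
# SAMPLE_STATS is the output quoted in the post, embedded here so the script
# runs offline; on a gateway use:  fwaccel stats -s | securexl_report 50
SAMPLE_STATS='Accelerated conns/Total conns : 0/47 (0%)
Accelerated pkts/Total pkts : 0/2137973 (0%)
F2Fed pkts/Total pkts : 711845/2137973 (33%)
PXL pkts/Total pkts : 1426128/2137973 (66%)
QXL pkts/Total pkts : 0/2137973 (0%)'

# securexl_path_pct <path>: print the integer percentage reported for one
# packet path (Accelerated, F2Fed, PXL or QXL) read from stdin, or -1 if
# that path does not appear in the input.
securexl_path_pct() {
    awk -v label="$1" '
        # only the "pkts/Total" lines; the conns line has a different 2nd field
        $1 == label && $2 == "pkts/Total" {
            gsub(/[()%]/, "", $NF)      # "(33%)" -> "33"
            print $NF
            found = 1
        }
        END { if (!found) print "-1" }'
}

# securexl_report [threshold]: read "fwaccel stats -s" output on stdin,
# print one line per packet path with an exact percentage computed from the
# raw counters, and exit 1 when F2F (slow path) exceeds <threshold> percent
# of all packets (default 50).
securexl_report() {
    threshold="${1:-50}"
    awk -v threshold="$threshold" '
        $2 == "pkts/Total" {
            split($5, c, "/")           # c[1] = path packets, c[2] = total packets
            pct = (c[2] > 0) ? 100 * c[1] / c[2] : 0
            printf "%-12s %10d of %10d packets (%5.1f%%)\n", $1, c[1], c[2], pct
            if ($1 == "F2Fed") f2f = pct
        }
        END {
            if (f2f > threshold) {
                printf "WARNING: %.1f%% of packets are handled in the slow path (threshold %d%%)\n", f2f, threshold
                exit 1
            }
        }'
}

# Stand-alone run against the embedded sample.
printf '%s\n' "$SAMPLE_STATS" | securexl_report 50
```

The exit status makes the report usable from a cron job or monitoring check: a non-zero result on a gateway that normally accelerates most traffic is a quick hint that a blade or a policy change has pushed connections to the slow path.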

Change clish to bash – and back.

If you want to use WinSCP to transfer files to and from Check Point, you might have run into this error.

This happens because WinSCP needs bash (or similar) in order to log on.
You can however change this with the following command.
Notice that you will then land directly in Expert mode (which is bash) when logging on.

Go to Expert mode
———————————————————–
CP1> expert
Enter expert password: ***********

Warning! All configuration should be done through clish
You are in expert mode now.

Expert@CP1> chsh -s /bin/bash admin
———————————————————–

Exit the CLI console and try to log on again.
Remember that your normal admin user will now enter Expert mode the moment you log on.

———————————————————–
login as: admin
This system is for authorized use only.
admin@192.168.11.1's password:
Last login: Sat Aug 22 21:53:00 2015 from 192.168.11.109
[Expert@CP1:0]#
———————————————————–

Now try to connect with WinSCP, using your admin (now Expert mode) credentials.

—————————————————————————————————————————-

Q:   OK I GOT THIS !  BUT HOW DO I CHANGE IT BACK TO GAIA CLISH ?

Good question !

The command is almost the same; only the path of the shell is different.

———————————————————–

[Expert@CP1:0]# chsh -s /etc/cli.sh admin
Changing shell for admin.
Shell changed.
[Expert@CP1:0]#exit
logout

(Try to login again)

login as: admin
This system is for authorized use only.
admin@192.168.11.1's password:
Last login: Sat Aug 22 21:53:23 2015 from 192.168.11.109
CP1>
———————————————————–

And now the shell is back to Gaia Clish.

Creating bond interfaces on Gaia

To provide extra redundancy or throughput, you can bond interfaces.

From Gaia Clish:

From the webui
(but not if you are running VSX)

Click “Add Bond”

Choose the required interfaces, and set the Bond Group and Operation mode:

  • Round Robin – Selects the active slave interfaces sequentially.
  • 802.3ad – Dynamically uses active slaves to share the traffic load using the IEEE 802.3ad LACP protocol.
  • XOR – Selects the algorithm for slave selection according to the TCP/IP layer (“Layer 2” or “Layer 3+4”).

And finally set the IP address.
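For the “From Gaia Clish” part, here is an added example (not from the original post) that builds the same bond from the choices the webui asks for, as a list of clish commands you can review before running them through clish -c from Expert mode. The clish keywords (add/set bonding group, the mode names round-robin, active-backup, xor and 8023AD, and xmit-hash-policy layer2 or layer3+4) are assumed from the Gaia administration guide rather than taken from the post; the interface names and addresses are constructed sample values, and the slave interfaces are assumed to carry no IP address before they are added.

```shell
#!/bin/sh
# Added example (not from the original post): generate the Gaia clish
# commands for a bond from the same choices the webui asks for and apply
# them with "clish -c" from Expert mode.
# Assumptions: the clish keywords (add/set bonding group, mode round-robin |
# active-backup | xor | 8023AD, xmit-hash-policy layer2 | layer3+4) are taken
# from the Gaia administration guide, not from the post; the slave interfaces
# must not carry an IP address before they are added; addresses below are
# constructed sample values.

# gaia_bond_commands <group> <mode> <xmit-hash> <ipv4> <masklen> <iface>...
# Print one clish command per line, or return 1 on a bad mode, a bad hash
# policy, or fewer than two slave interfaces (one member gives no redundancy).
gaia_bond_commands() {
    [ "$#" -ge 7 ] || { echo "usage: gaia_bond_commands group mode hash ip masklen iface iface..." >&2; return 1; }
    group="$1"; mode="$2"; hash="$3"; ip="$4"; masklen="$5"
    shift 5
    case "$mode" in
        round-robin|active-backup|xor|8023AD) ;;
        *) echo "unsupported bond mode: $mode" >&2; return 1 ;;
    esac
    case "$hash" in
        layer2|layer3+4) ;;
        *) echo "unsupported xmit-hash-policy: $hash" >&2; return 1 ;;
    esac
    echo "add bonding group $group"
    for iface in "$@"; do
        echo "add bonding group $group interface $iface"
    done
    echo "set bonding group $group mode $mode"
    case "$mode" in
        # the hash policy only matters for the modes that spread traffic by hash
        xor|8023AD) echo "set bonding group $group xmit-hash-policy $hash" ;;
    esac
    echo "set interface bond$group ipv4-address $ip mask-length $masklen"
    echo "set interface bond$group state on"
    echo "save config"
}

# gaia_bond_apply <same arguments>: run each generated command through
# clish -c; stops at the first command clish rejects.
gaia_bond_apply() {
    cmds=$(gaia_bond_commands "$@") || return 1
    printf '%s\n' "$cmds" | while IFS= read -r cmd; do
        clish -c "$cmd" || exit 1      # leaves only the pipeline subshell
    done
}

# Stand-alone run: show the commands for an 802.3ad bond of eth2 and eth4
# (the same mode choices the webui lists: Round Robin, 802.3ad, XOR).
gaia_bond_commands 1 8023AD layer3+4 192.168.50.1 24 eth2 eth4
```

Generating the command list first and applying it in a second step keeps the change reviewable, which matters on a cluster member where a half-applied bond takes the sync or management path down.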

Sync Redundancy in ClusterXL – Just because you could, does it then mean that you should?

SK92804 – Sync Redundancy in ClusterXL.
If you have ever worked with a Check Point cluster, my guess is that you have been using ClusterXL.

When creating a Check Point cluster, you will notice that you have the possibility to create more than one sync interface.
In Cluster Properties > Topology, you have the option to define the network and what it is used for.
The 1st Sync is defined on eth2

and I just created a 2nd Sync network, using eth4 on both nodes.

BUT… this could potentially be the cause of issues.

Versions affected: R70, R71, R75, R76, R77, R77.10, R77.20, R77.30

Check Point states that, while you are able to create multiple sync interfaces in SmartDashboard, you should not do so.
By design (and real-life experience...) configuring multiple synchronization networks does not provide 100% sync redundancy.

It is still possible to configure multiple sync networks in SmartDashboard, but this is for unique special cases where the cluster administrator is unable to create bond interfaces.

So Check Point advises you to bond interfaces if you want to use multiple NICs for sync redundancy.

CPUSE requires a valid license for updates. SK94508

You have just installed a new Check Point gateway and have not yet installed the licences...
You want to update IPS but receive an error when trying... BUGGER!
Check Point has released SK94508 to deal with the problem.

"CPUSE requires a valid license for downloads and updates. 
The trial license is currently active and will expire on DD-MMM-YYY HH:MM:SS" message in Gaia Portal 
('Upgrades (CPUSE)' pane / 'Software Updates' pane - 'Status and Actions' - "Important Messages" section at the top)

Debug of Gaia Software Updates Agent daemon (per sk92449) shows in /opt/CPInstLog/DeploymentAgent.log:
DEBUG: The user has not authorized downloads, not performing update.

Solution:
Log in to Expert mode and run cpstop.
Edit $CPDIR/tmp/mis_Objects.C

Modify 
from
: (DownloadAccess
   :allow_download_content (false)
to
: (DownloadAccess
   :allow_download_content (true)
Save the file.

Run cpstart.
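As an added example, not part of the post or of SK94508, the following shell script makes the same mis_Objects.C edit as the Solution steps above, but takes a backup first and refuses to rewrite the file unless exactly one allow_download_content line is present, so an unexpected file layout is never touched. The file content used here is a constructed fragment with the shape shown in the post; on a gateway the real path is $CPDIR/tmp/mis_Objects.C, and the edit belongs between cpstop and cpstart exactly as the post describes.

```shell
#!/bin/sh
# Added example (not from the post or from sk94508): script the
# mis_Objects.C edit with a backup and a sanity check. SAMPLE_MIS_OBJECTS is a
# constructed fragment with the shape the post shows; the real file on a
# gateway is $CPDIR/tmp/mis_Objects.C and has many more keys, and the edit
# is done between cpstop and cpstart as in the post.
SAMPLE_MIS_OBJECTS=': (DownloadAccess
   :allow_download_content (false)
)'

# write_sample_mis_objects <path>: create the constructed sample file.
write_sample_mis_objects() {
    printf '%s\n' "$SAMPLE_MIS_OBJECTS" > "$1"
}

# cpuse_downloads_allowed <file>: succeed if allow_download_content is (true).
cpuse_downloads_allowed() {
    grep -q '^[[:space:]]*:allow_download_content[[:space:]]*(true)' "$1"
}

# enable_cpuse_downloads <file>: back the file up to <file>.bak and rewrite
# only the allow_download_content line. Returns 1 if the file is missing or
# the key does not occur exactly once, so nothing unexpected gets rewritten.
enable_cpuse_downloads() {
    f="$1"
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    n=$(grep -c '^[[:space:]]*:allow_download_content' "$f" || true)
    [ "$n" -eq 1 ] || { echo "expected one allow_download_content line, found $n" >&2; return 1; }
    cp -p "$f" "$f.bak" || return 1       # keep a copy to restore if cpstart misbehaves
    # portable in-place edit (sed -i differs between GNU and BSD sed)
    sed 's/^\([[:space:]]*:allow_download_content[[:space:]]*\)(false)/\1(true)/' "$f" > "$f.new" || return 1
    mv "$f.new" "$f" || return 1
    cpuse_downloads_allowed "$f"
}

# Stand-alone run against the constructed sample in a temporary file.
demo=$(mktemp)
write_sample_mis_objects "$demo"
enable_cpuse_downloads "$demo" && echo "enabled in $demo (backup in $demo.bak)"
rm -f "$demo" "$demo.bak"
```

The backup copy is what you restore if the gateway does not come back cleanly after cpstart; the count check is there because the same key name appearing twice would mean the file is not the one you expected to be editing.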