R80 has been released

Check Point's new major upgrade, R80, is now available.

Take a look at sk108623 for further info, and if you choose to upgrade rather than performing a clean install, remember to take a good look at sk91060 first (Removing old Check Point packages and files after an upgrade).

So what's new with R80?

The most valuable feature, in my opinion, is that several administrators can work in parallel on the same security policy. This has been a limitation earlier, as large-scale deployments often required several different administrators to perform security tasks on the same ruleset. That has not been possible, because only one administrator at a time could write to the database.

(Looking forward to testing this feature!)

Check Point writes on their website:

  • Multiple administrators can log in and work in read-write mode on the same security policy without interrupting each other’s work.
  • A new advanced locking mechanism is introduced, enabling concurrent administration.
  • Objects that one administrator manages can be locked from overwrites or conflicts by other administrators.

This all looks good, but be aware that things have changed a bit. Be prepared for the new look, get to know it, and embrace it.

Notice that at this moment, R80 is not visible when using the “Upgrade wizard” on Check Point's website.

Search for R80 in the “Support Center” at Check Point's website.

New Jumbo hotfix Take 117

It's been a while since my last post, so here's a short one about Jumbo packages.

The latest Jumbo package for R77.30 is at sk106162.

At the time of writing the latest version is Take_117, but you don't have to contact Check Point Support to get the file.

Check Point follows a consistent naming strategy, so if we know the name of a previous Jumbo package, we can figure out the name of the new one.

One of the earlier versions was Check_Point_R77_20_JUMBO_HF_1_Bundle_T94.tgz

But we are looking for a Jumbo Hotfix for R77.30, so we will change the name a bit. We also know that the latest Take is 117.

So the current Jumbo Hotfix name is: Check_Point_R77_30_JUMBO_HF_1_Bundle_T117.tgz

Now go to the WebUI > Upgrades > Status and Actions, and choose “Add hotfixes from the cloud”.

Paste the name of the current Jumbo Hotfix take in, and search. Click the link to add the file to your repository.

Now the Jumbo Hotfix is visible in your CPUSE WebUI, and you can download and install it.

Run ssh from cmd

If you are working with *nix machines, chances are that you use either a Mac or a Linux distribution.
But for those of us where this is not an option, we have for years been forced to use putty.exe or WinSCP. These are of course great tools, but it's with envy that I watch my colleagues when they connect with ssh directly from a terminal on their Mac.

The other day I stumbled upon OpenSSH for Windows.

The version that I installed is OpenSSHWindows53p1-2.msi

Download it and run the installer; in my case it installed to C:\Program Files (x86)\OpenSSH for Windows

Now the fun part: make OpenSSH run from any command line.

    1. Right-click “Computer” and choose Properties.
    2. Choose Advanced system settings.
    3. Choose Environment Variables.
    4. In System variables, find “Path” and choose “Edit”.
    5. Copy the installation path of OpenSSH (notice that you have to go into the “bin” directory to find the *.exe files).
    6. Paste the full path, using a semicolon “;” as separator: ;C:\Program Files (x86)\OpenSSH for Windows\bin

Press “OK” and close the windows.
Now open a cmd window and type ssh.

The output should look something like this.

The commands are very easy: ssh admin@xxx.xxx.xxx.xxx

I hope that this can make your daily work slightly less annoying when working with ssh.

Have a great weekend.

SecureXL accelerated traffic overview

Ever wondered how much of your firewall's traffic is being accelerated?
There is a nifty little command which quickly delivers an overview.

CP1> expert
Enter expert password:

Warning! All configuration should be done through clish
You are in expert mode now.

[Expert@CP1:0]# fwaccel stats -s
Accelerated conns/Total conns : 0/47 (0%)
Accelerated pkts/Total pkts : 0/2137973 (0%)
F2Fed pkts/Total pkts : 711845/2137973 (33%)
PXL pkts/Total pkts : 1426128/2137973 (66%)
QXL pkts/Total pkts : 0/2137973 (0%)

F2Fed = Forwarded to Firewall (slow path): the packet is passed to CoreXL and to one of the FW instances for full processing. (If SecureXL is disabled, this is the default path for all packets.)
PXL – technology name for the combination of SecureXL and PSL (forwarded to the medium path).
QXL – technology name for the combination of SecureXL and QoS (R77.10 and above).


Further info in ATRG: SecureXL, sk98722.
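As an added example (not code from the original post), here is a small POSIX shell script that parses the summary lines of fwaccel stats -s and flags a gateway whose slow-path share is high. FWACCEL_OUTPUT is constructed from the output shown above, and the 30% threshold is an arbitrary assumption; pick what fits your environment.

```shell
#!/bin/sh
# Added example, not code from the original post: parse the summary lines of
# `fwaccel stats -s` and flag a gateway whose slow-path (F2F) share is high,
# which usually means traffic is hitting rules or blades that SecureXL cannot
# accelerate.  FWACCEL_OUTPUT is constructed from the output shown above; on a
# real gateway set it with:  FWACCEL_OUTPUT=$(fwaccel stats -s)
FWACCEL_OUTPUT='Accelerated conns/Total conns : 0/47 (0%)
Accelerated pkts/Total pkts : 0/2137973 (0%)
F2Fed pkts/Total pkts : 711845/2137973 (33%)
PXL pkts/Total pkts : 1426128/2137973 (66%)
QXL pkts/Total pkts : 0/2137973 (0%)'

# path_share LABEL KIND: integer percentage for one line, e.g.
#   path_share F2Fed pkts        -> 33
#   path_share Accelerated conns -> 0
# Recomputed from the raw counters instead of trusting the rounded "(33%)".
path_share() {
    printf '%s\n' "$FWACCEL_OUTPUT" | awk -v label="$1" -v kind="$2" '
        $1 == label && $3 == kind {
            split($5, c, "/")                  # "711845/2137973" -> c[1], c[2]
            if (c[2] == 0) { print 0; exit }   # avoid divide-by-zero on an idle box
            printf "%d\n", (c[1] * 100) / c[2]
            exit
        }'
}

# slow_path_check THRESHOLD: print WARN when the F2F packet share exceeds
# THRESHOLD percent, otherwise OK.  Always returns 0 so it is safe under set -e.
slow_path_check() {
    f2f=$(path_share F2Fed pkts)
    if [ "${f2f:-0}" -gt "$1" ]; then
        echo WARN
    else
        echo OK
    fi
    return 0
}

# Stand-alone run: one-line summary plus the verdict for a 30% threshold.
printf 'accelerated=%s%% pxl=%s%% f2f=%s%% -> %s\n' \
    "$(path_share Accelerated pkts)" "$(path_share PXL pkts)" \
    "$(path_share F2Fed pkts)" "$(slow_path_check 30)"
```

Run it in Expert mode with FWACCEL_OUTPUT set from the live command to check a real gateway. A rising F2F share over time is worth graphing, since it normally points at rules or blades that force packets off the accelerated path.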

Change clish to bash – and back.

If you want to use WinSCP to transfer files to and from Check Point, you might have run into this error.

This happens because WinSCP needs bash (or similar) in order to log on.
You can, however, change this with the following command.
Notice that you will jump directly to Expert mode (which is bash) when logging on.

Go to Expert mode
CP1> expert
Enter expert password: ***********

Warning! All configuration should be done through clish
You are in expert mode now.

Expert@CP1> chsh -s /bin/bash admin

Exit the CLI console and try to log on again.
Remember that your normal admin user will now enter Expert mode the moment you log on.

login as: admin
This system is for authorized use only.
admin@’s password:
Last login: Sat Aug 22 21:53:00 2015 from

Now try to connect with WinSCP, using your admin (now Expert mode) credentials.

Good question !

The command is almost the same; only the path of the shell is different.


[Expert@CP1:0]# chsh -s /etc/cli.sh admin
Changing shell for admin.
Shell changed.

(Try to log in again)

login as: admin
This system is for authorized use only.
admin@’s password:
Last login: Sat Aug 22 21:53:23 2015 from

And now the shell is back to Gaia Clish.

You might also be interested in: Change your clish to bash – from cli
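Because chsh -s /bin/bash drops the account straight into Expert mode (a full bash shell rather than the restricted Clish) every time it logs in, it is worth being able to see which accounts are in that state and to switch them back. The script below is an added example, not from the original post: PASSWD_SAMPLE is a constructed /etc/passwd excerpt, and set_shell only runs the real chsh when APPLY=1.

```shell
#!/bin/sh
# Added example, not from the original post: audit which accounts have
# /bin/bash (Expert mode on login) instead of Gaia's /etc/cli.sh, and switch
# them back.  On a real gateway read /etc/passwd instead; PASSWD_SAMPLE is a
# constructed excerpt so the script runs offline.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
admin:x:0:0:Admin:/home/admin:/bin/bash
monitor:x:102:100:Monitor:/home/monitor:/etc/cli.sh
auditor:x:103:100:Auditor:/home/auditor:/etc/cli.sh'

# login_shell USER: print the login shell of USER (empty if not found).
login_shell() {
    printf '%s\n' "$PASSWD_SAMPLE" | awk -F: -v u="$1" '$1 == u { print $7 }'
}

# bash_logins: users other than root whose login shell is not Clish, one per
# line.  Catches an admin account left in Expert mode after a WinSCP session.
bash_logins() {
    printf '%s\n' "$PASSWD_SAMPLE" |
        awk -F: '$7 != "/etc/cli.sh" && $1 != "root" { print $1 }'
}

# set_shell USER SHELL: print the chsh command from the post and run it only
# when APPLY=1 (in Expert mode).  Anything but the two Gaia shells is refused.
set_shell() {
    user=$1; shell=$2
    case "$shell" in
        /bin/bash|/etc/cli.sh) ;;
        *) echo "refusing unknown shell: $shell" >&2; return 1 ;;
    esac
    echo "chsh -s $shell $user"
    [ "${APPLY:-0}" = 1 ] && chsh -s "$shell" "$user"
    return 0
}

# Stand-alone run: report the accounts that land in Expert mode on login and
# show the command that puts admin back on Clish (dry run unless APPLY=1).
echo "Accounts landing in Expert mode on login: $(bash_logins | tr '\n' ' ')"
set_shell admin /etc/cli.sh
```

To use it on a gateway, replace PASSWD_SAMPLE with the contents of /etc/passwd (for example PASSWD_SAMPLE=$(cat /etc/passwd)) and run set_shell with APPLY=1 once you are done transferring files.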

Creating bond interfaces on Gaia

To provide extended redundancy or throughput, you can bond interfaces.

From Gaia Clish:
Bond interface

From the WebUI
(but not if you are running VSX)

Click “Add Bond”.

Choose the required interfaces, and set the Bond Group and Operation mode:

  • Round Robin – selects the active slave interfaces sequentially.
  • 802.3ad – dynamically uses active slaves to share the traffic load using the IEEE 802.3ad LACP protocol.
  • XOR – selects the algorithm for slave selection according to the TCP/IP layer (“Layer 2” or “Layer 3+4”).

And finally set the IP address.

Sync Redundancy in ClusterXL – just because you could, does it mean that you should?

sk92804 – Sync Redundancy in ClusterXL.
If you have ever worked with a Check Point cluster, my guess is that you have been using ClusterXL.

When creating a Check Point cluster, you will notice that you have the possibility to create more than one sync interface.
In Cluster Properties > Topology, you have the option to define the network and what it is used for.
The 1st Sync is defined on eth2,

and I just created a 2nd Sync network, using eth4 on both nodes.

BUT... this could potentially be the cause of issues.

Versions affected: R70, R71, R75, R76, R77, R77.10, R77.20, R77.30

Check Point states that while you are able to create multiple sync interfaces in SmartDashboard, you should not do so.
By design (and real-life experience...), configuring multiple synchronization networks does not provide 100% sync redundancy.

It is still possible to configure multiple sync networks in SmartDashboard, but this is for unique special cases where the cluster administrator is unable to create bond interfaces.

So Check Point advises you to bond interfaces if you want to use multiple NICs for sync redundancy.
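The following script is an added example (not the post's own code) that serves both the Gaia Clish step in the bonding post above and the sk92804 recommendation here: it prints the Clish commands for a bond group, for instance a bonded sync network built from eth2 and eth4, and only executes them through clish -c when APPLY=1. The command syntax follows the Gaia administration guide as I recall it, and the interface names and addresses are assumptions, so verify both against your release before applying.

```shell
#!/bin/sh
# Added example, not from the original post: generate (and optionally apply)
# the Gaia Clish commands for a bond interface, e.g. a bonded sync network as
# sk92804 recommends instead of two separate sync interfaces.  The Clish
# syntax is an assumption based on the Gaia administration guide; check it
# against your release.  Nothing is executed unless APPLY=1.
#
# Usage: bond_commands GROUP MODE IP MASKLEN SLAVE1 SLAVE2 [...]
#        bond_commands 1 8023AD 10.10.10.1 24 eth2 eth4
# Clish mode names (assumed): round-robin, active-backup, xor, 8023AD.
bond_commands() {
    group=$1; mode=$2; ip=$3; masklen=$4
    shift 4
    case "$mode" in
        round-robin|active-backup|xor|8023AD) ;;
        *) echo "unknown bond mode: $mode" >&2; return 1 ;;
    esac
    [ $# -ge 2 ] || { echo "a bond needs at least two slave interfaces" >&2; return 1; }
    echo "add bonding group $group"
    for slave in "$@"; do
        # A slave must not carry an address of its own when it joins the bond;
        # drop this line for an interface that never had one.
        echo "delete interface $slave ipv4-address"
        echo "add bonding group $group interface $slave"
    done
    echo "set bonding group $group mode $mode"
    # XOR needs the hashing layer chosen; layer3+4 spreads flows best (assumed syntax).
    [ "$mode" = xor ] && echo "set bonding group $group xmit-hash-policy layer3+4"
    echo "set interface bond$group ipv4-address $ip mask-length $masklen"
    echo "set interface bond$group state on"
    echo "save config"
    return 0
}

# apply_bond: same arguments; dry-run by default, runs each line via clish -c
# when APPLY=1 (Expert mode).
apply_bond() {
    bond_commands "$@" | while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = 1 ]; then
            clish -c "$cmd"
        else
            echo "[dry-run] $cmd"
        fi
    done
}

# Stand-alone run: dry-run of an LACP sync bond on the two interfaces from the post.
apply_bond 1 8023AD 10.10.10.1 24 eth2 eth4
```

On a cluster, run the same commands on both members with their own addresses, then point the Sync network in Cluster Properties > Topology at bond1 instead of defining two separate sync interfaces.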

CPUSE requires a valid license for updates. sk94508

You have just installed a new Check Point gateway and have not yet installed the licenses...
You want to update IPS, but receive an error when trying... BUGGER!
Check Point have released sk94508 to deal with the problem.

"CPUSE requires a valid license for downloads and updates. 
The trial license is currently active and will expire on DD-MMM-YYY HH:MM:SS" message in Gaia Portal 
('Upgrades (CPUSE)' pane / 'Software Updates' pane - 'Status and Actions' - "Important Messages" section at the top)

Debug of Gaia Software Updates Agent daemon (per sk92449) shows in /opt/CPInstLog/DeploymentAgent.log:
DEBUG: The user has not authorized downloads, not performing update.

Log in to Expert mode and perform cpstop.
Edit $CPDIR/tmp/mis_Objects.C and change

: (DownloadAccess
   :allow_download_content (false)

to

: (DownloadAccess
   :allow_download_content (true)

Save the file.
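As an added example (not from the original post or from sk94508), the script below applies that edit in a checked way: it reads the current value, backs the file up, changes false to true and verifies the result. OBJ_FILE defaults to a constructed copy in a temporary directory so it can be tried off the gateway; on a real gateway run it in Expert mode with OBJ_FILE=$CPDIR/tmp/mis_Objects.C, after cpstop and before starting the services again with cpstart.

```shell
#!/bin/sh
# Added example, not from the original post: flip allow_download_content in
# mis_Objects.C with a pre-check, a backup and a post-check, instead of a blind
# edit.  OBJ_FILE defaults to a constructed copy so the script runs offline;
# on a gateway (Expert mode, after cpstop):
#   OBJ_FILE=$CPDIR/tmp/mis_Objects.C sh this_script.sh ; cpstart
TMPDIR_DEMO=$(mktemp -d)
cat > "$TMPDIR_DEMO/mis_Objects.C" <<'EOF'
(
        : (DownloadAccess
                :allow_download_content (false)
        )
)
EOF
OBJ_FILE=${OBJ_FILE:-$TMPDIR_DEMO/mis_Objects.C}

# download_access: print the current value of allow_download_content
# ("true" or "false"; empty if the key is missing).
download_access() {
    sed -n 's/.*:allow_download_content (\([a-z]*\)).*/\1/p' "$OBJ_FILE" | head -n 1
}

# allow_downloads: set allow_download_content to true.  Idempotent, keeps a
# timestamped backup of the original, and refuses to report success unless
# the file really changed.
allow_downloads() {
    if [ "$(download_access)" = "true" ]; then
        echo "already true"
        return 0
    fi
    cp -p "$OBJ_FILE" "$OBJ_FILE.bak.$(date +%Y%m%d%H%M%S)"
    sed 's/:allow_download_content (false)/:allow_download_content (true)/' \
        "$OBJ_FILE" > "$OBJ_FILE.new"
    cat "$OBJ_FILE.new" > "$OBJ_FILE"   # overwrite in place, keeping mode and owner
    rm -f "$OBJ_FILE.new"
    [ "$(download_access)" = "true" ] || { echo "edit failed" >&2; return 1; }
    echo "changed"
}

# Stand-alone run: only report the current state; call allow_downloads to change it.
echo "allow_download_content is currently: $(download_access)"
```

The backup matters because the same file is rewritten by Check Point's own processes; keeping the original lets you restore it if the Deployment Agent behaves differently after the change.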