Checkpoint   Checkpoint – Policy installation failed. Error code: 0-2000040



This morning i have come across a Checkpoint problem: No way to perform a succesful policy installation in any of the several virtual system gateways I have in my environment.

As you can see the returning error is: Policy installation failed on the gateway. If the problem persists contact Check Point support [Error code: 0-2000040].

Fortunately i found a generic … Read more

Checkpoint   Checkpoint – /var/log full (possible cause)



Yesterday I realized (after checking the backup of one of my gateways was failing) that the /var/log partition was 100% full:

[Expert@vsx1:0]# df -h
Filesystem 			Size 	Used 	Avail 	Use% 	Mounted on
/dev/mapper/vg_splat-lv_current 31G 	21G 	9.0G 	70% 	/
/dev/md0 			289M 	130M 	145M 	48% 	/boot 
tmpfs 				32G 	0 	32G 	0% 	/dev/shm
/dev/mapper/vg_splat-lv_log 	146G 	146G 	0 	100% 	/var/log

Surprinsingly, it used to have … Read more

Checkpoint   Checkpoint – Custom application signature ACST



This time I show you the Checkpoint “Application Control Signature Tool”. This tool allows you to create your own Apps and URL filtering signatures.
For example, I’m using it to block Torrent clients based on the User-Agent, but it is very versatile and you can use it in many ways.

Downloading the tool

Visit the following SK103051 and download it. … Read more

Checkpoint   Checkpoint – Useful SNMP OIDs to monitor (VSX)



It is very important to keep your Checkpoint environment monitored. Given that it offers a wide variety of SNMP data, I have collected some of the (in my opinion) most useful OIDs MIBs. Altough I use Icinga and Grafana (as you can see the related outputs in this post), almost any monitoring system can be used to get … Read more

Checkpoint   Checkpoint – Unexpected high cpu usage and SecureXL



Last monday I realized that the cpu was very high on one of my Checkpoint VSX nodes.
Looking at my Icinga graphs it seemed it started on friday at 3 o’clock:

Running a top directly on the VSX, I delimited the high to one of the virtual systems that runs on that VSX. In this image the fwk2 threads that … Read more

Security   Security – View HTTP headers using tcpdump



If you need to trace the HTTP request and response headers by capturing the related packets, you can use tcpdump in this way:

 tcpdump -i ens192 -A -s 10240 'tcp port 80' | grep -v IP | egrep --line-buffered "..(GET |\.HTTP\/|POST |HEAD )|^[A-Za-z0-9-]+: " |sed -r 's/..(GET |HTTP\/|POST |HEAD )/\n\n\1/g'

For example, filtering tcp port 80 and 192.168.10.100 IP address:… Read more

Checkpoint   Checkpoint – VSX Virtual Memory full – Enable 64 bit



Symptoms

I manage a 2 node VSX clusterXL environment that hosts 3 firewalls (virtual systems).
Some days ago I came across a problem in which one of them started  (or maybe more time ago but not aware) to experience bad performance, outages, timeouts…

Trying to make a failover and move the VS to the other node fixed the problem until … Read more

Checkpoint   Checkpoint – Database Revision Control



“Database Revision Control” is a really useful feature when you are going to make important and/or many changes in the firewall policy, objects…

To make an analogy, DRC are like snapshots (as in the case of VMWare of a virtual machine) of the policies, objects, etc … everything that contains the database of the management server of Checkpoint is backed … Read more

Checkpoint   Checkpoint – GAIA commands to check backup status and logs



I have configured my VSX appliances to perfom scheduled backups every week. Today, my icinga monitoring system has raised an alert informing that VSX2 backup has failed.

Icinga monitoring checkpoint VSX backups

GAIA provides some commands to get useful data about the execution of the backup processes.

last-successful

Show the the latest successful backup

vsx2:0> show backup last-successful
Backup Type: local ( latest )
Backup 
Read more

Checkpoint   Checkpoint – dropped Reason: UDP packet that belongs to an old session



Problem

Last week I came across a DHCP problem. Devices from certain VLAN were not getting DHCP assigned IP.

Even though firewall policy should have accepted those packets, tcpdump showed Checkpoint gateway was not forwarding them to the destination.

To capture DHCP traffic:

# tcpdump -n -i <interface> port 67 or port 68 -e

Incoming interface DHCP tcpdump:

# tcpdump 
Read more