Checkpoint   Checkpoint – Nagios plugin to monitor VS active connections



Having our Checkpoint VSX Virtual System active connections under control can be very important to avoid problems, configure a higher connection limit, be ready for growth (and so scalate our environment)…

Nagios and SNMP can be used to configure a VS connection monitor plugin:
Checkpoint - Nagios plugin to monitor VS active connections 1

Steps needed to configure the plugin:

  1. SNMP OID for virtual systems active connections
  2. Develop an script
Read more

Checkpoint   Checkpoint – Schedule management database backup



The upgrade_tools (or the migrate command) is a powerful and simple tool that allows us to perform a backup of our Checkpoint database, objects, policies…

Backing up periodically the Checkpoint configuration allows us to recover quickly from a disaster by setting up a new SMS (Security Management Server). This involves two steps:

Script that exports the Checkpoint configuration

This could … Read more

Checkpoint   Checkpoint – SNMP return 0 value when querying virtual systems



When trying to perform SNMP queries in an VSX environment, data related to virtual systems may be returned always as 0 value. By default, R77.10 and R77.20 vsx systems behave this way. For example, this is an SNMP query to get the concurrent connections of the phisical VSX and its virtual systems:

# /usr/bin/snmpwalk -v1 -c public 10.0.5.5 vsxCountersConnNum
CHECKPOINT-MIB::vsxCountersConnNum.1.0 
Read more

Checkpoint   Checkpoint – Automatic NAT vs Manual NAT



NAT (Network Address Translation) can be configured in our Checkpoint FW in 2 two different ways: Manual or Automatic

Automatic NAT

To configure the automatic NAT, the SERVER object properties has a NAT section.
So for example, if we want our host with internal private IP 10.10.50.50 to be published in Internet with public IP 80.80.100.100:

Checkpoint host general properties

Checkpoint host NAT properties

(I we only wanted Read more

Checkpoint   Checkpoint VSX: Force VS failover



There are several reasons to force a failover on a firewall cluster (in this case a virtual system on a 2 node Checkpoint VSX cluster). For example, testing, analyzing or maintenance purposes.

First of all, we can check the cluster and virtual systems states by executing the command on the VS0 (on Gaia clish or expert mode):

[Expert@vsx1:0]# cphaprob 
Read more