It is very important to keep your Checkpoint environment monitored. Given that it offers a wide variety of SNMP data, I have collected some of the (in my opinion) most useful OIDs/MIBs. Although I use Icinga and Grafana (the related outputs are shown in this post), almost any monitoring system can be used to get …
Running top directly on the VSX, I narrowed the high load down to one of the virtual systems that run on that VSX. In this image the fwk2 threads that …
If you need to trace the HTTP request and response headers by capturing the related packets, you can use tcpdump like this:
tcpdump -i ens192 -A -s 10240 'tcp port 80' | grep -v IP | egrep --line-buffered "..(GET |\.HTTP\/|POST |HEAD )|^[A-Za-z0-9-]+: " |sed -r 's/..(GET |HTTP\/|POST |HEAD )/\n\n\1/g'
For example, filtering TCP port 80 and the IP address 192.168.10.100: …
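The filtering stage of the one-liner above, as an added example that is not code from the original post: a function that reads "tcpdump -A" text on stdin and keeps only request lines, status lines and "Name: value" header lines, with a blank line before each new request or response. The capture excerpt it is run on is constructed here (the interface name, addresses and headers are made up), and GNU grep and sed are assumed, as on a Linux-based gateway. Two deliberate differences from the one-liner: the IP/TCP header bytes that tcpdump -A prints as dots before a request line are dropped rather than kept, and the status-line match requires the "." that precedes "HTTP/" in a response, so "GET / HTTP/1.1" is no longer split into "GET /" and "HTTP/1.1" by the sed step.

```shell
#!/bin/sh
# Added example (not from the original post). Reads "tcpdump -A" output on
# stdin and prints request lines, status lines and header lines only.
extract_http_headers() {
    # 1. drop the per-packet summary lines ("<time> IP a.b.c.d.port > ...")
    # 2. keep lines holding a request line, a status line or "Name: value"
    # 3. cut the header garbage in front of GET/POST/HEAD or ".HTTP/",
    #    start a new block there, and strip the trailing "." that stands
    #    for the CR of each CRLF in tcpdump -A output
    grep -v -E ' IP6? ' \
    | grep -E --line-buffered '..(GET |POST |HEAD |\.HTTP/)|^[A-Za-z0-9-]+: ' \
    | sed -E \
        -e 's/^.*(GET |POST |HEAD )/\n\1/' \
        -e 's#^.*\.(HTTP/)#\n\1#' \
        -e 's/\.$//'
}

# Constructed excerpt of "tcpdump -A" output (one request, one response);
# the dotted lines are the IP/TCP headers as tcpdump renders them.
sample_capture() {
    cat <<'EOF'
14:02:11.123456 IP 192.168.10.100.51234 > 203.0.113.10.80: Flags [P.], seq 1:78, ack 1, win 502, length 77: HTTP: GET / HTTP/1.1
E..u..@.@.......
..q.......;.....P.....GET / HTTP/1.1.
Host: www.example.com.
User-Agent: curl/7.88.1.
Accept: */*.
.
14:02:11.145678 IP 203.0.113.10.80 > 192.168.10.100.51234: Flags [P.], seq 1:164, ack 78, win 510, length 163: HTTP: HTTP/1.1 200 OK
E.....@.6.......
...d.P....;.......P....HTTP/1.1 200 OK.
Date: Mon, 01 Jan 2024 14:02:11 GMT.
Content-Type: text/html; charset=UTF-8.
Content-Length: 44.
.
<html><body><h1>It works!</h1></body></html>
EOF
}

# Live use on the gateway (interface name assumed, not run here):
#   tcpdump -i ens192 -A -s 10240 'tcp port 80 and host 192.168.10.100' | extract_http_headers
sample_capture | extract_http_headers
```

The body line and the packet summary lines never reach the output, so what is left is exactly the header exchange; anything that is not a header but happens to look like "Word: value" at the start of a line (a body line of a text/plain response, say) would still pass, since the filter works on text, not on HTTP framing.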
I manage a 2-node VSX ClusterXL environment that hosts 3 firewalls (virtual systems).
Some days ago I came across a problem in which one of them started (or maybe it had started longer ago without my being aware of it) to experience bad performance, outages, timeouts…
Performing a failover and moving the VS to the other node fixed the problem until …
“Database Revision Control” is a really useful feature when you are going to make important and/or many changes to the firewall policy, objects…
To make an analogy, DRC revisions are like snapshots (as with a virtual machine in VMware) of the policies, objects, etc.: everything that the database of the Checkpoint management server contains is backed …
I have configured my VSX appliances to perform scheduled backups every week. Today, my Icinga monitoring system raised an alert informing me that the VSX2 backup had failed.
GAIA provides some commands to get useful data about the execution of the backup processes.
Show the latest successful backup:
vsx2:0> show backup last-successful
Backup Type: local ( latest )
Backup …
Last week I came across a DHCP problem. Devices from a certain VLAN were not getting a DHCP-assigned IP.
Even though the firewall policy should have accepted those packets, tcpdump showed that the Checkpoint gateway was not forwarding them to the destination.
To capture DHCP traffic:
# tcpdump -n -e -i <interface> port 67 or port 68
DHCP tcpdump on the incoming interface:
…
When connecting to Checkpoint gateways over SSH, there may be a delay of 5 or more seconds before the password prompt appears. This is due to a reverse DNS lookup that the gateway cannot complete until the timeout is reached.
The UseDNS option of the SSH daemon can be disabled to avoid this behaviour:
Save a backup of the sshd_config file
…
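The "back up, then disable UseDNS" procedure as a script, added here as an example and not taken from the original post. set_usedns_no takes the path of the sshd configuration as its argument (assumed to be /etc/ssh/sshd_config on the gateway), saves a timestamped copy next to it, and rewrites the file so that exactly one "UseDNS no" line exists in the global section. Two details matter for a correct edit: sshd uses the first value it reads for a keyword, so a line appended at the end of the file loses against an earlier "UseDNS yes"; and UseDNS is not accepted inside a Match block, so a new line must go before the first "Match". The demonstration at the bottom runs on a constructed config file, not on the real one.

```shell
#!/bin/sh
# Added example (not from the original post). Disable UseDNS the careful way.
set_usedns_no() {
    _cfg="$1"
    _bak="$_cfg.$(date +%Y%m%d%H%M%S).bak"
    _out="$(mktemp)" || return 1
    cp -p "$_cfg" "$_bak" || return 1
    awk '
        # sshd uses the first value it reads for a keyword, so replace the
        # first UseDNS line (commented or not) in the global section and
        # drop later copies rather than appending a second directive.
        !in_match && /^[ \t]*#?[ \t]*UseDNS[ \t]/ {
            if (!done) { print "UseDNS no"; done = 1 }
            next
        }
        # UseDNS is not valid inside a Match block, so a new line has to go
        # before the first "Match", not at the end of the file.
        /^[ \t]*Match[ \t]/ {
            if (!done) { print "UseDNS no"; done = 1 }
            in_match = 1
        }
        { print }
        END { if (!done) print "UseDNS no" }
    ' "$_cfg" > "$_out" || return 1
    cat "$_out" > "$_cfg"   # keep the original inode, owner and mode
    rm -f "$_out"
    printf '%s\n' "$_bak"    # caller gets the backup path
}

# Effective UseDNS value the way sshd resolves it: the first uncommented
# directive before any Match block, or "unset" if there is none.
usedns_value() {
    awk '/^[ \t]*Match[ \t]/ { exit }
         /^[ \t]*UseDNS[ \t]/ { print $2; found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# Syntax check to run on the gateway before restarting sshd. It needs the
# host keys, so it is not part of the demonstration below.
check_sshd_config() {
    sshd -t -f "$1"
}

# Demonstration on a constructed copy: the stock commented default, a live
# "UseDNS yes", and a trailing Match block.
demo="$(mktemp)"
printf '#UseDNS no\nPort 22\nUseDNS yes\nMatch User admin\n\tPasswordAuthentication no\n' > "$demo"
echo "before: UseDNS=$(usedns_value "$demo")"
bak="$(set_usedns_no "$demo")"
echo "after:  UseDNS=$(usedns_value "$demo") (backup in $bak)"
cat "$demo"
rm -f "$demo" "$bak"
```

Check the effective value first: OpenSSH 6.8 and later already default UseDNS to no, in which case the delay has another cause. Turning the option off does not weaken authentication; it only removes hostname-based matching for "from=" patterns in authorized_keys and the hostname in the log line. After editing, run check_sshd_config on the real file and restart sshd; existing sessions are not affected.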
Due to some network infrastructure changes, the traffic passing through my internal FW (a Checkpoint VSX virtual system) started to suffer latency and packet loss.
No change had been made to the Checkpoint VSX, but for some reason, since those network changes, Checkpoint was not processing the traffic successfully.
Running top on the VSX appliance containing the active “iNTERNAL …
This post aims to be a simple explanation of the Hide NAT and Static NAT concepts.
Given the following simple company network, let's see how these NAT types could fit this scenario:
- We need the web server to be published, so it needs to be accessible from the Internet
- We need all the workstations to be able to browse