Checkpoint   Checkpoint – dropped Reason: UDP packet that belongs to an old session



Problem

Last week I came across a DHCP problem. Devices from certain VLAN were not getting DHCP assigned IP.

Even though firewall policy should have accepted those packets, tcpdump showed Checkpoint gateway was not forwarding them to the destination.

To capture DHCP traffic:

# tcpdump -n -i <interface> port 67 or port 68 -e

Incoming interface DHCP tcpdump:

# tcpdump 
Read more

Checkpoint   Checkpoint – Incrementing virtual system instances to solve cpu overload



Due to some network infrastructure changes, the traffic passing through my internal FW (a Checkpoint VSX virtual system) started to suffer latency and packet loss.

No change had been made to the Checkpoint VSX, but for any reason, since that network changes, Checkpoint was not processing the traffic succesfully.

Performing a top on the VSX appliance containing the active “iNTERNAL … Read more

Checkpoint   Checkpoint – Hide NAT vs Static NAT



This post tries to be a simple explanation of the Hide NAT and Static NAT concepts.
Given the following simple company network let's see how this NAT types could fit in this scenario:

Hide Static NAT example scenario

  • We need the web server to be published, so it needs to be accesible from the Internet
  • We need all the workstations to be able to browse
Read more

Checkpoint   Checkpoint – Reinstall SMS using configuration backup



Last week my smartcenter server became corrupted (the filesystem) and I could not install any fw policy (checkpoint software could not find some needed inodes).

Fortunately I perform periodically checkpoint configuration backups (using the migrate export utility) this way -> Checkpoint – Schedule management database backup

These are the steps to get a working SMS again:

  1. Pre install steps
  2. Install
Read more

Checkpoint   Checkpoint – Proxy ARP for manual NAT on VSX



In my post Checkpoint – Automatic NAT vs Manual NAT I explained both types of NAT clarifying that the Manual NAT makes neccesary the Proxy ARP entry configuration. This example is for a Checkpoint VSX cluster scenario.

This is an example that was used:
Checkpoint host general properties
Checkpoint NAT rule

The IP that should be configured to answer to ARP request is the 80.80.100.100 (No server … Read more

Checkpoint   Checkpoint – Nagios plugin to monitor ARP table in VSX



When suffering random network interruptions, a possible cause (and diffcult to find) is our firewall ARP table overflow. In Checkpoint systems, the Linux kernel Gaia is based on would log messages like "kernel: neighbour table overflow" to /var/log/messages.

After living two small crisis due to this problem (network scanning software and mask B networks are dangerous for the … Read more

Checkpoint   Checkpoint – Nagios plugin to monitor VS active connections



Having our Checkpoint VSX Virtual System active connections under control can be very important to avoid problems, configure a higher connection limit, be ready for growth (and so scalate our environment)…

Nagios and SNMP can be used to configure a VS connection monitor plugin:
Checkpoint - Nagios plugin to monitor VS active connections 1

Steps needed to configure the plugin:

  1. SNMP OID for virtual systems active connections
  2. Develop an script
Read more

Checkpoint   Checkpoint – SNMP return 0 value when querying virtual systems



When trying to perform SNMP queries in an VSX environment, data related to virtual systems may be returned always as 0 value. By default, R77.10 and R77.20 vsx systems behave this way. For example, this is an SNMP query to get the concurrent connections of the phisical VSX and its virtual systems:

# /usr/bin/snmpwalk -v1 -c public 10.0.5.5 vsxCountersConnNum
CHECKPOINT-MIB::vsxCountersConnNum.1.0 
Read more

Checkpoint   Checkpoint – Automatic NAT vs Manual NAT



NAT (Network Address Translation) can be configured in our Checkpoint FW in 2 two different ways: Manual or Automatic

Automatic NAT

To configure the automatic NAT, the SERVER object properties has a NAT section.
So for example, if we want our host with internal private IP 10.10.50.50 to be published in Internet with public IP 80.80.100.100:

Checkpoint host general properties

Checkpoint host NAT properties

(I we only wanted Read more