| Checkpoint – /var/log full (possible cause) |
Yesterday I realized (after checking the backup of one of my gateways was failing) that the /var/log partition was 100% full:
[Expert@vsx1:0]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/vg_splat-lv_current 31G 21G 9.0G 70% /
/dev/md0 289M 130M 145M 48% /boot
tmpfs 32G 0 32G 0% /dev/shm
/dev/mapper/vg_splat-lv_log 146G 146G 0 100% /var/log
Surprinsingly, it used to have … Read more
|
| Checkpoint – Custom application signature ACST |
This time I show you the Checkpoint “Application Control Signature Tool”. This tool allows you to create your own Apps and URL filtering signatures.
For example, I’m using it to block Torrent clients based on the User-Agent, but it is very versatile and you can use it in many ways.
| Security – View HTTP headers using tcpdump |
If you need to trace the HTTP request and response headers by capturing the related packets, you can use tcpdump in this way:
tcpdump -i ens192 -A -s 10240 'tcp port 80' | grep -v IP | egrep --line-buffered "..(GET |\.HTTP\/|POST |HEAD )|^[A-Za-z0-9-]+: " |sed -r 's/..(GET |HTTP\/|POST |HEAD )/\n\n\1/g'
For example, filtering tcp port 80 and 192.168.10.100 IP address:… Read more
|
| Checkpoint – VSX Virtual Memory full – Enable 64 bit |
I manage a 2 node VSX clusterXL environment that hosts 3 firewalls (virtual systems).
Some days ago I came across a problem in which one of them started (or maybe more time ago but not aware) to experience bad performance, outages, timeouts…
Trying to make a failover and move the VS to the other node fixed the problem until … Read more
|
| Checkpoint – Database Revision Control |
“Database Revision Control” is a really useful feature when you are going to make important and/or many changes in the firewall policy, objects…
To make an analogy, DRC are like snapshots (as in the case of VMWare of a virtual machine) of the policies, objects, etc … everything that contains the database of the management server of Checkpoint is backed … Read more
|
| Checkpoint – dropped Reason: UDP packet that belongs to an old session |
Last week I came across a DHCP problem. Devices from certain VLAN were not getting DHCP assigned IP.
Even though firewall policy should have accepted those packets, tcpdump showed Checkpoint gateway was not forwarding them to the destination.
To capture DHCP traffic:
# tcpdump -n -i <interface> port 67 or port 68 -eIncoming interface DHCP tcpdump:
# tcpdump |
| Checkpoint – Delay before password prompt when logging via SSH |
When connecting to checkpoint gateways, there may be a delay of 5 or more seconds when waiting for the password prompt. This is due a reverse DNS lookup that the gateway cannot perform until timeout is reached.
The UseDNS option of the SSH daemon can be disabled to avoid this behaviour:
[Expert@vsx1:0]# |
| Checkpoint – Incrementing virtual system instances to solve cpu overload |
Due to some network infrastructure changes, the traffic passing through my internal FW (a Checkpoint VSX virtual system) started to suffer latency and packet loss.
No change had been made to the Checkpoint VSX, but for any reason, since that network changes, Checkpoint was not processing the traffic succesfully.
Performing a top on the VSX appliance containing the active “iNTERNAL … Read more
|
| Checkpoint VSX: Force VS failover |
There are several reasons to force a failover on a firewall cluster (in this case a virtual system on a 2 node Checkpoint VSX cluster). For example, testing, analyzing or maintenance purposes.
First of all, we can check the cluster and virtual systems states by executing the command on the VS0 (on Gaia clish or expert mode):
[Expert@vsx1:0]# cphaprob 