| Checkpoint – Policy installation failed. Error code: 0-2000040 |
This morning i have come across a Checkpoint problem: No way to perform a succesful policy installation in any of the several virtual system gateways I have in my environment.
As you can see the returning error is: Policy installation failed on the gateway. If the problem persists contact Check Point support [Error code: 0-2000040].
Fortunately i found a generic … Read more
|
| Checkpoint – /var/log full (possible cause) |
Yesterday I realized (after checking the backup of one of my gateways was failing) that the /var/log partition was 100% full:
[Expert@vsx1:0]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/vg_splat-lv_current 31G 21G 9.0G 70% /
/dev/md0 289M 130M 145M 48% /boot
tmpfs 32G 0 32G 0% /dev/shm
/dev/mapper/vg_splat-lv_log 146G 146G 0 100% /var/log
Surprinsingly, it used to have … Read more
|
| Checkpoint – Useful SNMP OIDs to monitor (VSX) |
It is very important to keep your Checkpoint environment monitored. Given that it offers a wide variety of SNMP data, I have collected some of the (in my opinion) most useful OIDs MIBs. Altough I use Icinga and Grafana (as you can see the related outputs in this post), almost any monitoring system can be used to get … Read more
|
| Checkpoint – Unexpected high cpu usage and SecureXL |
Last monday I realized that the cpu was very high on one of my Checkpoint VSX nodes.
Looking at my Icinga graphs it seemed it started on friday at 3 o’clock:
Running a top directly on the VSX, I delimited the high to one of the virtual systems that runs on that VSX. In this image the fwk2 threads that … Read more
|
| Checkpoint – VSX Virtual Memory full – Enable 64 bit |
I manage a 2 node VSX clusterXL environment that hosts 3 firewalls (virtual systems).
Some days ago I came across a problem in which one of them started (or maybe more time ago but not aware) to experience bad performance, outages, timeouts…
Trying to make a failover and move the VS to the other node fixed the problem until … Read more
|
| Checkpoint – GAIA commands to check backup status and logs |
I have configured my VSX appliances to perfom scheduled backups every week. Today, my icinga monitoring system has raised an alert informing that VSX2 backup has failed.
GAIA provides some commands to get useful data about the execution of the backup processes.
Show the the latest successful backup
vsx2:0> show backup last-successful
Backup Type: local ( latest )
Backup |
| Checkpoint – Incrementing virtual system instances to solve cpu overload |
Due to some network infrastructure changes, the traffic passing through my internal FW (a Checkpoint VSX virtual system) started to suffer latency and packet loss.
No change had been made to the Checkpoint VSX, but for any reason, since that network changes, Checkpoint was not processing the traffic succesfully.
Performing a top on the VSX appliance containing the active “iNTERNAL … Read more
|
| Checkpoint – Proxy ARP for manual NAT on VSX |
In my post Checkpoint – Automatic NAT vs Manual NAT I explained both types of NAT clarifying that the Manual NAT makes neccesary the Proxy ARP entry configuration. This example is for a Checkpoint VSX cluster scenario.
This is an example that was used:
The IP that should be configured to answer to ARP request is the 80.80.100.100 (No server … Read more
|
| Checkpoint – Nagios plugin to monitor ARP table in VSX |
When suffering random network interruptions, a possible cause (and diffcult to find) is our firewall ARP table overflow. In Checkpoint systems, the Linux kernel Gaia is based on would log messages like "kernel: neighbour table overflow" to /var/log/messages.
After living two small crisis due to this problem (network scanning software and mask B networks are dangerous for the … Read more
|
| Checkpoint – Nagios plugin to monitor VS active connections |
Having our Checkpoint VSX Virtual System active connections under control can be very important to avoid problems, configure a higher connection limit, be ready for growth (and so scalate our environment)…
Nagios and SNMP can be used to configure a VS connection monitor plugin:
Steps needed to configure the plugin:
