Wednesday, November 21, 2018

Checkpoint smartcenter - manage size of $FWDIR/log/postgres.elg

In the last few months I have started migrating to R80.10 software and I found an interesting issue with the postgres sql database on smartcenter
No rotation of log file has been added to /etc/cpshell/log_rotation.conf so file , over time, can grow to any size until it fills up all disk space

Simple work around until Checkpoint fixes it


  • edit /etc/cpshell/log_rotation.conf file adding this line 
  • log_start list to verify that your change is visible 
  • cpstop && cpstart on management 
If $FWDIR/log/postgres.elg file is way too BIG I did this fix:

after cpstop you issue cat /dev/null > $FWDIR/log/postgres.elg and file is zeroed



Friday, September 28, 2018

Checkpoint how to clear all tables of IA

The following command  clears all pdp and pep tables on security gateway:

fw tab -t pdp_sessions -t pdp_super_sessions -t pdp_super_sessions -t pdp_encryption_keys -t pdp_whitelist -t pdp_timers -t
pdp_expired_timers -t pdp_ip -t pdp_net_reg -t pdp_net_db -t pdp_cluster_stat -t pep_pdp_db -t pep_networks_to_pdp_db -t
pep_net_reg -t pep_reported_network_masks_db -t pep_port_range_db -t pep_async_id_calls -t pep_client_db -t
pep_identity_index -t pep_revoked_key_clients -t pep_src_mapping_db -t pep_log_completion -x -y


 This commands causes temporary disconnection for all traffic passing the firewall, so use it with caution

Wednesday, April 18, 2018

Checkpoint firewall reimaging via USB disk

Just as a reminder of the options when the serial cable connection messes up the screen

Monday, November 27, 2017

Top CheckPoint CLI commands

This post is a summary of some of the most important Checkpoint commands taken by Checkpoint Community (CheckMates)



fw ctl zdebug drop used to quickly see all dropped connections and more importantly the reason (e.g. anti-spoofing, IPS , FW rule , ....). USE WITH EXTREME CAUTION 
cpstat fw quickly see stats of number of connections (accepted,denied,logged) with a breakdown
if the FW was under a high load i would usually run " watch --interval=1 'cpstat fw' " (would see a real-time to see the interface that is causing this)
fw tab -s -t connections


allowed me to quickly see how much load is (and was i.e "peak" ) on the FW
cphaprob stat used to see state of cluster
fwaccel stats -s to check acceleration status on FW
cphaprob -a if


used to do troubleshooting cluster, verify all interfaces are UP and the Virtual IP address for the cluster interfaces

Friday, October 20, 2017

Policy installation failed after cluster configuration

A few day ago, I've created a new cluster on a mgmt that already manage other clusters.

On this new cluster the only interface configured was the MGMT, the other interfaces were all in shut and not configured, so in topology I defined the MGMT interface as cluster interface.

After creation of the cluster I tried to install policy and the policy installation failed.

This is a classic issue, the cluster always needs a sync interface so in topology I changed the interface and defined it as Sync, although it's not sync if.

After this change everything was ok and I was able to install policy.

Sunday, August 20, 2017

Easy ways to get your IP address on a Linux box

Here are some easy ways to obtain your IP address on a Linux box


  • dig +short myip.opendns.com @resolver1.opendns.com
  • curl -s http://whatismyip.akamai.com/
  • curl -s icanhazip.com


Tuesday, July 18, 2017

Checkpoint R80.10 management upgrade

When you decide to upgrade your R77.30 Checkpoint management to R80.10 please keep in mind a number of points ( also reported in sk114739).

The first step of the upgrade process will run the Pre-Upgrade verification tool ( that you could also run by downloading the utilities from CP website).

  • One typical error, if you are not from the US, is to have non-Unicode chars in multiple files. In R80 you had to fix all these issues. Now with R80.10 all you need to do is create a file $FWDIRconf/db_encoding.txt with your encoding ( i.e. WINDOWS-1252) and no error message should appear

If you want to know where non-UNICODE chars are you can run this command

grep --color='auto' -P -n "[\x80-\xFF]" file 


  • Next you could have modified files under $FWDIR/lib such as implied_rules.def or crypt.def. These files will be replaced when upgrading.
Thus you need to make a backup of these files and reapply changes after upgrade is completed.