Monday, December 5, 2016

CHECKPOINT - cluster ID and magic MAC

It may happen that multiple Checkpoint clusters are connected on the same LAN segment.
In this case you need to know each cluster's ID in order to prevent issues with the two clusters interacting with each other.

Here is how:

R77.30 and above

Easy

[Expert@Member_HostName]# cphaconf cluster_id get
Example output:
cphaconf cluster_id: 154 

Before R77.30

[Expert@HostName]# fw ctl get int fwha_mac_magic 
[Expert@HostName]# fw ctl get int fwha_mac_forward_magic

Configuring different IDs

R77.30

Easy

[Expert@Member_HostName]# cphaconf cluster_id set 200

Before R77.30

[Expert@HostName]# fw ctl set int fwha_mac_magic VALUE_1
[Expert@HostName]# fw ctl set int fwha_mac_forward_magic VALUE_2

Wednesday, November 9, 2016

CheckPoint - MTA postfix queue management

If you enable the MTA agent on a Checkpoint firewall you may have situations where you need to look at the queue and verify how mails are flowing.

Here are a few commands to keep in mind.

Show current queue:
[Expert@HostName:0]# /opt/postfix/usr/sbin/postqueue -c /opt/postfix/etc/postfix/ -p

Show one mail from the queue (5632E28B0044 is an example Queue ID from the current queue):

[Expert@HostName:0]# /opt/postfix/usr/sbin/postcat -c /opt/postfix/etc/postfix/ -q 5632E28B0044 | less
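When the queue is long, reading postqueue -p line by line is slow; what you want to know is how many messages are active, on hold or deferred, and which deferral reason dominates. The following added script (mine, not from the post) summarises that output; it assumes the standard Postfix mailq-style layout with one "(reason)" line per deferred entry, and the queue listing it runs on is a constructed sample.

```shell
#!/bin/sh
# Added example: summarise the mailq-style output of
#   /opt/postfix/usr/sbin/postqueue -c /opt/postfix/etc/postfix/ -p
# by queue state, and group deferral reasons so stuck deliveries stand out.
# Layout assumed: standard Postfix "postqueue -p" format, one reason per line.
summarize_queue() {
    awk '
        /^Mail queue is empty/          { next }
        /^-Queue ID-/ || /^--/ || /^$/  { next }       # header, footer, separators
        /^[0-9A-Za-z]+[*!]?[[:space:]]/ {              # entry line: ID[*|!] size time sender
            state = "deferred"
            if ($1 ~ /\*$/)      state = "active"      # "*" suffix: in the active queue
            else if ($1 ~ /!$/)  state = "hold"        # "!" suffix: on hold
            count[state]++; total++; next
        }
        /^\(/ {                                        # "(reason)" line of a deferred entry
            reason = $0
            gsub(/\[[^]]*\]/, "[...]", reason)         # fold host/IP so like errors group
            reasons[reason]++; next
        }
        END {
            printf "total=%d active=%d hold=%d deferred=%d\n",
                   total + 0, count["active"] + 0, count["hold"] + 0, count["deferred"] + 0
            for (r in reasons) printf "reason x%d: %s\n", reasons[r], r
        }'
}

# Constructed sample queue (not real traffic): one deferred, one active, one on hold.
SAMPLE_QUEUE='-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
5632E28B0044     4562 Mon Nov  7 10:21:33  alerts@example.com
(connect to mx.example.net[192.0.2.10]:25: Connection timed out)
                                         soc@example.net

5632E28B0051*    1024 Mon Nov  7 10:25:01  alerts@example.com
                                         admin@example.org

5632E28B0067!     980 Mon Nov  7 10:26:12  alerts@example.com
                                         quarantine@example.org

-- 6 Kbytes in 3 Requests.'

# Run the summary over the sample; on a gateway pipe the real postqueue -p output instead.
sample_summary() {
    printf '%s\n' "$SAMPLE_QUEUE" | summarize_queue
}

sample_summary
```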


Monday, October 10, 2016

How to exclude some networks from the VPN tunnel



In some cases it is necessary to exclude a network (or a single IP address) from the VPN tunnel. This is possible using the crypt.def file, placed on the Security Management Server.

On the Security Management Server there is not only one crypt.def file: there is one for each firewall version for which we need to make the change. For the details please refer to sk 98241.

First of all, create a backup file with the following commands (in expert mode):
[Expert@HostName]# cd $FWDIR/lib
[Expert@HostName]# cp $FWDIR/lib/crypt.def  $FWDIR/lib/crypt.def_BKP
Then open the current "crypt.def" file:
[Expert@HostName]# vi crypt.def

At the end of the file you find this string:

Monday, October 3, 2016

Where to find malware samples

If you are looking for malware samples, as I sometimes do, you can try the following websites, which I found in an article a few days ago.

It is the beginning of a list that I hope to expand over time.





Friday, September 9, 2016

Checkpoint Gaia - editing the internal database

Every now and then I get this error when running Checkpoint services

myhost> cpstat os
 fw_ipaddr_both: Unable to resolve ipaddr for myhost

Failed to establish session with AMON server at 127.0.0.1:18192

Why does it occur? I still have not found the root cause.
The entry for myhost is missing from the file /etc/hosts, and if you edit that file directly you will lose your changes on reboot.
So I have found a workaround to fix it and get the services running.

First check that the initial database does not already have what you are looking for:

Expert # dbget hosts:v4:myhost:address

Then run these commands to write directly into the database:

Expert # dbset  hosts:v4:myhost t
Expert # dbset  hosts:v4:myhost:address 1.2.3.4

Final touch: save your fix and recreate the /etc/hosts file.

Expert #  dbset :save
Expert #  /bin/hosts_xlate hosts /etc/hosts < /config/active

You are all set. The entry is now permanent in the file /etc/hosts.

Thursday, May 12, 2016

Instructions to check how a hotfix was installed

 From GAIA PORTAL

  1. Navigate to "Upgrades (CPUSE)" pane (in Gaia R77.20 and above) / to "Software Updates" pane (in Gaia R77.10 and lower) - click on "Status and Actions" page.
  2. Near the blue "Help" icon, click on "Showing Recommended packages" - select "Installed".
  3. Hotfix statuses are:

     Hotfix was installed   How it is displayed                               Status                        Package Type
     via Legacy CLI         Grayed out (right-click menu is not supported)    Installed                     Legacy Mini Wrapper
     via CPUSE              Available (right-click menu is fully supported)   Installed, self-test passed   Wrapper

 From CLISH

Run the following command in Clish:
  • Gaia Software Updates Agent versions 802 and above:
    HostName:0> show installer packages installed
  • Gaia Software Updates Agent versions 747 and lower:
    HostName:0> show installer installed_packages


Hotfix statuses are:

Hotfix was installed   Status
via Legacy CLI         Installed (Legacy)
via CPUSE              Installed

Thursday, April 28, 2016

'confd' process consumes CPU at high level on Gaia OS due to large size of Gaia Database

Symptoms
  • Gaia machine does not respond to SNMP requests, and the /var/log/messages file repeatedly shows:
    snmpd: Error: Timeout waiting for response from database server
  • Gaia Cloning Groups cannot be synchronized.
  • Output of the "top" command or the "ps auxw" command shows that the "confd" process consumes CPU at a high level on Gaia OS.

Solution

This problem was fixed. The fix is included in:
  • Check Point R77.30 and higher
  • Jumbo Hotfix Accumulator for R77.20 - since Take_86
  • Jumbo Hotfix Accumulator for R77.10 - since Take_116
  • Jumbo Hotfix Accumulator for R77 - since Take_41
  • Jumbo Hotfix Accumulator for R76 - since Take_64
For lower supported versions, Check Point Support can supply a Hotfix.
However, if you don't want to install the hotfix immediately but need to fix this issue, read along.....

Monday, January 18, 2016

Solve many problems with Security Management - clean cache Dashboard

The article below provides solutions for different scenarios in which a problem arises between SmartConsole and the Security / Multi-Domain Management server. These problems are not connectivity issues. Please see the symptoms below and follow the solution.