Check Point Firewalls

Issue When trying to run an upgrade_export from a Provider-1 you get the following error, Failed to export. Please close all Check Point clients. If the failure to export persists, stop all Check Point Services and run the upgrade_export command again. Solution Note: The upgrade_export command is run from the $FWDIR/bin/upgrade_tools directory of the CMA. … Read more

Issue Check Point have now replaced the “Support Key Exchange for subnets” with “VPN Tunnel Sharing” for Traditional mode VPNs. The problem this causes is when you upgrade to R65 is that the “Support Key Exchange for subnets”  setting isn’t transferred. With all Traditional VPN`s being set to “One VPN tunnel per subnet pair” as … Read more

If you firewall isn’t Gratuitous ARPing when it fails over, you will need to edit the file $FWDIR/boot/modules/fwkern.conf, and add the following line (if it doesn’t exist create it), fwha_use_arp_packet_queue=1 Then reboot the machine.

How do i reset SIC ?  Go into the CLI of the Firewall and type cpconfig then choose Secure Internal Communication. You will then be prompted to enter a passcode. Enter anything it doesnt matter. Then exit cpconfig using option 10. cpfw[admin]# cpconfig This program will let you re-configure your Check Point products configuration. Configuration … Read more

The following steps will allow HFA30 to install on flash based system if the /opt has less then 400mb. Before we start you should ideally have the following free, /opt = 212184 /prevserve = 480694 mkdir ~/hfa30 cd ~/hfa30 tar xzvf ~/VPN-1_R65_HFA_30.ipso.tgz rm ~/VPN-1_R65_HFA_30.ipso.tgz df -k The output from df -k should now show over … Read more

To enable and disable the voyager please see below, To enable ipso[admin]#clishNokiaIP390:102> set voyager daemon-enable tNokiaIP390:103> save configNokiaIP390:104> exit To disable ipso[admin]#clishNokiaIP390:102> set voyager daemon-enable fNokiaIP390:103> save configNokiaIP390:104> exit      

Issue When trying to log into Smart Portal on a pre-R65 Check Point firewall using Internet Explorer 7, you are unable to log in. Resolution Within Internet Explorer disable MS XML.This can be done via Tools > internet Options >Advanced > Security, and untick “Enable native XML HTTP support”.

Below shows you the process of installing a new Check Point package via the CLI, cp1[admin]# newpkg -m IPSO_wrapper_R65.tgzEnter pathname to the packages [ or ‘exit’ to exit ]: /var/emhome/adminLoading Package ListPackage Description: Check Point Suite wrapper package NGX R65Would you like to :1. Install this as a new package2. Upgrade from an old package3. … Read more

To enable debugging (which will write an event to the messages file and console upon a critical device failure) run the following syntax, ipso[admin]# ipsctl -w net:log:partner:status:debug 1 To turn off the console output, enter the following, ipso[admin]# ipsctl -w net:log:sink:console 0

Below are the common IPSO commands that can be used, IPSO commands newimage Installs IPSO OS from the local machine newpkg -m localhost Check Point package Install clish IPSO OS CLI ipsctl -a displays all of the IPSO Settings and Values ipsctl -a ifphys:eth-s5p1:errors|more display errors on eth-s5p1 ipsctl -w net:ip:tcp:default_mss 1460 Change MSS to … Read more

Below shows you how to factory reset a Nokia IPSO,  Nokia[admin]# ls bin     cdrom   dev     image   proc    tmp     var bootmgr config  etc     opt     sbin    usr     web Nokia[admin]# cd config Nokia[admin]# ls active  db Nokia[admin]# rm active Nokia[admin]# ls db Nokia[admin]# reboot On reboot select bootmgr to start the wizard,  Verifying DMI Pool Data …….. 1   … Read more

Below will show you how to install a IPSO image using the bootmgr, this can be useful if you have lost your password, or cannot get into the IPSO CLI for what ever reason. Reboot Device and on startup press 1 1   Bootmgr 2   IPSO Default: 1 Starting bootmgr Loading boot manager.. Install the image … Read more

Problem You find that your gateway is blocking SSH connections and showing in the logs even though you have the ssh and ssh_version_2 protocols added to your rule. message_info: SSH version 1.x is not allowed Reason On closer inspection when you look at the ssh_version_2 protocol object it says in the comment, Secure Shell, version … Read more

HFA stands for Hot fix accumulator. Which is a bit like a Windows Service Pack but for your Check Point Firewall.The documentation from the Check Point site on how to install these, is very good, and also contains the IPSO installation instructions. Below are the basic instructions on how to install the latest HFA 30 … Read more

To create a static route script, create a file in /etc/init.d/ with the routes included. Below is an example, #!/bin/bash /sbin/route add -host 192.168.1.25 gateway 10.1.1.25/sbin/route add -host 192.168.1.19 gateway 10.1.1.19 exit 0 Then link this to the startup script, by running, ln -s /etc/init.d/staticroutes /etc/rc3.d/S68Staticroutes You can then do the same for the static … Read more

If you cannot delete the administrator via cpconfig, or the fwm commands then remove the administrator (the complete line) from the following file /$FWDIR/conf/fwmusers

Issue There may be a time where you install the wrong policy onto a Check Point Firewall. This can block your connections, and screw which traffic is allowed through the firewall. Resolution These steps will show you how to remove and reinstall the correct policy via the CLI on the manager (SCS), 1. First of … Read more

Method 1 Even though this maybe more of an article for the Linux area, the only reason I came across this is trying to move the output of a upgrade_export from my SPLAT box, so hence it being under Firewalls – Check Point. If you keep getting prompted with a password box when trying to … Read more

Stealth Rule The first rule in the rule base which prevents access to the firewall itself. Implicit Drop / Clean Up Rule This is added by the firewall at the bottom of the rule base. Its role is to drop any traffic that hasn’t been matched to any of the previous rules.