Below are some of the most useful commands for the administration within the Gaia CLISH. show commands save config save the current configuration show commands shows all commands show allowed-client all show allowed clients show arp dynamic all displays the dynamic arp entries show arp proxy all shows proxy arp show arp static all displays … Read more

Upgrading a CheckPoint Manager from R65.4 to R7x

NGX R65 HFA40 is a standard HFA and can be installed both on Security Gateways and on SmartCenter servers. R65.4 is a Management-based package that, in addition to NGX R65 HFA40, also contains various new features and plug-ins. Upgrading from R65.4 can present some significant issues, due to the release being a dead end. You will … Read more

Upgrade/Install Check Point Solaris using only the iso file

When upgrading or installing Check Point on a Solaris platform, rather than having to use the physical Check Point software CD, the following method allows you to install/upgrade your Check Point software directly from the *.iso. Steps 1. Copy the iso file to your firewall / manager 2. Run the following commands lofiadm -a <path>/<filename>.iso /dev/lofi/1 mount -F … Read more

Check Point – A look at SecureID Files

In order to enable SecureID authentication you will need to generate an ‘sdconf.rec’ file from your ACE SERVER. You will then need to copy this file to the ‘/var/ace’ directory of your Check Point Firewall (if the directory does not exist, create one). At the point that your ACE SERVER and your ACE AGENT … Read more

Check Point Tool – dbdel ver3.1 is pleased to release dbdel ver3.1. This is basically a wrapper for Check Point’s existing dbver tool, but allows you to remove 100s of Database Revisions with one simple command string. Unlike dbver, where you have to add each database revision id, this allows you to add the amount you want to remove and … Read more

How do I create an IPSO backup via clish ?

The following will show you how to save a full IPSO backup via the clish CLI. This will back up all of the operating system configuration such as routes, proxy arps, interface settings etc. Backup This will create a backup within the /var/backup/ directory called ipso-backup_[date].tgz clish -c "set backup manual filename ipso-backup" clish -c "set backup … Read more

Change an IP address on an IPSO Nokia Firewall via clish

Below are the commands required to change the IP address of an interface within clish on an IPSO Nokia gateway, add interface eth1c0 address IP [NEW IP]/[NETMASK] delete interface eth1c0 address [OLD IP] set interface eth1 speed 100M duplex full active on set interface eth1c0 enable Below gives you an example : nokia-firewall[admin]# clish … Read more

A Quick Guide to Check Points OPSEC LEA

This guide will outline OPSEC LEA and how it works within a Check Point Infrastructure. What is OPSEC LEA ? The OPSEC LEA (Log Export API) provides the ability to pull logs from a Check Point device based on the OPSEC SDK. OPSEC LEA listens on port tcp/18184 on the device (OPSEC LEA Server) which … Read more

Endpoint Connect MEP Tutorial

This guide will explain the various steps required to set up Endpoint Connect using a Multiple Entry Point setup. Ok, so to start with, Endpoint Connect is Check Point’s new Remote Access VPN Client and, other than SSL Network Extender, is the only client supported on Windows 7 64-Bit. The main problem with SNX (SSL Network … Read more

Check Point Remote Access VPN Features

There are a number of Check Point Remote Access VPN terms and features. This guide attempts to explain them. Main Features Office Mode Office mode allows your remote VPN user to receive an IP address designated by the Check Point Gateway, internal DHCP server or radius server. Visitor Mode Visitor Mode allows your VPN client to … Read more

Port not Listening when Check Point’s Visitor Mode is Enabled

You may find when you enable visitor mode on the Check Point object that the port is not listening when you run the command netstat -anp | grep vpnd | grep [your port] This can be down to one of the following : The device’s management GUI is also listening on that port. For SPLAT … Read more

How do I debug VPND on Check Point ?

To debug VPND run the following command : vpn debug trunc To disable the debug run the commands : vpn debug off; vpn debug ikeoff To view the logs run the command : cd $FWDIR/log ; tail -f ike.elg vpnd.elg  

How do I debug ClusterXL at the Kernel level ?

Once you have exhausted the cphaprob commands and packet captures have been run for port UDP/8116, all to no avail, you may want to run a debug on ClusterXL. The steps are detailed below : Enable debugging fw ctl debug -x fw ctl debug -buf 4096 fw ctl debug -m cluster all fw ctl kdebug -f > file_name.txt Disable … Read more

How can I check that my Check Point Cluster is in Sync ?

All “true” clusters require that certain attributes are synchronised, so that in the event of a failover the newly promoted node can continue where the other node left off. In order to ensure that the State Tables of all your nodes within your Check Point Cluster are synchronised you will need to check the #VALS … Read more

How do I Uninstall / Install the Connectra Plugin ?

First of all check to see if the Connectra Plugin is installed. [Expert@R65-Manager]# fwm ver This is Check Point SmartCenter Server NGX (R65) HFA_50, Hotfix 650 – Build 011 Installed Plug-ins: Connectra NGX R62CM Uninstall To uninstall follow these steps : Run the plug-in clean-up utility /opt/CPPIconnectra*R65/bin/plugin_preuninstall_verifier Then remove the package rpm -e CPPIconnectra-R65-00 Reboot … Read more

Check Point Clustering

ClusterXL Check Point’s ClusterXL is a software-based Load Sharing and High Availability solution that distributes traffic between clusters of redundant Security Gateways. High Availability Allows for an Active-Standby setup where one node (Active) passes all the traffic. In the event of failure the Standby node will be promoted to the Active node. New Mode – Both … Read more

Create a Basic Route Based VPN between 2 Check Point Firewalls

Within this example we will build a Route Based VPN between 2 SPLAT R65 NGX Check Point Firewalls. Static Routes will be used to direct the traffic via the VPN Tunnel Interfaces. In this example both Firewalls are managed by the same manager. The gateways are : Site A – External Inside Site B … Read more

How do I Create an SSL VPN on a Check Point Gateway ?

Below are the steps to create an SSL VPN on a Check Point Gateway : Create a new network object. This will be used as the remote user’s IP address. Name this “net_office-mode-IPs” Within the Check Point Object under Topology > VPN Domain add your local domain. Within the Check Point Object … Read more

Create Certificate Based Site to Site VPN between 2 Check Point Gateways

This example will show you how to create a certificate based VPN between 2 Check Point firewalls which are managed via different Smart Centre Servers. Please note that simplified mode VPN was used along with the Check Point version being R65. Site A Create VPN Community Within your Gateway Object add your local domain to … Read more

Securing Client Authentication on a Check Point Gateway

By default Client Authentication allows you to authenticate using HTTP (on port 900) or Telnet (on port 259), both of which can pose security risks due to the usernames and passwords being sent unencrypted. To secure Client Authentication follow these steps : Change the following line in $FWDIR/conf/fwauthd.conf, 900     fwssd       in.ahclientd    wait    900 to … Read more

Allow Domain/DNS-based objects through Check Point Firewall

In order to allow domain based objects through a Check Point firewall we need to understand how the domain objects actually work. When a packet hits a rule with a domain based object the Check Point does a reverse DNS lookup on the IP address against the domain object to see if they … Read more

Endpoint Connect Installation / Troubleshooting Guide

What is EndPoint Connect ? Check Point’s Endpoint Connect software provides a number of client side security based features such as Anti-virus/Anti-spyware, Firewall/Email Protection, Program Control and Remote Access VPN. This document will only detail and discuss the Remote Access VPN section of the Endpoint Connect Software. Note : This document will refer to the … Read more

Check Point Web Visualization Only Provides Part of Policy

When using the Check Point Web Visualization tool and trying to obtain the policy for a Cluster object you may receive one of the following errors/issues : The policy is saved as an .html file but it is only showing part of the policy. You receive one of the following errors when running the Web … Read more

I am unable to clear the VPN SAs using the vpn tu command

If you are unable to clear the VPN SAs using the “vpn tu” command you may want to try using the following commands vpn shell /show/tunnels/ike/peer/[remote gw ip] vpn shell /show/tunnels/ipsec/peer/[remote gw ip] vpn shell /tunnels/delete/IKE/peer/[remote gw ip] vpn shell /tunnels/delete/IPsec/peer/[remote gw ip] The reason for this can be down to a number of issues … Read more

ClusterXL Active Attention / Interface Active Check Error

This article will provide the required troubleshooting steps for resolving the issue of the “Interface Active Check” error within ClusterXL. First of all you spot there is an error within ClusterXL using the following command, root@firewall # cphaprob stat Cluster Mode:   Legacy High Availability (Active Up) Number     Unique Address  Assigned Load   State 1   100%            … Read more

Check Point Logging Troubleshooting Guide

Below are some basic guidelines for troubleshooting Check Point Logging issues. Please note : This guide does not cover any OPSEC LEA based issues. Please note : The FWD (Firewall Daemon) is responsible for sending and receiving the Check Point Logs on port tcp/257. logs being sent to the manager … Read more

Check Point Per User IP Assignment Using ipassignment.conf

In order to assign individual IPs and ranges to certain remote access users, Check Point provides a configuration file allowing you to configure your gateway as required. This configuration file is : $FWDIR/conf/ipassignment.conf In this article we will outline some of the possible gotchas and also run through the required steps. Within this example we will … Read more

SmartView Monitor shows device status as Problem

Issue Within the Smartview Monitor you may find that the device status is shown as “Problem”. Within Smartview Monitor you are unable to find any further details for what is causing the issue. Troubleshooting Steps This article isn’t a solution to the issue but more of a pointer to a stepping stone on finding what … Read more

Check Point is changing SYN packets to ACKs ?

Issue The initial SYN packets from your client to your server are  translated by your Firewall into ACK packets. This in turn  prevents the initial 3 way handshake establishing. Below shows an example, Inbound 15:32:19.546115 I > S 2292544025:2292544025(0) win 49640 <mss 1460,nop,wscale 0,nop,nop,sackOK> (DF) 15:32:22.924625 I > S 2292544025:2292544025(0) win … Read more

IPSO Configuration Sets

IPSO configuration sets allow you to change (or save) your system’s complete current configuration, allowing you to choose the required configuration (set) of your firewall with a few simple commands. This is useful for importing configurations from other devices rather than setting up a box from scratch. Configuration Set directory The active configuration file … Read more

Check Point Backups

Oversimplified Executive Summary - An upgrade_export contains just Check Point configuration - A backup is an upgrade_export plus SPLAT OS configuration - A snapshot is a backup plus binary files, both Check Point and SPLAT OS - As a general rule of thumb, if you’re restoring on the same hardware a snapshot would be the easiest to use since … Read more

Shell Script – Check Point Backup

This script will determine which operating system is running then backup the OS accordingly, once complete it will securely send it to the manager. The script is based on R65 and all backups will be sent to “/var/tmp/backups” on the manager. Each time the backup is run it will write a system log confirming if … Read more

SmartView Monitor incorrectly shows status as Disconnected

Issue The SmartView Monitor shows the status of your gateway as “Disconnected”. It takes ages before your gateway shows as “Connected”. No AMON (Application Monitoring) packets (tcp/18192) are leaving the SmartCentre Server for the gateway. Solution This can be down to issues within the Database files for the SmartView Monitor. Below will show you … Read more

Check Point Solaris – Wrapper completed with error code 239

Issue On Solaris 8 or Solaris 9, installing Check Point package fails with either : /var/opt/cp_tmp/CPsuite-R65/install/request: /var/opt/cp_tmp/CPsuite-R65/install/request: cannot open pkgadd: ERROR: request script did not complete successfully Installation of <CPsuite-R65> failed. or /opt/CPInstLog/Wrapper_R65.elg contains [25/02 11:52:36]  Installing “Primary SmartCenter” [25/02 11:52:55]  Installing of “Primary SmartCenter” failed ! [25/02 11:52:57]  Fail to install: Primary SmartCenter! See application usage format. [25/02 11:52:57]  Wrapper … Read more

Check Point Upgrade to R70: status=1 Patch installation failed

Issue When upgrading to R70 on SPLAT you may receive the following error, CPwrapper: Wrapper part one completed successfully, data saved Upgrading the operating system. Preparing to upgrade Check Point Products. status=1 Exiting .. Patch installation failed. Please Note : This refers to a copied iso file which has been copied to the device and … Read more


This guide attempts to explain Proxy ARP upon the Check Point SPLAT platform. 1. What is Proxy ARP ? There are 2 ways to get a packet to a device. Route the packet to the device. Add a proxy ARP entry so that the network host answers to the ARP queries for IP addresses not … Read more

Invalid MD5 digest – BGP Traffic Through Check Point

Issue When allowing eBGP traffic through a Check Point Firewall you may receive the following error message on your BGP peered routers. (This error may occur at the point of pushing a policy to your Check Point Firewall), TCP-6-BADAUTH: Invalid MD5 digest from [Source IP]:[Source Port] to [Dest IP]:179 Solution This is down to the … Read more

Check Point: Migrate Provider-1 R55 CMA to R65 Smart Centre Server

Below are the steps required to migrate a Provider-1 CMA to a Smart Centre Server. This tutorial was based on exporting and migrating from R55 to R65 and will involve the following steps,   1. Export the CMA on the Provider-1 2. Import the CMA into Smart Centre 3. Export and detach license 4. Update the Smart Centre Object … Read more

Check Point – Provider-1 Export / Failed to export Error

Issue When trying to run an upgrade_export from a Provider-1 you get the following error, Failed to export. Please close all Check Point clients. If the failure to export persists, stop all Check Point Services and run the upgrade_export command again. Solution Note: The upgrade_export command is run from the $FWDIR/bin/upgrade_tools directory of the CMA. … Read more

Check Point: Upgrade to R65 from R55 Causes Traditional Mode Issues

Issue Check Point have now replaced the “Support Key Exchange for subnets” with “VPN Tunnel Sharing” for Traditional mode VPNs. The problem this causes when you upgrade to R65 is that the “Support Key Exchange for subnets” setting isn’t transferred. With all Traditional VPNs being set to “One VPN tunnel per subnet pair” as … Read more

Check Point – Enabling Gratuitous ARP (Failover)

If your firewall isn’t Gratuitous ARPing when it fails over, you will need to edit the file $FWDIR/boot/modules/fwkern.conf, and add the following line (if the file doesn’t exist, create it), fwha_use_arp_packet_queue=1 Then reboot the machine.

Check Point – How to Reset SIC

How do I reset SIC ? Go into the CLI of the Firewall and type cpconfig then choose Secure Internal Communication. You will then be prompted to enter a passcode. Enter anything, it doesn’t matter. Then exit cpconfig using option 10. cpfw[admin]# cpconfig This program will let you re-configure your Check Point products configuration. Configuration … Read more

Nokia: Install HFA30 to Diskless/Flash-based Check Point Firewall

The following steps will allow HFA30 to install on a flash based system if the /opt has less than 400mb. Before we start you should ideally have the following free, /opt = 212184 /prevserve = 480694 mkdir ~/hfa30 cd ~/hfa30 tar xzvf ~/VPN-1_R65_HFA_30.ipso.tgz rm ~/VPN-1_R65_HFA_30.ipso.tgz df -k The output from df -k should now show over … Read more

Check Point – Desktop Policy / Split Tunnelling

Desktop Policy / Split Tunneling In the world of Check Point remote access there are 2 types of clients that are used for remote VPN access. They are, Secure Remote – Basic Free client Secure Client – Non-free licensed client allowing the enforcement of desktop policies. Desktop Policy Within the Desktop Policy Tab of your … Read more

IPSO – Enable / Disable Voyager

To enable and disable the voyager please see below, To enable ipso[admin]# clish NokiaIP390:102> set voyager daemon-enable t NokiaIP390:103> save config NokiaIP390:104> exit To disable ipso[admin]# clish NokiaIP390:102> set voyager daemon-enable f NokiaIP390:103> save config NokiaIP390:104> exit

SPLAT – Unable to log into Smart Portal

Issue When trying to log into Smart Portal on a pre-R65 Check Point firewall using Internet Explorer 7, you are unable to log in. Resolution Within Internet Explorer disable MS XML. This can be done via Tools > Internet Options > Advanced > Security, and untick “Enable native XML HTTP support”.

IPSO – Installing a Check Point Package

Below shows you the process of installing a new Check Point package via the CLI, cp1[admin]# newpkg -m IPSO_wrapper_R65.tgz Enter pathname to the packages [ or ‘exit’ to exit ]: /var/emhome/admin Loading Package List Package Description: Check Point Suite wrapper package NGX R65 Would you like to : 1. Install this as a new package 2. Upgrade from an old package 3. … Read more

IPSO – Turn off Console Logging

To enable debugging (which will write an event to the messages file and console upon a critical device failure) run the following syntax, ipso[admin]# ipsctl -w net:log:partner:status:debug 1 To turn off the console output, enter the following, ipso[admin]# ipsctl -w net:log:sink:console 0
