Check Point R80.20 Manual

Next Generation Security Gateway

28 December 2020
NEXT GENERATION
SECURITY GATEWAY
R80.20
Guide
Summary of Contents for Check Point R80.20

  • Page 1 28 December 2020 NEXT GENERATION SECURITY GATEWAY R80.20 Guide...
  • Page 2 Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.
  • Page 3: Important Information

    We recommend that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and protection against new and evolving attacks. Certifications For third party independent certification of Check Point products, see the Check Point Certifications page https://www.checkpoint.com/products-solutions/certified-check-point-solutions/. Check Point R80.20 For more about this release, see the R80.20 home page...
  • Page 4 Load-Balancing Methods (on page 293) - "Domain" and "Round Trip" load balancing methods are supported for Logical Servers 22 September 2019 Added to the applicable topics: Warning - The R80.20 ClusterXL does not support the Load Sharing modes (R80.20 Known Limitation MB-30) 26 March 2019 Updated: •...
  • Page 5: Smartconsole Toolbars

    What's New Button (left bottom corner of SmartConsole) - Open a tour of the SmartConsole. Objects and Validations Tabs (right side of SmartConsole): Objects - Manage security and network objects; Validations - Validation warnings and errors. Next Generation Security Gateway Guide R80.20...
  • Page 6 System Information Area (bottom of SmartConsole): Task List - Management activities, such as policy installation tasks; Server Details - The IP address of the Security Management Server; Connected Users - The administrators that are connected to the Security Management Server...
  • Page 7: Table Of Contents

    HSM Appliance Server ....................87 (A) Installing the Gemalto HSM Simplified Client Software Packages on the Check Point Security Gateway ...................... 88 (B) Establishing a Trust Link between the Check Point Security Gateway and the Gemalto HSM Appliance Server ....................88...
  • Page 8 Configuring HTTPS Inspection on the Check Point Security Gateway to Work with the Gemalto HSM Appliance Server ................. 90 Additional Actions for a Gemalto HSM Appliance Server .......... 91 Disabling Communication from the Check Point Gateway to the Gemalto HSM Appliance Server ........................
  • Page 9 Use Case - Application & URL Filtering Ordered Layer ..........138 Rule Matching in the Access Control Policy ............139 Examples of Rule Matching ..................139 Best Practices for Access Control Rules ..............142 Installing the Access Control Policy ................ 143 Analyzing the Rule Base Hit Count ................
  • Page 10 Configuring Threat Extraction Settings ..............191 Configuring a Malware DNS Trap ................192 Exception Rules ...................... 193 The Check Point ThreatCloud ................... 195 Updating IPS Protections ..................196 Threat Prevention Scheduled Updates ..............197 Updating Threat Emulation ..................197 To Learn More About Threat Prevention ..............197 Creating Shared Policies ....................
  • Page 11 About SecureXL......................239 Configuring SecureXL ..................... 241 To Learn More About SecureXL ................242 Multi-Queue ......................242 ClusterXL........................243 The Need for Clusters ..................... 243 ClusterXL Solution ....................243 IPv6 Support for ClusterXL ..................244 How ClusterXL Works ..................... 244 Installation and Platform Support................
  • Page 12 To Learn More About Data Loss Prevention ............289 ConnectControl - Server Load Balancing ..............291 ConnectControl Packet Flow ..................291 Logical Server Types ....................292 Persistent Server Mode .................... 292 Persistent Server Timeout ..................293 Load-Balancing Methods ..................293 Server Availability .....................
  • Page 13 Overview of CPView ....................356 CPView User Interface..................... 356 Using CPView ......................356 dynamic_objects ....................... 358 cpwd_admin ......................360 cpwd_admin config ....................362 cpwd_admin del ...................... 365 cpwd_admin detach ....................366 cpwd_admin exist ....................367 cpwd_admin flist..................... 368 cpwd_admin getpid ....................369 cpwd_admin kill ......................
  • Page 14 Module 'cluster' (ClusterXL) ..................581 Module 'cmi_loader' (Context Management Interface/Infrastructure Loader) ... 583 Module 'CPAS' (Check Point Active Streaming) ............584 Module 'cpcode' (Data Loss Prevention - CPcode) ............ 585 Module 'dlpda' (Data Loss Prevention - Download Agent for Content Awareness) ..586 Module 'dlpk' (Data Loss Prevention - Kernel Space) ..........
  • Page 15 Module 'WS_SIP' (Web Intelligence VoIP SIP Parser) ..........624 Module 'WSIS' (Web Intelligence Infrastructure) ............626...
  • Page 16: Terms

    Check Point Software Blade that inspects network traffic for malicious bot software. ... the Event Policy. ... In Media Encryption, a ...
  • Page 17 ... IPv6 traffic. Installed on Security Gateways for significant performance improvements. ... organizational security policy. Security Gateway - A computer that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. Security Management Server - A computer that runs Check Point software to manage the objects and policies in a Check Point environment.
  • Page 18: Check Point Next Generation Security Gateway Solution

    To configure an effective security solution, you must understand how to configure the Next Generation Security Gateway features, and how to add rules to your security policy. This guide helps you understand the general principles of the Check Point Next Generation Security Gateway, and how to configure it.
  • Page 19 Check Point Next Generation Security Gateway Solution - Feature and chapter: Mobile Access; IPsec VPN; Anti-Bot, Anti-Virus, Threat Emulation, Threat Extraction - Creating a Threat Prevention Policy (on page 168); HTTPS Inspection - Configuring HTTPS Inspection (on page 199); Creating Shared Policies (on page 198)
  • Page 20: Components Of The Check Point Firewall Solution

    Security Management Server - The application that manages, stores, and distributes the security policy to Security Gateways. • SmartConsole - A Check Point GUI application used to manage security policies, monitor products and events, install updates, provision new devices and appliances, and manage a multi-domain environment.
  • Page 21: Mirror And Decrypt

    (promiscuous) mode to accept the decrypted and mirrored traffic from your Security Gateway, or Cluster. R80.20 Security Gateway, or Cluster works only with a Recorder, which is directly connected to a designated physical network interface (NIC) on the Check Point Gateway, or Cluster Members...
  • Page 22 Read and follow the Mirror and Decrypt Requirements (on page 24). Prepare each Security Gateway, or cluster member (on page 26). Configure the Mirror and Decrypt in the Security Gateway, or Cluster object in SmartConsole (on page 27)...
  • Page 23 Source MAC address of the decrypted and mirrored packets the Security Gateway and Cluster Members send: Mirror only of all traffic - MAC address of the designated physical interface; Mirror and Decrypt of HTTPS traffic - 00:00:00:00:00:00...
  • Page 24: Mirror And Decrypt Requirements

    You must configure the HTTPS Inspection Rule Base. Access Rules for traffic you wish to Mirror and Decrypt: • You must create special rules in the Access Control Policy for the traffic you wish to mirror and decrypt...
  • Page 25: Configuring Mirror And Decrypt In Gateway Mode

    Recorder, or Packet-Broker that works in a monitor (promiscuous) mode. Flow of the decrypted and mirrored traffic from the Security Gateway (1) to the Recorder, or Packet-Broker (2). eth4 - Designated physical interface on the Security Gateway (1)...
  • Page 26: Preparing The Security Gateway

    Note - To apply the configuration from the file and make it persistent, install an Access Control Policy on the cluster object. You install the Access Control Policy later, after the required configuration steps in the SmartConsole...
  • Page 27: Configuring Mirror And Decrypt In Smartconsole

    From the top toolbar, click Update (or press Ctrl+S) to save the changes in the database. Close the SmartDashboard. To activate the Mirror and Decrypt: Step Description In SmartConsole, open the object of the Security Gateway, or Cluster...
  • Page 28 1. Read the text carefully. 2. Check I agree to the terms and conditions. 3. Click OK to accept and close the disclaimer. In the Mirror gateway traffic to interface field, select the designated physical interface...
  • Page 29 In the top right corner of this pop up window, click New Layer. The Layer Editor window opens. From the navigation tree of the Layer Editor window, click General. In the Blades section, make sure you select only the Firewall...
  • Page 30 • Source - *Any • Destination - *Any • VPN - *Any • Services & Applications - *Any • Action - Must contain Accept • Track - None • Install On - *Policy Targets...
  • Page 31 Install On - Must contain one of these objects: • *Policy Targets (this is the default) • The Security Gateway, or Cluster object, whose version is R80.20 Important: • In the Mirror and Decrypt rules, you must select Content criteria, such as Application, URL Filtering, Service matched by IP Protocol, Content Awareness.
  • Page 32: Configuring Mirror And Decrypt In Vsx Mode

    Flow of the decrypted and mirrored traffic from the VSX Gateway (1) to the Recorder, or Packet-Broker (2). eth4 - Designated physical interface on the VSX Gateway (1). Virtual System (3) connects directly to this physical interface. wrp128 - One of the virtual interfaces on the Virtual System (3)...
  • Page 33 Important - It is not supported to change the designated physical interface with the vsx_util change_interfaces command (for information about this command, see the R80.20 VSX Administration Guide https://sc1.checkpoint.com/documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_VSX_AdminGuide/html_frameset.htm and the R80.20 Command Line Interface Reference Guide https://sc1.checkpoint.com/documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_CLI_ReferenceGuide/html_frameset.htm)...
  • Page 34: Preparing The Vsx Gateway

    Note - To apply the configuration from the file and make it persistent, install an Access Control Policy on the VSX cluster object. You install the Access Control Policy later, after the required configuration steps in the SmartConsole...
  • Page 35: Configuring Mirror And Decrypt In Smartconsole For One Virtual System

    Configure the HTTPS Inspection Rule Base. For details, see Configuring HTTPS Inspection (on page 199). From the top toolbar, click Update (or press Ctrl+S) to save the changes in the database. Close the SmartDashboard...
  • Page 36 To configure the Mirror and Decrypt rules: Best Practice: We recommend that you configure a new separate Access Control Layer to contain the Mirror and Decrypt rules. Alternatively, you can configure the Mirror and Decrypt rules in the regular Rule Base...
  • Page 37 In the Access Control section, you see the Network Layer and the new Access Control Layer. Click OK to save the changes and close the Policy window. In SmartConsole, at the top, click the tab of the applicable policy...
  • Page 38 Install On - Must contain one of these objects: • *Policy Targets (this is the default) • The Virtual System object, whose version is R80.20 Important: • In the Mirror and Decrypt rules, you must select Content criteria, such as Application, URL Filtering, Service matched by IP Protocol, Content Awareness.
  • Page 39 If in a Mirror and Decrypt rule you set the Track to Log, then you can filter the logs for this rule by the Access Rule Name, which contains the configured string: <M&D>, <M&d>, <m&D>, or <m&d>...
  • Page 40: Configuring Mirror And Decrypt In Smartconsole For Several Virtual Systems

    In the Shared Policies section, click HTTPS Inspection. In the middle of the page, click Open HTTPS Inspection Policy in SmartDashboard. The Legacy SmartDashboard opens. Configure the HTTPS Inspection Rule Base. For details, see Configuring HTTPS Inspection (on page 199)...
  • Page 41 6. In the Security Zone field, leave the default None. 7. Click OK. To activate the Mirror and Decrypt in the object of each Virtual System: Step Description In SmartConsole, open the Virtual System object...
  • Page 42 In the SmartConsole top left corner, click Menu > Manage policies and layers. Select the existing policy and click Edit (the pencil icon). Alternatively, create a new policy. From the navigation tree of the Policy window, click General...
  • Page 43 • Source - *Any • Destination - *Any • VPN - *Any • Services & Applications - *Any • Action - Must contain Accept • Track - None • Install On - *Policy Targets...
  • Page 44 Install On - Must contain one of these objects: • *Policy Targets (this is the default) • The objects of Virtual Systems, whose version is R80.20 Important: • In the Mirror and Decrypt rules, you must select Content criteria, such as Application, URL Filtering, Service matched by IP Protocol, Content Awareness.
  • Page 45: Mirror And Decrypt Logs

    Partial mirroring (HTTPS Inspection Bypass) - Security Gateway started to decrypt the traffic, but stopped later due to a Bypass rule (for example, a rule with a Category). Therefore, the mirrored connection is not complete...
  • Page 46: Icap Client

    Advanced ICAP Client Configuration .............. Introduction to ICAP: From R80.20, ICAP Client functionality is available in Security Gateway, or Cluster. Background: The Internet Content Adaptation Protocol (ICAP) is a lightweight HTTP-like protocol, which is used to extend transparent proxy servers. This frees up resources and standardizes the way in which new features are implemented.
  • Page 47 ICAP sends an error to the Client. • ICAP sends a block page to the Client. For example, you can present a Check Point UserCheck page from the Threat Emulation, Anti-Virus, or URL Filtering Software Blades. Data Modification Modification of the HTTP content.
  • Page 48 The ICAP Client component (4) forwards the block message from the ICAP Server component (5) to the Client computer (1). Example data flow in Server Response Modification (RESPMOD) mode: Item Description The Client computer...
  • Page 49 ICAP Client. Bad composition. ICAP Server needs encapsulated sections different from those in the request. Server error. 5yz - Server error codes. Error on the ICAP Server, such as "out of disk space"...
  • Page 50 Service overloaded. The ICAP server has exceeded a maximum connections limit associated with this service. The ICAP Client should not exceed this limit in the future. ICAP version not supported by server...
  • Page 51: Icap Client In Check Point Security Gateway

    The ICAP Client functionality in your Check Point Security Gateway or Cluster enables it to interact with an ICAP Server responses, modify their content, and block the matched HTTP connections. In addition, you can add an ICAP Server decision to the enforcing logic (on page 70) on your Security Gateway, or Cluster.
  • Page 52: Icap Client User Disclaimer

    You agree to indemnify and hold harmless Check Point from any and all claims and/or demands related to the violation of any data protection laws and regulation, or to the inappropriate use or implementation of this feature.
  • Page 53: Configuring Icap Client In Gateway Mode

    Fetch the local policy with the fw fetch localhost command. Note - If one of the ICAP configuration parameters is not configured correctly, SmartConsole shows an error with the name of the applicable parameter...
  • Page 54: Configuring Icap Client In Vsx Mode

    Fetch the local policy with the fw fetch localhost command (in the context of this Virtual System). Note - If one of the ICAP configuration parameters is not configured correctly, SmartConsole shows an error with the name of the applicable parameter...
  • Page 55: The Icap Client Configuration File

    The ICAP Client configuration file on Check Point Security Gateway ($FWDIR/conf/icap_client_blade_configuration.C) contains a number of sections. Each section contains the applicable parameters. Some parameters accept only string values (notice the double-quotes). Some parameters accept only integer values.
  • Page 56 ICAP Client configuration file. 4. Add the new message for the UserCheck Block page. 5. Click OK. 6. Install the Access Control Policy on the Security Gateway. Default: "Blocked Message - Access Control"...
  • Page 57 HTTP payload to its original destination, except for the last (constant size) HTTP payload. Based on the verdict from the ICAP Server, ICAP Client sends or does not send this last HTTP payload. Default: 0...
  • Page 58 :icap_servers () - :port () (up to 65535) - Defines the port on the ICAP Server. Default: 1344. :icap_servers () - :service () (plain-text string up to 32 characters) - Defines the name of the ICAP service. Default: "echo"...
  • Page 59 Default: close. :icap_servers () - :timeout () (integer from 1 to (2^32)-1) - Defines the ICAP Client timeout (in seconds). After this time passes, the ICAP Client sends a reset to the ICAP Server. Default: 61...
  • Page 60 :icap_servers () - :x_headers () - X-Server-IP - :x_server_ip () ("true" or "false"): • "false" - Does not process this X-Header. • "true" - Adds the destination IP address (proxy's IP address or resolving HTTP Hostname). Default: "false"...
  • Page 61 "exclude" - ICAP Client does not send the IP addresses in the IP ranges (see below) to the ICAP Server. Default: "none". :network_filter_rules_ip4 () - Controls the network filter rules for source and destination IPv4 addresses...
  • Page 62 :network_filter_rules_ip4 () - :dst_ip_ranges () - Defines the destination IPv4 addresses. Each rule can contain only one :dst_ip_ranges () parameter. The :dst_ip_ranges () parameter can contain more than one :min_ip () and :max_ip () parameters...
  • Page 63 :network_filter_rules_ip6 () - :src_ip_ranges () - Defines the source IPv6 addresses. Each rule can contain only one :src_ip_ranges () parameter. The :src_ip_ranges () parameter can contain more than one :min_ip () and :max_ip () parameters...
  • Page 64 :network_filter_rules_ip6 () - :dst_ip_ranges () - Defines the destination IPv6 addresses. Each rule can contain only one :dst_ip_ranges () parameter. The :dst_ip_ranges () parameter can contain more than one :min_ip () and :max_ip () parameters...
  • Page 65 • [:network_filter_rules_ip4 ()] OR [:network_filter_rules_ip6 ()] • [:src_ip_ranges ()] AND [:dst_ip_ranges ()] • In the :src_ip_ranges () parameter, [:min_ip ()] OR [:max_ip ()] • In the :dst_ip_ranges () parameter, [:min_ip ()] OR [:max_ip ()]...
  • Page 66 If the result of these logical operations is TRUE and :rules_type ("include"), then ICAP Client works. If the result of these logical operations is TRUE and :rules_type ("exclude"), then ICAP Client does not work...
  • Page 67: Example Of The Icap Client Configuration File

    :port (1344)
    :service ("echo")
    :proto ("icap")
    :modification_mode ("respmod")
    :transp ("3rd_cpas")
    :failmode (close)
    :timeout (120)
    :max_conns (250)
    :user_check_action (2)
    :x_headers (
    :x_client_ip ("true")
    :x_server_ip ("true")
    :x_authenticated_user ("true")
    :authentication_source ("WinNT")
    :rules_type ("include")
    :network_filter_rules_ip4 (
    :src_ip_ranges (
    ...
  • Page 68 AND destined to IPv4 (10.1.0.1 OR 10.1.0.2 ... OR 10.1.255.255) • Rule 2 All traffic that arrives from IPv4 (10.0.0.21 OR 10.0.0.22 ... OR 10.0.0.24) AND destined to any IPv4 address • In the :network_filter_rules_ip6 (): [:src_ip_ranges ()] AND [:dst_ip_ranges ()]...
  • Page 69 • Rule 1 All traffic that arrives from IPv6 (2001:db8:5:f101::11 OR 2001:db8:5:f101::12 ... OR 2001:db8:5:f101::15) AND destined to IPv6 (2001:db8:6:f101::1 OR 2001:db8:6:f101::2 ... OR 2001:db8:6:f101::20)
  • Page 70: Advanced Icap Client Configuration

    To adjust the enforcement according to ICAP response headers from an ICAP Server, you can configure specific HTTP headers. When ICAP Client on Check Point Security Gateway receives these HTTP headers, the Security Gateway blocks the matched HTTP connections. See the Draft RFC - ICAP Extensions https://tools.ietf.org/html/draft-stecher-icap-subid-00.
  • Page 71 ID. Currently, 0 is returned for all threats. ResolutionID: 0: File was not repaired. 1: File was repaired. 2: Violating part was removed (usually used if a file was removed from a container).
  • Page 72 For example, the virus name or the policy violation description. It may contain spaces and should not be quoted. It must not contain semicolons, because it is terminated by the final semicolon of the header definition...
  • Page 73 This header is available only if the content was scanned, and some violations were found. X-ICAP-Profile: Contains the applied Proxy workflow's name (user profile). This header is available only if the file was scanned...
  • Page 74
    [Expert@GW:0]# dmesg | grep append_icap_unwrap_headers
    [fw6_0];append_icap_unwrap_headers: ==> new icap_unwrap_headers array is: [ X-Virus-ID ; X-Violations-Found ; X-Infection-Found ; X-Response-Info ; X-Response-Desc ;]
    [fw4_0];append_icap_unwrap_headers: ==> new icap_unwrap_headers array is: [ X-Virus-ID ; X-Violations-Found ; X-Infection-Found ; X-Response-Info ; ...
  • Page 75
    # fw ctl set str icap_unwrap_append_header_str 'X-Violations-Found'
    c) # fw ctl set str icap_unwrap_append_header_str 'X-Infection-Found'
    2. Print the list of the configured HTTP headers:
    # fw ctl set str icap_unwrap_append_header_str '__print__'
    # dmesg | grep append_icap_unwrap_headers
    ...
  • Page 76: Configuring Additional Https Status Code, Which Icap Client Sends In Respmod

    [Expert@GW:0]# fw ctl set str icap_append_status_code_str '__print__'
    [Expert@GW:0]# dmesg | grep icap_client_append_status_code
    [fw6_0];icap_client_append_status_code: ==> new 'status code' array is: [ 1 ; 2 ;]
    [fw4_0];icap_client_append_status_code: ==> new 'status code' array is: [ 1 ; 2 ;]
    [Expert@GW:0]#
    ...
  • Page 77
    # fw ctl set str icap_append_status_code_str '1'
    b) # fw ctl set str icap_append_status_code_str '2'
    2. Print the list of the configured server status codes:
    # fw ctl set str icap_append_status_code_str '__print__'
    # dmesg | grep icap_client_append_status_code
    ...
  • Page 78: Configuring Connection Timeout For Icap Connections

    • 0 - Security Gateway does not reuse the ICAP Client-to-Server connections • 1 - Security Gateway reuses the ICAP Client-to-Server connections - each connection is reused and not closed after handling the successful ICAP requests. Default value: 1...
  • Page 79: Configuring Icap Client Data Trickling Parameters

    • In the Trickling at the End mode, Check Point Security Gateway supports the 204 status code (with the HTTP header "Allow: 204", for HTTP reply "No change / Unmodified"). • There is still an applicative timeout (:icap_servers () - :timeout) of the ICAP session that the user needs to define according to the icap-service demand, after which the fail-action follows.
  • Page 80 Name: icap_blade_trickling_threshold_mb. Description: Specifies the Content-Length threshold in megabytes. Only if the HTTP Content-Length of the original HTTP connection is greater than this threshold, Trickling from the Start is activated. Type: Integer. Default value: ...
  • Page 81 The ICAP Client holds back only the last 16 kilobytes of the file until it gets the verdict from the ICAP Server. • The ICAP Client sends all other files to the original HTTP destination in the HTTP connection byte-rate...
  • Page 82: Hardware Security Module (Hsm)

    These keys are created during the initialization of the HTTPS Inspection daemon on the Security Gateway with 1024-bit, 2048-bit, or 4096-bit length. You can use the Gemalto Luna SP SafeNet HSM to work with the Check Point Security Gateway. The SafeNet Cryptographic Engine enables the SafeNet Network HSM functionality by providing: •...
  • Page 83: The Check Point Environment With Gemalto Safenet Hsm Appliance

    Note - Check Point Security Gateway uses the Gemalto HSM Appliance Server only for outbound HTTPS Inspection. Workflow for Setting Up Your HSM Environment Use this workflow to configure your Check Point Gateway to work with the HSM Appliance Server: Step Description Extract the Gemalto Help package (on page 84).
  • Page 84: Step 1: Extracting The Gemalto Help Package

    Configure the Gemalto HSM Client workstation (on page 85). Create the CA Certificate on the Gemalto HSM Appliance Server (on page 86). Configure the Check Point Security Gateway to work with the Gemalto HSM Appliance Server (on page 87). Step 1: Extracting the Gemalto Help Package The Gemalto configuration documents have to be used to configure the Gemalto HSM environment.
  • Page 85: Step 3: Configuring The Gemalto Hsm Client Workstation

    Disable the client source IP address validation by NTLS upon an NTLA client connection: lunash:> ntls ipcheck disable Note - This will allow the HSM Appliance Server to accept traffic from Check Point Cluster members that are hidden behind the Cluster VIP address, and from Check Point Security Gateways hidden behind NAT.
  • Page 86: Step 4: Creating The Ca Certificate On The Gemalto Hsm Appliance Server

    2.7 (for example: Red Hat 5 or lower, Gaia R77.20 or lower). In such a case, follow the instructions in Establishing a Trust Link between the Check Point Security Gateway and the Gemalto HSM Appliance Server (on page 88).
  • Page 87: Step 5: Configuring The Check Point Security Gateway To Work With The Gemalto Hsm Appliance Server

    Configure HTTPS Inspection on the Security Gateway to work with the Gemalto HSM Appliance Server (on page 90). Note - If you have a Check Point Cluster environment, do this procedure on each cluster member...
  • Page 88: (A) Installing The Gemalto Hsm Simplified Client Software Packages On The Check Point Security Gateway

    Note - Software Subscription or Active Support plan is required to download this package https://www.checkpoint.com/support-services/support-plans/. Copy the software package to the Check Point Security Gateway to some directory. Connect to the command line on the Check Point Security Gateway. Log in to the Expert mode.
  • Page 89 Notes: • Use the IP address of the interface that connects to the HSM Appliance. In a Check Point cluster, use the IP address of the cluster member, and not the Cluster Virtual IP address. • The private key file is created and written to: IP Address of CP /usr/safenet/lunaclient/cert/client/<...
  • Page 90: Configuring Https Inspection On The Check Point Security Gateway To Work With The Gemalto Hsm Appliance Server

    In addition, see Additional Actions for a Gemalto HSM Appliance Server (on page 91). Procedure: Note - If you have a Check Point Cluster environment, do this procedure on each cluster member. Step Description Connect to the command line on the Security Gateway. Log in to the Expert mode.
  • Page 91: Additional Actions For A Gemalto Hsm Appliance Server

    Deleting a Trust Link with the HSM Appliance Server If you need to establish new Trust Link between a Check Point Security Gateway and an HSM Appliance Server, you have to delete the current Trust Link. For example, when you replace or reconfigure a Check Point Security Gateway, or an HSM Appliance Server.
  • Page 92: Configuring A Second Interface On A Gemalto Hsm Appliance For Ntls

    Monitoring HTTPS Inspection on Check Point Gateway When Working with the Gemalto HSM Appliance Server When the HTTPS Inspection daemon wstlsd initializes on the Check Point Gateway, it checks whether this Security Gateway is configured to work with the Gemalto HSM Appliance Server.
  • Page 93: Smartconsole Logs

    HSM connected to ... 1. The value of the :enabled() attribute is set to "yes" in the $FWDIR/conf/hsm_configuration.C file on Security Gateway. 2. Security Gateway was able to connect to the HSM Appliance Server...
  • Page 94 • There is no trust or no connectivity with HSM server • Login to HSM partition failed • Error importing certificate from HSM server • Error generating key pair on HSM server...
  • Page 95: Snmp

    HTTPS Inspection feature is not configured on Security Gateway. To get HTTPS Inspection status description, query this SNMP object: SNMP OID Returned strings Explanation HTTPS Inspection feature is httpsInspectionStatusDescrip HTTPS configured on Security Gateway. tion Inspection is .1.3.6.1.4.1.2620.1.54.2 Next Generation Security Gateway Guide R80.20...
  • Page 96 To get the HSM configuration status description, query this SNMP object: hsmStatus.hsmEnabledDescription (OID .1.3.6.1.4.1.2620.1.54.3.2). Returned string "HSM is enabled for HTTPS inspection" - Explanation: the value of the :enabled() attribute is set to "yes" in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway.
  • Page 97 Security Gateway. Returned string "Accessible" - Explanation: the Security Gateway was able to access its partition on the HSM Appliance Server. Returned string "Not Accessible" - Explanation: the Security Gateway was not able to access its partition on the HSM Appliance Server due to an error.
  • Page 98 (OID .1.3.6.1.4.1.2620.1.54.3.5) All these conditions were met: 1. The value of the :enabled() attribute is set to "yes" in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway. 2. The Security Gateway was able to connect to the HSM Appliance Server.
  • Page 99 HTTPS Inspection daemon wstlsd, or during policy installation. For example, you can get "hsmStatus.hsmEnabled = HSM enabled" and "hsmStatus.outboundStatus = HSM off", because when the wstlsd daemon started, or during the last policy installation, the HSM configuration was disabled.
  • Page 100 HSM server Note - The conditions for the returned strings are calculated on the Security Gateway during the start of the HTTPS Inspection daemon wstlsd, or during policy installation. For example, you can get
  • Page 101: cpstat https_inspection

    [Expert@GW:0]# cpstat https_inspection -f all
    HTTPS inspection status (On/Off):
    HTTPS inspection status description: HTTPS Inspection is on
    HSM enabled (Enabled/Disabled): Enabled
    HSM enabled description: HSM is enabled for HTTPS inspection
    HSM partition access (Accessible/Not Accessible): Accessible
  • Page 102 Security Gateway. Explanation about HSM configuration status: Item "HSM enabled (Enabled/Disabled)" - Possible returned string "Enabled" - Explanation: the value of the :enabled() attribute is set to "yes" in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway.
  • Page 103 The :enabled() attribute is corrupted in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway. Important - In such cases, outbound HTTPS Inspection works without the HSM Appliance Server, and SSL keys are stored on the Security Gateway.
  • Page 104 library failed • There is no trust or no connectivity with the HSM server • Login to the HSM partition failed. Important - In such a case, outbound HTTPS Inspection will not work, and HTTPS traffic will not pass.
  • Page 105 HTTPS Inspection daemon wstlsd, or during policy installation. For example, you can get "HSM enabled (Enabled/Disabled) = Enabled" and "Outbound status (HSM on/HSM off/HSM error) = HSM off", because when the wstlsd daemon started, or during the last policy installation, the HSM configuration was disabled.
  • Page 106 "HSM enabled (Enabled/Disabled) = Enabled" and "Outbound status description = Outbound HTTPS inspection works without the HSM", because when the wstlsd daemon started, or during the last policy installation, the HSM configuration was disabled.
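The pages above (101 to 106) describe the items that cpstat https_inspection prints, the values each can take, and the stale combination that appears when the HSM configuration changed after wstlsd started or after the last policy installation. The following script, added here as an example and not taken from the guide or from Check Point, parses that output and applies those interpretation rules. The sample output is constructed from the item names and value sets the guide lists, not captured from a gateway; the function names parse_cpstat and hsm_health are our own.

```python
"""Parse `cpstat https_inspection -f all` output and interpret the HSM fields.

Added example; this is not code from the Check Point guide. The sample output
below is constructed from the item names and value sets the guide documents,
not captured from a gateway, and the function names are our own. The
conditions behind the strings are computed when wstlsd starts or when policy
is installed, so "HSM enabled = Enabled" together with "Outbound status =
HSM off" means the running state predates the current hsm_configuration.C.
"""
import re
from typing import Dict, Tuple

# Constructed sample, showing the stale combination the guide warns about.
SAMPLE_CPSTAT = """\
HTTPS inspection status (On/Off):                    On
HTTPS inspection status description:                 HTTPS Inspection is on
HSM enabled (Enabled/Disabled):                      Enabled
HSM enabled description:                             HSM is enabled for HTTPS inspection
HSM partition access (Accessible/Not Accessible):    Accessible
Outbound status (HSM on/HSM off/HSM error):          HSM off
Outbound status description:                         Outbound HTTPS inspection works without the HSM
"""

# "<item> (<allowed values>): <value>"  or  "<item>: <value>"
_LINE = re.compile(r"^(?P<item>.+?)(?:\s*\((?P<allowed>[^)]*)\))?:\s*(?P<value>.*?)\s*$")


def parse_cpstat(text: str) -> Dict[str, str]:
    """Return {item: value}. A value outside the set printed in the item's
    parentheses raises ValueError, so truncated or garbled output is rejected
    before anything is interpreted."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("[Expert@"):      # blank line or the shell prompt
            continue
        m = _LINE.match(line)
        if not m:
            continue
        item, allowed, value = m.group("item"), m.group("allowed"), m.group("value")
        if allowed is not None and value not in [a.strip() for a in allowed.split("/")]:
            raise ValueError(f"{item}: unexpected value {value!r}")
        fields[item] = value
    return fields


def hsm_health(fields: Dict[str, str]) -> Tuple[str, str]:
    """Map the HSM items to a (level, message) pair following the guide's explanations."""
    enabled = fields.get("HSM enabled")
    partition = fields.get("HSM partition access")
    outbound = fields.get("Outbound status")
    if outbound == "HSM error":
        return "critical", "outbound HTTPS Inspection does not work and HTTPS traffic does not pass"
    if enabled == "Enabled" and partition == "Not Accessible":
        return "critical", "Security Gateway cannot access its partition on the HSM Appliance Server"
    if enabled == "Enabled" and outbound == "HSM off":
        return "warning", ("HSM enabled in $FWDIR/conf/hsm_configuration.C but wstlsd still runs "
                           "without the HSM; install policy (or restart wstlsd) to recalculate")
    if enabled == "Enabled" and outbound == "HSM on":
        return "ok", "outbound HTTPS Inspection uses the HSM"
    return "info", "HSM not in use: SSL keys are stored on the Security Gateway"


if __name__ == "__main__":
    parsed = parse_cpstat(SAMPLE_CPSTAT)
    for item, value in parsed.items():
        print(f"{item:50} {value}")
    print(*hsm_health(parsed))
```

In use you would feed the script the real output (for example by piping cpstat https_inspection -f all into it over SSH) rather than the constructed sample; the value-set check is what makes it safe to run from a monitoring job, because a line that does not carry one of the documented values is rejected instead of being silently mapped to "info".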
  • Page 107: Creating An Access Control Policy

    This feature is supported only for Security Gateways R77.20 and above. Once selected, the range of IP addresses behind the internal interface is automatically calculated every second (default value), without the need for the administrator to click Get Interfaces and install a policy.
  • Page 108: Introducing The Unified Access Control Policy

    Allows users in specified networks to use a specified application, but prevents downloading files larger than a specified size. You can use all these objects in one rule: • Security Zones • Services • Applications and URLs
  • Page 109: Creating A Basic Access Control Policy

    Action Track Install On Applications Admin Access to Admins (Access Gateways-group Accept Policy Targets Gateways Role) Stealth Gateways-group Drop Alert Policy Targets Critical subnet Internal Finance Accept CorpGW R&D Tech support TechSupport Remote1-web HTTP Accept Alert Remote1GW
  • Page 110: Use Case - Inline Layer For Each Department

    Rule Base. You can delegate ownership of different Layers to different administrators. No Name Source Destination Services & Content Action Track Applications Critical subnet Internal Finance Accept SMTP Mail NOT internal SMTP Accept network (Group) R&D department R&D Roles TechSupport Layer
  • Page 111 Best Practice - Have an explicit cleanup rule as the last rule in each Inline Layer and Ordered Layer. Another Inline Layer, for the QA department. More general rules for the whole organization. One or more rules.
  • Page 112: Creating Application Control And URL Filtering Rules

    • Action - Select Accept • Track - Select Log • Install On - Keep it as Policy Targets for all gateways, or choose specific Security Gateways on which to install the rule
  • Page 113: Blocking Applications And Informing Users

    Add one or more Time objects to a rule to make it active only during specified times. The example rule below: • Allows access to streaming media during non-peak business hours only. • Limits the upload throughput for streaming media in the company to 1 Gbps.
  • Page 114: Using Identity Awareness Features In Rules

    To do this, add two new rules to the Rule Base: 1. Create a rule and include these components: • Source - The Identified_Users access role
  • Page 115: Blocking Sites

    • Identified_Users - An Access Role that represents all identified users in the organization • FreeMovies - A custom application for a site named FreeMovies. You want to block sites that can cause liability issues for everyone within your organization.
  • Page 116: Blocking URL Categories

    You want to block sites related to pornography. The procedure is similar to Blocking Applications and Informing Users. In the Rule Base, add a rule similar to this: • Source - The Identified_Users access role
  • Page 117: Ordered Layers And Inline Layers

    Simplify the management of the Policy by delegating ownership of different Layers to different administrators. • Improve performance by reducing the number of rules in a Layer. Order of Rule Enforcement in Inline Layers: The Ordered Layer can contain Inline Layers.
  • Page 118: Order Of Rule Enforcement In Ordered Layers

    If the Action of the matching rule is Drop, the gateway stops matching against later rules in the Policy Rule Base and drops the packet. If the Action is Accept, the gateway continues to check rules in the next Ordered Layer. Item Description Ordered Layer 1 Ordered Layer 2
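Pages 117 and 118 state the enforcement order in words: first match wins inside a layer, an Inline Layer takes over from its parent rule, and across Ordered Layers a Drop is final while an Accept only passes the connection on to the next layer. The script below is an added example (not the guide's or Check Point's code) that models exactly those rules so the consequences can be traced: in particular, a parent rule that matches hides every rule below it in its own layer, and a connection accepted by the Network layer can still be dropped by the implicit cleanup rule of the next Ordered Layer. Matching is reduced to source and destination networks, and the whole Rule Base is constructed for the example.

```python
"""Order of rule enforcement across Ordered Layers and Inline Layers.

Added example; this is not code from the Check Point guide. It models only
what the guide states: the first matching rule in a layer decides; a rule
whose Action is an Inline Layer hands matching to that layer's sub-rules,
and to the Inline Layer's implicit cleanup rule if no sub-rule matches; a
Drop in an Ordered Layer stops matching, an Accept continues to the next
Ordered Layer. Matching is reduced to source/destination networks, and the
Rule Base below is constructed for the example.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Union


@dataclass
class Layer:
    name: str
    rules: List["Rule"] = field(default_factory=list)
    # Action when no explicit rule matches; R80.10+ layers default to Drop,
    # and the Layer Editor lets you change it to Accept.
    implicit_cleanup: str = "Drop"


@dataclass
class Rule:
    name: str
    source: str                  # CIDR or "Any"
    destination: str             # CIDR or "Any"
    action: Union[str, Layer]    # "Accept", "Drop", or an Inline Layer


def _contains(net: str, ip: str) -> bool:
    return net == "Any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


def match_layer(layer: Layer, src: str, dst: str):
    """First match wins inside one layer. Returns (action, trail of rules consulted)."""
    for rule in layer.rules:
        if _contains(rule.source, src) and _contains(rule.destination, dst):
            here = f"{layer.name}/{rule.name}"
            if isinstance(rule.action, Layer):
                # Parent rule matched: from here on only its sub-rules are
                # consulted, never the rules below the parent in this layer.
                action, trail = match_layer(rule.action, src, dst)
                return action, [here] + trail
            return rule.action, [here]
    return layer.implicit_cleanup, [f"{layer.name}/<implicit cleanup>"]


def enforce(ordered_layers: List[Layer], src: str, dst: str):
    """Walk the Ordered Layers in order: Drop ends matching, Accept moves on."""
    trail: List[str] = []
    for layer in ordered_layers:
        action, path = match_layer(layer, src, dst)
        trail += path
        if action == "Drop":
            return "Drop", trail
    return "Accept", trail


# Constructed Rule Base, loosely following the guide's department use case.
RND_INLINE = Layer("R&D inline", [
    Rule("R&D to build server", "10.2.0.0/16", "10.9.0.5/32", "Accept"),
    Rule("R&D cleanup", "Any", "Any", "Drop"),      # explicit cleanup, as the guide recommends
])
NETWORK = Layer("Network", [
    Rule("Stealth", "Any", "10.0.0.1/32", "Drop"),   # nobody connects to the gateway itself
    Rule("Critical subnet", "10.1.0.0/16", "10.7.0.0/24", "Accept"),
    Rule("Guest Wi-Fi to DMZ", "192.168.50.0/24", "10.7.0.0/24", "Accept"),
    Rule("R&D department", "10.2.0.0/16", "Any", RND_INLINE),
    Rule("Cleanup", "Any", "Any", "Drop"),
])
APPLICATION = Layer("Application", [
    Rule("Internal users", "10.0.0.0/8", "Any", "Accept"),
])   # implicit cleanup stays Drop, so guests that match nothing here are dropped
POLICY = [NETWORK, APPLICATION]

if __name__ == "__main__":
    for src, dst in [("10.2.1.7", "10.9.0.5"), ("10.2.1.7", "8.8.8.8"),
                     ("10.5.1.1", "10.0.0.1"), ("192.168.50.4", "10.7.0.3")]:
        verdict, trail = enforce(POLICY, src, dst)
        print(f"{src} -> {dst}: {verdict}  via {' > '.join(trail)}")
```

The trail returned with each verdict is the point of the exercise: the guest connection shows an Accept in the Network layer turning into a Drop by the Application layer's implicit cleanup rule, which is why the guide's best practice of an explicit cleanup rule in every layer makes the intended outcome visible in the Rule Base instead of hidden in a layer setting.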
  • Page 119: Creating An Inline Layer

    The name of the Inline Layer shows in the Action cell of the rule. 6. Under the parent rule of the Inline Layer, add sub-rules. 7. Make sure there is an explicit cleanup rule as the last rule of the Inline Layer (on page 122).
  • Page 120: Creating An Ordered Layer

    We recommend the name Application. b) In the Blades section, select Applications & URL Filtering. c) Click OK and the Layer Editor window closes. d) Click OK and the Policy window closes. 6. Publish the session.
  • Page 121: Enabling Access Control Features

    Applications & URL Filtering • Content Awareness • Mobile Access 6. Click OK. To enable the Access Control features on an Inline Layer: 1. In SmartConsole, click Security Policies. 2. Select the Ordered Layer.
  • Page 122: Types Of Rules In The Rule Base

    Drop action), you can change the action of the implicit cleanup rule to Accept in the Layer Editor. For R77.30 or earlier version Security Gateways, the action of the implicit rule depends on the
  • Page 123 It shows only the implied rules, not the explicit rules. Configuring the Implicit Cleanup Rule To configure the Implicit Cleanup Rule: 1. In SmartConsole, click Menu > Manage Policies and Layers. 2. In the left pane, click Layers.
  • Page 124: Administrators For Access Control Layers

    2. Right-click the required policy and click Edit. The policy properties window opens. 3. In the Threat Prevention box, click the + sign. 4. Select the layer you want to include in this policy package.
  • Page 125: Visual Division Of The Rule Base With Sections

    Used in policies - Policy packages that use the Layer • Mode: Ordered - An Ordered Layer. In a Multi-Domain Security Management environment, it includes global rules and a placeholder for local, Domain rules.
  • Page 126: The Columns Of The Access Control Rule Base

    In the Source and Destination columns of the Access Control Policy Rule Base, you can add Network objects including groups of all types. Here are some of the network objects you can include: • Network • Host
  • Page 127: VPN Column

    Mobile Access to the Network: Check Point Mobile Access lets remote users easily and securely use the Internet to connect to internal networks. Remote users start a standard HTTPS request to the Mobile Access Security Gateway, and authenticate with one or more secure authentication methods.
  • Page 128: Services & Applications Column

    Mobile Applications for Mobile Access • Web sites • Default categories of Internet traffic • Custom groups or categories that you create, that are not included in the Check Point Application Database. Service Matching: The Firewall identifies (matches) a service by IP protocol and port number
  • Page 129 2. Configure Match application on 'Any' port when used in 'Block' rule: • Selected - This is the default. If an application is blocked in the Rule Base, the application is matched on 'Any' port.
  • Page 130 If you used a regular expression in the URL, click URLs are defined as Regular Expressions. Note - If the application or site URL is defined as a regular expression you must use the correct syntax. 7. Click OK.
  • Page 131: Content Column

    International Bank Account Numbers - IBAN • Source Code - JAVA • U.S. Social Security Numbers - According to SSA • Salary Survey Terms File type examples: • Viewer File - PDF • Executable file
  • Page 132: Actions Column

    Note - Content Awareness and Data Loss Prevention (DLP) both use Data Types. However, they have different features and capabilities. They work independently, and the Security Gateway enforces them separately. To learn more about DLP, see the R80.20 Data Loss Prevention Administration Guide: https://sc1.checkpoint.com/documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_DataLossPrevention_AdminGuide/html_frameset.htm
  • Page 133 Internet browser add-ons and plug-ins. • Shows a message on the computer when it cannot be shown in the Internet browser. To Learn More About UserCheck: To learn more about UserCheck, see the R80.20 Next Generation Security Gateway Guide: https://sc1.checkpoint.com/documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_NextGenSecurityGateway_Guide/html_frameset.htm
  • Page 134: Tracking Column

    Critical Risk Block Message Block risky executables (2) Block download InternalZone Internet Uncategorized Download Drop of executable Traffic High Risk files from Executable uncategorized File and high risk sites Credit card data (3-4)
  • Page 135: Use Case - Inline Layer For Web Traffic

    Internet Accept None the Internet Allow local Local Branch Internet branch to access Web Access the internet Policy directly Access Noti... once a day per applic... Web Servers Web Servers InternalZone Web Servers protection
  • Page 136: Use Case - Content Awareness Ordered Layer

    This use case shows a Policy that controls the upload and download of data from and to the organization. There is an explanation of some of the rules below the Rule Base. No Name Source Destination Services & Content Action Track Applications Regulatory compliance
  • Page 137 Rule 1 controls executable files, which are File Types. The File Type rule is higher in the Rule Base than rules with Content Types (Rules 2 to 7). This improves the efficiency of the Rule Base, because File Types are matched sooner than Content Types.
  • Page 138: Use Case - Application & URL Filtering Ordered Layer

    Log all applications Internet Allow Rule Explanation: Liability sites - Blocks traffic to sites and applications in the custom Potential_liability group. The Blocked Message UserCheck is shown to users and explains why their traffic is blocked.
  • Page 139: Rule Matching In The Access Control Policy

    142). This is to make the explanations of rule matching clearer. Rule Base Matching - Example 1 For this Rule Base: Source Destination Services & Content Action Applications InternalZone Internet ftp-pasv Download Drop executable file Executable file Accept Gambling (Category) Drop Accept
  • Page 140 Look for the first rule that matches: • Rule 1 - Possible match. • Rule 2 - No match. • Rule 3 - No match. • Rule 4 - Match. HTTP Body Examine the file. Data: PDF file.
  • Page 141 Look for the first rule that matches: • Rule 1 - Possible match. • Rule 2 - No match. • Rule 3 - Match. HTTP Body Examine the file. Content: Executable file.
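Pages 139 to 141 walk through rule matching with three states per rule (Match, No match, Possible match) and show that a rule which depends on the HTTP body cannot be settled until the file has been examined. The script below is an added example, not code from the guide or from Check Point, that implements that procedure: each condition of a rule is compared with the facts seen so far, a condition on data not yet seen makes the rule a possible match, and the decision is held while any higher rule is still possible. The Rule Base and the two requests are constructed for the example and do not reproduce the guide's tables cell for cell.

```python
"""Rule matching with three states: Match, No match, Possible match.

Added example; this is not code from the Check Point guide. It reproduces the
procedure the guide walks through for its matching examples: early in a
connection the gateway knows zones and ports, learns the application or URL
category once it has seen the request, and can settle a rule that matches on
Content (a file type) only after it has examined the HTTP body. While a
higher rule is still only a possible match, the decision waits, and the Rule
Base is evaluated again when more data arrives. The Rule Base and requests
below are constructed for the example.
"""
from typing import Dict, List, Optional, Tuple

MATCH, NO_MATCH, POSSIBLE = "Match", "No match", "Possible match"


class Rule:
    def __init__(self, no: int, action: str, **conditions: str):
        self.no, self.action, self.conditions = no, action, conditions


def evaluate_rule(rule: Rule, known: Dict[str, Optional[str]]) -> str:
    """A condition on data not seen yet (None) makes the rule a possible match;
    a condition contradicted by seen data rules it out for good."""
    state = MATCH
    for key, wanted in rule.conditions.items():
        seen = known.get(key)
        if seen is None:
            state = POSSIBLE
        elif seen != wanted:
            return NO_MATCH
    return state


def decide(rules: List[Rule], known: Dict[str, Optional[str]]) -> Tuple[List[str], str]:
    """Look for the first rule that matches. Returns the per-rule states (in the
    form the guide lists them) and the outcome: the deciding rule and action,
    "pending" while a higher rule could still match, or the implicit cleanup."""
    states, pending = [], False
    for rule in rules:
        state = evaluate_rule(rule, known)
        states.append(f"Rule {rule.no} - {state}")
        if state == POSSIBLE:
            pending = True
        elif state == MATCH:
            if pending:
                return states, "pending"
            return states, f"Rule {rule.no}: {rule.action}"
    return states, "pending" if pending else "implicit cleanup rule"


# Constructed Rule Base for InternalZone -> Internet traffic.
RULES = [
    Rule(1, "Drop", src="InternalZone", dst="Internet", content="Executable file"),
    Rule(2, "Drop", src="InternalZone", dst="Internet", category="Gambling"),
    Rule(3, "Accept", src="InternalZone", dst="Internet", service="http"),
    Rule(4, "Accept", src="InternalZone", dst="Internet"),
]


def walk(request_stages: List[Dict[str, Optional[str]]]) -> List[str]:
    """Feed the facts seen at each stage of one connection and collect the outcomes."""
    return [decide(RULES, known)[1] for known in request_stages]


# Constructed request: HTTP download of a PDF from a news site, seen in three stages.
PDF_DOWNLOAD = [
    {"src": "InternalZone", "dst": "Internet", "service": "http", "category": None, "content": None},   # first packets
    {"src": "InternalZone", "dst": "Internet", "service": "http", "category": "News", "content": None},  # URL seen
    {"src": "InternalZone", "dst": "Internet", "service": "http", "category": "News", "content": "PDF"},  # body examined
]
# Same connection, but the body turns out to be an executable.
EXE_DOWNLOAD = PDF_DOWNLOAD[:2] + [dict(PDF_DOWNLOAD[2], content="Executable file")]

if __name__ == "__main__":
    for name, stages in [("PDF", PDF_DOWNLOAD), ("EXE", EXE_DOWNLOAD)]:
        for known in stages:
            states, outcome = decide(RULES, known)
            print(name, "; ".join(states), "->", outcome)
```

Rule 3 is a full match from the first packet in both requests, yet nothing is decided until the body has been examined, because Rule 1 above it is still possible; that is the behaviour the guide's "Possible match" entries describe, and it is also why a Content rule placed high in the Rule Base delays the verdict for every connection it could apply to.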
  • Page 142: Best Practices For Access Control Rules

    9. Disable a rule when working on it. Enable the rule when you want to use it. Disabled rules do not affect the performance of the Gateway. To disable a rule, right click in the No. column of the rule and select Disable.
  • Page 143: Installing The Access Control Policy

    Security Management Server makes sure that it can install the policy on all cluster members before it begins the installation. If the policy cannot be installed on one of the members, policy installation fails for all of them.
  • Page 144: Analyzing The Rule Base Hit Count

    Keep Hit Count data up to - Select one of the time range options. The default is 3 months. • Data is kept in the Security Management Server database for this period and is shown in the Hits column. 4. Click OK. 5. Install the Policy.
  • Page 145: Configuring The Hit Count Display

    2. Select Hit Count and one of these options (you can repeat this action to configure more options): • Timeframe - Select All, 1 day, 7 days, 1 month, or 3 months • Display - Select Percentage, Value, or Level
  • Page 146: Preventing IP Spoofing

    If an incoming packet to B has a source IP address in network 192.168.33.0, the packet is blocked, because the source address is spoofed. When you configure Anti-Spoofing protection on a Check Point Security Gateway interface, the Anti-Spoofing is done based on the interface topology. The interface topology defines where the interface Leads To (for example, External (Internet) or Internal), and the Security Zone of the interface.
  • Page 147 12. Configure Anti-Spoofing exceptions (optional). For example, configure addresses, from which packets are not inspected by Anti-Spoofing: a) Select Don't check packets from. b) Select an object from the drop-down list, or click New to create a new object.
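Pages 146 and 147 describe Anti-Spoofing as a check of the packet's source address against the topology of the interface it arrived on, plus the "Don't check packets from" exceptions. The following script is an added example, not code from the guide or from Check Point, that implements that check over a constructed topology: an external interface rejects any source that belongs behind an internal interface, an internal interface rejects any source that is not in its own networks, and exception objects are skipped. The interface names, networks and packets are all constructed; the 192.168.33.0/24 network is used so the guide's sentence about a packet "in network 192.168.33.0" arriving on the wrong interface can be traced through the code.

```python
"""Topology-based Anti-Spoofing check.

Added example; this is not code from the Check Point guide. It applies the
rule the guide states: the source address of a packet must belong to the
networks the ingress interface Leads To. On the External interface that
means the source must not be an address from behind any internal interface;
on an internal interface it must be one of that interface's networks.
Sources listed under "Don't check packets from" are exempt. The topology and
packets below are constructed.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed topology: interface -> ("External", []) or ("Internal", [networks behind it]).
TOPOLOGY: Dict[str, Tuple[str, List[str]]] = {
    "eth0": ("External", []),                                 # Leads To: Internet
    "eth1": ("Internal", ["192.168.33.0/24"]),                # Leads To: office LAN
    "eth2": ("Internal", ["10.10.0.0/16", "10.20.0.0/16"]),   # Leads To: DMZ
}


def _nets(cidrs: Iterable[str]):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def internal_networks(topology):
    """Every network that sits behind an internal interface."""
    return [n for kind, cidrs in topology.values() if kind == "Internal" for n in _nets(cidrs)]


def anti_spoofing(topology, ingress: str, src: str, exceptions: Iterable[str] = ()):
    """Return ("accept" | "drop", reason) for a packet with source `src`
    that arrived on interface `ingress`."""
    ip = ipaddress.ip_address(src)
    if any(ip in n for n in _nets(exceptions)):
        return "accept", "source is in a 'Don't check packets from' exception"
    kind, cidrs = topology[ingress]
    if kind == "External":
        behind = next((n for n in internal_networks(topology) if ip in n), None)
        if behind is not None:
            return "drop", f"spoofed: internal address {ip} ({behind}) arrived on external interface {ingress}"
        return "accept", "external source on the external interface"
    if any(ip in n for n in _nets(cidrs)):
        return "accept", f"source is behind {ingress}"
    return "drop", f"spoofed: {ip} is not behind {ingress}"


if __name__ == "__main__":
    # Constructed packets: (ingress interface, source address)
    for iface, src in [("eth0", "203.0.113.9"), ("eth0", "192.168.33.7"),
                       ("eth1", "192.168.33.7"), ("eth2", "192.168.33.7")]:
        print(iface, src, *anti_spoofing(TOPOLOGY, iface, src))
```

The script also shows why the topology must be complete: a network that is reachable through an internal interface but missing from its Leads To list is dropped as spoofed, which is the usual cause of legitimate traffic being blocked after an Anti-Spoofing change and the reason the guide has you click Get Interfaces and install policy after editing the topology.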
  • Page 148: Anti-Spoofing Options

    A Security Gateway can use these procedures to translate IP addresses in your network: • Static NAT - Each internal IP address is translated to a different public IP address. The Firewall can allow external traffic to access internal resources.
  • Page 149: To Learn More About NAT

    1. In SmartConsole, click Gateways & Servers and double-click the Security Gateway. The Gateway Properties window opens. 2. From the navigation tree, click UserCheck. The UserCheck page opens. 3. Make sure Enable UserCheck for active blades is selected.
  • Page 150 By default, the portal uses a certificate from the Check Point Internal Certificate Authority (ICA). This might generate warnings if the user browser does not recognize Check Point as a trusted Certificate Authority. To prevent these warnings, import your own certificate from a recognized external authority.
  • Page 151: Blocking Applications And Informing Users

    Any, also blocks traffic to and from the Captive Portal. UserCheck for Access Control Default Messages These are the default UserCheck messages in the Access Tools > UserCheck page of the Access Control Policy: Name Action Type Description Access Approval Inform
  • Page 152: Creating A UserCheck Interaction Object

    Use the Insert field variables. These include fields for Content Awareness (on page 153). 7. In the Settings tab, configure optional settings. For example: • Fallback Action - For a Block action type, when the UserCheck notification cannot be displayed, this action is taken.
  • Page 153: Example Usercheck Message Using Field Variables

    1. Select the Action cell of a rule in the Access Control Policy, and click More. 2. In the Action Settings window, select the UserCheck Frequency. The options are: • Once a day • Once a week
  • Page 154: Usercheck Settings

    The website or application is blocked, even if the user does not see the notification. • Redirect the user to External Portal - Select this to redirect users to an external portal, not on the gateway.
  • Page 155: UserCheck CLI

    - user hits database options. Examples: • To show all UserCheck interaction objects, run: usrchk hits list all • To clear the incidents for a specified user, run: usrchk hits clear user <username>
  • Page 156: Revoking Incidents

    SmartConsole Logs & Monitor view Logs tab will show the user's activity, and that the actions were revoked afterwards. Administrators can use the usrchk command of the CLI to revoke incidents for one user, all users, or a specified interaction object (on page 155).
  • Page 157: UserCheck Client

    4. Install the UserCheck client on the endpoint computers. 5. Make sure that the UserCheck clients can connect to the gateway and receive notifications. UserCheck Requirements: for the UserCheck Client Requirements, see the R80.30 Release Notes at http://downloads.checkpoint.com/dc/download.htm?ID=65044
  • Page 158 Option Comparison (columns: Option; Level; Requires Manual User Trust (one time); Multi-Site; Client Remains Signed?; Still works after Gateway Changes; Recommended for...). Row "File name based": Level - Very Simple; Recommended for - Single Security Gateway deployments.
  • Page 159 2. Rename the MSI using this syntax: UserCheck_~GWname.msi, where GWname is the DNS name of the gateway. Optional: Use UserCheck_~GWname-port.msi, where port is the port number of notifications. For example, UserCheck_~mygw-18300.msi.
  • Page 160 The identity of the AD Server for the UserCheck client is written in the Active Directory and given to all clients. Note - The entire configuration is written under a hive named Check Point under the Program Data branch in the AD database that is added in the first run of the tool. Adding this hive does not affect other AD based applications or features.
  • Page 161 1. Go to Start > All Programs > Administrative Tools > DNS. 2. Go to Forward lookup zones and select the applicable domain. 3. Go to the _tcp subdomain. 4. Right click and select Other new record.
  • Page 162 2. Connect manually to all of the servers that are configured, verify their fingerprints, and click Trust on the fingerprint verification dialog box. 3. Configure the client to manually connect to the requested servers (use the Settings window).
  • Page 163 The first time that the client connects to the gateway, it asks for verification from the user and approval of the fingerprint.
  • Page 164 Email notifications are sent for SMTP incidents and the Portal is used for HTTP incidents. UserCheck and Check Point Password Authentication You can see and edit Check Point users from Users and Administrators in the navigation tree. To enable Check Point password authentication: SmartConsole Configuration 1.
  • Page 165: Blade Settings

    To activate the Inspection Settings, install the Access Control Policy. Note - In a pre-R80 SmartConsole, Inspection Settings are configured as IPS Protections. Configuring Inspection Settings To configure Inspection Settings: 1. In SmartConsole, go to the Manage & Settings > Blades view.
  • Page 166 3. If you edited the profile attributes, click OK to save the changes. To add a new Inspection Settings profile: 1. In the Profiles view, click New. 2. In the New Profile window that opens, edit the profile attributes: 3. Click OK.
  • Page 167 Service - select Port/Range, TCP or UDP, and enter a destination port number or a range of port numbers • Install On - select a gateway on which to install the exception 3. Click OK. To enforce the changes, install the Access Control Policy.
  • Page 168: Creating A Threat Prevention Policy

    Threat Emulation - This innovative solution quickly inspects files and runs them in a virtual sandbox to discover malicious behavior. Discovered malware is prevented from entering the network. The ThreatCloud Emulation service reports to the ThreatCloud and automatically shares the newly identified threat information with other Check Point customers. •...
  • Page 169: IPS

    It gives another layer of security on top of Check Point firewall technology. IPS protects both clients and servers, and lets you control the network usage of certain applications. The hybrid IPS detection engine provides multiple defense layers, which gives it excellent detection and prevention capabilities for known threats and, in many cases, future attacks as well.
  • Page 170: Anti-Bot

    Identifying Bot Infected Computers The Anti-Bot Software Blade uses these procedures to identify bot infected computers: • Identify the C&C addresses used by criminals to control bots
  • Page 171: Anti-Virus

    The Anti-Virus Software Blade scans incoming and outgoing files to detect and prevent these threats, and provides pre-infection protection from malware contained in these files. The Anti-Virus blade is also supported by the Threat Prevention API.
  • Page 172: Sandblast

    • After the threat is caught, a signature is created for the new (previously unknown) malware which turns it into a known and documented malware. The new attack information is
  • Page 173 Creating a Threat Prevention Policy automatically shared with Check Point ThreatCloud to block future occurrences of similar threats at the gateway. If the file is found not to be malicious, you can download the file after the emulation is complete.
  • Page 174: Assigning Administrators For Threat Prevention

    You can create rich and customizable views and reports for log and event monitoring, which inform key stakeholders about security activities. For each log or event, you can see a lot of useful information from the ThreatWiki and IPS Advisories about the malware, the virus or the attack.
  • Page 175: Out-Of-The-Box Protection From Threats

    2. In the General Properties > Network Security tab, click IPS. 3. Follow the steps in the wizard that opens. 4. Click OK. 5. Click OK in the General Properties window. 6. Install Policy (on page 178).
  • Page 176 The Threat Emulation First Time Configuration Wizard opens and shows the Emulation Location page. 3. Select the Emulation Location. 4. Click Next. The Summary page opens. 5. Click Finish to enable Threat Emulation and close the First Time Configuration Wizard. 6. Click OK.
  • Page 177 7. Install Policy (on page 178). Using Cloud Emulation Files are sent to the Check Point ThreatCloud over a secure SSL connection for emulation. The emulation in the ThreatCloud is identical to emulation in the internal network, but it uses only a small amount of CPU, RAM, and disk space of the Security Gateway.
  • Page 178: Installing The Threat Prevention Policy

    Gateways, the policy is not installed on other targets of the same version. 4. Click OK. Introducing Profiles Check Point Threat Prevention provides instant protection based on pre-defined Threat Prevention Profiles. You can also configure a custom Threat Prevention profile to give the exact level of protection that the organization needs.
  • Page 179: Optimized Protection Profile Settings

    Performance impact: Medium or lower - Do not have a critical effect on performance; activate protections that have a Medium or lower effect on performance. Severity: Medium or above - Protect against important threats; protect against threats with a severity of Medium or above.
  • Page 180: Predefined Rule

    Software Blades in your environment and create an effective Rule Base. You can also directly update the Rule Base from this page. You can add more exceptions that prevent or detect specified protections or have different tracking settings.
  • Page 181: The Threat Prevention Policy

    MTA rule, which is created when MTA is enabled on the gateway. Action Enforcement in Multiple-Layered Security Policies These examples show which action the gateway enforces when a connection matches rules in more than one Ordered Layer.
  • Page 182 The strictest action is enforced: Block combined with the minimum nesting level/scanning time, or Allow combined with the maximum nesting level/scanning time. If both Block and Allow are matched, the enforced action is Block.
  • Page 183: Threat Prevention Rule Base

    There are no implied rules in this Rule Base; traffic is allowed or not allowed based on how you configure the Rule Base. For example, a rule that is set to the Prevent action blocks activity and communication for that malware.
  • Page 184: Creating Threat Prevention Rules

    Activate the applicable Client and Server protections. c) Configure the IPS protection categories to exclude from this profile. Note - These categories are different from the protections in the Additional Activation page. 9. Click OK. 10. Install Policy.
  • Page 185: Blocking Viruses

    • Active - According to profile settings - Selected by default. Protections are activated according to the settings in the General page of the Profile. This is the Check Point recommended configuration. Set activation as staging mode - Newly updated protections remain in staging mode until you change their configuration.
  • Page 186: Configuring Anti-Bot Settings

    • Track - The type of log you want to get when the gateway detects malware on this scope. • Install On - Keep it as Policy Targets or select Gateways to install the rule on. 4. Install the Threat Prevention policy (on page 178).
  • Page 187 4. Install the Threat Prevention policy (on page 178). Disabling a Protection on One Server Scenario: The protection Backdoor.Win32.Agent.AH blocks malware on Windows servers. How can I change this protection to detect for one server only?
  • Page 188: Configuring Threat Emulation Settings

    Do this procedure for each interface that goes to the DMZ. If there is a conflict between the Threat Emulation settings in the profile and for the Security Gateway, the profile settings are used.
  • Page 189 These are the options to select the emulation images: • To use the emulation environments recommended by Check Point security analysts, click Use Check Point recommended emulation environments • To select other images for emulation, that are closest to the operating systems for the computers in your organization, click Use the following emulation environments
  • Page 190 The Gateway Properties window opens. 2. From the Network Security tab, select SandBlast Threat Emulation. The Threat Emulation First Time Configuration Wizard opens and shows the Emulation Location page. 3. Select Locally on a Threat Prevention device.
  • Page 191: Configuring Threat Extraction Settings

    4. Configure these Threat Extraction Settings: • General • Advanced. 5. Click OK. Note - You can configure some of the Threat Extraction features in a configuration file, in addition to the CLI and GUI. See sk114613 http://supportcontent.checkpoint.com/solutions?id=sk114613.
  • Page 192: Configuring A Malware DNS Trap

    6. Enter the IP address for the DNS trap. 7. Optional: Add Internal DNS Servers to identify the origin of malicious DNS requests. 8. Click OK and close the Threat Prevention profile window. 9. Install the Threat Prevention policy.
  • Page 193: Exception Rules

    OK. 5. Install Policy. Note - You cannot set an exception rule to an inactive protection or an inactive blade. Blade Exceptions You can also configure an exception for an entire blade.
  • Page 194 3. Select the Above, Below, or Bottom option according to where you want to place the exception. 4. In the Protection/Site column, select Blades from the drop-down menu. 5. Select the blade you want to exclude. 6. Install Policy. Next Generation Security Gateway Guide R80.20...
  • Page 195: The Check Point Threatcloud

    Updating Threat Emulation ................Check Point ThreatCloud is a dynamically updated service that is based on an innovative global network of threat sensors and organizations that share threat data and collaborate to fight against modern malware. Customers can send their own threat data to the ThreatCloud and benefit from increased security and protection and enriched threat intelligence.
  • Page 196: Updating Ips Protections

    Creating a Threat Prevention Policy This is an example of an event that was detected by a Check Point Security Gateway. It includes the event ID, URL, and external IP addresses. Note that the data does not contain confidential data or internal resource information.
  • Page 197: Threat Prevention Scheduled Updates

    7. Click OK and then install the Threat Prevention policy. To Learn More About Threat Prevention: To learn more about configuring a Threat Prevention Policy, see the R80.20 Threat Prevention Administration Guide https://sc1.checkpoint.com/documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_ThreatPrevention_AdminGuide/html_frameset.htm.
  • Page 198: Creating Shared Policies

    HTTPS Inspection is enabled on one or more Gateways. Inspection Settings: You can configure Inspection Settings (on page 165) for the Firewall: • Deep packet inspection settings • Protocol parsing inspection settings • VoIP packet inspection settings
  • Page 199: Configuring HTTPS Inspection

    The packets are encrypted again and sent to the destination. Figure: HTTPS inspection flow. The Firewall validates the server certificate, then checks whether the HTTPS request matches a rule; if it does, the Firewall inspects the request, otherwise the connection is not inspected.
  • Page 200: Configuring Gateways To Inspect Outbound And Inbound HTTPS

    • Outbound Inspection - Generate a new certificate for the Security Gateway. • Inbound Inspection - Import the certificate for the internal server. 3. Configure the HTTPS Inspection Rule Base. 4. Install the Access Control Policy.
  • Page 201 Importing an Outbound CA Certificate: You can import a CA certificate that is already deployed in your organization or import a CA certificate created on one Security Management Server to use on another Security Management Server.
  • Page 202 ... CA certificate used by HTTPS Inspection as a trusted CA. You can distribute the CA with different distribution mechanisms such as Windows GPO. This adds the generated CA to the trusted root certificates repository on client computers.
  • Page 203 2. Click HTTPS Inspection > Step 3. 3. Select Enable HTTPS Inspection. 4. Import server certificates for servers behind the organization Security Gateways (on page 204). 5. Define an HTTPS Inspection policy: • Create rules ...
  • Page 204 The HTTPS Inspection rules are applied to all the Software Blades that have HTTPS Inspection enabled. These are the Software Blades that support HTTPS Inspection: • Access Control: Application Control, URL Filtering, Content Awareness • Threat Prevention: ...
  • Page 205 The inbound rules use a different certificate for each internal server. You can also create bypass rules for traffic that is sensitive and is not inspected. Make sure that the bypass rules are at the top of the HTTPS Inspection Rule Base.
  • Page 206 Check Point dynamically updates a list of approved domain names of services from which content is always allowed. This option makes sure that Check Point updates or other 3rd party software updates are not blocked. For example, updates from Microsoft, Java, and Adobe.
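Pages 205 and 206 state two ordering facts: bypass rules for sensitive traffic must sit at the top of the HTTPS Inspection Rule Base, and a Check Point-maintained list of update domains is always allowed. The following Python script is an added example (not code from the guide or from Check Point) that evaluates a constructed rule base with first-match semantics and flags bypass rules that an earlier Inspect rule shadows. The rule names, the categories "Financial Services" and "Health", the hosts and the ALWAYS_ALLOWED list are constructed stand-ins; the verdict for a connection that matches no rule is modelled as "not inspected", which is an assumption you should check against your own rule base.

```python
"""HTTPS Inspection rule order check. Added example; not Check Point code.

Pages 205 and 206 say bypass rules for sensitive traffic belong at the top of
the HTTPS Inspection Rule Base, and that a Check Point-maintained list of
update domains is always allowed. This script evaluates a constructed rule base
with first-match semantics and flags bypass rules that an earlier Inspect rule
shadows. The categories, domains and rules are constructed sample data; the
always-allowed list is a stand-in for the real, dynamically updated one.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    categories: frozenset   # destination categories; empty means Any
    action: str             # "inspect" or "bypass"

    def matches(self, category):
        return not self.categories or category in self.categories


# Stand-in for the dynamically updated list of always-allowed update domains (assumption).
ALWAYS_ALLOWED = {"update.microsoft.com", "download.checkpoint.com"}


def decide(rules, host, category):
    """Return (action, reason) for one HTTPS connection. First matching rule wins."""
    if host in ALWAYS_ALLOWED:
        return "bypass", "always-allowed updates list"
    for rule in rules:
        if rule.matches(category):
            return rule.action, rule.name
    return "bypass", "no rule matched"   # modelled as not inspected (assumption)


def shadowed_bypass_rules(rules):
    """Bypass rules that can never match because an earlier Inspect rule already covers them."""
    findings = []
    for i, rule in enumerate(rules):
        if rule.action != "bypass":
            continue
        for earlier in rules[:i]:
            if earlier.action != "inspect":
                continue
            covers_all = not earlier.categories
            covers_rule = bool(rule.categories) and rule.categories <= earlier.categories
            if covers_all or covers_rule:
                findings.append((rule.name, earlier.name))
                break
    return findings


INSPECT_ALL = Rule("inspect-all", frozenset(), "inspect")
BYPASS_SENSITIVE = Rule("bypass-sensitive", frozenset({"Financial Services", "Health"}), "bypass")

WRONG_ORDER = [INSPECT_ALL, BYPASS_SENSITIVE]   # bypass rule sits below the catch-all
RIGHT_ORDER = [BYPASS_SENSITIVE, INSPECT_ALL]   # bypass rule at the top, as the guide says


if __name__ == "__main__":
    print(decide(WRONG_ORDER, "bank.example.com", "Financial Services"))
    print(decide(RIGHT_ORDER, "bank.example.com", "Financial Services"))
    print(shadowed_bypass_rules(WRONG_ORDER))
```

With the bypass rule below the catch-all, banking traffic is decrypted even though a bypass rule exists; the shadow check reports that pair so the misorder is caught before policy installation rather than in the HTTPS Inspection logs.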
  • Page 207 To learn more about these options, see the Help. Click ? in the HTTPS Validation page. Showing HTTPS Inspection Logs: The predefined log query for HTTPS Inspection shows all HTTPS traffic that matched the HTTPS Inspection policy, and was configured to be logged.
  • Page 208: Configuring The Geo Policy

    ... IP addresses to countries. You can configure different Geo policies that block or allow traffic for different countries. Private IP addresses are allowed unless the connection is explicitly blocked. Check Point control connections (such as between Security Gateways and the Security Management Server) are always allowed, regardless of the Geo Policy.
  • Page 209 2. From the Edited Policy drop-down list, select a policy. The rules of the selected Geo Policy show. 3. Make changes to the policy. 4. Publish the changes and install the Access Control Policy.
  • Page 210: Adding Users To The Policy

    Identity Awareness uses this information to apply access permissions to the connection. • Identity Collector - Identity Collector is a Windows-based application which collects information about identities and their associated IP addresses and sends it to Check Point firewalls for identity enforcement. Identity Collector supports these sources: ...
  • Page 211: Enabling Identity Awareness

    Using the Identity Awareness Configuration Wizard: Use the Identity Awareness Configuration wizard to configure how the Security Gateway gets information about users and computers. The wizard automatically creates an Account Unit (on page 217).
  • Page 212: Creating Access Roles

    4. Click OK. 5. Install the policy. Creating Access Roles: After you enable Identity Awareness, you create Access Role objects. You can use Access Role objects as the source and/or destination parameter in a rule. Access Role ...
  • Page 213: Using Identity Awareness In The Access Control Policy

    You can also configure the Accept action to redirect traffic from an unidentified user to a Captive Portal. Sample gateway workflow with Identity Awareness: The gateway inspects traffic that starts from a source that matches the Access Role object and tries to identify the user.
  • Page 214: Redirecting To A Captive Portal

    This table shows sample Identity Awareness rules for a Firewall Rule Base. (The VPN, Track and Time columns are not shown. Track is set to Log, and VPN and Time are set to Any.)
  • Page 215 4. Internet access - Allows HTTP and HTTPS traffic from the Guests and All_Domain_Users Access Role objects to the Internet. Domain users are identified by Identity Awareness or they authenticate to the Captive Portal. Guests authenticate to the Captive Portal.
  • Page 216: Using User Directory

    • Security Gateway - Queries LDAP user information, retrieves CRLs, and does bind operations for authentication. • Security Management Server - Uses User Directory to manage user information. • LDAP server - Server that holds one or more Account Units.
  • Page 217: Account Units

    • Objects Management (on page 219) - Configure the LDAP server for the Security Management Server to query and the branches to use. • Authentication (on page 219) - Configure the authentication scheme for the Account Unit. 3. Click OK. 4. Install the Access Control Policy.
  • Page 218 The New Host window opens. Enter the settings for the LDAP server. c) Click OK. 3. Enter the login credentials and the Default priority. 4. Select access permissions for the Check Point Gateways: • Read data from this server ...
  • Page 219 (only one query is necessary for the group objects) • Allowed authentication schemes - Select one or more authentication schemes allowed to authenticate users in this Account Unit: Check Point Password, SecurID, RADIUS, OS Password, or TACACS. • Users' default values - The default settings for new LDAP users: ...
  • Page 220: Enabling User Directory

    To manage LDAP information from SmartDashboard: 1. In SmartConsole, go to Manage & Settings > Blades. 2. Click Configure in SmartDashboard. SmartDashboard opens. 3. From the object tree, select Servers and OPSEC. 4. Double-click the Account Unit.
  • Page 221: To Learn More About Adding Users To The Policy

    To learn more about adding users to the Policy, see these guides: • R80.20 Identity Awareness Administration Guide https://sc1.checkpoint.com/documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_IdentityAwareness_AdminGuide/html_frameset.htm • R80.20 Security Management Administration Guide https://sc1.checkpoint.com/documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_SecurityManagement_AdminGuide/html_frameset.htm (search for Managing User Accounts)
  • Page 222: Logging And Monitoring

    CHAPTER 16 Logging and Monitoring. In This Section: Log Analysis; Views and Reports; To Learn More About Logging and Monitoring.
  • Page 223: Log Analysis

    Make sure that in the Type column, Send Logs and Alerts is selected. 4. Optional - In the In case one of the above log servers is unreachable, send logs to field, add backup servers. To complete the configuration: 1. Click Publish.
  • Page 224 2. Install the Access Control Policy.
  • Page 225: Enabling Log Indexing

    The General Properties window opens. 3. In the Management tab, select Logging & Status. 4. From the navigation tree, click Logs. 5. Select Enable Log Indexing. 6. Click OK. 7. Click Publish. 8. From Menu, select Install Database.
  • Page 226: Sample Log Analysis

    3. In the Security Policies > Access Control > Policy view, select a rule with the Drop action. 4. In the bottom pane, click Logs. This shows the logs for connections that were dropped by the specific rule. 5. Double-click a log. The Log Details window opens.
  • Page 227: Tracking Options

    ... Upload bytes, Download bytes, and browse time. Note - When upgrading from R77.xx or from R80 versions to R80.20, there are changes to the behavior of the options in the Track column. To learn more, see sk116580 http://supportcontent.checkpoint.com/solutions?id=sk116580.
  • Page 228 Logging and Monitoring
  • Page 229: Log Sessions

    By default, after a session continues for three hours, the Security Gateway starts a new session log. You can change this in SmartConsole from the Manage & Settings view, in Blades > Application & URL Filtering > Advanced Settings > General > Connection unification.
  • Page 230: Views And Reports

    SmartConsole > Logs & Monitor • SmartView Web Application - for generating and editing views in a browser: https://<Server IP>/smartview/ where <Server IP> is the IP address of the Security Management Server or SmartEvent server.
  • Page 231: Enabling Views And Reports

    The Thumbnails view is the default for the Favorites, Recent and Logs views and reports. Scheduled Tasks - See and edit scheduled tasks. Archive - Completed and in-progress tasks for generating and exporting views, reports, logs and templates.
  • Page 232: Views

    A report has multiple pages, and applies to the time that the report is generated. There are several predefined reports, and you can create new reports. A report gives more details than a view. Reports can be customized, filtered, generated and scheduled. You cannot drill down into a report.
  • Page 233 You can customize and generate a report, and specify the report time period, the same way you did for views. In the query search bar, you can define custom queries using the GUI tools or manually enter a query.
  • Page 234: Automatic View And Report Updates

    SmartEvent automatically downloads new predefined views and reports, and downloads updates to existing predefined ones. To allow this, make sure the management server has internet connectivity to the Check Point Support Center.
  • Page 235: Opening A View Or Report

    Alternatively, click Open and from inside the view or report click Options > Export to PDF or Export to Excel. To see your exported views and reports: 1. Add a new tab. Click +. 2. Go to Tasks > Archive.
  • Page 236: Scheduling A View Or Report

    2. Click the + tab to open a new tab. 3. Select Tasks > Scheduled. To Learn More About Logging and Monitoring: To learn more about logging and monitoring, see the R80.20 Logging and Monitoring Administration Guide https://sc1.checkpoint.com/documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_LoggingAndMonitoring_AdminGuide/html_frameset.htm
  • Page 237 Logging and Monitoring
  • Page 238: Maximizing Network Performance And Redundancy

    ... ClusterXL • VRRP Cluster. These are software based features that are included in the Check Point operating systems. It is not necessary to purchase additional hardware to use them. CoreXL: In a Security Gateway with CoreXL enabled, the Firewall kernel is replicated multiple times. Each replicated instance runs on one processing core.
  • Page 239: Configuring CoreXL

    Medium path - Packets that require deeper inspection. It is not necessary for the Firewall to inspect these packets; they can be offloaded and do not use the slow path. For example, packets that are inspected by IPS cannot use the accelerated path and can be offloaded to the ...
  • Page 240 A new connection that matches the other 4 tuples is processed on the accelerated path because it matches the template. The Firewall does not inspect the new connection and the Firewall connection rates are increased.
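The template mechanism on page 240, simulated as an added Python example (not code from the guide or from SecureXL itself): the first connection that matches a rule goes through the Firewall rule base (slow path) and leaves a template keyed on source IP, destination IP, protocol and destination port; later new connections that differ only in source port match the template and are accepted on the accelerated path without a rule base lookup. The two-rule rule base, the hosts and the connections are constructed, and the model only covers accept templates.

```python
"""SecureXL accept templates, simulated. Added example; not Check Point code.

Illustrates the mechanism on page 240: the first connection that matches a
rule is handled by the Firewall (slow path) and leaves behind a template keyed
on everything except the source port; later new connections that match the
template are accepted on the accelerated path without consulting the rule
base. The rule base, hosts and packets are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class NewConnection:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

    def template_key(self):
        # The "other 4 tuples": source IP, destination IP, protocol, destination port.
        return (self.src, self.dst, self.proto, self.dport)


# Constructed rule base: (name, source net, destination net, proto, dport, action).
RULES = [
    ("allow_web", "10.10.2.0/24", "0.0.0.0/0", "tcp", 443, "accept"),
    ("cleanup", "0.0.0.0/0", "0.0.0.0/0", None, None, "drop"),
]


def match_rulebase(conn):
    """Slow-path rule match: first rule whose fields cover the connection wins."""
    for name, src_net, dst_net, proto, dport, action in RULES:
        if (ipaddress.ip_address(conn.src) in ipaddress.ip_network(src_net)
                and ipaddress.ip_address(conn.dst) in ipaddress.ip_network(dst_net)
                and proto in (None, conn.proto)
                and dport in (None, conn.dport)):
            return name, action
    raise RuntimeError("rule base has no cleanup rule")


@dataclass
class Gateway:
    templates: dict = field(default_factory=dict)   # template key -> rule that created it
    stats: dict = field(default_factory=lambda: {"slow": 0, "accelerated": 0})

    def new_connection(self, conn):
        """Return (rule, path, verdict) for the first packet of a new connection."""
        key = conn.template_key()
        if key in self.templates:
            # Template hit: SecureXL accepts it, the Firewall is not consulted.
            self.stats["accelerated"] += 1
            return self.templates[key], "accelerated", "accept"
        rule, action = match_rulebase(conn)
        self.stats["slow"] += 1
        if action == "accept":
            # Only accepted connections leave an accept template behind.
            self.templates[key] = rule
        return rule, "slow", action


def run_scenario():
    gw = Gateway()
    results = []
    # Three connections from one client to the same server port, different source ports.
    for sport in (50000, 50001, 50002):
        results.append(gw.new_connection(NewConnection("10.10.2.7", "203.0.113.10", "tcp", sport, 443)))
    # A different source IP changes the template key: one more slow-path match.
    results.append(gw.new_connection(NewConnection("10.10.2.8", "203.0.113.10", "tcp", 50000, 443)))
    # A dropped connection creates no template, so a retry is matched again.
    results.append(gw.new_connection(NewConnection("192.168.9.9", "203.0.113.10", "tcp", 50000, 22)))
    results.append(gw.new_connection(NewConnection("192.168.9.9", "203.0.113.10", "tcp", 50001, 22)))
    return results, gw.stats


if __name__ == "__main__":
    for row in run_scenario()[0]:
        print(row)
```

On a real gateway, `fwaccel stat` reports whether accept templates are enabled and, when a rule uses a feature that is not templatable, from which rule number templates are disabled; rules below that point behave like the slow-path cases in the simulation.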
  • Page 241: Configuring SecureXL

    ... Security Gateway. No additional configuration is required. Starting from R80.20, you can disable SecureXL only temporarily. SecureXL starts automatically when you start Check Point services (with the cpstart (on page 347) command), or reboot the Security Gateway. Important: ...
  • Page 242: To Learn More About SecureXL

    Sample Multi-Queue Configuration: This sample configuration shows how CoreXL, SecureXL and Multi-Queue can help to use more CPU cores for SNDs to accelerate network traffic. There is a Security Gateway with two six core ...
  • Page 243: ClusterXL

    The Security Gateway between the organization and the world must remain open under all circumstances. ClusterXL Solution: ClusterXL is a Check Point software-based cluster solution for Security Gateway redundancy and Load Sharing. A ClusterXL Security Cluster contains identical Check Point Security Gateways. ...
  • Page 244: IPv6 Support For ClusterXL

    R80.20 ClusterXL supports High Availability clusters for IPv6. IPv6 status information is synchronized and the IPv6 clustering mechanism is activated during failover. However, IPv6 is not supported for Load Sharing clusters. Also, you cannot define IPv6 addresses for synchronization interfaces.
  • Page 245: High Availability And Load Sharing In ClusterXL

    Upon Security Gateway recovery, you can maintain the current Active Security Gateway (Active Up), or change to the highest priority Security Gateway (Primary Up). ClusterXL High Availability mode supports both IPv4 and IPv6.
  • Page 246 For instructions, see sk162637 https://supportcontent.checkpoint.com/solutions?id=sk162637. • To upgrade a ClusterXL that works in a Load Sharing mode from a lower version to R80.20, follow these steps in the same maintenance window: a) Upgrade the ClusterXL to R80.20. b) Install the required R80.20 Jumbo Hotfix Accumulator. For instructions, see sk162637 https://supportcontent.checkpoint.com/solutions?id=sk162637.
  • Page 247 All cluster member interfaces facing the same direction must be in the same network. For example, there must not be a router between cluster members. The Security Management Server can be located anywhere, and should be routable to either the internal or external cluster addresses.
  • Page 248 ... 192.168.10.100, and the internal IP address is 10.10.0.100. Defining the Synchronization Network: The previous illustration shows a synchronization interface with a unique IP address on each Cluster Member - IP 10.0.10.1 on Member_A and IP 10.0.10.2 on Member_B.
  • Page 249 Repeats the Load Sharing upgrade warning shown on page 246 (sk162637).
  • Page 250 Repeats the Load Sharing upgrade warning shown on page 246 (sk162637).
  • Page 251 For example, the fwd process failed, or the Security Policy is uninstalled on a Cluster Member. • Cluster Members do not receive Cluster Control Protocol (CCP) packets from their peer Cluster Member. For more on failovers, see sk62570 http://supportcontent.checkpoint.com/solutions?id=sk62570.
  • Page 252 Maximizing Network Performance and Redundancy
  • Page 253: Configuring ClusterXL

    Repeats the Load Sharing upgrade warning shown on page 246 (sk162637).
  • Page 254 1. Computers on the internal network 10.10.2.0/24 should be configured with Default Gateway IP 10.10.2.100. 2. Computers on the external network 192.168.2.0/24 should be configured with Default Gateway IP 192.168.2.100. 3. For Proxy ARP configuration, see sk30197 http://supportcontent.checkpoint.com/solutions?id=sk30197. 4. Also see Configuring Cluster Addresses on Different Subnets.
  • Page 255 Configuring the CCP Transport Mode on the Cluster Members: From R80.20, the Cluster Control Protocol (CCP) has four modes. • Automatic - The CCP mode changes automatically between Multicast, Broadcast, and Unicast to find the optimized CCP mode according to network state. ...
  • Page 256 Configuring the Cluster Object and Members: The Check Point Appliance or Open Server Wizard is recommended for enterprise grade appliances and open server platforms. To create a new cluster with the Appliance or Open Server Wizard: 1. In SmartConsole, right-click Check Point in the Network Objects tree.
  • Page 257: VRRP Cluster

    ... VRRP master for all VRIDs. This means that you must configure each VRID to monitor every other VRRP-enabled interface. You must also configure priority deltas to allow failover to the backup node when the VRID on any interface does a failover.
  • Page 258: How VRRP Failover Works

    This is a simple VRRP use case, where Security Gateway 1 is the VRRP Master, and Security Gateway 2 is the VRRP Backup. Virtual Router redundancy is available only for connections to and from the internal network. There is no redundancy for external network traffic.
  • Page 259 Figure legend: VRRP Master Security Gateway; VRRP Backup Security Gateway; Virtual Router VRID 5 - Virtual IP Address (Backup Address) is 192.168.2.5; Internal Network and hosts.
  • Page 260: Preparing A VRRP Cluster

    This lets you use host names as an alternative to IP addresses or DNS servers. Configuring Network Switches: Best Practice - If you use the Spanning Tree protocol on Cisco switches connected to Check Point VRRP clusters, we recommend that you enable PortFast. PortFast sets interfaces to the Spanning Tree forwarding state, which prevents them from waiting for the standard forward-time interval.
  • Page 261 This section shows you how to configure the global settings. Global settings apply to all Virtual Routers. Configure these VRRP global settings: • In the navigation tree, click one of these: High Availability > VRRP, or High Availability > Advanced VRRP. ...
  • Page 262: Configuring Monitored Circuit/Simplified VRRP - Gaia Portal

    This section includes the basic procedure for configuring a Virtual Router using the Gaia Portal. To add a new Virtual Router: • In the navigation tree, click High Availability > VRRP. • Configure the VRRP Global Settings (on page 261). • In the Virtual Routers section, click Add. ...
  • Page 263 ... VRRP Master, if all cluster members have a Priority of zero. When this option is enabled, Priority Delta should be set equal to the Priority value, so that Priority will become zero if an interface goes down.
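The requirement stated on pages 257 and 263 (every VRID monitors every other VRRP interface, with a Priority Delta equal to the Priority so that a single interface failure drops the effective priority to zero), worked through as an added Python simulation that is not code from the guide or from Gaia. The gateway names gw1/gw2, interfaces eth0/eth1, VRIDs 5 and 6 and priorities 100/90 are constructed; the election ignores the VRRP tie-break by IP address, which never comes into play here.

```python
"""Monitored-circuit VRRP election, simulated. Added example; not Check Point code.

Demonstrates the rule on pages 257 and 263: every VRID on a gateway should
monitor every other VRRP interface with a priority delta equal to the
priority, so that one interface failure drops the effective priority to zero
and moves all VRIDs to the backup gateway together. Gateway names,
interfaces and priorities are constructed sample values.
"""
from dataclasses import dataclass, field


@dataclass
class Vrid:
    vrid: int
    interface: str          # interface that carries this VRID's backup (virtual) address
    priority: int
    monitored: dict         # other interface -> priority delta subtracted when it is down


@dataclass
class Gateway:
    name: str
    vrids: dict                                  # vrid number -> Vrid
    down: set = field(default_factory=set)       # interfaces currently down

    def effective_priority(self, vrid):
        v = self.vrids[vrid]
        if v.interface in self.down:
            return 0                             # cannot advertise on a dead interface
        penalty = sum(delta for ifc, delta in v.monitored.items() if ifc in self.down)
        return max(0, v.priority - penalty)


def elect(gateways):
    """Master per VRID: highest effective priority; zero never wins. Ties keep list order."""
    masters = {}
    for vrid in gateways[0].vrids:
        best = max(gateways, key=lambda g: g.effective_priority(vrid))
        masters[vrid] = best.name if best.effective_priority(vrid) > 0 else None
    return masters


def build_cluster(monitor_other_interfaces):
    """Two gateways, VRID 5 on the internal side (eth0) and VRID 6 on the external side (eth1)."""
    def gateway(name, priority):
        delta = priority if monitor_other_interfaces else 0
        return Gateway(name, {
            5: Vrid(5, "eth0", priority, {"eth1": delta}),
            6: Vrid(6, "eth1", priority, {"eth0": delta}),
        })
    return [gateway("gw1", 100), gateway("gw2", 90)]


def failover_scenario(monitor_other_interfaces):
    """Fail gw1's external link and report which gateway is master for each VRID."""
    gws = build_cluster(monitor_other_interfaces)
    before = elect(gws)
    gws[0].down.add("eth1")
    after = elect(gws)
    return before, after


if __name__ == "__main__":
    print("monitored:", failover_scenario(True))
    print("not monitored:", failover_scenario(False))
```

Without the cross-interface monitoring, gw1 keeps VRID 5 on the internal side while gw2 takes VRID 6 on the external side, so traffic enters through one gateway and leaves through the other and stateful inspection breaks; with the deltas in place both VRIDs move together.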
  • Page 264: Configuring The VRRP Security Gateway Cluster In SmartConsole

    The address is removed from the Backup Address table. Click Save. Configuring the VRRP Security Gateway Cluster in SmartConsole: 1. From the Network Objects tree, select Check Point > Security Cluster > Check Point appliance/Open Server. The Security Gateway Cluster Creation window opens. 2. ...
  • Page 265: Configuring VRRP Rules For The Security Gateway

    • CoreXL, SecureXL and Multi-Queue - R80.20 Performance Tuning Administration Guide https://sc1.checkpoint.com/documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_PerformanceTuning_AdminGuide/html_frameset.htm • ClusterXL - R80.20 ClusterXL Administration Guide https://sc1.checkpoint.com/documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_ClusterXL_AdminGuide/html_frameset.htm • VRRP, including Advanced VRRP - R80.20 Gaia Administration Guide https://sc1.checkpoint.com/documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_Gaia_AdminGuide/html_frameset.htm
  • Page 266: Simplifying Security For Private Clouds

    VSX incorporates the same patented Stateful Inspection and Software Blades technology used in the Check Point Security Gateway product line. Administrators manage VSX using a Security Management Server or a Multi-Domain Server, delivering unified management architecture for enterprises and service providers.
  • Page 267: How VSX Works

    ... Security Gateway has interfaces to the perimeter router and to the network it protects. Figure legend: Internet; Router; Security Gateways; Network. VSX Virtual Network Topology: Deploy one VSX Gateway with four Virtual Systems to protect multiple networks.
  • Page 268 ... Warp Links. Virtual interfaces and network cables connect the Virtual Systems and the Virtual Switch. Virtual Switch. Connects all the Virtual Systems to the Internet router. Networks ...
  • Page 269: VSX Architecture And Concepts

    CHAPTER 21 VSX Architecture and Concepts. In This Section: Virtual Devices; Interfaces; Clusters.
  • Page 270: Virtual Devices

    By providing Layer 2 connectivity, a Virtual Switch connects Virtual Systems and facilitates sharing a common physical interface without segmenting the existing IP network. As with a physical switch, each Virtual Switch maintains a forwarding table with a list of MAC addresses and their associated ports.
  • Page 271: Interfaces

    The main interface types in VSX are: • Physical interface • VLAN interface • Warp Link. Figure legend: Internet; Router; Physical interface; VLAN Switch; Security Management Server; Virtual Switch; Warp Link; Virtual System 1.
  • Page 272: VSX Clusters

    A VSX Cluster has two or more identical, interconnected VSX Gateways for continuous data synchronization and transparent failover. Virtual System Load Sharing (VSLS) enhances throughput by distributing Virtual Systems, with their traffic load, among multiple, redundant machines.
  • Page 273 VSLS provides an excellent scalability solution, allowing administrators to add additional physical members to an existing VSLS cluster as traffic loads and performance requirements increase.
  • Page 274 ... Virtual System switches to standby, and synchronizes with the newly active Virtual System. In the event that an individual active Virtual System fails, it immediately fails over to its standby peer and one of its backup peers becomes the standby, synchronizing with the newly active peer.
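The VSLS role model from pages 272 to 274 (each Virtual System Active on one member, Standby on a second, Backup on the rest; on failure the Standby takes over and a Backup is promoted to Standby), worked through as an added Python simulation that is not code from the guide or from VSX. The member names m1 to m3, the six Virtual Systems, the round-robin initial placement and the choice of which Backup is promoted are constructed assumptions; the model does not redistribute Virtual Systems after a failure.

```python
"""Virtual System Load Sharing (VSLS) roles, simulated. Added example; not Check Point code.

Models pages 272 to 274: each Virtual System is Active on one cluster member,
Standby on a second and Backup on the rest; Virtual Systems are spread across
the members so every member carries part of the load; when a member fails,
each Virtual System that was Active there fails over to its Standby peer and
one Backup peer is promoted to Standby. Member and Virtual System names are
constructed sample values; placement and promotion order are assumptions.
"""
from collections import Counter


def initial_distribution(members, vs_ids):
    """Round-robin placement: VS k is Active on member k, Standby on the next, Backup elsewhere."""
    n = len(members)
    state = {}
    for k, vs in enumerate(vs_ids):
        active, standby = members[k % n], members[(k + 1) % n]
        state[vs] = {"active": active, "standby": standby,
                     "backup": [m for m in members if m not in (active, standby)]}
    return state


def member_failed(state, failed):
    """Apply the failover rules for one failed member and return the new state."""
    new_state = {}
    for vs, roles in state.items():
        active, standby, backup = roles["active"], roles["standby"], list(roles["backup"])
        if failed == active:
            # Standby takes over immediately; a Backup is promoted and starts syncing with it.
            active, standby = standby, (backup.pop(0) if backup else None)
        elif failed == standby:
            # Active is untouched; a Backup becomes the new Standby.
            standby = backup.pop(0) if backup else None
        elif failed in backup:
            backup.remove(failed)
        new_state[vs] = {"active": active, "standby": standby, "backup": backup}
    return new_state


def active_load(state):
    """Number of Virtual Systems each member serves as Active."""
    return dict(Counter(roles["active"] for roles in state.values()))


def unprotected(state):
    """Virtual Systems left with no Standby peer, i.e. a second failure would take them down."""
    return sorted(vs for vs, roles in state.items() if roles["standby"] is None)


def run_scenario():
    members = ["m1", "m2", "m3"]
    state = initial_distribution(members, [f"vs{i}" for i in range(1, 7)])
    before = active_load(state)
    state = member_failed(state, "m1")
    return before, active_load(state), state,  unprotected(state)


if __name__ == "__main__":
    before, after, state, exposed = run_scenario()
    print("active load before:", before, "after m1 failed:", after)
    for vs, roles in state.items():
        print(vs, roles)
    print("no standby left:", exposed)
```

Two things worth reading off the output: the Active load is no longer even after a member fails (m2 ends up with four Virtual Systems against two on m3), and a second failure leaves every Virtual System without a Standby, which is the operational reason the guide describes VSLS as scaling by adding members.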
  • Page 275: Configuring A VSX Cluster

    Step 5: Configure the Policy and enable features on the Virtual Systems. You will need the command line interface to add more members, remove members, and upgrade members. Many advanced cluster management procedures require the command line.
  • Page 276: Step 1 - Creating A VSX Cluster

    1. Open SmartConsole. If you are using Multi-Domain Security Management, open SmartConsole from the Domain Management Server in which you are creating the cluster. 2. Click New and then select VSX > Cluster.
  • Page 277 The list shows all interfaces currently defined on the VSX Gateway or VSX Cluster object. To configure a VLAN Trunk: Select one or more interfaces to define them as VLAN Trunks. You can clear an interface to remove the VLAN Trunk assignment.
  • Page 278 If the process ends unsuccessfully, click View Report to view the error messages. Refer to the troubleshooting steps for more information. 2. In SmartConsole, double-click the new VSX Cluster object.
  • Page 279: Step 2 - Creating A Virtual Switch

    ... VSX Gateway. Defining Network Configuration: The Virtual System Network Configuration page allows you to define internal and external interfaces as well as the IP address topology located behind the internal interface.
  • Page 280: Step 4 - Creating A New Virtual System 2

    Define the Policy and enable features on the Virtual Systems. The procedures for this are the same as on a Security Gateway. For more about Security Policies, see the R80.20 Security Management Administration Guide https://sc1.checkpoint.com/documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_SecurityManagement_AdminGuide/html_frameset.htm.
  • Page 281: To Learn More About VSX

    To learn more about simplifying security for private clouds using VSX, see the R80.20 VSX Administration Guide https://sc1.checkpoint.com/documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_VSX_AdminGuide/html_frameset.htm
  • Page 282: Securing Data

    Some data is sensitive because of corporate requirements and legal regulations. The Check Point Data Loss Prevention Software Blade (DLP) lets you use the Firewall to prevent users from sending sensitive data to external networks. DLP helps you implement an automated corporate policy that catches sensitive and protected data before it leaves your organization.
  • Page 283: Using A Mail Relay And Mail Server

    ... Security Gateway to access a mail server and a mail relay. We recommend that you use different computers for a mail server and a mail relay. For more about other deployments, see the R80.20 Data Loss Prevention Administration Guide https://sc1.checkpoint.com/documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_DataLossPrevention_AdminGuide/html_frameset.htm
  • Page 284: Adding Data Owners

    1. In SmartConsole, go to Manage & Settings > Blades. 2. In the Data Loss Prevention section, click Configure in SmartDashboard. SmartDashboard opens and shows the My Organization page in the Data Loss Prevention tab. 3. From the navigation tree, select Policy.
  • Page 285: Using DLP With Microsoft Exchange

    6. Optional: Click Add and add more users to send notification emails to. 7. Use the default notification email message, or click Customize and enter the message. The default message is: The Check Point Data Loss Prevention system has found traffic which matches a rule. 8. ...
  • Page 286: DLP Rule Base

    • Install On - Network objects that will get the rule of the security policy. The Policy Targets option installs the rule on all firewall gateways. • Time - Time period that DLP enforces this rule. • Category - DLP category for this rule.
  • Page 287: DLP Rule Exceptions

    Prevent - The Firewall blocks the data. Note: Check Point does not recommend using the Prevent action as a first choice. The action may prove disruptive. To improve the accuracy of rule matches, set rules to Prevent only when you have tested them with the less strict actions over a reasonable amount of time.
  • Page 288: Sample Rule Base

    You can use the Follow Up flag in SmartConsole for the DLP rules. If you find one or more incidents that you want to change or fine-tune, set the Data Type or rule to Follow Up.
  • Page 289: Analyzing DLP Incidents In The Logs

    ... SmartConsole Logs & Monitor view. They provide advanced analysis tools with filtering, charts, and statistics of all events that pass through enabled Security Gateways. To Learn More About Data Loss Prevention: To learn more about securing data, see these guides: • R80.20 Data Loss Prevention Administration Guide https://sc1.checkpoint.com/documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_DataLossPrevention_AdminGuide/html_frameset.htm
  • Page 290 Securing Data
  • Page 291: ConnectControl - Server Load Balancing

    ConnectControl is a Check Point solution for balancing the traffic that passes through a Check Point Security Gateway or Cluster towards servers behind the Check Point Security Gateway or Cluster. ConnectControl does not consume more memory or CPU processing power on the Security Gateway or Cluster Members.
  • Page 292: Logical Server Types

    ... Web servers. ConnectControl directs an HTTP client to one server for all requests. This allows clients to fill forms without the data loss that occurs if different servers take the requests.
  • Page 293: Persistent Server Timeout

    The round trip method is a good choice if there are large variations in the traffic load on your network or when load balancing over WAN connections. Important - This method is supported for Logical Servers. For more information, see sk31162 http://supportcontent.checkpoint.com/solutions?id=sk31162.
  • Page 294: Server Availability

    6. Select a Balance Method (on page 293) that fits your environment.
    7. Add the Load Balancing rule to the Access Control Policy Rule Base:
       Source: *Any
       Destination: Logical Server object
       Services & Applications: Load-balanced Services
       Action: Accept, User Auth, or Client Auth
  • Page 295
    9. Click Menu > Global properties > ConnectControl.
    10. Configure the Server Persistency (on page 293) and Server Availability (on page 294) settings that fit your environment.
    11. Click OK.
    12. Install the Access Control Policy on this cluster object.
  • Page 296: Ipv6 Neighbor Discovery

    2. On the Security Management Server: Create user defined tables in the applicable user.def file (see sk98239 http://supportcontent.checkpoint.com/solutions?id=sk98239). Example:
       #ifndef __user_def__
       #define __user_def__
       // User defined INSPECT code
       allowed_ethernet_protocols={ <0x44,0x44> };
       dropped_ethernet_protocols={ <0x4,0x4> };
       #endif /*__user_def__*/
    3. In SmartConsole: Install the Access Control Policy.
  • Page 297
    The Security Gateway accepts the packet only if all of these are true:
    • On the Security Gateway, the value of the kernel parameter fwaccept_unknown_protocol is 1, OR in the user.def file, the protocol is in the allowed_ethernet_protocols table
    • AND in the user.def file, the protocol is NOT in the dropped_ethernet_protocols table
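    The accept/drop rule above is easy to misread when both tables and the kernel parameter are in play, so here is an added example (not Check Point code) that parses the allowed/dropped set tables out of a user.def fragment and evaluates the verdict for any EtherType. The INSPECT table syntax it parses is the `name={ <lo,hi>, ... };` form shown on the previous page; the fragment below is constructed for this illustration, and the extra dropped range `<0x9000,0x90ff>` is an assumption added to exercise range matching, not a value from the guide.

```python
import re

# Constructed user.def fragment in the layout the guide shows.
# The second dropped range is an added assumption to exercise range matching.
USER_DEF = """
#ifndef __user_def__
#define __user_def__
// User defined INSPECT code
allowed_ethernet_protocols={ <0x44,0x44> };
dropped_ethernet_protocols={ <0x4,0x4>, <0x9000,0x90ff> };
#endif /*__user_def__*/
"""

# name={ ... };  one set table per statement
TABLE_RE = re.compile(r"^\s*(\w+)\s*=\s*\{(.*?)\}\s*;", re.M | re.S)
# <lo,hi> range elements, hex or decimal
RANGE_RE = re.compile(r"<\s*(0x[0-9a-fA-F]+|\d+)\s*,\s*(0x[0-9a-fA-F]+|\d+)\s*>")


def parse_tables(text):
    """Return {table_name: [(lo, hi), ...]} for every set table in the fragment."""
    tables = {}
    for name, body in TABLE_RE.findall(text):
        tables[name] = [(int(lo, 0), int(hi, 0)) for lo, hi in RANGE_RE.findall(body)]
    return tables


def in_table(ranges, value):
    return any(lo <= value <= hi for lo, hi in ranges)


def unknown_protocol_verdict(ethertype, tables, fwaccept_unknown_protocol):
    """Apply the guide's rule for an Ethernet protocol the Firewall does not handle:
    accept if (fwaccept_unknown_protocol == 1 OR protocol in allowed table)
           AND protocol NOT in dropped table; otherwise drop."""
    allowed = tables.get("allowed_ethernet_protocols", [])
    dropped = tables.get("dropped_ethernet_protocols", [])
    if in_table(dropped, ethertype):
        # The dropped table wins even when the kernel parameter is 1.
        return "drop"
    if fwaccept_unknown_protocol == 1 or in_table(allowed, ethertype):
        return "accept"
    return "drop"


if __name__ == "__main__":
    tables = parse_tables(USER_DEF)
    for param in (0, 1):
        for proto in (0x4, 0x44, 0x45, 0x9010):
            print("fwaccept_unknown_protocol=%d ethertype=0x%04x -> %s"
                  % (param, proto, unknown_protocol_verdict(proto, tables, param)))
```

    The point the table makes clear: setting the kernel parameter to 1 opens every unknown EtherType except the ones listed in dropped_ethernet_protocols, so an allow-list in user.def with the parameter left at 0 is the tighter configuration.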
  • Page 298: Deploying A Security Gateway In Monitor Mode

    Deploying a Security Gateway in Monitor Mode You can configure Monitor Mode on a Check Point Security Gateway interface. This lets the Check Point Security Gateway listen to traffic from a Mirror Port or Span Port on a connected switch. Use the Monitor Mode to analyze network traffic without changing the production environment.
  • Page 299: Configuring Link State Propagation (Lsp)

    On Check Point Appliances that run as a Security Gateway or as ClusterXL Cluster Members, you can bind together in Bridge mode two physical ports on a Check Point Line Card. When the link state for one bridged slave port goes down, the other bridged slave port also goes down. This lets a switch detect and react faster to a link failure on the other side of a bridge or in another part of the network.
  • Page 300
    fw_lsp_pair3="<interface_name5>,<interface_name6>"
    fw_lsp_pair4="<interface_name7>,<interface_name8>"
    Example:
    fw_lsp_pair1="eth1,eth2"
    fw_lsp_pair2="eth3,eth4"
    Save the changes in the file and exit the Vi editor. Reboot each Security Gateway or Cluster Member.
  • Page 301
    # fw ctl get str fw_lsp_pair3
    # fw ctl get str fw_lsp_pair4
    For more information: See sk108121: How to configure Link State Propagation (LSP) in a Bridge interface on Gaia OS and SecurePlatform OS http://supportcontent.checkpoint.com/solutions?id=sk108121.
  • Page 302: Troubleshooting Specific Problems

    CHAPTER 24 Troubleshooting Specific Problems
    In This Section: Resetting SIC in Security Gateways
    Resetting SIC in Security Gateways. See:
    • sk65764: How to reset SIC http://supportcontent.checkpoint.com/solutions?id=sk65764
    • sk30579: How to troubleshoot SIC http://supportcontent.checkpoint.com/solutions?id=sk30579
  • Page 303: Security Before Firewall Activation

    In This Section (continued): Monitoring Security; Unloading Default Filter or Initial Policy; Troubleshooting: Cannot Complete Reboot.
    To protect the Security Gateway and network, Check Point Security Gateway has baseline security:
    Baseline Security | Name of Policy | Description
    Boot Security | | Security during boot process.
  • Page 304: Boot Security

    Uses Boot Filter:
    a) Drops all incoming packets that have the same source IP addresses as the IP addresses assigned to the Security Gateway interfaces
    b) Allows all outbound packets from the Security Gateway
  • Page 305: Selecting The Default Filter

    Make sure to connect to the Security Gateway over a serial console. If the new Default Filter Policy fails and blocks all access through the network interfaces, you can unload that Default Filter Policy and install the working policy. Reboot the Security Gateway. Next Generation Security Gateway Guide R80.20...
  • Page 306: Defining A Custom Default Filter

    Security Before Firewall Activation: Defining a Custom Default Filter
    Administrators with Check Point INSPECT language knowledge can define customized Default Filters.
    Important - Make sure your customized Default Filter policy does not interfere with the Security Gateway boot process.
    Step | Description
    1 | Make sure to configure and install a Security Policy on the Security Gateway.
  • Page 307: Using The Default Filter For Maintenance

    Maintains the Connections table, so that after you run the cpstart command, you do not experience dropped packets because they are "out of state" Note - Only security rules that do not use user space processes continue to work. Next Generation Security Gateway Guide R80.20...
  • Page 308: The Initial Policy

    Security Gateway during Check Point product upgrades, when a SIC certificate is reset on the Security Gateway, or in the case of a Check Point product license expiration. Note - During a Check Point upgrade, a SIC certificate reset, or license expiration, the Initial Policy overwrites the user-defined policy.
  • Page 309: Monitoring Security

    Gateway. Restart the computer before you install policy and run:
    $FWDIR/bin/fw stat
    If the output shows defaultfilter for the Default Filter status and InitialPolicy for the installed policy, the computer is running on the default, pre-Firewall security.
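    A gateway that is still on the Default Filter or the Initial Policy after a reboot, SIC reset or license expiration is not enforcing the user-defined Rule Base, so this is worth checking from a script rather than by eye. The following is an added example (not Check Point code) that classifies the POLICY column of `fw stat` output. The three sample outputs are constructed for the illustration, and the column layout (HOST, POLICY, DATE) is an assumption about the output format, as is "-" standing for "no policy loaded".

```python
# Constructed sample outputs; column layout is assumed, not captured from a gateway.
FW_STAT_BASELINE = """\
HOST      POLICY        DATE
localhost InitialPolicy 13Jun2018 16:34:12 :  [>eth0] [<eth0]
"""
FW_STAT_USER = """\
HOST      POLICY        DATE
localhost Standard      14Jun2018 09:02:44 :  [>eth0] [<eth0] [>eth1] [<eth1]
"""
FW_STAT_NONE = """\
HOST      POLICY        DATE
localhost -             -     -     :  [>eth0] [<eth0]
"""

# The two pre-Firewall policy names named by the guide.
BASELINE_POLICIES = {"defaultfilter", "InitialPolicy"}


def classify_policy(name):
    """Map a POLICY column value to none / baseline / user."""
    if name == "-":
        return "none"        # nothing loaded, e.g. after fw unloadlocal (assumed marker)
    if name in BASELINE_POLICIES:
        return "baseline"    # Default Filter or Initial Policy: pre-Firewall security only
    return "user"


def parse_fw_stat(output):
    """Return one dict per host row of fw stat output."""
    lines = [line for line in output.splitlines() if line.strip()]
    if not lines or lines[0].split()[:2] != ["HOST", "POLICY"]:
        raise ValueError("unexpected fw stat output")
    rows = []
    for line in lines[1:]:
        fields = line.split()
        rows.append({"host": fields[0],
                     "policy": fields[1],
                     "state": classify_policy(fields[1])})
    return rows


def needs_policy_install(output):
    """True when any host is not enforcing a user-defined policy."""
    return any(row["state"] != "user" for row in parse_fw_stat(output))


if __name__ == "__main__":
    for label, sample in (("baseline", FW_STAT_BASELINE),
                          ("user", FW_STAT_USER),
                          ("none", FW_STAT_NONE)):
        print(label, parse_fw_stat(sample), "install needed:", needs_policy_install(sample))
```

    Run the real command and feed its output to `parse_fw_stat`; a "baseline" or "none" state after maintenance is the cue to install the Access Control Policy from SmartConsole before returning the gateway to service.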
  • Page 310: Unloading Default Filter Or Initial Policy

    Do this only if you are sure that the security of the Default Filter or Initial Policy is not required.
    To unload the Default Filter locally: fw unloadlocal
    To unload an Initial Policy from a remote Security Management Server: fwm unload <gateway>
    Where <gateway> is the name of the gateway object.
  • Page 311: Troubleshooting: Cannot Complete Reboot

    Set the Default Filter to not load again:
    a) cd /opt/CPsuite-<VERSION>/fw1/
    b) ./fwboot bootconf set_def
    In the $FWDIR/boot/boot.conf file, examine the value of the DEFAULT_FILTER_PATH:
    a) cd /opt/CPsuite-<VERSION>/fw1/
    b) grep DEFAULT_FILTER_PATH boot/boot.conf
    Reboot the Security Gateway.
  • Page 312: Command Line Reference

    In This Section (continued): cpstop; cpview; dynamic_objects; cpwd_admin; fwboot bootconf; sam_alert; usrchk.
    See the R80.20 Command Line Interface Reference Guide https://sc1.checkpoint.com/documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_CLI_ReferenceGuide/html_frameset.htm. Below is a limited list of applicable commands.
  • Page 313: Comp_Init_Policy

    See also: fwboot bootconf (on page 436), fwboot default (on page 533)
    Syntax:
    [Expert@HostName:0]# $FWDIR/bin/comp_init_policy [-u | -U]
    [Expert@HostName:0]# $FWDIR/bin/comp_init_policy [-g | -G]
    Parameters:
    (no parameter): The command runs with the last used parameter.
  • Page 314 -rw-r--r-- 1 admin root 33104 Jun 13 16:34 local.db -rw-r--r-- 1 admin root 26763 Jun 13 16:34 local.dcerpc_service -rw-r--r-- 1 admin root 0 Jun 13 16:34 local.device_settings_transactions -rw-r--r-- 1 admin root 4 Jun 13 16:34 local.domain_objects_for_web_applications Next Generation Security Gateway Guide R80.20...
  • Page 315 -rw-r----- 1 admin root 14743 Jun 13 16:34 manifest.C -rw-r--r-- 1 admin root 7381 Jun 13 16:34 policy.info -rw-r--r-- 1 admin root 2736 Jun 13 16:34 policy.map -rw-r--r-- 1 admin root 51 Jun 13 16:34 sig.map Next Generation Security Gateway Guide R80.20...
  • Page 316 -rw-rw---- 1 admin root 243 Jul 19 19:51 local.lg6 -rw-rw---- 1 admin root 0 Jul 19 19:51 local.magic -rw-rw---- 1 admin root 3 Jul 19 19:51 local.set -rw-rw---- 1 admin root 51 Jul 19 19:51 sig.map [Expert@GW:0]# Next Generation Security Gateway Guide R80.20...
  • Page 317: Control_Bootsec

    2. Executes the $FWDIR/bin/comp_init_policy -g command that:
    a) Removes the attribute :InitialPolicySafe (true) from the section ": (FW1" in the Check Point Registry (the $CPDIR/registry/HKLM_registry.data file)
    b) Generates the Initial Policy files in the $FWDIR/state/local/FW1/ directory
  • Page 318
    [Expert@GW:0]# grep InitialPolicySafe $CPDIR/registry/HKLM_registry.data
    :InitialPolicySafe (true)
    [Expert@GW:0]# ls -l
    total 0
    [Expert@GW:0]#
    Example - Enabling the boot security
    [Expert@GW:0]# cd $FWDIR/state/local/FW1/
    [Expert@GW:0]# pwd
    /opt/CPsuite-R80.20/fw1/state/local/FW1
    [Expert@GW:0]# control_bootsec -g
    Enabling boot security
  • Page 319 -rw-rw---- 1 admin root 243 Jul 19 20:22 local.lg6 -rw-rw---- 1 admin root 0 Jul 19 20:22 local.magic -rw-rw---- 1 admin root 3 Jul 19 20:22 local.set -rw-rw---- 1 admin root 51 Jul 19 20:22 sig.map [Expert@GW:0]# Next Generation Security Gateway Guide R80.20...
  • Page 320: Cp_Conf

    cp_conf
    Description: Configures or reconfigures a Check Point product installation. The available options for each Check Point computer depend on the configuration and installed products.
    Syntax: cp_conf adv_routing <options> | auto <options> | corexl <options> | fullha <options> | ha <options> ...
  • Page 321
    snmp <options>: Manages the Check Point SNMP Extension on this Security Gateway. Note - Do not use these outdated commands. To configure SNMP, see the R80.20 Gaia Administration Guide https://sc1.checkpoint.com/documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_Gaia_AdminGuide/html_frameset.htm, System Management...
  • Page 322: Cp_Conf Auto

    Description Shows and controls which of Check Point products start automatically during boot. Note - This command corresponds to the option Automatic start of Check Point Products in the cpconfig (on page 331) menu. Important - In cluster, you must configure all the Cluster Members in the same way.
  • Page 323: Cp_Conf Corexl

    For more information, see the R80.20 Performance Tuning Administration Guide https://sc1.checkpoint.com/documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_PerformanceTuning_AdminGuide/html_frameset.htm.
    Important:
    • This command is for Check Point use only. To configure CoreXL, use the Check Point CoreXL option in the cpconfig (on page 331) menu.
    • After all changes in CoreXL configuration on the Security Gateway, you must reboot it.
  • Page 324
    KERN6_INSTANCE_NUM, IPV6_INSTALLED, CORE_OVERRIDE
    [Expert@MyGW:0]# reboot
    ...
    [Expert@MyGW:0]# fw ctl multik stat
    ID | Active | CPU | Connections | Peak
    ----------------------------------------------
     0 | Yes
     1 | Yes
     2 | Yes
    [Expert@MyGW:0]#
  • Page 325: Cp_Conf Fullha

    del_peer: Deletes the Full High Availability peer from the configuration.
    disable: Disables the Full High Availability on this computer.
    state: Shows the Full High Availability state on this computer.
    Example:
    [Expert@Cluster_Member:0]# cp_conf fullha state
    FullHA is currently enabled
    [Expert@Cluster_Member:0]#
  • Page 326: Cp_Conf Ha

    Description Enables or disables cluster membership on this Security Gateway. Important - This command is for Check Point use only. To configure cluster membership, you must use the cpconfig (on page 331) command. R80.20 ClusterXL Administration Guide For more information, see the https://sc1.checkpoint.com/documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_ClusterXL_...
  • Page 327: Cp_Conf Intfs

    Syntax (continued): DMZ <Name of Interface> | external <Name of Interface> | internal <Name of Interface>
    Parameters:
    Shows the list of configured interfaces.
    Configures the topology of the specified interface: auxiliary, DMZ, external, or internal.
  • Page 328: Cp_Conf Lic

    add -f <Full Path to License File>: Adds a license from the specified Check Point license file. You get this license file in the Check Point User Center. This is the same command as cplic db_add.
    Host Date: Adds the license manually.
  • Page 330: Cp_Conf Sic

    init <Activation Key> [norestart]: Resets the one-time SIC activation key. You can specify not to restart Check Point services.
    state: Shows the current state of the SIC Trust.
    Example:
    [Expert@MyGW:0]# cp_conf sic state
    Trust State: Trust established
    [Expert@MyGW:0]#
  • Page 331: Cpconfig

    Command Line Reference cpconfig Description This command starts the Check Point Configuration Tool. This tool lets you configure specific settings for the installed Check Point products. Important - In cluster, you must configure all the Cluster Members in the same way.
  • Page 332
    For more information, see the R80.20 Performance Tuning Administration Guide https://sc1.checkpoint.com/documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_PerformanceTuning_AdminGuide/html_frameset.htm.
    Enable Check Point ClusterXL for Bridge Active/Standby / Disable Check Point ClusterXL for Bridge Active/Standby: Enables and disables Check Point ClusterXL for Active/Standby Bridge mode. This change requires a reboot of the Security Gateway. See the R80.20 Installation and...
  • Page 333
    (2) SNMP Extension
    (3) PKCS#11 Token
    (4) Random Pool
    (5) Secure Internal Communication
    (6) Disable cluster membership for this gateway
    (7) Enable Check Point Per Virtual System State
    (8) Enable Check Point ClusterXL for Bridge Active/Standby
    (9) Check Point CoreXL
    (10) Automatic start of Check Point Products
    (11) Exit
    Enter your choice (1-11) :
  • Page 334: Cpinfo

    Command Line Reference cpinfo Description A utility that collects diagnostics data on your Check Point computer at the time of execution. It is mandatory to collect these data when you contact Check Point Support https://www.checkpoint.com/support-services/contact-support/ about an issue on your Check Point computer.
  • Page 335: Cplic

    cplic
    The cplic command lets you manage Check Point licenses. You can run the cplic command in Gaia Clish or in Expert Mode. License Management is divided into three types of commands:
    Licensing Commands | Applies To | Description
  • Page 336
    Parameters:
    print <options> (on page 341): Prints details of the installed Check Point licenses on the local Check Point computer.
    put <options> (on page 342): Installs and attaches licenses on a Check Point computer.
  • Page 337: Cplic Check

    {-S | -SRusers}: Checks how many SecuRemote users are allowed.
    <Feature>: Feature, for which license information is requested.
    Example from a Management Server:
    [Expert@MGMT]# cplic print -p
    Host     Expiration  Primitive-Features
    W.X.Y.Z  24Mar2016   ::CK-XXXXXXXXXXXX fw1:6.0:swb fw1:6.0:comp fw1:6.0:compunlimited fw1:6.0:cluster-1 fw1:6.0:cpxmgmt_qos_u_sites
  • Page 338 [Expert@GW]# Example from a Cluster Member [Expert@MGMT]# cplic check cluster-u cplic check 'cluster-u': license valid [Expert@MGMT]# [Expert@MGMT]# cplic check -c cluster-u cplic check 'cluster-u': 9 licenses [Expert@MGMT]# Next Generation Security Gateway Guide R80.20...
  • Page 339: Cplic Contract

    cplic contract
    Description: Deletes the Check Point Service Contract from the local Check Point computer, or installs the Check Point Service Contract on the local Check Point computer.
    Notes:
    • For more information about Service Contract files, see sk33089: What is a Service Contract File? http://supportcontent.checkpoint.com/solutions?id=sk33089
  • Page 340: Cplic Del

    cplic del
    Description: Deletes a Check Point license on a host, including unwanted evaluation, expired, and other licenses. This command can delete a license both on the local computer and on remote managed computers.
    Syntax:
    cplic del {-h | -help}
    cplic [-d] del [-F <Output File>] <Signature> ...
  • Page 341: Cplic Print

    cplic print
    Description: Prints details of the installed Check Point licenses on the local Check Point computer. Note - On a Security Gateway, this command prints all installed licenses (both Local and Central).
    Syntax:
    cplic print {-h | -help}
    cplic [-d] print [{-n | -noheader}] [-x] [{-t | -type}] [-F <Output File>] [{-p | ...
  • Page 342: Cplic Put

    Description: Installs one or more Local licenses on a Check Point computer. Note - You get the license details in the Check Point User Center.
    Syntax:
    cplic put {-h | -help}
    cplic [-d] put [{-o | -overwrite}] [{-c | -check-only}] [{-s | -select}] [-F <Output File>] [{-P | -Pre-boot}] [{-k | -kernel-only}] -l <License File> ...
  • Page 343
    <SKU/features>: A string listing the SKU and the Certificate Key of the license. The SKU of the license summarizes the features included in the license. For example: CPSB-SWB CPSB-ADNC-M CK0123456789ab
    Example:
    [Expert@HostName:0]# cplic put -l License.lic
    Host         Expiration  SKU
    192.168.2.3  14Jan2016   CPSB-SWB CPSB-ADNC-M CK0123456789ab
    [Expert@HostName:0]#
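    The Initial Policy section earlier on this page notes that a license expiration makes the Initial Policy overwrite the user-defined policy, so the Expiration column of `cplic print` is worth monitoring before it bites. The following is an added example (not Check Point code) that parses the Host / Expiration / Primitive-Features layout shown in the cplic print example above and reports licenses that are expired or within a warning window. The sample output is constructed for this illustration; treating the word "never" as a perpetual license is an assumption about the output format.

```python
from datetime import date, datetime

# Constructed sample in the layout of the guide's "cplic print -p" example.
# Hosts, dates and certificate keys are placeholders, not real licenses.
CPLIC_PRINT = """\
Host        Expiration  Primitive-Features
192.0.2.10  24Mar2016   ::CK-XXXXXXXXXXXX fw1:6.0:swb fw1:6.0:comp
192.0.2.11  never       ::CK-YYYYYYYYYYYY fw1:6.0:swb
192.0.2.12  14Jan2016   ::CK-ZZZZZZZZZZZZ fw1:6.0:cluster-1
"""


def parse_expiration(text):
    """'24Mar2016' -> date; 'never' (assumed perpetual marker) -> None."""
    if text.lower() == "never":
        return None
    return datetime.strptime(text, "%d%b%Y").date()


def parse_cplic_print(output):
    """Return one dict per license row, skipping the header line."""
    licenses = []
    for line in output.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 3:
            continue
        licenses.append({"host": fields[0],
                         "expires": parse_expiration(fields[1]),
                         "features": fields[2:]})
    return licenses


def license_alerts(output, today, warn_days=30):
    """List (host, reason) for licenses that are expired or expire within warn_days."""
    alerts = []
    for lic in parse_cplic_print(output):
        if lic["expires"] is None:
            continue                      # perpetual: nothing to warn about
        remaining = (lic["expires"] - today).days
        if remaining < 0:
            alerts.append((lic["host"], "expired"))
        elif remaining <= warn_days:
            alerts.append((lic["host"], "expires in %d days" % remaining))
    return alerts


if __name__ == "__main__":
    for host, reason in license_alerts(CPLIC_PRINT, date.today()):
        print(host, reason)
```

    The check is deliberately date-driven rather than relying on the gateway's own behaviour: once the license has lapsed the symptom is the Initial Policy in `fw stat`, which is too late to be the first warning.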
  • Page 344: Cpprod_Util

    This utility lets you work with Check Point Registry ($CPDIR/registry/HKLM_registry.data) without manually opening it: • Shows which Check Point products and features are enabled on this Check Point computer. • Enables and disables Check Point products and features on this Check Point computer.
  • Page 345
    cpprod_util > /tmp/output_of_cpprod_util.txt 2>&1
    Example 1 - Showing a list of all installed Check Point Products Packages on a Security Gateway
    [Expert@MyGW:0]# cpprod_util CPPROD_GetInstalledProducts
    CPFC
    MGMT
    SecurePlatform
    CPinfo
    DIAG
    PPACK
    CVPN
    [Expert@MyGW:0]#
    Example 2 - Checking if this Check Point computer is configured as a StandAlone...
  • Page 346 Command Line Reference [Expert@MyGW:0]# Example 10 - Checking if this Security Gateway is configured with IPv6 addresses [Expert@MyGW:0]# cpprod_util FwIsFireWallIPv6 [Expert@MyGW:0]# Next Generation Security Gateway Guide R80.20...
  • Page 347: Cpstart

    Manually starts all Check Point processes and applications.
    Syntax: cpstart [-fwflag {-default | -proc | -driver}]
    Parameters: Important - These parameters are for Check Point internal use. Do not use them unless Check Point Support explicitly instructs you to do so.
  • Page 348: Cpstat

    cpstat
    Description: Displays the status and statistics information of Check Point applications.
    Syntax: cpstat [-d] [-h <Host>] [-p <Port>] [-s <SICname>] [-f <Flavor>] [-o <Polling Interval> [-c <Count>] [-e <Period>]] <Application Flag>
    Note - You can write the parameters in the syntax in any desired order.
  • Page 349
    -c <Count>: You must use this parameter together with the "-o <Polling Interval>" parameter.
    -e <Period>: You can use this parameter together with the "-c <Count>" parameter.
    Example: cpstat os -f perf -o 2 -c 2 -e 60
  • Page 350 - The SmartEvent blade information • cpsead - The SmartEvent Correlation Unit information • ls - The Log Server information • PA - The Provisioning Agent information These flavors are available for the application flags -------------------------------------------------------------- Next Generation Security Gateway Guide R80.20...
  • Page 351 |dlp |default, dlp, exchange_agents, fingerprint| -------------------------------------------------------------- |ctnt |default -------------------------------------------------------------- |antimalware |default, scanned_hosts, scanned_mails, |subscription_status, update_status, |ab_prm_contracts, av_prm_contracts, |ab_prm_contracts, av_prm_contracts -------------------------------------------------------------- |threat-emulation |default, general_statuses, update_status, | |scanned_files, malware_detected, |scanned_on_cloud, malware_on_cloud, |average_process_time, emulated_file_size, | |queue_size, peak_size, Next Generation Security Gateway Guide R80.20...
  • Page 352 Address|IPv6 Len| -------------------------------------------------------------------------------------------------- ------------------ |eth0|192.168.30.40|255.255.255.0| 0.0.0.0| |eth1| 172.30.60.80|255.255.255.0| 0.0.0.0| |eth2| 0.0.0.0| 0.0.0.0| 0.0.0.0| |eth3| 0.0.0.0| 0.0.0.0| 0.0.0.0| |eth4| 0.0.0.0| 0.0.0.0| 0.0.0.0| |eth5| 0.0.0.0| 0.0.0.0| 0.0.0.0| |eth6| 0.0.0.0| 0.0.0.0| 0.0.0.0| |eth7| 0.0.0.0| 0.0.0.0| 0.0.0.0| -------------------------------------------------------------------------------------------------- Next Generation Security Gateway Guide R80.20...
  • Page 353 CPU Usage (%): CPU Queue Length: CPU Interrupts/Sec: CPUs Number: Disk Servicing Read\Write Requests Time: - Disk Requests Queue: Disk Free Space (%): Disk Total Free Space (Bytes): 12659716096 Disk Available Free Space (Bytes): 11606188032 Next Generation Security Gateway Guide R80.20...
  • Page 354 Command Line Reference Disk Total Space (Bytes): 20477751296 [Expert@MyGW:0]# Next Generation Security Gateway Guide R80.20...
  • Page 355: Cpstop

    Manually stops all Check Point processes and applications.
    Syntax: cpstop [-fwflag {-default | -proc | -driver}]
    Parameters: Important - These parameters are for Check Point internal use. Do not use them unless Check Point Support explicitly instructs you to do so.
    -fwflag -default ...
  • Page 356: Cpview

    Overview of CPView Description CPView is a text based built-in utility on a Check Point computer. CPView Utility shows statistical data that contain both general system information (CPU, Memory, Disk space) and information for different Software Blades (only on Security Gateway).
  • Page 357
    Saves the current page to a file. The file name format is: cpview_<process ID>.cap<number of captures>
    Shows a tooltip with CPView options.
    Space bar: Immediately refreshes the statistics.
  • Page 358: Dynamic_Objects

    • To delete the specific existing dynamic object (and all ranges of IP addresses assigned to it): dynamic_objects -do <object_name>
    • To delete all the existing dynamic objects (and all ranges of IP addresses assigned to them): dynamic_objects -e
  • Page 359
    Example - Create the dynamic object named "bigserver" with the range 192.168.2.20-192.168.2.40: dynamic_objects -n bigserver -r 192.168.2.20 192.168.2.40 -a
    Example - Update the ranges of IP addresses assigned to the dynamic object named "bigserver" from the current range to the new range 192.168.2.60-192.168.2.80: dynamic_objects -u bigserver -r 192.168.2.60 192.168.2.80
  • Page 360: Cpwd_Admin

    The Check Point WatchDog (cpwd) is a process that invokes and monitors critical processes such as Check Point daemons on the local computer, and attempts to restart them if they fail. Among the processes monitored by Watchdog are fwm, fwd, cpd, cpm, DAService, java_solr, log_indexer, and others.
  • Page 361
    ... (on page 374) See sk97638 http://supportcontent.checkpoint.com/solutions?id=sk97638.
    start_monitor (on page 376): Starts the WatchDog monitoring.
    stop <options> (on page 377): Stops a monitored process. See sk97638 http://supportcontent.checkpoint.com/solutions?id=sk97638.
    stop_monitor (on page 379): Stops the WatchDog monitoring.
  • Page 362: Cpwd_Admin Config

    These are the available configuration parameters and the accepted values:
    Configuration Parameter | Accepted Values | Description
    default_ctx | Text string up to 128 characters | On VSX Gateway, configures the CTX value that is assigned to monitored processes, for which no CTX is specified.
  • Page 363
    The value of the zero_timeout must be greater than the value of the timeout. The WatchDog saves the user defined configuration parameters in the $CPDIR/registry/HKLM_registry.data file in the ": (Wd_Config" section:
    ("CheckPoint Repository Set"
      : (SOFTWARE
        : (CheckPoint
  • Page 364
    : 12
    [Expert@HostName:0]# cpstop ; cpstart
    [Expert@HostName:0]# cpwd_admin config -r
    cpWatchDog doesn't have configuration parameters
    [Expert@HostName:0]# cpstop ; cpstart
    [Expert@HostName:0]# cpwd_admin config -p
    cpWatchDog doesn't have configuration parameters
    [Expert@HostName:0]#
  • Page 365: Cpwd_Admin Del

    • WatchDog stops monitoring the deleted process, but the process stays alive.
    • The cpwd_admin list command does not show the deleted process anymore.
    • This change applies until all Check Point services restart during boot, or with the cpstart command.
    Syntax: cpwd_admin del -name <Application Name> [-ctx <VSID>]
  • Page 366: Cpwd_Admin Detach

    WatchDog stops monitoring the detached process, but the process stays alive. • The cpwd_admin list command does not show the detached process anymore. • This change applies until all Check Point services restart during boot, or with the cpstart command. Syntax cpwd_admin detach -name <Application Name> [-ctx <VSID>]...
  • Page 367: Cpwd_Admin Exist

    Command Line Reference cpwd_admin exist Description • Checks whether the WatchDog process cpwd is alive. Syntax cpwd_admin exist Example [Expert@HostName:0]# cpwd_admin exist cpwd_admin: cpWatchDog is running [Expert@HostName:0]# Next Generation Security Gateway Guide R80.20...
  • Page 368: Cpwd_Admin Flist

    MON: Shows how the WatchDog monitors this process (see the explanation for cpwd_admin): Y - Active monitoring; N - Passive monitoring.
    COMMAND: Shows which command the WatchDog runs to start this process.
    Example:
    [Expert@HostName:0]# cpwd_admin flist
    /opt/CPshrd-R80.20/tmp/cpwd_list_3209472813.lst
    [Expert@HostName:0]#
  • Page 369: Cpwd_Admin Getpid

    Syntax cpwd_admin getpid -name <Application Name> [-ctx <VSID>] Parameters Parameter Description Application Name Name of the monitored Check Point process as you see in the output < > of the cpwd_admin list command in the leftmost column APP. Examples: •...
  • Page 370: Cpwd_Admin Kill

    Terminates the WatchDog process cpwd. Important - Do not run this command unless explicitly instructed by Check Point Support or R&D to do so. To restart the WatchDog process, you must restart all Check Point services with the cpstop and cpstart commands.
  • Page 371: Cpwd_Admin List

    HISTORYD 5410 [18:14:15] 23/5/2018 cpview_historyd SXL_STATD 5413 [18:14:15] 23/5/2018 sxl_statd 5420 [18:14:15] 23/5/2018 MPDAEMON 5436 [18:14:16] 23/5/2018 mpdaemon /opt/CPshrd-R80.20/log/mpdaemon.elg /opt/CPshrd-R80.20/conf/mpdaemon.conf CI_CLEANUP 0 5626 [18:14:26] 23/5/2018 avi_del_tmp_files CIHS 5628 [18:14:26] 23/5/2018 ci_http_server -j -f Next Generation Security Gateway Guide R80.20...
  • Page 372 [18:14:26] 23/5/2018 60/5 PATH = /opt/CPsuite-R80.20/fw1/bin/avi_del_tmp_files COMMAND = avi_del_tmp_files -------------------------------------------------------------------------------- CIHS 5628 [18:14:26] 23/5/2018 60/5 PATH = /opt/CPsuite-R80.20/fw1/bin/ci_http_server COMMAND = ci_http_server -j -f /opt/CPsuite-R80.20/fw1/conf/cihs.conf -------------------------------------------------------------------------------- 5640 [18:14:26] 23/5/2018 60/5 PATH = /opt/CPsuite-R80.20/fw1/bin/fw COMMAND = fwd -------------------------------------------------------------------------------- 6330 [18:14:28] 23/5/2018 60/5 PATH = /opt/CPsuite-R80.20/fw1///bin/rad...
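    The `#START` and `STAT` columns of `cpwd_admin list` are the quickest way to spot a daemon the WatchDog has been restarting or one that has died and is not coming back, which is an availability issue and, for fwd or cpd, a security-monitoring gap. The following is an added example (not Check Point code) that parses that listing and raises a finding per unhealthy process. The sample listing is constructed; the column layout APP, PID, STAT, #START, START_TIME, MON, COMMAND and the meaning of STAT values E (executing) and T (terminated) are assumptions about the format used here.

```python
# Constructed cpwd_admin list output; layout and STAT codes are assumed for this example.
CPWD_LIST = """\
APP        PID    STAT  #START  START_TIME             MON  COMMAND
CPD        5420   E     1       [18:14:15] 23/5/2018   Y    cpd
FWD        5640   E     3       [18:20:02] 23/5/2018   N    fwd
CIHS       5628   T     1       [18:14:26] 23/5/2018   N    ci_http_server -j -f /opt/CPsuite-R80.20/fw1/conf/cihs.conf
"""


def parse_cpwd_list(output):
    """Return one dict per monitored process, skipping the header line.

    START_TIME is two whitespace-separated tokens ("[hh:mm:ss] d/m/yyyy"), so
    split with a maximum of 7 splits to keep the full COMMAND intact."""
    procs = []
    for line in output.splitlines()[1:]:
        if not line.strip():
            continue
        f = line.split(None, 7)
        if len(f) < 8:
            continue
        procs.append({"app": f[0],
                      "pid": int(f[1]),
                      "stat": f[2],
                      "starts": int(f[3]),
                      "start_time": f[4] + " " + f[5],
                      "mon": f[6],
                      "command": f[7]})
    return procs


def watchdog_alerts(output):
    """List (app, reason) for processes that are not executing or were restarted."""
    alerts = []
    for p in parse_cpwd_list(output):
        if p["stat"] != "E":
            alerts.append((p["app"], "not executing (STAT=%s)" % p["stat"]))
        elif p["starts"] > 1:
            alerts.append((p["app"], "started %d times by the WatchDog" % p["starts"]))
    return alerts


if __name__ == "__main__":
    for app, reason in watchdog_alerts(CPWD_LIST):
        print(app, reason)
```

    A restart count above one points at a crashing daemon whose .elg log under $FWDIR/log or $CPDIR/log is the next thing to read; a STAT other than E means the WatchDog has given up on it and a cpstop/cpstart cycle, as described under cpwd_admin kill, is the documented way to recover.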
  • Page 373: Cpwd_Admin Monitor_List

    Prints the status of actively monitored processes on the screen (see the explanation about the active monitoring in cpwd_admin). Syntax cpwd_admin monitor_list Example [Expert@HostName:0]# cpwd_admin monitor_list cpwd_admin: FILE_NAME NO_MSG_TIMES LAST_MSG_TIME CPD_5420_4714.mntr 0/10 [19:00:33] 31/5/2018 [Expert@HostName:0]# Next Generation Security Gateway Guide R80.20...
  • Page 374: Cpwd_Admin Start

    -ctx <VSID>: On VSX Gateway, specifies the context of the applicable Virtual System.
    -path "<Full Path to Executable>": The full path (with or without Check Point environment variables) to the executable including the executable name. Must enclose in...
  • Page 375 > - Tries to restart the process the specified number of < times • u - Tries to restart the process unlimited number of times Example For the list of process and the applicable syntax, see sk97638 http://supportcontent.checkpoint.com/solutions?id=sk97638. Next Generation Security Gateway Guide R80.20...
  • Page 376: Cpwd_Admin Start_Monitor

    Starts the active WatchDog monitoring. WatchDog monitors the predefined processes actively. See the explanation for the cpwd_admin. Syntax cpwd_admin start_monitor Example [Expert@HostName:0]# cpwd_admin start_monitor cpwd_admin: CPWD has started to perform active monitoring on Check Point services/processes [Expert@HostName:0]# Next Generation Security Gateway Guide R80.20...
  • Page 377: Cpwd_Admin Stop

    -ctx <VSID>: On VSX Gateway, specifies the context of the applicable Virtual System.
    -path "<Full Path to Executable>": The full path (with or without Check Point environment variables) to the executable including the executable name. Must enclose in...
  • Page 378 Command Line Reference Example For the list of process and the applicable syntax, see sk97638 http://supportcontent.checkpoint.com/solutions?id=sk97638. Next Generation Security Gateway Guide R80.20...
  • Page 379: Cpwd_Admin Stop_Monitor

    Stops the active WatchDog monitoring. WatchDog monitors all processes only passively. See the explanation for the cpwd_admin. Syntax cpwd_admin stop_monitor Example [Expert@HostName:0]# cpwd_admin stop_monitor cpwd_admin: CPWD has stopped performing active monitoring on Check Point services/processes [Expert@HostName:0]# Next Generation Security Gateway Guide R80.20...
  • Page 380 • Fetches the policy from the Management Server, peer Cluster Member, or local directory. • Fetches the specified Security or Audit log files from the specified Check Point computer. • Shows the list of interfaces and their IP addresses. •...
  • Page 381 Audit log files ($FWDIR/log/*.adtlog*) from the specified Check Point computer. getifs (on page 441) - Shows the list with this information: • The name of the interfaces to which the Check Point Firewall kernel is attached. • The IP addresses assigned to the interfaces. hastat <options...
  • Page 382 Uninstalls all policies from the Security Gateway or Cluster Member. up_execute <options> (on page 517) - Executes the offline Unified Policy. ver <options> (on page 520) - Shows the Security Gateway major and minor version number and build number. ...
  • Page 383: Fw -I

    For details and additional parameters for any of these commands, refer to the corresponding entry for each command. Example - Show the Connections table for CoreXL FW instance #1 fw -i 1 tab -t connections ...
  • Page 384: Fw Amw

    Management Server: fw [-d] amw fetch -f -c [-i] [-n] [-r] • To fetch the Threat Prevention policy from the specified Check Point computer(s): fw [-d] amw fetch [-i] [-n] [-r] <Master 1> [<Master 2> ...] • To fetch the Threat Prevention policy stored locally on the Security Gateway:...
  • Page 385 On a Cluster Member, specifies to ignore this option: For gateway clusters, if installation on a cluster member fails, do not install on that cluster. Note - Use this parameter if a peer Cluster Member is Down. ...
  • Page 386 <Master 1> [<Master 2> ...] - Specifies the Check Point computer(s) from which to fetch the Threat Prevention policy. You can fetch the Threat Prevention policy from the Management Server, or a peer Cluster Member.
  • Page 387: Fw Ctl

    conntab <options> (on page 402) - Shows a formatted list of current connections from the Connections kernel table (ID 8158). cpasstat <options> (on page 406) - Generates a statistics report about Check Point Active Streaming (CPAS). Generates kernel debug messages from Check Point ...
  • Page 388 get < > (on page 411) iflist (on page 413) - Shows the list with this information: • The name of the interfaces to which the Check Point Firewall kernel is attached. • The internal numbers of the interfaces in the Check Point Firewall kernel.
  • Page 389 Syntax fw [-d] ctl arp [-h] [-n] Parameters: -d - Runs the command in debug mode. Use only if you troubleshoot the command itself. -h - Shows the built-in help. -n - Specifies not to resolve hostnames. ...
  • Page 390 - Calculates the IOCTL flow statistics. • <Limit> - Specifies the time limit (in seconds) for the benchmark. Default is 10 seconds. Maximum is 200 seconds. • stop - Stops the current lock benchmark. ...
  • Page 391 [fw4_2];Number of samples taken: 8624 [fw4_0]; [fw4_2];Interval Name % of total cpu Total TU Average TU Max TU sampled [fw4_0];BENCHMARKER [fw4_0];=================================== [fw4_0];Type: FW LOCK STATISTICS [fw4_0];General info [fw4_0];------------- [fw4_0];TU = Time Units [fw4_2];----------------------------------- --------------- --------- ----------- --------------- ...
  • Page 392 [fw4_1]; [fw4_1];fw VM outbound 21603 7201 10692 [fw4_1]; [fw4_1];fw post VM outbound 14574 4858 7545 [fw4_1]; [fw4_1];QoS outbound offload chain modul 9051 3017 4689 [fw4_1]; [fw4_1];QoS slowpath outbound chain mod 95691 31897 38586 [fw4_1]; ...
  • Page 393 [fw4_1];fw post VM inbound 10275 5137 7584 [fw4_1]; [fw4_1];fw accounting inbound [fw4_1]; [fw4_1];QoS slowpath inbound chain mod 64650 32325 39846 [fw4_1]; [fw4_1];passive streaming (in) 4272 2136 3072 [fw4_1]; [fw4_1];TCP streaming (in) 5577 2788 3363 [fw4_1]; ...
  • Page 394 [fw4_2];fw accounting inbound 51537 1182 [fw4_2]; [fw4_2];QoS slowpath inbound chain mod 4392585 43925 82623 [fw4_2]; [fw4_2];passive streaming (in) 289659 2896 5013 [fw4_2]; [fw4_2];TCP streaming (in) 66417 2766 [fw4_2]; [fw4_2];IP Options Restore (in) 31596 1215 [fw4_2]; ...
  • Page 395 [fw4_0];IP Options Restore (out) 1839 [fw4_0]; [fw4_0];BENCHMARKER [fw4_0];=================================== [fw4_0];Type: INBOUND PACKETS STATISCITCS [fw4_0];General info [fw4_0];------------- [fw4_0];TU = Time Units [fw4_0];Calibration: number of TU in one second 2399455273 [fw4_0];Testing period in TU: 23997573677 [fw4_0];Number of samples taken: 7 ...
  • Page 396 [fw4_2];Calibration: number of TU in one second 2398783828 [fw4_2];Testing period in TU: 24000292567 [fw4_2];Number of samples taken: 1 [fw4_2];Interval Name % of total cpu Total TU Average TU Max TU sampled [fw4_2];----------------------------------- --------------- --------- ----------- --------------- ...
  • Page 397 [fw4_2];QoS outbound offload chain modul 47829 47829 47829 [fw4_2]; [fw4_2];QoS slowpath outbound chain mod 10530 10530 10530 [fw4_2]; [fw4_2];fw accounting outbound [fw4_2]; [fw4_2];TCP streaming post VM 1533 1533 1533 [fw4_2]; [fw4_2];IP Options Restore (out) [Expert@MyGW:0]# ...
  • Page 398 Syntax fw [-d] ctl block Parameters: -d - Runs the command in debug mode. Use only if you troubleshoot the command itself. Removes the block of all connections. Blocks all connections. ...
  • Page 399 7f000000 (ffffffff8b807970) (00000001) fw accounting outbound (acct) 7f700000 (ffffffff8b17cb10) (00000001) TCP streaming post VM (cpas) 7f800000 (ffffffff8b681260) (ffffffff) IP Options Restore (out) (ipopt_res) 7f900000 (0000000000000000) (00000000) SecureXL outbound (sxl_out) 7fa00000 (0000000000000000) (00000000) SecureXL deliver (sxl_deliver) ...
  • Page 401 0000000000000000 0000000000000000 0000000000000000 0000000000000000 None RTM2 RTM2 0000000000000000 0000000000000000 FFFFFFFF8B014970 0000000000000000 None SPII SPII FFFFFFFF8B412060 0000000000000000 FFFFFFFF8B41AF40 FFFFFFFF8B4016A0 None FFFFFFFF8A965440 0000000000000000 FFFFFFFF8AA4CC40 0000000000000000 Special FFFFFFFF8AA60490 Connectivity level 1: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 None [Expert@MyGW:0]# ...
  • Page 402 -dip=<Address in Decimal Format> - Filters the output by the specified Destination IP address. -dport=<Port Number in Decimal Format> - Filters the output by the specified Destination Port number. See IANA Service Name and Port Number Registry https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml. ...
  • Page 403 Ifnsin=1, Ifnsout=1, conn modules: Authentication, FG-1> [Expert@MyGW:0]# Example 4 - Filter by a source port [Expert@MyGW:0]# fw ctl conntab -sport=54201 <(inbound, src=[192.168.204.1,54201], dest=[192.168.204.40,22], TCP); 3600/3600, rule=2, tcp state=TCP_ESTABLISHED, service=ssh(481), Ifncin=1, Ifncout=1, conn modules: Authentication, FG-1> [Expert@MyGW:0]# ...
  • Page 404 SPort: 54201; Dest: 192.168.204.1; DPort: 53; Protocol: udp; CPTFMT_sep: ;; Type: 131073; Rule: 0; Timeout: 335; Handler: 0; Ifncin: -1; Ifncout: -1; Ifnsin: -1; Ifnsout: 1; Bits: 0000780000000000; Expires: 23/40; LastUpdateTime: 10Sep2018 11:30:56; ProductName: VPN-1 & FireWall-1; ProductFamily: Network; ...
  • Page 405 SPort: 44966; Dest: 192.168.204.1; DPort: 53; Protocol: udp; CPTFMT_sep: ;; Type: 131073; Rule: 0; Timeout: 335; Handler: 0; Ifncin: -1; Ifncout: -1; Ifnsin: 1; Ifnsout: 1; Bits: 0000780000000000; Expires: 23/40; LastUpdateTime: 10Sep2018 11:30:56; ProductName: VPN-1 & FireWall-1; ProductFamily: Network; [Expert@MyGW:0]# ...
  • Page 406 fw ctl cpasstat Description Generates a statistics report about Check Point Active Streaming (CPAS). Syntax fw [-d] ctl cpasstat [-r] Parameters: -d - Runs the command in debug mode. Use only if you troubleshoot the command itself. -r - Resets the counters.
  • Page 407 Number of SYNs dropped (no route/mem) .... Number of retransmissions ......SACK stats: SACK recovery episodes ......SACK retransmit segments ......SACK retransmit bytes ......SACK options received ......SACK options sent ........ Applications Counters: ====================== [Expert@MyGW:0]# ...
  • Page 408 fw ctl debug and fw ctl kdebug Description Generates kernel debug messages from the Check Point Firewall kernel to a debug buffer. For more information, see Kernel Debug on Security Gateway in the R80.20 Next Generation Security Gateway Administration Guide https://sc1.checkpoint.com/documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_NextGenSecurityGateway_Guide/html_frameset.htm...
  • Page 409 Number of HTTP POST requests bypassed due to internal errors ..0 Number of HTTP POST requests rejected due to large data size limit ... 0 Number of HTTP POST requests rejected due to internal errros ..0 ...
  • Page 410 | Total number of asynchronous IA queries |-----------------------------------------------+-------------+-------------| Number of known users (Asynchronous) |-----------------------------------------------+-------------+-------------| Number of unknown final (Asynchronous) |-----------------------------------------------+-------------+-------------| Number of timed out queries (Asynchronous)| |-----------------------------------------------+-------------+-------------| Number of failed queries (Asynchronous) |---------------------------------------------------------------------------| [Expert@MyGW:0]# ...
  • Page 411 Specifies to search for this kernel parameter in this order: 1. In $FWDIR/modules/fw_*.o 2. In $PPKDIR/modules/sim_*.o Example for an integer kernel parameter [Expert@MyGW:0]# fw ctl get int fw_kdprintf_limit -a fw_kdprintf_limit = 100 SIM: fw_kdprintf_limit = 100 [Expert@MyGW:0]# ...
  • Page 412 Example for a string kernel parameter [Expert@MyGW:0]# fw ctl get str fileapp_default_encoding_charset -a fileapp_default_encoding_charset = 'UTF-8' SIM: Failed to get from ppak [Expert@MyGW:0]# Related SK article sk33156: Creating a file with all the kernel parameters and their values http://supportcontent.checkpoint.com/solutions?id=sk33156 ...
  • Page 413 fw ctl iflist Description Shows the list with this information: • The name of the interfaces to which the Check Point Firewall kernel is attached. • The internal numbers of the interfaces in the Check Point Firewall kernel. Notes: •...
  • Page 414 Security Policy. You must run one of these commands: fw fetch (on page 437), or cpstart (on page 347). Syntax fw [-d] ctl install Parameters: -d - Runs the command in debug mode. Use only if you troubleshoot the command itself. ...
  • Page 415 fw ctl leak Description Generates a leak detection report. This report is for Check Point use only. Important - This command saves the report into the active /var/log/messages file and the dmesg buffer. Syntax fw [-d] ctl leak {-h | -help} [{-a | -A}] [-t <Internal Object Type>] [-o <Internal Object ID>]...
  • Page 416 [Expert@MyGW:0]# fw ctl leak -s [Expert@MyGW:0]# [Expert@MyGW:0]# dmesg [fw4_0];fwleak_report: type chain - 0 objects [fw4_0];fwleak_report: type cookie - 0 objects [fw4_0];fwleak_report: type kbuf - 0 objects [fw4_0];fwleak_report: type connh - 0 objects [fw4_1];fwleak_report: type chain - 0 objects ...
  • Page 417 Sep 12 16:09:50 2018 MyGW kernel: [fw4_2];fwleak_report: type cookie - 0 objects Sep 12 16:09:50 2018 MyGW kernel: [fw4_2];fwleak_report: type kbuf - 0 objects Sep 12 16:09:50 2018 MyGW kernel: [fw4_2];fwleak_report: type connh - 0 objects [Expert@MyGW:0] [Expert@MyGW:0]# cp -v /var/log/messages{,_LEAK_DETECTION} `/var/log/messages' -> `/var/log/messages_LEAK_DETECTION' [Expert@MyGW:0]# ...
  • Page 418 -v 4 | -v 6 - Shows statistics for IPv4 (-v 4) traffic only, or for IPv6 (-v 6) traffic only. Default is to show statistics for both IPv4 and IPv6 traffic. Example 1 - fw ctl pstat [Expert@MyGW:0]# fw ctl pstat System Capacity Summary: ...
  • Page 419 2170606 free, 0 failed free External Allocations: 0 for packets, 7303643 for SXL Cookies: 91808 total, 0 alloc, 0 free, 2 dup, 91808 get, 0 put, 182258 len, 909 cached len, 0 chain alloc, ...
  • Page 420 Etm multik chain: 0 Vs message: 0 Vs_kill: 0 Forward before encrypt(F2F) kernel: 0 Forward before encrypt(F2F) userspace: 0 Async index req: 0 Accel ACK info: 0 SXL Device State Info: 0 Async ADP call: 0 ...
  • Page 421 Zeco: 0 data mapped, 0 data unmapped, 0 shared info mapped, 0 shared info unmapped cut through: 0, non linear skbs: 0, shared skbs: 0 data alloc from pool: 0, data alloc not from pool: 0 fwmultik enqueue stats: ...
  • Page 422 Async ADP call: 0 fwmultik enqueue fail stats: Inbound packet kernel: 0 Outbound packet kernel: 0 Inbound packet userspace: 0 Outbound packet userspace: 0 Multik message kernel: 0 Multik message userspace: 0 F2P packet kernel: 0 ...
  • Page 423 INSTANCE 2: multik_forwarding: 0 fwmultik dispatch reason: not selected: 0 arbitray: 0 conn: 0 multik tag: 0 sxl tag: 0 param: 0 Sync: Run "cphaprob syncstat" for cluster sync statistics. [Expert@MyGW:0]# fw ctl pstat ...
  • Page 424 17227 Allocations: 2197354 alloc, 0 failed alloc, 2158448 free System kernel memory (smem) statistics: Total memory bytes used: 913975068 peak: 1165010872 Total memory bytes wasted: 7883999 Blocking memory bytes used: 4896272 peak: 6916084 ...
  • Page 425 0 total, 0 TCP, 0 UDP, 0 ICMP, 0 other, 0 anticipated, 0 recovered, -3 concurrent, 0 peak concurrent Fragments: 0 fragments, 0 packets, 0 expired, 0 short, 0 large, 0 duplicates, 0 failures NAT: ...
  • Page 426 0, pkt_localsrc_match: 0 FWMULTIK STAT: VS 0 info: Zeco: 0 data mapped, 0 data unmapped, 0 shared info mapped, 0 shared info unmapped cut through: 0, non linear skbs: 0, shared skbs: 0 ...
  • Page 427 Async index req: 0 Accel ACK info: 0 SXL Device State Info: 0 Async ADP call: 0 FWMULTIK GLOBAL STAT: VS 0 info: multik_forwarding: 0 fwmultik dispatch reason: not selected: 0 arbitray: 0 conn: 0 ...
  • Page 428 Hash kernel memory (hmem) statistics: Total memory allocated: 742391808 bytes in 181248 (4096 bytes) blocks using 1 pool Total memory bytes used: unused: 742391808 (100.00%) peak: 68247020 Total memory blocks used: unused: 181248 (100%) peak: 17227 ...
  • Page 429 0 fragments, 0 packets, 0 expired, 0 short, 0 large, 0 duplicates, 0 failures NAT: 0/0 forw, 0/0 bckw, 0 tcpudp, 0 icmp, 0-0 alloc Sync: Run "cphaprob syncstat" for cluster sync statistics. [Expert@MyGW:0]# fw ctl pstat ...
  • Page 430 <Parameter> - Specifies the name of the integer kernel parameter. <Integer Value> - Specifies the integer value for the integer kernel parameter. <Name of String Kernel Parameter> - Specifies the name of the string kernel parameter. ...
  • Page 431 [Expert@MyGW:0]# fw ctl get str icap_unwrap_append_header_str icap_unwrap_append_header_str = '' [Expert@MyGW:0]# Related SK articles • sk26202: Changing the kernel global parameters for Check Point Security Gateway http://supportcontent.checkpoint.com/solutions?id=sk26202 • sk33156: Creating a file with all the kernel parameters and their values http://supportcontent.checkpoint.com/solutions?id=sk33156...
  • Page 432 Total num of c2s|s2c FFconns ....0 | 0 Total num of c2s|s2c saved packets ..0 | 0 Total num of c2s|s2c bytes requests ..0 | 0 Total num of c2s|s2c saved bytes ..0 | 0 ...
  • Page 433 Concurrent num of c2s|s2c connections ..0 | 0 Packets: Total num of c2s|s2c data packets ..2567 | 0 Total c2s|s2c data packets in bytes ..130518 | 0 FastForward Counters: ===================== FF connection: ...
  • Page 434 0 | 0 Total num of c2s|s2c saved packets ..0 | 0 Total num of c2s|s2c bytes requests ..0 | 0 Total num of c2s|s2c saved bytes ..0 | 0 [Expert@MyGW:0]# ...
  • Page 435 Security Policy. You must run one of these commands: fw fetch (on page 437), or cpstart (on page 347). Syntax fw [-d] ctl uninstall Parameters: -d - Runs the command in debug mode. Use only if you troubleshoot the command itself. ...
  • Page 436: Fw Defaultgen

    Note - If the Default Filter policy file already exists, the command creates a backup copy $FWDIR/state/default.bin.bak (and $FWDIR/state/default.bin6.bak) Example [Expert@MyGW:0]# fw defaultgen Generating default filter defaultfilter: Compiled OK. defaultfilter: Compiled OK. Backing up default.bin as default.bin.bak hostaddr(MyGW) failed Backing up default.bin6 as default.bin6.bak [Expert@MyGW:0]# ...
  • Page 437: Fw Fetch

    • To fetch the policy from a peer Cluster Member and, if it fails, then from the Management Server: fw [-d] fetch -f -c [-i] [-n] [-r] • To fetch the policy from the specified Check Point computer(s): fw [-d] fetch [-i] [-n] [-r] <Master 1> [<Master 2> ...] •...
  • Page 438 <Master 1> [<Master 2> ...] - Specifies the Check Point computer(s) from which to fetch the policy. You can fetch the policy from the Management Server, or a peer Cluster Member. Notes: •...
  • Page 439: Fw Fetchlogs

    Notes: • This command moves the specified log files from the $FWDIR/log/ directory on the specified Check Point computer. Meaning, it deletes the specified log files on the specified Check Point computer after it copies them successfully. • This command moves the specified log files to the $FWDIR/log/ directory on the local Check Point computer, on which you run this command.
  • Page 440 This command renames the log files it fetched from the specified Check Point computer. The new log file name is the concatenation of the Check Point computer's name (as configured in SmartConsole), two underscore (_) characters, and the original log file name (for example: MyGW__2018-06-01_000000.log).
  • Page 441: Fw Getifs

    fw getifs Description Shows the list with this information: • The name of the interfaces to which the Check Point Firewall kernel is attached. • The IP addresses assigned to the interfaces. Note: • This list shows only interfaces that have IP addresses assigned on them.
  • Page 442: Fw Hastat

    fw hastat Description Shows information about Check Point computers in High Availability configuration and their states. Note - The fw hastat command is outdated: • On cluster members, run the Gaia Clish command show cluster state, or the Expert mode command cphaprob state.
  • Page 444: Fw Isp_Link

    2. Open the Security Gateway or Cluster object. 3. From the left tree, click Other > ISP Redundancy. down - Changes the state of the specified ISP Link to DOWN. Changes the state of the specified ISP Link to UP. ...
  • Page 445: Fw Kill

    If you do not specify the signal explicitly, the command sends Signal 15 (SIGTERM). Note - Processes can ignore some signals. <Name of Process> - Specifies the name of the Check Point process to kill. Example fw kill fwd...
  • Page 446: Fw Lichosts

    Shows the output in the hexadecimal format. Example [Expert@MyGW:0]# fw lichosts License allows an unlimited number of hosts [Expert@MyGW:0] Related SK article sk10200 - 'too many internal hosts' error in /var/log/messages on Security Gateway http://supportcontent.checkpoint.com/solutions?id=sk10200. ...
  • Page 447: Fw Log

    fw log Description Shows the content of Check Point log files - Security ($FWDIR/log/*.log) or Audit ($FWDIR/log/*.adtlog). Syntax fw log {-h | -help} fw [-d] log [-a] [-b "<Start Timestamp>" "<End Timestamp>"] [-c <Action>] [{-f | -t}] [-g] [-H] [-h <Origin>] [-i] [-k {<Alert Name> | all}] [-l] [-m {initial | semi | raw}] [-n] [-o] [-p] [-q] [-S] [-s "<Start Timestamp>"] [-e "<End Timestamp>"]...
  • Page 448 Shows a semi-colon (;) after a field value. Shows the High Level Log key. -h <Origin> - Shows only logs that were generated by the Security Gateway with the specified IP address or object name (as configured in SmartConsole). ...
  • Page 449 Does not perform resolution of the port numbers in the log file (this is the default behavior). This significantly speeds up the log processing. Shows the names of log header fields. Shows the Sequence Number. ...
  • Page 450 If you do not specify the log file explicitly, the command opens the $FWDIR/log/fw.log log file. You can specify a switched log file. Date and Time format (Part of timestamp - Format - Example): Date only - MMM DD, YYYY - June 11, 2018 ...
  • Page 451 Action - Action performed on this connection: • accept • drop • reject • encrypt • decrypt • vpnroute • keyinst • authorize • deauthorize • authcrypt • Origin (example: MyGW) - Object name of the Security Gateway that generated this ...
  • Page 452 Object name or IP address of the connection's source computer (example: MyHost). Object name or IP address of the connection's destination computer (example: MyFTPServer). proto - Name of the connection's protocol. sport_svc (example: 64933) - Source port of the connection ...
  • Page 453 <max_null>; OriginSicName: CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x; description: Contracts; reason: Could not reach "https://productcoverage.checkpoint.com/ProductCoverageService". Check DNS and Proxy configuration on the gateway.; Severity: 2; status: Failed; version: 1.0; failure_impact: Contracts may be out-of-date; update_service: 1; ProductName: Security Gateway/Management; ProductFamily: Network; ...
  • Page 454 64933; ProductFamily: Network; [Expert@MyGW:0]# Example 6 - Show only log entries from 0 to 10 (counting from the beginning of the log file) [Expert@MyGW:0]# fw log -l -x 0 -y 10 ..[Expert@MyGW:0]# ...
  • Page 455: Fw Logswitch

    The remote computer can be a Security Gateway, a Log Server, or a Security Management Server in High Availability deployment. • You can specify the remote managed computer by its main IP address or Object Name as configured in SmartConsole. ...
  • Page 456 If you specify the name of the switched log file, then the name of the saved log file is: <Gateway_Object_Name>__<Specified_Log_Name>.log • When this command copies the log file from the remote computer, it compresses the file. ...
  • Page 457 /opt/CPsuite-R80.20/fw1/log/MyGW__2018-06-13_185451.log [Expert@MGMT:0] Example 4 - Switching the active Security log on a managed Security Gateway and copying the switched log [Expert@MGMT:0]# fw logswitch -h MyGW + Log file has been switched to: 2018-06-13_185451.log [Expert@MGMT:0]# ...
  • Page 458 [Expert@MGMT:0]# ls $FWDIR/log/*.log /opt/CPsuite-R80.20/fw1/log/fw.log /opt/CPsuite-R80.20/fw1/log/MyGW__2018-06-13_185451.log [Expert@MGMT:0]# [Expert@MyGW:0]# ls $FWDIR/log/*.log /opt/CPsuite-R80.20/fw1/log/fw.log /opt/CPsuite-R80.20/fw1/log/2018-06-13_185451.log [Expert@MyGW:0]# ...
  • Page 459: Fw Lslogs

    - The file name • size - The file size • stime - The time the log file was created (this is the default option) • etime - The time the log file was closed ...
  • Page 460 If you run this command on a Security Management Server or Domain Management Server, then <Target> is the applicable object's name or main IP address of the Check Point Computer as configured in SmartConsole. • If you run this command on a Security Gateway or Cluster Member, then <Target...
  • Page 461 Example 6 - Showing only log files specified by the patterns, from a managed Security Gateway [Expert@MGMT:0]# fw lslogs -f "2018-06-14*" -f '2018-06-15*' 192.168.3.53 Size Log file name 11KB 2018-06-15_000000.adtlog 11KB 2018-06-15_000000.log 2018-06-14_000000.log 2018-06-14_000000.adtlog [Expert@MGMT:0]# ...
  • Page 462: Fw Mergefiles

    CLI session. {-h | -help} - Shows the built-in usage. Removes duplicate entries. Sorts the merged file by the Time field in log records. ...
  • Page 463 -rw-rw---- 1 admin root 8192 Sep 10 13:18 /var/log/2018-Sep-Merged.logLuuidDB -rw-rw---- 1 admin root 80 Sep 10 13:18 /var/log/2018-Sep-Merged.logaccount_ptr -rw-rw---- 1 admin root 2264 Sep 10 13:18 /var/log/2018-Sep-Merged.loginitial_ptr -rw-rw---- 1 admin root 4448 Sep 10 13:18 /var/log/2018-Sep-Merged.logptr [Expert@MyGW:0]# ...
  • Page 464: Fw Monitor

    • Each time you run the FW Monitor, it compiles its temporary policy files ($FWDIR/tmp/monitorfilter.*). • From R80.20, the FW Monitor is able to show the traffic accelerated with SecureXL. Limitations: • In R80.20 without the Jumbo Hotfix Accumulator: FW Monitor shows TCP [SYN] packets of accelerated connections only at Pre-Inbound (small "i").
  • Page 465 Important - Make sure to enclose the INSPECT filter expression correctly in single quotes (ASCII value 39) or double quotes (ASCII value 34). Note - In R80.20, the FW Monitor filters do apply to the accelerated traffic. ...
  • Page 466 • <Protocol Number> - Specifies the IANA Protocol Number https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml Notes: • This parameter exists only in R80.20 Jumbo Hotfix Accumulator Take 49 and above (sk137592 http://supportcontent.checkpoint.com/solutions?id=sk137592). • This parameter uses the Kernel Debug Filters (on page 563): •...
  • Page 467 -m e - Pre-Outbound VPN only (before the packet enters a VPN Chain Module in the outbound direction) • -m E - Post-Outbound VPN only (after the packet passes through a VPN Chain Module in the outbound direction) ...
  • Page 468 The format of this output file is the same format used by tools like snoop (refer to RFC 1761 https://www.rfc-editor.org/info/rfc1761). You can later analyze the captured traffic with the same FW Monitor tool, or with special tools like Wireshark. ...
  • Page 469 The "-a" parameter specifies to use absolute chain positions. This parameter changes the chain ID from a relative value (which only makes sense with the matching output from the fw ctl chain (on page 399) command) to an absolute value. ...
  • Page 470 -u - Prints connection's Universal-Unique-ID (UUID) for each packet • -s - Prints connection's Session UUID (SUUID) for each packet Note - It is only possible to print the UUID, or the SUUID - not both. ...
  • Page 471 >,< >,< >,< >,< Number >" Note - This parameter exists only in R80.20 Jumbo Hotfix Accumulator Take 49 and above (sk137592 http://supportcontent.checkpoint.com/solutions?id=sk137592). -v <VSID> - On a VSX Gateway or VSX Cluster Member, captures the packets on the ...
  • Page 472 Read 3 inbound packets and 0 outbound packets [Expert@MyGW:0]# Example 3 - Insert the FW Monitor chain before chain #2 and capture only three Pre-Inbound packets [Expert@MyGW:0]# fw ctl chain in chain (15): ...
  • Page 473 [vs_0][fw_1] eth0:OQ10 (TCP streaming post VM)[1228]: 192.168.204.40 -> 192.168.204.1 (TCP) len=1228 id=37575 TCP: 22 -> 51702 ...PA. seq=34e2af31 ack=e6c995ce [vs_0][fw_1] eth0:iq2 (IP Options Strip (in))[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=32022 TCP: 51702 -> 22 ..A. seq=e6c995ce ack=34e2af31 ...
  • Page 474 [Expert@MyGW:0]# Example - List of Chain Modules with the FW Monitor, when you do not change the default capture positions [Expert@MyGW:0]# fw ctl chain in chain (17): 0: -7fffffff (0000000000000000) (00000000) SecureXL inbound (sxl_in) ...
  • Page 475 7f000000 (ffffffff8b7fd6c0) (00000001) fw accounting outbound (acct) 7f700000 (ffffffff8b0e4660) (00000001) TCP streaming post VM (cpas) 7f800000 (ffffffff8b671870) (ffffffff) IP Options Restore (out) (ipopt_res) 7f900000 (0000000000000000) (00000000) SecureXL outbound (sxl_out) 7fa00000 (0000000000000000) (00000000) SecureXL deliver (sxl_deliver) [Expert@MyGW:0]# ...
  • Page 476: Fw Repairlog

    fw repairlog Description Check Point Security log and Audit log files are databases, with special pointer files. If these log pointer files become corrupted (which makes the log file unreadable), this command can rebuild them:...
  • Page 477: Fw Sam

    To add or cancel a SAM rule according to criteria: [Expert@HostName:0]# fw [-d] sam [-v] [-s <SAM Server>] [-S <SIC Name of SAM Server>] [-f <Security Gateway>] [-t <Timeout>] [-l <Log Type>] [-C] [-e <key=val>]+ [-r] -{n|i|I|j|J} <Criteria> ...
  • Page 478 For more information about enabling SIC, refer to the OPSEC API Specification. • fw vsx showncs -vs <VSID> On VSX Gateway, run the command to show the SIC name for the relevant Virtual System. ...
  • Page 479 You can use this syntax only on Security Management Server or Domain Management Server. • localhost - Specifies to enforce the action on this local Check Point computer (on which the fw sam command is executed). You can use this syntax only on Security Gateway or StandAlone. • Gateways ...
  • Page 480 Notes: • Matching connections are dropped. • Each inhibited connection is logged according to the log type. Bypasses new connections with the specified parameters. Quarantines new connections with the specified parameters. ...
  • Page 481 • subdstpr < > < > <Protocol> • generic <key=val> Explanation for the <Criteria> syntax: Parameter Description: src < > - Matches the Source IP address of the connection. ...
  • Page 482 Source IP address is assigned according to the netmask. subdstpr < > <Netmask> <Protocol> - Matches the Destination IP address and protocol of connections. Destination IP address is assigned according to the netmask. ...
  • Page 483 generic <key=val>+ - Matches the GTP connections based on the specified keys and provided values. Multiple keys are separated by the plus sign (+). Available keys are: • service=gtp • imsi • msisdn • • tunl_dst • tunl_dport • tunl_proto ...
  • Page 484: 'Fw Sam_Policy' And 'Fw6 Sam_Policy'

    In a cluster, you must configure SecureXL in the same way on all Cluster Members. Syntax for IPv4: fw [-d] sam_policy {add <options> | batch | del <options> | get <options>} or fw [-d] samp {add <options> | batch | del <options> | get <options>}
  • Page 485 • batch - Adds or deletes many Rate Limiting rules at a time. • del <options> (on page 498) - Deletes one configured Rate Limiting rule at a time. • get <options> (on page 500) - Shows all the configured Rate Limiting rules.
  • Page 486 • -d - Runs the command in debug mode. Use only to troubleshoot the command itself. Note - If you use this parameter, redirect the output to a file, or use the script command to save the entire CLI session.
  • Page 487 • <Name of the Group object> - Specifies that the rule is enforced on all Security Gateways that are members of this Group object (the object name must be as defined in SmartConsole).
  • Page 488 Specifies the IP Filter Arguments for the SAM rule (you must use at least one of these options): [-C] [-s <Source IP>] [-m <Source Mask>] [-d <Destination>] [-M <Destination Mask>] [-p <Port>] [-r <Protocol>]
  • Page 489 • -r <Protocol> - Specifies the protocol number (see IANA Protocol Numbers https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Quota Filter Arguments. Explanation of the syntax for Rate Limiting rules: Argument Description • flush true - Compiles and loads the quota rule into SecureXL immediately.
  • Page 490 The valid syntax is ASnnnn, where nnnn is a number unique to the specific organization. Notes: • Default is: source-negated false • source-negated true processes all source types except the specified type.
  • Page 491 The valid syntax is ASnnnn, where nnnn is a number unique to the specific organization. Notes: • Default is: destination-negated false • destination-negated true processes all destination types except the specified type.
  • Page 492 IP protocol number and range of TCP/UDP port numbers from 1 to 65535. Notes: • Default is: service-negated false • service-negated true processes all traffic except the traffic with the specified protocols and ports.
  • Page 493 IP address, and not cumulatively for this rule. • source-service - Counts connections, packets, and bytes for a specific source IP address and a specific IP protocol and destination port, and not cumulatively for this rule.
  • Page 494 This rule does not expire (the timeout parameter is not specified). To cancel it, you must delete it explicitly. • This rule applies to packets from the Autonomous System number 64500 (asn:AS64500). • This rule applies to packets from source IPv6 addresses FFFF:C0A8:1100/120 (cidr:[::FFFF:C0A8:1100]/120).
  • Page 495 This rule counts connections, packets, and bytes for traffic only from sources that match this rule, and not cumulatively for this rule. • This rule is not compiled and installed into SecureXL immediately, because it does not include the flush true parameter.
  • Page 496 Use the same set of parameters and values as described in 'fw sam_policy add' and 'fw6 sam_policy add' (on page 486). Terminate each line with a Return (ASCII 10 - Line Feed) character. • End the batch mode: Write EOF and press Enter.
  • Page 497 -a d -l r -t 3600 -c "Limit\ conn\ rate\ to\ 5\ conn/sec from\ these\ sources" quota service any source range:172.16.7.13-172.16.7.13 new-conn-rate 5 del <501f6ef0,00000000,cb38a8c0,0a0afffe> add -a b quota source range:172.16.8.17-172.16.9.121 service 6/80
  • Page 498 • -d - Enables the debug mode for the fw command. By default, writes to the screen. Note - If you use this parameter, redirect the output to a file, or use the script command to save the entire CLI session.
  • Page 499 2 seconds. It is good practice to specify a short timeout for flush-only rules. This prevents obsolete rules from accumulating in the database.
  • Page 500 [-d] sam_policy get [-l] [-u '<Rule UID>'] [-k '<Key>' -t <Type> [+{-v '<Value>'}] [-n]] Parameters Note - All these parameters are optional. Parameter Description • -d - Runs the command in debug mode. Use only to troubleshoot the command itself.
  • Page 501 Example 2 - Output in the list format [Expert@GW:0]# fw samp get -l <5ac3965f,00000000,3403a8c0,0000264a> target timeout 2147483647 action notify name Test\ Rule comment Notify\ about\ traffic\ from\ 1.1.1.1 originator John\ Doe src_ip_addr 1.1.1.1 req_type
  • Page 502 [Expert@MyGW:0]# [Expert@MyGW:0]# fw samp get -k 'concurrent-conns-ratio' -t in -v '655' operation=add uid=<5baa94e0,00000000,860318ac,00003016> target=all timeout=indefinite action=drop service=any source-negated=true source=cc:QQ concurrent-conns-ratio=655 track=source req_type=quota [Expert@MyGW:0]#
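    The key=value output of fw samp get (Page 502 above) is the natural input for a periodic review of what is actually enforced: rules without a timeout never expire (Page 494), flush-only rules with long timeouts accumulate (Page 499), and bypass rules exempt traffic. The parser and audit below are an added example written for this page, not Check Point code; it assumes one rule per line with spaces inside values escaped as "\ " (as in the fw samp add examples). The first sample line is the page's own output; the other three are constructed.

```python
"""Audit the rules that 'fw samp get' prints in its key=value format.

Added example for this page; it is not Check Point code. Field names follow
the fw samp get output shown above (operation, uid, target, timeout, action,
service, source, source-negated, track, req_type, ...). Assumed: one rule per
line, and spaces inside values escaped as '\\ ' the way the fw samp add
examples write them. The first sample line is the page's own; the others are
constructed.
"""
import re
from typing import Dict, List, Tuple

SAMPLE_OUTPUT = """\
operation=add uid=<5baa94e0,00000000,860318ac,00003016> target=all timeout=indefinite action=drop service=any source-negated=true source=cc:QQ concurrent-conns-ratio=655 track=source req_type=quota
operation=add uid=<501f6ef0,00000000,cb38a8c0,0a0afffe> target=all timeout=3600 action=drop comment=Limit\\ conn\\ rate\\ to\\ 5\\ conn/sec service=any source=range:172.16.7.13-172.16.7.13 new-conn-rate=5 req_type=quota
operation=add uid=<5ac3965f,00000000,3403a8c0,0000264a> target=all timeout=indefinite action=bypass service=6/80 source=range:172.16.8.17-172.16.9.121 req_type=quota
operation=add uid=<5ac3965f,00000000,3403a8c0,0000264b> target=all timeout=2147483647 action=notify name=Test\\ Rule src_ip_addr=1.1.1.1 req_type=sam
"""

# Split on spaces that are not preceded by a backslash (escaped spaces stay).
_TOKEN_SPLIT = re.compile(r"(?<!\\) ")


def parse_rule(line: str) -> Dict[str, str]:
    """Turn one 'key=value key=value ...' line into a dict, unescaping '\\ '."""
    rule: Dict[str, str] = {}
    for token in _TOKEN_SPLIT.split(line.strip()):
        if not token:
            continue
        key, sep, value = token.partition("=")
        if not sep:
            raise ValueError(f"token without '=': {token!r}")
        rule[key] = value.replace("\\ ", " ")
    return rule


def parse_output(text: str) -> List[Dict[str, str]]:
    return [parse_rule(line) for line in text.splitlines() if line.strip()]


def is_permanent(rule: Dict[str, str]) -> bool:
    """'indefinite', or a timeout of 2^31-1 seconds, never expires in practice."""
    t = rule.get("timeout", "indefinite")
    return t == "indefinite" or (t.isdigit() and int(t) >= 2 ** 31 - 1)


def audit(rules: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (uid, reason) pairs for rules an administrator should review."""
    findings = []
    for r in rules:
        uid = r.get("uid", "?")
        if r.get("action") == "bypass":
            findings.append((uid, "action=bypass: matching connections are exempted, confirm this is intended"))
        if is_permanent(r):
            findings.append((uid, "no timeout: the rule never expires and must be deleted explicitly"))
        if r.get("source-negated") == "true" or r.get("destination-negated") == "true":
            findings.append((uid, "negated match: applies to everything except the listed objects"))
    return findings


if __name__ == "__main__":
    for uid, reason in audit(parse_output(SAMPLE_OUTPUT)):
        print(f"{uid}  {reason}")
```

    On a gateway you would feed it the real output (fw samp get > /tmp/samp.txt) instead of SAMPLE_OUTPUT; the uid in each finding is what fw samp del takes.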
  • Page 503: Fw Showuptables

    [270000165] > <4 [270000166] > _____________________________ up_0_negate_compound 9116 <COLUMN_ID COMPOUND_CLOB_PTR > _____________________________ up_0_clob_id_to_rnum 9110 <COLUMN_ID ,CLOB_TYPE ,UUID RULES > <Service Application ,27 ,1017e024-0000-0000-0000-000000000000 [1 - 1] > <Service Application ,27 ,1017e025-0000-0000-0000-000000000000 [1 - 1] >
  • Page 504 [270000164] [270000165] [270000166] > <Application [270000164] [270000165] [270000166] > <General Application [270000164] [270000165] [270000166] > _____________________________ up_0_dst_ip_intvl 9102 <FROM_ADDRESS ,TO_ADDRESS RULES ,INDEX > <0.0.0.0 ,255.255.255.255 [1 - 2] [16777215 - 16777215] ,0 > _____________________________
  • Page 505 <Service ,4 ,97aeb416-9aea-11d5-bd16-0090272ccb30 [270000166] > ----- GENERAL TABLES ----- _____________________________ ip_range_to_dynobj2 9142 <FROM_ADDRESS ,TO_ADDRESS INDEX > _____________________________ dynobj_to_ip_ranges2 9145 <UUID RANGES > _____________________________ dynobj_to_ip_ranges1 9141 <UUID RANGES > _____________________________ unresolved_dynobjs2 9144 <UUID IS_IN_ACCESS_RULEBASE ,DYNOBJ_TYPE >
  • Page 506 _____________________________ sslIns_rb_dst_intvl_list <FROM_ADDRESS ,TO_ADDRESS RULES ,INDEX > _____________________________ ip_range_to_dynobj_kbufs1 9140 <INDEX CLOB_LIST > _____________________________ ip_range_to_dynobj_kbufs2 9143 <INDEX CLOB_LIST > _____________________________ sslIns_rb_src_intvl_list <FROM_ADDRESS ,TO_ADDRESS RULES ,INDEX > <0.0.0.0 ,255.255.255.255 [1 - 1] ,0 > [Expert@MyGW:0]#
  • Page 507: Fw Stat

    Specifies the name of the Security Gateway or Cluster Member object (as defined in SmartConsole) from which to show the information. Use this parameter only on the Management Server. This requires established SIC with that Check Point computer.
  • Page 508 DATE TOTAL REJECT DROP ACCEPT MyGW >eth0 MyGW_Policy 12Sep2018 16:34:56 : 120113 120113 MyGW <eth0 MyGW_Policy 12Sep2018 16:34:56 : 10807 10807 MyGW >eth2 MyGW_Policy 12Sep2018 16:34:56 : MyGW <eth2 MyGW_Policy 12Sep2018 16:34:56 : [Expert@MGMT:0]#
  • Page 509: Fw Tab

    Shows formatted kernel table data in the common format. This is the default. • -e <Entry> - Specifies the entry in the kernel table. Important - Each kernel table has its own internal format.
  • Page 510 (as defined in SmartConsole), from which to show the information. Use this parameter only on the Management Server. This requires established SIC with that Check Point computer. If you do not use this parameter, the default is localhost. Example 1 - Show the summary of all kernel tables...
  • Page 511 Source: 192.168.204.40; SPort: 22; Dest: 192.168.204.1; DPort: 53901; Protocol: tcp; CPTFMT_sep_1: ->; Direction_1: 0; Source_1: 192.168.204.1; SPort_1: 53901; Dest_1: 192.168.204.40; DPort_1: 22; Protocol_1: tcp; FW_symval: 2053; LastUpdateTime: 10Sep2018 20:30:48; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;
  • Page 512 000001df, 00000000, 5b9a3832, 00030000, 3503a8c0, c0000001, 00000001, 00000001, ffffffff, ffffffff, 00000800, 08000000, 00000080, 00000000, 00000000, 33410370, ffffc200, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000; 3600/3600> [fw_1] <00000000, c0a803f0, 0000bc74, c0a80334, 00004710, 00000006; 0001c001, 00044100, 12000000,
  • Page 513 00000000, 10000000, 04000084, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000; 39/40> [fw_2] <00000001, c0a80334, 00001fb4, 00000000, 00001fb4, 00000011> -> <00000000, 00000000, 00001fb4, c0a80334, 00001fb4, 00000011> (00000805) Table fetched in 3 chunks [Expert@MyGW:0]#
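    The raw connections-table dump on Pages 512 and 513 is what you get from fw tab without -f, and reading it by hand is slow: every field is a hex word. The decoder below is an added example for this page, not a Check Point tool. It takes the key layout visible above, <Direction, Source, SPort, Dest, DPort, Protocol> (the field names are the ones the -f output on Page 511 prints), turns it back into the -f style, and checks that a link entry (the "<...> -> <...>" form) really refers to the same connection with source and destination swapped, which is how the Page 513 entry reads. The sample lines are constructed in that layout; the "Direction" reading (0 on the entry itself, 1 on the link that points at it) is taken from the page's own example, not from Check Point documentation.

```python
"""Decode raw 'fw tab -t connections' entries into readable 5-tuples.

Added example for this page; not Check Point code. Input is the raw layout
shown above: a key '<dir, sip, sport, dip, dport, proto>' of 8-digit hex
words, followed either by '; <data words ...>; <timeout>/<limit>' for a real
entry or by '-> <key>' for a link entry. The meaning of 'dir' (0 = the entry
itself, 1 = a link with reversed addresses) is read off the page's example.
Sample lines below are constructed in that layout.
"""
import ipaddress
import re
from typing import Dict, List, Optional

SAMPLE = """\
<00000000, c0a803f0, 0000bc74, c0a80334, 00004710, 00000006; 0001c001, 00044100, 12000000, 00000000, 00000000; 3600/3600>
<00000001, c0a80334, 00001fb4, 00000000, 00001fb4, 00000011> -> <00000000, 00000000, 00001fb4, c0a80334, 00001fb4, 00000011> (00000805)
<00000001, c0a80334, 00004710, c0a803f0, 0000bc74, 00000006> -> <00000000, c0a803f0, 0000bc74, c0a80334, 00004710, 00000006> (00000805)
"""

PROTO = {1: "icmp", 6: "tcp", 17: "udp"}  # IANA protocol numbers used here
# A key starts with '<' and has exactly six 8-digit hex words.
KEY_RE = re.compile(r"<([0-9a-f]{8}(?:,\s*[0-9a-f]{8}){5})")
TIMEOUT_RE = re.compile(r";\s*(\d+)/(\d+)>\s*$")


def decode_key(key: str) -> Dict:
    """'<dir, sip, sport, dip, dport, proto>' -> readable fields."""
    words = [int(w, 16) for w in key.strip("<> ").split(",")]
    if len(words) != 6:
        raise ValueError(f"expected 6 hex words, got {len(words)}: {key!r}")
    d, sip, sport, dip, dport, proto = words
    return {
        "dir": d,
        "src": str(ipaddress.IPv4Address(sip)),
        "sport": sport,
        "dst": str(ipaddress.IPv4Address(dip)),
        "dport": dport,
        "proto": PROTO.get(proto, str(proto)),
    }


def parse_line(line: str) -> Optional[Dict]:
    keys = KEY_RE.findall(line)
    if not keys:
        return None
    entry = decode_key(keys[0])
    if "->" in line and len(keys) == 2:
        entry["link_to"] = decode_key(keys[1])  # link entry: points at the real one
    else:
        m = TIMEOUT_RE.search(line)
        if m:
            entry["timeout"], entry["timeout_limit"] = int(m.group(1)), int(m.group(2))
    return entry


def parse_table(text: str) -> List[Dict]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def link_is_consistent(e: Dict) -> bool:
    """A link entry must name the same connection with src/dst swapped."""
    t = e.get("link_to")
    return bool(t) and (
        (e["src"], e["sport"]) == (t["dst"], t["dport"])
        and (e["dst"], e["dport"]) == (t["src"], t["sport"])
        and e["proto"] == t["proto"]
    )


def format_entry(e: Dict) -> str:
    """Render like the '-f' output on this page: Source: ...; SPort: ...; ..."""
    s = (f"Source: {e['src']}; SPort: {e['sport']}; Dest: {e['dst']}; "
         f"DPort: {e['dport']}; Protocol: {e['proto']}")
    if "timeout" in e:
        s += f"; Timeout: {e['timeout']}/{e['timeout_limit']}"
    return s


if __name__ == "__main__":
    for e in parse_table(SAMPLE):
        print(format_entry(e), "(link ok)" if link_is_consistent(e) else "")
```

    Only IPv4 keys are handled; the IPv6 table has a different layout that the page does not show.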
  • Page 514: Fw Unloadlocal

    ..[Expert@MyGW:0]# [Expert@MyGW:0]# sysctl -a | grep forwarding | grep -v bridge net.ipv6.conf.bond0.forwarding = 1 net.ipv6.conf.eth1.forwarding = 1 net.ipv6.conf.eth3.forwarding = 1 net.ipv6.conf.eth2.forwarding = 1 net.ipv6.conf.eth4.forwarding = 1 net.ipv6.conf.eth5.forwarding = 1 net.ipv6.conf.eth0.forwarding = 1
  • Page 515 = 0 net.ipv4.conf.lo.forwarding = 0 net.ipv4.conf.default.mc_forwarding = 0 net.ipv4.conf.default.forwarding = 0 net.ipv4.conf.all.mc_forwarding = 0 net.ipv4.conf.all.forwarding = 0 [Expert@MyGW:0]# [Expert@MyGW:0]# fw fetch localhost Installing Security Policy My_Policy on all.all@MyGW Fetching Security Policy from localhost succeeded
  • Page 516 [Expert@MyGW:0]#
  • Page 517: Fw Up_Execute

    • UDP = 17 • ICMP = 1 See IANA - Protocol Numbers https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml. Important - This parameter is always mandatory. • src=<Source IP> - Source IP address. • dst=<Destination IP> - Destination IP address.
  • Page 518 Rulebase execution ended successfully. Overall status: ---------------- Active clob mask: 0 Required clob mask: 0 Match status: MATCH Match action: Accept Per Layer: ------------ Layer name: Network Layer id: 0 Match status: MATCH
  • Page 519 Match action: Accept Matched rule: 2 Possible rules: 2 16777215 [Expert@MyGW:0]#
  • Page 520: Fw Ver

    If you do not specify the full path explicitly, this command saves the output file in the current working directory. Example 1 [Expert@MyGW:0]# fw ver -k This is Check Point's software version R80.20 - Build 123 [Expert@MyGW:0]# Example 2 [Expert@MyGW:0]# fw ver -k This is Check Point's software version R80.20 - Build 123...
  • Page 521: Fwboot Bootconf

    fwboot bootconf Description Configures Check Point boot options. Important - Most of these commands are for Check Point use only. Syntax [Expert@HostName:0]# $FWDIR/boot/fwboot {bootconf <options> | corexl <options> | cpuid <options> | default <options> | fwboot_ipv6 <options> | fwdefault <options> | ha_conf <options> | ...}
  • Page 522 • multik_reg <options> (on page 539) - Shows the internal memory address of the registration function for the specified CoreXL FW instance. • post_drv <options> (on page 540) - Loads the Firewall driver for CoreXL during boot.
  • Page 523: Fwboot Bootconf

    • get_core_override - Shows the number of overriding CPU cores. The SMT (HyperThreading) feature (sk93000 http://supportcontent.checkpoint.com/solutions?id=sk93000) uses this configuration to set the number of CPU cores after reboot. Note - In the $FWDIR/boot/boot.conf file, refer to the value of CORE_OVERRIDE.
  • Page 524 • set_core_override <Number> - Configures the number of overriding CPU cores. The SMT (HyperThreading) feature (sk93000 http://supportcontent.checkpoint.com/solutions?id=sk93000) uses this configuration to set the number of CPU cores after reboot. Note - In the $FWDIR/boot/boot.conf file, refer to the value of CORE_OVERRIDE.
  • Page 525 To configure CoreXL, use the cpconfig menu. • set_kern6num <Number> - Configures the number of IPv6 CoreXL FW instances. Notes: • In the $FWDIR/boot/boot.conf file, refer to the value of KERN6_INSTANCE_NUM. • To configure CoreXL, use the cpconfig menu.
  • Page 526: Fwboot Corexl

    In addition, see the fwboot bootconf (on page 523) command. Important: • The configuration commands are for Check Point use only. To configure CoreXL, use the Check Point CoreXL option in the cpconfig (on page 331) menu. • After any change to the CoreXL configuration on the Security Gateway, you must reboot it.
  • Page 527 CPU cores. • default - Sets the default configuration for CoreXL. • def_instance4_count - Returns the default number of IPv4 CoreXL FW instances for this Security Gateway. Example: [Expert@MyGW:0]# $FWDIR/boot/fwboot corexl def_instance4_count [Expert@MyGW:0]# echo $? [Expert@MyGW:0]#
  • Page 528 1 - CoreXL is enabled. Example: [Expert@MyGW:0]# $FWDIR/boot/fwboot corexl installed [Expert@MyGW:0]# echo $? [Expert@MyGW:0]# • max_instance4_count - Returns the maximal allowed number of IPv4 CoreXL FW instances for this Security Gateway. Example: [Expert@MyGW:0]# $FWDIR/boot/fwboot corexl max_instance4_count [Expert@MyGW:0]# echo $? [Expert@MyGW:0]#
  • Page 529 [Expert@MyGW:0]# echo $? [Expert@MyGW:0]# • max_instances_64bit - Returns the total maximal allowed number of CoreXL FW instances for a Security Gateway that runs Gaia with a 64-bit kernel. Example: [Expert@MyGW:0]# $FWDIR/boot/fwboot corexl max_instances_64bit [Expert@MyGW:0]# echo $? [Expert@MyGW:0]#
  • Page 530 • vmalloc_recalculate - Updates the value of the vmalloc parameter in the /boot/grub/grub.conf file. • unsupported_features - Returns 1 if at least one feature is configured that CoreXL does not support. Example: [Expert@MyGW:0]# $FWDIR/boot/fwboot corexl unsupported_features corexl unsupported feature: QoS is configured. [Expert@MyGW:0]# echo $? [Expert@MyGW:0]#
  • Page 531: Fwboot Cpuid

    3 2 1 0 [Expert@MyGW:0]# • -n - Counts the number of available CPUs on this Security Gateway. The command stores the returned number as its exit code. Example: [Expert@MyGW:0]# $FWDIR/boot/fwboot cpuid -n [Expert@MyGW:0]# echo $? [Expert@MyGW:0]#
  • Page 532 Parameter Description • --possible - Counts the number of possible CPU cores. The command stores the returned number as its exit code. Example: [Expert@MyGW:0]# $FWDIR/boot/fwboot cpuid --possible [Expert@MyGW:0]# echo $? [Expert@MyGW:0]#
  • Page 533: Fwboot Default

    • <File> - Specifies the full path and name of the Default Filter policy file. The default is $FWDIR/boot/default.bin. Example [Expert@MyGW:0]# $FWDIR/boot/fwboot default $FWDIR/boot/default.bin FW-1: Default filter installed successfully [Expert@MyGW:0]# [Expert@MyGW:0]# fw stat HOST POLICY DATE localhost defaultfilter 13Sep2018 14:27:23 : [>eth0] [<eth0] [Expert@MyGW:0]
  • Page 534: Fwboot Fwboot_Ipv6

    fwboot fwboot_ipv6 Description Shows the internal memory address of the hook function for the specified CoreXL FW instance. This command is for Check Point use only. Syntax [Expert@HostName:0]# $FWDIR/boot/fwboot fwboot_ipv6 <Number of CoreXL FW instance> hook [-d]...
  • Page 535: Fwboot Fwdefault

    • <File> - Specifies the full path and name of the Default Filter policy file. The default is $FWDIR/boot/default.bin. Example [Expert@MyGW:0]# $FWDIR/boot/fwboot fwdefault $FWDIR/boot/default.bin FW-1: Default filter installed successfully [Expert@MyGW:0]# [Expert@MyGW:0]# fw stat HOST POLICY DATE localhost defaultfilter 13Sep2018 14:27:23 : [>eth0] [<eth0] [Expert@MyGW:0]
  • Page 536: Fwboot Ha_Conf

    fwboot ha_conf Description Configures the cluster mechanism during boot. This command is for Check Point use only. Important: • To install a cluster, see the R80.20 Installation and Upgrade Guide https://sc1.checkpoint.com/documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_Installation_and_Upgrade_Guide/html_frameset.htm. • R80.20 ClusterXL Administration Guide...
  • Page 537: Fwboot Ht

    fwboot ht Description Shows and configures the SMT (HyperThreading) feature (sk93000 http://supportcontent.checkpoint.com/solutions?id=sk93000) boot options. Important - The configuration commands are for Check Point use only. To configure the SMT (HyperThreading) feature, follow sk93000 http://supportcontent.checkpoint.com/solutions?id=sk93000. Syntax [Expert@HostName:0]# $FWDIR/boot/fwboot ht --core_override [<number>]...
  • Page 538 If you get 0 - The system does not support SMT. The possible causes are: • The system's CPU does not support SMT. • SMT is disabled in the system's BIOS. • SMT is disabled in software.
  • Page 539: Fwboot Multik_Reg

    Description Shows the internal memory address of the registration function for the specified CoreXL FW instance. This command is for Check Point use only. Syntax [Expert@HostName:0]# $FWDIR/boot/fwboot multik_reg <Number of CoreXL FW instance> {ipv4 | ipv6} [-d] Parameters...
  • Page 540: Fwboot Post_Drv

    Important - If you run this command, the Security Gateway can block all traffic. In that case, you must connect to the Security Gateway over a console and restart Check Point services with the cpstop and cpstart commands. Alternatively, you can reboot the Security Gateway.
  • Page 541: Sam_Alert

    Inhibits (drops or rejects) connections that match the specified criteria and closes all existing connections that match the specified criteria. • -src - Matches the source address of connections. • -dst - Matches the destination address of connections.
  • Page 542 • -o <Originator> - Specifies the originator for the SAM rule. Default is sam_alert. • -l {r | a} - Specifies the log type for connections that match the specified criteria: • r - Regular • a - Alert. Default is None.
  • Page 543 • -any - Matches either the source or destination address of connections. • -srv - Matches specific source, destination, protocol and port. Example: See sk110873: How to configure Security Gateway to detect and prevent port scan http://supportcontent.checkpoint.com/solutions?id=sk110873.
  • Page 544: Usrchk

    • Clear hits for a specified user: usrchk hits clear user <UserName> • Clear hits for a specified interaction object: usrchk hits clear uci <Name of UserCheck Interaction Object>
  • Page 545 Debug Topics and Severity: usrchk debug set <Topic Name> <Severity> The available Debug Topics are: • • Check Point Support provides more specific topics, based on the reported issue. The available Severities are: • • critical • events •...
  • Page 546 • You can only run a command that contains " " if: • Identity Awareness is enabled on the Security Gateway. • A User object is used in the same policy rules as UserCheck objects.
  • Page 547: Working With Kernel Parameters On Security Gateway

    CHAPTER 26 Working with Kernel Parameters on Security Gateway In This Section: Introduction to Kernel Parameters; FireWall Kernel Parameters; SecureXL Kernel Parameters
  • Page 548: Introduction To Kernel Parameters

    In a VSX Gateway, the configured values of kernel parameters apply to all existing Virtual Systems and Virtual Routers. The Security Gateway gets the names and the default values of the kernel parameters from these kernel module files: • $FWDIR/modules/fw_kern_64.o • $FWDIR/modules/fw_kern_64_v6.o • $PPKDIR/modules/sim_kern_64.o • $PPKDIR/modules/sim_kern_64_v6.o
  • Page 549: Firewall Kernel Parameters

    To change the internal default behavior of the Firewall or to configure special advanced settings for it, you can use Firewall kernel parameters. The names of the applicable Firewall kernel parameters and their values appear in various SK articles in Support Center http://supportcenter.checkpoint.com and are provided by Check Point Support. Important •...
  • Page 550 To set a value for a Firewall kernel parameter: Important - This change does not survive reboot. Step Description Connect to the command line on your Security Gateway. Log in to Gaia Clish or the Expert mode.
  • Page 551 To clear the current value from a Firewall kernel parameter: Important - This change does not survive reboot. Step Description Connect to the command line on your Security Gateway. Log in to Gaia Clish or the Expert mode.
  • Page 552 $FWDIR/modules/fwkern.conf • $FWDIR/modules/vpnkern.conf The exact instructions are provided in various SK articles in Support Center http://supportcenter.checkpoint.com and by Check Point Support. Step Description Connect to the command line on your Security Gateway. Log in to the Expert mode. See if the configuration file already exists: [Expert@MyGW:0]# ls -l $FWDIR/modules/fwkern.conf...
  • Page 553 For a string kernel parameter, run: fw ctl get str <Name of String Kernel Parameter> [-a] For more information, see sk26202: Changing the kernel global parameters for Check Point Security Gateway http://supportcontent.checkpoint.com/solutions?id=sk26202.
  • Page 554: Securexl Kernel Parameters

    To change the internal default behavior of SecureXL or to configure special advanced settings for it, you can use SecureXL kernel parameters. The names of the applicable SecureXL kernel parameters and their values appear in various SK articles in Support Center http://supportcenter.checkpoint.com and are provided by Check Point Support. Important •...
  • Page 555 Save the changes in the file and exit the Vi editor. Reboot the Security Gateway. Important - In a cluster, this can cause a failover. Connect to the command line on your Security Gateway. Log in to Gaia Clish or the Expert mode.
  • Page 556 For a string kernel parameter, run: fw ctl get str <Name of String Kernel Parameter> [-a] For more information, see sk26202: Changing the kernel global parameters for Check Point Security Gateway http://supportcontent.checkpoint.com/solutions?id=sk26202.
  • Page 557: Kernel Debug On Security Gateway

    Stop the kernel debug. In this step, you configure the Security Gateway to stop writing the debug messages into an output file. Restore the default kernel debug options. In this step, you restore the default kernel debug settings.
  • Page 558 <Number of Cyclic Files> [-s <Size of Each Cyclic File in KB>] • To start the collection of the kernel debug into an output file: fw ctl kdebug -T -f > /<Path>/<Name of Output File>
  • Page 559 • String length is up to 50 characters. • -m <Name of Debug Module> - Specifies the name of the kernel debug module for which you print or configure the debug flags.
  • Page 560 This is a parameter. • When you use this parameter, the Security Gateway cannot apply the specified INSPECT filter to accelerated traffic. • For the new debug filters, see Kernel Debug Filters (on page 563).
  • Page 561 • When you press CTRL+C. • When you run the fw ctl debug 0 command. • When you run the fw ctl debug -x command. • When you kill the fw ctl kdebug process.
  • Page 562 >, it deletes the oldest files. The valid values are: • <Number of Cyclic Files> - from 1 to 999 • <Size of Each Cyclic File in KB> - from 1 to 2097150
  • Page 563: Kernel Debug Filters

    > <1-65535> • Destination IP address - fw ctl set str simple_debug_filter_daddr_<N> "<IPv4 or IPv6 Address>" • Destination ports - fw ctl set int simple_debug_filter_dport_<N> <1-65535> • Protocol number - fw ctl set int simple_debug_filter_proto_<N> <0-254>
  • Page 564 For information about the Protocol Numbers, see IANA - Protocol Numbers https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml. To configure a debug filter of the type "By an IP address parameter": This debug filter lets you filter by one IP address.
  • Page 565 192.168.20.30 from any Source Port to Destination IP address 172.16.40.50 to Destination Port 80 (192.168.20.30:<Any> --> 172.16.40.50:80). Run these commands before you start the kernel debug: fw ctl set int simple_debug_filter_off 1 fw ctl set str simple_debug_filter_saddr_1 "192.168.20.30" fw ctl set str simple_debug_filter_daddr_2 "172.16.40.50"
  • Page 566 80 Important - In the above example, the indexes <N> of the kernel parameters simple_debug_filter_saddr_<N> and simple_debug_filter_daddr_<N> are different because we want the debug filter to match both directions of this connection.
  • Page 567: Kernel Debug Procedure

    On a Host Security Appliance with the installed Falcon Acceleration Cards: /var/log/kernel_debug_unified.txt Example - Connection 192.168.20.30:<Any> --> 172.16.40.50:80 [Expert@GW:0]# fw ctl debug 0 Defaulting all kernel debugging options Debug state was reset to default.
  • Page 568 Defaulting all kernel debugging options Debug state was reset to default. [Expert@GW:0]# [Expert@GW:0]# fw ctl set int simple_debug_filter_off 1 [Expert@GW:0]# [Expert@GW:0]# ls -l /var/log/kernel_debug.txt -rw-rw---- 1 admin root 1630619 Apr 12 19:49 /var/log/kernel_debug.txt [Expert@GW:0]#
  • Page 569: Kernel Debug Procedure With Connection Life Cycle

    Kernel Debug on Security Gateway Kernel Debug Procedure with Connection Life Cycle Introduction R80.20 introduces a new debug tool called Connection Life Cycle. This tool generates a formatted debug output file that presents the debug messages hierarchically by connections and packets: •...
  • Page 570 Example: -o /var/log/kernel_debug_formatted.txt <Debug Output File> Procedure Important - In a cluster, perform these steps on all the Cluster Members in the same way. Step Description Connect to the command line on the Security Gateway.
  • Page 571 Set operation succeeded Set operation succeeded Set operation succeeded Set operation succeeded Set operation succeeded Set operation succeeded Set operation succeeded Initialized kernel debugging buffer to size 8192K Set operation succeeded Capturing started... [Expert@GW:0]#
  • Page 572 [+]{---------------------------------------------------------- packet begins ------------------------------------------------------ Opened the second hierarchy level to see the packets of this connection: Connection with 1st packet already in handling so no conn details [-]{++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++ ;26Nov2018 13:02:06.736016;[cpu_2];[fw4_1];Packet 0xffff8101ea45e680 is INBOUND;
  • Page 573 ;26Nov2018 13:02:06.736104;[cpu_2];[fw4_1];#fwconnoxid_msg_get_cliconn: warning - failed to get connoxid message.; ;26Nov2018 13:02:06.736107;[cpu_2];[fw4_1];Packet 0xffff8101ea45e680 is entering CPAS_ENTER; ;26Nov2018 13:02:06.736110;[cpu_2];[fw4_1];Packet 0xffff8101ea45e680 is exiting CPAS_EXIT; ;26Nov2018 13:02:06.736113;[cpu_2];[fw4_1];Packet 0xffff8101ea45e680 is exiting CHAIN_MODULES_EXIT; ;26Nov2018 13:02:06.736116;[cpu_2];[fw4_1];Packet 0xffff8101ea45e680 is ACCEPTED; ;26Nov2018 13:02:06.770652;[cpu_2];[fw4_1];Packet 0xffff8101ea128580 is INBOUND;
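    Each message in the Connection Life Cycle output on Pages 572 and 573 has the shape ";<date time.usec>;[cpu_N];[fw4_N];<message>;", and the packet-level lines name a packet address and an event ("is INBOUND", "is entering CPAS_ENTER", "is ACCEPTED"). A large debug file is much easier to triage once those lines are grouped per packet with the final verdict and the time spent in the chain. The summariser below is an added example written for this page, not a Check Point tool; it only assumes that line layout. The first seven sample lines are the page's own; the last (a DROPPED packet) is constructed.

```python
"""Summarise a fw ctl kdebug output file per packet.

Added example for this page; not a Check Point tool. Assumed line layout, as
shown on the page: ';<DDMonYYYY HH:MM:SS.usec>;[cpu_N];[fw4_N];<message>;'.
Packet events are recognised from 'Packet 0x... is <event>'; the verdict
words are the ones visible in the output (ACCEPTED) plus DROPPED/REJECTED.
The first seven sample lines are from the page; the last one is constructed.
"""
import re
from collections import OrderedDict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

SAMPLE_DEBUG = """\
;26Nov2018 13:02:06.736016;[cpu_2];[fw4_1];Packet 0xffff8101ea45e680 is INBOUND;
;26Nov2018 13:02:06.736104;[cpu_2];[fw4_1];#fwconnoxid_msg_get_cliconn: warning - failed to get connoxid message.;
;26Nov2018 13:02:06.736107;[cpu_2];[fw4_1];Packet 0xffff8101ea45e680 is entering CPAS_ENTER;
;26Nov2018 13:02:06.736110;[cpu_2];[fw4_1];Packet 0xffff8101ea45e680 is exiting CPAS_EXIT;
;26Nov2018 13:02:06.736113;[cpu_2];[fw4_1];Packet 0xffff8101ea45e680 is exiting CHAIN_MODULES_EXIT;
;26Nov2018 13:02:06.736116;[cpu_2];[fw4_1];Packet 0xffff8101ea45e680 is ACCEPTED;
;26Nov2018 13:02:06.770652;[cpu_2];[fw4_1];Packet 0xffff8101ea128580 is INBOUND;
;26Nov2018 13:02:06.770701;[cpu_2];[fw4_1];Packet 0xffff8101ea128580 is DROPPED;
"""

LINE_RE = re.compile(r"^;([^;]+);\[([^\]]+)\];\[([^\]]+)\];(.*);\s*$")
PACKET_RE = re.compile(r"^Packet (0x[0-9a-f]+) is (.+)$")
VERDICTS = ("ACCEPTED", "DROPPED", "REJECTED")


def parse_line(line: str) -> Optional[Dict]:
    m = LINE_RE.match(line)
    if not m:
        return None  # hierarchy markers such as '[+]{---' are not messages
    ts = datetime.strptime(m.group(1), "%d%b%Y %H:%M:%S.%f")
    return {"ts": ts, "cpu": m.group(2), "instance": m.group(3), "msg": m.group(4)}


def summarize(text: str) -> Tuple["OrderedDict[str, Dict]", List[str]]:
    """Group packet events by packet address; also collect warning messages."""
    packets: "OrderedDict[str, Dict]" = OrderedDict()
    warnings: List[str] = []
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        if "warning" in msg.lower():
            warnings.append(msg)
        pm = PACKET_RE.match(msg)
        if not pm:
            continue
        addr, event = pm.groups()
        p = packets.setdefault(addr, {
            "first": rec["ts"], "last": rec["ts"], "instance": rec["instance"],
            "cpu": rec["cpu"], "events": [], "verdict": None,
        })
        p["last"] = rec["ts"]
        p["events"].append(event)
        if event in VERDICTS:
            p["verdict"] = event
    for p in packets.values():
        # integer microseconds, exact (no float rounding)
        p["elapsed_us"] = (p["last"] - p["first"]) // timedelta(microseconds=1)
    return packets, warnings


def not_accepted(packets: "OrderedDict[str, Dict]") -> List[str]:
    """Packet addresses whose last verdict is not ACCEPTED (or is missing)."""
    return [a for a, p in packets.items() if p["verdict"] != "ACCEPTED"]


if __name__ == "__main__":
    pk, warns = summarize(SAMPLE_DEBUG)
    for addr, p in pk.items():
        print(addr, p["instance"], p["verdict"], f"{p['elapsed_us']} us", " -> ".join(p["events"]))
    print(len(warns), "warning(s)")
```

    Run it over the file that fw ctl kdebug -T -f wrote (Page 558); the packets returned by not_accepted are the ones to look at first, and the warnings list surfaces messages such as the connoxid one above that would otherwise be buried between packet events.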
  • Page 574: Kernel Debug Modules And Debug Flags

    Module 'cluster' (ClusterXL) (on page 581) • Module 'cmi_loader' (Context Management Interface/Infrastructure Loader) (on page 583) • Module 'CPAS' (Check Point Active Streaming) (on page 584) • Module 'cpcode' (Data Loss Prevention - CPcode) (on page 585) • Module 'dlpda' (Data Loss Prevention - Download Agent, Content Awareness module) (on page 586) •...
  • Page 575: Module 'Upis' (Unified Policy Infrastructure)

    Module 'VPN' (Site-to-Site VPN and Remote Access VPN) (on page 620) • Module 'WS' (Web Intelligence) (on page 622) • Module 'WS_SIP' (Web Intelligence VoIP SIP Parser) (on page 624) • Module 'WSIS' (Web Intelligence Infrastructure) (on page 626)
  • Page 576: Module 'Accel_Apps' (Accelerated Applications)

    Syntax: fw ctl debug -m accel_apps + {all | <Flag>} Flag Description • av_lite - Messages from the lite Content Inspection (Anti-Virus) module • cmi_lite - Messages from the lite Context Management Interface/Infrastructure module • error - General errors • warning - General warnings
  • Page 577: Module 'Accel_Pm_Mgr' (Accelerated Pattern Match Manager)

    Flag         Description
    debug        Operations in the Accelerated Pattern Match Manager module
    error        General errors and failures
    flow         Internal flow of functions
    submit_erro  General failures to submit the data for analysis
    warning      General warnings and failures
  • Page 578: Module 'Appi' (Application Control Inspection)

    Flag         Description
    timestamp    Prints the timestamp for each debug message (changes when you enable the debug flag 'coverage')
    urlf_ssl     Application Control and URL Filtering for SSL
    verbose      Prints additional information (used with other debug flags)
                 Prints the VSID of the debugged Virtual System
    warning      General warnings
  • Page 579: Module 'Boa' (Boolean Analyzer For Web Intelligence)

    Flag         Description
    flow         Operations in the BOA module
    info         General information
    lock         Information about internal locks in the FireWall kernel
    memory       Memory allocation operations
    spider       Internal hash tables
    stat         Statistics
    stream       Memory allocation when processing streamed data
    warning      General warnings
  • Page 580: Module 'Ci' (Content Inspection)

    Flag         Description
                 Use only for very limited important debug prints, so it can be used in a loaded track environment - Content-Disposition, Content-Type, extension validation, extension matching
                 URL filters and URL cache
                 Prints the VSID of the debugged Virtual System
    warning      General warnings
  • Page 581: Module 'Cluster' (Clusterxl)

    Syntax: fw ctl debug -m cluster + {all | < >}

    Notes:
    • To print all synchronization operations in Check Point cluster in the debug output, enable these debug flags:
      • The 'sync' debug flag in the debug module 'fw' (on page 591)
      • ...
  • Page 582

    Flag         Description
                 ... ClusterXL state machine and other clustering configuration parameters)
    timer        Reports of cluster internal timers
    trap         Sending trap messages from the cluster kernel to the RouteD daemon about Master change
  • Page 583: Module 'Cmi_Loader' (Context Management Interface/Infrastructure Loader)

    Flag         Description
    timestamp    Prints the timestamp for each debug message (changes when you enable the debug flag 'coverage')
    verbose      Prints additional information (used with other debug flags)
                 Prints the VSID of the debugged Virtual System
    warning      General warnings
  • Page 584: Module 'Cpas' (Check Point Active Streaming)

    Also see the debug flag 'sync' in the debug module 'fw' (on page 591)

    Flag         Description
                 TCP processing messages
    tcpinfo      TCP processing messages - more detailed description
    timer        Reports of internal timer ticks. Warning - Prints many messages, without real content
    warning      General warnings
  • Page 585: Module 'Cpcode' (Data Loss Prevention - Cpcode)

    • Module 'dlpk' (on page 587)
    • Module 'dlpuk' (on page 588)

    Flag         Description
    cplog        Resolving of names and IP addresses for Check Point logs
                 Creation of CSV files
    echo         Prints the function that called the CPcode module
                 General errors ...
  • Page 586: Module 'Dlpda' (Data Loss Prevention - Download Agent For Content Awareness)

    Flag         Description
    timestamp    Prints the timestamp for each debug message (changes when you enable the debug flag 'coverage')
    verbose      Prints additional information (used with other debug flags)
                 Prints the VSID of the debugged Virtual System
    warning      General warnings
  • Page 587: Module 'Dlpk' (Data Loss Prevention - Kernel Space)

    • Module 'dlpda' (on page 586)
    • Module 'dlpuk' (on page 588)

    Flag         Description
                 HTTP Proxy, connection redirection, identity information, Async DLP inspection
    error        General errors
                 User identity, connection identity, Async identity
    rulebase     DLP rulebase match
    stat         Counter statistics
  • Page 588: Module 'Dlpuk' (Data Loss Prevention - User Space)

    Flag         Description
    timestamp    Prints the timestamp for each debug message (changes when you enable the debug flag 'coverage')
    verbose      Prints additional information (used with other debug flags)
                 Prints the VSID of the debugged Virtual System
    warning      General warnings
  • Page 589: Module 'Fg' (Floodgate-1 - Qos)

    Flag         Description
    time         Currently is not used
    timers       Reports of internal timer ticks. Warning - Prints many messages, without real content
                 URL and URI for QoS classification
    verbose      Prints additional information (used with other debug flags)
  • Page 590: Module 'Fileapp' (File Application)

    Flag         Description
    timestamp    Prints the timestamp for each debug message (changes when you enable the debug flag 'coverage')
    upload       File upload operations
    verbose      Prints additional information (used with other debug flags)
                 Prints the VSID of the debugged Virtual System
    warning      General warnings
  • Page 591: Module 'Fw' (Firewall)

    Flag         Description
    dfilter      Operations in the debug filters (on page 563)
                 Processing of Data Loss Prevention connections
    dnstun       DNS tunnels
    domain       DNS queries
                 DDoS attack mitigation (part of IPS)
    driver       Check Point kernel attachment (access to kernel is shown as log entries)
  • Page 592

    Flag         Description
    event        Event App features (DNS, HTTP, SMTP, FTP)
                 Expiration issues (time-outs) in dynamic kernel tables
    filter       Packet filtering performed by the Check Point kernel and all data loaded into kernel
                 Processing of FTP Data connections (used to call applications over FTP Data - i.e., Anti-Virus)
  • Page 593

    Flag         Description
    prof         Connection profiler for Firewall Priority Queues (see sk105762 http://supportcontent.checkpoint.com/solutions?id=sk105762)
                 Driver queue (for example, cluster synchronization operations). This debug flag is crucial for the debug of Check Point cluster synchronization issues
                 QoS (FloodGate-1)
                 Resource Advisor policy (for Application Control, URL Filtering, and others)
  • Page 594

    Flag         Description
                 Prints the name of an interface for incoming connection from Threat Emulation Machine
    tlsparser    Currently is not used
                 Processing of Universal Alcatel "UA" connections
                 Processing of UserCheck connections in Check Point cluster
    user         User Space communication with Kernel Space (most useful for configuration and VSX debug)
                 Currently is not used ...
  • Page 595: Module 'Gtp' (Gprs Tunneling Protocol)

    Flag         Description
    parse        GTPv0 / GTPv1 parsing
    parse2       GTPv2 parsing
    policy       Policy installation
    state        GTPv0 / GTPv1 dispatching
    state2       GTPv2 dispatching
                 Processing of GTP connections in SecureXL
    tpdu         GTP T-PDU
    update       GTPv0 / GTPv1 update PDP context
  • Page 596: Module 'H323' (Voip H.323)

    Flag         Description
    h225         H225 call signaling messages (SETUP, CONNECT, RELEASE COMPLETE, and so on)
    h245         H245 control signaling messages (OPEN LOGICAL CHANNEL, END SESSION COMMAND, and so on)
    init         Internal errors
                 H225 RAS messages (REGISTRATION, ADMISSION, and STATUS REQUEST / RESPONSE)
  • Page 597: Module 'Icap_Client' (Internet Content Adaptation Protocol Client)

    Flag         Description
    timestamp    Prints the timestamp for each debug message (changes when you enable the debug flag 'coverage')
    trick        Data Trickling mode
    verbose      Prints additional information (used with other debug flags)
                 Prints the VSID of the debugged Virtual System
    warning      General warnings
  • Page 598: Module 'Idapi' (Identity Awareness Api)

    Flag         Description
    timestamp    Prints the timestamp for each debug message (changes when you enable the debug flag 'coverage')
    verbose      Prints additional information (used with other debug flags)
                 Prints the VSID of the debugged Virtual System
    warning      General warnings
  • Page 599: Module 'Kiss' (Kernel Infrastructure)

    Flag         Description
    mtctx        Multi-threaded context - memory allocation, reference count
    packet       Internal parsing operations on packets
    pcre         Perl Compatible Regular Expressions (execution, memory allocation)
                 Pattern Matcher compilation and execution
    pmdump       Pattern Matcher DFA (dumping XMLs of DFAs)
  • Page 600

    Flag         Description
    thread       Kernel thread that supplies low level APIs to the kernel thread
    timers       Internal timers
    usrmem       User Space platform memory usage
    vbuf         Virtual buffer
    warning      General warnings
    worker       Kernel Worker - queuing and dequeuing
  • Page 601: Module 'Kissflow' (Kernel Infrastructure Flow)

    Also see the Module 'kiss' (on page 599).

    Flag         Description
    compile      Pattern Matcher (pattern compilation)
                 Pattern Matcher (Deterministic Finite Automaton) compilation and execution
    error        General errors
    memory       Memory allocation operations
                 Pattern Matcher - general information
    warning      General warnings
  • Page 602: Module 'Malware' (Threat Prevention)

    Flag         Description
    timestamp    Prints the timestamp for each debug message (changes when you enable the debug flag 'coverage')
    verbose      Prints additional information (used with other debug flags)
                 Prints the VSID of the debugged Virtual System
    warning      General warnings
  • Page 603: Module 'Multik' (Multi-Kernel Inspection - Corexl)

    Flag         Description
    quota        Cross-instance quota table (used by the Network Quota feature)
    route        Routing of packets
    state        Starting and stopping of CoreXL FW instances, establishment of relationship between CoreXL FW instances
    temp_conns   Temporary connections
                 Cross-instance Unique IDs
    vpn_multik   MultiCore VPN (see sk118097 http://supportcontent.checkpoint.com/solutions?id=sk118097)
  • Page 604: Module 'Mux' (Multiplexer For Applications Traffic)

    Kernel Debug on Security Gateway

    R80.20 introduces a new layer between the Streaming layer and the Applications layer - MUX (Multiplexer). Applications are registered to the Streaming layer through the MUX layer. The MUX layer chooses to work over PSL (passive streaming) or CPAS (active streaming).
  • Page 605: Module 'Nrb' (Next Rule Base)

    Flag         Description
    timestamp    Prints the timestamp for each debug message (changes when you enable the debug flag 'coverage')
    verbose      Prints additional information (used with other debug flags)
                 Prints the VSID of the debugged Virtual System
    warning      General warnings
  • Page 606: Module 'Psl' (Passive Streaming Library)

    Syntax: fw ctl debug -m PSL + {all | < >}

    Also see the Module 'MUX' (on page 604).

    Flag         Description
    error        General errors
                 Processing of packets
    tcpstr       Processing of TCP streams
                 Processing of TCP sequence numbers
    warning      General warnings
  • Page 607: Module 'Rad_Kernel' (Resource Advisor - Kernel Space)

    Flag         Description
    timestamp    Prints the timestamp for each debug message (changes when you enable the debug flag 'coverage')
    verbose      Prints additional information (used with other debug flags)
                 Prints the VSID of the debugged Virtual System
    warning      General warnings
  • Page 608: Module 'Rtm' (Real Time Monitoring)

    Flag         Description
    con_conn     Prints messages for each connection (when a new connection is handled by the RTM module). The same debug flags as 'per_conn'
    driver       Check Point kernel attachment (access to kernel is shown as log entries)
                 General errors
                 Importing of the data from other kernel modules (FireWall, QoS)
  • Page 610: Module 'Seqvalid' (Tcp Sequence Validator And Translator)

    List of Debug Flags

    Syntax: fw ctl debug -m seqvalid + {all | < >}

    Flag         Description
    error        General errors
    seqval       TCP sequence validation and translation
    sock         Currently is not used
    warning      General warnings
  • Page 611: Module 'Sft' (Stream File Type)

    List of Debug Flags

    Syntax: fw ctl debug -m SFT + {all | < >}

    Flag         Description
    error        General errors
    fatal        Fatal errors
    info         General information
                 Rule match, database, connection processing, classification
    warning      General warnings
  • Page 612: Module 'Sgen' (Struct Generator)

    Flag         Description
    engine       Struct Generator engine operations on objects
    error        General errors
    fatal        Fatal errors
    field        Operations on fields
    general      General types macros
    info         General information
    load         Loading of macros
    serialize    Serialization while loading the macros
    warning      General warnings
  • Page 613: Module 'Synatk' (Accelerated Syn Defender)

    Syntax: fw ctl debug -m synatk + {all | < >}

    Flag         Description
    cookie       TCP SYN Cookie
    error        General errors
    radix_dump   Dump of the radix tree
    radix_match  Matched items in the radix tree
    radix_modif  Operations in the radix tree
    warning      General warnings
  • Page 614: Module 'Uc' (Usercheck)

    Flag         Description
    timestamp    Prints the timestamp for each debug message (changes when you enable the debug flag 'coverage')
    verbose      Prints additional information (used with other debug flags)
                 Prints the VSID of the debugged Virtual System
    warning      General warnings
    webapi       URL patterns, UserCheck incidents, connection redirection
  • Page 615: Module 'Up' (Unified Policy)

    Flag         Description
    subject      Prints the debug subject of each debug message
    timestamp    Prints the timestamp for each debug message (changes when you enable the debug flag 'coverage')
    urlf_ssl     Currently is not used
    verbose      Prints additional information (used with other debug flags)
                 VPN classifier
  • Page 616

    Flag         Description
                 Prints the VSID of the debugged Virtual System
    warning      General warnings
  • Page 617: Module 'Upconv' (Unified Policy Conversion)

    Flag         Description
                 Prints how much memory is used for character sets
    tree         Lookup of characters
    utf7         Conversion of UTF-7 characters to Unicode characters
    utf8         Conversion of UTF-8 characters to Unicode characters
    warning      General warnings
  • Page 618: Module 'Upis' (Unified Policy Infrastructure)

    Flag         Description
    upapp        Information about policy installation for Unified Policy application
    update       Information about policy installation for CMI Update application
    verbose      Prints additional information (used with other debug flags)
                 VPN classifier
                 Prints the VSID of the debugged Virtual System
  • Page 619

    Flag         Description
    warning      General warnings
  • Page 620: Module 'Vpn' (Site-To-Site Vpn And Remote Access Vpn)

    Flag         Description
    counters     Various status counters (typically for real-time Monitoring)
    cphwd        Traffic acceleration issues (in hardware)
    driver       Check Point kernel attachment (access to kernel is shown as log entries)
                 Errors that should not happen, or errors that are critical to the working of the VPN module ...
  • Page 621

    Flag         Description
                 Does not apply anymore. Only on Security Gateway that runs on Windows OS: Information related to IPSec NIC interaction
    warn         General warnings
                 Does not apply anymore. Interaction with Accelerator Cards (AC II / III / IV)
  • Page 622: Module 'Ws' (Web Intelligence)

    Flag         Description
    global       Handling of global structure (usually, related to policy)
    info         General information
    ioctl        IOCTL control messages (communication between the kernel and daemons, loading and unloading of the FireWall)
    mem_pool     Memory pool allocation operations
    memory       Memory allocation operations
  • Page 623

    Flag         Description
    subject      Prints the debug subject of each debug message
    timestamp    Prints the timestamp for each debug message (changes when you enable the debug flag 'coverage')
    uuid         Session UUID
                 Prints the VSID of the debugged Virtual System
    warning      General warnings
  • Page 624

    Flag         Description
    error        General errors
    session      Session layer
    spii         Stateful Protocol Inspection Infrastructure (INSPECT streaming)
    ssl_insp     HTTPS Inspection
    sslt         SSL Tunneling (SSLT)
    stat         Memory usage statistics
    stream       Stream virtualization
    subject      Prints the debug subject of each debug message
  • Page 625

    Flag         Description
    timestamp    Prints the timestamp for each debug message (changes when you enable the debug flag 'coverage')
    uuid         Session UUID
                 Prints the VSID of the debugged Virtual System
    warning      General warnings
  • Page 626

    Flag         Description
    timestamp    Prints the timestamp for each debug message (changes when you enable the debug flag 'coverage')
    verbose      Prints additional information (used with other debug flags)
                 Prints the VSID of the debugged Virtual System
    warning      General warnings