
SecurePlatform Security Gateway freezes, crashes, or reboots randomly, core dump files are not created (sk31511)

Critical error messages and logs (sk33219)

Analyzing cpinfo by infoView (sk52780)

Change HA mgmt status from CLI (sk34495)

Kernel debug parameters (sk33285)

Cool checkpoint commands
- get a kernel parameter: fw ctl get int fwlddist_buf_size

Connectra web portal files
Login: /opt/CPcvpn-R75/phpincs/LoginPage.php
/opt/CPcvpn-R75/htdocs/Login/Login.css
Change SSLVPN portal port: /opt/CPcvpn-R75/var/wiProfile: :tcpt_outgoing_port (443)

How to Debug Secure Client issues (sk44330)

What is WatchDog? (skI1914)

What are the VPN daemon (vpnd) command options (sk602)

How to troubleshoot failovers in ClusterXL (sk56202)

Statistics
Explanations of the individual indicators

#cpstat - CP stats
[Expert@cpmodule]# cpstat -f all fw

Interface table
--------------------------------
|Name|Dir|Accept|Drop|Reject|Log|
--------------------------------
|eth0|in |   650|   0|     0|  3|
|eth0|out|   680|   0|     0|  1|
|eth1|in |     0| 173|     0|  5|
|eth1|out|     0|   0|     0|  0|
--------------------------------
|    |   |  1330| 173|     0|  9|


ISP link table
-----------------
|Name|Status|Role|
-----------------

hmem - block size:               4096
hmem - requested bytes:          20971520
hmem - initial allocated bytes:  20971520
hmem - initial allocated blocks: 0
hmem - initial allocated pools:  0
hmem - current allocated bytes:  20971520
hmem - current allocated blocks: 5115
hmem - current allocated pools:  5
hmem - maximum bytes:            31457280
hmem - maximum pools:            512
hmem - bytes used:               1709976
hmem - blocks used:              525

#fw ctl pstat - FireWall-1 stats: memory, INSPECT, connections, packets
[Expert@cpmodule]# fw ctl pstat

Hash kernel memory (hmem) statistics:
  Total memory allocated: 6291456 bytes in 1535 4KB blocks using 1 pool
  Total memory bytes used: 111416 unused: 6180040 (98.23%) peak: 253680
  Total memory blocks used: 59 unused: 1476 (96%) peak: 93
  Allocations: 2807675 alloc, 0 failed alloc, 2805577 free

System kernel memory (smem) statistics:
  Total memory bytes used: 8616108 peak: 9191484
  Blocking memory bytes used: 196576 peak: 213172
  Non-Blocking memory bytes used: 8419532 peak: 8978312
  Allocations: 522409 alloc, 0 failed alloc, 522230 free, 0 failed free

Kernel memory (kmem) statistics:
  Total memory bytes used: 2429332 peak: 3027596
  Allocations: 2982493 alloc, 0 failed alloc, 2980218 free, 0 failed free

Kernel stacks:
  0 bytes total, 0 bytes stack size, 0 stacks, 0 peak used, 0 max stack bytes used, 0 min stack bytes used, 0 failed stack calls

INSPECT:
  23154360 packets, 620258087 operations, 7042944 lookups, 0 record, 197214487 extract

Cookies:
  55641139 total, 0 alloc, 0 free, 22315091 dup, 315688042 get, 24785793 put, 11513069 len, 10602 cached len, 0 chain alloc, 0 chain free

Connections:
  148473 total, 107539 TCP, 27134 UDP, 13800 ICMP, 0 other, 63 anticipated, 62 recovered, 8 concurrent, 273 peak concurrent, 55977060 lookups

Fragments:
  21218 fragments, 10602 packets, 14 expired, 0 short, 0 large, 0 duplicates, 0 failures

NAT:
  4884574/0 forw, 6963979/0 bckw, 11799051 tcpudp, 49502 icmp, 146537-146557 alloc

#fwaccel - SecureXL statistics

Network card configuration


Log files

cpca.elg - Check Point Certificate Authority logs
dtlsd.elg - Policy Server Logging daemon logs
dtpsd.elg - Policy Server logs
fwd.elg - FireWall-1 daemon logs
fwm.elg - FireWall-1 Management logs
mdq.elg - SMTP Security Server dequeue logs
vpnd.elg - VPN daemon logs


Practical troubleshooting steps for logging issues (sk38848)

SecureClient desktop rules

Hotfix install
Unpack the package
Run ./Unixinstall

Troubleshooting Office Mode (sk30550)

Performance analysis for Security Gateway R65 / R70 / R71 (sk33781)

How to verify that the hotfix is installed correctly? (sk33613)

FAQ contract file (sk33089)

Management High Availability Synchronization Status (sk26142)

Remote Access Licensing - Clarifications (sk43329)

Performance analysis in VPN-1 Power/UTM NGX R65 and Security Gateway R70 (sk33781)

General troubleshooting advisor for Content Inspection Database Update (sk34385)

Troubleshooting URL Filtering Updates (sk35196)

Changing smartcenter name (sk42071)

Setting up ICA management tool (sk30501)

Server load balancing -> Connect control -> FW_admin guide

Manual NAT
Create $FWDIR/conf/local.arp + Global Properties: merge manual ARP entries (sk30197)

ICA
It is based on the hostname. Changing the IP has no effect; you need to change the hostname resolution in /etc/hosts + the IP in the dashboard.


[Oversimplified Executive Summary]
-A upgrade_export contains just Check Point configuration
-A backup is an upgrade_export plus SPLAT OS configuration
-A snapshot is a backup plus binary files, both Check Point and SPLAT OS
-As a general rule of thumb, if you're restoring on the same hardware a snapshot would be the easiest to use since it contains the most info and an upgrade_export would be the worst, since you'd have to manually restore the most stuff.

[upgrade_export]
-It doesn't back up any OS (i.e. SPLAT) settings, it only backs up Check Point settings
-It will let you export on one OS and then import on a different OS (i.e. go from Windows to SPLAT)
-You can upgrade_import on different hardware (i.e. go from IBM to HP)
-You can restore an export from an older version to a newer version of Check Point. A SPLAT backup/restore requires that you have the exact same versions. Note that when upgrading from an older to newer version, you must use the newer version's upgrade_export utility to create the export file.
-It restores the product list as well. The SPLAT restore command won't restore the Check Point settings if you don't have the exact same products (and product versions) installed.

[backup]
-A SPLAT backup will back up both the SPLAT OS settings as well as the Check Point settings
-Basically it's an upgrade_export with OS settings added in
-Restoring a backup file requires the exact same software installation. I.e. you can't restore a backup from R55 on to R60 (the HFA level must match as well). The installed product list must match as well. Note that you can still restore the OS settings even if your installed Check Point product list doesn't match.
-The SPLAT OS settings are hardware specific. If you restore the system settings you must restore on the same hardware. However, if you only restore the Check Point settings you can restore on different hardware. Restoring just the Check Point settings is essentially the same thing as doing an "upgrade_import" of an exported file.


[snapshot]
-A snapshot is even better than a backup since it contains binary files. I.e. you can revert from R60 to R55 with a snapshot. The downside to this is that a snapshot file is much larger than an upgrade_export or backup file.
-A snapshot can also roll you forward for minor software changes. For example if I revert from R60 HFA05 to HFA01 I can later revert back to R60 HFA05 from R60 HFA01
-A snapshot cannot revert to a newer major release of Check Point. I.e. you can't revert from R55 to R60.
-If you're reinstalling SPLAT on the same hardware you don't have to install any HFA's or change any configuration. Simply reverting to your saved snapshot file will restore all configurations and HFAs. The only stipulation is that the major software version must match. I.e. a R60 snapshot file will only work on a R60 install (regardless of HFA level).
-You can only revert on the same hardware, since the snapshot file contains hardware specific SPLAT settings.

[An exception to the rules]
-If you're feeling lucky I've noticed that you can actually restore a backup file or snapshot file on different hardware as long as you:
  -Delete "/etc/sysconfig/hwconf" (this is automatically re-created during the reboot)
  -In the case of a snapshot file also delete "/etc/modules.conf"
    -Backups don't contain this file
    -modules.conf controls which drivers are loaded
    -This is automatically re-created during the reboot
  -Remove the "hwaddr" lines from /etc/sysconfig/netconf.C
  -Reboot
-You must remove the hwaddr lines since the firewall will use the MAC addresses stored in the snapshot/backup file, not your network card's physical MAC addresses. You can verify which MAC addresses you're using with these commands:
  ifconfig |grep HWaddr
    -This shows which MACs you're currently using
  grep hwaddr /etc/sysconfig/hwconf
    -This should contain your NICs' physical MAC addresses. If in doubt, delete this file, reboot and this file will be automatically created on startup.
  grep hwaddr /etc/sysconfig/netconf.C
    -This shows which MACs your server is configured to use. If there are no "hwaddr" lines, then your NIC's physical MACs will be used. If there are no "hwaddr" lines you can create them by running "cpnetconf store".
-To remove the hwaddr lines in "/etc/sysconfig/netconf.C" run these commands:
  cd /etc/sysconfig
  cpstop
  mv netconf.C netconf.C.old
  grep -v hwaddr netconf.C.old >netconf.C
  rm /etc/sysconfig/hwconf
  reboot
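
An added example, not part of the original notes: a read-only check to run before the hwaddr removal above, listing the MACs pinned in netconf.C that no NIC in hwconf owns, then applying the same grep -v filter to a copy. The file contents are constructed samples (the real file layouts are assumed, not taken from the notes), and the helper names macs_in, stale_macs, strip_hwaddr and make_samples are hypothetical.

```shell
# Added example: file contents are constructed; only file names and "hwaddr" come from the notes.

# MACs found on hwaddr lines of file $1: lower-cased, sorted, unique.
macs_in() {
    grep -i 'hwaddr' "$1" 2>/dev/null |
        grep -oiE '([0-9a-f]{2}:){5}[0-9a-f]{2}' |
        tr 'A-F' 'a-f' | sort -u
}

# MACs pinned in $1 (netconf.C) that no NIC listed in $2 (hwconf) owns.
stale_macs() {
    cfg=$(mktemp) && hw=$(mktemp) || return 2
    macs_in "$1" > "$cfg"
    macs_in "$2" > "$hw"
    comm -23 "$cfg" "$hw"
    rm -f "$cfg" "$hw"
}

# Same filter as the notes (grep -v hwaddr), input left untouched; grep's exit 1 (no lines) is not an error.
strip_hwaddr() {
    grep -v 'hwaddr' "$1" > "$2" || [ $? -eq 1 ]
}

# Write constructed sample files into directory $1.
make_samples() {
    cat > "$1/netconf.C" <<'EOF'
: (eth0
    :hwaddr ("00:0C:29:AA:BB:01")
    :ipaddr ("192.0.2.1")
)
: (eth1
    :hwaddr ("00:0C:29:AA:BB:02")
    :ipaddr ("198.51.100.1")
)
EOF
    cat > "$1/hwconf" <<'EOF'
device: eth0
network.hwaddr: 00:50:56:11:22:01
device: eth1
network.hwaddr: 00:50:56:11:22:02
EOF
}

d=$(mktemp -d)
make_samples "$d"
echo "stale MACs before:"; stale_macs "$d/netconf.C" "$d/hwconf"
strip_hwaddr "$d/netconf.C" "$d/netconf.C.new"
echo "stale MACs after: $(stale_macs "$d/netconf.C.new" "$d/hwconf" | wc -l)"
rm -rf "$d"
```

An empty stale_macs result on the real files means the restored configuration already matches the installed NICs and the hwaddr lines need no removal.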

To Debug HTTP Security Server
PID: $FWDIR/tmp

To debug HTTP Security Server run the following commands:

To start writing debug information:

fw debug in.ahttpd on FWAHTTPD_LEVEL=3

To stop writing debug information:

fw debug in.ahttpd off FWAHTTPD_LEVEL=3

Output: $FWDIR/log/ahttpd.elg

Global policy - firewall - security server - HTTP server: if I authenticate via User Authentication, I can choose the destinations I can reach

Https proxy


When trying to configure URI Resource with UFP for HTTPS traffic, the configuration fails. SmartView tracker shows the error message, "Invalid characters in request".

Solution
This procedure configures the HTTP Security Server to work with HTTPS:
1) Define a Security Server for https reject rule: Set resource to "Enforce URI capabilities". Select all in connection methods (including Tunneling). Set the URI type to UFP. Set the Match Action to "Blocked". NOTE: When the warning pops up, click "OK".
2) Define an accept rule for https.
3) In Global properties > SmartDashboard Customization > Advanced Configuration > Configure > FireWall-1 > Web Security > HTTP Protocol: Check http_connection_method_proxy and http_connection_method_tunneling.
4) In each client browser, define the FW-1 as a proxy. For Internet Explorer, open a browser. Select Tools->Internet Options->Connections->LAN settings->Proxy server Advanced. In Security, define the FW-1 address and port (443).
5) Install the Policy.