Tuesday, February 27, 2024

Troubleshooting Traffic across Firewalls

 

First Shell (capture on the external interface; -s0 keeps full packets, -nn disables name and port resolution):
tcpdump -penni <external_interface> host <IP> and host <IP> -s0 -w /var/log/TCPExternal.pcap

Second Shell (the same capture on the internal interface, so the two pcaps can be compared):
tcpdump -penni <internal_interface> host <IP> and host <IP> -s0 -w /var/log/TCPInternal.pcap

Third Shell (fw monitor inside the firewall kernel; each -F filter is src,sport,dst,dport,proto with 0 as a wildcard, so the first one matches <DST IP> as destination and the second matches it as source, giving both directions):
fw monitor -F "0,0,<DST IP>,0,0" -F "<DST IP>,0,0,0,0" -o /var/log/<GW_name>_fw_monitor_bidirectional_traffic.pcap

Fourth Shell (kernel drop log, which names the rule or inspection function that dropped a packet; this is a debug, so run it only for the duration of the test and stop it with Ctrl-C):
fw ctl zdebug + drop > traffic_drops.txt

Reproduce the problem while all four are running. A packet that shows up in one tcpdump capture but not the other was dropped or not forwarded by the gateway, and traffic_drops.txt tells you why.
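Once traffic_drops.txt has been collected, the useful question is which rule or inspection function dropped what. The script below is an added example (not part of the original post) that parses the drop records, counts them by reason and filters them by host. It assumes the common line format of fw ctl zdebug + drop records (";[cpu];[fw4_n];fw_log_drop_ex: Packet proto=N src:port -> dst:port dropped by <function> Reason: <text>;") and runs on a constructed sample when no file is given.

```python
import re
import sys
from collections import Counter

# Constructed sample in the assumed "fw ctl zdebug + drop" line format. The
# addresses, rule numbers and reasons are made up for this example and are
# not from a real gateway.
SAMPLE_DROPS = """\
;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=6 192.0.2.10:51234 -> 198.51.100.20:443 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 12;
;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=6 192.0.2.10:51235 -> 198.51.100.20:443 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 12;
;[cpu_0];[fw4_1];fw_log_drop_ex: Packet proto=17 192.0.2.55:5060 -> 198.51.100.9:5060 dropped by fw_antispoof_log Reason: Address spoofing;
;[cpu_2];[fw4_0];fw_log_drop_ex: Packet proto=6 203.0.113.7:40000 -> 198.51.100.20:22 dropped by fw_handle_first_packet Reason: Rulebase drop - on layer "Network" rule 3;
;[cpu_0];[fw4_0];fw_log_drop: Packet proto=6 192.0.2.10:51236 -> 198.51.100.20:443 dropped by fw_handle_old_conn_recovery Reason: TCP packet out of state;
;[cpu_3];[fw4_2];fw_conn_chk: some unrelated debug output that is not a drop record;
"""

# One drop record; "fw_log_drop" and "fw_log_drop_ex" both appear in practice.
DROP_RE = re.compile(
    r"fw_log_drop(?:_ex)?: Packet proto=(?P<proto>\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) "
    r"dropped by (?P<func>\w+) Reason: (?P<reason>[^;]+)"
)


def parse_drop_line(line):
    """Return a dict for one drop record, or None if the line is not a drop."""
    m = DROP_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport"):
        rec[key] = int(rec[key])
    rec["reason"] = rec["reason"].strip()
    return rec


def parse_drops(text):
    """All drop records in a zdebug capture, in file order."""
    return [rec for rec in map(parse_drop_line, text.splitlines()) if rec]


def drops_by_reason(drops):
    """Counter of drop reasons, most useful for spotting the dominant rule."""
    return Counter(d["reason"] for d in drops)


def drops_involving(drops, ip):
    """Drops where the given IP is source or destination."""
    return [d for d in drops if ip in (d["src"], d["dst"])]


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DROPS
    drops = parse_drops(text)
    print(f"{len(drops)} drop records")
    for reason, n in drops_by_reason(drops).most_common():
        print(f"{n:6d}  {reason}")
    host = sys.argv[2] if len(sys.argv) > 2 else "198.51.100.20"
    for d in drops_involving(drops, host):
        print(f"proto {d['proto']:<3} {d['src']}:{d['sport']} -> "
              f"{d['dst']}:{d['dport']}  {d['func']}: {d['reason']}")
```

Run it as `python3 drops.py traffic_drops.txt <IP>` against the file from the fourth shell; the per-reason counts usually point straight at the offending rule, and the per-host listing shows the ports involved.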

Thursday, January 18, 2024

Subnetting on Check Point

 

Output of the online calculator at https://jodies.de/ipcalc for 192.168.0.1/24:

Address:   192.168.0.1          11000000.10101000.00000000 .00000001
Netmask:   255.255.255.0 = 24   11111111.11111111.11111111 .00000000
Wildcard:  0.0.0.255            00000000.00000000.00000000 .11111111
=>
Network:   192.168.0.0/24       11000000.10101000.00000000 .00000000 (Class C)
Broadcast: 192.168.0.255        11000000.10101000.00000000 .11111111
HostMin:   192.168.0.1          11000000.10101000.00000000 .00000001
HostMax:   192.168.0.254        11000000.10101000.00000000 .11111110
Hosts/Net: 254                  (Private Internet)


Should you ever forget the intricacies of subnetting: Check Point did not bother to strip the subnet calculator, ipcalc, from SecurePlatform (Splat), so use it rather than cluttering your memory with the arithmetic.

Given an address and prefix, show the first IP (the network address):

# ipcalc -n 192.168.34.45/27
NETWORK=192.168.34.32

Given an address and prefix, show the last IP (the broadcast address):

# ipcalc -b 192.168.34.45/27
BROADCAST=192.168.34.63

Be careful what you feed it, though: ipcalc does no input validation. A prefix of /33 is impossible for IPv4, yet instead of an error it returns an answer that looks plausible:

# ipcalc -b 192.168.34.45/33
BROADCAST=255.255.255.255

If you script around it, check that the prefix is between 0 and 32 before trusting the output.
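The same calculation done by hand, as an added example (not from the original post or from the ipcalc tool): it reproduces the network, broadcast, wildcard and host range that ipcalc and the jodies.de calculator print, and, unlike ipcalc, it rejects the /33 case above instead of returning 255.255.255.255. It also handles the /31 and /32 edge cases, which the text does not cover.

```python
import re


def parse_cidr(cidr):
    """Split 'a.b.c.d/n' into (address as int, prefix length).
    Rejects what ipcalc silently accepts: prefixes above 32 and octets above 255."""
    m = re.fullmatch(r"(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,3})", cidr.strip())
    if not m:
        raise ValueError(f"not an IPv4 address with prefix: {cidr!r}")
    octets = [int(o) for o in m.groups()[:4]]
    prefix = int(m.group(5))
    if any(o > 255 for o in octets):
        raise ValueError(f"octet out of range in {cidr!r}")
    if prefix > 32:
        raise ValueError(f"/{prefix} is not a valid IPv4 prefix (0-32)")
    addr = (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]
    return addr, prefix


def dotted(n):
    """Integer to dotted-quad."""
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


def bits(n):
    """Dotted binary form, as in the calculator output above."""
    return ".".join(f"{(n >> s) & 0xFF:08b}" for s in (24, 16, 8, 0))


def subnet_info(cidr):
    """Network, broadcast, wildcard and usable host range for an IPv4 CIDR."""
    addr, prefix = parse_cidr(cidr)
    netmask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    wildcard = netmask ^ 0xFFFFFFFF
    network = addr & netmask
    broadcast = network | wildcard
    if prefix == 32:                      # single host: no separate network/broadcast
        hostmin = hostmax = network
        hosts = 1
    elif prefix == 31:                    # point-to-point link (RFC 3021): both usable
        hostmin, hostmax, hosts = network, broadcast, 2
    else:
        hostmin, hostmax, hosts = network + 1, broadcast - 1, wildcard - 1
    return {
        "address": dotted(addr), "prefix": prefix,
        "netmask": dotted(netmask), "wildcard": dotted(wildcard),
        "network": dotted(network), "network_bits": bits(network),
        "broadcast": dotted(broadcast), "broadcast_bits": bits(broadcast),
        "hostmin": dotted(hostmin), "hostmax": dotted(hostmax), "hosts": hosts,
    }


def print_like_ipcalc(cidr):
    """Print the same table layout the web calculator uses."""
    i = subnet_info(cidr)
    print(f"Address:   {i['address']:<18}")
    print(f"Netmask:   {i['netmask']:<18} = {i['prefix']}")
    print(f"Wildcard:  {i['wildcard']:<18}")
    print(f"Network:   {i['network'] + '/' + str(i['prefix']):<18} {i['network_bits']}")
    print(f"Broadcast: {i['broadcast']:<18} {i['broadcast_bits']}")
    print(f"HostMin:   {i['hostmin']:<18}")
    print(f"HostMax:   {i['hostmax']:<18}")
    print(f"Hosts/Net: {i['hosts']}")


if __name__ == "__main__":
    for cidr in ("192.168.0.1/24", "192.168.34.45/27", "192.168.34.45/33"):
        print(f"--- {cidr}")
        try:
            print_like_ipcalc(cidr)
        except ValueError as err:
            print(f"rejected: {err}")
```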

Thursday, January 11, 2024

Output of cphaprob -l list on a healthy cluster member: every built-in and registered device (pnote) reports Current state: OK. A device in state "problem" is what makes a member give up the active role.

[Expert@myfirewall]# cphaprob -l list

Built-in Devices:

Device Name: Interface Active Check
Current state: OK

Device Name: Recovery Delay
Current state: OK

Device Name: CoreXL Configuration
Current state: OK

Registered Devices:

Device Name: Fullsync
Registration number: 0
Timeout: none
Current state: OK
Time since last report: 1.31105e+06 sec

Device Name: Policy
Registration number: 1
Timeout: none
Current state: OK
Time since last report: 1.31105e+06 sec

Device Name: routed
Registration number: 2
Timeout: none
Current state: OK
Time since last report: 164.8 sec

Device Name: cxld
Registration number: 3
Timeout: 30 sec
Current state: OK
Time since last report: 102116 sec
Process Status: UP

Device Name: fwd
Registration number: 4
Timeout: 30 sec
Current state: OK
Time since last report: 102116 sec
Process Status: UP

Device Name: cphad
Registration number: 5
Timeout: 30 sec
Current state: OK
Time since last report: 4.1131e+06 sec
Process Status: UP

Device Name: VSX
Registration number: 6
Timeout: none
Current state: OK
Time since last report: 4.1131e+06 sec

Device Name: Init
Registration number: 7
Timeout: none
Current state: OK
Time since last report: 4.1131e+06 sec

Device Name: Local Probing
Registration number: 8
Timeout: none
Current state: OK
Time since last report: 185.2 sec

[Expert@myfirewall]# 
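Reading this output by eye is fine once; for a periodic check it is easier to parse it. The script below is an added example (not part of the original post) that turns cphaprob -l list output into records and reports any device that is not OK or whose process is not UP. The sample it runs on is a constructed, trimmed copy of the output above with the fwd device changed to a problem state so that the check has something to report.

```python
# Constructed sample: a subset of the page's "cphaprob -l list" output with the
# fwd device altered to "problem"/"DOWN". Not output from a real failing gateway.
SAMPLE = """\
Built-in Devices:

Device Name: Interface Active Check
Current state: OK

Device Name: CoreXL Configuration
Current state: OK

Registered Devices:

Device Name: Fullsync
Registration number: 0
Timeout: none
Current state: OK
Time since last report: 1.31105e+06 sec

Device Name: fwd
Registration number: 4
Timeout: 30 sec
Current state: problem
Time since last report: 45.2 sec
Process Status: DOWN

Device Name: cphad
Registration number: 5
Timeout: 30 sec
Current state: OK
Time since last report: 4.1131e+06 sec
Process Status: UP
"""


def parse_cphaprob_list(text):
    """Parse 'cphaprob -l list' output into a list of device dicts.
    Field names become lower-case keys with spaces replaced by '_'."""
    devices, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("Devices:"):           # "Built-in Devices:" / "Registered Devices:"
            section = line[:-1]
            current = None
            continue
        if line.startswith("Device Name:"):
            current = {"name": line.split(":", 1)[1].strip(), "section": section}
            devices.append(current)
            continue
        if current is None or ":" not in line:  # prompt lines and stray text
            continue
        key, value = (p.strip() for p in line.split(":", 1))
        key = key.lower().replace(" ", "_")
        if key == "time_since_last_report":     # "1.31105e+06 sec" -> seconds as float
            value = float(value.split()[0])
        elif key == "timeout":                  # "none" or "30 sec"
            value = None if value == "none" else float(value.split()[0])
        current[key] = value
    return devices


def unhealthy(devices):
    """Devices that would put the member into a problem state."""
    return [d for d in devices
            if d.get("current_state", "").lower() != "ok"
            or d.get("process_status", "UP").upper() != "UP"]


def cluster_member_ok(devices):
    return not unhealthy(devices)


if __name__ == "__main__":
    import subprocess
    import sys
    if len(sys.argv) > 1:                       # a saved copy of the command output
        text = open(sys.argv[1]).read()
    else:
        try:                                    # on a gateway, read the live output
            text = subprocess.run(["cphaprob", "-l", "list"], capture_output=True,
                                  text=True, check=True).stdout
        except (OSError, subprocess.CalledProcessError):
            text = SAMPLE                       # elsewhere, fall back to the sample
    devs = parse_cphaprob_list(text)
    bad = unhealthy(devs)
    for d in bad:
        print(f"{d['section']}: {d['name']} state={d.get('current_state')} "
              f"process={d.get('process_status', 'n/a')}")
    print("OK" if not bad else f"{len(bad)} device(s) not OK")
    sys.exit(0 if not bad else 1)
```

The exit code makes it usable from cron or a monitoring agent. Note that a large "Time since last report" next to a 30 sec timeout is not by itself a fault (the page's own output shows 102116 sec with state OK), so the check deliberately keys on state and process status only.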

Friday, January 5, 2024

Fixes to R81.20

FIXES
1. Set a GRUB2 password

The GRUB2 password stops anyone with console access from editing the boot entries (for example to boot into a root shell) without authenticating. In clish:

myfirewall01> set grub2-password
Enter new grub2 password: 
Enter new grub2 password (again): 
myfirewall01> 


2. Update the TRAC file

/var/opt/CPsuite-R81.20/fw/conf/trac_client_1.ttm
Make a backup copy of the file first, then change the two values marked in the automatic_mep_topology block:
      )
                :automatic_mep_topology (
                        :gateway (
                                :map (
                                        :false (false)
                                        :true (true)
                                        :client_decide (false)     [ change from Client_Decide to False]
                                )
                                :default (false)  [ change from True to False]
                        )
                )
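The two edits above are easy to get wrong by hand in a file with many nested blocks and more than one ":default" line. The script below is an added example (not from the original post or from Check Point) that applies them programmatically: it walks the .ttm file's ":name ( ... )" block structure, changes only client_decide under automatic_mep_topology/gateway/map and default under automatic_mep_topology/gateway, leaves every other ":default" alone, and writes a .bak copy before touching the file. The sample it runs on is a constructed fragment in the layout shown above, not a real trac_client_1.ttm.

```python
import re
import shutil
import sys
from pathlib import Path

# Constructed fragment in the layout of the excerpt above. The second block
# ("other_setting") is a decoy with its own ":default (true)" that must survive.
SAMPLE_TTM = """\
:gateway (
        :automatic_mep_topology (
                :gateway (
                        :map (
                                :false (false)
                                :true (true)
                                :client_decide (client_decide)
                        )
                        :default (true)
                )
        )
        :other_setting (
                :gateway (
                        :default (true)
                )
        )
)
"""

OPEN_RE = re.compile(r"^\s*:(\w+)\s*\(\s*$")                 # ":name ("  opens a block
LEAF_RE = re.compile(r"^(\s*:(\w+)\s*\()([^()]*)(\)\s*)$")   # ":name (value)" is a leaf
CLOSE_RE = re.compile(r"^\s*\)\s*$")                        # ")" closes the innermost block

# (enclosing block path, leaf name) -> required value, per step 2 above.
WANTED = {
    (("automatic_mep_topology", "gateway", "map"), "client_decide"): "false",
    (("automatic_mep_topology", "gateway"), "default"): "false",
}


def patch_mep_topology(text):
    """Return (patched_text, changes); changes is a list of (path, old, new)."""
    stack, out, changes = [], [], []
    for line in text.splitlines(keepends=True):
        opened = OPEN_RE.match(line)
        if opened:
            stack.append(opened.group(1))
        elif CLOSE_RE.match(line):
            if stack:
                stack.pop()
        else:
            leaf = LEAF_RE.match(line)
            if leaf:
                for (path, name), wanted in WANTED.items():
                    # match only when the leaf sits directly under the wanted block path
                    if leaf.group(2) == name and tuple(stack[-len(path):]) == path:
                        old = leaf.group(3).strip()
                        if old != wanted:
                            changes.append(("/".join(path + (name,)), old, wanted))
                            line = f"{leaf.group(1)}{wanted}{leaf.group(4)}"
        out.append(line)
    return "".join(out), changes


def patch_file(path):
    """Back up <path> to <path>.bak, then rewrite it only if something changed."""
    path = Path(path)
    original = path.read_text()
    patched, changes = patch_mep_topology(original)
    if changes:
        shutil.copy2(path, path.with_suffix(path.suffix + ".bak"))
        path.write_text(patched)
    return changes


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for change in patch_file(sys.argv[1]):
            print("changed %s: %s -> %s" % change)
    else:
        text, changes = patch_mep_topology(SAMPLE_TTM)
        print(text)
        for change in changes:
            print("changed %s: %s -> %s" % change)
```

Run once with the file path as argument; a second run reports no changes, so it is safe to re-run after an upgrade has reset the file.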


3. Fix HTTP/2
Description:
The same change was implemented and tested successfully in the lower region (TestVPN).

1. Disable HTTP/2 on myfirewall01 and myfirewall02
IGNORE_ALPN_EXTENSION=1 makes the gateway ignore the TLS ALPN extension, so clients passing through it cannot negotiate HTTP/2. To disable HTTP/2:
ckp_regedit -a SOFTWARE\\CheckPoint\\FW1 IGNORE_ALPN_EXTENSION 1
cpstop;cpstart

To enable HTTP/2 again:
ckp_regedit -a SOFTWARE\\CheckPoint\\FW1 IGNORE_ALPN_EXTENSION 0
cpstop;cpstart

cpstop;cpstart restarts all Check Point services on that member, so apply it on the standby member first, fail over, then repeat on the other one. Done one member at a time there is no production impact; low risk.


Wednesday, December 6, 2023

Troubleshooting - High CPU - Memory

 

  1. Contents of the spike detective folder /var/log/spike_detective/*
  2. Screenshot of top -H
  3. CPinfo file as per sk92739. To generate it, run:
    • # cpinfo -d -D -z -o /var/log/<gwname>.cpinfo
  4. HCP file as per sk171436 - "HealthCheck Point (HCP) Release Updates". To generate it, run:
    • # hcp -r all --include-wts yes

Wednesday, November 8, 2023

Reset - Multi-queue, dynamic balancing, and flow director to default values

 

 Please perform the steps in this order, on one cluster member at a time:

  1. Set Multi-Queue to auto first:
    • # mq_mng --set-mode auto
  2. Enable Dynamic Balancing:
    • # dynamic_balancing -o enable
    • There is no need to change the number of CoreXL instances in cpconfig; Dynamic Balancing adjusts them itself once it is enabled.
  3. Enable Flow Director (ntuple filtering) on the interface, here eth1-01:
    • # ethtool -K eth1-01 ntuple on
  4. Reboot the member, then repeat the same steps on the other member.