Checkpoint NG/NGX




fw ctl zdebug drop - Check Point firewall ultimate debug command

Check Point provided us many ways to debug issues. Some are easier, some are harder. The first thing to do when you have dropped traffic is to see whether the packets are being dropped by the firewall or not. The first impulse is to look at SmartView Tracker's logs and …



Do not miss Netflow capability of Check Point Gaia R77 and above

Do not miss Netflow capability of Check Point Gaia R77 and above. In the past measuring the traffic passing through firewall wasn't easy - you had to either query interface counters via SNMP or run custom Bash scripts on the firewall itself to get interface statistics. The problem with both of …



How to know Checkpoint UTM Appliance model from the cli

Many times you get to work on some UTM appliance remotely via ssh and need to know which exact model it is. It takes just one cli Expert level command to know: dmidecode | grep "Product Name". Then you go and compare the output with the UTM models table which Tobias …



Undocumented command to install policy on Locally managed Checkpoint UTM 1100 series appliance

I was trying the other day to exclude on UTM 1180 gateway some IP address and service combination from being encrypted inside VPN tunnel and noted that any changes you do to the firewall files on the CLI, in this case - crypt.def, do not take effect . It is actually …



How to know if a license or a subscription is about to expire for Check Point product

There are two ways to be warned when some license or subscription based service from Check Point is about to expire: - Every time we login into the SmartUpdate (part of the SmartConsole suite) if there are any licenses/services to expire within next 30 days we’ll see a pop …



Overlooked but nice utility from Checkpoint - cpview

Checkpoint has made available starting with R77.30 this helpful diagnostics and debug utility called cpview of which not many are aware. This is basically a Bash script that runs a bunch of native Checkpoint commands in the background and displays the output on the terminal while updating the data …



Checkpoint Mobile Access support for SHA-256 SSL certificates

The new era of sha-256 (as opposed to sha-1) signed SSL certificates is slowly gaining the pace, not without a gentle push from the browser providers . And Checkpoint is catching up in its new version R77.30 for Open Servers. While on both versions - 77.20 and 77.30 cpopenssl …



SNMP in Gaia default community string

Configuring SNMP in Gaia as opposed to SPLAT has been made much simpler. So simple that it is easy to overlook that default configured read-only community is public . So , it is a good idea to change it while enabling SNMP: set snmp agent on set snmp agent-version any set …



Convert Checkpoint SPLAT routes into Gaia route configuration commands

` Hi there, not much of a script , just the one-liner to turn output of the Secure Platform cli command route/ip route list into the ready for copy&paste; list of Gaia clish commands. Be aware I am not doing any error checking, so examine the final result before applying to …



Checkpoint SNX 75 does work on Mac OS X 10.8 Mountain Lion

While not mentioned explicitly in Release Notes for SNX 75 (it lists there only Mac OS X 10.7, 10.7.1, 10.7.2 Lion, 32-bit and 64-bit as supported versions) , it does work with new version of Apple Mac. Yesterday I did it for R71.40 and it …