Early Availability program R80.20

Check Point is launching an Early Availability (EA) program for its upcoming release R80.20, which might be released this summer. There are currently two EA programs available.

Production EA
The Production EA program is for Check Point customers that are willing to run this EA in production environments. These customers are also expected to cooperate directly with R&D.

This program covers both Security Gateway and Management versions of R80.20.


One year later…again millions of zero-byte files?

Almost a year ago I ran into the CPUSE timeout issue when Saving File Permissions. Last week I ran into a similar problem when creating a snapshot of the same VSX gateway. In a year's time this VSX gateway received some newer Jumbo Hotfixes and at this point Jumbo Hotfix Take 286 (GA) was installed. I’ve never received a hotfix from TAC when I had the CPUSE issue back then. We only had the workaround of manually deleting the temporary files in /opt/CPshrd-R77/CTX/CTX00001/tmp/. So might it be possible the snapshot and CPUSE issues are caused by the same problem?


R80.10: fw monitor – new inspection points (eE)

Earlier today a colleague found out that when he used fw monitor on R80.10 he saw two extra inspection points in the output. For years we’ve all seen iIoO, but since R80.10 there is eE too! We’ve tried to find documentation about it, but basically this is still undocumented.

[vs_0][fw_1] eth1:i[212]: -> (TCP) len=212 id=28330
TCP: 3421 -> 443
[vs_0][fw_1] eth1:I[212]: -> (TCP) len=212 id=28330
TCP: 3421 -> 443
[vs_0][fw_1] eth3:o[212]: -> (TCP) len=212 id=28330
TCP: 3421 -> 443
[vs_0][fw_1] eth3:O[212]: -> (TCP) len=212 id=28330
TCP: 3421 -> 443
[vs_0][fw_0] eth3:e[212]: -> (TCP) len=212 id=28330
TCP: 3421 -> 443
[vs_0][fw_0] eth3:E[212]: -> (TCP) len=212 id=28330
TCP: 3421 -> 443

We expected the e’s would have something to do with encryption.


R80.10: Automatic Proxy ARP with Manual NAT rules

When releases like R80.10 hit the spotlight, there will always be new features that don’t get immediate attention.

Something that changes with R80.10 is the new ability to enable automatic creation of Proxy ARP for manual NAT rules. Sounds nice, right?

Previously, when you used manual NAT rules with pre-R80.10 Security Gateways, you needed to add proxy ARP either through CLISH or by adding it to local.arp as described in sk30197. That’s an article every engineer might have dealt with in the past.


Memory leak in CPUSE Build 1272

It seems that the Gaia Deployment Agent, also known as CPUSE, is affected by a memory leak. When monitoring devices we saw memory usage increasing rapidly to almost unhealthy proportions. Most of the time the process was cleaned up and memory usage was restored to normal values. But today, unfortunately, a customer experienced problems with clients running Identity Awareness agents and some site-to-site VPNs when DAService crashed and a coredump was created. Though it was part of a cluster, no failover was initiated…


The CPUG Papers

An exciting new initiative was introduced earlier this week: The CPUG Papers. As the authors stated themselves, it’s going to be a comprehensive resource, providing clearly written, referenceable documentation that falls between the wonderful discussion information on the CPUG forums and the detailed technical documentation provided by Check Point.
