Great video as always!. Was always apprehensive about using fw monitor in production, but this video has given some confidence. So was working with Checkpoint TAC two weeks ago troubleshooting some issue on R80.20 and they ran fw monitor and stopped it after the capture. Suddenly CPU0 spiked to 100% and crashed the 6800 firewall. After going through the crash logs, they identified a bug with the fw monitor process not getting terminated properly and suggested we upgrade to R80.40. We applied a HF for now and will be upgrading soon. Would also love to see a video about CoreXL and multi queue tuning on VSX..
Thank you! Ye commands such fw monitor is something to use carfully within a prod enviroment. Its getting better as its dosn´t require fwaccel off anymore on the new versions. Within VSX is something to be extra carefull as you need to check the specific vs. If you need to use it on something u need to turn of securexl, then check how much of your traffic is actually accelerated. Done the misstake on a VS that i tought was fine as its only hade 20-30% load and 4 instanses allocated but as only FW blade was used more or less 98% of all traffic was accelerated. Meaning the VS did go up to 400% load and started to throw traffic when we started to debug :( Multi queue is more or less not an issue anymore. on R80.30 3.10 its on by default and fixing pretty much itself :D Even better in R80.40 HFA something with dynamic dispatcher (only on appliances so far), so alot of the tweaking is going away! Honestly i would not go for R80.40 just yet for critical infra. I try to wait untill the HFA is above 100 (but i do use open servers so its more problematic then appliances) Same for VSX i would go for R80.30 latest GA and then upgrade to R80.40 in a month or two. For mgmt upgrade to R80.40 should be no issue. Regarding videos, ye i think its time to start to show more VSX stuff. I tought most of you guys was going for CCSA but most seams to have alot more experiance and want to see the more cool stuff :)
@@MagnusHolmberg-NetSec Yeah, I would say the most important thing is always use some filter. Capture all traffic in production can cause dropping of packets and then you will be punished :) Btw, in this Danny's tool. If I want to check for source and destination do you just add two host IPs?
When it comes to debug/strange behaviors, involve the TAC quickly, dont wait hours/days for it. They have so much more information and SK that you as a customer or partner dont have access to.
Thank you! Yes i will be doing a video regarding tcpdump. I will do a few videos before that, need to cover the vpn part as it has been requested by alot of ppl.
Hi Magnus. Danny's tool used ip_p=6 and ip_p=11 when you chose TCP and UDP. Protocol 6 is TCP but protocol 11 is NVP-II. Shouldn't it be protocol number 17 for UDP instead?
Thank you! Are you going for a CCSA certificate :)? We are almost done with the content covered within the CCSA. Have some topics left regarding smartevent, compliance and backup solutions.
@@dikshasrivastava9771 aha nice! When I first wrote ccsa (was R71 then ) i passed with 1% :) I thought it was pretty hard but it has been very helpfully. Make sure to check the study guide so you know what more is covered. This serie is focus on actually working with the stuff and not only taking the certification. I bring up most but not everything and I am planning to make ~10 or so videos more on this level. www.checkpoint.com/downloads/professional-services/training/r80-system-administrator-study-guide.pdf
Hi Magnus. A query, in your example I think you are trying to export all the logs to a ".cap" file, is that true? That extension is only to be able to open the file in a Wireshark, right? Could you tell me how I should apply the command, if what I'm looking for is to export all the logs, to a simple TXT file, with the name of "November" for example? Could you give me that scope, please. Thanks. 🙈
Hi, I think what you are looking for is log exporter. Here you can send all our logs to something else then check point, in most cases a siem system. But log exporter allows you to export it was syslog messages. supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk122323 If not, well maybe check out the video I made about the log types :)
@@MagnusHolmberg-NetSec Thanks for the reply. Basically what I am looking for is that all the logs that normally the result of applying a "fw monitor" gives you, I can send it to a notepad, in such a way that it allows me to read it better, because I want to apply some changes in the Firewall, and I want to make a comparison of what happens applying and not applying a particular policy, since I currently have problems with a VOIP scenario.
@@ranghelsoto6516 not sure if possible, notepad isn’t really fast to search big files in. Save the screen output from putty or your terminal window then you will get a .txt file :) Generally when it comes to check point. Don’t use the default sip object in the rulebase. Create standard TCP-5060 objects so check point don’t do a lot of strange things to the package. (More or less always issues with voip if using the sip objects in the rulebase)
How is it possible to trace VPN traffic? I would like to see the unencrypted packets on VPN interface or make sure the packets are being sent. As far as I know fw monitor can't do this...
Thank you! Yes I will make one or two with site to site vpn. Thinking of showing one within your own mgmt and one that is towards a partner. As VPN within r80.40 is changed to the better maybe I also need to do one with the differences
