Top Configuration Issues To Look Out For In Check Point Firewalls

We have been running a webinar for a while now that discusses the top configuration-related mistakes we see people making with Check Point firewalls. Some of the sessions I ran myself!

Since many attendees asked for a document detailing the tips, we thought we’d make it available here.

Top checks to run regularly on your firewalls (once a month or so):

  • Make sure NTP is not just configured but actually works. For example, in Gaia, you should go into clish, run “show ntp servers” and then go into expert mode. Once there, run “ntpdate -u <ntp_server_ip>” for each NTP server configured. Look for errors like “no server suitable for synchronization found”.
  • Compare static routing tables between members of a cluster. We suggest running “netstat -rn | wc -l” as a first step to see if the number of routes is the same.
  • Compare the CoreXL configuration across cluster members using “fw ctl multik stat”. Note that if your ClusterXL is in Ready state (shown in the output of “cphaprob stat”) it may be because the CoreXL configuration is different between the members of the cluster.
  • Compare the SecureXL configuration across cluster members using “fwaccel stat”. Note that otherwise the only way you will find out about a configuration difference is a massive spike in CPU usage on the secondary cluster member when it becomes active.
  • Make sure that no one has left debug on as it can really hog the CPU. To disable debug at the kernel level, run “fw ctl debug 0”. At the user level you need to use the “fw debug” command as described by Kellman Meghu.
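As an added example that is not part of the original post, the shell helpers below parse the output of the NTP and routing checks above so they can be scripted for a monthly run. The ntpdate output and the two netstat -rn captures are constructed samples, and route_diff goes beyond the route count suggested above by comparing destination and gateway per route, so a matching count does not hide a route pointing at a different next hop.

```bash
#!/bin/bash
# Added example (not from the original post): helpers that parse the output of
# the NTP and routing checks. The sample captures at the bottom are constructed;
# on a real gateway feed the functions the output of the commands run in expert mode.

# ntp_status: reads "ntpdate -u <server>" output on stdin.
# Prints SYNC_OK, SYNC_FAIL or UNKNOWN and returns 0 only for SYNC_OK.
ntp_status() {
  local out
  out=$(cat)
  case "$out" in
    *"no server suitable for synchronization found"*) echo SYNC_FAIL; return 1 ;;
    *"adjust time server"*|*"step time server"*)       echo SYNC_OK;   return 0 ;;
    *)                                                 echo UNKNOWN;   return 2 ;;
  esac
}

# route_diff: compares two "netstat -rn" captures ($1 and $2 are files, one per
# cluster member). Prints routes present on only one member; returns 0 when the
# tables match, 1 when they differ.
route_diff() {
  local ta tb
  ta=$(mktemp); tb=$(mktemp)
  # Keep only route lines (first field is an address or "default") and compare
  # destination plus gateway, so an equal line count cannot mask a changed next hop.
  awk '$1 ~ /^([0-9]+\.|default)/ {print $1, $2}' "$1" | sort > "$ta"
  awk '$1 ~ /^([0-9]+\.|default)/ {print $1, $2}' "$2" | sort > "$tb"
  if cmp -s "$ta" "$tb"; then rm -f "$ta" "$tb"; return 0; fi
  echo "routes only on $1:"; comm -23 "$ta" "$tb"
  echo "routes only on $2:"; comm -13 "$ta" "$tb"
  rm -f "$ta" "$tb"
  return 1
}

# Constructed sample captures (not real gateway output). Both members have the
# same number of routes, but the 10.2.0.0/16 route uses a different gateway.
MEMBER1_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.0.2.1       0.0.0.0         UG        0 0          0 eth0
10.1.0.0        0.0.0.0         255.255.0.0     U         0 0          0 eth1
10.2.0.0        192.0.2.254     255.255.0.0     UG        0 0          0 eth0'
MEMBER2_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.0.2.1       0.0.0.0         UG        0 0          0 eth0
10.1.0.0        0.0.0.0         255.255.0.0     U         0 0          0 eth1
10.2.0.0        192.0.2.253     255.255.0.0     UG        0 0          0 eth0'
```

On a live cluster, save `netstat -rn` from each member to a file, copy both to one host and call `route_diff member1.txt member2.txt`; pipe `ntpdate -u <ntp_server_ip>` into `ntp_status` for each configured server.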

In the webinar we go through a few more checks we recommend doing regularly. Come join us, it’s free!