
Günther W. Albrecht

Check Point 1100 / 1200R / 600 Appliances

1. USB Flash Firmware Upgrade p. 02

2. SecureXL on 1100 / 1200R / 600 Units p. 06

3. USB First Time Config using autoconf.clish files p. 07

4. CLI license activation and bashUser mode p. 11

5. Using 1100 / 1200R / 600 Demo Units p. 12

6. Users currently connected via RA client VPN p. 17

7. Logs, Debugs and other files p. 18

References and SKs p. 20


Part 1: USB Flash Firmware Upgrade

The 1100 and 600 series firmware can be upgraded using the WebGUI, but this only updates the
primary firmware image and leaves the factory default image at the former, lower firmware
version. So when "Revert to the factory default image and settings" is used later, the old
firmware version from the factory default image is booted, and the firmware has to be
upgraded again using the WebGUI.

Using a USB flash device, both the factory default and the primary firmware image of the
1100 and 600 series can be upgraded at once. Note that this installation runs at every reboot
as long as a readable USB medium with a matching image is attached, and that the only check
the bootloader performs on the image (see the boot log below) is a CRC, which proves integrity,
not origin: anyone with physical access and a prepared USB stick can replace the firmware, and
a stick left in the port re-burns the image on the next reboot. Details can be found in
sk98549 How to Burn CheckPoint 600 / 1100 Appliances version with Disk-On-Key. CAUTION:
Different USB flash media may behave differently when loading images from USB; for example,
a USB flash stick that installs a new firmware image successfully on an 1100 / 600 may fail
to install on a SG80.

Installing from a USB flash device starts with a reboot; on an 1100 / 600 the boot log looks like this:


______ __ __ _______ _ _
.' ___ |[ | [ | _ |_ __ \ (_) / |_
/ .' \_| | |--. .---. .---. | | / ] | |__) | .--. __ _ .--. `| |-'
| | | .-. |/ /__\\/ /'`\] | '' < | ___// .'`\ \[ | [ `.-. | | |
\ `.___.'\ | | | || \__.,| \__. | |`\ \ _| |_ | \__. | | | | | | | | |,
`.____ .'[___]|__]'.__.''.___.'[__| \_] |_____| '.__.'[___][___||__]\__/

** MARVELL BOARD: RD-88F6281A LE

U-Boot 1.1.4 (Aug 11 2010 - 13:38:30) Check Point version: 3.4.27

U-Boot code: 00600000 -> 0067FFF0 BSS: -> 006CFB00

Soc: 88F6281 A1 (DDR2)


CPU running @ 1200Mhz L2 running @ 400Mhz
SysClock = 400Mhz , TClock = 200Mhz

DRAM CAS Latency = 5 tRP = 5 tRAS = 18 tRCD=6


DRAM CS[0] base 0x00000000 size 256MB
DRAM Total size 256MB 16bit width

************ Hit 'Ctrl + C' for boot menu ************

Addresses 8M - 0M are saved for the U-Boot usage.


Mem malloc Initialization (8M - 7M): Done
NAND:512 MB
Flash: 0 kB

CPU : Marvell Feroceon (Rev 1)

Streaming disabled
Write allocate disabled

Module 0 is RGMII

Günther W. Albrecht: CheckPoint 1100 / 1200R / 600 Un- (or barely) documented Features 15.3.4 / Seite 2 von 23
Module 1 is TDM
USB 0: host mode
PEX 0: interface detected no Link.
Net: egiga0, egiga1 [PRIME]

Reading data from 0xe0000 -- 100% complete.


Verifying CRC for settings area... Done

On the 1200R this looks different:


OCTEON eMMC stage 1 bootloader

Partition: 1, start: 0x0000000000000800, size: 0x0000000000004800


Reading
457576...............................................................................
.....................................................................................
............................................................ Done.
Loaded OCTBOOT2BIN
Branch to stage 2 at:0xFFFFFFFF81004000

U-Boot 2013.07 (Development build, svnversion: u-boot:exported, exec:) (Build time: Jan 19 2015 - 10:17:06)

Warning: Board descriptor tuple not found in eeprom, using defaults


EVB7000_SFF board revision major:1, minor:0, serial #: unknown
OCTEON CN7010-SCP pass 1.2, Core clock: 1200 MHz, IO clock: 500 MHz, DDR clock: 667
MHz (1334 Mhz DDR)
Base DRAM address used by u-boot: 0x4f804000, size: 0x7fc000
DRAM: 1 GiB
Clearing DRAM...... done
Using default environment

MMC: Octeon MMC/SD0: 1

reading u-boot-octeon_evb7000_sff.bin
______ __ __ _______ _ _
.' ___ |[ | [ | _ |_ __ \ (_) / |_
/ .' \_| | |--. .---. .---. | | / ] | |__) | .--. __ _ .--. `| |-'
| | | .-. |/ /__\\/ /'`\] | '' < | ___// .'`\ \[ | [ `.-. | | |
\ `.___.'\ | | | || \__.,| \__. | |`\ \ _| |_ | \__. | | | | | | | | |,
`.____ .'[___]|__]'.__.''.___.'[__| \_] |_____| '.__.' [___][___||__]\__/

U-Boot 2013.07 (Development build, svnversion: u-boot:exported, exec:) (Build time: Jan 11 2015 - 17:13:00)
Check Point version: 990170212

************ Hit 'Ctrl + C' for boot menu ************

OCTEON CN7010-AAP pass 1.2, Core clock: 1200 MHz, IO clock: 500 MHz, DDR clock: 667
MHz (1334 Mhz DDR)
Base DRAM address used by u-boot: 0x4e000000, size: 0x2000000
DRAM: 1 GiB
Clearing DRAM...... done
Octeon MMC/SD0: 1
Flash: 0 Bytes
PCIe: Port 0 not in PCIe mode, skipping
PCIe: Port 1 not in PCIe mode, skipping
PCIe: Port 2 not in PCIe mode, skipping
PCI console init succeeded, 1 consoles, 1024 bytes each

PCIe: Port 0 not in PCIe mode, skipping

PCIe: Port 1 not in PCIe mode, skipping
PCIe: Port 2 not in PCIe mode, skipping
Type the command 'usb start' to scan for USB storage devices.

mmc1(part 0) is current device

MMC read: dev # 1, address # a80000, count 524288 ... 1024 blocks read: OK
Verifying CRC for settings area... Done

Now the appliance looks at the USB devices:


USB: scanning bus for devices... 3 USB Device(s) found
1 Storage Device(s) found

The USB flash device is searched for specific file names, in this order:


Trying to load image (fw1*.img) from USB flash drive using FAT FS
Looking for file_fat_read fw1*.img

** File fw1*.img not found **

** Unable to read "fw1*.img" from usb 0:1 **

Trying to load image (u-boot*.bin) from USB flash drive using FAT FS
Looking for file_fat_read u-boot*.bin

** File u-boot*.bin not found **

** Unable to read "u-boot*.bin" from usb 0:1 **


(*type == CP_GET_TYPE_DSL)

Trying to load image (dsl*.img) from USB flash drive using FAT FS
Looking for file_fat_read dsl*.img

** File dsl*.img not found **

** Unable to read "dsl*.img" from usb 0:1 **

If a valid file is found, it is read in, verified and installed:


Found image file: fw1_dep_r75_983004042_20.img
.....................................................................................
.......................
****** lines have been left out here ******
.......................................................

77987840 bytes read


Verifying image CRC

Header CRC....... : 0x334D3B94


Calculated CRC... : 0x334D3B94

Image CRC verification passed


WARNING: BURNING OF NEW IMAGE STARTED
PLEASE DO NOT PULL OUT THE POWER CORD

First the firmware flash is erased:


Running flash_erase: nand erase $(primary_offset) $(flash_erase_size)
NAND erase: device 0 offset 0x100000, size 0x1ff00000

Erasing at 0x100000 -- 0% complete.
Erasing at 0x600000 -- 1% complete.
Erasing at 0xb20000 -- 2% complete.
****** lines have been left out here ******
Erasing at 0x1ffe0000 -- 100% complete.
OK
Done.

Then the default and the primary firmware images are written:


Burning default image

NAND write: device 0 offset 0xbd00000, size 0x4a60000

Writing data at 0xbd00000 -- 0% complete.


Writing data at 0xbdbe000 -- 1% complete.
Writing data at 0xbe7c800 -- 2% complete.
****** lines have been left out here ******
Writing data at 0x1075f800 -- 100% complete.
77987840 bytes written: OK
Saving Environment to NAND...
Erasing Nand...Writing to Nand... done
Done.

Burning primary image

NAND write: device 0 offset 0x100000, size 0x4a60000

Writing data at 0x100000 -- 0% complete.


Writing data at 0x1be000 -- 1% complete.
Writing data at 0x27c800 -- 2% complete.
****** lines have been left out here ******
Writing data at 0x4b5f800 -- 100% complete.
77987840 bytes written: OK
Done.

Now the new firmware images are verified:


NAND read: device 0 offset 0xbd00000, size 0x4a60000

Reading data from 0xbd00000 -- 0% complete.


Reading data from 0xbdbe000 -- 1% complete.
Reading data from 0xbe7c800 -- 2% complete.
****** lines have been left out here ******
Reading data from 0x1075f800 -- 100% complete.
77987840 bytes read: OK
Verifying image CRC

Header CRC....... : 0x334D3B94


Calculated CRC... : 0x334D3B94

Default image CRC verification passed

NAND read: device 0 offset 0x100000, size 0x4a60000

Reading data from 0x100000 -- 0% complete.


Reading data from 0x1be000 -- 1% complete.
Reading data from 0x27c800 -- 2% complete.
****** lines have been left out here ******
Reading data from 0x4b5f800 -- 100% complete.

77987840 bytes read: OK
Verifying image CRC

Header CRC....... : 0x334D3B94


Calculated CRC... : 0x334D3B94

Primary image CRC verification passed

Install/Update Image from USB succeeded.

Please remove USB device.


Press any key to continue...

Now the unit reboots and starts from the new primary firmware image. If a backup from the
same firmware version is available, it can be restored. Otherwise, another firmware version
can be installed using the WebGUI in order to be able to restore the backup. When importing a
backup, the MAC address, firewall type and license are imported as well, and the GUI shows
the imported information. This is a cosmetic issue that can safely be ignored: the model logo
reverts to the right model logo within 24 hours, and if you run ifconfig, the correct MAC
address is shown. Another possibility is to use autoconf.clish files for configuration as
explained in Part 3: USB First Time Config using autoconf.clish files.
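The search order and the CRC check shown in the boot log above, as an added example that is not part of the original document or of Check Point's tooling: a pre-flight check for the USB stick, run on the admin workstation before rebooting the appliance with the stick attached. It assumes nothing about the internal header layout of fw1*.img (undocumented here), so the CRC32 is taken over the whole file, and the reference SHA-256 must come from the vendor's download page; the file names used in the usage examples are constructed.

```python
"""Pre-flight check of a USB stick before rebooting an 1100 / 600 with it attached.

Added example, not part of the original document or of Check Point's tooling.
It mirrors the search order in the boot log above (fw1*.img, then u-boot*.bin,
then dsl*.img, matched on a FAT filesystem) and computes the CRC32 the log
reports plus a SHA-256 to compare with the checksum published for the download.
The header layout of fw1*.img is not documented here, so the CRC is taken over
the whole file and the reference hash must be supplied by the caller.
"""
import fnmatch
import hashlib
import os
import sys
import zlib
from typing import Dict, Iterable, List, Optional

# Search order taken from the boot log; the first hit is what gets burned.
IMAGE_PATTERNS = ("fw1*.img", "u-boot*.bin", "dsl*.img")


def candidate_images(names: Iterable[str]) -> List[str]:
    """File names the bootloader would consider, in its search order.

    FAT file names are case-insensitive, so matching is done lower-cased.
    More than one hit means the result depends on directory order on the
    stick, which is not acceptable right before a flash erase.
    """
    names = list(names)
    hits: List[str] = []
    for pattern in IMAGE_PATTERNS:
        hits.extend(n for n in names if fnmatch.fnmatchcase(n.lower(), pattern))
    return hits


def crc32_of(data: bytes) -> int:
    """CRC32 as zlib computes it (U-Boot's crc32 is the same algorithm), unsigned."""
    return zlib.crc32(data) & 0xFFFFFFFF


def verify_crc32(data: bytes, header_crc: int) -> bool:
    """True when the data matches the CRC recorded for it.

    A CRC only proves the bytes were read back intact; it says nothing about
    who produced them.  That is all the bootloader's check proves as well.
    """
    return crc32_of(data) == (header_crc & 0xFFFFFFFF)


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def precheck(usb_root: str, expected_sha256: Optional[str] = None) -> Dict[str, object]:
    """Report which image would be burned and whether it matches the published hash."""
    names = sorted(os.listdir(usb_root))
    hits = candidate_images(names)
    report: Dict[str, object] = {
        "image": None, "ambiguous": len(hits) > 1,
        "crc32": None, "sha256": None, "sha256_ok": None,
    }
    if not hits:
        return report
    with open(os.path.join(usb_root, hits[0]), "rb") as fh:
        data = fh.read()
    report.update(image=hits[0], crc32=crc32_of(data), sha256=sha256_of(data))
    if expected_sha256 is not None:
        report["sha256_ok"] = sha256_of(data).lower() == expected_sha256.strip().lower()
    return report


if __name__ == "__main__":
    # usage: precheck_usb.py /media/usb [expected-sha256-from-download-page]
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    expected = sys.argv[2] if len(sys.argv) > 2 else None
    r = precheck(root, expected)
    if r["image"] is None:
        print("no image the bootloader would pick up; safe to reboot with the stick attached")
    else:
        print(f"bootloader would burn: {r['image']}  crc32=0x{r['crc32']:08X}  sha256={r['sha256']}")
        if r["ambiguous"]:
            print("WARNING: more than one matching image on the stick; remove the extras")
        if r["sha256_ok"] is False:
            print("WARNING: SHA-256 does not match the published checksum; do not burn")
```

Run it against the mounted stick and compare the SHA-256 with the value on the download page before the reboot; once the bootloader has started erasing, the CRC shown in the log only tells you the file was copied correctly, not that it is the file you meant to install.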

Part 2: SecureXL on 1100 / 1200R / 600 Units


The 1100 and 600 series support SecureXL, and SecureXL is activated by default. As
there is no way to disable it using the WebGUI, sk65015 shows how that can be achieved:
GW-620> fwaccel off

This command switches off SecureXL until the next reboot. To disable SecureXL
permanently, follow these steps:

1. On the Security Gateway 80 / 600 / 1100 appliance, go to /pfrm2.0/etc/ directory:


[Expert@Appliance]# cd /pfrm2.0/etc/

2. Create the special file:


[Expert@Appliance]# touch userScript
Note: the name contains a capital 'S'.

3. Edit the file in Vi editor:


[Expert@Appliance]# vi userScript

4. Add the full path to the command 'fwaccel off':


/opt/fw1/bin/fwaccel off

5. Set the file permissions:


[Expert@Appliance]# chmod 777 userScript

Note that userScript is executed with root privileges at every boot, so leaving it
world-writable as in the SK is not a good idea; chmod 700 keeps the execute bit root needs
without letting anyone else edit what root runs at boot.

6. Reboot the appliance. SecureXL should be off now - check with the 'fwaccel stat' command.

Part 3: USB First Time Config using autoconf.clish files

a. How it works
The autoconf.clish files have only barely been documented (in the SG80, 1100 Central and
600 Admin Guides and in the 1100 600 Appliance CLI AdvRouting Admin Guide), and
there is no special syntax apart from standard CLISH commands. As they are mostly used
instead of the First Time Wizard, it is clear which configuration details they contain.

Two kinds of autoconf.clish can be used: a general autoconfiguration CLI script named
autoconf.clish and/or a MAC-specific autoconfiguration CLI script named
autoconf.XX-XX-XX-XX-XX-XX.clish, with the MAC address of the unit in the file name (the
log file names below show the format). These files are used as follows:

1. If only an autoconf.clish file is present, it is used for configuration.

2. If only an autoconf.XX-XX-XX-XX-XX-XX.clish with the correct MAC is present, it is used
for configuration.

3. If both an autoconf.clish file and an autoconf.XX-XX-XX-XX-XX-XX.clish with the correct
MAC are present, first the general and then the MAC-specific autoconfiguration CLI script
is used for configuration, so the MAC-specific script can redefine settings from the
general script.

Successful configuration is shown by a ...Done after running the script:


System Started...
Start running general autoconfiguration CLI script from USB1 ...Done

System Started...
Start running MAC-specific autoconfiguration CLI script from USB1 ...Done

System Started...
Start running general autoconfiguration CLI script from USB1 Start running MAC-
specific autoconfiguration CLI script from USB1 ...Done

If not successful, a log is saved containing the commands and the corresponding errors:
System Started...
Start running general autoconfiguration CLI script from USB1 ... Error.
autoconf.00-1C-7F-70-2F-58.2014-10-07.0931.log was copied to USB1

System Started...
Start running MAC-specific autoconfiguration CLI script from USB1 ... Error.
autoconf.00-1C-7F-70-2F-58.2014-10-07.1706.log was copied to USB1

The USB LED is red when there is a problem running the configuration script. After an
error, the unit is in the First Time Wizard state, but values may already have been set that
are not shown in the First Time Wizard. So a restore default-settings should be issued and
the process repeated after correcting the autoconf.clish file.

b. How it is used
The autoconf.clish files run if the unit is rebooted in the Initial Configuration state. An
already configured unit has to be reset before a new configuration, so here that is done
using the CLI:
GW-620> restore default-settings
Restoring the default settings will delete your current settings and reboot the
appliance
Are you sure you want to continue? (yes/no): y
Restoring factory default settings...

Please wait while the appliance reboots. Please do not pull out the power cable.

Warning - USB device contains image files for the device.


Please remove the device to prevent reverting to that image after reboot, then press
ENTER to continue
GW-620>
GW-620>
Broadcast message from root (Wed Oct 8 08:45:55 2014):

The system is going down for reboot NOW!


INIT: Restarting system.

Now the configuration is read from the autoconf.clish file only. If an existing
configuration has to be changed using autoconf.clish, we can set the unit to run it on the
next reboot:

GW-620> set property USB_auto_configuration once

If the unit is rebooted now, values already configured are overwritten with the values
from autoconf.clish, and some commands may not work at all if they are intended for first-time
configuration (like adding two Internet connections). After the next reboot, autoconf.clish is
not run again. You can also set the unit to run autoconf.clish after every reboot if it is
present (note that then any USB stick with an autoconf.clish attached at boot reconfigures the
unit, admin credentials included, so use this only where access to the USB port is controlled):

GW-620> set property USB_auto_configuration always

c. How it is written
Now we look at the details of the autoconf.clish, with each command followed by the log
message it produced (shown in italics in the original). We can define the unit name first:
set hostname GW_620
Could not set hostname hostname: Device name can only contain [A-F], [0-9] and '-'
characters

The name is rejected, so we have to use a '-' instead to make it work:

set hostname GW-620

The First Time Wizard at this point also lets you set the country, but in CLISH that is only
possible via the wlan settings; if not using WLAN we could issue:
set wlan radio country australia
set wlan disable

# set Time sever settings

The last line is a comment: use # to structure, comment and explain the file!

set time-zone GMT+01:00(Amsterdam/Berlin/Bern/Rome/Stockholm/Vienna)


Wed Oct 8 08:57:00 GMT+0100 2014
set ntp server primary x.x.x.x
set ntp active on
Wed Oct 8 08:57:00 GMT+0100 2014
set ntp interval 1

After setting the time zone, the estimated current date and time is displayed. The same
happens after switching NTP on.

# set admin access


set user admin type admin password VeryGoodPassWord
set admin-access web-access-port 4434 allowed-ipv4-addresses any
Changing the access policy - This might block your access to the appliance (although
your current session will be retained)
set admin-access interfaces any access allow

Here the admin password is set in clear text. Better for security is to set the password
hash instead (the $1$ prefix denotes an MD5-crypt hash), so the clear-text password never
has to be written to the stick:

set user admin type admin password-hash $1$CTnQg69e$dwMJPcrB27XnAXUckPW7N0

Now we set the ISP connection:

# set WAN internet connection and GW


add internet-connection interface WAN type static ipv4-address x.x.x.x subnet-mask
255.255.255.0 default-gw y.y.y.y conn-test-timeout 0
Skipped connection test

The connection test tries to reach the ISP; with a value of zero the test is skipped,
otherwise the value is the time limit in seconds.

# set DNS
set dns primary ipv4-address x.x.x.x
set dns secondary ipv4-address y.y.y.y
set dns tertiary ipv4-address 8.8.8.8

After setting the DNS servers, we define the internal networks:


# set internal networks and dhcp
set dhcp server interface LAN1_Switch disable
set interface LAN1_Switch ipv4-address 192.168.x.1 subnet-mask 255.255.255.0

set dhcp server interface LAN1_Switch include-ip-pool 192.168.x.1-192.168.x.254
set dhcp server interface LAN1_Switch enable

#set DMZ
set dhcp server interface DMZ disable
set interface DMZ ipv4-address 192.168.y.1 subnet-mask 255.255.255.0

Now we define the WLAN network:


# set WLAN
set wlan ssid MyWLAN
set interface MyWLAN ipv4-address 192.168.z.1 subnet-mask 255.255.255.0
set dhcp server interface MyWLAN include-ip-pool 192.168.z.1-192.168.z.254
set wlan radio country australia
set wlan radio operation-mode 11ng channel auto
set wlan security-type WPA2
set wlan wpa-auth-type password VeryGoodPassWord
set wlan enable

Finally, let us load the units license from UserCenter:


# get the license from UserCenter:
fetch license usercenter

Other configuration steps can be constructed from CLISH commands. As this procedure
works for 1100 and 600 appliances, it also works for centrally managed 1100 units. The
management server would be configured there as follows:
# set Management Server IP and SIC to fetch certificate and policy:
set sic_init password VeryGoodPassWord
fetch certificate mgmt-ipv4-address x.x.x.x gateway-name GW-1100
fetch policy mgmt-ipv4-address x.x.x.x

With centrally managed 1100 units, the log server is defined in the policy. If a 600 device
should log to a CP Log server, this can only be configured in WebGUI or bash, as there
are no CLISH commands for log server configuration.

After the above autoconf.clish has finished, the FW blade is on with "Hide internal networks
behind the Gateway's external IP address" enabled, User Awareness is on but not
configured, and all other blades are off. No other blade, web server or rule
configuration is available in CLISH; only Anti-Spam can be enabled:
# set AntiSpam on:
set antispam mode on detection_method content-based log log spam_content_action block
flag_subject_stamp spam

So it is always necessary to finish the configuration of locally managed 600 / 1100 appliances
in the WebGUI, as only very basic settings are available to autoconf.clish. Keep in mind that
the stick carries the admin password or hash, the WLAN passphrase and, for centrally managed
units, the SIC one-time password; protect it like the credentials themselves and wipe it once
the unit is configured.
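The naming and precedence rules above and the recommendation to use password-hash, as an added example that is not part of the original document or of Check Point's tooling: a small Python linter that checks an autoconf.clish on the workstation before it goes on the stick and derives the MAC-specific file name from the unit's MAC. The rules it enforces are only those stated on this page (hostname character set, clear-text password versus password-hash, file naming); the sample scripts, the MAC address and the function names are constructed for the example.

```python
"""Lint and stage autoconf.clish files before they go on the USB stick.

Added example, not part of the original document or of Check Point's tooling.
It encodes only the rules stated above: a hostname consists of letters, digits
and '-'; the MAC-specific script is named autoconf.XX-XX-XX-XX-XX-XX.clish with
the unit's MAC in upper case; credentials given with 'password' go to the stick
in clear text, while 'set user ... password-hash' avoids that.  The sample
scripts, the MAC address and the function names are constructed for the example.
"""
import re
from typing import Dict, List

HOSTNAME_RE = re.compile(r"^[A-Za-z0-9-]+$")


def mac_specific_filename(mac: str) -> str:
    """'00:1c:7f:70:2f:58' or '001C7F702F58' -> 'autoconf.00-1C-7F-70-2F-58.clish'."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    octets = [digits[i:i + 2].upper() for i in range(0, 12, 2)]
    return "autoconf." + "-".join(octets) + ".clish"


def lint_autoconf(text: str) -> List[str]:
    """Return one finding per problem line; an empty list means the file is clean.

    The unit rejects a bad hostname at boot and leaves the box half configured
    (see the error log above), so catch it on the workstation instead.
    """
    findings: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank or comment line, as in the file above
        words = line.split()
        if words[:2] == ["set", "hostname"]:
            if len(words) != 3 or not HOSTNAME_RE.match(words[2]):
                findings.append(f"{lineno}: hostname may only contain letters, digits and '-': {line}")
        if "password" in words:
            if words[:2] == ["set", "user"]:
                findings.append(f"{lineno}: admin password in clear text; use password-hash instead")
            else:
                findings.append(f"{lineno}: credential in clear text on the stick: {' '.join(words[:3])}")
    return findings


def stage(mac: str, general: str, specific: str = "") -> Dict[str, str]:
    """Map of file name -> content to copy to the stick root; raises if lint fails.

    Both files run at boot when present, general first, then MAC-specific,
    so settings in the specific script override the general ones.
    """
    files = {"autoconf.clish": general}
    if specific:
        files[mac_specific_filename(mac)] = specific
    problems = [f"{name}: {f}" for name, body in files.items() for f in lint_autoconf(body)]
    if problems:
        raise ValueError("\n".join(problems))
    return files


# Constructed samples, not from the original document; the hash is the one shown above.
SAMPLE_GENERAL = """\
# general settings shared by all units
set time-zone GMT+01:00(Amsterdam/Berlin/Bern/Rome/Stockholm/Vienna)
set user admin type admin password-hash $1$CTnQg69e$dwMJPcrB27XnAXUckPW7N0
set dns primary ipv4-address 192.0.2.53
"""

SAMPLE_SPECIFIC = """\
# per-unit settings; overrides anything set in autoconf.clish
set hostname GW-620
set interface LAN1_Switch ipv4-address 192.168.10.1 subnet-mask 255.255.255.0
"""

if __name__ == "__main__":
    for name, body in stage("00:1c:7f:70:2f:58", SAMPLE_GENERAL, SAMPLE_SPECIFIC).items():
        print(f"== {name}\n{body}")
    print(lint_autoconf("set hostname GW_620\nset user admin type admin password Secret1\n"))
```

Lines such as set sic_init password and set wlan wpa-auth-type password are reported as well; there is no hashed alternative for them on this page, so the finding is a reminder of what the stick contains rather than something to fix in the file.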

Part 4: CLI license activation and bashUser mode
sk93595 resolves issues like "License file cannot be activated through the automatic
online process" or manual activation of the license file failing with the error message
"Failed to install license: License operation failed. License may not match device."

Cause: Licenses for SG-80, 600 and 1100 appliances are bound to the MAC address of the
WAN interface. The issue occurs when the license was generated for a different MAC
address.

To resolve this issue, first confirm the MAC Address of the WAN interface on the
appliance via the CLI on the appliance. Run this command:
# fw_printenv hw_mac_addr

In the User Center, locate the Certificate Key with the MAC Address of the WAN
interface as identified in the output. Then, license the MAC Address of the WAN interface
and install the new license. From Expert mode run the command:
# bashUser on

to enable SCP connectivity (refer to sk52763). Upload the new ActivationFile.xml file
to the appliance over SCP (e.g. with WinSCP) and run the following command to
install the new activation file:
# fw activation --offline /<path_to>/ActivationFile.xml

To confirm the new license has been installed, run the command "cplic print" on the
appliance. Two licenses with the same feature set should be displayed.

Note: the command bashUser on changes the default login to go directly to Expert mode
instead of cpshell, and it also allows SCP connections to the appliance (subject to the
Administrator Access restrictions). Leave it enabled only for as long as the transfer takes.

When using WinSCP, the default protocol chosen by the application is "SFTP (Allow SCP
fallback)". This option is not supported in Security Gateway 80 and 1100 Appliances.
Change the protocol to the "SCP" option.

To change the shell back when done, issue the command:


# bashUser off

Part 5: CP 1100 / 1200R / 600 Appliances as Demo Units
Demonstration units from the 1100 and 600 series have a different licensing compared to
the "bigger" appliances. Using evaluation licenses from the User Center is not possible; the
1100 and 600 series are licensed offline with the file CPActivationFile.xml, not with the
files CPLicenseFile.lic and ServiceContract.xml.

As demo units often come with a year of Support and Services, it is easy to use the "real"
licenses. But for demo use, e.g. as a POC at a customer's site, another way of licensing is
recommended so that a 30-day trial license can always be used instead of the "real",
soon-expiring license.

First install as a Demonstration unit

Do not connect the WAN port to the Internet at all, to rule out "self service" by
pulling the license from the User Center. In the Check Point Appliance Wizard, configure the
admin credentials, country, date and time, unit name, and for 1100s also the kind of
management. Then select "Configure Internet Connection later" for the Internet connection:

Next is defining the local and WLAN network and the administrator access. Then you will
see the page (screenshot in the original):

After clicking "Next", a warning appears (screenshot in the original):

Clicking "OK" here accepts the trial license, which is also listed on the final first-time
configuration summary:

The license now looks as shown in the next screenshot; after these steps you can define
the Internet access in the WebGUI.

Using it again as a Demonstration unit

The trial license makes it possible to use all blades and services for 30 days, including
updates. After 30 days, the unit must be reset with a factory reset. A backup taken with the
trial license includes that license, complete with its starting date. Restoring backups is
possible while the trial license is installed (contrary to Edge/Safe@), but attention: 1100
and 600 series backups include the licenses installed at the time of the backup! That
makes it necessary, same as with Edge/Safe@, to configure the box with the trial
license again after the factory reset.

Using it as a Demonstration unit with expired license

If the unit has already been used with the "real" license that has now expired, installing
the 30-day trial license is a bit more complicated. As the 1100 and 600 series remember the
installed license even after a reset to factory defaults, the license with expired services
(see picture) must be removed explicitly.

Removing is only possible using the CLI, by deleting the license (and the SIC on the 1100)
during the reset while staying with the current firmware version (to revert to the factory
default image and settings, use revert to factory-defaults instead):
1100er > restore default-settings preserve-sic no preserve-license no
Restoring the default settings will delete your current settings and reboot the
appliance
Are you sure you want to continue? (yes/no): y
Restoring factory default settings...
Please wait while the appliance reboots. Please do not pull out the power cable.
1100er >
Broadcast message from root (Thu Sep 18 09:29:02 2014):

The system is going down for reboot NOW!


INIT: Restarting system.

______ __ __ _______ _ _
.' ___ |[ | [ | _ |_ __ \ (_) / |_
/ .' \_| | |--. .---. .---. | | / ] | |__) | .--. __ _ .--. `| |-'
| | | .-. |/ /__\\/ /'`\] | '' < | ___// .'`\ \[ | [ `.-. | | |
\ `.___.'\ | | | || \__.,| \__. | |`\ \ _| |_ | \__. | | | | | | | | |,
`.____ .'[___]|__]'.__.''.___.'[__| \_] |_____| '.__.' [___][___||__]\__/

** MARVELL BOARD: RD-88F6281A LE

U-Boot 1.1.4 (Jun 9 2013 - 15:20:21) Check Point version: 983002041


U-Boot code: 00600000 -> 0067FFF0 BSS: -> 006CFCE0

************ Hit 'Ctrl + C' for boot menu ************

Flash: 0 kB
set device[0x21] gpio[3] hi
set device[0x21] gpio[4] hi
set device[0x20] gpio[7] hi
set device[0x20] gpio[1] hi
set device[0x20] gpio[3] hi
set device[0x20] gpio[0] hi
set device[0x20] gpio[4] hi
set device[0x20] gpio[2] hi
set device[0x20] gpio[5] hi
set device[0x21] gpio[2] hi
set device[0x21] gpio[5] hi
set device[0x20] gpio[6] low
set device[0x21] gpio[5] hi
set device[0x20] gpio[6] hi
set device[0x21] gpio[0] low
set device[0x21] gpio[6] low
set device[0x21] gpio[0] hi
set device[0x21] gpio[6] hi
set device[0x21] gpio[7] low
set device[0x21] gpio[1] low
set device[0x21] gpio[7] hi
set device[0x21] gpio[1] hi
set device[0x21] gpio[3] low
set device[0x21] gpio[4] low

CPU : Marvell Feroceon (Rev 1)

Streaming disabled
Write allocate disabled

Module 0 is RGMII
Module 1 is TDM

USB 0: host mode


PEX 0: PCI Express Root Complex Interface
PEX interface detected Link X1
Net: egiga0, egiga1 [PRIME]

Reading data from 0xe0000 -- 100% complete.


Verifying CRC for settings area... Done

Reading data from 0x18500000 -- 100% complete.


/* Wireless region code */
USB: scanning bus for devices... 2 USB Device(s) found
0 Storage Device(s) found

Wireless device found...

NAND read: device 0 offset 0x100000, size 0x800000
Reading data from 0x900000 -- 100% complete.
8388608 bytes read: OK
Saving Environment to NAND...
Erasing Nand...Writing to Nand... done
## Booting image at 02000200 ...
Image Name: Linux-2.6.22.18
Created: 2014-08-05 17:27:50 UTC
Image Type: ARM Linux Kernel Image (uncompressed)
Data Size: 5790000 Bytes = 5.5 MB
Load Address: 00008000
Entry Point: 00008000
Verifying Checksum ... OK
OK

Starting kernel ...

Uncompressing
Linux................................................................................
.....................................................................................
.....................................................................................
....... done, booting the kernel.
INIT: version 2.86 booting

Booting Check Point RD-6281-A User Space...


INIT: Entering runlevel: 3
...................................................................................
System Started...

1100er login:

Now, the Checkpoint Appliance Wizard can be used for configuration as explained above.

Part 6: Users currently connected via RA client VPN


sk102803 explains how you can see the number of users currently connected via
Client-to-Site VPN on a locally managed 600 / 1100 / Security Gateway 80 appliance.

Follow these steps:

1. Connect over SSH to the Locally Managed 600 / 1100 / SG-80 appliance.

2. Log in to Expert mode.

3. Run the following command:


# pep show user all

This displays a table of all users currently connected, with their corresponding IP
addresses (in hexadecimal format).

Part 7: Logs, Debugs and other files
1. Important logs:
/var/log/log/sfwd.el*
/var/log/messages
/var/log/log/cpwd.elg
/var/log/log/boot_log.elg
/fwtmp/temp_boot_log

Security logs are stored in folders under /var/log/log/local/ in CP log format (a data
file plus log pointers), so you cannot read them directly.

For a support case, connect with SSH to the 600 and supply:
from CLISH: show diag
the cpinfo output (cpinfo -z -o <filename>)
In addition, if there is a core file, please collect it too (check with ls -l /logs in
Expert mode).

2. Upgrade logs:
Log files of the upgrade and the upgrade's auto-generated clish file are in the directory
/pfrm2.0/post_upgrade, with further log files in /tmp/post_upgrade.log and
/logs/backup_settings.

3. In /opt/fw1/boot/ the file ha_boot.conf contains the cluster mode settings:

ha_installed 1 ccp_mode broadcast

4. In /pfrm2.0/config2/fw1/conf/custom_logserver_ip.txt we find the IP of the external
log server.

5. Files used in debugs:


VPN debugging (sk62482):
Output is written to $FWDIR/log/sfwd.elg and $FWDIR/log/ike.elg.

Start VPND debugging and VPN IKE debugging (truncating the log files first): # vpn debug trunc
Start VPND debugging at the maximal level: # vpn debug on TDERROR_ALL_ALL=5
(Start VPN IKE debugging only: # vpn debug ikeon)

Stop VPND debugging: # vpn debug off

Stop VPN IKE debugging: # vpn debug ikeoff

There is a debug rotation which overwrites the old information, so this can be left on
for a while...

6. How to collect captures and look for drops:

- In Expert mode, collect a packet capture using the command:
# fw monitor -e "accept;" -o packet.cap

- The capture file will be located in the root folder of the device

- In a second shell run:

# fwaccel off
# fw ctl zdebug + drop > drops.txt

- Reproduce the issue to see drops and relevant packet capture

- Stop capture in both shells using control-C

- Start SecureXL again:


# fwaccel on
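For the drops.txt produced in step 6, an added example that is not part of the original document or of Check Point's tooling: a Python summariser that groups the drop lines by reason and by flow, so the relevant packets can then be located in packet.cap. The line shape it parses ("proto=N src:port -> dst:port dropped by <function> Reason: <text>;") and the sample lines are constructed assumptions about how fw_log_drop messages look; if the appliance prints them differently, only DROP_RE needs to change.

```python
"""Summarise 'fw ctl zdebug + drop' output (drops.txt) by drop reason and by flow.

Added example, not part of the original document or of Check Point's tooling.
The line shape it parses ("... proto=N src:port -> dst:port dropped by
<function> Reason: <text>;") and the sample lines below are constructed
assumptions about how fw_log_drop messages look; if the appliance prints them
differently, only DROP_RE needs to change.
"""
import re
import sys
from collections import Counter
from typing import Dict, Iterable, NamedTuple, Optional

DROP_RE = re.compile(
    r"proto=(?P<proto>\d+)\s+"
    r"(?P<src>[0-9.]+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>[0-9.]+):(?P<dport>\d+)\s+"
    r"dropped by (?P<func>\S+)\s+Reason:\s*(?P<reason>[^;]*)"
)
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


class Drop(NamedTuple):
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    func: str     # kernel function that dropped the packet
    reason: str   # free-text reason, e.g. which rule matched


def parse_drop(line: str) -> Optional[Drop]:
    """One drop record, or None for lines that are not drop messages."""
    m = DROP_RE.search(line)
    if not m:
        return None
    proto = int(m.group("proto"))
    return Drop(PROTO_NAMES.get(proto, str(proto)), m.group("src"), int(m.group("sport")),
                m.group("dst"), int(m.group("dport")), m.group("func"), m.group("reason").strip())


def summarise(lines: Iterable[str]) -> Dict[str, Counter]:
    """Counts per reason and per flow (proto, source host, destination host:port).

    Source ports are left out of the flow key on purpose: a client retrying
    a blocked connection shows up as one flow with a count, not as N lines.
    """
    by_reason: Counter = Counter()
    by_flow: Counter = Counter()
    for line in lines:
        d = parse_drop(line)
        if d is None:
            continue
        by_reason[d.reason] += 1
        by_flow[f"{d.proto} {d.src} -> {d.dst}:{d.dport}"] += 1
    return {"reason": by_reason, "flow": by_flow}


# Constructed sample of what drops.txt may contain; not captured from a real unit.
SAMPLE_DROPS = """\
;[cpu_0];[fw4_0];fw_log_drop_ex: Packet proto=6 192.0.2.10:51522 -> 198.51.100.5:22 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 3;
;[cpu_0];[fw4_0];fw_log_drop_ex: Packet proto=6 192.0.2.10:51523 -> 198.51.100.5:22 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 3;
;[cpu_0];[fw4_0];fw_log_drop_ex: Packet proto=17 192.0.2.77:5060 -> 198.51.100.5:5060 dropped by fw_conn_inspect Reason: Violated unidirectional connection;
some unrelated debug line that must be ignored
;[cpu_0];[fw4_0];fw_log_drop_ex: Packet proto=1 192.0.2.99:0 -> 198.51.100.5:0 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 3;
"""


if __name__ == "__main__":
    # usage: drop_summary.py drops.txt   (without a file name the sample above is used)
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_DROPS.splitlines()
    summary = summarise(lines)
    for key in ("reason", "flow"):
        print(f"== drops by {key}")
        for item, n in summary[key].most_common():
            print(f"{n:6d}  {item}")
```

Copy drops.txt off the appliance and run the script on the workstation; the reason column tells you whether a rule or an inspection check dropped the traffic, and the flow column gives the addresses to filter on when opening packet.cap.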

7. How to debug all:


- In Expert mode, start the debug of the main Security Daemon:
# fw debug sfwd on TDERROR_ALL_ALL=5

- Replicate the issue

- Disable the Debug:


# fw debug sfwd off TDERROR_ALL_ALL=0

- The debug file we require is: $FWDIR/log/sfwd.elg

8. How to debug IPS, Application Control and Anti-Virus update failure (sk95134):
- In Expert mode, start the debug of the main Security Daemon:
# fw debug sfwd on TDERROR_ALL_CIU=5
# fw debug sfwd on TDERROR_ALL_OnlineUpdateLib=5
# fw debug sfwd on TDERROR_ALL_FDT=5
- Perform an online update either from GUI or from CLI by running:
  o To force an Anti-Virus update: # online_update_cmd -b AV -o update
  o To force an Application Control update: # online_update_cmd -b APPI -o update
  o To force an IPS update: # online_update_cmd -b IPS -o update
- Wait for a while, until the update process fails.
- Disable the debug: # fw debug sfwd off
- Collect the log files: $FWDIR/log/sfwd.el*

The database for online update is
/pfrm2.0/share/lua/5.1/app/i18n/eng/model/bladeUpdateStatus.dictionary
You can see its information by running the pt bladeUpdateStatus command.

Syntax of online_update_cmd:
online_update_cmd -b <Blade name> -o <Operation> [-f <OfflinePackageFilename>]
Blade name is one of: APPI, AV, AB, IPS
Operation is one of: check, reconf, update, markForUpdate, offlineUpdate
Offline package filename is mandatory only if operation is offlineUpdate
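As an added example (not from the original document), a small shell wrapper around the debug procedure of section 8 and the online_update_cmd syntax just listed: it checks the blade name and operation against the lists above, enforces that -f is given only for offlineUpdate, and switches the sfwd debug off again even if the update command errors out. Command names, blade names, operations and debug topics are the document's; the functions and the UPDATE_WAIT and LOGDIR variables are assumptions.

```shell
#!/bin/sh
# Added example, not from the original document: wraps the update-failure
# debug procedure (section 8) and the online_update_cmd syntax listed with it.
# Command names, blade names, operations and debug topics are the document's;
# the functions, UPDATE_WAIT and LOGDIR are assumptions. Run in Expert mode.

BLADES="APPI AV AB IPS"
OPERATIONS="check reconf update markForUpdate offlineUpdate"

in_list() {
    # in_list WORD "LIST OF WORDS": succeeds if WORD is one of the words
    for w in $2; do
        [ "$w" = "$1" ] && return 0
    done
    return 1
}

update_cmd() {
    # update_cmd BLADE OPERATION [OFFLINE_PACKAGE]
    # Validates the arguments and prints the online_update_cmd line that
    # would run. -f is mandatory for offlineUpdate and rejected otherwise.
    blade=$1 op=$2 pkg=$3
    in_list "$blade" "$BLADES" || { echo "unknown blade: $blade" >&2; return 1; }
    in_list "$op" "$OPERATIONS" || { echo "unknown operation: $op" >&2; return 1; }
    if [ "$op" = offlineUpdate ]; then
        [ -n "$pkg" ] || { echo "offlineUpdate needs -f <OfflinePackageFilename>" >&2; return 1; }
        printf 'online_update_cmd -b %s -o %s -f %s\n' "$blade" "$op" "$pkg"
    else
        [ -z "$pkg" ] || { echo "-f is only valid with offlineUpdate" >&2; return 1; }
        printf 'online_update_cmd -b %s -o %s\n' "$blade" "$op"
    fi
}

debug_update() {
    # debug_update BLADE OPERATION [OFFLINE_PACKAGE]
    # Turns the three sfwd debug topics on, forces the update, waits
    # UPDATE_WAIT seconds (default 60, an assumption) for the failure to show
    # up, turns the debug off again and copies $FWDIR/log/sfwd.el* to LOGDIR
    # (default /logs). The debug is switched off even if the update command
    # itself returns an error.
    update_cmd "$@" >/dev/null || return 1
    blade=$1 op=$2 pkg=$3
    fw debug sfwd on TDERROR_ALL_CIU=5
    fw debug sfwd on TDERROR_ALL_OnlineUpdateLib=5
    fw debug sfwd on TDERROR_ALL_FDT=5
    rc=0
    if [ -n "$pkg" ]; then
        online_update_cmd -b "$blade" -o "$op" -f "$pkg" || rc=$?
    else
        online_update_cmd -b "$blade" -o "$op" || rc=$?
    fi
    sleep "${UPDATE_WAIT:-60}"
    fw debug sfwd off
    cp "$FWDIR"/log/sfwd.el* "${LOGDIR:-/logs}"/ || echo "no sfwd.el* files found in $FWDIR/log" >&2
    return $rc
}
```

Source the file in Expert mode and run, for instance, debug_update IPS update; the collected sfwd.el* files are then in LOGDIR for the support case.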

9. Blade Status and Configuration files:

- Blades status and licensing: /opt/fw1/conf/blades.xml
- Blades enabled (1) / disabled (0): /opt/fw1/conf/active_blades.txt
- VPN client config: /opt/fw1/trac_client_1.ttm ; /opt/fw1/vpn_client_1.ttm

References:
Check Point 1100 and 600 Appliance CLI and Advanced Routing Administration Guide
(http://supportcontent.checkpoint.com/documentation_download?ID=26395)

Check Point 1100 Appliance Centrally Managed Administration Guide
(http://supportcontent.checkpoint.com/documentation_download?ID=23999)

Check Point 1100 Appliance Locally Managed Administration Guide
(http://supportcontent.checkpoint.com/documentation_download?ID=25040)

Check Point 1200R Appliance Centrally Managed Administration Guide
(http://supportcontent.checkpoint.com/documentation_download?ID=40316)

Check Point 600 Appliance Administration Guide
(http://supportcontent.checkpoint.com/documentation_download?ID=24000)

SKs concerning firmware versions:

sk93307 Check Point R75.20 HFA 1 for 1100 Appliance
sk94227 Check Point R75.20 HFA 25 for 600 / 1100 Appliance and Security Gateway 80
sk95589 Check Point R75.20 HFA 30 (R75.20.30) for 600 / 1100 Appliance and Security Gateway 80
sk97186 Check Point R75.20 HFA 40 (R75.20.40) for 600 / 1100 Appliance and Security Gateway 80
sk97766 R75.20.x releases of Check Point 600_1100 Appliances
sk98158 Check Point R75.20 HFA 41 (R75.20.41) for 600 / 1100 Appliance and Security Gateway 80
sk98309 Check Point R75.20 HFA 42 (R75.20.42) for 600 / 1100 Appliance and Security Gateway 80
sk98332 Security enhancements for 600_1100 Appliance and Security Gateway 80
sk98404 Check Point R75.20 HFA 50 (R75.20.50) for 600 / 1100 Appliance and Security Gateway 80
sk100442 Check Point R75.20 HFA 60 (R75.20.60) for 600 / 1100 Appliance and Security Gateway 80
sk101972 Check Point R75.20 HFA 65 (R75.20.65) for 600 / 1100 Appliance and Security Gateway 80
sk102731 Check Point R75.20 HFA 66 (R75.20.66) for 600 / 1100 Appliance and Security Gateway 80
sk103151 Check Point R75.20 HFA 67 (R75.20.67) for 600 / 1100 Appliance and Security Gateway 80 Appliance
sk103152 Check Point R75.20 HFA 51 (R75.20.51) for 600 / 1100 Appliance and Security Gateway 80
sk103735 Check Point R75.20 HFA 69 (R75.20.69) for 600 / 1100 Appliance and Security Gateway 80 Appliance
sk105379 Check Point R77.20 for 600 / 1100 / 1200R Appliance
sk105380 Check Point R77.20 for 600 / 1100 / 1200R Appliance Known Limitations

The following is a list of the more important 600 / 1100 SKs:

sk44233 DCE-RPC Interface UUID do not pass through Security Gateway, despite the rulebase that allows such traffic
sk52763 Connection to Security Gateway 80 or 1100 Appliance with WinSCP fails
sk53580 How to remove Alias IP address from Security Gateway 80_600_1100 appliance without reboot
sk60793 Configuring Security Gateways to allow connection of networks to a PPTP server while using Hide-NAT (GRE and Hide-NAT support)

sk62482 How to debug VPN issues on Security Gateway 80_600_1100 appliances
sk62822 Link Selection probing feature is not supported on Security Gateway 80_600_1100 appliances
sk65015 How to disable SecureXL permanently on Security Gateway 80_600_1100 appliance
sk66381 How to configure Management behind NAT in Security Gateway 80 / 1100 Appliance setup
sk69726 VPN Routing does not work and traffic to other satellites leaves in_clear_when setting up SmartLSM profile in Star Community appliance
sk86321 How to debug FWD daemon
sk87520 600 Appliance - How to connect to the office using Check Point Remote Access (VPN) clients
sk87522 600 Appliance - How to connect to the office using SSL VPN
sk87523 600 Appliance - How to connect to the office using Windows VPN client (L2TP client)
sk90342 Check Point 1100 Appliance Known Limitations
sk91842 Check Point 600 Appliance Known Limitations
sk92445 Check Point 600 Appliance
sk92446 Check Point 1100 Appliance
sk92741 Gaia Embedded OS features
sk92809 Supported 3G and 4G/LTE Modems with Check Point 600 / 1100 / 1200R appliances
sk93200 SIP traffic is blocked by IPS default policy on 600_1100 appliance
sk93532 Invalid certificate_error when trying to establish a Site-to-site VPN with locally managed Check Point 600 or 1100
sk93566 DAIP/LSM 1100/SG80 has connectivity issues with Security Management / Log server
sk93588 How to create_Allow and Forward_rule on 600 and 1100 locally managed appliances
sk93595 How to resolve the 'License may not match device' error
sk93613 How to enable Remote Desktop from specific host on the Internet to a server behind 600_1100 appliance
sk93746 Connection on TCP port 443 is blocked on 600 and 1100 appliances
sk93776 How to uninstall R75.47 from upgraded Security Management Server that manages Security Gateway 80 and 1100 appliances with WLAN or VAP interfaces through SmartProvisioning
sk94028 Configuring Site-to-Site VPN between a Locally Managed 600_1100 appliance and an R75 Security Gateway using certificate
sk95009 Failure to establish SIC or push policy to 1100 appliance
sk95134 How to debug IPS, Application Control and Anti-Virus update failure on 600_1100 appliances
sk95208 MIB files location in 600 and 1100 appliances
sk95236 GUI not showing the correct MAC or firewall type after importing backup
sk95448 600_1100 appliance does not send logs to Log Server
sk95769 Configuring Proxy ARP for Manual NAT on Locally Managed 600_1100 appliances
sk95770 Changing the priority of Internet connections on Locally Managed 600_1100 appliances
sk95969 List of Implied Rules for R75.20.X
sk96189 How to debug random reboot issues on 600/1100 Locally Managed appliance
sk97286 Policy installation in WebUI or CLI fails on Security Gateway 80 appliance
sk97519 1100 Appliance does not send logs to a Security Management server behind NAT
sk97867 Policy installation on 1100 Appliances from SmartDashboard fails when there are more than 10 objects of 1100 gateways defined
sk97949 SmartView Tracker logs shows that X11 traffic was rejected as "Attack Name: X11 Enforcement Violation"
sk98089 Application Control_URL Filtering logs from 600_1100 appliance show only some URLs from the session when using_Extended Log
sk98157 Centrally managed 1100 appliance with multiple external interfaces fails to re-establish VPN tunnel

sk98190 How to configure Route-Based VPN with BGP on Locally managed 600_1100 appliance
sk98487 Website partially loads if users are behind 600_1100 gateway
sk98549 How to Burn CheckPoint 600_1100 Appliances version with Disk-On-Key
sk98604 No valid SA when creating VPN tunnel between 600 appliance and 3rd party gateway
sk98606 Policy fetch fails or Policy Install fails on Centrally Managed 1100 appliance with "Error loading security policy"
sk98858 DHCP daemon saves dhcpd.conf.LANx file incorrectly on 1100_600_Security Gateway 80 appliance
sk98981 Client cannot reach resources on the remote site
sk99015 Policy installation onto Centrally Managed 1100 appliance fails due to over-sized 'local.cfg' file
sk99055 Source IP address is natted on Check Point 600_1100 appliance
sk99117 How to configure DHCP Option 66 on Check Point 600_1100 appliances
sk99131 ADSL fails to connect in CP600_1100
sk99132 Setting SNX connection timeout in 600_1100 appliances for R75.20 HFA50
sk100236 DHCP is not providing an IP address on Locally managed 600_1100 appliances
sk100242 Although DDNS on the Locally Managed 600_1100 appliance renewed the IP address, VPN clients still connect to the previous IP
sk100245 Site-to-Site VPN between 600_1100 appliance and Safe@Office device does not pass traffic
sk100270 Unable to establish connectivity when configuring a Route Based VPN for Locally Managed 600_1100 appliance
sk100278 C2S not connecting to updated IP when using DDNS
sk100306 Some web sites are not blocked by URL Filtering on Locally Managed 600_1100 appliance
sk100307 How to verify the version of Check Point MIB file on Security Gateway 80_600_1100 appliances
sk100313 How to configure PPTP passthrough on 600_1100 appliances
sk100316 VPN Tunnel status is 'Down' in Locally Managed 600_1100 appliances GUI even though the VPN tunnel is up
sk100471 When trying to access a web sites located behind a Locally Managed 600_1100 appliance, user is redirected to appliances Web GUI
sk100509 How to use Windows 8.1 Check Point Mobile VPN plugin to connect to locally managed 1100/600
sk100519 Security Management Portal for Check Point 600 Appliance
sk100565 1100 Appliance does not send logs to Security Management server
sk100577 Traffic stops passing through a Site-to-site VPN tunnel with 600_1100 appliance
sk101066 How to configure external WAP with inspection on 600_1100 appliance
sk101131 Wrong routing decisions on Appliance 1100_600
sk101187 In strict mode, Nodes behind 600_1100 appliance are unable to access resources behind remote gateway through VPN tunnel
sk101307 600_1100 appliance hangs_freezes, fails to update software blades
sk101460 How to configure Site to Site with overlapping encryption networks
sk101433 BGP_Peer x.x.x.x not configured_error on CLI when trying to configure Internal BGP peer on 600_1100_Security Gateway 80
sk101466 Configure L2TP connection from Windows 7 client to Locally Managed 600_1100 appliance
sk101535 When trying to establish C2S VPN, connection gets stuck at 43% with error "Connection failed "No response from gateway for 1st packet""
sk101469 Site to Site VPN fails when locally managed 600_1100 or Edge is Natted behind another machine
sk101568 VPN tunnel fails to recover between locally managed 600_1100 appliance on DAIP and centrally managed gateway
sk101666 Allowed inbound rule blocked on rule 0 for locally managed Check Point 600 appliance
sk101828 Remote Access client connects successfully to Centrally Managed 600_1100_Security Gateway 80 appliance, but is not able to
sk101850 How to define Administrator's access to 600_1100 appliance from WAN in a secure manner

sk102046 When select Turn on QoS Logging checkbox, selection not saved in Centrally Managed 600_1100_Security Gateway 80 object
sk102069 Remote Access VPN users are unable to access internal network resources through 600_1100 appliance via resource DNS name
sk102087 Access Role containing a network object is not enforced on 1100 Gateway
sk102126 When attempt to login to appliance WebUI, see following error: "Login attempt is denied because 'admin' user already logged in"
sk102187 Endpoint Connect client connects to Locally Managed 600_1100 appliance, but disconnects after 20 seconds, if SecureXL is enabled
sk102208 When remote access users connect to the local 600_1100 VPN server, one of the sides is unable to hear anything
sk102296 How to activate inspection on internal traffic (1100_600 appliances)
sk102367 Running port scans on 600 and 1100 appliances show 443 with no servers defined
sk102400 Unable to activate software blades in the object of Centrally Managed 600_1100 appliance
sk102526 Pushing policy to 1100 appliance from SmartProvisioning fails with "CPRID error #1" or "CPRID error #2"
sk102559 Bridge mode 600_1100 URLF_APP traffic is not redirected correctly_Redirect action rule 1953 (outgoing)
sk102567 ADLog command fails when adding network exclusion to ADQuery on 1100 Appliance
sk102803 How to see users currently connected via Client-to-Site VPN on Locally Managed 600_1100_Security Gateway-80 appliance
sk102819 Policy installation on Centrally Managed 600_1100 appliance fails with_Installation failed. Reason_IP = X.X.X.X is not available
sk102834 Activate 600_1100 (Locally managed) while disconnected from internet
sk102836 L2TP VPN connection to Locally Managed 600_1100_Security Gateway 80 appliance disconnects every 2 minutes
sk102947 Policy installation on Security Gateway 80_600_100 appliance fails with_ERROR_target Name_of_Object is prohibited
sk103210 A certificate error pops-up when open a Microsoft Outlook 2007/2010
sk103215 1100 Appliance managed by Smart Provisioning/Smart LSM sends logs to internal IP address of Security Management
sk103288 Policy installation on 1100 appliance fails with 'Load on Module failed - failed to load Security Policy' after IPS update
sk103368 Internal URLs are not resolved from internal DNS server for Remote Access Clients for locally managed 600/1100
sk103413 Changes in custom_logserver_ip are not saved after reboot on 600 / 1100
sk103423 Access to web sites fails with multiple "Internal System Error" logs from Application Control / URL Filtering
sk103495 Active Directory Server fails with "no matches found" error
sk103497 600 / 1100 appliance fails to connect to Cloud Services Server with log "Web server error ... attempt to perform arithmetic on local 'hbInterval' (a nil value)"
sk103565 Permanent VPN Tunnel between 600 / 1100 appliance and Check Point Security Gateway is reported as 'Down'
sk103973 Unable to establish a VPN between Microsoft Azure and a 600 / 1100 / Security Gateway 80 Appliance
sk104082 Unable to establish incoming SIP calls through Locally Managed 600 / 1100 appliance when using two separate external servers for SIP and RTP
sk104095 RC4 cipher is allowed for Inbound HTTPS inspection
sk104599 DHCP Relay functionality over VPN on 600 / 1100 appliance stops working after fail-over from ADSL to Cellular Modem (3G)
sk104783 "malloc failed: Cannot allocate memory" failure during policy installation on 600 / 1100 / Security Gateway 80 appliance
sk104999 Migration from Edge device to Check Point 600 / 1100 appliance
sk105537 Security Management Portal R12 for Check Point 600 / 1100 / 1200R Appliances
sk106290 Security Management Portal R12 for Check Point 600 / 1100 / 1200R Appliances Known Limitations
sk106348 Working with VLANs on 600 / 1100 / 1200R appliances and Edge / Safe@Office devices
sk106367 Policy installation fails on 1100 / 1200R appliance when using Threat Prevention rules installed on cluster
