Support Center > Search Results > SecureKnowledge Details
Multi-Queue hotfix for Security Gateway R75.47 and lower
Solution

Table of Contents:

  • Introduction
  • Notes
  • Supported network interface cards
  • Hotfix installation for R70.50
  • Hotfix installation for R71.50
  • Hotfix installation for R75.40
  • Hotfix installation for R75.40VS
  • Hotfix installation for R75.45
  • Hotfix installation for R75.45 - for DLP Inspection on Mirror Port
  • Hotfix installation for R75.46
  • Hotfix installation for R75.47

 

Introduction

Today, each network interface card has one traffic queue that is handled by one CPU at a time.

Since the Secure Network Dispatcher (SND) - SecureXL and CoreXL dispatcher is running on the CPU cores that handle the traffic queues, user cannot use more CPU cores for acceleration than the number of network interface cards passing the traffic.

Multi-Queue lets the user configure more than one traffic queue for each network interface card, which allows using more CPU cores for acceleration. Multi-Queue is supported on network interface cards that use igb or ixgbe drivers.

Refer to the Multi-Queue Guide for more details:

 

Notes

  • Multi-Queue feature is integrated into R76, R77 and above.
    For other versions, a Multi-Queue package (hotfix) is provided in order to add the Multi-Queue feature.

    Note: Multi-Queue hotfix was not integrated into R75.46 / R75.47 versions.

  • Multi-Queue hotfix is available for R70.50 / R71.50 / R75.40 / R75.40VS / R75.45 / R75.46 / R75.47 versions.
    Other versions must be upgraded to one of the above versions (in order to get the most stable, secure and robust system).

  • The Multi-Queue hotfix does not depend on any other Check Point hotfix, and other Check Point hotfixes do not depend on the Multi-Queue hotfix.

  • If an older version of Multi-Queue hotfix is installed on the Security Gateway, then the hotfix and its configuration will be lost during the upgrade from one Check Point version to another (e.g., from R70.50 to R75.40). This hotfix must be installed after upgrading in order to add the Multi-Queue functionality. Once the Multi-Queue hotfix is installed, user must configure the Multi-Queue again.

  • Before uninstalling the Multi-Queue hotfix, it is necessary to completely disable the Multi-Queue on all interfaces (run the cpmq set command - disable the Multi-Queue on each interface).

 

Supported network interface cards

 

Multi-Queue is supported only on machines that run SecurePlatform or Gaia operating system, and only for network interface cards that use igb (1 GbE) and ixgbe (10 GbE) drivers. This statement applies to Check Point Security Appliances and to Open Servers.

 

  1. Check Point Security Appliances running SecurePlatform / Gaia OS

    1 GbE cards

    Expansion Card Model CPAC-2-1F CPAC-4-1F CPAC-4-1C CPAC-4-1C-L CPAC-8-1C CPAC-8-1C-L CPAC-12-1C-21000 CPAC-12-1F-21000
    Ethernet Controller Intel
    82580EB
    Intel
    82580
    Intel
    82580EB
    Intel
    82580EB
    Intel
    82580EB
    Intel
    82580EB
    Intel
    82576EB
    Intel
    82576EB
    Ethernet Controller Speed 1 GbE 1 GbE 1 GbE 1 GbE 1 GbE 1 GbE 1 GbE 1 GbE
    Driver Type igb igb igb igb igb igb igb igb
    Supported Platforms 4200
    4400
    4600
    4800
    12200
    12400
    12600
    13500
    13800
    4200
    4400
    4600
    4800
    12200
    12400
    12600
    13500
    13800
    4200
    4400
    4600
    4800
    12200
    12400
    12600
    13500
    13800
    4800
    12200
    12400
    12600
    13500
    13800
    21400
    21600
    21700
    21800
    21400
    21600
    21700
    21800

    10 GbE cards

    Expansion Card Model CPPWR-2-10SRF CPPWR-2-10LRF CPAC-2-10F CPAC-4-10F CPAC-4-10F-21000 CPAC-ACCL-4-10F-21000*
    Ethernet Controller Intel
    82598EB
    Intel
    82598EB
    Intel
    82598
    Intel
    82599EB
    Intel
    82599EB
    Intel
    82599EB
    Ethernet Controller Speed 10 GbE 10 GbE 10 GbE 10 GbE 10 GbE 10 GbE
    Driver Type ixgbe ixgbe ixgbe ixgbe ixgbe ixgbe
    Supported Platforms Power 507x
    Power 907x
    Power 110xx
    Power 507x
    Power 907x
    Power 110xx
    4800
    12200
    12400
    12600
    13500
    13800
    12200
    12400
    12600
    13500
    13800
    13800
    21400
    21600
    21700
    21800
    21400
    21600
    21700
    21800
    Note: 'CPAC-ACCL-4-10F-21000' is a Security Acceleration Module (SAM108).

    Fail Open cards (also known as Bypass cards)

    Expansion Card Model CPAC-4-1C-BP CPAC-4-1FSR-BP CPAC-4-1FLR-BP CPAC-2-10FSR-BP CPAC-2-10FLR-BP
    Ethernet Controller Intel
    82580EB
    Intel
    82580EB
    Intel
    82580EB
    Intel
    82599ES
    Intel
    82599ES
    Ethernet Controller Speed 1 GbE 1 GbE 1 GbE 10 GbE 10 GbE
    Driver Type igb igb igb ixgbe ixgbe
    Supported Platforms 4200
    4400
    4600
    4800
    12200
    12400
    12600
    13500
    13800
    Smart-1 225
    Smart-1 3050
    Smart-1 3150
    4200
    4400
    4600
    4800
    12200
    12400
    12600
    13500
    13800
    Smart-1 225
    Smart-1 3050
    Smart-1 3150
    4200
    4400
    4600
    4800
    12200
    12400
    12600
    13500
    13800
    Smart-1 225
    Smart-1 3050
    Smart-1 3150
    4800
    12200
    12400
    12600
    13500
    13800
    Smart-1 225
    Smart-1 3050
    Smart-1 3150
    4800
    12200
    12400
    12600
    13500
    13800
    Smart-1 225
    Smart-1 3050
    Smart-1 3150


  2. IP Appliances running Gaia OS

    Multi-Queue is supported on IP1280, IP2450 machines for the XMC 1 GbE network interface cards.

  3. Open Servers running SecurePlatform / Gaia OS

    To check, which driver is used by an interface, run:

    [Expert@FW]# ethtool -i <interface_name>

 

Hotfix installation for R70.50

Follow these instructions for installing the Multi-Queue hotfix:

  1. Download the FireWall hotfix from here to your Security Gateway into some directory (in our example, "/path_to_hotfix/fw/").

  2. Download the SecureXL hotfix from here to your Security Gateway into some directory (in our example, "/path_to_hotfix/sim/").

  3. Download the Linux kernel RPM (with necessary NIC drivers igb v2.4.13 and ixgbe v3.1.17) to your Security Gateway into some directory (in our example, "/path_to_hotfix/kernel/"):

    1. Check if the CPU supports Physical Address Extension (PAE):

      [Expert@HostName]# (cat /proc/cpuinfo | grep 'flags' | awk 'NR==1' | grep -qi 'pae' && echo PAE) || (echo No-PAE)

    2. Check the current kernel edition:

      [Expert@HostName]# uname -r

    3. If the CPU supports PAE, and the output of 'uname -r' command shows '2.6.18-92cp', then download the 32-bit PAE kernel from here.

    4. If the CPU does not support PAE (output was 'No-PAE'), and the output of 'uname -r' command shows '2.6.18-92cp', then download the 32-bit noPAE kernel from here.


  4. Unpack the FireWall hotfix package:

    [Expert@HostName]# cd /path_to_hotfix/fw/
    [Expert@HostName]# tar -zxvf fw1_HOTFIX_FLO_HF_HA50_042.tgz

  5. Install the FireWall hotfix:

    [Expert@HostName]# ./fw1_HOTFIX_FLO_HF_HA50_042_730042004_1

    Follow the instructions on the screen.

    Note: all Check Point services will be stopped during the installation.

  6. The installation will prompt for a reboot once it finishes. Do not reboot yet.

  7. Unpack the SecureXL hotfix package:

    [Expert@HostName]# cd /path_to_hotfix/sim/
    [Expert@HostName]# tar -zxvf sim_HOTFIX_FLO_HF_HA50_042.tgz

  8. Install the SecureXL hotfix:

    [Expert@HostName]# ./sim_HOTFIX_FLO_HF_HA50_042_730042001_1

    Follow the instructions on the screen.

    Note: all Check Point services will be stopped during the installation.

  9. The installation will prompt for a reboot once it finishes. Do not reboot yet.

  10. Install the Linux kernel(s) with NIC drivers:

    [Expert@HostName]# cd /path_to_hotfix/kernel/
    [Expert@HostName]# rpm -Uvh --force kernel*.rpm

  11. Reboot the Security Gateway:

    [Expert@HostName]# reboot

  12. For further details refer to the Multi-Queue Guide.

 

Hotfix installation for R71.50

Follow these instructions for installing the Multi-Queue hotfix:

  1. Download the FireWall hotfix from here to your Security Gateway into some directory (in our example, "/path_to_hotfix/fw/").

  2. Download the SecureXL hotfix from here to your Security Gateway into some directory (in our example, "/path_to_hotfix/sim/").

  3. Download the Linux kernel RPM (with necessary NIC drivers igb v2.4.13 and ixgbe v3.1.17) to your Security Gateway into some directory (in our example, "/path_to_hotfix/kernel/"):

    1. Check if the CPU supports Physical Address Extension (PAE):

      [Expert@HostName]# (cat /proc/cpuinfo | grep 'flags' | awk 'NR==1' | grep -qi 'pae' && echo PAE) || (echo No-PAE)

    2. Check the current kernel edition:

      [Expert@HostName]# uname -r

    3. If the CPU supports PAE, and the output of 'uname -r' command shows '2.6.18-92cp', then download the 32-bit PAE kernel from here.

    4. If the CPU does not support PAE (output was 'No-PAE'), and the output of 'uname -r' command shows '2.6.18-92cp', then download the 32-bit noPAE kernel from here.


  4. Unpack the FireWall hotfix package:

    [Expert@HostName]# cd /path_to_hotfix/fw/
    [Expert@HostName]# tar -zxvf fw1_HOTFIX_FLINT_HF_HA50_019.tgz

  5. Install the FireWall hotfix:

    [Expert@HostName]# ./fw1_HOTFIX_FLINT_HF_HA50_019_976019004_1

    Follow the instructions on the screen.

    Note: all Check Point services will be stopped during the installation.

  6. The installation will prompt for a reboot once it finishes. Do not reboot yet.

  7. Unpack the SecureXL hotfix package:

    [Expert@HostName]# cd /path_to_hotfix/sim/
    [Expert@HostName]# tar -zxvf sim_HOTFIX_FLINT_HF_HA50_019.tgz

  8. Install the SecureXL hotfix:

    [Expert@HostName]# ./sim_HOTFIX_FLINT_HF_HA50_019_976019001_1

    Follow the instructions on the screen.

    Note: all Check Point services will be stopped during the installation.

  9. The installation will prompt for a reboot once it finishes. Do not reboot yet.

  10. Install the Linux kernel(s) with NIC drivers:

    [Expert@HostName]# cd /path_to_hotfix/kernel/
    [Expert@HostName]# rpm -Uvh --force kernel*.rpm

  11. Reboot the Security Gateway:

    [Expert@HostName]# reboot

  12. For further details refer to the Multi-Queue Guide.

 

Hotfix installation for R75.40

Note: it is strongly recommended to upgrade from R75.40 to R75.40VS or to R75.45

  1. Download the FireWall hotfix from here to your Security Gateway into some directory (in our example, "/path_to_hotfix/").

  2. Download the Linux kernel RPM (with necessary NIC drivers igb v2.4.13 and ixgbe v3.1.17) to your Security Gateway into some directory (in our example, "/path_to_hotfix/"):

    1. Check if the CPU supports Physical Address Extension (PAE):

      [Expert@HostName]# (cat /proc/cpuinfo | grep 'flags' | awk 'NR==1' | grep -qi 'pae' && echo PAE) || (echo No-PAE)

    2. Check the current kernel edition:

      [Expert@HostName]# uname -r

    3. If the CPU supports PAE, and the output of 'uname -r' command shows '2.6.18-92cp', then download the 32-bit PAE kernel from here.

    4. If the CPU does not support PAE (output was 'No-PAE'), and the output of 'uname -r' command shows '2.6.18-92cp', then download the 32-bit noPAE kernel from here.

    5. If the output of 'uname -r' command shows '2.6.18-92cpx86_64', then download the 64-bit kernel from here.

    Note: if both kernel editions (32-bit and 64-bit) need to be used, then download both kernels.

  3. Unpack the FireWall hotfix package:

    [Expert@HostName]# cd /path_to_hotfix/
    [Expert@HostName]# tar -zxvf fw1_wrapper_HOTFIX_FIBER_HF_BASE_092.tgz

  4. Install the FireWall hotfix:

    [Expert@HostName]# ./fw1_wrapper_HOTFIX_FIBER_HF_BASE_092_986092002_1

    Follow the instructions on the screen.

    Note: all Check Point services will be stopped during the installation.

  5. The installation will prompt for a reboot once it finishes. Do not reboot yet.

  6. Install the Linux kernel(s) with NIC drivers:

    [Expert@HostName]# cd /path_to_hotfix/
    [Expert@HostName]# rpm -Uvh --force kernel*.rpm

  7. Reboot the Security Gateway:

    [Expert@HostName]# reboot

  8. For further details refer to the Instructions for Multi-Queue hotfix for R75.40.

 

Hotfix installation for R75.40VS

Follow these instructions for installing the Multi-Queue hotfix:

  1. Download the FireWall hotfix from here to your Security Gateway into some directory (in our example, "/path_to_hotfix/").

  2. Download the Linux kernel RPM (with necessary NIC drivers igb v2.4.13 and ixgbe v3.1.17) to your Security Gateway into some directory (in our example, "/path_to_hotfix/"):

    1. Check if the CPU supports Physical Address Extension (PAE):

      [Expert@HostName]# (cat /proc/cpuinfo | grep 'flags' | awk 'NR==1' | grep -qi 'pae' && echo PAE) || (echo No-PAE)

    2. Check the current kernel edition:

      [Expert@HostName]# uname -r

    3. If the CPU supports PAE, and the output of 'uname -r' command shows '2.6.18-92cp', then download the 32-bit PAE kernel from here.

    4. If the CPU does not support PAE (output was 'No-PAE'), and the output of 'uname -r' command shows '2.6.18-92cp', then download the 32-bit noPAE kernel from here.

    5. If the output of 'uname -r' command shows '2.6.18-92cpx86_64', then download the 64-bit kernel from here.

    Note: if both kernel editions (32-bit and 64-bit) need to be used, then download both kernels.

  3. Unpack the FireWall hotfix package:

    [Expert@HostName]# cd /path_to_hotfix/
    [Expert@HostName]# tar -zxvf fw1_wrapper_HOTFIX_HF_MULTI_QUEUE_001.tgz

  4. Install the FireWall hotfix:

    [Expert@HostName]# ./fw1_wrapper_HOTFIX_HF_MULTI_QUEUE_001_000001014_1

    Follow the instructions on the screen.

    Note: all Check Point services will be stopped during the installation.

  5. The installation will prompt for a reboot once it finishes. Do not reboot yet.

  6. Install the Linux kernel(s) with NIC drivers:

    [Expert@HostName]# rpm -Uvh --force kernel*.rpm

  7. Reboot the Security Gateway:

    [Expert@HostName]# reboot

  8. For further details refer to the Multi-Queue Guide.

 

Hotfix installation for R75.45

Follow these instructions for installing the Multi-Queue hotfix:

  1. Download the FireWall hotfix from here to your Security Gateway into some directory (in our example, "/path_to_hotfix/fw/").

  2. Download the SecureXL hotfix from here to your Security Gateway into some directory (in our example, "/path_to_hotfix/sim/").

  3. Download the Linux kernel RPM (with necessary NIC drivers igb v2.4.13 and ixgbe v3.1.17) to your Security Gateway into some directory (in our example, "/path_to_hotfix/kernel/"):

    1. Check if the CPU supports Physical Address Extension (PAE):

      [Expert@HostName]# (cat /proc/cpuinfo | grep 'flags' | awk 'NR==1' | grep -qi 'pae' && echo PAE) || (echo No-PAE)

    2. Check the current kernel edition:

      [Expert@HostName]# uname -r

    3. If the CPU supports PAE, and the output of 'uname -r' command shows '2.6.18-92cp', then download the 32-bit PAE kernel from here.

    4. If the CPU does not support PAE (output was 'No-PAE'), and the output of 'uname -r' command shows '2.6.18-92cp', then download the 32-bit noPAE kernel from here.

    5. If the output of 'uname -r' command shows '2.6.18-92cpx86_64', then download the 64-bit kernel from here.

    Note: if both kernel editions (32-bit and 64-bit) need to be used, then download both kernels.

  4. Unpack the FireWall hotfix package:

    [Expert@HostName]# cd /path_to_hotfix/fw/
    [Expert@HostName]# tar -zxvf fw1_wrapper_HOTFIX_FOXX_HF_HA45_030.tgz

  5. Install the FireWall hotfix:

    [Expert@HostName]# ./fw1_wrapper_HOTFIX_FOXX_HF_HA45_030_986030001_1

    Follow the instructions on the screen.

    Note: all Check Point services will be stopped during the installation.

  6. The installation will prompt for a reboot once it finishes. Do not reboot yet.

  7. Unpack the SecureXL hotfix package:

    [Expert@HostName]# cd /path_to_hotfix/sim/
    [Expert@HostName]# tar -zxvf sim_HOTFIX_FOXX_HF_HA45_030.tgz

  8. Install the SecureXL hotfix:

    [Expert@HostName]# ./sim_HOTFIX_FOXX_HF_HA45_030_986030001_1

    Follow the instructions on the screen.

    Note: all Check Point services will be stopped during the installation.

  9. The installation will prompt for a reboot once it finishes. Do not reboot yet.

  10. Install the Linux kernel(s) with NIC drivers:

    [Expert@HostName]# cd /path_to_hotfix/kernel/
    [Expert@HostName]# rpm -Uvh --force kernel*.rpm

  11. Reboot the Security Gateway:

    [Expert@HostName]# reboot

  12. For further details refer to the Multi-Queue Guide.

 

Hotfix installation for R75.45 - for DLP Inspection on Mirror Port

Introduction:

The "Multi-Queue" hotfix ('FireWall' part) was merged into the "DLP" hotfix, in order to allow the installation of both hotfixes on the same machine.

Background:

The Check Point R75.45 Data Loss Prevention Hotfix lets DLP use "Monitor Mode" on Gaia OS, or "SPAN port scanning" on SecurePlatform OS.

After you install the DLP hotfix, the DLP Security Gateway can run scans simultaneously - SMTP scan on SPAN ports, and scan e-mails sent from Outlook clients to the DLP Security Gateway with an Add-In.

You can enable the Anti-Bot, IPS and Application Control Software Blades with this Hotfix, for demonstration purposes only.

Note: SMTP or HTTP Tap Mode can be deployed as a supportable configuration on DLP-1 appliances. For other Security Gateways (and appliances), after this hotfix is applied and Tap mode enabled, it can only serve as a Demo. The Security Gateway cannot replace a production firewall.

Follow these instructions for installing the Multi-Queue/DLP hotfix:

  1. Download the DLP hotfix from here to your Desktop / Laptop computer.

    Open the downloaded ZIP archive Check_Point_R75.45_DLP_hotfix.zip.

    Copy the hotfix file itself fw1_wrapper_HOTFIX_R75_45_DLP_HF_001_986004002_1 from your Desktop / Laptop computer to your DLP Security Gateway into some directory (in our example, "/path_to_hotfix/dlp/").

  2. Download the SecureXL hotfix from here to your DLP Security Gateway into some directory (in our example, "/path_to_hotfix/sim/").

  3. Download the Linux kernel RPM (with necessary NIC drivers igb v2.4.13 and ixgbe v3.1.17) to your DLP Security Gateway into some directory (in our example, "/path_to_hotfix/kernel/"):

    1. Check if the CPU supports Physical Address Extension (PAE):

      [Expert@HostName]# (cat /proc/cpuinfo | grep 'flags' | awk 'NR==1' | grep -qi 'pae' && echo PAE) || (echo No-PAE)

    2. Check the current kernel edition:

      [Expert@HostName]# uname -r

    3. If the CPU supports PAE, and the output of 'uname -r' command shows '2.6.18-92cp', then download the 32-bit PAE kernel from here.

    4. If the CPU does not support PAE (output was 'No-PAE'), and the output of 'uname -r' command shows '2.6.18-92cp', then download the 32-bit noPAE kernel from here.

    5. If the output of 'uname -r' command shows '2.6.18-92cpx86_64', then download the 64-bit kernel from here.

    Note: if both kernel editions (32-bit and 64-bit) need to be used, then download both kernels.

  4. Install the DLP hotfix:

    [Expert@HostName]# cd /path_to_hotfix/dlp/
    [Expert@HostName]# ./fw1_wrapper_HOTFIX_R75_45_DLP_HF_001_986004002_1

    Follow the instructions on the screen.

    Note: all Check Point services will be stopped during the installation.

  5. The installation will prompt for a reboot once it finishes. Do not reboot yet.

  6. Unpack the SecureXL hotfix package:

    [Expert@HostName]# cd /path_to_hotfix/sim/
    [Expert@HostName]# tar -zxvf sim_HOTFIX_FOXX_HF_HA45_030.tgz

  7. Install the SecureXL hotfix:

    [Expert@HostName]# ./sim_HOTFIX_FOXX_HF_HA45_030_986030001_1

    Follow the instructions on the screen.

    Note: all Check Point services will be stopped during the installation.

  8. The installation will prompt for a reboot once it finishes. Do not reboot yet.

  9. Install the Linux kernel(s) with NIC drivers:

    [Expert@HostName]# cd /path_to_hotfix/kernel/
    [Expert@HostName]# rpm -Uvh --force kernel*.rpm

  10. Reboot the DLP Security Gateway:

    [Expert@HostName]# reboot

  11. For further details:

 

Hotfix installation for R75.46

Follow these instructions for installing the Multi-Queue hotfix:

  1. Contact Check Point Support to get Multi-Queue hotfix packages.

  2. Transfer the FireWall hotfix to your Security Gateway into some directory (in our example, "/path_to_hotfix/fw/").

  3. Transfer the SecureXL hotfix to your Security Gateway into some directory (in our example, "/path_to_hotfix/sim/").

  4. Transfer the Linux kernel RPMs (with necessary NIC drivers igb v2.4.13 and ixgbe v3.1.17) to your Security Gateway into some directory (in our example, "/path_to_hotfix/kernel/"):

    1. Check if the CPU supports Physical Address Extension (PAE):

      [Expert@HostName]# (cat /proc/cpuinfo | grep 'flags' | awk 'NR==1' | grep -qi 'pae' && echo PAE) || (echo No-PAE)

    2. Check the current kernel edition:

      [Expert@HostName]# uname -r

    3. If the CPU supports PAE, and the output of 'uname -r' command shows '2.6.18-92cp', then you need to install the 32-bit PAE kernel.

    4. If the CPU does not support PAE (output was 'No-PAE'), and the output of 'uname -r' command shows '2.6.18-92cp', then you need to install the 32-bit noPAE kernel.

    5. If the output of 'uname -r' command shows '2.6.18-92cpx86_64', then you need to install the 64-bit kernel.

    Note: if both kernel editions (32-bit and 64-bit) need to be used, then you need to install both kernels.

  5. Unpack the FireWall hotfix package:

    [Expert@HostName]# cd /path_to_hotfix/fw/
    [Expert@HostName]# tar -zxvf fw1_wrapper_HOTFIX_FOXX_HF_HA46_033.tgz

  6. Install the FireWall hotfix:

    [Expert@HostName]# ./fw1_wrapper_HOTFIX_FOXX_HF_HA46_033_986033001_1

    Follow the instructions on the screen.

    Note: all Check Point services will be stopped during the installation.

  7. The installation will prompt for a reboot once it finishes. Do not reboot yet.

  8. Unpack the SecureXL hotfix package:

    [Expert@HostName]# cd /path_to_hotfix/sim/
    [Expert@HostName]# tar -zxvf sim_HOTFIX_FOXX_HF_HA46_033.tgz

  9. Install the SecureXL hotfix:

    [Expert@HostName]# ./sim_HOTFIX_FOXX_HF_HA46_033_986033001_1

    Follow the instructions on the screen.

    Note: all Check Point services will be stopped during the installation.

  10. The installation will prompt for a reboot once it finishes. Do not reboot yet.

  11. Install the Linux kernel(s) with NIC drivers:

    [Expert@HostName]# cd /path_to_hotfix/kernel/
    [Expert@HostName]# rpm -Uvh --force kernel*.rpm

  12. Reboot the Security Gateway:

    [Expert@HostName]# reboot

  13. For further details refer to the Multi-Queue Guide.

 

Hotfix installation for R75.47

Note: This hotfix was integrated into Take_3 of sk95827 - Jumbo Hotfix Accumulator for R75.47 (fiat_hf_base_026).

Follow these instructions for installing the Multi-Queue hotfix:

  1. Contact Check Point Support to get Multi-Queue hotfix packages.

  2. Transfer the FireWall hotfix to your Security Gateway into some directory (in our example, "/path_to_hotfix/fw/").

  3. Transfer the SecureXL hotfix to your Security Gateway into some directory (in our example, "/path_to_hotfix/sim/").

  4. Transfer the Linux kernel RPMs (with necessary NIC drivers igb v2.4.13 and ixgbe v3.1.17) to your Security Gateway into some directory (in our example, "/path_to_hotfix/kernel/"):

    1. Check if the CPU supports Physical Address Extension (PAE):

      [Expert@HostName]# (cat /proc/cpuinfo | grep 'flags' | awk 'NR==1' | grep -qi 'pae' && echo PAE) || (echo No-PAE)

    2. Check the current kernel edition:

      [Expert@HostName]# uname -r

    3. If the CPU supports PAE, and the output of 'uname -r' command shows '2.6.18-92cp', then you need to install the 32-bit PAE kernel.

    4. If the CPU does not support PAE (output was 'No-PAE'), and the output of 'uname -r' command shows '2.6.18-92cp', then you need to install the 32-bit noPAE kernel.

    5. If the output of 'uname -r' command shows '2.6.18-92cpx86_64', then you need to install the 64-bit kernel.

    Note: if both kernel editions (32-bit and 64-bit) need to be used, then you need to install both kernels.

  5. Unpack the FireWall hotfix package:

    [Expert@HostName]# cd /path_to_hotfix/fw/
    [Expert@HostName]# tar -zxvf fw1_wrapper_HOTFIX_FOXX_HF_HA47_022.tgz

  6. Install the FireWall hotfix:

    [Expert@HostName]# ./fw1_wrapper_HOTFIX_FOXX_HF_HA47_022_986022001_1

    Follow the instructions on the screen.

    Note: all Check Point services will be stopped during the installation.

  7. The installation will prompt for a reboot once it finishes. Do not reboot yet.

  8. Unpack the SecureXL hotfix package:

    [Expert@HostName]# cd /path_to_hotfix/sim/
    [Expert@HostName]# tar -zxvf sim_HOTFIX_FOXX_HF_HA47_022.tgz

  9. Install the SecureXL hotfix:

    [Expert@HostName]# ./sim_HOTFIX_FOXX_HF_HA47_022_986022001_1

    Follow the instructions on the screen.

    Note: all Check Point services will be stopped during the installation.

  10. The installation will prompt for a reboot once it finishes. Do not reboot yet.

  11. Install the Linux kernel(s) with NIC drivers:

    [Expert@HostName]# cd /path_to_hotfix/kernel/
    [Expert@HostName]# rpm -Uvh --force kernel*.rpm

  12. Reboot the Security Gateway:

    [Expert@HostName]# reboot

  13. For further details refer to the Multi-Queue Guide.

 


 

Related Solution: sk86721 - Check Point response to PASTEBIN claim that Check Point Firewalls are vulnerable to simple SYN flooding.

This solution is about products that are no longer supported and it will not be updated
Applies To:
  • 01063229 , 01105692 , 01136322 , 01152862 , 01152866 , 01207359 , 01064673 , 01118844 , 01064555
  • 01219068 , 01345201

Give us Feedback
Please rate this document
[1=Worst,5=Best]
Comment