News | CheckMates

Kamiar Sh in Installation, Maintenance, and Upgrades10 hours ago (Show more)

Hi , I have 3 cluster gateways managed by Gaia R77.30(complex network with 300 site-site VPNs and multiple server ) and I want to update IPS on each gateway and these are my questions: 1- what pre-requisite needed before starting update? 2- what potential impact should I expect? 3-and how to troubleshoot if any impact happen ? 4-is there any… (Show more)

2 repliesShow more activity

Lari Luoma

(to Kamiar Sh) 35 minutes ago (Show more Show less)

1. Check Point User Center credentials and Internet access from the SmartConsole machine needed in R77.30 (for manual IPS update). In R80.20 you can specify whether you want to run the manual update from SC-machine, management server or gateway. SmartEvent is highly recommended for IPS reporting and visibility. 2.To minimize impact and false…

Actions

Vasil Genov in Management10 hours ago (Show more)

Is there a way to migrate object and polocy database from r77.20 to r80.10

Hi all, relatively new to this, so in short, is there a way to export object database and firewall policy database form r77.20 to r80.10. We are replacing old FWs to new ones and we want to keep the same setup. We have new gateways and new management server. thanks in advance.

2 repliesShow more activity

Lari Luoma

(to Vasil Genov) 1 hour ago (Show more Show less)

1. Download the management Server Migration Tool (R77.x to R80.10) from the below SK: Check Point R80.10 2. Untar the tgz to a temp directory on your management server 3. Go to your temp directory and run: ./migrate export [name_of_the_export] 4. copy the [name_of_the_export].tgz to a newly installed R80.10 SMS (first time wizard must be run)…

Actions

Jozko Mrkvicka in Installation, Maintenance, and Upgrades2 months ago (Show more)

Migration of clusters from single SMS to multiple MDS

Hello mates, I would like to have your opinion and some insight to the problematic which I am facing at the moment. We have R77.30 SMS with 10 clusters. All of those 10 clusters are included in MyIntranet meshed community. On every cluster we have rule that will allow any connection from all other gateways within MyIntranet VPN community. … (Show more)

7 repliesShow more activity

Jozko Mrkvicka (to Jozko Mrkvicka) 1 hour ago (Show more Show less)

Another fun fuct (well, not really funny, as it happened in production already) was that we hit Gateway's SIC certificate is getting revoked every few days . It turned out that we added loop routes only for gateways, not for SMSes. So we have deleted all not needed clusters without any issue, but in fact we faced active - active state of SMS…

Actions

Alex Gilis in Policy Management4 days ago (Show more)

VPN with DAIP, certificates and permanent tunnels

I followed the superb walkthrough written by Danny Jung in order to establish a VPN between a Checkpoint 700 series (locally managed) and a central cluster of 5600 series gateways running R80.10. While the setup worked, I encountered a rather strange issue, I could not troubleshoot a lot due to time and location constraints, and the customer… (Show more)

2 repliesShow more activity

Maarten Sjouw (to Alex Gilis) 2 hours ago (Show more Show less)

When you reboot, does the 700 get a new IP every time? If so this would explain why you see this issue, it takes time for the 5600's to establish a tunnel as it does not know the IP at first, the DAIP gateway reports to the management server what it's new IP is. Also the gateway finds out by the new tunnel being built by the remote site, but it…

Actions

Kevin Orrison in Policy Management5 hours ago (Show more)

Automatic NAT installed on Two Firewalls

When you perform automatic NAT on an object, you have two options. You can select a single firewall/cluster or All. Is there any way you can select two or something like Policy targets using automatic? The only way I can find is by doing manual NAT rules. It looks like it will let you do Policy Targets.

1 replyShow more activity

Maarten Sjouw (to Kevin Orrison) 2 hours ago (Show more Show less)

Automatic NAT is limited to either Policy Targets or 1 Specifiable Gateway. This is the limit. Indeed Manual does not have this limitation, you can select all the targets you want. I smell an RFE.

Actions

Bob Delinsky in Installation, Maintenance, and Upgrades2 weeks ago (Show more)

Export CMA's from Multi-domain and import into a new SMS

I have a client that is moving away from a managed service provider that manages two of their gateway clusters (R77.30) via Multi Domain(Provider-1). The client wishes to build an internal SMS and manage the gateways themselves going forward. I am having trouble finding a Check Point SK for exporting CMA's from Multi-domain and importing into a… (Show more)

6 repliesShow more activity

Maarten Sjouw (to Bob Delinsky) 2 hours ago (Show more Show less)

Bob, You should have built a MDSM in ESX and and SMS next to it, the MDSM to import the |CMA and the Secondary SMS to move the CMA to a SMS. There are a lot of problems, these can happen lets say 2 weeks after running all ok and then all the sudden it breaks. So please do rethink your way forward. Regards, Maarten.

Actions

Jason Tan in General Product Topics8 months ago (Show more)

IPSec VPN - Link Selection

Currently, I had two IPSec VPNs, using ISP A and B to go out, respectively on a third-party firewall. The peers were third-party firewalls too. Assuming I wanted to migrate to Check Point firewall platform. Does Check Point firewall R80.10 support this kind of setup? If yes, where should I configure under IPSec VPN -> Link Selection subsection,… (Show more)

7 repliesShow more activity

Maarten Sjouw (to Pathy Muyisa) 2 hours ago (Show more Show less)

About 2 years ago I was in the works to change the external IP of one of our customers and they had quite some 3rd party VPN's (s2s) with other vendor equipment. To arrange a big bang change when you have 5 or more 3rd parties involved located all over the world, you know this will be impossible to achieve. What we came up with was a 2 month…

Actions

Jason Carrillo in General Product Topics1 month ago (Show more)

R80.20 Managing R80.10 Gateway - CPU Increase

After upgrading our MDS and MLM to R80.20, we are seeing average CPU increases across all of clusters after pushing policy to the gateways. It has become very apparent on one of our firewalls that is licensed for four cores. The four gateways I am seeing this on are open hardware. I do have a pair of appliance based clusters that do not seem to… (Show more)

39 repliesShow more activity

Jason Carrillo (to Jason Carrillo) 3 hours ago (Show more Show less)

A VM lab (one four core VM + clone of our production management) didn't yield any conclusive results. Using iperf to generate traffic, we didn't see any noticeable increase in CPU nor any of the latency in ICMP we were seeing in our production environment after the policy installation. We are going to be installing the R80.10 hotfix that will…

Actions

Josh B in Logging, Monitoring, Reporting, and Event Analysis5 days ago (Show more)

Blank mail alerts after upgrade to R80.10

Prior to upgrading a security management server to R80.10 and the latest jumbo hotfix, I had email alerts for certain events (CPU usage & and policy install, for example) working as desired using sk25941 & sk38929. After the upgrade, the emails are still received but the body of the email is blank. Does anyone have any ideas what to check?

5 repliesShow more activity

Josh B (to Josh B) 5 hours ago (Show more Show less)

In case anyone else finds this, this is a known issue at the moment that I'm told stared after JHF 121. TAC says a fix is being worked on.

Actions

Abdu Toku in General Product Topics1 day ago (Show more)

Disable CoreXL?

I have a R80.20 installation. Is it possible to disable CoreXL for a performance test.

3 repliesShow more activity

Heiko Ankenbrand marked Dameon Welch-Abernathy's reply as helpful

Vincent Bacher in Logging, Monitoring, Reporting, and Event Analysis10 months ago (Show more)

Healthcheck script results

Hello mates, i just used the healthcheck script on a productive system to see if it's useful and just got the first unsightly result: +-----------------------+-------------------------------+---------------+ | Memory | Physical Memory | WARNING | | | Swap Memory |… (Show more)

9 repliesShow more activity

Diego Lopez (to Timothy Hall) 5 hours ago (Show more Show less)

Anytime I run the healthcheck scrip on my Primary Smart Center running R80.20 on VMWare Hypervisor, I keep seeing WARNING for Zombie processes -- cpm.sh +-----------------------+ | Processes | +-----------------------+ 1 zombie processes found. PID COMMAND 17393 [cpm.sh] <defunct> Thank you folks, -DL

Actions

a85e246b-c9e5-45b5-b86e-a00e392e57ca in General Product Topics8 hours ago (Show more)

ClusterXL Formation

Hi Guys, I would like to seek for your expertise to check if my cluster have formed. I am a bit confused and no idea why in my Smart-1, cluster is showing an error but based on CLI, I can say that my 2x CP gateways is acting master and non-master meaning cluster is formed right? But some information is showing that it is down or lost of sync is… (Show more)

2 repliesShow more activity

Timothy Hall

(to a85e246b-c9e5-45b5-b86e-a00e392e57ca) 5 hours ago (Show more Show less)

Please provide output of commands cphaprob -a if and cphaprob -l list for both cluster members. You have a pnote failure in the cluster (probably a network interface mismatch or disconnect of some kind). -- Second Edition of my "Max Power" Firewall Book Now Available at http://www.maxpowerfirewalls.com

Actions

Kaspars Zibarts in Policy Management1 month ago (Show more)

O365 access filtering in R80.10

Challenge description: our user general internet access is limited to proxy only or very specific "whitelisted" IPs could be accessed directly bypassing proxy, i.e O365. Up until October we were able to script simple network group with all O365 IPv4 addresses based on XML information from MS. That has been streamedlined now and many services have… (Show more)

26 repliesShow more activity

Brian Deutmeyer (to Kaspars Zibarts) 7 hours ago (Show more Show less)

We integrated the MS PAC into ours, which says send all published MS IP space direct and everything else to the proxy. Good luck!

Actions