topic Gateway in red on smartconsole in Firewall and Security Management

Gateway in red on smartconsole

EricB84 — Tue, 23 Apr 2024 08:22:09 GMT

hi,

We have two gateway in cluster.

the first gateway is in red.

I think I can't add or modify existing rule...

I don"t understand why there is a gateway in red, there is no modification...

I have only the admin account, to access to smartconsole R80.30 and webpage gaia portal R80.30.

and expert password.

I don"t have password cli to access to Gateway directly in cli.

How I can resolve this gateway in green ?

without break the other gateway or block access completly the compagny on rules on outside...

thanks you very Much

Eric

Re: Gateway in red on smartconsole

_Val_ — Tue, 23 Apr 2024 08:33:32 GMT

R80.30 is out of support for a while now.

As the error show, you have an issue with ClusterXL on one of the gateways. You need GW access to troubleshoot. If you can access GW WebUI, use the same credentials to access it via SSH or console

Re: Gateway in red on smartconsole

Vincent_Bacher — Tue, 23 Apr 2024 08:39:23 GMT

Beside of the unsupported release:

The red cross icon can have many reasons. What tells the little popup when moving the mouse over it?

Re: Gateway in red on smartconsole

EricB84 — Tue, 23 Apr 2024 09:02:16 GMT

hi vincent

thanks for your help

it's in attached files

I don"t know how to connect directly to gateway

it's ok by management console only but not more

Re: Gateway in red on smartconsole

EricB84 — Tue, 23 Apr 2024 09:26:44 GMT

hi val

I have this message to connect to the first gateway
I have find the password for the second gateway and it's ok !

for the first I have this message :

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
XX:XX:XX:XX.......
Please contact your system administrator.
Add correct host key in /home/admin/.ssh/known_hosts to get rid of this message.
Offending key in /home/admin/.ssh/known_hosts:2
RSA host key for 10.38.204.24 has changed and you have requested strict checking.

Re: Gateway in red on smartconsole

_Val_ — Tue, 23 Apr 2024 09:55:45 GMT

Ignore this warning for now. Connect to the first GW via SSH and run "cphaprob stat" command

Re: Gateway in red on smartconsole

EricB84 — Tue, 23 Apr 2024 11:15:32 GMT

Cluster Mode: High Availability (Primary Up) with IGMP Membership

ID Unique Address Assigned Load State Name

1 (local) 1.1.1.1 0% DOWN fw1-CKP
2 1.1.1.2 100% ACTIVE fw2-CKP

Active PNOTEs: IAC

Last member state change event:
Event Code: CLUS-110800
State change: INIT -> DOWN
Reason for state change: Incorrect configuration - Local cluster member has fewer cluster interfaces configured compared to other cluster member(s)
Event time: Tue Apr 9 09:59:29 2024

Last cluster failover event:
Transition to new ACTIVE: Member 1 -> Member 2
Reason: Interface eth3 is down (Cluster Control Protocol packets are not received)
Event time: Thu Apr 4 13:23:37 2024

Cluster failover count:
Failover counter: 13
Time of counter reset: Mon Aug 23 07:42:39 2021 (reboot)

I have find this topic to remove the fw to cluster, and add again

https://support.checkpoint.com/results/sk/sk88360

it's possible ?

it's dont block all the lan, if there is only one fw active in the cluster ?

thanks

Re: Gateway in red on smartconsole

Vincent_Bacher — Tue, 23 Apr 2024 12:14:25 GMT

"Reason for state change: Incorrect configuration - Local cluster member has fewer cluster interfaces configured compared to other cluster member(s)"

So the interface configurations should be checked and compared between both nodes.
Seems like there is an interface configured in SmartConsole objects topology and on one of the nodes but not on the other.

Re: Gateway in red on smartconsole

Vincent_Bacher — Tue, 23 Apr 2024 12:18:29 GMT

You may use as well commands like

cphaprob -a if
fw getifs

and see output.
Or at least, connect to the Gaia Web Interface and Check / Compare Interface Configs of both nodes.

Re: Gateway in red on smartconsole

the_rock — Tue, 23 Apr 2024 12:32:21 GMT

Just try this from smart console, as per my screenshot and see what it shows you. And yes, send output of cphaprob -a if from both members, as well as output from cpconfig

Andy

Re: Gateway in red on smartconsole

EricB84 — Tue, 23 Apr 2024 12:46:06 GMT

I have the solution !

in fact the interface in our backbone was shut

Im connect to cisco 4500, and shut, no shut and it's work now

all is green

but I don"t understand our configuration.

we have a cable rj45 between two gateway type sync

two cables directly in backbone cisco, with an interco vlan

and two other cables for the stack switch in another vlan, (same as the vlan for the smart console)

I don"t understand why there is an interco with backbone, and a cable between two gw.

thanks

Re: Gateway in red on smartconsole

Vincent_Bacher — Tue, 23 Apr 2024 12:50:42 GMT

@EricB84 wrote:
I have the solution !

Congrats! 🙂

@EricB84 wrote:
I don"t understand why there is an interco with backbone, and a cable between two gw.

Kindly explain what exactly you mean with interco with backbone

brV

Re: Gateway in red on smartconsole

EricB84 — Tue, 23 Apr 2024 13:01:29 GMT

we have a

cisco 4500 *2 : backbone of the compagny (who are connected all other switch by fiber)

and a stack of 5 switch in it room

and two checkpoint

there is a link between two checkpoint for the SYNC => I think it's for HA

but there is a cable between checkpoint checkpoint and each backbone cisco on vlan interco 100 : vlan not routed (just to isolate of other vlan)

and two others cables in another vlan (the same of smartconsole vm) goes to each backbone cisco

I don"t understand the configuration.

why there is a link between two gw type sync

and interco with backbone of the company

Re: Gateway in red on smartconsole

Vincent_Bacher — Tue, 23 Apr 2024 13:16:15 GMT

First of all i would identity the interfaces on the Checkpoint devices connected to each other and those connected to your interco.
Then i would have a look at the topology of the object in SmartConsole.
I guess, somebody has configured two interfaces as sync interfaces. What should work in theory i guess but officially it's not a supported setup afaik.
Supported sync redundancy is to do that using bond interfaces.

Re: Gateway in red on smartconsole

the_rock — Tue, 23 Apr 2024 13:34:14 GMT

I agree with everything @Vincent_Bacher said. Just for the context, would you mind run below commands on both members and send as text file attachments.

Andy

cphaprob roles

cphaprob state

cpconfig

cphaprob -a if

cphaprob syncstat

cphaprob -i list

cphaprob -l list

cphaprob show_failover

cphaprob mvc