topic Re: CheckPoint Gateway backup in Firewall and Security Management

CheckPoint Gateway backup

katsarasd — Mon, 12 May 2025 10:41:04 GMT

Hello,

Our environment consists of 2 Checkpoint Clusters (External & Internal Firewall) where each cluster comprises of three nodes. Also we've got two SMS servers in Active-Standby. All Gateways as well as management Servers are on 81.20 version. My issue is that when i am trying to backup gateway config via TFTP server this works only for active members, for standby nodes this fails. I am able to backup both SMS without any issue. Is there something i am missing. Fyi, TFTP Server is on the same subnet as the management network of all gateways. Also i've created the firewall policies required. Could you please assist on what i am missing?

Thanks in advance

Re: CheckPoint Gateway backup

_Val_ — Mon, 12 May 2025 10:44:28 GMT

@katsarasd I moved your post to the more appropriate space and also fixed the label.

In the cluster, connections from Standby member through a cluster interface may fail because they are NAT-ed behind VIP.

There are two options here:
1. use a private interface to open a connection to a backup server

2. Apply a workaround mentioned in sk169975

I would suggest the second option, as it is much simpler to move forward and does not require any network change.

Re: CheckPoint Gateway backup

katsarasd — Mon, 12 May 2025 10:57:10 GMT

Hello @_Val_

TFTP Server is on the same subnet as gateways management interface. Is there something additional i need to specify ?

Re: CheckPoint Gateway backup

_Val_ — Mon, 12 May 2025 11:05:40 GMT

Even if it is on the same network, if the GW is communicating with it on a cluster interface, it will be NAT-ed behind a VIP address. Did you read the SK I suggested?

Re: CheckPoint Gateway backup

AkosBakos — Mon, 12 May 2025 11:07:39 GMT

You are abe to ping the TFTP server from the STANDBY member?

Re: CheckPoint Gateway backup

katsarasd — Mon, 12 May 2025 11:08:55 GMT

Yes standby members can ping tftp server

Re: CheckPoint Gateway backup

AkosBakos — Mon, 12 May 2025 11:16:10 GMT

Maybe can you do a telnet test to the TFTP server? Maybe there is a service which is not TFTP, and you can make a test. Only the TFTP is failing?

Akos

Re: CheckPoint Gateway backup

katsarasd — Mon, 12 May 2025 11:26:29 GMT

I tried nc -v <server ip address> rdp port
for active member connection works
for standby members connection timeout

Re: CheckPoint Gateway backup

_Val_ — Mon, 12 May 2025 11:27:48 GMT

As I already mentioned, look into the SK. You will have to create No-NAT rule for the standby to work.

Re: CheckPoint Gateway backup

katsarasd — Mon, 12 May 2025 11:34:27 GMT

Sorry, but i am bit confused.

The cause of the issue of the sk169975
is of the no-nat rules. You mention above that i'll need to create no-nat rules for standby, it's not clear to me. sorry for the trouble.

Re: CheckPoint Gateway backup

the_rock — Mon, 12 May 2025 11:41:11 GMT

Appears as Val had said its just a simple no-nat rule, thats it, does not need any other network changes.

Andy

Re: CheckPoint Gateway backup

_Val_ — Mon, 12 May 2025 13:43:04 GMT

No worries, the SK is indeed describing a bit different case, but it does have a link to the solution you need: sk34180

Please check it is clear enough, and let me know if it helps.

Re: CheckPoint Gateway backup

the_rock — Mon, 12 May 2025 14:04:08 GMT

Hey @katsarasd

I did some more checking on this and found below sk...not sure if it may apply to you, but worth confirming.

Andy

https://support.checkpoint.com/results/sk/sk181866