Abhishek_Kumar1 inside CloudGuard IaaS yesterday
views 76 4

Static NAT configuration with Load balancer in Azure Vsec

Hi All, we have R80.20 deployed on Azure Cloud, we have to configure Static NAT with multiple server. Where request coming with 443 and SSH, we have approx 100 servers which needs to configure Static NAT. Can we configure same as AWS where we can add secondary IP on both firewall and attached public IP with firewall external subnet through the load balancer and configure static NAT. Or if we have any other option? Please provide me solution for the same. Regards, Abhishek
andy_currigan inside CloudGuard IaaS yesterday
views 38 1

Cloudguard backend routing problem

We're installing a CloudGuard IaaS High Availability using the latest deployment guide. We experience problem on the internal routing, the internal load balancer, automatically created with the template, seems not to route the traffic to the cloudguard appliance. On the management we do not see any traffic logs but if we configure a cluster ip address on the checkpoint backend network using the address that should be configured to the backend-lb (.4) suddenly we see the traffic on the management, even the traffic from internet... The routing table assigned to the backend subnets and the routing on the checkpoint are configured as described on the guide. (strange that checkpoint route to a phantomatic .1 address and the internal subnets route to the backend loadbalancer ip .4) Any idea how to debug and solve this problem? Thanks, Andy
Adrian_Dittmann inside CloudGuard IaaS Thursday
views 111 1

Support for Datacenter Objects in NAT Policy and Network Groups

Hello guys, I hope I chose the right forum. We have connected a Cisco ACI to a R80.20 Management System and are using dynamic Datacenter Objects in the Firewall Policy. sk128612 says that Data Center Objects are not supported in NAT Policy and Network Groups. This considerably limits the function of the ACI for us. Will this "known limitation" be fixed in the future or is it not possible from the technical point of view? I am looking forward to your answers! Best regards, Adrian
Constantin_Pop inside CloudGuard IaaS Wednesday
views 500 9

Azure NIC issues - possibly waagent related

Hi all, I noticed recurring issues with the Azure CP R80.20 cluster and was wondering if anyone else had this behavior. Basically the interfaces related to Azure Accelerated Networking unregister and may come up with a different name which breaks the traffic completely. Although this was supposed to be solved by Jumbo HF take 17 it occurred again. I believe it may be related to outdated buggy version of the Microsoft Azure Linux Agent (waagent) v2.2.11 installed on the VM (the last available version is v2.2.42). Now waiting for my SR to be picked up...

Two other issues with the agent that are resolved in newer version:
- agent's logs filling up the Azure Serial Console making it unusable
- does not use the configured proxy server

Entries in /var/log/messages:
kernel: kernel: hv_netvsc 000d3a25-c27e-000d-3a25-c27e000d3a25 eth0: Data path switched from VF: enP1p0s2
kernel: kernel: hv_netvsc 000d3a25-c27e-000d-3a25-c27e000d3a25 eth0: VF unregistering: enP1p0s2
kernel: kernel: [SIM4];cphwd_api_forward_packet: sim_mgr_prepare_packet failed
kernel: kernel: [SIM4];simlinux_br_port: dev == NULL !!!!!
Abhishek_Singh1 inside CloudGuard IaaS Wednesday
views 218 2

Azure VMSS R80.30 issue

Hi Mates, I have deployed the VMSS solution with custom blades and everything looks fine from management, gateway, policy perspective. On the day of actual cutover of traffic from traditional cluster to the VMSS LB, it failed really bad 🙂. The traffic we are testing is East-West, with no NAT needed. On investigation, I could see the initial traffic reaching the destination server and response coming to my VMSS gateway... But for some reason the response / reply is not reaching the source machine (and I know it's not LB persistence issue, since added persistence with client IP & port -> all the traffic is passing thru one gateway). I have checked all the routing, NSG, etc --- everything is pretty much same, since we are just changing the routes to point to the new VMSS LB, instead of old cluster LB... I can see that eth0 in VMSS instance has ipforwarding as false in Azure, also eth1 does not have the default NSG attached... Is this correct? Anyone faced same issue? Do let me know if I am missing something in the VMSS deployment. Tx, Abhishek
Eugene_Tcheby
inside CloudGuard IaaS Saturday
views 177 4
Employee+

Upgrading a Checkpoint Cloudguard VMSS (Scaleset) from R80.20 --> R80.30 in Azure

Cross posting from "General Management Topics"  As R80.10 and R80.20 images are soon to be delisted from the Azure Marketplace, I put together a step-by-step guide with screenshots on how to upgrade a Cloudguard VMSS (Scale Set) from R80.20 to R80.30 in Microsoft Azure - with R80.20 Management. This "how-to" is based on the new procedure from the Admin Guide which you can find here: https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_VMSS_for_Azure/html_frameset.htm?topic=documents/IaaS/WebAdminGuides/EN/CP_VMSS_for_Azure/216060 Your feedback and comments are appreciated.  Find original post below https://community.checkpoint.com/t5/General-Management-Topics/How-to-Upgrade-a-Cloudguard-VMSS-Scaleset-Solution-from-R80-20/m-p/64866#M9996  
Itamar-cohen
inside CloudGuard IaaS Saturday
views 331 7
Employee

Planned Delisting Announcement for CloudGuard IaaS in Azure and AWS

Dear All,

Soon we intend to begin a process in Azure and AWS to remove R80.20 listings/images from the marketplace. In both platforms, there are already R80.30 listings/images available and we recommend to upgrade to this latest version. R80.10 and R80.20 listings in Google Cloud Platform were already removed.

R80.30 brings with it a performance boost and stability improvements. It is also important to mention that R80.20 GOGO based version JHF new content is not planned (only security fixes will be provided) and all new JHF will be introduced for R80.30.

Please note the following:
- Current users that are already deployed with R80.20 will still be able to use their offerings and will be supported
- R80.20, once removed, won't be available to customers in the marketplace
- Customers with a legitimate business need for R80.20 or R80.10 (e.g. in final POC process) will need to contact us in order to get access to these images/listings once they will be removed.
- R80.30 Gateways can be managed by deploying a jumbo hotfix on older Management Servers starting from R80.20 Jumbo Hotfix take 91 and above & R80.10 Jumbo Hotfix take 225 and above (see sk149272 for more information).
- Index for upgrade documentation was created for your convenience - sk162365

If any concern is raised or more information is needed, please contact us.

Thank you
Michael_Hightow inside CloudGuard IaaS a week ago
views 249 2 1

Installing Hotfixes to Azure Installations

Hello, are there any unique restrictions, best practices, etc... for installing hotfixes to an R80.10 IaaS Cluster in Azure? I'm very familiar with managing this on-prem but not quite sure about this scenario in Azure since everything was deployed from a template. Thanks in advance.
natureson inside CloudGuard IaaS 2 weeks ago
views 272 4

PPPoE connection problem (CP3200)

Hi Mates, I have a problem with PPPoE connection to ISP on my CP3200 HW appliance. Everything works fine on Cisco router with these settings:

interface Dialer1
 mtu 1492
 ip address negotiated
 ip mtu 1480
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname ******@***
 ppp chap password 0 ****
 ip virtual-reassembly
interface GigabitEthernet0/0/0.20
 encapsulation dot1Q 20
 ip address 192.168.*.1 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 1196 (*non-standard value, but provided from ISP and works fine)
 ip ospf 1 area 4
 ip virtual-reassembly

As you can see we've set required parameters (such as adjust-mss and MTUs) and this is working fine on Cisco router, but I need to connect my ISP connection directly to CP3200. I've created PPPoE interface and it is connecting normally but the issue is that clients don't have Web access, only pings (ICMP) work fine. Currently we don't have any restrictions in policy, it is just set to Allow all, and when we use typical ethernet interface facing to Internet everything works, but not with PPPoE. So, how can I adjust MSS values on interfaces to make HTTP sessions establish normally? Thank you very much.
Javier_Hijas
inside CloudGuard IaaS 2 weeks ago
views 3950 6 11
Employee+

custom-script example for autoprovision of autoscale gateways

This file is to be used as an example for autoscale and VMSS groups that require custom settings on the gateway at provisioning time. These scripts rely on Check Point API and professional services are usually recommended for complex customizations.
Andreas_Ahrnby inside CloudGuard IaaS 2 weeks ago
views 307 6

CloudGuard for NSX

Hi, I'm running a few CloudGuard for NSX instances with the latest template (R80.10). Is it possible to update the gateways to get the latest “take” thru CPUSE? Is there any knowledge when a new template with R80.20 or R80.30 will be available?
Abhishek_Singh1 inside CloudGuard IaaS 3 weeks ago
views 320 5

Checkpoint VMSS deployment - Auto-provision test fails

Hi Guys, I am deploying the Checkpoint VMSS solution in Azure. For some reason the autoprovision test is failing with the below error:

Traceback (most recent call last):
  File "/opt/CPsuite-R80.20/fw1/scripts/autoprovision/monitor.py", line 4160, in <module>
    rc = main(sys.argv)
  File "/opt/CPsuite-R80.20/fw1/scripts/autoprovision/monitor.py", line 4135, in main
    test()
  File "/opt/CPsuite-R80.20/fw1/scripts/autoprovision/monitor.py", line 4047, in test
    cls.test(cls, name=name, management=config['management']['name'], **c)
  File "/opt/CPsuite-R80.20/fw1/scripts/autoprovision/monitor.py", line 1995, in test
    'GET', '/subscriptions/' + options['subscription'])
  File "/opt/CPsuite-R80.20/fw1/scripts/autoprovision/azure.py", line 411, in arm
    with self.get_token() as token:
  File "/etc/fw/Python/lib/python2.7/contextlib.py", line 17, in __enter__
    return self.gen.next()
  File "/opt/CPsuite-R80.20/fw1/scripts/autoprovision/azure.py", line 355, in get_token
    headers=headers, pool=self.pool, max_time=self.max_time)
  File "/opt/CPsuite-R80.20/fw1/scripts/autoprovision/azure.py", line 108, in request
    max_time)
  File "/opt/CPsuite-R80.20/fw1/scripts/autoprovision/azure.py", line 190, in request_curl
    raise CurlException(headers, args_no_auth)
CurlException: curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: http://curl.haxx.se/docs/sslcerts.html

Any idea what could be the issue? I am using the latest autoprovision.cfg - version 509
Gerard_O_Connor inside CloudGuard IaaS 3 weeks ago
views 261 2

CloudGuard R80.30 and ESX

Hi, a query as it relates to VLAN tagging in CloudGuard R80.30 in an ESX environment. There is a limitation in ESX of 10 NIC per virtual machine. I have been trying to do VLAN tagging on the CloudGuard VM, however the traffic does not appear to reach the virtual network. Looking through Secure Knowledge, we have identified a  for a known limitation in CloudGuard on ESX all the way to R80.10, the ID is '00525805', the sk that we located this in was 'sk126952'. Is this still a known limitation in R80.30? Thanks.
Abhishek_Singh1 inside CloudGuard IaaS 3 weeks ago
views 351 10

Checkpoint Vsec ClusterXL deployment in Azure with Active/Active - Loadsharing mode

Hi guys, I am looking for a solution to implement Active-Active (Load sharing) ClusterXL in Azure, but didn't find any templates. Does Checkpoint Vsec in Azure not support this by design, or what changes would it require to support this config? Thanks!
Richard_Cullum inside CloudGuard IaaS 3 weeks ago
views 207 1

Azure partition sizing for Check Point management platform

Hi, I've noticed that the two R80.10 management servers we deployed in Azure seem to have used default partitioning sizing. I allocated 1TB diskspace to the VM but after the servers built themselves, the /var/log is only 41.65Gb. Is there a way to subsequently change this so I can allocate more space to /var/log? Can I use methods described in sk95566 for Azure deployed images? In future, is there anything that can be done to change this before Azure builds?