Sarath_M inside CloudGuard IaaS yesterday
views 52 1

How to put a CloudGuard VM in maintenance mode during resize using lvm_manager?

We have deployed the VM with a size of 350 GB initially. The sk111089 mentions to complete the remaining steps by following sk95566. But sk95566 mentions in Important notes to put the device in Maintenance mode. I can only see normal mode in /boot/grub/menu.1st file. Is it sufficient to run cpstop command to make sure no other process interferes when I run lvm_manager? Any considerations that I have to take for VMs in cluster?
Fareed_Farooqu1 inside CloudGuard IaaS Tuesday
views 48

cloudguard interface _rename issue

Hi
We are deploying CloudGuard R80.20 in Azure as per sk110194 and are noticing extra interfaces with '_rename' in them. Instead of eth0 and eth1 we see a total of 4 interfaces:
eth0
eth1
eth2_rename
eth3_rename
Output of ifconfig is:
ifconfig -a | grep -v grep | grep HWaddr | awk '{print $1,$5}'
eth0 00:0D:3A:7E:82:B6 state -on
eth1 00:0D:3A:7E:87:40 state -on
eth2_rename 00:0D:3A:7E:87:40 state -on
eth3_rename 00:0D:3A:7E:82:B6 state -off
Has anyone come across this issue? R80.10 does not have this issue.
Thanks
Martin_Valenta inside CloudGuard IaaS Monday
views 199 3

Revision history for autoprovision-addon

I'm unable to find any SK which would be documenting autoprovision-addon, which is used for deployments in Azure, AWS, GC. Only reference is a link to AWS, where this addon is stored and available to download. No information about current versions and changes done when version of addon is increased.
Prashant_Bhardw inside CloudGuard IaaS Sunday
views 83 1

CheckPoint CloudGuard Support for NSX-T 2.4

Hello All - I am looking for the CloudGuard support for NSX-T. Below are my requirements in specific.
Does Check Point officially support CloudGuard with NSX-T version 2.4? I know it supports it as Service Insertion at the Edge (sk139213) with version 2.3. However, it says later versions are also supported, but I couldn't get any documented affirmation. I also see the CP partnership with NSX-T 2.4 from the VMware site and through an announcement published in the Check Point Blog.
Also, with NSX-T, does Check Point CloudGuard support service insertion & inspection for East-West, micro-segmentation traffic? If it is supported, where could I find supported documentation? Else, is there any official announcement for EA, GA release dates for the NSX-T 2.4 version?
Thanks in Advance!!!
-PB
Ranokarno_Ranok inside CloudGuard IaaS a week ago
views 18412 6 6

Build Azure CloudGuard using Terraform

Hi Expert,
Can anyone advise how we can build a vSEC CloudGuard using Terraform code, something that can be mapped to the original ARM template as attached?
Best Regards,
Rano
Eric_Merillat inside CloudGuard IaaS a week ago
views 2463 2 4

Identity Awareness Troubleshooting

Trying to troubleshoot some IA issues. Doing a pep show user query usr command is showing a TTL counter of 0. What exactly do the Time to live, Cached time, TTL counter, and Time left mean in this command? Have scoured Google, the support site, and these forums; I am not finding any explanation of this output.
Thanks in advance!
Krishna inside CloudGuard IaaS a week ago
views 592 2

The NAT issue on CP firewall deployed in the Azure

We have built a tunnel between the CP firewall (FW1) in Azure and the CP firewall (FW2) On-Premises.
The FW1 is a cluster and has two gateways in it. IP of gateway 1 is, IP of gateway 2 is and IP of Cluster is
Gateway 1 is active.
The tunnel initiation traffic/Phase 1 traffic is sent by the FW2 from port 500 to port 500 of FW1.
We have done a packet capture on gateway 1 of FW1 and found that FW1 is receiving the traffic on the cluster IP sent by the FW2; both source and destination ports are 500.
Gateway 1 of FW1 is replying to the FW2 from port 500 to port 500 of FW2.
In the next packet, while the gateway 1 IP is getting translated to the cluster IP, i.e. from to the source port is also getting translated from port 500 to a random port.
Below are the logs collected from gateway 1:
[vs_0][fw_0] eth0:o[180]: X.X.X.X -> (UDP) len=180 id=20396
UDP: 500 -> 500
[vs_0][fw_0] eth0:o[180]: -> X.X.X.X (UDP) len=180 id=10087
UDP: 500 -> 500
[vs_0][fw_0] eth0:O[180]: -> X.X.X.X (UDP) len=180 id=10087
UDP: 12410 -> 500
Due to this, phase 1 of the tunnel is not getting established and the tunnel is not forming. Kindly provide a solution to this.
Daniel_Snyder inside CloudGuard IaaS 2 weeks ago
views 1569 18 1

Azure Scale Set Gateways Disappeared from Policy

We have deployed Azure CloudGuard Scale Set and have an interesting issue where our gateways are no longer present in the console. I looked at the auto-provision log and all I can see is the gateways are stuck in 'INITIALIZING' state. I know if I re-image them they will come back online but that also requires a slight rebuild of the gateway. Has anyone dealt with this and know how to reconnect the gateway to the manager without the redeploy?
Failed scale set log entries during gateway sync:
2019-01-24 21:22:36,179 MONITOR INFO {firewall #1}: INITIALIZING
2019-01-24 21:22:36,203 MONITOR INFO {firewall #2}: INITIALIZING
Our working scale set looks like the following in the same log during gateway sync:
2019-01-24 21:22:36,203 MONITOR INFO updating: {firewall #1}
2019-01-24 21:22:36,204 MONITOR INFO {firewall #1}: COMPLETE
2019-01-24 21:22:36,204 MONITOR INFO {firewall #2}
2019-01-24 21:22:36,256 MONITOR INFO {firewall #2} : COMPLETE
No issues with the auto-provision connectivity in general and no changes on our Azure side. These gateways were in my console at one point and then just disappeared and can't seem to find out why and a way to get them back in without a redeploy. Thanks in advance!
** UPDATE **
Looks like during a gateway sync the instances in the scale set could not be found (even though they existed and still do) and were deleted from the manager. However the firewalls still function but I am unable to manage them or push policy to them. Not sure how to get them back in to the policy without doing a re-image?
Cyprien_Leseurr inside CloudGuard IaaS 2 weeks ago
views 2602 22

Can we avoid the promiscuous mode for vSEC clustering?

I have been working for a few weeks on the virtualization of Check Point security gateways. And to allow the HA protocol (CCP) in order to create a ClusterXL, I had to enable the promiscuous mode on VMware. So I was wondering if there was not another solution. If not, are there some best practices to avoid route causes on datacenters (packet loss for example)?
Alejandro_Ferna inside CloudGuard IaaS 2 weeks ago
views 1911 6

Inspecting and detecting original source address of TCP NLB inbound traffic

Hello,
I have an AWS TCP Network Load Balancer with proxy protocol v2 enabled. This LB routes the traffic to a logical server IP with a group of internal web servers. The ports it uses are 30080 and 30443, configured as TCP service with HTTP/S protocol, but it seems that IPS is not inspecting this traffic.
Furthermore, I can see the real client IP address in the web server's log, so it seems proxy protocol is working, but in the Check Point log I only see the internal LB addresses so I can not differentiate between real traffic and LB health check traffic. I appreciate any kind of suggestion or hint.
Thank you, regards!
inside CloudGuard IaaS 3 weeks ago
views 1539 2

publishing routes to On-Prem via Express Route

Hi, I have a customer who is building a Hub-And-Spoke infrastructure in Azure. We added a Cluster-HA in his HUB vNet in order to route all the traffic from spokes vNets via the Cluster to On-Prem and vice versa. The customer has an Express Route in the HUB spoke to access the On-Prem networks. The Azure Virtual GW publishes to On-Prem the networks of the HUB vNet. This is more of an Azure question: how can I make the Express Route Virtual GW publish the spokes vNets to On-Prem? I added a UDR on the GatewaySubnet to route traffic to the spokes via the CG Cluster but that route doesn't propagate to On-Prem. Someone told me that the Express Route Virtual GW should also see the Peered vNets subnets and publish them but we don't see it. If anyone did something similar in other customers, please advise. Regards, Nir
Nicolas_Daems1 inside CloudGuard IaaS 3 weeks ago
views 1644 3

CloudGuard Azure and Remote Access

Hi, I'm trying to set up a Remote Access VPN (Check Point Mobile on Windows) on Azure.
This Azure Gateway is connected to another Check Point Gateway with a Site-to-Site VPN. This communication is working fine.
The Mobile VPN Clients are able to connect but no traffic is reaching the Azure Firewall (tcpdump / fw monitor). The VPN setup is not configured to route all traffic to the gateway so only the remote access community should be reachable. I can see that the Endpoint receives the route correctly (route print) but when trying to reach the gateway no traffic is detected.
I guess there is an issue with the UDR on Azure but I don't know how the VPN subnet needs to be defined:
Do we need to define the VPN subnet on Azure Subnet?
If we need to define the subnet to Azure, what route should we define on this subnet?
Do we need to route the traffic to Frontend or Backend interface?
Any help will be appreciated.
Thank you
Nicolas
Martin_Valenta inside CloudGuard IaaS 3 weeks ago
views 1745 3

autoprovision on domain with already existing gateways

Trying to enable autoprovision on one domain, but this domain already has some gateways in it. I've configured it and all is failing on API calls like this:
File "/opt/CPsuite-R80.20/fw1/scripts/autoprovision/", line 1888, in __call__
2019-05-24 07:27:14,130 MONITOR INFO raise Exception('failed API call: %s%s' % (command, msg))
2019-05-24 07:27:14,131 MONITOR INFO Exception: failed API call: show-simple-gateway: Requested object [xxx] not found
I didn't find any documentation that this cannot be done... also waiting on TAC response... @Javier_Hijas any insight on this?
Tiago_Sousa inside CloudGuard IaaS 3 weeks ago
views 1341 2

AWS price increase

Any idea of why there were such price increases on AWS:
Thank you for subscribing to "CloudGuard IaaS R80.20 Security Gateway - NGTP PAYG".
We are writing to notify you that Check Point Software Technologies, Inc. has increased the hourly pricing on the following instance types for "CloudGuard IaaS R80.20 Security Gateway - NGTP PAYG".
c5.9xlarge - Previous: 1.89 / New: 6.0
c5.large - Previous: 0.69 / New: 0.75
c5.4xlarge - Previous: 1.39 / New: 2.8
c5.18xlarge - Previous: 1.89 / New: 11.5
c5.2xlarge - Previous: 1.08 / New: 1.4
Thank you for subscribing to "CloudGuard IaaS Security Management".
We are writing to notify you that Check Point Software Technologies, Inc. has increased the hourly pricing on the following instance types for "CloudGuard IaaS Security Management".
m5.12xlarge - Previous: 0.49 / New: 1.4
m5.4xlarge - Previous: 0.49 / New: 1.4
m5.24xlarge - Previous: 0.49 / New: 1.4
Blason_R inside CloudGuard IaaS 3 weeks ago
views 3679 8

Site-Site Tunnel between Azure Gateway and On-prem CP Gateway

Hi Team, Curious to know if Azure GW can be managed through On-prem Management server? I guess it should because eventually it would speak with gateway on CP Ports. As well as can we configure Tunnel between Azure & On-prem CP again managed with On-prem Management server? Or is it better to have Separate Mgmt server on Azure?