Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
PJ_WONG
Contributor

Managing DAIP Gateway, automatic policy fetch not working

Hi Checkmates,

I'm looking for help with a specific DAIP (Dynamically Assigned IP) behavior. I have a Branch gateway that is a DAIP object, and it must reach the Management Server through an HQ Firewall.

The Setup:

  • Branch: DAIP Gateway (Dynamic IP).

  • HQ Firewall: Acts as the gateway for the Management Server.

  • Path: Branch Firewall → Router → HQ Firewall → Management Server.

  • Connectivity: SIC is established, and I can successfully install policy.

The Problem:

Since this is a DAIP gateway, the Management Server cannot initiate a policy push when the Branch's IP changes. According to sk167474, there is a periodic policy fetch every 4 hours, but it is failing to do so automatically.

To restore the SIC connectivity between Management server and Branch gateway, I will have to run #fw fetch command on the DAIP gateway itself to update the policy. After that the SIC is established until the next IP changes.

Do anyone with DAIP setup face this before? I was expecting the DAIP to be automatic.

I have already spent time with TAC but the issue is not resolved yet.

Thank you.


Best Regards,
PJ

 

 

0 Kudos
13 Replies
simonemantovani

Hello PJ

just few questions to start and to better understand the scenario:

  • The SIC stops to working, or is always fine?
  • Which kind of appliance is the DAIP gateway?
  • At the time that the scheduled fetch of the policy should run, do you have noticed if there is comunication between DAIP gateway and management?
0 Kudos
PJ_WONG
Contributor

Hi simonemantovani,

For your information:

  • The SIC stops to working, or is always fine?

           After I trigger the IP change manually at the DHCP server, the SIC will stop working.

  • Which kind of appliance is the DAIP gateway?

           I am replicating the issue using ESXI, so it is consider open server.

  • At the time that the scheduled fetch of the policy should run, do you have noticed if there is communication between DAIP gateway and management?

           No, I checked SmartConsole logs, there is no logs on CPD port 18191 unless I run fw fetch manually.

To me, it seems like some issue with auto fetch policy on the DAIP gateway, not sure I missed out something, but in the setup I can actually build up the SIC until the IP changes. I am assuming the DAIP gateway is supposed to initiate connection to management server by itself.


Best Regards,
PJ

 
0 Kudos
simonemantovani

Ok,  I would try to test this scenario in a lab, there is no reason why it shouldn't work your DAIP.

I'll made a test too, which version and jhf are you using on management and gateway?

0 Kudos
PJ_WONG
Contributor

Hi simonemantovani,

Appreciate your help on this, I am using R81.20 for management and gateway.

The management server is using hotfix 26, and gateway has no hotfix.

I think I will try to install latest recommended hotfix on it as well.

Thanks.


Best Regards,
PJ

0 Kudos
simonemantovani

Yes, first thing to do on your side: install the ltest hotfix on management and also on the gateway (it's always recommended to install JHF on gateway/management, not only for security reason, but also for bug fixes).

0 Kudos
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP

How is the policy of this and the intermediate gateway crafted and what global properties / implied rule choices have been selected or are these all defaults?

Any NAT or VPNs in the picture?

CCSM R77/R80/ELITE
0 Kudos
Stephan_Scholz
Contributor

We are also seeing the issue that automatic policy fetch does not work for DAIP gateways with Full Gaia. We are using R82 JHF60 on both management (SmartCenter server on premise) and gateway.

 

0 Kudos
PJ_WONG
Contributor

Hi Checkmates,

Unfortunately, using the latest recommended hotfix now but still hitting this issue.

Here is how the setup looks like:Network map.png

The HQ CP Firewall is NATing management server IP, so branch will connect to the management server NATed IP.

The global properties / implied rule are stick to default and there is no VPN used.

I tried to modify fetch policy schedule but I could not use my own schedule object:
fetch policy.png

error.png

 

Thanks.


Best Regards,
PJ

 

0 Kudos
simonemantovani

Well, draw is clear; what is not clear is if, after the IP changes, the gateway still generate traffic to the management to fetch the policy at the defined interval.

If you perform this command on the management: rs_db_tool -operation list

I suppose that it never change, because the NAT is performed on the router.

I don't know if you can start a traffic capture on the DAIP gateway, to check if after the IP has changed, traffic to management is still generated.

0 Kudos
Stephan_Scholz
Contributor

You can modify these settings in GUIDBEdit:

Managed Objects -> times -> every_seconds

 

 

0 Kudos
Peter_Elmer
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP

Hello @PJ_WONG , @simonemantovani @Stephan_Scholz 

Stephan has raised the attention on this problem and raised a TAC ticket. We are currently having this TAC ticket being checked by R&D. 

Maybe opening a dedicated ticket with TAC for the issue you @PJ_WONG see is helping TAC + R&D to identify the root cause. 

best regards

peter  

 

PJ_WONG
Contributor

Hi Peter,

Unfortunately the TAC is not responsive to the ticket, but I think I found the solution for my case.

I have to change the management server object in $FWDIR/conf/masters to the NATed IP, then apply sk102712 procedure 2 to make the file immutable.

After that trigger the IP changes, I can still install policy. 

Most likely changing this file will not cause any impact in future, but I could not be certain on this.


Best Regards,
PJ


0 Kudos
Peter_Elmer
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP

Hello @PJ_WONG ,

sorry to hear that TAC has not yet found a solution. 

The workaround you described looks good to me and the sk102712 is supported.

In regards to your concern "how this may impact in the future", it is mentioned in the Upgrade Guide - here the example for R82.10 - you need to backup your configuration files on the management server before starting the upgrade process. 

best regards

pelmer

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events