wilbfcpl
Contributor

scp backup fails NMBCK9999, ERROR_HOST_BASE_AUTH errors, but manual scp copy works

New to Checkpoint and looking to setup a virtual lab as a learning sandbox. The virtual lab network has a Stand-Alone Gaia 81.20 firewall running OpenSSH 7.8 and a virtual Windows 2019 server running OpenSSH 7.7 and SmartConsole 81.20.

Is there a recommended OpenSSH key exchange setting for a Gaia 81.20 stand-alone system to have scp backup to a Windows Server OpenSSH host?

As indicated in SK 183807, manual scp copy commands work from the virtual 81.20 Check Point Stand-Alone system to the Windows Server 2019 OpenSSH 7.7 host. However, automated backups fail every time with errors on the Windows host citing key mismatch and the Stand-Alone 81.20 firewall reporting NMBCK9999 errors from the command line, along with the Gaia browser portal showing ERR_HOST_BASED_AUTH.

The Stand-Alone 81.20 system's ssh-keyscan of the Windows Server reports an ECDSA key, but after attempting to run the "add backup scp" command the Windows host event log shows an "unable to negotiate, no matching key type" error with ECDSA ecdsa-sha2-nistp256 as the key offering from the Stand-Alone 81.20 system. On the Stand-Alone 81.20 console the error message says "NMBCK999 Unable to validate remote server identity, unable to exchange encryption keys".

The problem appears similar to that described in SK 183807, "Cannot perform a Secure Copy Protocol backup to a new remote SCP backup server via Gaia Portal". SK 183807 recommends contacting Check Point support; however, I do not yet have access to a support account.

Thank you,

Wil B.

0 Kudos
8 Replies
PhoneBoy
Admin

What the internal notes on that SK say is to make sure the correct remote host fingerprint is in /home/admin/.ssh/known_hosts.
Specifically, the remote key should be added with the following command: 

ssh-keyscan -t rsa <remote_server_IP> >> /home/admin/.ssh/known_hosts

0 Kudos
(1)
wilbfcpl
Contributor

Thank you for the help. I just found a seemingly relevant thread that suggested creating admin user keys on the Check Point Stand-Alone firewall.

0 Kudos
the_rock
MVP Diamond

I'm fairly sure that is what you need to do.

Best,
Andy
"Have a great day and if it's not, change it"
0 Kudos
wilbfcpl
Contributor

Thanks. The keys reported on the Windows Host via ssh-add -L do not match the keys reported on the Gaia 81.20 Stand-Alone Firewall and the keys on the firewall vary by the command used to identify them.

On the Windows 2019 host running OpenSSH, the ssh-add -L command shows two ecdsa-sha2-nistp384 keys and one rsa key.

The keys reported on the Gaia 81.20 firewall differ depending on the mechanism:
ssh-keyscan <Windows server ip> reports an ecdsa-sha2-nistp384 key and an ssh-ed25519 key
show ssh hba all shows two ssh-rsa keys and an ecdsa-sha2-nistp384 key
cat known_hosts shows two ssh-rsa keys and an ecdsa-sha2-nistp384 key


0 Kudos
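For PhoneBoy's point about the known_hosts entry and the three differing key listings in the post above, here is an added example of my own (not Check Point code and not from this thread) that parses ssh-keyscan output and a known_hosts file, computes OpenSSH-style SHA256 fingerprints so entries can be compared across sources regardless of how they were listed, and reports whether the host key algorithm the backup client offers (ecdsa-sha2-nistp256 in the event log above) is one the server actually serves. All key blobs and the 192.0.2.10 address are constructed sample data, and every function name is the example's own.

```python
"""Compare the SSH host keys a backup server serves with what the backup client
has pinned in known_hosts and the host key algorithm it offers during key exchange.

Added example; not Check Point or CheckMates code.  Key blobs and the address
192.0.2.10 are constructed sample data.
"""
import base64
import hashlib
import struct


def ssh_string(data):
    # SSH wire-format string: big-endian uint32 length followed by the bytes.
    return struct.pack(">I", len(data)) + data


def constructed_key_blob(key_type, seed):
    # Real OpenSSH public-key blobs begin with the key type as an SSH string;
    # the remainder here is deterministic filler, so this is NOT a usable key.
    filler = hashlib.sha256(seed.encode()).digest()
    raw = ssh_string(key_type.encode()) + ssh_string(filler)
    return base64.b64encode(raw).decode()


def fingerprint(blob_b64):
    # OpenSSH's SHA256 fingerprint: base64(sha256(raw blob)) with '=' padding dropped.
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def embedded_key_type(blob_b64):
    # The key type is also encoded inside the blob; a mismatch with the declared
    # type means the line was hand-edited or corrupted.
    raw = base64.b64decode(blob_b64)
    (length,) = struct.unpack(">I", raw[:4])
    return raw[4:4 + length].decode()


def parse_keys(text, has_host_field):
    """Parse 'host type blob' lines (known_hosts, ssh-keyscan output) or
    'type blob [comment]' lines (ssh-add -L, authorized_keys)."""
    keys = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if has_host_field:
            host, key_type, blob = fields[0], fields[1], fields[2]
        else:
            host, key_type, blob = None, fields[0], fields[1]
        keys.append({
            "host": host,
            "type": key_type,
            "fingerprint": fingerprint(blob),
            "type_consistent": embedded_key_type(blob) == key_type,
        })
    return keys


def diagnose(server_keyscan, client_known_hosts, host, client_offer):
    """Report whether `client_offer` is a key type the server serves and which
    known_hosts pins for `host` still match a served key.  Hashed (|1|...)
    known_hosts entries are not matched here; use `ssh-keygen -F host` for those."""
    served = parse_keys(server_keyscan, has_host_field=True)
    pinned = [k for k in parse_keys(client_known_hosts, has_host_field=True)
              if k["host"] == host]
    served_fps = {k["fingerprint"] for k in served}
    return {
        "server_offers": sorted({k["type"] for k in served}),
        "pinned_types": sorted(k["type"] for k in pinned),
        "pins_still_served": sorted(k["type"] for k in pinned if k["fingerprint"] in served_fps),
        "stale_pins": sorted(k["type"] for k in pinned if k["fingerprint"] not in served_fps),
        "client_offer_served": client_offer in {k["type"] for k in served},
    }


# --- Constructed sample data mirroring the situation described in the thread ---
SERVER = "192.0.2.10"
KEYSCAN_BEFORE = "\n".join([
    f"{SERVER} ecdsa-sha2-nistp384 {constructed_key_blob('ecdsa-sha2-nistp384', 'win-ecdsa-384')}",
    f"{SERVER} ssh-ed25519 {constructed_key_blob('ssh-ed25519', 'win-ed25519')}",
])
# Same server after it was also given a P-256 ECDSA host key.
KEYSCAN_AFTER = KEYSCAN_BEFORE + "\n" + \
    f"{SERVER} ecdsa-sha2-nistp256 {constructed_key_blob('ecdsa-sha2-nistp256', 'win-ecdsa-256')}"
GAIA_KNOWN_HOSTS = "\n".join([
    f"{SERVER} ssh-rsa {constructed_key_blob('ssh-rsa', 'stale-rsa-1')}",
    f"{SERVER} ssh-rsa {constructed_key_blob('ssh-rsa', 'stale-rsa-2')}",
    f"{SERVER} ecdsa-sha2-nistp384 {constructed_key_blob('ecdsa-sha2-nistp384', 'win-ecdsa-384')}",
])
CLIENT_OFFER = "ecdsa-sha2-nistp256"   # key type the firewall offered, per the event log

if __name__ == "__main__":
    for label, scan in (("before", KEYSCAN_BEFORE), ("after", KEYSCAN_AFTER)):
        print(label, diagnose(scan, GAIA_KNOWN_HOSTS, SERVER, CLIENT_OFFER))
```

On the real systems, feed `diagnose` the output of `ssh-keyscan <server>` run from the firewall and the contents of /home/admin/.ssh/known_hosts there. Two stale ssh-rsa pins with no served counterpart and `client_offer_served: False` is the shape of the problem in this thread; after appending a fresh keyscan entry as PhoneBoy describes, or after the server gains a host key of the offered type, rerun it and expect the pin to show under `pins_still_served` and the offer to be served.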
wilbfcpl
Contributor

Manual scp and ssh commands and automatic ftp backup from the virtual Gaia 81.20 Stand-Alone Firewall to the Windows Host Server work fine so far; however, automatic scp backup has failed with the errors cited in the original post.

My goal is a sandbox lab where I can take a backup image generated by our real world Quantum 6200B Gaia 81.20 Stand-Alone Firewall physical hardware unit, review and edit it, and restore the resulting backup onto the sandbox Gaia 81.20 Stand-Alone Firewall and its lab network.

The "Check Point Lab Rapid Deployment Guide" chapter from the Packt Publishing book Check Point Firewall Administration by Vladimir Yakovlev provided inspiration for the sandbox lab. However, its virtual lab does not use a Stand-Alone Firewall, and the lab Windows Server SmartConsole host does not have OpenSSH installed. Also, our real-world network contains VLANs managed by a parent agency distinct from our locally maintained Quantum 6200B Gaia 81.20 Stand-Alone Firewall.

0 Kudos
wilbfcpl
Contributor

Thanks for the support, PhoneBoy and the_rock. My Windows 2019 Server OpenSSH setup is wrong, so I will revisit it and try scp backup again. Meanwhile manual scp copies and FTP backup work, so that's a start.

the_rock
MVP Diamond

Definitely keep us posted how it goes.

Hope it works out at the end.

Best,
Andy
"Have a great day and if it's not, change it"
0 Kudos
wilbfcpl
Contributor

Thanks for the support. The automated backup finally worked when the Windows 2019 Server Backup Host provided an OpenSSH ssh ecdsa key with length 256, matching the offering from the Check Point Stand-Alone firewall.
As a follow-up effort, I will try to establish automatic sftp backup through the appropriate Gaia 81.20 Jumbo HotFix, and then hopefully install Web Smart Console.
Thanks again.

0 Kudos
