General Management Topics

This space is the place to ask questions about Check Point's Security Management Appliances, Security Compliance, Upgrading your Security Management to R80.x, and more!

nycc3883
nycc3883 inside General Management Topics yesterday
views 54 5

Multiple WAN IP for IPSEC

I have 5 public static IPs. 1 IP is attached to the cluster, 2 IPs are attached to each member. The remaining 2 IPs I would like to use for IPsec, to serve as primary and secondary. Is it possible? Please advise.
Nicholas_Moore
Nicholas_Moore inside General Management Topics yesterday
views 178 5

Smart Console Cannot log into R80.30 Management Server

For the last several months my team has been unable to reliably log into Smart Console. We receive the following error messages:

"The operation timed out."

and

"An error occurred receiving the HTTP response to https://xxxxxxx/cpmws/LoginSvcRemote?wsdl. This could be due to the service endpoint binding not use the HTTP protocol. This could also be due to an HTTP request context being aborted by the server (possibly due to the service shutting down). See server logs for more details."

We have Diamond support. We have no answers. Has anyone else experienced anything like this? We have been locked out for minutes, hours and days at a time. There doesn't appear to be any urgency from support to get this resolved.

SmartTasks-documentation ?!?

Hi,

Has anyone been able to find any documentation about the new SmartTasks feature introduced in R80.40 (besides the sparse information in the CP_R80.40_SecurityManagement_AdminGuide.pdf)? I was hoping to find something at the API page but not yet... (https://sc1.checkpoint.com/documents/latest/api_reference/index.html)

Cheers

Changing the hostname of gateway and policy target in R88.20

Hi,

We have an R80.20 (4600) Check Point cluster running in production, and we have a policy package, suppose with the name testfirewall_package, with the policy target IIAAACFWECTEST (this is the name of the cluster firewall). We have approx. 100 plus rules in the policy package. We are planning to migrate to the new Check Point model 6800. We need to keep all the IPs the same but with a different hostname, and need to push the same policy package (we have 100 plus rules in this policy package).

1. Our plan is to not delete the gateway object, just reset the SIC with the new hostname and change the gateway name to the new hostname (name of both the gateway object as well as the cluster name). Will it allow me to change to the new hostname?

2. If I change the gateway object name (cluster name) to the new name, will the policy installation target change to the new-name gateway automatically? If not, is there any option to change the policy target as a whole instead of doing it manually one by one?
Dima_M
inside General Management Topics Thursday
views 93 1
Employee+

Automate your everyday tasks with SmartTasks

In R80.40 we introduced SmartTasks, a powerful feature that further expands the openness and extensibility approach. SmartTasks saves admins valuable time by automating routine tasks with pre-defined or customizable actions. A SmartTask is a combination of a trigger and an action. Triggers are events – currently defined in terms of existing management operations, such as install policy or publish. Actions are automatic responses that take place after a trigger is fired, such as running a script or posting a web request. Below you can find the first SmartTask we created (more to come soon). To start using it, just import the SmartTask into your R80.40 Security Management Server. You're very welcome to check out the scripts, modify them and create your own SmartTasks.

SmartTask - Validate Session Name Format
Dima_M
inside General Management Topics Thursday
views 106 1 1
Employee+

SmartTask - Validate Session Name Format

This SmartTask validates that every published session has a specific name format. To achieve it, the SmartTask runs on each publish operation attempt, extracts the session name format specified in the custom data field and validates it against the actual session name.

You can download the attached SmartTask in txt format and import it to your Security Management Server. Right after import, you'll find the SmartTask itself in Manage and Settings > SmartTasks; the script it uses resides in the Scripts Repository (Gateways & Servers > Scripts).

In this example, we want the session name to start with a ticket number (CR). To achieve that, we configure a SmartTask that will run before a session is published and run a script that will validate that the session name prefix matches our format. If it doesn't, the script will indicate to abort the publish operation.

Management server behind NAT: cannot get logs from one cluster

Hello,

R80.40 Management Server behind NAT managing three clusters: two on-site R77.30s and one remote R77.20 (1450 appliances). NAT on the Management is configured as per below:

The internal IP of the Management Server is in the subnet shared between the two on-site clusters. I have no issues pushing the policy to all three clusters. I also successfully receive logs from the remote cluster and the one on-site cluster listed in the "Install on Gateway" field; however, I do not get logs from the third cluster. 'netstat -nap' on the problematic cluster shows that it tries to access the NATed IP. I went through sk100583 and sk129933, and tried to play with routing (routing the NATed IP to the working cluster) but it doesn't seem to help.

My question is: shall "Install on Gateway" be set to All?

Thank you.
Jorge_Chavez
Jorge_Chavez inside General Management Topics Wednesday
views 102 1

Migration tool R80.10 to R80.30

Hi,

Can someone point me in the right direction? I'm looking for instructions on where to download the migration tools on my SMS, and what the commands are to verify.

Thanks
Rafael_Lima1
Rafael_Lima1 inside General Management Topics Wednesday
views 2477 14

Problem after migration to R80.20 - ClusterXL

After migrating from version R80.10 to version R80.20, our cluster presents the following messages.

Feb 25 16:40:45 2019 FWINTRA1 kernel: [fw4_1];CLUS-216400-2: Remote member 1 (state ACTIVE -> LOST) | Reason: Timeout Control Protocol packet expired member declared as DEAD
Feb 25 16:40:46 2019 FWINTRA1 kernel: [fw4_1];CLUS-214904-2: Remote member 1 (state LOST -> ACTIVE) | Reason: Reason for ACTIVE! alert has been resolved
Feb 26 06:55:33 2019 FWINTRA1 kernel: [fw4_1];CLUS-216400-2: Remote member 1 (state ACTIVE -> LOST) | Reason: Timeout Control Protocol packet expired member declared as DEAD
Feb 26 06:55:33 2019 FWINTRA1 kernel: [fw4_1];CLUS-214904-2: Remote member 1 (state LOST -> ACTIVE) | Reason: Reason for ACTIVE! alert has been resolved
Feb 26 13:49:52 2019 FWINTRA1 kernel: [fw4_1];CLUS-216400-2: Remote member 1 (state ACTIVE -> LOST) | Reason: Timeout Control Protocol packet expired member declared as DEAD
Feb 26 13:49:52 2019 FWINTRA1 kernel: [fw4_1];CLUS-214904-2: Remote member 1 (state LOST -> ACTIVE) | Reason: Reason for ACTIVE! alert has been resolved

In this cluster the backup traffic passes, causing high consumption. Before the migration we had the same consumption, but the messages/errors did not occur.

Another thing: we are verifying a connectivity problem on our servers and the time is similar to that listed in the above messages. Can these messages identify traffic disruption?

We have seen that it does not occur on all servers, but on the most sensitive ones the connection is interrupted, causing serious problems on servers that use NFS.

Another detail: we are getting the following message when executing the "show cluster failover" command, but we did not run cpstop on the gateways.

FWINTRA1> show cluster failover
Last cluster failover event:
Transition to new ACTIVE: Member 1 -> Member 2
Reason: FULLSYNC PNOTE - cpstop
Event time: Tue Feb 26 15:02:13 2019
Cluster failover count:
Failover counter: 4
Time of counter reset: Mon Feb 11 21:30:31 2019 (reboot)
Cluster failover history (last 20 failovers since reboot/reset on Mon Feb 11 21:30:31 2019):
No. Time: Transition: CPU: Reason:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 Tue Feb 26 15:02:13 2019 Member 1 -> Member 2 00 FULLSYNC PNOTE - cpstop
2 Tue Feb 26 13:49:52 2019 Member 1 -> Member 2 00 FULLSYNC PNOTE - cpstop
3 Tue Feb 26 06:55:33 2019 Member 1 -> Member 2 00 FULLSYNC PNOTE - cpstop
4 Mon Feb 25 16:40:45 2019 Member 1 -> Member 2 00 FULLSYNC PNOTE - cpstop
_______________________________________________________________________________________________
FWINTRA2> show cluster failover
Last cluster failover event:
Transition to new ACTIVE: Member 1 -> Member 2
Reason: FULLSYNC PNOTE - cpstop
Event time: Tue Feb 26 15:02:13 2019
Cluster failover count:
Failover counter: 4
Time of counter reset: Mon Feb 11 21:30:31 2019 (reboot)
Cluster failover history (last 20 failovers since reboot/reset on Mon Feb 11 21:30:31 2019):
No. Time: Transition: CPU: Reason:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 Tue Feb 26 15:02:13 2019 Member 1 -> Member 2 00 FULLSYNC PNOTE - cpstop
2 Tue Feb 26 13:49:52 2019 Member 1 -> Member 2 00 FULLSYNC PNOTE - cpstop
3 Tue Feb 26 06:55:33 2019 Member 1 -> Member 2 00 FULLSYNC PNOTE - cpstop
4 Mon Feb 25 16:40:45 2019 Member 1 -> Member 2 00 FULLSYNC PNOTE - cpstop

Environment:
Check Point's software version R80.20 - Build 255
kernel: R80.20 - Build 014
JHF Take: 17
OpenServer - Dell PowerEdge R730
Abdullahi_Said
Abdullahi_Said inside General Management Topics Wednesday
views 1733 11

"Failed to connect to database"

Hi,

I keep on getting an error message "Failed to connect to database" when I select cpconfig > gui client (3) for the management server. It would be much appreciated if anyone could help me.

Dameon Welch-Abernathy

Thank you
checklock
checklock inside General Management Topics Tuesday
views 7312 10 1

Blocking list of domain names (FQDN) with R80.10

I want to block a list of domain names (example.com, google.com, customurl1.com, customurl2.com, customurl3.com, and so forth) using Checkpoint Firewall R80.10. This has proven challenging, though. I want to block the domain names from being resolved at the DNS level, even if it has no IP address assigned to it yet.

The two options appear to be to use:

1. Application Control & URL Filtering
2. Block domains using Domain Objects

Is there a clear-cut solution to perform what I am trying to achieve? Documentation has left me feeling unclear. I want to know what the proper approach for doing this is.
Vincent_Bacher
Vincent_Bacher inside General Management Topics Tuesday
views 2646 5 5

SmartMove and Cisco Security Contexts

Hello mates,

if you have an old Cisco ASA appliance using security contexts, are you able to use SmartMove for migration to Check Point? I did not see anything related to that in the knowledge base. Has anybody already done this so far? I believe migrating a Cisco ASA using security contexts leads to using VSX on the Check Point gateway, right?

Any hint is appreciated.

Best regards,
Vincent

NAT Loopback configuration problem in R80.10

Hi,

I have a problem configuring a hairpin NAT (NAT Loopback) on my system. I have a local LAN that is 192.168.0.0/24. On the WAN side I have xx.xx.xx.107, which is what all "normal" traffic is using without any problem. I have xx.xx.xx.122 where I NAT https to an internal server. I can access the https NAT server from an external IP. When I try to access the https external IP from an internal IP on the LAN side (192.168.0.0/24) it is not possible to access the service. In the log file for the access control policy I get an entry that the client is going out to access the external IP. I do not get a log entry for denied or allowed for the access back to the https service.

I have been reading https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk110019 but I do not get it to work. The config I have in my NAT rules is according to the attached picture. What is it that I am missing? Are my NAT rules in the incorrect order?
fw_ctl
fw_ctl inside General Management Topics Tuesday
views 237 8

Best (simplest) way to export policy from old CMA to new all R80.20

As above - I have a requirement to migrate a policy package (Gaia config not important) from an existing CMA in MDS domain #1 to a new CMA in domain #2 (same MDS). I have looked into multiple methods, such as ofiller/dumper, cp_merge, etc. What are people's tried and tested methods, as I don't see an official SK or supported methodology?
kb1
kb1 inside General Management Topics Monday
views 193 5

can anyone share a document related to troubleshooting of management servers?

Was on a troubleshooting session with Check Point and she seemed to use a bunch of complicated commands which I could not make notes of for the management server. Apparently there was a solr service issue with the primary server and she issued a bunch of commands to find that out and then ultimately restart that process (there was also apparently a problem with cpm and she found that out by issuing another complicated command, since when I used cpwd_admin list it showed cpm running, so this part confuses the heck out of me), and then used a lot of other commands to make sure the servers are successfully synced with each other. So it would be helpful if I could get a document (I'm assuming all of this is CCSE level) that would state all the complicated commands along with an explanation.

Regards.