
How to tell SIC Reset NOT to fetch topology

When upgrading our R77 gateways to R80.20 using blink, we have to Reset the SIC. When doing this on the R80.20 SmartCenter, the SmartCenter fetches the topology from the gateway and re-arranges the Antispoofing definitions, which is highly undesirable. Is there a way to prevent that the SmartCenter fetches the topology

how to Check Managed Gateway quota

Greetings, I'm looking for some commands to show exactly how many GWs are being managed from the SM view. I need this to compare with the licensing capabilities of my mgmt. The count is quite simple with "normal" GWs and clusters, but it could be quite tricky in an environment with VSX. The best command I've found is:
cplic check -p fw1 -c cluster-1
But I'm not sure this is showing exactly the count I need. Any suggestions?

SmartMove Index was out of range error for Netscreen

Doing some testing with the SmartMove tool. Ran a couple of SRX configs (XML format) through it and had no issues, but when testing Netscreen configs (txt format) I get "Index was out of range. Must be non-negative and less than the size of the collection". This happens almost immediately when the tool starts running and provides no logs, so it's hard to try to figure out what is causing the problem. Looked around and couldn't find any information, so any info would be appreciated.
Josh_Dill inside General Management Topics Thursday
views 102 3

Identity Awareness setup

Hi All, I will be setting up Identity Awareness in an R80.10 MDS environment. We will be using Identity collects to communicate with the DCs and provide what is in the security logs to the firewall. After reading the documentation I have some questions regarding setup and usage. Thanks in advance:

1) I have read the following identity collection requirement: "Identity collector provides information about users, machines and IP addresses to the Security Gateway. LDAP Account Unit(s) should be configured to allow PDP gateways to perform group lookups on IDs that are provided from Identity Collector to match them to Access Roles." If an account unit is created in the domain (checkpoint local domain NOT active directory) and applied to the firewall object under firewall properties - others - user directory, is that all I need to perform this requirement?

2) There is no way to apply an account unit I created in global directory (at least not that I can find). Does this mean I cannot use global rules with identity awareness since the global account unit would not be assigned to the firewall to perform global lookups?

3) Is there any way to create rules for individual users as opposed to groups?

Thanks, Josh

SmartView web access for firewall policy

Hi, I got one question from one of my customers. SmartView (web-based) is a great tool and is used for accessing the logs as a read-only user. That's nice. But is there an existing way to access the access policy in the same way? Currently we use the web_api_show_package.sh script to export to HTML, but it is not really easy to access the HTML file for the policy and SmartView for logs... Thanks for your help guys! Arthur

Reverting back an upgrade to R80.10 from R77.30

Hi folks. I'm in the middle of testing the upgrade steps required to get our R77.30 VSX Gateways from R77.30 to R80.10. We've already done the management side, which is already on R80.10. I've tested upgrading a gateway (albeit in VMware) using vsx_util upgrade on the management side and cpuse on the gateway side, which is all fine. What I'm really struggling to find are procedures for rolling back if we need to, so my question is... is it possible to uninstall or revert back to R77.30 on the gateway?
Marcel_Wildenbe inside General Management Topics Wednesday
views 3071 30 3

upgrade to R80.20 failed

Hi CheckMates, Last night, I tried to upgrade our MDS from R80.10 to R80.20. I have run into a few issues, but the most aggravating was when the installer got stuck and I had to reboot in order to get any further; the snapshot that was made by the installer was not removed and a new attempt is telling me there is not enough free space. CP support tells me to run MDS export, do a fresh install and import, but I would like to avoid the hassle and just remove the LV. Can I remove this Logical Volume and if so, how do I do that? It is GAIA running on VMware 5.5, so it is using LVM for snapshots. "show snapshots" is showing no snapshots, but lvm_manager shows me lv_fcd_new of 300 GB, non configurable, containing: Factory defaults volume, which was not present prior to the upgrade.
Sarayut_Romsuk inside General Management Topics Wednesday
views 2356 9 1

Can't install policy due to gateways obj don't show in policy target

After my customer restored a backup using upgrade_import to a new Mgmt (Gaia R77.30), they can't install policy because the firewall gateway objects don't show up in the policy targets. Please advise me how to solve this issue. Note: SIC status is communicating / SMS can ping the gateways as normal. I tried SK77821 already but no luck. It looks like the gateway objects don't show in SmartView Monitor either.
Blason_R inside General Management Topics Tuesday
views 2870 13

Captive portal for linux SSH or Terminal windows

Hi there, Is anyone aware if any mechanism exists to leverage Identity Awareness when I would like to pass through a firewall with Captive Portal enabled while using SSH or Linux with no GUI terminal? With a browser, yes, it's pretty much possible; but what if the GUI is not available? Thanks and Regards, Blason R
Hugo_vd_Kooij inside General Management Topics Tuesday
views 102 1 2

A request for an in-depth session on the backend of R80

Hi, When I read articles like sk157932: "Accept" traffic statistics are not displayed in the Access Control view, then I could appreciate a session about how the backend things are designed and how they interact. This article explains some of it, but I think an in-depth session on Check Mates would be a good idea to understand a lot more of how everything works in the backend where all the data is stored. I can deduce a lot from separate articles, but putting it all together would be a good idea in my view. Let me know your thoughts on this. Regards, Hugo.
Sumedh_Gujar inside General Management Topics Tuesday
views 522 9 1

Behavior of HA cluster when SYN link is down

Hi, I am a bit confused about the behavior of an HA cluster. We have configured an HA cluster between our 2 firewalls (12400 and R77.30). We have a point-to-point link between these 2 firewalls for syncing. When this link goes down, our Active firewall goes to down state and the Standby firewall goes to Active state, which we can see in the cphaprob stat command. I just want to confirm whether this is the normal behavior of Checkpoint firewalls in HA mode. Or, like Cisco HSRP, should both firewalls go to Active Active mode? Thank you, Sumedh
Vincent_Bacher inside General Management Topics Monday
views 29086 15 8

Will (Smart)Workflow come back?

Hello together, I am wondering if there is any news on if and when (Smart)Workflow will come back. Does anybody have news about that? Best regards, Vincent
Heath_Mote inside General Management Topics Monday
views 2805 12

R80.20.M2 Management - Finalizing Stuck at 99% During Policy Installs

Setup is 2x Management Server 5150 with dedicated SmartEvent server all running R80.20.M2 pushing policy to a single 5800 HA ClusterXL setup all running R80.10. The management and cluster are located at the same site. The access/threat policy takes less than 3 minutes to succeed on the cluster but the 99% finalizing status takes a very long time to complete. I've just pushed a policy and it again finished in 3 minutes but has been stuck at 99% finalizing for the past 45 minutes... Is anyone else experiencing this after updating your management to R80.20.M2 or R80.20 in general?

Endpoint client policy updates

Hi, I have a customer who has a central NPM/EPM server (R77.30) to manage their firewall and endpoint estate. They have an additional Endpoint Security Policy Server which faces the internet for clients in the field, and this works okay. I was wondering if by putting a reverse proxy (e.g. NGINX) in front of the private EPM, we could in R80 replace the functionality of the current policy server, to save on support costs? Thanks, Jamie

How to import Management Server VM configuration to Appliance(Smart-1 410) ?

Hi Everyone, I am trying to import the configuration of a Management Server VM which has R80.20 OS to the Smart-1 410 Appliance having the same OS and same build number. I guess "System backup" will not work here since they are different products. Hence I tried to use the "migrate export and import" method, but while trying to import into the appliance, the error pops up as "Database migration between Standalone and Management only machines is not supported". Any suggestions will be highly appreciated. With Regards, Bishal Upadhyay