cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post
Bill_Ng
Bill_Ng inside General Management Topics 2 hours ago
views 101 4

Network interface / topology information

Any one know of a good way to get gateway (physical and vsx) interface and IP information into a report.  Would like to have a quick reference guide for this information instead of having to click into each gateway and jotting it down.  Basically a script or something to be run to gather the info.
aloshukla56
aloshukla56 inside General Management Topics 8 hours ago
views 44 2

option to add a new security gateway object is grayed out in smart dashboard

  Option to add a new security gateway object is grayed out in smart dashboard. What would be the probable issue, 
PhoneBoy
inside General Management Topics 8 hours ago
views 114452 42 133
Admin

R80.x Training Videos

These videos were recorded originally for our partners by Jim Oqvist, but CheckMates members can now access this exclusive content! Introduction Duration R80 Management Training Introduction (view in My Videos) Please note that Ravello blueprints have been discontinued and are no longer available.Most of the labs can be done with the Cloud Demo Mode in R80.x SmartConsole. 00:03:07  Module 1: Introduction to Security Management   R80 Management Training Lesson 1 - Big Picture‌ 00:38:50 R80 Management Training Lesson 2 - Installation‌ 00:33:30 R80 Management Training Lesson 3 - SmartConsole‌ 00:46:50  Module 2: Enhance the Way You Manage Policies   R80 Management Training Lesson 4 - Access Control‌ 00:46:30 R80 Management Training Lesson 5 Threat Prevention Policy‌ 00:30:00 R80 Management Training Lesson 6 - Management API‌ 00:45:45 R80 Management Training Lesson 7 - Logs & Monitoring‌ 00:35:35  Module 3: Multi-Domain Management and Migration to R80   R80 Management Training Lesson 8 - MDSM‌ 00:15:00 R80 Management Training Lesson 9 - Migration‌ 00:13:15
Fulcrum
Fulcrum inside General Management Topics 9 hours ago
views 1384 4

Logging CMA into separate log server

Hello,We have remote site with SMS which we would like to import into another environment with MDM. MDM logs into MLM. However we do have requirement to keep logs of the remote site locally in that location. (geographical/compliance restrictions). Is it possible to log one domain into separate local CP log server post import (not MLM)? Or we do need to get second MLM with 1CLM for that?Everything is on R80.10 
BLD
BLD inside General Management Topics 9 hours ago
views 165 6

Migrate Standalone gateway R80.10 to new R80.30 in different box (Open Server)

We are trying to migrate all the configurations in our current R80.10 open server to a new box with R80.30 (open server).Spent already a few days with all found instructions to no avail. We installed the R80.30 upgrade tools in the 80.10 security gateway. The package is installed at /opt/CPupgrade-tools-R80.30If we run from that path "./migrate export filename.tgz" we get an error.  In the error logs we see that it attempts to run the "pre_upgrade_verifier" (why?). But the package does not contain the pre_upgrade_verifier[20 Sep 11:02:05] [ExecCommandGetOutput] Going to execute command: '"/opt/CPupgrade-tools-R80.30/bin/././pre_upgrade_verifier" -p "/opt/CPsuite-R80/fw1" -c 6.0.4.8 -t 6.0.5.0'[20 Sep 11:02:05] [ExecCommandGetOutput] ERR: Command completed with error code -1[20 Sep 11:02:05] ..<-- ExecCommandGetOutput[20 Sep 11:02:05] [PreupgradeVerifierRunner::exec] ERR: Preupgrade verifier had failed[20 Sep 11:02:05] [PreupgradeVerifierRunner::exec] Preupgrade verifier's output:-------------------------------------"/opt/CPupgrade-tools-R80.30/bin/././pre_upgrade_verifier" -p "/opt/CPsuite-R80/fw1" -c 6.0.4.8 -t 6.0.5.0: No such file or directory------------------------------------- If we the copy the pre_upgrade_verifier from "$FWDIR/bin/upgrade_tools/" to "/opt/CPupgrade-tools-R80.30" and we run "migrate" again, pre_upgrade_verifier obviously fails because it does not support being run from 6.0.4.8 to 6.0.5.0We then tried running "/opt/CPupgrade-tools-R80.30/scripts/migrate_server export -skip_upgrade_tools_check -v R80.30 <output tgz file>". After a few minutes running, it ends with an error, but no indication of a log or anything similar with a description of the error. Disk space has been reduced by 200MB,Can anybody help with this? Thanks!
Richard_Cullum
Richard_Cullum inside General Management Topics 10 hours ago
views 30

Azure partition sizing for Check Point management platform

Hi I've noticed that the tow  R80.10 management servers we deployed in Azure seem to have used default parttioning sizing. I allocated 1TB diskspace to the VM but after the servers built themselves, the /var/log is only 41.65Gb.Is there a way to subsequently change this so I can allocate more space to /var/log? Can I use methods described in sk95566 for Azure deployed images? In future, is there anything that can be done to change this before  Azure builds?
Vladimir
Vladimir inside General Management Topics yesterday
views 14361 25 5

Problem accessing standby cluster member from non-local network

Log shows accepted traffic on SSH and 443, cluster members connected to number of Cisco switches with VLANs in L2 mode.No problem accessing both members from connected network.vMAC in the cluster object IS ENABLED.Any suggestions will be appreciated.Thank you.

Changing IP address of Standalone 80.10 appliance

We have a standalone appliance running 80.10.  We need to change the management IP.I came across a previous inquiry post, but the system in that case was running 77.30 and it turned out they were only wanting to change the IP of an interface that isn't tied to the Security Management.I did go over sk40993 "How to change the IP Address of a Security Management" but that seems to assume that the Security Management is a separate server with it's own IP.In my case there's only one object related to the appliance.  If I change the IP of the object to the new IP, then SmartConsole is unable to push the policy as it then loses connection to the gateway side of the appliance.If I then change the management IP in Gaia, then I lose the SmartConsole connection.  If I then try to reconnect SmartConsole to the appliance, it won't connect.   It is as if the Security Management is still using the original IP.I assume cpstop/cpstart restarts the Security Management server ("api status" seems to show this to be the case) but that doesn't seem to have the Security Management server in the standalone start using the new IP.If I go back to Gaia and change the IP back to the original IP, then I can reconnect SmartConsole to the Security Management.I looked into sk103356 but there's no ICAip in the registry, nor was I able to find any IP reference in said registry.Once I get SmartConsole to be able to connect to the new IP and show connection to the gateway, I can handle any other IP related changes.Originally when I changed the IP from the appliance front panel, I would get locked out of Gaia completely, as the policy wasn't allowing connections to the new IP.   I added an object with the new IP to allow the connection so with either IP configured, I can at least connect to Gaia.How do I fix this short of running the First Time Configuration again?
Sundar_Ramanath
Sundar_Ramanath inside General Management Topics Thursday
views 2397 15 2

R80.10 Gateways drops traffic after policy Install

Having issues with R80.10 gateways, which are dropping traffic after a policy install. Re-installing the policy again brings everything back to normal. Issue specific to R80.10 gateways, have R77.30's which are working fine. Appreciate any inputs in troubleshooting this further.Thanks
esinos
esinos inside General Management Topics Thursday
views 66 1

Anti Malware Blade - Log Definitions

Hello,Checkpoint Anti Malware blade logs some reasons, as far as I understood, these logs mean as anti malware could not process the trafic, and because action is "accept" we need to manually control (or rely on other security products) if these traffic is malicious or not?Could you please share the list of these reasons and definitions?Example log:<13>Sep 18 09:19:58 192.168.100.253 18Sep2019 09:19:58 accept x.x.x.x product: Anti Malware; src: y.y.y.y; s_port: 58780; dst: z.z.z.z; service: 25; proto: tcp; rule: ;LastUpdateTime: 1568787659;Suppressed logs: 1;__policy_id_tag: product=VPN-1 & FireWall-1[db_tag={.............};mgmt=xxxxxx;date=1568709586;policy_name=xxxxxxxxx];has_accounting: 0;i/f_dir: outbound;i/f_name: eth2-03;is_first_for_luuid: 0;logId: -1;log_id: 2;log_sequence_num: 59;log_type: log;log_version: 5;origin_sic_name: CN=xxxxxxxxxxxxxxxx-fw,O=xxxxxxxxxxxxxx..nmyete;reason: Mail processing timeout;received_bytes: 691;sent_bytes: 0;session_id: ;severity: 1; some of Anti malware reasons:Mail processing timeout, CFCHttpClient::ReadResponse() - Request timeoutConnection to center failed: Internal Server Error 
lucafabbri365
lucafabbri365 inside General Management Topics Wednesday
views 431 19 1

Windows Update Services with HTTPS inspection enabled

Hello,we are having issues accessing Windows Update with HTTPs Inspection enabled (Check Point R80.20 with Take 87) and "Bypass HTTPS inspection of traffic to well-known software update services" option checked.If, from browser, I try to surf to https://slscr.update.microsoft.com, instead of getting "403 - Forbidden: Access is denied.", I get the "ERR_CONNECTION_RESET" error.Any advice ? Thank you,Luca
Alex_Shpilman
Alex_Shpilman inside General Management Topics Wednesday
views 5277 13

Management R80.20 instability

Since upgrading the management from R80.10 to R80.20 in one of my customers, we had constant instability. This got escalated after applying HFA33, this week I had to open 4-5 cases about different issues.The logging from secure gateways dropsped every couple minutes, due to incorrect calculation of available disk space, newly added log servers don't appear in "logs & monitor" tab and not pushed to the DB, one Cloud Gaurd gateway lost its license, Smart Console was crashing every 10 min. After applying HFA43 today most of the issues resolved, I gave up on the new vsec license pool and came back to the old but working vsec licensing method.Did anyone experience something like this with R80.20? I am now concerned about our other R80.20 deployments.

Migration of a physical remote management server and gateways to a local one with VSX

Greetings everyone, and good day.I am planning to migrate a remote management server, with 2 gateways in a VRRP cluster running version R80.20, to a local existing infrastructure, in order for it to be centralized. This infrastructure was migrated previously from an R75.47 version, and has different VLANS and routing.The local infrastructure is running R80.10 with a few VSX clusters and the relative virtual systems. There is also a dedicated log server running also R80.10.I have an idea on how to perform this migration, but I am looking for corrections and/or validation of the steps I planned, in order to do this properly. I hope this also helps somebody else in my situation.1 - Upgrade of the local management server to R80.20:  a. Snapshot of the management server (SK108902)  b. Upgrade of the CPUSE package to the latest release (SK92449)  c. Upgrade of the management server to R80.20 through CPUSE (SK92449)  d. Test policy installation  e. Installation of the latest jumbo hotfix package for R80.20 (SK137592)  f. Repeat steps A through E for the dedicated log server2 - Migrate objects and policy package to the local management server:  a. Export the remote management server objects through "migrate export" utility (Youtube)  b. Import the remote objects to the local management server through "migrate import" utility (Youtube)  c. Export the remote policy package from the remote management server through these tools  d. Import the remote policy package to the local management server  e. Verify correct import3 - Creation of a new VSX gateway on the local server  a. Create a new virtual machine or appliance acting as VSX gateway  b. Create new cluster containing the 2 virtual systems (The IP for the local VSs should be the same as the remote ones)4 - Integration of the remote gateways in the local infrastructure  a. Reset the SIC of the remote BACKUP gateway and create a new PSK via cpconfig  b. Turn off the local interfaces on the underlying switch except for the management  c. Create SIC on the local management server  d. Policy installation(Begin disservice)  e. CPSTOP on the ACTIVE gateway  f. Turn on local interfaces on the switch for the gateway connected to the local management(Stop disservice)  g. Repeat steps A-D for the remaining gateway I'd be most appreciative for any inputs or thoughts you might have on this approach. Thanks in advance for your help. 
Rahul_Borah
Rahul_Borah inside General Management Topics Wednesday
views 66 1

Trend micro DDI Integration with checkpoint

Hi Expert,  My client wants to Integrate Trend micro DDI with the checkpoint.My concern, Is there any impact of performance in Checkpoint if Trend micro DDI Integrate with the checkpoint.Regards,Rahul

R80.10 to R80.30 Management Server Upgrade

I'm going to be upgrading my management server from R80.10 to R80.30 soon. I know an advanced upgrade to a new server is recommended for the new kernel and file system. I guess I'm just curious how many people are upgrading to R80.30 like that. I've heard from a few other Check Point admins that are just doing in place upgrades. I guess my question is, is it worth the effort to migrate to a new VM in my case?