Showing results for 
Search instead for 
Did you mean: 
Create a Post
General Management Topics

This space is the place to ask questions about Check Point's Security Management Appliances, Security Compliance, Upgrading your Security Management to R80.x, and more!

Tom_Cripps inside General Management Topics an hour ago
views 233 9

Upgrading to R80.30 has caused one fw_worker to be stuck at 100%

Hi,Since our upgrade to 80.30, our standby member in our cluster has had a fw_worker stuck at 100% cpu, it isn't a particular fw_worker it can change, when one drops another one takes it place essentially. We're also now seeing that when we attempt policy installations we lose "GAiA" in essence as is presented with the raw Bash shell as you would see if booted in maintenance mode.Anything obvious stick out to anyone?Tom
Paul_Hewitson inside General Management Topics 2 hours ago
views 228 9

Upgrade Volume too small

I have an R77.30 Log server which is due for upgrade for R80.20. It is an open server on ESXi Vmware.The upgrade volume is too small to take a snapshot.a) How can I increase the "upgrade volume" sizeb) Is it automatically calculated as I cannot actually see an upgrade volumec) I imagine this is going to prevent me from performing a major version upgrade to R80.20?I can't currently replicate this as all other customer servers and my lab server have an upgrade volume larger than lv_current. If I simply add disk will this resolve itself? It may be in this state due to multiple upgrades over the years. My last resort is fresh install, but it's difficult because the box is remote.LVM overview============Size(GB) Used(GB) Configurable Description lv_current 11 6 yes Check Point OS and productslv_log 48 29 yes Logs volume upgrade 0 N/A no swap 8 N/A no Swap volume size free 12 N/A no Unused space ------- ---- total 79 N/A no Total size Expert@servername:0]# fdisk -lDisk /dev/sda: 85.8 GB, 85899345920 bytes255 heads, 63 sectors/track, 10443 cylindersUnits = cylinders of 16065 * 512 = 8225280 bytesDevice Boot Start End Blocks Id System/dev/sda1 * 1 38 305203+ 83 Linux/dev/sda2 39 1082 8385930 82 Linux swap / Solaris/dev/sda3 1083 10443 75192232+ 8e Linux LVM[Expert@servername:0]# pvsPV VG Fmt Attr PSize PFree /dev/sda3 vg_splat lvm2 a- 71.69G 12.69G[Expert@servername:0]# lvsLV VG Attr LSize Origin Snap% Move Log Copy%lv_current vg_splat -wi-ao 11.00Glv_log vg_splat -wi-ao 48.00G servername> show snapshotsCreation of an additional restore point will need 6.464GAmount of space available for restore points is 0.59G
pete_a inside General Management Topics 3 hours ago
views 51 4

Unable to update through CPUSE

I am trying to run an update to R80.10 Jumbo hotfix FA (take249) on a security management server but every time it completes it's download it immediate fails statingStatus:The package failed to download at Mon Jan 20 17:01:43 2020Reason of failure: Does not match Expected SHA1  Is this anything others have seen, or anyone potentially know what I can do to fix? Cheers,  Pete

Ansible task failing

Hello! I am trying to add an rule to the checkpoint management server (in AWS) through Ansible.If I use the module "cp_mgmt_access_rule" it gives me the error "Relevant hotfix is not installed on Check Point server. See sk114661 on Check Point Support Center." I already installed the latest update, how can I solve this problem? Manager Node Environment: Centos 8, Ansible 2.9.2, Python 3.6.8 (Not using 2.7.9+ because of EOL)
Andreas_Aust inside General Management Topics Saturday
views 230 6 1

When will LSMcli support 1500 Appliance

Hi, is there a roadmap when LSMcli will support 1500 Appliance ?
Tbgaz inside General Management Topics Saturday
views 72 1

Changing ISP - With/Without Topology

Hi,We are changing our backup ISP and we have got the process in place but just wanted to triple check that on the cluster object we select 'get interfaces without topology' after the IP change instead of 'with topology'. It's just a simple interface IP/NAT/ARP rule change. Having looked on here, it seems that 'with topology' isn't the way to go!
libin inside General Management Topics Saturday
views 154 2

Mobile Access Role for Local users

Hi all,Regarding Unified Policy for Mobile Access, if I create access role with the local users. why should I integrate identity awareness in the gateway for the access role to work since here I am calling only the local users.Is it mandatory that the gateway should always connect to the AD for the access role which has local users or only for the first time identity awareness is required?
kb1 inside General Management Topics Friday
views 64 2

Is there a way for me to find the application and associated ports being used by the firewalls?

so we have a bunch of firewall and since we dont have any records of the applications that arebeing used, im being tasked along with my colleague to find the port numbers associated with the applications used in the firewalls? we do use firemon here and i did generate a report for one of the firewalls here but i dont think it shows the ports for the applications, does firemon have that functionality if not how do i accomplish this task? i mean there are a 1000 applications or more being used and need to figure that out for each application so it definitely is a very tedious process.

in.emaild.mta high cpu usage

I'm seeing extremely high CPU usage form the in.emaild.mta that past 2 days. No significant changes have been made. Currently it's consuming %120 of cpu (5400, dual core). I've tried rebooting and failing over.  I'm not seeing much in the queue when running >tecli show emulator queue, but there are 4 items that are stack in there (we are using cloud), cloud queue is rolling through fast as well. I'm a little lost as to why the cpu usage has shot up. looking at the logs we're not seeing any significant increase in mail traffic.   fw ctl multik stat ID | Active | CPU | Connections | Peak ---------------------------------------------- 0 | Yes | 1 | 4738 | 9502 1 | Yes | 0 | 4738 | 9609     
inside General Management Topics Friday
views 95 1

sic status issue

Hi Everyone,      Now found one issue that the SIC status is not normal sometimes. It shows "secure internal communication is not operational with "fwi2n". Verify that SIC is initailized or was not reset".  See below picture . And recovered automatically after a few minutes. The gateway and SMC both are R80.10 version. During the issue period, can't push policy to this gateway.  I tried to rest the SIC, still face same issue.     

CPM fail start

Someone could guide me through this problem.When I couldn't access the smartconsole, I checked the processes by running a cpwd_admin list and found that the cpm process is terminated. So I stopped it and when I started it it showed me the following error, which refers to the java libraries, I looked for information but I can't find anything to fix it.Regards.
ceyhun inside General Management Topics Thursday
views 145 1

Combining two different management server configurations

 I have the following structure.Location A => Management + Gateway (Cluster) (R77.30)Location B => Management + Gateway (Cluster) (R80.10)We want the management server at location A to be disabled and the structure at that location is managed from the Management server at location B.There are thousands of objects, many S2S and hundreds of NAT rules on the Management server at location A. How do we transfer objects on this management to management at location B, or how to plan scenario for the transition. I want to gather management on location Management Server at location B. How can I do that? I'm waiting for your comments and ideas. Finally, unfortunately I do not have an MDS license. Thanks

Strange log - Originating from against

Hi,I found a strange and recurring log "originating from against" for the blade IPS - see screenshotNo behavior, but a lot of this for all our firewall.Firewall and MGMT are running version R80.20 Any idea for that point ?Thanks,Arthur
Prince_Osei_Wia inside General Management Topics Thursday
views 6859 10 3

Having problem with my clusterXL: Error message "HA module not started" after cphaprob stat.

Cluster XL is enabled using cpconfig#cphaprob statHA module not started
Anu_Cherian inside General Management Topics Thursday
views 22097 31 1

Site to Site VPN between Checkpoint and Palo Alto Firewalls

Hi All,We have a requirement to setup Site-to-Site vpn between our Checkpoint FW and customer Palo Alto FW. I have created one, but the issue is IKE phase 2 fails. I have confirmed the negotiation parameters with my customer engineer and it looks like everything is in order. What could be the possible issue?I used VPN tu and SmartView  monitor to view but to no success. Any advices will be highly appreciatedThank you so much