Sangeeth_N inside General Management Topics 2 hours ago

Informational Exchange Received Delete IKE-SA from Peer: xx.xx.xx.xx

Hi, I am trying to establish a VPN with an interoperable device [Sophos]. As checked, all the VPN parameters are matching. The VPN itself is not getting established and I am able to find the below mentioned log in SmartLog:

    Informational Exchange Received Delete IKE-SA from Peer: xx.xx.xx.xx; Cookies: xxxxxxxxxxxxxxxxxxxxxxxxxxx

Any idea regarding why this issue occurred?

R80.30 upgrade from R80.10

We upgraded from R80.10 to R80.30 this last weekend. The process is well documented, although we wasted time when we got to the global SmartEvent server, as detailed below... Some notes from our experience:

- Preloading kernel module drivers for VirtSCSI and VirtPCI.
- 'R80.30 Management Server Migration Tool' is referenced in documentation as being 'Upgrade Tools'.
- License management via SmartUpdate is again problematic, use CLI.

Preloading kernel module drivers for VirtSCSI and VirtPCI

Our compute nodes use Linux KVM so we were previously limited in R80.10 to using the VirtIO Block drivers (/dev/vda). This unfortunately doesn't support TRIM/DISCARD/UNMAP, so we were primarily looking forward to a more modern kernel to gain access to storage using VirtIO SCSI.

We amended /etc/modprobe.conf to include additional drivers:

    alias scsi_hostadapter cciss
    alias scsi_hostadapter1 ata_piix
    alias scsi_hostadapter2 ahci
    alias scsi_hostadapter3 virtio_pci
    alias scsi_hostadapter4 virtio_scsi

Then rebuilt the kernel:

    cd /boot
    mkinitrd initrd-3.10.0-693cpx86_64.img 3.10.0-693cpx86_64 -v -f

Implemented Ceph object size aligned (4 MiB) partitioning structure:

    Disk /dev/sda: 419430400s
    Sector size (logical/physical): 512B/512B
    Partition Table: gpt
    Number  Start      End         Size        File system     Name  Flags
     1      8192s      622591s     614400s     ext3            boot
     2      622592s    9011199s    8388608s    linux-swap(v1)
     3      9011200s   419430366s  410419167s                        lvm

    Disk /dev/sdb: 209715200s
    Sector size (logical/physical): 512B/512B
    Partition Table: gpt
    Number  Start   End         Size        File system  Name  Flags
     1      8192s   209715200s  209706975s                     lvm

We use pvmove and pvextend to separate the operating system and PostgreSQL from logging and temporary file management:

    [Expert@fwcpm1:0]# lvdisplay -m | grep -e 'LV Path' -e 'LV Size'; lvdisplay -m | grep -A 3 -e 'Logical extents '
      LV Path                /dev/vg_splat/lv_current
      LV Size                195.69 GiB
      Logical extents 0 to 6261:
        Type                linear
        Physical volume     /dev/sda3
        Physical extents    0 to 6261
      LV Path                /dev/vg_splat/lv_log
      LV Size                99.97 GiB
      Logical extents 0 to 3198:
        Type                linear
        Physical volume     /dev/sdb1
        Physical extents    0 to 3198

We ran into a problem when we attempted assembling the kernel, booted using a CentOS 7 rescue environment. I assume this to be an undocumented security feature, albeit one resulting in having to disconnect the drive and reattach it using either IDE or AHCI emulation when assembling the kernel boot image.

Question: Is there a Check Point recovery boot image with which one can package the Gaia 3.10 kernel?

Check Point R80.10 - CPU utilisation - Multi Domain Log Server:

Check Point R80.30 - CPU utilisation - Multi Domain Log Server:

Great performance improvement with us running it on Ceph...

'R80.30 Management Server Migration Tool' is referenced in documentation as being 'Upgrade Tools'

Spent way too long puzzling through the wrong tool. The documentation references the required tool as being 'Upgrade Tools':

- Upgrading Multi-Domain Servers in High Availability from R80.20, R80.10, and lower
- Upgrading Multi-Domain Servers in High Availability from R80.20, R80.10, and lower with Migration
- Upgrading a Dedicated SmartEvent Server
- Upgrading a Dedicated SmartEvent Server from R80.20, R80.10, and lower with Migration
- R80.30 Home Page

The tool I wasted time with was the 'Upgrade Tools package', instead of the 'R80.30 Management Server Migration Tool'.

License management via SmartUpdate is again problematic, use CLI

Running SmartUpdate (connect to domain, menu and then 'manage licenses and packages') reveals every vSec license being attached to the gateway within the domain, for each domain.

The CLI method is ultimately faster and more reliable:

- Connect to the primary MDS server and obtain the relevant CMA IP address by running 'mdsstat'
- Switch to the domain by running mdsenv x.x.x.x
- Remove expiring or expired licenses by getting the signature and then removing it:

    cplic print -x
    cplic del <signature>

- Import the new license, eg cplic put -l <file.lic>
- Assign available licenses to gateways: vsec_central_license

Regards
David Herselman
kfirash inside General Management Topics yesterday

Proxy ARP on Checkpoint R80.10

Hi,

After upgrading our gateways and management to R80.10 we started facing a weird problem. The gateway doesn't send an ARP reply to the router and we have to configure proxy-arp manually on Gaia. I wonder if it's related only to the version itself or if there is any configuration or hotfix that can solve this issue. We don't use Automatic NAT for the network; we are using static NAT for specific external resources and hide NAT for the LAN group.

    Enable Check Point ClusterXL for Bridge Active/Standby...
    ==========================================================
    Check Point ClusterXL for Bridge Active/Standby is currently disabled.
paulastya inside General Management Topics yesterday

Upgrading the Checkpoint VSX cluster (VSLS) from R77.30 to R80.10 with Clean install

We are going to upgrade the Check Point VSX Cluster from R77.30 to R80.10 with a clean install on 13500 appliances. The Management Server is already upgraded to R80.20. My question is: can we do the clean installation of the VSX cluster using CPUSE?

While checking the documentation I found the following, for R75.40, R75.45, R75.46, R75.47, R75.40VS, R76, R77, R77.10, R77.20, R77.30 to R80.10:

    Component                    Supported Methods
    Security Management Server   CPUSE Upgrade
                                 CPUSE Clean Install
                                 Advanced Database Migration
    Multi-Domain Server
    Security Gateway             CPUSE Upgrade
                                 CPUSE Clean Install
    VSX                          CPUSE Upgrade (from R77 only)
                                 Earlier versions: Use instructions in sk101518
    CloudGuard Controller        CPUSE Upgrade (from R77.30 only)

So, the documentation says that a CPUSE upgrade is possible but is not clear about a clean installation.

Network Group locked for deletion

Hi Guys,

An API script adding new hosts and then editing a group object has broken for some reason. The session was disconnected but not discarded, so it seems that has locked the group and I'm not able to publish or discard the locked changes anymore. The following script didn't help:

    #!/bin/bash
    # log in locally as root on the management server and save the session id
    mgmt_cli login -r true > id.txt
    # uid of our own session, so it is not discarded below (-r strips jq's quotes)
    current_sid=$(mgmt_cli show session -s id.txt -f json | $CPDIR/jq/jq -r .uid)
    # discard every other WEB_API session
    for sid in $(mgmt_cli -s id.txt show sessions details-level full -f json \
        | $CPDIR/jq/jq -r '.objects[] | select(.["application"] | contains("WEB_API")) | .uid' \
        | grep -v "${current_sid}"); do
        mgmt_cli discard uid "${sid}" -s id.txt
    done
    mgmt_cli logout -s id.txt

Would anyone please advise on that? I've attached the locked object and the session list.
sukrui inside General Management Topics Wednesday

Power supply status dummy

I have a 5600 appliance which has two power supplies. When I look with the command below, it says "Dummy" for both of them. What can I do about that?

    [Expert@Gateway:0]# cpstat os -f power_supply
    Power Supply
    --------------
    |Index|Status|
    --------------
    |    1|Dummy |
    |    2|Dummy |
    --------------
Jerry inside General Management Topics Wednesday

Logs Indexing Error (R80.30) SmartLog

What do you think, folks? Having that since the upgrade (last weekend)... any idea how to fix that?
Jesus_Cano inside General Management Topics Wednesday

Smart1-210 maximum memory RAM

Hi,

We have a Smart1-210 with the default RAM (8GB). It has 2 slots (4+4). What's the maximum memory capacity for this appliance? We need to increase memory to upgrade to R80.x. Does this appliance support 16GB? 24GB?

Admin Not to be Blocked in Case of DOS

Hi,

I am running a Compliance Check on all of my Check Point firewalls. I am running R77.30 on all appliances (Management + Gateway). I would like to know if there is any way to set up "Admin" not to be blocked in case of a DoS.

How to specify a Session Name and Description in a mgmt_cli publish

I can't seem to find the syntax anywhere for adding a session name and description so that I can publish from the CLI. Any help would be appreciated.

    mgmt_cli publish -s id.txt
    ---------------------------------------------
    Time: [18:46:50] 20/8/2019
    ---------------------------------------------
    "Publish operation" failed (100%)
    tasks:
    - task-id: "01234567-89ab-cdef-b80c-135154317141"
      task-name: "Publish operation"
      status: "failed"
      progress-percentage: 100
      suppressed: false
      task-details:
      - fault-message: "Publish cannot be performed without entering a session name and description."
inside General Management Topics Tuesday

R80.x Training Videos

These videos were recorded originally for our partners by Jim Oqvist, but CheckMates members can now access this exclusive content!

Please note that Ravello blueprints have been discontinued and are no longer available. Most of the labs can be done with the Cloud Demo Mode in R80.x SmartConsole.

Introduction                                                       Duration
  R80 Management Training Introduction                             00:03:07

Module 1: Introduction to Security Management
  R80 Management Training Lesson 1 - Big Picture                   00:38:50
  R80 Management Training Lesson 2 - Installation                  00:33:30
  R80 Management Training Lesson 3 - SmartConsole                  00:46:50

Module 2: Enhance the Way You Manage Policies
  R80 Management Training Lesson 4 - Access Control                00:46:30
  R80 Management Training Lesson 5 - Threat Prevention Policy      00:30:00
  R80 Management Training Lesson 6 - Management API                00:45:45
  R80 Management Training Lesson 7 - Logs & Monitoring             00:35:35

Module 3: Multi-Domain Management and Migration to R80
  R80 Management Training Lesson 8 - MDSM                          00:15:00
  R80 Management Training Lesson 9 - Migration                     00:13:15
Rafael_Lima1 inside General Management Topics Tuesday

Legitimate traffic being blocked - R80.20

After migration to R80.20 we are having legitimate traffic being blocked. Filtering via "fw ctl zdebug drop", we receive the following log:

    @;2731325746;[cpu_9];[fw4_2];fw_log_drop_ex: Packet proto=6 x.x.x.x:45242 -> y.y.y.y:443 dropped by fwmultik_process_f2p_cookie_inner Reason: PSL Drop: internal - reject enabled

We opened an SR and they passed us sk33328, which was done but did not work; we still have connection problems sometimes. The traffic is from an Apache server to an nginx server, TCP/443. Has anyone else gone through this and could help?

SSH Version Check

Hello,

I am new to Check Point and I would like to know how I can check which SSH version is configured on the Check Point devices. Currently I have VSX clusters running R75.40VS and R77.30. Usually, if I want to check the SSH version, I can change the SSH protocol version in PuTTY to 1 and try to log in to the VSX device. But if I want to check which SSH version is allowed on the VSX devices, how can I do that? Also, if I want to configure SSH version 1 on the VSX device, how can I do that?

Your help would be much appreciated.

Updating to R80.20 Jumbo Hotfix Take 87 loses SSH capability

When I updated the management server to R80.20 Jumbo Hotfix Accumulator General Availability (Take 87), I lost the ability to SSH to the management server. I can get to the SSH login, but as soon as I enter the "login as:" credential, it immediately closes the PuTTY session. Please keep in mind that this environment is in AWS and requires a ppk file (PuTTY-generated private key from a pem file) in order to access the SSH session. Is there some kind of error with a known hosts file with PuTTY sessions or some other issue that I am running into? The session drops after this and never enters the CLI prompt:

PDP/PEP Identity Sharing Not In Sync?

I will likely open a TAC case on this, but we noticed today that one GW using identity sharing seems to not be fully in sync with the PDP. For example, if I run pep show user all | grep <username> on the PDP, I am able to see a record existing for that user. However, when I go to the GW acting as the PEP, the same command returns no entries. It seems completely random as to the users impacted, but it is definitely stopping some App Control rules from working!

I've tried using pdp update all and pdp control sync to try to force updates. I have also tried pushing policy again to both GWs. Has anyone else ever seen this? Are there any other commands or troubleshooting recommended before possibly engaging TAC?

From the PDP Gateway:

    pep show pdp all
    Command: root->show->pdp->all
    -----------------------------------------------------------------------
    | Direction | IP | ID | Status    | Users | Connect time      |
    -----------------------------------------------------------------------
    | Incoming  |    | 0  | Connected | 460   | 21Feb2019 6:16:33 |
    -----------------------------------------------------------------------

From the PEP Gateway with Identity Sharing enabled to sync identities with the GW above:

    pep show pdp all
    Command: root->show->pdp->all
    -------------------------------------------------------------------------
    | Direction | IP           | ID | Status    | Users | Connect time     |
    -------------------------------------------------------------------------
    | Incoming  | IP OF PDP GW | 0  | Connected | 391   | 8Apr2019 5:25:44 |
    -------------------------------------------------------------------------
    | Incoming  |              | 0  | Connected | 0     | 8Apr2019 5:16:48 |
    -------------------------------------------------------------------------
    | Outgoing  | IP OF PDP GW | 0  | Connected | N/A   | 8Apr2019 5:17:08 |
    -------------------------------------------------------------------------