cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post
General Management Topics

This space is the place to ask questions about Check Point's Security Management Appliances, Security Compliance, Upgrading your Security Management to R80.x, and more!

Poul_Erik_Overg
Poul_Erik_Overg inside General Management Topics 7 hours ago
views 3173 9 1

vpn r80.20 vsx

I face a situation in a VSX R80.20 environment, where IPsec ESP traffic are send to the broadcast MAC instead of the HSRP multicast MAC of the the adjacent routers.The VPN tunnel is established and other IPsec ESP traffic between the same two VPN terminating gateways are send correctly. 14:40:23.536514 00:12:c1:60:60:08 ^ Broadcast, ethertype IPv4 (0x0800), length 134: 195.245.193.10 ^ 14.140.181.162: ESP(spi=0x2a89b0a5,seq=0x1), length 100 14:40:31.365572 00#:12:c1:60:60:08 ^ Broadcast, ethertype IPv4 (0x0800), length 134: 195.245.193.10 ^ 14.140.181.162: ESP(spi=0x2a89b0a5,seq=0x2), length 100 14:40:31.366350 00:12:c1:60:60:08 ^ Broadcast, ethertype IPv4 (0x0800), length 134: 195.245.193.10 ^ 14.140.181.162: ESP(spi=0x2a89b0a5,seq=0x3), length 100 14:40:31.549969 00:12:c1:60:60:08 ^ Broadcast, ethertype IPv4 (0x0800), length 134: 195.245.193.10 ^ 14.140.181.162: ESP(spi=0x2a89b0a5,seq=0x4), length 100 Any thoughts?
Kaspars_Zibarts
Kaspars_Zibarts inside General Management Topics 9 hours ago
views 3044 12 2

64 bit kernel on R80.10 VSX gateway

Just curious if someone has upgraded / installed VSX on R80.10. Checkpoint has long insisted that each VS will have 64 bit kernel meaning much desired increase in concurrent connections.I looked at my box in staging are and it still shows 4GB memory on a VS!This is not freshly built VSX but vsx_util upgraded and config pushed out from mgmt, so I wonder if someone has done fresh build or can shed some light on this?
Tobias_Moritz
Tobias_Moritz inside General Management Topics 10 hours ago
views 377 4

TCP start timeout per gateway / service - override global properies

Hello community,there are various timeouts set for the firewall state machine in global properties of the management domain.TCP startTCP sessionTCP endUDP virtual sessionICMP virtual sessionOther IP virtual sessionSCTP startSCTP sessionSCTP endI know that we can override the session timeouts for TCP, UDP, ICMP, other IP and SCTP by modifying the advanced properties of the service object used in the relevant firewall rule.I have a specific usecase, where I want to override the TCP start timeout, without changing it for all gateways in this management domain. Override per gateway would be nice, override per service object even better.As far as I know, this is not possible. Am I right with that? Does anyone know a way to do so?R80.30 T200 Jumbo HFA T50Thank you for your thoughts!
Matthew_Forbes
Matthew_Forbes inside General Management Topics 13 hours ago
views 93 2

Clearing disk space

We currently use R77.30.03 purely for hard drive and media encryption.  Currently we are having issues with /var/log at 100%. Drilling down I can see that /var/log/opt/CPrt-R77/events_db/data9.2/ is using 49G of disk space.  What I really need to know is can I safely delete stuff from here without causing massive damage, or do I need to raise a support case? We also have /var/log/opt/CPrt-R77/events_db/data/  which is sitting at 1.8G and I'm not sure if there is a duplication of folders. Any advice please let me know. Thanks
HristoGrigorov
HristoGrigorov inside General Management Topics yesterday
views 99 2 2

SmartConsole update torture

Until what century am I going to see this message? 😄      

View logs of Cluster switch over

Hello,Where can I see logs about the Cluster XL switch over ? To see the reason why it happened.
Alex_Wu
Alex_Wu inside General Management Topics yesterday
views 3668 23

CPM is not running

Just upgraded R80.10 to R80.20, found...CPM is not running.[Expert@SmartCenter:0]# $MDS_FWDIR/scripts/server_status.shChecking server status. Please wait...17:10:03,889 INFO com.checkpoint.management.cpm.Cpm.enableLocalSic:143 [main] - Enabling local sic. Setting cp.ssl_local.certificate.chec k=locallog4j:ERROR setFile(null,true) call failed.java.io.FileNotFoundException: /opt/CPsuite-R80.20/fw1/log/cpm.elg (No such file or directory) at java.io.FileOutputStream.open0(Native Method) at java.io.FileOutputStream.open(FileOutputStream.java:286) at java.io.FileOutputStream.<init>(FileOutputStream.java:226) at java.io.FileOutputStream.<init>(FileOutputStream.java:144) at org.apache.log4j.FileAppender.setFile(FileAppender.java:290) at org.apache.log4j.RollingFileAppender.setFile(RollingFileAppender.java:194) at org.apache.log4j.FileAppender.activateOptions(FileAppender.java:164) at org.apache.log4j.config.PropertySetter.activate(PropertySetter.java:257) at org.apache.log4j.config.PropertySetter.setProperties(PropertySetter.java:133) at org.apache.log4j.config.PropertySetter.setProperties(PropertySetter.java:97) at org.apache.log4j.PropertyConfigurator.parseAppender(PropertyConfigurator.java:689) at org.apache.log4j.PropertyConfigurator.parseCategory(PropertyConfigurator.java:647) at org.apache.log4j.PropertyConfigurator.configureRootCategory(PropertyConfigurator.java:544) at org.apache.log4j.PropertyConfigurator.doConfigure(PropertyConfigurator.java:440) at org.apache.log4j.PropertyConfigurator.doConfigure(PropertyConfigurator.java:334) at org.apache.log4j.PropertyWatchdog.doOnChange(PropertyConfigurator.java:717) at org.apache.log4j.helpers.FileWatchdog.checkAndConfigure(FileWatchdog.java:89) at org.apache.log4j.helpers.FileWatchdog.<init>(FileWatchdog.java:58) at org.apache.log4j.PropertyWatchdog.<init>(PropertyConfigurator.java:709) at org.apache.log4j.PropertyConfigurator.configureAndWatch(PropertyConfigurator.java:400) at com.checkpoint.infrastructure.logging.TdLogConfig.setTdLogConfigFilePath(TdLogConfig.java:15) at com.checkpoint.management.cpm.Cpm.setTdLogConfigFile(Cpm.java:84) at com.checkpoint.management.cpm.Cpm.main(Cpm.java:110)log4j:ERROR setFile(null,true) call failed.java.io.FileNotFoundException: /opt/CPsuite-R80.20/fw1/log/install_policy.elg (No such file or directory) at java.io.FileOutputStream.open(FileOutputStream.java:286) at java.io.FileOutputStream.<init>(FileOutputStream.java:226) at java.io.FileOutputStream.<init>(FileOutputStream.java:144) at org.apache.log4j.FileAppender.setFile(FileAppender.java:290) at org.apache.log4j.RollingFileAppender.setFile(RollingFileAppender.java:194) at org.apache.log4j.FileAppender.activateOptions(FileAppender.java:164) at org.apache.log4j.config.PropertySetter.activate(PropertySetter.java:257) at org.apache.log4j.config.PropertySetter.setProperties(PropertySetter.java:133) at org.apache.log4j.config.PropertySetter.setProperties(PropertySetter.java:97) at org.apache.log4j.PropertyConfigurator.parseAppender(PropertyConfigurator.java:689) at org.apache.log4j.PropertyConfigurator.parseCategory(PropertyConfigurator.java:647) at org.apache.log4j.PropertyConfigurator.parseCatsAndRenderers(PropertyConfigurator.java:568) at org.apache.log4j.PropertyConfigurator.doConfigure(PropertyConfigurator.java:442) at org.apache.log4j.PropertyConfigurator.doConfigure(PropertyConfigurator.java:334) at org.apache.log4j.PropertyWatchdog.doOnChange(PropertyConfigurator.java:717) at org.apache.log4j.helpers.FileWatchdog.checkAndConfigure(FileWatchdog.java:89) at org.apache.log4j.helpers.FileWatchdog.<init>(FileWatchdog.java:58) at org.apache.log4j.PropertyWatchdog.<init>(PropertyConfigurator.java:709) at org.apache.log4j.PropertyConfigurator.configureAndWatch(PropertyConfigurator.java:400) at com.checkpoint.infrastructure.logging.TdLogConfig.setTdLogConfigFilePath(TdLogConfig.java:15) at com.checkpoint.management.cpm.Cpm.setTdLogConfigFile(Cpm.java:84) at com.checkpoint.management.cpm.Cpm.main(Cpm.java:110)log4j:ERROR setFile(null,true) call failed.java.io.FileNotFoundException: /opt/CPsuite-R80.20/fw1/log/dbsync.elg (No such file or directory) at java.io.FileOutputStream.open(FileOutputStream.java:286) at java.io.FileOutputStream.<init>(FileOutputStream.java:226) at java.io.FileOutputStream.<init>(FileOutputStream.java:144) at org.apache.log4j.FileAppender.setFile(FileAppender.java:290) at org.apache.log4j.RollingFileAppender.setFile(RollingFileAppender.java:194) at org.apache.log4j.FileAppender.activateOptions(FileAppender.java:164) at org.apache.log4j.config.PropertySetter.activate(PropertySetter.java:257) at org.apache.log4j.config.PropertySetter.setProperties(PropertySetter.java:133) at org.apache.log4j.config.PropertySetter.setProperties(PropertySetter.java:97) at org.apache.log4j.PropertyConfigurator.parseAppender(PropertyConfigurator.java:689) at org.apache.log4j.PropertyConfigurator.parseCategory(PropertyConfigurator.java:647) at org.apache.log4j.PropertyConfigurator.parseCatsAndRenderers(PropertyConfigurator.java:568) at org.apache.log4j.PropertyConfigurator.doConfigure(PropertyConfigurator.java:442) at org.apache.log4j.PropertyConfigurator.doConfigure(PropertyConfigurator.java:334) at org.apache.log4j.PropertyWatchdog.doOnChange(PropertyConfigurator.java:717) at org.apache.log4j.helpers.FileWatchdog.checkAndConfigure(FileWatchdog.java:89) at org.apache.log4j.helpers.FileWatchdog.<init>(FileWatchdog.java:58) at org.apache.log4j.PropertyWatchdog.<init>(PropertyConfigurator.java:709) at org.apache.log4j.PropertyConfigurator.configureAndWatch(PropertyConfigurator.java:400) at com.checkpoint.infrastructure.logging.TdLogConfig.setTdLogConfigFilePath(TdLogConfig.java:15) at com.checkpoint.management.cpm.Cpm.setTdLogConfigFile(Cpm.java:84) at com.checkpoint.management.cpm.Cpm.main(Cpm.java:110)log4j:ERROR setFile(null,true) call failed.java.io.FileNotFoundException: /opt/CPsuite-R80.20/fw1/log/install_policy.elg (No such file or directory) at java.io.FileOutputStream.open(FileOutputStream.java:286) at java.io.FileOutputStream.<init>(FileOutputStream.java:226) at java.io.FileOutputStream.<init>(FileOutputStream.java:144) at org.apache.log4j.FileAppender.setFile(FileAppender.java:290) at org.apache.log4j.RollingFileAppender.setFile(RollingFileAppender.java:194) at org.apache.log4j.FileAppender.activateOptions(FileAppender.java:164) at org.apache.log4j.config.PropertySetter.activate(PropertySetter.java:257) at org.apache.log4j.config.PropertySetter.setProperties(PropertySetter.java:133) at org.apache.log4j.config.PropertySetter.setProperties(PropertySetter.java:97) at org.apache.log4j.PropertyConfigurator.parseAppender(PropertyConfigurator.java:689) at org.apache.log4j.PropertyConfigurator.parseCategory(PropertyConfigurator.java:647) at org.apache.log4j.PropertyConfigurator.parseCatsAndRenderers(PropertyConfigurator.java:568) at org.apache.log4j.PropertyConfigurator.doConfigure(PropertyConfigurator.java:442) at org.apache.log4j.PropertyConfigurator.doConfigure(PropertyConfigurator.java:334) at org.apache.log4j.PropertyWatchdog.doOnChange(PropertyConfigurator.java:717) at org.apache.log4j.helpers.FileWatchdog.checkAndConfigure(FileWatchdog.java:89) at org.apache.log4j.helpers.FileWatchdog.<init>(FileWatchdog.java:58) at org.apache.log4j.PropertyWatchdog.<init>(PropertyConfigurator.java:709) at org.apache.log4j.PropertyConfigurator.configureAndWatch(PropertyConfigurator.java:400) at com.checkpoint.infrastructure.logging.TdLogConfig.setTdLogConfigFilePath(TdLogConfig.java:15) at com.checkpoint.management.cpm.Cpm.setTdLogConfigFile(Cpm.java:84) at com.checkpoint.management.cpm.Cpm.main(Cpm.java:110)Failed to check status, cpm server is probably down[Expert@SmartCenter:0]#

Management Server High-CPU post upgrade to R80.30 from R80.10

About a month ago, I upgrade my Smart-1 410 model Management Server from R80.10 to R80.30 and installed Take 50 immediately. I did an upgrade, not a clean install. I had a few issues with high CPU and contacted support and we ended up installing Take 76 on my management server to address a high-CPU issue with Java. This seems to have corrected the high-CPU from Java issue. I still had high-CPU from postgres processes. After a few hours, those settled down and it operated normally the rest of the week. On Saturday, I had the processors spike to near-100% and stay that way until late Monday/early Tuesday and then it cleared up again. It was the postgres processes that were consuming the processor. While observing it, postgres process consume the processor for about 45 minutes out of every hour with a break of about 15 minutes. This is enough to have my Indeni monitoring put the management server into cooldown and start monitoring it again only to have it spike while in cool down and therefore Indeni stops its normal interrogation and limits it to only CPU and Memory monitoring. I have tried to address this with support and they don't have any further guidance for me thus far. This is the third weekend since my upgrade where this process has happened.This screams of some scheduled process that is running that takes high-CPU, but I don't know what it might be. I may have just reached the end of the cycle for this week as it has been almost 20 minutes since the CPU stopped being high this time. But it generally has been 2-3 days of mostly high-CPU on my management server starting sometime on Saturday.Thank you for any guidance or assistance in what I should check to figure out what is causing this high-CPU condition each week.
prisciltetchou
prisciltetchou inside General Management Topics yesterday
views 214 7

issue when generating trying to generate a candidate list with CDT

Hello All,  Please I need help to use CDT. I installed it on our SMS but I cannot generate a candidate list in basic mode. I typed the command: ./CentralDeploymentTool -generate testgen.csv IP_SMSThe only modification I made in the CentralDeploymentTool.xml file is my Email address that I added. see below the log: Thu Nov 14 10:32:52 2019 *D*: Split /opt/CPcdt/CentralDeploymentTool to filename CentralDeploymentTool , directory /opt/CPcdt/ Thu Nov 14 10:32:52 2019 *E*: The SendTo setting in the CentralDeploymentTool.xml file is not empty, but an email server is not configured in Gaia. Notification email will not be sent. Thu Nov 14 10:32:53 2019 *D*: CPUSE RPM build: 1809 Thu Nov 14 10:32:53 2019 *D*: CDT process started (entered init) with these command line arguments: Thu Nov 14 10:32:53 2019 *D*: Split /opt/CPcdt/CentralDeploymentTool to filename CentralDeploymentTool , directory /opt/CPcdt/ Thu Nov 14 10:32:53 2019 *D*: Executable directory: /opt/CPcdt/ Thu Nov 14 10:32:53 2019 *D*: 0: ./CentralDeploymentTool Thu Nov 14 10:32:53 2019 *D*: 1: -generate Thu Nov 14 10:32:53 2019 *D*: 2: testgen.csv Thu Nov 14 10:32:53 2019 *D*: 3: 10.224.6.43 Thu Nov 14 10:32:53 2019 *D*: CDT started with these configurations: Logger file level: 0 Screen file level: 1 Syslog level: 999 DA path: /sysimg/CPwrapper/linux/CPda/CPda-00-00.i386.rpm Max parallel remote operations: 5 Max machines in batch: -1 Last time to start a new batch: 31/12/2099 23:59 PerformCUUpgrade: 1 Restore original state: 0 Mail address: priscille.tetchou-tchonta@sogeti.com Thu Nov 14 10:32:53 2019 *A*: Central Deployment Tool (version 1.7 build #990180531) Thu Nov 14 10:32:53 2019 *A*: ====================================================== Thu Nov 14 10:32:53 2019 *A*: Current execution logs are in: /var/log/CPcdt/logs_2019-11-14-10-32-52/ Thu Nov 14 10:32:53 2019 *D*: The configured time zone is: CET Thu Nov 14 10:32:53 2019 *D*: Command Summary: Command = /bin/dbget snap:show:current:version Return code = 0 Output = R80.20 Thu Nov 14 10:32:53 2019 *D*: currentOSVersion=R80.20 Thu Nov 14 10:32:53 2019 *D*: CurrentBuild= 1809 MinimumDaBuildNumber= 1271 MaximumDaBuildNumber= -1 Thu Nov 14 10:32:53 2019 *D*: Starting parse arguments for deployment plan execution mode. Thu Nov 14 10:32:53 2019 *E*: Enter the deployment plan file path and try again. Thu Nov 14 10:32:53 2019 *N*: Total execution time: 0 hours 0 minutes 1 seconds Thu Nov 14 10:32:53 2019 *D*: CDT process ending with return code 108 Thu Nov 14 10:32:53 2019 *D*: Running /sbin/pidof CentralDeploymentTool Thu Nov 14 10:32:53 2019 *D*: Command Summary: Command = /sbin/pidof CentralDeploymentTool Return code = 0 Output = 16488 Thu Nov 14 10:32:53 2019 *D*: Split /opt/CPcdt/CentralDeploymentTool to filename CentralDeploymentTool , directory /opt/CPcdt/ Help please!!

Setup CheckPoint Security Management R80.30 on HP DL360 Gen 10

Dear all,I have a server HP DL360 Gen 10 but i cannot setup CheckPoint Security Management R80.30 on it.I use usb some vendor(kingston,adata) and DVD driver but cannot setup in Intelligent Provisioning mode of server.And when i setup by bios follow step of check point, it is not toolink : https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk108200Every one have exp with HP GEN 10 DL360 ? Thank you, 
Mark_Layton
Mark_Layton inside General Management Topics Friday
views 183 1 1

SMS log backup / archiving script?

Howdy All - we need to:archive our SMS logs for at least one yearneed to backup SMS logs daily to support a failureWe have about 20 GB a day of logs and growing, on a physical SMS server. This is similar to the direction that we have been doing:https://www.cpug.org/forums/archive/index.php/t-6952.html But want to know - Is there a better way to compress the files? Like 7zip or RAR? Gzip's compression was much larger in comparison. I see in 80.30 you can use xz which is better. I don't suspect there is a way to install 3rd party app?But really, more generally, how are others doing their SMS log compressing, backup, and archiving?  
pnorman821
pnorman821 inside General Management Topics Thursday
views 152 6

Promoting a secondary SC to be the primary SC

Hi All,I am trying to run through a process to promote the secondary SC server to be the primary SC server in the MGMT HA cluster. This is R80.20 Take 103 on both members.I have just started the process and have encountered a question/issue:[Expert@[hostname_of_sec_mgmt_server]:0]# cd $FWDIR/bin[Expert@[hostname_of_sec_mgmt_server]:0]# ./promote_utilBinding to localhost...DoneOpening database... Failed to open database in R/W mode (Management Server is not active)Is the above an expected response or is it something that needs to be fixed before continuing?I know that this is the standby mgmt server in the cluster, later on in the process it asks you to make it the the primaryThe procedure  is from the R80 Security Mgmt Administration GuideThanks, Paul Norman
Don_Paterson
Don_Paterson inside General Management Topics Thursday
views 14606 19 6

NAT Templates - SecureXL

Is it recommended to turn NAT Templates on?Why is it not on by default?[Expert@GW:0]# fwaccel statAccelerator Status : onAccept Templates : enabledDrop Templates : disabledNAT Templates : enabledNMR Templates : enabledNMT Templates : enabled

Single Management Server?

I am building out a test environment right now and have a question, can a single server act as both the management server and the Endpoint management server?  I built a VM of R80.20 and both the SmartConsole and Endpoint Console work (after enabling Endpoint blade).  Here is why I am asking, I am looking to deploy Endpoint soon, no firewall or VPN yet.  Eventually I will be adding 3 gateways and VPN access.  Do I need a stand alone management server or will the combined MGMT/Endpoint server work?  I realize this is not the best for redundancy, but I work at a very small company.  Thanks for the help.  Greg
Muhammad_Patel
Muhammad_Patel inside General Management Topics a week ago
views 839 8

Moving Full HA R77.30 to R80.30 distributed on new gateways and open server management

Hi Community,One of my clients currently has a Full HA environment running R77.30 on 4600 appliances. They have now purchased two 5100 appliances and a single open server to migrate from the full HA environment to the distributed environment on R80.30.Has anyone got experience with this or a recommended method? I was thinking to do a migrate export/import however would this also pull the gateway configuration given the HA setup or not? If it doesn't pull the gateway configuration then I guess I could use this export to get the new management server up and running. Then extract the clish configuration from the 4600 appliances relating to the gateways specifically to build the new 5100 gateways?Also they have a 3200 standalone appliance on R77.30 which also needs to be upgraded to R80.30, anyone know if they operate okay on R80.30 as standalone. Thanks in advance..