Daniel_Morin inside General Management Topics 4 hours ago
views 85 1

Changing IP address of Standalone 80.10 appliance

We have a standalone appliance running 80.10. We need to change the management IP.

I came across a previous inquiry post, but the system in that case was running 77.30 and it turned out they were only wanting to change the IP of an interface that isn't tied to the Security Management.

I did go over sk40993 "How to change the IP Address of a Security Management" but that seems to assume that the Security Management is a separate server with its own IP.

In my case there's only one object related to the appliance. If I change the IP of the object to the new IP, then SmartConsole is unable to push the policy as it then loses connection to the gateway side of the appliance.

If I then change the management IP in Gaia, then I lose the SmartConsole connection. If I then try to reconnect SmartConsole to the appliance, it won't connect. It is as if the Security Management is still using the original IP.

I assume cpstop/cpstart restarts the Security Management server ("api status" seems to show this to be the case) but that doesn't seem to have the Security Management server in the standalone start using the new IP.

If I go back to Gaia and change the IP back to the original IP, then I can reconnect SmartConsole to the Security Management.

I looked into sk103356 but there's no ICAip in the registry, nor was I able to find any IP reference in said registry.

Once I get SmartConsole to be able to connect to the new IP and show connection to the gateway, I can handle any other IP related changes.

Originally when I changed the IP from the appliance front panel, I would get locked out of Gaia completely, as the policy wasn't allowing connections to the new IP. I added an object with the new IP to allow the connection so with either IP configured, I can at least connect to Gaia.

How do I fix this short of running the First Time Configuration again?
Bill_Ng inside General Management Topics 8 hours ago
views 40 3

Network interface / topology information

Anyone know of a good way to get gateway (physical and vsx) interface and IP information into a report? Would like to have a quick reference guide for this information instead of having to click into each gateway and jotting it down. Basically a script or something to be run to gather the info.
Vladimir inside General Management Topics 13 hours ago
views 14272 23 5

Problem accessing standby cluster member from non-local network

Log shows accepted traffic on SSH and 443, cluster members connected to number of Cisco switches with VLANs in L2 mode. No problem accessing both members from connected network. vMAC in the cluster object IS ENABLED. Any suggestions will be appreciated. Thank you.
Sundar_Ramanath inside General Management Topics yesterday
views 2382 15 2

R80.10 Gateways drops traffic after policy Install

Having issues with R80.10 gateways, which are dropping traffic after a policy install. Re-installing the policy again brings everything back to normal. Issue specific to R80.10 gateways, have R77.30's which are working fine. Appreciate any inputs in troubleshooting this further. Thanks
esinos inside General Management Topics yesterday
views 62 1

Anti Malware Blade - Log Definitions

Hello,

Checkpoint Anti Malware blade logs some reasons. As far as I understood, these logs mean that anti malware could not process the traffic, and because action is "accept" we need to manually control (or rely on other security products) if this traffic is malicious or not?

Could you please share the list of these reasons and definitions?

Example log:

<13>Sep 18 09:19:58 18Sep2019 09:19:58 accept x.x.x.x product: Anti Malware; src: y.y.y.y; s_port: 58780; dst: z.z.z.z; service: 25; proto: tcp; rule: ;LastUpdateTime: 1568787659;Suppressed logs: 1;__policy_id_tag: product=VPN-1 & FireWall-1[db_tag={.............};mgmt=xxxxxx;date=1568709586;policy_name=xxxxxxxxx];has_accounting: 0;i/f_dir: outbound;i/f_name: eth2-03;is_first_for_luuid: 0;logId: -1;log_id: 2;log_sequence_num: 59;log_type: log;log_version: 5;origin_sic_name: CN=xxxxxxxxxxxxxxxx-fw,O=xxxxxxxxxxxxxx..nmyete;reason: Mail processing timeout;received_bytes: 691;sent_bytes: 0;session_id: ;severity: 1;

Some of Anti malware reasons:
- Mail processing timeout
- CFCHttpClient::ReadResponse() - Request timeout
- Connection to center failed: Internal Server Error
lucafabbri365 inside General Management Topics Wednesday
views 402 19 1

Windows Update Services with HTTPS inspection enabled

Hello,

we are having issues accessing Windows Update with HTTPS Inspection enabled (Check Point R80.20 with Take 87) and "Bypass HTTPS inspection of traffic to well-known software update services" option checked. If, from browser, I try to surf to, instead of getting "403 - Forbidden: Access is denied.", I get the "ERR_CONNECTION_RESET" error.

Any advice? Thank you,
Luca
Alex_Shpilman inside General Management Topics Wednesday
views 5272 13

Management R80.20 instability

Since upgrading the management from R80.10 to R80.20 in one of my customers, we had constant instability. This got escalated after applying HFA33, this week I had to open 4-5 cases about different issues. The logging from secure gateways dropped every couple minutes, due to incorrect calculation of available disk space, newly added log servers don't appear in "logs & monitor" tab and are not pushed to the DB, one CloudGuard gateway lost its license, Smart Console was crashing every 10 min. After applying HFA43 today most of the issues resolved. I gave up on the new vsec license pool and came back to the old but working vsec licensing method.

Did anyone experience something like this with R80.20? I am now concerned about our other R80.20 deployments.

Migration of a physical remote management server and gateways to a local one with VSX

Greetings everyone, and good day.

I am planning to migrate a remote management server, with 2 gateways in a VRRP cluster running version R80.20, to a local existing infrastructure, in order for it to be centralized. This infrastructure was migrated previously from an R75.47 version, and has different VLANS and routing.

The local infrastructure is running R80.10 with a few VSX clusters and the relative virtual systems. There is also a dedicated log server running also R80.10.

I have an idea on how to perform this migration, but I am looking for corrections and/or validation of the steps I planned, in order to do this properly. I hope this also helps somebody else in my situation.

1 - Upgrade of the local management server to R80.20:
  a. Snapshot of the management server (SK108902)
  b. Upgrade of the CPUSE package to the latest release (SK92449)
  c. Upgrade of the management server to R80.20 through CPUSE (SK92449)
  d. Test policy installation
  e. Installation of the latest jumbo hotfix package for R80.20 (SK137592)
  f. Repeat steps A through E for the dedicated log server

2 - Migrate objects and policy package to the local management server:
  a. Export the remote management server objects through "migrate export" utility (Youtube)
  b. Import the remote objects to the local management server through "migrate import" utility (Youtube)
  c. Export the remote policy package from the remote management server through these tools
  d. Import the remote policy package to the local management server
  e. Verify correct import

3 - Creation of a new VSX gateway on the local server
  a. Create a new virtual machine or appliance acting as VSX gateway
  b. Create new cluster containing the 2 virtual systems (The IP for the local VSs should be the same as the remote ones)

4 - Integration of the remote gateways in the local infrastructure
  a. Reset the SIC of the remote BACKUP gateway and create a new PSK via cpconfig
  b. Turn off the local interfaces on the underlying switch except for the management
  c. Create SIC on the local management server
  d. Policy installation (Begin disservice)
  e. CPSTOP on the ACTIVE gateway
  f. Turn on local interfaces on the switch for the gateway connected to the local management (Stop disservice)
  g. Repeat steps A-D for the remaining gateway

I'd be most appreciative for any inputs or thoughts you might have on this approach. Thanks in advance for your help.
Rahul_Borah inside General Management Topics Wednesday
views 61 1

Trend micro DDI Integration with checkpoint

Hi Expert,

My client wants to integrate Trend micro DDI with the checkpoint. My concern: is there any impact on performance in Checkpoint if Trend micro DDI integrates with the checkpoint?

Regards,
Rahul

R80.10 to R80.30 Management Server Upgrade

I'm going to be upgrading my management server from R80.10 to R80.30 soon. I know an advanced upgrade to a new server is recommended for the new kernel and file system. I guess I'm just curious how many people are upgrading to R80.30 like that. I've heard from a few other Check Point admins that are just doing in place upgrades. I guess my question is, is it worth the effort to migrate to a new VM in my case?

PDP/PEP Identity Sharing Not In Sync?

I will likely open a TAC case on this, but we noticed today that one GW using identity sharing today seems to not be fully in sync with the PDP. For example, if I run pep show user all |grep <username> on the PDP, I am able to see a record existing for that user. However, when I go to the GW acting as the PEP, the same command returns no entries. It seems completely random as to the users impacted, but it is definitely messing with some App Control rules from working!

I've tried using pdp update all and pdp control sync to try to force updates. I have also tried pushing policy again to both GW. Has anyone else ever seen this? Are there any other commands or troubleshooting recommended before possibly engaging TAC?

From the PDP Gateway:

pep show pdp all
Command: root->show->pdp->all
-----------------------------------------------------------------------
| Direction | IP | ID | Status | Users | Connect time |
-----------------------------------------------------------------------
| Incoming | | 0 | Connected | 460 | 21Feb2019 6:16:33 |
-----------------------------------------------------------------------

From the PEP Gateway with Identity Sharing enabled to sync identities with the GW above:

pep show pdp all
Command: root->show->pdp->all
-------------------------------------------------------------------------
| Direction | IP | ID | Status | Users | Connect time |
-------------------------------------------------------------------------
| Incoming | IP OF PDP GW | 0 | Connected | 391 | 8Apr2019 5:25:44 |
-------------------------------------------------------------------------
| Incoming | | 0 | Connected | 0 | 8Apr2019 5:16:48 |
-------------------------------------------------------------------------
| Outgoing | IP OF PDP GW | 0 | Connected | N/A | 8Apr2019 5:17:08 |
-------------------------------------------------------------------------

Dynamic objects in ISP Redundancy R80.30

How stable are dynamic objects in R80.30? We need to do ISP redundancy and, while we could use automatic hide NAT, we would need a separate hide NAT for internal and guest segments so we can't use the "hide behind gateway" option. We opened a TAC case in March and were told that dynamic objects were the only way to achieve this. sk25152 was provided which we've used in previous versions, with less than reliable results.

Migrate from Smart-1 HA SMS to Virtual SMS with new IP

Hi all,

I am planning on migrating from a Smart-1 77.30 HA SMS to a Virtual 77.30 SMS with a new IP and ideally new hostname. The gateways managed by the smart-1 SMS perform site-to-site vpns and remote access vpns with the checkpoint client. Also, checkpoint utm edge servers and smb devices are managed by the Smart-1 SMS; these devices are also configured with site-to-site VPNs. I have seen other articles that explain that you need to retain the same IP on the new manager, perform configuration changes e.g. licensing, firewall rules, migrate-import, then you can use the new IP.

A couple of questions. How do I connect to the new Virtual SMS with the old IP to make those changes when it is not routable to that part of the network? Second, what is the correct procedure to perform this migration? Also what would be the rollback?

Thanks for your help.
PP26 inside General Management Topics Friday
views 333 14

How to advance Upgrade Smart-1 210 SMS r77.30 to 80.20

Hi Mates,

I am planning an upgrade of SMS (Smart-1 210) from r77.30 to 80.20. We have SmartLog/SmartEvent/Management server running on this single smart appliance. I am planning to use "Upgrading a Standalone from R80.10 and lower with Advanced Upgrade" as per the guide.

So following that guide I have done the preverifier/import and resolved all issues for database to be imported to r80.20. Now when I come to actual upgrade, as per the above article I have 2 options as below:

Step 3 of 10: Get the R80.20 Standalone
Current OS: Gaia
Available options: You can:
- Upgrade to R80.20 with the CPUSE.
- Perform a clean install of the R80.20 Standalone

I asked checkpoint TAC about first option "Upgrade with CPUSE" as that links back to one of the upgrade methods using which while doing upgrade from Gaia using CPUSE the preverifier etc is all automatic and hence they said since you are using Advance method you need to go for Perform Clean Install and not the Upgrade using CPUSE. I agree to this point.

When I researched that second option "Perform a clean install of R80.20 Standalone" to check what is the exact procedure to upgrade, it takes me to below link "Installing the Gaia Operating System on Check Point Appliances", so now on this page there are clearly below options:

<SNIP>
To install a clean Gaia Operating System on a Check Point appliance, you can:
- Restore your Check Point appliance to Factory Defaults. This removes all configurations.
- Perform a clean install of the supported Gaia image with one of these options:
  - Bootable USB device.
  - CPUSE (if Gaia is already installed) - select the desired Check Point version and perform Clean Install. See sk92449 for detailed steps
<SNIP>

I would like to go for option of CPUSE (if Gaia is already installed) and I asked TAC about procedure for that and if that is possible as per given on the guide, but he said it is impossible and said any fresh install will need to be done via bootable USB (he said this is the only option). As per him, in "CPUSE (if Gaia is already installed)", "Gaia" means version 80.x, but when I argued that why would someone upgrade from same version and also the guide brings you here from the original page where we are trying to upgrade from Gaia 77.30, then he said he will check and confirm.

It also clearly states in the Release Notes, under section Supported Upgrade path, that there are three methods to upgrade Management server as below (CPUSE Clean Install is one of them):

<SNIP>
From R75.4x, R75.40VS, R76, R77.x, R77.20 EP6.0/EP6.1/EP6.2, R77.30.01, R77.30.02, R77.30.03, R80, R80.10 and R80.20.M1 to R80.20*:
Check Point Product: Security Gateway, Security Management Server, Multi-Domain Server, CloudGuard Controller
Supported Methods: CPUSE Upgrade, CPUSE Clean Install, Advanced Upgrade
<SNIP>

I just wanted to confirm here if the fresh install of Gaia 80.20 can be done from r77.30 using CPUSE? Which r80.20 from download page ( ) should be used for this? Clean Install (this is an ISO)? Or CPUSE Upgrade (tgz)?

I would really appreciate your help please.