Showing results for 
Search instead for 
Did you mean: 
Create a Post

How to Upgrade a Cloudguard VMSS (Scaleset) Solution from R80.20 --> R80.30 in Azure

As R80.10 and R80.20 images are soon to be delisted from the Azure Marketplace, I put together a step-by-step guide with screenshots on how to upgrade a Cloudguard VMSS (Scale Set) from R80.20 to R80.30 in Microsoft Azure - with R80.20 Management. This "how-to" is based on the new procedure from the Admin Guide which you can find here: Your feedback and comments are appreciated. 
Marcel_Wildenbe inside General Management Topics yesterday
views 3939 31 3

upgrade to R80.20 failed

Hi CheckMates,Last night, I have tried to upgrade our MDS from R80.10 to R80.20.I have ran into a few issues, but the most aggravating was when the installer got stuck and I had to reboot in order to get any further, the snapshot that was made by the installer was not removed and a new attempt is telling me there is no free space enough.CP support tells me to run MDS export, do a fresh install en import, but I would like to avoid the hassle and just remove the LV.Can I remove this Logical Volume and if so, how do I do that?It is GAIA running on VMware 5.5. So it is using LVM for Snapshots. "show snapshots" is showing no snapshots, but lvm_manager shows me lv_fcd_new of 300 GB, non configurable, containing: Factory defaults volume, which was not present prior to the upgrade.

Anti-Bot & Anti-Virus, IPS update error on Standby Member

Anti-Bot & Anti-Virus and/or IPS on Check Point (R80.20) standby node report error "Error: Update failed. Contract entitlement check failed. Could not reach ''..." while updating.Details1. From standby node - Gaia web console => "Check for Updates", I get the error: "Could not connect to the Check Point Cloud. Check your connection settings..."2. From standby node, tests from SSH (sk83520) :- curl_cli -v -k => most of the time it doesn't work (timeout); sometimes it works.- curl_cli to any other URL => most of the time it doesn't work (timeout), sometimes it works.- ping public FQDN => most of the time it doesn't work (timeout), sometimes it works.- On active node => it works, always.3. From standby node, I can reach Internet gateway, and the other active node => no internal communication issues.4. Already verified and applied sk43807 (all points with the exception of point 4).fwha_forw_packet_to_not_active parameter is enabled on both nodes.5. Licenses are OK (sk98665); with the exception of command cpstat antimalware -f update_status that is returning the error below (the same I'm seeing from SmartConsole):AB Update status: up-to-date AB Update description: Gateway is up to date. Database version: 1906061756. Package date: Thu Jun 6 11:00:00 2019 AB Next update description: The next update will be run as scheduled. AB DB version: 1906061756 AV Update status: failed AV Update description: Update failed. Contract entitlement check failed. Could not reach "". Check proxy configuration on the gateway. AV Next update description: The next try will be within one hour. AV DB version: 1906070837I already read these CheckMates posts:- Update failed. Contract entitlement check failed- Problem accessing standby cluster member from non-local networkAny advice ? Thank you very much,Luca

Proxy ARP on R80.20

Hello We have for sometime now been trying getting our Checkpoint Firewall to 1 to 1 NAT our VOIP phones.What we just found out was that if we configure a 1 to 1 NAT rule like a /23 subnet to /23 subnet the firewall does not Proxy ARP the NAT subnet in case. A NAT rule with a /32 to /32 mask on it them will not work either.However if we configure a 1 to 1 NAT rule wtih host objects like 1 host to 1 other host, the Proxy ARP works just fine.This SK: seems not aplicable on R80.20 since the variable of: $CP_AUTO_ARP_FOR_MANUAL_NAT_RULES is already "1" Is this a bug or what?  //Johan
Ugur_Urel inside General Management Topics Thursday
views 237 6

Full HA cluster upgrade from R77.30 to R80.30

Hello,We have two 5200 appliances running as R77.30 Full HA Cluster. We are planning to upgrade to version R80.30. In the Installation and Upgrade documentation ( Checkpoint says that, first upgrade the primary server then clean install the secondary server. This procedure is for upgrading from R77.30 specifically. If upgrading from R80 and above it seems that secondary management server can be upgraded directly.( these appliances are Full HA cluster and have security gateway running, what will happen when we first upgrade primary server and reboot? The secondary server will go active as R77.30 and after primary server rebooted can it become active and co-exists in the cluster together with R77.30? Also is there any other procedure to upgrade without clean installing the secondary server?I will be very pleased if someone can give more detailed procedure about the upgrade.Thanks in advance.   
CJ2019 inside General Management Topics Wednesday
views 230 5

CP Smartconsole loading very slow

We recently patched our CP mgmt server to latest jumbo hotfix Take 103.Console access is painfully slow since then.I can see memory being swapped.CPMGMT:0]# free -mtotal used free shared buff/cache availableMem: 15911 9011 387 525 6513 5731Swap: 16527 498 16029On console memory is at 60%Also noticed Java process is using 32% memory at all times3784 admin 39 19 12.105g 4.991g 34576 S 4.7 32.1 332:56.10 java4216 admin 20 0 178472 62096 11896 S 2.0 0.4 140:01.77 cpsead3050 admin 20 0 36388 11788 7512 S 1.7 0.1 1:42.86 confd Anyone experiencing the same problem?CJ  
jeffp inside General Management Topics Tuesday
views 138 1

URL Filtering - Uncategorized Category

Hi -  We have been hit with a number of targeting phishing emails lately and although our users are trained there are still times when one of them will click a link that they shouldn't.We have noticed that most if not all of the domains that are being used are newly registered which leads us to believe that using the URL filter and blocking the "Uncategorized" category would prevent our users from reaching the site.Are any of you blocking the "Uncategorized" category ?If you are blocking the "Uncategorized" category are you having problems with users not being able to access legitimate sites? 
mdjmcnally inside General Management Topics Tuesday
views 165 3

VSX Managmet IP Address Change to a new Interface as well

I have an existing VSX Cluster on R77,30 managed from MDS on R77.30VS0 and Management Server are on the same Subnet so no connectivity issues.All working correctly. However due to changing of ISP and the fact that we use a Public IP Range from our ISP for the MDS then when migrating to R80.20 MDS then will be moving to a new IP Range.   Thinking it will be easier to move the Management IP to the new Network in advance of the Management Migration rather then trying to do both the Migration and Management IP address change in one go,I am happy on adding an Interface to the New MDS Management Network into the VS0 which will have IP addresses in the New MDS Network.I am then placing routes to the New Interface IP in the new MDS Management Network on my existing MDS Server so that it routes to the MDS Management Network IP addresses of the VSX Cluster via the individual Interface IP addresses in the existing MDS to get to New_MDS_Network_Member_1 IP go via Old_MDS_Network_Member_1 IP as next hop and New_MDS_Network_Member_2 IP go via Old_MDS_Network_Member_2 IP as next hopSo this will give the existing MDS connectivity to the New MDS Network Range via each specific member.I understand that need to use the vsx_util change_mgmt_subnet command to change the IP address of the Cluster MembersAlso understand about turning off vsx on the individual boxes when reconfigure the members. My question is that will the vsx_util change_mgmt_subnet actually remove the existing MDS Network Configuration from the Cluster or will it leave that alone and is then down to me using the CLISH on the members to simply set the Management Network as the New Management Interface.  I will already have the Interfaces configured on the VSX prior to changing the Management IP over.  Will still need the existing Management Interfaces IP in place to be able to connect to the new MDS Management Interfaces on the Cluster.I believe from the documentation and that should leave the details in place and that is going to the individual boxes in question to configure the IP etc on the boxes via Console Cable or LOM Card.Is the first time changing the Management IP on a VSX System so want to make sure that have understood correctly.Thank you for your assistanceMichael   
Stephen_Hames inside General Management Topics Tuesday
views 17605 4 1

Home Lab Setup - How are you doing it?

Hi All,I'm looking to set up a lab at home so I can start to familiarise myself with R80.10, as we currently use R77.30 at work, and some of the API features of R80.10 look rather attractive.  Ideally I would like to be able to maintain it as a long-running setup so that I can build it up over time.  (Thinking of a management VM, and a pair of gateway VMs.)Am curious how you have your home labs set up, and how you approach the licensing...Thanks,Stephen Hames
jboco inside General Management Topics Tuesday
views 652 7

CPD showing "Terminated" status

Hi,Is there someone that can help me with this problem? One of our gateways (R77.20) is having an issue with cpd.When I checked the cpwd_admin list, it is showing that CPD is in T status. I already stopped/start and rebooted the gateway but still no luck.cpstat showed that we can't established session with AMON and TCP ports 18192 and 18191 aren't listening. [Expert@NGA-COM01-FWL01:0]# cpwd_admin listAPP        PID    STAT  #START  START_TIME             MON  COMMANDCPD        0      T     6       [15:04:27] 3/10/2019   N    cpd [Expert@NGA-COM01-FWL01:0]# cpstat osFailed to establish session with AMON server at [Expert@NGA-COM01-FWL01:0]# netstat -an | grep 18192[Expert@NGA-COM01-FWL01:0]# netstat -an | grep 18191 Regards, J

Extract SMTP TLS certificate from management

Hi Folks , I have two environments - data-centers . One with MTA enabled on Checkpoint gateway and other without .Now , I am in a process to enable MTA in the other environment as well . However the mail exchange service owners no longer have the private keys of the SMTP/TLS certificate used in my first environment , and I am interested in re-using that SMTP/TLS certificate in our another environment . Is there a way to extract the SMTP/TLS certificate used in the MTA setting of the Gateway ? Does the gateway , or management stores the certificate (.pfx / .pkcs7 / .pkcs12) , from where I can extract these to be re-used in other Gateways ?
Rafael_Lima1 inside General Management Topics Monday
views 1719 17

Legitimate traffic being blocked - R80.20

After migration to R80.20 we are having a legitimate traffic being blocked, filtering via "fw ctl zdebug drop", we receive the following log:@;2731325746;[cpu_9];[fw4_2];fw_log_drop_ex: Packet proto=6 x.x.x.x:45242 -> y.y.y.y:443 dropped by fwmultik_process_f2p_cookie_inner Reason: PSL Drop: internal - reject enabledWe opened a SR and passed us the SK33328, which was done but did not work, we still have connection problems sometimes.The traffic is from an apache server to an nginx, TCP / 443Anyone else went through this and could help?
karth1ck inside General Management Topics a week ago
views 184 1

schannel: failed to receive handshake, need more data

 Hi guys i have 2 GW , A and B. I'm able to access the GUI of GW A but not GW B.Below is the curl output. Kindly advise.* Rebuilt URL to:* Trying* TCP_NODELAY set* Connected to ( port 443 (#0)* schannel: SSL/TLS connection with port 443 (step 1/3)* schannel: disabled server certificate revocation checks* schannel: verifyhost setting prevents Schannel from comparing the supplied target name with the subject names in server certificates.* schannel: using IP address, SNI is not supported by OS.* schannel: sending initial handshake data: sending 147 bytes...* schannel: sent initial handshake data: sent 147 bytes* schannel: SSL/TLS connection with port 443 (step 2/3)* schannel: failed to receive handshake, need more data* Operation timed out after 300735 milliseconds with 0 out of 0 bytes received* Closing connection 0* schannel: shutting down SSL/TLS connection with port 443* schannel: clear security context handlecurl: (28) Operation timed out after 300735 milliseconds with 0 out of 0 bytes received
G_W_Albrecht inside General Management Topics a week ago
views 1149 8

CPUSE Deployment Agent build 1669 shows a strange image

Blink image of Check Point Now R80.20 Jumbo HF T13 is now available for download. File Name: blink_image_Check_Point_Now_R80.20_JHF_T13.tgz Package Size: 2433.5 MB Release Date: 20-Mar-2019 But what is this ? GW R80.20 3.1 has take 11, a R80.20 JT 13 i never did find...
scottikon inside General Management Topics a week ago
views 189 1

Failed to connect. "secondary management must be initially synced before connecting"

I have a colleague who has taken an export from the active primary management server and after he has imported in to his lab management server is unable to log in with the following error displayed in SmartConsole: = "Failed to connect. Secondary management must be initially synced before connecting." Has anyone seen this before or ideas about resolving. Not sure if there is a flag or switch we can update so it thinks it synchronised.  Kind RegardsScott