Rob_Napholz inside General Management Topics 3 hours ago
views 21 1

live date of FW

I would like to determine the date a firewall was installed on the network. On the MGMT, I can call an API to determine the date the object was created. But how can I determine the date on the gateway? I thought about checking /etc/.wizard_accepted but this is the build date. Can I determine when SIC was established? What files are touched?
Vincent_Bacher inside General Management Topics 10 hours ago
views 26

questions about converting from traditional mode to simplified mode

Hi mates, I know that I can convert a traditional mode VPN using the wizard. So far so good. Now I have the challenge to convert round about 2000 communities. Which means hard work doing that manually. Does anybody know any automatism helping here out? Customer is going nuts thinking about doing all communities manually. Any ideas and help is highly appreciated. Best regards, Vincent
Martijn inside General Management Topics 11 hours ago
views 49 4

Route based VPN support and SmartLSM

Hi All, One of our customers has several remote sites with 14xx appliances managed by SmartLSM. This is working as it should, so no problems there. Customer has an internet connection configured on the WAN interface and MPLS connection configured on LAN4. We have configured this MPLS connection as the secondary ISP so we have ISP redundancy in case the WAN connection is down. Users can connect to the internet through the central site and central gateway via MPLS. But in the situation the MPLS connection is down, the 14xx appliance should set up a VPN connection to the central gateway so corporate resources that are available through the MPLS connection and are now available through the VPN connection. The only way I can think of to get this working is VTIs, route based VPNs and static routes with a higher metric. I know we can configure this on a 14xx appliance when it is locally managed. But can I configure route based VPNs on a 14xx appliance when it is centrally managed by SmartLSM? It looks only domain based VPN is supported. Any ideas? Regards, Martijn.
Maik inside General Management Topics 13 hours ago
views 105 14

"cpconfig" => "Administrator" does not show the options to list all admins

Hello guys, I have the following issue... When I execute the cpconfig command on a R80.20 log server (dedicated log server with SmartEvent + Correlation Unit blades enabled - if that information is required) I simply do not see any way to list and possibly delete SmartConsole admins. The second option of the cpconfig command, "Administrator", just shows the following text: "Do you want to add an administrator (y/n) [y] ?" We have a few admins that are configured via a Radius server on the CP mgmt server and linked via the DB install to the log server. However, for testing purposes I needed to create a GUI admin for the log server which is just present there - exactly this one needs to get deleted now as it is not needed anymore. As the cpconfig command does not give me the possibility to change or even view all configured GUI admins I'm not sure how to proceed further. The Manage & Settings > Permissions & Administrators > Administrators tab within the SmartConsole of the management server seems to not show admins that were configured via cpconfig from the log server's perspective. Is there any way to manually delete a GUI user which is just present on the log server or in general? Thanks and best regards, Maik. PS: I already tried to resync the management database with the hope that the logging db would get overwritten and therefore removed the "temp admin". Unfortunately this did not work. I'm still able to log in with this temp user.
Ryan_St__Germai inside General Management Topics 14 hours ago
views 453 5 2

R80.20 Gaia 3.10 and IPv6

I noticed that a known limitation of the 3.10 kernel is no IPv6 support. We are planning on doing a fresh install of this release on new hardware in the coming months. While we do not actually use IPv6 we do have IPv6 addresses assigned to our gateways and several objects along with their IPv4 addresses. We were previously in the process of migrating but hit a snag with our upstream provider. Since 3.10 does not support IPv6 will we run into issues when migrating to the new hardware or will we not have an issue since we don't actually process IPv6 traffic, just have IPv6 addresses assigned? I guess simple answer is remove the IPv6 addresses. When we do eventually migrate to IPv6 it would be nice to not have to re-add the addresses though. Thanks!
Juan_Carlos inside General Management Topics 15 hours ago
views 2614 9

Automate Administrators creation on R80.10 SMS

Hello, I need to find a way to automate Administrators creation with RADIUS authentication on several Security Management Servers. I don't want the RADIUS administrator to connect on each Security Management Server to create the Administrators (he is not allowed to do that). I have tried to use the API but unfortunately I got the following message telling me it's not supported:
[sms]# mgmt_cli --port <PORT> -u <USER> -p <PASSWORD> add administrator name "<NAME>" authentication-method "radius" radius-server "<RADIUS_SERVER>"
code: "err_inappropriate_domain_type"
message: "This command can work only on domains of type MDS. Cannot execute it in the current domain (current domain type is Domain)."
Executed command failed. Changes are discarded.
[sms]#
Any idea/trick that I could use to achieve what I want to do? Thanks
Ademt inside General Management Topics yesterday
views 25

Remove gateway from Smartconsole error

Hello, I tried to create a Cluster object using the wizard. At the end of the procedure SmartConsole crashed and after restarting it and logging in I could see that the cluster object was created but it appeared as if it has no members. Both gateways' status was that they are not part of the cluster. I deleted the cluster object from SmartConsole but I couldn't access the gateway objects through SmartConsole anymore. Now, I cannot add them to another cluster object nor can I delete them from SmartConsole because from the SmartConsole view they are still part of the cluster which does not exist. Any help regarding this? BR, Adem
Don_Paterson inside General Management Topics yesterday
views 255 6 1

Legacy SmartConsole Apps

It's about the SmartUpdate, SmartEvent, SmartView Monitor and SmartDashboard (and dare I say SmartView Tracker) legacy apps. When will they be fully consolidated into the R80.x SmartConsole? (Not asking about SmartView Tracker in this instance.) In the meantime it could perhaps be beneficial to have the launch options (links) all grouped together in one place, perhaps the Application Menu, as is the case with SmartUpdate (although the legacy app name is not exposed)? Of course the existing links in their current locations are valid and only a short orientation period is required to learn them, but to give the optimisation and efficiency in administration the links grouped together might be better for now. Don

import https inspection inbound certificate by mgmt_cli

Dear CheckMates, we are using a free SSL certificate for our HTTPS inspection and we need to renew every 60 days the inbound certificate used for HTTPS inspection. We would like to reimport automatically, or via script, the certificates inside the management. Can you suggest us a way using API or mgmt_cli command, if it exists? Thanks
Philipp_Schiff inside General Management Topics yesterday
views 365 7

Upgrade to R80.20 M1 from R80.10

Hi, I tried an upgrade on VMWare Workstation from a clean install of R80.10. I just imported the customer's database and then upgraded via CPUSE to R80.20 M1. After installation the machine reboots but gets stuck at the boot menu. If I follow the instructions I come into a loop and then I'm back at that screen again. Anyone else had this? Thanks, Philipp
Blason_R inside General Management Topics yesterday
views 99 8

Upgrade R77.30 to R80.10 Database Import issue

Hi Team, I am facing an issue while importing database for upgrade in R77.30. This is I am importing database from R77.30 to R77.30 and below is the error messages. Can someone pls help?
[24 Jun 11:39:29] [ExecCommandGetOutput] ERR: Command completed with error code 1
[24 Jun 11:39:29] ...<-- ExecCommandGetOutput
[24 Jun 11:39:29] [CommandRunner::exec] Command's output:
-------------------------------------
Execution finished with errors. See log file '/opt/CPshrd-R77/log/PItpi-import_install.elg' for further details
Execution has finished
-------------------------------------
[24 Jun 11:39:29] [CommandRunner::exec] ERR: Command execution had failed
[24 Jun 11:39:29] ..<-- CommandRunner::exec
[24 Jun 11:39:29] .<-- PluginsInstallationRunner::InstallPlugin
[24 Jun 11:39:29] [PluginsInstallationRunner::exec] ERR: Failed to install plugin
[24 Jun 11:39:29] <-- PluginsInstallationRunner::exec
[24 Jun 11:39:29] [ActivitiesManager::exec] ERR: Activity 'PluginsInstallationRunner' failed
[24 Jun 11:39:29] [ActivitiesManager::exec] WRN: Activities execution finished with errors
[24 Jun 11:39:29] [ActivitiesManager::exec] WRN: Activities 'PluginsInstallationRunner' have failed
[24 Jun 11:39:29] [ActivitiesManager::exec] Designated exit code is 1
**************************************************
[Expert@mgmt-server:0]# more /opt/CPshrd-R77/log/PItpi-import_install.elg
[24 Jun 11:39:24]
[24 Jun 11:39:24] *****************************************************************
[24 Jun 11:39:24] ********************* Log session beginning *********************
[24 Jun 11:39:24] *****************************************************************
[24 Jun 11:39:24] [writeExecCommandTolog] Program executed as: /opt/CPPItpi-R77/bin/uacRunner -p PItpi -import_install
[24 Jun 11:39:24] [writeEnvInfoToLog] Binary was build for Linux OS
[24 Jun 11:39:24] [writeEnvInfoToLog] Management type of machine is 'Smc'
[24 Jun 11:39:24] [writeOptionsToLog] Base name is: PItpi
[24 Jun 11:39:24] [writeOptionsToLog] Product name is: PItpi
[24 Jun 11:39:24] [writeOptionsToLog] Main run flag is: -import_install
[24 Jun 11:39:24] [writeOptionsToLog] Runner working directory is: /opt/CPPItpi-R77
[24 Jun 11:39:24] [writeOptionsToLog] Main run option is of type: Default
[24 Jun 11:39:24] [runDefaultActivities] Running default activities
[24 Jun 11:39:24] [PluginSpecs::PluginSpecs] Initializing plugin specs with '/opt/CPPItpi-R77/conf/specs.conf'
[24 Jun 11:39:24] [ActivitiesManager::exec] Starting activities execution
[24 Jun 11:39:24] [ActivitiesManager::exec] Executing activity 'PluginDefaultDbMaker'
[24 Jun 11:39:24] [copyPluginDBtoManagement] Removing directory '/opt/CPsuite-R77/fw1/conf/pluginDefault/_PItpi' if it exists
[24 Jun 11:39:24] [copyPluginDBtoManagement] Creating directory '/opt/CPsuite-R77/fw1/conf/pluginDefault/_PItpi'
[24 Jun 11:39:29] [copyPluginDBtoManagement] Copying plugin default directory from '/opt/CPPItpi-R77/conf/defaultDatabase' to '/opt/CPsuite-R77/fw1/conf/pluginDefault/_PItpi'
[24 Jun 11:39:29] [copyPluginDBtoManagement] ERR: Failed to copy plugin default directory
[24 Jun 11:39:29] [ActivitiesManager::exec] ERR: Activity 'PluginDefaultDbMaker' failed
[24 Jun 11:39:29] [ActivitiesManager::exec] Rolling back previous activities
[24 Jun 11:39:29] [ActivitiesManager::exec] Rolling back activity 'PluginDefaultDbMaker'
[24 Jun 11:39:29] [ActivitiesManager::exec] WRN: Activities execution finished with errors
[24 Jun 11:39:29] [ActivitiesManager::exec] WRN: Activities 'PluginDefaultDbMaker' have failed
[24 Jun 11:39:29] [ActivitiesManager::exec] Designated exit code is 1
DFR_ inside General Management Topics Monday
views 60

Site-Site Tunnel with NAT to a second Tunnel

Hello all, I'm in no way an experienced admin of Check Point, this is a situation that I was tasked with because no one else would take it. I'm used to work with palo and asa devices, so I might be missing something here. This is the basic layout: Due to whatever policies, 10.13.1.x can't be connected directly to 1.1.1.1, so the solution was to create the tunnel between devices 1 and 2. Device 1 is a Fortinet that I have no control over. The tunnel between device 2 and 10.13.1.x already exists and is ok. I have assigned 172.31.221.201 to an internal interface on device 2, that is a Check Point device, and created access and nat rules that I can see applied on logs when I telnet one of the allowed ports from 10.13.1.11 to 172.31.201.82. Phase 1 is ok, but the admin of device 1 says it sees device 2 trying to negotiate the 10.13.1.x subnet but not 172.31.221.x on phase 2. Is there any way I can force 2 to negotiate only the wanted subnet? Should I create a new gateway object for this new tunnel and set the topology to this address? On a palo device I would create a new IKE gateway for each tunnel I want to establish. Is this the same logic on Check Point? Thank you for any help you provide.

R77.30 - rpm command is not working.

Hello guys, I need help with the "rpm" command. If I start the command 'rpm -qa ntp', it causes the session to hang indefinitely. How can I check what is wrong with this command?
Vladimir inside General Management Topics Monday
views 3101 16 1

Behavior of the subscription blade policies after expiration

Please advise on how the policies and rules created for IPS, DLP, AV, AB, APPC, URLF, etc., will behave should the client's subscription lapse. Thank you, Vladimir

System Recovery GAIA R77.30 on HW / Appliance Model: 4200.

There is a system failure on the Security Gateway. After a reboot, the gateway does not function. How can I restore the file system to a stable state and not lose the current system configuration (For example, interfaces, routing, hostname)? We do not have backups of the system before this fault.
* Software Product Line: Security Gateway
* HW/Appliance Type: Enterprise Appliances
* HW/Appliance Model: 4200
* Operating System: Gaia
* Version: R77.30