cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post
Avigdor_Sharon
Avigdor_Sharon inside General Management Topics 3 hours ago
views 526 5 1

supporting SMB appliances

Will R80 support the SMB appliances such as the 1100 series?
Maarten_Sjouw
Maarten_Sjouw inside General Management Topics yesterday
views 1233 10 1

Multi-domain Admin user authentication to AD?

Is there a possibility to use ad AD connection to authenticate Admin users for a Multi Domain environment? Currently we use a TacAcs solution but this mean an additional server in between the MDS and the AD.
TOM_MORAN
TOM_MORAN inside General Management Topics yesterday
views 63 2

retrive logs from a firewall after Management station has been disconnected

Hi I have a log question. If the Management Station is disconnected from  the firewall due to  ISP outages, The firewall logs locally.When the Management station reconnects does it:1) download the local logs of the firewall automatically (I do not believe it does)2) do we have to download the logs manually ?    a) is there a procedure for this, noting obvious  Any help is appreciated    
Vlad_Tonne
inside General Management Topics yesterday
views 127 8 1
Employee

Web API - setting track level

Hi CheckMates,   Encountered an issue with Management API while creating a rule via Web API. Trying to set track level according to https://sc1.checkpoint.com/documents/latest/APIs/index.html#web/set-access-rule~v1.5%20   , track field is able to receive "log"  (even though it seems not to be documented). However, it automatically switches on "Accounting" log feature as well. Trying to adjust the accounting setting results in an error.   Any thoughts how it can be resolved?   Sent payload that creates a rule with logging enabled plus accounting: payload_For_API = { "layer": "Network", "position": "top", "name": "API 1", "action": "Accept", "destination": "hst_dst_1.10.1.100", "service": "Kubernetes1", "enabled": True, "source": "Any", "track": "log"}   Trying to use track.type (as in https://community.checkpoint.com/t5/Policy-Management/change-to-Track-setting-in-policy/m-p/47958#M2929) results in  {'code': 'generic_err_invalid_parameter_name', 'message': 'Unrecognized parameter [track.type]'}   Trying to configure track using additional fields: {'code': 'generic_err_invalid_parameter', 'message': 'Invalid parameter for [track]. The invalid value [ "accounting" : False }] should be replaced by one of the following values: [none, log, extended log, detailed log]'} or: {'code': 'generic_err_invalid_parameter', 'message': 'Invalid parameter for [track]. The invalid value [ "log" , {"accounting" : False }] should be replaced by one of the following values: [none, log, extended log, detailed log]'}   Thanks, Vlad Tonne
Kaspars_Zibarts
Kaspars_Zibarts inside General Management Topics yesterday
views 5289 14 2

Revisions Management in R80.x

There is a "tiny-not-a-lot-of-explanation" sk113615 about changes made between R77.x and R80.x.And before you say Tim Hall‌ - there was not a lot in the new book Problem is that there are no automated means to control number of versions you keep so it keeps growing indefinitely (unless you remember to do manual purge) and also you cannot turn it off even if you wanted to. Due to the complexity of the network (MDS with many CMAs plus couple of VSX clusters and VSes stretching over multiple CMAs) I'd rather rely on good old MDS backup than revisions.And now we have hit some wall where purge on MDS simply fails - it sits at stage 3/3 forever and eventually gets "server restart" errorI will raise an SR but would be great to have a bit more insight of R80 revision management / troubleshootingI also wonder how much this will impact MDS backup size (as it has been growing like crazy)
mukai
mukai inside General Management Topics yesterday
views 163 3

migrate R75.40 to R80.30 Failed

migrate from R75.40 to R80.30Export succeeded with migrate toolImport to R80.30 failed and FWM process does not startContents of migrate log/opt/CPshrd-R80.30/log/migrate-xxxx・・[14 Oct 1:52:24] [ExecCommandGetOutput] Going to execute command: '/opt/CPsuite-R80.30/fw1/bin/upgrade_phase -d 41e821a0-3720-11e3-aa6e-0800200c9fde -s end'[14 Oct 2:10:51] [ExecCommandGetOutput] ERR: Command completed with error code 4[14 Oct 2:10:51] ..<-- ExecCommandGetOutput[14 Oct 2:10:51] [CommandRunner::exec] Command's output:-------------------------------------Failed to upgrade phase-------------------------------------[14 Oct 2:10:51] [CommandRunner::exec] ERR: Command execution had failed[14 Oct 2:10:51] .<-- CommandRunner::exec[14 Oct 2:10:51] <-- ConditionalExecutor::exec[14 Oct 2:10:51] [ActivitiesManager::exec] ERR: Activity 'ConditionalExecutor' failed[14 Oct 2:10:51] [ActivitiesManager::exec] WRN: Activities execution finished with errors[14 Oct 2:10:51] [ActivitiesManager::exec] WRN: Activities 'ConditionalExecutor' have failed[14 Oct 2:10:51] [ActivitiesManager::exec] Designated exit code is 1[14 Oct 2:10:51] --> CleanupManager::Instance[14 Oct 2:10:51] <-- CleanupManager::Instance[14 Oct 2:10:51] --> CleanupManager::DoCleanup[14 Oct 2:10:51] [CleanupManager::DoCleanup] Starting to perform cleanup[14 Oct 2:10:51] .--> DirCleaner::exec[14 Oct 2:10:51] [DirCleaner::exec] Going to remove directory '/opt/CPsuite-R80.30/fw1/tmp/migrate/'[14 Oct 2:10:51] .<-- DirCleaner::exec[14 Oct 2:10:51] .--> ImportFailureMarker::exec[14 Oct 2:10:51] [ImportFailureMarker::exec] Checking if cleaner is active[14 Oct 2:10:51] [ImportFailureMarker::exec] Cleaner is active, starting cleanup[14 Oct 2:10:51] [ImportFailureMarker::exec] Checking migrate's exit code[14 Oct 2:10:51] [ImportFailureMarker::exec] Migration had failed, creating a marker file[14 Oct 2:10:51] ..--> UpgradeMacroReplacer::Instance[14 Oct 2:10:51] ..<-- UpgradeMacroReplacer::Instance[14 Oct 2:10:51] [ImportFailureMarker::exec] Created a marker file[14 Oct 2:10:51] .<-- ImportFailureMarker::exec[14 Oct 2:10:51] [CleanupManager::DoCleanup] Completed the cleanup[14 Oct 2:10:51] <-- CleanupManager::DoCleanup end Please tell me the solution  

Upgrading Checkpoint management to R80.X from R77.30

Hi All I have a 17 years old Checkpoint standalone management server, was originally 4.1 and was upgrade through the years to R77.30.I would like to upgrade the management server to R80.X I was able to export and import the configuration on a new R80.10 server, but the CPM service was not started.I was found it is related to the ICA.I understand I would need to upgrade the ICA certificate to a new version. (SHA-256)I have many VPNs the relays on this ICA. In addition, I have many users in the internal database, that are using user certificates for remote access authentication, issued by the ICA.What would be the best way to update the ICA certificate without causing problems to the VPNs and the user authentication?Best regards,Michael 
cp-bc123
cp-bc123 inside General Management Topics Wednesday
views 107 2 1

Sip traffic Inspection

Hello, I am fairly new to checkpoint. I am looking for commands or settings that will allow me to do following.  1- how can I check if sip traffic passing thru checkpoint is being inspected?2- how can I clear a specific sip session from firewall session table?3- How can I disable sip alg if there is any?4- where should I check if sip packets are being dropped but it's not showing up in the logs? any command to verify packets are being dropped?  Thank you in advance.
HoogliBoogli
HoogliBoogli inside General Management Topics Wednesday
views 141 5

How to exports admin accounts

Hi,I want to export all my admin accounts from GAIA 77.30 an import in GAIA 80.10. How can I do this on cli?Thanks for your help.
Dan_Roddy
Dan_Roddy inside General Management Topics Tuesday
views 547 5

Migrate Endpoint Management from R77.30.03 to R80.10

When we licensed Endpoint the only option was to manage it from R77.30.03.  Now I want to migrate management to R80.10 that is also used to manage all our R80.10 gateways.  So I want to import a policy with objects into the R80.10 database.

VPN between Checkpoint and Mikrotik based on certificates

Greetings friends!I'm still new to the Checkpoint community. We just started integrating Checkpoint solution in our company. I have a question about VPN tunnels S2S.We have three offices (A, B, C). In each of the offices there is Internet and external static IPs. In offices A and B we use the Checkpoint Appliance 3100 with Gaia R80.10, and in office C we use Kerio Control gateway. VPN Site-2-Site are established between the three gateways (A, B, C) and this works "more or less", but this is not the case now.We have several small offices (D, E, F) (for example, warehouses and very small offices of 2-5 employees). These offices have an external dynamic IP address (DAIP). It’s expensive to buy Checkpoint solutions for these offices, but VPN is needed there.We decided to install other gateways in these offices - Mikrotik. And now we are trying to establish VPN between office B and D.As far as I know, if the remote gateway has an external dynamic IP address (DAIP), then VPN tunnel can only be established on the basis of certificates (Pre-shared secret does not work in this case).I found article on how to do this HowTo Set Up Certificate Based VPNs with Check Point Appliances  But this article describes how to do this if both gateways are Checkpoint.Using the information from this article and the "trial and error" method and a lot of a lot of Google, we almost managed to do it.In the IPSec settings for checkpoint, you need to specify for the second side (Mikrotik) only which certification authority issued the certificate and string with DN.However, in Mikrotik, to establish VPN tunnel, you need to specify both certificates, Mikrotik and remote gateway (Checkpoint). But I don’t understand how I can do export certificate from the Checkpoint gateway so that we can transfer it to Mikrotik.Can you tell me how to do this? Or maybe we chose the wrong path?Thanks in advance for your help.P.S. Sorry for my english.
whiz8
whiz8 inside General Management Topics Tuesday
views 96

Smartendpoint R80.20 HA Pair

 I have an existing SmartEndpoint managing endpoint and I want to build HA pair. Once I build the HA pair, how do the endpoints know about the Standby SmartEndpoint? If the Active one is gone, how does the endpoint connect to standby since it uses IP addresses to connect to the active one? 

Disconnected sessions preventing upgrade from R80.20 to R80.30

 Hello Checkmates,  I am upgrading a Check Point Management Server from R80.20 to R80.30 Everything works fine during upgrade. The Webui is restarted But we can't connect to the Management Server. Turns out that CPM has not initialized properly. [Expert@DCTSMS:0]# /opt/CPsuite-R80.30/fw1/scripts/cpm_status.shCheck Point Security Management Server is during initialization We see that in the $FWDIR/log/cpm.elg file, that there are several logs worth investigating.One of them : ERROR fts.solr.Jpa2SolrManagerImpl [main]: SOLR is completely out of sync!!! more than 5000 jpa2FtsRecords are out of sync. ... leads us to sk116014 : CPM process initialization is slow after backup restoreBut this time, it's not slow,  it's super slow. 3 hours and no progress (of the size of the cpm.elg file). We find that in this file, there are lines like : Caused by: CpmGeneralException{base='com.checkpoint.management.is.exceptions.CpmGeneralException: java.lang.SecurityException: Tried to open non existing session with id d16200d0-e68e-42b5-ad37-1a4da8f3b5de', errorCode='CP_ERR_UNSPECIFIED', errorFamily='null', messageForUser='null', message='java.lang.SecurityException: Tried to open non existing session with id d16200d0-e68e-42b5-ad37-1a4da8f3b5de'}        at com.checkpoint.management.object_store.fts.solr.Jpa2SolrManagerImpl.syncJpaDbWithFtsIndex(Jpa2SolrManagerImpl.java:688)        at com.checkpoint.management.object_store.ObjectStoreSessionImpl.syncJpaDbWithFtsIndex_aroundBody194(ObjectStoreSessionImpl.java:3600)        at com.checkpoint.management.object_store.ObjectStoreSessionImpl$AjcClosure195.run(ObjectStoreSessionImpl.java:1)        at org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149)        at com.checkpoint.management.dleserver.coresvc.internal.TransactionRetrySvcImpl.proceed(TransactionRetrySvcImpl.java:79)        at com.checkpoint.management.dle.aspects.TransactionRetryAspect.aroundOperation(TransactionRetryAspect.java:7)        at com.checkpoint.management.object_store.ObjectStoreSessionImpl.syncJpaDbWithFtsIndex(ObjectStoreSessionImpl.java:2500)        at com.checkpoint.management.object_store.ObjectStoreImpl.syncJpaDbWithFtsIndex_aroundBody14(ObjectStoreImpl.java:56)        at com.checkpoint.management.object_store.ObjectStoreImpl$AjcClosure15.run(ObjectStoreImpl.java:1)        at org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149)        at com.checkpoint.management.dleserver.coresvc.internal.TransactionRetrySvcImpl.proceed(TransactionRetrySvcImpl.java:79)        at com.checkpoint.management.dle.aspects.TransactionRetryAspect.aroundOperation(TransactionRetryAspect.java:7)        at com.checkpoint.management.object_store.ObjectStoreImpl.syncJpaDbWithFtsIndex(ObjectStoreImpl.java:83)        ... 32 moreCaused by: java.lang.SecurityException: Tried to open non existing session with id d16200d0-e68e-42b5-ad37-1a4da8f3b5de        at com.checkpoint.management.object_store.ObjectStoreSessionImpl.isPublished_aroundBody192(ObjectStoreSessionImpl.java:542)        at com.checkpoint.management.object_store.ObjectStoreSessionImpl$AjcClosure193.run(ObjectStoreSessionImpl.java:1)        at org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149)        at com.checkpoint.management.dleserver.coresvc.internal.TransactionRetrySvcImpl.proceed(TransactionRetrySvcImpl.java:79)        at com.checkpoint.management.dle.aspects.TransactionRetryAspect.aroundOperation(TransactionRetryAspect.java:7)        at com.checkpoint.management.object_store.ObjectStoreSessionImpl.isPublished(ObjectStoreSessionImpl.java:1010)        at com.checkpoint.management.object_store.fts.solr.Jpa2SolrManagerImpl.syncJpaDbWithFtsIndex(Jpa2SolrManagerImpl.java:304)========================So it seems that session ID d16200d0-e68e-42b5-ad37-1a4da8f3b5de is non existent and causing problems regarding CPM initialization.  I try to suppress this session ID using the method I have seen on one of the forums : mgmt_cli discard --port 443 uid d16200d0-e68e-42b5-ad37-1a4da8f3b5deUsername: sc-adminPassword:code: "generic_server_error"message: "Management server failed to execute command"============================================================It doesn't work. Meanwhile, I have noticed that, indeed, there is a ghost session in the Smartcenter that we can't suppress using Smartconsole (or even GUIDBedit).  See attached file. I have tried to remove ghost session using the psql_client command...  But I don't know how to proceed.Any help ?  Thanks,                               Gilles  

PMTR-23492, PRJ-2847 Added support for Internal CA certificate replacement.

Can anybody shed some light on "PMTR-23492, PRJ-2847 Added support for Internal CA certificate replacement." as stated in the sk153152.
PhoneBoy
inside General Management Topics Sunday
views 115857 43 134
Admin

R80.x Training Videos

These videos were recorded originally for our partners by Jim Oqvist, but CheckMates members can now access this exclusive content! Introduction Duration R80 Management Training Introduction (view in My Videos) Please note that Ravello blueprints have been discontinued and are no longer available.Most of the labs can be done with the Cloud Demo Mode in R80.x SmartConsole. 00:03:07  Module 1: Introduction to Security Management   R80 Management Training Lesson 1 - Big Picture‌ 00:38:50 R80 Management Training Lesson 2 - Installation‌ 00:33:30 R80 Management Training Lesson 3 - SmartConsole‌ 00:46:50  Module 2: Enhance the Way You Manage Policies   R80 Management Training Lesson 4 - Access Control‌ 00:46:30 R80 Management Training Lesson 5 Threat Prevention Policy‌ 00:30:00 R80 Management Training Lesson 6 - Management API‌ 00:45:45 R80 Management Training Lesson 7 - Logs & Monitoring‌ 00:35:35  Module 3: Multi-Domain Management and Migration to R80   R80 Management Training Lesson 8 - MDSM‌ 00:15:00 R80 Management Training Lesson 9 - Migration‌ 00:13:15