General Management Topics

This space is the place to ask questions about Check Point's Security Management Appliances, Security Compliance, Upgrading your Security Management to R80.x, and more!

GuilletB inside General Management Topics 30m ago
views 48 2

R80.10 management server with r77.30 log servers

Hi, I have for the moment two appliances ST-150-00 under r77.30 which are used for Network Policy manager/endpoint Policy manager/logging. I have already built 2 new open servers under r80.10 as our new manager servers only and enabled High Availability. Pre-Upgrade_verification is fine. My wish is to import my database from r77.30 to r80.10 but keep logs on our old appliance. The goal is, during the upgrade process, to keep our old server running for production with all gateways connected to it, and after the import of the db, to connect only one gateway to the new management server, for test.
1. Is it possible to have a different version on the log server and the network Policy manager?
2. Which steps should be done?
Many thanks for your support.

display all static nat host

Hello Experts, I want to get the list of all static NAT hosts in my CMA R80.10. Is there a way to display all the static NAT hosts... Any scripts or other ways... Thanks a lot.

R80.XX Environment Simulation service vs R80.x Pre-Upgrade Verifier

Dear Community, would you please explain the difference regarding the information provided by the online upgrade simulation service and the pre_upgrade_verifier script from the migration tools. Do they provide the same information regarding the readiness of the management database for the upgrade? For me it looks like the online service is worth using long before the upgrade, when you only start preparation and have enough time to fix all the issues, while pre_upgrade_verifier seems to be the tool for use during the upgrade process to ensure you're safe to proceed. Are there any benefits of the online simulation service, for example, more detailed suggestions on how to fix a particular error/warning, etc.? Thanks in advance for help. Regards, Kirill
Charles_Palmer inside General Management Topics yesterday
views 151 4

Management Server High-CPU post upgrade to R80.30 from R80.10

About a month ago, I upgraded my Smart-1 410 model Management Server from R80.10 to R80.30 and installed Take 50 immediately. I did an upgrade, not a clean install. I had a few issues with high CPU and contacted support and we ended up installing Take 76 on my management server to address a high-CPU issue with Java. This seems to have corrected the high-CPU from Java issue. I still had high-CPU from postgres processes. After a few hours, those settled down and it operated normally the rest of the week. On Saturday, I had the processors spike to near-100% and stay that way until late Monday/early Tuesday and then it cleared up again. It was the postgres processes that were consuming the processor. While observing it, the postgres processes consume the processor for about 45 minutes out of every hour with a break of about 15 minutes. This is enough to have my Indeni monitoring put the management server into cooldown and start monitoring it again, only to have it spike while in cooldown, and therefore Indeni stops its normal interrogation and limits it to only CPU and Memory monitoring. I have tried to address this with support and they don't have any further guidance for me thus far. This is the third weekend since my upgrade where this process has happened.

This screams of some scheduled process that is running that takes high-CPU, but I don't know what it might be. I may have just reached the end of the cycle for this week as it has been almost 20 minutes since the CPU stopped being high this time. But it generally has been 2-3 days of mostly high-CPU on my management server starting sometime on Saturday.

Thank you for any guidance or assistance in what I should check to figure out what is causing this high-CPU condition each week.
txa inside General Management Topics yesterday
views 41 1

Connect Gateway DAIP and the management in local behind an external firewall with IP public

I need to connect a DAIP Gateway to the security console that is in the internal network of an external firewall managed by the same console. Later I will need to make an IPsec VPN between the firewall with DAIP and the external firewall with public IP through certificates. Thank you!
Niko inside General Management Topics yesterday
views 70 4

Refresh Categorization

Hello together, sometimes the CheckPoint needs some time to override a wrongly categorized website. Is there any feature or command to refresh the list of overridden categorization?
avramidisv inside General Management Topics yesterday
views 61 1

SIC reset on a remote Branch Gateway

Hi everyone, can somebody tell me what is the best case scenario to reset my SIC on a remote Branch Gateway R80.30? Is it possible to reset it remotely? I would not like to lose the remote control and the management of the gateway. And what about the regular IP forward and firewall process of the gateway? I am aware that some CK gateway services will be restarted after I exit the cpconfig. So, is it a non IP forward disruptive process or a disruptive process? Thank you in advance.
RAGHU_K inside General Management Topics yesterday
views 71 2

Issue in Importing Management Server Migrate Export File on a CMA

Hi guys, I have a Management Server running R80.20 Gaia. Also, I have an MDS setup with multiple CMAs running on it. Now I am trying to migrate my Management Server's database (policies & objects) to a new CMA in my MDS. I will keep the same hostname & IP address as on the Management Server on my CMA. To achieve this, I followed the below steps:

1) Took a Migrate Export file from the Management Server:

    # ./migrate export MGMT-DELHI_Mig_Exp

2) On my MDS setup, I created a CMA from the mgmt_cli utility & didn't start it for the first time:

    [Expert@PRIMARY-MDS:0]# mgmt_cli add domain name Domain-DELHI servers.ip-address MGMT-DELHI servers.multi-domain-server PRIMARY-MDS servers.skip-start-domain-server true

3) Copied the Migrate Export file (MGMT-DELHI_Mig_Exp.tgz) onto the MDS device in the /home/admin directory.

4) Using the cma_migrate command, I am trying to import the Migrate Export file on the newly created CMA:

    [Expert@PRIMARY-MDS:0]# cma_migrate /home/admin/MGMT-DELHI_Mig_Exp.tgz /opt/CPmds-R80.20/customers/MGMT-DELHI/CPsuite-R80.20/fw1

5) The cma_migrate command executed successfully, but on my newly created CMA I am unable to see the policies or objects which are there in my Management Server.

Has anybody faced this issue before, or is there any other way around to achieve my requirement?

Command output of cma_migrate FYR:

    [Expert@PRIMARY-MDS:0]# cma_migrate /home/admin/MGMT-DELHI_Mig_Exp.tgz /opt/CPmds-R80.20/customers/MGMT-DELHI/CPsuite-R80.20/fw1
    Your Multi-Domain Server should NOT be running while you import.
    cma_migrate will now stop the Multi-Domain Server.
    Do you want to continue [yes/no] ? yes
    Stopping Domain Management Servers
    Initialize stopping of Domain Management Servers: 1 out of 2
    Initialize stopping of Domain Management Servers: 2 out of 2
    [2] Done /opt/CPmds-R80.20/scripts/wrap_proc_run /opt/CPmds-R80.20/scripts/mdsstop_customer MGMT-DELHI
    [1] + Done /opt/CPmds-R80.20/scripts/wrap_proc_run /opt/CPmds-R80.20/scripts/mdsstop_customer MGMT-SRV-BNG
    Number of Domain Management Servers stopped so far: 2 out of 2
    Removing Virtual IPs ..
    Stopping Multi-Domain Server
    Stop Search Infrastructure...
    Stopping RFL ...
    cpwd_admin:successful Detach operation
    Stopping Solr ...
    cpwd_admin:successful Detach operation
    Stop SmartView ...
    Stopping SmartView ...
    cpwd_admin:successful Detach operation
    Stop Search Infrastructure...
    Stop Log Indexer... MGMT-SRV-BNG
    Stop SmartLog Server... MGMT-SRV-BNG
    Stop Search Infrastructure...
    Stop Log Indexer... MGMT-DELHI
    Stop SmartLog Server... MGMT-DELHI
    Stop Log Indexer...
    cpwd_admin:Process INDEXER (pid=63824) stopped with command "kill 63824". Exit code 0.
    Stop SmartLog Server...
    cpwd_admin:Process SMARTLOG_SERVER terminated
    evstop: Stopping product - SmartEvent Server
    evstop: Stopping product - SmartEvent Correlation Unit
    Check Point SmartEvent Correlation Unit is not running
    cpwd_admin:Process FWM terminated
    cpwd_admin:Process FWD terminated
    Stopping CPM Server ...
    cpwd_admin:Process CPD terminated
    cpwd_admin: cpWatchDog killed
    Multi-Domain Server stopped
    Starting Multi-Domain Server only
    Starting cpWatchDog
    Starting CPM Server ...
    [1] 84696
    CPM Server is running.
    Start Search Infrastructure...
    index mode was set to true
    startsearch: dbsync does not run on Multi-Domain Security Management
    cpwd_admin:Process SOLR started successfully (pid=85453)
    Starting RFL ...
    cpwd_admin:Process RFL started successfully (pid=85490)
    Starting SmartView ...
    cpwd_admin:Process SMARTVIEW started successfully (pid=85553)
    Start Log Indexer...
    cpwd_admin:Process INDEXER started successfully (pid=86232)
    Start SmartLog Server...
    cpwd_admin:Process SMARTLOG_SERVER started successfully (pid=86830)
    Multi-Domain Server Started
    Waiting for CPM server...
    Check Point Security Management Server is during initialization
    Waiting for CPM server...
    Waiting for CPM server...
    Check Point Security Management Server is during initialization
    Waiting for CPM server...
    Check Point Security Management Server is running and ready
    CPM server started
    Are you sure you want to migrate the management at /home/admin/MGMT-DELHI_Mig_Exp.tgz
    into the Domain Management Server /opt/CPmds-R80.20/customers/MGMT-DELHI/CPsuite-R80.20/fw1 [yes/no] ? yes
    Verifying data before importing. Please wait ...
    Source management version detected:R80.20
    ======================================================================
    >>> Executing Source Version Upgrade Path Checker
    ======================================================================
    >>> Executing Source Version cma_migrate Path Checker
    ======================================================================
    >>> Executing Domains Without Management Servers Test
    ======================================================================
    >>> Executing Domains With No Hosting Multi Domain Servers Test
    ======================================================================
    >>> Executing Enable For Global Use on cma_migrate Feature Test
    ======================================================================
    >>> Executing Global Policy on Source Database Detector
    ======================================================================
    >>> Executing Multiple Domain Management Servers with the same ICA Keys Detector
    ======================================================================
    >>> Executing Firmware References Detector
    ======================================================================
    >>> Executing VSX Objects Detector
    ======================================================================
    >>> Executing Domain Servers Missing From Database
    ======================================================================
    >>> Executing Missing Domain Server Directories
    Pre-migrate verification ended successfully.
    A log file was created: /opt/CPmds-R80.20/customers/MGMT-DELHI/CPsuite-R80.20/fw1/log/pre_migrate.elg
    Proceeding with migration.
    Migration completed successfully.
    [Expert@PRIMARY-MDS:0]#

How to configure SNMP for connect with PRTG.

Hello, how to connect Checkpoint gateway to PRTG network monitoring tool by SNMP? It gives that error.
prisciltetchou inside General Management Topics Wednesday
views 294 8

Issue when trying to generate a candidate list with CDT

Hello All, please I need help to use CDT. I installed it on our SMS but I cannot generate a candidate list in basic mode. I typed the command:

    ./CentralDeploymentTool -generate testgen.csv IP_SMS

The only modification I made in the CentralDeploymentTool.xml file is my email address that I added. See below the log:

    Thu Nov 14 10:32:52 2019 *D*: Split /opt/CPcdt/CentralDeploymentTool to filename CentralDeploymentTool , directory /opt/CPcdt/
    Thu Nov 14 10:32:52 2019 *E*: The SendTo setting in the CentralDeploymentTool.xml file is not empty, but an email server is not configured in Gaia. Notification email will not be sent.
    Thu Nov 14 10:32:53 2019 *D*: CPUSE RPM build: 1809
    Thu Nov 14 10:32:53 2019 *D*: CDT process started (entered init) with these command line arguments:
    Thu Nov 14 10:32:53 2019 *D*: Split /opt/CPcdt/CentralDeploymentTool to filename CentralDeploymentTool , directory /opt/CPcdt/
    Thu Nov 14 10:32:53 2019 *D*: Executable directory: /opt/CPcdt/
    Thu Nov 14 10:32:53 2019 *D*: 0: ./CentralDeploymentTool
    Thu Nov 14 10:32:53 2019 *D*: 1: -generate
    Thu Nov 14 10:32:53 2019 *D*: 2: testgen.csv
    Thu Nov 14 10:32:53 2019 *D*: 3:
    Thu Nov 14 10:32:53 2019 *D*: CDT started with these configurations:
        Logger file level: 0
        Screen file level: 1
        Syslog level: 999
        DA path: /sysimg/CPwrapper/linux/CPda/CPda-00-00.i386.rpm
        Max parallel remote operations: 5
        Max machines in batch: -1
        Last time to start a new batch: 31/12/2099 23:59
        PerformCUUpgrade: 1
        Restore original state: 0
        Mail address:
    Thu Nov 14 10:32:53 2019 *A*: Central Deployment Tool (version 1.7 build #990180531)
    Thu Nov 14 10:32:53 2019 *A*: ======================================================
    Thu Nov 14 10:32:53 2019 *A*: Current execution logs are in: /var/log/CPcdt/logs_2019-11-14-10-32-52/
    Thu Nov 14 10:32:53 2019 *D*: The configured time zone is: CET
    Thu Nov 14 10:32:53 2019 *D*: Command Summary: Command = /bin/dbget snap:show:current:version Return code = 0 Output = R80.20
    Thu Nov 14 10:32:53 2019 *D*: currentOSVersion=R80.20
    Thu Nov 14 10:32:53 2019 *D*: CurrentBuild= 1809 MinimumDaBuildNumber= 1271 MaximumDaBuildNumber= -1
    Thu Nov 14 10:32:53 2019 *D*: Starting parse arguments for deployment plan execution mode.
    Thu Nov 14 10:32:53 2019 *E*: Enter the deployment plan file path and try again.
    Thu Nov 14 10:32:53 2019 *N*: Total execution time: 0 hours 0 minutes 1 seconds
    Thu Nov 14 10:32:53 2019 *D*: CDT process ending with return code 108
    Thu Nov 14 10:32:53 2019 *D*: Running /sbin/pidof CentralDeploymentTool
    Thu Nov 14 10:32:53 2019 *D*: Command Summary: Command = /sbin/pidof CentralDeploymentTool Return code = 0 Output = 16488
    Thu Nov 14 10:32:53 2019 *D*: Split /opt/CPcdt/CentralDeploymentTool to filename CentralDeploymentTool , directory /opt/CPcdt/

Help please!!
Matthew_Forbes inside General Management Topics Wednesday
views 175 3

Clearing disk space

We currently use R77.30.03 purely for hard drive and media encryption.  Currently we are having issues with /var/log at 100%. Drilling down I can see that /var/log/opt/CPrt-R77/events_db/data9.2/ is using 49G of disk space.  What I really need to know is can I safely delete stuff from here without causing massive damage, or do I need to raise a support case? We also have /var/log/opt/CPrt-R77/events_db/data/  which is sitting at 1.8G and I'm not sure if there is a duplication of folders. Any advice please let me know. Thanks

Migrate from distributed R75 (smart-1 + 2 clustered IP appliances) to R80.30 Full HA Cluster (5400)

Hi team. I'm going to upgrade a customer environment with the following:
- 2 IP appliances with IPSO and R75 version with IP Clustering
- 1 Smart 1 appliance (I have no information about the model) also with R75 version.
The approach will be to migrate from distributed to a Full HA environment, moving to 5400 appliances and upgrading to R80.30 version. I've reviewed sk33896 "How to migrate a distributed SmartCenter to a Full HA Cluster", but it appears to only apply with SPLAT; I also searched SKs relevant to r80.x with Gaia without success. My plan is to upgrade the SM to R80.30 in a lab environment, export the configuration and then import the configuration in the 5400 appliances (with R80.30 fresh install), building the Full HA cluster. Are there any guidelines that should be followed in order to accomplish this? Many thanks in advance. Best regards.
Poul_Erik_Overg inside General Management Topics Wednesday
views 3206 10 1

vpn r80.20 vsx

I face a situation in a VSX R80.20 environment, where IPsec ESP traffic is sent to the broadcast MAC instead of the HSRP multicast MAC of the adjacent routers. The VPN tunnel is established and other IPsec ESP traffic between the same two VPN terminating gateways is sent correctly.

    14:40:23.536514 00:12:c1:60:60:08 ^ Broadcast, ethertype IPv4 (0x0800), length 134: ^ ESP(spi=0x2a89b0a5,seq=0x1), length 100
    14:40:31.365572 00:12:c1:60:60:08 ^ Broadcast, ethertype IPv4 (0x0800), length 134: ^ ESP(spi=0x2a89b0a5,seq=0x2), length 100
    14:40:31.366350 00:12:c1:60:60:08 ^ Broadcast, ethertype IPv4 (0x0800), length 134: ^ ESP(spi=0x2a89b0a5,seq=0x3), length 100
    14:40:31.549969 00:12:c1:60:60:08 ^ Broadcast, ethertype IPv4 (0x0800), length 134: ^ ESP(spi=0x2a89b0a5,seq=0x4), length 100

Any thoughts?
GGiorgakis inside General Management Topics Tuesday
views 106 1

Is there any solution in gaia to test bandwidth ?

Is there any solution in gaia to test bandwidth ?
thientq053 inside General Management Topics Tuesday
views 292 4

Setup CheckPoint Security Management R80.30 on HP DL360 Gen 10

Dear all, I have a server HP DL360 Gen 10 but I cannot set up CheckPoint Security Management R80.30 on it. I use USB of some vendors (Kingston, ADATA) and a DVD drive but cannot set up in Intelligent Provisioning mode of the server. And when I set up by BIOS following the steps of Check Point, it is not toolink : one have exp with HP GEN 10 DL360 ? Thank you,