
Resetting SIC after adding secondary Management server and doing failover

Hello,
We have just finished installing a secondary management server (R80.20). Everything was fully synced and we did the first failover to the secondary management server.
We were not able to install any policies on the firewalls from the secondary management server once it was active. A test of the SIC communication showed that this was failing. We reset the SIC communication on both security gateways in one cluster and then we were able to install a policy from the active management server.
We did a fail back to the primary management server. Once that was active I was able to install a policy to the same security gateway cluster without having to reset SIC.
Can anyone tell me if this is normal when installing a secondary management server, that SIC needs to be reset on all the security gateways so that they will respond to both the primary and secondary management server?
Many thanks,
Michael
Muhammad_Ali inside General Management Topics yesterday
views 2030 8

Can't Discard "SmartView Tracker" sessions on R80.20 SmartConsole

Is there any way to discard the old "SmartView Tracker" sessions on R80.20 SmartConsole? The only option I get is "Disconnect" and that is also disabled. Find attached the screenshot below:
[Image: Can't Discard Session]
whereas I can "Discard" and "Take over" sessions for SmartConsole as shown below:
[Image: Can Discard & Takeover Session]
I have gone through the discussion on https://community.checkpoint.com/t5/General-Management-Topics/clear-disconnected-sessions/td-p/33027 and also followed the scriptable solutions to discard sessions in sk133872 and sk113955 but none of them help.
Secondly, when I run the below two commands mentioned on sk133872, I don't even see the active/opened sessions either? I want to get the UID so I can try deleting by using mgmt_cli discard uid UID-NUMBER -r true suggested on sk133872, but I get below output when I run both commands.
    psql_client cpm postgres -c "select applicationname,objid,creator,state,numberoflocks,numberofoperations,creationtime,lastmodifytime from worksession where state = 'OPEN' and (numberoflocks != '0' or numberofoperations != '0');"
AND
    psql_client cpm postgres -c "select applicationname,objid,creator,state,numberoflocks,numberofoperations,creationtime,lastmodifytime from worksession where state != 'PUBLISHED' and state != 'DISCARDED' and (numberoflocks != '0' or numberofoperations != '0');"
kmadhura15 inside General Management Topics yesterday
views 52 2

Is it possible to take snapshot backup on a remote server directly?

Hello,
Does anyone know if it is possible to take snapshot backup on a remote server directly? We are having disk space issues on one of the gateways and it's not possible to take the snapshot backup on the gateway due to that. I wanted to know if we can directly take the backup on a remote server.
Appreciate the help!
Vladimir inside General Management Topics yesterday
views 70 6

The database contains objects with non-Unicode characters

When Pre-Upgrade Verifier indicates that "The database contains objects with non-Unicode characters", the corresponding SK directs us to download and execute this utility on a PC running SmartConsole: Check_Point_R80_Encoding_Detection_sk109795.zip
The results are then supposed to be defined in db_encoding.txt.
But since we are not prompted for the management server's IP or credentials, I suspect that this utility is detecting encoding on local machine, not the Management Server. So if you have multiple workstations with different encoding on each, indicated result may be one of many, but we are not aware of that at this point.
Can someone explain to me what the outcome of the situation described above would be?
Thank you,
Vladimir
Robert_Decker
inside General Management Topics yesterday
views 4076 8 6
Employee++

Migrating Policy from R80.10 SmartCenter to R80.10 CMA? Meet your best friend

Currently, the only way to move the policy and its associated objects from the R80.10 SMC to R80.10 CMA is to use Management API based tool - ExportImportPolicyPackage.
You can also migrate from one R80.10 CMA to another R80.10 CMA, as long as the source CMA has not assigned a global policy.
Follow the instructions to download, install and use the tool.
Use a "-h" command line switch to see all available usage options.
It is supported both on Windows and Linux machines, with Python version 2.7.9 (or 2.7.14) installed.
The tool is open source, so you are welcome to contribute your ideas and improvements.
We also have an active thread here on CheckMates - https://community.checkpoint.com/docs/DOC-1938.
It's recommended to test the migration first in lab and to follow the below disclaimer for checking if this option is feasible or not due to too many problematic objects in the Management server database.
Notice: There are some types of objects that the script might not be able to export. In such a case, an appropriate dummy object will be exported instead, and a message will be logged into the log files to notify you of this. In the Check Point SmartConsole you can easily replace each of these objects by searching "export_error" in the search field, see where each object is used, create the necessary object manually, then replace it.
Robert.
31 inside General Management Topics yesterday
views 48 1

Upgrade steps for management server from R77.30 to R 80.30

Hi, I am planning to upgrade the Checkpoint management server from version R77.30 to R80.30, but I am unable to find any related document. Kindly suggest any material for the same.
Sangeeth_N inside General Management Topics yesterday
views 77 5

Informational Exchange Received Delete IKE-SA from Peer: xx.xx.xx.xx

Hi,
I am trying to establish a VPN with an interoperable device [Sophos]. As checked, all the VPN parameters are matching. The VPN itself is not getting established and I am able to find the below mentioned log in SmartLog:
    Informational Exchange Received Delete IKE-SA from Peer: xx.xx.xx.xx; Cookies: xxxxxxxxxxxxxxxxxxxxxxxxxxx
Any idea regarding why this issue occurred?
kmadhura15 inside General Management Topics yesterday
views 116 3

TCP connection failure port=18191 [error no. 10]

Hello,
I have a setup with two gateways in a cluster. The management interfaces of the gateways and SMS are in the range of 62.112.170.x. They are running on R80.10. I added a static NAT to an object in the 10.253.100.x range for the standby gateway, which would NAT the IP to IP address of management interface of standby server. I pushed the policy and after that for any policy I try to push, I get the error for tcp connection failure. I am not able to make any changes now since they cannot be applied to the standby gateway anymore. Any suggestions on how to solve this issue?
sukrui inside General Management Topics yesterday
views 107 6

Power supply status dummy

I have a 5600 appliance with version R80.20. It has two power supplies. When I look with the command below, it says Dummy for both of them. What can I do about that?
    [Expert@Gateway:0]# cpstat os -f power_supply
    Power Supply
    --------------
    |Index|Status|
    --------------
    |    1|Dummy |
    |    2|Dummy |
    --------------

R80.30 upgrade from R80.10

We upgraded from R80.10 to R80.30 this last weekend. The process is well documented, although we wasted time when we got to the global Smart Event server, as detailed below...
Some notes from our experience:
- Preloading kernel module drivers for VirtSCSI and VirtPCI.
- 'R80.30 Management Server Migration Tool' is referenced in documentation as being 'Upgrade Tools'.
- License management via Smart Update is again problematic, use CLI

Preloading kernel module drivers for VirtSCSI and VirtPCI.
Our compute nodes use Linux KVM so we were previously limited in R80.10 to using the VirtIO Block drivers (/dev/vda). This unfortunately doesn't support TRIM/DISCARD/UNMAP, so we were primarily looking forward to a more modern kernel to gain access to storage using VirtIO SCSI.
We amended /etc/modprobe.conf to include additional drivers:
    alias scsi_hostadapter cciss
    alias scsi_hostadapter1 ata_piix
    alias scsi_hostadapter2 ahci
    alias scsi_hostadapter3 virtio_pci
    alias scsi_hostadapter4 virtio_scsi
Then rebuilt the kernel:
    cd /boot
    mkinitrd initrd-3.10.0-693cpx86_64.img 3.10.0-693cpx86_64 -v -f
Implemented Ceph object size aligned (4 MiB) partitioning structure:
    Disk /dev/sda: 419430400s
    Sector size (logical/physical): 512B/512B
    Partition Table: gpt
    Number Start End Size File system Name Flags
    1 8192s 622591s 614400s ext3 boot
    2 622592s 9011199s 8388608s linux-swap(v1)
    3 9011200s 419430366s 410419167s lvm

    Disk /dev/sdb: 209715200s
    Sector size (logical/physical): 512B/512B
    Partition Table: gpt
    Number Start End Size File system Name Flags
    1 8192s 209715200s 209706975s lvm
We use pvemove and pvextend to separate the operating system and PostgreSQL from logging and temporary file management:
    [Expert@fwcpm1:0]# lvdisplay -m | grep -e 'LV Path' -e 'LV Size'; lvdisplay -m | grep -A 3 -e 'Logical extents '
    LV Path /dev/vg_splat/lv_current
    LV Size 195.69 GiB
    Logical extents 0 to 6261:
    Type linear
    Physical volume /dev/sda3
    Physical extents 0 to 6261
    LV Path /dev/vg_splat/lv_log
    LV Size 99.97 GiB
    Logical extents 0 to 3198:
    Type linear
    Physical volume /dev/sdb1
    Physical extents 0 to 3198
We ran into a problem when we attempted assembling the kernel, booted using a CentOS 7 rescue environment. I assume this to be an undocumented security feature; albeit resulting in one having to disconnect the drive and reattach it using either IDE or AHCI emulation, when assembling the kernel boot image.
Question: Is there a Check Point recovery boot image with which one can package the Gaia 3.10 kernel?
[Image: Check Point R80.10 - CPU utilisation - Multi Domain Log Server]
[Image: Check Point R80.30 - CPU utilisation - Multi Domain Log Server]
Great performance improvement with us running it on Ceph...

'R80.30 Management Server Migration Tool' is referenced in documentation as being 'Upgrade Tools'
Spent way too long puzzling through the wrong tool. The documentation references the required tool as being 'Upgrade Tools'.
https://sc1.checkpoint.com/documents/R80.30/WebAdminGuides/EN/CP_R80.30_Installation_and_Upgrade_Guide/html_frameset.htm
- Upgrading Multi-Domain
- Upgrading Multi-Domain Servers in High Availability from R80.20, R80.10, and lower
- Upgrading Multi-Domain Servers in High Availability from R80.20, R80.10, and lower with Migration
- Upgrading a Dedicated SmartEvent Server
- Upgrading a Dedicated SmartEvent Server from R80.20, R80.10, and lower with Migration
R80.30 Home Page:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk144293
The tool I wasted time with was the 'Upgrade Tools package', instead of the 'R80.30 Management Server Migration Tool'.

License management via Smart Update is again problematic, use CLI
Running SmartUpdate (connect to domain, menu and then 'manage licenses and packages') reveals every vSec license being attached to the gateway within the domain, for each domain.
The CLI method is ultimately faster and more reliable:
- Connect to the primary MDS server and obtain the relevant CMA IP address by running 'mdsstat'
- Switch to the domain by running mdsenv x.x.x.x
- Remove expiring or expired licenses by getting the signature and then removing it:
    cplic print -x
    cplic del <signature>
- Import the new license, eg cplic put -l <file.lic>
- Assign available licenses to gateways: vsec_central_license
Regards
David Herselman
kfirash inside General Management Topics Thursday
views 88 3

Proxy ARP on Checkpoint R80.10

Hi,
After upgrading our gateways and management to R80.10 we started facing a weird problem. The gateway doesn't send ARP replies to the router and we have to manually configure proxy ARP on Gaia. I wonder if it's related only to the version itself or if there is any configuration or hotfix that can solve this issue.
We don't use Automatic NAT for networks; we are using static NAT for specific external resources and hide NAT for the LAN group.
    Enable Check Point ClusterXL for Bridge Active/Standby...
    ==========================================================
    Check Point ClusterXL for Bridge Active/Standby is currently disabled.
paulastya inside General Management Topics Thursday
views 153 8

Upgrading the Checkpoint VSX cluster (VSLS) from R77.30 to R80.10 with Clean install

We are going to upgrade the Checkpoint VSX Cluster from R77.30 to R80.10 with a clean install on 13500 appliances. The Management Gateway is already upgraded to R80.20 version. My question is: can we do the clean installation of the VSX cluster using CPUSE?
While checking the documentation I found the following:
From R75.40, R75.45, R75.46, R75.47, R75.40VS, R76, R77, R77.10, R77.20, R77.30 to R80.10:
Component / Supported Methods
Security Management Server
    CPUSE Upgrade
    CPUSE Clean Install
    Advanced Database Migration
Multi-Domain Server
Security Gateway
    CPUSE Upgrade
    CPUSE Clean Install
VSX
    CPUSE Upgrade (from R77 only)
    Earlier versions: Use instructions in sk101518
CloudGuard Controller
    CPUSE Upgrade (from R77.30 only)
So, the documentation says that CPUSE upgrade is possible, but it is not clarified for the clean installation.

Network Group locked for deletion

Hi Guys,
An API script adding new hosts then editing a group object has broken for some reason. The session was disconnected but not discarded, so it seems that has locked the group, and I'm not able to publish or discard the locked changes anymore. The following script didn't help:
    #!/bin/bash
    # Log in as root on the management server and save the session to id.txt
    mgmt_cli login -r true > id.txt
    current_sid=$(mgmt_cli show session -s id.txt -f json | $CPDIR/jq/jq .uid)
    # Discard every WEB_API session except the current one
    for sid in $(mgmt_cli -s id.txt show sessions details-level full -f json | $CPDIR/jq/jq '.objects[] | select ( .["application"] | contains ("WEB_API")) | .uid' | grep -v ${current_sid}); do
        mgmt_cli discard uid ${sid} -s id.txt
    done
    mgmt_cli logout -s id.txt
Would anyone please advise on that?
I've attached the locked object and the session list.
Jerry inside General Management Topics Wednesday
views 222 6

Logs Indexing Error (R80.30) SmartLog

What do you think, folks? Having that since the upgrade (last weekend)... Any idea how to fix that?
Jesus_Cano inside General Management Topics Wednesday
views 1170 9

Smart1-210 maximum memory RAM

Hi,
We have a Smart1-210, with the default memory RAM (8GB). It has 2 slots (4+4). What's the maximum memory capacity for this appliance? We need to increase memory to upgrade to R80.x.
This appliance supports 16GB? 24GB?