cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post
General Management Topics

This space is the place to ask questions about Check Point's Security Management Appliances, Security Compliance, Upgrading your Security Management to R80.x, and more!

David_Spencer
David_Spencer inside General Management Topics 28m ago
views 221 8 1

in.emaild.mta high cpu usage

I'm seeing extremely high CPU usage form the in.emaild.mta that past 2 days. No significant changes have been made. Currently it's consuming %120 of cpu (5400, dual core). I've tried rebooting and failing over.  I'm not seeing much in the queue when running >tecli show emulator queue, but there are 4 items that are stack in there (we are using cloud), cloud queue is rolling through fast as well. I'm a little lost as to why the cpu usage has shot up. looking at the logs we're not seeing any significant increase in mail traffic.   fw ctl multik stat ID | Active | CPU | Connections | Peak ---------------------------------------------- 0 | Yes | 1 | 4738 | 9502 1 | Yes | 0 | 4738 | 9609     
Traian-Cojocari
Traian-Cojocari inside General Management Topics 2 hours ago
views 94 2

Ansible task failing

Hello! I am trying to add an rule to the checkpoint management server (in AWS) through Ansible.If I use the module "cp_mgmt_access_rule" it gives me the error "Relevant hotfix is not installed on Check Point server. See sk114661 on Check Point Support Center." I already installed the latest update, how can I solve this problem? Manager Node Environment: Centos 8, Ansible 2.9.2, Python 3.6.8 (Not using 2.7.9+ because of EOL)
Tom_Cripps
Tom_Cripps inside General Management Topics 2 hours ago
views 149 7

Upgrading to R80.30 has caused one fw_worker to be stuck at 100%

Hi,Since our upgrade to 80.30, our standby member in our cluster has had a fw_worker stuck at 100% cpu, it isn't a particular fw_worker it can change, when one drops another one takes it place essentially. We're also now seeing that when we attempt policy installations we lose "GAiA" in essence as is presented with the raw Bash shell as you would see if booted in maintenance mode.Anything obvious stick out to anyone?Tom
weimin
inside General Management Topics 2 hours ago
views 44 1
Employee

sic status issue

Hi Everyone,      Now found one issue that the SIC status is not normal sometimes. It shows "secure internal communication is not operational with "fwi2n". Verify that SIC is initailized or was not reset".  See below picture . And recovered automatically after a few minutes. The gateway and SMC both are R80.10 version. During the issue period, can't push policy to this gateway.  I tried to rest the SIC, still face same issue.     
Daniel_Serrano1
Daniel_Serrano1 inside General Management Topics 2 hours ago
views 31 1

CPM fail start

Someone could guide me through this problem.When I couldn't access the smartconsole, I checked the processes by running a cpwd_admin list and found that the cpm process is terminated. So I stopped it and when I started it it showed me the following error, which refers to the java libraries, I looked for information but I can't find anything to fix it.Regards.
libin
libin inside General Management Topics 4 hours ago
views 94 1

Mobile Access Role for Local users

Hi all,Regarding Unified Policy for Mobile Access, if I create access role with the local users. why should I integrate identity awareness in the gateway for the access role to work since here I am calling only the local users.Is it mandatory that the gateway should always connect to the AD for the access role which has local users or only for the first time identity awareness is required?
Tbgaz
Tbgaz inside General Management Topics 6 hours ago
views 20

Changing ISP - With/Without Topology

Hi,We are changing our backup ISP and we have got the process in place but just wanted to triple check that on the cluster object we select 'get interfaces without topology' after the IP change instead of 'with topology'. It's just a simple interface IP/NAT/ARP rule change. Having looked on here, it seems that 'with topology' isn't the way to go!
ceyhun
ceyhun inside General Management Topics yesterday
views 103 1

Combining two different management server configurations

 I have the following structure.Location A => Management + Gateway (Cluster) (R77.30)Location B => Management + Gateway (Cluster) (R80.10)We want the management server at location A to be disabled and the structure at that location is managed from the Management server at location B.There are thousands of objects, many S2S and hundreds of NAT rules on the Management server at location A. How do we transfer objects on this management to management at location B, or how to plan scenario for the transition. I want to gather management on location Management Server at location B. How can I do that? I'm waiting for your comments and ideas. Finally, unfortunately I do not have an MDS license. Thanks
Arthur_DENIS1
Arthur_DENIS1 inside General Management Topics yesterday
views 179 5

Strange log - Originating from against

Hi,I found a strange and recurring log "originating from against" for the blade IPS - see screenshotNo behavior, but a lot of this for all our firewall.Firewall and MGMT are running version R80.20 Any idea for that point ?Thanks,Arthur
Prince_Osei_Wia
Prince_Osei_Wia inside General Management Topics yesterday
views 6822 10 3

Having problem with my clusterXL: Error message "HA module not started" after cphaprob stat.

Cluster XL is enabled using cpconfig#cphaprob statHA module not started
Anu_Cherian
Anu_Cherian inside General Management Topics yesterday
views 22053 31 1

Site to Site VPN between Checkpoint and Palo Alto Firewalls

Hi All,We have a requirement to setup Site-to-Site vpn between our Checkpoint FW and customer Palo Alto FW. I have created one, but the issue is IKE phase 2 fails. I have confirmed the negotiation parameters with my customer engineer and it looks like everything is in order. What could be the possible issue?I used VPN tu and SmartView  monitor to view but to no success. Any advices will be highly appreciatedThank you so much
kb1
kb1 inside General Management Topics yesterday
views 39 1

Can someone share a guide to migrate from one management server to a new one for R80.20

So the primay management server we have has been very problematic for us (its a smart-1 225 appliance ), the secondary is working fine, most of the time we would have problems with the primary as in there would be smartconsole connection issues, active/standby issues, etc so we are fed up with the server and are going to replace it with a new one, so want to know how the migration is done from the old one to new one in case im being tasked to do it, just need to be directed to the exact SK article or any other link that would show detailed steps on how to accomplish that.
Oskar_Svedman
Oskar_Svedman inside General Management Topics yesterday
views 114 5

How to control traffic from remote offices

Hi, I need some tips/recommendations how to control access from remote offices.Today one main headquarter with all servers behind with two 3200.20 small remote offices using 730 SMB firewalls with VPN to the 3200.I want to control so only Windows AD joined computers have full access through the vpn tunnel.All other devices should have limited access, for example printers, thin clients etc.I can see 3 different approaches:1. Control the vpn traffic in the 3200 firewall with user awareness.2. Control the vpn traffic in the 730 firewalls (I think they also have user awareness with an Active Directory connection)3. Setup 802.1x wired authentication in all remote switches and control the traffice with different vlans.What would you do and why?
Andreas_Aust
Andreas_Aust inside General Management Topics yesterday
views 166 5 1

When will LSMcli support 1500 Appliance

Hi, is there a roadmap when LSMcli will support 1500 Appliance ?
Nick_Doropoulos
Nick_Doropoulos inside General Management Topics Wednesday
views 148 3 3

A question on SIC

Considering that SIC uses certificates can I confirm that there is no keep-alive mechanism involved in the protocol at all (in the sense of the manager sending any keep-alive packets to the gateway at a certain frequency)? Please note that this question is purely educational and that there is no issue that needs to be resolved.Thanks in advance.