cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post
General Management Topics

This space is the place to ask questions about Check Point's Security Management Appliances, Security Compliance, Upgrading your Security Management to R80.x, and more!

Jerry
Jerry inside General Management Topics 4 hours ago
views 87 12 1

Security Management Server is not running (after migration 77.30->80.30)

any clues what steps to take in order to bring CPM/FWM live again? few facts:   Product Name: Check Point Security Management ServerMajor version: 6Minor version: 0Build number: 993000001Is started: 0Active status: activeStatus: Security Management Server is not running [Expert@cpm:0]# cpwd_admin listAPP PID STAT #START START_TIME MON COMMANDCPVIEWD 21947 E 1 [10:56:04] 11/11/2019 N cpviewdCPVIEWS 21950 E 1 [10:56:04] 11/11/2019 N cpview_servicesCPD 21965 E 1 [10:56:04] 11/11/2019 N cpdFWD 22054 E 1 [10:56:05] 11/11/2019 N fwd -nFWM 0 T 1 [10:56:05] 11/11/2019 N fwmSTPR 22071 E 1 [10:56:05] 11/11/2019 N status_proxyCLOUDGUARD 22104 E 1 [10:56:05] 11/11/2019 N vsec_controller_startCPM 22451 E 1 [10:56:06] 11/11/2019 N /opt/CPsuite-R80.30/fw1/scripts/cpm.sh -sSOLR 22505 E 1 [10:56:06] 11/11/2019 N java_solr /opt/CPrt-R80.30/conf/jetty.xmlRFL 22560 E 1 [10:56:06] 11/11/2019 N LogCoreSMARTVIEW 22608 E 1 [10:56:06] 11/11/2019 N SmartViewINDEXER 22684 E 1 [10:56:06] 11/11/2019 N /opt/CPrt-R80.30/log_indexer/log_indexerSMARTLOG_SERVER 22730 E 1 [10:56:06] 11/11/2019 N /opt/CPSmartLog-R80.30/smartlog_serverDASERVICE 23082 E 1 [10:56:07] 11/11/2019 N DAService_script   1. migration from 77.30 to 80.30 was done based on https://community.checkpoint.com/t5/General-Management-Topics/R77-30-to-R80-10-SMS-Migration/td-p/36384  2. new SMS is on different IP address than the old one - we need to remain with new SMS on new IP address as the old one is still up&running and serves 77.30 clusters 3. goal is to have new SMS with content from old one with new Cluster. 4. wanted to reach out to TAC but 1st I believe is the so called "best practice" to ask your mates ... so I did 🙂   thanks for all your hints   Jerry
Bjoern_Baumann
Bjoern_Baumann inside General Management Topics 7 hours ago
views 358 3 2

Where can I find more information on Check Points integration to Arista MSS solution?

I just found the solution brief (https://www.checkpoint.com/downloads/Partners/arista-solution-brief.pdf) and this YouTube video (https://www.youtube.com/watch?v=WEoC7ezPbVY).
Rodarcqu
Rodarcqu inside General Management Topics 8 hours ago
views 17

vlan consumption customer report

 Hello, Am trying to create a custom report with the ip range 10.10.3.0/24 I want to see all that was consumed during a month by that network is that possible?  I do not want take just one sample I want it takes all the resources that consumed the network traffic during a month and show them all of them in a single column not just a sample.    Best Regards,
Blason_R
Blason_R inside General Management Topics 11 hours ago
views 250 6

Failed to upgrade R77.30 to R80.30 on Smart-1 210 appliance

Hi Guys,Sometime back I tried upgrading Smart-1 210 from R77.30 to R8.10. PUV showed no warning.However, it failed at POST upgrade and here are the logs I am seeing.Return code = 0Output =[2019-11-05 - 17:57:01][3233 7021]:about to copy file /etc/fstab to /etc/fstab.orig[2019-11-05 - 17:57:06][3233 7021]:/bin/dbset :save command summary:Return code = 0Output =[2019-11-05 - 17:57:06][3233 7021]:About to execute command: /bin/bash -x /mnt/fcd/post.sh upgrade /mnt/fcd >> /var/log/install_Major_R80.30_Mgmt_T200_1_detailed.log 2>&1[2019-11-05 - 17:57:06][3233 7021]:Command /bin/bash -x /mnt/fcd/post.sh upgrade /mnt/fcd >> /var/log/install_Major_R80.30_Mgmt_T200_1_detailed.log 2>&1 execution failed, exit code=1[2019-11-05 - 17:57:06][3233 7021]:Failed on Major_Post_Install_Script[2019-11-05 - 17:57:06][3233 7021]:About to execute command: /bin/mount | /bin/grep -w "/mnt/fcd" | awk '{print $1}'[2019-11-05 - 17:57:06][3233 7021]:/bin/mount | /bin/grep -w "/mnt/fcd" | awk '{print $1}' command summary:Return code = 0Output = /dev/mapper/vg_splat-lv_fcd_new[2019-11-05 - 17:57:06][3233 7021]:About to execute command: /bin/umount -l /mnt/fcd[2019-11-05 - 17:57:06][3233 7021]:/bin/umount -l /mnt/fcd command summary:Return code = 0Output =[2019-11-05 - 17:57:06][3233 7021]:About to execute command: /usr/sbin/lvremove -fvv /dev/mapper/vg_splat-lv_fcd_new[2019-11-05 - 17:57:06][3233 7021]:Command /usr/sbin/lvremove -fvv /dev/mapper/vg_splat-lv_fcd_new execution failed, exit code=5[2019-11-05 - 17:57:06][3233 7021]:Command output: Setting global/locking_type to 1File-based locking selected.Setting global/locking_dir to /var/lock/lvmUsing logical volume(s) on command lineLocking /var/lock/lvm/V_vg_splat WB/dev/ramdisk: No label detected/dev/sda: size is 3907029168 sectors/dev/md0: size is 0 sectors/dev/vg_splat/lv_fcd_GAIA: No label detected/dev/ram: No label detected/dev/sda1: No label detected/dev/vg_splat/lv_fcd_NGSE: No label detected/dev/ram2: No label detected/dev/sda2: No label detected/dev/vg_splat/lv_fcd_R75.47sg: No label detected/dev/ram3: No label detected/dev/sda3: lvm2 label detected/dev/vg_splat/hwdiag: No label detected/dev/ram4: No label detected/dev/vg_splat/lv_log: No label detected/dev/ram5: No label detected/dev/root: No label detected/dev/ram6: No label detected/dev/vg_splat/lv_SNAPSHOT_8APR17: No label detected/dev/ram7: No label detected/dev/vg_splat/lv_B4R8030: No label detected/dev/ram8: No label detected/dev/vg_splat/lv_fcd_new: No label detected/dev/ram9: No label detected/dev/ram10: No label detected/dev/ram11: No label detected/dev/ram12: No label detected/dev/ram13: No label detected/dev/ram14: No label detected/dev/ram15: No label detected/dev/sda3: lvm2 label detected/dev/sda3: lvm2 label detectedCan't remove open logical volume "lv_fcd_new"Unlocking /var/lock/lvm/V_vg_splat[2019-11-05 - 17:57:06][3233 7021]:About to execute command: lsof | grep $( dmsetup info -c | awk '/vg_splat-lv_fcd_new/ {printf("%d,%d\n",$2,$3)}') | awk '{print($2)}' | sort -u | while read pid; do kill -9 $pid; done[2019-11-05 - 17:57:17][3233 7021]:About to execute command: /usr/sbin/lvremove -fvv /dev/mapper/vg_splat-lv_fcd_new[2019-11-05 - 17:57:17][3233 7021]:Command /usr/sbin/lvremove -fvv /dev/mapper/vg_splat-lv_fcd_new execution failed, exit code=5[2019-11-05 - 17:57:17][3233 7021]:Command output: Setting global/locking_type to 1File-based locking selected.Setting global/locking_dir to /var/lock/lvmUsing logical volume(s) on command lineLocking /var/lock/lvm/V_vg_splat WB/dev/ramdisk: No label detected/dev/sda: size is 3907029168 sectors/dev/md0: size is 0 sectors/dev/vg_splat/lv_fcd_GAIA: No label detected/dev/ram: No label detected/dev/sda1: No label detected/dev/vg_splat/lv_fcd_NGSE: No label detected/dev/ram2: No label detected/dev/sda2: No label detected/dev/vg_splat/lv_fcd_R75.47sg: No label detected/dev/ram3: No label detected/dev/sda3: lvm2 label detected/dev/vg_splat/hwdiag: No label detected/dev/ram4: No label detected/dev/vg_splat/lv_log: No label detected/dev/ram5: No label detected/dev/root: No label detected/dev/ram6: No label detected/dev/vg_splat/lv_SNAPSHOT_8APR17: No label detected/dev/ram7: No label detected/dev/vg_splat/lv_B4R8030: No label detected/dev/ram8: No label detected/dev/vg_splat/lv_fcd_new: No label detected/dev/ram9: No label detected/dev/ram10: No label detected/dev/ram11: No label detected/dev/ram12: No label detected/dev/ram13: No label detected/dev/ram14: No label detected/dev/ram15: No label detected/dev/sda3: lvm2 label detected/dev/sda3: lvm2 label detectedCan't remove open logical volume "lv_fcd_new"Unlocking /var/lock/lvm/V_vg_splat[2019-11-05 - 17:57:17][3233 7021]:volume cleanup failed.[2019-11-05 - 17:57:17][3233 7021]:remaining open files:[2019-11-05 - 17:57:17][3233 7021]:failed to remove partition
Tobias_Karsbo
Tobias_Karsbo inside General Management Topics 15 hours ago
views 43 1

Block emal to recipient in CheckPoint MTA

Hi.In our previous "Mail Gateway" I had the ability to block incoming mail to specific recipients, like inactive mailboxes and so.Doing so, the mail gateway did not need to scan the mail or relay it to the exchange server.It just dropped the mail.We are now using CheckPoint as MTA.Is there a way to do that in CheckPoint?Like a "Black List" but for internal recipients.Thanks./Tobias
Vladimir
Vladimir inside General Management Topics 18 hours ago
views 95 3

R80++ upgrade replacing topology definitions

Encountered this at one of my clients: In R77.30 they had multiple interfaces defined as "External" in topology. I do not want to debate how and if it was wrong to do so, but the fact remains that the upgrade process changed those to "this network":  
Tobias_Moritz
Tobias_Moritz inside General Management Topics 18 hours ago
views 180 3

TCP start timeout per gateway / service - override global properies

Hello community,there are various timeouts set for the firewall state machine in global properties of the management domain.TCP startTCP sessionTCP endUDP virtual sessionICMP virtual sessionOther IP virtual sessionSCTP startSCTP sessionSCTP endI know that we can override the session timeouts for TCP, UDP, ICMP, other IP and SCTP by modifying the advanced properties of the service object used in the relevant firewall rule.I have a specific usecase, where I want to override the TCP start timeout, without changing it for all gateways in this management domain. Override per gateway would be nice, override per service object even better.As far as I know, this is not possible. Am I right with that? Does anyone know a way to do so?R80.30 T200 Jumbo HFA T50Thank you for your thoughts!
Al_Marti
Al_Marti inside General Management Topics yesterday
views 979 8 2

R80.20 install on Power-1 5070

For various reasons we would like to get more life out of a pair of Power-1 5070 appliances and run R80.20 on them. Officially Checkpoint does not support R80.20 on the hardware which is understandable. But there is still a lot of life left the hardware and I would like to just run it as an open server hardware gateway cluster since it is really just x64 server hardware.When booting from the R80.20 gateway fresh install ISO it recognizes that it is a 5070 and aborts the install as per the attached screen shot.    I was hoping that some configuration in the BIOS was allowing the installation package to determine the hardware was a 5070,  so I obtained the BOIS ROM password and booted into the BIOS.  Unfortunately after scouring the BIOS I don't see anything that would refer to a 5070 or P-10-00.Does anyone have any other ideas on how the installation package is identifying the hardware as a 5070?I have taken apart the installation package and think I have found the file that triggers the installation abort condition:./hwdiag/system/base/appliance_configuration.xmland can just change the following:<model manufacturer="CheckPoint" type="P-10-00" blocked="true"><name>Power-1 5070</name> </model>to<model manufacturer="CheckPoint" type="P-10-00" blocked="false"> <name>Power-1 5070</name> </model>and then just rebuild the installation package with mkisofs,  but that is more of a hack rabbit hole than I want to go down.Anyways if anyone else some ideas please let me know.Thanks,Al
Niko
Niko inside General Management Topics Saturday
views 100 1

Amazon Web Services Dynamic IP-Adress

Hello everyone,is there any feature for the Firewall Blade, where I can add a dynamic object for a link??Issue: A programm needs a connection to Amazon Web Services, but AWS is changing the IP-Adress about every 2 days. I´m using SmartDashboard R77.30.Thank you in advance 
Maria_Pologova
Maria_Pologova inside General Management Topics Friday
views 6683 6 3

Install database process

Hello.I'm struggling to find information about what "Install Database" in R77.30 actually does. I understand that it is necessary to install database after configuring Mail Alerts, Log servers, something that is related to management components. Is it the same process that happens when Management Servers are being synchronized upon policy installation?I hope you could give me some insight or share links where I could read about this.Thank you in advance.

R80.10 to R80.30 upgrade

Hello, How can i upgrade from CPUSE R80.10 to R80.30 on COUSE. Is this just only Clean install option after downloading "R80.30 Fresh Install and Upgrade for Security Gateway file"?

IPS update- error occured while checking update in R80.10

Earlier in my environment IPS update was working fine.I have one console server which is connected to my internal(HA mode) and external(HA mode) firewall.When I installed some duplicate policies on my external firewall, I observed IPS is getting error like- error occurred while checking update on both internal and external firewall. I run Manual update still getting the same error. Any suggestion to resolve this. 

R80.20 CDT Versus SmartUpdate (FIGHT!)

Hello all,First post so please take it easy on me...Why can't we upgrade managed firewalls (Service Packs and various updates) through a SmartUpdate-like utility?  Forgive me if this has been asked before. >AntiSpoofing

SmartConsole R80.30 Installation stuck at 36% (Windows 10)

Hi everyone,I'm struggling with the installation of SmartConsole R80.30.I start the commandline with administrative rights and execute Check_Point_SmartConsole_R80_30_jumbo_HF_B20_Win.exeThe install directory does not exist and the installation starts but stops at 36%.Does anyone experience the same issue?Best regards,Maurice