Kevin_Orrison
Kevin_Orrison inside General Management Topics 2 hours ago
views 28 2

R80.10 to R80.30 Management Server Upgrade

I'm going to be upgrading my management server from R80.10 to R80.30 soon. I know an advanced upgrade to a new server is recommended for the new kernel and file system. I guess I'm just curious how many people are upgrading to R80.30 like that. I've heard from a few other Check Point admins that are just doing in place upgrades. I guess my question is, is it worth the effort to migrate to a new VM in my case?
lucafabbri365
lucafabbri365 inside General Management Topics 8 hours ago
views 272 10

Windows Update Services with HTTPS inspection enabled

Hello, we are having issues accessing Windows Update with HTTPs Inspection enabled (Check Point R80.20 with Take 87) and "Bypass HTTPS inspection of traffic to well-known software update services" option checked.

If, from browser, I try to surf to https://slscr.update.microsoft.com, instead of getting "403 - Forbidden: Access is denied.", I get the "ERR_CONNECTION_RESET" error.

Any advice?

Thank you,
Luca
Daniel_Taney
Daniel_Taney inside General Management Topics yesterday
views 908 4

PDP/PEP Identity Sharing Not In Sync?

I will likely open a TAC case on this, but we noticed today that one GW using identity sharing today seems to not be fully in sync with the PDP. For example, if I run pep show user all |grep <username> on the PDP, I am able to see a record existing for that user. However, when I go to the GW acting as the PEP, the same command returns no entries. It seems completely random as to the users impacted, but it is definitely messing with some App Control rules from working!

I've tried using pdp update all and pdp control sync to try to force updates. I have also tried pushing policy again to both GW. Has anyone else ever seen this? Are there any other commands or troubleshooting recommended before possibly engaging TAC?

From the PDP Gateway:

pep show pdp all
Command: root->show->pdp->all
-----------------------------------------------------------------------
| Direction | IP | ID | Status | Users | Connect time |
-----------------------------------------------------------------------
| Incoming | 127.0.0.1 | 0 | Connected | 460 | 21Feb2019 6:16:33 |
-----------------------------------------------------------------------

From the PEP Gateway with Identity Sharing enabled to sync identities with the GW above:

pep show pdp all
Command: root->show->pdp->all
-------------------------------------------------------------------------
| Direction | IP | ID | Status | Users | Connect time |
-------------------------------------------------------------------------
| Incoming | IP OF PDP GW | 0 | Connected | 391 | 8Apr2019 5:25:44 |
-------------------------------------------------------------------------
| Incoming | 127.0.0.1 | 0 | Connected | 0 | 8Apr2019 5:16:48 |
-------------------------------------------------------------------------
| Outgoing | IP OF PDP GW | 0 | Connected | N/A | 8Apr2019 5:17:08 |
-------------------------------------------------------------------------
Sundar_Ramanath
Sundar_Ramanath inside General Management Topics yesterday
views 2309 14 2

R80.10 Gateways drops traffic after policy Install

Having issues with R80.10 gateways, which are dropping traffic after a policy install. Re-installing the policy again brings everything back to normal. Issue specific to R80.10 gateways, have R77.30's which are working fine. Appreciate any inputs in troubleshooting this further.

Thanks

Changing IP address of Standalone 80.10 appliance

We have a standalone appliance running 80.10. We need to change the management IP.

I came across a previous inquiry post, but the system in that case was running 77.30 and it turned out they were only wanting to change the IP of an interface that isn't tied to the Security Management.

I did go over sk40993 "How to change the IP Address of a Security Management" but that seems to assume that the Security Management is a separate server with its own IP.

In my case there's only one object related to the appliance. If I change the IP of the object to the new IP, then SmartConsole is unable to push the policy as it then loses connection to the gateway side of the appliance.

If I then change the management IP in Gaia, then I lose the SmartConsole connection. If I then try to reconnect SmartConsole to the appliance, it won't connect. It is as if the Security Management is still using the original IP.

I assume cpstop/cpstart restarts the Security Management server ("api status" seems to show this to be the case) but that doesn't seem to have the Security Management server in the standalone start using the new IP.

If I go back to Gaia and change the IP back to the original IP, then I can reconnect SmartConsole to the Security Management.

I looked into sk103356 but there's no ICAip in the registry, nor was I able to find any IP reference in said registry.

Once I get SmartConsole to be able to connect to the new IP and show connection to the gateway, I can handle any other IP related changes.

Originally when I changed the IP from the appliance front panel, I would get locked out of Gaia completely, as the policy wasn't allowing connections to the new IP. I added an object with the new IP to allow the connection so with either IP configured, I can at least connect to Gaia.

How do I fix this short of running the First Time Configuration again?
Heather_Lewis
Heather_Lewis inside General Management Topics yesterday
views 122 5

Dynamic objects in ISP Redundancy R80.30

How stable are dynamic objects in R80.30? We need to do ISP redundancy and, while we could use automatic hide NAT, we would need a separate hide NAT for internal and guest segments so we can't use the "hide behind gateway" option. We opened a TAC case in March and were told that dynamic objects were the only way to achieve this. sk25152 was provided which we've used in previous versions, with less than reliable results.

Migrate from Smart-1 HA SMS to Virtual SMS with new IP

Hi all,

I am planning on migrating from a Smart-1 77.30 HA SMS to a Virtual 77.30 SMS with a new IP and ideally new hostname. The gateways managed by the smart-1 SMS perform site-to-site vpns and remote access vpns with the checkpoint client. Also, checkpoint utm edge servers and smb devices are managed by the Smart-1 SMS; these devices are also configured with site-to-site VPNs. I have seen other articles that explain that you need to retain the same IP on the new manager, perform configuration changes e.g. licensing, firewall rules, migrate-import, then you can use the new IP.

A couple of questions. How do I connect to the new Virtual SMS with the old IP to make those changes when it is not routable to that part of the network? Second, what is the correct procedure to perform this migration? Also what would be the rollback?

Thanks for your help.
PP26
PP26 inside General Management Topics Friday
views 312 14

How to advance Upgrade Smart-1 210 SMS r77.30 to 80.20

Hi Mates,

I am planning an upgrade of SMS (Smart-1 210) from r77.30 to 80.20. We have SmartLog/SmartEvent/Management server running on this single smart appliance. I am planning to use "Upgrading a Standalone from R80.10 and lower with Advanced Upgrade" as per the guide. So following that guide I have done the preverifier/import and resolved all issues for database to be imported to r80.20, now when I come to actual upgrade, as per the above article I have 2 options as below

Step 3 of 10: Get the R80.20 Standalone
Current OS: Gaia
Available options: You can:
Upgrade to R80.20 with the CPUSE.
Perform a clean install of the R80.20 Standalone

I asked checkpoint TAC about first Option "Upgrade with CPUSE" as that links back to one of the upgrade methods using which while doing upgrade from Gaia using CPUSE the preverifier etc is all automatic and hence they said since you are using Advance method you need to go for Perform Clean Install and not the Upgrade using CPUSE. I agree to this point.

When I researched that second option "Perform a clean install of R80.20 Standalone" to check what is the exact procedure to upgrade it takes me to below link "Installing the Gaia Operating System on Check Point Appliances" so now on this page there are clearly below options

<SNIP>
To install a clean Gaia Operating System on a Check Point appliance, you can:
Restore your Check Point appliance to Factory Defaults. This removes all configurations.
Perform a clean install of the supported Gaia image with one of these options:
Bootable USB device.
CPUSE (if Gaia is already installed) - select the desired Check Point version and perform Clean Install. See sk92449 for detailed steps
<SNIP>

I would like to go for Options of CPUSE (if Gaia is already installed) and I asked TAC about procedure for that and if that is possible as per given on the guide, but he said it is impossible and said any fresh install will need to be done via bootable USB (he said this is the only option).

As per him "CPUSE (if Gaia is already installed) "Gaia" means version 80.x" but when I argued that why would someone upgrade from same version and also the guide bring you here from the original page where we are trying to upgrade from Gaia 77.30 then he said he will check and confirm.

It also clearly states in the Release Notes, under section Supported Upgrade path that there are three methods to upgrade Management server as below (CPUSE Clean Install is one of them)

<SNIP>
From R75.4x, R75.40VS, R76, R77.x, R77.20 EP6.0/EP6.1/EP6.2, R77.30.01, R77.30.02, R77.30.03, R80, R80.10 and R80.20.M1 to R80.20*:
Check Point Product: Security Gateway, Security Management Server, Multi-Domain Server, CloudGuard Controller
Supported Methods: CPUSE Upgrade, CPUSE Clean Install, Advanced Upgrade
<SNIP>

I just wanted to confirm here about if the fresh install of Gaia 80.20 can be done from r77.30 using CPUSE? Which r80.20 from download page (https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk122485#Downloads ) should be used for this? Clean Install (this is an ISO)? Or CPUSE Upgrade (tgz)

I would really appreciate your help please

SmartView Monitor Threshold not synchronized alert

Hi all,

We are running R80.20 and I have just configured Global Threshold settings in SmartView Monitor. One of the settings I have left on is 'Synchronization state' and each time I do a policy installation it triggers an alert to say the two Mgmt servers are not synchronized (see below):

HeaderDateHour: 13Sep2019 14:46:44; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 1; Action:  ; Origin: Primary Mgmt; IfDir: <; IfName: N/A; Alert: mail; OriginSicName: N/A; System Alert message: Management Server on Secondary Mgmt is not synchronized; Object: Secondary Mgmt; Event: Exception; Parameter: sync_status; Condition: is ; Current value: Not synchronized; ProductName: System Monitor; ProductFamily: Network;

Is this normal behaviour because for a very short time they are out of sync and is there a way to not alert on a policy installation as is happening for me?

Many thanks
Alex
Steve_Vowles
Steve_Vowles inside General Management Topics Friday
views 628 5 1

UDM server with R80.10 Management

Has anyone installed User and Device Management (UDM) portal working with a separate Management server? That is MDM on one VM and Main Management server separate to that.

From what I read it is a supported option and from HF4 is meant to work with R80.10. However the documentation is dreadful and I cannot see how the two boxes communicate (for R80.10 the API is mentioned, but I cannot see how the UDM knows about its separate Management Server). There is a config file to point it at a CMA/Management, but not a standard Smartcenter.

Steve V.
TheRealDiZ
TheRealDiZ inside General Management Topics Thursday
views 111 3

SmartConsole Radius Access - R80.20

Hi Guys,

Simple question for you today, maybe someone has already tried to configure it or at least think about it: Is it possible to define SmartConsole administrators (AD/RADIUS) not user by user, but instead using a group?

When you have several users you have to configure each user every time, under SmartConsole --> Manage & Settings --> Administrators.

Let me know!
Martin_Valenta
Martin_Valenta inside General Management Topics Thursday
views 3435 22 2

Clean install vs upgrade

Is there any SK or documentation page where the benefits of a clean installation vs. an upgrade via CPUSE are summarized?
PhoneBoy
inside General Management Topics Thursday
views 114041 41 132
Admin

R80.x Training Videos

These videos were recorded originally for our partners by Jim Oqvist, but CheckMates members can now access this exclusive content!

Introduction
  R80 Management Training Introduction (00:03:07)
  Please note that Ravello blueprints have been discontinued and are no longer available. Most of the labs can be done with the Cloud Demo Mode in R80.x SmartConsole.

Module 1: Introduction to Security Management
  R80 Management Training Lesson 1 - Big Picture (00:38:50)
  R80 Management Training Lesson 2 - Installation (00:33:30)
  R80 Management Training Lesson 3 - SmartConsole (00:46:50)

Module 2: Enhance the Way You Manage Policies
  R80 Management Training Lesson 4 - Access Control (00:46:30)
  R80 Management Training Lesson 5 Threat Prevention Policy (00:30:00)
  R80 Management Training Lesson 6 - Management API (00:45:45)
  R80 Management Training Lesson 7 - Logs & Monitoring (00:35:35)

Module 3: Multi-Domain Management and Migration to R80
  R80 Management Training Lesson 8 - MDSM (00:15:00)
  R80 Management Training Lesson 9 - Migration (00:13:15)

Adding interfaces to gateway on management server

Hi

I have added an IP address to an additional interface on a live gateway cluster R80.10, via Gaia.

When adding additional interface for a new DMZ on the Management server R80.20, Gateway cluster properties what is the best way to "get interfaces" "with or without topology"? Hopefully not causing an outage.

Thanks