mukai inside General Management Topics 6 hours ago
views 116 2

migrate R75.40 to R80.30 Failed

Migrate from R75.40 to R80.30. Export succeeded with the migrate tool. Import to R80.30 failed and the FWM process does not start.

Contents of migrate log /opt/CPshrd-R80.30/log/migrate-xxxx:

...
[14 Oct 1:52:24] [ExecCommandGetOutput] Going to execute command: '/opt/CPsuite-R80.30/fw1/bin/upgrade_phase -d 41e821a0-3720-11e3-aa6e-0800200c9fde -s end'
[14 Oct 2:10:51] [ExecCommandGetOutput] ERR: Command completed with error code 4
[14 Oct 2:10:51] ..<-- ExecCommandGetOutput
[14 Oct 2:10:51] [CommandRunner::exec] Command's output:
-------------------------------------
Failed to upgrade phase
-------------------------------------
[14 Oct 2:10:51] [CommandRunner::exec] ERR: Command execution had failed
[14 Oct 2:10:51] .<-- CommandRunner::exec
[14 Oct 2:10:51] <-- ConditionalExecutor::exec
[14 Oct 2:10:51] [ActivitiesManager::exec] ERR: Activity 'ConditionalExecutor' failed
[14 Oct 2:10:51] [ActivitiesManager::exec] WRN: Activities execution finished with errors
[14 Oct 2:10:51] [ActivitiesManager::exec] WRN: Activities 'ConditionalExecutor' have failed
[14 Oct 2:10:51] [ActivitiesManager::exec] Designated exit code is 1
[14 Oct 2:10:51] --> CleanupManager::Instance
[14 Oct 2:10:51] <-- CleanupManager::Instance
[14 Oct 2:10:51] --> CleanupManager::DoCleanup
[14 Oct 2:10:51] [CleanupManager::DoCleanup] Starting to perform cleanup
[14 Oct 2:10:51] .--> DirCleaner::exec
[14 Oct 2:10:51] [DirCleaner::exec] Going to remove directory '/opt/CPsuite-R80.30/fw1/tmp/migrate/'
[14 Oct 2:10:51] .<-- DirCleaner::exec
[14 Oct 2:10:51] .--> ImportFailureMarker::exec
[14 Oct 2:10:51] [ImportFailureMarker::exec] Checking if cleaner is active
[14 Oct 2:10:51] [ImportFailureMarker::exec] Cleaner is active, starting cleanup
[14 Oct 2:10:51] [ImportFailureMarker::exec] Checking migrate's exit code
[14 Oct 2:10:51] [ImportFailureMarker::exec] Migration had failed, creating a marker file
[14 Oct 2:10:51] ..--> UpgradeMacroReplacer::Instance
[14 Oct 2:10:51] ..<-- UpgradeMacroReplacer::Instance
[14 Oct 2:10:51] [ImportFailureMarker::exec] Created a marker file
[14 Oct 2:10:51] .<-- ImportFailureMarker::exec
[14 Oct 2:10:51] [CleanupManager::DoCleanup] Completed the cleanup
[14 Oct 2:10:51] <-- CleanupManager::DoCleanup
end

Please tell me the solution.
Michael-Polevoy inside General Management Topics 11 hours ago
views 338 8

Upgrading Checkpoint management to R80.X from R77.30

Hi All,

I have a 17-year-old Check Point standalone management server. It was originally 4.1 and was upgraded through the years to R77.30. I would like to upgrade the management server to R80.X.

I was able to export and import the configuration on a new R80.10 server, but the CPM service was not started. I found it is related to the ICA. I understand I would need to upgrade the ICA certificate to a new version (SHA-256).

I have many VPNs that rely on this ICA. In addition, I have many users in the internal database that are using user certificates for remote access authentication, issued by the ICA.

What would be the best way to update the ICA certificate without causing problems to the VPNs and the user authentication?

Best regards,
Michael
cp-bc123 inside General Management Topics 12 hours ago
views 65 2 1

Sip traffic Inspection

Hello, I am fairly new to Check Point. I am looking for commands or settings that will allow me to do the following.

1. How can I check if SIP traffic passing through Check Point is being inspected?
2. How can I clear a specific SIP session from the firewall session table?
3. How can I disable the SIP ALG, if there is any?
4. Where should I check if SIP packets are being dropped but it's not showing up in the logs? Any command to verify packets are being dropped?

Thank you in advance.
Vlad_Tonne
inside General Management Topics 16 hours ago
views 76 6 1
Employee

Web API - setting track level

Hi CheckMates,

Encountered an issue with the Management API while creating a rule via Web API. Trying to set the track level according to https://sc1.checkpoint.com/documents/latest/APIs/index.html#web/set-access-rule~v1.5%20 , the track field is able to receive "log" (even though it seems not to be documented). However, it automatically switches on the "Accounting" log feature as well. Trying to adjust the accounting setting results in an error.

Any thoughts on how it can be resolved?

Sent payload that creates a rule with logging enabled plus accounting:

payload_For_API = {
    "layer": "Network",
    "position": "top",
    "name": "API 1",
    "action": "Accept",
    "destination": "hst_dst_1.10.1.100",
    "service": "Kubernetes1",
    "enabled": True,
    "source": "Any",
    "track": "log"
}

Trying to use track.type (as in https://community.checkpoint.com/t5/Policy-Management/change-to-Track-setting-in-policy/m-p/47958#M2929) results in:

{'code': 'generic_err_invalid_parameter_name', 'message': 'Unrecognized parameter [track.type]'}

Trying to configure track using additional fields:

{'code': 'generic_err_invalid_parameter', 'message': 'Invalid parameter for [track]. The invalid value [ "accounting" : False }] should be replaced by one of the following values: [none, log, extended log, detailed log]'}

or:

{'code': 'generic_err_invalid_parameter', 'message': 'Invalid parameter for [track]. The invalid value [ "log" , {"accounting" : False }] should be replaced by one of the following values: [none, log, extended log, detailed log]'}

Thanks,
Vlad Tonne
HoogliBoogli inside General Management Topics 18 hours ago
views 107 5

How to exports admin accounts

Hi,

I want to export all my admin accounts from GAIA 77.30 and import them into GAIA 80.10. How can I do this on the CLI?

Thanks for your help.
Dan_Roddy inside General Management Topics yesterday
views 547 5

Migrate Endpoint Management from R77.30.03 to R80.10

When we licensed Endpoint the only option was to manage it from R77.30.03.  Now I want to migrate management to R80.10 that is also used to manage all our R80.10 gateways.  So I want to import a policy with objects into the R80.10 database.

VPN between Checkpoint and Mikrotik based on certificates

Greetings friends!

I'm still new to the Check Point community. We just started integrating the Check Point solution in our company. I have a question about S2S VPN tunnels.

We have three offices (A, B, C). In each of the offices there is Internet and external static IPs. In offices A and B we use the Check Point Appliance 3100 with Gaia R80.10, and in office C we use a Kerio Control gateway. Site-to-site VPNs are established between the three gateways (A, B, C) and this works "more or less", but this is not the issue now.

We have several small offices (D, E, F) (for example, warehouses and very small offices of 2-5 employees). These offices have an external dynamic IP address (DAIP). It's expensive to buy Check Point solutions for these offices, but VPN is needed there. We decided to install other gateways in these offices - Mikrotik. And now we are trying to establish a VPN between office B and D.

As far as I know, if the remote gateway has an external dynamic IP address (DAIP), then the VPN tunnel can only be established on the basis of certificates (a pre-shared secret does not work in this case). I found an article on how to do this, HowTo Set Up Certificate Based VPNs with Check Point Appliances, but this article describes how to do this if both gateways are Check Point.

Using the information from this article, the "trial and error" method and a lot of Google, we almost managed to do it. In the IPsec settings for Check Point, you need to specify for the second side (Mikrotik) only which certification authority issued the certificate and a string with the DN. However, in Mikrotik, to establish the VPN tunnel, you need to specify both certificates, Mikrotik and the remote gateway (Check Point). But I don't understand how I can export the certificate from the Check Point gateway so that we can transfer it to Mikrotik.

Can you tell me how to do this? Or maybe we chose the wrong path?

Thanks in advance for your help.

P.S. Sorry for my English.
whiz8 inside General Management Topics yesterday
views 63

Smartendpoint R80.20 HA Pair

I have an existing SmartEndpoint managing endpoints and I want to build an HA pair. Once I build the HA pair, how do the endpoints know about the Standby SmartEndpoint? If the Active one is gone, how does the endpoint connect to the standby, since it uses IP addresses to connect to the active one?

Disconnected sessions preventing upgrade from R80.20 to R80.30

Hello Checkmates,

I am upgrading a Check Point Management Server from R80.20 to R80.30. Everything works fine during the upgrade. The WebUI is restarted, but we can't connect to the Management Server. Turns out that CPM has not initialized properly.

[Expert@DCTSMS:0]# /opt/CPsuite-R80.30/fw1/scripts/cpm_status.sh
Check Point Security Management Server is during initialization

We see in the $FWDIR/log/cpm.elg file that there are several logs worth investigating. One of them:

ERROR fts.solr.Jpa2SolrManagerImpl [main]: SOLR is completely out of sync!!! more than 5000 jpa2FtsRecords are out of sync. ...

leads us to sk116014: CPM process initialization is slow after backup restore. But this time, it's not slow, it's super slow. 3 hours and no progress (of the size of the cpm.elg file).

We find that in this file, there are lines like:

Caused by: CpmGeneralException{base='com.checkpoint.management.is.exceptions.CpmGeneralException: java.lang.SecurityException: Tried to open non existing session with id d16200d0-e68e-42b5-ad37-1a4da8f3b5de', errorCode='CP_ERR_UNSPECIFIED', errorFamily='null', messageForUser='null', message='java.lang.SecurityException: Tried to open non existing session with id d16200d0-e68e-42b5-ad37-1a4da8f3b5de'}
        at com.checkpoint.management.object_store.fts.solr.Jpa2SolrManagerImpl.syncJpaDbWithFtsIndex(Jpa2SolrManagerImpl.java:688)
        at com.checkpoint.management.object_store.ObjectStoreSessionImpl.syncJpaDbWithFtsIndex_aroundBody194(ObjectStoreSessionImpl.java:3600)
        at com.checkpoint.management.object_store.ObjectStoreSessionImpl$AjcClosure195.run(ObjectStoreSessionImpl.java:1)
        at org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149)
        at com.checkpoint.management.dleserver.coresvc.internal.TransactionRetrySvcImpl.proceed(TransactionRetrySvcImpl.java:79)
        at com.checkpoint.management.dle.aspects.TransactionRetryAspect.aroundOperation(TransactionRetryAspect.java:7)
        at com.checkpoint.management.object_store.ObjectStoreSessionImpl.syncJpaDbWithFtsIndex(ObjectStoreSessionImpl.java:2500)
        at com.checkpoint.management.object_store.ObjectStoreImpl.syncJpaDbWithFtsIndex_aroundBody14(ObjectStoreImpl.java:56)
        at com.checkpoint.management.object_store.ObjectStoreImpl$AjcClosure15.run(ObjectStoreImpl.java:1)
        at org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149)
        at com.checkpoint.management.dleserver.coresvc.internal.TransactionRetrySvcImpl.proceed(TransactionRetrySvcImpl.java:79)
        at com.checkpoint.management.dle.aspects.TransactionRetryAspect.aroundOperation(TransactionRetryAspect.java:7)
        at com.checkpoint.management.object_store.ObjectStoreImpl.syncJpaDbWithFtsIndex(ObjectStoreImpl.java:83)
        ... 32 more
Caused by: java.lang.SecurityException: Tried to open non existing session with id d16200d0-e68e-42b5-ad37-1a4da8f3b5de
        at com.checkpoint.management.object_store.ObjectStoreSessionImpl.isPublished_aroundBody192(ObjectStoreSessionImpl.java:542)
        at com.checkpoint.management.object_store.ObjectStoreSessionImpl$AjcClosure193.run(ObjectStoreSessionImpl.java:1)
        at org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149)
        at com.checkpoint.management.dleserver.coresvc.internal.TransactionRetrySvcImpl.proceed(TransactionRetrySvcImpl.java:79)
        at com.checkpoint.management.dle.aspects.TransactionRetryAspect.aroundOperation(TransactionRetryAspect.java:7)
        at com.checkpoint.management.object_store.ObjectStoreSessionImpl.isPublished(ObjectStoreSessionImpl.java:1010)
        at com.checkpoint.management.object_store.fts.solr.Jpa2SolrManagerImpl.syncJpaDbWithFtsIndex(Jpa2SolrManagerImpl.java:304)
========================

So it seems that session ID d16200d0-e68e-42b5-ad37-1a4da8f3b5de is non-existent and is causing problems regarding CPM initialization.

I try to suppress this session ID using the method I have seen on one of the forums:

mgmt_cli discard --port 443 uid d16200d0-e68e-42b5-ad37-1a4da8f3b5de
Username: sc-admin
Password:
code: "generic_server_error"
message: "Management server failed to execute command"
============================================================

It doesn't work. Meanwhile, I have noticed that, indeed, there is a ghost session in the SmartCenter that we can't suppress using SmartConsole (or even GuiDBedit). See attached file. I have tried to remove the ghost session using the psql_client command... But I don't know how to proceed.

Any help?

Thanks,
Gilles

PMTR-23492, PRJ-2847 Added support for Internal CA certificate replacement.

Can anybody shed some light on "PMTR-23492, PRJ-2847 Added support for Internal CA certificate replacement." as stated in the sk153152.
PhoneBoy
inside General Management Topics Sunday
views 115801 43 134
Admin

R80.x Training Videos

These videos were recorded originally for our partners by Jim Oqvist, but CheckMates members can now access this exclusive content!

Please note that Ravello blueprints have been discontinued and are no longer available. Most of the labs can be done with the Cloud Demo Mode in R80.x SmartConsole.

Introduction
R80 Management Training Introduction - 00:03:07

Module 1: Introduction to Security Management
R80 Management Training Lesson 1 - Big Picture - 00:38:50
R80 Management Training Lesson 2 - Installation - 00:33:30
R80 Management Training Lesson 3 - SmartConsole - 00:46:50

Module 2: Enhance the Way You Manage Policies
R80 Management Training Lesson 4 - Access Control - 00:46:30
R80 Management Training Lesson 5 - Threat Prevention Policy - 00:30:00
R80 Management Training Lesson 6 - Management API - 00:45:45
R80 Management Training Lesson 7 - Logs & Monitoring - 00:35:35

Module 3: Multi-Domain Management and Migration to R80
R80 Management Training Lesson 8 - MDSM - 00:15:00
R80 Management Training Lesson 9 - Migration - 00:13:15
Eugene_Tcheby
inside General Management Topics Saturday
views 165 2 2
Employee+

How to Upgrade a Cloudguard VMSS (Scaleset) Solution from R80.20 --> R80.30 in Azure

As R80.10 and R80.20 images are soon to be delisted from the Azure Marketplace, I put together a step-by-step guide with screenshots on how to upgrade a Cloudguard VMSS (Scale Set) from R80.20 to R80.30 in Microsoft Azure - with R80.20 Management. This "how-to" is based on the new procedure from the Admin Guide which you can find here: https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_VMSS_for_Azure/html_frameset.htm?topic=documents/IaaS/WebAdminGuides/EN/CP_VMSS_for_Azure/216060 Your feedback and comments are appreciated. 
Marcel_Wildenbe inside General Management Topics Saturday
views 4043 31 3

upgrade to R80.20 failed

Hi CheckMates,

Last night, I tried to upgrade our MDS from R80.10 to R80.20. I ran into a few issues, but the most aggravating was when the installer got stuck and I had to reboot in order to get any further: the snapshot that was made by the installer was not removed, and a new attempt is telling me there is not enough free space.

CP support tells me to run an MDS export, do a fresh install and import, but I would like to avoid the hassle and just remove the LV. Can I remove this Logical Volume and if so, how do I do that?

It is GAIA running on VMware 5.5, so it is using LVM for snapshots. "show snapshots" is showing no snapshots, but lvm_manager shows me lv_fcd_new of 300 GB, non-configurable, containing: Factory defaults volume, which was not present prior to the upgrade.

Anti-Bot & Anti-Virus, IPS update error on Standby Member

Anti-Bot & Anti-Virus and/or IPS on a Check Point (R80.20) standby node report the error "Error: Update failed. Contract entitlement check failed. Could not reach 'updates.checkpoint.com'..." while updating.

Details

1. From standby node - Gaia web console => "Check for Updates", I get the error: "Could not connect to the Check Point Cloud. Check your connection settings..."
2. From standby node, tests from SSH (sk83520):
- curl_cli -v -k https://updates.checkpoint.com/ => most of the time it doesn't work (timeout); sometimes it works.
- curl_cli to any other URL => most of the time it doesn't work (timeout), sometimes it works.
- ping public FQDN => most of the time it doesn't work (timeout), sometimes it works.
- On active node => it works, always.
3. From standby node, I can reach the Internet gateway, and the other active node => no internal communication issues.
4. Already verified and applied sk43807 (all points with the exception of point 4). The fwha_forw_packet_to_not_active parameter is enabled on both nodes.
5. Licenses are OK (sk98665); with the exception of the command cpstat antimalware -f update_status that is returning the error below (the same I'm seeing from SmartConsole):

AB Update status: up-to-date
AB Update description: Gateway is up to date. Database version: 1906061756. Package date: Thu Jun 6 11:00:00 2019
AB Next update description: The next update will be run as scheduled.
AB DB version: 1906061756
AV Update status: failed
AV Update description: Update failed. Contract entitlement check failed. Could not reach "updates.checkpoint.com". Check proxy configuration on the gateway.
AV Next update description: The next try will be within one hour.
AV DB version: 1906070837

I already read these CheckMates posts:
- Update failed. Contract entitlement check failed
- Problem accessing standby cluster member from non-local network

Any advice? Thank you very much,
Luca

Proxy ARP on R80.20

Hello,

We have for some time now been trying to get our Check Point firewall to 1-to-1 NAT our VoIP phones. What we just found out was that if we configure a 1-to-1 NAT rule like a /23 subnet to a /23 subnet, the firewall does not Proxy ARP the NAT subnet in that case. A NAT rule with a /32 to /32 mask on it will not work either. However, if we configure a 1-to-1 NAT rule with host objects, like 1 host to 1 other host, the Proxy ARP works just fine.

This SK: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk114395&partition=Advanced&product=Security seems not applicable on R80.20 since the variable $CP_AUTO_ARP_FOR_MANUAL_NAT_RULES is already "1".

Is this a bug or what?

//Johan