General Management Topics

This space is the place to ask questions about Check Point's Security Management Appliances, Security Compliance, Upgrading your Security Management to R80.x, and more!

Bill_Ng inside General Management Topics 4 hours ago

Job scheduler for CDT

Is it possible to create a cron job for CDT? I created a script file to run. Here are the contents.

#!/bin/bash -f
source /opt/CPshared/5.0/tmp/ -generate /opt/CPcdt/test.csv

I get the following error in my Main_log.elg file when I ran the script through the job scheduler.

DB Operations error has occurred:
Error code 20 - Error querying the management database.
No execute permissions for one of the required files. See the additional details below.
Details:
--------
The file 'ifconfig' doesn't have execute permission.
************************************************
Wed Jan 22 15:34:46 2020 *D*: Running /sbin/pidof CentralDeploymentTool
Wed Jan 22 15:34:46 2020 *D*: Command Summary:
Command = /sbin/pidof CentralDeploymentTool
Return code = 0
Output = 20239
inside General Management Topics 10 hours ago
CDT v1.6 is GA!

Hi all,

I am very happy to announce the release of version 1.6 of the CDT - Central Deployment Tool, which now also supports VSX.

Version 1.6 introduces the following new features, as well as bug fixes and minor additions:
- VSX support – including gateways, HA clusters and VSLS clusters
- Customized RMA backup & restore - add additional files to the backup
- Resume mode – quickly resume after resolving issues with failed deployment plans
- CloudGuard support - Gateways and CloudGuard Controllers R80.10 and above

Version 1.6 will also be included in version releases starting R80.30 on all Security Management and Multi-Domain Management machines. Please visit sk111158 for download and usage instructions.

Any comments or suggestions for CDT will be appreciated!
kobilevi inside General Management Topics 10 hours ago

Gaia appliance - 15600 Lab

Hello, I need to reclaim my network to lab. I have 2 Check Point 15600 that are connected as a cluster and 1 server that manages the firewalls. What is the best practice to build this lab? Do I need a server running SmartDashboard too? Thanks
inside General Management Topics 12 hours ago

Domain Objects (FQDN) - An Unofficial ATRG

In 2018 I wrote an internal (Check Point) unofficial ATRG that covers Domain Objects in a lot more detail than sk120633 covers. I've discussed this document with our developers and confirmed all the details, and was given permission to share this on CheckMates!

The attached document contains basic info on types of domain objects, information on how domains are looked up and how often, cache of results, and troubleshooting steps with some API to confirm your usage.

This has since been updated to show the changes in 80.20 where the service, in my opinion, is super optimized and awesome!

Thanks for reading!

For the full list of White Papers, go here.
DavidCr inside General Management Topics yesterday

RADIUS Authentication problems with some Domains

Hello,

In our company, we've got a MultiDomain Server with many domains inside it and I'm facing a really strange problem...

Today, I've configured the access via a RADIUS Server (FortiAuthenticator), which is NOW redirecting the authentication requests to a Domain Controller. Furthermore, before today, we could enter the MDS using local users placed on the FortiAuthenticator. Let's say I've just added a new step between the FortiAuthenticator and the Domain Controller; before that, the authentication was just made by the FortiAuthenticator (configured as a RADIUS Server in the MDS).

Additionally, in our company we've got an HA solution based on Active-Passive nodes, and two environments, let's call them North and South. Here is the thing: when I access the MDS with my Domain Controller username I can log into the Northern Nodes, but not into the Southern Nodes. Instead I get prompted with "Failed to connect to the server...". Am I missing something? Is this a network problem, routing, firewalls...? I don't really know how the authentication flows, so it might be.

Thank you!!!
David.
Anu_Cherian inside General Management Topics yesterday

Site to Site VPN between Check Point and Palo Alto Firewalls

Hi All,

We have a requirement to set up a Site-to-Site VPN between our Check Point FW and the customer's Palo Alto FW. I have created one, but the issue is that IKE phase 2 fails. I have confirmed the negotiation parameters with my customer's engineer and it looks like everything is in order. What could be the possible issue? I used vpn tu and SmartView Monitor to view, but to no success. Any advice will be highly appreciated.

Thank you so much

R80.10 Error Validation: The main group must contain IP-based objects only

Hi guys,

We built up a test MDS to test the migration from R77.30 to R80.10. After some problems during the import, which we solved, we could start R80.10. But now we have the problem that validation errors are shown in the Dashboard for some groups with exceptions. The error messages are: "The main group must contain IP-based objects only" or "The exception group must contain IP-based objects only". Also we have the same error messages for the exception group.

We use these groups for the topology. So I understand that it's not allowed to use other sub groups in the main or exception group of a group with exceptions. But if I delete the sub groups, the error doesn't disappear. When I create a new exception group that belongs to a main group with sub groups, I don't get this error. Has someone had the same experience and solved the problem? Thanks for your help.
GuilletB inside General Management Topics Tuesday

R80.10 management server with R77.30 log servers

Hi,

I have for the moment two ST-150-00 appliances under R77.30 which are used for Network Policy Manager / Endpoint Policy Manager / logging. I have already built 2 new open servers under R80.10 as our new management servers only and enabled High Availability. Pre-Upgrade verification is fine.

My wish is to import my database from R77.30 to R80.10 but keep logs under our old appliances. The goal is, during the upgrade process, to keep our old server running for production with all gateways connected to it, and after the import of the DB, under the new management server, connect only one gateway for test.

1. Is it possible to have different versions on the log server and the Network Policy Manager?
2. Which steps should be done?

Many thanks for your support.
jacneto inside General Management Topics Tuesday

Hit Count in R80.x

Has anyone here already reset the Hit Count in R80.x "following" sk111162 without running step 1? Asking because the necessity of backing up/deleting the history files on the security gateways plus running cpstop/cpstart just to reset a counter sounds too much to me. Does anyone know the implication of running step 2 without 1?
Vladimir inside General Management Topics Tuesday

Behavior of the subscription blade policies after expiration

Please advise on how the policies and rules created for IPS, DLP, AV, AB, APPC, URLF, etc., will behave should the client's subscription lapse.

Thank you,
Vladimir
David_Spencer inside General Management Topics Tuesday

in.emaild.mta high cpu usage

I'm seeing extremely high CPU usage from the in.emaild.mta the past 2 days. No significant changes have been made. Currently it's consuming 120% of CPU (5400, dual core). I've tried rebooting and failing over. I'm not seeing much in the queue when running >tecli show emulator queue, but there are 4 items that are stuck in there (we are using cloud); the cloud queue is rolling through fast as well. I'm a little lost as to why the CPU usage has shot up. Looking at the logs we're not seeing any significant increase in mail traffic.

fw ctl multik stat
ID | Active | CPU | Connections | Peak
----------------------------------------------
 0 | Yes    | 1   | 4738        | 9502
 1 | Yes    | 0   | 4738        | 9609
libin inside General Management Topics Monday

Mobile Access Role for Local users

Hi all,

Regarding Unified Policy for Mobile Access: if I create an access role with local users, why should I integrate Identity Awareness in the gateway for the access role to work, since here I am calling only the local users? Is it mandatory that the gateway always connects to the AD for an access role which has local users, or is Identity Awareness only required for the first time?

Integrate EPS standalone in R80.30 SMS

I believe this was addressed in the past, but I'd like to check the status on this.

Since the integration of full-featured EPS into the R80.20/30 management, is there now an "easy" way to export EPS policies and packages to integrate them into an existing SMS? It would allow a single management server along with log consolidation.

I put "easy" between quotes because each migration is still a challenge, but I'm thinking of something along the lines of the R80.X migration tools.

This is relevant to the many customers who come from the R77.30.03 world, where it was necessary to maintain a separate server, and who could now benefit from integration.
Tbgaz inside General Management Topics Monday

Changing ISP - With/Without Topology

Hi,

We are changing our backup ISP and we have got the process in place, but just wanted to triple check that on the cluster object we select 'get interfaces without topology' after the IP change instead of 'with topology'. It's just a simple interface IP/NAT/ARP rule change. Having looked on here, it seems that 'with topology' isn't the way to go!
Tom_Cripps inside General Management Topics Monday

Upgrading to R80.30 has caused one fw_worker to be stuck at 100%

Hi,

Since our upgrade to 80.30, the standby member in our cluster has had a fw_worker stuck at 100% CPU. It isn't a particular fw_worker; it can change: when one drops, another one takes its place, essentially. We're also now seeing that when we attempt policy installations we lose "GAiA", in essence, and are presented with the raw Bash shell as you would see if booted in maintenance mode.

Anything obvious stick out to anyone?

Tom