Jesus_Cano inside General Management Topics 2 hours ago
views 104 10

VPN is going down

Hi, we just configured a VPN between Checkpoint R80.10 and Fortigate. The VPN is up and traffic is flowing. The issue is that sometimes the tunnel stops processing traffic and we need to renew it in order to work again. So why does the tunnel go down? Is it because of inactivity?
David_Spencer inside General Management Topics 5 hours ago
views 19 1

SIP over TLS non standard ports

Starting a couple days ago I've been having problems with some of our video conferencing applications. We use RP1cloud as our VC service. Normally we would see traffic on tcp5061 head out accepted. Now I'm seeing traffic dropped with the gateway as the target on non SIP ports alongside the normal traffic. See non standard ports here. The drops are destined to our external IP, and accepts are to the VC cloud service. The drop logs show the following: In order to allow the inspection of encrypted SIP over TLS connections, please add the 'sip_tls_with_server_certificate' service to the relevant rule,make sure that the 'sip_tls_authentication' service is removed from the rule and configure TLS on the corresponding SIP Server object. I found the following SK related to this VoIP Configuration message, however I'm unsure if it's viable for this situation. No changes have been made on the firewall between when it was and wasn't working. Anyone have thoughts on the behaviour change? I'm unsure why I'm seeing the odd TCP ports being listed in the SIP_tls_authentication service.
Network_Engine2 inside General Management Topics 5 hours ago
views 390 2

Is it possible to upgrade API version 1.1 to 1.3?

I'm using R80.10 with API version 1.1 and there's a command I need to perform and it only exists on version 1.3 and above. Is there an option to upgrade only the API without upgrading the whole system?

R80.10 > R80.20 with Deployment Agent Build 1728

Hi, I am in the middle of the upgrade from R77.30 to R80.20. The last days my testing was OK and everything was prepared for the upgrade. Today I was not able to get R80.10 upgraded to R80.20. R77.30 > R80.10 was working. So I wondered what has changed since my testing. I found out that today Deployment Agent Build 1728 was installed on my Management Server. So I tried to switch back to Build 1677. After that I was able to run the R80.20 upgrade. Maybe this helps someone.
Sumedh_Gujar inside General Management Topics 13 hours ago
views 561 11 1

Behavior of HA cluster when SYN link is down

Hi, I am a bit confused about the behavior of the HA cluster. We have configured an HA cluster between our 2 firewalls (12400 and R77.30). We have a point to point link between these 2 firewalls for syncing. When this link goes down our Active firewall goes to down state and the Standby firewall goes to Active state, which we can see in the cphaprob stat command. I just want to confirm whether this is the normal behavior of Checkpoint firewalls in HA mode. Or, like Cisco HSRP, should both firewalls go to Active Active mode? Thank you, Sumedh

R80.20 Management and vpn domain Edge N

Hello, we plan to update MGMT (MDS) R77.30 to R80.20. This MGMT manages gateways including Edge N/X. Edge N is referred to as supported by R80.20. But when testing we found out that the VPN domain behind the central cluster is not transmitted to Edge N and traffic inside the tunnel does not work. Has anyone faced this issue? For now there is a temporary solution: to transfer these devices to local management or to the dedicated MGMT R77.30. Andrey
Arthur_DENIS1 inside General Management Topics yesterday
views 215 3

SmartView web access for firewall policy

Hi, I got a question from one of my customers. SmartView (web-based) is a great tool and is used for accessing the logs as a read-only user. That's nice. But is there an existing way to access the access policy in the same way? Currently we use the script to export to HTML, but it is not really easy to access the HTML file for the policy and SmartView for logs... Thanks for your help guys! Arthur

Export rulebase with information in Summary tab - like Ticket Number

Hi all, I'd like to know if it is possible to export the rulebase in a way that the information in the Summary tab, like Ticket Number, will also be exported. Thanks a lot for your help and best regards, Christian
Sagar_Manandhar inside General Management Topics yesterday
views 3035 12 3

Script to run migrate export backup

Hi, how can we schedule the migrate export backup every day and push it to another server with the backup file name with date? Tried with job scheduler but there we find some limitation. Regards, Sagar Manandhar

How to tell SIC Reset NOT to fetch topology

When upgrading our R77 gateways to R80.20 using blink, we have to reset the SIC. When doing this on the R80.20 SmartCenter, the SmartCenter fetches the topology from the gateway and re-arranges the Antispoofing definitions, which is highly undesirable. Is there a way to prevent the SmartCenter from fetching the topology?

How to check Managed Gateway quota

Greetings, I'm looking for some commands to show exactly how many GW are being managed from the SM view. I need this to compare with the licensing capabilities of my mgmt. The count is quite simple with "normal" gw and clusters but it could be quite tricky in an environment with VSX. The best command I've found is: cplic check -p fw1 -c cluster-1. But I'm not sure this is showing exactly the count I need. Any suggestions?

SmartMove Index was out of range error for Netscreen

Doing some testing with the SmartMove tool. Ran a couple SRX configs (xml format) through it and had no issues, but when testing Netscreen configs (txt format) I get "Index was out of range. Must be non-negative and less than the size of the collection". This happens almost immediately when the tool starts running and provides no logs, so it's hard to try to figure out what is causing the problem. Looked around and couldn't find any information, so any info would be appreciated.
Josh_Dill inside General Management Topics Thursday
views 104 3

Identity Awareness setup

Hi All, I will be setting up Identity Awareness in an R80.10 MDS environment. We will be using Identity collects to communicate with the DCs and provide what is in the security logs to the firewall. After reading the documentation I have some questions regarding setup and usage. Thanks in advance: 1) I have read the following identity collection requirement: "Identity collector provides information about users, machines and IP addresses to the Security Gateway. LDAP Account Unit(s) should be configured to allow PDP gateways to perform group lookups on IDs that are provided from Identity Collector to match them to Access Roles." If an account unit is created in the domain (checkpoint local domain NOT active directory) and applied to the firewall object under firewall properties - others - user directory, is that all I need to perform this requirement? 2) There is no way to apply an account unit I created in global directory (at least not that I can find). Does this mean I cannot use global rules with identity awareness since the global account unit would not be assigned to the firewall to perform global lookups? 3) Is there any way to create rules for individual users as opposed to groups? Thanks, Josh

Reverting back an upgrade to R80.10 from R77.30

Hi folks. I'm in the middle of testing the upgrade steps required to get our R77.30 VSX Gateways from R77.30 to R80.10. We've already done the management side, which is already on R80.10. I've tested upgrading a gateway (albeit in VMware) using vsx_util upgrade on the management side and cpuse on the gateway side, which is all fine. What I'm really struggling to find are procedures for rolling back if we need to, so my question is.... is it possible to uninstall or revert back to R77.30 on the gateway?
Marcel_Wildenbe inside General Management Topics Wednesday
views 3086 30 3

upgrade to R80.20 failed

Hi CheckMates, last night I tried to upgrade our MDS from R80.10 to R80.20. I ran into a few issues, but the most aggravating was when the installer got stuck and I had to reboot in order to get any further; the snapshot that was made by the installer was not removed and a new attempt is telling me there is not enough free space. CP support tells me to run MDS export, do a fresh install and import, but I would like to avoid the hassle and just remove the LV. Can I remove this Logical Volume and if so, how do I do that? It is GAIA running on VMware 5.5, so it is using LVM for snapshots. "show snapshots" is showing no snapshots, but lvm_manager shows me lv_fcd_new of 300 GB, non configurable, containing: Factory defaults volume, which was not present prior to the upgrade.