kasper777 inside General Management Topics 4 hours ago
views 43 1

Dmz question

Hi, I have a checkpoint 730. If I’m connecting a device to the dmz port, will I need a vpn in order to connect from outside?
Duane_Toler inside General Management Topics 15 hours ago
views 42

IKE certificate auto-renewal failure

Last night, I had a customer's gateway fail VPN authentication suddenly. A quick VPN debug showed the IKE certificate was expired! I checked SmartConsole and yep, the IKE certificate on the SmartCenter was expired! (gateway is R77.30, mgmt R80.20; yes upgrades are scheduled, that's not the issue here) IKE certificates are supposed to auto-renew by cpca at 75% expiry, yes? I haven't had issues with certificate auto-renewals in a very very long time, so this was a major surprise. I found another gateway certificate that will expire in 5 days, so I manually renewed it (along with the problematic gateway), then pushed policy to all gateways. I checked all other gateways and they are good into 2020 and 2021, so I have time to make any repairs if needed. With R80.20 management, is there something new I missed or some behavior change? The ICA was still valid (through year 2030), all gateways and management system times are current and valid (sync with known good NTP servers). I checked all hosts date and time to be sure! Management R80.20 was a migrate from R77.30, which has been working very well for 15+ years. No corruption or strange issues over time. I haven't found any smoking-gun SK articles about this (I have seen the SHA-1/SHA-256 articles, sk103840, but that doesn't seem relevant). sk59510 does not apply because this is site-to-site VPN, not Remote Access. Manually renewing in SmartConsole was error-free, as it should be, so other SKs regarding renewal errors don't apply. This is an odd one... anyone seen this lately, or have insight?
Sundar_Ramanath inside General Management Topics 15 hours ago
views 2370 15 2

R80.10 Gateways drops traffic after policy Install

Having issues with R80.10 gateways, which are dropping traffic after a policy install. Re-installing the policy again brings everything back to normal. Issue specific to R80.10 gateways, have R77.30's which are working fine. Appreciate any inputs in troubleshooting this further. Thanks
David_Won inside General Management Topics 15 hours ago
views 37

Smartevent upgraded to R80.10: Now how do I exclude alerts?

Upgraded our Smart Event server yesterday from R77.30 to R80.10. Lost all of our config unfortunately so now I have to put all of our exclusions in and whatnot. The problem is that in the old version I could just select an alert from the Smartevent client and then say to exclude or create an exception. I can't find this anywhere in the new version. I found where to click to bring up the event policy editor but that's not what I'm looking for. I want to be able to click on the alert and change it. Having to manually enter in all of the details is a step backward from where we were at. 2nd question. What happened to the ticketing system? I used to close out events from my timeline by closing the ticket. That way the other sysadmins would know it's taken care of. I can't find this functionality anywhere.
esinos inside General Management Topics 18 hours ago
views 50 1

Anti Malware Blade - Log Definitions

Hello, Checkpoint Anti Malware blade logs some reasons, as far as I understood, these logs mean that anti malware could not process the traffic, and because action is "accept" we need to manually control (or rely on other security products) if this traffic is malicious or not? Could you please share the list of these reasons and definitions?

Example log:

<13>Sep 18 09:19:58 18Sep2019 09:19:58 accept x.x.x.x product: Anti Malware; src: y.y.y.y; s_port: 58780; dst: z.z.z.z; service: 25; proto: tcp; rule: ;LastUpdateTime: 1568787659;Suppressed logs: 1;__policy_id_tag: product=VPN-1 & FireWall-1[db_tag={.............};mgmt=xxxxxx;date=1568709586;policy_name=xxxxxxxxx];has_accounting: 0;i/f_dir: outbound;i/f_name: eth2-03;is_first_for_luuid: 0;logId: -1;log_id: 2;log_sequence_num: 59;log_type: log;log_version: 5;origin_sic_name: CN=xxxxxxxxxxxxxxxx-fw,O=xxxxxxxxxxxxxx..nmyete;reason: Mail processing timeout;received_bytes: 691;sent_bytes: 0;session_id: ;severity: 1;

Some of Anti malware reasons:
Mail processing timeout
CFCHttpClient::ReadResponse() - Request timeout
Connection to center failed: Internal Server Error
lucafabbri365 inside General Management Topics yesterday
views 368 19 1

Windows Update Services with HTTPS inspection enabled

Hello, we are having issues accessing Windows Update with HTTPs Inspection enabled (Check Point R80.20 with Take 87) and "Bypass HTTPS inspection of traffic to well-known software update services" option checked. If, from browser, I try to surf to, instead of getting "403 - Forbidden: Access is denied.", I get the "ERR_CONNECTION_RESET" error. Any advice? Thank you, Luca
Sean_Roth inside General Management Topics yesterday
views 61

R80 Clear Old Sessions Script

This is made for MDS but it should work on a regular management server too. Our MDS on R80.10 doesn't clear out old sessions when an admin uses SmartConsole. New sessions are created when admins log in and the old sessions just stick around, continually building up. That makes the sessions tab ugly to look at and makes it hard to find that session with locks that is giving you trouble that you want to discard. This script removes all sessions that are logged out and have no changes (so a lock with no changes will get cleared too). I would have gone by locks instead of changes but when sessions are queried, locks is always at least 1. That might be a bug.

The usage is <scriptname> <days to save> <Y/N prompt for user & pw if needed>.

For the option to prompt user & pw: in my experience, sometimes root login to a domain fails but the user login works. So if a Y is specified, then the script will try root login first, and if one fails, the script will prompt the user for a username & password to use instead (leaving the option blank or using anything that isn't a Y will result in root login attempts only). In my environment, I used crontab to schedule the script as follows, and it works great:

<script> 0 N

Use this script at your own risk. It works great for me but I cannot guarantee it is safe to use in your environment.
Alex_Shpilman inside General Management Topics yesterday
views 5256 13

Management R80.20 instability

Since upgrading the management from R80.10 to R80.20 in one of my customers, we had constant instability. This got escalated after applying HFA33, this week I had to open 4-5 cases about different issues. The logging from secure gateways dropped every couple minutes, due to incorrect calculation of available disk space, newly added log servers don't appear in "logs & monitor" tab and not pushed to the DB, one Cloud Guard gateway lost its license, Smart Console was crashing every 10 min. After applying HFA43 today most of the issues resolved, I gave up on the new vsec license pool and came back to the old but working vsec licensing method. Did anyone experience something like this with R80.20? I am now concerned about our other R80.20 deployments.

Migration of a physical remote management server and gateways to a local one with VSX

Greetings everyone, and good day. I am planning to migrate a remote management server, with 2 gateways in a VRRP cluster running version R80.20, to a local existing infrastructure, in order for it to be centralized. This infrastructure was migrated previously from an R75.47 version, and has different VLANS and routing. The local infrastructure is running R80.10 with a few VSX clusters and the relative virtual systems. There is also a dedicated log server running also R80.10. I have an idea on how to perform this migration, but I am looking for corrections and/or validation of the steps I planned, in order to do this properly. I hope this also helps somebody else in my situation.

1 - Upgrade of the local management server to R80.20:
  a. Snapshot of the management server (SK108902)
  b. Upgrade of the CPUSE package to the latest release (SK92449)
  c. Upgrade of the management server to R80.20 through CPUSE (SK92449)
  d. Test policy installation
  e. Installation of the latest jumbo hotfix package for R80.20 (SK137592)
  f. Repeat steps A through E for the dedicated log server

2 - Migrate objects and policy package to the local management server:
  a. Export the remote management server objects through "migrate export" utility (Youtube)
  b. Import the remote objects to the local management server through "migrate import" utility (Youtube)
  c. Export the remote policy package from the remote management server through these tools
  d. Import the remote policy package to the local management server
  e. Verify correct import

3 - Creation of a new VSX gateway on the local server
  a. Create a new virtual machine or appliance acting as VSX gateway
  b. Create new cluster containing the 2 virtual systems (The IP for the local VSs should be the same as the remote ones)

4 - Integration of the remote gateways in the local infrastructure
  a. Reset the SIC of the remote BACKUP gateway and create a new PSK via cpconfig
  b. Turn off the local interfaces on the underlying switch except for the management
  c. Create SIC on the local management server
  d. Policy installation
  (Begin disservice)
  e. CPSTOP on the ACTIVE gateway
  f. Turn on local interfaces on the switch for the gateway connected to the local management
  (Stop disservice)
  g. Repeat steps A-D for the remaining gateway

I'd be most appreciative for any inputs or thoughts you might have on this approach. Thanks in advance for your help.
Vladimir inside General Management Topics yesterday
views 14211 22 5

Problem accessing standby cluster member from non-local network

Log shows accepted traffic on SSH and 443, cluster members connected to number of Cisco switches with VLANs in L2 mode. No problem accessing both members from connected network. vMAC in the cluster object IS ENABLED. Any suggestions will be appreciated. Thank you.
Rahul_Borah inside General Management Topics yesterday
views 55 1

Trend micro DDI Integration with checkpoint

Hi Expert, My client wants to Integrate Trend micro DDI with the checkpoint. My concern, Is there any impact of performance in Checkpoint if Trend micro DDI Integrate with the checkpoint. Regards, Rahul

R80.10 to R80.30 Management Server Upgrade

I'm going to be upgrading my management server from R80.10 to R80.30 soon. I know an advanced upgrade to a new server is recommended for the new kernel and file system. I guess I'm just curious how many people are upgrading to R80.30 like that. I've heard from a few other Check Point admins that are just doing in place upgrades. I guess my question is, is it worth the effort to migrate to a new VM in my case?

PDP/PEP Identity Sharing Not In Sync?

I will likely open a TAC case on this, but we noticed today that one GW using identity sharing today seems to not be fully in sync with the PDP. For example, if I run pep show user all |grep <username> on the PDP, I am able to see a record existing for that user. However, when I go to the GW acting as the PEP, the same command returns no entries. It seems completely random as to the users impacted, but it is definitely messing with some App Control rules from working! I've tried using pdp update all and pdp control sync to try to force updates. I have also tried pushing policy again to both GW. Has anyone else ever seen this? Are there any other commands or troubleshooting recommended before possibly engaging TAC?

From the PDP Gateway:

pep show pdp all
Command: root->show->pdp->all
-----------------------------------------------------------------------
| Direction | IP | ID | Status | Users | Connect time |
-----------------------------------------------------------------------
| Incoming | | 0 | Connected | 460 | 21Feb2019 6:16:33 |
-----------------------------------------------------------------------

From the PEP Gateway with Identity Sharing enabled to sync identities with the GW above:

pep show pdp all
Command: root->show->pdp->all
-------------------------------------------------------------------------
| Direction | IP | ID | Status | Users | Connect time |
-------------------------------------------------------------------------
| Incoming | IP OF PDP GW | 0 | Connected | 391 | 8Apr2019 5:25:44 |
-------------------------------------------------------------------------
| Incoming | | 0 | Connected | 0 | 8Apr2019 5:16:48 |
-------------------------------------------------------------------------
| Outgoing | IP OF PDP GW | 0 | Connected | N/A | 8Apr2019 5:17:08 |
-------------------------------------------------------------------------

Changing IP address of Standalone 80.10 appliance

We have a standalone appliance running 80.10. We need to change the management IP. I came across a previous inquiry post, but the system in that case was running 77.30 and it turned out they were only wanting to change the IP of an interface that isn't tied to the Security Management. I did go over sk40993 "How to change the IP Address of a Security Management" but that seems to assume that the Security Management is a separate server with its own IP. In my case there's only one object related to the appliance. If I change the IP of the object to the new IP, then SmartConsole is unable to push the policy as it then loses connection to the gateway side of the appliance. If I then change the management IP in Gaia, then I lose the SmartConsole connection. If I then try to reconnect SmartConsole to the appliance, it won't connect. It is as if the Security Management is still using the original IP. I assume cpstop/cpstart restarts the Security Management server ("api status" seems to show this to be the case) but that doesn't seem to have the Security Management server in the standalone start using the new IP. If I go back to Gaia and change the IP back to the original IP, then I can reconnect SmartConsole to the Security Management. I looked into sk103356 but there's no ICAip in the registry, nor was I able to find any IP reference in said registry. Once I get SmartConsole to be able to connect to the new IP and show connection to the gateway, I can handle any other IP related changes. Originally when I changed the IP from the appliance front panel, I would get locked out of Gaia completely, as the policy wasn't allowing connections to the new IP. I added an object with the new IP to allow the connection so with either IP configured, I can at least connect to Gaia. How do I fix this short of running the First Time Configuration again?

Dynamic objects in ISP Redundancy R80.30

How stable are dynamic objects in R80.30? We need to do ISP redundancy and, while we could use automatic hide NAT, we would need a separate hide NAT for internal and guest segments so we can't use the "hide behind gateway" option. We opened a TAC case in March and were told that dynamic objects were the only way to achieve this. sk25152 was provided which we've used in previous versions, with less than reliable results.