General Management Topics

This space is the place to ask questions about Check Point's Security Management Appliances, Security Compliance, Upgrading your Security Management to R80.x, and more!

yishola inside General Management Topics yesterday
views 243 7

R80.10 -> R80.20/30 Management upgrade issues

Hi There,
I've tried various upgrade paths for my VM Management server (R80.10 take 462) to R80.20 or R80.30 without success. I've increased the disk space and extended existing space with lvm_manager - still no joy. Tried cli and cpuse and the errors are always about insufficient disk space. I seem to have a lot of space.
Tried migrate export and space issue persists. Tried snapshot and though system says I need 9gb for snapshot (and I have 33gb free), snapshot is unsuccessful.
What I am looking for is a process by which I can upgrade the server without CheckPoint snapshot or backup. I can use VM Snapshot as fallback in case I need to.
LVM overview
============
            Size(GB)  Used(GB)  Configurable  Description
lv_current  20        9         yes           Check Point OS and products
lv_log      20        15        yes           Logs volume
upgrade     22        N/A       no            Reserved for version upgrade
swap        5         N/A       no            Swap volume size
free        33        N/A       no            Unused space
-------     ----
total       100       N/A       no            Total size

Cast (chromecast and Apple AirPlay) from different networks

Hi.
I am setting up one Apple TV and one Chromecast in one of our conference rooms. They will be connected to our "device network". People should then be able to cast and share screen from "Internal Networks" as well from "Guest Network" and "PDA/Phone Network" to these devices.
I guess I somehow have to enable multicast forward and then create rules allowing unicast to those devices from the different networks?
Anyone who has any experience and can share some tips how to do this?
Running R80.30 HA
Thanks
/Tobias
Azaad inside General Management Topics yesterday
views 52 3

Unable to run R80.x Pre_Upgrade_Verifier on R77.30 MGMT Windows platform

I am unable to run R80.x Pre_Upgrade_Verifier on the R77.30 MGMT Windows platform, which I want to convert to R80.30 Gaia. I checked permissions, MD5sum, everything. Please help me with this.
Milos_Jovovic inside General Management Topics Thursday
views 1828 12

RAVPN Checkpoint securID authentication forwarding to RSA authentication manager

Hello Team,
I was going through integration of securID RSA Auth. Manager with CheckPoint Cluster (2x5200 NGGW's with 77.30 Gaia on it).
Made one object for checkpoint agent on RSA auth. manager console (with ip of CP cluster). What name do I have to put here? There is written to put name of securID agent object in CheckPoint smart dashboard. What is that name (securID server object? or something else?).
I have configured External user profile with match-all-users option (is this correct? we need to forward all auth request to RSA Auth. manager. In CheckPoint endpoint security vpn client we have three fields (username, PIN and token)). We have one passphrase (PIN and token), for one user. Is this only one factor or two? I am confused here.
I have configured this external user group to be part of new user group securid_user_grupa:
I have put authentication scheme securid for this external user profile:
I have put this user group in remote access community for RAVPN connections:
I have put the same sdconf.rec file on both gw's in cluster (active and standby) on path /var/ace/
Installed policy and authentication does not work, zero packets going from CP cluster to RSA auth. manager.
In vpn debug log files there is error “Access denied - wrong user name or password”. It is like CP tries to authenticate users in internal user database in MGMT server.
I of course put in GW>>>VPNClient>Auth.>>>auth scheme to securID (chose securID server object).
Do I have to do cpstop/cpstart on gw's to make this work?
Any suggestion? Maybe I have to change in external user profile type to match by domain? Do I have to check this box omit domain name when auth. users?
Thanks Everyone for help. Any help would be appreciated a lot.
Don_Paterson inside General Management Topics Wednesday
views 14744 21 7

NAT Templates - SecureXL

Is it recommended to turn NAT Templates on?
Why is it not on by default?
[Expert@GW:0]# fwaccel stat
Accelerator Status : on
Accept Templates : enabled
Drop Templates : disabled
NAT Templates : enabled
NMR Templates : enabled
NMT Templates : enabled
Moe_89 inside General Management Topics Wednesday
views 3465 7

"Certificate revoked" error when trying to login to SmartConsole. Cause: Corruption caused by unpredictable circumstances?

A customer was unable to login to smartconsole with error "certificate revoked". Followed sk113744 which resolved the issue. But the given cause of the issue is "Corruption caused by unpredictable circumstances". What does that even mean? Does anyone know the actual reason for this issue?
Larry_Birch inside General Management Topics Wednesday
views 310 9 1

SonicWall Migration

Has anyone had any experience in migrating SonicWall policies into Check Point? How to do this as easily as possible, and lessons learned. I understand that SmartMove will not work. Thank you.
Kevin_Werner inside General Management Topics Tuesday
views 2894 9 1

80.10 to 80.20 Pre-Upgrade Verifier

I'm attempting to run the 80.20 pre-upgrade verification script on my 80.10 management server, but nothing appears to be happening when I execute it. I've run the tool in the past with no issues so I am assuming there is a problem with my syntax. I'm running ./pre_upgrade_verifier -p $FWDIR -c R80 -t R80.20 and am not getting an output. The help doesn't list 80.10 as a possibility for the currently installed version so I'm partially wondering if it's not supported.
where the Currently installed version is one of the following:
NGX_R65 (aliases: 6.0.1.0)
R70 (aliases: R70_R70, 6.0.1.6)
R71 (aliases: R71_R71, 6.0.1.7)
R75 (aliases: R75_R75, 6.0.2.0)
R75.20 (aliases: R75.20_R75.20, 6.0.2.1)
R75.40 (aliases: R75.40_R75.40, 6.0.2.5)
R75.40VS (aliases: R75.40VS_R75.40VS, 6.0.3.0)
R76 (aliases: R76_R76, 6.0.3.5)
R77 (aliases: R77_R77, 6.0.4.0)
R80 (aliases: R80_R80, 6.0.4.8)
The file permissions for the entire upgrade pack are below
-rw-r----- 1 admin root 19141755 Jan 22 10:00 Check_Point_R80.20_Gaia_SecurePlatform_Migration_Tools.tgz
-rwxr-xr-x 1 105 80 893915 Dec 6 03:52 gtar
-rwxr-xr-x 1 105 80 241318 Dec 6 03:52 gzip
-rwxr-xr-x 1 105 80 9210256 Dec 6 03:52 ips_upgrade_tool
-rwxr-xr-x 1 105 80 4636 Dec 6 03:52 mgmt_puv.sh
-rwxr-xr-x 1 105 80 14529536 Dec 6 03:52 migrate
-rw-r--r-- 1 105 80 70783 Dec 6 03:52 migrate.conf
-rw-r--r-- 1 105 80 107 Dec 6 03:52 plugin_pack.conf
-rwxr-xr-x 1 105 80 8388116 Dec 6 03:52 plugin_upgrade_matcher
-rwxr--r-- 1 105 80 19175 Dec 6 03:52 ppidb.conf
-rwxr-xr-x 1 105 80 20965372 Dec 6 03:52 pre_upgrade_verifier
-rwxr-xr-x 1 105 80 1468920 Dec 6 03:52 puv_report_generator
Daniel_Taney inside General Management Topics Tuesday
views 290 12

Need To Perform Mass Modification Of All User Accounts Expiration Dates

It came to my attention today that I have a large number of user accounts expiring on 1/1/2020. Given the number, it would be best to update these en masse. I have seen a couple other posts where some folks were accomplishing this using a series of API requests / changes. However, I also came across this older sk article: sk522
Can anyone comment whether this is still a valid method on an R80.30 SMS? I'm not opposed to going the API route if necessary, but this method seems to accomplish the same thing in a single command.
Thanks!
Dan

NAT Loopback configuration problem in R80.10

Hi,
I have a problem configuring a hairpin NAT (NAT Loopback) on my system.
I have a local Lan that is 192.168.0.0/24
On the wan side I have xx.xx.xx.107 that is where all “normal” traffic is using without any problem. I have xx.xx.xx.122 where I NAT https to an internal server.
I can access the https NAT server from an external IP
When I try to access the https external IP from an internal IP on the Lan side (192.168.0.0/24) it is not possible to access the service. In the log file for the access control policy I get an entry that the client is going out to access the external ip. I do not get a log entry for denied or allowed for the access back to the https service.
I have been reading the https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk110019
But I do not get it to work. The config I have in my NAT rules is according to the attached picture.
What is it that I am missing?
Are my NAT rules in the incorrect order?
Vladimir inside General Management Topics Monday
views 256 8

Identity awareness logging only logon and logoff events.

Now, this may sound funny to some of you that know me, but here it is: We are running Security Checkup in our environment and the 15400 all-in-one box that was configured to accept the traffic from the span port, blades enabled and IA configured. IA is working in terms of seeing AD objects when trying to define roles and we see the logon and logoff events in a SmartLog. AD query is working with adlog a dc and adlog a q ip returning proper values. There are, however, no user or machine IDs in the rest of the logs.
I am not involved in the hands-on aspects of this project due to rather dramatically expanded responsibilities in my current role, but would like to lend a hand to my guys that are involved with it. SE that Check Point assigned to the case stated that he has seen this behavior in one more Security Checkup he was running, but that the root cause was never determined.
Another question is this: when running security checkup with all-in-one, does it make sense to have IA configured or is it better to have Identity Logging configured on the box. Is there a case where both should be configured?
Let me know if you have any suggestions.
Thank you,
Vladimir
Mod

Check Point Infinity Portal Admin Guide

Infinity Portal (https://portal.checkpoint.com) is Check Point's new cloud web management for its security services. Current services include CloudGuard SaaS, CloudGuard Connect and Endpoint Cloud Management. More services coming soon.   The new admin guide is available at https://sc1.checkpoint.com/documents/WebAdminGuides/EN/Infinity_Portal/Default.htm   Looking forward to get your feedback on Check Point's cloud solutions and cloud-based management!

SmartConsole update torture

Until what century am I going to see this message? 😄      
Rafael_Lima1 inside General Management Topics a week ago
views 1755 11

Problem after migration to R80.20 - ClusterXL

After migrating from version R80.10 to version R80.20, our cluster presents the following messages.
Feb 25 16:40:45 2019 FWINTRA1 kernel: [fw4_1];CLUS-216400-2: Remote member 1 (state ACTIVE -> LOST) | Reason: Timeout Control Protocol packet expired member declared as DEAD
Feb 25 16:40:46 2019 FWINTRA1 kernel: [fw4_1];CLUS-214904-2: Remote member 1 (state LOST -> ACTIVE) | Reason: Reason for ACTIVE! alert has been resolved
Feb 26 06:55:33 2019 FWINTRA1 kernel: [fw4_1];CLUS-216400-2: Remote member 1 (state ACTIVE -> LOST) | Reason: Timeout Control Protocol packet expired member declared as DEAD
Feb 26 06:55:33 2019 FWINTRA1 kernel: [fw4_1];CLUS-214904-2: Remote member 1 (state LOST -> ACTIVE) | Reason: Reason for ACTIVE! alert has been resolved
Feb 26 13:49:52 2019 FWINTRA1 kernel: [fw4_1];CLUS-216400-2: Remote member 1 (state ACTIVE -> LOST) | Reason: Timeout Control Protocol packet expired member declared as DEAD
Feb 26 13:49:52 2019 FWINTRA1 kernel: [fw4_1];CLUS-214904-2: Remote member 1 (state LOST -> ACTIVE) | Reason: Reason for ACTIVE! alert has been resolved
In this cluster the backup traffic passes, causing a high consumption, before the migration we had the same consumption, but did not occur messages / errors.
Another thing, we are verifying a connectivity problem on our servers and the time is similar to that listed in the above messages. Can these messages identify traffic disruption?
We have seen that it does not occur on all servers, but in the most sensitive the connection is interrupted, causing serious problems on servers that use NFS.
Another detail, we are getting the following message when executing the "show cluster failover" command, but we did not run the cpstop on the gateways
FWINTRA1> show cluster failover
Last cluster failover event:
Transition to new ACTIVE: Member 1 -> Member 2
Reason: FULLSYNC PNOTE - cpstop
Event time: Tue Feb 26 15:02:13 2019
Cluster failover count:
Failover counter: 4
Time of counter reset: Mon Feb 11 21:30:31 2019 (reboot)
Cluster failover history (last 20 failovers since reboot/reset on Mon Feb 11 21:30:31 2019):
No. Time: Transition: CPU: Reason:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 Tue Feb 26 15:02:13 2019 Member 1 -> Member 2 00 FULLSYNC PNOTE - cpstop
2 Tue Feb 26 13:49:52 2019 Member 1 -> Member 2 00 FULLSYNC PNOTE - cpstop
3 Tue Feb 26 06:55:33 2019 Member 1 -> Member 2 00 FULLSYNC PNOTE - cpstop
4 Mon Feb 25 16:40:45 2019 Member 1 -> Member 2 00 FULLSYNC PNOTE - cpstop
_______________________________________________________________________________________________
FWINTRA2> show cluster failover
Last cluster failover event:
Transition to new ACTIVE: Member 1 -> Member 2
Reason: FULLSYNC PNOTE - cpstop
Event time: Tue Feb 26 15:02:13 2019
Cluster failover count:
Failover counter: 4
Time of counter reset: Mon Feb 11 21:30:31 2019 (reboot)
Cluster failover history (last 20 failovers since reboot/reset on Mon Feb 11 21:30:31 2019):
No. Time: Transition: CPU: Reason:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 Tue Feb 26 15:02:13 2019 Member 1 -> Member 2 00 FULLSYNC PNOTE - cpstop
2 Tue Feb 26 13:49:52 2019 Member 1 -> Member 2 00 FULLSYNC PNOTE - cpstop
3 Tue Feb 26 06:55:33 2019 Member 1 -> Member 2 00 FULLSYNC PNOTE - cpstop
4 Mon Feb 25 16:40:45 2019 Member 1 -> Member 2 00 FULLSYNC PNOTE - cpstop
Environment:
Check Point's software version R80.20 - Build 255
kernel: R80.20 - Build 014
JHF Take: 17
OpenServer - Dell PowerEdge R730
compengin inside General Management Topics a week ago
views 199 3

identity collector and Gateway integration error

Hello all; I set up identity collector on Windows 10. I installed the agent, created a query pool and I see AD on Gateway. I generated client secret key ( GW > identity awareness > identity collector ) but when I try it, I see "wrong shared secret" error. I tried sk122686, but it is not fixed yet.