PP26
PP26 inside General Management Topics Friday
views 217 14

How to advance Upgrade Smart-1 210 SMS r77.30 to 80.20

Hi Mates,

I am planning an upgrade of SMS (Smart-1 210) from r77.30 to 80.20. We have SmartLog/SmartEvent/Management server running on this single smart appliance. I am planning to use "Upgrading a Standalone from R80.10 and lower with Advanced Upgrade" as per the guide. So following that guide I have done the preverifier/import and resolved all issues for the database to be imported to r80.20. Now when I come to the actual upgrade, as per the above article I have 2 options as below:

Step 3 of 10: Get the R80.20 Standalone
Current OS: Gaia
Available options: You can:
- Upgrade to R80.20 with the CPUSE.
- Perform a clean install of the R80.20 Standalone

I asked Check Point TAC about the first option, "Upgrade with CPUSE", as that links back to one of the upgrade methods using which, while doing the upgrade from Gaia using CPUSE, the preverifier etc. is all automatic, and hence they said since you are using the Advanced method you need to go for Perform Clean Install and not the Upgrade using CPUSE. I agree to this point.

When I researched that second option, "Perform a clean install of R80.20 Standalone", to check what is the exact procedure to upgrade, it takes me to the below link, "Installing the Gaia Operating System on Check Point Appliances", so now on this page there are clearly the below options:

<SNIP>
To install a clean Gaia Operating System on a Check Point appliance, you can:
- Restore your Check Point appliance to Factory Defaults. This removes all configurations.
- Perform a clean install of the supported Gaia image with one of these options:
  - Bootable USB device.
  - CPUSE (if Gaia is already installed) - select the desired Check Point version and perform Clean Install. See sk92449 for detailed steps
<SNIP>

I would like to go for the option of CPUSE (if Gaia is already installed) and I asked TAC about the procedure for that and if that is possible as per given in the guide, but he said it is impossible and said any fresh install will need to be done via bootable USB (he said this is the only option). As per him, in "CPUSE (if Gaia is already installed)", "Gaia" means version 80.x, but when I argued why would someone upgrade from the same version, and also that the guide brings you here from the original page where we are trying to upgrade from Gaia 77.30, he said he will check and confirm.

It also clearly states in the Release Notes, under section Supported Upgrade Path, that there are three methods to upgrade the Management server as below (CPUSE Clean Install is one of them):

<SNIP>
From R75.4x, R75.40VS, R76, R77.x, R77.20 EP6.0/EP6.1/EP6.2, R77.30.01, R77.30.02, R77.30.03, R80, R80.10 and R80.20.M1 to R80.20*:
Check Point Product: Security Gateway, Security Management Server, Multi-Domain Server, CloudGuard Controller
Supported Methods: CPUSE Upgrade, CPUSE Clean Install, Advanced Upgrade
<SNIP>

I just wanted to confirm here if the fresh install of Gaia 80.20 can be done from r77.30 using CPUSE? Which r80.20 from the download page (https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk122485#Downloads) should be used for this? Clean Install (this is an ISO)? Or CPUSE Upgrade (tgz)?

I would really appreciate your help please.

SmartView Monitor Threshold not synchronized alert

Hi all,

We are running R80.20 and I have just configured Global Threshold settings in SmartView Monitor. One of the settings I have left on is 'Synchronization state' and each time I do a policy installation it triggers an alert to say the two Mgmt servers are not synchronized (see below):

HeaderDateHour: 13Sep2019 14:46:44; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 1; Action:  ; Origin: Primary Mgmt; IfDir: <; IfName: N/A; Alert: mail; OriginSicName: N/A; System Alert message: Management Server on Secondary Mgmt is not synchronized; Object: Secondary Mgmt; Event: Exception; Parameter: sync_status; Condition: is ; Current value: Not synchronized; ProductName: System Monitor; ProductFamily: Network;

Is this normal behaviour because for a very short time they are out of sync and is there a way to not alert on a policy installation as is happening for me?

Many thanks
Alex
Steve_Vowles
Steve_Vowles inside General Management Topics Friday
views 606 5 1

UDM server with R80.10 Management

Has anyone installed User and Device Management (UDM) portal working with a separate Management server? That is MDM on one VM and Main Management server separate to that. From what I read it is a supported option and from HF4 is meant to work with R80.10. However the documentation is dreadful and I cannot see how the two boxes communicate (for R80.10 the API is mentioned, but I cannot see how the UDM knows about its separate Management Server). There is a config file to point it at a CMA/Management, but not a standard Smartcenter.

Steve V.
TheRealDiZ
TheRealDiZ inside General Management Topics Thursday
views 89 3

SmartConsole Radius Access - R80.20

Hi Guys,

Simple question for you today, maybe someone has already tried to configure it or at least thought about it: Is it possible to define SmartConsole administrators (AD/RADIUS) not user by user but instead using a group? When you have several users you have to configure each user every time, under SmartConsole --> Managed & Settings --> Administrators.

Let me know!
Martin_Valenta
Martin_Valenta inside General Management Topics Thursday
views 3341 22 2

Clean install vs upgrade

Is there any SK or documentation page where the benefits of clean installation vs upgrade via CPUSE are summarized?
PhoneBoy
inside General Management Topics Thursday
views 113843 41 132
Admin

R80.x Training Videos

These videos were recorded originally for our partners by Jim Oqvist, but CheckMates members can now access this exclusive content!

Introduction
R80 Management Training Introduction (view in My Videos) (00:03:07)
Please note that Ravello blueprints have been discontinued and are no longer available. Most of the labs can be done with the Cloud Demo Mode in R80.x SmartConsole.

Module 1: Introduction to Security Management
R80 Management Training Lesson 1 - Big Picture (00:38:50)
R80 Management Training Lesson 2 - Installation (00:33:30)
R80 Management Training Lesson 3 - SmartConsole (00:46:50)

Module 2: Enhance the Way You Manage Policies
R80 Management Training Lesson 4 - Access Control (00:46:30)
R80 Management Training Lesson 5 Threat Prevention Policy (00:30:00)
R80 Management Training Lesson 6 - Management API (00:45:45)
R80 Management Training Lesson 7 - Logs & Monitoring (00:35:35)

Module 3: Multi-Domain Management and Migration to R80
R80 Management Training Lesson 8 - MDSM (00:15:00)
R80 Management Training Lesson 9 - Migration (00:13:15)

Adding interfaces to gateway on management server

Hi,

I have added an IP address to an additional interface on a live gateway cluster R80.10, via Gaia. When adding an additional interface for a new DMZ on the Management server R80.20, Gateway cluster properties, what is the best way to "get interfaces": "with or without topology"? Hopefully not causing an outage.

Thanks

Dynamic objects in ISP Redundancy R80.30

How stable are dynamic objects in R80.30? We need to do ISP redundancy and, while we could use automatic hide NAT, we would need a separate hide NAT for internal and guest segments so we can't use the "hide behind gateway" option. We opened a TAC case in March and were told that dynamic objects were the only way to achieve this. sk25152 was provided, which we've used in previous versions, with less than reliable results.
Stuart_Street
Stuart_Street inside General Management Topics Wednesday
views 1897 19 1

Connections dropped during Connectivity Upgrade

Hello,

I am upgrading our firewalls from R77.30 to R80.10. We have 17 ClusterXL clusters in high availability mode. Each cluster has two members running the GAIA OS on VMWare. I'm attempting to use the connectivity upgrade method to minimise disruption.

To create enough space to copy the installation file "Check_Point_R80.10_T421_Fresh_Install_and_Upgrade_from_R7X.tgz" onto the firewall and import it I have had to:
- expand the hard drive size (in VMWare vSphere)
- expand the /dev/sda3 partition,
- resize the physical volume,
- then use lvm_manager to expand the lv_log volume

During these steps you need to reboot the firewall a number of times. This is fine when upgrading the standby cluster member. Then after that I use the cphacu commands to fail over to the newly upgraded cluster member. So far so good and no disruption to the network. Then when I expand the hard drive size etc. on the former active member and reboot it, it becomes the active member again. This is a hard failover and any open connections are dropped. You need to reboot 3 times and each time we fail over to the upgraded member and back, causing disruption on the network.

Running cphaprob stat on the upgraded member shows that it is in the ready state because "another member was detected with a lower fw version." Running cphaprob stat on the non-upgraded member only shows the local firewall and it is in the active state.

How can I perform the upgrades without dropping any connections? I.e. once we have failed over to the upgraded member, I want it to stay the active member until the other firewall is upgraded, surviving reboots of the other firewall.
Nick_Doropoulos
Nick_Doropoulos inside General Management Topics Wednesday
views 8078 7 4

Is traditional VPN mode supported in R80.20?

Hi guys,

I know that in theory, R80.20 should support traditional VPN mode but that it doesn't support the option to convert traditional to simplified. However, after exporting the database to R80.20 with the instructions outlined in this link (Installation and Upgrade Guide R80.20.M1), I am then getting the following output:

Title: Firewall policies with Traditional VPN mode
-----
* Description: Traditional mode refers to legacy VPN policy, which was replaced by Simplified VPN (first introduced at 2002 in version NG FP3). Please change the below policies by using one of the methods:
Convert your Firewall policies: In SmartConsole, go to Policy > Convert To > Simplified VPN, and follow the wizard instructions.
In your Firewall policy, delete rules that contain the actions Encrypt or Client Encrypt. If you have a specific case in which you have to use Traditional VPN mode, please contact Check Point support.

Would anybody be able to provide an explanation for this please?

Many thanks.
Sundar_Ramanath
Sundar_Ramanath inside General Management Topics Tuesday
views 2158 8 2

R80.10 Gateways drops traffic after policy Install

Having issues with R80.10 gateways, which are dropping traffic after a policy install. Re-installing the policy again brings everything back to normal. Issue specific to R80.10 gateways, have R77.30's which are working fine. Appreciate any inputs in troubleshooting this further.

Thanks

NTP and version

Gents and Gals,

We are having an issue with time. For one of our customers we are forwarding logs to a SOC SIEM solution. From the guys running that platform we are getting complaints that we do not keep all gateways on the same time. All gateways are running NTP, however as we support customers globally on Internet connections from many different suppliers, there is no single NTP server that we can use. In these cases we mostly use pool.ntp.org; the only problem there is that Check Point forces you to enter a version.

Why is this a problem? When you set the primary with let's say version 3 and a secondary with version 4. The primary will get a server from the pool, will it run V3? Who knows? What we found is that most of the time when we add 2 NTP servers like pool.ntp.org and uk.pool.ntp.org it still fails to work properly.

So one of the primary questions would be: Why is Check Point forcing us to add a version? Yes, we could set up our own NTP server, however before I have that properly set up and running it takes me about a month.

Web Visualization Tool output

Hi,

I output Config using Web Visualization Tool. But IPv6 related settings were not output. Is there a way to check this?

Best,
Vincent_Bacher
Vincent_Bacher inside General Management Topics Monday
views 30284 22 8

Will (Smart)Workflow come back?

Hello together,

I am wondering if there is any news on if and when (Smart)Workflow will come back. Does anybody have news about that?

Best regards
Vincent