General Management Topics

This space is the place to ask questions about Check Point's Security Management Appliances, Security Compliance, Upgrading your Security Management to R80.x, and more!

johnnyringo inside General Management Topics 3 hours ago

Deployment failure in GCP - 504 Resource Error, Timeout expired.

We're having zero luck deploying the Check Point CloudGuard IaaS R80.30 High Availability in our enterprise GCP account. In the GCP Deployment Manager, the deployment hangs for 30 minutes, eventually getting this error:

{"ResourceType":"runtimeconfig.v1beta1.waiter","ResourceErrorCode":"504","ResourceErrorMessage":"Timeout expired."}

I also get the same error if I launch the standalone gateway with External IP requested. As a workaround, I can set the External IP to "None", watch the deployment succeed, then add it later. I do not have any problems deploying in my personal GCP account, so I'm fairly certain this is a permissions or connectivity issue relating to API calls.
inside General Management Topics 7 hours ago

Domain Objects (FQDN) - An Unofficial ATRG

In 2018 I wrote an internal (Check Point) unofficial ATRG that covers Domain Objects in a lot more detail than sk120633 covers. I've discussed this document with our developers, confirmed all the details, and was given permission to share this on CheckMates!

The attached document contains basic info on types of domain objects, information on how domains are looked up and how often, cache of results, and troubleshooting steps with some API calls to confirm your usage.

This has since been updated to show the changes in R80.20 where the service, in my opinion, is super optimized and awesome!

Thanks for reading!

For the full list of White Papers, go here.
DavidCr inside General Management Topics 7 hours ago

RADIUS Authentication problems with some Domains

Hello,

In our company, we've got a Multi-Domain Server with many domains inside it and I'm facing a really strange problem...

Today, I've configured access via a RADIUS server (FortiAuthenticator), which is NOW redirecting the authentication requests to a Domain Controller. Furthermore, before today, we could enter the MDS using local users placed on the FortiAuthenticator. Let's say I've just added a new step between the FortiAuthenticator and the Domain Controller; before that, the authentication was made by the FortiAuthenticator alone (configured as a RADIUS server in the MDS).

Additionally, in our company we've got an HA solution based on Active-Passive nodes, and two environments; let's call them North and South. Here is the thing: when I access the MDS with my Domain Controller username I can log into the Northern nodes, but not into the Southern nodes. Instead I get prompted with "Failed to connect to the server ...". Am I missing something? Is this a network problem, routing, firewalls...? I don't really know how the authentication flows, so it might be.

Thank you!!!
David.

Save Backupfile to Unix Server through VPN Connection

Hi CheckMates,

I want to configure an automatic backup job on the Security Gateway (Check Point Appliance 3100). The destination is a central Unix server in the headquarters, reached by an SCP connection through the VPN connection configured on this Security Gateway. The Security Gateway has several interfaces, including one interface to the Internet with a static public IP address. This public IP address is also the MGMT IP of the Security Gateway. The destination backup server has a private IP address and is only reachable over the VPN connection.

If I start the backup job, the backup is not successful. If I check the connections on the backup server at the same time, I see that the gateway comes with the public IP, and maybe this is the problem. My question is: how can I configure the backup job so that the Security Gateway uses another source IP (its private IP, not the public MGMT IP address)?
Florian_Ruch inside General Management Topics yesterday

R80.10 Error Validation: The main group must contain IP-based objects only

Hi guys,

We built a test MDS to test the migration from R77.30 to R80.10. After some problems during the import, which we solved, we could start R80.10. But now we have the problem that validation errors are shown in the Dashboard for some groups with exceptions. The error messages are: "The main group must contain IP-based objects only" or "The exception group must contain IP-based objects only". We also have the same error messages for the exception group.

We use these groups for the topology. So I understand that it's not allowed to use other sub-groups in the main or exception group of a group with exceptions. But if I delete the sub-groups, the error doesn't disappear. When I create a new group with exceptions whose main group has sub-groups, I don't get this error. Has someone had the same experience and solved the problem? Thanks for your help.
GuilletB inside General Management Topics yesterday

R80.10 management server with r77.30 log servers

Hi,

I have for the moment two ST-150-00 appliances under R77.30 which are used for Network Policy Manager / Endpoint Policy Manager / logging. I have already built 2 new open servers under R80.10 as our new management servers only and enabled High Availability. Pre-Upgrade_verification is fine.

My wish is to import my database from R77.30 to R80.10 but keep logs under our old appliances. The goal is, during the upgrade process, to keep our old server running for production with all gateways connected to it, and after the import of the DB, to connect only one gateway to the new management server, for test.

1. Is it possible to have a different version under the log server and the Network Policy Manager?
2. Which steps should be done?

Many thanks for your support.
jacneto inside General Management Topics yesterday

Hit Count in R80.x

Has anyone here already reset the Hit Count in R80.x "following" sk111162 without running step 1? Asking because the necessity of backing up/deleting the history files on the security gateways plus running cpstop/cpstart just to reset a counter sounds like too much to me. Does anyone know the implication of running step 2 without step 1?
Vladimir inside General Management Topics yesterday

Behavior of the subscription blade policies after expiration

Please advise on how the policies and rules created for IPS, DLP, AV, AB, APPC, URLF, etc., will behave should the client's subscription lapse.

Thank you,
Vladimir
David_Spencer inside General Management Topics yesterday

in.emaild.mta high cpu usage

I'm seeing extremely high CPU usage from in.emaild.mta the past 2 days. No significant changes have been made. Currently it's consuming 120% of CPU (5400, dual core). I've tried rebooting and failing over. I'm not seeing much in the queue when running "tecli show emulator queue", but there are 4 items that are stuck in there (we are using cloud); the cloud queue is rolling through fast as well. I'm a little lost as to why the CPU usage has shot up. Looking at the logs, we're not seeing any significant increase in mail traffic.

fw ctl multik stat
ID | Active | CPU | Connections | Peak
----------------------------------------------
 0 | Yes    | 1   | 4738        | 9502
 1 | Yes    | 0   | 4738        | 9609
libin inside General Management Topics Monday

Mobile Access Role for Local users

Hi all,

Regarding the Unified Policy for Mobile Access: if I create an access role with local users, why should I integrate Identity Awareness in the gateway for the access role to work, since here I am calling only the local users? Is it mandatory that the gateway should always connect to the AD for an access role which has local users, or is Identity Awareness required only for the first time?

Integrate EPS standalone in R80.30 SMS

I believe this was addressed in the past, but I'd like to check the status on this. Since the integration of full-featured EPS into the R80.20/30 management, is there now an "easy" way to export EPS policies and packages to integrate them into an existing SMS? It would allow a single management server along with log consolidation. I put "easy" in quotes because each migration is still a challenge, but I'm thinking of something along the lines of the R80.x migration tools. This is relevant to the many customers who come from the R77.30.03 world, where it was necessary to maintain a separate server, and who could now benefit from integration.
Tbgaz inside General Management Topics Monday

Changing ISP - With/Without Topology

Hi,

We are changing our backup ISP and we have got the process in place, but I just wanted to triple-check that on the cluster object we select 'Get interfaces without topology' after the IP change instead of 'with topology'. It's just a simple interface IP/NAT/ARP rule change. Having looked on here, it seems that 'with topology' isn't the way to go!
Tom_Cripps inside General Management Topics Monday

Upgrading to R80.30 has caused one fw_worker to be stuck at 100%

Hi,

Since our upgrade to R80.30, the standby member in our cluster has had a fw_worker stuck at 100% CPU. It isn't a particular fw_worker; it can change: when one drops, another one takes its place, essentially. We're also now seeing that when we attempt policy installations we lose "GAiA", in essence, and are presented with the raw Bash shell as you would see if booted in maintenance mode.

Anything obvious stick out to anyone?
Tom
kb1 inside General Management Topics Monday

Can someone share a guide to migrate from one management server to a new one for R80.20

So the primary management server we have has been very problematic for us (it's a Smart-1 225 appliance); the secondary is working fine. Most of the time we would have problems with the primary, as in there would be SmartConsole connection issues, active/standby issues, etc., so we are fed up with the server and are going to replace it with a new one. So I want to know how the migration is done from the old one to the new one in case I'm tasked to do it; I just need to be directed to the exact SK article or any other link that would show detailed steps on how to accomplish that.

Upgrade Volume too small

I have an R77.30 Log server which is due for upgrade to R80.20. It is an open server on ESXi VMware. The upgrade volume is too small to take a snapshot.

a) How can I increase the "upgrade volume" size?
b) Is it automatically calculated, as I cannot actually see an upgrade volume?
c) I imagine this is going to prevent me from performing a major version upgrade to R80.20?

I can't currently replicate this, as all other customer servers and my lab server have an upgrade volume larger than lv_current. If I simply add disk, will this resolve itself? It may be in this state due to multiple upgrades over the years. My last resort is a fresh install, but it's difficult because the box is remote.

LVM overview
============
             Size(GB)  Used(GB)  Configurable  Description
lv_current   11        6         yes           Check Point OS and products
lv_log       48        29        yes           Logs volume
upgrade      0         N/A       no
swap         8         N/A       no            Swap volume size
free         12        N/A       no            Unused space
             -------   ----
total        79        N/A       no            Total size

[Expert@servername:0]# fdisk -l
Disk /dev/sda: 85.8 GB, 85899345920 bytes
255 heads, 63 sectors/track, 10443 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1          38      305203+  83  Linux
/dev/sda2              39        1082     8385930   82  Linux swap / Solaris
/dev/sda3            1083       10443    75192232+  8e  Linux LVM

[Expert@servername:0]# pvs
  PV         VG       Fmt  Attr PSize  PFree
  /dev/sda3  vg_splat lvm2 a-   71.69G 12.69G

[Expert@servername:0]# lvs
  LV         VG       Attr   LSize  Origin Snap%  Move Log Copy%
  lv_current vg_splat -wi-ao 11.00G
  lv_log     vg_splat -wi-ao 48.00G

servername> show snapshots
Creation of an additional restore point will need 6.464G
Amount of space available for restore points is 0.59G
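Added example, not part of the post above and not Check Point tooling: a small Python script that parses the three outputs quoted in the post (the Gaia "LVM overview" table, `pvs`, and `show snapshots`) and reports the restore-point shortfall next to the volume group's unallocated space, so the same check can be run across several boxes before scheduling an upgrade. The sample texts are constructed from the values in the post, the function names are my own, and the script only reports the numbers; it does not decide why Gaia offers less restore-point space than the VG has free.

```python
import re

# Constructed samples mirroring the values in the post (not captured from a live server).
SAMPLE_LVM_OVERVIEW = """\
LVM overview
============
             Size(GB)  Used(GB)  Configurable  Description
lv_current   11        6         yes           Check Point OS and products
lv_log       48        29        yes           Logs volume
upgrade      0         N/A       no
swap         8         N/A       no            Swap volume size
free         12        N/A       no            Unused space
             -------   ----
total        79        N/A       no            Total size
"""

SAMPLE_PVS = """\
  PV         VG       Fmt  Attr PSize  PFree
  /dev/sda3  vg_splat lvm2 a-   71.69G 12.69G
"""

SAMPLE_SHOW_SNAPSHOTS = """\
Creation of an additional restore point will need 6.464G
Amount of space available for restore points is 0.59G
"""

# One row of the Gaia overview: name, size, used (or N/A), configurable flag, optional description.
_OVERVIEW_ROW = re.compile(
    r"^(lv_current|lv_log|upgrade|swap|free|total)\s+(\d+)\s+(\d+|N/A)\s+(yes|no)(?:\s+(.*))?$"
)
# PV line from pvs; older LVM prints units as upper-case G, newer as lower-case g.
_PV_ROW = re.compile(
    r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+([\d.]+)([KMGTkmgt])\s+([\d.]+)([KMGTkmgt])$"
)
_UNIT_TO_GB = {"k": 1 / 1024 / 1024, "m": 1 / 1024, "g": 1.0, "t": 1024.0}


def to_gb(value, unit):
    """Convert an LVM-style size such as 12.69 + 'G' into GB."""
    return float(value) * _UNIT_TO_GB[unit.lower()]


def parse_lvm_overview(text):
    """Return {volume: {size_gb, used_gb (None for N/A), configurable, description}}."""
    vols = {}
    for line in text.splitlines():
        m = _OVERVIEW_ROW.match(line.strip())
        if not m:
            continue  # headers, separators and the dashed line are skipped
        name, size, used, conf, desc = m.groups()
        vols[name] = {
            "size_gb": int(size),
            "used_gb": None if used == "N/A" else int(used),
            "configurable": conf == "yes",
            "description": (desc or "").strip(),
        }
    return vols


def parse_pvs(text):
    """Return the first physical volume as {pv, vg, psize_gb, pfree_gb}."""
    for line in text.splitlines():
        m = _PV_ROW.match(line.strip())
        if m:
            pv, vg, _fmt, _attr, size, su, free, fu = m.groups()
            return {"pv": pv, "vg": vg, "psize_gb": to_gb(size, su), "pfree_gb": to_gb(free, fu)}
    raise ValueError("no PV row found in pvs output")


def parse_show_snapshots(text):
    """Return (needed_gb, available_gb) from Gaia 'show snapshots' output."""
    need = re.search(r"will need ([\d.]+)([KMGTkmgt])", text)
    avail = re.search(r"available for restore points is ([\d.]+)([KMGTkmgt])", text)
    if not need or not avail:
        raise ValueError("show snapshots output did not contain both space lines")
    return to_gb(*need.groups()), to_gb(*avail.groups())


def snapshot_report(overview_text, pvs_text, snapshots_text):
    """Combine the three outputs into one dict a fleet check can print or alert on."""
    vols = parse_lvm_overview(overview_text)
    pv = parse_pvs(pvs_text)
    need_gb, avail_gb = parse_show_snapshots(snapshots_text)
    return {
        "upgrade_volume_gb": vols["upgrade"]["size_gb"],
        "lv_current_gb": vols["lv_current"]["size_gb"],
        "restore_point_needed_gb": need_gb,
        "restore_point_available_gb": avail_gb,
        "restore_point_shortfall_gb": round(max(0.0, need_gb - avail_gb), 3),
        "snapshot_fits": avail_gb >= need_gb,
        "vg_unallocated_gb": pv["pfree_gb"],
    }


if __name__ == "__main__":
    for key, value in snapshot_report(SAMPLE_LVM_OVERVIEW, SAMPLE_PVS, SAMPLE_SHOW_SNAPSHOTS).items():
        print(f"{key:28} {value}")
```

On a real server, feed it the captured text of `show snapshots`, `pvs` and the Gaia LVM overview instead of the constructed samples; a report with `snapshot_fits` false but a large `vg_unallocated_gb`, as in this post, is the case to raise with support rather than something the script resolves.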