paulastya inside General Management Topics 40m ago
views 108 6

Upgrading the Checkpoint VSX cluster (VSLS) from R77.30 to R80.10 with Clean install

We are going to upgrade the Checkpoint VSX Cluster from R77.30 to R80.10 with a clean install on a 13500 appliances. The Management Gateway is already upgraded to R80.20 version. My question is: can we do the clean installation of the VSX cluster using CPUSE? While checking the documentation I found the following:
From R75.40, R75.45, R75.46, R75.47, R75.40VS, R76, R77, R77.10, R77.20, R77.30 to R80.10:
Component: Supported Methods
Security Management Server: CPUSE Upgrade, CPUSE Clean Install, Advanced Database Migration
Multi-Domain Server
Security Gateway: CPUSE Upgrade, CPUSE Clean Install
VSX: CPUSE Upgrade (from R77 only). Earlier versions: Use instructions in sk101518
CloudGuard Controller: CPUSE Upgrade (from R77.30 only)
So, the documentation says that CPUSE upgrade is possible, but it does not clarify the Clean installation.
Ravindra_Katrag inside General Management Topics an hour ago
views 28 1

Admin Not to be Blocked in Case of DOS

Hi, I am running a Compliance Check on all of my Checkpoint Firewalls. I am running R77.30 on all appliances (Management + Gateway). I would like to know if there is any way to set up "Admin" not to be blocked in case of a DOS
Ravindra_Katrag inside General Management Topics yesterday
views 3233 6

SSH Version Check

Hello, I am new to Checkpoint and I would like to know how I can check which SSH version is configured on the Checkpoint devices. Currently I have VSX clusters running R75.40VS and R77.30. Usually, if I want to check the SSH version I can change the SSH protocol version in PuTTY to 1 and try to log in to the VSX device. But if I want to check which SSH version is allowed on the VSX devices, how can I do that? Also, if I want to configure SSH Version 1 on the VSX device, how can I do that? Your help would be much appreciated.
Kamil_Kolo inside General Management Topics yesterday
views 137 3

Updating to R80.20 Jumbo Hotfix Take 87 loses SSH capability

When I updated the management server to R80.20 Jumbo Hotfix Accumulator General Availability (Take 87), I lose the ability to SSH to the Management server. I can gain the access to the SSH login, but as soon as I enter the "login as:" credential, it immediately closes the putty session. Please keep in mind that this environment is in AWS and requires a ppk file (putty generated private key from pem file) in order to access the SSH session. Is there some kind of error with a known hosts file with putty sessions or some other issue that I am running into? The session drops after this and never enters the cli prompt:
Daniel_Taney inside General Management Topics yesterday
views 814 3

PDP/PEP Identity Sharing Not In Sync?

I will likely open a TAC case on this, but we noticed today that one GW using identity sharing seems to not be fully in sync with the PDP. For example, if I run pep show user all |grep <username> on the PDP, I am able to see a record existing for that user. However, when I go to the GW acting as the PEP, the same command returns no entries. It seems completely random as to the users impacted, but it is definitely stopping some App Control rules from working!
I've tried using pdp update all and pdp control sync to try to force updates. I have also tried pushing policy again to both GWs. Has anyone else ever seen this? Are there any other commands or troubleshooting recommended before possibly engaging TAC?
From the PDP Gateway:
pep show pdp all
Command: root->show->pdp->all
-----------------------------------------------------------------------
| Direction | IP | ID | Status | Users | Connect time |
-----------------------------------------------------------------------
| Incoming | 127.0.0.1 | 0 | Connected | 460 | 21Feb2019 6:16:33 |
-----------------------------------------------------------------------
From the PEP Gateway with Identity Sharing enabled to sync identities with the GW above:
pep show pdp all
Command: root->show->pdp->all
-------------------------------------------------------------------------
| Direction | IP | ID | Status | Users | Connect time |
-------------------------------------------------------------------------
| Incoming | IP OF PDP GW | 0 | Connected | 391 | 8Apr2019 5:25:44 |
-------------------------------------------------------------------------
| Incoming | 127.0.0.1 | 0 | Connected | 0 | 8Apr2019 5:16:48 |
-------------------------------------------------------------------------
| Outgoing | IP OF PDP GW | 0 | Connected | N/A | 8Apr2019 5:17:08 |
-------------------------------------------------------------------------
kfirash inside General Management Topics yesterday
views 27

Proxy ARP on Checkpoint R80.10

Hi,
After upgrading our gateways and management to R80.10 we started facing a weird problem. The gateway doesn't send ARP replies to the router and we have to manually configure proxy ARP on Gaia. I wonder if it's related only to the version itself or if there is any configuration or hotfix that can solve this issue. We don't use Automatic NAT for networks; we are using static NAT for specific external resources and hide NAT for the LAN group.
Enable Check Point ClusterXL for Bridge Active/Standby...
==========================================================
Check Point ClusterXL for Bridge Active/Standby is currently disabled.
sukrui inside General Management Topics Sunday
views 79 1

Appliance Sizing with https inspection

Hello all,
I have an open server firewall with version R77.30 in a distributed environment. We are using full NGTP specifications without HTTPS inspection now. When I run cpsizeme on the open server, the appliance sizing tool recommends a 5600 appliance (utilization:%15-25) and a 6500 appliance (utilization %10-20). But sk88160 says cpsizeme is not supported on open platforms, so are those recommendations wrong? Also, we want to migrate this open server to Checkpoint appliances. And then we will upgrade the version to R80.20 and will use HTTPS inspection. According to this new situation, which appliance will we select?
Ants inside General Management Topics Friday
views 109 2

Custom Gaia Script not working

Hi All,
So.. I am trying to do a simple script copy task and need a second pair of eyes please, as I cannot get it working.. My goal is to set a cron task to run a script once a day and copy the newest file (PDF reports automatically created daily) from folderA (MY_DIR) to folderB (DEST) on the R80.10 CMA (logged in as admin)
---------------------------------------------
#!/bin/bash
# Source directory, destination directory and file extension to look for
MY_DIR="/var/tmp/"
DEST="/home/admin/"
FILEEXT="pdf"
# List matching files oldest first by modification time; the last line is the newest
NEWEST=`ls -tr1d "${MY_DIR}"*.${FILEEXT} | tail -1`
if [ -z "${NEWEST}" ] ; then
    echo "No file to copy"
    exit 1
else
    echo "Copying ${NEWEST}"
    # -p preserves mode, ownership and timestamps
    cp -p "${NEWEST}" "${DEST}"
fi
---------------------------------------------
but when running the script I get the following error..
[Expert@CMA:0]# ./sascopy.sh
Copying ls -tr1d "${MY_DIR}"=*.${FILEEXT} | tail -1
cp: cannot stat `ls -tr1d "${MY_DIR}"=*.${FILEEXT} | tail -1': No such file or directory
[Expert@CMA:0]#
If I run 'ls -tr1d /var/tmp/ | tail -1' manually I can see the file and output is the full dir listing. I suspect this line here to be the problem..
NEWEST=`ls -tr1d "${MY_DIR}"*.${FILEEXT} | tail -1`
Thanks in advance
ants
Marco_Valenti inside General Management Topics Wednesday
views 957 4 2

audit log

Hey all,
Has anyone encountered this issue before? Searching through the changes in the audit log, it seems that the number of the security rule involved in the change is not reported. If you copy the entire message from the audit log you can get a rule UID, but that is not a very "fast way" to retrieve this information.
Thanks in advance
Vincent_Bacher inside General Management Topics Wednesday
views 29826 20 8

Will (Smart)Workflow come back?

Hello together,
I am wondering if there is any news on if and when (Smart)Workflow will come back. Does anybody have news about that?
Best regards
Vincent
Rafael_Lima1 inside General Management Topics Wednesday
views 1026 15

Legitimate traffic being blocked - R80.20

After migration to R80.20 we are having legitimate traffic being blocked. Filtering via "fw ctl zdebug drop", we receive the following log:
@;2731325746;[cpu_9];[fw4_2];fw_log_drop_ex: Packet proto=6 x.x.x.x:45242 -> y.y.y.y:443 dropped by fwmultik_process_f2p_cookie_inner Reason: PSL Drop: internal - reject enabled
We opened an SR and they passed us SK33328, which was done but did not work; we still have connection problems sometimes. The traffic is from an Apache server to an nginx, TCP / 443.
Has anyone else gone through this who could help?
kmadhura15 inside General Management Topics Tuesday
views 102 2

TCP connection failure port=18191 [error no. 10]

Hello,
I have a setup with two gateways in a cluster. The management interfaces of the gateways and SMS are in the range of 62.112.170.x. They are running on R80.10. I added a static NAT to an object in the 10.253.100.x range for the standby gateway, which would NAT the IP to the IP address of the management interface of the standby server. I pushed the policy and after that, for any policy I try to push, I get the error for TCP connection failure. I am not able to make any changes now since they cannot be applied to the standby gateway anymore. Any suggestions on how to solve this issue?
Tbgaz inside General Management Topics Tuesday
views 39 1

NAT for VPN Tunnel

Hi. I have set up a VPN tunnel to a third party who will connect to a proxy server that will collect logs from our internal devices. This proxy server sits on our DMZ. On the Advanced VPN Properties window for the VPN community I selected the 'Disable NAT inside the VPN community' setting but have been told by the third party that they're having NAT issues. I then deselected it as per their suggestion but nothing has changed (there aren't any NAT rules for the DMZ on our end). I'm not sure what's going wrong. Another tunnel we use does disable NAT inside the community so not sure which option is correct/how to proceed. Any ideas would be appreciated!

status on cloud-based SmartCenter service. doofus alert!!

Hello -- where do I locate status on SmartCenter management-as-a-service? I recall this was recently released specifically for endpoint, and I understand work continues on SmartCenter gateway management in cloud. I tried various searches that couldn't find anything that I would expect. "smartcenter cloud", " cloud- based smartcenter", "management as-a-service" all returned nothing relevant. I'm hoping I just missed the boat and there's an obvious place where info resides. In addition, target release dates and info on EA programs would be appreciated. Please advise. Thanks
-Garrett

Management High Availability

I have two servers: Smart-1 5150 and Dell PowerEdge R730. Can they build management HA? I found that sk39345 does not describe any restriction on devices with different performance. Does it mean that there is no restriction? Meanwhile, I am wondering whether it can enable the management cluster function as a gateway after initialization?