cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post
Josh_Dill
Josh_Dill inside General Management Topics 10 hours ago
views 25 1

Identity Awareness setup

Hi All,I will be setting up Identity Awareness in an R80.10 MDS environment. We will be using Identity collects to communicate with the DCs and provide what is in the security logs to the firewall. After reading the documentation I have some questions regarding setup and usage. Thanks in advance: 1) I have read the following identity collection requirement:"Identity collector provides information about users, machines and IP addresses to the Security Gateway. LDAP Account Unit(s) should be configured to allow PDP gateways to perform group lookups on IDs that are provided from Identity Collector to match them to Access Roles." If an account unit is created in the domain (checkpoint local domain NOT active directory) and applied to the firewall object under firewall properties - others - user directory. Is that all I need to perform this requirement?2) There is no way to apply an account unit I created in global directory (at least not that I can find). Does this mean I cannot use global rules with identity awareness since the global account unit would not be assigned to the firewall to perform global lookups? 3) Is there anyway to create rules for individual users opposed to groups? Thanks,Josh
Vincent_Bacher
Vincent_Bacher inside General Management Topics 11 hours ago
views 29011 15 8

Will (Smart)Workflow come back?

Hello together,i am wondering if there are any news, if and when (Smart)Workflow will come back.Does anybody have news about that?Best regardsVincent
Heath_Mote
Heath_Mote inside General Management Topics 15 hours ago
views 2773 12

R80.20.M2 Management - Finalizing Stuck at 99% During Policy Installs

Setup is 2x Management Server 5150 with dedicated SmartEvent server all running R80.20.M2 pushing policy to a single 5800 HA ClusterXL setup all running R80.10. The management and cluster are located at the same site. The access/threat policy takes less than 3 minutes to succeed on the cluster but the 99% finalizing status takes a very long time to complete. I've just pushed a policy and it again finished in 3 minutes but has been stuck at 99% finalizing for the past 45 minutes... Is anyone else experiencing this after updating your management to R80.20.M2 or R80.20 in general?
stallwoodj
stallwoodj inside General Management Topics 16 hours ago
views 17

Endpoint client policy updates

Hi, I have a customer who has a central NPM/EPM server (R77.30) to manage their firewall and endpoint estate. They have an additional Endpoint Security Policy Server which faces the internet for clients in the field, and this works okay.I was wondering if by putting a reverse proxy (e.g. NGINX) in front of the private EPM, we could in R80 replace the functionality of the current policy server, to save on support costs? ThanksJamie
Arthur_DENIS1
Arthur_DENIS1 inside General Management Topics 16 hours ago
views 42

SmartView web access for firewall policy

Hi,I get one question from one of my customer.Smartview (webased) is a great tools and used for accessing the logs from read-only user. That's nice.But there is existing way to access to the access policy by the same way ?Currently we use the web_api_show_package.sh script to export in HTML, but this is not really easy to access to the html file for the policy and Smartview for log... Thanks for your help guys!Arthur
Sumedh_Gujar
Sumedh_Gujar inside General Management Topics 17 hours ago
views 399 8 1

Behavior of HA cluster when SYN link is down

Hi,I am bit confused in behavior of HA cluster. We have configured HA cluster between our 2 firewalls (12400 and R77.30). We have point to point link between these 2 firewalls for syncing. When this link goes down our Active firewall goes to down state and Standby firewall goes to Active state, which we can see in cphaprob stat command. I just want to confirm whether this is the normal behavior of Checkpoint firewalls in HA mode. Or like Cisco HSRP, both firewalls should go to Active Active mode. Thank youSumedh
Bishal_Upadhyay
Bishal_Upadhyay inside General Management Topics 20 hours ago
views 85 8

How to import Management Server VM configuration to Appliance(Smart-1 410) ?

Hi Everyone,I am trying to import configuration of Management server VM which has R80.20 OS; to the Smart-1 410 Appliance having same OS and same build number.I guess "System backup" will not work here since they are of different products.Hence I tried to use "migrate export and import method" but while trying to import into the appliance, the error pops out as "Database migration between Standalone and Management only machines is not supported".Any suggestions will be highly appreciable. With Regards,Bishal Upadhyay
Blason_R
Blason_R inside General Management Topics 20 hours ago
views 211 10

Upgrade R77.30 to R80.10 Database Import issue

Hi Team,I am facing an issue while importing database for upgrade in R77.30. This is I am importing database from R77.30 to R77.30 and below is the error messages. Can someone pls help? [24 Jun 11:39:29] [ExecCommandGetOutput] ERR: Command completed with error code 1[24 Jun 11:39:29] ...<-- ExecCommandGetOutput[24 Jun 11:39:29] [CommandRunner::exec] Command's output:-------------------------------------Execution finished with errors. See log file '/opt/CPshrd-R77/log/PItpi-import_install.elg' for further detailsExecution has finished-------------------------------------[24 Jun 11:39:29] [CommandRunner::exec] ERR: Command execution had failed[24 Jun 11:39:29] ..<-- CommandRunner::exec[24 Jun 11:39:29] .<-- PluginsInstallationRunner::InstallPlugin[24 Jun 11:39:29] [PluginsInstallationRunner::exec] ERR: Failed to install plugin[24 Jun 11:39:29] <-- PluginsInstallationRunner::exec[24 Jun 11:39:29] [ActivitiesManager::exec] ERR: Activity 'PluginsInstallationRunner' failed[24 Jun 11:39:29] [ActivitiesManager::exec] WRN: Activities execution finished with errors[24 Jun 11:39:29] [ActivitiesManager::exec] WRN: Activities 'PluginsInstallationRunner' have failed[24 Jun 11:39:29] [ActivitiesManager::exec] Designated exit code is 1**************************************************[Expert@mgmt-server:0]# more /opt/CPshrd-R77/log/PItpi-import_install.elg[24 Jun 11:39:24][24 Jun 11:39:24] *****************************************************************[24 Jun 11:39:24] ********************* Log session beginning *********************[24 Jun 11:39:24] *****************************************************************[24 Jun 11:39:24] [writeExecCommandTolog] Program executed as: /opt/CPPItpi-R77/bin/uacRunner -p PItpi -import_install[24 Jun 11:39:24] [writeEnvInfoToLog] Binary was build for Linux OS[24 Jun 11:39:24] [writeEnvInfoToLog] Management type of machine is 'Smc'[24 Jun 11:39:24] [writeOptionsToLog] Base name is: PItpi[24 Jun 11:39:24] [writeOptionsToLog] Product name is: PItpi[24 Jun 11:39:24] [writeOptionsToLog] Main run flag is: -import_install[24 Jun 11:39:24] [writeOptionsToLog] Runner working directory is: /opt/CPPItpi-R77[24 Jun 11:39:24] [writeOptionsToLog] Main run option is of type: Default[24 Jun 11:39:24] [runDefaultActivities] Running default activities[24 Jun 11:39:24] [PluginSpecs::PluginSpecs] Initializing plugin specs with '/opt/CPPItpi-R77/conf/specs.conf'[24 Jun 11:39:24] [ActivitiesManager::exec] Starting activities execution[24 Jun 11:39:24] [ActivitiesManager::exec] Executing activity 'PluginDefaultDbMaker'[24 Jun 11:39:24] [copyPluginDBtoManagement] Removing directory '/opt/CPsuite-R77/fw1/conf/pluginDefault/_PItpi' if it exists[24 Jun 11:39:24] [copyPluginDBtoManagement] Creating directory '/opt/CPsuite-R77/fw1/conf/pluginDefault/_PItpi'[24 Jun 11:39:29] [copyPluginDBtoManagement] Copying plugin default directory from '/opt/CPPItpi-R77/conf/defaultDatabase' to '/opt/CPsuite-R77/fw1/conf/pluginDefault/_PItpi'[24 Jun 11:39:29] [copyPluginDBtoManagement] ERR: Failed to copy plugin default directory[24 Jun 11:39:29] [ActivitiesManager::exec] ERR: Activity 'PluginDefaultDbMaker' failed[24 Jun 11:39:29] [ActivitiesManager::exec] Rolling back previous activities[24 Jun 11:39:29] [ActivitiesManager::exec] Rolling back activity 'PluginDefaultDbMaker'[24 Jun 11:39:29] [ActivitiesManager::exec] WRN: Activities execution finished with errors[24 Jun 11:39:29] [ActivitiesManager::exec] WRN: Activities 'PluginDefaultDbMaker' have failed[24 Jun 11:39:29] [ActivitiesManager::exec] Designated exit code is 1
Alan_Kong
Alan_Kong inside General Management Topics 20 hours ago
views 8637 8 3

Unable to install CheckPoint VPN E80.83

Failed to install checkpoint VPN e80.83 on windows 10 pro. I encountered this error:Error 26630. Failed to copy driverWhile installing virtual network adapter and installling network driver. Previously I had some virtual network adapter issue in e80.82 and wanted to resolve it by installing e80.83.i am the administrator for the system so I do not understand why I cannot install the program. Any help would be greetly appreciated.
HeikoAnkenbrand
HeikoAnkenbrand inside General Management Topics yesterday
views 88 1 4

R80.20 Updatable Domain Objects and CLI Commands

An updatable object (new in R80.20 and above) is a network object that represents an external service, such as Office 365, AWS, GEO locations and more. External services providers publish lists of IP addresses, or Domains, or both, to allow access to their services. These lists are dynamically updated. Updatable objects derive their contents from these published lists of the providers, which Check Point uploads to the Check Point cloud. The updatable objects are updated automatically on the Security Gateway each time the provider changes a list. There is no need to install policy for the updates to take effect. You can use an updatable object in the Access Control policy as a source, or a destination. I didn't find anything on the CLI commands in the documentation. Here my knowledge from the reverse engineering. In 80.20 and above you can run the tool "domains_tool" to show domain object informations. # domains_tool -d update.microsoft.com => show which IP is associated to a domain object # domains_tool -ip 1.2.3.4 => search and privide a list of domains for IP For more informations about updatable object see sk131852.

Inbound https inspection only

Hello, I wanted to turn on Inbound https inspection only and not outbound. Is there a way to do this?Going through documentation it says when you enable https inspection on the gateways, it creates an outbound CA certificate as well which means outbound https inspection is enabled as well. Thanks,Chandru
Prince_Osei_Wia
Prince_Osei_Wia inside General Management Topics yesterday
views 4284 7 3

Having problem with my clusterXL: Error message "HA module not started" after cphaprob stat.

Cluster XL is enabled using cpconfig#cphaprob statHA module not started

Secondary MDS upgrade fails "Upgrading Products" at 58% using CPUSE

Upgrade of secondary mds from r80.10 to r80.20 fails at 58% "Upgrading products" . Upgrade of primary mds was successful using CPUSE.
Blason_R
Blason_R inside General Management Topics Friday
views 3414 11

R80.20 fresh install fails on Vmware ESXI

Hello ,When I installs R80.20 on vmware ESXI which is on dell server with RAID 5 it installs successfully but after reboot it gives the error "no operating system found". The hard disk size is 4.5TB. Anyone have face this kind of issue. Please let me know any workaround/solution if any. R80.10 with HDD less than 2 TB successful.

Management server relocation

Hello,We need to relocate the management server from a DC that is closing to a new DC environment. We are running the management server as a virtual machine. Currently we have a single management server.I was wondering if anyone following scenario is possible or if anyone has experience with such a task:Set up new management server in the new DC using a temporary license.Configure the management server as a secondary management server.Failover the to make the new management server the active server.Move the license to the new management server.Remove old management server.I have concerns about this process as with a temporary license.Normally you cannot download and upgrade the new management server to the same version as the old management server. Is it possible to manually import the jumbo Hot fix packages and install them when using a temporary license?Can I form the management HA when using a temporary license?Many thanks,Michael