Yes, the Security Gateway keeps working regardless of the Security Management.
When you Install Policy, the policy is sent to the Security Gateway, where it is installed "locally".
You can check that the policy is installed using the following commands:
For the Access Control Policy, use the fw stat or cpstat fw commands
For the Threat Prevention Policy, use the fw stat -b AMW command
Both will show the policy name and when it was installed
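As an added illustration of the check described in this answer (not code from the thread or from Check Point), here is a small POSIX shell helper that reads fw stat output and classifies what the gateway is enforcing: a normal policy, the Initial Policy (the state the thread later warns about after a SIC reset), or no policy at all. The column layout it parses (HOST, POLICY, DATE, with "localhost" as the host) is an assumption about fw stat's output and the sample lines are constructed, so adjust the awk field selection if your version prints differently.

```shell
#!/bin/sh
# Added example: classify the policy a gateway reports via `fw stat`.
# ASSUMED output layout (constructed here, verify against your gateway):
#   HOST      POLICY          DATE
#   localhost Standard        18Sep2025 14:02:11 :  [>eth0] [<eth0]

# Constructed sample outputs standing in for a real `fw stat` run.
SAMPLE_OK='HOST      POLICY          DATE
localhost Standard        18Sep2025 14:02:11 :  [>eth0] [<eth0]'
SAMPLE_INITIAL='HOST      POLICY          DATE
localhost InitialPolicy   18Sep2025 09:00:00 :  [>eth0] [<eth0]'
SAMPLE_NONE='HOST      POLICY          DATE
localhost -               -'

# policy_status: reads `fw stat`-style text on stdin and prints one token:
#   ok:<name>  -> a real policy is loaded            (exit status 0)
#   initial    -> Initial Policy is loaded           (exit status 1)
#   no-policy  -> nothing loaded / unparseable input (exit status 2)
# The non-zero exit statuses make it usable from cron or a monitoring agent.
policy_status() {
    # Skip the header row, take the POLICY column of the localhost line.
    name=$(awk 'NR > 1 && $1 == "localhost" { print $2; exit }')
    case "$name" in
        "" | "-")      echo "no-policy"; return 2 ;;
        InitialPolicy) echo "initial";   return 1 ;;
        *)             echo "ok:$name";  return 0 ;;
    esac
}

# On a gateway you would run:  fw stat | policy_status
# Here the constructed samples are exercised so the script runs anywhere.
for s in "$SAMPLE_OK" "$SAMPLE_INITIAL" "$SAMPLE_NONE"; do
    printf '%s\n' "$s" | policy_status || echo "  -> exit status $?"
done
```

The InitialPolicy check is the one worth alerting on: as the later replies note, a gateway that has fallen back to the Initial Policy blocks nearly everything except management access, so a status of "initial" is a signal that SIC or the last policy install needs attention, not a benign management outage.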
Yes, gateways will filter traffic just fine.
Hi @Tal_Paz-Fridman, curious about what happens if the connection is lost between the FW and Management. What will happen?
Last time I experienced this, in 80.x, all the traffic was blocked by the FW. Is it expected behaviour?
Connection to the Security Management Server should not affect the Security Policy that is installed on the Security Gateway.
Perhaps this was a case where the connection was lost and SIC was reset, which then installs the Initial Policy.
@Tal_Paz-Fridman is 100% right. I would also say if there was a SIC issue, if SIC is reset, then by default it loads the initial policy, which pretty much blocks anything except the web UI on port 443 and SSH.
Tal, PLEASE be safe mate, I'm praying for tolerance and peace over there 🕊🕊
Andy
Btw, I found some old notes I had back in R77 days when a customer had this issue and mgmt was down for 3 days, but they told me after all that the VPN tunnels stayed up and there was no traffic issue. Mind you, there were no CP-to-CP VPN tunnels, so as @CheckPointerXL said, it's possible that if mgmt is down for more than 24 hours, and you have any CP-to-CP S2S VPN tunnels, they may not work.
Andy
What happens is that the gateway will enforce the latest policy pushed to it from the management server. If the mgmt server went down, traffic would still work just fine through the firewall, but the huge downside is that you would not be able to make any further changes to the policy, as SmartConsole would not be accessible.
Andy
If I remember correctly, you should pay big attention to CRL fetching. VPN between FWs on the same management could potentially be disrupted if there is no communication during the 24h fetching period.
Anyone can confirm or not?
Yes, that rings a bell, though the couple of times mgmt was down for a customer, we never had that issue, but it could happen, for sure.
Andy
This is true; I've had this happen to me before, but that is on the condition that all devices being used are managed from the same Manager.
Never had that happen to me, but what @CheckPointerXL mentioned about CRL is 100% true.
Andy
Yes.
While the gateway will continue to pass traffic per the last installed policy, VPNs will fail after a period of time.
This is because the Internal CA resides on the Management Server and gateways/clients reach out to the CRL to validate the certificate.
For Site-to-Site VPNs, they will continue to work for 24 hours.
Remote Access clients (regardless of auth method) use the CRL and may fail.
Hope that clears things up.