This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
gemechisd
Contributor
‎2024-02-01 10:50 PM
Jump to solution

Ping not working for Newly installed SMS Server

I have installed checkpoint R81.10 SMS for test purpose on Nutanix AHV. Now I can access the installed SMS server through SSH & Browser. But can not able to ping or login through smart console. 

0 Kudos
1 Solution

Accepted Solutions
HeikoAnkenbrand
MVP Platinum
MVP Platinum
‎2024-02-02 06:28 AM
In response to gemechisd
Jump to solution

1) I think this is a layer 2 problem. Can you see the MAC address?
 # arp -an | grep 10.1.75.76

2) If the IP address 10.1.75.76 is a firewall module, a default security policy is installed as long as you have not yet installed a access policy. This means that you cannot ping the fw but you can uninstall the firewall policy and then you can ping the firewall.
# fw unloadlocal

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

View solution in original post

0 Kudos
(1)
13 Replies
Franktum
Contributor
‎2024-02-02 12:15 AM
Jump to solution

Hi,

If you have SSH you can launch tcpdump on SMS in order to see whether the ICMPs and SmartConsole traffic are arriving to the machine. In this way you can narrow down the problem.

Regards

0 Kudos
gemechisd
Contributor
‎2024-02-02 05:04 AM
In response to Franktum
Jump to solution

@Franktum 

I have captured any ping traffic using tcpdump on the Newly configured SMS Server. But the ping is not replying

Kindly, check the attached screenshot

Preview file
233 KB
0 Kudos
HeikoAnkenbrand
MVP Platinum
MVP Platinum
‎2024-02-02 06:28 AM
In response to gemechisd
Jump to solution

1) I think this is a layer 2 problem. Can you see the MAC address?
 # arp -an | grep 10.1.75.76

2) If the IP address 10.1.75.76 is a firewall module, a default security policy is installed as long as you have not yet installed a access policy. This means that you cannot ping the fw but you can uninstall the firewall policy and then you can ping the firewall.
# fw unloadlocal

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
(1)
Lesley
MVP Gold
MVP Gold
‎2024-02-02 01:53 PM
In response to HeikoAnkenbrand
Jump to solution

Machines seem to be in the same network and I see arp request and reply in the capture. 

Are we sure mgmt has been installed and not gateway? What does cpstat mg output show? 

Maybe check with cpconfig -> check GUI clients and option 8

 

-------
Please press "Accept as Solution" if my post solved it 🙂
0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2024-02-02 06:06 PM
In response to Lesley
Jump to solution

Very good point about running cpstat mg

Best,
Andy
0 Kudos
gemechisd
Contributor
‎2024-02-03 08:38 PM
In response to HeikoAnkenbrand
Jump to solution

@HeikoAnkenbrand 

Thank you. It worked for me after executing the commands you have sent me.

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2024-02-02 07:08 AM
In response to gemechisd
Jump to solution

I agree with @HeikoAnkenbrand , you should check those things for sure.

Best,

Andy

Best,
Andy
0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2024-02-03 07:38 AM
Jump to solution

Run fw stat.  If it says anything other than "Local Host is not a Firewall Module", you accidentally configured it as a standalone SMS/firewall, and the firewall default InitialPolicy is blocking your ping and SmartConsole connectivity.  If this is the case you will need to reload and answer correctly with only "Management Server" during the first-time wizard.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
the_rock
MVP Platinum
MVP Platinum
‎2024-02-03 07:45 AM
In response to Timothy_Hall
Jump to solution

Definitely valid point.

Andy

Best,
Andy
0 Kudos
gemechisd
Contributor
‎2024-02-03 08:45 PM
In response to Timothy_Hall
Jump to solution

@Timothy_Hall 

The ping is working for me. But I can't able to login through Smart Console. Check the attached screenshot for fwstat

Our SMS in installed on nutanix AHV with .qcow2 file from checkpoint. 

Preview file
17 KB
0 Kudos
Chris_Atkinson
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2024-02-04 01:10 AM
In response to gemechisd
Jump to solution

Which image / file from sk158292 did you use and which ftw selections were made?

CCSM R77/R80/ELITE
0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2024-02-05 05:28 AM
In response to gemechisd
Jump to solution

You have accidentally configured it as a Security Gateway as well as Security Management Server (standalone) as I guessed earlier.  You need to reload and make sure that Security Gateway is unchecked during the first-time wizard.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2024-02-05 05:39 AM
In response to gemechisd
Jump to solution

100% no doubt about it, you configured it as standalone (fw + mgmt as one machine)

If it was ONLY mgmt, it would show below.

Andy

[Expert@cpazuremgmt:0]# fw stat
Local host is not a FireWall-1 module
[Expert@cpazuremgmt:0]#

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events