This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Nikolai_Zhitkov
Participant
‎2018-11-16 02:52 AM

Problems with 80.10 gateway.

Hi,

I have some difficulties with our new GW 5400 80.10.  

Topology: SMS server (80.20) is behind the 4400 gateway (77.30), static nat. Site-to-site star connection between all gateways.  Center gws 4400 and 5400. 

My SMS server shows "connection with gw is lost", but the.SMS gets FW logs from GW and GW receive politics. Also in the Smart View Tracker, I see CPD protocol with internal SMS IP address as a destination. The SMS successfully receive statuses from other gateways.

The second problem is: Afer push policies to gws all non-checkpoint vpn connections are down and after 5 minutes they are restored. 

In the Tracker I see an error - local interface spoofing. Gateway try to send "esp" to all Interoperable devices from it's external ip, but through the internal interface. I think the root of the problem is such a routing.

Does anyone have any ideas?

Thanks in advice. 

Nick

0 Kudos
4 Replies
_Val_
Admin
Admin
‎2018-11-16 03:05 AM

The second issue seems as the topology is incorrectly defined.

For the first one, can you check if SIC is working? Are both GW and SMS at the same location? Which GW is doing NAT static for SMS? How is ti configured? TO work properly, you need to do automatic NAT, hope that's the case

0 Kudos
Nikolai_Zhitkov
Participant
‎2018-11-16 03:14 AM
In response to _Val_

The first. SIC is working (I've tested it from gw properties). SMS is behind other gw (4400 77.30). 4400 GW is doing automatic static NAT. 5400 is in a remote location and connected to 4400 via site-to-site vpn.

The second. Topology looks right. That interface is defined as internal and security zone is defined as internal. 

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2018-11-16 06:00 AM
In response to Nikolai_Zhitkov

On the NAT tab for the SMS object, do you have "Apply for Security Gateway control connections" checked?  You need to if the SMS control traffic is being NATted, also see sk100583: Troubleshooting "SmartCenter behind NAT" issues.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Nikolai_Zhitkov
Participant
‎2018-11-16 07:00 AM
In response to Timothy_Hall

Sms does not receive only status from only ONE (5400) gateway. It successfully receives all data from other gateways and receives all data from 5400 except status information.

I believe that problem is on the 5400 (BykGW) side.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events