cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post
Michael_Thompso
Michael_Thompso inside General Topics 12m ago
views 1282 6

Migrate from Smart-1 HA SMS to Virtual SMS with new IP

Hi all,I am planning on migrating from a Smart-1 77.30 HA SMS to a Virtual 77.30 SMS with a new IP and ideally new hostname. The gateways managed by the smart-1 SMS perform site-to-site vpns and remote access vpns with the checkpoint client. Also, checkpoint utm edge servers and smb devices are managed by the Smart-1 SMS; these devices are also configured with site-to-site VPNs. I have seen other articles that explain that you need to retain the same IP on the new manager, perform configuration changes e.g. licensing, firewall rules, migrate-import, then you can use the new IP. A couple of questions. How do I connect to the new Virtual SMS with the old IP to make those changes when it is not routable to that part of the network? Second what is the correct procedure to perform this migration? Also what would be the rollback?Thanks for your help.
minhhaivietnam
minhhaivietnam inside General Topics 2 hours ago
views 9

Static Nat seems not working with multicast

Hi all,I have a topology running multicast:router1(multicast receiver)----checkpoint r80----router2(RP)---router3(multicast sender)all devices run pim-sm.above network run fine without nat.but when i set static nat on firewall: IP of router1---> translate to a.b.c.dthen on router1, I send "igmp join" toward to RP(router2). On log , i see that igmp packet is forwarded to firewall, but packet is not nated to a.b.c.d (above ip address). And not forwarded through firewall.So my question is if checkpoint r80 supports multicast nat source? If yes , how i can config it? Thank you!!
minhhaivietnam
minhhaivietnam inside General Topics 3 hours ago
views 20 2

ICMP reply does not match a previous request

Hello friends,I have multicast topology like this:Router1(receiver multicast)------>Checkpoint R80------->Router2-----Router3(Multicast sender)All devices run PIM-SM mode.On router1: I join group 239.9.9.9On router2: ping to 239.9.9.9Result: Not successI check log on firewall and see that this error Please help meThanks a alot!!  
Di_Junior
Di_Junior inside General Topics yesterday
views 24

ISP IP Blacklist

Dear MatesThis is not a technical question but it is more like a general question in which I would really appreciate your feedback.We are an ISP, and we provide services to many enterprises, we clients are usually finding the IP address we allocate to them in some blacklists, which sometimes prevents them from using certain services on the Internet, until the IPs are removed from the blacklist.Taking into account that we do not have control over what our clients do to get tham blacklisted, I would like to know whether there is something we as the ISP can do in order to minimize the risk of our clients get blacklisted.Thanks in Advance
sdjohnson2019
sdjohnson2019 inside General Topics yesterday
views 122 4

Upgrade path from R77.30 to R80.30

Hello All,Can you advise me, i have read various docs on Checkpoints website & various knowledge boards.I my initial understanding is that if i wanted to upgrade from R77.30 to R80.30 i would have to build a new server & run through the upgrade verifier, export & import database steps.But as i have started to read more there seems to be a straightforward upgrade path via CPUSE. Or am i reading the the documentation wrong.Thanks for any advise Extract from Installation and Upgrade Guide R80.30From R7X to R80.30:Upgrade the Primary Security Management Server.Perform a clean install of the Secondary Security Management Server.Connect the Secondary Security Management Server to the Primary Security Management Server.Step 2. Why ???? there is no explanation
Chinmaya_Naik
Chinmaya_Naik inside General Topics yesterday
views 127 2

Configure Gaia with TACACS+ Authentication for SmartCosole (Query)

Hi Team,I refer sk101573 (How to configure Gaia OS to work with a TACACS+ server)Below is the configuration details.VMware:12 ProNOTE: We successfully login with GAIA portal using TACACS user (User define in TACACS+ Server).But unable to login with SmartConsole. Configuration Step Taken :File Name : tac_plus.conf (Location : /etc/tacacs+/tac_plus.conf)Step1Step2Step3Step4Step5Configuration for SmartConsole LoginSTep6STep7Step9Unable to find any logs on messages file.Step10As I know for "Authentication to server failed" logs are not generated in the messages file.Please confirm is this a right configuration because ,  we unable to login with Smartconsole but able to login with GAIA portal.Thank you Regards@Chinmaya_Naik
JosephAviles
inside General Topics Friday
views 114 4
Employee

1GB to 10GB interface upgrade

Hello everyone, I have a task to upgrade a firewall appliance from 1GB to 10GB on their interfaces. The issue I  have is this appliance is running r75.30 on SPLAT. I haven't used SPLAT in a very long time. Does anyone know what the commands even are to do this?  Another question is what is the SPLAT command to get the configuration of the appliance. In GAIA its simply show configuration. Don't know what the command is in SPLAT. Any help is appreciated. Thanks.    Regards!
REconfigure
REconfigure inside General Topics Friday
views 111 1 5

fw ctl conntab - R80.20 strange behaviour - random TCP session timeout values

Hi Community!after upgrading to R80.20 i verified the session tables of our fw gateways, with the "fw ctl conntab" command.I found out that all upgraded gateways have random TCP session timeouts for a session displayed, and not the actually configured value for the service.I checked it on more than 20 different gw´s it´s always the same. for a global value of 7200 sec, there is sometimes 4642 or even as low as 1058 sec, or higher 7205 etc. in the output next to the TTL - same rule/same service.In older versions like 77.20 it´s always exactly the configured value for example 7200sec in the output.Can anyone verify this, is this only cosmetic or could this lead to sessions falling out of the table to soon?Attached you can find screenshots with example output of a R77.20 and R80.20 gateway. 
Anderson_DaSilv
Anderson_DaSilv inside General Topics Friday
views 16

CloudGuard ARM Template

Hi Community,I am trying to deploy cloudguard in Azure via ARM templates, but I am hitting an issue with the artifacts location parameters.As I can see in the template, the artifacts location is no longer hard coded, instead it is using the deployment function to call the artifacts uri.Long store short, when I run the template installation from local files on my computer, I get the error below saying that the templateLink doesn't exist:Apprantly it happens because the deployment function does not respond with the templateLink information if you run the deployment using local templates.Anyone ran into this issue before? Trying to install r80.30 using ARM template version below:"templateVersion": "20190805"thanks in advance.
jfabian
jfabian inside General Topics Friday
views 88 1

Problem with VPN AMAZON(AWS) ​​CHECK POINT

I have several VPNs against AWS, it happens that at random there is no more traffic.   When the fault occurs, there are the following symptoms:  -Up Tunnel -Phase 1 and Phase 2 established   The problem is resolved when we restart Ike at the checkpoint (vpn tu - 7), but after a while it happens again. The configuration of my Tunnel is as follows:  IKv1 Phase I.  -Encryption Algorithm: AES-128 -Data Integrity: SHA1 Diffie-Hellman group: Group 2 (1024bit)  Phase II -AES-128 Data Integrity: SHA1 IKE Security Association (Phase2): Use perfect Forward Secrecy (group 2) Ike Phase I. Renegotiate IKE Security associations every (minutes): 480  IPsec (Phase 2): Renegotiate IPsec security associations every (seconds): 3600 Nat: Disable NAT inside the VPN community DPD configured in the Cluster and AWS Community VPI and Ping interfaces on static routes Tunnel Management -Permanent tunnels: establish permanent tunnels: in all the tunnels of the community.  -VPN Tunnel Sharing: One VPN tunnel per Gateway pair. VPN ROUTING: to center or, even the center, other satellites, the Internet and other VPN objectives DPD configured in the Cluster and AWS Community VPI and Ping interfaces on static routes when I see the records, it's dropping by rule clean up please your support, the tac still does not find the cause
Rajput_Arvind
Rajput_Arvind inside General Topics Friday
views 73 3

Splunk Support with R80.10

Hi All, We are upgrading MDS from R77.30 to R80.10. Currently Splunk is integrated with R77.30 MDS. Do we need to perform any step on R80.10 MDS to make the Splunk work with R80.10 CMA. Some document says Splunk Add-On for Checkpoint needs to be installed on Splunk itself. But some document says Log exporter also needs to be installed on R80.10 MDS. Please share your thoughts. Thanks,Arvind Singh
sdjohnson2019
sdjohnson2019 inside General Topics Friday
views 58 3

CPUSE Clish

Hello All,I have a task of upgrading some Checkpoint firewalls none of the firewalls have internet connectivity from the CPUSE software, but i have managed to download the updated software to my laptop & then import to the firewalls.But one firewall is not playing ball, in the CPUSE GUI it doesnt even have the IMPORT option. R77.30 Deployment Agent build 1677.But i can import the software via the backup software panel, so the software is on the firewall in the following path/var/log/CPbackup/backups/Check_Point_R77_30_JUMBO_HF_1_Bundle_T345_FULL.tgz &/var/log/CPbackup/backups/Check_Point_R77_30_JUMBO_HF_1_Bundle_T345_FULL.tarSo i am now trying too follow the document below.https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk92449#How%20to%20work%20with%20CPUSE%20-%20How%20to%20install%20a%20CPUSE%20packageHostName:0> lock database overrideImport the package from the hard disk:Note: When import completes, this package is deleted from the original location.Import package from hard disk ???????? How ?? To me this doc bypasses the most import bit of info ???I will keep looking for info aswell. TaAny ideas, Thanks anyone.
GGiorgakis
GGiorgakis inside General Topics Friday
views 70 1

Identity awareness communication

Does Identity awareness use communication over TLS1.0/1.1/1.2 using AES-128/256 algorithms against the Domain Controllers?
Matt_Taber
Matt_Taber inside General Topics Thursday
views 4131 7 18

HTTPS Categorization ... a drama

Thought I would share a situation we dealt with yesterday and into the wee early morning hours of today.We started receiving reports that users were having intermittent issues with multiple google.com sites (drive, cse, apps, etc.).   While troubleshooting with curl and openssl on the cli, we discovered that the issue was the app/url blade was dropping connections (erroneously) on some Google IP addresses(dropped by: fwpslglue_chain Reason: PSL Drop: ASPII_MT in fw ctl zdebug drop), while correctly passing the traffic on others.For those that don't know, with HTTPS Categorization (not Inspection) the determining factor that the gateways use for a permit or drop is the CN in the certificate that is returned from the server.  It does not (supposedly) rely on IP addresses.  It doesn't see the FQDN being requested as it's encrypted traffic.After hours (and multiple shift changes) working with support there was still no solution in sight.  We rolled back APP/URL policies to a know good date to no avail.  We failed over, we rebooted, and failed back over.  We cleared out the APP/URL local cache on the gateways and set them to clear on policy installation.  Running debugs on app/url, and rad, etc......We performed packet captures on both the working and non working traffic.  We pulled the cert (*.google.com) out of the capture and verified the certs were identical in both the working and not working captures.  We, as well as CP support were surprised that the certs were identical.  If the CN is the deciding factor, why would an identical cert behave differently based on what IP address the FQDN was resolving to?  We thought for sure the cert would be different.At this point we debugged wstlsd while still running curl/openssl tests.  To our surprise, none of our test traffic was showing up in the debug.  Finally, this tipped of our support rep and the magic command came was issued:fw tab -t cptls_server_cn_cache -x -y"The cache saves mapping between IP+Port to CN (Certificate's Canonical Name) and a flag if the CN is valid. The table will go up to 10,000 entries and be cleared automatically to make room for new entries."There's not much in the support portal regarding this cache.  Only pertinent match was: sk120775Eureka, after running this command we were fully functional on all the Google IPs we were testing.  There either had to be:1) A miscategorized association between IP+Port & CN2) A corrupted entry for the aboveAfter we resolved this it was apparent why a failover/reboot/failover did not resolve anything, the connections/caches all stayed in sync/active with the invalid information.After so many hours (11 I think?) chasing this down, we did not pursue a RCA on why the cache entries were victimizing us.  We were just glad we found them and could go to bed.Hopefully someone will run across this article and it saves their bacon (and 11 hours).TL;DR: HTTPS Categorization doesn't use IP addresses directly for categorization purposes, but it sure does cache them.
NetworkEngg09
NetworkEngg09 inside General Topics Thursday
views 83 1

Policy from a Gateway to a new Management Server

Hello Checkpoint Experts, I need some direction on the following issue:We have had to rebuild our Security Management Server because the VM was accidentally deleted, and guess what, with no backup of the Management Server so, it cannot be restored. We are in the process of building the new management server now and I am wondering how can i get the Policies which are currently active on the Gateways back on the management server.Please advise. Note: the Gateways are in production and are working fine at the moment.RegardsRishi