This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Johannes_Schoen
Collaborator
‎2019-01-17 06:04 AM
Jump to solution

Change GAIA SSL-Port R80.20

Hi Guys,

I'm preparing for CCSA R80 and when I try to change the SSL-Port from Gaia through clish, the following output is given:

cp-mgmt> set web ssl-port 4434
WARNING This command is for initial use. SSL port should be set through SmartCon
sole. Changing the port may cause inconsistency with the settings on the SmartCo
nsole.
Are you sure you want to continue?(Y/N)[N]
n

I cannot find any option to set the ssl-port for a GAIA system from SmartConsole.
The SecurityManagement Guide for R80.20 got no hits, when searching for "ssl-port"

Does anyone know where to find that option?

Best Regard

Johannes

0 Kudos
1 Solution

Accepted Solutions
Alessandro_Marr
Advisor
‎2019-01-17 08:34 AM
Jump to solution

Johannes, the command set web ssl-port <port number> is correct and, remember, after execute this command you need to save this configuration with "save config". To verify you could run " grep 'httpd:ssl_port' /config/db/initial  "

sk91380

(8) Changing the Gaia Portal port in Clish results in warning

"WARNING This command is for initial use. SSL port should be set through SmartDashboard. Changing the port may cause inconsistency with the settings on the SmartDashboard. Are you sure you want to continue?(Y/N)
[N] 
"It is recommended to change the port using the Platform Portal section of the object in SmartDashboard. 
Add the port to the end of the Main URL and push policy. "show web ssl-port" should now display the port in the Main URL
Show / Hide Solution 

For Security Gateway:

In SmartConsole, perform:
  1. Open the Security Gateway / Cluster object and go to the "Platform Portal" pane.
  2. In the "Main URL" field, set the desired port (e.g., port 4434):
    https://IP_ADDRESS:PORT
  3. Click on OK to apply the changes.
  4. Install the security policy on this Security Gateway / Cluster object.
Note: Using Clish to change portal port on Security Gateway will be overwritten on a policy installation. After the change the httpd process can be seen listening to the new port with "netstat -lpn|grep port". Port 443 is handled by he mpdaemon and will not be listed in netstat.

For Security Management Server:

  1. Connect to command line on Security Management Server and log in to Clish.
  2. Set the desired port (e.g., port 4434):
    HostName> set web ssl-port <Port_Number>
  3. Save the changes: HostName> save config
  4. Verify that the configuration was saved:
    [Expert@HostName]# grep 'httpd:ssl_port' /config/db/initial

View solution in original post

10 Replies
_Val_
Admin
Admin
‎2019-01-17 06:12 AM
Jump to solution

Here we go: Platform portal under GW object. 

Now, the main question is, why do you want to change SSL portal port from the default one?

Johannes_Schoen
Collaborator
‎2019-01-17 06:19 AM
In response to _Val_
Jump to solution

yeah, that looks good.

But it seems, that you cannot change the default port for a mgmt server.

I guess you still need to change the admin-port from 443 to 4434 like in R77 when configuring CaptivePortal or sth. which also uses port 443.

But strange - when I add a new Gateway, the menu looks like the one in the picture, no Platform Portal branch

0 Kudos
_Val_
Admin
Admin
‎2019-01-17 06:31 AM
In response to Johannes_Schoen
Jump to solution

Yes and no. 

In your example, you are on SMS. There is no Captive portal or any other GW side functionality, so no need to change SSL port. You still have Platform Portal option for GWs, as shown above.

0 Kudos
Norbert_Bohusch
Advisor
‎2019-01-17 06:56 AM
Jump to solution

On SMS/MDM the Gaia Port can be defined using the clish command „set web ssl-port“.

This is then default port for Gaia, Smartview, REST-API.


On gateways and clusters the platform portal is defining the Gaia Port but you can define different ports for UserCheck, MAB, IA CaptivePortal and maybe I forgot others.


In background everything is handled by multi-portal daemon which forwards requests on relevant port and path to relevant daemon/functionality listening on high-port.

Alessandro_Marr
Advisor
‎2019-01-17 08:34 AM
Jump to solution

Johannes, the command set web ssl-port <port number> is correct and, remember, after execute this command you need to save this configuration with "save config". To verify you could run " grep 'httpd:ssl_port' /config/db/initial  "

sk91380

(8) Changing the Gaia Portal port in Clish results in warning

"WARNING This command is for initial use. SSL port should be set through SmartDashboard. Changing the port may cause inconsistency with the settings on the SmartDashboard. Are you sure you want to continue?(Y/N)
[N] 
"It is recommended to change the port using the Platform Portal section of the object in SmartDashboard. 
Add the port to the end of the Main URL and push policy. "show web ssl-port" should now display the port in the Main URL
Show / Hide Solution 

For Security Gateway:

In SmartConsole, perform:
  1. Open the Security Gateway / Cluster object and go to the "Platform Portal" pane.
  2. In the "Main URL" field, set the desired port (e.g., port 4434):
    https://IP_ADDRESS:PORT
  3. Click on OK to apply the changes.
  4. Install the security policy on this Security Gateway / Cluster object.
Note: Using Clish to change portal port on Security Gateway will be overwritten on a policy installation. After the change the httpd process can be seen listening to the new port with "netstat -lpn|grep port". Port 443 is handled by he mpdaemon and will not be listed in netstat.

For Security Management Server:

  1. Connect to command line on Security Management Server and log in to Clish.
  2. Set the desired port (e.g., port 4434):
    HostName> set web ssl-port <Port_Number>
  3. Save the changes: HostName> save config
  4. Verify that the configuration was saved:
    [Expert@HostName]# grep 'httpd:ssl_port' /config/db/initial
Alex_Tooze
Contributor
‎2019-04-25 05:29 AM
In response to Alessandro_Marr
Jump to solution

Hi,
Having done this, the mgmt_cli command could no longer connect to the server, even though 'api status' appeared OK. Reverting port back to 443 fixed this. How can we make the change and ensure the API port is also updated?
Thanks
0 Kudos
Václav_Brožík
Collaborator
‎2019-11-29 06:56 AM
In response to Alex_Tooze
Jump to solution

You have to connect to the new port when invoking login. You can do this either using the --port CLI option or using the environment variable MGMT_CLI_PORT.

Examples:

a)
mgmt_cli login --port 4434 -u username-p userpassword > sid

b)
export MGMT_CLI_PORT=4434
mgmt_cli login -u username-p userpassword > sid

Unfortunately I did not find a way how to specify the port for the mgmt command in clish. It does not understand the --port option and it does not obey the MGMT_CLI_PORT environment variable.
0 Kudos
johnnyringo
Advisor
‎2020-10-22 02:33 PM
In response to Václav_Brožík
Jump to solution

Isn't there a way to run GAIA on only the Management interface, and run other Portals on External/Internal interfaces?  

Seems like that would be the simpler solution to this problem.  

0 Kudos
genisis__
MVP Silver
MVP Silver
‎2023-09-11 03:59 AM
Jump to solution

Anyone seen this issue?
Updated R81.10 ssl port from 443 to 4434 (on a new manager with migrated data) after this I get the following message when attempting to access the GAIA portal:

HTTP Status 404 - Not Found

Type Status Report

Description The origin server did not find a current representation for the target resource or is not willing to disclose that one exists.

 

Apache Tomcat/9.0.71

---
# grep 'httpd:ssl_port' /config/db/initial
httpd:ssl_port 4434

Port looks set correct looking at the above

0 Kudos
genisis__
MVP Silver
MVP Silver
‎2023-09-16 03:01 AM
In response to genisis__
Jump to solution

TAC provided the solution, its known that when upgrading Endpoint Server from R80.40 or less to R81.x or above the httpd/httpd2 ports can get mixed up.

Resolution to this is documented in SK172485
#$UEPMDIR/system/install/gaia_apache_conf_regenerate 4434
#uepm_apache.sh port 443

 

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events