Routes are ok?

Can you reach gw2 from mgmt using SSH for example?

What are you seeing in log?

Have you tried capturing packets on gw1 using tcpdump/fw monitor?

Because this is the lab an you are trying to determine if your routing is OK, do the following:

In your SmartConsole go to Global Policy Properties and enable ICMP as well as "Log Implied Rules".

SSH into your branch gateway (or open an emulated console) and perform "fw unloadlocal".

Its default policy will be blocking ICMP.

Then verify that your routing is working and that you are getting ICMP responses where expected.

Configure Static NAT for the Management Server object to translate its internal IP into one of the available IPs in 192.168. network.

Cheers,

Vladimir

Vladimir,

Still facing same issue ,Unable to for SIC between Management to B-FW

Unable to ping Management 

help..

Thanks

You have no route on your gateway! As management is not in a directly attached network, you need to add correct routing!

@Akram_wasim , your management server's IP is not in your FW2 routing table.

If you want to ping it, provided the static NAT is assigned to the Management server's object, you should be able to ping the IP you are NATing it to, i.e. one in the 192.168.1.*/24 range.

Otherwise, provided you have ICMP enabled in Global properties, you should add a route to 10.1.1.25/255.255.255.255 to your BQF or specify the route to the entire 10.1.1.0/24 network with the next hop being external IP of your primary gateway.

If you are using WebUI, it is self-explanatory.

If you are trying to do this via Clish:

On your Management server (where SMS is the hostname of your management server):

SMS> set static-route default nexthop gateway address 10.1.1.111 on

SMS>save config 

On your HQ-FW1:

HQ-FW1> set static-route 10.2.2.0/24 nexthop gateway address 192.168.1.222 on

HQ-FW1> set static-route 172.16.2.0/24 nexthop gateway address 192.168.1.222 on
HQ-FW1>save config 

On your Branch-FW2:

BQFW> set static-route 10.1.1.0/24 nexthop gateway address 192.168.1.111 on

BQFW> set static-route 172.16.1.0/24 nexthop gateway address 192.168.1.111 on
BQFW>save config 

Hi,

Added all route as per instruction you had given to me  but same issue nothing has changed ,able to ping FW2 to Manager

Above are current routing table after you shared me new routes ,i added everything and enable icmp in the global properties ,,i done everything ,, This is so headache,, i am unable to figure out.

Show the route on your management server.

Have you created the firewall objects, defined their topology, configured security policy for the HQ-FW, published it and installed?

If not, you cannot expect this to work unless you perform "fw unloadlocal" on both firewalls.

Please show a screenshot of your policy here.

Please show the "Network" property of both firewall objects here.

P.S. In your management server's screenshot, the routes shown are NOT the one I have wrote you to add:

On your Management server (where SMS is the hostname of your management server):

SMS> set static-route default nexthop gateway address 10.1.1.111 on

SMS>save config 

VS. yours:

Your management server cannot know how to reach the 10.2.2.0/24 network, your HQ-FW does.

Vladimir ,

This is current scenario 

Manager to FW 1 - Ping working

FW1 to Fw 2 ping working

Fw2 to FW 1 Ping working

FW2 to Manager Ping working

real problem exist  " Manager to FW 2 Ping not working"

Is it because of VMnet setting or i really dont know mate.

I can see all routes in the routing table

Policy also install

why i dont know SIC is not establish FW2  to Manager ,when though all policy and routes available ,,why ??

Help ..

Hi Vladimir

Same issue

1. I have enabled the ICMP in Global properties

2. add default routes from BFW to FW1 external IP 

I am unable to ping ..

Pic 1 : Add static Nat from Manager to 192.168.1.112

Pic 2 : routing table FW 2

Can you ping from BQFW the IP of 192.168.1.112?

Have you enabled the "Log Implied Rules" in Global properties to see where your ICMP traffic is going in the logs?

You either use static NAT and refer to the Management server by its' NATed IP (the most common scenario in practice), or in your lab environment, do not NAT, but rely on static routes.

As shown in your screenshot below, the Static NAT is being applied to the "Security Gateway control connections".

This means that you should be able to establish SIC with BQFW even in the absence of ICMP, if your routing is correct.

Try performing "fw unloadlocal" on the BQFW and ping and trace route to it from your management server to see where things are breaking down.

Additionally, verify that on your Management Server the default route is configured to use FW1 internal interface as it's gateway.

Can you ping 192.168.1.222 from your HQ-FW1?  

Answer : No

Can you ping 192.168.1.111 from your Branch-FW2?  

Answer : No

Can you ping your 10.1.1.111 from your management server?

Answer : No

What do you see in logs when looking for ICMP traffic?

I dont know how to check ICMP logs in Checkpoint ,Can you share me the command in CLISH 

In Logs and monitor i cant find any icmp traffic

manager routes

Can you ping 192.168.1.222 from your HQ-FW1?

Can you ping 192.168.1.111 from your Branch-FW2?

Can you ping your 10.1.1.111 from your management server?

What do you see in logs when looking for ICMP traffic?

Now i am to ping Management -FW1-FW2 eachother

But SIC not forming ,,Still something is missing 

When you configured the branch firewall, have you configured it as a standalone or as a gateway only?

If it is configured correctly, as a gateway only and if you did not restrict its management in Gaia, reset SIC via cpconfig on the branch firewall, verify that its object configured properly, and re-initialize SIC for it.

I have some doubt whether i am setup VMnet setting correctly 

Do you have any idea of Vmwareworkstation Vmnet detting

in my case Management - Vmnet 1 

FW1 - Vm1 ,vmt 2 ,vmnet 3

FW2 - Vmnet1 ,Vmnet2,Vmnet3

I have one doubt,, I am almost there ,,