Unable to add security gateway to management
Hi
I'm planning to deploy a Check Point deployment into our network. I have used my security management as 'Smart-1 405 device' and 4 '3200' appliances as security gateways, where I'm planning to implement two gateways as Clusters and the other 2 for HA. I'm in the starting phase and I have installed and configured the devices and am able to ping from Gateway to Management, but unable from Management to Gateway. Moreover, I'm unable to add Gateways into the Management SmartConsole Dashboard. I have attached my topology and want to make sure this deployment is possible in this topology.
Is it mandatory that the security management device (Smart-1 405) be directly connected to at least one gateway (two '3200' devices)? I have an L3 Catalyst switch between Management and GW. Please clarify my questions.
Accepted Solutions
There are some unclear things in your post. You say you have 4 gateways, 2 for cluster and 2 for HA; what do you mean by that? Are you going to build 2 HA Clusters? Or are you going to build a Load Sharing cluster and 1 HA cluster?
On your network questions, your ping to the gateway fails due to the initial policy that does not allow any access to the gateway, except for the control connection from management. Therefore ping is dropped, but you should be able to SSH from management to the gateway.
When you say you're unable to add the gateway in SmartConsole, how are you trying to add the gateway?
The network does not need to be directly connected; we manage FWs with the management server in the EU and a gateway in Australia.
Hi
Is there a specific command to SSH from Management (CLI or SmartConsole)? I'm unable to find any commands on how to SSH from security management to the security gateway.
I'm able to add the Gateway into Management. I'm trying to add policies (ICMP, SSH), and while installing, the installation progress goes to 50%, and after some time 'Connection to the gateway is getting lost' and policy installation fails with the error: Operation Incomplete due to timeout.
I'm googling it and checking in the Check Point community. Nowhere am I able to find a proper solution for this. Could you suggest some inputs regarding the above error?
Thanks
You will need to connect to the gateway via console and type 'fw unloadlocal' to unload the policy you have pushed that is now blocking you.
I just changed the MGMT IP address from 192.168.1.1 to other IP address. Apart from this, I haven't changed anything.
Is it possible to log in to SmartConsole from my desk while my Check Point devices are in the datacenter? Usually, I'm able to log in only if I connect the MGMT port to my laptop's Ethernet port. Otherwise, I can't.
Successfully added the Security gateways to the MGMT. I have four GWs, and while trying to install policies, it succeeds for two GWs and fails for the remaining two, throwing the error below:
Policy installation failed on gateway. The gateway has a Cluster member license but is not defined as a Cluster member in SmartConsole. To view existing licenses and add new licenses, use SmartUpdate (see sk11054).
But the devices are brand new and licensed. Why am I facing this error while installing the policies?
You will need to connect to the gateway via console and type 'fw unloadlocal' to unload the policy you have pushed that is now blocking you.
Results:
1. I gave 'unloadlocal' to unload the policies.
2. I'm able to access all GWs via web, for example: https://GW1 ip address, https://GW2 ip address
3. I'm able to add the Gateways (four 3200 appliances) to my Management via the Management SmartConsole dashboard.
4. Added some policies and pushed the installed policies.
5. Once done, getting an error like Firewalls not installed on 'two' of the gateways and marked as 'RED CROSS' in status.
6. After that, unable to access those two GWs via web.
Please help on this.
When you say you have 4 gateways, you need to create 2 new Cluster objects and add 2 gateways to each. The license message tells me that you did not create a cluster object, just 4 gateways.
I accidentally deleted the standard policy, then added the GWs again and tried to install policies, but I'm unable to find the standard or default policies after I deleted and added the GWs again.
Is there a way to restore the standard policies in MGMT SmartConsole? Can you provide the detailed steps?
It is loaded at boot time before the real policy is installed.
There is a policy called "Standard" on first install but it literally has no rules in it to begin with.
Other than the various implied rules, which are generally configured in Global Properties (not in the rulebase), all rules must be defined by the admin.
So restoring your rulebases to default would mean deleting all but one entitled "Standard" which would be empty.
I suspect what you're asking is to restore a policy that may have previously existed.
Unless you've taken a backup, you will need to recreate it.
You may be able to reconstruct it based on the audit logs.
OK. I created a New Policy tab under 'Manage policies and Layers' and added some basic services such as SSH and ICMP between MGMT and the GWs. While installing policies, I'm getting an error such as:
Internal Error occurred during the verification process.
Policy verification failed.
I'm having certain concerns:
Do I have to configure a 'port channel or bond interface' between the 'Cluster Load-sharing Multicast' and the 'Catalyst 3750 switch'?
What set of configurations do I have to do between them (I heard things like disabling IGMP, port mirroring, etc.)? I'm not very clear about the configurations between the Cluster devices and the Catalyst switch. Please help me on this.
