Multi-Domain Management

Discussions related to Check Point's Multi-Domain Security Management solution, also known by its legacy name: Provider-1.

FWM dies quietly on CMA R0.20

Just wondering if anyone else has noticed issues with FWM on CMA - shows as UP on mdsstat but actually is not responding. Then you do mdsstop_customer and that particular FWM still shows in UP state. Kill manually and start CMA, then all starts working again. I simply haven't had time to run any debugs yet but would be interesting to know if we are alone with this.
cp_mummy inside Multi-Domain Management Thursday
views 143 4

static routing in vsx vsls solution using CLI

Hi guys, Newbie here! I have a quick question about cli configuration in a vsls solution, is it not possible to add static routes via cli or am I just missing something. I've seen that I can do dynamic routing when I go into a specific context but can't find anything else than "static-mroute". btw, I have tested vsx_provisioning_tool and it works great, but I was kind of confused as it is possible to configure bgp via CLI. Anyways, I will also test bgp and would be really grateful to hear from anyone who has experience in running bgp in checkpoint. thx 😊 @Jim_Oqvist @PhoneBoy @G_W_Albrecht @HeikoAnkenbrand @Timothy_Hall
piotrsz90 inside Multi-Domain Management Tuesday
views 609 7 1

Management API

Hello, Multi MDS R80.10. Is there any way to non-interactively install policy using management API? I'm asking because I want to script policy installations to happen periodically, as there is no option to use expect, how can I go through policy installations non-interactively?
inside Multi-Domain Management Tuesday
views 175 2

White Paper - Identity Awareness in Multi-Domain Environment

This white paper is focused on a scenario of enforcing identity-based policies on security gateways running version R80.30 and earlier in a Multi-Domain environment. It specifically provides recommendations and describes procedures how to enforce identity-based policies for users from other Management Domains.   Author @Anton_Razumov  For the full list of White Papers, go here. 
Sajenthiran_Mic inside Multi-Domain Management a week ago
views 200 2

find object string in all cma

I have an object called "departent_svr_cms_mike" in each cma. I am searching for a way to find all host objects containing the string "cms " in the name. Is there a way to do this type of query?
deepakk inside Multi-Domain Management a week ago
views 265 5

Want to export object , policy file from checkpoint R77.30

Hi, We are managing 10 context (virtual firewalls) on single physical firewall 4800 in Active-active mode. We are trying to check object list, policies, routes of individual firewall or complete MDS but failed to collect. Tried to export Objects_5_0.C file (From MDM) but it is showing only 9000 address object which has shared/global objects. local firewall objects are not showing. Tried to export Objects_5_0.C file but address object count is not correct. Checked below paths but backup neither showing for individual context nor for complete Firewall:
1. Objects_5_0.C - found this on: /opt/CPsuite-R77/fw1/conf
2. Rulebases_5_0.fws - found this on: /opt/CPsuite-R77/fw1/conf
3. PolicyName.W - a file with extension ".W", the filename takes the policy's name (by default Standard.W). Those files are stored in the SmartCenter (Management) under "$FWDIR/conf"
Please suggest. Thanks in advance
Sanjay_S inside Multi-Domain Management 2 weeks ago
views 280 5 2

Upgrade MDS from R80.10 to R80.30

Hi All, Please let me know the pre-requisites to upgrade the MDS from R80.10 to R80.30 directly? Also installation guide suggests clean install, but we do not want to go with Clean install and then migrate all the domains one by one. Instead of clean install can we go with CPUSE to upgrade? Wish to get the response as soon as possible please. Regards, Sanjay S
Jose_Luis_Mart1 inside Multi-Domain Management 2 weeks ago
views 262 3

Error migrating MDS from R80.10 to R80.30

Hi all! We've been trying to upgrade our MDS from R80.10 to R80.30. We almost got it. Everything went well except for two CMAs that didn't work because of an unknown error. We had a similar problem when we upgraded from R77.30, so we tried what we did then:
1. Create clean CMAs in R80.30
2. migrate export of the CMAs in the R80.10 MDS
3. cma_migrate
... then we get this error:
Source management version detected:R80
======================================================================
>>> Executing Source Version Upgrade Path Checker
======================================================================
>>> Executing Source Version cma_migrate Path Checker
Error:   cma_migrate is not supported from version R80.XX
Is that so? Can't we do a cma_migrate "inside" R80? How could we move/upgrade a single CMA then? thanks
Kaspars_Zibarts inside Multi-Domain Management 3 weeks ago
views 410 7 3

R80.20 MDS restore missing over a month worth of data

This is a bit of SOS call if anyone else has seen this. Was forced to restore our production MDS this morning. So not a biggie. Backup was taken yesterday and restore worked just fine. But then we noticed weird things that a lot of rules are missing and some topology push failed due to missing interfaces or routes on VSX. Then we realised that "newest" data we have on MDS is from 5th November! Ouch. Audit logs still show all the changes from yesterday but rules are gone. Quite a pickle we are in now as I don't believe backups from day before would be any better. We will keep trying but if anyone has seen/knows something would be great!
ravimahajan44 inside Multi-Domain Management 3 weeks ago
views 205 2

What is the maximum number of gateways that can be added to a management server?

What is the maximum number of gateways that can be added to a management server?
piotrsz90 inside Multi-Domain Management 3 weeks ago
views 246 2

tcl/expect packages for MDS

Hello, I'm doing interactive script on MDS (R80.10), so I want to get expect on it. As I read, kernel is RHEL based, so when installing expect package shall I follow regular RHEL procedure (offline)?
    # tar -zxvf expectx.xx.tar.gz
    # ./configure
    # make
    # make install
KR
Sn00pDoug inside Multi-Domain Management 3 weeks ago
views 252 2

MDS vs CMA policies

Hello Community! Is there a recommended way to manage multiple domains in terms of where best to apply any policies/objects etc, globally or on the CMA directly. Obviously some objects and access/threat policies will be relevant to single CMAs but it's easier/neater to manage globally so it's in one place and assign to each domain. For example I've been doing a lot of IPS exceptions on noisy false positives, which are typically relevant to a particular CMA. Unfortunately doing so requires creating objects on the MDS, essentially duplicating the objects on the CMA just with a different name. Which got me thinking, would it be better to just have all the objects globally? Or perhaps I should just keep my IPS exceptions per CMA? Thanks
Marcus_with_C inside Multi-Domain Management 2019-12-20
views 312 2 1

Global Management and Stealth Rule

Hi Checkpoint community, We were wondering if there is a way to create the Management Access and Stealthrule rules on a global Layer.
Our use-case: We are using a R80.30 MDS to manage our (mostly R80.20) firewalls, using Global Layer and Domain Layer for Rules. So our rulebase consists of Global Rules then Domain Rules then again Global Rules (including the Cleanup-Rule). We split our quite big corporate network into different zones (using VLANs and IP-Ranges to separate them). Hosts within the same zone can communicate via Any Port with each other, hosts in different zones can only communicate by a predefined set of allowed directions and Ports. Due to amount of connections covered by this rulebase, these rules are the ones with the most hits by far. Therefore we would like to have these rules at the beginning of each rulebase => on the Global Layer above the Domain layer. Since the Firewalls are the Gateways for all DMZ-networks and necessarily have IP addresses in these ranges, this rulebase would allow every host of a zone to reach every Gateway IP-Address ( = Firewall) of the same zone. As DMZ networks do not count as secure networks, this is a security risk we do not want to face. Currently we solved this problem by having the Management- and Stealth rule on top of each Domain Layer rulebase and the zone-rulebase in the Global Layer below the Domain Layer. Of course this is not ideal for performance.
My question therefore is: Is it possible to create a global Management and Stealth Rule above this zone-ruleset? For example by using some object/trick to
- tell the gateways that they themselves are the destination
- use the Policy Installation Target as destination in these rules
Or by any other possible way?
BR Marcus
Ankur_Datta inside Multi-Domain Management 2019-12-16
views 417 5

automating mds backup

Hi all, I am writing a script to automate mds backup. Will running mds_backup with the -b parameter create any problems? We are planning to run this script at midnight when nobody is logged in to management. As a precautionary measure, we will enable the setting to log out users from smart console after a specific idle time-out. Kindly also let me know if you have any suggestions please. Thanks
derilzemer inside Multi-Domain Management 2019-11-28
views 405 5 1

Validation error - empty Validation pane - reason Whitespaces

Hi, my name is Andreas. I'm from Germany and work in a data center for banks and I'm responsible for the operative part. I'm new and not the absolute expert in this case, but still I post something. My English is also not the best, so be patient with me. We have R80.10 in use and after changing some Objects and inserting many new Rules in the Policy of a CMA I got a Publish Failed. The Validation Pane is empty and so I have no more details about what happened 🤔. I know that we had the same problem at the beginning of the year and an old Case gave me the hint that the problem is related to a whitespace inside a Rulename. Instead of always asking the support to look for the mistake, I wanted to know how to do it myself. I would then document it a little bit, or is that already a kind of trade secret that you should not do that yourself or get any information about how to find the whitespace? Thanks for any help or hint. Regards from Germany, Andreas