cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post

Multi-Domain Security Management

Has checkpoint created a R80 certification test for Multi-Domain Security Management? 

MDS performance on R80.20 or above with xfs

Just wondering - whats the general feeling regarding R80.20 MDS file system for those who have upgraded from R80.10 and EXT3 - is the XFS filesystem faster and more efficient? We will be upgrading shortly from R80.10 (current take level) and were hoping for some increased performance in disk read/write.  
M_Ruszkowski
M_Ruszkowski inside Multi-Domain Management Wednesday
views 581 15 2

R80.20 MDS Slow

We are having performance issues with our primary MDS running R80.20. Like most people that upgraded from R77.30, we knew that R80.20 was more resource intensive. We purchased very large servers for this, since we run our MDS in VMware. We used multiple Cisco UCS servers with 96 cores, 1.5T Ram, a lot of SSD drives for each UCS server. We then installed VMware and built only one guest for now, the MDS. We used 48cores, 768G ram and assigned 8TB of storage for each MDS VM. All three of our virtual MDS servers are built to these specs on different UCS servers in different data-centers synced. And we just added MLM servers to offload logging.We expected this to be superfast. These VM servers doubled the specs of CheckPoint’s largest platform, the 5150. We only have 61 domains on the primary MDS and about 130 firewalls pointed to it.  Every time we turned on Firemon it would bring the MDS down and all the consoles would crash. CheckPoint support then said that we had too much logging and this was using up too much CPU. So we just installed MLM’s in the past three weeks and offloaded the logging. So now logging comes up way quicker in the SmartConsole. So this got faster. And we noticed the load value dropped from around 20 to about 8.  Even with the drop in load it is not significantly faster.  Consoles still take a while to load and view policy.  When someone reassigns the global policy this can take more than an hour and every console gets extremely slow,    It get worse if we turn on our tools.Whenever we turn on our Firemon collector it causes the load value to go from 8 to around 30. At this point all of our consoles start dropping out. We then have shut off Firemon and restart the MDS because the solr process is locked.   So we can no longer use Firemon. We verified the tuning parameters from CheckPoint’ VM tuning guide.The profile that the server is choosing is:CHOSEN_CPSETUP_PROFILE="131072 or larger without SME"In the Security Management – Performance tuning guide it mentions these values:NGM_CPM_MAX_HEAPNGM_CPM_SOLR_XMXRFL_RFL_MAX_HEAPSMARTVIEW_MAX_HEAPNGM_WEB_API_MAX_MEMORYOurs shows these set pretty low. We have way more resources that we could allocate to these settings.Does anyone know what these are set to in a 5150 with 256g RAM? I was thinking about doubling or quadrupling these memory values.  Maybe our server resources are not being detected and allocated properly.I am hoping that someone else out there may have some insight or has gone through this.  Any help is greatly appreciated.  
M_Ruszkowski
M_Ruszkowski inside Multi-Domain Management Tuesday
views 151 1

R80.20 MLM issues - SmatLog is blank

We have been working with CheckPoint on slowness with our MDS server.  Check Point stated that we need to purchase a MLM (two of them) and off load our logging.  So I just installed a brand new MLM 4 weeks ago on R80.20 and synced it to our MDS.  I then built about 20+ CLM's and everything seemed to work as expected.  As i was setting up new CLM's and changing the log config for each cluster to point to the CLM, we started running into issues.  The logs would not appear in the log view of the console.  Some CLM's worked and others did not.  I was able to verify that the the logs were on the CLM from the gateways.  I configured the log exporter and they were being exported to Splunk from the CLM.  Also you could see the fw.log file growing on the CLM.  However nothing would show in the console.  I continued to build new CLM's,  and three may work fine then the fourth one I built would do the same thing where the logs could not be seen.  I have 54 CLM's built and about 8 that will not work.  I have tried deleting them and recreating them.  We got two to work by just changing the color of the CLM object, publish, and then do an "install database" again.  This seemed to have synced something.   Sometimes ones that were working will just stop.  Then we have to change the object color again and install database again to get the logs back.So with all of that said...I have been on the phone with TAC/CFG and now R&D to get this to work.  And still no luck. It seems to be some type of sync issue between the MDS and MLM.  And we have ran the "clean dbsync" script several times with TAC.  This has been going on for a month.  Has anyone else ran into this issue?  Or are having issues with the MLM?Any help is appreciated.Regards, 
Leandro_Nicolet
Leandro_Nicolet inside Multi-Domain Management a week ago
views 191 1

SIC Issues - Internal SSL authentication SSL error (unknown)

Hi Folks. We are on R80.10 (take 184) running VSX gateways with a multi domain manager. We noticed last week on one of the VSX gateway clusters that policy installs were failing.Further investigation revealed SIC was failing on one gateway only in the cluster (of two). This was preventing a policy install to any VS on that gateway.We reset SIC from within the management CMA for the failing gateway and confirmed both gateways are responding to SIC. Re-installed the policy to the appliance (not the VS).Returning to the CMA managing several VS's, we still can't deploy to any VS on that firewall and get 'Internal SSL authentication SSL error (unknown). We can only deploy the policy to the firewall hosting the VS's from the management CMA.Also....upon resetting SIC and restarting services etc, the VS's stay in a 'down' state. They can be forced to start individually by going into each VS and doing a 'cphastart' along with 'fw ctl setsync start'. They do start with active/standby (we run VSLS), but the connection tables are not syncing.Bit of history....We did an export of R77.30 management 18 months ago and imported this onto new hardware. Same ip's and hostnames used etc.Couple of things puzzling me. First of all I would have thought both gateways in the cluster would fail of it was an expiration issue as both were deployed at the same time and SIC is working in the management CMA and we can install the policy to the appliance.Anyone seen this ? 
Gabriel_Support
Gabriel_Support inside Multi-Domain Management a week ago
views 219 2

Global Domain Assignment Failed: Failed to save the access policy assignment properties

Hi Guys, I am having some problem with assigning global policy to my domains. When I try to assign a global policy to some of the domains, I get this error "Global Domain Assignment Failed: Failed to save the access policy assignment properties"I thought maybe a session is lock somewhere..I clear out all session and still having the same issue. We upgraded from R77.30 to R80.30. Everything looks good after the upgrade except this global policy assignment issue.Any thought or idea on what to check next? I got a ticket open with TAC but no traction so far.
Pavol_Toman
Pavol_Toman inside Multi-Domain Management a week ago
views 331 4 2

Merging multiple CMAs into one

Hello all,Our Check Point MDS server has 4 CMAs (Domains) with approximately 10 firewall clusters in each (in total 80 security gateways). Whole environment, MDS and all the security gateways are owned by single customer. We are considering merging 4 CMAs into one and changing Multi Domain Management Server just to Management Server. Do you think it is a good idea or did someone of you such a migration? Any experiences how to do it in-house or do we need to engage Check Point professional services?Thank you
John_Fleming
John_Fleming inside Multi-Domain Management 2 weeks ago
views 280 2

R80.30 management server endless loop

I recently upgraded my GNS3 lab and found out that after running a mgmt server for a few hours, basically doing nothing, the mgmt server would become unreachable even after reboot. After much trouble shooting i bumped into known issues for R80.30 (granted says R80.20). Lab VM would boot and java would spike to %100 on a single cpu. PMTR-21441,PMTR-22269On oVirt virtual platforms, it is not supported to use the "kvm-clock" as the clock source (/sys/devices/system/clocksource/clocksource0/current_clocksource). This can cause the management processes to stuck in an endless loop with a very high CPU usage (almost 100%). R80.20 My hypervisor is Linux KVM / Qemu. I changed the clocksource to hpet inside the VM (as sure enough its running kvm-clock) and did a cpstop/cpstart and was able to login to the management server again. I checked the clock source the hyper visor was using and found out its using tsc which I've had issues with in the past in different systems.  FYI hardware is Dell R720 with 2 x E-2697v2 and ddr-1600. After changing to hpet on the hyper visor the VM seems to be working with kvm-clock again. My theory is the tsc clock isn't high resolution enough (or is just terrible for some reason) and its problems are being passed down to kvm-clock which is making java angry. So far this seems resolved. I'll do more testing and report back if kvm-clock still continues to have issues post hyper visor change to hpet.
vtlikinio
vtlikinio inside Multi-Domain Management 3 weeks ago
views 279 5

How to extract GAIA OS in VMWARE Converter?

We are trying to extract a Multi Domain Management Gaia OS to be converted in VMWARE. 
Rajput_Arvind
Rajput_Arvind inside Multi-Domain Management 3 weeks ago
views 290 6

Does R80.10 support cron job?

Hi,We have existing MDS running on R77.30 where we have configured cron jobs. So can anyone let me know if I can copy these cron jobs as it is to R80.10 MDS. Thanks,Arvind Singh
Rajput_Arvind
Rajput_Arvind inside Multi-Domain Management 3 weeks ago
views 189 5

How to find Non-Unicode Character in R77.30 MDS

Hi,We received below when we run Pre_Upgrade_Verifier on R77.30 MDS. It suggests to run  Check_Point_R80_Encoding_Detection_sk109795  to identify the non-Unicode encoding, but this is exe file which runs on Windows machine. So just wanted to know how I can find non-Unicode encoding by running this utility.When I run Encoding_Detection.exe, it doesn't ask for Domain management credentials. so not sure if this utility will help. Please suggest. Objects with non-Unicode charactersDescription: The database contains objects with non-Unicode characters. Remove the non-Unicode characters or follow the instructions in sk114739 before running the upgrade process.These tables contain objects with non-Unicode characters: fw_policiesnetwork_objectsservices Thanks,Arvind
Rajput_Arvind
Rajput_Arvind inside Multi-Domain Management 3 weeks ago
views 275 6

Unable to launch R80.10 Smart Console

Hi All,We have newly built setup of MDS server (Smart-1 5150) running with R80.10 with latest JumboHotfix. I can ssh and https, but can't access it via Smart Console. when I try to open it, I receive below error"Domain Failed to find domainIp<IP_Address> not found."Can anyone help to resolve this issue? Thanks,Arvind 
amy567
amy567 inside Multi-Domain Management 3 weeks ago
views 232 2 1

CCMSE EXAM

HiToday i given ccmse 156-820.77 exam . I got 62 score in exam. Total no of question in the exam is 80 and passing score is 70 percent. Then how i failed?. All other ccsa and ccse exam have same passing percentage 70 but no of question is 90. Can any one please help me. How to esacalete this. This is not good .I should pass CCMSE according to pass percentage
Maria_Pologova
Maria_Pologova inside Multi-Domain Management 3 weeks ago
views 597 6

Scheduled policy installation

Hello.For some reason scheduled policy installation on our MDM R80.20 is not being triggered. It worked once at the very first attempt.Does anyone came across such problem? Wondering where to dig in this case?  
Douglas_Rich
Douglas_Rich inside Multi-Domain Management a month ago
views 147 1

How to "show" only the value of a specific element with mgmt_cli

How to "show" only the value of a specific element with mgmt_cli I just want to get the value of a specific setting/element on a Check Point Object. Specifically this value:"logIndexer" : true, This is the command I have thus far and it shows everything but I want to be able to dial down to a specific object setting:mgmt_cli -r true -d "Dev_Test_Customer" -f json show generic-objects name "Dev_Test_Customer_Server" details-level "full" It was really simple in R77.30:$MDSDIR/bin/cpmiquerybin attr "" network_objects "class='host_ckp'" -a __name__,log_indexer