Maciej_Maczka inside Multi-Domain Management Monday
views 1231 5 4

VPN Domain per VPN community

Hi, Do you have any information about "VPN Domain per VPN community" development progress? According to: Video Link : 6473 Scheduled to Q3 2018. Best Regards MM
Michael_Goodwin inside Multi-Domain Management Monday
views 2538 13 4

R80.10 MDM import

If I'm running a R80.10 MDM, and I am onboarding a new managed customer into this environment from their already existing management server, it seems the import process that used to work for R77.30 MDM is broken. We used to be able to take a migrate export from the stand-alone manager and use the CMA import tools to bring this into a new domain within the MDM. Similarly if the customer used to be on another provider's MDM, they could get the migrate export from that MDM and we could import into a new domain. Reading through the community, I see a few options about API usage, but this would require re-creation of objects which the API cannot support (gateway objects - and therefore SIC etc), so this is certainly more intense than I would like, and is nowhere near as straightforward as it was? Is there anything I'm missing here? What's the best practise way to onboard an existing R80.10 customer into an R80.10 MDM? Thanks
Michal_Gans inside Multi-Domain Management a week ago
views 49 2 1

Cannot connect to CMA behind s2s, firewall routed return traffic to inf by route not into s2s tunnel

We have s2s (terminated on FWext) to mng network in customer environment and we can connect to all assets (including both MDSs and CMAs not related to FWext) except both CMAs (from domain where FWext is used in policy). I tried to debug the issue and I found that the return packet from CMA goes to FWext, but FWext used the routing table and sent it to some interface, not into the s2s tunnel. Because it is not a critical problem for us, I do not want to open an SR on it and would rather try to find a solution by digging deeper. So my question: do you have any idea where to start (I think it will be a matter of kernel debug commands but I'm not sure).
Ankur_Datta inside Multi-Domain Management a week ago
views 221 5

Rule section fields missing in log in R80.20 Smart view tracker

Hi All, We have a MLM installed in data centre with 23 CLM configured. Admin was checking logs through R80.20 Smart view tracker. In log we see empty fields in Rule section. R80.20 version is installed with hotfix take_87. PFA snapshot. Whereas when we view logs in logs and monitor through smart console we can see rule number, rule name etc. Kindly advise.
George_Ellis inside Multi-Domain Management 2 weeks ago
views 45 1

New R80.10 SmartConsole that *works* with .NET 4.8

This might affect other consoles, but .NET 4.8 broke sorting names in a bunch of the dialogs in the SmartConsole. Build 137 was released yesterday and fixes it. I can scroll down again!*
* I could scroll down if I uninstalled 4.8, installed 4.7.2. But then software distribution would put me back on 4.8. 😉
Roy_Smith inside Multi-Domain Management 2 weeks ago
views 1636 4

Leading Interface for MDS and CMA

Hi, We currently have a MDS cluster on R80.10 and are now looking at upgrading to R80.30. In looking through the upgrade guide, I came across this in the prerequisite section: On Smart-1 appliances with Multi-Domain Server or Multi-Domain Log Server installed, if you configured an interface other than Mgmt as the Leading interface, the upgrade process or clean install process (with CPUSE) configures the interface Mgmt to be the Leading interface. To configure another interface as the Leading interface after the upgrade, see sk107336. When I checked both management devices, I discovered that the standby member has the leading interface configured as eth1. Therefore, I thought it would be straightforward to change this to Mgmt, prior to upgrading to R80.30, as this device is in our DR server room at a remote location. So, I changed the IP address on eth1, disabled the interface, added the management IP to Mgmt, enabled the interface and moved the network cable. I also changed the entry in $MDSDIR/conf/external.if from eth1 to Mgmt. After MDSSTOP/MDSSTART, in SmartConsole, I get the message "no active server is present" under the standby server for each domain. SK107336 refers to changing the IP address but I am not changing the IP address and do not want to change it. Is there another setting somewhere to tell the CMA which interface to use? Has anyone tried to do this? Thanks Roy
Herold inside Multi-Domain Management 2 weeks ago
views 454 1

HA MDS setup where some domains are initially created on the primary and some on the secondary

Hi, My customer has an HA MDS setup where some domains were initially created on the primary and some on the secondary. I have two questions regarding such an environment: 1- Is there a way to normalize the situation so that all domains, even the ones that were created initially on the secondary, consider the primary MDS as the main one? 2- What would be the best way to upgrade the two MDS servers from R80.10 to R80.20? Regards, Herold
Richard_Quick inside Multi-Domain Management 4 weeks ago
views 353 2 1

R80.30 MDS BUG/RFE tracking

Hello all, I'm creating this post to try and help us have a consolidated place to track any large scale issues we are seeing with R80.30 MDS as well as a "braindump" for RFE's that we have submitted or will submit. Criteria for posting a bug are: 1) An SR must be open with Check Point - The reason for this is that it will help eliminate bugs that aren't really causing you an issue. If you are willing to open a ticket then I think you are willing to participate and look for a solution. Please don't post any SR numbers but feel free to reach out to the user to see if they are willing to provide it. 2) The issue can be reproduced - If this is something that only you are experiencing then it could be due to hardware, custom software added on etc. If someone here or Check Point can reproduce it then it's possible to find a solution. This also removes any what if's and we work off factual information rather than assumptions. Thanks for participating!
George_Ellis inside Multi-Domain Management a month ago
views 1459 5 1

Global Objects load into gateway memory?

This appears to be confusion among some folks. In the MDM environment, while using global objects, some folks think that the global objects (all of them) load into memory on the gateway with the policy. I have asked before and the answer I got was that objects are conveyed to the endpoint, but are not in the compiled policy unless they are used in the policy. Someone is thinking that we should abandon global objects to save memory in some of the domain firewall policies that load into the gateway policy in memory. That does not make much sense. Anyone know differently?
Richard_Quick inside Multi-Domain Management a month ago
views 1004 3

R80.30 MDS "bug/feature" tracking

I was thinking it might be useful to have a "bug/feature" tracking page for those of us brave enough to jump into R80.30. We are doing a rollout of 1000+ gateways and 450+ domains so we are seeing some oddities and opening tickets on them as well. I thought it might help identify possible issues and provide reference tickets if we see the same issues. Would this be a good forum for that? If so then I will create a new post. This is just to get feedback prior.
Irek_Romaniuk inside Multi-Domain Management 2019-07-17
views 354 1

Finding LAN IP of Smart Provisioned gateway

I am looking for a way to retrieve a list of my smart provisioned (centrally managed) gateways, including name, external and LAN (internal) IP addresses (R77). I know I can easily get gateway name and external IP address using SmartLSM LSMcli. See example below where I find external IP 1.1.1.1 for a gateway with name Irek-11.
# LSMcli 10.254.253.237 user password Show -F=nibtp | grep Irek-11
Irek-11 0.0.12.205 1.1.1.1 "VPN-1 Express/Pro ROBO" Z_IRom1100-77.20
So above command without grep will produce a list of names and external IPs at least. But I can't find LAN IP address of this gateway other than in GUI. I need cli command or file (mgmt server of firewall) where I can find it.
Peter_Lyndley inside Multi-Domain Management 2019-07-15
views 843 5 3

You have to stop the MDS to import a CMA ?!

I am in disbelief this morning... This is our first attempt to import/migrate_CMA whilst on R80.20 and now I find the following
cma_migrate /var/log/xxxxxxx.tgz /opt/CPmds-R80/customers/xxxxxxxxx_CMA/CPsuite-R80.20/fw1
Your Multi-Domain Server should NOT be running while you import.
cma_migrate will now stop the Multi-Domain Server.
Do you want to continue [yes/no] ? no
Surely the whole point of a multi-domain, multi-tenanted solution is that you can build a new customer management domain whilst still running the rest of the production domains - apparently not any more in R80.20 - we could in ALL previous versions of Check Point... why no more? Does anyone have any insight into this please? thanks Peter
PhoneBoy
inside Multi-Domain Management 2019-07-15
views 1645 4
Admin

Support for multiple TACACS servers for administrator authentication

It is possible to define a group of RADIUS servers that can be used to authenticate access to SmartConsole, but you can only define a single server for TACACS+. Any plans to improve this?
Ashish_Ekka inside Multi-Domain Management 2019-07-14
views 1475 3 1

SSHv2

Hi Team, What is the command to check the sshv2 on firewall? If we need to enable only sshv2 for accessing firewall then how to do it?
Adam_Styles inside Multi-Domain Management 2019-07-12
views 850 1

Check Point MDS Failover/HA

Hi all, We're deploying our first Check Point environment and have 2 x Smart-1 5050 in Multi-domain mode that we'd like to set up. I was hoping someone would be able to help me with some questions: 1. The MDS are online and I need to set up HA. I'm assuming I do this by connecting to the x.x.x.x\MDS instance via Smart Console and setting the secondary domain server up here. Do I also need to add the secondary server as an object and sync when I'm inside of a domain? So for example if I then left the MDS instance and connected to x.x.x.x\Domain1 via Smart Console - do I need to set up HA in here? 2. I have imported the licenses in to Smart-1 and they now have an expiration date of never but when adding a new device in to their domain I'm not able to enable any blades, they are all greyed out. Are you able to advise why? Thanks