Multi-Domain Management

Discussions related to Check Point's Multi-Domain Security Management solution, also known by its legacy name: Provider-1.

find object string in all cma

I have an object called "departent_svr_cms_mike" in each CMA. I am searching for a way to find all host objects containing the string "cms" in the name. Is there a way to do this type of query?
Sanjay_S inside Multi-Domain Management Wednesday
views 181 5 1

Upgrade MDS from R80.10 to R80.30

Hi All,

Please let me know the pre-requisites to upgrade the MDS from R80.10 to R80.30 directly? Also, the installation guide suggests a clean install, but we do not want to go with a clean install and then migrate all the domains one by one. Instead of a clean install, can we go with CPUSE to upgrade? Wish to get the response as soon as possible please.

Regards,
Sanjay S
Jose_Luis_Mart1 inside Multi-Domain Management Wednesday
views 204 3

Error migrating MDS from R80.10 to R80.30

Hi all!

We've been trying to upgrade our MDS from R80.10 to R80.30. We almost got it. Everything went well except for two CMAs that didn't work because of an unknown error. We had a similar problem when we upgraded from R77.30, so we tried what we did then:

1. Create clean CMAs in R80.30
2. migrate export of the CMAs in the R80.10 MDS
3. cma_migrate... then we get this error:

Source management version detected:R80
======================================================================
>>> Executing Source Version Upgrade Path Checker
======================================================================
>>> Executing Source Version cma_migrate Path Checker
Error:   cma_migrate is not supported from version R80.XX

Is that so? Can't we do a cma_migrate "inside" R80? How could we move/upgrade a single CMA then? Thanks
piotrsz90 inside Multi-Domain Management Tuesday
views 149 5

Management API

Hello, Multi MDS R80.10. Is there any way to non-interactively install policy using the management API? I'm asking because I want to script policy installations to happen periodically. As there is no option to use expect, how can I go through policy installations non-interactively?

FWM dies quietly on CMA R80.20

Just wondering if anyone else has noticed issues with FWM on CMA: it shows as UP in mdsstat but actually is not responding. Then you do mdsstop_customer and that particular FWM still shows in the UP state. Kill it manually and start the CMA, then all starts working again. I simply haven't had time to run any debugs yet, but it would be interesting to know if we are alone with this.
deepakk inside Multi-Domain Management Sunday
views 137 2

Want to export object , policy file from checkpoint R77.30

Hi,

We are managing 10 contexts (virtual firewalls) on a single physical 4800 firewall in Active-Active mode. We are trying to check the object list, policies and routes of an individual firewall or the complete MDS, but failed to collect them.

Tried to export the Objects_5_0.C file (from MDM), but it is showing only 9000 address objects, which are the shared/global objects. Local firewall objects are not showing.

Tried to export the Objects_5_0.C file, but the address object count is not correct.

Checked the paths below, but the backup is neither showing for an individual context nor for the complete firewall:

1. Objects_5_0.C - found this on: /opt/CPsuite-R77/fw1/conf
2. Rulebases_5_0.fws - found this on: /opt/CPsuite-R77/fw1/conf
3. PolicyName.W - a file with extension ".W"; the filename takes the policy's name (by default Standard.W). Those files are stored in the SmartCenter (Management) under "$FWDIR/conf"

Please suggest. Thanks in advance
Kaspars_Zibarts inside Multi-Domain Management a week ago
views 378 7 2

R80.20 MDS restore missing over a month worth of data

This is a bit of an SOS call if anyone else has seen this. Was forced to restore our production MDS this morning. So not a biggie. Backup was taken yesterday and the restore worked just fine. But then we noticed weird things: a lot of rules are missing and some topology pushes failed due to missing interfaces or routes on VSX. Then we realised that the "newest" data we have on the MDS is from 5th November! Ouch. Audit logs still show all the changes from yesterday, but the rules are gone. Quite a pickle we are in now, as I don't believe backups from the day before would be any better. We will keep trying, but if anyone has seen/knows something, it would be great!
ravimahajan44 inside Multi-Domain Management a week ago
views 182 2

What is the maximum number of gateways that can be added to a management server?

What is the maximum number of gateways that can be added to a management server?
piotrsz90 inside Multi-Domain Management a week ago
views 224 2

tcl/expect packages for MDS

Hello, I'm doing an interactive script on MDS (R80.10), so I want to get expect on it. As I read, the kernel is RHEL based, so when installing the expect package shall I follow the regular RHEL procedure (offline)?

# tar -zxvf expectx.xx.tar.gz
# ./configure
# make
# make install

KR
Sn00pDoug inside Multi-Domain Management 2 weeks ago
views 239 2

MDS vs CMA policies

Hello Community!

Is there a recommended way to manage multiple domains in terms of where best to apply any policies/objects etc., globally or on the CMA directly? Obviously some objects and access/threat policies will be relevant to single CMAs, but it's easier/neater to manage globally so it's in one place and assign to each domain.

For example, I've been doing a lot of IPS exceptions on noisy false positives, which are typically relevant to a particular CMA. Unfortunately doing so requires creating objects on the MDS, essentially duplicating the objects on the CMA just with a different name. Which got me thinking, would it be better to just have all the objects globally? Or perhaps I should just keep my IPS exceptions per CMA? Thanks
Marcus_with_C inside Multi-Domain Management a month ago
views 295 2

Global Management and Stealth Rule

Hi Checkpoint community,

We were wondering if there is a way to create the Management Access and Stealth rules on a global Layer.

Our use-case:

We are using an R80.30 MDS to manage our (mostly R80.20) firewalls, using a Global Layer and a Domain Layer for rules. So our rulebase consists of Global Rules, then Domain Rules, then again Global Rules (including the Cleanup Rule).

We split our quite big corporate network into different zones (using VLANs and IP ranges to separate them). Hosts within the same zone can communicate via any port with each other; hosts in different zones can only communicate by a predefined set of allowed directions and ports.

Due to the amount of connections covered by this rulebase, these rules are the ones with the most hits by far. Therefore we would like to have these rules at the beginning of each rulebase => on the Global Layer above the Domain Layer.

Since the firewalls are the gateways for all DMZ networks and necessarily have IP addresses in these ranges, this rulebase would allow every host of a zone to reach every gateway IP address (= firewall) of the same zone. As DMZ networks do not count as secure networks, this is a security risk we do not want to face.

Currently we solved this problem by having the Management and Stealth rules on top of each Domain Layer rulebase and the zone rulebase in the Global Layer below the Domain Layer. Of course this is not ideal for performance.

My question therefore is: Is it possible to create a global Management and Stealth Rule above this zone ruleset? For example by using some object/trick to
- tell the gateways that they themselves are the destination
- use the Policy Installation Target as destination in these rules
Or by any other possible way?

BR Marcus
Ankur_Datta inside Multi-Domain Management 2019-12-16
views 383 5

automating mds backup

Hi all, I am writing a script to automate MDS backup. Will running mds_backup with the -b parameter create any problems? We are planning to run this script at midnight when nobody is logged in to management. As a precaution, we will enable the setting to log users out of SmartConsole after a specific idle timeout. Kindly also let me know if you have any suggestions. Thanks
derilzemer inside Multi-Domain Management 2019-11-28
views 384 5 1

Validation error - empty Validation pane - reason Whitespaces

Hi, my name is Andreas. I'm from Germany and work in a data center for banks, and I'm responsible for the operative part. I'm new and not the absolute expert in this case, but still I post something. My English is also not the best, so be patient with me.

We have R80.10 in use, and after changing some objects and inserting many new rules in the policy from a CMA I get a Publish Failed. The Validation Pane is empty, so I have no more details about what happened 🤔. I know that we had the same problem at the beginning of the year, and an old case gave me the hint that the problem was a whitespace inside a rule name.

Instead of always asking the support to look for the mistake, I wanted to know how to do it myself. I would then document it a little bit, or is that already a kind of trade secret, that you should not do that yourself or get any information about how to find the whitespace?

Thanks for any help or hint,
regards from Germany,
Andreas
M_Ruszkowski inside Multi-Domain Management 2019-11-17
views 1256 18 4

R80.20 MDS Slow

We are having performance issues with our primary MDS running R80.20. Like most people that upgraded from R77.30, we knew that R80.20 was more resource intensive. We purchased very large servers for this, since we run our MDS in VMware. We used multiple Cisco UCS servers with 96 cores, 1.5T RAM and a lot of SSD drives for each UCS server. We then installed VMware and built only one guest for now, the MDS. We used 48 cores, 768G RAM and assigned 8TB of storage for each MDS VM. All three of our virtual MDS servers are built to these specs on different UCS servers in different data-centers, synced. And we just added MLM servers to offload logging.

We expected this to be superfast. These VM servers doubled the specs of CheckPoint's largest platform, the 5150. We only have 61 domains on the primary MDS and about 130 firewalls pointed to it. Every time we turned on Firemon it would bring the MDS down and all the consoles would crash. CheckPoint support then said that we had too much logging and this was using up too much CPU. So we just installed MLMs in the past three weeks and offloaded the logging. So now logging comes up way quicker in the SmartConsole. So this got faster. And we noticed the load value dropped from around 20 to about 8. Even with the drop in load it is not significantly faster. Consoles still take a while to load and view policy. When someone reassigns the global policy this can take more than an hour and every console gets extremely slow. It gets worse if we turn on our tools. Whenever we turn on our Firemon collector it causes the load value to go from 8 to around 30. At this point all of our consoles start dropping out. We then have to shut off Firemon and restart the MDS because the solr process is locked. So we can no longer use Firemon.

We verified the tuning parameters from CheckPoint's VM tuning guide. The profile that the server is choosing is:

CHOSEN_CPSETUP_PROFILE="131072 or larger without SME"

In the Security Management – Performance tuning guide it mentions these values:

NGM_CPM_MAX_HEAP
NGM_CPM_SOLR_XMX
RFL_RFL_MAX_HEAP
SMARTVIEW_MAX_HEAP
NGM_WEB_API_MAX_MEMORY

Ours shows these set pretty low. We have way more resources that we could allocate to these settings. Does anyone know what these are set to in a 5150 with 256G RAM? I was thinking about doubling or quadrupling these memory values. Maybe our server resources are not being detected and allocated properly.

I am hoping that someone else out there may have some insight or has gone through this. Any help is greatly appreciated.
Douglas_Hewes inside Multi-Domain Management 2019-11-11
views 270 2

Two of each policy and each MDS server after CPUSE R80.30 upgrade from R80.10

Just performed an in-place upgrade from R80.10 to R80.30 on an MDS server running on a Smart-1 3150. The verifier was clean beforehand and the upgrade completed successfully, and I installed the T50 HFA, rebooted, and let it run for an hour or so. I can log in and manage rules and almost everything looks great. That said, kind of a weird issue... I went to open a policy and noticed that each policy is now listed twice with the identical name. The layers are fine - only one each of those. Also, when I select Gateways and Servers each appliance is listed once, but when I do something like select targets to install the database on, each MDS server is listed twice, again with identical names. From what I can tell the policies do appear to be identical, but there are a couple thousand rules so I am not 100% sure. Anyone seen this before?