Showing results for 
Search instead for 
Did you mean: 
Create a Post
Multi-Domain Management

Discussions related to Check Point's Multi-Domain Security Management solution, also known by it's legacy name: Provider-1.

Hww to Recover Primary MDS

Hi All,Our Primary MDS has failed and we need to build it from scratch now. But I think we can not directly build our Primary MDS and Sync with Secondary one. So can anyone has any idea how can we recover our Primary MDS (We don't have any backup of Primary MDS)
Roy_Smith inside Multi-Domain Management Friday
views 104 1

MDS Migration and export

HiWe are running R80.10 and need to migrate to R80.30 on a new appliance. This is a MDS HA pair, across 2 sites. I can export the MDS configuration fine, using the mds_setup utility from the upgrade tools. My problem is, I do not have enough space for the export when I choose to export the log database and indexes. We do have a SmartEvent server that corelates the logs and provides the necessary reports. I would like to export or copy the log files to the new server. If I manually copied the log files and log indexes, after building the new server, would that work? Would Smartlog still display the logs?If I rebuilt the new server without the logs, what effect would that have on SmartEvent?Many thanksRoy 
Maarten_Sjouw inside Multi-Domain Management Thursday
views 172 1

MDS License for R80.40

2 weeks ago I installed a MDS with R80.40 and used the 15 days evaluation to find it stopped working this morning. So up to the Evaluation pool and get me a CPSM-MD1004-EVAL, the only available license in the Evaluate our products options for an MDS. Installed the license and tried to attach a Domain license to the domain I created, which fails with a reference error in the object. Ok create a separate domain blade license with the IP of the domain, that can be attached. Now when opening the domain and trying to create a new gateway this is the error I get: So it looks like R80.40 MDS will only accept the new CPSM-NGSMxxx with a CPSB-DMN-xx blade license format??
Sajenthiran_Mic inside Multi-Domain Management Wednesday
views 243 3 1

find object sting in all cma

I have a object called  "departent_svr_cms_mike" in each cma. i am searching for a way to find all host objects containg the string "cms " in the name.Is they' re a way do this type of query?
Kaspars_Zibarts inside Multi-Domain Management 2 weeks ago
views 439 18 2

FWM dies quietly on CMA R0.20

Just wondering if anyone else has noticed issues with FWM on CMA - shows as UP on mdsstat but actually is not responding. Then you do mdsstop_customer and that particular FWM still shows in UP state. Kill manually and start CMA, then all starts working again. I simply haven't had time to run any debugs yet but would be interesting to know if we are alone with this
Chamila inside Multi-Domain Management 2 weeks ago
views 228 7

MDS Migration from R77.30 to R80.30 fresh install with HA

Hi Support,Apologies, if this is not the right place to post this query as this may be an architectural query along side the migration.Our MDS Servers are in a HA pair per region and we have a requirement to migrate them one at the time to R80.30 code rather than both at the same time. Current set up is, we have 2 servers in the UK (UK Primary MDS and US Secondary MDS) and 2 in the US (US Primary and UK Secondary) and two existing domains, domain US and domain UK, nothing fancy. After migration, we will have one MDS server per region for a period of time before introducing HA at a later date, e.g both UK and US MDS servers will be hosted in a US data center.Are there any gotchas we need to be aware of when we do this migration or any advice on this matter is highly appreciated. Thanks in advaceChamila
Raj_Khatri inside Multi-Domain Management 2 weeks ago
views 279 4 1

SmartLog Issue

We are facing an issue with logs not working when connected to our MDS.  SmartLog no longer works and displays the message “SmartLog is Initializing…”  The issue started while we were running Take 87 which was stable for quite some time.  We can see logs when connected directly to the MLM via SmartConsole.   We have rebooted, performed smartlogstop/smartlogstart several times, without success.  We have an open case with TAC who suggested upgrading to Take 118 which didn’t help.  They are reviewing other logs in the meantime.EnvironmentMDS – R80.20 Take 118 (Smart1-3150)MLM – R80.20 Take 118 (HP Open Server)SME – R80.20 Take 118 (HP Open Server)Looking to see if anyone has run into this issue and other possible suggestions to look at and try.Thanks
Maria_Pologova inside Multi-Domain Management 3 weeks ago
views 517 6 2

Policy Preset limitation

Our current setup includes four Multi-Domain Management servers, where Domain Management servers are spread across all of them in order to distribute the load. R80.20 Take 107The issue/limitation we are facing is that in order for Policy Preset (scheduled or not) to work, we must have Global domain Active on the MDM that holds a DMS with policy targets, what breaks the idea of centralized management and makes policy installation automation far away from straightforward.Also, for the ones who faced the following warning when creating a new Policy Preset - this is the same problem. make sure that Global Domain is active on the MDM that holds the DMS with policy targets.Does someone know if there is a plan to improve this or we need to do a RFE? Additional posts for the similar subjects:Install Policy Presets not working on R80.20 
cp_mummy inside Multi-Domain Management 4 weeks ago
views 342 4 1

static routing in vsx vsls solution using CLI

Hi guys,Newbie here! I have a quick question about cli configuration in a vsls solution, is it not possible to add static routes via cli or am I just missing something. I've seen that I can do dynamic routing when I go into a specific context but can’t find anyting else than "static-mroute"btw, I have tested vsx_provisioning_tool and it works great, but I was kind of confused as it is possible to configure bgp via CLI.  Anyways, I will also test bgp and would be really grateful to hear from anyone who has experience in running bgp in checkpoint. thx 😊 @Jim_Oqvist @PhoneBoy @G_W_Albrecht @HeikoAnkenbrand @Timothy_Hall 
piotrsz90 inside Multi-Domain Management a month ago
views 723 7 1

Management API

Hello Multi MDS R80.10 Is there any way to non-interactively install policy using management API ?Im asking because i want to script policy installations to happen periodically, as there is no option to use expect, how can i go through policy installations non-interactively ?
inside Multi-Domain Management a month ago
views 256 3

White Paper - Identity Awareness in Multi-Domain Environment

This white paper is focused on a scenario of enforcing identity-based policies on security gateways running version R80.30 and earlier in a Multi-Domain environment. It specifically provides recommendations and describes procedures how to enforce identity-based policies for users from other Management Domains.   Author @Anton_Razumov  For the full list of White Papers, go here. 
deepakk inside Multi-Domain Management a month ago
views 321 5

Want to export object , policy file from checkpoint R77.30

Hi ,We are managing 10 context (virtual firewalls) on single physical firewall 4800 in Active-active mode. We are trying to check object list , policies , routes of individual firewall or complete MDS but failed to collect.Tried to export  Objects_5_0.C file(From MDM)  but it is showing only 9000 address object which has shared/global objects. local firewall objects are not showingTried to export  Objects_5_0.C fil but address object count is not correctChecked below paths but backup neither showing for individual context nor for complete Firewall1. Objects_5_0.C -  found this on: /opt/CPsuite-R77/fw1/conf2. Rulebases_5_0.fws -  found this on: /opt/CPsuite-R77/fw1/conf3. PolicyName.W - a file with extension .W”, the filename takes the policy’s name (by default Standard.W). Those files are stored in the SmartCenter (Management) under “$FWDIR/conf”Please suggest. Thanks in advance 
Sanjay_S inside Multi-Domain Management 2020-01-15
views 348 5 2

Upgrade MDS from R80.10 to R80.30

Hi All,Please let me know the pre-requisites to upgrade the MDS from R80.10 to R80.30 directly?Also installation guide suggests clean install, but we do not want to go with Clean install and then migrate all the domains one by one. Instead of clean install can we go with CPUSE to upgrade?Wish to get the response as soon as possible please.Regards,Sanjay S
Jose_Luis_Mart1 inside Multi-Domain Management 2020-01-15
views 303 3

Error migrating MDS from R80.10 to R80.30

Hi all!We've been trying to upgrade our MDS from R80.10 to R80.30. We almost got it. Everything went well except for two CMAs that didn't work because of an unknown error. We had a similar problem when we upgraded from R77.30, so we tried what we did then:1. Create clean CMAs in R80.302. migrate export of the CMAs in the R80.10 MDS3. cma_migrate... then we get this error:Source management version detected:R80======================================================================>>> Executing Source Version Upgrade Path Checker======================================================================>>> Executing Source Version cma_migrate Path CheckerError:   cma_migrate is not supported from version R80.XX Is that so? Can't we do a cma_migrate "inside" R80? How could we move/upgrade a single CMA then? thanks   
Kaspars_Zibarts inside Multi-Domain Management 2020-01-09
views 524 7 3

R80.20 MDS restore missing over a month worth of data

This is a bit of SOS call if anyone else has seen this. Was forced to restore our production MDS this morning. So not a biggie. Backup was taken yesterday and restore worked just fine. But then we noticed weird things that a lot of rules are missing and some topology push failed due to missing interfaces or routes on VSX. Then we realised that "newest" data we have on MDS is from 5th November! Ouch. Audit logs still show all the changes from yesterday but rule are gone. Quite a pickle we are in now as I don't believe backups from day before would be any better. We will keep trying  but if anyone has seen/knows something would be great!