This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Thomas_Eichelbu
Advisor
Advisor
‎2020-10-19 12:08 AM

Why are DAIP gateways never really shown as connected ... even when they working just fine?

Hello CheckMates,


this is an issue which causes alot of questions by customers and by me too...
DAIP gatways are never shown in SmartConsole as conencted (green) but as disconnected (red)?
Since the first three appliances in the picture are really online (red) its annoying to see them as disconnected ...

Is there a good explanation, and how to fix this?

DAIP_GW_SHOWN_AS_OFF.PNG

In Dashboard they are listed with IP´s like 0.0.0.X and incrementing ... 
Every one of this appliances has of course internal unique IP adresses .. .is there are way to play with them and do some creepy NAT?
I think i have seen an article on CheckMates how to overcome this, but i cannot find it anymore ...

Any help or ideas are welcome!

best regards
Thomas

0 Kudos
6 Replies
G_W_Albrecht
Legend Legend
Legend
‎2020-10-19 01:07 AM

This looks very unnatural - i would suggest to contact TAC to resolve it !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Us4r
Contributor
‎2020-10-19 04:32 AM

Hello Thomas,

the Management Node needs to establish a connection to the DAIP Gateways. If this is not working because no NAT - Rules exist on the provider router for the SMB - Appliance, then you get the unreachable symbol presented.

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2020-10-19 05:18 AM

In most cases, SMS is NATed behind a GW - see sk66381: How to configure Management behind NAT in Security Gateway 80 / 1100 / 1400 Appliance setup for help !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Thomas_Eichelbu
Advisor
Advisor
‎2020-10-19 05:43 AM
In response to G_W_Albrecht

Hello. well no, the SMS works perfect for other gateways with public IP ... just the DAIP IP GW´s are not shown as connected (green) but as disconnected (red)
The SMS hsa of course all this settings from SK66281 

for example the VPN certificate says:


Subject: CN=XXXXXXXXXXXXXXXXXXXXXXXXX
Issuer: O=XXXXXXXXXXXXXXXXXXXX
Not Valid Before: Sun Oct 21 14:20:21 2018 Local Time
Not Valid After: Sat Oct 21 14:20:21 2023 Local Time
Serial No.: 75149
Public Key: RSA (2048 bits)
Signature: RSA with SHA256
Subject Alternate Names:


----> LOOK HERE  Address: 0.0.0.2

 

CRL distribution points:
http://XXXXXXXXXXXXXXX:18264/ICA_CRL1.crl
CN=ICA_CRL1,O=XXXXXXXXXXXXXXXXX..bn78tq
Key Usage:
digitalSignature
keyEncipherment
Basic Constraint:
not CA
MD5 Fingerprint:
95:D1:57:3E:04:08:94:58:55:6E:CF:14:CC:58:A3:EA
SHA-1 Fingerprints:
1. 99:99:07:6C:7D:1C:10:8C:B8:A2:88:7F:5E:CB:0E:28:34:27:F0:A5
2. HOLE OMAN SHOW WERE MUTT WOW MATH FLO JAW MOLD LOAF FLY

so the DAIP GW´s get dummy IP´s starting at 0.0.0.1 ... here this guy has 0.0.0.2 ...

the MGMT will never reach a 0.0.0.2 adress ... 


best regards
Thomas.

Us4r
Contributor
‎2020-11-13 02:00 AM
In response to Thomas_Eichelbu

Hello Thomas,

 

<<so the DAIP GW´s get dummy IP´s starting at 0.0.0.1 ... here this guy has 0.0.0.2 ...

the MGMT will never reach a 0.0.0.2 adress ... >>

 

The mentioned 0.0.0.x - Addresses are only as you mentioned internal "dummy" IPs. They can be used for filtering, when you don't know the exact OIP.

But as I mentioned, check if a NAT / DMZ-Host Configuration is there on your provider router for the checkpoint appliance.

 

You need this, otherwise Management Node can never connect to the correct OIP.

0 Kudos
Nik_Bloemers
Advisor
Advisor
‎2020-11-13 02:26 AM
In response to Thomas_Eichelbu

This annoys me too 🙂

I wish Check Point would add a status 'push' CPD AMON mechanism for DAIP gateways, so they can report to the SMS instead of the SMS only being able to pull status.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events