Hello everyone,
I connected our on-premises Management Server (managing a CP1900) to Cloud-1 (managing a CP3950 with IP 192.168.111.51), then successfully migrated all policies and objects.
After a small cleanup and adjusting the policies for the new 3950 firewall, and after installing these policies, I lost web access to Gaia.
Port 443 is open, the gateway is responding, but nothing opens in the browser. What could be the reason for this?
Meanwhile, SSH is working fine. In firewall logs I see HTTPS was successful.
17:29:32.503910 ethertype IPv4, IP 192.168.111.40.53391 > 192.168.111.51.443: Flags [SEW], seq 1769120811, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
17:29:32.503910 ethertype IPv4, IP 192.168.111.40.53390 > 192.168.111.51.443: Flags [SEW], seq 1785169404, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
17:29:32.503912 IP 192.168.111.40.53391 > 192.168.111.51.443: Flags [SEW], seq 1769120811, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
17:29:32.503913 IP 192.168.111.40.53390 > 192.168.111.51.443: Flags [SEW], seq 1785169404, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
17:29:32.504922 ethertype IPv4, IP 192.168.111.51.443 > 192.168.111.40.53391: Flags [S.], seq 3979140708, ack 1769120812, win 32768, options [mss 1460,nop,nop,sackOK,nop,wscale 5], length 0
17:29:32.504923 ethertype IPv4, IP 192.168.111.51.443 > 192.168.111.40.53390: Flags [S.], seq 2784020504, ack 1785169405, win 32768, options [mss 1460,nop,nop,sackOK,nop,wscale 5], length 0
17:29:32.504924 IP 192.168.111.51.443 > 192.168.111.40.53391: Flags [S.], seq 3979140708, ack 1769120812, win 32768, options [mss 1460,nop,nop,sackOK,nop,wscale 5], length 0
17:29:32.504924 IP 192.168.111.51.443 > 192.168.111.40.53390: Flags [S.], seq 2784020504, ack 1785169405, win 32768, options [mss 1460,nop,nop,sackOK,nop,wscale 5], length 0
17:29:32.504926 ethertype IPv4, IP 192.168.111.40.53391 > 192.168.111.51.443: Flags [.], ack 1, win 8212, length 0
17:29:32.504926 ethertype IPv4, IP 192.168.111.40.53390 > 192.168.111.51.443: Flags [.], ack 1, win 8212, length 0
17:29:32.504928 IP 192.168.111.40.53391 > 192.168.111.51.443: Flags [.], ack 1, win 8212, length 0
17:29:32.504928 IP 192.168.111.40.53390 > 192.168.111.51.443: Flags [.], ack 1, win 8212, length 0
17:29:32.504929 ethertype IPv4, IP 192.168.111.40.53391 > 192.168.111.51.443: Flags [.], seq 1:1461, ack 1, win 8212, length 1460
17:29:32.504930 IP 192.168.111.40.53391 > 192.168.111.51.443: Flags [.], seq 1:1461, ack 1, win 8212, length 1460
17:29:32.504931 ethertype IPv4, IP 192.168.111.40.53391 > 192.168.111.51.443: Flags [P.], seq 1461:1766, ack 1, win 8212, length 305
17:29:32.504932 IP 192.168.111.40.53391 > 192.168.111.51.443: Flags [P.], seq 1461:1766, ack 1, win 8212, length 305
17:29:32.504936 ethertype IPv4, IP 192.168.111.40.53390 > 192.168.111.51.443: Flags [.], seq 1:1461, ack 1, win 8212, length 1460
17:29:32.504936 IP 192.168.111.40.53390 > 192.168.111.51.443: Flags [.], seq 1:1461, ack 1, win 8212, length 1460
17:29:32.504937 ethertype IPv4, IP 192.168.111.40.53390 > 192.168.111.51.443: Flags [P.], seq 1461:1702, ack 1, win 8212, length 241
17:29:32.504938 IP 192.168.111.40.53390 > 192.168.111.51.443: Flags [P.], seq 1461:1702, ack 1, win 8212, length 241
17:29:32.505938 ethertype IPv4, IP 192.168.111.51.443 > 192.168.111.40.53391: Flags [.], ack 1766, win 1049, length 0
17:29:32.505940 IP 192.168.111.51.443 > 192.168.111.40.53391: Flags [.], ack 1766, win 1049, length 0
17:29:32.505940 ethertype IPv4, IP 192.168.111.51.443 > 192.168.111.40.53391: Flags [F.], seq 1, ack 1766, win 1049, length 0
17:29:32.505941 IP 192.168.111.51.443 > 192.168.111.40.53391: Flags [F.], seq 1, ack 1766, win 1049, length 0
17:29:32.505941 ethertype IPv4, IP 192.168.111.40.53391 > 192.168.111.51.443: Flags [.], ack 2, win 8212, length 0
17:29:32.505942 IP 192.168.111.40.53391 > 192.168.111.51.443: Flags [.], ack 2, win 8212, length 0
17:29:32.505943 ethertype IPv4, IP 192.168.111.40.53391 > 192.168.111.51.443: Flags [F.], seq 1766, ack 2, win 8212, length 0
17:29:32.505943 IP 192.168.111.40.53391 > 192.168.111.51.443: Flags [F.], seq 1766, ack 2, win 8212, length 0
17:29:32.505946 ethertype IPv4, IP 192.168.111.40.53393 > 192.168.111.51.443: Flags [SEW], seq 2326915469, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
17:29:32.505946 IP 192.168.111.40.53393 > 192.168.111.51.443: Flags [SEW], seq 2326915469, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
17:29:32.505955 ethertype IPv4, IP 192.168.111.51.443 > 192.168.111.40.53390: Flags [.], ack 1702, win 1049, length 0
17:29:32.505956 IP 192.168.111.51.443 > 192.168.111.40.53390: Flags [.], ack 1702, win 1049, length 0
17:29:32.505957 ethertype IPv4, IP 192.168.111.51.443 > 192.168.111.40.53390: Flags [F.], seq 1, ack 1702, win 1049, length 0
17:29:32.505957 IP 192.168.111.51.443 > 192.168.111.40.53390: Flags [F.], seq 1, ack 1702, win 1049, length 0
17:29:32.505959 ethertype IPv4, IP 192.168.111.40.53390 > 192.168.111.51.443: Flags [.], ack 2, win 8212, length 0
17:29:32.505959 IP 192.168.111.40.53390 > 192.168.111.51.443: Flags [.], ack 2, win 8212, length 0
Hey @Exonix
Mind checking a few things for us?
First, is the issue the same for any browser you try?
What is the output of fw stat command?
Can you check the output of show web ssl-port and show web daemon-enable in clish?
If all of the above is good, did you try changing the web portal to another port in the smart console fw object?
Also, any relevant logs when this fails?
Hi @the_rock ,
the issue exists in any browser.
No I didn't try to change any Ports, where can I do this in Smart Console? This is a cluster object
fw stat
HOST POLICY DATE
localhost company_2026 7Jan2026 18:08:00 : [>eth3.2] [<eth3.2] [>eth11.111] [>eth11.11] [<eth11.11] [>eth4.7]
show web ssl-port
web-ssl-port 443
show web daemon-enable
WebDaemonEnable on
Platform portal and Gaia config port have to match. Check this:
In SmartConsole:
In Main URL, set a new port for the Gaia Portal server (for example, port 4434):
https://IP_ADDRESS:PORT
In Clish:
Set the new port for the Gaia Portal server (for example, port 4434):
HostName> set web ssl-port <Port_Number>
All good points, though based on the description of the post, seems that should be correct. But, still worth confirming, for sure.
Hello @Lesley
I was thinking about this, but I got a warning and canceled it. Shall I continue?
In the cluster object, I have a public IP assigned to the cluster. Therefore, I can’t change it, because a new IP and port would not affect each node — they can’t share the same IP. And there is no "Platform Portal" for each member...
I checked the settings of another working cluster — it has a cluster IP address, and since my new cluster is connected via public addresses, the Platform Portal is also configured with a public IP, but even that is not working anymore…
In the meantime, you can also SSH into the 3950 appliance and execute the following debug command:
fw ctl zdebug + drop | grep 192.168.111.51
While the command is running, attempt to access the Gaia Web Portal via your browser again. Checking for any output from this command will help identify the root cause of the access issue.
Absolutely great way to test.
Hi @RickLin
I used this command already (I know about the great way to test 😉 ) - there were no drops
Maybe check out here, the edit and if there is the correct port
This is a complete configuration:
It looks like changing the port to 4434 has helped. I’m checking this now. At least it worked from the local network
Glad you were able to sort it out!
@Lesley thanks a lot!
Interesting why the port changed, even though port 443 was still configured in the Smart console…
Now I can continue with the configuration; the next step is ISP redundancy 🙂
Hi @Exonix ,
I personally do not experience GAiA Portal unavailability when trying CP3950, maybe because web port changed to 4434.
As this problem emerges after policy installation, I am a bit curious whether fw unloadlocal will let you open GAiA Portal or not.
Is the cluster mode Active/Standby?
If so, would you mind if I ask you to make it failover to see if the problem persists or not when other cluster member is active?
Just out of curiosity, one of my 3950 cluster accepts L2TP, the other does not.
Saitoh
Hi @saitoh
yes, my cluster is in Active/Standby, but each node was available via Gaia, like all other clusters. Now, none of the nodes are available. Right now, I suspect that there is an issue either with the certificate, with SSL in general, or that something else might be listening on port 443.
Judging from the tcpdump you provided, since the gateway sent FIN, I echo your opinion, and would start investigating cert issue.
Does apache error_log say anything suspicious?
ADDED: Glad you found root cause!
Saitoh
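As an added example (not part of any post in this thread), the sketch below parses tcpdump lines in the format posted above and summarises each TCP flow: payload bytes per direction and which side sent the first FIN. Run on the 53391 flow from the capture, it shows the pattern pointed out in the reply above: the handshake completes, the client sends 1765 bytes, and the gateway closes without sending any payload. The function names `summarize` and `verdict` are this example's own.

```python
import re

# Excerpt of the capture posted in this thread (client port 53391 only).
# Two packets are kept in both printed forms to exercise de-duplication.
CAPTURE = """\
17:29:32.503910 ethertype IPv4, IP 192.168.111.40.53391 > 192.168.111.51.443: Flags [SEW], seq 1769120811, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
17:29:32.503912 IP 192.168.111.40.53391 > 192.168.111.51.443: Flags [SEW], seq 1769120811, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
17:29:32.504924 IP 192.168.111.51.443 > 192.168.111.40.53391: Flags [S.], seq 3979140708, ack 1769120812, win 32768, options [mss 1460,nop,nop,sackOK,nop,wscale 5], length 0
17:29:32.504928 IP 192.168.111.40.53391 > 192.168.111.51.443: Flags [.], ack 1, win 8212, length 0
17:29:32.504929 ethertype IPv4, IP 192.168.111.40.53391 > 192.168.111.51.443: Flags [.], seq 1:1461, ack 1, win 8212, length 1460
17:29:32.504930 IP 192.168.111.40.53391 > 192.168.111.51.443: Flags [.], seq 1:1461, ack 1, win 8212, length 1460
17:29:32.504932 IP 192.168.111.40.53391 > 192.168.111.51.443: Flags [P.], seq 1461:1766, ack 1, win 8212, length 305
17:29:32.505940 IP 192.168.111.51.443 > 192.168.111.40.53391: Flags [.], ack 1766, win 1049, length 0
17:29:32.505941 IP 192.168.111.51.443 > 192.168.111.40.53391: Flags [F.], seq 1, ack 1766, win 1049, length 0
17:29:32.505942 IP 192.168.111.40.53391 > 192.168.111.51.443: Flags [.], ack 2, win 8212, length 0
17:29:32.505943 IP 192.168.111.40.53391 > 192.168.111.51.443: Flags [F.], seq 1766, ack 2, win 8212, length 0
"""

LINE = re.compile(r"^\S+ (?:ethertype IPv4, )?IP (\S+)\.(\d+) > (\S+)\.(\d+): "
                  r"Flags \[([^\]]+)\].* length (\d+)$")

def summarize(capture):
    """Return {(client, server): stats} for every flow whose SYN is in the capture."""
    seen, flows = set(), {}
    for raw in capture.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        body = raw.split("IP ", 1)[1]   # packet text without timestamp/ethertype
        if body in seen:                # same packet printed a second time
            continue
        seen.add(body)
        src, sport, dst, dport, flags, length = m.groups()
        a, b = (src, int(sport)), (dst, int(dport))
        if "S" in flags and "." not in flags:   # bare SYN: the sender is the client
            flows.setdefault((a, b), {"client_bytes": 0, "server_bytes": 0, "first_fin": None})
        key = (a, b) if (a, b) in flows else (b, a)
        if key not in flows:
            continue
        side = "client" if key == (a, b) else "server"
        flows[key][side + "_bytes"] += int(length)
        if "F" in flags and flows[key]["first_fin"] is None:
            flows[key]["first_fin"] = side
    return flows

def verdict(f):
    # The listener accepted the connection, read the request, answered nothing.
    if f["client_bytes"] and not f["server_bytes"] and f["first_fin"] == "server":
        return "server closed without replying"
    return "other"
```

A flow with this verdict is accepted at the TCP level, which is consistent with the firewall log showing HTTPS as successful and the zdebug run showing no drops.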