Hello,
Our environment consists of 2 Check Point clusters (External & Internal Firewall), where each cluster comprises three nodes. Also, we've got two SMS servers in Active-Standby. All gateways as well as management servers are on 81.20 version. My issue is that when I try to back up the gateway config via a TFTP server, this works only for active members; for standby nodes it fails. I am able to back up both SMS without any issue. Is there something I am missing? FYI, the TFTP server is on the same subnet as the management network of all gateways. Also, I've created the firewall policies required. Could you please assist on what I am missing?
Thanks in advance
@katsarasd I moved your post to the more appropriate space and also fixed the label.
In the cluster, connections from the Standby member through a cluster interface may fail because they are NAT-ed behind the VIP.
There are two options here:
1. Use a private interface to open a connection to a backup server
2. Apply the workaround mentioned in sk169975
I would suggest the second option, as it is much simpler to move forward and does not require any network change.
Hello @_Val_
The TFTP server is on the same subnet as the gateways' management interface. Is there something additional I need to specify?
Even if it is on the same network, if the GW is communicating with it on a cluster interface, it will be NAT-ed behind a VIP address. Did you read the SK I suggested?
You are able to ping the TFTP server from the STANDBY member?
Yes, standby members can ping the TFTP server.
Maybe can you do a telnet test to the TFTP server? Maybe there is a service which is not TFTP, and you can make a test. Only the TFTP is failing?
Akos
I tried nc -v <server ip address> rdp port
for active member connection works
for standby members connection timeout
As I already mentioned, look into the SK. You will have to create No-NAT rule for the standby to work.
Sorry, but I am a bit confused.
The cause of the issue of the sk169975 is of the no-NAT rules. You mention above that I'll need to create no-NAT rules for standby; it's not clear to me. Sorry for the trouble.
Appears, as Val had said, it's just a simple no-NAT rule, that's it; it does not need any other network changes.
Andy
No worries, the SK is indeed describing a bit different case, but it does have a link to the solution you need: sk34180
Please check it is clear enough, and let me know if it helps.
Hey @katsarasd
I did some more checking on this and found below sk...not sure if it may apply to you, but worth confirming.
Andy
https://support.checkpoint.com/results/sk/sk181866