This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
katsarasd
Explorer
‎2025-05-12 03:00 AM

CheckPoint Gateway backup

Hello,

Our  environment consists of 2 Checkpoint Clusters (External & Internal Firewall) where each cluster comprises of three nodes. Also we've got two SMS servers in Active-Standby. All Gateways as well as management Servers are on 81.20 version. My issue is that when i am trying to backup gateway config via TFTP server this works only for active members, for standby nodes this fails. I am able to backup both SMS without any issue. Is there something i am missing. Fyi, TFTP Server is on the same subnet as the management network of all gateways. Also i've created the firewall policies required. Could you please assist on what i am missing?

Thanks in advance

Labels
0 Kudos
12 Replies
_Val_
Admin
Admin
‎2025-05-12 03:44 AM

@katsarasd I moved your post to the more appropriate space and also fixed the label.

In the cluster, connections from Standby member through a cluster interface may fail because they are NAT-ed behind VIP.

There are two options here:
1. use a private interface to open a connection to a backup server

2. Apply a workaround mentioned in sk169975

 

I would suggest the second option, as it is much simpler to move forward and does not require any network change.

0 Kudos
katsarasd
Explorer
‎2025-05-12 03:57 AM
In response to _Val_

Hello @_Val_ 

TFTP Server is on the same subnet as gateways management interface. Is there something additional i need to specify ?

0 Kudos
_Val_
Admin
Admin
‎2025-05-12 04:05 AM
In response to katsarasd

Even if it is on the same network, if the GW is communicating with it on a cluster interface, it will be NAT-ed behind a VIP address. Did you read the SK I suggested?

0 Kudos
AkosBakos
Mentor Mentor
Mentor
‎2025-05-12 04:07 AM
In response to katsarasd

You are abe to ping the TFTP server from the STANDBY member?

----------------
\m/_(>_<)_\m/
0 Kudos
katsarasd
Explorer
‎2025-05-12 04:08 AM
In response to AkosBakos

Yes standby members can ping tftp server

0 Kudos
AkosBakos
Mentor Mentor
Mentor
‎2025-05-12 04:16 AM
In response to katsarasd

Maybe can you do a telnet test to the  TFTP server? Maybe there is a service which is not TFTP, and you can make a test. Only the TFTP is failing?

Akos

----------------
\m/_(>_<)_\m/
0 Kudos
katsarasd
Explorer
‎2025-05-12 04:26 AM
In response to AkosBakos

I tried nc -v <server ip address> rdp port
for active member connection works
for standby members connection timeout

0 Kudos
_Val_
Admin
Admin
‎2025-05-12 04:27 AM
In response to katsarasd

As I already mentioned, look into the SK. You will have to create No-NAT rule for the standby to work.

0 Kudos
katsarasd
Explorer
‎2025-05-12 04:34 AM
In response to _Val_

Sorry, but i am bit confused.

The cause of the issue of the  sk169975
is of the no-nat rules. You mention above that i'll need to create no-nat rules for standby, it's not clear to me. sorry for the trouble.

0 Kudos
the_rock
Legend
Legend
‎2025-05-12 04:41 AM
In response to katsarasd

Appears as Val had said its just a simple no-nat rule, thats it, does not need any other network changes.

Andy

0 Kudos
_Val_
Admin
Admin
‎2025-05-12 06:43 AM
In response to katsarasd

No worries, the SK is indeed describing a bit different case, but it does have a link to the solution you need: sk34180

Please check it is clear enough, and let me know if it helps.

0 Kudos
the_rock
Legend
Legend
‎2025-05-12 07:04 AM

Hey @katsarasd 

I did some more checking on this and found below sk...not sure if it may apply to you, but worth confirming.

Andy

https://support.checkpoint.com/results/sk/sk181866

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events