hi,
We have two gateways in a cluster.
The first gateway is in red.
I think I can't add or modify existing rules...
I don't understand why there is a gateway in red, there was no modification...
I have only the admin account, to access SmartConsole R80.30 and the Gaia Portal web page R80.30,
and the expert password.
I don't have the CLI password to access the gateway directly in CLI.
How can I get this gateway back to green,
without breaking the other gateway or completely blocking access for the company on the rules to the outside...
Thank you very much
Eric
I have the solution!
In fact the interface on our backbone was shut.
I connected to the Cisco 4500, did shut, no shut, and it works now.
All is green.
But I don't understand our configuration.
We have an RJ45 cable between the two gateways, of type sync,
two cables directly into the Cisco backbone, with an interco VLAN,
and two other cables for the switch stack in another VLAN (same as the VLAN for the SmartConsole).
I don't understand why there is an interco with the backbone, and a cable between the two GWs.
thanks
R80.30 has been out of support for a while now.
As the error shows, you have an issue with ClusterXL on one of the gateways. You need GW access to troubleshoot. If you can access the GW WebUI, use the same credentials to access it via SSH or console.
hi val
I get this message when connecting to the first gateway.
I have found the password for the second gateway and it's OK!
For the first I have this message:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
XX:XX:XX:XX.......
Please contact your system administrator.
Add correct host key in /home/admin/.ssh/known_hosts to get rid of this message.
Offending key in /home/admin/.ssh/known_hosts:2
RSA host key for 10.38.204.24 has changed and you have requested strict checking.
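One way to decide whether a changed host key like the one reported above is a legitimate re-key or an interception, shown as an added example that is not part of the original post. It assumes the gateway's host public key line can be read out-of-band (for example at the appliance console); the key material is constructed by `make_constructed_pubkey_line`, a hypothetical helper, and is not a real key.

```python
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Length-prefixed field as used inside an SSH public key blob."""
    return struct.pack(">I", len(data)) + data


def make_constructed_pubkey_line(seed: bytes) -> str:
    """Well-formed 'ssh-rsa <base64>' line built from constructed bytes (not a usable key)."""
    modulus = b"\x00" + hashlib.sha256(seed).digest() * 8
    blob = _ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01") + _ssh_string(modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode()


def key_blob(line: str) -> bytes:
    """Decode the key from a known_hosts line (host type key) or a .pub line (type key)."""
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if field.startswith(("ssh-", "ecdsa-")):
            return base64.b64decode(fields[i + 1], validate=True)
    raise ValueError("no SSH key type field found")


def md5_fingerprint(line: str) -> str:
    """Colon-separated hex form, the format shown in the warning above."""
    digest = hashlib.md5(key_blob(line)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def sha256_fingerprint(line: str) -> str:
    """Form printed by current OpenSSH clients."""
    digest = hashlib.sha256(key_blob(line)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def classify(known_hosts_line: str, console_pub_line: str, presented_md5: str) -> str:
    """Compare the key read at the gateway's console with the stored and presented ones."""
    trusted = md5_fingerprint(console_pub_line)
    if presented_md5.strip().lower() != trusted:
        return "MISMATCH: the presented key is not the gateway's key, do not connect"
    if md5_fingerprint(known_hosts_line) == trusted:
        return "OK: known_hosts entry is current"
    return "REKEYED: known_hosts entry is stale, replace it with the verified key"
```

Only the REKEYED result justifies dropping the offending entry (for example with `ssh-keygen -R 10.38.204.24`) and accepting the new key.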
Ignore this warning for now. Connect to the first GW via SSH and run the "cphaprob stat" command.
Cluster Mode: High Availability (Primary Up) with IGMP Membership
ID Unique Address Assigned Load State Name
1 (local) 1.1.1.1 0% DOWN fw1-CKP
2 1.1.1.2 100% ACTIVE fw2-CKP
Active PNOTEs: IAC
Last member state change event:
Event Code: CLUS-110800
State change: INIT -> DOWN
Reason for state change: Incorrect configuration - Local cluster member has fewer cluster interfaces configured compared to other cluster member(s)
Event time: Tue Apr 9 09:59:29 2024
Last cluster failover event:
Transition to new ACTIVE: Member 1 -> Member 2
Reason: Interface eth3 is down (Cluster Control Protocol packets are not received)
Event time: Thu Apr 4 13:23:37 2024
Cluster failover count:
Failover counter: 13
Time of counter reset: Mon Aug 23 07:42:39 2021 (reboot)
I have found this topic on removing the FW from the cluster and adding it again
https://support.checkpoint.com/results/sk/sk88360
Is it possible?
It won't block the whole LAN if there is only one FW active in the cluster?
thanks
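A small triage helper for `cphaprob stat` output in the shape posted above, added here as an example and not part of the original thread. It assumes that any member state other than ACTIVE or STANDBY should be flagged and that an empty PNOTE list is printed as "None"; the sample is an excerpt of the output above.

```python
import re

# Excerpt of the `cphaprob stat` output posted above (columns already flattened).
SAMPLE = """\
Cluster Mode: High Availability (Primary Up) with IGMP Membership
ID Unique Address Assigned Load State Name
1 (local) 1.1.1.1 0% DOWN fw1-CKP
2 1.1.1.2 100% ACTIVE fw2-CKP
Active PNOTEs: IAC
State change: INIT -> DOWN
Reason for state change: Incorrect configuration - Local cluster member has fewer cluster interfaces configured compared to other cluster member(s)
Reason: Interface eth3 is down (Cluster Control Protocol packets are not received)
Failover counter: 13
"""

MEMBER = re.compile(r"^(\d+)\s+(\(local\)\s+)?(\S+)\s+(\d+)%\s+(.+?)\s+(\S+)$")
FIELD = re.compile(
    r"^(Active PNOTEs|State change|Reason for state change|Reason|Failover counter):\s*(.*)$")


def parse_cphaprob_stat(text):
    """Return the member table and the labelled fields found in the output."""
    report = {"members": [], "fields": {}}
    for raw in text.splitlines():
        line = raw.strip()
        m = MEMBER.match(line)
        if m:
            report["members"].append({
                "id": int(m[1]), "local": bool(m[2]), "address": m[3],
                "load": int(m[4]), "state": m[5], "name": m[6]})
            continue
        f = FIELD.match(line)
        if f:
            report["fields"][f[1]] = f[2]
    return report


def findings(report):
    """List what needs attention; healthy states are an assumption (ACTIVE, STANDBY)."""
    out = []
    healthy = [m for m in report["members"] if m["state"] in ("ACTIVE", "STANDBY")]
    for m in report["members"]:
        if m not in healthy:
            out.append(f"{m['name']} ({'local' if m['local'] else 'peer'}) is {m['state']}")
    fields = report["fields"]
    if fields.get("Active PNOTEs", "None") not in ("None", ""):
        out.append("active PNOTEs: " + fields["Active PNOTEs"])
    for key in ("Reason for state change", "Reason"):
        if key in fields:
            out.append(f"{key}: {fields[key]}")
    if len(healthy) < 2:
        out.append("no redundancy: losing the remaining healthy member interrupts traffic")
    return out
```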
"Reason for state change: Incorrect configuration - Local cluster member has fewer cluster interfaces configured compared to other cluster member(s)"
So the interface configurations should be checked and compared between both nodes.
It seems there is an interface configured in the SmartConsole object's topology and on one of the nodes but not on the other.
You may also use commands like
cphaprob -a if
fw getifs
and see output.
Or at least, connect to the Gaia Web Interface and Check / Compare Interface Configs of both nodes.
Besides the unsupported release:
The red cross icon can have many reasons. What does the little popup say when you move the mouse over it?
Just try this from SmartConsole, as per my screenshot, and see what it shows you. And yes, send the output of cphaprob -a if from both members, as well as the output from cpconfig.
Andy
We have:
2 x Cisco 4500: the backbone of the company (to which all other switches are connected by fiber),
a stack of 5 switches in the IT room,
and two Check Points.
There is a link between the two Check Points for the SYNC => I think it's for HA,
but there is also a cable between each Check Point and each Cisco backbone on interco VLAN 100: a VLAN that is not routed (just to isolate it from the other VLANs),
and two other cables in another VLAN (the same as the SmartConsole VM) go to each Cisco backbone.
I don't understand the configuration:
why there is a link between the two GWs of type sync
and an interco with the backbone of the company.
First of all I would identify the interfaces on the Check Point devices connected to each other and those connected to your interco.
Then I would have a look at the topology of the object in SmartConsole.
I guess somebody has configured two interfaces as sync interfaces. That should work in theory, I guess, but officially it's not a supported setup afaik.
Supported sync redundancy is to do that using bond interfaces.
I agree with everything @Vincent_Bacher said. Just for context, would you mind running the commands below on both members and sending the output as text file attachments?
Andy
cphaprob roles
cphaprob state
cpconfig
cphaprob -a if
cphaprob syncstat
cphaprob -i list
cphaprob -l list
cphaprob show_failover
cphaprob mvc