IGSSV
Participant

Objects not visible in Object Explorer despite existing in ClusterXL setup

Hello,

I'm facing an issue where two hosts configured in a ClusterXL setup are not visible in the Object Explorer. I need to reference these hosts in a policy, so I tried to create host objects for them. However, I received an error message indicating that the objects already exist (as shown in the attached screenshot).

Despite this, I'm unable to see these objects in the Object Explorer.

Environment:

  • Smart-1: VM (currently in testing phase)
  • Security Gateway: Checkpoint 9100 x2

Issue:

Two hosts configured in ClusterXL are not visible in the Object Explorer.
Attempting to create host objects results in an error stating the objects already exist.

ClusterXL appears to be functioning normally.

Smart-1 host alert is only about the trial license expiring.

Hosts are not visible in "Gateways and Servers" or any other category after searching.

Error message displayed when attempting to manually create host objects.

Any assistance would be greatly appreciated.

Thank you.

0 Kudos
2 Solutions

Accepted Solutions
emmap
Employee

You can just use the cluster object for this, it includes the cluster members and their interface IPs. 


the_rock
Legend

Wow, I can't believe I NEVER noticed this before, but in my 17 years being around CP, I always assumed cluster members were there in object explorer, but that's apparently NOT the case. I just checked 2 R81.20 labs and they are definitely not present, though you can add them as part of the rules.

Guess @IGSSV , as they say, learn something new every day : - )

I never had a customer bring this up, but if anyone ever does, I won't have to wonder.

Andy

 

Screenshot_1.png


(1)
24 Replies
G_W_Albrecht
Legend

Please show where the hosts have been created and for what reason!

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
IGSSV
Participant

I thought that when creating a cluster, the objects of the cluster members would be created automatically.
I did not create the host manually.

Before creating the cluster, I imported objects using the API (ExportImportPolicyPackage-master), but the host in question was not created.

0 Kudos
the_rock
Legend

They are NOT created automatically. You need to add them manually from smart console. As far as smart-1 mgmt server, it's expected it does not show up, I confirmed that with R&D a while ago and I'm sure it has not changed, at least not in R81.20.

Andy

0 Kudos
IGSSV
Participant

I see, they are not created automatically.

In that case, was it necessary to create the host as "Gateways and Servers" before creating the cluster with the wizard?

If I create the host in the current state, I think it will be registered as a normal host.

Also, it seems that a duplicate error occurs at the time of creation, but is it okay to ignore this?

0 Kudos
AkosBakos
Advisor

Hi @IGSSV

Did you try database install? Just to be sure.
A cpstop;cpstart is not an exact solution, but can help. 🙂

Run $MDS_FWDIR/scripts/run_cpmdoc.sh, maybe this points out something. Let's see what it shows.

Akos

----------------
\m/_(>_<)_\m/
0 Kudos
IGSSV
Participant
  • What kind of operation is database installation? Is it different from policy installation?
  • I tried cpstop; cpstart on both Smart-1 and SecurityGW, but the situation remains unchanged.
  • The results (summary) of CPM Doctor are as follows. It contains some customer information, so if you tell me, I will mask the details as needed and present them.
Version: R81.20
Hot Fixes:
FW1:
HOTFIX_VCE_R81_20_AUTOUPDATE
HOTFIX_NGM_DOCTOR_AUTOUPDATE
HOTFIX_WEBCONSOLE_AUTOUPDATE
HOTFIX_PUBLIC_CLOUD_CA_BUNDLE_AUTOUPDATE
HOTFIX_GOT_TPCONF_MGMT_AUTOUPDATE

MGMT:
NO HOTFIXES..

Setup: Security Management Server
Machine's name: XXXXXXXX
Type: Primary
Date: Tue Aug 27 00:11:54 JST 2024
Running mode: REGULAR

OK: 153 Tests, Error: 1 Tests, Warning: 2 Tests, Info: 43 Tests

The following are tests with Alert or higher:

- Missing IpsUpdateInspectFileList
- HTTPSi Rules Exist In Legacy HTTPSi Policy Check
- Java Xmx Check

 

0 Kudos
AkosBakos
Advisor

Hi @IGSSV

q: What kind of operation is database installation? Is it different from policy installation?

a: Yes, you can find it in the main menu in the top left corner of smartconsole. It is related to SmartCenter and Logservers

I prefer manual cluster creation to Wizard. As I see the guys gave the solution for you. 🙂

Akos

----------------
\m/_(>_<)_\m/
0 Kudos
IGSSV
Participant

Thank you for your reply.

I tried the database installation, but the situation did not change.

Is it possible that this is happening because the VM has low allocated resources in the test environment?

Virtual Memory: 8GB
Virtual CPU: 2 cores

0 Kudos
the_rock
Legend

Think of it this way...installing the database is sort of like pushing policy to the mgmt server (if that's even the right way to put it), but it's more if you ever create a new admin in smart console or something changes in guidbedit, I always install database, simply "refreshes" mgmt database, that's all. You can do that literally any time.

Andy

IGSSV
Participant

I understand. Thank you for the clear explanation!

0 Kudos
the_rock
Legend

No problem!

0 Kudos
PhoneBoy
Admin

I suspect the solution will be similar to: https://support.checkpoint.com/results/sk/sk126872 

0 Kudos
the_rock
Legend

Funny you mentioned that sk, as it did come to my mind, since I used it before, but only for groups related to anti-spoofing, nothing else. Not sure it may apply in this scenario, but definitely worth a try.

Andy

0 Kudos
IGSSV
Participant

Thank you.

Based on the SK you provided, I was able to find the relevant Security Gateway as a Network Object.

However, there was no cdm_auto_calculated item as mentioned in the SK, so I couldn't do anything further. It seems that the object does exist.

0 Kudos
the_rock
Legend

From my lab below (cluster object and cluster members). Can you send what you see in your setup? (just blur out sensitive info).

Btw, what options do you see when you single click on the cluster member object? (bottom pane)?

 

Screenshot_1.png

0 Kudos
IGSSV
Participant

 

Thank you for your reply.

I will include a screenshot below.

 

It seems that there are also member objects, just like in your lab environment.

The contents were like this.

Bob_Zimmerman
Authority

Why are you trying to make a host object with the same name as a cluster member object? Just use the cluster in the policy.

0 Kudos
IGSSV
Participant

I'm trying to write rules for Mgmt for SSH and Snmp

and some PBR

0 Kudos
emmap
Employee

You can just use the cluster object for this, it includes the cluster members and their interface IPs. 

IGSSV
Participant

For some reason, when I checked Smart-1 this morning, the object in question appeared. It doesn't show up in the Object Browser, but it is now visible in the Src/Dst selection when registering policies.

I tried installing the database three times as you suggested, the_rock, but I haven't made any other configuration changes.

Thank you for your prompt response.

0 Kudos
the_rock
Legend

Well, installing database probably won't make object appear out of the blue in the object list, but I really find it odd that you saw them in guidbedit, but not in smart console. I never had that happen either in the lab or with any customer and I helped hundreds. Either way, sk Phoneboy gave is definitely great reference, but as I mentioned, personally, I ONLY used it for anti-spoofing groups issue not being visible, never for fw object itself.

Andy

0 Kudos
IGSSV
Participant

This is completely puzzling, but this is the situation now. (See attached image)
There are no issues with policy configuration, so I plan to proceed as is.
Thank you!

The Security Gateways are still not appearing in the Object Browser.

However, the Security Gateways are visible when selecting from the "+" option in the source or destination fields during policy creation.

0 Kudos
the_rock
Legend

I will double check my lab tomorrow and update.

Andy

0 Kudos
the_rock
Legend

Wow, I can't believe I NEVER noticed this before, but in my 17 years being around CP, I always assumed cluster members were there in object explorer, but that's apparently NOT the case. I just checked 2 R81.20 labs and they are definitely not present, though you can add them as part of the rules.

Guess @IGSSV , as they say, learn something new every day : - )

I never had a customer bring this up, but if anyone ever does, I won't have to wonder.

Andy

 

Screenshot_1.png

(1)
