I have a 3100 updated to R81.10.
Right now I'm upgrading from an older 600, but noticing Gaia is less friendly to the novice, so bear with the stupid questions.
On my 600 there was literally a WAN/DHCP mode you could turn on for an interface; the 3100 doesn't seem to have this.
What settings/configurations do I need to get going so I can achieve the same functionality?
I can't seem to find any guides to this end - I'm guessing this is so basic as to be laughable to have a guide.
Any help appreciated.
Thanks!
Thanks for all the help.
I didn't want to leave you hanging - I ended up throwing a fresh hard drive in and flashing with pfsense.
So far that's been much simpler for my use case - pre-configured with WAN/LAN as needed and starter firewall settings.
Some of this is my fault for thinking that the 3100 software would have been a similar experience to my Check Point 600 or 100g software, but it's been extremely time intensive to do basic setup and I haven't even gotten to fine tuning everything.
Please refer to sk92768 for instructions for the WebUI / CLISH.
But in case you meant using the Gateway itself as a DHCP server, this is also possible; refer to:
Note, however, that the interfaces on a 3100 are not switch ports like those on a 600.
NAT is configured within SmartConsole along with your access policy and interface topology. For NAT the simple option is to enable the check box on the gateway object, though this is not as flexible as defining manual hide-NAT rules.
If I specify my internet source as another router, it all works fine.
But if I try to use the modem per sk92768:
Could not connect to the Check Point Cloud. Check your connection settings (Default Gateway, DNS, Proxy)
Try this: in the Gaia web interface, go down to 'Advanced Routing -> Routing Options' and enable the checkbox for 'Kernel Routes'. This will allow the gateway to import the dynamically learned default route that it received from DHCP.
No change in the error - still:
Could not connect to the Check Point Cloud. Check your connection settings (Default Gateway, DNS, Proxy)
With or without the Modem IP hardcoded.
That error literally always means that the gateway can't reach the CP update server. So try the curl_cli updates.checkpoint.com and curl_cli cws.checkpoint.com commands and see what you get.
Once the routing has been verified, further to Joseph's suggestion, some other diagnostic measures may include:
External Interface topology: if the address you receive isn't static, try specifying a dummy address of 0.0.0.0/32.
Global properties: Menu > Global Properties > Firewall > Accept outgoing packets originating from Gateway: First.
Whilst on this screen it's probably also beneficial to you to enable "Log Implied Rules".
Click OK and install policy.
I felt like I was making progress - I finally got cert errors figured out and cpconfig enabled correctly.
I was into smart console:
- Enabled the Hide NAT setting
- Enabled Autonomous IPS
- Enabled Base Firewall
Now I can't connect to SmartConsole anymore (Certificate Revoked).
GAIA via browser is "Secure Connection Failed"
It seems like if I do a cpstop/cpstart - there is a short window when I get the UI back, but then back to cert errors.
Two steps forward - one step.
Thanks for all the assistance - look forward to trying more things once I can get off just a putty connection 😉
Does "fw unloadlocal" from the CLI allow you back in to correct your policy/config?
fw unloadlocal - Fixed "Secure Connection Failed" and I can get back into GAIA.
SmartConsole is still (Certificate Revoked).
Can you attach a screenshot of the SmartConsole error? Try this: SSH into the mgmt server and, once you type cpconfig from expert mode, just pick the option for administrators and add a new admin (this is for the dashboard). Once you do this, it may ask you to do a cprestart; then try to log in with that newly created user.
fw unloadlocal -> GAIA -> Certificate Authority Reset -> cprestart - got rid of the "revoked" message.
Back to "Unable to Connect" or "The Operation Timed Out".
cpconfig -> re-add admin -> restart == didn't get any improvement.
^ (originally that's how I got into past those errors and into SmartConsole to begin with).
At least I can get into GAIA again, but a little unsure how to proceed from here.
Ok, that's what I figured. So try to do what I suggested and see if you can log in. Also, on the mgmt server, run cpwd_admin list, as well as cd $FWDIR/scripts and then ./cpm_status.sh
Those commands would tell us if there is an issue with any process on your management server.
Miraculously SmartConsole just kicked over...didn't change anything from 5 minutes ago...but not going to argue it.
I guess my next question is what do I check for or set so that I don't have to run telnet to "fw unloadlocal" and play firewall reset every time the CP services restart... then maybe back to getting the modem connecting... sigh... nothing is ever easy 🙂
I hear ya brother : - ). Well, technically, every time the firewall reboots, it should fetch the latest known policy, so if you apply the correct policy from the mgmt server, then that's what would be on it after reboot. That way, you would never have to run the fw unloadlocal command.
I figured out what happened. There is a "clean-up" rule that applies when you enable the firewall blade, but it neglects to set an allow route for MGMT. The SmartConsole logs were showing the dropped packets. With 192.168.X.0 to host address Accept defined, the problem seems to have corrected.
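The lockout above comes from top-down, first-match evaluation: once the Firewall blade is on, the explicit cleanup rule drops everything that no earlier rule accepted, including SmartConsole and Gaia portal connections from the LAN to the box itself. The same ordering is why the earlier reply sets "Accept outgoing packets originating from Gateway" to First: with the implied rule placed Last it sits behind the cleanup drop and never matches. The following toy rulebase evaluator is an added example that is not Check Point code and does not read a real policy; the management network 192.168.1.0/24, the gateway address 10.0.0.1, the update-server placeholder 203.0.113.10, the CPMI port label and a standalone deployment (gateway and management on the same box) are all assumptions made for the illustration.

```python
"""Toy first-match rulebase illustrating (a) the cleanup rule dropping
management traffic when no explicit accept precedes it and (b) the effect of
the implied rule's position (First / Before Last / Last).

Added example, not Check Point code. MGMT_NET, GATEWAY, the port labels and
the standalone (gateway + management on one box) assumption are constructed
for the example."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src: str       # CIDR, or "any"
    dst: str       # CIDR, or "any"
    service: str   # "any" or a label such as "tcp/18190"
    action: str    # "accept" or "drop"


MGMT_NET = "192.168.1.0/24"   # assumed LAN / management network
GATEWAY = "10.0.0.1"          # assumed address SmartConsole and the Gaia portal connect to


def _in(scope: str, ip: str) -> bool:
    """True when ip falls inside scope ('any' matches everything)."""
    return scope == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(scope, strict=False)


def evaluate(rulebase: List[Rule], src: str, dst: str, service: str) -> Tuple[str, str]:
    """Top-down, first-match: the first rule whose src, dst and service all
    match decides. A packet matching nothing falls through to the implicit drop."""
    for rule in rulebase:
        if _in(rule.src, src) and _in(rule.dst, dst) and rule.service in ("any", service):
            return rule.action, rule.name
    return "drop", "implicit drop"


def build_rulebase(allow_mgmt: bool, implied_position: str = "first") -> List[Rule]:
    """Explicit rules plus the implied 'accept outgoing from gateway' rule.
    implied_position mirrors the Global Properties choice: 'first',
    'before last' (before the final explicit rule) or 'last' (after it)."""
    implied = Rule("implied: accept outgoing from gateway", GATEWAY + "/32", "any", "any", "accept")
    explicit: List[Rule] = []
    if allow_mgmt:
        # The rule the post above ended up adding: mgmt LAN -> gateway host, accept.
        explicit.append(Rule("mgmt to gateway", MGMT_NET, GATEWAY + "/32", "any", "accept"))
    explicit.append(Rule("cleanup", "any", "any", "any", "drop"))
    if implied_position == "first":
        return [implied] + explicit
    if implied_position == "before last":
        return explicit[:-1] + [implied] + explicit[-1:]
    if implied_position == "last":
        return explicit + [implied]
    raise ValueError(f"unknown implied rule position: {implied_position!r}")


def lockout_check(allow_mgmt: bool) -> Tuple[str, str]:
    """Fate of a SmartConsole (CPMI, tcp/18190) connection from a LAN host."""
    return evaluate(build_rulebase(allow_mgmt), "192.168.1.50", GATEWAY, "tcp/18190")


def update_check(implied_position: str) -> Tuple[str, str]:
    """Fate of gateway-originated HTTPS to an update server (placeholder address)."""
    return evaluate(build_rulebase(True, implied_position), GATEWAY, "203.0.113.10", "tcp/443")


if __name__ == "__main__":
    print("SmartConsole, no explicit mgmt rule:", lockout_check(False))
    print("SmartConsole, explicit mgmt rule:   ", lockout_check(True))
    for pos in ("first", "before last", "last"):
        print(f"gateway -> update server, implied rule {pos!r}:", update_check(pos))
```

With "Log Implied Rules" enabled, the implied-rule matches also show up in the logs, which is what makes the dropped-packet view in SmartConsole usable for finding exactly which rule is eating the traffic.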
Hello,
Unfortunately Certificate Revoked has become a classic issue on the Management server. Good news is that CheckPoint knows how to fix this: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
That link just explains the problem, but it will take you to a second sk with the solution procedure:
Hope it helps you.
Regards
I honestly never had that problem in 15 years dealing with CP. But, good links for the reference. Don't want to jinx it now : - )
I think I have some kind of lead on the modem - our least oddity:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
dhcp.leases is blank for me. (with automatic ipv4 set or static set)
Your Firewall is a DHCP client?
The SK is referring to it being set as a server for allocating IPs to LAN hosts.
Do you see a default route when you get the dynamic address or have you tried configuring one manually?
Can you ping the next-hop?
ifconfig -a ethX
netstat -nr
ping a.b.c.d
What IP range should you receive from the modem's DHCP, and does it conflict with the existing firewall LAN addressing?
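The checks in the reply above (address on the WAN interface, a default route, a reachable next hop, no overlap with the LAN range) can be run mechanically over the routing table before spending time on the Check Point Cloud error. The script below is an added example, not Check Point code or part of the thread: it parses the text that netstat -nr prints in expert mode and reports the conditions asked about, including the missing-default-route case that the Kernel Routes setting from an earlier reply addresses. The three routing tables embedded in it are constructed for the example, and eth0 as WAN and eth1 as LAN are assumptions; on a real box pipe the live output in instead.

```python
"""Pre-flight routing check for a Gaia gateway taking its WAN address from a
modem's DHCP. Added example, not Check Point code: it reads the text printed by
`netstat -nr` (expert mode) and lists the problems the thread's replies ask
about. The sample tables and the eth0 (WAN) / eth1 (LAN) roles are constructed
assumptions for the example."""
import ipaddress
import sys
from typing import Dict, List, Optional, Tuple


def parse_routes(netstat_text: str) -> List[dict]:
    """Parse `netstat -nr` output into dicts (dest, gateway, mask, iface).
    Header lines, and anything whose first three columns are not IPv4
    addresses, are skipped."""
    routes = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 8:
            continue
        dest, gw, mask, iface = parts[0], parts[1], parts[2], parts[-1]
        try:
            ipaddress.ip_address(dest)
            ipaddress.ip_address(gw)
            ipaddress.ip_address(mask)
        except ValueError:
            continue
        routes.append({"dest": dest, "gateway": gw, "mask": mask, "iface": iface})
    return routes


def default_route(routes: List[dict]) -> Optional[Tuple[str, str]]:
    """(next hop, interface) of the 0.0.0.0/0 route, or None if there is none."""
    for r in routes:
        if r["dest"] == "0.0.0.0" and r["mask"] == "0.0.0.0":
            return r["gateway"], r["iface"]
    return None


def connected_networks(routes: List[dict]) -> Dict[str, List[ipaddress.IPv4Network]]:
    """Directly connected subnets (gateway column 0.0.0.0), keyed by interface."""
    nets: Dict[str, List[ipaddress.IPv4Network]] = {}
    for r in routes:
        if r["gateway"] == "0.0.0.0" and r["mask"] != "0.0.0.0":
            net = ipaddress.ip_network(f'{r["dest"]}/{r["mask"]}', strict=False)
            nets.setdefault(r["iface"], []).append(net)
    return nets


def check_routes(netstat_text: str, wan_iface: str = "eth0", lan_iface: str = "eth1") -> List[str]:
    """Return a list of problems (empty list means the table looks usable)."""
    routes = parse_routes(netstat_text)
    nets = connected_networks(routes)
    problems: List[str] = []
    dr = default_route(routes)
    if dr is None:
        problems.append("no default route: if the WAN address came from DHCP, enable "
                        "Advanced Routing > Routing Options > Kernel Routes and re-check")
    else:
        gw, iface = dr
        if iface != wan_iface:
            problems.append(f"default route leaves via {iface}, not the WAN interface {wan_iface}")
        if not any(ipaddress.ip_address(gw) in n for n in nets.get(iface, [])):
            problems.append(f"next hop {gw} is not inside any connected subnet on {iface}; ping will fail")
    if wan_iface not in nets:
        problems.append(f"{wan_iface} has no connected subnet: no address obtained (check the DHCP client/lease)")
    for wan_net in nets.get(wan_iface, []):
        for lan_net in nets.get(lan_iface, []):
            if wan_net.overlaps(lan_net):
                problems.append(f"WAN subnet {wan_net} overlaps LAN subnet {lan_net}; "
                                "change the LAN addressing or the modem's DHCP range")
    return problems


# Constructed sample tables (not captured from a real box).
SAMPLE_OK = """Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG        0 0          0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1
"""
SAMPLE_NO_DEFAULT = """Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1
"""
SAMPLE_OVERLAP = """Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1
"""

if __name__ == "__main__":
    # Usage on the box: netstat -nr | python3 this_script.py ; otherwise run the samples.
    if not sys.stdin.isatty():
        tables = {"stdin": sys.stdin.read()}
    else:
        tables = {"ok": SAMPLE_OK, "no default": SAMPLE_NO_DEFAULT, "overlap": SAMPLE_OVERLAP}
    for label, text in tables.items():
        found = check_routes(text)
        print(f"[{label}] " + ("no problems found" if not found else "; ".join(found)))
```

If this reports nothing and curl_cli to updates.checkpoint.com still fails, the remaining suspects are DNS and the policy itself (the implied-rule position and logging suggestions earlier in the thread), not layer-3 reachability.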