This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
gentjan
Explorer
‎2021-12-26 09:40 PM

Smart console R81 internal error

The new user with only read credentials is created in smart console. After that, when trying to access through admin (superuser) the "internal error " is displayed.

How can be solved this situation.

0 Kudos
13 Replies
_Val_
Admin
Admin
‎2021-12-26 11:42 PM

Please provide more information, and show the actual error.

0 Kudos
gentjan
Explorer
‎2021-12-27 12:31 AM
In response to _Val_

The error is as per attached. The access as read is OK, but when try with administrative role get the attached error.

Preview file
983 KB
0 Kudos
_Val_
Admin
Admin
‎2021-12-27 03:41 AM
In response to gentjan

Reboot the management server. If the error is still there, post here output of "cpwd_admin list"

0 Kudos
the_rock
Legend
Legend
‎2021-12-27 10:22 AM
In response to gentjan

@_Val_ made a good point. Just reboot it (wont cause any issues), or at least do cpstop/cpstart first and check. It makes no sense that if you created read only access user, that somehow it would cause this problem.

0 Kudos
gentjan
Explorer
‎2021-12-27 11:12 AM
In response to the_rock

The topology is two gateways deployed in cluster. I performed (same situation after) the cpstop and cpstart in primary gateway (i dont know if it is needed to perform and to the secondary gateway)through  Clish.

Is there any procedure to reboot the management server (in cluster and management server is integrated as well) as there is no any other administrator account in smart console??

0 Kudos
gentjan
Explorer
‎2021-12-27 09:38 PM
In response to gentjan

I rebooted the management server and still internal error" when trying to login as admin credentials. Please be aware that same credentials as read only everything is OK.

below are the outputs of cpwd admin list


APP PID STAT #START START_TIME MON COMMAND
CPVIEWD 17031 E 1 [06:25:10] 28/12/2021 N cpviewd
CPVIEWS 17036 E 1 [06:25:10] 28/12/2021 N cpview_services
SXL_STATD 17039 E 1 [06:25:10] 28/12/2021 N sxl_statd
CPD 17052 E 1 [06:25:10] 28/12/2021 Y cpd
MPDAEMON 17063 E 1 [06:25:10] 28/12/2021 N mpdaemon /opt/CPshrd-R81/log/mpdaemon.elg /opt/CPshrd-R81/conf/mpdaemon.conf
TP_CONF_SERVICE 17080 E 1 [06:25:10] 28/12/2021 N tp_conf_service --conf=tp_conf.json --log=error
CXLD 17189 E 1 [06:25:17] 28/12/2021 N cxld -d
CI_CLEANUP 17198 E 1 [06:25:18] 28/12/2021 N avi_del_tmp_files
CIHS 17200 E 1 [06:25:18] 28/12/2021 N ci_http_server -j -f /opt/CPsuite-R81/fw1/conf/cihs.conf
FWD 17215 E 1 [06:25:18] 28/12/2021 N fwd
FWM 17221 E 1 [06:25:18] 28/12/2021 N fwm
STPR 17245 E 1 [06:25:18] 28/12/2021 N status_proxy
SPIKE_DETECTIVE 17249 E 1 [06:25:18] 28/12/2021 N spike_detective
CPM 17570 E 1 [06:25:23] 28/12/2021 N /opt/CPsuite-R81/fw1/scripts/cpm.sh -s
CPHAMCSET 19140 E 1 [06:25:43] 28/12/2021 N cphamcset -d
RFL 30033 E 1 [06:26:31] 28/12/2021 N LogCore
SMARTVIEW 30062 E 1 [06:26:31] 28/12/2021 N SmartView
INDEXER 30102 E 1 [06:26:32] 28/12/2021 N /opt/CPrt-R81/log_indexer/log_indexer
SMARTLOG_SERVER 30217 E 1 [06:26:33] 28/12/2021 N /opt/CPSmartLog-R81/smartlog_server
EXPORTER.SPLUNK-SIEM-57.56.41.14 30250 E 1 [06:26:33] 28/12/2021 N /opt/CPrt-R81/log_exporter/targets/SPLUNK-SIEM-57.56.41.14/log_exporter -export /opt/CPrt-R81/log_exporter/targets/SPLUNK-SIEM-57.56.41.14/targetConfiguration.xml
REPMAN 30358 E 1 [06:26:35] 28/12/2021 N java_repository_manager
DASERVICE 30362 E 1 [06:26:35] 28/12/2021 N DAService_script
AUTOUPDATER 30416 E 1 [06:26:36] 28/12/2021 N AutoUpdaterService.sh
CPSM 10476 E 1 [06:29:53] 28/12/2021 N cpstat_monitor

0 Kudos
_Val_
Admin
Admin
‎2021-12-27 11:35 PM
In response to gentjan

Please open a TAC request.

0 Kudos
the_rock
Legend
Legend
‎2021-12-29 06:00 AM
In response to gentjan

K, silly question, but just to cover all the basics, have you tried logging in with admin account from maybe a different PC to see if you get same issue?

0 Kudos
Tal_Paz-Fridman
Employee
Employee
‎2021-12-29 05:57 AM

Hi

As a workaround I would recommend creating a new Superuser administrator using Management API:

https://sc1.checkpoint.com/documents/latest/APIs/#cli/add-administrator~v1.8%20

 

After creating it try to login using the new administrator.

HTH

Tal

gentjan
Explorer
‎2022-01-03 11:54 PM
In response to Tal_Paz-Fridman

I tried it in Gaia CLI in primary gateway, but the administrator is not created. 

Authentication in server failed message received.

 

0 Kudos
the_rock
Legend
Legend
‎2022-01-04 05:46 AM
In response to gentjan

This is such a weird problem. What did TAC recommend to you?

0 Kudos
Tal_Paz-Fridman
Employee
Employee
‎2022-01-05 09:51 AM
In response to gentjan

If it failed on the authentication it still does not signal a problem.

First, you need to be logged in Expert Mode.

Then run the mgmt_cli add administrator command from the link I provided. The credentials you need to use are of the Security Management Administrator (like the one used to login using SmartConsole) and not the Gaia machine credentials.

HTH

Tal

0 Kudos
bgodbout
Explorer
‎2022-04-22 07:13 PM

Long time lurker - just spent the last few hours with TAC on a very similar issue. I now feel obligated to share the result.

Upgraded from r80.30 to r80.10. Applied latest jhf (45). After successful upgrade, received generic error about an internal error when logging in to SmartConsole.

Services up, applied a not yet public sk178807 fix, handful of other things, still no luck.

The issue was with the Security Management GUI Clients defined. I personally had three entries; one specific IP, network range 0.0.0.0-0.0.0.0, and "any." My host met two of the three client types defined, only has to match one to be allowed to authenticate. And to remind you, did not have issues prior to upgrade.

We removed the single IP, and network range to just keep the "any" entry. BAM let me in.

BUG will be posted soon.. my scenario may not match yours exactly.. but it sure is close.. Just one stranger trying to help another.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events