This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
skandshus
Advisor
Advisor
‎2021-05-13 06:50 AM
Jump to solution

Failed to find a dynamic interface on DAIP module" er

hello everyone.

First time poster here..

still learning all this.

I am trying to Remotely manage a 3600 Appliance which sits on a DHCP provided address, i have both a dynamic and a DHCP "static" address available..

 

so for testing i need to have both scenarios working, so i know how to counter multiple issue in the future if they were to arrive.

 

right now i am stuck with the fact that in the Gaia first time setup i was only able to choose STATIC or dynamic adress on the External interface.. since the ip right now is DHCP supplied as a DHCP reservation from the ISP, it trigs in the gaia and the smart console as a DAIP interface. which it both isnt and somehow is..  its dynamically assigned but it will never change.

 

so i've read that the solution would be to remove a "flag" from the registry here:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

 

Solution:

  1. Disable the Dynamic Address Gateway (DAG) flag in the registry.

    • On Gaia / SecurePlatform / Linux Security Gateways:

      Edit the $CPDIR/registry/HKLM_registry.data file:

      [Expert@HostName:0]# cp -v $CPDIR/registry/HKLM_registry.data $CPDIR/registry/HKLM_registry.data_ORIGINAL
      [Expert@HostName:0]# vi $CPDIR/registry/HKLM_registry.data

      Search for "DAG".

      Change the value of this attribute from 1 to 0:
      from
      :DAG ("[4]1")
      to
      :DAG ("[4]0")


I have been searching all over to find some guides on how to achieve this but i havent come to a solution yet.
can anybody in here shed some light on how i can actually change the mentioned registry file on the 3600 Appliance?

 

 

 

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2021-05-13 07:51 AM
Jump to solution

When you perform the steps above and do cprestart, what precisely happens?

Note you should never choose dynamic as the option unless the IP can actually change.
If the IP is always retrieved via DHCP and it will be the same, choose static in the First Time Wizard.
You can configure the external IP using DHCP later on.

View solution in original post

0 Kudos
5 Replies
PhoneBoy
Admin
Admin
‎2021-05-13 07:51 AM
Jump to solution

When you perform the steps above and do cprestart, what precisely happens?

Note you should never choose dynamic as the option unless the IP can actually change.
If the IP is always retrieved via DHCP and it will be the same, choose static in the First Time Wizard.
You can configure the external IP using DHCP later on.

0 Kudos
skandshus
Advisor
Advisor
‎2021-05-13 08:05 AM
In response to PhoneBoy
Jump to solution

Hi Phoneboy.
since im new in this Checkpoint world. Would you say its easier for me to just "start over" on the 3000 appliance?

The steps above is actually my first challenge. im dont know how to edit it through ssh.
i tried use winscp to locate the file, but the checkpoint wont accept connection attemps from that one 🙂

and since the "solution" doesnt provide an actual guide but only the answer im somewhat stuck as to fixing the issue.
i can start over, but id love to actually SOLVE the problem instead 🙂
is there anywhere in the support section where i can actually read up on, or find guides on how to manage DAIP gateway and remote gateway.
like "how to's" and stuff like that.
from what i have found so far, it seems like most of the info is for Advanced users only.. not newcomers to the Checkpoint world.




EDIT: I managed to call a friend who helped me change the value from 1 to 0 and did a CPrestart. but that didnt change anything.

i still got an issue when trying to push policy's..

I've attached a Photo of the issue when trying to push a policy

Preview file
226 KB
0 Kudos
PhoneBoy
Admin
Admin
‎2021-05-13 01:25 PM
In response to skandshus
Jump to solution

winscp won't work unless you use a user that has bash as the shell instead of clish (which is the default).
You can edit the file on the appliance with "vi", which is a standard Linux/Unix utility.

As I implied in my last message, your situation really isn't "dynamic IP" since your IP will never change.
Also, DAIP gateways have significant limitations (see https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...), so you shouldn't choose that option unless your IP is truly dynamic (versus just being obtained via DHCP).
These limitations don't apply to our SMB appliances, which run different code more suited for DAIP environments.

To make sure Gaia is configured to use DHCP for the relevant interface, see: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 

To solve the problem that you currently have, I suspect you'll need to uncheck the Dynamic Address box in your gateway object.

Screen Shot 2021-05-13 at 1.17.07 PM.png

As for "getting started" as a new Check Point customer, you can start with our Check Point for Beginners section on CheckMates (in the Learn menu) which has several "step by step" labs.
There are also links to other free training resources there as well. 

0 Kudos
skandshus
Advisor
Advisor
‎2021-05-13 01:53 PM
In response to PhoneBoy
Jump to solution

While waiting for your response, i Decided to Reset the device and go with the "static" option and say "off" to the upcoming question regarding my interfaces and dealt with them manually after the quick start.
That made it work 🙂

Thank you for the hint though from the beginning, it actually made the difference.


Would you by any chance have another guess at why the "remote gateway" doesnt show log in the management?
the management server is behind nat. and ive done the nat rules for the management server so logs should be able to enter..
i cant even see "hits" on the nat rule

0 Kudos
PhoneBoy
Admin
Admin
‎2021-05-13 04:25 PM
In response to skandshus
Jump to solution

You should configure the NAT in the management object, as described here versus manual NAT rules: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Trending Discussions
Harmony SASE geo block question
Upcoming Events

    CheckMates Events