unable to sign in checkpoint smart dash board

tng_aik_hong · ‎2018-06-10

Hi all,

i have created a VM checkpoint in the VMware for testing. but i could not sign in to checkpoint smart dash board.

i have register the licenses in the checkpoint already.

i have done the following troubleshoot steps

change the date and time in checkpoint gui and laptop

stop and start the firewall service in cli

i wanted to test this specific version of checkpoint in the vm test environment

below are my specification,

i don't want to upgrade the version, please help

Maarten_Sjouw · ‎2018-06-11

Have you run sysconfig/mdsconfig to add a admin and a gui-client? If so then read on.

I ran into similar issues with the R75.40 (non VS). Best thing to do is to re-image the VM and BEFORE you run the FTW (GAIA) or while running sysconfig set the date back to 01-01-2016.

After that finish your installation and you will find that when you update all mdsconfig settings that need to be set you will be fine.

Regards, Maarten

Vincent_Bacher · ‎2018-06-11

I had a similar issue few month ago with R77.30 and found sk122612.

Cause

The issue is relevant to the below scenarios:

Upon clean install of Security Management / Standalone / Multi-Domain Server R77.30 or below after January 24th 2018.
Upon adding CMA on Multi-Domain Server below 77.30 Jumbo Hotfix take 143 (Inlcuding previous versions) .

You can check if this is your issue by (re-)creating internal ca. If this fails (Could not create Certificate Authority. General problem in Certificate Authority. Failed to initiate Certificate Authority NOTE: The creation of the certificate failed) this sk may match your Scenario.

In R77.30 the solution was to install recent jumbo. In your R75.40: For R77.20 and below contact Check Point Support to get a solution for this issue.

But a workaround could be to set the System date prior to January 24th.

Another issue i had in the past when using VM was when assigned not enough RAM.

Cheers
Vincent

P.S.: Maarten was quicker than me
And: Why does the first screenshot display "security gateway"? Is this a standalone Gateway including Management? If yes, did you try "fw unloadlocal"?

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite

ED · ‎2018-06-11

Hi,

Please run through these troubleshooting steps first. It's a well known error.

"Connection cannot be initiated. Make sure server is up and running" error in SmartDashboard

PhoneBoy · ‎2018-06-11

Just so you know, this version of code is no longer supported.

You will most likely have to do the initial installation with the system backdated to prior to 24th January 2018, as Vincent Bacher‌ suggests.

Once the ICA is initialized, you can set the date forward appropriately.

tng_aik_hong · ‎2018-06-11

hi,

i have changed the date backward to 2017 for checkpoint and my laptop and the ca was registered succesfully and the finger print in the cli say it communicating.my problem is both of this has been register while i changed the backward date. but when i play around with the cpstop and cpstart

cpstop giving me the error unable to initialte

and cpstart give me the error your trial period is expired

Vincent_Bacher · ‎2018-06-11

Hello,

well, in this case you have to either stay on the old date or first attach a license, i assume.

Vincent

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite

PhoneBoy · ‎2018-06-12

That's because the 15-day plug-n-play eval license is based on the date the initial CA was created.

When you set the date forward, you are past those 15 days

You can request a 30-day evaluation in UserCenter free of charge from the menu Try Our Products > Try Our Products > Product Evaluation.

G_W_Albrecht · ‎2018-06-12

I do see no use in testing this outdated & unsupported version at all, i must admit

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

Vincent_Bacher · ‎2018-06-12

Sure. Maybe there are other reasons than testing

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite

Hue_hue · ‎2018-09-14

I do this to test a specific upgrade scenario...because you kind of have to if you want an error free day

tng_aik_hong · ‎2018-06-14

Hi all,

i have done the license again and this time, it is able to capture in the gui, but im still unable to sign in to the smart dash board, i got the error "authentication to server 10.85.186.153 failed"

Vincent_Bacher · ‎2018-06-14

Hello,

don't have a solution in mind but you may debug fwm as per sk86186

See instructions below.

Then have a look at fwm.elg 😉

Cheers

Procedure:
On SecurePlatform OS R75.10 and lower: Disable log rotation per Solution sk52120:
[Expert@Hostname]# /bin/log_start list | grep fwm
[Expert@Hostname]# /bin/log_start unlimit 35
[Expert@Hostname]# /bin/log_start list | grep fwm

Add a mark to the log file:
[Expert@Hostname]# echo "=debug_start=" >> $FWDIR/log/fwm.elg

Start the FWM debug:
[Expert@Hostname]# fw debug fwm on TDERROR_DBG_OPT=time,host,prog,topic,pid,tid
[Expert@Hostname]# fw debug fwm on TDERROR_ALL_ALL=5
[Expert@Hostname]# fw debug fwm on OPSEC_DEBUG_LEVEL=3
Notes:
For MGMT HA debugging, on both Management machines also run:
[Expert@HostName]# fw debug fwm on TDERROR_ALL_MGMTHA=5

In case of policy installation, the TDERROR_ALL_ALL=5 can be replaced with two more focused debugs -
TDERROR_ALL_INSTMGR=5andTDERROR_ALL_INSTMGRFN=5:
instead of
[Expert@Hostname]# fw debug fwm on TDERROR_ALL_ALL=5
run
[Expert@Hostname]# fw debug fwm on TDERROR_ALL_INSTMGR=5 [Expert@Hostname]# fw debug fwm on TDERROR_ALL_INSTMGRFN=5

Replicate the problem.

Stop the FWM debug:
[Expert@Hostname]# fw debug fwm off TDERROR_ALL_ALL=0
[Expert@Hostname]# fw debug fwm off OPSEC_DEBUG_LEVEL=0
Note:
If MGMT HA debugging was started, then on both Management machines also run:
[Expert@HostName]# fw debug fwm off TDERROR_ALL_MGMTHA=0

Add a mark to the log file:
[Expert@Hostname]# echo "=debug_stop=" >> $FWDIR/log/fwm.elg

On SecurePlatform OS R75.10 and lower: Re-enable log rotation per Solution sk52120:
[Expert@Hostname]# /bin/log_start list | grep fwm
[Expert@Hostname]# /bin/log_start limit 35 1048576 4
[Expert@Hostname]# /bin/log_start list | grep fwm

Send the following files to Check Point Support for analysis:
CPinfo file from the Security Management Server collected with the latest version of CPinfo utility from sk92739
Note: On Provider-1 Server / Multi-Domain Server, collect the CPinfo file from both
the context of MDS
the context of relevant CMA / Domain

Log files:
$FWDIR/log/fwm.elg*
$CPDIR/log/cpwd.elg*
/var/log/message*

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite

tng_aik_hong · ‎2018-06-17

Hi,

i have try the above following debug session, but it mention the license version might be not compatible

PhoneBoy · ‎2018-06-17

The current eval licenses contain feature strings that are not valid in R75.40VS.

Those errors can be safely ignored.

Let's start with more basic things:

Is the fwm process even running? Something like a ps -auxw | grep fwm should validate this.
Have you specified the correct IP address (or any) in cpconfig as a GUI client?
Have you defined an administrator (with the correct password) via cpconfig?

Even if you've think you've done all these, it's worth checking/defining again.

tng_aik_hong · ‎2018-06-17

Hi,

Is the fwm process even running? Something like a ps -auxw | grep fwm should validate this.
i got the following error message

Have you specified the correct IP address (or any) in cpconfig as a GUI client?

Have you defined an administrator (with the correct password) via cpconfig?

Vincent_Bacher · ‎2018-06-17

You misunderstood a bit.

ps command without the fwm in front of if

And gui clients in cpconfig. Or the addresses may listed by

cat $FWDIR/conf/gui-clients

as well

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite

Are you a member of CheckMates?

unable to sign in checkpoint smart dash board