Monday, October 10, 2011

Mobile Access VPN Policy tab is Empty

An exception occured while constructing the view:
CDIeException Exception:
Error Code: 0(Unspecified error)
User Message: Genera Error: Invalid or No UID
Debug Message:
CDleDereferenceReqHandler::_dereferenceSingleFieldObject not found in CPMI
File Name:
f:\ckp\src\cpdle_flow_983000029\cpdle\comm_itf\CommandCpmiAsync.h
Line number: 207
Inner: NONE


Solution:
Back up and then delete the following files in $FWDIR/conf:
applications.C
CPMILinksMGR.db
This is a general solution for SmartConsole problems.

Updated note: also check the connectra_policy.C file and correct any corrupted lines.

Sunday, October 2, 2011

Changing Mac Magic numbers at Checkpoint Cluster

The operation below is needed when two Check Point clusters run on the same network.
To view the current values:
# fw ctl get int fwha_mac_magic
# fw ctl get int fwha_mac_forward_magic
The default values are 254 and 253.
Let's change them to 251 and 250:
# fw ctl set int fwha_mac_magic 251
# fw ctl set int fwha_mac_forward_magic 250
We should also write them, as hex values, to $FWDIR/boot/modules/fwkern.conf, like the example below:
fwha_mac_magic=0xfb
fwha_mac_forward_magic=0xfa
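As an added example (not from the original post), the POSIX shell script below builds the fwkern.conf lines for a chosen pair of magic values and reads them back in decimal, so the file can be checked against the output of fw ctl get int; the function names and the sample file are my own.

```shell
#!/bin/sh
# Added example, not part of the original post. Produces the two fwkern.conf lines for a
# chosen pair of MAC magic values and reads them back so the file can be compared with
# the output of `fw ctl get int fwha_mac_magic` / `fw ctl get int fwha_mac_forward_magic`.

# Print the fwkern.conf lines for decimal values $1 (fwha_mac_magic) and $2
# (fwha_mac_forward_magic) in the 0x.. form the file expects.
# Rejects values outside 1..255 and an identical pair (the two magics must differ).
fwkern_magic_lines() {
    m=$1; f=$2
    [ "$m" -ge 1 ] && [ "$m" -le 255 ] && [ "$f" -ge 1 ] && [ "$f" -le 255 ] || return 1
    [ "$m" -ne "$f" ] || return 1
    printf 'fwha_mac_magic=0x%02x\nfwha_mac_forward_magic=0x%02x\n' "$m" "$f"
}

# Print the decimal value of parameter $2 as set in the fwkern.conf-style file $1,
# so it can be compared directly with the decimal output of fw ctl get int.
# If the parameter appears more than once, the last occurrence is reported.
fwkern_magic_dec() {
    hex=$(sed -n "s/^$2=\(0x[0-9a-fA-F][0-9a-fA-F]*\)[[:space:]]*$/\1/p" "$1" | tail -n 1)
    [ -n "$hex" ] || return 1
    printf '%d\n' "$hex"
}

# Constructed sample file holding the values chosen in the post (251 and 250).
sample=${TMPDIR:-/tmp}/fwkern.conf.sample
fwkern_magic_lines 251 250 > "$sample"
fwkern_magic_dec "$sample" fwha_mac_magic           # prints 251
fwkern_magic_dec "$sample" fwha_mac_forward_magic   # prints 250
```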

Tuesday, August 23, 2011

R65.X to R7x Upgrade - How to Uninstall Connectra Plugin

Don't forget to uninstall the plugins.

Uninstall Connectra plugin

# /opt/CPPIconnectra*R65/bin/plugin_preuninstall_verifier
# /opt/CPPIconnectra*R65/bin/plugin_uninstall

Uninstall VoIP plugin

# /opt/CPPIvoip-R65/bin/plugin_preuninstall_verifier
# rpm -e CPVOIPCMP
# /opt/CPPIvoip-R65/bin/plugin_uninstall

R75 Console Crash Problem

We have seen SmartDashboard and Tracker crash randomly after upgrading to R75. There is an improved console build named Check_Point_SmartConsole_r75_Improved.exe; I suggest requesting this file from Check Point Support.

R75.20 Upgrade failed via Check_Point_Upgrade_for_R75.20.Splat.tgz

Interestingly, I have encountered this problem at two different customers, and in both cases the fix was to install the upgrade with the # patch add cd command from Check_Point_R75.20.Splat.iso.
As you already know, you can use SmartSplat to upload an ISO file to the firewall and mount it like a CD-ROM with a single click.

Thursday, July 7, 2011

How to manually backup SMC

This is a way to back up the related files on the SMC; it can also be used for CMA migration.

#!/bin/sh
# Stop on the first error: if a cd fails (for example because $FWDIR or $CPDIR
# is not set), the following cp would otherwise copy the wrong directory.
set -e
BK=/var/tmp/manualyedek
mkdir -p $BK/conf $BK/database $BK/conf.cpdir $BK/database.cpdir $BK/registry
cd $FWDIR/conf
cp -rfL * $BK/conf
cd $FWDIR/database
cp -rfL * $BK/database
cd $CPDIR/conf
cp -rfL * $BK/conf.cpdir
cd $CPDIR/database
cp -rfL * $BK/database.cpdir
cd $CPDIR/registry
cp -rfL * $BK/registry

# Pack the backup into a single archive
cd /var/tmp/
gtar -zcvf manualyedek.tgz manualyedek

The connection has been refused due to one of following SmartCenter Server certificate problems:

1. The SmartCenter Server’s clock is not setup properly.
2. The certificate’s issue date is later than the date of the SmartCenter Server’s clock.
3. The Gui Client’s clock and the SmartCenter Server’s clock are not synchronized.
4. The certificate has expired.
5. The certificate is invalid.

FAQ
Q: I have several firewall modules managed from this SMC. Can they drop traffic, or will SIC be reset after this operation?
A: No. This certificate is related to SmartConsole; you don't have to worry about those questions.
Q: Why did I get this warning? What caused it?
A: There may be several causes, but most of them are related to low disk space; check usage with # df -h

Solution on the SMC:

1. # cd $CPDIR/conf
2. # cp sic_cert.p12 sic_cert.p12old
3. # cpca_client revoke_cert -n "CN=cp_mgmt"
4. # cpca_client create_cert -n "CN=cp_mgmt" -f sic_cert.p12
5. # cpstop;cpstart

Sunday, June 26, 2011

How to reset lost password at IBM ISS MX Firewalls

Use PuTTY; HyperTerminal won't work with this procedure.

* Open a console terminal session with the M/MX appliance.
* Reboot the appliance.
* Press [Delete] to enter setup.
* When the GRUB menu appears, press 'e'
* Select the kernel that you wish to boot and type 'e' for edit.
* Select the line that starts with 'kernel' and type 'e' to edit the line.
* Go to the end of the line and type 'single' as a separate word (press the [Spacebar] and then type single).
* Press [Enter] to exit edit mode.
* Back at the GRUB screen, type 'b' to boot into single user mode.
* You should get a fairly normal looking boot sequence except that it terminates a little early at a bash prompt.

NOTE: If you get a "Give root password for system maintenance" message, your system has been secured to require the root password for any level of access. In that case, this procedure isn't going to work and you would need to reimage the system to regain access.

Once you get to the command prompt, the / file system may not be mounted writable. To ensure that it is writable, enter the following command:
mount -o remount,rw /

* If all is successful up to this point, you can type the following and change the root password to whatever you like:
passwd

* You can also change the command line admin password here using the following command:
passwd admin

* You can change the web interface admin password here using the following command:
htpasswd -m /var/www/auth/htpasswd admin

* Once the passwords have been changed, reboot the appliance with the command:
shutdown -r now

* After the system has finished rebooting, you should be able to log in with the newly changed password.

Checkpoint L2TP Android Configuration

The only setup difference between iPhone and Android is the L2TP preshared key, which is left empty on the Android side.

* Go to Settings -> Wireless & Networks -> VPN Settings

 - VPN name: “set a VPN name”
 - VPN server: “set firewall IP”
 - IPSec preshared key: “set L2TP key”
 - L2TP preshared key: “disable”

You will be able to connect from Android.