| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| Hi, I am running CP R55 in a distributed environment... I recently modified my GUI clients on the management server via 'ssh'ing to the box and rebooted the server. Since then I have not been able to connect to the box via SmartDashboard, and it gives the error message saying "make sure server is up and running and you are defined as a GUI client". ssh to the box also fails now. However, I verified that the modified GUI clients exist by logging on via console. Any ideas as to what needs to be done now? An urgent reply will be appreciated. U |
| |||
| If ssh is failing, then it's more likely a firewall policy issue than an issue with GUI clients. There is no connection between ssh and GUI clients. When you connect with SmartDashboard, are you getting an immediate reject (GUI clients problem, or fwm not running) or a longer timeout (firewall problem)? What debugging have you done on the management server? cpstat mg, or anything like that? Logs? Firewall logs? tcpdump? Any of the basics? |
| |||
| Hi, Thanks for getting back on this... It was the firewall loading the local policy at boot time, which is a reject by default. I had to do a cpstart and then an unloadlocal and all seems to be OK now. I have disabled this option now via cpconfig... >>When you connect with SmartDashboard, are you getting an immediate reject (GUI clients problem, or fwm not running) or a >>longer timeout (firewall problem). Interesting to know... Something new for me. Much appreciated, Usman |
| |||
| It's pretty standard with Check Point when your default is drop, not reject. So if users say they are getting an immediate reject, then you know it's not a firewall problem. If they say it is timing out, then it's either a firewall or routing issue. Sounds like you've got some misconfiguration going on - did you configure your management server as both management and enforcement, but it should only be management? |
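
The immediate-reject versus timeout distinction from the replies above, as an added example that is not part of the original thread: one TCP connect attempt is timed and classified. The names `classify_connect`, `HINTS` and `demo` are hypothetical, and the host `mgmt.example.net` and port 18190 (CPMI, commonly used by SmartDashboard) in the last comment are assumptions that do not appear in the thread.

```python
import socket
import time

# Reading of each outcome, following the thread's rule of thumb.
HINTS = {
    "open": "answered quickly: packets reach the server; check fwm and the GUI clients list",
    "refused": "immediate reject: packets reach the server; check fwm and the GUI clients list",
    "timeout": "silent drop: suspect firewall policy (e.g. default policy at boot) or routing",
    "error": "local or network error before any answer; check routing and name resolution",
}

def classify_connect(host, port, timeout=5.0):
    """Try one TCP connect; return (verdict, seconds elapsed)."""
    start = time.monotonic()
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        verdict = "open"
    except ConnectionRefusedError:   # a TCP reset came back
        verdict = "refused"
    except socket.timeout:           # nothing came back before the deadline
        verdict = "timeout"
    except OSError:                  # e.g. no route to host, name not resolved
        verdict = "error"
    finally:
        sock.close()
    return verdict, time.monotonic() - start

def demo():
    """Constructed local check: one listening port, then the same port closed."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # ephemeral port on loopback
    listener.listen(1)
    port = listener.getsockname()[1]
    open_verdict, _ = classify_connect("127.0.0.1", port, timeout=2.0)
    listener.close()
    closed_verdict, _ = classify_connect("127.0.0.1", port, timeout=2.0)
    return open_verdict, closed_verdict

if __name__ == "__main__":
    for verdict in demo():
        print(verdict, "->", HINTS[verdict])
    # Real use (assumed host and port): classify_connect("mgmt.example.net", 18190)
```
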
| |||
| With R55W, doing an initial install, if you select "Smartcenter server" as a CP product, it automatically selects VPN-1/enforcement. You have no choice but to load the FW module in addition to the Smartcenter Server. I know this isn't the case in R60. I don't know how R55 behaves. Just a little FYI. |
| |||
| Whereabouts do you disable this? I have the same issue in that every time my SmartCenter server is restarted I have to manually go in and do a fw unloadlocal. |
| |||
| fw unloadlocal to temporarily disable (till next push or reboot or cprestart), or control_bootsec -r to remove the default policy from loading at all. To disable firewall module from management module: cpprod_util FwIsFireWallModule, if output is 1 do: cpprod_util FwSetFireWallModule 0 Last edited by abusharif; 2006-10-19 at 06:41. |