Troubleshooting

Support of CloudGuard Network for Azure vWAN:

To open a support ticket, follow this procedure:

  1. Contact Check Point support to open a ticket in the Check Point support system.

  2. Contact Microsoft Azure Support to open a ticket in the Microsoft support system and specify the ticket number in Check Point.

  3. Add Microsoft's ticket number to the support ticket with Check Point.

Note - Microsoft manages the resources and the hardware of the NVAClosed Network Virtual Appliance - A resource deployed in Azure's Virtual Hub that includes Security Gateways and other networking infrastructure., and some support actions can be done only by Microsoft support.

  • Deployment issues

    A failure or an issue in the NVA deployment can have several causes.

    For assistance, follow the general support process.

  • Traffic do not pass the NVA

    Traffic passes between the spokes but does not go through the NVA.

    A possible cause is that the spokes are peered to the Virtual WAN, but the routing intent is not configured.

    Configure routing intent as described in: Step 6: Configure NVA Security Gateways on the Security Management Server or Quantum Smart-1 Cloud.

  • BGP is not in the "Established" state

    BGP not in the "Established" state could cause routes not to be transmitted. To see the state of the BGP peers from the Clish terminal in the machine, run the command: show bgp peers

    Possible causes are:

    • Anti-spoofing enabled on the VPN interfaces causes BGP not to enter the "Established" state.

      In that case, Disable anti-spoofing on the VPN interfaces.

    • Connectivity or configuration errors could cause the BGP not to enter the "Established" state.

      The possible cause can appear in the log file.

      To enable BGP logs run the command:

      set trace bgp all on

      The logs show in the log file: /var/log/routed.log.

  • BGP routes are not transmitted or received

    Routemaps that are not configured correctly can cause routes not to transmit or received.

    Run this command to view and verify the routemaps configurations:

    show configuration routemaps

    You can see basic routemap in the BGP configuration for on-premises server section.

    For example, if direct routes are not advertised, use this command to customize the route map:

    set routemap ex_azure id 10 match protocol direct