Troubleshooting

This section is for common issues and solutions. If you cannot resolve the issue with these troubleshooting solutions, contact Check Point Support. Make sure to open the ticket for Cloud Management / Smart-1 Cloud.

Include these items in your support request:

  • The service identifier (from the overview page)

  • Log files:

    • If the issue is in the connectivity between the Security Gateway and service, upload these log files from the Security Gateway:

      • $FWDIR/log/vtunnel

      • $FWDIR/log/wstunnel

    • If the issue is with SmartConsole, upload these log files:

      • SmartConsole logs

Table: Troubleshooting
Symptom Solution

Cannot open a tunnel from the Security Gateway to the service.

Error: maas: command not found.

  • Make sure the Security Gateway can contact:

    updates.checkpoint.com

  • Make sure the gateway can contact:

    https://<Service-Identifier>.maas.checkpoint.com

Security Gateway is unable to connect to the service.

Enable the Download consent flag for this Security Gateway.

For instructions:

  • For R81.20 and higher, refer to: sk175504.

  • For R81.10 and lower, refer to: sk111080.

Upgrade of the Security Gateway is stuck, or the Security Gateway is unable to connect to the service after an upgrade.

Follow sk166036.

No SIC with the Security Gateway.

  • Do these steps to connect the Security Gateway:

    Navigate to the Check Point Infinity Portal > Smart-1 Cloud > select Connect Gateway.

  • Make sure the MaaS tunnel is up and running:

    • Run one of these commands:

      • maas status

      • show security-gateway cloud-mgmt-service

    • Run the ifconfig command and make sure you have an interface "maas_tunnel" configured with the same IP address as the Security Gateway object.

  • Make sure the Security Gateway clock is correct and synced.

Tunnel works, but there is no communication between the Security Gateway and the service.

  • Make sure the MaaS tunnel is up and running:

    • Run one of these commands:

      • maas status

      • show security-gateway cloud-mgmt-service

    • Run the ifconfig command and make sure that you have an interface "maas_tunnel" configured with the same IP address as the Security Gateway object.

  • Make sure the Security Gateway can contact:

    https://<Service-Identifier>.maas.checkpoint.com

After I installed policy, I lost management communication with the Security Gateway.

  • You must allow outbound HTTPS traffic to the FQDNs listed below to allow communication between the Security Gateway and the service:

    • To your domain at Smart-1 Cloud:

      <Service-Identifier>.maas.checkpoint.com

    • For Smart-1 Cloud deployments in Europe:

      cloudinfra-gw.portal.checkpoint.com

    • For Smart-1 Cloud deployments in the United States:

      cloudinfra-gw-us.portal.checkpoint.com

    • For Smart-1 Cloud deployments in APAC:

      https://cloudinfra-gw.ap.portal.checkpoint.com

  • If this is not possible, then reset the SIC, or contact Check Point Support.

The "maas on" or "set security-gateway cloud-mgmt-service on auth-token XXXX" command shows this error message:

check for Internet connectivity.

Examine connectivity to:

<Service-Identifier>.maas.checkpoint.com

The "maas on" or "set security-gateway cloud-mgmt-service on auth-token XXXX" command shows this error:

error 132

Make sure that the Security Gateway time is correct and synced with NTP.

The "maas status" or "show security-gateway cloud-mgmt-service" command returned:

MaaS Status: Enabled

MaaS Tunnel State: Down

Unable to connect to MaaS at https://<Service-Identifier>.maas.checkpoint.com

  1. Make sure your policy enables outgoing HTTPS (TCP 443) to your domain at MaaS:

    <Tenant-ID>.maas.checkpoint.com

  2. If the Security Gateway connects to Smart-1 Cloud through a Proxy Server, make sure the Security Gateway can connect to this Proxy Server.

  3. If the Security Gateway connects to Smart-1 Cloud through a Proxy Server, make sure your policy allows the HTTPS traffic to your Proxy Server.

  4. Make sure the Security Gateway can connect to Smart-1 Cloud using FQDN, and there is no HTTPS inspection:

    1. Connect to the command line on the Security Gateway and log in to the Expert mode.

    2. Get the Smart-1 Cloud FQDN and CloudInfra URL:

      CloudInfraURL=`jq -r ".data.cloudInfaUrl" $FWDIR/conf/cloudinfra.conf`

      FQDNURL=`jq -r ".data.fqdn" $FWDIR/conf/cloudinfra.conf`

    3. Try to connect to Smart-1 Cloud using FQDN:

      curl_cli $CloudInfraURL -k -vvv

      curl_cli https://$FQDNURL -k -vvv

  5. Compare the certificate the Security Gateway gets in the curl_cli command output to the certificate you see when you do not use the proxy.
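The comparison in steps 4 and 5, as an added example that is not part of the original Check Point documentation: it extracts the certificate subject, issuer and validity dates from two saved verbose curl logs and reports whether the Security Gateway sees the same certificate as a path without the proxy. The function names, log file names and sample log contents are constructed for illustration, and the script assumes curl_cli prints OpenSSL-style "*  issuer: ..." lines.

```bash
#!/bin/bash
# Added example (not Check Point code). Compares the server certificate in two
# saved verbose curl logs: one taken on the Security Gateway, one taken on a
# path without the proxy. Assumes OpenSSL-style "*  issuer: ..." lines.

# Print subject/issuer/validity lines from a verbose curl log as key=value.
cert_fields() {
    sed -n -E 's/^\*[[:space:]]+(subject|issuer|start date|expire date):[[:space:]]*(.*)$/\1=\2/p' "$1" |
        tr -d '\r'
}

# 0 = same certificate, 1 = different (TLS is being re-signed on the path),
# 2 = a log has no certificate lines (TLS handshake never completed).
same_certificate() {
    sc_gw=$(cert_fields "$1")
    sc_ref=$(cert_fields "$2")
    if [ -z "$sc_gw" ] || [ -z "$sc_ref" ]; then return 2; fi
    [ "$sc_gw" = "$sc_ref" ]
}

# --- Constructed sample logs (hostname and CA names are made up) ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/direct.log" <<'EOF'
* Server certificate:
*  subject: CN=service-id.maas.example.test
*  start date: Jan  1 00:00:00 2024 GMT
*  expire date: Jan  1 00:00:00 2025 GMT
*  issuer: C=US; O=Example Public CA; CN=Example Public CA G1
EOF
# Same site seen through a proxy that re-signs TLS: issuer and start date change.
sed -e 's/issuer: .*/issuer: O=Example Corp; CN=Example Corp Inspection CA/' \
    -e 's/2024 GMT/2023 GMT/' "$SAMPLE_DIR/direct.log" > "$SAMPLE_DIR/gateway.log"
# A log where the connection failed before any certificate was received.
echo '* connect to 192.0.2.10 port 443 failed: Connection timed out' > "$SAMPLE_DIR/failed.log"

rc=0
same_certificate "$SAMPLE_DIR/gateway.log" "$SAMPLE_DIR/direct.log" || rc=$?
case $rc in
    0) echo "Certificates match: no HTTPS inspection on this path." ;;
    1) echo "Certificates differ. Gateway sees:"
       cert_fields "$SAMPLE_DIR/gateway.log"
       echo "Direct path sees:"
       cert_fields "$SAMPLE_DIR/direct.log" ;;
    *) echo "No certificate in one of the logs; fix connectivity first." ;;
esac
```

To use it with real data, save the verbose output of each curl_cli run to a file (standard curl writes verbose output to stderr, so redirect with 2>) and pass the two files to same_certificate.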

Gateway Gaia Portal not accessible.

See How to Configure Access to Security Gateway Gaia Portal.

"Failure in deserializing object of type" error in SmartConsole when trying to connect to Security Management Server with Portable SmartConsole.

See sk123152.

Cannot change the SmartConsole admin password from the Infinity Portal.

Go to SmartConsole > Manage & Settings and make sure that the administrator password is not configured as an OS password.

If it is, change it to Check Point password.

Error message in SmartConsole log in, "Could not verify shared secret".

Make sure that you have the latest SmartConsole version.

Download SmartConsole from the Smart-1 Cloud portal (topic SmartConsole).

When you add a Cluster Member, the "failed to save object validation error on maas_tunnel network object" message appears.

Fetch cluster topology again, see sk171157.

Upgrade of Security Gateways with SmartConsole fails, times out or appears stuck at approximately 62%.

See sk166036.

Cannot see Security Gateway logs in SmartConsole, or the Security Gateway does not send logs to Smart-1 Cloud.

  • Make sure the consent flag to upload data to Check Point is enabled on the Security Gateway (see sk111080).

  • Install Database:

    1. Open SmartConsole.

    2. Click the Menu > Install Database.

    3. Select the Management Server object.

    4. Click Install.

"Loss connectivity to client" error with the "Try again" option.

  1. On the Security Gateway appliance, make sure the network settings are correct.

  2. In the Smart-1 Cloud portal, click Try again.

"Loss connectivity to client" error without the "Try again" option.

  1. On the Security Gateway appliance, run the "fcd revert" command and wait for the appliance to reboot.

  2. Connect to the Gaia Portal of the Security Gateway appliance.

  3. Follow through the Gaia First Time Configuration wizard.

  4. In the Smart-1 Cloud portal, add the appliance manually.

"Authentication failed" error with the "Try again" option.

  1. On the Security Gateway appliance, make sure the network settings are correct.

  2. In the Smart-1 Cloud portal, click Try again.

"Authentication failed" error without the "Try again" option.

  1. Connect to the Gaia Portal of the Security Gateway appliance.

  2. Follow through the Gaia First Time Configuration wizard.

  3. In the Smart-1 Cloud portal, add the appliance manually.

"Tunnel Down" error.

  1. On the Security Gateway appliance, make sure you have connectivity to the Smart-1 Cloud service.

  2. See sk83520 - How to verify that Security Gateway and/or Security Management Server can access Check Point servers?

  3. In the Smart-1 Cloud portal, click the button with the three vertical dots to open the menu.

  4. Click Regenerate Token.

  5. Follow the instructions on the screen.

"Trust (SIC) establishment failed" error.

  1. On the Security Gateway appliance, make sure it can connect to the Smart-1 Cloud service.

    See sk83520 - How to verify that Security Gateway and/or Security Management Server can access Check Point servers?

  2. On the Security Gateway appliance, run one of these commands to make sure the tunnel is up:

    • In the Expert mode:

      maas status

    • In Gaia Clish:

      show security-gateway cloud-mgmt-service

  3. Reset SIC on the Security Gateway appliance and the Security Management Server. Follow sk65764 - How to Reset SIC.

"Fetch interfaces failed" warning.

  1. In SmartConsole, open the Security Gateway object.

  2. From the left, click Network Management.

  3. Click Get Interfaces > Get Interfaces With Topology > click Accept.

  4. Click OK.

  5. Publish the session.

"Installation failed (install policy)" error.

  1. Open SmartConsole.

  2. In the bottom left corner, click the details of the failed policy installation.

  3. Read the details about the root cause, fix the issues, and try again.

Note - The card you see on the screen shows the initial policy. During the next policy installation (successful or failed), the card is not updated with the real status.

  1. New Quantum appliance is not discovered automatically on the Connected Gateways page.

  2. Attempt to onboard a new Quantum appliance encounters a connectivity issue that results in a "No internet connection" page.

  1. Make sure the Service and Contract page shows the correct contract.

  2. Make sure the appliance is powered on and connected to the Internet with the blinking interface (this interface is configured to get an IP address from a DHCP server).

  3. Make sure the appliance received the required IP address configuration from the DHCP server:

    1. Connect to the command line on the appliance.

    2. Log in.

    3. If your default shell is the Expert mode, then go to Gaia Clish:

      clish

    4. Make sure the appliance received the correct IP address:

      show interface <Name of Blinking Interface> all

    5. Make sure the appliance received the correct Default Gateway:

      show route

  4. Make sure your network allows the connection from this appliance to the zerotouch.checkpoint.com server.