Troubleshooting SD-WAN in Check Point Portal

Symptom:

  1. In the WAN Link Mapping window, the yellow triangle icon appears near an SD-WAN Security Gateway.

  2. When you hover the mouse cursor over this icon, the information popup appears:

    This Gateway has no SD-WAN interfaces defined. Please complete the missing configuration using GAIA Portal.

Example:

Solution:

  1. In Check Point Portal:

    1. In the SD-WAN application, go to the Network view > Agents page.

    2. At the top, click the List View button.

    3. The top section must show the SD-WAN Security Gateway object.

    4. Click the SD-WAN Security Gateway object.

    5. The bottom section must show:

      1. Status: Connected

      2. Policy version: <Integer Value>

  2. In SmartConsole:

    1. From the left navigation panel, click Gateways & Servers.

    2. Open the Security Gateway object.

    3. In the left pane, click Network Management.

    4. Examine the configuration of interfaces:

      • The names of interface (you can click Get Interfaces > Get Interface with Topology (do not click Accept) to see the actual interface names.

      • The topology of the SD-WAN interfaces must be External (otherwise, they do not appear in the WAN Link Mapping window).

  3. On the Security Gateway, examine the interface configuration in one of these ways:

    • On the Security Gateway:

      • In Gaia Portal:

        Network Interfaces page > SD-WAN Interfaces section

      • In Gaia Clish:

        show interface <Name of Interface> sdwan

        or

        show configuration sdwan

      • In the Expert mode:

        sdwan_conf show

    • On the Spark Firewall Appliance:

      Make sure you configured Internet connections in one of these ways:

      • In WebUI:

        Device view > Network section > Internet

      • In Gaia Clish:

        show internet-connections

      • In the Expert mode:

        sdwan_conf show

  4. On the Security Gateway, examine the Nano-Agent status:

    1. Log in to the Expert mode.

    2. Run:

      cpnano -s

      All statuses must be Succeeded or Running.

  5. On the Security Gateway, make sure the Access Control Policy is installed:

    cpstat -f policy fw

Symptom:

In Check Point Portal > SD-WAN application > the Network view > SD-WAN Policy page > WAN Link Mapping window still shows an SD-WAN Security Gateway object, although an administrator deleted its object in SmartConsole.

Solution:

  1. In Check Point Portal > SD-WAN application, delete the SD-WAN Security Gateway object from all profiles of type "SD-WAN Profile":

    1. Go to the Network view > Profiles page.

    2. Click a profile of type "SD-WAN Profile".

    3. Click the General tab.

    4. In the SD-WAN Gateways section, click the SD-WAN Security Gateway object.

    5. From the top toolbar, click Delete (the "x" icon).

  2. In Check Point Portal > SD-WAN application, delete the SD-WAN Security Gateway object from the Agents page:

    1. Go to the Network view > Agents page.

    2. Delete the SD-WAN Security Gateway object:

      • In the Grid View:

        In the SD-WAN Security Gateway object, in the top right corner, click the 3-dots and click Delete.

      • In the List View:

        Click the SD-WAN Security Gateway object > from the top toolbar, click Delete (the "garbage can" icon).

  3. At the top, click Publish.

Symptom:

Some network objects are missing in Check Point Portal > SD-WAN application > Network view > SD-WAN Policy page > in the picker of the Source and / or Destination fields or rules.

Solution:

Make sure the required object appears in SD-WAN application > Network view > Assets page.

  • The object appears on the Assets page:

    Contact Check Point Support.

  • The object does not appear on the Assets page:

    1. In SmartConsole, make sure this object exists.

    2. In SmartConsole, make sure you published the session that created this object.

    3. In SmartConsole, make sure the Management Server is connected correctly to Check Point Portal:

      1. From the left navigation panel, click Infinity Services.

      2. At the top of this page, the Check Point Portal Account must appear with the status Active.

      3. At the bottom of this page, Configuration Sharing must show:

        1. It is enabled (to verify, click the Edit button).

        2. Its status is Active (green).

        3. The last sync time is after the last publish.

      4. If Configuration Sharing shows the status "Error", or if the last sync is not up to date, then follow sk181504.

        • If sk181504 did not resolve the issue, or if your Management Server is Smart-1 Cloud, then contact Check Point Support.

        • If Configuration Sharing shows the status "Active", and the last sync time is after the last publish, but the issue persists, then contact Check Point Support.