
Troubleshooting GUI Access Issues

©2015 Check Point Software Technologies Ltd. [Restricted] ONLY for designated groups and individuals 1
Introduction

Agenda

1. Login process flow
2. GUI login issues
3. Troubleshooting scenarios

Login process flow

Step 1: The GUI client opens a CPMI connection over port 18190 to the MGMT server.

Step 2: The fwm process on the MGMT server, which listens on port 18190, receives the request and checks whether the GUI client is listed in the $FWDIR/conf/gui-clients file. Only if it is listed in that file does the connection process continue.

Step 3: The fwm process checks the MGMT server certificate (cp_mgmt). It verifies that the certificate is valid and that it matches the certificate details located in the registry and in the objects_5_0.C file. If this step finishes successfully, SIC between the MGMT server and the GUI is established.

If the MGMT server certificate DN (CN + O) is not identical to the information that appears in objects_5_0.C and in the registry files, the connection will fail during the SIC negotiation.

In order to identify the DN of your MGMT server certificate, you can run the following command:
# cpca_client lscert -dn "cn=cp_mgmt"

Step 4: Once the SIC negotiation has completed, the MGMT server will authenticate the administrator.

Step 5: After the administrator has been authenticated successfully, the fwm process loads the different database files.

GUI Connectivity issues

• Connection to the management server via the GUI can fail for various reasons; we will try to cover most of them.

• The first thing that we must check when we have login issues is the error message we receive.

• We will divide the issues according to 3 main error messages:
  – Connection cannot be initiated
  – The connection has been refused
  – Authentication to server failed

• Note: In case you can't find a solution on the spot, it's always recommended to replicate the issue in the lab if possible; in most cases this will decrease resolution time dramatically.

Troubleshooting steps

The ERROR message: [screenshot]

Troubleshooting steps

Decision tree:

Connectivity
  -> FWM running:     check certificate -> debugs
  -> FWM not running: crashing or not starting?
       -> crashing
       -> not starting

Connectivity

• Make sure the GUI client can communicate with the MGMT server machine, and that it's defined as a GUI client.

• In case there is a FW installed on the MGMT server (standalone), it's possible that the FW drops the CPMI traffic.
  – For troubleshooting purposes run: # fw unloadlocal on the FW and check if it solves the issue.
  Note: this command unloads the security policy from the gateway, so make sure that the customer is aware of its effect and that you are doing it during a maintenance window.

• If the issue was solved, connect to the MGMT server via the GUI and configure a rule which allows the GUI client to connect to the MGMT server on port 18190 (CPMI).

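The gui-clients check from step 2 of the login flow and the "defined as a GUI client" check above, as an added example that is not code from the deck or from Check Point: it reads a gui-clients file and reports whether a given client address is covered. The entry forms it accepts (single IP, Any or *, first-last range, network/netmask) are assumptions about the file format, and the sample file it writes is constructed.

```shell
#!/bin/sh
# Added example, not from the Check Point deck: is CLIENT_IP covered by a
# $FWDIR/conf/gui-clients file (the list fwm consults in step 2)? Assumed entry
# forms, one per line: a single IPv4 address, "Any" or "*", a "first-last"
# range, or "network/netmask". Hostnames and "#" comment lines are skipped.

# Accept only four dot-separated decimal groups (octet range is not checked).
is_ipv4() {
    case "$1" in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    [ $(printf '%s' "$1" | tr -cd '.' | wc -c) -eq 3 ]
}

# Dotted quad -> integer, so ranges and masks can be compared arithmetically.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# gui_client_allowed FILE CLIENT_IP -> exit 0 if an entry covers CLIENT_IP,
# 1 if none does, 2 if CLIENT_IP is not a valid IPv4 address.
gui_client_allowed() {
    is_ipv4 "$2" || return 2
    cip=$(ip2int "$2")
    while IFS= read -r entry || [ -n "$entry" ]; do
        entry=$(printf '%s' "$entry" | tr -d ' \t\r')   # tolerate stray blanks / CRLF
        case "$entry" in
            ''|'#'*) continue ;;
            '*'|[Aa]ny) return 0 ;;                      # wildcard: every client allowed
            *-*) lo=${entry%-*}; hi=${entry#*-}
                 if is_ipv4 "$lo" && is_ipv4 "$hi" && [ "$cip" -ge "$(ip2int "$lo")" ] &&
                    [ "$cip" -le "$(ip2int "$hi")" ]; then return 0; fi ;;
            */*) net=${entry%/*}; mask=${entry#*/}
                 if is_ipv4 "$net" && is_ipv4 "$mask"; then
                     m=$(ip2int "$mask")
                     [ $(( cip & m )) -eq $(( $(ip2int "$net") & m )) ] && return 0
                 fi ;;
            *)   if is_ipv4 "$entry" && [ "$(ip2int "$entry")" -eq "$cip" ]; then return 0; fi ;;
        esac
    done < "$1"
    return 1
}

# Write a constructed sample gui-clients file to $1 (the last entry is a hostname, ignored).
make_gui_clients() {
    printf '# constructed sample\n10.1.1.5\n192.168.10.1-192.168.10.20\n172.16.0.0/255.255.0.0\nadmin-pc\n' > "$1"
}
```

Run it against the real file on the MGMT server as `gui_client_allowed $FWDIR/conf/gui-clients <client-ip>` and check the exit code.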


FWM

• As mentioned previously, the fwm process is responsible for all communication between the management server and the GUI.

• The first thing that we must check, after we have verified that there is no connectivity issue, is whether the fwm process is running or not.
  – On the MGMT server run:
    # ps aux | grep fwm
    and check if the fwm process is running. You can also use the command:
    # cpwd_admin list

• Note: both commands are collected by the cpinfo file, so if you have a cpinfo file from the customer machine which was taken during the problem you can check it there.

Certificate

• The CPMI connection works over SIC. As mentioned previously in the 'Login process flow', one of the first things done during the authentication process is verifying that the MGMT server has a valid certificate (step 3).

• Therefore, the time frame in which the ERROR message appears (while attempting to connect with the GUI) gives a good indication of whether the problem is related to that process. If the certificate verification fails, the ERROR message should pop up very quickly, within 1-2 seconds.

• If that is the case, check the following:
  – Run: # cpca_client lscert -dn 'cn=cp_mgmt'
  – Verify that the certificate is valid
  – Make sure that the certificate DN is identical to the DN presented in objects_5_0.C and in the registry file.
    Note: If they are not identical then follow the steps mentioned in sk33779.
  – Verify that the correct time & date are configured on the GUI client and on the MGMT server

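The DN comparison from step 3 and from the checklist above, as an added example that is not from the deck or from Check Point: it reduces each DN to its CN and O parts and compares the lscert subject with the SIC name recorded in objects_5_0.C and in the registry. The "Subject = " output line, the :sic_name and :MySICname attribute names and all sample data are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the Check Point deck: compare the CN and O parts of the
# management certificate DN (from "cpca_client lscert -dn 'cn=cp_mgmt'") with the
# SIC name stored in objects_5_0.C and in the registry. Assumed formats: lscert
# prints "Subject = <DN>"; objects_5_0.C holds :sic_name ("<DN>"); the registry
# holds :MySICname ("<DN>"). The sample files written below are constructed.

# Reduce a DN to its CN= and O= parts: trimmed, uppercased, sorted, ';'-joined.
dn_cn_o() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' |
        tr 'a-z' 'A-Z' | grep -E '^(CN|O)=' | sort | tr '\n' ';'
}

# Exit 0 when two DNs agree on CN and O (case, spacing and other RDNs are ignored).
same_dn() { [ -n "$(dn_cn_o "$1")" ] && [ "$(dn_cn_o "$1")" = "$(dn_cn_o "$2")" ]; }

# check_mgmt_dn LSCERT_OUTPUT OBJECTS_5_0.C REGISTRY_FILE: print a verdict per
# file; exit 0 only if both stored names match the certificate subject.
check_mgmt_dn() {
    cert_dn=$(sed -n 's/^Subject[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
    obj_dn=$(grep -o ':sic_name ("[^"]*")' "$2" | grep -i 'CN=cp_mgmt' | head -n 1 |
        sed 's/.*("\(.*\)")/\1/')
    reg_dn=$(grep -o ':MySICname ("[^"]*")' "$3" | head -n 1 | sed 's/.*("\(.*\)")/\1/')
    rc=0
    for pair in "objects_5_0.C=$obj_dn" "registry=$reg_dn"; do
        name=${pair%%=*}; dn=${pair#*=}
        if same_dn "$cert_dn" "$dn"; then
            echo "$name: OK"
        else
            echo "$name: MISMATCH, certificate '$cert_dn' vs stored '$dn' (see sk33779)"
            rc=1
        fi
    done
    return $rc
}

# Write constructed samples into directory $1; the registry copy carries a stale O= part.
make_dn_samples() {
    printf 'Operation succeeded. rc=0.\n1 certs found.\n\nSubject = CN=cp_mgmt,O=mgmt-srv..7f2a1c\nStatus = Valid   Kind = SIC\n' > "$1/lscert.txt"
    printf '(\n\t: (mgmt-srv\n\t\t:sic_name ("CN=cp_mgmt,O=mgmt-srv..7f2a1c")\n\t)\n\t: (gw1\n\t\t:sic_name ("CN=gw1,O=mgmt-srv..7f2a1c")\n\t)\n)\n' > "$1/objects_5_0.C"
    printf '(\n\t:SIC (\n\t\t:MySICname ("CN=cp_mgmt,O=mgmt-srv..0ld000")\n\t)\n)\n' > "$1/HKLM_registry.data"
}
```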


FWM debug

• In case there are no problems with the certificate, perform the following and check if it solves the issue:
  1) Run: # cpstop
  2) Remove the following files from the management server to allow the system to rebuild new ones:
     – $FWDIR/conf/CPMIL*
     – $FWDIR/conf/applications*
  3) Run: # cpstart and check if the issue is solved.

  Note: The above are dynamic files which contain cached GUI information. Sometimes these files become corrupted, and deleting them should cause the system to re-create them.

• If the issue persists, collect the following information for further investigation:
  – upgrade_export file (in order to try and reproduce the issue in our lab).
  – Search for relevant messages in $FWDIR/log/fwm.elg
  – Collect fwm debug (in case you did not find enough information in the fwm.elg file):

FWM debug

The fwm debugging procedure:

• Start the fwm debug by typing the command:
  # fw debug fwm on TDERROR_ALL_ALL=5
• Replicate the problem
• Stop the fwm debug by typing the command:
  # fw debug fwm off TDERROR_ALL_ALL=0
• Collect the log file:
  $FWDIR/log/fwm.elg

FWM down?!

It is important to distinguish between two different scenarios:

1. fwm starts successfully but crashes again at some point
2. fwm fails to start

** We will discuss the proper handling further on.

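An added example (not code from the deck or from Check Point) for the FWM check above and the crashing / not starting distinction: it classifies the fwm state from saved "ps aux" and "cpwd_admin list" output, such as the copies inside a cpinfo file, so the matching branch of the decision tree can be picked. The cpwd_admin column layout, the meaning of STAT E/T and the rule that a terminated fwm with more than one start ran at least once before dying are assumptions of this example; the captures it writes are constructed.

```shell
#!/bin/sh
# Added example, not from the Check Point deck: pick the branch of the decision
# tree (running / crashing / not starting) from saved "ps aux" and "cpwd_admin list"
# output, e.g. the copies inside a cpinfo file. Assumptions of this example: the
# cpwd_admin columns are APP PID STAT #START ..., STAT "E" means executing and "T"
# terminated, and a terminated fwm with #START > 1 ran at least once before dying.
# The captures written by make_fwm_samples are constructed.

# Number of fwm processes in a ps capture, matched on the COMMAND column (field 11)
# so that a "grep fwm" line is not counted. Live equivalent: ps aux | grep '[f]wm'
fwm_in_ps() {
    awk '$11 == "fwm" { n++ } END { print n + 0 }' "$1"
}

# The fwm row of a cpwd_admin capture as "STAT #START", or nothing if absent.
fwm_cpwd_row() {
    awk '$1 == "FWM" { print $3, $4; exit }' "$1"
}

# fwm_state PS_FILE CPWD_FILE -> running | crashing | not-starting | absent
fwm_state() {
    row=$(fwm_cpwd_row "$2")
    [ -n "$row" ] || { echo absent; return 0; }
    stat=${row%% *}; starts=${row#* }
    if [ "$stat" = "E" ] && [ "$(fwm_in_ps "$1")" -gt 0 ]; then
        echo running          # next in the tree: check the certificate, then debugs
    elif [ "$starts" -gt 1 ]; then
        echo crashing         # started before and died: collect core files
    else
        echo not-starting     # never came up: suspect the database files
    fi
}

# Write constructed captures into directory $1.
make_fwm_samples() {
    h='USER PID %%CPU %%MEM VSZ RSS TTY STAT START TIME COMMAND\n'
    printf "$h"'admin 4412 0.3 2.1 31200 8800 ? Ssl 10:07 0:02 fwm\nadmin 5120 0.0 0.1 2200 600 pts/0 S+ 10:30 0:00 grep fwm\n' > "$1/ps_running.txt"
    printf "$h"'admin 5120 0.0 0.1 2200 600 pts/0 S+ 10:30 0:00 grep fwm\n' > "$1/ps_down.txt"
    c='APP PID STAT #START START_TIME MON COMMAND\nFWD 4398 E 1 [10:07:45] 12/5/2015 N fwd\n'
    printf "$c"'FWM 4412 E 1 [10:07:47] 12/5/2015 N fwm\n' > "$1/cpwd_running.txt"
    printf "$c"'FWM 4412 T 3 [10:07:47] 12/5/2015 N fwm\n' > "$1/cpwd_crashing.txt"
    printf "$c"'FWM 0 T 0 [10:07:47] 12/5/2015 N fwm\n' > "$1/cpwd_notstart.txt"
}
```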


FWM crashes

• Enabling core file creation in SPLAT:
  1. Enable core file creation by running the following commands on the management server:
     # um_core enable
     # ulimit unlimited
     # reboot
  2. After the fwm process crashes an fwm core file should be generated. A core file name should look like <proc_name>.<core_serial_number>.core and should be created under /var/log/dump/usermode.
  3. Provide us with the fwm core files, and then disable core file creation:
     # um_core disable

• Enabling core file creation in Windows:
  1. Installation: install Dr Watson as your default application debugger (on the SmartConsole machine): Start -> Run -> type: drwtsn32 -i (the default location of Dr Watson is %SystemRoot%\system32\drwtsn32.exe).
  2. Configuration: check/change the following:
     – log file path (where to put the log file Drwtsn32.log)
     – crash dump (where to place the dump file user.dmp)
     – crash dump type (full)
     – options (check ALL the boxes, leave out Visual Notification and Sound Notification)
  3. When the process crashes a dump file is created at the crash dump path you specified in step 2.

FWM Not starting

In most cases the issue is caused by corruption in one of the following database files:
  o $FWDIR/conf/objects_5_0.C
  o $FWDIR/conf/CPMIL*
  o $FWDIR/conf/applications.C*
  o $FWDIR/conf/*.NDB (fwauthd\robo-control\robo-gateways)

Troubleshooting:
1. As a first step remove these files from $FWDIR/conf:
   o CPMIL*
   o applications.C*
   Perform cpstop; cpstart and check if the files were created again and if the issue is resolved.

2. Load the fwm process manually in debug mode and collect the output as follows:
   # export TDERROR_ALL_ALL=5
   # fwm -d &> <debug output filename>
   (When using export TDERROR_ALL_ALL there is no need for -d when running fwm load.)
   Once the process has crashed, unset the TDERROR variable and collect the output:
   # unset TDERROR_ALL_ALL

In case the above troubleshooting process did not solve the issue, we will proceed with the investigation in our lab environment.

FWM Not starting

3. If you didn't find the root cause using the troubleshooting process, collect a migrate export file, since the issue will most likely be replicated in the lab environment.

Note: In case the issue is replicated in your lab, use fix_ndb (refer to sk36339) to check and repair database corruptions in the *.NDB files, especially in the following files:
  o $FWDIR/conf/fwauthd.NDB
  o $FWDIR/conf/robo-control.NDB
  o $FWDIR/conf/robo-gateways.NDB

Small note: The following files contain information regarding Edge devices:
  o $FWDIR/conf/robo-control.NDB
  o $FWDIR/conf/robo-gateways.NDB
In case the customer does not use any Edge device, it's possible to remove these files and they will be recreated.

Expired certificate

• The error message indicates that the MGMT server certificate has expired.

• Make sure that the time & date are correct on the management server and on the GUI client machine.

• Follow sk33779 to regenerate the MGMT server certificate.

Authentication issues

• All the GUI administrators are stored in the $FWDIR/conf/fwauthd.NDB file on the management server.

• The first administrator must be created via the cpconfig command (it's only possible to create one administrator via cpconfig, and only when no administrators are configured). The rest of the administrators are configured via the GUI.

• The administrator which is configured from cpconfig uses Check Point password as its authentication method, while administrators which are created from the GUI can use other authentication methods as well.

• The process which is responsible for the authentication is fwm.

Troubleshooting steps:
1. Make sure that you entered the correct password
2. When configuring administrators via the GUI you must perform "install database" in order for the changes to take effect (therefore, perform "install database" and check if it solves the issue)
3. Make sure that the user is defined in fwauthd.NDB
4. In case none of the above helped, collect fwm debug

Questions?