Troubleshooting Mars And Check Point - Cisco CS-MARS-20-K9 - Security MARS 20 User Manual
Chapter 4 Configuring Firewall Devices
Check Point Devices

Step 7 Click Submit to remove the child enforcement module from the primary management station.

Troubleshooting MARS and Check Point

The following information can be used to troubleshoot communication issues between the MARS Appliance and Check Point components.

Note: For additional Check Point discovery-related debug information, use the pnlog command at the CLI of the MARS Appliance. You can use the cpdebug attribute to specify the appropriate debug level. Level 9 presents all debug messages. You can view the debug messages using the pnlog showlog cpdebug command at the CLI. For more information on pnlog, see pnlog, page A-30 in the Install and Setup Guide for Cisco Security Monitoring, Analysis, and Response System.

- To view attack information by user, run a query where the device is a Check Point device.
- If you attempt to discover the certificate and it returns to the CheckPoint Certificate screen instead of displaying the "Discovery done." message box, then the discover operation failed. The likely cause is an incorrect SIC value.
- A certificate can be pulled only once for an OPSEC Application. If for any reason the pull operation fails, you must reset the certificate using the CheckPoint SmartDashboard. For more information, see Reset the OPSEC Application Certificate of the MARS Appliance, page 4-36.
- If the device discovery operation fails, click the View Error button for a detailed error message. Common reasons for failure of device discovery are as follows:
  - The client SIC DN name or server SIC DN name is incorrect. Use copy and paste from SmartDashboard to avoid erroneous entry.
  - Invalid certificate used.
  - Invalid user name, password, or both used. Verify that the credentials provided for the Access IP match a Check Point account with administrative privileges.
  - Unsupported version of Check Point. (Discovery works only with NG FP3 and above. Internally we have tested up to Version R60.)
  - Invalid authentication method used. The default method is SSLCA. Check the fwopsec.conf file to determine which method is used. CS-MARS currently supports only three authentication methods for CPMI communication: SSLCA, ASYM_SSLCA and CLEAR. For more information on specifying these settings, see Select the Access Type for LEA and CPMI Traffic, page 4-32.
  - Invalid access port. The default port for secured CPMI-based communication is TCP 18180. Check the fwopsec.conf file to verify the configured port.
  - The MARS Appliance does not have access to port 18190, or an alternate specified in fwopsec.conf for CPMI. At the CLI of the MARS Appliance, use the telnet command to test the access port. For more information on telnet, see Verify Communication Path Between MARS Appliance and Check Point Devices, page 4-36.
  - The policy database was not installed after creating the OPSEC Application in the SmartDashboard.
  - Firewall policies were not created and installed that permit the MARS Appliance to connect to the Check Point primary management station. For information, see Create and Install Policies, page 4-34.

User Guide for Cisco Security MARS Local Controller
78-17020-01
4-56
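Two of the discovery failures above (wrong authentication method, wrong CPMI port) are settled by what the management station's fwopsec.conf says, so the check below reads that file and flags a cpmi_server auth_type that MARS cannot use or an auth_port that differs from the 18190 named in the reachability step. This is an added example, not code from the Cisco manual or from Check Point; the fwopsec.conf fragment is constructed, and the "server key value" line syntax and the SSLCA default are assumptions from the text.

```python
"""Added example: parse a Check Point fwopsec.conf and flag CPMI settings
that would make MARS device discovery fail. Not from the Cisco manual."""
import re

# Authentication methods the manual lists as supported by CS-MARS for CPMI.
MARS_CPMI_AUTH_TYPES = {"SSLCA", "ASYM_SSLCA", "CLEAR"}
# Port the manual's reachability step names; fwopsec.conf may set an alternate.
DEFAULT_CPMI_PORT = 18190

# Constructed sample fwopsec.conf; hypothetical values, not from a real device.
SAMPLE_FWOPSEC_CONF = """\
# OPSEC server settings on the management station
cpmi_server auth_port 18190
cpmi_server auth_type asym_sslca
lea_server auth_port 18184
lea_server auth_type sslca
lea_server port 0
"""

_SETTING = re.compile(r"^\s*(\w+)\s+(\w+)\s+(\S+)\s*$")  # assumed line syntax


def parse_fwopsec(text):
    """Map each 'server key value' line to settings[server][key]; '#' starts a comment."""
    settings = {}
    for raw in text.splitlines():
        match = _SETTING.match(raw.split("#", 1)[0])
        if match:
            server, key, value = match.groups()
            settings.setdefault(server, {})[key] = value
    return settings


def check_cpmi(settings):
    """Return (auth_type, auth_port, problems) for the cpmi_server entry.

    auth_type is upper-cased (SSLCA assumed when unset, per the manual's default);
    auth_port is an int, or None if the configured value is not a valid TCP port.
    """
    cpmi = settings.get("cpmi_server", {})
    problems = []
    auth_type = cpmi.get("auth_type", "sslca").upper()
    if auth_type not in MARS_CPMI_AUTH_TYPES:
        problems.append(f"auth_type {auth_type} is not one of {sorted(MARS_CPMI_AUTH_TYPES)}")
    raw_port = cpmi.get("auth_port", str(DEFAULT_CPMI_PORT))
    if not raw_port.isdigit() or not 0 < int(raw_port) < 65536:
        problems.append(f"auth_port {raw_port!r} is not a valid TCP port")
        return auth_type, None, problems
    auth_port = int(raw_port)
    if auth_port != DEFAULT_CPMI_PORT:
        problems.append(f"auth_port {auth_port} differs from {DEFAULT_CPMI_PORT}; "
                        "test it with telnet from the MARS CLI and use it in the device definition")
    return auth_type, auth_port, problems


if __name__ == "__main__":
    print(check_cpmi(parse_fwopsec(SAMPLE_FWOPSEC_CONF)))
```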