When using Check Point Management R80.x besides the "normal" OPSEC connections a connect to the Check Point Management API is necessary.
How to connect Tufin SecureTrack with Check Point Management R80 is described here.
Even if the connection to the Check Point Management is ok, an error might be displayed:
Checkpoint API client error
Testing the connection from SecureTrack using
Menu > Settings > Monitoring > Check Point Management R80 > Test Connectivity
seems successful, but the status icon of the device is yellow in SecureTrack. In Menu > Settings > Administration > Status > Check Point Management R80 > Status the error is shown and no new revisions are imported to SecureTrack.
Background information: "Test Connectivity" checks currently the OPSEC channel (used in R77.x) only. The second channel is the Management API which is necessary when monitoring R80.x.
Some troubleshooting might solve this issue. You can try one or more of the following things before restart monitoring the device:
- Check that the Check Point Management monitored is really Version R80.x and not still Check Point R77.30. If that's the case, the device needs to be deleted and new defined as Check Point Management R77.30. There is no way to change the Check Point Version from R80.x back to the old one.
- Check that Tufin SecureTrack is able to connect to Check Point management Server using port 443/tcp. Maybe a Firewall is blocking this traffic.
- Check the credentials configured for the Tufin user at the Check Point Management Server.
- Check the permissions of the Tufin user at the Check Point Management Server. This user needs rw even if there is no provisioning configured or planned.
- Check the Expiration Date of the account, sometimes it's not the default value ending in 2030.
- If all these measures don't help, try to restart the Management API at the Check Point Management Server. This can be done as "expert" using the command api restart.
If you have further ideas or if these items didn't help, please don't hesitate to contact us.
