Solution ID: sk91380
Product: Security Gateway, Security Management, Multi-Domain Management / Provider-1, ClusterXL, Cluster - 3rd party
Version: R76, R77, R77.10, R77.20, R77.30, R80, R80.10, R80.20
OS: Gaia
Platform / Model: All
Date Created: 16-Jan-2013
Last Modified: 02-Aug-2018
Solution
Gaia has introduced an all-new Portal that provides full access to system configuration.
Gaia Portal (WebUI) is powered by an Apache server running on the Security Gateway or Security Management server. The Apache server handles Gaia HTTPS requests via a CGI interface and passes them to the TCL scripts. Apache also manages the sessions using a proprietary Apache module that works in coordination with the Gaia DB and RBA roles. The client side is based on JavaScript and CSS files powered by the ExtJS JavaScript library. The Gaia Portal, as a system portal, functions with and without multi-portal I/S. When there is no multi-portal, the HTTPS requests go directly to the Apache process listening for HTTPS connections.
Troubleshooting needs to be conducted when you have problems accessing the Gaia Portal, for example:
Check with other supported browsers - Internet Explorer, Firefox, Chrome and Safari - refer to Gaia Administration Guide (R75.40, R75.40VS, R76, R77.X, R80.10) and
to sk92668 - Browsers supported to work with Gaia Portal.
Open the browser console, and see if there is any error message:
in Google Chrome, press F12 and go to Console tab
in Firefox, press CTRL+Shift+J keys
Related solution:
sk118801 - "ERR_CONNECTION_REFUSED" error is displayed in web browser when connecting to Gaia Portal
1. Connect to Gaia Portal using Google Chrome (but do not log in yet).
2. Enable Developer Tools - in the menu, go to More tools - click on Developer tools (or press either F12, or CTRL+Shift+I)
Note: It is strongly recommended to undock the Developer Tools into a separate window (click on the 3 vertical dots in the upper right corner).
9. Send the following files from the involved Gaia machine to Check Point Support:
CPinfo file
/web/cgi-bin2/*
/web/htdocs2/js/*
/var/log/messages*
Recorded network log (HAR file)
2. Enable Developer Tools in Network mode - go to the upper right-menu - click on Developer - click on Network (or press CTRL+Shift+Q):
Note: It is strongly recommended to undock the Developer Tools into a separate window (click on the 2-windows icon in the upper right corner).
4. Click on the Back button to see all the loaded scripts and images.
8. Right-click on any of the files - select Save All As HAR - save the <Archive DD-MM-YY HH-MM-SS>.har file on your computer.
9. Send the following files from the involved Gaia machine to Check Point Support:
CPinfo file
/web/cgi-bin2/*
/web/htdocs2/js/*
/var/log/messages*
Recorded network log (HAR file)
1. Download and install HttpWatch on the computer from which you will connect to Gaia Portal.
2. Start the HttpWatch capture (refer to HttpWatch Help file, or online version).
9. Send the following files from the involved Gaia machine to Check Point Support:
CPinfo file
/web/cgi-bin2/*
/web/htdocs2/js/*
/var/log/messages*
Exported HttpWatch capture (HAR file)
If the command does not work, this is probably a Gaia Database problem. Check the /var/log/messages file.
The reasons for this issue can vary and may occur at different layers.
Below are steps and instructions on how to narrow the troubleshooting scope.
Check if you have connectivity to the machine from the client machine via ping.
Capture the traffic with tcpdump to see if pings can reach the machine.
Capture the traffic with tcpdump to see that the HTTPS connections are being seen on the machine.
If HTTPS connections are seen on the machine, and this machine is a Security Gateway / Cluster member,
then run a simple kernel debug to check whether these HTTPS connections are dropped: fw ctl zdebug + drop.
If there is a doubt, and this machine is NOT connected to any network (except your test computer),
then try unloading the Firewall policy: fw unloadlocal (to reload the policy, run: fw fetch localhost command).
Check whether Multi-Portal is routing the Gaia connections to the wrong portal.
Run fw ctl zdebug + crypt command.
If there is a doubt, and this machine is NOT connected to any network (except your test computer),
then try unloading the Firewall policy to disable Multi-Portal: fw unloadlocal (to reload the policy, run: fw fetch localhost command).
If indeed Multi-Portal routes the Gaia connections to the wrong portal, then check that the Gaia Portal port is configured
in SmartDashboard in the corresponding object and see that the browser connects to the same port.
Check the Apache server logs to see if Gaia connections arrive at the Apache server:
Check the ownership and permissions of the TCL files in the /web/cgi-bin2/ directory with ls -al /web/cgi-bin2/ command.
These TCL files should have:
The following ownership: admin root
The following permissions: -r-xr-xr-x
Note: The httpd_dyno.tcl file located in this directory has different permissions, since it is obsolete and is not used by Gaia Portal anymore.
Check the ownership and permissions of /usr/bin/cgisu file with ls -l /usr/bin/cgisu command.
This file should have:
The following ownership: admin config
The following permissions: -r-sr-x---
Check that the files /web/conf/server.key and /web/conf/server.crt are not empty with the following commands:
cat /web/conf/server.key
cat /web/conf/server.crt
Related solutions:
sk97648: How to create and set certificate for Gaia Portal
sk108252: How to change Gaia Portal's certificate from SHA-1 to SHA-256
sk109593: How to configure Gaia Portal to use a 3rd party CA-issued Wildcard certificate
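
The ownership, permission and certificate checks listed above can be run in one pass. The script below is an added example, not part of the Check Point article: the function names and the `*.tcl` glob are assumptions, and it tests server.key and server.crt for size with `[ -s ]` instead of `cat`, so the private key is not printed to the terminal.

```shell
#!/bin/sh
# Added example, not Check Point code: checks the attributes the article lists.

# check_attrs PATH MODE OWNER GROUP
# Compares the `ls -l` mode string, owner and group of PATH with the expected values.
check_attrs() {
    [ -e "$1" ] || { echo "MISSING  $1"; return 1; }
    # Fields 1, 3 and 4 of `ls -ld`; drop a trailing ACL/SELinux marker (+ . @).
    actual=$(ls -ld "$1" | awk '{ sub(/[.+@]$/, "", $1); print $1, $3, $4 }')
    if [ "$actual" = "$2 $3 $4" ]; then
        echo "OK       $1 ($actual)"
    else
        echo "MISMATCH $1: found '$actual', expected '$2 $3 $4'"
        return 1
    fi
}

# check_nonempty PATH
# Size test only, so the private key is never printed to the terminal.
check_nonempty() {
    if [ -s "$1" ]; then
        echo "OK       $1 is not empty"
    else
        echo "EMPTY    $1 is missing or empty"
        return 1
    fi
}

# audit_portal_files CGI_DIR CGISU_PATH CONF_DIR
# Runs every check and returns the number of failures (0 = all as documented).
audit_portal_files() {
    failures=0
    for f in "$1"/*.tcl; do   # assumption: the TCL scripts end in .tcl
        # httpd_dyno.tcl is obsolete and expected to differ, so skip it.
        if [ "${f##*/}" = "httpd_dyno.tcl" ]; then continue; fi
        check_attrs "$f" "-r-xr-xr-x" admin root || failures=$((failures + 1))
    done
    check_attrs "$2" "-r-sr-x---" admin config || failures=$((failures + 1))
    check_nonempty "$3/server.key" || failures=$((failures + 1))
    check_nonempty "$3/server.crt" || failures=$((failures + 1))
    return "$failures"
}

# Run against the paths from the article only when they exist (a Gaia machine).
if [ -d /web/cgi-bin2 ]; then
    audit_portal_files /web/cgi-bin2 /usr/bin/cgisu /web/conf
fi
```

Any MISMATCH, MISSING or EMPTY line identifies the file to compare against the expected values listed above.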