CHKP004 - Check Point Source IP Not Authorised
Agent error code #CHKP004 indicates that the Check Point gateway recognised the shared secret but refused the request because the agent connected from an IP address the Identity Web API client does not accept.
The Identity Web API enforces a source-IP allow-list in addition to the shared secret. That allow-list comes from the host object bound to the Authorized Client, not from a field on the client itself. This error means the agent's actual source address is not that host object's IP.
This is distinct from #CHKP003, where the shared secret itself was rejected, and from #CHKP005, where the gateway would not say whether the secret or the source IP was the problem.
Common causes include:
- The host object bound to the Identity Web API client has the wrong IP address
- The agent egresses through a NAT, proxy, or jump host, so the gateway sees a different source IP than the agent's local address
- The agent was moved to a new host with a different outbound IP
- A different host object is bound to the client than the one you updated
Steps to Resolve
Confirm the Agent's Real Source IP
- Determine the address the agent actually leaves its host with. This is the address the gateway sees, not necessarily the agent's local interface, so account for any NAT or proxy
- The gateway-side rejection log records the source IP it observed, which is a quick way to confirm it
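An added example for this confirmation step (not part of the original page or the product's own tooling): it looks up the source address the agent host would use toward the gateway, then compares it with the host object's IP and, when available, the source IP from the gateway's rejection log. The function names, result codes, and sample addresses are assumptions made for this example.

```python
import ipaddress
import socket


def local_source_ip(gateway_ip, port=443):
    """Source address the OS would pick for traffic to the gateway.

    connect() on a UDP socket only does a route lookup; no packet is sent.
    The port is arbitrary here. This is the local view, before any NAT.
    """
    family = socket.AF_INET6 if ipaddress.ip_address(gateway_ip).version == 6 else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.connect((gateway_ip, port))
        return s.getsockname()[0]


def diagnose(host_object_ip, local_ip, observed_ip=None):
    """Return (code, advice). observed_ip is the source IP from the gateway's rejection log."""
    allowed = ipaddress.ip_address(host_object_ip)
    local = ipaddress.ip_address(local_ip)
    if observed_ip is None:
        if local == allowed:
            return ("need-gateway-log", "Local address matches the host object, so the "
                    "gateway is probably seeing a translated address; read it from the log.")
        return ("local-mismatch", "Host object differs from the local address; confirm "
                "against the gateway log before updating, in case NAT changes it again.")
    observed = ipaddress.ip_address(observed_ip)
    if observed == allowed:
        return ("check-binding", "This host object already matches what the gateway saw; "
                "check that it is the one bound to the Identity Web API client.")
    if observed != local:
        return ("nat", f"Agent egresses via NAT or a proxy; set the host object to {observed}.")
    return ("wrong-host-ip", f"Host object has the wrong address; set it to {observed}.")


if __name__ == "__main__":
    # Constructed sample values (documentation address ranges), not real hosts.
    # On the agent host, local_ip would come from local_source_ip("<gateway address>").
    print(diagnose("10.0.0.5", "10.0.0.5", "203.0.113.10"))
```

The local lookup alone cannot reveal NAT or proxy translation, which is why the gateway-observed address takes precedence whenever it is supplied.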
Update the Host Object in SmartConsole
- In SmartConsole, open the host object bound to the Identity Web API client (for example knocknoc-agent)
- Set its IPv4 Address to the agent's real source IP
- Install Policy
For the full setup, see the Check Point setup guide.