CHKP400 - Invalid Response from Check Point Gateway

Agent error code #CHKP400 indicates that the Knocknoc agent received a response from the configured endpoint that it could not parse as an Identity Web API reply.

This almost always means the Gateway Hostname or its port is pointing at something that is not the Identity Web API. The endpoint answered, but with content the API never produces, such as an HTML error page.

Common causes include:

  • The hostname or port points at a captive portal, a reverse proxy, or a load balancer rather than the Identity Web API
  • The Identity Web API portal is not online because policy has not been installed since it was configured
  • A TLS-intercepting proxy is rewriting the response

Steps to Resolve

Verify the Endpoint

  1. From the agent host, send a test request to the Web API:

    curl -k -X POST https://gw.example.com/_IA_API/v1.0/show-identity \
      -H 'Content-Type: application/json' \
      -d '{"shared-secret":"<your secret>","ip-address":"192.0.2.1"}'
    
  2. A working endpoint returns a JSON body, either an identity payload or an err_identity_not_found code. An HTML page or a connection error means the URL or port is wrong.
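
The check in step 2 can be scripted. The following is an added example, not Knocknoc or Check Point code: it triages the body returned by the test request, and its sample bodies and JSON field names are constructed (only err_identity_not_found comes from this page).

```python
import json
import sys

# Maps each triage result to the guidance given on this page.
ADVICE = {
    "empty": "Nothing usable came back: re-check the Gateway Hostname and port.",
    "html": "HTML, not the Web API: the URL points at a captive portal, "
            "proxy or load balancer, or a proxy is rewriting the response.",
    "not-json": "Body is not JSON: the endpoint is not the Identity Web API.",
    "identity-not-found": "Web API reachable; no identity for that IP address.",
    "json": "Web API reachable; JSON body returned.",
}

def classify_response(body: bytes) -> str:
    """Return a triage label (a key of ADVICE) for a raw response body."""
    # Tolerate a UTF-8 BOM and leading whitespace before deciding.
    text = body.decode("utf-8", errors="replace").lstrip("\ufeff \t\r\n")
    if not text:
        return "empty"
    if text.startswith("<"):
        # Markup (error page, login page) is never a JSON API reply.
        return "html"
    try:
        json.loads(text)
    except json.JSONDecodeError:
        return "not-json"
    # Matched on the raw text so no JSON key name has to be assumed.
    if "err_identity_not_found" in text:
        return "identity-not-found"
    return "json"

def verdict(body: bytes) -> str:
    label = classify_response(body)
    return f"{label}: {ADVICE[label]}"

# Constructed sample bodies; they do not reproduce the real API schema.
SAMPLES = [
    b"<!DOCTYPE html><html><body>Sign in to continue</body></html>",
    b"502 Bad Gateway",
    b'{"code": "err_identity_not_found"}',
    b'{"users": []}',
]

if __name__ == "__main__":
    # Usage: curl ... | python3 triage.py   (no stdin pipe: run the samples)
    bodies = SAMPLES if sys.stdin.isatty() else [sys.stdin.buffer.read()]
    for b in bodies:
        print(verdict(b))
```

Either of the last two results matches what this page describes for a working endpoint; the others call for re-checking the Gateway Hostname and port.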

Confirm the Portal Is Installed

  1. If the Web API was configured recently, Install Policy in SmartConsole so the gateway registers the portal
  2. Confirm the Gateway Hostname and any :port point at the gateway serving the Web API, not a proxy or management server

For the full setup, see the Check Point setup guide.