CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Tim Hall has done it again! He has just released the 2nd edition of "Max Power".
Rather than get into details here, I urge you to check out this announcement post.
It's a massive upgrade, and well worth checking out. -E
Type: Posts; User: PhoneBoy

  1. Re: How do I check the routing table through command line? In checkpoint ?

    Commands should be the same in R80.x
  2. Replies
    13
    Views
    612

    Re: First time configuration wizard hung up

    Please describe the virtual hardware you allocated to your VM.
    You will see this if you do not allocate enough resources (especially disk) to your VM.
    See also:...
  3. Thread: CPX

    by PhoneBoy
    Replies
    2
    Views
    687

    Re: CPX

    I was in Bangkok, will be in Vegas and Vienna, as will Val.
  4. Re: Blink - Full gateway installation in 5 minutes

    We'll be showing it off at CPX.
    It's quite impressive :)
  5. Replies
    4
    Views
    475

    Re: Checkpoint RAS solutions

    On a trial license, you have "all of the above" in terms of VPN connectivity.
    Meaning, you can use either the "Endpoint Security" options or the "Mobile Access" options (SNX or Check Point...
  6. Re: Change of Public IP of 2nd ISP (Cluster setup)

    Your best bet is to do it over the CLI from the serial console.
    If you can't do that, your second best bet is to do it from a different interface than the one you're trying to change.
  7. Re: How can you take a backup (similar to R77)?

    While you're asking about a backup, I suspect what you're actually asking about is a Database Revision.
    They work differently in R80.x than R77.x.
    You can see a description of how it works here:...
  8. Replies
    3
    Views
    637

    Re: Simultaneous SSLVPN & IPSEC VPN

    Simplified Mode was introduced in NG FP3 and has been the recommended configuration since then.
    Traditional Mode is formally deprecated in R80.x.
  9. Replies
    3
    Views
    1,527

    Re: Has my Safe@ died

    The thing you plug into the wall is the power supply in this case :)
  10. Replies
    3
    Views
    1,527

    Re: Has my Safe@ died

    My money is on the power supply giving out.
    As the Safe@ appliances are no longer being sold or supported, your best bet is to find a power supply through a secondary source.
  11. Replies
    10
    Views
    1,675

    Re: Security Management Server migration

    While yes, in general, most software downloads require a software subscription, we do allow download of R80.10 by design (mostly for evaluation purposes).
    I suppose now that R80.20 is out, that...
  12. Replies
    3
    Views
    911

    Re: R80.10 Upgrade error

    The correct and only supported method to do an in-place upgrade is to use CPUSE.
    Refer to the Installation and Upgrade guide:...
  13. Re: IPS Protect internal hosts only - recommendation

    Further, R80.20 was released today, so you can actually start using these features.
  14. Replies
    0
    Views
    1,267

    Check Point R80.20 is GA

    https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk122485
  15. Re: Management Server HA two different data centers?

    FYI, in R80.x, this got a major overhaul due to the other changes in management architecture.
  16. Replies
    10
    Views
    914

    Re: ICMP time exceeded are not logged?

    Virtual systems are not virtual machines in the sense they all run on the same underlying OS.
    Stats you obtain from netstat are for the entire machine, not the VS.
  17. Replies
    10
    Views
    914

    Re: ICMP time exceeded are not logged?

    In R77.10, we added TCP State Logging.
    It's not enabled by default, of course.
    See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk101221
  18. Replies
    8
    Views
    1,326

    Re: Antispoofing adding static route

    This is not true as anti-spoofing checks also occur after the traffic is routed.
    In fact, I had an FAQ about this exact issue back in the day.
    There's probably a copy of it somewhere on this site,...
  19. Replies
    3
    Views
    610

    Re: URL redirect on safe@

    Pretty sure this feature is not supported on Safe@ or UTM-1 EDGE appliances as this requires the Security Servers, which I do not believe are present on these appliances.
    Further, you'd need...
  20. Replies
    5
    Views
    593

    Re: Check Point DHCP Interface

    You have to mark one of the interfaces in your topology as Dynamic IP.
  21. Replies
    5
    Views
    593

    Re: Check Point DHCP Interface

    It appears in the General Properties of the object.
    Specifically, it's a checkbox to the right of the button Resolve from Name.

    This is not available if the gateway is standalone (gateway...
  22. Replies
    5
    Views
    593

    Re: Check Point DHCP Interface

    Unless you define the gateway as having a Dynamic Address (it's a checkbox in the gateway object), then you can't do that.
  23. Replies
    1
    Views
    452

    Re: Add DAIP gateways to source in a policy

    Based on the fact you're talking about certificates, I'm assuming you're referring to VPN from a host with a dynamic IP.
    Check Point requires certificates to be used in this case because pre-shared...
  24. Thread: Doubts on IPS

    by PhoneBoy
    Replies
    1
    Views
    1,071

    Re: Doubts on IPS

    Pretty sure that the default action for the MS08-067 protection in the Optimized or Strict profiles is Prevent.
    Did you install the Firewall policy or the Threat Prevention policy?
    Note for R80.10+...
  25. Replies
    18
    Views
    2,220

    Re: R80.20.M1 Management Release

    It's safe to say we'll be leveraging new kernel infrastructure for a lot of things in the gateway (including VSX).
  26. Replies
    2
    Views
    469

    Re: New GUI Signature Tool

    Here's a screenshot from R80.20.M1 showing where to import custom applications.
    It should be similar in R80.10.
  27. Replies
    18
    Views
    2,220

    Re: R80.20.M1 Management Release

    Nope, we're not using systemd.
    We actually use our own process manager (pm).
  28. Replies
    18
    Views
    2,220

    Re: R80.20.M1 Management Release

    Correct.
  29. Replies
    18
    Views
    2,220

    R80.20.M1 Management Release

    R80.20.M1 Management Release is now available.
    To be clear, this is for Management only (including Provider-1/Multi-Domain) and does not support installation as a gateway (with or without...
  30. Replies
    7
    Views
    2,775

    Re: SmartDashboard on macOS

    To provide a bit of background on the situation:

    When Check Point designed R80, the goal was to have an outstanding UI experience for the administrator as well as flexible UI components, allowing...
  31. Replies
    7
    Views
    563

    Re: Load balancing capabilities?

    vSEC/CloudGuard makes use of these objects, actually.
  32. Replies
    8
    Views
    836

    Re: CMA import fails to R80

    As I suggested on the same thread on CheckMates, it's probably a good idea to get the TAC involved with this.
    At least some internal SKs suggest part of the database might be corrupt.
  33. Replies
    6
    Views
    846

    Re: Mgmt and Sync ports

    On anything but the Scalable Platforms (e.g. 41k/44k/61k/64k), the Management interfaces are just labeled that way.
    They can be used for production traffic as well.

    If you need multiple sync...
  34. Re: vpn against a gateway with a dynamic ip

    Since it's not a Check Point gateway, you should definitely create it as an interoperable device.
    If you can guarantee the remote IP address won't change, then you can configure the IP address in...
  35. Replies
    4
    Views
    1,579

    Re: R80.20 Production and Public EA

    At least in the public EA, it's 2.4.4.

    However, I assume this is subject to change in GA, especially since the current Public EA is only centered around Management and not gateway where this would...
  36. Replies
    4
    Views
    1,579

    Re: R80.20 Production and Public EA

    Since I'm not familiar with the userspace of RHEL 7, I can't say for sure.
    Just doing a perfunctory compare of installed RPM packages, I can see some updated libraries are there for sure.
    Same with...
  37. Re: Support for embedded R77.20 extended by a year

    If you need support for R77.30 beyond the stated timeframes, I recommend engaging with your account teams sooner rather than later.
    There are plans to bring more of SmartWorkflow's functionality...
  38. Re: Checkpoint 13500 appliances and NTP servers

    You may want to check to see if the immutable flag has been set on /etc/ntp.conf by using the command lsattr /etc/ntp.conf.
    If the immutable flag is set, then GAiA will not be able to update the...
  39. Re: Can I get URL wise report from Smart Reporter?

    Just as a reminder, SmartReporter is not available in R80+.
  40. Re: SmartProvisioning to get firmware of all devices?

    Someone created a script on CheckMates to get a list of gateways and their installed code versions.
    It's not specific to the 1430 but should work:...
  41. Re: vpn against a gateway with a dynamic ip

    You should only create it as a UTM-1 EDGE appliance if it truly is a UTM-1 EDGE appliance.
    Otherwise you would create it as an Externally Managed VPN Gateway with the Dynamic Address box checked....
  42. Replies
    4
    Views
    1,579

    R80.20 Production and Public EA

    For those who can't wait for R80.20 to become generally available, it is available in Early Availability form.
    Both Production and Public EA versions are available.
    Public EA is Management only,...
  43. Replies
    6
    Views
    3,081

    Re: SAM rule expiration sorting

    I'm curious how many people actually use fw sam rules.
    It's an older feature for sure.
  44. Replies
    1
    Views
    604

    Re: VPN SecuRemote disconnects

    Using the same IP address space on both ends of a VPN tunnel rarely ends well.
    Office Mode would probably work around your particular issue, but that requires Endpoint VPN or Mobile Access licenses.
  45. Replies
    6
    Views
    1,476

    Re: Vsec Failover Partially Worked

    You need permissions for both nodes as you will be ultimately changing the routing on both nodes during a failover.
    Also, I'm guessing this is your problem:

    RequestException: HTTP/1.1 401...
  46. Replies
    6
    Views
    1,715

    Re: 1100 - site to site route based VPN

    Except the WebUI is clearly not allowing this configuration.
    The fact it's limited as a known limitation suggests it's not an accident.
  47. Replies
    6
    Views
    1,715

    Re: 1100 - site to site route based VPN

    VPN Service based link selection is not supported on the SMB appliances.
    It is listed as a known limitation....
  48. Re: SMVT cannot read the license on the Log server

    For what it's worth, I was able to fire up SmartView Tracker on R80.10 without any licensing errors.
    Granted, I am using the standard "All-in-One" eval license and it's a management system.
    Like...
  49. Replies
    6
    Views
    1,476

    Re: Vsec Failover Partially Worked

    The example in sk116212 suggests you need appropriate permissions for the cluster member VMs at a minimum.
    When the failover "failed" what showed in $FWDIR/log/azure_had.elg if anything?
  50. Re: Can a Checkpoint R77.30 gateway enforce user authentication to a web server via R

    https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk115961

    TL;DR: Anything involving Security Servers doesn't support the new unified...
  51. Replies
    6
    Views
    1,476

    Re: Vsec Failover Partially Worked

    The HA test script just verifies the configuration is set up correctly so when a failover event actually occurs, we can trigger the relevant API calls to do the failover.
    It does not trigger the...
  52. Re: Can a Checkpoint R77.30 gateway enforce user authentication to a web server via R

    If you're not already using Client Authentication, I would not recommend you start now.
    R80.10 has some pretty significant limitations with regards to new features if you're using Client Auth.
  53. Replies
    0
    Views
    2,875

    Check Point Log Exporter via Syslog

    While CPLogToSyslog has been around for a while, it definitely has some limitations.
    This is the official replacement for CPLogToSyslog, built on top of recent R77.30/R80.10 Jumbo Hotfixes.
    It will...
  54. Re: Can a Checkpoint R77.30 gateway enforce user authentication to a web server via R

    Mobile Access Blade should also work here.
    Depending on the nature of the website, it may work without installing a VPN client.
  55. Re: SMVT cannot read the license on the Log server

    While the binary for SmartView Tracker is still installed as part of R80+ SmartConsole, it's formally deprecated.
  56. Replies
    1
    Views
    401

    Re: Website Categorisation

    If the gateway is categorizing stuff as "Web Browsing" that means one of four things:

    1. You don't have URL Filtering enabled on your gateway. This can be enabled in the gateway object and...
  57. Re: Can I get a report like this from smart reporter

    In R80.10 SmartEvent, there's a standard view called "Active Users" that will show you this information (top users and how much data they've consumed plus apps they consumed it with).
    In my case, I...
  58. Re: Smart Console error "Unable to get idle-time workstation locking policy"

    R75.45 has been End of Support for a couple years now.
    None of the potential causes for this issue occur on currently supported versions of code running on Gaia OS.

    I highly recommend you...
  59. Re: Tenable Scan opening ports dynamically on GW

    A better question might be why you are allowing traffic to "any" port to your firewall from anywhere, or even a specific network.
    That's not considered best practice.

    In any case, those "random"...
  60. Replies
    12
    Views
    2,694

    Re: ipso 6.2 R70 and 77.10 on Ip560

    That means we're both old :)
  61. Replies
    12
    Views
    2,694

    Re: ipso 6.2 R70 and 77.10 on Ip560

    To be clear, you don't really need a hotfix if you do what I suggested (backdate the system when the internal CA is created).
    Afterwards, you can change the system to a current date and all should...
  62. Replies
    12
    Views
    2,694

    Re: ipso 6.2 R70 and 77.10 on Ip560

    This sounds like the issue described here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk122612

    By default, when the Internal CA is...
  63. Re: How to install policy with comms from mgmt server blocked by antispoofing

    The only place I've seen where this is needed is when you're listening off a SPAN port and the gateway sees its own traffic from the management port on it.
    Part of that old "can't see the same...
  64. Re: How to install policy with comms from mgmt server blocked by antispoofing

    You can see Tim's excellent presentation at CPX (as well as a bunch of other ones) here: https://community.checkpoint.com/docs/DOC-2734-cpx360-slides-2018
    You can also see a video of me poorly...
  65. Replies
    5
    Views
    715

    Re: VPN PreShare Key cmd/clish

    fwauth.NDB may be where it is stored, not sure.
    Regardless, there is no supported method to "show" the PSK any longer (yes, it used to show in plaintext in SmartDashboard ages ago).
    If you forget...
  66. Re: Mobile Access Reverse Proxy - Anyone used yet

    The Reverse Proxy was developed by and is maintained by the same team that is responsible for Mobile Access Blade.
    I can say that as someone who both works for Check Point and is familiar with the...
  67. Re: Mobile Access Reverse Proxy - Anyone used yet

    If the Reverse Proxy feature required authentication, why wouldn't you just use Mobile Access Blade, which already provides this?
    The whole reason the Reverse Proxy functionality was created was to...
  68. Replies
    5
    Views
    715

    Re: VPN PreShare Key cmd/clish

    And like I said over on CheckMates, you can't see it.
    If you forget it, you have to reset it.
  69. Replies
    6
    Views
    696

    Re: Hot Fix Installation Verifier

    cpinfo -y all should also provide another source (assuming recent version of cpinfo).
    But if you want the belt and suspenders approach, you'd have to open up the hotfix, see what it installed, and...
  70. Replies
    26
    Views
    2,822

    Re: URL filtering, is this a joke?

    The SK has been updated one more time.
    Since the URLs we are matching against start with http:// or https://, we are matching a slash rather than a caret as the start of the hostname.
    And yes, the...
  71. Replies
    26
    Views
    2,822

    Re: URL filtering, is this a joke?

    FWIW I also asked my R&D contacts about the unescaped periods.

    Note that even when you enter things as wildcards, the underlying pattern matcher uses regex only, thus what you enter will be...
  72. Replies
    25
    Views
    4,423

    Re: unable to connect to server

    Your support partner should be opening a ticket with Check Point support on this if they haven't already.
    Please ask them for the SR number and send to me in a Private Message.
  73. Thread: Skype

    by PhoneBoy
    Replies
    13
    Views
    1,472

    Re: Skype

    Yes, theoretically, STUN could be used outside of the Skype context in this situation.
    That said, if you're not allowing other VoIP applications, then allowing STUN won't really do much since the...
  74. Replies
    26
    Views
    2,822

    Re: URL filtering, is this a joke?

    The patterns in the SK should be treated as regular expressions and the SK was updated to reflect this.
    Apologies for the confusion.
  75. Re: PBR Problem Behavior on 1100 and 1400 Appliances

    Making changes to the routing outside of the CLI/WebUI is not officially supported on Gaia (embedded or otherwise).
  76. Replies
    6
    Views
    696

    Re: Hot Fix Installation Verifier

    New hotfixes are only released using CPUSE.
    If there are specific issues with using CPUSE, we of course would love to understand the issues and try to address them.
  77. Replies
    26
    Views
    2,822

    Re: URL filtering, is this a joke?

    We have updated the contents of sk106623 based on the feedback in this thread.
    Please review it and let me know if there are further problems.
  78. Replies
    3
    Views
    858

    Re: Editing multiple user objects possible?

    The answer: use dbedit (same for R77.x and R80.x)
    The commands in dbedit would look something like:

    modify users joe.roberts color black
    update_all

    You can do multiple modify commands before...
  79. Replies
    2
    Views
    1,098

    Re: smart console window too big

    See if the tips here help: https://community.checkpoint.com/message/14609-re-how-to-make-smartconsole-look-good-even-with-terminal-server-or-remote-desktop
  80. Thread: Skype

    by PhoneBoy
    Replies
    13
    Views
    1,472

    Re: Skype

    I've flagged this to the folks who work on the various App Control signatures.
    Adding STUN to the Skype service doesn't seem unreasonable.
    Meanwhile, manually adding STUN to the same rule that...
  81. Thread: Skype

    by PhoneBoy
    Replies
    13
    Views
    1,472

    Re: Skype

    That should not be required for Skype (the consumer version).
    You can change the application definition to allow different ports, like I suggested earlier.
  82. Thread: Skype

    by PhoneBoy
    Replies
    13
    Views
    1,472

    Re: Skype

    The ports we list in our application definition are exactly the same that Skype specifies on their website: ...
  83. Thread: Skype

    by PhoneBoy
    Replies
    13
    Views
    1,472

    Re: Skype

    Something doesn't look right with your Skype service.
    On my system, the Skype service shows with the Skype logo.
    Also notice the ports it matches as part of the application definition:

    ...
  84. Thread: Skype

    by PhoneBoy
    Replies
    13
    Views
    1,472

    Re: Skype

    What does your policy look like to allow the traffic?
    If pre-R80.10, what's the Firewall policy in addition to the App Control policy?
  85. Replies
    6
    Views
    696

    Re: Hot Fix Installation Verifier

    This was part of the reason we created CPUSE.
    In fact, we stopped releasing non-CPUSE hotfixes a while back.
    Why are you installing hotfixes without using CPUSE?
  86. Re: How to update waagent in Checkpoint Azure

    waagent is provided as part of the image in Azure.
    The reason for the version we use (as I recall) relates to the Linux kernel version we are using in Gaia currently.
    We currently do not provide a...
  87. Re: Blink - Full gateway installation in 5 minutes

    The Gaia OS can be configured, but the idea of Blink is blow away/restart.
    I do agree pairing this with isomorphic or similar would be a good thing.
  88. Replies
    13
    Views
    1,072

    Re: fw samp in Bridge mode not working

    I will agree with Uri here, fw samp is meant for "immediate" responses to issues without pushing policy.
    If you want to block IPs permanently, it's best to move them into the regular firewall policy...
  89. Re: fw samp blocking Reconn attacks - How to?

    There isn't a specific limit that I am aware of.
  90. Replies
    1
    Views
    382

    Re: config_system: command not found

    Use Blink or boot off an ISO from a USB drive to clear the appliance.
  91. Re: fw samp blocking Reconn attacks - How to?

    fw samp rules are meant to be changed on the fly.
    Whether you do that with ssh, cprid, or the R80.x API is a matter of personal preference.
    In R80.10, you might also try using dynamic objects,...
  92. Replies
    3
    Views
    954

    Re: Compliance policy for Mobile Access

    See this thread on CheckMates: https://community.checkpoint.com/message/12072-endpoint-security-on-demand
  93. Replies
    12
    Views
    1,830

    Re: Anyone attending CPX360 2018?

    We do, and I'm sure photographic evidence will appear to that effect on the Internet soon enough. :)
    Here's a pic from last year's CPX in Milan in the meantime.
  94. Replies
    12
    Views
    1,830

    Re: Anyone attending CPX360 2018?

    Sure you're not :P
  95. Replies
    12
    Views
    1,830

    Anyone attending CPX360 2018?

    Aside from myself, I know a few people here are going to be there :)
    And yes, before you ask which one I will be at, the answer is Yes.
  96. Replies
    1
    Views
    1,070

    Re: Snort Rules Does not work over HTTPS

    If you've configured HTTPS Inspection properly, it should just work like regular IPS.
    What version/jumbo hotfix are you at?
    Have you engaged the Check Point TAC with this?
  97. Replies
    6
    Views
    661

    Re: Youtube blocking certain channels?

    Pretty sure this is not currently possible.
  98. Re: why one should upgrade their gateways from R77.30 to R80.10 ?

    I actually did a talk last week that covers a few of these points: https://community.checkpoint.com/message/12403-techtalk-migrate-to-r8010-and-new-years-toast
  99. Replies
    9
    Views
    2,597

    Re: Hide NAT Address Range

    I seem to recall this feature being available (perhaps in "customer releases") as far back as R65.
    That said, it was definitely not a SecureXL-friendly feature in those days.
  100. Re: Goodbye Check Point, hello Guardicore, wish me luck, etc

    There are some good people at Guardicore.
    You're now among them!
    Best of luck in your new gig and we'll see you in Barcelona.
Results 1 to 100 of 500