CPUG: The Check Point User Group
Resources for the Check Point Community, by the Check Point Community.
Type: Posts; User: aweldon
As others in that thread posted, there's a ton of info there on Firepower. Interesting to see so many people saying go to Check Point / Palo Alto / Fortinet
This article might help:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk120981
FYI, looks like the site was just recently updated to https://opendbl.net from https://cpdbl.net - With the domain change, users have to update before December 2nd 2019.
Not sure on the multiple authentication schemes front. Would be interested to know your results.
For securid, I did some very preliminary testing and found these two resources to be helpful:
...
Do you have "Assume that only one user is connected per computer" checked? Gateway properties -> Identity Awareness -> Settings
I stopped using the Check Point version with Dynamic Objects and instead implemented the CPDBL.net method
https://www.cpug.org/forums/showthread.php/21709-CPDBL-CP-Dynamic-block-lists
You can submit sites for re-categorization here - https://www.checkpoint.com/urlcat/main.htm
Do you have any more details from the log? Just a guess, but maybe that HP site is unclassified within Check Point's URL database and you are blocking the "Unknown Traffic" category in URL Filtering /...
Hi, I am by no means an expert, but the way I try to do this is:
Firewall communication rules at the top of the rule base - SSH allows, admin access etc.
Followed by your highest hit rules - more...
I use SAM rules quite a bit - as others have said with SmartEvent reactions. Also using CPDBL for fw samp.
Yeah, that's a tough one as the only way to bypass a self-signed cert (Carbon Black, whoever) in R77.30 is to create an HTTPS bypass like you did for #2. But then you need support for dynamic objects...
Can you edit the registry to remove it from the installer check?
Yeah, I only found it while browsing the Tenable site for an unrelated issue.
Info available here:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk123197
https://www.tenable.com/security/research/tra-2018-04
Yeah, I see what you mean with multi-line and carets. Don't think I'll be using them anyway - stick to what's working.
Why would you need multi line mode for a single URL?
The caret just represents the beginning of the line.
https://regexr.com/3lgj0
So yes you will need multiple entries for a single site. Regex and non-regex.
Perhaps something like this:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk74520
Or something dynamic:
https://cpdbl.net/
So, what I usually do, is we have a bypass custom category defined as regex - meaning box checked and a secondary custom with the box not checked (non regular expression) defined in a bypass rule....
Most of the documentation surrounding their regex and what works and what doesn't work is frustrating. Two articles will say two different things. Ultimately it is usually a combo of a regex and...
Maybe through some complex regex?
(youtu\.be\/|youtube\.com\/(watch\?(.*&)?v=|(embed|v)\/))dQw4w9WgXcQ
And just to follow up... is sk118539 stating that you are only using the Kaspersky engine if you are doing "Deep Scanning" which impacts performance anywhere you turn it on? Are people running this...
Check Point also uses the Cyren/CommTouch engine.
Couldn't you just exclude this service account from IA?
I'll echo what Ed said. Lots of sites need to be bypassed in order to function. Check Point's bypass is interesting in that it will always inspect the first packet regardless of bypass then...
Did you check out sk110539?
And to add some more examples:
https://www.cpug.org/forums/showthread.php/19855-Schedule-migrate-export
I liked the breakout sessions the last time I attended. Also, if you were interested in any complementary products (AlgoSec, Tufin, etc.), the vendors are usually on site hawking their wares and it's a...
Bumping this up from the dead. Did you ever make a decision to stick with Check Point or go with Fortinet? If you made the switch how is it working out for you?
Thanks for the suggestion. Just exported the file and extracted it. I went looking for two protections that I know are set up to send an email (user defined) but, once locating them in the file there...
Hi all, just wondering if anyone knows of a way to do a bulk export of the Logging Settings - Log, Alert, User Defined etc. all at once with an IPS export. We have user defined actions in our Logs...
I just saw the announcement for CPX 2017 in Las Vegas. Does anyone plan to attend?
https://www.checkpoint.com/cpx/usa
Still on 205 with a custom hotfix on top. And probably not as complex of a setup.
I am running it in production on one cluster. So far so good. No impact to CPU/Memory. Running Talos, ETKnown, DShield, BruteforceBlocker. No VSX though.
So if you know the file name, that means Check Point is logging the block, correct? You can just input the URL to VirusTotal or Hybrid Analysis and it will pull the pdf to be scanned. (No downloading...
It's ok. Mine is obsolete now :)
Adobe PDF! (you said not office)
I used awk, not sure if this would help you out?
function convert {
while read line; do
awk '/^[0-9]/ { printf "add -a d -l r -t 3600 -c dshield_blocklist quota service any source range:%s/%s...
Nice job. I see you included the script for DShield but I do not see an option to enable it. Any reason for that?
One thing to keep in mind is that IA does not keep up with AD user group changes or OU renames or any AD edits really. So if you created an IA group for the capsule portion somewhat recently it may...
I attended via the web. Some technical difficulties but that was to be expected. I thought it was interesting.
Expired again FYI!
You can try this also, $FWDIR/bin/sendmail -s 'subject' -t 1.2.3.4 -f from@from.com to@to.com
I guess that depends on the features you are trying to make use of with endpoint security. Which features you want to use determine the type of server you will need. (at least that's my...
Just FYI it would be Wednesday November 30th!
Interesting, thanks for the update on that.
Not native, but I know AlgoSec does this.
Well, from your other threads, if you're after stability, take 159 is the way to go. 172, 174, and 178 were all "recalled for additional testing".
Not sure if you are having the same issue as me but in a similar occurrence when searching from the omnibox Chrome uses UDP 443 / QUIC protocol. I have heard that by default if you block UDP 443...
Bumping this up from the dead, PhoneBoy it has been a few months now just wondering if QUIC inspection is on Check Point's radar as of yet?
Are you running a base install of R77.30 or do you have any hot fixes installed as of yet?
I asked a similar question a while back. But, it will scan on http/any port, smtp, and https if you have inspection enabled.
...
I don't think this will work without the probe bypass enabled, which then breaks sites that you didn't need https bypasses for previously :)
We ended up reverting to the non-secure update for yum...
We tried a few evaluations but in the month of using them I don't think we saw any blocks. What feeds are you running that you feel are valuable?
So we are actually using DLP and have actually increased the threshold so anything over 1 SSN and/or 1 CC# triggers an alert. Our reasoning being a legitimate transaction Social Security...
Hi all, I wanted to post this up in case anyone wanted to give it a go. It is a modification of the IP-blacklist.sh script from sk103154 but it takes advantage of the DShield block list without using...
Gotcha. Thanks will do.
We are running Gaia, max connections are set to auto but fw ctl pstat returns it is not enabled.
In this case we do have the aggressive aging signature in use as well in prevent mode. I just referenced the book on pg.255 and it looks like we have the default timers in place on the signature.
Where is the proxy located? If it's behind the gateway and you are using identity awareness you could tag users using X-Forwarded-For.
Winner. So the timeout was set before my time and I wanted a way to safely lower the setting without breaking anything important.
Well, thanks, but it was Google who led me to that awk.. I will take a stab at it and post back.
Hi, I was reviewing some of our configs and it looks like our TCP session timeout has been modified from its default 3600 under global properties and I am not sure why. I want to reduce the...
Sorry it took a bit to get back. That is a copy paste from my management box obviously changing the addresses. And yes directly from the "Run user defined script" box. Are you pushing policy after...
I can't find the SK, but it mentioned that you have to lay out the full path to the script sometimes.. This works for us.
$FWDIR/bin/sendmail -s 'ALERT' -t 1.1.1.1 -f from@from.org to@to.org
...
Do you make use of any browser Ad Blockers? uBlock, NoScript, Ad Block Plus? The domain in question ad.wsod.com is obviously an advertiser. It could be loading in the background and waiting for a...
I think I know what you mean. The initial query from your domain controller is only "Detected" then any subsequent queries should hit your DNS trap. This was explained to me as normal behavior in a...
So I think you are saying it's a security risk that another user can see whoever the last person to login was? Isn't that what you would want? As in some rogue person has connected from an odd IP out...
Thanks, I did open a case and TAC closed it already. Said it was in the hands of engineering.
We too saw the Citrix forums being blocked. Also arstechnica.com would trigger alerts because their forums were using the /civis/ folder. I understand Angler is updating constantly. According to...
Has anyone else noticed a recent uptick in false positives associated with the Angler Exploit Kit IPS protections?
How is your HTTPS bypass set up? Where is the bypass? In destination or category? How did you distribute the certificate generated by your management server? How far down in the HTTPS policy is this...
CLI reference pdf
http://www.roesen.org/files/cp_cli_ref_card.pdf
But more than likely you'll be looking for drops using
fw ctl zdebug drop | grep 1.2.3.4 > /var/log/drop.txt
Also if you are...
I use it by looking at the bottom to see what's new then looking at the same link ShadowPeak posted. To be honest, for as prevalent as Check Point claims to be, there is not much discussion here. Is...
The best first step would be to place all the rules into a detect only mode. Then you could also add individual team members by their full email address to inspect individuals and not your whole...
Is this an in-house developed product or a 3rd party integration?
Thanks for the info, we were hoping for some performance increase and it seems like it's there. The upgrade path is not the best at this point so I think we will wait until R80 is released. Hopefully...
To those who have done the upgrade, was it worth it? We are running standard R77.30 SmartEvent on 225 hardware. Were the performance increases drastic? Just looking to get a feel for how the upgrade...
Yeah it was odd, had to do a dbedit and apply a fix to the gateways.. the URL didn't change much so not really sure what the hold up was.
This is another trialware.. http://www.advancedinstaller.com/download.html
Do you have a centralized collector for this new endpoint server? Also, are you running FDE on your endpoints?
Interesting, I just spun up a new E80.62 server running R77.30.01 after support recommended no longer running them on the same network/endpoint policy server. They recommended a clean break between...
When launching the exe does it extract as an msi to %appdata% or similar folder? I haven't used the utility myself.
Save failure.. is there enough space in the partition? MD5/Hash matches?
For those using the DShield / Malicious IPs protection
Has anyone else run into this with a newer version of Check Point R77.10+?
Updated certificate installed but dynamic object will not...
Hopefully I attached this correctly.
Thanks for that. We are using the Threat Prevention blade in conjunction with IPS, DLP, Anti-Spam, and application control/URL filtering/https. The odd thing about the zero day malware is that it is...
Hi all,
I'm looking to get some clarification on the apparently two different anti-virus options offered by Check Point. Threat Prevention has its own tab and policy to craft what you would like...
I don't use NGSE but, from what I think you're asking, copy whichever event you are looking to get reporting on under the policy tab. For example application activity, modify it by filtering out...
I don't think you can look at the cache, just clear it. We had issues initially with AD as well until we came to the realization that the AD query on the Check Point side does not update any nesting...
In this situation, did you block a URL that someone had previously visited? Perhaps it is cached on the device?
Same goes for CPU if you were interested..
cat /proc/cpuinfo
Indeed, tried logging out/in a few times.
Well, it now works after rebooting the device. Initially I was getting no package could be found errors.. Odd.
Does not seem to work for me..
Doing the install now, installing the Hotfix # 4 to all devices. I see the cloud hotfix naming has changed for the jumbo accumulator though. R77.20 used to be...
Thanks ShadowPeak, I have been using the SmartView Monitor Top Connections but like you said I was hoping to automate or alert that query without success. We will be upgrading to R77.30 shortly so...
We do have a smartevent license but under the queries I couldn't quite figure out the correct combination for generating the alert.
Is there a way to send an alert within SmartView Monitor for top sources, say if a user goes above a certain percentage of usage? I think I have asked this before but did not get a concrete answer....
Thanks for the responses, I will let our admins know.