CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


First, I hope you're all well and staying safe.
Second, I want to give a "heads up" that you should see more activity here shortly, and maybe a few cosmetic changes.
I'll post more details to the "Announcements" forum soon, so be on the lookout. -E


Type: Posts; User: aweldon


  1. Replies
    3
    Views
    4,063

    Re: the grass is not greener on the other side.

    As others in that thread posted, there's a ton of info there on Firepower. Interesting to see so many people saying go to Check Point / Palo Alto / Fortinet
  2. Re: jumbo hot fix acc. on r80.10 on the gateway not showing after installation.

    This article might help:

    https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk120981
  3. Replies
    24
    Views
    16,646

    Re: CPDBL - CP Dynamic block lists

    FYI, looks like the site was just recently updated to https://opendbl.net from https://cpdbl.net - With the domain change users have to update before December 2nd 2019.
  4. Re: supporting multiple auth schema - Active Directory Auth and RSA Auth

    Not sure on the multiple authentication schemes front. Would be interested to know your results.

    For securid, I did some very preliminary testing and found these two resources to be helpful:
    ...
  5. Replies
    2
    Views
    4,257

    Re: User access role not working properly

    Do you have "Assume that only one user is connected per computer" checked? Gateway properties -> Identity Awareness -> Settings
  6. Re: SANS ISC/DShield Block List Not Updating, Check Point Seems To Have Trouble Resol

    I stopped using the Check Point version with Dynamic Objects and instead implemented the CPDBL.net method

    https://www.cpug.org/forums/showthread.php/21709-CPDBL-CP-Dynamic-block-lists
  7. Re: FTP traffic categorized as unknown in URL filtering

    You can submit sites for re-categorization here - https://www.checkpoint.com/urlcat/main.htm
  8. Re: FTP traffic categorized as unknown in URL filtering

    Do you have any more details from the log? Just a guess but maybe that HP site is unclassified within Check Point's URL database and you are blocking the "Unknown Traffic" category in URL Filtering /...
  9. Replies
    2
    Views
    4,338

    Re: Organizing a messy rule base

    Hi, I am by no means an expert, but the way I try to do this:

    Firewall communication rules at the top of the rule base - SSH allows, admin access etc.
    Followed by your highest hit rules - more...
  10. Replies
    6
    Views
    28,666

    Re: SAM rule expiration sorting

    I use SAM rules quite a bit - as others have said with SmartEvent reactions. Also using CPDBL for fw samp.
  11. Re: HTTPS inspection bypass not working as expected

    Yeah, that's a tough one as the only way to bypass a self-signed cert (Carbon Black, whoever) in R77.30 is to create an HTTPS bypass like you did for #2. But then you need support for dynamic objects...
  12. Replies
    2
    Views
    3,973

    Re: CPUSE force install?

    Can you edit the registry to remove it from the installer check?
  13. Replies
    9
    Views
    18,963

    Re: Check Point Gaia OS Privilege Escalation

    Yeah, I only found it while browsing the Tenable site for an unrelated issue.
  14. Replies
    9
    Views
    18,963

    Check Point Gaia OS Privilege Escalation

    Info available here:

    https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk123197

    https://www.tenable.com/security/research/tra-2018-04
  15. Replies
    26
    Views
    18,894

    Re: URL filtering, is this a joke?

    Yeah, I see what you mean with multi-line and carets. Don't think I'll be using them anyway - stick to what's working.
  16. Replies
    26
    Views
    18,894

    Re: URL filtering, is this a joke?

    Why would you need multi line mode for a single URL?
  17. Replies
    26
    Views
    18,894

    Re: URL filtering, is this a joke?

    The caret just represents the beginning of the line.

    https://regexr.com/3lgj0

    So yes you will need multiple entries for a single site. Regex and non-regex.
  18. Replies
    4
    Views
    4,907

    Re: fw samp blocking Reconn attacks - How to?

    Perhaps something like this:

    https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk74520

    Or something dynamic:

    https://cpdbl.net/
  19. Replies
    26
    Views
    18,894

    Re: URL filtering, is this a joke?

    So, what I usually do, is we have a bypass custom category defined as regex - meaning box checked and a secondary custom with the box not checked (non regular expression) defined in a bypass rule....
  20. Replies
    26
    Views
    18,894

    Re: URL filtering, is this a joke?

    Most of the documentation surrounding their regex and what works and what doesn't work is frustrating. Two articles will say two different things. Ultimately it is usually a combo of a regex and...
  21. Replies
    6
    Views
    3,366

    Re: Youtube blocking certain channels?

    Maybe through some complex regex?

    (youtu\.be\/|youtube\.com\/(watch\?(.*&)?v=|(embed|v)\/))dQw4w9WgXcQ
  22. Re: Vendor Used By Check Point For A/V Engine and Definitions

    And just to follow up... is sk118539 stating that you are only using the Kaspersky engine if you are doing "Deep Scanning" which impacts performance anywhere you turn it on? Are people running this...
  23. Re: Vendor Used By Check Point For A/V Engine and Definitions

    Check Point also uses the Cyren/CommTouch engine.
  24. Replies
    2
    Views
    5,492

    Re: IA is getting 3rd antivirus user

    Couldn't you just exclude this service account from IA?
  25. Re: https inspection both on proxy and check point

    I'll echo what Ed said. Lots of sites need to be bypassed in order to function. Check Point's bypass is interesting in that it will always inspect the first packet regardless of bypass then...
  26. Re: Getting error while exporting package from R77.30.03

    Did you check out sk110539?
  27. Replies
    3
    Views
    4,374

    Re: Script for Scheduled Migrate Export

    And to add some more examples:

    https://www.cpug.org/forums/showthread.php/19855-Schedule-migrate-export
  28. Thread: CPX 2017

    by aweldon
    Replies
    8
    Views
    13,361

    Re: CPX 2017

    I liked the breakout sessions the last time I attended. Also, if you were interested in any complementary products (AlgoSec, Tufin, etc.), the vendors are usually on site hawking their wares and it's a...
  29. Replies
    15
    Views
    27,226

    Re: Check Point vs Fortinet pro's and con's.

    Bumping this up from the dead. Did you ever make a decision to stick with Check Point or go with Fortinet? If you made the switch how is it working out for you?
  30. Replies
    2
    Views
    4,214

    Re: Export IPS Logging settings

    Thanks for the suggestion. Just exported the file and extracted it. I went looking for two protections that I know are set up to send an email (user defined) but, once locating them in the file there...
  31. Replies
    2
    Views
    4,214

    Export IPS Logging settings

    Hi all, just wondering if anyone knows of a way to do a bulk export of the Logging Settings - Log, Alert, User Defined etc. all at once with an IPS export. We have user defined actions in our Logs...
  32. Thread: CPX 2017

    by aweldon
    Replies
    8
    Views
    13,361

    CPX 2017

    I just saw the announcement for CPX 2017 in Las Vegas. Does anyone plan to attend?

    https://www.checkpoint.com/cpx/usa
  33. Replies
    4
    Views
    3,019

    Re: R77.30 with JHFA 216

    Still on 205 with a custom hotfix on top. And probably not as complex of a setup.
  34. Replies
    24
    Views
    16,646

    Re: CPDBL - CP Dynamic block lists

    I am running it in production on one cluster. So far so good. No impact to CPU/Memory. Running Talos, ETKnown, DShield, BruteforceBlocker. No VSX though.
  35. Replies
    7
    Views
    6,479

    Re: how to download blocked file by Anti-Virus

    So if you know the file name that means Check Point is logging the block correct? You can just input the URL to VirusTotal or Hybrid Analysis and it will pull the pdf to be scanned. (No downloading...
  36. Replies
    24
    Views
    16,646

    Re: CPDBL - CP Dynamic block lists

    It's ok. Mine is obsolete now :)
  37. Replies
    10
    Views
    4,286

    Re: documenting security policies

    Adobe PDF! (you said not office)
  38. Replies
    24
    Views
    16,646

    Re: CPDBL - CP Dynamic block lists

    I used awk, not sure if this would help you out?

    function convert {
    while read line; do
    awk '/^[0-9]/ { printf "add -a d -l r -t 3600 -c dshield_blocklist quota service any source range:%s/%s...
  39. Replies
    24
    Views
    16,646

    Re: CPDBL - CP Dynamic block lists

    Nice job. I see you included the script for DShield but I do not see an option to enable it. Any reason for that?
  40. Re: Association is Found but App/URL Filtering is not working

    One thing to keep in mind is that IA does not keep up with AD user group changes or OU renames or any AD edits really. So if you created an IA group for the capsule portion somewhat recently it may...
  41. Replies
    13
    Views
    18,289

    Re: CPUG MERGE event updates

    I attended via the web. Some technical difficulties but that was to be expected. I thought it was interesting.
  42. Replies
    4
    Views
    5,763

    Re: www.cpug.org cert expired!

    Expired again FYI!
  43. Replies
    8
    Views
    31,427

    Re: SmartView Monitor email alerts

    You can try this also, $FWDIR/bin/sendmail -s 'subject' -t 1.2.3.4 -f from@from.com to@to.com
  44. Thread: How to Install

    by aweldon
    Replies
    3
    Views
    5,288

    Re: How to Install

    I guess that depends on the features you are trying to make use of with endpoint security. Which features you want to use determine the type of server you will need. (at least that's my...
  45. Replies
    13
    Views
    18,289

    Re: CPUG event(s)!!!

    Just FYI it would be Wednesday November 30th!
  46. Replies
    4
    Views
    5,852

    Re: AV Blade vs. Traditional AV

    Interesting, thanks for the update on that.
  47. Re: Exporting Application Control Rules in HTML/XLS/CSV File

    Not native, but I know AlgoSec does this.
  48. Re: Which hotfix should I install on my provider-1 system

    Well, from your other threads, if you're after stability take 159 is the way to go. 172, 174, and 178 were all "recalled for additional testing"
  49. Re: What is the different between static and hide mode?

    1160
  50. Re: HTTPS Inspection with Google Chrome Omnibox Issue

    Not sure if you are having the same issue as me but in a similar occurrence when searching from the omnibox Chrome uses UDP 443 / QUIC protocol. I have heard that by default if you block UDP 443...
  51. Replies
    21
    Views
    10,695

    Re: HTTPS Inspection - Real world experience

    Bumping this up from the dead, PhoneBoy it has been a few months now just wondering if QUIC inspection is on Check Point's radar as of yet?
  52. Replies
    17
    Views
    11,691

    Re: Session Matching failing after R77.30 upgrade

    Are you running a base install of R77.30 or do you have any hot fixes installed as of yet?
  53. Replies
    4
    Views
    5,852

    Re: AV Blade vs. Traditional AV

    I asked a similar question a while back. But, it will scan on http/any port, smtp, and https if you have inspection enabled.
    ...
  54. Replies
    1
    Views
    2,662

    Re: HTTPS Bypass - RedHat Yum updates failing

    I don't think this will work without the probe bypass enabled, which then breaks sites that you didn't need https bypasses for previously :)

    We ended up reverting to the non-secure update for yum...
  55. Replies
    3
    Views
    4,886

    Re: threatcloud intellistore

    We tried a few evaluations but in the month of using them I don't think we saw any blocks. What feeds are you running that you feel are valuable?
  56. Replies
    3
    Views
    6,732

    Re: blade:DLP AND "SSN - without Delimiters"

    So we are actually using DLP and have actually increased the threshold so anything over 1 SSN and or 1 CC# triggers an alert. Our reasoning being a legitimate transaction Social Security...
  57. Replies
    1
    Views
    3,518

    DShield through fw samp batch script

    Hi all, I wanted to post this up in case anyone wanted to give it a go. It is a modification of the IP-blacklist.sh script from sk103154 but it takes advantage of the DShield block list without using...
  58. Replies
    16
    Views
    16,189

    Re: TCP session timeout

    Gotcha. Thanks will do.
  59. Replies
    16
    Views
    16,189

    Re: TCP session timeout

    We are running Gaia, max connections are set to auto but fw ctl pstat returns it is not enabled.
  60. Replies
    16
    Views
    16,189

    Re: TCP session timeout

    In this case we do have the aggressive aging signature in use as well in prevent mode. I just referenced the book on pg.255 and it looks like we have the default timers in place on the signature.
  61. Replies
    4
    Views
    5,983

    Re: How does AntoBot work with a proxy?

    Where is the proxy located? If it's behind the gateway and you are using identity awareness you could tag users using X-Forwarded-For.
  62. Replies
    16
    Views
    16,189

    Re: TCP session timeout

    Winner. So the timeout was set before my time and I wanted a way to safely lower the setting without breaking anything important.
  63. Replies
    16
    Views
    16,189

    Re: TCP session timeout

    Well thanks but it was Google who led me to that awk.. I will take a stab at it and post back.
  64. Replies
    16
    Views
    16,189

    TCP session timeout

    Hi, I was reviewing some of our configs and it looks like our TCP session timeout has been modified from its default 3600 under global properties and I am not sure why. I want to reduce the...
  65. Replies
    4
    Views
    5,199

    Re: How to set userdefined alerts

    Sorry it took a bit to get back. That is a copy paste from my management box obviously changing the addresses. And yes directly from the "Run user defined script" box. Are you pushing policy after...
  66. Replies
    4
    Views
    5,199

    Re: How to set userdefined alerts

    I can't find the SK but it mentioned that you have to lay out the full path to the script sometimes.. This works for us.

    $FWDIR/bin/sendmail -s 'ALERT' -t 1.1.1.1 -f from@from.org to@to.org
    ...
  67. Replies
    4
    Views
    3,575

    Re: Content of website not shown

    Do you make use of any browser Ad Blockers? UBlock, NoScript, Ad Block Plus? The domain in question ad.wsod.com is obviously an advertiser. It could be loading in the background and waiting for a...
  68. Replies
    7
    Views
    21,120

    Re: DNS query for a C&C site

    I think I know what you mean. The initial query from your domain controller is only "Detected" then any subsequent queries should hit your DNS trap. This was explained to me as normal behavior in a...
  69. Re: Unconventional behavior of "last login from " message

    So I think you are saying it's a security risk that another user can see whoever the last person to login was? Isn't that what you would want? As in some rogue person has connected from an odd IP out...
  70. Replies
    6
    Views
    4,235

    Re: Angler Exploit Kit false positives

    Thanks, I did open a case and TAC closed it already. Said it was in the hands of engineering.
  71. Replies
    6
    Views
    4,235

    Re: Angler Exploit Kit false positives

    We too saw the Citrix forums being blocked. Also arstechnica.com would trigger alerts because their forums were using the /civis/ folder. I understand Angler is updating constantly. According to...
  72. Replies
    6
    Views
    4,235

    Angler Exploit Kit false positives

    Has anyone else noticed a recent uptick in false positives associated with the Angler Exploit Kit IPS protections?
  73. Replies
    2
    Views
    2,816

    Re: HTTPS Inspection and iCloud

    How is your HTTPS bypass setup? Where is the bypass? In destination or category? How did you distribute the certificate generated by your management server? How far down in the HTTPS policy is this...
  74. Replies
    7
    Views
    5,048

    Re: Debugging commands

    CLI reference pdf
    http://www.roesen.org/files/cp_cli_ref_card.pdf

    But more than likely you'll be looking for drops using
    fw ctl zdebug drop | grep 1.2.3.4 > /var/log/drop.txt

    Also if you are...
  75. Replies
    9
    Views
    7,334

    Re: How do you use this site?

    I use it by looking at the bottom to see what's new then looking at the same link ShadowPeak posted. To be honest for as prevalent as Check Point claims to be there is not much discussion here. Is...
  76. Replies
    3
    Views
    2,465

    Re: Data Loss Prevention

    The best first step would be to place all the rules into a detect only mode. Then you could also add individual team members by their full email address to inspect individuals and not your whole...
  77. Replies
    13
    Views
    11,686

    Re: SandBlast Agent Now Available

    Is this an in-house developed product or a 3rd party integration?
  78. Replies
    5
    Views
    5,700

    Re: Upgrading to NGSE

    Thanks for the info, we were hoping for some performance increase and it seems like it's there. The upgrade path is not the best at this point so I think we will wait until R80 is released. Hopefully...
  79. Replies
    5
    Views
    5,700

    Upgrading to NGSE

    To those who have done the upgrade, was it worth it? We are running standard R77.30 SmartEvent on 225 hardware. Were the performance increases drastic? Just looking to get a feel for how the upgrade...
  80. Replies
    2
    Views
    2,637

    Re: DShield update not working

    Yeah it was odd, had to do a dbedit and apply a fix to the gateways.. the URL didn't change much so not really sure what the hold up was.
  81. Replies
    6
    Views
    9,615

    Re: Reconnect Utility as an msi?

    This is another trialware.. http://www.advancedinstaller.com/download.html

    Do you have a centralized collector for this new endpoint server? Also, are you running FDE on your endpoints?
  82. Replies
    6
    Views
    9,615

    Re: Reconnect Utility as an msi?

    Interesting, I just spun up a new E80.62 server running R77.30.01 after support recommended no longer running them on the same network/endpoint policy server. They recommended a clean break between...
  83. Replies
    6
    Views
    9,615

    Re: Reconnect Utility as an msi?

    When launching the exe does it extract as an msi to %appdata% or similar folder? I haven't used the utility myself.
  84. Replies
    5
    Views
    5,734

    Re: E80.62 has one package failure

    Save failure.. is there enough space in the partition? MD5/Hash matches?
  85. Replies
    2
    Views
    2,637

    DShield update not working

    For those using the DShield / Malicious IPs protection

    Has anyone else run into this with a newer version of Check Point R77.10+?

    Updated certificate installed but dynamic object will not...
  86. Replies
    5
    Views
    6,053

    Re: Threat Prevention and Traditional Anti-Virus

    Hopefully I attached this correctly.
    1025
  87. Replies
    5
    Views
    6,053

    Re: Threat Prevention and Traditional Anti-Virus

    Thanks for that. We are using the Threat Prevention blade in conjunction with IPS, DLP, Anti-Spam, and application control/URL filtering/https. The odd thing about the zero day malware is that it is...
  88. Replies
    5
    Views
    6,053

    Threat Prevention and Traditional Anti-Virus

    Hi all,

    I'm looking to get some clarification on the apparently two different anti-virus options offered by Check Point. Threat Prevention has its own tab and policy to craft what you would like...
  89. Replies
    1
    Views
    3,424

    Re: NGSE - Filtering out Events

    I don't use NGSE but, from what I think you're asking, copy whichever event you are looking to get reporting on under the policy tab. For example application activity, modify it by filtering out...
  90. Replies
    7
    Views
    4,302

    Re: Application control doubts and queries

    I don't think you can look at the cache, just clear it. We had issues initially with AD as well until we came to the realization that the AD query on the Check Point side does not update any nesting...
  91. Replies
    7
    Views
    4,302

    Re: Application control doubts and queries

    In this situation, did you block a URL that someone had previously visited? Perhaps it is cached on the device?
  92. Re: How can I confirm the memory on a 4800, 12400 or 3150

    Same goes for CPU if you were interested..

    cat /proc/cpuinfo
  93. Replies
    17
    Views
    12,242

    Re: R77.30 Upgrade advice

    Indeed, tried logging out/in a few times.
  94. Replies
    17
    Views
    12,242

    Re: R77.30 Upgrade advice

    Well, it now works after rebooting the device. Initially I was getting no package could be found errors.. Odd.
  95. Replies
    17
    Views
    12,242

    Re: R77.30 Upgrade advice

    Does not seem to work for me..
  96. Replies
    17
    Views
    12,242

    Re: R77.30 Upgrade advice

    Doing the install now, installing the Hotfix # 4 to all devices. I see the cloud hotfix naming has changed for the jumbo accumulator though. R77.20 used to be...
  97. Replies
    5
    Views
    6,078

    Re: Top sources alerting?

    Thanks ShadowPeak, I have been using the SmartView Monitor Top Connections but like you said I was hoping to automate or alert that query without success. We will be upgrading to R77.30 shortly so...
  98. Replies
    5
    Views
    6,078

    Re: Top sources alerting?

    We do have a smartevent license but under the queries I couldn't quite figure out the correct combination for generating the alert.
  99. Replies
    5
    Views
    6,078

    Top sources alerting?

    Is there a way to send an alert within SmartView Monitor for top sources, say if a user goes above a certain percentage of usage? I think I have asked this before but did not get a concrete answer....
  100. Replies
    3
    Views
    5,284

    Re: DLP Exchange Agent Impact?

    Thanks for the responses, I will let our admins know.
Results 1 to 100 of 183