CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.




Type: Posts; User: mcnallym


  1. Re: SMTP Relay Security Risks

    Never seen any such, it is quite basic although uses Postfix as the MTA that is in the background. The purpose of the MTA on the Check Point is to allow the other Blades to do inspection, ie...
  2. Re: Promoting Secondary Management Server to be Primary

    You have understood correctly.

    In Management HA environment then the Gateways should be licensed to the IP of the Primary SmartCentre.

    If you promote the Secondary to become Primary then you...
  3. Re: Central licensing, vsec, scale sets

    EVAL Licenses have to be manually attached to VSEC gateways the same as if an Appliance or OpenServer they do not work with the vsec_central_license tool.

    You license the VSEC license to the IP...
  4. Re: License not entitled to receive updates from Check Point download center

    CPUSE is done at the License level so if the License on the Box in question is Support Expired then won't get CPUSE updates.

    Now if you install the NEW License on the Management Server, removed...
  5. Re: Hotfix for R80.20M1

    That is my understanding as well.

    The Management Feature Releases will be released then would be R80.20M2 would be the Patched version for R80.20M1.

    When they announced the Management Releases...
  6. Re: High cpu - monitord process

    It is supposed to be fixed in R80.10 so if deleting it isn't resolving then need to log a TAC Case.
  7. Re: BGP routing in cluster


    Is BGP on Gaia

    Explicitly in there

  8. Re: capture traffic on outbound

    If you do an fw monitor then will show the Interfaces involved

    you can also run the command in clish

    show route destination w.x.y.z

    This will show the next hop that would be used for that...
  9. Re: capture traffic on outbound

    Is this a Server being accessed from the Internet, in which case use something like this

    fw monitor -e "accept((dst=server_natted_ip or dst=server_ip) or (src=server_natted_ip or src=server_ip));"...
  10. Re: Management interface on webui Gaia

    The interface labelled Mgmt on the Appliance has no significance beyond being the MAC Address that the User Centre recognises the Interface as. Sync Interface as well is NOT a dedicated Interface...
  11. Re: Problem running Log Exporter

    Not sure if missing something but reading your opening post then refers to

    installer import

    This simply imports the Package into CPUSE and is saying that package exists

    installer install
  12. Re: Web Server Error

    Have always avoided Load Sharing so I don't really have any exposure to it beyond when being on Training Course.

    Other than suggesting tweaking the SDF trying the different options then cannot...
  13. Re: Web Server Error

    If reading this correctly then if only one of the boxes is actually processing traffic then this works.

    What I would suspect is happening here is that the connection potentially been handled...
  14. Re: NAT assistance

    I don't think is that on the same subnet that is an issue

    Looking at what you seeing then is always the first one that works.

    What happens if try

    Linux Client to
  15. Re: Numbered VTI in cluster

    When I configure VTI then to be honest always using 169.254.x.x addresses. Is used as unique to the local box and won't overlap with actual networks.

    What have is each member gets its own IP...
  16. Re: Numbered Interface - VTI

    When using Numbered IP VTI then only relevant locally on the box and its VPN Peer.

    Normally people seem to use 169.254.x.x IP addresses, using consecutive IP so for instance for...
  17. Re: Checkpoint Provider-1 and Proxy server configuration

    On the Check Point Object in SmartConsole then if expand the + for the Topology there is a sub section for Proxy

    Has two options

    First which is the Default which is

    use default proxy...
  18. Re: MDS R77.30 restore. Some unexpected things.

    When you do the mds_backup then along with the backup then also places the gtar files etc that need to use along with the backup file to restore.

    Is important that use those gtar from where the...
  19. Re: Intervlan Routing configuration on checkpoint

    When you do a tcpdump on the eth1.20 or eth1.30 sub-interfaces do you see the traffic arriving.

    I am presuming here that defined the interfaces in Gaia OS, then updated the Topology with those...
  20. Re: Can we have R77 MDS and gateway running on R80

    No you cannot

    Generally speaking your Management should be on the same or later version than your gateway.

    There may be some exceptions, for instance you can manage R80.20 gateways from an...
  21. Re: How to add a firewall in mds ?

    Same steps as if a SmartCentre.
  22. Re: Sandblast appliance as firewall

    Is a specialist Appliance with specialist license.

    Is the same ISO these days as the regular appliance, so my personal thought would be NO, just use as a private on-premise...
  23. Re: Struggling with Identity Awareness : Auth on domain X, fetch group on domain Y

    Possibly this may be a language/choice of words thing however Check Point Identity Awareness won't look at Groups in AD.

    What Identity Awareness is doing is reading AD Server Logs so that as a...
  24. Re: Checkpoint 3 tier Architecture

    Management Server
    Gateway / Enforcement Point

    Are your 3 tiers
  25. Thread: SIC questions

    by mcnallym

    Re: SIC questions

    On the MDS then check the same way. Look at the Cluster and then the Members.
  26. Re: How to rollback in checkpoint

    Really depends upon what trying to rollback from.

    For instance if simply a Jumbo HFA installation then can simply restore to a snapshot image taken before applying the hfa.
  27. Re: VRRP works on which checkpoint version

    The only time that found VRRP better than ClusterXL is down to the Network Environment and the difference between how the two work.

    VRRP uses a Virtual MAC address for the HA IP address, which...
  28. Re: The problem with the access

    Last Time I saw this was a few years ago where the ICA Cert had actually expired hence why couldn't connect.

    Ended up having to escalate to Check Point TAC to resolve the issue, and I know that...
  29. Re: First time configuration wizard hanged up

    What 77.30 iso did you use to build this and what machine is this as depending upon what is then may need specific R77.30 build.
  30. Re: Export https inspection certificates off the firewall

    In SmartConsole then under the Application Control & URL Filtering / Advanced / HTTPS Inspection / Gateways then at the bottom then lists the Self Generated CA Certificate that would be generated.
  31. Re: 23500 - expansion cards are not visible .

    I have had some fun with 23500/23800 chassis and cards. Really need to make sure that inserted properly.

    Couple of times thought card was bad, but had to reseat the card. Does seem a little...
  32. Re: Change Mgmt interface on appliance

    From your update then the Mgmt Interface not in the Topology so the Check Point Firewall won't know about it, only the Gaia OS will, and will get dropped at the Firewall.

    Mgmt is simply the label...
  33. Re: Redundant Domain-Based Site2Site IPSEC tunnel

    Real Easy

    FW-B has two Internet Connections so presumably has ISP Redundancy configured so can use both lines.

    Use VPN Link Selection and configure to

    Use Probing. Link redundancy mode
  34. Re: Installing R77.30_T204

  35. Re: Checkpoint RAS solutions

    Standalone IPSEC VPN Client

    Endpoint Security VPN ( SecureClient ) - Requires IPSEC VPN Blade, also requires Endpoint VPN License - Provides Office Mode and Desktop Policy from VPN Gateway...
  36. Re: Dedicated Management Port and Firewall Rules

    Sadly quite a few people get caught up with Check Point's naming of some Interfaces.

    Is the same with the larger boxes with the Synch Interface as well. Again that is simply a label and is equal...
  37. Re: Simultaneous SSLVPN & IPSEC VPN

    Short Answer is that if a Check Point has a Site to Site VPN with an IP then it cannot establish a Remote Access from it.

    Basic idea is that if have a Site to Site then why not just use that.
  38. Re: Security Management Server migration

    Leave the existing licenses on the Gateways initially.
    Get the licenses re-iped to the new SMS IP address and get then attach those updated licenses onto the gateways. Don't detach the old SMS IP...
  39. Re: Saving a U-5 UTM

    IF you have the Gateway connected to a Management Server then can use this
  40. Re: Clean up rule in Application Control & Url filtering layer

    1.) ALL Traffic that gets passed by the Firewall Blade will get handed off to the Application Control/URL Filtering, not just HTTP/HTTPS in R77.30. With R80.10 then if kept the AppCtrl/URL as an...
  41. Re: Domain based VPN and VTI

    Can you elaborate further as to the question as not quite sure what asking.
  42. Re: Domain based VPN and VTI

    Yes you can

    Define YOUR Gateway with an Encryption Domain ( so can do Domain Based VPN )
    Define 1st Remote Gateway with an Encryption Domain ( so can do Domain Based VPN )
    Define 2nd Remote...
  43. Re: Hotfix and Migration tool

    First thing you need to do is make sure that your Deployment Agent is the current one.
  44. Re: Show routing table on Domain Based VPNs

    If there is then I have never found any documentation about it.
  45. Re: Migrate R77.30 Open Server to new appliance 5100

    Ok then first thing that would do is migrate the Management to R80.10, Use the Migration Tools to clean build an R80.10 then import the exported R80.10 config from the R77.30.

    Make sure get the...
  46. Re: Migrate R77.30 Open Server to new appliance 5100

    Are you looking to go from two clusters to two single boxes or two clusters based on 5100 Appliances?
  47. Re: have you ever seen this and how do you go about solving it?

    Have only seen something similar where the Search / Query Network Objects then use the Unused Objects in the refined filter says some object unused and when you do a right click where used on an...
  48. Re: Mobile Access Config Help Please

    SCV would be what would be used and would look to check that your machine is domain joined

    : (RegMonitor
    :type (plugin)
    :parameters (
  49. Re: Enforce source IP address change for Gaia 80.10

    The issue here will be that your NAT is being done upstream at the ISP.

    The Network is used to link the Check Point to the ISP.

    The ISP has NAT configured to NAT traffic...
  50. Re: vpn site to site full tunnel mode

    Star community

    Branches as satellite

    Under vpn routing go option 3 allowing satellites to vpn to each other and internet.

    Make sure that nay the satellite office networks when going to the...
  51. Re: spoofing question.....

    External in Topology is simply saying that this is where IP addresses that not specified on another interface will be permitted as source

    As the MPLS Traffic not specified on another interface...
  52. Re: Site2Site between 2 Cisco ASA

    What you need to do at the Check Point side is

    1.) Make sure is a Single Star Community that has the Cisco as Satellites
    2.) Set the VPN Routing in the Community so that Satellites can...
  53. Re: Can a Checkpoint R77.30 gateway enforce user authentication to a web server via R

    If this is all internal then what you want is to use Client Authentication.

    Requires that users HTTP or Telnet on 259 to the Gateway and Authenticate before they can pass through the rule ie
  54. Re: Smart Console error "Unable to get idle-time workstation locking policy"

    Might want to check if any group policy changes made on the Windows Side preventing SmartConsole locking the Machine if SmartConsole been idle.

    In Check Point is found under

    Global Properties...
  55. Re: Does Backup Job need inbound udp68 for Checkpoints?

    Would suggest a look at sk117433


    From that SK...
  56. Re: Management HA/Migrate Export and SIC Mess!

    What did you migrate import into the PRI.

    Reading this then is almost as if migrate imported the config from the SEC unit.

    If you have a backup of the PRI does it not contain the Check Point...
  57. Re: site to site vpn

    Key thing to make sure is that in connecting with a Non-Check Point gateway that the Phase 2 negotiations are correct in terms of what the Meraki is expecting.

    ie that the Check Point doesn't...
  58. Re: Centrally managed remote cluster + VPN site to site

    OK your issue is that your Management Server sits inside the Firewall that has the VPN to the 14x0 Cluster. Check Point always adds the Gateway IP into the VPN

    As such when you push the VPN out...
  59. Re: Two factor authentication for Gaia portal and GUI client login

    For Gaia Portal/CLISH then your RSA would need to be via RADIUS connection.

    You can use RSA SecurID for SmartDashboard. Simply define the Admin Account and set the Authentication to SecurID.
  60. Re: How to update waagent in Checkpoint Azure

    A search in the knowledgebase turns up nothing.

    What is it that wanting to update the Agent for?

    Searching throws up about trying to use the Azure Backup utility and not having the latest agent...
  61. Re: Natting behind different ISPs

    You would need to remove the ISP Redundancy Configuration and create Policy Based Routing configuration to route the traffic from the various IP out of an ISP line.

    Cannot do PBR and ISP...
  62. Re: upgrade to GAIA 80.10 "command not found"

    You should be using the migrate command.

    The upgrade_export upgrade_import commands were replaced by the migrate command instead.


    ./migrate import

    would be the command that would use...
  63. Re: Enabiling Https inspection

    Installing the CA Cert into the Clients Trusted Store simply tells the machines that the CA is a Trusted CA Authority. This means that when the client makes a connection to a real website and gets...
  64. Re: Enabiling Https inspection

    Without HTTPS Inspection then may find that some apps on HTTPS are not identified properly. Office 365 SK articles on Check Point specifically state that for Office365 Apps to work correctly then...
  65. Mobile Access Reverse Proxy - Anyone used yet

    Is there anyone out there that has used the Check Point Mobile Access Reverse Proxy in the real world yet.

    If so how have they found it.
  66. Re: Configure different public IP for Remote Access (S2S already present)

    Even easier then as the work is done at your end rather than the far end.

    1.) Configure the NAT ( define a node object with the Cluster IP and accept the warning message ) so that when connecting...
  67. Re: Configure different public IP for Remote Access (S2S already present)

    If I understand what is happening is that you were able to Remote Access into YOUR gateway from a Customers location.

    You have now configured a Site 2 Site VPN with the Customer from the Gateway...
  68. Re: Intel CPU kernel bug FAQ: Fix for massive security flaw could slow down PCs and M

    Would put down to poor English ( anyone that done the exams will know where coming from! )

    I would suspect that as this a HARDWARE CPU vulnerability as opposed to a straight OS level that...
  69. Re: VPN with 3rd party ASA

    Sounds like you are NATting the Traffic behind the Gateway as it goes out through the Check Point. That will cause the 3rd Party to simply see the External IP of the Gateway.

    Your Encryption...
  70. Thread: FW and Proxy

    by mcnallym

    Re: FW and Proxy

    Nearest there is for X-Forward-For header support which is there if have additional software blades such as AppCtrl/URL etc enabled. ( if you have them then the only reason for Proxy Server is...
  71. Re: Separate EPM Server - How to?

    Separate System so no need to create anything on the Firewall Management Server.
  72. Re: Separate EPM Server - How to?

    Install as a Primary

    Will then want to add the Endpoint Addons ie R77.30.03 etc

    Will define itself on the Primary as Host
    Endpoint Licenses attached to the Endpoint Server IP. VPN Licenses...
  73. Re: Question regarding 'host access' during provisioning

    Personally tend to leave the Host Access settings alone on the Unit but set the Access to be via the Firewall Policy instead. Whilst building them then am not on the correct subnet for what would be...
  74. Re: wiered r80.10 error when pushing policy

    What does cplic print show on the gateway

    Would suggest that detach and reattach the license using SmartUpdate

    Have seen similar behaviour previously with R7x software as well, and just...
  75. Re: Gateway as a Proxy - NAT Hiding Address Selection

    When using the Proxy then you make a connection to the Gateway, the gateway then makes a new connection from itself to the end destination on the Internet.

    As such the traffic won't match rules...
  76. Re: Need decrypt utility for FDE

    If the machine is in contact with the Endpoint Server then in the Deployment simply ensure that the Deployment Rule that applies to your machine doesn't install the FDE Blade.

    When the machine...
  77. Re: Compatibility SecuRemote E80.62 and Gateway+MDS R80.10


    Is the Software Support Policy

    E80.62 support till Dec 2019. Is classed under Endpoint Security

  78. Re: Check Point 4800 on either end of 1gb FIOS. VPN Throughput question

    Really depends upon what has been selling previously. SMB kit comes with the license pre-installed so wouldn't need to transfer the license. When you reset the device then it already has the...
  79. Re: Check Point 4800 on either end of 1gb FIOS. VPN Throughput question

    When Check Point sells the Appliance it comes with a License. The license is placed in the UserCentre Account of the Buyer.
    If they then resell the Appliance then the License should be transferred...
  80. Re: Check Point 4800 on either end of 1gb FIOS. VPN Throughput question

    You would need the license, however licenses are allocated/fixed with Appliances. So if you do buy a used 4800 make sure that you also get the UserCentre license moved across to a User Centre...
  81. Re: R77.30 Upgrade to R80.10

    Would suggest that you build a NEW VM with R80.10, with the specs that you want moving forward, use the same IP and Hostname as existing unit and keep offline, ie stick on a dummy network so doesn't...
  82. Re: R80 Appliance support

    IP Appliances go End of Life as in no more support 31st December 2018, so you want to be planning on replacement of any remaining IP Appliances. Purchasing etc always takes time so you really don't...
  83. Re: Deploying IPS blade in Prevent mode


    Is a pretty good starting point.

  84. Re: Checkpoint firewall can't reach tacacs servers-> logs show allowed

    Presuming that the firewall is a Gaia OS Firewall then can simply SSH into the unit and run the command

    show route

    This will then display the routing table of the Firewall.

    May well need to...
  85. Re: How to use LOM interface on CP 12600



    If on R77.10 or newer

    Failing that use the ipmitool which is listed more in that SK.
  86. Re: Centrally managed 1490 - seriously screwed up control connections and VPN traffic

    What you want to do is use the crypt.def to exclude encrypting traffic to the External IP of the 1490 so that the Local Gateway doesn't recognise that the External IP is part of the VPN.

    When you...
  87. Re: "ERR_CONNECTION_REFUSED" error is displayed in web browser when connecting to Gai

    There are a number of things that this could be

    sk118801 goes through 5 possible scenarios and how can troubleshoot those 5 scenarios

    What was the last thing that was done on the unit before...
  88. Re: Cant reach resorses via static IPsec over remote VPN

    Does the SMB Code allow VPN Routing, as in Pass Traffic between VPN Tunnels.

    I know that on regular gateways that can enable Hub Mode which allows Remote Access Clients to route traffic through...
  89. Re: Upgrade from R77.30 JHFA 216 to R80.10 not working

    Pretty sure that a CPUSE Upgrade is an inplace upgrade.
  90. Re: File Shares not working when SMB1 on Windows Server is disabled/uninstalled

    Might be worth checking sk112202 on the Check Point site.

    File Shares using SMBv3 cannot be accessed using the Mobile Access Blade File Share application

    •Mobile Access File Share fails to...
  91. Re: Why CheckPoint is sending Proxy ID to Cisco

    Always find pretty easy as well.

    Agree on what using for the P1 and P2 settings in terms of encryption, ie AES-256/SHA1 etc DH Group to use, PFS or not. Agree the subnets used for P2, edit the...
  92. Re: Why CheckPoint is sending Proxy ID to Cisco

    Going to make an educated guess that the Community is set to be 1 VPN Tunnel per Gateway pair, or possibly under VPN advanced on the Gateway then is set to Custom Settings and then One VPN tunnel per...
  93. Re: Is there a way to shutdown all interfaces on one VSX?

    I presume you are looking to shutdown the interfaces for a VS in one go as opposed to simply shutting down individually.

    Not aware of a command to shutdown ALL the interfaces in a VS in one go,...
  94. Re: IPS Profile and SmartEvent

    Regarding Port and Host Scan

    Taken from the Notes of the protections.

    Port Scan Protections can be set to Detect; they cannot be set to Prevent. The nature of this attack is to misuse...
  95. Re: VPN S2S CheckPoint x Aker

    https://supportcenter.checkpoint.com/supportcenter/portal?action=portlets.SearchResultMainAction&eventSubmit_doGoviewsolutiondetails=&solutionid=sk108600#Scenario 4

    Possibly Scenario 4 in sk108600...
  96. Re: Microsoft Azure acting as C&C?

    Colleagues seen some of this based on protection name

    There was some investigation work done which indicated that likely a false positive.

    Was reported to Check Point and waiting on...
  97. Re: can't perform mds_restore in a DEV environment from a mds_backup of a Production


    Is the only thing that found for testing...
  98. Re: random issues with identifying users

    All Identified Users is basically anyone that been identified. Would use where basically you only want identified users to be able to match. There are genuine cases where would use.

    Is the...
  99. Re: checkpoint policy error

    No you will need to upgrade the license as in purchase from the HA to a Full License.

    Typically a HA License is discounted ( 20% seems to be a figure that springs to mind ) compared to a full...
  100. Thread: ipvanish vpn

    by mcnallym

    Re: ipvanish vpn

    Wrong Type of VPN.

    IPVanish are not VPNs as in Site to Site but more Client to Site in that you need to use a Username and Password with the IPVanish Service. Check Point's Site to Site VPN...
Results 1 to 100 of 500