CPUG: The Check Point User Group
Resources for the Check Point Community, by the Check Point Community.
Type: Posts; User: PhoneBoy
Nice to see you're still working on this :)
There is still some "legacy" CPMI stuff there as well, which is why it's not quite as RESTy as it could be.
The latest R80.40 JHF closes some gaps, which of course will be in R81.
Are you really comparing apples to apples here?
My guess is...probably not.
In most of the analysis I've seen, Palo is rarely the cheaper option.
Again, this assumes properly sized solutions.
...
If you look at how SmartDashboard operated (R77.30 and earlier), it pretty much operated on the same principle.
It downloaded the relevant configuration (objects, active policy package), effectively...
If it were a simple issue of changing the filesystem, it could probably be done.
In this case, we're also changing the partition type.
You realize we are building a web version of SmartConsole in R81, right?
Not suggesting your effort won't be useful, or that our web SmartConsole won't have limitations.
For logs, you can use...
Commands should be the same in R80.x
Please describe the virtual hardware you allocated to your VM.
You will see this if you do not allocate enough resources (especially disk) to your VM.
See also:...
I was in Bangkok, will be in Vegas and Vienna, as will Val.
We'll be showing it off at CPX.
It's quite impressive :)
On a trial license, you have "all of the above" in terms of VPN connectivity.
Meaning, you can use either the "Endpoint Security" options or the "Mobile Access" options (SNX or Check Point...
Your best bet is to do it over the CLI from the serial console.
If you can't do that, your second best bet is to do it from a different interface than the one you're trying to change.
While you're asking about a backup, I suspect what you're actually asking about is a Database Revision.
They work differently in R80.x than R77.x.
You can see a description of how it works here:...
Simplified Mode was introduced in NG FP3 and has been the recommended configuration since then.
Traditional Mode is formally deprecated in R80.x.
The thing you plug into the wall is the power supply in this case :)
My money is on the power supply giving out.
As the Safe@ appliances are no longer being sold or supported, your best bet is to find a power supply through a secondary source.
While yes, in general, most software downloads require a software subscription, we do allow download of R80.10 by design (mostly for evaluation purposes).
I suppose now that R80.20 is out, that...
The correct and only supported method to do an in-place upgrade is to use CPUSE.
Refer to the Installation and Upgrade guide:...
Further, R80.20 was released today, so you can actually start using these features.
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk122485
FYI, in R80.x, this got a major overhaul due to the other changes in management architecture.
Virtual systems are not virtual machines in the sense they all run on the same underlying OS.
Stats you obtain from netstat are for the entire machine, not the VS.
In R77.10, we added TCP State Logging.
It's not enabled by default, of course.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk101221
This is not true as anti-spoofing checks also occur after the traffic is routed.
In fact, I had an FAQ about this exact issue back in the day.
There's probably a copy of it somewhere on this site,...
Pretty sure this feature is not supported on Safe@ or UTM-1 EDGE appliances as this requires the Security Servers, which I do not believe are present on these appliances.
Further, you'd need...
You have to mark one of the interfaces in your topology as Dynamic IP.
It appears in the General Properties of the object.
Specifically, it's a checkbox to the right of the button Resolve from Name.
This is not available if the gateway is standalone (gateway...
Unless you define the gateway as having a Dynamic Address (it's a checkbox in the gateway object), then you can't do that.
Based on the fact you're talking about certificates, I'm assuming you're referring to VPN from a host with a dynamic IP.
Check Point requires certificates to be used in this case because pre-shared...
Pretty sure that the default action for the MS08-067 protection in the Optimized or Strict profiles is Prevent.
Did you install the Firewall policy or the Threat Prevention policy?
Note for R80.10+...
It's safe to say we'll be leveraging new kernel infrastructure for a lot of things in the gateway (including VSX).
Here's a screenshot from R80.20.M1 showing where to import custom applications.
It should be similar in R80.10.
Nope, we're not using systemd.
We actually use our own process manager (pm).
Correct.
R80.20.M1 Management Release is now available.
To be clear, this is for Management only (including Provider-1/Multi-Domain) and does not support installation as a gateway (with or without...
To provide a bit of background on the situation:
When Check Point designed R80, the goal was to have an outstanding UI experience for the administrator as well as flexible UI components, allowing...
vSEC/CloudGuard makes use of these objects, actually.
As I suggested on the same thread on CheckMates, it's probably a good idea to get the TAC involved with this.
At least some internal SKs suggest part of the database might be corrupt.
On anything but the Scalable Platforms (e.g. 41k/44k/61k/64k), the Management interfaces are just labeled that way.
They can be used for production traffic as well.
If you need multiple sync...
Since it's not a Check Point gateway, you should definitely create it as an interoperable device.
If you can guarantee the remote IP address won't change, then you can configure the IP address in...
At least in the public EA, it's 2.4.4.
However, I assume this is subject to change in GA, especially since the current Public EA is only centered around Management and not gateway where this would...
Since I'm not familiar with the userspace of RHEL 7, I can't say for sure.
Just doing a perfunctory compare of installed RPM packages, I can see some updated libraries are there for sure.
Same with...
If you need support for R77.30 beyond the stated timeframes, I recommend engaging with your account teams sooner rather than later.
There are plans to bring more of SmartWorkflow's functionality...
You may want to check to see if the immutable flag has been set on /etc/ntp.conf by using the command lsattr /etc/ntp.conf.
If the immutable flag is set, then GAiA will not be able to update the...
Just as a reminder, SmartReporter is not available in R80+.
Someone created a script on CheckMates to get a list of gateways and their installed code versions.
It's not specific to the 1430 but should work:...
You should only create it as a UTM-1 EDGE appliance if it truly is a UTM-1 EDGE appliance.
Otherwise you would create it as an Externally Managed VPN Gateway with the Dynamic Address box checked....
For those who can't wait for R80.20 to become generally available, it is available in Early Availability form.
Both Production and Public EA versions are available.
Public EA is Management only,...
I'm curious how many people actually use fw sam rules.
It's an older feature for sure.
Using the same IP address space on both ends of a VPN tunnel rarely ends well.
Office Mode would probably work around your particular issue, but that requires Endpoint VPN or Mobile Access licenses.
You need permissions for both nodes as you will be ultimately changing the routing on both nodes during a failover.
Also, I'm guessing this is your problem:
RequestException: HTTP/1.1 401...
Except the WebUI is clearly not allowing this configuration.
The fact it's listed as a known limitation suggests it's not an accident.
VPN Service based link selection is not supported on the SMB appliances.
It is listed as a known limitation....
For what it's worth, I was able to fire up SmartView Tracker on R80.10 without any licensing errors.
Granted, I am using the standard "All-in-One" eval license and it's a management system.
Like...
The example in sk116212 suggests you need appropriate permissions for the cluster member VMs at a minimum.
When the failover "failed" what showed in $FWDIR/log/azure_had.elg if anything?
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk115961
TL;DR: Anything involving Security Servers doesn't support the new unified...
The HA test script just verifies the configuration is set up correctly so when a failover event actually occurs, we can trigger the relevant API calls to do the failover.
It does not trigger the...
If you're not already using Client Authentication, I would not recommend you start now.
R80.10 has some pretty significant limitations with regards to new features if you're using Client Auth.
While CPLogToSyslog has been around for a while, it definitely has some limitations.
This is the official replacement for CPLogToSyslog, built on top of recent R77.30/R80.10 Jumbo Hotfixes.
It will...
Mobile Access Blade should also work here.
Depending on the nature of the website, it may work without installing a VPN client.
While the binary for SmartView Tracker is still installed as part of R80+ SmartConsole, it's formally deprecated.
If the gateway is categorizing stuff as "Web Browsing" that means one of four things:
1. You don't have URL Filtering enabled on your gateway. This can be enabled in the gateway object and...
In R80.10 SmartEvent, there's a standard view called "Active Users" that will show you this information (top users and how much data they've consumed plus apps they consumed it with).
In my case, I...
R75.45 has been End of Support for a couple years now.
None of the potential causes for this issue occur on currently supported versions of code running on Gaia OS.
I highly recommend you...
A better question might be why you are allowing traffic to "any" port to your firewall from anywhere, or even a specific network.
That's not considered best practice.
In any case, those "random"...
That means we're both old :)
To be clear, you don't really need a hotfix if you do what I suggested (backdate the system when the internal CA is created).
Afterwards, you can change the system to a current date and all should...
This sounds like the issue described here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk122612
By default, when the Internal CA is...
The only place I've seen where this is needed is when you're listening off a SPAN port and the gateway sees its own traffic from the management port on it.
Part of that old "can't see the same...
You can see Tim's excellent presentation at CPX (as well as a bunch of other ones) here: https://community.checkpoint.com/docs/DOC-2734-cpx360-slides-2018
You can also see a video of me poorly...
fwauth.NDB may be where it is stored, not sure.
Regardless, there is no supported method to "show" the PSK any longer (yes, it used to show in plaintext in SmartDashboard ages ago).
If you forget...
The Reverse Proxy was developed by and is maintained by the same team that is responsible for Mobile Access Blade.
I can say that as someone who both works for Check Point and is familiar with the...
If the Reverse Proxy feature required authentication, why wouldn't you just use Mobile Access Blade, which already provides this?
The whole reason the Reverse Proxy functionality was created was to...
And like I said over on CheckMates, you can't see it.
If you forget it, you have to reset it.
cpinfo -y all should also provide another source (assuming a recent version of cpinfo).
But if you want the belt and suspenders approach, you'd have to open up the hotfix, see what it installed, and...
The SK has been updated one more time.
Since the URLs we are matching against start with http:// or https://, we are matching a slash rather than a caret as the start of the hostname.
And yes, the...
FWIW I also asked my R&D contacts about the unescaped periods.
Note that even when you enter things as wildcards, the underlying pattern matcher uses regex only, thus what you enter will be...
Your support partner should be opening a ticket with Check Point support on this if they haven't already.
Please ask them for the SR number and send to me in a Private Message.
Yes, theoretically, STUN could be used outside of the Skype context in this situation.
That said, if you're not allowing other VoIP applications, then allowing STUN won't really do much since the...
The patterns in the SK should be treated as regular expressions and the SK was updated to reflect this.
Apologies for the confusion.
Making changes to the routing outside of the CLI/WebUI is not officially supported on Gaia (embedded or otherwise).
New hotfixes are only released using CPUSE.
If there are specific issues with using CPUSE, we of course would love to understand the issues and try to address them.
We have updated the contents of sk106623 based on the feedback in this thread.
Please review it and let me know if there are further problems.
The answer: use dbedit (same for R77.x and R80.x)
The commands in dbedit would look something like:
modify users joe.roberts color black
update_all
You can do multiple modify commands before...
See if the tips here help: https://community.checkpoint.com/message/14609-re-how-to-make-smartconsole-look-good-even-with-terminal-server-or-remote-desktop
I've flagged this to the folks who work on the various App Control signatures.
Adding STUN to the Skype service doesn't seem unreasonable.
Meanwhile, manually adding STUN to the same rule that...
That should not be required for Skype (the consumer version).
You can change the application definition to allow different ports, like I suggested earlier.
The ports we list in our application definition are exactly the same that Skype specifies on their website: ...
Something doesn't look right with your Skype service.
On my system, the Skype service shows with the Skype logo.
Also notice the ports it matches as part of the application definition:
...
What does your policy look like to allow the traffic?
If pre-R80.10, what's the Firewall policy in addition to the App Control policy?
This was part of the reason we created CPUSE.
In fact, we stopped releasing non-CPUSE hotfixes a while back.
Why are you installing hotfixes without using CPUSE?
waagent is provided as part of the image in Azure.
The reason for the version we use (as I recall) relates to the Linux kernel version we are using in Gaia currently.
We currently do not provide a...
The Gaia OS can be configured, but the idea of Blink is blow away/restart.
I do agree pairing this with isomorphic or similar would be a good thing.
I will agree with Uri here, fw samp is meant for "immediate" responses to issues without pushing policy.
If you want to block IPs permanently, it's best to move them into the regular firewall policy...
There isn't a specific limit that I am aware of.
Use blink or boot off an ISO from a USB drive to clear the appliance.
fw samp rules are meant to be changed on the fly.
Whether you do that with ssh, cprid, or the R80.x API is a matter of personal preference.
In R80.10, you might also try using dynamic objects,...
See this thread on CheckMates: https://community.checkpoint.com/message/12072-endpoint-security-on-demand
We do, and I'm sure photographic evidence will appear to that effect on the Internet soon enough. :)
Here's a pic from last year's CPX in Milan in the meantime.
Sure you're not :P