CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


First, I hope you're all well and staying safe.
Second, I want to give a "heads up" that you should see more activity here shortly, and maybe a few cosmetic changes.
I'll post more details to the "Announcements" forum soon, so be on the lookout. -E


Type: Posts; User: PhoneBoy

Page 1 of 5

  1. Replies
    71
    Views
    70,434

    Re: SmartDashboard on macOS

    Nice to see you're still working on this :)
  2. Replies
    71
    Views
    70,434

    Re: SmartDashboard on macOS

    There is still some "legacy" CPMI stuff there as well, which is why it's not quite as RESTy as it could be.
    The latest R80.40 JHF closes some gaps, which of course will be in R81.
  3. Replies
    9
    Views
    9,516

    Re: Business case to keep Check Point

    Are you really comparing apples to apples here?
    My guess is...probably not.
    In most of the analysis I've seen, Palo is rarely the cheaper option.
    Again, this assumes properly sized solutions.
    ...
  4. Replies
    71
    Views
    70,434

    Re: SmartDashboard on macOS

    If you look at how SmartDashboard operated (R77.30 and earlier), it pretty much operated on the same principle.
    It downloaded the relevant configuration (objects, active policy package), effectively...
  5. Replies
    13
    Views
    9,793

    Re: Upgrade to 80.40

    If it were a simple issue of changing the filesystem, it could probably be done.
    In this case, we're also changing the partition type.
  6. Replies
    71
    Views
    70,434

    Re: SmartDashboard on macOS

    You realize we are building a web version of SmartConsole in R81, right?
    Not suggesting your effort won't be useful, or that our web SmartConsole won't have limitations.
    For logs, you can use...
  7. Re: How do I check the routing table through command line? In checkpoint ?

    Commands should be the same in R80.x
  8. Replies
    13
    Views
    8,621

    Re: First time configuration wizard hanged up

    Please describe the virtual hardware you allocated to your VM.
    You will see this if you do not allocate enough resources (especially disk) to your VM.
    See also:...
  9. Thread: CPX

    by PhoneBoy
    Replies
    2
    Views
    4,683

    Re: CPX

    I was in Bangkok, will be in Vegas and Vienna, as will Val.
  10. Replies
    10
    Views
    20,760

    Re: Blink - Full gateway installation in 5 minutes

    We'll be showing it off at CPX.
    It's quite impressive :)
  11. Replies
    4
    Views
    5,187

    Re: Checkpoint RAS solutions

    On a trial license, you have "all of the above" in terms of VPN connectivity.
    Meaning, you can use either the "Endpoint Security" options or the "Mobile Access" options (SNX or Check Point...
  12. Re: Change of Public IP of 2nd ISP (Cluster setup)

    Your best bet is to do it over the CLI from the serial console.
    If you can't do that, your second best bet is to do it from a different interface than the one you're trying to change.
  13. Replies
    1
    Views
    4,252

    Re: How can you take a backup (similar to R77)?

    While you're asking about a backup, I suspect what you're actually asking about is a Database Revision.
    They work differently in R80.x than R77.x.
    You can see a description of how it works here:...
  14. Replies
    3
    Views
    4,091

    Re: Simultaneous SSLVPN & IPSEC VPN

    Simplified Mode was introduced in NG FP3 and has been the recommended configuration since then.
    Traditional Mode is formally deprecated in R80.x.
  15. Replies
    3
    Views
    14,602

    Re: Has my Safe@ died

    The thing you plug into the wall is the power supply in this case :)
  16. Replies
    3
    Views
    14,602

    Re: Has my Safe@ died

    My money is on the power supply giving out.
    As the Safe@ appliances are no longer being sold or supported, your best bet is to find a power supply through a secondary source.
  17. Replies
    10
    Views
    7,922

    Re: Security Management Server migration

    While yes, in general, most software downloads require a software subscription, we do allow download of R80.10 by design (mostly for evaluation purposes).
    I suppose now that R80.20 is out, that...
  18. Replies
    3
    Views
    3,900

    Re: R80.10 Upgrade error

    The correct and only supported method to do an in-place upgrade is to use CPUSE.
    Refer to the Installation and Upgrade guide:...
  19. Re: IPS Protect internal hosts only - recommendation

    Further, R80.20 was released today, so you can actually start using these features.
  20. Replies
    0
    Views
    4,051

    Check Point R80.20 is GA

    https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk122485
  21. Re: Management Server HA two different data centers?

    FYI, in R80.x, this got a major overhaul due to the other changes in management architecture.
  22. Replies
    10
    Views
    7,870

    Re: ICMP time exceeded are not logged?

    Virtual systems are not virtual machines in the sense they all run on the same underlying OS.
    Stats you obtain from netstat are for the entire machine, not the VS.
  23. Replies
    10
    Views
    7,870

    Re: ICMP time exceeded are not logged?

    In R77.10, we added TCP State Logging.
    It's not enabled by default, of course.
    See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk101221
  24. Replies
    8
    Views
    7,793

    Re: Antispoofing adding static route

    This is not true as anti-spoofing checks also occur after the traffic is routed.
    In fact, I had an FAQ about this exact issue back in the day.
    There's probably a copy of it somewhere on this site,...
  25. Replies
    3
    Views
    3,886

    Re: URL redirect on safe@

    Pretty sure this feature is not supported on Safe@ or UTM-1 EDGE appliances as this requires the Security Servers, which I do not believe are present on these appliances.
    Further, you'd need...
  26. Replies
    5
    Views
    5,771

    Re: Check Point DHCP Interface

    You have to mark one of the interfaces in your topology as Dynamic IP.

    [attached image]
  27. Replies
    5
    Views
    5,771

    Re: Check Point DHCP Interface

    It appears in the General Properties of the object.
    Specifically, it's a checkbox to the right of the button Resolve from Name.

    [attached image]

    This is not available if the gateway is standalone (gateway...
  28. Replies
    5
    Views
    5,771

    Re: Check Point DHCP Interface

    Unless you define the gateway as having a Dynamic Address (it's a checkbox in the gateway object), then you can't do that.
  29. Replies
    1
    Views
    2,199

    Re: Add DAIP gateways to source in a policy

    Based on the fact you're talking about certificates, I'm assuming you're referring to VPN from a host with a dynamic IP.
    Check Point requires certificates to be used in this case because pre-shared...
  30. Thread: Doubts on IPS

    by PhoneBoy
    Replies
    1
    Views
    4,397

    Re: Doubts on IPS

    Pretty sure that the default action for the MS08-067 protection in the Optimized or Strict profiles is Prevent.
    Did you install the Firewall policy or the Threat Prevention policy?
    Note for R80.10+...
  31. Replies
    18
    Views
    11,345

    Re: R80.20.M1 Management Release

    It's safe to say we'll be leveraging new kernel infrastructure for a lot of things in the gateway (including VSX).
  32. Replies
    2
    Views
    2,355

    Re: New GUI Signature Tool

    Here's a screenshot from R80.20.M1 showing where to import custom applications.
    It should be similar in R80.10.

    [attached screenshot]
  33. Replies
    18
    Views
    11,345

    Re: R80.20.M1 Management Release

    Nope, we're not using systemd.
    We actually use our own process manager (pm).
  34. Replies
    18
    Views
    11,345

    Re: R80.20.M1 Management Release

    Correct.
  35. Replies
    18
    Views
    11,345

    R80.20.M1 Management Release

    R80.20.M1 Management Release is now available.
    To be clear, this is for Management only (including Provider-1/Multi-Domain) and does not support installation as a gateway (with or without...
  36. Replies
    71
    Views
    70,434

    Re: SmartDashboard on macOS

    To provide a bit of background on the situation:

    When Check Point designed R80, the goal was to have an outstanding UI experience for the administrator as well as flexible UI components, allowing...
  37. Replies
    7
    Views
    3,806

    Re: Load balancing capabilities?

    vSEC/CloudGuard makes use of these objects, actually.
  38. Replies
    8
    Views
    5,059

    Re: CMA import fails to R80

    As I suggested on the same thread on CheckMates, it's probably a good idea to get the TAC involved with this.
    At least some internal SKs suggest part of the database might be corrupt.
  39. Replies
    6
    Views
    5,070

    Re: Mgmt and Sync ports

    On anything but the Scalable Platforms (e.g. 41k/44k/61k/64k), the Management interfaces are just labeled that way.
    They can be used for production traffic as well.

    If you need multiple sync...
  40. Replies
    4
    Views
    3,103

    Re: vpn against a gateway with a dinamical ip

    Since it's not a Check Point gateway, you should definitely create it as an interoperable device.
    If you can guarantee the remote IP address won't change, then you can configure the IP address in...
  41. Replies
    4
    Views
    5,645

    Re: R80.20 Production and Public EA

    At least in the public EA, it's 2.4.4.

    However, I assume this is subject to change in GA, especially since the current Public EA is only centered around Management and not gateway where this would...
  42. Replies
    4
    Views
    5,645

    Re: R80.20 Production and Public EA

    Since I'm not familiar with the userspace of RHEL 7, I can't say for sure.
    Just doing a perfunctory compare of installed RPM packages, I can see some updated libraries are there for sure.
    Same with...
  43. Re: Support for embedded R77.20 extended by a year

    If you need support for R77.30 beyond the stated timeframes, I recommend engaging with your account teams sooner rather than later.
    There are plans to bring more of SmartWorkflow's functionality...
  44. Replies
    4
    Views
    4,449

    Re: Checkpoint 13500 appliances and NTP servers

    You may want to check to see if the immutable flag has been set on /etc/ntp.conf by using the command lsattr /etc/ntp.conf.
    If the immutable flag is set, then GAiA will not be able to update the...
  45. Re: Can I get URL wise report from Smart Reporter?

    Just as a reminder, SmartReporter is not available in R80+.
  46. Re: SmartProvisioning to get firmware of all devices?

    Someone created a script on CheckMates to get a list of gateways and their installed code versions.
    It's not specific to the 1430 but should work:...
  47. Replies
    4
    Views
    3,103

    Re: vpn against a gateway with a dinamical ip

    You should only create it as a UTM-1 EDGE appliance if it truly is a UTM-1 EDGE appliance.
    Otherwise you would create it as an Externally Managed VPN Gateway with the Dynamic Address box checked....
  48. Replies
    4
    Views
    5,645

    R80.20 Production and Public EA

    For those who can't wait for R80.20 to become generally available, it is available in Early Availability form.
    Both Production and Public EA versions are available.
    Public EA is Management only,...
  49. Replies
    6
    Views
    27,830

    Re: SAM rule expiration sorting

    I'm curious how many people actually use fw sam rules.
    It's an older feature for sure.
  50. Replies
    1
    Views
    2,388

    Re: VPN SecuRemtoe disconnects

    Using the same IP address space on both ends of a VPN tunnel rarely ends well.
    Office Mode would probably work around your particular issue, but that requires Endpoint VPN or Mobile Access licenses.
  51. Replies
    6
    Views
    6,816

    Re: Vsec Failover Partially Worked

    You need permissions for both nodes as you will be ultimately changing the routing on both nodes during a failover.
    Also, I'm guessing this is your problem:
    RequestException: HTTP/1.1 401...
  52. Replies
    6
    Views
    6,750

    Re: 1100 - site to site route based VPN

    Except the WebUI is clearly not allowing this configuration.
    The fact it's listed as a known limitation suggests it's not an accident.
  53. Replies
    6
    Views
    6,750

    Re: 1100 - site to site route based VPN

    VPN Service based link selection is not supported on the SMB appliances.
    It is listed as a known limitation....
  54. Re: SMVT cannot read the license on the Log server

    For what it's worth, I was able to fire up SmartView Tracker on R80.10 without any licensing errors.
    Granted, I am using the standard "All-in-One" eval license and it's a management system.
    Like...
  55. Replies
    6
    Views
    6,816

    Re: Vsec Failover Partially Worked

    The example in sk116212 suggests you need appropriate permissions for the cluster member VMs at a minimum.
    When the failover "failed" what showed in $FWDIR/log/azure_had.elg if anything?
  56. Re: Can a Checkpoint R77.30 gateway enforce user authentication to a web server via R

    https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk115961

    TL;DR: Anything involving Security Servers doesn't support the new unified...
  57. Replies
    6
    Views
    6,816

    Re: Vsec Failover Partially Worked

    The HA test script just verifies the configuration is set up correctly so when a failover event actually occurs, we can trigger the relevant API calls to do the failover.
    It does not trigger the...
  58. Re: Can a Checkpoint R77.30 gateway enforce user authentication to a web server via R

    If you're not already using Client Authentication, I would not recommend you start now.
    R80.10 has some pretty significant limitations with regards to new features if you're using Client Auth.
  59. Replies
    0
    Views
    8,352

    Check Point Log Exporter via Syslog

    While CPLogToSyslog has been around for a while, it definitely has some limitations.
    This is the official replacement for CPLogToSyslog, built on top of recent R77.30/R80.10 Jumbo Hotfixes.
    It will...
  60. Re: Can a Checkpoint R77.30 gateway enforce user authentication to a web server via R

    Mobile Access Blade should also work here.
    Depending on the nature of the website, it may work without installing a VPN client.
  61. Re: SMVT cannot read the license on the Log server

    While the binary for SmartView Tracker is still installed as part of R80+ SmartConsole, it's formally deprecated.
  62. Replies
    1
    Views
    1,935

    Re: Website Categorisation

    If the gateway is categorizing stuff as "Web Browsing" that means one of four things:

    1. You don't have URL Filtering enabled on your gateway. This can be enabled in the gateway object and...
  63. Re: Can I get a report like this from smart reporter

    In R80.10 SmartEvent, there's a standard view called "Active Users" that will show you this information (top users and how much data they've consumed plus apps they consumed it with).
    In my case, I...
  64. Re: Smart Console error "Unable to get idle-time workstation locking policy"

    R75.45 has been End of Support for a couple years now.
    None of the potential causes for this issue occur on currently supported versions of code running on Gaia OS.

    I highly recommend you...
  65. Re: Tenable Scan opening ports dynamically on GW

    A better question might be why you are allowing traffic to "any" port to your firewall from anywhere, or even a specific network.
    That's not considered best practice.

    In any case, those "random"...
  66. Replies
    12
    Views
    16,987

    Re: ipso 6.2 R70 and 77.10 on Ip560

    That means we're both old :)
  67. Replies
    12
    Views
    16,987

    Re: ipso 6.2 R70 and 77.10 on Ip560

    To be clear, you don't really need a hotfix if you do what I suggested (backdate the system when the internal CA is created).
    Afterwards, you can change the system to a current date and all should...
  68. Replies
    12
    Views
    16,987

    Re: ipso 6.2 R70 and 77.10 on Ip560

    This sounds like the issue described here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk122612

    By default, when the Internal CA is...
  69. Re: How to install policy with comms from mgmt server blocked by antispoofing

    The only place I've seen where this is needed is when you're listening off a SPAN port and the gateway sees its own traffic from the management port on it.
    Part of that old "can't see the same...
  70. Re: How to install policy with comms from mgmt server blocked by antispoofing

    You can see Tim's excellent presentation at CPX (as well as a bunch of other ones) here: https://community.checkpoint.com/docs/DOC-2734-cpx360-slides-2018
    You can also see a video of me poorly...
  71. Replies
    5
    Views
    3,934

    Re: VPN PreShare Key cmd/clish

    fwauth.NDB may be where it is stored, not sure.
    Regardless, there is no supported method to "show" the PSK any longer (yes, it used to show in plaintext in SmartDashboard ages ago).
    If you forget...
  72. Re: Mobile Access Reverse Proxy - Anyone used yet

    The Reverse Proxy was developed by and is maintained by the same team that is responsible for Mobile Access Blade.
    I can say that as someone who both works for Check Point and is familiar with the...
  73. Re: Mobile Access Reverse Proxy - Anyone used yet

    If the Reverse Proxy feature required authentication, why wouldn't you just use Mobile Access Blade, which already provides this?
    The whole reason the Reverse Proxy functionality was created was to...
  74. Replies
    5
    Views
    3,934

    Re: VPN PreShare Key cmd/clish

    And like I said over on CheckMates, you can't see it.
    If you forget it, you have to reset it.
  75. Replies
    6
    Views
    3,229

    Re: Hot Fix Installation Verifier

    cpinfo -y all should also provide another source (assuming recent version of cpinfo).
    But if you want the belt and suspenders approach, you'd have to open up the hotfix, see what it installed, and...
  76. Replies
    26
    Views
    18,668

    Re: URL filtering, is this a joke?

    The SK has been updated one more time.
    Since the URLs we are matching against start with http:// or https://, we are matching a slash rather than a caret as the start of the hostname.
    And yes, the...
  77. Replies
    26
    Views
    18,668

    Re: URL filtering, is this a joke?

    FWIW I also asked my R&D contacts about the unescaped periods.

    Note that even when you enter things as wildcards, the underlying pattern matcher uses regex only, thus what you enter will be...
  78. Replies
    25
    Views
    25,979

    Re: unable to connect to server

    Your support partner should be opening a ticket with Check Point support on this if they haven't already.
    Please ask them for the SR number and send to me in a Private Message.
  79. Thread: Skype

    by PhoneBoy
    Replies
    13
    Views
    8,764

    Re: Skype

    Yes, theoretically, STUN could be used outside of the Skype context in this situation.
    That said, if you're not allowing other VoIP applications, then allowing STUN won't really do much since the...
  80. Replies
    26
    Views
    18,668

    Re: URL filtering, is this a joke?

    The patterns in the SK should be treated as regular expressions and the SK was updated to reflect this.
    Apologies for the confusion.
  81. Re: PBR Problem Behavior on 1100 and 1400 Appliances

    Making changes to the routing outside of the CLI/WebUI is not officially supported on Gaia (embedded or otherwise).
  82. Replies
    6
    Views
    3,229

    Re: Hot Fix Installation Verifier

    New hotfixes are only released using CPUSE.
    If there are specific issues with using CPUSE, we of course would love to understand the issues and try to address them.
  83. Replies
    26
    Views
    18,668

    Re: URL filtering, is this a joke?

    We have updated the contents of sk106623 based on the feedback in this thread.
    Please review it and let me know if there are further problems.
  84. Replies
    3
    Views
    4,364

    Re: Editin multiple user object possible?

    The answer: use dbedit (same for R77.x and R80.x)
    The commands in dbedit would look something like:

    modify users joe.roberts color black
    update_all

    You can do multiple modify commands before...
  85. Replies
    2
    Views
    5,187

    Re: smart console window too big

    See if the tips here help: https://community.checkpoint.com/message/14609-re-how-to-make-smartconsole-look-good-even-with-terminal-server-or-remote-desktop
  86. Thread: Skype

    by PhoneBoy
    Replies
    13
    Views
    8,764

    Re: Skype

    I've flagged this to the folks who work on the various App Control signatures.
    Adding STUN to the Skype service doesn't seem unreasonable.
    Meanwhile, manually adding STUN to the same rule that...
  87. Thread: Skype

    by PhoneBoy
    Replies
    13
    Views
    8,764

    Re: Skype

    That should not be required for Skype (the consumer version).
    You can change the application definition to allow different ports, like I suggested earlier.
  88. Thread: Skype

    by PhoneBoy
    Replies
    13
    Views
    8,764

    Re: Skype

    The ports we list in our application definition are exactly the same that Skype specifies on their website: ...
  89. Thread: Skype

    by PhoneBoy
    Replies
    13
    Views
    8,764

    Re: Skype

    Something doesn't look right with your Skype service.
    On my system, the Skype service shows with the Skype logo.
    Also notice the ports it matches as part of the application definition:

    [attached screenshot]
    ...
  90. Thread: Skype

    by PhoneBoy
    Replies
    13
    Views
    8,764

    Re: Skype

    What does your policy look like to allow the traffic?
    If pre-R80.10, what's the Firewall policy in addition to the App Control policy?
  91. Replies
    6
    Views
    3,229

    Re: Hot Fix Installation Verifier

    This was part of the reason we created CPUSE.
    In fact, we stopped releasing non-CPUSE hotfixes a while back.
    Why are you installing hotfixes without using CPUSE?
  92. Replies
    3
    Views
    4,962

    Re: How to update waagent in Checkpoint Azure

    waagent is provided as part of the image in Azure.
    The reason for the version we use (as I recall) relates to the Linux kernel version we are using in Gaia currently.
    We currently do not provide a...
  93. Replies
    10
    Views
    20,760

    Re: Blink - Full gateway installation in 5 minutes

    The Gaia OS can be configured, but the idea of Blink is blow away/restart.
    I do agree pairing this with isomorphic or similar would be a good thing.
  94. Replies
    13
    Views
    5,402

    Re: fw samp in Bridge mode not working

    I will agree with Uri here: fw samp is meant for "immediate" responses to issues without pushing policy.
    If you want to block IPs permanently, it's best to move them into the regular firewall policy...
  95. Replies
    4
    Views
    4,823

    Re: fw samp blocking Reconn attacks - How to?

    There isn't a specific limit that I am aware of.
  96. Replies
    1
    Views
    1,984

    Re: config_system: command not found

    Use blink or a boot off an ISO from a USB drive to clear the appliance.
  97. Replies
    4
    Views
    4,823

    Re: fw samp blocking Reconn attacks - How to?

    fw samp rules are meant to be changed on the fly.
    Whether you do that with ssh, cprid, or the R80.x API is a matter of personal preference.
    In R80.10, you might also try using dynamic objects,...
  98. Replies
    3
    Views
    4,193

    Re: Compliance policy for Mobile Access

    See this thread on CheckMates: https://community.checkpoint.com/message/12072-endpoint-security-on-demand
  99. Replies
    12
    Views
    8,114

    Re: Anyone attending CPX360 2018?

    We do, and I'm sure photographic evidence will appear to that effect on the Internet soon enough. :)
    Here's a pic from last year's CPX in Milan in the meantime.

    [attached photo]
  100. Replies
    12
    Views
    8,114

    Re: Anyone attending CPX360 2018?

    Sure you're not :P
Results 1 to 100 of 500