Skip navigation
All Places > SecureKnowledge > Blog
1 2 Previous Next


23 posts

Did you know that there is a way to connect one of your Security Gateways to a switch mirror (span) port on a switch to run security inspection of the traffic without interfering?


This type of deployment is called Monitor Mode.


Monitor Mode on Check Point Security Gateway interface is usually configured to monitor and analyze network traffic without affecting the production environment.


You can use mirror ports in the following scenarios:

  • As a permanent part of your deployment, to monitor the use of applications in your organization.
  • As an evaluation tool for the capabilities of the Application Control and Threat Prevention blades before you decide to purchase them.


Benefits of a mirror port include:

  • There is no risk to your production environment.
  • It requires minimal set-up configuration.
  • It does not require TAP equipment, which is much more expensive.


Read the following article for more information: Monitor Mode on Gaia OS and SecurePlatform OS.

In case you missed the November SET Newsletter we released last week, here it is again:
Security Expert Technical Newsletter (SET November2018) .

Arguably, the most popular tool to troubleshoot traffic crossing a Security Gateway is fw monitor. However, not all security engineers and administrators are familiar with the full potential of fw monitor.


The tool is extremely powerful, flexible and versatile.


To unleash its full potential, please look into the article of the week: What is FW Monitor? 

One of the classic yet not so commonly used features of ClusterXL is the ability to configure cluster IP addresses in a manner where physical IP addresses and VIPs are on different network subnets.



 The advantage of this is that it:

  • Enables a multi-machine cluster to replace a single-machine gateway in a pre-configured network, without the need to allocate new addresses to the cluster members.
  • Makes it possible to use one routable address only, for the ClusterXL Gateway Cluster.


Article sk32073 explains the configuration, implications and limitations of this feature. 

The Threat Emulation RESTful API is available on any Check Point appliance with enabled Threat Emulation blade. It allows you to:

  • Query for emulation results
  • Download reports
  • Upload files for emulation/extraction


For more details and usage examples, look into the following SK article: Threat Prevention API for Security Gateway 

Our featured SecureKnowledge article of the week is SecureXL Penalty Box


Protecting your networks from DDoS attacks is a challenge. With SecureXL Penalty Box, your Security Gateway can start dropping IPs frequently reported by IPS, without decreasing performance.


To learn more about this feature, please read the article.

This week we feature the Advanced Technical Reference Guide for R80.x Multi-Domain Security Management.


As you know, Check Point management server architecture has been completely changed after R77.30. Understanding the new structure, data flows, dependencies and troubleshooting techniques is vital for maintaining a stable and reliable security system.


If you are interested to learn how the new MDSM servers process data, synchronize databases, interact with elements of SmartConsole GUI clients, treat logs, etc., this article is for you.    

Today we feature SandBlast Mobile 3.0 release. 


SandBlast Mobile 3.0 release adds Anti-Phishing and more protections to a light-weight iOS or Android app which integrates with leading UEM (Unified Endpoint Management) vendors like VMware AirWatch, BlackBerry, IBM MaaS360, MobileIron, Microsoft Intune and Ctirix XenMbobile.


Find the latest integration guides, release notes, videos and more in the SandBlast Mobile space.


Also, you can read Check Point Press Release about SandBlast Mobile 3.0 and download SandBlast Mobile 3.0 release Notes PDF

Whether you work on improving performance of your Security Gateways or Management Servers, OS cumulative statistics are important for understanding the issue in hands and identifying a bottleneck. 


Gaia OS uses standard Linux instrument sar to provide such information. With sar command one can look into statistics about disk operations, system interrupts, network utilization, CPU times and memory usage.


For the comprehensive details about usage of the command sar, look into the following SecureKnowledge article: How to collect System Activity Report using the "sar" command 

Some month ago we have described Check Point's new tool for automated deployment: Blink - Gaia Fast Deployment Tool.


Today we want to present you SecureKnowledge article for it: sk120193. All you need to know to start working with the tool is mentioned in the article: requirements, use cases, supported software versions, configuration details and limitation.


This article is one worth adding to your bookmarks.


NoteR80.20 Blink images are still being tested by QA and are planned to be released soon

This week we feature the article Best Practices - HTTPS Inspection . 


The topic is rather hot these days, as need to secure and control both inbound and outbound HTTPS encrypted traffic is growing fast.
The article explains different modes of deployment, creation and use of SSL certificates, and an inspection rulebase. It lays out specific parameters and considerations, such as encryption parameters and cipher details.


Most importantly it provides references for estimated performance and tools for troubleshooting the resulting security system.

Whether you only consider HTTP Inspection or use it already, this is the best reading material to work with for the matter. 

Understanding how a particular connection is matched through your security policy is vital. There is now a tool for that, Check Point Packet Injector.


This utility is executed on the Security Gateway, simulating packets arriving from the sender on their way to the target host. After the packets are sent, Packet Injector listens for response packets from the target host back to the sender passing through the Security Gateway, letting the user know they arrived.


For more details, please refer to the article.

The article of the week is ATRG: Threat Extraction


It describes everything you need to know about Threat Extraction with Check Point:

  • Need for Threat Extraction and its concept
  • Its place within Threat Prevention capabilities of Check Point
  • Supported implementation modes, configurations and requirements
  • Config files and CLI commands
  • Troubleshooting techniques and debug suggestions


The article also contains a very detailed FAQ section and a list of references to related SecureKnowledge articles.

Security Gateway performance optimization is arguably one of the toughest challenges today. To deal with it, one needs to understand lots of moving bits and pieces related to technologies in questions, security features in use, system limitations and bottlenecks. 


Fortunately, SecureKnowledge authors made a tremendous job in writing down practically everything you need to know about security gateway performance tuning in the article Best Practices - Security Gateway Performance.


This article describes the technological approach of dealing with gateway performance, existing limitations, best practices, initial and advanced diagnostics of ongoing issues, relevant commands and tools, and examples of using those.


It also has references to further read on the subject of  gateway performance tuning.

Virtual Data Center and Cloud Security is the hottest and also one of the most challenging subjects today. 


CloudGuard Aggregation Article sk132552 helps you to understand the solution, design, build up and run security systems protecting your virtualized assets on various deployment platforms for public and private cloud: AWS, Azure, Google Cloud and VMware NSX.  


The article contains structured links to further articles concerning various topics for all CloudGuard deployment options. Whenever you plan deployment, want to acquire a better comprehension of the technology or have a particular question concerning CloudGuard, it is worth starting with this SK.