Threat Prevention | CheckMates

JunedRafeek kittur in Threat Prevention1 day ago (Show more)

How can we block Nmap and other Port scanners

How can I block Nmap scan from Outside? . VAPT report submitted by external vendors used nmap to scan our network and checkpoint gave pretty much all the information which can used further for attacks. How can we block such request on checkpoint? Sample :: Starting Nmap 7.70 ( https://nmap.org ) at 2018-12-11 17:51 Standard Time Nmap… (Show more)

5 repliesShow more activity

Enis Dunic (to JunedRafeek kittur) 53 minutes ago (Show more Show less)

Have you tried to follow the sk suggested by Martin? Nmap as portscanner has been along for ages (tons of options to avoid being detected) and as long as you have services open for "anyone" it will show on port scanners. If you have services exposed for anyone on the Internet then you should not be so worried being port scanned. As long as you…

Actions

Tom Nguyen in Threat Prevention14 hours ago (Show more)

IPS Query

Hi, With the R80.10 API, is there a way determine which IPS profile is tied to a gateway? Basically, we have a large number of gateways and multiple IPS profiles and I would like to create a script that will eventually create a list with the name of the gateway and the associated IPS profile. I'm trying to work backwards and I'm just stuck… (Show more)

Sylvia Ross in Threat Prevention18 hours ago (Show more)

initial analysis of IPS in R80.10

In R75.X,R76 and R77.X there was the possibility to configure in the profile setting a troubleshooting mode. Is this feature in R80.10 for VM/Azure Cloud Template also available? I have not found this so far in documentation. Thank you for your support.

1 replyShow more activity

Norbert Bohusch (to Sylvia Ross) 14 hours ago (Show more Show less)

In the R80.10 management you can achieve the same effect by going into gateway/cluster properties and there go to "IPS" page and change the setting from "according to policy" to "detect".

Actions

Tim McColgan in Threat Prevention2 days ago (Show more)

Email MTA setup

I am really just looking to know, which certificate from my Exchange server should I be importing into the MTA configuration for TLS decryption/encryption? I was going to use a .cer certificate I exported for use in another area in my Checkpoint console for sending emails, but it looks like the MTA configuration wants a p12 cert. Screenshot… (Show more)

3 repliesShow more activity

Santiago Platero (to Tim McColgan) 20 hours ago (Show more Show less)

Hi Tim, yes, you should get the certificate used by Symantec. And, depending on the supported format for importation, then you'll maybe have to convert it to .p12. You could refer to the documentation of the cloud service in order to know how to get the certificate and which formats supports (I personally have to done something similar, but with…

Actions

Chandhrasekar Saravanan in Threat Prevention1 day ago (Show more)

How to prevent TLS1.0 traffic passing through gateway using IPS

Hello, We are running CheckPoint R80.10 and have enabled IPS, Anti-Virus, Anti-Bot threat prevention blades. There is a requirement to block TLS1.0 traffic passing through the gateway. Just wondering how we can achieve this using our Threat Prevention blades. Thanks, Chandru

4 repliesShow more activity

Chandhrasekar Saravanan (to Vladimir Yakovlev) 1 day ago (Show more Show less)

OK. Thanks Vladimir. This seems to be a possible solution

Actions

Nicholas Sheridan in Threat Prevention4 days ago (Show more)

General Query about Analysing Behaviour and Mitigation

Hi forum! I recently installed with the help of a consultant some cloudguard firewalls. As a side effect of my deployment we needed to integrate remote access with OSX clients, and apparently needed to permit http and https from everywhere to the firewalls IP address - apparently related to the remote access blade and supporting OSX. So we… (Show more)

1 replyShow more activity

Dameon Welch-Abernathy

(to Nicholas Sheridan) 4 days ago (Show more Show less)

One of a few threads where this basic idea has come up: list of different IP addresses to be blocked

Actions

Mikel Aanstoot in Threat Prevention3 weeks ago (Show more)

Event Policy, Legacy

Hi, as briefly mentioned in my latest question we have moved from R77.30 to R80.10. In the Smart Event Policy we have noticed that for Thread Prevention some automatic reactions have moved to Legacy folder. Legacy suggest "old" and maybe superseded by something else. I cannot find any other setting however. Is this still a useful to configure in… (Show more)

3 repliesShow more activity

Mikel Aanstoot (to Mikel Aanstoot) 6 days ago (Show more Show less)

Sharing some info, I have learned that for having different alerting for different severity for the same threat is done by manually create an event based on the existing threat event. So I will play around with that. If anybody has any experience and tips for this I am interested. Would be nice to hear some best practices used by others.

Actions

Mikel Aanstoot in Threat Prevention3 weeks ago (Show more)

DNS Trap

Hello, I have configured DNS trap, first in R77.30 and we have now R80.10, according to sk74060. Also added an internal DNS server for better identification. We see some internal DNS trap alerts coming from internal DNS server. We cannot identify the real client who is actually making the DNS request. I think we have to correlate ourselves from… (Show more)

10 repliesShow more activity

Santiago Platero (to Mikel Aanstoot) 1 week ago (Show more Show less)

Hi Mikel, thanks for your answer. And yes, the VLANs are routed through the gateway (at least for internet browsing). As you say some traps aren't malicious browsing per se, but (malicious or not) almost never I could see from which client and/or user (we also have IA enabled) the request was made. Some insight I forgot to mention is we…

Actions

Santiago Platero in Threat Prevention2 months ago (Show more)

SMTP encrypted session bypassed, yet attachments are emulated

Hi community long time no see (dunno why these days can't login to CheckMates), I'm seeing some strange things in the Firewall and Threat Emulation logs, but first some context: - R80.20 GA Management - R80.10 Security Gateway, with Threat Emulation blade enabled (emulation occurs in the Check Point Cloud), MTA enabled and imported the SSL… (Show more)

7 repliesShow more activity

Santiago Platero (to Kenny Manrique) 1 week ago (Show more Show less)

Thanks Kenny, hope you can find it.

Actions

Jan Bucek in Threat Prevention1 week ago (Show more)

Application whitelist

Hi, we are software vendor and we faced with one of our custome false positive detection by CheckPoint Endpoint Security Anti-Malware. My question is "Is there any way how to whitelist our binaries?" I mean some way how to send our binaries to Check Point for prevent scan and global whitelist to not met this false positive detection in… (Show more)

3 repliesShow more activity

Günther W. Albrecht (to Jan Bucek) 1 week ago (Show more Show less)

To view this solution, Advanced access is required - you have to contact your support partner / CCSP for the sk. But the Endpoint Security Administration Guide also covers the topic. TAC is technical assistance - your CCSP opens a support ticket with CP and you then will be able upload the binary.

Actions