Hi Mates, After the upgrade to R80.10 on a MDS, hosting 5 CMAs, we are facing a very strange issue and until now the struggle is huge but no luck on sorting it out. In one of the CMAs we need to make some tweaks on “Inspection Settings” for both FTP and MGCP and somehow we don’t have such settings available to manage. In fact we only have 9 of them…
For the IPS core, my guess would be that you will need to completely reset all IPS, reload a new database and continue from there. We had some weird problems with IPS a while back and this did the trick.
Content Awareness in R80.10 - A user is trying to download some packages from a program called Unity and some are failing to download. After looking through the logs I repeatedly see a log that is blocking and the reason is 'Blocking request as configured in engine settings of Content Awareness. Reason 1 - Content Awareness - Error while…
I'm going back and forth to our vendor, then to CheckPoint support and then back. I'm debating whether to turn on fail-open as this is just using up too much of my time and stopping a lot of users from uploading & downloading files. It seems there's some sort of limit at 200 MB, although when running fw ctl get int fileapp_max_upload_file_size it …
Hi Folks, We operate a web platform completely hosted in AWS. A new client we have requires that we use Sandblast to scan documents before they are sent to them. Sandblast looks to be the software for the job. The usage scenario is we store the documents in an AWS S3 bucket and have them scanned there. A piece of middleware will send…
You are looking in the GAIA WebUI, not SmartDashboard, which is where you would configure what Danny suggests. However, for the use case you describe, you might find the following interesting: Protecting AWS S3 Buckets with SandBlast
Hello Guys, What approaches do you use to exclude a multitude of .cab files which are part of Windows and Office updates from Threat Emulation without blocking all the .cab files in general? I tried to add a global exception to the threat prevention policy based on sites (*.windowsupdate.com etc.), but it seems to me it does not work. I am very…
Can you check the log details? If it does not show "trusted source" or "local cache" here you need to open a ticket. Then we will add the missing servers to our global whitelist which will be automatically updated in your environment. Regards Thomas
Does anyone have a good documentation link for Check Point IPS configuration on R80.10 with IPS policy update? (a) Can you describe the Performance Impact and Confidence Level parameters?
Please also look into the IPS Self Help Guide for R80.10 - here, you will find references to sk43733 How to measure CPU time consumed by IPS protections and sk110737 IPS Analyzer Tool - How to analyze IPS performance efficiently as well as for other resources.
We are seeing a lot of email being rejected by postfix, some of which is legitimate email that should be delivered. What I'm seeing from the maillog is logs such as the following; NOQUEUE: reject: RCPT from unknown[Our IP Address]: 554 5.7.1 <Internal Email address>: Recipient address rejected: Access denied; from=<External Email Address>…
Hi Matt, please don't edit main.cf directly as it will be overwritten at each policy install. Please use this: How to change Postfix configuration for Threat Emulation MTA Can you post more info on your mail flow? NOQUEUE: reject: RCPT from unknown[Our IP Address]: 554 5.7.1 <Internal Email address>: Recipient address rejected: Access…
Hi, Is it possible for a mail alert to be generated when a specific IPS protection is triggered, as well as logging it to the log? We have SmartEvent R80 but otherwise a dedicated logging and management running R77.30. I'm not finding a clear answer that I can have both mail alerting and for it to be logged at the same time. Thanks
Team, Can we create multiple threat prevention profiles in R80.10, one profile with the AV & AB blades enabled with prevent action and the other profile having only IPS enabled?
Profile suggestions as per my previous post: For the rough profiles definitions, we can use "Windows" and "Linux" specific profiles. Under Windows profile category, Servers and Clients (with Servers, omitting the things like Adobe Flash and Reader, IE and other, application specific protections). Under Linux, same breakdown with Server and…
Hi CheckMates, I'm trying to pick up a word in DLP using a case sensitive weighted keyword. I've tried a few variations of regular expressions but none seem to work. Can anyone help? Thanks Jamie
Thanks for your reply Günther. As noted above, the SK suggests that the RegEx filtering is not case sensitive. Do you (or anybody) know if there is a different way of achieving the case sensitive filtering? Maybe CPCode? Thanks
Hi Checkmates, I recently enabled IPS in detect mode to make sure that I have all false positives removed before enabling in prevent mode. One of the false positives is coming from a monitoring system, that I want to create an exception for. The monitoring system detects "Brute force scanning of CIFS ports". I tried to create a global…
Thanks Dameon, That might do it. I now have created a custom query: blade:(Anti-Bot OR IPS) NOT "Brute Force Scanning of CIFS Ports" that does basically the same, however if needed I still have the logs for other servers that may be involved in an attack. If I ignore logs for this signature completely, then I lose the logs that I might need…