We have an R80.10 cluster which has the Firewall, IPS, Anti-Virus and Anti-Bot blades in place, and it is being used as a parent proxy. When IPS/AV detect a virus signature (in this case the EICAR test virus) it drops the connection to the child proxy; however, if Anti-Bot detects an issue which is classed as reputation, it is redirected to the…
Is the firewall an explicit proxy in this case? Because if so, we may not be able to redirect the traffic to a UserCheck page. See: How to configure Check Point Security Gateway as HTTP/HTTPS Proxy Otherwise, a diagram of how the proxies are configured (related to users and Internet) would be helpful.
Hi All, We have a situation where on an R80.10 Mgmt/GW we have created multiple Threat Prevention (TP) rules, each rule with a different blade (Profile) enabled, e.g. Rule 1 - IPS, Rule 2 - AV, Rule 3 - Threat Prevention. Isn't Check Point supposed to go through each and every rule and execute all blades? What we see is that it just hits the first rule (IPS)…
Threat Prevention blades in general only generate logs if something is blocked or scanned. Specific to your example: IPS only generates logs if traffic triggers an active IPS signature. Otherwise, no log is generated. Threat Emulation only generates a log entry if an actual file is emulated and/or Threat Extraction is performed.…
Hi Guys, We are facing a problem when trying to install policy on our firewall. We get the error "Contract entitlement check failed" for the Anti-Virus and Anti-Bot blades. The internet is okay, as we can reach the Check Point sites as well as resolve public DNS names. We have also rebooted the gateways several times. We are running…
Hi, For R80.10 Security Management servers, Application Control updates are negligible in size. IPS updates are actually about 40MB per update, and older updates get cleared out automatically in R80.10 starting with Jumbo Hotfix Take 42, and in R80.20. Read more about it at How can I control the size of my R80.10 Security Management Server?
As my client wants to use their own Microsoft AD server to generate the certificate and import it into the Mgmt server for HTTPS Inspection of outgoing traffic: we are currently using the Internal CA certificate from the Check Point Mgmt server itself and it works. My question is, do we need to generate a CSR and let their AD sign the certificate for this purpose? If yes,…
Hi Jason, You won't need to change the certificates on the CP Management Server. You'll need to install a new SubCA certificate issued from the Microsoft CA on the gateway. As you have to import the certificate for this via SmartConsole from a .pfx, you will have to create the CSR somewhere else, then let the AD CA sign the request and fulfill…
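The workflow the reply describes (create the CSR off-box, have the customer's CA sign it as a SubCA, package key and certificate into a .pfx for SmartConsole) is shown below as an added example; it is not code from the thread or from Check Point. The subject names, file names and passphrase are assumptions, and the issuing CA is a throwaway OpenSSL root created inside the script as a stand-in for the Microsoft AD CA: in practice you submit subca.csr to the AD CA (using a subordinate-CA template so the issued certificate carries CA:TRUE) and drop the returned certificate in as subca.crt.

```shell
#!/bin/sh
# Added example (not from the thread). Builds an HTTPS Inspection SubCA as a
# PKCS#12 bundle ready for SmartConsole import. Requires the openssl CLI.
set -eu

# make_subca_pfx WORKDIR PFX_PASSWORD
#   Prints the path of the resulting .pfx on success.
make_subca_pfx() {
  work=$1
  pfx_pass=$2
  mkdir -p "$work"
  (
    cd "$work"

    # 1. Private key + CSR for the gateway's SubCA (hypothetical subject).
    #    The key never leaves this host until it is wrapped into the .pfx.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
      -keyout subca.key -out subca.csr \
      -subj "/CN=HTTPS Inspection SubCA/O=Example Corp" 2>/dev/null

    # 2. Stand-in for the customer's Microsoft AD CA: a self-signed root that
    #    signs the CSR. CA:TRUE is essential; without it the gateway cannot
    #    issue per-site certificates under this SubCA. pathlen:0 allows leaf
    #    certificates only, which is all HTTPS Inspection needs.
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
      -keyout root.key -out root.crt -subj "/CN=Example AD Root CA" 2>/dev/null
    printf '%s\n%s\n' \
      'basicConstraints=critical,CA:TRUE,pathlen:0' \
      'keyUsage=critical,keyCertSign,cRLSign' > subca.ext
    openssl x509 -req -in subca.csr -CA root.crt -CAkey root.key \
      -CAcreateserial -days 1825 -sha256 -extfile subca.ext \
      -out subca.crt 2>/dev/null

    # 3. Pre-import checks: the signed cert really is a CA and chains to the
    #    issuing root. Catching a template mistake here beats a failed import.
    openssl x509 -in subca.crt -noout -text | grep -q 'CA:TRUE'
    openssl verify -CAfile root.crt subca.crt >/dev/null

    # 4. Bundle private key + SubCA cert + issuing chain into PKCS#12.
    #    SmartConsole prompts for this password when the .pfx is imported.
    openssl pkcs12 -export -inkey subca.key -in subca.crt -certfile root.crt \
      -name "HTTPS Inspection SubCA" -passout "pass:$pfx_pass" -out subca.pfx
  )
  echo "$work/subca.pfx"
}
```

Usage: `make_subca_pfx ./subca 'Passw0rd'` prints `./subca/subca.pfx`. Protect subca.key and the .pfx accordingly: whoever holds that key can mint certificates every client trusts, so shred the working directory once the import into SmartConsole succeeds, and keep root.crt (or the real AD root) for distributing to clients, since they must trust the issuer of the SubCA, not the SubCA itself.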
Hi, I'm looking for a way to run a script that will check each domain on an MDS for whether an IPS update was scheduled and what the date of the latest update is. The frame for running the script over all domains is available, but I need to find which files to check per domain and what command to run to see this information.
In SmartView, in General Overview, there is written "Infected hosts" and it shows a quantity. Infected hosts means infected PCs, as far as I understand. But when analyzing the infected hosts, all of the infections were prevented by the blades. If they had been prevented, why is it written "Infected hosts"? How can we understand it clearly?
As Dameon Welch Abernathy already mentioned above, Anti-Bot shows you info about blocked malicious activity from your assets that are already compromised. For example, if a machine is already infected with bot-ware, it will try to report to C&C and/or to download additional malware modules and tools. Such activity can be detected and blocked by…
In SmartView, when Check Point shows Attacks (for example 2 critical attacks), if I click it (let's say it was found by the Anti-Virus blade), it shows details and writes only "Action: Detect" and "not prevented by policy". Besides, in the General Overview tab, it shows general information about detection and prevention (%). How can I clearly understand…
From one of the default policies as noted above. For most customers, we recommend using the Optimized profile. If you're new, you might want to review this TechTalk we did: TechTalk: Advanced Threat Prevention Best Practices
Maya Horowitz and Yoav Flint-Rosenfeld host a TechTalk to cover its mid-year report on what the Top Wanted Malware has been for 2018 so far, followed by live Q&A! Video: Mid-Year Report - Top Wanted Malware of 2018 (so far). Slides: Mid-Year Report Webinar w/ World Cup. Reports: Cyber Attack Trends: 2018 Mid-Year Report; GlanceLove:…