News | CheckMates

Johannes Schoen in Installation, Maintenance, and Upgrades3 hours ago (Show more)

Can't monitor secondary node over IPSec tunnel

Dear Community, as an ISP we are monitoring our costumer environments throug IPSec tunnels from our datacenter. I don't know why, but two of our Check Point installations are strange - I cannot access the secondary node through IPSec - other sites work well with the same design. One troublemaker runs an old VRRP cluster (R77.30), the other on… (Show more)

7 repliesShow more activity

Maarten Sjouw (to Johannes Schoen) 17 minutes ago (Show more Show less)

There is no way to do this indeed, as you say the traffic is decrypted on the active node and forwarded to the backup, and dropped there because it is cleartext. You cannot build separate tunnels to the different members.

Actions

Evgeniy Solovyev in General Product Topics18 minutes ago (Show more)

Expert command of security management server to show status of it initialization.

Hello to all. I know that there is a CP command to view the status of the management server loading (for example after reboot). When the server boots, command output says that the server is in the process of initialization. When the command indicates that the status of the server is working, you can connect by the console. I used it in R80… (Show more)

CHINMAYA NAIK in Logging, Monitoring, Reporting, and Event Analysis7 months ago (Show more)

Exporting Check Point logs over syslog (LogExporter) (using Smrtevent server)

Requirement: Exporting Check Point logs over Syslog (LogExporter) to SIEM. Dedicated SmrtEvent server with R77.30 GAIA OS Step 01: Check the current Hotfix install on SmartEvent server Using CLI: installed_jumbo_take and cpinfo -y all Using WebUI: "Status and Actions" section. Step 02: If take_338 or above is exit then skip this step…

3 commentsShow more activity

Vishnu Vardhan Reddy.L marked this document as helpful

Gorazd Baldovsky in Threat Prevention3 hours ago (Show more)

HTTPS inspection drops .js files bigger than 3 MB. No log, nothing strange in fw monitor, no drop in zdebug

Hi all, We run VSX 77.30 firewall with enabled IPS and HTTPS inspection. One HTTPS webpage uses large javaScript (.js) files, and the download is being dropped at 3.06 MB. I case we switch HTTPS interception off, everything works fine. There is no special log in the tracker - just that the traffic was allowed and then HTTPS-inspected. There is… (Show more)

b93417f3-d070-3a49-b70a-6fc8912efc50 in General Product Topics2 hours ago (Show more)

ISP Redundancy (3 or more ISPs) and Policy Based-routing in R80.30

Hello Checkmates, Does anyone know if - ISP Redundancy with more than two links (3 or more Internet links) - Policy Based Routing (route to different ISPs for different types or traffic and from different subnets) is going to supported anytime soon? There appears to be some enhancements in R80.30 for Advanced Networking in this regard… (Show more)

Erakul Siddharth S in Management1 hour ago (Show more)

NTP Server

Can anyone explain clear about NTP server in checkpoint, how it's getting synchronization with other server time?. Also Share the steps to proceed in GUI and command which used in CLI for clear understanding.

Heiko Ankenbrand

in General Product Topics4 days ago (Show more)

R80.30 - ClusterXL CCP Encryption!

Under R80.30 it is possible to encrypt CCP traffic. This is very useful to protect the cluster from manipulated CCP packets. Therefore new commands have been implemented on the CLI for this purpose. The following description shows you how to enable CCP encryption. All settings you make on the CLI are permanently stored in the following file…

10 commentsShow more activity

Heiko Ankenbrand marked Dmitry Krupnik's comment as helpful

Johannes Schoen in Installation, Maintenance, and Upgrades3 weeks ago (Show more)

VPN Tunneled traffic is blocked - Address Spoofing

Hi Community, I got a annoying strange behavior: Perimeter Checkpoint, Transfernet to Core Firewall with topoloy RFC1918 networks. New VPN tunnel with a /24 net from 10.0.0.0/8 range. Excluded tunneled network from address spoofing on external interface. Created a Group RFC1918 networks with Exclusion of tunneld /24 network. Set that… (Show more)

4 repliesShow more activity

Johannes Schoen (to Maarten Sjouw) 2 hours ago (Show more Show less)

Hi Maarten, I already excluded the tunneled network from monitoring side, but that didn't help either. The ping/snmp traffic is dropped on the management interface (as seen in the screenshot above, received unencrypted packet should be encrypted)

Actions

Jesus Cano in Installation, Maintenance, and Upgrades1 day ago (Show more)

Licenses after upgrade R80.10

Hi, I upgraded SMS (virtual) and gateways from R77.20 to R80.10. In SMS i did a clean install with migrate import. The only doubt is about licensing. I didnt touch anything about licenses in R80 after upgrade was done, so i dont know if i should install/attach the licenses in R80.10 for SMS or GWs. So how can i know if the nodes are working… (Show more)

5 repliesShow more activity

Günther W. Albrecht (to Maarten Sjouw) 2 hours ago (Show more Show less)

That is a good thing to keep the contracts clean - but will not help when the repository contains duplicate licenses. In SmartUpdate, the CK- s can be checked and duplicates found, but sometimes, you will not be able to find out which are the newest licenses generated for the CK. Then, it makes sense to - download all licenses from UC (again) or…

Actions

David Spencer in Installation, Maintenance, and Upgrades21 hours ago (Show more)

Identity Agent - disable exiting for existing agents

I've configured the global properties such that nac_agent_disable_quit has been enabled, however agents that are already deployed are able to exit the agent still. New deploys are correctly receiving this setting. What have people done to ensure this setting is changed for agents that are already deployed? Thanks

2 repliesShow more activity

Günther W. Albrecht (to David Spencer) 3 hours ago (Show more Show less)

This sounds like "as-it-is" as explained in the IA Admin Guide: You can change settings for Endpoint Identity Agent parameters to control Endpoint Identity Agent behavior. You can change some of the settings in SmartConsole and others using the Endpoint Identity Agent Configuration tool. In SmartConsole you can comfigure e.g. "Allow user to…

Actions

lfmm lfmm in Management2 days ago (Show more)

Hello, I have a cluster: gateway active-pasive, my pasive gtwy show this error: "Identity Awareness: Serious error", but I don't find any documentation for this issue. Please help. Attach images.

1 replyShow more activity

Günther W. Albrecht (to lfmm lfmm) 3 hours ago (Show more Show less)

It looks as like you should rather contact TAC !

Actions

Vladimir Yakovlev

in Management13 hours ago (Show more)

Can someone tell me what is this sku for?

Can't find it in $CPDIR/conf/cp.macro: CPSM-PU001-F-CLM Specifically the -F-CLM portion. Thank you, Vladimir

3 repliesShow more activity

Günther W. Albrecht (to Vladimir Yakovlev) 3 hours ago (Show more Show less)

That are really old licenses, i have found a document from 6.2008 with content from 2003-2007: CPMP-CLM Customer Log Module enables real-time log accumulation, tracking and SmartCenter on a dedicated log server for VPN-1 Pro Gateways. Licensed per number of log servers In 2011, the Multi-Domain R75v Licensing Primer explained the name changes:…

Actions

Tim McColgan in SandBlast Agent (Endpoint)8 months ago (Show more)

Export from excel to pdf

We are seeing an issue since we upgraded to client E80.83.5080. When a user saves an Excel file and chooses the File Type of PDF, an error will show up in Excel saying the document has not been saved. However, the strange thing is, the file will (sometimes) save. It seems that it saves when you try the save as PDF process after the first time with… (Show more)

16 repliesShow more activity

Willem Goethals (to Kim Moberg) 4 hours ago (Show more Show less)

Hello Kim, The issue was resolved in E80.87, yes. We mostly had problems exporting to pdf from Visio and Excel for example. We could remove Microsoft Corporation from the anti-ransomware Monitoring Settings excluded locations. I can only assume that all Microsoft products are again subject to TE. Default exclusions are Symantec, Trend Micro and…

Actions