Dear Community, as an ISP we are monitoring our costumer environments throug IPSec tunnels from our datacenter. I don't know why, but two of our Check Point installations are strange - I cannot access the secondary node through IPSec - other sites work well with the same design. One troublemaker runs an old VRRP cluster (R77.30), the other on…(Show moreShow less)
There is no way to do this indeed, as you say the traffic is decrypted on the active node and forwarded to the backup, and dropped there because it is cleartext. You cannot build separate tunnels to the different members.
Hello to all. I know that there is a CP command to view the status of the management server loading (for example after reboot). When the server boots, command output says that the server is in the process of initialization. When the command indicates that the status of the server is working, you can connect by the console. I used it in R80…(Show moreShow less)
Requirement: Exporting Check Point logs over Syslog (LogExporter) to SIEM. Dedicated SmrtEvent server with R77.30 GAIA OS Step 01: Check the current Hotfix install on SmartEvent server Using CLI: installed_jumbo_take and cpinfo -y all Using WebUI: "Status and Actions" section. Step 02: If take_338 or above is exit then skip this step…
Hi all, We run VSX 77.30 firewall with enabled IPS and HTTPS inspection. One HTTPS webpage uses large javaScript (.js) files, and the download is being dropped at 3.06 MB. I case we switch HTTPS interception off, everything works fine. There is no special log in the tracker - just that the traffic was allowed and then HTTPS-inspected. There is…(Show moreShow less)
Hello Checkmates, Does anyone know if - ISP Redundancy with more than two links (3 or more Internet links) - Policy Based Routing (route to different ISPs for different types or traffic and from different subnets) is going to supported anytime soon? There appears to be some enhancements in R80.30 for Advanced Networking in this regard…(Show moreShow less)
Can anyone explain clear about NTP server in checkpoint, how it's getting synchronization with other server time?. Also Share the steps to proceed in GUI and command which used in CLI for clear understanding.
Under R80.30 it is possible to encrypt CCP traffic. This is very useful to protect the cluster from manipulated CCP packets. Therefore new commands have been implemented on the CLI for this purpose. The following description shows you how to enable CCP encryption. All settings you make on the CLI are permanently stored in the following file…
Hi Community, I got a annoying strange behavior: Perimeter Checkpoint, Transfernet to Core Firewall with topoloy RFC1918 networks. New VPN tunnel with a /24 net from 10.0.0.0/8 range. Excluded tunneled network from address spoofing on external interface. Created a Group RFC1918 networks with Exclusion of tunneld /24 network. Set that…(Show moreShow less)
Hi Maarten, I already excluded the tunneled network from monitoring side, but that didn't help either. The ping/snmp traffic is dropped on the management interface (as seen in the screenshot above, received unencrypted packet should be encrypted)
Hi, I upgraded SMS (virtual) and gateways from R77.20 to R80.10. In SMS i did a clean install with migrate import. The only doubt is about licensing. I didnt touch anything about licenses in R80 after upgrade was done, so i dont know if i should install/attach the licenses in R80.10 for SMS or GWs. So how can i know if the nodes are working…(Show moreShow less)
That is a good thing to keep the contracts clean - but will not help when the repository contains duplicate licenses. In SmartUpdate, the CK- s can be checked and duplicates found, but sometimes, you will not be able to find out which are the newest licenses generated for the CK. Then, it makes sense to - download all licenses from UC (again) or…
I've configured the global properties such that nac_agent_disable_quit has been enabled, however agents that are already deployed are able to exit the agent still. New deploys are correctly receiving this setting. What have people done to ensure this setting is changed for agents that are already deployed? Thanks
This sounds like "as-it-is" as explained in the IA Admin Guide: You can change settings for Endpoint Identity Agent parameters to control Endpoint Identity Agent behavior. You can change some of the settings in SmartConsole and others using the Endpoint Identity Agent Configuration tool. In SmartConsole you can comfigure e.g. "Allow user to…
That are really old licenses, i have found a document from 6.2008 with content from 2003-2007: CPMP-CLM Customer Log Module enables real-time log accumulation, tracking and SmartCenter on a dedicated log server for VPN-1 Pro Gateways. Licensed per number of log servers In 2011, the Multi-Domain R75v Licensing Primer explained the name changes:…
We are seeing an issue since we upgraded to client E80.83.5080. When a user saves an Excel file and chooses the File Type of PDF, an error will show up in Excel saying the document has not been saved. However, the strange thing is, the file will (sometimes) save. It seems that it saves when you try the save as PDF process after the first time with…(Show moreShow less)
Hello Kim, The issue was resolved in E80.87, yes. We mostly had problems exporting to pdf from Visio and Excel for example. We could remove Microsoft Corporation from the anti-ransomware Monitoring Settings excluded locations. I can only assume that all Microsoft products are again subject to TE. Default exclusions are Symantec, Trend Micro and…