Baasanjargal_Ts
Baasanjargal_Ts inside Access Control Products 4 hours ago
views 77 2

Block all torrent sites to access

Hello, how do I block access to all torrent sites, for example https://thepiratebay.org etc.?
Serebryakov_Dmi
Serebryakov_Dmi inside Access Control Products 9 hours ago
views 89 3

Inspection Settings - Profile cloning feature required

Hi All, I'm a little confused by the impossibility of cloning an Inspection Profile in R80+ management (R80.20 and R80.30). Manage & Settings -> Inspection Settings -> Profiles. You can only make a new inspection profile. The `New` Inspection Profile is created with default settings (the same as the `Default Inspection` Profile): almost all parser settings are Inactive. Is there any way to make a `New` Inspection Profile the same as the `Recommended Inspection` Profile? A lot of movements and mouse clicks need to be done in order to bring the `New` Inspection Profile to a more or less normal (secure) state 🙂 since we use nearly all non-heavy-load inspections.
Fedor_Agafonov1
Fedor_Agafonov1 inside Access Control Products 19 hours ago
views 155 14

Content Awareness does not match to rule

Hello, We have two web sites: https://habr.com and https://habrastorage.org. habr.com uses images from https://habrastorage.org/. https://habrastorage.org/ is included in the URL Category File Storage and Sharing. We need to block the URL Category File Storage and Sharing, but images on habr.com need to work. We created two rules: 1. 2. but it isn't working... For example the image https://habrastorage.org/getpro/habr/post_images/b09/090/87b/b0909087b281cd74df8fc2de8735758b.png does not match the first rule; it matches the second rule.
Terri_Hawkins
Terri_Hawkins inside Access Control Products Wednesday
views 137 4

Seeing Odd Behavior in r80.20

We have recently upgraded our Management and Log servers and primary gateways to r80.20 and have been seeing odd behavior since then, just wondering if anyone else is.

1. We have had two instances where we have a firewall rule allowing a server to go out and get updates. The rule has been working for years. In the last week traffic has attempted to go out as normal but for a period of many hours the firewall could not match the normal rule and dropped it on the clean up rule. Both times this occurred in the evening when no one would have been attempting any changes or publishes of the rule. It just stops and drops, same source, same destination, same port.

2. We had another instance where traffic was being dropped and the log shows it on one rule number, but the rule number does not match the rule. If you click the rule number it goes to the correct rule. At the time the traffic was being dropped we were doing a test, no one was publishing anything that would have changed the rule number, it was just wrong. This was actually us trying to ping some devices inside our network from the gateway and we can suddenly no longer do that. It is dropping as unknown internal traffic.

3. We have two instances where people are trying to get to websites using https and their traffic is completely bypassing our access policy and going out a different port (so their websites never open). I can find no other object in the firewall for their workstations or the websites. All their other traffic works fine.

There have been other odd things that I just sort of wrote off when they occurred which I wish I had documented now, but in general, r80.20 just seems quirky, which is not good for a firewall. Is anyone else experiencing this type of behavior? I am getting ready to document everything I can and send it to support, but I'm not sure they can help with this type of inconsistent stuff. Any input is greatly appreciated.
Bob_Bent
inside Access Control Products Tuesday
views 156 3
Mod

Identity Awareness Reference Architecture and Best Practices Guide

Abstract Every IT organization can greatly enhance their security posture and increase the overall value of their network security deployment with contextual identity-based metadata. With our Identity Awareness API and integrations with leading directory stores and IAM vendors, Check Point security gateways fit well in large and small environments. To create a winning design that is satisfying to your customer’s end users and IT staff, start with an in-depth discovery process to better understand the customer’s topology, users, connected devices, identity sources and identity topology. Ask the right questions. Become familiar with all possible identity sources. Design your Check Point deployment with identity in mind. Understand identity, access flows and use cases. Understand the impact on users, on the identity sources and the Check Point infrastructure. Source: @Royi_Priov, @Tzvi_Katz
chuka
chuka inside Access Control Products Tuesday
views 551 5

Identity Awareness Issues after resetting AD service account

Hello All, I am running an environment with R80.10 and AD Query enabled for my gateways. All had been well until we had to perform a yearly password rotation for service accounts. After the service account change, rules based on ID management and Mobile Access authentication via AD stopped working. I have updated the LDAP Account object with the new passwords, yet the issue still persists. Output of adlog a dc shows the gateways are connected to the DCs. Output of the Test_ad_Connectivity tool returns a success status. At this point I don't know what else to check; any ideas on how to resolve this? Regards.
Ramawatar_Maury
Ramawatar_Maury inside Access Control Products Tuesday
views 15746 4 7

VPN Troubleshooting Commands

Command                                          Description
vpn tu                                           VPN utility, allows you to rekey vpn
vpn ipafile_check ipassignment.conf detail       Verifies the ipassignment.conf file
dtps lic                                         Show desktop policy license status
cpstat -f all polsrv                             Show status of the dtps
vpn shell                                        Start the VPN shell
vpn shell /tunnels/delete/IKE/peer/[peer ip]     Delete IKE SA
vpn shell /tunnels/delete/IPsec/peer/[peer ip]   Delete Phase 2 SA
vpn shell /show/tunnels/ike/peer/[peer ip]       Show IKE SA
vpn shell /show/tunnels/ipsec/peer/[peer ip]     Show Phase 2 SA
vpn shell show interface detailed [VTI name]     Show VTI detail
vpn debug ikeon|ikeoff                           Debug IKE into $FWDIR/log/ike.elg. Analyze ike.elg with the IKEView tool
vpn debug on|off                                 Debug VPN into $FWDIR/log/vpnd.elg. Analyze vpnd.elg with the IKEView tool
vpn debug trunc                                  Truncate and stamp logs, enable IKE & VPN debug
vpn drv stat                                     Show status of VPN-1 kernel module
vpn overlap_encdom                               Show, if any, overlapping VPN domains
vpn macutil <user>                               Show MAC for Secure Remote user <user>
vpn ver [-k]                                     Check VPN-1 major and minor version as well as build number and latest hotfix. Use -k for kernel version
Krishna
Krishna inside Access Control Products Monday
views 307 2

Post-Encrypt traffic is not visible in Fw monitor. Other end FW is not receiving traffic sent by me

Below are the logs collected from the primary gateway of my firewall. In "O" the source IP is getting NATed to the NAT IP and then pre-encrypt is shown, and I am not receiving the POST-encrypt packet. The other end firewall is not observing any traffic.

[vs_0][fw_2] eth1:i[60]: 10.140.96.6 -> 10.232.144.14 (TCP) len=60 id=42611
TCP: 40768 -> 515 .S.... seq=24587d9c ack=00000000
[vs_0][fw_2] eth1:I[60]: 10.140.96.6 -> 10.232.144.14 (TCP) len=60 id=42611
TCP: 40768 -> 515 .S.... seq=24587d9c ack=00000000
[vs_0][fw_2] eth0:o[60]: 10.140.96.6 -> 10.232.144.14 (TCP) len=60 id=42611
TCP: 40768 -> 515 .S.... seq=24587d9c ack=00000000
[vs_0][fw_2] eth0:O[60]: 10.40.112.6 -> 10.232.144.14 (TCP) len=60 id=42611
TCP: 40768 -> 515 .S.... seq=24587d9c ack=00000000
[vs_0][fw_2] eth0:e[60]: 10.40.112.6 -> 10.232.144.14 (TCP) len=60 id=42611
TCP: 40768 -> 515 .S.... seq=24587d9c ack=00000000
Di_Junior
Di_Junior inside Access Control Products a week ago
views 1026 9

URL Filtering access to a specific link

Hi Mates, We are trying to allow a link to a specific YouTube video using a custom application/site in Application and URL Filtering. What is happening is that when we copy the URL from the browser, create the custom application/site and use it in the rule with an Access Role, the users in the access role are only able to play the video up to the minute/second at which the link was copied from the browser. After reaching that time, the video no longer plays. Any help as to what could be the reason behind this behavior? Is there anything we are missing? The blade is enabled, HTTPS is enabled as well. We are using R80.20. Thanks in advance
Zocki82
Zocki82 inside Access Control Products a week ago
views 300 3

Installation error message with new custom Identity Agent version

Hello all, we plan to enroll a new Identity Agent version (R80.181) to our systems. The old one was a custom-built Identity Agent and we used the same settings for the new package: Installation Type = Per-computer, Installation UI = Basic, Agent Type = Custom, Custom Features = MAD Service, Copy configuration from this computer = checked. When installing the new package (as a local administrator) we get the following error: “Sorry, but this feature was disabled by the administrator.” The same error appears when building another custom Identity Agent and disabling the MAD Service or using the Full Agent as Agent Type. When just clicking the OK button, the agent is installed successfully and connected, but we want to get rid of this error message, which irritates users. Does anyone have a clue which configuration option leads to this error? Thanks, Oliver
Peter_Elmer
inside Access Control Products a week ago
views 445 1 6
Employee

HTTPS Inspection and website categorization improvements introduced in R80.30

In this training video you will learn the benefits of the improvements for HTTPS inspection introduced in R80.30. In the R80.30 release the SNI field is evaluated in a secure way when matching the HTTPS inspection policy. In addition, the SNI field is evaluated in a secure way when websites are categorized without HTTPS inspection being enabled. The video contains referrals to recommended readings and presents a starting point to understand the fundamentals of HTTPS inspection and website categorization used for granular application control and URL filtering.
Pantsu
Pantsu inside Access Control Products 2 weeks ago
views 873 6

identity awareness terminal server in r80.20

Hello. I have URL filtering in Check Point and it filters traffic by username. I've activated Identity Awareness with AD Query and it is working normally for computers, but I have a terminal server where many users are connected. I've installed the terminal agent software and on the Check Point side I've activated terminal server with a shared secret in Identity Awareness. When I try to connect from the terminal server agent it stays disconnected and in the logs it says that the domain cannot be found. If I delete the shared secret from the terminal agent then it is connected, but in the Check Point log the traffic is dropped because there is no shared secret. Please help.
Duane_Monroe1
Duane_Monroe1 inside Access Control Products 2 weeks ago
views 259 1

Identity Awareness - Browser-Based Authentication - Radius - Identity Sharing

I have 2 security appliances running Identity Awareness using Browser-Based Authentication with Radius. The Portal runs on Appliance A. Appliance B has the Portal Network Location set to Appliance A. An Identity Rule is installed on Appliance A & B that should allow this traffic if Appliance B is aware of my identity. If I am on a network behind Appliance A and authenticate with the Portal, Appliance B will not let me through the Firewall based on my Identity. Appliance A will allow traffic through its firewall based on my Identity. I do have "Get Identities from other gateways" enabled on Appliance B and defined as Appliance A. From what I understand, Identity Sharing only works with AD Query. I am using Radius. I do not want users to be required to authenticate with multiple portals. Providing access based on identity rather than location on the network is a requirement of the implementation. I am not interested in authentication based on AD credentials. I know AD would work but we don't trust AD credentials. Is this possible?
Mike_Jensen
Mike_Jensen inside Access Control Products 2 weeks ago
views 413 6

R80.10 VPN Performance 2200 Appliance

Hello, My environment has a Headquarters with an HA pair of 15,400's running R80.10. We have a DR site with a 2200 appliance and a 100Mbps public internet connection, and the two sites communicate through an IPSEC VPN. When the 2200 at the DR site was still on R77.30 and the Headquarters security gateways on R80.10 I was using AES-256 and SHA 384 for the encryption and everything worked fine. After upgrading the DR site's 2200 to R80.10 I started noticing that a nightly backup job that copies data from the Headquarters site to the DR site started taking several more hours than it did before. I lowered the encryption on the VPN community to AES-128 and SHA 256 and the backup time improved by about an hour, but it is still nowhere near as fast as it was when the 2200 was running R77.30. When I look at the 2200 spec sheet it seems as if this security gateway should be able to handle this throughput. Is it known that R80.10 will have an impact on performance such as described above? If so, does anyone have any specific details on why? I think I need to try and convince my leadership to purchase a more powerful security gateway for our DR site. Thank you.
Alex_Shpilman
Alex_Shpilman inside Access Control Products 3 weeks ago
views 1617 5

Identity Collector pxGrid parsing issue

Hi, I have Identity Collector integrated with AD and Cisco ISE. The users' information coming from AD is based on logon names, while ISE pxGrid is based on UPNs. When the user information from ISE is passed to the secure gateway, it can't find a match in AD. For O365 compatibility, the UPNs are equal to the email addresses, while the logon names are in a different format, so the IDC alias feature can't resolve the issue. Is there a way to change the method IDC uses to parse the bulk connection table downloaded from Cisco ISE? Any other ideas? I logged a TAC case and was advised to change the IDC UserLoginAttr using GuiDBEdit under the relevant gateway, which didn't make any difference. Thanks!