Access Control Products

Have questions about Application Control, URL Filtering, Site-to-Site IPsec VPN, Network Address Translation, Identity Awareness, and other related technologies? This is the place to ask!

Gregory_Link inside Access Control Products 5 hours ago
views 13 1

Reason why Checkpoint doesn't like my regex block for C2 traffic?

Trying to implement a regex block from a threat feed for known C2 traffic on app/url blade and policy will not install.  The only thing I noticed is the + operator that Checkpoint doesn't appear to like.  However, this conforms to PCRE format when I test on regex101.  Has anyone else dealt with this and how have you addressed it? ^https?:\/\/[^\x2f]+\/(?:[a-zA-Z0-9\._-]+\/)+[1-3]c\.jpg$
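Added example, not from the post above and not Check Point code: it runs the posted pattern through Python's re engine (a PCRE-style dialect, like the flavour regex101 was set to) against constructed URLs, and compares it with a rewrite that drops the `\/` and `\x2f` escapes, which carry meaning only inside PCRE /.../ delimiters. The sample URLs are made up. Whether the URL Filtering blade's parser accepts `\x2f` or the nested `+` quantifier is not something this can decide; what it gives you is a way to confirm that any rewrite you try keeps the same verdicts before you install policy.

```python
import re

# Pattern exactly as posted in the thread (PCRE syntax).
POSTED = r"^https?:\/\/[^\x2f]+\/(?:[a-zA-Z0-9\._-]+\/)+[1-3]c\.jpg$"

# Conservative rewrite: "\/" is just "/", and "\x2f" is the hex escape for "/".
# Anchors, groups, quantifiers and classes are kept verbatim.
SIMPLIFIED = r"^https?://[^/]+/(?:[a-zA-Z0-9\._-]+/)+[1-3]c\.jpg$"


def simplify(pattern: str) -> str:
    """Rewrite '\\/' and '\\x2f' as a plain '/'. Safe here because '/' is not a
    regex metacharacter; it is only special as a PCRE delimiter."""
    return pattern.replace(r"\/", "/").replace(r"\x2f", "/")


def matches(pattern: str, url: str) -> bool:
    return re.match(pattern, url) is not None


def classify(pattern: str, urls) -> dict:
    """Map each URL to whether the pattern matches it."""
    return {u: matches(pattern, u) for u in urls}


def agree(p1: str, p2: str, urls) -> bool:
    """True when both patterns give the same verdict on every URL."""
    return classify(p1, urls) == classify(p2, urls)


# Constructed sample URLs (made up for this example, not taken from any feed),
# with the verdict the posted pattern is meant to give.
EXPECTED = {
    "http://198.51.100.7/a/b/2c.jpg": True,
    "https://cdn.example/img/1c.jpg": True,
    "https://cdn.example/x-y.z_/deep/er/3c.jpg": True,
    "https://cdn.example/1c.jpg": False,          # at least one directory segment required
    "https://cdn.example/img/4c.jpg": False,      # digit must be 1-3
    "https://cdn.example/img/2c.jpg?x=1": False,  # anchored with $, no query string allowed
    "https://cdn.example/img/2c.jpeg": False,     # literal ".jpg"
    "ftp://cdn.example/img/2c.jpg": False,        # only http/https
    "https://cdn.example//img/2c.jpg": False,     # empty segment: class needs 1+ chars
}


def verify(pattern: str) -> bool:
    """True when the pattern reproduces every expected verdict."""
    return classify(pattern, EXPECTED) == EXPECTED


if __name__ == "__main__":
    for name, pat in (("posted", POSTED), ("simplified", SIMPLIFIED)):
        print(f"{name}: {'ok' if verify(pat) else 'MISMATCH'}")
    print("equivalent on samples:", agree(POSTED, SIMPLIFIED, EXPECTED))
```

If a candidate rewrite for the blade fails `verify`, it does not block the same URLs as the feed entry, whatever the policy installer says about it.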
Alex_Sykes inside Access Control Products 11 hours ago
views 24

Identity Awareness failsafe

Hi,

We're deploying new gateways heavily reliant on IA and we've had a few IA problems, most of which are resolved now fortunately; however, we're looking at a failsafe should IA not work again. Does anyone on here have any recommendations?

Captive Portal is one option, but that will only work for HTTP/s applications (unless I'm mistaken). What happens if IA fails and users need to access applications using SSH or any other non-HTTP/s protocol?

Thanks
Alex
Garrett_Anderso inside Access Control Products yesterday
views 859 16

HTTPS Inspection documentation for R80.30

Update: I incorrectly referenced one of the two primary "HTTPS INSPECTION" SK articles. The fundamental argument that CP has not updated its documentation/guides/SKs/etc. for R80.30 is still true. My last quote below sums up the two primary articles. Thanks to @Dale_Lobb for identifying the SK problem.

Hello - I've been poking around looking for full details (and best practices) for the use of HTTPS inspection with R80.30+. SK108202 "Best Practices - HTTPS Inspection" specifically states "This sk is not relevant to R80.30". The next logical question: "where is the updated SK document that does apply to R80.30?" What is a customer supposed to think when encountering this information?

The "new" HTTPS inspection features of R80.30 are native to the code (and not a hotfix like previous releases). I just had a conversation with a customer that relayed various conversations he had with CP folks at the last CPX. In the large majority of conversations, the various CP folks stated "just turn ON HTTPS inspection", grossly oversimplifying a complicated topic.

My point: HTTPS inspection is important, we should be encouraging customers to use it (at least start testing), R80.30 includes the latest and greatest features, and I can't find a unified document that consolidates and showcases all the features and discusses best practice recommendations (for use and performance). I suggest such a consolidated "one stop shop" for this information is critical. I wasn't able to find one in the R80.30 docs, KB, or community using the search strings "https decryption" or "https inspection". I was trying to simulate what a customer would search for if they wanted to locate this information. Please fix this issue. Thanks in adv. -GA
rdegoix inside Access Control Products yesterday
views 44

Increase of "out of state packet"

Hello, I received from our SOC a report that the "out of state packets" have increased (skyrocketed) since the 23rd of October. We still had some of these out of state packets in the past, and that makes sense to me... In the month of November we got around 15 million dropped packets, most of them related to "out of state packet" (in September, around 2-3 million dropped packets).

The flow generating this "out of state packet" is the following, a flow back from our proxy to a user: source port: 80 - destination port: dynamic / src IP: Proxy-IP (Blue-Coat), dst IP: random_user (not related to a specific user).

I checked on the Check Point side whether something had been enabled or disabled before the 23rd of October (Global Properties > Stateful Inspection > out of state, and also checking the aggressive aging on the HTTP service, which is still enabled). But I'm not able to explain why an increase like that (x6-7 of out of state packets, and related to the same kind of flow)... Maybe it's more related to our Blue-Coat proxy; I tried to check if some parameters had been modified (hard to get an audit from more than 1 month ago...).

Just in case you can provide me some new ideas about this topic 😉 Thanks for your support! Regards, Robin.
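Added example, not part of Robin's post: a small Python aggregator over constructed, simplified drop records (not real Check Point log exports; the proxy address and every flow in it are made up) that computes the month-over-month growth of out-of-state drops and the share of them carried by a single source signature. Pointed at real exported drop logs with the same fields, it answers the question the post raises: whether the increase really is concentrated in the proxy:80 to client return path rather than spread across everything.

```python
import re
from collections import Counter

# Assumed address of the Blue Coat proxy (made up for this example).
PROXY_IP = "10.0.0.5"

# Constructed drop records in a simplified key=value form. They are NOT real
# Check Point log exports; only the fields needed for the analysis are kept.
SAMPLE_LOGS = """\
2019-09-03T10:01:00 action=drop src=10.0.0.5 s_port=80 dst=10.1.2.3 d_port=51234 reason="out of state"
2019-09-12T14:22:10 action=drop src=10.0.0.5 s_port=80 dst=10.1.7.9 d_port=60211 reason="out of state"
2019-09-20T08:15:42 action=drop src=203.0.113.8 s_port=4444 dst=10.1.2.3 d_port=22 reason="rule 99"
2019-11-01T09:00:01 action=drop src=10.0.0.5 s_port=80 dst=10.1.2.3 d_port=50001 reason="out of state"
2019-11-02T09:05:11 action=drop src=10.0.0.5 s_port=80 dst=10.1.4.4 d_port=50102 reason="out of state"
2019-11-04T10:12:33 action=drop src=10.0.0.5 s_port=80 dst=10.1.9.1 d_port=50233 reason="out of state"
2019-11-05T11:20:45 action=drop src=10.0.0.5 s_port=80 dst=10.1.2.3 d_port=50344 reason="out of state"
2019-11-07T12:31:02 action=drop src=10.0.0.5 s_port=80 dst=10.1.6.6 d_port=50455 reason="out of state"
2019-11-08T13:45:19 action=drop src=10.0.0.5 s_port=80 dst=10.1.7.9 d_port=50566 reason="out of state"
2019-11-11T14:50:27 action=drop src=10.0.0.5 s_port=80 dst=10.1.3.3 d_port=50677 reason="out of state"
2019-11-12T15:03:38 action=drop src=10.0.0.5 s_port=80 dst=10.1.8.8 d_port=50788 reason="out of state"
2019-11-14T16:14:49 action=drop src=10.0.0.5 s_port=80 dst=10.1.2.3 d_port=50899 reason="out of state"
2019-11-15T17:25:50 action=drop src=10.0.0.5 s_port=80 dst=10.1.5.5 d_port=50910 reason="out of state"
2019-11-18T18:36:01 action=drop src=10.0.0.5 s_port=80 dst=10.1.4.4 d_port=51021 reason="out of state"
2019-11-20T19:47:12 action=drop src=10.0.0.5 s_port=80 dst=10.1.9.1 d_port=51132 reason="out of state"
2019-11-19T11:11:11 action=drop src=10.1.5.5 s_port=443 dst=10.1.2.3 d_port=50555 reason="out of state"
2019-11-25T16:40:00 action=drop src=203.0.113.8 s_port=4444 dst=10.1.2.3 d_port=22 reason="rule 99"
"""

LINE_RE = re.compile(
    r'^(?P<time>\S+) action=(?P<action>\w+) src=(?P<src>\S+) s_port=(?P<s_port>\d+) '
    r'dst=(?P<dst>\S+) d_port=(?P<d_port>\d+) reason="(?P<reason>[^"]*)"$'
)

OUT_OF_STATE = "out of state"


def parse(text: str) -> list:
    """Parse the constructed record format; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def month_of(rec: dict) -> str:
    return rec["time"][:7]  # YYYY-MM


def monthly_counts(records, reason: str = OUT_OF_STATE) -> Counter:
    """Drops per month for one drop reason."""
    return Counter(month_of(r) for r in records if r["reason"] == reason)


def growth(counts: Counter, earlier: str, later: str) -> float:
    """Ratio later/earlier; inf when the earlier month had no such drops."""
    return counts[later] / counts[earlier] if counts[earlier] else float("inf")


def dominant_flow(records, month: str, reason: str = OUT_OF_STATE):
    """((src, s_port), share) for the most common source signature among
    `reason` drops in `month`; (None, 0.0) when there are none."""
    sigs = Counter((r["src"], r["s_port"]) for r in records
                   if month_of(r) == month and r["reason"] == reason)
    if not sigs:
        return None, 0.0
    (sig, n), = sigs.most_common(1)
    return sig, n / sum(sigs.values())


def proxy_return_share(records, month: str) -> float:
    """Share of the month's out-of-state drops that are proxy:80 -> client traffic."""
    sig, share = dominant_flow(records, month)
    return share if sig == (PROXY_IP, "80") else 0.0


if __name__ == "__main__":
    recs = parse(SAMPLE_LOGS)
    counts = monthly_counts(recs)
    print("out-of-state per month:", dict(counts))
    print("growth Sep -> Nov: x%.1f" % growth(counts, "2019-09", "2019-11"))
    print("proxy:80 share in Nov: %.0f%%" % (100 * proxy_return_share(recs, "2019-11")))
```

A share close to 100% for one signature says the gateway is dropping server-to-client packets for which it no longer holds a connection entry on that path, which narrows the search to what sits on it (proxy, session timeouts, asymmetric routing) rather than to the rulebase as a whole.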
CSR inside Access Control Products Tuesday
views 232 7

SHA-512 unavailable for hashing method in Checkpoint Firewall

Hi Team, SHA-512 is not available as a hashing option in Checkpoint Firewall to configure in a VPN community. I checked the same on R80.30 as well, but it's still not feasible. Screenshot attached below. When can we expect SHA-512 to be included in the configuration, as nowadays many clients ask to use SHA-512 for integrity? Thanks, CSR. Mobile: +91 971 727 2237

Re: VPN from a non-internet interface

The gateway listens on all interfaces for VPN connections; it is not limited to the Internet side of things. Making sure a specific IP/interface is used for initiating or responding to a VPN is done by setting up Link Selection in the gateway object under IPsec VPN. First you can set up the main IP for the tunnel to use, and next to that you can also set the responding IP (in the source settings).
MattDunn inside Access Control Products Monday
views 104 1

Cluster Performance Question

Hi all, I seem to recall hearing some time ago that there was a performance hit for the more cluster members you added to a cluster. Is this still an issue in R80.30? (or was it ever an issue?!) I have a cluster of two gateways and want to add a 3rd cluster member in my DR site, so all the interfaces would be trunked via a 10Gb circuit between the main office and the DR site, and the ISP can route the public IPs to the DR site if the primary site went down. Latency over the circuit is very low. Are there any other performance-type issues that might trip me up? Thanks.
elbrabra_94 inside Access Control Products Monday
views 329 7

FW rules base on HTTP/HTTPS application without application control license

Hello, we would like to create FW rules to only authorize HTTP and HTTPS traffic (without decrypting HTTPS traffic) regardless of the port used (standard or not). Is this feasible without an Application Control license? Thank you very much for your feedback. Regards
Wolfgang inside Access Control Products Monday
views 160 3

Manually defined encryption domain via user_early.def

Hello CheckMates, I had a customer who is using a manually defined encryption domain for some of the remote third-party VPN peer gateways. Normally this is done via the user.def file and entries for "subnet_for_range_and_peer"... But in this environment the customer is using the "user_early.def" file in the same directories, and the syntax in the file is the same as in user.def. Does anyone know this? I have never used "user_early.def" for this kind of configuration. Regards, Wolfgang
Shahar_Grober inside Access Control Products Saturday
views 897 11

O365 + HTTPS Inspection + Bypass

Hi All, This issue has been discussed before. I have a few questions about this issue. I am running App Control + HTTPS Inspection in R80.20. In the HTTPS Inspection policy, I bypassed the Microsoft and Office365 services category as in the below rule, but traffic to Office365 is still inspected by HTTPS Inspection. So in order to mitigate it, I had to create a custom category with all Office365 and MS domains.

My questions are:
1. Is the fact that the "Microsoft & Office365 services" category does not resolve Microsoft & Office365 URLs/domains a bug in R80.20?
2. Is there a way to make it work in R80.20 without adding all Microsoft domains to the bypass rules (and without waiting for R80.40)? (sk104564 discusses adding manual domains, but it refers to R70.20 only. If it is relevant to R80.20 as well, please update the SR.)
3. It is discussed that activating "enhanced_ssl_inspection" can help with this issue. What is this exactly and how can it be achieved?
HeikoAnkenbrand inside Access Control Products Saturday
views 180 1 4

Readme with more update information!

It happens more and more often that features in blades don't work the way they did before. After the update to the new version we have to look for the solution in SKs or open a TAC ticket. Could you please better document the readmes of the new versions with the changes from the old versions?

Solution: a diagram in the readme (or an SK) that gives us the information we need in advance, so we don't run into the issues first. Here are a few examples of bugs that would have been avoidable:

1) R80.10 to R80.20 --> (sk162637) ClusterXL in Load Sharing mode is not supported with the IPsec VPN blade enabled. From my point of view this must be written in thick red in the readme. Now, for R80.20 and above, ClusterXL Load Sharing mode is available with the following Jumbo Hotfixes: R80.20 HF 117 or R80.30 HF 76 and above.

2) R80.x to R80.30 --> user.def encryption domain entries don't work anymore if you haven't set a special kernel parameter (I can't find the SK at the moment).

3) R80.10 to R80.20 -> supernetting behavior with 3rd party VPN -> (sk101219) From R80.20, you can disable supernetting behavior with 3rd party VPN devices per specific community. That way you can migrate to a non-supernetting environment gradually, community by community. This process requires configuration changes on the 3rd party peers as well. Before R80.20, the global parameter ike_enable_supernet determined supernetting behavior for all 3rd party devices.

4) R80.xx to R80.30 -> fw_clamp_tcp_mss -> (sk61221) This is a global parameter in R80.30, and will be applied to all Security Gateways / Clusters that are managed by this Management Server, depending on the value of the kernel parameter "fw_clamp_tcp_mss" on the Security Gateways / Cluster Members via guidbedit.

5) R80.xx to R80.30 -> HTTPS inspection -> (sk104717) This section is irrelevant for R80.30 and above, since a new probe mechanism was introduced (enabled by default); customers should NOT use the 'old' mechanism (enhanced_ssl_inspection).
MMMiller60 inside Access Control Products Friday
views 479 10

/30 and /26 to ISP without a router

Hi All, I hope I'm posting correctly here. It's one of my first posts; I apologize if I'm in the wrong place. I've raised the question with TAC, but it's been days and I still can't seem to get a clear answer. We are running Gaia 80.30 jhft50 on our gateway appliance; management is separate. We have a /30 and a /26 of usable IPs from our ISP. We have always used a router between the gateway and the ISP, with the router having one interface in the /30 and one in the /26; then our gateway has an IP in the /26 and the router as its default route. We do 1-to-1 static NATs for any IP we want to use in the /26.

Can this be done without the router? Can I just give the gateway an IP in the /30 and set the default route to the ISP router, also in the /30? I think outbound should be fine, it will just take the default route to the ISP, but I'm worried about inbound traffic for the /26 NATs. I know our ISP has routes pointing all the traffic for our /26 IPs to our IP in the /30, but once the traffic gets to the gateway, will the gateway accept the traffic for the /26 when its IP for that interface is in the /30, not the /26? If not, is there a solution to make this work? I was thinking maybe of using a layer 2-3 bridge to pin an IP from the /26 to that interface in the /30; could that do the trick? TAC at one point mentioned proxy ARP; maybe that's what I need, but I'm not sure; it seems tedious, one for every NAT. Any help would be appreciated, thanks!
Quangui_Ou inside Access Control Products Thursday
views 159 1

VPN traffic action is accepted instead of being encrypted

Hi, I have a Check Point 5800 NGTP security gateway. I have set up a route-based site-to-site VPN with a Cisco router. Sometimes I find the traffic action is Accept instead of Encrypt. If I turn off the VTI interface and turn it on again, the VPN traffic is encrypted again and the VPN works normally for a period of time. After a while the issue appears again. How can I figure out this issue?
sajin inside Access Control Products a week ago
views 314 13 1


Hi, I found that the Checkpoint HTTPS Inspection cert is SHA-1, and as it is outdated we should move forward to SHA-256. I followed sk115894, but when accessing, the browser is not trusting the certificate. Kindly help on resolving this issue.
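Added example, not from the post or from sk115894: a Python script driving the openssl CLI (assumed to be on PATH) to reproduce the trust failure in a lab rather than in a browser. It creates two self-signed inspection CAs, issues a server certificate under the new one the way the gateway does for each inspected site, reports the certificate's signature algorithm (the check for "is it really SHA-256 now?") and then tests which CA a client needs in its trust store to accept the leaf. Both CAs are SHA-256 signed here (the digest is a parameter; whether a client trusts the chain does not depend on it). All names are made up.

```python
import subprocess
import tempfile
from pathlib import Path


def _openssl(*args) -> subprocess.CompletedProcess:
    """Run an openssl subcommand and fail loudly on a non-zero exit."""
    return subprocess.run(["openssl", *args], check=True,
                          capture_output=True, text=True)


def make_ca(workdir: Path, name: str, digest: str = "sha256") -> Path:
    """Self-signed CA signed with `digest` (sha256 here). Returns the cert path."""
    key, cert = workdir / f"{name}.key", workdir / f"{name}.pem"
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", f"-{digest}",
             "-days", "1", "-keyout", str(key), "-out", str(cert),
             "-subj", f"/CN={name}")
    return cert


def issue_leaf(workdir: Path, ca_name: str, site: str) -> Path:
    """Leaf certificate for an inspected site, signed by the named CA, as the
    gateway does on the fly for each HTTPS server it inspects."""
    key, csr, cert = (workdir / f"{site}.key", workdir / f"{site}.csr",
                      workdir / f"{site}.pem")
    _openssl("req", "-new", "-newkey", "rsa:2048", "-nodes",
             "-keyout", str(key), "-out", str(csr), "-subj", f"/CN={site}")
    _openssl("x509", "-req", "-in", str(csr),
             "-CA", str(workdir / f"{ca_name}.pem"),
             "-CAkey", str(workdir / f"{ca_name}.key"), "-CAcreateserial",
             "-sha256", "-days", "1", "-out", str(cert))
    return cert


def signature_algorithm(cert: Path) -> str:
    """Signature algorithm as openssl prints it, e.g. 'sha256WithRSAEncryption'.
    This is the field to check on the CA exported from the gateway."""
    text = _openssl("x509", "-in", str(cert), "-noout", "-text").stdout
    for line in text.splitlines():
        if "Signature Algorithm:" in line:
            return line.split(":", 1)[1].strip()
    raise ValueError("no Signature Algorithm line in certificate text")


def trusted_by(ca_cert: Path, leaf: Path) -> bool:
    """True when `leaf` chains to `ca_cert`, i.e. a client holding only that
    CA in its trust store would accept the inspected site's certificate."""
    r = subprocess.run(["openssl", "verify", "-CAfile", str(ca_cert), str(leaf)],
                       capture_output=True, text=True)
    return r.returncode == 0


def demo():
    """Returns (new CA signature algorithm, trusted by new CA, trusted by old CA)."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        old_ca = make_ca(work, "old_inspection_ca")
        new_ca = make_ca(work, "new_inspection_ca")
        leaf = issue_leaf(work, "new_inspection_ca", "www.example.test")
        return (signature_algorithm(new_ca),
                trusted_by(new_ca, leaf),
                trusted_by(old_ca, leaf))


if __name__ == "__main__":
    alg, by_new, by_old = demo()
    print("new CA signature algorithm:", alg)
    print("leaf accepted with new CA in trust store:", by_new)
    print("leaf accepted with only old CA in trust store:", by_old)
```

The last line of the output is the situation the post describes: a gateway that now issues under a new CA while clients still hold only the old one in their trust store. Replacing the CA on the gateway and distributing the new CA certificate to clients are two separate steps, and the browser warning goes away only after the second one.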
Wang inside Access Control Products a week ago
views 197 4

ISP redundancy configuration in primary/backup mode, link switching will result in NAT mapping error

Hi engineers, I have a problem. When ISP redundancy is configured in primary/backup mode and I switch the link to the backup link, the NAT mapping address is still the public address of the primary link, not the public address of the backup link. When I change the network address hide to the gateway and switch the main link to the backup link, there is no NAT mapping error.