Access Control Products

Have questions about Application Control, URL Filtering, Site-to-Site IPsec VPN, Network Address Translation, Identity Awareness, and other related technologies? This is the place to ask!

Kamiar_Sh inside Access Control Products an hour ago
views 5808 25 2

Enable DPD on R80.20

Hi everyone,

I have upgraded R77.30 to R80.20 recently and I am new to R80.20. I have 20 IPsec tunnels terminated on my cluster firewalls, and here is my question:

1. There is an issue on one IPsec tunnel with a 3rd party and I need to enable DPD mode (the tunnel is not permanent). If I enable DPD mode, is there any impact on the other tunnels?

Here is the tunnel config:
IKEv1
Phase 1
AES-256
SHA-256
DH: Group 5
Renegotiation IKE security: 1440 minutes

I would appreciate it if someone can assist me to resolve the issue.
Arun_Malipatil1 inside Access Control Products 2 hours ago
views 163 6

Check Point URLF for inbound traffic

We use Check Point URL filtering for controlling access to websites hosted outside the organization, and we follow a blacklisting mechanism to block access to a particular website. Now, in my scenario, I have a web server (behind the CHKP FW) hosting multiple websites using the same IP (CHKP) and port 80 for all the websites. The differentiation of each site can be done using the unique HTTP attribute called the Host header.

My questions:
1. Is there a way we can use URL filtering to block access to a few of my web servers from the Internet?
2. If not, do we have any other way?

Note: As both IP addresses and port numbers are the same for all the internal web servers, I cannot use NAT and the FW rule base to block certain sites.
thevvk inside Access Control Products 2 hours ago
views 281 11

VPN/SSH connection disconnected during data transfer

Hi, we are using Global VPN to connect with one of our clients to access their servers, but when we are trying to transfer data through the WinSCP application, the SSH and Global VPN get disconnected. As we checked, there is no restriction from the client side. The same data transfer is working with mobile hotspot tethering, but we are having a problem when we are using our company network. In our company we are using a Check Point firewall (5400), and we have enabled communication to the client's public IP in our Check Point access rule.
Alan_Camelo1 inside Access Control Products 9 hours ago
views 76 4

Domain based VPN to ANY (R80.20 question)

Hi All,

I am trying to create a VPN to a 3rd party using a backup tunnel where possible, using a destination of ANY on http/https. I only want this rule to be hit after other rules that will NOT route through the tunnel, so it will be lower in the rule base. My questions are:

1. Can I use a VPN to ANY using Domain based VPN, as I only want this rule to be hit after other rules have been satisfied?
2. When defining the local domain, do I just add it to the Topology/VPN part? What if other subnets exist, do they need to be added to the SA?
3. Can I add a backup tunnel into the star community? If so, what is the metric or mechanism that says primary is A, secondary is B?

Thanks in advance
Al
RoD inside Access Control Products yesterday
views 126 7

HTTPS Inspection and P-521 certificate

Hi,

I have a question about site-to-site VPN with P-521 ECC encryption and HTTPS Inspection. Is it possible to have two certificates for HTTPS Inspection, one RSA 2048 certificate for websites and a second P-521 ECC certificate for the site-to-site VPN?

Thanks
Trey_Havener inside Access Control Products yesterday
views 6020 22 2

UserCheck Block Page Times Out

We just cut over to our 5400 cluster, and during testing the Block Page displayed fine. Today during the cutover, however, the block page seems to keep timing out. We aren't doing much on the block page but telling them why they were blocked and to contact us if they feel it's in error. If I open an incognito tab, sometimes that will work, but most of the time it times out as well. I have a ticket open but wanted to see if anyone else has had this problem. We aren't doing any HTTPS inspection... not ready for that nightmare. Just URL filtering.
FWNinja inside Access Control Products yesterday
views 62 1

UserCheck Portal Customization - URL Filtering Block Page

Hi guys,

I'm trying to configure the UserCheck Portal for the URL Filtering Block Page. I need the user to be able to send an email through a link in the UserCheck Portal Block Page in order to request a specific URL whitelist. Is it possible?

Thanks
BR
Francesco

Best Practice of o365 and on-prem gateways

I have a customer that is looking for "best practices" for on-prem gateways integrating with o365. They had some major latency and an outage which ended up being ISP related, but it spawned a complete integration review from MSFT to the network team and to Check Point.

Specifically they are asking me for best practices. I don't think anything like that exists. I have asked my internal Check Point resources, so some of you may have seen this question in your internal groups. I would think if there are any best practices it's around HTTP/S and SSL inspection, since that's really what o365 is. Application control comes into play, but I don't think there are "best practices" for application control and o365 as it's pretty self-explanatory.

Anyway, I started this thread to cover all of my bases. Does anyone know if there are any Check Point sanctioned best practices for integrating o365 with on-prem gateways?

Thanks,
Paul

Request to add application for inspection

So, what's the right way nowadays to request an application to be added for inspection? I want "MSP360™ (CloudBerry) Remote Assistant" to be added to the list of recognized apps. In the past there was a web page to request it, but now I cannot find it anymore. Opening an SR does not seem to give you such an option either...
VictorPG inside Access Control Products Tuesday
views 421 10

Question about overlapping vpn domain same management

Hello Everybody,

I have a little question that has been bothering me for a while. Let's say that I have a management with a VSX with 2 Virtual Systems (VS_A and VS_B). VS_A has a site-to-site VPN with peerA that has the network domain) and now I want to create a site-to-site with VS_B with peerB (a totally different site than peerA) that has as remote domain, (and maybe also the whole this cause overlapping even though they are different firewalls?

If that is the case, is there a way to solve this? (Maybe having a multidomain with different CMAs for each VS, for example.)

Thanks in advance
hakanka inside Access Control Products Monday
views 222 5

About integration between my AD and checkpoint

Hi,

I am a newbie at Check Point management. Please forgive me if I am wrong. I am managing 2 firewalls in my city. I have an issue on one of them. One of them has AD with Windows Server 2012, and there is no issue after changing the firewall group in the user's firewall groups in AD. But the other firewall has AD with Windows Server 2008, and after I change the firewall group of one user, the info arrives very delayed (half an hour, an hour or more, if the location is MPLS), so we cannot react quickly when we need changes on FW groups. What do you suggest? Thank you for your answers.
inside Access Control Products Saturday
views 165 1

Redirect NTP and DNS requests through NAT

Hi Team,

One of our customers needs to redirect all outbound NTP requests to the Internet to their internal NTP server only, so that when internal users try to hit an external NTP server they're really talking to the customer's internal NTP server and are none the wiser. The customer wants to do the same with DNS requests. The goal is to prevent users from using external NTP and DNS servers without reconfiguring their laptops.

This seems like an easy thing to do with NAT, and we found out that some vendors provide a solution through NAT, but Check Point doesn't allow us to configure a NAT rule with Many-to-One in the destination field. Here is essentially what the customer wants to do: And attached is a screen capture of the NAT rule we are trying to install with no success.

Is there any NAT trick that can be used to get this to work? The customer is open to implementing a workaround if we can provide one.

Thanks,
Katia
PabloOttawa inside Access Control Products Friday
views 164 1

Load balancing - ConnectControl not NATing

Hello all,

I am trying to configure load balancing with my Check Point firewalls - two 5200 series firewalls configured in High Availability mode. I have followed to the letter the instructions in have two HTTPS servers on addresses and; I created a virtual IP of (different subnet) for them. I also added the VIP to the ARP proxy on both appliances.

When I try to ping (the VIP) from a workstation, the ping is successful; however, the reply comes from the actual server address, not from the VIP. And when I try to access the VIP using HTTPS, it simply does not work. I sniffed the packets and I can see an HTTP response from the actual server address (not from the VIP), which is not taken by the target machine since it is not expecting the response from that address.

In my mind, the response should be coming from the VIP, and everything should be NATed back and forth to the server addresses (as opposed to a simple redirection). What am I doing wrong? Please advise, thanks!

Pablo
Almar_Diehl inside Access Control Products Friday
views 163 1

(When) Will there be a configurable VPN client for Android Enterprise

Currently the Capsule VPN client for Android cannot be configured by using an EMM solution. When will there be a new version of Capsule VPN that does support adding a configuration for Android Enterprise?

Regards,
Almar
Larry_Birch inside Access Control Products a week ago
views 193 1

Passive FTP Issue

Since moving to R80.20 we've had an issue with the "ftp" service. As a stop gap we used "ftp-protocol-signature" and match for any, which is now causing issues as a great number of ports are now sporadically identified as such (80, 53, 443, etc.). I am now trying to get back to the port based ftp service and having issues. To troubleshoot I have an "ftp" rule followed by an "ftp-protocol-signature" rule.

The initial ftp connection on port 21 matches on the "ftp" service rule; however, upon negotiation of the data port it falls through to the second "ftp-protocol-signature" rule around line 8:

No.  Time      Source           Destination    Protocol  Length  Info
1    0         192.139.152.XXX  216.8.153.YYY  TCP       62      55479 > 21 [SYN] Seq=0 Win=32768 Len=0 MSS=1460 WS=1
2    0.034743  192.139.152.XXX  216.8.153.YYY  TCP       54      55479 > 21 [ACK] Seq=1 Ack=1 Win=32768 Len=0
3    0.050639  192.139.152.XXX  216.8.153.YYY  FTP       60      Request: SYST
4    0.066276  192.139.152.XXX  216.8.153.YYY  FTP       72      Request: USER *********
5    0.08137   192.139.152.XXX  216.8.153.YYY  FTP       69      Request: PASS **********
6    0.154162  192.139.152.XXX  216.8.153.YYY  TCP       54      55479 > 21 [ACK] Seq=40 Ack=235 Win=32768 Len=0
7    0.168541  192.139.152.XXX  216.8.153.YYY  FTP       60      Request: PASV
8    0.184125  192.139.152.XXX  216.8.153.YYY  TCP       62      55486 > 63690 [SYN] Seq=0 Win=32768 Len=0 MSS=1460 WS=1
9    0.198893  192.139.152.XXX  216.8.153.YYY  FTP       83      Request: STOR FILEXXXXX
10   0.214221  192.139.152.XXX  216.8.153.YYY  TCP       54      55486 > 63690 [ACK] Seq=1 Ack=1 Win=32768 Len=0
11   0.229467  192.139.152.XXX  216.8.153.YYY  TCP       1406    55486 > 63690 [ACK] Seq=1 Ack=1 Win=32768 Len=1352
12   0.229566  192.139.152.XXX  216.8.153.YYY  TCP       1406    55486 > 63690 [ACK] Seq=1353 Ack=1 Win=32768 Len=1352
13   0.22961   192.139.152.XXX  216.8.153.YYY  TCP       764     55486 > 63690 [PSH, ACK] Seq=2705 Ack=1 Win=32768 Len=710
14   0.229614  192.139.152.XXX  216.8.153.YYY  TCP       54      55486 > 63690 [FIN, ACK] Seq=3415 Ack=1 Win=32768 Len=0
15   0.245719  192.139.152.XXX  216.8.153.YYY  TCP       54      55486 > 63690 [ACK] Seq=3416 Ack=2 Win=32768 Len=0
16   0.245726  192.139.152.XXX  216.8.153.YYY  FTP       59      Request: PWD
17   0.260447  192.139.152.XXX  216.8.153.YYY  FTP       83      Request: RNFR FILEXXXXX
18   0.275011  192.139.152.XXX  216.8.153.YYY  FTP       86      Request: RNTO FILEYYYYY
19   0.30613   192.139.152.XXX  216.8.153.YYY  FTP       60      Request: QUIT
20   0.3216    192.139.152.XXX  216.8.153.YYY  TCP       54      55479 > 21 [FIN, ACK] Seq=147 Ack=449 Win=32768 Len=0
21   0.321714  192.139.152.XXX  216.8.153.YYY  TCP       54      55479 > 21 [ACK] Seq=148 Ack=450 Win=32768 Len=0
22   1.576145  192.139.152.XXX  216.8.153.YYY  TCP       66      21 > 63691 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
23   1.590468  192.139.152.XXX  216.8.153.YYY  FTP       81      Response: 220 Microsoft FTP Service
24   1.605046  192.139.152.XXX  216.8.153.YYY  FTP       77      Response: 331 Password required
25   1.620133  192.139.152.XXX  216.8.153.YYY  FTP       1088    Response: 230-WARNING:
26   1.62016   192.139.152.XXX  216.8.153.YYY  FTP       75      Response: 230 User logged in.
27   1.634786  192.139.152.XXX  216.8.153.YYY  FTP       74      Response: 200 Type set to I.
28   1.648881  192.139.152.XXX  216.8.153.YYY  FTP       70      Response: 215 Windows_NT
29   1.663016  192.139.152.XXX  216.8.153.YYY  FTP       88      Response: 211-Extended features supported:
30   1.663093  192.139.152.XXX  216.8.153.YYY  FTP       72      Response:  LANG EN*
31   1.663115  192.139.152.XXX  216.8.153.YYY  FTP       107     Response:  AUTH TLS;TLS-C;SSL;TLS-P;
32   1.663132  192.139.152.XXX  216.8.153.YYY  FTP       61      Response:  HOST
33   1.663153  192.139.152.XXX  216.8.153.YYY  FTP       91      Response:  SIZE
34   1.677245  192.139.152.XXX  216.8.153.YYY  FTP       112     Response: 200 OPTS UTF8 command successful - UTF8 encoding now ON.
35   1.712574  192.139.152.XXX  216.8.153.YYY  FTP       83      Response: 250 CWD command successful.
36   1.729417  192.139.152.XXX  216.8.153.YYY  FTP       103     Response: 550 The system cannot find the file specified.
37   1.74992   192.139.152.XXX  216.8.153.YYY  FTP       107     Response: 227 Entering Passive Mode (192,139,152,XXX,237,68).
38   1.764894  192.139.152.XXX  216.8.153.YYY  TCP       66      60740 > 24973 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
39   1.788989  192.139.152.XXX  216.8.153.YYY  FTP       108     Response: 125 Data connection already open; Transfer starting.
40   1.803761  192.139.152.XXX  216.8.153.YYY  TCP       54      60740 > 24973 [ACK] Seq=1 Ack=2107 Win=131072 Len=0
41   1.807151  192.139.152.XXX  216.8.153.YYY  TCP       54      60740 > 24973 [ACK] Seq=1 Ack=2108 Win=131072 Len=0
42   1.8073    192.139.152.XXX  216.8.153.YYY  TCP       54      60740 > 24973 [FIN, ACK] Seq=1 Ack=2108 Win=131072 Len=0
43   1.807392  192.139.152.XXX  216.8.153.YYY  FTP       78      Response: 226 Transfer complete.
44   1.880154  192.139.152.XXX  216.8.153.YYY  FTP       68      Response: 221 Good-Bye
45   1.880182  192.139.152.XXX  216.8.153.YYY  TCP       54      21 > 63691 [FIN, ACK] Seq=1572 Ack=160 Win=130816 Len=0
46   1.895165  192.139.152.XXX  216.8.153.YYY  TCP       54      21 > 63691 [ACK] Seq=1573 Ack=161 Win=130816 Len=0