ShripadBuwa inside Access Control Products 9 hours ago
How to configure a VPN tunnel that should come up if the point-to-point link goes down

Customer has a single point-to-point link between two branch offices and wants to have an S2S VPN tunnel between the branch offices if the point-to-point link goes down. How to configure such an S2S VPN in this scenario?
minhhaivietnam inside Access Control Products yesterday
Block file sharing over skype

Hi friends,
I have a Check Point R80.10 like this: User PC ------> Firewall ---------> internet
My requirement is to allow users to use Skype but prevent them from sharing files over it.
My question is: what blade can I enable for this purpose, and what steps do I need to configure after enabling the blade? Thanks a lot!!
bsb inside Access Control Products yesterday
Header to identify the inbound original IP after hide NAT

Hi, below is the scenario:
Internet --> Check Point Firewall (any internet NAT'd to the firewall external interface IP, hide NAT) ----> Load balancer --> backend server
Need to identify the inbound public IP after the NAT is performed in the Check Point firewall, for analysis. Is there a way to see this original inbound public IP in packet captures with a different header name like XFF etc.?
thanks BSB
Ned_Stark inside Access Control Products Thursday
Identity Collector doesn't receive events from AD servers

Hello, I have installed and configured Identity Collector on the AD server, but I don't get any events. I did that configuration following the Check Point Admin Guide. The server has active event logs, etc. The status of the Identity Source is connected.
phlrnnr inside Access Control Products Wednesday
Identity Collector filter configuration from external source

@Royi_Priov I'd like to ask for a feature request to allow the Identity Collector to pull in some configuration from an external source. For example, we have 6 Identity Collector servers deployed due to scale needs, and whenever we need to update the filter list, we have to do it manually in 6 places. It would be great to be able to update the filters in one central place and have them deployed automatically to all 6 Identity Collectors. This could be done from SmartConsole, perhaps. Or maybe a remote SFTP server that gets configured in the Identity Collector, etc.
Thanks for consideration!
Phil
Shahar_Grober inside Access Control Products Tuesday
Skype for Business issues

Hi, I am facing an issue where VOIP calls from our Polycom device to Skype for Business Online are dropped after about 1 minute. The drops are one-way (incoming voice), which looks like the incoming SIP traffic is dropped. The topology is quite simple:
Polycom --> CP GW --> Internet --> Skype for Business Online
Some insights:
1. The problem doesn't occur when connecting the Polycom directly to the internet via a hotspot, so it is a Check Point issue.
2. The issue still occurs when disabling SecureXL, so it is not a SXL issue.
3. Hide NAT changes source port for SIP over UDP IP is checked in inspection settings.
4. No IPS drops on VOIP. The Polycom IP is excluded from IPS and all inspection settings.
5. We see incoming connections from the Skype for Business Online IP range are blocked by the stealth rule.
The last point made me think that it might be a NAT issue with the SIP port range (outgoing connections are NATed but incoming connections are not recognized by the firewall as part of the same connection). I see the following drops coming from the Skype for Business Online IP range to the GW external IP address.
My questions are:
Are there any best practices to configure Skype for Business with Check Point?
What is the recommendation for NAT with SIP?
Any insights on how to solve this issue?
Sanjay_S inside Access Control Products a week ago
Identity Awareness for Remote Access Users

Hi All,
We enabled the Identity Awareness blade yesterday, mainly for the Remote Access VPN users. I am able to fetch the details from AD, and I created the Access Role for the specific group in the AD and provided ANY access for that particular group. But it doesn't seem to be working. Users are able to connect to Remote Access (e.g. user Bob logs in to RA; I can see the Identity Awareness blade shows the login and logout details), but the problem is that it is not hitting the Any rule configured. So the users are not able to have the complete access they require. Please let me know how to proceed further on this. Below are the details:
GW: R77.30 Take 225
MDS: R80.10 Take 121
Let me know if you need any more details on this.
Thank you in advance.
inside Access Control Products a week ago
Identity Awareness Use Cases

Hello! Identity Awareness is quickly expanding as a need for many corporate environments today. Check Point employs many different technologies to help support this need. I put together a slide that overviews how we can fit into customers' environments to address IA needs. I've attached a few PowerPoint slides that educate on the processes of how our technologies work. If you have any questions feel free to contact me.
George_Donoghue inside Access Control Products a week ago
ID Credentials not being forwarded!!

Hi, I'm looking to see if any of you guys came across this issue before. I have users that access a firewall to authenticate so they can access their servers; when a user tries to access a server in another location, the traffic is getting dropped by the drop rule. This is because the first firewall is not forwarding his authentication details to the firewall in the secondary location, even though the firewalls are configured to share these details. When the user authenticates again to the firewall in the secondary location, he is then able to access the server in the secondary location. Any help would be greatly appreciated!! Thanks for your help in advance!!
George
lullejd inside Access Control Products a week ago
Video Conferencing Issues

Hi all,
We have an issue where, when we place a call to a Polycom VC behind a Check Point firewall, we are able to establish the call; however, we are not able to hear the other party talking or see him on video. He is able to see us and hear us. On the firewall there are no drops. We also checked sk92803 followed by sk62082, where we have configured the relevant table.def for the Protocol and IP Options. We tried with both SecureXL turned off and on. The devices are Check Point 3200. Has anyone encountered a similar issue with a Video Conferencing setup?
Thanks in advance 🙂
Gerasimos_Tzaki inside Access Control Products 2 weeks ago
Gateway not replying to pings

Hello all, we upgraded one Security Gateway to R80.20 and we have a really strange behavior. The gateway doesn't reply to ping requests. We see logs that the request is accepted, and tcpdump and fw monitor show that the requests successfully reach the gateway, but neither tcpdump nor fw monitor shows replies. Also on zdebug we don't see any drops at all. We disabled SecureXL with "fwaccel off", because it has caused some problems on other upgrades, and the issue persists. It is really weird, and we cannot think what may cause this problem. Find below tcpdump output with some requests but without replies!
08:27:18.461003 IP 10.x.78.154 > 10.x.78.1: ICMP echo request, id 6556, seq 38729, length 87
08:27:19.462044 IP 10.x.78.154 > 10.x.78.1: ICMP echo request, id 6556, seq 38730, length 87
08:27:20.463021 IP 10.x.78.154 > 10.x.78.1: ICMP echo request, id 6556, seq 38731, length 87
The 10.x.78.1 is the VIP of the cluster, and the server with 10.x.78.154 is an ESXi host that has to ping the default gateway as a keepalive mechanism. Can you think of something to investigate, because we have hit a wall.
Thank you all
Carsten_Weber inside Access Control Products 2 weeks ago
Identity Awareness (IA) OUs and nested AD groups

Hi everyone,
R77.30
I just noticed an unfortunate behaviour of Identity Awareness (IA) in regards to handling OUs inside "Access Role" objects. Maybe you know if this is known not to work, or you even have a workaround/fix for this.
One of our customers has a working Access Role listing an OU called "OU=LocationA" comprising other OUs, and inside those are users (DN):
OU=LocationA,DC=blablub,DC=corp,DC=int
Example user entries inside the used OU or sub-OUs (DN):
CN=UserA,OU=CB,OU=LocationA,DC=blablub,DC=corp,DC=int
CN=UserB,OU=Extern,OU=CB,OU=LocationA,DC=blablub,DC=corp,DC=int
etc.
They also have a non-working Access Role using one OU with AD groups only inside, called "OU=JIRA" (DN):
OU=JIRA,OU=Applications,OU=Global-Groups,DC=blablub,DC=corp,DC=int
Example AD group entries inside the used OU (DN):
CN=JIRA_PX,OU=JIRA,OU=Applications,OU=Global-Groups,DC=blablub,DC=corp,DC=int
CN=JIRA_QA,OU=JIRA,OU=Applications,OU=Global-Groups,DC=blablub,DC=corp,DC=int
etc.
Not working means: the "Access Role" does not match connections of users that are members of the corresponding AD group.
Working means: the "Access Role" does match connections of users that are members of the corresponding OU or sub-OUs.
These are the only two occasions where we used OUs. Normally AD groups are the standard entry for "Access Roles". And in this case we really need the non-working OU to work.
I can browse those AD branches inside the SmartDashboard "Objects list" under (Users and Administrators) OK. Users are listed for the AD groups and OUs when double-clicking.
I'm not too deep into AD, but I believe IA has an issue with nested AD groups inside an OU when an OU is used as an entry in an Access Role.
Does anyone have any experience with this situation? Your thoughts are highly appreciated.
best regards
Carsten
phlrnnr inside Access Control Products 2 weeks ago
Identity Awareness, password rotation, and gMSA (Group Managed Service Accounts)

A feature request for ID Awareness: to simplify password rotation on service accounts for Identity Collector or even LDAP account units, it would be great to see support for gMSAs (Group Managed Service Accounts). These handle the password rotation automatically and securely.
Until then, however, any recommendations for ID Awareness / Identity Collector for password rotation without impacting service?
Udupi_krishna inside Access Control Products 2 weeks ago
Check Point VPN as responder only

Hello All, I am in the midst of troubleshooting a VPN between a Check Point (R80.10) and a Palo Alto firewall. This site-to-site tunnel is configured to use certificates for authentication. During the course of our troubleshooting, an unknown bug was identified in the Palo Alto firewall, due to which it has to be the initiator of the tunnel until a fix is available. The issue pops up whenever the Check Point becomes the initiator instead, and the Palo Alto firewall stops responding. Now coming to the requirement: is there a way I can force the Check Point to always be just the responder in a VPN tunnel? I am not talking about the DPD responder, but at the level of negotiation. Basically, at any point in time, I do not want the Check Point to initiate a request to bring up the VPN, either due to inactivity or idle timeout.
scottikon inside Access Control Products 2 weeks ago
cpview -t <timestamp> no longer working since upgrading to R80.30 from R77.30

Has anyone else had any difficulties using cpview -t <timestamp>?
With R77.30 we could issue cpview -t 30.0.2019 10:00:00, for example, and it would show me the historical cpview data starting at the time and date issued. Since upgrading to R80.30 this no longer works and just displays the help output. I can issue cpview -t and it will go to the oldest date, and I have to scroll through to get to the date I want. It can be quite cumbersome. Thanks