felipetropeia inside Access Control Products Saturday
views 89 1

Identity Agent - Distributed Configuration

Hi there,

For some reason, my Identity Agent version R80.181.0000 on Windows 10 Enterprise, with our Domain Controller running on Windows Server 2016, using SSO settings with Kerberos authentication, isn't respecting Identity Server priorities. I configured in Identity Agent a gateway with priority 20 within Distributed List and Server Configuration, and I have configured in our DNS SRV records other gateways with priority 100.

What should happen is that Identity Agent connects to the priority 20 gateway and, if it cannot for some reason, connects to the priority 100 firewall; however, what happens is that it immediately connects to the priority 100 firewalls.

Has anyone seen this situation before?
VENKAT_S_P inside Access Control Products Thursday
views 98 7

IpToCountry.csv vs Ip2Country.csv difference?

What is the difference between IpToCountry.csv and Ip2Country.csv? I found sk120261 but it's not clear.

The default present in the customer folder is IpToCountry.csv, and even the file downloaded is IpToCountry.csv.gz. Does this file need to be renamed to Ip2Country.csv?

My other question is: does this require an mdsstop/mdsstart?
Ravindra_Yadav inside Access Control Products Wednesday
views 70 3

MPLS to IPSEC failover in 80.30 with Cisco ASA as remote end device

Hi Team,

I have a scenario where I want to achieve failover between IPSEC VPN and MPLS traffic terminating on the same remote end Cisco ASA device. MPLS will act as primary and when the MPLS link fails, traffic should fail over to the IPSEC VPN. Is there any way to achieve this between Check Point & Cisco ASA? Your suggestions would be highly appreciated. I heard that there is a feature in R80.30 to achieve this.

Regards,
Ravindra
DFR_ inside Access Control Products a week ago
views 133 2

Site-Site Tunnel with NAT to a second Tunnel

Hello all,

I'm in no way an experienced admin of Check Point; this is a situation that I was tasked with because no one else would take it. I'm used to working with Palo and ASA devices, so I might be missing something here.

This is the basic layout: due to whatever policies, 10.13.1.x can't be connected to directly, so the solution was to create the tunnel between devices 1 and 2. Device 1 is a Fortinet that I have no control over. The tunnel between device 2 and 10.13.1.x already exists and is OK.

I have assigned to an internal interface on device 2, which is a Check Point device, and created access and NAT rules that I can see applied in logs when I telnet one of the allowed ports from to 1 is OK, but the admin of device 1 says it sees device 2 trying to negotiate the 10.13.1.x subnet but not 172.31.221.x on phase 2. Is there any way I can force 2 to negotiate only the wanted subnet?

Should I create a new gateway object for this new tunnel and set the topology to this address? On a Palo device I would create a new IKE gateway for each tunnel I want to establish. Is this the same logic on Check Point?

Thank you for any help you provide.
abihsot__ inside Access Control Products 2 weeks ago
views 73 5

How to configure Captive Portal?

Hi All,

I have strange behavior with Captive Portal; maybe you will have some ideas.

So I have an access role consisting of my username and the source network being my computer. I have a rule x which allows http/https with accept (display captive). As a source I have the access role mentioned above. Rule x+1 is to block http/https.

When the computer is not associated with a username I don't always get the captive portal. For example displays captive, while doesn't. In the logs I can see that cnn gets redirected to captive, while access to ( is blocked by rule x+1.

The ultimate goal is to authenticate Linux users and drop unknown traffic from computers.
andy_currigan inside Access Control Products 2 weeks ago
views 40 1

SSL protocol in application control rules

We have a strange behaviour with SSL protocol and Application Control.

The customer notified us that some sites that should be blocked by Application Control were accessible (like Facebook). Rules are configured in whitelist mode (allowing specific categories and applications, with a block-all rule at the bottom).

After investigating we noticed that there was an Application Control rule that enabled HTTPS to the internet, which allowed Facebook and many other sites. Once that rule was disabled, all these sites were correctly blocked by the Application Control rules, but we also got lots of traffic blocked as "SSL protocol" and we needed to recover the can we enable SSL protocol and block these sites at the same time?

One solution would be to change the policies to a blacklist mode, but the customer wants to keep the rules in whitelist mode.

Thanks
Florin_Dumitru inside Access Control Products 2 weeks ago
views 701 1

ClusterXL, 2 ISP, 2 x /29 public IP ranges, multi-VPN

The setup runs as ClusterXL with 2 ISPs (using a /30 provided by each ISP for the cluster external VIPs). Each ISP forwards the /29 public IP range traffic through the corresponding usable address from the /30.

Existing VPN setup: a number of existing S2S VPNs and RA use those /30 public IPs and are working as expected.

Is it possible to set up another set of S2S VPNs with IPs from the available /29 public IPs instead of the ones already in use, on the same cluster (i.e. without having to deploy another appliance as a separate VPN server)?
Gianluca_Giorda inside Access Control Products 2 weeks ago
views 60 2

VPN and DPD configuration

Hello,

According to the R80.10 VPN documentation, to enable DPD as the method for the permanent tunnel, I need to change the parameter tunnel_keepalive_method property for each gateway in the community. The statement "for each gateway in the community" means you have to perform the change at the remote peer object and at the CKP gateway object as well.

The same CKP gw object is used in another VPN community with permanent tunnel on, but based on the tunnel_test protocol because it is S2S with another CKP gateway. I'm worried about the impact it could introduce. My question is: what happens if I configure the parameter to DPD on the ckpgw used in a different community?

I'd like to know what permanent tunnel protocol is used in the following scenario:

ckpgw1 tunnel_keepalive_method: dpd
ckpgw2 tunnel_keepalive_method: tunnel_test
3rdgw1: dpd

VPN community1
center gateway: ckpgw1
satellite gateway: ckpgw2
permanent tunnel: on all tunnels in the community
keepalive is based on .... (dpd/tunnel_test/not working)

VPN community2
center gateway: ckpgw1
satellite gateway: 3rdgw1
permanent tunnel: on all tunnels in the community
keepalive is based on .... (dpd/tunnel_test/not working)

Thank you in advance
rajko inside Access Control Products 2 weeks ago
views 1178 4

Problem with AutoCAD licensing servers

Hello,

This is my first post and I'm not quite sure that this is the right category. As you can read in the subject, I have a problem with AutoCAD licensing servers; very often they change IPs, so it's complicated to add new addresses again and again. I checked logs and I see that all licensing information comes from:

something.amazonaws.com

So I added a rule which looks like this:

Is it right, and if someone has a better solution it will mean a lot to me! Thank you in advance. 🙂
Egor_Cherkasov inside Access Control Products 2 weeks ago
views 440 4

First connection for HTTPS Inspection

Hello CheckMates,

According to HTTPS Inspection Enhancements in R77.30 and above, every first connection to a site is inspected even if it should have been bypassed according to the policy, and Probe Bypass can resolve this issue.

The question is: how much time does it take for the next connection to become the "first" again? For instance, today I connected to a financial services website and the first connection was inspected by the Check Point certificate; henceforth, the next connections during today are not inspected. However, tomorrow the first connection will be inspected again. What are the time frames?

Regards,
Egor.
Alex_Shpilman inside Access Control Products 2 weeks ago
views 94 4

Identity Agent - a few issues

We deployed an Identity Agent to all the domain machines from SCCM. There is a VSX cluster in the environment; the agent connects to the active member of VS0 (active on member a) and identities are shared to a different VS which is active on member b. There are about 1700 clients, running R80.20 HFA73.

A while after the deployment we started to experience a memory leak on member a: 100% of the memory is being consumed and memory allocation errors are observed; only a reboot helps, and then the issue comes back after a week or so. We have an SR for that without much progress so far. Perhaps someone has experienced the same issue?

Another question: is it possible to suppress any pop-ups of the agent? The users are quite annoyed with this as they confuse it with the VPN client.

Thanks.
Tom_Cripps inside Access Control Products 3 weeks ago
views 2019 8

Multiple types of objects in source column leading to Policy Verification Failure

Hi all,

I'm wondering if anyone knows why, and if there is a way around this other than creating a duplicate rule and removing the foreign objects from one rule and placing them in the duplicated rule. Also, I'm curious if this is planned to be rectified in the near future?

Tom
Udupi_krishna inside Access Control Products 3 weeks ago
views 1092 3

Categorize HTTPS Website and TLSv1.3

Hello Folks,

I am working with a client who has an issue blocking a specific adult-categorized website. The Security Gateway is running R77.30 and management is on R80.10.

The initial problem was because of an old app DB, due to which the website used to return as uncategorized. This was fixed; however, we started to see that the website was still accessible over HTTPS. Categorize HTTPS websites is enabled (no inspection). Most of the known adult websites over HTTP or HTTPS are being blocked except this one ( When I ran tests on SSL Labs, I did see multiple certificates returning (possibly SNI too), but from the capture run on a test setup and in the client's environment I saw that the server was returning the CN/DN matching the URL (no SNI). Further to this, while using additional TLS filters in Wireshark I saw that the website is negotiating over TLSv1.3.

To confirm the behavior, I tried accessing the website using Internet Explorer with TLSv1.2 and 1.1 disabled. The firewall blocked it successfully, while when I use Chrome (which from version 63 is built to support TLSv1.3) the website opens.

I understand HTTPS Inspection is the answer, but we are talking about multiple client offices + multiple firewalls, which invites additional work. TAC has been involved, but they don't seem to be answering my question on this limitation; it's just a pure reply recommending Inspection to be enabled. Does anybody know if this has been documented/discussed before?
Trey_Havener inside Access Control Products 3 weeks ago
views 4519 18 2

UserCheck Block Page Times Out

We just cut over to our 5400 cluster, and during testing the Block Page displayed fine. Today during the cutover, however, the block page seems to keep timing out. We aren't doing much on the block page but telling them why they were blocked and to contact us if they feel it's in error. If I open an incognito tab then sometimes that will work, but most of the time it times out as well. I have a ticket open but wanted to see if anyone else has had this problem. We aren't doing any HTTPS inspection... not ready for that nightmare. Just URL Filtering.
Scott_Bunde inside Access Control Products 4 weeks ago
views 841 1

Additional Updatable Objects request

I would like to know if Sales Force and In Contact will become available as Updatable Objects anytime in the near future. These are wonderful and I look forward to expanding their usability.