Showing results for 
Search instead for 
Did you mean: 
Create a Post
Access Control Products

Have questions about Application Control, URL Filtering, Site-to-Site IPsec VPN, Network Address Translation, Identity Awareness, and other related technologies? This is the place to ask!

Neville_Kuo inside Access Control Products 7 hours ago
views 46 6

Multiqueue without Secreuxl

Dear all,Due to some service impact reason we have to disable securexl in our customer production network, to improve network performance we turned on multiqueue on some interfaces, accord to some documents and SK I know multiqueue is only relevant with securexl enabled, but I know multiqueue is linux thing not check point proprietary, so we really don't have any benefit to turn multiqueue on with securexl off?
bsb inside Access Control Products 7 hours ago
views 34 2

Packet leaves firewall, but doesnt reach peer device

Hi, Below is the scenario Checkpoint ( 3 subnets) ------ > Symantec decrypter (2 subnets reaches, 3rd subnet doesnt reach). Above devices are connected back to back, initially there are subnet with /27 routed between these two devices, post ip exhaust , one more /27 was added.traffic reaches from checkpoint to symantec decrytor device, now second subnet is also we are planning with 3 rd subnet in symantec side.we could see packet leaving checkpoint exit interface through fwmonitor, but there is no received packets in packet capture of ssl decryptor.Is there an alternate option to check packet leaving checkpoint other than fwmonitor or tcpdump.thanksBSB
mark239 inside Access Control Products Friday
views 215 12 1

R80.30 URL filtering blocking allowed categories

 HiI recently rolled out a pair of small appliances to two sites.The web filtering policy for a particular user group is layered, and it has an allow list and the next rule is a drop all, with block message. HTTPS scanning is enabled with the cert rolled out. (I have also tried breaking the layers and having the standalone accept rule and then the standalone drop all rule after it)On one site this works perfectly.On another site, regularly (Every day or at least every other day) from early in the morning the firewall starts blocking all requests to anything categorised 'Computers/Internet' (Which is an allowed category) and a lot of things stop working. There are no failed category updates in the system log (Before the upgrade this same behaviour occurred, but we had updates failed and then database failed to reload so i suspected this initially). It's like the allow rule is being completely ignored. User auth is working, as the user name is logged in the log entry with the message the site was blocked as it belongs to the computers/internet category.The only way to stop this is to remove the drop rule after the allow for this user group, Once you re-enable it and install the policy it will be fine again until the next time it happens out of the blue.I previously upgraded the appliance from R80.20, as they were getting an HTTPS inspection error around certificate length (>1000) that the fix seemed to be upgrade to R80.30.Any ideas?
humt inside Access Control Products Thursday
views 253 3

Url filtering [Malware/Adware]

I am facing the big issue of virus(Malware/Adware]. And i am fedup now. I have format my system 3 times and 2times reset the firewall but the virus did not gone yet.  Firewall  not able to block yet. Even antivirus did not able to clean it yet. It is coming again and again. And i am not sure , how did it enter into system. Behavior-1) Internet auto disconnecting again and again.2) Changing the settings of firewall which i feel. It stop accessing localhost IP address.3) I feel when i synchronize the data with google for backup. Virus is entering into the system. Is it possible virus is entering via Google. Just take chrome data only via synchronize. These are the below website which open sometime with different websitesarcaptarts[.]site allashark[.]siteareantaid[.]site  I have block these website manaully. But it is useless.  Almost coming new website in next 2-4days.   
Emanuel_Miut inside Access Control Products Wednesday
views 118 1

Identity Awareness

We would like to set up IA between 2 clusters managed by different management domain servers and our first thought was to go with IA sharing. We checked IA Admin Guide and everything seemed pretty straight forward until I stumble across another SK about establishing SIC between IA entities handled by different management domain servers which will complicate the config. (specially with repeating several steps with each upgrade of PDP or PEP).If identity sharing set up will be too complicated, there is still the possibility to use separate IA on each cluster.In that case, we will also replicate the access role in both clusters and we were wondering if we can use the same Terminal Servers for both clusters? (with the same preshared key) 
elbrabra_94 inside Access Control Products Tuesday
views 139 1

FW rules base on HTTP/HTTPS application without application control license

Hello, We would like to create FW rules to only authorize HTTP and HTTPS traffic (without decrypt HTTPS traffic) regardless of the port used (standard or not). Is-it something feasible without Application control license? Thank you very much for your feedback, Regards

Identity Awareness Access Role Objects

Hello, With regards to creating Identity Awareness Access Role Objects, if two or more objects are added i.e. a network and an AD user group, do only one or both attributes have to match for the user to be granted access? From R80.10 administration documentation:In Smart Console, you can create Access Role objects to define users, computers and network locations as one object.You can use Access Role objects as a source or a destination parameter in a rule.Access Role objects can include one or more of these objects:NetworksUsers and user groupsComputers and computer groupsRemote Access Clients Regards,Simon
Martijn inside Access Control Products Tuesday
views 122

Connection client side is moved to new vpn interface vpnt2

Hi All,One of our customer has two VPN tunnels to AWS based on VTI's. These VPN tunnels are configured successfully and working fine.Based on BGP only one VPN tunnel is 'active' while the other one is just in case of a problem with the first VPN tunnel. This mechanism is also tested and is working fine. But.....Sometimes ths customer is seeing the following in SmartLog:"Connection client side is moved to new vpn interface vpnt2" and at the same time-stamp "Connection client side is moved to new vpn interface vpnt1".I found sk120152 which tells the issue if probably related to routing. But we do not see any changes in BGP and the last BGP update was a few days ago.A deeper look at SmartLog shows outbound traffic is leaving vpnt1 and inbound traffic is entering vpnt2. This is not correct and probably the reason for the mentioned log entries.Customer contacted AWS support and they confirm what we are seeing. Traffic entering one VPN tunnel and leaving the other one (from AWS point of view). So we think the cause is with AWS, but they also do not see a BGP update and VPN tunnels are up-and-running for several days.So a short summary:No BGP updates or route changes shown in logs.VPN tunnel stable for many day.AWS and customer are seeing the same issue. Traffic uses both VPN tunnels.I have a case open with Check Point support, but for now they are telling us to look at AWS.Has anyone seen this kind of behavior in the field? What can we do to investigate and solve this issue?Thanks for the help.Regards,Martijn.

O365 + HTTPS Inspection + Bypass

Hi All, This issue has been discussed before in I have a few questions about this issue I am running App control + HTTPS Inspection in R80.20. In the HTTPs Inspection policy, I bypassed Microsoft and Office365 services category as in the below rule but traffic to office365 is still inspected by https inspection   So in order to mitigate it, I had to create a custom category with all Office365 and MS domainMy questions are:1. Is the fact that the "Microsoft & Office365 services" category do not resolve Microsoft & Office365 URL/domains is a bug in R80.20? 2. is there a way to make it work in R80.20  without adding all Microsoft Domains to the bypass rules (and without waiting for R80.40)? (sk104564 discuss adding manual domains but it refers to R70.20 only. if it is relevant to R80.20 as well, please update the SR) 3. It is discussed that activating "enhanced_ssl_inspection" can help this issue. What is this exactly and how it can be achieved?
inside Access Control Products Monday
views 1016 2 9

Performance Test Documentation HTTPS Inspection and Content Awareness

The video documents performance test results where a 16000 appliance achieves 5Gbps while sustaining 3000 connections per second performing HTTPS inspection, Content Awareness and attack prevention. The test is based on the IXIA Enterprise Traffic Mix and uses R80.30 software release.(view in My Videos)

Site to Site VPN configuration suggestion

Hello everybody,We have a customer with topology like this:They have established VPN tunnels between Cisco ASA (will be replaced with FirePower as on image above) and remote peers (different devices). Current configuration is such that ASA has all private IP addresses and NAT to public IP address used for VPN peering is being done on CheckPoint GW.They reported few issues after upgrade from version 77.30 to version 80.10. Also, I have read that it's not best design decision to have NAT configured like this in a S2S VPN configuration.What are your thoughts on this? Do you have any suggestions on how it should be done "properly"?Thank you all in advanced,Ivan 
Dave_Hoggan inside Access Control Products a week ago
views 232 3

Unwanted VPN Routing Between RA and S2S Communities

Hi,I've been having a tough time trying to get something to NOT work and hoping that someone can suggest how I can achieve what I am trying to do.The scenario is a HQ office and two data centres, each with a R80.xx cluster terminating VPNs. The three sites are connected by VPLS and routing handled by OSPF throughout the core network and up to the clusters. The preference is to keep all site-traffic over the VPLS unless there is an issue and then fail over to S2S VPNs. Because of this, there is a S2S VPN mesh community containing DC1, DC2 and HQ and each cluster has an encdom of only those networks local to the cluster (so HQ encdom is the HQ networks; DC1 encdom is the DC1 networks). Note: whilst the community is created, there are no access rules defined allowing traffic to pass between DC1, DC2 and HQ networks, not even a rule with a VPN column of "any".We also have a RA community in first to respond MEP configuration. RA users can connect to DC1 or DC2 and be assigned an office mode address by the cluster. Users can then access resources local to the cluster to which they are connected.  The issue is that if a user connects to DC1 and tries to access a resource in DC2, the DC1 cluster attempts to VPN route the traffic over the S2S VPN which  (1) is not what we want and (2) does not work as there are no rules to permit the traffic. We want DC1 to route the traffic over the VPLS to DC2.In the logs we see DC1 decrypt the remote access traffic and shows a source IP of the OM IP address. We then see a log entry from DC2 dropping the traffic on the cleanup rule (again source IP is the DC1 OM address, so no NAT is occurring). The interesting point is that an fw monitor on DC1 shows inbound packets arrive on DC1  with inbound chain "id" and "ID" and then outbound chain "o" and "O" on the interface connecting to the core router. So at this point all looks to be OK, but then we see the packet being sent over the S2S VPN on the external interface!I think this is being caused by an implied rule Source: MemberGWs.EncDomain@MyIntranetDest: MemberGWs.EncDomain@MyIntranetVPN: AnyServices: EncryptedServices@MyIntranetAction: Encrypt&Continue But cannot find any way to remove this implied rule. vpn_route,conf is blank and the communities "Accept all encrypted traffic" is not ticked, If I remove the destination network from the DC2 encdom, then traffic is passed over the internal network as expected, so it is definitely the S2S configuration causing the issue.Can anyone see what I am missing?Thanks,Dave       
Wyatt_Felger inside Access Control Products a week ago
views 263 4

HTTPS Inspection Bypass GooglePlay

We have scanguns that are having trouble getting to the GooglePlay store. It appears based on errors that GooglePlay does not use the Android Certificate store to use our https inspection certificate.I have opened up the clients to bypass the following URL's but am still having issues:** I don't see other google entries in the inspection and according to the logs the clients are getting bypassed, but it hasn't been until I bypass all https inspection for the specific client that it is fully able to connect to the GooglePlay store, register, and download files.  
Luisnego inside Access Control Products a week ago
views 219 1

Identity Collector Windows Server 2019

Hello, CheckMates,  I have a doubt about creating a new server with IC, can I use windows server 2019 to install an identity collector?. I was reading the documentation and I only see Windows Server 2008 or Windows Server 2008 R2, Windows Server 2012 or Windows Server 2012 R2, Windows 2016.  
JG inside Access Control Products 2 weeks ago
views 247 1

Checkpoint NAT Best Practices

For Checkpoint is there a best practice guide for the NAT table?