Access Control Products

Have questions about Application Control, URL Filtering, Site-to-Site IPsec VPN, Network Address Translation, Identity Awareness, and other related technologies? This is the place to ask!

Chinmaya_Naik inside Access Control Products 3 hours ago
views 109 4

System Backup Size increases more even on small changes

Hi Team,
We only add one or two rules max in a week but we see the system backup size increasing continuously. Any idea?
Regards
@Chinmaya_Naik
Wolfgang inside Access Control Products 4 hours ago
views 229 6 2

Microsoft forces LDAPS march 2020, is Check Point aware of this

Hello,
starting March 2020 Microsoft forces the use of LDAPS only for connecting to Active Directory: "2020 LDAP channel binding and LDAP signing requirement for Windows".
I think there are some changes needed in the product. You can configure the LDAP connection to AD with LDAPS; this works and is recommended. But there are still some features that are using LDAP:
- first time wizard if enabling MOB or IA (gateway tries to connect to the domain controller via LDAP, not LDAPS)
- browsing Active Directory (looks like the problem from sk120669 is still active in R80.30)
Any statement from Check Point about this?
Wolfgang
Alan_Camelo1 inside Access Control Products 5 hours ago
views 176 6

Domain based VPN to ANY (R80.20 question)

Hi All,
I am trying to create a VPN to a 3rd party using a backup tunnel where possible, using a destination of ANY on http/https. I only want this rule to be hit after other rules that will NOT route through the tunnel, so it will be lower in the rule base. My questions are:
1. Can I use a VPN to ANY using Domain based VPN, as I only want this rule to be hit after other rules have been satisfied?
2. When defining the local domain e.g. do I just add it to the Topology/VPN part? What if other subnets exist, do they need to be added to the SA?
3. Can I add a backup tunnel into the star community? If so, what is the metric or mechanism that says primary is A, secondary is B?
Thanks in advance
Al
Nishant12 inside Access Control Products yesterday
views 86 3

ISP redundancy over VPN

We have a cluster on one CMA with dual ISPs, and it's creating a tunnel to site B in another CMA. How do we set it up so that if one ISP goes down the other will take over?
Dennis_M inside Access Control Products Friday
views 113 1 4

HowTo Set Up Certificate Based VPNs with Check Point Appliances – R80.x edition

I am sure that the majority of CheckMates users have at some time already stumbled upon the article "HowTo Set Up Certificate Based VPNs with Check Point Appliances - R77 edition" written by @Danny. He is our instructor and CTO at ESC and has been working with Check Point Firewalls for almost two decades. With the new R80.x release an update to his great VPN article was needed. Here we go:

Preface

Securing virtual private networks (VPNs) in enterprise Site-to-Site environments is an important task for keeping the trusted network and data protected. It is also critical to avoid any loss of data sovereignty.

When it comes to VPN security many security experts first think of encryption algorithms, perfect forward secrecy (PFS), Diffie-Hellman groups... and a long pre-shared key (PSK).

What about VPN certificates?

Every security expert knows how much better certificates are for gaining high security levels. Therefore certificates are always best practice in enterprise grade security environments.

However, most VPN Site-to-Site setups are still based on simple, long lasting pre-shared keys. In many cases these keys were even forgotten by the administrators in charge of keeping the network secure, because once configured for the VPN tunnel they are not needed anymore.

This is because it's much quicker and really easy to set up a VPN with a simple pre-shared key than having to deal with certificates and a certificate authority (CA).

But the comfort of choosing PSKs over certificates does not only minimize your security level, it also makes you vulnerable to potential attacks and is not as safe as you might expect. Even if you pick a long PSK! This is because tools like 'ike-scan' (which also comes preinstalled with Kali Linux), psk-crack etc. make it really easy to crack your PSK. It's just a matter of time.

ℹ️ As a rule of thumb: VPN certificates significantly increase VPN security!

So let's get started!

When working with VPN tunnels between Check Point gateways there is absolutely no reason not to use VPN certificates. We used the following setup:
- Gateway: Check Point Firewall & VPN
- Management: Check Point SmartCenter (R80.40)
- Remote Office: Check Point 1550 Appliance (it is important to notice that the 1500 SMB appliances can only be centrally managed with R80.30 Jumbo Take_76 or R80.40, as mentioned in sk157412 and sk163296)

Centrally managed

Check Point is well-known for its superior security management solution to which all Check Point gateways are connected. This central management approach makes it remarkably easy to deploy security settings to all connected gateways with a single click on policy installation.

Check Point's security management is called SmartCenter Server (or Multi-Domain Security Management) and has a built-in internal certificate authority. This Internal CA enables the global use of certificates between all connected components and gateways right out-of-the-box.

Check Point automatically generates certificates whenever a new Check Point object is created, so you don't have to take care of certificate handling. Check Point does it all for you.

Establishing a certificate based VPN in centrally managed Check Point environments is as easy as 1-2-3.

First, create a VPN community for certificate based VPNs (Mesh or Star topology).

Now let's take a closer look at the settings of the created VPN community.
- Check the "Accept all encrypted traffic on:" box and select "Both center and satellite gateways" in the "Encrypted Traffic" tab.
- Configure your preferred VPN encryption settings for Phase 1 (IKE) and Phase 2 (IPsec) and allow permanent tunnels if needed.
- Leave the checkbox for pre-shared keys unchecked!

In the next step we want to activate and configure the needed IPSec VPN blade on the participating gateways. There are two possible options to do this. You can activate the blade in the "General Properties" tab on the gateway or during the installation when using the "Wizard Method".

Classic Method
- Activate the IPSec VPN blade in the "General Properties" tab.
- Choose your VPN community.
- Activate NAT on the participant gateways...
- ...and select the VPN encryption domain of the specific object.
Gateway:
RemoteOffice:
(end of Classic Method)

Wizard Method
- Activate IPSec VPN on your participant gateways.
- Choose your VPN community and activate NAT...
- ...and select the VPN encryption domain of the specific gateway.

When everything is set, verify your VPN certificate and IPSec VPN community.

After you have configured the VPN topology for your VPN gateways you should add them to your VPN community (if not already done).

Finally, install the security policy.

The certificate based VPN tunnel is now up and working!

Should the connection to the SMB appliance (in our case the "RemoteOffice") get lost after the policy installation, check the "Connection Persist" option and activate "Keep all connections".

Locally managed

Check Point's 700 appliances are locally managed. So can be 1100 / 1400 / 1500 appliances. These SMB appliances have their own local CA!

First, let's export our Internal CA to the 1100 / 1400 / 1500 appliance at our remote office.
- In SmartDashboard just navigate to Manage > Servers and OPSEC Applications... > internal_ca > Edit... > Local Security Management Server > Save As... and export the certificate.
- Verify that the locally managed SMB appliance has Site-to-Site VPN enabled.
- Import the internal_ca.crt file to your locally managed SMB appliance.
- You may want to disable CRL checking if your Management as primary CRL Distribution Point can't be reached or isn't resolvable.

Easy, isn't it?

Now we want to export the SMB appliance's certificate to our Management or (if you prefer) issue a certificate request to be signed by our management's Internal CA.

Option A - Export the SMB appliance's certificate
- Highlight the Internal CA of our SMB appliance (NOT the one we just imported), then click "Export" and save the file.
- Go to VPN > Certificates > Internal Certificates and copy the Certificate CN of the Internal VPN Certificate.
- Create a VPN site for the certificate based VPN tunnel to our VPN Gateway and configure the site to use Certificate as authentication.
- Don't forget to select the Remote Site Encryption Domain.
- In the tab Advanced > Certificate Matching set "Remote Site Certificate should be issued by" to our Management trusted CA's name and enable permanent tunnels if needed.
- We are now finalizing our VPN setup in SmartDashboard on our Management. Navigate to Manage > Servers and OPSEC Applications... > New > CA > Trusted, select OPSEC PKI and open the tab OPSEC PKI to import our saved SMB Internal CA file.
- Again, you may want to disable CRL Checking if required.
- You'll then find our imported SMB certificate 'CP1550' next to our internal_ca within the Trusted CA list of our Management.
(end of Option A)

Option B - Issue a certificate request
- Go to VPN > Certificates > Installed Certificates and click New Signing Request to generate a new certificate.
- Enter a Certificate name and Subject DN.
- Export the signing request to a file.
- Copy the content of the exported file.
- On the Management start the ICA Management Tool (sk39915), go to Create Certificates and paste the certificate request into the PKCS#10 text box.
- Create the signed certificate.
- If required, change the file name extension of the created certificate to .crt.
- On the SMB appliance click 'Upload Signed Certificate', select the certificate and click 'Complete'.
(end of Option B)

Now simply create an Externally Managed Check Point Gateway for our SMB appliance and you are all set up and done.

When configuring the Matching Criteria for our SMB appliance, check the DN box and paste the subject of our SMB appliance Default Certificate if you took Option A. In case of Option B first copy the DN of the created certificate from within the ICA Management Tool. Then paste it into the DN field of the VPN certificate as issued by our internal_ca.

Install the security policy.

And check out the working VPN tunnel.

Special thanks to @boxis-green, @Joshua and @jannag!
Thank you.
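The two Matching Criteria the HowTo configures for the externally managed SMB gateway (certificate issued by the trusted internal_ca, exact subject DN match) reproduced with OpenSSL, as an added example that is not part of the original post and not Check Point code; the CA name, the CP1550 subject, the rogue CA and all file names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): OpenSSL stands in for the
# Management's Internal CA and for the SMB appliance. All names are constructed.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# 1. Stand-in for internal_ca: a self-signed CA certificate.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -subj "/O=demo-mgmt/CN=internal_ca" \
  -keyout internal_ca.key -out internal_ca.crt 2>/dev/null

# 2. Option B of the HowTo: the appliance creates a signing request (PKCS#10)...
openssl req -newkey rsa:2048 -nodes \
  -subj "/O=demo-mgmt/CN=CP1550" \
  -keyout cp1550.key -out cp1550.csr 2>/dev/null
# ...and the CA signs it (the ICA Management Tool step).
openssl x509 -req -in cp1550.csr -CA internal_ca.crt -CAkey internal_ca.key \
  -CAcreateserial -days 30 -out cp1550.crt 2>/dev/null

# 3. A certificate from an unrelated CA, to show the issuer check rejecting it.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -subj "/O=someone-else/CN=rogue" -keyout rogue.key -out rogue.crt 2>/dev/null

# check_peer_cert CERT CAFILE EXPECTED_DN
# Mirrors the Matching Criteria: the peer certificate must chain to the trusted
# CA only, and its subject DN (RFC 2253 form) must equal EXPECTED_DN exactly.
# Returns 0 when both criteria hold, 1 otherwise.
check_peer_cert() {
  cert=$1; cafile=$2; expected_dn=$3
  # Issuer check: validation against the trusted CA alone, no system store.
  openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1 || return 1
  # DN check: compare the subject in RFC 2253 form (most specific RDN first).
  subject=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$cert" | sed 's/^subject=//')
  [ "$subject" = "$expected_dn" ]
}

# Demo: the appliance cert passes; the rogue CA's cert fails the issuer check.
check_peer_cert cp1550.crt internal_ca.crt "CN=CP1550,O=demo-mgmt" && echo "CP1550: issuer and DN match"
check_peer_cert rogue.crt internal_ca.crt "CN=rogue,O=someone-else" || echo "rogue: rejected (not issued by internal_ca)"
```

A DN that differs from the one pasted into the Matching Criteria is rejected even when the issuer is correct, which is why the HowTo has you copy the DN from the ICA Management Tool rather than retype it.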
Kamiar_Sh inside Access Control Products Friday
views 5892 26 2

Enable DPD on R80.20

Hi everyone,
I have upgraded R77.30 to R80.20 recently and I am new with R80.20. I have 20 IPsec tunnels terminated to my cluster firewalls and here is my question:
1- There is an issue on one IPsec tunnel with a 3rd party and I need to enable DPD mode (the tunnel is not permanent), so if I enable DPD mode is there any impact to other tunnels?
And here is the tunnel config:
IKEv1
Phase 1
AES-256
SHA-256
DH: Group 5
Renegotiation IKE security: 1440 minutes
I'd appreciate it if someone can assist me to resolve the issue.

Check Point URLF for inbound traffic

We use Check Point URL filtering for controlling access to websites hosted outside the organization, and we follow a blacklisting mechanism to block access to a particular website. Now, in my scenario, I have a web server (behind the CHKP FW) hosting multiple websites using the same IP (CHKP) and port 80 for all the websites. The differentiation of each site can be done using the unique HTTP attribute called the Host header.
My Questions:
1. Is there a way we can use URL filtering to block access to a few of my web servers from the Internet?
2. If not, do we have any other way?
Note: As both IP addresses and port numbers are the same for all the internal web servers, I cannot use NAT and the FW rule base to block certain sites.
thevvk inside Access Control Products Thursday
views 812 11

VPN/SSH connection disconnected during data transfer

Hi, we are using Global VPN to connect with one of our clients to access their servers, but when we are trying to transfer data through the WinSCP application, the SSH and Global VPN are getting disconnected. As we checked, there is no restriction from the client side.
The same data transfer is working with mobile hotspot tethering, but we are having a problem when we are using our company network.
In our company, we are using a Check Point firewall (5400) and we have enabled communication to the client public IP in our Check Point access rule.
RoD inside Access Control Products Wednesday
views 192 7

HTTPS Inspection and P-521 certificate

Hi,
I have a question about site-to-site VPN with P-521 ECC encryption and HTTPS Inspection.
Is it possible to have two certificates for HTTPS Inspection, one RSA 2048 certificate for websites and a second P-521 ECC certificate for site-to-site VPN?
Thanks
Trey_Havener inside Access Control Products Wednesday
views 6107 22 2

UserCheck Block Page Times Out

We just cut over to our 5400 cluster, and during testing the Block Page displayed fine. Today during the cutover, however, the block page seems to keep timing out. We aren't doing much on the block page but telling them why they were blocked and to contact us if they feel it's in error. If I open an incognito tab then sometimes that will work, but most of the time it times out as well. I have a ticket open but wanted to see if anyone else has had this problem. We aren't doing any HTTPS inspection... not ready for that nightmare. Just URL filtering.
FWNinja inside Access Control Products Wednesday
views 119 1

UserCheck Portal Customization - URL Filtering Block Page

Hi guys,
I'm trying to configure the UserCheck Portal for the URL Filtering Block Page.
I need the user to be able to send an email through a link in the UserCheck Portal Block Page in order to request a specific URL whitelist. Is it possible?
Thanks
BR
Francesco

Best Practice of o365 and on-prem gateways

I have a customer that is looking for "best practices" for on-prem gateways integrating with O365. They had some major latency and an outage which ended up being ISP related, but it spawned a complete integration review from MSFT to the network team and to Check Point.
Specifically they are asking me for best practices. I don't think anything like that exists. I have asked my internal Check Point resources, so some of you may have seen this question in your internal groups. I would think if there are any best practices it's around HTTP/S and SSL inspection, since that's really what O365 is. Application control comes into play, but I don't think there are "best practices" for application control and O365 as it's pretty self-explanatory.
Anyway, I started this thread to cover all of my bases. Does anyone know if there are any Check Point sanctioned best practices for integrating O365 with on-prem gateways?
Thanks,
Paul

Request to add application for inspection

So, what's the right way nowadays to request an application to be added for inspection? I want "MSP360™ (CloudBerry) Remote Assistant" to be added to the list of recognized apps. In the past there was a web page to request it, but now I cannot find it anymore. Opening an SR does not seem to give you such an option either...
VictorPG inside Access Control Products Tuesday
views 475 10

Question about overlapping vpn domain same management

Hello Everybody, I have a little question that has been bothering me for a while. Let's say that I have a management with a VSX with 2 Virtual Systems (VS_A and VS_B). The VS_A has a VPN site to site with peerA that has the network domain) and now I want to create a site to site with VS_B with peerB (a totally different site than peerA) that has as remote domain, (and maybe also the whole this cause overlapping even though they are different Firewalls? If that is the case, is there a way to solve this? (maybe having a multidomain with different CMAs for each VS, for example) Thanks in advance
hakanka inside Access Control Products Monday
views 237 5

About integration between my AD and checkpoint

Hi,
I am a newbie on Check Point management. Please forgive me if I am wrong. I am managing 2 firewalls in my city. I have an issue on one of them. One of them has AD with Windows Server 2012, and there is no issue after changing the firewall group in the user's firewall groups in AD. But the other firewall has AD with Windows Server 2008, and after I change the firewall group of one user, the info is coming very delayed (half an hour, an hour or more if the location is MPLS), so we cannot react quickly when we need changes on FW groups. What do you suggest to me? Thank you for the incoming answers.