Access Control Products

Have questions about Application Control, URL Filtering, Site-to-Site IPsec VPN, Network Address Translation, Identity Awareness, and other related technologies? This is the place to ask!

Identity Awareness Access Role Objects

Hello,

With regards to creating Identity Awareness Access Role Objects, if two or more objects are added, i.e. a network and an AD user group, do only one or both attributes have to match for the user to be granted access?

From the R80.10 administration documentation:

In SmartConsole, you can create Access Role objects to define users, computers and network locations as one object. You can use Access Role objects as a source or a destination parameter in a rule. Access Role objects can include one or more of these objects:
- Networks
- Users and user groups
- Computers and computer groups
- Remote Access Clients

Regards,
Simon
Shahar_Grober inside Access Control Products yesterday
views 162 3

O365 + HTTPS Inspection + Bypass

Hi All,

This issue has been discussed before in https://community.checkpoint.com/t5/Policy-Management/R80-20-HTTPS-Inspection-Bypass-for-Office365/m-p/33297#M2520 but I have a few questions about it.

I am running App Control + HTTPS Inspection in R80.20. In the HTTPS Inspection policy, I bypassed the Microsoft and Office365 services category as in the rule below, but traffic to Office365 is still inspected by HTTPS Inspection. So in order to mitigate it, I had to create a custom category with all Office365 and MS domains.

My questions are:
1. Is the fact that the "Microsoft & Office365 services" category does not resolve Microsoft & Office365 URLs/domains a bug in R80.20?
2. Is there a way to make it work in R80.20 without adding all Microsoft domains to the bypass rules (and without waiting for R80.40)? (sk104564 discusses adding manual domains but it refers to R70.20 only. If it is relevant to R80.20 as well, please update the SR.)
3. It is discussed that activating "enhanced_ssl_inspection" can help with this issue. What is this exactly and how can it be achieved?
Peter_Elmer (Employee+) inside Access Control Products yesterday
views 989 2 9

Performance Test Documentation HTTPS Inspection and Content Awareness

The video documents performance test results where a 16000 appliance achieves 5Gbps while sustaining 3000 connections per second performing HTTPS Inspection, Content Awareness and attack prevention. The test is based on the IXIA Enterprise Traffic Mix and uses the R80.30 software release.

Site to Site VPN configuration suggestion

Hello everybody,

We have a customer with a topology like this:

They have established VPN tunnels between a Cisco ASA (which will be replaced with FirePower, as in the image above) and remote peers (different devices). The current configuration is such that the ASA has all private IP addresses and NAT to the public IP address used for VPN peering is being done on the Check Point GW.

They reported a few issues after the upgrade from version 77.30 to version 80.10. Also, I have read that it's not the best design decision to have NAT configured like this in a S2S VPN configuration.

What are your thoughts on this? Do you have any suggestions on how it should be done "properly"?

Thank you all in advance,
Ivan
Dave_Hoggan inside Access Control Products Saturday
views 212 3

Unwanted VPN Routing Between RA and S2S Communities

Hi,

I've been having a tough time trying to get something to NOT work and am hoping that someone can suggest how I can achieve what I am trying to do.

The scenario is a HQ office and two data centres, each with a R80.xx cluster terminating VPNs. The three sites are connected by VPLS and routing is handled by OSPF throughout the core network and up to the clusters. The preference is to keep all site traffic over the VPLS unless there is an issue and then fail over to S2S VPNs. Because of this, there is a S2S VPN mesh community containing DC1, DC2 and HQ, and each cluster has an encdom of only those networks local to the cluster (so the HQ encdom is the HQ networks; the DC1 encdom is the DC1 networks). Note: whilst the community is created, there are no access rules defined allowing traffic to pass between DC1, DC2 and HQ networks, not even a rule with a VPN column of "any".

We also have a RA community in first-to-respond MEP configuration. RA users can connect to DC1 or DC2 and be assigned an office mode address by the cluster. Users can then access resources local to the cluster to which they are connected.

The issue is that if a user connects to DC1 and tries to access a resource in DC2, the DC1 cluster attempts to VPN route the traffic over the S2S VPN, which (1) is not what we want and (2) does not work as there are no rules to permit the traffic. We want DC1 to route the traffic over the VPLS to DC2.

In the logs we see DC1 decrypt the remote access traffic and show a source IP of the OM IP address. We then see a log entry from DC2 dropping the traffic on the cleanup rule (again the source IP is the DC1 OM address, so no NAT is occurring). The interesting point is that an fw monitor on DC1 shows inbound packets arrive on DC1 with inbound chain "id" and "ID" and then outbound chain "o" and "O" on the interface connecting to the core router.

So at this point all looks to be OK, but then we see the packet being sent over the S2S VPN on the external interface!

I think this is being caused by an implied rule:
Source: MemberGWs.EncDomain@MyIntranet
Dest: MemberGWs.EncDomain@MyIntranet
VPN: Any
Services: EncryptedServices@MyIntranet
Action: Encrypt&Continue

But I cannot find any way to remove this implied rule. vpn_route.conf is blank and the community's "Accept all encrypted traffic" is not ticked. If I remove the destination network from the DC2 encdom, then traffic is passed over the internal network as expected, so it is definitely the S2S configuration causing the issue.

Can anyone see what I am missing?

Thanks,
Dave
Wyatt_Felger inside Access Control Products Saturday
views 147 4

HTTPS Inspection Bypass GooglePlay

We have scan guns that are having trouble getting to the Google Play store. It appears, based on errors, that Google Play does not use the Android certificate store to use our HTTPS inspection certificate.

I have opened up the clients to bypass the following URLs but am still having issues:
*.google.com
google.com
*.googleapis.com
googleapis.com

I don't see other Google entries in the inspection and according to the logs the clients are getting bypassed, but it hasn't been until I bypass all HTTPS inspection for the specific client that it is fully able to connect to the Google Play store, register, and download files.
Luisnego inside Access Control Products Saturday
views 108 1

Identity Collector Windows Server 2019

Hello, CheckMates,

I have a doubt about creating a new server with IC: can I use Windows Server 2019 to install an Identity Collector? I was reading the documentation and I only see Windows Server 2008 or Windows Server 2008 R2, Windows Server 2012 or Windows Server 2012 R2, and Windows 2016.
humt inside Access Control Products Friday
views 148 2

Url filtering [Malware/Adware]

I am facing a big issue with a virus (Malware/Adware), and I am fed up now. I have formatted my system 3 times and reset the firewall 2 times, but the virus has not gone yet. The firewall is not able to block it yet. Even the antivirus has not been able to clean it yet. It is coming again and again, and I am not sure how it entered the system.

Behaviour:
1) Internet auto-disconnecting again and again.
2) Changing the settings of the firewall, I feel. It stops accessing the localhost IP address.
3) I feel that when I synchronize the data with Google for backup, the virus is entering the system. Is it possible the virus is entering via Google? I take Chrome data only via synchronize.

These are the websites which open sometimes, with different websites:
arcaptarts[.]site
allashark[.]site
areantaid[.]site

I have blocked these websites manually, but it is useless. A new website is almost always coming in the next 2-4 days.
JG inside Access Control Products Wednesday
views 210 1

Checkpoint NAT Best Practices

For Checkpoint is there a best practice guide for the NAT table?
KWD inside Access Control Products a week ago
views 281 3

Site to Site VPN HTTPS External Interface

Hello,

I have an existing clusterA with 2 gateways and a SMS server. ClusterA has several internal interfaces, an external interface and a sync. I have a new external clusterB that I have successfully added to my SMS. The external clusterB has 2 internal interfaces, 1 external interface and a sync interface.

From the internal interface of clusterA to the external interface of the new clusterB, I was able to SSH, HTTPS and ping. After setting up a site to site VPN between clusterA and clusterB, I can no longer SSH or HTTPS from the internal interface of clusterA to the external interface of clusterB, but I can still ping from the internal interface of clusterA to the external interface of clusterB. I can SSH/HTTPS from the internal interface of clusterA to the internal interfaces of clusterB.

On my other site to site VPNs (which I don't manage with my SMS), I see SSH being accepted on an implied rule, but on my new cluster, SSH just drops to the cleanup rule.

Any ideas on what the issue is? Why can I no longer SSH/HTTPS from the internal interface of clusterA to the external interface of clusterB?

Thanks
Borut_Vozelj inside Access Control Products a week ago
views 499 6

Default process affinity on R80.30

Hi

I'm noticing some strange CPU usage on our gateway since the upgrade to R80.30 3.10 (currently on JHF T50). The hardware was also changed at the same time (HP DL360 Gen10). We have an 8 core license.

The first thing I noticed was the weird CPU allocation for CoreXL and SecureXL. We have the gateway configured with 6 CoreXL cores, and 2 for SecureXL. In the previous version (80.10) CPUs 2-7 were assigned to CoreXL and 0 and 1 to SecureXL. Now, the distribution is something I'm not used to.

# fw ctl affinity -l -r
CPU 0:  eth8
CPU 1:
CPU 2:
CPU 3:  fw_5 mpdaemon fwd wsdnsd usrchkd in.asessiond in.acapd vpnd pepd lpd rad pdpd topod cprid cpd
CPU 4:  fw_3 mpdaemon fwd wsdnsd usrchkd in.asessiond in.acapd vpnd pepd lpd rad pdpd topod cprid cpd
CPU 5:  fw_1 mpdaemon fwd wsdnsd usrchkd in.asessiond in.acapd vpnd pepd lpd rad pdpd topod cprid cpd
CPU 6:
CPU 7:  eth9 eth4
CPU 8:
CPU 9:  fw_4
CPU 10: fw_2
CPU 11: fw_0
All:
The current license permits the use of CPUs 0, 1, 2, 3, 4, 5, 6, 7 only.

What has changed in R80.30 that CoreXL is using cores 3,4,5,9,10,11? Is it trying to evenly distribute load between physical CPUs? Why was SecureXL affinity set to cores 0 and 7 by default (why not 0 and 6)? I configured manual affinity using the default values.

Also, CoreXL instances don't seem to balance load as nicely as in R80.10.

This was the CPU usage in R80.10:

And this is R80.30:

As you can see, cores 3-5 are utilized much more than cores 9-11. I presume this is because the default affinity for processes is set only to cores 3-5. Why is that? Is that a feature or a bug? Is there a simple way to persuade the process affinity to be on all CoreXL cores without manually setting the affinity in fwaffinity.conf for every possible process?

Best regards
Alejandro_Ferna inside Access Control Products a week ago
views 279 4

Captive portal fails randomly

Hi, we are having some issues with captive portal authentication.

Users get this message randomly (with the correct password):

Once this message appears, it's impossible to log in. The user has to close the browser's tab and try again until it works.

These are the related pdpd.elg log entries:

[16716 4105733904]@hades1[29 Oct 16:00:00] [TRACKER]: #405402 -> INCOMING -> PORTAL_REQUEST -> Portal Hello from ip: 10.10.4.22
[16716 4105733904]@hades1[29 Oct 16:00:00] [TRACKER]: #405403 -> OUTGOING -> PORTAL_RESPONSE -> hello ok...ip: 10.10.4.22 ,session: f9a1fbc6
[16716 4105733904]@hades1[29 Oct 16:00:09] [TRACKER]: #405438 -> INCOMING -> PORTAL_REQUEST -> login_auth for session: f9a1fbc6, user: a.fernandez
(The user gets the "login failed" message here)
[16716 4105733904]@hades1[29 Oct 16:01:42] [TRACKER]: #405805 -> INCOMING -> PORTAL_REQUEST -> login_auth for session: f9a1fbc6, user: a.fernandez
[16716 4105733904]@hades1[29 Oct 16:01:48] [TRACKER]: #405855 -> INCOMING -> PORTAL_REQUEST -> login_auth for session: f9a1fbc6, user: a.fernandez
[16716 4105733904]@hades1[29 Oct 16:02:12] [TRACKER]: #405957 -> INCOMING -> PORTAL_REQUEST -> login_auth for session: f9a1fbc6, user: a.fernandez
[16716 4105733904]@hades1[29 Oct 16:02:13] [TRACKER]: #405963 -> INCOMING -> PORTAL_REQUEST -> login_auth for session: f9a1fbc6, user: a.fernandez
[16716 4105733904]@hades1[29 Oct 16:02:31] [TRACKER]: #406040 -> INCOMING -> PORTAL_REQUEST -> login_auth for session: f9a1fbc6, user: a.fernandez
(After a few clicks on the "Log In" button, the user closes the tab and reopens it)
[16716 4105733904]@hades1[29 Oct 16:02:53] [TRACKER]: #406179 -> INCOMING -> PORTAL_REQUEST -> Portal Hello from ip: 10.10.4.22
[16716 4105733904]@hades1[29 Oct 16:02:53] [TRACKER]: #406181 -> OUTGOING -> PORTAL_RESPONSE -> hello ok...ip: 10.10.4.22 ,session: e12519ba
[16716 4105733904]@hades1[29 Oct 16:03:04] [TRACKER]: #406314 -> INCOMING -> PORTAL_REQUEST -> login_auth for session: e12519ba, user: a.fernandez
[16716 4105733904]@hades1[29 Oct 16:03:04] [TRACKER]: #406315 -> OUTGOING -> PORTAL_RESPONSE -> auth ok!... session: e12519ba
[16716 4105733904]@hades1[29 Oct 16:03:04] [TRACKER]: #406316 -> INCOMING -> PORTAL_REQUEST -> login_seq_done for session: e12519ba
[16716 4105733904]@hades1[29 Oct 16:03:04] [TRACKER]: #406319 -> OUTGOING -> PORTAL_RESPONSE -> login_seq_done ok...session: e12519ba
[16716 4105733904]@hades1[29 Oct 16:03:04] [TRACKER]: #406320 -> INCOMING -> PORTAL_REQUEST -> agent_settings for session: e12519ba
[16716 4105733904]@hades1[29 Oct 16:03:04] [TRACKER]: #406321 -> OUTGOING -> PORTAL_RESPONSE -> agent_settings ok... session: e12519ba
(Log in success at first attempt)

Any idea or clue about this issue? This is a R80.10 on-premise gateway.

Thank you!
Alex
XC inside Access Control Products 2 weeks ago
views 319 6

Proxy settings

Hi,

Using R77.30.

I'm getting the following log entry when attempting to access a website using HTTPS that's been allowed in the policy: "Proxy: Internal error; Connection was rejected due to internal error"

The firewall cluster is set up to use the gateway as a HTTP/HTTPS Proxy in Non Transparent mode
Specific interfaces - includes the LAN interface
Ports 8081 and 8080

Does anything need to be set on the client side to bypass the proxy, or are any other changes required on the firewall?

Many thanks for any advice on this.
Sree_checkpoint inside Access Control Products 2 weeks ago
views 284 4

URL filtering not working

On the Check Point management server we have an ordered layer for our access rules: Access, Application and URL Filtering. We need to whitelist a certain subnet to access certain specific URLs, and the rest of the Internet access from that subnet is denied by the default deny rule in the Application and URL Filtering rule base. Below are some of the URLs I need whitelisted.
https://api.nuger.org
https://www.nuget.org/

So for this access I created a new custom Application/Site and created a rule in the Application/URL Filtering rulebase with source as the subnet, destination as any, and in services/applications I put the newly created custom Application/Site, with action permit. When I check the custom Application/Site I created I can see that http and https are allowed. Now when I try to access the website from the host in that subnet it is still getting blocked as per the default deny rule in the Application and URL Filtering rule base, even though I have kept the newly created rule above the default deny. Can someone please help me to understand why this is happening and what the solution is.
Sanjay_S inside Access Control Products 2 weeks ago
views 333 4 1

Identity Awareness for Remote Access Users

Hi All,

We enabled the Identity Awareness blade yesterday. This has been enabled mainly for the Remote Access VPN users. I am able to fetch the details from AD and created the Access Role for the specific group in the AD and provided ANY access for that particular group. But it doesn't seem to be working. Users are able to connect to Remote Access (e.g. user Bob logs in to RA; I can see the Identity Awareness blade shows the login and logout details) but the problem is it is not hitting the Any rule configured. So the users are not able to have the complete access which they require. Please let me know how to proceed further on this.

Below are the details:
GW: R77.30 Take 225
MDS: R80.10 Take 121

Let me know if you need any more details on this.

Thank you in advance.