Access Control Products

Have questions about Application Control, URL Filtering, Site-to-Site IPsec VPN, Network Address Translation, Identity Awareness, and other related technologies? This is the place to ask!

inside Access Control Products Saturday
views 72 1

Redirect NTP and DNS requests through NAT

Hi Team,

One of our customers needs to redirect all outbound NTP requests to the Internet to their internal NTP server only, so that when internal users try to hit an external NTP server they're really talking to the customer's internal NTP server, and be none the wiser. The customer wants to do the same with the DNS requests. The goal is to prevent users from using external NTP and DNS servers without reconfiguring their laptops.

This seems like an easy thing to do with NAT, and we found out that some vendors provide a solution through NAT, but Check Point doesn't allow us to configure a NAT rule with Many-to-One in the destination field. Here is essentially what the customer wants to do: And attached is a screen capture of the NAT rule we are trying to install with no success.

Is there any NAT trick that can be used to get this to work? The customer is open to implementing a workaround if we can provide one.

Thanks, Katia

Load balancing - ConnectControl not NATing

Hello all,

I am trying to configure load balancing with my Check Point firewalls - two 5200 series firewalls configured in High Availability mode. I have followed to the letter the instructions in have two HTTPS servers on addresses and; I created a virtual IP of (different subnet) for them. I also added the VIP to the ARP proxy on both appliances.

When I try to ping (the VIP) from a workstation, the ping is successful; however, the reply comes from the actual server address, not from the VIP. And when I try to access the VIP using HTTPS, it simply does not work. I sniffed the packets and I can see an HTTP response from the actual server address (not from the VIP) which is not taken by the target machine since it is not expecting the response from that address.

In my mind, the response should be coming from the VIP, and everything should be NATed back and forth to the server addresses (as opposed to a simple redirection). What am I doing wrong?

Please advise, thanks! Pablo
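Both posts above come down to the same mechanism: a gateway that rewrites the destination of a client's packet (many-to-one destination NAT for NTP/DNS in the first post, VIP-to-real-server in the second) also has to rewrite the source of the reply on the way back, or the client sees a response from an address it never sent to and discards it, which is exactly the symptom Pablo captured. The following is an added illustration written for this page, not Check Point code or anything from either poster. It models a minimal stateful destination NAT with a connection table and shows the accepted reply with reverse translation beside the rejected reply without it. All addresses, ports and packets are constructed for the example.

```python
"""Stateful destination NAT (many-to-one) with reverse translation of replies.

Added example for the two posts above; not Check Point code. Addresses, ports
and rules are constructed for illustration.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str  # "udp" or "tcp"


# Redirect rule: any destination with this proto/port goes to the internal server.
# Server addresses are assumptions for the example.
REDIRECT_RULES = {
    ("udp", 123): ("10.10.0.5", 123),  # outbound NTP -> internal NTP server
    ("udp", 53): ("10.10.0.6", 53),    # outbound DNS -> internal resolver
    ("tcp", 53): ("10.10.0.6", 53),    # DNS over TCP as well
}


class Nat:
    def __init__(self, rules):
        self.rules = rules
        # (proto, client, client_port, translated_dst, translated_port) -> (orig_dst, orig_dport)
        self.table = {}

    def outbound(self, pkt):
        """Client -> Internet: rewrite the destination and remember the original."""
        rule = self.rules.get((pkt.proto, pkt.dport))
        if rule is None:
            return pkt  # not covered by a redirect rule, forwarded untouched
        new_dst, new_dport = rule
        self.table[(pkt.proto, pkt.src, pkt.sport, new_dst, new_dport)] = (pkt.dst, pkt.dport)
        return replace(pkt, dst=new_dst, dport=new_dport)

    def inbound(self, pkt):
        """Real server -> client: restore the address the client originally asked for."""
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        orig = self.table.get(key)
        if orig is None:
            return pkt  # no matching connection, nothing to un-translate
        orig_dst, orig_dport = orig
        return replace(pkt, src=orig_dst, sport=orig_dport)


def client_accepts(request, reply):
    """A UDP or TCP client only accepts a reply that mirrors the 4-tuple it sent to."""
    return (reply.src, reply.sport, reply.dst, reply.dport) == (
        request.dst, request.dport, request.src, request.sport)


def demo(un_nat_reply=True):
    """Run one NTP request through the NAT; return (packet seen by server, reply seen by client, accepted?)."""
    nat = Nat(REDIRECT_RULES)
    # Constructed: client asks a public NTP server; the gateway redirects it internally.
    req = Packet("192.168.1.20", 40000, "129.6.15.28", 123, "udp")
    fwd = nat.outbound(req)
    # The internal server answers to whatever it received.
    reply = Packet(fwd.dst, fwd.dport, fwd.src, fwd.sport, fwd.proto)
    if un_nat_reply:
        reply = nat.inbound(reply)
    return fwd, reply, client_accepts(req, reply)


if __name__ == "__main__":
    for mode in (True, False):
        fwd, reply, ok = demo(un_nat_reply=mode)
        print(f"reverse translation {'on ' if mode else 'off'}: server saw dst {fwd.dst}, "
              f"client saw reply from {reply.src}, accepted={ok}")
```

With reverse translation on, the client sees the reply coming from 129.6.15.28 and accepts it; with it off, the reply arrives from 10.10.0.5 and is dropped by the client, which is the behaviour described in the load-balancing post.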
hakanka inside Access Control Products Friday
views 147 4

About integration between my AD and checkpoint

Hi, I am a newbie on Check Point management. Please forgive me if I am wrong. I am managing 2 firewalls in my city. I have an issue on one of them. One of them has AD with Windows Server 2012, and there is no issue after changing the firewall group in the user's firewall groups at AD. But the other firewall has AD with Windows Server 2008, and after I change the firewall group of one user, the info arrives very delayed (half an hour, an hour or more if the location is on MPLS), so we cannot react quickly when we need changes on FW groups. What do you suggest to me? Thank you in advance for your answer.

(When) Will there be a configurable VPN client for Android Enterprise

Currently the Capsule VPN client for Android cannot be configured by using an EMM solution. When will there be a new version of Capsule VPN that does support adding a configuration for Android Enterprise? Regards, Almar
Larry_Birch inside Access Control Products Wednesday
views 147 1

Passive FTP Issue

Since moving to R80.20 we've had an issue with the "ftp" service. As a stop gap we used "ftp-protocol-signature" and match for any, which is now causing issues as a great number of ports are now sporadically identified as such (80, 53, 443, etc.). I am now trying to get back to the port based ftp service and having issues. To troubleshoot I have an "ftp" rule followed by an "ftp-protocol-signature" rule.

The initial ftp connection on port 21 matches on the "ftp" service rule; however, upon negotiation of the data port it falls through to the second "ftp-protocol-signature" rule around line 8:

No.  Time      Source           Destination    Protocol  Length  Info
1    0         192.139.152.XXX  216.8.153.YYY  TCP       62      55479 > 21 [SYN] Seq=0 Win=32768 Len=0 MSS=1460 WS=1
2    0.034743  192.139.152.XXX  216.8.153.YYY  TCP       54      55479 > 21 [ACK] Seq=1 Ack=1 Win=32768 Len=0
3    0.050639  192.139.152.XXX  216.8.153.YYY  FTP       60      Request: SYST
4    0.066276  192.139.152.XXX  216.8.153.YYY  FTP       72      Request: USER *********
5    0.08137   192.139.152.XXX  216.8.153.YYY  FTP       69      Request: PASS **********
6    0.154162  192.139.152.XXX  216.8.153.YYY  TCP       54      55479 > 21 [ACK] Seq=40 Ack=235 Win=32768 Len=0
7    0.168541  192.139.152.XXX  216.8.153.YYY  FTP       60      Request: PASV
8    0.184125  192.139.152.XXX  216.8.153.YYY  TCP       62      55486 > 63690 [SYN] Seq=0 Win=32768 Len=0 MSS=1460 WS=1
9    0.198893  192.139.152.XXX  216.8.153.YYY  FTP       83      Request: STOR FILEXXXXX
10   0.214221  192.139.152.XXX  216.8.153.YYY  TCP       54      55486 > 63690 [ACK] Seq=1 Ack=1 Win=32768 Len=0
11   0.229467  192.139.152.XXX  216.8.153.YYY  TCP       1406    55486 > 63690 [ACK] Seq=1 Ack=1 Win=32768 Len=1352
12   0.229566  192.139.152.XXX  216.8.153.YYY  TCP       1406    55486 > 63690 [ACK] Seq=1353 Ack=1 Win=32768 Len=1352
13   0.22961   192.139.152.XXX  216.8.153.YYY  TCP       764     55486 > 63690 [PSH, ACK] Seq=2705 Ack=1 Win=32768 Len=710
14   0.229614  192.139.152.XXX  216.8.153.YYY  TCP       54      55486 > 63690 [FIN, ACK] Seq=3415 Ack=1 Win=32768 Len=0
15   0.245719  192.139.152.XXX  216.8.153.YYY  TCP       54      55486 > 63690 [ACK] Seq=3416 Ack=2 Win=32768 Len=0
16   0.245726  192.139.152.XXX  216.8.153.YYY  FTP       59      Request: PWD
17   0.260447  192.139.152.XXX  216.8.153.YYY  FTP       83      Request: RNFR FILEXXXXX
18   0.275011  192.139.152.XXX  216.8.153.YYY  FTP       86      Request: RNTO FILEYYYYY
19   0.30613   192.139.152.XXX  216.8.153.YYY  FTP       60      Request: QUIT
20   0.3216    192.139.152.XXX  216.8.153.YYY  TCP       54      55479 > 21 [FIN, ACK] Seq=147 Ack=449 Win=32768 Len=0
21   0.321714  192.139.152.XXX  216.8.153.YYY  TCP       54      55479 > 21 [ACK] Seq=148 Ack=450 Win=32768 Len=0
22   1.576145  192.139.152.XXX  216.8.153.YYY  TCP       66      21 > 63691 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
23   1.590468  192.139.152.XXX  216.8.153.YYY  FTP       81      Response: 220 Microsoft FTP Service
24   1.605046  192.139.152.XXX  216.8.153.YYY  FTP       77      Response: 331 Password required
25   1.620133  192.139.152.XXX  216.8.153.YYY  FTP       1088    Response: 230-WARNING:
26   1.62016   192.139.152.XXX  216.8.153.YYY  FTP       75      Response: 230 User logged in.
27   1.634786  192.139.152.XXX  216.8.153.YYY  FTP       74      Response: 200 Type set to I.
28   1.648881  192.139.152.XXX  216.8.153.YYY  FTP       70      Response: 215 Windows_NT
29   1.663016  192.139.152.XXX  216.8.153.YYY  FTP       88      Response: 211-Extended features supported:
30   1.663093  192.139.152.XXX  216.8.153.YYY  FTP       72      Response:  LANG EN*
31   1.663115  192.139.152.XXX  216.8.153.YYY  FTP       107     Response:  AUTH TLS;TLS-C;SSL;TLS-P;
32   1.663132  192.139.152.XXX  216.8.153.YYY  FTP       61      Response:  HOST
33   1.663153  192.139.152.XXX  216.8.153.YYY  FTP       91      Response:  SIZE
34   1.677245  192.139.152.XXX  216.8.153.YYY  FTP       112     Response: 200 OPTS UTF8 command successful - UTF8 encoding now ON.
35   1.712574  192.139.152.XXX  216.8.153.YYY  FTP       83      Response: 250 CWD command successful.
36   1.729417  192.139.152.XXX  216.8.153.YYY  FTP       103     Response: 550 The system cannot find the file specified.
37   1.74992   192.139.152.XXX  216.8.153.YYY  FTP       107     Response: 227 Entering Passive Mode (192,139,152,XXX,237,68).
38   1.764894  192.139.152.XXX  216.8.153.YYY  TCP       66      60740 > 24973 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
39   1.788989  192.139.152.XXX  216.8.153.YYY  FTP       108     Response: 125 Data connection already open; Transfer starting.
40   1.803761  192.139.152.XXX  216.8.153.YYY  TCP       54      60740 > 24973 [ACK] Seq=1 Ack=2107 Win=131072 Len=0
41   1.807151  192.139.152.XXX  216.8.153.YYY  TCP       54      60740 > 24973 [ACK] Seq=1 Ack=2108 Win=131072 Len=0
42   1.8073    192.139.152.XXX  216.8.153.YYY  TCP       54      60740 > 24973 [FIN, ACK] Seq=1 Ack=2108 Win=131072 Len=0
43   1.807392  192.139.152.XXX  216.8.153.YYY  FTP       78      Response: 226 Transfer complete.
44   1.880154  192.139.152.XXX  216.8.153.YYY  FTP       68      Response: 221 Good-Bye
45   1.880182  192.139.152.XXX  216.8.153.YYY  TCP       54      21 > 63691 [FIN, ACK] Seq=1572 Ack=160 Win=130816 Len=0
46   1.895165  192.139.152.XXX  216.8.153.YYY  TCP       54      21 > 63691 [ACK] Seq=1573 Ack=161 Win=130816 Len=0
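The capture above shows why a plain port-based "ftp" rule is not enough for passive FTP: the data connection goes to a port the server only announces at runtime in its 227 reply (the `237,68` pair in frame 37 encodes 237*256+68 = 60740, the server port seen in frames 38 to 42), so the gateway's FTP handler has to parse the control channel and open a pinhole for exactly that endpoint. The following is an added example written for this page, not Check Point code or the poster's data. It parses PASV and EPSV replies, rejects a reply that advertises a host other than the control-connection peer (a pinhole toward a third party is the classic FTP abuse case), and derives the set of data connections a handler would allow. The addresses and control-channel lines are constructed; only the port arithmetic mirrors the capture.

```python
"""Passive FTP data-port derivation, as a gateway FTP handler has to do it.

Added example for the post above; not Check Point code. Addresses and the
control-channel transcript are constructed; the (237,68) -> 60740 arithmetic
matches frame 37 of the capture.
"""
import re

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2).
PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# 229 Entering Extended Passive Mode (|||port|)   (RFC 2428; host is implied)
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d{1,5})\|\)")


def parse_passive_reply(line, control_peer_ip):
    """Return (host, port) the client will dial for the data channel, or None.

    Raises ValueError on malformed replies or when the advertised host is not
    the server we are talking to on the control connection.
    """
    m = PASV_RE.match(line)
    if m:
        octets = [int(x) for x in m.groups()[:4]]
        p1, p2 = int(m.group(5)), int(m.group(6))
        if any(o > 255 for o in octets) or p1 > 255 or p2 > 255:
            raise ValueError(f"malformed PASV reply: {line!r}")
        host = ".".join(str(o) for o in octets)
        port = p1 * 256 + p2
        if host != control_peer_ip:
            # Refuse to open a hole toward an address other than the FTP server.
            raise ValueError(f"PASV host {host} differs from control peer {control_peer_ip}")
        return host, port
    m = EPSV_RE.match(line)
    if m:
        port = int(m.group(1))
        if not 1 <= port <= 65535:
            raise ValueError(f"malformed EPSV reply: {line!r}")
        return control_peer_ip, port
    return None  # any other control-channel line carries no data-port information


def expected_pinholes(control_replies, client_ip, server_ip):
    """Scan server replies and return the (client, server, port) data connections to allow."""
    holes = []
    for line in control_replies:
        endpoint = parse_passive_reply(line, server_ip)
        if endpoint is not None:
            host, port = endpoint
            holes.append((client_ip, host, port))
    return holes


def data_connection_allowed(pinholes, src, dst, dport):
    """Would a SYN from src to dst:dport match a pinhole derived from the control channel?"""
    return (src, dst, dport) in pinholes


# Constructed control-channel transcript (server side), modelled on the capture.
SERVER_IP = "203.0.113.10"
CLIENT_IP = "198.51.100.20"
CONTROL_REPLIES = [
    "220 Microsoft FTP Service",
    "331 Password required",
    "230 User logged in.",
    "200 Type set to I.",
    "227 Entering Passive Mode (203,0,113,10,237,68).",
    "125 Data connection already open; Transfer starting.",
    "226 Transfer complete.",
    "221 Good-Bye",
]

if __name__ == "__main__":
    holes = expected_pinholes(CONTROL_REPLIES, CLIENT_IP, SERVER_IP)
    print("pinholes:", holes)
    print("SYN to 60740 allowed:", data_connection_allowed(holes, CLIENT_IP, SERVER_IP, 60740))
    print("SYN to 63690 allowed:", data_connection_allowed(holes, CLIENT_IP, SERVER_IP, 63690))
```

A data SYN that does not match a pinhole derived this way is what a port-based "ftp" rule cannot account for, which is why such traffic ends up being evaluated by the next rule in the layer instead.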
Blason_R inside Access Control Products Wednesday
views 223 3

Access role in Remote access VPN not working

Hi Folks, I have created a policy for remote access VPN and want to give access to users in an access role. But the rule does not match and it drops. If I choose legacy then it works. But for the inline policy layer it needs to be an access role in the source.
dolph2005 inside Access Control Products Tuesday
views 153 1

Browser based authentication not working

Hi all, I have the following trouble: Browser-Based Authentication is enabled (see attached screenshot), but after successful authentication I get the following message (see screenshot of the message). Has anyone encountered such a problem? OS: Windows 7, 10, Server 2012, Server 2016. CP R77.30. Thanks.
Rccou inside Access Control Products a week ago
views 273 3

VPN from a non-internet interface

Hi, I have been trying to configure a VPN between our Check Points (in ClusterXL) and a Juniper SRX with little success. The situation is that we need to tunnel across the internal network rather than from the internet-facing interface. How would I configure this on the Check Point so that it is listening for IKE on a particular VLAN subinterface rather than the Internet interface? Thanks for your help.
Technical_Servi inside Access Control Products a week ago
views 237 2

Site2Site VPN AWS Setup

Hi All, We have just configured our first VPN with VTIs to AWS as described in sk100726. The tunnels are up and running. Traffic from AWS to our location goes through the tunnels. So far so good. But our GW drops the packets with "dropped by vpn_drop_and_log Reason: According to the policy the packet should not have been decrypted". Any ideas or hints are highly appreciated! Thanks in advance, Marc
Neal_Welsh inside Access Control Products 2 weeks ago
views 247 1 1

Identity Awareness -custom banner text - How to create a new line ?

Hi, I am trying to create a custom text banner for the captive portal (IA blade) as defined in the IA admin guide, section "Changing Portal Text in SmartConsole". Which is basically Global properties \ Advanced \ Configure button (on right) \ Identity Awareness \ Portal Texts, and changing the specific page entry to be modified from the word DEFAULT to the specific text you want.

However, I can't work out how to add carriage returns or new lines (what I need is for text to appear on different lines, as they are currently extending too far off the page to the right). You can't cut and paste text that has a carriage return in it (as the text before the carriage return is the last text that it allows). I have tried "/n", which then gets converted to '/n' and is then displayed as actual text '/n' in the WebUI login page. Also tried '/r/n' and 'r', but they are all displayed as text rather than being identified as performing a carriage return or new line function.

Does anyone know what the correct format is between the text to force it onto a different line? Thanks for any help in advance, Neal

PS I couldn't see an Identity Awareness topic heading / category, so apologies if this is in the wrong category of general topics.
Garrett_Anderso inside Access Control Products 2 weeks ago
views 1304 18

HTTPS Inspection documentation for R80.30

Update: I incorrectly referenced one of the two primary "HTTPS INSPECTION" SK articles. The fundamental argument that CP has not updated its documentation/guides/SKs/etc. for R80.30 is still true. My last quote below sums up the two primary articles. Thanks to @Dale_Lobb for identifying the SK problem.

Hello - I've been poking around looking for full details (and best practices) for the use of HTTPS inspection with R80.30+. SK108202 "Best Practices - HTTPS Inspection" specifically states "This sk is not relevant to R80.30". The next logical question: "where is the updated SK document that does apply to R80.30?" What is a customer supposed to think when encountering this information?

The "new" HTTPS inspection features of R80.30 are native to the code (and not a hotfix like previous releases). I just had a conversation with a customer that relayed various conversations he had with CP folks at the last CPX. In the large majority of conversations, the various CP folks stated "just turn ON HTTPS inspection", grossly oversimplifying a complicated topic. My point: HTTPS inspection is important, we should be encouraging customers to use it (at least, start testing), R80.30 includes the latest and greatest features, and I can't find a unified document that consolidates and showcases all the features and discusses best practice recommendations (for use and performance).

I suggest such a consolidated "one stop shop" for this information is critical. I wasn't able to find it in the R80.30 docs, KB, or community using the search strings "https decryption" or "https inspection". I was trying to simulate what a customer would search for if they wanted to locate this information. Please fix this issue. Thanks in adv. -GA
inside Access Control Products 2 weeks ago
views 183

New Updatable Objects for Microsoft Intune, Zoom, and Okta

For gateways R80.20 and above, we have a few new Updatable Objects:
lior_me1 inside Access Control Products 2 weeks ago
views 1760 12 1

ClusterXL with 1 public IP

Hi, I'm setting up a cluster for an internet connection with 1 public IP, so how should I set the cluster members in terms of routing? How can I get them to go out to the internet?
rkucera inside Access Control Products 2 weeks ago
views 284 3

Identity Awareness - IDC Problems

Hi, we have been using Identity Awareness for a long time now. In the past we always used Identity Agents and had different problems with them (most likely rather client based problems). A while ago we started using Identity Collectors on our AD servers. Basically this works quite well for us, but we have the situation several times a week that different users are not authenticated. Often I see that the ID Collector at the AD recognizes the user but this information does not reach the gateways. Only when I restart the pepd and pdpd services at the gateway does it work again. Has anyone had a similar problem and knows why they occur?

Our Infrastructure: 2 Check Point GWs (Version: R80.30 Take 76), 2 AD Servers with IDC Version: 80.87.0000. Both IDCs report identities to both Gateways and the GWs are configured to share the identities between them.

Best Regards, Rene
Nadav_Hellman inside Access Control Products 2 weeks ago
views 212 7

Mail transfer agent configuration for outgoing mails

Hello guys! I need your help kind of urgently... I'm going tomorrow to a customer's site and I need to block outgoing mails from the Exchange server to the internet with Content Awareness. I tried creating a rule saying that the Exchange server is the source and the internet is the destination (drop rule for a certain data type) and the firewall just didn't catch the traffic that it was supposed to catch (we tried sending test mails from the internal Exchange to a Gmail email). To my understanding, I need to enable Mail Transfer Agent so that the firewall can open up the mail completely and analyze it. Can anyone help with how to configure the above scenario?