Access Control Products

Have questions about Application Control, URL Filtering, Site-to-Site IPsec VPN, Network Address Translation, Identity Awareness, and other related technologies? This is the place to ask!

Creating new User Directory Profile

Hi, I'm having an issue with Identity Awareness (IDC, Cisco ISE, dot1x) and LDAP lookups. Running R80.30 take 111 on mgmt and gates.

Our laptops authenticate using a certificate with the Subject CN=<fqdn of client>. This does not translate well to sAMAccountName in the AD, of course. But this certificate template is apparently a standard for AD machine certs. The users themselves authenticate as usual with sAMAccountName; that works nicely on the gateway.

The guy in charge of our CA and cert templates quit, and no one has taken over the job yet. So until that is done and I've managed to convince them that <fqdn> is not very good, I'm stuck with a couple of alternatives:
* Skip machine authentication and allow traffic as usual via IP/IP network.
* Create two LDAP Account Units where one runs a custom User Directory Profile.

How would I go about creating a copy of the existing Microsoft_AD profile, with a new name of course? I tried creating a new Profile in guidbedit, basically a copy of "Microsoft_AD", as I went row by row copying values but with "UserLoginAttr" set to "dNSHostName", an attribute that exists in the AD. But when back in SmartConsole, the Profile does not allow me to set a Domain and does not allow SSO to be configured: only a Prefix, and SSO is greyed out. Several R80 Admin Guides mention creating a new profile and copying values, but just that.

Is there a better way to do this via IDC, RADIUS or something else that I haven't thought of? The goal is just to authenticate computers so we can use AD groups or SGTs to allow traffic in the policy. Right now I can get SGTs to work, but then LDAP groups for the users stop working, and vice versa.

Thanks,
David
abihsot__
abihsot__ inside Access Control Products Thursday
views 166 1

appl/urlf AWS S3 not recognized

Hi there,

R80.30 JHF111 with inspection enabled. I build the policy with only the AWS S3 application allowed. Everything else is dropped.

In the logs I see that when the connection goes to s3.amazonaws.com, it is recognized correctly, but when the connection goes to s3.eu-central-1.amazonaws.com, for example, it is no longer the S3 app, but the generic computers/internet category.
Pantsu
Pantsu inside Access Control Products Thursday
views 90 2

checkpoint web filtering works too slow

Hello, I have URL Filtering with proxy. It has been working very slowly for 2 days (web sites are opening very slowly) and CPU on the Check Point has increased. I discovered these error logs, shown below; could they be the cause of this problem?

[ERROR]: uc_log_suppression_set_entry: Failed storing log data in log suppression table!
Markus_Kress
Markus_Kress inside Access Control Products Thursday
views 100 1

updatable objects with wildcard entries

Hi,

We are using updatable objects in our O365 policy. The updatable object "Office Worldwide Services" includes some wildcard domain entries, e.g. "*.msappproxy.net". We figured out that requests which should match these wildcards do not work. Should they work?

We assume that the gateway does a DNS lookup for every FQDN which is listed in the updatable object and caches it. For wildcard entries this is not possible. Are we right?

Can someone explain how the updatable object mechanism works? Or is there a good article in the knowledge base?
PhoneBoy
inside Access Control Products Tuesday
views 260 3 3
Admin

HTTPS Inspection and macOS 10.15 (Catalina)

Apple has changed the requirements regarding HTTPS server certificates in its products, mainly Catalina 10.15 and iOS 13. SHA1-signed certificates are no longer considered secure and servers using them will be blocked.

The default CA certificate we generate for HTTPS Inspection is SHA1 signed. This means end users with a default HTTPS Inspection CA certificate using macOS 10.15 endpoints will encounter an untrusted certificate error message. More details (and a solution) can be found in sk163932.

In R80.40, the default HTTPS Inspection CA certificate will be SHA256 signed. This change will also be integrated into upcoming Jumbo Hotfixes for other R80.x releases.

SSL inspection bypass for Signal app

Hi,

Did someone manage to configure SSL Inspection bypass for the Signal app on R80.30 based on a custom application? I have SSL enhanced inspection enabled, 1 rule with a custom application (textsecure-service.whispersystems.org) with action Bypass, and a second rule to inspect everything. Signal traffic always hits the second rule. In the logs I can find:

First SSL Inspection log: textsecure-service.whispersystems.org Detected
Second SSL Inspection log: Matched Category: Uncategorized, HTTPS Inspected

So it looks like the application (URL) is detected properly but the NGFW still wants to inspect it.

Best Regards,
Maciej
Employee

syslog

What are the compatible syslog servers with the Check Point firewall?
Employee

captive portal

Dear Team,

Which browsers are compatible with Captive Portal through our Check Point firewall?
prashantds
prashantds inside Access Control Products Sunday
views 245 9

Make Windows Server accessible publicly.

Hi All,

I am very new to Check Point Firewall. We are using R77.30. We want to make our server accessible publicly by using a public IP. This public IP has a different gateway than the current one which is configured on the firewall for internet access. I have tried making a Node with Static NAT, and allowed the traffic by making rules, but when I use that, internet stops working on the server, and it's not working.

Please suggest.

Thanks,
Prashant
D_W
D_W inside Access Control Products a week ago
views 220 5

Url categorization issue specific sites

Hi, quick question about Application and URL Filtering without HTTPS Inspection on R80.10. We block the category "web-advertisement", and at the moment when someone tries to access https://fontawesome.com it gets blocked, and we only see that "ad-balancer.at" in SmartLog is getting blocked in that session. Anyone with the same behaviour?

KR,
David
beneaton
beneaton inside Access Control Products a week ago
views 124

VOIP - One way audio / Transmission - Protocol violation

Hi,

I have seen a few questions like this asked, but OPs have either not replied or fixed their issue for their own specific environment.

Customer is getting VoIP one-way audio/transmission intermittently.
1. It is probably 1 in every 6 or 7 calls that get affected during the call (i.e. starts off fine).
2. If a call is made immediately after the call that has just had OWT in the call, the new call has OWT from the start.
3. A log entry for the call that connected and had OWT part-way through shows no errors (but I assume this is likely because the log was generated when it accepted the traffic, and won't revise itself to reflect any noticeable issues?).
4. The call immediately after (which has the OWT from the get-go) is still an accept log, but has the Alert! and the same warning as posted in the OP's post: "Firewall - Protocol violation detected with protocol:(RTP), matched protocol sig_id:(1), violation sig_id:(9), (500)".
5. The log that gets alerted shows the same Interface as all the other accepts (without Alert!), but the Interface arrow points UP not DOWN. Maybe a red herring, but thought worth mentioning.
6. I have asked for a copy of their rule that the accept log matched, which I'll add once I have it.
7. NAT is being used.

Or is it even just a case that the CP FW is unlikely to be the cause of the OWT? I'm trying to help a customer get to the bottom of it; they are not pointing the finger at us/Check Point, but we want to prove it one way or another.

Thanks,
Ben
Shahar_Grober
Shahar_Grober inside Access Control Products a week ago
views 248 7

Identity Awareness on Remote Gateway

Hi,

I have an issue with Identity Awareness where I want to configure IDA on a remote gateway. The topology is AD --> Corporate GW <---S2S VPN---> Remote GW. IDA is working well in the main office where the AD is and the corporate GW has direct access to the AD. When I try to connect the remote gateway with the AD I get the following error:

"An error was detected while trying to authenticate against the AD server. It may be a problem of bad configuration or connectivity. Please refer to the troubleshooting guide for more help"

There are no instructions in the IDA manual or SK on how to work in such a configuration. Does anyone have experience with it or can help troubleshoot? (I have already contacted support but they aren't very helpful.)
Alexey_Dagil
Alexey_Dagil inside Access Control Products a week ago
views 211 4

Identity Awareness ignores machines

Hello! I am setting up a test environment. There is a distributed installation of Check Point, a pair of test computers, AD DS, IIS. AD Query connects correctly. Then, when changing the user, the message "Machine (machine name) at (IP address) has 1 users (or more) currently connected to it, and will be automatically ignored" appears in the logs. I did not make any additional settings on the gateway or in the account unit. Please tell me how to fix it.Thanks!!
Johan_Rudberg
Johan_Rudberg inside Access Control Products a week ago
views 263 7

Identity awareness Access Rules

Hello,

We are using Identity Awareness with Identity Collector. We created an access rule within the access policy in order to block a group of computers from accessing the internet; however, this does not work, the traffic doesn't even match this rule. Creating a similar rule for users from the AD works just fine, but not for the computers. Any ideas?

Running version R80.20 HFA Take 91.

//Johan
Howard_Gyton
Howard_Gyton inside Access Control Products 2 weeks ago
views 461 7 1

R80.30 - Recent HTTPS inspection issues

For the last few months we had been seeing a steady increase in sites that did not suffer undergoing HTTPS inspection very well, and a small handful that we could not even create reliable "Bypass" rules for. Our upgrade path was from R77.30 to R80.30 on the gateways, and an export/import to our new R80.30 management server.

We had been given a number of options by both CP and our support partners, all of which sadly failed, but I and a colleague dug a little deeper and found the real cause and fix.

One of the sites in question was https://roccochiou.weebly.com/

When attempting to connect to this site, due to some local settings I will come to, a TLS1.1 connection was attempted at the TLS Record layer (outer, for simplicity) but TLS1.2 at the Client Hello layer (inner). Due to a known issue, documented in https://github.com/openssl/openssl/blob/OpenSSL_1_1_1-stable/ssl/record/rec_layer_s3.c#L850, this would cause the site to fail to load.

Advice given was to rebuild our firewalls to R80.30, which we didn't do and which would have failed anyway, and adding the site's certificate/chain to the firewall's list of trusted CAs, which also didn't work.

What it turned out to be in the end was an SK we followed back in 2017, when we were still running R77.30: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk107744

In essence, this was to enable enhanced SSL inspection and also raise the "ssl_min_ver" to TLS1.1. During a more recent ticket, again with sites failing to load, we were advised to turn off the enhanced SSL inspection, but we had forgotten about the "ssl_min_ver".

I just happened to run a search for "HTTPS Inspection TLS1.1" on this forum, and found an article that jogged my memory and solved the issue for us by changing the "ssl_min_ver" back to its default value of "TLS1.0".

My take on this, on reflection, is that the ticket had dragged on for weeks with no end in sight, had repeatedly resisted our requests for escalation, and overall could have been handled better. One bit of advice we thought of, as part of support staff's scripts, would be:
1. Ask the customer whether they have any non-default values set on relevant tables.
2. Possibly have a script that would trawl a customer's database for non-default values, then inspect tables relevant to the issue at hand.

With hindsight being 20:20 it's easy to make these suggestions, but hopefully they would speed up ticket resolution, and would be applicable to other issues, not just HTTPS Inspection.

Howard