Troy_Yeske
inside Access Control Products 2 hours ago
views 70 3
Employee

Understanding url filtering app control on https sites...

Trying to understand some behavior: we have an access control rule that blocks uncategorized sites. The site below is visited and access to it is blocked as uncategorized; it is an HTTPS site and yet it is categorized as Business/Economy. The destination is visible in the logs as seen below, yet even though the destination is recognized, URL Filtering still says it is uncategorized. I'm assuming this is because it is HTTPS and only the IP address is scrutinized, but I just wanted to understand why, if the destination is visible, it isn't categorized as such.
Luis_Filipe
Luis_Filipe inside Access Control Products 2 hours ago
views 67 5

Debug with ikeview

Hello folks, I have a simple question. I need to troubleshoot a VPN site-to-site tunnel: is it safe to use the ikeview tool to analyze the logs on a heavy (a lot of traffic and users) production firewall? Does this tool have the ability to bring a firewall down (stop it working) while in debug mode? Thanks in advance, guys.
Peter_Baumann
Peter_Baumann inside Access Control Products yesterday
views 66 3

Application for CRL downloads

Hello,

Here at the customer site the clients only have internet access through the CP proxy. For SSL certificate revocation checks the clients fetch CRL lists according to the different certificates they use.

Now, there is no "CRL Application" in Application Control, nor any category for this. As a workaround the customer is using a manual "CRL list", which is not a good solution for CRL fetching.

The only way seems to be to create a custom application for this, for example using the MIME type of .crl, see here: https://pki-tutorial.readthedocs.io/en/latest/mime.html

Matching MIME types would be:
application/x-pkcs7-crl
application/pkix-crl

I know about the possibility with the signature tool for custom Application Control or URL Filtering, but this is not an option for the customer.

The question is now: how are other Check Point admins doing the filtering for this? Is there any feature available for CRL filtering from Check Point that I don't know about? Maybe the above could be added in a future release; I have seen that other firewall vendors are doing the same as above.

Thanks,
Peter

the transceiver serial number

Hi, I'm looking to see if I can remotely check the transceiver serial number. The following models are owned:
CPAC-4-10F
CPAC-TR-10SR

Does NGFW have a command similar to Cisco's show inventory command? e.g. https://community.cisco.com/t5/switching/how-to-show-module-and-sfp-information-include-hardware-serial/td-p/2406437

Regards,
hazyman
hazyman inside Access Control Products Sunday
views 67 2

dst NAT from inside

Good day! We need to write a NAT rule so that requests from the internal network to the external address and port of the Check Point are processed in the same way as requests from the outside when using dst NAT.

SIP Traffic is not working in R80.20

Hi Team,

Setup is VoIP phones connected to a switch, and the switch is then connected to the firewall. VoIP phones are able to make calls only when connected to the VoIP server over the internet.

1. Customer upgraded the firewall from R77.30 to R80.20.
2. In R77.30, the firewall rule base is like:
--> Network_A Any Any Accept
We can say the VoIP network is Network_A, which is Hide NAT (behind gateway).
And in the Application rule base it is:
--> Network_A Internet [SIP Communicator, SDP over SIP, SIP messaging, SIP Protocol, Network Protocols Category] Accept
SIP traffic is working fine with the R77.30 version.
3. But the same is not working in R80.20 and we are getting the errors below:
--> fw ctl zdebug shows the multicast IP 224.0.1.75:
@;78481;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=17 :5060 -> 224.0.1.75:5060 dropped by fw_first_packet_outbound_init Reason: failed to get outbound interface;
--> tcpdump shows, for example (source IP is 10.10.10.10):
arp who has <10.10.10.20 -- internal ip> address tell 10.10.10.10
--> But in the Logs and Monitoring view, the SIP traffic is getting dropped with the message: Missing OS Route

Kindly let me know how we can resolve this issue.
Allen_Fambro
inside Access Control Products Thursday
views 88 3
Employee

Is it possible to change an interface MAC address??

Hello, is it possible to change the physical MAC address of an interface on the gateway (Gaia R80.30, 3200 appliance)? I'm troubleshooting a DHCP-assigned IP address for the interface and want to change the MAC to prove the issue is on the DHCP server. I know I could just use a different interface as well, but that only changes the last digit of the MAC; I'd like to use a totally different MAC. I tried changing it as below but it doesn't seem to stick. Any assistance would be greatly appreciated. Thanks.
Mike_Jensen
Mike_Jensen inside Access Control Products Thursday
views 64 1

Bad IpToCountry.csv file from Check Point

Hello,

My organization uses Geo Policy on all of our security gateways. Last week we ran into a serious issue with Geo Policy blocking all United States traffic, even though we were allowing United States traffic to and from. Other security gateways that had specific countries blocked, such as Russia and China, were allowing those countries in.

After a couple of hours of working with Check Point TAC it was determined that Check Point had sent out an IpToCountry.csv where the United States was accidentally deleted. This took all of our branch offices offline and required personnel to physically travel to each branch office, perform a fw unloadlocal, and then install policy from the SMS with the applicable Geo Policy set to inactive.

The IPs from Russia, China, etc. that were getting past Geo Policy were found to not be in the bad IpToCountry.csv.

Check Point TAC further described that the IpToCountry.csv file is hosted on many CDNs and it would take some time for the bad file to propagate out of the network and be replaced with the known good one. Presumably all customers using Geo Policy were affected by this.

My question is: have any of you experienced issues with Geo Policy last week as described above? I am having a hard time understanding why this seemed to be a rare issue with my organization. I am under the assumption that many organizations use Geo Policy and there would have been widespread outages due to this, prompting an alert from Check Point to be sent out via e-mail. Do not that many companies use Geo Policy?
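A geo database that silently loses a country makes every address from that country resolve to no country at all, which is the failure the post describes (and it explains why addresses that are simply absent from the file slip past country-based blocks). A cheap guard is to sanity-check each new file against a handful of known addresses before a gateway trusts it. The block below is an added example, not Check Point code and not the real IpToCountry.csv: it assumes the Webnet77-style column layout (IP_FROM, IP_TO, REGISTRY, ASSIGNED, CTRY, CNTRY, COUNTRY with 32-bit integer bounds), which is an assumption about the file, and the ranges in the constructed sample are illustrative, not real allocations.

```python
import bisect
import csv
import io
import ipaddress

# Constructed sample in the assumed Webnet77-style IpToCountry layout
# (IP_FROM, IP_TO, REGISTRY, ASSIGNED, CTRY, CNTRY, COUNTRY). The ranges
# are illustrative only, not real allocations.
GOOD_CSV = """# IP-to-country sample (constructed)
"16777216","16777471","apnic","1313020800","AU","AUS","Australia"
"83886080","83951615","ripencc","1279843200","RU","RUS","Russian Federation"
"134217728","150994943","arin","1279843200","US","USA","United States"
"""

# The same file with the United States rows missing, as the post describes.
BAD_CSV = "\n".join(line for line in GOOD_CSV.splitlines() if '"US"' not in line) + "\n"


class GeoTable:
    """Sorted IPv4 ranges with a country code per range."""

    def __init__(self, text: str):
        self.ranges = []                      # (lo, hi, country_code)
        for row in csv.reader(io.StringIO(text)):
            if not row or row[0].startswith("#"):
                continue
            lo, hi, cc = int(row[0]), int(row[1]), row[4].strip()
            if lo > hi:
                raise ValueError(f"range {lo}-{hi} is reversed")
            self.ranges.append((lo, hi, cc))
        self.ranges.sort()
        self.starts = [lo for lo, _, _ in self.ranges]   # for bisect lookups

    def lookup(self, ip: str):
        """Country code for an address, or None when no range covers it."""
        n = int(ipaddress.IPv4Address(ip))
        i = bisect.bisect_right(self.starts, n) - 1
        if i >= 0 and self.ranges[i][0] <= n <= self.ranges[i][1]:
            return self.ranges[i][2]
        return None

    def countries(self) -> set:
        return {cc for _, _, cc in self.ranges}


def sanity_check(table: GeoTable, required: set, expectations: dict) -> list:
    """Return a list of problems; an empty list means the table passed.

    required: country codes that must have at least one range.
    expectations: {ip: country_code_or_None} samples that must resolve as given.
    """
    problems = []
    for cc in sorted(required - table.countries()):
        problems.append(f"country {cc} has no ranges at all")
    for ip, want in expectations.items():
        got = table.lookup(ip)
        if got != want:
            problems.append(f"{ip}: expected {want}, got {got}")
    for (lo1, hi1, cc1), (lo2, hi2, cc2) in zip(table.ranges, table.ranges[1:]):
        if lo2 <= hi1:                        # overlapping ranges make lookups ambiguous
            problems.append(f"overlap between {cc1} {lo1}-{hi1} and {cc2} {lo2}-{hi2}")
    return problems


# Known-answer samples for the constructed table (assumption of this example).
REQUIRED = {"US", "RU", "AU"}
EXPECTED = {"8.8.8.8": "US", "5.0.1.1": "RU", "1.0.0.1": "AU", "10.0.0.1": None}

if __name__ == "__main__":
    for label, text in (("good", GOOD_CSV), ("bad", BAD_CSV)):
        print(label, sanity_check(GeoTable(text), REQUIRED, EXPECTED) or "OK")
```

In practice the required set would be every country the policy references and the expectations a few addresses you own or routinely see, so that a truncated update fails the check before it reaches a gateway rather than after.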
Dave
Dave inside Access Control Products Thursday
views 315 9

Identity awareness access group problem

Hi,

We have Identity Awareness implemented for a lot of stuff, but it seems now that it got broken for one specific access rule. RDP access to certain servers is controlled via IA, and the access role is configured with a specific AD group, for which users in this group have access.

All of a sudden, it stopped working and users cannot RDP to these servers anymore. The weird thing is that it was perfectly working before. When basic troubleshooting this and removing the group access but adding the users separately, this works again and RDP is working fine again.

I'm fairly new to Checkpoint firewalls, so any guidance on how to pinpoint what the exact problem is would be highly appreciated.

Thanks!
Krishna
Krishna inside Access Control Products a week ago
views 339 3

Post-Encrypt traffic is not visible in Fw monitor. Other end FW is not receiving traffic sent by me

Below are the logs collected from the primary gateway of my firewall. In "O" the source IP is getting NATed to the NAT IP, and then pre-encrypt is shown, but the post-encrypt packet is not received. The other-end firewall is not observing any traffic.

[vs_0][fw_2] eth1:i[60]: 10.140.96.6 -> 10.232.144.14 (TCP) len=60 id=42611
TCP: 40768 -> 515 .S.... seq=24587d9c ack=00000000
[vs_0][fw_2] eth1:I[60]: 10.140.96.6 -> 10.232.144.14 (TCP) len=60 id=42611
TCP: 40768 -> 515 .S.... seq=24587d9c ack=00000000
[vs_0][fw_2] eth0:o[60]: 10.140.96.6 -> 10.232.144.14 (TCP) len=60 id=42611
TCP: 40768 -> 515 .S.... seq=24587d9c ack=00000000
[vs_0][fw_2] eth0:O[60]: 10.40.112.6 -> 10.232.144.14 (TCP) len=60 id=42611
TCP: 40768 -> 515 .S.... seq=24587d9c ack=00000000
[vs_0][fw_2] eth0:e[60]: 10.40.112.6 -> 10.232.144.14 (TCP) len=60 id=42611
TCP: 40768 -> 515 .S.... seq=24587d9c ack=00000000
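When an fw monitor capture is busy, the useful question is "at which inspection point does this packet stop appearing, and where did its addresses change?" The following is an added example, not code from the post or from Check Point: it parses the records the poster pasted (split one record per line), groups them by IP id, and reports the inspection-point path, the NAT transition and the last point at which the packet was seen. It makes no claim about what each position letter means beyond the poster's own reading; the regular expressions match only the line shape shown in the post and are an assumption of this example.

```python
import re

# The records from the post, one record per line.
FW_MONITOR_OUTPUT = """\
[vs_0][fw_2] eth1:i[60]: 10.140.96.6 -> 10.232.144.14 (TCP) len=60 id=42611
TCP: 40768 -> 515 .S.... seq=24587d9c ack=00000000
[vs_0][fw_2] eth1:I[60]: 10.140.96.6 -> 10.232.144.14 (TCP) len=60 id=42611
TCP: 40768 -> 515 .S.... seq=24587d9c ack=00000000
[vs_0][fw_2] eth0:o[60]: 10.140.96.6 -> 10.232.144.14 (TCP) len=60 id=42611
TCP: 40768 -> 515 .S.... seq=24587d9c ack=00000000
[vs_0][fw_2] eth0:O[60]: 10.40.112.6 -> 10.232.144.14 (TCP) len=60 id=42611
TCP: 40768 -> 515 .S.... seq=24587d9c ack=00000000
[vs_0][fw_2] eth0:e[60]: 10.40.112.6 -> 10.232.144.14 (TCP) len=60 id=42611
TCP: 40768 -> 515 .S.... seq=24587d9c ack=00000000
"""

# Line shapes as they appear in the post (assumption: other fw monitor output
# formats, e.g. with -p all or different VS/instance tags, may differ).
HEADER = re.compile(
    r"^\[vs_(?P<vs>\d+)\]\[fw_(?P<inst>\d+)\]\s+(?P<iface>\S+?):(?P<pos>[A-Za-z])\[\d+\]:\s+"
    r"(?P<src>\S+) -> (?P<dst>\S+) \((?P<proto>\w+)\) len=(?P<len>\d+) id=(?P<id>\d+)"
)
PORTS = re.compile(r"^(?P<proto>\w+):\s+(?P<sport>\d+) -> (?P<dport>\d+)")


def parse_fw_monitor(text: str) -> dict:
    """Group records by IP id; each hop is a dict with iface, pos, src, dst, proto, sport, dport."""
    packets = {}
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {k: m.group(k) for k in ("iface", "pos", "src", "dst", "proto")}
            current["sport"] = current["dport"] = None
            packets.setdefault(int(m.group("id")), []).append(current)
            continue
        p = PORTS.match(line)
        if p and current is not None:          # port line belongs to the preceding header
            current["sport"], current["dport"] = int(p.group("sport")), int(p.group("dport"))
    return packets


def positions(hops: list) -> str:
    """Inspection points the packet was seen at, in capture order, e.g. 'iIoOe'."""
    return "".join(h["pos"] for h in hops)


def nat_changes(hops: list) -> list:
    """(position, old_src, new_src) for every hop where the source address changed."""
    changes = []
    for prev, cur in zip(hops, hops[1:]):
        if prev["src"] != cur["src"]:
            changes.append((cur["pos"], prev["src"], cur["src"]))
    return changes


def last_hop(hops: list) -> tuple:
    """Interface and inspection point of the last record for this packet."""
    return hops[-1]["iface"], hops[-1]["pos"]


if __name__ == "__main__":
    for pkt_id, hops in parse_fw_monitor(FW_MONITOR_OUTPUT).items():
        print(f"id={pkt_id} path={positions(hops)} nat={nat_changes(hops)} last={last_hop(hops)}")
```

Run against a longer capture, a packet whose path ends earlier than its neighbours' is the one to chase; the NAT transition tells you which address the far end would have to match on.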
Lijo_mathai
Lijo_mathai inside Access Control Products 2 weeks ago
views 85 3

Unable to update threat prevention

Hi, after we upgraded the gateways from R77 to R80.10 I am unable to update the Threat Prevention database. On checking I can see that the subscription status is not reflected on the gateways. So far I have only enabled the blades, and no rules exist for this. Has anyone encountered a similar issue? I have valid licenses for all the blades, and all my gateways are able to reach updates.checkpoint.com. Are there any settings I am missing?
PhoneBoy
inside Access Control Products 2 weeks ago
views 86 1 1
Admin

Inline Layer Policy Best Practice

A short document explaining Inline Layers by Josephil Chan.
PhoneBoy
inside Access Control Products 2 weeks ago
views 103 3 1
Admin

Implementing Non-FQDN Domain Objects

Author: @Michael_Behum, Security Engineer
12/31/2018

This whitepaper will explain how to properly implement legacy domain objects for wildcard network objects compared to FQDN. The disadvantage to the legacy model is DNS queries on each rule hit and the lack of acceleration on traffic in pre-R80.10 gateway code. These objects can be very helpful when you need to have large amounts of cloud traffic sites or dynamic DNS subdomain names where FQDN is not possible. Implementing legacy domain objects incorrectly can cause network outages due to high load on the gateway or DNS server.

Use Case: Inbound wildcard objects

Create a new domain object via New -> Other -> Domain. Name the object with a '.' at the beginning, this meaning *.domain.com. This example would be *.aws.com. Make sure FQDN is not check-boxed in this scenario.

Create three new rules above the existing cleanup rule. The top will be a new cleanup rule and will be hit frequently. This rule will be key in protecting the gateway and DNS servers from being overloaded. The next rule is an exception for the destination IPs or ports, depending on how often the domain object is being hit. The third rule will be the actual domain rule. Create a new group for source IPs that need to use the domain objects and another group for destination exceptions. Set the rules as follows:

Rule 1 – Negated source of the new group needing domain access.
Rule 2 – Source of the domain access group and destination of the new exceptions group.
Rule 3 – Source of the domain access group and destination of the domain objects.
PhoneBoy
inside Access Control Products 2 weeks ago
views 65 1
Admin

Utilizing GeoProtection and Updatable Objects Within the R80.20 Rulebase

Whitepaper from @Luke_Ellwood

Use Case: Customer wants to allow access to cloud-based Microsoft services regardless of location but wants to block other traffic to non-domestic sources.

References: sk131852

Click the '+' button under the Source/Destination column, choose import 'Updatable Objects', and then choose the relevant Office 365 Service from the Office 365 Services section. You can also choose the relevant countries.
Vladimir
Vladimir inside Access Control Products 2 weeks ago
views 7718 11 7

How to deal with DNS over HTTPS, DNS over TLS, QUIC and PSOM?

There is now a concerted move on the part of multiple service providers to offer DNS over HTTPS. Browser vendors are doing it to differentiate their services, supposedly addressing privacy issues (i.e. Google LOL), and now there is an offering of vendor-independent DNS over HTTPS from Cloudflare that can be found at https://1.1.1.1/

Since not everyone is running HTTPS inspection on their gateways or proxies, the probability of evasion for categorized traffic is increasing. Furthermore, presently the DNS group in services is limited to conventional DNS over UDP and DNS over TCP, so even if we are to inspect the HTTPS traffic, there are no guarantees that we can recognize and act on its DNS payload.

I would like to hear your thoughts on this subject as well as on inspection of the proprietary protocols such as QUIC and PSOM.
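To act on a DoH payload after decryption, an inspector has to recognise the request shape from RFC 8484 (a GET with a `dns=` parameter carrying an unpadded base64url DNS message, or a POST with Content-Type application/dns-message) and then parse the ordinary DNS wire format inside it. The block below is an added example, not code from the post or from any vendor: it builds the RFC 8484 example query for www.example.com, encodes and decodes the `dns` parameter, parses the question section back out, and classifies a request as DoH or not. The `classify_request` helper and its header/query dictionaries are assumptions of this example, standing in for whatever a real proxy exposes.

```python
import base64
import struct

DNS_MESSAGE = "application/dns-message"   # media type defined by RFC 8484


def build_query(name: str, qtype: int = 1, qid: int = 0) -> bytes:
    """DNS wire-format query: 12-byte header, one question, RD set.

    Id 0 is what RFC 8484 recommends for cache-friendly GET requests.
    """
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)      # qclass IN


def encode_doh_get(wire: bytes) -> str:
    """Value of the `dns` query parameter: base64url without padding (RFC 8484 4.1)."""
    return base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")


def decode_doh_get(param: str) -> bytes:
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def parse_question(wire: bytes):
    """(name, qtype, qclass) of the first question, or None if the message is malformed."""
    try:
        qdcount = struct.unpack("!H", wire[4:6])[0]
        if qdcount < 1:
            return None
        labels, pos = [], 12
        while True:
            n = wire[pos]
            pos += 1
            if n == 0:
                break
            if n & 0xC0:                      # compression pointer: not valid in a question name
                return None
            labels.append(wire[pos:pos + n].decode("ascii"))
            pos += n
        qtype, qclass = struct.unpack("!HH", wire[pos:pos + 4])
        return ".".join(labels), qtype, qclass
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def classify_request(method: str, headers: dict, query: dict, body: bytes = b""):
    """Hypothetical inspector hook: the DNS question a DoH request carries, or None.

    headers: HTTP request headers (any case); query: parsed URL query parameters.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if method == "GET" and "dns" in query:
        return parse_question(decode_doh_get(query["dns"]))
    if method == "POST" and h.get("content-type") == DNS_MESSAGE:
        return parse_question(body)
    return None


if __name__ == "__main__":
    wire = build_query("www.example.com")
    param = encode_doh_get(wire)
    print("GET /dns-query?dns=" + param)
    print(classify_request("GET", {"Accept": DNS_MESSAGE}, {"dns": param}))
    print(classify_request("POST", {"Content-Type": DNS_MESSAGE}, {}, wire))
```

The encoded value for www.example.com matches the example in RFC 8484 section 4.1.1, which is a handy known-answer check for any DoH detector: if a decoder cannot reproduce it, it is not parsing the parameter the way clients encode it. Note that a DoH server is free to serve on any path, so matching only `/dns-query` is not a reliable classifier; the parameter and media type are.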