Blason_R
Blason_R inside Endpoint Security Products 38m ago
views 20 1

Can agent exported from one EPM server connect to other?

Hi Folks,

Somehow I believe I need to re-format the existing EPM R77.30.03 server due to hard disk failure, and unfortunately I do not have a backup of that. Now the only option left in front of me is to create a new R80.30/80.20 server and get the new agent.

Wondering if the existing agents deployed on endpoints can be configured so that they can connect to the new EPM server? Or at the max, I do not have any option left but to deploy new agents, but as a last resort if the above can be done?

TIA
Blason R
TheRealDiZ
TheRealDiZ inside Endpoint Security Products yesterday
views 78 3

Upgrade SmartEndPoint from R77.30.03 to R80.20 with migration

Hi guys,

Has anyone already tried to upgrade a SmartEndPoint server from R77.30.03 to R80.20?

In the R80.20 Install & Upgrade guide it is stated: "These instructions equally apply to: • Security Management Server • Endpoint Security Management Server"! Is that true?

Does anyone who has upgraded a SmartEndPoint before have tips or suggestions about it? I'm concerned about, for example:

1. The FDE feature, where the EndPoint keys are stored on the SmartEndPoint Server.. what happens to these keys? Will they be exported via migrate export?
2. Software deployment rules are based on a specific client package that will be pushed to EndPoint clients that match that rule.. When you do an upgrade with migration, will the current packages be exported via migrate export or do I have to upload them manually on the new machine?

Let me know guys.. It will be very very appreciated 😆
Keld_Norman
Keld_Norman inside Remote Access Solutions yesterday
views 1750 5 3

How to get better grades @ SSL Labs Certificate scan

Can anyone here guide me on how to get a better score when I scan my firewall with the SSL Server Test (Powered by Qualys SSL Labs)? Is there a quick guide on how to enable forward secrecy, disable TLS v1.0, 1.1 and weak ciphers etc.?

Best regards
Keld Norman

Thanks for the answers so far - I have collected them all, tested, and gotten better scores. Here is what I did:

########################################################################
HOW TO GET BETTER GRADES IN THE SSLLABS.COM SSL TEST
########################################################################

To get from the B to A I did the following:

Alter the portal to only support TLS 1.2

In my 80.10 SmartConsole: Global Properties -> Advanced Configuration -> Portal Properties: altered minimum version to TLS 1.2

NB: Thanks to Claus Kjær for reminding me of this GUI way of doing things - I was trying to achieve this by altering conf files with vim in expert shell..

Now to enable perfect forward support:

REF: Specific HTTPS sites that use ECDHE ciphers are not accessible when HTTPS Inspection is enabled (sk110883)

A note about the above sk110883:
ECDHE is quite widely used and recommended. It works with elliptical keys and provides forward secrecy. It's used for the key exchange.
ECDSA is not widely used though, but it does also use elliptical keys. It is used for authentication.

I logged on to the firewall via secure shell (I have a standalone installation with the manager and firewall running in a VM) and in expert mode pasted the following 3 lines in:

    [Expert@firewall:0]# ckp_regedit -a SOFTWARE//CheckPoint//FW1 CPTLS_ACCEPT_ECDHE 1
    ckp_regedit -a SOFTWARE//CheckPoint//FW1 CPTLS_PROPOSE_ECDHE 1
    ckp_regedit -a SOFTWARE//CheckPoint//FW1 CPTLS_EC_P384 1

Then a reboot or just a cpstop/start is needed:

    # Run the restart in a child shell under nohup so cpstart still runs if the SSH session drops
    [Expert@firewall:0]# nohup sh -c 'cpstop; cpstart' &

Now the grade went from B to A.

Now to look at the suggested link from Dameon Welch Abernathy:

Remove the weak ciphers related to TLS 1.2
(ref: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk120774)

So basically I just need to alter this in the file: /web/templates/httpd-ssl.conf.templ

ALTER:
    SSLCipherSuite HIGH:!RC4:!LOW:!EXP:!aNULL:!SSLv2:!MD5
TO:
    SSLCipherSuite ECDH:!aNULL:!ECDSA:!aECDH:!eNULL:!MD5:!SHA1

Again secure shell to the system - and in expert mode paste the lines in purple below:

    # Backup the file you want to alter first
    [Expert@firewall:0]# cp /web/templates/httpd-ssl.conf.templ /web/templates/httpd-ssl.conf.templ.backup

    # Oneliner to replace the old line with the new using the SED util.
    sed -i 's/SSLCipherSuite HIGH:!RC4:!LOW:!EXP:!aNULL:!SSLv2:!MD5/SSLCipherSuite ECDH:!aNULL:!ECDSA:!aECDH:!eNULL:!MD5:!SHA1/' /web/templates/httpd-ssl.conf.templ

    # Test if the line was altered:
    grep -i ^SSLCipherSuite /web/templates/httpd-ssl.conf.templ

(it should return: SSLCipherSuite ECDH:!aNULL:!ECDSA:!aECDH:!eNULL:!MD5:!SHA1)

Then reboot the firewall..

    [Expert@firewall:0]# reboot

The Qualys SSL scan still only shows an A - I still have some weak ciphers 😕

To be continued..

1470 - Policy not working

Hi,

I have created two policies in Check Point 1470 but it is not working properly as expected.

The first policy is like:
    Source (new IP group) --- Destination (server ip-121) --- Services (port no.) --- Allow

and the other policy is like:
    Source (any) --- Destination (server ip-121) --- Service (any) --- Block

After this, I am still able to access the server IP from a different IP other than the group IP.

Allow policy
Block policy

According to the above policy no one can access the IP-121 from an unknown IP address, but it is not happening. What could be the issue here?

Please help.
G_W_Albrecht
G_W_Albrecht inside Remote Access Solutions Monday
views 1148 1

No menu bar symbol for Endpoint Security VPN E80.89 Build 986000724 on macOS Mojave 10.14.5 (18F132)

Yesterday, I did install Endpoint Security VPN E80.89 Build 986000724 on macOS Mojave 10.14.5 (18F132). I had an older version installed on an older macOS that had been uninstalled longer ago. After the install, I found an application in the folder, but no icon in the menu bar. Starting the app did not change anything; also, uninstall and re-install did not resolve the issue. But then, when hovering over other icons in the menu bar, I suddenly saw: And when clicking: All further steps ended up successfully - this is not only happening in dark mode, but in both modes. So I am really glad that now we have a new security feature for Mac RA VPN users, the "hidden vpn client" 😎

Blue screen (PFN_LIST_CORRUPT) after E80.94 to E81.10 upgrade Windows 10 1703

Hi,

We've now had two instances where a Windows 10 1703 machine running E80.94 has failed to upgrade correctly to E81.10.

The package appears to deploy and install okay. Upon restart the pre-boot screen shows it is running E81.10 but then the OS loads, gets to the login screen and within a few seconds it blue screens with the error:

PFN_LIST_CORRUPT

For the first machine, a laptop, I created recovery media, stripped off FDE, and then performed a system restore to a previous point. I was then able to uninstall the Endpoint software and am in the process of patching the machine to 1809.

During the removal of Endpoint I observed that it was still running E80.94, which was the version shown on the recovery key, not E81.10. Perhaps this is the reason for the blue screen.

In any case I am about to investigate the second machine and will hopefully have the same workaround.

I can say I have successfully upgraded 150 machines to E81.10, with a further 103 awaiting upgrade from E80.94, so these are small numbers, thankfully.

Howard
Thomas_Bennek
Thomas_Bennek inside Remote Access Solutions Monday
views 729 3 2

SSL Ciphers Mobile Access Portal

Hello everyone,

for the connection to the Mobile Access Portal we want to use strong ciphers and therefore used "vpn_cipher_priority.conf" in R80.10 to allow only secure ciphers.

For example:

    # more /opt/CPshrd-R80/conf/vpn_cipher_priority.conf
    (
        :allowed (
            : (TLS_DHE_RSA_WITH_AES_128_CBC_SHA256)
        )
        :forbidden (
            : (TLS_RSA_WITH_AES_256_CBC_SHA)
            : (TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384)
            : (TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
            : (TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
            : (TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384)
            : (TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384)
            : (TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA)
            : (TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA)
            : (TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA)
            : (TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA)
            : (TLS_SRP_SHA_WITH_AES_256_CBC_SHA)
            : (TLS_DHE_DSS_WITH_AES_256_GCM_SHA384)
            : (TLS_DHE_RSA_WITH_AES_256_GCM_SHA384)
            : (TLS_DHE_DSS_WITH_AES_256_CBC_SHA256)
            : (TLS_DHE_RSA_WITH_AES_256_CBC_SHA)
            : (TLS_DHE_DSS_WITH_AES_256_CBC_SHA)
            : (TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA)
            : (TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA)
            : (TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384)
            : (TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384)
            : (TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384)
            : (TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384)
            : (TLS_ECDH_RSA_WITH_AES_256_CBC_SHA)
            : (TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA)
            : (TLS_RSA_WITH_AES_256_GCM_SHA384)
            : (TLS_RSA_WITH_AES_256_CBC_SHA256)
            : (TLS_RSA_WITH_CAMELLIA_256_CBC_SHA)
            : (TLS_PSK_WITH_AES_256_CBC_SHA)
            : (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
            : (TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
            : (TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256)
            : (TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256)
            : (TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA)
            : (TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA)
            : (TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA)
            : (TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA)
            : (TLS_SRP_SHA_WITH_AES_128_CBC_SHA)
            : (TLS_DHE_DSS_WITH_AES_128_GCM_SHA256)
            : (TLS_DHE_RSA_WITH_AES_128_GCM_SHA256)
            : (TLS_DHE_DSS_WITH_AES_128_CBC_SHA256)
            : (TLS_DHE_RSA_WITH_AES_128_CBC_SHA)
            : (TLS_DHE_DSS_WITH_AES_128_CBC_SHA)
            : (TLS_DHE_RSA_WITH_SEED_CBC_SHA)
            : (TLS_DHE_DSS_WITH_SEED_CBC_SHA)
            : (TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA)
            : (TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA)
            : (TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256)
            : (TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256)
            : (TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256)
            : (TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256)
            : (TLS_ECDH_RSA_WITH_AES_128_CBC_SHA)
            : (TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA)
            : (TLS_RSA_WITH_AES_128_GCM_SHA256)
            : (TLS_RSA_WITH_AES_128_CBC_SHA256)
            : (TLS_RSA_WITH_AES_128_CBC_SHA)
            : (TLS_RSA_WITH_SEED_CBC_SHA)
            : (TLS_RSA_WITH_CAMELLIA_128_CBC_SHA)
            : (TLS_RSA_WITH_IDEA_CBC_SHA)
            : (TLS_PSK_WITH_AES_128_CBC_SHA)
            : (TLS_ECDHE_RSA_WITH_RC4_128_SHA)
            : (TLS_ECDHE_ECDSA_WITH_RC4_128_SHA)
            : (TLS_ECDH_RSA_WITH_RC4_128_SHA)
            : (TLS_ECDH_ECDSA_WITH_RC4_128_SHA)
            : (TLS_RSA_WITH_RC4_128_SHA)
            : (SSL_CK_RC4_128_WITH_MD5)
            : (TLS_PSK_WITH_RC4_128_SHA)
            : (TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA)
            : (TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA)
            : (TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA)
            : (TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA)
            : (TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA)
            : (TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA)
            : (TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA)
            : (TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA)
            : (TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA)
            : (SSL_CK_DES_192_EDE3_CBC_WITH_SHA)
            : (TLS_PSK_WITH_3DES_EDE_CBC_SHA)
            : (TLS_DHE_RSA_WITH_DES_CBC_SHA)
            : (TLS_DHE_DSS_WITH_DES_CBC_SHA)
            : (TLS_RSA_WITH_DES_CBC_SHA)
            : (TLS_RSA_WITH_RC4_128_MD5)
            : (TLS_RSA_WITH_3DES_EDE_CBC_SHA)
            : (TLS_DHE_RSA_WITH_AES_256_CBC_SHA256)
        )
    )

After configuring the priority list, the allowed cipher hasn't worked; the configuration is set to "default" because the one allowed cipher is not supported (shown in vpn debug).

Check Point Support said only ciphers in the following sk are supported, sk108426, but they are all SHA-1 or MD5 ciphers, which are definitely insecure. But opening the Mobile Access Portal with the default list configured uses a strong AES_128_GCM cipher:

The connection to this site is encrypted and authenticated using TLS 1.2 (a strong protocol), ECDHE_RSA with P-256 (a strong key exchange), and AES_128_GCM (a strong cipher).

Answer from Support:

"I understand your disappointment, however if the customer would like to use other ciphers other than TLS RSA, this would require opening an RFE through your local office. Unfortunately at this point I will proceed to close the case since we as support cannot further assist."

Could this really be true, Check Point only supports SHA-1 and MD5 ciphers for Mobile Access Portal? And we need to generate an RFE for changing this?

Support said: <snip> however if the customer would like to use other ciphers other than TLS RSA</snip> but the configured allowed cipher is a TLS RSA cipher: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256

But in the end, if only SHA-1 and MD5 ciphers are supported, why will the default configuration use a cipher which is not supported, because it is not listed in the sk article?

Can anyone help me figure out which strong ciphers are working with the Mobile Access Portal and how I can force it to use only these ciphers? The support seems not to be able to.

Thanks!
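A small parser for the vpn_cipher_priority.conf layout quoted in the post above, added here as an example and not part of the original post or of any Check Point tooling. It lists the allowed suites and splits each IANA-style name into key exchange, authentication, cipher and hash; the function names and the shortened sample file are assumptions made for the example.

```python
import re

# Constructed sample in the vpn_cipher_priority.conf layout quoted in the post:
# the post's single allowed suite plus a handful of its forbidden entries.
SAMPLE_CONF = """(
    :allowed (
        : (TLS_DHE_RSA_WITH_AES_128_CBC_SHA256)
    )
    :forbidden (
        : (TLS_RSA_WITH_AES_256_CBC_SHA)
        : (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
        : (TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA)
        : (SSL_CK_RC4_128_WITH_MD5)
    )
)"""

# A section marker (:allowed / :forbidden) or one ": (SUITE_NAME)" entry.
TOKEN_RE = re.compile(r":(allowed|forbidden)\b|:\s*\(\s*([A-Za-z0-9_]+)\s*\)")
# IANA-style name: TLS_<key exchange[_authentication]>_WITH_<cipher>_<hash>
SUITE_RE = re.compile(r"TLS_(.+?)_WITH_(.+)_(SHA(?:256|384)?|MD5)")


def parse_priority_conf(text):
    """Return {'allowed': [...], 'forbidden': [...]} in file order."""
    sections = {"allowed": [], "forbidden": []}
    current = None
    for match in TOKEN_RE.finditer(text):
        if match.group(1):
            current = match.group(1)
        elif current is not None:
            sections[current].append(match.group(2))
    return sections


def classify(name):
    """Split a suite name into its components; None for names that do not
    follow the TLS_..._WITH_... pattern (e.g. SSLv2-style SSL_CK_* entries)."""
    match = SUITE_RE.fullmatch(name)
    if match is None:
        return None
    kx_auth, cipher, digest = match.groups()
    if kx_auth.startswith("SRP_SHA"):
        kx, auth = "SRP", kx_auth[len("SRP_SHA_"):] or "SRP"
    else:
        kx, _, auth = kx_auth.partition("_")
        auth = auth or kx  # TLS_RSA_WITH_*: RSA does both jobs
    return {
        "kx": kx,
        "auth": auth,
        "cipher": cipher,
        "hash": digest,  # HMAC hash for CBC/RC4 suites, PRF hash for GCM suites
        "forward_secrecy": kx in ("DHE", "ECDHE"),
        "aead": cipher.endswith("GCM"),
    }


def summarize(text):
    """Map every allowed suite to its classification."""
    return {name: classify(name) for name in parse_priority_conf(text)["allowed"]}


if __name__ == "__main__":
    for suite, info in summarize(SAMPLE_CONF).items():
        print(suite, info)
```

The tokenizer also accepts the file when it is written on a single line, as it appeared in the forum post.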

Endpoint VPN and auto connect before Windows 10 Login Prompt...

Hello, Is there any way to force the Endpoint VPN to prompt for credentials and connect prior to the Windows Login prompt (either via boot-up or returning from sleep / standby mode). This is available on Windows 7 machines however I haven't seen an equivalent feature for Windows 10. I know with location awareness and auto connect you can force the client to prompt the user to authenticate and connect, etc... however the client doesn't prompt the user to connect until they are already logged into Windows and the user can just keep cancelling the prompt and continue to use the laptop without the VPN being connected. Ultimately my customer is trying to ensure that when a user takes their laptop home and boots up / open the lid they are forced to connect to the VPN before they can do anything else (Unlock the laptop, etc...). Even on Windows 7 machines when we were able to get the VPN client to prompt the user to connect before the Windows Login prompt, the user could still simply click cancel and proceed to windows without forcing the VPN. Any help would be appreciated. Thanks.

Sandblast IE Plugin support for Enhanced Protected Mode

Hi Community,

we noticed that the Sandblast browser plugin for IE is incompatible with the Enhanced Protected Mode from Internet Explorer.

Is there anybody from the product team or similar who can explain why this plugin is incompatible and when the plugin is planned to be certified? The EPM mode from IE got a few nice security features we would miss by deactivating it.

I guess Microsoft does a plugin verification like all the other vendors, and for EPM mode the plugin needs to implement all the requirements - which are these and why aren't they implemented yet?

I'm thankful for any thoughts on this.

The problem is described in SK154912, but I don't think this is a permanent solution, more a workaround.

Best Regards
Johannes
foxcon
foxcon inside Endpoint Security Products Saturday
views 84 1

Error during installation of Checkpoint E80.92

Dear Community,

I'm deploying over 4000 CheckPoint clients in our infrastructure and over 95 % were installed successfully.

On some machines I got the following error:

Error 1935. An error occurred during the installation of assembly 'Microsoft.VC80.ATL,type="win32",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86'. Please refer to Help and Support for more information. HRESULT: 0x8007054F.

All machines in our infrastructure are Windows 7 x64 or Windows 10 1809. If I deploy it via SCCM or install it via cmd with ADM privileges, the same result. I have attached a log file. If I check the logfile, it says I should have a look in the %windir%\logs\cbs folder but I can't find anything which helps me.

Thank you very much!
Ankit
Ankit inside Endpoint Security Products Saturday
views 75 2

Sandblast forensic report generation through smart endpoint console

Hello Team,

We are facing an issue while generating a forensic report through the smart endpoint console. We are able to view the detailed forensic report through the sandblast agent when clicking on the incident ID. Below is the forensic report we captured from the agent. We need to generate the same through the smart console.
Heng_Eng
Heng_Eng inside Endpoint Security Products Friday
views 1172 5

Connectivity with the Check Point Endpoint Security service is lost

I have just installed Endpoint Security VPN E80.90 Build 986100112. After rebooting, all I get is:

Connectivity with the Check Point Endpoint Security service is lost.

Clicking any button, e.g. Disconnect or VPN Options, will simply produce the same error message: Connectivity with the Check Point Endpoint Security service is lost.

I checked and both the Check Point Endpoint Client Watchdog service and the Check Point Endpoint Security VPN service are running.

What can I do? I am totally lost. I have to connect to a client's site urgently to investigate an issue.

Thanks.
Kevin_Vargo
Kevin_Vargo inside Remote Access Solutions Thursday
views 1296 10

Win10 v80.85 endpoint patching VPN connection lost July updates?

Hi - this morning dozens of folks were unable to connect to VPN after powering up their machines; receiving a "Connectivity with the VPN service is lost". While not confirmed, we believe this is due to a Windows patch. After several hours of troubleshooting we resolved by installing v81.10 but still have no idea what caused this specifically. I was referred to sk158032, but would really like to know what happened for reference. If anyone has thoughts on this that'd be great.

All I can say is that I had KB890830 (from June 2019) installed on July 1st and after rebooting (now a week later) I was not able to connect. Repeatedly I saw the service control manager restarting the CP service. Below is a snippet of my helpdesk log where I rebooted the PC at 10:24:50 or so. Thank you.

    [10 Jul 9:31:32] Disconnect initiated by user
    [10 Jul 9:31:32] Client state is connected
    [10 Jul 9:31:33] State connected. User chose to disconnect. Cancelling connection.
    [10 Jul 9:31:43] Connect initiated by user
    [10 Jul 9:31:43] Client state is idle
    [10 Jul 9:31:43] User pressed connect
    [10 Jul 9:31:43] Creating primary conn flow to CLUSTER
    [10 Jul 9:31:43] Transport is auto detect
    [10 Jul 9:31:43] No need to upgrade client, client version is 986008506
    [10 Jul 9:31:43] Starting new connection (3)
    [10 Jul 9:31:43] Client state is connecting
    [10 Jul 9:31:43] Policy changed, restarting connection (3)
    [10 Jul 9:31:44] Sent ClientHello
    [10 Jul 9:31:44] No need to upgrade client, client version is 986008506
    [10 Jul 9:31:44] Starting new connection (3)
    [10 Jul 9:31:46] Topology download in progress
    [10 Jul 9:31:46] No need to upgrade client, client version is 986008506
    [10 Jul 9:31:46] no need executing firewall step
    [10 Jul 9:31:46] Office mode IP was set successfully
    [10 Jul 9:31:48] OM started successfully with IP = 10.245.74.1.
    [10 Jul 9:31:48] Client state is connecting
    [10 Jul 9:31:48] Connection was successfully established (3)
    [10 Jul 10:22:31] Disconnect initiated by user
    [10 Jul 10:22:31] Client state is connected
    [10 Jul 10:22:32] State connected. User chose to disconnect. Cancelling connection.
    [10 Jul 10:22:49] Console/remote connect has occurred. Ignoring
    [10 Jul 10:22:53] Logoff has occurred
    [10 Jul 10:22:54] Client state is idle
    [10 Jul 10:22:54] Session logoff while idle.
    [10 Jul 10:22:54] Client state is idle
    [10 Jul 10:22:54] Session logoff while idle.
    [10 Jul 10:22:58] Client state is idle
    [10 Jul 10:22:58] received system suspend or session lock, state is idle. no action
    [10 Jul 10:22:58] Client state is idle
    [10 Jul 10:22:58] received system suspend or session lock, state is idle. no action
    [10 Jul 10:23:09] Console/remote disconnect has occurred. Disconnecting
    [10 Jul 10:23:14] Console/remote disconnect has occurred. Disconnecting
    [10 Jul 10:23:14] Console/remote connect has occurred. Ignoring
    [10 Jul 10:23:54] Client state is idle
    [10 Jul 10:23:54] System resume, state is idle. always connect is on. Connecting
    [10 Jul 10:23:54] Always connect scheduled to start in 60 seconds
    [10 Jul 10:23:54] Client state is idle
    [10 Jul 10:23:54] System resume, state is idle. always connect is on. Connecting
    [10 Jul 10:23:54] Always connect scheduled to start in 60 seconds
    [10 Jul 10:23:56] Console/remote disconnect has occurred. Disconnecting
    [10 Jul 10:23:58] Client state is idle
    [10 Jul 10:23:58] Session logoff while idle.
    [10 Jul 10:23:58] Client state is idle
    [10 Jul 10:23:58] Session logoff while idle.
    [10 Jul 10:23:58] Console/remote connect has occurred. Ignoring
    [10 Jul 10:24:46] Client state is idle
    [10 Jul 10:24:46] received network OUT event while state is idle. no action
    [10 Jul 10:26:18] Service was started
    [10 Jul 10:26:38] Service was started
    [10 Jul 10:26:39] Service was started
    [10 Jul 10:26:40] Service was started
    [10 Jul 10:26:40] Service was started
    [10 Jul 10:26:41] Service was started
    [10 Jul 10:26:42] Service was started
    [10 Jul 10:26:43] Service was started
    [10 Jul 10:26:43] Service was started
    [10 Jul 10:26:44] Service was started
    [10 Jul 10:26:44] Service was started
    [10 Jul 10:26:46] Service was started
    [10 Jul 10:26:48] Service was started
    ETC......
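One way to flag the restart loop visible at the end of the log above across many client logs, added here as an example that is not part of the original post: it groups "Service was started" entries whose gaps stay under a threshold. The year (absent from the log lines), the 30-second gap, the three-start minimum and the function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Log lines in the format quoted in the post; the first entry is constructed
# to represent an ordinary single service start that must not be flagged.
SAMPLE_LOG = [
    "[9 Jul 8:00:01] Service was started",  # constructed line
    "[10 Jul 9:31:48] Connection was successfully established (3)",
    "[10 Jul 10:24:46] received network OUT event while state is idle. no action",
    "[10 Jul 10:26:18] Service was started",
    "[10 Jul 10:26:38] Service was started",
    "[10 Jul 10:26:39] Service was started",
    "[10 Jul 10:26:40] Service was started",
    "[10 Jul 10:26:40] Service was started",
    "[10 Jul 10:26:41] Service was started",
]

LINE_RE = re.compile(r"^\[(\d{1,2} \w{3} \d{1,2}:\d{2}:\d{2})\] (.*)$")
START_MSG = "Service was started"


def parse_log(lines, year=2019):
    """Return (timestamp, message) tuples; the log carries no year, so it is
    supplied by the caller (assumed 2019 here)."""
    events = []
    for line in lines:
        match = LINE_RE.match(line.strip())
        if match is None:
            continue  # skip anything that is not a timestamped entry
        stamp = datetime.strptime(f"{year} {match.group(1)}", "%Y %d %b %H:%M:%S")
        events.append((stamp, match.group(2)))
    return events


def restart_bursts(events, max_gap=timedelta(seconds=30), min_starts=3):
    """Group consecutive service starts separated by at most max_gap and
    return (first, last, count) for every group with at least min_starts."""
    bursts, current = [], []

    def flush():
        if len(current) >= min_starts:
            bursts.append((current[0], current[-1], len(current)))

    for stamp, message in events:
        if message != START_MSG:
            continue
        if current and stamp - current[-1] > max_gap:
            flush()
            current.clear()
        current.append(stamp)
    flush()
    return bursts


if __name__ == "__main__":
    for first, last, count in restart_bursts(parse_log(SAMPLE_LOG)):
        print(f"{count} service starts between {first} and {last}")
```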
Jason_Dance
Jason_Dance inside Endpoint Security Products Wednesday
views 219 1 1

Policy Server

Hi Community!

I'm currently on R80 for management, and R77.30.03 for Endpoint management. EPM is its own separate management/endpoint management server, and won't be associated with my R80 management until CP are able to release a supportable version on the R80 train with the latest feature set.

Is there a solution for specifying a NAT/external IP on the R77.30.03 Endpoint management server without needing to establish SIC or a separate log server acting as a Policy Server in the DMZ?

Regards,
Jason
David_Spencer
David_Spencer inside Remote Access Solutions Wednesday
views 256 11

Mobile VPN for Windows Multiple Authentication options

Currently we have the Checkpoint Mobile for Windows deployed, utilizing username+password with LDAP for login.

I'm wanting to implement 2FA, but with a staggered approach (start out with a small set of users).

I know that multiple authentication options are possible as per sk111583, however I'm a bit confused on the implementation.

Based on AD memberships I want one set of users to be on LDAP, and another set to be utilizing RADIUS (which will accept LDAP credentials, then go off to our 2FA server and do a push notification/PIN to cell, likely using DUO). I'm not sure if I can force the users into certain authentication types based off of LDAP roles, or if the options are presented on the client. Any information on implementing this will be helpful.