checklock
checklock inside General Management Topics 10m ago
views 42 3 1

Blocking list of domain names (FQDN) with R80.10

I want to block a list of domain names (example.com, google.com, customurl1.com, customurl2.com, customurl3.com, and so forth) using Checkpoint Firewall R80.10. This has proven challenging, though. I want to block the domain names from being resolved at the DNS level, even if it has no IP address assigned to it yet.

The two options appear to be to use:
- Application Control & URL Filtering
- Block domains using Domain Objects

Is there a clear-cut solution to perform what I am trying to achieve? Documentation has left me feeling unclear. I want to know what the proper approach for doing this is.
edd080
edd080 inside General Management Topics 3 hours ago
views 1441 9 4

Checkpoint endpoint VPN with Microsoft 2-Factor Authentication.

Good day to all, we currently have our Checkpoint endpoint VPN authentication which uses username, password and DynamicID, which sends an SMS to the user in order to complete the logon. We would like to change the DynamicID portion to Microsoft's two-factor authentication. I am aware that a RADIUS server is needed for this; however, is there an SK or guide which can help us out on how Checkpoint can be configured for this?

Thanks in advance.
BorisS
BorisS inside General Management Topics 4 hours ago
views 39 2

Gateway version change in SmartConsole R80

Hi! I am doing an upgrade of R77.30 to R80.20, management server and 2 boxes in ClusterXL (OpenServer all of them). The upgrade itself went OK, but I am now facing a problem with changing the gateway version inside the SmartConsole: When I click the "Get" button the menu changes to the correct version (R80.20), but I am then unable to save the changes. I am presented with 2 error windows: Because of this it is impossible to apply the policy... I have researched the problem, but have not been able to find a solution or more information about the error. Any help would be appreciated!
Blason_R
Blason_R inside General Management Topics 8 hours ago
views 54 4

Can we upgrade R80.20 M2 to r80.30?

Hi Folks,

Wondering if an upgrade from R80.20 M2 to R80.30 is possible? I tried upgrading mine and it failed twice. The second time the CPD service was not coming up, hence I'm wondering if this upgrade path is available at all?
lucafabbri365
lucafabbri365 inside General Management Topics 9 hours ago
views 28 1 1

ws_mux errors in /var/log/messages

Hello,

we have R80.20 version in production: two physical Security Gateway nodes in cluster (Open Server) and one virtual Management. I noticed /var/log/messages contains these entries:

May 21 09:10:29 2019 kernel: [fw4_4];ws_mux_perform_fastpath: ERROR: Fastpath handler failed.
May 21 09:10:29 2019 kernel: [fw4_4];ws_mux_body_fastpath: ERROR: Failed to perform fastpath.
May 21 09:10:30 2019 kernel: [fw4_3];ws_mux_body_fastpath_av: ERROR: Failed to run AV filter. Destroying filter.
May 21 09:10:30 2019 kernel: [fw4_3];ws_mux_perform_fastpath: ERROR: Fastpath handler failed.
May 21 09:10:30 2019 kernel: [fw4_3];ws_mux_body_fastpath: ERROR: Failed to perform fastpath.
May 21 09:11:00 2019 kernel: [fw4_2];ws_mux_body_fastpath_av: ERROR: Failed to run AV filter. Destroying filter.
May 21 09:11:00 2019 kernel: [fw4_2];ws_mux_perform_fastpath: ERROR: Fastpath handler failed.
May 21 09:11:00 2019 kernel: [fw4_2];ws_mux_body_fastpath: ERROR: Failed to perform fastpath.
May 21 09:11:21 2019 kernel: [fw4_1];ws_mux_body_fastpath_av: ERROR: Failed to run AV filter. Destroying filter.
May 21 09:11:21 2019 kernel: [fw4_1];ws_mux_perform_fastpath: ERROR: Fastpath handler failed.
May 21 09:11:21 2019 kernel: [fw4_1];ws_mux_body_fastpath: ERROR: Failed to perform fastpath.
May 21 09:11:39 2019 kernel: [fw4_3];ws_mux_body_fastpath_av: ERROR: Failed to run AV filter. Destroying filter.
May 21 09:11:39 2019 kernel: [fw4_3];ws_mux_perform_fastpath: ERROR: Fastpath handler failed.
May 21 09:11:39 2019 kernel: [fw4_3];ws_mux_body_fastpath: ERROR: Failed to perform fastpath.
May 21 09:11:48 2019 kernel: [fw4_3];ws_mux_body_fastpath_av: ERROR: Failed to run AV filter. Destroying filter.
May 21 09:11:48 2019 kernel: [fw4_3];ws_mux_perform_fastpath: ERROR: Fastpath handler failed.
May 21 09:11:48 2019 kernel: [fw4_3];ws_mux_body_fastpath: ERROR: Failed to perform fastpath.
May 21 09:12:11 2019 kernel: [fw4_2];ws_mux_body_fastpath_av: ERROR: Failed to run AV filter. Destroying filter.
May 21 09:12:11 2019 kernel: [fw4_2];ws_mux_perform_fastpath: ERROR: Fastpath handler failed.
May 21 09:12:11 2019 kernel: [fw4_2];ws_mux_body_fastpath: ERROR: Failed to perform fastpath.
May 21 09:13:28 2019 kernel: [fw4_0];ws_mux_body_fastpath_av: ERROR: Failed to run AV filter. Destroying filter.
May 21 09:13:28 2019 kernel: [fw4_0];ws_mux_perform_fastpath: ERROR: Fastpath handler failed.
May 21 09:13:28 2019 kernel: [fw4_0];ws_mux_body_fastpath: ERROR: Failed to perform fastpath.
May 21 09:13:33 2019 kernel: [fw4_1];CLUS-120200-1: Starting CUL mode because CPU usage (82%) on the local member increased above the configured threshold (80%).
May 21 09:13:37 2019 kernel: [fw4_2];ws_mux_body_fastpath_av: ERROR: Failed to run AV filter. Destroying filter.
May 21 09:13:37 2019 kernel: [fw4_2];ws_mux_perform_fastpath: ERROR: Fastpath handler failed.
May 21 09:13:37 2019 kernel: [fw4_2];ws_mux_body_fastpath: ERROR: Failed to perform fastpath.
May 21 09:14:06 2019 kernel: [fw4_5];ws_mux_body_fastpath_av: ERROR: Failed to run AV filter. Destroying filter.
May 21 09:14:06 2019 kernel: [fw4_5];ws_mux_perform_fastpath: ERROR: Fastpath handler failed.
May 21 09:14:06 2019 kernel: [fw4_5];ws_mux_body_fastpath: ERROR: Failed to perform fastpath.
May 21 09:14:13 2019 kernel: [fw4_1];CLUS-120202-1: Stopping CUL mode after 10 sec (short CUL timeout), because no member reported CPU usage above the configured threshold (80%) during the last 10 sec.
May 21 09:15:03 2019 kernel: [fw4_1];ws_mux_body_fastpath_av: ERROR: Failed to run AV filter. Destroying filter.
May 21 09:15:03 2019 kernel: [fw4_1];ws_mux_perform_fastpath: ERROR: Fastpath handler failed.
May 21 09:15:03 2019 kernel: [fw4_1];ws_mux_body_fastpath: ERROR: Failed to perform fastpath.

Any suggestion?

Bye,
Luca
Wolfgang
Wolfgang inside General Management Topics 9 hours ago
views 11

problem with CRL distribution point address

Dear Checkmates,

we had a problem with the CRL distribution path after migration of a SMS. We moved the SMS from the old one to a new machine and changed the hostname and IP address. This process was successful, but now we have some problems with VPN between gateways. The root cause of the VPN problems is a false path in the CRL distribution point address. Looking in the details of the certificates, the old path is defined there: "URL=http://old-SMS.domainname.com:18264/ICA_CRL0.crl". Every certificate for gateways will be issued with this path, pointing to the name of the old SMS.

Is there a way to change this path without recreating the internal_CA?

As a workaround we added the DNS name for the old SMS to the gateways' hosts file and everything is fine, but we want to solve it at the root.

Thanks
Wolfgang
nagarevathi
nagarevathi inside General Management Topics 13 hours ago
views 17

How can we install on multiple firewalls using the install-policy command from the API CLI

Hi Team,

I have explored the API reference posted in CheckMates. It gives the command below to deploy policy from the API CLI to a single firewall. Similarly, if we want to run policy installation on all firewalls of a CMA, what is the command?

API Reference: https://sc1.checkpoint.com/documents/latest/APIs/index.html#gui-cli/install-policy~v1.2

Single Firewall:
mgmt_cli install-policy policy-package "standard" access true threat-prevention true targets.1 "corporate-gateway" --version 1.1 --format json

Multiple Firewall:
mgmt_cli install-policy policy-package "standard" access true threat-prevention true targets.1 "corporate-gateway corporate-gateway1 corporate-gateway2 " --version 1.1 --format json

In double quotes, can we include multiple firewalls by separating them with spaces?

Regards
Revathi
Daniel_Westlund
Daniel_Westlund inside General Management Topics 13 hours ago
views 4732 5

Can R80.10 manage R80.20 gateways

Here is what the R80.20 Release Notes say:

Maintaining Security Management Server Version
You can maintain a R80.10 Security Management Server or Multi-Domain Security Management without upgrading and manage R80.20 Security Gateways:
- Support for such a setup will be provided at a later stage via the R80.10 Jumbo Hotfix Accumulator (sk116380)
- In this mode R80.20 new features are not available.

The way I read this, first it says it is supported, but then it says it is not supported until a new jumbo comes out. I checked the jumbo SK for R80.10 and it has nothing about R80.20. My questions are: am I reading this right that this support is not available yet? And if so, does anyone know when that jumbo will be available so that we can manage R80.20 with R80.10?
Larry_Birch
Larry_Birch inside General Management Topics yesterday
views 30 1

SonicWall Migration

Has anyone had any experience in migrating SonicWall policies into Check Point? How to do this as easily as possible, and lessons learned. I understand that SmartMove will not work. Thank you.
Biju_Nair
Biju_Nair inside General Management Topics yesterday
views 1956 6

Restricting the Access on Policy package

Hi,

Is it possible to restrict the access on the policy package for the respective administrators? The version is R80.10.

For example: I have four different branches, all managed by a single management, and there are four separate policy packages for these branches. I do not wish the branch1 admin to access or view the policy details of branch2. Each admin should view only their own policy, NAT, IPsec VPN, objects etc.; they should not view any details related to other branches.

Is this possible?
Dmitriy_Chazov
Dmitriy_Chazov inside General Management Topics yesterday
views 1890 5 3

(R80.10) No server has yet to be synchronized

Good day all.

Faced the problem of incorrectly displaying the time. The time displayed in the WebGUI, and correspondingly in SmartConsole, regularly runs ahead for a very long time. And if you go to the "Time" section, select "Set Time and Date" and then just click "OK" without changing anything in the settings, then the time is set correctly again. It turns out that the time is synchronized with the time source at the moment of clicking the "OK" button, but it still shows the status "No server has yet to be synchronized".

The output of the ntpq command is as follows:

Legitimate traffic being blocked - R80.20

After migration to R80.20 we are having legitimate traffic being blocked. Filtering via "fw ctl zdebug drop", we receive the following log:

@;2731325746;[cpu_9];[fw4_2];fw_log_drop_ex: Packet proto=6 x.x.x.x:45242 -> y.y.y.y:443 dropped by fwmultik_process_f2p_cookie_inner Reason: PSL Drop: internal - reject enabled

We opened an SR and they passed us SK33328, which was applied but did not work; we still have connection problems sometimes. The traffic is from an Apache server to an nginx, TCP/443.

Anyone else went through this and could help?
Kevin_Werner
Kevin_Werner inside General Management Topics Monday
views 1459 8 1

80.10 to 80.20 Pre-Upgrade Verifier

I'm attempting to run the 80.20 pre-upgrade verification script on my 80.10 management server, but nothing appears to be happening when I execute it. I've run the tool in the past with no issues so I am assuming there is a problem with my syntax. I'm running ./pre_upgrade_verifier -p $FWDIR -c R80 -t R80.20 and am not getting any output. The help doesn't list 80.10 as a possibility for the currently installed version so I'm partially wondering if it's not supported.

where the Currently installed version is one of the following:
NGX_R65 (aliases: 6.0.1.0)
R70 (aliases: R70_R70, 6.0.1.6)
R71 (aliases: R71_R71, 6.0.1.7)
R75 (aliases: R75_R75, 6.0.2.0)
R75.20 (aliases: R75.20_R75.20, 6.0.2.1)
R75.40 (aliases: R75.40_R75.40, 6.0.2.5)
R75.40VS (aliases: R75.40VS_R75.40VS, 6.0.3.0)
R76 (aliases: R76_R76, 6.0.3.5)
R77 (aliases: R77_R77, 6.0.4.0)
R80 (aliases: R80_R80, 6.0.4.8)

The file permissions for the entire upgrade pack are below:
-rw-r----- 1 admin root 19141755 Jan 22 10:00 Check_Point_R80.20_Gaia_SecurePlatform_Migration_Tools.tgz
-rwxr-xr-x 1 105 80 893915 Dec 6 03:52 gtar
-rwxr-xr-x 1 105 80 241318 Dec 6 03:52 gzip
-rwxr-xr-x 1 105 80 9210256 Dec 6 03:52 ips_upgrade_tool
-rwxr-xr-x 1 105 80 4636 Dec 6 03:52 mgmt_puv.sh
-rwxr-xr-x 1 105 80 14529536 Dec 6 03:52 migrate
-rw-r--r-- 1 105 80 70783 Dec 6 03:52 migrate.conf
-rw-r--r-- 1 105 80 107 Dec 6 03:52 plugin_pack.conf
-rwxr-xr-x 1 105 80 8388116 Dec 6 03:52 plugin_upgrade_matcher
-rwxr--r-- 1 105 80 19175 Dec 6 03:52 ppidb.conf
-rwxr-xr-x 1 105 80 20965372 Dec 6 03:52 pre_upgrade_verifier
-rwxr-xr-x 1 105 80 1468920 Dec 6 03:52 puv_report_generator

r80.10 FQDN allow rule not being picked up in DMZ zone.

TL;DR

Have rules for cylance.com being allowed on the application layer (all traffic regardless of zones). However, the DMZ network is not seeing all their AWS instances as "cylance.com".

Okay, fine, I'll create a network rule (seeing its traffic get blocked by the last catch-all block/drop) for the DMZ to wildcard *.cylance.com <--- but you can't do that, so I did .*\.cylance.com (FQDN domain object). Still nada. The odd thing is the DMZ stuff isn't resolving their AWS addresses as standard traffic does.

Does anyone know where I've gone wrong? Thanks in advance.

IPSec ikev2

Has anyone configured a lan2lan tunnel with just IKEv2? I have a problem with the IDi that is presented to the remote peer (it presents the private IP) and I do not know if it can be changed/forced to be the public IP without changing the main IP of the cluster. I cannot disable NAT-T because I have other IPsec tunnels working well with IKEv1. This issue is only with v2.

Thank you!