General Management Topics

This space is the place to ask questions about Check Point's Security Management Appliances, Security Compliance, Upgrading your Security Management to R80.x, and more!

konix
konix inside General Management Topics yesterday
views 56 1

license and changing management server

Hi Check Point community, I have 2 firewalls (1550w) that are currently working as standalones. I am going to connect them to a Management server (trial open server) for a while in order to practice before I connect them to the real, licensed Management server. My question is: will it have any influence on licensing? Is it possible to change the management server, or if I assign the IP address of the MGMT server once, do I have to stick with that? Thanks for replies, Marcin
Tbgaz
Tbgaz inside General Management Topics yesterday
views 62 2

Can't Add LDAP Groups to Firewall Rule

Hi. We have several pre-existing Active Directory LDAP groups linked to Check Point and used in the firewall rules. I have created another AD group, but I can't find the AD group listed in the filter, so I can't add it to the firewall rule (I have read the manual). What am I missing?
Rob_Bush
Rob_Bush inside General Management Topics Wednesday
views 89 1

VPN to 3rd parties with large subnets

Greetings all, we currently have VPNs with our sister companies (3rd-party firewalls). Our network is growing fast and the defined networks in the VPN Domain of the Check Point gateways continue to increase, which means we must constantly communicate with the 3rd parties to ask them to add yet another network to the encryption domain so that the VPN tunnel can work correctly. It would be easier if I could just manually define the one large subnet block assigned to us instead of all the smaller subnets, so that we can make one change with our 3rd parties and be done with it entirely. We currently "own" the 10.0.0.0/9 network range for our local company while the remote sites own /10s. We are not using every network within that range; however, we do seem to be slicing and dicing the /9 network up more and more all the time, and the VPN Domain setting on the gateway continues to grow and grow.

I have been searching the Check Point knowledge base and various internet searches to try and find out if there is a best practice on how big a subnet you can or should define for a VPN tunnel. Sadly, I'm striking out. Does anyone have any experience with this on the Check Point side of things? Is there a limit to the size of network I should manually define in the VPN Domain? I would love to specify the entire 10.0.0.0/9 and be done with it, but I'd be happy to cut that down to two /10s or four /11s, as even those would be easier to coordinate with my overseas counterparts versus the huge list we have right now. Thanks in advance for any help.
Arik_Ovtracht
inside General Management Topics Wednesday
views 1516 5 10
Employee+

CDT v1.6 is GA!

Hi all, I am very happy to announce the release of version 1.6 of the CDT - Central Deployment Tool, which now also supports VSX. Version 1.6 introduces the following new features, as well as bug fixes and minor additions:

- VSX support - including gateways, HA clusters and VSLS clusters
- Customized RMA backup & restore - add additional files to the backup
- Resume mode - quickly resume after resolving issues with failed deployment plans
- CloudGuard support - Gateways and CloudGuard Controllers R80.10 and above

Version 1.6 will also be included in version releases starting from R80.30 on all Security Management and Multi-Domain Management machines. Please visit sk111158 for download and usage instructions. Any comments or suggestions for CDT will be appreciated!
Rafael_Lima1
Rafael_Lima1 inside General Management Topics Wednesday
views 1871 13

Problem after migration to R80.20 - ClusterXL

After migrating from version R80.10 to version R80.20, our cluster presents the following messages:

    Feb 25 16:40:45 2019 FWINTRA1 kernel: [fw4_1];CLUS-216400-2: Remote member 1 (state ACTIVE -> LOST) | Reason: Timeout Control Protocol packet expired member declared as DEAD
    Feb 25 16:40:46 2019 FWINTRA1 kernel: [fw4_1];CLUS-214904-2: Remote member 1 (state LOST -> ACTIVE) | Reason: Reason for ACTIVE! alert has been resolved
    Feb 26 06:55:33 2019 FWINTRA1 kernel: [fw4_1];CLUS-216400-2: Remote member 1 (state ACTIVE -> LOST) | Reason: Timeout Control Protocol packet expired member declared as DEAD
    Feb 26 06:55:33 2019 FWINTRA1 kernel: [fw4_1];CLUS-214904-2: Remote member 1 (state LOST -> ACTIVE) | Reason: Reason for ACTIVE! alert has been resolved
    Feb 26 13:49:52 2019 FWINTRA1 kernel: [fw4_1];CLUS-216400-2: Remote member 1 (state ACTIVE -> LOST) | Reason: Timeout Control Protocol packet expired member declared as DEAD
    Feb 26 13:49:52 2019 FWINTRA1 kernel: [fw4_1];CLUS-214904-2: Remote member 1 (state LOST -> ACTIVE) | Reason: Reason for ACTIVE! alert has been resolved

In this cluster the backup traffic passes, causing high consumption; before the migration we had the same consumption, but these messages/errors did not occur. Another thing: we are verifying a connectivity problem on our servers, and the time is similar to that listed in the above messages. Can these messages identify traffic disruption?

We have seen that it does not occur on all servers, but on the most sensitive ones the connection is interrupted, causing serious problems on servers that use NFS. Another detail: we are getting the following message when executing the "show cluster failover" command, but we did not run cpstop on the gateways.

    FWINTRA1> show cluster failover
    Last cluster failover event:
    Transition to new ACTIVE: Member 1 -> Member 2
    Reason: FULLSYNC PNOTE - cpstop
    Event time: Tue Feb 26 15:02:13 2019
    Cluster failover count:
    Failover counter: 4
    Time of counter reset: Mon Feb 11 21:30:31 2019 (reboot)
    Cluster failover history (last 20 failovers since reboot/reset on Mon Feb 11 21:30:31 2019):
    No.  Time:                     Transition:           CPU:  Reason:
    ---------------------------------------------------------------------------------
    1    Tue Feb 26 15:02:13 2019  Member 1 -> Member 2  00    FULLSYNC PNOTE - cpstop
    2    Tue Feb 26 13:49:52 2019  Member 1 -> Member 2  00    FULLSYNC PNOTE - cpstop
    3    Tue Feb 26 06:55:33 2019  Member 1 -> Member 2  00    FULLSYNC PNOTE - cpstop
    4    Mon Feb 25 16:40:45 2019  Member 1 -> Member 2  00    FULLSYNC PNOTE - cpstop

    FWINTRA2> show cluster failover
    Last cluster failover event:
    Transition to new ACTIVE: Member 1 -> Member 2
    Reason: FULLSYNC PNOTE - cpstop
    Event time: Tue Feb 26 15:02:13 2019
    Cluster failover count:
    Failover counter: 4
    Time of counter reset: Mon Feb 11 21:30:31 2019 (reboot)
    Cluster failover history (last 20 failovers since reboot/reset on Mon Feb 11 21:30:31 2019):
    No.  Time:                     Transition:           CPU:  Reason:
    ---------------------------------------------------------------------------------
    1    Tue Feb 26 15:02:13 2019  Member 1 -> Member 2  00    FULLSYNC PNOTE - cpstop
    2    Tue Feb 26 13:49:52 2019  Member 1 -> Member 2  00    FULLSYNC PNOTE - cpstop
    3    Tue Feb 26 06:55:33 2019  Member 1 -> Member 2  00    FULLSYNC PNOTE - cpstop
    4    Mon Feb 25 16:40:45 2019  Member 1 -> Member 2  00    FULLSYNC PNOTE - cpstop

Environment:
    Check Point software version: R80.20 - Build 255
    Kernel: R80.20 - Build 014
    JHF Take: 17
    Open Server - Dell PowerEdge R730
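One way to answer the poster's "can these messages identify traffic disruption?" question is to line the two outputs up by time. The following is an added example, not code from the post or from Check Point: it parses the CLUS kernel messages into LOST episodes (ACTIVE -> LOST paired with the next LOST -> ACTIVE for the same member), parses the failover history table from `show cluster failover`, and reports which failovers coincide with a CCP timeout. The timestamps below are taken from the post; the two-second matching window is an assumption chosen for illustration.

```python
import re
from datetime import datetime

# Line shapes copied from the post above: ClusterXL kernel messages and the
# rows of the "Cluster failover history" table printed by "show cluster failover".
CCP_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) (?P<host>\S+) kernel: "
    r"\[(?P<inst>[^\]]+)\];(?P<code>CLUS-\d+-\d+): Remote member (?P<member>\d+) "
    r"\(state (?P<old>\w+) -> (?P<new>\w+)\) \| Reason: (?P<reason>.*)$"
)
HISTORY_RE = re.compile(
    r"^\s*\d+\s+(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\s+"
    r"Member (?P<src>\d+) -> Member (?P<dst>\d+)\s+\d+\s+(?P<reason>.*)$"
)

def parse_ccp(lines):
    """Return ClusterXL state transitions, oldest first."""
    events = []
    for line in lines:
        m = CCP_RE.match(line.strip())
        if m:
            ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S %Y")
            events.append({"time": ts, "host": m["host"], "member": int(m["member"]),
                           "old": m["old"], "new": m["new"], "reason": m["reason"]})
    return sorted(events, key=lambda e: e["time"])

def lost_episodes(events):
    """Pair each ACTIVE -> LOST with the next LOST -> ACTIVE for the same member."""
    open_since, episodes = {}, []
    for e in events:
        if e["new"] == "LOST":
            open_since.setdefault(e["member"], e["time"])
        elif e["old"] == "LOST" and e["member"] in open_since:
            start = open_since.pop(e["member"])
            episodes.append({"member": e["member"], "start": start, "end": e["time"],
                             "seconds": (e["time"] - start).total_seconds()})
    for member, start in open_since.items():  # member still LOST at end of log
        episodes.append({"member": member, "start": start, "end": None, "seconds": None})
    return episodes

def parse_failover_history(lines):
    rows = []
    for line in lines:
        m = HISTORY_RE.match(line)
        if m:
            ts = datetime.strptime(" ".join(m["ts"].split()), "%a %b %d %H:%M:%S %Y")
            rows.append({"time": ts, "src": int(m["src"]), "dst": int(m["dst"]),
                         "reason": m["reason"]})
    return rows

def correlate(episodes, failovers, window_seconds=2):
    """For each failover, find a LOST episode that started within window_seconds of it.
    The window width is an assumption for this example, not a Check Point default."""
    results = []
    for f in failovers:
        match = next((ep for ep in episodes
                      if abs((ep["start"] - f["time"]).total_seconds()) <= window_seconds), None)
        results.append({"failover": f, "episode": match})
    return results

def report(ccp_lines, history_lines):
    episodes = lost_episodes(parse_ccp(ccp_lines))
    pairs = correlate(episodes, parse_failover_history(history_lines))
    return {"lost_episodes": len(episodes),
            "matched_failovers": sum(1 for p in pairs if p["episode"]),
            "unmatched_failovers": [p["failover"]["time"] for p in pairs if not p["episode"]]}

# Sample input built from the lines quoted in the post.
SAMPLE_CCP = """\
Feb 25 16:40:45 2019 FWINTRA1 kernel: [fw4_1];CLUS-216400-2: Remote member 1 (state ACTIVE -> LOST) | Reason: Timeout Control Protocol packet expired member declared as DEAD
Feb 25 16:40:46 2019 FWINTRA1 kernel: [fw4_1];CLUS-214904-2: Remote member 1 (state LOST -> ACTIVE) | Reason: Reason for ACTIVE! alert has been resolved
Feb 26 06:55:33 2019 FWINTRA1 kernel: [fw4_1];CLUS-216400-2: Remote member 1 (state ACTIVE -> LOST) | Reason: Timeout Control Protocol packet expired member declared as DEAD
Feb 26 06:55:33 2019 FWINTRA1 kernel: [fw4_1];CLUS-214904-2: Remote member 1 (state LOST -> ACTIVE) | Reason: Reason for ACTIVE! alert has been resolved
Feb 26 13:49:52 2019 FWINTRA1 kernel: [fw4_1];CLUS-216400-2: Remote member 1 (state ACTIVE -> LOST) | Reason: Timeout Control Protocol packet expired member declared as DEAD
Feb 26 13:49:52 2019 FWINTRA1 kernel: [fw4_1];CLUS-214904-2: Remote member 1 (state LOST -> ACTIVE) | Reason: Reason for ACTIVE! alert has been resolved
""".splitlines()

SAMPLE_HISTORY = """\
1 Tue Feb 26 15:02:13 2019 Member 1 -> Member 2 00 FULLSYNC PNOTE - cpstop
2 Tue Feb 26 13:49:52 2019 Member 1 -> Member 2 00 FULLSYNC PNOTE - cpstop
3 Tue Feb 26 06:55:33 2019 Member 1 -> Member 2 00 FULLSYNC PNOTE - cpstop
4 Mon Feb 25 16:40:45 2019 Member 1 -> Member 2 00 FULLSYNC PNOTE - cpstop
""".splitlines()

if __name__ == "__main__":
    for key, value in report(SAMPLE_CCP, SAMPLE_HISTORY).items():
        print(f"{key}: {value}")
```

On the quoted data three of the four failovers start at the same second as a CCP timeout; the 15:02:13 failover has no matching kernel message in the excerpt, which is the kind of gap worth checking against the full /var/log/messages before attributing every failover to CCP loss.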
edd080
edd080 inside General Management Topics Wednesday
views 5700 10 4

Check Point Endpoint VPN with Microsoft 2-Factor Authentication

Good day to all, we currently have our Check Point Endpoint VPN authentication, which uses username, password and DynamicID, which sends an SMS to the user in order to complete the logon. We would like to change the DynamicID portion to Microsoft's two-factor authentication. I am aware that a RADIUS server is needed for this; however, is there an SK or guide which can help us out on how Check Point can be configured for this? Thanks in advance.
Jan_Kleinhans
Jan_Kleinhans inside General Management Topics Wednesday
views 753 7 1

Changing Multiportal Certificate via API or script (let's encrypt)

Hello, we are using an officially purchased wildcard certificate for the Identity Portal and Mobile Access. Is there any way to change the certificate without using the SmartConsole (R80.10)? That would provide the possibility to use Let's Encrypt certificates, which have to be renewed every 3 months. Best Regards, Jan
Prabulingam_N1
Prabulingam_N1 inside General Management Topics Tuesday
views 176 3 1

Credential Guessing Event in SmartEvent

Dear All, has anyone come across the events below? We have SmartEvent (both R77.x and R80.x) on the same machine as the Management server. We have enabled the Event Policy "Unauthorized Entry" - "Credential Guessing" to generate events on 3 failures within 600 seconds. We are receiving events on the above as well, which is fine. But we have different info in the above "Credential Guessing" event log. Example: we have an internal server (Windows 2012) and we tried to SSH into the firewall from this server. For a few wrong attempts, as per the event detection, we get events. But the event "Product" says "Linux OS" instead of "Windows OS" (attached screenshot). Regards, Prabulingam
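The rule the poster describes, "3 failures within 600 seconds", is a sliding-window threshold. The following is an added example, not code from the post or from SmartEvent: it runs that detection over constructed OpenSSH-style failure lines of the kind Gaia's sshd writes, keyed by source address and target host, and includes the boundary case where the third failure lands 601 seconds after the first. Clearing the window after an event fires (so one burst yields one event) is an assumption made here, not SmartEvent's documented behaviour; the host name, addresses and year are made up.

```python
import re
from collections import deque
from datetime import datetime

# OpenSSH failure line as written to syslog. Syslog lines carry no year, so the
# caller supplies one.
SSH_FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse_failures(lines, year):
    """Return (time, target_host, user, source_ip) tuples for each failed login, oldest first."""
    out = []
    for line in lines:
        m = SSH_FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S").replace(year=year)
            out.append((ts, m["host"], m["user"], m["src"]))
    return sorted(out)

def credential_guessing(failures, threshold=3, window_seconds=600):
    """Sliding-window detector: fire when `threshold` failures from one source against
    one target fall within `window_seconds`. The per-key window is cleared after an
    event (assumption: one event per burst)."""
    windows, events = {}, []
    for ts, host, user, src in failures:
        q = windows.setdefault((src, host), deque())
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            events.append({"time": ts, "source": src, "target": host,
                           "count": len(q), "first_failure": q[0], "last_user": user})
            q.clear()
    return events

def detect(lines, year=2019, threshold=3, window_seconds=600):
    return credential_guessing(parse_failures(lines, year), threshold, window_seconds)

# Constructed sample log (not from the post): one real burst from 10.1.1.5, a
# near-miss from 10.1.1.8 whose third failure is 601 s after the first, slow
# failures from 10.1.1.7 twelve minutes apart, and one successful login.
SAMPLE_LOG = """\
Feb 26 10:00:01 FW-GW sshd[4021]: Failed password for admin from 10.1.1.5 port 51234 ssh2
Feb 26 10:00:05 FW-GW sshd[4021]: Failed password for admin from 10.1.1.5 port 51235 ssh2
Feb 26 10:00:09 FW-GW sshd[4021]: Failed password for admin from 10.1.1.5 port 51236 ssh2
Feb 26 10:00:13 FW-GW sshd[4021]: Failed password for admin from 10.1.1.5 port 51237 ssh2
Feb 26 10:00:00 FW-GW sshd[4030]: Failed password for invalid user root from 10.1.1.8 port 40000 ssh2
Feb 26 10:09:00 FW-GW sshd[4031]: Failed password for invalid user root from 10.1.1.8 port 40001 ssh2
Feb 26 10:10:01 FW-GW sshd[4032]: Failed password for invalid user root from 10.1.1.8 port 40002 ssh2
Feb 26 10:05:00 FW-GW sshd[4040]: Failed password for monitor from 10.1.1.7 port 42000 ssh2
Feb 26 10:17:00 FW-GW sshd[4041]: Failed password for monitor from 10.1.1.7 port 42001 ssh2
Feb 26 10:29:00 FW-GW sshd[4042]: Failed password for monitor from 10.1.1.7 port 42002 ssh2
Feb 26 10:00:02 FW-GW sshd[4050]: Accepted publickey for admin from 10.1.1.9 port 43000 ssh2
""".splitlines()

if __name__ == "__main__":
    for ev in detect(SAMPLE_LOG):
        print(f"{ev['time']} credential guessing from {ev['source']} against {ev['target']}: "
              f"{ev['count']} failures since {ev['first_failure']}")
```

Keying on (source, target) is what lets the detector say where the guesses came from; which operating system the event's "Product" field reports is a separate enrichment step that this logic does not perform.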

Does system backup of management server contains all the policies and objects ?

Dear Team, my management server has crashed. We used to take a weekly system backup of the management server. Will restoring the system backup give us all the policies and objects? What are the recommendations for restoring a system backup on a management server? Regards, Ravindra
Don_Paterson
Don_Paterson inside General Management Topics Monday
views 14845 22 8

NAT Templates - SecureXL

Is it recommended to turn NAT Templates on? Why is it not on by default?

    [Expert@GW:0]# fwaccel stat
    Accelerator Status : on
    Accept Templates   : enabled
    Drop Templates     : disabled
    NAT Templates      : enabled
    NMR Templates      : enabled
    NMT Templates      : enabled
yishola
yishola inside General Management Topics Monday
views 808 10

R80.10 -> R80.20/30 Management upgrade issues

Hi there, I've tried various upgrade paths for my VM Management server (R80.10 Take 462) to R80.20 or R80.30 without success. I've increased the disk space and extended the existing space with lvm_manager, still no joy. Tried CLI and CPUSE and the errors are always about insufficient disk space. I seem to have a lot of space. Tried migrate export and the space issue persists. Tried snapshot, and though the system says I need 9 GB for the snapshot (and I have 33 GB free), the snapshot is unsuccessful. What I am looking for is a process by which I can upgrade the server without a Check Point snapshot or backup. I can use a VM snapshot as fallback in case I need to.

    LVM overview
    ============
                Size(GB)  Used(GB)  Configurable  Description
    lv_current  20        9         yes           Check Point OS and products
    lv_log      20        15        yes           Logs volume
    upgrade     22        N/A       no            Reserved for version upgrade
    swap        5         N/A       no            Swap volume size
    free        33        N/A       no            Unused space
    -------     ----
    total       100       N/A       no            Total size

Cleaning up /var/log

We recently did an inline (CPUSE) upgrade on our SmartCenter Server from R80.20 to R80.30. /var/log now has a size of 712 GB, and there must be plenty of unused stuff to delete. Any hints are welcome. For example: WTF is /var/log/opt/CPsuite-R80.20/fw1/log/blob/?
yishaia
yishaia inside General Management Topics Monday
views 202 6

20 FWs on 1 Management server

Hello, I have 20 gateways and 1 management server. When I install policy from the management server, I put the FWs I want to install on in the "install on" section. Is there any way to make groups of "install on" FWs? I need to select 5-6 different FWs on every rule I install; is there any way to make groups? Like 5 gateways "group one", 10 gateways "group two", something like that? Thanks

Outbound https inspection and SNI on R80.20

Hi! I am a bit confused about HTTPS inspection and SNI support. We are running R80.20 Take 80 with HTTPS inspection, and we have also enabled "Categorize HTTPS websites" for non-HTTPS-inspection machines. Lately we encounter strange behaviours with websites running in Cloudflare. SSL Labs shows: "This site works only in browsers with SNI support," and most of them only support ECDSA cipher suites, which are only supported from the gateway to the server in R80.20.

One example of the behaviour: a client using Chrome (same issue with other browsers) to access https://oauth.net.
Pcap from the client: the client web browser sends Client Hello, SNI=oauth.net. The gateway tries to connect to the server and tries the supported cipher suites.
Pcap from the gateway: after a while (after failing several times without sending ECDSA ciphers) they connect with the supported ECDSA cipher and the server sends the correct SAN names: *.oauth.net, sni.cloudflare.com and oauth.net.
Pcap from the client: the client receives the wrong SAN names: api2.hitta.se and sni.cloudflare.com, and the web browser displays a certificate warning.
All wrong SAN names displayed are also hosted on Cloudflare, so my theory is that the firewall has cached the SAN names and the corresponding IP address. After hitting F5 a lot of times and accepting the wrong certificate, the client can connect.

My questions:
Why is the client getting the wrong SAN names from the gateway?
Is there an HTTPS cache (SAN names to corresponding IP address) that is causing this?
If so, can it be cleared?
Is there a way to get around this issue without disabling HTTPS inspection for the Cloudflare /14 subnet or upgrading to R80.30?
Adding screenshots of the behaviour.
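The certificate warning the poster sees is the browser applying the RFC 6125 hostname check: the SNI the client sent (oauth.net) must be covered by a dNSName SAN in the certificate it received. The following is an added example, not code from the post or from Check Point, that implements that check so the two SAN sets quoted above can be compared directly. It enforces the usual wildcard rules (a `*` only as the entire left-most label, matching exactly one label, never bare `*.tld`), and includes a helper that pulls dNSName entries out of the dictionary shape Python's `ssl.SSLSocket.getpeercert()` returns. It does not do CN fallback or IDNA normalisation.

```python
def hostname_matches_san(hostname, san):
    """Match a DNS hostname against one dNSName SAN entry, RFC 6125 style.
    A wildcard is honoured only as the whole left-most label and covers exactly
    one label, so "*.oauth.net" matches "www.oauth.net" but neither "oauth.net"
    nor "a.b.oauth.net"; "*oauth.net" and "*.net" are rejected outright."""
    host = hostname.lower().rstrip(".")
    name = san.lower().rstrip(".")
    if not host or not name:
        return False
    if "*" not in name:
        return host == name
    labels = name.split(".")
    if labels[0] != "*" or any("*" in label for label in labels[1:]) or len(labels) < 3:
        return False
    host_labels = host.split(".")
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]

def cert_matches(hostname, sans):
    """True if any SAN covers the hostname the client asked for (the SNI)."""
    return any(hostname_matches_san(hostname, san) for san in sans)

def sans_from_peercert(peercert):
    """Extract dNSName SANs from the dict returned by ssl.SSLSocket.getpeercert()."""
    return [value for kind, value in peercert.get("subjectAltName", ()) if kind == "DNS"]

def verdict(sni, sans):
    """Explain, for a capture like the poster's, why a browser would or would not warn."""
    if cert_matches(sni, sans):
        return f"OK: SNI {sni} is covered by {sans}"
    return f"WARNING: SNI {sni} is not covered by {sans}"

# SAN sets as reported in the post: what the gateway saw from the origin server,
# and what the client actually received through the inspecting gateway.
SANS_FROM_ORIGIN = ["*.oauth.net", "sni.cloudflare.com", "oauth.net"]
SANS_SEEN_BY_CLIENT = ["api2.hitta.se", "sni.cloudflare.com"]

if __name__ == "__main__":
    print(verdict("oauth.net", SANS_FROM_ORIGIN))
    print(verdict("oauth.net", SANS_SEEN_BY_CLIENT))
    # Constructed getpeercert()-style dict, not captured data.
    peer = {"subjectAltName": (("DNS", "*.oauth.net"), ("DNS", "oauth.net"), ("IP Address", "198.51.100.7"))}
    print(verdict("www.oauth.net", sans_from_peercert(peer)))
```

Running `verdict` over the two SAN lists shows the asymmetry the pcaps revealed: the origin's certificate covers oauth.net both by exact name and by the wildcard, while the certificate the client received covers only hitta.se and Cloudflare names, so the browser's warning is the expected outcome regardless of what happened on the gateway side.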

TACACS+ SmartDashboard authentication

Hello, TACACS authentication does not work in SmartDashboard, but on this management appliance SSH and WebUI TACACS authentication do work. In the log: "Administrator failed to log in: Wrong Password". The TACACS server is Cisco ISE.