cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post
Charlie_Dobson
Charlie_Dobson inside General Management Topics 8 hours ago
views 50 3

Endpoint device license management

We constantly seem to be going over the number of allotted licenses we have for our company which made my director question how Check Point manages licenses. I seem unable to find this information on my own. How does Check Point count endpoint devices and how do I know old devices that have been removed from our network aren't still being counted as taking up a license?
Blason_R
Blason_R inside General Management Topics 8 hours ago
views 2860 13

Captive portal for linux SSH or Terminal windows

Hi there,Is anyone aware if any mechanism exists to leverage Identity awareness when I would like to pass through Firewall with captive Portal enabled while using SSH or Linux with no GUI Terminal?With browser Yes it's pretty much possible; but what if the GUI is not available? Thanks and Regards,Blason R
Josh_Dill
Josh_Dill inside General Management Topics 10 hours ago
views 64 2

Identity Awareness setup

Hi All,I will be setting up Identity Awareness in an R80.10 MDS environment. We will be using Identity collects to communicate with the DCs and provide what is in the security logs to the firewall. After reading the documentation I have some questions regarding setup and usage. Thanks in advance: 1) I have read the following identity collection requirement:"Identity collector provides information about users, machines and IP addresses to the Security Gateway. LDAP Account Unit(s) should be configured to allow PDP gateways to perform group lookups on IDs that are provided from Identity Collector to match them to Access Roles." If an account unit is created in the domain (checkpoint local domain NOT active directory) and applied to the firewall object under firewall properties - others - user directory. Is that all I need to perform this requirement?2) There is no way to apply an account unit I created in global directory (at least not that I can find). Does this mean I cannot use global rules with identity awareness since the global account unit would not be assigned to the firewall to perform global lookups? 3) Is there anyway to create rules for individual users opposed to groups? Thanks,Josh
Hugo_vd_Kooij
Hugo_vd_Kooij inside General Management Topics 11 hours ago
views 61 1 2

A request for an in-depth session on the backend of R80

Hi, When I read articles like sk157932 : "Accept" traffic statistics are not displayed in the Access Control view then I could appreciate a session about how the backend things are designed and how they interact. This article explains some of it but I think a in-depth session on Check Mates would be a good idea to understand a lot more of how everything works in the backend where al the data is stored. I can deduct a lot from seperate articles but puttin g it all together would a good idea in my view. Let me know your thoughts on this. Regards, Hugo.
Sumedh_Gujar
Sumedh_Gujar inside General Management Topics 13 hours ago
views 469 9 1

Behavior of HA cluster when SYN link is down

Hi,I am bit confused in behavior of HA cluster. We have configured HA cluster between our 2 firewalls (12400 and R77.30). We have point to point link between these 2 firewalls for syncing. When this link goes down our Active firewall goes to down state and Standby firewall goes to Active state, which we can see in cphaprob stat command. I just want to confirm whether this is the normal behavior of Checkpoint firewalls in HA mode. Or like Cisco HSRP, both firewalls should go to Active Active mode. Thank youSumedh
Oliver_Matt
Oliver_Matt inside General Management Topics 16 hours ago
views 12

IPS change management - Help needed

Hi all,we've recently upgraded out managment and logging servers from R77.30 to R80.20 (gateways are still on R77.30). With R77.30 we've used a simple MS Excel based change management tool to document all of our changes and exceptions in the IPS System.We've simply marked and copied the changed protections from the R77.30 dashboard to a text file and used a script to import to excel. This was an easy way to keep a time track to our changes. Since I can't copy any content from the R80.20 SmartConsole this solution isn't working any more and I try to figure out a simple way how to keep a time track of our IPS changes and get the data into our Excel chart again.I've learned the R80.20 has new automation APIs but to be honest - I'm a noob on that.Any ideas?Many thx
Vincent_Bacher
Vincent_Bacher inside General Management Topics yesterday
views 29051 15 8

Will (Smart)Workflow come back?

Hello together,i am wondering if there are any news, if and when (Smart)Workflow will come back.Does anybody have news about that?Best regardsVincent
Heath_Mote
Heath_Mote inside General Management Topics yesterday
views 2789 12

R80.20.M2 Management - Finalizing Stuck at 99% During Policy Installs

Setup is 2x Management Server 5150 with dedicated SmartEvent server all running R80.20.M2 pushing policy to a single 5800 HA ClusterXL setup all running R80.10. The management and cluster are located at the same site. The access/threat policy takes less than 3 minutes to succeed on the cluster but the 99% finalizing status takes a very long time to complete. I've just pushed a policy and it again finished in 3 minutes but has been stuck at 99% finalizing for the past 45 minutes... Is anyone else experiencing this after updating your management to R80.20.M2 or R80.20 in general?

Endpoint client policy updates

Hi, I have a customer who has a central NPM/EPM server (R77.30) to manage their firewall and endpoint estate. They have an additional Endpoint Security Policy Server which faces the internet for clients in the field, and this works okay.I was wondering if by putting a reverse proxy (e.g. NGINX) in front of the private EPM, we could in R80 replace the functionality of the current policy server, to save on support costs? ThanksJamie

SmartView web access for firewall policy

Hi,I get one question from one of my customer.Smartview (webased) is a great tools and used for accessing the logs from read-only user. That's nice.But there is existing way to access to the access policy by the same way ?Currently we use the web_api_show_package.sh script to export in HTML, but this is not really easy to access to the html file for the policy and Smartview for log... Thanks for your help guys!Arthur

How to import Management Server VM configuration to Appliance(Smart-1 410) ?

Hi Everyone,I am trying to import configuration of Management server VM which has R80.20 OS; to the Smart-1 410 Appliance having same OS and same build number.I guess "System backup" will not work here since they are of different products.Hence I tried to use "migrate export and import method" but while trying to import into the appliance, the error pops out as "Database migration between Standalone and Management only machines is not supported".Any suggestions will be highly appreciable. With Regards,Bishal Upadhyay
Blason_R
Blason_R inside General Management Topics yesterday
views 215 10

Upgrade R77.30 to R80.10 Database Import issue

Hi Team,I am facing an issue while importing database for upgrade in R77.30. This is I am importing database from R77.30 to R77.30 and below is the error messages. Can someone pls help? [24 Jun 11:39:29] [ExecCommandGetOutput] ERR: Command completed with error code 1[24 Jun 11:39:29] ...<-- ExecCommandGetOutput[24 Jun 11:39:29] [CommandRunner::exec] Command's output:-------------------------------------Execution finished with errors. See log file '/opt/CPshrd-R77/log/PItpi-import_install.elg' for further detailsExecution has finished-------------------------------------[24 Jun 11:39:29] [CommandRunner::exec] ERR: Command execution had failed[24 Jun 11:39:29] ..<-- CommandRunner::exec[24 Jun 11:39:29] .<-- PluginsInstallationRunner::InstallPlugin[24 Jun 11:39:29] [PluginsInstallationRunner::exec] ERR: Failed to install plugin[24 Jun 11:39:29] <-- PluginsInstallationRunner::exec[24 Jun 11:39:29] [ActivitiesManager::exec] ERR: Activity 'PluginsInstallationRunner' failed[24 Jun 11:39:29] [ActivitiesManager::exec] WRN: Activities execution finished with errors[24 Jun 11:39:29] [ActivitiesManager::exec] WRN: Activities 'PluginsInstallationRunner' have failed[24 Jun 11:39:29] [ActivitiesManager::exec] Designated exit code is 1**************************************************[Expert@mgmt-server:0]# more /opt/CPshrd-R77/log/PItpi-import_install.elg[24 Jun 11:39:24][24 Jun 11:39:24] *****************************************************************[24 Jun 11:39:24] ********************* Log session beginning *********************[24 Jun 11:39:24] *****************************************************************[24 Jun 11:39:24] [writeExecCommandTolog] Program executed as: /opt/CPPItpi-R77/bin/uacRunner -p PItpi -import_install[24 Jun 11:39:24] [writeEnvInfoToLog] Binary was build for Linux OS[24 Jun 11:39:24] [writeEnvInfoToLog] Management type of machine is 'Smc'[24 Jun 11:39:24] [writeOptionsToLog] Base name is: PItpi[24 Jun 11:39:24] [writeOptionsToLog] Product name is: PItpi[24 Jun 11:39:24] [writeOptionsToLog] Main run flag is: -import_install[24 Jun 11:39:24] [writeOptionsToLog] Runner working directory is: /opt/CPPItpi-R77[24 Jun 11:39:24] [writeOptionsToLog] Main run option is of type: Default[24 Jun 11:39:24] [runDefaultActivities] Running default activities[24 Jun 11:39:24] [PluginSpecs::PluginSpecs] Initializing plugin specs with '/opt/CPPItpi-R77/conf/specs.conf'[24 Jun 11:39:24] [ActivitiesManager::exec] Starting activities execution[24 Jun 11:39:24] [ActivitiesManager::exec] Executing activity 'PluginDefaultDbMaker'[24 Jun 11:39:24] [copyPluginDBtoManagement] Removing directory '/opt/CPsuite-R77/fw1/conf/pluginDefault/_PItpi' if it exists[24 Jun 11:39:24] [copyPluginDBtoManagement] Creating directory '/opt/CPsuite-R77/fw1/conf/pluginDefault/_PItpi'[24 Jun 11:39:29] [copyPluginDBtoManagement] Copying plugin default directory from '/opt/CPPItpi-R77/conf/defaultDatabase' to '/opt/CPsuite-R77/fw1/conf/pluginDefault/_PItpi'[24 Jun 11:39:29] [copyPluginDBtoManagement] ERR: Failed to copy plugin default directory[24 Jun 11:39:29] [ActivitiesManager::exec] ERR: Activity 'PluginDefaultDbMaker' failed[24 Jun 11:39:29] [ActivitiesManager::exec] Rolling back previous activities[24 Jun 11:39:29] [ActivitiesManager::exec] Rolling back activity 'PluginDefaultDbMaker'[24 Jun 11:39:29] [ActivitiesManager::exec] WRN: Activities execution finished with errors[24 Jun 11:39:29] [ActivitiesManager::exec] WRN: Activities 'PluginDefaultDbMaker' have failed[24 Jun 11:39:29] [ActivitiesManager::exec] Designated exit code is 1
Alan_Kong
Alan_Kong inside General Management Topics yesterday
views 8692 8 3

Unable to install CheckPoint VPN E80.83

Failed to install checkpoint VPN e80.83 on windows 10 pro. I encountered this error:Error 26630. Failed to copy driverWhile installing virtual network adapter and installling network driver. Previously I had some virtual network adapter issue in e80.82 and wanted to resolve it by installing e80.83.i am the administrator for the system so I do not understand why I cannot install the program. Any help would be greetly appreciated.

R80.20 Updatable Domain Objects and CLI Commands

An updatable object (new in R80.20 and above) is a network object that represents an external service, such as Office 365, AWS, GEO locations and more. External services providers publish lists of IP addresses, or Domains, or both, to allow access to their services. These lists are dynamically updated. Updatable objects derive their contents from these published lists of the providers, which Check Point uploads to the Check Point cloud. The updatable objects are updated automatically on the Security Gateway each time the provider changes a list. There is no need to install policy for the updates to take effect. You can use an updatable object in the Access Control policy as a source, or a destination. I didn't find anything on the CLI commands in the documentation. Here my knowledge from the reverse engineering. In 80.20 and above you can run the tool "domains_tool" to show domain object informations. # domains_tool -d update.microsoft.com => show which IP is associated to a domain object # domains_tool -ip 1.2.3.4 => search and privide a list of domains for IP For more informations about updatable object see sk131852.

Inbound https inspection only

Hello, I wanted to turn on Inbound https inspection only and not outbound. Is there a way to do this?Going through documentation it says when you enable https inspection on the gateways, it creates an outbound CA certificate as well which means outbound https inspection is enabled as well. Thanks,Chandru