Hugo_Marques
Hugo_Marques inside General Topics an hour ago
views 3668 6 1

R80.20 SecureXL drop template support

Hi, I was reading the "Performance Tuning Administration Guide R80.20" and passed by something that made me think about some upgrades to R80.20 that I will need to do in the next months, and about pushing them forward until this is supported, at least on 2 of them that have a good amount of traffic dropped by the SXL. The drop template feature on SXL is still not supported. Does anyone know when it will be supported? Mid 2019? Regards
Di_Junior
Di_Junior inside General Topics 2 hours ago
views 3175 16

Check Point Clustering between two Datacenters

Dear Mates, we are currently experiencing routing asymmetry on our infrastructure, and we are trying to find possible solutions that could help us solve the problem. I would like to know whether there is a limitation in terms of creating a Check Point cluster over two geographically separated Datacenters (a few kilometers away from each other). Are there any distance constraints? If there is no distance constraint, since the current version of GAIA we are using (R80.20) does not support Load-sharing, we do not intend to have 4 appliances in a cluster while only one is taking all the traffic. Can Maestro be used in order to take advantage of the 4 appliances? The rationale for this question is that we are thinking of turning the 4 Check Point Appliances into a single cluster. Thanks in advance
Taekyoon-kim
Taekyoon-kim inside General Topics 6 hours ago
views 134 6

What happens when a license expires?

Hi..! What happens when a license expires? I just.. If the licenses for each device expire, can I use the features I used before? And what features are available and what are not? I wonder.
1. Smart-1
2. Collector
3. TE
Thank you for taking the time to ask.
HeikoAnkenbrand
HeikoAnkenbrand inside General Topics 6 hours ago
views 8648 18 22

R80.20 - IP blacklist in SecureXL

Controls the IP blacklist in SecureXL. The blacklist blocks all traffic to and from the specified IP addresses. The blacklist drops occur in SecureXL, which is more efficient than an Access Control Policy to drop the packets. This can be very helpful e.g. with DoS attacks to block an IP on SecureXL level. For example, the traffic from and to IP 1.2.3.4 should be blocked at SecureXL level.

On gateway set the IP 1.2.3.4 to SecureXL blacklist:
# fwaccel dos blacklist -a 1.2.3.4

On gateway display all IPs on the SecureXL blacklist:
# fwaccel dos blacklist -s

On gateway delete the IP 1.2.3.4 from SecureXL blacklist:
# fwaccel dos blacklist -d 1.2.3.4

Very nice new function in R80.20!

Furthermore there is also the Penalty Box whitelist in SecureXL. The SecureXL Penalty Box is a mechanism that performs an early drop of packets that arrive from suspected sources. The purpose of this feature is to allow the Security Gateway to cope better under high traffic load, possibly caused by a DoS/DDoS attack. The SecureXL Penalty Box detects clients that send packets which the Access Control Policy drops, and clients that violate the IPS protections. If the SecureXL Penalty Box detects a specific client frequently, it puts that client in a penalty box. From that point, SecureXL drops all packets that arrive from the blocked source IP address. The Penalty Box whitelist in SecureXL lets you configure the source IP addresses which the SecureXL Penalty Box never blocks.

More under this link: Command Line Interface R80.20 Reference Guide

Regards, Heiko
Maik
Maik inside General Topics yesterday
views 2263 18 6

TCP SACK PANIC - Kernel vulnerabilities | Check Point affected?

Hello, Just wanted to ask for a statement from Check Point regarding CVE-2019-11477, CVE-2019-11478 & CVE-2019-11479. As Red Hat posted a statement and mentioned several releases are affected, my guess is that Check Point with GAiA is affected too (as based on RH Linux...). Details can be read below: https://access.redhat.com/security/vulnerabilities/tcpsack Regards, Maik
Valeri_Loukine
inside General Topics yesterday
views 5620 38 1
Admin

Propose your Idea of the Year!

Yes, this is this time of year, again. Same as one year ago, we turn to the community and ask you, good folks, to propose the idea of the year. Or, better: The Idea Of The Year! The rules are the same as before, it is about ideas that you wish Check Point would develop into a product/service offering, or improvements to existing ones. Do you think we miss something important or we should consider to expand our product portfolio, feature set, functionalities, get to a completely new playground, change the rules of the game? Tell us NOW!

A few disclaimers/notes:
- There are no guarantees that any idea suggested will be developed, even the "Idea Of The Year",
- From the suggestions below, we will choose 3-5 ideas which will be put up for voting later on,
- Preference will be given to ideas that come from customers and partners, though employees are welcome to participate as well.
- "Likes" and "discussion" around specific ideas will influence (but not wholly determine) the final list, so if you like something someone has suggested, let it be known!

@Dorit_Dor and R&D leaders will choose the best ideas, and if you win, you will get a prize! What prize? We will tell you later. Get creative, use your imagination and PROPOSE!
AlexeyB
AlexeyB inside General Topics yesterday
views 70 2 2

Command to show history of ClusterXL member status

Here is yet another one-liner for R77.xx:

sqlite3 /var/log/CPView_history/CPViewDB.dat "SELECT datetime(a.Timestamp, 'unixepoch', 'localtime'), a.cluster_status FROM UM_STAT_UM_SYSTEM AS a WHERE a.cluster_status <> ( SELECT b.cluster_status FROM UM_STAT_UM_SYSTEM AS b WHERE a.Timestamp > b.Timestamp ORDER BY b.Timestamp DESC LIMIT 1 );"

Command shows data for current member like show cluster failover in R80.20:

2019-11-01 15:31:03|Standby
2019-12-02 15:11:15|Down
2019-12-02 15:12:15|Standby
2019-12-02 15:15:15|Active

It is better than show routed cluster-state detailed because it shows only real changes, excluding info like Jun 16 17:33:36 Master to Master, and it shows more, older data
JonWilliams
JonWilliams inside General Topics yesterday
views 895 8

Nat through site to site vpn

Hi, I am trying to set up a NAT through a site to site VPN. We have a weird setup where our internal source is a public IP /32 talking to a dest public IP /32. When I do a no nat rule it works ok. Issue being that our internal IP is a public IP address in Italy so they cannot route to it. I then NAT our internal to a spare public IP off our CP range and the tunnel breaks.
no nat rule is
source ip - dest ip - source nat to public spare ip
dest ip - source ip (Public) - denat dest to real ip
My encryption domain is source (real and public) des (dest public)
Any help greatly received, thanks
ThaiHoang
ThaiHoang inside General Topics yesterday
views 318 3

I can't Isomorphic download

Hi! My Check Point has failed with terminal:

+==============================================================================+
| CPU T: Intel(R) Celeron(R) M processor Base Memory : 640K |
| CPU I: 06D8/20D Extended Memory :1038336K |
| CPU C: 1.50GHz Cache Memory : 1024K |
|------------------------------------------------------------------------------|
| Diskette Drive A : None Display Type : EGA/VGA |
| Diskette Drive B : None Serial Port(s) : 3F8 2F8 |
| Pri. Master Disk : None Parallel Port(s) : None |
| Pri. Slave Disk : None DDR2 at Bank(s) : 0 2 |
| Sec. Master Disk : None |
| Sec. Slave Disk : None |
+==============================================================================+
PCI device listing ...
Bus No. Device No. Func No. Vendor/Device Class Device Class IRQ
--------------------------------------------------------------------------------
0 2 0 8086 2592 0300 Display Cntrlr 5
0 29 0 8086 2658 0C03 USB 1.0/1.1 UHCI Cntrlr 15
0 29 1 8086 2659 0C03 USB 1.0/1.1 UHCI Cntrlr 15
0 29 2 8086 265A 0C03 USB 1.0/1.1 UHCI Cntrlr 10
Verifying DMI Pool Data ...........

I want to download ISOmorphic but I can't. The website notifies: "You are not entitled to download this file." Pls, help me!!! Thanks for your help
HeikoAnkenbrand
HeikoAnkenbrand inside General Topics yesterday
views 7849 23

Which version is better? R80.10 or R77.30

We always have the discussion in Checkmates forum which version is better. That's why I started a survey. Check Point R80.10 Check Point R77.30 R80.10 50 R77.30 26 R80.20 EA 14 0
Jonathan_Griffi
Jonathan_Griffi inside General Topics yesterday
views 35

R80.10 - Remote Access VPN - Endpoint Security Diffie-Hellman Support

Info:
Security Manager / Gateway Environment R80.10
Endpoint Security VPN Client: E80.97

Hi, I won't pretend to know the cryptographic intricacies of all the differences between the numerous Diffie-Hellman groups; my question / concern is based on best practice while providing a balance between security and usability. I've spent the last few hours trying to find content relating to why I can't use Diffie-Hellman Group 19/20 with my Remote Access VPN clients...using Endpoint Security E80.9x. Within global properties on my SMS I can set some pretty respectable Encryption / Integrity algorithms. However, the "best" offering regarding Diffie-Hellman Groups is 14 (2048 bits). I would like to know why I am unable to use Diffie-Hellman Groups 19/20 as this is really the minimum standard for IPSec as far as I can tell...happy to be corrected if this understanding is wrong? I'm beginning to suspect this is a client limitation. I have checked the database with the guiDB tool and can see groups 19 and 20 are defined. Some clarification and/or direction to the relevant resource would be much appreciated. Thanks, Jon
Kaspars_Zibarts
Kaspars_Zibarts inside General Topics yesterday
views 54

CPUSE will fail to install new Jumbo on restored gateway

Just ran into an interesting scenario with CPUSE failing to install take 203 on the very last gateway (nearly 40 updated without any issues). Won't be creating a TAC case out of pure laziness and too much to do as is. DA agent version is 1677, so all good there, and the gateway had take 154 installed before the attempt to upgrade to 203. What turned out was that this particular box was recently fully re-built from factory image due to SSD failure (second SSD dying on 5900 appliances! not a good trend there). So we went R77.30 > R80.10 > take 154 > backup restore. All went great and the box was running like a charm. But now when I attempted to install take 203 it failed at a very early stage with the following error: Digging into more detailed logs I found that CPUSE was looking for an older file that was not there (/opt/CPInstLog/install_cpfc_wrapper_HOTFIX_R80_10_JUMBO_HF.log) So I compared the deployment agent backup directory contents on both cluster members. /opt/CPda/backup/ This was the restored node and this was the secondary that was in its "original" state Ok - bunch of archives missing.. Then it clicked - when we restored the box from backup, we did not install all jumbo HFs that were installed over time originally but went straight to the latest take 154 that was running on the node when the backup was taken. So the quick action was simply to copy all missing archives from the "original" node /opt/CPda/backup to the restored one, and then take 203 installation succeeded. It might be a known issue, but there's definitely room for improvement for CPUSE in case you use backup for restore instead of snapshot
Junior
Junior inside General Topics Tuesday
views 120 1

botnet activity detection

Hello dear, The Check Point firewall detected botnet activity on one of our DNS servers, and another on a computer network. To my knowledge the firewall is supposed to block such activity? How to get rid of this infection? I launched the ESET ENDPOINT Security antivirus but nothing was found.
Pedro_Roure
Pedro_Roure inside General Topics Tuesday
views 347 1

Captive Portal and HTTPS

Hi, I created a rule to redirect the traffic destined to HTTP and HTTPS ports from a specific network segment to the captive portal (Identity Awareness blade). The rule was created using an Access Role as source (the access role was configured only with the specific network segment). The redirect to the captive portal works perfectly when the user accesses an HTTP (clear-text) site, but when the user accesses an HTTPS (encrypted) site, the redirect does not work (browser tries to connect until timeout). Is there any way to make the redirect to the captive portal work with HTTPS sites? PS: HTTPS Inspection is enabled for all traffic originating from the specific network segment mentioned above.
Thomas_Allen
Thomas_Allen inside General Topics Tuesday
views 206 1

Manage users with Centrify

Is anyone using Centrify to manage their Gaia deployments? We are going to have a POC with Centrify later this month for our servers, databases, etc., and I'm sure there will be a push to also manage the firewalls. I have only started reading about Centrify and Gaia, but it sounds like there are a lot of "gotchas", and not so much benefit. The Centrify deployment would be managed outside of security team, I'm not very fond of giving up control over gateways to another system/group that is not in the security team.