inside General Topics 16m ago
views 5482 160 11

BEYOND - Customer Success Hub

Hi all, as you have probably mentioned, Check Point has changed the look and feel of Support Portal. If you are opening a new request or working with existing ones, you are now using our new Support tool called BEYOND. Guided tool for this tool is available here. Should you have any comments and suggestions, please feel free to express them in the comments.
UPDATE: Thank you very much for the feedback. Just to provide an update on some of the issues reported:
Customers now can see the details of the migrated SRs - all the migrated SRs allow View Previous Updates that show the updates, activities, and attachments.
Users now can access all tickets on the accounts they are connected to (regardless if they or others opened these tickets).
RMAs should be working now.
George_Giorgaki inside General Topics 3 hours ago
views 29 1

Disable SecureXL permanent R80.20

How can I permanently disable SecureXL on R80.20?
Dale_Lobb inside General Topics 5 hours ago
views 54 1 1

Loss of functional parity

Why does it seem that every new CheckPoint release is missing some major portion of the functionality that was present in previous versions?
We are running an R77.30 cluster for our Internet facing firewall. On that cluster we are running most of the Threat Prevention Suite including HTTPS inspection, Threat Extraction and Threat Emulation. We have been "in the process" of upgrading the cluster since September.
Every time we settle on a target version, we get just about up to implementing it, only to discover that the target version is missing some functionality that we really need.
We were quite close to taking the cluster live on R80.20 back in February, but ran into some networking problems the night of go-live and reverted back to R77.30. It turns out that was a good thing, as we were informed a few days later that the SNI hot fix, which I had already requested, was not available for R80.20 and there was no plan to provide it. We really need the SNI hotfix. We had to turn off Probe Bypass because it does not support SNI sites at all, even if the site does not actually use or need SNI. Without Probe Bypass, HTTPS Inspection is not as nicely implemented, and we suffer a slow roil of frustrated users and automated processes whose first connection to a site fails, since the HTTPS inspection engine must inspect the first connection in a 24 hour period to tell if it should inspect or bypass inspection. If the site is on the bypass list, the first connection fails as it had to be inspected in order to tell.
The word in February was that there was no plan to provide the SNI hot fix for R80.20, even though it had been out for some time for R80.10. We were told to either use R80.10 or wait for R80.30, which would be out really soon now. R80.30 would have the SNI hot fix baked in.
So, for various reasons, it turned out the next time we could attempt to implement a cluster upgrade would be the end of May. My boss told me to plan for R80.10 for that date, so we could get the SNI hot fix. In the meantime, R80.30 finally was released to GA.
The new features list for R80.30 is impressive, and it turns out we really need one of those features: R80.30 finally supports the full gamut of encryption protocols for TLS 1.2. We have been seeing a fair number of sites that are configured to only allow these new R80.30 supported encryption protocols. I don't know if the sites are misconfigured, or if they know something that I don't, but I do know that we have had to write a number of HTTPS Inspection Bypass rules because these protocols have not been supported for HTTPS Inspection until now.
So crazy me, I read through all the Release Notes and Limitations and a bunch of other R80.30 docs and then convinced my boss that we should move everything to R80.30. I mean, we still had two weeks left until the scheduled upgrade date: Plenty of time to re-image the new servers and use the fail over management system to upgrade to R80.30 management as well.
So, I was pretty aghast when I found out yesterday that the Mobile Access Portal hot fix, sk113410, is not available for R80.30. The Mobile Access Portal is the front end to the SSL Network Extender, which we use for external vendor and employee access to our internal network. Over half of those users are using browsers other than Internet Explorer. That's a real problem, because without the sk113410 patch, the Mobile Access Portal only supports IE on Windows. There is no mention of this lack of an sk113410 patch in the R80.30 Limitations document. The SK article for sk113410 was updated yesterday, after my call on the subject to CheckPoint TAC, stating that there would be no hot fix for R80.30 until Q3 or Q4 2019.
Look, I understand the software development cycle and the need to fork the code somewhere in order to start on the new version. But when you have added functionality in widely used hot fixes already available for prior releases, it seems to me you should either plan to incorporate the hot fixes into the forked code base, as they did with the SNI hot fix for R80.30, or develop a version of the hot fix for the new version before general release.
I am so frustrated with CheckPoint right now.... I had to go back to my boss and explain that we would not be able to go to R80.30 after all. So, now we are back to R80.10 for our end of the month upgrade. I sure look stupid. My boss' comment was: "Why do they keep doing this? I don't remember ever having similar issues with Cisco or Palo Alto firewalls at previous jobs."
Why does CheckPoint keep releasing new versions without functional parity with prior releases?
HeikoAnkenbrand inside General Topics yesterday
views 16

Check Inbound and Outbound TCP Sequence Numbers on R80.20+

Incoming and outgoing TCP sequence numbers should not be changed at the Check Point firewall. I have always asked myself how this can be explained and I have come to the following solution! This can be checked with the following one-liner:
fw ctl zdebug + packet |grep -A 5 "==I\|==O" |grep -B 5 '<IP-ADDRESS>' |grep "==I\|==O\|Device"
Change the <IP-ADDRESS> in the one-liner to your device. Please note that "fw ctl zdebug" can cause performance problems on firewalls. More see here: "fw ctl zdebug" Helpful Command Combinations
HeikoAnkenbrand inside General Topics yesterday
views 5111 15 2

R80.10 User-Mode Firewall and performance impact

A question to the R&D. When I switch a firewall from kernel mode to user mode, does this have a performance impact? Is it better for the performance to enable user mode on a firewall or not? Does it make sense to enable user mode even for a few cores? Enable user mode:
> cpprod_util FwSetUsermode 1
> reboot
More to user mode here: How to enable USFW (User-Mode Firewall) on a 23900 appliance
HeikoAnkenbrand inside General Topics yesterday
views 6905 12 20

R80.20 - IP blacklist in SecureXL

Controls the IP blacklist in SecureXL. The blacklist blocks all traffic to and from the specified IP addresses. The blacklist drops occur in SecureXL, which is more efficient than an Access Control Policy to drop the packets. This can be very helpful e.g. with DoS attacks to block an IP on SecureXL level. For example, the traffic from and to IP should be blocked at SecureXL level.
On gateway set the IP to SecureXL blacklist:
# fwaccel dos blacklist -a
On gateway displays all IPs on the SecureXL blacklist:
# fwaccel dos blacklist -s
On gateway delete the IP from SecureXL blacklist:
# fwaccel dos blacklist -d
Very nice new function in R80.20!
Furthermore there is also the Penalty Box whitelist in SecureXL. The SecureXL Penalty Box is a mechanism that performs an early drop of packets that arrive from suspected sources. The purpose of this feature is to allow the Security Gateway to cope better under high traffic load, possibly caused by a DoS/DDoS attack. The SecureXL Penalty Box detects clients that send packets, which the Access Control Policy drops, and clients that violate the IPS protections. If the SecureXL Penalty Box detects a specific client frequently, it puts that client in a penalty box. From that point, SecureXL drops all packets that arrive from the blocked source IP address. The Penalty Box whitelist in SecureXL lets you configure the source IP addresses, which the SecureXL Penalty Box never blocks.
More under this link: Command Line Interface R80.20 Reference Guide
Regards, Heiko
John_Pinegar inside General Topics yesterday
views 85 2

High PEPD CPU After Upgrading to R80.10 HFA 189

Has anyone else seen high CPU on the PEPD process after upgrading to HFA take 189 on R80.10? I had to uninstall and revert back to my previous HFA (take 121). I was seeing 50-60% increased CPU usage overall and dropped traffic to my VPNs (although the VPNs themselves seemed to be staying up).
Jason_Carrillo inside General Topics yesterday
views 194 3

Identity Agent - Distributed Configuration

Hey Checkmates, Anybody out there have any experience configuring and deploying SSO capable Identity Agents for Check Point? The documentation is leaving a little to be desired. We think we have AD set up and ready for the pertinent firewalls, but I'm at a loss as to what the "Identity Servers" are and how to actually create the installer that I can deploy that is ready to go. Thanks!
GreyOwl inside General Topics yesterday
views 45 1 1

AppControl does not block TeamViewer

Hello, we have a very strange problem. I created AppControl rule blocking TeamViewer. After policy installation, it shows in logs that TeamViewer is blocked successfully. But it continues to work! In other words, TeamViewer is blocked only in logs. We tried to drop/block other apps for testing (WhatsApp for ex) and everything is working OK. Does anyone have any idea what's happening and how to solve it? Thanks.
Kim_Moberg inside General Topics Tuesday
views 109 3

R80.30 GA Installation experience

Hi CheckMates, I just want to share my positive experience after upgrade to R80.30 GA and when talking with TAC support they provided a very professional and competent as well fast resolution to issues found.
First Gateway Mgmt server was upgraded from R80.20 GA to R80.30 GA first release. Was unable to login with admin Gaia user but administrative users worked. Solution was fast - tried to recreate admin account using CLI 'cpconfig'.
Endpoint Mgmt server upgraded from R80.20 GA to R80.30 issues with the upgrade everything worked fine.
Upgraded a cluster running R80.20 GA with JHF to solve SK147493 - "After Upgrade to R80.30 - Unable to connect to the Standby Cluster member from a non-local subnet via SSH or WebUI". After running R80.30 GA problem came back again. Reached out to TAC and very fast an update was ready and problem solved.
Anyone else experience any issues after the upgrade or just a possible experience with TAC support? Looking forward to hear from you.
Takashi_Suzuki inside General Topics Tuesday
views 45 1

About automatic update of a license signature

Hi, Team. Although who was operating nothing on UserCenter, the signature part of the license installed in the appliance currently operation had changed. Is there any function in which the license installed in the appliance is updated automatically?
* This signature is the thing of the part of a license like [aTFvAfpKy-tf8...].
* [IPaddress / expiration / Features] had not changed.
In this case, isn't off-line environment affected?
* In an off-line environment, the contract is periodically outputted from UserCenter and imported by the file format manually.
Doesn't inconsistent occur in a license and a contract?
ashish_verma inside General Topics Tuesday
views 2665 5

Natting to an IP range not directly connected

I am trying to do natting by creating object with IP address which is in subnet not connected to firewall-1 and natting it to an IP address that is also not connected. In fw monitor it is only showing pre-in. How can I do so? Thanks in advance.
Martin_Oles inside General Topics Tuesday
views 245 5

Duplicate services - which will be used?

Hi, recently I came across behavior, where supposedly permitted traffic is dropped by protocol handler. In my case I do have defined duplicated service objects for snmp, udp/161. First is default service object snmp, port udp/161 with no Protocol Type set. Second service object is also port udp/161 with Protocol Type: SNMP_V3. Both objects are set "Match for Any", and both objects are used in a rule, which permits SNMP for monitoring.
Some SNMPv2 packets are permitted when matching rule, but dropped by protocol handler:
;[cpu_2];[fw4_3];fw_log_drop_ex: Packet proto=17 -> dropped by fwpslglue_chain Reason: PSL Drop: ASPII_MT;
Being aware that such is not ideal situation, I still wonder how INSPECT will decide which service parameters will be used for traffic? How then is traffic handled in a situation where duplicity in service objects exists and in a rule is used "any" for service?
Thank you for tips to documentation or SKs related.
Oscar_David_Gom inside General Topics Tuesday
views 28 1

Tunnel sharing option for VPN

Hi, this is a fast question: which do you consider as the best option to configure tunnel sharing on a VPN between Google cloud and on premise checkpoint appliance? Thanks.
CCL_TAC inside General Topics Tuesday
views 32 2

Smart event report doesn't display resolved names

Hello, the reports generated by Smart event in R80.10 don't display the DNS names and only show the IP addresses. DNS server is configured on the Smart event object on the dashboard. Is there any other setting I need to modify? Thanks