Vladimir
Vladimir inside General Topics 57m ago
views 1232 12

Default and maximum memory per VS in VSX R80.10

Since R80.10 virtual systems are 64-bit, how does the memory allocation per VS instance work in it, and could the amount of RAM for VSs be configured either globally or per VS?
Darren_Fine
Darren_Fine inside General Topics 2 hours ago
views 16

R80.30 broke FTP

Had a client that wanted to use the new URL filtering features of R80.30. Upgraded them on Monday morning (yesterday morning early). They are a media house and they do a lot of file transfers for their content to get printed and posted etc. (yes, I know it should be encrypted with ftps or scp rather, but that is another discussion) and R80.30 seemed to break this entirely.
First, after a couple of hours of troubleshooting, I resorted to allowing any service/any port from the servers sending the FTP traffic. This seemed to quell the issue for a short time, but they still had intermittent failures yesterday afternoon. Furthermore, no changing of active/passive FTP types on the client side made any difference.
Today a lot more was not working and the IT guys were getting a lot of heat, which was being passed down to us. I tried to log a high ticket with TAC etc., but after 2 hours of no traction, and the any service/any port allow not being a viable workaround, we had to revert to the R80.20 snapshots. As soon as the R80.20 snapshots were reverted, all the FTPs from all the servers worked instantly.
So not sure if anyone else out there has R80.30 running and has issues with FTP traffic - let me know.
(I did install R80.30 in our lab and try and recreate the problem in the live environment - but could not. The client is using ISP redundancy with Load Sharing - perhaps this is causing the issue, but no way of knowing now.)
(Also, the drop reasons were for the dynamic ports, as if the firewall did not understand the FTP protocol or the ports it was dynamically assigning, or some cryptic fwpslglue_chain Reason: PSL Drop: xxx yyy xxx yyy. That was not usual or searchable on the knowledgebase or in CheckMates.)
I am a bit sad that my first R80.30 in production was so short lived 😞
Chanatip_Adisak
Chanatip_Adisak inside General Topics 2 hours ago
views 36 1

Anti-Bot is not working as expected

Hi everyone!
I'm testing the Anti-Bot software blade in R80.30 and found something that looks like it does not work as expected. The Security Gateway is able to block definitely with Medium Confidence, but High Confidence does not work and the test site is bypassed. Please see the screenshots and explanations below.
Here are the URLs that I used for the Anti-Bot test:
https://www.threat-cloud.com/test/files/LowConfidenceBot.html
https://www.threat-cloud.com/test/files/MediumConfidenceBot.html
https://www.threat-cloud.com/test/files/HighConfidenceBot.html
http://sc1.checkpoint.com/za/images/threatwiki/pages/TestAntiBotBlade.html
1st screenshot. I have already enabled and configured the profile on Activation Mode; both High and Medium confidence are Prevented, only Low confidence will be detected.
2nd screenshot. Test Anti-Bot with High Confidence by connecting to https://www.threat-cloud.com/test/files/HighConfidenceBot.html (found nothing blocking from the gateway and no logs). The user could access the site.
3rd screenshot. Test Anti-Bot with High Confidence by connecting to https://www.threat-cloud.com/test/files/MediumConfidenceBot.html. The Gateway was able to block this site definitely as expected, because this site is detected as a Medium Confidence level.
4th screenshot. Test Anti-Bot with High Confidence by connecting to https://www.threat-cloud.com/test/files/LowConfidenceBot.html. The Gateway was able to detect this site definitely as expected, because this site is detected as a Low Confidence level.
5th screenshot. Test Anti-Bot with High Confidence by connecting to http://sc1.checkpoint.com/za/images/threatwiki/pages/TestAntiBotBlade.html. The Gateway wasn't able to block this site as expected. And from the logs found, it appears to redirect an action.
My question is: why is the security gateway not able to block the sites https://www.threat-cloud.com/test/files/HighConfidenceBot.html and http://sc1.checkpoint.com/za/images/threatwiki/pages/TestAntiBotBlade.html?
Does anyone have any ideas on this? Really appreciate every comment.
Regards, Sarm
Jose_Rivera
Jose_Rivera inside General Topics 3 hours ago
views 14

AWS BGP Graceful Restart

Does anyone know if AWS supports the BGP "Graceful restart" option?
We have an issue similar to: https://community.checkpoint.com/t5/General-Topics/R80-20-Gaia-ClusterXL-HA-BGP-Routing-Causes-Outage-During/m-p/46820 where we have on-prem ClusterXL GWs uplinked to AWS Direct Connect, and failovers cause a brief outage.
Also, what is the harm in enabling it without first confirming if it is supported/enabled on the peer?
HeikoAnkenbrand
HeikoAnkenbrand inside General Topics 4 hours ago
views 150528 38 146

R80.30 cheat sheet - ClusterXL

Introduction
This overview gives you a view of the changes in R80.30 ClusterXL. All R80.10 and R80.20 changes are contained in this command overview (cheat sheet). You can download the cheat sheet at the end of this article as a PDF file.
Cheat Sheet Chapter
Architecture:
R80.x Security Gateway Architecture (Logical Packet Flow)
R80.x Security Gateway Architecture (Content Inspection)
R80.x Security Gateway Architecture (Acceleration Card Offloading)
R80.x Ports Used for Communication by Various Check Point Modules
Performance Tuning:
R80.x Performance Tuning Tip - AES-NI
R80.x Performance Tuning Tip - SMT (Hyper Threading)
R80.x Performance Tuning Tip - Multi Queue
R80.x Performance Tuning Tip - Connection Table
R80.x Performance Tuning Tip - fw monitor
R80.x Performance Tuning Tip - TCPDUMP vs. CPPCAP
R80.x Performance Tuning Tip – DDoS „fw sam“ vs. „fwaccel dos“
Cheat Sheet:
R80.x cheat sheet - fw monitor
R80.x cheat sheet - ClusterXL
More interesting articles:
Article list (Heiko Ankenbrand)
References
sk56202 - How to troubleshoot failovers in ClusterXL
sk62570 - How to troubleshoot failovers in ClusterXL - Advanced Guide
sk92723 - Cluster flapping prevention
sk43984 - Interface flapping when cluster interfaces are connected through several switches
sk83220 - How to collect ClusterXL debug during boot
sk31499 - How to find out the Multicast MAC Addresses that are associated with Cluster Virtual interfaces
sk92909 - How to debug ClusterXL to understand why a connection is not synchronized
sk55081 - Best practice for manual fail-over in ClusterXL
sk32578 - SecureXL Mechanism
sk33781 - Performance analysis for Security Gateway NGX R65 / R7x
danakatz
inside General Topics 4 hours ago
views 21 1
Employee

Live Webinar, July 24th: Absolute Zero Trust Security

Consider designing your security infrastructure around a Zero Trust Approach? Join us on July 24 for a live webinar where we will cover how you can:
Fully implement all of the seven principles of the Zero Trust security model with Check Point technologies
Use new enterprise and datacenter security gateways to implement Zero Trust networking
Use new security management appliances to implement Zero Trust visibility and analytics
Increase security operational efficiency and save 50% in security manpower
Future proof your security architecture against fifth and sixth-generation cyber-attacks
Register at this link: https://pages.checkpoint.com/webinar-zero-trust-amer.html?
Nicola_Caddeo
Nicola_Caddeo inside General Topics 10 hours ago
views 838 4 1

Configuring 2FA with DynamicID in R77.30 - HTTP Post request to SMS Provider

Hi,
I'd like to configure DynamicID authentication in SSL VPN in order to set up 2FA in an R77.30 environment.
I have already configured the Mobile Access blade and I already have some native applications published. Users are able to reach the portal and to log in by using the first factor.
Based on the documentation, in order to configure the 2FA, I have to type the URL of my SMS provider in the Authentication tab. All variables of the request (credentials of the SMS provider, text of the message and cellphone) must be included in the URL. Ex:
https://gateway.test.com/SMs?user=$USER&password=$PASSWORD&text=$TEXT&phone=$PHONE
Unfortunately, the SMS provider that I'm trying to use needs to receive the credentials in the HEADER of the request. For this reason, I'm not able to configure it.
Do you know if it's possible to modify the header of the HTTP POST call done by the Gateway when it tries to communicate with the SMS provider? I only need to add user and password.
Or is there a feasible alternative to interact with that SMS provider?
Thanks for your attention.
Chanatip_Adisak
Chanatip_Adisak inside General Topics yesterday
views 158 8

When will checkpoint support the Load Sharing mode in either R80.20 and R80.30?

Dear Check Point Team,
Regarding the known issue that ClusterXL R80.20 and above does not support Load Sharing mode: SmartConsole blocks such a configuration with a warning message. I would like to know when it will be fixed and supported as in R80.10.
Regards, Sarm
jc332
jc332 inside General Topics yesterday
views 168 10

Zoom Meeting Issues with SecureXL

Hi there,
We're having issues with Zoom meetings when SecureXL is turned on. The meeting connects and runs fine for ~15 mins before one end will appear to freeze (video and audio) and eventually disconnect (although users usually notice first and restart it themselves before it disconnects). This will repeat itself until we turn SecureXL off.
The thing is, SecureXL can be turned on for a number of days or even weeks with multiple Zoom meetings happening per day before we see any issues. We saw this issue in R77.30 and it remains even since we've migrated to R80.30. I suppose it could still be unrelated or there may of course be something else at play.
Hardware is a pair of 15400 appliances (ClusterXL).
I have a TAC case open but obviously they want logs etc. from the time the issue is occurring, which are hard to provide as the focus was on turning off SecureXL at the time to get the meeting running smoothly, and we can't really turn it back on and risk breaking more meetings due to the nature of them.
I have been trying to reproduce the issue through a pair of 3100s running R80.30 with SecureXL turned on, without success. But obviously there are many differences here (it could be specific to that hardware...).
Obviously we'd rather have it turned on, so I was just wondering if anyone had seen any similar issues and had any advice?
Many thanks in advance.
Josh
Tbgaz
Tbgaz inside General Topics yesterday
views 48 1

Office Mode IP Failure

Hi. A few of our users have had an issue connecting to our VPN; they've been getting the "Office Mode IP Assignment failure - all IP address were allocated or the user is not authorized to receive an IP address from the gateway" error.
From what I can tell, it might be because we don't have enough licenses for everyone to connect. I have used the following commands to get a look at how many licenses are in use:
fw tab -t om_assigned_ips -s
fw tab -t sslt_om_ip_params -s
The affected users have tried connecting via SNX and the Mac Endpoint Security client.
My question is: how can I find out how many licenses we are covered for, or is there another cause for this?
Many thanks.
MKIT_NMG
MKIT_NMG inside General Topics yesterday
views 77 2

Getting error “dropped by fwpslglue_chain Reason: PSL Drop: internal - streaming;"

Hi Team,
We have a 5800 box with R80.20 in Cluster-HA mode. We are facing an issue with some traffic slowness/hangs in our organization. When we checked the logs on the firewall, we found a drop message: “dropped by fwpslglue_chain Reason: PSL Drop: internal - streaming;"
We logged a case with TAC, but they are asking for multiple kernel-level debugs, which require scheduled downtime. We are not in a position to provide any downtime.
Can anyone please help us with this? Let us know if any additional information is required.
Thanks in advance.
Regards, Chandan Singh Rathore
Rick_Rodrix
Rick_Rodrix inside General Topics yesterday
views 65 2

To prevent VPN access from internal network

Hello there!
I've been asked to prevent users from connecting to the VPN from the internal network. Some coworkers, rather than solve an internal software bug, discovered that the software worked if they connect through VPN from the internal network. Yes, it happens.
Is there a way to prevent this from happening? I don't want to allow people to use Endpoint Security VPN from the internal network.
Thanks.
Raj_Khatri
Raj_Khatri inside General Topics yesterday
views 38

RAID Configuration for HP DL380 Gen 10

Looking at deploying a new Multi-Domain Log Server running R80.20 on a DL380 Gen10. I'm aware the new 3.10 kernel eliminates the 2TB array restriction and wanted to know if there are any limitations or recommendations to the RAID configuration.
Cliff_Becker
Cliff_Becker inside General Topics yesterday
views 56

Capsule VPN does not connect after upgrade to R80.30

Has anyone had issues with the Capsule VPN from the Windows store not working after the upgrade to R80.30?
This has happened to me twice now after a customer has upgraded their gateway.
No VPN client works after the upgrade, but I was able to get the Check Point Mobile client to work after removing the VPN settings and then adding them again under the gateway object.
However, the Capsule VPN client fails to connect with the site not responding message.
Wang
Wang inside General Topics yesterday
views 1604 5 1

SSL Medium Strength Cipher Suites Supported

What about a list of moderately strong SSL passwords? Can someone help me?
42873 - SSL Medium Strength Cipher Suites Supported
Here is the list of medium strength SSL ciphers supported by the remote server :
Medium Strength Ciphers (> 64-bit and < 112-bit key, or 3DES)
EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES-CBC(168) Mac=SHA1
ECDHE-RSA-DES-CBC3-SHA Kx=ECDH Au=RSA Enc=3DES-CBC(168) Mac=SHA1
DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES-CBC(168) Mac=SHA1
The fields above are :
{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}