Valeri_Loukine
inside General Topics 14m ago
views 5743 41 1
Admin

Propose your Idea of the Year!

Yes, it is this time of year again. Same as one year ago, we turn to the community and ask you, good folks, to propose the idea of the year. Or, better: The Idea Of The Year! The rules are the same as before: it is about ideas that you wish Check Point would develop into a product/service offering, or improvements to existing ones. Do you think we miss something important, or that we should consider expanding our product portfolio, feature set or functionalities, get to a completely new playground, or change the rules of the game? Tell us NOW!

A few disclaimers/notes:
- There are no guarantees that any idea suggested will be developed, even the "Idea Of The Year".
- From the suggestions below, we will choose 3-5 ideas which will be put up for voting later on.
- Preference will be given to ideas that come from customers and partners, though employees are welcome to participate as well.
- "Likes" and "discussion" around specific ideas will influence (but not wholly determine) the final list, so if you like something someone has suggested, let it be known!
- @Dorit_Dor and R&D leaders will choose the best ideas, and if you win, you will get a prize! What prize? We will tell you later.

Get creative, use your imagination and PROPOSE!
Vladimir
Vladimir inside General Topics 16m ago
views 85 2

0-Phishing functionality on the gateways

Does the URL filtering with IPS and TE enforce 0 Phishing capability on the gateways? I mean, if we have the HTTPS inspection and categorization enabled on R80.30, would the new phishing sites be identified dynamically?
Albert_Chang
Albert_Chang inside General Topics yesterday
views 60 2

Packets from IPSec tunnel were dropped. It seems there is an issue on the coreXL connections table

Our security gateway sometimes drops packets from an IPsec tunnel. The workaround is usually to reinstall policy, and the issue will be fixed for a few days. Using "fw ctl zdebug drop" to capture the drop message, it says "failed to resolve SA (VPN Error code 01)". But in the kernel debug, it looks like it cannot find the connection in the connections table. Has anyone encountered a similar issue and found a solution? Thanks in advance!

;20Jun2019 3:30:27.466084;[cpu_1];[fw4_2];fwconn_lookup: not found in connections table;
;20Jun2019 3:30:27.466088;[cpu_1];[fw4_2];forward_if_not_mine: forwarded to another instance (rc=0);
....
;20Jun2019 3:30:27.466102;[cpu_1];[fw4_2];fwconn_key_lookup_ex: conn 10.13.1.29:0 IPP 10,0,0,0,0,UUID: 00000000-0000-0000-00-0-0-0-0-0-0-0, 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0> not found in connections table;
.....
;20Jun2019 3:30:27.466268;[cpu_1];[fw4_2];fwconn_key_lookup_ex: conn 172.28.0.126:15 IPP 10,0,0,0,0,UUID: 00000000-0000-0000-00-0-0-0-0-0-0-0, 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0> not found in connections table;
;20Jun2019 3:30:27.466282;[cpu_1];[fw4_2]; vpnk_conn_log: in the kernel - calling fwchainlog_delayed_rulebase_log with alert -1 ;
;20Jun2019 3:30:27.466284;[cpu_1];[fw4_2]; action = 0 schemename = IKE user = methods = ESP: AES-256 + SHA384 + PFS (group 2) fail_reason = Encryption/Decryption failure, failed to resolve SA (VPN Error code 01) xpo_loghandle = 0 community_loghandle = 0
sysad1929
sysad1929 inside General Topics yesterday
views 73 4

Management IP address after factory reset

Has anyone experienced factory resetting R80.20 to default, both by pressing the factory button and/or via the boot menu, where it did not revert the admin password to default? I tried the factory reset 5 times but still no luck; it keeps saying "Invalid login". I can try booting from USB, but it is weird that this happened. I performed a factory reset on the same model 3200, but a different device, and it works fine.
GGiorgakis
GGiorgakis inside General Topics yesterday
views 80 1

Top critical issues for R80.20

Address the top critical issue that you faced for R80.20?
Chris_Sanduliak
Chris_Sanduliak inside General Topics Friday
views 66 2

CP5600 Memory Exhaustion

We have a couple of CP5600s operating in different locations with very similar configurations. The load is about the same. Each is running R80.10 - T189. Location B is stable and running without issues, but at Location A we have to reboot about once every 45 days due to memory issues. Whatever is happening affects the dataplane, i.e. the FW stops forwarding packets.

This is the memory output for Location A:

System Capacity Summary:
  Memory used: 77% (4455 MB out of 5731 MB) - below watermark
  Concurrent Connections: 10410 (Unlimited)
  Aggressive Aging is enabled, not active

Hash kernel memory (hmem) statistics:
  Total memory allocated: 3737321472 bytes in 912432 (4096 bytes) blocks using 14 pools
  Initial memory allocated: 599785472 bytes (Hash memory extended by 3137536000 bytes) - 3.1GB?
  Memory allocation limit: 4806672384 bytes using 512 pools
  Total memory bytes  used:          0   unused: 3737321472 (100.00%)   peak: 3426386556
  Total memory blocks used:          0   unused:     912432 (100%)      peak:     861288
  Allocations: 4163792559 alloc, 0 failed alloc, 4140371486 free

System kernel memory (smem) statistics:
  Total memory  bytes  used: 4598247500   peak: 4608745920
  Total memory bytes wasted: 3721660
    Blocking  memory  bytes   used:    4784944   peak:    9567848
    Non-Blocking memory bytes used: 4593462556   peak: 4599178072
  Allocations: 13741524 alloc, 0 failed alloc, 13738637 free, 0 failed free
  vmalloc bytes  used: 4588389496 expensive: no

Kernel memory (kmem) statistics:
  Total memory  bytes  used: 4143730832   peak: 4231943656
  Allocations: 4177522403 alloc, 0 failed alloc
               4154099588 free, 0 failed free
  External Allocations: 16896 for packets, 88628453 for SXL

Cookies:
        3778625491 total, 0 alloc, 0 free,
        150073 dup, 300575262 get, 2794359219 put,
        2072999334 len, 2707089222 cached len, 0 chain alloc,
        0 chain free

Connections:
        388319874 total, 136725382 TCP, 231455561 UDP, 19560665 ICMP,
        578266 other, 30721 anticipated, 195046 recovered, 10410 concurrent,
        159214 peak concurrent

Fragments:
        1118953332 fragments, 2706956154 packets, 3456 expired, 0 short,
        0 large, 0 duplicates, 848 failures

NAT:
        67013/0 forw, 52962/0 bckw, 982 tcpudp,
        0 icmp, 5906-17579 alloc

Sync: off

[Expert@LocationA:0]# free -m
             total       used       free     shared    buffers     cached
Mem:          7744       7580        164          0        333       1837
-/+ buffers/cache:       5409       2334
Swap:        18394          0      18394

This is Location B:

System Capacity Summary:
  Memory used: 9% (539 MB out of 5731 MB) - below watermark
  Concurrent Connections: 8560 (Unlimited)
  Aggressive Aging is enabled, not active

Hash kernel memory (hmem) statistics:
  Total memory allocated: 599785472 bytes in 146432 (4096 bytes) blocks using 1 pool
  Total memory bytes  used:          0   unused:  599785472 (100.00%)   peak:  274277488
  Total memory blocks used:          0   unused:     146432 (100%)      peak:      69627
  Allocations: 1607331344 alloc, 0 failed alloc, 1607117916 free

System kernel memory (smem) statistics:
  Total memory  bytes  used:  967638752   peak:  986044552
  Total memory bytes wasted: 4180014
    Blocking  memory  bytes   used:    5820820   peak:   14955252
    Non-Blocking memory bytes used:  961817932   peak:  971089300
  Allocations: 151132250 alloc, 0 failed alloc, 151129180 free, 0 failed free
  vmalloc bytes  used:  956763424 expensive: no

Kernel memory (kmem) statistics:
  Total memory  bytes  used:  401812380   peak:  640749756
  Allocations: 1758439658 alloc, 0 failed alloc
               1758224295 free, 0 failed free
  External Allocations: 76032 for packets, 89765022 for SXL

Cookies:
        1450833429 total, 836424 alloc, 836424 free,
        251 dup, 433718314 get, 2695578081 put,
        2263227759 len, 2298121504 cached len, 0 chain alloc,
        0 chain free

Connections:
        1628040697 total, 660800638 TCP, 927853823 UDP, 39386225 ICMP,
        11 other, 288832 anticipated, 441738 recovered, 8560 concurrent,
        161987 peak concurrent

Fragments:
        302418965 fragments, 2297426537 packets, 2476610 expired, 0 short,
        0 large, 0 duplicates, 1969 failures

NAT:
        0/0 forw, 0/0 bckw, 0 tcpudp,
        0 icmp, 0-27257 alloc

Sync: off

[Expert@locationB:0]# free -m
             total       used       free     shared    buffers     cached
Mem:          7744       7555        189          0        419       4896
-/+ buffers/cache:       2239       5504
Swap:        18394          0      18394

The only difference I can find between the two is that Location A is using extended memory hash tables, but I don't know what would cause this behavior?
Maik
Maik inside General Topics Friday
views 2602 19 6

TCP SACK PANIC - Kernel vulnerabilities | Check Point affected?

Hello, I just wanted to ask for a statement from Check Point regarding CVE-2019-11477, CVE-2019-11478 & CVE-2019-11479. As Red Hat posted a statement and mentioned that several releases are affected, my guess is that Check Point with GAiA is affected too (as it is based on RH Linux...). Details can be read below:
https://access.redhat.com/security/vulnerabilities/tcpsack
Regards,
Maik
HeikoAnkenbrand
HeikoAnkenbrand inside General Topics Friday
views 8777 21 23

R80.20 - IP blacklist in SecureXL

Controls the IP blacklist in SecureXL. The blacklist blocks all traffic to and from the specified IP addresses. The blacklist drops occur in SecureXL, which is more efficient than using an Access Control Policy to drop the packets. This can be very helpful, e.g. with DoS attacks, to block an IP at SecureXL level.

For example, the traffic from and to IP 1.2.3.4 should be blocked at SecureXL level.

On the gateway, add the IP 1.2.3.4 to the SecureXL blacklist:
# fwaccel dos blacklist -a 1.2.3.4

On the gateway, display all IPs on the SecureXL blacklist:
# fwaccel dos blacklist -s

On the gateway, delete the IP 1.2.3.4 from the SecureXL blacklist:
# fwaccel dos blacklist -d 1.2.3.4

Very nice new function in R80.20!

Furthermore, there is also the Penalty Box whitelist in SecureXL. The SecureXL Penalty Box is a mechanism that performs an early drop of packets that arrive from suspected sources. The purpose of this feature is to allow the Security Gateway to cope better under high traffic load, possibly caused by a DoS/DDoS attack. The SecureXL Penalty Box detects clients that send packets which the Access Control Policy drops, and clients that violate the IPS protections. If the SecureXL Penalty Box detects a specific client frequently, it puts that client in a penalty box. From that point, SecureXL drops all packets that arrive from the blocked source IP address. The Penalty Box whitelist in SecureXL lets you configure the source IP addresses which the SecureXL Penalty Box never blocks.

More under this link: Command Line Interface R80.20 Reference Guide

Regards,
Heiko
Oscar_David_Gom
Oscar_David_Gom inside General Topics Friday
views 89 1

VSX VPN with AWS

Hi, I have an R80.10 VSX cluster; one of my VSs is managing our VPNs. Today I received a request to create a VPN against AWS. They sent us a txt file generated from AWS which indicates the step by step for creating it. The problem started with the first step, creating a tunnel interface: as we are using VSX, that is not supported, so what we did was:

1. Creating a Star community.
2. Add as the center my VS, and for the satellite the interoperable device configured as usual (public IP, encryption domain, etc.).
3. Setting parameters of encryption, etc. as said by the txt configuration file from AWS:
   1. Under Security Policies choose "VPN Communities" and click "New", "Star Community".
   2. Choose "General" and provide a name: vpn-0a265dfe8bec93511.
   3. For "Center Gateways", add your gateway or cluster.
   4. For "Satellite Gateways", add the interoperable devices that you created before.
   5. For "Encryption", choose "IKEv1 only".
   6. In the "Encryption Suite" section, choose "Custom", "Custom Encryption".
   7. Configure the properties as follows:
      Phase 1 Properties - Internet Key Exchange (IKE)
      a. Perform key exchange encryption with: aes128
      b. Perform data integrity with: sha1
      Phase 2 Properties - IPSEC
      a. Perform IPsec data encryption with: aes128
      b. Perform data integrity with: sha1
   8. For "Tunnel Management", choose "Set Permanent Tunnels", "On all tunnels in the community".
   9. In the "VPN Tunnel Sharing" section, choose "One VPN tunnel per Gateway pair".
   10. Expand "Advanced Settings". For "Shared Secret": *************
   11. For "Advanced VPN Properties", configure the properties as follows:
      IKE (Phase 1)
      a. Use Diffie-Hellman group: 2
      b. IKE SA lifetime: 28800 seconds
      IPSEC (Phase 2)
      a. Use Perfect Forward Secrecy: Checked
      b. IPSEC SA Lifetime: 3600 sec
   12. Click OK to close the VPN Window.
4. Configuring the tunnel_keep_alive method for DPD.
5. Creating the rule.
6. Installing policies.

Result: the VPN is always down. So my question is, how do I configure a VPN against Amazon when I'm using VSX?

Thanks.
kobilevi
kobilevi inside General Topics Friday
views 84 1

checking policy creator and history

Hello (: Does anyone know how to check in Gaia R80.10 who created a rule in the policy, and when? Thanks
Di_Junior
Di_Junior inside General Topics Friday
views 3297 17

Check Point Clustering between two Datacenters

Dear Mates, we are currently experiencing routing asymmetry on our infrastructure, and we are trying to find possible solutions that could help us solve the problem. I would like to know whether there is a limitation in terms of creating a Check Point cluster over two geographically separated datacenters (a few kilometers away from each other). Are there any distance constraints? If there is no distance constraint: since the current version of Gaia we are using (R80.20) does not support load sharing, we do not intend to have 4 appliances in a cluster while only one is taking all the traffic. Can Maestro be used in order to take advantage of the 4 appliances? The rationale for this question is that we are thinking of turning the 4 Check Point appliances into a single cluster. Thanks in advance
Wolfgang
Wolfgang inside General Topics Friday
views 788 4

2200 appliance R80.20 failure

Dear folks,
we have been running R80.20 on a 2200 appliance for 2 months without problems. This week some problems occurred. We got a lot of errors like these:

Jun 13 11:19:25 2019 XXXXX kernel: [fw4_0];fwmutlik_do_sequence_accounting_on_entry: bad dir -1 (gconn_segment=1 flags=1 opcode=15)
Jun 13 11:19:26 2019 XXXXX kernel: [fw4_0];fwmutlik_do_sequence_accounting_on_entry: bad dir -1 (gconn_segment=1 flags=1 opcode=15)
Jun 13 11:19:26 2019 XXXXX kernel: [fw4_0];fwmutlik_do_sequence_accounting_on_entry: bad dir -1 (gconn_segment=0 flags=1 opcode=15)

If we restart the appliance, it can't install policy (policy install failed) and the default policy is loaded. A manual fw fetch after restart loads the actual policy, but the errors shown above occur again after some minutes. Any ideas, or has anyone seen this error anywhere?
Wolfgang
Hugo_Marques
Hugo_Marques inside General Topics Thursday
views 3714 6 1

R80.20 SecureXL drop template support

Hi, I was reading the "Performance Tuning Administration Guide R80.20" and passed by something that made me think about some upgrades to R80.20 that I will need to do in the next months, and push them forward until this is supported, at least on 2 of them that have a good amount of traffic dropped by SXL. The drop template feature on SXL is still not supported. Does anyone know when it will be supported? Mid 2019?
Regards
GreyOwl
GreyOwl inside General Topics Thursday
views 93 2 1

AppControl do not block Teamviewer

Hello, we have a very strange problem. I created an AppControl rule blocking TeamViewer. After policy installation, the logs show that TeamViewer is being blocked successfully. But it continues to work! In other words, TeamViewer is blocked only in the logs. We tried to block other apps for testing (WhatsApp, for example) and everything works OK. Does anyone have any idea what's happening and how to solve it? Thanks.
HEnRY
HEnRY inside General Topics Thursday
views 982 5

DHCP on Check Point 3200

Hello Mates, kindly assist. I have my Gaia R80.10 device up and running in production.
1. At the moment I am using static IP address config to assign IP addresses to end users.
2. I want users to get DHCP addresses automatically.
3. I have used sk92768 but was not successful.
4. I don't have an external DHCP server.
Kindly assist.