Showing results for 
Search instead for 
Did you mean: 
Create a Post
KWD inside General Topics 28m ago
views 5

Site to Site VPN between 2 Checkpoint Gateways and a Checkpoint SMS

Hello,I am trying to connect two gateways, a 3200 (remote) and a 12400 local to the SMS (virtual) by a site to site VPN. Phase 1 IKE appears to succeed from the 12400 to the 3200. Phase 2 fails. The ike.elg file states INVALID-CERTIFICATE. We tried renewing the certificate, modifying the $FWDIR/conf/masters file on the remote gateway and adding a rule from the remote gateway to the SMS for FW1_ica_services. None of these have fixed the problem. Does anyone know what the problem is?Thanks
Yoni-Indeni inside General Topics 3 hours ago
views 206 6

Are you in an R77.30 Upgrade Rush?

A few months ago, the vast majority of Check Point firewalls out there were still running R77.30*. As the time progressed, we slowly saw people upgrading their firewalls to R80.10 and later. However, in the month of August, we saw a massive acceleration in upgrades**, in anticipation of the End of Support for R77.30 in September.This raised a few questions:1. Why are so many people waiting for the last minute to upgrade? Some may even go beyond the Sep 30th date.2. What can be done to avoid this from happening again in the future? ---------------------------------* Our data comes from Indeni Insight, which receives non-confidential data about the devices in use by our customers. These are mostly large enterprises in North America, with deployments of at least 100 firewalls.** Massive acceleration: 40% of all upgrades to R80.20, up to Aug 15 2019, occurred in the first two weeks of August. Again, this is based on just our data.
Furil inside General Topics 3 hours ago
views 21

R80.20-R80.30 ClusterXL vlan monitoring

Hello,I cannot find any discussion about the fact that in OS R80.20 and R80.30 admin guide in the section "vlan support in clusterXL" monitor all vlan id is no longer supported. I would like to understand why 🙂Any other way to monitor all vlan then ?Can someone help ? Thank you Best regards;Furil
Kamiar_Sh inside General Topics 5 hours ago
views 33 3

upgrading security gateways in a cluster from R77.30 to R80.20

Hi All,I have upgraded my cluster R77.30 to R80.20 last week and I faced an issue after upgrading as follow:Unix server couldn`t send files to FTP server via FTP passive mode and after 2, 3 hours troubleshooting I disabled the SecureXL and issue resolved so do you have any suggestion or thought?Thanks
sajin inside General Topics 5 hours ago
views 46 3

Traffic from FW takes External IP

HI,We need to configure all firewall in the remote location with Centralized NTP. NTP is in HO and we are connecting remote sites only through VPN. Remote Firewalls are not able to connect to NTP and not able to ping. In the tracker we identified the Remote Firewall takes its External Public IP as the source and is dropped in the HO FW, as encryption domain IP is only allowed.The firewall is configured with HO DNS and nslookup from the Remote FWs is resolving with the HO DNS .All other communication other than nslookup is taking the Public IP to reach HO DNS.
Jain_Raj inside General Topics 6 hours ago
views 771 10 2

Zero Downtime Upgrade From R77.30 to R80.20

As this is a season of R80 Upgrade, just sharing my experience of recent upgrades in the live environment from R77.30 to R80.20 without any service down1.Upgrade the DA Agent to the latest version2.Upload the R80.20 Image through CPUSE and verify for any errors3. In CMA cluster Properties, Select Maintain current cluster Active member4.Upgrade on the current standby FW(CPUSE) and let it Reboot5. Once rebooted, Change the Gateway Object to R80.20 version(It will change for all 3 objects)6.Install policy(Uncheck the option- For gateway clusters, if installation on a cluster member fails, do not install on that cluster)7. Check the HA in new version FW,(HA module not started or it may be Ready)8. Now do the upgrade in another gateway, During a reboot, the other pair on HA not started/Ready will become Active9.No service Interruption and the other FW will take HA Active10.Reinstall policy by again (Uncheck) the optionNow verify both status and do a final Policy Installation by "Keep Check" the actions11. Now Install the Hotfix.R80.20 Jumbo Hotfix Accumulator General Availability(Take 87)
Patricio_Gavila inside General Topics 9 hours ago
views 1459 7

Messages of mux error on a cluster (active-standby) in r80.20

Hi all,I have a Lenovo System x3650 M5 (compatibility matrix) with GAIA r80.20 (jumboHF take 80) in distributed deployment. The server firmware is updated to the last level, and with the r77.30 version works great. I have many problems with the Internet, for example, images and Office 365 emails take too long to load, even when the user is in an unrestricted rule. This did not happen with r77.30. In active Gateway shows error messages in file /var/log/messages: Jun 12 14:19:57 2019 FW-NODO1 kernel: [fw4_4];mux_task_handler: ERROR: Failed to handle task. task=ffffc20085221670, app_id=1, mux_state=ffffc20092970c00.Jun 12 14:19:57 2019 FW-NODO1 kernel: [fw4_4];mux_soc_result_handler: ERROR: Failed to handle task queue. mux_opaque=ffffc20092970c00.Jun 12 14:19:57 2019 FW-NODO1 kernel: [fw4_4];tls_main_send_record_layer_message: mux_soc_result_handler failedJun 12 14:19:58 2019 FW-NODO1 kernel: [fw4_4];mux_task_handler: ERROR: Failed to handle task. task=ffffc2008275e530, app_id=1, mux_state=ffffc2005f6a5c00.Jun 12 14:19:58 2019 FW-NODO1 kernel: [fw4_4];mux_soc_result_handler: ERROR: Failed to handle task queue. mux_opaque=ffffc2005f6a5c00.Jun 12 14:19:58 2019 FW-NODO1 kernel: [fw4_4];tls_main_send_record_layer_message: mux_soc_result_handler failedJun 12 14:19:58 2019 FW-NODO1 kernel: [fw4_4];mux_task_handler: ERROR: Failed to handle task. task=ffffc2011e77b7b0, app_id=1, mux_state=ffffc200d97bfc00.Jun 12 14:19:58 2019 FW-NODO1 kernel: [fw4_4];mux_soc_result_handler: ERROR: Failed to handle task queue. mux_opaque=ffffc200d97bfc00.Jun 12 14:19:58 2019 FW-NODO1 kernel: [fw4_4];tls_main_send_record_layer_message: mux_soc_result_handler failedJun 12 14:19:59 2019 FW-NODO1 kernel: [fw4_3];mux_task_handler: ERROR: Failed to handle task. task=ffffc200a775bfb0, app_id=1, mux_state=ffffc2027cc1a420.Jun 12 14:19:59 2019 FW-NODO1 kernel: [fw4_3];mux_soc_result_handler: ERROR: Failed to handle task queue. mux_opaque=ffffc2027cc1a420.Jun 12 14:19:59 2019 FW-NODO1 kernel: [fw4_3];tls_main_send_record_layer_message: mux_soc_result_handler failedJun 12 14:19:59 2019 FW-NODO1 kernel: [fw4_3];mux_task_handler: ERROR: Failed to handle task. task=ffffc200aa947b30, app_id=1, mux_state=ffffc200dffa5810.Jun 12 14:19:59 2019 FW-NODO1 kernel: [fw4_3];mux_soc_result_handler: ERROR: Failed to handle task queue. mux_opaque=ffffc200dffa5810.Jun 12 14:19:59 2019 FW-NODO1 kernel: [fw4_3];tls_main_send_record_layer_message: mux_soc_result_handler failedJun 12 14:20:00 2019 FW-NODO1 kernel: [fw4_2];mux_task_handler: ERROR: Failed to handle task. task=ffffc2007f670b30, app_id=1, mux_state=ffffc200c6950420.Jun 12 14:20:00 2019 FW-NODO1 kernel: [fw4_2];mux_soc_result_handler: ERROR: Failed to handle task queue. mux_opaque=ffffc200c6950420.Jun 12 14:20:00 2019 FW-NODO1 kernel: [fw4_2];tls_main_send_record_layer_message: mux_soc_result_handler failedJun 12 14:20:01 2019 FW-NODO1 kernel: [fw4_5];mux_task_handler: ERROR: Failed to handle task. task=ffffc20122ccdb70, app_id=1, mux_state=ffffc20068218810.Jun 12 14:20:01 2019 FW-NODO1 kernel: [fw4_5];mux_soc_result_handler: ERROR: Failed to handle task queue. mux_opaque=ffffc20068218810.Jun 12 14:20:01 2019 FW-NODO1 kernel: [fw4_5];tls_main_send_record_layer_message: mux_soc_result_handler failedJun 12 14:20:02 2019 FW-NODO1 kernel: [fw4_5];cpas_newconn_ex : called upon something other than tcp SYN. Aborting My question is if anyone knows if it is possible to deactivate the mux?. Otherwise I will rollback to r77.30.My concern is: because Check Point sells a poorly tested product and even more wants to force customers to migrate from r77.30 to r80, knowing that the r77.30 version is the best they have had in many years. The r80 version has too many problems, but even in cluster, the truth is impressive the failures of the product. Thanks,Patricio G.
HeikoAnkenbrand inside General Topics 11 hours ago
views 299 9 8

Update R80.20+ Security Gateway Architecture (Logical Packet Flow)

Flowchart news in R80.20 and above SecureXL has been significantly revised in R80.20. This has also led to some changes in "fw monitor". There are new fw monitor chain (SecureXL) objects that do not run in the virtual machine. Now SecureXL works in part in user space. The SecureXL driver takes a certain amount of kernel memory per core and that was adding up to more kernel memory than Intel/Linux was allowing. The packet flow in R80.20+ is a little bit different from the flow lower than R80.20. Now it is possible to use async SecureXL and other new functions. This figure shows the new features with the reinjection of SecureXL packages. SecureXL supportes now also Async SecureXL with Falcon cards. That's new in acceleration high level architecture (SecureXL on Acceleration Card): Streaming over SecureXL, Lite Parsers, Scalable SecureXL, Acceleration stickiness... More informations here: R80.x Security Gateway Architecture (Logical Packet Flow) Whats new in R80.20+: Now there are several SecureXL instances possible. As a result, packets are reinjected with the new SecureXL ID into the correct SecureXL instance again after they have been allowed by access template or rule set. After the packet has been reinjected, the SecureXL ID is added to the SecureXL connetion table and the packet is forwarded to the correct SecureXL instance. Therefore the flow is slightly different to older version before R80.20. This new mechanism also offers the possibility to transfer packets into a new SecureXL instance on Falcon cards. PXL vs. PSLXL - Technology name for combination of SecureXL and PSL. PXL was renamed to PSLXL in R80.20. This is from my point of view the politically correct better term. For the new acceleration Falcon card architecture with R80.20+ and SecureXL offloading read this article: R80.x Security Gateway Architecture (Acceleration Card Offloading):
Carlos_Arzate inside General Topics 14 hours ago
views 115 6

Vsx R80. 30

We have an environment with 2 12000 in Ha and they are VSX. It has 5 virtual instances. Ii it advisable to instala R80. 30 to improve performance? Keep in mind that every 12K has only 4 cores. Regards
Antony inside General Topics yesterday
views 79 2

application control can't block chrome remote desktop

Recently, We want to block all remote administration applications like chrome remote desktop. We enabled the application control blade in existing 4210 R77.30 and block all remote administration applications. But it seem not work.Antony
inside General Topics yesterday
views 70

TechTalk - Utilizing the Check Point API to Automate Operations

Join our next TechTalk on September 11, 2019. In this session, Rafi Zvi will talk about use of Check Point APIs for automation, covering the following topics: Learn how to work with the Check Point API to push configuration changes, automate upgrades and jumbo fix installs and manipulate the security policy. Understand how to work with the new Smart Dashboard Extensions to populate relevant 3rd party data. Monitor and query the CPView database to visualize critical resource and performance data over time. Register here Rafi Zvi brings over 20 years of experience in the technology sector to the BackBox leadership. He has grown BackBox to become a global player and a leading provider of solutions for automated backup and recovery software for network and security devices.
HeikoAnkenbrand inside General Topics yesterday
views 2983 6 1

When does the R80.40 EA phase start?

Is there any information about R80.40 EA? When does the EA80.40 EA phase start? Regards Heiko
inside General Topics yesterday
views 1698 12 5

R80.30 – default version (widely recommended)

As of today, R80.30 take 200 with Jumbo Hotfix Accumulator take_19 (as described in sk153152) is the default version (widely recommended) for all deployments. This version is available for download via CPUSE and from the R80.30 home page (sk144293). Thanks, Release Management group.
Jessie_Rich inside General Topics Saturday
views 90 3

Internal firewall anti-spoofing

I have 2 networks separated by a firewall and then a internet facing firewall. I am getting anti-spoofing alerts on traffic passing through my internal firewall from the internet.Topology looks something like thisNetwork-A >>> InternalFW >>>> Network-B >>>>> internetFW >>>>>> InternetOn the Network-B facing interfaces on both firewalls I have only my Network-B networks defined in the topology. I assume on the InternalFW I need to add the internet to the topology on the interface connected to Network-B? To not mess up anti-spoofing on the internetFW I assume I would create separate network groups for my topology on the internal and internet firewalls?Thank you for any advice you can give.
inside General Topics Saturday
views 9756 8 16

White Papers Publishing Project

Hi CheckMaters, As you may have mentioned, we are currently in the process of publishing white papers created by our Security Engineers around the globe. These documents cover various products, implementation scenarios, features and configuration details. Here is the list: Name Link A deeper dive into FQDN Objects CDT and Blink Guide to configure logging to SolarWinds LEM SIEM Configuring R80.10 GW to send logs to Log Analytics Restoring a large MDS environment in VMware from mds backup Recovering a file from Gaia Snapshot Integrating Custom IOC Feeds RulebaseExporter/RulebaseImporter Cloud Guard: Automated firewall Cluster Deployment with auto-scaling option Log cleaning rule Deploying Auto Scaling CloudGuard gateways in Azure using VM Scale Sets Tufin integration with Check Point R80 Integration of Gemalto’s MobilePass+ Secure MFA and Managed Identities with the Check Point Firewall Mobile Access Blade as an IT Automator Protecting IoT (Internet of Things) implementations with R80.10 and later Unified Policy, Protocol Signature, and Segmentation Integration with Splunk Phantom Check Point and LogRhythm: Integrated Enterprise Security ClearPass & Checkpoint utilizing RESTful API and RADIUS Accounting Azure Deployment Leveraging Capsule Docs and DLP to provide IRM Advanced Migration to R80.x Quick Guide Updating Legacy DHCP Relay To Be R80.10 Ready Protect ICS SCADA URL Filtering using SNI for HTTPS websites Using AD certificates for outbound SSL inspection Deploying CP GW/MGMT with gcloud shell Publishing SmartConsole as a RemoteApp Reducing False Positive DLP CGSaaS CloudGuard SaaS Threat Prevention Managing Threat Prevention IoCs Introduction to Management CLI and JQ Endpoint Policy Server in DMZ Deploying Endpoint clients via GPO Adding a CloudGuard Cluster into an existing AWS Environment AAD compared to NIST Logging OSPF transitions with syslog Deploying SMS & a cluster on Azure Management upgrade workbook Azure Service Principal Configuration Phantom integration Custom SmartEvent Reports Updating Endpoint Client Version from EndPoint Management Server Healthcare: Mobile Security Mobile Security Configuring NAT64 for Internet Access in R80.20 Importing Custom IOC’s in Smart Console R80.20 URL Filtering Best Practices for Large Scale Deployment SMB Technology Guide Deploying 1200R Security Gateway with Zero Touch Cloud Service SandBlast Cloud Office 365 to CloudGuard SaaS for Office 365 Migration TWC/Spectrum VOIP with SMB appliances Customer User Center Basics and Strategy How to Batch Categorize URLs Security Zones How to configure Client Authentication in R80.20 HTTPS Inspection with Cisco Umbrella Integration of Check Point Identity Collector and Cisco ISE SMS and EPM log integration using SmartLog Getting out of CPUSE Jumbo Jail Distributed IPS Integration with Extreme Networks Network Access Control (NAC) Configuring Check Point Security Gateway with an IPv6 Tunnel Broker Updating 1200R Firmware with a USB Stick Security Management Server Migration from R65 to R80.20 Ansible Deployment Guide for Check Point Minimizing SBA Notifications with Check Point GuiDBedit Using RADIUS Authentication for Remote Access VPN Check Point Compliance Checking with Secure Configuration Verification Check Point Configuration with Radware (Alteon) SSL Decrypt & URL/UserCheck Logging & Monitoring, Events & Reports with R80.10 VSX Migration - Moving one VS at a Time R80.20 Endpoint initial Configuration and Setup (CP4B Series) Absolute Beginner’s Guide to R80.x Site to Site VPN in R80.x Implementing Non-FQDN Domain Objects Utilizing GeoProtection and Updatable Objects Within the R80.20 Rulebase Inline Layer Policy Best Practice More documents to come!