Nick_Doropoulos
Nick_Doropoulos inside General Topics 5 hours ago
views 20

Patching on SMB Appliances

I'm having difficulty finding documentation with regards to patching SMB appliances. I have looked at several admin guides so far without having found a relevant section. Could somebody point me in the right direction please? Many thanks in advance.
Wolfgang
Wolfgang inside General Topics 6 hours ago
views 741 3

2200 appliance R80.20 failure

Dear folks, we have been running R80.20 on a 2200 appliance for 2 months without problems. This week some problems occurred. We got a lot of errors like these:

Jun 13 11:19:25 2019 XXXXX kernel: [fw4_0];fwmutlik_do_sequence_accounting_on_entry: bad dir -1 (gconn_segment=1 flags=1 opcode=15)
Jun 13 11:19:26 2019 XXXXX kernel: [fw4_0];fwmutlik_do_sequence_accounting_on_entry: bad dir -1 (gconn_segment=1 flags=1 opcode=15)
Jun 13 11:19:26 2019 XXXXX kernel: [fw4_0];fwmutlik_do_sequence_accounting_on_entry: bad dir -1 (gconn_segment=0 flags=1 opcode=15)

If we do a restart of the appliance they can't install policy (policy install failed) and default policy is loaded. A manual fw fetch after restart loads the actual policy, but the shown errors occur again after some minutes. Any ideas, or has anyone seen this error anywhere?

Wolfgang
Oscar_David_Gom
Oscar_David_Gom inside General Topics 7 hours ago
views 24

VSX VPN with AWS

Hi, I have a R80.10 VSX cluster; one of my VSs is managing our VPNs. Today I received a request to create a VPN against AWS. They sent us a txt file generated from AWS which indicates the step-by-step for creating it. The problem started with the first step: creating a tunnel interface. As we are using VSX, that is not supported, so what we did was:

1. Creating a Star community.
2. Add as the center my VS and for the satellite the interoperable device configured as usual (Public IP, encryption domain, etc).
3. Setting parameters of encryption, etc. as said by the txt configuration file from AWS:
   1. Under Security Policies choose "VPN Communities" and click "New", "Star Community".
   2. Choose "General" and provide a name: vpn-0a265dfe8bec93511.
   3. For "Center Gateways", add your gateway or cluster.
   4. For "Satellite Gateways", add the interoperable devices that you created before.
   5. For "Encryption", choose "IKEv1 only".
   6. In the "Encryption Suite" section, choose "Custom", "Custom Encryption".
   7. Configure the properties as follows:
      Phase 1 Properties - Internet Key Exchange (IKE)
      a. Perform key exchange encryption with: aes128
      b. Perform data integrity with: sha1
      Phase 2 Properties - IPSEC
      a. Perform IPsec data encryption with: aes128
      b. Perform data integrity with: sha1
   8. For "Tunnel Management", choose "Set Permanent Tunnels", "On all tunnels in the community".
   9. In the "VPN Tunnel Sharing" section, choose "One VPN tunnel per Gateway pair".
   10. Expand "Advanced Settings". For "Shared Secret": *************
   11. For "Advanced VPN Properties", configure the properties as follows:
       IKE (Phase 1)
       a. Use Diffie-Hellman group: 2
       b. IKE SA lifetime: 28800 seconds
       IPSEC (Phase 2)
       a. Use Perfect Forward Secrecy: Checked
       b. IPSEC SA Lifetime: 3600 sec
   12. Click OK to close the VPN Window.
4. Configuring tunnel_keep_alive method for dpd.
5. Creating the rule.
6. Installing policies.

Result: VPN is always Down, so my question is, how to configure a VPN against Amazon when I'm using VSX?
Thanks.
HeikoAnkenbrand
HeikoAnkenbrand inside General Topics 9 hours ago
views 8671 19 22

R80.20 - IP blacklist in SecureXL

Controls the IP blacklist in SecureXL. The blacklist blocks all traffic to and from the specified IP addresses. The blacklist drops occur in SecureXL, which is more efficient than an Access Control Policy to drop the packets. This can be very helpful e.g. with DoS attacks to block an IP on SecureXL level.

For example, the traffic from and to IP 1.2.3.4 should be blocked at SecureXL level.

On gateway set the IP 1.2.3.4 to SecureXL blacklist:
# fwaccel dos blacklist -a 1.2.3.4

On gateway display all IPs on the SecureXL blacklist:
# fwaccel dos blacklist -s

On gateway delete the IP 1.2.3.4 from SecureXL blacklist:
# fwaccel dos blacklist -d 1.2.3.4

Very nice new function in R80.20!

Furthermore there is also the Penalty Box whitelist in SecureXL. The SecureXL Penalty Box is a mechanism that performs an early drop of packets that arrive from suspected sources. The purpose of this feature is to allow the Security Gateway to cope better under high traffic load, possibly caused by a DoS/DDoS attack. The SecureXL Penalty Box detects clients that send packets which the Access Control Policy drops, and clients that violate the IPS protections. If the SecureXL Penalty Box detects a specific client frequently, it puts that client in a penalty box. From that point, SecureXL drops all packets that arrive from the blocked source IP address. The Penalty Box whitelist in SecureXL lets you configure the source IP addresses which the SecureXL Penalty Box never blocks.

More under this link: Command Line Interface R80.20 Reference Guide

Regards, Heiko
kobilevi
kobilevi inside General Topics 11 hours ago
views 29

checking policy creator and history

Hello (: Does anyone know how to check in Gaia R80.10 who created a roll in the policy, and when? Thanks
Hugo_Marques
Hugo_Marques inside General Topics 11 hours ago
views 3685 6 1

R80.20 SecureXL drop template support

Hi, I was reading the "Performance Tuning Administration Guide R80.20" and passed by something that made me think about some upgrades to R80.20 that I will need to do in the next months, and push them forward until this is supported, at least on 2 of them that have a good amount of traffic dropped by the SXL. The drop template feature on SXL is still not supported. Does anyone know when it will be supported? Mid 2019? Regards
GreyOwl
GreyOwl inside General Topics 11 hours ago
views 78 2 1

AppControl does not block TeamViewer

Hello, we have a very strange problem. I created an AppControl rule blocking TeamViewer. After policy installation, it shows in logs that TeamViewer is being blocked successfully. But it continues to work! In other words, TeamViewer is blocked only in logs. We tried to drop block other apps for testing (WhatsApp for ex) and everything is working OK. Does anyone have any idea what's happening and how to solve it? Thanks.
Junior
Junior inside General Topics 11 hours ago
views 31

rules management

Hello everyone; I have the SMB 1490. I publish here my rules of management to know if they are well written. Also I would like to know if there is documentation for the 1490 for better grip. Thank you
Di_Junior
Di_Junior inside General Topics 12 hours ago
views 3208 16

Check Point Clustering between two Datacenters

Dear Mates, we are currently experiencing routing asymmetry on our infrastructure, and we are trying to find possible solutions that could help us solve the problem. I would like to know whether there is a limitation in terms of creating a Check Point cluster over two geographically separated Datacenters (a few kilometers away from each other). Are there any distance constraints? If there is no distance constraint, since the current version of GAIA we are using (R80.20) does not support Load-sharing, we do not intend to have 4 appliances in a cluster while only one is taking all the traffic. Can Maestro be used in order to take advantage of the 4 appliances? The rationale for this question is that we are thinking of turning the 4 Check Point Appliances into a single cluster. Thanks in Advance
GGiorgakis
GGiorgakis inside General Topics 12 hours ago
views 36

Top critical issues for R80.20

Address the top critical issue that you faced for R80.20?
Junior
Junior inside General Topics 14 hours ago
views 122 2

botnet activity detection

Hello dear, The checkpoint firewall detected botnet activity on one of our DNS servers, and another on a computer network. To my knowledge the firewall is supposed to block such activity? How to get rid of this infection, I launched the ESET ENDPOINT Security antivirus but nothing found.
Valeri_Loukine
inside General Topics 15 hours ago
views 5638 39 1
Admin

Propose your Idea of the Year!

Yes, this is this time of year, again. Same as one year ago, we turn to the community and ask you, good folks, to propose the idea of the year. Or, better: The Idea Of The Year! The rules are the same as before, it is about ideas that you wish Check Point would develop into a product/service offering, or improvements to existing ones. Do you think we miss something important or we should consider to expand our product portfolio, feature set, functionalities, get to a completely new playground, change the rules of the game? Tell us NOW!

A few disclaimers/notes:
- There are no guarantees that any idea suggested will be developed, even the "Idea Of The Year".
- From the suggestions below, we will choose 3-5 ideas which will be put up for voting later on.
- Preference will be given to ideas that come from customers and partners, though employees are welcome to participate as well.
- "Likes" and "discussion" around specific ideas will influence (but not wholly determine) the final list, so if you like something someone has suggested, let it be known!
- @Dorit_Dor and R&D leaders will choose the best ideas, and if you win, you will get a prize! What prize? We will tell you later.

Get creative, use your imagination and PROPOSE!
HEnRY
HEnRY inside General Topics 15 hours ago
views 961 5

DHCP on Check Point 3200

Hello Mates, kindly assist. I have my Gaia R80.10 device up and running in production.

1. At the moment I am using static IP address config to assign IP addresses to end users.
2. I want users to get DHCP addresses automatically.
3. I have used sk92768 but was not successful.
4. I don't have an external DHCP server.

Kindly assist.
Taekyoon-kim
Taekyoon-kim inside General Topics 16 hours ago
views 143 6

What happens when a license expires?

Hi ..! What happens when a license expires? I just.. If the licenses for each device expire, can I use the features I used before? And what features are available and what are not? I wonder.

1. Smart-1
2. Collector
3. TE

Thank you for taking the time to ask.
Maik
Maik inside General Topics yesterday
views 2313 18 6

TCP SACK PANIC - Kernel vulnerabilities | Check Point affected?

Hello, just wanted to ask for a statement from Check Point regarding CVE-2019-11477, CVE-2019-11478 & CVE-2019-11479. As Red Hat posted a statement and mentioned several releases are affected, my guess is that Check Point with GAiA is affected too (as based on RH Linux...). Details can be read below:

https://access.redhat.com/security/vulnerabilities/tcpsack

Regards, Maik