General Topics

Have a question and you can't figure out where to post about it after reading All Products and Where to Post About Them? Post it here!

Di_Junior
Di_Junior inside General Topics 3 hours ago
views 64 4

RDP and SSH not working through a Check Point Firewall site-to-site vpn

Dear Mates,

I am running into a very strange behavior. I have a site-to-site VPN connecting two sites (Check Point Firewall and Cisco). For connections from site A to site B everything works fine, but for connections from site B to A only ping works; the rest of the protocols do not work.

I am doing NAT on both sites (traffic from Site A to Site B is NATted by the firewall to its interface in site B, and vice versa).

Any help would be appreciated. Thanks in advance
Di_Junior
Di_Junior inside General Topics 5 hours ago
views 24

Issues migrating from Cisco ASA to Check Point

Hi Mates,

Just to give more information about the issue I am facing with a customer network. We are migrating the infrastructure from Cisco ASA to Check Point Firewall. Everything seems to be working fine, but we have this problem that I need help on, on how I can achieve the same scenario using Check Point. We are using R80.20.

There is a site-to-site VPN between the Cisco Router and Check Point. The machines on Networks C and D must communicate with the machines in Networks A and B (and vice versa) using this site-to-site VPN between Check Point and the Cisco Router. In addition to that, Networks C and D must also go to the internet through the site-to-site VPN, with Check Point being connected to the internet.

The site-to-site VPN tunnel is closed using the IPs X.X.X.1 from the Firewall and the peer X.X.X.2. In order to allow communication between Networks A and B and Networks C and D, I am doing NAT on the Firewall. Hence, if a host on network A is trying to connect to a host on network C, the IP of the host in network A is NATted to the Firewall's IP (X.X.X.1), and vice versa.

So we have this scenario: Networks C and D are able to communicate with Networks A and B, and they are also going to the internet through the tunnel. Networks A and B are able to access the internet as well using the F.F.F.2.

Problem

Networks A and B are ONLY able to ping Networks C and D, and nothing else. You cannot run RDP or SSH from Networks A and B to Networks C and D. There are some services on Network C that are published on the Internet; these services are also not working.

Another issue that I will be facing too is the fact that with Cisco ASA they have different site-to-site VPNs with their partners using point-to-point links. How can I have Check Point running multiple site-to-site VPNs using different interfaces? For example, there is a tunnel with the Cisco router using the X.X.X.1 address, and another tunnel with the partner using the F.F.F.1.

Your help will be appreciated. Thanks in advance
kobilevi
kobilevi inside General Topics 5 hours ago
views 110 4

Gaia appliance - 15600 Lab

Hello, I need to reclaim my network to a lab. I have 2 Check Point 15600 that connect as a cluster and 1 server that manages the firewalls. What is the best practice to build this lab? Do I need a server running SmartDashboard too? Thanks
HeikoAnkenbrand
HeikoAnkenbrand inside General Topics yesterday
views 623402 44 166

R80.x Architecture and Performance Tuning - Link Collection

Architecture
- R80.x - Security Gateway Architecture (Logical Packet Flow)
- R80.x - Security Gateway Architecture (Logical Packet Flow) - Update R80.20+
- R80.x - Security Gateway Architecture (Content Inspection)
- R80.x - Security Gateway Architecture (Acceleration Card Offloading)
- R80.x - Ports Used for Communication by Various Check Point Modules
- R80.x - How does the Medium Path (PXL) and Content Inspection work with R80
- R80.x - ClusterXL CCP Encryption (R80.30+)
- R80.x - SNI vs. enabled HTTPS Interception
- R80.x - Policy Installation Flowchart

Performance tuning
- R80.x - Top 20 Gateway Tuning Tips
- R80.x - Gateway Performance Metrics
- R80.x - Performance Tuning Tip - Intel Hardware
- R80.x - Performance Tuning Tip - AES-NI
- R80.x - Performance Tuning Tip - SMT (Hyper Threading)
- R80.x - Performance Tuning Tip - Multi Queue
- R80.x - Performance Tuning Tip - Connection Table
- R80.x - Performance Tuning Tip - Elephant Flows (Heavy Connections)
- R80.x - Performance Tuning Tip - User Mode Firewall vs. Kernel Mode Firewall
- R80.x - Performance Tuning Tip - Dynamic split of CoreXL in R80.40
- R80.x - Performance Tuning Tip - SecureXL Fast Accelerator in R80.20 JHF103
- R80.x - Performance Tuning Tip - DDoS „fw sam“ vs. „fwaccel dos“
- R80.x - Performance Tuning Tip - SNI vs. https inspection
- R80.x - Performance Tuning Tip - Control SecureXL / CoreXL Paths
- R80.x - Performance Tuning and Debug Tips - fw monitor
- R80.x - Performance Tuning and Debug Tips - TCPDUMP vs. CPPCAP
- R80.x - High Performance Gateways and Tuning
- R80.x - Falcon Modules and R80.20
- R80.x - Performance Tuning - Link Collection

Cheat sheets
- R80.x - cheat sheet - fw monitor
- R80.x - cheat sheet - ClusterXL

ClusterXL
- R80.20 - new ClusterXL commands
- R80.20 - More ClusterXL State Information
- R80.30 - ClusterXL CCP Encryption

SecureXL
- R80.20 - New FW Monitor inspection points
- R80.20 - SYN Defender on SecureXL Level
- R80.20 - IP blacklist in SecureXL
- R80.20 - New Chain Modules?
- R80.20 - SecureXL + new chain modules + fw monitor

CoreXL
- R80.x - Security Gateway Architecture (Logical Packet Flow)
- R80.x - Security Gateway Architecture (Content Inspection)
- R80.x - More then 40 Cores for CoreXL
- R80.x - User-Mode Firewall and performance impact

Management Server, MDS and SmartConsole
- R80.20 - Portable SmartConsole + Tips and Tricks
- R80.10 - Syslog Exporter
- R80.20 - Multiple SmartConsole sessions
- R80.x - Debug policy installation on gateway
- R80.x - MDS Upgrade failing from R80.10 to R80.30
- R80.x - Policy Installation Flowchart

Sandblast and TEX
- Fortigate Firewall ICAP and Sandblast (TEX)
- Symantec (Bluecoat) SG ICAP and Sandblast (TEX)
- ICAP and Sandblast Appliance

R80.10+
- R80.10 - Syslog Exporter
- R80.10 - Bash script to show IP ranges for countrys from GeoProtection (new version)
- R80.10 - GEO Location Objects in Firewall Policy (with Dynamic Objects)
- R80.10 - User-Mode Firewall and performance impact

R80.20+
- R80.20 - new interesting commands
- R80.20 - Performance Tuning Tip - DDoS „fw sam“ vs. „fwaccel dos“
- R80.20 - New FW Monitor inspection points
- R80.20 - SYN Defender on SecureXL Level
- R80.20 - IP blacklist in SecureXL
- R80.20 - New Chain Modules?
- R80.20 - SecureXL + new chain modules + fw monitor
- R80.20 - SecureXL - new names in "/proc/ppk/statistics"?
- R80.20 - Portable SmartConsole + Tips and Tricks
- R80.20 - New daemon or processes under R80.20!
- R80.20 - New SecureXL path in R80.20 (CPASXL)
- R80.20 - More then 40 Cores for CoreXL
- R80.20 - Updatable Domain Objects and CLI Commands
- R80.20 - SNI vs. enabled HTTPS Interception

R80.30+
- R80.30 - new interesting commands
- R80.30 - ClusterXL CCP Encryption
- R80.30 - Swiss Army Knive IPMITOOL for GAIA

R80.40+
- R80.40 - new interesting commands
- R80.40 - automatically changes the number of CoreXL SNDs, Firewall instances and the Multi-Queue
- R80.40 - Dynamic split of CoreXL SND and FW

CLI
- GAIA - Easy execute CLI commands from management on gateways
- GAIA - Easy execute CLI commands on all gateways simultaneously
- GAIA - Create snapshots or backups on all gateways with one CLI command.
- GAIA - Backup all clish configs from all gateways with one CLI command
- CLISH Commands in Expert Mode easier
- Show VPN Routing on CLI
- Show Address Spoofing Networks via CLI
- Interface speed and duplex as list
- "fw ctl zdebug" Helpful Command Combinations
- Check Inbound and Outbound TCP Sequece Numbers on R80.20+
- R80.20 - new interesting commands
- R80.30 - new interesting commands
- ccp_analyzer - what is it!
- Check Point - HEX to IP Converter Tool?
- R80.30 - Swiss Army Knive IPMITOOL for GAIA
- ONELINER - process utilization per core

Script
- Bash script to show IP ranges for countrys from GeoProtection (new version)
- GEO Location Objects in Firewall Policy (with Dynamic Objects)

More
- Appliance model from CLI and dmidecode with full model list
- VoIP Issue and SMB Appliance (600/1000/1200/1400)
- High CPU utilization during process fwk0_dev_0 (UMFW vs. KMFW)
- Password reset - Collection
- One-liner collection
- Check and config SSHv1 or SSHv2 on GAIA
- Top100 - Check Point Terms Overview for Debug

More interesting articles and books
Over the last years I had a very good cooperation and exchange of knowledge with @Timothy_Hall. Therefore I recommend you to read this book about Check Point Performance Tuning.
- Max Power 2020

Why these articles
I wrote my first article on R80.x firewall architecture a year ago. After many hours in the lab with R80.10, R80.20, R80.30 and R80.40 and many long evenings, another approximately 40 articles were added. Because I lost the overview of my articles, here is a list of links to the most interesting articles with the topics:
- R80.x performance tuning
- R80.x architecture
- R80.x new CoreXL, SecureXL and ClusterXL functions
I hope I can help you with interesting information about R80.x! Thanks to everyone who contributed to the CheckMates forum and to the Check Point R&D guys as well as the CheckMates team, and thanks to all who voted this article as Post of the Year 2019.

Copyright by Heiko Ankenbrand 1994-2020
PhoneBoy
inside General Topics yesterday
views 49 2 1
Admin

Who's Going to CPX 360 2020 New Orleans and/or Vienna?

Of course, the CheckMates team will be there. Be sure to bring your A Game to the CheckMates Zone 🙂 And the Blazepods... will be ablazing!
sebastian_tarka
sebastian_tarka inside General Topics Saturday
views 2472 4

Cannot re-install Check Point VPN macOS

Hello everyone!

I'm facing the issue that I cannot install (re-install) the latest Check Point version (E80.89). I also tried to install older versions but I always get the same error message (see picture as well):

"Check Point Endpoint Security VPN can not be installed on this computer. Check Point Endpoint Security is installed on this computer. Please install the VPN blade as part of Endpoint Security."

Before installing the latest version of Check Point Endpoint Security VPN, I used the uninstaller located in /Library/Applications Support/Checkpoint... I was already looking for files which could be part of the VPN application, but I could not find any more. I hope that you guys can help me out, because I need to run this application...

BR
SUPPORT_RINGO_C
SUPPORT_RINGO_C inside General Topics Friday
views 1480 8 1

centrally manage a DAIP gateway

Hello Teams,

My environment: I have a SmartCenter on R80.10 with a public IP address, and want to centrally manage a NATted 3000 series R80.10 gateway (it is behind a NATting device/router).

My question: How should I create the gw object without knowing its IP in advance, and succeed with SIC communication? Is there any method that suits such cases?

Thanks in advance.
entsupport
entsupport inside General Topics Friday
views 91 3

Commands not executing in Management Server R80.10

Hello All,

For the last 2 days, every morning we are facing a very strange issue. Commands are not getting executed on the management server. CPU & memory utilization is also normal. After rebooting the management server the issue gets fixed, but the next morning the issue arises again.

We have collected a few of the outputs during the issue as per the TAC suggestion. Attaching the same herewith. We have logged a ticket with Check Point TAC but they are also not able to fix this issue.

Kindly help if there is any troubleshooting we can perform to fix this issue.
BrianPerry
inside General Topics Friday
views 1837 15 10
Employee

sk164752 - Installing DOOM on Gaia

Hello everyone, I work at one of the Check Point TACs. We had a little internal contest to see if we could get DOOM running on a Check Point firewall for fun. I managed to get it done and just finished the SK. Feel free to take a look at sk164752 for how it was done. It is general access so anyone should be able to view it.

Needless to say, do not try this in production; you are increasing the attack surface of the operating system significantly by doing so.

Edit: It looks like management decided to make the SK internal, sorry guys.

Edit2: They did OK it to be posted on CheckMates though. Please see below.

Symptoms
- You want to run Linux applications on Gaia.
- You need to defeat the minions of hell.

Solution
Please note this procedure is not supported and not secure. Under no circumstances should this be done in a production environment. This is a proof of concept and for fun.

Pre-requisites
- An R80.30 Gateway running the 3.10 kernel as per sk152652
- A bootable Ubuntu Live image - link
- More spare time than sense

Installing a Debian chroot
Boot the R80.30 3.10 gateway from the Ubuntu Live image. Ensure the live OS has an internet connection. Once booted, install debootstrap:
    sudo apt update
    sudo apt install debootstrap
Create a working environment and mount the Gaia file system:
    mkdir /home/ubuntu/installdir
    sudo mount /dev/mapper/vg_splat-lv_current /home/ubuntu/installdir
We will be installing Debian Jessie in the chroot, because Jessie runs kernel 3.16, which is very close to the Gaia kernel 3.10. This will help ensure things run smoother.
Create the chroot environment (if you choose another chroot OS, be sure to change the path):
    sudo mkdir /home/ubuntu/installdir/chroot
    sudo mkdir /home/ubuntu/installdir/chroot/jessie
Use the following command to install Jessie; this may take some time:
    sudo debootstrap --include locales --arch amd64 jessie /home/ubuntu/installdir/chroot/jessie
Once complete, reboot and remove the Ubuntu installation media.

Prepare the chroot
To allow the chroot to properly communicate with the hardware of the machine we need to bind several mount points in the chroot. Since this needs to be done at every boot, I will provide a script below that binds these mounts. I placed this in the home directory of the admin user for ease of use.
Start of script
    #!/bin/bash
    # Bind the host's kernel and device trees into the Jessie chroot
    mount --bind /proc /chroot/jessie/proc
    mount --bind /sys /chroot/jessie/sys
    mount --bind /dev /chroot/jessie/dev
    mount --bind /dev/pts /chroot/jessie/dev/pts
End of script
Give the script the privileges it needs to run and run it:
    chmod 755 /home/admin/jessie.sh
    cd /home/admin
    ./jessie.sh
Create the default root user's home directory:
    mkdir /chroot/jessie/home/admin
Optionally you may bind the existing Gaia /home/admin directory to the chroot by adding the line below to the script:
    mount --bind /home/admin /chroot/jessie/home/admin
Enter the chroot:
    chroot /chroot/jessie

Configure the chroot
Set the DNS server by adding a DNS server of your preference to /etc/resolv.conf with vi; add "nameserver $IPgoesHere" to the file.
Install vim because vi is terrible; the default repositories should be able to do this:
    apt update
    apt install vim
Add the Gaia hostname to /etc/hosts; see below for an example, my hostname is DOOM. The first line of /etc/hosts should appear similar to below but with your hostname:
    127.0.0.1 localhost DOOM
Add a complete list of Jessie repositories to /etc/apt/sources.list by matching the contents below using vim.
Start of sources.list
    deb http://httpredir.debian.org/debian jessie main non-free contrib
    deb-src http://httpredir.debian.org/debian jessie main non-free contrib
    deb http://security.debian.org/debian-security jessie/updates main contrib non-free
    deb-src http://security.debian.org/debian-security jessie/updates main contrib non-free
End of sources.list
Update the repository list using "apt update".

Create a non-root user
Install sudo:
    apt install sudo
Create a new non-root user (in this case doom) and follow the prompts to set the password:
    adduser doom
Add the new user to the sudo group:
    usermod -aG sudo doom

Installing the desktop
Enter the Debian software selection with the following command:
    tasksel
Using the arrow keys and space bar select "Debian Desktop Environment" & "Xfce". Use tab to select OK and enter to continue. Wait for the needed packages to install (this will take several minutes). You will be prompted to select your keyboard layout during this process; do so. Once complete you will be back at the terminal.
Installing the desktop will have overwritten /etc/resolv.conf. Reset the DNS server by adding a DNS server of your preference to /etc/resolv.conf with vim; add "nameserver $IPgoesHere" to the file.
Installing the desktop may have overwritten the hostname inside the chroot. Test the hostname to see if it has changed by using the hostname command. If it has changed, change it back by using the hostname command, example below:
    hostname DOOM
Make sure to edit the /etc/hostname file to match so it survives reboot.
Install xrdp:
    apt install xrdp
Exit the chroot (just type exit in the terminal) and add the following line to the jessie.sh script:
    chroot /chroot/jessie /etc/init.d/xrdp restart
This will ensure xrdp is started properly when spawning the chroot.
Ensure that your firewall policy is either unloaded (fw unloadlocal) or add firewall rules that allow port 3389.
Re-add the full repository list as per the "Configure the chroot" section; ensure you "apt update".

Login to the GUI and install DOOM
RDP to an IP of the gateway that is reachable. Use the default sesman-Xvnc module. Provide the username and password (do not log in with root; use the non-root user we created earlier). If all went well you should see the desktop.
Open a terminal and install DOOM:
    sudo apt-get install doom-wad-shareware prboom
Start DOOM:
    /usr/games/prboom
Doom running on a Gaia firewall; note the xfce4 and xrdp processes running in the attached screenshot.
AlexeyB
AlexeyB inside General Topics Friday
views 608 3 2

Command to show history of ClusterXL member status

Here is yet another one-liner for R77.xx:

    sqlite3 /var/log/CPView_history/CPViewDB.dat "SELECT datetime(a.Timestamp, 'unixepoch', 'localtime'), a.cluster_status FROM UM_STAT_UM_SYSTEM AS a WHERE a.cluster_status <> ( SELECT b.cluster_status FROM UM_STAT_UM_SYSTEM AS b WHERE a.Timestamp > b.Timestamp ORDER BY b.Timestamp DESC LIMIT 1 );"

The command shows data for the current member like "show cluster failover" in R80.20:

    2019-11-01 15:31:03|Standby
    2019-12-02 15:11:15|Down
    2019-12-02 15:12:15|Standby
    2019-12-02 15:15:15|Active

It is better than "show routed cluster-state detailed" because it shows only real changes, excluding info like "Jun 16 17:33:36 Master to Master", and it shows older data.
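To show what the correlated subquery in that one-liner actually selects, here is an added example (not code from the post) that runs the same query against a constructed in-memory copy of the UM_STAT_UM_SYSTEM table. It also shows the query's one caveat, that the earliest sample is never reported because its "previous status" is NULL, and a NULL-aware variant that keeps it. The table and column names come from the one-liner; the sample rows are made up.

```python
import sqlite3

# Constructed sample of the UM_STAT_UM_SYSTEM table that CPView keeps in
# CPViewDB.dat: one row per sampling interval, Timestamp in Unix epoch
# seconds (UTC). Values are made up; the real table has many more columns.
SAMPLE_ROWS = [
    (1572622263, "Standby"),  # 2019-11-01 15:31:03
    (1572622323, "Standby"),
    (1572622383, "Standby"),
    (1575299475, "Down"),     # 2019-12-02 15:11:15
    (1575299535, "Standby"),  # 2019-12-02 15:12:15
    (1575299595, "Standby"),
    (1575299715, "Active"),   # 2019-12-02 15:15:15
    (1575299775, "Active"),
]

# The query from the post (without 'localtime', so results do not depend on
# the machine's timezone): emit a row only when its cluster_status differs
# from the status of the most recent earlier sample.
CHANGES_QUERY = """
SELECT datetime(a.Timestamp, 'unixepoch'), a.cluster_status
FROM UM_STAT_UM_SYSTEM AS a
WHERE a.cluster_status {op} (
    SELECT b.cluster_status FROM UM_STAT_UM_SYSTEM AS b
    WHERE a.Timestamp > b.Timestamp
    ORDER BY b.Timestamp DESC LIMIT 1
)
ORDER BY a.Timestamp
"""


def build_db(rows):
    """Create an in-memory stand-in for CPViewDB.dat with the two columns used."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE UM_STAT_UM_SYSTEM (Timestamp INTEGER, cluster_status TEXT)"
    )
    conn.executemany("INSERT INTO UM_STAT_UM_SYSTEM VALUES (?, ?)", rows)
    conn.commit()
    return conn


def cluster_state_changes(conn, include_first=False):
    """Return (time, state) tuples for every cluster state transition.

    include_first=False is exactly the post's query: the earliest sample has no
    predecessor, the subquery yields NULL, and 'x <> NULL' is not true, so that
    row is silently dropped. include_first=True swaps '<>' for SQLite's
    NULL-aware 'IS NOT', which keeps the initial state as the first line.
    """
    op = "IS NOT" if include_first else "<>"
    return [tuple(row) for row in conn.execute(CHANGES_QUERY.format(op=op))]


if __name__ == "__main__":
    db = build_db(SAMPLE_ROWS)
    # Same pipe-separated layout the sqlite3 CLI prints on the gateway
    for when, state in cluster_state_changes(db, include_first=True):
        print(f"{when}|{state}")
```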
mahesh027cse1
mahesh027cse1 inside General Topics Friday
views 64 1

How does Check Point maintain connections for GRE traffic

Hi,

Can anyone please help me understand how the Check Point firewall handles GRE pass-through traffic? I am getting an issue. GRE is configured on both end routers and in between I have a Check Point firewall. When a fail-over (primary to secondary) occurs, GRE stops working and then I need to ask the network person to bounce the router's GRE-terminated physical port. I need to understand Check Point GRE pass-through traffic handling and how it is maintained in the connection table; I tried to find documents but no luck.

Router ---> Check Point ---> Router
Adrian_Pillo
Adrian_Pillo inside General Topics Friday
views 128 2

Do you trust Google?

Searching in Google from a German IP for "checkpoint" or "check point" shows Palo Alto in first position ... somehow strange! OK, it is an advertisement for the e-book "NGFW for Dummies" .... Who believes in coincidence???
Khalid_Aftas
Khalid_Aftas inside General Topics Thursday
views 1024 10

R80.20 Ipsec VPN issues

Hi,

After upgrading to R80.20 on multiple gateways, we started having issues with a lot of VPNs that were running without problem in R80.10.

Case 1: VPN with partner down; I had to make him disable the NAT-T option for it to work again.

Case 2 (most critical): Amazon Web Services. Once the phase 2 proposal from AWS comes, CP accepts it, then decides to propose another negotiation again; for a few minutes there is a complete cut-out of the traffic.

Other cases in other GWs with similar issues. Opened a case with the TAC; they made me install some special hotfix, with no success.

What changed in R80.20 regarding VPN? I hope there is a solution for these issues.

    [CPFC]
    HOTFIX_R80_20_JUMBO_HF_MAIN Take: 87
    [MGMT]
    HOTFIX_R80_20_JUMBO_HF_MAIN Take: 87
    [FW1]
    HOTFIX_R80_20_JUMBO_HF_MAIN Take: 87
    HOTFIX_R80_20_JHF_T87_190_MAIN
    HOTFIX_R80_20_JHF_T87_174_MAIN
    HOTFIX_R80_20_JHF_87_90_002_MAIN
    FW1 build number:
    This is Check Point's software version R80.20 - Build 100
    kernel: R80.20 - Build 001
    [SecurePlatform]
    HOTFIX_R80_20_JUMBO_HF_MAIN Take: 87
    [CPinfo]
    No hotfixes..
    [DIAG]
    No hotfixes..
    [PPACK]
    HOTFIX_R80_20_JUMBO_HF_MAIN Take: 87
    [CVPN]
    HOTFIX_R80_20_JUMBO_HF_MAIN Take: 87
    [CPUpdates]
    BUNDLE_R80_20_JUMBO_HF_MAIN Take: 87
Gianlucheck
Gianlucheck inside General Topics Thursday
views 88 1

Application Control update signature

In R77.30 I remember that Application Control updated the signatures on both the Management server and the Gateway FW. There were 2 different signature updates. I remember because I had a problem with the signature update on the firewall. On R88.20 I see only the signature update on Management; I don't see the gateway. Can someone clarify if the signature updates are now only on management?
Tal_Eisner
inside General Topics Thursday
views 98 1
Employee+

Introducing cp<radio> Check Point Research Podcast Channel

Is TikTok secure enough? What are the latest security risks surrounding Medical IoT? Who was behind the new malware targeting ISIS operatives? Check Point Research is proud to launch cp<radio>, a podcast channel in which we will update on the latest cyber research, product vulnerability articles and global threat intelligence insights. You can now subscribe to follow us and keep up with the latest cyber research. Now available on Apple, Google or Spotify anytime, anywhere. http://bit.ly/37jsOLq