General Topics

Have a question and you can't figure out where to post about it after reading All Products and Where to Post About Them? Post it here!

clearblue inside General Topics 38m ago
views 25 2

R80 CCSA certification

How do I get to print out my CCSA certification? I took the test last month and passed but I'm having some trouble with finding the actual certification award. 
Sukru_isik inside General Topics 2 hours ago
views 1069 10 2

Https inspection Validation error

Hello, I have checkpoint with version R80.20. I have enabled https inspection and am using Sophos endpoint agent. Agents are managed on cloud side. When we want to install agent, we are taking a log like below and we couldn't install it. I have written exception url like "*.sophos.com" on inspection rules, but it is not working. (When I disable https inspection completely, the agents are installed successfully.) How can I solve this problem?
Vladimir inside General Topics 3 hours ago
views 4699 9 2

Gateway behind NAT. What limitations am I to be aware of?

Hi,
I am working with the client who insists on hiding their CP cluster behind ASAs. External interface will be in RFC 1918 range. I've used this setup before in the lab environments, but would like to hear from you if there are any gotchas and particulars that I should be aware of. ASAs will supply Static Nat from one of the public IPs to the VIP of the cluster and, should the need arise, to any hosts located in DMZs. I am a bit concerned with S2S and remote access VPNs and am trying to figure out what else may be impacted.
Thank you,
Vladimir
Ryan_Ryan inside General Topics 4 hours ago
views 347 3 4

Checkpoint to Azure Route based - guide

I had a bit of struggle to get this working initially, as Azure don't provide configs for Checkpoint and they operate a bit different to AWS route based VPN's. Sk101275 will give you about 20% of what you need, so I am writing this up in case it helps others.

Steps for Checkpoint cluster to Azure Route based vpn (based on R80.20)

In this config all traffic from Azure will be tunnelled to the Checkpoint.
The Checkpoint can be participating in other Policy Based / Domain based VPN's without impacting them.

Azure Side
- Configure for "forced tunnelling mode"
- Download the generic (IOS based) config

Checkpoint side
- Open smartConsole
- Create a new interoperable device, choose a unique name and give it the Public IP of Azure. (eg. AZUREIP, 52.1.1.1)
- On topology tab, set manually defined topology, create a new simple group, with NO OBJECTS in it (ie an empty group)
- Open the centre gateway, Click network management, Select VPN Domain, now you have two options:
  - If you have no other VPN's and don't expect to ever need a policy based VPN, then add grp.empty as your encryption domain
  - If you have existing policy based VPN's then open the current encryption domain group, inside that group add a new network object: network address: 0.0.0.0, net mask: 0.0.0.0
- Under VPN communities, create new star VPN, name it, add your local gateway as the Center gateway, and the new interoperable device as the satellite gateway (eg AZUREIP)
- Encryption tab:
  - Method - Prefer Ikev2, support Ikev1
  - Encryption suite - Custom
  - Phase 1: AES-256, SHA256, Group2
  - Phase 2: AES-256, SHA256 (everything else unticked)
- Tunnel management: Select One VPN tunnel per gateway pair
- VPN Routing: select "To center, through center, Internet and other VPN targets"
- Shared Secret: Add peer name (eg AZUREIP) and the PSK provided in config file
- Advanced Tab:
  - Phase 1: 480
  - Phase 2: 3600

Create VPN tunnel interfaces (VTI)
- SSH to your gateways and enter clish
- (Find the "int tunnel 11 ip address" it is a 169.254 address with a /30 mask in the Azure provided config)
- The IP address listed (eg 169.254.0.1) will be your VIP, we need to extend that mask to /29 which gives more usable addresses, eg:
  169.254.0.1 = VIP
  169.254.0.2 = FW A
  169.254.0.3 = FW B
- (peer name must be exactly the same as interoperable device name in GUI, remote IP is the public IP of the interoperable device)
  A: add vpn tunnel 11 type numbered local 169.254.0.2 remote 52.1.1.1 peer AZUREIP
  A: set interface vpnt11 mtu 1350
  A: save config
  B: add vpn tunnel 11 type numbered local 169.254.0.3 remote 52.1.1.1 peer AZUREIP
  B: set interface vpnt11 mtu 1350
  B: save config

Add static routes for your Azure CIDR via the new VPN interface, eg:
  A: set static-route 192.168.55.0/24 nexthop gateway logical vpnt11 on
  A: save config
  B: set static-route 192.168.55.0/24 nexthop gateway logical vpnt11 on
  B: save config

Get topology and assign VIP
- Ensure that you have enabled the IPsec VPN blade on your gateway.
- Open your gateway or cluster object, and choose "Network Management"
- Choose "Get Interfaces without topology" - be sure not to select WITH!
- Locate new vpn interface, add virtual IP (our local 169.254 address eg 169.254.0.1/29)
- Under topology, select "leads to, override, specific", create a new group, add your Azure CIDR, your 169.254.x.x/29 subnet and your Azure Interoperable device to this group
- Enable antispoofing as desired
- In checkpoint global properties, select VPN, advanced, at the bottom tick "enable VPN directional match"

Firewall Rules
- Create firewall rules as required
- In VPN column right click and add "Directional match condition", for each rule add three match conditions as follows:
  Internal clear => AZURE-VPN-COMMUNITY
  AZURE-VPN-COMMUNITY => AZURE-VPN-COMMUNITY
  AZURE-VPN-COMMUNITY => Internal_clear
- Install policy
kevin_t inside General Topics 6 hours ago
views 63 3

Custom Feed Blocking - SK103154

We are currently implementing the SK103154 to block known TOR nodes/IP addresses that Checkpoint provides. We are trying to add more feeds to this custom list though, and they appear to not be reflecting in the gateways. Specifically this URL: https://talosintelligence.com/documents/ip-blacklist
The Checkpoint feeds work just fine, but this Talos one will not. Anyone have any ideas on why this might be? We are on R80.20
Relevant SK: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk103154
ashish_verma inside General Topics 9 hours ago
views 152 3

NAT issue over VPN

Hello Mates,
We are getting this issue in which the tracker is showing 2 logs for the same traffic (same source and destination port numbers): one is getting encrypted (and accepted) and, with the same time stamp, another one which is getting dropped at the external interface with reason of address-spoofing. Below are the details:
The source is 10.1.4.0/24 and is directly connected to CP firewall. The source is getting natted to IP 194.168.1.153 (subnet 194.168.1.x is not configured on any of the interfaces of this firewall). The VPN is configured with interoperable object and the tunnels are up. When initiating the traffic with source 10.1.4.233, in the tracker we can see the source is getting natted to 194.168.1.153 and also the traffic is getting encrypted. Just after this log (with the same timestamp) another drop log is there with source 10.1.4.233, same source port and destination, and the reason is address-spoofing on eth2.530 (external interface). On putting tcpdump on eth2.530 we are not getting any hit. On "fw monitor -p all", I can see the traffic (Syn) is passing through the firewall after getting translated, also receiving the reply back (Syn/Ack) to 194.168.1.153 but only i (Pre-inbound), after that no IoO. We have done manual hide nat configuration. Please let me know if any further info required.
Thanks in advance.
Tsvika_Akerman
inside General Topics yesterday
views 5728 42 14
Employee

R80.40 Early Availability Program @ Check Point Update

R80.40 EA Program

R80.40 features centralized management control across all networks, on premise or in the cloud, lowering the complexity of managing your security and increasing operational efficiency. As part of the Check Point Infinity architecture, R80.40 provides customers with the best security management, utilizing the Industry’s largest integration of technologies from more than 160 technology partners. With Check Point R80.40 Cyber Security for Gateways and Management, businesses everywhere can easily step up to Gen V.

Enrollment // Production EA
• We are looking for R80.X / R77.X Production environment to evaluate the new version.
• Start date: Started

Additional questions? Contact us @ EA_SUPPORT@checkpoint.com

What's New

IoT Security
A new IoT security controller to:
• Collect IoT devices and traffic attributes from certified IoT discovery engines (currently supports Medigate, CyberMDX, Cynerio, Claroty, Indegy, SAM and Armis).
• Configure a new IoT dedicated Policy Layer in policy management.
• Configure and manage security rules that are based on the IoT devices' attributes.

TLS Inspection

HTTP/2
• HTTP/2 is an update to the HTTP protocol. The update provides improvements to speed, efficiency and security and results in a better user experience.
• Check Point's Security Gateway now supports HTTP/2 and benefits from better speed and efficiency while getting full security, with all Threat Prevention and Access Control blades, as well as new protections for the HTTP/2 protocol.
• Support is for both clear and SSL encrypted traffic and is fully integrated with HTTPS/TLS Inspection capabilities.

TLS Inspection Layer
This was formerly called HTTPS Inspection. Provides these new capabilities:
• A new Policy Layer in SmartConsole dedicated to TLS Inspection.
• Different TLS Inspection layers can be used in different policy packages.
• Sharing of a TLS Inspection layer across multiple policy packages.
• API for TLS operations.

Threat Prevention
• Overall efficiency enhancement for Threat Prevention processes and updates.
• Automatic updates to Threat Extraction Engine.
• Dynamic, Domain and Updatable Objects can now be used in Threat Prevention and TLS Inspection policies. Updatable objects are network objects that represent an external service or a known dynamic list of IP addresses, for example - Office365 / Google / Azure / AWS IP addresses and Geo objects.
• Anti-Virus now uses SHA-1 and SHA-256 threat indications to block files based on their hashes. Import the new indicators from the SmartConsole Threat Indicators view or the Custom Intelligence Feed CLI.
• Anti-Virus and SandBlast Threat Emulation now support inspection of e-mail traffic over the POP3 protocol, as well as improved inspection of e-mail traffic over the IMAP protocol.
• Anti-Virus and SandBlast Threat Emulation now use the newly introduced SSH inspection feature to inspect files transferred over the SCP and SFTP protocols.
• Anti-Virus and SandBlast Threat Emulation now provide an improved support for SMBv3 inspection (3.0, 3.0.2, 3.1.1), which includes inspection of multi-channel connections. Check Point is now the only vendor to support inspection of a file transfer through multiple channels (a feature that is on-by-default in all Windows environments). This allows customers to stay secure while working with this performance enhancing feature.

Access Control

Identity Awareness
• Support for Captive Portal integration with SAML 2.0 and third party Identity Providers.
• Support for Identity Broker for scalable and granular sharing of identity information between PDPs, as well as cross-domain sharing.
• Enhancements to Terminal Servers Agent for better scaling and compatibility.

IPsec VPN
• Configure different VPN encryption domains on a Security Gateway that is a member of multiple VPN communities. This provides:
  • Improved privacy - Internal networks are not disclosed in IKE protocol negotiations.
  • Improved security and granularity - Specify which networks are accessible in a specified VPN community.
  • Improved interoperability - Simplified route-based VPN definitions (recommended when you work with an empty VPN encryption domain).
• Create and seamlessly work with a Large Scale VPN (LSV) environment with the help of LSV profiles.

URL Filtering
• Improved scalability and resilience.
• Extended troubleshooting capabilities.

NAT
• Enhanced NAT port allocation mechanism - on Security Gateways with 6 or more CoreXL Firewall instances, all instances use the same pool of NAT ports, which optimizes the port utilization and reuse.
• NAT port utilization monitoring in CPView and with SNMP.

Voice over IP (VoIP)
• Multiple CoreXL Firewall instances handle the SIP protocol to enhance performance.

Remote Access VPN
• Use machine certificate to distinguish between corporate and non-corporate assets and to set a policy enforcing the use of corporate assets only. Enforcement can be pre-logon (device authentication only) or post-logon (device and user authentication).

Mobile Access Portal Agent
• Enhanced Endpoint Security on Demand within the Mobile Access Portal Agent to support all major web browsers. For more information, see sk113410.

Security Gateway and Gaia

CoreXL and Multi-Queue
• Support for automatic allocation of CoreXL SNDs and Firewall instances that does not require a Security Gateway reboot.
• Improved out of the box experience - Security Gateway automatically changes the number of CoreXL SNDs and Firewall instances and the Multi-Queue configuration based on the current traffic load.

Clustering
• Support for Cluster Control Protocol in Unicast mode that eliminates the need for CCP Broadcast or Multicast modes.
• Cluster Control Protocol encryption is now enabled by default.
• New ClusterXL mode - Active/Active, which supports Cluster Members in different geographic locations that are located on different subnets and have different IP addresses.
• Support for ClusterXL Cluster Members that run different software versions.
• Eliminated the need for MAC Magic configuration when several clusters are connected to the same subnet.

VSX
• Support for VSX upgrade with CPUSE in Gaia Portal.
• Support for Active Up mode in VSLS.
• Support for CPView statistical reports for each Virtual System.

Zero Touch
• A simple Plug & Play setup process for installing an appliance - eliminating the need for technical expertise and having to connect to the appliance for initial configuration.

Gaia REST API
• Gaia REST API provides a new way to read and send information to servers that run Gaia Operating System. See sk143612.

Advanced Routing
• Enhancements to OSPF and BGP allow to reset and restart OSPF neighboring for each CoreXL Firewall instance without the need to restart the routed daemon.
• Enhancing route refresh for improved handling of BGP routing inconsistencies.

New kernel capabilities
• Upgraded Linux kernel
• New partitioning system (gpt): Supports more than 2TB physical/logical drives
• Faster file system (xfs)
• Supporting larger system storage (up to 48TB tested)
• I/O related performance improvements
• Multi-Queue:
  • Full Gaia Clish support for Multi-Queue commands
  • Automatic "on by default" configuration
• SMB v2/3 mount support in Mobile Access blade
• Added NFSv4 (client) support (NFS v4.2 is the default NFS version used)
• Support of new system tools for debugging, monitoring and configuring the system

CloudGuard Controller
• Performance enhancements for connections to external Data Centers.
• Integration with VMware NSX-T.
• Support for additional API commands to create and edit Data Center Server objects.

Security Management

Multi-Domain Server
• Back up and restore an individual Domain Management Server on a Multi-Domain Server.
• Migrate a Domain Management Server on one Multi-Domain Server to a different Multi-Domain Security Management.
• Migrate a Security Management Server to become a Domain Management Server on a Multi-Domain Server.
• Migrate a Domain Management Server to become a Security Management Server.
• Revert a Domain on a Multi-Domain Server, or a Security Management Server to a previous revision for further editing.

SmartTasks and API
• New Management API authentication method that uses an auto-generated API Key.
• New Management API commands to create cluster objects.
• Central Deployment of Jumbo Hotfix Accumulator and Hotfixes from SmartConsole or with an API allows to install or upgrade multiple Security Gateways and Clusters in parallel.
• SmartTasks - Configure automatic scripts or HTTPS requests triggered by administrator tasks, such as publishing a session or installing a policy.

Deployment
• Central Deployment of Jumbo Hotfix Accumulator and Hotfixes from SmartConsole or with an API allows to install or upgrade multiple Security Gateways and Clusters in parallel.

SmartEvent
• Share SmartView views and reports with other administrators.

Log Exporter
• Export logs filtered according to field values.

Endpoint Security
• Support for BitLocker encryption for Full Disk Encryption.
• Support for external Certificate Authority certificates for Endpoint Security client authentication and communication with the Endpoint Security Management Server.
• Support for dynamic size of Endpoint Security Client packages based on the selected features for deployment.
• Policy can now control level of notifications to end users.
• Support for Persistent VDI environment in Endpoint Policy Management.
Maria_Pologova inside General Topics yesterday
views 20809 14 5

Drop optimization

We are considering enabling this feature on a highly utilized gateway, where from time to time we observe spikes, which are usually related to high amount of dropped traffic. What is your experience about this feature? Do you encounter any problems while using Drop optimization?
Danny inside General Topics yesterday
views 70827 180 177

Common Check Point Commands (ccc)

🏆 Code Hub Contribution of the Year 2018!
👍 Endorsed by Check Point Support!

ccc is an interactive script to run common Check Point CLI tasks without having to crawl for cheat sheets, bookmarks, manuals or admin guides.

License: GPL

Installation (expert mode) or download:
curl_cli http://dannyjung.de/ccc | zcat > /usr/bin/ccc && chmod +x /usr/bin/ccc

Changelog
0.1 - Initial Release - Inspired by Moti Sagey's Top 3 Check Point CLI commands thread
0.2 - Added more commands
0.3 - Interactive Mode added by Marko Keca
0.4 - Added more commands, removed a bug with the 'View all commands' option, Interface Cleanups
0.5 - Added advanced interface summary developed in this thread
0.6 - Implemented enhancements as suggested by Günther W. Albrecht and Martin Heim, added SIC status check for gateways, general code cleanup
0.7 - Added more Security Management commands and CPU + memory statistics
0.8 - Added IPS/Threat Prevention 'Panic Button' as described in this presentation by Timothy Hall and a command suggested by Maarten Sjouw plus more MDS/VSX commands
0.9 - Implemented enhancements as suggested by Mikael Johnsson and Sven Glock, added commands to enable/disable SecureXL
1.0 - Colors added for better user experience, dropping for out-of-state packets can now be turned on/off thanks to Dameon Welch Abernathy's thread, IPS Update Time is now shown on R80.x systems thanks to Jerom van den Hoek's thread and many other little adjustments to make this a real 1.x release
1.1 - Added system info to Main Menu (props to: Rosemarie Rodriguez & Nathan Davieau for their Healthcheck script), started a Threat Emulation & Extraction section, improved command coloring
1.2 - Enhanced system info as suggested by Martin Heim, improved system information for cluster status
1.3 - Code improvements, replaced several sed with faster tr and cut commands, added more cluster info to Main Menu, corrected checking routines as suggested by Günther W. Albrecht
1.4 - Added Identity Awareness commands, ability to check the postfix email queue (sk114034), MDS additions as suggested by Maarten Sjouw and output optimizations as suggested by Sven Glock
1.5 - Changed interactive mode to support arrow keys for navigation, added usage information, general performance improvements via Bash's builtin parameter substitution, various fixes
1.6 - Added self-update functionality as requested by Vladimir Yakovlev in this thread, implemented more tests to avoid calls to non-existing resources as mentioned by Günther W. Albrecht
1.7 - Fixed a nasty bug discovered by Aleksei Shelepov and Günther W. Albrecht
1.8 - Added commands to start/stop the ICA Management Tool, fixed a typo discovered by Ty King
1.9 - Added cpconfig and mdsconfig utilities, added ipassignment.conf integrity check, improved Multi-Core Performance Tuning commands
2.0 - Improved detection for supported OS as suggested by cciesec2006 at CPUG, added commands for CoreXL Dynamic Dispatcher and Firewall Priority Queue handling
2.1 - Added more details to system info (memory, CPU cores, CoreXL & SecureXL statistics), added migrate export command to Firewall Management section, improved several checks
2.2 - Fixed Firewall Management commands as suggested by Günther W. Albrecht
2.3 - Added more commands for mail handling tasks within Check Point Threat Emulation & code optimization as suggested by Maciej Maczka
2.4 - Added Threat Extraction Bypass commands as suggested by Niels van Sluis, added command to show calculated interface topology for easier address spoofing troubleshooting, general code and interface cleanup
2.5 - Added command to check the LOM of Check Point Appliances, improved Address Spoofing commands as suggested by Norbert Bohusch
2.6 - Improved system information as suggested by Michael Asher, added VPN routing information as developed in Heiko Ankenbrand's thread
2.7 - Added IA command as suggested by Hans Hartung. Introduced a QoS Troubleshooting section and several code improvements as suggested by Alexander Wilke
2.8 - Improved system info (new: SMT, CPU Load, Multi-Queue Interfaces and Dynamic Dispatcher), added more performance tuning commands, minor script code fixes
2.9 - Added more system info (new: Policy, Blades), improved check for number of Multi-Queue interfaces, added Postfix queue message distribution commands as suggested by Benoit Verove
3.0 - Improved script starting time, added status dots to script starting routine, added Jumbo Hotfix take number and free RAM to system info
3.1 - Added performance troubleshooting commands (sar, iotop etc.), added check for licensed cores and OS edition to system info, fixed a parameter gone in R80.20 as mentioned by Günther W. Albrecht
3.2 - Added more details to system info as suggested by Rolf Peeters and Jozko Mrkvicka, improved script code, added user confirmation before executing commands
3.3 - Added Endpoint Management support, improved check for number of permitted cores as discussed in this thread
3.4 - Added more warning markup to system info, added core & crash dump checks, added commands to view and edit the malware policy on Threat Prevention gateways
3.5 - Fixed a syntax error spotted by Kaloyan Metodiev, improved crash dump location check, added max power script command
3.6 - Replaced a Non-Standard ASCII character spotted by Martin Heim, added red warning label to SecureXL and CoreXL when disabled, minor code improvements
3.7 - Added Tim Hall's "Super Seven" performance assessment commands from this TechTalk session
3.8 - Added more commands to MDS Troubleshooting, fixed Multi-Domain Server OS string handling, improved error handling
3.9 - Revised the self-update mechanism to support user control, added more commands to Firewall Management and MDS Troubleshooting, minor code fixes
4.0 - Added support for t, f, g, h keys (when arrow keys don't work) as suggested by Vladimir Yakovlev
4.1 - Added blade update status, added Management server status as discussed in this thread, revised command to show VPN routes as suggested by Alibi in this post, added firewall inspection, address spoofing and IPS mode checks, added Geo Policy check as suggested in Tim Hall's presentation
4.2 - Added disk usage check, fixed CoreXL check, grouped VPN routes by peer, improved cpvinfo syntax as suggested by Günther W. Albrecht
4.3 - Added API status and version to menu info, added check for Any host access, added commands for CPUSE Deployment Agent handling, fixed syntax for disk usage check
4.4 - Added more VPN commands, added Geo Policy One-liner from this thread, added VSX-capabilities as requested by Kaspars Zibarts in this thread, added checks for NTP sync status, SNMP version and GUI clients, added info for dynamic objects, general code improvements
4.5 - Added FW Monitor SuperTool

Planned
• Advanced checks for Sync interface
• MDS Support for easy +/- navigation between mdsenv's
• SMB appliance support
• Secure self-update routine
• GAiA cleanup tasks ($CPDIR/tmp/ cleanups, log compression etc.)
Jaisingh_rathor inside General Topics yesterday
views 57 1

Secure XL ,How it works and templates please explain in detail

Secure XL ,How it works and templates please explain in detail
Chinmaya_Naik inside General Topics yesterday
views 3631 10

Showing logs "Missing OS Route" when place new CP Appliance (Suspect ARP issue)

Hi Team,
As previously we using L3 Switch (Name: POC L3) where 4 interface which comes from two internal switches (ABC and XYZ Switch) is terminated with upstream L3 Switch (Name: POC L3) internal VLAN interface.
➡️ Two internal switches (ABC and XYZ) both having one bond interface with mode LACP.
➡️ On Checkpoint external interface also having a bond interface with network 192.168.100.0/22.
➡️ Our requirement is to place Checkpoint Firewall (23500) in between internal switch (ABC and XYZ) and L3 Switch (Name: POC L3).

We face below challenges

Scenario 1:
As per our requirement, we can not add two bonds on one VLAN. If we added then it will be creating two networks, for example, bond1.100, bond2.100 with respect to VLAN 100.
➡️ So we added 4 interfaces to one BOND as bond1 with mode LACP and then create a VLAN and added that bond1 but we face the issue because all interface is active because of mode LACP.
➡️ So on this scenario, if we remove the cable from any one internal switch, for example, ABC switch then XYZ switch working fine, we able to access server as well ssh from LAN/WAN.

Scenario 2:
As the first scenario does not work as expected so we change the configuration.
➡️ We create a two BOND, bond 1 and bond 2 with respect to the internal switch and then bridge between bond 1 and bond 2 so in this scenario, we only assign one IP address on the bridge interface as 172.16.100.1/22 which meet our requirement.
So in this scenario we able to ping internal server that behind ABC and XYZ switch.

Issue:
➡️ We check the logs, found that the packet drop on Checkpoint internal bond interface, showing error "missing OS route".
➡️ Based on the logs I suspect as the ARP cache is overflowing. The most possible reason - too much traffic on the network (generated by some application, by some hosts, or by related factors). (sk108587)
➡️ By default, the arp cache size is 4096 ARP cache slot so maximum we can increase up to 4096*4=16384 arp cache slot.

Possible Solution
1. If we use two Checkpoint device and give cluster VIP address as 172.16.100.1/22 then we will not face challenges with bond interface configuration.
2. If we place the checkpoint gateway above the POC L3 Switch then we not face challenge related to bond.
3. We need to increase the arp cache size up to 16386 arp cache slot. Before that we need to check the below command to verify whether arp entry will increase or not after live the checkpoint gateway.
   arp -an | wc -l (to check the line on arp cache size)
   Check the message file as "neighbour table overflow"
   command : dmesg | grep -i "table overflow"

From MAX POWER Book: One interesting side effect of not having a private transit network between the internal interface of the firewall and your internal core router is that the firewall will have to maintain far more IP address to MAC address mappings in its ARP cache than it otherwise would. This is especially true if there are hundreds or thousands of workstations/servers located on VLANs directly attached to the firewall’s various interfaces. Such a large network will, of course, have far more broadcast traffic flooded to all stations on the network including the firewall, resulting in reduced overall network throughput. However, one situation that can occur in this case will severely damage the firewall’s performance (almost to the point of looking like rolling outages in some cases): an overflow of the firewall’s ARP cache.

Please suggest us what about the possible reason for getting the error "missing OS route".

NOTE: Message file is overwritten so we unable to find "neighbor table overflow", also we do not have any output or arp cache size during the issue.

Now we again plan to place the Checkpoint with the proper plan so need all your help.

Regards,
@Chinmaya_Naik
Yifat_Chen
inside General Topics yesterday
views 88 3
Employee+

Jumbo Hotfix Accumulator - Did You Know?

Hi Everyone,

My name is @Yifat_Chen and I’m part of the Release Operation group managed by @MeravAlon. Our group is responsible for Check Point major releases (e.g R80.20), minor releases (e.g R80.30) and Jumbo Hotfix Accumulator releases for R80.10, R80.20 & R80.30 trains.

Following several recent conversations and questions from customers, I would like to provide some general information regarding the Jumbo Hotfix (JHF) Accumulator:

Jumbo Hotfix Accumulator is an accumulation of stability and quality fixes resolving issues in different products. For more information, see sk98028.

Check Point recommends that you install the latest GA Jumbo take on a regular basis. A new Jumbo take is usually released every 1-2 months.

For a complete list of fixes in each Jumbo take, please refer to the following SKs: R80.10 JHF SK, R80.10 SmartConsole SK, R80.20 JHF SK, R80.20 SmartConsole SK, R80.30 JHF SK, R80.30 SmartConsole SK

Every new Jumbo take has 2 phases:
1st - Released as “Ongoing” - The main purpose of the “Ongoing” take is early adoption.
2nd – Published as “GA” - Recommended as a General Availability take.
After 3-4 weeks, an “Ongoing” take is moved to GA status. If there is a problem with an “Ongoing” take, a new one will be released.

A new JHF on the Management Server can be installed regardless of the Gateway server. There’s no requirement to align the Management and Gateway to use the same JHF take. (Note - All Management machines should have the same JHF take.)

SmartConsole Jumbo HF is also released every 1-2 months. Note – there is no dependency between SmartConsole and Jumbo takes. Different takes of Jumbo can be used with each SmartConsole take. However – some features/fixes require an upgrade of both Jumbo and SmartConsole.

Installing a JHF is not an upgrade process! The installation of a JHF is simple and doesn’t perform any changes in the Management Database. JHF only replaces specific binaries with new fixes. However, a reboot may be required after JHF installation.

I’m tagging also:
@Tsahi_Etziony – R&D director of Product operation
@MeravAlon - Release Operation Group manager

Please don’t hesitate to contact us for any further questions regarding the Jumbo releases.

Regards,
Yifat Chen
James_Sullivan
James_Sullivan inside General Topics Wednesday
views 3478 5

can I export the list of web application categories

Our risk group is wanting to review and compare the application categories in App Control to other categories used by other similar tools in our environment to try and see if we can line up our policies as close as possible across toolsets. I am hoping to be able to export the list.

Thanks
James
Longson_Ho1
Longson_Ho1 inside General Topics Wednesday
views 607 3

R80.20 Identity Collector Syslog Parser

Hi,

We are doing testing of R80.20 Identity Collector with Syslog Parser feature. Is there any guide about how to create Syslog Parsers for Ruckus Zone Director (Version: 10.0.1.0 build 61) to get the identity information from login and logout event?

Thank you
Val_Loukine
inside General Topics Wednesday
views 13794 161 11
Admin

BEYOND - Customer Success Hub

Hi all, as you have probably mentioned, Check Point has changed the look and feel of Support Portal. If you are opening a new request or working with existing ones, you are now using our new Support tool called BEYOND. Guided tool for this tool is available here. Should you have any comments and suggestions, please feel free to express them in the comments.

UPDATE: Thank you very much for the feedback. Just to provide an update on some of the issues reported:

Customers now can see the details of the migrated SRs - all the migrated SRs allow View Previous Updates that show the updates, activities, and attachments.
Users now can access all tickets on the accounts they are connected to (regardless if they or others opened these tickets).
RMAs should be working now