General Topics

Have a question and you can't figure out where to post about it after reading All Products and Where to Post About Them? Post it here!

PhoneBoy inside General Topics 3 hours ago
views 153 9 9
Admin

New updatable object for HTTPS Inspection: HTTPS Services Bypass

We are glad to share a new usability enhancement for our HTTPS Inspection customers. Starting from R80.40, HTTPS Inspection customers will be able to consolidate their certificate-pinned app rules using managed updatable objects. We've collected a list of HTTPS services which are known to be used in scenarios where HTTPS Inspection is unable to establish the trust between the client and the Security Gateway and is therefore unable to inspect the traffic. These HTTPS services are part of the "HTTPS services - bypass" updatable object. You can choose to add this object to the HTTPS Inspection policy as a bypass rule to avoid connectivity issues and/or to the Access policy as a drop rule to block these services explicitly. For further information please refer to sk163595. If you'd like to see some additional services added to this, let us know!
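As an added illustration of the trust problem this object works around (example code written for this page, not Check Point's and not from the announcement): the snippet models the two checks a client can apply to the certificate it receives, the OS chain check and an application-level public-key pin. Re-signing the server certificate with the gateway CA satisfies the first but not the second, which is why a pinned app fails the handshake regardless of policy. The certificate objects, CA names, key bytes and hostname are constructed placeholders, not real X.509 data.

```python
"""Why a certificate-pinned client cannot be inspected.

Added example, not Check Point code. A client can apply two checks to the
certificate it receives: the OS chain check (is the issuer a trusted CA?) and an
application pin (does the SHA-256 of the leaf's public key match a value shipped
with the app?). HTTPS Inspection passes the first by re-signing the server
certificate with the gateway CA that the device trusts, but cannot pass the
second, because the re-signed certificate carries the gateway's key.
The "certificates" below are constructed stand-ins, not real X.509 objects.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, FrozenSet


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    spki: bytes  # stand-in for the DER-encoded SubjectPublicKeyInfo


def spki_pin(cert: Cert) -> str:
    """SPKI pin as used by HPKP-style pinning: SHA-256 over the public key."""
    return hashlib.sha256(cert.spki).hexdigest()


def chain_trusted(cert: Cert, trust_store: FrozenSet[str]) -> bool:
    """OS-level check: the issuer must be in the device trust store."""
    return cert.issuer in trust_store


def browser_accepts(cert: Cert, trust_store: FrozenSet[str]) -> bool:
    return chain_trusted(cert, trust_store)


def pinned_app_accepts(cert: Cert, trust_store: FrozenSet[str],
                       pins: FrozenSet[str]) -> bool:
    """App-level check: the chain must validate AND the key must match a pin."""
    return chain_trusted(cert, trust_store) and spki_pin(cert) in pins


def inspect(origin: Cert, gateway_ca: str, gateway_spki: bytes) -> Cert:
    """What HTTPS Inspection does: re-issue the leaf under the gateway CA with
    the gateway's own key, keeping the subject so hostname checks still pass."""
    return Cert(subject=origin.subject, issuer=gateway_ca, spki=gateway_spki)


# Constructed scenario: placeholder names and key bytes.
ORIGIN = Cert("api.example.com", "Public CA", b"origin-public-key")
GATEWAY_CA = "Corp HTTPS Inspection CA"
TRUST_STORE = frozenset({"Public CA", GATEWAY_CA})  # gateway CA pushed to devices
APP_PINS = frozenset({spki_pin(ORIGIN)})             # pin baked into the app
INSPECTED = inspect(ORIGIN, GATEWAY_CA, b"gateway-public-key")


def outcome(cert: Cert) -> Dict[str, bool]:
    """Whether a plain browser and a pinned app would accept this certificate."""
    return {
        "browser": browser_accepts(cert, TRUST_STORE),
        "pinned_app": pinned_app_accepts(cert, TRUST_STORE, APP_PINS),
    }


if __name__ == "__main__":
    print("direct   :", outcome(ORIGIN))
    print("inspected:", outcome(INSPECTED))
```

The pinned app rejects the inspected certificate even though the device trusts the gateway CA, so no amount of CA deployment helps; the only options are to bypass inspection for those destinations or to drop them explicitly, which is exactly the two uses of the updatable object described above.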
kobilevi inside General Topics yesterday
views 7

First packet isnt SYN-r80.20

Hello. Recently we installed two Check Point 15600s in cluster mode (active/passive). Since we moved the L3 of the VLANs, the performance of the network is very slow (bandwidth is not fully used). I only see in the logs the message: "CP packet out of state - First packet isn't SYN; TCP Flags - RST-ACK", and some logs showed me: "CP packet out of state - First packet isn't SYN; TCP Flags - FIN-ACK". I have seen many documents here but none of them led me to the resolution...
*** The problem occurs both within the same source and destination VLAN and between different source and destination VLANs.
OS build 101
OS kernel version 2.6.18-92cpx86_64
OS edition 64-bi
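An added example (not Check Point code and not from the poster) of the stateful check that produces this log line. It models a connection table keyed on the 4-tuple, feeds it two constructed packet sequences, and shows which segments are logged as out of state: a teardown segment whose handshake the firewall never saw (because it took another path, or its entry existed only on the other cluster member) is dropped with exactly this message. Addresses and ports are placeholders.

```python
"""Model of the stateful check behind "First packet isn't SYN".

Added example, not Check Point code. It reproduces the logic that produces that
log entry: a stateful firewall creates a connection-table entry only when it sees
a SYN, and every later segment must match an existing entry. A RST-ACK or FIN-ACK
that matches no entry is "out of state". The packet sequences below are
constructed; addresses and ports are placeholders.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "SYN", "SYN-ACK", "ACK", "FIN-ACK", "RST-ACK"


Key = Tuple[str, int, str, int]


class StatefulFirewall:
    def __init__(self) -> None:
        self.table: Dict[Key, str] = {}  # connection key -> state
        self.log: List[str] = []

    @staticmethod
    def _key(p: Packet) -> Key:
        # Direction-independent key so the reply maps to the same entry.
        forward = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        return min(forward, reverse)

    def process(self, p: Packet) -> str:
        key = self._key(p)
        if key not in self.table:
            if p.flags == "SYN":
                self.table[key] = "SYN_SENT"
                return "accept"
            # No entry and not a SYN: this is the "out of state" case.
            self.log.append(
                f"CP packet out of state - First packet isn't SYN; "
                f"TCP Flags - {p.flags}; {p.src}:{p.sport} -> {p.dst}:{p.dport}"
            )
            return "drop"
        if p.flags == "SYN-ACK" and self.table[key] == "SYN_SENT":
            self.table[key] = "ESTABLISHED"  # simplified: final ACK not tracked
        elif p.flags in ("FIN-ACK", "RST-ACK", "RST"):
            del self.table[key]  # teardown removes the entry
        return "accept"


def run(packets: List[Packet]) -> Tuple[List[str], List[str]]:
    """Feed a packet sequence to a fresh firewall; return verdicts and log."""
    fw = StatefulFirewall()
    verdicts = [fw.process(p) for p in packets]
    return verdicts, fw.log


CLIENT, SERVER = ("10.1.1.10", 51000), ("10.2.2.20", 443)

# Constructed: the firewall sees the whole connection, including its teardown.
SYMMETRIC = [
    Packet(*CLIENT, *SERVER, "SYN"),
    Packet(*SERVER, *CLIENT, "SYN-ACK"),
    Packet(*CLIENT, *SERVER, "ACK"),
    Packet(*SERVER, *CLIENT, "FIN-ACK"),
]

# Constructed: the handshake took another path (or the entry was lost, e.g. it
# existed only on the other cluster member), so the first segments the firewall
# sees for this 4-tuple are the teardown.
ASYMMETRIC = [
    Packet(*SERVER, *CLIENT, "FIN-ACK"),
    Packet(*SERVER, *CLIENT, "RST-ACK"),
]

if __name__ == "__main__":
    for name, seq in (("symmetric", SYMMETRIC), ("asymmetric", ASYMMETRIC)):
        verdicts, log = run(seq)
        print(name, verdicts, *log, sep="\n  ")
```

The practical check this suggests: confirm that both directions of a flow traverse the same cluster member after the L3 move (a traceroute from each side, or a capture on both members for one 4-tuple), since a path that is symmetric for new connections but not for the ones that existed at cutover produces exactly this mix of FIN-ACK and RST-ACK drops followed by retransmissions.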
aner_sagi inside General Topics yesterday
views 1952 15 3

Smartcenter gaia on nutanix ?

Hi All, a new customer of mine wants to move his R80.10 SmartCenter (currently on Hyper-V) to Nutanix. Is it supported? Thanks in advance, Aner
kb1 inside General Topics yesterday
views 52 4

Can anyone tell me how to unblock a website

So my team got assigned a service request from someone who is not able to access a website. I'm assuming the Check Point firewall is blocking it, or it could be something else, maybe a Bluecoat or some other product that we use in our company that is blocking it, but if it really is the Check Point that is blocking it, how do I verify that? The URL Filtering blade is responsible for that, right? (I don't think we have URL Filtering enabled on any of the firewalls, but I could be wrong.) And if it does turn out that the Check Point is blocking it, how do I unblock it? And how do I know which firewall is blocking it? By looking at the logs? And to unblock it, do I just have to create a simple rule? Any help would be absolutely appreciated!
GGiorgakis inside General Topics yesterday
views 197 3 1

spike monitor tool

Hello guys, any idea about the spike monitor tool and a link to download it?
stuart2020 inside General Topics yesterday
views 151 5

Check Point R77.30 High CPU Slow Performance

We have been experiencing intermittent performance issues that cause connectivity through the firewall to run slow. This particularly impacts accessing systems over Site-to-Site VPNs and Remote Access VPN. We are running Check Point 15400 R77.30 in ClusterXL active/standby. The firewall has IPsec VPN, Mobile Access, IPS, Anti-Bot, Anti-Virus, URL Filtering and Application Control features enabled. Looking at cpview, the CPU spiked on a particular core and stayed high for 6 hours before returning to normal. This time frame correlates with when the issue was reported and resolved. This issue occurred during a low-usage period, so it doesn't seem to be caused by high traffic / connections on the firewall. If anyone has any ideas or thoughts to resolve this issue, please let me know. Thank you.
Gaurav_Pandya inside General Topics Friday
views 217 5

Renew external (3rd party) certificate for IPSEC VPN

Hi, I want to renew the external certificate in the IPsec VPN tab as it will expire soon. I have gone through some docs and came to know that, in a typical SSL configuration, you receive all the necessary certificates after you generate the CSR code and your CA validates your request. After the CA signs an SSL certificate, it sends a ZIP folder with the installation files to the applicant's email. Since Check Point VPN works the other way around, you have no choice but to contact your SSL vendor and ask for the x509/PEM versions of your root and intermediate certificates, then generate a CSR and give it to the vendor for certificate generation. Is this the method I need to follow? Can someone please share a step-by-step procedure to renew an external certificate for VPN?
chimda inside General Topics Friday
views 49 1

error 27559 no blades were selected

Sir, I downloaded Check Point version 82.10 as advised for Windows 10 version 10.0.18200, but it popped up error 27559 "no blades were selected". I need someone to tell me how to install the software. Attached is the error message.
Theo inside General Topics Friday
views 80 2

Endpoint Security- Failed to create new site Reason: Site is not responding

Location: China
Security Gateway: Standalone / Check Point 2200 Appliance / R80.30
Problem: Unable to create site in Endpoint Security
Action: Verified and compared the settings of the gateway object with other working sites with VPN clients.
Please refer to the settings of my VPN clients.
Theo inside General Topics Thursday
views 96 2

Access Server from Branch office using Remote Access

VPN Community type: Star
HQ1 - Center gateway / Check Point 2200 / R80.30
Branch1 - Satellite gateway / Check Point 1100 / R77.20
VPN Routing - To center and to other satellites through center
Branch1 Policy Rule - RA range added to access the server over port 8069
The VPN client was able to connect to the HQ1 gateway and can access services inside the HQ1 office, but is unable to reach the server in the Branch1 office.
PhoneBoy inside General Topics Thursday
views 242 1
Admin

The R80.x Adoption Experience by the Numbers TechTalk: Q&A, Video, and Slides

How widely has Check Point R80.x been adopted? What was the path people took? What was the experience? With the help of @Jim_MacLeod and our friends from Indeni, we'll answer these questions in this TechTalk! Content available to CheckMates members: Slides, Full Video. Selected Q&A will be posted in the comments. Excerpt from the session below:
Patricio_Gavila inside General Topics Thursday
views 2083 10

Messages of mux error on a cluster (active-standby) in r80.20

Hi all, I have a Lenovo System x3650 M5 (compatibility matrix) with Gaia R80.20 (Jumbo HF take 80) in a distributed deployment. The server firmware is updated to the latest level, and with the R77.30 version it works great. I have many problems with the Internet; for example, images and Office 365 emails take too long to load, even when the user is in an unrestricted rule. This did not happen with R77.30. The active gateway shows error messages in the file /var/log/messages:

Jun 12 14:19:57 2019 FW-NODO1 kernel: [fw4_4];mux_task_handler: ERROR: Failed to handle task. task=ffffc20085221670, app_id=1, mux_state=ffffc20092970c00.
Jun 12 14:19:57 2019 FW-NODO1 kernel: [fw4_4];mux_soc_result_handler: ERROR: Failed to handle task queue. mux_opaque=ffffc20092970c00.
Jun 12 14:19:57 2019 FW-NODO1 kernel: [fw4_4];tls_main_send_record_layer_message: mux_soc_result_handler failed
Jun 12 14:19:58 2019 FW-NODO1 kernel: [fw4_4];mux_task_handler: ERROR: Failed to handle task. task=ffffc2008275e530, app_id=1, mux_state=ffffc2005f6a5c00.
Jun 12 14:19:58 2019 FW-NODO1 kernel: [fw4_4];mux_soc_result_handler: ERROR: Failed to handle task queue. mux_opaque=ffffc2005f6a5c00.
Jun 12 14:19:58 2019 FW-NODO1 kernel: [fw4_4];tls_main_send_record_layer_message: mux_soc_result_handler failed
Jun 12 14:19:58 2019 FW-NODO1 kernel: [fw4_4];mux_task_handler: ERROR: Failed to handle task. task=ffffc2011e77b7b0, app_id=1, mux_state=ffffc200d97bfc00.
Jun 12 14:19:58 2019 FW-NODO1 kernel: [fw4_4];mux_soc_result_handler: ERROR: Failed to handle task queue. mux_opaque=ffffc200d97bfc00.
Jun 12 14:19:58 2019 FW-NODO1 kernel: [fw4_4];tls_main_send_record_layer_message: mux_soc_result_handler failed
Jun 12 14:19:59 2019 FW-NODO1 kernel: [fw4_3];mux_task_handler: ERROR: Failed to handle task. task=ffffc200a775bfb0, app_id=1, mux_state=ffffc2027cc1a420.
Jun 12 14:19:59 2019 FW-NODO1 kernel: [fw4_3];mux_soc_result_handler: ERROR: Failed to handle task queue. mux_opaque=ffffc2027cc1a420.
Jun 12 14:19:59 2019 FW-NODO1 kernel: [fw4_3];tls_main_send_record_layer_message: mux_soc_result_handler failed
Jun 12 14:19:59 2019 FW-NODO1 kernel: [fw4_3];mux_task_handler: ERROR: Failed to handle task. task=ffffc200aa947b30, app_id=1, mux_state=ffffc200dffa5810.
Jun 12 14:19:59 2019 FW-NODO1 kernel: [fw4_3];mux_soc_result_handler: ERROR: Failed to handle task queue. mux_opaque=ffffc200dffa5810.
Jun 12 14:19:59 2019 FW-NODO1 kernel: [fw4_3];tls_main_send_record_layer_message: mux_soc_result_handler failed
Jun 12 14:20:00 2019 FW-NODO1 kernel: [fw4_2];mux_task_handler: ERROR: Failed to handle task. task=ffffc2007f670b30, app_id=1, mux_state=ffffc200c6950420.
Jun 12 14:20:00 2019 FW-NODO1 kernel: [fw4_2];mux_soc_result_handler: ERROR: Failed to handle task queue. mux_opaque=ffffc200c6950420.
Jun 12 14:20:00 2019 FW-NODO1 kernel: [fw4_2];tls_main_send_record_layer_message: mux_soc_result_handler failed
Jun 12 14:20:01 2019 FW-NODO1 kernel: [fw4_5];mux_task_handler: ERROR: Failed to handle task. task=ffffc20122ccdb70, app_id=1, mux_state=ffffc20068218810.
Jun 12 14:20:01 2019 FW-NODO1 kernel: [fw4_5];mux_soc_result_handler: ERROR: Failed to handle task queue. mux_opaque=ffffc20068218810.
Jun 12 14:20:01 2019 FW-NODO1 kernel: [fw4_5];tls_main_send_record_layer_message: mux_soc_result_handler failed
Jun 12 14:20:02 2019 FW-NODO1 kernel: [fw4_5];cpas_newconn_ex : called upon something other than tcp SYN. Aborting

My question is whether anyone knows if it is possible to deactivate the mux. Otherwise I will roll back to R77.30. My concern is: Check Point sells a poorly tested product and, even more, wants to force customers to migrate from R77.30 to R80, knowing that the R77.30 version is the best they have had in many years. The R80 version has too many problems; even in a cluster, the failures of the product are truly impressive. Thanks, Patricio G.
kobilevi inside General Topics Thursday
views 221 7

smartconsole 80.30 is crashing

Hello, I installed the latest version of SmartConsole on my computer; my Gaia server is installed on VMware Workstation. After the installation and completing the wizard in the web interface, the system rebooted and came up, but I lost the connection to the server. The web interface is still up, but I cannot ping the server from my computer, and SmartConsole doesn't work either. Pinging my computer from the server is fine. Does someone know what the problem is?
David_Herselman inside General Topics Thursday
views 4028 8

Disable NAT on SIP payload - breaks ICE

How do we disable NAT on SIP and SDP payloads when using NAT? The ATRG: VoIP documentation states the following:

We're running Asterisk with ICE (Interactive Connectivity Establishment), which essentially provides multiple candidates in INVITE or SDP negotiation messages, where each is an IP and port combination. It discovers the public candidates by connecting to STUN servers on the public internet.

Why would we not want the security gateway to NAT the payload?
We intend to use Bria Stretto as a mobile SIP application. The app works perfectly in all environments when in the foreground and subsequently registered directly to our office SIP server. The problem we're having is when the app is in the background, becoming completely inactive. Public SIP servers operated by CounterPath essentially register in place of the mobile and send a wake-up push notification when they receive a call. The push appears to provide the app with a copy of the original INVITE, so it should receive both the higher-priority ICE host candidates as well as the lower-priority server-reflexive (NATted IP and port) candidates.
The problem with the Check Point overwriting the SIP and SDP payload is that a mobile device connected to either a private cellular APN or corporate WiFi will exclusively be provided with the public IP, which results in one-way audio. Everything works perfectly when the mobile is using LTE or NATted through a home WiFi network.

What we're after:
We would simply like the Check Point to continue applying a NAT policy to the headers but leave the SIP and SDP payloads alone. This is typically accomplished by simply turning off SIP ALG processing.

Sample packet leaving the SIP server towards CounterPath's public push servers:
Sample packet after NAT processing by Check Point:

We have not had success in following the following recommendations. Both of these, however, appear to apply to cases where threat prevention policies were blocking packets, not the Check Point simply NATting packets like any other UDP packet and leaving the payload alone:
How to disable SIP ALG inspection in a specific rule in Checkpoint?
Also, could this be done globally, like Cisco ASA?

Tried disabling SIP inspection:
fw ctl set int voip_multik_enable_forwarding 0
echo voip_multik_enable_forwarding=0 >> $FWDIR/boot/modules/fwkern.conf

The following is an excellent summation of the ICE protocol:
Interactive Connectivity Establishment: – IETF Journal
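An added example (written for this page; not Check Point code, not Asterisk output and not from the poster) of what a SIP/SDP ALG does to the payload and why that breaks ICE for a client on the internal network. It parses a constructed SDP offer containing a host candidate and a server-reflexive candidate, applies the payload rewrite an ALG performs, and shows that afterwards no candidate is reachable without hairpinning for a client on the same LAN. The SDP body, addresses, ports and priorities are constructed placeholders.

```python
"""SIP ALG payload rewriting versus ICE candidates.

Added example, not Check Point code and not Asterisk output. It shows what a
SIP/SDP ALG does to the payload of a NATted SIP message and why that removes the
information an ICE endpoint on the internal network needs. The SDP body,
addresses and candidate priorities are constructed placeholders.
"""
import ipaddress
import re
from typing import Dict, List

# Constructed SDP offer as the internal SIP server would send it: a host
# candidate (its own LAN address) and a server-reflexive candidate learned from
# STUN (its public address as seen from the internet).
OFFER = """\
v=0
o=- 1 1 IN IP4 10.0.0.5
s=-
c=IN IP4 10.0.0.5
t=0 0
m=audio 4000 RTP/AVP 0
a=candidate:1 1 udp 2130706431 10.0.0.5 4000 typ host
a=candidate:2 1 udp 1694498815 203.0.113.7 4000 typ srflx raddr 10.0.0.5 rport 4000
"""

CANDIDATE_RE = re.compile(
    r"^a=candidate:(?P<foundation>\S+) (?P<component>\d+) (?P<transport>\S+) "
    r"(?P<priority>\d+) (?P<addr>\S+) (?P<port>\d+) typ (?P<typ>\S+)"
)


def parse_candidates(sdp: str) -> List[Dict[str, str]]:
    """Return the ICE candidate lines as dicts (addr, port, typ, priority, ...)."""
    out = []
    for line in sdp.splitlines():
        m = CANDIDATE_RE.match(line)
        if m:
            out.append(m.groupdict())
    return out


def alg_rewrite(sdp: str, internal_ip: str, public_ip: str) -> str:
    """Model of a SIP ALG applying the header NAT to the payload: every
    occurrence of the internal address (c=, o= and a=candidate lines, including
    the srflx raddr) is replaced by the public address."""
    return re.sub(rf"\b{re.escape(internal_ip)}\b", public_ip, sdp)


def directly_reachable(sdp: str, client_lan: str) -> List[str]:
    """Candidate addresses a client inside `client_lan` can reach without
    hairpinning through the NAT: those that lie in the same network."""
    lan = ipaddress.ip_network(client_lan)
    return [
        c["addr"]
        for c in parse_candidates(sdp)
        if ipaddress.ip_address(c["addr"]) in lan
    ]


if __name__ == "__main__":
    rewritten = alg_rewrite(OFFER, "10.0.0.5", "203.0.113.7")
    print(rewritten)
    print("LAN-reachable before ALG:", directly_reachable(OFFER, "10.0.0.0/24"))
    print("LAN-reachable after ALG :", directly_reachable(rewritten, "10.0.0.0/24"))
```

After the rewrite the host candidate carries the public address, so a phone on the same 10.0.0.0/24 (private APN or corporate WiFi in the post's terms) is left with only the NATted address and, unless the gateway hairpins RTP, media in one direction goes nowhere. Leaving the payload untouched keeps both candidates, and ICE's own connectivity checks pick whichever works, which is the outcome the post is asking for.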
Czar inside General Topics Thursday
views 181 5 1

Check Point for Beginners - Part 2 - Preparing the Lab

Thank you Val Loukine (and other admins) for his page CP4B. Really helpful. I am new to Check Point. I changed company and will have to use this technology. In the past I used Cisco, Palo Alto, pfSense. In Part 2 the lab is discussed. I think I might be short on resources to make the lab :-(. I have a mini desktop with an Intel(R) Core(TM) i5-8500T CPU @ 2.10GHz, 2112 MHz, 6 cores and 12GB RAM. I don't have access to a nice ESXi environment with lots of RAM and storage. Does someone else have experience with a setup like mine using VMware Workstation and only 12GB of RAM? Also, I'm trying to figure out what the comment of Vladimir means at the end of the page. Should I use VirtualBox instead of VMware Workstation? Last question: I used GNS3 in the past for Cisco labs. Is this an even better option for a lab setup?