Rick_Rodrix inside General Topics 12m ago

Using ldap for user authentication on vpn checkpoint

Hello everyone! Please help!!

At this moment I'm using Checkpoint local users to connect to Client-to-site VPN. But I want to improve this and change the whole method of VPN authentication to LDAP. For test purposes, I already have a group on AD which we share with Checkpoint, so we are able to do that and it really works. For now, I don't want to ask the AD admin to create AD groups every time we are asked to provide VPN access. Is there a way to add AD users to a VPN rule without using an AD group?

Let me explain better: we are a big organization, so we have different kinds of users with different needs, so we need to create different kinds of access groups. Since I know that VPN rules only accept legacy users on groups, I'd like to know if there's a way to designate some AD users directly in firewall rules, or a way to do this without contacting the AD admin to create the groups.

Thanks in advance!
Checkpoint R77.30
Di_Junior inside General Topics an hour ago

LDAP groups in Remote Access VPN Rules

Dear Mates,

I have been searching around, and so far I was not able to find an answer to the issue that I am facing. I have currently migrated our VPN solution to Check Point RA VPN, but I am having an issue when it comes to creating rules for remote access users. Each group has permissions to access different machines remotely, so I have requested the creation of specific LDAP groups to be used for remote access. Unfortunately, when I use an LDAP group in the Source field of the policy, users are not able to authenticate. The authentication only works when I select the option "All Account Unit's Users".

Any idea on how this issue could be overcome? Or a workaround perhaps? Thanks in advance
Ryan_St__Germai inside General Topics 2 hours ago

Intel X540-T2 on OpenServer running R80.20 3.10?

Is anyone aware of issues using the 10GB Intel X540-T2 network card with the 3.10 Kernel version of R80.20 or above? The HCL doesn't have a check mark for R80.20 3.10 kernel but wasn't sure if that is because the card hasn't officially been tested yet. Thanks, Ryan
Jason_Carrillo inside General Topics 2 hours ago

R80.20 Managing R80.10 Gateway - CPU Increase

After upgrading our MDS and MLM to R80.20, we are seeing average CPU increases across all of our clusters after pushing policy to the gateways. It has become very apparent on one of our firewalls that is licensed for four cores. The four gateways I am seeing this on are open hardware. I do have a pair of appliance-based clusters that do not seem to have any increase in CPU. All gateways are running R80.10.

I've opened a ticket with Check Point, but they haven't heard about anything like this and frankly, didn't seem too interested in getting to the bottom of it. Has anyone else seen this out there?
Josh_Wilson inside General Topics 3 hours ago

Best Practices for Identity Collector Architecture

Is there a "best practices" doc available that gives coverage of proper IDC architecture, specifically in a VSX environment with multiple VSs running IDA? Should IDC agents be configured with each IDA-enabled VS as a gateway (IDC agent side)? Should only VS0 run IDA and share out the database to each VS? I'm having a difficult time finding the best way to implement IDC on VSX with regard to reliability first, redundancy second, and performance third.

Thanks,
Josh
Daniel_Taney inside General Topics 7 hours ago

64-Bit VS Mode In R80.30 VSX?

I just upgraded a VSX cluster to R80.30 and it appears the vs_bits command no longer exists. Is this because all VSs are automatically running in 64-bit mode on R80.30? I wasn't seeing anything anywhere that conclusively confirmed this. Thanks!
Yifat_Chen inside General Topics 8 hours ago

R80.20 Jumbo Hotfix Accumulator - New Ongoing Take #74

Hi,

A new Ongoing Jumbo Hotfix Accumulator take for R80.20 (take 74) is available. Please refer to sk137592.

R80.20 JHF T74 is the same as T73 (including only alignment to Mail Transfer Agent engine).

The new releases will not be published via CPUSE as a recommended version.

Availability:
- Will be provided by customer support
- Available for download via CPUSE by using package identifier

R80.20 JHF Take #74 content:
- PRJ-503 - Alignment to Mail Transfer Agent Engine Update. Refer to sk123174.
Sharma_Prashant inside General Topics 9 hours ago

Tunnel mode VPN and Transport mode VPN

Does Checkpoint support only Tunnel mode VPN, or can we use Transport mode as well for IPsec? Can we switch between them? Is there any documentation we can get on this to get clarity, with an example?
Danny inside General Topics 10 hours ago

Common Check Point Commands (ccc)

ccc is an interactive script to run common Check Point CLI tasks without having to crawl for cheat sheets, bookmarks, manuals or admin guides. GPL licensed.

Installation (expert mode) or download:

curl_cli http://dannyjung.de/ccc | zcat > /usr/bin/ccc && chmod +x /usr/bin/ccc

Changelog
0.1 - Initial Release - Inspired by Moti Sagey's Top 3 Check Point CLI commands thread
0.2 - Added more commands
0.3 - Interactive Mode added by Marko Keca
0.4 - Added more commands, removed a bug with the 'View all commands' option, Interface Cleanups
0.5 - Added advanced interface summary developed in this thread
0.6 - Implemented enhancements as suggested by Günther W. Albrecht and Martin Heim, added SIC status check for gateways, general code cleanup
0.7 - Added more Security Management commands and CPU + memory statistics
0.8 - Added IPS/Threat Prevention 'Panic Button' as described in this presentation by Timothy Hall and a command suggested by Maarten Sjouw plus more MDS/VSX commands
0.9 - Implemented enhancements as suggested by Mikael Johnsson and Sven Glock, added commands to enable/disable SecureXL
1.0 - Colors added for better user experience, dropping for out-of-state packets can now be turned on/off thanks to Dameon Welch Abernathy's thread, IPS Update Time is now shown on R80.x systems thanks to Jerom van den Hoek's thread and many other little adjustments to make this a real 1.x release
1.1 - Added system info to Main Menu (props to: Rosemarie Rodriguez & Nathan Davieau for their Healthcheck script), started a Threat Emulation & Extraction section, improved command coloring
1.2 - Enhanced system info as suggested by Martin Heim, improved system information for cluster status
1.3 - Code improvements, replaced several sed with faster tr and cut commands, added more cluster info to Main Menu, corrected checking routines as suggested by Günther W. Albrecht
1.4 - Added Identity Awareness commands, ability to check the postfix email queue (sk114034), MDS additions as suggested by Maarten Sjouw and output optimizations as suggested by Sven Glock
1.5 - Changed interactive mode to support arrow keys for navigation, added usage information, general performance improvements via Bash's builtin parameter substitution, various fixes
1.6 - Added self-update functionality as requested by Vladimir Yakovlev in this thread, implemented more tests to avoid calls to non-existing resources as mentioned by Günther W. Albrecht
1.7 - Fixed a nasty bug discovered by Aleksei Shelepov and Günther W. Albrecht
1.8 - Added commands to start/stop the ICA Management Tool, fixed a typo discovered by Ty King
1.9 - Added cpconfig and mdsconfig utilities, added ipassignment.conf integrity check, improved Multi-Core Performance Tuning commands
2.0 - Improved detection for supported OS as suggested by cciesec2006 at CPUG, added commands for CoreXL Dynamic Dispatcher and Firewall Priority Queue handling
2.1 - Added more details to system info (memory, CPU cores, CoreXL & SecureXL statistics), added migrate export command to Firewall Management section, improved several checks
2.2 - Fixed Firewall Management commands as suggested by Günther W. Albrecht
2.3 - Added more commands for mail handling tasks within Check Point Threat Emulation & code optimization as suggested by Maciej Maczka
2.4 - Added Threat Extraction Bypass commands as suggested by Niels van Sluis, added command to show calculated interface topology for easier address spoofing troubleshooting, general code and interface cleanup
2.5 - Added command to check the LOM of Check Point Appliances, improved Address Spoofing commands as suggested by Norbert Bohusch
2.6 - Improved system information as suggested by Michael Asher, added VPN routing information as developed in Heiko Ankenbrand's thread
2.7 - Added IA command as suggested by Hans Hartung. Introduced a QoS Troubleshooting section and several code improvements as suggested by Alexander Wilke
2.8 - Improved system info (new: SMT, CPU Load, Multi-Queue Interfaces and Dynamic Dispatcher), added more performance tuning commands, minor script code fixes
2.9 - Added more system info (new: Policy, Blades), improved check for number of Multi-Queue interfaces, added Postfix queue message distribution commands as suggested by Benoit Verove
3.0 - Improved script starting time, added status dots to script starting routine, added Jumbo Hotfix take number and free RAM to system info
3.1 - Added performance troubleshooting commands (sar, iotop etc.), added check for licensed cores and OS edition to system info, fixed a parameter gone in R80.20 as mentioned by Günther W. Albrecht
3.2 - Added more details to system info as suggested by Rolf Peeters and Jozko Mrkvicka, improved script code, added user confirmation before executing commands
3.3 - Added Endpoint Management support, improved check for number of permitted cores as discussed in this thread
3.4 - Added more warning markup to system info, added core & crash dump checks, added commands to view and edit the malware policy on Threat Prevention gateways
3.5 - Fixed a syntax error spotted by Kaloyan Metodiev, improved crash dump location check, added max power script command
3.6 - Replaced a Non-Standard ASCII character spotted by Martin Heim, added red warning label to SecureXL and CoreXL when disabled, minor code improvements
3.7 - Added Tim Hall's "Super Seven" performance assessment commands from this TechTalk session
3.8 - Added more commands to MDS Troubleshooting, fixed Multi-Domain Server OS string handling, improved error handling
3.9 - Revised the self-update mechanism to support user control, added more commands to Firewall Management and MDS Troubleshooting, minor code fixes
4.0 - Added support for t, f, g, h keys (when arrow keys don't work) as suggested by Vladimir Yakovlev
4.1 - Added blade update status, added Management server status as discussed in this thread, revised command to show VPN routes as suggested by Alibi in this post, added firewall inspection, address spoofing and IPS mode checks, added Geo Policy check as suggested in Tim Hall's presentation
4.2 - Added disk usage check, fixed CoreXL check, grouped VPN routes by peer, improved cpvinfo syntax as suggested by Günther W. Albrecht
4.3 - Added API status and version to menu info, added check for Any host access, added commands for CPUSE Deployment Agent handling, fixed syntax for disk usage check
4.4 - Added more VPN commands, added Geo Policy One-liner from this thread, added VSX-capabilities as requested by Kaspars Zibarts in this thread, added checks for NTP sync status, SNMP version and GUI clients, added info for dynamic objects, general code improvements

Planned
- Advanced checks for Sync interface
- MDS Support for easy +/- navigation between mdsenv's
- SMB appliance support
- Secure self-update routine
- GAiA cleanup tasks ($CPDIR/tmp/ cleanups, log compression etc.)
Patrick inside General Topics yesterday

Silent Uninstall SmartConsole

Hello,

The silent install of the SmartConsole via "SmartConsole.exe -s" works well... but is it possible to silently uninstall the SmartConsole?
Adam_Styles inside General Topics yesterday

VSX Cluster IP address

Hi all,

I have 2 x SG5600's and have configured a VSX Cluster, so I have the VSX Cluster IP address, the IP address of 5600 #1 and the IP address of 5600 #2. After bringing this up I tried to ping all 3 interfaces but could only ping one VSX member and the VSX Cluster IP itself. Upon checking the ARP cache, the VSX Cluster IP shares the same MAC as one of the physical interfaces, so I wouldn't be able to ping all 3. Is this the expected behaviour? I am also seeing the VSX Cluster object and Active FW as 'OK' in SmartConsole but the Standby firewall just has a grey line next to it - is this due to the issue above?

Thanks
Maik inside General Topics yesterday

TCP SACK PANIC - Kernel vulnerabilities | Check Point affected?

Hello,

Just wanted to ask for a statement from Check Point regarding CVE-2019-11477, CVE-2019-11478 & CVE-2019-11479. As Red Hat posted a statement and mentioned that several releases are affected, my guess is that Check Point with GAiA is affected too (as it is based on RH Linux...). Details can be read below:

https://access.redhat.com/security/vulnerabilities/tcpsack

Regards,
Maik
HeikoAnkenbrand inside General Topics Tuesday

R80.x Performance Tuning Tip - AES-NI

What is AES-NI

Intel's AES New Instructions (AES-NI) is an encryption instruction set that improves on the Advanced Encryption Standard (AES) algorithm and accelerates the encryption of data in many processor families. Comprised of seven new instructions, AES-NI gives your environment faster, more affordable data protection and greater security.

Chapter
Architecture:
R80.x Security Gateway Architecture (Logical Packet Flow)
R80.x Security Gateway Architecture (Content Inspection)
R80.x Security Gateway Architecture (Acceleration Card Offloading)
R80.x Ports Used for Communication by Various Check Point Modules
Performance Tuning:
R80.x Performance Tuning Tip - Intel Hardware
R80.x Performance Tuning Tip - AES-NI
R80.x Performance Tuning Tip - SMT (Hyper Threading)
R80.x Performance Tuning Tip - Multi Queue
R80.x Performance Tuning Tip - Connection Table
R80.x Performance Tuning Tip - fw monitor
R80.x Performance Tuning Tip - TCPDUMP vs. CPPCAP
R80.x Performance Tuning Tip - DDoS "fw sam" vs. "fwaccel dos"
Cheat Sheet:
R80.x cheat sheet - fw monitor
R80.x cheat sheet - ClusterXL
More interesting articles:
Article list (Heiko Ankenbrand)

Appliances and Open Servers with AES-NI

Better throughput can be achieved by selecting a faster encryption algorithm. For a comparison of encryption algorithm speeds, refer to sk73980 - Relative speeds of algorithms for IPsec and SSL. AES-NI is Intel's dedicated instruction set, which significantly improves the speed of Encrypt-Decrypt actions and allows one to increase AES throughput for:
- Site-to-Site VPN
- Remote Access VPN
- Mobile Access
- HTTPS Interception

The general speed of the system depends on additional parameters. Check Point supports AES-NI on many appliances, only when running Gaia OS with a 64-bit kernel. On these appliances AES-NI is enabled by default. AES-NI is also supported on Open Servers.

Affected encryption algorithms include:
- AES-CBC (128-bit and 256-bit)
- AES-GCM (128-bit and 256-bit), which shows the most significant improvement - with AES-NI, it is faster than AES-CBC, when both sides support AES-NI. Without AES-NI support, it is slightly slower than AES-CBC + HMAC-SHA1.

Check if AES-NI is activated

# dmesg | grep "AES-NI"

If it is not available, the following message is displayed:

If AES-NI is not enabled, it must be turned on in the BIOS (if available). This is the typical way for Open Servers. It can also be checked whether the CPU provides AES-NI. For this, the following command should be executed. Here "aes" should now be displayed.

# grep -m1 -o aes /proc/cpuinfo

AES-NI performance measurement

A little bit of reverse engineering. Check Point uses OpenSSL as a library. Therefore the command "openssl" is provided as "cpopenssl". This gives us the possibility to execute all openssl commands. With this I tested a little bit and came to the conclusion that performance measurements are possible with the following command. So you can test the performance differences with enabled and disabled AES-NI.

Warning notice: If you execute this command you have 100% CPU usage on the firewall for 20 sec.

# cpopenssl speed aes-256-cbc

Enabled AES-NI:

Disabled AES-NI:

After these results I would always recommend to activate AES-NI, and AES is preferred to 3DES because it offers many performance advantages through the hardware acceleration. With the following command you can test and compare all encryption methods.

Warning notice: If you execute this command you have 100% CPU usage for a long time!

# cpopenssl speed

This makes it possible to compare encryption algorithms. It shows that e.g. AES 256 is more performant than DES. Therefore AES 256 should rather be used for VPN connections than DES or 3DES. This is also well described in the following SK: Relative speeds of algorithms for IPsec and SSL.

References
- Relative speeds of algorithms for IPsec and SSL
- Best Practices - VPN Performance
- vSEC Virtual Edition (VE) Gateway support for AES-NI on VMware ESX
- MultiCore Support for IPsec VPN in R80.10 and above

Copyright by Heiko Ankenbrand 1994-2019
Philip_W inside General Topics Tuesday

high cpu allowed but unknown trafic

Hi Checkmates,

For the second week in a row, over the weekend we have been experiencing heavy (allowed) traffic through our VSX (R77.30) toward servers located behind our load balancers. This causes high CPU usage on 2 cores and now we are fearing some targeted DDoS or reconnaissance action is taking place. We received no complaints from users or server admins. We know which VS is impacted but are having difficulties identifying exactly what is happening. To this end I used:

fw tab -u -t connections | awk '{ print $2 }' | sort -n | uniq -c | sort -nr | head -10

from 'My top 3 CLI commands' (where Timothy shared a way of showing the top ten source IPs hogging slots in the connection table). This gave us some IPs, but basically we could see that in SmartLog too.

How could we investigate this any deeper? Taking a .cap wouldn't help a lot, or would it? Any ideas?
carl_t inside General Topics Tuesday

Multiple VPN domains - when will it be supported?

Hi All,

A few months back I posted a question around the support for Multiple VPN domains on the R80 Gateway; someone said this was on the roadmap for R80.30? Is this still the case? I have heard nothing for a while.

Many thanks