Michael_Carson inside General Topics 22m ago
views 10 1

License CheckPoint 4400

Good morning, since I expired my license, when creating a rule for example to restrict bandwidth, it does not question is, if the expired license has something to do?
Maik inside General Topics 47m ago
views 618 7 5

TCP SACK PANIC - Kernel vulnerabilities | Check Point affected?

Hello, Just wanted to ask for a statement from Check Point regarding CVE-2019-11477, CVE-2019-11478 & CVE-2019-11479. As Red Hat posted a statement and mentioned several releases are affected my guess is, that Check Point with GAiA is affected too (as based on RH Linux...). Details can be read below: Regards, Maik
Thomas_Allen inside General Topics 2 hours ago
views 16

Manage users with Centrify

Is anyone using Centrify to manage their Gaia deployments? We are going to have a POC with Centrify later this month for our servers, databases, etc., and I'm sure there will be a push to also manage the firewalls. I have only started reading about Centrify and Gaia, but it sounds like there are a lot of "gotchas", and not so much benefit. The Centrify deployment would be managed outside of security team, I'm not very fond of giving up control over gateways to another system/group that is not in the security team.
Maik inside General Topics 3 hours ago
views 126 5

Question regarding R80.20 software release

Hello guys, I have a quite basic question which got me confused so far. It is related to a gateway upgrade from R80.10 to R80.20 - for that I used the upgrade wizard which pointed me to the file "Check_Point_R80.20_T101_Fresh_Install_and_Upgrade_Security_Gateway.tgz", linked here. That's fine and the installation can be accomplished via cpuse - CLI or WebUI. However, what I do not understand is, the related jumbo hotfix package, that is included - or not included. The file name itself mentions "T101", but this can't be related to the latest jumbo hotfix release which is release take 80 - or GA just take 47. The package itself for the fresh install or upgrade (within cpuse) was updated on the 30th April - which roughly translates to the latest jumbo hotfix release (which was released on the 25th). So my question is - does the install/upgrade come with a jumbo hotfix or do I need to install one on top? Thanks and best regards, Maik
Heath_Mote inside General Topics 3 hours ago
views 375 3

Support portal : Cannot view tickets

When I go to support center and click on 'My Service Requests' I get taken to Which only looks like it wants me to open a new ticket. This is what happens when using Chrome. I get the same results with Edge. Is anyone else experiencing this? We have a couple of tickets opened and cannot currently track these issues. Thanks!
bllackpython inside General Topics 4 hours ago
views 206 2

Strange behaviour after R80.20 upgrade

Ever since upgrading our Checkpoints to R80.20 (from R80.10) we are having some issues with receiving mail from certain sources (which so far seems to be Microsoft). For instance if I try the following test: get:
Attempting to resolve the host name X in DNS.
-The host name resolved successfully.
Testing TCP port 25 on host X to ensure it's listening and open.
-The port was opened successfully.
Analyzing SMTP Capabilities for server X:25
-SMTP Capabilities were analyzed successfuly.
250-X
250-PIPELINING
250-SIZE 26214400
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
Attempting to send a test email message to X@X using MX X.
-Delivery of the test email message failed
The server returned status code -1 - Failure sending mail.
Exception details:
Message: Failure sending mail.
Type: System.Net.Mail.SmtpException
Stack trace:
at System.Net.Mail.SmtpClient.Send(MailMessage message)
at Microsoft.Exchange.Tools.ExRca.Tests.SmtpMessageTest.PerformTestReally()
Exception details:
Message: Unable to connect to the remote server
Type: System.Net.WebException
Stack trace:
at System.Net.ServicePoint.GetConnection(PooledStream PooledStream, Object owner, Boolean async, IPAddress& address, Socket& abortSocket, Socket& abortSocket6)
at System.Net.PooledStream.Activate(Object owningObject, Boolean async, GeneralAsyncDelegate asyncCallback)
at System.Net.ConnectionPool.GetConnection(Object owningObject, GeneralAsyncDelegate asyncCallback, Int32 creationTimeout)
at System.Net.Mail.SmtpConnection.GetConnection(ServicePoint servicePoint)
at System.Net.Mail.SmtpClient.GetConnection()
at System.Net.Mail.SmtpClient.Send(MailMessage message)
Exception details:
Message: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond x.x.x.x:25
Type: System.Net.Sockets.SocketException
Stack trace:
at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)
at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6, Socket& socket, IPAddress& address, ConnectSocketState state, IAsyncResult asyncResult, Exception& exception)
Elapsed Time: 21010 ms
Microsoft seem to be the only connections coming in with the ECN,CWR flags set. If we trace the external Interface we can see SYN,ECN,CWR packets come in from Microsoft:
10:28:46.056526 IP > x.x.x.x.smtp: SWE 3702938783:3702938783(0) win 8192
If we trace the internal interface we see a RST packet going to the Load Balancer:
10:02:52.605181 IP > x.x.x.x.smtp: R 3928789066:3928789066(0) ack 0 win 0
We do not have MTA setup. Any ideas?
inside General Topics 5 hours ago
views 4749 30 1

Propose your Idea of the Year!

Yes, this is this time of year, again. Same as one year ago, we turn to the community and ask you, good folks, to propose the idea of the year. Or, better: The Idea Of The Year! The rules are the same as before, it is about ideas that you wish Check Point would develop into a product/service offering, or improvements to existing ones. Do you think we miss something important or we should consider to expand our product portfolio, feature set, functionalities, get to a completely new playground, change the rules of the game? Tell us NOW!
A few disclaimers/notes:
There are no guarantees that any idea suggested will be developed, even the "Idea Of The Year".
From the suggestions below, we will choose 3-5 ideas which will be put up for voting later on.
Preference will be given to ideas that come from customers and partners, though employees are welcome to participate as well.
"Likes" and "discussion" around specific ideas will influence (but not wholly determine) the final list, so if you like something someone has suggested, let it be known!
@Dorit_Dor and R&D leaders will choose the best ideas, and if you win, you will get a prize! What prize? We will tell you later.
Get creative, use your imagination and PROPOSE!
Sigbjorn_Eik inside General Topics 5 hours ago
views 27 1

External Monitoring system

How are people monitoring their infrastructure and gateways today? Our infrastructure has a good mix of CloudGuard, appliances and open servers. The biggest clusters being VSLS VSX on Open Server. We're looking to get a monitoring system to monitor and correlate events over all our firewalls, including the bare metal the open server is running on, Cisco switches and routers etc. Zenoss just presented their system, which on paper looks very good. But does anyone have experience monitoring Check Point with it? In particular VSX VSLS Open Server clusters with more than two nodes? (So you have Active/Standby/Backup state, where some monitoring systems present the backup nodes as down.)
Di_Junior inside General Topics 6 hours ago
views 233 14

Check Point Clustering between two Datacenters

Dear Mates, We are currently experiencing routing asymmetry on our infrastructure, and we are trying to find possible solutions that could help us solve the problem. I would like to know whether there is a limitation in terms of creating a Check Point cluster over two geographically separated Datacenters (a few kilometers away from each other). Are there any distance constraints? If there is no distance constraint, since the current version of GAIA we are using (R80.20) does not support Load-sharing, we do not intend to have 4 appliances in a cluster while only one is taking all the traffic. Can Maestro be used in order to take advantage of the 4 appliances? The rationale for this question is because we are thinking of turning the 4 Check Point Appliances into a single cluster. Thanks in Advance
Pedro_Roure inside General Topics 6 hours ago
views 16

Captive Portal and HTTPS

Hi, I created a rule to redirect the traffic destined to http and https ports from a specific network segment to the captive portal (identity awareness blade). The rule was created using an Access Role as source (the access role was configured only with the specific network segment). The redirect to the captive portal works perfectly when the user accesses an HTTP (clear-text) site, but when the users access an HTTPS (encrypted) site, the redirect does not work (browser tries to connect until timeout). Is there any way to make the redirect to the captive portal work with HTTPS sites? PS: The HTTPS Inspection is enabled for all traffic originated from the specific network segment mentioned above.
Junior inside General Topics 6 hours ago
views 11

botnet activity detection

Hello dear, The Check Point firewall detected botnet activity on one of our DNS servers, and another on a computer network. To my knowledge the firewall is supposed to block such activity? How do I get rid of this infection? I launched the ESET ENDPOINT Security antivirus but nothing was found.
aner_sagi inside General Topics 8 hours ago
views 537 6 1

Smartcenter gaia on nutanix ?

Hi All, A new customer of mine wants to move his R80.10 smartcenter (currently on Hyper-V) to it supported? Thanks in advance, Aner
ThaiHoang inside General Topics 9 hours ago
views 9

I can't Isomorphic download

Hi! My Check Point has failed with terminal:
+==============================================================================+
| CPU T: Intel(R) Celeron(R) M processor Base Memory : 640K |
| CPU I: 06D8/20D Extended Memory :1038336K |
| CPU C: 1.50GHz Cache Memory : 1024K |
|------------------------------------------------------------------------------|
| Diskette Drive A : None Display Type : EGA/VGA |
| Diskette Drive B : None Serial Port(s) : 3F8 2F8 |
| Pri. Master Disk : None Parallel Port(s) : None |
| Pri. Slave Disk : None DDR2 at Bank(s) : 0 2 |
| Sec. Master Disk : None |
| Sec. Slave Disk : None |
+==============================================================================+
PCI device listing ...
Bus No. Device No. Func No. Vendor/Device Class Device Class IRQ
--------------------------------------------------------------------------------
0 2 0 8086 2592 0300 Display Cntrlr 5
0 29 0 8086 2658 0C03 USB 1.0/1.1 UHCI Cntrlr 15
0 29 1 8086 2659 0C03 USB 1.0/1.1 UHCI Cntrlr 15
0 29 2 8086 265A 0C03 USB 1.0/1.1 UHCI Cntrlr 10
Verifying DMI Pool Data ...........
I want to download ISOmorphic but I can't. The website notice says: "You are not entitled to download this file." Pls, help me!!! Thanks for your help
Hirschmann_Netw inside General Topics 9 hours ago
views 9

SMB layer 2 setup

Hi all, Currently we are designing protection for a factory. They have a fiber ring and want to protect their process automation. We implemented some 1200R firewalls in bridge mode with strict policy and it works fine. The problem is in the current setup people can easily remove the firewall and the protection is gone. It did happen when the System Integrator had some problems, removed the firewall, solved the problem and did not restore the connection. There is a possibility to use a RADIUS server, but I'm lost in how to set this up on the 1200R. Does anyone have an idea on how to solve this? And NO we can not use Layer3 on the 1200R, the PLC's only support Layer2 communication. Thanks in advance! Henk
JonWilliams inside General Topics 10 hours ago
views 692 6

Nat through site to site vpn

Hi, I am trying to set up a NAT through a site to site VPN. We have a weird setup where our internal source is a public ip /32 talking to a dest public ip /32. When I do a no nat rule it works ok. Issue being that our internal ip is a public ip address in Italy so they cannot route to it. I then nat our internal to a spare public ip off our cp range and the tunnel breaks. no nat rule is
source ip - dest ip - source nat to public spare ip
dest ip - source ip (Public) - denat dest to real ip
My encryption domain is source (real and public) des(dest public). Any help greatly received, thanks