Showing results for 
Search instead for 
Did you mean: 
Create a Post
General Topics
minhhaivietnam inside General Topics 12m ago
views 21 1

Packet replying does not match initial connection (R80.10)

Hello ,I have a problem about checkpoint R80.10 like this:I create a rule like below:From IP_SOURCE to IP_DST, service : TCP_8082 But when I search log drop from DST to SRC, I saw that replying packet get dropped because CP does not see it as a replying packet; (Checkpoint think this is new connection from DST to SRC and simply drop it by cleanup rule) So please let me know why or any step to troubleshoot it?Thank a lot!!        
Darius inside General Topics 16m ago
views 3

Mail alert when user browse a certain website/ category

Hi,Is there a way for CheckPoint alert me through email if my users access a certain websites or URL under category that I want to monitor? For example, I want to be alerted if users access a uRL belongs to Shopping category?
Johan_Rudberg inside General Topics 19m ago
views 61 7

NAT problem

Hello A week or so ago we changed an ip address on one of our interfaces from to we also changed the NAT rules that was configured to the old ip address. But now still the firewall sends packets with the old ip of and 12 even when those addreses are unconfigured.Running R80.20 with HFA 103 //Johan 
kapuranirudh inside General Topics 45m ago
views 228 4

Need help in preparing benchmark documents for Checkpoint firewall

Hi All,Can anyone help me and tell me the "RISK factors" for the following benchmark conditions:Ensure Password Minimum length is setEnsure Password Syntax: Character Types is setEnsure Password Syntax: ID within Password is setEnsure Maximun signon attempts is setEnsure Lockout duration is setEnsure Reset account lockout counter afterUser login to system/deviceUser logoout from system/deviceRetention of created log filesConnection matched by SAMVPN packet handling errorsVPN configuration & key exchange errorsIP Options dropFile Transfer Protocol (FTP)Unused Interfaces accessDynamic routing protocolsICMP virtual session timeoutAccept stateful UDP replied for unknown servicesAccept Stateful ICMP repliesAccept Stateful ICMP errorsDrop and log out of state packetsDrop and log out of state ICMP packetsExplicit firewall management rules presentAccept Remote Access Control connectionsAccept outgoing packets originating from GatewayAccept Web and SSH connections for Gateway's administrationAccept incoming traffic to DHCP and DNS services of gatewaysAccept Dynamic Address modules' outgoing Internet connectionsIPsec VPNSSL VPNIPSWeb Security URL FilteringAnti-virus and Anti MalwareAnti-Spam and Email SecurityAcceleration and ClusteringVoice over IPData loss PreventionApplication ControlLogging Sorry, the list is long, but if you could help me I will be grateful to you, thanks..!! 
Tbgaz inside General Topics 4 hours ago
views 22 1

Log Exporter to Syslog Server

Hi all,We're setting up 3rd party network monitoring for our network. The 3rd party has requested that the Check Point logs are sent to their monitoring server to port 10527.  That's fine, we've configured Log Exporter to do that.I've done a tcpdump on the CP management server and can see packets being sent from it, using ports 40617 and 53660, to the monitoring server's port of 10527. I've looked on the CP logs and the last time packets were accepted was last week (not long after I setup the firewall rule). Nothing has hit since then.Have I missed anything out? As far as I can see I have done everything needed. Any suggestions would be appreciated! 
mbsm inside General Topics 5 hours ago
views 196 5

Identity Collector Users unable to browse to internet

Hi,We successfully implement Identity Collector and working on R80.30. But we encounter an problem, the user is connected thru the WiFi and able to browse the internet but when the user disconnect to WiFi then connect thru LAN cable the user unable to browse the internet. By the way, the network of the WiFi is different to the LAN. Our workaround is login thru captive portal or restart the laptop.Is there a solution for this issue? Or is this a limitation of the Identity Collector? Appreciate your answers,
Marcel_Gramalla inside General Topics 6 hours ago
views 81 3

Identity Collector - not getting any events

Hi,we want to establish the Identity Awareness in our Check Point Firewall. We want to test all possibilities and of course also the Identity Collector.We activated the function and installed the Collector on one machine. The setup was fairly easy and the connection tests were successful.Unfortunately the Identity Collector doesn't show any received events even if we use a domain administrator as the account:Do you have any idea how to troubleshoot that? I would assume that the connection test tells me if there is anything wrong. The firewall on the domain controller allows the access from the Identity Collector.
Baasanjargal_Ts inside General Topics yesterday
views 25

Smart Management 1-405 hard drive RPM

Hello, What is the RPM speed and Model of Smart1-405 appliance hard drive,?How to check it,?
Rafael_Morato inside General Topics yesterday
views 41

Strange behavior when running the new fw monitor -F command

Hi!! I've noticed a strange behavior after I runned the fw monitor with the flag -F (released take 73) , for example:fw monior -F "0,0,0,443,0"That returns the follow message: kernel: [fw4_20];simple_debug_filter_unset: unsetting debug filter when no filter is set I have other behavior, when I end the fw monitor, the followed messages are shown:monitor: unloadingmonitor: caught sig 2monitor: cannot do fw ctl setThe last message is very strange.  I'd like know about theses behaviors. Thanks,Rafael Morato
Dave_Taylor1 inside General Topics yesterday
views 89 2

DHCP Relay. Cluster VIP

We currently have R80.20 on our gateways with JHF 87We encountered an issue recently with DHCP and it was suggested that we change the Relay interface to use the VIP.The issue was resolved and was actually related to an SVI configuration on the Cisco deviceAlthough the issue wasn’t on the firewall it is requested that I change the gateways to use the VIP since they believe this is the correct configuration.I've not been able to find any documentation stating this.I'm looking for clarification please.Thanks
Howard_Gyton inside General Topics yesterday
views 358 9

R80.30 - Slow DMZ transfer performance

Hi,We recently upgraded our firewall cluster from R77.30 to R80.30.Almost immediately after this, we noticed an observed degredation to the performance of a couple of our VMs, one being an SSH gateway, and the other being an ownCloud server.  Both have NFS mounts to our Nexenta storage.Running some tests, we found extremely slow transfer rates to and from each VMs local disk.  I was in the process of building a new ownCloud server, and have ended up using this as an analogue for further testing.Taking a ~250MB file on my local disk and SCPing the file up to my test VM, with it being in the same VLAN as my workstation, this file tranfers up and down in about 3 seconds flat.When I then move this VM into a sub interface (DMZ) on our firewall and run the same tests, it has take as long as 2 minutes 20 seconds to perform the same test.I even created a new threat prevention policy that has none of the inspection blades enabled, and matching this host, and managed to get variable rates from just under 2 minutes to around 1 minute 18 seconds.We also do not use QoS.I have just raised a ticket with our support partner, but was very interested to know whether any other users had observed this?  We  had noticed a performance degradation under R77.30 but no where near this bad.Howard
Thomas_B inside General Topics yesterday
views 3758 2 1

NAT thru VPN IPsec

Hi all,I come back with my NAT story...I have a problem.Please watch the diagram attached.My site (green) is connected to my customer (violet) thru a VPN IPsec.My Encryption Domain is my public range ( and the remote Encryption Domain is Peer is and the remote peer is are mounted between a CheckPoint and an ASA Cisco 5555.The CheckPoint is carrying the virtual IP ( for the NAT of SRV001 with an ARP Proxy.My customer thru the VPN has to communicate with SRV001 via the NATed IP the check has to NAT it to the other sense, SRV001 has to communicate with SRV_CUSTOMERS (, SRV001 initiate the communication, the CheckPoint has to NAT is IP from to and then to send it thru the VPN.On the other case SRV001 no need to be NATed for corporate communication.Right now, my VPN Tunnel is UP.When I am pinging the or with the CheckPoint it's working going thru the VPN Tunnel.When I am pinging the or from SRV001, I saw with TCPDUMP that the firwall on the customer interface make the NAT and replace the with the but the trafic is not going thru the VPN.How to force to send the NATed packet thru the VPN?Support NAT-Traversal is enabled.I saw the option in the VPN Communities the option "Disable NAT inside the VPN communitie", what is it doing?
Tiago_Cerqueira inside General Topics yesterday
views 320 8

VPN issue with IKEv2 and Cisco ASA

Hi,Last week we upgraded our security gateway from R77.30 to R80.20. After this upgrade, we lost connectivity with one of our VPNs. This VPN is with a third party gateway, a Cisco ASA and we are using IKEv2.The issue is weird and I've isolated the following things:1)If the negotiation is triggered on the ASA side, everything works as expected (so, as a workaround, they are bouncing the tunnel on their side, generating traffic to us (if we are the first to generate traffic it won't work) and that's allowing us to connect)2)If we initiate the connection, we are unable to reach the other side of the VPN but, they are able to reach our network. So traffic generated on their side of the VPN always reaches us without issues.3)Child SAs are only being negotiated on re-keys, I'm assuming the first time they are created is under the AUTH packet, as per the RFC. I have a case opened with TAC, but so far no meaningful replies. I can also share the vpnd.elg files, as well as the ikev2.xmll files if you are interested in taking a look at that. Thanks
marcherren inside General Topics yesterday
views 29

Old session in "DST_FIN" state blocks new session

Hi all, One of our customers creates a lot of SSL sessions to a server located on our infrastructure.The FW the client uses, does handle it's hide-nat to the internet a bit strange (well, I never encountered this before 😅) it will always try to use the same source port as in the initial request of the server and only nat the ip src port randomly if the port is already used by another session.Anyway, we now see a lot of sessions in "DST_FIN" state on our frontend firewall which are apparently all correct terminated/delete on the clients firewall (we only checked randomly some sessions). On your firewall the session counter is counting downwards from 3600s.Now sometimes a session is dropped as it still exists in our table as "DST_FIN".To mention is also that this behavior only showed up once we have upgraded from R77.30 to R80.20. 1) Can someone explain me what exactly DST_FIN means? Could not find it in the TCP state machine definition2) If our fw detected a tcp session ending, shouldn't the 20s from the global properties apply?Best regards,Marc
inside General Topics yesterday
views 3783 20 14

R80.40 Early Availability Program @ Check Point Update

      R80.40 EA Program  R80.40 features centralized management control across all networks, on premise or in the cloud, lowering the complexity of managing your security and increasing operational efficiency. As part of the Check Point Infinity architecture, R80.40 provides customers with the best security management, utilizing the Industry’s largest integration of technologies from more than 160 technology partners. With Check Point R80.40 Cyber Security for Gateways and Management, businesses everywhere can easily step up to Gen V.  Enrollment // Production EA     • We are looking for R80.X / R77.X Production environment to evaluate the new version. • Start date: mid-September 2019   Additional questions? contact us@ What's New  IoT Security A new IoT security controller to: Collect IoT devices and traffic attributes from certified IoT discovery engines (currently supports Medigate, CyberMDX, Cynerio, Claroty, Indegy, SAM and Armis).  Configure a new IoT dedicated Policy Layer in policy management. Configure and manage security rules that are based on the IoT devices' attributes.                       TLS Inspection HTTP/2 HTTP/2 is an update to the HTTP protocol. The update provides improvements to speed, efficiency and security and results with a better user experience.  Check Point's Security Gateway now support HTTP/2 and benefits better speed and efficiency while getting full security, with all Threat Prevention and Access Control blades, as well as new protections for the HTTP/2 protocol. Support is for both clear and SSL encrypted traffic and is fully integrated with HTTPS/TLS Inspection capabilities.                       TLS Inspection Layer This was formerly called HTTPS Inspection. Provides these new capabilities: A new Policy Layer in SmartConsole dedicated to TLS Inspection. Different TLS Inspection layers can be used in different policy packages. Sharing of a TLS Inspection layer across multiple policy packages. API for TLS operations. Threat Prevention Overall efficiency enhancement for Threat Prevention processes and updates. Automatic updates to Threat Extraction Engine. Dynamic, Domain and Updatable Objects can now be used in Threat Prevention and TLS Inspection policies. Updatable objects are network objects that represent an external service or a known dynamic list of IP addresses, for example - Office365 / Google / Azure / AWS IP addresses and Geo objects. Anti-Virus now uses SHA-1 and SHA-256 threat indications to block files based on their hashes. Import the new indicators from the SmartConsole Threat Indicators view or the Custom Intelligence Feed CLI. Anti-Virus and SandBlast Threat Emulation now support inspection of e-mail traffic over the POP3 protocol, as well as improved inspection of e-mail traffic over the IMAP protocol. Anti-Virus and SandBlast Threat Emulation now use the newly introduced SSH inspection feature to inspect files transferred over the SCP and SFTP protocols. Anti-Virus and SandBlast Threat Emulation now provide an improved support for SMBv3 inspection (3.0, 3.0.2, 3.1.1), which includes inspection of multi-channel connections. Check Point is now the only vendor to support inspection of a file transfer through multiple channels (a feature that is on-by-default in all Windows environments). This allows customers to stay secure while working with this performance enhancing feature. Access Control Identity Awareness Support for Captive Portal integration with SAML 2.0 and third party Identity Providers. Support for Identity Broker for scalable and granular sharing of identity information between PDPs, as well as cross-domain sharing.  Enhancements to Terminal Servers Agent for better scaling and compatibility. IPsec VPN Configure different VPN encryption domains on a Security Gateway that is a member of multiple VPN communities. This provides:  Improved privacy - Internal networks are not disclosed in IKE protocol negotiations. Improved security and granularity - Specify which networks are accessible in a specified VPN community. Improved interoperability - Simplified route-based VPN definitions (recommended when you work with an empty VPN encryption domain). Create and seamlessly work with a Large Scale VPN (LSV) environment with the help of LSV profiles. URL Filtering Improved scalability and resilience. Extended troubleshooting capabilities. NAT Enhanced NAT port allocation mechanism - on Security Gateways with 6 or more CoreXL Firewall instances, all instances use the same pool of NAT ports, which optimizes the port utilization and reuse. NAT port utilization monitoring in CPView and with SNMP. Voice over IP (VoIP) Multiple CoreXL Firewall instances handle the SIP protocol to enhance performance. Remote Access VPN Use machine certificate to distinguish between corporate and non-corporate assets and to set a policy  enforcing the use of corporate assets only. Enforcement can be pre-logon (device authentication only) or post-logon (device and user authentication). Mobile Access Portal Agent Enhanced Endpoint Security on Demand within the Mobile Access Portal Agent to support all major web browsers. For more information, see sk113410. Security Gateway and Gaia CoreX L and Multi-Queue Support for automatic allocation of CoreXL SNDs and Firewall instances that does not require a Security Gateway reboot. Improved out of the box experience - Security Gateway automatically changes the number of CoreXL SNDs and Firewall instances and the Multi-Queue configuration based on the current traffic load. Clustering Support for Cluster Control Protocol in Unicast mode that eliminates the need for CCP Broadcast or Multicast modes. Cluster Control Protocol encryption is now enabled by default. New ClusterXL mode -Active/Active, which supports Cluster Members in different geographic locations that are located on different subnets and have different IP addresses. Support for ClusterXL Cluster Members that run different software versions. Eliminated the need for MAC Magic configuration when several clusters are connected to the same subnet. VSX Support for VSX upgrade with CPUSE in Gaia Portal. Support for Active Up mode in VSLS. Support for CPView statistical reports for each Virtual System Zero Touch A simple Plug & Play setup process for installing an appliance - eliminating the need for technical expertise and having to connect to the appliance for initial configuration. Gaia REST API Gaia REST API provides a new way to read and send information to servers that run Gaia Operating System. See sk143612. Advanced Routing Enhancements to OSPF and BGP allow to reset and restart OSPF neighboring for each CoreXL Firewall instance without the need to restart the routed daemon. Enhancing route refresh for improved handling of BGP routing inconsistencies. New kernel capabilities Upgraded Linux kernel New partitioning system (gpt): Supports more than 2TB physical/logical drives Faster file system (xfs) Supporting larger system storage (up to 48TB tested) I/O related performance improvements Multi-Queue: Full Gaia Clish support for Multi-Queue commands Automatic "on by default" configuration SMB v2/3 mount support in Mobile Access blade Added NFSv4 (client) support (NFS v4.2 is the default NFS version used) Support of new system tools for debugging, monitoring and configuring the system   CloudGuard Controller Performance enhancements for connections to external Data Centers. Integration with VMware NSX-T. Support for additional API commands to create and edit Data Center Server objects. Security Management Multi-Domain Server Back up and restore an individual Domain Management Server on a Multi-Domain Server. Migrate a Domain Management Server on one Multi-Domain Server to a different Multi-Domain Security Management. Migrate a Security Management Server to become a Domain Management Server on a Multi-Domain Server. Migrate a Domain Management Server to become a Security Management Server. Revert a Domain on a Multi-Domain Server, or a Security Management Server to a previous revision for further editing. SmartTasks and API New Management API authentication method that uses an auto-generated API Key. New Management API commands to create cluster objects. Central Deployment of Jumbo Hotfix Accumulator and Hotfixes from SmartConsole or with an API allows to install or upgrade multiple Security Gateways and Clusters in parallel. SmartTasks - Configure automatic scripts or HTTPS requests triggered by administrator tasks, such as publishing a session or installing a policy. Deployment Central Deployment of Jumbo Hotfix Accumulator and Hotfixes from SmartConsole or with an API allows to install or upgrade multiple Security Gateways and Clusters in parallel. SmartEvent Share SmartView views and reports with other administrators. Log Exporter Export logs filtered according to field values. Endpoint Security Support for BitLocker encryption for Full Disk Encryption. Support for external Certificate Authority certificates for Endpoint Security client authentication and communication with the Endpoint Security Management Server. Support for dynamic size of Endpoint Security Client packages based on the selected features for deployment. Policy can now control level of notifications to end users. Support for Persistent VDI environment in Endpoint Policy Management.