General Topics

Have a question and you can't figure out where to post about it after reading All Products and Where to Post About Them? Post it here!

Shurik
Shurik inside General Topics 3 hours ago
views 16 1

Load Balancing for IPSEC VPN Tunnels

Hello guys, we're looking to implement Active/Active or Active/Standby VPN tunnels from our client (two locations) to our data centers (two locations). I would like to see if there is a way to create a global load balancer (or something similar) to be able to manage (manually or automatically) which data center the traffic will go to. Any idea will be appreciated 🙂 Thanks
Danny
Danny inside General Topics 3 hours ago
views 74021 196 190

Common Check Point Commands (ccc)

🏆 Code Hub Contribution of the Year 2018! 👍 Endorsed by Check Point Support! ccc is a menu-driven script to run common Check Point CLI tasks. License: GPL. Installation (expert mode) or download:
curl_cli -k https://dannyjung.de/ccc | zcat > /usr/bin/ccc && chmod +x /usr/bin/ccc
SCSupport
SCSupport inside General Topics 3 hours ago
views 227 9

Passing GRE traffic

Hello. Can someone advise exactly how Check Point stands with GRE support? I understand they can't build or terminate GRE tunnels, but can they pass the traffic through? There is a VPN between 2 Cisco routers which are trying to establish a tunnel, however it isn't coming up. After discussions, I realised they are using GRE over IPSEC VPN. I have now concluded that this is the reason why it's not coming up. Any suggestions?
Lockout888
Lockout888 inside General Topics 3 hours ago
views 397 6

Redirecting DNS

Running R80.30 for home use, and I want to force my kids' devices to use OpenDNS Family Shield DNS Servers, while allowing other devices to use regular DNS Servers. I was able to do this with DD-WRT via MAC address by using these commands. Even if the DNS Servers were changed on the device manually, they were forced to use Family Shield.
iptables -t nat -I PREROUTING -i br0 -m mac --mac-source ##:##:##:##:##:## -p udp --dport 53 -j DNAT --to 208.67.222.123
iptables -t nat -I PREROUTING -i br0 -m mac --mac-source ##:##:##:##:##:## -p tcp --dport 53 -j DNAT --to 208.67.222.123
How do I accomplish this in GAIA?
SCSupport
SCSupport inside General Topics 6 hours ago
views 180 2

Unable to download R80.40

Hi, has something happened to the download link for R80.40? I have registered for the EA, however when continuing through to the download link, it suggests that I haven't registered or it cannot find the link I am looking for. If anyone can help that would be great.
HeikoAnkenbrand
HeikoAnkenbrand inside General Topics 8 hours ago
views 703 13 17

R80.x Performance Tuning Tip - Elephant Flows (Heavy Connections)

Elephant Flow (Heavy Connections)
In computer networking, an elephant flow (heavy connection) is an extremely large (in total bytes) continuous flow set up by a TCP or other protocol flow, measured over a network link. Elephant flows, though not numerous, can occupy a disproportionate share of the total bandwidth over a period of time. The observation has been made that a small number of flows carry the majority of Internet traffic, and the remainder consists of a large number of flows that carry very little Internet traffic (mice flows). All packets associated with an elephant flow must be handled by the same firewall worker core (CoreXL instance). Packets could be dropped by the Firewall when the CPU cores on which the Firewall runs are fully utilized. Such packet loss might occur regardless of the connection's type.

What typically produces heavy connections:
- System backups
- Database backups
- VMware sync

More interesting articles:
- R80.x Architecture and Performance Tuning - Link Collection
- Article list (Heiko Ankenbrand)

Evaluation of heavy connections
The big question is, how do you find elephant flows on an R80 gateway?

Tip 1: Evaluation of heavy connections (elephant flows)
A first indication is a high CPU load on one core while all other cores have a normal CPU load. This can be displayed very nicely with "top". OK, now a core has 100% CPU usage. What can we do now? For this there is sk105762 to activate "Firewall Priority Queues". This feature allows the administrator to monitor the heavy connections that consume the most CPU resources without interrupting the normal operation of the Firewall. After enabling this feature, the relevant information is available in the CPView utility. The system saves heavy connection data for the last 24 hours, and CPDiag has a matching collector which uploads this data for diagnosis purposes.

Heavy connection flow system definition on Check Point gateways:
- Specific instance CPU is over 60%
- Suspected connection lasts more than 10s
- Suspected connection utilizes more than 50% of the total work the instance does. In other words, connection CPU utilization must be > 30%

CLI Commands

Tip 2: Enable the monitoring of heavy connections
To enable the monitoring of heavy connections that consume high CPU resources:
# fw ctl multik prioq 1
# reboot

Tip 3: Find heavy connections on the gateway with "print_heavy_conn"
On the system itself, heavy connection data is accessible using the command:
# fw ctl multik print_heavy_conn

Tip 4: Find heavy connections on the gateway with cpview
# cpview
CPU > Top-Connection > InstancesX

Links
sk105762 - Firewall Priority Queues in R77.30 / R80.10 and above
Tsvika_Akerman
inside General Topics 9 hours ago
views 10248 80 15
Employee

R80.40 Early Availability Program @ Check Point Update

R80.40 EA Program
R80.40 features centralized management control across all networks, on premise or in the cloud, lowering the complexity of managing your security and increasing operational efficiency. As part of the Check Point Infinity architecture, R80.40 provides customers with the best security management, utilizing the industry's largest integration of technologies from more than 160 technology partners. With Check Point R80.40 Cyber Security for Gateways and Management, businesses everywhere can easily step up to Gen V.

Enrollment // Production EA
• We are looking for R80.X / R77.X Production environments to evaluate the new version.
• Start date: Started

Public EA (for Lab/Sandbox use) is now also available! Log into UserCenter and select Try Our Products > Early Availability Programs. In PartnerMap, it is Learn > Evaluate > Early Availability Programs.
NOTE: Upgrade from Public EA to GA is not supported.

Additional questions? Contact us at EA_SUPPORT@checkpoint.com

What's New

IoT Security
A new IoT security controller to:
- Collect IoT devices and traffic attributes from certified IoT discovery engines (currently supports Medigate, CyberMDX, Cynerio, Claroty, Indegy, SAM and Armis).
- Configure a new IoT dedicated Policy Layer in policy management.
- Configure and manage security rules that are based on the IoT devices' attributes.

TLS Inspection
HTTP/2
HTTP/2 is an update to the HTTP protocol. The update provides improvements to speed, efficiency and security and results in a better user experience. Check Point's Security Gateway now supports HTTP/2 and benefits from better speed and efficiency while getting full security, with all Threat Prevention and Access Control blades, as well as new protections for the HTTP/2 protocol. Support is for both clear and SSL encrypted traffic and is fully integrated with HTTPS/TLS Inspection capabilities.

TLS Inspection Layer
This was formerly called HTTPS Inspection. Provides these new capabilities:
- A new Policy Layer in SmartConsole dedicated to TLS Inspection.
- Different TLS Inspection layers can be used in different policy packages.
- Sharing of a TLS Inspection layer across multiple policy packages.
- API for TLS operations.

Threat Prevention
- Overall efficiency enhancement for Threat Prevention processes and updates.
- Automatic updates to Threat Extraction Engine.
- Dynamic, Domain and Updatable Objects can now be used in Threat Prevention and TLS Inspection policies. Updatable objects are network objects that represent an external service or a known dynamic list of IP addresses, for example Office365 / Google / Azure / AWS IP addresses and Geo objects.
- Anti-Virus now uses SHA-1 and SHA-256 threat indications to block files based on their hashes. Import the new indicators from the SmartConsole Threat Indicators view or the Custom Intelligence Feed CLI.
- Anti-Virus and SandBlast Threat Emulation now support inspection of e-mail traffic over the POP3 protocol, as well as improved inspection of e-mail traffic over the IMAP protocol.
- Anti-Virus and SandBlast Threat Emulation now use the newly introduced SSH inspection feature to inspect files transferred over the SCP and SFTP protocols.
- Anti-Virus and SandBlast Threat Emulation now provide improved support for SMBv3 inspection (3.0, 3.0.2, 3.1.1), which includes inspection of multi-channel connections. Check Point is now the only vendor to support inspection of a file transfer through multiple channels (a feature that is on by default in all Windows environments). This allows customers to stay secure while working with this performance enhancing feature.

Access Control
Identity Awareness
- Support for Captive Portal integration with SAML 2.0 and third party Identity Providers.
- Support for Identity Broker for scalable and granular sharing of identity information between PDPs, as well as cross-domain sharing.
- Enhancements to Terminal Servers Agent for better scaling and compatibility.

IPsec VPN
- Configure different VPN encryption domains on a Security Gateway that is a member of multiple VPN communities. This provides:
  - Improved privacy - Internal networks are not disclosed in IKE protocol negotiations.
  - Improved security and granularity - Specify which networks are accessible in a specified VPN community.
  - Improved interoperability - Simplified route-based VPN definitions (recommended when you work with an empty VPN encryption domain).
- Create and seamlessly work with a Large Scale VPN (LSV) environment with the help of LSV profiles.

URL Filtering
- Improved scalability and resilience.
- Extended troubleshooting capabilities.

NAT
- Enhanced NAT port allocation mechanism - on Security Gateways with 6 or more CoreXL Firewall instances, all instances use the same pool of NAT ports, which optimizes the port utilization and reuse.
- NAT port utilization monitoring in CPView and with SNMP.

Voice over IP (VoIP)
- Multiple CoreXL Firewall instances handle the SIP protocol to enhance performance.

Remote Access VPN
- Use machine certificate to distinguish between corporate and non-corporate assets and to set a policy enforcing the use of corporate assets only. Enforcement can be pre-logon (device authentication only) or post-logon (device and user authentication).

Mobile Access Portal Agent
- Enhanced Endpoint Security on Demand within the Mobile Access Portal Agent to support all major web browsers. For more information, see sk113410.

Security Gateway and Gaia
CoreXL and Multi-Queue
- Support for automatic allocation of CoreXL SNDs and Firewall instances that does not require a Security Gateway reboot.
- Improved out of the box experience - Security Gateway automatically changes the number of CoreXL SNDs and Firewall instances and the Multi-Queue configuration based on the current traffic load.

Clustering
- Support for Cluster Control Protocol in Unicast mode that eliminates the need for CCP Broadcast or Multicast modes.
- Cluster Control Protocol encryption is now enabled by default.
- New ClusterXL mode - Active/Active, which supports Cluster Members in different geographic locations that are located on different subnets and have different IP addresses.
- Support for ClusterXL Cluster Members that run different software versions.
- Eliminated the need for MAC Magic configuration when several clusters are connected to the same subnet.

VSX
- Support for VSX upgrade with CPUSE in Gaia Portal.
- Support for Active Up mode in VSLS.
- Support for CPView statistical reports for each Virtual System.

Zero Touch
- A simple Plug & Play setup process for installing an appliance - eliminating the need for technical expertise and having to connect to the appliance for initial configuration.

Gaia REST API
- Gaia REST API provides a new way to read and send information to servers that run Gaia Operating System. See sk143612.

Advanced Routing
- Enhancements to OSPF and BGP allow resetting and restarting OSPF neighboring for each CoreXL Firewall instance without the need to restart the routed daemon.
- Enhanced route refresh for improved handling of BGP routing inconsistencies.

New kernel capabilities
- Upgraded Linux kernel
- New partitioning system (gpt): supports more than 2TB physical/logical drives
- Faster file system (xfs)
- Supporting larger system storage (up to 48TB tested)
- I/O related performance improvements
- Multi-Queue: full Gaia Clish support for Multi-Queue commands; automatic "on by default" configuration
- SMB v2/3 mount support in Mobile Access blade
- Added NFSv4 (client) support (NFS v4.2 is the default NFS version used)
- Support of new system tools for debugging, monitoring and configuring the system

CloudGuard Controller
- Performance enhancements for connections to external Data Centers.
- Integration with VMware NSX-T.
- Support for additional API commands to create and edit Data Center Server objects.

Security Management
Multi-Domain Server
- Back up and restore an individual Domain Management Server on a Multi-Domain Server.
- Migrate a Domain Management Server on one Multi-Domain Server to a different Multi-Domain Security Management.
- Migrate a Security Management Server to become a Domain Management Server on a Multi-Domain Server.
- Migrate a Domain Management Server to become a Security Management Server.
- Revert a Domain on a Multi-Domain Server, or a Security Management Server, to a previous revision for further editing.

SmartTasks and API
- New Management API authentication method that uses an auto-generated API Key.
- New Management API commands to create cluster objects.
- Central Deployment of Jumbo Hotfix Accumulator and Hotfixes from SmartConsole or with an API allows installing or upgrading multiple Security Gateways and Clusters in parallel.
- SmartTasks - Configure automatic scripts or HTTPS requests triggered by administrator tasks, such as publishing a session or installing a policy.

Deployment
- Central Deployment of Jumbo Hotfix Accumulator and Hotfixes from SmartConsole or with an API allows installing or upgrading multiple Security Gateways and Clusters in parallel.

SmartEvent
- Share SmartView views and reports with other administrators.

Log Exporter
- Export logs filtered according to field values.

Endpoint Security
- Support for BitLocker encryption for Full Disk Encryption.
- Support for external Certificate Authority certificates for Endpoint Security client authentication and communication with the Endpoint Security Management Server.
- Support for dynamic size of Endpoint Security Client packages based on the selected features for deployment.
- Policy can now control the level of notifications to end users.
- Support for Persistent VDI environment in Endpoint Policy Management.
Carsten_R
Carsten_R inside General Topics 10 hours ago
views 104 9

ARP table size of 131072 entries?

Hi, sk43772 says that with R80.30, the ARP table size has been extended to 131072 entries. However, it's not working: the SK says nothing about any HW or RAM requirements, so my test device is only a VM with R80.30, Take 111.
C_M
C_M inside General Topics 10 hours ago
views 29

Top connections fw tab -u -t connections | awk '{ print $2 }' | sort -n | uniq -c | sort -nr | head

Running this command is supposed to show the top connecting IPs. I'm having trouble with converting the hex to IP addresses. Any success? I'm using sites and they are just giving me incomplete numbers.
C_M
C_M inside General Topics 10 hours ago
views 21

Top connections

Running this command is supposed to show the top connecting IPs. I'm having trouble with converting the hex to IP addresses. Any success? I'm using sites and they are just giving me incomplete numbers.
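An added example for the two "Top connections" questions above (not code from the original posts): a small Python script that does the hex-to-dotted-quad step of the awk pipeline itself, so no online converter is needed. It assumes that `fw tab -u -t connections` prints one entry per line as `<dir, src, sport, dst, dport, proto; ...>` with each field an 8-digit big-endian hex word, which is why the pipeline's `$2` is the source IP with a trailing comma; the sample lines below are constructed to match that assumed layout. The usual reason a web converter returns an "incomplete" address is that it drops leading zeros (e.g. `0a000001` becomes `a000001`), so the helper left-pads to 8 hex digits before converting.

```python
import ipaddress
from collections import Counter

# Constructed sample of `fw tab -u -t connections` output. The field order
# (direction, src, sport, dst, dport, proto, ...) is an assumption about the
# table format, not taken from the posts.
SAMPLE = """\
<00000000, c0a80105, 0000c350, 0a000001, 00000050, 00000006; ...>
<00000000, c0a80105, 0000c351, 0a000001, 000001bb, 00000006; ...>
<00000000, 0a0a0a01, 00000035, c0a80105, 0000e3f2, 00000011; ...>
<00000000, c0a80105, 0000c352, 0a000002, 00000050, 00000006; ...>
<00000001, 0a000001, 00000050, c0a80105, 0000c350, 00000006; ...>
"""


def hex_to_ip(word: str) -> str:
    """Convert one hex field from fw tab (possibly with '<', ',' or ';'
    attached, possibly missing leading zeros) into dotted-quad form."""
    h = word.strip().strip("<>,;")
    # A converter that drops leading zeros turns 0a000001 into a000001;
    # padding to 8 hex digits restores the correct first octet.
    h = h.rjust(8, "0")
    return str(ipaddress.IPv4Address(int(h, 16)))


def top_sources(text: str, n: int = 10):
    """Equivalent of awk '{print $2}' | sort | uniq -c | sort -nr | head,
    but with the source field decoded to an IPv4 address."""
    counts = Counter()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or not fields[0].startswith("<"):
            continue  # skip headers and anything that is not a table entry
        try:
            counts[hex_to_ip(fields[1])] += 1
        except ValueError:
            continue  # malformed field; ignore rather than abort
    return counts.most_common(n)


if __name__ == "__main__":
    for ip, count in top_sources(SAMPLE):
        print(f"{count:6d} {ip}")
```

On a gateway you would feed the real table in with `fw tab -u -t connections | python3 top_sources.py` after replacing `SAMPLE` with `sys.stdin.read()`; the decoding of each field is the same either way.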
Yifat_Chen
inside General Topics 10 hours ago
views 964 1 5
Employee+

R80.30 Jumbo Hotfix Accumulator - New Ongoing Take #135

A new Ongoing Jumbo Hotfix Accumulator take for R80.30 (Take #135) is available. Please refer to sk153152 This take updates take 132 that was released on Jan 2. Thanks,  Release Management group 
Nik_Bloemers
Nik_Bloemers inside General Topics 10 hours ago
views 70 4

F2F cluster message

Hello Check Mates,
Can anyone explain what the F2F violation 'cluster message' means?

fwaccel stats -p
F2F packets:
--------------
Violation              Packets    Violation              Packets
--------------------   ---------  --------------------   ---------
pkt has IP options     227        ICMP miss conn         153026
TCP-SYN miss conn      327641     TCP-other miss conn    28868624
UDP miss conn          295417     other miss conn        10604
VPN returned F2F       0          uni-directional viol   0
possible spoof viol    11         TCP state viol         0
out if not def/accl    0          bridge, src=dst        0
routing decision err   0          sanity checks failed   0
fwd to non-pivot       0          broadcast/multicast    0
cluster message        207254     cluster forward        0
chain forwarding       0          F2V conn match pkts    89454
general reason         0          route changes          0

The ATRG sk for SecureXL explains most values, but not this one. I believe this should normally be 0, so I'm wondering why it's quite high.
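An added example, not part of the post above: a Python parser for the two-column F2F table that `fwaccel stats -p` prints, which turns the counters into a dictionary so they can be ranked or compared against a baseline over time. The column layout is assumed from the post's output; the counter values in the constructed sample are the ones the post shows. Ranking the reasons makes it obvious which F2F causes dominate on a given gateway, which is the first thing to know before asking why one counter is non-zero.

```python
import re

# Constructed sample in the assumed two-column layout of `fwaccel stats -p`;
# the numbers are those quoted in the post above.
SAMPLE = """\
F2F packets:
--------------
Violation              Packets    Violation              Packets
--------------------   ---------  --------------------   ---------
pkt has IP options     227        ICMP miss conn         153026
TCP-SYN miss conn      327641     TCP-other miss conn    28868624
UDP miss conn          295417     other miss conn        10604
VPN returned F2F       0          uni-directional viol   0
possible spoof viol    11         TCP state viol         0
out if not def/accl    0          bridge, src=dst        0
routing decision err   0          sanity checks failed   0
fwd to non-pivot       0          broadcast/multicast    0
cluster message        207254     cluster forward        0
chain forwarding       0          F2V conn match pkts    89454
general reason         0          route changes          0
"""

# A counter name (letters, digits, spaces, ',' '/' '=' '-') followed by
# whitespace and an integer; non-greedy so each column yields one pair.
PAIR = re.compile(r"([A-Za-z][A-Za-z0-9 ,/=\-]*?)\s+(\d+)")


def parse_f2f(text: str) -> dict:
    """Return {violation name: packet count} for every column of the table."""
    counters = {}
    for line in text.splitlines():
        # Skip the title, the rulers and the column-header line.
        if not line.strip() or line.startswith(("F2F", "---", "Violation")):
            continue
        for name, value in PAIR.findall(line):
            counters[name.strip()] = int(value)
    return counters


def top_reasons(counters: dict, n: int = 3):
    """The n F2F reasons with the highest packet counts, largest first."""
    return sorted(counters.items(), key=lambda kv: kv[1], reverse=True)[:n]


def nonzero(counters: dict) -> dict:
    """Only the counters that are not zero, useful for a quick baseline diff."""
    return {k: v for k, v in counters.items() if v}


if __name__ == "__main__":
    c = parse_f2f(SAMPLE)
    total = sum(c.values())
    for name, value in top_reasons(c):
        print(f"{name:22s} {value:10d} ({100 * value / total:5.1f}%)")
```

Run against the sample, the ranking shows that "TCP-other miss conn" accounts for nearly all F2F packets and that "cluster message" is a small fraction; collecting `parse_f2f` output periodically and diffing `nonzero()` against a known-good baseline is a simple way to spot a counter that starts climbing.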
BrianPerry
inside General Topics 14 hours ago
views 837 13 8
Employee

sk164752 - Installing DOOM on Gaia

Hello everyone, I work at one of the Checkpoint TACs. We had a little internal contest to see if we could get doom running on a Checkpoint firewall for fun. I managed to get it done and just finished the SK. Feel free to take a look at sk164752 for how it was done. It is general access so anyone should be able to view it.

Needless to say do not try this in production, you are increasing the attack surface of the operating system significantly by doing so.

Edit: It looks like management decided to make the SK internal, sorry guys.
Edit2: They did ok it to be posted on checkmates though, please see below.

Symptoms
You want to run linux applications on Gaia.
You need to defeat the minions of hell.

Solution
Please note this procedure is not supported and not secure. Under no circumstances should this be done in a production environment. This is a proof of concept and for fun.

Pre-requisites
- An R80.30 Gateway running the 3.10 kernel as per sk152652
- A bootable Ubuntu Live image - link
- More spare time than sense

Installing a Debian chroot
Boot the R80.30 3.10 gateway from the Ubuntu Live Image. Ensure the live OS has an internet connection. Once booted, install debootstrap:
sudo apt update
sudo apt install debootstrap
Create a working environment and mount the Gaia file system:
mkdir /home/ubuntu/installdir
sudo mount /dev/mapper/vg_splat-lv_current /home/ubuntu/installdir
We will be installing Debian Jessie in the chroot, this is because Jessie runs Kernel 3.16 which is very close to the Gaia Kernel 3.10. This will help ensure things run smoother.
Create the chroot environment, if you choose another chroot OS be sure to change the path:
sudo mkdir /home/ubuntu/installdir/chroot
sudo mkdir /home/ubuntu/installdir/chroot/jessie
Use the following command to install Jessie, this may take some time:
sudo debootstrap --include locales --arch amd64 jessie /home/ubuntu/installdir/chroot/jessie
Once complete, reboot and remove the Ubuntu installation media.

Prepare the Chroot
To allow the chroot to properly communicate with the hardware of the machine we need to bind several mount points in the chroot; since this needs to be done at every boot I will provide a script below that binds these mounts. I placed this in the home directory of the admin user for ease of use.
Start of script
#!/bin/bash
mount --bind /proc /chroot/jessie/proc
mount --bind /sys /chroot/jessie/sys
mount --bind /dev /chroot/jessie/dev
mount --bind /dev/pts /chroot/jessie/dev/pts
End of script
Give the script the privileges it needs to run and run it:
chmod 755 /home/admin/jessie.sh
cd /home/admin
./jessie.sh
Create the default root user's home directory:
mkdir /chroot/jessie/home/admin
Optionally you may bind the existing Gaia /home/admin directory to the chroot by adding the below line to the script:
mount --bind /home/admin /chroot/jessie/home/admin
Enter the chroot:
chroot /chroot/jessie

Configure the Chroot
Set the DNS server by adding a DNS server of your preference to /etc/resolv.conf with vi: add "nameserver $IPgoesHere" to the file.
Install vim because vi is terrible, the default repositories should be able to do this.
apt update
apt install vim
Add the Gaia hostname to /etc/hosts, see below for an example, my hostname is DOOM. The first line of /etc/hosts should appear similar to below but with your hostname:
127.0.0.1 localhost DOOM
Add a complete list of jessie repositories to /etc/apt/sources.list by matching the contents below using vim.
Start of sources.list
deb http://httpredir.debian.org/debian jessie main non-free contrib
deb-src http://httpredir.debian.org/debian jessie main non-free contrib
deb http://security.debian.org/debian-security jessie/updates main contrib non-free
deb-src http://security.debian.org/debian-security jessie/updates main contrib non-free
End of sources.list
Update the repository list using "apt update".

Create a non-root user
Install sudo:
apt install sudo
Create a new non-root user (in this case doom):
adduser doom
Follow the prompts to set the password. Add the new user to the sudo group:
usermod -aG sudo doom

Installing the desktop
Ensure the Debian software selection with the following command:
tasksel
Using the arrow keys and space bar select "Debian Desktop Environment" & "Xfce". Use tab to select OK and enter to continue. Wait for the needed packages to install (this will take several minutes). You will be prompted to select your keyboard layout during this process, do so.
Once complete you will be back at the terminal. Installing the desktop will have overwritten /etc/resolv.conf; reset the DNS server by adding a DNS server of your preference to /etc/resolv.conf with vim: add "nameserver $IPgoesHere" to the file.
Installing the desktop may have overwritten the hostname inside the chroot. Test the hostname to see if it's changed by using the hostname command; if it has changed, change it back by using the hostname command, example below:
hostname DOOM
Make sure to edit the /etc/hostname file to match so it survives reboot.
Install xrdp:
apt install xrdp
Exit the chroot (just type exit in the terminal). Add the following line to the jessie.sh script:
chroot /chroot/jessie /etc/init.d/xrdp restart
This will ensure xrdp is started properly when spawning the chroot.
Ensure that your firewall policy is either unloaded (fw unloadlocal) or add firewall rules that allow port 3389.
Re-add the full repository list as per the "Configure the Chroot" section, ensure you "apt update".

Login to the GUI and install DOOM
RDP to an IP of the gateway that is reachable. Use the default sesman-Xvnc module. Provide the username and password (do not log in with root, use the non-root user we created earlier). If all went well you should see the desktop. Open a terminal and install DOOM:
sudo apt-get install doom-wad-shareware prboom
Start DOOM:
/usr/games/prboom
Doom running on a Gaia firewall, note the xfce4 and xrdp processes running in the attached screenshot.
Val_Loukine
inside General Topics 16 hours ago
views 44
Admin

White Paper - Private ThreatCloud & Offline Gateway Updates

There are plenty of harmful malware attacks that take advantage of software vulnerabilities in common applications, such as operating systems and browsers. To counter these threats, security solutions need to be updated in time so as to take advantage of the latest defense mechanisms. Traditionally, threat prevention products such as Anti-Virus or IPS have relied on intelligence packages periodically pushed to the enforcement points. It has also been possible to schedule updates once a day and even deliver them manually. However, today security assets need to be updated constantly, including when they protect highly critical resources not connected to the Internet. Check Point's ThreatCloud is a large data repository in the cloud that feeds security gateways, endpoint security agents, as well as mobile and cloud security platforms with up-to-the-second security intelligence. ThreatCloud is able to efficiently distribute big data threat intelligence throughout global enterprises, to all enforcement points on networks, hosts, mobile devices and local clouds. However, due to individual enterprise network segmentation restrictions, some enforcement points become forbidden or technically unable to access the Internet, creating a challenge for any solution that leverages ThreatCloud data and its services. To address this challenge, we came up with the Private ThreatCloud. The Private ThreatCloud provides a solution for customers whose Security Gateways or other Check Point devices do not connect directly to the Internet. With the Private ThreatCloud, users receive continuous protection as cloud services are extended offline and into other compartmentalized environments.

Author @Anton_Razumov
For the full list of White Papers, go here.
Val_Loukine
inside General Topics 16 hours ago
views 50
Admin

White Paper - Internet Web Access Security Best Practices

This document explains the Check Point approach to securing access to the Internet. It provides architectural references for what, why and how organizations should consider when securing access to the Internet in a modern and effective way.

Author @Anton_Razumov
For the full list of White Papers, go here.