General Topics

Have a question and you can't figure out where to post about it after reading All Products and Where to Post About Them? Post it here!

Kaspars_Zibarts
Kaspars_Zibarts inside General Topics an hour ago
views 294 10 2

First impressions R80.30 on gateway - one step forward one (or two back)

Ok, we were finally "forced" to go ahead and upgrade our gateways from R80.10 to R80.30 for fairly small things - we wanted to be able to use O365 Updatable Object (instead of home grown scripts) and improve Domain (FQDN) object performance issues when all FWK cores were making DNS queries causing a lot of alerts (see https://community.checkpoint.com/t5/General-Topics/Domain-objects-in-R80-10-spamming-DNS/m-p/19786).
Positive things - upgrades were smooth and painless - both on regular gateways and VSX. All regular gateways seem to be performing as before, but I have to be honest that they are "over-dimensioned" and have rather powerful HW for the job - 5900 with 16 cores. VSX though threw a couple of surprises.
SXL medium path usage. CPU jumped from <30% to above 50% on the busiest VS that only has FW and IA blades enabled. Ok, there is also VPN but only one connection.
I haven't spent enough time digging into it but for some reason 1/3 of all connections took medium path whereas before in R80.10 it was nearly all fully accelerated. And most of it was HTTPS (95%) with next most used LDAP-SSL (2%). I used the SXL fast accelerator feature (thanks @HeikoAnkenbrand https://community.checkpoint.com/t5/General-Topics/R80-x-Performance-Tuning-Tip-SecureXL-Fast-Accelerator-fw-ctl/td-p/67604) to exclude our proxies and some other nets and you can see that on Friday CPU load was reduced by 10% but nowhere near what it used to be. I just find it impossible to explain why a gateway with only FW blade enabled would start to throw all (by the looks of it) traffic via PXL. And statistics are a bit funny too.
FQDN alerts in logs. I can definitely confirm that only one core now is doing DNS lookups (against all DNS servers you have defined, in our case 2). But we are still getting a lot of alerts like these: Firewall - Domain resolving error. Check DNS configuration on the gateway (0)
Especially after I enabled updatable object for O365 in the rulebase.
As said before - I have not spent too much time on this as we had other "fun" stuff to deal with on our chassis, so it's fairly "raw". I will report more once I have some answers.
Val_Loukine
inside General Topics an hour ago
views 24
Admin

White Paper - Blueprint for Securing Industrial Control Systems

At about midnight on Monday March 18, 2019, one of the world’s largest aluminum producers, with smelting plants, factories and offices in 40 countries, noticed irregularities in its systems. Hours later, Norway-based Norsk Hydro confirmed it was suffering production stoppages in Europe and the US as it battled a major ransomware attack, forcing the company to switch to manual operations while it attempted to contain the issue. Ransom was never paid, but the total cost of the attack was estimated to be around $52 million. A few days later, 2 other US-based chemical companies, Hexion and Momentive, were also hit by cyber attacks and had to shut down IT systems to contain the incidents. The same encryption program called LockerGoga is thought to be behind all three attacks. The attack had a tremendous impact on the production of aluminum worldwide. This white paper is written as a guide to securing networks with Critical Infrastructure in order to prevent similar catastrophes from happening again. Author: @Jeroen_De_Corel  For the full list of White Papers, go here.   
Di_Junior
Di_Junior inside General Topics 4 hours ago
views 45 1

Skype for business over Check Point Firewall

Hi Mates, I need urgent help. Has anyone implemented Skype for Business over a Check Point Firewall? I am trying to do so, but I am having issues with certificates presented to mobile devices (smartphones, tablets) when connecting to our internal SFB servers. The internal servers present a self-signed certificate, hence the clients are unable to connect. Thanks in advance
Tsvika_Akerman
inside General Topics 4 hours ago
views 10089 74 15
Employee

R80.40 Early Availability Program @ Check Point Update

R80.40 EA Program
R80.40 features centralized management control across all networks, on premise or in the cloud, lowering the complexity of managing your security and increasing operational efficiency. As part of the Check Point Infinity architecture, R80.40 provides customers with the best security management, utilizing the Industry’s largest integration of technologies from more than 160 technology partners. With Check Point R80.40 Cyber Security for Gateways and Management, businesses everywhere can easily step up to Gen V.
Enrollment // Production EA
• We are looking for R80.X / R77.X Production environment to evaluate the new version.
• Start date: Started
Public EA (for Lab/Sandbox use) is now also available! Log into UserCenter and select Try Our Products > Early Availability Programs. In PartnerMap, it is Learn > Evaluate > Early Availability Programs.
NOTE: Upgrade from Public EA to GA is not supported
Additional questions? Contact us @ EA_SUPPORT@checkpoint.com
What's New
IoT Security
A new IoT security controller to:
• Collect IoT devices and traffic attributes from certified IoT discovery engines (currently supports Medigate, CyberMDX, Cynerio, Claroty, Indegy, SAM and Armis).
• Configure a new IoT dedicated Policy Layer in policy management.
• Configure and manage security rules that are based on the IoT devices' attributes.
TLS Inspection
HTTP/2
HTTP/2 is an update to the HTTP protocol. The update provides improvements to speed, efficiency and security and results in a better user experience. Check Point's Security Gateway now supports HTTP/2 and benefits from better speed and efficiency while getting full security, with all Threat Prevention and Access Control blades, as well as new protections for the HTTP/2 protocol. Support is for both clear and SSL encrypted traffic and is fully integrated with HTTPS/TLS Inspection capabilities.
TLS Inspection Layer
This was formerly called HTTPS Inspection.
Provides these new capabilities:
• A new Policy Layer in SmartConsole dedicated to TLS Inspection.
• Different TLS Inspection layers can be used in different policy packages.
• Sharing of a TLS Inspection layer across multiple policy packages.
• API for TLS operations.
Threat Prevention
• Overall efficiency enhancement for Threat Prevention processes and updates.
• Automatic updates to Threat Extraction Engine.
• Dynamic, Domain and Updatable Objects can now be used in Threat Prevention and TLS Inspection policies. Updatable objects are network objects that represent an external service or a known dynamic list of IP addresses, for example - Office365 / Google / Azure / AWS IP addresses and Geo objects.
• Anti-Virus now uses SHA-1 and SHA-256 threat indications to block files based on their hashes. Import the new indicators from the SmartConsole Threat Indicators view or the Custom Intelligence Feed CLI.
• Anti-Virus and SandBlast Threat Emulation now support inspection of e-mail traffic over the POP3 protocol, as well as improved inspection of e-mail traffic over the IMAP protocol.
• Anti-Virus and SandBlast Threat Emulation now use the newly introduced SSH inspection feature to inspect files transferred over the SCP and SFTP protocols.
• Anti-Virus and SandBlast Threat Emulation now provide an improved support for SMBv3 inspection (3.0, 3.0.2, 3.1.1), which includes inspection of multi-channel connections. Check Point is now the only vendor to support inspection of a file transfer through multiple channels (a feature that is on-by-default in all Windows environments). This allows customers to stay secure while working with this performance enhancing feature.
Access Control
Identity Awareness
• Support for Captive Portal integration with SAML 2.0 and third party Identity Providers.
• Support for Identity Broker for scalable and granular sharing of identity information between PDPs, as well as cross-domain sharing.
• Enhancements to Terminal Servers Agent for better scaling and compatibility.
IPsec VPN
• Configure different VPN encryption domains on a Security Gateway that is a member of multiple VPN communities. This provides:
  • Improved privacy - Internal networks are not disclosed in IKE protocol negotiations.
  • Improved security and granularity - Specify which networks are accessible in a specified VPN community.
  • Improved interoperability - Simplified route-based VPN definitions (recommended when you work with an empty VPN encryption domain).
• Create and seamlessly work with a Large Scale VPN (LSV) environment with the help of LSV profiles.
URL Filtering
• Improved scalability and resilience.
• Extended troubleshooting capabilities.
NAT
• Enhanced NAT port allocation mechanism - on Security Gateways with 6 or more CoreXL Firewall instances, all instances use the same pool of NAT ports, which optimizes the port utilization and reuse.
• NAT port utilization monitoring in CPView and with SNMP.
Voice over IP (VoIP)
• Multiple CoreXL Firewall instances handle the SIP protocol to enhance performance.
Remote Access VPN
• Use machine certificate to distinguish between corporate and non-corporate assets and to set a policy enforcing the use of corporate assets only. Enforcement can be pre-logon (device authentication only) or post-logon (device and user authentication).
Mobile Access
Portal Agent
• Enhanced Endpoint Security on Demand within the Mobile Access Portal Agent to support all major web browsers. For more information, see sk113410.
Security Gateway and Gaia
CoreXL and Multi-Queue
• Support for automatic allocation of CoreXL SNDs and Firewall instances that does not require a Security Gateway reboot.
• Improved out of the box experience - Security Gateway automatically changes the number of CoreXL SNDs and Firewall instances and the Multi-Queue configuration based on the current traffic load.
Clustering
• Support for Cluster Control Protocol in Unicast mode that eliminates the need for CCP Broadcast or Multicast modes.
• Cluster Control Protocol encryption is now enabled by default.
• New ClusterXL mode - Active/Active, which supports Cluster Members in different geographic locations that are located on different subnets and have different IP addresses.
• Support for ClusterXL Cluster Members that run different software versions.
• Eliminated the need for MAC Magic configuration when several clusters are connected to the same subnet.
VSX
• Support for VSX upgrade with CPUSE in Gaia Portal.
• Support for Active Up mode in VSLS.
• Support for CPView statistical reports for each Virtual System
Zero Touch
• A simple Plug & Play setup process for installing an appliance - eliminating the need for technical expertise and having to connect to the appliance for initial configuration.
Gaia REST API
• Gaia REST API provides a new way to read and send information to servers that run Gaia Operating System. See sk143612.
Advanced Routing
• Enhancements to OSPF and BGP allow to reset and restart OSPF neighboring for each CoreXL Firewall instance without the need to restart the routed daemon.
• Enhancing route refresh for improved handling of BGP routing inconsistencies.
New kernel capabilities
• Upgraded Linux kernel
• New partitioning system (gpt):
  • Supports more than 2TB physical/logical drives
• Faster file system (xfs)
• Supporting larger system storage (up to 48TB tested)
• I/O related performance improvements
• Multi-Queue:
  • Full Gaia Clish support for Multi-Queue commands
  • Automatic "on by default" configuration
• SMB v2/3 mount support in Mobile Access blade
• Added NFSv4 (client) support (NFS v4.2 is the default NFS version used)
• Support of new system tools for debugging, monitoring and configuring the system
CloudGuard Controller
• Performance enhancements for connections to external Data Centers.
• Integration with VMware NSX-T.
• Support for additional API commands to create and edit Data Center Server objects.
Security Management
Multi-Domain Server
• Back up and restore an individual Domain Management Server on a Multi-Domain Server.
• Migrate a Domain Management Server on one Multi-Domain Server to a different Multi-Domain Security Management.
• Migrate a Security Management Server to become a Domain Management Server on a Multi-Domain Server.
• Migrate a Domain Management Server to become a Security Management Server.
• Revert a Domain on a Multi-Domain Server, or a Security Management Server to a previous revision for further editing.
SmartTasks and API
• New Management API authentication method that uses an auto-generated API Key.
• New Management API commands to create cluster objects.
• Central Deployment of Jumbo Hotfix Accumulator and Hotfixes from SmartConsole or with an API allows to install or upgrade multiple Security Gateways and Clusters in parallel.
• SmartTasks - Configure automatic scripts or HTTPS requests triggered by administrator tasks, such as publishing a session or installing a policy.
Deployment
• Central Deployment of Jumbo Hotfix Accumulator and Hotfixes from SmartConsole or with an API allows to install or upgrade multiple Security Gateways and Clusters in parallel.
SmartEvent
• Share SmartView views and reports with other administrators.
Log Exporter
• Export logs filtered according to field values.
Endpoint Security
• Support for BitLocker encryption for Full Disk Encryption.
• Support for external Certificate Authority certificates for Endpoint Security client authentication and communication with the Endpoint Security Management Server.
• Support for dynamic size of Endpoint Security Client packages based on the selected features for deployment.
• Policy can now control level of notifications to end users.
• Support for Persistent VDI environment in Endpoint Policy Management.
Biggsy
Biggsy inside General Topics 8 hours ago
views 224 6 1

Move External Interface to different NIC

Gaia 3.10 R80.20 fail-over cluster using ClusterXL on Open Servers (Dell R740). I need to move the External interface from a 1G copper (eth2) NIC to a 10G SFP+ slot (eth0) utilizing a DAC cable. Here is my plan so far:
Do during a maintenance window as there will be an outage:
Via CPUSE, Network Interfaces tab; Start on Standby member, delete IP address from eth2 and disable NIC. Configure eth0 with settings & IP from eth2, disable auto-negotiation, click on link speed and select 10Gbps / Full and enable NIC. Then do Active member (which will start my outage). Disconnect copper cables from eth2 and connect DAC cables.
Via SmartConsole, edit FW Cluster object, select Network Management; copy all info from eth2, then delete the eth2 interface. Then should I:
a.) Do a "get interfaces with topology" OR
b.) Add a new interface and input the info from eth2 by hand.
I'm thinking I should do the "get interfaces with topology", just worried it might change some settings or something with the other interfaces....
Then, save and push policy. Or do I need to reboot the gateways first? Since there isn't a discntd.if file anymore I don't think I need to reboot them....
PLEASE let me know if I'm missing something or if there is a better way to do this.
Gianlucheck
Gianlucheck inside General Topics yesterday
views 62 3

Proxy HTTP/HTTPS - two sessions

I have to configure the Checkpoint as Proxy HTTP/HTTPS with Application Control. I know that the Proxy opens 2 connections, one to client and one to server.
For client side I have to configure one policy:
source: client, destination: gw internal interface (proxy ip), service: tcp_8080
For server side I have to configure the following policy?
source: gw external interface, destination: internet, service: http/https?
In short, the connection between GW and Internet has the client source IP or the external interface source IP? Thanks
TimLofgren
TimLofgren inside General Topics Friday
views 359 8

Gateway issue post upgrade to R80.30

Hello all, I recently upgraded my SMS server from R80.20 to R80.30 and ran all pending hotfixes after the update. I took new backups of the config and snapshots of the SMS server after all was done. I then started the snapshots and backups of the one and only gateway that we utilize. I ran the upgrade from CPUSE. After it rebooted the management interface never came back up. The device was located off site at a data center so I had to go capture it and it is now on my desk. I can connect to the device CLISH from console but I have no idea how to troubleshoot what went wrong or how to proceed with the upgrade to the R80.30 version after this failure. Luckily this is not in production yet. We are still on our old firewall systems until I get this online and working in R80.30. Can anyone point me in the right direction? Tim
Sunandan_Banerj
inside General Topics Friday
views 2298 5
Employee

SSH decryption in Check Point R80.20

Hi, Do we support SSH decryption ? If yes pls share URL/Link for reference. If No, do we have any workaround ? Regards, Sunandan
HeikoAnkenbrand
HeikoAnkenbrand inside General Topics Friday
views 259 5 6

ONELINER - process utilization per core

With this oneliner you can view the process load of each core. Change the variable CORE to the correct core number (for example CORE=3):
CORE=3; ps --sort=-c -e -o pid,psr,%cpu,%mem,cmd | grep -E "^[[:space:]]*[[:digit:]]+[[:space:]]+${CORE}[[:space:]]"
ps L -> List all format specifiers (for example pid, psr, %cpu, %mem, ...)
There is still much potential for improvement here 🙂
Security_Suppo1
Security_Suppo1 inside General Topics Friday
views 122 1

Unable to download R80.40

Hi, Has something happened to the download link for R80.40? I have registered for the EA, however when continuing through to the download link, it suggests that I haven't registered or it cannot find the link I am looking for? If anyone can help that would be great.
Danish_Javed1
Danish_Javed1 inside General Topics Thursday
views 1453 6

Vulnerability Mitigation for TLS 1.0 and Weak Ciphers

Hello, I need instructions to mitigate the following two vulnerabilities from our Gateways:
1) Enable Support for TLS 1.1 and TLS 1.2, and disable TLS 1.0
2) Removal of Weak Ciphers
We are using a VSX Cluster environment with R80.10
Also, what could be the after effects after removing these vulnerabilities on the existing production environment. Please suggest. Thanks
Carlos_Rodrigu2
Carlos_Rodrigu2 inside General Topics Thursday
views 1460 4

Unable to find any devices of the type needed for this installation type.

Hi guys, After using the ISOmorphic tool to put an R77.30 image on it, I turn on my checkpoint T2200 with the USB and the process begins, after a few seconds I have the following error: I tried to select different drivers, but without any success with that, can someone help me, because right now my checkpoint is stopped.... Thanks in advance
humt
humt inside General Topics Thursday
views 439 13

ISP Compromised - Everything become failure

My ISP has been compromised, and I have no idea what to do. The ISP was already compromised a few months back, but I thought the issue was because my router is from a local company. But I was wrong. I have used another router and even a firewall. All became a waste for me. The firewall failed to stop it. I have sent the report to Kaspersky, and Kaspersky says the problem is on the router side. And when I search on Google, some developers say it is from the ISP side. I have formatted my system 3 times, reset the router, reset the firewall. All ended in failure.
HeikoAnkenbrand
HeikoAnkenbrand inside General Topics Thursday
views 633 11 16

R80.x Performance Tuning Tip - Elephant Flows (Heavy Connections)

Elephant Flow (Heavy Connections)
In computer networking, an elephant flow (heavy connection) is an extremely large (in total bytes) continuous flow set up by a TCP or other protocol flow measured over a network link. Elephant flows, though not numerous, can occupy a disproportionate share of the total bandwidth over a period of time. When the observations were made that a small number of flows carry the majority of Internet traffic and the remainder consists of a large number of flows that carry very little Internet traffic (mice flows). All packets associated with that elephant flow must be handled by the same firewall worker core (CoreXL instance). Packets could be dropped by Firewall when CPU cores, on which Firewall runs, are fully utilized. Such packet loss might occur regardless of the connection's type.
What typically produces heavy connections:
- System backups
- Database backups
- VMWare sync.
Chapter
More interesting articles:
- R80.x Architecture and Performance Tuning - Link Collection
- Article list (Heiko Ankenbrand)
Evaluation of heavy connections
The big question is, how do you find elephant flows on an R80 gateway?
Tip 1
Evaluation of heavy connections (elephant flows)
A first indication is a high CPU load on a core if all other cores have a normal CPU load. This can be displayed very nicely with "top". Ok, now a core has 100% CPU usage. What can we do now? For this there is SK105762 to activate "Firewall Priority Queues". This feature allows the administrator to monitor the heavy connections that consume the most CPU resources without interrupting the normal operation of the Firewall. After enabling this feature, the relevant information is available in CPView Utility. The system saves heavy connection data for the last 24 hours and CPDiag has a matching collector which uploads this data for diagnosis purposes.
Heavy connection flow system definition on Check Point gateways:
- Specific instance CPU is over 60%
- Suspected connection lasts more than 10s
- Suspected connection utilizes more than 50% of the total work the instance does. In other words, connection CPU utilization must be > 30%
CLI Commands
Tip 2
Enable the monitoring of heavy connections.
To enable the monitoring of heavy connections that consume high CPU resources:
# fw ctl multik prioq 1
# reboot
Tip 3
Find heavy connections on the gateway with "print_heavy connections"
On the system itself, heavy connection data is accessible using the command:
# fw ctl multik print_heavy_conn
Tip 4
Find heavy connections on the gateway with cpview
# cpview
CPU > Top-Connection > InstancesX
Links
sk105762 - Firewall Priority Queues in R77.30 / R80.10 and above
Jay
Jay inside General Topics Thursday
views 1195 5 1

checkpoint OS download

Hello
When downloading the image for R80.20, we have the following options. I would like to understand the use of item 1 below, what is the difference of it compared with item 5 and 6.
1. Check Point R80.20 with new Gaia 3.10 T5 for Security Gateway
2. Dual Image R80.20 (Take 101) / R80.10 Gaia Clean Install for 6000 appliance
3. ISOmorphic - tool for creating a bootable SecurePlatform/Gaia flash device - Build 166
4. ISOmorphic - tool for creating a bootable SecurePlatform/Gaia flash device - Build 168
5. R80.20 Fresh Install and Upgrade for Security Gateway and Standalone
6. R80.20 Gaia Fresh Install for Security Gateway and Standalone
Thanks
Jay