IPS, Anti-Virus, Anti-Bot, Anti-Spam

Your place to discuss Check Point's Intrusion Prevention System, Anti-Bot, Antivirus, and Anti-Spam solutions.

How to whitelist a URL for all the threat prevention blades

Hello,
I would like to know how to whitelist one or more external URLs on all the threat prevention blades. The URLs are used for security tests such as phishing campaigns and threat simulations.
Thanks,
Faisal

What is the use of cp_file_convert?

What is the use of cp_file_convert? CPU utilization goes high because of this process.

Anti-spam and email security blade always bypassing all emails

From the logs: "Non spam bypassed (Temporary scan failure)". The Anti-Spam and Email Security blade is always bypassing all emails. It seems the Anti-Spam and Email Security blade is not working well.

Slow performance when Antivirus enabled

I am looking for information on why the performance of a Java applet drops by a factor of 20 when I enable the Antivirus blade, and where I can look for the cause.

The environment: I have replaced an existing cluster of 5200 appliances with a cluster of 5600 appliances. The 5200 cluster is running R77.30 and the 5600 cluster is running R80.20. They both have exactly the same features/blades enabled and the same policy is applied to both.

When I run the Java applet (JNLP) from the web page through the 5200 cluster, logon to the application takes under 5 seconds after entering my credentials. However, when I replaced the cluster with the 5600 cluster running R80.20, logon takes more than 2 minutes. If I disable the Antivirus blade, logon goes back to under 5 seconds.

I set up a test environment where I can run the 5600 cluster in parallel with the 5200 cluster, with the only traffic through the 5600 cluster being the one server that the Java applet connects to. I have exactly the same experience with the applet: under 5 seconds to log on with Antivirus disabled and more than 2 minutes with it enabled. To me this would indicate that it is not a capacity problem, but possibly something to do with the way R80.20 performs Antivirus. I have checked the logs in SmartConsole but there are no Antivirus logs recorded.

Does anyone have any tips on how to see what the Antivirus is doing and why it may be causing slow performance?

Suspicious Activity Monitoring (SAM) Rules

The challenge was to block a lot of public IPs, allocated via the Mgmt Server. For example, to allocate on all SGWs I do the following on the Mgmt Server (CP R80.30):

  fw sam -I subdst 2.237.76.249 255.255.255.255

Everything is fine and this IP is blocked on all our SGWs, R80.10 through R80.30. The problem is how to check which IPs are in the kernel table in this "blocking mode".

So I did the following on the SGW:

  [Expert@SGW:0]# fw tab -t sam_blocked_ips
  localhost:
  -------- sam_blocked_ips --------
  dynamic, id 8141, num ents 1175, load factor 2.29, attributes: keep, , hashsize 512, limit 50000
  <a7567bb0; 00000000, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>

Example: a7=167 .56=186 .7b=123 .b0=176, from hex to decimal !!! IPv4 = 167.186.123.176 !!!!

Actually 1175 entries are active on this SGW. How can I see all these entries? Is there a table to copy and to convert to IPv4 (all these 1175 IPs)?

My output is the following:

  [Expert@SGW:0]# fw tab -t sam_blocked_ips
  localhost:
  -------- sam_blocked_ips --------
  dynamic, id 8141, num ents 1175, load factor 2.29, attributes: keep, , hashsize 512, limit 50000
  <a7567bb0; 00000000, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>
  <46a935ea; 00000000, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>
  <9a78e3ce; 00000001, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>
  <68efafd3; 00000001, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>
  <2d5094a8; 00000001, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>
  <830067c8; 00000001, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>
  <ba926e6c; 00000001, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>
  <be8ec86c; 00000001, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>
  <18b57d3e; 00000000, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>
  <d44996e9; 00000001, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>
  <02ed4cf9; 00000001, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>
  <ba54ad99; 00000001, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>
  <92b9fdaf; 00000001, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>
  <59bc7c91; 00000001, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>
  <566240bd; 00000001, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>
  <4845632f; 00000001, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000>
  ...(16434 More)

Error: 'IPS' is not responding

Hi Experts,
I am facing an error on my R80.20 Check Point IPS. Kindly share your suggestions. Error screenshot attached.
Note: the IPS blade is enabled.
Regards,
RB

Crimea IP ranges in Threat Prevention Geo Policy

Hi,
I need to apply specific security rules for traffic coming from Crimea, but this region is not defined in the Check Point Threat Prevention Geo Policy. So far, I've been downloading manual updates from MaxMind and statically updating the Check Point policy. This manual method is not reliable enough, as you can understand. What do you think would be the best way to maintain policies with Crimea IP ranges on Check Point? I doubt that I'm the only one facing this challenge.
Thanks in advance.

Generic.TC.gjgwrm verbose description

My Antivirus detects a malicious DNS request for the resource qaeqxa.pw. The signature is Generic.TC.gjgwrm. Please help me find a verbose description of this signature.

External DNS Stops working

We are having an issue where external DNS stops working intermittently until we do a cluster failover. fw ctl zdebug drop shows lots of the following drop messages:

  @;129816940;[cpu_3];[fw4_0];[X.X.X.X:36028 -> 203.94.129.130:53] [ERROR]: appi_clobs_observer_remove_context_dependent: application id (60341234) has unknown context id and won't be free;
  @;134917386;[cpu_3];[fw4_0];[X.X.X.X:49252 -> 1.1.1.1:53] [ERROR]: appi_clobs_observer_remove_context_dependent: application id (60341234) has unknown context id and won't be free;

The strange thing is that I am still seeing these same messages even in a working state, so I am not convinced that this is the cause of the issue.

Blocking IP using custom IOC feeds

Hello All,
I am trying to automatically block IPs from IOC feeds coming from ServiceNow SecOps. I can see that Check Point is able to fetch the IOCs from SecOps; however, it is not blocking those IPs. I am using R80.30 (gateway and management are behind a proxy, and it is a standalone deployment). I checked sk103154 and it asks me to install the script "ip_block_sk103154.tar". Unfortunately, with my access I am unable to download this script. Please let me know if there is any workaround for this issue.

Moving from Detect to Prevent TechTalk: Video, Slides, and Q&A

On 8 January 2020, @Oren_Koren gave us a preview of a SmartConsole Extension that will be launched at CPX 360 2020, making it simple to move from Detect to Prevent with Check Point! The following is available to CheckMates members who are logged in: Slides (will be provided after CPX 360 2020), Video. Q&A will be posted as comments.

CVE-2019-19781

Hello,
Will my Check Point firewall have a signature for CVE-2019-19781? I would like to alert on exploitation attempts against my Citrix access gateways and wonder if Check Point will automatically detect the directory traversal style attack.

R80.10 Mismatched Replies Core IPS Protection

Hi,
I'm trying to get DNS queries to populate in our logs. Is this possible in R80.10? There's an old R77 article which states it can be achieved by enabling the IPS protection "Mismatched Replies" (or other related DNS protections):
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116694

I've noticed in R80.10 the protection is set to "Inactive". Within SmartDashboard it states:
Supported Products:
Security Gateway: NGX R65, R70, R71, R75, R75.20
Connectra: R62CM, R66

Does anyone know if activating this protection will produce the same results as outlined in the above article? If not, is there another way to achieve this?
Thanks,
Jon

DNS Trap prevent after activating Anti-Bot

Hi all,
Since I activated Anti-Bot on the CP SGW cluster members (R80.10/R80.20 and R80.30), I have trouble with DNS requests. From time to time users can't get access to the Internet, because Anti-Bot prevents:
SRC: Internal User
DST: Internal DNS Server (10.1.1.67)
with the protection details shown. Mgmt Server: R80.30. This issue occurs only for the DNS IP 10.1.1.67. When activating Anti-Bot (on the cluster member) we added the following IP (10.1.1.67), marked in yellow:

What is the reason for it?
1.) DNS Trap with prevent to the internal DNS (needed!)?
2.) In the detailed log you can see under Forensics Details: d2cb5ad7002c4066.huaweisafedns.com ?

CVE-2020-0601

Any ideas when CP is going to release a protection for CVE-2020-0601? It seems that it should be doing this already, but I would like to verify!