Showing results for 
Search instead for 
Did you mean: 
Create a Post

IPS change management - Help needed

Hi all,we've recently upgraded out managment and logging servers from R77.30 to R80.20 (gateways are still on R77.30). With R77.30 we've used a simple MS Excel based change management tool to document all of our changes and exceptions in the IPS System.We've simply marked and copied the changed protections from the R77.30 dashboard to a text file and used a script to import to excel. This was an easy way to keep a time track to our changes. Since I can't copy any content from the R80.20 SmartConsole this solution isn't working any more and I try to figure out a simple way how to keep a time track of our IPS changes and get the data into our Excel chart again.I've learned the R80.20 has new automation APIs but to be honest - I'm a noob on that.Any ideas?Many thx

Slow performance when Antivrus enabled.

I am looking for information on why performance of a java applet drops by a factor of 20 when I enable the antivirus blade and where I can look for the cause. The environment: I have replaced an existing cluster of 5200 appliances with a cluster of 5600 appliances. the 5200 cluster is running r77.30 and the 5600 cluster is running R80.20 They both have exactly the same features/blades enabled and the same policy is applied to both. When I run the java applet(jnlp) from the web page using the 5200 cluster, logon to the application takes under 5 seconds after entering my credentials. However when I replaced the cluster with the 5600 cluster running R80.20 logon takes >2 minutes. If I disable the antivirus blade logon goes back to sub 5 seconds. I set up a test environment where I can run the 5600 cluster in parallel with the 5200 cluster with the only traffic through the 5600 cluster being the one server that java applet connects to. I have exactly the same experience with the applet, <5sec logon with antivirus disabled and > 2 minutes with it enabled. To me this would indicate that it is not a capacity problem, but possibly something to do with the way R80.20 performs antivirus. I have checked the logs on the smartconsole but there are no antivirus logs recorded. Does anyone have any tips on how to see what the antivirus is doing and why it may be causing slow performance?

R80.30 Packet Processing - Achieving Infinity

This video explains the packet processing architecture enforcing the Infinity Gen V prevention functionalities NGTX. You will understand how SecureXL, CoreXL and Multi-Queue handle packet streams and how the NGTX engine applies security. The packet processing explained here is valid as well for R80.10 and R80.20. In the video you will find references to recommended SecureKnowledge articles used as a source for this video. LITHIUM.OoyalaPlayer.addVideo('https:\/\/\/static\/v4\/production\/', 'lia-vid-NjNHl4aDE60ZV9xCBQeS8Ti33p_AWg_Cw1600h900r255', 'NjNHl4aDE60ZV9xCBQeS8Ti33p_AWg_C', {"pcode":"kxN24yOtRYkiJthl3FdL1eXcRmh_","playerBrandingId":"ODI0MmQ3NjNhYWVjODliZTgzY2ZkMDdi","width":"1600px","height":"900px"});(view in My Videos)

"Release Date" and "Update Date" column of the IPS Signature Export formatting incorrectly

Hello, this is my first post, so apologies if posted in an incorrect category. Is there a way to configure the date format in SmartConsole prior to exporting to csv?When I export the IPS signatures from the R80.10 dashboard, the csv output appears to be generated with two formats in the Release/Update Date columns (columns C & D). I don't recall having this issue in R77. The dashboard view within SmartConsole shows the date format to be DD/MM/YYYY, yet only a subset of the exported signatures follow this format. The other signatures appear to be formatting as MM/DD/YYYY. Along with the mismatch date formats, the values are inputted differently as well, either as MM/DD/YYYY or DD-MM-YY. This makes filtering the output challenging as I show some release dates coming up as December 2, 2019 when it should be February 12, 2019. Formatting the columns after the export doesn't appear to effect the way excel interprets the values (there may be a setting in Excel to address, If so, please let me know. My excel limitations are just not familiar one). Thank you in advance, Marcus

Prevent brute force attack on Web mail

I have one question. We are running R77.30. How to prevent brute force attack on Web mail. Attack is coming from blacklisted IP (Tor, free proxy). IPS blade is activated but nothing is blocking. What is best practice or documentation to prevent this kind of attack?

GeoProtection daily update problem today

Hello,I'm writing this post to let other Check Point customers know that their iptocountry.csv file used in GeoProtection may be corrupt, to confirm if others have experienced a similar problem today, as well as to vent 🙂We are running R80.30 and heavily utilize the GeoProtection feature of Threat Prevention (block about 180 of the 195 countries for To/From). We utilize a whitelist policy such that if a country isn't explicitly allowed, we drop/log the packet.This morning we were receiving complaints that uses' internet connection wasn't working. Upon inspection of our firewall logs, we noticed that 99% of traffic was being blocked due to GeoProtection. To get things up and running (as our risk tolerance leans heavily towards usability) we disabled GeoProtection prior to performing an RCA.As every block was related to GeoProtection, I theorized that the GeoProtection update (which occurs in the morning of every day) was a possible root cause. Sure enough, upon inspection of the iptocountry.csv file located at $FWDIR/tmp/geo_location_tmp/updates/, the timestamp of the file matched the first report of a user's inability to connect to the internet.Prior to contacting Check Point support, I pulled the file from the gateway in case they needed a copy for troubleshooting. But when I opened the file I noticed that it was much smaller than previous examinations. Indeed, the size of the file was only 22KB, whereas other times it's been closer to 7MB.Additionally, I examined a specific log entry for a blocked session destined to one of Apple's public IP addresses, 17.x.x.x, and using Check Point's conversion method (sk94364), I confirmed that the IP was not in the .csv file and by extension not identified as belonging to any particular country.Sidenote about GeoProtection up to R80.30; if an IP range is not included in the iptocountry.csv file (of which there are a handful, including,, and, SmartConsole will cosmetically identify the country as the United States but behaviorally treat the packet as belonging to an unknown country.So if a packet has an IP whose range is not in the iptocountry.csv file, then depending on your GeoPolicy being whitelist or blacklist two different things will happen.If your GeoPolicy is whitelist (and logically your action for 'other countries' would be to drop), then the packet would be dropped.If your GeoPolicy is blacklist (and logically your action for 'other countries' would be to allow), then the packet would be allowed.When I got on the phone with support, they were doing their traditional troubleshooting of break/fix by replacing the iptocountry.csv file on the gateway. However after mentioning that when attempting to download the same .csv file from Check Point's website (from this URL:, as mentioned in this Checkmates post:, it's the same 22KB sized file that was synced to our gateway.He reached out to his escalation team and they mentioned that other tickets were appearing for the same symptom.So heads up Checkmates!Fun morning 🙂-------------------Edit regarding blacklist vs whitelist: a few months ago we had a ticket open with Check Point support regarding GeoProtection, and were told that the best practice is to implement a whitelist, despite the fact that sk112249 mentions that Blacklisting (at least Application Control as mentioned in that article) is 'by far more common'.-------------------Update: CP support responded with this post about their RCA ( also received an email on July 11 from the TAC engineer assigned to the case saying that their CFG team has confirmed the issue has been resolved in the most recent Geo Protection update file. However, the URL for which I was downloading a copy of the iptocountry.csv file ( still only has the 22KB file, but I'm wondering if this is only the monthly update (not daily) as support wrote about in their aforementioned RCA post.

GeoProtection daily update issue from July 10th

Hi guys, I would like to share our root cause analysis for the Geo-location update issue from July 10th: On July 10th at 9:16 UTC our automatic geo-location update service issued an update package which included only small fraction of the geo-location information, resulting in Security Gateways around the world getting only partial information. This caused either allowing or disallowing more traffic than intended. Throughout July 10th we started receiving reports from customers about this issue and on July 11th we reverted the update to the July 9th version while investigating the issue. We have since then found the bug and know its root cause. This was not caused by a software update or a faulty deployment. For transparency we would like to share the details of the incident: In 2018, 9 years after creating the geo-location update service, we improved the service to become updated daily (instead of monthly updates as was until then). This was done to accommodate our customers’ wishes mostly in response to new US OFAC (Office of Foreign Assets Control) regulations. We created an algorithm to produce hybrid geo-location updates from two data sources – one that is more accurate but updates once a month, and another that is less detailed and possibly less accurate but updates once per day – taking the good parts from each data source and leaving the bad parts out. This algorithm proved itself – we saw a drastic decline in the number of complaints about geo-location misclassification and received positive feedback. Last week’s incident was caused by a daily update which assigned an IPv4 range to the country of Laos. Laos’s official name is “Lao People’s Democratic Republic”. Embarrassingly that name caused a sequence of events that caused our service to publish a valid but very partial geo-location package. Although this service is well monitored – the failure was in a blind spot and we did not get an alert prior to the service tickets. We are very sorry this happened, we realize this service means a lot to our customers. We are doing a full review of the script monitoring system to make sure no other blind spots exist and make sure this doesn’t happen again.

Understanding Identity Sharing

The documents reviews the process of identity sharing between PDP and PEP instances and it is providing a short documentation about the related commands for monitoring and troubleshooting.

IPS Analyzer Tool - How to analyze IPS performance efficiently

(1) IntroductionThe IPS Analyzer Tool collects information about the IPS Protections usage. The IPS statistics information indicates which patterns out of all IPS protections were called into action (but not necessarily matched) and how many times. Analyzer tool processes the statistic outputs and produces a clear HTML report based on that output. The report indicates which IPS protections are causing critical, high or medium load on CPU and provides information regarding the load on Security Gateway per traffic type.The IPS Analyzer Tool is supported on R77 and above.(2) ProcedureCollect the relevant IPS statistics per sk43733 - How to measure CPU time consumed by IPS protections - section "(1) IPS statistics" - sub-section "Show / Hide the procedure for versions R77 and above".Compress the IPS statistics output folder on Security Gateway:[Expert@HostName:0]# cd /path_to_IPS_statistics_output_folder/[Expert@HostName:0]# tar cvf IPS_Statistics.tar <HH-MM-SS__MM-DD-YYYY>Transfer the compressed IPS statistics output folder (IPS_Statistics.tar) from Security Gateway to your computer and unpack it.Run the IPS Analyzer Tool on the unpacked IPS statistics output folder:Open Windows Command PromptRun:C:\> Analyzer.exe OFFLINE "DISK:\path_to_unpacked_statistics_output_folder"Review the output files:AnalyzerReport.html - Main report file, located in DISK:\path_to_uncompressed_statistics_output_folder\AnalyzerReport.html (use Chrome or Firefox browser)analyzer.log - Log file*NOTE*The tool only displays protection information relevant to the IPS Software Blade. Details from other Software Blades may appear with the following protection name:"Threat Prevention Protection – ID NUM"If a significant portion of these entries is found then the IPS Software Blade is not the only one impacting the gateway performance and the impact of other Software Blades should be considered.(3) IPS Analyzer Tool SurveyWe would like to receive your feedback in a short, up to 2 minutes survey. Your feedback will help us to improve the tool and the services we provide you. Click here to take the survey.For any question please

VRRP with R80.10 - Interfaces in backup mode

Hi Folks,I am facing a weird issue with R80.10 Cluster in VRRP.I have currently have only one firewall configured in VRRP cluster and management server is away one hop; that is on L3 switch. So my topology is INTERNET-----Firewall--> L3-->Mgmt server.I then upgraded the firewall to R80.30 however after upgradation obviously it came up with Initial Policy since it could not fetch the policy from Mgmt server however when I decided to install policy it couldnt connect to Mgmt server. When I investigated I found that all the interfaces [though its single appliance in cluster] were in backup mode. And since no policy was installed HA module wasnt started.I guess since being a single appliance it by default should come up as Primary, correct?Any clue or any other alternative by which appliance can load last installed policy?

How to configure Check Point as WAF?

Hi,We have heard that the Check Point can work as simple WAF.We are thinking that it is a part of IPS. Becasue there is no WAF blade.However we couldn't find any documents and information about it in SK or this check mate site.Could you inform me of how to configure Check Point as WAF?We know that OWASP Top 10 is renewed in 2017 as below.--------------------------------------------A1:2017-InjectionA2:2017-Broken AuthenticationA3:2017-Sensitive Data ExposureA4:2017-XML External Entities (XXE)A5:2017-Broken Access ControlA6:2017-Security MisconfigurationA7:2017-Cross-Site ScriptingA8:2017-Insecure DeserializationA9:2017-Using Components with Known VulnerabilitiesA10:2017-Insufficient Logging&Monitoring--------------------------------------------We are thinking that the above each item is corresponded to a signature of IPS.Regards,

VPN Tunnel Management per Gateway Pair and consequences when I have multiple other tunnels

Hi Folks,I have total around 12 VPN Tunnels running on 5900; all are Policy/Domains based VPN. I have been asked to move and see the possibiities one Tunnel out of those 12 to One VPN tunnel per Gateway Pair. Wondering what could be the consequences on other tunnels then? Since I know One VPN tunnel per Gateway pair means CP will start sending/accepting R
DM inside IPS, Anti-Virus, Anti-Bot, Anti-Spam a week ago
views 75 1

Meaning of CVE numbers in IPS signatures

Hi,we are currently running 77.30 and are going to upgrade to 80.x.Anyway we started using IPS now with the 77.30 and I'm wondering about the meaning of the CVE numbers in the IPS signatures.As an example I have the "Linux System Files Information Disclosure" going with CVE-2018-3948. The CVE number is about TP-Link devices.So we don't run TP-Link devices and I first thought I could deactivate this protection. But then I checked the logged events and saw common directory traversal attacks. I checked if there are other "Linux System Files Information Disclosure" protections but cannot find any.Is this signature just for TP-Link devices because of the CVE or is the CVE just an example for this attack pattern?Thank you for your help.

IPS Tags assigned to a IPS protection

I'm not sure this is a feature request or something I'm missing, but I'd like to see what IPS tags are applied to a single protection. For example, when I open protection "Adobe Acrobat and Reader Memory Corruption (APSB17-24; CVE-2017-11227)", I'd like it to display what tags are applied to it. This would be more useful in certain circumstances instead of filtering on a tag and seeing what protections have that tag. Am I missing something? Dave

Geo policy

Good Morning, Is there a way to generate/extract the list of countries that we currently block under Geopolicy? we are running on R80.20.