IPS, Anti-Virus, Anti-Bot, Anti-Spam

Your place to discuss Check Point's Intrusion Prevention System, Anti-Bot, Antivirus, and Anti-Spam solutions.


MITRE ATT&CK Framework and Check Point TechTalk

On 14th August 2019, we recorded a TechTalk with @Jony_Fischbein and @Irina_Shalem on how to take Cyber Security to the next level with the MITRE ATT&CK Framework. Presentation materials, available to CheckMates members, include:
Full Video
PowerPoint Presentation
An excerpt of the session is below. Q&A from the session will be posted in the comments.

MTA SPAM Alternating drop and accept

Most of the time when we receive spam mail, I'm seeing two entries appear for the mail, an accept followed by a drop. At first I thought this was how the MTA blade behaved, where it was accepting the mail to be scanned, but it looks like it's actually being allowed through. Our secondary spam filter appliance is seeing the accepted spam hit it, and is filtering them. Our MTA is set to hold mails until the scan is finished, 25 min max, max disk usage of 70%. If limits are exceeded or in case of error, it is allowed. Here's an example from last night where we were hit with ~6000 emails from a bad rep, where 3000 made it through to our secondary spam filter and were blocked. Weird issue. I'm wondering if anyone here has any insight before opening a TAC case.

Configuring checkpoint as mail relay using MTA

We have currently set up our R80.10 Cluster as an MTA to receive external mail. The reason is filtering spam and viruses. We set up the MTA as described in the picture. The MX record has been changed to our CP external IP (87.245.x.x). We tried sending a test email via telnet with no luck. No response from the server. Which additional steps should be performed (security rules, NAT rules) to configure CP properly? Regards

Verify that DNS tunneling is being prevented in R80.10

How do I verify that DNS Tunneling is being blocked in R80.10? I have found a lot of good info if I were running R77.30, but it doesn't convert very well to R80.10.

ips_export_import on R80.10

Hi, is ips_export_import working on an R80.10 Management server? When I try to export an IPS profile it returns that the profile does not exist. For example, if I try to export the Default_Protection IPS profile:
# ips_export_import export Default_Protection
Trying to open the CPMI database...
Completed opening CPMI database.
Start exporting profile object...
Failed to export profile (profile 'Default_Protection' does not exist)
Thanks.

Anti-Virus 20191127 update issue?

Happens on customers who enable HTTPS inspection and the Anti-Virus blade. Due to web site use of "" object.

Error: kfunc_cmik_loader_execute_dyn_ctx

Hi - Curious to know if anyone can tell me what these errors mean? I am seeing this on our active gateway and after failing over I am seeing them on the now other active gateway. These are Dell open servers running 80.10 patch 103. We are seeing a lot of devices behind this cluster flopping up and down as well. cphaprob -a if shows all interface IP and no tx/rx errors in netstat. Thanks
Jun 30 05:13:07 2018 Gateway01 kernel: [fw4_4];[ERROR]: kfunc_cmik_loader_execute_dyn_ctx: cmi_match_env is NULL
Jun 30 05:13:07 2018 Gateway01 kernel: [fw4_5];[ERROR]: kfunc_cmik_loader_execute_dyn_ctx: cmi_match_env is NULL
Jun 30 05:13:23 2018 Gateway01 kernel: [fw4_2];[ERROR]: kfunc_cmik_loader_execute_dyn_ctx: cmi_match_env is NULL
Jun 30 05:13:55 2018 Gateway01 kernel: [fw4_0];[ERROR]: kfunc_cmik_loader_execute_dyn_ctx: cmi_match_env is NULL
Jun 30 05:14:11 2018 Gateway01 kernel: [fw4_4];[ERROR]: kfunc_cmik_loader_execute_dyn_ctx: cmi_match_env is NULL

Geo Blocking

Hi Folks, we are looking to implement Geo blocking and wondered if Check Point works with the US Treasury Office of Foreign Assets Control (OFAC) list of sanctioned IP addresses? Anyone know?

IPS packet captures upload to remote servers

Is there any built-in feature which would allow uploading IPS packet captures to remote servers and not just storing them on gateways? Our SOC team is asking for storage space where they could download those .cap/.eml files.

Is there SNI support for inbound HTTPS inspection in R80.20?

Hi, on GWs R80.20 can I do HTTPS inspection on inbound connections that require SNI, since on the server there are some virtual hosts with different certificates? If yes, how? Thanks in advance

Antibot & Antivirus Updates Through Proxy

Hello, I have 2 VSX Gateways managed by SmartConsole. I want to enable Anti-Bot, Anti-Virus, URL Filtering & IPS updates via proxy. For this I have configured Proxy Settings in Global Properties (SmartConsole) and also added the proxy server IP and port on the individual gateways (set proxy address XXXX 8080). However, the problem is that IPS and URL Filtering are getting updated fine via SmartConsole but the Anti-Bot and Anti-Virus blades are not updating and are throwing the error "Update failed, contract entitlement check failed, unable to reach". I have tested all the update URLs through both gateways and all of them return a positive "It Works" result. Am I missing some configuration here? Thanks

Query regarding CLI command to check Threat Extraction

Hi CheckMates, I need some help here. I need to know the CLI command to check if the Threat Extraction (TE) module is active, and if yes, to check if TE is local or cloud. Thanks in advance

Routing between 2 Virtual Systems

Hello, in my VSX environment on R80.10 CP 5900, Anti-Bot and Anti-Virus updates are going through an internet gateway connected to VS0. Now I want to divert this traffic such that the GW updates through another internet gateway which is reachable through VS1. How can this be achieved? Thanks.

IPS Protection filter

Hi, I want to understand what dynamic and static IPS protections are. Also, if we apply the Optimized profile, does the Basic profile still work? Thanks

IPS Analyzer Tool - How to analyze IPS performance efficiently

(1) Introduction
The IPS Analyzer Tool collects information about IPS protection usage. The IPS statistics indicate which patterns out of all IPS protections were called into action (but not necessarily matched) and how many times. The Analyzer tool processes the statistics output and produces a clear HTML report based on it. The report indicates which IPS protections are causing critical, high or medium CPU load and provides information about the load on the Security Gateway per traffic type.
The IPS Analyzer Tool is supported on R77 and above.

(2) Procedure
1. Collect the relevant IPS statistics per sk43733 - How to measure CPU time consumed by IPS protections - section "(1) IPS statistics" - sub-section "Show / Hide the procedure for versions R77 and above".
2. Compress the IPS statistics output folder on the Security Gateway:
[Expert@HostName:0]# cd /path_to_IPS_statistics_output_folder/
[Expert@HostName:0]# tar cvf IPS_Statistics.tar <HH-MM-SS__MM-DD-YYYY>
3. Transfer the compressed IPS statistics output folder (IPS_Statistics.tar) from the Security Gateway to your computer and unpack it.
4. Run the IPS Analyzer Tool on the unpacked IPS statistics output folder. Open a Windows Command Prompt and run:
C:\> Analyzer.exe OFFLINE "DISK:\path_to_unpacked_statistics_output_folder"
5. Review the output files:
AnalyzerReport.html - Main report file, located in DISK:\path_to_uncompressed_statistics_output_folder\AnalyzerReport.html (use the Chrome or Firefox browser)
analyzer.log - Log file

*NOTE* The tool only displays protection information relevant to the IPS Software Blade. Details from other Software Blades may appear with the following protection name:
"Threat Prevention Protection – ID NUM"
If a significant portion of these entries is found, then the IPS Software Blade is not the only one impacting gateway performance, and the impact of other Software Blades should be considered.

(3) IPS Analyzer Tool Survey
We would like to receive your feedback in a short survey of up to 2 minutes. Your feedback will help us to improve the tool and the services we provide you. For any question please