
Some Signature show Prevent even profile set as Detect Mode (Threat Prevention) (Solution Added)

Dear Team,

OS: R80.20
We enabled the Threat Prevention blade.
Profile: Optimized (Clone)
Activation Mode: Detect (Note: only for the POC; later we will make it Prevent)

We see some Prevent logs even though we set it to Detect. I added an exception for "any any" with the profile (Optimized Clone) and also added port "445", but it did not work. Then we opened the Prevent logs and clicked "Go to Profile". It shows the profile "Optimized" even though I set it to "Optimized (Clone)". So I finally set that signature to "Inactive" for both the Optimized and Optimized (Clone) profiles.

NOTE: Initially I set it to "Inactive" for Optimized (Clone), then I set it to "Inactive" for the "Optimized" profile as well. Now it's working fine. All are up to date.

Question: So is this the known behavior? Because we created a new profile (Optimized Clone), but some signatures are still blocked by (Optimized).

Regards,
@Chinmaya_Naik

Blocking IP using custom IOC feeds

Hello All,

I am trying to automatically block IPs from IOC feeds coming from ServiceNow SecOps. I can see that Check Point is able to fetch IOCs from SecOps; however, it is not blocking those IPs. I am using R80.30 (gateway and management are behind a proxy and it is standalone). I checked sk103154 and it asks me to install the script "ip_block_sk103154.tar". Unfortunately, with my access I am unable to download this script. Please let me know if there is any workaround for this issue.

Geo policy reporting

I am trying to create a custom report that can be sent out daily or weekly, using the current log traffic. But I only want to see countries that are not the US and Canada (we are based in the US and have offices in Canada). When I do this, it only shows my internal traffic. No matter what filter I try to place, the report ends up blank when I try to exclude the internal traffic. We had an issue with our Geo Policy and I want to have a report that's generated so we can have it reviewed more frequently. Or is there another way to do this?

PSL Drop ADVP on DHCP Packets

R80.20 Jumbo 47 cluster does not seem to pass DHCP request/response traffic; the debug log shows "dropped by fwpslglue_chain Reason: PSL Drop: ADVP" on port 67 traffic from the DHCP servers to the clients. Anybody have a solution? I have the DHCP server in an IPS exceptions rule. SmartConsole logs show the traffic is all accepted, but clients are not receiving an IP address.

IPS report of protections

Hi, do you know how to get a report of all protections and their action (prevent/detect/inactive) in R80.10? I can't figure out how to generate the filter in SmartEvent. Thanks.

IPS utilization report - Smart View

Hey all,

I believe that most of us who enabled IPS in our environment asked one of the following questions: "If I move to Prevent, what will happen to my network?" "Should I do it step by step? How?" "Is there any tool that I can use to eliminate any potential impact on my network?" For those questions we have created multiple documents with formal procedures. Now we have created a new SmartView report that allows you to understand your IPS utilization status and, based on different step-by-step procedures, utilize the blade for maximum protection and minimum business impact.

You can download the CPR file (for SmartView) from the following link: https://gofile.io/?c=DBShEe

If you want to influence it, you are welcome to reply to this blog with any insight or change you believe we need to add/change. We will change the report based on your needs and will upload a new one until we have a report that will be released as part of the next GA + Jumbo.

Thanks,
Oren

Anti-Bot is not working as expected

Hi everyone!

I'm testing the Anti-Bot software blade in R80.30 and found something that looks like it does not work as expected. The Security Gateway is able to block definitively with Medium Confidence, but High Confidence does not work and the test site is bypassed; please see the screenshots and explanations below.

Here are the URLs that I used for Anti-Bot test purposes:
https://www.threat-cloud.com/test/files/LowConfidenceBot.html
https://www.threat-cloud.com/test/files/MediumConfidenceBot.html
https://www.threat-cloud.com/test/files/HighConfidenceBot.html
http://sc1.checkpoint.com/za/images/threatwiki/pages/TestAntiBotBlade.html

1st screenshot. I have already enabled and configured the profile on Activation Mode; both High and Medium confidence are Prevented, only Low confidence will be Detected.

2nd screenshot. Test Anti-Bot with High Confidence by connecting to https://www.threat-cloud.com/test/files/HighConfidenceBot.html (found nothing blocking from the gateway and no logs). The user could access the site.

3rd screenshot. Test Anti-Bot with High Confidence by connecting to https://www.threat-cloud.com/test/files/MediumConfidenceBot.html. The Gateway was able to block this site definitively as expected, because this site is detected at the Medium Confidence level.

4th screenshot. Test Anti-Bot with High Confidence by connecting to https://www.threat-cloud.com/test/files/LowConfidenceBot.html. The Gateway was able to detect this site definitively as expected, because this site is detected at the Low Confidence level.

5th screenshot. Test Anti-Bot with High Confidence by connecting to http://sc1.checkpoint.com/za/images/threatwiki/pages/TestAntiBotBlade.html. The Gateway wasn't able to block this site as expected, and from the logs it appears to have taken a redirect action.

My question is: why is the security gateway not able to block the sites https://www.threat-cloud.com/test/files/HighConfidenceBot.html and http://sc1.checkpoint.com/za/images/threatwiki/pages/TestAntiBotBlade.html?

Anyone have any ideas on this? I really appreciate every comment.

Regards,
Sarm

Difference IPS and ThreatPrevention

Hi Community,

I'm new to CP IPS and confused. Within the Threat Prevention Policy, we got to Policy Layers, Shared IPS and Threat Prevention. In both you can configure IPS and the other blades. What is the sense behind this? Will this be enforced as a security policy layer? What is the naming difference for Check Point between IPS and Threat Prevention in this context? What happens if I enable only IPS in IPS, but everything except IPS in Threat Prevention? What does "protected scope" mean: is it a src, dst or both? What is best practice? The admin guides are not helpful.

Looking forward to your input.

Best Regards,
Johannes

Slow performance when Antivirus enabled.

I am looking for information on why the performance of a Java applet drops by a factor of 20 when I enable the Antivirus blade, and where I can look for the cause.

The environment: I have replaced an existing cluster of 5200 appliances with a cluster of 5600 appliances. The 5200 cluster is running R77.30 and the 5600 cluster is running R80.20. They both have exactly the same features/blades enabled and the same policy is applied to both. When I run the Java applet (jnlp) from the web page using the 5200 cluster, logon to the application takes under 5 seconds after entering my credentials. However, when I replaced the cluster with the 5600 cluster running R80.20, logon takes >2 minutes. If I disable the Antivirus blade, logon goes back to sub 5 seconds.

I set up a test environment where I can run the 5600 cluster in parallel with the 5200 cluster, with the only traffic through the 5600 cluster being the one server that the Java applet connects to. I have exactly the same experience with the applet: <5 sec logon with Antivirus disabled and >2 minutes with it enabled. To me this would indicate that it is not a capacity problem, but possibly something to do with the way R80.20 performs Antivirus. I have checked the logs in SmartConsole but there are no Antivirus logs recorded. Does anyone have any tips on how to see what the Antivirus is doing and why it may be causing slow performance?

Mitre ATT&CK Framework and Check Point TechTalk

On 14th August 2019, we recorded a TechTalk with @Jony_Fischbein and @Irina_Shalem on how to take Cyber Security to the next level with the MITRE ATT&CK Framework. Presentation materials, available to CheckMates members, include:
- Full Video
- PowerPoint Presentation

An excerpt of the session is below. Q&A from the session will be posted in the comments.

IPS SHARED

Hi everyone,

There is something I have not been able to do, and although I did a lot of research I have found almost nothing; any help would be appreciated. In the Threat Prevention layer, how can I add IPS as shared in priority 1 and then Threat Prevention, for example:

Thanks,

Downloading Original Document from Threat Extraction

I must admit that I really love Threat Extraction. But how do you get the original files if needed, when the download link does not work anymore? There is a solution in sk114629 "How to send original email after Threat Extraction scrubbed the email", but here is my version:

The original files are saved in /var/log/jail/tmp/scrub and can be downloaded from there (e.g. using WinSCP).

To send the original by e-mail again using scrub commands, you can find the needed File ID here:

antivirus blade enabling protections

Hello,

In R80.20, under Threat Prevention / Protections / Activation tab, we have noticed that a lot of the protections are set to Inactive by default, such as:
- Reputation URL
- Reputation Domains
- Unusual Activity

Should there be any untoward result from us enabling these to Detect or Prevent? We have a decent amount of resources available on the gateway, but I'm just wondering, if they are turned off by default, whether there is some reason why we should not turn them on. Thanks!

Disaster recovery plan for Check Point

Hi,

I need to create a document (Disaster Recovery Plan) for my customer. Does anyone have an example of a Disaster Recovery Plan for a Check Point integration (gateway cluster and management server)?

Thanks!

IPS Signature Download - how does it work?

Can somebody please explain how R80.10 IPS updates work? There are 2 update options available in the GUI:
1) Download using SmartConsole
2) Download using Security Management Server

The second of these works fine on our system, but appears to download for ALL CMAs, so we cannot control the update of individual CMAs. I'm hoping that option 1) will do the download for a specific CMA. Can anybody confirm this? If I am correct in the above, why might I not be seeing any attempts to reach the proxy server which is defined in the global properties of this CMA?

Thanks,
Alex