Blocking parts of the internet / Performance considerations

Hi,

I want to block some parts of the big bad internet. CP has this cute script that was built for dshield but uses "fw samp" to block connections using the quota functionality. Now quota sucks because it kills connection templates and I love having them.

I am now thinking of rebuilding the dshield script for my purpose by using the accelerated drop functionality (sim dropcfg -f blog_very_very_bad_networks.cfg).

Since drop templates are applied after connection templates or connection table lookups there could be some glitches (or I kill already established connections based on my list of very bad IP addresses).

Is this the most elegant way of dropping traffic from a large list of networks or hosts (list.txt, cidr notation) or is there a better solution?

Thanks.
-Manuel

Differences in how IPS functions in R80.10+ and R77.30

Hi All, I will be upgrading a gateway from R77.30 to R80.30 and it is running IPS. I have already upgraded the management server. I understand the policy layers and how on pre-R80.10 gateways the IPS is separate from threat prevention, but what I am struggling to find any consolidated details on is whether there is a difference in how IPS functions on the gateway. I am trying to assess what the risk is with IPS and service interruption when we upgrade. Any references to known URLs detailing this or SKs would be helpful. Thanks

BlueKeep exploit is weaponized: Check Point customers remain protected.

The notorious BlueKeep vulnerability has been escalated from a theoretical, critical vulnerability, to an immediate, critical threat. While BlueKeep’s devastating potential was always known, it was a theoretical threat, as there was no working exploit code. That code was released into the wild when the open source Metasploit penetration testing framework released a BlueKeep exploit module on September 6. Unfortunately, the Metasploit toolset is used by both security practitioners and cybercriminals alike. By publishing the BlueKeep exploit code hackers were essentially provided with weaponized, working code that enables the creation of a dangerous worm.

How serious is the threat? If a single unpatched Windows machine with network admin access is running on a network, the attacker may have access to all in-use credentials to all systems on the network, whether they are running Windows, Linux, MacOS or NetBIOS. In effect, this scenario means that a single, infected Windows machine can completely own a network.

Check Point’s BlueKeep protections for network and endpoint, released several months ago, protect against the new weaponized version of this attack. Check Point customers who have implemented these protections remain protected.

We recommend all customers to take immediate action to make sure they are protected:
- Install the Microsoft patch on all vulnerable Windows systems
- Enable Check Point’s IPS network protection for BlueKeep
- Implement Check Point’s endpoint protection for BlueKeep

R80.20 MTA update take_49

CPUSE is recommending I install the MTA update take_49 on R80.20 gateways, but there is no mention of take_49 in sk123174. Does anyone know what is in take_49?
inside IPS, Anti-Virus, Anti-Bot, Anti-Spam 2 weeks ago

Mitre ATT&CK Framework and Check Point TechTalk

On 14th August 2019, we recorded a TechTalk with @Jony_Fischbein and @Irina_Shalem on how to take Cyber Security to the next level with the MITRE ATT&CK Framework. Presentation Materials, available to CheckMates members, include: Full Video, PowerPoint Presentation. An excerpt of the session is below. Q&A from the session will be posted in the comments.

Checkpoint IPS Bridge mode deployment with Juniper SRX

Hi, can anyone help us with the Checkpoint IPS Bridge mode deployment best practice document... Thanks, Bala

How to block Hashes of malware by IPS signature

Hi experts, is there any way in Checkpoint IPS (R80.20) to block hashes of malware? Please share your experience. Sample of hashes of malware: 04fb0ccf3ef309b1cd587f609ab0e81e0b2e07205245697a749e422238f9f785272537bbd2a8e2a2c3938dc31f0d2461dd792f9185860e1464b4346254b2101bfcfab508663d9ce519b51f767e9028065b26f5c7c367d5e976aaba320965cc7f Regards, Rahul
Dan_Roddy inside IPS, Anti-Virus, Anti-Bot, Anti-Spam 2 weeks ago

Threat Emulation Exceptions

I have noticed we are emulating far too many files for our 250,000 file limit. Not long ago I decided we did not need to emulate Windows.update files AND files. I created exceptions for our Endpoint client but sadly they are still being emulated. Has anyone else tried to reduce their emulation load and noticed this behavior?

Many thanks for your support,
Dan Roddy

IPS utilization report - Smart View

Hey all,

I believe that most of us who enabled IPS in our environment asked one of the following questions:
- "If I move to prevent, what will happen to my network?"
- "Should I do it step by step? How?"
- "Is there any tool that I can use to eliminate any potential impact on my network?"

For those questions we have created multiple documents with formal procedures. Now, we have created a new Smart View report that allows you to understand your IPS utilization status and, based on different step-by-step procedures, utilize the blade for maximum protection and minimum business impact.

You can download the CPR file (for Smart-View) from the following link:

If you want to influence, you are welcome to reply to this blog with any insight or change you believe we need to add/change. We will change the report based on your needs and will upload a new one until we have a report that will be released as part of the next GA + Jumbo.

Thanks,
Oren

Antivirus update

Hi, I observed that my gateway shows Antivirus signature Updates as 0, but in SMART it shows antivirus has been updated to latest on gateways. Why is there a difference in data on both interfaces? Screenshot attached herewith.

Mac OS users unable to access app store even if they are given any application access

Mac OS users unable to access app store even if they are given any application access

Mobile Users

Mobile users unable to download apps from Play Store. Please help.

Some Signature show Prevent even profile set as Detect Mode (Threat Prevention) (Solution Added)

Dear Team,

OS: R80.20
We enabled the Threat Prevention Blade.
Profile: Optimized (Clone)
Activation Mode: Detect (Note: Only for POC, later we will make it Prevent)

We see some prevent logs even though we set it as Detect.

We added an exception for "any any" with the profile (Optimized Clone) and also added port "445", but it did not work.

Then we opened the Prevent logs and clicked "Go to Profile". It shows the profile "Optimized" even though I set it as "Optimized (Clone)".

So I finally set that signature to "Inactive" for the Optimized and Optimized Clone profiles.

NOTE: Initially I set "Inactive" for the Optimized (Clone) profile, then I set "Inactive" for the "Optimized" profile as well. Now it's working fine. All are up to date.

Question: So is this the known behavior? Because we created a new profile (Optimized Clone) but still some signatures are blocked by (Optimized).

Regards
@Chinmaya_Naik

Blocking IP using custom IOC feeds

Hello All, I am trying to automatically block IPs from IOC feeds coming from ServiceNow-Secops. I can see Check Point is able to fetch IOCs from Secops; however, it is not blocking those IPs. I am using R80.30 (gateway and management are behind proxy and it is standalone). I checked sk103154 and it asks me to install the script "ip_block_sk103154.tar". Unfortunately, with my access I am unable to download this script. Please let me know if there is any workaround for this issue.

Geo policy reporting

I am trying to create a custom report that can be sent out daily or weekly, using the current log traffic. But I only want to see countries that are not US and Canada (we are based in the US and have offices in Canada). When I do this, it only shows my internal traffic. No matter what filter I try to place, the report ends up blank when I try to exclude the internal traffic. We had an issue with our Geo Policy and I want to have a report that's generated so we can have it reviewed more frequently. Or is there another way to do this?