
Geo policy reporting

I am trying to create a custom report that can be sent out daily or weekly, using the current log traffic. But I only want to see countries that are not the US and Canada (we are based in the US and have offices in Canada). When I do this, it only shows my internal traffic. No matter what filter I try to place, the report ends up blank when I try to exclude the internal traffic. We had an issue with our Geo Policy and I want to have a report generated so we can have it reviewed more frequently. Or is there another way to do this?

PSL Drop ADVP on DHCP Packets

An R80.20 Jumbo 47 cluster does not seem to pass DHCP request/response traffic; the debug log shows "dropped by fwpslglue_chain Reason: PSL Drop: ADVP" on port 67 traffic from the DHCP servers to the clients. Does anybody have a solution? I have the DHCP server in an IPS exceptions rule. SmartConsole logs show the traffic is all accepted, but clients are not receiving an IP address.

IPS report of protections

Hi, do you know how to get a report of all protections and their action (prevent/detect/inactive) in R80.10? I can't figure out how to generate the filter in SmartEvent. Thanks.

Anti-Bot is not working as expected

Hi everyone!

I'm testing the Anti-Bot software blade in R80.30 and found something that does not seem to work as expected. The Security Gateway is able to definitely block with Medium Confidence, but with High Confidence it does not work and the test site is bypassed. Please see the screenshots and explanations below.

Here are the URLs that I used for Anti-Bot test purposes:
https://www.threat-cloud.com/test/files/LowConfidenceBot.html
https://www.threat-cloud.com/test/files/MediumConfidenceBot.html
https://www.threat-cloud.com/test/files/HighConfidenceBot.html
http://sc1.checkpoint.com/za/images/threatwiki/pages/TestAntiBotBlade.html

1st screenshot: I have already enabled and configured the profile in Activation Mode; both High and Medium confidence are Prevented, only Low confidence will be Detected.

2nd screenshot: Test Anti-Bot with High Confidence by connecting to https://www.threat-cloud.com/test/files/HighConfidenceBot.html (found nothing blocked by the gateway and no logs). The user could access the site.

3rd screenshot: Test Anti-Bot with High Confidence by connecting to https://www.threat-cloud.com/test/files/MediumConfidenceBot.html. The Gateway was able to definitely block this site as expected, since this site is detected as Medium Confidence level.

4th screenshot: Test Anti-Bot with High Confidence by connecting to https://www.threat-cloud.com/test/files/LowConfidenceBot.html. The Gateway was able to definitely detect this site as expected, since this site is detected as Low Confidence level.

5th screenshot: Test Anti-Bot with High Confidence by connecting to http://sc1.checkpoint.com/za/images/threatwiki/pages/TestAntiBotBlade.html. The Gateway wasn't able to block this site as expected, and from the logs it appears to have a Redirect action.

My question is: why is the Security Gateway not able to block the sites https://www.threat-cloud.com/test/files/HighConfidenceBot.html and http://sc1.checkpoint.com/za/images/threatwiki/pages/TestAntiBotBlade.html?

Does anyone have any ideas on this? I really appreciate every comment.

Regards,
Sarm

Difference between IPS and Threat Prevention

Hi Community,

I'm new to CP IPS and confused: within the Threat Prevention Policy, we get to Policy Layers, Shared IPS and Threat Prevention. In both you can configure IPS and the other blades.
- What is the sense behind this? Will this be enforced as a security policy layer?
- What is the naming difference for Check Point between IPS and Threat Prevention in this context?
- What happens if I enable only IPS in IPS, but everything except IPS in Threat Prevention?
- What does "protected scope" mean: is it src, dst or both?
- What is best practice?
The admin guides are not helpful.

Looking forward to your input.
Best Regards
Johannes

Slow performance when Antivirus enabled

I am looking for information on why the performance of a Java applet drops by a factor of 20 when I enable the Antivirus blade, and where I can look for the cause.

The environment: I have replaced an existing cluster of 5200 appliances with a cluster of 5600 appliances. The 5200 cluster is running R77.30 and the 5600 cluster is running R80.20. They both have exactly the same features/blades enabled and the same policy is applied to both.

When I run the Java applet (JNLP) from the web page using the 5200 cluster, logon to the application takes under 5 seconds after entering my credentials. However, when I replaced the cluster with the 5600 cluster running R80.20, logon takes over 2 minutes. If I disable the Antivirus blade, logon goes back to under 5 seconds.

I set up a test environment where I can run the 5600 cluster in parallel with the 5200 cluster, with the only traffic through the 5600 cluster being the one server that the Java applet connects to. I have exactly the same experience with the applet: under 5 seconds logon with Antivirus disabled and over 2 minutes with it enabled. To me this would indicate that it is not a capacity problem, but possibly something to do with the way R80.20 performs Antivirus. I have checked the logs in SmartConsole but there are no Antivirus logs recorded.

Does anyone have any tips on how to see what the Antivirus is doing and why it may be causing slow performance?

Mitre ATT&CK Framework and Check Point TechTalk

On 14th August 2019, we recorded a TechTalk with @Jony_Fischbein and @Irina_Shalem on how to take Cyber Security to the next level with the MITRE ATT&CK Framework. Presentation materials, available to CheckMates members, include the full video and the PowerPoint presentation. An excerpt of the session is below. Q&A from the session will be posted in the comments.

IPS SHARED

Hi everyone, there is something I have not been able to do. I did a lot of research but found almost nothing; any help would be appreciated. In the Threat Prevention layer, how can I add IPS as shared at priority 1 and then Threat Prevention? For example:

Thanks,

Downloading Original Document from Threat Extraction

I must admit that I really love Threat Extraction. But how do you get the original files if needed, when the download link does not work anymore? There is a solution in sk114629 (How to send original email after Threat Extraction scrubbed the email), but here is my version:

The original files are saved in /var/log/jail/tmp/scrub and can be downloaded from there (e.g. using WinSCP).

To send the original by e-mail again using scrub commands:

You can find the needed File ID here:

Antivirus blade: enabling protections

Hello, in R80.20, under Threat Prevention / Protections / Activation tab, we have noticed that a lot of the protections are set to Inactive by default, such as:
- Reputation URL
- Reputation Domains
- Unusual Activity
Should there be any untoward result from us enabling these to Detect or Prevent? We have a decent amount of resource available on the gateway, but I am just wondering, if they are turned off by default, whether there is some reason why we should not turn them on. Thanks!

Disaster recovery plan for Check Point

Hi, I need to create a Disaster Recovery Plan document for my customer. Does anyone have an example of a Disaster Recovery Plan for a Check Point integration (gateway cluster and management server)? Thanks!

IPS Signature Download - how does it work?

Can somebody please explain how R80.10 IPS updates work? There are 2 update options available in the GUI: 1) Download using SmartConsole; 2) Download using Security Management Server. The second of these works fine on our system, but it appears to download for ALL CMAs, so we cannot control the update of individual CMAs. I'm hoping that option 1) will do the download for a specific CMA. Can anybody confirm this? If I am correct in the above, why might I not be seeing any attempts to reach the proxy server which is defined in the global properties of this CMA? Thanks, Alex

Browser getting stuck randomly when accessing internal HTTP application running on port 91

Hi Experts,

My network topology is: Clients <--> Checkpoint (no NAT) <--> Cyberoam (IPsec) <---- ISP ----> Cyberoam (IPsec) <--> Checkpoint (no NAT) <--> Server (HTTP, port 91).

I recently installed the client-side Checkpoint 1430, locally managed. After I installed this firewall, the clients' browser gets stuck on the application page randomly. When I captured packets on the LAN and WAN side of the Checkpoint, there are no packets missing, but we still get this issue. Same issue in two places. If I reduce the number of clients it works fine, but when the clients increase to approximately more than 4, the browser hangs. When I replace the Checkpoint with a layer 3 switch, it works fine. Please help me with this issue.

# ips stat command does not show Active Profile in R80.10

For R80.10, use the following command to see the active IPS profile (sk123053):
# cat $FWDIR/state/local/AMW/local.set | grep -A15 malware_profiles | grep ":name" | awk '{print $2}' | tr -d "()"
Omer_Shliva (Employee+), in IPS, Anti-Virus, Anti-Bot, Anti-Spam, 3 weeks ago

IPS Analyzer Tool - How to analyze IPS performance efficiently

(1) Introduction

The IPS Analyzer Tool collects information about IPS Protections usage. The IPS statistics information indicates which patterns out of all IPS protections were called into action (but not necessarily matched) and how many times. The Analyzer tool processes the statistics output and produces a clear HTML report based on it. The report indicates which IPS protections are causing critical, high or medium load on the CPU and provides information regarding the load on the Security Gateway per traffic type.

The IPS Analyzer Tool is supported on R77 and above.

(2) Procedure

Collect the relevant IPS statistics per sk43733 - How to measure CPU time consumed by IPS protections - section "(1) IPS statistics" - sub-section "Show / Hide the procedure for versions R77 and above".

Compress the IPS statistics output folder on the Security Gateway:
[Expert@HostName:0]# cd /path_to_IPS_statistics_output_folder/
[Expert@HostName:0]# tar cvf IPS_Statistics.tar <HH-MM-SS__MM-DD-YYYY>

Transfer the compressed IPS statistics output folder (IPS_Statistics.tar) from the Security Gateway to your computer and unpack it.

Run the IPS Analyzer Tool on the unpacked IPS statistics output folder. Open a Windows Command Prompt and run:
C:\> Analyzer.exe OFFLINE "DISK:\path_to_unpacked_statistics_output_folder"

Review the output files:
AnalyzerReport.html - Main report file, located in DISK:\path_to_uncompressed_statistics_output_folder\AnalyzerReport.html (use the Chrome or Firefox browser)
analyzer.log - Log file

*NOTE* The tool only displays protection information relevant to the IPS Software Blade. Details from other Software Blades may appear with the following protection name:
"Threat Prevention Protection – ID NUM"
If a significant portion of these entries is found, then the IPS Software Blade is not the only one impacting the gateway performance, and the impact of other Software Blades should be considered.

(3) IPS Analyzer Tool Survey

We would like to receive your feedback in a short survey of up to 2 minutes. Your feedback will help us to improve the tool and the services we provide you. Click here to take the survey.

For any question please contact: omersh@checkpoint.com
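The compress-and-transfer step of the procedure above, as an added shell example that is not part of the original post or of the IPS Analyzer Tool: it packages a timestamp-named statistics folder the way the post's tar command does, refuses folder names that do not match the HH-MM-SS__MM-DD-YYYY pattern (so a typo cannot tar up an unrelated directory), and writes a SHA-256 checksum so the archive can be verified on the analysis workstation after a WinSCP or scp transfer. The function names, the checksum file name and the sample directory layout are this example's own assumptions; it assumes GNU tar and sha256sum are available on the gateway, which should be checked on Gaia before relying on it.

```shell
#!/bin/sh
# Added example (not from the original post or the IPS Analyzer Tool).
# Packages an IPS statistics output folder named HH-MM-SS__MM-DD-YYYY,
# as in the post, and records a checksum for verification after transfer.
# Assumes GNU tar and sha256sum (assumption: check availability on Gaia).

# pack_ips_stats <parent_dir> <stats_folder_name>
# Creates <parent_dir>/IPS_Statistics.tar plus IPS_Statistics.tar.sha256.
# Prints the archive path on success. Returns 1 on a bad folder name or a
# missing folder, 2 if tar or the checksum step fails.
pack_ips_stats() {
    parent=$1
    folder=$2
    # Only accept the timestamp-named folder the procedure expects, so a
    # typo cannot archive an unrelated directory such as $FWDIR or /.
    case "$folder" in
        [0-9][0-9]-[0-9][0-9]-[0-9][0-9]__[0-9][0-9]-[0-9][0-9]-[0-9][0-9][0-9][0-9]) ;;
        *) echo "unexpected folder name: $folder" >&2; return 1 ;;
    esac
    [ -d "$parent/$folder" ] || { echo "missing: $parent/$folder" >&2; return 1; }
    archive="$parent/IPS_Statistics.tar"
    # -C keeps the archive members relative, exactly like "cd dir; tar cvf".
    tar cf "$archive" -C "$parent" "$folder" || return 2
    # Checksum next to the archive; copy both files to the workstation.
    ( cd "$parent" && sha256sum IPS_Statistics.tar > IPS_Statistics.tar.sha256 ) || return 2
    echo "$archive"
}

# verify_ips_stats <dir>: re-check the archive against its checksum.
# Run on the receiving side after transferring both files.
verify_ips_stats() {
    ( cd "$1" && sha256sum -c IPS_Statistics.tar.sha256 >/dev/null 2>&1 )
}

# archive_member_count <archive>: number of files (not directories)
# in the archive, i.e. what the Analyzer will actually read.
archive_member_count() {
    tar tf "$1" | grep -vc '/$'
}
```

Run `pack_ips_stats /path_to_IPS_statistics_output_folder HH-MM-SS__MM-DD-YYYY` on the gateway, transfer IPS_Statistics.tar and IPS_Statistics.tar.sha256 together, then run `verify_ips_stats` in the destination directory before unpacking and handing the folder to Analyzer.exe.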