Showing results for 
Search instead for 
Did you mean: 
Create a Post
IPS, Anti-Virus, Anti-Bot, Anti-Spam

Your place to discuss Check Point's Intrusion Prevention System, Anti-Bot, Antivirus, and Anti-Spam solutions.

Verify that DNS tunneling is being prevented in R80.10

How do I verify that DNS Tunneling is being blocked in R80.10. I have found allot of good info if I was running R77.30 but it doesn't covert very well to R80.10.

ips_export_import on R80.10

Hi,  is ips_export_import  is working on R80.10 Management server ?When i try to export an IPS profile it returns that profile does not exist. for example if i try to export the Default_Protection IPS profile# ips_export_import export Default_ProtectionTrying to open the CPMI database...Completed opening CPMI database.Start exporting profile object...Failed to export profile (profile 'Default_Protection' does not exist) Thanks.

Anti-Virus 20191127 update issue?

Happen on customers whose enable https inspection and Anti-virus blade.Duo to web site use "" object.

Error: kfunc_cmik_loader_execute_dyn_ctx

Hi - Curious to know if anyone can tell me what these errors mean?  I am seeing this on our active gateway and after failing over I am seeing them on the now other active gateway.  These are Dell open servers running 80.10 patch 103.  We are seeing a lot of devices behind this cluster flopping up and down as well.cphaprob -a if shows all interface IP and no tx/rx errors in netstat.ThanksJun 30 05:13:07 2018 Gateway01 kernel: [fw4_4];[ERROR]: kfunc_cmik_loader_execute_dyn_ctx: cmi_match_env is NULLJun 30 05:13:07 2018 Gateway01 kernel: [fw4_5];[ERROR]: kfunc_cmik_loader_execute_dyn_ctx: cmi_match_env is NULLJun 30 05:13:23 2018 Gateway01 kernel: [fw4_2];[ERROR]: kfunc_cmik_loader_execute_dyn_ctx: cmi_match_env is NULLJun 30 05:13:55 2018 Gateway01 kernel: [fw4_0];[ERROR]: kfunc_cmik_loader_execute_dyn_ctx: cmi_match_env is NULLJun 30 05:14:11 2018 Gateway01 kernel: [fw4_4];[ERROR]: kfunc_cmik_loader_execute_dyn_ctx: cmi_match_env is NULL

Geo Blocking

Hi Folks,We are looking to implement Geo blocking and wondered if Checkpoint works with the US Treasury Office of Foreign Assets Control OFAC list of sanctioned IP addresses ?Any one know ?

IPS packet captures upload to remote servers

Is there any built-in feature, which would allow to upload IPS packet captures to remote servers and not just store them on gateways? Our SOC team is asking for storage space, where they could download those .cap/.eml files

Is there SNI support for inbound HTTPS inspection in R80.20?

Hi,on gws R80.20 can I do HTTPS inspection on inbound connections that require SNI since on the server there are some virtual hosts with different certificates? If yes how? Thanks in advance 

Antibot & Antivirus Updates Through Proxy

Hello,I have 2 VSX Gateways managed by SmartConsole... I want to enable Antibot,Antivirus, URL Filtering & IPS updates via Proxy... for the same i have configured Proxy Settings in Global Properties (SmartConsole) & also added Proxy server IP and Port in individual Gateways (set proxy address XXXX 8080). However, the problem is IPS and URL Filtering is getting updated fine via smartconsole but the Anitbot and Antivirus blades are not updating and throwing the error " Update failed, contract entitlement check failed, unable to reach" .. i have tested all the update urls thorugh both gateways and all of them return a postive "It Works" result... am i missing some configuration here ?  Thanks

Query regarding CLI command to check Threat Extraction

Hi, Checkmates,Need a help here.I need to know the CLI command to check if the threat extraction (TE) module is active, If yes then to check if TE is local or cloud.Thanks in Advance

Routing between 2 Virtual Systems

Hello,In my VSX environment on R80.10 CP 5900 , antibot,antivirys updates are going through internet gateway connected to VS0 , now i want to divert this traffic such that the GW updates through another internet gateway which is reachable through VS1.How can this be achieved ? Thanks.

IPS Protection filter

Hi, I want to understand what is dynamic and static IPS Protection. Also if we applied optimize profile then do basic profile still work? Thanks
inside IPS, Anti-Virus, Anti-Bot, Anti-Spam 3 weeks ago
views 9963 14 24

IPS Analyzer Tool - How to analyze IPS performance efficiently

(1) IntroductionThe IPS Analyzer Tool collects information about the IPS Protections usage. The IPS statistics information indicates which patterns out of all IPS protections were called into action (but not necessarily matched) and how many times. Analyzer tool processes the statistic outputs and produces a clear HTML report based on that output. The report indicates which IPS protections are causing critical, high or medium load on CPU and provides information regarding the load on Security Gateway per traffic type.The IPS Analyzer Tool is supported on R77 and above.(2) ProcedureCollect the relevant IPS statistics per sk43733 - How to measure CPU time consumed by IPS protections - section "(1) IPS statistics" - sub-section "Show / Hide the procedure for versions R77 and above".Compress the IPS statistics output folder on Security Gateway:[Expert@HostName:0]# cd /path_to_IPS_statistics_output_folder/[Expert@HostName:0]# tar cvf IPS_Statistics.tar <HH-MM-SS__MM-DD-YYYY>Transfer the compressed IPS statistics output folder (IPS_Statistics.tar) from Security Gateway to your computer and unpack it.Run the IPS Analyzer Tool on the unpacked IPS statistics output folder:Open Windows Command PromptRun:C:\> Analyzer.exe OFFLINE "DISK:\path_to_unpacked_statistics_output_folder"Review the output files:AnalyzerReport.html - Main report file, located in DISK:\path_to_uncompressed_statistics_output_folder\AnalyzerReport.html (use Chrome or Firefox browser)analyzer.log - Log file*NOTE*The tool only displays protection information relevant to the IPS Software Blade. Details from other Software Blades may appear with the following protection name:"Threat Prevention Protection – ID NUM"If a significant portion of these entries is found then the IPS Software Blade is not the only one impacting the gateway performance and the impact of other Software Blades should be considered.(3) IPS Analyzer Tool SurveyWe would like to receive your feedback in a short, up to 2 minutes survey. Your feedback will help us to improve the tool and the services we provide you. Click here to take the survey.For any question please

TE Redundancy (NGTX)

Hey Everyone, Hope you doing well today. I've got a confusion with a following scenario.Per sk102309, it's possible to build a redundant TE solution with up to 6 gateways. With the configuration from that SK, I can only assume that the Security Gateway has to be MTA, and has all licenses.Is it possible to make a redundant solution with TE  appliances, and installing NGTX license on them to work as MTA? Best regards,Evgenii Puzakov

Anti-spam and email security blade always bypassing all emails

Non spam bypassedd (Temporary scan failure)From the logs Anti-spam and email security blade always bypassing all emailsIT seems Anti spam and email security blade is not working well.

IPS Attack direction

Hi everyone,On my checkpoint 80.30 I would like to know, for a generic IPS log, which field tell me the direction of attack, in order to get who is the attacker, the pc or the server. I think that is simple for the checkpoint by looking the direction of the attack signature . Please do not confuse the session TCP/IP direcion with the attack direction.thanks a lot.Emi