parfuar inside IPS, Anti-Virus, and Anti-Bot 10m ago

IPS conditions to generate alert

Hi, I have a doubt. Is there any way we can validate the conditions of an IPS protection? I have found some false positives in IPS signatures, and I would like to see the reason (conditions) for generating the alert. Thanks

DNS Reputation Exception

I am trying to white-list a single domain for DNS Reputation prevents. Currently, it seems like the only option is to make exceptions for all of our DNS servers, effectively turning off DNS Reputation checks for DNS lookups in our company. The domain is an employee awareness training site, like for phishing, that is publicly available, so it technically is a phishing site and should not necessarily be re-categorized, but we'd like to whitelist it for our company during our phishing tests. Has anyone ever had to do this before?

R80.30 Packet Processing - Achieving Infinity

This video explains the packet processing architecture enforcing the Infinity Gen V prevention functionalities NGTX. You will understand how SecureXL, CoreXL and Multi-Queue handle packet streams and how the NGTX engine applies security. The packet processing explained here is valid as well for R80.10 and R80.20. In the video you will find references to recommended SecureKnowledge articles used as a source for this video.

SMTP encrypted session bypassed, yet attachments are emulated

Hi community, long time no see (dunno why these days I can't login to CheckMates). I'm seeing some strange things in the Firewall and Threat Emulation logs, but first some context:

- R80.20 GA Management
- R80.10 Security Gateway, with Threat Emulation blade enabled (emulation occurs in the Check Point Cloud), MTA enabled and the SSL certificate of our local antispam imported to inspect TLS SMTP connections

The incoming email flow for our organization is like this:

- The MX entries for our mail domain have as their highest priority some servers provided by TrendMicro (the service is called TrendMicro Cloud Pre-Filter), which basically work as a cloud antispam and receive the mails on a TLS session
- Then the cloud MTA forwards the email to our local antispam (also a TrendMicro VM appliance deployed on our DMZ) on a TLS session, which also analyzes the incoming mail and then forwards it to the Security Gateway (also on a TLS session, and if I'm not wrong it uses the SSL certificate I imported to the Security Gateway)
- The Security Gateway does its thing and forwards the mail to the MS Exchange, and the mail then arrives to the client

The strange thing is I have a lot (A LOT) of SMTP traffic bypassed logs (encrypted session) in the Security Gateway, but I also have logs showing the attachments of these TLS connections are being emulated, so it appears the Security Gateway can't decrypt the TLS connection, but at the same time it's capable of stripping the attachment to upload it for emulation?!

The header of some test mail I sent shows the connection between our antispam and the Security Gateway is in fact TLS, and then I have a bypass log for the same email session:

X-MTA-CheckPoint: {5BBF4235-0-A00A8C0-129C07B6}
Received: from myantispam (unknown []) by Security Gateway (Postfix) with ESMTPS id ACFF41B0FA6 for <>; Thu, 11 Oct 2018 09:29:41 -0300 (ART)

The SMTP bypass log:

Time: 2018-10-11T12:29:42Z
Interface Direction: outbound
Interface Name: eth2
Email Control: SMTP Policy Restrictions
Email Session ID: 5BBF4235-7-A00A8C0-C0000001
Information: Encrypted session
Source: Port: 43182
Destination: Port: 25
IP Protocol: 6
Action: Bypass
Type: Log
Blade: Firewall
Service: TCP/25
Product Family: Access
Interface: eth2
Description: smtp Traffic Bypassed from ( to

The TE log:

Time: 2018-10-11T12:29:46Z
Source:
Protocol: 6
Destination Port: 25
Threat Prevention Rule Id: DA846A34-636B-4B7A-A75C-0F72DC130D1E
Scope:
Name: test.pdf
File Type: pdf
File Size: 215615
File MD5: 265c632b5d24d09f1e20d763ab8f3ee4
File SHA1: a6e5d9577005cbb3e2ad013ee71d4baf85a2d299
File Sha256: 361d4f8bc67527b1e9d2231cc340a53a09d7935f4c9af99923f62227bd29ddda
Verdict: Benign
Analyzed On: Check Point Threat Cloud
Determined By: Win7,Office 2013,Adobe 11: static analysis. WinXP,Office 2003/7,Adobe 9: static analysis.
Protection Type: SMTP Emulation

Note: some log fields were deleted or modified to keep the confidentiality of the organization.

So, the main question is: should I ignore the SMTP bypassed logs, or am I missing something? My fear is I could be missing some potentially malicious attachment on incoming SMTP TLS traffic flows.

Thanks mates.
MattDunn inside IPS, Anti-Virus, and Anti-Bot Thursday

IPS confusion

Hello,

Is somebody able to clear up some confusion over how IPS works please?

Customer has IPS enabled, using the "Recommended_Profile". The policy is set to prevent most stuff. When I look at the list of protections, under the "Recommended_Protection" column, the vast majority of protections are set to Prevent, either natively or from manual override. There are a small bunch set to Detect, and a small bunch as Inactive.

When I go to Logs & Monitor > General Overview, I see this:

Notice that the pie chart shows 94% as Detect, and only 6% at Prevent. Notice also that the "Critical Attacks Allowed by Policy" box shows (I think?) that a number of critical severity attacks have been allowed to happen.

Now let's take one of them as an example... "SQL Servers UNION Query-based SQL Injection" has apparently been allowed to happen. But if I check the actual protection, it is set to Prevent. This is correct according to the policy, as it matches all of the performance, severity and confidence criteria to be automatically set to Prevent.

So what's going on? Why does the General Overview page seem to be so wildly different and wrong compared to what is configured in the policy? Why, for example, does it report that SQL UNION attack as being allowed according to the policy, when the actual policy states it is set to Prevent? And why is the pie chart showing so much Detect when in reality very few protections are set in Detect mode?

I presume there's an easy explanation that I'm not aware of?

Thanks,
Matt

Support Renewal Warning on Gateways

Hello,

I have 6 products in my environment: 4 Gateways and 2 Mgmt Servers. It is a DC/DR setup with 2 Gateways and 1 Mgmt in each Data Center. Suddenly I am getting a license expiration warning on the Anti-Virus and Anti-Bot blades on 2 of the 4 Gateways only. When I checked the SmartAccount, along with the built-in blades there are additional blades with 2-year support for Anti-Virus and Anti-Bot available.

My question is: why am I getting this warning on only 2 of the 4 gateways? Also, as I can see additional blades available in the account, will they be incorporated automatically once the built-in one expires? What are the after-effects of the license/support expiration? Will it affect the production environment?

Thanks

Policy Violation on MTA with Threat Emulation/Extraction

Hi mates!

This is my very first post so I'll try to do my best.

We are facing a strange issue where immediately after enabling the Threat Emulation and Threat Prevention blades (along with the MTA) on the Check Point cluster, all mail traffic flow stops.

Our mail flow setup consists of 2 Exchange 2010 Edge Transport servers in our DMZ, and 2 Exchange Hub Transport servers in the internal security zone, all of them connected with an Edge Subscription. All security zones are connected via our 15400 two-node ClusterXL, on R80.10.

The behavior is really strange because when we enable the blades and the MTA, all mail queues stop delivering and the Exchange queue viewer shows a "POLICY VIOLATION" error.

Please don't hesitate to ask for further information. Lots of thanks
MKnox inside IPS, Anti-Virus, and Anti-Bot Wednesday

"Release Date" and "Update Date" column of the IPS Signature Export formatting incorrectly

Hello, this is my first post, so apologies if posted in an incorrect category.

Is there a way to configure the date format in SmartConsole prior to exporting to CSV? When I export the IPS signatures from the R80.10 dashboard, the CSV output appears to be generated with two formats in the Release/Update Date columns (columns C & D). I don't recall having this issue in R77. The dashboard view within SmartConsole shows the date format to be DD/MM/YYYY, yet only a subset of the exported signatures follow this format. The other signatures appear to be formatted as MM/DD/YYYY. Along with the mismatched date formats, the values are input differently as well, either as MM/DD/YYYY or DD-MM-YY. This makes filtering the output challenging, as I see some release dates coming up as December 2, 2019 when it should be February 12, 2019. Formatting the columns after the export doesn't appear to affect the way Excel interprets the values (there may be a setting in Excel to address this; if so, please let me know, as my Excel limitations are just not being familiar with it).

Thank you in advance,
Marcus


Anyone know anything about Check Point maybe working with JA3 yet, or plans around this?

References:

A new method of TLS fingerprinting was recently put together called JA3. Rather than simply looking at the certificate used, JA3 parses multiple fields set in the TLS client hello packet sent over during the SSL handshake. The resulting fingerprint can then be used to identify, log, alert and/or block specific traffic.

JA3 looks at the client hello packet in the SSL handshake in order to gather the SSL version and list of supported ciphers. If supported by the client, it will also use all supported SSL extensions, all supported Elliptic Curves, and finally the Elliptic Curve Point Format.

GitHub - salesforce/ja3: JA3 is a standard for creating SSL client fingerprints in an easy to produce and shareable way.
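A worked example of the fingerprint described in the post above, added here and not part of the original post or of the salesforce/ja3 project: it parses a constructed TLS ClientHello (not a real capture), skips GREASE values as JA3 does, and builds the "version,ciphers,extensions,curves,point-formats" string that is MD5-hashed into the JA3 fingerprint a detection rule would match on.

```python
import hashlib
import struct

# GREASE values (RFC 8701) are skipped by JA3 so randomised filler does not change the hash.
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}


def _u16s(buf):
    """Decode a byte string into a list of big-endian 16-bit integers."""
    return list(struct.unpack("!%dH" % (len(buf) // 2), buf))


def ja3_from_client_hello(record):
    """Return (ja3_string, ja3_md5) for a TLS record that carries a ClientHello."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    p = 9                                       # skip record (5) and handshake (4) headers
    version = struct.unpack("!H", record[p:p + 2])[0]
    p += 2 + 32                                 # client_version, then the 32-byte random
    p += 1 + record[p]                          # session_id (length-prefixed)
    n = struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    ciphers = [c for c in _u16s(record[p:p + n]) if c not in GREASE]
    p += n
    p += 1 + record[p]                          # compression_methods (length-prefixed)
    exts, curves, fmts = [], [], []
    if p < len(record):                         # the extensions block is optional
        end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
        p += 2
        while p < end:
            etype, elen = struct.unpack("!HH", record[p:p + 4])
            data = record[p + 4:p + 4 + elen]
            p += 4 + elen
            if etype in GREASE:
                continue
            exts.append(etype)
            if etype == 10:                     # supported_groups: 2-byte list length, then groups
                curves = [g for g in _u16s(data[2:]) if g not in GREASE]
            elif etype == 11:                   # ec_point_formats: 1-byte list length, then formats
                fmts = list(data[1:])
    parts = [str(version)] + ["-".join(str(v) for v in x) for x in (ciphers, exts, curves, fmts)]
    ja3 = ",".join(parts)
    return ja3, hashlib.md5(ja3.encode("ascii")).hexdigest()


# Constructed ClientHello (not a real capture): TLS 1.2, two ECDHE ciphers plus a GREASE cipher,
# and GREASE / server_name / supported_groups / ec_point_formats extensions.
SAMPLE_CLIENT_HELLO = (
    b"\x16\x03\x01\x00\x57"                     # record header: 87 bytes of handshake data
    b"\x01\x00\x00\x53"                         # ClientHello with an 83-byte body
    b"\x03\x03" + bytes(range(32)) + b"\x00"    # version 0x0303, random, empty session_id
    b"\x00\x06\xc0\x2b\xc0\x2f\x0a\x0a"         # ciphers: 0xc02b, 0xc02f, GREASE 0x0a0a
    b"\x01\x00"                                 # one compression method: null
    b"\x00\x24"                                 # extensions length 36
    b"\x0a\x0a\x00\x00"                         # GREASE extension, ignored by JA3
    b"\x00\x00\x00\x0c\x00\x0a\x00\x00\x07example"  # server_name "example"
    b"\x00\x0a\x00\x06\x00\x04\x00\x1d\x00\x17"  # supported_groups: x25519 (29), secp256r1 (23)
    b"\x00\x0b\x00\x02\x01\x00"                 # ec_point_formats: uncompressed (0)
)

if __name__ == "__main__":
    print(ja3_from_client_hello(SAMPLE_CLIENT_HELLO))
```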
MattDunn inside IPS, Anti-Virus, and Anti-Bot a week ago

Original Files - restoring to new gateway

Hi,

I have an R77.30 gateway running TEX, with the gateway configured as an MTA. When a mail is cleaned, the original mail is stored on the gateway.

I need to install bigger HDDs in the gateway, so it'll need a fresh install. I want to take that opportunity to upgrade to R80.x at the same time.

Is it simply a case of copying the files off the current R77.30 disk, then copying them back to the newly rebuilt R80.x disk, or is there some kind of index that needs to be rebuilt on the new server for users to be able to click their link to access the original file again?

Thanks,
Matt
Kevin_Vargo inside IPS, Anti-Virus, and Anti-Bot a week ago

Error: kfunc_cmik_loader_execute_dyn_ctx

Hi - Curious to know if anyone can tell me what these errors mean? I am seeing this on our active gateway and after failing over I am seeing them on the now other active gateway. These are Dell open servers running 80.10 patch 103. We are seeing a lot of devices behind this cluster flopping up and down as well. cphaprob -a if shows all interface IP and no tx/rx errors in netstat.

Thanks

Jun 30 05:13:07 2018 Gateway01 kernel: [fw4_4];[ERROR]: kfunc_cmik_loader_execute_dyn_ctx: cmi_match_env is NULL
Jun 30 05:13:07 2018 Gateway01 kernel: [fw4_5];[ERROR]: kfunc_cmik_loader_execute_dyn_ctx: cmi_match_env is NULL
Jun 30 05:13:23 2018 Gateway01 kernel: [fw4_2];[ERROR]: kfunc_cmik_loader_execute_dyn_ctx: cmi_match_env is NULL
Jun 30 05:13:55 2018 Gateway01 kernel: [fw4_0];[ERROR]: kfunc_cmik_loader_execute_dyn_ctx: cmi_match_env is NULL
Jun 30 05:14:11 2018 Gateway01 kernel: [fw4_4];[ERROR]: kfunc_cmik_loader_execute_dyn_ctx: cmi_match_env is NULL
Vladimir inside IPS, Anti-Virus, and Anti-Bot a week ago

HTTP parsing error occurred, bypass request.

One of my client's gateways has started logging this since May 28th, and users behind Check Point are experiencing a dramatic slowdown in web access.

Time: 2019-06-04T14:33:59Z
Interface Direction: outbound
Interface Name: Mgmt
Id: c0a8960e-0af6-593b-5cf6-8157f9480002
Sequencenum: 10
Client Type: Other: Microsoft Office/16.0
Precise Error: unknown error
Source: Port: 52843
Destination Country: United States
Destination: Port: 80
IP Protocol: 6
Proxied Source IP: HTTP parsing error occurred, bypass request.
Source User Name: User, One (
Machine Name: machine01@domain.com
User: User, One ( Accept
Type: Log
Policy Name: Policy01
Policy Management: CheckpointMGT
Db Tag: {6AEB0FA4-2F80-A84B-A5FD-61DB3123D6CF}
Policy Date: 2019-05-28T14:10:53Z
Blade: IPS
Origin: CheckpointPh
Service: TCP/80
Product Family: Threat
Resource: @A@@B@1559620800@C@213270
Log Server Origin: aaa.bbb.ccc.14
Orig Log Server Ip: aaa.bbb.ccc.14
Index Time: 2019-06-04T14:34:01Z
Lastupdatetime: 1559658839000
Lastupdateseqnum: 10
Severity: Informational
Rounded Sent Bytes: 0
Confidence Level: N/A
Rounded Bytes: 0
Stored: true
Rounded Received Bytes: 0
Interface: Mgmt
Description:

Can someone let me know what we are looking at here?
Luis_Borralho1 inside IPS, Anti-Virus, and Anti-Bot a week ago

Blocking TOR Exit nodes with scripting

Hello guys!

I'm planning to block all of the TOR exit nodes using Checkpoint scripts created for that purpose, see link below.

How to block traffic coming from known malicious IP addresses

My question is this... Will these exit nodes be appended to the SAM rule, or when it updates the SAM rule will it clean all my SAM rules already created and in place?

Thank you very much for your support.

Best regards,
Luis Borralho
parfuar inside IPS, Anti-Virus, and Anti-Bot 2 weeks ago

IPS Protection - TCP Windows Size Enforcement

Hi,

I have been validating some IPS signatures and found this one (TCP Windows Size Enforcement), and found it interesting. Where I want to apply it is an external FW, where all the traffic comes from outside the infrastructure. As the firewall is virtualized, they are afraid that it will have an impact upon activation. They think it will have a lot of impact when activating this in the IPS.

Thanks
inside IPS, Anti-Virus, and Anti-Bot 2 weeks ago

SandBlast Agent Protects Against BlueKeep RDP Vulnerability (CVE-2019-0708)!

Critical Vulnerability in Windows OS - Code execution using Remote Desktop Protocol (CVE-2019-0708)

SandBlast Agent is the First Endpoint Security Solution to Protect Against BlueKeep RDP Vulnerability!

Recently, a security advisory was released for a vulnerability in RDP (Remote Desktop Protocol) affecting multiple Windows Operating Systems prior to 8.1. According to Microsoft's advisory, this vulnerability can be exploited for both remote code execution and denial of service attacks, all this without needing the credentials of the target machine.

Check Point's SandBlast Agent Anti-Exploit now monitors the RDP service for both Windows 7 and Windows 2008R2 and is able to prevent this attack from occurring. Not only is SandBlast Agent able to prevent the exploit from being delivered on unpatched systems, but it is also able to prevent the exploit from being delivered to the previously vulnerable driver in patched systems.

The protection is available in SandBlast Agent's E80.97 Client Version (can be downloaded from sk154432).

To see Anti-Exploit's protection in action, please see the following video, where our Threat Research Group's POC used for exploitation is blocked.

SandBlast Agent protects against Check Point's Threat Research group BlueKeep based exploit:

SandBlast Agent BlueKeep Event Forensics Report:

To learn more about SandBlast Agent's Anti-Exploit protection of BlueKeep, see: sk154232 - Anti-Exploit Protection for Remote Desktop Protocol Vulnerability (CVE-2019-0708)

Note: Users who run SandBlast Agent with a third party Anti-Virus (AV) should be aware that Anti-Exploit is turned off in the presence of third party AVs. For this protection to be enabled, you must allow Anti-Exploit to work with third party AVs as detailed in sk154454 - Enabling Anti-Exploit when deployed with a third party Anti-Virus.