
unable to join another network and internet through the appliance

Hello community, I need your help. In fact I had to deploy a 3200 appliance under GAIA R80.20 to a client who already has a Cisco ASA that I have to replace. So after configuring the interfaces, the default route, the DNS and importing the Cisco ASA rules, I connected the appliance to the network. But no communication is possible through the 3200. Attached is the existing architecture with the ASA.
dwinurm
dwinurm inside SMB Appliances and SMP 2 hours ago
views 14 1

checkpoint 1490, user can't get ip from dhcp server on checkpoint

Hello everyone, I have a VLAN on the Check Point for the DHCP server and access point, but in this segment users can't get an IP from the DHCP server, and when I check the log I see "no free leases". Can anyone help with my problem? Thanks and regards.
Timothy_Hall
Timothy_Hall inside Access Control Products yesterday
views 61 5

R80.20 SecureXL - User Space?

I keep seeing in the excellent documents by @HeikoAnkenbrand and posts by @PhoneBoy that SecureXL runs in user space starting in R80.20. After a detailed look at an R80.20 security gateway I don't think this assertion is correct and I'm seeking clarification, I believe this is some kind of mixup with the new USFW function which is available in R80.20 but not enabled by default. What I see on a standard R80.20 gateway is that the SecureXL kernel driver code has ballooned from 5.2MB in R80.10 to about 18MB in R80.20 and is now named with an instance number (i.e. simmod_0) which would allow multiple instances of SecureXL to be running; useful in the case of Falcon cards. The size of the simmod code would certainly have grown since it is now capable of PSL and CPAS whereas those functions were handled in a Firewall Worker instance (fw_X) before. The firewall worker kernel instance code (fw_X) has also grown from about 40MB to 48MB between R80.10 and R80.20. There is a new SecureXL-related daemon called sxl_statd in R80.20 but its functions seem to be very simple and its small size (38K) makes it impossible that it is "SecureXL running in user space". I can't seem to find any other processes that would be "SecureXL running in User Space" unless it is somehow now part of the fw_worker_X processes which I find unlikely. So as a bit of an experiment I enabled USFW under R80.20 according to the instructions in sk149973: How to enable USFW (User-Space Firewall) on a 23900 appliance on my 8-core VMware firewall (2/6 split) and rebooted. In the kernel with lsmod I still see the 18MB simmod_0 but now there is only one firewall kernel driver called fwmod at 48MB. In process space I only see one firewall worker (fwk), but I also see "fwk_wd -i 6 -i6 0" and fwk_forker so I'm pretty sure more fwk firewall workers would get forked off if needed. It still looks like SecureXL is completely in kernel space. 
The whole justification for USFW is due to the 2GB kernel limitation that was being reached by trying to load up to 40 separate instances of the firewall workers into the kernel, in R80.20 if there are 40 workers * 48MB = 1.9 GB so it makes sense that Check Point couldn't just keep adding more and more workers in the kernel. However there is only one SecureXL simmod kernel driver and it takes up a "whopping" 18MB of kernel space, so it doesn't make sense to me to move that part into user space. So unless I'm really missing something here I don't think the assertion that "SecureXL is in user space" is correct, at least not in R80.20, regardless of whether USFW is enabled or not. Edit: Just looked over R80.30 and set USFW on it too, looks exactly the same as what I observed in R80.20 above.

PBR with VPN

Hi Mates,
Currently I am having a case like the following:
- We have a 5600 Appliance which has 2 external interfaces, one for inbound traffic with a public IP, one for outbound traffic with a private IP.
- We use PBR for all DMZ servers on the inbound interface, and users access the internet through the outbound interface with a normal route.
- We want Remote Access via the inbound interface, but cannot. If I change the default route in the "normal" routing table from outbound to inbound, we can use Remote Access VPN normally.
I'm sure the problem is due to PBR, but is there any solution for remote access via the inbound interface?
Thank you and best regards.
Shahar_Grober
Shahar_Grober inside Access Control Products yesterday
views 102 5

skype for business issues

Hi, I am facing an issue where VOIP calls from our Polycom device to Skype for Business Online are dropped after about 1 minute. The drops are one-way (incoming voice), which looks like the incoming SIP traffic is dropped. The topology is quite simple: Polycom --> CP GW --> Internet --> Skype for Business Online. Some insights:
1. The problem doesn't occur when connecting the Polycom directly to the internet via a hotspot, so it is a Check Point issue.
2. The issue still occurs when disabling SecureXL, so it is not a SXL issue.
3. "Hide NAT changes source port for SIP over UDP" is checked in inspection settings.
4. No IPS drops on VOIP. The Polycom IP is excluded from IPS and all inspection settings.
5. We see incoming connections from the Skype for Business Online IP range are blocked by the stealth rule.
The last point made me think that it might be a NAT issue with the SIP port range (outgoing connections are NATed but incoming connections are not recognized by the firewall as part of the same connection). I see the following drops coming from the Skype for Business Online IP range to the GW external IP address.
My questions are:
- Are there any best practices to configure Skype for Business with Check Point?
- What is the recommendation for NAT with SIP?
- Any insights on how to solve this issue?

Geo-policy in the following scenario

Hi, I actually wanted to know if I can achieve the following using GEO POLICY in R80.20:
- BLOCK INCOMING from all countries but one
- ALLOW OUTGOING to all countries
Is this possible in a simple way? Because the non-simple way is too time consuming: I would have to set the policy for other countries to Drop and then individually add rules for 250 countries as "allow to". Is there any simpler way of achieving this?
shlomip
inside Enterprise Appliances and Gaia OS yesterday
views 351 11 4
Employee

R80.30 3.10 EA Program is now available!

Hi all, we are happy to announce that the R80.30 3.10 EA program for Security Gateway and VSX is now available. For the production EA path please contact ea_support@checkpoint.com. For the public EA path log in to https://usercenter.checkpoint.com and go to Try Our Products -> Early Availability Programs. Then register to the CPEA-EVAL-R80.30-3.10 public EA program. Release notes for this EA program are available here.
Tim_Bernat
Tim_Bernat inside SMB Appliances and SMP Sunday
views 36 1

Internet link QoS bandwidth limiting not working on 620 Appliance

Hi All,
I have tried using the bandwidth limiting (is that actually policing or shaping?) on a couple of our 600 appliances but without success. Seems simple enough, but just to be sure I checked with the Appliance Administration Guide:
"QoS Settings (bandwidth control) - supported in IPv4 connections only. To enable QoS bandwidth control for download and upload for this specified connection, select the applicable Enable QoS (download) and/or Enable QoS (upload) checkboxes. Enter the maximum Kbps rates for the selected options as provided by your ISP for the Internet upload and download bandwidth. Make sure that the QoS blade has been turned on. You can do this from Home > Security Dashboard > QoS > ON."
All the commands are accepted, but seemingly nothing happens; I can't see anything in either of the logs. I tried different values, high and low, but no change on the devices. I know 100 bit is a bit silly, but this was just to make a point. I have also tried other higher rates : )
End user devices can still pull what they usually can. On one of the appliances I saw this error after enabling the QoS blade, but I have tried a different one, no error, but no limiting.
Can you suggest anything? We have a lot of these and this option would be really useful.
Cheers, Tim

Deploy Identity Awareness Agent with Microsoft SCCM - Full Client with MAD and Packet Tagging

So I've got another issue with the Identity Awareness Agent. This time it's the deployment from Microsoft SCCM. SCCM will run the installation as SYSTEM. Installation works, and all seems good. For some reason the MAD service doesn't work as expected. It doesn't provide the computer account to the gateway, and when you try to restart the Check Point Managed Asset Detection service, it crashes and completely stops working. Also the Packet Tagging driver doesn't work properly. It says it's enabled, but the packet tagging never happens. Installing the same package as Admin manually works perfectly. So is there any work-around for this? Or am I missing something? I would prefer not to have to manually install the agent on every computer. There are just too many to even think about going that way. Our SCCM guy says you can do a really ugly work-around and have an admin account run the installation from SCCM, but this is very much not recommended, and it won't work if you want it installed as part of the task sequence. Any tips on how to do this?
Junior
Junior inside SMB Appliances and SMP Sunday
views 20 1

Access to DMZ from internet

Hello all. I would like help setting up internet access to a web server located in a DMZ. I created a manual NAT to forward packets to the server, but I cannot access it. Here are my rules and here is my schema:
Outgoing Traffic
Thanks

Comparing 15000 series appliances against 6000 series

Hello! Check Point released a new appliance line, the 6000 series, and here comes the new challenge. For a customer who wants NGTP functionality, in a scenario where based on sizing the 15600 is a perfect match for them, should we go for it or is it even better to go with the 6800 model? You see, the NGTP performance of the 6800 is far better by datasheet and the price is much lower too.
Enterprise Testing Conditions:
- 6800 Security Gateway: 8.9 Gbps of Threat Prevention
- 15600 Security Gateway: 7.4 Gbps of Threat Prevention
Both numbers are provided with R80.20. Your opinions?
BR
Vato

Can't boot, no inittab file found, enter runlevel

Hello everyone, I really need help urgently from you. In fact, I recently tried to install OS GAIA R80.20 on my Check Point 3200 appliance but the installation did not really start. And since then, when I try to start my appliance I get the message:
Found volume group "vg_splat" using metadata type lvm2
4 logical volume(s) in volume group "vg_splat" now active
INIT: No inittab file found
INIT: Entering runlevel: 3
INIT: no more processes left in this runlevel
n 3 seconds]
I have already tried a factory reset several times, still nothing. I really rely on you to help me fix this problem as soon as possible because I have to deploy the appliance this Saturday at a customer. I'm waiting, thank you.
Nischit
Nischit inside Access Control Products Friday
views 63 1

Block URL in Checkpoint

Hi, I want to block a URL, for example "abc.com/efg/mno", for a particular source but want to allow, for example, "abc.com/ijk/pqr" for the same source. How can we achieve this in Check Point? Thanks in advance!

Management IP address after factory reset

Hi, I'm trying to recall: if you do a factory reset on a gateway, does the IP address assigned to the mgmt port stay intact or does it get reset to 192.168.1.1? Thanks.
Tomer_Sole
inside SD-WAN Friday
views 377 2
Mod

Check Point integration guides with SD-WAN vendors

Check Point integrates with all major SD-WAN vendors as part of Network Security as a Service. Customers secure their branch offices and roaming users with Check Point's latest Threat Prevention and Access Control, without the need to replace the site's existing router or SD-WAN device. Check out our official step-by-step guides with:
- Silver-Peak
- VeloCloud
Additional vendor-specific instructions are available inside our web-based management. Request a trial account by following these steps: https://community.checkpoint.com/t5/SD-WAN/Early-Availability-Program-for-Network-Security-as-a-Service/td-p/21932
1. Create a Site.
2. Once the Site is ready, click its card and select Menu > View Instructions.
3. Select your choice of router or SD-WAN device and get step-by-step instructions for connecting it to Check Point's Network Security as a Service. These instructions contain the Check Point GRE or IPsec tunnels that were assigned to you.