Doeschi inside Policy Management 2 hours ago
views 144 8

fw sam rule with src net / dst net / any port

Hi all,

I've been looking for a fw sam command to instantly block a source IP range to a destination IP range for any protocols/ports, but without any success. It's possible to do so using the legacy SmartView Monitor, but since this would be triggered from an external source, I'd like to use the "fw sam" command.

I already tried to use "fw sam subsrv", but as soon as I put ANY or ALL as port/protocol, the management server doesn't accept the command.

Any ideas on this matter?

Regards
Roger
Eric_Davis inside Policy Management 6 hours ago
views 1998 9

Best practices for inline layers

Hi, we're running R80.10 and would like to start cleaning up our policy, which has become cluttered and outdated. Inline layers look like they could assist in keeping things organized as we clean up the old clutter, but I can't find a lot of info about best practices for them. Should you try to limit how many inline layers/rules you use in a policy? Is there a preferred method for crafting the parent rule? Should it be vague and then get more particular with each inline layer rule? Or should the parent rules be crafted very specifically as well? I've read a few of the threads here on CheckMates and any relevant SKs, but was just wondering if there was any specific guidance on the best way to utilize inline layers.
PhoneBoy
inside Policy Management 8 hours ago
views 9934 29 18
Admin

SmartMove: Convert Cisco ASA Policy to Check Point

The Check Point SmartMove tool enables you to convert a 3rd party database with firewall security policy and NAT to a Check Point database.

At the moment, the tool handles a Cisco ASA (version 8.3 and above) configuration file and converts its objects, NAT and firewall policy to a Check Point R80.10 policy. The tool is planned to support additional vendors in the future.

Source is available on GitHub: SmartMove
Tomer_Sole
inside Policy Management yesterday
views 33736 19 27
Mod

Layers in R80

I would like to clarify the use of layers in R80 Management Server and SmartConsole.

A layer is a set of rules, or a rule-base. R80 organizes the policy with ordered layers. For example, Gateways that have the Firewall and Application control blades enabled will have their policies split into two ordered layers: Network and Applications. Another example is Gateways that have the IPS and Threat Emulation blades enabled, which will have their policies split into two ordered layers: IPS and Threat Prevention. For Pre-R80 Gateways, this basically means the same enforcement as it always was, only in a different representation in the Security Management.

Ordered layers are enforced this way: When the Gateway matches a rule in a layer, it starts to evaluate the rules in the next layer.

The layers concept opens more options for policy management:
- Setting different view and edit permissions per layer for different administrator roles.
- Re-using a layer in different places: The same application control layer in different policy packages (Sharing a layer across different policies), or the same inline layer for different scopes.
- Explaining global and local policies in Multi-Domain with the same feature set of layers: A domain layer will be the set of rules that are added in each domain by the domain administrator.

R80.10 Gateways and above will have the ability to utilize layers in new ways:
- Unifying all blades into a single policy (How to use the unified policy?)
- Segregating a policy into more ordered layers, not necessarily by blades
- Allowing sub-policies inside a rulebase, with the use of inline layers (How do I define different policies to different users?)

Message was edited by: Tomer Sole
Howard_Gyton inside Policy Management yesterday
views 103 1

R80.30 - Services port conflict recurring

When we push policy, it succeeds but we get a warning stating that there are multiple services which both have 'Match for any selected'.

When I first did this there were 10 pairs, so I worked through those. At the next policy push it found another two. And the next. And the one after that.

I don't know why, but it is drip feeding me information and doesn't list them all. At every change I make, another new pair appears for some reason.

Is this expected? If so, it's not very user friendly as I would prefer to fix them all in one go.

Howard
ledesgagnes inside Policy Management Friday
views 121 6

Unable to allow a URL via WIFI but works from Ethernet

Hi,

To put in place a context, I am replacing a previous IT manager who left the enterprise several months ago.

I had a request put in place to allow certain URLs which are in the Alcohol & Tobacco category. So I went in Blade, under application and URL filtering, and added a rule to allow this category.

I went with a source of: Any
Destination: Internet
Application: Category Alcohol & Tobacco
Action: Allow

When I am on the network, the rule works without any issue. Once I disconnect the cable and get on the wifi and hit the same URL, I am sent to a Check Point Application Control Page, where it says that Access is blocked according to the organization security policy. It also provides a Reference: 0B34CDBD.

I did research on the web and I've looked around in Blade but didn't find anything that differentiates Ethernet from WIFI.

Thanks
G_W_Albrecht inside Policy Management Thursday
views 2192 16 23

Searching Network Objects in R80.xx is crippled

Managing large networks is easier if searching in Dashboard simply works! In R77.30, it was easy to search for e.g. servers in network objects > hosts, see here an example from Demo mode:

In the search results, we can find the objects having a name containing "server" as well as objects having "server" in the comment field - so, it is easy to find all server objects. But not in R80.xx - in Demo, we see a list of Hosts named using "server":

So when searching, we would expect to get all objects with "server" in their name, but not the one with "srv". But what do we really get? Not much:

It will not show the FileServer and WebCalendarServer. But now, try it yourself and do not search "Server" but "erver" - nothing will be shown at all! I am thinking that this is not a search function anymore! But what about other users, is this kind of searching unusable or not needed anymore? Does anyone else miss it? And what really happened to Dashboard, which did the searching very well in R77.30?
Jose_Ramon_Rodr inside Policy Management Wednesday
views 3815 5 1

Searching zero hits rules in R80.10

Hi,

Prior to R80.10 you could find every rule with zero hits right from the search bar. For instance, in R77.30 you could see only the rules with no hits this way:

Now in R80.10 I can't find the way to do that search. In the "Searching a Rule Base" page in SmartConsole R80.10 Help there are no clues about it.

Is there a way to do this search?

Greetings.
Tom_Cripps inside Policy Management Wednesday
views 156 4 1

Do Access Roles need Identity Awareness to function?

Hi,

I'm looking to use Access roles to look at specific networks. This is due to a requirement of having both network objects and an existing access role in the same rule.

I'm seeing, though, that the access role looking at certain networks is only picking up identified users, through the use of the IA client. My question is then, do access roles need some form of IA client to work on the Endpoint?

Tom
Arthur_DENIS1 inside Policy Management Wednesday
views 179 4

Publish take so long time with lot of change

Hi,

For one customer, with MGMT in R80.30 - open server, we have changed a lot of rules (around 400) on one policy containing 5000 rules. And publish takes a few hours to complete!!!

As you can see in the top output below, the server is not really overloaded.

Has anyone already had this issue and found a way to solve it?

Thanks for your help guys!

Arthur

top - 17:45:14 up 13 days,  7:51,  2 users,  load average: 1.68, 2.05, 2.05
Tasks: 231 total,   2 running, 229 sleeping,   0 stopped,   0 zombie
%Cpu(s): 27.1 us,  0.8 sy,  3.1 ni, 68.4 id,  0.5 wa,  0.0 hi,  0.1 si,  0.0 st
KiB Mem : 32846464 total,   615404 free, 12984148 used, 19246912 buff/cache
KiB Swap: 17840176 total, 17617344 free,   222832 used. 18440132 avail Mem

  PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND
12491 cp_post+  20   0  774048 746728 687892 R  75.1  2.3  77:10.47 postgres
 5212 admin     20   0 6997584 1.143g   9704 S  72.4  3.6   1229:24 java
12497 cp_post+  20   0  770464 743240 687844 S  61.5  2.3  69:51.17 postgres
 4987 admin     39  19 90.730g 6.484g 187260 S  15.9 20.7   4859:52 java
 5137 admin     39  19  999044 383048   7540 S  10.0  1.2   1702:18 log_indexer
 5929 admin     20   0  339524  34196  11316 S   4.3  0.1 834:04.65 lea_session
30135 admin     20   0  337056  36484  11336 S   3.0  0.1 696:04.91 lea_session
 5092 admin     20   0 6899844 714356  10368 S   2.0  2.2 260:54.02 java
 1665 admin     20   0  869948 489284  38084 S   1.3  1.5  34:19.38 fwm
 4781 admin     20   0 1087456 313604  13292 S   1.3  1.0 312:18.45 fw_full
 4672 admin     20   0   17456   1984   1756 S   0.7  0.0  10:48.43 cpwd
17680 cp_post+  20   0  708776 690520 687044 S   0.7  2.1  57:27.45 postgres
 5035 admin     39  19 5805956 304128   8992 S   0.3  0.9  24:44.17 java
 6381 admin     20   0   12604   3656   2960 S   0.3  0.0   0:01.60 sshd
17248 cp_post+  20   0  708812 690720 687056 S   0.3  2.1  57:32.87 postgres
    1 admin     20   0    2584    592    564 S   0.0  0.0   0:08.00 init
    2 admin     20   0       0      0      0 S   0.0  0.0   0:00.04 kthreadd
    3 admin     20   0       0      0      0 S   0.0  0.0   4:04.17 ksoftirqd/0
    5 admin      0 -20       0      0      0 S   0.0  0.0   0:00.00 kworker/0:0H
    7 admin     rt   0       0      0      0 S   0.0  0.0   0:03.98 migration/0
    8 admin     20   0       0      0      0 S   0.0  0.0   0:00.00 rcu_bh
    9 admin     20   0       0      0      0 S   0.0  0.0  17:04.23 rcu_sched
   10 admin     20   0       0      0      0 S   0.0  0.0   0:00.00 rcuob/0
   11 admin     20   0       0      0      0 S   0.0  0.0   2:02.09 rcuos/0
   12 admin     rt   0       0      0      0 S   0.0  0.0   0:03.73 watchdog/0
   13 admin     rt   0       0      0      0 S   0.0  0.0   0:03.39 watchdog/1
   14 admin     rt   0       0      0      0 S   0.0  0.0   0:03.46 migration/1
MrSaintz inside Policy Management Tuesday
views 1384 11 2

Inline Layer and software blades

Hi all,

When setting up inline layers for, for instance, mobile access rules (unified mode), application/urlf rules, content, etc., should the parent be enabled with all the blades I want to use at the inline layer level?

I think it would make sense not to enable them at the parent level. Example:
- parent allowing lan to internet, service http/https, assign inline layer "urlf" (here I would only enable access control)
- at the "urlf" inline layer, specify allowed/blocked categories there (here I would enable urlf sb)

Is this proper, best practice?

Regards,
Carlos
HS inside Policy Management Tuesday
views 118 2

Hotfix Ongoing Take 91

Hi,

We are planning a gw upgrade to R80.20.

Our MGMT is running R80.20 take 87. We are planning an upgrade to take 91, the latest GA.

Has anyone already installed take 91? We don't have any idea if there are requirements for take 91 that need some special attention.

Our gateways will be installed with R80.20 take 91.

Thank you for the help.
Jon_Dyke inside Policy Management Monday
views 2710 12 2

Drops on accept rule

Hi All

I am currently having a very odd issue that I cannot get to the bottom of on a pair of R80.10 gateways. I am seeing 'weird drops' on rules which are actually accept rules.

Here is one example:

I open a browser on 192.168.3.14 and go to Intel.com. The site opens ok but:

fw ctl zdebug drop | grep 192.168.3.14

shows:

;[cpu_0];[fw4_1];fw_log_drop_ex: Packet proto=6 192.168.3.14:50702 -> 34.238.108.124:443 dropped by fw_send_log_drop Reason: Rulebase drop - on layer "Site0-Simplified-Policy Secur" rule 3;

Rule 3 is an accept rule!!!!

Any help appreciated.

Thanks
Jon
Daniel_Collins inside Policy Management a week ago
views 294 10

R80.20 Management Performance

Hello Check Mates!

I hope you can help perhaps shed some light on an issue we're seeing with one of our customers. The customer is commercially sensitive due to some long-standing issues they've had with a 61k appliance, and a recent code upgrade on the system (management at the moment) to R80.20 has degraded performance from the customer's perspective.

What we're seeing is this:
- A slowness in stacking and unstacking the subject headings in the rulebase
- There are around 700 rules with 200 subject headings in the policy
- What we see is you press the button to drop the subject headings and then the wire frames appear for the rules, and a few seconds later the rule content pops into the console
- When adding, say, objects to rules (clicking the *), there is a good second or few seconds' delay until the search box appears.

The management server is on R80.20 with the latest T91 of the JHF installed. Very well specced, 16 cores / 18GB RAM / SSD based flash storage in VMware. The console is being run on a machine with 32 cores and 64GB of RAM, similar storage scenario. We observed the server via SSH while testing these issues and saw no noticeable load on the system, use of swap or any %WA on I/O.

From our perspective as a partner, the behaviour we see, other than the rule stacking, is as we'd expect from an R80.x install of management. I do not have a point of comparison for the rule stacking issue; all of the customers I have worked with as of late (in R80.x days) have significantly smaller rulebases or far fewer subject headings.

The customer was on R77.30 before and has noticed that the server performs significantly worse in R80.20 than it did previously. We can replicate these issues through a database export into a lab server as well as by exporting the policy via the python script into a fresh management server; it follows the policy.

There is an element of expectation here, but this customer is commercially sensitive as we will be trying to ensure they continue to replace the 61k's with another Check Point appliance (something that's not SP based), so we're looking to see what we can do in terms of tuning up performance of the management server.

We're not in a position to re-jig the policy (in terms of in-line layers, due to the 61k being on R76SP.50 and consultancy time needed to do so prior to a replacement solution), but the policy is very tidy. Some perhaps duplication, but nothing severe.

I've been through the VMware tuning guide on sk104848 and not had any noticeable difference.

Any thoughts?
Mohideen_Abbas inside Policy Management a week ago
views 220 7 1

Placing rule in Firewall

I am fresh to Check Point and I got this interview question. When we have multiple firewalls in a single office, let's say 5 firewalls, and a user is requesting to stage some rule, how do we come to know on which firewall, out of those 5 boxes, the policy needs to be pushed? I told them I would do a tracert and find out, but they didn't agree with that. What are the other ways we can check the above and place the rule?