Showing results for 
Search instead for 
Did you mean: 
Create a Post
MrSaintz inside Policy Management 4 hours ago
views 1426 12 2

Inline Layer and software blades

Hi all,When setting up inline layers to setup for instance mobile access rules (unified mode) application/urlf rules, content, etc should the parent be enabled with all the blades I want to use at the inline layer level?I think it would make sense, not enable at the parent level, example:parent allowing lan to internet service http/https assign inline layer "urlf"(here I would only enable access control)at the "urlf" inline layer specify allowed/blocked categories there (here i would enable urlf sb)Is this proper, best practice?Regards,Carlos
Artem1 inside Policy Management 7 hours ago
views 39 1

block pop-UPS, banners, ads

Hello! Faced with the problem of blocking pop-up ads (ads, banners). I added a category Web Advertisements to the policy, but it didn't help. Is it possible to completely get rid of Intrusive advertising, banners ?
carl_t inside Policy Management yesterday
views 145 3 1

What traffic does Gateway scan first, FW, IPS, threat etc ?

Hi AllOn a checkpoint Firewall, how is the traffic processed? does it look at the Firewall rules first, then pass to IPS, then threat prevention etc? Or are they all scanned at the same time?Also, what about if you used the URL filtering blade, would you still need to allow a rule to anywhere under the Firewall, then use the URL to lock down to url's ?cheers
vaidehi inside Policy Management Saturday
views 80 1


can 2 smartconsoles  access the same management server at the same time?
mefsoft inside Policy Management Friday
views 71 1

how to control different policies in different management

Hi everybody, I have 8 policy in different appliance. I want to control first  rules of all policies. First rule is fishing ip adress droping. When I found new  ip address for drop, I'm updating the same rule in all policies. Also my 4 policies connect  different management servers. How can I control different managements without using MDSM.
G_W_Albrecht inside Policy Management Thursday
views 2364 22 24

Searching Network Objects in R80.xx is crippled

Managing large networks is easier if searching in Dashboard does simply work ! In R77.30, it was easy to search for e.g. servers in network objects > hosts, see here an example from Demo mode: In the search results, we can find the objects having a name containing "server" as well as objects having "server" in comment field - so, it is easy to find all server objects. But not in R80.xx - in Demo, we see a list of Hosts named using "server": So when searching, we would expect to get all objects with "server" in its name, but not the one with "srv". But what do we really get ? Not much: It will not show the FileServer and WebCalendarServer. But now. try it yourself and do not search "Server" but "erver" - nothing will be shown at all ! I am thinking that this is not a search function anymore ! But what about other users, is this kind of searching unusable or not needed anymore ? Does anyone else miss it ? And what did really happen to Dashboard that did the searching very well in R77.30 ?
Doeschi inside Policy Management Wednesday
views 300 12

fw sam rule with src net / dst net / any port

Hi all,I've been looking for a fw sam command to instantly block a source ip range to a destination ip range for any protocols /ports, but without any success. It's possible to do so using the legacy SmartView Monitor, but since this would be triggered from an external source, I'd like to use the "fw sam" command.I already tried to use "fw sam subsrv" but as soon as I put ANY or ALL as port / protocol, the management server doesn't accept the command.Any ideas on this matter?RegardsRoger
Matt_Foreman inside Policy Management Tuesday
views 102 3

IPsec Star Community Question

If you have a star IPsec community with TWO clusters in the center and and multiple satellites, what makes any given satellite choose one center over another when routing from satellite to satellite using the center as an hub and spoke? No MEP, No overlapping domains,  
Evan_Fisher inside Policy Management Tuesday
views 5270 17

Unused Objects Cleanup

Is there an easy way in R80.10 to cleanup all unused objects or at least identify them? Our object database has been steadily growing for years and I know there are a lot of stale objects and don't want to have to do manually do a"Where Used" on every object just to find the stale ones.Thanks!
Bekir_Aldemir2 inside Policy Management Monday
views 2639 10

Any tool to build a rulebase from an "Any-Any Accept" rule?

Hello everyone,A customer recently placed a firewall to control all inter-VLAN traffic and they unfortunately are not aware (as it usually is) what kind of traffic is generated between the VLANs as it was running through a switch until now.We started building the rulebase depending on their necessities but I still believe that is far from ideal. To avoid any major issues we had to leave the last rule as ACCEPT.  At this point, the only way seems to analyze the logs of this rule and keep adding new rules which brings me to the real question and I sincerely apologize if this is stupid but is there any quick way or a tool (I know Tufin can analyze the existing rulebase) to do this?(I searched the forum but couldn't find any Q or A that might be directly related) Thanks in advance,
Eric_Davis inside Policy Management a week ago
views 2125 10

Best practices for inline layers

Hi, we're running R80.10 and would like to start cleaning up our policy that has become cluttered and outdated and inline layers look like they could assist in keeping things organized as we clean up the old clutter but I can't find a lot of info about best practices for them. Should you try to limit how many inline layers/rules you use in a policy? Is there a preferred method for crafting the parent rule?  Should it be vague and then get more particular with each inline layer rule?  Or should the parent rules be crafted very specifically as well? I've read a few of the threads here on CheckMates and any relevant SK's but was just wondering if there was any specific guidance on the best way to utilize inline layers.  
inside Policy Management a week ago
views 10145 29 18

SmartMove: Convert Cisco ASA Policy to Check Point

Check Point SmartMove tool enables you to convert 3rd party database with firewall security policy and NAT to Check Point database.At the moment, the tool handles Cisco ASA (version 8.3 and above) configuration file and converts its objects, NAT and firewall policy to a Check Point R80.10 policy. The tool is planned to support additional vendors in the future.Source is available on GitHub: SmartMove
inside Policy Management a week ago
views 34086 19 28

Layers in R80

I would like to clarify the use of layers in R80 Management Server and SmartConsole.A layer is a set of rules, or a rule-base. R80 organizes the policy with ordered layers. For example, Gateways that have the Firewall and Application control blades enabled, will have their policies split into two ordered layers: Network and Applications. Another example is Gateways that have the IPS and Threat Emulation blades enabled, will have their policies split into two ordered layers: IPS and Threat Prevention. For Pre-R80 Gateways, this basically means the same enforcement as it always was, only in a different representation in the Security Management.Ordered layers are enforced this way: When the Gateway matches a rule in a layer, it starts to evaluate the rules in the next layer. The layers concept opens more options for policy management:Setting different view and edit permissions per layer for different administrator roles.Re-using a layer in different places: The same application control layer in different policy packages ( Sharing a layer across different policies  ), or the same inline layer for different scopes.Explaining global and local policies in Multi-Domain with the same feature set of layers: A domain layer will be the set of rules that are added in each domain by the domain administrator.R80.10 Gateways and above will have the ability to utilize layers in new ways:Unifying all blades into a single policy (How to use the unified policy? )Segregating a policy into more ordered layers, not necessarily by bladesAllowing sub-policies inside a rulebase, with the use of inline layers (How do I define diffrent policies to diffrent users? )Message was edited by: Tomer Sole
Howard_Gyton inside Policy Management a week ago
views 130 1

R80.30 - Services port conflict recurring

When we push policy, it succeeds but we get a warning stating that there are multiple services which both have 'Match for any selected'.When I first did this there were 10 pairs, so I worked through those.  At the next policy push it found another two.  And the next.  And the one after that.I don't know why, but it is drip feeding me information and doesn't list them all.  At every change I make another new pair appear for some reason.Is this expected?  If so, it's not very user friendly as I would prefer to fix them all in one go.Howard
ledesgagnes inside Policy Management a week ago
views 181 6

Unable to allow a URL via WIFI but works from Ethernet

Hi,To put in place a context, I am replacing a previous IT manager who left the enterprise several months ago.I had a request put in place to allow certain URL which are in the Alcohol & Tobacco. So I went in Blade, under application and URL filtering and added a rule to allow this category.I went with a source of: AnyDestination: InternetApplication: Category Alcohol & TobaccoAction: Allow When I am on the network, the rule work without any issue. Once I disconnect the cable and get on the wifi and hit the same URL, I am sent to a Check Point Application Control Page, where it says that Access is blocked according to the organization security policy. It also provide a Reference: 0B34CDBD. I did research on the web and I've looked around in Blade but didn't find anything that differentiate Ethernate from WIFI. Thanks