cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post
Lesley_Willems2
Lesley_Willems2 inside Policy Management an hour ago
views 1198 5

Application Control AD service not matching

Hi all, I'm trying to use the predefined AD service in a access rule but the rule will not be hit. Traffic is from cliënt to domain controller. The AD service comes from the application/categories which is in the object categories. Is it even possible to use it in the way as I decribed? Manual made services will match the rule. TIA!BR,Lesley
HS
HS inside Policy Management yesterday
views 277 13

Hotfix Ongoing Take 87

Hi,we need to get protect against CVE-2019-11477, CVE-2019-11478 & CVE-2019-11479: TCP SACK PANIC - Linux Kernel vulnerabilities. Refer to sk156192.We are running R80.20 take 17 and we don't find any Checkpoint official documentation about the hotfix take 87. Does anyone already install the ongoing take 87. We don't have idea the minimal requirements for take 87 ? We are under take 17 far away from general availability take 47. Install take 87 before take 47 it is good idea ?thank you for help.
Stephan_Lanfer
Stephan_Lanfer inside Policy Management Monday
views 90 4

R80.20.M2 Silent Install

Hello,are there any silent install parameters for the SmartConsole.exe for R80.20.M2?The old "smartconsole.exe -s" doesn't work anymore!RegardsStephan
Blason_R
Blason_R inside Policy Management Sunday
views 196 6 1

Unable to connect to McAfee SIEM via LEA after upgrade to R80.20

Hi Folks,I just migrated Smart-1 appliance from R77.30 to R80.20 however after migration observed that SIEM servers could not pickup the logs via LEA. Any help is greatly appreciated.
GGiorgakis
GGiorgakis inside Policy Management Saturday
views 71 2

Can we control download bandwidth from appControl in R80.20?

Can we control download bandwidth from appControl in R80.20?For example can i limit the bandwidth only when download from youtube?
Alan_Dressner1
Alan_Dressner1 inside Policy Management Friday
views 67 1

SmartMove Policy Creation and future requests SmartMove_5_1_7078_13288

At the time of this writing the current version is SmartMove is SmartMove_5_1_7078_13288.When I use this tool to covert a Cisco ASA policy the tools creates the layers but does not associate the layers with the policy. I have to manually copy the rules from the layers and paste them into the correct policy.I would also like to see the the following options added if possible to the tool for better functionality:1.) add an option to create the policy in in-line mode or ordered.2.) add an option to use set-if-exists in the scripts3.) add an option to use a specific user to run the scripts. It is better to review the created policy without auto publishing. Sometimes what the tool creates and what is needed are not the same.4.) add an option to help avoid creating duplicate objects
Tomer_Sole
inside Policy Management Thursday
views 3575 13 16
Mod

Did you know? SmartConsole Tags

R80 and R80.10 provide a new feature for ease of security management: Tags.We have presented it in Check Point conventions dating back to 2013 - it's time that we discuss them at CheckMates as well The purpose with tags is to ease the searches and associations of objects. You can tag any object from its Object Editor, as well as with the Security Management CLI or API. You can then search for all objects that belong to a specific tag.In the Object Explorer:When picking objects in places like security policies:In addition of simplified user experience, Tags have good value in the world of automation and orchestration.
Lijo_mathai
Lijo_mathai inside Policy Management a week ago
views 187 10

Unable to clone policy package in R80.20

Hi, after upgrading to R80.20 and applying take 47, i am unable to clone the existing policy package. Is there anything i am missing. I checked there is no validation error for the name i used to clone, but still i am unable to clone the policy. Attached is the error i faced.
kobilevi
kobilevi inside Policy Management a week ago
views 122 4

Can checkpoint Block Acces by Geo for only 1 or more object?

helloi using check point R80 gaia managment i want to enable access by location to my local web site , can i do it? **(enable geo policy by access policy to 1 or more objects)
Blason_R
Blason_R inside Policy Management a week ago
views 121 3

Facing enormous issues while upgrading from R77.30.03 to R80.30

Hi Team,I have Smart-1 210 with initially gone for On-prem Capsule DOCS & Capsule Workspace integrated with on-prem Exchange server. Even have installed Reverse proxy patch installed on mgmt appliance.Now I have been struggling to upgrade as migrate export is giving me issues even after excluding epm db. Since later customer did not have used DOCS we stopped EPM blade and install database so hopefully, EPM must have de-activated.But still, I am unable to take migrate export for the of-line upgrade. Even Pre-upgrade verifier is failing and I believe this is all due to EPM blade?What is the other way as I do not have any redundancy for Mgmt server since that is an appliance.Can someone please suggest?******************[Expert@xxxx-xxxx:0]# ./pre_upgrade_verifier -p $FWDIR -t R77 -t R80.30 -f output.txtReadFwsetFromSqlFile: 2 Error reading from database for file /opt/CPsuite-R77/fw1/conf/grc_test_elements.sqlite. Error is:********************Expert@xxxx-xxxxx:0]# ./migrate export xxx-xxxx.tgzExecution finished with errors. See log file '/opt/CPshrd-R77/log/migrate-Sun_Jul__7_11-06-21_2019.log' for further details.###################[7 Jul 11:06:21] .<-- GetVersionString[7 Jul 11:06:21] .--> UpgradeMacroReplacer::Instance[7 Jul 11:06:21] .<-- UpgradeMacroReplacer::Instance[7 Jul 11:06:21] .--> UpgradeMacroReplacer::Instance[7 Jul 11:06:21] .<-- UpgradeMacroReplacer::Instance[7 Jul 11:06:21] .--> ExecCommandGetOutput[7 Jul 11:06:21] [ExecCommandGetOutput] Going to execute command: '"/opt/CPsuite-R77/fw1/bin/upgrade_tools/././pre_upgrade_verifier" -p "/opt/CPsuite-R77/fw1" -c 6.0.4.0 -t 6.0.4.0'[7 Jul 11:06:23] [ExecCommandGetOutput] ERR: Command completed with error code -1[7 Jul 11:06:23] .<-- ExecCommandGetOutput[7 Jul 11:06:23] [PreupgradeVerifierRunner::exec] ERR: Preupgrade verifier had failed[7 Jul 11:06:23] [PreupgradeVerifierRunner::exec] Preupgrade verifier's output:-------------------------------------Plugin upgrade match command failedWarning: Can't find ::CPSB-NGEP in cp.macro. License version might be not compatible-------------------------------------[7 Jul 11:06:23] <-- PreupgradeVerifierRunner::exec[7 Jul 11:06:23] [ActivitiesManager::exec] ERR: Activity 'PreupgradeVerifierRunner' failed[7 Jul 11:06:23] [ProgressUpdater::UpdateProgressToGaia] Progress Updated to '25[7 Jul 11:06:23] [ActivitiesManager::exec] WRN: Activities execution finished with errors[7 Jul 11:06:23] [ActivitiesManager::exec] WRN: Activities 'PreupgradeVerifierRunner' have failed[7 Jul 11:06:23] [ActivitiesManager::exec] Designated exit code is 1######################
Abeja_huhuhu
Abeja_huhuhu inside Policy Management a week ago
views 95 2 1

How to block all other country and only accept destination service from specific country

Hi Guys, i would like to know is it possible for us to create a rule that only accept connection coming from specific country for speficic services?i believe the first portion can be done using clean up rule or spefic drop rule but then the most important part is to only allow access specific service from specific country for eg: singapore, as we are not able to list down all malaysia subnets inside this rules.please advise.
Charris_Lappas
Charris_Lappas inside Policy Management 2 weeks ago
views 80 1

Office Mode security policy

Hi,What's the best way to define a security policy on R80.20 when using the CheckPoint VPN client? For Mobile access we get the option to define a policy based on AD user. We would like to have the same sort of policy when that same user is using the VPN client. Please advice Charris Lappas
Jigar_Shah
Jigar_Shah inside Policy Management 2 weeks ago
views 67 1

View Firewall Rules in CLI for specific Object

1Hello,Please help me with the CLI command to view the firewall rule for specific object which is being used in multiple rules. Thanks in advance!
Alejandro_Lansa
Alejandro_Lansa inside Policy Management 2 weeks ago
views 1285 4

Replace Proxy with Checkpoint Application Control and URL Filtering

I would like to replace our current Proxy with the Application Control and URL Filtering functionalities from Checkpoint Firewall. I have installed a Security gateway to Test but I experience some problems.Requirements:Non Transparent ProxyIntegration with Identity AwarenessEach Group of users have access to a Group of URL CategoriesConfigurationCheckpoint R80.10 With the following Blades: Firewall, Application Control, URL Filtering, Anti-Bot, Anti-Virus, Identity Awareness and Content AwarenessThe Security Gateway is configured as HTTP/HTTPS Proxy – Port 8080There is a Rule to allow access from clients network to the Security gateway – Port 8080Identity Awareness is configured with Identity collector and works fine.A rule allows access from the clients network to a Group of URLs “Trusted Sites”Some rules allow access from user access roles to some groups of CategoriesIn the Implied Policy, the option “Accept outgoing packets originating from Gateway” is configured as “Before last”Behavior:All Clients have access to all URLs.In the Log I can see 2 connections: One from the client to the Security Gateway, port 8080, allowed and the other one from the Security Gateway to Internet allowed by Implicit Rule 0. In the second rule there is neither information about the client IP nor the client user.When I disable the implicit rule that allow outgoing packets originating from the Gateway, the clients cannot access any URL.There is probably something wrong in my design. Can the security gateway work as a Proxy and at the same time filter what URL can use a group of Clients?
Christopher_Ta1
Christopher_Ta1 inside Policy Management 2 weeks ago
views 910 8 4

How to create in R80.10 an email alert if the policy is already expired

How to create an email alert if the policy is already expired? Or is there any logs where I can see which policy is already expired?