Maarten_Sjouw
Maarten_Sjouw inside Policy Management 4 hours ago
views 14

Inline layer without cleanup

Ok, here is my understanding of inline layers, and in the meantime I really doubt whether this is correct. I have a number of /29 networks that are part of a /24 and all need access to some specified services. Each of these /29s has its own specific access inline layer with inbound and outbound cleanup rules. Now I added an access rule with an inline layer to allow the centralized services, of which a part is based on URLs and part on specific IPs. Now my assumption was that when you do NOT add a cleanup rule in the /24 inline layer, the matching will continue through the rest of the rulebase, thus hitting the specific rules for the /29. Today someone told me that traffic was allowed that should not be allowed; all I can think of is the message on the /24 inline layer that says: "Missing Cleanup-rule - Unmatched traffic will be accepted and not logged". So the main question here is: is this really true?
Serebryakov_Dmi
Serebryakov_Dmi inside Policy Management yesterday
views 30

Inspection Settings - Profile cloning feature required

Hi All, I'm a little confused by the impossibility of cloning an Inspection Profile in R80+ management (R80.20 and R80.30): Manage & Settings -> Inspection Settings -> Profiles. I can only make a new inspection profile. The "New" Inspection Profile is created with default settings (the same as the "Default Inspection" Profile); almost all parser settings are Inactive. Is there any way to make a "New" Inspection Profile the same as the "Recommended Inspection" Profile? A lot of movements and mouse clicks need to be done in order to bring the "New" Inspection Profile to a more or less normal (secure) state 🙂 since we use nearly all non-heavy-load inspections.
sergio_s
sergio_s inside Policy Management yesterday
views 164 2

Access-rules package Import error

Hi All, I have used "Python tool for exporting/importing a policy package or parts of it" to import objects and ACLs. All works fine until the access-rule import, which fails with the following message: Failed to import access-rule. Error: message: enable-firewall-session code: generic_err_invalid_parameter. How can I correct the issue? Thanks
Shiva_B
Shiva_B inside Policy Management Tuesday
views 160 2

Block Nudity Images in Search Engine Results

Hi, Our IT manager has asked whether it is possible to block the images that appear in a Google search if someone searches for the word porn.
David_Spencer
David_Spencer inside Policy Management Tuesday
views 1314 17

Allowing custom site with external hosted images

We have a custom site that we've created an access rule for, so that all users are able to access it. However, the page only partially loads. Looking into the logs shows that the images used by the website fail to load, as they are being blocked because they are hosted on an external site (*.cloudfront.net) that isn't explicitly allowed. I'd like to be able to allow the site to load these pages for our users without whitelisting cloudfront.net. I feel like this is doable, but I'm missing something.
Andres_Gonzalez
Andres_Gonzalez inside Policy Management Monday
views 1108 3

Allow selected YouTube videos

Hello, I need to allow certain known YouTube videos while keeping all other streaming filtered. How can I do that?
Danny
Danny inside Policy Management Monday
views 21441 42 41

Properly defining the Internet within a security policy

Let's discuss! There are various methods of defining the Internet within your firewall security policy. I've showcased the five most common methods in the screenshot below. The proper firewall definition of the Internet depends on your needs! This discussion shall raise your awareness that it's required to evaluate your specific demand to avoid using * Any or All_Internet by default.

Method 1: Using the default * Any definition
Pro: Allows for proper Security Policy verification checks.
Con: Any is not the Internet. In an ideal security world, you shouldn't use * Any in any of your firewall rules.

Method 2: Using the default IP Address range: All_Internet (0.0.0.0-255.255.255.255)
Pro: While Hide-NAT on "Any" source doesn't work, using All_Internet as the source will do the job.
Con: The Internet consists of various networks: public, private and other ones. In a security environment you operate all kinds of corporate networks, DMZs, VPNs, Remote Users, Office Modes and many more entities using IP addresses. From a firewall security point of view the Internet definition means everything that is not internally, branch office, Site-to-Site or Remote Access VPN connected. For a firewall the Internet is everything else: public, untrusted, external. A simple IP Address range object with the name All_Internet provokes many misunderstandings. A security reviewer, like me, would be happy that * Any was replaced with an object someone hopefully took care of properly defining what the Internet for that specific firewall implementation is. Only when looking deeper into the object does it become clear that this definition is even worse than * Any, because it might supersede the automatic validation checks Check Point does. Please see the Global Properties for Non Unique IP Addresses shown below.

Method 3: Using a Group with Exclusion (Any except all corp. networks, branch office networks, VPN encryption domains, office mode networks, RFC 1918 networks and so on)
Pro: Easy to use and understandable for humans within normal firewall administration.
Con: Groups with Exclusion are very complex for automatic firewall validation checks, hard to troubleshoot for humans, known to sometimes cause issues when used in VPN encryption domains and therefore have many limitations (sk97246, sk101506, sk107543, sk107417, ...). Also, what is * Any from a firewall's perspective? How does a firewall define * Any? Are there exclusions from * Any? For Services everyone knows that Check Point by default excludes X11 from Any. How about Networks?

Method 4: Using the Application and URL Filtering object 'Internet'
Pro: Only applies to traffic heading outside the corporate network, to the DMZ and external interfaces. The object distinguishes between internal and external addresses.
Con: This is only the default destination for Application and URL Filtering rules, so you can only use this object in the destination column of Application and URL Filtering enabled rules and layers.

Method 5: Negating a group that contains all your networks (similar to Method 3 without using a Group without Exclusion)
Pro: Perfect definition of the Internet for the firewall and all of its automatic verification and validation mechanisms. Simple negation of all networks that your firewall 'knows' not to be part of the public, untrusted, external Internet.
Con: Harder to understand for humans, especially in security policies with advanced complexity.

Appendix: Menu > Global Properties > Non Unique IP Addresses
In the above window you can see the non-unique IPv4 and IPv6 address ranges. Security Management considers addresses that are routable on the Internet as unique, and private, non-routable addresses as being non-unique (duplicated). It is possible to add address ranges to the default list. There is normally no need to change the default addresses. This list is used by SmartDashboard to perform automatic validity checks on addresses.

IPv4 Addresses
RFC 1918 documents private address spaces which may be used on internal networks that will not have hosts directly connected to the Internet. The Internet Assigned Numbers Authority (IANA) has set aside the following three blocks of IP addresses for internal (private) network use:
Class A network numbers: 10.0.0.0–10.255.255.255
Class B network numbers: 172.16.0.0–172.31.255.255
Class C network numbers: 192.168.0.0–192.168.255.255
In an intranet that uses private addresses, a Check Point Security Gateway NAT gateway is put in place to connect the intranet to the Internet and translate the private addresses to routable addresses. The default list of non-unique addresses is the three ranges specified in RFC 1918.

IPv6 Addresses
There are so many IPv6 public addresses that it is not usually necessary to assign private IPv6 addresses for an internal network. There is a "Unique Unicast" IP range of fc00::/7 that can be used for private IPv6 addresses as specified in RFC 4193.
GUEYDON_Olivier
GUEYDON_Olivier inside Policy Management Saturday
views 465 1

Security rule for domain computer

Hi team, I'm running a cluster of two 5400 SGs and a SmartConsole, in R80.10, with Identity Awareness and AD Query for a MS Active Directory Domain. I've created some Access Roles that match our AD groups. But I'm confused with generic AD groups, like the Domain Users and Domain Computers dynamic groups, and the Access Role options: Any user/All identified users or Any machine/All identified machines. For some reason, some traffic has no source user name, so I'd like to set up security policies with the Access Role "Domain Computers" and no source user. Is there a way to do so? Thanks for any help!
Miguel_Hernes
inside Policy Management Saturday
views 380 1
Employee

Check Point integration with MineMeld

Hi mates, Has anyone used MineMeld as an IOC source in R80? I found information about how to use etknown, tor, bruteforce, talos, blocklistde, malwaredomainlist, sslabuse and zeus, but not MineMeld. Thanks in advance. Miguel.
Danny
Danny inside Policy Management Friday
views 15270 23 25

CPT - Check Point Packet Trace Utility?

Will Check Point release a management plugin that offers a similar functionality to Cisco's ASDM packet tracer anytime soon? I'm thinking about coding it on my own for quite some time. Shall I start or wait for Check Point?
Manoj_Pallapoth
inside Policy Management Thursday
views 346 2
Employee

sslv

Hi everyone, Can someone provide me a solution for this?
1. There is a Windows PC behind a CP firewall.
2. When this PC tries to access the Internet, the user should be asked for authentication and only then should be able to access the Internet. (*Note: This all should happen through SSL VPN only.)
David_Spencer
David_Spencer inside Policy Management Thursday
views 608 3

Create a Custom Site Category

Is it possible to create a custom Site Category in R80.10? I can do an override categorization, but I'd like to create my own categories to override with. I see user categories that can be created, but not sites. For example, I want to create a Weather category and do an override categorization for weather.gc.ca to be in the Weather category (currently categorized as news/media and government/military). This way I can create a security policy allowing people out to the Weather category, and can add more sites to this category as needed.
Markus_Malits
Markus_Malits inside Policy Management a week ago
views 772 3 2

Smart Console filtered rule export, including resolved object details

Hi, one of my customers is having a challenge with exporting filtered rules to CSV. This is AFAIK not possible at the moment in Check Point R8x SmartConsole, and I think it should be low-hanging fruit to develop, and a feature that adds to its reputation as the premium gold-standard GUI in firewall management. What are your opinions on that one? Quick set of screenshots to make the problem clear:
1. In demo mode, filter for a subnet.
2. Use export to CSV.
3. Realize the export contains all rules, and that there is no "export filtered rulebase" option.
When this would be considered to be developed by R&D, it would be nice to have a possibility to export the relevant list of objects / groups as well. The use case for this customer is to report all relevant rules (and have the details about srcs/dsts) for a tenant, while rules are spread across the rulebase of this perimeter firewall.
Looking forward to your comments
Best regards
Markus
Danny
Danny inside Policy Management a week ago
views 252

SmartConsole R80.20 (GA Build 053) released

Check Point released SmartConsole R80.20 Build 053 as General Availability on June 13th, 2019, replacing Build 046. [ Download ] Portable version

Resolved issues (SmartConsole - General Availability Build 053, 13 June 2019):
- MB-30, PMTR-34967: New validation added: Starting from R80.20, ClusterXL does not support Load Sharing mode. SmartConsole blocks such configuration with a warning message.
- PMTR-35587, PMTR-35383: In a rare scenario, SmartConsole unexpectedly terminates when searching in the search bar or browsing the gateway's list either on Domain or on MDS level.
- PMTR-32163, PMTR-25752: "There are no Anti-Bot update statuses. Validate SIC connectivity and install policy for Anti-Bot enables gateways" message on Anti-Bot update failure. Refer to sk149153.
Networks_Winter
Networks_Winter inside Policy Management a week ago
views 3340 9

URL Filtering: Computers / Internet Category

We are running a trial with App & URL Filtering on R80. At the moment we have used the CP categories to broad-stroke sites and apps we want to block. We hit an issue with the category Computers / Internet, which contains a bunch of stuff (some quite random) that we want to block. Our issue is that this category also contains CDN networks, so it breaks a bunch of stuff. Options seem to be:
1 - Enable the block on the category and triage the CDN issues.
2 - Ignore the category and simply block the apps within it. Feels like this will also open us up to whatever URLs are filtered in that category.
Wondering how other people in the community have handled this?