Tomer_Sole
inside Policy Management yesterday
views 32859 18 27
Mod

Layers in R80

I would like to clarify the use of layers in R80 Management Server and SmartConsole.

A layer is a set of rules, or a rule-base. R80 organizes the policy with ordered layers. For example, Gateways that have the Firewall and Application control blades enabled, will have their policies split into two ordered layers: Network and Applications. Another example is Gateways that have the IPS and Threat Emulation blades enabled, will have their policies split into two ordered layers: IPS and Threat Prevention. For Pre-R80 Gateways, this basically means the same enforcement as it always was, only in a different representation in the Security Management.

Ordered layers are enforced this way: When the Gateway matches a rule in a layer, it starts to evaluate the rules in the next layer.

The layers concept opens more options for policy management:
- Setting different view and edit permissions per layer for different administrator roles.
- Re-using a layer in different places: The same application control layer in different policy packages (Sharing a layer across different policies), or the same inline layer for different scopes.
- Explaining global and local policies in Multi-Domain with the same feature set of layers: A domain layer will be the set of rules that are added in each domain by the domain administrator.

R80.10 Gateways and above will have the ability to utilize layers in new ways:
- Unifying all blades into a single policy (How to use the unified policy?)
- Segregating a policy into more ordered layers, not necessarily by blades
- Allowing sub-policies inside a rulebase, with the use of inline layers (How do I define diffrent policies to diffrent users?)

Message was edited by: Tomer Sole
Baasanjargal_Ts
Baasanjargal_Ts inside Policy Management yesterday
views 922 5

I cannot delete gateway object

I cannot delete the gateway object because it is used on the Objects (gatewayStaticprofilesConfiguration -> Assignment Profiles). I don't know how to delete that object.
Markus_Malits
Markus_Malits inside Policy Management Wednesday
views 909 6 3

Smart Console filtered rule export, including resolved object details

Hi,

one of my customers is having a challenge with exporting filtered rules to CSV. This is AFAIK not possible at the moment in Check Point R8x SmartConsole - and I think it should be low hanging fruit to develop, and a feature that adds to reputation as the premium gold standard GUI in firewall management.

What are your opinions on that one? Quick set of screenshots to make the problem clear:
- In demo mode, filter for a subnet
- use export to CSV
- realize the export contains all rules, and that there is no "export filtered rulebase" option

If this were considered for development by R&D, it would be nice to have a possibility to export the relevant list of objects / groups as well.

The use case for this customer is to report all relevant rules (and have the details about srcs/dsts) for a tenant, while rules are spread across the rulebase of this perimeter firewall.

Looking forward to your comments

Best regards
Markus
TAEKBOM_Kim
TAEKBOM_Kim inside Policy Management Wednesday
views 63 2

URL regular expression in Threat Emulation Exceptions

Hi,

I want to make an exception for access to the XXXX.XXX.r.cloudfront.net.

<Event Log>
Resource-> http://aldn.altools.co.kr/setup/ALZip1092.exe
Destination->
server-52-85-230-110.icn55.r.cloudfront.net (52.85.230.110)
server-13-225-132-39.icn54.r.cloudfront.net (13.225.132.39)
server-99-86-144-55.icn51.r.cloudfront.net (99.86.144.55)
server-52-85-230-85.icn55.r.cloudfront.net (52.85.230.85)
..... ... ..

<I did it this way, but I failed to make an exception.>
* disabled URLs defined as Regular Expression

Does anyone know how to make an exception?
emre
emre inside Policy Management Wednesday
views 67 2

how to find conflicts rules in firewall

Hi,

How can I find conflicting or matching rules in the firewall rules? I looked in the Compliance blade but I didn't find anything about this. For example, it could tell me that rule2 and rule3 match. Applications such as Skybox, AlgoSec, etc. can do this, but I want to do it with Check Point management.
PhoneBoy
inside Policy Management Tuesday
views 9499 26 18
Admin

SmartMove: Convert Cisco ASA Policy to Check Point

Check Point SmartMove tool enables you to convert 3rd party database with firewall security policy and NAT to Check Point database.

At the moment, the tool handles Cisco ASA (version 8.3 and above) configuration file and converts its objects, NAT and firewall policy to a Check Point R80.10 policy. The tool is planned to support additional vendors in the future.

Source is available on GitHub: SmartMove
Clement
Clement inside Policy Management Monday
views 96 2

Verify Access Control Policy and Sub-policies usage

I have an Access Control Policy which is made of the following:
- Global Policies
- Multiple Sub-policies, used for zone-to-zone purpose (we migrated from Juniper, which used zones)

Unfortunately, I realized that the Verify Access Control Policy tool is not comparing rules across sub-policies. Is there a way to force the tool to verify global policies against sub-policies?
Christoph
Christoph inside Policy Management a week ago
views 1028 8 1

Windows UI Scaling breaking R80.20 UI

I'm using the latest SmartConsole for R80.20 on Windows 10 and there are multiple areas where the UI breaks.

I run a dual monitor setup: 4k 3840x2160 on a 42" with the recommended 150% scaling and 2736x1824 on a 13" with the recommended 200% scaling.

Doing a few tests, it looks like most, if not all, problems are in the 150% scenario. The 200% feels OK.

Reading CheckMates, it sounds like there shouldn't be problems with R80.10 regarding Windows scaling, but with R80.20 there are problems all over the place.

A few examples:

Compliance blade:
- Regulatory Compliance graphs are out of the screen with no scroll bars, or only a hint of text is recognizable and overlaps with graphs.

Cluster object:
- Network Management: Not all networks are shown. No scroll bar. You can still reach and alter these networks blind with cursor and enter keys.
- General: Opening a dialog with a scaling of X on one monitor and moving the dialog to another screen with a different scaling keeps the initial scaling. Maybe a Windows feature.
Gerrard_Leach
Gerrard_Leach inside Policy Management a week ago
views 5071 19 1

Error installing SmartConsole R80

Hello, I am attempting to install SmartConsole R80 and R80.10 on a Windows 2012 server. The installer gets to about 90% and then fails. I receive an error log and it shows it can't find SmartConsolePreInstall.bat and yet I see it in the folder.

[10-3-2017 15:25:05] OnInstallingFile: File=C:\Program Files (x86)\CheckPoint\SmartConsole\R80\PROGRAM\ExternalPackages\.NetframeworkInstaller.msi
[10-3-2017 15:25:05] OnInstallingFile: File=C:\Program Files (x86)\CheckPoint\SmartConsole\R80\PROGRAM\ExternalPackages\DotNetSetup.exe
[10-3-2017 15:25:05] OnInstallingFile: File=C:\Program Files (x86)\CheckPoint\SmartConsole\R80\PROGRAM\ExternalPackages\dotnetconf.txt
[10-3-2017 15:25:05] OnInstallingFile: File=C:\Program Files (x86)\CheckPoint\SmartConsole\R80\PROGRAM\ExternalPackages\WindowsInstaller31.exe
[10-3-2017 15:25:05] OnFirstUIAfter: Function Start
[10-3-2017 15:25:05] Call_SmartConsolePostInstall: Could not find C:\Program Files (x86)\CheckPoint\SmartConsole\R80\PROGRAM\SmartConsolePreInstall.bat
[10-3-2017 15:25:05] WriteProgressBarValuesToRegistry...
[10-3-2017 15:25:05] | SOFTWARE\CheckPoint\Check Point Product Suite\ProgressBar ,percent ,70 | was set
[10-3-2017 15:25:05] WriteProgressBarValuesToRegistry - END
[10-3-2017 15:25:05] ProgramAfter: Function Start
[10-3-2017 15:25:05] UpdateRegistry: Function Start
[10-3-2017 15:25:05] SetComponentsReg: COMPONENT1 Installed
[10-3-2017 15:25:05] SetComponentsReg: COMPONENT3 Installed
[10-3-2017 15:25:05] SetComponentsReg: COMPONENT7 Installed
[10-3-2017 15:25:05] SetComponentsReg: COMPONENT10 Installed
[10-3-2017 15:25:05] SetComponentsReg: COMPONENT4 Installed
[10-3-2017 15:25:05] SetComponentsReg: COMPONENT5 NOT Installed
[10-3-2017 15:25:05] SetComponentsReg: COMPONENT6 Installed
[10-3-2017 15:25:05] SetComponentsReg: COMPONENT9 NOT Installed
[10-3-2017 15:25:05] SetComponentsReg: COMPONENT11 Installed
[10-3-2017 15:25:05] SetComponentsReg: COMPONENT12 Installed
[10-3-2017 15:25:05] SetComponentsReg: COMPONENT13 Installed
[10-3-2017 15:25:05] SetComponentsReg: COMPONENT2 Installed
[10-3-2017 15:25:05] SetComponentsReg: COMPONENT14 Installed
[10-3-2017 15:25:05] SetComponentsReg: COMPONENT15 NOT Installed
[10-3-2017 15:25:05] SetComponentsReg: COMPONENT16 Installed
[10-3-2017 15:25:06] ProgramAfter: Vc8 already installed
[10-3-2017 15:25:06] WriteProgressBarValuesToRegistry...
[10-3-2017 15:25:06] | SOFTWARE\CheckPoint\Check Point Product Suite\ProgressBar ,percent ,75 | was set
[10-3-2017 15:25:06] WriteProgressBarValuesToRegistry - END
[10-3-2017 15:25:06] CPLaunchApp: Failed to load DLL - C:\Users\gleach\AppData\Local\Temp\2\{9F8DC9EF-F853-4FB6-BC6F-13C202BEDFC0}\{F29C8957-4268-4505-A717-C0F75F6B075E}\system.dll
[10-3-2017 15:25:06] OnAbort: Installation aborted.
[10-3-2017 15:25:06] WriteProgressBarValuesToRegistry...
[10-3-2017 15:25:06] | SOFTWARE\CheckPoint\Check Point Product Suite\ProgressBar ,percent ,75 | was set
[10-3-2017 15:25:06] | SOFTWARE\CheckPoint\Check Point Product Suite\ProgressBar ,status ,failed | was set
[10-3-2017 15:25:06] | SOFTWARE\CheckPoint\Check Point Product Suite\ProgressBar ,prevStatus ,failed | was set
[10-3-2017 15:25:06] WriteProgressBarValuesToRegistry - END
Jake_Williams
Jake_Williams inside Policy Management a week ago
views 102 1

Inline layer vs separate rules

I finally got my firewalls all updated to R80.20 so now I'm looking at taking advantage of the layer options. One thing that occurred to me and I haven't been able to find an answer so far is how to best optimize rules when taking the inline layers into account.

For example, say I have a firewall management rule section that allows certain traffic to the firewall. One rule for SSH/HTTPS from managers, one for DHCP requests to the firewalls, one for SNMP from our monitoring servers, etc. Is there a reason not to make those an inline policy with the main policy just src: Any dst: Firewalls svc: Any? Would doing it as an inline layer speed up the firewall itself, or does it split it out into the separate layers when it pushes policy (the inline layers are just for management ease of use/reuse)?

Thanks!
Jake
Haris_Chaudhry
inside Policy Management a week ago
views 5089 15
Employee

Firewall allowing traffic without Access Policy

Hello, I am new here. I am having an issue with an R80.30 Gateway that is allowing inbound traffic on 443 without an access policy in place. I think it is based on NAT. I do have a DNAT in place for 443 traffic; I thought the Access policy must be matched in order to allow traffic? The said traffic is not showing up in any logs either. With fw monitor I can see the traffic hit the WAN side but I can't see any other details after that. I am filtering based on source IP.

fw monitor -m iIoO -l 56 -T -e '{accept(((src=123.32.234.234,dport=443) or (sport=443,dst=123.32.234.234)),[9:1]=6);}'
Feridun_ÖZTOK
Feridun_ÖZTOK inside Policy Management a week ago
views 3809 20 3

SmartConsole object problem on Windows 1903

Hello everyone,

I formatted my computer with Windows 10 version 1903 and installed the latest SmartConsole R80.10 and R80.20. I found a cosmetic bug. The bug is in the object panel and object explorer: item names are duplicated or displayed wrongly. However, the description is correct in object explorer. When I clicked an object, I saw the correct value. The problem is not just in hosts; services, application categories, etc. have the same problem. My computer's language and regional settings are English; my friend's computer's language and regional settings are Turkish, and he has the same problem. Sorry for my bad English. I'm uploading screenshots. Does anyone else have this problem?
Tom_Cripps
Tom_Cripps inside Policy Management a week ago
views 72 5

Certificate validity time hours after creation time

Hi,

I've recently recreated our HTTPS inspection certificate due to it expiring soon but it created the certificate with a valid from time 3 hours after creation?

Is this normal behaviour or has something gone wrong in the creation process? Due to this issue we've had to turn off HTTPS inspection until after the valid from time.

Any help is appreciated

Tom
Daniel_Hainich
Daniel_Hainich inside Policy Management 2 weeks ago
views 88 4

Policy Verification

Hi,

I am using R80.20 with SmartConsole Version 055.

Within "Verify Access Control Policy" there is no error. When I start to install the policy, it ends with an error.

Is it a bug, or is the Verify not able to check inside sub-layers?

Thanks
Daniel
Daniel_Westlund
Daniel_Westlund inside Policy Management 2 weeks ago
views 6113 13 6

R80.20 and Database Revision

I have heard from several customers asking for a return of Database Revision Control in R80.X. I know every policy is backed up, but once an object is deleted, it can no longer be recovered with anything short of a full restore from backup since DB Revision is gone. My question is this: I'd heard that there were plans to bring it back in a future version. As it's not there in R80.20, does anyone know if there are plans to bring it back, and if so, in which future version?