GUEYDON_Olivier
GUEYDON_Olivier inside Policy Management yesterday
views 40 1

Security rule for domain computer

Hi team, I'm running a cluster of 2 5400 SG and a SmartConsole, in R80.10, with Identity Awareness and AD query for a MS Active Directory Domain. I've created some Access Roles that match our AD groups. But I'm confused with generic AD groups, like Domain Users and Domain Computers dynamic groups. And the Access Role options: Any user/All identified users or Any machine/All identified machines. For some reasons, some traffic has no source user name, so I'd like to set up security policies with the Access Role "Domain Computers", and no source user. Is there a way to do so? Thanks for any help!
Miguel_Hernes
inside Policy Management yesterday
views 46 1
Employee

Check Point integration with Minemeld

Hi mates, Has anyone used Minemeld as an IOC source in R80? I found information about how to use etknown, tor, bruteforce, talos, blocklistde, malwaredomainlist, sslabuse, zeus but Minemeld. Thanks in advance. Miguel.
Danny
Danny inside Policy Management Friday
views 14738 23 24

CPT - Check Point Packet Trace Utility ?

Will Check Point release a management plugin that offers a similar functionality to Cisco's ASDM packet tracer anytime soon? I'm thinking about coding it on my own for quite some time. Shall I start or wait for Check Point?
Manoj_Pallapoth
inside Policy Management Thursday
views 46 2
Employee

sslv

Hi everyone, Can someone provide me a solution on this?
1. There is a Windows PC behind the CP firewall.
2. When this PC tries to access the internet, he should be asked for authentication and then only should be able to access the internet. (*Note: This all should happen through sslvpn only)
David_Spencer
David_Spencer inside Policy Management Thursday
views 218 3

Create a Custom Site Category

Is it possible to create a custom Site Category in R80.10? I can do an override categorization, but I'd like to create my own categories to override with. I see user categories that can be created, but not sites. For example, I want to create a Weather category and do an override categorization for weather.gc.ca to be in the weather category (currently categorized as news/media, and government/military). This way I can create a security policy allowing people out to the weather category, and can add more sites to this category as needed.
Markus_Malits
Markus_Malits inside Policy Management Thursday
views 131 3 2

Smart Console filtered rule export, including resolved object details

Hi, one of my customers is having a challenge with exporting filtered rules to CSV. This is AFAIK not possible at the moment in Check Point R8x SmartConsole - and I think it should be low hanging fruit to develop, and a feature that adds to reputation as the premium gold standard GUI in firewall management. What are your opinions to that one? Quick set of screenshots to make the problem clear: In demo mode, filter for a subnet. Use export to CSV. Realize the export is containing all rules, and that there is no "export filtered rulebase" option. When this would be considered to be developed by R&D, it would be nice to have a possibility to export the relevant list of objects / groups as well. The use case for this customer is to report all relevant rules (and have the details about srcs/dsts) for a tenant, while rules are spread across the rulebase of this perimeter firewall. Looking forward to your comments. Best regards, Markus
Danny
Danny inside Policy Management Thursday
views 42

SmartConsole R80.20 (GA Build 053) released

Check Point released SmartConsole R80.20 Build 053 as General Availability on June 13th, 2019, replacing Build 046.

[ Download ] Portable version

Resolved issues: SmartConsole - General Availability Build 053 (13 June 2019)

| ID | Description |
|---|---|
| MB-30, PMTR-34967 | New validation added: Starting from R80.20, ClusterXL does not support Load Sharing mode. SmartConsole blocks such configuration with a warning message. |
| PMTR-35587, PMTR-35383 | In a rare scenario, SmartConsole unexpectedly terminates when searching in the search bar or browsing the gateway's list either on Domain or on MDS level. |
| PMTR-32163, PMTR-25752 | "There are no Anti-Bot update statuses. Validate SIC connectivity and install policy for Anti-Bot enables gateways" message on Anti-Bot update failure. Refer to sk149153. |
David_Spencer
David_Spencer inside Policy Management Tuesday
views 870 16

Allowing custom site with external hosted images

We have a custom site that we've created an access rule for all users to be able to access. However the page only partially loads. Looking into the logs shows that the images used by the website fail to load, as they are being blocked because they are hosted on an external site (*.cloudfront.net) that isn't explicitly allowed. I'd like to be able to allow the site to load these pages for our users, without whitelisting cloudfront.net. I feel like this is doable, but I'm missing something.
Networks_Winter
Networks_Winter inside Policy Management Tuesday
views 2955 9

URL Filtering: Computers / Internet Category

We are running a trial with App & URL filtering on R80. At the moment we have used the CP categories to broad stroke sites and apps we want to block. Hit an issue with the category Computers / Internet, which contains a bunch of stuff (some quite random) that we want to block. Our issue is this category also contains CDN networks so breaks a bunch of stuff. Options seem to be:
1 - Enable the block on the category and triage the CDN issues.
2 - Ignore the category and simply block the apps within it. Feels like this will also open us up to whatever URLs are filtered in that category.
Wondering how other people in the community have handled this?
Dor_Marcovitch
Dor_Marcovitch inside Policy Management 2 weeks ago
views 737 1

API Update object name

Hey, how can I update an object name using the API? I am using Python with the Python SDK. Thanks
Kevin_Vargo
Kevin_Vargo inside Policy Management 2 weeks ago
views 524 1 1

Access Role and Machine name

Hi - I am setting up an access role. I want to add the user's AD name and their machine name to the access role. Will this result in the rule looking at both the username and machine name to allow traffic to a dest? I was hoping so. Essentially I want to allow a specific user and their specific machine name, not one or the other. I read that the access role is all combined so I feel like this is how it works, but am not 100%. Thanks.
Tom_Vandepoel
Tom_Vandepoel inside Policy Management 2 weeks ago
views 1363 17 2

Identity Collector - Cisco ISE SXP mappings support

Hi, I've been doing some testing with an R80.20 gateway, Identity Collector and Cisco ISE 2.4 pxGrid. I've managed to interconnect these components so the basic communication is working fine (the certificate setup is quite cumbersome to be honest). I am trying to get SXP-learned IP-SGT mappings into the CP IA blade, but it seems the identity collector is not picking these up. Does this mean that identity collector will only learn IP-SGT mappings from dynamic user sessions and not from SXP-learned IP-SGT mappings? E.g. I've got the following static mapping on my test switch:
cts role-based sgt-map 172.20.21.151 sgt 6
Which is then learned over SXP by ISE: I've tried adding and removing the mappings as well but no mappings are being received on the collector, even though it is fully connected to pxgrid (and has an approved connection). The identity collector does not seem to receive these SXP mappings at all... the ISE is set to publish these on pxgrid: If this is not supported right now, is this on the roadmap? Thanks, Tom.
Yavor
Yavor inside Policy Management 2 weeks ago
views 340

R80.30 HTTPS inspection?

Hello, We are in a process of implementing Check Point Application and URL filtering, and related to this we enabled HTTPS inspection. We use R80.20 and we enabled probe bypass:
enhanced_ssl_inspection=1
bypass_on_enhanced_ssl_inspection=1
Some web sites are not properly working and we have to bypass from HTTPS inspection such using regex .*sitename.com.* Has anybody already tried how R80.30 HTTPS inspection works, and how that compares with the above described setup? Yavor
lanmanjs
lanmanjs inside Policy Management 2 weeks ago
views 951 4

R80.10 Concurrent Administrators

I am just now getting into R80.10 Administration. I am seeing that Check Point is allowing Concurrent Admins in the same Policy. My question is: What about the changes being made? If I am working on a FW making changes and at the same time another Admin is doing the same thing on the same FW and I finish before he/she does I will save my changes - do I save the other admin's changes they have completed up to that point as well? If I go ahead and push policy am I pushing the other Admin's changes they have made up to that point as well as the changes I am pushing? Once the other Admin finishes their work are they only saving/pushing the changes they completed after I pushed the Policy earlier? Finally, is there a way to differentiate who made what changes? Was this taken into consideration by UserID or?? If they are both using a shared Admin ID? I have dealt with this mess in another FW application and it caused a number of frustrations for the department.
Evan_Fisher
Evan_Fisher inside Policy Management 3 weeks ago
views 3907 16

Unused Objects Cleanup

Is there an easy way in R80.10 to clean up all unused objects or at least identify them? Our object database has been steadily growing for years and I know there are a lot of stale objects and don't want to have to manually do a "Where Used" on every object just to find the stale ones. Thanks!