Policy Management

Have a general question related to SmartConsole and/or SmartDashboard? This is the place to ask! For questions related to configuring Access Policy, including VPN, NAT, and Identity Awareness, ask in the Access Control Products space.


HeikoAnkenbrand
HeikoAnkenbrand inside Policy Management 2 hours ago
views 165 3 2

R80.20 - SNI vs. enabled HTTPS Interception

R80.20+ with enabled HTTPS interception: If HTTPS interception is enabled, the parameter host from the HTTP header can be used for the URL because the traffic is analyzed by active streaming. Check Point Active Streaming (CPAS) allows the changing of data; we play the role of "man in the middle". CPAS breaks the connection into two parts using our own stack. This means we are responsible for all the stack work (dealing with options, retransmissions, timers, etc.). An application registers with CPAS when a connection starts and supplies callbacks for an event handler and a read handler. Several protocols use CPAS, for example: HTTPS, VoIP (SIP, Skinny/SCCP, H.323, etc.), Security Servers processes, etc. CPAS breaks the HTTPS connection into two parts using our own stack. This means we are responsible for all the stack work (dealing with options, retransmissions, timers, etc.). Read more here: R80.x Security Gateway Architecture (Content Inspection)

R80.20+ without enabled HTTPS interception (SNI is used): If HTTPS interception is disabled, SNI is used to recognize the virtual URL for application control and URL filtering. Read more here: URL Filtering using SNI for HTTPS websites.pdf
Rabindra_Khadka
Rabindra_Khadka inside Policy Management 10 hours ago
views 48 2

Which policy will work first threat prevention or access control

I am very much concerned with the Check Point incoming traffic flow: which policy will work first, threat prevention or access control? If anyone has an idea, please reply to me.
pedkha1
pedkha1 inside Policy Management yesterday
views 157 5 1

web filtering with https inspection disabled

Hello, I want to do web filtering for my WiFi guest users, but it doesn't work. HTTPS inspection is disabled for the Guest subnet, so how can I achieve it without HTTPS inspection? I added the below rule to WF and I can still see traffic passing through.
alexc88
alexc88 inside Policy Management Saturday
views 219 9

commit simultaneously on various policy packages

Hi, is there a way to deploy the changes you make to an object simultaneously on all policy packages where the object is involved? Every time I need to modify an object that's involved in about 30 policy packages, I have to open each single policy package and install. I would be glad to push this kind of change in one single command or single operation. Thanks for your help
alessandrocons
alessandrocons inside Policy Management Saturday
views 182 5

Export Mobile Access R77.30 Policies

Hello Forum! I have a little question for you! Our customer is using an R80.20 Management but he didn't migrate the Mobile Access policies, so they are available in the old R77.30 Management (embedded in the R80.20 Smart Console). He asked if it is possible to export all the Mobile Access policies, but I can't find a way to do it. I read the REST API reference but I didn't find any commands that can help me. Do you have any suggestions for me? Thank you very very much. Regards, Alessandro
Blason_R
Blason_R inside Policy Management Friday
views 171 2

Checkpoint TE appliance

Hello Guys, I am integrating a firewall with a TE appliance, so I need to know whether I have to create a different policy package (network + threat) for the TE appliance?
Christian_Benit
Christian_Benit inside Policy Management Thursday
views 21358 15 9

How do you rollback an old policy?

In previous versions, one could open the current policy, make 50 changes and then save it with a different name (usually, firewall.name.date). If there was an unforeseen issue (or management decision), one could rollback easily the old policy by installing the old version where everything was working as expected. How do you handle this situation in R80? I'm not seeing an easy way to save the current policy under another name to have a way to perform change management/revision control and restore it.
mbsm
mbsm inside Policy Management Thursday
views 184 2

Updatable Object with Application Control

Hi, do the Updatable Objects only contain the IPs and Domains, or do they come with the services needed? When using Updatable Objects, should I use Application Control in the policy, or is Any just fine?
stallwoodj
stallwoodj inside Policy Management a week ago
views 260 5 1

Install Policy doesn't select Threat Prevention by default?

Hi, I have a customer with R80.30, one manager and one gateway (FW, VPN, CPMOB, APCL, URL, IA, IPS). When the customer pushes their "Standard" policy, by default only the Network Access policy layer is ticked, not Threat Prevention. In R77 there used to be a customization that I now can't see in Global Properties. Is there a way of setting both layers to be ticked by default in the install dialog? Thanks, Jamie
Daniel_Collins
Daniel_Collins inside Policy Management a week ago
views 713 17 1

R80.20 Management Performance

Hello Check Mates! I hope you can help, perhaps shed some light on an issue we're seeing with one of our customers. The customer is commercially sensitive due to some long-standing issues they've had with a 61k appliance, and a recent code upgrade on the system (management at the moment) to R80.20 has degraded performance from the customer's perspective.

What we're seeing is this:
- A slowness in stacking and unstacking the subject headings in the rulebase
- There are around 700 rules with 200 subject headings in the policy
- What we see is you press the button to drop the subject headings and then the wire frames appear for the rules; a few seconds later the rule content pops into the console
- When adding, say, objects to rules (clicking the *), there is a good second or a few seconds' delay until the search box appears.

The management server is on R80.20 with the latest T91 of the JHF installed. Very well specced, 16 cores / 18GB RAM / SSD based flash storage in VMware. The console is being run on a machine with 32 cores and 64GB of RAM, similar storage scenario. We observed the server via SSH while testing these issues and saw no noticeable load on the system, use of swap or any %WA on I/O.

From our perspective as a partner, the behaviour we see other than the rule stacking is as we'd expect from an R80.x install of management. I do not have a point of comparison for the rule stacking issue; all of the customers I have worked with as of late (in R80.x days) have significantly smaller rulebases or far fewer subject headings.

The customer was on R77.30 before and has noticed that the server performs significantly worse in R80.20 than it did previously. We can replicate these issues through a database export into a lab server as well as exporting the policy via the python script into a fresh management server; it follows the policy.

There is an element of expectation here, but this customer is commercially sensitive as we will be trying to ensure they continue to replace the 61k's with another Check Point appliance (something that's not SP based), so we're looking to see what we can do in terms of tuning up performance of the management server.

We're not in a position to re-jig the policy (in terms of in-line layers, due to the 61k being on R76SP.50 and consultancy time needed to do so prior to a replacement solution) but the policy is very tidy. Some perhaps duplication but nothing severe.

I've been through the VMware tuning guide on sk104848 and not had any noticeable difference. Any thoughts?
mbsm
mbsm inside Policy Management 2 weeks ago
views 258 3

Captive Portal Policy

Hi CheckMates, I currently enabled Browser-Based Authentication and I want to know how this will work. User1 is a member of SecurityGroup2 & 3 on the AD Server.

Here are the Access Roles details:
- WebBrowsing_Access (Network: Any; User: SecurityGroup1; Machine: Any)
- Youtube_Access (Network: Any; User: SecurityGroup2; Machine: Any)
- Social_Networking_Access (Network: Any; User: SecurityGroup3; Machine: Any)

Here are the Policies:
1. Policy Name: Youtube; Src: Youtube_Access; Dst: Internet; Action: Accept
2. Policy Name: SocialNetworking; Src: Social_Networking_Access; Dst: Internet; Action: Accept
3. Policy Name: WebBrowsing_NoYoutubeSocialNet; Src: WebBrowsing_Access; Dst: Internet; Action: Accept (Captive Portal)

When User1 accesses Youtube/Social Network sites, will the traffic hit Policy #3 and be redirected to Captive Portal? If yes, when User1 accesses Youtube or Social Network sites, does the traffic hit either policy #1 or #2? Thank you,
Chrono
Chrono inside Policy Management 2 weeks ago
views 225 1

Schedule Policy Setting

Hi Support, we need to schedule the time period for the policy/rule effective date, for example: 1st Oct to 1st Nov validity period. So, how do we do that? Thanks! Regards, Chrono
Marcus_with_C
Marcus_with_C inside Policy Management 2 weeks ago
views 345 7 1

Change Match for Any Default value

Hi community, I am looking for a way to change the default value of "Match for Any" for new Service Objects. We have an R80.20 MDM and mostly have to use "basic" service objects (TCP/UDP, no Protocol-detection and default timeouts) for our policies; a Match for Any is not needed for 95% of our objects. Since every new object that is created has Match for Any enabled, we get loads of warnings "Services port conflict. port X (udp/tcp) serves both <object1> and <object2>. Uncheck 'Match for Any' checkbox in the 'Advanced' dialogue for one of them." when installing the policy. A cleanup takes ages, and after some months it starts all over again due to new objects having been created. Many thanks, Marcus
Tom_Cripps
Tom_Cripps inside Policy Management 2 weeks ago
views 603 16

Inline Layers vs Ordered Layers - Who's more efficient

Hi, recent discussion here at the office: what is more efficient with regard to Layers? Is it better to have more rules within a single layer, or to use ordered layers to achieve the same goal? @Tomer_Sole do you have anything to add?
bob81
bob81 inside Policy Management 3 weeks ago
views 256 3

Referenced object removal

Hello, we've always been able to remove objects that were still in a rule. If it was the last object, we were getting a warning saying that this is the last object and it will be changed to "Any". Since the update to R80.10 T203 we aren't able anymore to remove those objects without removing them first from each rule where they are present. I've checked with my teammates here and they all agree, it was working before the update. Is it supposed to work, should we be able to remove it when it's in a rule, or are we mixed up? Thanks, Dave