Policy Management

Have a general question related to SmartConsole and/or SmartDashboard? This is the place to ask! For questions related to configuring Access Policy, including VPN, NAT, and Identity Awareness, ask in the Access Control Products space.

Tom_Vandepoel inside Policy Management an hour ago
views 3164 18 2

Identity Collector - Cisco ISE SXP mappings support

Hi,

I've been doing some testing with an R80.20 gateway, Identity Collector and Cisco ISE 2.4 pxGrid. I've managed to interconnect these components so the basic communication is working fine (the certificate setup is quite cumbersome to be honest).

I am trying to get SXP-learned IP-SGT mappings into the CP IA blade, but it seems the identity collector is not picking these up. Does this mean that identity collector will only learn IP-SGT mappings from dynamic user sessions and not from SXP-learned IP-SGT mappings?

E.g. I've got the following static mapping on my test switch:

cts role-based sgt-map 172.20.21.151 sgt 6

Which is then learned over SXP by ISE:

I've tried adding and removing the mappings as well but no mappings are being received on the collector, even though it is fully connected to pxgrid (and has an approved connection). The identity collector does not seem to receive these SXP mappings at all... the ISE is set to publish these on pxgrid:

If this is not supported right now, is this on the roadmap?

Thanks,
Tom.

cisco ise
Andy_Yap inside Policy Management yesterday
views 1392 2

Geo Policy

I am trying to implement a Geo policy which blocks traffic from certain countries from accessing certain IPs and ports within our domain. I was told that I can actually use the Geo Policy in the negate way, e.g. add India to the Geo policy list and set the action to accept, and set the policy for other countries to accept too. In the exemption for the policy, set the destination to the IP and service port that I want to block. I was told that it will block the traffic to the exemption list since the action on the Geo policy is set to accept. Is anyone able to confirm this solution will work?
Maarten_Sjouw inside Policy Management yesterday
views 95 3 1

R80.40 Policy install fail

In R80.40 management I have found a small glitch in verification: when you push an APCL/URLF policy (inline layer) to a gateway without the APCL/URLF blades turned on, the verification does not stop the policy install process with an error, it just hangs at 50%. It shows as if it is still busy, but even after an hour it did not move. In my case it is on an MDS and the only way to recover is by rebooting the MDS. Stopping/starting the Domain does not help. You cannot try to install again as it tells you there is a policy install in progress. When the blades are turned on on the same gateway, the policy pushes just fine (after a reboot).
MattDunn inside Policy Management Sunday
views 300 3

Object is viewed in Read Only mode

Odd thing started happening today. Most (not quite all) service groups are opening in Read Only mode, so I can't edit them, as per the below screenshot. Other objects are fine, I can edit at will.

I've checked for old sessions. There are none. The only session showing is the one I'm logged in with, so nothing else should have any objects locked.

I've rebooted, still the same problem.

Anyone got any ideas? I've been on a TAC chat for an hour and getting nowhere....
kobilevi inside Policy Management Sunday
views 135 3

Install R80.30 SmartConsole on Win 10

Hello, I try to install SmartConsole that I download from the GUI interface, and the setup will stop after I remove and reinstall the program. I upload here a file with the log of the installation. What will I need to do? I cannot install this program.
David_Miguel_Al inside Policy Management Friday
views 140 1

Rule tabs Summary/Details/Logs/History do not resize correctly

Hi all! The rule tabs in my SmartConsole (R80.20 992000081) sometimes do not resize correctly to the full width of the rulebase (see picture attached). I'm on W10 v1809. Already tried to reinstall it but it keeps happening. Does anyone 'suffer' from the same issue? Regards!
Tomer_Sole (Mod) inside Policy Management Thursday
views 6310 17 10

Where did all my IPS Protections go?

IPS in SmartDashboard R7x had its protections organized:

By type:
- Signatures
- Protocol anomalies
- Application controls
- Engine settings

By protocol:
- Network security
- Application intelligence
- Web intelligence

In SmartConsole R80 and R80.10, I cannot find some of these protections. Did they get deleted?
G_W_Albrecht inside Policy Management Thursday
views 189 1

SMS R80.30 is GW not Host

When running the cpm doctor on my Lab, it showed an error: my management is not a host, but a gateway! In Dashboard, the convert to host command is not available anymore, and apart from cpm doctor there are no issues with the SMS, and cpprod_util shows 0 for fw module and 1 for SMS. Did anyone experience a similar case?
Daniel_Collins inside Policy Management Thursday
views 1379 20 1

R80.20 Management Performance

Hello Check Mates!

I hope you can help perhaps shed some light on an issue we're seeing with one of our customers. The customer is commercially sensitive due to some long-standing issues they've had with a 61k appliance, and a recent code upgrade on the system (management at the moment) to R80.20 has degraded performance from the customer's perspective.

What we're seeing is this:
- A slowness in stacking and unstacking the subject headings in the rulebase
- There are around 700 rules with 200 subject headings in the policy
- What we see is you press the button to drop the subject headings and then the wire frames appear for the rules; a few seconds later the rule content pops into the console
- Adding, say, objects to rules (clicking the *), there is a good second or few seconds delay until the search box appears.

The management server is on R80.20 with the latest T91 of the JHF installed. Very well specced, 16 cores / 18GB RAM / SSD based flash storage in VMware. The console is being run on a machine with 32 cores and 64GB of RAM, similar storage scenario. We observed the server via SSH while testing these issues and saw no noticeable load on the system, use of swap or any %WA on I/O.

From our perspective as a partner, the behaviour we see other than the rule stacking is as we'd expect from an R80.x install of management. I do not have a point of comparison for the rule stacking issue; all of the customers I have worked with as of late (in R80.x days) have significantly smaller rulebases or far fewer subject headings. The customer was on R77.30 before and has noticed that the server performs significantly worse in R80.20 than it did previously.

We can replicate these issues through a database export into a lab server as well as exporting the policy via the python script into a fresh management server; it follows the policy.

There is an element of expectation here, but this customer is commercially sensitive as we will be trying to ensure they continue to replace the 61k's with another Check Point appliance (something that's not SP based), so we're looking to see what we can do in terms of tuning up performance of the management server.

We're not in a position to re-jig the policy (in terms of in-line layers, due to the 61k being on R76SP.50 and consultancy time needed to do so prior to a replacement solution) but the policy is very tidy. Some perhaps duplication but nothing severe.

I've been through the VMware tuning guide on sk104848 and not had any noticeable difference.

Any thoughts?
Kai_Magnussen inside Policy Management Thursday
views 215 6

Problems with Show Package tool

I have a slight issue with exporting rulesets from an R80.30 environment, with jumbo t50 installed. After exporting either all rulesets at once, or just a single policy, only the uid will be shown inside groups, or in networks. That means the customer will then have to click further into these uids to disclose the full information, which is a bit troublesome.

The problem looks similar to the one posted here:
https://community.checkpoint.com/t5/General-Management-Topics/Is-quot-Show-Package-quot-useless/td-p/13465

But that post says it should be fixed since r80.20m2. Any input on this would be appreciated.
Daroost inside Policy Management Thursday
views 184 2

Will SmartDashboard R77.30 work with Windows Server 2016?

During the last SmartDashboard R77.30 installation on a Windows Server 2008 VM I had a big problem with the application. The problem was solved only after applying the following solution:
https://www.51sec.org/2014/09/08/checkpoint-smartconsole-r77-20-installation-issue-smartdashboard-loading-local-configuration-up-to-15-and-then-disappears/

Due to Windows Server 2008 EOS we have to upgrade our VM to the 2016 version. Can anyone give me an answer on whether SmartDashboard R77.30 will work with Windows Server 2016? I've spent the last few days searching for this information and I can't find the answer anywhere.
Dana_Honsa inside Policy Management Wednesday
views 172 1

Remote_Desktop_Protocol not being detected?

So we're having a weird problem with some new firewalls in our environment. We're migrating services to a new datacenter, behind brand new 6500s running R80.20, managed by an R80.30 management server. Once moved down there, users are reporting that they can't remote into some Windows systems that are behind the firewalls. In our rules, we are explicitly allowing this with the built-in Remote_Desktop_Protocol object. When I take a look at the rules, they're being dropped by our drop-all rule for custom ranges that contain 3389. So it seems to be ignoring the Check Point object.

Now we have R77.30 gateways managed by this server not suffering the same issue, and we have another R80.30 management server, managing R80.30 gateways, also not suffering this issue. I've been scouring the knowledgebase to see if there is some known issue with our version (take 91) of the gateway, but I haven't been able to find anything. I've already got a ticket open and reached out to our SE, but figured I'd check here too. Has anyone encountered something similar?
Eric_Davis inside Policy Management Wednesday
views 3731 12 2

Best practices for inline layers

Hi, we're running R80.10 and would like to start cleaning up our policy that has become cluttered and outdated. Inline layers look like they could assist in keeping things organized as we clean up the old clutter, but I can't find a lot of info about best practices for them. Should you try to limit how many inline layers/rules you use in a policy? Is there a preferred method for crafting the parent rule? Should it be vague and then get more particular with each inline layer rule? Or should the parent rules be crafted very specifically as well? I've read a few of the threads here on CheckMates and any relevant SKs but was just wondering if there was any specific guidance on the best way to utilize inline layers.
PhoneBoy (Admin) inside Policy Management a week ago
views 12255 30 19

SmartMove: Convert Cisco ASA Policy to Check Point

The Check Point SmartMove tool enables you to convert a 3rd-party database with a firewall security policy and NAT to a Check Point database. At the moment, the tool handles Cisco ASA (version 8.3 and above) configuration files and converts their objects, NAT and firewall policy to a Check Point R80.10 policy. The tool is planned to support additional vendors in the future.

Source is available on GitHub: SmartMove
johnnyringo inside Policy Management a week ago
views 250 9

NAT rule hiding source IP of external address

Seems like a pretty basic question, but I've been searching for days and still haven't found an answer.

I simply want to Source NAT / "Hide" traffic from certain internet IP addresses coming in via the external network. In this packet flow:

198.51.100.111 (Internet IP) ---> 203.0.113.222:8080 (Checkpoint External IP) ---> 10.10.10.111:80 (Web server on internal network)

The NAT Policy rule is written like so:
- Source: All_Internet
- Original destination: 203.0.111.222
- Original Service: HTTP_proxy
- Translated source: = Original
- Translated destination: 10.10.10.111
- Translated Services: http

Usually the web server would see the source IP 198.51.100.111 on traffic from the internet. I instead want it to see the Checkpoint's internal interface IP address of 10.10.10.1. What should be in the "Translated source" field for this to work?