Policy Management

Have a general question related to SmartConsole and/or SmartDashboard? This is the place to ask! For questions related to configuring Access Policy, including VPN, NAT, and Identity Awareness, ask in the Access Control Products space.

Markus_Kress
Markus_Kress inside Policy Management 8m ago
views 10 1

updatable objects with wildcard entries

Hi, we are using updatable objects in our o365 policy. The updatable object "Office Worldwide Services" includes some wildcard domain entries, e.g. "*.msappproxy.net". We figured out that requests which should match these wildcards do not work. Should they work? We assume that the gateway does a DNS lookup for every FQDN which is listed in the updatable object and caches it. For wildcard entries it is not possible. Are we right? Can someone explain how the updatable object mechanism works? Or is there a good article in the knowledgebase?
AHMADAHUSEN
AHMADAHUSEN inside Policy Management yesterday
views 19

Deletion of disabled rules in R80.10

Dear Team, I am doing rule-base optimization in R80.10, so I have disabled a lot of rules manually. How can I delete all disabled rules in a faster way? (If you recommend the API, then kindly give the complete procedure to accomplish this.)
johnnyringo
johnnyringo inside Policy Management yesterday
views 263 10

NAT rule hiding source IP of external address

Seems like a pretty basic question, but been searching for days and still haven't found an answer. I simply want to Source Nat / "Hide" traffic from certain internet IP addresses coming in via the external network. In this packet flow:
198.51.100.111 (Internet IP) ---> 203.0.113.222:8080 (Checkpoint External IP) ---> 10.10.10.111:80 Web server on internal network
The NAT Policy rule is written like so:
Source: All_Internet
Original destination: 203.0.111.222
Original Service: HTTP_proxy
Translated source: = Original
Translated destination: 10.10.10.111
Translated Services: http
Usually the web server would see the source IP 198.51.100.111 on traffic from internet. I instead want it to see the Checkpoint's internal interface IP address of 10.10.10.1
What should be in the "Translated source" field for this to work?
Vladimir
Vladimir inside Policy Management yesterday
views 37

Validity of DET (Data Exfiltration Toolkit - ICMP Mode)

Can someone let me know if the DET (Data Exfiltration Toolkit - ICMP Mode) is accurately identified by CP? I am seeing these in the Security Checkup environment from multiple sources that are Meraki Wi-Fi access points.
Andy_Yap
Andy_Yap inside Policy Management yesterday
views 1427 4 1

Geo Policy

I am trying to implement a Geo policy which blocks traffic from a certain country from accessing a certain IP and port within our domain. I was told that I can actually use the Geo Policy in the negate way, e.g. add India in the Geo policy list and set action to accept and set policy for other countries to accept too. On the exemption for the policy, set the destination to the IP and service port that I want to block. I was told that it will block the traffic to the exemption list since the action on the Geo policy is set to accept. Is anyone able to confirm this solution will work?
Tom_Vandepoel
Tom_Vandepoel inside Policy Management yesterday
views 3175 18 2

Identity Collector - Cisco ISE SXP mappings support

Hi, I've been doing some testing with an R80.20 gateway, Identity Collector and Cisco ISE 2.4 pxGrid. I've managed to interconnect these components so the basic communication is working fine (the certificate setup is quite cumbersome to be honest). I am trying to get SXP-learned IP-SGT mappings into the CP IA blade, but it seems the identity collector is not picking these up. Does this mean that identity collector will only learn IP-SGT mappings from dynamic user sessions and not from SXP-learned IP-SGT mappings? E.g. I've got the following static mapping on my test switch:
cts role-based sgt-map 172.20.21.151 sgt 6
Which is then learned over SXP by ISE: I've tried adding and removing the mappings as well but no mappings are being received on the collector, even though it is fully connected to pxgrid (and has an approved connection). The identity collector does not seem to receive these SXP mappings at all... the ISE is set to publish these on pxgrid: If this is not supported right now, is this on the roadmap? Thanks, Tom.
Maarten_Sjouw
Maarten_Sjouw inside Policy Management Tuesday
views 134 3 1

R80.40 Policy install fail

In R80.40 management I have found a small glitch in verification: When you push an APCL/URLF policy (inline layer) to a gateway without the APCL/URLF blades turned on, the verification does not stop the policy install process with an error, it just hangs at 50%. It shows as if it is still busy, but even after an hour it did not move. In my case it is on an MDS and the only way to recover is by rebooting the MDS. Stopping/starting the Domain does not help. You cannot try to install again as it tells you there is a policy install in progress. When the blades are turned on on the same gateway the policy pushes just fine (after a reboot).
MattDunn
MattDunn inside Policy Management Sunday
views 320 3

Object is viewed in Read Only mode

Odd thing started happening today. Most (not quite all) service groups are opening in Read Only mode, so I can't edit them. As per the below screenshot. Other objects are fine - I can edit at will. I've checked for old sessions. There are none. The only session showing is the one I'm logged in with, so nothing else should have any objects locked. I've rebooted, still the same problem. Anyone got any ideas? I've been on a TAC chat for an hour and getting nowhere....
kobilevi
kobilevi inside Policy Management Sunday
views 170 3

install R80.30 smartconsole win 10

Hello, I try to install SmartConsole that I download from the GUI interface and the setup will stop after I remove and reinstall the program. I upload here a file with the log of the installation. What will I need to do? I cannot install this program.
David_Miguel_Al
David_Miguel_Al inside Policy Management Friday
views 174 1

Rule tabs Summary/Details/Logs/History does not resize correctly

Hi all! The rule tabs in my Smart Console (R80.20 992000081) sometimes are not resizing correctly to the full width of the rulebase (see picture attached). I'm on W10 v1809. Already tried to reinstall it but it keeps happening. Does anyone 'suffer' from the same issue? Regards!
Tomer_Sole
inside Policy Management Thursday
views 6326 17 10
Mod

Where did all my IPS Protections go?

IPS in SmartDashboard R7x had its protections organized:
- By type:
  - Signatures
  - Protocol anomalies
  - Application controls
  - Engine settings
- By protocol:
  - Network security
  - Application intelligence
  - Web intelligence
In SmartConsole R80 and R80.10, I cannot find some of these protections. Did they get deleted?
G_W_Albrecht
G_W_Albrecht inside Policy Management Thursday
views 191 1

SMS R80.30 is GW not Host

When running the cpm doctor on my Lab, it showed an error - my management is no host, but a gateway! In Dashboard, the convert to host command is not available anymore, and apart from cpm doctor there are no issues with the SMS, and cpprod_util shows 0 for fw module and 1 for SMS. Did anyone experience a similar case?
Daniel_Collins
Daniel_Collins inside Policy Management Thursday
views 1386 20 1

R80.20 Management Performance

Hello Check Mates! I hope you can help perhaps shed some light on an issue we're seeing with one of our customers. The customer is commercially sensitive due to some long-standing issues they've had with a 61k appliance and a recent code upgrade on the system (management at the moment) to R80.20 has degraded performance from the customer's perspective. What we're seeing is this:
- A slowness in stacking and unstacking the subject headings in the rulebase
- There are around 700 rules with 200 subject headings in the policy
- What we see is you press the button to drop the subject headings and then the wire frames appear for the rules, a few seconds later the rule content pops into the console
- Adding say objects to rules (clicking the *) that there is a good second or few seconds delay until the search box appears.
The management server is on R80.20 with the latest T91 of the JHF installed. Very well specced, 16 cores / 18GB RAM / SSD based flash storage in VMware. The console is being run on a machine with 32 cores and 64GB of RAM, similar storage scenario. We observed the server via SSH while testing these issues and saw no noticeable load on the system, use of swap or any %WA on I/O. From our perspective as a partner, the behaviour we see other than the rule stacking is as we'd expect from an R80.x install of management. I do not have a point of comparison for the rule stacking issue, all of the customers I have worked with as of late (in R80.x days) have significantly smaller rulebases or far fewer subject headings. The customer was on R77.30 before and has noticed that the server performs significantly worse in R80.20 than it did previously.
We can replicate these issues through a database export into a lab server as well as exporting the policy via the python script into a fresh management server, it follows the policy. There is an element of expectation here, but this customer is commercially sensitive as we will be trying to ensure they continue to replace the 61k's with another Check Point appliance (something that's not SP based) so we're looking to see what we can do in terms of tuning up performance of the management server. We're not in a position to re-jig the policy (in terms of in-line layers, due to the 61k being on R76SP.50 and consultancy time needed to do so prior to a replacement solution) but the policy is very tidy. Some perhaps duplication but nothing severe. I've been through the VMware tuning guide on sk104848 and not had any noticeable difference. Any thoughts?
Kai_Magnussen
Kai_Magnussen inside Policy Management a week ago
views 218 6

Problems with Show Package tool

I have a slight issue with exporting rulesets from a R80.30 environment, with jumbo t50 installed. After exporting either all rulesets at once, or just a single policy, only uid will be shown inside groups, or in networks. That means the customer will then have to click further into these uids to disclose the full information, which is a bit troublesome. The problem looks similar to the one posted here: https://community.checkpoint.com/t5/General-Management-Topics/Is-quot-Show-Package-quot-useless/td-p/13465 but that post says it should be fixed since r80.20m2. Any input to this would be appreciated.
Daroost
Daroost inside Policy Management a week ago
views 185 2

Will the SmartDashboard R77.30 work with the Windows Server 2016?

During the last SmartDashboard R77.30 installation on a Windows Server 2008 VM I had a big problem with the application. The problem was solved only after applying the following solution: https://www.51sec.org/2014/09/08/checkpoint-smartconsole-r77-20-installation-issue-smartdashboard-loading-local-configuration-up-to-15-and-then-disappears/ Due to Windows Server 2008 EOS we have to upgrade our VM to the 2016 version. Can anyone give me an answer if SmartDashboard R77.30 will work with Windows Server 2016? I've spent the last few days searching for this information and I can't find the answer anywhere.