Showing results for 
Search instead for 
Did you mean: 
Create a Post
Policy Management

Have a general question related to SmartConsole and/or SmartDashboard? This is the place to ask! For questions related to configuring Access Policy, including VPN, NAT, and Identity Awareness, ask in the Access Control Products space.

HeikoAnkenbrand inside Policy Management 2 hours ago
views 388 12 16

R80.x - Policy Installation Flowchart

Policy Installation Flow Policy installation process has several stages: 1)  Assuming the initiation was made by the SmartConsole the web service policy installation command is sent to the Check Point management (CPM) on the management server. 2)  The first stage is the process that CPM convert the objects with Java from new DB language/ files to the old set language and to files. Then the policy installation process is verifying compiling it to a "language" the security gateway can understand and implement. The verification and compilation stages are performed by the FWM and in the future by CPM process.Note: The translated policies of CPM for FWM can be found for the „Standard“ policy here:$FWDIR/conf/Standard.W 3)  FWM process is responsible for code generation and compilation. For example, the process reads the policy from „$FWDIR/conf/Standard.W“ and other files and use them for the policy verification and conversion. The FWM process performs verification and conversion of the files and database information for the installation targets for which policy installation is requested. For this the fw_loader of the corresponding Check Point version is started to verify and convert the policy.Note: For the corresponding Check Point versions, the fw_loader and other tools can be found in the following path on a R80.30 management server:             /opt/CPsuite-R80.30/fw1/bin/fw_loader                      R80.30             /opt/CPR7520CMP-R80.30/bin/fw_loader                   R75.20, R75.30              /opt/CPR7540CMP-R80.30/bin/fw_loader                   R75.40, R75.45, R75.46, R75.47             /opt/CPR76CMP-R80.30/bin/fw_loader                       R76, R76SP to R76SP.50             /opt/CPR77CMP-R80.30/bin/fw_loader                       R77, R77.10, R77.20, R77.30             /opt/CPR75CMP-R80.30/bin/fw_loader                       R75, R75.10One question that keeps coming up is. Which config files are used on the management server to compile policies with user specificlally INSPECT code?For this purpose, different directorys are used for each Check Point gateway version according to the above scheme similar to fw_loader.              /opt/CPsuite-R80.30/fw1/lib                                         R80.30             /opt/CPR7520CMP-R80.30/lib                                      R75.20, R75.30              /opt/CPR7540CMP-R80.30/lib                                      R75.40, R75.45, R75.46, R75.47             /opt/CPR76CMP-R80.30/lib                                          R76, R76SP to R76SP.50             /opt/CPR77CMP-R80.30/lib                                          R77, R77.10, R77.20, R77.30             /opt/CPR75CMP-R80.30/lib                                          R75, R75.10Here are the most important config files, which we can customize Check Point INSPECT code individually:      |-> user.def                                          ->  User-defined implied rules that can be added in Check Point INSPECT language (sk98239)       |-> fwui_head.def                  |-> table.def                             -> Definitions of various kernel tables for Check Point security gateway (sk98339)                   |-> auth.def                  |-> base.def                            |-> crypt.def                   -> VPN encryption macros (sk98241)                             |-> services.def                            |-> proxy.def                            |-> crypt.def4)  After code generation and compilation, the FWM process invokes the Check Point Policy Transfer Agent (CPTA) command that sends the policy to all applicable security gateways. 5)  The CPD process on the security gateway on port 18191 receives the policy files and save this in the following directory „$FWDIR/state/__tmp/FW1“ on the security gateway. The file integrity of the policy will checked now. Once complete, the cpd invokes“fw fetchlocal“ to load the new policy with the following command from the temporary policy directory: fw fetchlocal -d $FWDIR/state/__tmp/FW1 6)  The FWD process on the security gateway updates all of the user-mode processes responsible for enforcement aspects. These include VPND process for VPN, FWSSD processes for security server issues and so on. All security server daemons running on the gateway are notified of the new policy by FWD and adjust their behavior accordingly, which could include restarting, stopping or starting if a new feature was enabled. 7)  The new policy is loaded into the INSPECT kernel instances while traffic is still being queued. This process happens very quickly.  Chain sequences are rebuilt, and may end up adding or removing chain modules from the sequences if blades were enabled or disabled since the last policy push. The new policy is prepared, the Check Point kernel holds the current traffic and starts queuing all incoming traffic. The atomic load takes place. This process should take a fraction of a second. At this point if "Connection Persistence" is set to "Rematch connections" on the gateway object, a CPU-intensive rematch of all open connections against the new policy is performed to ensure that all current connections are still allowed by the new policy.  Note SecureXL: If enabled SecureXL is restarted as well and recalculates its various state tables based on the new policy. During policy load, SecureXL is disabled and re-enabled afterwards. Here I am not quite sure if this is the case with R80.20 as well. 8).  The traffic queue on firewall kernel is released and all of the packets are handled by the new security policy. 9)  The CPD waits for fw_fetchlocal to complete the process and then informs the management server of the command's status installation succeeded or failed. 10)  The FWM process received the policy installation status from CPD process from security gateway and then presents them in SmartConsole. Note:Here I am not 100% sure whether the FWM or the CPM distributes the policy installation information to the SmartConsole. According to sk115557, this should be the FWM. Firewall Processes   CPM Process CPM process is responsible for writing all information to the PostgreSQL and SOLR databases. All the communications between the different GUI clients are done through web services. Is a component within CPM. Whenever we connect to the SmartCenter server with SmartConsole we are basically opening a connection from the GUI machine to the CPM process „java à solr-solrj-v4_X_X.jar“ on the SmartCenter server over port 19009 via web service. web_services is a component within CPM process that serves GUI and remote client (like remote API) and responsible to transfer the request to the dleserver DLE server (dleserver) is a component within the CPM server that contains all the logic of the server to writing the info to the database and SOLR object_store is a component within the CPM server, responsible to write the information to SOLR search engine and to the PostgreSQL database PostgreSQL DB The CPM process is also responsible to perform all database tasks, such as: creating objects removing objects modifying objects Whenever we create an object via SmartConsole we are basically sending a command to the CPM process on the SmartCenter server requesting it to create the object or changing it. SOLR SOLR is the Full Text Search engine that contains full clone of all data from PostgreSQL database. FWM ProcessThe FWM process is used for installing security policy to the backward compatibly R7x.x security gateways after the CPM process converts the objects from Java to old policy file format. It runs only on management products such as security management server, log server, SmartEvent, etc. Serving the embedded GUI clients and authentication requests Collecting statuses Policy compilation for backward compatibly R77.X security gateways VSX database operation SIC operations via SmartConsole Database install License attach and detach from SmartUpdate Some of management HA functionality Performs legacy operations CPD Process The CPD process runs on all Check Point products (security management server products as well as security gateways). There are 3 major responsibilities: SIC - we contact CPD process during SIC negotiation to validate and/or push the certificate. If the CPD process on a certain security gateway is down, policy installation on that security gateway will fail due to a SIC issue.  After SIC was established, the rest of the communication to the security gateway will be via port 18191. Status collection - the FWM process requests the CPD process for the statuses from security gateways and security management server and then presents them in SmartView monitor. If the CPD process is down, we will not be able to receive the gateways and security management statuses in SmartView Monitor. Installing security policy on the security gateway. FWD Process The FWD process is responsible for sending and receiving the logs from the different Check Point entities to the security management\log server (sometimes they are on the same machine). On Security Management server side: FWD process listens on port 257, waiting for logs to be sent from various security gateways that are connected to it. On the security gateway side: FWD process opens a connection to the FWD on the log\security management server on port 257. SK’s sk33208 - How to debug FWM daemon on Multi-Domain Management / Provider-1 sk86320 - How to debug the CPD daemon sk86321 - How to debug FWD daemon sk112334 - How to debug SmartConsole / SmartDashboardsk115557 - R80.x Security Management server main processes debugging  sk103918 - Policy installation fails with the error "Operation failed, install/uninstall has been improperly terminated"  
Renjith_M_P inside Policy Management Sunday
views 397 4

Traffic is accepted by implied rule

Hello everyone,we are getting accepted rule by an implied rule. we have a Stealth and clean up rule in the policy. how can block such access. verified SK -sk105740, unable to locate accessibility in R80. we don't have mobile access blade installed.  how do i block the traffic.SC attached
Gaurav_Pandya inside Policy Management Friday
views 20531 27 13

Dynamic Objects in R80.10

Hi All,I came to know the feature of R80.10 that we can make the dynamic objects for Microsoft services and others. Prerequisite for both Mgmt and Gateway : R80.10 with Take 24 HFA.ConfigurationIn SmartConsole, go to the Objects Explorer (in the upper right corner).Click on the .. button - go to the More menu - go to the Network Object menu - go to the Dynamic Objects menu - click on the Dynamic Object...: Name the dynamic object with the specific Office365 service name as specified in the table below (Important Note: The names are case sensitive).Description of Office 365 serviceName of Check Point Dynamic ObjectName in Microsoft feedAll Office 365 servicesCP_MS_Office365-Exchange FederationCP_MS_EX-FedEX-FedExchange OnlineCP_MS_EXOEXOExchange Online ProtectionCP_MS_EOPEOPMicrosoft Digital NoteCP_MS_OneNoteOneNoteMicrosoft TeamsCP_MS_TeamsTeamsOffice for iPadCP_MS_OfficeiPadOfficeiPadOffice MobileCP_MS_OfficeMobileOfficeMobileOffice OnlineCP_MS_WACWACOffice 365 Authentication and IdentityCP_MS_IdentityIdentityOffice 365 Certificate Revocation ListsCP_MS_CRLsCRLsOffice 365 Portal and sharedCP_MS_o365o365Office 365 ProPlusCP_MS_ProPlusProPlusOffice 365 Video and Microsoft StreamsCP_MS_Office365VideoOffice365VideoOffice 365 YammerCP_MS_YammerYammerOffice 365 SwayCP_MS_SwaySwayRemote Connectivity AnalyzerCP_MS_RCARCASharePoint Online and OneDrive for BusinessCP_MS_SPOSPOSkype for Business OnlineCP_MS_LYOLYOTask Management for TeamsCP_MS_PlannerPlannerCreate the relevant access policy rule.Publish the session and install the policy.
cm_d1 inside Policy Management Friday
views 149 11

Testing for Outbound connection

I was given task to set a rule for an SFTP connection for a client,Note: They are only meant to connect to usI have action the request. I have ran the tcpdump -n -i (interface) (ip address) and the client said they can only see one way traffic.what command can i run to test for the ACK packet, if what they seeing its only the SYN packetHope i have explained well 
Tim_Bernat inside Policy Management Friday
views 500 9 2

Limit the bandwidth of a single interface

Hi All,and thanks in advance for any replies. We are looking at limiting a single interface; we have a part of a network that we want on 150 or 200 Mbps, and it's connected to one of the gateways through a single interface. We are not currently using QoS, so and I am looking for an easy way to implement that. There are some QoS guides out there that describe policing, but as part of full setup. Can anyone please point me towards something more condensed? Cheers, Tim 
Francesco-P inside Policy Management Thursday
views 315 6 1

R80.20 SmartConsole installation error - Error during SmartConsole installation

Hi all,i'm tring to install the new build 81 of smart console for R80.20, after uninstalling the old one, but it fails here:I tried several time, also after reboot.If i try to install it from the SmartConsole.exe file in c:\...\AppData\Local\Temp\SmartConsoleWrapper folder, all goes fine and at the end i can open it and connect to the manager.     I think this could be tied to the .NET framework and i'm worried about, if this can cause problems under normal operation activity.Any suggestions is wellcomeThanks   
Eugene_Brown inside Policy Management Wednesday
views 1712 8 1

Restrict access to specific policies

Is it possible to restrict SmartConsole administrators to only access specific policies?I would like to be able to create read-only SmartConsole users that have access to only specific access rule policies (and NATs) in on domain.I am using MDS R80.10
Aathi inside Policy Management Tuesday
views 182 3 2

Export network host objects in SMART CLI

Hi Team, Is there any way to export the network objects as a CSV file  from checkpoint firewall management server.Please share the command for the same.RegardsAthimoolam.A
phlrnnr inside Policy Management 2 weeks ago
views 234 3

Policy verification failed for rule with network objects and access roles

I am new to identity awareness.  I have implemented identity collector with AD and LDAP connectivity from the GWs.  I have an existing network rule that has normal source / destination hosts and network objects in them.  I added an access role to the 'destination' column, and the policy verification fails stating " 'Destination' column of the rule contains both Access Roles and network objects". 1. Why can't network objects and access roles co-exist in the same column?  2. What is the best practice for deploying these rules?  Do I have to create an identical rule with the source / services, and put just the access role in for the destination?R80.20 / JHFA 87thanks,Phil
inside Policy Management 2 weeks ago
views 36665 20 29

Layers in R80

I would like to clarify the use of layers in R80 Management Server and SmartConsole.A layer is a set of rules, or a rule-base. R80 organizes the policy with ordered layers. For example, Gateways that have the Firewall and Application control blades enabled, will have their policies split into two ordered layers: Network and Applications. Another example is Gateways that have the IPS and Threat Emulation blades enabled, will have their policies split into two ordered layers: IPS and Threat Prevention. For Pre-R80 Gateways, this basically means the same enforcement as it always was, only in a different representation in the Security Management.Ordered layers are enforced this way: When the Gateway matches a rule in a layer, it starts to evaluate the rules in the next layer. The layers concept opens more options for policy management:Setting different view and edit permissions per layer for different administrator roles.Re-using a layer in different places: The same application control layer in different policy packages ( Sharing a layer across different policies  ), or the same inline layer for different scopes.Explaining global and local policies in Multi-Domain with the same feature set of layers: A domain layer will be the set of rules that are added in each domain by the domain administrator.R80.10 Gateways and above will have the ability to utilize layers in new ways:Unifying all blades into a single policy (How to use the unified policy? )Segregating a policy into more ordered layers, not necessarily by bladesAllowing sub-policies inside a rulebase, with the use of inline layers (How do I define diffrent policies to diffrent users? )Message was edited by: Tomer Sole
Jose_Ramon_Rodr inside Policy Management 2 weeks ago
views 4594 7 3

Searching zero hits rules in R80.10

Hi, Prior to R80.10 you could find every rule with zero hits right from the search bar. For instance, in R77.30 you could see only the rules with no hits this way:Now in R80.10 I can't find the way to do that search. In "Searching a Rule Base" page in SmartConsole R80.10 Help there are no clues about it.Is there a way to do this search?Greetings.
Mart_Pirita inside Policy Management 2 weeks ago
views 8418 58 20

When Will SmartConsole Support In-Place Updates?

Hi,I have used CheckPoint since 2005 and I'm now pretty sure, that CheckPoint hates SmartConsole users, as in year 2019 it's impossible to upgrade CheckPoint SmartConsole, without uninstalling old CheckPoint SmartConsole. And in year 2019 this uninstalling does not give any option to save settings and fingerprints, like for example Juniper -s Pulse does.Uninstalling CheckPoint console removes all settings and fingerprints but of course it does not remove installation folder C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10 and later on new installer then gives error - "The installation directory provided is not empty and might contain previous installation files. To proceed with the installation, please clean this directory or select an empty folder".Really? In year 2019 I must do it manually? What do you CP guys smoke? Investigated this a bit and it finally turned out, that folder C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10 contained one empty folder "PROGRAM". After manually removing C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10 folder, installer was happy.But I'm not happy, as the console thinks I'm using it first time, so I must add all settings, again. Accept all servers fingerprints, again. Close the boring popup notifications, again. Etc. And as CheckPoint keeps constantly upgrade SmartConsole, I must deal with this installer issue quite often.  Conclusion - in year 2019 we are paying huge money to CheckPoint and in return we're getting lousy product and for comparision freeware tools can create better windows installer packages with better logic, but CheckPoint can't or won't.
Lijo_mathai inside Policy Management 2 weeks ago
views 625 13

Unable to clone policy package in R80.20

Hi, after upgrading to R80.20 and applying take 47, i am unable to clone the existing policy package. Is there anything i am missing. I checked there is no validation error for the name i used to clone, but still i am unable to clone the policy. Attached is the error i faced. 
Maik inside Policy Management 2 weeks ago
views 299 4 1

Export implied rules from policy

Hello guys,Short question... I got asked by a customer whether it is possible to export the implied rules from a given policy. I know that this question maybe sounds weird, as these rules can't be modified at all (just the logging option and where the rules should be matched ~ First rules | Before last rules | Last rules). But this is required for some kind of management report.The file $FWDIR/lib/implied_rules.def seems to include the implied rules in an absolutely not readable format (which makes sense as this file should not be opened or modified manually). But are there other ways to achieve the described goal in any way? The Mgmt API is not able to read these rules as well (can't find any parameter for implied rules). I also tried to achieve something via the generic object API but my guess is that the implied rules don't even have an UID to work with... so yeah. Kinda complicated (and maybe weird question). Hope someone can help me.Regards,Maik
HeikoAnkenbrand inside Policy Management 3 weeks ago
views 999 7 4

R80.20 - SNI vs. enabled HTTPS Interception

R80.20+  with enabled HTTPS interception: If the https interception is enabled, the parameter host from http header can be used for the url because the traffic is analyzed by active streaming. Check Point Active Streaming (CPAS) allow the changing of data, we play the role of “man in the middle”. CPAS breaks the connection into two parts using our own stack – this mean, we are responsible for all the stack work (dealing with options, retransmissions, timers etc.). An application is register to CPAS when a connection start and supply callbacks for event handler and read handler. Several protocols uses CPAS, for example: HTTPS, VoIP (SIP, Skinny/SCCP, H.323, etc.), Security Servers processes, etc. CPAS breaks the HTTPS connection into two parts using our own stack – this mean, we are responsible for all the stack work (dealing with options, retransmissions, timers etc.)  More read here: R80.x Security Gateway Architecture (Content Inspection)    R80.20+ without enabled HTTPS interception (SNI is used): If the https interception is disabled, SNI is used to recognize the virtual URL for application control and url filtering. More read here: URL Filtering using SNI for HTTPS websites.pdf