Policy Management

Have a general question related to SmartConsole and/or SmartDashboard? This is the place to ask! For questions related to configuring Access Policy, including VPN, NAT, and Identity Awareness, ask in the Access Control Products space.

Harmesh_Yadav
Harmesh_Yadav inside Policy Management 5 hours ago
views 107 6

Error installing SmartConsole R80.10

Dear Team, I have been struggling since last week to install the latest R80.10 SmartConsole on my system, but I am facing an issue. My PC has the latest updated Windows 10. When I start the installation, it completes and I get one error: unable to register dll in: C\Program Files(x86)\Checkpoint\Smart Console\R80.10\pe_components_reg.conf. I also checked the prerequisite software, which is already installed, and tried to reinstall it. Find below the list of installed software: Microsoft Visual C++ 2005 Redistributable, Microsoft Visual C++ 2010 Redistributable, Microsoft Visual C++ 2012 Redistributable, Microsoft Visual C++ 2015 Redistributable. Please let us know how I can remove this error. After this installation I am able to open SmartConsole, but when I try to edit an object I cannot edit it. Regards, Harmesh Yadav
Newbie
Newbie inside Policy Management yesterday
views 24

Smart Provisioning Limitations

Hi All, Are there any limitations on the number of devices that Smart Provisioning can provision? We are contemplating managing about 200-400 devices through it. Thanks in advance.
Jerry
Jerry inside Policy Management yesterday
views 97 4

IPS/ThreatProtection SK hunt

Hi mates, can you give me some more details on the settings... The IT Sec guys want to know what "Block SIP Early Media" or "Block Unrecoverable H.323 Inspections Errors" mean... some of them are self-explanatory... but not all... Do you know if there is a list describing these in more detail? Cheers and thanks in advance 🙂
NeilDavey
NeilDavey inside Policy Management yesterday
views 90 1

Application Anonymizer Exception

I have combined my Firewall and Application & URL Filtering policies into a single layer and have a question about whether I can add an exception to the Anonymizer category for OpenVPN. I have created the default recommended categories to block near the top of my rule base, as attached. I have a rule a few lines further down that requires OpenVPN, which at the moment is being blocked due to the rules higher up. I don't really want to move my rules above my recommended block rules, so I was wondering whether you are able to add an exception for the OpenVPN application to be allowed for a specific source and destination, if possible. This means I can leave all my rules in place and the exception would only allow this specific traffic to work. Thanks
Shahar_Grober
Shahar_Grober inside Policy Management Monday
views 1512 7 1

R80.20 Updatable Objects - Intune + Autopilot

Hi, Are there updatable objects in R80.20 for Microsoft Intune and Autopilot?
Intune: https://docs.microsoft.com/en-us/intune/network-bandwidth-use
Autopilot: https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-autopilot-requirements-network
Also, it would be nice if there were a way to import/upload IP addresses (XML, CSV) directly into the policy in R80.20 and not only via the mgmt API. Or maybe there is something like this which I am not aware of.
Stelios
Stelios inside Policy Management Monday
views 219 5 1

SmartConsole connect

Hey, I am new to Check Point. I have one SmartConsole R80.10 and I can connect to my management server but not to the gateway. Maybe I can't connect to the gateway directly with SmartConsole? Thank you.
HeikoAnkenbrand
HeikoAnkenbrand inside Policy Management Sunday
views 1727 26 46

R80.x - Policy Installation Flowchart

Policy Installation Flow

The policy installation process has several stages:

1) Assuming the installation was initiated from SmartConsole, the web service policy installation command is sent to the Check Point Management (CPM) process on the management server.

2) In the first stage, CPM converts the objects with Java from the new DB language/files to the old set language and files. Then the policy installation process verifies the policy and compiles it into a "language" the security gateway can understand and implement. The verification and compilation stages are performed by FWM, and in the future by the CPM process.
Note: The policies translated by CPM for FWM can be found, for the "Standard" policy, here: $FWDIR/conf/Standard.W

3) The FWM process is responsible for code generation and compilation. For example, the process reads the policy from "$FWDIR/conf/Standard.W" and other files and uses them for policy verification and conversion. The FWM process performs verification and conversion of the files and database information for the installation targets for which policy installation is requested. For this, the fw_loader of the corresponding Check Point version is started to verify and convert the policy.
Note: For the corresponding Check Point versions, fw_loader and other tools can be found in the following paths on an R80.30 management server:
    /opt/CPsuite-R80.30/fw1/bin/fw_loader        R80.30
    /opt/CPR7520CMP-R80.30/bin/fw_loader         R75.20, R75.30
    /opt/CPR7540CMP-R80.30/bin/fw_loader         R75.40, R75.45, R75.46, R75.47
    /opt/CPR76CMP-R80.30/bin/fw_loader           R76, R76SP to R76SP.50
    /opt/CPR77CMP-R80.30/bin/fw_loader           R77, R77.10, R77.20, R77.30
    /opt/CPR75CMP-R80.30/bin/fw_loader           R75, R75.10

One question that keeps coming up is: which config files are used on the management server to compile policies with user-specific INSPECT code? For this purpose, a different directory is used for each Check Point gateway version, following the same scheme as for fw_loader:
    /opt/CPsuite-R80.30/fw1/lib                  R80.30
    /opt/CPR7520CMP-R80.30/lib                   R75.20, R75.30
    /opt/CPR7540CMP-R80.30/lib                   R75.40, R75.45, R75.46, R75.47
    /opt/CPR76CMP-R80.30/lib                     R76, R76SP to R76SP.50
    /opt/CPR77CMP-R80.30/lib                     R77, R77.10, R77.20, R77.30
    /opt/CPR75CMP-R80.30/lib                     R75, R75.10

Here are the most important config files with which Check Point INSPECT code can be customized individually:
    |-> user.def              -> User-defined implied rules that can be added in Check Point INSPECT language (sk98239)
    |-> fwui_head.def
        |-> table.def         -> Definitions of various kernel tables for Check Point security gateways (sk98339)
        |-> auth.def
        |-> base.def
            |-> crypt.def     -> VPN encryption macros (sk98241)
            |-> services.def
            |-> proxy.def
            |-> crypt.def

4) After code generation and compilation, the FWM process invokes the Check Point Policy Transfer Agent (CPTA) command, which sends the policy to all applicable security gateways.

5) The CPD process on the security gateway receives the policy files on port 18191 and saves them in the following directory on the security gateway: "$FWDIR/state/__tmp/FW1". The file integrity of the policy is checked now. Once complete, CPD invokes "fw fetchlocal" to load the new policy from the temporary policy directory with the following command: fw fetchlocal -d $FWDIR/state/__tmp/FW1

6) The FWD process on the security gateway updates all of the user-mode processes responsible for enforcement aspects. These include the VPND process for VPN, the FWSSD processes for security server issues, and so on. All security server daemons running on the gateway are notified of the new policy by FWD and adjust their behaviour accordingly, which could include restarting, stopping or starting if a new feature was enabled.

7) The new policy is loaded into the INSPECT kernel instances while traffic is still being queued. This process happens very quickly. Chain sequences are rebuilt, and may end up adding or removing chain modules from the sequences if blades were enabled or disabled since the last policy push. The new policy is prepared, the Check Point kernel holds the current traffic and starts queuing all incoming traffic. The atomic load takes place. This process should take a fraction of a second. At this point, if "Connection Persistence" is set to "Rematch connections" on the gateway object, a CPU-intensive rematch of all open connections against the new policy is performed to ensure that all current connections are still allowed by the new policy.
Note on SecureXL: If enabled, SecureXL is restarted as well and recalculates its various state tables based on the new policy. During policy load, SecureXL is disabled and re-enabled afterwards. Here I am not quite sure if this is the case with R80.20 as well.

8) The traffic queue in the firewall kernel is released and all of the packets are handled by the new security policy.

9) CPD waits for fw fetchlocal to complete the process and then informs the management server of the command's status: installation succeeded or failed.

10) The FWM process receives the policy installation status from the CPD process on the security gateway and then presents it in SmartConsole.
Note: Here I am not 100% sure whether FWM or CPM distributes the policy installation information to SmartConsole. According to sk115557, this should be FWM.

Firewall Processes

CPM Process
The CPM process is responsible for writing all information to the PostgreSQL and SOLR databases. All the communication between the different GUI clients is done through web services, a component within CPM. Whenever we connect to the SmartCenter server with SmartConsole, we are basically opening a connection from the GUI machine to the CPM process ("java -> solr-solrj-v4_X_X.jar") on the SmartCenter server over port 19009 via web service.
- web_services is a component within the CPM process that serves GUI and remote clients (like the remote API) and is responsible for transferring the request to the dleserver.
- DLE server (dleserver) is a component within the CPM server that contains all the logic of the server for writing the information to the database and SOLR.
- object_store is a component within the CPM server, responsible for writing the information to the SOLR search engine and to the PostgreSQL database.

PostgreSQL DB
The CPM process is also responsible for performing all database tasks, such as creating objects, removing objects and modifying objects. Whenever we create an object via SmartConsole, we are basically sending a command to the CPM process on the SmartCenter server requesting it to create or change the object.

SOLR
SOLR is the full-text search engine that contains a full clone of all data from the PostgreSQL database.

FWM Process
The FWM process is used for installing the security policy to the backward-compatible R7x.x security gateways after the CPM process converts the objects from Java to the old policy file format. It runs only on management products such as the security management server, log server, SmartEvent, etc.
- Serving the embedded GUI clients and authentication requests
- Collecting statuses
- Policy compilation for backward-compatible R77.x security gateways
- VSX database operations
- SIC operations via SmartConsole
- Database install
- License attach and detach from SmartUpdate
- Some of the management HA functionality
- Performing legacy operations

CPD Process
The CPD process runs on all Check Point products (security management server products as well as security gateways). There are 3 major responsibilities:
- SIC: we contact the CPD process during SIC negotiation to validate and/or push the certificate. If the CPD process on a certain security gateway is down, policy installation on that security gateway will fail due to a SIC issue. After SIC is established, the rest of the communication with the security gateway is via port 18191.
- Status collection: the FWM process requests from the CPD process the statuses of the security gateways and the security management server and then presents them in SmartView Monitor. If the CPD process is down, we will not be able to receive the gateway and security management statuses in SmartView Monitor.
- Installing the security policy on the security gateway.

FWD Process
The FWD process is responsible for sending and receiving the logs from the different Check Point entities to the security management/log server (sometimes they are on the same machine). On the security management server side: the FWD process listens on port 257, waiting for logs to be sent from the various security gateways connected to it. On the security gateway side: the FWD process opens a connection to the FWD on the log/security management server on port 257.

SKs
sk33208 - How to debug FWM daemon on Multi-Domain Management / Provider-1
sk86320 - How to debug the CPD daemon
sk86321 - How to debug FWD daemon
sk112334 - How to debug SmartConsole / SmartDashboard
sk115557 - R80.x Security Management server main processes debugging
sk103918 - Policy installation fails with the error "Operation failed, install/uninstall has been improperly terminated"
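The following is an added example, not part of Heiko's post and not Check Point code: a small Python model of what steps 7 and 8 above describe on the gateway. A new rulebase is swapped in atomically while arriving packets are held in a queue; with "Rematch connections" every entry in the connection table is re-evaluated against the new policy and dropped if it is no longer allowed, whereas the alternative setting (labelled here as rematch=False, my name, not Check Point's) lets an already-open connection keep flowing even though the new policy would deny it. The Rule/Conn classes, the first-match evaluation and all addresses and rules are constructed for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Conn:
    """One connection-table entry (a simplified tuple)."""
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """One rulebase line: source/destination as CIDR, service as proto/port."""
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None means any port
    action: str           # "accept" or "drop"

    def matches(self, c: Conn) -> bool:
        return (ip_address(c.src) in ip_network(self.src)
                and ip_address(c.dst) in ip_network(self.dst)
                and self.proto in ("any", c.proto)
                and self.dport in (None, c.dport))


def first_match(rules: List[Rule], c: Conn) -> str:
    """First-match evaluation with an implicit cleanup drop at the end."""
    for r in rules:
        if r.matches(c):
            return r.action
    return "drop"


class Gateway:
    """Toy enforcement point: rulebase plus a table of accepted connections."""

    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)
        self.conns: Set[Conn] = set()

    def packet(self, c: Conn) -> str:
        """Known connections bypass the rulebase; new ones are matched once."""
        if c in self.conns:
            return "accept"
        if first_match(self.rules, c) == "accept":
            self.conns.add(c)
            return "accept"
        return "drop"

    def install_policy(self, new_rules: List[Rule], rematch: bool = True,
                       in_flight: Tuple[Conn, ...] = ()) -> Tuple[Set[Conn], Dict[Conn, str]]:
        """Atomic load: packets in in_flight are held, the rulebase is swapped,
        open connections are optionally rematched, then the queue is released
        against the new policy. Returns (dropped connections, queue verdicts)."""
        self.rules = list(new_rules)
        dropped: Set[Conn] = set()
        if rematch:
            for c in list(self.conns):
                if first_match(self.rules, c) != "accept":
                    self.conns.discard(c)
                    dropped.add(c)
        released = {c: self.packet(c) for c in in_flight}
        return dropped, released


def demo() -> Dict[bool, Dict[str, object]]:
    """Push a policy that removes the SSH rule, once per persistence mode."""
    old = [Rule("10.0.0.0/24", "192.0.2.10/32", "tcp", 22, "accept"),
           Rule("10.0.0.0/24", "192.0.2.0/24", "tcp", 443, "accept")]
    new = [Rule("10.0.0.0/24", "192.0.2.0/24", "tcp", 443, "accept")]
    ssh = Conn("10.0.0.5", "192.0.2.10", "tcp", 22)     # open before the push
    https = Conn("10.0.0.5", "192.0.2.20", "tcp", 443)  # open before the push
    late_ssh = Conn("10.0.0.9", "192.0.2.10", "tcp", 22)  # arrives during load

    out: Dict[bool, Dict[str, object]] = {}
    for rematch in (True, False):
        gw = Gateway(old)
        gw.packet(ssh)
        gw.packet(https)
        dropped, released = gw.install_policy(new, rematch, (late_ssh,))
        out[rematch] = {"ssh_survives": ssh in gw.conns,
                        "https_survives": https in gw.conns,
                        "dropped": len(dropped),
                        "late_ssh": released[late_ssh]}
    return out


if __name__ == "__main__":
    for mode, result in demo().items():
        print("rematch" if mode else "keep", result)
```

With rematch the pre-existing SSH session is torn down by the push and the queued SSH packet is dropped by the new policy; without rematch the old SSH session survives the push and only new SSH connections are refused, which is the gap the CPU-intensive rematch in step 7 closes.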
KatiaCruz
inside Policy Management Saturday
views 137 1
Employee

Importing policies from an Excel/CSV file

Hi CheckMates Community! Does anyone here know a way to import an access control policy (a bulk of rules) from an Excel/CSV file? I could find some information on how to import objects and NAT policies from such files, but I found nothing about access control policies. Any insight will be much appreciated! 🙂 Thanks, Katia
Michal_Gans
Michal_Gans inside Policy Management Friday
views 181 1

How to define only MAB users in a rule in Unified Policy

We use Unified Policy (Access, App&URL and MAB) and I need to define a drop rule at the end of the MAB part (so the rest of the policy will not affect remote access). Is it possible to do that?
carl_t
carl_t inside Policy Management Thursday
views 175 1

Check Point Firewall industrial protocol awareness

Hi All, Can anyone tell me if Check Point Firewalls are aware of most industrial protocols such as Ethernet/IP, Modbus, Profinet, CIP, Profibus etc.? Many thanks
Yvette_Ntuli
Yvette_Ntuli inside Policy Management a week ago
views 177 1

Policy Installation

More than 400 changes have been made on an R80 gateway but I can't push the policy. How do I resolve this?
Rahul_Borah
Rahul_Borah inside Policy Management a week ago
views 456 8

GEO Policy for a single access rule

Hi Experts, Is there any option to allow only one country's traffic to access a single destination IP (server) in Check Point R80? Regards, R.B
David_Charnon
David_Charnon inside Policy Management 2 weeks ago
views 194 1

Custom Application/Site and IP addresses

Simple question - I want to create a Custom Application/Site for use in the Application layer (running R80.20) and need to know if IP addresses are supported in the URL list. Will it match on an IP address, or does it need to be a URL? Thanks, Dave
Rccou
Rccou inside Policy Management 2 weeks ago
views 281 3 1

How to discard unwanted changes

Hi, I have a problem with an R80.30 cluster. I made some changes to interfaces which seem to have caused some topology changes to other interfaces. I have also made other simple policy changes. I have published these changes, but the install fails each time with various errors about topology, interfaces etc. In total I have over 95 changes from 4 sessions that I want to simply discard and forget about and not install. I have followed the advice in this link: https://community.checkpoint.com/t5/Policy-Management/R80-Change-Control-A-Visual-Guide/td-p/39702 and reverted to a previous known version, but the 95 pending changes still seem to be pending installation and I don't know how to get rid of them. How is this done? I reverted to an earlier version, but the pending changes are still there. I'm stuck with these changes in the install queue, with no option to discard.
batmunkh_unubuk
batmunkh_unubuk inside Policy Management 2 weeks ago
views 5226 12 2

How to block "proxy" in all search engine results and web sites

How can I block a spelling or word? My workers search for "proxy" on google.com and then access any web site through a proxy. How can I block the word "proxy" in any search engine and web site?