Matt_Foreman inside Policy Management 8 hours ago
views 42 3

IPsec Star Community Question

If you have a star IPsec community with TWO clusters in the center and multiple satellites, what makes any given satellite choose one center over another when routing from satellite to satellite using the center as a hub and spoke? No MEP, no overlapping domains,
Evan_Fisher inside Policy Management 8 hours ago
views 5171 17

Unused Objects Cleanup

Is there an easy way in R80.10 to clean up all unused objects, or at least identify them? Our object database has been steadily growing for years and I know there are a lot of stale objects, and I don't want to have to manually do a "Where Used" on every object just to find the stale ones.

Thanks!
Doeschi inside Policy Management 15 hours ago
views 227 10

fw sam rule with src net / dst net / any port

Hi all,

I've been looking for a fw sam command to instantly block a source IP range to a destination IP range for any protocols/ports, but without any success. It's possible to do so using the legacy SmartView Monitor, but since this would be triggered from an external source, I'd like to use the "fw sam" command.

I already tried to use "fw sam subsrv", but as soon as I put ANY or ALL as port/protocol, the management server doesn't accept the command.

Any ideas on this matter?

Regards
Roger
Bekir_Aldemir2 inside Policy Management yesterday
views 2528 10

Any tool to build a rulebase from an "Any-Any Accept" rule?

Hello everyone,

A customer recently placed a firewall to control all inter-VLAN traffic and they unfortunately are not aware (as it usually is) what kind of traffic is generated between the VLANs, as it was running through a switch until now.

We started building the rulebase depending on their necessities, but I still believe that is far from ideal. To avoid any major issues we had to leave the last rule as ACCEPT. At this point, the only way seems to be to analyze the logs of this rule and keep adding new rules, which brings me to the real question (and I sincerely apologize if this is stupid): is there any quick way or a tool (I know Tufin can analyze the existing rulebase) to do this?

(I searched the forum but couldn't find any Q or A that might be directly related.)

Thanks in advance,
Eric_Davis inside Policy Management yesterday
views 2063 10

Best practices for inline layers

Hi, we're running R80.10 and would like to start cleaning up our policy, which has become cluttered and outdated. Inline layers look like they could assist in keeping things organized as we clean up the old clutter, but I can't find a lot of info about best practices for them. Should you try to limit how many inline layers/rules you use in a policy? Is there a preferred method for crafting the parent rule? Should it be vague and then get more particular with each inline layer rule? Or should the parent rules be crafted very specifically as well? I've read a few of the threads here on CheckMates and any relevant SKs, but was just wondering if there was any specific guidance on the best way to utilize inline layers.
inside Policy Management yesterday
views 10031 29 18

SmartMove: Convert Cisco ASA Policy to Check Point

The Check Point SmartMove tool enables you to convert a 3rd party database with firewall security policy and NAT to a Check Point database.

At the moment, the tool handles Cisco ASA (version 8.3 and above) configuration files and converts their objects, NAT and firewall policy to a Check Point R80.10 policy. The tool is planned to support additional vendors in the future.

Source is available on GitHub: SmartMove
inside Policy Management Sunday
views 33857 19 27

Layers in R80

I would like to clarify the use of layers in the R80 Management Server and SmartConsole.

A layer is a set of rules, or a rule-base. R80 organizes the policy with ordered layers. For example, Gateways that have the Firewall and Application Control blades enabled will have their policies split into two ordered layers: Network and Applications. Another example: Gateways that have the IPS and Threat Emulation blades enabled will have their policies split into two ordered layers: IPS and Threat Prevention. For pre-R80 Gateways, this basically means the same enforcement as it always was, only in a different representation in the Security Management.

Ordered layers are enforced this way: when the Gateway matches a rule in a layer, it starts to evaluate the rules in the next layer.

The layers concept opens more options for policy management:
- Setting different view and edit permissions per layer for different administrator roles.
- Re-using a layer in different places: the same Application Control layer in different policy packages (Sharing a layer across different policies), or the same inline layer for different scopes.
- Explaining global and local policies in Multi-Domain with the same feature set of layers: a domain layer will be the set of rules that are added in each domain by the domain administrator.

R80.10 Gateways and above will have the ability to utilize layers in new ways:
- Unifying all blades into a single policy (How to use the unified policy?)
- Segregating a policy into more ordered layers, not necessarily by blades
- Allowing sub-policies inside a rulebase, with the use of inline layers (How do I define different policies to different users?)

Message was edited by: Tomer Sole
Howard_Gyton inside Policy Management Sunday
views 120 1

R80.30 - Services port conflict recurring

When we push policy, it succeeds, but we get a warning stating that there are multiple services which both have 'Match for any' selected.

When I first did this there were 10 pairs, so I worked through those. At the next policy push it found another two. And the next. And the one after that.

I don't know why, but it is drip-feeding me information and doesn't list them all. At every change I make, another new pair appears for some reason.

Is this expected? If so, it's not very user friendly, as I would prefer to fix them all in one go.

Howard
ledesgagnes inside Policy Management Friday
views 159 6

Unable to allow a URL via WIFI but works from Ethernet

Hi,

To put in place a context, I am replacing a previous IT manager who left the enterprise several months ago.

I had a request put in place to allow certain URLs which are in the Alcohol & Tobacco category. So I went in Blade, under Application and URL Filtering, and added a rule to allow this category.

I went with:
Source: Any
Destination: Internet
Application: Category Alcohol & Tobacco
Action: Allow

When I am on the network, the rule works without any issue. Once I disconnect the cable, get on the wifi and hit the same URL, I am sent to a Check Point Application Control page, where it says that access is blocked according to the organization security policy. It also provides a Reference: 0B34CDBD.

I did research on the web and I've looked around in Blade but didn't find anything that differentiates Ethernet from WIFI.

Thanks
G_W_Albrecht inside Policy Management Thursday
views 2211 16 23

Searching Network Objects in R80.xx is crippled

Managing large networks is easier if searching in Dashboard simply works! In R77.30, it was easy to search for e.g. servers in Network Objects > Hosts; see here an example from Demo mode:

In the search results, we can find the objects having a name containing "server" as well as objects having "server" in the comment field, so it is easy to find all server objects. But not in R80.xx; in Demo, we see a list of Hosts named using "server":

So when searching, we would expect to get all objects with "server" in their name, but not the one with "srv". But what do we really get? Not much: it will not show the FileServer and WebCalendarServer. But now, try it yourself and do not search "Server" but "erver": nothing will be shown at all! I am thinking that this is not a search function anymore! But what about other users: is this kind of searching unusable or not needed anymore? Does anyone else miss it? And what did really happen to Dashboard, which did the searching very well in R77.30?
Jose_Ramon_Rodr inside Policy Management Wednesday
views 3832 5 1

Searching zero hits rules in R80.10

Hi,

Prior to R80.10 you could find every rule with zero hits right from the search bar. For instance, in R77.30 you could see only the rules with no hits this way:

Now in R80.10 I can't find the way to do that search. In the "Searching a Rule Base" page in the SmartConsole R80.10 Help there are no clues about it.

Is there a way to do this search?

Greetings.
Tom_Cripps inside Policy Management Wednesday
views 173 4 1

Do Access Roles need Identity Awareness to function?

Hi,

I'm looking to use Access Roles to look at specific networks. This is due to a requirement to have both network objects and an existing access role in the same rule.

I'm seeing, though, that the access role looking at certain networks is only picking up identified users, through the use of the IA client. My question is then: do access roles need some form of IA client to work on the endpoint?

Tom
Arthur_DENIS1 inside Policy Management Wednesday
views 192 4

Publish takes a long time with a lot of changes

Hi,

For one customer, with MGMT in R80.30 on an open server, we have changed a lot of rules (around 400) on one policy containing 5000 rules. And publish takes a few hours to complete!!!

As you can see in the top output below, the server is not really overloaded.

Has someone already had this issue, and found a way to solve it?

Thanks for your help guys!
Arthur

top - 17:45:14 up 13 days,  7:51,  2 users,  load average: 1.68, 2.05, 2.05
Tasks: 231 total,   2 running, 229 sleeping,   0 stopped,   0 zombie
%Cpu(s): 27.1 us,  0.8 sy,  3.1 ni, 68.4 id,  0.5 wa,  0.0 hi,  0.1 si,  0.0 st
KiB Mem : 32846464 total,   615404 free, 12984148 used, 19246912 buff/cache
KiB Swap: 17840176 total, 17617344 free,   222832 used. 18440132 avail Mem

  PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND
12491 cp_post+  20   0  774048 746728 687892 R  75.1  2.3  77:10.47 postgres
 5212 admin     20   0 6997584 1.143g   9704 S  72.4  3.6   1229:24 java
12497 cp_post+  20   0  770464 743240 687844 S  61.5  2.3  69:51.17 postgres
 4987 admin     39  19 90.730g 6.484g 187260 S  15.9 20.7   4859:52 java
 5137 admin     39  19  999044 383048   7540 S  10.0  1.2   1702:18 log_indexer
 5929 admin     20   0  339524  34196  11316 S   4.3  0.1 834:04.65 lea_session
30135 admin     20   0  337056  36484  11336 S   3.0  0.1 696:04.91 lea_session
 5092 admin     20   0 6899844 714356  10368 S   2.0  2.2 260:54.02 java
 1665 admin     20   0  869948 489284  38084 S   1.3  1.5  34:19.38 fwm
 4781 admin     20   0 1087456 313604  13292 S   1.3  1.0 312:18.45 fw_full
 4672 admin     20   0   17456   1984   1756 S   0.7  0.0  10:48.43 cpwd
17680 cp_post+  20   0  708776 690520 687044 S   0.7  2.1  57:27.45 postgres
 5035 admin     39  19 5805956 304128   8992 S   0.3  0.9  24:44.17 java
 6381 admin     20   0   12604   3656   2960 S   0.3  0.0   0:01.60 sshd
17248 cp_post+  20   0  708812 690720 687056 S   0.3  2.1  57:32.87 postgres
    1 admin     20   0    2584    592    564 S   0.0  0.0   0:08.00 init
    2 admin     20   0       0      0      0 S   0.0  0.0   0:00.04 kthreadd
    3 admin     20   0       0      0      0 S   0.0  0.0   4:04.17 ksoftirqd/0
    5 admin      0 -20       0      0      0 S   0.0  0.0   0:00.00 kworker/0:0H
    7 admin     rt   0       0      0      0 S   0.0  0.0   0:03.98 migration/0
    8 admin     20   0       0      0      0 S   0.0  0.0   0:00.00 rcu_bh
    9 admin     20   0       0      0      0 S   0.0  0.0  17:04.23 rcu_sched
   10 admin     20   0       0      0      0 S   0.0  0.0   0:00.00 rcuob/0
   11 admin     20   0       0      0      0 S   0.0  0.0   2:02.09 rcuos/0
   12 admin     rt   0       0      0      0 S   0.0  0.0   0:03.73 watchdog/0
   13 admin     rt   0       0      0      0 S   0.0  0.0   0:03.39 watchdog/1
   14 admin     rt   0       0      0      0 S   0.0  0.0   0:03.46 migration/1
MrSaintz inside Policy Management a week ago
views 1407 11 2

Inline Layer and software blades

Hi all,

When setting up inline layers to set up, for instance, Mobile Access rules (unified mode), Application/URLF rules, content, etc., should the parent be enabled with all the blades I want to use at the inline layer level?

I think it would make sense not to enable them at the parent level, for example:

Parent: allowing LAN to Internet, service http/https, assign inline layer "urlf" (here I would only enable Access Control)
At the "urlf" inline layer: specify allowed/blocked categories there (here I would enable the URLF SB)

Is this proper best practice?

Regards,
Carlos
HS inside Policy Management a week ago
views 129 2

Hotfix Ongoing Take 91

Hi,

We are planning a GW upgrade to R80.20. Our MGMT is running R80.20 Take 87. We are planning an upgrade to Take 91, the latest GA.

Has anyone already installed Take 91? We have no idea if there are requirements for Take 91 that need some special attention.

Our gateways will be installed with R80.20 Take 91.

Thank you for your help.