Showing results for 
Search instead for 
Did you mean: 
Create a Post
Blason_R inside Policy Management 6m ago
views 16 3

Query regarding EPM server for branch location

Hi Team,I have three locations which are connected through MPLS while my EPM server is at Central location, wondering from where my users at Branch location will fetch the AV/AM updates? from my EPM server or Internet? Being on MPLS I do not want all the users talk to my centralized EPM server which I feel could exhaust my bandwidth.So, is there any alternate config available where those users can fetch updates from CP Cloud service or any other idea that I may not be aware of? TIABlason R
Christopher_Ta1 inside Policy Management 3 hours ago
views 794 7

How to create in R80.10 an email alert if the policy is already expired

How to create an email alert if the policy is already expired? Or is there any logs where I can see which policy is already expired?
Lijo_mathai inside Policy Management yesterday
views 48 2

Unable to clone policy package in R80.20

Hi, after upgrading to R80.20 and applying take 47, i am unable to clone the existing policy package. Is there anything i am missing. I checked there is no validation error for the name i used to clone, but still i am unable to clone the policy. Attached is the error i faced.
Blason_R inside Policy Management yesterday
views 74 2

What query checkpoint wmic uses to get the username from event IDs4624/4625

Hi Guys,Wondering if anyone knows what query checkpoint uses to query AD server over wmi to get the logged on usernames and then map it with log fields?
Ademt inside Policy Management yesterday
views 51 1

Remove gateway from Smartconsole error

Hello,I tried to create a Cluster object using wizard. At the end of procedure smart console crashed and after restarting it and login I could see that the cluster object way created but it appeared as it has no memmbers. Both gaetway status way thath there are not part of the cluster. I deleted cluster object from smart console but i couldn't access gateway objects through smart console anymore. Now, i cannont add them to another cluster object nor can I delete them from the smartconsole because from the smartconsole view they are still part of the cluster which does not exist.Any help regarding this? BR,Adem
Akeel_Sayed inside Policy Management yesterday
views 61 1

CheckPoint Solution Migration

Hi I have a scenario whereby i will be migrating a CP solution & I wanted some views to compare on the best way to achieve this.The new solution will have a different network design & involves introducing +-5 VSXs for better security within the environment. The new solution will not be integrated with the current at any given time. Once the new solution is ready it should be a matter of just moving cables across from the current to new FWs.From what i can gather, most of the work would need to be done from scratch (vsx portions & new FW policies). I would appreciate the policies & objects to at least be migrated so that i can copy/paste to the new FW policies i will create for each vsx. What would be your best approach to take for this? Current:Smart Mgmt Appliance Running R77.302 x Security Gateways HA (Active/Active) R77.30 New:Smart Mgmt Open Server - R80.202 x Security Gateways HA (Active/Standby) R80.20 - VSX Thanks
sergio_s inside Policy Management Tuesday
views 193 3

Access-rules package Import error

Hi All,I have used "Python tool for exporting/importing a policy package or parts of it" to import object and ACL. All works fine, until access-rule import, that fail with following message: Failed to import access-rule. Error: message: enable-firewall-session code: generic_err_invalid_parameter how can i correct the issue?Thanks
Daniel_Westlund inside Policy Management Tuesday
views 5208 10 5

R80.20 and Database Revision

I have heard from several customers asking for a return of Database Revision Control in R80.X. I know every policy is backed up, but once and object is deleted, it can no longer be recovered with anything short of a full restore from backup since DB Revision is gone. My question is this. I'd heard that there were plans to bring it back in a future version. As it's not there in R80.20, does anyone know if there are plans to bring it back, and if so, at which future version?
Maarten_Sjouw inside Policy Management Monday
views 233 12 1

in line layer without cleanup

Ok, here is my understanding of inline layers and I really doubt in the mean time if this is correct. I have a number of /29 networks that are part of a /24 and all need access to some specified services. Each of these /29's has it's own specific access in-line layer with in and outbound cleanup rules. Now I added a access rule with in-line layer to allow the centralized services of which a part is based on URLs and part on specific IP's. Now my assumption was, that when you do NOT add a cleanup rule in the /24 in-line layer, the matching will continue thru the rest of the rulebase, thus hitting the specific rules for the /29. Today someone told me that traffic was allowed that should not be allowed, all I can think of is that the message on the /24 in-line layer that says: "Missing Cleanup-rule - Unmatched traffic will be accepted and not logged" So the main question here is, is this really true?
Abhishek_Kumar1 inside Policy Management Sunday
views 88 1

Internal certificate expire policy installtion failed

After upgrading mgmt r77.30 to r80.20 my all cluster is showing ok only one cluster in showing internal certificate expired error.policy installtion failed. Even try to reset sic but not luckI dont want to reset sic for my all cluster Could you please some one help me to resolve the issue?
catherine_gibso inside Policy Management Saturday
views 6440 2

Policy Changes - How to see what changes you have made

Policy Install Shows Multiple Changes.Hi All,Has anyone noticed when you go to push policy in R80 it shows multiple changes and for all policies?So say I add a host to one policy and then publish it and then go to push policy on the policy install page it shows like 50 changes. Even though all you have done is add an existing host to an existing rule.If you then click on the total changes you see a list of the changes but its for all firewalls and all policies, not just changes for the policy you just updated.It's pretty hard to see what changes you actually made.It doesn't seem there is a way to see only the changes you are pushing/have made.thanks all
Shiva_B inside Policy Management a week ago
views 182 2

Block Nudity Images in Search Engine Results

Haii,Our IT manager has requested if it is possible to block the images that appear in a Google search if someone is to search for the word porn.
David_Spencer inside Policy Management a week ago
views 1393 17 1

Allowing custom site with external hosted images

We have a custom site that we've created an access rule for all users to be able to access. However the page only partially loads. Looking into the logs show that the images used by the website fail to load, as they are being blocked because they are hosted on an external site (* that isnt explicitly allowed.I'd like to be able to allow the site to load these pages for our users, without white listing cloudfront.netI feel like this is doable, but I'm missing something.
Andres_Gonzalez inside Policy Management a week ago
views 1145 3

Allow selected youtube videos

Hello, I need to allow certain known youtube videos, while keeping all other streaming filtered. How can I do that?
Danny inside Policy Management a week ago
views 21668 42 41

Properly defining the Internet within a security policy

Let's discuss!There are various methods of defining the Internet within your firewall security policy.I've showcased the five most common methods in the screen shot below.The proper firewall definition of the Internet depends on your needs!This discussion shall raise your awareness that it's required to evaluate your specific demand to avoid using * Any or All_Internet by default.Method 1: Using the default * Any definition Pro: Allows for proper Security Policy verification checks. Con: Any is not the Internet. In an ideal security world, you shouldn't use * Any in any of your firewall rules.Method 2: Using the default IP Address range: All_Internet ( Pro: While Hide-NAT on "Any" source doesn't work, using All_Internet as the source will do the job. Con: The Internet consists of various networks, public, private and other ones. In a security environment you operate all kind of corporate networks, DMZs, VPNs, Remote Users, Office Modes and many more entities using IP addresses. From a firewall security point of view the Internet definition means everything that is not internally, branch office, Site-to-Site or Remote Access VPN connected. For a firewall the Internet is everything else, public, untrusted, external. A simple IP Address range object with the name All_Internet provokes many misunderstandings. A security reviewer, like me, would be happy that * Any was replaced with an object someone hopefully took care of properly defining what the Internet for that specific firewall implementation is. Only when looking deeper into the object it gets clear that this definition is even more worse than * Any because it might supersede the automatic validation checks Check Point does. Please see the Global Properties for Non Unique IP Adresses shown below.Method 3: Using a Group with Exclusion (Any except all corp. networks, branch office networks, VPN encryption domains, office mode networks, RFC 1918 networks and so on) Pro: Easy to use and understandable for humans within normal firewall administration. Con: Groups with Exclusion are very complex for automatic firewall validation checks, hard to troubleshoot for humans, known to sometimes cause issues when used in VPN encryption domains and therefore have many limitations (sk97246, sk101506, sk107543, sk107417, ..). Also, what is * Any from a firewalls perspective? How does a firewall define * Any? Are there exclusions from * Any? For Services everyone knows that Check Point per default excludes X11 from Any. How about Networks?Method 4: Using the Application and URL Filtering object 'Internet' Pro: Only applies to traffic heading outside the corporate network - to the DMZ and external interfaces. The object distinguishes between internal and external addresses. Con: This is only the default destination for Application and URL Filtering rules so you can only use this object in the destination column of Application and URL Filtering enabled rules and layers.Method 5: Negating a group that contains all your networks (similar to Method 3 without using a Group without Exclusion) Pro: Perfect definition of the Internet for the firewall and all of its automatic verification and validation mechanisms. Simple negation of all networks that your firewall 'knows' not to be part of the public, untrusted, external Internet. Con: Harder to understand for humans, especially in security policies with advanced complexity.Appendix:Menu > Global Properties > Non Unique IP AddressesIn the above window you can see the non-unique IPv4 and IPv6 address ranges.Security Management considers addresses that are routable on the Internet as unique, and private, non-routable addresses as being non-unique (duplicated). It is possible to add address ranges to the default list. There is normally no need to change the default addresses.This list is used by SmartDashboard to perform automatic validity checks on addresses.IPv4 AddressesRFC 1918 documents private address spaces which may be used on internal networks that will not have hosts directly connected to the Internet. The Internet assigned Numbers authority (IANA) has set aside the following three blocks of IP addresses for internal (private) network use:Class A network numbers:– B network numbers:– C network numbers:– an intranet that uses private addresses, a Check Point Security Gateway NAT gateway is put in place to connect the intranet to the Internet and translate the private addresses, to routable addresses. The default list of non-unique addresses are the three ranges specified in RFC 1918.IPv6 AddressesThere are so many IPv6 public addresses that is not usually necessary to assign private IPv6 addresses for an internal network. There is a "Unique Unicast" IP range of fc00::/7 that can be used for private IPv6 addresses as specified in RFC4193.