wenxiang_guo inside Remote Access Solutions yesterday
views 62 2

Multi-Factor Authentication with SMS

I have done a test with Postman using the code below, and it succeeded. But I do not know how to transfer these codes to the Check Point gateway. I did follow the Mobile Access admin guide (https://api.example.com/http/sendmsg?api_id=$APIID&user=$USERNAME&password=$PASSWORD&to=$PHONE&text=$MESSAGE), but the SMS provider does not have a username and password.

curl -X POST http://10.2.14.30:8080/MicroMsgHub/http/sendMsg
<DATA><COUNT>1</COUNT><TYPE>1</TYPE><SOURCE>20</SOURCE><ITEM><ID>aabbccddeeffggexf</ID><TO>15652702591</TO><TEMPLATE>SM200001</TEMPLATE><SHOULDSENDDATE>01</SHOULDSENDDATE><PARAMS><MSGCONTENT>188427</MSGCONTENT></PARAMS></ITEM></DATA>

Has anyone ever encountered such a situation before?

Check Point Endpoint Security client

Hi Team, I would like to know one thing: we are going to set up Remote Access VPN. We have both Mac and Windows users in my org. Is there any configuration required for Mac users on the Check Point side? Regards, Yatiraj
KWD inside Remote Access Solutions Thursday
views 63 1

2 Check Point gateways, 1 SMS, site-to-site VPN IKE failure

Hello, I am trying to connect a new (remote location) 3200 to an existing Check Point infrastructure consisting of 1 SMS and two 12400 gateways in a cluster. All devices are on 80.20. We have set up a site-to-site VPN. SIC connects, and when we push policies to the new 3200, it is successful. But we only get Phase 1 IKE up from the 12400 to the 3200. I have looked through assorted documentation but have not found a solution. Where do I start, or what could the problem be? "vpn tu" on the remote 3200 for "List all IKE SAs" says "No data to display". "vpn tu" on the 12400 for "List all IKE SAs" has 4 different SAs for the 3200 peer. Thanks
Damjan_Janev inside Remote Access Solutions Thursday
views 2655 9 3

Certificate VPN authentication against LDAP using userPrincipalName (R80.10)

Has anyone tried and succeeded in this? Since R80.10, sk61060 is no longer applicable and the relevant configuration is performed directly on the gateway object in VPN Clients -> Authentication. In the personal certificate I have:
Fetch Username From: Subject Alternative Name.UPN in the Login option
Common lookup type: User-Principal-Name / UPN (userPrincipalName) in the User Directories
The first part seems to be working OK. I can verify in the logs that the UPN is extracted from the certificate, but it is not matched against a UPN in LDAP. Login fails with unknown user. If I change everything to default (DN based), it works OK. If I change the Fetch Username From part to DN and leave the lookup UPN based, authentication succeeds. Looks like the lookup is always DN based, no matter what is selected. I even tried to use a custom lookup with userPrincipalName, but the behavior is the same. I am currently testing this on R80.10 with Jumbo Hotfix Accumulator Take 91.
ETA: Tried with Hotfix Accumulator Take 103 (latest). No change.
I am currently running a packet capture of the FW-DC communication and concluded that the above configuration results in an LDAP search based on sAMAccountName instead of userPrincipalName.
Dale_Lobb inside Remote Access Solutions Wednesday
views 419 7 1

MABDA support in R80.30

sk113410 contains the Mobile Access Portal Agent updates to support additional browsers other than IE. Unfortunately, there is no mention of R80.30 in the document. I just got off the phone with Check Point support, who were singularly unhelpful in this instance. We are contemplating upgrading to R80.30 in the very near term, but do not want to lose functionality. My question to support was: is there a hotfix for MABDA for R80.30, or if not, what is the release schedule? All they could tell me was that there is a release scheduled for Q3 or Q4 2019 for the Firefox on Mac update. So then I asked what browser support is baked into R80.30. They directed me to the release notes for R80.30, which, upon review, actually do not have any information on the topic. So: does anyone know which browsers are currently supported by the SSL Extended for R80.30 and/or what the release schedule might be for a hotfix to support the current list in sk113410?
Belchior inside Remote Access Solutions Monday
views 51 3

How to access VPN via Linux

Hello support, is there any sample client (Capsule - Windows 10) that can be used to authenticate to VPN using Linux?
AndrewZ inside Remote Access Solutions Monday
views 40 1

IPsec VPN packet flow.

Hello all! I have a simple question, but I can't clarify this point by googling. I have a box on R77.30 and an IPsec community-based VPN. The IPsec is a legacy solution and I need to migrate some networks to an L3VPN which is available via an 802.1Q subinterface on the firewall. By now, I use an aggregated prefix 10.0.0.0/8 (at the remote site) through IPsec. I need to migrate 10.1.1.0/24 to the L3VPN. Can I just make a new static route through the L3VPN subinterface, or should I change the IPsec settings (exclude 10.1.1.0/24 from the encryption domain, etc.)? The general point is where exactly the crypto policy is applied. Thanks in advance. Regards.
Blason_R inside Remote Access Solutions Sunday
views 31 1

Endpoint Connect VPN Compliance and scanning for Spyware

Hi there, I wanted to enable a basic compliance/posture check for Remote Access VPN clients connecting to my firewall. These clients are Office Mode users and not SNX. I guess, per my understanding, I don't need any additional licenses since I have already purchased 50-user Endpoint VPN/Office Mode licenses. So, enabling "Scan Endpoint for spyware and compliance" in Global Properties -> Remote Access -> Endpoint Connect and defining policies should suffice. Or do I need to activate any other settings to enforce these settings for the users? Please confirm. TIA, Blason R
Blason_R inside Remote Access Solutions a week ago
views 38 1

Endpoint compliance check for Endpoint Connect clients.

Hi there, I wanted to enable a basic compliance/posture check for Remote Access VPN clients connecting to my firewall. These clients are Office Mode users and not SNX. I guess, per my understanding, I don't need any additional licenses since I have already purchased 50-user Endpoint VPN/Office Mode licenses. So, enabling "Scan Endpoint for spyware and compliance" in Global Properties -> Remote Access -> Endpoint Connect and defining policies should suffice. Or do I need to activate any other settings to enforce these settings for the users? Or is ESOD only available for SNX? Please confirm. TIA, Blason R
Keld_Norman inside Remote Access Solutions a week ago
views 2072 7 5

How to get better grades @ SSL Labs Certificate scan

Can anyone here guide me on how to get a better score when I scan my firewall with the SSL Server Test (Powered by Qualys SSL Labs)? Is there a quick guide on how to enable forward secrecy, disable TLS v1.0, 1.1 and weak ciphers etc.? Best regards, Keld Norman

Thanks for the answers so far - I have collected them all, tested, and gotten better scores - here is what I did:

######################################################################
# HOW TO GET BETTER GRADES IN THE SSLLABS.COM SSL TEST
######################################################################

To get from the B to A I did the following:

Alter the portal to only support TLS 1.2. In my 80.10 SmartConsole: Global Properties -> Advanced Configuration -> Portal Properties: altered minimum version to TLS 1.2.
NB: Thanks to Claus Kjær for reminding me of this GUI way of doing things - I was trying to achieve this by altering conf files with vim in the expert shell..

Now to enable perfect forward secrecy support:
REF: Specific HTTPS sites that use ECDHE ciphers are not accessible when HTTPS Inspection is enabled (sk110883)

A note about the above sk110883: ECDHE is quite widely used and recommended. It works with elliptical keys and provides forward secrecy. It's used for the key exchange. ECDSA is not widely used though, but it does also use elliptical keys. It is used for authentication.

I logged on to the firewall via secure shell (I have a standalone installation with the manager and firewall running in a VM) and in expert mode pasted the following 3 lines in:

[Expert@firewall:0]# ckp_regedit -a SOFTWARE//CheckPoint//FW1 CPTLS_ACCEPT_ECDHE 1
ckp_regedit -a SOFTWARE//CheckPoint//FW1 CPTLS_PROPOSE_ECDHE 1
ckp_regedit -a SOFTWARE//CheckPoint//FW1 CPTLS_EC_P384 1

Then a reboot or just a cpstop/cpstart is needed:

[Expert@firewall:0]# nohup $(cpstop ; cpstart) &

Now the grade went from B to A.

Now to look at the suggested link from Dameon Welch Abernathy: Remove the weak ciphers related to TLS 1.2 (ref: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk120774)

So basically I just need to alter this in the file /web/templates/httpd-ssl.conf.templ:
ALTER: SSLCipherSuite HIGH:!RC4:!LOW:!EXP:!aNULL:!SSLv2:!MD5
TO: SSLCipherSuite ECDH:!aNULL:!ECDSA:!aECDH:!eNULL:!MD5:!SHA1

Again secure shell to the system - and in expert mode paste the lines below:

# Backup the file you want to alter first
[Expert@firewall:0]# cp /web/templates/httpd-ssl.conf.templ /web/templates/httpd-ssl.conf.templ.backup
# One-liner to replace the old line with the new using the sed utility
sed -i 's/SSLCipherSuite HIGH:!RC4:!LOW:!EXP:!aNULL:!SSLv2:!MD5/SSLCipherSuite ECDH:!aNULL:!ECDSA:!aECDH:!eNULL:!MD5:!SHA1/' /web/templates/httpd-ssl.conf.templ
# Test if the line was altered:
grep -i ^SSLCipherSuite /web/templates/httpd-ssl.conf.templ
(it should return: SSLCipherSuite ECDH:!aNULL:!ECDSA:!aECDH:!eNULL:!MD5:!SHA1)

Then reboot the firewall:
[Expert@firewall:0]# reboot

The Qualys SSL scan still only shows an A - I still have some weak ciphers 😕 To be continued..
Sanjay_S inside Remote Access Solutions 2 weeks ago
views 27

Mobile Access Blade Restrict Non-Domain machines

Hi All, I have configured the Mobile Access VPN for one of my customers. They do not want non-domain machines to connect to Mobile Access. So in the Mobile Access dashboard I have configured a rule under Endpoint Compliance to check the registry entry below: "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters", value "Domain"; if it is Not Equal to the domain they gave, it should restrict access. But they are still able to access with non-domain machines. Please help me troubleshoot this.
David_Spencer inside Remote Access Solutions 2 weeks ago
views 26 1

Adding a One time Password field to VPN client/clientless

I'm working on an MFA solution, and I've got the push notification side working, but I'm also trying to support hardware tokens. With the one time password they provide, I'm able to sign in, but to do this you have to use the following format:
user: username
password: password,onetimepassword
So the password with the OTP is comma delimited. I'm wondering if I'm able to add a separate field on the web VPN client and/or the Windows Check Point Mobile client. This way it can be less clunky and easier for users to understand.
abihsot__ inside Remote Access Solutions 2 weeks ago
views 1648 7 1

Mobile Access portal problem

Hi Guys, Has anyone encountered such an error in the trace logs between the gateway and the backend server:
[LOGGER_CURL_INFO/] |11:25:28.998| TLSv1.2 (OUT), TLS alert, Server hello (2):
[LOGGER_CURL_INFO/] |11:25:28.998| SSL read: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac, errno 0
[LOGGER_CURL_INFO/] |11:25:28.998| Closing connection 0
[LOGGER_CURL_INFO/] |11:25:28.998| TLSv1.2 (OUT), TLS alert, Client hello (1):
This happens on both R80.10 and R80.20, any JHF. The gateway is a VM on ESX. Due to this error some files are partially downloaded, hence the webpage is broken.
abihsot__ inside Remote Access Solutions 2 weeks ago
views 422 6

CVPND process consumes 100% CPU

Hi There, I have a problem - during policy push the cvpnd process goes to 100% for 30 seconds, during which existing or new connections are not served and users get a "page not displayed" error. I checked the debug of the cvpnd process and my findings are that 98% of the lines (out of 2 million) are:
[12609][23 Apr 17:35:12][ROLES] [ROLES (NAC::IS::TD::Events)] NAC::IS::ROLE_MATCHER_API::RangeList::intersect: no intersection
[12609][23 Apr 17:35:12][ROLES] [ROLES (NAC::IS::TD::Events)] NAC::IS::ROLE_MATCHER_API::RangeList::intersect: intersecting: [x.x.x.x.,x.x.x.x] and [x.x..x.x,x.x..x.x.x.]
[12609][23 Apr 17:35:12][ROLES] [ROLES (NAC::IS::TD::Events)] NAC::IS::ROLE_MATCHER_API::RangeList::intersect: no intersection
What is this ROLE_MATCHER_API doing? It seems it is flooding the process, hence it is busy with 100% load. R80.20 latest JHF.
Herschel_Liang inside Remote Access Solutions 2 weeks ago
views 453 1

How does Mobile Access VPN prevent brute-force attacks, apart from two-factor authentication, in CP?

How does Mobile Access VPN prevent brute-force attacks, apart from two-factor authentication, in CP? What can we configure in CP? Can CP use an identification verification code?