AndrewZ inside Remote Access Solutions 6 hours ago

IPsec VPN packet flow.

Hello all! I have a simple question but I can't clarify this point by googling. I have a box under R77.30 and an IPsec community-based VPN. The IPsec is a legacy solution and I need to migrate some networks to L3VPN, which is available via an 802.1Q subinterface on the firewall. By now, I use an aggregated prefix 10.0.0.0/8 (at the remote site) through IPsec. I need to migrate 10.1.1.0/24 to L3VPN. Can I just make a new static route through the L3VPN subinterface, or should I change the IPsec settings (exclude 10.1.1.0/24 from the encryption domain, etc.)? The general point is where exactly the crypto policy is applied. Thanks in advance. Regards.
Anton_Kazantsev inside Remote Access Solutions 10 hours ago

Multifactor login support for Mac clients

Is there a client version for macOS that supports multifactor authentication? sk111583 says that Endpoint Security VPN version E65 and above has it, but I found only version E64 for macOS clients.

2FA with RADIUS and other methods at the same time

Hello people, please help me by answering whether it's possible to do 2FA with RADIUS and other methods at the same time. For example, what I want is that group A authenticates with local credentials, group B with a certificate, group C with RADIUS, and group D with SecurID. Is it possible? Thank you very much. BR, LRS
Sagar_Manandhar inside Remote Access Solutions yesterday

VPN client for Ubuntu

Hi, is there any Ubuntu VPN client I can use to access the SSL VPN?
Gaia version: R77.30
Environment: Standalone
Thanks, Sagar Manandhar
stefan_o inside Remote Access Solutions Sunday

VPN Client for Ubuntu 18.04

Is there a way to connect Ubuntu 18.04 with a VPN client? Mobile Access is not working anymore with the new Firefox without the Java plugin. Thanks!
wenxiang_guo inside Remote Access Solutions Saturday

Multi-Factor Authentication with SMS

I have done a test with Postman using the code below, and it succeeded. But I do not know how to transfer these codes to the Check Point gateway. I followed the Mobile Access admin guide (https://api.example.com/http/sendmsg?api_id=$APIID&user=$USERNAME&password=$PASSWORD&to=$PHONE&text=$MESSAGE), but the SMS provider does not have a username and password.

curl -X POST http://10.2.14.30:8080/MicroMsgHub/http/sendMsg \
  -d '<DATA><COUNT>1</COUNT><TYPE>1</TYPE><SOURCE>20</SOURCE><ITEM><ID>aabbccddeeffggexf</ID><TO>15652702591</TO><TEMPLATE>SM200001</TEMPLATE><SHOULDSENDDATE>01</SHOULDSENDDATE><PARAMS><MSGCONTENT>188427</MSGCONTENT></PARAMS></ITEM></DATA>'

Has anyone ever encountered such a situation before?

Check Point Endpoint Security client

Hi Team, I would like to know one thing: we are going to set up Remote Access VPN. We have both Mac and Windows users in my org. Is there any configuration required for Mac users on the Check Point side? Regards, Yatiraj
KWD inside Remote Access Solutions Thursday

2 Check Point gateways, 1 SMS, site-to-site VPN IKE failure

Hello, I am trying to connect a new (remote location) 3200 to an existing Check Point infrastructure consisting of 1 SMS and 2 12400 gateways in a cluster. All devices are 80.20. We have set up a site-to-site VPN. SIC connects, and when we push policies to the new 3200, it is successful. But we only get "Up Phase 1 IKE" from the 12400 to the 3200. I have looked through assorted documentation, but have not found a solution. Where do I start, or what could the problem be? vpn tu on the remote 3200 for "List all IKE SAs" says "No data to display". vpn tu on the 12400 for "List all IKE SAs" has 4 different SAs for the 3200 peer. Thanks
Damjan_Janev inside Remote Access Solutions Thursday

Certificate VPN authentication against LDAP using userPrincipalName (R80.10)

Has anyone tried and succeeded in this? Since R80.10, sk61060 is no longer applicable and the relevant configuration is performed directly on the gateway object in VPN Clients -> Authentication. In the personal certificate I have:
Fetch Username From: Subject Alternative Name.UPN in the Login option
Common lookup type: User-Principal-Name / UPN (userPrincipalName) in the User Directories
The first part seems to be working OK. I can verify in the logs that the UPN is extracted from the certificate, but it is not matched against a UPN in LDAP. Login fails with unknown user. If I change everything to default (DN based), it works OK. If I change the Fetch Username From part to DN, and leave the lookup to be UPN based, authentication succeeds. Looks like the lookup is always DN based, no matter what is selected. I even tried to use a custom lookup with userPrincipalName, but the behavior is the same. I am currently testing this on R80.10 with Jumbo Hotfix Accumulator Take 91.
ETA: Tried with Hotfix Accumulator Take 103 (latest). No change. I am currently running some packet captures of the FW-DC communication and concluded that the above configuration results in an LDAP search based on sAMAccountName instead of userPrincipalName.
Dale_Lobb inside Remote Access Solutions Wednesday

MABDA support in R80.30

SK113410 contains the Mobile Access Portal Agent updates to support additional browsers other than IE. Unfortunately, there is no mention of R80.30 in the document. I just got off the phone with Check Point support, who were singularly unhelpful in this instance. We are contemplating upgrading to R80.30 in the very near term, but do not want to lose functionality. My question to support was: is there a hotfix for MABDA for R80.30, or if not, what is the release schedule? All they could tell me was that there is a release scheduled for Q3 or Q4 2019 for the Firefox on Mac update. So then I asked what browser support is baked into R80.30. They directed me to the release notes for R80.30, which, upon review, actually do not have any information on the topic. So: does anyone know which browsers are currently supported by the SSL Extended for R80.30 and/or what the release schedule might be for a hotfix to support the current list in sk113410?
Belchior inside Remote Access Solutions a week ago

How to access VPN via Linux

Hello support, is there any sample client (Capsule - Windows 10) that can be used to authenticate to the VPN using Linux?
Blason_R inside Remote Access Solutions a week ago

Endpoint Connect VPN Compliance and scanning for Spyware

Hi there, I wanted to enable a basic compliance/posture check for Remote Access VPN clients connecting to my firewall. These clients are Office Mode users and not SNX. I guess, per my understanding, that I don't need any additional licenses since I have already purchased 50-user Endpoint VPN/Office Mode licenses. So, enabling "Scan Endpoint for spyware and compliance" in Global Properties -> Remote Access -> Endpoint Connect and defining policies should suffice for my need. Or do I need to activate any other settings to make these settings enforced for the users? Please confirm. TIA, Blason R
Blason_R inside Remote Access Solutions 2 weeks ago

Endpoint compliance check for Endpoint Connect clients.

Hi there, I wanted to enable a basic compliance/posture check for Remote Access VPN clients connecting to my firewall. These clients are Office Mode users and not SNX. I guess, per my understanding, that I don't need any additional licenses since I have already purchased 50-user Endpoint VPN/Office Mode licenses. So, enabling "Scan Endpoint for spyware and compliance" in Global Properties -> Remote Access -> Endpoint Connect and defining policies should suffice for my need. Or do I need to activate any other settings to make these settings enforced for the users? Or is ESOD only available for SNX? Please confirm. TIA, Blason R
Keld_Norman inside Remote Access Solutions 2 weeks ago

How to get better grades @ SSL Labs Certificate scan

Can anyone here guide me on how to get a better score when I scan my firewall with the SSL Server Test (Powered by Qualys SSL Labs)? Is there a quick guide on how to enable forward secrecy, disable TLS v1.0, 1.1 and weak ciphers etc.?

Best regards
Keld Norman

Thanks for the answers so far - I have collected them all, tested and gotten better scores. Here is what I did:

######################################################################## HOW TO GET BETTER GRADES IN THE SSLLABS.COM SSL TEST ########################################################################

To get from the B to A I did the following:

Alter the portal to only support TLS 1.2
In my 80.10 SmartConsole: Global Properties -> Advanced Configuration -> Portal Properties: altered minimum version to TLS 1.2
NB: Thanks to Claus Kjær for reminding me of this GUI way of doing things - I was trying to achieve this by altering conf files with vim in the expert shell..

Now to enable perfect forward secrecy support:
REF: Specific HTTPS sites that use ECDHE ciphers are not accessible when HTTPS Inspection is enabled (sk110883)
A note about the above sk110883: ECDHE is quite widely used and recommended. It works with elliptical keys and provides forward secrecy. It's used for the key exchange. ECDSA is not widely used though, but it does also use elliptical keys. It is used for authentication.

I logged on to the firewall via secure shell (I have a standalone installation with the manager and firewall running in a VM) and in expert mode pasted the following 3 lines in:

[Expert@firewall:0]# ckp_regedit -a SOFTWARE//CheckPoint//FW1 CPTLS_ACCEPT_ECDHE 1
ckp_regedit -a SOFTWARE//CheckPoint//FW1 CPTLS_PROPOSE_ECDHE 1
ckp_regedit -a SOFTWARE//CheckPoint//FW1 CPTLS_EC_P384 1

Then a reboot or just a cpstop/cpstart is needed:
[Expert@firewall:0]# nohup sh -c 'cpstop ; cpstart' &

Now the grade went from B to A.

Now to look at the suggested link from Dameon Welch Abernathy: Remove the weak ciphers related to TLS 1.2 (ref: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk120774)

So basically I just need to alter this in the file /web/templates/httpd-ssl.conf.templ
ALTER: SSLCipherSuite HIGH:!RC4:!LOW:!EXP:!aNULL:!SSLv2:!MD5
TO: SSLCipherSuite ECDH:!aNULL:!ECDSA:!aECDH:!eNULL:!MD5:!SHA1

Again secure shell to the system - and in expert mode paste the lines below:

# Backup the file you want to alter first
[Expert@firewall:0]# cp /web/templates/httpd-ssl.conf.templ /web/templates/httpd-ssl.conf.templ.backup
# One-liner to replace the old line with the new one using sed
sed -i 's/SSLCipherSuite HIGH:!RC4:!LOW:!EXP:!aNULL:!SSLv2:!MD5/SSLCipherSuite ECDH:!aNULL:!ECDSA:!aECDH:!eNULL:!MD5:!SHA1/' /web/templates/httpd-ssl.conf.templ
# Test if the line was altered:
grep -i ^SSLCipherSuite /web/templates/httpd-ssl.conf.templ
(it should return: SSLCipherSuite ECDH:!aNULL:!ECDSA:!aECDH:!eNULL:!MD5:!SHA1)

Then reboot the firewall..
[Expert@firewall:0]# reboot

The Qualys SSL scan still only shows an A - I still have some weak ciphers 😕 To be continued..
Sanjay_S inside Remote Access Solutions 2 weeks ago

Mobile Access Blade Restrict Non-Domain machines

Hi All, I have configured the Mobile Access VPN for one of my customers. They do not want non-domain machines to connect to Mobile Access. So in the Mobile Access dashboard I have configured a rule under Endpoint Compliance to check the registry entry "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters", value "Domain", and if it is Not Equal to the domain they gave, it should restrict the access. But they are still able to access with non-domain machines. Please help with how to troubleshoot this.