Christoph_Holzi
Christoph_Holzi inside Remote Access Solutions yesterday
views 1951 22 2

Multiple Remote Access Communities (GW Version?)

Hello, when playing around in R80.10-Management today, I discovered that it's now possible to define multiple remote access communities (including defining different vpn domains for each RAC). First of all, thank you CheckPoint - I've been waiting for this feature for so long. [edit 07.01.: more a bug than a feature, see below] I couldn't find any hints regarding multiple RACs in the R80.10 Release Notes/HFA Notes/Support-Center. So my questions are: Is there any official statement whether the GW has to run R80.10 or can this be configured for a R77.30 GW (managed by R80.10 SM) as well? (added) Any experiences/considerations when using on VSX? Thanks in advance! Greetings Christoph
Anton_Kazantsev
Anton_Kazantsev inside Remote Access Solutions yesterday
views 826 9 1

Multifactor login support for mac clients

Is there a client version for MacOS that supports multifactor authentication? Sk111583 says that Endpoint Security VPN version E65 and above has it, but I found only version E64 for MacOS clients.
AndyDixon
AndyDixon inside Remote Access Solutions yesterday
views 94 2

Add additional IP routes to Check Point Endpoint Security VPN client?

Dear Checkmates. This is my first post and I am new to Checkpoint products so please accept my apologies if information is missing or incomplete. I would welcome advice on what details to provide in future. My organisation's public Internet perimeter is protected by a pair of CPAP-SG5900-NGTX appliances running Gaia R80.20 in a cluster XL configuration. These appliances have the Mobile Access blade licensed (amongst other blades). We have remote clients connecting to the 5900 appliances via the Checkpoint Endpoint Security VPN software (E80.87 Build 986009514). I have had a request to route a particular public IP address over the VPN tunnel instead of natively routing via the Public Internet. I can see that many extra IP routes are added to the client's routing table when the VPN software is connected. When the VPN is disconnected, these additional IP routes are no longer present. The new destination IP address does not appear in the list of additional routes. I assume that these additional routes are downloaded from the appliance? My question is how and where are these additional routes configured? The R80.20 administration guide suggests using the Check Point Database Tool (GuiDBedit) via sk13009 but I am unable to load this application when I point it at either of the appliances or the mgmt. appliance. I receive a pop up telling me that the 'Connection cannot be initiated'. A Google search of this suggests that there may be a firewall rule blocking access. I have not explored this further in case there is another solution. Again, apologies if my explanation is missing any important information. Please let me know what information will assist further. Many thanks, Andy
AndrewZ
AndrewZ inside Remote Access Solutions Wednesday
views 88 3

IPsec VPN packet flow.

Hello all! I have a simple question but I can't clarify this point by googling. I have a box under R77.30 and IPsec community based VPN. The IPsec is a legacy solution and I need to migrate some networks to L3VPN which is available via an 802.1Q subinterface on the firewall. By now, I use an aggregated prefix 10.0.0.0/8 (at remote site) through IPsec. I need to migrate 10.1.1.0/24 to L3VPN. Can I just make a new static through the L3VPN subinterface or should I change IPsec settings (exclude 10.1.1.0/24 from encryption domain or etc.)? The general point is where exactly the crypto policy is applied. Thanks in advance. Regards.
Lenin_Ramirez
Lenin_Ramirez inside Remote Access Solutions Wednesday
views 73 1

2FA With RADIUS and other methods at the same time

Hello People, Please your help answering if it's possible 2FA with RADIUS and other Methods at the same time. For example, what I want is that a group A authenticate with local credentials, group B with certificate, group C with RADIUS, group D with SecurId. Is it possible?? Thank you very much. BR LRS
Sagar_Manandhar
Sagar_Manandhar inside Remote Access Solutions Monday
views 56710 12

VPN client for ubuntu

Hi, is there any Ubuntu VPN client I can use to access the SSL VPN? Gaia version: R77.30 Environment: Standalone Thanks Sagar Manandhar
stefan_o
stefan_o inside Remote Access Solutions Sunday
views 75 1

VPN Client for Ubuntu 18.04

Is there a way to connect Ubuntu 18.04 with a VPN client? Mobile Access is not working anymore with new Firefox without Java plugin. Thanks!
wenxiang_guo
wenxiang_guo inside Remote Access Solutions Saturday
views 77 2

Multi-Factor Authentication with SMS

I have done a test by Postman with the below code, it succeeded. But I do not know how to transfer these codes to checkpoint gateway. I did follow the mobile access admin guide (https://api.example.com/http/sendmsg?api_id=$APIID&user=$USERNAME&password=$PASSWORD&to=$PHONE&text=$MESSAGE ), but the SMS provider does not have username and password. "curl -X POST \http://10.2.14.30:8080/MicroMsgHub/http/sendMsg<DATA><COUNT>1</COUNT><TYPE>1</TYPE><SOURCE>20</SOURCE><ITEM><ID>aabbccddeeffggexf</ID><TO>15652702591</TO><TEMPLATE>SM200001</TEMPLATE><SHOULDSENDDATE>01</SHOULDSENDDATE><PARAMS><MSGCONTENT>188427</MSGCONTENT></PARAMS></ITEM></DATA>" Has anyone ever encountered such a situation before?

Check Point Endpoint Security client

Hi Team, I would like to know one thing, we are going to set-up Remote access VPN. We have both Mac and Windows users in my org. Is there any configuration required to do for Mac user on Check Point side. Regards Yatiraj
KWD
KWD inside Remote Access Solutions a week ago
views 75 1

2 Checkpoint gateways, 1 SMS, site to site VPN ike failure

Hello, I am trying to connect a new (remote location) 3200 to an existing Checkpoint infrastructure consisting of 1 SMS and 2-12400 gateways in a cluster. All devices are 80.20. We have set up a site to site VPN. SIC connects, and when we push policies to the new 3200, it is successful. But we only get Up Phase 1 IKE from the 12400 to the 3200. I have looked through assorted documentation, but have not found a solution. Where do I start or what could the problem be? VPN tu on the remote 3200 for List all IKE SAs says, "No data to display". VPN tu on the 12400 for List all IKE SAs has 4 different SAs for the 3200 peer. Thanks
Damjan_Janev
Damjan_Janev inside Remote Access Solutions a week ago
views 2675 9 3

Certificate VPN authentication against LDAP using userPrincipalName (R80.10)

Has anyone tried and succeeded in this? Since R80.10, sk61060 is no longer applicable and the relevant configuration is performed directly on the gateway object in VPN Clients -> Authentication. In the personal certificate I have: Fetch Username From: Subject Alternative Name.UPN in the Login option; Common lookup type: User-Principal-Name / UPN (userPrincipalName) in the User Directories. The first part seems to be working OK. I can verify in the logs that UPN is extracted from the certificate but it is not matched against a UPN in LDAP. Login fails with unknown user. If I change everything to default (DN based), it works OK. If I change the Fetch Username From part to DN, and leave the lookup to be UPN based, authentication succeeds. Looks like the lookup is always DN based, no matter what is selected. I even tried to use custom lookup with userPrincipalName, but the behavior is the same. I am currently testing this on R80.10 with Jumbo Hotfix Accumulator Take 91. ETA: Tried with Hotfix Accumulator Take 103 (latest). No change. I am currently running some packet capture of the FW-DC communication and concluded that the above configuration results in LDAP search based on sAMAccountName instead of userPrincipalName
Dale_Lobb
Dale_Lobb inside Remote Access Solutions a week ago
views 431 7 1

MABDA support in R80.30

SK113410 contains the Mobile Access Portal Agent updates to support additional browsers other than IE. Unfortunately, there is no mention of R80.30 in the document. I just got off the phone with CheckPoint support who were singularly unhelpful in this instance. We are contemplating upgrading to R80.30 in the very near term, but do not want to lose functionality. My question to support was: is there a hotfix for MABDA for R80.30 or if not, what is the release schedule. All they could tell me was that there is a release scheduled for Q3 or Q4 2019 for the Firefox on MAC update. So then I asked what browser support is baked into R80.30? They directed me to the release notes for R80.30, which, upon review, actually do not have any information on the topic. So: Does anyone know which browsers are currently supported by the SSL Extended for R80.30 and/or what the release schedule might be for a hotfix to support the current list in sk113410?
Belchior
Belchior inside Remote Access Solutions 2 weeks ago
views 60 3

How to access VPN via Linux

Hello support, is there any sample client (Capsule - Windows 10) that can be used to authenticate to VPN using Linux?
Blason_R
Blason_R inside Remote Access Solutions 2 weeks ago
views 35 1

Endpoint Connect VPN Compliance and scanning for Spyware

Hi there, I wanted to enable basic compliance/posture check for Remote Access VPN clients connecting to my firewall. These clients are Office mode users and not SNX. I guess and per my understanding, I don't need to have any licenses since I already have purchased 50 user Endpoint VPN/office mode licenses. So, by enabling "Scan Endpoint for spyware and compliance" in Global properties -> Remote Access -> Endpoint Connect and defining policies should suffice my need. Or do I need to activate any other settings to make these settings enforced for the users? Please confirm. TIA Blason R
Blason_R
Blason_R inside Remote Access Solutions 2 weeks ago
views 40 1

Endpoint compliance check for Endpoint Connect clients.

Hi there, I wanted to enable basic compliance/posture check for Remote Access VPN clients connecting to my firewall. These clients are Office mode users and not SNX. I guess and per my understanding, I don't need to have any licenses since I already have purchased 50 user Endpoint VPN/office mode licenses. So, by enabling "Scan Endpoint for spyware and compliance" in Global properties -> Remote Access -> Endpoint Connect and defining policies should suffice my need. Or do I need to activate any other settings to make these settings enforced for the users? Or ESOD is only available for SNX? Please confirm. TIA Blason R