SMB Appliances and SMP

Have a question about our Small Business Security and Branch Office Security solutions? This is where to ask! This includes the 600, 700, 900, 1400, and 1500 Series appliances, Security Management Portal, and legacy SMB appliances (UTM-1 EDGE, Safe@).

Dick_Summers
Dick_Summers inside SMB Appliances and SMP 34m ago
views 265 8

790 appliance High Availability Configuration

790 WiFi appliance is in production with two Internet connections, and multiple defined objects and rules, local switch is defined and two WiFi segments, one guest and one with access to LAN. I was advised to: 1) back up the existing 790, 2) confirm both units have same firmware, 3) flatten existing unit retaining existing firmware version, 4) set up first unit as Primary HA, 5) set up second unit as HA, 6) restore backup to newly created cluster to retain objects and rules. When I restored the backup to the cluster, it brought back the objects and rules, but overwrote the cluster configuration and would not operate normally until the second unit was taken offline. Question: Can I configure cluster from the existing device (with its rules and objects in place) by simply adding the second unit, or must I flatten the existing unit, create the cluster with both "bare" units, then recreate the objects and rules?
PhoneBoy
inside SMB Appliances and SMP 8 hours ago
views 268 6
Admin

1500 SMB Appliances and Watchtower: TechTalk and Q&A

On 13th November 2019, @Amir_Ayalon and @Nir_Lukach gave a TechTalk on the newly released SMB Appliances (1500 Series) plus a bit about the Watchtower, a mobile app to monitor and maintain SMB appliances. Materials available to CheckMates members: Slides (coming soon), Video. Q&A asked during the session will be posted as comments to this post.
CPnoob
CPnoob inside SMB Appliances and SMP Friday
views 73 3

Issue using block of WAN IP addresses

I have a CPAP 730 firewall, two servers I need to hide behind public addresses and from my ISP I have 87.x.x.128/29 IP addresses. My firewall gets .130 as it is the first available IP address. My problem is I don't know how to use the other available addresses to hide behind.
Amir_Ayalon
inside SMB Appliances and SMP Friday
views 1113 32 7
Employee

SMB - New Product announcement - 1500 Series Security Gateways

Hi All,

We are happy to announce the release of the new 1500 series security gateways for SMBs. Our first models to be announced are the 1550 and 1590 gateways, which set new standards of protection against the most advanced fifth-generation cyber attacks.

The 1550 and 1590 gateways are powered by Check Point’s R80 release. R80 is the industry’s most advanced security management software, and includes multi-layered next-generation protection from both known threats and zero-day attacks using the award-winning SandBlast™ Zero-Day Protection, plus antivirus, anti-bot, IPS, app control, URL filtering and identity awareness.

The 1500 Security Gateways offer integrated, multi-layered security in a compact desktop form factor. Setup can be done in minutes using pre-defined security policies and our step-by-step configuration wizard. Check Point 1500 Security Gateways are conveniently manageable both locally via a Web interface and centrally by means of a cloud-based Check Point Security Management Portal (SMP) or R80 Security Management.

The new 1500 series empowers Small and Midsize businesses with Enterprise Grade Security:

- 100% block score for malware prevention for email and web, exploit resistance and post-infection catch rate, as seen in the NSS Labs’ recent Breach Prevention Systems (BPS) Group Test
- Up to 2 times more performance from previous generations. The 1550 Gateway offers 450Mbps of threat prevention performance, and the 1590 Gateway offers 660Mbps
- The 1550 provides maximum firewall throughput of 2Gbps and the 1590 provides maximum firewall throughput of 4Gbps
- The 1550 features six 1GbE ports and the 1590 features ten 1GbE ports.
- Check Point WatchTower mobile application enables IT staff to monitor their networks and quickly mitigate security threats on the go from their mobile device
- Out-of-the-box zero-touch provisioning allows for under 1-minute setup
- IoT devices discovery and recognition for accurate security policy definition.

Want to know more?

Visit the 1500 Series Security Gateways SK: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk157412

And the R80.20 for Small and Medium Business Appliances: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk159173

For full product specifications, visit: https://www.checkpoint.com/products/small-business-security/

Amir Ayalon | SMB Project Management Team Leader, Check Point SW Technologies | +972-733-79-8629 | Mobile: +972-545-787673 | amiray@checkpoint.com
HristoGrigorov
HristoGrigorov inside SMB Appliances and SMP Thursday
views 139 7

HTTP/2 over TLS

Regarding inspection of HTTP/2 over TLS there is the SK116022 but what do you say? Is it valid for 77.20.87? Because I have HTTPS Inspection enabled and it does not look like it is inspecting that kind of traffic.
mmitic
mmitic inside SMB Appliances and SMP Thursday
views 157 2

750 appliance - DHCP reservation on Office Mode Network

Hello, Can I make DHCP reservation on Office Mode Network for clients connecting via VPN? Thanks in advance. Regards
Baasanjargal_Ts
Baasanjargal_Ts inside SMB Appliances and SMP Wednesday
views 96 1

SMB bridge mode

How to deploy bridge mode SMB 790 appliance. We created bridge and added two interfaces. But it must configure IP address and subnet mask. I don't want to configure any IP address on the bridge. I just want layer 2 bridging. Just bridge external interface and internal interface. How to do it?
Dick_Summers
Dick_Summers inside SMB Appliances and SMP Wednesday
views 120 3

1500 models HA and local switch

On the 1500 models, does HA mode require the local switch to be disabled as did the 700 models?
John_Fleming
John_Fleming inside SMB Appliances and SMP Tuesday
views 203 1

SMB host based (dynamic) IKEv2 S2S - Global Identifier bug

Dear Abby, In troubleshooting a hostname to hostname site to site VPN on a self managed 730, I found a typical strange checkpoint VPN issue. If the remote starts the connection the tunnel comes up fine. If the local 730 starts the tunnel we get phase II failure. I checked and double checked the networks via ikeview (geez when can I stop using this?) and compared working to not working. What I found was the checkpoint would accept its name as listed in the global identifier of the s2s config, but when the checkpoint initiates the tunnel it would advertise its name as its external IP address. I tried the override global identifier option with the correct name as well. Made no difference. Firewall is still ignoring this setting and sticking the external IP address as the identifier. I don't have a support contract on this firewall but we have 3 CP1550s on the way so we'll check it out again then. BTW this is a 730 running - R77.20.86 - Build 855
Neil_Wkd
Neil_Wkd inside SMB Appliances and SMP a week ago
views 194 1

SMB 1100 not showing imported certificates

We have a couple of 1100 appliances which we recently upgraded from R75.20 to R77.80.20 so that we could import a third party signed Cert for the WebUI. We have successfully imported onto 1400 appliances previously. When importing, the import appears to run successfully - no errors, crt files appear in /pfrm2.0/config1/fw1/conf, but not in Web UI. Certificate is not available to apply under Device Details. 1 1100 failed to upgrade so was factory reset and built direct to R77.20.80 and successfully imported cert but others fail. Any suggestions, anyone seen this? Neil
David_Charnon
David_Charnon inside SMB Appliances and SMP a week ago
views 225 3

Remote site encryption domain

We have a remote user which we will be setting up a site to site VPN using a locally managed 1430 appliance (at user site) and a centrally managed Check Point gateway (in datacenter). The user needs to have traffic from corporate assets use the VPN tunnel (including traffic bound for internet) and traffic from personal devices not go through the tunnel (i.e. straight to the internet). My plan was to have him connect his personal devices to the DMZ interface (which I have assigned a separate network) and have corporate devices use the LAN switch. I have configured the VPN site and have set the Remote Site Encryption Domain to "Route all traffic through this site." I chose this to have all the traffic from corporate assets (including traffic bound for internet) go through the tunnel. I am unsure, however, if "all traffic" includes traffic from devices connected to the DMZ interface. Does anyone know if "all traffic" in this setting includes traffic sourced from behind DMZ interface? If yes, any suggestions as to how to accomplish what I need? Thanks, Dave
IgorD
IgorD inside SMB Appliances and SMP 2 weeks ago
views 183

Switching network interfaces on 1100/1430 Appliance

Hi! There was a very useful command on UTM-1 Edge devices, "swap wanconn". Is there an analogue of this command on 1100/1430 Appliance?
David_Mosca
David_Mosca inside SMB Appliances and SMP 2 weeks ago
views 237 4

Routing config for Checkpoint 750 and MPLS

Hi all, I have a customer with a new MPLS network and a Checkpoint 750 in place as per the diagram below. A few notes: 1. MPLS acts as a private network for the customer. 2. Internet access for Branch office has to go through HO. I've configured the DMZ port for the private network and have full connectivity between HO and the branch network. However, the branch PCs can't access the Internet. I have (I think) all the correct routes and policies in place. When I try to browse the web from the branch office, I can see DNS and HTTPS activity from the branch office in the firewall logs (all allowed), but the web sessions never connect. There are no proxies in use and PC firewall is off. ICMP also fails from the branch PC to the web (but is ok for HO LAN). The other option would be to go straight from the MPLS to our network switch at HO, but we want to have the option to restrict branch traffic and investigate logs. Is this a firewall issue, or an MPLS routing issue? Any and all help/suggestions appreciated. Thanks, David
LuisSP
LuisSP inside SMB Appliances and SMP 2 weeks ago
views 259 2

SSL inspection policy - additional HTTPS ports

Hello everyone. Recently I started to reorganize the rulebase on a 1490 appliance with R77.20.87. I decided to turn on SSL inspection, and probe each site/application that I had activated on the rulebase previously. The point is that I found some HTTPS web sites with non-standard ports, for example https://www4.oxxo.com:9443/facturacionElectronica-web/views/layout/inicio.do, so I added the ports needed to the "SSL inspection policy - additional HTTPS ports" property in ADVANCED SETTINGS (I have 3 cases with different ports). My doubt is... is it good practice to resolve these cases by modifying that property (SSL inspection policy - additional HTTPS ports)? Is there another, better way to fix this issue? Thanks in advance for your comments
G_W_Albrecht
G_W_Albrecht inside SMB Appliances and SMP 2 weeks ago
views 318 5

sk163296 Management Platforms per SMB Appliance

We have received a new SMB sk: sk163296: Management Platforms per SMB Appliance. While the table itself is valuable (at least for historical reasons), the presented information for 1500 Series is incorrect! It reads Centrally Managed Version by R80.30 Jumbo Take_76 / R80.40 - and although I can say nothing about R80.40, SMS R80.30 Jumbo Take_76 cannot manage a 1550. As the model is not shown in Dashboard you can either:
- you disguise it as a 1490, then SW Version is shown as 77.20 and only access policy can be installed and TP policy fails
- you can try to create an "other" R80.20 GW out of it, then TP policy can be installed but Access Policy fails
I have given appropriate feedback already...