cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post
SMB Appliances and SMP

Have a question about our Small Business Security and Branch Office Security solutions? This is where to ask! This includes the 600, 700, 900, 1400, and 1500 Series appliances, Security Management Portal, and legacy SMB appliances (UTM-1 EDGE, Safe@).

mmitic
mmitic inside SMB Appliances and SMP yesterday
views 18

750 appliance - DHCP reservation on Office Mode Network

Hello,Can I make DHCP reservation on Office Mode Network for clients connecting via VPN?Thanks in advance.Regards
Neil_Wkd
Neil_Wkd inside SMB Appliances and SMP Saturday
views 99 1

SMB 1100 not showing imported certificates

We have a couple of 1100 appliances which we recently upgraded from R75.20 to R77.80.20 so that we could import a third party signed Cert for the WebUI. We have successfully imported onto 1400 appliances previously.when importing the import appears to run successfully - No errors, crt files appear in /pfrm2.0/config1/fw1/conf. but not in Web UI.Certificate is not availabe to apply under Device Details.1 1100 failed to upgrade sp was factory reset and built direct to R77.20.80 and successfully imported cert but others fail.Any suggestions, anyone seen this?Neil  
John_Fleming
John_Fleming inside SMB Appliances and SMP Thursday
views 110

SMB host based (dynamic) IKEv2 S2S - Global Identifier bug

Dear Abby,In trouble shooting a hostname to hostname site to site vpn on a self manged 730, I found a typical strange checkpoint vpn issue. If the remote starts the connection the tunnel comes up fine. If the local 730 start the tunnel we get phase II failure. I checked and double checked the networks via ikeview (geez when can i stop using this?) and compared working to not working. What I found was the checkpoint would accept its name as listed in the global identified of the s2s config, but when the checkpoint initiates the tunnel it would advertise its name as its external IP address. I tried the override global identifier option with the correct name as well. Made no difference. Firewall is still ignoring this setting at sticking the external IP address as the identifier.  I don't have a support contract on this firewall but we have 3 CP1550s on the way so we'll check it out again then. BTW this is a 730 running - R77.20.86 - Build 855
David_Charnon
David_Charnon inside SMB Appliances and SMP Thursday
views 134 3

Remote site encryption domain

We have a remote user which we will be setting up a site to site VPN using a locally managed 1430 appliance (at user site) and a centrally managed Check Point gateway (in datacenter).The user needs to have traffic from corporate assets use the VPN tunnel (including traffic bound for internet) and traffic from personal devices not go through the tunnel (i.e. straight to the internet).My plan was to have him connect his personal devices to the DMZ interface (which I have assigned a separate network) and have corporate devices use the LAN switch. I have configured the VPN site and have set the Remote Site Encryption Domain to "Route all traffic through this site." I chose this to have all the traffic from corporate assets (including traffic bound for internet) go through the tunnel. I am unsure, however, if "all traffic" includes traffic from devices connected to the DMZ interface.Does anyone know if "all traffic" in this setting includes traffic sourced from behind DMZ interface? If yes, any suggestions as to how to accomplish what I need? Thanks,Dave
Dick_Summers
Dick_Summers inside SMB Appliances and SMP Wednesday
views 230 4

790 appliance High Availability Configuration

790 WiFi appliance is in production with two Internet connections, and multiple defined objects and rules, local switch is defined and two WiFi segments, one guest and one with access to LAN.I was advised to: 1) backup the existing 790 2) confirm both units have same firmware 3) flatten existing unit retaining existing firmware version 4) setup first unit as Primary HA 5) setup second unit as HA, 6) restore backup to newly created cluster to retain objects and rules.When I restored the backup to the cluster, it brought back the objects and rules, but overwrote the cluster configuration and would not operate normally until the second unit was taken off line.Question: Can I configure cluster from the existing device (with its rules and objects in place) by simply adding the second unit, or must I flatten the existing unit, create the cluster with both "bare" units, then recreate the objects and rules?
IgorD
IgorD inside SMB Appliances and SMP Wednesday
views 129

Switching network interfaces on 1100/1430 Appliance

Hi!There was a very usefull command on UTM-1 Edge devices "swap wanconn"Is there an analogue of this command on1100/1430 Appliance.  
David_Mosca
David_Mosca inside SMB Appliances and SMP Tuesday
views 216 4

Routing config for Checkpoint 750 and MPLS

Hi all,I have a customer with a new MPLS network and a Checkpoint 750 in place as per the diagram below. A few notes:1. MPLS acts as a private network for the customer2. Internet access for Branch office has to go through HO- I've configured the DMZ port for the private network and have full connectivity between HO and the branch network. However, the branch PCs can't access the Internet. I have (I think) all the correct routes and policies in place. When I try to browse the web from the branch office, I can see DNS and HTTPS activity from the branch office in the firewall logs (all allowed), but the web sessions never connect. There are no proxies in use and PC firewall is off. ICMP also fails from the branch PC to the web (but is ok for HO LAN).The other option would be to go straight from the MPLS to our network switch at HO, but we want to have the option to restrict branch traffic and investigate logs. Is this a firewall issue, or an MPLS routing issue? Any and all help/suggestions appreciatedThanks,David
LuisSP
LuisSP inside SMB Appliances and SMP Tuesday
views 245 2

SSL inspection policy - additional HTTPS ports

Hello everyone. Recently I started to reorganize rulebase on 1490 appliance with r77.20.87. I decided to turn on ssl inspection, and probe each site/application that I has activated on rulebase previously. Point is that I found some https web sites with non standards ports, by example https://www4.oxxo.com:9443/facturacionElectronica-web/views/layout/inicio.do, so I added to "SSL inspection policy - additional HTTPS ports" property in ADVANCED SETTINGS the ports needed ( I has 3 cases with differents ports). My dude is.....is good practice to resolve this cases by modify that property? (SSL inspection policy - additional HTTPS ports). Is there other...and better way to fix this issue? By advance, thanks for your comments
G_W_Albrecht
G_W_Albrecht inside SMB Appliances and SMP a week ago
views 305 5

sk163296 Management Platforms per SMB Appliance

We have received a new SMB sk: sk163296: Management Platforms per SMB Appliance While the table itself is valuable (at least for historical reasons), the presented information for 1500 Series is incorrect! It reads Centrally Managed Version by R80.30 Jumbo Take_76 / R80.40 -  and although i can say nothing about R80.40, SMS R80.30 Jumbo Take_76 can not manage a 1550. As the model is not shown in Dashboard you can either: - you disguise it as a 1490, then SW Version is shown as 77.20 and only access policy can be installed and TP policy c fails - you can try to create an "other" R80.20 GW out of it, then TP policy can be installed but Access Policy fails I have given appropriate feedback already...
humt
humt inside SMB Appliances and SMP a week ago
views 306 4

Malware deducted

I am using the Checkpoint 730 with latest firmware 86.    Few queries in my mind 1) Malware has been Infected. I am not sure it has been removed automatic or not. 2) How system has been infected when internet is pass through the firewall only.3) I have scan with kaspersky Antivirus but the infected system has been not deducted the malware. So i have to install Bitdefender for remove the malware because there are 4 results which deducted as Malware according to Virustotal?  Sorry if this is in wrong category section, please move this thread to another category.  
HristoGrigorov
HristoGrigorov inside SMB Appliances and SMP 2 weeks ago
views 7998 123 2

R77.20.85 performance issue on centrally managed SMB

Guys,That build is causing significant traffic delays and CPU load is higher than that of R77.20.81. Any of you experiencing similar problem ?
Steffen_Appel
Steffen_Appel inside SMB Appliances and SMP 2 weeks ago
views 271 4

Bridge Control Protocol

Hi, I am trying to set up an L2TP-tunnel. The provider needs BCP on it - is that possible with checkpoint? Thanks
Martin_Valenta
Martin_Valenta inside SMB Appliances and SMP 2 weeks ago
views 231 1

Pulling "fw ver" via ssh from Gaia Embedded

Trying to pull via paramiko python module to get, when running "fw ver" via ssh it shows something like this:This is Check Point's 1490 Appliance Major Version 9, Feature Pack 9, Hotfix 171 - Build 299 instead of just "This is Check Point's 1490 Appliance R77.20.50 - Build 299"which you get via normal ssh session to box Anyone have workaround for it?
Libor_Kovar
Libor_Kovar inside SMB Appliances and SMP 2 weeks ago
views 264 6

SMB appliances backup

 Hello,I need to make a scheduled remote backup  of my branch appliances 680, 730, 1180. all the newest version R77.20.80 I use a ftp server as a target for it, but no success, contrary to UTM 3200.If I try to ftp directly from a shell, it works. I need not to specify a target path there, asi it uses the home dir of my unix user specified.On a 3200 one needs to specify the complete path including trailing /I tried all three options , no path, full path, full path with / in the GUI for 680, 730, 1180 , but no success.I  didn't find any way how to debug it , because cmd line allows usb and tftp backup only and gui the scheduled ftp only, which I consider a strange inconsistence.I also find neither usb backup as a remote one, nor the running  tftp server in the net  as a safe thing.It could lso be the schedule problem, as the config file found from the command line shows in one place the daily schedule and a also the day-of-week. ( I cannot find it at the moment)Could you advice pls ?Many thanksLKConfig used in gui: (not working)     
G_W_Albrecht
G_W_Albrecht inside SMB Appliances and SMP 2 weeks ago
views 1244 24

R77.20.87 Jumbo Hotfix Accumulator

They did it again - in addition to sk151574: R77.20.87 for Small and Medium Business Appliances, we now have the fresh new sk153433: R77.20.87 Jumbo Hotfix Accumulator with the new firmware image Build 2960. Nice to have a new build and a list of resolved issues - but for what reason name it Jumbo HF (which it is not, just a plain installation image containing fixed components) ? Or will R77.20.87 stay as a kind of final version for 7x0/9110/14x0 models that will get updated this Jumbo HF way from now on ?