SMB Appliances and SMP

Have a question about our Small Business Security and Branch Office Security solutions? This is where to ask! This includes the 600, 700, 900, 1400, and 1500 Series appliances, Security Management Portal, and legacy SMB appliances (UTM-1 EDGE, Safe@).

S2S VPN connectivity issues

Hi, I have S2S VPN to another 5000 series appliance running R80.10. It happens every now and then that the tunnel is up and one host can SSH to a host on the other end but another one can't. The strange thing is that the host that can't SSH is able to ping the IP on the other end. Problem happens with any protocol (RDP, HTTP, etc). Only ICMP seems to always work. Resetting VPN tunnel solves the problem but it started to annoy me already so I am looking for a more permanent solution. We tried to switch tunnel sharing from per-net to per-host with no success. Have you ever encountered such an issue? Is it possible that the TP policy on the other end is causing this issue?
G_W_Albrecht
G_W_Albrecht inside SMB Appliances and SMP 24m ago
views 51 2

A new firmware version is available: 1500_R80.20.00_992000696

Device > System Operations shows: A new firmware version is available: 1500_R80.20.00_992000696. But when searching in UserCenter, no such firmware is found... Only R80.20 Build 992000668 for 1500 Appliances is present. Why is that?
G_W_Albrecht
G_W_Albrecht inside SMB Appliances and SMP 13 hours ago
views 154 4 1

1550 SMB IPS and TP troubles

Finally, I have a working IPS on the 1550 in my Dashboard. But still, some issues remain. Look at my GW list with enabled blades: Looks good - but what about TP Updates? TE lists all GWs with TE enabled: But IPS, AV and ABOT do not list it, look at the IPS Update Statuses: You will only see in Device & License Information of the 1550 (or CLI) that it is updated - it does show IPS not updated, but the Version is the newest one: Hard to explain this to customers...
Wolfgang
Wolfgang inside SMB Appliances and SMP 19 hours ago
views 65 1

DNS forwarding for internal domain

Hello CheckMates, is it possible to configure a DNS forwarder on an SMB appliance for specific domains? Meaning, clients have the appliance configured as DNS server, and the appliance forwards requests for internal domain to the central DNS at the central site over VPN and all other requests are forwarded to DNS-server from provider. Problem is that the remote sites can access internet via local appliance. Connectivity to the central site is done via VPN and all internal DNS-servers are hosted only at the central site. If the VPN connection to central site is up everything is fine, but if the connection is lost the clients can't resolve DNS names. Other vendors have a feature to do this DNS forwarding like described, but I missed this on Check Point appliance. Another option would be to have a local DNS-server, but we don't want to run any servers locally. All ideas are welcome. Wolfgang
G_W_Albrecht
G_W_Albrecht inside SMB Appliances and SMP 20 hours ago
views 48 1

1550 hosts encountered an exploit attempt

CheckPoint SmartView is a good tool for log reviews with its templates like Attacks Allowed by Policy. During IPS profile testing on the 1550 - you had to limit IPS protections in a special SMB profile with the older Embedded GAiA models while 1550 / R80.20 now has a TP policy like all GAiA GWs do - I also used SmartView. This gave me an odd encounter I would not have expected: hosts encountered an exploit attempt! Have a look: The 1550 FifteenFifty 😊 is managed by SMS7520 🙃 and set to send Security Logs and Syslog there. Seems not to be easy with Syslog, though: Matthaeus 5:30: And if thy right hand offend thee, cut it off, and cast it from thee 😎
TOM_MORAN
TOM_MORAN inside SMB Appliances and SMP yesterday
views 240 3

exclude services vpn Gaia embedded

Hi, when setting up a VPN in R80.10 there is the option to exclude services from the VPN Community. My question: if using Gaia embedded & administrating via the Webui, is it possible to do the same? The firewall in question is a 1450 running R77.20.86. Is this supported on GAIA embedded? All help is appreciated.
G_W_Albrecht
G_W_Albrecht inside SMB Appliances and SMP yesterday
views 51

1550 / 1590 Jumbo Frames Support

I was not able to locate this in the new features listing from sk159173 - but in sk111407 Jumbo Frames Support we read: Small and Medium Business Appliances 1550 / 1590 Starting from R80.30 Jumbo Hotfix Take 76. OK, in fact you will need central management with R80.30 JT 111, but it is a real enhancement as: The following appliances do not support Jumbo Frames: 600 / 1100 / 1200R / 700 / 1400 / 900 Small and Medium Business Appliances. But sk159772 Check Point R80.20 for 1500 Appliances Features and Known Limitations tells us that neither centrally nor locally managed 1500s do support Jumbo Frames... I have provided SK feedback to get at the truth in this.
Hugo_vd_Kooij
Hugo_vd_Kooij inside SMB Appliances and SMP Tuesday
views 139 6

Memory leak in 14xx appliances with IPS enabled

Hi, Do any of you have ticket(s) open in regard to memory leak issue in the 14xx appliances with IPS enabled? So far we have seen this in 2 distinct setups. In one of these it only happened on 1 of the 30 remote offices. But we have run about a dozen different firmware versions and the issue was never resolved. If anyone wants to share their ticket number(s) in a private message we can join forces and make Check Point more aware of the problem. Regards, Hugo.
G_W_Albrecht
G_W_Albrecht inside SMB Appliances and SMP Tuesday
views 84 1

LED indicators on 1550 Embedded GAIA appliance

For the older models we have sk123865 LED indicators on Embedded GAIA appliance - but not for the 1550! We have four LEDs, from right to left they are:
- On / Alert LED: Will blink in red for alerts
- Internet LED: Shows if the internet connection is working
- Cloud LED: Shows if the SMB is managed from the cloud, else it is off
- WLAN LED: Shows if SMB WLAN is enabled, else it is off
The first two LEDs were called Power and System on the old UTM-1 Edge, WLAN LED was present as WLAN LED and this model also had a very valuable additional LED - the VPN LED reflecting the current VPN status! Those times are long gone, we now have the Cloud LED that will light up when connected to Cloud management and be off if managed centrally or locally. Initially, I thought this will light up if all TP services are updated to the current version - might be a helpful feature, but this LED only cares for cloud...

SMB 1470 centrally managed and management through VPN

Hello, I have in production 2 1470 SMB appliances that are locally managed. One 1470 is at site A and the other one is at site B. Both 1470 SMB are DAIP gateways and we are using NoIP DDNS. There is site-to-site VPN. The customer is implementing Remote desktop service for thin clients and wants to be able to implement firewall rules specific for a specific user and because with RDS the connection is always coming from the same IP address I have to install MUH (Multi user agent) on the RDS server. When the SMB appliance is managed locally there is no possibility to use the identity agents but for the centrally managed SMB the agents are supported based on the sk97751. In this SK it is not clear if MUH agent is supported. I have a few questions:
1. If I install Secure management R80.10 in site A can I import a configuration from a locally managed device to the SM server and if yes how?
2. When I connect SMB 1470 on site A with the SM R80.10 and configure the S2S VPN with locally managed 1470 on site B how can I configure Firewall B to be managed by the SM that is on the site A? If I change on the firewall B the option security management from local to central I presume it will clear all the configuration and I will lose the VPN and cut off myself from the firewall B.
Sanja_Rakic
Sanja_Rakic inside SMB Appliances and SMP a week ago
views 226 7

Cluster of two 1200 R devices in bridge mode

Hello everybody, I have two Check Point 1200R devices and they have just one bridge made of two LAN interfaces connected to the rest of the network. I want to create HA cluster and I constantly fail. These gateways are being centrally managed. All interfaces are up, but once I try to get the topology, I constantly see just one of the LAN interfaces making cluster. Do you have any idea how to troubleshoot it? Best regards, Sanja
Patrick_Tuttle1
Patrick_Tuttle1 inside SMB Appliances and SMP a week ago
views 364 4

SMB Questions (management & fetching policy)

Hello CheckMates; We have some questions regarding the SMB platform. We were under the impression that these devices could call home and grab policy from centrally managed Check Point. We are testing this in our lab with R77.20 and 1200R R7720.81. Looking at /var/log/log/sfwd.elg we see it calling out but then saying "Local security policy is up to date" "same policy as already on module". We are also considering deploying these in our SCADA environment in the field over very slow links and were hoping the policy install would be a quicker process compared to a regular gateway running full Gaia. Not sure this would be a smaller file resulting in a faster (less bandwidth intensive) policy install. And our other question is what's the difference between using Smart Provisioning (LSM) or the newer product SMP? Are there any advantages? One thing we would need in our environment is to keep all management local on prem as opposed to being in the cloud. We are told this is due to NERC-CIP guidelines. Thanks and appreciate any direction / experience anyone can share.
Amir_Ayalon
inside SMB Appliances and SMP a week ago
views 1455 40 7
Employee

SMB - New Product announcement - 1500 Series Security Gateways

Hi All,

We are happy to announce the release of the new 1500 series security gateways for SMBs. Our first models to be announced are the 1550 and 1590 gateways which set new standards of protection against the most advanced fifth-generation cyber attacks. The 1550 and 1590 gateways are powered by Check Point's R80 release. R80 is the industry's most advanced security management software, and includes multi-layered next-generation protection from both known threats and zero-day attacks using the award-winning SandBlast™ Zero-Day Protection, plus antivirus, anti-bot, IPS, app control, URL filtering and identity awareness.

The 1500 Security Gateways offer integrated, multi-layered security in a compact desktop form factor. Setup can be done in minutes using pre-defined security policies and our step-by-step configuration wizard. Check Point 1500 Security Gateways are conveniently manageable both locally via a Web interface and centrally by means of a cloud-based Check Point Security Management Portal (SMP) or R80 Security Management.

The new 1500 series empowers Small and Midsize businesses with Enterprise Grade Security:
- 100% block score for malware prevention for email and web, exploit resistance and post-infection catch rate, as seen in the NSS Labs' recent Breach Prevention Systems (BPS) Group Test
- Up to 2 times more performance from previous generations. The 1550 Gateway offers 450Mbps of threat prevention performance, and the 1590 Gateway offers 660Mbps
- The 1550 provides maximum firewall throughput of 2Gbps and the 1590 provides maximum firewall throughput of 4Gbps
- The 1550 features six 1GbE ports and the 1590 features ten 1GbE ports.
- Check Point WatchTower mobile application, enables IT staff to monitor their networks and quickly mitigate security threats on the go from their mobile device
- Out-of-the-box zero-touch provisioning allows for under 1-minute setup
- IoT devices discovery and recognition for accurate security policy definition.

Want to know more?
Visit the 1500 Series Security Gateways SK: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk157412
And the R80.20 for Small and Medium Business Appliances: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk159173
For full product specifications, visit: https://www.checkpoint.com/products/small-business-security/

Amir Ayalon | SMB Project Management Team Leader
Check Point SW Technologies. | +972-733-79-8629 | Mobile: +972-545-787673 | amiray@checkpoint.com
mmitic
mmitic inside SMB Appliances and SMP 2 weeks ago
views 202 3

750 appliance - DHCP reservation on Office Mode Network

Hello, Can I make DHCP reservation on Office Mode Network for clients connecting via VPN? Thanks in advance. Regards
kb1
kb1 inside SMB Appliances and SMP 2 weeks ago
views 253 8

I need help with routing

So I need to configure routing on my 1100 firewall and below is the information I have for the configuration:

Site subnet: 10.40.3.X/24
Eth LAN2 (vlan20 – secured): 10.40.3.21/29; dgw = 10.40.3.20/29 (int Gi0/2)
Eth LAN5 (vlan 10 - unsecured): 10.40.3.11/29, dgw = 10.40.3.10/29 (int Gi0/1)
Source network: 216.152.218.X/32
Destination networks:
Checkpoint Portal/Blade - https://10.169.90.4/sslvpn
149.122.13.X/32
149.122.13.X/32
149.122.13.X/32

So what would be the command on cli since I only have console access to configure routing? For reference below is the routing configuration for another 1100 appliance and I was told that the routing should be similar to this one:

# Static routes
delete static-routes
add static-route service Any destination 10.0.0.X/8 nexthop gateway ipv4-address 10.43.1.20 metric 0
set static-route 2 service Any destination 10.0.0.X/8 nexthop gateway ipv4-address 10.43.1.20 metric 0 disabled false
add static-route service Any destination "216.152.218.X/32" nexthop gateway ipv4-address "10.43.1.X" metric "0"
set static-route 3 service Any destination "216.152.218.X/32" nexthop gateway ipv4-address "10.43.1.X" metric "0" disabled "false"
add static-route service Any destination "149.122.0.X/16" nexthop gateway ipv4-address "10.43.1.X" metric "0"
set static-route 1 service Any destination "149.122.0.X/16" nexthop gateway ipv4-address "10.43.1.X" metric "0" disabled "false"

I cannot figure out what the destination network should be as is shown for above configuration, just keeps showing error and so whenever I try out something.