cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post
SMB Appliances and SMP

Have a question about our Small Business Security and Branch Office Security solutions? This is where to ask! This includes the 600, 700, 900, 1400, and 1500 Series appliances, Security Management Portal, and legacy SMB appliances (UTM-1 EDGE, Safe@).

John_Fleming
John_Fleming inside SMB Appliances and SMP Friday
views 217 5

End point connect connectivity issues - DPD - Negotiation with site failed

So its a day ending with the word day so I've stumbled across another issue with my 1500.After bringing up the 1550 I noticed my remote access users didn't work anymore with end point connect but did with SNX and IOS end point connect.Some debugging on the client and I found  [ 4132 4180][11 Feb 13:17:07][IKE] **** MM6PacketHandler: Receive packet 6: Main Mode packet, cookies 7c27174af0bb8d93,e6a0f06ab07e931d, length 1997, 5 payloads[ 4132 4180][11 Feb 13:17:07][IKE] payloads_count: A Identification payload (total 1)[ 4132 4180][11 Feb 13:17:07][IKE] payloads_count: A Certificate payload (total 1)[ 4132 4180][11 Feb 13:17:07][IKE] payloads_count: A Certificate payload (total 2)[ 4132 4180][11 Feb 13:17:07][IKE] payloads_count: A Signature payload (total 1)[ 4132 4180][11 Feb 13:17:07][IKE] payloads_count: A Vendor ID payload (total 1)[ 4132 4180][11 Feb 13:17:07][IKE] payloads_count: Found 1 payloads of type Identification, need one exactly[ 4132 4180][11 Feb 13:17:07][IKE] payloads_count: Found 2 payloads of type Certificate, need one or more[ 4132 4180][11 Feb 13:17:07][IKE] payloads_count: Found 1 payloads of type Signature, need one exactly[ 4132 4180][11 Feb 13:17:07][IKE] payloads_count: Found 0 payloads of type Notification, need zero or one exactly[ 4132 4180][11 Feb 13:17:07][IKE] payloads_count: FAILED: Extra payloads left in packet (found 1 Vendor ID's)[ 4132 4180][11 Feb 13:17:07][IKE] MM6PacketHandler: Packet parse failed (expecting 1 ID, 1-2 certs, 1 sig)[ 4132 4180][11 Feb 13:17:07][IKE] send_notification: NOT IMPLEMENTED YET[ 4132 4180][11 Feb 13:17:07][negs] [WARNING] [Negotiation::process_event] (0x03B64198): *** Negotiation failed! ***[ 4132 4180][11 Feb 13:17:07][tunnel] [COVERAGE] [IkeV1Tunnel::negotiationEnded] (0x03BA2058): __start__ which led me to sk121736 - "Gateway sends DPD to client during phase 1 negotiation, resulting in "Negotiation with site failed" error for Remote Access Client trying to connect to a R80.XX Security Gateway". Funny thing on the vpn page VPN -> Advanced -> Tunnel health monitoring method -> Tunnel Test (Check Point proprietary is selected) Use DPD responder mode checked with no way to uncheck (greyed out)I changed tunnel health monitoring to DPD and unchecked use DPD responder mode..and it worked... So...uh...  End Point Connect with checkpoint's own internal tunnel monitoring is broken but the RFC version works?  ..SR opened..
junior_kakou
junior_kakou inside SMB Appliances and SMP Thursday
views 215 7

Download acces policy (rules for downloading)

Hello;I want to allow users to downloadfilms during break hours (between 12:30 p.m. and 2:00 p.m.).I use checkpoint 1490, how can I make the setting.thank you
HristoGrigorov
HristoGrigorov inside SMB Appliances and SMP Thursday
views 116 4

Temporary connectivity loss

Hi,   Have any of you experienced situation where connectivity between different LAN networks is loss after (or during) high system load ?   That's 1470 with R77.20.87 Build 990173004.
pmship
pmship inside SMB Appliances and SMP Thursday
views 241 8

Couln't save sysctl variables

Hello!Unfortunately i don't know right category for my question... Sorry!I have CheckPoint 600 Appliance with R77.20.20 firmware. There is a proble like https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk106397, but "To view this solution, Advanced access is required"... Pity.I consider that this ploblem seemsed like ARP Flux, so sulution can be "sysctl -w net.ipv4.conf.all.arp_ignore=2", byt this work only before reboot... For a standard linux you should write this config to /etc/sysctl.conf for permanently save. But CheckPoint is not a standard linux, and have no /etc/sysctl.conf (if i've create it, checkpoint dont read that). Whot shoul i do to save "net.ipv4.conf.all.arp_ignore=2" config permanently??? 
G_W_Albrecht
G_W_Albrecht inside SMB Appliances and SMP Wednesday
views 253 1 1

1550 hosts encountered an exploit attempt

CheckPoint SmartView is a good tool for log reviews with its templates like Attacks Allowed by Policy. During IPS profile testing on the 1550 - you had to limit IPS protections in a special SMB profile with the older Embedded GAiA models while 1550 / R80.20 now has a TP policy like all GAiA GWs do - i also used SmartView. This gave me an odd encounter i would not have expected: hosts encountered an exploit attempt ! Have a look:             The 1550 FifteenFifty 😊 is managed by SMS7520 🙃 and set to send Security  Logs and Syslog there. Seems not to be easy with Syslog, though:                                         Matthaeus 5:30: And if thy right hand offend thee, cut it off, and cast it from thee 😎
G_W_Albrecht
G_W_Albrecht inside SMB Appliances and SMP Wednesday
views 229 1 1

New LED on 1500

Two days ago, sk123865 LED indicators on Embedded GAIA appliances has been edited. The LED descriptions for the 1500 models have been added ! And one completely new LED is present here: 3 Management LED Interesting thing about the LED: It is only used during Zero Touch installation process and when managed by a SMP portal. When managed locally or centrally, the LED is not used at all and dark. This seems fine for using Management in the Cloud o.e., but why not also use it when managed by an SMS ? Strange to have a new extra LED just for these purposes...
Oliver-Hamel
Oliver-Hamel inside SMB Appliances and SMP Tuesday
views 617 17

Problems with multiple 1550 appliance behind NAT device (same external IP) and VPN

Hi,we are facing problems with central managed 1550 devices (LSM & Provisioning) behind NAT device (several 1550 coming from same public IP to VPN center).The IKE phase I in center is mapped to the public IP of the peer (1550 behind NAT) instead of another identifier like internal ID or DN.Therefore only one 1550 can have a valid IKE phase I.The next 1550 with the same public IP is overwriting the exisiting phase I with a new phase I (which is only valid for this device).[Central Security Gateway] --- (VPN) --- [NAT Device] --- Satellite 1550                                                --- (VPN) --- [NAT Device] --- Satellite 1550Is there a solution to connect several 1550 connecting to VPN Center with same public IP?ThanksOliver  

central managemnt mode

Hello i switched CP 1430 from Local mgmt mode to central mgmt mode and i can no longer access the device using the remote VPN . I can still ping the WAN ip so i know its online. What are my options i need to get into the box and set the SIC password or revert to local mode somewhow. i am not physically with the box. 
lbcadenco10
lbcadenco10 inside SMB Appliances and SMP Tuesday
views 212 5

Gaia Embedded Syslog Severity

Anyone know how to change the syslog severity on Gaia Embedded appliances? I've seen sk92798 but this appears to only apply to Gaia appliances. I edited /etc/syslog.conf to only send warning and higher level logs to our remote syslog servers but "logger -p local4.info info2" and "tcpdump" shows informational level logs still being sent. I'm guessing syslogd needs to be restarted in order for the changes to go into effect, but "service syslog restart" is not a valid command in expert mode.
John_Fleming
John_Fleming inside SMB Appliances and SMP Monday
views 159 1

SMP Portal configuring remote syslog hosts

So this seems.. odd.. I signed up my 1550 into the SMP portal, which i'm not sure if i'm digging so far but thats another story.I was poking around in syslog configuration and ran across this. $ModLoad imuxsock.so$LocalHostName |stuff|$DefaultNetstreamDriverCAFile /opt/fw1/bin/ca-bundle.crt$ActionSendStreamDriver ossl$ActionSendStreamDriverMode 1$ActionSendStreamDriverAuthMode x509/name$ActionSendStreamDriverPermittedPeer *.Syslog$template format,"%$YEAR% %timegenerated% %HOSTNAME% %syslogfacility-text%.%syslogpriority-text% %programname%: %msg%\n"$outchannel msg_rotation,/var/log/messages, 204800,/pfrm2.0/bin/log_gzip.sh /var/log/messages$outchannel ntf_rotation,/logs/notifications, 204800,/pfrm2.0/bin/log_gzip.sh /logs/notifications*.info;mail.!* :omfile:$msg_rotation;formatmail.info :omfile:$ntf_rotation;format*.info;mail.!* @mysyslogserver:514*.info;mail.!* @209.87.212.13:514*.info;mail.!* @209.87.212.16:514*.info;mail.!* @209.87.212.14:514*.info;mail.!* @209.87.212.15:514*.info;mail.!* @209.87.222.192:514 I never configured the firewall to send syslog events to those addresses. I get the need for logs but OS logs? Again maybe its part of SMP and thats fine I guess.. but udp syslog? That just seems a bit strange. I sure hope there is some dynamic filtering going on and that those addresses aren't just open to the public at large.
sasac
sasac inside SMB Appliances and SMP Monday
views 181 4

sk100610-Error has occurred while applying the Firewall settings (error 00351)

I am trying to SNMP poll a checkpoint 600 from a LibreNMS (connected to local LAN of the applicance) and even with the firewall policy switched off the firewall log reports the SNMP traffic is "Blocked on rule 0 Outgoing policy violation".Any changes to the appliance cause a system Notification pop-up with  "Error has occurred while applying the Network Objects settings (error 00362). If the problem persists, contact Check Point Technical Assistance Center"The Check Point 600 appliance (L50) is running factory default firmware version: R75.20.40 (983003847), with firewall blade license expiration=Never.It is EOL hardware, and it is not under any maintenance agreement, and there is no plan to put it under support as it was planned to be donated to a volunteer organisation to replace their even older 500 appliance......if it would actually work normally.The assumption is the blocking issue and the cause of the pop-up is linked and the solutions would be explained by sk100610, but without support I don't have access to the document.Any suggestions? 
John_Fleming
John_Fleming inside SMB Appliances and SMP Monday
views 274 7

What is supported for SNMP?

Hi so I'm having a hard time understanding what is supported for polling. I was going through the mib file located on the SMB device and found OIDs for pulling licensing info. Snmpwalk of the tree returns nothing. Like empty strings (I guess that is technically something).. its not saying the OID doesn't exist, its just returning a empty string. I opened a ticket with support and they're telling me the only thing supported on the SMB is what is listed on the snmp page. I pointed out everything listed there is a snmptrap which is different then a polled OID. I was told to file a RFE, which I think is basically the generic go way message. :). I did open like 6 other tickets so its possible they're getting a bit tired of me.  
John_Fleming
John_Fleming inside SMB Appliances and SMP a week ago
views 192 3

no way to view switch mac address database

I think in cisco terms this is called the CAM table (show mac address-table address $MAC), but since checkpoint is making SMBs with many switch ports (really even with 4 this should be possible) they really need to show the user where MACs. As in port 1, port 2, port 3 etc.  For example out of the box you will have LAN1_Switch. Its currently impossible to know what port a given mac address is attached to. All you will get back is "LAN1". In the event a bad actor on the internal switch the only option is to shutdown everything and then enable them one by one to find the port.I seem to remember checkpoint making fun of some vendor for bringing this up as a solutions to some short coming that vendor had.
jh00nbr
jh00nbr inside SMB Appliances and SMP a week ago
views 175 1

Checkpoint SMB locally managed 1490 - VPN SITE-TO-SITE - Two ISPs Links HA

      Hey Guys I'm closing a S2S VPN with a Sonicwall, and I'm having some problems with the SMB 1490 Locally managed when closing the tunnel with two ISPs Links enabled, it just doesn't close. When I disable the second link (DMZ) the VPN closes the tunnel normally, when it is connected it does not work.I have already set up a static route forcing it to exit through the VPN peer remote gateway, even so it didn't work. What can be happening? 
Maarten_Sjouw
Maarten_Sjouw inside SMB Appliances and SMP a week ago
views 239 5

Modbus traffic on 1200R

Hi, I got a question from a customer: Is it possible to filter modbus traffic and would this also work in transparent mode?   Does anyone have experience running this?