Kul inside IPS, Anti-Virus, Anti-Bot, Anti-Spam 2 hours ago

Log file - network compromised

One of my Check Point clients got logs sent by their ISP saying that numerous traffic is being generated and the network is compromised. The IP address in the log is one of my servers' IPs. I have blocked SSH from outside to the server as well. What do I do?

Reported-From: abuse-team@blocklist.de
Category: abuse
Report-Type: login-attack
Service: ssh
Version: 0.2
User-Agent: Fail2BanFeedBackScript blocklist.de V0.2
Date: Sat, 21 Sep 2019 08:24:56 +0200
Source-Type: ip-address
Source: 202.xxx.xx.xx
Port: 22
Report-ID: 896439139@blocklist.de
Schema-URL: http://www.xarf.org/schema/abuse_login-attack_0.1.2.json
Attachment: text/plain

Sep 21 08:24:54 vps34202 sshd[544]: Address 202.XX.XX.XX maps to www.xx.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Sep 21 08:24:54 vps34202 sshd[544]: Invalid user oracle from 202.XX.XX.XX
Sep 21 08:24:54 vps34202 sshd[544]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.XX.XX.XX
Sep 21 08:24:56 vps34202 sshd[544]: Failed password for invalid user oracle from 202.XX.XX.XX port 45262 ssh2
Sep 21 08:24:56 vps34202 sshd[544]: Received disconnect from 202.XX.XX.XX: 11: Bye Bye [preauth]

Does IPS have CVE-2019-1181, 1182, 1222, 1226 protection?

I have already updated IPS in SmartConsole to find IPS protections for CVE-2019-1181, CVE-2019-1182, CVE-2019-1222 and CVE-2019-1226, but I cannot find these protections, nor a TFlower Ransomware protection. Can I have information about these?

Antivirus blade pros and cons

Hi All,

I want to enable the Antivirus blade in R80.10. My firewall (5400) is in a production environment. My firewall's max connection count is 79797. The VPN, Application Control, IPS and Anti-Bot blades are already enabled. I just want to know what the pros and cons will be if I enable the Antivirus blade. Please help me.

DNS Malware trap - DNS servers

Hello CheckMates,

Can anyone explain to me what adding the internal DNS servers to the DNS trap configuration actually does? The only thing I can find in the documentation is "to better help identify the origin of malicious requests", but it's not like we can see the client IP that the DNS request originates from.

I've built a test setup in VMs to compare the difference in the logs with and without the DNS server defined, and I see no difference in the log cards. This is with both the client-to-DNS-server and DNS-server-to-public-DNS requests going through the gateway.

I hope someone knows more about this.
Blason_R inside SandBlast Network Thursday

TE appliance VMs

Hello,

I would like to find the total number of VMs in a TE appliance, e.g. 28 or 56 depending on the device. Is there any way to find this, plus the emulation quota on a local TE appliance?

Thanks in advance.

Exceptions on IPS Core Protections

I wanted to share with you a new SK about working with core protections and adding exceptions to them: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk162493&partition=Advanced&product=IPS%22

More than once I have seen issues with R80.x where exceptions "don't seem to apply". Remember that core protections are different animals from IPS ThreatCloud protections: they are enforced on dedicated profiles and installed with the Access Control policy.

Blocking parts of the internet / Performance considerations

Hi,

I want to block some parts of the big bad internet. CP has this cute script that was built for DShield but uses "fw samp" to block connections using the quota functionality. Now, quota sucks because it kills connection templates, and I love having them.

I am now thinking of rebuilding the DShield script for my purpose by using the accelerated drop functionality (sim dropcfg -f blog_very_very_bad_networks.cfg). Since drop templates are applied after connection templates or connection table lookups, there could be some glitches (or I kill already established connections based on my list of very bad IP addresses).

Is this the most elegant way of dropping traffic from a large list of networks or hosts (list.txt, CIDR notation), or is there a better solution?

Thanks.
-Manuel

Differences in how IPS functions in R80.10+ and R77.30

Hi All,

I will be upgrading a gateway from R77.30 to R80.30, and it is running IPS. I have already upgraded the management server. I understand the policy layers and how on pre-R80.10 gateways IPS is separate from Threat Prevention, but what I am struggling to find any consolidated details on is whether there is a difference in how IPS functions on the gateway. I am trying to assess what the risk is of IPS-related service interruption when we upgrade. Any references to known URLs or SKs detailing this would be helpful.

Thanks
GGiorgakis inside SandBlast Network 2 weeks ago

Threat Emulation - email content

Is there any possibility for TE to search for characters/words/content in the email subject and body? If yes, how can we implement the requested configuration in TE R80.20?

BlueKeep exploit is weaponized: Check Point customers remain protected

The notorious BlueKeep vulnerability has been escalated from a theoretical, critical vulnerability to an immediate, critical threat. While BlueKeep's devastating potential was always known, it was a theoretical threat, as there was no working exploit code. That code was released into the wild when the open source Metasploit penetration testing framework released a BlueKeep exploit module on September 6. Unfortunately, the Metasploit toolset is used by security practitioners and cybercriminals alike. By publishing the BlueKeep exploit code, hackers were essentially provided with weaponized, working code that enables the creation of a dangerous worm.

How serious is the threat? If a single unpatched Windows machine with network admin access is running on a network, the attacker may have access to all in-use credentials to all systems on the network, whether they are running Windows, Linux, MacOS or NetBIOS. In effect, this scenario means that a single infected Windows machine can completely own a network.

Check Point's BlueKeep protections for network and endpoint, released several months ago, protect against the new weaponized version of this attack. Check Point customers who have implemented these protections remain protected. We recommend all customers take immediate action to make sure they are protected:

Install the Microsoft patch on all vulnerable Windows systems
Enable Check Point's IPS network protection for BlueKeep
Implement Check Point's endpoint protection for BlueKeep
Shahar_Grober inside SandBlast Network 2 weeks ago

MTA AV Exceptions

Hi,

AV in the MTA is blocking one of our emails coming from a trusted source. This is a false positive. The only option I see to exclude the sender mail address is in IPS profile --> Threat Emulation --> Excluded Mail Addresses. Is there a way to exclude emails from MTA scanning until the issue is resolved with the AV?

R80.20 MTA update take_49

CPUSE is recommending I install the MTA update take_49 on R80.20 gateways, but there is no mention of take_49 in sk123174. Does anyone know what is in take_49?
PhoneBoy inside IPS, Anti-Virus, Anti-Bot, Anti-Spam 3 weeks ago

MITRE ATT&CK Framework and Check Point TechTalk

On 14th August 2019, we recorded a TechTalk with @Jony_Fischbein and @Irina_Shalem on how to take cyber security to the next level with the MITRE ATT&CK Framework.

Presentation materials, available to CheckMates members, include: Full Video, PowerPoint Presentation.

An excerpt of the session is below. Q&A from the session will be posted in the comments.

Check Point IPS bridge mode deployment with Juniper SRX

Hi,

Can anyone help us with the Check Point IPS bridge mode deployment best practice document?

Thanks
Bala

How to block hashes of malware by IPS signature

Hi experts,

Is there any way in Check Point IPS (R80.20) to block hashes of malware? Please share your experience.

Sample malware hashes:
04fb0ccf3ef309b1cd587f609ab0e81e0b2e07205245697a749e422238f9f785272537bbd2a8e2a2c3938dc31f0d2461dd792f9185860e1464b4346254b2101bfcfab508663d9ce519b51f767e9028065b26f5c7c367d5e976aaba320965cc7f

Regards,
Rahul