Inspection profile in R80.10

R80.10 has a feature called the inspection profile; some of its protections come from the pre-R80 IPS blade.

This inspection profile is actually still linked to the IPS blade. If the firewall's IPS blade is turned off, the inspection profile does not appear to be active; if the IPS blade is turned on, the inspection profile is active.

Sample of the inspection profile doing its inspection (with the IPS blade enabled):

[Screenshot: inspection settings]

Cheers,

ASK


Checkpoint Capsule Doc integration with third party proxy

This article shares how to integrate Checkpoint Capsule Docs with a third-party proxy, Bluecoat ProxySG.

The high level steps are:

In Bluecoat proxy:

– Create a forwarding host

[Screenshot: forwarding host]

– Create a proxy service (the IP here is the proxy's IP) to ensure the traffic gets captured by the proxy server

[Screenshot: proxy service]

– Create a policy in VPM (for redirect). The destination host / object should be the URL object of the organization defined in Capsule Docs

[Screenshot: VPM policy]

– Apply or push the proxy policy

On Checkpoint

  • Install Checkpoint endpoint server
  • Create AD scanner
  • Create Capsule doc policy
  • Point the route to Proxy server

On a test machine, install the Capsule Docs client to test external communication.

Cheers.

Anthony SK


URL Filtering showing expired status

Recently encountered issue:

  • Customer running R77.20 Gaia
  • Standby member showing expired contract status
  • Multiple steps such as removing the cache, upgrading SmartConsole to support SHA-256 and removing the contract did not resolve the issue
  • Removing and re-inserting the contract did not solve it either

The solution is to set the value in this file to 1: vi $FWDIR/appi/update/next_update

Wait for it to update from the Checkpoint cloud and it will show the correct date.

Otherwise, there is an alternative if the above does not work.

First step:

Disable automatic updates for Application Control / URL Filtering / Anti-Bot / Anti-Virus:

Connect with SmartDashboard to Security Management Server / Domain Management Server.

Go to the Application & URL Filtering tab.

Expand Advanced in the left pane.

Click on Updates.

In the Automatic Application Updates section, uncheck both boxes.

Second step:

[Expert@MGMT]# rm $FWDIR/av/ca/update/incoming/*
[Expert@MGMT]# rm $FWDIR/uf/sc/update/incoming/*

Manually download the contracts file from User Center:

Important Note: On the Multi-Domain Security Management Server, first switch to the context of the involved Domain Management Server with mdsenv <Domain_Name> command.

[Expert@MGMT]# $CPDIR/bin/contract_util download uc upgrade UserName Password [Proxy_IP_Address [Proxy_UserName:Proxy_Password]]

Restart Check Point services:

On the Security Management Server:

[Expert@MGMT]# cpstop
[Expert@MGMT]# cpstart

Third step:

Verify the subscription status on the Security Gateway / each Cluster member:

For Application Control:

[Expert@GW]# cpstat appi -f subscription_status

Subscription status:          valid

Subscription expiration date: Sat Dec 15 00:00:00 2018

Subscription description:     Contract is up to date.

 

For URL Filtering:

[Expert@GW]# cpstat urlf -f subscription_status

Subscription status:          valid

Subscription expiration date: Sat Dec 15 00:00:00 2018

Subscription description:     Contract is up to date.

Last step:

Enable automatic updates for Application Control / URL Filtering / Anti-Bot / Anti-Virus:

Connect with SmartDashboard to the Security Management Server / Domain Management Server.

Go to the Application & URL Filtering tab.

Expand Advanced in the left pane.

Click on Updates.

In the Automatic Application Updates section, check both boxes.

Go to the Threat Prevention tab (in R77 and lower, this tab is called Anti-Bot & Anti-Virus).

Expand Advanced in the left pane.

Click on Updates.

In the Automatic Updates section, check all boxes.

Save the changes: go to File menu – click on Save.

Install the policy onto the relevant Security Gateway / Cluster object.
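The verification step above relies on reading the cpstat output by eye. The following script is an added example, not part of the original post: it parses the "Subscription status" and "Subscription expiration date" fields from cpstat output in the format shown above (the two sample outputs are constructed for the example) and wraps the check in an audit function that can be scheduled on a gateway so an expired contract on a standby member is noticed before users do. The audit_blades function assumes it is run in expert mode where cpstat is on the PATH.

```shell
#!/bin/sh
# Added example (not from the original post): parse the
# "cpstat <blade> -f subscription_status" output and report the contract
# state for Application Control (appi) and URL Filtering (urlf).

# Constructed sample outputs, in the format cpstat prints.
SAMPLE_VALID='Subscription status:          valid
Subscription expiration date: Sat Dec 15 00:00:00 2018
Subscription description:     Contract is up to date.'

SAMPLE_EXPIRED='Subscription status:          expired
Subscription expiration date: Mon Jan 01 00:00:00 2018
Subscription description:     Contract has expired.'

# field_value <cpstat output> <field name> -> text after "<field name>:",
# with surrounding whitespace trimmed; empty if the field is absent.
field_value() {
    printf '%s\n' "$1" | sed -n "s/^$2: *//p" | sed 's/[[:space:]]*$//' | head -n 1
}

# subscription_status <cpstat output> -> "valid", "expired", ... or "unknown"
# ("unknown" also covers an empty output, e.g. when cpstat itself failed).
subscription_status() {
    s=$(field_value "$1" "Subscription status")
    if [ -n "$s" ]; then
        printf '%s\n' "$s"
    else
        printf 'unknown\n'
    fi
}

# subscription_expiry <cpstat output> -> the expiration date string
subscription_expiry() {
    field_value "$1" "Subscription expiration date"
}

# is_contract_valid <cpstat output> -> exit 0 only when the status is "valid"
is_contract_valid() {
    [ "$(subscription_status "$1")" = "valid" ]
}

# audit_blades: run on a gateway in expert mode. Prints one line per blade
# and returns 1 if any blade is not valid, so it can drive a cron alert.
audit_blades() {
    rc=0
    for blade in appi urlf; do
        out=$(cpstat "$blade" -f subscription_status 2>/dev/null) || out=''
        printf '%-5s %-8s %s\n' "$blade" "$(subscription_status "$out")" \
            "$(subscription_expiry "$out")"
        is_contract_valid "$out" || rc=1
    done
    return $rc
}

# Stand-alone demonstration on the constructed samples:
printf 'sample 1: %s (expires %s)\n' "$(subscription_status "$SAMPLE_VALID")" \
    "$(subscription_expiry "$SAMPLE_VALID")"
printf 'sample 2: %s (expires %s)\n' "$(subscription_status "$SAMPLE_EXPIRED")" \
    "$(subscription_expiry "$SAMPLE_EXPIRED")"
```

On a cluster, run audit_blades on each member rather than only on the active one; the case in this post was a standby member showing expired while the active one looked fine.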

Cheers

Rename Service Group in R80.10

Recently I encountered an issue whereby renaming a service group in R80.10 is not possible.

Why would I want to rename it? Because there is a domain in Provider-1 called Web which coincidentally matches a service group in R80.10 called Web.

This caused a name uniqueness issue and, to make it worse, the CMA is also called Web.

Although the issue does not seem to affect much, in order to get rid of it I decided on the following workaround, as editing the service group is not possible even with dbedit.

Hence the workaround approach is:

1. Perform a migrate export from the particular CMA

2. Delete the domain from the pre-R80.10 server

3. Create a new domain that does not have the same name as Web

4. Create the CMA. Note that Checkpoint before R80 has an issue with creation of the ICA after 25th Jan 18. Workaround: set the date earlier than January 25th 18, otherwise the creation of the CMA will fail.

5. Ensure the CMA is not started, as the CMA needs to be imported; otherwise it will fail. Set the date back to the current date.

6. Go inside the specific CMA and delete the secondary management server object. Otherwise the creation of the secondary CMA will fail with an error message.

7. Create the secondary CMA

8. Re-assign the global policy if there is any

9. Test that everything is OK. SIC should be fine even with the hostname change on the CMA, as the ICA is inside the Provider-1 (MDS) container

10. Perform an R80.10 export on the pre-R80.10 Provider-1 server and import it.

11. The name uniqueness error disappears.

*ensure licenses get exported*

Cheers,

Anthony S.K

Find zombie processes in Checkpoint

In certain scenarios a Checkpoint process leaves zombie processes behind: the parent process terminates unexpectedly, so the child processes can no longer reach their parent and are left "hanging", becoming zombies.

In such a situation it is sometimes necessary to kill the parent process to eliminate all the child processes that have become zombies.

Use this command: ps -l | grep <process name>. It lists the matching processes together with whether each has become a zombie (defunct).

Look at the third and fourth columns. The third column is the PID (process ID) and the fourth column is the PPID (parent process ID).

To terminate the parent, use kill -9 <process ID>, then check whether the zombie processes still appear, either with ps -aux | grep defunct

or with the top command (look at the zombie count).
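Picking the PID and PPID columns out of ps by eye is error-prone when a daemon has left dozens of defunct children. The script below is an added example and not from the original post: it selects every process whose STAT column starts with Z from a "ps -eo pid,ppid,stat,comm" listing, groups them by parent PID and counts them, so you know exactly which parent to look at before reaching for kill -9. The ps listing embedded in the block is constructed for the example; on a gateway, replace it with a live snapshot as shown in the comment at the end.

```shell
#!/bin/sh
# Added example (not from the original post): find defunct (zombie) processes
# and the parent PIDs that own them, using the PID/PPID/STAT columns the post
# refers to. Input is the output of "ps -eo pid,ppid,stat,comm".

# Constructed sample listing; a real run replaces it with:
#   ps -eo pid,ppid,stat,comm
SAMPLE_PS='  PID  PPID STAT COMMAND
    1     0 Ss   init
 4321     1 Ssl  fwd
 4330  4321 Z    fwd <defunct>
 4331  4321 Z    fwd <defunct>
 5100     1 S    cpd
 5200  5100 S    cpm'

# list_zombies <ps output> -> "PID PPID COMMAND" for each process whose STAT
# field begins with Z (zombie/defunct); the header line is skipped.
list_zombies() {
    printf '%s\n' "$1" | awk 'NR > 1 && $3 ~ /^Z/ { print $1, $2, $4 }'
}

# count_zombies <ps output> -> number of zombie processes
count_zombies() {
    list_zombies "$1" | wc -l | tr -d ' '
}

# zombie_parents <ps output> -> unique PPIDs that own zombies, one per line.
# A zombie has already exited, so a signal sent to the zombie itself does
# nothing; it disappears only when its parent reaps it or the parent goes
# away (the zombie is then reparented to init, which reaps it).
zombie_parents() {
    list_zombies "$1" | awk '{ print $2 }' | sort -u
}

# zombies_of_parent <ps output> <ppid> -> number of zombies owned by that parent
zombies_of_parent() {
    list_zombies "$1" | awk -v p="$2" '$2 == p' | wc -l | tr -d ' '
}

# Stand-alone demonstration on the constructed listing:
printf 'zombies found: %s\n' "$(count_zombies "$SAMPLE_PS")"
for ppid in $(zombie_parents "$SAMPLE_PS"); do
    printf 'parent %s owns %s zombie(s)\n' "$ppid" "$(zombies_of_parent "$SAMPLE_PS" "$ppid")"
done

# Live use on a gateway (expert mode):
#   snap=$(ps -eo pid,ppid,stat,comm)
#   zombie_parents "$snap"      # inspect each PPID (ps -p <PPID> -o pid,ppid,stat,comm)
#                               # before deciding to terminate it
```

Check the parent's command name before terminating it: on a Check Point gateway the parent of orphaned workers is often a core daemon, and cpstop;cpstart may be the cleaner way to get it reaped than a bare kill -9.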

Cheers


Configuring route based VPN Checkpoint R80.10

For this post, I am going to discuss how to configure a route based VPN in Checkpoint R80.10 with Juniper. This post only covers the Checkpoint part, not the Juniper side.

To configure a route based VPN there are a few things to take note of:

  • The IP address of the virtual tunnel interface used to communicate with the peer firewall on the other side
  • The VPN domain on the R80.10 console must be an empty group. If a VPN domain is configured, the VPN is treated as a domain based VPN (some call it a policy based VPN).
  • The third party firewall is configured as an interoperable device, and its VPN domain group is set to an empty group as well
  • Routing handles all the site-to-site traffic

Configuration on the web portal: look for Network Interfaces -> VPN Tunnel.

[Screenshot: VPN tunnel interface, step 1]

Key in the VPN tunnel ID to distinguish it. Under VPN peer, it is important to note that this name must be the same as the name that will be configured in the console later on.

[Screenshot: VPN tunnel interface, step 2]

The local address is the tunnel IP (a private IP), usually in the same subnet as the peer firewall. The remote address is the peer IP (put the public IP of the peer firewall).

If you do not want to use a numbered interface, you may opt for unnumbered to eliminate assigning IP addresses; however a numbered interface is better in the sense of NAT in case of overlapping IP addresses on both sides of the tunnel. An unnumbered interface borrows the IP address of the particular interface it is bound to.

Once the tunnel interface is created, move to the console and configure the route based VPN: under Security Policies -> Access Tools -> VPN Communities -> create New, either star or mesh.

Key in all the necessary settings: the community name and the participating gateways, which are the Checkpoint and the Juniper. Set the encryption and authentication methods (they must match on both sides).

Under the Checkpoint gateway object, set the VPN domain to an empty group.

Configure the interoperable device under the network service objects and put an empty group under its VPN domain.

Finally, configure the routing on the Checkpoint gateway via clish or the web GUI.

Cheers,

ASK


MDS backup vs Backup

Not many articles mention the real difference between the two backups, even though the guides usually say to run the mds_backup script instead of backup.

After consulting with TAC, the conclusion is this:

backup backs up the OS configuration and the database for the entire MDS, while mds_backup only backs up the MDS and not the OS.

However, one thing I noticed: mds_backup also backs up the interfaces and their IP addresses.

The OS configuration in this case is most of what you can see on the Web portal.

Cheers,

ASK


Peer does not have a certificate for SIC (error no 111)

sk67420 attributes this issue to the MTU size; however another possibility is that a firewall is blocking port 18211, which is part of the SIC-layer communication between the gateway and the management server.

These are the ports:

[Screenshot: SIC-layer ports]

So before changing the MTU size or troubleshooting at the interface layer, do consider the above.

Cheers


Remote Access VPN client ignoring link selection

Recently one of my colleagues faced an issue whereby users of the Checkpoint remote access VPN were seeing strange behaviour:

  • Users connecting for the first time from wireless / LAN home broadband are able to connect; subsequently they are unable to.
  • Users connecting for the first time from mobile phone tethering are able to connect, and subsequently remain able to.
  • SmartView Tracker shows users connecting from wireless / LAN home broadband reaching another public IP belonging to some other device, not the Checkpoint one expected from its link selection configuration.

The solution is to follow sk32229 – Configuring VPN Link Selection for SecuRemote/SecureClient.

This happens when the apply_resolving_mechanism_to_SR attribute in objects_5_0.C is set to “FALSE”. This causes the remote access VPN client to ignore the link selection configuration and choose another IP address instead.

To fix it, set the attribute to “TRUE”, or configure the IP manually for the remote access VPN as described in the SK.

Cheers


FWM and FWD crashing when installing the hotfix add-on on R77.30 Gaia

Recently one of my colleagues encountered a strange issue when installing the R77.30 Gaia Add-on hotfix in order to send firewall logs directly from the firewall.

The add-on installation caused a crash; upon investigation by Checkpoint Diamond TAC, it was suspected to be a corrupted RPM module in the R77.30 Gaia Add-on.

The environment:

  • Distributed setup
  • Gaia R77.30
  • Jumbo hotfix Take 216 installed
  • Gaia R77.30 Add-on installed

Symptom:

  • FWM and FWD processes terminate upon installing the Add-on
  • Tried to remove the Add-on, but the symptom still occurs
  • The only way to revert is to restore a backup

Resolution:

  • Issue due to corrupted RPM modules in the Add-on
  • First check whether the RPMs still exist after restoring the backup:
    # rpm -qa | grep PItpi
    # rpm -qa | grep PIscrub
  • Remove them with these commands:
    1. Take a relevant backup or snapshot
    2. rpm -e --noscripts CPPItpi-R77-00
    3. rpm -e --noscripts CPPIscrub-R77-00
    4. Restart Check Point processes: cpstop;cpstart

Cheers,

A.S.K
