How to configure Check Point software to upload data to Check Point / download data from Check Point in versions R81.10 and lower
Solution

Note - For Management Server versions R81.20 and higher, see sk175504.

Table of Contents:

  1. Consent flags
  2. How consent flags are enabled
  3. Flags Decision Table
    • For Security Management Servers / Domain Management Servers / Log Server (all versions)
    • For R77.X / R76SP.X Security Gateways managed by R77.X Security Management Servers
    • For R77.X / R80.X Security Gateways managed by R80.X Security Management Servers
  4. How consent flags are modified
    • Edit the consent flags in the Registry
    • Edit the consent flags in the Objects Database using SmartDashboard
    • Edit the consent flags in the Objects Database using Database Tool (GuiDBedit Tool) / dbedit tool
  5. Related solutions
  6. Revision History

 


 

(1) Consent flags

Note: For SMB appliances, refer to the "set privacy-settings" section in the Check Point 700/900/1400 Appliance R77.20.85 Technical Reference Guide.

Important Note: On Security Gateway, the value of flags is changed automatically during policy installation - after setting the relevant flags on Security Management Server / Domain Management Server (either using SmartDashboard, or using Database Tool (GuiDBedit Tool) / dbedit tool).

| Flag Type | Description |
|---|---|
| "Allow Upload" | Allows the upload of data from the Gaia OS to Check Point. Note: This consent flag is available only starting in R77.20. |
| "Allow Download" | Allows the download of data from Check Point to the Gaia OS. Note: This consent flag is available only starting in R77.20. |
| "Upload Core Dumps" | Allows the upload of core dump files from the Gaia OS to Check Point. Note: This consent flag is available only starting in R80.40. |

Notes:

  • The consent flags are stored on the Gaia OS in the following places:

    Consent flags: "Allow Upload", "Allow Download"

    Where the consent flags are stored: $FWDIR/conf/objects_5_0.C

    When the consent flags are created:

    R77.20 and higher:

    • On Security Gateway:
      During the first policy installation.

    • On Security Management Server / Multi-Domain Security Management Server / Domain Management Server / Log Server:
      During the first "Install Database" operation.

    Comments:

    • This article refers to this file as the "Objects Database".

    • You must not edit this file in any text editor - any settings in this file should be modified only using SmartDashboard / Database Tool (GuiDBedit Tool) / dbedit tool.

    • The consent flags are stored in the firewall_properties section.

      The consent flags are:

      • :allow_download_content (...)
      • :allow_upload_content (...)
    • To check the current flag value, run in the Expert mode:

      grep -n "load_content" $FWDIR/conf/objects_5_0.C

      Possible values of these flags are:

      • (false) = upload/download of data is forbidden
      • (true) = upload/download of data is allowed
    • How values of consent flags are checked:

      1. Check if the flag value exists in the "Internal Database"
        (in $CPDIR/tmp/umis_objects.C file) and return it

      2. If the flag value does not exist in the "Internal Database",
        then check if the flag value exists in the "Registry"
        (in $CPDIR/registry/HKLM_registry.data file) and return it

      3. If the flag value does not exist in the "Registry",
        then assume "true" for that consent flag
        (i.e., allow the upload / download) and return it

    Consent flags: "Allow Upload", "Allow Download"

    Where the consent flags are stored: $CPDIR/registry/HKLM_registry.data

    When the consent flags are created:

    R80.10 and higher:

    • On Security Gateway / Security Management Server / Multi-Domain Security Management Server / Domain Management Server / Log Server:
      During the First Time Configuration Wizard.

    R80 / R77.30 / R77.20:

    • On Security Gateway:
      During the first policy installation.

    • On Security Management Server / Multi-Domain Security Management Server / Domain Management Server / Log Server:
      During the first "Install Database" operation.

    Comments:

    • This article refers to this file as the "Registry".

    • You must not edit this file in any text editor - any settings in this file should be modified only using ckp_regedit command / cpprod_util command.

    • The consent flags are stored at:

      /SOFTWARE/CheckPoint/CPshared/6.0/reserved

      The consent flags are:

      • :AllowReceivingDataFromCheckPoint (...)
      • :AllowSendingDataToCheckPoint (...)
    • To check the current values, run in the Expert mode one of these two commands:

      • grep Allow $CPDIR/registry/HKLM_registry.data | grep Data
      • ckp_regedit -p /SOFTWARE/CheckPoint/CPshared/6.0/reserved | grep CheckPoint

      Possible values of these flags are:

      • (0) = upload/download of data is forbidden
      • (1) = upload/download of data is allowed
    • How values of consent flags are checked:

      1. Check if the flag value exists in the "Internal Database"
        (in $CPDIR/tmp/umis_objects.C file) and return it

      2. If the flag value does not exist in the "Internal Database",
        then check if the flag value exists in the "Registry"
        (in $CPDIR/registry/HKLM_registry.data file) and return it

      3. If the flag value does not exist in the "Registry",
        then assume "true" for that consent flag
        (i.e., allow the upload / download) and return it

    Consent flags: "Allow Upload", "Allow Download"

    Where the consent flags are stored: $CPDIR/tmp/umis_objects.C

    When the consent flags are created:

    R77.20 and higher / R76SP.X (since Take_84 of R76SP.30 Jumbo Hotfix, and since Take_16 of R76SP.50 Jumbo Hotfix):

    • On Security Gateway:
      During the first policy installation.

    • On Security Management Server / Multi-Domain Security Management Server / Domain Management Server / Log Server:
      During the first "Install Database" operation.

    Comments:

    • This article refers to this file as the "Internal Database".
      This file is an internal database created by the FWD daemon based on the information from the Registry.

    • You must not edit this file in any text editor.
      This file is updated automatically during each start of FWD daemon / policy installation / database installation operation.

    • The consent flags are stored in this file in the DownloadAccess section.

      The consent flags are:

      • :allow_download_content (...)
      • :allow_upload_content (...)
    • To check the current values, run in the Expert mode:

      grep -A 2 DownloadAccess $CPDIR/tmp/umis_objects.C

      Possible values of these flags are:

      • (false) = upload/download of data is forbidden
      • (true) = upload/download of data is allowed
    • How values of consent flags are checked:

      1. Check if the flag value exists in the "Internal Database"
        (in $CPDIR/tmp/umis_objects.C file) and return it

      2. If the flag value does not exist in the "Internal Database",
        then check if the flag value exists in the "Registry"
        (in $CPDIR/registry/HKLM_registry.data file) and return it

      3. If the flag value does not exist in the "Registry",
        then assume "true" for that consent flag
        (i.e., allow the upload / download) and return it

    Consent flag: "Upload Core Dumps"

    Where the consent flag is stored: /config/db/initial and /config/db/initial_db

    Important - This consent flag works independently from the "Allow Upload" and "Allow Download" consent flags.

    Comments:

    • This article refers to these files as the "Gaia OS Database".

    • You must not edit these files in any text editor - any settings in these files should be modified only using Gaia Portal or Gaia Clish.

    • To check the current flag value, run in the Expert mode:

      dbget cdm:allow_sending

      Possible values of this flag are:

      • 0 = upload of data is forbidden
      • 1 = upload of data is allowed
    • To check the current flag value, run in Gaia Clish:

      show core-dump crash_data_status

  • The "Allow Upload" consent flag has priority over the "Sync with User Center" consent flag (refer to sk94064).
    This means that if the administrator enabled the "Sync with User Center" consent flag, but did not enable the "Allow Upload" consent flag, then synchronization with User Center is not performed.

  • In R77.X and lower, the consent flags on the Security Gateway are independent of the consent flags on the Security Management Server.
    For example, if the administrator enabled the "Allow Upload" consent flag on the R77.X Security Gateway, but disabled the "Allow Upload" consent flag on the R77.X Security Management Server, then the Security Gateway would still be able to upload data to Check Point.
    Starting in R80, the consent flags on the R80.X Security Management Server have priority over the consent flags on the R77.X / R80.X Security Gateway.
    For details, refer to the "Flags Decision Table" section below.

Important Notes:

  • To completely block the upload of data from Security Management Server / Multi-Domain Security Management Server / Domain Management Server / Log Server to Check Point cloud, the administrator has to:

    1. Disable the consent flags in the Objects Database (either using SmartDashboard, or using Database Tool (GuiDBedit Tool) / dbedit tool)
    2. Perform "Install Database" operation
    3. Disable the consent flag in the Gaia OS Database
  • To completely block the upload of data from Security Gateway to Check Point cloud, the administrator has to:

    1. Disable the consent flags in the Objects Database (either using SmartDashboard, or using Database Tool (GuiDBedit Tool) / dbedit tool)
    2. Perform "Install Policy" operation
    3. Disable the consent flag in the Gaia OS Database

 

(2) How consent flags are enabled

Consent flags are enabled during the initial installation and database installation / policy installation.

  • The Gaia First Time Configuration Wizard creates the consent flags in the following way:

    Consent flag: "Allow Download"

    The Gaia First Time Configuration Wizard creates the "Allow Download" consent flags in the Registry (in $CPDIR/registry/HKLM_registry.data file).

    This consent flag is enabled by default.

    • In R80.40 and higher versions:
      The checkbox is called "Automatically download Blade Contracts, new software, and other important data (highly recommended)".

    • In R80.30, R80.20, R80.10, and R80 versions:
      The checkbox is called "Automatically download Blade Contracts and other important data".

    • In R77.30 and R77.20 versions:
      The checkbox is called "Automatically download Blade Contracts and other important data".

    Consent flag: "Allow Upload"

    • In R80.40 and higher versions:
      The checkbox is called "Send data to Check Point".

    • In R80.30, R80.20, R80.10, and R80 versions:
      The checkbox is called "Improve product experience by sending data to Check Point".

    • In R77.30 and R77.20 versions:
      The checkbox is called "Improve product experience by sending data to Check Point".

    Consent flag: "Upload Core Dumps"

    • In R80.40 and higher versions:
      The Gaia First Time Configuration Wizard creates the "Upload Core Dumps" consent flags in the Gaia OS Database (in /config/initial* files).
      The checkbox is called "Send crash data which might contain personal data to Check Point".

  • "Install Policy" operation:

    • Creates the "Allow Upload" and "Allow Download" consent flags in the Objects Database (in $FWDIR/conf/objects_5_0.C file) on all configurations (Security Gateway, Management Server, and so on).

    • Creates the "Allow Upload" and "Allow Download" consent flags in the Registry (in $CPDIR/registry/HKLM_registry.data file) on a Security Gateway.

    • Creates the "Allow Upload" and "Allow Download" consent flags in the Internal Database (in $CPDIR/tmp/umis_objects.C file) on a Security Gateway.

  • "Install Database" operation on Management Server / Log Server object:

    • Creates the "Allow Upload" and "Allow Download" consent flags in the Internal Database (in $CPDIR/tmp/umis_objects.C file) on a Security Management Server / Multi-Domain Security Management Server / Domain Security Management Server / Log Server.

  • Gaia Portal or Gaia Clish

    In R80.40 and higher versions, you can control the "Upload Core Dumps" consent flag:

    • In Gaia Portal:

      1. In the navigation tree, click System Management > Core Dumps.

      2. Select or clear the option "Send crash data which might contain personal data to Check Point"

      3. Click Apply.

    • In Gaia Clish:

      1. Run:

        set core-dump send_crash_data {on | off}

      2. Run:

        save config

During upgrade:

  • No change is made to these flags.

  • After the upgrade is completed, flags can be modified as described in the "How consent flags are modified" section below.

 

(3) Flags Decision Table

The following tables show possible combinations of flags values and whether the Gaia OS can download data from / upload data to Check Point.

Note: The ability to download / upload is controlled separately by the corresponding flags. Refer to "How consent flags are modified" section below.

  • Summary table only for Security Management Servers / Domain Management Servers / Log Server (all versions)

    Important Note: To completely block the upload of data from Security Management Server / Multi-Domain Security Management Server / Domain Management Server / Log Server to Check Point cloud, administrator has to disable the consent flags in the Objects Database (either using SmartDashboard, or using Database Tool (GuiDBedit Tool) / dbedit tool) and perform "Install Database" operation.

    | # | Value of flags in Database on R77.X / R80.X Management Server | Value of flags in Registry on R77.X / R80.X Management Server | Ability to download / upload on R77.X / R80.X Management Server | How is this configuration possible? |
    |---|---|---|---|---|
    | 1 | false | 0 | Server is not able to download / upload | Both flags were manually disabled in the Registry (either during First Time Configuration Wizard, or later), and in the Objects Database. Then Install Database operation was performed. |
    | 2 | false | 1 | Server is not able to download / upload | Both flags were enabled during First Time Configuration Wizard (default), but were manually disabled in the Objects Database. Then Install Database operation was performed. |
    | 3 | true | 0 | Server is able to download / upload | Both flags were manually disabled in the Registry, but were enabled in the Objects Database. Then Install Database operation was performed. |
    | 4 | true | 1 | Server is able to download / upload | Both flags were enabled in the Registry (during First Time Configuration Wizard, or later), and in the Objects Database. Then Install Database operation was performed. |

    How values of consent flags are checked:

    1. Check if the flag value exists in the "Internal Database" (in $CPDIR/tmp/umis_objects.C file) and return it

    2. If the flag value does not exist in the "Internal Database", then check if the flag value exists in the "Registry" (in $CPDIR/registry/HKLM_registry.data file) and return it

    3. If the flag value does not exist in the "Registry", then assume "true" for that consent flag (i.e., allow the upload / download) and return it



  • Summary table for R77.X / R76SP.X Security Gateways managed by R77.X Security Management Servers / Multi-Domain Security Management Servers

    Important Notes:

    • On Security Gateway, the value of flags is changed automatically during policy installation - after setting the relevant flags on Security Management Server / Domain Management Server (either using SmartDashboard, or using Database Tool (GuiDBedit Tool) / dbedit tool).
    • To completely block the upload of data from Security Gateway to Check Point cloud, administrator has to disable the consent flags in the Objects Database and install the policy.

    Note: Value of flags on R7x Security Management Server is irrelevant - only value of flags on R77.X / R76SP.X Security Gateway counts.

    | # | Value of flags in Database on R77.X Gateway | Value of flags in Registry on R77.X Gateway | Value of flags in Registry on R76SP.X Gateway | Ability to download / upload on R77.X Gateway | How is this configuration possible? |
    |---|---|---|---|---|---|
    | 1 | false | 0 | N/A | Gateway is not able to download / upload | Both flags were manually disabled in the Registry (either during First Time Configuration Wizard, or later), and in the Objects Database. Then policy was installed. |
    | 2 | false | 1 | N/A | Gateway is not able to download / upload | Flags were enabled only in the Registry (during First Time Configuration Wizard, or later), and disabled in the Objects Database. Then policy was installed. |
    | 3 | true | 0 | N/A | Gateway is able to download / upload | Both flags were manually disabled in the Registry (either during First Time Configuration Wizard, or later). Then policy was installed. |
    | 4 | true | 1 | N/A | Gateway is able to download / upload | Both flags were enabled in the Registry (during First Time Configuration Wizard, or later), and in the Objects Database. Then policy was installed. |

    How values of consent flags are checked:

    1. Check if the flag value exists in the "Internal Database" (in $CPDIR/tmp/umis_objects.C file) and return it

    2. If the flag value does not exist in the "Internal Database", then check if the flag value exists in the "Registry" (in $CPDIR/registry/HKLM_registry.data file) and return it

    3. If the flag value does not exist in the "Registry", then assume "true" for that consent flag (i.e., allow the upload / download) and return it



  • Summary table for R77.X / R80.X Security Gateways managed by R80.X Security Management Servers

    Important Notes:

    • On Security Gateway, the value of flags is changed automatically during policy installation - after setting the relevant flags on Security Management Server / Domain Management Server (either using SmartDashboard, or using Database Tool (GuiDBedit Tool) / dbedit tool).
    • To completely block the upload of data from Security Gateway to Check Point cloud, administrator has to disable the consent flags in the Objects Database and install the policy.

    Note: Value of flags on R8x Security Management Server has priority over flags on R77.X / R80.X Security Gateway.

    | # | Value of flags in Objects Database on R80.X Server | Value of flags in Registry on R80.X Server | Value of flags in Objects Database on R77.X / R80.X Gateway | Value of flags in Registry on R77.X / R80.X Gateway | Ability to download / upload on R77.X / R80.X Gateway | How is this configuration possible? | Comments |
    |---|---|---|---|---|---|---|---|
    | 1 | false | 0 | false | 0 | Gateway is not able to download / upload | On Security Gateway and on Security Management Server: Both flags were manually disabled in the Registry (either during FTW, or later), and in the Objects Database. | Flags are disabled on Security Gateway. In addition, priority is given to flags on Security Management Server. |
    | 2 | false | 0 | false | 1 | Gateway is not able to download / upload | On Security Gateway: Flags were manually disabled in the Objects Database. On Management Server / Log Server: Both flags were manually disabled in the Registry (either during FTW, or later). | Priority is given to flags on Security Management Server. |
    | 3 | false | 0 | true | 0 | Not relevant | On Security Gateway: Both flags were manually disabled in the Registry (either during FTW, or later). On Management Server / Log Server: Both flags were manually disabled in the Registry (either during FTW, or later). | This scenario can be only temporary because once policy installation is performed, the Security Management Server transfers its configuration information to the Security Gateway. |
    | 4 | false | 0 | true | 1 | Not relevant | On Management Server / Log Server: Both flags were manually disabled in the Registry (either during FTW, or later). | This scenario can be only temporary because once policy installation is performed, the Security Management Server transfers its configuration information to the Security Gateway. |
    | 5 | false | 1 | false | 0 | Gateway is not able to download / upload | On Security Gateway: Both flags were manually disabled in the Registry (either during FTW, or later), and in the Objects Database. On Management Server / Log Server: Flags were manually disabled in the Objects Database. | Priority is given to the consent flags in Database on Security Management Server. |
    | 6 | false | 1 | false | 1 | Gateway is not able to download / upload | On Security Gateway and on Security Management Server: Flags were manually disabled in the Objects Database. | Priority is given to the consent flags in Database on Security Management Server. |
    | 7 | false | 1 | true | 0 | Not relevant | On Security Gateway: Both flags were manually disabled in the Registry (either during FTW, or later). On Management Server / Log Server: Flags were manually disabled in the Objects Database. | This scenario can be only temporary because once policy installation is performed, the Security Management Server transfers its configuration information to the Security Gateway. |
    | 8 | false | 1 | true | 1 | Not relevant | On Management Server / Log Server: Flags were manually disabled in the Objects Database. | This scenario can be only temporary because once policy installation is performed, the Security Management Server transfers its configuration information to the Security Gateway. |
    | 9 | true | 0 | false | 0 | Gateway is not able to download / upload | On Security Gateway: Both flags were manually disabled in the Registry (either during FTW, or later). On Management Server / Log Server: Both flags were manually disabled in the Registry (either during FTW, or later). | Flags are disabled on Security Gateway. In addition, priority is given to flags on Security Management Server. |
    | 10 | true | 0 | false | 1 | Not relevant | On Security Gateway: Flags were manually disabled in the Objects Database. On Management Server / Log Server: Both flags were manually disabled in the Registry (either during FTW, or later). | This scenario can be only temporary because once policy installation is performed, the Security Management Server transfers its configuration information to the Security Gateway. |
    | 11 | true | 0 | true | 0 | Gateway is able to download / upload | On Security Gateway: Both flags were manually disabled in the Registry (either during FTW, or later). On Management Server / Log Server: Both flags were manually disabled in the Registry (either during FTW, or later). | Priority is given to the consent flags in Database on Security Management Server. |
    | 12 | true | 0 | true | 1 | Gateway is able to download / upload | On Management Server / Log Server: Both flags were manually disabled in the Registry (either during FTW, or later). | Priority is given to the consent flags in Database on Security Management Server. |
    | 13 | true | 1 | false | 0 | Gateway is not able to download / upload | On Security Gateway: Both flags were manually disabled in the Registry (either during FTW, or later), and in the Objects Database. | Flags are disabled on Security Gateway. In addition, priority is given to flags on Security Management Server. |
    | 14 | true | 1 | false | 1 | Not relevant | On Security Gateway: Flags were manually disabled in the Objects Database. | Priority is given to flags on Security Management Server. This scenario can be only temporary because once policy installation is performed, the Security Management Server transfers its configuration information to the Security Gateway. |
    | 15 | true | 1 | true | 0 | Gateway is able to download / upload | On Security Gateway: Both flags were manually disabled in the Registry (either during FTW, or later). | Priority is given to flags on Security Management Server. |
    | 16 | true | 1 | true | 1 | Gateway is able to download / upload | On Security Gateway and on Security Management Server: Both flags are enabled in the Registry, and in the Objects Database. | Priority is given to the consent flags in Database on Security Management Server. |

    How values of consent flags are checked:

    1. Check if the flag value exists in the "Internal Database" (in $CPDIR/tmp/umis_objects.C file) and return it

    2. If the flag value does not exist in the "Internal Database", then check if the flag value exists in the "Registry" (in $CPDIR/registry/HKLM_registry.data file) and return it

    3. If the flag value does not exist in the "Registry", then assume "true" for that consent flag (i.e., allow the upload / download) and return it
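
The three-step lookup order above, as an added shell example (not Check Point code and not part of the original article). It reads the flag notation this article shows, resolves the effective consent, and reports which store supplied it, so a value that is only "allowed" because nothing was recorded stands out. The sample files are constructed, and pairing "upload" with AllowSendingDataToCheckPoint and "download" with AllowReceivingDataFromCheckPoint is an assumption based on the flag names.

```bash
#!/bin/bash
# Added example (not Check Point code): resolve the effective "Allow Upload" /
# "Allow Download" consent using the lookup order given in this article.

# Print the value inside the parentheses of the first ":<name> (<value>)" line
# in <file>. Prints nothing when the file is unreadable or the flag is absent.
flag_value() {
    [ -r "$1" ] || return 0
    sed -n "s/^[[:space:]]*:${2}[[:space:]]*(\([^)]*\)).*/\1/p" "$1" | head -n 1
}

# effective_consent <upload|download> <internal_db_file> <registry_file>
# Prints "<allowed|forbidden|unknown> <origin>", where origin is the place
# that supplied the value: internal-db, registry, or default.
effective_consent() {
    case $1 in
        upload)   db_key=allow_upload_content
                  reg_key=AllowSendingDataToCheckPoint ;;      # assumed pairing
        download) db_key=allow_download_content
                  reg_key=AllowReceivingDataFromCheckPoint ;;  # assumed pairing
        *) echo "usage: effective_consent upload|download DB REG" >&2
           return 2 ;;
    esac

    # Step 1: the Internal Database wins whenever it holds the flag.
    value=$(flag_value "$2" "$db_key")
    origin=internal-db
    if [ -z "$value" ]; then
        # Step 2: fall back to the Registry.
        value=$(flag_value "$3" "$reg_key")
        origin=registry
    fi
    if [ -z "$value" ]; then
        # Step 3: nothing recorded anywhere, so the flag is treated as "true".
        value=true
        origin=default
    fi

    case $value in
        true|1)  echo "allowed $origin" ;;
        false|0) echo "forbidden $origin" ;;
        *)       echo "unknown $origin" ;;   # unexpected notation: review by hand
    esac
}

# Demonstration on constructed sample files (not copied from a real system).
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' ':DownloadAccess (' \
        '    :allow_download_content (true)' \
        '    :allow_upload_content (false)' ')' > "$dir/umis_objects.C"
    printf '%s\n' '    :AllowReceivingDataFromCheckPoint (0)' \
        '    :AllowSendingDataToCheckPoint (1)' > "$dir/HKLM_registry.data"

    db=$dir/umis_objects.C
    reg=$dir/HKLM_registry.data
    echo "upload, both files present: $(effective_consent upload "$db" "$reg")"
    echo "download, registry only:    $(effective_consent download "$dir/missing" "$reg")"
    echo "upload, nothing recorded:   $(effective_consent upload "$dir/missing" "$dir/missing")"
    rm -rf "$dir"
}

demo
```

On a Gaia system in Expert mode the two file arguments would be "$CPDIR/tmp/umis_objects.C" and "$CPDIR/registry/HKLM_registry.data"; the script only reads them. A result of "allowed default" means no store holds the flag and the fallback to "true" is in effect.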

 

Important Note: On Security Gateway, the value of flags is changed automatically during policy installation - after setting the relevant flags on Security Management Server / Domain Management Server (either using SmartDashboard, or using Database Tool (GuiDBedit Tool) / dbedit tool).

 

 

(6) Revision History


| Date | Description |
|---|---|
| 06 Dec 2022 | Added the information about the "Upload Core Dumps" consent flag (available in R80.40 and higher versions). |
| 27 Aug 2017 | "Allow Upload" / "Allow Download" consent flags are stored in the $CPDIR/tmp/umis_objects.C file since Take_16 of R76SP.50 Jumbo Hotfix. |
| 18 July 2017 | "Allow Upload" / "Allow Download" consent flags are stored in the $CPDIR/tmp/umis_objects.C file since Take_84 of R76SP.30 Jumbo Hotfix. |
| 13 July 2017 | Added R76SP.X in relevant places. |
| 31 Aug 2016 | Major updates in the technical explanations. |
| 16 May 2016 | First release of this article. |
Applies To:
  • 02118807
