How to configure Check Point software to upload data to Check Point / download data from Check Point
Solution

Table of Contents:

  1. Consent flags
  2. How consent flags are enabled
  3. Flags Decision Table
    • For Security Management Servers / Domain Management Servers / Log Server (all versions)
    • For R77.X / R76SP.X Security Gateways managed by R77.X Security Management Servers
    • For R77.X / R80.X Security Gateways managed by R80.X Security Management Servers
  4. How consent flags are modified
    • Edit the consent flags in the Registry
    • Edit the consent flags in the Objects Database using SmartDashboard
    • Edit the consent flags in the Objects Database using GuiDBedit Tool / dbedit tool
  5. Related solutions
  6. Revision History

 


 

Important Note: On Security Gateway, the value of flags is changed automatically during policy installation - after setting the relevant flags on Security Management Server / Domain Management Server (either using SmartDashboard, or using GuiDBedit Tool / dbedit tool).

| Flag Type | Description |
|---|---|
| "Allow Upload" | Allows the upload of data from the machine to Check Point. Note: This consent flag is available only starting in R77.20 |
| "Allow Download" | Allows the download of data from Check Point to the machine. Note: This consent flag is available only starting in R77.20 |

Notes:

  • The "Allow Upload" / "Allow Download" consent flags are stored on the machine in the following places:

    Where the consent flags are stored: $FWDIR/conf/objects_5_0.C

    When the consent flags are created:

    R77.20 and above:

    • On Security Gateway:
      During the first policy installation.

    • On Security Management Server / Multi-Domain Security Management Server / Domain Management Server / Log Server:
      During the first "Install Database" operation.

    Comments:

    • This file is referred to in this article as the "Objects Database".

    • This file should not be edited in any text editor - any settings in this file should be modified only using SmartDashboard / GuiDBedit Tool / dbedit tool.

    • The consent flags are stored in the firewall_properties section.

      The consent flags are:

      • :allow_download_content (...)
      • :allow_upload_content (...)
    • To check the current flag values, run in Expert mode:

      grep -n "load_content" $FWDIR/conf/objects_5_0.C

      Possible values of these flags are:

      • (false) = upload/download of data is forbidden
      • (true) = upload/download of data is allowed
    • How values of consent flags are checked:

      1. Check if the flag value exists in the "Internal Database"
        (in $CPDIR/tmp/umis_objects.C file) and return it
      2. If the flag value does not exist in the "Internal Database",
        then check if the flag value exists in the "Registry"
        (in $CPDIR/registry/HKLM_registry.data file) and return it
      3. If the flag value does not exist in the "Registry",
        then assume "true" for that consent flag
        (i.e., allow the upload / download) and return it

    Where the consent flags are stored: $CPDIR/registry/HKLM_registry.data

    When the consent flags are created:

    R77.20 / R77.30 / R80.X:

    • On Security Gateway:
      During the first policy installation.

    • On Security Management Server / Multi-Domain Security Management Server / Domain Management Server / Log Server:
      During the first "Install Database" operation.

    R80.10 and above:

    • On Security Gateway / Security Management Server / Multi-Domain Security Management Server / Domain Management Server / Log Server:
      During the First Time Configuration Wizard.
    Comments:

    • This file is referred to in this article as the "Registry".

    • This file should not be edited in any text editor - any settings in this file should be modified only using ckp_regedit command / cpprod_util command.

    • The consent flags are stored at:

      /SOFTWARE/CheckPoint/CPshared/6.0/reserved

      The consent flags are:

      • :AllowReceivingDataFromCheckPoint (...)
      • :AllowSendingDataToCheckPoint (...)
    • To check the current values, run in Expert mode one of these two commands:

      • grep Allow $CPDIR/registry/HKLM_registry.data | grep Data
      • ckp_regedit -p /SOFTWARE/CheckPoint/CPshared/6.0/reserved | grep CheckPoint

      Possible values of these flags are:

      • (0) = upload/download of data is forbidden
      • (1) = upload/download of data is allowed
    • How values of consent flags are checked:

      1. Check if the flag value exists in the "Internal Database"
        (in $CPDIR/tmp/umis_objects.C file) and return it
      2. If the flag value does not exist in the "Internal Database",
        then check if the flag value exists in the "Registry"
        (in $CPDIR/registry/HKLM_registry.data file) and return it
      3. If the flag value does not exist in the "Registry",
        then assume "true" for that consent flag
        (i.e., allow the upload / download) and return it

    Where the consent flags are stored: $CPDIR/tmp/umis_objects.C

    When the consent flags are created:

    R77.20 and above / R76SP.X (since Take_84 of R76SP.30 Jumbo Hotfix, and since Take_16 of R76SP.50 Jumbo Hotfix):

    • On Security Gateway:
      During the first policy installation.

    • On Security Management Server / Multi-Domain Security Management Server / Domain Management Server / Log Server:
      During the first "Install Database" operation.

    Comments:

    • This file is referred to in this article as the "Internal Database".
      This file is an internal database created by the FWD daemon based on the information from the Registry.

    • This file should not be edited in any text editor.
      This file is updated automatically during each start of FWD daemon / policy installation / database installation operation.

    • The consent flags are stored in this file in the DownloadAccess section.

      The consent flags are:

      • :allow_download_content (...)
      • :allow_upload_content (...)
    • To check the current values, run in Expert mode:

      grep -A 2 DownloadAccess $CPDIR/tmp/umis_objects.C

      Possible values of these flags are:

      • (false) = upload/download of data is forbidden
      • (true) = upload/download of data is allowed
    • How values of consent flags are checked:

      1. Check if the flag value exists in the "Internal Database"
        (in $CPDIR/tmp/umis_objects.C file) and return it
      2. If the flag value does not exist in the "Internal Database",
        then check if the flag value exists in the "Registry"
        (in $CPDIR/registry/HKLM_registry.data file) and return it
      3. If the flag value does not exist in the "Registry",
        then assume "true" for that consent flag
        (i.e., allow the upload / download) and return it
  • The "Allow Upload" consent flag has priority over the "Sync with User Center" consent flag (refer to sk94064).
    This means that if the administrator enabled the "Sync with User Center" consent flag, but did not enable the "Allow Upload" consent flag, then synchronization with User Center will not be performed.

  • In R77.X and lower, the consent flags on the Security Gateway are independent of the consent flags on the Security Management Server.
    For example, if the administrator enabled the "Allow Upload" consent flag on the R77.X Security Gateway, but disabled the "Allow Upload" consent flag on the R77.X Security Management Server, then the Security Gateway would still be able to upload the data to Check Point.
    Starting in R80, the consent flags on the R80.X Security Management Server have priority over the consent flags on the R77.X / R80.X Security Gateway.
    For details, refer to the "Flags Decision Table" section below.

Important Note for R77.20 / R77.30 / R80.X versions:

  • To completely block the upload of data from Security Management Server / Multi-Domain Security Management Server / Domain Management Server / Log Server to Check Point cloud, the administrator has to:

    1. Disable the consent flags in the Objects Database (either using SmartDashboard, or using GuiDBedit Tool / dbedit tool)
    2. Perform "Install Database" operation
  • To completely block the upload of data from Security Gateway to Check Point cloud, the administrator has to:

    1. Disable the consent flags in the Objects Database (either using SmartDashboard, or using GuiDBedit Tool / dbedit tool)
    2. Perform "Install Policy" operation

 

Consent flags are enabled during the initial installation and database installation / policy installation in the following way:

  • First Time Configuration Wizard creates the "Allow Upload" and "Allow Download" consent flags in the Registry (in $CPDIR/registry/HKLM_registry.data file).
    These flags are enabled by default:

    • The "Allow Download" consent flag:

      The checkbox is called "Automatically download Blade Contracts and other important data":

      [Screenshots: the checkbox in R77.X versions; the checkbox in R80.X versions]
    • The "Allow Upload" consent flag:

      The checkbox is called "Improve product experience by sending data to Check Point":

      [Screenshots: the checkbox in R77.X versions; the checkbox in R80.X versions]
  • "Install Policy" operation:

    • Creates the "Allow Upload" and "Allow Download" consent flags in the Objects Database (in $FWDIR/conf/objects_5_0.C file) on all machines.
    • Creates the "Allow Upload" and "Allow Download" consent flags in the Registry (in $CPDIR/registry/HKLM_registry.data file) on a Security Gateway.
    • Creates the "Allow Upload" and "Allow Download" consent flags in the Internal Database (in $CPDIR/tmp/umis_objects.C file) on a Security Gateway.
  • "Install Database" operation on Management Server / Log Server object:

    • Creates the "Allow Upload" and "Allow Download" consent flags in the Internal Database (in $CPDIR/tmp/umis_objects.C file) on a Security Management Server / Multi-Domain Security Management Server / Domain Security Management Server / Log Server.

During upgrade:

  • No change is made to these flags.
  • Once upgrade is completed, flags can be modified as described in the "How consent flags are modified" section below.

 

(3) Flags Decision Table

The following tables show possible combinations of flags values and whether the machine will be able to download data from / upload data to Check Point.

Note: The ability to download / upload is controlled separately by the corresponding flags. Refer to "How consent flags are modified" section below.

  • Summary table only for Security Management Servers / Domain Management Servers / Log Server (all versions)

    Important Note: To completely block the upload of data from Security Management Server / Multi-Domain Security Management Server / Domain Management Server / Log Server to Check Point cloud, the administrator has to disable the consent flags in the Objects Database (either using SmartDashboard, or using GuiDBedit Tool / dbedit tool) and perform the "Install Database" operation.

    | # | Value of flags in Database on R77.X / R80.X Management Server | Value of flags in Registry on R77.X / R80.X Management Server | Ability to download / upload on R77.X / R80.X Management Server | How is this configuration possible? |
    |---|---|---|---|---|
    | 1 | false | 0 | Server is not able to download / upload | Both flags were manually disabled in the Registry (either during First Time Configuration Wizard, or later), and in the Objects Database. Then Install Database operation was performed. |
    | 2 | false | 1 | Server is not able to download / upload | Both flags were enabled during First Time Configuration Wizard (default), but were manually disabled in the Objects Database. Then Install Database operation was performed. |
    | 3 | true | 0 | Server is able to download / upload | Both flags were manually disabled in the Registry, but were enabled in the Objects Database. Then Install Database operation was performed. |
    | 4 | true | 1 | Server is able to download / upload | Both flags were enabled in the Registry (during First Time Configuration Wizard, or later), and in the Objects Database. Then Install Database operation was performed. |

    How values of consent flags are checked:

    1. Check if the flag value exists in the "Internal Database" (in $CPDIR/tmp/umis_objects.C file) and return it
    2. If the flag value does not exist in the "Internal Database", then check if the flag value exists in the "Registry" (in $CPDIR/registry/HKLM_registry.data file) and return it
    3. If the flag value does not exist in the "Registry", then assume "true" for that consent flag (i.e., allow the upload / download) and return it


  • Summary table for R77.X / R76SP.X Security Gateways managed by R77.X Security Management Servers / Multi-Domain Security Management Servers

    Important Notes:

    • On Security Gateway, the value of flags is changed automatically during policy installation - after setting the relevant flags on Security Management Server / Domain Management Server (either using SmartDashboard, or using GuiDBedit Tool / dbedit tool).
    • To completely block the upload of data from Security Gateway to Check Point cloud, the administrator has to disable the consent flags in the Objects Database and install the policy.

    Note: Value of flags on R7x Security Management Server is irrelevant - only value of flags on R77.X / R76SP.X Security Gateway counts.

    | # | Value of flags in Database on R77.X Gateway | Value of flags in Registry on R77.X Gateway | Value of flags in Registry on R76SP.X Gateway | Ability to download / upload on R77.X Gateway | How is this configuration possible? |
    |---|---|---|---|---|---|
    | 1 | false | 0 | N/A | Gateway is not able to download / upload | Both flags were manually disabled in the Registry (either during First Time Configuration Wizard, or later), and in the Objects Database. Then policy was installed. |
    | 2 | false | 1 | N/A | Gateway is not able to download / upload | Flags were enabled only in the Registry (during First Time Configuration Wizard, or later), and disabled in the Objects Database. Then policy was installed. |
    | 3 | true | 0 | N/A | Gateway is able to download / upload | Both flags were manually disabled in the Registry (either during First Time Configuration Wizard, or later). Then policy was installed. |
    | 4 | true | 1 | N/A | Gateway is able to download / upload | Both flags were enabled in the Registry (during First Time Configuration Wizard, or later), and in the Objects Database. Then policy was installed. |

    How values of consent flags are checked:

    1. Check if the flag value exists in the "Internal Database" (in $CPDIR/tmp/umis_objects.C file) and return it
    2. If the flag value does not exist in the "Internal Database", then check if the flag value exists in the "Registry" (in $CPDIR/registry/HKLM_registry.data file) and return it
    3. If the flag value does not exist in the "Registry", then assume "true" for that consent flag (i.e., allow the upload / download) and return it


  • Summary table for R77.X / R80.X Security Gateways managed by R80.X Security Management Servers

    Important Notes:

    • On Security Gateway, the value of flags is changed automatically during policy installation - after setting the relevant flags on Security Management Server / Domain Management Server (either using SmartDashboard, or using GuiDBedit Tool / dbedit tool).
    • To completely block the upload of data from Security Gateway to Check Point cloud, the administrator has to disable the consent flags in the Objects Database and install the policy.

    Note: Value of flags on R8x Security Management Server has priority over flags on R77.X / R80.X Security Gateway.

    | # | Value of flags in Objects Database on R80.X Server | Value of flags in Registry on R80.X Server | Value of flags in Objects Database on R77.X / R80.X Gateway | Value of flags in Registry on R77.X / R80.X Gateway | Ability to download / upload on R77.X / R80.X Gateway | How is this configuration possible? | Comments |
    |---|---|---|---|---|---|---|---|
    | 1 | false | 0 | false | 0 | Gateway is not able to download / upload | • On Security Gateway and on Security Management Server: Both flags were manually disabled in the Registry (either during FTW, or later), and in the Objects Database | Flags are disabled on Security Gateway. In addition, priority is given to flags on Security Management Server. |
    | 2 | false | 0 | false | 1 | Gateway is not able to download / upload | • On Security Gateway: Flags were manually disabled in the Objects Database • On Management Server / Log Server: Both flags were manually disabled in the Registry (either during FTW, or later) | Priority is given to flags on Security Management Server. |
    | 3 | false | 0 | true | 0 | Not relevant | • On Security Gateway: Both flags were manually disabled in the Registry (either during FTW, or later) • On Management Server / Log Server: Both flags were manually disabled in the Registry (either during FTW, or later) | This scenario can be only temporary because once policy installation is performed, the Security Management Server transfers its configuration information to the Security Gateway. |
    | 4 | false | 0 | true | 1 | Not relevant | • On Management Server / Log Server: Both flags were manually disabled in the Registry (either during FTW, or later) | This scenario can be only temporary because once policy installation is performed, the Security Management Server transfers its configuration information to the Security Gateway. |
    | 5 | false | 1 | false | 0 | Gateway is not able to download / upload | • On Security Gateway: Both flags were manually disabled in the Registry (either during FTW, or later), and in the Objects Database • On Management Server / Log Server: Flags were manually disabled in the Objects Database | Priority is given to the consent flags in Database on Security Management Server. |
    | 6 | false | 1 | false | 1 | Gateway is not able to download / upload | • On Security Gateway and on Security Management Server: Flags were manually disabled in the Objects Database | Priority is given to the consent flags in Database on Security Management Server. |
    | 7 | false | 1 | true | 0 | Not relevant | • On Security Gateway: Both flags were manually disabled in the Registry (either during FTW, or later) • On Management Server / Log Server: Flags were manually disabled in the Objects Database | This scenario can be only temporary because once policy installation is performed, the Security Management Server transfers its configuration information to the Security Gateway. |
    | 8 | false | 1 | true | 1 | Not relevant | • On Management Server / Log Server: Flags were manually disabled in the Objects Database | This scenario can be only temporary because once policy installation is performed, the Security Management Server transfers its configuration information to the Security Gateway. |
    | 9 | true | 0 | false | 0 | Gateway is not able to download / upload | • On Security Gateway: Both flags were manually disabled in the Registry (either during FTW, or later) • On Management Server / Log Server: Both flags were manually disabled in the Registry (either during FTW, or later) | Flags are disabled on Security Gateway. In addition, priority is given to flags on Security Management Server. |
    | 10 | true | 0 | false | 1 | Not relevant | • On Security Gateway: Flags were manually disabled in the Objects Database • On Management Server / Log Server: Both flags were manually disabled in the Registry (either during FTW, or later) | This scenario can be only temporary because once policy installation is performed, the Security Management Server transfers its configuration information to the Security Gateway. |
    | 11 | true | 0 | true | 0 | Gateway is able to download / upload | • On Security Gateway: Both flags were manually disabled in the Registry (either during FTW, or later) • On Management Server / Log Server: Both flags were manually disabled in the Registry (either during FTW, or later) | Priority is given to the consent flags in Database on Security Management Server. |
    | 12 | true | 0 | true | 1 | Gateway is able to download / upload | • On Management Server / Log Server: Both flags were manually disabled in the Registry (either during FTW, or later) | Priority is given to the consent flags in Database on Security Management Server. |
    | 13 | true | 1 | false | 0 | Gateway is not able to download / upload | • On Security Gateway: Both flags were manually disabled in the Registry (either during FTW, or later), and in the Objects Database | Flags are disabled on Security Gateway. In addition, priority is given to flags on Security Management Server. |
    | 14 | true | 1 | false | 1 | Not relevant | • On Security Gateway: Flags were manually disabled in the Objects Database | Priority is given to flags on Security Management Server. This scenario can be only temporary because once policy installation is performed, the Security Management Server transfers its configuration information to the Security Gateway. |
    | 15 | true | 1 | true | 0 | Gateway is able to download / upload | • On Security Gateway: Both flags were manually disabled in the Registry (either during FTW, or later) | Priority is given to flags on Security Management Server. |
    | 16 | true | 1 | true | 1 | Gateway is able to download / upload | • On Security Gateway and on Security Management Server: Both flags are enabled in the Registry, and in the Objects Database | Priority is given to the consent flags in Database on Security Management Server. |

    How values of consent flags are checked:

    1. Check if the flag value exists in the "Internal Database" (in $CPDIR/tmp/umis_objects.C file) and return it
    2. If the flag value does not exist in the "Internal Database", then check if the flag value exists in the "Registry" (in $CPDIR/registry/HKLM_registry.data file) and return it
    3. If the flag value does not exist in the "Registry", then assume "true" for that consent flag (i.e., allow the upload / download) and return it
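
Added example (not part of the original article and not Check Point code): shell functions that apply the three-step lookup order above to the Internal Database and Registry files and report which source decided the result, so that a "true" produced only by missing flags is visible during an audit. The function names, the layout of the sample files, the tolerance for quoted or "[n]"-prefixed values, and the mapping of AllowSendingDataToCheckPoint to upload and AllowReceivingDataFromCheckPoint to download are assumptions.

```shell
#!/bin/bash
# Added example: resolve the effective consent flag with the lookup order
# given in this article (Internal Database -> Registry -> default "true").

# Print the value inside "(...)" after ":<flag>" read from stdin; fail if absent.
# Assumption: a flag is written as ":name (value)" on one line. Quotes or a
# "[n]" type prefix around the value, if present, are stripped (assumption).
read_flag() {   # $1 = flag name
    sed -n "s/.*:$1[[:space:]]*(\([^)]*\)).*/\1/p" |
        sed 's/"//g; s/^\[[0-9]*\]//' | head -n 1 | grep .
}

# Print "<value> <source>" for one direction.
# $1 = upload|download, $2 = Internal Database file, $3 = Registry file
effective_consent() {
    local db_flag reg_flag v
    case "$1" in
        upload)   db_flag=allow_upload_content
                  reg_flag=AllowSendingDataToCheckPoint ;;     # mapping assumed from the names
        download) db_flag=allow_download_content
                  reg_flag=AllowReceivingDataFromCheckPoint ;; # mapping assumed from the names
        *) echo "usage: effective_consent upload|download DB REG" >&2; return 2 ;;
    esac
    # Step 1: Internal Database, DownloadAccess section (same grep as the article).
    if [ -r "$2" ] && v=$(grep -A 2 DownloadAccess "$2" | read_flag "$db_flag"); then
        echo "$v internal-db"; return 0
    fi
    # Step 2: Registry, where the values are 0 / 1.
    if [ -r "$3" ] && v=$(read_flag "$reg_flag" < "$3"); then
        case "$v" in 1) v=true ;; 0) v=false ;; esac
        echo "$v registry"; return 0
    fi
    # Step 3: nothing found, so the flag is assumed "true" (transfer allowed).
    echo "true default"
}

# Audit both directions; exit status 1 if any direction is not "false".
audit_consent() {   # $1 = Internal Database file, $2 = Registry file
    local dir res rc=0
    for dir in upload download; do
        res=$(effective_consent "$dir" "$1" "$2")
        echo "$dir: $res"
        case "$res" in false\ *) ;; *) rc=1 ;; esac
    done
    return $rc
}

# Constructed sample files (illustrative layout, not copied from a real system).
demo() {
    local d; d=$(mktemp -d)
    printf ': (DownloadAccess\n\t:allow_download_content (true)\n\t:allow_upload_content (false)\n)\n' > "$d/umis_objects.C"
    printf ': (reserved\n\t:AllowReceivingDataFromCheckPoint (1)\n\t:AllowSendingDataToCheckPoint (1)\n)\n' > "$d/HKLM_registry.data"
    audit_consent "$d/umis_objects.C" "$d/HKLM_registry.data" || echo "  -> at least one direction is allowed"
    audit_consent "$d/missing" "$d/HKLM_registry.data"        || echo "  -> at least one direction is allowed"
    audit_consent "$d/missing" "$d/also-missing"              || echo "  -> allowed by default: no flag found"
    rm -rf "$d"
}
demo
```

On a real machine the two file arguments would be $CPDIR/tmp/umis_objects.C and $CPDIR/registry/HKLM_registry.data, read in Expert mode.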

 

Important Note: On Security Gateway, the value of flags is changed automatically during policy installation - after setting the relevant flags on Security Management Server / Domain Management Server (either using SmartDashboard, or using GuiDBedit Tool / dbedit tool).

 

 

(6) Revision History


| Date | Description |
|---|---|
| 27 Aug 2017 | "Allow Upload" / "Allow Download" consent flags are stored in the $CPDIR/tmp/umis_objects.C file since Take_16 of R76SP.50 Jumbo Hotfix. |
| 18 July 2017 | "Allow Upload" / "Allow Download" consent flags are stored in the $CPDIR/tmp/umis_objects.C file since Take_84 of R76SP.30 Jumbo Hotfix. |
| 13 July 2017 | Added R76SP.X in relevant places. |
| 31 Aug 2016 | Major updates in the technical explanations. |
| 16 May 2016 | First release of this article. |

Applies To:
  • 02118807
