Support Center > Search Results > SecureKnowledge Details
How to verify that Security Gateway and/or Security Management Server can access Check Point servers?
Solution

Security Gateways and Security Management Server require access to the Internet (either directly, or via configured proxy) for various Software Blades. The table below lists the relevant connectivity tests.

Notes:

  • In Gaia OS, use the "curl_cli" command (Important: Refer to sk110779 - "curl: (900) servercert: Error - server certificate validation failed!" when running "curl_cli" command).

  • For each of the curl_cli commands, add the option --cacert $CPDIR/conf/ca-bundle.crt to prevent the issue in sk110779.

  • In Gaia Embedded OS, use the "wget" command. It is enough to check the connectivity only to the http://cws.checkpoint.com server. Use the following syntax:
    [Expert@HostName:0]# [http_proxy=Proxy_IP_or_HostName:Port] wget http://cws.checkpoint.com/

  • In SecurePlatform OS, use the "curl" command instead of "curl_cli" command.

  • If IPv6 address is assigned on Security Gateway / Security Management Server, then these services should be allowed in the rulebase for IPv6 as well.

  • You can also check and subscribe to updates on the Services status page.
Hostname Protocol From Used For (Version) Verifying Connectivity (Run command listed below. You will get a response if connectivity is OK.)
cws.checkpoint.com http Security Gateway,
Security Management Server,
SMB Gateways
Social Media Widget Detection (R75 and above) curl_cli [--proxy <IP_or_HostName:Port>] -v http://cws.checkpoint.com/APPI/SystemStatus/type/short
URL Filtering Cloud Categorization (R75.20 and above) curl_cli [--proxy <IP_or_HostName:Port>] -v http://cws.checkpoint.com/URLF/SystemStatus/type/short
Virus Detection (R75.40 and above) curl_cli [--proxy <IP_or_HostName:Port>] -v http://cws.checkpoint.com/AntiVirus/SystemStatus/type/short
Bot Detection (R75.40 and above) curl_cli [--proxy <IP_or_HostName:Port>] -v http://cws.checkpoint.com/Malware/SystemStatus/type/short
updates.checkpoint.com https
http
Security Gateway,
Security Management Server,
SMB Gateways
IPS Updates, Updatable Object (R80.20 and above, on Security Gateway and Security Management) curl_cli [--proxy <IP_or_HostName:Port>] -v -k https://updates.checkpoint.com/
dl3.checkpoint.com http Security Gateway,
Security Management Server
Download Service Updates (R70 and above), Updatable Object (R80.20 and above, on Security Gateway and Security Management) curl_cli [--proxy <IP_or_HostName:Port>] -v -k http://dl3.checkpoint.com
usercenter.checkpoint.com https Security Gateway,
Security Management Server
Contract Entitlement for IPS (R70 and above), Traditional Anti-Virus, Legacy URL Filtering, etc. curl_cli [--proxy <IP_or_HostName:Port>] -v -k https://usercenter.checkpoint.com/usercenter/services/ProductCoverageService
usercenter.checkpoint.com https Security Gateway,
Security Management Server
Software Blades Manager Service curl_cli [--proxy <IP_or_HostName:Port>] -v --cacert $CPDIR/conf/ca-bundle.crt https://usercenter.checkpoint.com/usercenter/services/BladesManagerService
resolver1.chkp.ctmail.com
resolver2.chkp.ctmail.com
resolver3.chkp.ctmail.com
resolver4.chkp.ctmail.com
resolver5.chkp.ctmail.com
http Security Gateway Suspicious Mail Outbreaks (R75.40 and above) curl_cli [--proxy <IP_or_HostName:Port>] -v http://resolver1.chkp.ctmail.com
download.ctmail.com http Security Gateway,
Security Management Server
Anti-Spam curl_cli [--proxy <IP_or_HostName:Port>] -v http://download.ctmail.com
te.checkpoint.com http
https
Security Gateway Threat Emulation (R77 and above) curl_cli -vk https://te.checkpoint.com/tecloud/Ping
teadv.checkpoint.com http
https
Security Gateway Threat Emulation (R77 and above) curl_cli [--proxy <IP_or_HostName:Port>] -v http://teadv.checkpoint.com
threat-emulation.checkpoint.com http
https
Security Gateway Threat Emulation (R77 and above) curl_cli [--proxy <IP_or_HostName:Port>] -v http://threat-emulation.checkpoint.com
curl_cli [--proxy <IP_or_HostName:Port>] -v http://threat-emulation.checkpoint.com/tecloud/Ping
kav8.zonealarm.com http Security Gateway Archive scanning in R75.40 and above.
Deep inspection in R77.10 and above.
curl_cli [--proxy <IP_or_HostName:Port>] -v http://kav8.zonealarm.com/version.txt
kav8.checkpoint.com http
https
Security Gateway
Endpoint Security Management
Traditional Anti-Virus,
Endpoint Security Management pulling Anti-Malware updates
curl_cli [--proxy <IP_or_HostName:Port>] -v http://kav8.checkpoint.com
avupdates.checkpoint.com http
https
Security Gateway Traditional Anti-Virus, Legacy URL Filtering curl_cli [--proxy <IP_or_HostName:Port>] -v http://avupdates.checkpoint.com/UrlList.txt
sigcheck.checkpoint.com http Security Gateway,
Security Management Server
Download of signature updates for Traditional Anti-Virus, Legacy URL Filtering, Edge devices, etc. curl_cli [--proxy <IP_or_HostName:Port>] -v http://sigcheck.checkpoint.com/Siglist2.txt
smbmgmtservice.checkpoint.com https SMB Gateway
(on Gaia Embedded)
Manage SMB Gateways smp_connectivity_test smbmgmtservice.checkpoint.com
zerotouch.checkpoint.com https SMB Gateways ZeroTouch deployment test zero-touch-request
secureupdates.checkpoint.com http General updates server for Check Point's gateways Manage Security Gateways
  • wget http://secureupdates.checkpoint.com

    Note: Delete the index.html file after each wget command attempt. Otherwise it will report that file already exists and will not try to download it.

  • curl_cli [--proxy <IP_or_HostName:Port>] -v secureupdates.checkpoint.com
productcoverage.checkpoint.com https Security Gateway,
Security Management Server
Makes sure the machine's contracts are up-to-date (since R75.47) curl_cli [--proxy <IP_or_HostName:Port>] -v https://productcoverage.checkpoint.com/ProductCoverageService
sc1.checkpoint.com
sc2.checkpoint.com
sc3.checkpoint.com
sc4.checkpoint.com
sc5.checkpoint.com
https Security Gateway,
Security Management Server,
SmartDashboard
Download of icons and screenshots from Check Point media storage servers (e.g., Check Point AppWiki)

curl_cli [--proxy <IP_or_HostName:Port>] -v https://sc1.checkpoint.com/sc/images/checkmark.gif

curl_cli [--proxy <IP_or_HostName:Port>] -v https://sc1.checkpoint.com/za/images/facetime/large_png/60342479_lrg.png

curl_cli [--proxy <IP_or_HostName:Port>] -v https://sc1.checkpoint.com/za/images/facetime/large_png/60096017_lrg.png

push.checkpoint.com https Mobile Access Gateway Push Notifications (since R77.10) for incoming e-mails and meeting requests on hand held devices, while the Capsule Workspace Mail app is in the background curl -vk https://push.checkpoint.com/push/ping
downloads.checkpoint.com http Mobile Access Gateway, Security Management Server Download of Endpoint Compliance Updates (Endpoint Security On Demand (ESOD) database):
curl_cli [--proxy <IP_or_HostName:Port>] -v http://downloads.checkpoint.com
productservices.checkpoint.com https  Security Gateway,
Security Management Server 
Next Generation Licensing uses this service. (Entitlement/Licensing Updates) curl_cli [--proxy <IP_or_HostName:Port>] -v http://productservices.checkpoint.com

 

Additional Notes:

  • Specific IP addresses for the servers are not provided because they vary by region and are subject to change.

  • There are some Check Point Services / Software Blades that requires Proxy configuration on top of the Proxy global property configured in the object of your Security Management Server / Domain Management Server, so that connections to sigcheck.checkpoint.com will be able to pass through your Proxy server.

    Examples from R7X SmartDashboard:

    Note: Check if you have one those blades enabled and configure proxy settings for each of them.

    • Endpoint Compliance

      1. Go to the "Mobile Access" tab
      2. Expand the "Endpoint Security On Demand"
      3. Click on the "Endpoint Compliance Updates"
      4. In the "Automatic Update" section, click on the "Configure..." button
      5. Go to the "Proxy" tab
      Example:
    • Legacy URL Filtering

      1. Go to the "Application & URL Filtering" tab
      2. Expand the "Legacy URL Filtering"
      3. Click on the "Legacy URL Filtering Policy"
      4. Click on the "Automatic updates" link
      5. Go to the "Proxy" tab
      Example:
    • Traditional Anti-Virus and Edge devices

      1. Go to the "Threat Prevention" tab
      2. Expand the "Traditional Anti-Virus"
      3. Click on the "Database Updates"
      4. In the "Automatic Update" section, click on the "Configure..." button
      5. Go to the "Proxy" tab
      Example:

 

Related Solution: sk116590 - How to verify that SandBlast Agent can access Check Point servers?.

Revision History

Show / Hide this section
Date Description
29 May 2017 Added information about Proxy configuration on top of the Proxy global property configured in the object of Security Management Server / Domain Management Server
25 Apr 2017 Added http://downloads.checkpoint.com
16 Feb 2017 Added "Revision History" section
02 Mar 2017 Added teadv.checkpoint.com

Give us Feedback
Please rate this document
[1=Worst,5=Best]
Comment