Support Center > Search Results > SecureKnowledge Details
How to verify that Security Gateway and/or Security Management Server can access Check Point servers?
Solution

Security Gateways and Security Management Server require access to the Internet (either directly, or via configured proxy) for various Software Blades. The table below lists the relevant connectivity tests.

Notes:

  • In Gaia OS, use the "curl_cli" command (Important: Refer to sk110779 - "curl: (900) servercert: Error - server certificate validation failed!" when running "curl_cli" command).

  • For each of the curl_cli commands, add the option --cacert $CPDIR/conf/ca-bundle.crt to prevent the issue in sk110779.

  • In Gaia Embedded OS, use the "wget" command. It is enough to check the connectivity only to the http://cws.checkpoint.com server. Use the following syntax:
    [Expert@HostName:0]# [http_proxy=Proxy_IP_or_HostName:Port] wget http://cws.checkpoint.com/

  • In SecurePlatform OS, use the "curl" command instead of "curl_cli" command.

  • If IPv6 address is assigned on Security Gateway / Security Management Server, then these services should be allowed in the rulebase for IPv6 as well.

  • You can also check and subscribe to updates on the Services status page.
Hostname Protocol From Used For (Version) Verifying Connectivity (Run command listed below. You will get a response if connectivity is OK.)
cws.checkpoint.com http Security Gateway,
Security Management Server,
SMB Gateways		 Social Media Widget Detection (R75 and above) curl_cli [--proxy <IP_or_HostName:Port>] -v http://cws.checkpoint.com/APPI/SystemStatus/type/short
URL Filtering Cloud Categorization (R75.20 and above) curl_cli [--proxy <IP_or_HostName:Port>] -v http://cws.checkpoint.com/URLF/SystemStatus/type/short
Virus Detection (R75.40 and above) curl_cli [--proxy <IP_or_HostName:Port>] -v http://cws.checkpoint.com/AntiVirus/SystemStatus/type/short
Bot Detection (R75.40 and above) curl_cli [--proxy <IP_or_HostName:Port>] -v http://cws.checkpoint.com/Malware/SystemStatus/type/short
updates.checkpoint.com https
http		 Security Gateway,
Security Management Server,
SMB Gateways		 IPS Updates, Updatable Object (R80.20 and above, on Security Gateway and Security Management) curl_cli [--proxy <IP_or_HostName:Port>] -v -k https://updates.checkpoint.com/
dl3.checkpoint.com http Security Gateway,
Security Management Server		 Download Service Updates (R70 and above), Updatable Object (R80.20 and above, on Security Gateway and Security Management) curl_cli [--proxy <IP_or_HostName:Port>] -v -k http://dl3.checkpoint.com
usercenter.checkpoint.com https Security Gateway,
Security Management Server		 Contract Entitlement for IPS (R70 and above), Traditional Anti-Virus, Legacy URL Filtering, etc. curl_cli [--proxy <IP_or_HostName:Port>] -v -k https://usercenter.checkpoint.com/usercenter/services/ProductCoverageService
usercenter.checkpoint.com https Security Gateway,
Security Management Server		 Software Blades Manager Service curl_cli [--proxy <IP_or_HostName:Port>] -v --cacert $CPDIR/conf/ca-bundle.crt https://usercenter.checkpoint.com/usercenter/services/BladesManagerService
resolver1.chkp.ctmail.com
resolver2.chkp.ctmail.com
resolver3.chkp.ctmail.com
resolver4.chkp.ctmail.com
resolver5.chkp.ctmail.com		 http Security Gateway Suspicious Mail Outbreaks (R75.40 and above) curl_cli [--proxy <IP_or_HostName:Port>] -v http://resolver1.chkp.ctmail.com
download.ctmail.com http Security Gateway,
Security Management Server		 Anti-Spam curl_cli [--proxy <IP_or_HostName:Port>] -v http://download.ctmail.com
te.checkpoint.com http
https		 Security Gateway Threat Emulation (R77 and above) curl -vk https://te.checkpoint.com/tecloud/Ping
teadv.checkpoint.com http
https		 Security Gateway Threat Emulation (R77 and above) curl_cli [--proxy <IP_or_HostName:Port>] -v http://teadv.checkpoint.com
kav8.zonealarm.com http Security Gateway Archive scanning in R75.40 and above.
Deep inspection in R77.10 and above.		 curl_cli [--proxy <IP_or_HostName:Port>] -v http://kav8.zonealarm.com/version.txt
kav8.checkpoint.com http
https		 Security Gateway Traditional Anti-Virus curl_cli [--proxy <IP_or_HostName:Port>] -v http://kav8.checkpoint.com
avupdates.checkpoint.com http
https		 Security Gateway Traditional Anti-Virus, Legacy URL Filtering curl_cli [--proxy <IP_or_HostName:Port>] -v http://avupdates.checkpoint.com/UrlList.txt
sigcheck.checkpoint.com http Security Gateway,
Security Management Server		 Download of signature updates for Traditional Anti-Virus, Legacy URL Filtering, Edge devices, etc. curl_cli [--proxy <IP_or_HostName:Port>] -v http://sigcheck.checkpoint.com/Siglist2.txt
smbmgmtservice.checkpoint.com https SMB Gateway
(on Gaia Embedded)		 Manage SMB Gateways smp_connectivity_test smbmgmtservice.checkpoint.com
zerotouch.checkpoint.com https SMB Gateways ZeroTouch deployment test zero-touch-request
secureupdates.checkpoint.com http General updates server for Check Point's gateways Manage Security Gateways
  • wget http://secureupdates.checkpoint.com

    Note: Delete the index.html file after each wget command attempt. Otherwise it will report that file already exists and will not try to download it.

  • curl_cli [--proxy <IP_or_HostName:Port>] -v secureupdates.checkpoint.com
https://productcoverage.checkpoint.com/ProductCoverageService https Security Gateway,
Security Management Server		 Makes sure the machine's contracts are up-to-date (since R75.47) curl_cli [--proxy <IP_or_HostName:Port>] -v https://productcoverage.checkpoint.com/ProductCoverageService
https://sc1.checkpoint.com
https://sc2.checkpoint.com
https://sc3.checkpoint.com
https://sc4.checkpoint.com
https://sc5.checkpoint.com		 https Security Gateway,
Security Management Server,
SmartDashboard		 Download of icons and screenshots from Check Point media storage servers (e.g., Check Point AppWiki)

curl_cli [--proxy <IP_or_HostName:Port>] -v https://sc1.checkpoint.com/sc/images/checkmark.gif

curl_cli [--proxy <IP_or_HostName:Port>] -v https://sc1.checkpoint.com/za/images/facetime/large_png/60342479_lrg.png

curl_cli [--proxy <IP_or_HostName:Port>] -v https://sc1.checkpoint.com/za/images/facetime/large_png/60096017_lrg.png
https://push.checkpoint.com https Mobile Access Gateway Push Notifications (since R77.10) for incoming e-mails and meeting requests on hand held devices, while the Capsule Workspace Mail app is in the background curl -vk https://push.checkpoint.com/push/ping
http://downloads.checkpoint.com http Mobile Access Gateway, Security Management Server Download of Endpoint Compliance Updates (Endpoint Security On Demand (ESOD) database):
 curl_cli [--proxy <IP_or_HostName:Port>] -v http://downloads.checkpoint.com

 

Additional Notes:

  • Specific IP addresses for the servers are not provided because they vary by region and are subject to change.

  • There are some Check Point Services / Software Blades that requires Proxy configuration on top of the Proxy global property configured in the object of your Security Management Server / Domain Management Server, so that connections to sigcheck.checkpoint.com will be able to pass through your Proxy server.

    Examples from R7X SmartDashboard:

    Note: Check if you have one those blades enabled and configure proxy settings for each of them.

    • Endpoint Compliance

      1. Go to the "Mobile Access" tab
      2. Expand the "Endpoint Security On Demand"
      3. Click on the "Endpoint Compliance Updates"
      4. In the "Automatic Update" section, click on the "Configure..." button
      5. Go to the "Proxy" tab
      Example:

    • Legacy URL Filtering

      1. Go to the "Application & URL Filtering" tab
      2. Expand the "Legacy URL Filtering"
      3. Click on the "Legacy URL Filtering Policy"
      4. Click on the "Automatic updates" link
      5. Go to the "Proxy" tab
      Example:

    • Traditional Anti-Virus and Edge devices

      1. Go to the "Threat Prevention" tab
      2. Expand the "Traditional Anti-Virus"
      3. Click on the "Database Updates"
      4. In the "Automatic Update" section, click on the "Configure..." button
      5. Go to the "Proxy" tab
      Example:

 

Related Solution: sk116590 - How to verify that SandBlast Agent can access Check Point servers?.

Revision History

Show / Hide this section
Date Description
29 May 2017 Added information about Proxy configuration on top of the Proxy global property configured in the object of Security Management Server / Domain Management Server
25 Apr 2017 Added http://downloads.checkpoint.com
16 Feb 2017 Added "Revision History" section
02 Mar 2017 Added teadv.checkpoint.com

Give us Feedback
Please rate this document
[1=Worst,5=Best]
Comment