Security Gateways and Security Management Server require access to the Internet (either directly, or via configured proxy) for various Software Blades. The table below lists the relevant connectivity tests.

• In Gaia OS, use the "curl_cli" command (Important: Refer to sk110779 - "curl: (900) servercert: Error - server certificate validation failed!" when running "curl_cli" command).

• For each of the curl_cli commands, add the option --cacert $CPDIR/conf/ca-bundle.crt to prevent the issue in sk110779.

• In Gaia Embedded OS, use the "wget" command. It is enough to check the connectivity only to the http://cws.checkpoint.com server. Use the following syntax:
  [Expert@HostName:0]# [http_proxy=Proxy_IP_or_HostName:Port] wget http://cws.checkpoint.com/

• In SecurePlatform OS, use the "curl" command instead of "curl_cli" command.

• If IPv6 address is assigned on Security Gateway / Security Management Server, then these services should be allowed in the rulebase for IPv6 as well.

• All the domains below are part of the new Updatable object “Check Point Services”. For more information on Updatable objects, see sk131852.

• You can also check and subscribe to updates on the Services status page.

Hostname	Protocol	From	Used For (Version)	Verifying Connectivity (Run command listed below. You will get a response if connectivity is OK.)
cws.checkpoint.com	http	Security Gateway, Security Management Server, SMB Gateways	Social Media Widget Detection (from R75)	curl_cli [--proxy <IP_or_HostName:Port>] -v http://cws.checkpoint.com/APPI/SystemStatus/type/short
			URL Filtering Cloud Categorization (from R75.20)	curl_cli [--proxy <IP_or_HostName:Port>] -v http://cws.checkpoint.com/URLF/SystemStatus/type/short
			Virus Detection (from R75.40)	curl_cli [--proxy <IP_or_HostName:Port>] -v http://cws.checkpoint.com/AntiVirus/SystemStatus/type/short
			Bot Detection (from R75.40)	curl_cli [--proxy <IP_or_HostName:Port>] -v http://cws.checkpoint.com/Malware/SystemStatus/type/short
updates.checkpoint.com	https http	Security Gateway, Security Management Server, SMB Gateways	IPS Updates, Updatable Object (from R80.20, on Security Gateway and Security Management)	curl_cli [--proxy <IP_or_HostName:Port>] -v -k https://updates.checkpoint.com/
crl.godaddy.com	https http	Security Gateway, Security Management Server	Update Service uses it for revocation.	curl_cli [--proxy <IP_or_HostName:Port>] -v -k https://crl.godaddy.com/
crl.globalsign.com	http	Security Gateway, Security Management Server	CRL that updates service certificate uses	curl_cli -v http://crl.globalsign.com/
dl3.checkpoint.com	http	Security Gateway, Security Management Server	Download Service Updates (from R70), Updatable Object (from R80.20, on Security Gateway and Security Management)	curl_cli [--proxy <IP_or_HostName:Port>] -v -k http://dl3.checkpoint.com
usercenter.checkpoint.com	https	Security Gateway, Security Management Server	Contract Entitlement for IPS (from R70), Traditional Anti-Virus, Legacy URL Filtering, etc.	curl_cli [--proxy <IP_or_HostName:Port>] -v -k https://usercenter.checkpoint.com/usercenter/services/ProductCoverageService
usercenter.checkpoint.com	https	Security Gateway, Security Management Server	Software Blades Manager Service	curl_cli [--proxy <IP_or_HostName:Port>] -v --cacert $CPDIR/conf/ca-bundle.crt https://usercenter.checkpoint.com/usercenter/services/BladesManagerService
resolver1.chkp.ctmail.com resolver2.chkp.ctmail.com resolver3.chkp.ctmail.com resolver4.chkp.ctmail.com resolver5.chkp.ctmail.com	http	Security Gateway	Suspicious Mail Outbreaks (from R75.40)	curl_cli [--proxy <IP_or_HostName:Port>] -v http://resolver1.chkp.ctmail.com
download.ctmail.com	http	Security Gateway, Security Management Server	Anti-Spam	curl_cli [--proxy <IP_or_HostName:Port>] -v http://download.ctmail.com
te.checkpoint.com	https	Security Gateway	Threat Emulation (from R77)	curl_cli -vk https://te.checkpoint.com/tecloud/Ping
teadv.checkpoint.com	http https	Security Gateway	Threat Emulation (from R77)	curl_cli [--proxy <IP_or_HostName:Port>] -v http://teadv.checkpoint.com
threat-emulation.checkpoint.com	https	Security Gateway	Threat Emulation (from R77)	curl_cli [--proxy <IP_or_HostName:Port>] -v https://threat-emulation.checkpoint.com curl_cli [--proxy <IP_or_HostName:Port>] -v https://threat-emulation.checkpoint.com/tecloud/Ping
ptcs.checkpoint.com ptcd.checkpoint.com	https	Security Gateway	PTC Updates	curl_cli [--proxy <IP_or_HostName:Port>] -v https://ptcs.checkpoint.com curl_cli [--proxy <IP_or_HostName:Port>] -v https://ptcd.checkpoint.com
kav8.zonealarm.com	http	Security Gateway	Archive scanning in R75.40 and higher. Deep inspection in R77.10 and higher.	curl_cli [--proxy <IP_or_HostName:Port>] -v http://kav8.zonealarm.com/version.txt
kav8.checkpoint.com	http https	Security Gateway Endpoint Security Management	Traditional Anti-Virus, Endpoint Security Management pulling Anti-Malware updates	curl_cli [--proxy <IP_or_HostName:Port>] -v http://kav8.checkpoint.com
avupdates.checkpoint.com	http https	Security Gateway	Traditional Anti-Virus, Legacy URL Filtering	curl_cli [--proxy <IP_or_HostName:Port>] -v http://avupdates.checkpoint.com/UrlList.txt
sigcheck.checkpoint.com	http	Security Gateway, Security Management Server	Download of signature updates for Traditional Anti-Virus, Legacy URL Filtering, Edge devices, etc.	curl_cli [--proxy <IP_or_HostName:Port>] -v http://sigcheck.checkpoint.com/Siglist2.txt
smbmgmtservice.checkpoint.com	https	SMB Gateway (on Gaia Embedded)	Manage SMB Gateways	smp_connectivity_test smbmgmtservice.checkpoint.com
zerotouch.checkpoint.com	https	SMB Gateways	ZeroTouch deployment	test zero-touch-request
secureupdates.checkpoint.com	http	General updates server for Check Point's gateways	Manage Security Gateways	wget http://secureupdates.checkpoint.com Note: Delete the index.html file after each wget command attempt. Otherwise it will report that file already exists and will not try to download it. curl_cli [--proxy <IP_or_HostName:Port>] -v secureupdates.checkpoint.com
productcoverage.checkpoint.com	https	Security Gateway, Security Management Server	Makes sure the machine's contracts are up-to-date (since R75.47)	curl_cli [--proxy <IP_or_HostName:Port>] -v https://productcoverage.checkpoint.com/ProductCoverageService
sc1.checkpoint.com sc2.checkpoint.com sc3.checkpoint.com sc4.checkpoint.com sc5.checkpoint.com	https	Security Gateway, Security Management Server, SmartDashboard	Download of icons and screenshots from Check Point media storage servers (e.g., Check Point AppWiki)	curl_cli [--proxy <IP_or_HostName:Port>] -v https://sc1.checkpoint.com/sc/images/checkmark.gif curl_cli [--proxy <IP_or_HostName:Port>] -v https://sc1.checkpoint.com/za/images/facetime/large_png/60342479_lrg.png curl_cli [--proxy <IP_or_HostName:Port>] -v https://sc1.checkpoint.com/za/images/facetime/large_png/60096017_lrg.png
push.checkpoint.com	https	Mobile Access Gateway	Push Notifications (since R77.10) for incoming e-mails and meeting requests on hand held devices, while the Capsule Workspace Mail app is in the background	curl -vk https://push.checkpoint.com/push/ping
downloads.checkpoint.com	http	Mobile Access Gateway, Security Management Server	Download of Endpoint Compliance Updates (Endpoint Security On Demand (ESOD) database):	curl_cli [--proxy <IP_or_HostName:Port>] -v http://downloads.checkpoint.com
productservices.checkpoint.com	https	Security Gateway, Security Management Server	Next Generation Licensing uses this service. (Entitlement/Licensing Updates)	curl_cli [--proxy <IP_or_HostName:Port>] -v http://productservices.checkpoint.com

 

Additional Notes:

• Specific IP addresses for the servers are not provided because they vary by region and are subject to change.

• There are some Check Point Services / Software Blades that requires Proxy configuration on top of the Proxy global property configured in the object of your Security Management Server / Domain Management Server, so that connections to sigcheck.checkpoint.com will be able to pass through your Proxy server.

  Examples from R7X SmartDashboard:

  Note: Check if you have one those blades enabled and configure proxy settings for each of them.

  • Endpoint Compliance

    1. Go to the "Mobile Access" tab
    2. Expand the "Endpoint Security On Demand"
    3. Click on the "Endpoint Compliance Updates"
    4. In the "Automatic Update" section, click on the "Configure..." button
    5. Go to the "Proxy" tab

    Example:
    

  • Legacy URL Filtering

    1. Go to the "Application & URL Filtering" tab
    2. Expand the "Legacy URL Filtering"
    3. Click on the "Legacy URL Filtering Policy"
    4. Click on the "Automatic updates" link
    5. Go to the "Proxy" tab

    Example:
    

  • Traditional Anti-Virus and Edge devices

    1. Go to the "Threat Prevention" tab
    2. Expand the "Traditional Anti-Virus"
    3. Click on the "Database Updates"
    4. In the "Automatic Update" section, click on the "Configure..." button
    5. Go to the "Proxy" tab

    Example:
    

 

Related Solutions:

• sk116590 - How to verify that SandBlast Agent can access Check Point servers?

Revision History