How to verify that Security Gateway and/or Security Management Server can access Check Point servers?

Support Center > Search Results > SecureKnowledge Details

Solution ID	sk83520
Product	Security Gateway, Security Management, Application Control, IPS, URL Filtering, Anti-Spam, Threat Emulation, Anti-Bot, Anti-Virus, Small and Medium Business Appliances
Version	R75.20, R75.30, R75.40, R75.40VS, R75.45, R75.46, R75.47, R76, R77, R77.10, R77.20, R77.30, R80, R80.10, R80.20, R80.30
Platform / Model	All
Date Created	01-Jun-2015
Last Modified	19-Aug-2019

Solution

Security Gateways and Security Management Server require access to the Internet (either directly, or via configured proxy) for various Software Blades. The table below lists the relevant connectivity tests.

Notes:

In Gaia OS, use the "curl_cli" command (Important: Refer to sk110779 - "curl: (900) servercert: Error - server certificate validation failed!" when running "curl_cli" command).
For each of the curl_cli commands, add the option --cacert $CPDIR/conf/ca-bundle.crt to prevent the issue in sk110779.
In Gaia Embedded OS, use the "wget" command. It is enough to check the connectivity only to the http://cws.checkpoint.com server. Use the following syntax:
[Expert@HostName:0]# [http_proxy=Proxy_IP_or_HostName:Port] wget http://cws.checkpoint.com/
In SecurePlatform OS, use the "curl" command instead of "curl_cli" command.
If IPv6 address is assigned on Security Gateway / Security Management Server, then these services should be allowed in the rulebase for IPv6 as well.

You can also check and subscribe to updates on the Services status page.

Hostname	Protocol	From	Used For (Version)	Verifying Connectivity (Run command listed below. You will get a response if connectivity is OK.)
`cws.checkpoint.com`	http	Security Gateway, Security Management Server, SMB Gateways	Social Media Widget Detection (R75 and above)	curl_cli [--proxy <IP_or_HostName:Port>] -v http://cws.checkpoint.com/APPI/SystemStatus/type/short
			URL Filtering Cloud Categorization (R75.20 and above)	curl_cli [--proxy <IP_or_HostName:Port>] -v http://cws.checkpoint.com/URLF/SystemStatus/type/short
			Virus Detection (R75.40 and above)	curl_cli [--proxy <IP_or_HostName:Port>] -v http://cws.checkpoint.com/AntiVirus/SystemStatus/type/short
			Bot Detection (R75.40 and above)	curl_cli [--proxy <IP_or_HostName:Port>] -v http://cws.checkpoint.com/Malware/SystemStatus/type/short
`updates.checkpoint.com`	https http	Security Gateway, Security Management Server, SMB Gateways	IPS Updates, Updatable Object (R80.20 and above, on Security Gateway and Security Management)	curl_cli [--proxy <IP_or_HostName:Port>] -v -k https://updates.checkpoint.com/
`dl3.checkpoint.com`	http	Security Gateway, Security Management Server	Download Service Updates (R70 and above), Updatable Object (R80.20 and above, on Security Gateway and Security Management)	curl_cli [--proxy <IP_or_HostName:Port>] -v -k http://dl3.checkpoint.com
`usercenter.checkpoint.com`	https	Security Gateway, Security Management Server	Contract Entitlement for IPS (R70 and above), Traditional Anti-Virus, Legacy URL Filtering, etc.	curl_cli [--proxy <IP_or_HostName:Port>] -v -k https://usercenter.checkpoint.com/usercenter/services/ProductCoverageService
`usercenter.checkpoint.com`	https	Security Gateway, Security Management Server	Software Blades Manager Service	curl_cli [--proxy <IP_or_HostName:Port>] -v --cacert $CPDIR/conf/ca-bundle.crt https://usercenter.checkpoint.com/usercenter/services/BladesManagerService
`resolver1.chkp.ctmail.com` `resolver2.chkp.ctmail.com` `resolver3.chkp.ctmail.com` `resolver4.chkp.ctmail.com` `resolver5.chkp.ctmail.com`	http	Security Gateway	Suspicious Mail Outbreaks (R75.40 and above)	curl_cli [--proxy <IP_or_HostName:Port>] -v http://resolver1.chkp.ctmail.com
`download.ctmail.com`	http	Security Gateway, Security Management Server	Anti-Spam	curl_cli [--proxy <IP_or_HostName:Port>] -v http://download.ctmail.com
`te.checkpoint.com`	http https	Security Gateway	Threat Emulation (R77 and above)	curl_cli -vk https://te.checkpoint.com/tecloud/Ping
`teadv.checkpoint.com`	http https	Security Gateway	Threat Emulation (R77 and above)	curl_cli [--proxy <IP_or_HostName:Port>] -v http://teadv.checkpoint.com
`threat-emulation.checkpoint.com`	http https	Security Gateway	Threat Emulation (R77 and above)	curl_cli [--proxy <IP_or_HostName:Port>] -v http://threat-emulation.checkpoint.com curl_cli [--proxy <IP_or_HostName:Port>] -v http://threat-emulation.checkpoint.com/tecloud/Ping
`kav8.zonealarm.com`	http	Security Gateway	Archive scanning in R75.40 and above. Deep inspection in R77.10 and above.	curl_cli [--proxy <IP_or_HostName:Port>] -v http://kav8.zonealarm.com/version.txt
`kav8.checkpoint.com`	http https	Security Gateway Endpoint Security Management	Traditional Anti-Virus, Endpoint Security Management pulling Anti-Malware updates	curl_cli [--proxy <IP_or_HostName:Port>] -v http://kav8.checkpoint.com
`avupdates.checkpoint.com`	http https	Security Gateway	Traditional Anti-Virus, Legacy URL Filtering	curl_cli [--proxy <IP_or_HostName:Port>] -v http://avupdates.checkpoint.com/UrlList.txt
`sigcheck.checkpoint.com`	http	Security Gateway, Security Management Server	Download of signature updates for Traditional Anti-Virus, Legacy URL Filtering, Edge devices, etc.	curl_cli [--proxy <IP_or_HostName:Port>] -v http://sigcheck.checkpoint.com/Siglist2.txt
`smbmgmtservice.checkpoint.com`	https	SMB Gateway (on Gaia Embedded)	Manage SMB Gateways	smp_connectivity_test smbmgmtservice.checkpoint.com
`zerotouch.checkpoint.com`	https	SMB Gateways	ZeroTouch deployment	test zero-touch-request
`secureupdates.checkpoint.com`	http	General updates server for Check Point's gateways	Manage Security Gateways	wget http://secureupdates.checkpoint.com Note: Delete the index.html file after each wget command attempt. Otherwise it will report that file already exists and will not try to download it. curl_cli [--proxy <IP_or_HostName:Port>] -v secureupdates.checkpoint.com
`productcoverage.checkpoint.com`	https	Security Gateway, Security Management Server	Makes sure the machine's contracts are up-to-date (since R75.47)	curl_cli [--proxy <IP_or_HostName:Port>] -v https://productcoverage.checkpoint.com/ProductCoverageService
`sc1.checkpoint.com` `sc2.checkpoint.com` `sc3.checkpoint.com` `sc4.checkpoint.com` `sc5.checkpoint.com`	https	Security Gateway, Security Management Server, SmartDashboard	Download of icons and screenshots from Check Point media storage servers (e.g., Check Point AppWiki)	curl_cli [--proxy <IP_or_HostName:Port>] -v https://sc1.checkpoint.com/sc/images/checkmark.gif curl_cli [--proxy <IP_or_HostName:Port>] -v https://sc1.checkpoint.com/za/images/facetime/large_png/60342479_lrg.png curl_cli [--proxy <IP_or_HostName:Port>] -v https://sc1.checkpoint.com/za/images/facetime/large_png/60096017_lrg.png
`push.checkpoint.com`	https	Mobile Access Gateway	Push Notifications (since R77.10) for incoming e-mails and meeting requests on hand held devices, while the Capsule Workspace Mail app is in the background	curl -vk https://push.checkpoint.com/push/ping
`downloads.checkpoint.com`	http	Mobile Access Gateway, Security Management Server	Download of Endpoint Compliance Updates (Endpoint Security On Demand (ESOD) database):	curl_cli [--proxy <IP_or_HostName:Port>] -v http://downloads.checkpoint.com
`productservices.checkpoint.com`	https	Security Gateway, Security Management Server	Next Generation Licensing uses this service. (Entitlement/Licensing Updates)	curl_cli [--proxy <IP_or_HostName:Port>] -v http://productservices.checkpoint.com

Additional Notes:

Specific IP addresses for the servers are not provided because they vary by region and are subject to change.
There are some Check Point Services / Software Blades that requires Proxy configuration on top of the Proxy global property configured in the object of your Security Management Server / Domain Management Server, so that connections to sigcheck.checkpoint.com will be able to pass through your Proxy server.

Examples from R7X SmartDashboard:

Note: Check if you have one those blades enabled and configure proxy settings for each of them.
- Endpoint Compliance
  1. Go to the "Mobile Access" tab
  2. Expand the "Endpoint Security On Demand"
  3. Click on the "Endpoint Compliance Updates"
  4. In the "Automatic Update" section, click on the "Configure..." button
  5. Go to the "Proxy" tab
  Example:
- Legacy URL Filtering
  1. Go to the "Application & URL Filtering" tab
  2. Expand the "Legacy URL Filtering"
  3. Click on the "Legacy URL Filtering Policy"
  4. Click on the "Automatic updates" link
  5. Go to the "Proxy" tab
  Example:
- Traditional Anti-Virus and Edge devices
  1. Go to the "Threat Prevention" tab
  2. Expand the "Traditional Anti-Virus"
  3. Click on the "Database Updates"
  4. In the "Automatic Update" section, click on the "Configure..." button
  5. Go to the "Proxy" tab
  Example:

Revision History

Show / Hide this section

Date Description

29 May 2017 Added information about Proxy configuration on top of the Proxy global property configured in the object of Security Management Server / Domain Management Server

25 Apr 2017 Added http://downloads.checkpoint.com

16 Feb 2017 Added "Revision History" section

02 Mar 2017 Added teadv.checkpoint.com

Give us Feedback

Please rate this document

[1=Worst,5=Best]

Comment
	Submitting rating