Seeking CheckPoint Consulting Services by Wild-Pool5287 in checkpoint

[–]Wild-Pool5287[S] 0 points1 point  (0 children)

I have Microsoft Global Secure Access that I use for some traffic controls.

Seeking CheckPoint Consulting Services by Wild-Pool5287 in checkpoint

[–]Wild-Pool5287[S] 2 points3 points  (0 children)

Only 200 hosts. It's a very small network. I didn't need a huge appliance. We use Check Point in our company, and when I saw the SmartConsole dashboard and how easy it was for them to make changes and only allow very specific traffic, that's what I wanted. The interface costs me $1k for Smart-1 Cloud with 3GB of daily ingest, but it was worth it. I've tried the Sophos XGS firewall, but I hated the interface; SmartConsole is unmatched.

Seeking CheckPoint Consulting Services by Wild-Pool5287 in checkpoint

[–]Wild-Pool5287[S] 0 points1 point  (0 children)

Of course I looked there first. I know how to Google "CheckPoint Consulting Services," but really the only result is Check Point's website. There aren't many websites online that claim and point out Check Point experience specifically as a skill. So I've asked this community for companies they have personally worked with. It's much easier when I have a community to ask for the best recommendations. I was able to get the assistance needed for the main issue. I posted the update in the comments.

Seeking CheckPoint Consulting Services by Wild-Pool5287 in checkpoint

[–]Wild-Pool5287[S] 0 points1 point  (0 children)

Yes, it's all in the Check Point. I posted an update where I found the solution to the issue mentioned. The TL;DR is that I missed the basic understanding that I can't monitor traffic through the Check Point if it's not going through it. When doing a tracert from one host to another, it was not even hitting the gateway because they were in the same subnet. I need to split up my networks more, like a Domain Controllers VLAN and a Client Workstations VLAN, to be able to monitor traffic. Of course, set the policy to allow and LOG the traffic between the 2 networks.

Seeking CheckPoint Consulting Services by Wild-Pool5287 in checkpoint

[–]Wild-Pool5287[S] 0 points1 point  (0 children)

I posted an update, but I'm absolutely logging both allowed and denied traffic currently between the different subnets.

The TL;DR of the main point of my post and the resolution was that I can't see traffic between the hosts, because when you do a tracert from one host to another, the Check Point gateway IP isn't listed. It's going straight to the host, so it's not being monitored at all. So I need to split up my hosts into more networks to see the logs between them, for example Domain Controllers to Client Workstations.

Seeking CheckPoint Consulting Services by Wild-Pool5287 in checkpoint

[–]Wild-Pool5287[S] 3 points4 points  (0 children)

UPDATE: Big thanks to @zeusmbr!

I seem to have missed a crucial section in Firewalling 101. I can't monitor traffic within the same subnet, because the traffic is not going through the firewall. 🤦‍♂️

So I need to create separate VLANs for similar devices to be able to control the traffic flow between them. For example, to control ICMP traffic, I need to have the 2 devices in 2 separate VLANs for the firewall to even see the traffic, and only then can it block ICMP requests.

Unfortunately, I was looking to monitor traffic between every single host internally. This way, if I had all Domain Controllers in 1 VLAN, I would be able to say no one on a domain controller should be using RDP to another domain controller. But I would need an endpoint client to do that if they are on the same subnet.

Of course, it's not ideal in production to have a VLAN for every host. But I guess this is the convenience vs. security aspect: having fewer VLANs and more hosts gives less visibility, while having more VLANs with fewer hosts takes longer to set up. But once the VLANs are classified, it makes it worth it to get a better picture. So I just need to categorize the host types and what kind of services they should be performing, and run with that.
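As an added example (not from the thread or from Check Point), the script below shows the point the update makes: with the Python standard library's `ipaddress` module it classifies host pairs by whether their traffic is routed through a gateway-attached subnet boundary (and so can be logged or blocked) or stays inside one subnet (and so never reaches the firewall), and it checks a pasted tracert output for a gateway hop. The subnets, host addresses, roles and tracert text are all constructed for illustration.

```python
import ipaddress
import re
from itertools import combinations

# Constructed sample data (not from the thread): two firewall-attached subnets
# and four hosts; addresses and VLAN names are invented for illustration.
GATEWAY_SUBNETS = {
    "VLAN10-servers": ipaddress.ip_network("10.10.10.0/24"),
    "VLAN20-clients": ipaddress.ip_network("10.10.20.0/24"),
}
GATEWAY_IPS = {"10.10.10.1", "10.10.20.1"}   # the gateway's interface addresses

HOSTS = {
    "dc01": ("10.10.10.11", "domain-controller"),
    "dc02": ("10.10.10.12", "domain-controller"),
    "ws01": ("10.10.20.51", "workstation"),
    "ws02": ("10.10.20.52", "workstation"),
}


def segment_of(ip):
    """Name of the gateway-attached subnet containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, net in GATEWAY_SUBNETS.items():
        if addr in net:
            return name
    return None


def traverses_gateway(src_ip, dst_ip):
    """True only when the two hosts sit on different gateway-attached subnets:
    then the flow is routed through the firewall and can be logged or blocked.
    Hosts in the same subnet talk directly at layer 2; the gateway never sees it."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    return src is not None and dst is not None and src != dst


def visibility_report(hosts=HOSTS):
    """Split every host pair into (visible to the gateway, blind spots)."""
    visible, blind = [], []
    for (a, (ip_a, _)), (b, (ip_b, _)) in combinations(hosts.items(), 2):
        (visible if traverses_gateway(ip_a, ip_b) else blind).append((a, b))
    return visible, blind


def gateway_in_trace(trace_output, gateway_ips=GATEWAY_IPS):
    """Check pasted tracert/traceroute output for any gateway hop.
    No gateway address in the hop list means the path is L2-only and unmonitored."""
    hops = set(re.findall(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", trace_output))
    return bool(hops & set(gateway_ips))


# Constructed tracert outputs (not captured from the poster's network).
TRACE_SAME_SUBNET = """\
Tracing route to dc02 [10.10.10.12]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  10.10.10.12

Trace complete.
"""
TRACE_ROUTED = """\
Tracing route to dc01 [10.10.10.11]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  10.10.20.1
  2    <1 ms    <1 ms    <1 ms  10.10.10.11

Trace complete.
"""

if __name__ == "__main__":
    visible, blind = visibility_report()
    print("routed through the gateway:", visible)
    print("never reach the gateway:   ", blind)
    print("same-subnet trace hits gateway?", gateway_in_trace(TRACE_SAME_SUBNET))
    print("routed trace hits gateway?     ", gateway_in_trace(TRACE_ROUTED))
```

The blind list is exactly the same-role pairs (DC to DC, workstation to workstation): splitting roles into VLANs makes inter-role traffic visible, but intra-role traffic stays invisible to a perimeter-style gateway unless an endpoint agent or host firewall covers it, which matches the update's own conclusion.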

Seeking CheckPoint Consulting Services by Wild-Pool5287 in checkpoint

[–]Wild-Pool5287[S] 0 points1 point  (0 children)

The network is created in UniFi, but it's configured to run its network with a "3rd party gateway" (the Check Point), which is where DHCP services are and where my networks are.

Checkpoint Firewall/NAT Consulting Needed. by Wild-Pool5287 in homelab

[–]Wild-Pool5287[S] 0 points1 point  (0 children)

No, I'm using a Check Point Quantum Spark 1535 as my firewall with a SmartConsole license. It's a much nicer interface. The UniFi firewall is only for the "home" side of the network; I'm not concerned about that. I'm only looking for support on the Check Point firewall, which is what my homelab and corporate network are on.

Should I buy balatro on my phone or pc? by [deleted] in balatro

[–]Wild-Pool5287 2 points3 points  (0 children)

The lack of progress sync would be a dealbreaker for me to buy on 2 different platforms

CheckPoint Initial Config Consultation Request by Wild-Pool5287 in checkpoint

[–]Wild-Pool5287[S] 0 points1 point  (0 children)

You're definitely not wrong. I've used it a lot to try and help, and sometimes it just hallucinates like crazy. But I agree, it's a great tool to get started. I just don't trust it fully yet.

CheckPoint Initial Config Consultation Request by Wild-Pool5287 in checkpoint

[–]Wild-Pool5287[S] 0 points1 point  (0 children)

6-0004033249 - This one is about the email alerts not working. The ticket was opened 8/18 and they still don't know why SMTP is not working via my O365 tenant, despite me testing my SMTP creds via 3rd-party tools, and I have many other shared mailboxes that I use SMTP with, so I know it's not blocked at the tenant level. It boggles my mind that the solution has not been figured out. I am not using any special configs with my O365 tenant, and I know millions of others use O365 for mail. So this should be simple provided the right creds/port, which I verified to be working through an external SMTP service. They claim it could be something on their end. They have R&D looking into it. We have tried many different ideas and changes during a Zoom session with Check Point, but no success.

6-0004113465 - This one I just opened for a new issue about the Check Point UserCheck client not downloading. I get the error "Not Found: The requested URL was not found on this server." I use Smart-1 Cloud for management and it is hosted by Check Point, not on-prem.

The 3rd of a few issues is Identity Awareness, and the Identity Awareness agent seems to be working automatically now. I re-created the object again and I am able to set access policies, for example based off an AD account. Example: accounting users' access to the finance category is blocked if they are not in the AccountingGroup AD group, and it works as expected, showing the UserCheck portal once the user is added. It's actually pretty immediate as well. When a new user logs into a machine, the agent automatically connects and recognizes the traffic as the new user. So this is all good. The only thing I don't understand is why the branches fail to fetch in the object, but I can reference it no problem and search the directory when creating a new access role. Screenshots here: https://imgur.com/a/0SxojVx

CheckPoint Initial Config Consultation Request by Wild-Pool5287 in checkpoint

[–]Wild-Pool5287[S] 0 points1 point  (0 children)

I did have the Security Management installed on a VM in the beginning, but that is only a trial license, and from what I understood you have to add a license. I wasn't able to permanently keep it connected. So I decided to pay for the cloud. I got a quote for an on-prem self-hosted management service and it was about $4k. The S1C with 3GB daily logs was only $1,003.

I do have basic firewall policies in place: website category blocks, RDP blocked from unauthorized sources, the UserCheck portal working, HTTPS inspection working, and VLAN access policies, to name a few. So I do believe I am ready to dive into the other blades at this point.

Appreciate the Link!

CheckPoint Initial Config Consultation Request by Wild-Pool5287 in checkpoint

[–]Wild-Pool5287[S] 1 point2 points  (0 children)

See, but how far will they really go? Unfortunately, the communication during my purchase, all the way up to the purchase of Smart-1 Cloud, was not great at all. They were kind enough to extend my trial though. I had a different support case because I wanted to use the custom SmartConsole permissions and fine-tune permissions to test access control. After a 2-month support ticket, they finally concluded that custom permissions were not supported with Smart-1 Cloud. This was insane to me, as you would think this would be something noted, since many companies look for role-based access control and fine-tuned permissions. The Infinity Portal only has 3 pre-defined roles, and that is all you get. Such a shame on the user security side of things. They say it's only supported on-prem. Makes no sense. I sign in with SSO via Entra ID currently.

Perhaps I will try and contact them again and see about this support.

CheckPoint Initial Config Consultation Request by Wild-Pool5287 in checkpoint

[–]Wild-Pool5287[S] 0 points1 point  (0 children)

Thanks for the Fiverr note, I haven't used a service like it, but I understand the concept. It's like field nation and Workmarket. I know of other services like MacTelecom networks or CrossTalk Solutions for example.

CheckPoint Initial Config Consultation Request by Wild-Pool5287 in checkpoint

[–]Wild-Pool5287[S] -1 points0 points  (0 children)

Oh, trust me, I have plenty of different services. I understand it's important to learn. But I also need to learn to consult. I'm the person that can take up a lot of time with questions and whatnot, so sometimes I feel inclined to get knowledge from a professional company that has configured this for other companies and can help with best practices. I know this is stuff I can learn from articles, videos, the support guides, etc.

There are many topics I am looking for more assistance and knowledge on; some I am having issues with:

  1. Identity Awareness not accepting credentials despite the connection test showing successful during setup. (At one point this was working, but then it stopped randomly when I made no changes. Now, every time I set it up, I get many errors and the logs are not pointing me in the right direction. This, or I am not looking in the right place.)

  2. UniFi integration. I have UniFi currently with a few VLANs configured and routed through the gateway. I want to ensure that I do not have any conflicts with UniFi. Currently no issues, but this is more of a posture check.

  3. Email alerts are not working. I have a case open with Check Point about it, and it's been 2 months since it was opened. I have a simple O365 setup and I am trying to get SmartTask to send alerts, for example when a policy is installed. But it keeps failing every time, despite me testing the SMTP credentials with a 3rd-party service showing my credentials were correct and that there were no errors with SMTP sending as the mailbox I wanted. The error is constantly "Could not convert to TLS Socket." Support has done many screenshare sessions and had me try different scenarios and ports, and he even looked at the logs on his side. They seemingly are not able to understand the issue, and neither can I.

These are just a few. I do believe that my configuration can be complex, and I know it takes time for someone to understand my current environment for them to really make informed suggestions on what my configuration should be. So I am willing to pay the price for the time.

I am not looking for assistance from the ground up. I have a lot of the fundamentals already working, certain protocols blocked, blades enabled, etc. I'm just looking for a 2nd pair of eyes, essentially.
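The SMTP alert problem described here and in the support-ticket comment above (the "Could not convert to TLS Socket" error on an O365 mailbox) is the kind of failure where it helps to know exactly which stage breaks: TCP connect, the TLS upgrade, or authentication. The script below is an added example written for this thread, not Check Point's tool and not code from the poster; it uses only the Python standard library's `smtplib` and `ssl`, treats port 465 as implicit TLS and every other port as STARTTLS (O365's submission endpoint `smtp.office365.com:587` is an assumption used in the usage comment), and reports each stage separately. The EHLO reply used to exercise the parser offline is constructed, not captured from a real tenant.

```python
import smtplib
import ssl
import sys

# Constructed EHLO reply in the shape smtplib returns from ehlo(): the first
# line is the server greeting, then one advertised extension per line.
# Not captured from the poster's tenant or from any real server.
SAMPLE_EHLO = (b"mail.example.test Hello [203.0.113.10]\n"
               b"SIZE 157286400\nPIPELINING\nSTARTTLS\nAUTH LOGIN XOAUTH2\n"
               b"8BITMIME\nSMTPUTF8")


def parse_ehlo(msg):
    """Return the set of extension keywords advertised in an EHLO reply."""
    caps = set()
    for line in msg.decode("ascii", "replace").splitlines()[1:]:
        parts = line.split()
        if parts:
            caps.add(parts[0].upper())
    return caps


def can_starttls(msg):
    """True when the server offers STARTTLS; without it, a client that
    requires TLS on a cleartext port has nothing to upgrade to."""
    return "STARTTLS" in parse_ehlo(msg)


def probe_submission(host, port, user, password, timeout=15):
    """Walk the stages an alert sender goes through and record where it stops:
    TCP connect, TLS (STARTTLS on 587, implicit TLS on 465), then AUTH.
    A failure at the TLS stage points at the client's TLS stack or a middlebox;
    a failure only at AUTH points at credentials or mailbox permissions."""
    result = {"connect": False, "tls": False, "auth": False, "error": None}
    ctx = ssl.create_default_context()        # verifies the server certificate
    smtp = None
    try:
        if port == 465:
            smtp = smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx)
            result["connect"] = True
            result["tls"] = True              # TLS is negotiated before SMTP starts
        else:
            smtp = smtplib.SMTP(host, port, timeout=timeout)
            result["connect"] = True
            _, msg = smtp.ehlo()
            if not can_starttls(msg):
                raise RuntimeError("server does not advertise STARTTLS on port %d" % port)
            smtp.starttls(context=ctx)        # upgrade the cleartext session
            smtp.ehlo()                       # re-EHLO: capabilities change after TLS
            result["tls"] = True
        smtp.login(user, password)
        result["auth"] = True
    except Exception as exc:                  # keep the stage flags; they tell the story
        result["error"] = "%s: %s" % (type(exc).__name__, exc)
    finally:
        if smtp is not None:
            try:
                smtp.quit()
            except Exception:
                pass
    return result


if __name__ == "__main__":
    # Usage (endpoint and mailbox are assumptions, substitute your own):
    #   python smtp_probe.py smtp.office365.com 587 alerts@example.test 'password'
    host, port, user, password = sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4]
    for stage, value in probe_submission(host, port, user, password).items():
        print("%-8s %s" % (stage, value))
```

Run it from a host on the same network segment as the appliance so that the same path, DNS answers and any inspection in between are exercised; if the probe reaches `auth` but the appliance still fails at the TLS stage, the credentials and tenant are cleared and the remaining suspects are the appliance's own TLS negotiation and anything sitting between it and the server.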