Last week this procedure saved us a lot of time.
To repair a communications issue between Proventia M and SiteProtector, the corrupted rsPostSensorEventQueue.adf file must be restored.
Follow these steps:
1. Log in as root.
2. Stop the issDaemon service: service issDaemon stop
3. Rename the old queue file: mv /cache/spool/crm/rsPostSensorEventQueue.ADF /cache/spool/crm/rsPostSensorEventQueue.old
4. Start the issDaemon service: service issDaemon start
Sunday, January 30, 2011
Saturday, January 29, 2011
Debugging NAT problems with SmartSPLAT
I have added a NAT section to SmartSPLAT; here are some commands related to the new tab.
To debug NAT-related issues:
Start debug:
# fw ctl debug 0
# fw ctl debug -buf 2048
# fw ctl debug xlate xltrc
# fw ctl kdebug -f > kdebug.out
Stop debug:
# fw ctl debug 0
My way to debug with fw monitor:
# fw monitor -e 'accept src=xxx or src=yyy or dst=xxx or dst=yyy;' -o fwmon.cap
NAT tables are not cleared upon Security Policy installation.
To manually clear the NAT tables:
# fw tab -t fwx_alloc -x
To see the maximum connections capacity:
# fw tab -t connections | grep limit
To see the NAT limit:
# fw tab -t fwx_alloc | grep limit
To see NAT statistics:
# fw tab -t fwx_alloc -t fwx_cache -s
SmartSPLAT: What's New in 3.4.3.2
Management HA symptoms
Management HA has inconsistencies: the primary and secondary members randomly take the master role, and rulebase changes made on the active member do not replicate to the other.
On both cluster members:
1. cpstop
2. cd $FWDIR/conf/mgha
3. Remove all files in this directory.
4. cd $FWDIR/conf/
5. Remove the applic* and CPMIL* files: rm applic* CPMIL*
6. cpstart
Note that if you see member leaving and joining messages,
the cphad and fwd timeouts can be increased on both cluster members as follows:
# cphaprob -d fwd -t 60 -s ok -p register
# cphaprob -d cphad -t 60 -s ok -p register
Failover occurs in the cluster during Security Policy installation.
The Standby member installs the policy faster than the current Active member;
it is therefore the first member to load the new configuration and, as a result, the first to check whether any Active member has the new configuration, so it assumes the Active state.
Enable the "freeze" mechanism on each cluster member (by default this mechanism is disabled):
# fw ctl set int fwha_freeze_state_machine_timeout VALUE_IN_SECONDS (value in HEX format)
# fw ctl set int fwha_freeze_state_machine_timeout 0xb4
0xB4 = 180 seconds
To disable this mechanism, run:
# fw ctl set int fwha_freeze_state_machine_timeout 0
Thursday, January 27, 2011
R80 Endpoint Security: some notes
Just for now: no upgrade is available from R73, there is no support for SPLAT, and there is reduced functionality compared to the existing R73 products. I think Check Point brought out this version for new sales opportunities in the new year.
But a new HFA will come soon for the missing features, and it will support existing SmartCenters.
I love the easy way to manage the endpoints with SmartDashboard; user management with AD is so easy, applying different blades to different users. The new Compliance feature gives you a basic NAC control solution, and as for the WebChecker, upon enabling it I really liked the style of the new Internet Explorer, ghosty style ;)
Sunday, January 23, 2011
WCG load sharing: yes, it works.
Last week I was dealing with a V10k load sharing project.
The V10k does not have a load sharing feature, so we put an Alteon switch in front of 4 V10k appliances;
our tests were fine, sessions were shared across the appliances with round-robin.
Policy Server functions on its own, independent of the Policy Broker, so I have left the 3 roles PS, US, FS on the V10Ks.
Although you can define one policy server during the installation of the log server, we have seen that we can successfully get logs from the 4 policy servers simultaneously.
Another issue was upgrading v6.3x to 7.5: don't forget to follow v6 to 7.0 to 7.1 and finally to 7.5.
Wednesday, January 12, 2011
Websense DSS Restore Fails
This point is not yet clear in the Websense KB.
Keep in mind that the restore was intended for recovery, not for migration to new machines.
For instance, the following should be identical:
• OS installation partition and folder (a change from 2003 Standard to 2003 Enterprise should be OK and not interfere with the "restore")
• Oracle installation partition and folder
• DSS version and patch
• Hostname
• IP addresses and NIC configuration
Tuesday, January 11, 2011
Check Point Mobile for iPhone and iPad
You want to make a remote access VPN from an iPhone or iPad device but don't know where to start?
Here is a checklist that I have prepared for you:
Firewall version must be R71.10 (only with an EA hotfix) or R71.30; a patch that will enable support in R75 is coming shortly.
License: Mobile Access Blade
Enable the SSL VPN checkbox (new name: Mobile Access).
If you see a 404 page instead of the portal site, keep in mind that CD2 of SPLAT may be required, together with running the command # sysconf_wrapper
The command # cvpnd_settings set MobileAppAllowed "true" is also required to enable support for iPhone and iPad on the Mobile Access gateway. Then restart the Mobile Access Software Blade services with # cvpnrestart, and run # toggleCvpnPortal off followed by # toggleCvpnPortal on
At the firewall, initiate the certificate on the user that you created during the setup wizard, and write down the registration key; you will use it on the iPad device to pull the certificate from the firewall.
On the iPad device, go to the App Store and download the Check Point Mobile software. You now have all the necessary info for two-factor authentication:
the firewall IP, the registration key (the key you created with the Initiate button) and the Check Point user/password.
To view a demo of the business web portal, launch the app and set up the below credentials:
• SERVER: idemo.checkpoint.com
• ACTIVATION KEY: demo-1234
• PASSWORD: cpdemo
Another similar question is: "I also have 64-bit Windows clients; how can I make a protocol-independent remote VPN from them?" The answer is simple: enable SNX inside the SSL VPN portal. To do this, create at least one Native Application; also check out the Additional Settings - VPN Clients tab for startup options.
Note: Citrix is not supported from the iPad/iPhone client. If Citrix is configured for the SSL VPN portal, iPad/iPhone clients will not be able to see it on the portal, and there is no target date to support this feature yet.
Also note that to connect via other protocols you have to use L2TP VPN.
That's all
Cagdas
ISS IPS tuned PAM parameters: "SYN flood protection"
While you have the signature that protects against SYN flood attacks enabled,
it will only effectively block SYN flood traffic if the parameter
'pam.tcp.synflood.protection' is configured with a value of 'true'.
There are a couple of other tuning parameters available to configure the SYN flood protection more granularly.
Advanced tuning parameters:
pam.tcp.synflood.protection.untrusted.rate
pam.tcp.synflood.protection.duplicatesyn.retransmit
pam.tcp.synflood.protection.duplicatesyn.timeout
pam.tcp.synflood.protection.duplicatesyn.enabled
pam.tcp.synflood.protection
pam.tcp.synflood.custom.limit
pam.tcp.synflood.custom
pam.tcp.synflood.size
pam.tcp.synflood.limit
To fine-tune your config, make sure that you specifically include these parameters in the local tuning section of the G
NAME=pam.tcp.synflood.protection
VALUE=true
NAME=pam.tcp.synflood.limit
VALUE=1000
You can then modify the limit parameter to suit your needs, depending on network conditions.
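As an added example (not from the original post), here is a small shell check for a tuning fragment in the NAME=/VALUE= pair format shown above; it fails when the protection pair is missing or not "true", when the limit is not a positive integer, or when a NAME has no VALUE. It assumes the fragment is stored in a file of its own, and the sample fragments are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): review an ISS PAM local tuning
# fragment in the NAME=/VALUE= pair format. The synflood signature only blocks
# when pam.tcp.synflood.protection is true, so the review fails when that pair
# is missing, not "true", malformed, or when the limit is not a positive
# integer. Assumes the fragment is stored in a file of its own.

# pam_synflood_check FILE
# Prints one line per finding; returns 0 when the fragment passes, 1 otherwise.
pam_synflood_check() {
    awk '
        BEGIN { split("", val); bad = 0; pending = 0 }
        /^NAME=/  { name = substr($0, 6); pending = 1; next }
        /^VALUE=/ {
            if (!pending) { print "VALUE without NAME at line " NR; bad = 1; next }
            val[name] = substr($0, 7); pending = 0; next
        }
        /^[ \t]*$/ { next }                       # blank lines are allowed
        { print "unexpected line " NR ": " $0; bad = 1 }
        END {
            if (pending) { print "NAME without VALUE: " name; bad = 1 }
            p = "pam.tcp.synflood.protection"; l = "pam.tcp.synflood.limit"
            if (!(p in val)) {
                print "missing " p " (the signature alone does not block)"; bad = 1
            } else if (val[p] != "true") {
                print p " is " val[p] ", expected true"; bad = 1
            }
            if (!(l in val)) {
                print "missing " l; bad = 1
            } else if (val[l] !~ /^[0-9]+$/ || val[l] + 0 <= 0) {
                print l " must be a positive integer, got " val[l]; bad = 1
            }
            exit bad
        }
    ' "$1"
}

# Constructed sample fragments for a stand-alone run.
goodf=$(mktemp); badf=$(mktemp)
printf 'NAME=pam.tcp.synflood.protection\nVALUE=true\nNAME=pam.tcp.synflood.limit\nVALUE=1000\n' > "$goodf"
printf 'NAME=pam.tcp.synflood.limit\nVALUE=1000\n' > "$badf"   # protection pair missing
pam_synflood_check "$goodf" && echo "good fragment: OK"
pam_synflood_check "$badf"  || echo "bad fragment: rejected"
rm -f "$goodf" "$badf"
```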