Wednesday, March 16, 2011

Checkpoint Reverse Proxy Configuration

A Check Point reverse proxy listens for requests from the Internet and forwards them to the internal web servers. The client connects only to the proxy and need not be aware of the internal network.
This can be used for load balancing, publishing OCS, and so on.

We need two rules for this:

Source: Any
Destination: http://www.test.com/
Service: HTTP -> test
Action: drop

Source: Any
Destination: internalipaddress
Service: HTTP
Action: Accept
The URI Resource should be configured like this:

Tuesday, March 15, 2011

Difference between Install Policy and Install Database

In some situations (e.g. log server or Mail Alert settings and other things related to the SMC) the change must be pushed with Install Database; Install Policy does not include the operations that Install Database performs.

Always keep this in mind so you do not waste your time.

Monday, March 14, 2011

magic number corrupted fwauth.NDB

Policy install to one of the cluster members fails with the warning message: magic number corrupted.

Copy fwauth.NDB from $FWDIR/conf/defaultDatabase to $FWDIR/conf/database, then reinstall the policy.

Friday, March 11, 2011

Corruption in the Checkpoint IPS database

IPS reset procedure

1. Delete all IPS profiles except the default profiles (Default_Protection and Recommended_Protection).
2. Prepare the clean IPS files listed below, taken from the same version.
3. # cpstop
4. # cd $FWDIR/conf
5. Copy the provided IPS files into $FWDIR/conf/:
inspect_logs.C
ips_db_cfg.C
sd_parser_settings.C
inspect_logs_profiles.C
ips_exceptions_table.C
sd_topic_categories.C
asm.C
inspect_streaming.C
ips_protections_override_table.C
sd_topics.C
asm_profiles.C
ips_attribute_extensions.C
ips_protections_per_profile_table.C
sd_topics.conversion
ips_attribute_extensions.C.converted
ips_signatures.C
sd_topics_table.C
default_asm.C
ips_c_s.C
ips_signatures.C.converted
inspect.C
ips_classes.C
ips_tables.sqlite
inspect.lf
ips_contexts.C
profiles.C
6. Edit the file $FWDIR/conf/asm.C and change:
need_local_update to "true"
asm_update_version_ips1 to "0"
asm_update_version_vpn1 to "0"
asm_update_version to "0"
7. Delete $FWDIR/conf/CPMILinks* and $FWDIR/conf/applications.C
8. Delete $FWDIR/conf/SMC_Files/asm/crc_marker_db.fws
9. # cpstart
10. fwm should start a process called "sduu"; wait until it finishes, which can take several minutes.
11. Verify that the values of :asm_update_version_ips1, :asm_update_version_vpn1 and :asm_update_version have changed and are no longer zero; this means the silent update finished successfully.
12. Perform an online update.
13. Push the policy.
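The asm.C edit in step 6 and the check in step 11 are easy to get wrong by hand, so here is an added shell helper for them. It is an example written for this post, not a Check Point tool; it assumes asm.C follows the usual Check Point .C layout of one ":key (value)" setting per line, the function names (asm_value, reset_asm_flags, verify_silent_update, demo_reset_procedure) are mine, and the small asm.C the demo builds is constructed (a real one carries many more settings). Run reset_asm_flags on $FWDIR/conf/asm.C after step 5, and verify_silent_update after sduu has finished in step 10; cpstop, cpstart and the waiting stay manual.

```sh
#!/bin/sh
# Added helper for steps 6 and 11 of the IPS reset above; not a Check Point
# tool. Assumes asm.C uses the usual Check Point .C layout of one
# ":key (value)" setting per line; adjust the patterns if yours differs.

# Print the value stored for KEY in FILE (empty if the key is absent).
asm_value() {
    sed -n "s/^[[:space:]]*:$2[[:space:]]*(\(.*\))[[:space:]]*$/\1/p" "$1"
}

# Step 6: keep a backup, then force a local (silent) update by setting
# need_local_update to true and the three version markers to 0.
reset_asm_flags() {
    asm="$1"
    [ -f "$asm" ] || { echo "no such file: $asm" >&2; return 1; }
    cp "$asm" "$asm.bak.$(date +%Y%m%d%H%M%S)" || return 1
    sed -e 's/^\([[:space:]]*:need_local_update[[:space:]]*\)(.*)/\1(true)/' \
        -e 's/^\([[:space:]]*:asm_update_version_ips1[[:space:]]*\)(.*)/\1(0)/' \
        -e 's/^\([[:space:]]*:asm_update_version_vpn1[[:space:]]*\)(.*)/\1(0)/' \
        -e 's/^\([[:space:]]*:asm_update_version[[:space:]]*\)(.*)/\1(0)/' \
        "$asm" > "$asm.tmp" && mv "$asm.tmp" "$asm"
}

# Step 11: succeed only when every version marker is present and non-zero,
# i.e. the sduu silent update has rewritten them.
verify_silent_update() {
    asm="$1"
    for key in asm_update_version_ips1 asm_update_version_vpn1 asm_update_version; do
        v=$(asm_value "$asm" "$key")
        case "$v" in
            ''|0) echo "$key is '${v:-missing}': silent update not finished" >&2; return 1 ;;
        esac
    done
    echo "silent update finished: ips1=$(asm_value "$asm" asm_update_version_ips1)" \
         "vpn1=$(asm_value "$asm" asm_update_version_vpn1)" \
         "asm=$(asm_value "$asm" asm_update_version)"
}

# Self-contained demonstration on a constructed asm.C (a real one has many
# more settings); returns 0 when both steps behave as expected.
demo_reset_procedure() {
    dir=$(mktemp -d) || return 1
    asm="$dir/asm.C"
    printf '(\n\t:need_local_update (false)\n\t:asm_update_version_ips1 (23)\n\t:asm_update_version_vpn1 (17)\n\t:asm_update_version (40)\n)\n' > "$asm"
    reset_asm_flags "$asm" || return 1
    [ "$(asm_value "$asm" need_local_update)" = true ] || return 1
    # Straight after step 6 the markers are zero, so the step 11 check must fail...
    if verify_silent_update "$asm" 2>/dev/null; then return 1; fi
    # ...until sduu rewrites them; simulated here by bumping the values ourselves.
    sed -e 's/:asm_update_version_ips1 (0)/:asm_update_version_ips1 (24)/' \
        -e 's/:asm_update_version_vpn1 (0)/:asm_update_version_vpn1 (18)/' \
        -e 's/:asm_update_version (0)/:asm_update_version (41)/' \
        "$asm" > "$asm.tmp" && mv "$asm.tmp" "$asm"
    verify_silent_update "$asm" || return 1
    rm -rf "$dir"
}

demo_reset_procedure
```

The backup copy that reset_asm_flags writes next to asm.C is deliberate: if the silent update never completes, you want the pre-reset file to compare against before reaching for the clean files again.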

/bin/console_age at HyperTerminal

Today I had a problem with a new Smart-1 appliance that comes with the R71.10 image.
If the HyperTerminal output stops responding at /bin/console_age,
don't immediately think of RMA.
In my case this was a cable error.
The default cable that comes with the device or a standard Cisco cable won't work; try another RS232 connector. I tried a Proventia IPS cable and resolved the problem with it.

Also, you may safely ignore the "microcode device /dev/cpu/0/microcode doesn't exist" warnings that appear on the console.