In order to allow multicast traffic through the gateway, you need to follow sk35996. In addition, you also need to create an allow rule with the service "pim".
Regarding sk31190: SecurePlatform Pro needs to be enabled if you would like the gateway to participate in the multicast routing.
If you just want that traffic to pass through the gateway and the gateway does not need to make any dynamic routing decisions, then there is no need to enable SPLAT Pro.
Some tips:
# tcpdump ip multicast will show you multicast packets.
To enable SecurePlatform router configuration mode, type "pro enable". This requires an "Advanced Routing Blade" license.
Let's enable multicast routing with sparse mode:
[Expert@NGx-gw1]# router config
localhost.localdomain>enable
localhost.localdomain#config t
localhost.localdomain(config)#interface eth0
localhost.localdomain(config-if)#ip pim sparse-mode
localhost.localdomain(config-if)#exit
localhost.localdomain(config)#interface eth1
localhost.localdomain(config-if)#ip pim sparse-mode
localhost.localdomain(config-if)#exit
localhost.localdomain(config)#ip pim enable
localhost.localdomain(config)#exit
localhost.localdomain#wr mem
Saturday, December 10, 2011
Tuesday, October 18, 2011
Cluster Status Active - Ready
Last night I faced a problem after replacing the cluster nodes with new hardware.
Although the software versions were the same in the # cphaprob stat output, one node was Active and the other was Ready.
The solution was in CoreXL: the number of enabled cores differed between the nodes; # fw ctl multik stat shows this to you.
The number of cores should be the same on both members.
Monday, October 10, 2011
R75.20 Console Error
If you are getting the error below in SmartConsole:
Failed to save object firewall_properties.
Server error is:Validation error in field 'SynDefender active mode' at
object 'firewall_properties' @ 'properties' --> The value '0' is not in the list of valid values '1~2'. (Code: 0x800415A6, Object Validation Failed)
Create an upgrade_export, then close all SmartConsoles and open GuiDBedit.exe, located in the SmartConsole directory X:\Program Files\CheckPoint\SmartConsole\R7X\PROGRAM.
Find the related object via CTRL+F (in this example it is firewall_properties), change the value of the property (to 1) and click Save All. If it gives a similar error, continue fixing it with the needed parameter.
Mobile Access VPN Policy tab is Empty
An exception occured while constructing the view:
CDIeException Exception:
Error Code: 0(Unspecified error)
User Message: Genera Error: Invalid or No UID
Debug Message:
CDleDereferenceReqHandler::_dereferenceSingleFieldObject not found in CPMI
File Name:
f:\ckp\src\cpdle_flow_983000029\cpdle\comm_itf\CommandCpmiAsync.h
Line number: 207
Inner: NONE
Solution:
Back up and delete the files
applications.C
CPMILinksMGR.db
in $FWDIR/conf
This is a general solution for SmartConsole problems.
Updated note: check the connectra_policy.C file and correct the corrupted lines.
Sunday, October 2, 2011
Changing Mac Magic numbers at Checkpoint Cluster
The operation below should be done in the scenario where two Check Point clusters work on the same network.
To view the values:
# fw ctl get int fwha_mac_magic
# fw ctl get int fwha_mac_forward_magic
The default values are 254 and 253.
Let's change them to 251 and 250:
# fw ctl set int fwha_mac_magic 251
# fw ctl set int fwha_mac_forward_magic 250
We should also write these to $FWDIR/boot/modules/fwkern.conf, in hex, as in the example below:
fwha_mac_magic=0xfb
fwha_mac_forward_magic=0xfa
Tuesday, August 23, 2011
R65.X to R7x Upgrade - How to Uninstall Connectra Plugin
Don't forget to uninstall the plugins.
Uninstall Connectra plugin
# /opt/CPPIconnectra*R65/bin/plugin_preuninstall_verifier
# /opt/CPPIconnectra*R65/bin/plugin_uninstall
Uninstalling VOIP Plugin
# /opt/CPPIvoip-R65/bin/plugin_preuninstall_verifier
# rpm -e CPVOIPCMP
# /opt/CPPIvoip-R65/bin/plugin_uninstall
R75 Console Crash Problem
We have faced some dashboard problems after upgrading to R75: SmartDashboard or SmartView Tracker crashes randomly. There is an improved version named Check_Point_SmartConsole_r75_Improved.exe; I suggest you request this file from Check Point Support.
R75.20 Upgrade failed via Check_Point_Upgrade_for_R75.20.Splat.tgz
Interestingly, I have encountered this problem at two different customers and
followed a solution with the # patch add cd command via Check_Point_R75.20.Splat.iso.
As you already know, you can use SmartSPLAT to upload an ISO file to the firewall and mount it like a CD-ROM with a single click.
Thursday, July 7, 2011
How to manually backup SMC
This is a way to back up the related files on the SMC; it can also be used for CMA migration.
mkdir /var/tmp/manualyedek
mkdir /var/tmp/manualyedek/conf
mkdir /var/tmp/manualyedek/database
mkdir /var/tmp/manualyedek/conf.cpdir
mkdir /var/tmp/manualyedek/database.cpdir
mkdir /var/tmp/manualyedek/registry
cd $FWDIR/conf
cp -rfL * /var/tmp/manualyedek/conf
cd $FWDIR/database
cp -rfL * /var/tmp/manualyedek/database
cd $CPDIR/conf
cp -rfL * /var/tmp/manualyedek/conf.cpdir
cd $CPDIR/database
cp -rfL * /var/tmp/manualyedek/database.cpdir
cd $CPDIR/registry
cp -rfL * /var/tmp/manualyedek/registry
cd /var/tmp/
gtar -zcvf manualyedek.tgz manualyedek
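The same backup as a checked script, added here as an example and not part of the original post: it creates the target directories with mkdir -p, skips a source directory that does not exist instead of aborting on cp, and takes the destination, FWDIR and CPDIR as parameters so it can be tried on a copy. Plain tar is used instead of gtar (an assumption; swap it back if your SecurePlatform only ships gtar), and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): a checked version of the manual
# SMC backup. Assumptions: plain "tar" is available (the post uses gtar), and
# the caller passes the destination plus FWDIR/CPDIR (defaults to $FWDIR/$CPDIR).
# Usage: smc_backup <dest_dir> [FWDIR] [CPDIR]  -> prints <dest_dir>/manualyedek.tgz

smc_backup() {
    dest="$1"
    fwdir="${2:-$FWDIR}"
    cpdir="${3:-$CPDIR}"
    [ -n "$dest" ]   || { echo "destination directory required" >&2; return 1; }
    [ -d "$fwdir" ]  || { echo "FWDIR '$fwdir' does not exist" >&2; return 1; }
    [ -d "$cpdir" ]  || { echo "CPDIR '$cpdir' does not exist" >&2; return 1; }

    work="$dest/manualyedek"
    rm -rf "$work"
    mkdir -p "$work"

    # copy_tree <source dir> <name inside the backup>; same layout as the post
    copy_tree() {
        src="$1"; name="$2"
        if [ -d "$src" ]; then
            mkdir -p "$work/$name"
            # -L follows symlinks so the archive holds real files, like cp -rfL in the post
            cp -rfL "$src/." "$work/$name/"
        else
            echo "skipping missing directory $src" >&2
        fi
    }
    copy_tree "$fwdir/conf"     conf
    copy_tree "$fwdir/database" database
    copy_tree "$cpdir/conf"     conf.cpdir
    copy_tree "$cpdir/database" database.cpdir
    copy_tree "$cpdir/registry" registry

    archive="$dest/manualyedek.tgz"
    # -C keeps the paths inside the archive relative (manualyedek/conf/...)
    tar -zcf "$archive" -C "$dest" manualyedek || return 1
    rm -rf "$work"
    echo "$archive"
}

# smc_backup_file_count <archive>: number of regular files inside the archive,
# a quick sanity check that the backup is not empty before a migration.
smc_backup_file_count() {
    tar -tzf "$1" | grep -vc '/$'
}
```

Run it as `smc_backup /var/tmp` on the SMC (FWDIR and CPDIR are already set in the shell there) and check the count before relying on the archive.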
The connection has been refused due to one of following SmartCenter Server certificate problems:
1. The SmartCenter Server’s clock is not setup properly.
2. The certificate’s issue date is later than the date of the SmartCentre Server’s clock.
3. The Gui Client’s clock and the SmartCenter Server’s clock are not synchronized.
4. The certificate has expired.
5. The certificate is invalid.
FAQ
Q: I have several firewall modules managed from this SMC. Can they drop traffic, or will SIC be reset after this operation?
A: No. This certificate is related to SmartConsole; you don't have to worry about these questions.
Q: Why did I get this warning? What caused it?
A: It may have several causes, but most of them are related to low disk space; check usage with # df -h
Solution on the SMC:
1. # cd $CPDIR/conf
2. # cp sic_cert.p12 sic_cert.p12old
3. # cpca_client revoke_cert -n "CN=cp_mgmt"
4. # cpca_client create_cert -n "CN=cp_mgmt" -f sic_cert.p12
5. # cpstop;cpstart
Sunday, June 26, 2011
How to reset lost password at IBM ISS MX Firewalls
Use PuTTY; HyperTerminal won't work with this procedure.
* Open a console terminal session with the M/MX appliance.
* Reboot the appliance.
* Press [Delete] to enter setup.
* When the GRUB menu appears, press 'e'.
* Select the kernel that you wish to boot and type 'e' for edit.
* Select the line that starts with 'kernel' and type 'e' to edit the line.
* Go to the end of the line and type 'single' as a separate word (press the [Spacebar] and then type single).
* Press [Enter] to exit edit mode.
* Back at the GRUB screen, type 'b' to boot into single user mode.
* You should get a fairly normal looking boot sequence except that it terminates a little early at a bash prompt.
NOTE: If you get a "Give root password for system maintenance" message, your system has been secured to require the root password for any level of access. In that case, this procedure isn't going to work and you would need to reimage the system to regain access.
Once you get to the command prompt, the / file system may not be mounted as writable. To ensure that it is writable, enter the following command:
mount -o remount,rw /
* If all is successful up to this point, you can type the following and change the root password to whatever you like:
passwd
* You can also change the command line admin password here using the following command:
passwd admin
* You can change the web interface admin password here using the following command:
htpasswd -m /var/www/auth/htpasswd admin
* Once the passwords have been changed, reboot the appliance with the command:
shutdown -r now
* After the system has finished rebooting, you should be able to login with the newly changed password.
Checkpoint L2TP Android Configuration
The only setup difference between iPhone and Android is the L2TP preshared key, which is left empty on the Android side.
*Go to Settings -> Wireless & Networks -> VPN Settings
-vpn name: “set a vpn name”
-vpn server : “set firewall ip”
-ipsec preshared key:” set l2tp key ”
-l2tp preshared key : “disable”
Wednesday, June 15, 2011
Monday, May 23, 2011
Iphone IPad support for Connectra
Connectra (all versions as of 23.05.2011) does not support the Check Point Mobile VPN software; you can't use the VPN client because certificate enrollment is not supported, and you will get the error "Certificate Enrollment Failed". You have to upgrade to the Mobile Access Blade.
You can only use the Safari browser, but if you are using ICS then again you won't be able to log in to the portal.
Deployment shell internal error at Connectra
To successfully use the Connectra Portal ICS (scanning with a compliance policy), ActiveX and the Java VM should be installed on the PC. If the two components are successfully installed, installation of another component, the deployment shell, begins; if you have a problem with the two prerequisites you can't install the deployment shell and you get the warning "deployment shell internal error".
Solution: unregister the PC from the Windows domain (so you won't have to deal with GPO, user profiles, security templates, etc.), uninstall everything and do a fresh install.
Also, the ICS components reside in /opt/CPcvpn-R66/htdocs/ICS/components on an R66.1 server; replace them with the new files from your test VM
and apply the command # cvpn_port_utility.csh.R66_01
Also check out http://www.microsoft.com/technet/security/advisory/2562937.mspx
and use the "wusa /uninstall /kb:2562937" command to uninstall the related update.
Tuesday, May 10, 2011
SmartSPLAT v4 is now Released
I'm pleased to announce the release of SmartSPLAT v4.
This version includes a number of new features:
New Floaty Terminals,
New Floaty HTML Notepad with browser support,
New Recording options, You can now record everything within Shells,
New SCP support you can upload and download files via browsing, (Integrated with Putty PSCP)
New Tufin Terminal Support
New Nokia Terminal Support
New HyperTerminal support for Win7
New External software support , you can now open debug outputs via WordPad or Wireshark,
New Confirmation dialogs and tooltips on commands
New Syslog Server supports Windows 7 and Server 2008
Sunday, April 3, 2011
Basic way to test an IPS via Windows CLI
Telnet to a web server behind the IPS and execute the command:
GET ../../etc/passwd HTTP/1.0
You will see the HTTP_GET_Malformed signature triggered in SiteProtector.
You can also use this technique in pentests; it lets you discover whether there is an IPS or not.
Open Wireshark and examine the return packets: if you see RST packets or connection time-outs, you can be sure that the IPS is active.
The steps are simple and can be used with any IPS vendor.
Cagdas Ulucan
Wednesday, March 16, 2011
Checkpoint Reverse Proxy Configuration
Check Point Reverse Proxy listens for requests from the Internet and forwards them to internal web servers; the requester connects to the proxy and need not be aware of the internal network.
This can be used for load balancing, publishing OCS, etc.
We need 2 rules for this:
Source: Any
Destination: internalipaddress
Service: HTTP
Action: Accept
The URI Resource should be like this:
Tuesday, March 15, 2011
Difference between Install Policy and Install Database
In some situations, e.g. log server or Mail Alert settings related to the SMC, the change should be done with Install Database; a policy install does not include the specific Install Database operations.
Always keep this in mind so as not to waste your time.
Monday, March 14, 2011
magic number corrupted fwauth.NDB
Can't install policy to one of the cluster members; warning message: magic number corrupted.
Copy fwauth.NDB from $FWDIR/conf/defaultDatabase to $FWDIR/conf/database and reinstall the policy.
Friday, March 11, 2011
Corruption in the Checkpoint IPS database
IPS reset procedure
1. Delete all IPS profiles except the default profiles (Default_Protection and Recommended_Protection).
2. Prepare the clean IPS files listed below, taken from the same version.
3. # cpstop
4. # cd $FWDIR/conf
5. Copy the provided IPS files to conf directory:
$FWDIR/conf/
inspect_logs.C
ips_db_cfg.C
sd_parser_settings.C
inspect_logs_profiles.C
ips_exceptions_table.C
sd_topic_categories.C
asm.C
inspect_streaming.C
ips_protections_override_table.C
sd_topics.C
asm_profiles.C
ips_attribute_extensions.C
ips_protections_per_profile_table.C
sd_topics.conversion
ips_attribute_extensions.C.converted
ips_signatures.C
sd_topics_table.C
default_asm.C
ips_c_s.C
ips_signatures.C.converted
inspect.C
ips_classes.C
ips_tables.sqlite
inspect.lf
ips_contexts.C
profiles.C
6. Edit the file $FWDIR/conf/asm.C, change:
need_local_update to "true"
asm_update_version_ips1 to "0"
asm_update_version_vpn1 to "0"
asm_update_version to "0"
7. Delete $FWDIR/conf/CPMILinks* and $FWDIR/conf/applications.C
8. Delete $FWDIR/conf/SMC_Files/asm/crc_marker_db.fws
9. # cpstart
10. fwm should start a process called "sduu"; wait until it finishes, it can take several minutes.
11. Verify that the :asm_update_version_ips1, :asm_update_version_vpn1 and :asm_update_version values have changed and are no longer zero; this means the silent update finished successfully.
12. Perform an online update.
13. Push policy
/bin/console_age at hyper terminal
Today I had a problem with a new Smart-1 appliance that comes with the R71.10 image.
If the HyperTerminal output stops responding at /bin/console_age,
don't immediately think of an RMA.
In my case this was a cable error.
The default cable that comes with the device or a standard Cisco cable won't work; try another RS232 connector. I tried a Proventia IPS cable and resolved the problem with it.
Also,
you may safely ignore the "microcode device /dev/cpu/0/microcode doesn't exist" warnings that appear on the console.
Sunday, February 27, 2011
Checkpoint site-to-site vpn with Overlapping VPN domain
If both sides of a site-to-site VPN use the same IP subnet, we have to build a scenario similar to the one below.
Site A and Site B both use the 192.168.0.0/24 subnet.
Site A:
LAN_A 192.168.0.0/24, which we will NAT to 172.16.0.0/24
Site A VPN Domain = LAN_A and NAT_Net A
fw object that represents the Site B VPN domain = NAT_NETB_10.0.0.0
Add the static NAT at Site A
Site B:
LAN_B 192.168.0.0/24, which we will NAT to 10.0.0.0/24
Site B VPN Domain = LAN_B and NAT_Net B
fw object that represents the Site A VPN domain = NAT_NETA_172.16.0.0
Add the static NAT at Site B
Checkpoint Source Based Routing (PBR)
The best and easiest way to do this is via SmartSPLAT.
You will set up your new environment within seconds!
In this example, the client node 192.168.0.70 will go to the Internet through Router1, the DMZ network 172.16.0.0/24 will go to the Internet through Router2, and all other clients will go through Router0.
Define the tables,
echo 100 route1 >> /etc/iproute2/rt_tables
echo 200 route2 >> /etc/iproute2/rt_tables
Define the routes for that tables,
ip route add default via 10.1.1.1 table route1
ip route add default via 10.2.2.1 table route2
Define the client or network that will use these tables
ip rule add from 192.168.0.70 table route1
ip rule add from 172.16.0.0/24 table route2
Define the routes to access each other
ip route add 172.16.0.0/24 dev eth3 table route1
ip route add 192.168.0.0/24 dev eth4 table route2
To make them persistent after a reboot, add them to /etc/rc.local.
Make the routes active: ip route flush cache
To view the routes: ip rule list / ip route show
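A re-runnable form of the same configuration, added as an example and not from the original post. The post's echo >> /etc/iproute2/rt_tables appends a fresh line every time /etc/rc.local runs, so after a few reboots the file carries duplicate table names; rt_add_table only adds the entry when it is missing and refuses a conflicting id. ip route replace is used instead of ip route add because add fails once the route exists. The rt_tables path and the IP variable are parameters of mine so the function can be exercised against a copy of the file; gateways, hosts and interface names are the post's own.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent version of the PBR
# setup so it can live in /etc/rc.local. Assumptions: the rt_tables path is
# passed in (real file: /etc/iproute2/rt_tables) and "ip" is reached through
# $IP so the function can be run against a stub; addresses are the post's.

# rt_add_table <rt_tables file> <id> <name>
# Adds "<id> <name>" unless that name is already defined; returns 1 if the
# name exists with a different id (a silent mismatch would misroute traffic).
rt_add_table() {
    file="$1"; id="$2"; name="$3"
    existing=$(awk -v n="$name" '$1 !~ /^#/ && $2 == n { print $1 }' "$file")
    if [ -z "$existing" ]; then
        printf '%s %s\n' "$id" "$name" >> "$file"
    elif [ "$existing" != "$id" ]; then
        echo "table $name already defined with id $existing, not $id" >&2
        return 1
    fi
    return 0
}

# pbr_apply <rt_tables file>: the post's tables, routes and rules, safe to rerun.
pbr_apply() {
    file="$1"
    IP="${IP:-ip}"
    rt_add_table "$file" 100 route1 || return 1
    rt_add_table "$file" 200 route2 || return 1

    # "replace" succeeds whether or not the route already exists
    $IP route replace default via 10.1.1.1 table route1
    $IP route replace default via 10.2.2.1 table route2
    $IP route replace 172.16.0.0/24 dev eth3 table route1
    $IP route replace 192.168.0.0/24 dev eth4 table route2

    # rules have no replace; drop any old copy first, ignoring "not found"
    $IP rule del from 192.168.0.70 table route1 2>/dev/null || true
    $IP rule add from 192.168.0.70 table route1
    $IP rule del from 172.16.0.0/24 table route2 2>/dev/null || true
    $IP rule add from 172.16.0.0/24 table route2

    $IP route flush cache
}
```

On the gateway, `pbr_apply /etc/iproute2/rt_tables` from /etc/rc.local gives the same result on every boot; `ip rule list` and `ip route show table route1` confirm it.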
Tuesday, February 22, 2011
After installing Endpoint Security VPN R75 users can't ping or access the pc
Endpoint Security VPN R75 comes with a built-in firewall that uses a default filter.
An easy solution is to uninstall and reinstall the new client without the firewall.
Start the installer from the command line with "FW_INSTALL=NO" added to it.
Run through the wizard as normal; Endpoint VPN will be installed without the firewall option.
Packet Capture on ISS IPS
We can measure how much traffic is going through the appliance.
Here are the instructions to get the packet capture.
To log all packets on a next-gen (1.2 or later firmware) Proventia G, you will need to use tcpdump on the command line. The command is below.
# tcpdump -s 0 -i ProvG_1 -n -w /tmp/capture.enc
Below is an explanation of the parameters in the command above.
The -s 0 parameter is used to capture each packet in full. Usually, tcpdump will only capture approximately the first 68 bytes of each packet.
The -i ProvG_1 option is used to capture all the traffic on all monitoring interfaces. A single interface cannot be specified.
The -n option is used to disable reverse DNS lookup.
The -w /tmp/capture.enc parameter instructs tcpdump to write the contents to a file on disk. This file will be in raw format and can be analyzed in Ethereal or by running the capture back through tcpdump for a text dump of the headers.
tcpdump gathers the capture before the packets reach PAM or the firewall. Therefore all traffic, including traffic that the Proventia G would normally block, will be seen in the packet capture.
Sunday, February 20, 2011
SmartSPLAT v 3.6 is Released
For this release, just two words: New Style, New Look.
This is the last release of 3.x. With the upcoming version 4 you will have more control over SPLAT, and will download and upload files with one single click.
Thank you for your interest
Cagdas
SmartSPLAT
FREE SSH Software for Checkpoint Firewalls
Tuesday, February 1, 2011
Endpoint Security VPN R75 HFA1 is available in EA
This is what everybody was waiting for.
Three installation modes:
The following remote-access clients are available as a part of this program:
Check Point SecuRemote R75
• Replacing SecuRemote NGX
• Basic remote access functionality
• Added support for Windows 7 64 bit
• Unlimited number of connections for any Security Gateway with the IPsec VPN blade
• Does not require a license
Check Point Mobile for Windows R75
• New VPN Client
• Enterprise Grade Remote Access Client
• Secure Configuration Verification (SCV) is integrated with Windows Security Center for querying status of antivirus, Windows updates, etc
• Bug fixes
• In-place upgrade from Endpoint Connect
• Requires Mobile Access Software Blade on the Security Gateway
Check Point Endpoint Security VPN R75 HFA1
• Replacing SecureClient and Endpoint Connect
• Enterprise Grade Remote Access Client, including Desktop firewall and compliance checks
• Secure Configuration Verification (SCV) is integrated with Windows Security Center for querying status of antivirus, Windows updates, etc
• Integrated desktop firewall, centrally managed from SmartCenter
• Bug fixes
• In-place upgrade from Endpoint Security VPN R75
• Requires Endpoint Container and Endpoint VPN Software Blade
Sunday, January 30, 2011
Can't see the events from Proventia M firewall at SiteProtector
Last week this procedure saved us a lot of time.
To repair the communication issue between Proventia M and SiteProtector, the corrupted rsPostSensorEventQueue.adf file must be restored.
Follow the steps:
1. Login as root.
2. Stop the issDaemon service: service issDaemon stop
3. Rename the old queue file: mv /cache/spool/crm/rsPostSensorEventQueue.ADF /cache/spool/crm/rsPostSensorEventQueue.old
4. Start the issDaemon service: service issDaemon start
Saturday, January 29, 2011
Debugging NAT problems with SmartSPLAT
I have added a NAT section to SmartSPLAT; here are some commands related to the new tab.
To debug NAT related issues:
Start debug
# fw ctl debug 0
# fw ctl debug -buf 2048
# fw ctl debug xlate xltrc
# fw ctl kdebug -f > kdebug.out
stop debug
# fw ctl debug 0
My way to debug with fw monitor:
# fw monitor -e 'accept src=xxx or src=yyy or dst=xxx or dst=yyy;' -o fwmon.cap
NAT tables are not cleared upon Security Policy installation.
To manually clear the NAT tables,
#fw tab -t fwx_alloc -x
To see the maximum capacity,
# fw tab -t connections | grep limit
To see the NAT Limit
# fw tab -t fwx_alloc | grep limit
To see NAT Statistics
#fw tab –t fwx_alloc -t fwx_cache –s
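The two commands above (the table header that "grep limit" finds, and the "-s" summary) are what you compare to know how close the NAT table is to its limit. The script below is an added example, not code from the original post or from Check Point: it parses constructed samples of both outputs, computes the fill ratio and returns a warning when fwx_alloc is near or at its limit. The column layout (HOST NAME ID #VALS #PEAK #SLINKS) and the header wording are assumed from typical fw tab output; verify them against your version before trusting the numbers.

```python
"""Report how full a Check Point kernel table is, from 'fw tab' output.

Added example, not from the original post or from Check Point. It parses
the header printed by 'fw tab -t <table>' (the line 'grep limit' shows) and
the summary printed by 'fw tab -t <table> -s'. Samples below are constructed
and the column layout is assumed; check it against your own gateway.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: first lines of 'fw tab -t fwx_alloc'.
SAMPLE_HEADER = """localhost:
-------- fwx_alloc --------
dynamic, id 8187, attributes: keep, sync, expires 25, limit 25000, hashsize 512, kbuf 1
"""

# Constructed sample: 'fw tab -t fwx_alloc -s'.
SAMPLE_SUMMARY = """HOST                  NAME                              ID #VALS #PEAK #SLINKS
localhost             fwx_alloc                       8187 21340 24990     0
"""


@dataclass
class TableStats:
    name: str
    limit: Optional[int]  # None when the header has no 'limit' (table is unlimited)
    vals: int             # current entries (#VALS)
    peak: int             # high-water mark since boot (#PEAK)

    def utilisation(self) -> Optional[float]:
        """Current fill ratio, or None for an unlimited table."""
        return None if not self.limit else self.vals / self.limit


def parse_limit(header_text: str) -> Optional[int]:
    """Extract 'limit N' from the table header; None if the table is unlimited."""
    m = re.search(r"\blimit (\d+)\b", header_text)
    return int(m.group(1)) if m else None


def parse_summary(summary_text: str, table: str) -> tuple[int, int]:
    """Return (#VALS, #PEAK) for `table` from 'fw tab -t <table> -s' output."""
    for line in summary_text.splitlines():
        cols = line.split()
        # Expected columns: HOST NAME ID #VALS #PEAK #SLINKS
        if len(cols) >= 6 and cols[1] == table:
            return int(cols[3]), int(cols[4])
    raise ValueError(f"no summary row for table {table!r}")


def table_stats(header_text: str, summary_text: str, table: str = "fwx_alloc") -> TableStats:
    vals, peak = parse_summary(summary_text, table)
    return TableStats(table, parse_limit(header_text), vals, peak)


def check_table(stats: TableStats, warn_at: float = 0.80) -> list[str]:
    """Return warnings when the table is near or at its limit (empty list otherwise)."""
    warnings = []
    util = stats.utilisation()
    if util is None:
        return warnings  # an unlimited table cannot hit a hard limit
    if util >= 1.0:
        warnings.append(f"{stats.name}: FULL ({stats.vals}/{stats.limit}); "
                        "new translations cannot be allocated")
    elif util >= warn_at:
        warnings.append(f"{stats.name}: {util:.0%} used ({stats.vals}/{stats.limit})")
    if stats.peak >= stats.limit:
        warnings.append(f"{stats.name}: peak {stats.peak} reached the limit since boot")
    return warnings


if __name__ == "__main__":
    s = table_stats(SAMPLE_HEADER, SAMPLE_SUMMARY)
    for w in check_table(s) or [f"{s.name}: {s.utilisation():.0%} used, no action needed"]:
        print(w)
```

On a real gateway, feed it the live output, e.g. `fw tab -t fwx_alloc | head -3` and `fw tab -t fwx_alloc -s`, instead of the constructed samples; a peak that has already reached the limit explains intermittent NAT failures even when the current count looks healthy.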
SmartSPLAT: What's New in 3.4.3.2
Management HA symptoms
Management HA is inconsistent: the primary and secondary randomly take the master role, and rulebase changes made on the active member do not replicate to the other.
On both Management HA members (back up $FWDIR/conf before removing anything):
1. cpstop
2. cd $FWDIR/conf/mgha
3. Remove all files in this directory.
4. cd $FWDIR/conf/
5. rm applic* CPMIL*
6. cpstart
Note that if you are seeing member leaving and joining messages, the cphad and fwd timeouts can be increased on both cluster members as follows:
# cphaprob -d fwd -t 60 -s ok -p register
# cphaprob -d cphad -t 60 -s ok -p register
Failover occurs in the cluster during Security Policy installation.
The Standby member installs the policy faster than the current Active member, so it is the first to load the new configuration and, as a result, the first to check whether any Active member already runs the new configuration; finding none, it assumes the Active state.
Enable the "freeze" mechanism on each cluster member (disabled by default), which holds the cluster state machine for the given number of seconds during policy installation:
# fw ctl set int fwha_freeze_state_machine_timeout <seconds, in hex>
# fw ctl set int fwha_freeze_state_machine_timeout 0xb4
0xb4 = 180 seconds
To disable this mechanism, run:
# fw ctl set int fwha_freeze_state_machine_timeout 0
Note that fw ctl set int does not survive a reboot; to make the setting persistent, add fwha_freeze_state_machine_timeout=0xb4 to $FWDIR/boot/modules/fwkern.conf.
Thursday, January 27, 2011
R80 Endpoint Security, some notes
For now there is no upgrade from R73, no support for SPLAT and reduced functionality compared to the existing R73 products; I think Check Point brought out this version for new sales opportunities in the new year.
But a new HFA will come soon for the missing features, and it will support existing SmartCenters.
I love the easy way of managing endpoints with SmartDashboard: user management with AD is so easy, you can apply different blades to different users, the new Compliance feature gives you a basic NAC control solution, and as for WebChecker, upon enabling it I really liked the style of the new Internet Explorer, ghosty style ;)
Sunday, January 23, 2011
WCG load sharing: yes, it works.
Last week I was dealing with a V10k load sharing project.
The V10k does not have a load sharing feature, so we put an Alteon switch in front of 4 V10k appliances;
our tests were fine, sessions were shared across the appliances round-robin.
The Policy Server functions on its own, independent of the Policy Broker, so I left the 3 roles (PS, US, FS) on the V10Ks.
Although you can define only one policy server during installation of the log server, we have seen that we can successfully get logs from the 4 policy servers simultaneously.
Another issue was upgrading v6.3x to 7.5: don't forget to follow the path v6 to 7.0 to 7.1 and finally to 7.5.
Wednesday, January 12, 2011
Websense DSS Restore Fails
This point is not clear yet in the Websense KB.
Keep in mind that the restore was intended for recovery, not for migration to new machines.
For the restore to succeed, the following should be identical between the backed-up machine and the target:
OS installation partition and folder
(a change from 2003 Standard to 2003 Enterprise should be OK and not interfere with the restore)
Oracle installation partition and folder
DSS version and patch level
Hostname
IP addresses and NIC configuration
Tuesday, January 11, 2011
Check Point Mobile for iPhone and iPad
You want to make a remote access VPN from an iPhone or iPad but don't know where to start?
Here is a checklist that I have prepared for you:
Firewall version: R71.10 (only with an EA hotfix) or R71.30; a patch that enables support in R75 is coming shortly.
License: Mobile Access Blade.
Enable the SSL VPN checkbox (new name: Mobile Access).
If you see a 404 page instead of the portal site, keep in mind that CD2 of SPLAT may be required, installed with the command # sysconf_wrapper.
The command # cvpnd_settings set MobileAppAllowed "true" is also required to enable iPhone and iPad support on the Mobile Access gateway. Then restart the Mobile Access Software Blade services with # cvpnrestart and run # toggleCvpnPortal off followed by # toggleCvpnPortal on.
On the firewall, initiate the certificate for the user you created during the setup wizard and write down the registration key; you will use it on the iPad to pull the certificate from the firewall.
On the iPad, go to the App Store and download the Check Point Mobile app. You now have all the information needed for two-factor authentication: the firewall IP, the registration key (the key created with the Initiate button) and the Check Point user/password.
To view a demo of the business web portal, launch the app and enter the credentials below:
• SERVER: idemo.checkpoint.com
• ACTIVATION KEY: demo-1234
• PASSWORD: cpdemo
Another similar question is: "I also have 64-bit Windows clients; how can I make a protocol-independent remote VPN from them?" The answer is simple: enable SNX (SSL Network Extender) inside the SSL VPN portal. To do this, create at least one Native Application, and also check the Additional Settings - VPN Clients tab for startup options.
Note: Citrix is not supported from the iPad/iPhone client. If Citrix is configured for the SSL VPN portal, iPad/iPhone clients will not see it on the portal, and there is no target date for supporting this feature yet.
Also note that to connect via other protocols from iPhone/iPad you have to use an L2TP VPN.
Thats all
Cagdas
ISS IPS tuned PAM parameters: SYN flood protection
Even with the signature that protects against SYN flood attacks enabled, the sensor only effectively blocks SYN flood traffic if the parameter pam.tcp.synflood.protection is set to true.
There are a couple of other tuning parameters for configuring the SYN flood protection more granularly.
Advanced tuning parameters:
pam.tcp.synflood.protection.untrusted.rate
pam.tcp.synflood.protection.duplicatesyn.retransmit
pam.tcp.synflood.protection.duplicatesyn.timeout
pam.tcp.synflood.protection.duplicatesyn.enabled
pam.tcp.synflood.protection
pam.tcp.synflood.custom.limit
pam.tcp.synflood.custom
pam.tcp.synflood.size
pam.tcp.synflood.limit
To fine-tune your config, make sure that you specifically include these parameters in the local tuning section of the G
NAME=pam.tcp.synflood.protection
VALUE=true
NAME=pam.tcp.synflood.limit
VALUE=1000
You can then modify the limit parameter to suit your needs, depending on network conditions.
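Because the protection only works when both NAME=/VALUE= pairs are present and consistent, it is worth scripting the edit rather than doing it by hand on every sensor. The following is an added example, not code from the original post or from IBM ISS: it treats the tuning section as the sequence of NAME=/VALUE= lines shown above, forces pam.tcp.synflood.protection to true, sets pam.tcp.synflood.limit to the requested value, appends either pair if it is missing, and leaves comments and unrelated parameters untouched. The sample section and the parameter example.unrelated.parameter are constructed; the page does not name the tuning file, so the function works on text you read and write back yourself.

```python
"""Enforce the SYN flood PAM tuning pairs in a NAME=/VALUE= tuning section.

Added example, not from the original post or from IBM ISS. The tuning
section is treated as NAME=/VALUE= line pairs, as shown on the page; the
file path is not given there, so callers read and write the text themselves.
"""

SYNFLOOD_PROTECTION = "pam.tcp.synflood.protection"
SYNFLOOD_LIMIT = "pam.tcp.synflood.limit"

# Constructed sample of a local tuning section (not a real ISS file); the
# protection is explicitly off and the limit pair is missing altogether.
SAMPLE_TUNING = """# constructed sample local tuning section
NAME=pam.tcp.synflood.protection
VALUE=false
NAME=example.unrelated.parameter
VALUE=64
"""


def apply_synflood_tuning(text: str, limit: int = 1000) -> str:
    """Return `text` with protection forced to true and the limit set.

    Existing pairs are rewritten in place (comments, blank lines and other
    parameters are preserved verbatim); missing pairs are appended. Running
    the function twice yields the same text, so it is safe to re-run.
    """
    wanted = {SYNFLOOD_PROTECTION: "true", SYNFLOOD_LIMIT: str(limit)}
    out, seen, current = [], set(), None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("NAME="):
            current = stripped[len("NAME="):]
            out.append(line)
        elif stripped.startswith("VALUE="):
            if current in wanted:
                out.append(f"VALUE={wanted[current]}")  # rewrite the managed value
                seen.add(current)
            else:
                out.append(line)
            current = None
        else:
            out.append(line)  # comment or blank line, kept as-is
    for name, value in wanted.items():
        if name not in seen:
            out.extend([f"NAME={name}", f"VALUE={value}"])
    return "\n".join(out) + "\n"


def synflood_settings(text: str) -> dict:
    """Read back every pam.tcp.synflood.* pair, for verifying the result."""
    found, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("NAME="):
            current = stripped[len("NAME="):]
        elif stripped.startswith("VALUE=") and current is not None:
            if current.startswith("pam.tcp.synflood"):
                found[current] = stripped[len("VALUE="):]
            current = None
    return found


if __name__ == "__main__":
    fixed = apply_synflood_tuning(SAMPLE_TUNING, limit=1000)
    print(fixed)
    print(synflood_settings(fixed))
```

Read the current section, run it through apply_synflood_tuning, and use synflood_settings on the result as the post-change check before pushing the policy to the sensor; the limit value is the one you tune to your network conditions, as the post says.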