Thursday, February 25, 2010

Alw@ys Knw Wh@ts Happening inside your KERNEL - “A CHEAT SHEET”

FW MONITOR - Monitor your KERNEL..


Many People have problems with their daily life, is just bcoz they dont know what is/was happening INSIDE, I could never trouble shoot the KERNEL of Mine, but definitely did in my Favorite Product CheckPoint..

Yes.. Always monitor the each points (don't simply believe ALL IZZZ WELL..) Nothing gonna be Well untill and unless you have the control on each point of the Process..

Here we go,, FW Monitor,

Why fw monitor?

The fw monitor utility is similar to ‘snoop’ and ‘tcpdump’ in being able to capture and display packet information. Unlike snoop or tcpdump, fw monitor is always available on FW-1, can show all interfaces at once and can have insertion points between different Check Point modules. The fw monitor commands are the same on every platform.

Fw monitor syntax:

There are many options for the fw monitor command and these can be seen by typing fw monitor –h on the command line;

fw monitor -h

Usage: fw monitor [- u|s] [-i] [-d] <{-e expr}+|-f > [-l len] [-m mask] [-x offset[,len]] [-o ] <[-pi pos] [-pI pos] [-po pos] [-pO pos] | -p all [-a ]> [-ci count] [-co count]

Each option is fully explained in the Check Point document How to use fw monitor.

Brief option description:

-u|s, is used to show the uuid which is the same number during the entire connection
-i, is used to make sure that all info is written to standard output immediately
-d|D, is used to put fw monitor in debug or more Debug modes
-e, is used for the user defined expressions
-f, for the filter file
-l, is used to limit the packet length captured
-m, is a mask of interface such as the default mask of iIoO
-x, prints the packet data to the screen
-o, output file
-p[x] pos, is used to set the insertion point of the monitor
-p all, places insertion points between each module
-ci count, is used to break out of fw monitor after incoming packets
-co count, is used to break out of fw monitor after outgoing packets

Reading the output:

El59x1:i[48]: -> (TCP) len=48 id=944

TCP: 1034 -> 21 .S.... seq=78caaa74 ack=00000000

Filter expressions:

A great reference for filter expressions is the tcpip.def file located at $FWDIR/lib.
In this document we will just describe a few and how they work.
#define ip_tos [ 1 : 1]
#define ip_len [ 2 : 2, b]
#define ip_id [ 4 : 2, b]
#define ip_off [ 6 : 2, b]
#define ip_ttl [ 8 : 1]
#define ip_p [ 9 : 1]
#define ip_sum [ 10 : 2, b]
#define ip_src [ 12 , b]
#define ip_dst [ 16 , b]
#define PROTO_icmp 1
#define PROTO_icmp6 58
#define PROTO_tcp 6
#define PROTO_udp 17

This sample of the tcpip.def file shows how the macros used in the firewall are defined.
For example ip_src is [ 12, b]. This means that at offset 12 bytes data is read in big endian to gain the source ip address.

ip_len is defined as [ 2 :2, b]. This means that at offset 2 bytes, a 2 byte length is read in big endian to determine the ip length field.

These expressions can be used in an fw monitor command to filter on whatever is needed.
For example to capture packets to and from one ip address of interest we could use,
fw monitor –e “accept [12, b]= or [16, b]=;”
OR you could use the macro definition
fw monitor –e “accept src= or dst=;”

Using the macro definitions is usually easier to remember.

In this doc we will use the macros in the tcpip.def file.

Syntax Examples (cheat sheet);
Basic capture of everything on all interfaces,
fw monitor

To filter on an ip of interest,

-e “accept src=;”
This will show just source address matching src.

-e “accept src= or dst=;”
This will show both source and destination matching src or dst and is an example of the Or operator in use.

To filter on a particular protocol of interest,

-e “accept ip_p=6;”
This will show TCP packets only.

-e “accept ip_p=17;”
This will show UDP packets only.

-e “accept ip_p=6 or ip_p=50;”
This will show TCP and ESP protocols

Making a slightly more complex expression we will use ip address and protocol type as an example.
-e “accept ip_p=6 and src=;”
This is an example of the And operator in use. If we used ping to test the fw monitor would not show these packets, but if we used ftp to connect to then all packets with a source of would be shown.

To filter on an packet length

-e “accept ip_len=60;”
This will show all packets with the IP header and Data length of 60 bytes.
A standard Windows ping is 60 bytes total. This is found by adding the IP header of 20 bytes to the 8 bytes ICMP header and 32 bytes of ICMP data.

If we were trying to filter only packets larger or smaller than a certain size we could use;
-e “accept ip_len>512;”
This will show ip packets larger than 512 bytes.
-e “accept ip_len <512;”
This will show packets smaller than 512 bytes.
-e “accept ip_len > 60 and ip_len<70;”
This will show packets between 61 and 69 bytes long.

Note that ip_len is defined as the IP header and Data.

To filter on a source port or destination port

-e “accept sport=21;”
This will show packets from port 21.
-e “accept dport=21;”
This will show destination port 21
-e “accept sport=21 or dport=21;”
This will show source or destination port 21.

Note; that the definitions for sport, th_sport, and uh_sport are all the same [20: 2, b]. The same is true for dport, th_dport and uh_dport [22: 2, b]. This means a filter as set above will show port 21 even if it is a UDP port. If you wanted to filter only TCP ports you would have to add expressions.
-e “accept ip_p=6 and sport=21 or dport=21;”
This would show port 21 and only TCP.

To filter on a port and an IP address

-e “accept sport=21 or dport=21 and src= or dst=;”

To filter flags or TCP states

The th_flags macro can be used in different ways and can get confusing so here is a brief explanation. The definitions below show how the macros for the flags are defined. In the syntax we can use the hexadecimals listed in this manner.
TH_FIN 0x1
TH_SYN 0x2
TH_RST 0x4
TH_ACK 0x10
TH_URG 0x20
-e “accept th_flags=0x1;”
will only see packets that have only the FIN flag set. If any other flag is set also it will not show up.
-e “accept th_flags=0x11;”
This will show packets with FIN and ACK flags set.
As you can see the hex numbers can be added together to reflect the flags you want.
OR we can use the following syntax;
-e “accept th_flags & 0x1;”
This will show packets with the FIN flag set even if other flags are set. This expression basically says look for flags AND if FIN is set show it.
-e “accept th_flags = fin;”
This will show packets with a FIN flag set even if other flags are set since fin is already defined as seen below in this sample of the tcpip.def file. Any of the below can be used.

syn { th_flags & TH_SYN };
fin { th_flags & TH_FIN };
rst { th_flags & TH_RST };
ack { th_flags & TH_ACK };
first { th_flags & TH_SYN, not (th_flags & TH_ACK) };
established { (th_flags & TH_ACK) or ((th_flags & TH_SYN) = 0) };
not_first { not ( th_flags & TH_SYN ) };
last { th_flags & TH_FIN, th_flags & TH_ACK };
tcpdone { fin or rst };

To filter on ICMP types

-e “accept icmp_type=8;”
This will show echo requests.
-e “accept icmp_type=0;”
This will show echo replies.
See the tcpip.def file to see the icmp_type definitions. Here are a couple of examples,
8= echo
0= echo reply
3= unreachable
5= redirect
11= ttl exceeded

To set the mask on filter

-m io
Will show pre-in and pre-out packets
-m IO
Will show post-in and post-out packets
The mask defaults to iIoO and shows all four inspection points. It can be set with the –m option to be whatever you want.

To set the packet capture count

-ci 3
Will show 3 incoming packets and the break out.
-m i –ci 4
Will show 4 incoming packets on the pre-in interface.

To print the packet payload use the –x option

-x 52, 96
This example would show packet data starting at offset 52 and printing 96 bytes to the screen. Output to a file gives all data any way so this is usually not needed.
The offset starts with the IP header. i.e. offset of 40 would give the start of data offset of 55 bytes in an http packet. 20 bytes ip header, 20 bytes tcp header.

To set the monitor position in the fw chain

-pi 3 –po 2
These are relative positions in the fw chain. The chain can be seen by typing fw ctl chain on the command line.

To change the insertion point you can use the relative position ie 1,2,3 etc.
Or you can use the alias such as secxl_sync. All details to usage and syntax can be found in How to use fw monitor.

Default insertion points

In using the relative number use the number after the module where you want it inserted, in other words if relative number 2 is Secxl_sync and you want to insert after this module then use –pi 3. If you use –pi 3 it is inserted after relative number 2. If using the alias then use the alias after where you want it installed. In other words, if you use –pi Secxl_sync then the position will be inserted before Secxl_sync. See Figure below.

NG AI has a new position option –p all which inserts at each point in the chain.

To filter packets that are part of a network or a range of ip addresses

-e “accept netof src=;”
This will show all packets with an address on network
A mask can not be set, it is implied by the address. So if you have subnetted further you will need a different syntax to capture a range of addresses.
-e “internal = {<,>}; accept ( in internal);”
This will show all packets in the internal definition.

Putting it together with more complex expressions;
-e “accept not (src=;”
To see all but src above.
-e “accept sport=21 and not (src=;”
To see source port 21 but not from

-e “accept src= or dst= and not (sport=22 or dport=22);”
To see everything to and from ip except ssh.

-e “accept src= or dst= and not (sport=21 or dport=21) and not (sport=22 or dport=22);”
To show all to an from ip except ssh and ftp.

-ci 200 –m iI –pi Secxl_sync –e “accept ip_p=6 and netof src= and not (sport=22 or dport=22);”
This will show 200 incoming packets before breaking out, with a mask of iI showing both pre-in and post-in with the monitor insertion point being before the Secxl_sync module in the chain. In addition it will only show TCP packets that have an ip address that is part of network but not the ssh protocol.

This may be more complex than is reasonable but it shows what can be done with fw monitor.

I hope this is explanatory.. Pls write to me in case of quries.. :-)


Wednesday, February 24, 2010

Checkpoint Commands

Checkpoint commands generally come under,

cp - general
fw - firewall
fwm - management

CP, FW & FWM Commands

cphaprob stat List cluster status

cphaprob -a if List status of interfaces

cphaprob syncstat shows the sync status

cphaprob list Shows a status in list form

cphastart/stop Stops clustering on the specfic node

cp_conf sic SIC stuff

cpconfig config util

cplic print prints the license

cprestart Restarts all Checkpoint Services

cpstart Starts all Checkpoint Services

cpstop Stops all Checkpoint Services

cpstop -fwflag -proc Stops all checkpoint Services
but keeps policy active in kernel

cpwd_admin list List checkpoint processes

cplic print Print all the licensing information.

cpstat -f all polsrv Show VPN Policy Server Stats

cpstat Shows the status of the firewall

fw tab -t sam_blocked_ips Block IPS via SmartTracker

fw tab -t connections -s Show connection stats

fw tab -t connections -f Show connections with IP instead of HEX

fw tab -t fwx_alloc -f Show fwx_alloc with IP instead of HEX

fw tab -t peers_count -s Shows VPN stats

fw tab -t userc_users -s Shows VPN stats

fw checklic Check license details

fw ctl get int [global kernel parameter] Shows the current value
of a global kernel parameter

fw ctl set int [global kernel parameter] [value] Sets the current value of
a global keneral
parameter. Only Temp;
Cleared after reboot.
fw ctl arp Shows arp table

fw ctl install Install hosts internal interfaces

fw ctl ip_forwarding Control IP forwarding

fw ctl pstat System Resource stats

fw ctl uninstall Uninstall hosts internal interfaces

fw exportlog .o Export current log file to ascii file

fw fetch Fetch security policy and install

fw fetch localhost Installs (on gateway) the last installed policy.

fw lichosts Display protected hosts

fw log -f Tail the current log file

fw log -s -e Retrieve logs between times

fw logswitch Rotate current log file

fw lslogs Display remote machine log-file list

fw monitor Packet sniffer

fw printlic -p Print current Firewall modules

fw printlic Print current license details

fw putkey Install authenication key onto host

fw stat -l Long stat list, shows which policies are installed

fw stat -s Short stat list, shows which policies are installed

fw unloadlocal Unload policy

fw ver -k Returns version, patch info and Kernal info

fwstart Starts the firewall

fwstop Stop the firewall

fwm lock_admin -v View locked admin accounts

fwm dbexport -f user.txt used to export users , can also use dbimport

fwm_start starts the management processes

fwm -p Print a list of Admin users

fwm .a Adds an Admin

fwm .r Delete an administrator

Provider 1

mdsenv [cma name] Sets the mds environment

mcd Changes your directory to that of the environment.

mds_setup To setup MDS Servers

mdsconfig Alternative to cpconfig for MDS servers

mdsstat To see the processes status

mdsstart_customer [cma name] To start cma

mdsstop_customer [cma name] To stop cma

cma_migrate To migrate an Smart center server to CMA

cmamigrate_assist If you dont want to go through the pain
of tar/zip/ftp and if you wish to enable FTP
on Smart center server


vpn tu VPN utility, allows you to rekey vpn

vpn ipafile_check ipassignment.conf detail‏ Verifies the ipassignment.conf file

dtps lic show desktop policy license status

cpstat -f all polsrv show status of the dtps

vpn shell /tunnels/delete/IKE/peer/[peer ip] delete IKE SA

vpn shell /tunnels/delete/IPsec/peer/[peer ip] delete Phase 2 SA

vpn shell /show/tunnels/ike/peer/[peer ip] show IKE SA

vpn shell /show/tunnels/ipsec/peer/[peer ip] show Phase 2 SA


router Enters router mode for use on Secure Platform Pro for advanced routing options
patch add cd Allows you to mount an iso and upgrade your checkpoint software (SPLAT Only)

backup Allows you to preform a system operating system backup
restore Allows you to restore your backup
snapshot Performs a system backup which includes all Checkpoint binaries. Note : This issues a cpstop.


vsx get [vsys name/id] get the current context

vsx set [vsys name/id] set your context

fw -vs [vsys id] getifs show the interfaces for a virtual device

fw vsx stat -l shows a list of the virtual devices and installed policies

fw vsx stat -v shows a list of the virtual devices and installed policies (verbose)

reset_gw resets the gateway, clearing all previous virtual devices and settings.

SOME MORE.............

Stops the FireWall-1 daemon, management server (fwm), SNMP (snmpd)
and authentication daemon (authd).
(To stop Firewall-1 NG and load the default filter: fwstop –default, fwstop –proc)
Loads the FireWall-1 and starts the processes killed by fwstop.
Stops all Check Point applications running, except cprid.
Starts all Check Point applications.
In NT, opens Check Point Configuration Tool GUI. (licenses, admins …)
>cpstat options
Provides status of the target hosts.
Usage: cpstat [-h host][-p port][-f flavour][-o polling [-c count] [-e period]]
[-d] application_flag
-h A resolvable hostname, a dot-notation address, or a DAIP object name.
Default is localhost.
-p Port number of the AMON server.
Default is the standard AMON port (18192).
-f The flavour of the output (as appears in the configuration file).
Default is to use the first flavour found in the configuration file.
-o Polling interval (seconds) specifies the pace of the results.
Default is 0, meaning the results are shown only once.
-c Specifying how many times the results are shown.
Default is 0, meaning the results are repeatedly shown.
-e Period interval (seconds) specifies the interval over which "statistical" oids are computed.
Ignored for regular oids.
-d Debug mode
Available application_flags:
Flag Flavours
fw default, policy, perf, hmem, kmem, inspect, cookies, chains, fragments, totals,
ufp, http, ftp, telnet, rlogin, smtp, sync, all
ha default, all
ls default
mg default
os default, routing, memory, old_memory, cpu, disk, perf, all, average_cpu,
average_memory, statistics
persistency product, TableConfig, SourceConfig
polsrv default, all
vpn default, product, IKE, ipsec, traffic, compression, accelerator, nic, statistics,
watermarks, all
FireWall-1 Commands
>fw ver [-h] ..
Display version
This is Check Point VPN-1(TM) & FireWall-1(R) NG Feature Pack 3 Build 53920
>fw kill [-sig_no] procname
Send signal to a daemon
>fw putkey –n ip_address_host ip_address_of_closest_interface
Client server keys; helpful if you are integrating an NG Management Server
with 4.x enforcement modules. Will install an authenticating password; used
to authenticate SIC between the Management Server and the module.
>fw sam (Suspicious Activities Monitoring)
sam [-v] [-s sam-server] [-S server-sic-name] [-t timeout] [-l log] [-f fw-host]
[-C] -((n|i|I|j|J)
sam [-v] [-s sam-server] [-S server-sic-name] [-f fw-host] -M -ijn
sam [-v] [-s sam-server] [-S server-sic-name] [-f fw-host] -D
Criteria may be one of:
>fw fetch ip_address_management_station
Used to fetch Inspection code from a specified host and install it to the
kernel of the current host.
>fw tab [-h] ...
Displays the contents of FireWall-1’s various tables
>fw tab –t connections –s tells how many connections in state table
>fw monitor [-h] ...
Monitor VPN-1/FW-1 traffic
>fw ctl [args] install, uninstall, pstat, iflist, arp, debug, kdebug, chain, conn
Control kernel
>fw ctl pstat shows the internal statistics – memory/connections
>fw ctl arp shows firewall’s ARP cache – IP addresses via NAT
>fw lichosts
Display protected hosts
>fw log [-h] ...
Display logs
>fw logswitch [-h target] [+|-][oldlog]
Create a new log file; the old log is moved
>fw repairlog ...
Log index recreation
>fw mergefiles ...
log files merger
>fw lslogs ...
Remote machine log file list
>fw fetchlogs ...
Fetch logs from a remote host
FireWall Management Server Commands
>fwm ver [-h] ...
Display version
>fwm load [opts] [filter-file|rule-base] targets
Will convert the *.W file from the GUI to a *.pf file and compile into
Inspection code, installing a Security Policy on an enforcement module.
>fwm load Standard.W all.all@localgateway
>fwm unload [opts] targets
Uninstall Security Policy from the specified target(s).
>fwm dbload [targets]
Download the database
>fwm logexport [-h] ...
Export log to ascii file
>fwm logexport [-d delimiter] [-i filename] [-o filename] [-n] [-f] [-m
] [-a]
-d - Set the output delimiter. Default is ;
-i - Input file name. Default is the active log file, fw.log
-o - Output file name. Default is printing to the screen
-n - No IP resolving. Default is to resolve all IPs
-f - In case of active file (fw.log), wait for new records and export them
-m - Unification mode. Default is initial order.
Initial - initial order mode
Raw - No unification
Semi - Semi-unified mode
-a - Take account records only. Default is export all records
Once your logs files have been written to a backup file you can begin to export them into an
ASCII format so you may begin to analyze them. The command that accomplishes this is
the fw logexport command. The format of this command is as follows:
C:\WINNT\FW1\NG\log>fwm logexport -d , -i 2003-03-19_235900_1.log -o fwlog2003-03-
The –d switch specifies a delimiter character with the default being the semi-colon.
The –i switch specifies the input file and the –o switch specifies the output file. The –n
switch tells the program to not perform any name resolution on the IP addresses. This will
greatly speed up the export process. If you have the time and want to see the domain
names instead of IP addresses you may omit this switch. One word of caution though, the
size of the output files that get created grow an average of 2.5 times the input file.
>fwm gen [-RouterType [-import]] rule-base
Generate an inspection script or a router access-list
>fwm dbexport [-h] ...
Export the database
>fwm ikecrypt
Crypt a secret with a key (for the dbexport command)
>fwm dbimport [-h] ...
Import to database
SmartUpdate commands – Requires license
>cppkg add
>cppkg del [vendor] [product] [version] [os] [sp]
>cppkg print
>cppkg setroot
>cppkg getroot

Checkpoint SPLAT Quick Command

Commonly Used Linux Command

Sometimes, I do have problem remembering Linux commands when I'm on my console. I will list the most common Linux commands and also specific for Checkpoint fw running on SPLAT(Secure Platform). It's a bit odd how they short form it to SPLAT :)

ls -l (to list the files)

ls -lrt (list the files according the dates, the last line will be the latest file)

df -h (to view the size of the disks created, if the disk is 100% utilized, you might experienced some problem, especially if you are running the fw management server)

df -k (the same as above, instead of megabytes, it will show you the size in kilobytes)

netstat -rn (to show the routing table of your device)

ifconfig ( to show the list of available interfaces)

if your Linux has the tcpdump features, (i think most are pre-installed) the commands to sniff the packets on specific interface are as below;

# tcpdump -i -s 1500net -w/var/tmp/xxw.pcap

*the interface name is the interface sets on your device. If you want to filter based on the network address, you should put as above, if filter based on host, change it to 'host'.

The -s 1500 indicate the normal 1500 size packet you want to capture. If you don't define 1500, the packets captured will show incomplete details.

-w is used to save the files to a specific folder. By defining the file extension with .pcap, you'd be able to double click the file to open it via ethereal.

trace route (to do normal trace route functions. In windows, you'll use tracert)

ping (to check the response of the destination server)

ssh (to ssh using a defined username)

grep command can be used at the end of the normal commands to grab specific name you wish to search for. Example, in your routing table, you wish the routing at your interface eth3. You'll use below commands;

netstat -rn | grep eth3

If you wish to display the routing table per page, use | more at the end of your command line. Example;

netstat -rn | more

ps -ef (to check the processes running and identify the process ids and also which are consuming the most RAM)

snmpd service stat (to check the status of the snmpd daemon)

For specific Checkpoint command line, the most commonly used are;

cphaprob stat ( to check the Checkpoint High Availability status)

cpstart ( to start the checkpoint application)

cpstop (to stop the checkpoint application)

sysconfig (to enter the network setting on the SPLAT machine)

cpconfig ( to enter the checkpoint setting)

New ones for Checkpoint firewall

cplic print (print the license)

cpstat (to check cp stats)

cpstat -vs 3 fw -f policy (to check the stats on the firewall VID=3 based on the fw vsx)

Other stats finding command lines

cpstat os -f all

cpstat os -f cpu

fw tab -s -t connections

fw ctl cpstat

Thursday, February 18, 2010

IPSO Password Recovery

Resetting the Admin Password
At some point, you will encounter a Nokia that needs to have work done on it, but the
admin password has been forgotten. The password cannot be recovered, but a new one may be set as long as console access to the Nokia is available.

1. Boot into single-user mode from a directly attached console connection by entering boot –s at the BOOTMGR prompt.
2. Select sh for the shell by pressing Enter when prompted
3. Type /etc/overpw at the # prompt, and confirm that you want to reset the admin password.
4. Enter the new admin password when prompted, or leave it blank.
5. Press Ctrl + D and allow the system to come up into full multiuser mode.
6. Login as admin. If a dmin password was set to blank, set it now.
7. Use the dbpasswd command to change the password for Voyager: dbpasswd admin newpassword “
8. Save the new voyager password:
dbset :save

The following is what the receding procedure looks like when run through on IPSO 3.6:
Enter pathname of shell or RETURN for sh:

# /etc/overpw
This program is used to set a temporary admin password when you have lost the configured password. You must have booted the machine into single user mode to run it. The configured password will be changed. Please change the temporary password as soon as you log on to your system through voyager.

Please enter password for user admin:
Please re-enter password for confirmation:
Continue? [n] y

Running fsck…
/dev/rwd0f: clean, 65453 free (2461 frags, 7874 blocks, 0.6% fragmentation)
/dev/rwd0a: clean, 36154 free (42 frags, 4514 blocks, 0.1% fragmentation)
/dev/rwd0d: clean, 5802929 free (625 frags, 725288 blocks, 0.0% fragmentation)
/dev/rwd0e: clean, 902680 free (992 frags, 112711 blocks, 0.1% fragmentation)
Admin password changed. You may enter ^D to continue booting.

IPSO Upgrade Procedure

Upgrading to IPSO 4.2

You might already have a previous IPSO release installed on your Nokia platform and simply want to upgrade to IPSO 4.2. You can upgrade directly to Nokia IPSO 4.2 from the following IPSO versions:
3.7, 3.7.1,3.8, 3.8.1, 3.9, 4.0, 4.0.1, 4.1
Notes from the Underground…
Words of Caution When Upgrading
As with any software, there might be some caveats or warnings you should review before starting the upgrade process. Nokia IPSO is no exception and has some issues you should know about before proceeding with an upgrade.

Upgrading from IPSO 3.7.1 and Earlier
If you upgrade to IPSO 4.2 from IPSO 3.7, IPSO 3.7.1, or earlier and want to use disk mirroring, you must first install the 4.2 boot manager and then install IPSO 4.2 from the new boot manager. If you do not, you might receive messages that show the mirror set is 100 percent complete or that the sync process is complete when in fact the disks are still syncing. You do not need to follow this procedure if you upgrade to IPSO 4.2 from IPSO 3.8, 3.8.1, 3.9, 4.0, 4.0.1, or 4.1.

Upgrading from IPSO 4.1

Avoid using the IPSO boot manager to install IPSO 4.2 on a platform running IPSO 4.1 Build 016 or 019 if you installed the 4.1 build using the boot manager. If you attempt to upgrade in this way, the system might repeatedly panic and reboot. To upgrade these systems to IPSO 4.2, use Network Voyager, the CLI, or the newimage shell command.

Space Requirements
You need at least 140MB of free disk space in your root partition to install an IPSO 4.2 image. To determine the available disk space, log in to the IPSO shell through a terminal or console connection and enter df -k. If the first number in the Avail column (which shows the available space in the root partition) is less than 140000Kbytes, you should make more space available by deleting the temporary files specified in the following command if they are present. (These files might not be present, depending on how the upgrades were done on your system.) Execute the following commands to delete the list of unwanted files:

mount -uw /
rm -f /image/*/bootmgr/*.sav
rm -f /image/*/bootmgr/*.tmp
mount -ur /

If you use the df command after you install IPSO 4.2 as a third image, you might see that the root partition is more than 100-percent full. If no errors were displayed while you installed IPSO 4.2, you can safely ignore this output from df.

Other upgrade-specific issues are covered in greater detail in the Getting Started and Release Notes for IPSO 4.2 document available on the Checkpoint support site:

There are several ways to copy the IPSO installation image used to upgrade your Nokia
IPSO version to your Nokia appliance. You can:

1. Use the Nokia Network Voyager to fetch the IPSO image from a remote FTP server.
2. Use the Nokia Network Voyager to upload the IPSO image from a local workstation using HTTP.
3. Use an FTP client to push the IPSO image to the Nokia appliance (if the FTP server is enabled).
4. Use secure copy (SCP) to push the IPSO image to the Nokia appliance (if the SSH server is enabled).
5. Use secure copy (SCP) to pull the IPSO image to the Nokia appliance from another server.
6. Use a floppy or CD-ROM to copy the image to the Nokia appliance (if the appliance has a floppy or CD-ROM drive).

As you can see, there is no shortage of installation image transfer mechanisms. Upgrading the image using Nokia Network Voyager (options 1 and 2) is covered in detail in Chapter 4. If you decide to transfer the IPSO image manually (options 3, 4, 5, and 6) you can use the newimage command to upgrade from the CLI. The syntax of the newimage command is as

newimage [[-i | -l localfile] [-b] [-R | -T]] [-r | -t imagename]

newimage Command-Line Switches

Switch Description
-b Force upgrade of bootmanager.
-i Load a new image interactively.
-l localfile Extract the new image from an extant file.
-r imagename Specify imagename to run at the next boot.
-t imagename Specify imagename to run at the next test boot.
-R Use a newly installed image to run at the next boot.
-T Test boot using a newly installed image.
-k Do not deactivate existing packages.
-v Verbose ftp.

On some appliances, installing the image can take some time. The newimage command might display the message “Setting up new image…” for several minutes with no other sign of activity.

The test boot option -t imagename is a method to test the newly installed image when you reboot your Nokia appliance. If it fails to boot, your Nokia appliance reverts to the previous IPSO image the next time it is started.

To add an IPSO image from the local file system, use the following newimage syntax:

NOKIA_IPSO[admin]# newimage -k -l ipso.tgz
You should see a response similar to the following:
ipso.tgz Validating image. . .done.
Version tag stored in image: IPSO-4.2-BUILD029-releng-1515-01.05.2007-222742
Installing new image. . .done [example]

You are then prompted to choose the image to load after the next reboot. At the
prompt, reboot your platform. If for some reason the package is not present, you will see
a message similar to the following when trying to run the newimage command:

NOKIA_IPSO[admin]# newimage -k -l ipso.tgz
tar: can’t open archive /var/emhome/admin/ipso.tgz : No such file or directory
tar: child returned status 3
tar: VERSION not found in archive
No version file in /var/emhome/admin/ipso.tgz. Possibly corrupted. Exiting
Jul 27 12:13:44 NOKIA_IPSO [LOG_ERR] Upgrade: No version file in
/var/emhome/admin/ipso.tgz. Possibly corrupted. Exiting. . .

If the IPSO image is corrupt, you will see an image similar to the following when trying
to run the newimage command:

NOKIA_IPSO[admin]# newimage -k -l ipso.tgz
gzip: stdin: unexpected end of file
tar: child returned status 1
tar: VERSION not found in archive
No version file in /var/emhome/admin/ipso.tgz. Possibly corrupted. Exiting
Jul 27 12:15:52 NOKIA_IPSO [LOG_ERR] Upgrade: No version file in /var/emhome/admin/ipso.
tgz. Possibly corrupted. Exiting. . .

To verify the integrity of an IPSO image archive you can use the openssl command as

NOKIA_IPSO[admin]# openssl sha1 ipso.tgz
You should see a response that displays the same SHA1 value that matches the SHA1
value shown at the Nokia support site. For example, you should see something like the
SHA1 (ipso.tgz)=390366ED8C53A9F1F516D2DC742331E7FE5A11C0

Wednesday, February 17, 2010

IPSO Scratch Installation

Couple of Months before I got a call from my Senior, he said they are transferring me to a Data center, to administrate a CheckPoint Cluster which is installed on IPSO..

Grrr... Now what is IPSO!!!

IPSO is a a FreeBSD fork developed originally by IPSILLION Networks, later acquired by Nokia and now with CheckPoint (Nokia IP devices has been acquired by Nokia one year back)

Following is the procedure to install IPSO in a Nokia Box...


Manu B alias Karthik...

Installing IPSO

Performing a clean installation of IPSO is a relatively simple process. The installer configures
the system based on the selections you make during the process. The standard installation
procedure is as follows:
1. Power on the appliance and enter the boot manager (Bootmgr).
2. Initiate the installation process.
3. Answer the configuration questions when prompted.
4. Reboot the appliance when the initial installation is complete.
5. Continue with the initial configuration of your appliance.
Let’s walk through these steps.

Booting into the Boot Manager

When the appliance is powered on, after the memory test completes, you will be presented
with a menu that presents you with a boot manager (1 Bootmgr) option and an IPSO
(2 IPSO) option.

Entering 2 starts the standard boot process into the IPSO operating system.
Because you want to perform a clean installation, you must enter the boot manager and
launch the installation process. Do this by entering 1.

1 Bootmgr
Default: 1
Starting bootmgr
Loading boot manager..
Boot manager loaded.
Entering autoboot mode.

Type any character to enter command mode.
You are now presented with the BOOTMGR[1]> prompt. To begin the installation
process, enter install.

BOOTMGR[1]> install
The IPSO installer will warn you that you will be expected to enter information during
the initial configuration process, such as client IP address, netmask, system serial number,
and so on. You will also be reminded that the clean installation will destroy any existing files
and data on your disk. To proceed with the clean installation, enter y.

############## IPSO Full Installation ###############
You will need to supply the following information:
Client IP address/netmask, FTP server IP address and filename,
system serial number, and other license information.
This process will DESTROY any existing files and data on your disk.
Continue? (y/n) [n] y

Part of the installation process is entering the chassis serial number. This is very important
in identifying your appliance should you ever need to call into Nokia for technical support.
The serial number is typically located on the back of the appliance but has been known to be
on the bottom in some of the older appliances.
Enter your serial number.
Motherboard serial number is NONE.
The chassis serial number can be found on a
sticker on the back of the unit with the letters

Of course, you have already written down the serial number prior to racking the appliance.

S/N in front of the serial number.
Please enter the serial number: 12345678
Please answer the following licensing questions.
Depending on your requirements, an enhanced license can be purchased to support
IGRP and BGP routing protocols. If you do not require these routing protocols, like
most Nokia installations, you can enter n when presented with the IGRP and BGP

Will this node be using IGRP ? [y] n
Will this node be using BGP ? [y] n

Because we are performing a clean installation, it does not make sense to pull the installation image from the disk you are looking to overwrite. What the installation script does allow you to do, however, is fetch the IPSO image from a remote FTP server.

Depending on your FTP server configuration, you can select from one of two options: You can install from an anonymous FTP server where no user credentials are required, by entering

1, or you can install from an FTP server that requires a username and password, by entering 2.

Regardless of the option you select, you are prompted to enter an IP address for your Nokia IP appliance, the IP address of the FTP server, and the default gateway your communications will use for routing. The only additional entries that require user input, if using the second menu option, are the username and password fields. To simplify the installation steps, and based on what most customers use, we will continue with the anonymous FTP server method. When prompted to choose an installation method, enter 1 and then the IP addresses you want to use. Each IP address field requires that you press Enter to move to the next option.

1. Install from anonymous FTP server.
2. Install from FTP server with user and password.
Choose an installation method (1-2): 1
Enter IP address of this client (
Enter IP address of FTP server (
Enter IP address of the default gateway (
After you have supplied the IP address and subnet mask information, you must
select a physical interface to assign it to. Select the interface you wish to use for the FTP
communications by typing the corresponding number and pressing Enter.

Choose an interface from the following list:
1) eth1
2) eth2
3) eth3
4) eth4
Enter a number [1-4]: 4

Select the speed of the chosen interface by entering the corresponding number.

Choose interface speed from the following list:
1) 10 Mbit/sec
2) 100 Mbit/sec

Enter a number [1-2]: 2
Select the duplex settings for the interface using h for half duplex or f for full duplex.
The duplex settings of your interface will vary depending on the device it is connected to.
Half or full duplex? [h/f] [h] f

The interface list may appear differently on your Nokia since it depends
entirely on the types of network interface cards (NICs) installed.

Now that your interface is configured, you must provide the path to, and the name of,
the IPSO installation package on the remote FTP server. Enter the full path to the IPSO
installation package. If the installation package is located in the root directory of the FTP
server you can press Enter or type the / character and press Enter.

Enter path to ipso image on FTP server [/]: /
Accept the default IPSO installation package name by pressing Enter or typing the full
package name and pressing Enter.
Enter ipso image filename on FTP server [ipso.tgz]: ipso.tgz

After the installation script connects to the FTP server, you have the option of telling
it what to retrieve. You can retrieve all valid packages it finds on the server, retrieve the
packages it finds one at a time and prompt you to accept or reject the package, or retrieve
no additional packages and only install the IPSO operating system. Select your option by
entering the associated menu number.

1. Retrieve all valid packages, with no further prompting.
2. Retrieve packages one-by-one, prompting for each.
3. Retrieve no packages.
Enter choice [1-3] [1]: 3

A final confirmation screen lets you verify all of your configuration settings before
proceeding. Check this carefully to ensure you have not added any incorrect information.
If you are happy with your configuration settings, enter y to start the installation process.
Client IP address=
Server IP address=
Default gateway IP address=
Network Interface=eth1, speed=100M, full-duplex
Server download path=[//]
Package install type=none
Mirror set creation=no
Are these values correct? [y] y

If the Nokia appliance is able to contact the FTP server and find the IPSO installation
package, you will see the installation process status messages as the various steps are

Downloading compressed tarfile(s) from
Hash mark printing on (1048576 bytes/hash mark).
Interactive mode off.
100% 36760 KB 00:00 ETA
Checking validity of image. . .done.
Installing image. . .done.
Image version tag: IPSO-4.2-BUILD069-10.27.2007-035617-1515.
Checking if bootmgr upgrade is needed. . .
Need to upgrade bootmgr. Proceeding..
Upgrading bootmgr. . .
new bootmgr size is 2097152
old bootmgr size is 1474560
Saving old bootmgr.
Installing new bootmgr.
Verifying installation of bootmgr.
When the installation completes, you will see an Installation Completed message and
a final instruction telling you to reset the system or press Enter to reboot.
Installation completed.

Reset system or hit to reboot.

Post Installation

The first thing you must do is provide a hostname for your Nokia appliance. Typically, this
is a one-word name for the system so you can easily recognize the system when performing
administrative tasks. Type your hostname and press Enter. You will also be prompted to
confirm the setting of the hostname. Enter y to continue.

Please choose the host name for this system. This name will be used
in messages and usually corresponds with one of the network hostnames
for the system. Note that only letters, numbers, dashes, and dots (.)
are permitted in a hostname.
Hostname? pint
Hostname set to “pint”, OK? [y] y

The admin user will require a password to authenticate you to the command line of the
Nokia appliance and for Web-based administration using the Nokia Network Voyager interface.
You will be asked to enter it again for validation. Enter the password you want to use.
Please enter password for user admin: notpassword
Please re-enter password for confirmation: notpassword

With the hostname and admin password set, you will be prompted to select your preferred
configuration method. You can configure an interface and use Nokia Network Voyager to
complete the configuration (the recommended method), or you can configure an interface by
using the CLI.
The easiest, and most popular, configuration method is to configure the appliance using
the Nokia Network Voyager. Enter 1 to select this method.

You can configure your system in two ways:
1) configure an interface and use our Web-based Voyager via a remote browser
2) configure an interface by using the CLI
Please enter a choice [ 1-2, q ]: 1

Select an interface you would like to use to configure your appliance by typing the
associated menu option number and pressing Enter.
Select an interface from the following for configuration:
1) eth1
2) eth2
3) eth3
4) eth4
5) quit this menu
Enter choice [1-11]: 4

Type the IP address and mask length you want to use for this interface. Press Enter for
each option after you have input the correct information.
Enter the IP address to be used for eth4:
Enter the masklength: 24

You are asked to configure a default route for this interface to use, and to provide the IP address information for your default router. To configure the default route, enter y. When asked to specify your default router, type the IP address of your default gateway and press Enter.

Do you wish to set the default route [ y ] ? y
Enter the default router to use with eth4:

After specifying the IP address and default route information, you have the option to change
the interface speed and duplex settings. Because this interface is configured for 1000 mbs and
full duplex, by default, you can enter n to accept the current settings.

This interface is configured as 1000 mbs by default.
Do you wish to configure this interface for other speeds [ n ] ? n

A final confirmation screen lets you verify all of your configuration settings before proceeding. Check this carefully to ensure you have not added any incorrect information.
If you are happy with your configuration settings, enter y.

You have entered the following parameters for the eth4 interface:
IP address:
masklength: 24
Default route:
Speed: 1000M
Duplex: full
Is this information correct [ y ] ? y

Optionally, you can configure the virtual local area network (VLAN) settings for this
interface. Typically, you will want to answer no to this question unless the interface needs to
be part of the VLAN for security or routing reasons. Enter n to continue.

Do you want to configure Vlan for this interface[ n ] ? n
You may now configure your interfaces with the Web-based Voyager by
typing in the IP address “” at a remote browser.

At this point, you should be able to connect to your Nokia appliance using the Nokia
Network Voyager Web interface with the browser of your choice.
A final optional setting is the changing of the default SNMP community string. Because
this is easily performed within Nokia Network Voyager, along with more advanced SNMP
configuration settings, you can type n and press Enter to complete the initial configuration.
Do you want to change SNMP Community string [ n ] ? n

Tuesday, February 16, 2010


Cluster Down:

Suddenly she's
Suddenly the
Promise of love has gone
Breathing seems so hard to do

Trogen Horse Attack:

Carefully you
Planned it
I got to know just
A minute to late, oh girl
now I understand it
All the times we
Made love together
Baby you were thinking of him

Cluster Member Came Up:

Ain't gonna show no
I'm gonna smile
And tell the whole world I'm fine
I'm gonna keep my senses
But deep down
When no one can hear me
Baby I'll be crying for you

Preempt is not Enabled and Logging is Set:

Can't go back
Can't erase
Baby your smiling face oh no
I can think of nothing else but you

Kernel Panic:

Why do I love you
Don't even want to
Why do I love you like I do
Like I always do
You should've told me
Why did you have to be untrue
Why do I love you like I do

Monday, February 15, 2010

Check your documents before sharing with Clients........

Check your documents before sharing with Clients........

Hidden data can often be found within Microsoft Office documents particularly Word. Whenever you exchange documents with clients, either convert them to PDF format or else run them through Microsoft's Hidden Data Removal tool.

Remove hidden data and personal information from Office documents:

Office 2K7

Office 2K3

Forgot to mention subject, while writing an official mail and feel bad later???????

Don't worry......... just follow the simple steps mentioned below in case you’ve already not done that and see the result.

Below are the steps:

1. Open your outlook (Only For Outlook Users)

2. Press Alt+F11. This opens the Visual Basic editor

3. On the Left Pane, one can see "Microsoft Outlook Objects" or "Project1", expand this. Now one can see the "ThisOutLookSession".

4. Double click on "ThisOutLookSession". It will open up a code pane.

5. Copy and Paste the following code in the right pane.(Code Pane)


Private Sub Application_ItemSend(ByVal Item As Object, Cancel As Boolean)

Dim strSubject As String

strSubject = Item.Subject

If Len(Trim(strSubject)) = 0 Then

Prompt$ = "Subject is Empty. Are you sure you want to send the Mail?"

If MsgBox(Prompt$, vbYesNo + vbQuestion + vbMsgBoxSetForeground, "Check for Subject") = vbNo Then

Cancel = True

End If

End If

End Sub


6. Save this and now close the VB Code editor and take a breath. From now on, this macro will make sure you do not make the mistake of sending a mail without a subject.