Monday, July 26, 2010

Packet Flow Sequence in PIX/ASA

Packet Flow Sequence
PIX/ASA - Inside (higher security level) to Outside (lower security level)
Format: Phase. Type - [Sub-Type] - Description
1. FLOW-LOOKUP - [] - Check for existing connections, if none found create a new connection.
2. ROUTE-LOOKUP - [input] - Initial Checking (Reverse Path Check, etc.)
3. ACCESS-LIST - [log] - ACL Lookup
4. CONN-SETTINGS - [] - class-map, policy-map, service-policy
5. IP-OPTIONS - [] -
6. NAT - [] - xlate
7. NAT - [host-limits] -
8. IP-OPTIONS - [] -
9. FLOW-CREATION - [] - If everything passes up to this point, a connection (flow) is created.
10. ROUTE-LOOKUP - [output and adjacency] - Egress route lookup and next-hop adjacency resolution.
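The ten steps above are exactly the "Phase:" blocks that the ASA packet-tracer command prints (e.g. packet-tracer input inside tcp 10.1.1.10 12345 203.0.113.5 443), so the fastest way to find out which step rejected a packet is to read that output phase by phase. The Python below is an added example, not code from the original page or from Cisco; the packet-tracer text it parses is a constructed sample that follows the real output layout, not a capture from a live device, and the interface and ACL names in it are assumptions.

```python
# Parse ASA "packet-tracer" output and report the first phase that did not ALLOW.
# Added example; the SAMPLE_TRACE text is constructed, not taken from a device.

SAMPLE_TRACE = """\
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended deny ip any any
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_phases(text):
    """Split packet-tracer output into one dict per "Phase:" block.

    Each dict carries phase number, type, subtype, result and the lines listed
    under "Config:" and "Additional Information:". The trailing "Result:"
    summary block is not a phase and is skipped here (see parse_summary).
    """
    phases, cur, section = [], None, None
    for line in text.splitlines():
        if line.startswith("Phase: "):
            cur = {"phase": int(line[7:]), "type": "", "subtype": "",
                   "result": "", "config": [], "info": []}
            phases.append(cur)
            section = None
        elif line == "Result:":          # final summary, no more phases follow
            cur = None
        elif cur is None:
            continue
        elif line.startswith("Type: "):
            cur["type"] = line[6:].strip()
        elif line.startswith("Subtype:"):
            cur["subtype"] = line[8:].strip()
        elif line.startswith("Result: "):
            cur["result"] = line[8:].strip()
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section and line.strip():
            cur[section].append(line.rstrip())
    return phases


def parse_summary(text):
    """Return the key/value pairs of the final "Result:" block (Action, Drop-reason, ...)."""
    summary = {}
    parts = text.split("\nResult:\n", 1)
    if len(parts) == 2:
        for line in parts[1].splitlines():
            if ": " in line:
                key, value = line.split(": ", 1)
                summary[key] = value.strip()
    return summary


def first_drop(phases):
    """First phase whose result is not ALLOW, or None if every phase allowed the packet."""
    return next((p for p in phases if p["result"] != "ALLOW"), None)


def explain(text):
    """One-line verdict: which phase killed the packet and the ASA's drop reason."""
    phases = parse_phases(text)
    summary = parse_summary(text)
    drop = first_drop(phases)
    if drop is None:
        return "allowed through %d phases; action=%s" % (len(phases), summary.get("Action", "?"))
    label = drop["type"] + (" " + drop["subtype"] if drop["subtype"] else "")
    return "dropped at phase %d (%s): %s" % (drop["phase"], label,
                                            summary.get("Drop-reason", "no drop-reason"))


if __name__ == "__main__":
    print(explain(SAMPLE_TRACE))
```

Because the phases always appear in the order listed above, the phase number of the first non-ALLOW result tells you immediately whether the problem is routing (phase 2), the interface ACL (phase 3), MPF/connection limits (phase 4), or NAT (phases 6-7), without reading the whole dump.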

Checkpoint Nokia / Secure Platform : Backup Methods : CMA and Gateway


The Nokia IP series appliance comes with an option in Voyager to perform a backup. This backs up and restores the configuration for both Nokia IPSO and the installed firewall packages. The files backed up when using Voyager's Backup and Restore function are listed below.

Under the $FWDIR, the following files are backed up during the backup process:


Under the $CPDIR, the following files are backed up during the backup process:


Secure Platform

SecurePlatform NG with Application Intelligence and NGX provide a command-line or Web GUI capability for backing up your system settings and product configuration. The backup utility can store backups either locally on the SecurePlatform machine's hard drive or remotely on a TFTP or SCP server. TFTP is unauthenticated and unencrypted, so prefer the SCP target for any backup that leaves the box, and restrict access to the backup files, since they hold the complete configuration. The backup can be performed on request or scheduled to take place at set intervals.
The backup files are kept in tar gzipped format (.tgz). Backup files saved locally are kept in /var/CPbackup/backups. The restore command-line utility is used for restoring SecurePlatform settings and/or product configuration from backup files.

See the Secure Platform documentation for exact syntax for the backup command.

You can choose to export the existing Check Point configuration of your machine (including which Check Point products are installed, and all their configuration files). This can later be imported onto a clean machine (any Check Point supported OS), enabling you to replace an existing machine with another that has an identical Check Point configuration.

The exported file is saved as /var/tmp/cpexport. You can use TFTP to transfer it to a TFTP server (use the 'sysconfig' utility, "Export Setup"). The "Import" option can only be run on a clean machine: install SecurePlatform and use the shell for the initial setup (through 'sysconfig').
The first-time installation wizard will offer to fetch an exported file from a TFTP server, and will later invoke the Check Point upgrade wrapper, which lets you import the configuration from that file.


The upgrade_export tool is used on the SmartCenter server to export a copy of the rulebase and user databases. During the installation process there is an option called "Installation using Imported Configuration". At this point you can select the previously exported .tgz file to import; the installer then installs the new software and applies the imported .tgz configuration.
You can then log in to SmartDashboard and install the existing Security Policy without having to reset SIC. This process minimizes downtime in the event of a catastrophic system failure.

The import and export tools are located under $FWDIR/bin/upgrade_tools or on the installation CD-ROM.

Thursday, July 15, 2010

Everything Has a Reason and I Need to Know It - RST Packet from Server - TCP Stack

Last week I faced a strange issue. Though it was a good experience, I lost my sleep for a night at least!! The problem was with the TCP 3-way handshake. So I took a capture on the server: I could see SYN packets coming from the client, a SYN/ACK going back from the server, and finally an "RST" from the server.... Here I got screwed... Why an "RST" from the server? I thought of all the conditions, even though I didn't know the exact working of the TCP stack.

I looked into Wireshark and could see TCP retransmissions of the SYN as well as of the SYN/ACK. I decided to read some TCP stack stuff.

The next day I got a call saying the issue was resolved, but HOW?? No one was interested in looking into that (F____rs), and I hate it most when things are put into a black HOLE. One more day and I was so restless; I needed a reason for the "RST".

Finally, yesterday I found the reason and could sleep well.

So the reason is as follows:

Whenever a SYN or SYN/ACK is sent, a retransmission timer is started, initially (on this server's stack) at 3 seconds. If no response arrives from the peer within 3 seconds, TCP resends the packet and doubles the timer to 6 seconds; if there is still no response after those 6 seconds, it resends again and doubles the timer to 12 seconds. When even that expires with no response (21 seconds after the first packet), the server gives up on the half-open connection and sends an "RST", which is quite normal. The initial RTO, the number of retries and whether an RST is sent at all are stack-specific (some stacks simply discard the half-open connection silently), so check the operating system's defaults before treating 21 seconds as a universal number. The key diagnostic point is that a server retransmitting its SYN/ACK means the client's final ACK never arrived, and a client retransmitting its SYN means the SYN/ACK never arrived at the client: together they point at the return path, not at either host.

The issue was in the WAN, which never delivered the SYN/ACK to the other end (an IPsec crypto ACL problem).

Mistake I made: I should have asked for a capture from the other end too. :)

Anyway, I am happy to have found the reason.

NB: I stick to my theory in a practical way: I will find a reason for each and every thing, and it will be audited, because I believe in RCA (Root Cause Analysis).
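The timer arithmetic and the capture-side reasoning from this post, as an added example that is not part of the original post: the first function reproduces the 3 s / 6 s / 12 s backoff and the 21 s give-up point for an assumed initial RTO and retry count (both are stack-specific assumptions, not constants), and the second classifies a server-side capture of SYN, SYN/ACK and RST packets the way the post did. The packet list is constructed to mirror the sequence described above; it is not the author's trace.

```python
from dataclasses import dataclass


@dataclass
class Pkt:
    t: float      # seconds relative to the first packet in the capture
    src: str      # "client" or "server" (labels only; real code would use IP:port)
    flags: str    # "S" = SYN, "SA" = SYN/ACK, "A" = ACK, "R" = RST


def synack_retry_schedule(initial_rto=3.0, retries=2):
    """Send offsets of the initial SYN/ACK and each retransmission, plus the time
    the server gives up. The RTO doubles after every retransmission.

    The defaults (3 s initial RTO, 2 retransmissions) are an assumption that
    reproduces the post's 3 s / 6 s / 12 s timers; other stacks use other values.
    """
    offsets, rto, t = [0.0], initial_rto, 0.0
    for _ in range(retries):
        t += rto
        offsets.append(t)
        rto *= 2
    return offsets, t + rto      # e.g. ([0.0, 3.0, 9.0], 21.0)


def diagnose_handshake(pkts, client, server):
    """Classify a 3-way handshake as seen in a capture taken on the server.

    Returns a dict with a short verdict and the counts that justify it:
      completed            - the client's final ACK was seen
      no-synack            - the server never answered the SYN (look at the server)
      synack-not-delivered - SYN/ACK retransmitted and then RST: the client never
                             received it, so suspect the server->client path
      undetermined         - too few packets to decide
    """
    syns = [p for p in pkts if p.src == client and p.flags == "S"]
    synacks = [p for p in pkts if p.src == server and p.flags == "SA"]
    acks = [p for p in pkts if p.src == client and p.flags == "A"]
    rsts = [p for p in pkts if p.src == server and p.flags == "R"]

    result = {
        "syn_retransmits": max(len(syns) - 1, 0),
        "synack_retransmits": max(len(synacks) - 1, 0),
        "reset_after": round(rsts[0].t - synacks[0].t, 3) if rsts and synacks else None,
    }
    if acks:
        result["verdict"] = "completed"
    elif not synacks:
        result["verdict"] = "no-synack"
    elif len(synacks) > 1 and rsts:
        result["verdict"] = "synack-not-delivered"
    else:
        result["verdict"] = "undetermined"
    return result


# Constructed server-side capture mirroring the sequence in the post (not a real trace):
# the client's SYN keeps arriving, the server's SYN/ACK is retransmitted twice,
# and the server resets the half-open connection 21 s after its first SYN/ACK.
CAPTURE = [
    Pkt(0.000, "client", "S"),
    Pkt(0.001, "server", "SA"),
    Pkt(3.000, "client", "S"),     # client's own RTO expired: it never saw the SYN/ACK
    Pkt(3.001, "server", "SA"),    # first SYN/ACK retransmission (3 s timer)
    Pkt(9.001, "server", "SA"),    # second retransmission (6 s timer)
    Pkt(21.001, "server", "R"),    # 12 s timer expired: retries exhausted, RST sent
]


if __name__ == "__main__":
    print(synack_retry_schedule())
    print(diagnose_handshake(CAPTURE, "client", "server"))
```

The verdict "synack-not-delivered" is exactly the case the post describes: the server saw every client SYN (so the client-to-server direction worked) but never got the final ACK, and the client kept retransmitting its SYN because the SYN/ACK was being dropped on the way back. That asymmetry is what should have prompted a capture from the other end.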

Wednesday, July 7, 2010

Find the Cluster IP (Virtual IP) in SPLAT

To find the cluster IP (virtual IP) associated with each interface on SPLAT (SecurePlatform) with ClusterXL, here is the way:

cphaprob -a if