FW [Admin]# cat /var/etc/.nvram
Vendor Nokia
Chassis serialnum: 93064000318
Model IP560
FW [Admin]#
Wednesday, December 22, 2010
Tuesday, December 21, 2010
TCP DUMP - Deep Inside
Running the tcpdump utility
====================
Following are examples of commands used to run the tcpdump utility:
Selecting an Interface or VLAN
The tcpdump utility is able to sniff for packets on only one interface or VLAN. By default, it will select the lowest numbered interface.
To select an interface, use the -i flag as follows:
tcpdump -i
For example:
tcpdump -i exp1
tcpdump -i 1.10
tcpdump -i internal
Disabling name resolution
By default, tcpdump will attempt to look up IP addresses and use names, rather than numbers, in the output. BIG-IP must wait for a response from the DNS server, so the lookups can be time consuming and the output may be confusing.
To disable name resolution, use the -n flag as in the following examples:
tcpdump -n
tcpdump -ni internal
Saving tcpdump output to a file
You can save the tcpdump data to one of the following file formats:
• A binary file that contains all the information collected by the tcpdump and is readable by the tcpdump utility as well as many other traffic analysis packages.
• A text file that contains a subset of the full tcpdump data, but is readable only as plain text.
Binary file
To save the tcpdump output to a binary file, type the following command:
tcpdump -w
For example:
tcpdump -w dump1.bin
Note: The tcpdump utility will not print data to the screen while it is capturing to a file. To stop the capture, press CTRL-C.
Text file
To save the tcpdump output to a text file, type the following command:
tcpdump >
For example:
tcpdump >dump1.txt
Reading tcpdump binary file output
To read data from a binary tcpdump file (that you saved by using the tcpdump -w command), type the following command:
tcpdump -r
For example:
tcpdump -r dump1.bin
In this mode, the tcpdump utility reads stored packets from the file, but otherwise operates just as it would reading from the network interface. As a result, you can use formatting commands and filters.
Filters
The tcpdump utility allows you to use filters to, among other things, restrict the output to specified addresses and ports and specified tcp flags.
Filtering on a host address
• To view all packets that are traveling to or from a specific IP address, type the following command:
tcpdump host
For example:
tcpdump host 10.90.100.1
• To view all packets that are traveling from a specific IP address, type the following command:
tcpdump src host
For example:
tcpdump src host 10.90.100.1
• To view all packets that are traveling to a particular IP address, type the following command:
tcpdump dst host
For example:
tcpdump dst host 10.90.100.1
Filtering on a port
• To view all packets that are traveling through the BIG-IP system and are either sourced from or destined to a specific port, type the following command:
tcpdump port
For example:
tcpdump port 80
• To view all packets that are traveling through the BIG-IP system and sourced from a specific port, type the following command:
tcpdump src port
For example:
tcpdump src port 80
• To view all packets that are traveling through the BIG-IP system and destined to a specific port, type the following command:
tcpdump dst port
For example:
tcpdump dst port 80
Filtering on a tcp flag
• To view all packets that are traveling through the BIG-IP system that contain the SYN flag, type the following command:
tcpdump 'tcp[tcpflags] & (tcp-syn) != 0'
• To view all packets that are traveling through the BIG-IP system that contain the RST flag, type the following command:
tcpdump 'tcp[tcpflags] & (tcp-rst) != 0'
Combining filters with the and operator
You can use the and operator to filter for a mixture of output.
Following are some examples of useful combinations:
tcpdump host 10.90.100.1 and port 80
tcpdump src host 172.16.101.20 and dst port 80
tcpdump src host 172.16.101.20 and dst host 10.90.100.1
Capturing Packet Data
The tcpdump utility provides an option which allows you to specify the amount of each packet to capture.
You can use the -s (snarf/snaplen) option to specify the amount of each packet to capture. To capture the entire packet, use a value of 0 (zero). For example:
tcpdump -s0 src host 172.16.101.20 and dst port 80
Alternatively, you can specify a length large enough to capture the packet data you need to examine. For example:
tcpdump -s200 src host 172.16.101.20 and dst port 80
If you are using the tcpdump utility to examine the output on the console during capture or by reading from an input file with the -r option, you should also use the -X flag to display ASCII encoded output along with the default HEX encoded output. For example:
tcpdump -X -s200 src host 172.16.101.20 and dst port 80
Supressing hostname and port resolution
The tcpdump utility provides an option which allows you to specify whether IP addresses and service ports are translated to their corresponding hostnames and service names.
Since performing multiple name lookups during a packet capture may be resource intensive, you should disable name resolution while capturing on a busy system using the -n option. For example:
tcpdump -n src host 172.16.101.20 and dst port 80
Service port lookups incur less overhead than DNS-based name resolutions, but still are usually unnecessary while capturing. You can disable both name and service port resolution while capturing by using the -nn option. For example:
tcpdump -nn src host 172.16.101.20 and dst port 80
Combining tcpdump options
This Solution contains the most essential tcpdump options. You will generally need to use most of the options in combination.
Following are examples of how to combine the tcpdump options to provide the most meaningful output:
tcpdump -ni internal -w dump1.bin
tcpdump -ni internal -r dump1.bin host 10.90.100.1
tcpdump -ni exp1 host 10.90.100.1 and port 80
tcpdump -ni 1.10 src host 172.16.101.20 and dst port 80 >dump1.txt
tcpdump -Xs200 -nni eth0 -w /var/tmp/mgmt.cap dst host 172.16.101.20 and dst port 162
====================
Following are examples of commands used to run the tcpdump utility:
Selecting an Interface or VLAN
The tcpdump utility is able to sniff for packets on only one interface or VLAN. By default, it will select the lowest numbered interface.
To select an interface, use the -i flag as follows:
tcpdump -i
For example:
tcpdump -i exp1
tcpdump -i 1.10
tcpdump -i internal
Disabling name resolution
By default, tcpdump will attempt to look up IP addresses and use names, rather than numbers, in the output. BIG-IP must wait for a response from the DNS server, so the lookups can be time consuming and the output may be confusing.
To disable name resolution, use the -n flag as in the following examples:
tcpdump -n
tcpdump -ni internal
Saving tcpdump output to a file
You can save the tcpdump data to one of the following file formats:
• A binary file that contains all the information collected by the tcpdump and is readable by the tcpdump utility as well as many other traffic analysis packages.
• A text file that contains a subset of the full tcpdump data, but is readable only as plain text.
Binary file
To save the tcpdump output to a binary file, type the following command:
tcpdump -w
tcpdump -w dump1.bin
Note: The tcpdump utility will not print data to the screen while it is capturing to a file. To stop the capture, press CTRL-C.
Text file
To save the tcpdump output to a text file, type the following command:
tcpdump >
For example:
tcpdump >dump1.txt
Reading tcpdump binary file output
To read data from a binary tcpdump file (that you saved by using the tcpdump -w command), type the following command:
tcpdump -r
For example:
tcpdump -r dump1.bin
In this mode, the tcpdump utility reads stored packets from the file, but otherwise operates just as it would reading from the network interface. As a result, you can use formatting commands and filters.
Filters
The tcpdump utility allows you to use filters to, among other things, restrict the output to specified addresses and ports and specified tcp flags.
Filtering on a host address
• To view all packets that are traveling to or from a specific IP address, type the following command:
tcpdump host
For example:
tcpdump host 10.90.100.1
• To view all packets that are traveling from a specific IP address, type the following command:
tcpdump src host
For example:
tcpdump src host 10.90.100.1
• To view all packets that are traveling to a particular IP address, type the following command:
tcpdump dst host
For example:
tcpdump dst host 10.90.100.1
Filtering on a port
• To view all packets that are traveling through the BIG-IP system and are either sourced from or destined to a specific port, type the following command:
tcpdump port
For example:
tcpdump port 80
• To view all packets that are traveling through the BIG-IP system and sourced from a specific port, type the following command:
tcpdump src port
For example:
tcpdump src port 80
• To view all packets that are traveling through the BIG-IP system and destined to a specific port, type the following command:
tcpdump dst port
For example:
tcpdump dst port 80
Filtering on a tcp flag
• To view all packets that are traveling through the BIG-IP system that contain the SYN flag, type the following command:
tcpdump 'tcp[tcpflags] & (tcp-syn) != 0'
• To view all packets that are traveling through the BIG-IP system that contain the RST flag, type the following command:
tcpdump 'tcp[tcpflags] & (tcp-rst) != 0'
Combining filters with the and operator
You can use the and operator to filter for a mixture of output.
Following are some examples of useful combinations:
tcpdump host 10.90.100.1 and port 80
tcpdump src host 172.16.101.20 and dst port 80
tcpdump src host 172.16.101.20 and dst host 10.90.100.1
Capturing Packet Data
The tcpdump utility provides an option which allows you to specify the amount of each packet to capture.
You can use the -s (snarf/snaplen) option to specify the amount of each packet to capture. To capture the entire packet, use a value of 0 (zero). For example:
tcpdump -s0 src host 172.16.101.20 and dst port 80
Alternatively, you can specify a length large enough to capture the packet data you need to examine. For example:
tcpdump -s200 src host 172.16.101.20 and dst port 80
If you are using the tcpdump utility to examine the output on the console during capture or by reading from an input file with the -r option, you should also use the -X flag to display ASCII encoded output along with the default HEX encoded output. For example:
tcpdump -X -s200 src host 172.16.101.20 and dst port 80
Supressing hostname and port resolution
The tcpdump utility provides an option which allows you to specify whether IP addresses and service ports are translated to their corresponding hostnames and service names.
Since performing multiple name lookups during a packet capture may be resource intensive, you should disable name resolution while capturing on a busy system using the -n option. For example:
tcpdump -n src host 172.16.101.20 and dst port 80
Service port lookups incur less overhead than DNS-based name resolutions, but still are usually unnecessary while capturing. You can disable both name and service port resolution while capturing by using the -nn option. For example:
tcpdump -nn src host 172.16.101.20 and dst port 80
Combining tcpdump options
This Solution contains the most essential tcpdump options. You will generally need to use most of the options in combination.
Following are examples of how to combine the tcpdump options to provide the most meaningful output:
tcpdump -ni internal -w dump1.bin
tcpdump -ni internal -r dump1.bin host 10.90.100.1
tcpdump -ni exp1 host 10.90.100.1 and port 80
tcpdump -ni 1.10 src host 172.16.101.20 and dst port 80 >dump1.txt
tcpdump -Xs200 -nni eth0 -w /var/tmp/mgmt.cap dst host 172.16.101.20 and dst port 162
Thursday, September 30, 2010
Checkpoint Ports
| TCP Port 256 is used for three important things:
TCP Port 257 (FW1_log) is used for logging purposes. TCP Port 258 is used by the fwpolicy remote GUI. FireWall-1 will only listen to this port on a management console. TCP Port 259 is used for Client Authentication via telnet. FireWall-1 will only listen to this port on a firewall module. UDP Port 259 is used in FWZ encryption to manage the encrypted session (SecuRemote and FireWall-1 to FireWall-1 VPNs). UDP Port 260 and UDP Port 161 are used for the SNMP daemon that Check Point FireWall-1 Provides. TCP Port 262 is used by netsod, which is the Single Sign-on Daemon. This can be disabled by commenting out the line that contains netsod in $FWDIR/conf/fwauthd.conf. TCP Port 264 is used for Secure Client (SecuRemote) build 4100 and later to fetch network topology and encryption keys from a FireWall-1 Management Console. FireWall-1 will only listen to this port on a management console. UDP Port 500 is used for ISAKMP key exchange between firewalls or between a firewall and a host running Secure Client. FireWall-1 will only listen to this port on a firewall module. TCP Port 900 is used by FireWall-1's HTTP Client Authentication mechanism. This can be disabled by commenting the appropriate line in $FWDIR/bin/fwauthd.conf. TCP Port 4532 is used for the Session Auth agent, asessiond. TCP Ports above 1024, other than the ones listed below, are generally any Security Servers that are active. The actual ports used by these servers will vary. 1024 is the lowest & 65535 is the highest port a Security Server process will use for a connection. If you wish to minimize the number of ports listening, comment out the appropriate lines from $FWDIR/conf/fwauthd.conf. Note that if you disable a security server in this fashion, you can not use its capabilities (like content security or authentication), so make sure you only do it for the security servers you know you are not using. TCP Port 18181 is used for CVP (Content Vectoring Protocol, for anti-virus scanning). FireWall-1 will not listen on this port. TCP Port 18182 is used for UFP (URL Filtering Protocol, for WebSense and the like). FireWall-1 will not listen on this port. TCP Port 18183 is used for SAM (Suspicious Activity Monitoring, for intrusion detection). If you do not use these features, you can comment out the appropriate lines in $FWDIR/conf/fwopsec.conf. TCP Port 18184 is used for Log Export API (lea). If you do not use these features, you can comment out the appropriate lines in $FWDIR/conf/fwopsec.conf. TCP Port 18186 (FW1_omi-sic) is used for Secure Internal Communications (SIC) between OPSEC certified products and a NG FireWall module. TCP Port 18190 (CPMI) is used by the FireWall Management process (FWM) to listen for NG Management Clients attempting to connect to the management module. TCP Port 18191 (CPD) is used by the CPD process for communications such as policy installation, certificate revocation, and status queries. TCP Port 18192 (CPD_amon) is used by the CPD process FireWall Application Monitoring. TCP Port 18196 is used for CPEPS which is part of User Monitor. TCP Port 18207 is used by polsrvd, which is the Single Sign-on Daemon. This can be disabled by commenting out the line that contains polsrvd in $FWDIR/conf/fwauthd.conf. TCP Port 18210 (FW1_ica_pull): The CPD process, on the management module, is listening on TCP port 18210 for certificates to be "pulled" by a FireWall module from a management module. TCP Port 18211 (FW1_ica_push): The Check Point Daemon (CPD) process, running on the FireWall module, listens on TCP port 18211 for certificate creation and for the "push" of the certificate to the FireWall module from the management module. Should you make any changes above, the 'fwd' process will need to be restarted as follows: nokia[admin]# fw kill fwd |
Sunday, September 26, 2010
Forcing NICs on SecurePlatform full/half duplex or 10/100/1000 Mbps using ethtool
In expert mode, use the 'ethtool' to hard code link speed and duplex settings of network interfacesNICs.
Note: Per the IEEE specification, gigabit speed cannot be forced. It can only be auto-negotiated.
Quick command syntax:ethtool -s DEVNAME speed 10|100|1000 duplex full|half autoneg off|on
Example:
ethtool -s eth0 speed 100 duplex full autoneg off
(Will force eth0 interface to 100 MB link speed, full duplex).
ethtool -s eth0 speed 100 duplex half
(Will force eth0 interface to 100 MB link speed, half duplex).
ethtool -s eth0 autoneg on
(Will force eth0 interface to auto-negotiate).
ethtool -s eth0 autoneg off
(Will force eth0 interface auto-negotiate off).
Commands can be put at the end of the /etc/rc.local startup script, to survive reboot.m Wake on multicast messages.b Wake on broadcast messages.a Wake on ARP.g Wake on MagicPacket(tm).s Enable SecureOn(tm) password for MagicPacket(tm).d Disable (wake on nothing). This option clears all previous options.sopass xx:yy:zz:aa:bb:cc
(Set SecureOn(tm) password. Argument to this option must be 6 bytes in ethernet MAC hex format (xx:yy:zz:aa:bb:cc).msglvl N
(Set driver message level. Meanings differ per driver).
Full options of command:
Example:ethtool -s ethX [speed 10|100|1000] [duplex half|full] [port tp|aui|bnc|mii] [autoneg on|off] [phyad N] [xcvr internal|external][wol p|u|m|b|a|g|s|d...] [sopass xx:yy:zz:aa:bb:cc] [msglvl N]
OPTIONS-s
Allows changing some or all settings of the specified Ethernet device; options only apply if -s is specified.ethX
Device Namespeed 10|100|1000
Sets speed in Mbps; ethtool with a single argument will show supported device speeds.duplex half|full
Sets full- or half-duplex mode.port tp|aui|bnc|mii
Selects device port.autoneg on|off
Specifies whether or not autonegotiation is enabled.phyad N
Physical addressxcvr internal|external
Selects transceiver type; currently only internal and external can be specified.wol p|u|m|b|a|g|s|d...
Sets Wake-on-LAN options; not all devices support this. The Argument to this option is a string of characters specifying the options to enable.p Wake on physically activity.u Wake on unicast messages.
Checkpoint Global Parameters
Warning: Check Point strongly recommends consulting Technical Support before editing the kernel global parameters. If a parameter is edited incorrectly, it may lead to serious problems.
| Parameter | Parameter Type | Default Value | Description |
| fwdebug | int | Error flag and warning flag. If defined secure remote, only error flag. | The debug flags of the fw debug module, which eventually determine which debug messages will be printed. For instructions on how to modify the parameter before reboot, see sk26202. |
| fw_debug_kdbufsz | int | 0 | The debug buffer size. |
| fwkdbmaxlen | int | 32 MB | The debug buffer size limit. |
| fw_kdprintf_limit | int | In 30 | Controls the suppression mechanism of debug messages. If it is not "0", it indicates how many debug messages can be printed in fw_kdprintf_limit_time seconds. |
| fw_kdprintf_limit_time | int | 60 | Part of the suppression mechanism of debug messages. |
| fwmonitormaxlen | int | 100K | Half of the maximum size of the data buffer of the 'fw monitor' command. |
| fwhmem | int | 20 MB | Size of memory allocated for hash tables (hmem) in bytes. |
| fwhmemmax | u_int | 80 MB | The Maximum size in bytes that hash tables (hmem) can be extended to. |
| fw_allow_udp_port0 | Int (bool) | 1 | UDP port 0 dropped by default. |
| fw_allow_tcp_port0 | Int (bool) | 1 | TCP port 0 dropped by default |
| fw_log_udp_port0 | Int (bool) | 1 | Do we log UDP port 0 drops? |
| fw_log_tcp_port0 | Int (bool) | 1 | Do we log TCP port 0 drops? |
| fwconn_smart_conn_reuse | Int (bool) | 1 | Do we use a smart connection reuse algorithm, i.e. whenever a SYN packet is encountered on an established connection we change it to ACK and decide according to server's response. If server responds with an RST, connection is reused. Otherwise (server responds with an ACK), connection is not reused. |
| fw_log_syn_on_estab | Int (bool) | 0 | When SYN is encountered on an established connection and fwconn_smart_conn_reuse is on, server may respond with an ACK packet, which means that the client's SYN was out of state. However, the client's SYN was not necessarily a malicious action. It may have been, for instance, a client application recovering from reboot. The following variable determines whether to log the previous SYN or not. (default=0) |
| fw_trust_rst_on_port | int | "Untrusted" (-2) | Should we trust Resets if sequence verifier is off? |
| fw_accept_syn_rst | int | FW_DONT_ACCEPT_SYN_RST (-2) | This variable specifies a certain service on which SYN-RST packet is allowed. Where it is allowed, previous connection is deleted (if it existed), and a new connection is always recorded, with state BOTH_FIN and without sequence verification. |
| fw_trust_ack_resp_to_syn | Int (bool) | 0 | Determine whether to trust server's ACK that follows client's SYN. The packet will pass or drop according to the value of fw_allow_out_of_state_syn_resp. |
| Listparams | int |
| When set, all the kernel global parameters are printed to the console. |
| fw_allow_simultaneous_ping | Int (bool) | 0 | Allow simultaneous ping to virtual IP and real IP of a cluster machine by storing the ICMP sequence number as one of the connection entry parameters, in order to differentiate between the two IPs. Otherwise, the connections look the same in certain directions. Currently, the feature does not work with SXL. |
| tcp_local_start_timeout | int | 0 | Override TCP start session timeout that is defined in the GUI. |
| tcp_local_end_timeout | int | 0 | Override TCP end session timeout that is defined in the GUI. |
| fwx_max_conns | int | 25000 | Maximum entries in several NAT tables, including fwx_alloc, which is in charge of hide NAT. |
| fwx_udp_hide_high | int | 0 | When not "0", a UDP connection from this (low) port will be hidden behind high port (10000+) instead of low ports (600-1023). |
| fwx_auth_expiration | int | 120 | Expiration in fwx_auth_table, used for folding to security servers. |
| fwx_cluster_hide_for_dynamic_routing | int | 0 | Enables cluster hide for dynamic routing protocols. Changing this variable also changes fwconn_override_dynamic_routing_collision. |
| fwx_g_user_cluster_fold | int | 1 | Enables cluster fold. |
| fwx_do_nat_cache | int | 1 | Should cache be used when trying to match on address translation rules. |
| fwx_g_max_rand_alloc_attempts | int | 30 | Maximum number of attempts to allocate a port before saying there are no available ports. |
| fw_local_interface_anti_spoofing | int | 1 | Local interface anti-spoofing verifies that no packet on the inbound chain has a source IP that matches one of the Gateway's IP addresses. This can be overridden by setting this parameter to "0". |
| fw_antispoofing_enabled | int | 1 | Anti-Spoofing is defined in the topology tab of interfaces. This global parameter can globally disable Anti-Spoofing checks in the enforcement module. To disable anti-spoofing checks, set this kernel global parameter to "0". |
| dns_allowed_chars | int | 0 | The ASCII enforcement as part of the DNS protocol enforcement checks that the domain names do not contain illegal characters. These illegal characters are any character other than letters (a-z, A-Z) digits (0-9) hyphen (-) and underscore (_). This global parameter allows adding up to 4 extra characters that have decimal value less than 128. For example, in order to allow backtick (`) define dns_allowed_chars to the value "96". |
| enforce_tkey_class_any | int | 1 | The DNS enforcement verifies that the TKEY/TSIG resource record class is "ANY". If this global parameter is set to "0", this field will be ignored. |
| dns_disable_servers_check | int | 0 | When enabling DNS TCP protocol enforcement, VPN-1/FireWall-1's current implementation limits the size of TCP data in a stream. This limitation is mainly relevant to zone transfers. When the limit is met, a log will be generated with the error message, "DNS data is too long". To overcome this limitation, change this kernel global parameter value from "0" to "1". This will allow traffic between defined DNS servers to pass, without DNS verification. |
| SmartDefense Parameters | |||
| ws_debug_ip | ip | _ | This parameter can be set, in order to focus on debug messages that are related to a specific IP (destination or source). |
| enforce_notify_header | int | 0 | When activated, produces ?Illegal Notify message? log. |
| allow_dnssec_bit | int | 1 | Allows AD ('authentic data') bit in response packet. |
| dns_allowed_chars | int | 0 | User configured additional allowed characters in domain names. |
| dns_maximum_message_length_overflow | int | 2 | Maximal additional bytes in query. When exceeded, produces ?Request packet too long, potential buffer overflow? log. |
| enforce_tkey_class_any | int | 1 | When set, produces ?Bad Resource Record format, TKEY RR class is not ANY? and ?Bad Resource Record format, TSIG RR class is not ANY? logs on DNS class other than ANY. |
| dns_disable_servers_check | int | 0 | When set, allows TCP traffic between known servers to run unchecked. |
Tuesday, September 21, 2010
Wednesday, August 4, 2010
Cisco ASA Stateful Informations, During Failover
Stateful:
When stateful failover is enabled, the active unit continually passes per-connection state information to the standby unit. After a failover occurs, the same connection information is available at the new active unit. Supported end-user applications are not required to reconnect to keep the same communication session.
The state information passed to the standby unit includes these:
The NAT translation table
The TCP connection states
The UDP connection states
The ARP table
The Layer 2 bridge table (when it runs in the transparent firewall mode)
The HTTP connection states (if HTTP replication is enabled)
The ISAKMP and IPSec SA table
The GTP PDP connection database
The information that is not passed to the standby unit when stateful failover is enabled includes these:
The HTTP connection table (unless HTTP replication is enabled)
The user authentication (uauth) table
The routing tables
State information for security service modules
When stateful failover is enabled, the active unit continually passes per-connection state information to the standby unit. After a failover occurs, the same connection information is available at the new active unit. Supported end-user applications are not required to reconnect to keep the same communication session.
The state information passed to the standby unit includes these:
The NAT translation table
The TCP connection states
The UDP connection states
The ARP table
The Layer 2 bridge table (when it runs in the transparent firewall mode)
The HTTP connection states (if HTTP replication is enabled)
The ISAKMP and IPSec SA table
The GTP PDP connection database
The information that is not passed to the standby unit when stateful failover is enabled includes these:
The HTTP connection table (unless HTTP replication is enabled)
The user authentication (uauth) table
The routing tables
State information for security service modules
Monday, July 26, 2010
Packet Flow Sequence in PIS/ASA
Packet Flow Sequence
====================
PIX/ASA - Inside (Higher Sec_Lev) to Outside (Lower SEC_Level)
---------------------------------------------------------------
Eg. Type - [Sub-Type] - Description
1. FLOW-LOOKUP - [] - Check for existing connections, if none found create a new connection.
2. ROUTE-LOOKUP - [input] - Initial Checking (Reverse Path Check, etc.)
3. ACCESS-LIST - [log] - ACL Lookup
4. CONN-SETTINGS - [] - class-map, policy-map, service-policy
5. IP-OPTIONS - [] -
6. NAT - [] - xlate
7. NAT - [host-limits] -
8. IP-OPTIONS - [] -
9. FLOW-CREATION - [] - If everything passes up until this point a connection is created.
10. ROUTE-LOOKUP - [output and adjacency]
====================
PIX/ASA - Inside (Higher Sec_Lev) to Outside (Lower SEC_Level)
---------------------------------------------------------------
Eg. Type - [Sub-Type] - Description
1. FLOW-LOOKUP - [] - Check for existing connections, if none found create a new connection.
2. ROUTE-LOOKUP - [input] - Initial Checking (Reverse Path Check, etc.)
3. ACCESS-LIST - [log] - ACL Lookup
4. CONN-SETTINGS - [] - class-map, policy-map, service-policy
5. IP-OPTIONS - [] -
6. NAT - [] - xlate
7. NAT - [host-limits] -
8. IP-OPTIONS - [] -
9. FLOW-CREATION - [] - If everything passes up until this point a connection is created.
10. ROUTE-LOOKUP - [output and adjacency]
Checkpoint Nokia / Secure Platform : Backup Methods : CMA and Gateway
NOKIA
The Nokia IP series appliance comes with an option in Voyager to perform a backup. This will backup and restore the configuration for both Nokia IPSO and firewall packages. The files backed up when using the Nokia Voyager's Backup and Restore function are listed below.
Under the $FWDIR, the following files are backed up during the backup process:
Under the $CPDIR, the following files are backed up during the backup process:
Secure Platform
Secure Platform NG with Application Intelligence and NGX provide a command line or Web GUI capability for conducting backups of your system settings and products configuration. The backup utility can store backups either locally on the SecurePlatform machine hard drive or remotely to a TFTP server or SCP server. The backup can be performed on request, or can be scheduled to take place at set intervals.
The backup files are kept in tar gzipped format (.tgz). Backup files saved locally are kept in
See the Secure Platform documentation for exact syntax for the backup command.
You can choose to export the existing Check Point configuration of your machine (including which Check Point products are installed, and all their configuration files). This can be later used to import to a clean machine (any Check Point supported OS), enabling you to replace an existing machine with another (with an identical Check Point configuration).
The exported file is saved in the
The first time installation wizard will offer to get an imported file from a TFTP server, and later will invoke the Check Point upgrade wrapper that will allow you to import the configuration from that file.
UPGRADE _EXPORT
The
You can log in to SmartDashboard and install an existing Security Policy without having to reset SIC. This process minimizes downtime in the event of catastrophic system failure.
Import and Export tools are located under
The Nokia IP series appliance comes with an option in Voyager to perform a backup. This will backup and restore the configuration for both Nokia IPSO and firewall packages. The files backed up when using the Nokia Voyager's Backup and Restore function are listed below.
Under the $FWDIR, the following files are backed up during the backup process:
$FWIR/conf/*
$FWDIR/state/*
$FWDIR/database/*
$FWDIR/lib/user.def
$FWDIR/lib/control.map
$FWDIR/etc Under the $CPDIR, the following files are backed up during the backup process:
$CPDIR/conf/*
$CPDIR/database/*
$CPDIR/registry/*
$CPDIR/etc/* Secure Platform
Secure Platform NG with Application Intelligence and NGX provide a command line or Web GUI capability for conducting backups of your system settings and products configuration. The backup utility can store backups either locally on the SecurePlatform machine hard drive or remotely to a TFTP server or SCP server. The backup can be performed on request, or can be scheduled to take place at set intervals.
The backup files are kept in tar gzipped format (.tgz). Backup files saved locally are kept in
/var/CPbackup/backups. The restore command line utility is used for restoring SecurePlatform settings and/or Product configuration from backup files.See the Secure Platform documentation for exact syntax for the backup command.
You can choose to export the existing Check Point configuration of your machine (including which Check Point products are installed, and all their configuration files). This can be later used to import to a clean machine (any Check Point supported OS), enabling you to replace an existing machine with another (with an identical Check Point configuration).
The exported file is saved in the
/var/tmp/cpexport file. You can use TFTP to transfer it to a TFTP server (use the 'sysconfig' utility, "Export Setup"). The "Import" option can only be accomplished on a clean machine. Install SecurePlatform, and use the shell for the initial setup (through 'sysconfig').The first time installation wizard will offer to get an imported file from a TFTP server, and later will invoke the Check Point upgrade wrapper that will allow you to import the configuration from that file.
UPGRADE _EXPORT
The
upgrade_export tool is used for Smartcenter server to export a copy of the rules and user databases. During the installation process, there is an option called Installation using Imported Configuration. At this point, you can select the previously exported tgz file to import, and then automatically installs the new software and utilizes the imported .tgz configuration file.You can log in to SmartDashboard and install an existing Security Policy without having to reset SIC. This process minimizes downtime in the event of catastrophic system failure.
Import and Export tools are located under
$/FWDIR/bin/upgrade_tools or on the installation CD-ROM.
Thursday, July 15, 2010
Everything Have a Reason and I Need to Know that - RST Packet from Server - TCP Stack
Last week I faced a strange issue. Thou it was a good experience, lost my sleep for for a night at-least!! The problem was with TCP 3-way Handshake.. So I took a capture in server, I could see SYN packets coming from client, SYN ACK going back from server, and finally a "RST" from server.... Here I got screwed... Why "RST" from Server.. I thought of all conditions even if I don't know the exact working of TCP stack..
I looked into wireshark, could see TCP retransmission from SYN as well as SYN ACK. I decided to read some TCP stack stufff..
Next day I got call saying the issue is resolved, but HOW?? No one is interested in looking into that (F____rs) and I hate it most when putting things in a black HOLE.. One more day and I was so restless.. Needed a reason for "RST"
Finally yesterday I found the reason, could sleep well..
So reason is as follows
When ever a SYN or SYN ACK sent, there will a timer and first time it will set for 3 seconds.. after 3 sec if no response from peer, TCP will resend the packet and the timer will be set to 6 Seconds (Double)... after 6 sec if no response from peer, TCP will resend the packet and the timer will be set to 12 Seconds (Double)... even after this no response (after 21 Sec from the first packet); the server will send a "RST" packet, which is quiet normal...
The issue was in WAN, which never delivered SYN ACK to the other end.. (Some IPSC Crypto ACL problem)
Mistakes Which I did : I should have asked for the other end Capture toooo.. :)
Anyway I am happy to find a reason..
NB: I stick to my theory in practical way, will find a reason for each and everything and it will be audited.. Because I believe in RCA (Root Cause Analysis)
I looked into wireshark, could see TCP retransmission from SYN as well as SYN ACK. I decided to read some TCP stack stufff..
Next day I got call saying the issue is resolved, but HOW?? No one is interested in looking into that (F____rs) and I hate it most when putting things in a black HOLE.. One more day and I was so restless.. Needed a reason for "RST"
Finally yesterday I found the reason, could sleep well..
So reason is as follows
When ever a SYN or SYN ACK sent, there will a timer and first time it will set for 3 seconds.. after 3 sec if no response from peer, TCP will resend the packet and the timer will be set to 6 Seconds (Double)... after 6 sec if no response from peer, TCP will resend the packet and the timer will be set to 12 Seconds (Double)... even after this no response (after 21 Sec from the first packet); the server will send a "RST" packet, which is quiet normal...
The issue was in WAN, which never delivered SYN ACK to the other end.. (Some IPSC Crypto ACL problem)
Mistakes Which I did : I should have asked for the other end Capture toooo.. :)
Anyway I am happy to find a reason..
NB: I stick to my theory in practical way, will find a reason for each and everything and it will be audited.. Because I believe in RCA (Root Cause Analysis)
Wednesday, July 7, 2010
Fnd the Cluster IP (Virtual IP ) in SPALT
How to find the Cluster IP (Virtual IP ) Associated to all interfaces in SPALT, here is the way..
cphaprob -a if
cphaprob -a if
Tuesday, June 29, 2010
Know the Changes Happening Around You: How do I configure mail alerts for policy push in NGX?
Change is the Only Constant in LIFE, but its very much important to know the changes happening around you, always keep one eye on all....
In NGX mail alerts for policy pushes are now configured thorough SmartView Monitor. The steps are as followed.
1. In Smart Dash Board verify the mail alter script is setup.
1. Select Global Properties > Log and Alert > Alert Commands.
2. Check "Run mail alert script"
3. Enter into script field:
internal_sendmail [-s
Example:
internal_sendmail -s alert -t 10.11.12.112 -f admin@admin.com fwadmin@admin.com
internal_sendmail -s alert -t 10.11.12.112 -f admin@admin.com fwadmin@admin.com
2. Open up SmartView Monitor
3. In the SmartView select File > New > Gateways View. The Dialog window appears for Gateways Properties4. In the "Select Available Fields from" drop down menu select "Firewall".
5. Under the "Available fields" add Security Policy and Security Policy Installation.
6. Click OK.
7. Now you will see a new Custom view on the right side for SmartView Monitor. You can re-name it what you would like.
8. Now you need to set a threshold. In the Custom branch of the tree view on the left hand side right click on you new Custom setting and select run.
9. Select the gateway for which you would like create an alert for.
10. Right-click and select "Configure Thresholds".
11. In the new Dialog window you can select "Custom" for this gateway or "Use global Settings" for all gateways.
12. At the bottom of the Dialog window check the "Enabled" for FireWall-1 Policy, Firewall-1 install time, and Firewall-1 Policy name.
13. Under the action for all the above select change it from "alert" to "mail"
14. Click OK
15. Click the save button to save your changes
16. Verify that the System Alert daemon is started by going to Tools > Start System Alert Daemon in the SmartView Monitor window.
17. Under Smart Dash Board install policy to the firewall
18. Under Policy install Database to the Management module.
Smart View monitor alerts should now be working.:)
Wednesday, June 16, 2010
Everything got a way to exit, just only one exception, "LIFE" - How to Enlarge ARP Cache in SPLAT
The default ARP cache size in SPLAT is 1024. In cases where the number of hosts exceed 1024, you may begin to notice slow initial response times from hosts that are not frequently accessed.
Everything got a way to exit, just only one exception, "LIFE"
To enlarge the ARP cache entry table on-the-fly, run:
#sysctl -w net.ipv4.neigh.default.gc_thresh3=4096
#sysctl -w net.ipv4.neigh.default.gc_thresh2=2048
#sysctl -w net.ipv4.neigh.default.gc_thresh1=1024
To make these changes survive a reboot, modify the /etc/sysctl.conf file to include the following lines:
net.ipv4.neigh.default.gc_thresh1 = 1024
net.ipv4.neigh.default.gc_thresh2 = 2048
net.ipv4.neigh.default.gc_thresh3 = 4096
and reboot the machine.
Everything got a way to exit, just only one exception, "LIFE"
To enlarge the ARP cache entry table on-the-fly, run:
#sysctl -w net.ipv4.neigh.default.gc_thresh3=4096
#sysctl -w net.ipv4.neigh.default.gc_thresh2=2048
#sysctl -w net.ipv4.neigh.default.gc_thresh1=1024
To make these changes survive a reboot, modify the /etc/sysctl.conf file to include the following lines:
net.ipv4.neigh.default.gc_thresh1 = 1024
net.ipv4.neigh.default.gc_thresh2 = 2048
net.ipv4.neigh.default.gc_thresh3 = 4096
and reboot the machine.
Thursday, June 10, 2010
I Luv Errors.. Itz ma Bread n' Butter..... Internet Explorer : Error Codes - Explained
52 Runtime Error
This is a "bad file name or number" error in JavaScript.
It means that the script cannot find a file it is looking for (web-page, course component) and is most likely a connectivity problem.
Try to clear your temporary internet files which should resolve any further problems... If this does not then speak with the website administrator as there may be a problem with the websites server.
400 Bad File Request
Usually means the syntax used in the url is incorrect (e.g. uppercase letter should be lowercase letter; wrong punctuation marks)
401 Unauthorised
The website server is looking for some encryption key(s) from the client (your computer) and is not getting it. Also, a wrong password may have been entered. Try it again, paying close attention to case sensitivity..
403 Forbidden/Access Denied
Similar to 401, special permission is needed to access the website A password and/or username may not be correctly registered on the websites database. Other times the website server may not have the proper permissions set up on its directories...
404 File Not Found
Server cannot find the file you requested. Refreshing the page (F5) should resolve this problem, although continued error messages may mean the page is no longer available, that there is considerable internet congestion (in which case the user should try again later).
Alternatively the file could have been either been moved or deleted, or you entered the wrong URL or document name. Look at the URL. If a word looks misspelled, correct it and try it again. If that doesn't work backtrack by deleting information between each backslash, until you come to a page on that site that isn't a 404.
From there you may be able to find the page you're looking for. This has to be the most common Internet Explorer Error message on the Internet!
408 Request Timeout
Client (your computer) stopped the request before the server finished retrieving it. A user will either hit the stop button, close the browser, or click on a link before the page loads. Usually occurs when servers are slow or file sizes are large.
500 Internal Error
Couldn't retrieve the HTML document because of server-configuration problems.
Contact website administrator...
501 Not Implemented
Web server doesn't support a requested feature.
502 Service Temporarily Overloaded
Server congestion; too many connections; high traffic. Keep trying until the page loads. This can be a common occurrence at peak news times eg. the Twin Towers during September 2001 brought CNN and the BBC news sites to a slow crawl and many folks got this error.
503 Service Unavailable
Server busy, site may have moved, or you lost your dial-up Internet connection!
Bad File Request
Browser may not support the form or other coding you're trying to access.
Connection Refused by Host
Either you do not have permission to access the site or your password is incorrect. Try again!
Errors on Page
This error message is a catch-all statement meaning there is something on the web page that the browser either hasn't read properly (connectivity problem) or there are missing items in the web page itself. This problem normally affects the graphics on a web page.
This can be a temporary glitch (caused by insufficient bandwidth), and may be quickly resolved, or it can have a more complex and longer term problem. With regard to most cases of this Internet Explorer Error message, it is due to not having given sufficient time to download the page you are requesting.
It is necessary to wait until the bottom left hand corner of the page reads 'done' before selecting any other links on the page to move forward.
Failed DNS Lookup
The Domain Name Server can't translate your domain request into a valid Internet address. The website server may be busy or down, or incorrect url (web address) was entered.
File Contains No Data
Page is there but is not showing anything. Error occurs in the document. Attributed to bad table formatting, or stripped header information....
Host Unavailable
Host server down. Hit reload or go to the site later
Network Connection Refused by the Server
The Web server is busy. To resolve this problem, refresh the page. (Press Ctrl and F5).
Runtime Error
(The information in this solution applies to: Internet Explorer 5.5 (SP1) 95 / 98 / 98 Second Edition / NT4.0 / 2000). When you attempt to browse to various websites, you may receive an error message similar to the following 'A runtime error has occurred. Do you wish to debug? Line number Error: Permission Denied.'
This can occur if you upgrade to IE 5.5 (SP1). The upgrade enables the script-debugging and script-error-notification options. (Note: Because there are several versions of Windows, the following steps may be different on your computer. If they are, please consult your product documentation to complete these steps:)
To resolve this issue, disable the script-debugging and script-error-notification options. To do this, follow these steps:
1. Start Internet Explorer.
2. On the Tools menu, click Internet Options.
3. Click the Advanced tab .
4. Click to select the Disable script debugging check box .
5. Click to clear the Display a notification about every script error check box .
6. Click Apply, and then click OK.
Fortunately this is a very rare Internet Explorer Error message...
Script Error
Script errors are caused when something goes wrong when surfing some web pages. It is caused by VBScript or JavaScript code that is embedded within certain web pages. These errors are mostly due to connectivity problems, though can occasionally be caused by browser incompatibilities. Ensure that you have a compatible browser version (IE 5.5 and above or Netscape 4.76 and above).
Unable to Locate Host
Host server is down, Internet connection is lost, or URL typed incorrectly.
If refreshing the page doesn't work, try clearing the Temporary Internet Files and History and refreshing again. You may have to wait until later.
This is a "bad file name or number" error in JavaScript.
It means that the script cannot find a file it is looking for (web-page, course component) and is most likely a connectivity problem.
Try to clear your temporary internet files which should resolve any further problems... If this does not then speak with the website administrator as there may be a problem with the websites server.
400 Bad File Request
Usually means the syntax used in the url is incorrect (e.g. uppercase letter should be lowercase letter; wrong punctuation marks)
401 Unauthorised
The website server is looking for some encryption key(s) from the client (your computer) and is not getting it. Also, a wrong password may have been entered. Try it again, paying close attention to case sensitivity..
403 Forbidden/Access Denied
Similar to 401, special permission is needed to access the website A password and/or username may not be correctly registered on the websites database. Other times the website server may not have the proper permissions set up on its directories...
404 File Not Found
Server cannot find the file you requested. Refreshing the page (F5) should resolve this problem, although continued error messages may mean the page is no longer available, that there is considerable internet congestion (in which case the user should try again later).
Alternatively the file could have been either been moved or deleted, or you entered the wrong URL or document name. Look at the URL. If a word looks misspelled, correct it and try it again. If that doesn't work backtrack by deleting information between each backslash, until you come to a page on that site that isn't a 404.
From there you may be able to find the page you're looking for. This has to be the most common Internet Explorer Error message on the Internet!
408 Request Timeout
Client (your computer) stopped the request before the server finished retrieving it. A user will either hit the stop button, close the browser, or click on a link before the page loads. Usually occurs when servers are slow or file sizes are large.
500 Internal Error
Couldn't retrieve the HTML document because of server-configuration problems.
Contact website administrator...
501 Not Implemented
Web server doesn't support a requested feature.
502 Service Temporarily Overloaded
Server congestion; too many connections; high traffic. Keep trying until the page loads. This can be a common occurrence at peak news times eg. the Twin Towers during September 2001 brought CNN and the BBC news sites to a slow crawl and many folks got this error.
503 Service Unavailable
Server busy, site may have moved, or you lost your dial-up Internet connection!
Bad File Request
Browser may not support the form or other coding you're trying to access.
Connection Refused by Host
Either you do not have permission to access the site or your password is incorrect. Try again!
Errors on Page
This error message is a catch-all statement meaning there is something on the web page that the browser either hasn't read properly (connectivity problem) or there are missing items in the web page itself. This problem normally affects the graphics on a web page.
This can be a temporary glitch (caused by insufficient bandwidth), and may be quickly resolved, or it can have a more complex and longer term problem. With regard to most cases of this Internet Explorer Error message, it is due to not having given sufficient time to download the page you are requesting.
It is necessary to wait until the bottom left hand corner of the page reads 'done' before selecting any other links on the page to move forward.
Failed DNS Lookup
The Domain Name Server can't translate your domain request into a valid Internet address. The website server may be busy or down, or incorrect url (web address) was entered.
File Contains No Data
Page is there but is not showing anything. Error occurs in the document. Attributed to bad table formatting, or stripped header information....
Host Unavailable
Host server down. Hit reload or go to the site later
Network Connection Refused by the Server
The Web server is busy. To resolve this problem, refresh the page. (Press Ctrl and F5).
Runtime Error
(The information in this solution applies to: Internet Explorer 5.5 (SP1) 95 / 98 / 98 Second Edition / NT4.0 / 2000). When you attempt to browse to various websites, you may receive an error message similar to the following 'A runtime error has occurred. Do you wish to debug? Line number Error: Permission Denied.'
This can occur if you upgrade to IE 5.5 (SP1). The upgrade enables the script-debugging and script-error-notification options. (Note: Because there are several versions of Windows, the following steps may be different on your computer. If they are, please consult your product documentation to complete these steps:)
To resolve this issue, disable the script-debugging and script-error-notification options. To do this, follow these steps:
1. Start Internet Explorer.
2. On the Tools menu, click Internet Options.
3. Click the Advanced tab .
4. Click to select the Disable script debugging check box .
5. Click to clear the Display a notification about every script error check box .
6. Click Apply, and then click OK.
Fortunately this is a very rare Internet Explorer Error message...
Script Error
Script errors are caused when something goes wrong when surfing some web pages. It is caused by VBScript or JavaScript code that is embedded within certain web pages. These errors are mostly due to connectivity problems, though can occasionally be caused by browser incompatibilities. Ensure that you have a compatible browser version (IE 5.5 and above or Netscape 4.76 and above).
Unable to Locate Host
Host server is down, Internet connection is lost, or URL typed incorrectly.
If refreshing the page doesn't work, try clearing the Temporary Internet Files and History and refreshing again. You may have to wait until later.
Wednesday, June 9, 2010
Every Small Things Have Its OWN Significance : Nokia Backip thru CLISH
I think now a days am becoming lazy... Two days back I got a call from one of my colleague, he want to back up Nokia, ofcoz Answer was as simple as that.. Goto Voyager=>backup.. But not all the time... he don't have any access to voyager, and its a Severity 1 Call..
I thought of CLISH.. the command line of Nokia, which I skipped during my studies thinking that Voyager Gonna Help me for all..
Yes.. I found that Clish Can Do That..
BACKUP USING CLISH
==================
1.clish -c "set backup manual filename ipso-backup"
2.clish -c "set backup manual on"
3. check the back created in /var/backup/
BACKUP RESTORE
==============
To restore run the following command :
view sourceprint?1.clish -c "set restore manual /[path]/[filename].tgz
Moral Story
===========
Dont Leave anything thinking that better is available.. When you are in trouble small things gonna play the role.... Enuf for 2DAY..
I thought of CLISH.. the command line of Nokia, which I skipped during my studies thinking that Voyager Gonna Help me for all..
Yes.. I found that Clish Can Do That..
BACKUP USING CLISH
==================
1.clish -c "set backup manual filename ipso-backup"
2.clish -c "set backup manual on"
3. check the back created in /var/backup/
BACKUP RESTORE
==============
To restore run the following command :
view sourceprint?1.clish -c "set restore manual /[path]/[filename].tgz
Moral Story
===========
Dont Leave anything thinking that better is available.. When you are in trouble small things gonna play the role.... Enuf for 2DAY..
Sunday, May 16, 2010
NAT PRECEDENCE in CISCO
NAT PRECEDENCE
==============
1. Existing XLate
2. NAT 0
3. Satic NAT
3. Dynamic NAT, nat (inside)
==============
1. Existing XLate
2. NAT 0
3. Satic NAT
3. Dynamic NAT, nat (inside)
Tuesday, May 11, 2010
Sometimes Answers will be a Question !!!! Route Precedence
Recently I got a call from one of my followers, asking if we have three routes
10.10.10.0/24 via bgp
10.10.10.0/24 via ospf
10.10.0.0/16 via eigrp
which route will take for 10.10.10.1??
Now the basic funda is,
Route selection precedence is as follows
1. Most Specific route
2. AD value
3. Metric
Now here most specific routes are
10.10.10.0/24 via bgp
10.10.10.0/24 via ospf
Now AD value will come in the picture as tie breaker....
Take a look at the following Table for AD values
Default Administrative Distances
Connected 0
Static 1
eBGP 20
EIGRP (internal) 90
IGRP 100
OSPF 110
IS-IS 115
RIP 120
EIGRP (external) 170
iBGP 200
EIGRP summary route 5
Now the Answer is a question, Which BGP route was that, EBGP or IBGP??
If it is IBGP (AD value: 200), OSPF routes will get precedence…. Else it gonna take BGP routes (AD Value: 20)
10.10.10.0/24 via bgp
10.10.10.0/24 via ospf
10.10.0.0/16 via eigrp
which route will take for 10.10.10.1??
Now the basic funda is,
Route selection precedence is as follows
1. Most Specific route
2. AD value
3. Metric
Now here most specific routes are
10.10.10.0/24 via bgp
10.10.10.0/24 via ospf
Now AD value will come in the picture as tie breaker....
Take a look at the following Table for AD values
Default Administrative Distances
Connected 0
Static 1
eBGP 20
EIGRP (internal) 90
IGRP 100
OSPF 110
IS-IS 115
RIP 120
EIGRP (external) 170
iBGP 200
EIGRP summary route 5
Now the Answer is a question, Which BGP route was that, EBGP or IBGP??
If it is IBGP (AD value: 200), OSPF routes will get precedence…. Else it gonna take BGP routes (AD Value: 20)
Thursday, May 6, 2010
Checkpoint : How to Find the the Management Interface
It will be gud if you know the one who controls you.. So I was thinking how to get it in SPLAT and I was sure that they are storing it somewhere as they ask during configuration...
Finally I found the file:
more /etc/sysconfig/external.if
Finally I found the file:
more /etc/sysconfig/external.if
Sunday, May 2, 2010
GRE is like Girls!!! - GRE Tunnel in IPSEC - there will be twists in the Story...
Atleast I could not sleep for two dayz thinking, why GRE (Generic Routing Encapsulation) is required in IPSec when we run Dynamic Routing Protocols...
I talked to techies which I ever trust... all said "its required" but their answers were not enuf for me to sleep... eventually I reached office very early.. Started with my friend Google... My biggest confusion was IPSec works in Layer 3 , why they cant accommodate the dynamic routing protocol which runs on the same layer... Why it is not compatible... ??
Finally I found the answer... Its nothing but IPSec doesnt support Multicast Traffic.. I recalled my routing KB, yeas,,, most of the routing updates are done with Multicast.. So they needed a work around, and hence GRE into the scene... Now what is GRE....??
GRE is nothing but, type of a VPN, which create a virtual tunnel towards the destination from a particular source..
It hides the Multicast Packets, generated by your D. Routing Protocol and fools IPSEC, pretending that its a normal IP Packet.. I felt GRE is just like girls, hiding so many things in them and pretends everything normal...
Now, is GRE is only meant for IPSEC?? Answer is simplee.. NO.. whenever you want to hide something from your transit path, can do the same..
It seems nothing wrong in hiding something and fooling someone .... here is the twist, there will be overheads for these type of packets.. Did you forget the MSS value... ?? So beware those who fools someone.. there will be twists in the Story...
I talked to techies which I ever trust... all said "its required" but their answers were not enuf for me to sleep... eventually I reached office very early.. Started with my friend Google... My biggest confusion was IPSec works in Layer 3 , why they cant accommodate the dynamic routing protocol which runs on the same layer... Why it is not compatible... ??
Finally I found the answer... Its nothing but IPSec doesnt support Multicast Traffic.. I recalled my routing KB, yeas,,, most of the routing updates are done with Multicast.. So they needed a work around, and hence GRE into the scene... Now what is GRE....??
GRE is nothing but, type of a VPN, which create a virtual tunnel towards the destination from a particular source..
It hides the Multicast Packets, generated by your D. Routing Protocol and fools IPSEC, pretending that its a normal IP Packet.. I felt GRE is just like girls, hiding so many things in them and pretends everything normal...
Now, is GRE is only meant for IPSEC?? Answer is simplee.. NO.. whenever you want to hide something from your transit path, can do the same..
It seems nothing wrong in hiding something and fooling someone .... here is the twist, there will be overheads for these type of packets.. Did you forget the MSS value... ?? So beware those who fools someone.. there will be twists in the Story...
Thursday, April 22, 2010
Its always good to ask your partner first, but what if you dont have one / they are not responding properly?? - Checkpoint - Policy Synchronisation
How you will update the changes happened when you were out of home...
I would say its always good* to ask your better half .. Dont worry if they are not reponding / you dont have one, its temporary,,,!!! You can ask someone you trust (in Checkpoint its SCS)....
The same thing is happening when your cluster member returns/recovers in clustered environment of checkpoint..
When a failed cluster member recovers, it will first try to take a policy from one of the other cluster members. The assumption is that the other cluster members have a more up to date policy. If this does not succeed, it compares its own local policy to the policy on the SmartCenter server. If the policy on the SmartCenter server is more up to date than the one on the cluster member, the policy on the SmartCenter server will be retrieved. If the cluster member does not have a local policy, it retrieves one from the SmartCenter server. This ensures that all cluster members use the same policy at any given moment.
*Applicable for only who trust their partner :-p
I would say its always good* to ask your better half .. Dont worry if they are not reponding / you dont have one, its temporary,,,!!! You can ask someone you trust (in Checkpoint its SCS)....
The same thing is happening when your cluster member returns/recovers in clustered environment of checkpoint..
When a failed cluster member recovers, it will first try to take a policy from one of the other cluster members. The assumption is that the other cluster members have a more up to date policy. If this does not succeed, it compares its own local policy to the policy on the SmartCenter server. If the policy on the SmartCenter server is more up to date than the one on the cluster member, the policy on the SmartCenter server will be retrieved. If the cluster member does not have a local policy, it retrieves one from the SmartCenter server. This ensures that all cluster members use the same policy at any given moment.
*Applicable for only who trust their partner :-p
Monday, April 19, 2010
Checkpoint : fw ctl pstat - Thanks Shanawazzzzz
Yeas.... I remember his name, "Shanawaz", asked me a bloody question (at least for me that time) .. What is the command “fw ctl pstat” used for.. I was clarifying the question by asking him fw ctl p???? what.. (As if am another PhoneBOY)
Literally he was laughing at me in the video conferencing…. Ofcoz I was thinking what to laugh….. !!! In a way I was happy, at least he was laughing at me just in front. Thank God…. that laugh ended up with my CCSA Certification.. of coz they told me a sorry at the end of our discussion.. haha .. Nothing new... as am in TRANS of another "Sorry"..
Now what is fw ctl pstat??
According to me, its nothing but a fw command with which we can monitor the heath of your CP box., especially Syc Status.. Am sure that you will love this command and say thanks for CP for this……
As I have mentioned in my previous post, SYC is so important (at least this time not start but to CONTINUE)
Am taking an example to explain the same.. here we go…….
Sync:
Version: new
Status: Able to Send/Receive sync packets
Sync packets sent:
total : 466729198, retransmitted : 241305, retrans reqs : 6089, acks : 809
Sync packets received:
total : 77283541, were queued : 6715, dropped by net : 6079
retrans reqs : 37462, received 175 acks
retrans reqs for illegal seq : 0
dropped updates as a result of sync overload: 0
Delta Sync memory usage: currently using XX KB mem
Callback statistics: handled 138 cb, average delay : 2, max delay : 34
Number of Pending packets currently held: 1
Packets released due to timeout: 18
Explanation:
Version: new
This line must appear if synchronization is configured (versions above 4.1)
Status: Able to Send/Receive sync packets
If sync is unable to either send or receive packets, there is a problem
Sync packets sent:
total : 466729198, retransmitted : 241305, retrans reqs : 6089, acks : 809
TOTAL number of sync packets is non-zero and increasing
RETRANS REQS may increase under load
Sync packets received:
total : 77283541, were queued : 6715, dropped by net : 6079
QUEUED value never decreases - A non-zero value does not indicate a problem
DROPPED BY NET number may indicate network congestion
The “dropped by net” counter is incremented when the cluster member receives a sync packet with a sequence number which is higher than the expected seq num. This means packets with lower seq where lost somewhere along the way, and we need to find out where.
retrans reqs : 37462, received 175 acks
RETRANS REQS growing very fast may indicate that the load is becoming too high
retrans reqs for illegal seq : 0
May indicate a sync problem
dropped updates as a result of sync overload: 0
In a heavily loaded system, the cluster member may drop synchronization updates sent from another cluster member
Delta Sync memory usage: currently using XX KB mem
This statistic only appears for a non-zero value.
It requires memory only while full sync is occurring at other times, Delta sync requires no memory
Callback statistics: handled 138 cb, average delay : 2, max delay : 34
This statistic only appears for a non-zero value.
AVERAGE DELAY should be 1-5 packets, otherwise indicates an overload of sync traffic
Number of Pending packets currently held: 1
This statistic only appears for a non-zero value.
Packets released due to timeout: 18
This statistic only appears for a non-zero value.
If the it is large (more than 100 pending packets), and the "Number of Pending packets currently held" is small, you should take action to reduce the number of pending packets.
To tackle this problem, try google "Reducing the Number of Pending Packets".
Hey.. Now who is shanawaz….!!!
He was my interviewer (Not revealing his company), Anyway.. Thanks Dude for asking me that….
Literally he was laughing at me in the video conferencing…. Ofcoz I was thinking what to laugh….. !!! In a way I was happy, at least he was laughing at me just in front. Thank God…. that laugh ended up with my CCSA Certification.. of coz they told me a sorry at the end of our discussion.. haha .. Nothing new... as am in TRANS of another "Sorry"..
Now what is fw ctl pstat??
According to me, its nothing but a fw command with which we can monitor the heath of your CP box., especially Syc Status.. Am sure that you will love this command and say thanks for CP for this……
As I have mentioned in my previous post, SYC is so important (at least this time not start but to CONTINUE)
Am taking an example to explain the same.. here we go…….
Sync:
Version: new
Status: Able to Send/Receive sync packets
Sync packets sent:
total : 466729198, retransmitted : 241305, retrans reqs : 6089, acks : 809
Sync packets received:
total : 77283541, were queued : 6715, dropped by net : 6079
retrans reqs : 37462, received 175 acks
retrans reqs for illegal seq : 0
dropped updates as a result of sync overload: 0
Delta Sync memory usage: currently using XX KB mem
Callback statistics: handled 138 cb, average delay : 2, max delay : 34
Number of Pending packets currently held: 1
Packets released due to timeout: 18
Explanation:
Version: new
This line must appear if synchronization is configured (versions above 4.1)
Status: Able to Send/Receive sync packets
If sync is unable to either send or receive packets, there is a problem
Sync packets sent:
total : 466729198, retransmitted : 241305, retrans reqs : 6089, acks : 809
TOTAL number of sync packets is non-zero and increasing
RETRANS REQS may increase under load
Sync packets received:
total : 77283541, were queued : 6715, dropped by net : 6079
QUEUED value never decreases - A non-zero value does not indicate a problem
DROPPED BY NET number may indicate network congestion
The “dropped by net” counter is incremented when the cluster member receives a sync packet with a sequence number which is higher than the expected seq num. This means packets with lower seq where lost somewhere along the way, and we need to find out where.
retrans reqs : 37462, received 175 acks
RETRANS REQS growing very fast may indicate that the load is becoming too high
retrans reqs for illegal seq : 0
May indicate a sync problem
dropped updates as a result of sync overload: 0
In a heavily loaded system, the cluster member may drop synchronization updates sent from another cluster member
Delta Sync memory usage: currently using XX KB mem
This statistic only appears for a non-zero value.
It requires memory only while full sync is occurring at other times, Delta sync requires no memory
Callback statistics: handled 138 cb, average delay : 2, max delay : 34
This statistic only appears for a non-zero value.
AVERAGE DELAY should be 1-5 packets, otherwise indicates an overload of sync traffic
Number of Pending packets currently held: 1
This statistic only appears for a non-zero value.
Packets released due to timeout: 18
This statistic only appears for a non-zero value.
If the it is large (more than 100 pending packets), and the "Number of Pending packets currently held" is small, you should take action to reduce the number of pending packets.
To tackle this problem, try google "Reducing the Number of Pending Packets".
Hey.. Now who is shanawaz….!!!
He was my interviewer (Not revealing his company), Anyway.. Thanks Dude for asking me that….
Avoid Breakup... By Any Means : CheckPoint : Check Firewalls in Sync
Every "TRUE" Relation needs syncronisation..
Most of the relations are breaking up just because of lack of Communication, May be a Sync Problem..
The same problem which we face/faced in normal life can happen in a clustered environment, will lead into misbehaviour in cluster node... So before the "BreakUP" happens try the following in case of checkpoint... However am not good to give a similar solution in real LIFE...
How can I check that my Checkpoint Cluster is in Sync ?
In order to ensure that the State Tables of all your nodes within your Checkpoint Cluster are syncronised you will need to check the #VALS of your State Table summary on each node.
You may find that these figures aren`t identical but this is just down to the delay/latancy in which occurs between State Syncronisations. You should only be concerned if the values are hunreds or even thousands out.
The best way to view the State Table summaries (on SPLAT based firewalls) is to run the command watch 'fw tab -t connections -s'.
Check the State Tables on both nodes, checking for the #VAL totals. It should be somewhat same.. Linearly same.. :-)
So whenever possible, check SYNC Regularly to avoid BREAKUP....
Most of the relations are breaking up just because of lack of Communication, May be a Sync Problem..
The same problem which we face/faced in normal life can happen in a clustered environment, will lead into misbehaviour in cluster node... So before the "BreakUP" happens try the following in case of checkpoint... However am not good to give a similar solution in real LIFE...
How can I check that my Checkpoint Cluster is in Sync ?
In order to ensure that the State Tables of all your nodes within your Checkpoint Cluster are syncronised you will need to check the #VALS of your State Table summary on each node.
You may find that these figures aren`t identical but this is just down to the delay/latancy in which occurs between State Syncronisations. You should only be concerned if the values are hunreds or even thousands out.
The best way to view the State Table summaries (on SPLAT based firewalls) is to run the command watch 'fw tab -t connections -s'.
Check the State Tables on both nodes, checking for the #VAL totals. It should be somewhat same.. Linearly same.. :-)
So whenever possible, check SYNC Regularly to avoid BREAKUP....
Friday, April 16, 2010
SPLAT - Forgot Standard Password
SecurePlatform Administrator password (Standard mode) lost Cannot reboot SecurePlatform to Standard mode ??
Note: Following steps are not used for recovering "Expert Password"
Solution
Maintenance mode should be used in rare system emergencies, such as when there is a problem rebooting the system, or the standard Administrator password is lost.
To reboot in this mode:
1) Select “SecurePlatform with Application Intelligence [Maintenance Mode]” at the boot-loader screen, after SecurePlatform reboots.
2) Enter Expert password.
The Maintenance Mode boot option in SecurePlatform is known on UNIX systems as “single-user mode”. In this mode, SecurePlatform boots to runlevel 1. The local file systems will be mounted, but the network will not be activated. The SecurePlatform Administrator can have an usable system-maintenance shell.
In Maintenance mode, the Administrator password can be reset as follows:
1) At the bash shell prompt, type "passwd":
sh-2.05#passwd newadmin (The name 'newadmin' is an example).
Changing password for user newadmin
New UNIX password:
Retype new UNIX password:
The message "passwd: all authentication tokens updated successfully" appears.
2) After the new Administrator password is reset, reboot the SecurePlatform machine (as follows), and log in to Standard mode using the new password:
sh-2.05#reboot
3) When the boot-loader menu appears, select the default option.
4) Enter Administrator name and new password to log in to Standard mode.
Note: Following steps are not used for recovering "Expert Password"
Solution
Maintenance mode should be used in rare system emergencies, such as when there is a problem rebooting the system, or the standard Administrator password is lost.
To reboot in this mode:
1) Select “SecurePlatform with Application Intelligence [Maintenance Mode]” at the boot-loader screen, after SecurePlatform reboots.
2) Enter Expert password.
The Maintenance Mode boot option in SecurePlatform is known on UNIX systems as “single-user mode”. In this mode, SecurePlatform boots to runlevel 1. The local file systems will be mounted, but the network will not be activated. The SecurePlatform Administrator can have an usable system-maintenance shell.
In Maintenance mode, the Administrator password can be reset as follows:
1) At the bash shell prompt, type "passwd
sh-2.05#passwd newadmin (The name 'newadmin' is an example).
Changing password for user newadmin
New UNIX password:
Retype new UNIX password:
The message "passwd: all authentication tokens updated successfully" appears.
2) After the new Administrator password is reset, reboot the SecurePlatform machine (as follows), and log in to Standard mode using the new password:
sh-2.05#reboot
3) When the boot-loader menu appears, select the default option.
4) Enter Administrator name and new password to log in to Standard mode.
Thursday, April 15, 2010
Finding Smartcenter Server - from Gateway
It will be easy for you when you troubleshoot / isolate issues, ofcourse you will be knowing your object name of your smartcenter server in small deployments, but what about big deployements,
Attimes we may need to issue "fw fetch [SCSobjectname]" from your gateway..
how we can find the SCS (SmartCenter Server) object name from gateway..
Here is the magic..
go to gateway and issue
more $FWDIR/conf/masters
You will find the policy server, logserver and alert server.. Happy???
Attimes we may need to issue "fw fetch [SCSobjectname]" from your gateway..
how we can find the SCS (SmartCenter Server) object name from gateway..
Here is the magic..
go to gateway and issue
more $FWDIR/conf/masters
You will find the policy server, logserver and alert server.. Happy???
Checkpoint Important Ports
VPN-1 binds to some well-known ports and a few not-so well known ports. This document will explain what ports these are, what they are used for, and, if applicable, how to disable them.
Various parts of FireWall-1 bind to various ports on the system. Typically, they intercept connections traversing through the firewall, but in order for this to work correctly, they must bind to their own port and listen. In general, the services bound to these ports do not pose any sort of security risk. If no policy is in place or the policy permits access to these ports inadvertenly, the processes themselves are smart enough to reject direct requests to these ports. In the case of the SAM and LEA ports (see below), these ports require authentication in much the same way that remote management does, so it is not believed to be a security risk.
TCP Port 256 is used for three important things:
Exchange of CA and DH keys in FWZ and SKIP encryption between two FireWall-1 Management Consoles
SecuRemote build 4005 and earlier uses this port to fetch the network topology and encryption keys from a FireWall-1 Management Console
When instaling a policy, the management console uses this port to push the policy to the remote firewall.
TCP Port 257 (FW1_log) is used for logging purposes.
TCP Port 258 is used by the fwpolicy remote GUI. FireWall-1 will only listen to this port on a management console.
TCP Port 259 is used for Client Authentication via telnet. FireWall-1 will only listen to this port on a firewall module.
UDP Port 259 is used in FWZ encryption to manage the encrypted session (SecuRemote and FireWall-1 to FireWall-1 VPNs).
UDP Port 260 and UDP Port 161 are used for the SNMP daemon that Check Point FireWall-1 Provides.
TCP Port 262 is used by netsod, which is the Single Sign-on Daemon. This can be disabled by commenting out the line that contains netsod in $FWDIR/conf/fwauthd.conf.
TCP Port 264 is used for Secure Client (SecuRemote) build 4100 and later to fetch network topology and encryption keys from a FireWall-1 Management Console. FireWall-1 will only listen to this port on a management console.
UDP Port 500 is used for ISAKMP key exchange between firewalls or between a firewall and a host running Secure Client. FireWall-1 will only listen to this port on a firewall module.
TCP Port 900 is used by FireWall-1's HTTP Client Authentication mechanism. This can be disabled by commenting the appropriate line in $FWDIR/bin/fwauthd.conf.
TCP Port 4532 is used for the Session Auth agent, asessiond.
TCP Ports above 1024, other than the ones listed below, are generally any Security Servers that are active. The actual ports used by these servers will vary. 1024 is the lowest & 65535 is the highest port a Security Server process will use for a connection. If you wish to minimize the number of ports listening, comment out the appropriate lines from $FWDIR/conf/fwauthd.conf. Note that if you disable a security server in this fashion, you can not use its capabilities (like content security or authentication), so make sure you only do it for the security servers you know you are not using.
TCP Port 18181 is used for CVP (Content Vectoring Protocol, for anti-virus scanning). FireWall-1 will not listen on this port.
TCP Port 18182 is used for UFP (URL Filtering Protocol, for WebSense and the like). FireWall-1 will not listen on this port.
TCP Port 18183 is used for SAM (Suspicious Activity Monitoring, for intrusion detection). If you do not use these features, you can comment out the appropriate lines in $FWDIR/conf/fwopsec.conf.
TCP Port 18184 is used for Log Export API (lea). If you do not use these features, you can comment out the appropriate lines in $FWDIR/conf/fwopsec.conf.
TCP Port 18186 (FW1_omi-sic) is used for Secure Internal Communications (SIC) between OPSEC certified products and a NG FireWall module.
TCP Port 18190 (CPMI) is used by the FireWall Management process (FWM) to listen for NG Management Clients attempting to connect to the management module.
TCP Port 18191 (CPD) is used by the CPD process for communications such as policy installation, certificate revocation, and status queries.
TCP Port 18192 (CPD_amon) is used by the CPD process FireWall Application Monitoring.
TCP Port 18196 is used for CPEPS which is part of User Monitor.
TCP Port 18207 is used by polsrvd, which is the Single Sign-on Daemon. This can be disabled by commenting out the line that contains polsrvd in $FWDIR/conf/fwauthd.conf.
TCP Port 18210 (FW1_ica_pull): The CPD process, on the management module, is listening on TCP port 18210 for certificates to be "pulled" by a FireWall module from a management module.
TCP Port 18211 (FW1_ica_push): The Check Point Daemon (CPD) process, running on the FireWall module, listens on TCP port 18211 for certificate creation and for the "push" of the certificate to the FireWall module from the management module.
Should you make any changes above, the 'fwd' process will need to be restarted as follows:
nokia[admin]# fw kill fwd
nokia[admin]# fwd `cat $FWDIR/conf/masters`
Various parts of FireWall-1 bind to various ports on the system. Typically, they intercept connections traversing through the firewall, but in order for this to work correctly, they must bind to their own port and listen. In general, the services bound to these ports do not pose any sort of security risk. If no policy is in place or the policy permits access to these ports inadvertenly, the processes themselves are smart enough to reject direct requests to these ports. In the case of the SAM and LEA ports (see below), these ports require authentication in much the same way that remote management does, so it is not believed to be a security risk.
TCP Port 256 is used for three important things:
Exchange of CA and DH keys in FWZ and SKIP encryption between two FireWall-1 Management Consoles
SecuRemote build 4005 and earlier uses this port to fetch the network topology and encryption keys from a FireWall-1 Management Console
When instaling a policy, the management console uses this port to push the policy to the remote firewall.
TCP Port 257 (FW1_log) is used for logging purposes.
TCP Port 258 is used by the fwpolicy remote GUI. FireWall-1 will only listen to this port on a management console.
TCP Port 259 is used for Client Authentication via telnet. FireWall-1 will only listen to this port on a firewall module.
UDP Port 259 is used in FWZ encryption to manage the encrypted session (SecuRemote and FireWall-1 to FireWall-1 VPNs).
UDP Port 260 and UDP Port 161 are used for the SNMP daemon that Check Point FireWall-1 Provides.
TCP Port 262 is used by netsod, which is the Single Sign-on Daemon. This can be disabled by commenting out the line that contains netsod in $FWDIR/conf/fwauthd.conf.
TCP Port 264 is used for Secure Client (SecuRemote) build 4100 and later to fetch network topology and encryption keys from a FireWall-1 Management Console. FireWall-1 will only listen to this port on a management console.
UDP Port 500 is used for ISAKMP key exchange between firewalls or between a firewall and a host running Secure Client. FireWall-1 will only listen to this port on a firewall module.
TCP Port 900 is used by FireWall-1's HTTP Client Authentication mechanism. This can be disabled by commenting the appropriate line in $FWDIR/bin/fwauthd.conf.
TCP Port 4532 is used for the Session Auth agent, asessiond.
TCP Ports above 1024, other than the ones listed below, are generally any Security Servers that are active. The actual ports used by these servers will vary. 1024 is the lowest & 65535 is the highest port a Security Server process will use for a connection. If you wish to minimize the number of ports listening, comment out the appropriate lines from $FWDIR/conf/fwauthd.conf. Note that if you disable a security server in this fashion, you can not use its capabilities (like content security or authentication), so make sure you only do it for the security servers you know you are not using.
TCP Port 18181 is used for CVP (Content Vectoring Protocol, for anti-virus scanning). FireWall-1 will not listen on this port.
TCP Port 18182 is used for UFP (URL Filtering Protocol, for WebSense and the like). FireWall-1 will not listen on this port.
TCP Port 18183 is used for SAM (Suspicious Activity Monitoring, for intrusion detection). If you do not use these features, you can comment out the appropriate lines in $FWDIR/conf/fwopsec.conf.
TCP Port 18184 is used for Log Export API (lea). If you do not use these features, you can comment out the appropriate lines in $FWDIR/conf/fwopsec.conf.
TCP Port 18186 (FW1_omi-sic) is used for Secure Internal Communications (SIC) between OPSEC certified products and a NG FireWall module.
TCP Port 18190 (CPMI) is used by the FireWall Management process (FWM) to listen for NG Management Clients attempting to connect to the management module.
TCP Port 18191 (CPD) is used by the CPD process for communications such as policy installation, certificate revocation, and status queries.
TCP Port 18192 (CPD_amon) is used by the CPD process FireWall Application Monitoring.
TCP Port 18196 is used for CPEPS which is part of User Monitor.
TCP Port 18207 is used by polsrvd, which is the Single Sign-on Daemon. This can be disabled by commenting out the line that contains polsrvd in $FWDIR/conf/fwauthd.conf.
TCP Port 18210 (FW1_ica_pull): The CPD process, on the management module, is listening on TCP port 18210 for certificates to be "pulled" by a FireWall module from a management module.
TCP Port 18211 (FW1_ica_push): The Check Point Daemon (CPD) process, running on the FireWall module, listens on TCP port 18211 for certificate creation and for the "push" of the certificate to the FireWall module from the management module.
Should you make any changes above, the 'fwd' process will need to be restarted as follows:
nokia[admin]# fw kill fwd
nokia[admin]# fwd `cat $FWDIR/conf/masters`
Monday, April 12, 2010
Change Date in Linux
Login to Linux box as root and enter root's password:
[me@mybox me]$ su
password:
Check the current date and time of the Linux box by entering:
[root@mybox me]# date
Linux yields the current settings:
[root@mybox me]# Wed Apr 7 12:03:45 EDT 2004
Change the current time and date of the Linux box by entering:
[root@mybox me]# date 040713032004
would change the time and yield:
[root@mybox me]$ Wed Apr 7 13:03:00 EDT 2004
====================================================
One more option:
Linux Set Date
Use the following syntax to set new data and time:date set="STRING"
For example, set new data to 2 Oct 2006 18:00:00, type the following command as
root user:# date -s "2 OCT 2006 18:00:00"
[me@mybox me]$ su
password:
Check the current date and time of the Linux box by entering:
[root@mybox me]# date
Linux yields the current settings:
[root@mybox me]# Wed Apr 7 12:03:45 EDT 2004
Change the current time and date of the Linux box by entering:
[root@mybox me]# date 040713032004
would change the time and yield:
[root@mybox me]$ Wed Apr 7 13:03:00 EDT 2004
====================================================
One more option:
Linux Set Date
Use the following syntax to set new data and time:date set="STRING"
For example, set new data to 2 Oct 2006 18:00:00, type the following command as
root user:# date -s "2 OCT 2006 18:00:00"
CheckPoint Splat - Setting up SCP
I found this article in internet (Following are not my scripts), am just copy pasting.. :) Nothing but for easyness to access..
This article is intended to help users setup SCP (SecureCopy) on their SPLAT gateways. This is the secure and preferred method of file transfers to and from gateways, as opposed to unsecured FTP. I use putty for SSH and WinSCP for SCP, they are both free programs, but you can use whatever clients you want.NOTE: represents the username(s) you will be adding. For example, my username will be xxxx
1) Add users to each gateway you manage
a) SSH (or console) to gateway and enter expert mode
b) At the command prompt, type: adduser
c) Enter and confirm password for this user
d) Repeat steps a though c for each user to be added
NOTE: If you are unfamiliar with operating in the vi editor, please search for a command list or call your support vendor for assistance
2) Add users to the scpusers file
a) At the command prompt, type: vi /etc/scpusers
b) Type: i <== to enter insert mode
c) Type: <== repeat adding usernames - 1 per line
d) Exit insert mode with the [ESC] key
e) Type: :wq! <== The colon enters command mode and then writes and quits the editor
f) Verify the changes at the command prompt by typing: cat /etc/scpusers <== You should see your users there, one per line
3) Change the new SCP enabled user's default shell to always be in expert mode. At the command prompt, type: chsh -s /bin/bashThat's it! Using your preferred SCP software and provided you have the appropriate rules in place for your IP to access the box, you should now be able to complete secure file transfers to your SPLAT gateways.
This article is intended to help users setup SCP (SecureCopy) on their SPLAT gateways. This is the secure and preferred method of file transfers to and from gateways, as opposed to unsecured FTP. I use putty for SSH and WinSCP for SCP, they are both free programs, but you can use whatever clients you want.NOTE:
1) Add users to each gateway you manage
a) SSH (or console) to gateway and enter expert mode
b) At the command prompt, type: adduser
c) Enter and confirm password for this user
d) Repeat steps a though c for each user to be added
NOTE: If you are unfamiliar with operating in the vi editor, please search for a command list or call your support vendor for assistance
2) Add users to the scpusers file
a) At the command prompt, type: vi /etc/scpusers
b) Type: i <== to enter insert mode
c) Type:
d) Exit insert mode with the [ESC] key
e) Type: :wq! <== The colon enters command mode and then writes and quits the editor
f) Verify the changes at the command prompt by typing: cat /etc/scpusers <== You should see your users there, one per line
3) Change the new SCP enabled user's default shell to always be in expert mode. At the command prompt, type: chsh -s /bin/bash
Sunday, April 11, 2010
Checkpoint Logging Issue
The following article is a list of steps one should go through when troubleshooting logging related issues in a distributed setup.
1. Ensure that you have not run out of disk space on the hard disk that the logs are being sent to. If this is the case, delete or move the logs to an external storage device.
2. Is there communication between the MS and the Module? Test using ping to the MS from the module and then from the Module to the MS (your rules must allow for this). If this fails, and your rules allow for this, then it is most likely a routing issue.
3. Check to see if the fw.log file is growing on the module. It should be if the logs are not going to the MS. From the console run these commands:
cd $FWDIR/log
ls -la
ls -la
Verify that the fw.log file is increasing. If it is increasing then the modules are logging locally instead of forwarding the traffic to the MS. This could be a connectivity issue, or it could be the way the logging is setup. Check the FW object to ensure it is setup to send logs to the MS.
4. Can you fetch a policy? Verify that you can fetch using the hostname and IP address. If this fails then you probably have a SIC issue. To test this run the following commands:
fw fetch hostname_of_MS
fw fetch IP_Addr_of_MS (fetch by IP address also to ensure it is not a DNS issue)
5. Check the masters file. The hostname or IP address of the management station should be listed in there. To check this run the following commands:
cd $FWDIR/conf
cat masters
cat masters
It should be look like this:
[Policy]
hostname_of_MS
[Log]
hostname_of_MS
[Alert]
hostname_of_MS
hostname_of_MS
[Log]
hostname_of_MS
[Alert]
hostname_of_MS
6. Run tcpdumps on the module, listening for port 257 on the interface facing the MS, to see if it is attempting to send logs. To check this run the following command:
tcpdump -i eth-facing-MS port 257 (use the Ctrl+C to break out of the dump)
You should see traffic leaving the FW and heading to the IP address of the MS.
You should also see traffic coming back from the MS.
7. The log file may have gotten corrupt. Run a log switch on the MS and reboot the MS to create a new log file. If logswitch does not work, move all contents of the log directory (do not move the directory itself) to a temp folder outside of the log directory. Reboot and see if the logs start again.
8. Delete the $FWDIR/log files and $FWDIR/state directory files on the module; reboot the module.
Reboot and see if the logs start again.
9. Look to see if there is a listening port for logging. Run the following command on the MS and the module:
netstat -na
You should see the *.257 LISTEN for logging connections. You should also see the IP address of the MS :257 associated with the IP address of each module, and showing an ESTABLISHED connection.
10. Check the log settings for the FW object and make sure the 'Log Server' is set to the MS that should be receiving the logs. This is usually done by default, but may have been changed by a user.
If after going through these steps you are still experiencing logging issues, please open a ticket with Corresponding TAC for further troubleshooting and ofcoz try your way with help of our all time Gaint Mr. Google.. :-)
Checkpoint Troubleshooting - Debugging
Checkpoint Common debugging
Kernel debugging
Usage
% fw ctl debug -buf [buffer size]
% fw ctl debug [-x] [-m] [+|-]
% fw ctl kdebug –f >
Kernel debugging
Usage
% fw ctl debug -buf [buffer size]
% fw ctl debug [-x] [-m
% fw ctl kdebug –f >