How you will update the changes happened when you were out of home...
I would say its always good* to ask your better half .. Dont worry if they are not reponding / you dont have one, its temporary,,,!!! You can ask someone you trust (in Checkpoint its SCS)....
The same thing is happening when your cluster member returns/recovers in clustered environment of checkpoint..
When a failed cluster member recovers, it will first try to take a policy from one of the other cluster members. The assumption is that the other cluster members have a more up to date policy. If this does not succeed, it compares its own local policy to the policy on the SmartCenter server. If the policy on the SmartCenter server is more up to date than the one on the cluster member, the policy on the SmartCenter server will be retrieved. If the cluster member does not have a local policy, it retrieves one from the SmartCenter server. This ensures that all cluster members use the same policy at any given moment.
*Applicable for only who trust their partner :-p
Thursday, April 22, 2010
Monday, April 19, 2010
Checkpoint : fw ctl pstat - Thanks Shanawazzzzz
Yeas.... I remember his name, "Shanawaz", asked me a bloody question (at least for me that time) .. What is the command “fw ctl pstat” used for.. I was clarifying the question by asking him fw ctl p???? what.. (As if am another PhoneBOY)
Literally he was laughing at me in the video conferencing…. Ofcoz I was thinking what to laugh….. !!! In a way I was happy, at least he was laughing at me just in front. Thank God…. that laugh ended up with my CCSA Certification.. of coz they told me a sorry at the end of our discussion.. haha .. Nothing new... as am in TRANS of another "Sorry"..
Now what is fw ctl pstat??
According to me, its nothing but a fw command with which we can monitor the heath of your CP box., especially Syc Status.. Am sure that you will love this command and say thanks for CP for this……
As I have mentioned in my previous post, SYC is so important (at least this time not start but to CONTINUE)
Am taking an example to explain the same.. here we go…….
Sync:
Version: new
Status: Able to Send/Receive sync packets
Sync packets sent:
total : 466729198, retransmitted : 241305, retrans reqs : 6089, acks : 809
Sync packets received:
total : 77283541, were queued : 6715, dropped by net : 6079
retrans reqs : 37462, received 175 acks
retrans reqs for illegal seq : 0
dropped updates as a result of sync overload: 0
Delta Sync memory usage: currently using XX KB mem
Callback statistics: handled 138 cb, average delay : 2, max delay : 34
Number of Pending packets currently held: 1
Packets released due to timeout: 18
Explanation:
Version: new
This line must appear if synchronization is configured (versions above 4.1)
Status: Able to Send/Receive sync packets
If sync is unable to either send or receive packets, there is a problem
Sync packets sent:
total : 466729198, retransmitted : 241305, retrans reqs : 6089, acks : 809
TOTAL number of sync packets is non-zero and increasing
RETRANS REQS may increase under load
Sync packets received:
total : 77283541, were queued : 6715, dropped by net : 6079
QUEUED value never decreases - A non-zero value does not indicate a problem
DROPPED BY NET number may indicate network congestion
The “dropped by net” counter is incremented when the cluster member receives a sync packet with a sequence number which is higher than the expected seq num. This means packets with lower seq where lost somewhere along the way, and we need to find out where.
retrans reqs : 37462, received 175 acks
RETRANS REQS growing very fast may indicate that the load is becoming too high
retrans reqs for illegal seq : 0
May indicate a sync problem
dropped updates as a result of sync overload: 0
In a heavily loaded system, the cluster member may drop synchronization updates sent from another cluster member
Delta Sync memory usage: currently using XX KB mem
This statistic only appears for a non-zero value.
It requires memory only while full sync is occurring at other times, Delta sync requires no memory
Callback statistics: handled 138 cb, average delay : 2, max delay : 34
This statistic only appears for a non-zero value.
AVERAGE DELAY should be 1-5 packets, otherwise indicates an overload of sync traffic
Number of Pending packets currently held: 1
This statistic only appears for a non-zero value.
Packets released due to timeout: 18
This statistic only appears for a non-zero value.
If the it is large (more than 100 pending packets), and the "Number of Pending packets currently held" is small, you should take action to reduce the number of pending packets.
To tackle this problem, try google "Reducing the Number of Pending Packets".
Hey.. Now who is shanawaz….!!!
He was my interviewer (Not revealing his company), Anyway.. Thanks Dude for asking me that….
Literally he was laughing at me in the video conferencing…. Ofcoz I was thinking what to laugh….. !!! In a way I was happy, at least he was laughing at me just in front. Thank God…. that laugh ended up with my CCSA Certification.. of coz they told me a sorry at the end of our discussion.. haha .. Nothing new... as am in TRANS of another "Sorry"..
Now what is fw ctl pstat??
According to me, its nothing but a fw command with which we can monitor the heath of your CP box., especially Syc Status.. Am sure that you will love this command and say thanks for CP for this……
As I have mentioned in my previous post, SYC is so important (at least this time not start but to CONTINUE)
Am taking an example to explain the same.. here we go…….
Sync:
Version: new
Status: Able to Send/Receive sync packets
Sync packets sent:
total : 466729198, retransmitted : 241305, retrans reqs : 6089, acks : 809
Sync packets received:
total : 77283541, were queued : 6715, dropped by net : 6079
retrans reqs : 37462, received 175 acks
retrans reqs for illegal seq : 0
dropped updates as a result of sync overload: 0
Delta Sync memory usage: currently using XX KB mem
Callback statistics: handled 138 cb, average delay : 2, max delay : 34
Number of Pending packets currently held: 1
Packets released due to timeout: 18
Explanation:
Version: new
This line must appear if synchronization is configured (versions above 4.1)
Status: Able to Send/Receive sync packets
If sync is unable to either send or receive packets, there is a problem
Sync packets sent:
total : 466729198, retransmitted : 241305, retrans reqs : 6089, acks : 809
TOTAL number of sync packets is non-zero and increasing
RETRANS REQS may increase under load
Sync packets received:
total : 77283541, were queued : 6715, dropped by net : 6079
QUEUED value never decreases - A non-zero value does not indicate a problem
DROPPED BY NET number may indicate network congestion
The “dropped by net” counter is incremented when the cluster member receives a sync packet with a sequence number which is higher than the expected seq num. This means packets with lower seq where lost somewhere along the way, and we need to find out where.
retrans reqs : 37462, received 175 acks
RETRANS REQS growing very fast may indicate that the load is becoming too high
retrans reqs for illegal seq : 0
May indicate a sync problem
dropped updates as a result of sync overload: 0
In a heavily loaded system, the cluster member may drop synchronization updates sent from another cluster member
Delta Sync memory usage: currently using XX KB mem
This statistic only appears for a non-zero value.
It requires memory only while full sync is occurring at other times, Delta sync requires no memory
Callback statistics: handled 138 cb, average delay : 2, max delay : 34
This statistic only appears for a non-zero value.
AVERAGE DELAY should be 1-5 packets, otherwise indicates an overload of sync traffic
Number of Pending packets currently held: 1
This statistic only appears for a non-zero value.
Packets released due to timeout: 18
This statistic only appears for a non-zero value.
If the it is large (more than 100 pending packets), and the "Number of Pending packets currently held" is small, you should take action to reduce the number of pending packets.
To tackle this problem, try google "Reducing the Number of Pending Packets".
Hey.. Now who is shanawaz….!!!
He was my interviewer (Not revealing his company), Anyway.. Thanks Dude for asking me that….
Avoid Breakup... By Any Means : CheckPoint : Check Firewalls in Sync
Every "TRUE" Relation needs syncronisation..
Most of the relations are breaking up just because of lack of Communication, May be a Sync Problem..
The same problem which we face/faced in normal life can happen in a clustered environment, will lead into misbehaviour in cluster node... So before the "BreakUP" happens try the following in case of checkpoint... However am not good to give a similar solution in real LIFE...
How can I check that my Checkpoint Cluster is in Sync ?
In order to ensure that the State Tables of all your nodes within your Checkpoint Cluster are syncronised you will need to check the #VALS of your State Table summary on each node.
You may find that these figures aren`t identical but this is just down to the delay/latancy in which occurs between State Syncronisations. You should only be concerned if the values are hunreds or even thousands out.
The best way to view the State Table summaries (on SPLAT based firewalls) is to run the command watch 'fw tab -t connections -s'.
Check the State Tables on both nodes, checking for the #VAL totals. It should be somewhat same.. Linearly same.. :-)
So whenever possible, check SYNC Regularly to avoid BREAKUP....
Most of the relations are breaking up just because of lack of Communication, May be a Sync Problem..
The same problem which we face/faced in normal life can happen in a clustered environment, will lead into misbehaviour in cluster node... So before the "BreakUP" happens try the following in case of checkpoint... However am not good to give a similar solution in real LIFE...
How can I check that my Checkpoint Cluster is in Sync ?
In order to ensure that the State Tables of all your nodes within your Checkpoint Cluster are syncronised you will need to check the #VALS of your State Table summary on each node.
You may find that these figures aren`t identical but this is just down to the delay/latancy in which occurs between State Syncronisations. You should only be concerned if the values are hunreds or even thousands out.
The best way to view the State Table summaries (on SPLAT based firewalls) is to run the command watch 'fw tab -t connections -s'.
Check the State Tables on both nodes, checking for the #VAL totals. It should be somewhat same.. Linearly same.. :-)
So whenever possible, check SYNC Regularly to avoid BREAKUP....
Friday, April 16, 2010
SPLAT - Forgot Standard Password
SecurePlatform Administrator password (Standard mode) lost Cannot reboot SecurePlatform to Standard mode ??
Note: Following steps are not used for recovering "Expert Password"
Solution
Maintenance mode should be used in rare system emergencies, such as when there is a problem rebooting the system, or the standard Administrator password is lost.
To reboot in this mode:
1) Select “SecurePlatform with Application Intelligence [Maintenance Mode]” at the boot-loader screen, after SecurePlatform reboots.
2) Enter Expert password.
The Maintenance Mode boot option in SecurePlatform is known on UNIX systems as “single-user mode”. In this mode, SecurePlatform boots to runlevel 1. The local file systems will be mounted, but the network will not be activated. The SecurePlatform Administrator can have an usable system-maintenance shell.
In Maintenance mode, the Administrator password can be reset as follows:
1) At the bash shell prompt, type "passwd":
sh-2.05#passwd newadmin (The name 'newadmin' is an example).
Changing password for user newadmin
New UNIX password:
Retype new UNIX password:
The message "passwd: all authentication tokens updated successfully" appears.
2) After the new Administrator password is reset, reboot the SecurePlatform machine (as follows), and log in to Standard mode using the new password:
sh-2.05#reboot
3) When the boot-loader menu appears, select the default option.
4) Enter Administrator name and new password to log in to Standard mode.
Note: Following steps are not used for recovering "Expert Password"
Solution
Maintenance mode should be used in rare system emergencies, such as when there is a problem rebooting the system, or the standard Administrator password is lost.
To reboot in this mode:
1) Select “SecurePlatform with Application Intelligence [Maintenance Mode]” at the boot-loader screen, after SecurePlatform reboots.
2) Enter Expert password.
The Maintenance Mode boot option in SecurePlatform is known on UNIX systems as “single-user mode”. In this mode, SecurePlatform boots to runlevel 1. The local file systems will be mounted, but the network will not be activated. The SecurePlatform Administrator can have an usable system-maintenance shell.
In Maintenance mode, the Administrator password can be reset as follows:
1) At the bash shell prompt, type "passwd
sh-2.05#passwd newadmin (The name 'newadmin' is an example).
Changing password for user newadmin
New UNIX password:
Retype new UNIX password:
The message "passwd: all authentication tokens updated successfully" appears.
2) After the new Administrator password is reset, reboot the SecurePlatform machine (as follows), and log in to Standard mode using the new password:
sh-2.05#reboot
3) When the boot-loader menu appears, select the default option.
4) Enter Administrator name and new password to log in to Standard mode.
Thursday, April 15, 2010
Finding Smartcenter Server - from Gateway
It will be easy for you when you troubleshoot / isolate issues, ofcourse you will be knowing your object name of your smartcenter server in small deployments, but what about big deployements,
Attimes we may need to issue "fw fetch [SCSobjectname]" from your gateway..
how we can find the SCS (SmartCenter Server) object name from gateway..
Here is the magic..
go to gateway and issue
more $FWDIR/conf/masters
You will find the policy server, logserver and alert server.. Happy???
Attimes we may need to issue "fw fetch [SCSobjectname]" from your gateway..
how we can find the SCS (SmartCenter Server) object name from gateway..
Here is the magic..
go to gateway and issue
more $FWDIR/conf/masters
You will find the policy server, logserver and alert server.. Happy???
Checkpoint Important Ports
VPN-1 binds to some well-known ports and a few not-so well known ports. This document will explain what ports these are, what they are used for, and, if applicable, how to disable them.
Various parts of FireWall-1 bind to various ports on the system. Typically, they intercept connections traversing through the firewall, but in order for this to work correctly, they must bind to their own port and listen. In general, the services bound to these ports do not pose any sort of security risk. If no policy is in place or the policy permits access to these ports inadvertenly, the processes themselves are smart enough to reject direct requests to these ports. In the case of the SAM and LEA ports (see below), these ports require authentication in much the same way that remote management does, so it is not believed to be a security risk.
TCP Port 256 is used for three important things:
Exchange of CA and DH keys in FWZ and SKIP encryption between two FireWall-1 Management Consoles
SecuRemote build 4005 and earlier uses this port to fetch the network topology and encryption keys from a FireWall-1 Management Console
When instaling a policy, the management console uses this port to push the policy to the remote firewall.
TCP Port 257 (FW1_log) is used for logging purposes.
TCP Port 258 is used by the fwpolicy remote GUI. FireWall-1 will only listen to this port on a management console.
TCP Port 259 is used for Client Authentication via telnet. FireWall-1 will only listen to this port on a firewall module.
UDP Port 259 is used in FWZ encryption to manage the encrypted session (SecuRemote and FireWall-1 to FireWall-1 VPNs).
UDP Port 260 and UDP Port 161 are used for the SNMP daemon that Check Point FireWall-1 Provides.
TCP Port 262 is used by netsod, which is the Single Sign-on Daemon. This can be disabled by commenting out the line that contains netsod in $FWDIR/conf/fwauthd.conf.
TCP Port 264 is used for Secure Client (SecuRemote) build 4100 and later to fetch network topology and encryption keys from a FireWall-1 Management Console. FireWall-1 will only listen to this port on a management console.
UDP Port 500 is used for ISAKMP key exchange between firewalls or between a firewall and a host running Secure Client. FireWall-1 will only listen to this port on a firewall module.
TCP Port 900 is used by FireWall-1's HTTP Client Authentication mechanism. This can be disabled by commenting the appropriate line in $FWDIR/bin/fwauthd.conf.
TCP Port 4532 is used for the Session Auth agent, asessiond.
TCP Ports above 1024, other than the ones listed below, are generally any Security Servers that are active. The actual ports used by these servers will vary. 1024 is the lowest & 65535 is the highest port a Security Server process will use for a connection. If you wish to minimize the number of ports listening, comment out the appropriate lines from $FWDIR/conf/fwauthd.conf. Note that if you disable a security server in this fashion, you can not use its capabilities (like content security or authentication), so make sure you only do it for the security servers you know you are not using.
TCP Port 18181 is used for CVP (Content Vectoring Protocol, for anti-virus scanning). FireWall-1 will not listen on this port.
TCP Port 18182 is used for UFP (URL Filtering Protocol, for WebSense and the like). FireWall-1 will not listen on this port.
TCP Port 18183 is used for SAM (Suspicious Activity Monitoring, for intrusion detection). If you do not use these features, you can comment out the appropriate lines in $FWDIR/conf/fwopsec.conf.
TCP Port 18184 is used for Log Export API (lea). If you do not use these features, you can comment out the appropriate lines in $FWDIR/conf/fwopsec.conf.
TCP Port 18186 (FW1_omi-sic) is used for Secure Internal Communications (SIC) between OPSEC certified products and a NG FireWall module.
TCP Port 18190 (CPMI) is used by the FireWall Management process (FWM) to listen for NG Management Clients attempting to connect to the management module.
TCP Port 18191 (CPD) is used by the CPD process for communications such as policy installation, certificate revocation, and status queries.
TCP Port 18192 (CPD_amon) is used by the CPD process FireWall Application Monitoring.
TCP Port 18196 is used for CPEPS which is part of User Monitor.
TCP Port 18207 is used by polsrvd, which is the Single Sign-on Daemon. This can be disabled by commenting out the line that contains polsrvd in $FWDIR/conf/fwauthd.conf.
TCP Port 18210 (FW1_ica_pull): The CPD process, on the management module, is listening on TCP port 18210 for certificates to be "pulled" by a FireWall module from a management module.
TCP Port 18211 (FW1_ica_push): The Check Point Daemon (CPD) process, running on the FireWall module, listens on TCP port 18211 for certificate creation and for the "push" of the certificate to the FireWall module from the management module.
Should you make any changes above, the 'fwd' process will need to be restarted as follows:
nokia[admin]# fw kill fwd
nokia[admin]# fwd `cat $FWDIR/conf/masters`
Various parts of FireWall-1 bind to various ports on the system. Typically, they intercept connections traversing through the firewall, but in order for this to work correctly, they must bind to their own port and listen. In general, the services bound to these ports do not pose any sort of security risk. If no policy is in place or the policy permits access to these ports inadvertenly, the processes themselves are smart enough to reject direct requests to these ports. In the case of the SAM and LEA ports (see below), these ports require authentication in much the same way that remote management does, so it is not believed to be a security risk.
TCP Port 256 is used for three important things:
Exchange of CA and DH keys in FWZ and SKIP encryption between two FireWall-1 Management Consoles
SecuRemote build 4005 and earlier uses this port to fetch the network topology and encryption keys from a FireWall-1 Management Console
When instaling a policy, the management console uses this port to push the policy to the remote firewall.
TCP Port 257 (FW1_log) is used for logging purposes.
TCP Port 258 is used by the fwpolicy remote GUI. FireWall-1 will only listen to this port on a management console.
TCP Port 259 is used for Client Authentication via telnet. FireWall-1 will only listen to this port on a firewall module.
UDP Port 259 is used in FWZ encryption to manage the encrypted session (SecuRemote and FireWall-1 to FireWall-1 VPNs).
UDP Port 260 and UDP Port 161 are used for the SNMP daemon that Check Point FireWall-1 Provides.
TCP Port 262 is used by netsod, which is the Single Sign-on Daemon. This can be disabled by commenting out the line that contains netsod in $FWDIR/conf/fwauthd.conf.
TCP Port 264 is used for Secure Client (SecuRemote) build 4100 and later to fetch network topology and encryption keys from a FireWall-1 Management Console. FireWall-1 will only listen to this port on a management console.
UDP Port 500 is used for ISAKMP key exchange between firewalls or between a firewall and a host running Secure Client. FireWall-1 will only listen to this port on a firewall module.
TCP Port 900 is used by FireWall-1's HTTP Client Authentication mechanism. This can be disabled by commenting the appropriate line in $FWDIR/bin/fwauthd.conf.
TCP Port 4532 is used for the Session Auth agent, asessiond.
TCP Ports above 1024, other than the ones listed below, are generally any Security Servers that are active. The actual ports used by these servers will vary. 1024 is the lowest & 65535 is the highest port a Security Server process will use for a connection. If you wish to minimize the number of ports listening, comment out the appropriate lines from $FWDIR/conf/fwauthd.conf. Note that if you disable a security server in this fashion, you can not use its capabilities (like content security or authentication), so make sure you only do it for the security servers you know you are not using.
TCP Port 18181 is used for CVP (Content Vectoring Protocol, for anti-virus scanning). FireWall-1 will not listen on this port.
TCP Port 18182 is used for UFP (URL Filtering Protocol, for WebSense and the like). FireWall-1 will not listen on this port.
TCP Port 18183 is used for SAM (Suspicious Activity Monitoring, for intrusion detection). If you do not use these features, you can comment out the appropriate lines in $FWDIR/conf/fwopsec.conf.
TCP Port 18184 is used for Log Export API (lea). If you do not use these features, you can comment out the appropriate lines in $FWDIR/conf/fwopsec.conf.
TCP Port 18186 (FW1_omi-sic) is used for Secure Internal Communications (SIC) between OPSEC certified products and a NG FireWall module.
TCP Port 18190 (CPMI) is used by the FireWall Management process (FWM) to listen for NG Management Clients attempting to connect to the management module.
TCP Port 18191 (CPD) is used by the CPD process for communications such as policy installation, certificate revocation, and status queries.
TCP Port 18192 (CPD_amon) is used by the CPD process FireWall Application Monitoring.
TCP Port 18196 is used for CPEPS which is part of User Monitor.
TCP Port 18207 is used by polsrvd, which is the Single Sign-on Daemon. This can be disabled by commenting out the line that contains polsrvd in $FWDIR/conf/fwauthd.conf.
TCP Port 18210 (FW1_ica_pull): The CPD process, on the management module, is listening on TCP port 18210 for certificates to be "pulled" by a FireWall module from a management module.
TCP Port 18211 (FW1_ica_push): The Check Point Daemon (CPD) process, running on the FireWall module, listens on TCP port 18211 for certificate creation and for the "push" of the certificate to the FireWall module from the management module.
Should you make any changes above, the 'fwd' process will need to be restarted as follows:
nokia[admin]# fw kill fwd
nokia[admin]# fwd `cat $FWDIR/conf/masters`
Monday, April 12, 2010
Change Date in Linux
Login to Linux box as root and enter root's password:
[me@mybox me]$ su
password:
Check the current date and time of the Linux box by entering:
[root@mybox me]# date
Linux yields the current settings:
[root@mybox me]# Wed Apr 7 12:03:45 EDT 2004
Change the current time and date of the Linux box by entering:
[root@mybox me]# date 040713032004
would change the time and yield:
[root@mybox me]$ Wed Apr 7 13:03:00 EDT 2004
====================================================
One more option:
Linux Set Date
Use the following syntax to set new data and time:date set="STRING"
For example, set new data to 2 Oct 2006 18:00:00, type the following command as
root user:# date -s "2 OCT 2006 18:00:00"
[me@mybox me]$ su
password:
Check the current date and time of the Linux box by entering:
[root@mybox me]# date
Linux yields the current settings:
[root@mybox me]# Wed Apr 7 12:03:45 EDT 2004
Change the current time and date of the Linux box by entering:
[root@mybox me]# date 040713032004
would change the time and yield:
[root@mybox me]$ Wed Apr 7 13:03:00 EDT 2004
====================================================
One more option:
Linux Set Date
Use the following syntax to set new data and time:date set="STRING"
For example, set new data to 2 Oct 2006 18:00:00, type the following command as
root user:# date -s "2 OCT 2006 18:00:00"
CheckPoint Splat - Setting up SCP
I found this article in internet (Following are not my scripts), am just copy pasting.. :) Nothing but for easyness to access..
This article is intended to help users setup SCP (SecureCopy) on their SPLAT gateways. This is the secure and preferred method of file transfers to and from gateways, as opposed to unsecured FTP. I use putty for SSH and WinSCP for SCP, they are both free programs, but you can use whatever clients you want.NOTE: represents the username(s) you will be adding. For example, my username will be xxxx
1) Add users to each gateway you manage
a) SSH (or console) to gateway and enter expert mode
b) At the command prompt, type: adduser
c) Enter and confirm password for this user
d) Repeat steps a though c for each user to be added
NOTE: If you are unfamiliar with operating in the vi editor, please search for a command list or call your support vendor for assistance
2) Add users to the scpusers file
a) At the command prompt, type: vi /etc/scpusers
b) Type: i <== to enter insert mode
c) Type: <== repeat adding usernames - 1 per line
d) Exit insert mode with the [ESC] key
e) Type: :wq! <== The colon enters command mode and then writes and quits the editor
f) Verify the changes at the command prompt by typing: cat /etc/scpusers <== You should see your users there, one per line
3) Change the new SCP enabled user's default shell to always be in expert mode. At the command prompt, type: chsh -s /bin/bashThat's it! Using your preferred SCP software and provided you have the appropriate rules in place for your IP to access the box, you should now be able to complete secure file transfers to your SPLAT gateways.
This article is intended to help users setup SCP (SecureCopy) on their SPLAT gateways. This is the secure and preferred method of file transfers to and from gateways, as opposed to unsecured FTP. I use putty for SSH and WinSCP for SCP, they are both free programs, but you can use whatever clients you want.NOTE:
1) Add users to each gateway you manage
a) SSH (or console) to gateway and enter expert mode
b) At the command prompt, type: adduser
c) Enter and confirm password for this user
d) Repeat steps a though c for each user to be added
NOTE: If you are unfamiliar with operating in the vi editor, please search for a command list or call your support vendor for assistance
2) Add users to the scpusers file
a) At the command prompt, type: vi /etc/scpusers
b) Type: i <== to enter insert mode
c) Type:
d) Exit insert mode with the [ESC] key
e) Type: :wq! <== The colon enters command mode and then writes and quits the editor
f) Verify the changes at the command prompt by typing: cat /etc/scpusers <== You should see your users there, one per line
3) Change the new SCP enabled user's default shell to always be in expert mode. At the command prompt, type: chsh -s /bin/bash
Sunday, April 11, 2010
Checkpoint Logging Issue
The following article is a list of steps one should go through when troubleshooting logging related issues in a distributed setup.
1. Ensure that you have not run out of disk space on the hard disk that the logs are being sent to. If this is the case, delete or move the logs to an external storage device.
2. Is there communication between the MS and the Module? Test using ping to the MS from the module and then from the Module to the MS (your rules must allow for this). If this fails, and your rules allow for this, then it is most likely a routing issue.
3. Check to see if the fw.log file is growing on the module. It should be if the logs are not going to the MS. From the console run these commands:
cd $FWDIR/log
ls -la
ls -la
Verify that the fw.log file is increasing. If it is increasing then the modules are logging locally instead of forwarding the traffic to the MS. This could be a connectivity issue, or it could be the way the logging is setup. Check the FW object to ensure it is setup to send logs to the MS.
4. Can you fetch a policy? Verify that you can fetch using the hostname and IP address. If this fails then you probably have a SIC issue. To test this run the following commands:
fw fetch hostname_of_MS
fw fetch IP_Addr_of_MS (fetch by IP address also to ensure it is not a DNS issue)
5. Check the masters file. The hostname or IP address of the management station should be listed in there. To check this run the following commands:
cd $FWDIR/conf
cat masters
cat masters
It should be look like this:
[Policy]
hostname_of_MS
[Log]
hostname_of_MS
[Alert]
hostname_of_MS
hostname_of_MS
[Log]
hostname_of_MS
[Alert]
hostname_of_MS
6. Run tcpdumps on the module, listening for port 257 on the interface facing the MS, to see if it is attempting to send logs. To check this run the following command:
tcpdump -i eth-facing-MS port 257 (use the Ctrl+C to break out of the dump)
You should see traffic leaving the FW and heading to the IP address of the MS.
You should also see traffic coming back from the MS.
7. The log file may have gotten corrupt. Run a log switch on the MS and reboot the MS to create a new log file. If logswitch does not work, move all contents of the log directory (do not move the directory itself) to a temp folder outside of the log directory. Reboot and see if the logs start again.
8. Delete the $FWDIR/log files and $FWDIR/state directory files on the module; reboot the module.
Reboot and see if the logs start again.
9. Look to see if there is a listening port for logging. Run the following command on the MS and the module:
netstat -na
You should see the *.257 LISTEN for logging connections. You should also see the IP address of the MS :257 associated with the IP address of each module, and showing an ESTABLISHED connection.
10. Check the log settings for the FW object and make sure the 'Log Server' is set to the MS that should be receiving the logs. This is usually done by default, but may have been changed by a user.
If after going through these steps you are still experiencing logging issues, please open a ticket with Corresponding TAC for further troubleshooting and ofcoz try your way with help of our all time Gaint Mr. Google.. :-)
Checkpoint Troubleshooting - Debugging
Checkpoint Common debugging
Kernel debugging
Usage
% fw ctl debug -buf [buffer size]
% fw ctl debug [-x] [-m] [+|-]
% fw ctl kdebug –f >
Kernel debugging
Usage
% fw ctl debug -buf [buffer size]
% fw ctl debug [-x] [-m
% fw ctl kdebug –f >
Friday, April 9, 2010
TCP Flags
There are 6 TCP Flags.
Connection Establishment
==========================
1.SYN --- Client to Server
2. SYN ACK ---Server to Client
3. ACK--------- Client to Server
Connection Established
Termination
+++++++++++++
Termination requires four packets as TCP is full duplex, connection should be terminated from both the ends.
1. FIN ACK - Client to Server
2. ACK - Server to Client
3. FIN ACK - Server to Client
4. ACK -- Client to Server
Pls note that this is a Graceful termination where "RST" is not
More info can be available @ http://support.microsoft.com/kb/172983
Connection Establishment
==========================
1.SYN --- Client to Server
2. SYN ACK ---Server to Client
3. ACK--------- Client to Server
Connection Established
Termination
+++++++++++++
Termination requires four packets as TCP is full duplex, connection should be terminated from both the ends.
1. FIN ACK - Client to Server
2. ACK - Server to Client
3. FIN ACK - Server to Client
4. ACK -- Client to Server
Pls note that this is a Graceful termination where "RST" is not
More info can be available @ http://support.microsoft.com/kb/172983