Thursday, September 30, 2010
Checkpoint Ports

TCP Port 256 is used for three important things:

TCP Port 257 (FW1_log) is used for logging purposes.
TCP Port 258 is used by the fwpolicy remote GUI. FireWall-1 will only listen to this port on a management console.
TCP Port 259 is used for Client Authentication via telnet. FireWall-1 will only listen to this port on a firewall module.
UDP Port 259 is used in FWZ encryption to manage the encrypted session (SecuRemote and FireWall-1 to FireWall-1 VPNs).
UDP Port 260 and UDP Port 161 are used for the SNMP daemon that Check Point FireWall-1 provides.
TCP Port 262 is used by netsod, which is the Single Sign-on Daemon. This can be disabled by commenting out the line that contains netsod in $FWDIR/conf/fwauthd.conf.
TCP Port 264 is used for Secure Client (SecuRemote) build 4100 and later to fetch network topology and encryption keys from a FireWall-1 Management Console. FireWall-1 will only listen to this port on a management console.
UDP Port 500 is used for ISAKMP key exchange between firewalls or between a firewall and a host running Secure Client. FireWall-1 will only listen to this port on a firewall module.
TCP Port 900 is used by FireWall-1's HTTP Client Authentication mechanism. This can be disabled by commenting out the appropriate line in $FWDIR/bin/fwauthd.conf.
TCP Port 4532 is used for the Session Auth agent, asessiond.
TCP Ports above 1024, other than the ones listed below, are generally any Security Servers that are active. The actual ports used by these servers will vary: 1024 is the lowest and 65535 is the highest port a Security Server process will use for a connection. If you wish to minimize the number of ports listening, comment out the appropriate lines from $FWDIR/conf/fwauthd.conf. Note that if you disable a security server in this fashion, you cannot use its capabilities (like content security or authentication), so make sure you only do it for the security servers you know you are not using.
TCP Port 18181 is used for CVP (Content Vectoring Protocol, for anti-virus scanning). FireWall-1 will not listen on this port.
TCP Port 18182 is used for UFP (URL Filtering Protocol, for WebSense and the like). FireWall-1 will not listen on this port.
TCP Port 18183 is used for SAM (Suspicious Activity Monitoring, for intrusion detection). If you do not use these features, you can comment out the appropriate lines in $FWDIR/conf/fwopsec.conf.
TCP Port 18184 is used for Log Export API (lea). If you do not use these features, you can comment out the appropriate lines in $FWDIR/conf/fwopsec.conf.
TCP Port 18186 (FW1_omi-sic) is used for Secure Internal Communications (SIC) between OPSEC certified products and an NG FireWall module.
TCP Port 18190 (CPMI) is used by the FireWall Management process (FWM) to listen for NG Management Clients attempting to connect to the management module.
TCP Port 18191 (CPD) is used by the CPD process for communications such as policy installation, certificate revocation, and status queries.
TCP Port 18192 (CPD_amon) is used by the CPD process for FireWall Application Monitoring.
TCP Port 18196 is used for CPEPS, which is part of User Monitor.
TCP Port 18207 is used by polsrvd, which is the Single Sign-on Daemon. This can be disabled by commenting out the line that contains polsrvd in $FWDIR/conf/fwauthd.conf.
TCP Port 18210 (FW1_ica_pull): The CPD process, on the management module, is listening on TCP port 18210 for certificates to be "pulled" by a FireWall module from a management module.
TCP Port 18211 (FW1_ica_push): The Check Point Daemon (CPD) process, running on the FireWall module, listens on TCP port 18211 for certificate creation and for the "push" of the certificate to the FireWall module from the management module.

Should you make any changes above, the 'fwd' process will need to be restarted as follows:
nokia[admin]# fw kill fwd
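The port list above is most useful when you turn it into a check: which sockets on this box are listening, which of them the post says belong to a management console versus a firewall module, and which are unexplained Security Servers that fwauthd.conf could trim. The script below is an added example, not part of the original post or a Check Point tool. It reads `netstat -an` style lines (the sample is constructed inline) and prints one verdict per listener; the service names and the mgmt/fw split are taken from the text above, and the role of the host is passed as an argument.

```shell
#!/bin/sh
# Added example (not from the original post): classify listening sockets on a
# FireWall-1 host against the port list above, so unexpected listeners stand out.

# Print "<service> <where>" for a proto/port, where <where> is the host role the
# post says listens on it: mgmt (management console), fw (firewall module),
# any (not restricted), or opsec (OPSEC server side; FireWall-1 itself does
# not listen). Unknown ports return non-zero.
fw1_service() {
    proto=$1; port=$2
    case "$proto/$port" in
        tcp/256)   echo "fw1_mgmt any" ;;
        tcp/257)   echo "FW1_log any" ;;
        tcp/258)   echo "fwpolicy mgmt" ;;
        tcp/259)   echo "client_auth_telnet fw" ;;
        udp/259)   echo "FWZ_session any" ;;
        udp/260|udp/161) echo "snmp any" ;;
        tcp/262)   echo "netsod any" ;;
        tcp/264)   echo "SecuRemote_topology mgmt" ;;
        udp/500)   echo "ISAKMP fw" ;;
        tcp/900)   echo "client_auth_http any" ;;
        tcp/4532)  echo "asessiond any" ;;
        tcp/18181) echo "CVP opsec" ;;
        tcp/18182) echo "UFP opsec" ;;
        tcp/18183) echo "SAM any" ;;
        tcp/18184) echo "lea any" ;;
        tcp/18186) echo "FW1_omi-sic any" ;;
        tcp/18190) echo "CPMI mgmt" ;;
        tcp/18191) echo "CPD any" ;;
        tcp/18192) echo "CPD_amon any" ;;
        tcp/18196) echo "CPEPS any" ;;
        tcp/18207) echo "polsrvd any" ;;
        tcp/18210) echo "FW1_ica_pull mgmt" ;;
        tcp/18211) echo "FW1_ica_push fw" ;;
        *) return 1 ;;
    esac
}

# Read `netstat -an` style lines on stdin and print one line per listener:
#   <proto> <port> <service> <verdict>
# ROLE is this host's role: mgmt or fw. TCP sockets count only in LISTEN
# state; UDP sockets are taken as bound.
audit_listeners() {
    role=$1
    while read -r proto rq sq laddr foreign state; do
        case "$proto" in
            tcp) [ "$state" = LISTEN ] || continue ;;
            udp) ;;
            *) continue ;;
        esac
        port=${laddr##*:}
        if svc=$(fw1_service "$proto" "$port"); then
            name=${svc% *}; where=${svc#* }
            if [ "$where" = opsec ]; then
                verdict=unexpected_not_a_fw1_listener
            elif [ "$where" = any ] || [ "$where" = "$role" ]; then
                verdict=expected
            else
                verdict="wrong_role(expected_on_$where)"
            fi
        elif [ "$port" -gt 1024 ]; then
            # Per the post: high ports not listed are usually Security Servers.
            name=security_server; verdict=review_fwauthd.conf
        else
            name=unknown; verdict=investigate
        fi
        echo "$proto $port $name $verdict"
    done
}

# Constructed sample of `netstat -an` output from a firewall module.
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:256         0.0.0.0:*      LISTEN
tcp        0      0 0.0.0.0:257         0.0.0.0:*      LISTEN
tcp        0      0 0.0.0.0:258         0.0.0.0:*      LISTEN
tcp        0      0 0.0.0.0:900         0.0.0.0:*      LISTEN
tcp        0      0 0.0.0.0:18184       0.0.0.0:*      LISTEN
tcp        0      0 0.0.0.0:33301       0.0.0.0:*      LISTEN
tcp        0      0 10.0.0.1:22         10.0.0.9:4410  ESTABLISHED
udp        0      0 0.0.0.0:500         0.0.0.0:*'

main() {
    # Usage on a real box: netstat -an | audit_listeners fw
    printf '%s\n' "$SAMPLE_NETSTAT" | audit_listeners "${1:-fw}"
}
main "$@"
```

On the constructed sample the fwpolicy listener (258) is reported as wrong_role because the host was declared a firewall module and the post says only a management console listens there, and 33301 is flagged for review as a probable Security Server.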
Sunday, September 26, 2010
Forcing NICs on SecurePlatform full/half duplex or 10/100/1000 Mbps using ethtool
In expert mode, use 'ethtool' to hard-code the link speed and duplex settings of network interfaces (NICs).
Note: Per the IEEE specification, gigabit speed cannot be forced. It can only be auto-negotiated.
Quick command syntax:
ethtool -s DEVNAME speed 10|100|1000 duplex full|half autoneg off|on
Example:
ethtool -s eth0 speed 100 duplex full autoneg off
(Will force eth0 interface to 100 MB link speed, full duplex).
ethtool -s eth0 speed 100 duplex half
(Will force eth0 interface to 100 MB link speed, half duplex).
ethtool -s eth0 autoneg on
(Will force eth0 interface to auto-negotiate).
ethtool -s eth0 autoneg off
(Will turn auto-negotiation off on the eth0 interface).
Commands can be put at the end of the /etc/rc.local startup script, to survive reboot.

Full options of command:
ethtool -s ethX [speed 10|100|1000] [duplex half|full] [port tp|aui|bnc|mii] [autoneg on|off] [phyad N] [xcvr internal|external] [wol p|u|m|b|a|g|s|d...] [sopass xx:yy:zz:aa:bb:cc] [msglvl N]

OPTIONS
-s
    Allows changing some or all settings of the specified Ethernet device; options only apply if -s is specified.
ethX
    Device name.
speed 10|100|1000
    Sets speed in Mbps; ethtool with a single argument will show supported device speeds.
duplex half|full
    Sets full- or half-duplex mode.
port tp|aui|bnc|mii
    Selects device port.
autoneg on|off
    Specifies whether or not autonegotiation is enabled.
phyad N
    Physical address.
xcvr internal|external
    Selects transceiver type; currently only internal and external can be specified.
wol p|u|m|b|a|g|s|d...
    Sets Wake-on-LAN options; not all devices support this. The argument to this option is a string of characters specifying the options to enable.
    p  Wake on PHY activity.
    u  Wake on unicast messages.
    m  Wake on multicast messages.
    b  Wake on broadcast messages.
    a  Wake on ARP.
    g  Wake on MagicPacket(tm).
    s  Enable SecureOn(tm) password for MagicPacket(tm).
    d  Disable (wake on nothing). This option clears all previous options.
sopass xx:yy:zz:aa:bb:cc
    Set SecureOn(tm) password. Argument to this option must be 6 bytes in Ethernet MAC hex format (xx:yy:zz:aa:bb:cc).
msglvl N
    Set driver message level. Meanings differ per driver.
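Forcing speed and duplex is a change that can silently halve throughput or take a firewall off the network if the switch port disagrees, so it is worth wrapping the commands above in a small script that refuses combinations that cannot be forced (the gigabit note) and verifies the result by reading `ethtool DEV` back. The script below is an added example, not part of the original post; it assumes `ethtool DEV` prints "Speed:", "Duplex:" and "Auto-negotiation:" lines (the sample output is constructed inline), and it only prints the command it would run.

```shell
#!/bin/sh
# Added example (not from the original post): build and validate an ethtool
# command for a SecurePlatform NIC, and parse `ethtool DEV` output to verify
# that the forced setting actually took.

# Print the ethtool command for DEV at SPEED/DUPLEX, or fail when the
# combination cannot be forced (gigabit must auto-negotiate per the post).
nic_force_cmd() {
    dev=$1; speed=$2; duplex=$3
    case "$speed" in
        10|100|1000) ;;
        *) echo "bad speed: $speed" >&2; return 1 ;;
    esac
    case "$duplex" in
        full|half) ;;
        *) echo "bad duplex: $duplex" >&2; return 1 ;;
    esac
    if [ "$speed" = 1000 ]; then
        echo "gigabit cannot be forced; use: ethtool -s $dev autoneg on" >&2
        return 1
    fi
    echo "ethtool -s $dev speed $speed duplex $duplex autoneg off"
}

# Read `ethtool DEV` output on stdin and print "<speed> <duplex> <autoneg>",
# e.g. "100 full off". Assumes the usual "Speed: 100Mb/s" style lines.
nic_link_state() {
    awk -F': *' '
        /^[ \t]*Speed:/            { speed = $2; sub(/Mb\/s/, "", speed) }
        /^[ \t]*Duplex:/           { duplex = tolower($2) }
        /^[ \t]*Auto-negotiation:/ { autoneg = $2 }
        END { print speed, duplex, autoneg }'
}

# Compare the parsed link state on stdin with the intended forced setting.
# Returns 0 when speed, duplex and autoneg=off all match.
nic_verify() {
    want="$1 $2 off"
    got=$(nic_link_state)
    [ "$got" = "$want" ]
}

# Constructed sample of `ethtool eth0` output after forcing 100/full.
SAMPLE_OUTPUT='Settings for eth0:
    Supported ports: [ TP MII ]
    Speed: 100Mb/s
    Duplex: Full
    Auto-negotiation: off
    Link detected: yes'

main() {
    cmd=$(nic_force_cmd eth0 100 full) || exit 1
    echo "would run: $cmd"
    # On a real box replace the printf with: ethtool eth0 | nic_verify 100 full
    if printf '%s\n' "$SAMPLE_OUTPUT" | nic_verify 100 full; then
        echo "eth0 link state matches forced 100/full"
    else
        echo "eth0 link state does NOT match; check the switch port" >&2
    fi
}
main "$@"
```

The verify step matters more than the force step: a port forced to full duplex against an auto-negotiating switch comes up at half duplex on the far side, and the only symptom is late collisions and poor throughput, which this read-back catches immediately after the change and again from rc.local after a reboot.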
Checkpoint Global Parameters
Parameter | Parameter Type | Default Value | Description |
fwdebug | int | Error flag and warning flag. If defined secure remote, only error flag. | The debug flags of the fw debug module, which eventually determine which debug messages will be printed. For instructions on how to modify the parameter before reboot, see sk26202. |
fw_debug_kdbufsz | int | 0 | The debug buffer size. |
fwkdbmaxlen | int | 32 MB | The debug buffer size limit. |
fw_kdprintf_limit | int | 30 | Controls the suppression mechanism of debug messages. If it is not "0", it indicates how many debug messages can be printed in fw_kdprintf_limit_time seconds. |
fw_kdprintf_limit_time | int | 60 | Part of the suppression mechanism of debug messages. |
fwmonitormaxlen | int | 100K | Half of the maximum size of the data buffer of the 'fw monitor' command. |
fwhmem | int | 20 MB | Size of memory allocated for hash tables (hmem) in bytes. |
fwhmemmax | u_int | 80 MB | The maximum size in bytes that hash tables (hmem) can be extended to. |
fw_allow_udp_port0 | Int (bool) | 1 | UDP port 0 dropped by default. |
fw_allow_tcp_port0 | Int (bool) | 1 | TCP port 0 dropped by default. |
fw_log_udp_port0 | Int (bool) | 1 | Do we log UDP port 0 drops? |
fw_log_tcp_port0 | Int (bool) | 1 | Do we log TCP port 0 drops? |
fwconn_smart_conn_reuse | Int (bool) | 1 | Do we use a smart connection reuse algorithm, i.e. whenever a SYN packet is encountered on an established connection we change it to ACK and decide according to server's response. If server responds with an RST, connection is reused. Otherwise (server responds with an ACK), connection is not reused. |
fw_log_syn_on_estab | Int (bool) | 0 | When SYN is encountered on an established connection and fwconn_smart_conn_reuse is on, server may respond with an ACK packet, which means that the client's SYN was out of state. However, the client's SYN was not necessarily a malicious action. It may have been, for instance, a client application recovering from reboot. The following variable determines whether to log the previous SYN or not. (default=0) |
fw_trust_rst_on_port | int | "Untrusted" (-2) | Should we trust Resets if sequence verifier is off? |
fw_accept_syn_rst | int | FW_DONT_ACCEPT_SYN_RST (-2) | This variable specifies a certain service on which SYN-RST packet is allowed. Where it is allowed, previous connection is deleted (if it existed), and a new connection is always recorded, with state BOTH_FIN and without sequence verification. |
fw_trust_ack_resp_to_syn | Int (bool) | 0 | Determine whether to trust server's ACK that follows client's SYN. The packet will pass or drop according to the value of fw_allow_out_of_state_syn_resp. |
Listparams | int | | When set, all the kernel global parameters are printed to the console. |
fw_allow_simultaneous_ping | Int (bool) | 0 | Allow simultaneous ping to virtual IP and real IP of a cluster machine by storing the ICMP sequence number as one of the connection entry parameters, in order to differentiate between the two IPs. Otherwise, the connections look the same in certain directions. Currently, the feature does not work with SXL. |
tcp_local_start_timeout | int | 0 | Override TCP start session timeout that is defined in the GUI. |
tcp_local_end_timeout | int | 0 | Override TCP end session timeout that is defined in the GUI. |
fwx_max_conns | int | 25000 | Maximum entries in several NAT tables, including fwx_alloc, which is in charge of hide NAT. |
fwx_udp_hide_high | int | 0 | When not "0", a UDP connection from this (low) port will be hidden behind high port (10000+) instead of low ports (600-1023). |
fwx_auth_expiration | int | 120 | Expiration in fwx_auth_table, used for folding to security servers. |
fwx_cluster_hide_for_dynamic_routing | int | 0 | Enables cluster hide for dynamic routing protocols. Changing this variable also changes fwconn_override_dynamic_routing_collision. |
fwx_g_user_cluster_fold | int | 1 | Enables cluster fold. |
fwx_do_nat_cache | int | 1 | Should cache be used when trying to match on address translation rules. |
fwx_g_max_rand_alloc_attempts | int | 30 | Maximum number of attempts to allocate a port before saying there are no available ports. |
fw_local_interface_anti_spoofing | int | 1 | Local interface anti-spoofing verifies that no packet on the inbound chain has a source IP that matches one of the Gateway's IP addresses. This can be overridden by setting this parameter to "0". |
fw_antispoofing_enabled | int | 1 | Anti-Spoofing is defined in the topology tab of interfaces. This global parameter can globally disable Anti-Spoofing checks in the enforcement module. To disable anti-spoofing checks, set this kernel global parameter to "0". |
dns_allowed_chars | int | 0 | The ASCII enforcement as part of the DNS protocol enforcement checks that the domain names do not contain illegal characters. These illegal characters are any character other than letters (a-z, A-Z) digits (0-9) hyphen (-) and underscore (_). This global parameter allows adding up to 4 extra characters that have decimal value less than 128. For example, in order to allow backtick (`) define dns_allowed_chars to the value "96". |
enforce_tkey_class_any | int | 1 | The DNS enforcement verifies that the TKEY/TSIG resource record class is "ANY". If this global parameter is set to "0", this field will be ignored. |
dns_disable_servers_check | int | 0 | When enabling DNS TCP protocol enforcement, VPN-1/FireWall-1's current implementation limits the size of TCP data in a stream. This limitation is mainly relevant to zone transfers. When the limit is met, a log will be generated with the error message, "DNS data is too long". To overcome this limitation, change this kernel global parameter value from "0" to "1". This will allow traffic between defined DNS servers to pass, without DNS verification. |
SmartDefense Parameters
Parameter | Parameter Type | Default Value | Description |
ws_debug_ip | ip | _ | This parameter can be set, in order to focus on debug messages that are related to a specific IP (destination or source). |
enforce_notify_header | int | 0 | When activated, produces an "Illegal Notify message" log. |
allow_dnssec_bit | int | 1 | Allows AD ('authentic data') bit in response packet. |
dns_allowed_chars | int | 0 | User configured additional allowed characters in domain names. |
dns_maximum_message_length_overflow | int | 2 | Maximal additional bytes in query. When exceeded, produces a "Request packet too long, potential buffer overflow" log. |
enforce_tkey_class_any | int | 1 | When set, produces "Bad Resource Record format, TKEY RR class is not ANY" and "Bad Resource Record format, TSIG RR class is not ANY" logs on DNS class other than ANY. |
dns_disable_servers_check | int | 0 | When set, allows TCP traffic between known servers to run unchecked. |
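Several rows in the table are switches that weaken enforcement when changed from their default (the two anti-spoofing parameters and the port-0 logging flags in particular), and they can be flipped at runtime without touching any rulebase. A periodic read-back against a baseline catches that kind of drift. The script below is an added example, not a Check Point tool: it assumes `fw ctl get int NAME` prints a line of the form "NAME = VALUE" (an assumption; confirm the format on your version), and for offline use it reads that output from a constructed stand-in function that you replace with the real command on a gateway.

```shell
#!/bin/sh
# Added example (not from the original post): audit kernel global parameters
# from the table above against a baseline and report drift.

# Baseline entries: "name expected reason". Expected values are the defaults
# listed in the table above.
BASELINE='fw_antispoofing_enabled 1 topology-anti-spoofing-must-stay-on
fw_local_interface_anti_spoofing 1 local-interface-anti-spoofing-must-stay-on
fw_allow_udp_port0 1 keep-port-0-handling-at-default
fw_log_udp_port0 1 port-0-drops-should-be-logged
fw_log_tcp_port0 1 port-0-drops-should-be-logged'

# Constructed stand-in for `fw ctl get int NAME` (assumed output "NAME = VALUE")
# on a box where anti-spoofing and TCP port-0 logging were switched off.
fake_fw_ctl_get_int() {
    case "$1" in
        fw_antispoofing_enabled)          echo "fw_antispoofing_enabled = 0" ;;
        fw_local_interface_anti_spoofing) echo "fw_local_interface_anti_spoofing = 1" ;;
        fw_allow_udp_port0)               echo "fw_allow_udp_port0 = 1" ;;
        fw_log_udp_port0)                 echo "fw_log_udp_port0 = 1" ;;
        fw_log_tcp_port0)                 echo "fw_log_tcp_port0 = 0" ;;
        *) return 1 ;;
    esac
}

# Extract the integer after "=" from one "NAME = VALUE" line; fail on
# anything else so an unexpected output format is never read as a value.
parse_fw_ctl_int() {
    val=$(printf '%s\n' "$1" | sed -n 's/^[A-Za-z0-9_]* *= *\(-\{0,1\}[0-9][0-9]*\) *$/\1/p')
    [ -n "$val" ] || return 1
    echo "$val"
}

# Compare every baseline entry with the live value. GETTER is the command that
# reads a parameter: fake_fw_ctl_get_int here, "fw ctl get int" on a gateway.
# Prints "NAME ok", "NAME DRIFT(expected X got Y) reason" or "NAME unreadable"
# and returns the number of drifted parameters.
check_baseline() {
    getter=$1; drift=0
    while read -r name want reason; do
        if line=$($getter "$name") && got=$(parse_fw_ctl_int "$line"); then
            if [ "$got" -eq "$want" ]; then
                echo "$name ok"
            else
                echo "$name DRIFT(expected $want got $got) $reason"
                drift=$((drift + 1))
            fi
        else
            echo "$name unreadable"
        fi
    done <<EOF
$BASELINE
EOF
    return $drift
}

main() {
    # On a gateway: check_baseline "fw ctl get int"
    check_baseline fake_fw_ctl_get_int
    drift=$?
    if [ "$drift" -eq 0 ]; then
        echo "all parameters at baseline"
    else
        echo "$drift parameter(s) drifted from baseline" >&2
    fi
}
main
```

Running this from cron and alerting on a non-zero return turns the table into a control: a change to fw_antispoofing_enabled, whether by a fw ctl set int at a console or by a modified fwkern.conf, shows up as a DRIFT line naming the parameter and the expected value.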