Thursday, November 19, 2015

Phishing fraud "TeliaSonera AB Opinionsundersökning - Windows & Chrome-användare"

This is probably one of the best phishing I've seen for a while, it claims to be from my ISP and the spelling and content is excellent. It's when you hit the last page to retrieve your gifts for participating you can tell for sure, an iPhone for $5....sure


Safe browsing

Export Checkpoint policy to HTML or XML format

Even if the SmartDashboard console is fantastic sometimes you need to play with the ruleset in different formats.

Try the Web Visualization Tool from Check Point

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk64501

Note: You don't have to reboot your computer as the last step in windows, you can temporarily add the path manually. I hate to reboot.

c:\Users\admin> set path=%path%;your_path_to_application 

Tuesday, November 17, 2015

tcpdump of SYNners


Shows a list of the top 10 Source IP-addresses that starts a new TCP connection (SYN).

# tcpdump -nnt -i Lan1 "tcp[tcpflags] & (tcp-syn) != 0" and "tcp[tcpflags] & (tcp-ack) == 0" >/var/log/tmp/lan1_syn.txt

# awk '{print $2}' /var/log/tmp/lan1_syn.txt | sed 's/.[^.]*$//'| sort -n | uniq -c | sort -n | tail -n10

Friday, November 13, 2015

LDAP Account unit - SSL fingerprint

when using secure channel on port 636 for the LDAP servers the encryption is verified by a Fingerprint against the AD servers certificate. When this certificate is updated in AD you must 'Fetch' a new fingerprint or this connection will not continue to work.

This could be a complicated task to know about and remember.

Solution:
CP solutions is to simply delete the fingerprint and leave that field blank, now you would never have this problem. The downside is you have an increased risk for man-in-the-middle attack.

Another solution would be to have 1 AD server with higher priority and keep that on standard port 389 not encrypted. Then monitor the log for traffic for that host, then you know you have problem with a encrypted AD server. This is also a security risk since all user password will be sent in clear text. So in my mind the first solution is a better choice.


Wednesday, November 11, 2015

The End Of Unix Time

January 18 2038 02:00 - 07:00 PM PST

Put the date in you calendar. When our primitive 32-bit signed time_t type rolls over, it will be time for a massive party. That is, unless we somehow find some more bits.

Where (time() == 0x7FFFFFFF)

BlueCoat webfilter categorise my blog as 'suspicious'

What!

If you don't agree with BlueCoat's categorisation you can ask for a review with a suggestion. At the same page you can also verify how sites get categorised and you can use it to test your proxy SG.

https://sitereview.bluecoat.com/sitereview.jsp

Tuesday, November 10, 2015

Nagios plug-in Checkpoint

check_cpfw1_v3 is a really good plug-in for checking your cluster status, your management server and other things, I have used it for several years with success.

Nagios plug-in

Status of cluster interfaces is displayed as "Partially up"

Does SmartView Monitor show this randomly for interfaces, or the output from 'cphastat -f all'?
Don't worry this is only that the status of cluster interfaces is checked incorrectly and the hotfix from CP is only cosmetic, I got this confirmed the other day in a chat session with CP.

Solution ID: sk106488
Solution Link: sk106488

"NAT Hide failure - there are currently no available ports for hide operation"

Today we finally hit the wall and run out of available free ports for NAT. In my case this was an expected error to occur sooner or later due to too many hosts hiding behind the same IP.

We solved this incident by changing the hide_max_high_port from 60.000 to 50.000 in the DB using GuiDBtool and then installed the policy. This gave us additional 10.000 ports for hide NAT.

Some useful hints to troubleshoot:
fw tab –t connections –f –u | awk ‘{print $9”,”$11”,”$13”,”$15”,”$43}’ > /tmp/connections.txt

Summary - top 20 sources
awk -F"," '{print $1}' /tmp/connections.txt | sort -n | uniq -c | sort -rn | head -20

Summary - top 20 destinations
awk -F"," '{print $3}' /tmp/connections.txt | sort -n | uniq -c | sort -rn | head -20

From R77.30 You can check the allocation
[Expert@HostName]# fw ctl get int fwx_nat_dynamic_port_allocation


Solution ID: sk103656
Solution Link: sk103656 

Other good resources for this:
Connections with Hide NAT are dropped during policy installation due to NAT port allocation failure when CoreXL is enabled
sk86401

NAT table reaches its maximum capacity on ClusterXL, which causes traffic issues
sk36708

Load on Module Failed - R77.30 GAIA

Recently several GAIA R77.30 cluster has failed with "Load on Module Failed" on policy installation and then the cluster members have become in 'down' state and stopped run trafic.

According to Checkpoint R&D this is a bug in Aplication Control and the only solution so far is to disble that blade. Contact Checkpoint to retrieve a hotfix.

Monday, November 9, 2015

Checkpoint OPSEC LEA Splunk

If you intend to index your Firewall logs into Splunk, consider the size. Normally indexed logs in Splunk is half the original size but in this case, because the Checkpoint format is in binery, the log ends up 3 times as big.

With that in mind, and with Smart Log actually working so good, I wouldn't index all logs but only the Management logs.

Sunday, November 8, 2015

In your head

Hello,
Is there anybody in there?
Just nod if you can hear me.
Is there anyone at home?

Come on now
I hear you're feeling down
Well, I can ease your pain
And get you on your feet again

Relax
I'll need some information first
Just the basic facts
Can you show me where it hurts?

There is no pain, you are receding
A distant ship smoke on the horizon
You are only coming through in waves
Your lips move but I can't hear what you're saying
When I was a child I had a fever
My hands felt just like two balloons
Now I've got that feeling once again
I can't explain, you would not understand
This is not how I am
I have become comfortably numb

I have become comfortably numb

O.K.
Just a little pin prick
There'll be no more aaaaaaaah!
But you may feel a little sick

Can you stand up?
I do believe it's working, good
That'll keep you going through the show
Come on, it's time to go.

There is no pain you are receding
A distant ship smoke on the horizon
You are only coming through in waves
Your lips move but I can't hear what you're saying
When I was a child
I caught a fleeting glimpse
Out of the corner of my eye
I turned to look but it was gone
I cannot put my finger on it now
The child is grown
The dream is gone
I have become comfortably numb.