Thursday, November 19, 2015
Export Checkpoint policy to HTML or XML format
Even though the SmartDashboard console is fantastic, sometimes you need to work with the rulebase in a different format.
Try the Web Visualization Tool from Check Point
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk64501
Note: You don't have to reboot your computer as the last step on Windows; you can add the tool's directory to the PATH of the current command prompt instead. The change only lasts for that cmd session, which is all you need to run the tool once. I hate to reboot.
c:\Users\admin> set path=%path%;your_path_to_application
Tuesday, November 17, 2015
tcpdump of SYNners
Shows the top 10 source IP addresses that start new TCP connections (SYN set, ACK clear). The capture is written to a file first, then summarised; -t drops the timestamp so the source address is the second field, and the sed strips the trailing .port from it:
# tcpdump -nnt -i Lan1 "tcp[tcpflags] & (tcp-syn) != 0" and "tcp[tcpflags] & (tcp-ack) == 0" >/var/log/tmp/lan1_syn.txt
# awk '{print $2}' /var/log/tmp/lan1_syn.txt | sed 's/\.[^.]*$//' | sort | uniq -c | sort -n | tail -n10
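The same count as a reusable function, added here as an example and not part of the original post. It reads saved tcpdump text output (produced with -nn, with or without -t, so a leading timestamp is tolerated) and, unlike the one-liner, re-checks the TCP flags on each line so a capture taken without the SYN/ACK filter still gives the right answer. The sample capture at the top is constructed for the example; the tcpdump line layout it assumes is the default "IP src.port > dst.port: Flags [S], ..." form.

```sh
# sample_capture: constructed tcpdump -nn output used to exercise the function offline.
# Line 4 is a SYN-ACK reply and line 7 a data segment; both must be ignored.
sample_capture() {
    cat <<'EOF'
IP 10.0.0.5.51234 > 192.0.2.10.443: Flags [S], seq 1, win 64240, length 0
IP 10.0.0.5.51235 > 192.0.2.10.443: Flags [S], seq 1, win 64240, length 0
IP 10.0.0.5.51236 > 192.0.2.11.80: Flags [S], seq 1, win 64240, length 0
IP 192.0.2.10.443 > 10.0.0.5.51234: Flags [S.], seq 1, ack 2, win 65535, length 0
IP 10.0.0.7.40000 > 192.0.2.10.443: Flags [S], seq 1, win 64240, length 0
12:00:01.000000 IP 10.0.0.7.40001 > 192.0.2.10.443: Flags [S], seq 1, win 64240, length 0
IP 10.0.0.9.40001 > 192.0.2.10.443: Flags [P.], seq 1:10, ack 1, win 501, length 9
EOF
}

# top_syn_sources [N] < capture.txt
# Prints "count source" for the N (default 10) addresses that sent the most
# pure SYNs (flags exactly [S]: SYN set, ACK clear). IPv4 and IPv6 lines are
# both handled; the port is always the last dot-separated field of the address.
top_syn_sources() {
    n="${1:-10}"
    awk '
        {
            src = ""; flags = ""
            # Locate the "IP"/"IP6" token so the function works whether or not
            # tcpdump was run with -t (without -t the first field is a timestamp).
            for (i = 1; i <= NF; i++) {
                if ($i == "IP" || $i == "IP6") { src = $(i + 1); flags = $(i + 5); break }
            }
            if (src == "") next
            sub(/,$/, "", flags)            # "[S]," -> "[S]"
            if (flags != "[S]") next        # drop SYN-ACKs ([S.]) and everything else
            sub(/\.[^.]*$/, "", src)        # strip the trailing .port
            print src
        }' \
    | sort | uniq -c | sort -rn | head -n "$n" \
    | awk '{ print $1, $2 }'                # normalise "     3 10.0.0.5" to "3 10.0.0.5"
}

# Usage on the file written by the tcpdump line above:
#   top_syn_sources 10 < /var/log/tmp/lan1_syn.txt
```

On the constructed sample this reports 10.0.0.5 with three SYNs and 10.0.0.7 with two; the SYN-ACK from 192.0.2.10 and the PSH/ACK from 10.0.0.9 do not appear.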
Friday, November 13, 2015
LDAP Account unit - SSL fingerprint
When the LDAP Account Unit uses a secure channel (LDAPS on port 636), the gateway verifies the AD server's certificate against a fingerprint stored in the Account Unit object. When that certificate is renewed in AD you must 'Fetch' a new fingerprint, or the connection stops working.
This is easy to forget, and easy to miss when it happens.
Solution:
Check Point's own suggestion is to simply delete the fingerprint and leave the field blank; the problem then never occurs. The downside is that the server certificate is no longer verified at all, so you have an increased risk of a man-in-the-middle attack on the LDAP channel.
Another solution would be to give one AD server a higher priority and leave it on the standard, unencrypted port 389, then monitor the logs for traffic to that host: when it shows up, you know an encrypted AD server has a problem. This is also a security risk, since all user passwords are then sent in clear text. So in my mind the first solution is the better choice.
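A third way to handle the "how do I know the certificate changed" problem is to keep the fingerprint and check it from the outside. The script below is an added example, not from the original post or from Check Point: it pulls the certificate an AD server presents on 636 with openssl and compares its SHA-1 fingerprint with the value stored in the Account Unit, in Nagios plug-in style (OK/CRITICAL, exit 0/2), so the check can sit next to the other Check Point checks. Assumptions: openssl is available on the host running the check, the Account Unit shows the fingerprint as colon-separated SHA-1 hex (any case, with or without an "SHA1 Fingerprint=" prefix, is accepted), and the host, port and fingerprint values in the usage line are placeholders.

```sh
# normalise_fp FINGERPRINT
# Uppercase hex with no colons, spaces or "SHA1 Fingerprint=" prefix, so the
# value pasted from the Account Unit and the value openssl prints compare equal.
normalise_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': ' | tr 'a-f' 'A-F'
}

# fingerprints_match EXPECTED ACTUAL
# Exit 0 when both normalise to the same non-empty string. An empty expected
# value is a failure on purpose: a blank fingerprint is exactly the "no
# verification" state the post warns about.
fingerprints_match() {
    e="$(normalise_fp "$1")"
    [ -n "$e" ] && [ "$e" = "$(normalise_fp "$2")" ]
}

# live_fingerprint HOST [PORT]
# SHA-1 fingerprint of the leaf certificate served on HOST:PORT (needs network).
live_fingerprint() {
    host="$1"; port="${2:-636}"
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
      | openssl x509 -noout -fingerprint -sha1 \
      | sed 's/^.*=//'
}

# check_ad_fingerprint HOST EXPECTED_FP [PORT]
# Nagios-style result: prints one status line, returns 0 (OK) or 2 (CRITICAL).
check_ad_fingerprint() {
    host="$1"; expected="$2"; port="${3:-636}"
    actual="$(live_fingerprint "$host" "$port")"
    if [ -z "$actual" ]; then
        echo "CRITICAL - no certificate received from $host:$port"
        return 2
    fi
    if fingerprints_match "$expected" "$actual"; then
        echo "OK - $host:$port certificate matches the Account Unit fingerprint"
        return 0
    fi
    echo "CRITICAL - $host:$port certificate changed (now $actual); fetch a new fingerprint in the LDAP Account Unit"
    return 2
}

# Usage (placeholder host and fingerprint):
#   check_ad_fingerprint dc01.example.com "AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01"
```

Run it from the management server or any host that can reach the domain controllers; an alert a day or two before the old certificate expires is the difference between a planned "Fetch" and a help desk full of users who cannot log in.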
Wednesday, November 11, 2015
The End Of Unix Time
January 18 2038, 02:00 - 07:00 PM PST (the counter itself reaches 0x7FFFFFFF at 19:14:07 PST, which is 03:14:07 UTC on January 19)
Put the date in your calendar. When our primitive 32-bit signed time_t type rolls over, it will be time for a massive party. That is, unless we somehow find some more bits.
Where (time() == 0x7FFFFFFF)
Blue Coat web filter categorises my blog as 'suspicious'
What!
If you don't agree with Blue Coat's categorisation you can request a review and suggest a category. On the same page you can also check how other sites are categorised, which is handy for testing your ProxySG.
https://sitereview.bluecoat.com/sitereview.jsp
Tuesday, November 10, 2015
Nagios plug-in Checkpoint
check_cpfw1_v3 is a really good plug-in for checking your cluster status, your management server and other things; I have used it for several years with success.
Nagios plug-in
Status of cluster interfaces is displayed as "Partially up"
Does SmartView Monitor, or the output of 'cphastat -f all', show this randomly for interfaces?
Don't worry: the status of the cluster interfaces is simply being checked incorrectly, and the hotfix from Check Point is only cosmetic. I got this confirmed the other day in a chat session with Check Point.
Solution ID: sk106488
"NAT Hide failure - there are currently no available ports for hide operation"
Today we finally hit the wall and ran out of free ports for NAT. In my case the error was expected sooner or later, because too many hosts hide behind the same IP.
We solved this incident by changing hide_max_high_port from 60000 to 50000 in the database using GuiDBedit and then installing the policy. This gave us an additional 10000 ports for hide NAT.
Some useful hints for troubleshooting (the column numbers below are the ones that worked for me; check the header of 'fw tab -t connections -f' on your version before relying on them):
fw tab -t connections -f -u | awk '{print $9","$11","$13","$15","$43}' > /tmp/connections.txt
Summary - top 20 sources
awk -F"," '{print $1}' /tmp/connections.txt | sort -n | uniq -c | sort -rn | head -20
Summary - top 20 destinations
awk -F"," '{print $3}' /tmp/connections.txt | sort -n | uniq -c | sort -rn | head -20
From R77.30 you can check the port allocation mode:
[Expert@HostName]# fw ctl get int fwx_nat_dynamic_port_allocation
Solution ID: sk103656
Other good resources for this:
sk86401: Connections with Hide NAT are dropped during policy installation due to NAT port allocation failure when CoreXL is enabled
sk36708: NAT table reaches its maximum capacity on ClusterXL, which causes traffic issues
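The top-20 lists above tell you who is busiest, but not how close you are to the wall. The function below is an added example, not from the original post or from Check Point: it reads the comma-separated dump produced by the fw tab/awk line above (src,sport,dst,dport,...) and reports, per destination IP:port, how much of the hide-NAT high port range that many concurrent connections would consume, returning 2 when any destination is at or above 80 % so it can be wired into monitoring. Assumptions: every line in the dump is a connection hidden behind one NAT address (filter the dump by source network first if that is not the case), and the range is hide_min_high_port to hide_max_high_port, taken here as 10000 and 60000 (60000 is the value the post started from; 10000 is assumed). The sample dump is constructed.

```sh
# sample_connections: constructed dump in the src,sport,dst,dport,... layout.
sample_connections() {
    cat <<'EOF'
10.1.1.10,51000,192.0.2.10,443,0
10.1.1.11,51001,192.0.2.10,443,0
10.1.1.12,51002,192.0.2.10,443,0
10.1.1.13,51003,192.0.2.10,443,0
10.1.1.10,51004,192.0.2.20,80,0
10.1.1.14,51005,192.0.2.20,80,0
EOF
}

# nat_port_pressure [MIN] [MAX] [N] < /tmp/connections.txt
# Prints "dst:dport connections percent" for the N busiest destinations, where
# percent is the share of the MIN..MAX high port range those connections occupy
# when all of them are hidden behind a single NAT address. Exit status is 2 if
# any destination is at or above 80 %, otherwise 0.
nat_port_pressure() {
    min="${1:-10000}"; max="${2:-60000}"; n="${3:-20}"
    # Count connections per destination IP:port ...
    awk -F, 'NF >= 4 { c[$3 ":" $4]++ } END { for (k in c) print k, c[k] }' \
    | sort -k2,2nr \
    | head -n "$n" \
    | awk -v range="$((max - min + 1))" '
        # ... then express each count as a percentage of the usable port range.
        { pct = int($2 * 100 / range); print $1, $2, pct "%"; if (pct >= 80) hot = 1 }
        END { exit hot ? 2 : 0 }'
}

# Usage on the dump written by the fw tab line above, with the post-change range:
#   nat_port_pressure 10000 50000 20 < /tmp/connections.txt
```

Reading the result: hide NAT needs one free source port per concurrent connection to the same destination IP and port, so the destination at the top of this list is the one that will produce "no available ports for hide operation" first, and lowering the percentage means either fewer connections to it or more hide addresses in front of it.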
Load on Module Failed - R77.30 GAIA
Recently several Gaia R77.30 clusters have failed with "Load on Module Failed" during policy installation; the cluster members then went into the 'down' state and stopped passing traffic.
According to Check Point R&D this is a bug in Application Control, and the only workaround so far is to disable that blade. Contact Check Point to obtain a hotfix.
Monday, November 9, 2015
Checkpoint OPSEC LEA Splunk
If you intend to index your firewall logs into Splunk, consider the size. Logs indexed in Splunk normally end up at about half their original size, but in this case, because the Check Point log format is binary, the indexed log ends up about three times as big.
With that in mind, and with SmartLog actually working so well, I wouldn't index all logs, only the Management logs.
Sunday, November 8, 2015
In your head
Hello,
Is there anybody in there?
Just nod if you can hear me.
Is there anyone at home?
Come on now
I hear you're feeling down
Well, I can ease your pain
And get you on your feet again
Relax
I'll need some information first
Just the basic facts
Can you show me where it hurts?
There is no pain, you are receding
A distant ship smoke on the horizon
You are only coming through in waves
Your lips move but I can't hear what you're saying
When I was a child I had a fever
My hands felt just like two balloons
Now I've got that feeling once again
I can't explain, you would not understand
This is not how I am
I have become comfortably numb
I have become comfortably numb
O.K.
Just a little pin prick
There'll be no more aaaaaaaah!
But you may feel a little sick
Can you stand up?
I do believe it's working, good
That'll keep you going through the show
Come on, it's time to go.
There is no pain you are receding
A distant ship smoke on the horizon
You are only coming through in waves
Your lips move but I can't hear what you're saying
When I was a child
I caught a fleeting glimpse
Out of the corner of my eye
I turned to look but it was gone
I cannot put my finger on it now
The child is grown
The dream is gone
I have become comfortably numb.