Friday, July 27, 2018

Blue Coat Proxy SG shortcuts


Under 'Statistics - Advanced' you'll find more then you need, here are a short sumary.

sysinfo & sysinfo-stat

# Sysinfo

# Core Images

# Access Logs

Check Point Cli Commands

Cli commands

Some good cli commands that are useful, I always forget the syntax so it's good to have them in one place.
 
### Cluster XL Debug
# Expert
clish -c "show routed cluster-state detailed"

# clish
show routed cluster-state detailed

##### VPN
### VPN encryption domain overlap
vpn overlap_encdom > temp.txt

### list tunnels
vpn tu tlist -p peer_ip

##### FW
### proxy arp and active local.arp
fw ctl arp -n

### CCC (good script (dangerous))
curl_cli http://dannyjung.de/ccc | zcat > /usr/bin/ccc && chmod +x /usr/bin/ccc

Wednesday, May 17, 2017

I WannaCry - Don't get ransomware

Backup process to avoid Ransomware.

This process will off course not protect me from getting my disk encrypted, but at least it will prevent my backups from also getting encrypted. I fear many people at home or at work don't have a good process to verify their data status and backup as well. 

How do I know If I got a ransomware on my NAS?
How do I prevent my backup from running if I got a ransomware?

For me I found myself a handy solution, my NAS rarely change a lot of files, most of them are static so a script that will check the number of changed files during the last 24h is sufficient.

The script will update Domoticz via json and set a Dummy Switch to 'Off' if there are too many files and also set a Dummy Alert with log. The Dummy Switch has a notification that will send me an email about the situation. The script will then bail out and no rsync between primary and secondary disk will occur.

The next day when the script starts again, by crontab, it will first check the status from Domoticz for the Dummy Switch, if that still is set to 'Off' no backup will occur and a new Log entry will be set for the utility Dummy Alert.

I then need to manually verify why I got more changed files than I expected on my NAS and then set my Dummy switch 'NAS_Backup_Script' to 'On' again.

Additional security to this script is to have a honeypot folder with documents of type that most ransomware will attack, and monitor any change in there, this method is a very good indication that you have some kind of intrusion in your network.

Other solutions could be if you got version based incremental backups to monitor the growth of the backup and have limits with alerts.


Find my process, and scripts at my GitHub

Sunday, February 26, 2017

Check Point Endpoint protection - SandBlast Agent

Check out the new features from Check Point with their new SandBlast Agent.

https://youtu.be/rXwCqrDcZJ4

https://www.checkpoint.com/products/endpoint-sandblast-agent/

Also take notice of that with the new firmware for the SMB series SandBlast is also available even on all embedded devices from the 700 to 1400 series.

Wednesday, April 6, 2016

IA (Identity Awareness) can be a pain, here are some short notes that helps in the troubleshoting. Check the smartlog that there is full access between the AD DC and the FW Gateway as the DCE-RPC uses dynamic high ports to communicate.

## Debug PFP on
pdp d s all all

## Debug PDP Off
pdp debug off

# Check logfile
tail -f /$FWDIR/log/pdpd.elg

# Check if PDPD is running
ps aux -| grep pdpd

# Try to restart it by killing, it will autorestart
killall pdpd

# Verify connectivity to AD (LDAP and WMI) that runs over DCE-RPC. 
Solution Title: How to use test_ad_connectivity to troubleshoot AD Query connectivity.
Solution ID: sk100406
Solution Link: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk100406

# Check pdp
pdp connections pep

# check pep
pep s pdp a

# View and control the AD Query (ADQ) status.
adlog a dc - Displays a table specifying which Domain Controllers this Security Gateway is connected to, their connectivity status and the number of events fetched in the last hour

adlog a query all - (or 'adlog a q a' for short) - Displays all of the identity information currently known by AD Query (ADQ)
If this shows error kill the pdpd and verify that it restarts. see above

adlog a query ip 1.1.1.1 - (or 'adlog a q i 1.1.1.1' for short) - Displays the information currently known for 1.1.1.1





Thursday, February 4, 2016

Deleting the ProxySG 'main' Access Log

Blue Coat SG810 Series#configure terminal
Enter configuration commands, one per line.  End with CTRL-Z.
Blue Coat SG810 Series#(config)access-log
Blue Coat SG810 Series#(config access-log)edit log main
Blue Coat SG810 Series#(config log main)commands delete-log
  ok
Blue Coat SG810 Series#(config log main)

Blue Coat SG810 Series#show access-log statistics main
Statistics:
Access Log (main) Statistics:
Log Manager Version 3
Log entry lifetime counter:     38029489
System Status:
  Log manager:                  enabled and running
  Upload client:                not connected
  Log writer:                   idle
  Log reader:                   idle
Log Information:
  Current log size:             0 bytes
  Maximum log size:             20000 MB
  Max size policy:              stop logging
  Bytes in write buffer :       184
  Tail sockets in use :         0
  Modified time:                2010-05-25 10:29:48+08:00MYT
Next Upload:
  Client type:                  bluecoat
  Next attempt:                 21 seconds
  Connect type:                 continuous upload
  Connect reason:               regular upload
  Retrying, failure count:      1
  Upload format:                gzip
Last Upload Attempt:
  Time:                         2010-05-25 10:29:48+08:00MYT
  Maximum bandwidth:            0.82 KB/sec
  Result:                       failure
Current/Last Upload File:
  Remote filename:              Not Applicable
  Remote size:                  0 bytes
Blue Coat SG810 Series#