Wednesday, January 27, 2016

CP HOW TO CUSTOM

________________
  • ISP REDUNDANCY
  • APPLY HFA in FIREWALL CLUSTER
  • L2TP
  • SSL NETWORK EXTENDER
  • MOBILE ACCESS BLADE IPHONE/IPAD SUPPORT
  • IDENTITY AWARENESS
  • SMART EVENT
  • SECURE CLIENT E75.20
  • CERTIFICATE 3rd Party
  • ENDPOINT SECURITY SERVER (install/upgrade)
_________________

How to Configure ISP Redundancy in SecurePlatform
* sk23630: Advanced configuration options for ISP redundancy
* sk40958: How do I verify the status of redundant ISP links from the firewall console?
....
cpstat fw
fw isp_link ISP-1 down
fw isp_link ISP-1 up
.....
* sk61692: Troubleshooting ISP Redundancy
* sk25129: Supported platforms for ISP Redundancy
* sk83900: ISP Redundancy failover is not working in GAIA
* sk34209: Static (Hide) NAT fails for outgoing connections through gateway with ISP Redundancy
* sk25152: Static NAT (Hide NAT) is failing for outgoing connections through Gateway with ISP Redundancy (A/S)
* sk42636: Controlling connections through Gateway that is configured with ISP Redundancy in Load Sharing mode

*blog:isp-redundancy-routed-public-networks

On the Security Gateway or cluster (on each cluster member), run the following commands:

dynamic_objects -n DYN_ISP_A
dynamic_objects -n DYN_ISP_B
dynamic_objects -o DYN_ISP_A -r 0.0.0.0 0.0.0.0 -a
dynamic_objects -o DYN_ISP_B -r 0.0.0.0 0.0.0.0 -a

On the management server, create the dynamic objects and the NAT rule that uses them:

DYN_ISP_A
DYN_ISP_B


OLD VERSION (with splat)
On the Gateway or cluster (on each cluster member), edit $FWDIR/bin/cpisp_update, and add the following lines before the "exit" line: 


......
if ($USE_LINK1 == "1") then
  dynamic_objects -o DYN_ISP_A -r 0.0.0.0 255.255.255.255 -a
  dynamic_objects -o DYN_ISP_B -r 0.0.0.0 255.255.255.255 -d
  dynamic_objects -o DYN_ISP_B -r 0.0.0.0 0.0.0.0 -a
else
  dynamic_objects -o DYN_ISP_B -r 0.0.0.0 255.255.255.255 -a
  dynamic_objects -o DYN_ISP_A -r 0.0.0.0 255.255.255.255 -d
  dynamic_objects -o DYN_ISP_A -r 0.0.0.0 0.0.0.0 -a
endif

NEW VERSION (with Gaia) 

[Expert@fw]# more $FWDIR/bin/cpisp_update

#! /bin/csh -f

#
# (c) Copyright 1993-2005 Check Point Software Technologies Ltd.
# All rights reserved.
#
# This is proprietary information of Check Point Software Technologies
# Ltd., which is provided for informational purposes only and for use
# solely in conjunction with the authorized use of Check Point Software
# Technologies Ltd. products.  The viewing and use of this information is
# subject, to the extent appropriate, to the terms and conditions of the
# license agreement that authorizes the use of the relevant product.
#
# $RCSfile: cpisp_update.csh,v $ $Revision: 1.1.6.1.4.3 $ $Date: 2005/01/17 19:56:17 $
#
# This script is called whenever an ISP link changes state and when the
# firewall starts.
# The script is called with the following arguments:
# ISP1NAME { primary|backup } INTERFACE NEXTHOP {up|down}
# ISP2NAME { primary|backup } INTERFACE NEXTHOP {up|down}
# When enabled, this script will set the default route of the gateway to be:
# In a primary/backup configuration:
# The next hop of the primary link if it is up or if both links are down,
# otherwise the next hop of the backup is used.
# In a load sharing configuration:
# The next hop of the first link if it is up or if both links are down,
# otherwise the next hop of the second ISP is used.

# To disable the script uncomment the following line.

# exit 1

fw ctl set int fwx_do_nat_cache 0

set LINK1_NAME          = $1
set LINK1_MODE          = $2
set LINK1_INTERFACE     = $3
set LINK1_NEXTHOP       = $4
set LINK1_STATE         = $5
set LINK2_NAME          = $6
set LINK2_MODE          = $7
set LINK2_INTERFACE     = $8
set LINK2_NEXTHOP       = $9
set LINK2_STATE         = $10

if (-f /image/current/kernel) then
        set ipso = 1
else
        set ipso = 0
endif

if (-f /proc/kmsg) then
        set linux = 1
else
        set linux = 0
endif

if (-f /etc/appliance_config.xml) then
        set gaia = 1
else
        set gaia = 0
endif

# Bias towards first link in a load sharing configuration.
if (($LINK1_MODE == "backup") && ($LINK2_MODE == "backup")) then
        set LINK1_MODE = "primary"
endif

if (($LINK1_MODE == "primary")) then
        if (($LINK2_STATE == "up") && ($LINK1_STATE == "down")) then
                set USE_LINK1 = 0
        else
                set USE_LINK1 = 1
        endif
else
        if (($LINK1_STATE == "up") && ($LINK2_STATE == "down")) then
                set USE_LINK1 = 1
        else
                set USE_LINK1 = 0
        endif
endif

# Custom block: give the catch-all range to the dynamic object of the ISP in use
# and empty the other one, so the NAT rules built on these objects follow the active link.
if ($USE_LINK1 == "1") then
        dynamic_objects -o Dyn_Navigazione_ACom -r 0.0.0.0 255.255.255.255 -a
        dynamic_objects -o Dyn_Navigazione_BCom -r 0.0.0.0 255.255.255.255 -d
        dynamic_objects -o Dyn_Navigazione_BCom -r 0.0.0.0 0.0.0.0 -a
else
        dynamic_objects -o Dyn_Navigazione_BCom -r 0.0.0.0 255.255.255.255 -a
        dynamic_objects -o Dyn_Navigazione_ACom -r 0.0.0.0 255.255.255.255 -d
        dynamic_objects -o Dyn_Navigazione_ACom -r 0.0.0.0 0.0.0.0 -a
endif

if ($ipso == 1 || $gaia == 1) then
        setenv USER admin
        if ($ipso == 1) then
                set os = "IPSO"
        else
                set os = "GAIA"
        endif

        if ($USE_LINK1 == "1") then
                if ($LINK1_NEXTHOP == "0.0.0.0") then
                        echo "Next hop must be specified on $os"
                        exit 1
                else
                        clish -c "set config-lock on override"
                        clish -c "set static-route default nexthop gateway address $LINK1_NEXTHOP on" >& /dev/null
                        clish -c "set static-route default nexthop gateway address $LINK2_NEXTHOP off" >& /dev/null
                endif
        else
                if ($LINK2_NEXTHOP == "0.0.0.0") then
                        echo "Next hop must be specified on $os"
                        exit 1
                else
                        clish -c "set config-lock on override"
                        clish -c "set static-route default nexthop gateway address $LINK2_NEXTHOP on" >& /dev/null
                        clish -c "set static-route default nexthop gateway address $LINK1_NEXTHOP off" >& /dev/null
                endif
        endif
else if ($linux == 1) then
        set IPROUTE                     = /sbin/ip

        if ($USE_LINK1 == "1") then
                if ($LINK1_NEXTHOP == "0.0.0.0") then
                        $IPROUTE route replace default dev $LINK1_INTERFACE
                else
                        $IPROUTE route replace default via $LINK1_NEXTHOP dev $LINK1_INTERFACE
                endif
        else
                if ($LINK2_NEXTHOP == "0.0.0.0") then
                        $IPROUTE route replace default dev $LINK2_INTERFACE
                else
                        $IPROUTE route replace default via $LINK2_NEXTHOP dev $LINK2_INTERFACE
                endif
        endif
else
        echo "Unsupported platform"
        exit 1
endif

fw ctl set int fwx_do_nat_cache 1

exit 0
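The link selection that cpisp_update performs, and the dynamic_objects commands the custom block drives from it, as an added dry-run model written for this page (it is not Check Point's script). It reimplements the USE_LINK1 decision in POSIX sh and prints, for every combination of link mode and state, which dynamic_objects commands the hook would run against the DYN_ISP_A / DYN_ISP_B objects defined earlier, so the failover matrix can be reviewed on a workstation before the live hook on the gateway is edited. The object names come from the page; the link states fed in are constructed test input.

```shell
#!/bin/sh
# Added dry-run model of the cpisp_update link selection (not Check Point's script).
# Object names DYN_ISP_A / DYN_ISP_B are the ones created earlier on this page;
# the link states fed in below are constructed test input.

# select_link MODE1 STATE1 MODE2 STATE2 -> prints 1 (use ISP link 1) or 2 (use ISP link 2).
# Mirrors the csh logic: in load sharing (both links "backup") link 1 is treated as
# primary; the primary is kept while it is up and also when both links are down.
select_link() {
    mode1=$1; state1=$2; mode2=$3; state2=$4
    if [ "$mode1" = "backup" ] && [ "$mode2" = "backup" ]; then
        mode1=primary
    fi
    if [ "$mode1" = "primary" ]; then
        if [ "$state2" = "up" ] && [ "$state1" = "down" ]; then echo 2; else echo 1; fi
    else
        if [ "$state1" = "up" ] && [ "$state2" = "down" ]; then echo 1; else echo 2; fi
    fi
}

# dyn_obj_commands ACTIVE STANDBY -> the three dynamic_objects calls the hook runs:
# the active object receives the catch-all range, the standby object has its range
# deleted and the null range 0.0.0.0 0.0.0.0 added back, as the script on the page does.
dyn_obj_commands() {
    echo "dynamic_objects -o $1 -r 0.0.0.0 255.255.255.255 -a"
    echo "dynamic_objects -o $2 -r 0.0.0.0 255.255.255.255 -d"
    echo "dynamic_objects -o $2 -r 0.0.0.0 0.0.0.0 -a"
}

# plan MODE1 STATE1 MODE2 STATE2 -> the commands the hook would run for that state.
plan() {
    if [ "$(select_link "$1" "$2" "$3" "$4")" = 1 ]; then
        dyn_obj_commands DYN_ISP_A DYN_ISP_B
    else
        dyn_obj_commands DYN_ISP_B DYN_ISP_A
    fi
}

# Print the full failover matrix for review before the hook is installed.
for combo in "primary up backup up" "primary down backup up" "primary down backup down" \
             "backup up primary down" "backup down primary up" \
             "backup up backup up" "backup down backup up"; do
    set -- $combo
    echo "# link1=$1/$2 link2=$3/$4 -> use link $(select_link "$1" "$2" "$3" "$4")"
    plan "$1" "$2" "$3" "$4"
done
```

Run it as is to print the matrix; the two cases worth reading closely are "primary down / backup down" (the primary keeps the catch-all range, so nothing is switched when both ISPs are lost) and the load-sharing rows, where the first link wins every tie.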


____________

  • APPLY HFA in FIREWALL CLUSTER

See "Full Connectivity Upgrade" in the Installation and Upgrade Guide (CP_R75.40_Installation_and_Upgrade_Guide.pdf).

hfa-install-ipso-4-0-vrrp


1.) Installed HFA on the backup system and rebooted the system: state-sync was "ready"
2.) On the backup system I issued a fw fcu <primary IP>
It reported a successful full-sync and the active cluster node stopped processing traffic (oops!).
3.) I changed the VRRP priority so that the backup system got the higher priority, still no traffic was processed.
4.) I installed the HFA (which issues a cpstop) on the other node, still no traffic
5.) The cluster started to work again after the reboot of the second cluster node.


1. issue a "cphaconf set_ccp broadcast" on all cluster members
2. upgrade the backup node (I've used SmartUpdate)
3. check HA status: "cphaprob stat" - the upgraded node should be down and the active node should be active or active attention
4. issue the following command on the upgraded machine: "fw fcu <here the IP of the sync interface of the other node>"
5. issue a "cphastop" on the active node -> now IPSO will fail over and the upgraded node will become master
6. upgrade the remaining node; after the node is upgraded it will return to master state and process the traffic again
7. issue a "cphaconf set_ccp multicast" on all members to return to sync via multicast (optional)

----------------------------------------------------------------------------------------------

 

1.  Run cphaconf set_ccp broadcast on all cluster members
2.  Check licenses
3.  Upgrade firewall B
4.  Reboot
5.  Install policy
6.  Run cphaprob stat (executed on a cluster member) and verify that the status of cluster member A is Active or Active Attention. The remaining cluster members will have a Ready status.
7.  Run fw fcu <other member ip on sync network>
8.  cphastop firewall A
9.  cpstop firewall A
10. Upgrade firewall A
11. Reboot
12. Install policy
13. Run cphaconf set_ccp multicast followed by cphastart on all cluster members

##############################################################################


  • L2TP

    Solution ID:sk63324  Version: R71.30  


    Gateway Configuration
    To configure L2TP support for the gateways:
    1. Enable L2TP on the specific gateway ('Gateway Properties > IPSEC VPN > Remote Access'): select the "Support L2TP" checkbox.
    2. L2TP requires an Office Mode definition for the Security Gateway: 'Gateway Properties > Remote Access > Office Mode'. Define:
       • Allow Office Mode to all users (or to a specific group).
       • The Office Mode method, e.g. "Manual (Using IP pool)", and the Office Mode network pool addresses.
       • The DNS server of the organization and its domain suffix, in the "IP Pool Optional Parameters" window.
       * For more Office Mode configuration methods and options see the VPN Gateway Admin Guide.
    3. Configure a global Pre-Shared key: 'Global Properties > Remote Access > VPN Authentication > Support L2TP with Pre-Shared key'.

    Note: For Security Gateway versions before R71 there was no GUI for configuring the Pre-Shared key.
    It was configured in a file called l2tp.conf on the Security Gateway under $FWDIR/conf.

    iPhone Configuration
    To configure L2TP on the iPhone:
    1. From your iPhone home screen, go to 'Settings > General > Network > VPN > Add Configuration'.
    2. In the L2TP page, provide your VPN-1 server FQDN (DNS name) or IP address, your user name, and the global shared secret.
    Connecting to the VPN Security Gateway:
    1. Go to Settings and set the VPN switch to "ON". The Password screen appears. Enter your password.

    Android Configuration
    To configure L2TP on the Android device:
    1. Go to the device's 'Settings > Wireless & Networks > VPN Settings > Add VPN' and select "Add L2TP/IPSec PSK VPN".
    2. In the opened window:
       1. Give a VPN Name to your connection (e.g. MyVpn).
       2. In "Set VPN Server", provide your VPN-1 server FQDN (DNS name) or IP address.
       3. In "Set IPSec pre shared key", set the global pre shared secret key.
       4. You might be asked to enter the storage credentials. If it is the first time that you are using the storage, you will have to define a new password for it.
       5. Tap on menu to save changes.
    3. The VPN connection will be added to your VPN Settings configuration.

    Connecting to the VPN Security Gateway:
    1. Go to the device's 'Settings > Wireless & Networks > VPN Settings' and select your VPN connection. The user name and Password screen appears. Enter your credentials for authentication.

    Important: We don't recommend using the L2TP option in Android due to security vulnerability issues.


Solution ID:sk44967

Configuration on iPhone:
  1. From your iPhone home screen, go to 'Settings' > 'General' > 'Network' > 'VPN' > 'Settings'.
  2. Configure your VPN-1 server FQDN (DNS name) or IP address, your user name, and the global shared secret.
  3. Switch the 'VPN' option to ON.
  4. A password prompt appears. Enter your password or (if used) your RSA SecurID one-time password.
Configuration on gateway:
  1. Enable L2TP on the specific gateway (go to 'Gateway properties' > 'Remote Access').
  2. For R71 and higher: in SmartDashboard, go to 'Global Properties' > 'Remote Access' > 'VPN-Authentication' tab and enter the pre-shared key in 'Support L2TP with Pre-Shared Key'.
     For R70.x and lower: enter the shared secret into the $FWDIR/conf/l2tp.conf file.
  3. Enable Office Mode (L2TP requirement): go to 'Gateway Properties' > 'Remote Access' > 'Office Mode'.

*** IMPORTANT NOTE ***
The iPhone L2TP/IPSec VPN client has some limitations and is not as fully featured as the VPN client on the MacOS: EAP (MD5) is not supported, so you need to change the 'Authentication Method' from 'MD5-CHALLENGE' to 'Smart Card or other certificate...' in Remote Access, under the 'L2TP support' option.
To fix this you need to disable the built-in SecurID feature on the iPhone / iPad (the feature should be switched to OFF) and instead put the PIN code before the token code when entering the password field, e.g.:
PIN: 1234
Token Code: 777777
So this would make the password: 1234777777

How to debug L2TP issues

To troubleshoot L2TP problems, debug the VPN process by running the vpn debug on command from the command line.

From another shell/window run the kernel debug simultaneously:

fw ctl debug 0
fw ctl debug -buf 8192
fw ctl debug -m VPN all
fw ctl kdebug -f > file_name


To turn off the debug, run the following commands:

vpn debug off
fw ctl debug 0

##############################################################################

  • SSL NETWORK EXTENDER

ipassignment.conf is located on the firewall module in $FWDIR/conf.
Verify its configuration with this SPLAT command:
# vpn ipafile_check ipassignment.conf detail
Checking the Syntax of the ipassignment.conf file

I remembered what we did:

1. On the Gateway object, under VPN, VPN Advanced, we enabled Dynamic Interface Resolution for SecuRemote/SecureClient upon tunnel initialization. Prior to that Office mode would not work at all.
2. After that the gateway didn't seem to recognise the name of the firewall in the Module column of the ipassignment.conf, so now we just use *
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------
  • MOBILE ACCESS BLADE IPHONE/IPAD SUPPORT 


    Configure iPhone Support
    You can enable support for iPhone and iPad to allow these devices to access Web applications and ActiveSync with the Check Point Mobile for iPhone and iPad.
    When you enable the Mobile Access Software Blade, all users can authenticate to the gateway with the iPhone app and with the Mobile Access portal. To change the authentication method for the Mobile Access portal, refer to the R75 Mobile Access Administration Guide (http://supportcontent.checkpoint.com/documentation_download?ID=11673). Or, you can disable the Mobile Access portal.

  • To enable support for iPhone and iPad on the Mobile Access gateway:
    1.  On the Mobile Access gateway, run: cvpnd_settings set MobileAppAllowed "true"
    2.  Restart the Mobile Access Software Blade services: cvpnrestart

  • To disable the Mobile Access portal for all other remote access traffic, run: toggleCvpnPortal off

  • To enable the portal for all remote access traffic, run: toggleCvpnPortal on

    Note - If you use a cluster, repeat each of these actions for all members of a cluster.

    sk53002: Check Point Mobile for iPhone configuration in R71.30 enables user/password authentication to the Mobile Access Blade Portal 

    R75 Support for iPhone and Skype Release Notes

    KNOWN LIMITATIONS

    R71.30

    Check Point Mobile for iPhone and iPad
    • 00624534 - The Link Translation Domain feature is not supported with iPhones. Disable Link Translation Domain on Mobile Access gateways before you connect to them with the iPhone App.
    • 00573299 - If this supplement is installed, the Mobile Access portal supports username and password authentication only.
    • 00597730 - Interactive Simultaneous Login Prevention (SLP) is not supported.
    • 00568280 - Application protection levels that include authentication settings are not supported.

    R75

  • 00624534 - The Link Translation Domain feature is not supported with iPhones. Disable Link Translation Domain on Mobile Access gateways before you connect to them with the iPhone App.

  • 00597730 - Interactive Simultaneous Login Prevention (SLP) is not supported.

  • 00568280 - Application protection levels that include authentication settings are not supported.

  • 00644551 - After you configure your mail settings, the Mail Setup application is removed from the Check Point Mobile application list.
    If you need to configure the mail settings again, tap the Options icon in the bottom-left corner of the Check Point Mobile application and set "Enable Mail Settings" to On. Now the Mail Setup application is listed again in the Check Point Mobile application list.

  • 00643766 - Internal user passwords can be up to 8 ASCII characters.

 Native Application

 -g 1024x768 -l WARN -d domain.local -u $$user 169.169.169.169

More Info : R75.40 Mobile Access Administration Guide

##############################################################################


  • IDENTITY AWARENESS

To enable Identity Awareness:
  1. Log in to SmartDashboard.
  2. From the Network Objects tree, expand the Check Point branch.
  3. Double-click the gateway on which to enable Identity Awareness.
  4. On the General Properties page > Additional Features section, select Identity Awareness.
     Or: from the Gateway Properties tree, select Identity Awareness. On the Identity Awareness page, select Enable Identity Awareness.
     The Identity Awareness Configuration wizard opens.
  5. Select one or both options. These options set the methods for acquiring identities of managed and unmanaged assets.
     · AD Query - Lets the Security Gateway seamlessly identify Active Directory users and computers.
     · Captive Portal - Sends users to a Web page to acquire identities from unidentified users.
     See Choosing Identity Sources (on page 43).
  6. Click Next.
     The Integration With Active Directory window opens.
     When SmartDashboard is part of the domain, SmartDashboard suggests this domain automatically. If you select this domain, the system creates an LDAP Account Unit with all of the domain controllers in the organization's Active Directory.
     Note - We highly recommend that you go to the LDAP Account Unit and make sure that only necessary domain controllers are in the list. If AD Query is not required to operate with some of the domain controllers, delete them from the LDAP Servers list.
     With the Identity Awareness configuration wizard you can use existing LDAP Account units or create a new one for one AD domain. If you create a new domain, the LDAP account unit that the system creates contains only the domain controller you set manually. If it is necessary for AD Query to fetch data from other domain controllers, you must add them at a later time manually to the LDAP Servers list after you complete the wizard.
     To view/edit the LDAP Account Unit object, go to the Firewall tab > Servers and OPSEC Applications tab in the objects tree > LDAP Account Unit.
     The LDAP Account Unit name syntax is: <domain name>__AD
  7. From the Select an Active Directory list, select the Active Directory to configure from the list that shows configured LDAP account units, or create a new domain. If you have not set up Active Directory, you need to enter a domain name, username, password and domain controller credentials.
  8. Enter the Active Directory credentials and click Connect to verify the credentials.
     Important - For AD Query you must enter domain administrator credentials. For Captive Portal standard credentials are sufficient.
  9. If you selected to use Captive Portal and do not wish to configure Active Directory, select I do not wish to configure Captive Portal at this time and click Next.
  10. Click Next.
     If you selected Captive Portal on the first page, the Captive Portal Settings page opens.
  11. In the Captive Portal Settings page, select a URL for the portal, where unidentified users will be directed.
     All IP addresses configured for the gateway show in the list. The IP address selected by default is the <gateway's main IP address>/connect.
     The same IP address can be used for other portals with different paths. For example:
     · Identity Awareness Captive Portal - 10.10.20.1/connect
     · DLP Portal - 2.2.2.2/DLP
     · Mobile Access Portal - 2.2.2.2/sslvpn
  12. By default, the portal is accessible only through internal interfaces. To change this, click Edit. We do not recommend that you make the portal accessible through external interfaces on a perimeter gateway.
  13. Click Next to complete the wizard and see what is configured.
     The Identity Awareness is Now Active page opens.
  14. Click Finish.
  15. Select Policy Install from the SmartDashboard menu.

Results of the Wizard

These are the results of the wizard:
  · Depending on the acquisition methods you set, Active Directory and / or Captive Portal become active.
  · When you set an Active Directory domain, the system creates an LDAP Account Unit object for the Active Directory domain.
    To view/edit the LDAP Account Unit object, go to the Firewall tab > Servers and OPSEC Applications tab in the objects tree > LDAP Account Unit.
    The LDAP Account Unit name syntax is: <domain name>__AD
    For example, CORP.ACME.COM__AD.


##############################################################################

  • SMART EVENT

    See Installation and Upgrade Guide 

    See Administrator Guide

 ##############################################################################


  • Secure Client E75.x

-          Enabled HTTPS traffic from any to the firewall
-          Enabled Visitor Mode support on the HTTPS port in the IPsec VPN > Remote Access menu of the firewall gateway



##############################################################################

  • CERTIFICATE 3rd Party

    Example: Rapid SSL

    Download and install the CA and the subordinate CA (CAsub).

    Test site.

    How To: Add a Root Certificate and Subordinate (Intermediate) Certificate & Request a CSR

    1. Open the SmartDashboard so you can see all of your network devices.
    2. Right-click Trusted CAs > New CA > Trusted...
    3. Give it a name, e.g. DigiCert_Root (HTTP servers must be checked in the 2nd tab for that), then click the OPSEC PKI tab.
    4. Click the Get button and open the file 'TrustedRoot.crt' that DigiCert sent to you.
    5. When asked 'Do you accept this certificate authority certificate?' click Ok.
    6. Right-click Trusted CAs > New CA > Subordinate...
    7. Give it a name, e.g. DigiCertCA_Intermediate. Then click the OPSEC PKI tab, click Get and find the DigiCertCA.crt file. Then click Ok to trust this certificate.
    8. Gateway Cluster > VPN > Add > Certificate Nickname (e.g. FQDN).
       Open the device properties for the device you want the SSL certificate to be sent out from, and click 'Add' to create a CSR.
    9. Create a Nickname for the certificate (e.g. DigiCert or yourdomain.com). For the CA to enroll from, choose the intermediate you made (e.g. DigiCert_Intermediate). Then click the Generate button.
    10. When a popup window says this can't be undone, click Yes.
    11. Enter all of the CSR details into a single line, including your country code.
        DN: CN=vpn.yourdomain.com,O=Your Company Inc,L=City,ST=State,C=US
        Example: CN=vpn.yourdomain.it,C=IT
        Then click Ok. If you are getting a SAN certificate, click 'Define Alternate Names' and specify those when prompted.
    12. Click View to see the CSR, then choose either 'Copy to Clipboard' or 'Save to file' for re-entering in the order form.
    13. Then during the DigiCert ordering process for Server type: choose 'Other', then when prompted you can upload or paste your CSR file.
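The chain the steps above install, built and checked with openssl on a workstation, as an added example (not Check Point's or the CA's code): a constructed test root, an intermediate signed by it, and a server CSR carrying the DN from step 11, signed by the intermediate. The two verify calls show why both the Trusted CA (root) and the Subordinate CA (intermediate) have to be installed on the gateway: with the root alone the server certificate does not validate, which is the usual cause of browser and client trust errors after a third-party certificate is imported. All CA names and the temporary directory are constructed test values; the real DigiCert files (TrustedRoot.crt, DigiCertCA.crt) are not used.

```shell
#!/bin/sh
# Added example (not Check Point's or DigiCert's code): build a throwaway
# root -> intermediate -> server chain with openssl and verify it the way the
# gateway needs it (root as Trusted CA, intermediate as Subordinate CA).
# CA names below are constructed test values; the server DN is the one on the page.
set -eu

# build_chain DIR: generate root CA, intermediate CA, server CSR and cert into DIR
build_chain() {
    d=$1
    # Minimal req config so openssl req does not depend on the system openssl.cnf
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$d/req.cnf"
    # CA extensions: root and intermediate must both be marked as CAs
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    # Server extensions: the SAN carries the names clients will connect to (step 11, 'Define Alternate Names')
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:vpn.yourdomain.com,DNS:vpn.yourdomain.it\n' > "$d/srv.ext"

    # Root CA, self-signed (plays the role of TrustedRoot.crt)
    openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -nodes -keyout "$d/root.key" \
        -out "$d/root.csr" -subj "/CN=Example Test Root CA/O=Example/C=US" >/dev/null 2>&1
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 -sha256 \
        -extfile "$d/ca.ext" -out "$d/root.crt" >/dev/null 2>&1
    # Intermediate CA, signed by the root (plays the role of DigiCertCA.crt)
    openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -nodes -keyout "$d/int.key" \
        -out "$d/int.csr" -subj "/CN=Example Test Intermediate CA/O=Example/C=US" >/dev/null 2>&1
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
        -days 2 -sha256 -extfile "$d/ca.ext" -out "$d/int.crt" >/dev/null 2>&1
    # Server CSR with the DN from step 11, then the certificate the CA would return
    openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -nodes -keyout "$d/srv.key" \
        -out "$d/srv.csr" -subj "/C=US/ST=State/L=City/O=Your Company Inc/CN=vpn.yourdomain.com" >/dev/null 2>&1
    openssl x509 -req -in "$d/srv.csr" -CA "$d/int.crt" -CAkey "$d/int.key" -CAcreateserial \
        -days 2 -sha256 -extfile "$d/srv.ext" -out "$d/srv.crt" >/dev/null 2>&1
}

# verify_full_chain DIR: succeeds only when both root and intermediate are available
verify_full_chain() {
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/int.crt" "$1/srv.crt" >/dev/null 2>&1
}

# verify_root_only DIR: what a client sees if the Subordinate CA step is skipped
verify_root_only() {
    openssl verify -CAfile "$1/root.crt" "$1/srv.crt" >/dev/null 2>&1
}

# cert_has_san DIR NAME: true if NAME appears in the server certificate's subjectAltName
cert_has_san() {
    openssl x509 -in "$1/srv.crt" -noout -text | grep -q "DNS:$2"
}

# csr_subject DIR: print the CSR subject, to compare with what the order form shows
csr_subject() {
    openssl req -in "$1/srv.csr" -noout -subject
}

CHAIN_DIR=$(mktemp -d)
trap 'rm -rf "$CHAIN_DIR"' EXIT
build_chain "$CHAIN_DIR"
csr_subject "$CHAIN_DIR"
if verify_full_chain "$CHAIN_DIR"; then echo "root + intermediate: chain verifies"; fi
if verify_root_only "$CHAIN_DIR"; then echo "unexpected: verified without intermediate"; else echo "root only: verification fails (intermediate missing)"; fi
```

The same `openssl verify -CAfile root -untrusted intermediate server` check can be run against the files a real CA sends back, before anything is imported into SmartDashboard, to confirm that the intermediate you were given actually links the server certificate to the root you are about to trust.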



 ##############################################################################

  •     ENDPOINT SECURITY SERVER (install/upgrade)



NEW INSTALLATION
  • Deploy 2K8R2
  • Add Features: Framework 3.5
  • Disable Firewall
  • Install clean E80.30_CheckPoint_Endpoint_Security_Server_Windows.iso
    - Licenses
    - Admin
    - GUI client
  • Reboot
  • Import configuration:
    %FWDIR%\bin\upgrade_tools> migrate.exe import <input_file_name>
  • Execute UepmPolicyExport.msi (possible warnings)
  • Upgrade to 80.40
  • Upgrade to 80.41


UPGRADE INSTALLATION

"SNAPSHOT"
  • Export configuration:
    %FWDIR%\bin\upgrade_tools> migrate.exe export <output_file_name>
    The <output_file_name> can be the output file path. If you do not include an output file path, the utility generates the tgz file in the %FWDIR%\bin\upgrade_tools directory.
  • Run UepmPolicyExport.msi on the E80.3x Endpoint Security Management server (probably a warning). This utility exports the policy database from E80.3x.

"SNAPSHOT"
  • Important - If installing from a CD, do not let autorun start the E80.40 installation program. Run Setup.exe from the E80.40 CD. When prompted, reboot the computer.
  • Upgrading the Endpoint Security Management Server: on the Endpoint Security Management server, go to the installation folder of the SmartEndpoint. By default this is C:\Program Files (X86 on 64 bit computers)\CheckPoint\SmartConsole\E80.40\PROGRAM\
    Run EPUpgradeImportTool.exe (run as administrator).
    First run: possible error. Second run: works fine.
  • Upgrade to E80.41: run Setup.exe from the E80.41 (inside the tgz file).

 ##############################################################################


