TYPE VPN
- Domain-based VPN (tunnel mode, community)
Domain Based VPN is a method of controlling how VPN traffic is routed between Security Gateways and remote access clients within a community. To route traffic to a host behind a Security Gateway, an encryption domain must be configured for that Security Gateway. Configuration for VPN routing is performed either directly through SmartDashboard or by editing the VPN routing configuration files on the Security Gateways.
- Route-based VPN (interface mode)
The use of VPN Tunnel Interfaces (VTI) introduces a new method of configuring VPNs called Route Based VPN. This method is based on the notion that setting up a VTI between peer Security Gateways is much like connecting them directly.
A VTI is an operating system level virtual interface that can be used as a Security Gateway to the encryption domain of the peer Security Gateway.
CCSE R75
Infrastructure
Process
- FWM: GUI client connections, database manipulation, policy compilation, management HA sync
- FWD: forwards logs to the management server, logging, communication with the kernel
- CPD (core process): SIC, policy installation, status
- FWSSD: child of FWD
- CPWD
Load Sharing
What is Load Sharing?
In a Load Sharing gateway cluster, all machines in the cluster filter packets. Load Sharing provides High Availability, gives transparent Failover to any of the other machines in the cluster when a Failure occurs and provides enhanced reliability and performance. Load Sharing is also known as Active/Active.
What is Unicast Load Sharing?
In Load Sharing Unicast mode of ClusterXL, one machine (the "Pivot") receives all traffic from a router with a unicast configuration, and redistributes the packets to the other machines in the cluster. The Pivot machine is chosen automatically by ClusterXL.
What is Multicast Load Sharing?
In Load Sharing Multicast mode of ClusterXL, every member of the cluster receives all the packets sent to the cluster IP address. A router or Layer 3 switch forwards packets to all cluster members using multicast. A ClusterXL decision algorithm on all cluster members decides which cluster member should perform enforcement processing on the packet.
Use sharing method based on
By default, packets are distributed among cluster members based on IP addresses, ports and IPSec SPIs, resulting in maximum distribution.
Note:
In some cases, however, an application may require a few connections to go through a specific cluster member. In such cases, you may wish to decrease the distribution of packets in order to increase the probability that a certain connection will pass through a single cluster member on both inbound and outbound directions. This is done by choosing a more "sticky" sharing method.
IGMP Snooping
The ClusterXL IGMP Membership feature supports all 3 versions of IGMP.
IGMP snooping is a method by which Layer 2 devices snoop on IGMP conversations between hosts and routers to learn the IP Multicast group membership. It configures multicasting by checking IGMP packets passing through and picks out the group registration information.
Disable Sync on a cluster member
PDF NGX R65 Known Limitations Supplement. - Check Point
#fw ctl setsync off
#fw ctl setsync start
Synchronizing Clusters on a Wide Area Network
The synchronization network can be spread over remote sites, which makes it easier to deploy geographically distributed clustering.
There are two limitations to this capability:
1. The synchronization network must guarantee no more than 100ms latency and no more than 5% packet loss.
2. The synchronization network may only include switches and hubs. No routers are allowed on the synchronization network, because routers drop Cluster Control Protocol packets.
Fwm Process
This command is used to perform Security Management server operations. It controls fwd and all Check Point daemons.
SmartProvisioning ( From R65 )
Feature | Details
---|---
Intuitive Simple User Interface (UI) | Yes (including SmartProvisioning wizard)
Overview and Status View | View configuration summary, critical notifications and status
Configuration Wizard | Simplifies profile creation
Shared Configuration | Provisioning and security profiles
Granular Device Management | Routing, DNS, Domain, Interfaces, Date&Time (Edge), DHCP (Edge), Backups, VPN configuration, dynamic objects
Custom Command Line Interface (CLI) | Supports scripting device configuration
Running Scripts and Predefined Operations | Execute scripts remotely from the GUI
Fetch Configuration | Yes (SecurePlatform only)
Temporary Disable Central Management | Maintenance mode for local device administration
Clean the system of all events on SmartEvent
Directory:
$RTDIR/distrib
$RTDIR/events_db
Backup/restore database on SmartEvent
For more info see sk79660
#eva_db_backup
Upgrade tools
$FWDIR/bin/upgrade_tools/
migrate export
migrate import
migrate.conf
plugin_pack.conf
plugin_pack_compare
plugin_upgrade_matcher
ppidb.conf
pre_upgrade_verifier
upgrade_export
upgrade_import
Backup directory
/var/CPbackup/backups (Secure Platform)
/var/log/CPbackup/backups (UTM-1, Power-1 Appliance)
SMS Upgrade and Database Migration
- Prepare the source machine for export
- Install the new version on the target (clean install)
- Export the databases from the source (with SCP)
- Import the databases to the target
- Test the target deployment
- Connect the target to the network
Upgrade Cluster Deployment
- Zero Downtime
- Full Connectivity Upgrade
#cphaprob fcustat
#ldapsearch -h 172.31.xx.xx -p 389 -D "CN=ldap-eps,CN=Users,DC=customer,DC=it" -w pippo.00 -b "ou=Area Tecnici,ou=users,ou=Sede-XX Settembre,dc=customer,dc=it" "(sAMAccountName=lrossi)"
FW Monitor
#fwaccel off
Perform a Manual Failover of the FW Cluster
#cphaprob -d STOP -s problem -t 0 register
(create problem notification)
to check
#cphaprob list
#cphaprob -d STOP unregister
(remove problem notification)
another way:
#$FWDIR/bin/clusterXL_admin down
#$FWDIR/bin/clusterXL_admin up
Advanced Cluster Configuration Examples
Setting CCP to use Broadcast
#cphaconf set_ccp broadcast
#cphaconf set_ccp multicast
To survive a reboot, add the chosen cphaconf command to /etc/rc.local
Multicast MAC Address
#cphaconf debug_data
(the output is written on /var/log/messages)
Some LDAP Tools
Run the ldapsearch command from the gateway to test LDAP authentication from the CLI.
Examples:
requiring SSL encryption:
FW-1[admin]# ldapsearch -h 192.168.x.x -p 636 -Z -D "cn=Administrator,cn=users,dc=nightcrawler,dc=local" -w <password> -b "ou=CP_Ottawa_Site,DC=nightcrawler,DC=local" "(sAMAccountName=steve)"
no encryption
FW-1[admin]# ldapsearch -h 192.168.x.x -p 389 -D "cn=Administrator,cn=users,dc=nightcrawler,dc=local" -w <password> -b "ou=CP_Ottawa_Site,DC=nightcrawler,DC=local" "(sAMAccountName=steve)"
-h 192.168.x.x is the LDAP server in this example
-p 636 is the port
-Z (must be upper case) enforces encryption when the port is 636 (when the port is 389 there is no need for -Z)
-D is the LDAP administrator user (used to read the LDAP server)
-w is the administrator's password
-b is the base (organizational unit) we query on the LDAP server: "ou=CP_Ottawa_Site,DC=nightcrawler,DC=local" is the organization and "(sAMAccountName=steve)" is the search filter for the user himself
example:
Check Point Port service Web Filtering
Port | Service | Description
---|---|---
18182/tcp | FW1_ufp | Check Point OPSEC URL Filtering Protocol - Protocol used for communication between FWM and Server for Content Control (e.g. Web Content)
---------------------------------------------------------------------------------------------
CCSA R70
$FWDIR/bin/cp_admin_convert
Automatically export administrator definitions that were created in cpconfig to SmartDashboard
---------------------------------------------------------------------------------------------
$FWDIR/bin/cpca_client
This command and all its derivatives are used to execute operations on the ICA.
--------------------------------------------------------------------------------------------
$FWDIR/bin/cp_merge
The cp_merge utility has two main functionalities:
• Export and import of policy packages
• Merge of objects from a given file into the Security Management server database
--------------------------------------------------------------------------------------------
$FWDIR/bin/cpwd_admin
cpwd (also known as WatchDog) is a process that invokes and monitors critical processes such as Check Point daemons on the local machine, and attempts to restart them if they fail. Among the processes monitored by WatchDog are cpd, fwd and fwm.
fwd does not work on a Security Management Only machine. To work with fwd on a Security Management Only machine add -n (for example, fwd -n).
cpwd writes monitoring information to the $CPDIR/log/cpwd.elg log file. In addition, monitoring information is written to the console on UNIX platforms, and to the Windows Event Viewer.
The cpwd_admin utility is used to show the status of processes, and to configure
Usage: cpwd_admin
--------------------------------------------------------------------------------------------
IpSec Protocol
Ike
--------------------------------------------------------------------------------------------
Fingerprint
Generate on Security Management Server
Windows SmartConsole applications save the fingerprint on the registry, at:
HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\Management Clients\[version]\Connection\Known Servers\
--------------------------------------------------------------------------------------------
Temporarily change the MAC address of the Interface
#ip link set eth0 down
#ip link set eth0 address 00:00:00:00:00:00
#ip link set eth0 up
(replace 00:00:00:00:00:00 with the MAC address you want; the kernel rejects an all-zero address, and the change does not survive a reboot)
--------------------------------------------------------------------------------------------
CCSE R70
--------------------------------------------------------------------------------------------
DOC
- ISP redundancy
Check Point's ISP Redundancy allows connection to the Internet through multiple ISP links, monitors those links and routes connections according to the operating mode.
To manage a dual Internet link on a single or clustered Check Point gateway there are two modes:
• Primary/Backup
• Load Sharing (the dual link is supported from version NG R55 on SecurePlatform, RedHat 7.2 or higher and IPSO).
- sk34209: Static NAT (Hide NAT) is failing for outgoing connections through Gateway with ISP Redundancy in Load Sharing mode
- sk40958: How do I verify the status of redundant ISP links from the firewall console ?
- sk40501: DNS Proxy configuration does not change when ISP order is changed in NGX R65
- sk32225: Configuring ISP Redundancy so that certain traffic uses specific ISP
- How to Configure ISP Redundancy in SecurePlatform
--------------------------------------------------------------------------------------------
Checkpoints fw monitor utility performs packet captures similar to tcpdump and wireshark. Unlike these utilities it operates above layer 2 and contains no mac address information. It does contain additional information from the firewall on interface and direction.
To view this additional information in wireshark some extra configuration is required.
Select edit/preferences/protocols/ethernet
Check the box labelled “Attempt to interpret as Firewall-1 monitor file” and press ok
Select edit/preferences/User Interface/columns
Click add to add a new column and name it interface.
From the format dropdown listbox select FW-1 monitor if/direction and press ok
Save the text below to a file colorise.txt
# DO NOT EDIT THIS FILE! It was created by Wireshark
@FW-Mon-i @ fw1.direction contains "i"@[65535,65535,0][0,0,0]
@FW-Mon-I @fw1.direction contains "I"@[37008,61166,37008][0,0,0]
@FW-Mon-o@fw1.direction contains "o"@[44461,55512,59110][0,0,0]
@FW-Mon-O@ fw1.direction contains "O"@[31161,49051,54875][0,0,0]
Select View/coloring rules
Click import and open the saved file from above
Select the last 4 rules and move them to the top of the list by clicking the up button
Press ok
You're now ready to view the fw monitor files in Wireshark.
References
Every Check Point firewall, regardless of platform, includes the packet capture utility fw monitor. The problem with fw monitor is the cryptic INSPECT syntax that you need to learn to create a capture filter. Unfortunately, if you're looking for support from Check Point then you're stuck with fw monitor. To simplify the process I have created a couple of macros that help bridge the gap between the two syntaxes.
When capturing with tcpdump I generally use the host and port commands to reduce the traffic to a particular set of conversations between hosts. An example expression, in tcpdump syntax, to capture all DNS traffic, either UDP or TCP, between 192.168.1.1 and 192.168.1.12 is shown below.
"host 192.168.1.1 and 192.168.1.12 and port 53"
After creating a few simple inspect macros we can do the equivalent using fw monitor with
accept host(192.168.1.1) and host(192.168.1.12) and port(53);
This is not a bad approximation. The only differences are brackets needed to pass the parameters to the macro, and a repeat of the host command.
The savings are obvious compared to the complete inspect script syntax shown below.
accept (
(ip_src=192.168.1.1 or ip_src=192.168.1.12) and \
(ip_dst=192.168.1.1 or ip_dst=192.168.1.12) \
) and \
(
(ip_p=PROTO_tcp and (th_sport=53 or th_dport=53)) or \
(ip_p=PROTO_udp and (uh_sport=53 or uh_dport=53)) \
);
The macros can be saved in a separate library file and included in a filter file or you can just include all the macros in one large command file with the filter expression as shown below.
#include "tcpip.def"
#define src ip_src
#define dst ip_dst
#define sport th_sport
#define dport th_dport
#define port(portnum) ((ip_p=PROTO_tcp and (sport=portnum or dport=portnum)) or \
(ip_p=PROTO_udp and (uh_sport=portnum or uh_dport=portnum)))
#define srcport(portnum) ((ip_p=PROTO_tcp and sport=portnum) or \
(ip_p=PROTO_udp and uh_sport=portnum))
#define dstport(portnum) ((ip_p=PROTO_tcp and dport=portnum) or \
(ip_p=PROTO_udp and uh_dport=portnum))
#define host(hostip) ((src=hostip) or (dst=hostip))
/* dns traffic between hosts */
accept host(192.168.1.1) and host(192.168.1.12) and port(53);
Once saved to a file, say myfilter.def, it is a simple matter of running
fw monitor -i -f myfilter.def
and generating, or waiting for the traffic you need to capture.
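The macro approach above is plain textual substitution, which is exactly what a small translator can do for you. The following is an added example, not part of the original notes or of Check Point's tooling: it expands the four macros defined above (host, port, srcport, dstport) into the raw INSPECT expression, and it also accepts the tcpdump-flavoured spelling from the notes ("host A and B and port N") and emits a complete accept statement. It validates that every host() argument is an IPv4 address and every port argument is a number, because INSPECT has no quoting and a stray token would otherwise land in the filter unchanged. Function names, the IPv4/port checks and the tcpdump-style front end are my own additions; the macro bodies are transcribed from the #define lines above.

```python
import re

# Macro bodies transcribed from the #define lines in the notes above;
# {0} is the single macro argument.
MACROS = {
    "host": "((ip_src={0}) or (ip_dst={0}))",
    "port": "((ip_p=PROTO_tcp and (th_sport={0} or th_dport={0})) or "
            "(ip_p=PROTO_udp and (uh_sport={0} or uh_dport={0})))",
    "srcport": "((ip_p=PROTO_tcp and th_sport={0}) or (ip_p=PROTO_udp and uh_sport={0}))",
    "dstport": "((ip_p=PROTO_tcp and th_dport={0}) or (ip_p=PROTO_udp and uh_dport={0}))",
}
KEYWORDS = tuple(MACROS)
OPERATORS = ("and", "or", "not", "(", ")")

MACRO_CALL = re.compile(r"\b(host|port|srcport|dstport)\(([^()]*)\)")
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def check_arg(name, arg):
    """Accept only a dotted IPv4 address for host() and a 0-65535 number for
    the port macros.  INSPECT has no quoting, so anything else pasted into
    the filter would silently change its meaning or fail to compile."""
    arg = arg.strip()
    if name == "host":
        if not IPV4.match(arg) or any(int(o) > 255 for o in arg.split(".")):
            raise ValueError(f"host(): not an IPv4 address: {arg!r}")
    elif not arg.isdigit() or int(arg) > 65535:
        raise ValueError(f"{name}(): not a port number: {arg!r}")
    return arg


def expand(expr):
    """Replace every macro call in an INSPECT expression by its body, the
    way the preprocessor would when fw monitor reads myfilter.def."""
    def repl(m):
        name = m.group(1)
        return MACROS[name].format(check_arg(name, m.group(2)))
    return MACRO_CALL.sub(repl, expr)


def tcpdump_to_inspect(filter_str):
    """Translate the tcpdump-flavoured spelling used in the notes (host, port,
    srcport, dstport joined by and/or/not and parentheses) into a complete
    'accept ...;' INSPECT statement.  tcpdump's shorthand 'host A and B'
    (the keyword carries over to the next bare argument) is honoured."""
    tokens = filter_str.replace("(", " ( ").replace(")", " ) ").split()
    out, last_kw, i = [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in KEYWORDS:
            if i + 1 >= len(tokens) or tokens[i + 1] in OPERATORS:
                raise ValueError(f"{tok} needs an argument")
            last_kw = tok
            i += 1
            out.append(f"{tok}({tokens[i]})")
        elif tok in OPERATORS:
            out.append(tok)
        elif last_kw is not None:
            out.append(f"{last_kw}({tok})")   # 'host A and B' shorthand
        else:
            raise ValueError(f"unexpected token {tok!r}")
        i += 1
    return "accept " + expand(" ".join(out)) + ";"


if __name__ == "__main__":
    # The DNS example from the notes, in both of its shorter spellings.
    print(tcpdump_to_inspect("host 192.168.1.1 and 192.168.1.12 and port 53"))
    print(expand("accept host(192.168.1.1) and host(192.168.1.12) and port(53);"))
```

Both print statements produce the same long accept line as the hand-written INSPECT script above, so the output can be pasted into a .def file without the #include and #define lines; the expander does not compile INSPECT, so a filter that passes here can still be rejected by fw monitor -f.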
Enable SCP – sk26258
· Go into expert mode and add users to the /etc/scpusers file. Create the file if necessary.
· Restart sshd using the command service sshd restart
Enable IP Forwarding – sk25818
· Go into expert mode and type the command "echo 1 > /proc/sys/net/ipv4/ip_forward"
Enable SSH Public key Authentication – sk30366
· Go into expert mode
· mkdir $HOME/.ssh
· chmod 0700 $HOME/.ssh
· touch $HOME/.ssh/authorized_keys
· chmod 0600 $HOME/.ssh/authorized_keys
· vi $HOME/.ssh/authorized_keys
· :$ (goes to the last line of the file)
· A (appends to the end of the line)
· paste in the key that you have copied from the client
· esc (get out of insert mode)
· : x (save the file and exit)
To be able to match a login to a users key perform the following steps.
· vi /etc/ssh/sshd_config
· find the Logging section and add an entry LogLevel VERBOSE
· Restart sshd using the command service sshd restart
· The fingerprint of the key used is then recorded in /var/log/secure
· To check the fingerprints you can use the getfingerprints.sh script below
#! /bin/bash
# Generate fingerprints for ssh public keys so we can match logons to users
# Create a temp file and bail out if we can't
TMPFILE=$(mktemp /tmp/fingerprint.XXXXXX) || exit 1
FPFILE=/home/admin/fingerprints.txt
# Check to see if a keyfile is specified
if [ -r "$1" ]; then
    KEYFILE="$1"
else
    KEYFILE=/home/admin/.ssh/authorized_keys
fi
# Cleanup temp files on exit
trap 'rm -f "${TMPFILE}"' 0
# Truncate the output file
cat /dev/null > "${FPFILE}"
# Hook up the authorized_keys file to file descriptor 3
exec 3< "${KEYFILE}"
# Loop through each key in the file (-r keeps backslashes in the key intact)
while read -r <&3
do
    # Skip comment and blank lines; otherwise save the key and generate a fingerprint
    if ! echo "${REPLY}" | egrep -q "^[[:space:]]*(#|$)"; then
        echo "${REPLY}" > "${TMPFILE}"
        /usr/bin/ssh-keygen -l -f "${TMPFILE}" >> "${FPFILE}"
    fi
done
# Close FD 3
exec 3<&-
/bin/echo "The fingerprints for ${KEYFILE} have been saved in ${FPFILE}."
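The script above produces the fingerprint list; the second half of the job is matching the fingerprints that sshd writes to /var/log/secure back to the key comments. The following is an added example, not part of the original notes: it computes fingerprints itself from the base64 key blob (SHA256 as unpadded base64 and MD5 as colon-separated hex, the two forms ssh-keygen -l has printed over the years, so it also covers the older OpenSSH on SecurePlatform that logs a separate "Found matching RSA key:" line), tolerates an options prefix such as the command="..." restriction used in the recipe further down, and flags a login whose fingerprint is not in authorized_keys at all. The key blobs and log lines are constructed for the example and are not real keys or real log output; all function names are my own.

```python
import base64
import hashlib
import re
import struct

# Log shapes seen with LogLevel VERBOSE: newer OpenSSH puts the key type and
# fingerprint on the "Accepted publickey" line, older releases log a separate
# "Found matching <TYPE> key: <md5 fingerprint>" line.
LOG_PATTERNS = (
    re.compile(r"Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) port \d+ "
               r"ssh2: (?P<type>\S+) (?P<fp>\S+)"),
    re.compile(r"Found matching (?P<type>\S+) key: (?P<fp>\S+)"),
)
KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def ssh_string(b):
    """Length-prefixed byte string, the encoding used inside OpenSSH key blobs."""
    return struct.pack(">I", len(b)) + b


def make_blob(key_type, material):
    """Build a minimal (fake) public key blob: type name then key material.
    Real RSA blobs carry exponent and modulus as separate strings, but
    ssh-keygen hashes the whole decoded blob either way."""
    return ssh_string(key_type.encode()) + ssh_string(material)


def fingerprints(blob):
    """The forms 'ssh-keygen -l' has printed for a key over the years:
    SHA256 as unpadded base64, MD5 as colon-separated hex with and without
    the 'MD5:' prefix."""
    sha = base64.b64encode(hashlib.sha256(blob).digest()).rstrip(b"=").decode()
    md5 = hashlib.md5(blob).hexdigest()
    md5_colons = ":".join(md5[i:i + 2] for i in range(0, 32, 2))
    return {"SHA256:" + sha, "MD5:" + md5_colons, md5_colons}


def parse_authorized_keys(text):
    """Map every fingerprint form of each key to the key's comment.  Comment
    and blank lines are skipped, and an options prefix such as
    command="/sbin/shutdown -h now" is tolerated by locating the key-type
    field instead of assuming the line starts with it."""
    index = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        pos = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
        if pos is None or pos + 1 >= len(fields):
            continue   # not a key line we understand
        blob = base64.b64decode(fields[pos + 1])
        comment = " ".join(fields[pos + 2:]) or "(no comment)"
        for fp in fingerprints(blob):
            index[fp] = comment
    return index


def match_logins(log_text, index):
    """Return (user, fingerprint, comment) per key-based login; comment is
    None when the fingerprint is not in the authorized_keys file, which is
    the case worth alerting on."""
    hits = []
    for line in log_text.splitlines():
        for pattern in LOG_PATTERNS:
            m = pattern.search(line)
            if m:
                fp = m.group("fp")
                hits.append((m.groupdict().get("user"), fp, index.get(fp)))
                break
    return hits


# Constructed sample data: fixed bytes in blob format, NOT real keys, and
# syslog lines written to match them.
ALICE_BLOB = make_blob("ssh-ed25519", bytes(range(32)))
BOB_BLOB = make_blob("ssh-rsa", b"\x00\x01\x00\x01" + bytes(range(64)))
AUTHORIZED_KEYS = "\n".join([
    "# keys for admin",
    "ssh-ed25519 " + base64.b64encode(ALICE_BLOB).decode() + " alice@laptop",
    'command="/sbin/shutdown -h now" ssh-rsa '
    + base64.b64encode(BOB_BLOB).decode() + " bob-shutdown-only",
])
ALICE_SHA = next(f for f in fingerprints(ALICE_BLOB) if f.startswith("SHA256:"))
BOB_MD5 = next(f for f in fingerprints(BOB_BLOB) if not f.startswith(("SHA256:", "MD5:")))
SAMPLE_LOG = "\n".join([
    "Jan  1 10:00:00 fw1 sshd[1234]: Accepted publickey for admin from 10.0.0.5 "
    "port 51234 ssh2: ED25519 " + ALICE_SHA,
    "Jan  1 10:05:00 fw1 sshd[1300]: Found matching RSA key: " + BOB_MD5,
    "Jan  1 10:07:00 fw1 sshd[1400]: Accepted publickey for admin from 10.0.0.9 "
    "port 40000 ssh2: RSA SHA256:0000000000000000000000000000000000000000000",
])


def demo():
    """Run the matcher over the constructed data."""
    return match_logins(SAMPLE_LOG, parse_authorized_keys(AUTHORIZED_KEYS))


if __name__ == "__main__":
    for user, fp, comment in demo():
        print(user or "?", fp, comment or "UNKNOWN KEY")
```

On a real box, read /home/admin/.ssh/authorized_keys and /var/log/secure into the two functions instead of the constructed strings; a hit with comment None means a key that sshd accepted but that is not in the file you checked, which is the first thing to look at.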
Convert a securecrt ssh public key for use with secureplatform.
This recipe converts IETF multiline key format to the single line format used by openssh on secureplatform.
· Go into expert mode
· create a new file on the firewall with vi. For example vi mypubkey.txt
· Paste in the new key, save the file and exit.
· type "ssh-keygen -i -f mypubkey.txt >> /home/admin/.ssh/authorized_keys"
Restrict a public key authentication to a single command
This recipe is useful if you want to restrict users to a particular operation such as shutdown or reboot.
· Go into expert mode
· edit /home/admin/.ssh/authorized_keys
· Paste in the new key or modify the old key
· At the beginning of the line containing the key insert command="/sbin/shutdown -h now"
· Save and exit
· Change the shell for admin using the command usermod -s /bin/bash -U admin
· If you prefer to go into the cpshell when logging in interactively then execute the command "echo exec /bin/cpshell > /etc/profile.d/zchngshell.sh"
Increase OSPF adjacency memberships on SecurePlatform Pro – sk32568
· Go into expert mode
· vi /etc/rc.d/init.d/rc.local
· add the line "echo 50 > /proc/sys/net/ipv4/igmp_max_memberships"
· save and exit (: x)
Identify network adapters on Secureplatform/Linux
The recipe helps you identify which physical nic is mapped to an alias such as eth1 by flashing them in turn for 15 seconds. Adjust the time to suit yourself
· Go into expert mode
· type the following command all on one line
for i in `egrep "eth[0-9]+" /etc/modules.conf | cut -f2 -d" "`; do echo $i;ethtool -p $i 15; done
Links (saved threads and articles, titles only)
- Thread: SNMP activation
- firewall tips
- forum
- Information about Check Point VPN-1/FireWall-1 port ....
- seminar it security
- self study cp r70
- vpn phase 1 phase 2
- VPN Trouble shooting
- BinTec IPsec enabled routers shared secret
- Fw Monitor A troubleshooting tool (nokia)
- Fw Monitor A troubleshooting tool (checkpoint)
- Import of SNMP-MIB files into Paessler Monitoring Applications
- troubleshooting mtu checkpoint
- UTM-1 Edges - FAQ
- How do change an ip address on a ipso firewall via clish
- Password recovery nokia ipso