1. SmartDashboard
2. VI (limited/experience)
3. GUIDbedit (hidden tool GUI client install) (must close smartdashboard)
4. dbedit (command line) advance tool (must close smartdashboard)
Understanding Check Point Management Station Part 2
Troubleshooting Firewall Management Problems
Installation failure on MGNT server occurs in verification or
complication stage of the installation. To troubleshoot this failure, follow these
steps:
1.
Install policy from the CLI
fwm
–d load $FWDIR/conf/PolicyName.W <target>
2.
Install the policy from the SmartDashboard
a. Clean
the old log files
cd $FWDIR/log
rm fwm.elg
echo ‘ ‘> fwm.elg
enable the fwm debug
fw debug fwm on TDERROR_ALL_ALL=5
fw debug fwm on OPSEC_DEBUG_LEVEL=9
.
Replicate the problem by installing
the policy from the Dashboard GUI
Stop
the fwm debug on the FWMGMT server
fw debug fwm off TDERROR_ALL_ALL=1
fw debug fwm off OPSEC_DEBUG_LEVEL=1
Debug output are stored in fwm.elg, located under $FWDIR/log.
Policy Installation failure could be result of SIC, Misconfigured rules, GUI
client connectivity problems or improper
entered information, expired license. Evaluate output file fwm.elg to determine with of these may
have cause the failure.
Lab Troubleshoot SIC - Policy Installation failure
From A-SMS (FW Management Server)
1.
cpca_client
lscert (use this command to
validate certificate)
2.
fw debug
fwm on Establish
3.
from Client GUI DashBoard, attempt to restablish
SIC
4.
from A-SMS
fw debug fwm off
5.
review debug log output less
$FWDIR/log/fwm.elg
6.
WinSCP to transfer fwm.elg file and view in Test Editor to identity source of
problem from debug file
Lab Troubleshoot MisConfigured Rules - Policy Installation Failure
From A-SMS (FW Management Server)
1.
In Expert mode
cd $FWDIR/log
echo >fwm.elg
fw debug fwm on
2.
fw debug
fwm on
TDERROR_ALL_ALL
fwm –d load $FWDIR/conf/standard.W A-GW
Note: you will see the output on
the screen and fwm.elg. you can see additional info if you do a TDERROR_ALL_ALL=5
Stop the debugs
fw debug fwm
off
unset
TDERROR_ALL_ALL
view
fwm.elg less $FWDIR/conf/fwm.elg
Lab Troubleshoot GUI Client Connectivity
Problem
Look at less $FWDIR/con/gui-client file for allowed
IP address
From A-SMS (FW Management Server)
cpconfig command
At the prompt type 3 and enter
Type Y and Enter , Type D and Enter (delete your IP to test failure)
Enter 10.20.59.250
(your IP address)
Exit cpconfig option 9 enter
From the command prompt type
fw debug fwm on
TDERROR_ALL_ALL=5
from your Client 10.20.59.250 Dashboard, launch the GUI
from the FWM stop the debug and view logs of the GUI client
IP
fw debug fwm off
grep 10.20.59.250
$FWDIR/log/fwm.elg | less
How to uninstall and install another policy on firewall
ISSUE
There may be a time where you install the wrong policy onto
a Check Point Firewall. This can block your connections, and screw which
traffic is allowed through the firewall.
RESOLUTION
These steps will show you how to remove and reinstall the
correct policy via the CLI on the manager (SCS),
1. First of all we
look at the policy history, so we can find out the name of the policy we need
to reinstall.
fw stat -l [firewall ip]
2. Next we remove
the security policy from the firewall.
fwm unload [fwname]
3. Finally we
install the correct policy back onto the Firewall.
Note : Note how we add the .W to the policy name as it has
yet to be be compiled into a .cf file (which is what is installed onto the
Firewall/Gateway)
[PolicyName].W
is uncompelled policy
[PolicyName].CF
is compiled Policy
fwm load
[PolicyName].W [fwname]
fwm load
RuleBaseName.W TargetGatewayName
[Expert@MYFWM01]# fwm
load Standard samplegw
Installing policy on
R77 compatible targets:
Standard.W: Security
Policy Script generated into CustomerPolicy.pf
Standard:
Compiled OK.
Installing Security Gateway
policy on: examplegw . ..
Security Gateway
policy installed successfully on examplegw. ..
Security Gateway
policy installation complete
Security Gateway
policy installation succeeded for: examplegw
Installation failed; reason – load on module failed, failed
to load security policy
Recently I tried a policy installation on a Security Gateway
appliance which failed with the message: Installation failed; reason - load on
module failed, failed to load security policy
From my experience I know that a cpstop ; cpstart normaly
solves this problem.
But since I was dealing with a remote site gateway which
also was stand-alone installation, issuing cpstop was no option since it would
interrupt the service.
So I utilized the cpwd_admin command for stopping and
restarting FWM and CPD.
cpwd_admin stop -name FWM -path "$FWDIR/bin/fw"
-command "fw kill fwm"
cpwd_admin start -name FWM -path "$FWDIR/bin/fwm"
-command "fwm"
cpwd_admin stop -name CPD -path
"$CPDIR/bin/cpd_admin" -command "cpd_admin stop"
cpwd_admin start -name CPD -path "$CPDIR/bin/cpd"
-command "cpd"
Then I checked the status of all my services with cpwd_admin
list.
All services were up and I tried policy installation again,
which worked as expected.
I was able to solve the issue using the following steps i
stumbled on while surfing the net:
1. tellpm
process:monitord
2. ps aux |
grep cpd
3. kill -15
4. tellpm
process:monitord t
5. cpwd_admin
start -name CPD -path “$CPDIR/bin/cpd” -command “cpd”
Here is the expected output:
[Expert@CP-DMZ:0]# tellpm process:monitord
[Expert@CP-DMZ:0]#
Message from syslogd@ at Tue Sep 16 10:27:42 2014 …
CP-M-DMZ monitord[4129]: monitord got killed
[Expert@CP-DMZ:0]#
[Expert@CP-DMZ:0]# ps aux | grep cpd
admin 4461 0.0 0.3 212412 3196 ? Dsl Aug06 42:47 cpd
admin 6905 0.0 0.0 1816 492 pts/2 S+ 10:27 0:00 grep cpd
[Expert@CP-DMZ:0]# kill -15 4461
[Expert@CP-DMZ:0]#
[Expert@CP-DMZ:0]# tellpm process:monitord t
[Expert@CP-DMZ:0]#
[Expert@CP-DMZ:0]# cpwd_admin start -name CPD -path
“$CPDIR/bin/cpd” -command “cpd”
cpwd_admin:
Process CPD started successfully (pid=7030)
[Expert@CP-DMZ:0]#
So the problem was solved without service interruption.
List of Check Point Firewall Ports
Common List Ports that you will need to open on a typical Check Point Firewall. Note: don’t open all of these ports in the list, instead – use this list of ports as a reference for your Check Point firewall configuration.
PORT | TYPE | SERVICE DESCRIPTION |
21 | TCP | ftp File transfer Protocol (control) |
21 | UDP | ftp File transfer Protocol (control) |
22 | Both | ssh SSH remote login |
25 | both | SMTP Simple Mail transfer Protocol |
50 | | Encryption IP protocols esp – IPSEC Encapsulation Security Payload |
51 | | Encryption IP protocols ah – IPSEC Authentication Header Protocol |
53 | Both | Domain Name Server |
69 | Both | TFTP Trivial File Transfer Protocol |
94 | TCP | Encryption IP protocols fwz_encapsulation (FW1_Eencapsulation) |
137 | Both | Netbios-ns NETBIOS Name Service |
138 | Both | netbios-dgm NETBIOS Datagram |
139 | Both | netbios-ssn NETBIOS Session |
256 | TCP | FW1 (fwd) policy install port FWD_SVC_PORT |
257 | TCP | FW1_log FW1_log FWD_LOG_PORT |
258 | TCP | FW1_mgmt FWM_SSVVC_PORT |
259 | TCP | FW1_clientauth_telnet |
259 | UDP | RDP Reliable Datagram Protocol |
260 | TCP | sync |
260 | UDP | FW1_snmp FWD_SNMP_PORT |
261 | TCP | FW1_snauth Session Authentication Daemon |
262 | TCP | MDQ – mail dequer |
263 | TCP | dbs |
264 | TCP | FW1_topop Check Point SecureClient Topology Requests |
265 | TCP | FW1_key Check Point VPN-1 Public key transfer protocol |
389 | Both | LDAP Secure Client connecting to LDAP without SSL |
443 | | SNX VPN can use 443 too |
444 | TCP | SNX VPN SNX VPN tunnel in connectra only |
500 | UDP | IPSEC IKE Protocol (formerly ISAKMP/Oakley) |
500 | TCP | IKE over TCP |
500 | UDP | ISAKMPD_SPORT & ISAKMPD_DPORT |
514 | UDP | Syslog Syslog |
636 | | LDAP Secure Client connecting to LDAP with SSL |
900 | TCP | FW1_clntauth_http Client Authentication Daemon |
981 | | Management https on the edge |
1247 | | |
1494 | TCP | Winframe Citrix |
1645 | TCP | Radius |
1719 | UDP | VOIP |
1720 | TCP | VOIP |
2040 | TCP | MIP meta Ip admin server |
2746 | UDP | UDP encapsualtion for SR VPN1_IPSEC_encapsulation VPN1_IPSEC encapsulation |
2746 | TCP | CPUDPENCap |
4000 | | Policy Server Port (Redmond) |
4433 | TCP | Connectra Admin HTTPS Connectra admin port |
4500 | UDP | NAT-T NAT Traversal |
4532 | TCP | SNDAEMON_PORT sn_auth_trap: sn_auth daemon Sec.Serv comm, |
5001 | TCP | Meta IP Web Connection, MIP |
5002 | TCP | Meta IP DHCP Failover |
5004 | TCP | Meta IP UAM |
5005 | TCP | Meta IP SMC |
6969 | UDP | KP_PORT KeyProt |
8116 | UDP | Check Point HA SyncMode= CPHAP (new sync mode) |
8116 | UDP | Connection table synchronization between firewalls |
8989 | TCP | CPIS Messaging MSG_DEFAULT_PORT |
8998 | TCP | MDS_SERVER_PORT |
9000 | | Command Line Port for Secure Client |
10001 | TCP | Default CPRSM listener port for coms with RealSecure Console |
18181 | TCP | FW1_cvp Check Point OPSEC Content Vectoring Protocol |
18182 | TCP | FW1_ufp Check Point OPSEC URL Filtering Protocol |
18183 | TCP | FW1_sam Check Point OPSEC Suspicious Activity monitoring Proto (SAM API) |
18184 | TCP | FW1_lea Check Point OPSEC Log Export API |
18185 | TCP | FW1_omi Check Point OPSEC Objects Management Interface |
18186 | TCP | FW1_omi-sic Check Point OPSEC Objects management Interface with Secure Internal Communication |
18187 | TCP | FW1_ela Check Point OPSEC Event Loging API |
18190 | TCP | CPMI Check Point Management Interface |
18191 | TCP | CPD Check Point Daemon Proto NG |
18192 | TCP | CPD_amon Check Point Internal Application Monitoring NG |
18193 | TCP | FW1_amon Check Point OPSEC Appication Monitoring NG |
18201 | TCP | FGD_SVC_PORT |
18202 | TCP | CP_rtm Check Point Real time Monitoring |
18203 | TCP | FGD_RTMP_PORT |
18204 | TCP | CE communication |
18205 | TCP | CP_reporting Check Point Reporting Client Protocol |
18207 | TCP | FW1_pslogon Check Point Policy Server logon Protocol |
18208 | TCP | FW1_CPRID (SmartUpdate) Check Point remote Installation Protocol |
18209 | TCP | FWM CA for establishing SIC communication |
18210 | TCP | FW1_ica_pull Check Point Internal CA Pull Certificate Service |
18211 | TCP | FW1_ica_pull Check Point Internal CA Push Certificate Service |
18212 | UDP | Connect Control – Load Agent port |
18213 | TCP | cpinp: inp (admin server) |
18214 | TCP | cpsmc: SMC |
18214 | UDP | cpsmc: SMC Connectionless |
18221 | TCP | CP_redundant Check Point Redundant Management Protocol NG |
18231 | TCP | FW1_pslogon_NG Check Point NG Policy Server Logon Protocol |
18231 | TCP | NG listens on this port by default dtps.exe |
18232 | TCP | FW1_sds_logon Check Point SecuRemote Distribution Server Protocol |
18233 | UDP | Check Point SecureClient Verification Keepalive Protocol FW1_scv_keep_alive |
18241 | UDP | e2ecp |
18262 | TCP | CP_Exnet_PK Check Point Public Key Resolution |
18263 | TCP | CP_Exnet_resolve Check Point Extranet remote objects resolution |
18264 | TCP | FW1_ica_services Check Point Internal CA Fetch CRL and User Registration Services |
19190 | TCP | FW1_netso Check Point OPSEC User Authority Simple Protocol |
19191 | TCP | FW1_uaa Check point OPSEC User Authority API |
65524 | | FW1_sds_logon_NG Secure Client Distribution Server Protocol (VC and Higher) |
Check Point General Common Ports
PORT | TYPE | SERVICE DESCRIPTION |
257 | tcp | FireWall-1 log transfer |
18208 | tcp | CPRID (SmartUpdate) |
18190 | tcp | SmartDashboard to SCS |
18191 | tcp | SCS to FW-1 gateway for policy install |
18192 | tcp | SCS monitoring of firewalls (SmartView Status) |
Check Point SIC Ports
PORT | TYPE | SERVICE DESCRIPTION |
18209 | tcp | NGX Gateways <> ICAs (status, issue, or revoke). |
18210 | tcp | Pulls Certificates from an ICA. |
18211 | tcp | Used by the cpd daemon (on the gateway) to receive Certificates. |
Check Point Authentication Ports
PORT | TYPE | SERVICE DESCRIPTION |
259 | tcp | Client Authentication (Telnet) |
900 | tcp | Client Authentication (HTTP) |