Thursday, October 18, 2018

Checkpoint Gaia R80.20

There are two different installation ISOs for R80.20:
  • One that supports gateways and standalone installs with the older (2.6.18) kernel
  • One for Security Management only that has the newer (3.10) kernel
So yes, you can upgrade a standalone to R80.20.


After playing around with R80.20GA gateway for a few hours, the following things caught my eye:

1) Gaia is now required to be 64-bit.

2) Geo Protection can now be directly configured in a whitelist configuration (allow some countries and deny all others).

3) R80.20 gateway ClusterXL does not support Load Sharing (Active/Active) yet?  Not a huge fan of load sharing to begin with but this is taking it to another level...  :-)

4) R80.20 gateways cannot be managed by an R80.20M1 SMS.

5) cphaprob state command now reports *far* more detail about ClusterXL state, including why the current member is active, last state transition & failover count, and active pnote problems.  This extra information appears to be available separately via the new cphaprob show_failover command.

6) cphaconf set_ccp has two new options: auto and unicast  (the latter only works with a 2-member cluster); used to just be broadcast and multicast.

7) Syn Attack (Syn Flood) protection is now implemented in SecureXL and will not cause all traffic handled by it to go F2F. 

8) The undocumented ability for certain ports to be bypassed in the Dynamic Dispatcher  appears to be officially supported via the fw ctl multik add_bypass_port command among others.

9) The new fw ctl multik get_instance command can be used to identify which Firewall Worker core is handling a connection with the matching attributes specified on the command line.

10) The new fw ctl multik print_heavy _conn command will show the attributes of all "heavy" (elephant flow) connections currently pounding the Firewall Worker cores.

11) The new fw ctl multik utilize command will show the size & utilization of the Firewall Worker packet queues.

12) Many new screens added to cpview including Dynamic Routing Stats (routed), Hardware Health & Sensors, Disk I/O utilization, and Advanced...CPAQ.

13) Apparently fw monitor can now capture all traffic traversing the firewall regardless of whether it is accelerated by SecureXL.  Haven't had a chance to verify this myself yet.

14) The long-awaited Network defined by routes antispoofing topology option checks the gateway routing table every second for any route changes that might impact antispoofing enforcement, the timer controlling this interval is located in the SmartConsole under Manage & Settings...Preferences.

15) I don't see the option to define VPN domains per VPN Community, at least not in the SmartConsole.

16) Ensuring that "Font Smoothing" is enabled in your RDP client substantially improves the graphical performance of the SmartConsole inside an RDP Session.


Load Sharing (Active/Active) configuration

Load Sharing Multicast



MB-30
R80.20 ClusterXL does not support Load Sharing mode. Therefore, R80.20 SmartConsole blocks such configuration with a warning message.
This limitation is planned to be resolved during H1 2019.
R80.

just because you were able to do so doesn't mean it is a supported configuration based on the above.



R80.20, part of the Check Point Infinity architecture, delivers the most innovative and effective security that keeps our customers protected against large scale, fifth generation cyber threats.
The release contains innovations and significant improvements in:
  • Gateway performance
  • Advanced Threat Prevention
  • Cloud Security 
  • Access policy 
  • Consolidated network and endpoint management capabilities
  • And much more 
This release is initially recommended for customers who are interested in implementing the new features. We will make it the default version (widely recommended) after significant adoption and make it available in the 'Showing Recommended Packages' section in the CPUSE tab in Gaia portal. 

   Performance Enhancements  
Performance Enhancements
  • HTTPS Inspection performance improvements
  • Session rate improvements on high-end appliances (13000, 15000, 21000 & 23000 Security Gateway models).
  • Acceleration remains active during policy installation, no impact on Security Gateway performance.

VSX Gateways
  • Significant boost to Virtual Systems performance, utilizing up to 32 CoreXL FW instances for each Virtual System.
  • Dynamic Dispatcher - Packets are processed by different FW worker (FWK) instances based on the current instance load.
  • Changes in the number of FW worker instances (FWK) in a VSLS setup do not require downtime.
  • SecureXL Penalty Box supports the contexts of each Virtual System, see sk74520.

   Significant Improvements & New Features      
Advanced Threat Prevention
  • Enhanced configuration and monitor abilities for Mail Transfer Agent (MTA) in SmartConsole for handling malicious mails.
  • Configuration of ICAP Server with Threat Emulation and Anti-Virus Deep Scan in SmartConsole.
  • Automatic download of IPS updates by the Security Gateway.
  • SmartConsole support for multiple Threat Emulation Private Cloud Appliances.
  • SmartConsole support for blocking archives containing prohibited file types.
  • Threat Extraction
    • Full ClusterXL HA synchronization, access to the original files is available after a failover.
    • Support for external storage.
  • Advanced Threat Prevention Indicators (IoC) API
    • Management API support for Advanced Threat Prevention Indicators (IoC).
    • Add, delete, and view indicators through the management API.
  • Advanced Threat Prevention Layers
    • Support layer sharing within Advanced Threat Prevention policy.
    • Support setting different administrator permissions per Advanced Threat Prevention layer.
  • MTA (Mail Transfer Agent)
    • MTA monitoring, e-mails history views and statistics, current e-mails queue status and actions performed on e-mails in queue.
  • MTA configuration enhancements
    • Setting a domain object as next hop.
    • Ability to create an access rule to allow SMTP traffic to a Security Gateway.
    • Create a dedicated Advanced Threat Prevention rule for MTA.
  • MTA enforcement enhancements
    • Replacing malicious links in an email with a configurable template.
    • Configurable format for textual attachments replacement.
    • Ability to add a customized text to malicious e-mails' body or subject.
    • Tagging malicious-mails using X-header
    • Sending a copy of the malicious e-mail to a predefined recipients list
  • Improvements in policy installation performance on R80.10 and above Security Gateways with IPS
  • Performance impact of "Suspicious Mail Activity" protection in Anti-Bot was changed to "High" and is now off by default

CloudGuard IaaS Enhancements
  • Automated Security Transit VPC in Amazon Web Services (AWS) - Automatically deploy and maintain secured scalable architecture in Amazon Web Services.
  • Integration with Google Cloud Platform.
  • Integration with Cisco ISE.
  • Integration with Nuage Networks.
  • Automatic license management with the CloudGuard IaaS Central Licensing utility.
  • Monitoring capabilities integrated into SmartView.
  • Data center objects can now be used in access policy rules installed on 41000, 44000, 61000 and 64000 Scalable Platforms.

Access Policy
  • Updatable Objects – a new type of network objects that represent an external service such as Office 365, Amazon Web Services, Azure GEO locations and more, and can be used in the Source and Destination columns of an Access Control policy. These objects are dynamically updated and kept up-to-date by the Security Gateway without the need to install a policy.
  • Wildcard network object in Access Control that represents a series of IP addresses that are not sequential.
  • Only for Multi-Domain Server: Support for scheduled policy installation with cross-Domain installation targets (Security Gateways or Policy Packages).
  • Rule Base performance improvements, for enhanced Rule Base navigation and scrolling.
  • Global VPN Communities (previously supported in R77.30).
  • Support for using NAT64 and NAT46 objects in Access Control policy.
  • Security Management Server can securely connect to Active Directory through a Security Gateway, if the Security Management Server has no connectivity to the Active Directory environment and the Security Gateway does.

Identity Awareness
  • Identity Tags support the use of tags defined by an external source to enforce users, groups or machines in Access Roles matching.
  • Improved SSO Transparent Kerberos Authentication for Identity Agent, LDAP groups are extracted from the Kerberos ticket.
  • Two Factor Authentication for Browser-Based Authentication (support for RADIUS challenge/response in Captive Portal and RSA SecurID next Token/Next PIN mode).
  • Identity Collector
    • Support for Syslog Messages - ability to extract identities from syslog notifications.
    • Support for NetIQ eDirectory LDAP Servers.
    • Additional filter options - "Filter per Security Gateway" and "Filter by domain".
    • Improvements and stability fixes related to Identity Collector and Web API.
  • New configuration container for Terminal Servers Identity Agents.
  • Active Directory cross-forest trust support for Terminal Servers Agent.
  • Identity Agent automatic reconnection to prioritized PDP gateways.
  • Security Management Server can securely connect to Active Directory via a Security Gateway if the Security Management Server has no connectivity to the Active Directory environment

HTTPS Inspection
  • Hardware Security Module (HSM) support – outbound HTTPS Inspection stores the SSL keys and certificates on a third party dedicated appliance
  • Additional ciphers supports for HTTPS Inspection (for more information, see sk104562)

Mirror and Decrypt
  • Decryption and clone of HTTP and HTTPS traffic
  • Forwarding traffic to a designated interface for mirroring purposes

Clustering
  • New CCP Unicast - a new mode in which a cluster member sends the CCP packets to the unicast address of a peer member
  • New Automatic CCP mode - CCP mode is adaptive to network changes, Unicast, Multicast or Broadcast modes are automatically applied according to network state
  • Enhanced cluster monitoring capabilities
  • Enhanced cluster statistics and debugging capabilities
  • Enhanced Active/Backup Bond
  • Support for more topologies for Synchronization Network over Bond interfaces
  • Improved cluster synchronization and policy installation mechanism
  • New grace mechanism for cluster failover for improved stability
  • New cluster commands in Gaia Clish
  • Improved clustering infrastructure for RouteD (Dynamic Routing) communication

Gaia OS
Upgraded Linux kernel (3.10) - applies to Security Management Server only
  • New file system (xfs)
    • More than 2TB support per a single storage device
    • Enlarged systems storage (up to 48TB)
  • I/O related performance improvements
  • Support of new system tools for debugging, monitoring and configuring the system
    • iotop (provides I/O runtime statistics)
    • lsusb (provides information about all devices connected to USB)
    • lshw (provides detailed information about all hardware)
    • lsscsi (provides information about storage)
    • ps (new version, more counters)
    • top (new version, more counters)
    • iostat (new version, more counters)

Advanced Routing:
  • Allow AS-in-count
  • IPv6 MD5 for BGP
  • IPv4 and IPv6 OSPF multiple instances
  • Bidirectional Forwarding Detection (BFD) for gateways and VSX, including IP Reachability detection and BFD Multihop
  • OSPFv2 HMAC-SHA authentication (replaces OSPFv2 MD5 authentication)

ICAP Client
  • Integrated ICAP Client functionality
   Security Management Enhancements     
SmartConsole
  • SmartConsole Accessibility features
    • Keyboard navigation - ability to use the keyboard alone to navigate between the different SmartConsole fields
    • Improved experience for the visually impaired, color invert for all SmartConsole windows
    • Required fields are highlighted
  • Multiple simultaneous sessions in SmartConsole. One administrator can publish or discard several SmartConsole private sessions, independently of the other sessions.

Logging and Monitoring
  • Log Exporter - an easy and secure method to export Check Point logs over Syslog to any SIEM vendor using standard protocols and formats
  • Ability to export logs directly from a Security Gateway (previously supported in R77.30)
  • Unified logs for Security Gateway, SandBlast Agent and SandBlast Mobile for simplified log investigation
  • Enhanced SmartView in browser:
    • Log viewer with log card, column profile and statistics
    • Export logs with custom or all fields
    • Automatic-refresh for views
    • Relative time frame support
    • Improved log viewer with cards, profiles, statistics and filters
    • I18N support for 6 languages (English, French, Spanish, Japanese, Chinese, Russian)
  • Accessibility support - keyboard navigation and high contrast theme

SmartProvisioning
  • Integration with SmartProvisioning (previously supported in R77.30)
  • Support for the 1400 series appliances
  • Administrators can now use SmartProvisioning in parallel with SmartConsole

Mobile Access
  • Support for reCaptcha, keep abusive automated software activities from interfering with regular portal operations
  • Support for One Time Password (OTP) without any hardware tokens

Endpoint Security Management Server

Endpoint Security Server is now part of the main train.
  • Support for SandBlast Agent, Anti-Exploit and Behavioral Guard policies
  • SandBlast Agent push operation to move/restore files from quarantine
  • Directory Scanner initial scan and full rescan takes significantly less time
  • Stability and performance enhancements for  Automatic Synchronization (High Availability)
Endpoint Security Management features that are included in R77.30.03:
  • Management of new Software Blades:
    • SandBlast Agent Anti-Bot
    • SandBlast Agent Threat Emulation and Anti-Exploit
    • SandBlast Agent Forensics and Anti-Ransomware
    • Capsule Docs
  • New features in existing Software Blades:
    • Full Disk Encryption
      • Offline Mode
      • Self Help Portal
      • XTS-AES Encryption
      • New options for the Trusted Platform Module (TPM)
      • New options for managing Pre-Boot Users
    • Media Encryption & Port Protection
      • New options to configure encrypted container
      • Optical Media Scan
    • Anti-Malware:
      • Web Protection
      • Advanced Disinfection

Compliance
  • User can create custom best practices based on scripts
  • Support for 35 regulations including General Data Protection Regulation (GDPR)

Wednesday, October 17, 2018

Magic Mac -Cluster down, Not Passing Traffic RSA Authentication failed.

If your VPN does not pass traffic, cluster down, or you cannot ssh to your gateway
check the following:


  1. Magic Mac
  2. The Checkpoint certificate, issued by the internal management certificate authority, that binds the connection between the cluster and the client - may have expired. This certificate should have a 5 year expiration date.  There should be a notification 60-days prior and leading up to cert expiration when policy is pushed sk101049  sk101049
  3. Sync Cable
  4. Clock Time of both Cluster Members


MY-FWA> cphaprob mmagic

Configuration mode:  Automatic
Configuration phase: Stable

MAC magic:         2
MAC forward magic: 1

Used MAC magic values:
0x01(001)  0x03(003)  0x64(100)

MY-FWA>

# cphaconf set_ccp broadcast

[Expert@FW]# tcpdump -i Sync -nnn -vvv -e port 8116



GAiA is Linux RH based, and it has system 2.6.18 kernel.  And Check Point ClusterXL is still the same as before.

If you are upgrading to GAiA or installing in fresh in a cluster configuration, you may need to take care of so-called "magic mac" settings.

To remind you briefly, "magic mac" is an artificial MAC address used in CCP, Cluster Control Protocol, responsible for probing, messaging and sync communications in ClusterXL. Once you have more than one cluster in the same network, you have to change magic mac settings starting from the second cluster and up.

Some details about the change is mentioned in SK66527.

GAiA or SPLAT, it makes no difference. If you are using ClusterXL and not VRRP, follow the mentioned solution.

For those who do not have the access, here is a quick HOWTO:

First, make sure your magic mac are default. To check that, run fw ctl get int fwha_mac_magic and fw ctl get int fwha_mac_forward_magiccommands, as in the example bellow:

# fw ctl get int fwha_mac_magic
fwha_mac_magic = 254
# fw ctl get int fwha_mac_forward_magic
fwha_mac_forward_magic = 253

The default settings are, as shown 254 and 253.

On the second cluster you will have to do the following: 

On each of the Cluster Modules
1. cd $FWDIR/boot/modules
2. create the fwkern.conf file by: # vi fwkern.conf
3. Add the required parameters and values as given below:
fwha_mac_magic=250
fwha_mac_forward_magic=251


Mind the numbers marked bold should be unique on each cluster you are making changes and non equal to default.
4. Save the fwkern.conf
5. Verify the fwker.conf is correctly configured by: # more fwkern.conf
6. Reboot the Module
7. Verify the new mac magic setups correctly configured by:
# fw ctl get int fwha_mac_magic
# fw ctl get int fwha_mac_forward_magic
8. Verify the Cluster Module status by:
# cphaprob stat



 check multicast droping on switch
- check interface errors „netstat -in“ 
  > show for rx-errors (drop,overload,....)


- as next step set ccp to broadcast


Wednesday, October 10, 2018

IPsec VPN Gateway not passing VPN Traffic

IPsec VPN tunnel traffic not passing gateways

  1. Disabled super-netting – global change (sk101219)
  2. Update the user.def file(sk44852) with specific IP range
Debug on  Site to Site IPSec Firewall  shows

;[cpu_11];[fw4_0];fw_log_drop_ex: Packet proto=1 100.140.225.136:2048 -> 172.116.202.134:17162 dropped by fwhold_expires Reason: held chain expired;

ipsec gateway is dropping it .. held chain expired  

A drop for "held chain expired" indicates that key exchange is failing or not completing in a timely manner.  Need the ike debug to see the ike key exchange data to try to understand why it is failing.


We need to start by running a simple IKE debug so we can see what IDs, etc. we are proposing to the peer device for this network.  This debug is very light, and should not cause any issues in most cases.


To enable the debug on the gateway, run the following commands from the expert mode prompt:

vpn debug trunc

vpn debug off


Note:  'vpn debug trunc' will turn on IKE and vpnd debugIt will also rotate the log files.  'vpn debug off' will turn off the vpnd debug, which we do not need at this stage.  It will leave the ike debug running, which is what we want.


Leave the IKE debug running until you reproduce the problem.  Once the problem has been reproduced, run:

vpn debug ikeoff

Then, collect the following files for analysis:    $FWDIR/log/ike*

open file with ikeview.exe