Friday, October 18, 2024

Palo Alto Architecting

Strata Cloud Manager (move away from Panorama)

Prisma Access (Global Protect)
Commits

General Protection

  • Zone Protection profiles on all interfaces
  • Migrate to Application-based rules
  • Shared rules, e.g. geoblocks, bad apps, cleanup
  • Criticality threshold, medium severity is common
  • Zero trust
  • External Dynamic List


Remote User /On-Prem Protection

  • Threat Protection
  • URL Filtering
  • SSL Forward Proxy (SSLD)
  • Global Protect VPN W/Full Tunnel & HIPs
  • User-ID
  • Data Redistribution

Responsiveness

  • Directional cleanup rules
  • HA configured locally, not in Panorama
  • Link and path monitoring for hardware
  • Baseline or reference device group
  • Use tags
  • Self-documenting configuration
  • Security profile groups for different use cases
  • Device group tiers and shared templates

Resilience
  • Automate update installation, config backups
  • Separate virtual router for secondary ISP
  • Use path monitoring (not PBF) for route failover
  • HA configured locally, not in Panorama
  • Link and path monitoring for Hardware failover
  • Use monitor profiles for all IPSec tunnels

Palo Alto
Prisma Access - Associate Tenant
Prisma Access - Mobile Developer Tenant
Panorama Gateways

Sunday, August 25, 2024

Route

 netstat -rn | wc -l


3/4" MDF
11" cut to accommodate 12" speakers
All joints are glued so the cabinet is sealed
Terminal caps
Rectangular slotted port 1 15/16" tall, 12 1/8" wide and 13" deep (approx. 1.5 cubic feet volume)
Decreasing the port width lowers the bass frequency



Key Features
1.5 ft³ cabinet
Slotted port design
3/4" MDF construction
All joints glued and caulked
Black carpet covering


buffer overflow
cross-site scripting
SQL injection

Wednesday, July 10, 2024

Building a Checkpoint Firewall Cluster (Checklist)

 

Checklist to Build Cluster
1. Checkpoint Version R81.20
2. Checkpoint JumboHotFix JHF65 (or latest Checkpoint GA)
3. Hostname
4. DNS/NTP
5. Routes /Static/OSPF/Default Route/Route distribution
6. Add to Infoblox or your DNS server 
7. Interface Speed/Duplex
8. Integration with Cisco tacacs or Authentication Server
9. RSA Seed files if integration is needed for VPN
10. Serial Connection to Term Server
11. Monitoring
    a. Add to SolarWinds
    b. Add to Indeni
12. Configure Firewall backup on Indeni
13. Add to Firewall Management Servers
14. Apply Checkpoint License
15. Verify
    a. Logs on Logger
    b. Policy is applied with software blades IPS/Identity Awareness
16. Configure Out-of-band LOM 



Special Configurations
1. Fix CP provided for the talk path issue
/opt/CPsuite-R81.20/fw1/boot/modules/
vi fwkern.conf
fwmultik_dispatcher_in_tap_mode=1

2. The core 0 CPU fix
/opt/CPsuite-R81.20/fw1/boot/modules/
vi fwkern.conf
fwmultik_sync_processing_enabled=0


Ref: https://support.checkpoint.com/results/sk/sk165853





Tuesday, June 18, 2024

OSPF Configuration

set ospf

set router-id 100.14.25.12


set ospf area 5 on
set ospf interface eth1-01 area 5 on
set ospf interface eth1-01 cost 1
set ospf interface eth1-01 priority 0
set ospf interface eth1-01 authtype md5 key 1 secret already_scrambled_FFBm4JO9gDBWc=_00000000000000000000000000000000000000000000000000

set ospf interface eth1-04 area 5 on
set ospf interface eth1-04 priority 0
set ospf interface eth1-04 passive on
set ospf area backbone off

Wednesday, April 10, 2024

Troubleshooting Firewalls

 

[Expert@myfw101:0]# ip route get 216.18.76.16
216.18.76.16 via 10.114.255.11 dev eth1-01 src 10.113.255.14 
[Expert@myfw101:0]#


fw ctl zdebug + drop | grep 216.18.76.16

@;20508118;[vs_0];[tid_30];[fw4_30];fw_log_drop_ex: Packet proto=17 216.18.76.16:53 -> 10.113.255.14:39926 dropped by fw_send_log_drop Reason: Rulebase drop - on layer "fw-cluster Security" rule 19;


DNS Not active on Standby Cluster Member

fwha_forw_packet_to_not_active=1

Here's the SK in case you need it:

https://support.checkpoint.com/results/sk/sk43807



enabled_blades
fw stat 
cpinfo -y all


In addition, if you would please upload a cpinfo from your gateway as well as an HCP report, this will help us look for known issues in your environment.
cpinfo -s 6-0003824777
hcp -r all --include-wts yes



Standby
nslookup google.com 
tcpdump -nni any host 216.18.76.16

Active 
tcpdump -nni any host 216.18.76.16 and host 10.14.55.14

set dns mode default
set dns suffix bcbsma.com
set dns primary 216.118.176.16
set dns secondary 10.115.1.11
set dns tertiary 10.23.210.23
[Expert@myfw101:0]#


142.250.65.238
tcpdump -nni any host 216.118.176.16 and host 10.114.255.14 | grep -i 'google'
fw monitor -F "10.114.255.14,0,216.118.176.16,0,0"
fw monitor -F "10.114.255.14,0,216.118.176.16,0,0" | grep -i 'google'

[Expert@myfw101:0]## cat /var/opt/fw.boot/modules/fwkern.conf
enhanced_ssl_inspection=1
bypass_on_enhanced_ssl_inspection=1
fwmultik_input_queue_len=4096
[Expert@myfw101:0]## 



 hcp -r all


[Expert@myfw101:0]# tcpdump -nni Sync host 216.18.76.16 and host 10.14.255.14 | grep -i 'google'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on Sync, link-type EN10MB (Ethernet), capture size 262144 bytes
15:07:27.015688 IP 10.14.255.14.40175 > 216.18.76.16.53: 8827+ A? google.com. (28)
15:07:34.015911 IP 10.14.255.14.40175 > 216.18.76.16.53: 8827+ A? google.com. (28)
15:07:41.016201 IP 10.14.255.14.40175 > 216.18.76.16.53: 8827+ A? google.com. (28)
^C1648 packets captured
1685 packets received by filter
0 packets dropped by kernel

[Expert@myfw101:0]## 

[Expert@myfw101:0]## fw ctl get int fwha_cluster_hide_active_only
fwha_cluster_hide_active_only = 1
[Expert@myfw101:0]#


[Expert@myfw101:0]# fw ctl get int fwha_cluster_hide_active_only
fwha_cluster_hide_active_only = 1




Sunday, April 7, 2024

Troubleshooting IPS

 

[Expert@myfw]# curl_cli -vk https://te.checkpoint.com/tecloud/Ping
*   Trying 52.21.148.145...
* TCP_NODELAY set
* Connected to te.checkpoint.com (52.21.148.145) port 443 (#0)
* ALPN, offering http/1.1
* *** Current date is: Sat Apr  6 01:23:52 2024
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* err is -1, detail is 2
* *** Current date is: Sat Apr  6 01:23:52 2024
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* err is -1, detail is 2
* *** Current date is: Sat Apr  6 01:23:52 2024
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* err is -1, detail is 2
* *** Current date is: Sat Apr  6 01:23:52 2024
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* servercert: Activated
* servercert: CRL validation was disabled
* Server certificate:
*  subject: CN=*.checkpoint.com
*  start date: Oct 25 18:11:28 2023 GMT
*  expire date: Nov 25 18:11:27 2024 GMT
*  issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign GCC R3 DV TLS CA 2020
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* servercert: Finished
< HTTP/1.1 200 
< Date: Sat, 06 Apr 2024 05:23:52 GMT
< Content-Type: text/plain;charset=ISO-8859-1
< Content-Length: 4
< Connection: keep-alive
< Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
< X-Request-Start: t=1712381032.202
< Set-Cookie: te_cookie=aabd0422269d88cb7d33996ad8cd951b; Path=/; Secure

* Connection #0 to host te.checkpoint.com left intact
Pong
[Expert@myfw]# # cphaprob tablestat 


----   Unique IP's Table  ----

Member          Interface       IP-Address              MAC-Address
-------------------------------------------------------------------------

(Local)
0               3               192.168.110.1            00:1c:ff:46:44:92
0               19              10.114.255.113           00:1c:ff:a3:44:1c
0               22              216.21.183.19            00:1c:ff:a3:44:1f
0               26              172.116.183.2            00:1c:ff:a3:44:4d
0               27              216.21.183.252           00:1c:ff:a3:44:4d

1               3               192.168.110.2            00:1c:ff:46:44:b0
1               19              10.114.255.114           00:1c:ff:a3:44:a8
1               22              216.21.183.20            00:1c:ff:a3:44:ab
1               26              172.116.83.3             00:1c:ff:a3:44:51
1               27              216.21.83.253            00:1c:ff:a3:44:51

-------------------------------------------------------------------------

[Expert@myfw]# 



This change was successfully implemented and validated.
 

DNS resolution on Lowell Firewall Standby cluster member -  FIXED
Anti-Bot/Anti-Virus – FIXED
Indeni – Alert – CLEARED
 

 
[Expert@myfw]#  ping updates.checkpoint.com
PING e17340.dscd.akamaiedge.net (23.39.34.118) 56(84) bytes of data.
64 bytes from a23-39-34-118.deploy.static.akamaitechnologies.com (23.39.34.118): icmp_seq=1 ttl=54 time=9.09 ms
64 bytes from a23-39-34-118.deploy.static.akamaitechnologies.com (23.39.34.118): icmp_seq=2 ttl=54 time=8.09 ms
64 bytes from a23-39-34-118.deploy.static.akamaitechnologies.com (23.39.34.118): icmp_seq=3 ttl=54 time=8.10 ms
64 bytes from a23-39-34-118.deploy.static.akamaitechnologies.com (23.39.34.118): icmp_seq=4 ttl=54 time=8.08 ms
^C
--- e17340.dscd.akamaiedge.net ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3002ms
rtt min/avg/max/mdev = 8.089/8.346/9.098/0.434 ms
[Expert@M-INT-FW102:0]#
 
[Expert@myfw]# nslookup cnn.com
Server:         216.118.176.16
Address:        216.118.176.16#53
 
Non-authoritative answer:
Name:   cnn.com
Address: 151.101.131.5
Name:   cnn.com
Address: 151.101.3.5
Name:   cnn.com
Address: 151.101.67.5
Name:   cnn.com
Address: 151.101.195.5
 
[Expert@myfw]# 
 
 
[Expert@myfw]#  nslookup cnn.com
Server:         216.118.176.16
Address:        216.118.176.16#53
 
Non-authoritative answer:
Name:   cnn.com
Address: 151.101.3.5
Name:   cnn.com
Address: 151.101.67.5
Name:   cnn.com
Address: 151.101.195.5
Name:   cnn.com
Address: 151.101.131.5
 
[Expert@myfw]# 
Change CHG0126843 is scheduled for this time period.
 
 Working with Checkpoint on [Expert@myfw]# – Cannot reach Threat Cloud for updates – Similar internet issue as the DNS lookup

 To view it, please click the link below.
 Link: https://bluecrossma.service-now.com/nav_to.do?uri=change_request.do%3Fsys_id=057fbd22dbe1c2d007fbaa2e139619c8%26sysparm_stack=change_request_list.do%3Fsysparm_query=active=true
  •  Description:
  •  Add Kernel Parameter:  to  [Expert@myfw]#  [Expert@myfw]# 
  • fw ctl set int fwha_cluster_hide_active_only 0 <enter>
  • No production impact


Tuesday, February 27, 2024

Troubleshooting Traffic across Firewalls

 

First Shell:
tcpdump -penni <external_interface> host <IP> and host <IP> -s0 -w /var/log/TCPExternal.pcap
 
Second Shell:
tcpdump -penni <internal_interface> host <IP> and host <IP>  -s0 -w /var/log/TCPInternal.pcap

Third Shell:
fw monitor -F "0,0,<DST IP>,0,0" -F "<DST IP>,0,0,0,0" -o /var/log/<GW_name>_fw_monitor_bidirectional_traffic.pcap

Fourth Shell:
fw ctl zdebug + drop > traffic_drops.txt
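Both the `fw ctl zdebug + drop | grep <ip>` one-liner in the April entry and the fourth-shell capture to `traffic_drops.txt` above produce lines in the `fw_log_drop_ex` format (`Packet proto=... -> ... dropped by ... Reason: ...`). The Python helper below is an added example, not part of these notes or of Check Point's tooling: it parses such lines into fields (virtual system, protocol, endpoints, logging function, reason, rule number) and tallies drops by reason and by flow, so a capture file can be triaged instead of grepped line by line. The regex is written only against the line shape seen on this page and returns `None` for anything else; the sample lines are constructed from the page's own example plus two invented ones.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Matches the "fw ctl zdebug + drop" line shape seen in these notes, e.g.
# @;20508118;[vs_0];[tid_30];[fw4_30];fw_log_drop_ex: Packet proto=17 A:53 -> B:39926
#   dropped by fw_send_log_drop Reason: Rulebase drop - on layer "X" rule 19;
DROP_RE = re.compile(
    r"\[vs_(?P<vs>\d+)\];.*?fw_log_drop(?:_ex)?:\s*Packet proto=(?P<proto>\d+)\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s*->\s*(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s+"
    r"dropped by (?P<func>\S+)\s+Reason:\s*(?P<reason>.*?);?\s*$"
)
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


@dataclass(frozen=True)
class Drop:
    vs: int
    proto: str
    src: str
    sport: Optional[int]   # None for protocols without ports (e.g. ICMP)
    dst: str
    dport: Optional[int]
    func: str              # kernel function that logged the drop
    reason: str            # free-text reason with the trailing ';' removed
    rule: Optional[int]    # rule number when the reason names one


def parse_drop_line(line: str) -> Optional[Drop]:
    """Parse one zdebug drop line; return None for lines in any other format."""
    m = DROP_RE.search(line)
    if not m:
        return None
    proto_num = int(m["proto"])
    rule_m = re.search(r"\brule (\d+)", m["reason"])
    return Drop(
        vs=int(m["vs"]),
        proto=PROTO_NAMES.get(proto_num, str(proto_num)),
        src=m["src"], sport=int(m["sport"]) if m["sport"] else None,
        dst=m["dst"], dport=int(m["dport"]) if m["dport"] else None,
        func=m["func"], reason=m["reason"].strip(),
        rule=int(rule_m.group(1)) if rule_m else None,
    )


def summarize_drops(lines: Iterable[str]):
    """Return (parsed drops, Counter by reason, Counter by (src, dst, proto))."""
    drops = [d for d in map(parse_drop_line, lines) if d is not None]
    by_reason = Counter(d.reason for d in drops)
    by_flow = Counter((d.src, d.dst, d.proto) for d in drops)
    return drops, by_reason, by_flow


# Constructed sample: the line quoted in the notes above plus two invented ones
# and one non-drop line that the parser must skip.
SAMPLE_DROPS = [
    '@;20508118;[vs_0];[tid_30];[fw4_30];fw_log_drop_ex: Packet proto=17 216.18.76.16:53 -> 10.113.255.14:39926 dropped by fw_send_log_drop Reason: Rulebase drop - on layer "fw-cluster Security" rule 19;',
    '@;20508119;[vs_0];[tid_30];[fw4_30];fw_log_drop_ex: Packet proto=17 216.18.76.16:53 -> 10.113.255.14:39927 dropped by fw_send_log_drop Reason: Rulebase drop - on layer "fw-cluster Security" rule 19;',
    '@;20508120;[vs_0];[tid_12];[fw4_12];fw_log_drop_ex: Packet proto=6 192.0.2.10:51544 -> 10.113.10.5:443 dropped by fw_handle_first_packet Reason: Address spoofing;',
    "this line is not a drop record",
]

if __name__ == "__main__":
    # Typical use: summarize_drops(open("traffic_drops.txt"))
    drops, by_reason, by_flow = summarize_drops(SAMPLE_DROPS)
    for reason, n in by_reason.most_common():
        print(f"{n:5d}  {reason}")
    for (src, dst, proto), n in by_flow.most_common(5):
        print(f"{n:5d}  {src} -> {dst} ({proto})")
```

Pointing `summarize_drops()` at the `traffic_drops.txt` file from the fourth shell gives the top drop reasons and the flows behind them; a rulebase drop naming a rule number points at policy, while reasons such as address spoofing point at topology rather than the rulebase.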

Thursday, January 18, 2024

subnetting on checkpoint

 

https://jodies.de/ipcalc

Address:   192.168.0.1          11000000.10101000.00000000 .00000001
Netmask:   255.255.255.0 = 24   11111111.11111111.11111111 .00000000
Wildcard:  0.0.0.255            00000000.00000000.00000000 .11111111
=>
Network:   192.168.0.0/24       11000000.10101000.00000000 .00000000 (Class C)
Broadcast: 192.168.0.255        11000000.10101000.00000000 .11111111
HostMin:   192.168.0.1          11000000.10101000.00000000 .00000001
HostMax:   192.168.0.254        11000000.10101000.00000000 .11111110
Hosts/Net: 254                  (Private Internet)


Should you ever forget the intricacies of subnetting, Check Point did not strip the subnet calculator, ipcalc, from SPLAT, so use it rather than cluttering your memory with useless detail. Given a subnet, show the first IP (the network address):

# ipcalc -n 192.168.34.45/27
NETWORK=192.168.34.32

Given subnet show the last IP (broadcast) :

# ipcalc -b 192.168.34.45/27
BROADCAST=192.168.34.63

Be careful what you feed it though, as ipcalc does no input validation:

# ipcalc -b 192.168.34.45/33
BROADCAST=255.255.255.255
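The same calculation as the jodies.de page and the Gaia ipcalc, written out so the arithmetic is visible. This is an added example using Python's standard `ipaddress` module, not code from the notes or from Check Point; it reproduces the network, broadcast, wildcard, HostMin/HostMax and host-count lines, prints the dotted-binary form, and, unlike the `/33` case shown above, rejects an impossible prefix instead of silently returning `255.255.255.255`. It also handles /31 and /32, where every address is a usable host, which the "subtract two" rule gets wrong.

```python
import ipaddress
from typing import Dict


def dotted_bits(addr: ipaddress.IPv4Address) -> str:
    """Dotted binary as ipcalc prints it: 11000000.10101000.00000000.00000001"""
    return ".".join(f"{octet:08b}" for octet in addr.packed)


def is_valid_cidr(cidr: str) -> bool:
    """True only for a well-formed IPv4 address with a prefix in 0..32.
    The Gaia ipcalc accepts /33 and prints 255.255.255.255; this does not."""
    try:
        ipaddress.IPv4Network(cidr, strict=False)
        return True
    except ValueError:
        return False


def subnet_info(cidr: str) -> Dict[str, object]:
    """Compute what ipcalc prints for a host/prefix input.
    Raises ValueError for a prefix outside 0..32 or a malformed address."""
    # strict=False accepts an address with host bits set (192.168.34.45/27)
    net = ipaddress.IPv4Network(cidr, strict=False)
    first, last = net.network_address, net.broadcast_address
    if net.prefixlen <= 30:
        host_min, host_max = first + 1, last - 1
        hosts = net.num_addresses - 2          # minus network and broadcast
    else:
        # /31 (RFC 3021 point-to-point) and /32: every address is a host
        host_min, host_max = first, last
        hosts = net.num_addresses
    return {
        "address": cidr.split("/")[0],
        "netmask": str(net.netmask),
        "prefix": net.prefixlen,
        "wildcard": str(net.hostmask),
        "network": f"{first}/{net.prefixlen}",
        "network_bits": dotted_bits(first),
        "broadcast": str(last),
        "broadcast_bits": dotted_bits(last),
        "hostmin": str(host_min),
        "hostmax": str(host_max),
        "hosts": hosts,
        "private": net.is_private,
    }


if __name__ == "__main__":
    for cidr in ("192.168.0.1/24", "192.168.34.45/27", "10.0.0.8/31"):
        info = subnet_info(cidr)
        print(f"Network:   {info['network']:<20} {info['network_bits']}")
        print(f"Broadcast: {info['broadcast']:<20} {info['broadcast_bits']}")
        print(f"HostMin:   {info['hostmin']}  HostMax: {info['hostmax']}  "
              f"Hosts/Net: {info['hosts']}  private={info['private']}")
    print("192.168.34.45/33 valid?", is_valid_cidr("192.168.34.45/33"))
```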

Thursday, January 11, 2024

 
[Expert@myfirewall]# cphaprob -l list

Built-in Devices:

Device Name: Interface Active Check
Current state: OK

Device Name: Recovery Delay
Current state: OK

Device Name: CoreXL Configuration
Current state: OK

Registered Devices:

Device Name: Fullsync
Registration number: 0
Timeout: none
Current state: OK
Time since last report: 1.31105e+06 sec

Device Name: Policy
Registration number: 1
Timeout: none
Current state: OK
Time since last report: 1.31105e+06 sec

Device Name: routed
Registration number: 2
Timeout: none
Current state: OK
Time since last report: 164.8 sec

Device Name: cxld
Registration number: 3
Timeout: 30 sec
Current state: OK
Time since last report: 102116 sec
Process Status: UP

Device Name: fwd
Registration number: 4
Timeout: 30 sec
Current state: OK
Time since last report: 102116 sec
Process Status: UP

Device Name: cphad
Registration number: 5
Timeout: 30 sec
Current state: OK
Time since last report: 4.1131e+06 sec
Process Status: UP

Device Name: VSX
Registration number: 6
Timeout: none
Current state: OK
Time since last report: 4.1131e+06 sec

Device Name: Init
Registration number: 7
Timeout: none
Current state: OK
Time since last report: 4.1131e+06 sec

Device Name: Local Probing
Registration number: 8
Timeout: none
Current state: OK
Time since last report: 185.2 sec

[Expert@myfirewall]# 
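The `cphaprob -l list` output above is what you read by eye when a member will not go Active; the Python helper below is an added example (not part of these notes or of Check Point's tools) that parses that exact layout into one record per critical device, converts the `sec` values (including the `1.31105e+06` scientific-notation form) to numbers, and returns the devices that are not healthy: any whose `Current state` is not `OK`, or whose `Process Status` is present and not `UP`. The embedded sample is constructed from the page's output with one device set to a `problem` state; the `problem`/`DOWN` strings are assumed from Check Point's usual wording and are labelled as such in the code.

```python
import re
from typing import Dict, List, Optional

# Labels printed by "cphaprob -l list" mapped to record keys.
FIELD_KEYS = {
    "Registration number": "registration",
    "Timeout": "timeout",
    "Current state": "state",
    "Time since last report": "since_report",
    "Process Status": "process",
}


def seconds(value: str) -> Optional[float]:
    """'30 sec' -> 30.0, '1.31105e+06 sec' -> 1311050.0, 'none' -> None."""
    m = re.match(r"([0-9.eE+-]+)\s*sec", value)
    return float(m.group(1)) if m else None


def parse_cphaprob_list(text: str) -> List[Dict]:
    """One dict per device, tagged with its section (Built-in / Registered)."""
    devices: List[Dict] = []
    section = None
    current: Optional[Dict] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("Devices:"):          # "Built-in Devices:" / "Registered Devices:"
            section = line[: -len(" Devices:")]
            current = None
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Device Name":
            current = {"name": value, "section": section}
            devices.append(current)
        elif current is not None and key in FIELD_KEYS:
            k = FIELD_KEYS[key]
            current[k] = seconds(value) if k in ("timeout", "since_report") else value
    return devices


def unhealthy_devices(devices: List[Dict]) -> List[str]:
    """Names of devices that keep a member out of Active: state not OK, or a
    monitored daemon whose Process Status is not UP."""
    return [
        d["name"] for d in devices
        if d.get("state") != "OK" or d.get("process", "UP") != "UP"
    ]


# Constructed sample modelled on the output above; the cphad block is invented
# and the "problem" / "DOWN" strings are assumed wording for a failed device.
SAMPLE_OUTPUT = """\
Built-in Devices:

Device Name: Interface Active Check
Current state: OK

Device Name: CoreXL Configuration
Current state: OK

Registered Devices:

Device Name: Fullsync
Registration number: 0
Timeout: none
Current state: OK
Time since last report: 1.31105e+06 sec

Device Name: routed
Registration number: 2
Timeout: none
Current state: OK
Time since last report: 164.8 sec

Device Name: fwd
Registration number: 4
Timeout: 30 sec
Current state: OK
Time since last report: 102116 sec
Process Status: UP

Device Name: cphad
Registration number: 5
Timeout: 30 sec
Current state: problem
Time since last report: 12 sec
Process Status: DOWN
"""

if __name__ == "__main__":
    # Typical use: parse_cphaprob_list(subprocess.check_output(["cphaprob", "-l", "list"], text=True))
    devs = parse_cphaprob_list(SAMPLE_OUTPUT)
    print("unhealthy:", unhealthy_devices(devs) or "none")
```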

Friday, January 5, 2024

Fixes to R81.20

 
FIXES
1. Set grub2 password
myfirewall01> set grub2-password
Enter new grub2 password: 
Enter new grub2 password (again): 
myfirewall01> 


2. Update TRAC File

/var/opt/CPsuite-R81.20/fw/conf/trac_client_1.ttm
Make a backup copy of the file first.
      )
                :automatic_mep_topology (
                        :gateway (
                                :map (
                                        :false (false)
                                        :true (true)
                                        :client_decide (false)     [ change from Client_Decide to False]
                                )
                                :default (false)  [ change from True to False]
                        )
                )


3. Fix http2
Description:
A similar change was successfully implemented and tested in the lower region (TestVPN).

1. Disable HTTP2 Header Length on myfirewall01 and myfirewall02
To disable http2:
ckp_regedit -a SOFTWARE\\CheckPoint\\FW1 IGNORE_ALPN_EXTENSION 1
cpstop;cpstart

To enable http2 again:
ckp_regedit -a SOFTWARE\\CheckPoint\\FW1 IGNORE_ALPN_EXTENSION 0
cpstop;cpstart
No production impact, low risk.