Wednesday, April 10, 2024

Troubleshooting Firewalls

 

[Expert@myfw101:0]# ip route get 216.18.76.16
216.18.76.16 via 10.114.255.11 dev eth1-01 src 10.113.255.14 
[Expert@myfw101:0]#


fw ctl zdebug + drop | grep 216.18.76.16

@;20508118;[vs_0];[tid_30];[fw4_30];fw_log_drop_ex: Packet proto=17 216.18.76.16:53 -> 10.113.255.14:39926 dropped by fw_send_log_drop Reason: Rulebase drop - on layer "fw-cluster Security" rule 19;

Reading the drop: proto=17 is UDP, and the packet is the DNS reply (source port 53) coming back to the member's own address 10.113.255.14. It is dropped by rule 19 of the "fw-cluster Security" layer, i.e. a policy match, not a connection-tracking or anti-spoofing drop.


DNS not active on the Standby cluster member

fwha_forw_packet_to_not_active=1

Here's the SK in case you need it:

https://support.checkpoint.com/results/sk/sk43807



enabled_blades
fw stat 
cpinfo -y all


In addition, if you would please upload a cpinfo from your gateway, as well as an HCP report, this will help us to look for known issues in your environment.
cpinfo -s 6-0003824777
hcp -r all --include-wts yes



On the Standby member:
nslookup google.com 
tcpdump -nni any host 216.18.76.16

On the Active member:
tcpdump -nni any host 216.18.76.16 and host 10.14.55.14

set dns mode default
set dns suffix bcbsma.com
set dns primary 216.118.176.16
set dns secondary 10.115.1.11
set dns tertiary 10.23.210.23
[Expert@myfw101:0]#


142.250.65.238
tcpdump -nni any host 216.118.176.16 and host 10.114.255.14 | grep -i 'google'
fw monitor -F "10.114.255.14,0,216.118.176.16,0,0"
fw monitor -F "10.114.255.14,0,216.118.176.16,0,0" | grep -i 'google'

[Expert@myfw101:0]# cat /var/opt/fw.boot/modules/fwkern.conf
enhanced_ssl_inspection=1
bypass_on_enhanced_ssl_inspection=1
fwmultik_input_queue_len=4096
[Expert@myfw101:0]#



 hcp -r all


[Expert@myfw101:0]# tcpdump -nni Sync host 216.18.76.16 and host 10.14.255.14 | grep -i 'google'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on Sync, link-type EN10MB (Ethernet), capture size 262144 bytes
15:07:27.015688 IP 10.14.255.14.40175 > 216.18.76.16.53: 8827+ A? google.com. (28)
15:07:34.015911 IP 10.14.255.14.40175 > 216.18.76.16.53: 8827+ A? google.com. (28)
15:07:41.016201 IP 10.14.255.14.40175 > 216.18.76.16.53: 8827+ A? google.com. (28)
^C1648 packets captured
1685 packets received by filter
0 packets dropped by kernel

[Expert@myfw101:0]#
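Added example, not from the original notes or from Check Point: a small Python parser for the two outputs pasted above, `fw ctl zdebug + drop` records and `tcpdump -nn` DNS lines, that pairs each repeated query with the rulebase drop of its reply. The sample lines are constructed to mirror the output above but use one consistent member address, since the pasted captures mix several obfuscated IPs; the field names and regexes are mine, not a Check Point log schema.

```python
"""Pair DNS queries seen on a ClusterXL member with rulebase drops of their replies.

Added example, not part of the original notes: parses `fw ctl zdebug + drop`
records and `tcpdump -nn` DNS query lines and reports queries whose reply was
dropped by policy. Sample input below is constructed to mirror the pasted output.
"""
import re

# "Packet proto=17 A:53 -> B:40175 dropped by fw_send_log_drop Reason: ...;"
DROP_RE = re.compile(
    r"Packet proto=(?P<proto>\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) "
    r"dropped by (?P<func>\S+) Reason: (?P<reason>.*?);?\s*$"
)
RULE_RE = re.compile(r'on layer "(?P<layer>[^"]+)" rule (?P<rule>\d+)')

# "HH:MM:SS.usec IP a.b.c.d.port > e.f.g.h.53: txid+ A? name. (len)"  (queries only)
DNS_QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<txid>\d+)\+? (?P<qtype>[A-Z]+)\? (?P<qname>\S+) \(\d+\)"
)

# Constructed sample input modelled on the captures above (addresses illustrative).
SAMPLE_TCPDUMP = [
    "15:07:27.015688 IP 10.14.255.14.40175 > 216.18.76.16.53: 8827+ A? google.com. (28)",
    "15:07:34.015911 IP 10.14.255.14.40175 > 216.18.76.16.53: 8827+ A? google.com. (28)",
    "15:07:41.016201 IP 10.14.255.14.40175 > 216.18.76.16.53: 8827+ A? google.com. (28)",
    "15:07:42.100000 IP 10.14.255.14.40176 > 216.18.76.16.53: 8828+ A? cnn.com. (25)",
    "15:07:42.108000 IP 216.18.76.16.53 > 10.14.255.14.40176: 8828 2/0/0 A 151.101.3.5, A 151.101.67.5 (57)",
]
SAMPLE_ZDEBUG = [
    '@;20508118;[vs_0];[tid_30];[fw4_30];fw_log_drop_ex: Packet proto=17 216.18.76.16:53 -> 10.14.255.14:40175 dropped by fw_send_log_drop Reason: Rulebase drop - on layer "fw-cluster Security" rule 19;',
    '@;20508119;[vs_0];[tid_12];[fw4_12];fw_log_drop_ex: Packet proto=6 198.51.100.7:443 -> 10.14.255.14:51000 dropped by fw_send_log_drop Reason: Rulebase drop - on layer "fw-cluster Security" rule 19;',
    '@;20508120;[vs_0];[tid_30];[fw4_30];fwmultik_process_ppak_input: unrelated debug line;',
]


def parse_drop(line):
    """Parse one zdebug drop record into a dict, or return None for other lines."""
    m = DROP_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("proto", "sport", "dport"):
        d[k] = int(d[k])
    r = RULE_RE.search(d["reason"])
    d["layer"] = r.group("layer") if r else None
    d["rule"] = int(r.group("rule")) if r else None
    return d


def parse_dns_query(line):
    """Parse one tcpdump DNS query line into a dict; replies and non-DNS lines give None."""
    m = DNS_QUERY_RE.match(line)
    if not m:
        return None
    q = m.groupdict()
    for k in ("sport", "dport", "txid"):
        q[k] = int(q[k])
    return q


def unanswered_queries(tcpdump_lines, zdebug_lines):
    """Return the DNS queries whose reply shows up as a UDP rulebase drop.

    Retransmissions (same 4-tuple and transaction ID) are collapsed into one
    record with an attempt count, which is the signature of a client that never
    gets its answer back.
    """
    dropped_replies = {}
    for d in map(parse_drop, zdebug_lines):
        if d and d["proto"] == 17:
            # Key the dropped reply by the client-side 4-tuple so it lines up with the query.
            dropped_replies[(d["dst"], d["dport"], d["src"], d["sport"])] = d

    queries = {}
    for q in map(parse_dns_query, tcpdump_lines):
        if not q:
            continue
        key = (q["src"], q["sport"], q["dst"], q["dport"], q["txid"])
        if key in queries:
            queries[key]["attempts"] += 1
            queries[key]["last_seen"] = q["ts"]
        else:
            queries[key] = {"client": q["src"], "client_port": q["sport"], "server": q["dst"],
                            "qname": q["qname"], "qtype": q["qtype"], "attempts": 1,
                            "first_seen": q["ts"], "last_seen": q["ts"]}

    report = []
    for (src, sport, dst, dport, _txid), rec in queries.items():
        drop = dropped_replies.get((src, sport, dst, dport))
        if drop is not None:
            rec.update(layer=drop["layer"], rule=drop["rule"], reason=drop["reason"])
            report.append(rec)
    return report


if __name__ == "__main__":
    for r in unanswered_queries(SAMPLE_TCPDUMP, SAMPLE_ZDEBUG):
        print(f"{r['qname']} from {r['client']}:{r['client_port']} -> {r['server']}: "
              f"{r['attempts']} attempts, reply dropped on layer {r['layer']!r} rule {r['rule']}")
```

In practice, feed it the saved zdebug file and a `tcpdump -nn -l ... | tee` capture from the same window; a query that appears with several attempts and a matching reply drop is the case above, while a query with no matching drop points at routing or NAT rather than policy.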

[Expert@myfw101:0]# fw ctl get int fwha_cluster_hide_active_only
fwha_cluster_hide_active_only = 1
[Expert@myfw101:0]#






Sunday, April 7, 2024

Troubleshooting IPS

 

Reachability test to the Threat Emulation cloud with the gateway's bundled curl_cli. -k disables certificate verification, which is why the output below says "unable to get local issuer certificate (20), continuing anyway": a Pong here proves routing, TCP and TLS to te.checkpoint.com work, not that the chain is trusted.
[Expert@myfw]# curl_cli -vk https://te.checkpoint.com/tecloud/Ping
*   Trying 52.21.148.145...
* TCP_NODELAY set
* Connected to te.checkpoint.com (52.21.148.145) port 443 (#0)
* ALPN, offering http/1.1
* *** Current date is: Sat Apr  6 01:23:52 2024
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* err is -1, detail is 2
* *** Current date is: Sat Apr  6 01:23:52 2024
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* err is -1, detail is 2
* *** Current date is: Sat Apr  6 01:23:52 2024
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* err is -1, detail is 2
* *** Current date is: Sat Apr  6 01:23:52 2024
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* servercert: Activated
* servercert: CRL validation was disabled
* Server certificate:
*  subject: CN=*.checkpoint.com
*  start date: Oct 25 18:11:28 2023 GMT
*  expire date: Nov 25 18:11:27 2024 GMT
*  issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign GCC R3 DV TLS CA 2020
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* servercert: Finished
< HTTP/1.1 200 
< Date: Sat, 06 Apr 2024 05:23:52 GMT
< Content-Type: text/plain;charset=ISO-8859-1
< Content-Length: 4
< Connection: keep-alive
< Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
< X-Request-Start: t=1712381032.202
< Set-Cookie: te_cookie=aabd0422269d88cb7d33996ad8cd951b; Path=/; Secure

* Connection #0 to host te.checkpoint.com left intact
Pong
[Expert@myfw]# cphaprob tablestat


----   Unique IP's Table  ----

Member          Interface       IP-Address              MAC-Address
-------------------------------------------------------------------------

(Local)
0               3               192.168.110.1            00:1c:ff:46:44:92
0               19              10.114.255.113           00:1c:ff:a3:44:1c
0               22              216.21.183.19            00:1c:ff:a3:44:1f
0               26              172.116.183.2            00:1c:ff:a3:44:4d
0               27              216.21.183.252           00:1c:ff:a3:44:4d

1               3               192.168.110.2            00:1c:ff:46:44:b0
1               19              10.114.255.114           00:1c:ff:a3:44:a8
1               22              216.21.183.20            00:1c:ff:a3:44:ab
1               26              172.116.83.3             00:1c:ff:a3:44:51
1               27              216.21.83.253            00:1c:ff:a3:44:51

-------------------------------------------------------------------------

[Expert@myfw]# 



This change was successfully implemented and validated.
 

DNS resolution on Lowell Firewall Standby cluster member - FIXED
Anti-Bot/Anti-Virus – FIXED
Indeni – Alert – CLEARED
 

 
[Expert@myfw]#  ping updates.checkpoint.com
PING e17340.dscd.akamaiedge.net (23.39.34.118) 56(84) bytes of data.
64 bytes from a23-39-34-118.deploy.static.akamaitechnologies.com (23.39.34.118): icmp_seq=1 ttl=54 time=9.09 ms
64 bytes from a23-39-34-118.deploy.static.akamaitechnologies.com (23.39.34.118): icmp_seq=2 ttl=54 time=8.09 ms
64 bytes from a23-39-34-118.deploy.static.akamaitechnologies.com (23.39.34.118): icmp_seq=3 ttl=54 time=8.10 ms
64 bytes from a23-39-34-118.deploy.static.akamaitechnologies.com (23.39.34.118): icmp_seq=4 ttl=54 time=8.08 ms
^C
--- e17340.dscd.akamaiedge.net ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3002ms
rtt min/avg/max/mdev = 8.089/8.346/9.098/0.434 ms
[Expert@M-INT-FW102:0]#
 
[Expert@myfw]# nslookup cnn.com
Server:         216.118.176.16
Address:        216.118.176.16#53
 
Non-authoritative answer:
Name:   cnn.com
Address: 151.101.131.5
Name:   cnn.com
Address: 151.101.3.5
Name:   cnn.com
Address: 151.101.67.5
Name:   cnn.com
Address: 151.101.195.5
 
[Expert@myfw]# 
 
 
[Expert@myfw]#  nslookup cnn.com
Server:         216.118.176.16
Address:        216.118.176.16#53
 
Non-authoritative answer:
Name:   cnn.com
Address: 151.101.3.5
Name:   cnn.com
Address: 151.101.67.5
Name:   cnn.com
Address: 151.101.195.5
Name:   cnn.com
Address: 151.101.131.5
 
[Expert@myfw]# 
 
 
 
 
 
Change CHG0126843 is scheduled for this time period.

Working with Check Point on the gateway: it cannot reach ThreatCloud for updates, a similar internet-access problem as the DNS lookup from the Standby member.

To view it, please click the link below.
Link: https://bluecrossma.service-now.com/nav_to.do?uri=change_request.do%3Fsys_id=057fbd22dbe1c2d007fbaa2e139619c8%26sysparm_stack=change_request_list.do%3Fsysparm_query=active=true
  •  Description: add kernel parameter on both cluster members
  •  fw ctl set int fwha_cluster_hide_active_only 0 <enter>
  •  No production impact

Note that fw ctl set int changes the running kernel only and is lost on reboot. To make it permanent, also add the line fwha_cluster_hide_active_only=0 to $FWDIR/boot/modules/fwkern.conf (the file listed above as /var/opt/fw.boot/modules/fwkern.conf).


Tuesday, February 27, 2024

Troubleshooting Traffic across Firewalls

 

First Shell:
tcpdump -penni <external_interface> host <IP> and host <IP> -s0 -w /var/log/TCPExternal.pcap
 
Second Shell:
tcpdump -penni <internal_interface> host <IP> and host <IP>  -s0 -w /var/log/TCPInternal.pcap

Third Shell:
fw monitor -F "0,0,<DST IP>,0,0" -F "<DST IP>,0,0,0,0" -o /var/log/<GW_name>_fw_monitor_bidirectional_traffic.pcap

Fourth Shell:
fw ctl zdebug + drop > traffic_drops.txt

Reproduce the problem, then Ctrl-C all four. Keep the zdebug window short: it is CPU-intensive and the output file grows without bound on a busy gateway. The two tcpdumps show what arrived on and left each wire, fw monitor shows the packet at the inspection points in between, and the zdebug output names the reason for anything that appears in the first capture but never in the second.

Thursday, January 18, 2024

subnetting on checkpoint

 

https://jodies.de/ipcalc

Address: 192.168.0.1 11000000.10101000.00000000 .00000001

Netmask:   255.255.255.0 = 24    11111111.11111111.11111111 .00000000
Wildcard: 0.0.0.255 00000000.00000000.00000000 .11111111
=> Network: 192.168.0.0/24 11000000.10101000.00000000 .00000000 (Class C)
Broadcast: 192.168.0.255 11000000.10101000.00000000 .11111111
HostMin: 192.168.0.1 11000000.10101000.00000000 .00000001
HostMax: 192.168.0.254 11000000.10101000.00000000 .11111110
Hosts/Net: 254 (Private Internet)


Should you ever forget the intricacies of subnetting: Check Point did not bother to strip the subnet calculator, ipcalc, from SPLAT (it is present on Gaia as well), so use it and do not clutter your memory with it. Given a subnet, show the first IP (network):

# ipcalc -n 192.168.34.45/27
NETWORK=192.168.34.32

Given subnet show the last IP (broadcast) :

# ipcalc -b 192.168.34.45/27
BROADCAST=192.168.34.63

Be careful what you feed it, though: ipcalc does no validation of the input, so an impossible prefix length produces garbage rather than an error:

# ipcalc -b 192.168.34.45/33
BROADCAST=255.255.255.255
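Added example, not ipcalc's code or anything from the page: the same network and broadcast arithmetic in Python, with the prefix and octet validation ipcalc skips, so /33 is rejected instead of yielding 255.255.255.255. It also handles /31 and /32 the way RFC 3021 defines them.

```python
"""Subnet arithmetic the way ipcalc -n / -b does it, plus the validation ipcalc skips.

Added example, not from the original page or from Check Point: network, netmask,
wildcard, broadcast, host range and host count for 'a.b.c.d/len', rejecting bad
octets and prefix lengths outside 0..32.
"""
import re

_OCTETS = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def ip_to_int(addr):
    """Dotted quad -> 32-bit integer, rejecting malformed or out-of-range octets."""
    m = _OCTETS.match(addr)
    if not m:
        raise ValueError(f"not a dotted-quad address: {addr!r}")
    octets = [int(o) for o in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError(f"octet out of range in {addr!r}")
    n = 0
    for o in octets:
        n = (n << 8) | o
    return n


def int_to_ip(n):
    """32-bit integer -> dotted quad."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def subnet(cidr):
    """Return a dict of the values ipcalc prints for 'a.b.c.d/len'."""
    try:
        addr, prefix = cidr.split("/")
        prefix = int(prefix)
    except ValueError:
        raise ValueError(f"expected a.b.c.d/len, got {cidr!r}")
    if not 0 <= prefix <= 32:
        # This is the check ipcalc lacks: /33 silently becomes BROADCAST=255.255.255.255.
        raise ValueError(f"prefix length {prefix} is outside 0..32")
    ip = ip_to_int(addr)
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    wildcard = ~mask & 0xFFFFFFFF
    network = ip & mask
    broadcast = network | wildcard
    if prefix >= 31:
        # RFC 3021: a /31 is two usable hosts with no broadcast; a /32 is one host.
        hostmin, hostmax = network, broadcast
        hosts = 2 if prefix == 31 else 1
    else:
        hostmin, hostmax = network + 1, broadcast - 1
        hosts = broadcast - network - 1
    return {
        "PREFIX": prefix,
        "NETWORK": int_to_ip(network),
        "NETMASK": int_to_ip(mask),
        "WILDCARD": int_to_ip(wildcard),
        "BROADCAST": int_to_ip(broadcast),
        "HOSTMIN": int_to_ip(hostmin),
        "HOSTMAX": int_to_ip(hostmax),
        "HOSTS": hosts,
    }


if __name__ == "__main__":
    for cidr in ("192.168.34.45/27", "192.168.0.1/24", "10.0.0.5/31"):
        print(cidr, subnet(cidr))
    try:
        subnet("192.168.34.45/33")
    except ValueError as e:
        print("rejected:", e)
```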

Thursday, January 11, 2024

 
[Expert@myfirewall]# cphaprob -l list

Built-in Devices:

Device Name: Interface Active Check
Current state: OK

Device Name: Recovery Delay
Current state: OK

Device Name: CoreXL Configuration
Current state: OK

Registered Devices:

Device Name: Fullsync
Registration number: 0
Timeout: none
Current state: OK
Time since last report: 1.31105e+06 sec

Device Name: Policy
Registration number: 1
Timeout: none
Current state: OK
Time since last report: 1.31105e+06 sec

Device Name: routed
Registration number: 2
Timeout: none
Current state: OK
Time since last report: 164.8 sec

Device Name: cxld
Registration number: 3
Timeout: 30 sec
Current state: OK
Time since last report: 102116 sec
Process Status: UP

Device Name: fwd
Registration number: 4
Timeout: 30 sec
Current state: OK
Time since last report: 102116 sec
Process Status: UP

Device Name: cphad
Registration number: 5
Timeout: 30 sec
Current state: OK
Time since last report: 4.1131e+06 sec
Process Status: UP

Device Name: VSX
Registration number: 6
Timeout: none
Current state: OK
Time since last report: 4.1131e+06 sec

Device Name: Init
Registration number: 7
Timeout: none
Current state: OK
Time since last report: 4.1131e+06 sec

Device Name: Local Probing
Registration number: 8
Timeout: none
Current state: OK
Time since last report: 185.2 sec

[Expert@myfirewall]# 

Friday, January 5, 2024

Fixes to R81.20

 
FIXES
1. Set grub2 password (without it, anyone with console access can edit the boot entry, e.g. to boot single-user)
myfirewall01> set grub2-password
Enter new grub2 password: 
Enter new grub2 password (again): 
myfirewall01> 


2. Update TRAC file

/var/opt/CPsuite-R81.20/fw/conf/trac_client_1.ttm
Make a backup copy of the file first, then change the two values in the automatic_mep_topology block as shown (the bracketed notes give the previous value):
      )
                :automatic_mep_topology (
                        :gateway (
                                :map (
                                        :false (false)
                                        :true (true)
                                        :client_decide (false)     [ change from Client_Decide to False]
                                )
                                :default (false)  [ change from True to False]
                        )
                )
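Added example, not part of the original notes and not a Check Point tool: because `:default (...)` appears under many attributes in trac_client_1.ttm, a global search-and-replace would alter settings unrelated to MEP. This Python helper locates the `:automatic_mep_topology` block by parenthesis matching and rewrites only the two values inside its `:gateway` sub-block, writing a .bak copy first when given a file path. The sample file content is constructed and abridged; `:unrelated_setting` is a placeholder name, not a real attribute.

```python
"""Scoped edit of trac_client_1.ttm: force automatic_mep_topology to false.

Added example, not from the original page or from Check Point. The .ttm file is
a nested parenthesised settings file; this changes only the :client_decide and
:default leaves under :automatic_mep_topology/:gateway and leaves every other
attribute's :default untouched.
"""
import re
import shutil

# Constructed, abridged sample; ':unrelated_setting' is a placeholder attribute name.
SAMPLE_TTM = """\
:gateway_profile (
    :automatic_mep_topology (
        :gateway (
            :map (
                :false (false)
                :true (true)
                :client_decide (client_decide)
            )
            :default (true)
        )
    )
    :unrelated_setting (
        :gateway (
            :map (
                :false (false)
                :true (true)
                :client_decide (client_decide)
            )
            :default (client_decide)
        )
    )
)
"""


def find_block(text, name):
    """Return (start, end) offsets of ':name ( ... )' including its matching ')', or None."""
    m = re.search(r":%s\s*\(" % re.escape(name), text)
    if not m:
        return None
    depth = 0
    for j in range(m.end() - 1, len(text)):  # m.end() - 1 is the opening '('
        if text[j] == "(":
            depth += 1
        elif text[j] == ")":
            depth -= 1
            if depth == 0:
                return m.start(), j + 1
    raise ValueError(f"unbalanced parentheses in :{name} block")


def force_mep_topology_false(text):
    """Return (new_text, number_of_values_changed).

    Only leaves inside :automatic_mep_topology/:gateway are rewritten:
    ':client_decide (client_decide)' -> ':client_decide (false)' and
    ':default (true)' -> ':default (false)'.
    """
    span = find_block(text, "automatic_mep_topology")
    if span is None:
        raise ValueError(":automatic_mep_topology not found")
    start, end = span
    block = text[start:end]
    gw = find_block(block, "gateway")
    if gw is None:
        raise ValueError(":gateway not found under :automatic_mep_topology")
    g0, g1 = gw
    gateway = block[g0:g1]

    changes = 0
    for key in ("client_decide", "default"):
        # Only match leaf values, i.e. '(...)' with no nested parentheses.
        gateway, n = re.subn(r"(:%s\s*\()[^()]*(\))" % re.escape(key),
                             r"\g<1>false\g<2>", gateway)
        changes += n

    block = block[:g0] + gateway + block[g1:]
    return text[:start] + block + text[end:], changes


def patch_file(path):
    """Back the file up to <path>.bak, then apply the edit in place. Returns the change count."""
    shutil.copy2(path, path + ".bak")
    with open(path, encoding="utf-8") as f:
        text = f.read()
    new_text, changes = force_mep_topology_false(text)
    with open(path, "w", encoding="utf-8") as f:
        f.write(new_text)
    return changes


if __name__ == "__main__":
    new, n = force_mep_topology_false(SAMPLE_TTM)
    print(f"{n} values changed")
    print(new)
```

Run `patch_file("/var/opt/CPsuite-R81.20/fw/conf/trac_client_1.ttm")` on the gateway and diff the result against the .bak before the change window closes; the change count should be exactly 2.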


3. Fix HTTP/2
Description:
A similar change was successfully implemented and tested in the lower region (TestVPN).

1. Disable HTTP/2 negotiation (ignore the ALPN extension) on myfirewall01 and myfirewall02
To disable HTTP/2:
ckp_regedit -a SOFTWARE\\CheckPoint\\FW1 IGNORE_ALPN_EXTENSION 1
cpstop;cpstart

To enable HTTP/2 again:
ckp_regedit -a SOFTWARE\\CheckPoint\\FW1 IGNORE_ALPN_EXTENSION 0
cpstop;cpstart
No production impact, low risk. cpstop takes the member out of the cluster, so run the change on the Standby first, confirm it rejoins with cphaprob state, then fail over and repeat on the other member.