Sunday, April 7, 2024

Troubleshooting IPS

 

[Expert@myfw]# curl_cli -vk https://te.checkpoint.com/tecloud/Ping
*   Trying 52.21.148.145...
* TCP_NODELAY set
* Connected to te.checkpoint.com (52.21.148.145) port 443 (#0)
* ALPN, offering http/1.1
* *** Current date is: Sat Apr  6 01:23:52 2024
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* err is -1, detail is 2
* *** Current date is: Sat Apr  6 01:23:52 2024
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* err is -1, detail is 2
* *** Current date is: Sat Apr  6 01:23:52 2024
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* err is -1, detail is 2
* *** Current date is: Sat Apr  6 01:23:52 2024
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* servercert: Activated
* servercert: CRL validation was disabled
* Server certificate:
*  subject: CN=*.checkpoint.com
*  start date: Oct 25 18:11:28 2023 GMT
*  expire date: Nov 25 18:11:27 2024 GMT
*  issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign GCC R3 DV TLS CA 2020
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* servercert: Finished
< HTTP/1.1 200 
< Date: Sat, 06 Apr 2024 05:23:52 GMT
< Content-Type: text/plain;charset=ISO-8859-1
< Content-Length: 4
< Connection: keep-alive
< Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
< X-Request-Start: t=1712381032.202
< Set-Cookie: te_cookie=aabd0422269d88cb7d33996ad8cd951b; Path=/; Secure

* Connection #0 to host te.checkpoint.com left intact
Pong
[Expert@myfw]# cphaprob tablestat


----   Unique IP's Table  ----

Member          Interface       IP-Address              MAC-Address
-------------------------------------------------------------------------

(Local)
0               3               192.168.110.1            00:1c:ff:46:44:92
0               19              10.114.255.113           00:1c:ff:a3:44:1c
0               22              216.21.183.19            00:1c:ff:a3:44:1f
0               26              172.116.183.2            00:1c:ff:a3:44:4d
0               27              216.21.183.252           00:1c:ff:a3:44:4d

1               3               192.168.110.2            00:1c:ff:46:44:b0
1               19              10.114.255.114           00:1c:ff:a3:44:a8
1               22              216.21.183.20            00:1c:ff:a3:44:ab
1               26              172.116.83.3             00:1c:ff:a3:44:51
1               27              216.21.83.253            00:1c:ff:a3:44:51

-------------------------------------------------------------------------

[Expert@myfw]# 



This change was successfully implemented and validated.
 

DNS resolution on Lowell Firewall Standby cluster member - FIXED
Anti-Bot/Anti-Virus – FIXED
Indeni – Alert – CLEARED
 

 
[Expert@myfw]#  ping updates.checkpoint.com
PING e17340.dscd.akamaiedge.net (23.39.34.118) 56(84) bytes of data.
64 bytes from a23-39-34-118.deploy.static.akamaitechnologies.com (23.39.34.118): icmp_seq=1 ttl=54 time=9.09 ms
64 bytes from a23-39-34-118.deploy.static.akamaitechnologies.com (23.39.34.118): icmp_seq=2 ttl=54 time=8.09 ms
64 bytes from a23-39-34-118.deploy.static.akamaitechnologies.com (23.39.34.118): icmp_seq=3 ttl=54 time=8.10 ms
64 bytes from a23-39-34-118.deploy.static.akamaitechnologies.com (23.39.34.118): icmp_seq=4 ttl=54 time=8.08 ms
^C
--- e17340.dscd.akamaiedge.net ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3002ms
rtt min/avg/max/mdev = 8.089/8.346/9.098/0.434 ms
[Expert@M-INT-FW102:0]#
 
[Expert@myfw]# nslookup cnn.com
Server:         216.118.176.16
Address:        216.118.176.16#53
 
Non-authoritative answer:
Name:   cnn.com
Address: 151.101.131.5
Name:   cnn.com
Address: 151.101.3.5
Name:   cnn.com
Address: 151.101.67.5
Name:   cnn.com
Address: 151.101.195.5
 
[Expert@myfw]# 
 
 
[Expert@myfw]#  nslookup cnn.com
Server:         216.118.176.16
Address:        216.118.176.16#53
 
Non-authoritative answer:
Name:   cnn.com
Address: 151.101.3.5
Name:   cnn.com
Address: 151.101.67.5
Name:   cnn.com
Address: 151.101.195.5
Name:   cnn.com
Address: 151.101.131.5
 
[Expert@myfw]# 
 
Change CHG0126843 is scheduled for this time period.
 
Working with Check Point on [Expert@myfw]# – cannot reach Threat Cloud for updates – similar internet issue as the DNS lookup

  •  Description:
  •  Add Kernel Parameter to: [Expert@myfw]#, [Expert@myfw]#
  •  fw ctl set int fwha_cluster_hide_active_only 0 <enter>
  •  No production impact
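The change above is applied with `fw ctl set int`, which only alters the running kernel: the value is lost at the next reboot, and the standby member's DNS and Threat Cloud reachability would silently regress. Check Point reads persistent kernel parameters at boot from $FWDIR/boot/modules/fwkern.conf, one NAME=VALUE line per parameter, and the parameter has to be set on every cluster member. The shell example below is added here and is not part of the original post or Check Point's own tooling; it persists the parameter idempotently and flags the "runtime-only" state by comparing the on-disk value with a line in the format `fw ctl get int NAME` prints. The function names and the sample runtime line are constructed for the demonstration, and the demo runs against a temporary file so it works off-box.

```shell
#!/bin/sh
# Added example (not from the original post): persist a Check Point kernel
# parameter so a runtime "fw ctl set int" change survives a reboot.
# Persistent parameters live in $FWDIR/boot/modules/fwkern.conf, one
# NAME=VALUE per line. Function names here are constructed for this example.

# ensure_kernel_param NAME VALUE [CONF_FILE]
# Adds NAME=VALUE to CONF_FILE, or rewrites the existing line, leaving all
# other lines untouched. Safe to run repeatedly (never duplicates a line).
ensure_kernel_param() {
    name=$1
    value=$2
    conf=${3:-"$FWDIR/boot/modules/fwkern.conf"}
    [ -f "$conf" ] || : > "$conf"
    if grep -q "^${name}=" "$conf"; then
        tmp=$(mktemp)
        sed "s/^${name}=.*/${name}=${value}/" "$conf" > "$tmp" && cat "$tmp" > "$conf"
        rm -f "$tmp"
    else
        printf '%s=%s\n' "$name" "$value" >> "$conf"
    fi
}

# kernel_param_value NAME CONF_FILE
# Prints the persisted value of NAME (empty if absent).
kernel_param_value() {
    sed -n "s/^$1=//p" "$2" | tail -n 1
}

# runtime_param_value "NAME = VALUE"
# Extracts VALUE from a line in the format "fw ctl get int NAME" prints.
runtime_param_value() {
    printf '%s\n' "$1" | sed -n 's/^[^=]*= *//p'
}

# check_param_persisted NAME RUNTIME_LINE CONF_FILE
# Prints "persisted" and returns 0 when the running value is also on disk;
# otherwise prints "runtime-only" (the fix will vanish at the next reboot)
# and returns 1.
check_param_persisted() {
    name=$1
    running=$(runtime_param_value "$2")
    persisted=$(kernel_param_value "$name" "$3")
    if [ -n "$running" ] && [ "$running" = "$persisted" ]; then
        echo persisted
        return 0
    fi
    echo runtime-only
    return 1
}

# Demonstration on a temporary file so this runs off-box; on a gateway drop
# the third argument to operate on the real fwkern.conf.
demo_conf=$(mktemp)
printf '# constructed sample fwkern.conf\n' > "$demo_conf"
# Constructed output of: fw ctl get int fwha_cluster_hide_active_only
runtime_line='fwha_cluster_hide_active_only = 0'
check_param_persisted fwha_cluster_hide_active_only "$runtime_line" "$demo_conf" || true
ensure_kernel_param fwha_cluster_hide_active_only 0 "$demo_conf"
check_param_persisted fwha_cluster_hide_active_only "$runtime_line" "$demo_conf"
cat "$demo_conf"
rm -f "$demo_conf"
```

On a gateway the runtime line would come from `fw ctl get int fwha_cluster_hide_active_only`; run the check on both members after the change window, since a value that is only live on one member reappears as an asymmetric cluster after a failover or reboot.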