Sunday, November 17, 2024

Vintage - Lab

 

My old Lab - Back in the Day .. 


















Friday, October 18, 2024

Palo Alto Architecting

 Strat Cloud Manager ( => move away from Panorama 

Prisma Access (Global Protect)
Commits

General Protection

  • Zone Protection profiles on all interfaces
  • Migrate to Application-based rules
  • Shared rules .. eg.  geoblocks, bad apps, cleanup
  • Criticality threshold, medium severity is common
  • Zero trust
  • External Dynamic List


Remote User /On-Prem Protection

  • Threat Protection
  • URL Filtering
  • SSL Forward Proxy (SSLD)
  • Global Protect VPN W/Full Tunnel & HIPs
  • User-ID
  • Data Redistribution

Responsiveness
  • Directional Clean up rulesHA configured locally, not in panorama
  • Link and path monitoring for hardare 
  • Baseline or referenece device group
  • use tags
  • Self-documentation configuration
  • Security profile group for different use case
  • Device group tiers and shared templates
Resilience
  • Automate update installation, config backups
  • Separate virtual router for secondary ISP
  • Use path monitoring (not PBF) for route failover
  • HA configured locally, not in Panorama
  • Link and path monitoring for Hardware failover
  • Use monitor profiles for all IPSec tunnels

Palo Alto
Prisma  Access - Associate Tenant
Prisma Access - Mobile Developer Tenant
Panorama Gateways

Sunday, September 8, 2024

Sunday, August 25, 2024

Route

 netstat -rn | wc -l


34" MDF
11" Cut to accomidate 12" Speakers
All Joints are glued for sealed
Terminal Caps   
Rectangular Slotted port 1 15/16" Tall,  12 1/8" Wide and 13" Deep  (approx 1.5 Cubic Feet Volume)
Decrease the width lower the base frequency



Key Features
1.5 ft³ cabinet
Slotted port design
3/4" MDF construction
All joints glued and caulked
Black carpet covering


buffer flow 
x site scripting
sql injection 

Wednesday, July 10, 2024

Building a Checkpoint Firewall Cluster (Checklist)

 

Checklist to Build Cluster
1. Checkpoint Version R81.20
2. Checkpoint JumboHotFix JHF65 (or latest Checkpoint GA)
3. Hostname
4. DNS/NTP
5. Routes /Static/OSPF/Default Route/Route distribution
6. Add to Infoblox or your DNS server 
7. Interface Speed/Duplex
8. Integration with Cisco tacacs or Authentication Server
9. RSA Seed files if integration is needed for VPN
10. Serial Connection to Term Server
11. Monitoring
a. Add to SolarWinds
b. Add to Indeni 
12. Configure Firewall backup on Indeni  
13. Add to Firewall Management Servers
14. Apply Checkpoint License
15. Verify 
a. Logs on Logger
b. Policy is applied with software blades IPS/Identity Awareness
16. Configure Out-of-band LOM 



Special Configurations
1. Fix CP provided for the talk path issue 
/opt/CPsuite-R81.20/fw1/boot/modules/
Vi fwkern.conf
fwmultik_dispatcher_in_tap_mode=1

2. The core 0 CPU fix 
/opt/CPsuite-R81.20/fw1/boot/modules/
Vi fwkern.conf
fwmultik_sync_processing_enabled=0


Ref: https://support.checkpoint.com/results/sk/sk165853



a.


Tuesday, June 18, 2024

OSPF Configuration

 set ospf 


set router-id 100.14.25.12


set ospf area 5 on
set ospf interface eth1-01 area 5 on
set ospf interface eth1-01 cost 1
set ospf interface eth1-01 priority 0
set ospf interface eth1-01 authtype md5 key 1 secret already_scrambled_FFBm4JO9gDBWc=_00000000000000000000000000000000000000000000000000

set ospf interface eth1-04 area 5 on
set ospf interface eth1-04 priority 0
set ospf interface eth1-04 passive on
set ospf area backbone off

Wednesday, April 10, 2024

Troubleshooting Firewalls

 

[Expert@myfw101:0]# ip route get 216.18.76.16
216.18.76.16 via 10.114.255.11 dev eth1-01 src 10.113.255.14 
[Expert@myfw101:0]#


fw ctl zdebug + drop | grep 216.18.76.16

@;20508118;[vs_0];[tid_30];[fw4_30];fw_log_drop_ex: Packet proto=17 216.18.76.16:53 -> 10.113.255.14:39926 dropped by fw_send_log_drop Reason: Rulebase drop - on layer "fw-cluster Security" rule 19;


DNS Not active on Standby Cluster Member

fwha_forw_packet_to_not_active=1

Heres the SK in case you need it: 

https://support.checkpoint.com/results/sk/sk43807



enabled_blades
fw stat 
cpinfo -y all


In addition, if you would please upload a cpinfo from your gateway, as well as uploading a HCP report, this will help us to look for known issues in your environment
cpinfo -s 6-0003824777
hcp -r all --include-wts yes



Standby
nslookup google.com 
tcpdump -nni any host 216.18.76.16

Active 
tcpdump -nni any host 216.18.76.16 and host 10.14.55.14

set dns mode default
set dns suffix bcbsma.com
set dns primary 216.118.176.16
set dns secondary 10.115.1.11
set dns tertiary 10.23.210.23
[Expert@myfw101:0]#


142.250.65.238
tcpdump -nni any host 216.118.176.16 and host 10.114.255.14 | grep -i 'google'
fw monitor -F "10.114.255.14,0,216.118.176.16,0,0"
fw monitor -F "10.114.255.14,0,216.118.176.16,0,0" | grep -i 'google'

[Expert@myfw101:0]## cat /var/opt/fw.boot/modules/fwkern.conf
enhanced_ssl_inspection=1
bypass_on_enhanced_ssl_inspection=1
fwmultik_input_queue_len=4096
[Expert@myfw101:0]## 



 hcp -r all


[Expert@myfw101:0]# tcpdump -nni Sync host 216.18.76.16 and host 10.14.255.14 | grep -i 'google'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on Sync, link-type EN10MB (Ethernet), capture size 262144 bytes
15:07:27.015688 IP 10.14.255.14.40175 > 216.18.76.16.53: 8827+ A? google.com. (28)
15:07:34.015911 IP 10.14.255.14.40175 > 216.18.76.16.53: 8827+ A? google.com. (28)
15:07:41.016201 IP 10.14.255.14.40175 > 216.18.76.16.53: 8827+ A? google.com. (28)
^C1648 packets captured
1685 packets received by filter
0 packets dropped by kernel

[Expert@myfw101:0]## 

[Expert@myfw101:0]## fw ctl get int fwha_cluster_hide_active_only
fwha_cluster_hide_active_only = 1
[Expert@myfw101:0]#


[Expert@myfw101:0]# fw ctl get int fwha_cluster_hide_active_only
fwha_cluster_hide_active_only = 1




Sunday, April 7, 2024

Troubleshooting IPS

 

[Expert@myfw]# curl_cli -vk https://te.checkpoint.com/tecloud/Ping
*   Trying 52.21.148.145...
* TCP_NODELAY set
* Connected to te.checkpoint.com (52.21.148.145) port 443 (#0)
* ALPN, offering http/1.1
* *** Current date is: Sat Apr  6 01:23:52 2024
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* err is -1, detail is 2
* *** Current date is: Sat Apr  6 01:23:52 2024
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* err is -1, detail is 2
* *** Current date is: Sat Apr  6 01:23:52 2024
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* err is -1, detail is 2
* *** Current date is: Sat Apr  6 01:23:52 2024
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* servercert: Activated
* servercert: CRL validation was disabled
* Server certificate:
*  subject: CN=*.checkpoint.com
*  start date: Oct 25 18:11:28 2023 GMT
*  expire date: Nov 25 18:11:27 2024 GMT
*  issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign GCC R3 DV TLS CA 2020
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* servercert: Finished
< HTTP/1.1 200 
< Date: Sat, 06 Apr 2024 05:23:52 GMT
< Content-Type: text/plain;charset=ISO-8859-1
< Content-Length: 4
< Connection: keep-alive
< Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
< X-Request-Start: t=1712381032.202
< Set-Cookie: te_cookie=aabd0422269d88cb7d33996ad8cd951b; Path=/; Secure

* Connection #0 to host te.checkpoint.com left intact
Pong
[Expert@myfw]# # cphaprob tablestat 


----   Unique IP's Table  ----

Member          Interface       IP-Address              MAC-Address
-------------------------------------------------------------------------

(Local)
0               3               192.168.110.1            00:1c:ff:46:44:92
0               19              10.114.255.113           00:1c:ff:a3:44:1c
0               22              216.21.183.19            00:1c:ff:a3:44:1f
0               26              172.116.183.2            00:1c:ff:a3:44:4d
0               27              216.21.183.252           00:1c:ff:a3:44:4d

1               3               192.168.110.2            00:1c:ff:46:44:b0
1               19              
10.114.255.114           00:1c:ff:a3:44:a8
1               22              
216.21.183.20            00:1c:ff:a3:44:ab
1               26              172.116.83.3             00:1c:ff:a3:44:51
1               27              216.21.83.253            00:1c:ff:a3:44:51

-------------------------------------------------------------------------

[Expert@myfw]# 



This change was successfully implemented and validated.
 

DNS resolution on Lowell Firewall Standy cluster member -  FIXED
Anti-Bot/Anti-Virus – FIXED
Indeni – Alert – CLEARED
 

 
[Expert@myfw]#  ping updates.checkpoint.com
PING e17340.dscd.akamaiedge.net (23.39.34.118) 56(84) bytes of data.
64 bytes from a23-39-34-118.deploy.static.akamaitechnologies.com (23.39.34.118): icmp_seq=1 ttl=54 time=9.09 ms
64 bytes from a23-39-34-118.deploy.static.akamaitechnologies.com (23.39.34.118): icmp_seq=2 ttl=54 time=8.09 ms
64 bytes from a23-39-34-118.deploy.static.akamaitechnologies.com (23.39.34.118): icmp_seq=3 ttl=54 time=8.10 ms
64 bytes from a23-39-34-118.deploy.static.akamaitechnologies.com (23.39.34.118): icmp_seq=4 ttl=54 time=8.08 ms
^C
--- e17340.dscd.akamaiedge.net ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3002ms
rtt min/avg/max/mdev = 8.089/8.346/9.098/0.434 ms
[Expert@M-INT-FW102:0]#
 
[Expert@myfw]# nslookup cnn.com
Server:         216.118.176.16
Address:        216.118.176.16#53
 
Non-authoritative answer:
Name:   cnn.com
Address: 151.101.131.5
Name:   cnn.com
Address: 151.101.3.5
Name:   cnn.com
Address: 151.101.67.5
Name:   cnn.com
Address: 151.101.195.5
 
[Expert@myfw]# 
 
 
[Expert@myfw]#  nslookup cnn.com
Server:         216.118.176.16
Address:        216.118.176.16#53
 
Non-authoritative answer:
Name:   cnn.com
Address: 151.101.3.5
Name:   cnn.com
Address: 151.101.67.5
Name:   cnn.com
Address: 151.101.195.5
Name:   cnn.com
Address: 151.101.131.5
 
[Expert@myfw]# 
 
 
 
 
 
Change CHG0126843 is scheduled for this time period.
 
 Working with Checkpoint on  - [Expert@myfw]#  – Cannot update reach Threat Cloud – Similar internet issue as DNS lookup

 To view it, please click the link below.
 Link: https://bluecrossma.service-now.com/nav_to.do?uri=change_request.do%3Fsys_id=057fbd22dbe1c2d007fbaa2e139619c8%26sysparm_stack=change_request_list.do%3Fsysparm_query=active=true
  •  Description:
  •  Add Kernel Parameter:  to  [Expert@myfw]#  [Expert@myfw]# 
  • fw ctl set int fwha_cluster_hide_active_only 0 <enter>
  • No production impact


Thursday, February 29, 2024

Tuesday, February 27, 2024

Troubleshooting Traffic across Firewalls

 

First Shell:
tcpdump -penni <external_interface> host <IP> and host <IP> -s0 -w /var/log/TCPExternal.pcap
 
Second Shell:
tcpdump -penni <internal_interface> host <IP> and host <IP>  -s0 -w /var/log/TCPInternal.pcap

Third Shell:
fw monitor -F "0,0,<DST IP>,0,0" -F "<DST IP>,0,0,0,0" -o /var/log/<GW_name>_fw_monitor_bidirectional_traffic.pcap

Fourth Shell:
fw ctl zdebug + drop > traffic_drops.txt

Thursday, January 18, 2024

subnetting on checkpoint

 

https://jodies.de/ipcalc

Address: 192.168.0.1 11000000.10101000.00000000 .00000001

Netmask:   255.255.255.0 = 24    11111111.11111111.11111111 .00000000
Wildcard: 0.0.0.255 00000000.00000000.00000000 .11111111
=> Network: 192.168.0.0/24 11000000.10101000.00000000 .00000000 (Class C)
Broadcast: 192.168.0.255 11000000.10101000.00000000 .11111111
HostMin: 192.168.0.1 11000000.10101000.00000000 .00000001
HostMax: 192.168.0.254 11000000.10101000.00000000 .11111110
Hosts/Net: 254 (Private Internet)


Should you ever forget intricacies of the subnetting Checkpoint bothered not to strip subnetting calculator from their Splat – ipcalc, so use it and litter not your memory with useless info.Given subnet show the 1st Ip (network) :

# ipcalc -n 192.168.34.45/27
NETWORK=192.168.34.32

Given subnet show the last IP (broadcast) :

# ipcalc -b 192.168.34.45/27
BROADCAST=192.168.34.63

Be careful though what you feed as no proof-reading is done by the ipcalc :

# ipcalc -b 192.168.34.45/33
BROADCAST=255.255.255.255

Thursday, January 11, 2024

 
[Expert@myfirewall]# cphaprob -l list

Built-in Devices:

Device Name: Interface Active Check
Current state: OK

Device Name: Recovery Delay
Current state: OK

Device Name: CoreXL Configuration
Current state: OK

Registered Devices:

Device Name: Fullsync
Registration number: 0
Timeout: none
Current state: OK
Time since last report: 1.31105e+06 sec

Device Name: Policy
Registration number: 1
Timeout: none
Current state: OK
Time since last report: 1.31105e+06 sec

Device Name: routed
Registration number: 2
Timeout: none
Current state: OK
Time since last report: 164.8 sec

Device Name: cxld
Registration number: 3
Timeout: 30 sec
Current state: OK
Time since last report: 102116 sec
Process Status: UP

Device Name: fwd
Registration number: 4
Timeout: 30 sec
Current state: OK
Time since last report: 102116 sec
Process Status: UP

Device Name: cphad
Registration number: 5
Timeout: 30 sec
Current state: OK
Time since last report: 4.1131e+06 sec
Process Status: UP

Device Name: VSX
Registration number: 6
Timeout: none
Current state: OK
Time since last report: 4.1131e+06 sec

Device Name: Init
Registration number: 7
Timeout: none
Current state: OK
Time since last report: 4.1131e+06 sec

Device Name: Local Probing
Registration number: 8
Timeout: none
Current state: OK
Time since last report: 185.2 sec

[Expert@myfirewall]# 

Friday, January 5, 2024

Fixes to R81.20

 
FIXES
1. Set grub2 password
myfirewall01> set grub2-password
Enter new grub2 password: 
Enter new grub2 password (again): 
myfirewall01> 


2. Update TRAC File

/var/opt/CPsuite-R81.20/fw/conf/trac_client_1.ttm
make a backup copy of file
      )
                :automatic_mep_topology (
                        :gateway (
                                :map (
                                        :false (false)
                                        :true (true)
                                        :client_decide (false)     [ change from Client_Decide to False]
                                )
                                :default (false)  [ change from True to False]
                        )
                )


3. Fix http2
Description:
Similar change was successfully implemented and tested on the lower region (TestVPN)

1. Disable HTTP2 Header Length on myfirewall01 and myfirewall02
To disable http2:
ckp_regedit -a SOFTWARE\\CheckPoint\\FW1 IGNORE_ALPN_EXTENSION 1
cpstop;cpstart

To enable http2 again:
ckp_regedit -a SOFTWARE\\CheckPoint\\FW1 IGNORE_ALPN_EXTENSION 0
cpstop;cpstart
No production impact, low risk.