Wednesday, January 20, 2016

Engineering Notebook -

DISCLAIMER: This is my private professional blog as a Certified Checkpoint Master Architect (CCMA), my engineering notebook with raw notes on supporting a Checkpoint R81.20 environment. All IP addresses and names are fictitious. I've been working with Checkpoint products for more than 30 years. Everything expressed in this blog is my very own opinion and does not express any official opinion of Checkpoint. I've had fun working with these products for the last three decades and hopefully will continue to do so in the future. I'll NOT reveal any information given to me under NDA or given to me in private by Check Point employees. I'll not reveal any internal documentation or training documents. For resolution of your technical issues related to Checkpoint products and systems, always follow standard support procedures.

I hope this blog serves you well. May God bless you, keep you safe and bring you peace! JaiSaiRam


Checkpoint Gaia R81.20 with Software Blades

Firewall
IPSec VPN
Mobile Access
IPS
Anti Bot
Anti Virus
Anti Spam/Email Security
Identity Awareness
Firewall Security Book
Application Control
Application URL Filtering
QOS - rate limiting
Data Loss Prevention DLP
Threat Emulation
ClusterXL
Monitoring
SandBlast - Threat Emulation

Checkpoint Stateful Inspection, Patent No. 5,606,668. So who invented Checkpoint's Stateful Inspection, Nir Zuk or Gil Shwed? Inventor: Gil Shwed, Jerusalem, Israel.

How to - Configuration

Checkpoint Commands

How to revert back to factory default
    set fcd revert Gaia_R77.30
How to load configuration from a file
    load configuration config
How to add a static route
    set static-route 10.0.0.0/8 nexthop gateway address 10.15.29.13 on
How to set the management interface
    set management interface eth3-04
How to set the hostname
    set hostname myvpn-fwa
How to set the domain name
    set domainname mydomain.com
How to set DNS
    set dns suffix mydomain.com
    set dns primary 216.188.176.160
    set dns secondary 100.250.210.160
How to set NTP
    set ntp active on
    set ntp server primary 216.188.176.160 version 1
    set ntp server secondary 100.250.210.16 version 1
How to turn on an interface
    set interface eth3-01 state on
    set interface eth3-01 auto-negotiation on
    set interface eth3-01 mtu 1500
    set interface eth3-01 ipv4-address 16.11.190.78 mask-length 25
    set interface eth3-01 comments "internet"
How to shut down an interface
    set interface eth3-02 state off
How to set the default route
    set static-route default nexthop gateway address 16.11.19.2 on
How to turn off a default route
    set static-route default nexthop gateway address 192.168.1.254 off
How to add a static route
    set static-route 148.91.83.0/24 nexthop gateway address 10.150.249.113 on
How to configure OSPF
    set ospf area backbone off
    set ospf area 25.10.10.3 on
    set ospf interface eth1-01 area 25.10.10.3 on
    set ospf interface eth1-01 cost 1
    set ospf interface eth1-01 priority 0
How to add a user
    add user scp uid 0 homedir /home/scp
    set user scp gid 100 shell /bin/bash
    set user scp password-hash $1$iAGC7iEO$PtD4i6lb)7/KpeJ8iSfdGE1
How to print static routes
    netstat -nr | grep -v D
    netstat -rn | grep eth1 | awk -F' ' '{print $1, $2, $3}' | sort > routes.txt
    netstat -rn | grep eth1 | awk -F' ' '{print $1, $2, $3}' | sort | wc -l
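The netstat lines above pull out and count the routes bound to an interface. As an added shell example (not from the notebook and not Check Point's tooling), the same idea is run over two constructed netstat -rn captures standing in for two ClusterXL members, so a route present on one member but missing on the other shows up before a failover exposes it. It goes a little beyond the one-liners: it matches on the Iface column only (a plain grep eth1 also hits any address that happens to contain that text), and it accepts an interface prefix such as eth1 so that eth1-01 and eth1-02 are both counted. Hostnames, addresses and routes in the samples are made up.

```shell
#!/bin/sh
# Added example: compare the routes that leave via an interface on two
# ClusterXL members. The two netstat -rn captures below are constructed
# sample data (addresses and routes are made up).

MEMBER_A='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         16.11.19.2      0.0.0.0         UG        0 0          0 eth3-01
10.0.0.0        10.15.29.13     255.0.0.0       UG        0 0          0 eth1-01
148.91.83.0     10.150.249.113  255.255.255.0   UG        0 0          0 eth1-01
192.168.5.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1-02'

# Member B is missing the 148.91.83.0/24 route on purpose.
MEMBER_B='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         16.11.19.2      0.0.0.0         UG        0 0          0 eth3-01
10.0.0.0        10.15.29.13     255.0.0.0       UG        0 0          0 eth1-01
192.168.5.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1-02'

# routes_for IFACE   (stdin: netstat -rn output)
# Prints "destination gateway genmask" for every route whose Iface column
# starts with IFACE, sorted. Matching on the last column only avoids the
# false hits a plain "grep eth1" gives when an address contains that text.
routes_for() {
    awk -v ifc="$1" 'index($NF, ifc) == 1 { print $1, $2, $3 }' | sort
}

# count_routes IFACE OUTPUT  ->  number of matching routes
count_routes() {
    printf '%s\n' "$2" | routes_for "$1" | wc -l | tr -d ' '
}

# missing_on_b IFACE OUTPUT_A OUTPUT_B
# Prints the routes member A has on IFACE that member B does not.
# Each route is tagged with its member, and only routes tagged "A" alone
# (never seen on B) are reported.
missing_on_b() {
    {
        printf '%s\n' "$2" | routes_for "$1" | sed 's/^/A /'
        printf '%s\n' "$3" | routes_for "$1" | sed 's/^/B /'
    } | awk '{ key = $2 " " $3 " " $4; seen[key] = seen[key] $1 }
             END { for (k in seen) if (seen[k] == "A") print k }' | sort
}

echo "eth1 routes on A: $(count_routes eth1 "$MEMBER_A")"
echo "eth1 routes on B: $(count_routes eth1 "$MEMBER_B")"
echo "on A but not on B:"
missing_on_b eth1 "$MEMBER_A" "$MEMBER_B"
```

On real members, capture netstat -rn from each expert shell into a variable or file and feed those in place of the constructed samples; run it in both directions so routes present only on B are reported as well.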


Unload the local firewall policy
    fw unloadlocal



The ace directory (/var/ace) is created when the VPN firewall is first pushed.

sdconf.rec - seed file from RSA for testvpn-fwb
sdopts.rec - contains the gateway IP address presented to RSA: CLIENT_IP=100.105.249.61
sdstatus.12 - created automatically when the gateway first contacts RSA for authentication




[Expert@mytestvpn-fwb:0]# cd /var/ace
[Expert@mytestvpn-fwb:0]# ls -lt
total 12
-rw-rw-r-- 1 admin root 2418 Mar 10 23:22 sdstatus.12
-rw-r----- 1 admin root   22 Mar 10 22:07 sdopts.rec
-rw-r----- 1 admin root 2757 Mar  8 13:58 sdconf.rec
[Expert@mytestvpn-fwb:0]# cat sdopts.rec
CLIENT_IP=10.15.249.61
[Expert@mytestvpn-fwb:0]#


[Expert@mytestvpn-fwb:0]# cat sdopts.rec
CLIENT_IP=100.105.249.61
[Expert@mytestvpn-fwb:0]#





Update the default settings in trac_client_1.ttm on both cluster members:

:client_decide (client_decide)  to  :client_decide (false)
:default (true)  to  :default (false)


mytestvpn-fwa:#
mytestvpn-fwa:# cd /var/opt/CPsuite-R77/fw1/conf
more trac_client_1.ttm

mytestvpn-fw

                :automatic_mep_topology (
                        :gateway (
                                :map (
                                        :false (false)
                                        :true (true)
                                        :client_decide (client_decide)
                                )
                                :default (true)



bostestvpn-fw

                :automatic_mep_topology (
                        :gateway (
                                :map (
                                        :false (false)
                                        :true (true)
                                        :client_decide (false)
                                )
                                :default (false)
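To confirm that the change above actually landed on both cluster members, here is an added shell example (not the notebook's own procedure and not Check Point code) that reads a trac_client_1.ttm and reports the :client_decide and :default values found inside the :automatic_mep_topology section. The two embedded samples are constructed from the excerpts above, with the closing parentheses filled in so each is a complete section; nesting depth is tracked by counting parentheses so :default entries belonging to other sections of a full file are ignored.

```shell
#!/bin/sh
# Added example: read the automatic_mep_topology section of a
# trac_client_1.ttm and report its :client_decide and :default values.
# The two samples below are constructed from the excerpts in the notes,
# with closing parentheses added so they parse as complete sections.

TTM_DEFAULT=':automatic_mep_topology (
        :gateway (
                :map (
                        :false (false)
                        :true (true)
                        :client_decide (client_decide)
                )
                :default (true)
        )
)'

TTM_UPDATED=':automatic_mep_topology (
        :gateway (
                :map (
                        :false (false)
                        :true (true)
                        :client_decide (false)
                )
                :default (false)
        )
)'

# mep_settings   (stdin: contents of trac_client_1.ttm)
# Prints "client_decide=<value> default=<value>" taken only from inside
# the :automatic_mep_topology section. Depth is tracked by counting
# parentheses so the section's end is detected and other sections' keys
# are not picked up.
mep_settings() {
    awk '
        /:automatic_mep_topology *\(/ { inside = 1; depth = 0 }
        inside {
            if ($1 == ":client_decide") cd = $2
            if ($1 == ":default")       df = $2
            depth += gsub(/\(/, "(")
            depth -= gsub(/\)/, ")")
            if (depth <= 0) inside = 0
        }
        END {
            gsub(/[()]/, "", cd); gsub(/[()]/, "", df)
            print "client_decide=" cd " default=" df
        }'
}

# mep_updated   (stdin: file contents)
# Succeeds only when both values are the ones the notes set on each member.
mep_updated() {
    [ "$(mep_settings)" = "client_decide=false default=false" ]
}

echo "default sample: $(printf '%s\n' "$TTM_DEFAULT" | mep_settings)"
echo "updated sample: $(printf '%s\n' "$TTM_UPDATED" | mep_settings)"
if printf '%s\n' "$TTM_UPDATED" | mep_updated; then
    echo "updated sample passes the check"
fi
```

On a gateway, feed the real file from the conf directory shown above (mep_settings < trac_client_1.ttm) on each member and compare the two lines; a member still reporting client_decide=client_decide default=true has not been updated.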

License Seats

[Expert@MY-VPN]# grep --binary-files=text sc_users $FWDIR/database/fwauth.NDB
        :sc_users (25500)
[Expert@MY-VPN]#