Troubleshooting Firewall Management Problems
Client - [Management] - [Firewall Enforcement]
Management Server: 3 Important Database Files
- $FWDIR/conf/objects_5_0.C (objects: network, host, firewall objects)
- $FWDIR/conf/fwauth.NDB (users, administrators). If fwauth.NDB gets corrupted, delete it and stop and start the firewall; it will automatically be recreated from the fwauthsav.NDB backup.
- $FWDIR/conf/rulebase_5_0.fws (rules, NAT); rulebase_5_0.fws.backup is its backup
GuiDBEdit - edit the database
CPMI
Client SmartDashboard <== CPMI protocol==> FWM (Process) Database (user/objects/rulebase)
SmartView Tracker
SmartView Monitor
Database Editing
1. SmartDashboard
2. vi (limited; requires experience)
3. GuiDBedit (hidden tool in the GUI client install; SmartDashboard must be closed)
4. dbedit (command line, advanced tool; SmartDashboard must be closed)
Database structure: [Table => Object => Field Name]
Management Roles
- Policy configuration - rules, objects
- Status monitoring - status, CPU/memory
- Certificate Authority - ICA (internal certificate authority: certificates for SSL VPN etc., SIC)
- Log Server - logs of users/resources
Firewall Management Primary Role
- Policy Configuration
- Policy Push
Certificate Authority
- ICA
- VPN
- SIC
Log Server
- Logs
- Alerts
Status Monitoring
- Monitoring (CPU/Mem)
- Status (IPS/Clustering/SecureXL)
- Performance (graphs/metrics: top service/destination etc.)
Main Processes
- fwm (listens on 18190) - firewall management: serves the different GUI clients, manages the databases, collects status, compiles policy
- fwd (listens on 257) - firewall daemon: receives logs (fw.log) from the firewall enforcement points
- cpd - Check Point daemon: builds the secure channel (SIC establishment), loads policy, collects status
- cpca (listens on 18264/18265) - Check Point Certificate Authority: child daemon of the fwd process, ICA management tool
- cpwd - Check Point watchdog: monitors all other firewall processes (FWM, FWD, CPD, CPCA etc.)
# cpwd_admin list (lists the processes monitored by the Check Point watchdog)
Key:
APP - application name
Status - E (executing), T (terminating)
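As an added example (not part of these notes), a small shell check that reads `cpwd_admin list` output and flags any watched process that is not in the E (executing) state or that the watchdog has had to start more than once. The column layout (APP PID STAT #START START_TIME MON COMMAND) is assumed from typical output, and the sample output below is constructed, not captured from a real system.

```bash
#!/bin/sh
# Constructed sample of `cpwd_admin list` output for offline use.
# On a live management server replace with: CPWD_OUTPUT="$(cpwd_admin list)"
CPWD_OUTPUT='APP        PID    STAT  #START  START_TIME             MON  COMMAND
CPD        4461   E     1       [10:27:42] 16/9/2014   Y    cpd
FWM        7030   E     3       [10:31:05] 16/9/2014   Y    fwm
FWD        4470   T     1       [10:27:45] 16/9/2014   Y    fwd
CPCA       4512   E     1       [10:27:50] 16/9/2014   N    cpca'

# check_cpwd <cpwd_admin list output>
# Prints one line per process needing attention ("<APP> <reason>").
# Returns 0 when every process is executing and was started only once, 1 otherwise.
check_cpwd() {
    printf '%s\n' "$1" | awk -v max_starts=1 '
        NR == 1 { next }                                   # skip the header row
        $3 != "E"               { print $1, "state=" $3;    bad = 1 }
        $4 + 0 > max_starts + 0 { print $1, "restarts=" $4; bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# flagged_apps <cpwd_admin list output>
# Space-separated, sorted, de-duplicated names of the flagged processes.
flagged_apps() {
    check_cpwd "$1" | awk '{ print $1 }' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

check_cpwd "$CPWD_OUTPUT" || echo "one or more watched processes need attention"
```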
CPMI (Check Point Management Interface) listens on 18190
FWM Debug
Management Station CPD <== SIC (SSL session, certificate-based) ==> CPD on the Firewall Enforcement point
CPD passes the information to FWD on the enforcement point, which loads it into the kernel
The firewall listens on port 18211 for management-to-firewall SIC
CPD - 18192 - CPU/memory status
AMON - Application Monitor
https://www.youtube.com/watch?v=zOG7Empolyg
Understanding Check Point Management Station Part 1
Understanding Check Point Management Station Part 2
Troubleshooting Firewall Management Problems
Installation failure on the management server occurs in the verification or compilation stage of the installation. To troubleshoot this failure, follow these steps:
1. Install the policy from the CLI:
   fwm -d load $FWDIR/conf/PolicyName.W <target>
2. Install the policy from SmartDashboard:
   a. Clean the old log files:
      cd $FWDIR/log
      rm fwm.elg
      echo ' ' > fwm.elg
   b. Enable the fwm debug:
      fw debug fwm on TDERROR_ALL_ALL=5
      fw debug fwm on OPSEC_DEBUG_LEVEL=9
   c. Replicate the problem by installing the policy from the Dashboard GUI.
   d. Stop the fwm debug on the management server:
      fw debug fwm off TDERROR_ALL_ALL=1
      fw debug fwm off OPSEC_DEBUG_LEVEL=1
Debug output is stored in fwm.elg, located under $FWDIR/log.
A policy installation failure could be the result of SIC, misconfigured rules, GUI client connectivity problems, improperly entered information, or an expired license. Evaluate the output file fwm.elg to determine which of these may have caused the failure.
Lab: Troubleshoot SIC - Policy Installation Failure
From A-SMS (FW Management Server):
1. cpca_client lscert (use this command to validate the certificate)
2. fw debug fwm on
3. From the client GUI Dashboard, attempt to re-establish SIC
4. From A-SMS: fw debug fwm off
5. Review the debug log output: less $FWDIR/log/fwm.elg
6. Use WinSCP to transfer the fwm.elg file and view it in a text editor to identify the source of the problem from the debug file
Lab: Troubleshoot Misconfigured Rules - Policy Installation Failure
From A-SMS (FW Management Server):
1. In Expert mode:
   cd $FWDIR/log
   echo > fwm.elg
   fw debug fwm on
2. fw debug fwm on TDERROR_ALL_ALL
   fwm -d load $FWDIR/conf/standard.W A-GW
   Note: you will see the output on the screen and in fwm.elg. You can see additional info if you use TDERROR_ALL_ALL=5.
3. Stop the debugs:
   fw debug fwm off
   unset TDERROR_ALL_ALL
4. View fwm.elg: less $FWDIR/log/fwm.elg
Lab: Troubleshoot GUI Client Connectivity Problem
Look at the $FWDIR/conf/gui-clients file (less $FWDIR/conf/gui-clients) for the allowed IP addresses.
From A-SMS (FW Management Server):
1. Run cpconfig
2. At the prompt type 3 and Enter
3. Type Y and Enter, then type D and Enter (delete your IP to test the failure)
4. Enter 10.20.59.250 (your IP address)
5. Exit cpconfig: option 9, Enter
6. From the command prompt type: fw debug fwm on TDERROR_ALL_ALL=5
7. From your client 10.20.59.250, launch the Dashboard GUI
8. From the FWM, stop the debug and view the log entries for the GUI client IP:
   fw debug fwm off
   grep 10.20.59.250 $FWDIR/log/fwm.elg | less
How to uninstall and install another policy on a firewall
ISSUE
There may be a time when you install the wrong policy onto a Check Point firewall. This can block your connections and screw up which traffic is allowed through the firewall.
RESOLUTION
These steps will show you how to remove and reinstall the correct policy via the CLI on the manager (SCS).
1. First of all we look at the policy history, so we can find out the name of the policy we need to reinstall.
fw stat -l [firewall ip]
2. Next we remove the security policy from the firewall.
fwm unload [fwname]
3. Finally we install the correct policy back onto the firewall.
Note: note how we add the .W to the policy name, as it has yet to be compiled into a .CF file (which is what is installed onto the firewall/gateway).
[PolicyName].W is the uncompiled policy
[PolicyName].CF is the compiled policy
fwm load [PolicyName].W [fwname]
fwm load RuleBaseName.W TargetGatewayName
[Expert@MYFWM01]# fwm load Standard samplegw
Installing policy on R77 compatible targets:
Standard.W: Security Policy Script generated into CustomerPolicy.pf
Standard:
Compiled OK.
Installing Security Gateway policy on: examplegw ...
Security Gateway policy installed successfully on examplegw...
Security Gateway policy installation complete
Security Gateway policy installation succeeded for: examplegw
Installation failed; reason - load on module failed, failed to load security policy
Recently I tried a policy installation on a Security Gateway appliance which failed with the message: "Installation failed; reason - load on module failed, failed to load security policy".
From my experience I know that a cpstop ; cpstart normally solves this problem.
But since I was dealing with a remote site gateway which also was a stand-alone installation, issuing cpstop was no option since it would interrupt the service.
So I utilized the cpwd_admin command for stopping and restarting FWM and CPD.
cpwd_admin stop -name FWM -path "$FWDIR/bin/fw" -command "fw kill fwm"
cpwd_admin start -name FWM -path "$FWDIR/bin/fwm" -command "fwm"
cpwd_admin stop -name CPD -path "$CPDIR/bin/cpd_admin" -command "cpd_admin stop"
cpwd_admin start -name CPD -path "$CPDIR/bin/cpd" -command "cpd"
Then I checked the status of all my services with cpwd_admin list.
All services were up and I tried policy installation again, which worked as expected.
I was able to solve the issue using the following steps I stumbled on while surfing the net:
1. tellpm process:monitord
2. ps aux | grep cpd
3. kill -15
4. tellpm process:monitord t
5. cpwd_admin start -name CPD -path "$CPDIR/bin/cpd" -command "cpd"
Here is the expected output:
[Expert@CP-DMZ:0]# tellpm process:monitord
[Expert@CP-DMZ:0]#
Message from syslogd@ at Tue Sep 16 10:27:42 2014 ...
CP-M-DMZ monitord[4129]: monitord got killed
[Expert@CP-DMZ:0]#
[Expert@CP-DMZ:0]# ps aux | grep cpd
admin 4461 0.0 0.3 212412 3196 ? Dsl Aug06 42:47 cpd
admin 6905 0.0 0.0 1816 492 pts/2 S+ 10:27 0:00 grep cpd
[Expert@CP-DMZ:0]# kill -15 4461
[Expert@CP-DMZ:0]#
[Expert@CP-DMZ:0]# tellpm process:monitord t
[Expert@CP-DMZ:0]#
[Expert@CP-DMZ:0]# cpwd_admin start -name CPD -path "$CPDIR/bin/cpd" -command "cpd"
cpwd_admin: Process CPD started successfully (pid=7030)
[Expert@CP-DMZ:0]#
So the problem was solved without service interruption.
List of Check Point Firewall Ports
Common list of ports that you will need to open on a typical Check Point firewall. Note: don't open all of the ports in this list; instead, use it as a reference for your Check Point firewall configuration.
PORT | TYPE | SERVICE DESCRIPTION |
---|---|---|
21 | TCP | ftp File transfer Protocol (control) |
21 | UDP | ftp File transfer Protocol (control) |
22 | Both | ssh SSH remote login |
25 | Both | SMTP Simple Mail Transfer Protocol |
50 | IP protocol | Encryption IP protocols: esp - IPSEC Encapsulation Security Payload |
51 | IP protocol | Encryption IP protocols: ah - IPSEC Authentication Header Protocol |
53 | Both | Domain Name Server |
69 | Both | TFTP Trivial File Transfer Protocol |
94 | TCP | Encryption IP protocols fwz_encapsulation (FW1_Encapsulation) |
137 | Both | Netbios-ns NETBIOS Name Service |
138 | Both | netbios-dgm NETBIOS Datagram |
139 | Both | netbios-ssn NETBIOS Session |
256 | TCP | FW1 (fwd) policy install port FWD_SVC_PORT |
257 | TCP | FW1_log FW1_log FWD_LOG_PORT |
258 | TCP | FW1_mgmt FWM_SSVVC_PORT |
259 | TCP | FW1_clientauth_telnet |
259 | UDP | RDP Reliable Datagram Protocol |
260 | TCP | sync |
260 | UDP | FW1_snmp FWD_SNMP_PORT |
261 | TCP | FW1_snauth Session Authentication Daemon |
262 | TCP | MDQ – mail dequer |
263 | TCP | dbs |
264 | TCP | FW1_topop Check Point SecureClient Topology Requests |
265 | TCP | FW1_key Check Point VPN-1 Public key transfer protocol |
389 | Both | LDAP Secure Client connecting to LDAP without SSL |
443 | | SNX VPN can use 443 too |
444 | TCP | SNX VPN SNX VPN tunnel in connectra only |
500 | UDP | IPSEC IKE Protocol (formerly ISAKMP/Oakley) |
500 | TCP | IKE over TCP |
500 | UDP | ISAKMPD_SPORT & ISAKMPD_DPORT |
514 | UDP | Syslog Syslog |
636 | | LDAP Secure Client connecting to LDAP with SSL |
900 | TCP | FW1_clntauth_http Client Authentication Daemon |
981 | | Management HTTPS on the Edge |
1247 | | |
1494 | TCP | Winframe Citrix |
1645 | TCP | Radius |
1719 | UDP | VOIP |
1720 | TCP | VOIP |
2040 | TCP | MIP meta Ip admin server |
2746 | UDP | UDP encapsulation for SR VPN1_IPSEC_encapsulation VPN1_IPSEC encapsulation |
2746 | TCP | CPUDPENCap |
4000 | | Policy Server Port (Redmond) |
4433 | TCP | Connectra Admin HTTPS Connectra admin port |
4500 | UDP | NAT-T NAT Traversal |
4532 | TCP | SNDAEMON_PORT sn_auth_trap: sn_auth daemon Sec.Serv comm, |
5001 | TCP | Meta IP Web Connection, MIP |
5002 | TCP | Meta IP DHCP Failover |
5004 | TCP | Meta IP UAM |
5005 | TCP | Meta IP SMC |
6969 | UDP | KP_PORT KeyProt |
8116 | UDP | Check Point HA SyncMode= CPHAP (new sync mode) |
8116 | UDP | Connection table synchronization between firewalls |
8989 | TCP | CPIS Messaging MSG_DEFAULT_PORT |
8998 | TCP | MDS_SERVER_PORT |
9000 | | Command Line Port for Secure Client |
10001 | TCP | Default CPRSM listener port for coms with RealSecure Console |
18181 | TCP | FW1_cvp Check Point OPSEC Content Vectoring Protocol |
18182 | TCP | FW1_ufp Check Point OPSEC URL Filtering Protocol |
18183 | TCP | FW1_sam Check Point OPSEC Suspicious Activity monitoring Proto (SAM API) |
18184 | TCP | FW1_lea Check Point OPSEC Log Export API |
18185 | TCP | FW1_omi Check Point OPSEC Objects Management Interface |
18186 | TCP | FW1_omi-sic Check Point OPSEC Objects management Interface with Secure Internal Communication |
18187 | TCP | FW1_ela Check Point OPSEC Event Logging API |
18190 | TCP | CPMI Check Point Management Interface |
18191 | TCP | CPD Check Point Daemon Proto NG |
18192 | TCP | CPD_amon Check Point Internal Application Monitoring NG |
18193 | TCP | FW1_amon Check Point OPSEC Application Monitoring NG |
18201 | TCP | FGD_SVC_PORT |
18202 | TCP | CP_rtm Check Point Real time Monitoring |
18203 | TCP | FGD_RTMP_PORT |
18204 | TCP | CE communication |
18205 | TCP | CP_reporting Check Point Reporting Client Protocol |
18207 | TCP | FW1_pslogon Check Point Policy Server logon Protocol |
18208 | TCP | FW1_CPRID (SmartUpdate) Check Point remote Installation Protocol |
18209 | TCP | FWM CA for establishing SIC communication |
18210 | TCP | FW1_ica_pull Check Point Internal CA Pull Certificate Service |
18211 | TCP | FW1_ica_push Check Point Internal CA Push Certificate Service |
18212 | UDP | Connect Control – Load Agent port |
18213 | TCP | cpinp: inp (admin server) |
18214 | TCP | cpsmc: SMC |
18214 | UDP | cpsmc: SMC Connectionless |
18221 | TCP | CP_redundant Check Point Redundant Management Protocol NG |
18231 | TCP | FW1_pslogon_NG Check Point NG Policy Server Logon Protocol |
18231 | TCP | NG listens on this port by default dtps.exe |
18232 | TCP | FW1_sds_logon Check Point SecuRemote Distribution Server Protocol |
18233 | UDP | Check Point SecureClient Verification Keepalive Protocol FW1_scv_keep_alive |
18241 | UDP | e2ecp |
18262 | TCP | CP_Exnet_PK Check Point Public Key Resolution |
18263 | TCP | CP_Exnet_resolve Check Point Extranet remote objects resolution |
18264 | TCP | FW1_ica_services Check Point Internal CA Fetch CRL and User Registration Services |
19190 | TCP | FW1_netso Check Point OPSEC User Authority Simple Protocol |
19191 | TCP | FW1_uaa Check point OPSEC User Authority API |
65524 | | FW1_sds_logon_NG Secure Client Distribution Server Protocol (VC and Higher) |
Check Point General Common Ports
PORT | TYPE | SERVICE DESCRIPTION |
---|---|---|
257 | tcp | FireWall-1 log transfer |
18208 | tcp | CPRID (SmartUpdate) |
18190 | tcp | SmartDashboard to SCS |
18191 | tcp | SCS to FW-1 gateway for policy install |
18192 | tcp | SCS monitoring of firewalls (SmartView Status) |
Check Point SIC Ports
PORT | TYPE | SERVICE DESCRIPTION |
---|---|---|
18209 | tcp | NGX Gateways <> ICAs (status, issue, or revoke). |
18210 | tcp | Pulls Certificates from an ICA. |
18211 | tcp | Used by the cpd daemon (on the gateway) to receive Certificates. |
Check Point Authentication Ports
PORT | TYPE | SERVICE DESCRIPTION |
---|---|---|
259 | tcp | Client Authentication (Telnet) |
900 | tcp | Client Authentication (HTTP) |
Tags: Check Point, Firewall, ports