Tuesday, July 5, 2016

training1

Day 1
--------
Hardware: Shuttle
Memory : 16 GB
OS Win7  
00371-OEM-8992671-00004
VMWare


Administration

First implied rule
Implicit Rule
Before Last implied rule
Last explicit rule
Implied rule


Stealth Rule

Anti Spoofing
 - Set Anti-spoofing to Detect

Hit Count  - Use UID
Analyze the Rule base
Improve Firewall Performance
Understand behavior of the security Policy

How do you reset Hit Count?
Copy rule – paste above …
The logs can be impacted based on UID
Use Rule Name

Delete file track hit count


Configuring the Hit Count display
A. Value
B. Percentage
C. Level








Dual Stack Network configuration
Service IPv4 and IPv6 fields


Application Intelligence
Integrated into Firewall and IPS
Works with application-layer defenses to detect and prevent attacks



Route Based VPN

4.1
R50 – NG
NG AI - R50 with Feature Pack 4 (NG AI = NG with Application Intelligence)
R55
R60  - NGX
R61
R62
Application Control - instant-messaging product / AppWiki acquired from FaceTime Communications in 2009




Engineering Level

User Mode
All processes at the application layer
Utilize the OS

Kernel Mode
Privileged
Firewall modules are executed here
Faster performance

CPD - SIC function / AMON status pull / Policy installation
FWM - GUI client communication / Database manipulation / Policy compilation / Management HA sync
FWD - Ability to forward logs / Communication with the kernel / Child process that controls security servers


R80
- Multiple admins can work on different policies
- Hit Count - has creation date, activated
R80 is Management only
R80.10 is when the Security Gateway



Chapter 2  Chain Module


Chain Module


The Firewall kernel consists of inbound and outbound chain modules.
Each chain module is independent and redundant;
each executes its own unique inspection.
Inbound and outbound chain modules are security measures used to modify, pass or drop packets.
They are responsible for decryption, encryption, rule matching, and policy verification.

Inspection is performed on virtually defragmented packets.
Each packet passes through a list of chain modules, any of which may modify, pass or drop the packet.


Use the "fw ctl chain" command to see this list of chain modules


[Expert@bostestint-fwa:0]# fw ctl chain
in chain (11):
        0: -7f800000 (ffffffff8882b820) (ffffffff) IP Options Strip (in) (ipopt_strip)
        1: - 1fffff8 (ffffffff8882d050) (00000001) Stateless verifications (in) (asm)
        2: - 1fffff7 (ffffffff8886eb00) (00000001) fw multik misc proto forwarding
        3: - 1000000 (ffffffff88911d10) (00000003) SecureXL conn sync (secxl_sync)
        4:         0 (ffffffff887ceee0) (00000001) fw VM inbound  (fw)
        5:        10 (ffffffff887e3690) (00000001) fw accounting inbound (acct)
        6:  10000000 (ffffffff88910330) (00000003) SecureXL inbound (secxl)
        7:  7f600000 (ffffffff88820bf0) (00000001) fw SCV inbound (scv)
        8:  7f730000 (ffffffff88a35fb0) (00000001) passive streaming (in) (pass_str)
        9:  7f750000 (ffffffff88c53260) (00000001) TCP streaming (in) (cpas)
        10:  7f800000 (ffffffff8882bbe0) (ffffffff) IP Options Restore (in) (ipopt_res)
out chain (10):
        0: -7f800000 (ffffffff8882b820) (ffffffff) IP Options Strip (out) (ipopt_strip)
        1: - 1fffff0 (ffffffff88c534a0) (00000001) TCP streaming (out) (cpas)
        2: - 1ffff50 (ffffffff88a35fb0) (00000001) passive streaming (out) (pass_str)
        3: - 1f00000 (ffffffff8882d050) (00000001) Stateless verifications (out) (asm)
        4: -     1ff (ffffffff88e6eb80) (00000001) NAC Packet Outbound (nac_tag)
        5:         0 (ffffffff887ceee0) (00000001) fw VM outbound (fw)
        6:  10000000 (ffffffff88910330) (00000003) SecureXL outbound (secxl)
        7:  7f000000 (ffffffff887e3690) (00000001) fw accounting outbound (acct)
        8:  7f700000 (ffffffff88c53690) (00000001) TCP streaming post VM (cpas)
        9:  7f800000 (ffffffff8882bbe0) (ffffffff) IP Options Restore (out) (ipopt_res)
[Expert@bostestint-fwa:0]# 



with FW Monitor running 

[Expert@bostestint-fwa:0]# fw ctl chain
in chain (13):
        0: -7f800000 (ffffffff8882b820) (ffffffff) IP Options Strip (in) (ipopt_strip)
        1: -70000000 (ffffffff88804d70) (ffffffff) fwmonitor (i/f side)
        2: - 1fffff8 (ffffffff8882d050) (00000001) Stateless verifications (in) (asm)
        3: - 1fffff7 (ffffffff8886eb00) (00000001) fw multik misc proto forwarding
        4: - 1000000 (ffffffff88911d10) (00000003) SecureXL conn sync (secxl_sync)
        5:         0 (ffffffff887ceee0) (00000001) fw VM inbound  (fw)
        6:        10 (ffffffff887e3690) (00000001) fw accounting inbound (acct)
        7:  10000000 (ffffffff88910330) (00000003) SecureXL inbound (secxl)
        8:  70000000 (ffffffff88804d70) (ffffffff) fwmonitor (IP  side)
        9:  7f600000 (ffffffff88820bf0) (00000001) fw SCV inbound (scv)
        10:  7f730000 (ffffffff88a35fb0) (00000001) passive streaming (in) (pass_str)
        11:  7f750000 (ffffffff88c53260) (00000001) TCP streaming (in) (cpas)
        12:  7f800000 (ffffffff8882bbe0) (ffffffff) IP Options Restore (in) (ipopt_res)
out chain (12):
        0: -7f800000 (ffffffff8882b820) (ffffffff) IP Options Strip (out) (ipopt_strip)
        1: -70000000 (ffffffff88804d70) (ffffffff) fwmonitor (i/f side)
        2: - 1fffff0 (ffffffff88c534a0) (00000001) TCP streaming (out) (cpas)
        3: - 1ffff50 (ffffffff88a35fb0) (00000001) passive streaming (out) (pass_str)
        4: - 1f00000 (ffffffff8882d050) (00000001) Stateless verifications (out) (asm)
        5: -     1ff (ffffffff88e6eb80) (00000001) NAC Packet Outbound (nac_tag)
        6:         0 (ffffffff887ceee0) (00000001) fw VM outbound (fw)
        7:  10000000 (ffffffff88910330) (00000003) SecureXL outbound (secxl)
        8:  70000000 (ffffffff88804d70) (ffffffff) fwmonitor (IP side)
        9:  7f000000 (ffffffff887e3690) (00000001) fw accounting outbound (acct)
        10:  7f700000 (ffffffff88c53690) (00000001) TCP streaming post VM (cpas)
        11:  7f800000 (ffffffff8882bbe0) (ffffffff) IP Options Restore (out) (ipopt_res)
[Expert@bostestint-fwa:0]# 




Inbound 
-------
NIC
Wireside Acct/Virtual Reass    IP Options Strip (in) (ipopt_strip)
VPN Dec
VPN verify
VM/NAT
Accounting 
VPN Policy
FG Policy
IQ Engine 
RTM/E2E
TCP/IP



Outbound 
-------
TCP/IP
Virtual Reass/Wireside Acct 
VM/NAT
VPN Policy
FG Policy
VPN Enc
IQ Engine
Accounting 
RTM/E2E
NIC



fw debug fwm   - view fwm.elg to find issues such as SIC, misconfigured rules, GUI client problems and improper information.







Use the command fw ctl chain to study chain module behavior.  Observe how policy changes impact the chain
Use the command fw debug fwm on and review the file fwm.elg to find such issues as SIC, misconfigured rules, GUI client connectivity problems and improperly entered information.

Studying Chain Module behavior
Inbound and outbound
Independent and redundant
Unique inspection
fw ctl chain
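The two listings above show that starting fw monitor inserts the fwmonitor (i/f side) and fwmonitor (IP side) modules into both chains. Comparing two saved listings by eye is error-prone, so the following added example (written for these notes, not Check Point's own tooling) parses saved "fw ctl chain" output with awk and prints which chain modules appeared or disappeared between two captures. It assumes each listing was saved with "fw ctl chain > file"; the embedded sample listings are constructed, shortened copies of the output above.

```shell
#!/bin/sh
# Added example, not from the course notes: parse saved "fw ctl chain" output
# and report which chain modules appeared or disappeared between two listings
# (e.g. before/after starting fw monitor, or after a policy install).
# Assumes each listing was saved with "fw ctl chain > file".

# Print one "<chain> <position> <description>" line per chain module entry.
chain_modules() {
    awk '
        /^in chain/  { chain = "in";  next }
        /^out chain/ { chain = "out"; next }
        /^[ \t]*[0-9]+:/ {
            line = $0
            sub(/^[ \t]*[0-9]+:[ \t]*/, "", line)          # drop the "N:" index
            pos = line
            sub(/[ \t]*\(.*$/, "", pos)                     # keep only the position
            gsub(/[ \t]/, "", pos)                          # "- 1fffff8" -> "-1fffff8"
            desc = line
            sub(/^[^)]*\)[ \t]*\([^)]*\)[ \t]*/, "", desc)  # drop position (addr) (flags)
            gsub(/[ \t]+/, " ", desc)                       # collapse double spaces
            print chain, pos, desc
        }' "$1"
}

# Compare two listings: "+" marks modules only in the second, "-" only in the first.
chain_diff() {
    before=$(mktemp) && after=$(mktemp) || return 1
    chain_modules "$1" | LC_ALL=C sort > "$before"
    chain_modules "$2" | LC_ALL=C sort > "$after"
    LC_ALL=C comm -13 "$before" "$after" | sed 's/^/+ /'
    LC_ALL=C comm -23 "$before" "$after" | sed 's/^/- /'
    rm -f "$before" "$after"
}

# Constructed sample listings (shortened from the fw ctl chain output in the
# notes, without and with fw monitor running) so the script can run offline.
sample_before() {
    cat <<'EOF'
in chain (4):
        0: -7f800000 (ffffffff8882b820) (ffffffff) IP Options Strip (in) (ipopt_strip)
        1: - 1fffff8 (ffffffff8882d050) (00000001) Stateless verifications (in) (asm)
        2:         0 (ffffffff887ceee0) (00000001) fw VM inbound  (fw)
        3:  7f800000 (ffffffff8882bbe0) (ffffffff) IP Options Restore (in) (ipopt_res)
out chain (2):
        0: -7f800000 (ffffffff8882b820) (ffffffff) IP Options Strip (out) (ipopt_strip)
        1:         0 (ffffffff887ceee0) (00000001) fw VM outbound (fw)
EOF
}
sample_after() {
    cat <<'EOF'
in chain (6):
        0: -7f800000 (ffffffff8882b820) (ffffffff) IP Options Strip (in) (ipopt_strip)
        1: -70000000 (ffffffff88804d70) (ffffffff) fwmonitor (i/f side)
        2: - 1fffff8 (ffffffff8882d050) (00000001) Stateless verifications (in) (asm)
        3:         0 (ffffffff887ceee0) (00000001) fw VM inbound  (fw)
        4:  70000000 (ffffffff88804d70) (ffffffff) fwmonitor (IP side)
        5:  7f800000 (ffffffff8882bbe0) (ffffffff) IP Options Restore (in) (ipopt_res)
out chain (3):
        0: -7f800000 (ffffffff8882b820) (ffffffff) IP Options Strip (out) (ipopt_strip)
        1: -70000000 (ffffffff88804d70) (ffffffff) fwmonitor (i/f side)
        2:         0 (ffffffff887ceee0) (00000001) fw VM outbound (fw)
EOF
}

# Diff the constructed samples; prints the three inserted fwmonitor modules.
run_sample() {
    b=$(mktemp) && a=$(mktemp) || return 1
    sample_before > "$b"; sample_after > "$a"
    chain_diff "$b" "$a"
    rm -f "$b" "$a"
}

# Usage: sh chain_diff.sh before.txt after.txt
if [ $# -eq 2 ]; then chain_diff "$1" "$2"; fi
```

Positions are kept in the output because the same module name can appear at different chain positions (fwmonitor at -70000000 and 70000000); a module that merely moved shows up as one "-" and one "+" line.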



fw monitor inspection points
i - inbound minus (negative chain position): packet coming in, before the inbound chain
I - inbound: about to leave the inbound chain
o - outbound minus (negative chain position): packet coming into the outbound chain
O - outbound: about to leave the outbound chain


fw monitor -pi -vpn_ver -o monitor


Policy Installation Failure

fw -d load $FWDIR/conf/<PolicyName>.W <target>


a. Clear out the old log file

cd $FWDIR/log
rm fwm.elg
echo ' ' > fwm.elg


b. Enable the fwm debug

fw debug fwm on
TDERROR_ALL_ALL=5

fw debug  fwm on
OPSEC_DEBUG_LEVEL=1

fw debug  fwm off
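Steps a and b above, together with the fw -d load command, form one troubleshooting procedure. The following added example (written for these notes; not Check Point's own script) wraps them in shell functions so the debug is always switched off again after the policy load is reproduced, which keeps fwm.elg from growing unbounded. It assumes $FWDIR is set, as it is in the expert shell, and reads the fw command name from FW_BIN so the procedure can be dry-run off-box with a stub; the policy name and target are the caller's.

```shell
#!/bin/sh
# Added example, not from the course notes: the policy-installation debug
# procedure (clear fwm.elg, enable fwm debug, reproduce with fw -d load,
# disable debug) as reusable functions. Assumes $FWDIR is set; FW_BIN lets
# the "fw" command be replaced by a stub for an off-box dry run.
FW_BIN=${FW_BIN:-fw}

# Step a: start from an empty fwm.elg so only the new failure is logged.
reset_fwm_log() {
    log="$FWDIR/log/fwm.elg"
    rm -f "$log"
    : > "$log"                      # same effect as: echo ' ' > fwm.elg
    [ -f "$log" ] && [ ! -s "$log" ]
}

# Step b: enable fwm debug with the topic levels from the notes.
fwm_debug_on() {
    "$FW_BIN" debug fwm on TDERROR_ALL_ALL=5 &&
    "$FW_BIN" debug fwm on OPSEC_DEBUG_LEVEL=1
}

fwm_debug_off() {
    "$FW_BIN" debug fwm off
}

# Reproduce the failing load while debug is on, then always turn debug off.
# $1: policy name (the .W file in $FWDIR/conf), $2: target gateway.
# Returns the exit status of the load; fwm.elg holds the debug output.
debug_policy_load() {
    reset_fwm_log || return 1
    fwm_debug_on || return 1
    "$FW_BIN" -d load "$FWDIR/conf/$1.W" "$2"
    rc=$?
    fwm_debug_off
    return $rc
}

# Usage: sh fwm_debug.sh <PolicyName> <target>
if [ $# -eq 2 ]; then debug_policy_load "$1" "$2"; fi
```

Turning the debug off in the same function as the load matters in practice: an fwm left at TDERROR_ALL_ALL=5 on a busy management server fills $FWDIR/log quickly, and the next administrator reviewing fwm.elg has to dig the relevant failure out of days of noise.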

LAB 1 and 2
Lunch



CHAPTER 3  NAT
fw ctl debug
Generates debug messages to a buffer
Produces a list of currently running modules and debugging flags


fw monitor
Captures and filters traffic
Specifies which parts of the kernel chain packets pass through

-d
-e   (every packet 4 times)
-f
-m   i, I, o, O

From CLI run the following command:
fw monitor -e "accept;" -o outputfile.cap -ci 10000


open another shell and run the following commands:

fw ctl debug 0
fw ctl debug -buf 32000
fw ctl debug -m fw + conn packet nat xlate xltrc
fw ctl kdebug -T -f > /var/kernel_debug.ctl        (see page 80)
replicate the issue
stop the fw monitor capture with Ctrl-C
stop the kernel debug by running the following command:
fw ctl debug -x
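The two-shell procedure above (fw monitor in one shell, kernel debug in the other) is easy to leave half-finished, with debug flags still set after the capture is stopped. The following added example (written for these notes; not Check Point's own tooling) runs the same commands as start/stop functions from one shell, so the capture and the kernel debug are started in the order the notes give and both are torn down together. It assumes the expert shell; FW_BIN lets "fw" be replaced by a stub for an off-box dry run, and the two output paths are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the course notes: the NAT troubleshooting capture
# (fw monitor plus fw ctl debug / kdebug) as start/stop functions so that the
# debug flags are always cleared with "fw ctl debug -x" and the background
# processes are reaped. FW_BIN allows a stub "fw" for an off-box dry run;
# the output paths below are placeholders chosen for this example.
FW_BIN=${FW_BIN:-fw}
CAP_FILE=${CAP_FILE:-/var/log/nat_debug.cap}
KDEBUG_FILE=${KDEBUG_FILE:-/var/kernel_debug.ctl}

start_nat_debug() {
    # Shell 1 of the notes: capture every packet at all four inspection
    # points; the capture stops by itself after 10000 inbound packets (-ci).
    "$FW_BIN" monitor -e "accept;" -o "$CAP_FILE" -ci 10000 &
    MONITOR_PID=$!
    # Shell 2 of the notes: clear old flags, size the debug buffer, select
    # the fw module flags for connection/NAT tracing, then stream the buffer
    # to a file with timestamps (-T) until stopped.
    "$FW_BIN" ctl debug 0 &&
    "$FW_BIN" ctl debug -buf 32000 &&
    "$FW_BIN" ctl debug -m fw + conn packet nat xlate xltrc || return 1
    "$FW_BIN" ctl kdebug -T -f > "$KDEBUG_FILE" &
    KDEBUG_PID=$!
    echo "debugging started: reproduce the NAT issue now, then call stop_nat_debug"
}

stop_nat_debug() {
    kill "$MONITOR_PID" 2>/dev/null || true      # same as Ctrl-C on fw monitor
    "$FW_BIN" ctl debug -x                       # disable the kernel debug flags
    kill "$KDEBUG_PID" 2>/dev/null || true       # kdebug has nothing left to stream
    wait "$MONITOR_PID" "$KDEBUG_PID" 2>/dev/null || true
    echo "capture: $CAP_FILE  kernel debug: $KDEBUG_FILE"
}

# Usage: . ./nat_debug.sh; start_nat_debug; <reproduce>; stop_nat_debug
```

Clearing the flags with "fw ctl debug -x" before killing the kdebug reader is deliberate: the kernel keeps writing to the debug buffer for as long as the flags are set, and a gateway left with conn/packet/nat tracing enabled pays the CPU cost on every connection until someone notices.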


Hide NAT changes the source port (Cisco calls it PAT)


MANUAL NAT

Connection from internet -   any to Public IP    --    any destination (DMZ)


Automatic NAT  (see Global Properties)
-------------------
Allow Bi-directional NAT
Translate destination on client side    (on the inbound side from the internet)
Automatic ARP configuration


Real Entry
Symbolic Link
6-Tuple




fw tab -t connections

fw tab -t connections -x  


--------------------------------------------------------------------

In SmartView Tracker - connection - Block Intruder

Block Suspicious Activity in SmartView Monitor    (SAM rule)

table.def file 
no