Wednesday, April 10, 2024

Troubleshooting Firewalls

 

[Expert@myfw101:0]# ip route get 216.18.76.16
216.18.76.16 via 10.114.255.11 dev eth1-01 src 10.113.255.14 
[Expert@myfw101:0]#


fw ctl zdebug + drop | grep 216.18.76.16

@;20508118;[vs_0];[tid_30];[fw4_30];fw_log_drop_ex: Packet proto=17 216.18.76.16:53 -> 10.113.255.14:39926 dropped by fw_send_log_drop Reason: Rulebase drop - on layer "fw-cluster Security" rule 19;
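To review drops for one host without scrolling through raw `fw ctl zdebug + drop` output, the lines can be parsed into fields and counted by rule. This is an added example, not part of the original notes or a Check Point tool; the sample lines are constructed in the same layout as the captured drop line above (proto 17 = UDP, source port 53 = the DNS reply to the standby member).

```shell
#!/bin/sh
# Added example: parse "fw ctl zdebug + drop" lines and summarise drops per host.
# SAMPLE_DROPS is a constructed log in the same format as the captured line;
# on a gateway you would pipe the live zdebug output in instead.
SAMPLE_DROPS='@;20508118;[vs_0];[tid_30];[fw4_30];fw_log_drop_ex: Packet proto=17 216.18.76.16:53 -> 10.113.255.14:39926 dropped by fw_send_log_drop Reason: Rulebase drop - on layer "fw-cluster Security" rule 19;
@;20508119;[vs_0];[tid_31];[fw4_31];fw_log_drop_ex: Packet proto=17 216.18.76.16:53 -> 10.113.255.14:39927 dropped by fw_send_log_drop Reason: Rulebase drop - on layer "fw-cluster Security" rule 19;
@;20508120;[vs_0];[tid_12];[fw4_12];fw_log_drop_ex: Packet proto=6 203.0.113.9:443 -> 10.113.255.20:51000 dropped by fw_send_log_drop Reason: Rulebase drop - on layer "fw-cluster Security" rule 7;'

# IP protocol number -> name for the cases that show up in zdebug output
proto_name() {
    case "$1" in
        1) echo icmp ;; 6) echo tcp ;; 17) echo udp ;; *) echo "proto$1" ;;
    esac
}

# One drop line -> "proto|src|dst|drop_fn|reason"; prints nothing for other lines
parse_fw_drop() {
    printf '%s\n' "$1" | sed -n \
        's/.*Packet proto=\([0-9]*\) \([0-9.:]*\) -> \([0-9.:]*\) dropped by \([^ ]*\) Reason: \(.*\);$/\1|\2|\3|\4|\5/p'
}

# Count drops involving $1 (as source or destination), grouped by protocol
# and drop reason. Output: "<count> <proto> <reason>", highest count first.
drop_summary_for_host() {
    host="$1"
    printf '%s\n' "$SAMPLE_DROPS" | grep -F "$host" | while IFS= read -r line; do
        f=$(parse_fw_drop "$line")
        [ -n "$f" ] || continue
        p=$(printf '%s' "$f" | cut -d'|' -f1)
        r=$(printf '%s' "$f" | cut -d'|' -f5)
        printf '%s %s\n' "$(proto_name "$p")" "$r"
    done | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# The DNS server from the notes: both UDP/53 replies were dropped by rule 19
drop_summary_for_host 216.18.76.16
```

On a live gateway, replace the constructed `SAMPLE_DROPS` with `fw ctl zdebug + drop` output captured to a file; the rule number in the summary is the one to look at in the policy layer named in the reason.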


DNS Not active on Standby Cluster Member

fwha_forw_packet_to_not_active=1

Here's the SK in case you need it:

https://support.checkpoint.com/results/sk/sk43807



enabled_blades
fw stat 
cpinfo -y all


In addition, if you would please upload a cpinfo from your gateway, as well as an HCP report, this will help us look for known issues in your environment.
cpinfo -s 6-0003824777
hcp -r all --include-wts yes



Standby
nslookup google.com 
tcpdump -nni any host 216.18.76.16

Active 
tcpdump -nni any host 216.18.76.16 and host 10.14.55.14

set dns mode default
set dns suffix bcbsma.com
set dns primary 216.118.176.16
set dns secondary 10.115.1.11
set dns tertiary 10.23.210.23
[Expert@myfw101:0]#


142.250.65.238
tcpdump -nni any host 216.118.176.16 and host 10.114.255.14 | grep -i 'google'
fw monitor -F "10.114.255.14,0,216.118.176.16,0,0"
fw monitor -F "10.114.255.14,0,216.118.176.16,0,0" | grep -i 'google'

[Expert@myfw101:0]## cat /var/opt/fw.boot/modules/fwkern.conf
enhanced_ssl_inspection=1
bypass_on_enhanced_ssl_inspection=1
fwmultik_input_queue_len=4096
[Expert@myfw101:0]## 



 hcp -r all


[Expert@myfw101:0]# tcpdump -nni Sync host 216.18.76.16 and host 10.14.255.14 | grep -i 'google'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on Sync, link-type EN10MB (Ethernet), capture size 262144 bytes
15:07:27.015688 IP 10.14.255.14.40175 > 216.18.76.16.53: 8827+ A? google.com. (28)
15:07:34.015911 IP 10.14.255.14.40175 > 216.18.76.16.53: 8827+ A? google.com. (28)
15:07:41.016201 IP 10.14.255.14.40175 > 216.18.76.16.53: 8827+ A? google.com. (28)
^C1648 packets captured
1685 packets received by filter
0 packets dropped by kernel

[Expert@myfw101:0]## 

[Expert@myfw101:0]## fw ctl get int fwha_cluster_hide_active_only
fwha_cluster_hide_active_only = 1
[Expert@myfw101:0]#


[Expert@myfw101:0]# fw ctl get int fwha_cluster_hide_active_only
fwha_cluster_hide_active_only = 1




Sunday, April 7, 2024

Troubleshooting IPS

 

[Expert@myfw]# curl_cli -vk https://te.checkpoint.com/tecloud/Ping
*   Trying 52.21.148.145...
* TCP_NODELAY set
* Connected to te.checkpoint.com (52.21.148.145) port 443 (#0)
* ALPN, offering http/1.1
* *** Current date is: Sat Apr  6 01:23:52 2024
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* err is -1, detail is 2
* *** Current date is: Sat Apr  6 01:23:52 2024
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* err is -1, detail is 2
* *** Current date is: Sat Apr  6 01:23:52 2024
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* err is -1, detail is 2
* *** Current date is: Sat Apr  6 01:23:52 2024
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* servercert: Activated
* servercert: CRL validation was disabled
* Server certificate:
*  subject: CN=*.checkpoint.com
*  start date: Oct 25 18:11:28 2023 GMT
*  expire date: Nov 25 18:11:27 2024 GMT
*  issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign GCC R3 DV TLS CA 2020
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* servercert: Finished
< HTTP/1.1 200 
< Date: Sat, 06 Apr 2024 05:23:52 GMT
< Content-Type: text/plain;charset=ISO-8859-1
< Content-Length: 4
< Connection: keep-alive
< Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
< X-Request-Start: t=1712381032.202
< Set-Cookie: te_cookie=aabd0422269d88cb7d33996ad8cd951b; Path=/; Secure

* Connection #0 to host te.checkpoint.com left intact
Pong
[Expert@myfw]# cphaprob tablestat


----   Unique IP's Table  ----

Member          Interface       IP-Address              MAC-Address
-------------------------------------------------------------------------

(Local)
0               3               192.168.110.1            00:1c:ff:46:44:92
0               19              10.114.255.113           00:1c:ff:a3:44:1c
0               22              216.21.183.19            00:1c:ff:a3:44:1f
0               26              172.116.183.2            00:1c:ff:a3:44:4d
0               27              216.21.183.252           00:1c:ff:a3:44:4d

1               3               192.168.110.2            00:1c:ff:46:44:b0
1               19              10.114.255.114           00:1c:ff:a3:44:a8
1               22              216.21.183.20            00:1c:ff:a3:44:ab
1               26              172.116.83.3             00:1c:ff:a3:44:51
1               27              216.21.83.253            00:1c:ff:a3:44:51

-------------------------------------------------------------------------

[Expert@myfw]# 



This change was successfully implemented and validated.
 

DNS resolution on Lowell Firewall Standby cluster member - FIXED
Anti-Bot/Anti-Virus – FIXED
Indeni – Alert – CLEARED
 

 
[Expert@myfw]#  ping updates.checkpoint.com
PING e17340.dscd.akamaiedge.net (23.39.34.118) 56(84) bytes of data.
64 bytes from a23-39-34-118.deploy.static.akamaitechnologies.com (23.39.34.118): icmp_seq=1 ttl=54 time=9.09 ms
64 bytes from a23-39-34-118.deploy.static.akamaitechnologies.com (23.39.34.118): icmp_seq=2 ttl=54 time=8.09 ms
64 bytes from a23-39-34-118.deploy.static.akamaitechnologies.com (23.39.34.118): icmp_seq=3 ttl=54 time=8.10 ms
64 bytes from a23-39-34-118.deploy.static.akamaitechnologies.com (23.39.34.118): icmp_seq=4 ttl=54 time=8.08 ms
^C
--- e17340.dscd.akamaiedge.net ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3002ms
rtt min/avg/max/mdev = 8.089/8.346/9.098/0.434 ms
[Expert@M-INT-FW102:0]#
 
[Expert@myfw]# nslookup cnn.com
Server:         216.118.176.16
Address:        216.118.176.16#53
 
Non-authoritative answer:
Name:   cnn.com
Address: 151.101.131.5
Name:   cnn.com
Address: 151.101.3.5
Name:   cnn.com
Address: 151.101.67.5
Name:   cnn.com
Address: 151.101.195.5
 
[Expert@myfw]# 
 
 
[Expert@myfw]#  nslookup cnn.com
Server:         216.118.176.16
Address:        216.118.176.16#53
 
Non-authoritative answer:
Name:   cnn.com
Address: 151.101.3.5
Name:   cnn.com
Address: 151.101.67.5
Name:   cnn.com
Address: 151.101.195.5
Name:   cnn.com
Address: 151.101.131.5
 
[Expert@myfw]# 
 
 
 
 
 
Change CHG0126843 is scheduled for this time period.
 
Working with Check Point on - [Expert@myfw]# – Cannot update/reach ThreatCloud – similar internet issue as the DNS lookup

  •  Description:
  •  Add Kernel Parameter:  to  [Expert@myfw]#  [Expert@myfw]# 
  • fw ctl set int fwha_cluster_hide_active_only 0 <enter>
  • No production impact