How to check how many Remote Access VPN clients are taking up licenses

The number of Office Mode IP addresses assigned is counted and then compared to the size of the license. You can see how many Office Mode IP addresses are assigned in the following ways:

1. SmartView Monitor: In the left pane, it is possible to filter according to "users". The table then shows all connected users and which clients they are using. When the value in the leftmost column "Office Mode" is "True", it means the client received an Office Mode IP address. Each Office Mode IP address takes up a license.

Note: This requires a SmartView Monitor license (CPSB-MNTR) on the Management Server.

2. Check the number of Office Mode IP addresses that are currently assigned by the Security Gateway:

[Expert@GW]# fw tab -t om_assigned_ips -s
HOST NAME ID #VALS #PEAK #SLINKS
localhost om_assigned_ips 372 1 1 0

The above output (#VALS = 1) means that currently one client is assigned an Office Mode IP. This count also includes SNX users with Office Mode IP addresses, who consume a different (SSL) license. To find out how many SNX users there are, and subtract them to leave only IPsec VPN clients (i.e. SecureClient, Endpoint Security VPN, Endpoint Connect), check the following table:

[Expert@HostName]# fw tab -t sslt_om_ip_params -s

3. The "dtps lic" command is obsolete and should not be used anymore for diagnostics.
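
The subtraction described above, as an added example (not code from the SK article): fwtab_vals() reads the #VALS column of `fw tab -t <table> -s` output, and the rest computes IPsec clients against a license size; the two table outputs and the seat count are constructed sample values, on a gateway you would pipe the real commands in.

```shell
# Added example, not from the SK article: the count described above as a script.
# fwtab_vals() reads the #VALS column of `fw tab -t <table> -s` output; on a
# gateway you would pipe the real commands in. The two outputs below are
# constructed sample text so the script runs offline.

# Print the #VALS value of the named table from `fw tab -t <table> -s` output
# on stdin (0 when the table row is absent).
fwtab_vals() {
    awk -v t="$1" '
        NR == 1 { for (i = 1; i <= NF; i++) if ($i == "#VALS") col = i; next }
        col && $2 == t { print $col; found = 1; exit }
        END { if (!found) print 0 }'
}

# Constructed sample outputs (real ones: fw tab -t om_assigned_ips -s and
# fw tab -t sslt_om_ip_params -s).
OM_OUTPUT='HOST NAME ID #VALS #PEAK #SLINKS
localhost om_assigned_ips 372 7 12 0'
SNX_OUTPUT='HOST NAME ID #VALS #PEAK #SLINKS
localhost sslt_om_ip_params 528 2 3 0'

# All Office Mode IPs currently assigned (IPsec clients and SNX users).
total_om() { printf '%s\n' "$OM_OUTPUT" | fwtab_vals om_assigned_ips; }
# SNX users: they hold an Office Mode IP too but consume the SSL license.
snx_om()   { printf '%s\n' "$SNX_OUTPUT" | fwtab_vals sslt_om_ip_params; }

# IPsec VPN clients counted against the Remote Access license.
ipsec_clients() {
    n=$(( $(total_om) - $(snx_om) ))
    [ "$n" -ge 0 ] || n=0   # a missing table must not produce a negative count
    echo "$n"
}

# Report usage against the licensed seat count (argument; a constructed value
# below) and return non-zero when the license is exceeded.
license_usage() {
    used=$(ipsec_clients)
    echo "IPsec Remote Access clients: $used of $1 licensed seats"
    [ "$used" -le "$1" ]
}

license_usage 25
```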

How to change interface naming on Open Servers in Gaia OS

Solution ID: sk69621
Product: Security Gateway, Security Management, Multi-Domain Management / Provider-1
Version: R75.40, R75.40VS, R75.45, R75.46, R76
OS: Gaia
Platform / Model: Intel/PC
Date Created: 26-Mar-2012
Last Modified: 11-Jun-2013

SOLUTION

This solution describes how to change the names of interfaces on an Open Server platform (non-appliance).

In Gaia, the interface naming for Open Servers is kept in the /etc/udev/rules.d/00-OS-XX.rules file. This file is created by default during installation, so it can be edited even though the user did not create it.

Example for the contents of this file:

BUS=="pci", SYSFS{address}=="ac:16:2d:70:2b:e0", NAME="eth0"
BUS=="pci", SYSFS{address}=="ac:16:2d:70:2b:e1", NAME="eth1"
BUS=="pci", SYSFS{address}=="ac:16:2d:70:2b:e2", NAME="eth2"
BUS=="pci", SYSFS{address}=="ac:16:2d:70:2b:e3", NAME="eth3"
BUS=="pci", SYSFS{address}=="90:e2:ba:26:41:08", NAME="eth4"
BUS=="pci", SYSFS{address}=="90:e2:ba:26:41:09", NAME="eth5"

Where the match field identifies the adapter (the article calls it the "ID" field holding the PCI Bus ID; in the example above it is SYSFS{address}, the adapter's MAC address), while the "NAME" field is the desired name for the interface.

To map an ID to the actual physical interface, use the following method:

Run ethtool -p on the interface in question, for example:

# ethtool -p eth1

On most interface cards, this command causes the link LED to blink. After identifying the physical interfaces, their names can be modified in the /etc/udev/rules.d/00-OS-XX.rules file.

Notes:

The machine has to be rebooted in order for the changes to take effect.
The /etc/udev/rules.d/00-OS-XX.rules file can be copied only between identical machines.
Every change to the PCI Bus, such as insertion or removal of a card, may change PCI Bus IDs for all other cards in the system.
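
Sanity checks worth running on the rules file before the reboot, as an added example (not code from the SK article): the parser follows the SYSFS{address}/NAME line format shown above, and the rules file and the list of local MAC addresses are constructed here (on a gateway the list would come from `ip link` or `ifconfig -a`).

```shell
# Added example, not from the SK article: sanity checks to run on a
# 00-OS-XX.rules file before rebooting. udev_rule_pairs() parses the
# SYSFS{address}/NAME lines in the format shown above; udev_rules_unique()
# rejects duplicate names or addresses; udev_rules_missing() lists rules whose
# address exists on no local adapter, the situation the "identical machines"
# note warns about. The rules file and the local MAC list are constructed here;
# on a gateway the list would come from `ip link` or `ifconfig -a`.

# Print "address name" for each rule line, addresses lower-cased.
udev_rule_pairs() {
    awk -F'"' '/SYSFS.address./ {
        addr = name = ""
        for (i = 1; i < NF; i++) {
            if ($i ~ /SYSFS.address.==$/) addr = $(i + 1)
            if ($i ~ /NAME=$/) name = $(i + 1)
        }
        if (addr != "" && name != "") print tolower(addr), name
    }' "$1"
}

# Return 1 if any address or NAME occurs more than once (two rules naming the
# same adapter, or two adapters claiming the same ethX).
udev_rules_unique() {
    pairs=$(udev_rule_pairs "$1")
    dup_addr=$(printf '%s\n' "$pairs" | awk '{ print $1 }' | sort | uniq -d)
    dup_name=$(printf '%s\n' "$pairs" | awk '{ print $2 }' | sort | uniq -d)
    if [ -n "$dup_addr" ] || [ -n "$dup_name" ]; then
        echo "duplicate address(es): $dup_addr duplicate name(s): $dup_name" >&2
        return 1
    fi
    return 0
}

# Print "name address" for every rule whose address is not in LOCAL_MACS
# (one MAC per line); prints nothing when every rule matches a local adapter.
udev_rules_missing() {
    udev_rule_pairs "$1" | while read -r addr name; do
        printf '%s\n' "$2" | grep -qi "^$addr\$" || echo "$name $addr"
    done
}

# --- constructed sample data ---------------------------------------------
tmp=$(mktemp -d)
cat > "$tmp/00-OS-XX.rules" <<'EOF'
BUS=="pci", SYSFS{address}=="ac:16:2d:70:2b:e0", NAME="eth0"
BUS=="pci", SYSFS{address}=="ac:16:2d:70:2b:e1", NAME="eth1"
BUS=="pci", SYSFS{address}=="90:e2:ba:26:41:08", NAME="eth2"
EOF
# Adapters present on this (hypothetical) machine: the card behind eth2 is absent.
LOCAL_MACS='ac:16:2d:70:2b:e0
ac:16:2d:70:2b:e1
ac:16:2d:70:2b:e2'

udev_rules_unique "$tmp/00-OS-XX.rules" && udev_rules_missing "$tmp/00-OS-XX.rules" "$LOCAL_MACS"
```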

How to migrate Full HA environment to Distributed

Solution ID: sk44201
Product: ClusterXL, UTM-1, Power-1
Version: NGX R65 w/ Messaging Security, R70, R71, R75
OS: SecurePlatform, SecurePlatform 2.6
Platform / Model: UTM-1, Power-1
Date Created: 07-Nov-2010
Last Modified: 03-Aug-2012

SOLUTION

The following procedure should be performed on the Primary member of the Full HA cluster.

  1. To minimize downtime, perform a manual fail-over from Primary cluster member to Secondary cluster member.
    To do so, run the 'clusterXL_admin down' command on the Primary cluster member (refer to sk55081 - Best practice for manual fail-over in ClusterXL) and let the Secondary cluster member run as the Active member in the cluster to continue passing traffic.
  2. Remove the cluster peer member on the Primary cluster member. Run:
    # cp_conf fullha del_peer
  3. Restart Check Point services on the Primary cluster member. Run:
    # cpstop ; cpstart 
  4. After all Check Point services are running again, disable Full HA mechanism on the Primary cluster member. Run:
    # cp_conf fullha disable
  5. Reboot the Primary cluster member.
  6. After the Primary cluster member is up and running again, connect to it with the SmartDashboard.
    You should see that the Full HA cluster object was replaced by a normal Stand-Alone object.
  7. Open the object properties window and clear the 'Firewall' and the 'VPN' checkboxes.
  8. Save the changes and install database to the existing Smart Management server.
    Now the Primary cluster member machine is running only with a Smart Management server product.
  9. Export the current database using the upgrade_export command. This upgrade_export file should be imported later on into the new Smart Management server.
  10. Import the upgrade_export file to the new Smart Management server and confirm successful migration.
  11. Reinstall the Primary cluster member as a normal cluster member (running only Firewall and Cluster products).
  12. Re-initiate the SIC between the cluster members machines.
  13. Using the cluster Configuration Wizard in the SmartDashboard, recreate the cluster configuration.

Check Point – Corrupted ELG file (NULLNULL)

Log files can become corrupted when running debug of Check Point daemons on SecurePlatform / Gaia OS

Solution ID: sk52120
Product: Security Management, Security Gateway
Version: R75, R71, NGX R62, NGX R65, R70, NGX R61, NGX R60, R75.20, R75.40, R75.40VS, R75.45, R75.46
OS: SecurePlatform, SecurePlatform 2.6, Gaia
Platform / Model: All
Date Created: 15-Oct-2010
Last Modified: 18-Feb-2013

SYMPTOMS

  • When running debug of Check Point daemons (FWM, CPD, FWD, VPND, etc.), the corresponding log files (.ELG) might become corrupted: when opening the file, it is mostly filled with 'NULL' characters (dots), and only at the end of the file are there some readable lines.

CAUSE

The problem happens because two different mechanisms open the ELG files for 'Write' operation.

1) When the daemon is under debug, the log file (.ELG) is rotated by the internal TDERROR mechanism.

2) However, there is another mechanism: a Task 'RotateLogs' registered under the CPD daemon, which is called every 100 sec to rotate a log file if it has reached the maximal configured size.

[Expert@FW]# cpd_sched_config print
Task: "RotateLogs"
Command: /sbin/cp_logrotate
Arguments:
Interval: 100
Active: true
RunAtStart: true

The most probable reason that there are two different mechanisms for log rotation today is historical: the TDERROR mechanism was added later.

SOLUTION

Introduction:

Before collecting the debugs of Check Point daemons (FWM, CPD, FWD, VPND, etc.), the user needs to disable the rotation of the relevant log files (.ELG) by the '/sbin/cp_logrotate' command from Task 'RotateLogs', which is registered under the CPD daemon, so that it does not access the log files.

The Task 'RotateLogs' registered under the CPD daemon is controlled by the '/bin/log_start' shell script.

All the settings for the various log files are stored in the '/etc/cpshell/log_rotation.conf' file.

Important Note: starting in R75.20, the most important Check Point daemons were removed from this rotation: FWM, CPD, FWD, VPND.

Background:

It is possible to control the rotation of the relevant ELG log files in two ways:

  • Either run the ‘/bin/log_start’ script, which edits the ‘/etc/cpshell/log_rotation.conf’ file (preferred way).
  • Or edit the ‘/etc/cpshell/log_rotation.conf’ file manually.

This is the general syntax:

[Expert@HostName]# /bin/log_start
Usage: log --help
log list
log limit <log-index> <max-size> <backlog-copies>
log unlimit
log show <log-index> [<lines>]
[Expert@HostName]#

This is the default list of log files and their parameters (on versions lower than R75.20):

[Expert@HostName]# /bin/log_start   list
 Index File                                     Max-Size  Back-logs
    0) messages                                    65536          4
    1) routing_messages                            64536          4
    2) wtmp                                        65536          4
    3) lastlog                                    262400          4
    4) secure                                      64536          4
    5) cpstart.log                               1048576          4
    6) CPbackup.elg                                64536          4
    7) backup_logs.elg                             64536          4
    8) fwd.elg                                     64536          4
    9) dtlsd.elg                                 1048576          4
   10) dtpsd.elg                                 1048576          4
   11) sdsd.elg                                  1048576          4
   12) vpnd.elg                                  1048576          4
   13) aftpd.elg                                 1048576          4
   14) atelnetd.elg                              1048576          4
   15) ahttpd.elg                                1048576          4
   16) unifiedd.elg                              1048576          4
   17) aclientd.elg                              1048576          4
   18) ahclientd.elg                             1048576          4
   19) arlogind.elg                              1048576          4
   20) asessiond.elg                             1048576          4
   21) asmtpd.elg                                1048576          4
   22) aufpd.elg                                 1048576          4
   23) genericd.elg                              1048576          4
   24) lhttpd.elg                                1048576          4
   25) pingd.elg                                 1048576          4
   26) mdq.elg                                   1048576          4
   27) snauth.elg                                1048576          4
   28) cp_http_server.elg                        1048576          4
   29) cpwd.elg                                  1048576          4
   30) cpd.elg                                   1048576          4
   31) cpwd.elg                                  1048576          4
   32) stormc.elg                                1048576          4
   33) cprid.elg                                 1048576          4
   34) rtmd.elg                                  1048576          4
   35) fwm.elg                                   1048576          4
   36) fgd50.elg                                 1048576          4
   37) boot.log                                  1048576          4
[Expert@HostName]#

This is the default content of configuration file (on versions lower than R75.20):

[Expert@HostName]# cat   /etc/cpshell/log_rotation.conf
/var/log/messages                        65536          4
/var/log/routing_messages                64536          4
/var/log/wtmp                            65536          4
/var/log/lastlog                        262400          4
/var/log/secure                          64536          4
$CPDIR/log/cpstart.log                 1048576          4
/var/log/CPbackup.elg                    64536          4
/var/CPbackup/log/backup_logs.elg        64536          4
$FWDIR/log/fwd.elg                     1048576          4
$FWDIR/log/dtlsd.elg                   1048576          4
$FWDIR/log/dtpsd.elg                   1048576          4
$FWDIR/log/sdsd.elg                    1048576          4
$FWDIR/log/vpnd.elg                    1048576          4
$FWDIR/log/aftpd.elg                   1048576          4
$FWDIR/log/atelnetd.elg                1048576          4
$FWDIR/log/ahttpd.elg                  1048576          4
$FWDIR/log/unifiedd.elg                1048576          4
$FWDIR/log/aclientd.elg                1048576          4
$FWDIR/log/ahclientd.elg               1048576          4
$FWDIR/log/arlogind.elg                1048576          4
$FWDIR/log/asessiond.elg               1048576          4
$FWDIR/log/asmtpd.elg                  1048576          4
$FWDIR/log/aufpd.elg                   1048576          4
$FWDIR/log/genericd.elg                1048576          4
$FWDIR/log/lhttpd.elg                  1048576          4
$FWDIR/log/pingd.elg                   1048576          4
$FWDIR/log/mdq.elg                     1048576         10
$FWDIR/log/snauth.elg                  1048576          4
$CPDIR/log/cp_http_server.elg          1048576          4
$CPDIR/log/cpwd.elg                    1048576          4
$CPDIR/log/cpd.elg                     1048576          4
$CPDIR/log/cpwd.elg                    1048576          4
$FWDIR/log/stormc.elg                  1048576          4
$CPDIR/log/cprid.elg                   1048576          4
$FWDIR/log/rtmd.elg                    1048576          4
$FWDIR/log/fwm.elg                     1048576          4
$FGDIR/log/fgd50.elg                   1048576          4
/var/log/boot.log                      1048576          4
[Expert@HostName]#

Action plan:

(Step 1) Backup the configuration file:

[Expert@HostName]# cp /etc/cpshell/log_rotation.conf /etc/cpshell/log_rotation.conf_BACKUP

(Step 2) Find the index of the relevant logs in the configuration file:

[Expert@HostName]# /bin/log_start list

Example:

[Expert@FW]# /bin/log_start   list | grep -E "fwd|cpd|fwm"
8) fwd.elg                                    1048576          4
30) cpd.elg                                   1048576          4
35) fwm.elg                                   1048576          4

(Step 3) Disable the rotation of each relevant log:

[Expert@HostName]# /bin/log_start   unlimit   LOG-INDEX

(run '/bin/log_start list' to verify)

Example for CPD.elg:

[Expert@HostName]# /bin/log_start   list
....................
30) cpd.elg                                   1048576          4
....................

[Expert@HostName]# /bin/log_start   unlimit   30

[Expert@HostName]# /bin/log_start   list
....................
30) cpd.elg                                   unlimited          unlimited
....................

Notes about '/bin/log_start unlimit LOG-INDEX' command:

  • applies immediately
  • does not require any additional actions (no need to 'cpstop;cpstart' or 'reboot')
  • survives 'cpstop;cpstart'
  • survives reboot

(Step 4) Collect the necessary debugs of the relevant daemons with TDERROR:

(A) Start:

[Expert@HostName]# fw  debug  fwm  on  TDERROR_ALL_ALL=5
[Expert@HostName]# cpd_admin  debug  on  TDERROR_ALL_ALL=5
[Expert@HostName]# fw  debug  fwd  on  TDERROR_ALL_ALL=5

(B) Replicate the problem.

(C) Stop:

[Expert@HostName]# fw  debug  fwm  off  TDERROR_ALL_ALL=0
[Expert@HostName]# cpd_admin  debug  off  TDERROR_ALL_ALL=0
[Expert@HostName]# fw debug  fwd  off  TDERROR_ALL_ALL=0

(D) Collect the ELG log files.

Note:
When the log rotation by the SPLAT OS is disabled via the '/bin/log_start unlimit' command, the log files are rotated by the TDERROR mechanism instead:
--- when the log size reaches 20 MB, it is rotated
--- the maximal number of log files is 10

These numbers are hard-coded and cannot be changed.

(Step 5) Restore the original settings for each log we changed:

(A) either with the '/bin/log_start limit' command:

[Expert@HostName]# /bin/log_start   limit   LOG-INDEX   MAX-SIZE   BACKLOG-COPIES

(run '/bin/log_start list' to verify)

Example for CPD.elg:

[Expert@HostName]# /bin/log_start   list
....................
30) cpd.elg                                   unlimited          unlimited
....................

[Expert@HostName]# /bin/log_start   limit   30   1048576   4

[Expert@HostName]# /bin/log_start   list
....................
30) cpd.elg                                   1048576          4
....................

Notes about '/bin/log_start limit LOG-INDEX' command:

  • applies immediately
  • does not require any additional actions (no need to 'cpstop;cpstart' or 'reboot')
  • survives 'cpstop;cpstart'
  • survives reboot

(B) or by simply restoring the original configuration file:

[Expert@HostName]# cp -f   /etc/cpshell/log_rotation.conf_BACKUP   /etc/cpshell/log_rotation.conf
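
Two checks a practitioner would want around this procedure, as an added example (not code from the SK article): a measure of how much of an .ELG file is NUL padding (the symptom described above), and a lookup of a daemon's log in a log_rotation.conf of the format shown above to see whether cp_logrotate still rotates it. The index is assumed to be the zero-based line position, which is what the listing above shows; the log files and configuration file are constructed samples.

```shell
# Added example, not from the SK article: two checks built on what the article
# describes. elg_null_ratio() measures how much of an .ELG file is NUL padding
# (the "dots" in the symptom), and rotation_index() looks a log up in a
# log_rotation.conf of the format shown above, so you can tell whether
# cp_logrotate still rotates it before starting a TDERROR debug. The index is
# assumed to be the zero-based line position, which matches the listing above.
# The log files and the configuration file are constructed samples.

# Percentage (0-100) of NUL bytes in a file; a healthy text log is near 0.
elg_null_ratio() {
    total=$(wc -c < "$1" | tr -d ' ')
    [ "$total" -gt 0 ] || { echo 0; return 0; }
    nonnull=$(tr -d '\000' < "$1" | wc -c | tr -d ' ')
    echo $(( (total - nonnull) * 100 / total ))
}

# Return 0 when the file shows the corruption symptom (mostly NUL bytes).
elg_is_corrupted() {
    ratio=$(elg_null_ratio "$1")
    echo "$1: ${ratio}% NUL bytes"
    [ "$ratio" -ge 50 ]
}

# Index of a log in log_rotation.conf (the number /bin/log_start list shows),
# or "none" when cp_logrotate does not rotate it at all.
rotation_index() {
    awk -v n="$2" '
        NF >= 3 && $1 ~ ("/" n "$") { print NR - 1; found = 1; exit }
        END { if (!found) print "none" }' "$1"
}

# Verdict for one daemon log before a debug session.
debug_rotation_check() {
    idx=$(rotation_index "$1" "$2")
    if [ "$idx" = "none" ]; then
        echo "$2: ok, only TDERROR rotates it"
    else
        echo "$2: conflict, cp_logrotate still rotates it (run: /bin/log_start unlimit $idx)"
    fi
}

# --- constructed samples --------------------------------------------------
tmp=$(mktemp -d)
# A corrupted cpd.elg: 4000 NUL bytes, then the few readable lines at the end.
{ head -c 4000 /dev/zero; printf '[cpd 1234]@FW: line 1\n[cpd 1234]@FW: line 2\n'; } > "$tmp/cpd.elg"
printf 'normal log line\nanother line\n' > "$tmp/fwd.elg"
# A trimmed log_rotation.conf in the pre-R75.20 format shown above.
cat > "$tmp/log_rotation.conf" <<'EOF'
/var/log/messages                        65536          4
/var/log/routing_messages                64536          4
$CPDIR/log/cpd.elg                     1048576          4
$FWDIR/log/fwm.elg                     1048576          4
EOF

elg_is_corrupted "$tmp/cpd.elg"
debug_rotation_check "$tmp/log_rotation.conf" cpd.elg
debug_rotation_check "$tmp/log_rotation.conf" vpnd.elg
```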

The new Check Point migration wizard

Check Point has just made a new migration wizard available on the Check Point Support Portal.

This tool will help choose upgrade paths and installation sources.

Source : http://checkpoint-master-architect.blogspot.fr/2012/12/installation-upgrade-wizard.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+CcmasBlog+(CCMA’s+blog)

Configuring speed/duplex on SecurePlatform via 'eth_set' and 'ethtool' commands and '/etc/sysconfig/netconf.C' file

Solution ID: sk61141

In order to set speed and/or duplex for Network Interface Card (NIC) on SecurePlatform, the following commands can be used:

  • ethtool (Linux tool, http://linux.die.net/man/8/ethtool)
    Usage: ethtool -s ethX [speed 10|100|1000] [duplex half|full] [autoneg on|off]

    NOTE: in order for the settings to be applied at each boot, the command for specific NIC should be added to a start-up script (e.g., to /etc/rc.d/rc.local)

  • eth_set (SecurePlatform shell script /bin/eth_set)
    Usage: eth_set ethX [<10h|10f|100h|100f|1000h|1000f|autoneg>]

    NOTE: this is the preferred command for SecurePlatform - the changes are applied and saved in /etc/sysconfig/netconf.C configuration file.

The following example from SecurePlatform sets the speed and duplex for a NIC
and shows how these changes are applied and saved in the configuration file:

    1. 10h: Speed = 10 Mbit/sec, Duplex = Half

      [Expert@FW]# eth_set eth0 10h
      Configured speed/duplex settings:        10h
      NIC reported speed/duplex settings:      10h
      NIC reported speed/duplex capabilities:  10h,100h,10f,100f,1000f,autoneg
      [Expert@FW]# 
      
      [Expert@FW]# ethtool eth0
      Settings for eth0:
              Supported ports: [ TP ]
              Supported link modes:   10baseT/Half 10baseT/Full 
                                      100baseT/Half 100baseT/Full 
                                      1000baseT/Full 
              Supports auto-negotiation: Yes
              Advertised link modes: Not reported
              Advertised auto-negotiation: No
              Speed: 10Mb/s
              Duplex: Half
              Port: Twisted Pair
              PHYAD: 1
              Transceiver: internal
              Auto-negotiation: off
              Supports Wake-on: umbg
              Wake-on: g
              Current message level: 0x00000007 (7)
              Link detected: yes
      [Expert@FW]# 
      
      [Expert@FW]# head -n 15 /etc/sysconfig/netconf.C
      (conf
              : (conns
                      : (conn
                              :ifname (eth0)
                              :type (1)
                              :dhcpc (0)
                              :ipaddr ("10.10.10.22/24")
                              :mtu (1500)
                              :onboot (1)
                              :iff-up (1)
                              :hwaddr ("00:11:22:33:44:55")
                              :ethtool (1)
                              :s-code (0)
                      )
                      : (conn
      [Expert@FW]#
    2. 10f: Speed = 10 Mbit/sec, Duplex = Full

      [Expert@FW]# eth_set eth0 10f
      Configured speed/duplex settings:        10f
      NIC reported speed/duplex settings:      off
      NIC reported speed/duplex capabilities:  10h,100h,10f,100f,1000f,autoneg
      [Expert@FW]# 
      
      [Expert@FW]# ethtool eth0
      Settings for eth0:
              Supported ports: [ TP ]
              Supported link modes:   10baseT/Half 10baseT/Full 
                                      100baseT/Half 100baseT/Full 
                                      1000baseT/Full 
              Supports auto-negotiation: Yes
              Advertised link modes: Not reported
              Advertised auto-negotiation: No
              Speed: 10Mb/s
              Duplex: Full
              Port: Twisted Pair
              PHYAD: 1
              Transceiver: internal
              Auto-negotiation: off
              Supports Wake-on: umbg
              Wake-on: g
              Current message level: 0x00000007 (7)
              Link detected: yes
      [Expert@FW]# 
      
      [Expert@FW]# head -n 15 /etc/sysconfig/netconf.C
      (conf
              : (conns
                      : (conn
                              :ifname (eth0)
                              :type (1)
                              :dhcpc (0)
                              :ipaddr ("10.10.10.22/24")
                              :mtu (1500)
                              :onboot (1)
                              :iff-up (1)
                              :hwaddr ("00:11:22:33:44:55")
                              :ethtool (2)
                              :s-code (0)
                      )
                      : (conn
      [Expert@FW]#
    3. 100h: Speed = 100 Mbit/sec, Duplex = Half

      [Expert@FW]# eth_set eth0 100h
      Configured speed/duplex settings:        100h
      NIC reported speed/duplex settings:      off
      NIC reported speed/duplex capabilities:  10h,100h,10f,100f,1000f,autoneg
      [Expert@FW]# 
      
      [Expert@FW]# ethtool eth0
      Settings for eth0:
              Supported ports: [ TP ]
              Supported link modes:   10baseT/Half 10baseT/Full 
                                      100baseT/Half 100baseT/Full 
                                      1000baseT/Full 
              Supports auto-negotiation: Yes
              Advertised link modes: Not reported
              Advertised auto-negotiation: No
              Speed: 100Mb/s
              Duplex: Half
              Port: Twisted Pair
              PHYAD: 1
              Transceiver: internal
              Auto-negotiation: off
              Supports Wake-on: umbg
              Wake-on: g
              Current message level: 0x00000007 (7)
              Link detected: yes
      [Expert@FW]# 
      
      [Expert@FW]# head -n 15 /etc/sysconfig/netconf.C
      (conf
              : (conns
                      : (conn
                              :ifname (eth0)
                              :type (1)
                              :dhcpc (0)
                              :ipaddr ("10.10.10.22/24")
                              :mtu (1500)
                              :onboot (1)
                              :iff-up (1)
                              :hwaddr ("00:11:22:33:44:55")
                              :ethtool (4)
                              :s-code (0)
                      )
                      : (conn
      [Expert@FW]#
    4. 100f: Speed = 100 Mbit/sec, Duplex = Full

      [Expert@FW]# eth_set eth0 100f
      Configured speed/duplex settings:        100f
      NIC reported speed/duplex settings:      off
      NIC reported speed/duplex capabilities:  10h,100h,10f,100f,1000f,autoneg
      [Expert@FW]# 
      
      [Expert@FW]# ethtool eth0
      Settings for eth0:
              Supported ports: [ TP ]
              Supported link modes:   10baseT/Half 10baseT/Full 
                                      100baseT/Half 100baseT/Full 
                                      1000baseT/Full 
              Supports auto-negotiation: Yes
              Advertised link modes: Not reported
              Advertised auto-negotiation: No
              Speed: 100Mb/s
              Duplex: Full
              Port: Twisted Pair
              PHYAD: 1
              Transceiver: internal
              Auto-negotiation: off
              Supports Wake-on: umbg
              Wake-on: g
              Current message level: 0x00000007 (7)
              Link detected: yes
      [Expert@FW]# 
      
      [Expert@FW]# head -n 15 /etc/sysconfig/netconf.C
      (conf
              : (conns
                      : (conn
                              :ifname (eth0)
                              :type (1)
                              :dhcpc (0)
                              :ipaddr ("10.10.10.22/24")
                              :mtu (1500)
                              :onboot (1)
                              :iff-up (1)
                              :hwaddr ("00:11:22:33:44:55")
                              :ethtool (8)
                              :s-code (0)
                      )
                      : (conn
      [Expert@FW]#
    5. 1000f: Speed = 1000 Mbit/sec, Duplex = Full

      NOTE: speed of 1000 Mbit/sec (1 Gb) can be set only in Full duplex, and has to be negotiated (advertised)

      [Expert@FW]# eth_set eth0 1000f
      Configured speed/duplex settings:        1000f
      NIC reported speed/duplex settings:      on
      NIC reported speed/duplex capabilities:  10h,100h,10f,100f,1000f,autoneg
      [Expert@FW]# 
      
      [Expert@FW]# ethtool eth0
      Settings for eth0:
              Supported ports: [ TP ]
              Supported link modes:   10baseT/Half 10baseT/Full 
                                      100baseT/Half 100baseT/Full 
                                      1000baseT/Full 
              Supports auto-negotiation: Yes
              Advertised link modes: 1000baseT/Full 
              Advertised auto-negotiation: Yes
              Speed: 1000Mb/s
              Duplex: Full
              Port: Twisted Pair
              PHYAD: 1
              Transceiver: internal
              Auto-negotiation: on
              Supports Wake-on: umbg
              Wake-on: g
              Current message level: 0x00000007 (7)
              Link detected: yes
      [Expert@FW]# 
      
      [Expert@FW]# head -n 15 /etc/sysconfig/netconf.C
      (conf
              : (conns
                      : (conn
                              :ifname (eth0)
                              :type (1)
                              :dhcpc (0)
                              :ipaddr ("10.10.10.22/24")
                              :mtu (1500)
                              :onboot (1)
                              :iff-up (1)
                              :hwaddr ("00:11:22:33:44:55")
                              :ethtool (32)
                              :s-code (0)
                      )
                      : (conn
      [Expert@FW]#
  6. Auto-Negotiation

    [Expert@FW]# eth_set eth0 autoneg
    Configured speed/duplex settings:        autoneg
    NIC reported speed/duplex settings:      on
    NIC reported speed/duplex capabilities:  10h,100h,10f,100f,1000f,autoneg
    [Expert@FW]# 
    
    [Expert@FW]# ethtool eth0
    Settings for eth0:
            Supported ports: [ TP ]
            Supported link modes:   10baseT/Half 10baseT/Full 
                                    100baseT/Half 100baseT/Full 
                                    1000baseT/Full 
            Supports auto-negotiation: Yes
            Advertised link modes:  10baseT/Half 10baseT/Full 
                                    100baseT/Half 100baseT/Full 
                                    1000baseT/Full 
            Advertised auto-negotiation: Yes
            Speed: 1000Mb/s
            Duplex: Full
            Port: Twisted Pair
            PHYAD: 1
            Transceiver: internal
            Auto-negotiation: on
            Supports Wake-on: umbg
            Wake-on: g
            Current message level: 0x00000007 (7)
            Link detected: yes
    [Expert@FW]# 
    
    [Expert@FW]# head -n 15 /etc/sysconfig/netconf.C
    (conf
            : (conns
                    : (conn
                            :ifname (eth0)
                            :type (1)
                            :dhcpc (0)
                            :ipaddr ("10.10.10.22/24")
                            :mtu (1500)
                            :onboot (1)
                            :iff-up (1)
                            :hwaddr ("00:11:22:33:44:55")
                            :ethtool (64)
                            :s-code (0)
                    )
                    : (conn
    [Expert@FW]#

Excluding a VPN gateway's address from the encryption domain

I don't know if this is new, but since the upgrade of our cluster to R75.20, I have been facing the following problem:

- When trying to reach a port via the WAN address of a firewall with which we have a VPN, the traffic tries to go through the VPN. This is a problem because we would like it to go in the clear.

The explanation was found on Lachmann's blog (http://blog.lachmann.org/):

When you define a peer gateway for a VPN community, you also have to define the topology of the gateway that is used for VPN connections. This is the encryption domain.

Defining an encryption domain for external VPN peer

What you don’t see is that the encryption domain does not only include the IP addresses of networks associated with the gateway, but also the gateway IP address itself.

This behaviour is not shared by other vendors, such as Cisco, for example; they only use the explicitly defined encryption domains.

Common scenario:

You have a VPN with a partner and exchange encrypted traffic. In addition, the partner offers you webpages available over the Internet and reachable over the official IP address of his VPN gateway.

When you try, for example, to access this webpage from within your network, the traffic will be sent encrypted to the remote gateway, let's say a Cisco ASA Firewall.

The Cisco ASA does not see its outside IP address as within its own encryption domain and refuses to create an SA. So your connection attempt will fail.

The solution to this is to exclude the external IP address of the remote VPN peer gateway from VPN.

A Check Point SK (sk44014) gives the resolution:

Procedure:

  1. On the Security Management server add the following lines at the end of the $FWDIR/lib/crypt.def file:

    change the line
    #define NON_VPN_TRAFFIC_RULES 0
    to:
    #define NON_VPN_TRAFFIC_RULES (dst= IP_Address_Of_VPN_Peer)

    The <IP address> is the IP address of the remote peer which should be excluded from the VPN-1 gateway's remote encryption domain.

    Note: the location of the crypt.def file depends on the software version.

    • R75.20 = $FWDIR/lib/crypt.def
    • R75 - R75.10 = CPR75CMP-R75.20/lib/crypt.def
    • R70.x - R71.x = CPR71CMP-R75.20/lib/crypt.def
    • R65 = CPNGXCMP-R75.20/lib/crypt.def
  2. Install the Security policy.

 

If, like me, you wonder how to add several, just do something like: (dst=x.x.x.x or dst=y.y.y.y or dst=z.z.z.z)
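
The multi-peer form above, generated and applied with a couple of safeguards, as an added example (not code from sk44014 or from the blog): each peer address is validated, the define is replaced only if it is present exactly once, and a backup of the file is kept. The crypt.def used here is a constructed stub holding only the line the procedure changes; the real path depends on the version, as listed above.

```shell
# Added example, not from sk44014 or the blog: builds the NON_VPN_TRAFFIC_RULES
# expression for one or more peer addresses (the "(dst=x or dst=y)" form above),
# validates each address, and applies it to crypt.def while keeping a backup.
# The crypt.def used here is a constructed stub holding only the line the
# procedure changes; the real path depends on the version, as listed above.

# 0 if the argument is a dotted-quad IPv4 address, 1 otherwise.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }
        { exit 1 }'
}

# Print "(dst=a or dst=b ...)" for the given peers; return 1 on a bad address.
non_vpn_traffic_rules() {
    rule=""
    for peer in "$@"; do
        is_ipv4 "$peer" || { echo "invalid peer address: $peer" >&2; return 1; }
        rule="${rule:+$rule or }dst=$peer"
    done
    [ -n "$rule" ] || return 1
    echo "($rule)"
}

# Current value of the define in a crypt.def file (text after the macro name).
current_non_vpn_rules() {
    awk '$1 == "#define" && $2 == "NON_VPN_TRAFFIC_RULES" { $1 = $2 = ""; sub(/^ +/, ""); print }' "$1"
}

# Replace the NON_VPN_TRAFFIC_RULES define in FILE (backup kept as FILE.bak).
# Refuses to touch the file unless the define is present exactly once.
apply_non_vpn_rules() {   # apply_non_vpn_rules FILE PEER_IP...
    file="$1"; shift
    rule=$(non_vpn_traffic_rules "$@") || return 1
    count=$(grep -c '^#define NON_VPN_TRAFFIC_RULES ' "$file" || true)
    if [ "$count" -ne 1 ]; then
        echo "$file: expected one NON_VPN_TRAFFIC_RULES define, found $count" >&2
        return 1
    fi
    cp "$file" "$file.bak"
    awk -v r="$rule" '
        $1 == "#define" && $2 == "NON_VPN_TRAFFIC_RULES" { print "#define NON_VPN_TRAFFIC_RULES " r; next }
        { print }' "$file.bak" > "$file"
}

# --- constructed sample ----------------------------------------------------
tmp=$(mktemp -d)
cat > "$tmp/crypt.def" <<'EOF'
// constructed stub of crypt.def: only the line the procedure changes is present
#define NON_VPN_TRAFFIC_RULES 0
EOF
apply_non_vpn_rules "$tmp/crypt.def" 203.0.113.10 203.0.113.20
current_non_vpn_rules "$tmp/crypt.def"
```

After editing the real file, the policy still has to be installed, as step 2 of the procedure says.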

Using netconf.C

Everyone who regularly installs a Check Point SPLAT makes the same observation:

It is tedious to create the network and routing configuration twice (once on each member of a cluster).

For routing, you can still apply the procedure I already provided on this blog: http://mguyard.wordpress.com/2011/07/24/migrer-la-table-de-routage-dune-splat-a-une-autre but if you have many network interfaces, it is easy to make a mistake.

On SPLAT there is a file, netconf.C, located in /etc/sysconfig.

This file contains all the information about the network interfaces as well as the routing table.

This file can therefore be used to configure the network and routing of a secondary member.

To do so, retrieve the /etc/sysconfig/netconf.C file from your primary member. Edit it with the IP addresses of your new member (remember to put the correct MAC addresses in it as well).

Place your modified file in /etc/sysconfig on your new member with the following permissions:

-rw-r--r--    1 root     root         8719 Dec 27 15:17 /etc/sysconfig/netconf.C

Then run this command in Expert mode on the new member:

cpnetconf load

All that is left is to reboot the member, and you will see the interfaces and routing in place.

Warning: make sure to use an editor that does not add "^M" at the end of lines, otherwise the import will be blocked. Personally, I use Notepad++, which is free.
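The checks described above (CR characters that block the import, the 0644 mode, and confirming the MAC and IP addresses were actually changed) as an added shell helper; this is example code, not the blog's, and it only matches address patterns, not netconf.C key names:

```shell
#!/bin/sh
# Added example (not from the blog): sanity-check a netconf.C copied from the
# primary cluster member before running "cpnetconf load" on the new member.
# It strips the CR ("^M") characters that block the import, applies the 0644
# mode shown above, and lists every MAC and IPv4 address left in the file so
# you can confirm none of the primary member's values were forgotten.
# The netconf.C key names are not parsed; only the address patterns are.

CR=$(printf '\r')

# Number of lines still carrying a CR (what would block "cpnetconf load").
count_cr() {
    grep -c "$CR" "$1" || true
}

# Strip CR characters in place; succeeds only if the file is now CR-free.
strip_cr() {
    tr -d '\r' < "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    ! grep -q "$CR" "$1"
}

# Unique MAC addresses (aa:bb:cc:dd:ee:ff form) found in the file.
list_macs() {
    grep -oiE '([0-9a-f]{2}:){5}[0-9a-f]{2}' "$1" | sort -u
}

# Unique dotted-quad IPv4 addresses found in the file.
list_ips() {
    grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' "$1" | sort -u
}

# Full check: clean the line endings, set the mode, report what is inside.
check_netconf() {
    f="$1"
    echo "CR-terminated lines before cleanup: $(count_cr "$f")"
    strip_cr "$f" || { echo "failed to remove CR characters from $f" >&2; return 1; }
    chmod 0644 "$f"
    echo "MAC addresses in $f (must be the new member's):"; list_macs "$f"
    echo "IPv4 addresses in $f (must be the new member's):"; list_ips "$f"
}

# Usage: sh check_netconf.sh /etc/sysconfig/netconf.C
if [ "$#" -eq 1 ]; then
    check_netconf "$1"
fi
```

The file is rewritten in place, so run it on your edited copy, not on the primary member's original.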

Switching a Management to primary or secondary

As this is by design, no 'solution' is required.

However there are instances where a customer’s Primary server has failed and it is required to export the database from the Secondary without reinstalling the Primary and Synchronizing.

Further, 'migrate export/upgrade_export' requires that all SmartConsoles be disconnected before running it. Therefore, if the 'Primary' is up and 'Active', it might be useful if the export could be run on a 'Standby'.

The Primary is the Security Management Server installed first in an environment, and the rest will all be Secondary. Further, the Primary can be Standby while a Secondary is Active. Please read sk65370 for further details.

To verify the Primary/Secondary state of the server, run

# cpprod_util FwIsPrimary

This returns '1' if the server is the Primary, or '0' if the server is a Secondary.

So the workaround is to trick the migration script into believing that it is running on the Primary and not on a Secondary.

To do this, run this command:

# cpprod_util FwSetPrimary 1

Verify this change by running the "cpprod_util FwIsPrimary" command again. Once this parameter is set to '1', you should be able to run 'migrate export' or 'upgrade_export' (depending on the version) without it causing an issue.

Once the export is complete, change the setting back to '0' by running the following command:

# cpprod_util FwSetPrimary 0
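The whole sequence above (read the flag, set it to 1, verify, export, set it back) as an added shell wrapper that also restores the flag when the export fails; this is example code, not from the SK or the blog, and the CPPROD_UTIL override variable is an assumption introduced so the logic can be tested without a Check Point server:

```shell
#!/bin/sh
# Added example (not from the SK or the blog): run "migrate export" (or
# "upgrade_export") on a Secondary (Standby) Security Management Server by
# setting FwSetPrimary to 1 only for the duration of the export, reading the
# flag back to verify each change, and restoring the original value even when
# the export fails. CPPROD_UTIL is an assumed override hook used so the logic
# can be exercised without a real Check Point installation.

CPPROD_UTIL="${CPPROD_UTIL:-cpprod_util}"

# Prints 1 on the Primary, 0 on a Secondary.
is_primary() {
    "$CPPROD_UTIL" FwIsPrimary
}

# Set the flag, then read it back rather than trusting the set call.
set_primary() {
    "$CPPROD_UTIL" FwSetPrimary "$1" && [ "$(is_primary)" = "$1" ]
}

# Usage: run_as_primary <export command and arguments>
# Returns the export command's exit status; the flag is always put back.
run_as_primary() {
    orig=$(is_primary) || return 1
    if [ "$orig" != "1" ]; then
        echo "server reports FwIsPrimary=$orig, setting it to 1 for the export"
        set_primary 1 || return 1
    fi
    "$@"
    rc=$?
    if [ "$orig" != "1" ]; then
        set_primary "$orig" || { echo "could not restore FwSetPrimary $orig" >&2; return 1; }
        echo "FwIsPrimary restored to $orig"
    fi
    return "$rc"
}

# Example usage on the Standby (the export file path is a placeholder):
#   run_as_primary migrate export /var/tmp/mgmt_export.tgz
if [ "$#" -gt 0 ]; then
    run_as_primary "$@"
fi
```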

Best practices for implementing Check Point rules

Here are some best-practice tips for implementing rules on a Check Point:

  1. Keep rules simple. The simpler the rules, the fewer errors there are and the more efficient they are.
  2. Avoid using "ANY" for services. Always analyze the required ports before implementation.
    • Even if ports then have to be opened one by one as things get blocked.
  3. Prefer NETWORK objects over several HOST objects.
  4. Use groups to gather sources/destinations/services.
  5. Always enable anti-spoofing on all firewall interfaces.
  6. Place the most frequently matched rules at the top of the rule base. This improves performance and makes the firewall more efficient.
    • The firewall searches the rule base in sequential order.
    • The first rule matching a connection is applied, not the rule that matches best.
  7. Use good naming conventions for network objects and services.
  8. Implement the "Stealth rule" to block and track connection attempts to the firewall module. Implement a rule at the bottom of the rule base and at the end of each section to block and log all traffic (clean-up). By default, Firewall-1 does not log traffic that is dropped.
  9. Do not use domain objects in the rule base. Domain objects can cause performance bottlenecks.
  10. Avoid too many levels of nesting for sections (we recommend no more than 3 levels so that it stays easy to read).
  11. To avoid being flooded by broadcast traffic such as bootp and NBT, create a rule to drop these packets without logging them. Ident is a service used by the SMTP protocol to try to identify mail clients. By rejecting the service rather than dropping it, the SMTP application gains performance because it does not have to wait for the ident connection to time out.
  12. Prefer "Reject" over "Drop" for certain services. Services such as "ident" should be rejected to allow better application performance.
    • When a Drop action is taken, the sender is not informed.
    • A Reject action behaves as follows:
      Service   Action
      TCP       The sender is notified.
      UDP       An ICMP "port unreachable" error is sent to the sender.
      Others    Same as Drop.
