Undocumented command to install policy on Locally managed Checkpoint UTM 1100 series appliance

I was trying the other day to exclude on UTM 1180 gateway some IP address and service combination from being encrypted inside VPN tunnel and noted that any changes you do to the firewall files on the CLI, in this case – crypt.def, do not take effect . It is actually logical as every SK asking you to do such changes also specifies that “Changes are to be done on SmartCenter/Management server and then you are to install Security Policy” . The catch here is “installing the policy” – if it is what is known as Locally managed UTM, i.e. you manage it via its Web interface, you have no such action – “install policy” .
One solution would be to restart the UTM – works, but kinda harsh. The other solution is this undocumented (not listed in any Checkpoint documentation I searched) command :
* You should be in Expert mode to run it . Also pay attention to the output – there should be no errors.

# fw_configload
FW.pf:
Compiled OK.
Resolver Error 0 (no error)
Resolver Error 0 (no error)
Resolver Error 0 (no error)
Resolver Error 0 (no error)

 

Read More

Useful CLI commands for Cisco CUCM

Useful CLI commands for Cisco CUCM .

I don’t work on the command line of CUCM often, if ever – you may add, but when the need arises here is the short list of commands to keep. A little reminder – the latest (starting version 5 and on) of Cisco CUCM software is Linux (namely Red Hat) based,  which of course includes the terminal access – be it a physical via console or a network one over ssh .
You create a username/password for the terminal during the CUCM  installation.
As Cisco do not want us to mess with the underlying OS, our interaction is limited to a very restricted kind of shell . So you don’t have access to the Linux commands, but you do have a predefined set of CUCM commands of which I present most useful ones here.
I run the examples below on a MCS hardware server so your output may vary.

 

– Changing password for yourself/another user . Know that it is here, but do not play with it risking to lock yourself out of the server.

admin:set password { age* | complexity* | expiry* | inactivity* | user* }

–  Get the disk usage

show diskusage activelog

– Show the status of the fans (irrelevant for VMware based install)

admin:show environment fans
(RPMS)     Lower                     Critical

ID     Current   Threshold Status

Fan Sensor 1 7800     4200      OK
Fan Sensor 2 7950     4200      OK
Fan Sensor 3 7800     4200      OK
Fan Sensor 4 7350     4200      OK
Fan Sensor 5 7200     4200      OK

– Show the server temperature (irrelevant for VMware based install)

show environment temperatures

(Celcius)    Non-Critical   Critical   Threshold    Threshold

     ID       Current  Lower   Upper   Lower   Upper  Location Temperature Sensor
1             
24          53          54           55        62   1

– Show the server hardware (irrelevant for VMware based install)

show hardware

HW Platform    : 7825I4
Processors     : 1
Type           : Intel(R) Core(TM)2 Duo CPU E8400  @ 3.00GHz
CPU Speed      : 3000
Memory         : 2048 MBytes

show logins
administ pts/0     192.168.7.1   Wed Aug 12 09:56   still logged in

– Show physical memory (irrelevant for VMware based install)

show memory modules

Bank  Locator   Size  Active Status
DIMM 1  DIMM 1  1024 MB TRUE OK
DIMM 3  DIMM 3  1024 MB TRUE OK

– Show interface status (more useful for hardware based servers than VMware ones)

show network eth0

Ethernet 0
DHCP      : disabled        Status : up
IP Address   : 192.168.10.1     IP Mask : 255.255.255.000
Link Detected: yes             Mode    : Auto enabled, Full, 100 Mbits/s
Duplicate IP : no
DNS   Not configured.
Gateway   : 192.168.10.254 on Ethernet 0

– Show number of open connections . If there is some network connectivity issue this number will be unusually low as each IP Phone/voice gateway is counted as a connection.
show network ip_conntrack

972

– Show open and accessible over the network ports

show network ipprefs public

Application  IPProtocol   PortValue Type      XlatedPort   Status    Description

———— ———— ———— ———— ———— ———— ————

sshd      tcp       22        public    –         enabled   sftp and ssh access
clm       udp       8500      public    –         enabled   cluster manager
clm       tcp       8500      public    –         enabled   cluster manager
tomcat    tcp       8443      translated   443       enabled   secure web access
tomcat    tcp       8080      translated   80        enabled   web access
ntpd      udp       123       public    –         enabled   network time sync

Read More

Overlooked but nice utility from Checkpoint – cpview

Checkpoint has made available starting with R77 this helpful information utility called cpview of which not many are aware. This is basically a Bash script that runs a bunch of native Checkpoint commands in the background and displays the output on the terminal while updating the data every other second.
– Running the command (you have to be in the Expert mode):
#cpview
– File location:
# which cpview
alias cpview='/bin/cpview_start.sh'

/bin/cpview_start.sh
– Some of the commands the utility runs:
fw ctl pstat
fw ctl multik stat
fw ctl affinity -l -r

Example output:cpview

Read More

Checkpoint Mobile Access support for SHA-256 SSL certificates

The new era of sha-256 as opposed to sha-1 signed SSL certificates is slowly gaining the pace, not without a gentle push from the browser providers . And Checkpoint is catching up in its new version R77.30 for Open Servers.
While on both versions – 77.20 and 77.30 cpopenssl package gives the same version info they do differ:

cpopenssl command accepting -sha-256 option

openssl in R77.30 now supports SHA-256 certificates

It doesn’t mean earlier versions do not support SHA256 certificates – just that you cannot issue CSR requests signed with SHA256. Nevertheless, your SSL certificate provider technically is very much able to issue SHA-256 certificate based on SHA-1 signed CSR requests as both are not really related.

Read More

SNMP in Gaia default community string

Configuring SNMP in Gaia as opposed to SPLAT has been made much simpler. So simple that it is easy to overlook that default configured read-only community is public .
So , it is a good idea to change it while enabling SNMP:
set snmp agent on
set snmp agent-version any
set snmp community public read-only

PS. Another ‘feature’ of the SNMP is that you can either enable SNMP version 1 and 2 or version 3. Trying to enable just version 2c is not possible.

Read More

RIPE database query for a route object, or why my network is not advertised via BGP to the world

Once it was a nice-to-have configuration that most ISPs in the world ignored anyway, but today it is a must if you are planning to advertise your networks via BGP through your uplink provider – your route object in the AS whois database of the uplink provider. If not – you will happily advertise your networks, the uplink provider will duly advertise them to its uplink peers, which will check AS registry database of your provider and not finding this route object will silently drop the advertising.
Of course it is duty of your transit ISP provider to update their records with your network, but after all, you are the one most interested – so as they say in Russian ” Доверяй но проверяй ” , and here is how to do it:
whois -h whois.ripe.net — ‘-a -r -i or -T route AS1680’ | grep route
In this example I assume your uplink provider is Netvision with AS1680 , replace AS number with the correct one.
Output will look like:
route: 109.186.0.0/16
route: 109.253.0.0/16
route: 117.121.245.0/24
route: 138.134.0.0/16
route: 147.161.0.0/16

If you don’t find in such listing your network – Houston, you have a problem here.

Read More