yurisk.info » Yuri

How to enroll VPN client with IOS CA

Yuri — Mon, 16 Apr 2012 17:23:20 +0000

If you didn’t notice Cisco IOS routers can serve as CA servers as well. The example configurations are easy to find on the cisco.com but the only trick to know when enrolling Cisco VPN client with IOS CA is the syntax you put as url – the string should look:
http://192.182.12.1:80/cgi-bin/pkiclient.exe
I attach below screenshot so you can see what I mean.
Some references as well .
www.cisco.com
ieoc.com/forums/t/12071.aspx

PKI client enrol with cisco CA

Check duplex and speed settings of all interfaces in one go

Yuri — Thu, 16 Feb 2012 18:36:39 +0000

One of the first things you do when checking connectivity issues on the Checkpoint (or any networking gear for that matter) is to see speed and duplex parameters of the interfaces. But have you tried to do it on a firewall with 15-20 interfaces ?
No fun entering one by one interfaces’ names. Here is the one-liner I use to get speed and duplex settings of all interfaces in one go.

# for ii in $(ifconfig | awk ‘/Ethernet/ {print $1}’) ;do ethtool $ii; done | egrep ‘eth|Speed|Duplex’
Settings for eth0:
Speed: 100Mb/s
Duplex: Full
Settings for eth1:
Speed: 1000Mb/s
Duplex: Full
Settings for eth1.150:
Speed: 1000Mb/s
Duplex: Full
Settings for eth1.160:
Speed: 1000Mb/s
Duplex: Full
Settings for eth1.161:
Speed: 1000Mb/s
Duplex: Full
Settings for eth1.270:
Speed: 1000Mb/s
Duplex: Full
Settings for eth1.271:
Speed: 1000Mb/s
Duplex: Full

Settings for eth1.281:
Speed: 1000Mb/s
Duplex: Full
Settings for eth1.35:
Speed: 1000Mb/s
Duplex: Full
Settings for eth2:
Speed: 100Mb/s
Duplex: Full
Settings for eth3:
Speed: 1000Mb/s
Duplex: Full
Settings for eth4:
Speed: 1000Mb/s
Duplex: Full
Settings for eth4.112:
Speed: 1000Mb/s
Duplex: Full
Settings for eth4.211:
Speed: 1000Mb/s
Duplex: Full
Settings for eth4.311:
Speed: 1000Mb/s
Duplex: Full
Settings for eth4.71:
Speed: 1000Mb/s
Duplex: Full
Settings for eth4.72:
Speed: 1000Mb/s
Duplex: Full
Settings for eth4.73:
Speed: 1000Mb/s
Duplex: Full
Settings for eth4.413:
Speed: 1000Mb/s
Duplex: Full
Settings for eth4.419:
Speed: 1000Mb/s
Duplex: Full
Settings for eth4.451:
Speed: 1000Mb/s
Duplex: Full
Settings for eth4.407:
Speed: 1000Mb/s
Duplex: Full
Settings for eth4.408:
Speed: 1000Mb/s
Duplex: Full
Settings for eth5:
Speed: 1000Mb/s
Duplex: Full
Settings for eth7:
Speed: 1000Mb/s
Duplex: Full

Funny way to expire Antispam license in Checkpoint

Yuri — Mon, 13 Feb 2012 16:19:35 +0000

After years with Checkpoint products I came to conclusion that if you don’t have logical explanation why something doesn’t work, it is most probably license issue.
My client stopped getting emails behind UTM-132 at some remote branch . Doing the basics – telnet to port 25 (Checkpoint answered as it should),Exchange answering on port 25 as well didn’t come up with anything.
Then I looked at mail spool in the Checkpoint and voila, all the emails that didn’t reach internal Exchange were stuck there for no obvious reason.
The reason became obvious when I looked at the SmartTracker and saw “AntiSpam service license expired” message . Only then did I recall that this UTM had once Total security license that included the Antispam , but had expired long ago.
Why upon expiring license Checkpoint instead of passing mails without Antispam filtering decided to “hijack” the mails is left without answer.

Finally GEO location blocking has arrived to Fortigate

Yuri — Thu, 09 Feb 2012 18:35:47 +0000

It was predictable thing for Fortinet to do as everyone else has already been doing so.
I haven’t verified myself but according to the informed source (can only say his name – Hen) they are using
Maxmind database . So let’s see how to do it .
First you create in New Address dialog window the Geography type object specifying the country. As you can only pick one country per address use Address Groups to combine few countries together.
After creating such Address object you can use it in Firewall Policy just as you would the usual Address.
Personal Note: While there is an ongoing fuss/hysteria about the cyberwar being waged that started 2 weeks ago when Saudi “hackers” DDOS’ed few Israel websites, from what I see in the field it is more of a FUD campaign, one of the byproducts of which is rush of many website owners in Israel to block Saudi Arabia IPs (or any Arabic world IPs for that matter). What happened in fact was that most of DDOS came from anywhere but Arab world (Russia, China,US) , from botnets-for-hire.
The only reason I can think of why you would use Geo location block is to lower noise/size of logs by silently dropping traffic from unwanted countries.

Convert Fortigate diagnose sniffer packet output into tcpdump format understood by Wireshark

Yuri — Mon, 06 Feb 2012 18:06:31 +0000

Running diagnose sniffer packet on Fortinet Fortigate unit outputs human-readable packet information and packet data . Only that sometimes you would like to have the traffic sniffed at Fortigate in Wireshark-readable format so that it can be analyzed by all powerful Wireshark.
For this case Fortinet came up with the script and application that takes text output of this sniffer command and parses it into tcpdump format (.cap) which you can later open in Wireshark.
I guess there are other scripts available that do just that (after all it is just parsing the text file) , but from Fortinet you can find it here:
kb.fortinet.com/kb/viewContent.do?externalId=11186&sliceId=1

Or by searching their website for
fgt2eth.pl
fgt2eth.zip

awk weekly – Security rule hits statistics . Checkpoint

Yuri — Tue, 31 Jan 2012 08:50:36 +0000

As I mentioned before once you export firewall logs into human-readable format you can do lots of interesting things – for example script that gives statistics of how many times each Security rule was hit .
Be aware that this counts explicit Security rules only – i.e. the ones you see in Security tab of the Smartdashboard. No other rules you usually see in Smartview Tracker are counted – e.g. SmartDefense,Web Filtering etc. Also afterwards I sort it by number of hits to see what rules are used most:

awk -F\; ' {match($0,/rule: +([0-9]+)/,rules);rule_count[rules[1]]++} END {for (rule_number in rule_count) print " Rule number: " rule_number " Hits: " rule_count[rule_number]}' ./fw.log.txt | sort -n -k5

Rule number:  Hits: 1197330  Ignore this line as it counts non-matched lines I dont want to filter with additional conditions and added time processing
 Rule number: 2 Hits: 9
 Rule number: 5 Hits: 366
 Rule number: 11 Hits: 12296
 Rule number: 9 Hits: 14457
 Rule number: 0 Hits: 17094
 Rule number: 1 Hits: 44066
 Rule number: 7 Hits: 233643
 Rule number: 10 Hits: 366275
 Rule number: 6 Hits: 424639

Update 2012 Below is the script to use Rule ID instead of Rule sequential numbers – this way changing rules order will not affect statistics. The script matches also non-security rules – e.g. email session id, that are a bit shorter then Rule ID, but I didn’t want to slow down the processing with additional formatting .

awk -F\; ' {match($0,/{([[:print:]]+)}/,rules);rule_count[rules[1]]++} END {for (rule_number in rule_count) print " Rule number: " rule_number " Hits: " rule_count[rule_number]}' ./fw.log.txt | sort -n -k5

Rule number: D199972C-ED3E-4EB4-8B83-813333156D18 Hits: 175
 Rule number: 85A905A7-951E-4100-A4BA-E13333151D29 Hits: 219
 Rule number: 81333316-E942-4313-BB7D-E1333315802F Hits: 1519
 Rule number: 71333215-2DB5-4A3A-95BC-5080AD0F5564 Hits: 2298
 Rule number: 11331315-AE52-44E0-A42A-711029B5768E Hits: 3755
 Rule number: 01333315-D290-4B05-AFE7-23BF24D889FF Hits: 4116
 Rule number: 121FA62F-3885-4328-8090-BF1333315eB1 Hits: 399793
 Rule number: FE40E076-BAEB-4979-8E41-5EF1333315e6 Hits: 440101
 Rule number: BB3F6772-4D38-4D5A-952A-301333315de8 Hits: 1354341
Running time for a file of 900 Mb with 4.7 million records
real    5m50.287s
user    4m22.890s
sys     0m3.190s

Time-based access limiting on Checkpoint or any Linux for that matter

Yuri — Mon, 14 Nov 2011 21:08:16 +0000

Time-based access-lists in Cisco world are available since … last century for sure. But is it possible that Linux doesn’t have anything like that ? No way – of course it can do and do it better. Here is how .
Access control based on time of the day is available via pam module, and as almost all software today supports working with pam modules, it means it is available universally.
Steps to do it are these:

Enable pam_time.so module for the software of interest in its config file in /etc/pam.d ;
Configure time range(s) when this service is accepting connections using file /etc/security/time.conf
Most probably restart the service and we are set.

E.g. Let’s restrict user ftp_user so that it is able to connect to vsftpd daemon only during working hours of the weekdays.
- Add to file /etc/pam.d/vsftpd the following line
account required /lib/security/pam_time.so
- Set time limits in /etc/security/time.conf with this line
vsftpd;*;ftp_user;Wk0800-1700
- Restart vsftpd to force it using pam_time.so module (need to do it just first time)
#service vsftpd restart
And now during the off-limit hours the ftp_user will not be able to connect by FTP, that is it .

For Checkpoint all the above holds true, but as you don’t have much servers there , the most probable candidate for such restrictions is ssh daemon. For example firewall that the client has access by ssh to it as well – while mail alerts for such access (see Mail alert on ssh access in Checkpoint) will warn me about such access, it does me no good if someone on client side accesses the firewall at 02:00 am at night and I get alert . But if it happens during working hours only, I can see such alert and act in real time.
Example for limiting ssh access to the firewall to working hours only.
/etc/security/time.conf :
sshd;*;client_user;Wk0900-1900
/etc/pam.d/sshd :
account required /lib/security/pam_time.so

Set NTP time source on Checkpoint to have correct log timestamps

Yuri — Sat, 12 Nov 2011 17:29:44 +0000

It is hard to argue that logs are as good as correct they are. And correct timestamps of the logs are crucial to this. Internal clock is prone to drifting with time, in my experience I’ve seen some UTM appliances to drift as much as 40 minutes in just one year ! Even worse is that you can never be sure of the drift distribution over time – it may be incremental drift every day, or sudden jump due to who knows what.
To prevent this from happening I use NTP time synchronization on all of my servers/firewalls. If you have been in system administration for some time it is old news for you – just use ntpd daemon and pool.ntp.org servers located close to you, and you are set in 5 minutes.
In Checkpoint they took the hardening of the underlying OS to extreme and supplied only outdated ntpdate utility for the task, no ntpd for us.
Not a big deal – I use the cron job below to run every 30 minutes ntpdate to update the firewall clock and so better be you.
Cheers
30 * * * * /usr/sbin/ntpdate 1.uk.pool.ntp.org > dev/null

All you need to know about networking in Checkpoint firewall SecurePlatform FAQ

Yuri — Thu, 27 Oct 2011 11:32:13 +0000

Q. How do I see available interfaces, errors on them , IP addresses .
Q. How do I see routing table of the firewall.
Q. How do I see duplex, speed, physical link status of the interface .
Q. How do I manually set duplex, speed, autonegotiation settings of an interface.
Q. How do I save changes to the interface duplex ,speed or autonegotiaiton permanently.
Q. How do I add, delete, change routes.
Q. How do I delete, change IP address on the interface.
Q. How do I add, change, delete VLAN .
Q. How do I see existing VLANs .
Q. Can I combine few interfaces into one logical interface .
Q. How do I shut and unshut an interface.

Q. How do I see available interfaces, errors on them , IP addresses .

A. # ifconfig

Q. How do I see routing table of the firewall.

A. # route -en

Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
19.247.195.20   0.0.0.0         255.255.255.252 U         0 0          0 External
10.123.123.0    0.0.0.0         255.255.255.224 U         0 0          0 Lan1

Legend:
Gateway – via which gateway this network is available, 0.0.0.0 means this network is configured locally on the interface
Iface – name of the interface via which this network is reachable

Q. How do I see duplex, speed, physical link status of the interface .

A. # ethtool
e.g. # ethtool External
Settings for External:
Supported ports: [ TP MII ]
Supported link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
Supports auto-negotiation: Yes
Advertised link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
Advertised auto-negotiation: Yes
Speed: 100Mb/s
Duplex: Full
Port: MII
PHYAD: 1
Transceiver: internal
Auto-negotiation: on
Supports Wake-on: g
Wake-on: g
Current message level: 0×00000007 (7)
Link detected: yes

Q. How do I manually set duplex, speed, autonegotiation settings of an interface.

A. # ethtool -s speed 100
ethtool -s duplex full
ethtool -s autoneg off
IMPORTANT: the changes above will be active until reboot of the firewall, to set them
permanently see below.

Q. How do I save changes to the interface duplex ,speed or autonegotiaiton permanently.

A. # eth_set [10h|10f|100h|100f|1000h|1000f|autoneg]
e.g # eth_set Lan1 100f

Q. How do I add, delete, change routes.

A. Using #sysconfig utility and its interactive menu (option 6) .

Q. How do I delete, change IP address on the interface

A. # sysconfig then option 5 .

Q. How do I add, change, delete VLAN .

A. # sysconfig , then option 5 .

Q. How do I see existing VLANs .

A Either via #sysconfig , then option 5 or ifconfig, VLAN interfaces will have format of . .
e.g. # ifconfig
eth7.301 Link encap:Ethernet HWaddr 00:1B:4A:CF:26:71

Q. Can I combine few interfaces into one logical interface .

A. Yes , such interface is called Bond. Note that out of all interfaces added to the Bond interface, only one will be active and passing the traffic, the rest will be in standby mode in case active interface fails.
NOTE 2 In new versions it is possible to have bond in Load Sharing mode.

Q. How do I shut and unshut an interface.

A. #ifconfig down
# ifconfig up

Enable 2 factor authentication to protect your Gmail account if you have not done so already

Yuri — Wed, 26 Oct 2011 11:34:42 +0000

Today i did an improvised poll at work who is using the 2 factor authentication with their Gmail mail account and got only one positive answer – me . The question was in turn inspired by the article in Atlantic Monthly where James Fallows depicts in detail his wife’s Gmail account being hacked and how much trouble it was to get it back. I can only add that not using absolutely free and easy feature to safeguard your precious asset, mail account – is pretty reckless in our time . Just imagine what it would be to have ALL your Gmail inbox emptied and have your access to the account lost due to a hack …
I’ve always known that the best way to solve the problems is to prevent them from occurring at all, so go ahead and use this Gmail feature and have less problems in life to solve .
My personal experience of few months is that it works with any mobile provider in Israel and it is pretty much ‘ set and forget ‘ type of configuration, just be able to receive once a month SMS , it can’t be any easier I guess.
Advanced sign-in security for your Google account