yurisk.info » Checkpoint NG/NGX

Check duplex and speed settings of all interfaces in one go

Yuri — Thu, 16 Feb 2012 18:36:39 +0000

One of the first things you do when checking connectivity issues on the Checkpoint (or any networking gear for that matter) is to see speed and duplex parameters of the interfaces. But have you tried to do it on a firewall with 15-20 interfaces ?
No fun entering one by one interfaces’ names. Here is the one-liner I use to get speed and duplex settings of all interfaces in one go.

# for ii in $(ifconfig | awk ‘/Ethernet/ {print $1}’) ;do ethtool $ii; done | egrep ‘eth|Speed|Duplex’
Settings for eth0:
Speed: 100Mb/s
Duplex: Full
Settings for eth1:
Speed: 1000Mb/s
Duplex: Full
Settings for eth1.150:
Speed: 1000Mb/s
Duplex: Full
Settings for eth1.160:
Speed: 1000Mb/s
Duplex: Full
Settings for eth1.161:
Speed: 1000Mb/s
Duplex: Full
Settings for eth1.270:
Speed: 1000Mb/s
Duplex: Full
Settings for eth1.271:
Speed: 1000Mb/s
Duplex: Full

Settings for eth1.281:
Speed: 1000Mb/s
Duplex: Full
Settings for eth1.35:
Speed: 1000Mb/s
Duplex: Full
Settings for eth2:
Speed: 100Mb/s
Duplex: Full
Settings for eth3:
Speed: 1000Mb/s
Duplex: Full
Settings for eth4:
Speed: 1000Mb/s
Duplex: Full
Settings for eth4.112:
Speed: 1000Mb/s
Duplex: Full
Settings for eth4.211:
Speed: 1000Mb/s
Duplex: Full
Settings for eth4.311:
Speed: 1000Mb/s
Duplex: Full
Settings for eth4.71:
Speed: 1000Mb/s
Duplex: Full
Settings for eth4.72:
Speed: 1000Mb/s
Duplex: Full
Settings for eth4.73:
Speed: 1000Mb/s
Duplex: Full
Settings for eth4.413:
Speed: 1000Mb/s
Duplex: Full
Settings for eth4.419:
Speed: 1000Mb/s
Duplex: Full
Settings for eth4.451:
Speed: 1000Mb/s
Duplex: Full
Settings for eth4.407:
Speed: 1000Mb/s
Duplex: Full
Settings for eth4.408:
Speed: 1000Mb/s
Duplex: Full
Settings for eth5:
Speed: 1000Mb/s
Duplex: Full
Settings for eth7:
Speed: 1000Mb/s
Duplex: Full

Funny way to expire Antispam license in Checkpoint

Yuri — Mon, 13 Feb 2012 16:19:35 +0000

After years with Checkpoint products I came to conclusion that if you don’t have logical explanation why something doesn’t work, it is most probably license issue.
My client stopped getting emails behind UTM-132 at some remote branch . Doing the basics – telnet to port 25 (Checkpoint answered as it should),Exchange answering on port 25 as well didn’t come up with anything.
Then I looked at mail spool in the Checkpoint and voila, all the emails that didn’t reach internal Exchange were stuck there for no obvious reason.
The reason became obvious when I looked at the SmartTracker and saw “AntiSpam service license expired” message . Only then did I recall that this UTM had once Total security license that included the Antispam , but had expired long ago.
Why upon expiring license Checkpoint instead of passing mails without Antispam filtering decided to “hijack” the mails is left without answer.

awk weekly – Security rule hits statistics . Checkpoint

Yuri — Tue, 31 Jan 2012 08:50:36 +0000

As I mentioned before once you export firewall logs into human-readable format you can do lots of interesting things – for example script that gives statistics of how many times each Security rule was hit .
Be aware that this counts explicit Security rules only – i.e. the ones you see in Security tab of the Smartdashboard. No other rules you usually see in Smartview Tracker are counted – e.g. SmartDefense,Web Filtering etc. Also afterwards I sort it by number of hits to see what rules are used most:

awk -F\; ' {match($0,/rule: +([0-9]+)/,rules);rule_count[rules[1]]++} END {for (rule_number in rule_count) print " Rule number: " rule_number " Hits: " rule_count[rule_number]}' ./fw.log.txt | sort -n -k5

Rule number:  Hits: 1197330  Ignore this line as it counts non-matched lines I dont want to filter with additional conditions and added time processing
 Rule number: 2 Hits: 9
 Rule number: 5 Hits: 366
 Rule number: 11 Hits: 12296
 Rule number: 9 Hits: 14457
 Rule number: 0 Hits: 17094
 Rule number: 1 Hits: 44066
 Rule number: 7 Hits: 233643
 Rule number: 10 Hits: 366275
 Rule number: 6 Hits: 424639

Update 2012 Below is the script to use Rule ID instead of Rule sequential numbers – this way changing rules order will not affect statistics. The script matches also non-security rules – e.g. email session id, that are a bit shorter then Rule ID, but I didn’t want to slow down the processing with additional formatting .

awk -F\; ' {match($0,/{([[:print:]]+)}/,rules);rule_count[rules[1]]++} END {for (rule_number in rule_count) print " Rule number: " rule_number " Hits: " rule_count[rule_number]}' ./fw.log.txt | sort -n -k5

Rule number: D199972C-ED3E-4EB4-8B83-813333156D18 Hits: 175
 Rule number: 85A905A7-951E-4100-A4BA-E13333151D29 Hits: 219
 Rule number: 81333316-E942-4313-BB7D-E1333315802F Hits: 1519
 Rule number: 71333215-2DB5-4A3A-95BC-5080AD0F5564 Hits: 2298
 Rule number: 11331315-AE52-44E0-A42A-711029B5768E Hits: 3755
 Rule number: 01333315-D290-4B05-AFE7-23BF24D889FF Hits: 4116
 Rule number: 121FA62F-3885-4328-8090-BF1333315eB1 Hits: 399793
 Rule number: FE40E076-BAEB-4979-8E41-5EF1333315e6 Hits: 440101
 Rule number: BB3F6772-4D38-4D5A-952A-301333315de8 Hits: 1354341
Running time for a file of 900 Mb with 4.7 million records
real    5m50.287s
user    4m22.890s
sys     0m3.190s

Time-based access limiting on Checkpoint or any Linux for that matter

Yuri — Mon, 14 Nov 2011 21:08:16 +0000

Time-based access-lists in Cisco world are available since … last century for sure. But is it possible that Linux doesn’t have anything like that ? No way – of course it can do and do it better. Here is how .
Access control based on time of the day is available via pam module, and as almost all software today supports working with pam modules, it means it is available universally.
Steps to do it are these:

Enable pam_time.so module for the software of interest in its config file in /etc/pam.d ;
Configure time range(s) when this service is accepting connections using file /etc/security/time.conf
Most probably restart the service and we are set.

E.g. Let’s restrict user ftp_user so that it is able to connect to vsftpd daemon only during working hours of the weekdays.
- Add to file /etc/pam.d/vsftpd the following line
account required /lib/security/pam_time.so
- Set time limits in /etc/security/time.conf with this line
vsftpd;*;ftp_user;Wk0800-1700
- Restart vsftpd to force it using pam_time.so module (need to do it just first time)
#service vsftpd restart
And now during the off-limit hours the ftp_user will not be able to connect by FTP, that is it .

For Checkpoint all the above holds true, but as you don’t have much servers there , the most probable candidate for such restrictions is ssh daemon. For example firewall that the client has access by ssh to it as well – while mail alerts for such access (see Mail alert on ssh access in Checkpoint) will warn me about such access, it does me no good if someone on client side accesses the firewall at 02:00 am at night and I get alert . But if it happens during working hours only, I can see such alert and act in real time.
Example for limiting ssh access to the firewall to working hours only.
/etc/security/time.conf :
sshd;*;client_user;Wk0900-1900
/etc/pam.d/sshd :
account required /lib/security/pam_time.so

Set NTP time source on Checkpoint to have correct log timestamps

Yuri — Sat, 12 Nov 2011 17:29:44 +0000

It is hard to argue that logs are as good as correct they are. And correct timestamps of the logs are crucial to this. Internal clock is prone to drifting with time, in my experience I’ve seen some UTM appliances to drift as much as 40 minutes in just one year ! Even worse is that you can never be sure of the drift distribution over time – it may be incremental drift every day, or sudden jump due to who knows what.
To prevent this from happening I use NTP time synchronization on all of my servers/firewalls. If you have been in system administration for some time it is old news for you – just use ntpd daemon and pool.ntp.org servers located close to you, and you are set in 5 minutes.
In Checkpoint they took the hardening of the underlying OS to extreme and supplied only outdated ntpdate utility for the task, no ntpd for us.
Not a big deal – I use the cron job below to run every 30 minutes ntpdate to update the firewall clock and so better be you.
Cheers
30 * * * * /usr/sbin/ntpdate 1.uk.pool.ntp.org > dev/null

All you need to know about networking in Checkpoint firewall SecurePlatform FAQ

Yuri — Thu, 27 Oct 2011 11:32:13 +0000

Q. How do I see available interfaces, errors on them , IP addresses .
Q. How do I see routing table of the firewall.
Q. How do I see duplex, speed, physical link status of the interface .
Q. How do I manually set duplex, speed, autonegotiation settings of an interface.
Q. How do I save changes to the interface duplex ,speed or autonegotiaiton permanently.
Q. How do I add, delete, change routes.
Q. How do I delete, change IP address on the interface.
Q. How do I add, change, delete VLAN .
Q. How do I see existing VLANs .
Q. Can I combine few interfaces into one logical interface .
Q. How do I shut and unshut an interface.

Q. How do I see available interfaces, errors on them , IP addresses .

A. # ifconfig

Q. How do I see routing table of the firewall.

A. # route -en

Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
19.247.195.20   0.0.0.0         255.255.255.252 U         0 0          0 External
10.123.123.0    0.0.0.0         255.255.255.224 U         0 0          0 Lan1

Legend:
Gateway – via which gateway this network is available, 0.0.0.0 means this network is configured locally on the interface
Iface – name of the interface via which this network is reachable

Q. How do I see duplex, speed, physical link status of the interface .

A. # ethtool
e.g. # ethtool External
Settings for External:
Supported ports: [ TP MII ]
Supported link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
Supports auto-negotiation: Yes
Advertised link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
Advertised auto-negotiation: Yes
Speed: 100Mb/s
Duplex: Full
Port: MII
PHYAD: 1
Transceiver: internal
Auto-negotiation: on
Supports Wake-on: g
Wake-on: g
Current message level: 0×00000007 (7)
Link detected: yes

Q. How do I manually set duplex, speed, autonegotiation settings of an interface.

A. # ethtool -s speed 100
ethtool -s duplex full
ethtool -s autoneg off
IMPORTANT: the changes above will be active until reboot of the firewall, to set them
permanently see below.

Q. How do I save changes to the interface duplex ,speed or autonegotiaiton permanently.

A. # eth_set [10h|10f|100h|100f|1000h|1000f|autoneg]
e.g # eth_set Lan1 100f

Q. How do I add, delete, change routes.

A. Using #sysconfig utility and its interactive menu (option 6) .

Q. How do I delete, change IP address on the interface

A. # sysconfig then option 5 .

Q. How do I add, change, delete VLAN .

A. # sysconfig , then option 5 .

Q. How do I see existing VLANs .

A Either via #sysconfig , then option 5 or ifconfig, VLAN interfaces will have format of . .
e.g. # ifconfig
eth7.301 Link encap:Ethernet HWaddr 00:1B:4A:CF:26:71

Q. Can I combine few interfaces into one logical interface .

A. Yes , such interface is called Bond. Note that out of all interfaces added to the Bond interface, only one will be active and passing the traffic, the rest will be in standby mode in case active interface fails.
NOTE 2 In new versions it is possible to have bond in Load Sharing mode.

Q. How do I shut and unshut an interface.

A. #ifconfig down
# ifconfig up

Enable RADIUS Authentication for SSH and WEBGui access to the Checkpoint firewall

Yuri — Tue, 02 Aug 2011 06:58:29 +0000

User actions accountability is one of the building blocks of Non-repudiation in Security.
In Checkpoint , nevertheless, the default (and widely used) user authentication for SSH and WEBGui sessions is local. Actually Checkpoint thought about that long ago and have been offering Radius authentication for users accessing the SecurePlatform via SSH or WEBgui for quite long time. I’ll put the discussion why they did it as a separately priced feature aside.
But if you have SecurePlatform Pro license for NGX R65 or earlier or Advanced Networking Blade for R70 or later then you can use it once Pro features are enabled on the SPLAT.
To help you configuring this I recorded this video , so be secure and enjoy.
PS As always feedback is welcome here as well as to the email yuri@yurisk.info.
Direct link to Vimeo

Enable SNMP v3 in Checkpoint video walkthrough

Yuri — Thu, 28 Apr 2011 07:25:16 +0000

SNMP version 3 has been with us for so many years but so very few Checkpoint folks use it that I decided to do this screencast/video showing how to enable and use SNMP v3 in Checkpoint firewall. NOTE - the language of narration is Hebrew .

BTW I think of posting more videos like that . All of them will be available under http://vimeo.com/yurisk

BTW2 If you have free user in Vimeo.com you can download the videos as files as well.

Two tips to secure SSH access from specific IPs to specific users in Checkpoint or any Linux

Yuri — Tue, 05 Apr 2011 07:06:06 +0000

Today I’ll bring you two tips to secure SSH access to the Checkpoint firewall beyond firewall rules itself. SSH access is the most powerful way to own the firewall so it should be secured to the paranoid level and even then it is never enough.
Tip 1 Change the listening port.
You may say obscurity is not security but I will not agree – any measure that makes attacking your system harder without much burden on you is valid. After all there is no such thing total security, only endless arms race. Checkpoint just being a Linux in disguise uses OPenSSH server so changing the port is done via :
NOTE before changing listening port don’t forget to allow incoming connection on this port in firewall rules.

/etc/ssh/sshd_config
#Port 22

You change the above line to (if say I want to change port to 5022):

Port 5022

Then save , then restart the SSH daemon:

[Expert@fireball]# service sshd restart

Now you connect to the firewall #ssh -p 5022 user@IP
Tip 2 Limit SSH access per user and per IP address
Openssh provides the possibility to restrict access for specific user to specific IP addresses. I will look here at few potential scenarios.
Case 1 Limit all SSH users to access from specific IP , here from network 99.19.19.0/24:
At the bottom of the same file /etc/ssh/sshd_config I add:

AllowUsers *@99.19.19.*

Save , restart SSH daemon and this will take effect – only users coming from network
99.19.19.0/24 will be able to login by ssh , any other source IP will always get “Wrong username or password”
Case 2 Limit some users to access from specific IPs but allow others from Any.
Checkpoint comes with default user admin that people often do not change, and I concluded over the years that changing people’s bad behavior is much harder than changing firewalls. So I do this:
When both me and client are managing the firewall, i create the username for me , here yurisk and restrict the username admin to internal nets (for emergency cases) and his specific IP.Here my user is yurisk, client’s user is admin and LAN is 10.88.88.0/24 and client’s WAN IP is 123.123.123.10

/etc/ssh/sshd_config
AllowUsers admin@123.123.123.10 admin@10.88.88.* yurisk

Checkpoint firewall VPN debug cheat sheet

Yuri — Wed, 23 Mar 2011 07:52:51 +0000

I love cheat sheets. Once I learn some product or technology to the level of understanding how it works I find the cheat sheets with all the options to run it and keep it handy. In case of the Checkpoint firewalls such cheat sheets are pretty much absent so I will throw from time to time here cheat sheets from me.
NB And to those claiming you need to know (read – memorize) everything, send them to Albert Einstein quote that when asked what the speed of light is, answered “I don’t memorize things that can be found in any reference”.
Today I’ll do VPN debug , basic stuff, no thrills. But we all started somewhere.
Checkpoint VPN debug cheat sheet

Checkpoint VPN debug cheat sheet , page 1

Checkpoint VPN debug cheat sheet , page 2