yurisk.info » Firewall

fw ctl or checkpoint tables by any other name

Yuri — Fri, 09 Apr 2010 05:34:54 +0000

Holidays are over, Checkpoint failures are back, so business as usual. Today I want to draw your attention to often overlooked information source – Checkpoint state tables. While running, the firewall creates, keeps and updates various tables it needs for correct functioning. These tables contain parameters that are mostly of use for firewall itself, but you can query them on the cli, sometimes even flush them as well.
To see all tables with its contents you type –
[Expert@Hollywood]# fw tab
To see only table names –
[Expert@Hollywood]# fw tab | grep “\-\-\-\-\-\-\-”

——– vsx_firewalled ——–
——– firewalled_list ——–
——– external_firewalled_list ——–
——– management_list ——–
——– external_management_list ——–
——– log_server_list ——–
——– tcp_services ——–
——– udp_services ——–
——– internal_interface_list ——–
——– topology_range_list ——–
——– gui_clients_list ——–
——– cp_NG_products_list ——–
——– smtp_av_user_config_match_tab ——–
——– smtp_av_scan_exclusion ——–
——– http_av_user_config_match_tab ——–
——– http_av_scan_exclusion ——–
——– pop3_av_user_config_match_tab ——–
——– pop3_av_scan_exclusion ——–
——– aspam_unique_id ——–
——– aspam_directional_match_tab ——–
——– aspam_smtp_ip_match_tab_src ——–
——– aspam_pop3_ip_match_tab_src ——–
——– aspam_scan_all_traffic ——–
——– auth_rules_on_gw ——–
——– content_security_uf ——–
——– content_security_av ——–
——– content_security_aspam ——–
——– content_security_next_proxy ——–
——– cs_next_proxy_host ——–
——– cs_next_proxy_port ——–
——– module_content_security ——–
——– report_server_list ——–
——– smartPortal_server_list ——–
——– abacus_server_list ——–
——– event_analyzers_list ——–
——– ua_server_list ——–
——– ua_products_list ——–
——– rtm_list ——–
——– cvp_servers_list ——–
——– ufp_servers_list ——–
——– cpmi_clients_list ——–
——– radius_servers_list ——–
——– tacacs_servers_list ——–
——– ldap_servers_list ——–
——– NG_policy_server_list ——–
——– physical_servers_list ——–
——– load_servers_list ——–
——– drop_rejct_rules ——–
——– gsn_quota ——–
——– no_nat_comm_4 ——–
——– community_no_nat ——–
——– http_services ——–
——– ftp_services ——–
——– smtp_services ——–
——– pop3_services ——–
——– cifs_services ——–
——– dns_services ——–
——– sip_services ——–
——– mgcp_services ——–
——– dns_rand_servers ——–
——– aspam_wb_ip ——–
——– mgcp_cmd ——–
——– sip_method ——–
——– non_scv_hosts ——–
——– gtp_apn_params ——–
——– ssl_tunnels_excluded_services ——–
——– ssl_tunnels_excluded_clients ——–
——– syslg_relay_servers_list ——–
——– dcerpc_maps ——–
——– dcerpc_rmaps ——–
——– dcerpc_binds ——–
——– dcerpc_epm_requests ——–
——– dcerpc_map_ports ——–
——– dcerpc_udp_maps ——–
——– dcerpc_udp_rmaps ——–
——– dcerpc_udp_epm_requests ——–
——– dcerpc_udp_hpov_maps ——–
——– dcerpc_logs ——–
——– dcerpc_reply_any_port ——–
——– dcom_objects ——–
——– dcom_remote_activations ——–
——– dcom_call_ids ——–
——– dcom_high_port ——–
——– dcom_sysact_state ——–
——– compiled_cifs_resources ——–
——– userc_rules ——–
——– userc_bind ——–
——– userc_key ——–
——– userc_users ——–
——– userc_pending ——–
——– userc_slan ——–
——– userc_dtm_cache ——–
——– pending ——–
——– rpc_serv_hosts ——–
——– rpc_serv ——–
——– rpc_sessions ——–
——– pmap_req ——–
——– pmap_not_responding ——–
——– logged ——–
——– trapped ——–
——– check_alive ——–
——– auth_services ——–
——– client_auth ——–
——– client_was_auth ——–
——– autoclntauth_fold ——–
——– session_requests ——–
——– pending_session_requests ——–
——– sso_requests ——–
——– auth_status ——–
——– av_cache ——–
——– proxied_conns ——–
——– genufp_requests ——–
——– genufp_matched ——–
——– genufp_mismatched ——–
——– icmp_requests ——–
——– icmp_replies ——–
——– icmp_errors ——–
——– forbidden_tab ——–
——– ipufp_cache ——–
——– ufp_statistic ——–
——– dynobj_cache ——–
——– dns_rand_to_sid ——–
——– dns_sid_to_rand ——–
——– dns_response_misses ——–
——– snid_enc_keys ——–
——– resolve_hostbyname_cache ——–
——– resolve_hostbyaddr_cache ——–
——– voip_host_connections ——–
——– cac_codecs ——–
——– sip_state ——–
——– earlynat_sport ——–
——– sip_dynamic_port ——–
——– sip_cseq ——–
——– mgcp_conn ——–
——– mgcp_tid ——–
——– mgcp_registration ——–
——– mgcp_earlynat_tid ——–
——– mgcp_dynamic_port ——–
——– ssl_v3_conns ——–
——– ssh2_syn_table ——–
——– ssh2_client_seq ——–
——– p2p_sessions ——–
——– edonkey_clients ——–
——– p2p_packets ——–
——– pptp_state ——–
——– first_master ——–
——– mapped_if ——–
——– fwx_sticky_port ——–
——– allowed_ip_options ——–
——– allowed_ipopts_proto ——–
——– hide_behind_low_ports ——–
——– cluster_mcast_nolog ——–
——– hide_services_ports ——–
——– no_hide_services_ports ——–
——– no_fold_services_ports ——–
——– nokia_no_fold_ports ——–
——– no_misp_services_ports ——–
——– pop3d_clients ——–
——– epq_quarantined_host ——–
——– aspam_syn_cache ——–
——– tcp_services_props ——–
——– udp_services_props ——–
——– other_services_props ——–
——– adp_ca_brightstor_tab ——–
——– rc4_table ——–
——– Objhbbbjb ——–
——– ObjUOdnB ——–
——– ObjSRqhab ——–
——– ObjLALMqb ——–
——– ObjsFK9hb ——–
——– Obj4kPyz ——–
——– ObjO80qQb ——–
——– ObjolM2n ——–
——– mhis_tab ——–
——– Obja2fNE ——–
——– ObjQvSXqb ——–
——– ObjGiirDb ——–
——– http_hand_tab ——–
——– Objn_q2i ——–
——– Objo2Goeb ——–
——– ObjdSJuO ——–
——– ObjqYUGFb ——–
——– contnt_prot_state_table ——–
——– backweb_connections ——–
——– freetel_connections ——–
——– iiop_requests ——–
——– x11verify_tab ——–
——– wf_connections ——–
——– exchange_notifies ——–
——– rtsp_tab ——–
——– ncp_table ——–
——– e2e_gwbw_table ——–
——– vpn_range_gateways ——–
——– vpn_range_gateways_valid ——–
——– cvp_connections ——–
——– p2p_logged ——–
——– welchia_tab ——–
——– ssh_sessions ——–
——– gif_rerun_tbl ——–
——– aviwave_table ——–
——– png_tab ——–
——– emf_wmf_tab ——–
——– ObjIqngWb ——–
——– Obj1Pjdc ——–
——– ObjEcVuT ——–
——– ObjBYyIB ——–
——– mpe_pme_tab ——–
——– ObjipTMsb ——–
——– ObjAIP_g ——–
——– Obj1_j2Qb ——–
——– ObjsRmHN ——–
——– ObjgGBn_b ——–
——– Obj8YTItb ——–
——– office_rerun_tab ——–
——– block_office_ppt_start ——–
——– block_office_offset ——–
——– block_office_retrans ——–
——– ObjYpZWX ——–
——– ObjLRkIWb ——–
——– ObjiMhGQ ——–
——– ObjdZJgJb ——–
——– Obji4D8J ——–
——– ObjTBbSbb ——–
——– ObjFYJhJb ——–
——– ObjK3HfXb ——–
——– Obj3Izhfc ——–
——– ObjATGcAb ——–
——– snmp_pdu_types ——–
——– ObjPKm54b ——–
——– ObjpZHv1 ——–
——– ObjNPV8V ——–
——– Objmeh8Ub ——–
——– Obj0XzAN ——–
——– ObjXatVDb ——–
——– syslog_dates ——–
——– buf_table ——–
——– cram_table ——–
——– imap_log_tbl ——–
——– imap_except_tbl ——–
——– flac_table ——–
——– sami_tbl ——–
——– ObjajI9Rb ——–
——– ObjCGXEdb ——–
——– pct_opcode_tab ——–
——– pct_tab ——–
——– Obj1e5hC ——–
——– ObjRztz7 ——–
——– ObjaxeIAb ——–
——– ObjwNbxib ——–
——– word_plflfo_tbl ——–
——– word_sprm_tbl ——–
——– ObjkxWEfc ——–
——– Obj217K1 ——–
——– flash_tab ——–
——– ObjjoQvm ——–
——– ObjUZxDgc ——–
——– ObjlgJhcc ——–
——– ObjaLxvLb ——–
——– rtf_fmp_parse27_tab ——–
——– ssl_counter_tab ——–
——– dns_bruth_tab ——–
——– dns_bruth_tab_case ——–
——– dns_bruth_res_tab ——–
——– pdf_jbig_tbl ——–
——– ObjO5atzb ——–
——– ObjCy5LO ——–
——– ObjmbEnl ——–
——– ObjxZiyv ——–
——– Obj8sHTQb ——–
——– ObjCMpyg ——–
——– ObjMbgQeb ——–
——– ObjHh3It ——–
——– ObjsYf1n ——–
——– ldap_leak_tab ——–
——– ObjhPV7z ——–
——– ObjEkdpjc ——–
——– ObjH3V57 ——–
——– pe_parser_tbl ——–
——– Obj6a6Th ——–
——– ObjHkxoe ——–
——– Obj6yDZpb ——–
——– ObjRpdDu ——–
——– ObjiB_Z4b ——–
——– ms_proj_tab ——–
——– ObjyXqwA ——–
——– sdupdate_dynamic_tab_attrs ——–
——– vpn_active ——–
——– encryption_requests ——–
——– decryption_pending ——–
——– rdp_table ——–
——– rdp_dont_trap ——–
——– userc_encapsulating_clients ——–
——– MSPI_cluster_feedback ——–
——– MSPI_cluster_feedback_new ——–
——– L2TP_MSPI_cluster_feedback ——–
——– MSPI_cluster_update ——–
——– L2TP_MSPI_cluster_update ——–
——– MSPI_cluster_request ——–
——– MSPI_feedback_to_delete ——–
——– ATLAS_ROBO_Objects ——–
——– DAG_ID_to_IP ——–
——– DAG_IP_to_ID ——–
——– ipsec_crypt_pending ——–
——– inbound_SPI ——–
——– outbound_SPI ——–
——– resolving_requests ——–
——– MSPI_requests ——–
——– SPI_requests ——–
——– resolving_req_connections ——–
——– MSPI_req_connections ——–
——– user_auth_groups ——–
——– IKE_SA_table ——–
——– new_IKE_SA_update ——–
——– IPSEC_userc_dont_trap_table ——–
——– SEP_my_IKE_packet ——–
——– tcpt_external_ip ——–
——– L2TP_tunnels ——–
——– L2TP_sessions ——–
——– L2TP_lookup ——–
——– vpn_if_peer_mspi ——–
——– vpn_interfaces_table ——–
——– peer_vpn_if_mapping ——–
——– MSPI_by_methods ——–
——– MSPI_cluster_map ——–
——– resolved_interface ——–
——– MEP_chosen_gw ——–
——– crypt_resolver_db ——–
——– MEP_ls ——–
——– userc_resolve_dont_trap ——–
——– fwz_crypt_pending ——–
——– crypt_resolver_uptag ——–
——– cryptlog_table ——–
——– udp_enc_cln_table ——–
——– cluster_connections_nat ——–
——– IPSEC_mtu_icmp ——–
——– IPSEC_mtu_icmp_wait ——–
——– XPO_names ——–
——– communities_names ——–
——– peers_names ——–
——– local_vpn_routing ——–
——– VIN_SA_to_delete ——–
——– udp_response_nat ——–
——– marcipan_mapping ——–
——– marcipan_ippool_users ——–
——– marcipan_ippool_allocated ——–
——– reliable_trap ——–
——– peers_count ——–
——– IKE_peers ——–
——– ipalloc_tab ——–
——– persistent_tunnels ——–
——– dhcp_nat_params_tab ——–
——– my_daip_ip_to_id ——–
——– om_assigned_ips ——–
——– om_radius ——–
——– tnlmon_listener_list ——–
——– tnlmon_life_sign ——–
——– preferred_MEP_gw ——–
——– tnlmon_job_list ——–
——– udp_enc_route_refcount ——–
——– reload_policy_timer ——–
——– http_vpnd_cookies ——–
——– sslt_om_ip_params ——–
——– ssl_tunnel_id_to_mspi ——–
——– http_ics_pre_auth_cookies ——–
——– vpnd_ics_report_suid ——–
——– vpn_queues ——–
——– ike2esp ——–
——– peer2ike ——–
——– ike2peer ——–
——– initial_contact_pending ——–
——– user_properties ——–
——– rdp_state_repository ——–
——– ike_state_repository ——–
——– get_topology_state_repository ——–
——– ike_temp_DAG_IP_to_ID ——–
——– resolved_link ——–
——– orig_route_params ——–
——– cluster_active_robo ——–
——– edge_clusters ——–
——– outbound_spi_by_peer ——–
——– robo_active_link ——–
——– src_ip_by_peer ——–
——– natt_port ——–
——– frl_table ——–
——– sslt_disconnect_reasons ——–
——– vpn_best_route_cache ——–
——– TunnelTest_NAT ——–
——– slp_active_users ——–
——– dag_dhcp_requests ——–
——– net_quota_exclusion_table ——–
——– sr_enc_domain ——–
——– sr_enc_domain_valid ——–
——– vpn_enc_domain ——–
——– vpn_enc_domain_valid ——–
——– vpn_methods ——–
——– vpn_routing ——–
——– vpn_enable_routing ——–
——– vpn_enable_internet_routing ——–
——– static_interface_resolve ——–
——– daip_ranges ——–
——– Robo_ranges ——–
——– Robo_ids ——–
——– Robo_allowed_ranges ——–
——– Robo_clusters ——–
——– sdb_edge_clusters ——–
——– community_domain_4 ——–
——– community_excl_udp_4 ——–
——– om_protected_group ——–
——– gw_properties ——–
——– vpn_rulematch ——–
——– comm_conn_level ——–
——– ca_servers_addresses ——–
——– target_list10 ——–
——– rulenum_list13 ——–
——– rulenum_list14 ——–
——– rulenum_list15 ——–
——– fwportscn_vertical_exclude ——–
——– fw_allow_out_of_tcp_always ——–
——– spii_proto_tab ——–
——– DAG_range ——–
——– NAT_src_intvl_list ——–
——– NAT_dst_intvl_list ——–
——– NAT_src_any_list ——–
——– NAT_dst_any_list ——–
——– NAT_rules ——–
——– full_service_list11 ——–
——– full_service_list12 ——–
——– ip_list1 ——–
——– ip_list2 ——–
——– ip_list3 ——–
——– ip_list4 ——–
——– ip_list5 ——–
——– ip_list6 ——–
——– ip_list7 ——–
——– ip_list8 ——–
——– ip_list9 ——–
——– dir_scan_addrs_list1 ——–
——– valid_addrs_list1 ——–
——– dir_scan_addrs_list2 ——–
——– valid_addrs_list2 ——–
——– gw2gw_communities_ids ——–
——– tcpt_gws ——–
——– svm_profiler ——–
——– svm_range_gateways ——–
——– svm_range_gateways_valid ——–
——– svm_e2e_gwbw_table ——–
——– vpncl_om2cookier ——–
——– vpncl_cookier2om ——–
——– vpncl_ccc_iphone_sessions ——–
——– vpncl_ccc_sessions ——–
——– vpncl_cpras_topology_policy_id ——–
——– sockstress_blocked ——–
——– sockstress_suspicious ——–
——– sockstress_local ——–
——– sockstress_src ——–
——– sam_L2_requests ——–
——– sam_blocked_ips_v2 ——–
——– sam_requests_v2 ——–
——– sam_uid ——–
——– sam_L2_src_dst_requests ——–
——– mrt_sync_table ——–
——– closed_conns ——–
——– fwarp_arpq_tbl ——–
——– fwneighq_tbl ——–
——– strmap_table ——–
——– fwha_VPN_hash_table ——–
——– cpas_cookie_hash ——–
——– cpas_pmtu ——–
——– h323_registration ——–
——– rules_uid_new_table ——–
——– uid2kbuf ——–
——– tab_name_table ——–
——– sip_registration ——–
——– fwx_cache ——–
——– redirected_conns ——–
——– h323_gk_pending_table ——–
——– cphwd_vpndb ——–
——– host_ip_addrs_all ——–
——– excessive_table ——–
——– scv_held_packets_table ——–
——– conn_info ——–
——– chain_log_unification_table ——–
——– fwx_pending ——–
——– scv_ps_table ——–
——– scv_gw_table ——–
——– string_dictionary_table ——–
——– sam_log ——–
——– sam_requests ——–
——– sam_blocked_ips ——–
——– spii_global_pset2kbuf_map ——–
——– spii_multi_pset2kbuf_map ——–
——– ws_protection_scheme_table ——–
——– saved_kbuf_table ——–
——– son_conns ——–
——– parent_conn ——–
——– connections ——–
——– fwx_cntl_dyn_tab ——–
——– h323_tracer_table ——–
——– fwx_auth ——–
——– host_ip_addrs ——–
——– hold_table ——–
——– frag_table ——–
——– arp_table ——–
——– fwx_alloc ——–

Now round up of some useful for whatever reason tables you should know about.
NOTE – When service is not loaded corresponding table isnt as well
# fw tab -t http_av_scan_exclusion

localhost:
Table http_av_scan_exclusion not loaded: Invalid argument

Most of the time values in these tables are presented as integer or hex values , and almost always they contain IP addresses. Adding –f option to the command deciphers output a bit but not completely , so IP integer-to-decimal converter will be very handy.

To see local encryption domain of this gateway without entering SmartDashboard:
# fw tab -f -t vpn_enc_domain

Using cptfmt
localhost:
Date: Apr 7, 2010
8:26:33 192.168.29.25> : (+)====================================(+); Table_Name: vpn_enc_domain; : (+); Attributes: static, id 381; product: VPN-1 & FireWall-1;

8:26:33 192.168.29.25> : (+); First: 10.20.201.1; ,Last: 10.20.201.3; product: VPN-1 & FireWall-1;
8:26:33 192.168.29.25> : (+); First: 172.18.1.0; ,Last: 172.18.1.255; product: VPN-1 & FireWall-1;
8:26:33 192.168.29.25> : (+); First: 192.168.20.251; ,Last: 192.168.20.253; product: VPN-1 & FireWall-1;
;8:26:33 192.168.29.25> : (+); First: 192.168.21.0; ,Last: 192.168.21.255; product: VPN-1 & FireWall-1;
8:26:33 192.168.29.25> : (+); First: 192.168.22.11; ,Last: 192.168.22.12; product: VPN-1 & FireWall-1;

Another command that gives the local encryption domain, on few firewalls I tried the output was the same , so Don’t know what the difference
# fw tab -f -t vpn_enc_domain_valid

Using cptfmt
localhost:
Date: Apr 7, 2010
8:52:30 192.168.29.25> : (+)====================================(+); Table_Name: sr_enc_domain_valid; : (+); Attributes: static, id 380; product: VPN-1 & FireWall-1;
8:52:30 192.168.29.25> : (+); First: 10.20.201.1; ,Last: 10.20.201.3; product: VPN-1 & FireWall-1;
8:52:30 192.168.29.25> : (+); First: 172.18.1.0; ,Last: 172.18.1.255; product: VPN-1 & FireWall-1;
8:52:30 192.168.29.25> : (+); First: 192.168.20.251; ,Last: 192.168.20.253; product: VPN-1 & FireWall-1;
8:52:30 192.168.29.25> : (+); First: 192.168.21.0; ,Last: 192.168.21.255; product: VPN-1 & FireWall-1;
8:52:30 192.168.29.25> : (+); First: 192.168.22.11; ,Last: 192.168.22.12; product: VPN-1 & FireWall-1;

See encryption domain for Secure Remote users
# fw tab -f -t sr_enc_domain_valid

8:52:30 192.168.29.25> : (+); First: 10.20.201.1; ,Last: 10.20.201.3; product: VPN-1 & FireWall-1;
8:52:30 192.168.29.25> : (+); First: 172.18.1.0; ,Last: 172.18.1.255; product: VPN-1 & FireWall-1;
8:52:30 192.168.29.25> : (+); First: 192.168.20.251; ,Last: 192.168.20.253; product: VPN-1 & FireWall-1;
8:52:30 192.168.29.25> : (+); First: 192.168.21.0; ,Last: 192.168.21.255; product: VPN-1 & FireWall-1;
8:52:30 192.168.29.25> : (+); First: 192.168.22.11; ,Last: 192.168.22.12; product: VPN-1 & FireWall-1;

To see SPI database entries of established VPN tunnels and its parameters
# fw tab -f -t inbound_SPI

Using cptfmt
localhost:
Date: Apr 7, 2010
8:34:56 192.168.29.25> : (+)====================================(+); Table_Name: inbound_SPI; : (+); Attributes: dynamic, id 289, attributes: keep, sync, expires 3600, limit 40800, hashsize 65536, kbuf 1 3, free function f9b32640 0, post sync handler f9b22330; product: VPN-1 & FireWall-1;

8:34:56 192.168.29.25> : (+); SPI: d21c5e68; CPTFMT_sep: ;; Protocol: IPSEC_ESP_SA(2); ,Schema: IKE(3); ,me: 192.168.22.11; ,peer: 122.18.9.20; ,owner: 127.0.0.1; ,MyRange:First: 192.168.21.0; Last: 192.168.21.255; ,PeerRange:First: 192.168.214.0; PeerLast: 192.168.214.255; ,HWInitialized: NO; ,MSPI: 13; ,Host: 192.168.22.11; ,Peer: 122.18.9.20; Expires: 2149/3610; product: VPN-1 & FireWall-1;

To see the active VPN peers with IKE phase up
# fw tab -f -t IKE_peers

Date: Apr 7, 2010
8:36:36 192.168.29.25> : (+)====================================(+); Table_Name: IKE_peers; : (+); Attributes: dynamic, id 333, attributes: keep, sync, expires never, limit 25000, hashsize 512; product: VPN-1 & FireWall-1;

8:36:36 192.168.29.25> IkePeer: 212.13.12.128; : (+); Expires: 876861451/2147483647; product: VPN-1 & FireWall-1;
8:36:36 192.168.29.25> IkePeer: 212.13.12.129; : (+); Expires: 876861451/2147483647; product: VPN-1 & FireWall-1;

Here you can see what port is used for NAT traversal
# fw tab -f -t natt_port

Date: Apr 7, 2010
8:37:34 192.168.29.25> : (+)====================================(+); Table_Name: natt_port; : (+); Attributes: dynamic, id 369, attributes: expires never, limit 25000, hashsize 4; product: VPN-1 & FireWall-1;

8:37:34 192.168.29.25> Key: 00001194; Expires: 876861393/2147483647; product: VPN-1 & FireWall-1;
The value is in hex 0×1194 = 4500

List table of Security Associations
# fw tab -f -t IKE_SA_table

Date: Apr 7, 2010
8:41:47 192.168.29.25> : (+)====================================(+); Table_Name: IKE_SA_table; : (+); Attributes: dynamic, id 297, attributes: keep, sync, expires 3600, limit 40400, hashsize 65536, implies 296, kbuf 1, free function f9b22830 0, post sync handler f9b25d80; product: VPN-1 & FireWall-1;

8:41:47 192.168.29.25> : (+); ,CookieI: 1a4406adfa1e1b26; ,CookieR: a64bea22245f2ac2; CPTFMT_sep: ;; EncryptAlg: 0; ,HashAlg: 0; ,DH_Group: 0; ,AuthMethod: 1; ,Flags: 0; ,RenegotiationTime: 2046191617; Expires: 20089/86399; product: VPN-1 & FireWall-1;

Pretty much the same data , number of peers

# fw tab -f -t peers_count

Date: Apr 7, 2010
8:46:48 192.168.29.25> : (+)====================================(+); Table_Name: peers_count; : (+); Attributes: dynamic, id 332, attributes: keep, expires never, limit 10200, hashsize 16384, kbuf 1; product: VPN-1 & FireWall-1;
8:46:48 192.168.29.25> : (+); IPsec peer: 31.112.182.6; CPTFMT_sep: ;; ,Ref-count: 2; Expires: 876860840/2147483647; product: VPN-1 & FireWall-1;
8:46:48 192.168.29.25> : (+); IPsec peer: 122.18.9.20; CPTFMT_sep: ;; ,Ref-count: 1; Expires: 876860840/2147483647; product: VPN-1 & FireWall-1;

List of hosts with which this firewall has currently open sessions (whatever they may be )
# fw tab -f -t static_interface_resolve

Date: Apr 7, 2010
8:55:59 192.168.29.25> : (+)====================================(+); Table_Name: static_interface_resolve; : (+); Attributes: static, id 387; product: VPN-1 & FireWall-1;

8:55:59 192.168.29.25> : (+); Peer_interface: 10.20.20.1; ,Peer_main_addr: 21.23.9.2; product: VPN-1 & FireWall-1;
8:55:59 192.168.29.25> : (+); Peer_interface: 58.13.2.78; Peer_resolved_addr: 58.13.2.78; ,Peer_main_addr: 58.13.2.78; product: VPN-1 & FireWall-1;

To list NAT rules numbers as appear in the SmartDashboard that have Any as destination and as source correspondingly
# fw tab -f -t NAT_dst_any_list

Date: Apr 7, 2010
9:01:13 192.168.29.25> : (+)====================================(+); Table_Name: NAT_dst_any_list; : (+); Attributes: static, id 434; product: VPN-1 & FireWall-1;

9:01:13 192.168.29.25> Key: 0000000a, 0000000a; product: VPN-1 & FireWall-1; //Rule number 10
9:01:13 192.168.29.25> Key: 0000000c, 0000000c; product: VPN-1 & FireWall-1; //Rule number 12
9:01:13 192.168.29.25> Key: 0000000e, 0000000e; product: VPN-1 & FireWall-1;

# fw tab -f -t NAT_src_any_list

Date: Apr 7, 2010
9:00:31 192.168.29.25> : (+)====================================(+); Table_Name: NAT_src_any_list; : (+); Attributes: static, id 433; product: VPN-1 & FireWall-1;

9:00:31 192.168.29.25> Key: 00000006, 00000006; product: VPN-1 & FireWall-1; // Rule number 6
9:00:31 192.168.29.25> Key: 00000007, 00000007; product: VPN-1 & FireWall-1; // Rule number 7

List all NAT rules .
Some explanation here . Here all IP addresses are in hexadecimal representation . To translate it to usual decimal one I translate (say using calc.exe) Hex -> Integer , then using some Internet converter , Integer -> decimal . In () are my comments
# fw tab -f -t NAT_rules

Date: Apr 7, 2010
9:02:19 192.168.29.25> : (+)====================================(+); Table_Name: NAT_rules; : (+); Attributes: static, id 435; product: VPN-1 & FireWall-1;

9:02:19 192.168.29.25> Key: 00000001(Rule number); CPTFMT_sep: ;; Data: 00000000, 00000000, ff000001 (255.0.0.1) , BD8AFF3C (189.138.255.60 Original Src in Nat rule), BD8AFF3C, c0a8d1fd (192.168.209.253 Translated source IP), ff010202 (255.1.2.2), C0A81596 (192.168.21.150 Original packet destination) , C0A81596, C0A81596, 00000000, 00000000, 00000000, 00000000; product: VPN-1 & FireWall-1;

List open connection to/from the firewall
# fw tab -f -t connections

Date: Apr 7, 2010
10:22:43 80.19.1.150> : (+)====================================(+); Table_Name: connections; : (+); Attributes: dynamic, id 8158, attributes: keep, sync, aggressive aging, kbuf 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31, expires 60, refresh, limit 75000, hashsize 262144, free function f9faf4e0 0, post sync handler f9fa3470; product: VPN-1 & FireWall-1;

10:22:43 80.19.1.150> : ———————————–(+); Direction: 1; Source: 172.17.110.111; SPort: 1517; Dest: 210.48.77.30; DPort: 443; Protocol: tcp; CPTFMT_sep_1: ->; Direction_1: 0; Source_1: 172.17.110.111; SPort_1: 1517; Dest_1: 210.48.77.30; DPort_1: 443; Protocol_1: tcp; FW_symval: 2; product: VPN-1 & FireWall-1;

Something that has to do with IPS I guess
# fw tab -f -t string_dictionary_table

Date: Apr 7, 2010
10:23:52 80.19.1.150> : (+)====================================(+); Table_Name: string_dictionary_table; : (+); Attributes: dynamic, id 8135, attributes: keep level 2, kbuf 1, expires never, limit 32768, hashsize 4096; product: VPN-1 & FireWall-1;
10:23:52 80.19.1.150> Expires: 876858615/2147483647; product: VPN-1 & FireWall-1;
10:23:52 80.19.1.150> Expires: 876858615/2147483647; product: VPN-1 & FireWall-1;
10:23:52 80.19.1.150> Hash: dc17462d0fdcfdfd42c80679dbd63b4; ID: 3672; Data: Microsoft Windows search-ms protocol handler command execution (MS08-075); Expires: 876858615/2147483647; product: VPN-1 & FireWall-1;
10:23:52 80.19.1.150> Expires: 876858615/2147483647; product: VPN-1 & FireWall-1;
10:23:52 80.19.1.150> Expires: 876858615/2147483647; product: VPN-1 & FireWall-1;
10:23:52 80.19.1.150> Hash: e36d6da340f3ce9df3d02fd991b07765; ID: 822; Data: Command ‘%s’ is out of expected state ‘%s’; Expires: 876858615/2147483647; product: VPN-1 & FireWall-1;
10:23:52 80.19.1.150> Hash: c377d9acdbb7a8a3cd182b514df494d; ID: 657; Data: smtp_block_bin_enable; Expires: 876858615/2147483647; product: VPN-1 & FireWall-1;
10:23:52 80.19.1.150> Hash: 34bd42a272028c23476653dfcbac806d; ID: 648; Data: Out of bounds – an offset was given that references outside the packet; Expires: 876858615/2147483647; product: VPN-1 & FireWall-1;
10:23:52 80.19.1.150> Hash: b8d505cb64b542f15dcea55a93802fb; ID: 2681; Data: Cisco IOS IPv4 Packets Denial of Service; Expires: 876858615/2147483647; product: VPN-1 & FireWall-1;
10:23:52 80.19.1.150> Hash: 30f7c4e2db021c4977c2a92b48bb97ed; ID: 2241; Data: Invalid SIT field in SA payload header; Expires: 876858615/2147483647; product: VPN-1 & FireWall-1;
10:23:52 80.19.1.150> Hash: 29aa7499fca2d0cdc9f9d954c9a7b7d2; ID: 979; Data: Virtual defragmentation error: Memory failure; Expires: 876858615/2147483647; product: VPN-1 & FireWall-1;
10:23:52 80.19.1.150> Hash: de1c15759f50957189b1ba346bfc07fa; ID: 655; Data: Security violation; Expires: 876858615/2147483647; product: VPN-1 & FireWall-1;
10:23:52 80.19.1.150> More_Entries: 7782; product: VPN-1 & FireWall-1;

Fortigate BGP – configure and debug

Yuri — Fri, 26 Mar 2010 14:56:12 +0000

Everyone today speaks BGP: Cisco routers, Juniper routers and ScreenOS firewalls, Fortigate does it,even SonicWall have it as planned feature So question is not whether but how. The opportunity to see how it works on Fortigate recently presented itself and here is the sum up of how I configured and debugged Fortigate BGP set up.
Task at hand: configure BGP peering with Bogon Route project by Team Cymru www.team-cymru.org/Services/Bogons/routeserver.html . More information about the Bogon Routes can be found at the source – www.team-cymru.org/Services/Bogons . But in few words they advertise to you routes that are never to be seen in your network for legitimate reasons. Those are networks not only from RFC 1918 but those reserved by RIPE for special purposes, and those unallocated to anyone as of now.
What we need to know for this set up is this:

They advertise all the networks with no-export community
also they attach 65333:888 community (as per their site)
they use md5 password authentication
they don’t expect you to advertise to them anything
in advertised networks next hop is their advertising router
their AS number is 65333

Based on all the above my Fortigate BGP peer had to :

enable multihop peering
use MD5 password authentication
have route-map to attach no-export community so that we don’t inadvertently advertise learned routes to other peers ( just safety net , in case BGP peer stops attaching no-export community to their routes)
set next hop for the learned routes to Null 0 interface.

Let’s start configuring something. Important surprise here – in Fortigate GUI you can only set 3 parameters:
As number , Peer Ip and networks to be advertised, the rest is to be done on the command line . So here it goes
1) Configuring route-map to set no-export community on learned networks and force next hop to be some reserved Ip (192.0.2.1 ) that in turn is statically routed to Null interface ,

config router route-map
edit “NO-EXPORT”
config rule
edit 3
set set-community “no-advertise”
set set-ip-nexthop 192.0.2.1
next
end
next
End

2) Configure BGP peer

(root) # show router bgp
config router bgp
set as 65002
config neighbor
edit 84.22.96.5
set ebgp-enforce-multihop enable
set remote-as 65333
set route-map-in “NO-EXPORT”
set password “yuiyui”
next
end
config redistribute “connected”
set status enable
end

3) Configure static blackhole route for the reserved IP used as the next hop for this.

(root) # sh router static
config router static
edit 3
set blackhole enable
set dst 192.0.2.1 255.255.255.255
next
End

Validation phase.
All configs are as good as the prove that it works.

List shortly all the peers

(root) # get router info bgp summary

BGP router identifier 10.250.250.2, local AS number 65002
BGP table version is 159
2 BGP AS-PATH entries
0 BGP community entries

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
84.22.96.5   4  65333       4       6      159    0    0 00:00:48        0

Total number of neighbors 1

List all BGP neighbors and their peering state

My-FG (root) # get router info bgp neighbors

BGP neighbor is 84.22.96.5, remote AS 65333, local AS 65002, external link
  BGP version 4, remote router ID 84.22.96.5
  BGP state = Established, up for 00:00:58
  Last read 00:00:58, hold time is 180, keepalive interval is 60 seconds
  Configured hold time is 180, keepalive interval is 60 seconds
  Neighbor capabilities:
    Route refresh: advertised and received (old and new)
    Address family IPv4 Unicast: advertised and received
  Received 4 messages, 0 notifications, 0 in queue
  Sent 6 messages, 0 notifications, 0 in queue
  Route refresh request: received 0, sent 0
  Minimum time between advertisement runs is 30 seconds

 For address family: IPv4 Unicast
  BGP table version 160, neighbor version 159
  Index 3, Offset 0, Mask 0x8
  Community attribute sent to this neighbor (both)
  Inbound path policy configured
  Route map for incoming advertisements is *NO-EXPORT
  0 accepted prefixes
  19 announced prefixes
  Connections established 1; dropped 0
  External BGP neighbor may be up to 255 hops away.
Local host: 10.250.250.2, Local port: 9188
Foreign host: 84.22.96.5, Foreign port: 179
Nexthop: 10.250.250.1

See the routes learned through the BGP protocol

(root) # get router info bgp network

BGP table version is 161, local router ID is 10.250.250.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 5.0.0.0          192.0.2.1                0             0 65333 65333 i
*> 14.0.0.0         192.0.2.1                0             0 65333 65333 i
*> 23.0.0.0         192.0.2.1                0             0 65333 65333 i
*> 31.0.0.0         192.0.2.1                0             0 65333 65333 i
*> 36.0.0.0         192.0.2.1                0             0 65333 65333 i
*> 37.0.0.0         192.0.2.1                0             0 65333 65333 i
*> 39.0.0.0         192.0.2.1                0             0 65333 65333 i
*> 42.0.0.0         192.0.2.1                0             0 65333 65333 i
*> 49.0.0.0         192.0.2.1                0             0 65333 65333 i
*> 100.0.0.0        192.0.2.1                0             0 65333 65333 i
*> 101.0.0.0        192.0.2.1                0             0 65333 65333 i
*> 102.0.0.0        192.0.2.1                0             0 65333 65333 i
*> 103.0.0.0        192.0.2.1                0             0 65333 65333 i
*> 104.0.0.0        192.0.2.1                0             0 65333 65333 i
*> 105.0.0.0        192.0.2.1                0             0 65333 65333 i
*> 106.0.0.0        192.0.2.1                0             0 65333 65333 i
*> 169.254.0.0      192.0.2.1                0             0 65333 65333 i
*> 172.16.0.0/12    192.0.2.1                0             0 65333 65333 i
*> 176.0.0.0/8      192.0.2.1                0             0 65333 65333 i
*> 177.0.0.0/8      192.0.2.1                0             0 65333 65333 i
*> 179.0.0.0/8      192.0.2.1                0             0 65333 65333 i
*> 181.0.0.0/8      192.0.2.1                0             0 65333 65333 i
*> 185.0.0.0/8      192.0.2.1                0             0 65333 65333 i

List routes that are currently installed in the routing table that were learned by BGP .

(root) # get router info routing-table bgp

B       5.0.0.0/8 [20/0] via 192.0.2.1 (recursive is directly connected, unknown), 00:00:19
B       14.0.0.0/8 [20/0] via 192.0.2.1 (recursive is directly connected, unknown), 00:00:19
B       23.0.0.0/8 [20/0] via 192.0.2.1 (recursive is directly connected, unknown), 00:00:19
B       31.0.0.0/8 [20/0] via 192.0.2.1 (recursive is directly connected, unknown), 00:00:19
B       36.0.0.0/8 [20/0] via 192.0.2.1 (recursive is directly connected, unknown), 00:00:19
B       37.0.0.0/8 [20/0] via 192.0.2.1 (recursive is directly connected, unknown), 00:00:19
B       39.0.0.0/8 [20/0] via 192.0.2.1 (recursive is directly connected, unknown), 00:00:19
B       42.0.0.0/8 [20/0] via 192.0.2.1 (recursive is directly connected, unknown), 00:00:19

After all is configured and saved (and probably doesn’t work) comes the bgp debug round.
Enable bgp debug on the appliance

#diag ip router bgp all enable

Enable debug output to console

diag debug enable

To stop this output

diagnose debug disable

To verify that debug is on

# diag ip router bgp show

BGP debugging status:
  BGP events debugging is on
  BGP debug level: INFO

If nothing after that happens try clearing all BGP sessions

#exec router clear bgp all

The good way to judge something new is to compare it with something you already know. To continue
With that logic I cross-reference debug output seen on Fortigate with the one seen on the Cisco BGP peer. That
way you can decide what is more informative and who wins the race (Cisco of course, what you thought?).

Case 1
One of the peers is configured with wrong AS number.
In Fortigate you see this:

BGP: 84.22.96.5-Outgoing [FSM] State: Idle Event: 3
BGP: 84.22.96.5-Outgoing [NETWORK] FD=15, Sock Status: 0-Success
BGP: 84.22.96.5-Outgoing [FSM] State: Connect Event: 17
BGP: 84.22.96.5-Outgoing [ENCODE] Msg-Hdr: Type 1
BGP: 84.22.96.5-Outgoing [ENCODE] Open: Ver 4 MyAS 65002 Holdtime 180
BGP: 84.22.96.5-Outgoing [ENCODE] Open: Msg-Size 45
BGP: 84.22.96.5-Outgoing [DECODE] Msg-Hdr: type 3, length 23
BGP: %BGP-3-NOTIFICATION: received from 84.22.96.5 2/2 (OPEN Message Error/Bad Peer AS.) 2 data-bytes

Now let’s compare to the debug from Cisco

#debug ip bgp events

Mar 24 13:14:55.572: %BGP-3-NOTIFICATION: sent to neighbor 10.250.250.2 2/2 (peer in wrong AS) 2 bytes FDEA FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF 002D 0104 FAEA 01B4 0AFA EA02 1302 0201 1400 0100 0132 0222 0012 0222 00

Case 2
MD5 authentication is set on Cisco but not on the Fortigate. Again for comparison
debug from Fortigate and debug from Cisco
Cisco:

Jan  5 10:42:14.299: %TCP-6-BADAUTH: No MD5 digest from 10.250.250.2 (1037) to 84.22.96.5(179)

Fortigate:

84.22.96.5-Outgoing [FSM] State: Connect Event: 9
BGP: [RIB] Scanning BGP Network Routes...
84.22.96.5-Outgoing [FSM] State: Connect Event: 9
BGP: [RIB] Scanning BGP Network Routes...

Case 3 (that actually happened when I configured this Fortigate) is mismatched MD5 password on either side

Fortigate:
Doing summary listing showed peering as down :

84.22.96.5   4  65333     934    1036        0    0    0    never Connect

Cisco:

*Mar 24 13:40:28.800: BGP: Regular scanner event timer
*Mar 24 13:40:28.800: BGP: Import timer expired. Walking from 1 to 1
*Mar 24 13:40:42.764: %TCP-6-BADAUTH: Invalid MD5 digest from 10.250.250.2(11064) to 84.22.96.5(179)

Case 4 On Cisco ttl-security is enabled while on Forigate ebgp multi-hop is not .
There is no such thing as TTL security on the Fortigate by the way, all you can do to handle this state is enable ebgp-multihop and them it starts sending BGP packets with ttl = 255 .

Cisco:

Jan  7 13:01:36.992: %BGP-4-INCORRECT_TTL: Discarded message with TTL 2 from 10.250.250.2

Forigate:

BGP: 84.22.96.5-Outgoing [FSM] State: OpenConfirm Event: 11
BGP: 84.22.96.5-Outgoing [ENCODE] Msg-Hdr: Type 4
BGP: 84.22.96.5-Outgoing [ENCODE] Keepalive: 13548 KAlive msg(s) sent
84.22.96.5-Outgoing [FSM] State: OpenConfirm Event: 10
BGP: 84.22.96.5-Outgoing [ENCODE] Msg-Hdr: Type 3
BGP: %BGP-3-NOTIFICATION: sending to 84.22.96.5 4/0 (Hold Timer Expired/Unspecified Error Subcode) 0 data-bytes
BGP: 84.22.96.5-Outgoing [FSM] State: Idle Event: 3
BGP: 84.22.96.5-Outgoing [NETWORK] FD=14, Sock Status: 111-Connection refused
BGP: 84.22.96.5-Outgoing [FSM] State: Connect Event: 18

Bonus Case Bug-not-a-feature thing on the Fortigate – when configuring MD5 password for BGP authentication you get Cross-Site vulnerability protection for free Don’t ask me how XSS is connected to cli configuration of BGP …

set password <2AEARep>

The string contains XSS vulnerability characters
value parse error before ”
Command fail. Return code -173

VPN client stops working in visitor mode after major update

Yuri — Thu, 25 Feb 2010 10:10:35 +0000

Yesterday I got asked to check the Checkpoint VPN Secure Client issue . After upgrade from NGX R65 to R70 VPN client doesn’t connect when Visitor mode is enabled . The moment you disable Visitor mode the same client to the same firewall works just fine. This happens
often so I bring it here . Actually I see it as the “it is a feature not a bug” case -
after major upgrades to the firewall, the Management WebGUI (the one you use after fresh install to run the wizard) listening port will be reset to its default value of 443. This in turn prevents any other daemon/service listening on this port , so Visitor mode (I guess also SSL Extender) will not work.
To fix it you just change listening port for WebGUI. Now lets get to SSH:
To see the problem:

#lsof -i -n | grep https

cp_http_s 1864 nobody 11u IPv4 14977 TCP *:https (LISTEN)

To fix the problem:

#[Expert@fw]# webui disable

Shutting down cp_http_server_wd: [ OK ]

[Expert@fw]# webui enable 4445

Running cp_http_server_wd: [ OK ]

Now WebGUI wil be listening on port 4445 , and vpnd as should will be listening on 443:

[Expert@fw]# lsof -i -n | awk ‘/https/ || /4445/’

vpnd 3564 root 26u IPv4 29060053 TCP *:https (LISTEN)
cp_http_s 10300 nobody 5u IPv4 29100889 TCP *:4445 (LISTEN)

fw monitor add-on

Yuri — Sat, 13 Feb 2010 17:12:00 +0000

There is something I didn’t include in the previous post fw monitor command reference about fw monitor as I think it is rather optional and you can do well without it . I talk about tables in defining filter expressions. INSPECT – proprietary scripting language by the Checkpoint on which filtering expressions are based allows creating tables.
I won’t delve into INSPECT syntax (for today) but will list the following examples you can easily modify to suit your needs.

Legend:
{} – delimit the table
<,> – specify range of values inside (e.g. <22,25> means from 22 up to 25 inclusive)
ifid – interface identifier

#fw monitor -e “bad_ports = static {22,25,443}; accept dport in bad_ports;” packets with destination port being equal to 22,25 or 443
#fw monitor -e ” bad_ports = static {<22,25>} ; accept dport in bad_ports;” packets with destination ports being equal to 22,23,24 or 25
# fw monitor -e ” bad_ports = static {<22,25>,<80,443>} ; accept dport in bad_ports;” packets with destination ports being in ranges 22-25 or 80-443
#fw monitor -e “bad_nets = static {<194.1.0.0,194.1.255.255>} ;accept src in bad_nets;” packets originated in range of networks 194.1.0.0 – 194.1.255.255
#fw ctl iflist Here I see what are the index values of each interface card
0 : Internal
1 : External
#fw monitor -e “bad_nets = static {<194.1.0.0,194.1.255.255>} ;accept src in bad_nets and ifid=0;” packets originated in range of networks 194.1.0.0 – 194.1.255.255 and captured on interface eth3 only

Fortigate firewall demo free access. Also FortiManager and FortiAnalyzer

Yuri — Wed, 03 Feb 2010 18:37:25 +0000

As someone said best things in life are free.
Here are links to the demo Forigate firewall, ForiAnalyzer and FortiManager open to access from anywhere . So that you can
familiarize yourself with the Management GUI look and feel.
NOTE: Access is read-only.
NOTE 2: No , it is not me being so generous, it’s Fortinet caring for us.
Fortigate 300 :
user:demo
password: fortigate
fortigate.com
ForiAnalyzer 800:
user:demo
password: fortianalyzer
fortianalyzer.com
FortiManager 400:
user:demo
password: fortimanager
fortimanager.com

Enabling antispam or antivirus on the Checkpoint gateway blocks smtp or http traffic

Yuri — Tue, 26 Jan 2010 19:48:26 +0000

Recently I was unplesantly presented with “it is not a bug ,it is a feature” case with the Checkpoint .
There was some UTM with TS (Total Security) valid license that includes antivirus and antispam services that client paid for and even asked to enable. So far so good. Part of the routine I checked on Gateway properties Antivirus and Antispam features , in Content inspection picked this UTM as enforcing Antispam/Antivirus policy , did install and .. got a call from the client that they can’t send/receive mails . In SmartView Tracker I saw the error of invalid license (it was the most clever disguise Checkpoint could come up with) , on command line fw monitor proved connections to port 25 arrive perfectly and pass pre/post insert points inbound but then nothing happens. Trying to telnet port 25 to the external ip of the mail server got me opened session , then connection was reset.
Only with the help of Checkpoint support (that actually were surprised that after all these years with their
product I haven’t seen this “feature” yet) did I find that issue is known one and caused by that to represent the mail server in LAN I created a MANUAL NAT rule . And ANY security server inside Checkpoint has to
know from security rules or from object properties its ip before and after NAT. Of course this info is
not to be located in any guides.
So to fix the situation you have to either :

replace manual NAT rules with automatic ones;
in security rules relevant to the server in question use BOTH internal and external IPs (that was
what I did and it works ever since – see screenshot below).

I did the rules similar to this:

NB there exist Secureknowledge base articles for it :
sk34862
sk32198

PS I talk here about SMTP but enabling Antivirus for the webserver in LAN with static NAT will have the same
devastating result.

Cisco ASA privilege separation for a local user or read only user on ASA

Yuri — Mon, 18 Jan 2010 15:52:24 +0000

Today I had the need to create a user in ASA that would have read-only permissions and also could issue
only 2 commands: show run and show conn. Here is how to do it.
We talk here about user with local authentication (with TACACS it is much easier).
Just as in Cisco routers you assign specific command to some privilege level different from its default level , then create user with this privilege level :

1) Assign command to specific privilege level ( I pick here level 3 , but it may be any but 15):

(config)# privilege show level 3 mode exec command running-config
(config)# privilege show level 3 mode exec command conn

2) create username with privilege of the command you want him to give
(config)# username Joedoe password asdlgfuwe privilege 3

Now you have 2 options – create general enable password for this given level (3 here) ,so
any user after successful login can enter > enable 3 and enter it to get to level 3 enable
mode. Or , as I did here, not creating enable level 3 password at all and the user will have to enter its
privilege level using login command.
3) now user can connect by ssh (if allowed by Ip of course) :
#ssh Joedoe@10.10.10.7
Joedoe@10.10.10.7password:
ASA> login
Username: Joedoe
Password: **********
# sh curpriv
Username : Joedoe
Current privilege level : 3
Current Mode/s : P_PRIV

Reference:
Cisco ASA Configuration Guide 8.0

Print rulebase in Checkpoint

Yuri — Thu, 31 Dec 2009 13:57:33 +0000

The best place to hide something is to place it before your eyes. Thanks to theacademypro.com I discovered a cool feature of the SmartDashboard – ability to print rules directly from the Dashboard , you just go to File -> Print -> Rule Base.. and that’s it. Just amazing , I have been using Dashboards throughout these years hundreds of times and never noticed it. Seems like you have to learn all your life to just return to the place you started from .
Happy New Year All!

Checkpoint – back up centrally for recovery.

Yuri — Wed, 30 Dec 2009 22:02:07 +0000

Backing up firewall configs for disaster recovery is tedious and mundane task. And if you have enough firewalls doing it manually becomes impractical . To address this case I set up a highly secured server that periodically runs script backing up the clients’ firewalls.

I use here poll model – this central server connects by SSH to the remote firewalls ,issues upgrade_export command then downloads backup using SCP and finally deletes the backup from the firewall itself.
Advantage of such a schema as opposed to the push model where firewalls push backups to the central server I see in that:
- I can secure this server much more as no remotely accessible services are running (so no remote exploit is possible)
- I can have rule in firewall before this server Inbound – > Deny Any Any
- I centrally manage the backup script , if something changes I fix just one script .
Disadvantage – password to enter the firewalls is stored clear text in the script.
Now to the script – I did it in Expect to make life easier , in short it just emulates interactive login by SSH, then runs upgrade_export command, downloads by SCP the backup file, also creating file with md5sum of the backup and downloading it as well. The final action is to login by SSH back and remove the backup file from the firewall.
Naming it does by adding current date to the IP of the firewall. No error checking is done.

Files used in script:
hosts – file containing IPs of the firewalls to backup in the form one per line .

The script goes next (at the end you can download script as file to fix lines wrapping):

#!/usr/local/bin/expect
#set timeout to suffice for the largest backup file to download
set timeout 3000

#set password to enter the firewall
set password “password”
set username “admin”
#set format for naming files
set timeand_date [clock format [clock seconds] -format %B-%Y-%m-%d]
#open hosts file that contains IPs of the firewalls and read it in a loop
set ff [open "hosts" r]
while {[gets $ff hostName] >= 0} {

puts “Entering $hostName”
spawn ssh -l $username $hostName
expect {
        {[Pp]assword:} { send “$password\r” }
”(yes*no)” { send “yes\r”
              expect {[Pp]assword:} {
send “$password\r”
}
}}

#increase timeout of SSH session
expect {*#} {
send “TMOUT=900\r” }
expect {*#} {
send “export TMOUT\r”}
#Create backup directory
expect {*#} {
send “mkdir /var/Upgrade_export_backups\r” }
expect {*#} {
send “cd /var/Upgrade_export_backups\r” }
#Issue the upgrade_export command
expect {*#} {
send “\$FWDIR/bin/upgrade_tools/upgrade_export $timeand_date$hostName\r” }
expect {
{ready} {
send “\r”      }
{(y/n) [n]} {
send “yes\r” }
}
#Calculate md5sum of the newly created backup file and save it to file
expect {*#} {
send “md5sum $timeand_date$hostName.tgz > $timeand_date$hostName.md5sum\r”}

expect {*#} {
send “exit\r”}
spawn scp $username@$hostName:/var/Upgrade_export_backups/\{$timeand_date$hostName.md5sum,$timeand_date$hostName.tgz\}    .
expect {
        {[Pp]assword:} { send “$password\r” }
}
expect {#}   {
#send “exit\r”
}

spawn ssh -l $username $hostName
expect {
        {[Pp]assword:} { send “$password\r” }
”(yes*no)” { send “yes\r”
              expect {[Pp]assword:} {
send “$password\r”
}
}}

#remove created backup file
expect {*#} {
send “cd /var/Upgrade_export_backups\r” }
expect {*#} {
send “rm -f $timeand_date$hostName.tgz\r” }
expect {*#} {
send “exit\r” }
}
close $ff
interact

Script as a file

Checkpoint winscp troubles

Yuri — Sat, 19 Dec 2009 10:47:57 +0000

Checkpoint firewalls have 3 means of transferring files in/out – ftp (client ) , SCP and SFTP (haven’t tried it yet) .

At some stage of the debug/upgrade process you will have to move files in either direction. The most secure is SCP protocol. On windows platforms picking the GUI SCP client is not hard – you only have WinSCP as your choice. And being otherwise reliable and easy to use software it just doesn’t work with Checkpoint many times. To fix this is easier than you can think of.

But first few prerequisites:

To allow SCP connection to the firewall you have to :

– create file named /etc/scpusers

– add to it user per line – with which user you will be connecting for SCP session

– make sure that for this user(s) shell is set to /bin/bash in /etc/passwd file

– and of course allow SSH protocol connection from your host to the firewall.

After all the above done you connect using WinSCP, all goes well, try to download some file and …

Error happens…
The easiest way (and the only one I found so far ) is to .. NOT use WinSCP but instead use wonderful
software PSCP from Putty authour that doesn’t have GUI but works flawlessly with Checkpoint.
Download it here www.chiark.greenend.org.uk/~sgtatham , read instructions and have no regrets ever after.