yurisk.info » Checkpoint

Number of connected SecureClient or Secureremote users

Yuri — Tue, 07 Sep 2010 12:42:17 +0000

Here is how to see number of connected to the gateway users. Nothing special/interesting and I am sure somewhere in the SecureKnowledgeBase it is to be found but with recent licensing improvements people ask a lot about that.

# fw tab -t userc_users -s

HOST NAME ID #VALS #PEAK #SLINKS
localhost userc_users 73 1 3 0

Turn netconf.C routes into linux route command

Yuri — Tue, 07 Sep 2010 10:34:37 +0000

I must confess that I prefer good solutions today over perfect solutions tomorrow.
So when the need aroused to do a script that takes netconf.C and transforms all the
route statements in it to the general linux form of "route add xxx" I did this one-liner you can see below. The script looks ugly and sketchy but it works. For those preferring perfect solutionscheck this website Monkey with agun that has script to manage mane networking settings of the SPLAT. I haven’t tried it myself though but looks serious investment of time and effort.

awk ' (/dest/ || /via/) && ! /127.0.0.0/ ' /etc/sysconfig/netconf.C | sed 's/[():]/ /g' | sed ' s/^.* via/ gw/' | sed ' s/^.*dest / route add -net /' | awk ' {if($0~/\/32/) { gsub(/-net/,"-host "); print} else print} '| awk ' {if(NR % 2 == 1) {gsub(/$/," "); printf($0)} else print} '

After you run you will get something like that to the stdout:

route add -net “192.168.9.0/22″ gw 10.20.20.6
route add -net “172.16.11.0/24″ gw 10.20.20.6
route add -net “172.16.12.0/24″ gw 10.20.20.6
route add -net “172.16.13.0/24″ gw 10.20.20.6

Find SmartCenter address on the firewall module

Yuri — Mon, 23 Aug 2010 16:52:37 +0000

I am sure there are gazillion ways to find the IP address of the managing this module SmartCenter but here comes the one I use. Works on firewall module as well as on the SmartCenter itself , even more – gives the same result, surprising no ?

[Expert@FW-XL1]# fw tab -t management_list -f

Using cptfmt
localhost:
Date: Aug 23, 2010
19:26:11 192.168.29.22 > : (+)====================================(+);
Table_Name:
management_list; : (+); Attributes: static, id 3; product: VPN-1 & FireWall-1;
19:26:11 192.168.29.22 > Key: c2ac5801, c2ac5801; product: VPN-1 & FireWall-1;

Subnet calculator in Checkpoint

Yuri — Sun, 22 Aug 2010 09:03:55 +0000

Should you ever forget intricacies of the subnetting Checkpoint bothered not to strip subnetting calculator from their Splat – ipcalc, so use it and litter not your memory with useless info.
Given subnet show the 1st Ip (network) :

# ipcalc -n 192.168.34.45/27

NETWORK=192.168.34.32

Given subnet show the last IP (broadcast) :

# ipcalc -b 192.168.34.45/27

BROADCAST=192.168.34.63

Be careful though what you feed as no proof-reading is done by the ipcalc :

# ipcalc -b 192.168.34.45/33

BROADCAST=255.255.255.255

Restart Checkpoint Smart Center only

Yuri — Thu, 19 Aug 2010 18:38:53 +0000

Neither mine nor new idea, but it comes to the top 10 questions I hear on a daily basis so here is how to restart Smart Center only, that is if it is a stand alone installation where Smartcenter resides on the same machine where the firewall module does,this command will stop then start Smart Center only NOT influencing the firewall function in anyway. This way firewalling will run uninterrupted with no down time.
I guess I took it from CPUG forum .Stop SmartCenter :
cpwd_admin stop -name FWM -path “$FWDIR/bin/fw” -command ” fw kill fwm”

Start it again :
cpwd_admin start -name FWM -path “$FWDIR/bin/fwm” -command “fwm”

Restart SNMP daemon on Checkpoint

Yuri — Sat, 14 Aug 2010 06:26:48 +0000

While not being anything noticeable by itself, the problem was that all monitored snmp values were normal but cpu showed 100% on the Open server with 7 CPUs , it
did remind me that you should always record the current state before doing the changes.
As I said it was an openserver that client monitors with snmp and suddenly it alerted on CPU 100% and as this server has 7 CPUs it was clear that snmp daemon feels bad.
Also the solution was obvious – restart the snmp daemon on the Checkpoint server.
So going this was I found all the instances of snmp running :

ps ax | grep snmp

1061 ? S 0:08 /usr/sbin/snmpd -Lsd -Lf /dev/null -p /var/run/snmpd -a -c /etc/snmp/snmpd.users.conf 161
1066 ? S 0:00 /usr/sbin/cpsnmpagentx
5808 ? S 0:00 /opt/CPshrd-R65/bin/cpsnmpd -p 260
18973 ttyp1 S 0:00 grep snmp

Then sent kill signal to each one of them , all went ok. But then my ssh session got abruptly disconnected for unrelated reason, so I didn’t have the list of commands and their options seen above and therefore couldn’t restart them. I do have the privilege of access to the heap of other Checkpoint machines so I just enterd one of them and copied snmp daemon commands from there, but if had no such alternative the time consuming search on the Google/cpug.org would have been granted.
Conclusion – before altering some state take note of the current one and record it somewhere (Notepad rules here).

Keep your IPS updated

Yuri — Tue, 10 Aug 2010 06:56:38 +0000

The IPS protection should be up-to-date, no arguing here. But should it also be automatic ?
Well, here Checkpoint thought that not and put no provision for auto updates for the R70.x series. The only way to update IPS protection is either click on Online Update and do it real-time or check "Check for new updates while the SmartDashboard is active", that in turn will not update anything but get you prompted that new updates are available.
In R71 they changed their mind and added configurable scheduled updates menu.
Anyway ,should you want to check what is the latest IPS version available without running the actual update process the link follows:
Defense Updates by Product

MAC finder script

Yuri — Fri, 02 Jul 2010 05:35:37 +0000

While I don’t like going down to Layer 2 , recently I had to do it – I didn’t know IP address of the Cisco router I wanted to connect to but I had access to the Cisco router sitting in the same network. That would be pretty easy to do #show arp on this router and then search on Google to whom belongs each MAC if it wasn’t the subnet mask of /26. Copy pasting each entry of the ARP table into Google didn’t look like a lot of fun. So I wrote a python script that reads MAC addresses in bulk from command line and using downloaded beforehand database of MAC-vendor translations prints vendor for each MAC address. It works for #show arp on CIsco,#show mac-address-table on CIsco switches, #arp -en on Linux (means including Checkpoint), #arp -a on Freebsd ,#show arp of Junos from Juniper, #get sys arp on Fortigate.
Below is the script.
Here:
mac-database.txt – file containing MAC-vendor translation in format , I used standards.ieee.org/regauth/oui/oui.txt as the source with a bit of sed, but if you want ready to use file I recommend nmap-mac-prefixes from nmap source-code distribution http://nmap.org/svn/nmap-mac-prefixes
Download script (to make sure formatting is preserved, an important thing for Python)
http://yurisk.info/scripts/mac-finder.py
Script AND mac database from nmap project – http://yurisk.info/scripts/mac.tar.gz

#!/usr/bin/python
#This script accepts MAC addresses from the command line and
#prints vendor for each mac address
# Author:Yuri, yurisk@yurisk.info,06.2010
import sys
import re
#This function removes from MACs colon or dot and returns MAC as a sequence of HEX chars
def dotreplace(matchobj):
         if matchobj.group(0) == '.':
                return ''
         elif  matchobj.group(0) == ':':
                return ''
#open file with MAC addresses and vendors database,it has form xxxx 
macs=open('mac-database.txt','r')
macs_lines=macs.readlines()
#Read from stdinput
data = sys.stdin.readlines()
for ppp in data:
       popa=re.search('.*([a-f0-9]{4}\.[a-f0-9]{4}\.[a-f0-9]{4}).*',ppp,re.IGNORECASE)
       if popa:
             newpopa=re.sub('\.', dotreplace,popa.group(1))[0:6]
             newpopa_re=re.compile(newpopa,re.IGNORECASE)
             for mac_db in macs_lines:
                 vendor=re.search(newpopa_re,mac_db)
                 if vendor:
                    print ppp.strip(),mac_db[7:]
       popalinux = re.search('.*([a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}).*',ppp,re.IGNORECASE)
       if popalinux:
             newpopalinux=re.sub(':',dotreplace,popalinux.group(1))[0:6]
             newpopalinux_re=re.compile(newpopalinux,re.IGNORECASE)
             for mac_db in macs_lines:
                 vendor=re.search(newpopalinux_re,mac_db)
                 if vendor:
                    print ppp.strip(),mac_db[7:]

       popadash = re.search('.*([a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}).*',ppp,re.IGNORECASE)
       if popadash:
             newpopadash=re.sub('-',dotreplace,popadash.group(1))[0:6]
             newpopadash_re=re.compile(newpopadash,re.IGNORECASE)
             for mac_db in macs_lines:
                 vendor=re.search(newpopadash_re,mac_db)
                 if vendor:
                    print ppp.strip(),mac_db[7:]

Running it:

[root@darkstar ]# ./mac-finder.py

$ arp -a
(10.99.99.150) at 00:50:56:95:74:72 on em0 [ethernet]
(10.99.99.254) at 00:09:0f:31:c8:24 on em0 [ethernet]

(10.99.99.150) at 00:50:56:95:74:72 on em0 [ethernet] VMware, Inc.
(10.99.99.254) at 00:09:0f:31:c8:24 on em0 [ethernet] Fortinet Inc.

Where do I download the Checkpoint Splat image

Yuri — Sat, 26 Jun 2010 07:15:18 +0000

The answer is surprisingly simple – at the Checkpoint.com . On the home page there is a link to download their products Try Our Products (SPLAT, SmartDefense, Endpoint). You need a free General account in UserCenter, then you fill general questions form and get a link to download the real production image of whatever you chose to download. You get an evaluation license for 30 days at the same page , without any license upon install you get unlimited 15-days trial.

8 Things to do before opening ticket with Checkpoint

Yuri — Fri, 25 Jun 2010 10:40:53 +0000

I’ve been doing Checkpoint quite a lot, actually for years now. And this inevitably involves
communicating with the Checkpoint Technical Assistance Centre (TAC) . And while
you can easily come up with impression that it is pretty bad (look around at cpug.org for heated flames about that), my view is that a lot depends on you. The way you manage the ticket and interaction with the Checkpoint TAC is often more important than anything else for successful resolution of the case.
To assist in that I prepared this list of things to do and have in mind before you actually call the TAC and open a case. In my experience following these simple steps will shorten the time and save you nerves substantially.

1.Understand and state the problem exactly.
Clearly defined problem is half the solution. The problem should be described in measurable terms not qualitative ones.
Not "VPN tunnels flap and fail all the time" but "VPN tunnel between this and this peers is coming up for 3-5 minutes then goes down for 10 minutes also communication between sites stops and I see in SmartViewTracker the following… "
Not "If I enable URL filtering all works slow" but "If I enable URL filtering it takes 40 seconds to load the same page that I load in 3 secs without URL-filtering, my download rates from different sites decrease by such and such numbers and in logs I see …"
Screenshots of the error messages are very welcome.

2. "… burden of proof is on the defendant" – gather all needed info even before you get asked to.
Have you worked in a TAC ? No ? Then let me illustrate. The answering Supporter has no slightest idea what the equipment is on your site, what the IP addresses are, whether load-balancers/nat-devices/traffic accelerators are involved, not to mention yours being the 10th case today, in short – he/she knows nothing about your topology, but you ,on the other hand ,having worked for years with the same set up come to think that this knowledge is a known fact to everyone. So please don’t – when approaching the TAC think of it as preparing a presentation that describes your network topology in 10 minutes to a complete stranger on the street (no need to practice this though ).
Topology info you will most probably need to supply:
IP addresses of interfaces and routes of all the devices that are involved in the traffic having a problem.
All NAT/IPS/load balancing/acceleration tempering going on in your network .
Changes in topology that were done just before the problem occurred.

3. Provide Cpinfo files from all the Checkpoint devices involved.
Checkpoint Support engineer most probably has no access to your firewall. And still she/he has to fully understand its configuration and state. The closest to accessing the firewall thing is providing Cpinfo file. If you have a distributed Checkpoint setup do it for all devices as well.
It is also advisable to make sure that all your devices have the latest Cpinfo utility installed [sk30567]. Unfortunately regular users can’t download it from Checkpoint Usercenter you will need at least Partner account with them.

NOTE Regarding handing over files to the Checkpoint TAC. When you supply them Cpinfo files you provide complete information about your firewall – its rules, objects and their properties etc. Think of it as if you were giving them the one-to-one copy of the firewall. So if you have some privacy/confidentiality reservations take it into account .

4. Do a packet capture that also includes the problematic traffic.
Should you have any sort of case demanding serious debug be prepared to attach to the case captured traffic while replicating the problem. Of course consider the load on the firewall but usually to see if there are any drops on the traffic Checkpoint will ask you to do fw monitor –o capture.cap .
Supplement this capture with output of fw ctl zdebug drop > dropped.txt

5.If opening the case through the Checkpoint website and the problem is rather urgent do a follow up call Contact list.
When you open a case it is being put in the queue of all other cases waiting to be assigned to Support Engineers. It happens on FIFO basis (each severity level has its own queue I guess). So it may wait there for few good hours. In such cases and when the case justifies it you may call the TAC and ask the person (not demand) to speed up assigning your case to the Technical Engineer. I used this procedure and usually the case was assigned to someone 15 minutes after my call.

6.Provide correct and most available means to contact you back.
Nothing can be more disheartening for a Supporter than to get a case and then chase you for hours/days.

7. If you work for Checkpoint Partner or proudly hold CCSE/CCSE+ certs do actually some debug yourself .
Working for Checkpoint Partner (as I do) in my opinion not only gives us immediate unrestricted access to the TAC but also the responsibility to do as much as possible to debug the problem ourselves (moreover it sucks to look amateurish) . I should state that I don’t always follow this advice but always try to.
Make the “The NGX Advanced Technical Reference Guide (ATRG) “ [sk31221] your night reading and you will decrease the number of open tickets by 50% guaranteed .
When you do relevant debug even without being able to understand results you save many hours of waiting for the TAC Supporter to just ask you for the very same debug and its logs.

8. In case of emergency call 911 and ask for remote session.
In urgent cases when you experience heavy downtime be prepared and even ask for remote session with the Supporter that got your case. Checkpoint have the TeamViewer-alike software that will allow them to connect to your workstation while it is connected to the firewall. Also the last time I checked this software had no (identifiable) keyloggers/Trojans so don’t worry .