yurisk.info

Yuri Slobodyanyuk's blog on IT Security and Networking sharing experience and expertise

Category: Checkpoint NG/NGX/GAIA (page 10 of 10)

Don’t rely on SmartViewTracker only – it may lie

A funny case of WYSIWYG misleading the uninitiated. It involved a seemingly normally functioning Checkpoint firewall which, after the client created a rule to allow FTP from Any to his server in the DMZ (no NAT involved), still refused the connections. The client, being quite experienced himself, opened SmartViewTracker, filtered on the rule (here rule 77) and saw nothing (Log was of course enabled on the rule). OK, he thought, cancelled the filter and also looked at the clean-up rule, Any -> Any = Drop (log enabled), and ... again saw no hits at all. At this stage he approached us with a
request to check the Linkproof in front of this firewall, as ” it doesnt pass traffic to my FTP server”.
I did the usual thing: ssh in, fw monitor on the FTP server IP and, hurrah, saw
myself reaching the FTP server IP but on the input interface only. “Aha, dropped by a rule
for sure”, and it took me another minute to prove it (to myself and to the client)
with this:

Here:
194.99.73.13 – FTP server in DMZ (IP sanitized, of course)
124.92.11.33 – my IP

[Expert@firewall2070]# fw ctl zdebug drop | grep 194.99.73.13
fw_log_drop: Packet proto=6 124.92.11.33:53408 -> 194.99.73.13:21 dropped by fwhold_expires Reason: held chain expired
fw_log_drop: Packet proto=6 124.92.11.33:53408 -> 194.99.73.13:21 dropped by fw_handle_first_packet Reason: Rulebase drop – rule 77

To remind – rule 77 was Any -> 194.99.73.13 (Service FTP) = Allow (log)

Why the rule didn’t work is another question, but the reason was a messed-up rulebase the client had made: further
down the rulebase was another rule to the same server partly overlapping this one, and the moment I disabled the
second rule everything started to work.

So the conclusion: don’t rely on SmartViewTracker alone for debugging, there can be too many
reasons why it is not logging or showing logs as it should.
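Once fw ctl zdebug drop is running, the output quickly gets noisy on a busy gateway. The following summariser, an added example and not code from the original post, counts drops per destination, dropping function and reason, and takes an optional IP filter that does the job of the grep above. It assumes the line layout shown in the post (fw_log_drop: Packet proto=N src:port -> dst:port dropped by <fn> Reason: <text>); the sample lines are constructed, modelled on the two lines above.

```shell
#!/bin/sh
# Summarise "fw ctl zdebug drop" output by destination, dropping function and
# reason, so a rulebase drop stands out among the noise.
# Added example, not from the original post. Assumes the line layout shown in
# the post: "fw_log_drop: Packet proto=N src:port -> dst:port dropped by <fn> Reason: <text>".
# Usage: fw ctl zdebug drop | summarize_drops [ip]   (ip filters like the grep above)

summarize_drops() {
    LC_ALL=C awk -v host="${1:-}" '
    host != "" && index($0, host) == 0 { next }   # keep only lines mentioning the IP
    /^fw_log_drop: Packet/ {
        dst = $6; fn = $9                          # "dst:port" and the dropping function
        reason = $11                               # everything after "Reason:"
        for (i = 12; i <= NF; i++) reason = reason " " $i
        count[dst " " fn " " reason]++
    }
    END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k2,2 -k1,1nr                # by destination, most frequent first
}

# Constructed sample, modelled on the two lines shown in the post
SAMPLE_DROPS='fw_log_drop: Packet proto=6 124.92.11.33:53408 -> 194.99.73.13:21 dropped by fwhold_expires Reason: held chain expired
fw_log_drop: Packet proto=6 124.92.11.33:53408 -> 194.99.73.13:21 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 77
fw_log_drop: Packet proto=6 124.92.11.33:53409 -> 194.99.73.13:21 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 77
fw_log_drop: Packet proto=17 10.1.1.5:1234 -> 194.99.73.20:53 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 120'

# Same view the post's grep gave, but counted: the rule 77 drops show up as 2 hits
printf '%s\n' "$SAMPLE_DROPS" | summarize_drops 194.99.73.13
```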

UTM or Power ? Checkpoint

UTM or Power ?
How do you know, when logged in with ssh, what type of machine you are working with?
I know 3 ways to find out:

1) By the interface names, see the difference:

UTM
(output edited for conciseness)

[Expert@Firewall]# ifconfig
DMZ Link encap Ethernet HWaddr 00 90 FB 22 11 00
DMZ.10 Link encap Ethernet HWaddr 00 90 FB 22 11 00
DMZ.20 Link encap Ethernet HWaddr 00 90 FB 22 11 00
DMZ.30 Link encap Ethernet HWaddr 00 90 FB 22 11 00
DMZ.40 Link encap Ethernet HWaddr 00 90 FB 22 11 00
DMZ.50 Link encap Ethernet HWaddr 00 90 FB 22 11 00
DMZ.60 Link encap Ethernet HWaddr 00 90 FB 22 11 00
DMZ.70 Link encap Ethernet HWaddr 00 90 FB 22 11 00
DMZ.80 Link encap Ethernet HWaddr 00 90 FB 22 11 00

External Link encap Ethernet HWaddr 00 90 FB 22 11 00

Internal Link encap Ethernet HWaddr 00 90 FB 22 11 00

Lan1 Link encap Ethernet HWaddr 00 90 FB 22 11 00
Lan2 Link encap Ethernet HWaddr 00 90 FB 22 11 00
Lan2.2 Link encap Ethernet HWaddr 00 90 FB 22 11 00
Lan2.3 Link encap Ethernet HWaddr 00 90 FB 22 11 00
Lan2.4 Link encap Ethernet HWaddr 00 90 FB 22 11 00
Lan2.5 Link encap Ethernet HWaddr 00 90 FB 22 11 00
lo Link encap:Local Loopback

VPN Power –
(output edited for conciseness)
Here you will see the usual output, as seen on any Linux-installed server.
[Expert@CP]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:33:12:FD:47:92
eth1 Link encap:Ethernet HWaddr 00:33:12:FD:47:12
eth3 Link encap:Ethernet HWaddr 00:33:12:FD:47:55
lo Link encap:Local Loopback

2) By the installed product names (seen on the cpug.org forum somewhere):

[Expert@CP]# sysconfig
-> Option 10 “Product installation..” -> Next -> Yes; it then presents you with the products available for
this hardware.

UTM
The following products are available in this version
Please select product(s)

1 [x] VPN-1 UTM
2 [ ] UserAuthority
3 [x] SmartCenter UTM
4 [x] Eventia Suite
5 [ ] Integrity
6 [ ] Performance Pack
7 [x] SmartPortal

VPN Power

The following products are available in this version
Please select product(s)

1 [x] VPN-1 Power
2 [ ] UserAuthority
3 [x] SmartCenter
4 [ ] Eventia Suite
5 [ ] Integrity
6 [ ] Performance Pack
7 [ ] SmartPortal

3) Yet another way, this time provided by Checkpoint itself:
/bin/is_power
/bin/is_appliance

Running each of them prints to the terminal either 0 or nothing; the one that prints nothing identifies the
type of software we are working with.
If you know of other ways to find out, feel free to share.

Change password for console expert user Checkpoint Splat

As seen many times, Checkpoint has its own way of doing otherwise simple and straightforward tasks. Changing
the password of a shell account is another example.
By default, when installed, Splat creates two console/OS users, admin and root. You can’t log in remotely
(i.e. by ssh) as root, as /etc/ssh/sshd_config contains this:
DenyUsers root shutdown halt nobody ntp pcap rpm
AllowGroups root

So basically you are left with the admin user for all command line tasks (Expert mode), a security flaw by itself, but even worse,
when you try to change the password of this user with the passwd command
Checkpoint doesn’t let you. Worse still, it happily goes ahead and notifies you that the password has been
changed successfully and … you can still log in only with the old password. The reason is here:

[Expert@cp]# which passwd
alias passwd=’/bin/expert_passwd’
/bin/expert_passwd
[Expert@cp]#

This way Splat tricks you into running a dummy ‘passwd’ of its own that is only good for the CPshell
environment. So to really change the password of the Expert user you have 2 options:
1) Through the web device management GUI (not covered here)
2) Use the native passwd, see below

[Expert@cp]# /usr/bin/passwd rambo
Changing password for user rambo.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
[Expert@cp]#

Here:
/usr/bin/passwd – the Linux native passwd utility
rambo – an Expert user I added to the system, after which I blocked remote login for user admin (or type
admin for the default user).

Adding an Expert user:
To add another user with uid 0 use the switch -o:

[Expert@cp]# useradd -u 0 -g 0 -o -s /bin/bash rambo

Then change the password as above and fix /etc/ssh/sshd_config to allow rambo to log in and block
admin:

DenyUsers root shutdown halt nobody ntp pcap rpm admin
AllowGroups root
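The last step is the one that locks you out if you get it wrong: DenyUsers is checked before AllowGroups, and a uid-0 user is only admitted because his group is root. The checker below, an added example and not part of the original post, replays sshd's Deny/Allow evaluation order (DenyUsers, AllowUsers, DenyGroups, AllowGroups; exact names only, no patterns or Match blocks) against an sshd_config read from stdin, so the new config can be verified before the sshd restart. The config excerpt is constructed to match the final state described above.

```shell
#!/bin/sh
# Would sshd let USER (member of GROUP...) in, given the Deny/Allow lines of an
# sshd_config on stdin? Exit 0 = permitted, 1 = denied.
# Added example, not from the original post. Simplified model of sshd's order:
# DenyUsers, then AllowUsers, then DenyGroups, then AllowGroups; exact names only.
# Usage: ssh_login_permitted USER GROUP... < /etc/ssh/sshd_config
ssh_login_permitted() {
    user=$1; shift
    awk -v user="$user" -v groups="$*" '
    BEGIN { n = split(groups, g, " ") }
    $1 ~ /^#/ { next }
    tolower($1) == "denyusers"   { for (i = 2; i <= NF; i++) if ($i == user) { denied = 1; exit } }
    tolower($1) == "allowusers"  { has_au = 1; for (i = 2; i <= NF; i++) if ($i == user) in_au = 1 }
    tolower($1) == "denygroups"  { for (i = 2; i <= NF; i++) for (j = 1; j <= n; j++) if ($i == g[j]) { denied = 1; exit } }
    tolower($1) == "allowgroups" { has_ag = 1; for (i = 2; i <= NF; i++) for (j = 1; j <= n; j++) if ($i == g[j]) in_ag = 1 }
    END {
        if (denied) exit 1            # an explicit deny always wins
        if (has_au && !in_au) exit 1  # AllowUsers present but user not listed
        if (has_ag && !in_ag) exit 1  # AllowGroups present but none of the groups listed
        exit 0
    }'
}

# Constructed sshd_config excerpt matching the final state described in the post
SAMPLE_SSHD_CONFIG='Port 22
DenyUsers root shutdown halt nobody ntp pcap rpm admin
AllowGroups root'

check() {   # print one verdict for USER GROUP...
    u=$1; shift
    if printf '%s\n' "$SAMPLE_SSHD_CONFIG" | ssh_login_permitted "$u" "$@"; then
        echo "$u: login permitted"
    else
        echo "$u: login denied"
    fi
}
check rambo root    # uid 0 / gid 0 user added with useradd -o: in group root
check admin root    # now listed in DenyUsers
check root root     # denied as before
check bob users     # not denied, but not in AllowGroups either
```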

Clear ARP table in Checkpoint

Yesterday my colleague asked how to clear all entries in the ARP table of the
NGX in question (Splat). I thought the Linux arp command would include a switch for that case too, but it doesn’t. To delete an ARP entry from the ARP cache you use #arp -d <IP address to be deleted>, and it has no provision for deleting multiple entries in one go. So here is the one-liner
that does just that, clears all entries in the ARP cache. I found it on Google and
slightly rearranged it for brevity (note: it is one line of text):

for ip in $(awk '/([[:digit:]]\.)+/ {print $1}' /proc/net/arp) ; do  arp -d $ip ; done

Manage VPN tunnels smartly: forget vpn tu,enter the vpn shell

Deleting the IKE/IPsec security associations of established VPNs is an inevitable part of any VPN-related debug. The standard tool promoted by Checkpoint (take CCSA, CCSE etc.) is vpn tu, which nevertheless has always had a very annoying bug (feature?): you can delete ALL VPN tunnels at a time and none individually!! It does present the option
” Delete all IPsec SAs for a given peer (GW)”, but it just plain doesn’t work. Once confronted with this problem, which can make the debug more devastating than the problem itself, I started looking for alternatives. To my surprise CP has a perfect alternative for this,
vpn shell, which provides acceptable means of managing tunnels. Here are the details:
vpn shell can: delete IKE/IPsec SAs selectively, add/delete VTI interfaces, and show information about all of that.
To enter this shell:
[Expert@gw1]# vpn shell
 ?             – This help
 ..            – Go up one level
 quit          – Quit
[interface   ] – Manipulate tunnel interfaces
[show        ] – Show internal data
[tunnels     ] – Manipulate tunnel data

After hitting Enter you are put into a subshell with a hierarchical way of moving around, so to continue into the show subtree you type show and hit Enter:
VPN shell:[/] > show
 ?             – This help
 ..            – Go up one level
[interface   ] – Show interface(s) and their status
[tunnels     ] – Show SA(s)
VPN shell:[/show] >

Your prompt changes to the path inside vpn shell; to go 1 level up (return) type .. and Enter:
VPN shell:[/show] > ..
 ?             – This help
 ..            – Go up one level
 quit          – Quit
[interface   ] – Manipulate tunnel interfaces
[show        ] – Show internal data
[tunnels     ] – Manipulate tunnel data
VPN shell:[/] >

In addition, if you know the full path inside vpn shell to the command you wish to run, you can type it directly:

e.g. To see all IKE tunnels:
[Expert@gw1]# vpn shell
 ?             – This help
 ..            – Go up one level
 quit          – Quit
[interface   ] – Manipulate tunnel interfaces
[show        ] – Show internal data
[tunnels     ] – Manipulate tunnel data
VPN shell:[/] > tunnels show IKE all

Peer 193.x.x.x:

        1. IKE SA <8755c7fb24a52e9b,5d46b29d0f0bb5b7>:
VPN shell:[/] >
e.g. 2 To delete the IKE SAs for a specific peer:
VPN shell:[/] > tunnels delete IKE peer 193.3.3.3

NOTE: the interface subtree is for dealing with VTI interfaces.

And finally, to leave the vpn shell and return to the SSH shell:
Get to the root by typing .. as many times as needed and then quit:

VPN shell:[/show/tunnels/IKE] > ../../..
 ?             – This help
 ..            – Go up one level
 quit          – Quit
[interface   ] – Manipulate tunnel interfaces
[show        ] – Show internal data
[tunnels     ] – Manipulate tunnel data
VPN shell:[/] > quit
[Expert@gw1]#

SSH session timeout in Checkpoint NG/NGX

Ever got swearing when in the middle of an fw monitor / debug session you got abruptly thrown out on session timeout?? Me too. While naively thinking the ssh timeout is managed by the sshd/ssh configs, I was surprised to learn CP did it their way.

It turned out the definitions for the interactive session live here: cat /etc/bashrc
<CUT>   

# By default, log out the user after three minutes of unattended prompt
export TMOUT=180
export SHELL=/bin/bash
# Take into account idle setting of cpshell, if available
if [ -f /etc/cpshell/cpshell.state ]; then
   idle=`grep idle /etc/cpshell/cpshell.state | sed s/idle=//`
   if [ $idle"UNDEFINED" = "UNDEFINED" ]; then
          idle=3
   fi
   export TMOUT=`expr $idle \* 60`
fi

 

So to change the default timeout for the ssh session you can:

1) Set the idle variable in /etc/cpshell/cpshell.state (it is multiplied by 60 later):

cat /etc/cpshell/cpshell.state
audit=100
idle=100
scroll=1

2) Change the last export directly to whatever you wish (value in seconds):

export TMOUT=7000

Personally, when working on a client’s firewall, I set it manually when a long debug session is expected:

[Expert@cp]# TMOUT=700
[Expert@cp]# export TMOUT

Telnet from inside Checkpoint firewall

Yesterday I saw a strange problem: connections from outside to an Exchange server in the LAN timed out, while in Tracker all connections to port 25 were green. Stranger still, through the client-to-site VPN and from inside the LAN everything worked perfectly well. So I wasn’t 100% sure it wasn’t the firewall causing this. The next best way to check would be a telnet from inside the NGX (R65 in this case) to port 25 of the Exchange by its LAN IP … only Checkpoint doesn’t include a telnet client in Splat. If I had enough time I’d compile a telnet client statically on some Linux box with the same kernel/libraries and copy it to the NGX for testing, but to do it ASAP I hacked a small AWK script that emulates telnet (just enough for a test); the scripts are below.

BTW this script made it 100% clear there was some problem with Exchange over which I had no control: from the firewall its port 25 answered very erratically, once OK, 10 times connection refused. So after a double check
the client found that from the LAN and VPN it also wasn’t as stable as he first thought.

 

General telnet client script:

[Expert@cp]# awk -v ip=192.168.0.1 -v port=25 -f telnet.awk

Where:
  ip – IP to connect to
  port – port to connect to

#!/usr/bin/awk -f
# This is a simple telnet emulation script whose purpose is to try to
# connect to a given IP on a given port over TCP and print to the
# terminal the first line received from the server if the session is
# established. It has no functionality beyond establishing a TCP
# connection and printing the text received from the server; after
# that it just exits. It was created to debug connectivity issues on
# a Checkpoint NGX firewall that has no built-in telnet client.
# Needs gawk: the /inet/tcp special file and |& are gawk extensions.
# Client
BEGIN {
    server = "/inet/tcp/0/" ip "/" port
    # read one line from the server (e.g. the SMTP 220 banner);
    # getline returns <= 0 if the connection could not be made
    if ((server |& getline) > 0)
        print $0
    else
        print "no connection to " ip ":" port
    close(server)
}

Next is the same script with an add-on for port 80, to get some response from a web server:

#!/usr/bin/awk -f
# Same as above, but sends an HTTP request first so a web server answers.
# Needs gawk (/inet/tcp and |& are gawk extensions).
BEGIN {
    server = "/inet/tcp/0/" ip "/" port
    # Host: is required by HTTP/1.1; Connection: close makes the server
    # hang up after the reply, so the read loop below terminates
    print "GET / HTTP/1.1\r\nHost: " ip "\r\nConnection: close\r\n\r\n" |& server
    while ((server |& getline) > 0)
        print $0
    close(server)
}

 

PS Thanks to Aibulat (see comments) for the info; it turns out there is a telnet client available on the Splat CD-ROM. It is just not installed by default when installing Splat.
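The erratic behaviour described above (once OK, 10 times refused) is exactly what a single connect attempt hides, so the probe below repeats the connection a given number of times and reports how many succeeded, optionally sending a request first like the port-80 script. It is an added example, not from the original post, and it uses bash's /dev/tcp redirection (a bash built with network support) instead of gawk's /inet/tcp, so it needs neither gawk nor telnet.

```shell
#!/bin/bash
# Repeated TCP connect test with an optional request and a first-line read,
# as a stand-in for telnet on a box without one. Added example, not from the
# post; uses bash's /dev/tcp instead of gawk's /inet/tcp.
# Usage: tcp_probe HOST PORT [COUNT] [REQUEST]
#   per-attempt detail goes to stderr, the final "ok/total" count to stdout;
#   exit status 0 if at least one attempt connected.

probe_once() {   # connect to $1:$2, send $3 if given, print the first reply line
    exec 3<>"/dev/tcp/$1/$2" || return 1
    [ -n "$3" ] && printf '%b' "$3" >&3
    IFS= read -r -t 3 line <&3 || true   # wait up to 3 s for a banner/reply
    exec 3>&-
    printf '%s\n' "$line"
}

tcp_probe() {
    host=$1 port=$2 count=${3:-1} request=$4 ok=0 i=0
    while [ "$i" -lt "$count" ]; do
        i=$((i + 1))
        # run the attempt in a subshell: a failed exec redirection must not
        # take the whole script down, and the reply is captured from stdout
        if reply=$(probe_once "$host" "$port" "$request" 2>/dev/null); then
            ok=$((ok + 1))
            echo "attempt $i: connected, first line: ${reply:-<none>}" >&2
        else
            echo "attempt $i: connection failed" >&2
        fi
    done
    echo "$ok/$count"
    [ "$ok" -gt 0 ]
}

# Like the post's SMTP case: hit port 25 a few times to see whether the
# service answers consistently (defaults to localhost; pass host port count)
tcp_probe "${1:-127.0.0.1}" "${2:-25}" "${3:-3}" || echo "no attempt connected" >&2
# For a web server, send a request first, as the post's second script does:
#   tcp_probe www.example.com 80 1 'GET / HTTP/1.0\r\n\r\n'
```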


© 2016 yurisk.info
