Yuri Slobodyanyuk's blog on IT Security and Networking sharing experience and expertise

Category: Checkpoint NG/NGX/GAIA (page 2 of 10)

SCP and Checkpoint R75 problems

There is a known issue with transferring big files (bigger than 1 Mb) from/to a SecurePlatform firewall by Checkpoint that you should be aware of: the transfer fails with an error about buffers. The cause is that Checkpoint SPLAT ships an old opensshd daemon with a bug dating from 2006 (https://bugzilla.redhat.com/show_bug.cgi?id=184357) that makes the transfer fail if the SCP client tries to use a buffer bigger than 1 Mb. And as (the only) Windows-based client, WinSCP (which in turn uses putty code), has been using a buffer larger than that for ages, trying to use versions of WinSCP newer than 3.x results in failure.
Checkpoint has a hotfix for that, according to SK sk66195, but the less intrusive alternative is to use older versions – pscp 0.60 and WinSCP 3.x (e.g. 3.7.4).

Check duplex and speed settings of all interfaces in one go

One of the first things you do when troubleshooting connectivity issues on a Checkpoint (or any networking gear, for that matter) is to check the speed and duplex parameters of the interfaces. But have you tried to do it on a firewall with 15-20 interfaces?
No fun entering the interface names one by one. Here is the one-liner I use to get the speed and duplex settings of all interfaces in one go.
# for ii in $(ifconfig | awk ' /Ethernet/ {print $1}') ;do ethtool $ii; done | egrep  'eth|Speed|Duplex'
Settings for eth0:
Speed: 100Mb/s
Duplex: Full
Settings for eth1:
Speed: 1000Mb/s
Duplex: Full
Settings for eth1.150:
Speed: 1000Mb/s
Duplex: Full
Settings for eth1.160:
Speed: 1000Mb/s
Duplex: Full
Settings for eth1.161:
Speed: 1000Mb/s
Duplex: Full
Settings for eth1.270:
Speed: 1000Mb/s
Duplex: Full
Settings for eth1.271:
Speed: 1000Mb/s
Duplex: Full
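Once the loop above has produced a few dozen "Settings for" blocks it is easy to overlook the one interface that negotiated half duplex. The Python below is an added example, not code from the original post: it parses the concatenated ethtool output and flags link-down, half-duplex and slower-than-expected interfaces. The SAMPLE text is constructed (it imitates the loop's output with a half-duplex and a link-down interface added so the checks have something to find); the 1000 Mb/s expectation in find_problems() is an assumption, and collect() runs the real ethtool binary on interface names you pass in.

```python
"""Parse `ethtool` output for many interfaces and flag the usual suspects.
Added example, not code from the original post. SAMPLE is constructed."""
import re
import subprocess

SAMPLE = """\
Settings for eth0:
    Supported ports: [ TP MII ]
    Supported link modes:   10baseT/Half 10baseT/Full
                            100baseT/Half 100baseT/Full
    Speed: 100Mb/s
    Duplex: Half
    Auto-negotiation: on
    Link detected: yes
Settings for eth1:
    Speed: 1000Mb/s
    Duplex: Full
    Auto-negotiation: on
    Link detected: yes
Settings for eth1.150:
    Speed: 1000Mb/s
    Duplex: Full
    Auto-negotiation: on
    Link detected: yes
Settings for eth2:
    Speed: Unknown!
    Duplex: Unknown! (255)
    Auto-negotiation: on
    Link detected: no
"""


def parse_ethtool(text):
    """Return {interface: {"Speed": ..., "Duplex": ..., "Link detected": ..., ...}}."""
    ifaces, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Settings for (\S+):", line)
        if m:
            current = m.group(1)
            ifaces[current] = {}
            continue
        key, sep, value = line.strip().partition(":")
        # continuation lines of "Supported link modes" carry no colon and are skipped
        if current is not None and sep:
            ifaces[current][key.strip()] = value.strip()
    return ifaces


def speed_mbps(value):
    """'1000Mb/s' -> 1000; 'Unknown!' (no link) -> None."""
    m = re.match(r"(\d+)Mb/s", value or "")
    return int(m.group(1)) if m else None


def find_problems(ifaces, min_speed=1000):
    """Half duplex, link down and slower-than-expected links, sorted by interface name.
    min_speed is an assumption; set it to whatever the switch side should negotiate."""
    problems = []
    for name, s in sorted(ifaces.items()):
        if s.get("Link detected") == "no":
            problems.append((name, "no link"))
            continue
        if s.get("Duplex") == "Half":
            problems.append((name, "half duplex"))
        speed = speed_mbps(s.get("Speed"))
        if speed is not None and speed < min_speed:
            problems.append((name, f"speed {speed}Mb/s below {min_speed}Mb/s"))
    return problems


def collect(names):
    """Run the real ethtool on each interface name (same loop as the one-liner above)."""
    chunks = [subprocess.run(["ethtool", n], capture_output=True, text=True, check=False).stdout
              for n in names]
    return parse_ethtool("".join(chunks))


if __name__ == "__main__":
    for name, why in find_problems(parse_ethtool(SAMPLE)):
        print(f"{name}: {why}")
```

On a real box call collect() with the names from ifconfig instead of SAMPLE; VLAN sub-interfaces such as eth1.150 report the speed of their parent, so a half-duplex parent shows up once per VLAN.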

Funny way to expire Antispam license in Checkpoint

After years with Checkpoint products I have come to the conclusion that if you don’t have a logical explanation for why something doesn’t work, it is most probably a license issue.
My client stopped getting emails behind a UTM-132 at some remote branch. Doing the basics – telnet to port 25 (the Checkpoint answered as it should) and checking that Exchange answered on port 25 as well – didn’t turn up anything.
Then I looked at the mail spool on the Checkpoint and voila, all the emails that hadn’t reached the internal Exchange were stuck there for no obvious reason.
The reason became obvious when I looked at SmartView Tracker and saw the message “AntiSpam service license expired”. Only then did I recall that this UTM once had a Total Security license that included the Antispam, but it had expired long ago.
Why, upon license expiry, Checkpoint decided to “hijack” the mails instead of passing them without Antispam filtering remains without an answer.

awk weekly – Security rule hit statistics. Checkpoint

As I mentioned before, once you export firewall logs into a human-readable format you can do lots of interesting things – for example a script that gives statistics on how many times each Security rule was hit.
Be aware that this counts explicit Security rules only – i.e. the ones you see in the Security tab of SmartDashboard. None of the other rules you usually see in SmartView Tracker are counted – e.g. SmartDefense, Web Filtering etc. Afterwards I sort by the number of hits to see which rules are used most:

awk -F\; ' {match($0,/rule: +([0-9]+)/,rules);rule_count[rules[1]]++} END {for (rule_number in rule_count) print " Rule number: " rule_number " Hits: " rule_count[rule_number]}' ./fw.log.txt | sort -n -k5
 Rule number:  Hits: 1197330
(Ignore this first line with the empty rule number: it counts the records that didn’t match, which I didn’t want to filter out with additional conditions and the extra processing time.)
 Rule number: 2 Hits: 9
 Rule number: 5 Hits: 366
 Rule number: 11 Hits: 12296
 Rule number: 9 Hits: 14457
 Rule number: 0 Hits: 17094
 Rule number: 1 Hits: 44066
 Rule number: 7 Hits: 233643
 Rule number: 10 Hits: 366275
 Rule number: 6 Hits: 424639 
Update 2012: Below is the script that uses the Rule ID instead of the sequential rule number – this way changing the rule order will not affect the statistics. The script also matches non-security rules – e.g. the email session id, which is a bit shorter than a Rule ID – but I didn’t want to slow down the processing with additional filtering.
awk -F\; ' {match($0,/{([[:print:]]+)}/,rules);rule_count[rules[1]]++} END {for (rule_number in rule_count) print " Rule number: " rule_number " Hits: " rule_count[rule_number]}' ./fw.log.txt | sort -n -k5
Rule number: D199972C-ED3E-4EB4-8B83-813333156D18 Hits: 175
 Rule number: 85A905A7-951E-4100-A4BA-E13333151D29 Hits: 219
 Rule number: 81333316-E942-4313-BB7D-E1333315802F Hits: 1519
 Rule number: 71333215-2DB5-4A3A-95BC-5080AD0F5564 Hits: 2298
 Rule number: 11331315-AE52-44E0-A42A-711029B5768E Hits: 3755
 Rule number: 01333315-D290-4B05-AFE7-23BF24D889FF Hits: 4116
 Rule number: 121FA62F-3885-4328-8090-BF1333315eB1 Hits: 399793
 Rule number: FE40E076-BAEB-4979-8E41-5EF1333315e6 Hits: 440101
 Rule number: BB3F6772-4D38-4D5A-952A-301333315de8 Hits: 1354341
Running time for a file of 900 Mb with 4.7 million records
real    5m50.287s
user    4m22.890s
sys     0m3.190s
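The same statistics in Python, added here as an example and not the post's awk: it counts hits per rule number and per Rule ID, keeps the non-matching records as a separate count instead of an empty rule, and only accepts a full 8-4-4-4-12 hex value in braces so that the shorter email session ids mentioned above are not mixed into the Rule ID statistics. SAMPLE_LOG is constructed; the field names rule_uid and email_session_id are assumptions, while the Rule IDs are the ones shown in the output above.

```python
"""Count Security rule hits in an exported (semicolon-separated) Check Point log,
by rule number and by Rule ID. Added example, not the post's awk; SAMPLE_LOG is
constructed (rule_uid / email_session_id field names are assumptions)."""
import re
from collections import Counter

SAMPLE_LOG = """\
12Mar2012 10:01:02; accept; eth0; inbound; rule: 6; rule_uid: {BB3F6772-4D38-4D5A-952A-301333315de8}; src: 10.0.0.5
12Mar2012 10:01:03; drop; eth0; inbound; rule: 10; rule_uid: {FE40E076-BAEB-4979-8E41-5EF1333315e6}; src: 10.0.0.7
12Mar2012 10:01:04; accept; eth0; inbound; rule: 6; rule_uid: {BB3F6772-4D38-4D5A-952A-301333315de8}; src: 10.0.0.9
12Mar2012 10:01:05; detect; eth0; inbound; SmartDefense: Malformed Packet; src: 10.0.0.11
12Mar2012 10:01:06; accept; eth1; outbound; rule: 1; rule_uid: {121FA62F-3885-4328-8090-BF1333315eB1}; src: 192.168.1.2
12Mar2012 10:01:07; accept; eth0; inbound; email_session_id: {A1B2C3D4}; src: 10.0.0.13
"""

# same match as the first awk script: "rule: <number>"
RULE_NUMBER = re.compile(r"rule: +(\d+)")
# stricter than the awk {...} match: only a full 8-4-4-4-12 hex Rule ID counts,
# so shorter brace-wrapped values such as an email session id are left out
RULE_UID = re.compile(
    r"\{([0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12})\}")


def count_hits(lines, pattern):
    """Return (Counter of hits per rule, number of records the pattern did not match)."""
    hits, unmatched = Counter(), 0
    for line in lines:
        m = pattern.search(line)
        if m:
            hits[m.group(1)] += 1
        else:
            unmatched += 1
    return hits, unmatched


def by_hits(hits):
    """Ascending by hit count, like `sort -n -k5` on the awk output."""
    return sorted(hits.items(), key=lambda kv: kv[1])


def format_report(hits, unmatched):
    lines = [f" Rule number: {rule} Hits: {n}" for rule, n in by_hits(hits)]
    lines.append(f" (records without a rule match: {unmatched})")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                      # e.g. python3 rulehits.py ./fw.log.txt
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            records = fh.read().splitlines()
    else:
        records = SAMPLE_LOG.splitlines()
    print(format_report(*count_hits(records, RULE_NUMBER)))
    print(format_report(*count_hits(records, RULE_UID)))
```

Reading the whole file into memory is fine for the 900 Mb export above on a workstation; for anything larger, iterate over the open file handle instead of splitlines().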

Time-based access limiting on Checkpoint or any Linux for that matter

Time-based access-lists in the Cisco world have been available since … last century for sure. But is it possible that Linux doesn’t have anything like that? No way – of course it can do it, and do it better. Here is how.
Access control based on the time of day is available via a PAM module, and as almost all software today supports working with PAM modules, it is available universally.
The steps to do it are these:

  • Enable the pam_time.so module for the software of interest in its config file in /etc/pam.d;
  • Configure the time range(s) during which this service accepts connections in the file /etc/security/time.conf;
  • Most probably restart the service, and we are set.
  • E.g. let’s restrict the user ftp_user so that it is able to connect to the vsftpd daemon only during working hours on weekdays.
    – Add to the file /etc/pam.d/vsftpd the following line
    account required /lib/security/pam_time.so
    – Set the time limits in /etc/security/time.conf with this line
    – Restart vsftpd to force it to use the pam_time.so module (needed only the first time)
    # service vsftpd restart
    And now during the off-limit hours ftp_user will not be able to connect by FTP, that is it.

    For Checkpoint all of the above holds true, but as you don’t have many servers there, the most probable candidate for such restrictions is the ssh daemon. Take for example a firewall that the client also has ssh access to: while mail alerts for such access (see Mail alert on ssh access in Checkpoint) will warn me about it, that does me no good if someone on the client side accesses the firewall at 02:00 at night and I only get the alert. But if it can happen during working hours only, I can see such an alert and act on it in real time.
    Example for limiting ssh access to the firewall to working hours only.
    /etc/security/time.conf :
    /etc/pam.d/sshd :
    account required /lib/security/pam_time.so
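Before dropping a new rule into /etc/security/time.conf it is worth checking what it actually permits, because a typo in the day codes silently locks people out (or fails to). The Python below is an added example, not the post's own configuration: it implements the time.conf grammar from pam_time(8) (services;ttys;users;times, day codes Mo..Su plus Al/Wk/Wd with repeated days toggling off, HHMM-HHMM ranges where end < start spans midnight, ! negation, & and | lists) and evaluates a constructed conf text for both cases in the post, ftp_user on vsftpd and everyone on sshd. The hours chosen are assumptions, as is the simplification that the only wildcard supported in the service/tty/user fields is a bare *.

```python
"""Offline checker for pam_time(8) time.conf rules. Added example, not the
blog's own file; SAMPLE_CONF is constructed."""
import datetime as dt
import re

# Constructed: ftp_user may use vsftpd on weekdays 08:00-18:00, everybody may use
# sshd on weekdays 07:00-19:00 and nobody may use sshd at the weekend.
SAMPLE_CONF = """\
# services;ttys;users;times
vsftpd;*;ftp_user;Wk0800-1800
sshd;*;*;Wk0700-1900
"""

DAY_CODES = ["Mo", "Tu", "We", "Th", "Fr", "Sa", "Su"]      # index == datetime.weekday()
DAY_GROUPS = {"Al": set(range(7)), "Wk": set(range(5)), "Wd": {5, 6}}


def _as_datetime(when):
    return dt.datetime.fromisoformat(when) if isinstance(when, str) else when


def parse_days(text):
    """Two-letter day codes; repeats toggle (MoMo = no day, MoWk = Tu-Fr), as the man page says."""
    days = set()
    for i in range(0, len(text), 2):
        code = text[i:i + 2]
        if code in DAY_GROUPS:
            days ^= DAY_GROUPS[code]
        elif code in DAY_CODES:
            days ^= {DAY_CODES.index(code)}
        else:
            raise ValueError(f"unknown day code {code!r} in {text!r}")
    return days


def time_term_matches(term, when):
    """One entry of the times field, e.g. 'Wk0800-1800' or '!Al2200-0500'."""
    when = _as_datetime(when)
    negate = term.startswith("!")
    m = re.fullmatch(r"([A-Za-z]+)(?:(\d{4})-(\d{4}))?", term.lstrip("!"))
    if not m:
        raise ValueError(f"bad time term {term!r}")
    days = parse_days(m.group(1))
    start_s, end_s = m.group(2) or "0000", m.group(3) or "2400"   # assumption: no range = all day
    start = int(start_s[:2]) * 60 + int(start_s[2:])
    end = int(end_s[:2]) * 60 + int(end_s[2:])
    now = when.hour * 60 + when.minute
    if end >= start:
        in_range = start <= now < end
    else:                                      # e.g. 2200-0500 wraps past midnight
        in_range = now >= start or now < end
    hit = when.weekday() in days and in_range
    return not hit if negate else hit


def name_term_matches(term, value):
    """services / ttys / users entry: exact name or '*', optionally negated (simplified)."""
    negate = term.startswith("!")
    term = term.lstrip("!")
    hit = term == "*" or term == value
    return not hit if negate else hit


def logical_list(field, matcher, value):
    """Evaluate an '&' / '|' separated list of terms left to right."""
    tokens = re.split(r"([&|])", field.strip())
    result = matcher(tokens[0], value)
    for op, term in zip(tokens[1::2], tokens[2::2]):
        rhs = matcher(term, value)
        result = (result and rhs) if op == "&" else (result or rhs)
    return result


def allowed(conf_text, service, user, when, tty="*"):
    """pam_time denies as soon as a line applies to service/tty/user but its times field does not match."""
    when = _as_datetime(when)
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        services, ttys, users, times = (f.strip() for f in line.split(";"))
        applies = (logical_list(services, name_term_matches, service)
                   and logical_list(ttys, name_term_matches, tty)
                   and logical_list(users, name_term_matches, user))
        if applies and not logical_list(times, time_term_matches, when):
            return False
    return True


if __name__ == "__main__":
    for svc, usr, ts in [("vsftpd", "ftp_user", "2024-01-10T10:00"),    # Wednesday
                         ("vsftpd", "ftp_user", "2024-01-13T10:00"),    # Saturday
                         ("sshd", "admin", "2024-01-08T02:00")]:        # Monday, 02:00
        print(svc, usr, ts, "->", "allowed" if allowed(SAMPLE_CONF, svc, usr, ts) else "denied")
```

Point it at your real /etc/security/time.conf with open(...).read() to dry-run the sshd line before restarting the daemon; remember that pam_time only consults the file for services whose /etc/pam.d entry has the account line shown above.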

Set NTP time source on Checkpoint to have correct log timestamps

It is hard to argue with the fact that logs are only as good as they are correct, and correct timestamps in the logs are crucial for this. The internal clock is prone to drift over time; in my experience I’ve seen some UTM appliances drift as much as 40 minutes in just one year! Even worse, you can never be sure of the distribution of the drift over time – it may be an incremental drift every day, or a sudden jump due to who knows what.
To prevent this from happening I use NTP time synchronization on all of my servers/firewalls. If you have been in system administration for some time this is old news for you – just use the ntpd daemon and pool.ntp.org servers located close to you, and you are set in 5 minutes.
In Checkpoint they took the hardening of the underlying OS to the extreme and supplied only the outdated ntpdate utility for the task, no ntpd for us.
Not a big deal – I use the cron job below to run ntpdate every 30 minutes to update the firewall clock, and you had better do the same.
*/30 * * * * /usr/sbin/ntpdate 1.uk.pool.ntp.org > /dev/null
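ntpdate steps the clock silently, so the cron job above tells you nothing about how far off the appliance was. The Python below is an added example, not part of the original post: it does the same offset calculation an SNTP client performs (RFC 4330: offset = ((t2 - t1) + (t3 - t4)) / 2) and raises an alert when the offset exceeds a threshold, which is the number you want in a ticket before the log timestamps become untrustworthy. The server reply used by the self-test is constructed so the check runs offline; query_server() performs a real exchange against the pool host from the cron line and its 1-second alert threshold is an assumption.

```python
"""Measure the local clock's offset from an NTP server, the calculation ntpdate
performs before stepping the clock. Added example, not from the blog; the reply
bytes in the self-test are constructed."""
import socket
import struct
import time

NTP_EPOCH_DELTA = 2208988800   # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)


def to_ntp_ts(unix_seconds):
    """Unix float seconds -> 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    secs = int(unix_seconds) + NTP_EPOCH_DELTA
    frac = int((unix_seconds - int(unix_seconds)) * (1 << 32))
    return struct.pack("!II", secs, frac)


def from_ntp_ts(raw8):
    secs, frac = struct.unpack("!II", raw8)
    return secs - NTP_EPOCH_DELTA + frac / (1 << 32)


def build_request(t1):
    """48-byte client packet: LI=0, version 3, mode 3; our send time goes in Transmit Timestamp."""
    pkt = bytearray(48)
    pkt[0] = (0 << 6) | (3 << 3) | 3
    pkt[40:48] = to_ntp_ts(t1)
    return bytes(pkt)


def build_reply(t1, t2, t3, stratum=2):
    """Constructed server reply (mode 4) for offline testing: echoes t1 as Originate
    and carries the server's receive (t2) and transmit (t3) times."""
    pkt = bytearray(48)
    pkt[0] = (0 << 6) | (3 << 3) | 4
    pkt[1] = stratum
    pkt[24:32] = to_ntp_ts(t1)
    pkt[32:40] = to_ntp_ts(t2)
    pkt[40:48] = to_ntp_ts(t3)
    return bytes(pkt)


def parse_reply(pkt, expected_t1):
    """Validate the reply before trusting it: mode 4, synchronised server, and the
    Originate field must echo our own transmit time (rejects stray/unsolicited packets)."""
    if len(pkt) < 48:
        raise ValueError("short NTP packet")
    if pkt[0] & 0x07 != 4:
        raise ValueError("not a server reply (mode != 4)")
    if pkt[1] == 0:
        raise ValueError("stratum 0: kiss-o'-death or unsynchronised server")
    if abs(from_ntp_ts(pkt[24:32]) - expected_t1) > 1e-3:
        raise ValueError("originate timestamp does not match our request")
    return {"stratum": pkt[1], "t2": from_ntp_ts(pkt[32:40]), "t3": from_ntp_ts(pkt[40:48])}


def clock_offset(t1, reply, t4):
    """RFC 4330 offset; positive means the local clock is behind the server."""
    return ((reply["t2"] - t1) + (reply["t3"] - t4)) / 2


def drift_alert(offset, threshold_seconds=1.0):
    """True when the offset is large enough that log timestamps should not be trusted."""
    return abs(offset) > threshold_seconds


def query_server(host="1.uk.pool.ntp.org", port=123, timeout=3.0):
    """Real exchange (network required); returns (offset_seconds, stratum)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        s.sendto(build_request(t1), (host, port))
        data, _ = s.recvfrom(512)
        t4 = time.time()
    reply = parse_reply(data, t1)
    return clock_offset(t1, reply, t4), reply["stratum"]


if __name__ == "__main__":
    # constructed scenario: local clock 5 s slow, 0.2 s round trip
    t1 = 1700000000.0
    reply = parse_reply(build_reply(t1, t1 + 5.1, t1 + 5.1), t1)
    off = clock_offset(t1, reply, t1 + 0.2)
    print(f"offset {off:+.3f}s  alert={drift_alert(off)}")
```

Run query_server() from the same cron schedule and log the offset; a steadily growing value between runs is the incremental drift described above, a one-off large value is the sudden jump.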

All you need to know about networking in Checkpoint firewall SecurePlatform FAQ

Q. How do I see available interfaces, errors on them, IP addresses?
A. # ifconfig

Q. How do I see the routing table of the firewall?
A. # route -en

Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
<network>       <gateway>       <netmask>       U         0 0          0 External
<network>       <gateway>       <netmask>       U         0 0          0 Lan1

Gateway – the gateway via which this network is reachable; 0.0.0.0 (with the -n flag) means the network is configured directly on the interface
Iface – name of the interface via which this network is reachable

Q. How do I see duplex, speed, physical link status of an interface?
A. # ethtool <name of the interface you want to check, names are case-sensitive>
e.g. # ethtool External
Settings for External:
Supported ports: [ TP MII ]
Supported link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
Supports auto-negotiation: Yes
Advertised link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
Advertised auto-negotiation: Yes
Speed: 100Mb/s
Duplex: Full
Port: MII
Transceiver: internal
Auto-negotiation: on
Supports Wake-on: g
Wake-on: g
Current message level: 0x00000007 (7)
Link detected: yes

Q. How do I manually set duplex, speed, autonegotiation settings of an interface?
A. # ethtool -s <name of interface> speed 100
# ethtool -s <name of interface> duplex full
# ethtool -s <name of interface> autoneg off
IMPORTANT: the changes above stay active only until the firewall reboots; to set them permanently see the next answer.

Q. How do I save changes to the interface duplex, speed or autonegotiation permanently?
A. # eth_set <interface> [10h|10f|100h|100f|1000h|1000f|autoneg]
e.g. # eth_set Lan1 100f

Q. How do I add, delete, change routes?
A. Using the # sysconfig utility and its interactive menu (option 6).

Q. How do I delete, change the IP address on an interface?
A. # sysconfig, then option 5.

Q. How do I add, change, delete a VLAN?
A. # sysconfig, then option 5.

Q. How do I see existing VLANs?
A. Either via # sysconfig, then option 5, or ifconfig; VLAN interfaces have the format <physical interface name>.<vlan number>.
e.g. # ifconfig
eth7.301 Link encap:Ethernet HWaddr 00:1B:4A:CF:26:71

Q. Can I combine a few interfaces into one logical interface?
A. Yes, such an interface is called a Bond. Note that out of all interfaces added to the Bond interface only one will be active and passing traffic; the rest will be in standby mode in case the active interface fails.
NOTE 2: In newer versions it is possible to have a bond in Load Sharing mode.

Q. How do I shut and unshut an interface?
A. # ifconfig <interface name> down
# ifconfig <interface name> up


© 2016 yurisk.info
