yurisk.info

Yuri Slobodyanyuk's blog on IT Security and Networking sharing experience and expertise

Category: Checkpoint NG/NGX/GAIA (page 5 of 10)

Find SmartCenter address on the firewall module

I am sure there are gazillion ways to find the IP address of the managing this module SmartCenter but here comes the one I use. Works on firewall module as well as on the SmartCenter itself , even more – gives the same result, surprising no ?

[Expert@FW-XL1]# fw tab -t management_list -f
Using cptfmt
localhost:
Date: Aug 23, 2010
19:26:11 192.168.29.22 > : (+)====================================(+);
Table_Name:
management_list; : (+); Attributes: static, id 3; product: VPN-1 & FireWall-1;
19:26:11 192.168.29.22 > Key: c2ac5801, c2ac5801; product: VPN-1 & FireWall-1;

Subnet calculator in Checkpoint

Should you ever forget intricacies of the subnetting Checkpoint bothered not to strip subnetting calculator from their Splat – ipcalc, so use it and litter not your memory with useless info.
Given subnet show the 1st Ip (network) :

# ipcalc -n 192.168.34.45/27
NETWORK=192.168.34.32

Given subnet show the last IP (broadcast) :

# ipcalc -b 192.168.34.45/27
BROADCAST=192.168.34.63

Be careful though what you feed as no proof-reading is done by the ipcalc :

# ipcalc -b 192.168.34.45/33
BROADCAST=255.255.255.255

Restart Checkpoint Smart Center only

Neither mine nor new idea, but it comes to the top 10 questions I hear on a daily basis so here is how to restart Smart Center only, that is if it is a stand alone installation where Smartcenter resides on the same machine where the firewall module does,this command will stop then start Smart Center only NOT influencing the firewall function in anyway. This way firewalling will run uninterrupted with no down time.
I guess I took it from CPUG forum .Stop SmartCenter :
cpwd_admin stop -name FWM -path "$FWDIR/bin/fw" -command " fw kill fwm"

Start it again :
cpwd_admin start -name FWM -path "$FWDIR/bin/fwm" -command "fwm"

Restart SNMP daemon on Checkpoint

While not being anything noticeable by itself, the problem was that all monitored snmp values were normal but cpu showed 100% on the Open server with 7 CPUs , it
did remind me that you should always record the current state before doing the changes.
As I said it was an openserver that client monitors with snmp and suddenly it alerted on CPU 100% and as this server has 7 CPUs it was clear that snmp daemon feels bad.
Also the solution was obvious – restart the snmp daemon on the Checkpoint server.
So going this was I found all the instances of snmp running :

ps ax | grep snmp
1061 ? S 0:08 /usr/sbin/snmpd -Lsd -Lf /dev/null -p /var/run/snmpd -a -c /etc/snmp/snmpd.users.conf 161
1066 ? S 0:00 /usr/sbin/cpsnmpagentx
5808 ? S 0:00 /opt/CPshrd-R65/bin/cpsnmpd -p 260
18973 ttyp1 S 0:00 grep snmp

Then sent kill signal to each one of them , all went ok. But then my ssh session got abruptly disconnected for unrelated reason, so I didn’t have the list of commands and their options seen above and therefore couldn’t restart them. I do have the privilege of access to the heap of other Checkpoint machines so I just enterd one of them and copied snmp daemon commands from there, but if had no such alternative the time consuming search on the Google/cpug.org would have been granted.
Conclusion – before altering some state take note of the current one and record it somewhere (Notepad rules here).

Keep your IPS updated

The IPS protection should be up-to-date, no arguing here. But should it also be automatic ?
Well, here Checkpoint thought that not and put no provision for auto updates for the R70.x series. The only way to update IPS protection is either click on Online Update and do it real-time or check "Check for new updates while the SmartDashboard is active", that in turn will not update anything but get you prompted that new updates are available.
In R71 they changed their mind and added configurable scheduled updates menu.
Anyway ,should you want to check what is the latest IPS version available without running the actual update process the link follows:
Defense Updates by Product

MAC finder script

While I don’t like going down to Layer 2 , recently I had to do it – I didn’t know IP address of the Cisco router I wanted to connect to but I had access to the Cisco router sitting in the same network. That would be pretty easy to do #show arp on this router and then search on Google to whom belongs each MAC if it wasn’t the subnet mask of /26. Copy pasting each entry of the ARP table into Google didn’t look like a lot of fun. So I wrote a python script that reads MAC addresses in bulk from command line and using downloaded beforehand database of MAC-vendor translations prints vendor for each MAC address. It works for #show arp on CIsco,#show mac-address-table on CIsco switches, #arp -en on Linux (means including Checkpoint), #arp -a on Freebsd ,#show arp of Junos from Juniper, #get sys arp on Fortigate.
Below is the script.
Here:
mac-database.txt – file containing MAC-vendor translation in format <MAC 6 hex digits as a sequence> <VENDOR>, I used standards.ieee.org/regauth/oui/oui.txt as the source with a bit of sed, but if you want ready to use file I recommend nmap-mac-prefixes from nmap source-code distribution http://nmap.org/svn/nmap-mac-prefixes
Download script (to make sure formatting is preserved, an important thing for Python)
http://yurisk.info/scripts/mac-finder.py
Script AND mac database from nmap project – http://yurisk.info/scripts/mac.tar.gz

#!/usr/bin/python
#This script accepts MAC addresses from the command line and
#prints vendor for each mac address
# Author:Yuri, yurisk@yurisk.info,06.2010
import sys
import re
#This function removes from MACs colon or dot and returns MAC as a sequence of HEX chars
def dotreplace(matchobj):
         if matchobj.group(0) == '.':
                return ''
         elif  matchobj.group(0) == ':':
                return ''
#open file with MAC addresses and vendors database,it has form xxxx <Vendor>
macs=open('mac-database.txt','r')
macs_lines=macs.readlines()
#Read from stdinput
data = sys.stdin.readlines()
for ppp in data:
       popa=re.search('.*([a-f0-9]{4}\.[a-f0-9]{4}\.[a-f0-9]{4}).*',ppp,re.IGNORECASE)
       if popa:
             newpopa=re.sub('\.', dotreplace,popa.group(1))[0:6]
             newpopa_re=re.compile(newpopa,re.IGNORECASE)
             for mac_db in macs_lines:
                 vendor=re.search(newpopa_re,mac_db)
                 if vendor:
                    print ppp.strip(),mac_db[7:]
       popalinux = re.search('.*([a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}).*',ppp,re.IGNORECASE)
       if popalinux:
             newpopalinux=re.sub(':',dotreplace,popalinux.group(1))[0:6]
             newpopalinux_re=re.compile(newpopalinux,re.IGNORECASE)
             for mac_db in macs_lines:
                 vendor=re.search(newpopalinux_re,mac_db)
                 if vendor:
                    print ppp.strip(),mac_db[7:]

       popadash = re.search('.*([a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}).*',ppp,re.IGNORECASE)
       if popadash:
             newpopadash=re.sub('-',dotreplace,popadash.group(1))[0:6]
             newpopadash_re=re.compile(newpopadash,re.IGNORECASE)
             for mac_db in macs_lines:
                 vendor=re.search(newpopadash_re,mac_db)
                 if vendor:
                    print ppp.strip(),mac_db[7:]

Running it:

[root@darkstar ]# ./mac-finder.py
<now I copy paste output from arp -a in BSD>
$ arp -a
(10.99.99.150) at 00:50:56:95:74:72 on em0 [ethernet]
(10.99.99.254) at 00:09:0f:31:c8:24 on em0 [ethernet]
<Hit CTRL+D to signal the end of input>
(10.99.99.150) at 00:50:56:95:74:72 on em0 [ethernet] VMware, Inc.
(10.99.99.254) at 00:09:0f:31:c8:24 on em0 [ethernet] Fortinet Inc.

Visio stencils for Cisco, Juniper, Fortinet, Checkpoint, Avaya

Some links to download Microsoft Visio stencils of the most popular vendors.
Juniper
Cisco
Avaya
BlueCoat
Fortinet
Dell
Checkpoint happen not to have official stencils set, only Nokia appliances stuff can be found. So someone volunteered and using icons/press releases/PowerPoint presentations done by the Checkpoint turned it into the Visio stencils:
fireverse.org
If nothing else helps here you can find the rest:
nag.ru/projects/visio

Older posts Newer posts

© 2016 yurisk.info

Theme by Anders NorenUp ↑