yurisk.info

Yuri Slobodyanyuk's blog on IT Security and Networking sharing experience and expertise

Category: Checkpoint NG/NGX/GAIA (page 7 of 10)

fw ctl or checkpoint tables by any other name

Holidays are over, Checkpoint failures are back, so business as usual. Today I want to draw your attention to an often overlooked information source – Checkpoint state tables. While running, the firewall creates, keeps and updates various tables it needs for correct functioning. These tables contain parameters that are mostly of use to the firewall itself, but you can query them on the CLI and sometimes flush them as well.
To see all tables with their contents, type:
[Expert@Hollywood]# fw tab
To see only the table names:
[Expert@Hollywood]# fw tab | grep "\-\-\-\-\-\-\-"

-------- vsx_firewalled --------
-------- firewalled_list --------
-------- external_firewalled_list --------
-------- management_list --------
-------- external_management_list --------
-------- log_server_list --------
-------- tcp_services --------
-------- udp_services --------
-------- internal_interface_list --------
-------- topology_range_list --------
-------- gui_clients_list --------
-------- cp_NG_products_list --------
-------- smtp_av_user_config_match_tab --------
-------- smtp_av_scan_exclusion --------
-------- http_av_user_config_match_tab --------
-------- http_av_scan_exclusion --------
-------- pop3_av_user_config_match_tab --------
-------- pop3_av_scan_exclusion --------
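As an added example (not the post's own command and not Checkpoint code), the shell function below turns fw tab output into a per-table entry count, so you can see at a glance which state tables are large before deciding whether any of them is worth flushing. It assumes each table starts with the dashed header line shown above and that the entries are the angle-bracketed lines that follow it; the sample output embedded in the script is constructed, not captured from a gateway.

```shell
#!/bin/sh
# Added example (not the post's own command, not Checkpoint code): summarise
# 'fw tab' output as "table_name entry_count", largest table first.
# Assumptions: every table starts with a dashed header "-------- name --------"
# (as in the post), and each entry is a line enclosed in angle brackets.

# fwtab_summary: reads fw tab output on stdin, prints one line per table.
fwtab_summary() {
    awk '
        # Header line: remember the table name and register it with 0 entries.
        /^-+ .* -+$/ { sub(/^-+ /, ""); sub(/ -+$/, ""); name = $0; count[name] += 0; next }
        # Entry line (assumed format "<...>"): count it under the current table.
        name != "" && /^</ { count[name]++ }
        END { for (t in count) print t, count[t] }
    ' | sort -k2,2nr -k1,1
}

# Constructed sample in the layout above; the "dynamic, id ..." lines stand in
# for the per-table attribute line (assumed layout) and are ignored.
FWTAB_SAMPLE='-------- firewalled_list --------
dynamic, id 0000, attributes: keep
<c0a80a01>
<c0a80a02>

-------- connections --------
dynamic, id 0000, attributes: keep, sync
<00000000, c0a80a05, 0000c3a1, 0a0a0a0a, 00000050, 00000006>
<00000000, c0a80a05, 0000c3a2, 0a0a0a0a, 00000050, 00000006>
<00000000, c0a80a05, 0000c3a3, 0a0a0a0a, 00000050, 00000006>

-------- tcp_services --------
static, id 0000'

# fwtab_demo: run the summary over the constructed sample.
fwtab_demo() { printf '%s\n' "$FWTAB_SAMPLE" | fwtab_summary; }

# On a gateway:  fw tab | fwtab_summary
```

The function reads standard input, so on the gateway the constructed sample is simply replaced by the live command: fw tab | fwtab_summary. Tables with a header but no entries are still listed, with a count of 0, which is useful when you are checking whether a flush actually emptied a table.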

Install native telnet client on Checkpoint firewall

Some time ago, in Telnet from inside Checkpoint firewall, I wrote how to use awk to imitate telnet on a Checkpoint firewall. Later, in the comments to that post, a reader pointed out that there is a native telnet client on the SPLAT installation ISO image.
That's true, only you don't always have the installation image at hand. Instead you can use the
standalone download SecurePlatformAddOn_R55.tgz. While it says R55 in its name, the telnet client inside works well even with R70 and also on SPLAT platforms with the 2.6 kernel. Indeed, the telnet client that comes with the R70 installation image is bigger in file size but bears the same version name anyway.
In addition there is another useful utility in this package – the well-known wget. So consider installing it too.
After downloading it, follow the usual RPM package install procedure – unzip, untar, rpm -Uvh <name>.

Traffic shaping in Checkpoint the Linux way

Quite often I need to work on a Checkpoint firewall to which access via SmartDashboard is close to impossible, because the internet connection to the firewall is overloaded and there is no out-of-band alternative.
Other times debugging produces huge files (we are talking gigabytes here), and if I download such files from the firewall through scp as is, it uses up all the bandwidth of the line, causing slowness for the client.
For such cases there is a perfect tool provided by the Linux kernel – Quality of Service (QoS), which lets us limit the bandwidth used with very flexible filter criteria. QoS in Linux is a subject complicated and extensive enough not to be dealt with in a short post, so I just present some ready-to-use copy-paste configs for this purpose. For in-depth coverage see lartc.org/howto.
And of course, if your firewall has the Floodguard license and feature installed (the Checkpoint implementation of Quality of Service), then you can achieve the same through rules in the QoS tab in SmartDashboard.

1) Limiting myself – when downloading a huge file from the firewall I want to limit my traffic to a specific rate.
Here:
eth0 – outgoing interface;
100Mbit – physical rate of the interface;
300Kbit – rate limit I impose on traffic destined to my management station, where I download the file;
39.139.3.4 – my management IP.

tc qdisc add dev eth0 root handle 33: htb
tc class add dev eth0 parent 33: classid 33:10 htb rate 100mbit
tc class add dev eth0 parent 33:10 classid 33:200 htb rate 300Kbit
tc filter add dev eth0 parent 33: protocol ip prio 2 u32 match ip dst 39.139.3.4/32 flowid 33:200

2) The line is overloaded and I can't connect with SmartDashboard but still have ssh access.
Here:
30Kbit – rate limit I impose on ANY traffic except traffic to my management IP, see next rule;
200Kbit – rate limit on traffic to my management station.

tc qdisc add dev eth0 root handle 33: htb
tc class add dev eth0 parent 33: classid 33:10 htb rate 100mbit
tc class add dev eth0 parent 33:10 classid 33:100 htb rate 30Kbit
tc filter add dev eth0 protocol ip parent 33:0 prio 5 u32 match ip dst any flowid 33:100
tc class add dev eth0 parent 33:10 classid 33:200 htb rate 200Kbit
tc filter add dev eth0 parent 33: protocol ip prio 2 u32 match ip dst 39.139.3.4/32 flowid 33:200

NOTE: QoS in Linux as presented here works on egress, i.e. it can limit traffic leaving the interface.
The script above therefore limits what leaves the firewall toward the Internet, i.e. upload.
To limit a heavy download, the same technique should be applied on the internal, LAN-facing interface. Usually, nevertheless, the moment you throttle the upload, modern applications will detect it and slow down the download as well, but your mileage may vary.
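Below is an added example, not part of the original post, that wraps the two recipes above into one parameterised POSIX shell script: it prints the tc commands for a given interface, line rate, management IP and rates (dry run), can apply them, and includes the teardown the post leaves out. It assumes the same iproute2 tc with the HTB qdisc and u32 classifier that the post uses; the 0.0.0.0/0 catch-all is the explicit form of the post's "match ip dst any".

```shell
#!/bin/sh
# Added example (not from the original post): parameterised version of the two
# HTB recipes above, with a dry-run output, an apply step and the teardown.
# Assumes iproute2 tc with the htb qdisc and u32 classifier, as the post does.

# shape_cmds DEV PHYS_RATE MGMT_IP MGMT_RATE [DEFAULT_RATE]
# Prints the tc commands, one per line. With DEFAULT_RATE set, every other
# egress packet on DEV is capped to it (post's case 2); without it, only
# traffic to MGMT_IP is capped (post's case 1).
shape_cmds() {
    dev=$1; phys=$2; mgmt_ip=$3; mgmt_rate=$4; default_rate=$5
    # Root HTB qdisc and one parent class at the physical line rate.
    echo "tc qdisc add dev $dev root handle 33: htb"
    echo "tc class add dev $dev parent 33: classid 33:10 htb rate $phys"
    if [ -n "$default_rate" ]; then
        # Catch-all class; prio 5 so the more specific prio 2 filter below wins.
        # 0.0.0.0/0 is the explicit form of the post's "match ip dst any".
        echo "tc class add dev $dev parent 33:10 classid 33:100 htb rate $default_rate"
        echo "tc filter add dev $dev parent 33: protocol ip prio 5 u32 match ip dst 0.0.0.0/0 flowid 33:100"
    fi
    # Management-station class; no ceil given, so ceil = rate and the cap is hard.
    echo "tc class add dev $dev parent 33:10 classid 33:200 htb rate $mgmt_rate"
    echo "tc filter add dev $dev parent 33: protocol ip prio 2 u32 match ip dst $mgmt_ip/32 flowid 33:200"
}

# unshape_cmd DEV: deleting the root qdisc removes every class and filter under it.
unshape_cmd() { echo "tc qdisc del dev $1 root"; }

# shape_apply ARGS...: execute the generated commands (root on the gateway needed).
shape_apply() { shape_cmds "$@" | sh -e; }

# Dry run for the post's second case:
#   shape_cmds eth0 100mbit 39.139.3.4 200kbit 30kbit
# Verify afterwards with:  tc -s class show dev eth0
```

Deleting the root qdisc is the one-line undo, which matters on a production gateway where you want the throttle gone the moment the debug file has been copied. After applying, tc -s class show dev eth0 confirms that bytes are landing in class 33:200 for the management station and not in the catch-all; since no ceil is given, HTB uses ceil = rate and the limits are hard caps with no borrowing.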

awk weekly rule hits statistics checkpoint again

I updated the script and moved it to the 1st page : http://yurisk.info/2012/01/31/awk-weekly-rule-hits-statistics-checkpoint-again/

awk weekly – Checkpoint Anti Spam statistics or viva les Open Relays

Goooood day everyone again,
today I had another fight with the spam cartel that my client fell victim to. Once upon a time there was a not so powerful UTM providing internet to a not so crowded office in not so security-aware Central Europe.
All would be well if not for this problem – they could not send emails outside, as the IP of the firewall had entered every imaginable blacklist on Earth. Hmm, but the firewall has the Anti-Spam subscription service up and running.
The LAN is blocked on port 25 outbound except for the Exchange server. Antivirus is everywhere, so there is little chance of spam coming from the LAN. In SmartView Tracker there are lots of SMTP rule logs in red – spam entering Exchange is blocked.

So what the …? tcpdump with the -w option for 5 minutes was all I needed to see that Exchange was an open relay and kindly offered to relay spam from everyone to everywhere.
To really measure the impact of the event I had to have some statistics, and Checkpoint didn't help me much with that; even though this UTM also has a SmartView Monitor license, it is not suited for the task. So I exported fw.log on the UTM into text, human- (and awk-) readable format – that took some 40 minutes on a 300 MB log file and produced a text file of 475 MB – and then did whatever I wanted with the data using awk.
Now some action:
Script 1 – Find all mails rejected in the direction from the LAN (interface Internal; remember it is a UTM) to the Internet (interface External), then gather statistics of how many mails came from which IP [less relevant here as all mails come from Exchange, but in an environment where hosts send mail directly outside it is] and show us:

# awk -F\; '/Internal to External/ && /reject/ {print $2}' ./fw.log.txt | awk ' {match($0,/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/,IP); IPS[IP[0]]++ } END { for (spammer_ips in IPS) print spammer_ips " " IPS[spammer_ips]}' | sort -n -k2,2
192.168.14.12 402804

Yahooooo! In a timeframe of 28 hours, 402804 mails coming from Exchange were blocked as spam!
Not bad at all – all this without any malware installed on the client side [my Wireshark-educated guess here, as I don't have access to the Exchange server], just amazing!

Now let's have a look at the overall number of mails that were accepted and sent outside to the Internet:
Script 2 – Find all mails accepted in the direction from the LAN (interface Internal) to the Internet (interface External), then gather statistics of how many mails came from which IP and show us:

# awk -F\; '/Internal to External/ && /accept/ {print $2}' ./fw.log.txt | awk ' {match($0,/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/,IP); IPS[IP[0]]++ } END { for (spammer_ips in IPS) print spammer_ips " " IPS[spammer_ips]}' | sort -n -k2,2
192.168.14.12 257940

Wow! In addition to the 402804 mails blocked by the Checkpoint firewall as spam, 257940 mails were sent out as clean. Given that this is a very small office hardly sending 300 mails a day, we get a ratio of 39% spam passing through the Checkpoint Anti-Spam, pity. An Anti-Spam blocking rate of 61%? In the 21st century? Wake up!

Just for the statistics I also calculated how many spam emails were blocked inbound from outside:
Script 3 – gather how many mails coming in from outside were rejected by Checkpoint as spam.

# awk -F\; '/External to Internal/ && /reject/ {print $2}' ./fw.log.txt | wc
5593 11186 112648

So only 5593 incoming spam emails and almost half a million outgoing ones – that's what I call effectiveness.
Script 4 – gather statistics on blocked emails and the IPs they came from:

# awk -F\; '/External to Internal/ && /reject/ {print $2}' ./fw.log.txt | awk ' {match($0,/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/,IP); IPS[IP[0]]++ } END { for (spam_ips in IPS) print spam_ips " " IPS[spam_ips]}' | sort -n -k2,2

And here are some results

93.81.26.2 75
91.121.114.1 81
220.168.57.1 87
58.9.205.2 129
122.102.101.1 149
58.137.99.7 160
189.35.231.6 189
60.248.174.6 631

PS: I know Checkpoint folks visit here, so if you think I got some data wrong, don't be shy to correct me; all fixes are gladly welcome.

Abra – the new toy from the Checkpoint

Checkpoint announced availability (for inquiries so far; the sale date is set for 31 March) of their new project Abra – a secured virtualized desktop solution. I myself haven't seen nor tried it, so I can only judge from different sources. In essence we are talking about a USB stick of approx. 4 GB or 8 GB that includes a virtual image of the applications you need to do your work and, optionally, to connect securely to your workplace (to the Checkpoint gateway, of course).
The testing (that I know of) was done on their own employees, who were given those Abra sticks to work from home.
The way it works is pretty simple – you have an encrypted (so they say) virtual desktop environment on the stick,
which you connect to any PC, and upon entering user/password you can work using the pre-installed and pre-configured
software on it. The sticks that Checkpoint gave to their workers contained Windows XP with the usual set of software – browser, Microsoft Office etc., and also a VPN client.
In short, nothing new on the market except the encryption – do a search on virtual desktop infrastructure and you'll get the idea. What is interesting here is how they plan to integrate this new buzz project with the rest of their product line, because otherwise it isn't even worth trying to market it (put VMware Player with Windows XP on a USB stick and you get the same, but without encryption).
The webpage from the CP is here:
Check Point Abra | Check Point Software
To see what people think about that you may go here:
CPUG.ORG discussion on Abra

NOTE: see the comments for a more correct (than mine) view of this new product

awk weekly – how to see Checkpoint logs on command line

Hey everyone, I decided to start a weekly column of awk scripting where I will bring interesting (I am being subjective, I know) short scripts that made my life easier in dealing with actual problems in the wild, or that just look cool.

Until recently I had never had any need to work with Checkpoint log files without SmartView Tracker, namely on the command line. But there is always a first time. A client complained about some dropped mail traffic, and even to say whether there was a problem or not I had to look at the relevant logs; not a big deal, except that I had only ssh access to the firewall. For such cases Checkpoint provides the fw log command-line utility, which reads the binary log file you feed it (fw.log by default) and outputs it in human-readable format. That's good, but its filtering possibilities are quite poor. You can see all available options with fw log -h, but selection is limited to source, start/end time and action (drop/reject/etc.). Not that much, to say the least. No port/direction filtering. And this was a very busy firewall – some 80 MBytes of traffic passing through at any given moment, with log as the default action on every rule. So the fw log filters would not help me.
Here is how I solved this with the help of awk – I exported all logs to text format using

# fw log -n > fw_log.txt &

Note the -n option to fw log here – it prevents resolving IPs/ports to names and shortens processing time by ~70%.
Then I just used the all-powerful awk to search the text file to show the client what the reason was (Exchange in the LAN was sending heaps of spam that Anti-Spam stopped as best it could, but nevertheless some spam leaked and caused RBL blocking of the external firewall IP):

[Expert@Orlean] # awk '/Anti Spam/ && /Internal to External/' fw_log.txt | awk -F: ' {print $5 $6}'
192.168.143.12; dst 65.55.37.88; proto
192.168.143.12; dst 65.55.92.136; proto
192.168.143.12; dst 65.55.92.136; proto
192.168.143.12; dst 203.216.247.184; proto

Here:
External, Internal – UTM appliance interface names and the direction of the Anti-Spam scanning.
NOTE: exporting logs from binary to text takes a bit of time, depending on the situation. Enabling name resolving sky-rocketed the processing time to 15 minutes, but on the other hand gave some additional insight:

Exchange; dst col0-mc2-f.col0.hotmail.com; proto
Exchange; dst mx1.hotmail.com; proto
Exchange; dst mx1.hotmail.com; proto
Exchange; dst mta19.mail.vip.tnz.yahoo.co.jp; proto
Exchange; dst bay0-mc2-f.bay0.hotmail.com; proto
Exchange; dst mx3.hotmail.com; proto
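Added example serving both the Anti-Spam statistics post and this one (not the author's scripts and not Checkpoint tooling): the same per-IP counting, a direction-plus-service filter of the kind fw log itself cannot do, and the blocked-percentage calculation, written in POSIX awk so they also run under mawk or busybox awk where gawk's three-argument match() is unavailable. The log lines in the script are constructed in the ';'-separated layout the posts' scripts rely on (source IP in field 2, "src:", "dst:" and "proto:" tokens later in the line); the "service:" token is an assumption, and a real run reads fw log -n output instead.

```shell
#!/bin/sh
# Added example (not the author's scripts, not Checkpoint tooling): the log
# statistics from the Anti-Spam post and the direction filter from this one,
# in POSIX awk (no gawk three-argument match()), over constructed log lines.
# Assumed layout: ';'-separated fw log -n text with the source IP in field 2
# and "src:", "dst:", "proto:", "service:" tokens later in the line.

FWLOG_SAMPLE='10:15:01; 192.168.14.12 Internal to External; reject; Anti Spam; src: 192.168.14.12; dst: 65.55.37.88; proto: tcp; service: 25
10:15:02; 192.168.14.12 Internal to External; reject; Anti Spam; src: 192.168.14.12; dst: 65.55.92.136; proto: tcp; service: 25
10:15:03; 192.168.14.12 Internal to External; accept; Anti Spam; src: 192.168.14.12; dst: 203.216.247.184; proto: tcp; service: 25
10:15:04; 10.1.2.3 Internal to External; reject; Anti Spam; src: 10.1.2.3; dst: 65.55.37.88; proto: tcp; service: 25
10:15:05; 60.248.174.6 External to Internal; reject; Anti Spam; src: 60.248.174.6; dst: 192.168.14.12; proto: tcp; service: 25
10:15:06; 192.168.14.12 Internal to External; accept; ; src: 192.168.14.12; dst: 8.8.8.8; proto: udp; service: 53'

# fwlog_count DIRECTION ACTION [FILE]: per-source-IP count of lines in that
# direction with that action, most frequent first (FILE defaults to stdin).
fwlog_count() {
    awk -F';' -v dir="$1" -v act="$2" '
        index($0, dir) && index($0, act) {
            # First dotted quad in field 2 is the source IP.
            if (match($2, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)) {
                ip = substr($2, RSTART, RLENGTH); n[ip]++
            }
        }
        END { for (ip in n) print ip, n[ip] }
    ' "${3:--}" | sort -k2,2nr -k1,1
}

# fwlog_filter DIRECTION SERVICE [FILE]: lines for one direction and one
# destination service/port, a selection fw log itself does not offer.
fwlog_filter() {
    awk -F';' -v dir="$1" -v svc="$2" '
        index($0, dir) {
            for (i = 1; i <= NF; i++) {
                f = $i; sub(/^ +/, "", f)
                if (f == "service: " svc) { print; break }
            }
        }
    ' "${3:--}"
}

# spam_block_rate BLOCKED PASSED: percentage of outbound mail that was blocked,
# rounded to a whole number (the post's 402804 blocked / 257940 passed gives 61).
spam_block_rate() {
    awk -v b="$1" -v p="$2" 'BEGIN { printf "%d\n", b * 100 / (b + p) + 0.5 }'
}

# Demo over the constructed sample; on a gateway feed fw_log.txt instead:
#   fwlog_count "Internal to External" reject fw_log.txt
fwlog_demo() {
    printf '%s\n' "$FWLOG_SAMPLE" | fwlog_count "Internal to External" reject
}
```

On the sample, fwlog_count "Internal to External" reject lists 192.168.14.12 with 2 hits and 10.1.2.3 with 1, which is the shape of the result the Anti-Spam post got from Exchange: one internal host dominating the rejected outbound mail is the relay, and any second source is a host that should not be talking to port 25 at all. The filter function is the piece fw log lacks, so the same approach answers "which LAN hosts sent SMTP outbound in the last hour" without touching SmartView Tracker.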

© 2016 yurisk.info
