yurisk.info

Yuri Slobodyanyuk's blog on IT Security and Networking sharing experience and expertise


Black hole routing to the rescue – Fortigate OS 4 surprise

Many times there is more than one solution to a problem, and the most obvious one is not the best one. I
reminded myself of this when a Fortigate 60 unit came into my care that was periodically blocking traffic,
with the not-saying-much system alert “..has reached connection limit”, after which no traffic passed from LAN to WAN.
Being a resource starvation issue, you may never know for sure what causes it; it may be an
oversized rulebase, custom IPS, AV set on everything and everywhere, etc. The only way to pinpoint the
misbehaving component is by elimination, disabling one thing at a time until the problem disappears. For this
particular Fortigate it was the URL filtering used to block access to Facebook.com. Unfortunately, once this was
disabled, users in the LAN would starve the bandwidth by accessing (or rather not leaving) this
website. An internal fair use policy issue? Yes, of course, but in this case the only way to implement the policy
was by force. So if not URL filtering (the obvious solution), then black-hole routing would
be the better one, I thought; but in FortiOS 3 I didn't find such an option, and as an upgrade to FortiOS 4 wasn't
an option either, I blackholed the Facebook.com IP range (thanks to Facebook for the convenience of a contiguous IP
range) in the WAN-facing Cisco router.

In FortiOS 4 you can configure blackhole routing with no hassle:
FG100 # config router static
FG100 (static) # edit 5
FG100 (5) # set blackhole ?
disable disable setting
enable enable setting
FG100 (5) # set blackhole enable
FG100 (5) # set dst 69.63.176.0/20
FG100 (5) # end

Verify:
FG100 # show router static
config router static
edit 1
----output omitted----
edit 5
set blackhole enable
set dst 69.63.176.0 255.255.240.0
next
end

From a station in the LAN:
# ping 69.63.184.142
PING 69.63.184.142 (69.63.184.142) 56(84) bytes of data.
From 10.99.99.254 icmp_seq=1 Destination Net Unreachable
From 10.99.99.254 icmp_seq=2 Destination Net Unreachable

Facebook IP range:
whois 69.63.176.140
[Querying whois.arin.net]
[whois.arin.net]
OrgName: Facebook, Inc.
OrgID: THEFA-3
Address: 156 University Ave, 3rd floor
City: Palo Alto
StateProv: CA
PostalCode: 94301
Country: US
NetRange: 69.63.176.0 – 69.63.191.255
CIDR: 69.63.176.0/20

Manage VPN tunnels smartly: forget vpn tu, enter the vpn shell

Deleting the IKE/IPsec security associations of established VPNs is an inevitable part of any VPN-related debug. The standard tool promoted by Checkpoint (take CCSA, CCSE etc.) is vpn tu, which nevertheless has always had a very annoying bug (feature?): you can delete ALL VPN tunnels at a time and none individually!! It indeed presents the option
"Delete all IPsec SAs for a given peer (GW)", but it just plain doesn't work. Once confronted with this problem, which could make the debug more devastating than the problem itself, I started looking for alternatives. To my surprise CP has a perfect alternative for this:
vpn shell, which provides acceptable means of managing tunnels. Here are the details:
vpn shell can: delete IKE/IPsec SAs selectively, add/delete VTI interfaces, and show information about all of that.
To enter this shell:
[Expert@gw1]# vpn shell
 ?             – This help
 ..            – Go up one level
 quit          – Quit
[interface   ] – Manipulate tunnel interfaces
[show        ] – Show internal data
[tunnels     ] – Manipulate tunnel data

After hitting Enter you are put into a subshell that is navigated hierarchically, so to continue into the show subtree you type show and hit Enter:
VPN shell:[/] > show
 ?             – This help
 ..            – Go up one level
[interface   ] – Show interface(s) and their status
[tunnels     ] – Show SA(s)
VPN shell:[/show] >

Your prompt changes to the path inside vpn shell; to go one level up (return) type .. and Enter:
VPN shell:[/show] > ..
 ?             – This help
 ..            – Go up one level
 quit          – Quit
[interface   ] – Manipulate tunnel interfaces
[show        ] – Show internal data
[tunnels     ] – Manipulate tunnel data
VPN shell:[/] >

In addition, if you know the full path inside vpn shell to the command you wish to run, you can type it directly:

e.g. 1: To see all IKE tunnels:
[Expert@gw1]# vpn shell
 ?             – This help
 ..            – Go up one level
 quit          – Quit
[interface   ] – Manipulate tunnel interfaces
[show        ] – Show internal data
[tunnels     ] – Manipulate tunnel data
VPN shell:[/] > tunnels show IKE all

Peer 193.x.x.x:

        1. IKE SA <8755c7fb24a52e9b,5d46b29d0f0bb5b7>:
VPN shell:[/] >
e.g. 2: To delete the IKE SAs for a specific peer:
VPN shell:[/] > tunnels delete IKE peer 193.3.3.3

NOTE: the interface subtree is for dealing with VTI interfaces.

And finally, to leave vpn shell and return to the SSH shell, get to the root by typing .. as many times as needed, then quit:

VPN shell:[/show/tunnels/IKE] > ../../..
 ?             – This help
 ..            – Go up one level
 quit          – Quit
[interface   ] – Manipulate tunnel interfaces
[show        ] – Show internal data
[tunnels     ] – Manipulate tunnel data
VPN shell:[/] > quit
[Expert@gw1]#

SSH session timeout in Checkpoint NG/NGX

Ever got swearing when in the middle of a fw monitor / debug session you got abruptly thrown out on session timeout?? Me too. While naively thinking the ssh timeout is managed by the sshd/ssh configs, I was surprised to learn CP did it their way.

It turns out the definitions for an interactive session live here: cat /etc/bashrc
<CUT>   

# By default, log out the user after three minutes of unattended prompt
export TMOUT=180
export SHELL=/bin/bash
# Take into account idle setting of cpshell, if available
if [ -f /etc/cpshell/cpshell.state ]; then
   idle=`grep idle /etc/cpshell/cpshell.state | sed s/idle=//`
   if [ $idle"UNDEFINED" = "UNDEFINED" ]; then
          idle=3
   fi
   export TMOUT=`expr $idle \* 60`
fi

 

So to change the default timeout for an ssh session you can:

1) Set the idle variable (in minutes) in /etc/cpshell/cpshell.state, which is later multiplied by 60:

cat /etc/cpshell/cpshell.state
audit=100
idle=100
scroll=1

2) Change the last export directly to whatever you wish:

export TMOUT=7000   # in seconds

Personally, when working on a client's firewall, I set it manually when a long debug session is expected:

[Expert@cp]# TMOUT=700
[Expert@cp]# export TMOUT
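To see what TMOUT a session will get for a given cpshell.state before you log in, here is an added shell function (my own illustration, not Checkpoint's code) that reproduces the /etc/bashrc logic above; it differs only in anchoring the grep to the idle= line and rejecting a non-numeric value, and the state files it creates are constructed samples.

```shell
# compute_tmout STATEFILE
# Reproduce the /etc/bashrc logic shown above and print the TMOUT (seconds)
# that an interactive session would get for the given cpshell.state file.
# Differences from the original: grep is anchored to '^idle=' so a line such
# as 'audit=100' can never match, and a non-numeric idle value is rejected.
compute_tmout() {
    statefile="$1"
    idle=""
    if [ -f "$statefile" ]; then
        idle=$(grep '^idle=' "$statefile" | sed 's/^idle=//')
    fi
    # Same fallback as the bashrc test [ $idle"UNDEFINED" = "UNDEFINED" ]:
    # no file, no idle= line, or an empty value means 3 minutes.
    case "$idle" in
        ''|*[!0-9]*) idle=3 ;;
    esac
    expr "$idle" \* 60
}

# Constructed sample state files (not from a real gateway) showing each path.
demo_tmout() {
    dir=$(mktemp -d)
    printf 'audit=100\nidle=100\nscroll=1\n' > "$dir/with_idle"
    printf 'audit=100\nscroll=1\n' > "$dir/without_idle"
    echo "idle=100 present   -> TMOUT=$(compute_tmout "$dir/with_idle")"    # 6000
    echo "idle line absent   -> TMOUT=$(compute_tmout "$dir/without_idle")" # 180
    echo "state file missing -> TMOUT=$(compute_tmout "$dir/nofile")"       # 180
    rm -rf "$dir"
}
```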

Telnet from inside Checkpoint firewall

Yesterday I saw a strange problem: a connection from outside to an Exchange server in the LAN timed out, while in Tracker all connections to port 25 were shown in green. Strange was that through the client-to-site VPN and from inside the LAN everything worked perfectly well. So I wasn't 100% sure it wasn't the firewall causing this. The next best way to check would be to telnet from inside NGX (R65 in this case) to port 25 of the Exchange server by its LAN IP … only Checkpoint doesn't include a telnet client in their SPLAT. If I had enough time I'd compile a telnet client statically on some Linux box with the same kernel/libraries and then copy it to NGX for testing, but to do it ASAP I hacked a small AWK script that emulates telnet (just enough for a test); the scripts are below.

BTW this script made it 100% clear there was some problem with Exchange over which I had no control: from the firewall its port 25 answered very erratically, once ok, 10 times connection refused. So after a double check the client found that from the LAN and VPN it also wasn't as stable as he first thought.

 

General telnet client script :

[Expert@cp]# awk -v ip=192.168.0.1 -v port=25 -f telnet.awk

Where:

  ip – IP to connect to

  port – port to connect to

#!/usr/bin/awk -f
# This is a simple telnet emulation script whose purpose
# is to try to connect to a given IP on a given port using TCP
# and print to the terminal the first line received from the server
# if the session is established. It has no functionality but to
# establish a TCP connection and print out the received text from the
# server, after that it just exits. It was created to debug
# connectivity issues on a Checkpoint NGX firewall that has no built-in
# telnet client. Requires gawk: the /inet/tcp special file is a gawk extension.
# Client
BEGIN {
    # /inet/tcp/LOCALPORT/REMOTEHOST/REMOTEPORT, local port 0 = any free port
    service = "/inet/tcp/0/" ip "/" port
    if ((service |& getline) > 0)
        print $0            # e.g. the SMTP banner when port is 25
    else
        print "no data from " ip ":" port " (connection failed or server silent)" > "/dev/stderr"
    close(service)
}

Next is the same script with an add-on for port 80, to get some response from the web server:

#!/usr/bin/awk -f
BEGIN {
    Portandip = "/inet/tcp/0/" ip "/" port
    # HTTP/1.1 requires a Host header and CRLF line endings; Connection: close
    # makes the server close the socket so the read loop below terminates
    # instead of hanging until the server's own keep-alive timeout.
    print "GET / HTTP/1.1\r\nHost: " ip "\r\nConnection: close\r\n\r\n" |& Portandip
    while ((Portandip |& getline) > 0)
        print $0
    close(Portandip)
}

 

PS Thanks to Aibulat (see comments) for the info: it turns out there is a telnet client available on the SPLAT CD-ROM. It is just not installed by default when installing SPLAT.


© 2016 yurisk.info
