yurisk.info

Yuri Slobodyanyuk's blog on IT Security and Networking sharing experience and expertise


Check duplex and speed settings of all interfaces in one go

One of the first things to do when chasing a connectivity problem on a Checkpoint firewall (or any other networking gear, for that matter) is to look at the speed and duplex settings of the interfaces. But have you tried doing that on a firewall with 15-20 interfaces?
It is no fun typing the interface names one by one. Here is the one-liner I use to get the speed and duplex settings of all interfaces in one go.
# for ii in $(ifconfig | awk ' /Ethernet/ {print $1}') ;do ethtool $ii; done | egrep  'eth|Speed|Duplex'
Settings for eth0:
Speed: 100Mb/s
Duplex: Full
Settings for eth1:
Speed: 1000Mb/s
Duplex: Full
Settings for eth1.150:
Speed: 1000Mb/s
Duplex: Full
Settings for eth1.160:
Speed: 1000Mb/s
Duplex: Full
Settings for eth1.161:
Speed: 1000Mb/s
Duplex: Full
Settings for eth1.270:
Speed: 1000Mb/s
Duplex: Full
Settings for eth1.271:
Speed: 1000Mb/s
Duplex: Full
Note that the VLAN sub-interfaces (eth1.150, eth1.160 and so on) simply repeat the settings of their parent port eth1; there is no separate PHY for ethtool to query. What you are looking for in this list is a port that negotiated Half duplex or a lower speed than its peer: fix that mismatch before looking anywhere else.
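As an added example (not the post's one-liner), the same loop with a small awk summary instead of the raw ethtool output: one line per physical port, VLAN sub-interfaces skipped, and a flag on the conditions that actually cause trouble. The ifconfig and ethtool output it is fed here is constructed so the parser can be checked offline; on a firewall, check_all_links runs the real commands.

```shell
#!/bin/sh
# Added example, not the post's code: summarize "ethtool" per physical port and
# flag no link, half duplex, or a speed below what the port should negotiate.
# VLAN sub-interfaces (eth1.150 ...) are skipped: ethtool only repeats the
# parent port's settings for them.

# physical_ifaces: interface names from old-style ifconfig output on stdin,
# leaving out VLAN sub-interfaces, whose names contain a dot
physical_ifaces() {
  awk '/Link encap:Ethernet/ && $1 !~ /\./ { print $1 }'
}

# summarize_ethtool NAME [MIN_SPEED_MBPS]: read "ethtool NAME" output on stdin and
# print "NAME SPEED DUPLEX LINK FLAG"; FLAG is ok, NO-LINK, HALF-DUPLEX or SLOW
# (negotiated below MIN_SPEED_MBPS, default 1000)
summarize_ethtool() {
  awk -v name="$1" -v min="${2:-1000}" '
    /^[ \t]*Speed:/  { speed = $2; sub(/Mb\/s$/, "", speed) }   # "1000Mb/s" -> 1000, "Unknown!" stays as is
    /^[ \t]*Duplex:/ { duplex = $2 }
    /Link detected:/ { link = $3 }
    END {
      flag = "ok"
      if (link == "no")             flag = "NO-LINK"
      else if (duplex == "Half")    flag = "HALF-DUPLEX"  # mismatch symptom: late collisions, CRC errors, slow transfers
      else if (speed + 0 < min + 0) flag = "SLOW"         # port negotiated below what it should give
      printf "%s %s %s %s %s\n", name, speed, duplex, link, flag
    }'
}

# check_all_links [MIN_SPEED_MBPS]: the post's loop, with the summary applied
check_all_links() {
  for ifname in $(ifconfig | physical_ifaces); do
    ethtool "$ifname" | summarize_ethtool "$ifname" "$1"
  done
}

# Constructed sample output standing in for the real commands (addresses made up)
sample_ifconfig() {
  printf '%s\n' 'eth0      Link encap:Ethernet  HWaddr 00:0C:29:AA:BB:01' \
                '          inet addr:10.1.1.1  Bcast:10.1.1.255  Mask:255.255.255.0' \
                'eth1      Link encap:Ethernet  HWaddr 00:0C:29:AA:BB:02' \
                'eth1.150  Link encap:Ethernet  HWaddr 00:0C:29:AA:BB:02' \
                'lo        Link encap:Local Loopback'
}
# sample_ethtool NAME SPEED DUPLEX LINK: the four lines the summary looks at
sample_ethtool() {
  printf 'Settings for %s:\n\tSpeed: %s\n\tDuplex: %s\n\tLink detected: %s\n' "$1" "$2" "$3" "$4"
}

# Usage on a firewall: check_all_links 1000 | grep -v ' ok$'
```

Piping check_all_links through grep -v ' ok$' leaves only the ports worth a second look, which on a 20-port box is the whole point.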

Funny way to expire Antispam license in Checkpoint

After years with Checkpoint products I have come to the conclusion that if there is no logical explanation for why something doesn't work, it is most probably a license issue.
My client stopped getting emails behind a UTM-132 at some remote branch. Doing the basics (telnet to port 25: the Checkpoint answered as it should, and Exchange answered on port 25 as well) didn't turn up anything.
Then I looked at the mail spool on the Checkpoint and voila, all the emails that didn't reach the internal Exchange were stuck there for no obvious reason.
The reason became obvious when I looked in SmartView Tracker and saw the “AntiSpam service license expired” message. Only then did I recall that this UTM once had a Total Security license that included Antispam, but it had expired long ago.
Why, upon license expiry, the Checkpoint decided to “hijack” the mails instead of passing them through without Antispam filtering is left without an answer.

Finally, geolocation blocking has arrived on Fortigate

It was a predictable thing for Fortinet to do, as everyone else has been doing it for a while.
I haven't verified it myself, but according to an informed source (I can only give his first name, Hen) they are using
the MaxMind database. So let's see how to do it.
First, in the New Address dialog, create an address object of the Geography type and pick the country. As you can only pick one country per address object, use Address Groups to combine several countries.
Once created, such an address object is used in the Firewall Policy just like any other address.
Personal Note: While there is an ongoing fuss/hysteria about the cyberwar being waged, which started two weeks ago when Saudi “hackers” DDoS'ed a few Israeli websites, from what I see in the field it is more of a FUD campaign, one byproduct of which is the rush of many website owners in Israel to block Saudi Arabian IPs (or any Arab world IPs for that matter). What happened in fact was that most of the DDoS came from anywhere but the Arab world (Russia, China, the US), from botnets for hire.
The only reason I can think of to use geolocation blocking is to lower the noise/size of the logs by silently dropping traffic from unwanted countries.

Convert Fortigate diagnose sniffer packet output into tcpdump format understood by Wireshark

Running diagnose sniffer packet on a Fortinet Fortigate unit prints human-readable packet headers and, at the higher verbosity levels, the packet bytes as a hex dump. Sometimes, though, you want the traffic sniffed on the Fortigate in a Wireshark-readable format, so that it can be analyzed by the all-powerful Wireshark.
For this case Fortinet came up with a script, fgt2eth.pl, that takes the text output of the sniffer command (run with verbosity level 3, so that the packet bytes are included) and converts it, using Wireshark's own text2pcap, into a capture file (.cap) that you can open in Wireshark.
There are surely other scripts that do just that (after all, it is only parsing a text file), but Fortinet's own can be found here:
kb.fortinet.com/kb/viewContent.do?externalId=11186&sliceId=1

Or by searching their website for
fgt2eth.pl
fgt2eth.zip
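As an added example (not Fortinet's fgt2eth.pl), here is the conversion step itself in portable shell/awk, so you can see what the script does and do it on a box that has awk but no Perl. It assumes the verbosity-3 dump layout as I remember it (offset, tab, eight groups of four hex digits, tab, ASCII column) and emits the hex-dump format text2pcap reads; the sniffer output it is run on below is constructed, not a real capture. Timestamps are dropped here, which fgt2eth.pl does keep.

```shell
#!/bin/sh
# Added example, not Fortinet's script: turn the hex dump that
# "diagnose sniffer packet <iface> '<filter>' 3" prints into the hex-dump
# format text2pcap accepts. Assumed input layout (constructed from memory):
#   0x0000<TAB> 0009 0f09 ... 4500<TAB>.......PV.....E.
# Header lines (timestamp, interface, addresses) and the summary are dropped;
# an offset of 000000 tells text2pcap that a new packet starts.

fgt_sniffer_to_text2pcap() {
  awk '
    /^0x[0-9a-fA-F]+/ {
      line = $0
      sub(/\t[^\t]*$/, "", line)            # drop the trailing ASCII column
      n = split(line, tok, /[ \t]+/)
      off = substr(tok[1], 3)               # "0x0010" -> "0010"
      while (length(off) < 6) off = "0" off
      out = off
      for (i = 2; i <= n; i++) {
        g = tok[i]
        # groups are 4 hex digits (2 bytes); a trailing odd byte shows as 2
        if (g !~ /^[0-9a-fA-F]+$/ || length(g) % 2 != 0) break
        for (j = 1; j <= length(g); j += 2) out = out " " substr(g, j, 2)
      }
      print out
    }'
}

# Constructed sample: two packets the way verbosity-3 output shows them
sample_dump() {
  printf '%s\n' 'interfaces=[port1]' 'filters=[tcp port 80]'
  printf '%s\n' '2.590893 port1 in 192.168.1.10.51220 -> 10.0.0.5.80: syn 4004799443'
  printf '0x0000\t 0009 0f09 0001 0050 56ac 0001 0800 4500\t.......PV.....E.\n'
  printf '0x0010\t 003c 1b4d 4000 4006\t.<.M@.@.\n'
  printf '%s\n' '2.591200 port1 out 10.0.0.5.80 -> 192.168.1.10.51220: syn ack 1 2'
  printf '0x0000\t 0050 56ac 0001 0009 0f09 0001 0800 4500\t.PV...........E.\n'
  printf '%s\n' '2 packets received by filter' '0 packets dropped by kernel'
}

# Usage: fgt_sniffer_to_text2pcap < sniffer.txt > dump.txt && text2pcap dump.txt dump.pcap
```

text2pcap assumes Ethernet framing by default, which is what the Fortigate dumps; open dump.pcap in Wireshark as usual.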

awk weekly – Security rule hit statistics. Checkpoint

As I mentioned before, once you export the firewall logs into human-readable text you can do lots of interesting things with them; for example, a script that counts how many times each Security rule was hit.
Be aware that this counts explicit Security rules only, i.e. the ones you see in the Security tab of SmartDashboard. The other entries you see in SmartView Tracker (SmartDefense, Web Filtering etc.) are not counted. Afterwards the output is sorted by number of hits, to see which rules are used most. Note that the three-argument form of match(), which fills the rules array, is a gawk extension; on a plain awk the script will not run:

awk -F\; ' {match($0,/rule: +([0-9]+)/,rules);rule_count[rules[1]]++} END {for (rule_number in rule_count) print " Rule number: " rule_number " Hits: " rule_count[rule_number]}' ./fw.log.txt | sort -n -k5
 Rule number:  Hits: 1197330
The first line, with an empty rule number, is the count of lines that carry no rule: field at all; I leave it in rather than filter it out with an extra condition on every line, which costs processing time.
 Rule number: 2 Hits: 9
 Rule number: 5 Hits: 366
 Rule number: 11 Hits: 12296
 Rule number: 9 Hits: 14457
 Rule number: 0 Hits: 17094
 Rule number: 1 Hits: 44066
 Rule number: 7 Hits: 233643
 Rule number: 10 Hits: 366275
 Rule number: 6 Hits: 424639 
Update 2012: below is a version that keys on the Rule UID instead of the rule's sequential number, so that reordering the rules does not affect the statistics. It also picks up non-security rules (e.g. email session IDs, which are somewhat shorter than a Rule UID); I did not want to slow the processing down with extra filtering. The capture stops at the first closing brace, so a line with more than one braced field still yields a single ID.
awk -F\; ' {match($0,/\{([^}]+)\}/,rules);rule_count[rules[1]]++} END {for (rule_number in rule_count) print " Rule number: " rule_number " Hits: " rule_count[rule_number]}' ./fw.log.txt | sort -n -k5
Rule number: D199972C-ED3E-4EB4-8B83-813333156D18 Hits: 175
 Rule number: 85A905A7-951E-4100-A4BA-E13333151D29 Hits: 219
 Rule number: 81333316-E942-4313-BB7D-E1333315802F Hits: 1519
 Rule number: 71333215-2DB5-4A3A-95BC-5080AD0F5564 Hits: 2298
 Rule number: 11331315-AE52-44E0-A42A-711029B5768E Hits: 3755
 Rule number: 01333315-D290-4B05-AFE7-23BF24D889FF Hits: 4116
 Rule number: 121FA62F-3885-4328-8090-BF1333315eB1 Hits: 399793
 Rule number: FE40E076-BAEB-4979-8E41-5EF1333315e6 Hits: 440101
 Rule number: BB3F6772-4D38-4D5A-952A-301333315de8 Hits: 1354341
Running time for a 900 MB file with 4.7 million records:
real    5m50.287s
user    4m22.890s
sys     0m3.190s
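As an added example (not the post's scripts), the same count written in portable awk, without the gawk-only three-argument match(): it keys each rule on both its number and its UID, splits the hits into accept/drop so a noisy drop rule stands out, and skips records that carry no rule instead of lumping them into an empty bucket. The record layout is an assumption: fw log style text with semicolon-separated key: value fields named rule, rule_uid and action; change the key names if your export labels them differently. The sample records are constructed (the UIDs are borrowed from the output above, the addresses are made up).

```shell
#!/bin/sh
# Added example, not the post's script: per-rule hit counts in portable awk,
# keyed on rule number and rule UID, with accept/drop breakdown.
# Assumed record layout: "... rule: 6; rule_uid: {UID}; ... action: accept;"

# rule_hits [FILE...]: print "hits N accept A drop D other O rule NUM uid UID",
# most-hit rules first; reads stdin when no file is given
rule_hits() {
  awk '
    # value of "key: value" in the line, or "" if the key is absent
    function field(line, key,   s) {
      if (match(line, "(^|[; ])" key ": [^;]*")) {
        s = substr(line, RSTART, RLENGTH)
        sub(/^.*: /, "", s)
        return s
      }
      return ""
    }
    {
      num = field($0, "rule"); uid = field($0, "rule_uid"); act = field($0, "action")
      if (num == "" && uid == "") next       # SmartDefense, Web Filtering etc. carry no rule
      key = num SUBSEP uid
      numof[key] = num; uidof[key] = uid
      hits[key]++
      if (act == "accept")                       acc[key]++
      else if (act == "drop" || act == "reject") drp[key]++
      else                                       oth[key]++
    }
    END {
      for (k in hits)
        printf "hits %d accept %d drop %d other %d rule %s uid %s\n", hits[k], acc[k], drp[k], oth[k], (numof[k] == "" ? "-" : numof[k]), (uidof[k] == "" ? "-" : uidof[k])
    }' "$@" | sort -k2,2nr
}

# lines_without_rule [FILE...]: how many records carried no rule number at all
lines_without_rule() {
  grep -vc 'rule: ' "$@"
}

# Constructed sample records
sample_log() {
  printf '%s\n' \
   '10Jan2012 10:00:01 accept fw1 >eth1 rule: 6; rule_uid: {BB3F6772-4D38-4D5A-952A-301333315de8}; src: 10.1.1.10; dst: 10.2.2.20; proto: tcp; service: http; action: accept;' \
   '10Jan2012 10:00:02 accept fw1 >eth1 rule: 6; rule_uid: {BB3F6772-4D38-4D5A-952A-301333315de8}; src: 10.1.1.11; dst: 10.2.2.20; proto: tcp; service: https; action: accept;' \
   '10Jan2012 10:00:03 drop fw1 <eth0 rule: 11; rule_uid: {121FA62F-3885-4328-8090-BF1333315eB1}; src: 198.51.100.7; dst: 10.2.2.20; proto: tcp; service: telnet; action: drop;' \
   '10Jan2012 10:00:04 drop fw1 <eth0 rule: 11; rule_uid: {121FA62F-3885-4328-8090-BF1333315eB1}; src: 198.51.100.8; dst: 10.2.2.21; proto: udp; service: 1434; action: drop;' \
   '10Jan2012 10:00:05 reject fw1 <eth0 rule: 11; rule_uid: {121FA62F-3885-4328-8090-BF1333315eB1}; src: 198.51.100.9; dst: 10.2.2.22; proto: tcp; service: ssh; action: reject;' \
   '10Jan2012 10:00:06 accept fw1 >eth1 rule: 0; src: 10.1.1.12; dst: 10.2.2.20; proto: tcp; service: domain-tcp; action: accept;' \
   '10Jan2012 10:00:07 log fw1 <eth0 product: SmartDefense; attack: Port Scan; src: 198.51.100.10;'
}

# Usage: rule_hits ./fw.log.txt; lines_without_rule ./fw.log.txt
```

Rule 0 (the implied rules) shows up with no UID, and a rule whose drop column dwarfs its accept column is the first candidate when you are hunting for log noise.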

Time-based access limiting on Checkpoint or any Linux for that matter

Time-based access lists have been available in the Cisco world since... the last century, for sure. But is it possible that Linux has nothing like that? Of course not; it can do it, and do it better. Here is how.
Time-of-day access control is provided by the pam_time module, and as almost all software today is PAM-aware, it is available almost universally.
Steps to do it are these:

  • Enable the pam_time.so module for the service of interest in its file under /etc/pam.d;
  • Configure the time range(s) during which the service accepts logins in /etc/security/time.conf;
  • Restart the service if needed, and we are set (PAM re-reads its configuration on every login, so the restart is rarely necessary, but it does no harm).
  • E.g. let's restrict ftp_user so that it can connect to the vsftpd daemon only during working hours on weekdays.
    – Add to /etc/pam.d/vsftpd the following line (the full path is right for 32-bit systems such as the SecurePlatform of the time; on a 64-bit system the module lives under /lib64/security, so giving just pam_time.so and letting PAM locate it is safer)
    account required /lib/security/pam_time.so
    – Set the time limits in /etc/security/time.conf with this line (the fields are services;ttys;users;times; Wk stands for the working days Monday to Friday, and the range is in 24-hour HHMM)
    vsftpd;*;ftp_user;Wk0800-1700
    – Restart vsftpd (only this first time, if at all)
    #service vsftpd restart
    Now during the off-limit hours ftp_user will not be able to log in by FTP, and that is it. Keep in mind that pam_time is an account module checked at login only: a session opened at 16:59 is not cut off at 17:00.

    For Checkpoint all of the above holds true, but since there aren't many services running there, the most likely candidate for such a restriction is the ssh daemon. Take, for example, a firewall that the client also accesses by ssh: while mail alerts on such access (see Mail alert on ssh access in Checkpoint) warn me about it, that does me no good if someone on the client side logs into the firewall at 02:00 at night. If it can only happen during working hours, I see the alert and can act on it in real time.
    Example for limiting ssh access to the firewall to working hours only (sshd must run with UsePAM yes, otherwise its account stack, and pam_time with it, is never consulted; no restart is needed, as every new connection goes through PAM again):
    /etc/security/time.conf :
    sshd;*;client_user;Wk0900-1900
    /etc/pam.d/sshd :
    account required /lib/security/pam_time.so
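Before you lock yourself out with a typo in time.conf, it helps to see what pam_time will decide for a given service, user, day and time. The dry-run evaluator below is an added example, not part of the post and not pam_time's code: it implements the subset of the syntax used above (services, ttys and users lists with *, ! and |; day codes Mo..Su, Wk, Wd, Al; one HHMM-HHMM range per term, wrapping past midnight, end time exclusive) as I read pam_time's semantics; & lists and repeated-day toggling are not handled. The time.conf it reads is constructed from the two rules in this post plus one negated-user rule.

```shell
#!/bin/sh
# Added example, not pam_time itself: evaluate time.conf rules for one login.
# pam_time_check SERVICE TTY USER DAY HHMM < time.conf  -> prints allow|deny
# DAY is a two-letter code as in time.conf (Mo Tu We Th Fr Sa Su).
pam_time_check() {
  awk -v svc="$1" -v tty="$2" -v usr="$3" -v day="$4" -v now="$5" '
    # does one services/ttys/users list select this value? ("*", "!x", "a|b")
    function item_matches(spec, val,   n, alts, i, a, neg) {
      n = split(spec, alts, "|")
      for (i = 1; i <= n; i++) {
        a = alts[i]; neg = 0
        if (substr(a, 1, 1) == "!") { neg = 1; a = substr(a, 2) }
        if (neg ? (a != val) : (a == "*" || a == val)) return 1
      }
      return 0
    }
    # is day d covered by a run of two-letter day codes such as "MoTuWe" or "Wk"?
    function day_in(codes, d,   i, c, ok) {
      ok = 0
      for (i = 1; i <= length(codes); i += 2) {
        c = substr(codes, i, 2)
        if (c == "Al" || c == d) ok = 1
        else if (c == "Wk" && d ~ /^(Mo|Tu|We|Th|Fr)$/) ok = 1
        else if (c == "Wd" && d ~ /^(Sa|Su)$/) ok = 1
      }
      return ok
    }
    # one time term, e.g. "Wk0800-1700" or "!Sa1200-1300"; end of range is exclusive
    function term_matches(term, d, t,   neg, codes, from, to, inside, m) {
      neg = 0
      if (substr(term, 1, 1) == "!") { neg = 1; term = substr(term, 2) }
      if (!match(term, /[0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9]$/)) return 0
      codes = substr(term, 1, RSTART - 1)
      from = substr(term, RSTART, 4) + 0
      to   = substr(term, RSTART + 5, 4) + 0
      inside = (from <= to) ? (t >= from && t < to) : (t >= from || t < to)   # 2200-0600 wraps
      m = day_in(codes, d) && inside
      return neg ? !m : m
    }
    /^[ \t]*(#|$)/ { next }                      # comments and blank lines
    {
      gsub(/[ \t]/, "")
      if (split($0, f, ";") < 4) next
      if (!item_matches(f[1], svc) || !item_matches(f[2], tty) || !item_matches(f[3], usr)) next
      # every rule that selects this login must also allow the moment in question
      n = split(f[4], terms, "|"); ok = 0
      for (i = 1; i <= n; i++) if (term_matches(terms[i], day, now + 0)) ok = 1
      if (!ok) { denied = 1; exit }
    }
    END { print (denied ? "deny" : "allow") }'
}

# Constructed time.conf: the post's two rules plus a negated-user rule
sample_time_conf() {
  printf '%s\n' '# services;ttys;users;times' \
                'vsftpd;*;ftp_user;Wk0800-1700' \
                'sshd;*;client_user;Wk0900-1900' \
                'su;*;!root;Wk0800-1700'
}

# Usage (C locale, so date +%a gives Mon..Sun):
#   pam_time_check sshd "$(tty)" "$USER" "$(date +%a | cut -c1-2)" "$(date +%H%M)" < /etc/security/time.conf
```

Run it for the account you use to get in before you restart anything, and for the hour you usually get called at night.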

Set NTP time source on Checkpoint to have correct log timestamps

It is hard to argue with the fact that logs are only as good as they are correct, and correct timestamps are crucial to this. The internal clock is prone to drifting with time; I have seen some UTM appliances drift by as much as 40 minutes in just one year! Worse, you can never be sure how the drift is distributed over time: it may be a small incremental drift every day, or a sudden jump due to who knows what.
To prevent this from happening I use NTP time synchronization on all of my servers and firewalls. If you have been in system administration for some time this is old news: run the ntpd daemon against pool.ntp.org servers located close to you, and you are set in five minutes.
In Checkpoint (SecurePlatform, at least) they took the hardening of the underlying OS to the extreme and shipped only the ntpdate utility for the task; no ntpd for us. (Gaia does ship ntpd, configured from clish with the set ntp commands.)
Not a big deal: the cron job below runs ntpdate every 30 minutes to update the firewall clock, and you had better do the same. Remember that ntpdate steps the clock outright when the offset is above 128 ms, so a box that has drifted for a year gets one visible jump in its logs; after that the half-hourly runs keep it within slewing range.
*/30 * * * * /usr/sbin/ntpdate 1.uk.pool.ntp.org > /dev/null 2>&1
Cheers
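As an added example (not the post's cron line), a small wrapper to put in the cron job instead of bare ntpdate: it queries the offset first with ntpdate -q, logs it, and applies the correction only within a sanity limit. A clock that is suddenly hours off means a dead RTC, a wrong server or someone feeding you bad time (ntpdate is plain, unauthenticated UDP), and that deserves an alert, not a silent jump that scrambles log correlation. The thresholds, the logger tag and the sample ntpdate -q output are my own choices, constructed for this example.

```shell
#!/bin/sh
# Added example, not from the post: ntpdate wrapper with an offset sanity check.

# offset_from_query: offset (seconds, signed) from the first "server ..., offset X, ..."
# line of "ntpdate -q" output on stdin
offset_from_query() {
  awk '/^server / { for (i = 1; i <= NF; i++) if ($i == "offset") { v = $(i + 1); sub(/,$/, "", v); print v; exit } }'
}

# classify_offset SECONDS -> skip|slew|step|refuse (sign ignored)
#   skip   : under 10 ms, not worth touching
#   slew   : ntpdate slews offsets under 128 ms with adjtime(); no visible jump in the logs
#   step   : ntpdate steps the clock; a one-time jump, acceptable for a box that has drifted
#   refuse : above REFUSE_OVER seconds (default 600); investigate instead of applying
classify_offset() {
  awk -v o="$1" -v refuse_over="${REFUSE_OVER:-600}" 'BEGIN {
    if (o < 0) o = -o
    if (o < 0.010)            print "skip"
    else if (o < 0.128)       print "slew"
    else if (o < refuse_over) print "step"
    else                      print "refuse"
  }'
}

# sync_clock SERVER: what the cron job runs; non-zero exit when nothing was applied
sync_clock() {
  server=$1
  q=$(ntpdate -q "$server" 2>&1) || { logger -t ntpsync "query of $server failed: $q"; return 1; }
  off=$(printf '%s\n' "$q" | offset_from_query)
  [ -n "$off" ] || { logger -t ntpsync "could not parse offset from $server"; return 1; }
  case $(classify_offset "$off") in
    skip)      logger -t ntpsync "offset ${off}s from $server, left alone" ;;
    slew|step) ntpdate -u "$server" >/dev/null 2>&1 && logger -t ntpsync "adjusted by ${off}s from $server" ;;
    refuse)    logger -t ntpsync "REFUSED offset ${off}s from $server, check the clock and the server"; return 2 ;;
  esac
}

# Constructed "ntpdate -q" output
sample_query_output() {
  printf '%s\n' 'server 192.0.2.10, stratum 2, offset -0.421873, delay 0.02563' \
                '26 Jan 10:30:01 ntpdate[4242]: step time server 192.0.2.10 offset -0.421873 sec'
}

# Cron usage: */30 * * * * /usr/local/bin/ntpsync.sh 1.uk.pool.ntp.org
# with the last line of the script being:  sync_clock "$1"
```

The -u flag makes ntpdate send from an unprivileged port, which matters on a firewall whose own rulebase may not allow inbound UDP 123; the REFUSED line in syslog is the one to alert on.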


© 2016 yurisk.info
