Saturday, December 10, 2011

Checkpoint and Multicast Traffic

To allow multicast traffic through the gateway, follow sk35996; in addition, you need to create an accept rule with the service "pim".

Regarding sk31190: SecurePlatform Pro needs to be enabled if you want the gateway itself to participate in multicast routing.

If you only want that traffic to pass through the gateway and the gateway does not need to make any dynamic routing decisions, there is no need to enable SecurePlatform Pro.

Some tips:
# tcpdump ip multicast   shows you the multicast packets.

To enter the SecurePlatform Pro router configuration mode, type "pro enable". This requires an Advanced Routing blade license.
Let's enable multicast routing with PIM sparse mode on both interfaces:

[Expert@NGx-gw1]# router config
localhost.localdomain#config t
localhost.localdomain(config)#interface eth0
localhost.localdomain(config-if)#ip pim sparse-mode
localhost.localdomain(config)#interface eth1
localhost.localdomain(config-if)#ip pim sparse-mode
localhost.localdomain(config)#ip pim enable
localhost.localdomain#wr mem

Tuesday, October 18, 2011

Cluster Status Active - Ready

Last night I faced a problem after moving the cluster members to new hardware.
Although the software versions were the same, # cphaprob stat showed one member as Active and the other as Ready.
The cause was CoreXL: the number of enabled cores differed between the members; # fw ctl multik stat shows this to you.
The number of CoreXL cores must be the same on both members.

Monday, October 10, 2011

R75.20 Console Error

If you are getting the error below in SmartConsole:
Failed to save object firewall_properties.
Server error is: Validation error in field 'SynDefender active mode' at
object 'firewall_properties' @ 'properties' --> The value '0' is not in the list of valid values '1~2'. (Code: 0x800415A6, Object Validation Failed)

Create an upgrade_export first, then close all SmartConsoles and open GuiDBedit.exe, located in the SmartConsole directory X:\Program Files\CheckPoint\SmartConsole\R7X\PROGRAM.
Find the related object with CTRL+F (in this example it is firewall_properties), change the value of the property to a valid one (1 here) and click Save All. If a similar error appears for another field, fix it the same way with the required value.

Mobile Access VPN Policy tab is Empty

An exception occurred while constructing the view:
CDIeException Exception:
Error Code: 0 (Unspecified error)
User Message: General Error: Invalid or No UID
Debug Message:
CDleDereferenceReqHandler::_dereferenceSingleFieldObject not found in CPMI
File Name:
Line number: 207
Inner: NONE

Back up and then delete the files
in $FWDIR/conf.
This is a general solution for SmartConsole problems.

Updated note: check the connectra_policy.C file and correct the corrupted lines; take a copy of the file before editing it.

Sunday, October 2, 2011

Changing Mac Magic numbers at Checkpoint Cluster

The operation below is needed when two Check Point clusters work on the same network (the same broadcast domain), so that their CCP traffic and cluster MAC addresses do not collide.
To view the values:
# fw ctl get int fwha_mac_magic
# fw ctl get int fwha_mac_forward_magic
The default values are 254 and 253. Each value is a single byte (0 to 255) and the two must differ from each other.
Let's change them to 251 and 250:
# fw ctl set int fwha_mac_magic 251
# fw ctl set int fwha_mac_forward_magic 250
fw ctl set int does not survive a reboot, so we should also write these to $FWDIR/boot/modules/fwkern.conf, where the values are written in hex (251 is 0xfb and 250 is 0xfa).

Tuesday, August 23, 2011

R65.X to R7x Upgrade - How to Uninstall Connectra Plugin

Don't forget to uninstall the plugins before the upgrade.

Uninstall the Connectra plugin:

# /opt/CPPIconnectra*R65/bin/plugin_preuninstall_verifier
# /opt/CPPIconnectra*R65/bin/plugin_uninstall

Uninstall the VoIP plugin:

# /opt/CPPIvoip-R65/bin/plugin_preuninstall_verifier
# rpm -e CPVOIPCMP
# /opt/CPPIvoip-R65/bin/plugin_uninstall

R75 Console Crash Problem

We faced some console problems after upgrading to R75: SmartDashboard or SmartView Tracker crashed randomly. There is an improved build named Check_Point_SmartConsole_r75_Improved.exe; I suggest you request this file from Check Point Support.

R75.20 Upgrade failed via Check_Point_Upgrade_for_R75.20.Splat.tgz

Interestingly, I encountered this problem at two different customers and
worked around it by installing the upgrade from the ISO with the # patch add cd command, using Check_Point_R75.20.Splat.iso.
As you already know, you can use SmartSPLAT to upload an ISO file to the firewall and mount it like a CD-ROM with a single click.

Thursday, July 7, 2011

How to manually backup SMC

This is a way to back up the relevant files on the SMC; it can also be used for CMA migration.

mkdir -p /var/tmp/manualyedek/conf
mkdir -p /var/tmp/manualyedek/database
mkdir -p /var/tmp/manualyedek/conf.cpdir
mkdir -p /var/tmp/manualyedek/database.cpdir
mkdir -p /var/tmp/manualyedek/registry
cp -rfL $FWDIR/conf/* /var/tmp/manualyedek/conf
cp -rfL $FWDIR/database/* /var/tmp/manualyedek/database
cp -rfL $CPDIR/conf/* /var/tmp/manualyedek/conf.cpdir
cp -rfL $CPDIR/database/* /var/tmp/manualyedek/database.cpdir
cp -rfL $CPDIR/registry/* /var/tmp/manualyedek/registry

cd /var/tmp/
gtar -zcvf manualyedek.tgz manualyedek
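The same backup as a reusable function, added here as an example and not the page's own commands: it takes the backup root, $FWDIR and $CPDIR as arguments so it can be run against any paths, refuses to continue if a source directory is missing (a silently partial archive is worse than none), and lists the archive back before removing the staging copy. The manualyedek-<timestamp> naming and the fallback to tar when gtar is absent are assumptions.

```shell
#!/bin/sh
# Manual SMC/CMA backup as a function (added example). Arguments:
#   $1 backup root (default /var/tmp), $2 FWDIR, $3 CPDIR.
# The staging directory name "manualyedek-<timestamp>" is an assumption.
smc_manual_backup() {
    root=${1:-/var/tmp}
    fwdir=${2:-$FWDIR}
    cpdir=${3:-$CPDIR}
    tar_bin=$(command -v gtar || command -v tar)       # SPLAT ships gtar
    stamp=$(date +%Y%m%d-%H%M%S)
    work="$root/manualyedek-$stamp"
    # "source directory:name inside the archive", same layout as above
    for pair in "$fwdir/conf:conf" \
                "$fwdir/database:database" \
                "$cpdir/conf:conf.cpdir" \
                "$cpdir/database:database.cpdir" \
                "$cpdir/registry:registry"; do
        src=${pair%:*}
        dst="$work/${pair##*:}"
        if [ ! -d "$src" ]; then
            echo "missing source directory: $src" >&2
            rm -rf "$work"
            return 1
        fi
        mkdir -p "$dst"
        # -L dereferences symlinks so the archive holds real files
        cp -rfL "$src/." "$dst/"
    done
    "$tar_bin" -C "$root" -czf "$work.tgz" "manualyedek-$stamp" || return 1
    # Read the archive back before trusting it and removing the staging copy
    "$tar_bin" -tzf "$work.tgz" >/dev/null || return 1
    rm -rf "$work"
    echo "$work.tgz"
}
```

Run it as smc_manual_backup /var/tmp "$FWDIR" "$CPDIR" on the SMC; the printed path is the archive to copy off the box.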

The connection has been refused due to one of the following SmartCenter Server certificate problems:

1. The SmartCenter Server's clock is not set up properly.
2. The certificate's issue date is later than the date on the SmartCenter Server's clock.
3. The GUI client's clock and the SmartCenter Server's clock are not synchronized.
4. The certificate has expired.
5. The certificate is invalid.

Q: I have several firewall modules managed from this SMC. Can they drop traffic, or will SIC be reset after this operation?
A: No. This is the SmartCenter's own certificate (CN=cp_mgmt), re-issued by the same internal CA; SIC with the gateways is not reset and they will not drop traffic, so you don't have to worry about that.
Q: Why did I get this warning? What caused it?
A: There may be several causes, but most of them are related to low disk space; check usage with # df -h.

Solution on the SMC:

1. # cd $CPDIR/conf
2. # cp sic_cert.p12 sic_cert.p12old
3. # cpca_client revoke_cert -n "CN=cp_mgmt"
4. # cpca_client create_cert -n "CN=cp_mgmt" -f sic_cert.p12
5. # cpstop; cpstart

Sunday, June 26, 2011

How to reset lost password at IBM ISS MX Firewalls

Use PuTTY; HyperTerminal won't work with this procedure.

* Open a console terminal session with the M/MX appliance.
* Reboot the appliance.
* Press [Delete] to enter setup.
* When the GRUB menu appears, press 'e'.
* Select the kernel that you wish to boot and type 'e' to edit.
* Select the line that starts with 'kernel' and type 'e' to edit the line.
* Go to the end of the line and type 'single' as a separate word (press the [Spacebar] and then type single).
* Press [Enter] to exit edit mode.
* Back at the GRUB screen, type 'b' to boot into single-user mode.
* You should get a fairly normal-looking boot sequence, except that it terminates a little early at a bash prompt.

NOTE: If you get a "Give root password for system maintenance" message, your system has been secured to require the root password for any level of access. In that case this procedure isn't going to work and you would need to reimage the system to regain access.

Once you get to the command prompt, the / file system may not be mounted writable. To make sure it is, enter the following:
mount -o remount,rw /

* If all is successful up to this point, you can change the root password to whatever you like with:
passwd

* You can also change the command-line admin password here:
passwd admin

* You can change the web interface admin password here:
htpasswd -m /var/www/auth/htpasswd admin

* Once the passwords have been changed, reboot the appliance with:
shutdown -r now

* After the system has finished rebooting, you should be able to log in with the newly changed password.

Checkpoint L2TP Android Configuration

The only setup difference between iPhone and Android is the L2TP pre-shared key, which is left empty on the Android side.

* Go to Settings -> Wireless & Networks -> VPN Settings

 - VPN name: "set a VPN name"
 - VPN server: "set the firewall IP"
 - IPSec pre-shared key: "set the L2TP key"
 - L2TP pre-shared key: "disable"

You will then be able to connect from Android.

Monday, May 23, 2011

Iphone IPad support for Connectra

Connectra (all versions as of 23.05.2011) does not support the Check Point Mobile VPN software; you can't use the VPN client because certificate enrollment is not supported, and you will get the error "Certificate Enrollment Failed". You have to upgrade to the Mobile Access blade.

You can only use the Safari browser, but if you are using ICS (Integrity Clientless Security) then again you won't be able to log in to the portal.

Deployment shell internal error at Connectra

To successfully use Connectra portal ICS (scanning with a compliance policy), ActiveX and a Java VM must be installed on the PC. If the two components are installed successfully, the installation of another component, the deployment shell, begins. If you have a problem with the two prerequisites, you can't install the deployment shell and you get the warning "deployment shell internal error".
Solution: remove the PC from the Windows domain (so you don't have to deal with GPO, user profiles, security templates, etc.), uninstall everything and do a fresh install.

Also, the ICS components reside in /opt/CPcvpn-R66/htdocs/ICS/components on an R66.1 server; replace them with the new files from your test VM
and run the command # cvpn_port_utility.csh.R66_01

Also check whether the related Windows update is installed; use "wusa /uninstall /kb:2562937" to uninstall it.

Tuesday, May 10, 2011

SmartSPLAT v4 is now Released

    I'm pleased to announce the release of SmartSPLAT v4

This version includes a number of new features:

New Floaty terminals,
New Floaty HTML notepad with browser support,
New recording options: you can now record everything within the shells,
New SCP support: you can upload and download files by browsing (integrated with PuTTY PSCP),
New Tufin terminal support,
New Nokia terminal support,
New HyperTerminal support for Windows 7,
New external software support: you can now open debug outputs in WordPad or Wireshark,
New confirmation dialogs and tooltips on commands,
New syslog server support for Windows 7 and Server 2008.

Sunday, April 3, 2011

Basic way to test an IPS via Windows CLI

Telnet to a web server behind the IPS and send the request:

GET ../../etc/passwd HTTP/1.0

You will see the HTTP_GET_Malformed signature triggered in SiteProtector.

You can also use this technique in pentests; it lets you discover whether there is an IPS in the path or not.
Open Wireshark and examine the returned packets: if you see RST packets or connection time-outs instead of a normal HTTP response (a plain 400 from the web server means the request reached it), you can be fairly sure that an IPS is active and blocking.

The steps are simple and can be used with any IPS vendor.

Cagdas Ulucan

Wednesday, March 16, 2011

Checkpoint Reverse Proxy Configuration

The Check Point reverse proxy listens for requests from the Internet and forwards them to internal web servers; the client connects to the proxy and need not be aware of the internal network.
This can be used for load balancing, publishing OCS, etc.

We need 2 rules for this:

Source: Any
Service: HTTP -> test (the URI resource)
Action: Drop

Source: Any
Destination: internalipaddress
Service: HTTP
Action: Accept

The URI resource definition should look like this:

Tuesday, March 15, 2011

Difference between Install Policy and Install Database

Some settings belong to the SMC itself rather than to the gateway policy, for example log server settings, mail alert settings, etc.; these must be pushed with Install Database. A policy installation does not include the specific Install Database operations.

Always keep this in mind so you don't waste your time.

Monday, March 14, 2011

magic number corrupted fwauth.NDB

Policy cannot be installed on one of the cluster members; the warning message is: magic number corrupted.

Copy fwauth.NDB from $FWDIR/conf/defaultDatabase to $FWDIR/conf/database on that member, then reinstall the policy.

Friday, March 11, 2011

Corruption in the Checkpoint IPS database

IPS reset procedure

1. Delete all IPS profiles except the default profiles (Default_Protection and Recommended_Protection).
2. Prepare the clean IPS files listed below, taken from the same version.
3. # cpstop
4. # cd $FWDIR/conf
5. Copy the provided IPS files to the conf directory:
6. Edit the file $FWDIR/conf/asm.C and change:
need_local_update to "true"
asm_update_version_ips1 to "0"
asm_update_version_vpn1 to "0"
asm_update_version to "0"
7. Delete $FWDIR/conf/CPMILinks* and $FWDIR/conf/applications.C
8. Delete $FWDIR/conf/SMC_Files/asm/crc_marker_db.fws
9. # cpstart
10. fwm should start a process called "sduu"; wait until it finishes, which can take several minutes.
11. Verify that the :asm_update_version_ips1, :asm_update_version_vpn1 and :asm_update_version values have changed and are no longer zero; this means the silent update finished successfully.
12. Perform an online update.
13. Push the policy.
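Steps 6 and 11 of this procedure as a script, added here as an example and not part of the original procedure. It assumes the ":key (value)" line form of Check Point .C files, keeps a timestamped copy of asm.C before editing it, and gives you a check that returns success only once the silent update has moved all three counters off zero. The ASM_C variable and the function names are this example's own.

```shell
#!/bin/sh
# Steps 6 and 11 of the IPS reset as a script (added example). Assumes the
# ":key (value)" line form of Check Point .C files; path defaults to
# $FWDIR/conf/asm.C.
ASM_C=${ASM_C:-$FWDIR/conf/asm.C}
ASM_VERSION_KEYS="asm_update_version_ips1 asm_update_version_vpn1 asm_update_version"

# c_get FILE KEY: print the value between the parentheses, quotes stripped
c_get() {
    sed -n "s/^[[:space:]]*:$2 (\([^)]*\)).*/\1/p" "$1" | head -n 1 | tr -d '"'
}

# c_set FILE KEY VALUE: rewrite the value in place, keeping the indentation
c_set() {
    sed -i "s/^\([[:space:]]*:$2 (\)[^)]*)/\1$3)/" "$1"
}

# Step 6: flag a local update and zero the three version counters
asm_reset_counters() {
    f=${1:-$ASM_C}
    cp -p "$f" "$f.bak.$(date +%Y%m%d%H%M%S)" || return 1   # keep a copy first
    c_set "$f" need_local_update true
    for k in $ASM_VERSION_KEYS; do
        c_set "$f" "$k" 0
    done
    [ "$(c_get "$f" need_local_update)" = true ] || return 1
}

# Step 11: succeed only once every version counter has moved off zero,
# i.e. the silent update run by sduu after cpstart has completed
asm_update_done() {
    f=${1:-$ASM_C}
    for k in $ASM_VERSION_KEYS; do
        v=$(c_get "$f" "$k")
        [ -n "$v" ] && [ "$v" != 0 ] || return 1
    done
}
```

After cpstart, poll with "until asm_update_done; do sleep 30; done" instead of guessing when sduu has finished, then continue with the online update and the policy push.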

/bin/console_age at hyper terminal

Today I had a problem with a new Smart-1 appliance that comes with the R71.10 image.
If the HyperTerminal output stops responding at /bin/console_age,
don't immediately think of an RMA.
In my case this was a cable error.
The default cable that comes with the device, or a standard Cisco cable, won't work; try another RS232 connector. I tried a Proventia IPS cable and it resolved the problem.

You may safely ignore the "microcode device /dev/cpu/0/microcode doesn't exist" warnings that appear on the console.

Sunday, February 27, 2011

Checkpoint site-to-site vpn with Overlapping VPN domain

If both sides of a site-to-site VPN use the same IP subnet, we have to build a scenario similar to the one below.

Site A and Site B are using the same subnet.

Site A                                       Site B
LAN_A                                        LAN_B
we will NAT LAN_A to NAT_Net A               we will NAT LAN_B to NAT_Net B

Site A VPN Domain = LAN_A and NAT_Net A
fw object that represents the Site B VPN domain = NAT_NETB_10.0.0.0

    Add the static NAT at Site A

Site B VPN Domain = LAN_B and NAT_Net B
fw object that represents the Site A VPN domain = NAT_NETA_172.16.0.0

    Add the static NAT at Site B

Checkpoint Source Based Routing (PBR)

The best and easiest way to do this is via SmartSPLAT; you will have your new environment set up in seconds.

In this example the client node goes to the Internet through Router1, the DMZ network goes to the Internet through Router2, and all other clients go through Router0 (the default route). The addresses are shown as placeholders below: <ROUTER1> and <ROUTER2> are the router IPs, <CLIENT> the client node, <DMZ_NET> the DMZ network and <NET> the network reached via the given interface.

Define the tables:
echo 100 route1 >> /etc/iproute2/rt_tables
echo 200 route2 >> /etc/iproute2/rt_tables

Define the default routes for those tables:
ip route add default via <ROUTER1> table route1
ip route add default via <ROUTER2> table route2

Define the client or network that will use these tables:
ip rule add from <CLIENT> table route1
ip rule add from <DMZ_NET> table route2

Define the routes so the networks can still reach each other:
ip route add <NET> dev eth3 table route1
ip route add <NET> dev eth4 table route2

To make them persistent after a reboot, add them to /etc/rc.local (the echo lines will append a duplicate entry to rt_tables on every boot unless you guard them).
To activate the routes:    ip route flush cache
To view the routes:        ip rule list / ip route show
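The same setup as a script that is safe to re-run from rc.local, added as an example and not the page's own commands. It registers each table only once (so rc.local does not append a duplicate to rt_tables on every boot), uses "ip route replace" and deletes a stale rule before adding it, and with DRY_RUN=1 prints the ip commands instead of executing them. The router, network and interface values in pbr_apply are hypothetical placeholders (documentation addresses), as are the function names.

```shell
#!/bin/sh
# Source-based routing setup (added example, not the page's own commands).
# The gateway, network and interface values are hypothetical placeholders;
# with DRY_RUN=1 the ip commands are printed instead of executed.
RT_TABLES=${RT_TABLES:-/etc/iproute2/rt_tables}

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# add_rt_table ID NAME: register the table once. rc.local re-runs at every
# boot, so a bare "echo >> rt_tables" would append a duplicate each time.
add_rt_table() {
    grep -q "^$1[[:space:]]$2\$" "$RT_TABLES" 2>/dev/null \
        || echo "$1 $2" >> "$RT_TABLES"
}

# pbr_route TABLE GATEWAY SELECTOR NET DEV:
#   connected route for NET on DEV (so hosts steered into TABLE still reach
#   it), default route of TABLE via GATEWAY, and the rule selecting SELECTOR.
pbr_route() {
    table=$1; gw=$2; sel=$3; net=$4; dev=$5
    run ip route replace "$net" dev "$dev" table "$table"
    run ip route replace default via "$gw" table "$table"
    # "ip rule add" is not idempotent; drop a stale copy before adding
    run ip rule del from "$sel" table "$table" 2>/dev/null || true
    run ip rule add from "$sel" table "$table"
}

# Placeholder values: Router1/Router2, the client host, the DMZ network
pbr_apply() {
    add_rt_table 100 route1
    add_rt_table 200 route2
    pbr_route route1 203.0.113.1 192.0.2.10      192.0.2.0/24    eth3
    pbr_route route2 203.0.113.2 198.51.100.0/24 198.51.100.0/24 eth4
    run ip route flush cache
}
```

Run "DRY_RUN=1 sh pbr.sh" first and read the commands back; then call pbr_apply from rc.local.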

Tuesday, February 22, 2011

After installing Endpoint Security VPN R75 users can't ping or access the pc

Endpoint Security VPN R75 comes with a built-in desktop firewall that uses a default filter, which blocks inbound connections to the PC.
An easy solution is to uninstall and re-install the client without the firewall.

Start the installer from the command line with "FW_INSTALL=NO" added to it.

Run through the wizard as normal; Endpoint Security VPN will be installed without the firewall option.

Packet Capture on ISS IPS

We can also use this to measure how much traffic is going through the appliance.
Here are the instructions to get a packet capture.
To log all packets on a next-gen (1.2 or later firmware) Proventia G, use tcpdump on the command line:

# tcpdump -s 0 -i ProvG_1 -n -w /tmp/capture.enc

An explanation of the parameters in the command above:

       -s 0 captures the full packet. By default tcpdump captures only approximately the first 68 bytes of each packet.
       -i ProvG_1 captures the traffic on all monitoring interfaces; a single monitoring interface cannot be specified.
       -n disables reverse DNS lookups.
       -w /tmp/capture.enc writes the packets to a file on disk. The file is in raw pcap format and can be analyzed in Ethereal/Wireshark, or read back with tcpdump -r for a text dump of the headers.
tcpdump gathers the packets before they reach PAM or the firewall; therefore all traffic, including traffic that the Proventia G would normally block, will be seen in the capture.

Sunday, February 20, 2011

SmartSPLAT v 3.6 is Released

For this release, just two words: new style, new look.

This is the last release of the 3.x series. With the upcoming version 4 you will have more control over SPLAT and will download and upload files with a single click.

Thank you for your interest


 FREE SSH Software for Checkpoint Firewalls

Tuesday, February 1, 2011

Endpoint Security VPN R75 HFA1 is available in EA

This is what everybody was waiting for.

Three installation modes are offered; the following remote-access clients are available as part of this program:

Check Point SecuRemote R75
•   Replacing SecuRemote NGX
•   Basic remote access functionality
•   Added support for Windows 7 64 bit
•   Unlimited number of connections for any Security Gateway with the IPsec VPN blade
•   Does not require a license

Check Point Mobile for Windows R75
•   New VPN Client
•   Enterprise Grade Remote Access Client
•   Secure Configuration Verification (SCV) is integrated with Windows Security Center for querying status of antivirus, Windows updates, etc
•   Bug fixes
•   In-place upgrade from Endpoint Connect
•   Requires Mobile Access Software Blade on the Security Gateway

Check Point Endpoint Security VPN R75 HFA1
•   Replacing SecureClient and Endpoint Connect
•   Enterprise Grade Remote Access Client, including Desktop firewall and compliance checks
•   Secure Configuration Verification (SCV) is integrated with Windows Security Center for querying status of antivirus, Windows updates, etc
•   Integrated desktop firewall, centrally managed from SmartCenter
•   Bug fixes
•   In-place upgrade from Endpoint Security VPN R75
•   Requires Endpoint Container and Endpoint VPN Software Blade

Sunday, January 30, 2011

Can't see the events from Proventia M firewall at SiteProtector

Last week this procedure saved us a lot of time.
To repair the communication issue between the Proventia M and SiteProtector, the corrupted rsPostSensorEventQueue.ADF file must be set aside so that it is recreated.

Follow these steps:

1. Log in as root.
2. Stop the issDaemon service: service issDaemon stop
3. Rename the old queue file: mv /cache/spool/crm/rsPostSensorEventQueue.ADF /cache/spool/crm/rsPostSensorEventQueue.old
4. Start the issDaemon service: service issDaemon start

Saturday, January 29, 2011

Debugging NAT problems with SmartSPLAT

I have added a NAT section to SmartSPLAT; some commands related to the new tab:

To debug NAT related issues:

Start the debug
# fw ctl debug 0
# fw ctl debug -buf 2048
# fw ctl debug xlate xltrc
# fw ctl kdebug -f > kdebug.out

Stop the debug (always do this; a kernel debug left running costs CPU on the gateway)
# fw ctl debug 0

My way to debug with fw monitor:
# fw monitor -e 'accept src=xxx or src=yyy or dst=xxx or dst=yyy;' -o fwmon.cap

NAT tables are not cleared upon Security Policy installation.
To manually clear the NAT tables:
# fw tab -t fwx_alloc -x

To see the maximum capacity of the connections table:
# fw tab -t connections | grep limit

To see the NAT limit:
# fw tab -t fwx_alloc | grep limit

To see NAT statistics:
# fw tab -t fwx_alloc -t fwx_cache -s
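The four debug steps wrapped in a function, added as an example and not SmartSPLAT's or the page's own code. The point it adds is the one practitioners get bitten by: the capture is bounded to a fixed number of seconds and "fw ctl debug 0" is guaranteed to run afterwards, even if you hit Ctrl-C, via a trap. The FW variable only exists so the function can be exercised with a stub off-box; on a gateway leave it unset.

```shell
#!/bin/sh
# NAT kernel-debug session wrapper (added example, not the page's own
# commands). FW names the fw binary so it can be swapped for a stub when
# testing off-box; on a gateway leave it unset.
FW=${FW:-fw}

# nat_debug_capture SECONDS OUTFILE: run the four debug steps above for a
# bounded time and guarantee that "fw ctl debug 0" runs afterwards, even on
# Ctrl-C, because a forgotten kernel debug keeps burning CPU on the gateway.
nat_debug_capture() {
    secs=$1; out=$2
    trap '$FW ctl debug 0' EXIT INT TERM
    $FW ctl debug 0                  # reset any leftover debug flags
    $FW ctl debug -buf 2048          # allocate the kernel debug buffer
    $FW ctl debug xlate xltrc        # NAT translation flags only
    $FW ctl kdebug -f > "$out" &     # drain the buffer to a file ...
    kpid=$!
    sleep "$secs"                    # ... for the agreed window
    kill "$kpid" 2>/dev/null || true
    wait "$kpid" 2>/dev/null || true
    $FW ctl debug 0                  # switch the debug off again
    trap - EXIT INT TERM
    echo "$out"
}
```

Usage on the gateway: nat_debug_capture 30 /var/tmp/kdebug.out, then reproduce the NAT problem during those 30 seconds and read the file.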



Management HA symptoms
Management HA has inconsistencies: the primary and secondary randomly take the master role, and rulebase changes made on the active member do not replicate to the other.
Do the following on both management members:

1. cpstop
2. cd $FWDIR/conf/mgha
3. Remove all files.
4. cd $FWDIR/conf/
5. rm applic* and CPMIL*
6. cpstart

Note that if you are seeing member leaving and joining messages,
the cphad and fwd timeouts can be increased on both cluster members as follows:
# cphaprob -d fwd -t 60 -s ok -p register
# cphaprob -d cphad -t 60 -s ok -p register

Failover occurs in the cluster during Security Policy installation.
The Standby member installs the policy faster than the current Active member; therefore it is the first member to load the new configuration and, as a result, the first to check whether there are any Active members with the new configuration, so it assumes the Active state.
Enable the "freeze" mechanism on each cluster member (by default this mechanism is disabled):
# fw ctl set int fwha_freeze_state_machine_timeout VALUE_IN_SECONDS (value in hex)
# fw ctl set int fwha_freeze_state_machine_timeout 0xb4
0xb4 = 180 seconds
To disable this mechanism, run:
# fw ctl set int fwha_freeze_state_machine_timeout 0
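Both this freeze timeout and the MAC magic numbers in the "Changing Mac Magic numbers" post above need the same thing: a decimal value converted to the hex form that fw ctl set int and fwkern.conf expect. The helper below is an added example, not the page's own commands; it assumes the "name=0xHEX" line form of fwkern.conf, and range-checks the MAC magic values because each one is a single byte (it becomes one octet of the cluster's CCP source MAC) and the two must differ.

```shell
#!/bin/sh
# Decimal/hex helpers for the "fw ctl set int" values above (added example,
# not the page's own commands). fwkern.conf takes "name=0xHEX" lines; the
# MAC magic values are single bytes (one octet of the CCP source MAC), so
# they are range-checked and must differ from each other.
to_hex()   { printf '0x%x\n' "$1"; }     # 180 -> 0xb4
from_hex() { printf '%d\n' "$1"; }       # 0xb4 -> 180

# fwkern_line NAME DECIMAL -> "NAME=0xHEX", the persistent form
fwkern_line() { echo "$1=$(to_hex "$2")"; }

# mac_magic_lines MAGIC FORWARD_MAGIC: emit the two fwkern.conf lines.
# Pick values that also differ from the other cluster on the same network.
mac_magic_lines() {
    for v in "$1" "$2"; do
        case $v in
            ''|*[!0-9]*) echo "not a decimal value: $v" >&2; return 1 ;;
        esac
        [ "$v" -le 255 ] || { echo "out of byte range: $v" >&2; return 1; }
    done
    [ "$1" -ne "$2" ] || { echo "magic values must differ" >&2; return 1; }
    fwkern_line fwha_mac_magic "$1"
    fwkern_line fwha_mac_forward_magic "$2"
}

# freeze_line SECONDS -> the fwkern.conf line for the policy-install freeze
freeze_line() { fwkern_line fwha_freeze_state_machine_timeout "$1"; }
```

For example, mac_magic_lines 251 250 prints the two lines to append to $FWDIR/boot/modules/fwkern.conf, and freeze_line 180 prints the line that makes the 0xb4 freeze timeout survive a reboot.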


Thursday, January 27, 2011

R80 EndPoint Security, Some Notes,

For now there is no upgrade path from R73, no support for SPLAT and reduced functionality compared to the existing R73 products; I think Check Point brought this version out to create new sales opportunities for the new year.
But a new HFA for the missing features will come soon, and it will support existing SmartCenters.
I love the easy way to manage the endpoints with SmartDashboard: user management with AD is so easy, you can apply different blades to different users, the new Compliance feature gives you a basic NAC solution, and with WebChecker enabled I really liked the style of the new Internet Explorer, ghosty style ;)

Sunday, January 23, 2011

WCG load sharing,Yes it works.

Last week I was dealing with a V10k load-sharing project.
The V10k does not have a load-sharing feature, so we put an Alteon switch in front of 4 V10k appliances;
our tests were fine, sessions were shared across the appliances round-robin.
The Policy Server functions on its own, independent of the Policy Broker, so I left the 3 roles (PS, US, FS) on the V10ks.
Although you can define only one policy server during the installation of the log server, we saw that we can successfully get logs from all 4 policy servers simultaneously.
Another issue was upgrading v6.3x to 7.5: don't forget to follow the path v6 to 7.0 to 7.1 and finally to 7.5.

Wednesday, January 12, 2011

Websense DSS Restore Fails

This point is not yet clear in the Websense KB.
Keep in mind that the DSS backup/restore was intended for recovery, not for migration to new machines.

For a restore to work, the following should be identical:

OS installation partition and folder
(a change from 2003 Standard to 2003 Enterprise should be OK and not interfere with the restore)
Oracle installation partition and folder
DSS version and patch level
IP addresses and NIC configuration

Tuesday, January 11, 2011

Check Point Mobile for iPhone and iPad

You want to make a remote access VPN from an iPhone or iPad but don't know where to start.
Here is a checklist I have prepared for you:

Firewall version must be R71.10 (only with an EA hotfix) or R71.30; a patch that will enable support in R75 is coming shortly.
License: Mobile Access blade.

Enable the SSL VPN checkbox (new name: Mobile Access).
If you see a 404 page instead of the portal, keep in mind that CD2 of SPLAT may be required, using the command # sysconf_wrapper.

The command # cvpnd_settings set MobileAppAllowed "true" is also required to enable iPhone and iPad support on the Mobile Access gateway. Then restart the Mobile Access blade services with # cvpnrestart, and run # toggleCvpnPortal off followed by # toggleCvpnPortal on.

On the firewall, initiate the certificate for the user you created during the setup wizard and write down the registration key; you will use it on the iPad to pull the certificate from the firewall.

On the iPad, go to the App Store and download the Check Point Mobile app. You now have all the information needed for two-factor authentication:
the firewall IP, the registration key (the key you created with the Initiate button) and the Check Point user/password.

To view a demo of the business web portal, launch the app and use the credentials below:

• ACTIVATION KEY: demo-1234
• PASSWORD: cpdemo

A related question is: "I also have 64-bit Windows clients; how can I make a protocol-independent remote VPN from them?" The answer is simple: enable SNX inside the SSL VPN portal. To do this, create at least one Native Application; also check the Additional Settings - VPN Clients tab for startup options.

Note: Citrix is not supported from the iPad/iPhone client. If Citrix is configured for the SSL VPN portal, iPad/iPhone clients will not see it on the portal, and there is no target date to support this feature yet.
Also note that to connect via other protocols you have to use an L2TP VPN.

That's all.


ISS IPS Tuned PAM parameters "SYNFLood Protection"

While the signature that protects against SYN flood attacks is enabled,
it will only effectively block SYN flood traffic if the following parameter is configured
with a value of 'true'.
There are a couple of other tuning parameters available to configure the SYN flood protection more granularly.
Advanced tuning parameters:

To fine-tune your configuration, make sure that you specifically include these parameters in the local tuning section of the G appliance.

You can then modify the limit parameter to suit your needs, depending on network conditions.