Sunday, January 30, 2011

Can't see the events from the Proventia M firewall in SiteProtector

Last week this procedure saved us a lot of time.
To repair the communication issue between Proventia M and SiteProtector, the corrupted rsPostSensorEventQueue.ADF file must be replaced: rename it and restart the daemon so that a fresh queue file is created.

Follow these steps:

1. Login as root.
2. Stop the issDaemon service: service issDaemon stop
3. Rename the old queue file: mv /cache/spool/crm/rsPostSensorEventQueue.ADF /cache/spool/crm/rsPostSensorEventQueue.old
4. Start the issDaemon service: service issDaemon start
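The same procedure as a script I added here (not from the original post), with the checks I would want before touching a sensor: the daemon is stopped first, the queue file is kept under a timestamped name so an earlier .old copy is never overwritten, and the daemon is restarted even if the rename fails. QUEUE_DIR and SERVICE_CMD are my assumptions so the functions can be dry-run off the appliance.

```shell
#!/bin/sh
# Added example, not from the original post: rotate the Proventia M
# rsPostSensorEventQueue.ADF file with safety checks. QUEUE_DIR and
# SERVICE_CMD are assumptions (defaults match the post) so the script can be
# exercised outside an appliance with a stub "service" command.
QUEUE_DIR="${QUEUE_DIR:-/cache/spool/crm}"
QUEUE_FILE="rsPostSensorEventQueue.ADF"
SERVICE_CMD="${SERVICE_CMD:-service}"

# Move the corrupted queue aside under a timestamped .old name.
# Prints the backup path on success; refuses to overwrite an existing backup.
rotate_queue_file() {
    src="$QUEUE_DIR/$QUEUE_FILE"
    [ -f "$src" ] || { echo "no queue file at $src" >&2; return 1; }
    dst="$QUEUE_DIR/rsPostSensorEventQueue.old.$(date +%Y%m%d%H%M%S)"
    [ -e "$dst" ] && { echo "backup $dst already exists" >&2; return 1; }
    mv "$src" "$dst" || return 1
    echo "$dst"
}

# Full procedure: stop issDaemon, rotate the queue, start issDaemon again.
# issDaemon is restarted even when the rotation fails, so the sensor is not
# left without its daemon; the rotation status is returned to the caller.
repair_event_queue() {
    "$SERVICE_CMD" issDaemon stop || return 1
    rotate_queue_file
    rc=$?
    "$SERVICE_CMD" issDaemon start || return 1
    return $rc
}
```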

Saturday, January 29, 2011

Debugging NAT problems with SmartSPLAT


I have added a NAT section to SmartSPLAT; here are some commands related to the new tab:


To debug NAT-related issues:

Start debug:
# fw ctl debug 0
# fw ctl debug -buf 2048
# fw ctl debug xlate xltrc
# fw ctl kdebug -f > kdebug.out

Stop debug:
# fw ctl debug 0


My way of debugging with fw monitor:
# fw monitor -e 'accept src=xxx or src=yyy or dst=xxx or dst=yyy;' -o fwmon.cap


NAT tables are not cleared upon Security Policy installation.
To manually clear the NAT tables:
# fw tab -t fwx_alloc -x


To see the maximum capacity of the connections table:
# fw tab -t connections | grep limit


To see the NAT limit:
# fw tab -t fwx_alloc | grep limit


To see NAT statistics:
# fw tab -t fwx_alloc -t fwx_cache -s
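The debug sequence and the fw monitor filter above, wrapped as a script I added (not from the post or from SmartSPLAT): the session always issues "fw ctl debug 0" when the capture stops, Ctrl-C included, so a gateway is never left with kernel debugging and its performance cost enabled, and the filter builder generalises the two-placeholder expression to any number of hosts. FW is my assumption so a stub can stand in for "fw".

```shell
#!/bin/sh
# Added example, not part of the original post or of SmartSPLAT itself.
# FW is an assumption (default "fw") so the functions can be exercised with
# a stub command off the gateway.
FW="${FW:-fw}"

# Build 'accept src=A or src=B or dst=A or dst=B;' for the given hosts,
# the same shape as the two-host filter in the post.
build_fwmon_filter() {
    [ $# -gt 0 ] || return 1
    src=""; dst=""
    for h in "$@"; do
        src="${src:+$src or }src=$h"
        dst="${dst:+$dst or }dst=$h"
    done
    printf 'accept %s or %s;\n' "$src" "$dst"
}

# Capture xlate/xltrc kernel debug into $1 (default kdebug.out) until the
# kdebug reader is interrupted. Debug flags are reset on every exit path:
# the trap covers Ctrl-C and termination, the explicit call covers a normal
# end of the capture.
nat_debug_session() {
    out="${1:-kdebug.out}"
    "$FW" ctl debug 0
    "$FW" ctl debug -buf 2048
    "$FW" ctl debug xlate xltrc
    trap '"$FW" ctl debug 0; trap - EXIT INT TERM' EXIT INT TERM
    "$FW" ctl kdebug -f > "$out"
    "$FW" ctl debug 0
    trap - EXIT INT TERM
}

# Typical use on the gateway while the NAT traffic is reproduced
# (fw monitor in a second session):
#   fw monitor -e "$(build_fwmon_filter 10.1.1.5 192.0.2.7)" -o fwmon.cap
#   nat_debug_session kdebug.out
```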

SmartSPLAT
 FREE SSH Software for Checkpoint Firewalls

SmartSPLAT: What's New in 3.4.3.2




Management HA symptoms
Management HA has inconsistencies: the primary and secondary members randomly take the master role,
and rulebase changes made on the active member do not replicate to the other.
Run the following on both cluster members:

1. cpstop
2. cd $FWDIR/conf/mgha
3. Remove all files in that directory.
4. cd $FWDIR/conf/
5. rm applic* CPMIL*
6. cpstart
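The same reset as a script I added (not from the post), which copies $FWDIR/conf/mgha and the applic*/CPMIL* files to a backup directory before removing anything, so the state can be put back if the resync does not help. FWDIR comes from the environment as on a real SmartCenter; CP_STOP and CP_START are my assumptions so the function can be tried with stub commands.

```shell
#!/bin/sh
# Added example, not from the original post: Management HA state reset with
# a backup taken first. CP_STOP/CP_START are assumptions (defaults match the
# post) so the procedure can be exercised with stubs on a scratch FWDIR.
# Run it on both cluster members, as the post says.
CP_STOP="${CP_STOP:-cpstop}"
CP_START="${CP_START:-cpstart}"

# Copy $FWDIR/conf/mgha and the applic*/CPMIL* files into a timestamped
# backup directory, then empty mgha and delete those files. Nothing is
# removed if the backup fails. Prints the backup directory on success.
reset_mgha_state() {
    backup="$FWDIR/mgha-backup-$(date +%Y%m%d%H%M%S)"
    (
        cd "$FWDIR/conf" || exit 1
        [ -d mgha ] || { echo "no mgha directory in $PWD" >&2; exit 1; }
        set -- mgha
        for f in applic* CPMIL*; do [ -e "$f" ] && set -- "$@" "$f"; done
        mkdir "$backup" || exit 1
        cp -pR "$@" "$backup"/ || { echo "backup failed, nothing removed" >&2; exit 1; }
        rm -rf mgha/*
        shift                      # drop "mgha", keep the matched files
        [ $# -gt 0 ] && rm -f "$@"
        exit 0
    ) || return 1
    echo "$backup"
}

# The full procedure on one member: cpstop, reset, cpstart.
# Services are restarted even if the reset fails; its status is returned.
resync_management_ha() {
    "$CP_STOP" || return 1
    reset_mgha_state
    rc=$?
    "$CP_START" || return 1
    return $rc
}
```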



Note that if you are seeing member leaving and joining messages,
the cphad and fwd timeouts can be increased on both cluster members as follows:
# cphaprob -d fwd -t 60 -s ok -p register
# cphaprob -d cphad -t 60 -s ok -p register

Failover occurs in the cluster during Security Policy installation.
The standby member installs the policy faster than the current active member,
so it is the first member to load the new configuration; as a result it is the first member to check whether there are any active members with the new configuration, and it assumes the Active state.
Enable the "freeze" mechanism on each cluster member (by default this mechanism is disabled):
# fw ctl set int fwha_freeze_state_machine_timeout VALUE_IN_SECONDS (value in HEX format)
# fw ctl set int fwha_freeze_state_machine_timeout 0xb4
0xb4 = 180 seconds
To disable this mechanism, run:
# fw ctl set int fwha_freeze_state_machine_timeout 0



Thursday, January 27, 2011

R80 Endpoint Security, Some Notes

Just for now: no upgrade is available from R73, there is no support for SPLAT, and existing R73 products have reduced functionality. I think Check Point brought out this version for new sales opportunities for the new year.
But a new HFA for the missing features will come soon, and it will support existing SmartCenters.
I love the easy way to manage the endpoints with SmartDashboard: user management with AD is so easy, applying different blades to different users. The new Compliance feature gives you a basic NAC control solution, and as for WebChecker, upon enabling it I really liked the style of the new Internet Explorer, Ghosty style ;)



Sunday, January 23, 2011

WCG load sharing: yes, it works.

Last week I was dealing with a V10k load-sharing project.
The V10k does not have a load-sharing feature, so we put an Alteon switch in front of 4 V10k appliances;
our tests were fine, sessions were shared across the appliances with round-robin.
The Policy Server functions on its own, independent of the Policy Broker, so I have left the 3 roles PS, US, FS on the V10Ks.
Although you can define one policy server during the installation of the log server, we have seen that we can successfully get logs from the 4 policy servers simultaneously.
Another issue was upgrading v6.3x to 7.5; don't forget to go from v6 to 7.0 to 7.1 and finally to 7.5.

Wednesday, January 12, 2011

Websense DSS Restore Fails

This point is not yet clear in the Websense KB.
Keep in mind that the restore was intended for recovery and not for migration to new machines.

For instance, the following should be identical:

OS installation partition and folder
(a change from 2003 Standard to 2003 Enterprise should be OK and not interfere with the restore)
Oracle installation partition and folder
DSS version and patch
Hostname
IP addresses and NIC configuration

Tuesday, January 11, 2011

Check Point Mobile for iPhone and iPad

You want to make a remote access VPN from an iPhone or iPad device but don't know where to start?
Here is a checklist that I have prepared for you:

Firewall version must be R71.10 (only with an EA hotfix) or R71.30; a patch that will enable support in R75 is coming shortly.
License: Mobile Access Blade

Enable the SSL VPN checkbox (its new name is Mobile Access).
If you see a 404 page instead of the portal site, keep in mind that CD2 of SPLAT may be required, using the command # sysconf_wrapper.

The command # cvpnd_settings set MobileAppAllowed "true" is also required to enable support for iPhone and iPad on the Mobile Access gateway. Continue by restarting the Mobile Access Software Blade services with # cvpnrestart, then run # toggleCvpnPortal off and # toggleCvpnPortal on.

On the firewall, initiate the certificate for the user that you created during the setup wizard, and write the key down; you will use it on the iPad device to pull the certificate from the firewall.

On the iPad device, go to the App Store and download the Check Point Mobile software. You now have all the necessary info for two-factor authentication:
firewall IP, registration key (the key you created with the Initiate button) and the Check Point user/password.

To view a demo of the business web portal, launch the app and set up the below credentials:

• SERVER: idemo.checkpoint.com
• ACTIVATION KEY: demo-1234
• PASSWORD: cpdemo

Another similar question is: "I also have 64-bit Windows clients; how can I make a protocol-independent remote VPN from them?" The answer is simple: enable SNX inside the SSL VPN portal. To do this, create at least one Native Application; also check the Additional Settings - VPN Clients tab for startup options.

Note: Citrix is not supported from the iPad/iPhone client. If Citrix is configured for the SSL VPN portal, iPad/iPhone clients will not be able to see it on the portal, and there is no target date to support this feature yet.
Also note that to connect via other protocols you have to use L2TP VPN.


That's all
Cagdas



ISS IPS tuned PAM parameters: "SYN Flood Protection"

While you have the signature that protects against SYN flood attacks enabled,
it will only effectively block SYN flood traffic if the parameter
'pam.tcp.synflood.protection' is configured with a value of 'true'.
There are a couple of other tuning parameters available to configure the SYN flood protection more granularly.

Advanced tuning parameters:

pam.tcp.synflood.protection.untrusted.rate
pam.tcp.synflood.protection.duplicatesyn.retransmit
pam.tcp.synflood.protection.duplicatesyn.timeout
pam.tcp.synflood.protection.duplicatesyn.enabled
pam.tcp.synflood.protection
pam.tcp.synflood.custom.limit
pam.tcp.synflood.custom
pam.tcp.synflood.size
pam.tcp.synflood.limit

To fine-tune your config, make sure that you specifically include these parameters in the local tuning section of the G

NAME=pam.tcp.synflood.protection
VALUE=true

NAME=pam.tcp.synflood.limit
VALUE=1000

You can then modify the limit parameter to suit your needs, depending on network conditions.
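A check I added (not from the original post) for a tuning fragment written in the NAME=/VALUE= form shown above: it parses the pairs, confirms that pam.tcp.synflood.protection is true (without it the signature alone does not block SYN floods) and that pam.tcp.synflood.limit is a positive integer. The only input is the file path; no ISS tooling is invoked, and the sample file in the test is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: validate a PAM tuning fragment
# in NAME=/VALUE= form before relying on it for SYN flood protection.

# Print "name value" for each NAME=/VALUE= pair in the file $1. Trailing
# whitespace is stripped, blank lines are ignored, and a VALUE without a
# preceding NAME is skipped.
pam_pairs() {
    sed 's/[[:space:]]*$//' "$1" | while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            NAME=*)  name="${line#NAME=}" ;;
            VALUE=*) [ -n "$name" ] && printf '%s %s\n' "$name" "${line#VALUE=}"
                     name="" ;;
        esac
    done
}

# Print the value of parameter $2 in file $1 (last occurrence wins).
pam_get() {
    pam_pairs "$1" | awk -v n="$2" '$1 == n { v = $2 } END { if (v != "") print v }'
}

# Return 0 and print the effective settings when SYN flood protection is
# enabled with a usable limit; otherwise explain on stderr and return 1.
check_synflood_tuning() {
    protection=$(pam_get "$1" pam.tcp.synflood.protection)
    limit=$(pam_get "$1" pam.tcp.synflood.limit)
    [ "$protection" = "true" ] || { echo "pam.tcp.synflood.protection is not true" >&2; return 1; }
    case "$limit" in
        ''|*[!0-9]*) echo "pam.tcp.synflood.limit missing or not numeric: '$limit'" >&2; return 1 ;;
        0)           echo "pam.tcp.synflood.limit is 0" >&2; return 1 ;;
    esac
    echo "protection=true limit=$limit"
}
```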