Sunday, February 27, 2011

Check Point site-to-site VPN with overlapping VPN domains

If both sides of a site-to-site VPN use the same IP subnet, the VPN domains overlap and we have to build a setup like the one below, where each side hides its LAN behind a unique NAT network and presents only that NAT network to the peer.

Site A and Site B both use the 192.168.0.0/24 subnet:

Site A: LAN_A 192.168.0.0/24, statically NATed to 172.16.0.0/24
Site B: LAN_B 192.168.0.0/24, statically NATed to 10.0.0.0/24


Site A VPN domain = LAN_A and NAT_Net A
Firewall object that represents the Site B VPN domain = NAT_NETB_10.0.0.0 (Site B's NAT network, not its real LAN)

    Add the static NAT rule at Site A: LAN_A 192.168.0.0/24 translated to 172.16.0.0/24


Site B VPN domain = LAN_B and NAT_Net B
Firewall object that represents the Site A VPN domain = NAT_NETA_172.16.0.0 (Site A's NAT network, not its real LAN)

    Add the static NAT rule at Site B: LAN_B 192.168.0.0/24 translated to 10.0.0.0/24





Check Point Source-Based Routing (PBR)

The best and easiest way to do this is via SmartSPLAT.

You will have your new environment set up within seconds!



In this example, the client node 192.168.0.70 will reach the internet through Router 1, the DMZ network 172.16.0.0/24 will reach the internet through Router 2, and all other clients keep going through Router 0.

Define the tables:
echo 100 route1 >> /etc/iproute2/rt_tables
echo 200 route2 >> /etc/iproute2/rt_tables

Define the default routes for those tables:
ip route add default via 10.1.1.1 table route1
ip route add default via 10.2.2.1 table route2

Define the client or network that will use each table:
ip rule add from 192.168.0.70 table route1
ip rule add from 172.16.0.0/24 table route2

Define the routes so the client and the DMZ can still reach each other (a policy table only contains what you add to it):
ip route add 172.16.0.0/24 dev eth3 table route1
ip route add 192.168.0.0/24 dev eth4 table route2

To keep them after a reboot, add the commands to /etc/rc.local
To activate the routes: ip route flush cache
To view the rules and routes: ip rule list / ip route show (add "table route1" to show a specific table)
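The same setup as a re-runnable script for /etc/rc.local, added here as an example and not part of the original post. It keeps the post's table names, gateways and interfaces; the RT_TABLES and PBR_APPLY variables are names of my own, and unlike a plain "echo >> rt_tables" it does not add a duplicate table line or a duplicate rule on every boot.

```shell
#!/bin/sh
# Added example, not from the post: idempotent PBR setup for the scenario above.
# Assumes route1 via 10.1.1.1, route2 via 10.2.2.1, DMZ on eth3, client LAN on eth4.
RT_TABLES="${RT_TABLES:-/etc/iproute2/rt_tables}"

# Register "<id> <name>" in rt_tables unless a table with that name already exists.
add_table() {
    id="$1"; name="$2"
    if grep -q "^[[:space:]]*[0-9][0-9]*[[:space:]][[:space:]]*$name[[:space:]]*\$" "$RT_TABLES" 2>/dev/null; then
        return 0
    fi
    printf '%s\t%s\n' "$id" "$name" >> "$RT_TABLES"
}

# Add "from <src> lookup <table>" only if that exact rule is not already present
# ("ip rule add" happily stacks identical rules on every run).
add_rule() {
    src="$1"; table="$2"
    if ! ip rule show | grep -qF "from $src lookup $table"; then
        ip rule add from "$src" table "$table"
    fi
}

setup_pbr() {
    add_table 100 route1
    add_table 200 route2

    # "replace" is idempotent where "add" fails with "File exists" on a rerun.
    ip route replace default via 10.1.1.1 table route1
    ip route replace default via 10.2.2.1 table route2

    # A policy table holds only what you put in it: without these the client and
    # the DMZ would lose each other once their traffic is steered away from main.
    ip route replace 172.16.0.0/24 dev eth3 table route1
    ip route replace 192.168.0.0/24 dev eth4 table route2

    add_rule 192.168.0.70 route1
    add_rule 172.16.0.0/24 route2

    ip route flush cache
}

# Run with PBR_APPLY=1 (as root) to apply; otherwise only the functions are defined.
if [ "${PBR_APPLY:-0}" = 1 ]; then
    setup_pbr
fi
```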





Tuesday, February 22, 2011

After installing Endpoint Security VPN R75, users can't ping or access the PC

Endpoint Security VPN R75 comes with a built-in desktop firewall that uses a default filter, which is what drops that inbound traffic.
An easy solution is to uninstall it and re-install the client without the firewall.

Start the installer from the command line with "FW_INSTALL=NO" added to it.


Run through the wizard as normal; Endpoint VPN will be installed without the firewall component.



Packet Capture on ISS IPS

With a packet capture we can also measure how much traffic is going through the appliance.
Here are the instructions to get the packet capture.
To log all packets on a Next-gen (1.2 or later firmware) Proventia G, use tcpdump on the command line. The command is below.

# tcpdump -s 0 -i ProvG_1 -n -w /tmp/capture.enc

Below is an explanation of the parameters in the command above.

       -s 0 captures the whole packet. Without it tcpdump usually saves only approximately the first 68 bytes of each packet.
       -i ProvG_1 captures the traffic on all monitoring interfaces at once; a single monitoring interface cannot be specified.
       -n disables reverse DNS lookups.
       -w /tmp/capture.enc writes the packets to a file on disk instead of printing them. The file is in raw (pcap) format and can be analyzed in Ethereal (Wireshark) or read back through tcpdump for a text dump of the headers.
tcpdump gathers the packets before they reach PAM or the firewall. Therefore all traffic, including traffic that the Proventia G would normally block, will be seen in the packet capture.

Sunday, February 20, 2011

SmartSPLAT v3.6 is released


For this release, just two words: new style, new look.

This is the last release of the 3.x line. With the upcoming version 4 you will have more control over SPLAT and will be able to download and upload files with a single click.


Thank you for your interest

Cagdas


SmartSPLAT: free SSH software for Check Point firewalls

Tuesday, February 1, 2011

Endpoint Security VPN R75 HFA1 is available in EA (Early Availability)

This is what everybody was waiting for:

Three installation modes:

The following remote-access clients are available as a part of this program:

Check Point SecuRemote R75
•   Replacing SecuRemote NGX
•   Basic remote access functionality
•   Added support for Windows 7 64 bit
•   Unlimited number of connections for any Security Gateway with the IPsec VPN blade
•   Does not require a license

Check Point Mobile for Windows R75
•   New VPN Client
•   Enterprise Grade Remote Access Client
•   Secure Configuration Verification (SCV) is integrated with Windows Security Center for querying the status of antivirus, Windows updates, etc.
•   Bug fixes
•   In-place upgrade from Endpoint Connect
•   Requires Mobile Access Software Blade on the Security Gateway

Check Point Endpoint Security VPN R75 HFA1
•   Replacing SecureClient and Endpoint Connect
•   Enterprise Grade Remote Access Client, including Desktop firewall and compliance checks
•   Secure Configuration Verification (SCV) is integrated with Windows Security Center for querying the status of antivirus, Windows updates, etc.
•   Integrated desktop firewall, centrally managed from SmartCenter
•   Bug fixes
•   In-place upgrade from Endpoint Security VPN R75
•   Requires Endpoint Container and Endpoint VPN Software Blade