Wednesday, June 27, 2012

SNX page can not be displayed error

We have faced this issue again.

Solution:
Uninstall update KB2585542
or
change the Encryption setting from
AES, 3DES to AES, 3DES, RC4
in the Global Settings for Remote Access / SSL Network Extender.
Then install the policy to the gateway.

Thursday, June 14, 2012

Packet (ping) latency through Checkpoint Firewall

Check the anti-spoofing settings and make sure anti-spoofing is configured on all interfaces. Also check the SecureXL settings.

How to Install a public CA to Mobile Access / Connectra

1. Generate the CSR
-------------------------------
Run "csr_gen <filename>" and follow the instructions.
!NOTE! If the files <filename>.csr and <filename>.key already exist, they are overwritten without warning!
Output:
-> <filename>.key (keyfile)
This is the private key. You are asked whether you want to protect this file with a passphrase; please do so. Protect this file and keep it secure.
You need this file and the passphrase later to install the certificate.
-> <filename>.csr
This is the certificate signing request that you have to send to your CA.
You will receive the signed certificate from your CA (certfile).

2. Convert certfile to PEM-Format
-----------------------------------------------------------
If the file you receive from your CA is in p12 or pfx format, convert it to PEM format (sk30997):
$CVPNDIR/bin/p12ToPem <input-filename(.p12 /
e.g. $CVPNDIR/bin/p12ToPem cert.pfx
If the file you receive from your CA is in p7b, spc or PKCS#7 format, convert it to PEM format:
$CVPNDIR/bin/p7bToPem <filename (.p7b, .spc, ...)> <output filename (.crt)>
e.g. $CVPNDIR/bin/p7bToPem cert.p7b cert.crt
Output:
->certfile in PEM-format <filename>.crt

3. Install the generated certificate:
--------------------------------------------------
Use this command to install the previously generated certificate:
$CVPNDIR/bin/InstallCert <certfile> <keyfile> '<passphrase>'

4. Restart Daemon
----------------------------
Run "cvpnrestart" on the Gateway

Repeat steps 3 and 4 on each member.
Finally, reinstall the policy to the cluster.
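
A pre-flight check for the certfile/keyfile pair from steps 1 and 2, to run before InstallCert. This is an added example, not part of the original post or a Check Point tool: the function name check_cert_key and the KEY_PASS variable are assumptions, and it requires an openssl binary on the machine where you run it.

```shell
#!/bin/bash
# Added example (hypothetical helper, not a Check Point tool): pre-flight
# check for the <certfile>/<keyfile> pair before running InstallCert.
# The passphrase is read from the KEY_PASS environment variable (an assumed
# name) so it does not appear in the process list.

check_cert_key() {
    local cert="$1" key="$2" cert_pub key_pub
    export KEY_PASS="${KEY_PASS:-}"

    # Step 2 must have produced a PEM certificate, not p12/pfx/p7b.
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$cert" 2>/dev/null ||
       ! cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null); then
        echo "FAIL: $cert is not a readable PEM certificate" >&2
        return 2
    fi

    # The key must load with the passphrase chosen in step 1.
    if ! key_pub=$(openssl pkey -in "$key" -passin env:KEY_PASS -pubout 2>/dev/null); then
        echo "FAIL: cannot read $key (wrong passphrase or not a private key)" >&2
        return 3
    fi

    # The CA-signed certificate must carry the public half of this key.
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: certificate does not match private key" >&2
        return 4
    fi

    # Reject a certificate that has already expired.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: certificate has expired" >&2
        return 5
    fi

    echo "OK: $cert matches $key"
    return 0
}
```

A non-zero return value identifies which check failed (2 format, 3 key or passphrase, 4 mismatch, 5 expiry).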

Sunday, June 10, 2012

Policy Install Load on Module Failed

Last week I was dealing with a policy installation problem;
fwm.elg was pointing to a duplicate fw object name and some certificate-related problems.
After placing the upgrade_export on a VM test machine, I saw that I could install the policy on it, so I decided to reset SIC on both members one by one, and this resolved our problem.

SmartSPLAT may help you examine this type of problem.
Load the policy to the firewall:
# fwm load $FWDIR/conf/Standard.W FirewallName > /var/tmp/policy_install.ctl 2>&1
Also try fetching the policy from the SMC:
# fw fetch SMCName
and fetching locally:
# fw -d fetchlocal -d $FWDIR/state/__tmp/FW1/

FWM crashes due to corrupted license file

Last week I had an interesting license problem.
I got an error similar to the one below:

/bin/cplic_start: line 6:  4777 Segmentation fault      $CPDIR/bin/cplic "$@"

fwm is crashing on the SmartCenter server.

Perform the following on the SMC:
# cpstop
# cd $CPDIR/conf
# rm cp.contract
# rm cp.license (If removing just cp.contract doesn't resolve the issue, try removing this file as well; you will need to reinstall the licenses)
# cd $FWDIR/conf
# rm CPMIL*
# rm applications.C*
# cpstart

Also remember to check disk usage with # df -h when troubleshooting SMC-related problems; /opt may be full.