Checkpoint CCSE R65 SPLAT

*****Mgmt High Availability*****
Create a new Check Point host object and choose the products Secondary SmartCenter Server and Log Server. This requires a special SIC initialization (the secondary gets its certificate from the primary's ICA).
Force a sync between both Management Servers: Policy -> Management High Availability Server
To choose when the Management Servers sync: Global Properties -> Management High Availability (options: Policy Installed, Policy Saved, Timed)

Advanced or Collision state?
Advanced - the peer SMS is more up-to-date. Manual synchronization must be initiated by the administrator:
 1. Change the Active SMS to a Standby SMS.
 2. Perform a "synch me" operation from the more advanced server to the Standby SMS.
 3. Change the Standby SMS back to the Active SMS.
Collision - the Active SMS and its peer have different installed policies and databases. The administrator must synchronize manually and decide which SMS to overwrite; the overwritten side's changes are lost, so take a backup of both before choosing.

*****HA Cluster*****
When converting a security gateway into a cluster member, the following data is kept:
 SIC
 Topology
 VPN
 NAT (except IP Pools)
After setting up the HA cluster, check the status of the gateways in SmartView Monitor.
!HA status, Active/Standby member
cphaprob stat
!Interfaces being monitored
cphaprob -a if
!ClusterXL Control Protocol (CCP) packets can be sent with a broadcast or a multicast destination MAC address (multicast is the default; switch to broadcast when the switch does not forward the multicast MAC correctly)
cphaconf set_ccp broadcast
!CP HA mechanisms (critical devices) and their state
cphaprob -i list

*****Load Sharing Clusters*****
Multicast and Unicast mode.
Sharing method (Multicast mode), i.e. what the decision function hashes on: [IPs, Ports, SPIs] (default), [IPs, Ports], [IPs]
Sticky Decision Function - keeps all the packets of a connection on the same member, needed for connections that cannot be synchronized between members.
Pivot (Unicast mode) - one member receives all traffic and distributes it to the others; the % load assigned to each member decides who gets the majority of the connections.

*****Smart Update & Local upgrades*****
To upgrade via the CLI:
tar -xzvf Check_Point_NGZ_R65_HFA_50.linux.tgz
./UnixInstallScript

*****Cluster Trouble Shooting*****
!Active connections table (summary)
fw tab -t connections -s
!NAT table
fw tab -t fwx_alloc -s
!Useful info about the hardware
cd /proc/
more cpuinfo
more
meminfo
!To forward traffic this must be 1
more /proc/sys/net/ipv4/ip_forward
!Allow multiple simultaneous pings to the virtual/physical IP (read the current value, then set it)
fw ctl get int fw_allow_simultaneous_ping
fw ctl set int fw_allow_simultaneous_ping 1
!A "fw ctl set" is lost on reboot. To keep the change, put it in $FWDIR/boot/modules/fwkern.conf, one parameter=value per line (not as a fw ctl command):
cd $FWDIR/boot/modules
vi fwkern.conf
fw_allow_simultaneous_ping=1
!Machine capacity, kernel memory, connections, NAT, sync
fw ctl pstat

*****Encryption*****
Phase 1 (IKE)
 1. Encryption: DES, 3DES, AES, CAST
 2. Hash: MD5, SHA1
 3. Authentication method: pre-shared secret, certificate
 4. Diffie-Hellman group
Phase 2 (IPsec)
 1. IPsec protocol: ESP, AH, ESP+AH
 2. Hash: MD5, SHA1
(DES and MD5 are legacy; use AES and SHA whenever the peer supports them.)

*****Domain Based VPN*****
A VPN community is a group of gateways; the VPN domain (encryption domain) of each gateway decides which traffic goes into the tunnel.

*****SSL VPN*****
Office Mode - gives the user an IP from an IP pool defined on each gateway
Visitor Mode - encapsulates the client traffic in TCP/443, for clients on networks that only allow that protocol
SSL clients (SNX) - to use them, Visitor Mode must be selected
SecuRemote does not support Office Mode
If the Mobile Access blade is activated, SNX must be reconfigured on the Mobile Access blade

*****Remote Access VPN (IKE)*****
Authentication timeout for SecuRemote/SecureClient - 1 day
Global Properties - Simplified mode or Traditional mode
Hub mode - route all client traffic through the gateway when connected
Desktop Security (desktop firewall policy) can be used by SecureClient

*****Route Based VPN (VTI)*****
VTI - Virtual Tunnel Interface
 - To enable dynamic routing on SPLAT run "pro enable" and reboot the gateway. Note: Dynamic Routing requires a license.
 - Global Properties -> Advanced -> Enable VPN Directional Match in VPN Column
 - Create a new empty group as the encryption domain in Topology (VPN Domain), so that routing, not the domain, decides what is encrypted
 - In the VPN policy (VPN Match Conditions) use the directional rules internal-clear -> RemoteAccess, RemoteAccess -> internal-clear and RemoteAccess -> RemoteAccess
!Use the VPN shell to set up the VTI interfaces (the peer name must match the gateway object name in SmartDashboard)
vpn shell
interface add numbered 10.20.50.2 10.20.60.1 Nugget-FW-B VTI2-B
show interface detailed all
!Routing daemon
cligated
enable
config
router ospf 1
router-id 192.168.2.10
network 10.20.60.1 0.0.0.0 area 0.0.0.0
redistribute direct
redistribute kernel
write
mem

*****Peer VPN's*****
With an Externally Managed gateway it is not possible to establish SIC; you choose the blades installed and define the Topology manually.
With an Externally Managed gateway it is possible to authenticate with certificates instead of pre-shared secrets; just import the peer's CA on both firewalls.

*****SCP on Splat*****
!Users allowed to use scp must be listed in /etc/scpusers
vi /etc/scpusers
admin
:wq!
scp filename admin@10.10.10.1:/var/backups/
!Adding a new admin (Gaia clish syntax). uid 0 makes the user root-equivalent, so give it only to real administrators.
add user NEWUSER uid 0 homedir /home/NEWUSER
set user NEWUSER gid 100 shell /bin/bash
set user NEWUSER password-hash $1$************
/ OR /
set user NEWUSER password
add rba user NEWUSER roles adminRole
save config

*****Smart Center Recovery*****
!Generate a cpinfo (available on management and gateways)
cpinfo -o nugget.cpinfo
!Important files
!All objects
more $FWDIR/conf/objects_5_0.C
!Policy rules
more $FWDIR/conf/rulebases_5_0.fws
!Local users, etc.
more $FWDIR/conf/fwauth.NDB
It is possible to recover a Management Server from the files above (the hostname of the new management must be the same as the old one). These files do not contain SIC or VPN info.
After deleting the rulebases file SmartDashboard looks broken, so also remove the files below (in $FWDIR/conf):
!Files that SmartDashboard depends on
rm -r applications.C
rm -r CPMILinksMgr.db
rm -r CPMILinksMgr.db.private
To rebuild the VPN (because of the IKE certificates), delete the gateways from the VPN communities and remove the VPN blade from the gateways.
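Added example for the cphaprob checks in the HA Cluster section (my own script, not a command from these notes): instead of eyeballing "cphaprob stat", parse it and fail unless exactly one member is Active and every other member is Standby. The two outputs embedded below are constructed; the column layout (Number, Unique Address, Assigned Load, State) is assumed to be the one ClusterXL prints.

```shell
#!/bin/sh
# Constructed "cphaprob stat" outputs (not captured from a real gateway).
SAMPLE_OK='Cluster Mode:   High Availability (Active Up) with IGMP Membership

Number     Unique Address  Assigned Load   State

1 (local)  10.0.0.1        100%            Active
2          10.0.0.2        0%              Standby
'

SAMPLE_BAD='Cluster Mode:   High Availability (Active Up) with IGMP Membership

Number     Unique Address  Assigned Load   State

1 (local)  10.0.0.1        100%            Active
2          10.0.0.2        0%              Down
'

# cluster_health: read cphaprob stat output on stdin, print each member's
# state, return 0 when healthy (one Active, all others Standby), 1 otherwise.
cluster_health() {
    awk '
        # member rows start with the member number; the state is the last field
        $1 ~ /^[0-9]+$/ {
            states[$1] = $NF
            if ($NF == "Active") active++
            else if ($NF != "Standby") bad++
        }
        END {
            for (m in states) printf "member %s: %s\n", m, states[m]
            if (active != 1 || bad > 0) exit 1
        }
    '
}

# On a real member this would be:  cphaprob stat | cluster_health
printf '%s' "$SAMPLE_OK"  | cluster_health && echo "cluster healthy"
printf '%s' "$SAMPLE_BAD" | cluster_health || echo "cluster NOT healthy: check cphaprob -a if and cphaprob -i list"
```

The non-zero exit status makes this usable from a monitoring script; a member that is Down, Ready or Initializing all count as unhealthy, and two Active members (a split brain, typically a CCP/sync network problem) fail the check as well.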
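Added example for the fwkern.conf step in the Cluster Trouble Shooting section (my own script, not from these notes): a helper that writes the parameter in the format the kernel loader reads at boot, parameter=value, and replaces an existing line instead of appending a duplicate. FWDIR is pointed at a scratch directory so it can be tried off-box; on a gateway FWDIR is already set in the expert shell and "fw ctl set int" applies the value to the running kernel.

```shell
#!/bin/sh
# Scratch stand-in for the real $FWDIR (assumption for the demo; on a gateway
# drop this line and use the FWDIR the expert shell already exports).
FWDIR=$(mktemp -d)
FWKERN="$FWDIR/boot/modules/fwkern.conf"

# persist_kernel_param NAME VALUE: set NAME=VALUE in fwkern.conf (idempotent)
persist_kernel_param() {
    name=$1
    value=$2
    mkdir -p "$(dirname "$FWKERN")"
    [ -f "$FWKERN" ] || : > "$FWKERN"
    if grep -q "^${name}=" "$FWKERN"; then
        # replace the existing line; go through a temp file (old SPLAT sed has no -i)
        awk -v n="$name" -v v="$value" -F= 'BEGIN { OFS = "=" } $1 == n { $2 = v } { print }' \
            "$FWKERN" > "$FWKERN.tmp" && mv "$FWKERN.tmp" "$FWKERN"
    else
        printf '%s=%s\n' "$name" "$value" >> "$FWKERN"
    fi
}

# read_kernel_param NAME: print the persisted value (empty if not set)
read_kernel_param() {
    awk -v n="$1" -F= '$1 == n { print $2 }' "$FWKERN"
}

persist_kernel_param fw_allow_simultaneous_ping 1
persist_kernel_param fw_allow_simultaneous_ping 0   # second call replaces, does not duplicate
echo "fwkern.conf now contains:"
cat "$FWKERN"
# On the gateway, apply the same value to the running kernel (not run here, needs fw):
#   fw ctl set int fw_allow_simultaneous_ping "$(read_kernel_param fw_allow_simultaneous_ping)"
```

Keeping the persisted and the live value in step matters after a failover: a member that was rebooted without the fwkern.conf entry comes back with the default and behaves differently from its peer.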
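Added example for the objects_5_0.C edit that follows in this recovery procedure (removing each gateway's :certificates section while keeping :certificate). Doing it by hand in vi on a large file is error-prone, so this script (mine, not from the notes) removes every ":certificates (" block by counting parentheses, so nested sub-blocks go with it. The sample object is constructed in the file's nested-paren style and is not a real export; always work on a copy of the file.

```shell
#!/bin/sh
# Constructed fragment in objects_5_0.C style (not a real export).
SAMPLE_OBJECTS='    : (Nugget-FW-B
        :AdminInfo (
            :chkpf_uid ("{00000000-0000-0000-0000-000000000001}")
        )
        :certificates (
            : (defaultCert
                :dn ("CN=Nugget-FW-B VPN Certificate (example),O=mgmt")
                :status (valid)
            )
        )
        :certificate ()
        :sic_name ("CN=Nugget-FW-B,O=mgmt")
    )
'

# strip_certificates_section: filter stdin -> stdout, dropping every
# ":certificates ( ... )" block but leaving ":certificate" lines alone.
strip_certificates_section() {
    awk '
        # start of a :certificates block (the trailing "s" keeps :certificate untouched)
        !skipping && $0 ~ /^[ \t]*:certificates[ \t]*\(/ { skipping = 1; depth = 0 }
        skipping {
            t = $0
            gsub(/"[^"]*"/, "", t)                        # parens inside quoted values do not count
            depth += gsub(/\(/, "(", t) - gsub(/\)/, ")", t)
            if (depth <= 0) skipping = 0                  # matching close paren reached
            next                                          # drop the line
        }
        { print }
    '
}

# On the management:  cp $FWDIR/conf/objects_5_0.C /var/tmp/objects_5_0.C.bak
#                     strip_certificates_section < /var/tmp/objects_5_0.C.bak > $FWDIR/conf/objects_5_0.C
printf '%s' "$SAMPLE_OBJECTS" | strip_certificates_section
```

The quoted-value handling matters: a certificate DN with parentheses in it would otherwise unbalance the count and either stop the block too early or swallow the rest of the object.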
!Look for :certificates and delete that whole section, but leave :certificate
vi objects_5_0.C
!Destroy the SIC certificates
fwm sic_reset
Run cpconfig and choose the Certificate Authority option (option 6 in these notes) to initialize the ICA.
The gateways will still show on the management that SIC is established, but Test SIC Status fails, so SIC has to be re-established with all gateways.

*****Disaster Recovery of Cluster Member*****
!To detach from the cluster: gateway -> more -> Detach from cluster
!How to check which management server the gateway belongs to
more $FWDIR/conf/masters
!Fetch the policy from the management (management IP as in the notes' lab)
fw fetch 10.1.1.1

*****Final Note*****
Backups folder: /var/CPbackup
!Check free memory
free
vmstat

*****CCSE Welcome R70 Update*****

*****Mgmt Portal*****
!Changing the shell of the admin user
chsh -s /bin/bash admin
The Management Portal is a web version of SmartDashboard running on port 4433; it is possible to create new rules and push them to the gateways.
!To stop and start the portal daemon
smartportalstop
smartportalstart
!Logs
more /opt/CPortal-R70/portal/log/cphttpd.elg
more /opt/CPortal-R70/portal/log/cpwmd.elg
!Most of the config is under
more /opt/CPortal-R70/portal/conf/cp_httpd_admin.conf

*****R70 Cluster*****
Default user/password for the CLI: admin/admin (change it at first login)
Negate Cell concept
ClusterXL modes: High Availability (New, Legacy), Load Sharing (Multicast, Unicast)
Sticky Decision Function

*****Command Line World Part 1*****
cpconfig to enable CoreXL
CoreXL with more than 8 cores: x_cores - 2 are available for firewall instances (the rest run the SND)
CoreXL with more than 4 cores: x_cores - 1 are available for firewall instances
!Get info on the distributed CPUs
[Expert@Fw-VSX-Internal1:0]# fw ctl multik stat
ID | Active | CPU  | Connections | Peak
----------------------------------------------
 0 | Yes    | 2-11 |           9 |   29
 1 | Yes    | 2-11 |          10 |   91
 2 | Yes    | 2-11 |           0 |   17
 3 | Yes    | 2-11 |           0 |   14
fw monitor -e "accept src=8.8.8.8;"
There are four inspection points when a packet passes through a Security Gateway:
 Before the FireWall Virtual Machine, in the inbound direction - Pre-Inbound - marked as i
 After the FireWall Virtual Machine, in the inbound direction - Post-Inbound - marked as I
 Before the FireWall Virtual Machine, in the outbound direction - Pre-Outbound - marked as o
 After the FireWall Virtual Machine, in the outbound direction - Post-Outbound - marked as O
Note: the direction (inbound/outbound) relates to each specific packet, not to the connection.
Let us examine a TCP handshake in the following topology:
[Source/Client] --- (eth1)[Security Gateway](eth2) --- [Destination/Server]
TCP SYN from [Source/Client] passes through Pre-Inbound and Post-Inbound on interface eth1
TCP SYN from [Source/Client] passes through Pre-Outbound and Post-Outbound on interface eth2
TCP SYN-ACK from [Destination/Server] passes through Pre-Inbound and Post-Inbound on interface eth2
TCP SYN-ACK from [Destination/Server] passes through Pre-Outbound and Post-Outbound on interface eth1
TCP ACK from [Source/Client] passes through Pre-Inbound and Post-Inbound on interface eth1
TCP ACK from [Source/Client] passes through Pre-Outbound and Post-Outbound on interface eth2
[Expert@HQ-FW:0]# fw monitor -e "accept src=10.2.101.254;"
monitor: getting filter (from command line)
monitor: compiling
monitorfilter: Compiled OK.
monitor: loading
monitor: monitoring (control-C to stop)
[vs_0][fw_0] eth2:i[84]: 10.2.101.254 -> 200.0.0.10 (ICMP) len=84 id=19180
ICMP: type=0 code=0 echo reply id=16974 seq=1
[vs_0][fw_0] eth2:I[84]: 10.2.101.254 -> 172.22.254.2 (ICMP) len=84 id=19180
ICMP: type=0 code=0 echo reply id=16974 seq=1
[vs_0][fw_0] eth0:o[84]: 10.2.101.254 -> 172.22.254.2 (ICMP) len=84 id=19180
ICMP: type=0 code=0 echo reply id=16974 seq=1
[vs_0][fw_0] eth0:O[84]: 10.2.101.254 -> 172.22.254.2 (ICMP) len=84 id=19180
ICMP: type=0 code=0 echo reply id=16974 seq=1
Note the destination changing between eth2:i and eth2:I (200.0.0.10 -> 172.22.254.2): the NAT rule is applied by the FireWall VM, so comparing the pre and post lines of the same packet shows exactly where translation happens.
[Expert@HQ-FW:0]# fw monitor -e "accept dst=10.2.101.254;"
monitor: getting filter (from command line)
monitor: compiling
monitorfilter: Compiled OK.
monitor: loading
monitor: monitoring (control-C to stop)
[vs_0][fw_0] eth0:i[84]: 172.22.254.2 -> 10.2.101.254 (ICMP) len=84 id=0
ICMP: type=8 code=0 echo request id=1614 seq=1
[vs_0][fw_0] eth0:I[84]: 172.22.254.2 -> 10.2.101.254 (ICMP) len=84 id=0
ICMP: type=8 code=0 echo request id=1614 seq=1
[vs_0][fw_0] eth2:o[84]: 172.22.254.2 -> 10.2.101.254 (ICMP) len=84 id=0
ICMP: type=8 code=0 echo request id=1614 seq=1
[vs_0][fw_0] eth2:O[84]: 200.0.0.10 -> 10.2.101.254 (ICMP) len=84 id=0
ICMP: type=8 code=0 echo request id=1614 seq=1
Here the source is translated on the way out, between eth2:o and eth2:O (172.22.254.2 -> 200.0.0.10).
Other key values: dport, sport
Capture everything and save the data into a file:
[Expert@HostName]# fw monitor -e "accept;" -o /var/log/fw_mon.cap
Capture everything except port X (both ports must differ from X; with "or" a packet would still be captured when only one of its ports is X):
[Expert@HostName]# fw monitor -e "((sport!=X) and (dport!=X)), accept;" -o /var/log/fw_mon.cap
In addition:
To specify the TCP protocol, you can explicitly use "tcp, accept;"
To specify the UDP protocol, you can explicitly use "udp, accept;"
To specify the ICMPv4 protocol, you can explicitly use "icmp, accept;" or "icmp4, accept;"
To specify the ICMPv6 protocol, you can explicitly use "icmp6, accept;"
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk30583

*****Command Line World Part 2*****
[Expert@HQ-FW:0]# tcpdump -s 320 -vv host 10.2.101.254
To capture all the bytes in a packet, specify a snaplen of 0 (-s 0).
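Added example for the fw monitor captures in Command Line World Part 1 (my own script, not from the notes or sk30583): two small filters that turn raw fw monitor output into the ordered list of inspection points a packet hit, and report at which transition the source or destination address was rewritten, i.e. where NAT was applied. The two captures embedded below are the echo reply and echo request lines from the notes; the field detection assumes the "ifname:point[len]:" token, with or without the [vs_0][fw_0] prefix seen in those captures.

```shell
#!/bin/sh
# Capture lines copied from the fw monitor outputs in these notes.
REPLY_CAPTURE='[vs_0][fw_0] eth2:i[84]: 10.2.101.254 -> 200.0.0.10 (ICMP) len=84 id=19180
ICMP: type=0 code=0 echo reply id=16974 seq=1
[vs_0][fw_0] eth2:I[84]: 10.2.101.254 -> 172.22.254.2 (ICMP) len=84 id=19180
ICMP: type=0 code=0 echo reply id=16974 seq=1
[vs_0][fw_0] eth0:o[84]: 10.2.101.254 -> 172.22.254.2 (ICMP) len=84 id=19180
ICMP: type=0 code=0 echo reply id=16974 seq=1
[vs_0][fw_0] eth0:O[84]: 10.2.101.254 -> 172.22.254.2 (ICMP) len=84 id=19180
ICMP: type=0 code=0 echo reply id=16974 seq=1'

REQUEST_CAPTURE='[vs_0][fw_0] eth0:i[84]: 172.22.254.2 -> 10.2.101.254 (ICMP) len=84 id=0
ICMP: type=8 code=0 echo request id=1614 seq=1
[vs_0][fw_0] eth0:I[84]: 172.22.254.2 -> 10.2.101.254 (ICMP) len=84 id=0
ICMP: type=8 code=0 echo request id=1614 seq=1
[vs_0][fw_0] eth2:o[84]: 172.22.254.2 -> 10.2.101.254 (ICMP) len=84 id=0
ICMP: type=8 code=0 echo request id=1614 seq=1
[vs_0][fw_0] eth2:O[84]: 200.0.0.10 -> 10.2.101.254 (ICMP) len=84 id=0
ICMP: type=8 code=0 echo request id=1614 seq=1'

# fw_monitor_path: print the ordered inspection points (ifname:i/I/o/O) on one line.
# The packet line is recognised by its "ifname:point[len]:" field; the ICMP/TCP
# detail lines that follow each packet carry no such field and are ignored.
fw_monitor_path() {
    awk '
        {
            for (k = 1; k <= NF; k++)
                if ($k ~ /^[A-Za-z0-9.]+:[iIoO]\[/) {
                    p = $k; sub(/\[.*/, "", p)
                    path = path (path == "" ? "" : " ") p
                    break
                }
        }
        END { print path }
    '
}

# fw_monitor_nat: one line per transition where src or dst changed between
# two consecutive inspection points, which is where the NAT rule was applied.
fw_monitor_nat() {
    awk '
        {
            p = ""
            for (k = 1; k <= NF; k++)
                if ($k ~ /^[A-Za-z0-9.]+:[iIoO]\[/) {
                    p = $k; sub(/\[.*/, "", p)
                    s = $(k + 1); d = $(k + 3)          # "src -> dst" follow the point field
                    break
                }
            if (p == "") next
            if (prev != "") {
                if (s != ps) printf "src rewritten between %s and %s: %s -> %s\n", prev, p, ps, s
                if (d != pd) printf "dst rewritten between %s and %s: %s -> %s\n", prev, p, pd, d
            }
            prev = p; ps = s; pd = d
        }
    '
}

# On a gateway:  fw monitor -e "accept host(10.2.101.254);" | fw_monitor_nat
echo "reply path:   $(printf '%s\n' "$REPLY_CAPTURE" | fw_monitor_path)"
printf '%s\n' "$REPLY_CAPTURE" | fw_monitor_nat
echo "request path: $(printf '%s\n' "$REQUEST_CAPTURE" | fw_monitor_path)"
printf '%s\n' "$REQUEST_CAPTURE" | fw_monitor_nat
```

The two results together tell the NAT story of the notes' lab: the request's source is hidden behind 200.0.0.10 between eth2:o and eth2:O, and the reply's destination is translated back between eth2:i and eth2:I. When a packet is missing from one side of a transition (e.g. seen at i but never at I) the firewall dropped it there, which narrows the search to the rule base or to anti-spoofing on that interface.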
[Expert@HQ-FW:0]# tcpdump host 10.2.101.254
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
21:33:04.433862 IP 172.22.254.2 > 10.2.101.254: ICMP echo request, id 24661, seq 1, length 64
21:33:04.437079 IP 10.2.101.254 > 172.22.254.2: ICMP echo reply, id 24661, seq 1, length 64
!Write the capture to a file, excluding the SSH session used to run it (options go before the filter expression)
[Expert@HQ-FW:0]# tcpdump -w file_output.pcap host 10.2.101.254 and not port 22
[Expert@HQ-FW:0]# time
real    0m0.000s
user    0m0.000s
sys     0m0.000s
[Expert@HQ-FW:0]# clock
Mon Jul 6 16:36:44 2015  -0.026311 seconds
[Expert@HQ-FW:0]# fw ver
This is Check Point's software version R77.20 - Build 221
[Expert@HQ-FW:0]# fw ver -k
This is Check Point's software version R77.20 - Build 221
kernel: R77.20 - Build 221
[Expert@HQ-FW:0]# fwm ver
This is not a Security Management Server station.

*****Smart Provisioning*****
It is possible to create profiles with DNS, Hosts, Domain Name, Routing, Interfaces and Backups and deploy them across the network.
Has most of the functions of SmartUpdate.
https://sc1.checkpoint.com/documents/R77/CP_R77_SmartProvisioning_WebAdmin/index.html

*****Smart Analyzer*****
Create a policy and install it. Automatic Reactions (block, send e-mail)

*****Smart Reporter*****
!Folder of reports, mail setup, Activity Log, sort parameters: Tools -> Options
Consolidation session
Standard reports (generated from the consolidation session) and Express reports (pulled from SmartView Monitor)
https://sc1.checkpoint.com/documents/R77/CP_R77_SmartReporter_WebAdminGuide/html_frameset.htm