Juniper SRX – Configuring PPPoE

Within this article the necessary steps required to configure PPPoE on the SRX platform are described. Note : This configuration is based upon a) the chap authentication method b) the outside/untrust interface being fe-0/0/7.0. Configuration Below shows the required configuration for PPPoE. set interfaces fe-0/0/7 unit 0 encapsulation ppp-over-ether set interfaces pp0 unit 0 ppp-options … Read more

Juniper SRX – DynDNS

As it stands Juniper SRX (version 11.1R1.10) only provides support for DynDNS (DDNS) via the use of an automation script. Configuration This script can be downloaded here. Once you have downloaded the script transfer it to the SRX directory /var/db/scripts/event/. Finally configure your SRX via the following commands : set system services apply-macro dyndns-client1 hostname XXX.dyndns.orgset … Read more

Troubleshooting a Site to Site VPN on a SRX Series Gateway

Within this article we will look at the various steps required in debugging a Site to Site VPN on an SRX series gateway. 1. Confirm Configuration First of all check the VPN configuration. This is also useful if and when you need to confirm the Phase 1 and Phase 2 parameter’s with the remote end. … Read more

SRX Dynamic VPN – No proposal chosen (14)

Issue When connecting trying to connect via Dynamic VPN your client displays the following error:         IKE Negotiations Failed Within the output of the IKE debug logs you see the following error: Jul 26 11:35:46 ike_st_i_n: Start, doi = 1, protocol = 1, code = No proposal chosen (14), spi[0..0] = 00000000 00000000 …, data[0..0] … Read more

Configure Global Explicit Deny on a SRX Series Gateway

To configure a global deny statement for all your policy entries the following commands are used. set groups global-policy security policies from-zone <*> to-zone <*> policy default-logdrop match source-address any set groups global-policy security policies from-zone <*> to-zone <*> policy default-logdrop match destination-address any set groups global-policy security policies from-zone <*> to-zone <*> policy default-logdrop … Read more

How do I enable Global Logging on a Juniper SRX ?

Below details the nessecary commands required to enable global logging on all security policies. set groups global-logging security policies from-zone <*> to-zone <*> policy <*> then log session-initset security policies apply-groups global-logging

How do I configure PMTU on a Juniper SRX series gateway ?

By default IPv4 Path MTU is enabled. However all PMTU options can be located under [set system internet-options ….]. [email protected]# set system internet-options ?Possible completions:+ apply-groups         Groups from which to inherit configuration data+ apply-groups-except  Don’t inherit configuration data from these groups  gre-path-mtu-discovery  Enable path MTU discovery for GRE tunnels> icmpv4-rate-limit    Rate-limiting parameters for ICMPv4 messages> … Read more

Juniper SRX – Securing Management Access

Within this article we will show the required commands to restrict and secure management access to your Juniper SRX series gateway. Note : The following syntax/configuration has been tested with a PPPoE setup. Configure Addresses First of all the addresses that are allowed management access to the device are configured. This also includes any DNS … Read more

Cisco ASA – HTTP Filtering – Example 3

This example will provide the required configuration to allow a single IP address access to TCP port 80 when the HTTP Host Header matches either or Note : In addition to the commands below you will also need to grant the relevant access via your interface based ACL`s. This is because your HTTP traffic … Read more

Juniper SRX – How to configure NTP

Below provides the basic commands for configuring the date, time and NTP on your Juniper SRX gateway. Configure the Time Zone system time-zone Europe/London Configure NTP set system ntp server preferset system ntp server system ntp server Set the Time/Date set date ntp Confirm [email protected]> show ntp statusstatus=0644 leap_none, sync_ntp, 4 … Read more

Juniper SRX – Destination NAT / Port Forwarding

Within this article destination NAT is configured to port forward traffic through to multiple servers based upon the destination port. This type of NAT configuration is equivalent to a ScreenOS VIP.  This example syntax is based upon the following setup :    –> –>   Configure Address Book First the real addresses … Read more

SRX VPN Issue: packet dropped, pak dropped since re-route failed

Issue VPN fails to route traffic through to the tunnel interface when using Route Based VPN upon a SRX platform. The following is observed : Both Phase 1 and Phase 2 is successfully establishing. Traffic is being received inbound from the Remote Peer and decypted successfully. Multiple VPN policies are assigned to a single tunnel … Read more

Cisco ASA 8.3 – No NAT / NAT Exemption

As we all know Cisco`s new ASA version 8.3 brings massive changes in NAT. This article describes and explains how NAT exemption (no NAT) is now configured. Below provides examples of both pre and post 8.3 no NAT configurations. Example Details Local LAN – Remote LAN – Traffic is arriving on the inside … Read more

Netscreen Traffic Reporting

Traffic reporting on the Juniper Netscreen can be achieved via a number of methods. Various tools and features are available such as the Netscreen Security Manager (NSM), 3rd Party applications along with numerous reporting features on the device itself. This article will look at how to create traffic reports by using just 1. a Netscreen … Read more

Upgrading a CheckPoint Manager from R65.4 to R7x

NGX R65 HFA40 is a standard HFA and can be installed both on Security Gateways and on SmartCenter servers. R65.4 is a Management-based package that in addition to NGX R65 HFA40, also contains various new features and plug-ins. Upgrading from R65.4 can present some significant issues, due the release being a dead end. You will … Read more

Upgrade/Install Check Point Solaris using only the iso file

When upgrading or installing Check Point on a Solaris platform rather then having to use the physical Check Point software CD, the following method allows you install/upgrade your Check Point software directly from the *.iso.  Steps 1. Copy the iso file to your firewall / manager2. Run the following commands lofiadm -a <path>/<filename>.iso /dev/lofi/1mount -F … Read more

Cisco ASA MPF URL Filtering

Within this tutorial will will look at 2 configuration examples in which we will use HTTP inspection within the Cisco ASA to allow access for certain hosts based on specific URL headers. EXAMPLE 1 This example will show the required syntax to allow access to for any host within the network HTTP … Read more

How do i include the cluster state within the ASA hostname ?

The prompt state command was introduced within 7.1. This short example shows you how to configure your ASA to include the cluster state within its name : cisco-firewall# config t cisco-firewall (config)# prompt hostname state  cisco-firewall/act(config)#

How to clear an ASA`s configuration

You may find that there is a time in which you haven’t got access via the standard ASAOS CLI to change, amend or edit your current configuration. In this example we will show you the steps required for removing the configuration via ROMMON mode. Here are the steps : 1. Reboot the device2. On boot … Read more

Check Point – A look at SecureID Files

In order to to enable SecureID authentication you will need to generate an ‘sdconf.rec’ file from your ACE SERVER.You will then need to copy this file to the the  ‘/var/ace‘ directory of your Check Point Firewall (if the directory does not exsist create one). At the point that your ACE SERVER and your ACE AGENT … Read more

ASA Capture Examples

Below are a couple of ASA caputre examples. This is meant for more of a copy and paste function then an overall capture tutorial. access-list based access-list capture1-acl permit ip host [ip] host [ip]capture capture1 type access-list capture1-acl interface [interface] host / port based capture capture2 [interface] match ip host [ip] host [ip]capture capture3 [interface] … Read more

Netscreen IPv6 Tunnel Guide

Below shows you the steps on how to configure a tunnel that will encapsulate your IPv6 traffic within an IPv4 tunnel. Please Note : Below uses the Zone Work which is the equivalent to Trust and contains eth1. Ethernet3 is the untrust interface. Enable IPv6 Add the following command and then reboot your device, set … Read more

Check Point Tool – dbdel ver3.1 is pleased to release dbdel ver3.1. This is basically a wrapper for Check Points existing dbver tool, but allows you to remove 100`s of Database Revisions with one simple command string. Unlike dbver where you have to add each database revision id. This allows you to add the amount your want to remove and … Read more

The Netscreen Proxy ID problem

A proxy-ID is used during phase 2 of Internet Key Exchange (IKE) Virtual Private Network (VPN) negotiations. Both ends of a VPN tunnel either have a proxy-ID manually configured (route-based VPN), or simply use a combination of source IP, destination IP and service in a tunnel policy. When phase 2 of IKE is negotiated, each … Read more

How do I create an IPSO backup via clish ?

The following will show you how to save a full IPSO backup via the clish CLI. This will backup all of the operating system configuration such as routes, proxy arps, interface settings etc. Backup  This will create a backup within the  /var/backup/ directory called ipso-backup_[date].tgz clish -c “set backup manual filename ipso-backup”clish -c “set backup … Read more

Change an IP address on a IPSO Nokia Firewall via clish

Below shows you the commands required to change the IP address of an interface within clish on a IPSO Nokia gateway, add interface eth1c0 address IP [NEW IP]/[NETMASK] delete interface eth1c0 address [OLD IP] set interface eth1 speed 100M duplex full active on set interface eth1c0 enable Below gives you an example : nokia-firewall[admin]# clish … Read more

Site 2 Site VPN Template

The main issue when creating a Site to Site VPN between parties is having the correct information on both sides. Below is a template for the information which is needed to build a VPN Site to2 Site tunnel. This template is designed to be copied and pasted and sent to the other parties. Please remember … Read more

A Quick Guide to Check Points OPSEC LEA

This guide will outline OPSEC LEA and how it works within a Check Point Infrastructure. What is OPSEC LEA ? The OPSEC LEA (Log Export API) provides the ability to pull logs from a Check Point device based on the OPSEC SDK. OPSEC LEA listens on port tcp/18184 on the device (OPSEC LEA Server) which … Read more

Endpoint Connect MEP Tutorial

This guide will explain the various steps required to set up Enpoint Connect using a Multiple Entry Point setup. Ok, so to start with Endpoint Connect is Check Points new Remote Access VPN Client other then SSL Network Extender is the only client supported on Windows 7 64-Bit. The main problem with SNX (SSL Network … Read more

Check Point Remote Access VPN Features

There are a number of Check Point Remote Access VPN terms and features. This guides attempts to explain them. Main Features Office ModeOffice mode allows your remote VPN user to receive an IP address designated by the Check Point Gateway, internal DHCP server or radius server. Visitor Mode Visitor Mode allows your VPN client to … Read more

Port not Listening when Check Points Vistor Mode is Enabled

You may find when you enable vistor mode on the Check Point object that the port is not listening when you run the command netstat -anp | grep vpnd | grep [your port] This can be down to one of the following : The devices management GUI is also listening on that port. For SPLAT … Read more

ASA 5505 Example Configuration

Below is an example of a basic configuration for an ASA 5505 Firewall. The main difference between the other ASAs is that with the 5505 you have 10 ports which are not assigned to their own bridge groups. So you need to configure you VLANs and then assign you ports to your VLANs. Please Notes … Read more

How do I debug VPND on Check Point ?

To debug VPND run the following command : vpn debug trunc To disable the debug run the commands : vpn debug off; vpn debug ikeoff To view the logs run the command : cd $FWDIR/log ; tail -f ike.elg vpnd.elg  

How do I debug ClusterXL at the Kernel level ?

Once you have exhusted the cphaprob commands and packet captures have been run for port UDP/8116 all to no avail you may want to run a debug on ClusterXL. The steps are detailed below : Enable debugging fw ctl debug -xfw ctl debug -buf 4096fw ctl debug -m cluster allfw ctl kdebug-f > file_name.txt Disable … Read more

ASA 8.3 – Auto NAT Examples

As you will have heard (and if not you will do soon) the new ASA 8.3 brings massive changes. The main change is the way in which the ASA handles NAT. Below provides a number of Auto NAT examples. Auto NAT is configured using the following steps: Create a network object. Within this object define … Read more

How can I check that my Check Point Cluster is in Sync ?

All “true” clusters require that certain attributes are syncronised. So that in the event of a failover the newly promoted node can continue where the other node left off. In order to ensure that the State Tables of all your nodes within your Check Point Cluster are syncronised you will need to check the #VALS … Read more

How do I Uninstall / Install the Connectra Plugin ?

First of all check to see if the Connectra Plugin is installed. [[email protected]]# fwm verThis is Check Point SmartCenter Server NGX (R65) HFA_50, Hotfix 650 – Build 011Installed Plug-ins: Connectra NGX R62CM Uninstall To uninstall follow these steps : Run the plug in clean up ultility /opt/CPPIconnectra*R65/bin/plugin_preuninstall_verifier Then remove the package rpm -e CPPIconnectra-R65-00 Reboot … Read more

Check Point Clustering

ClusterXL Check Point’s ClusterXL is a software-based Load Sharing and High Availability solution that distributes traffic between clusters of redundant Security Gateways High AvailabilityAllows for an Active-Standby setup were one node (Active) passes all the traffic. In the event of failure the Standby node will be promoted to the Active node. New Mode – Both … Read more

Create a Basic Route Based VPN between 2 Check Point Firewalls

Within this example we will build a Route Based VPN between 2 SPLAT R65 NGX Check Point Firewalls. Static Routes will used to direct the traffic via the VPN Tunnel Interfaces. In this example both Firewalls are managed by the same manager. The gateways are : Site A – External Inside Site B … Read more

How do I Create an SSL VPN on a Check Point Gateway ?

 Below shows you the steps in order to create an SSL VPN on a Check Point Gateway : Create a new network object. This will be used as the remote users IP address. Name this “net_office-mode-IPs” Within the Check Point Object under Tolopogy > VPN Domain add your local domain. Within the Check Point Object … Read more

Create Certificate Based Site to Site VPN between 2 Check Point Gateways

This example will show you how to create a certificate based VPN between 2 Check Point firewalls which are managed via different Smart Centre Servers. Please note that simplified mode VPN was used along with the Check Point version being R65. Site A Create VPN Community Within your Gateway Object add you local domain to … Read more

Securing Client Authentication on a Check Point Gateway

By default Client Authentication allows you to authenticate using HTTP (on port 900) or Telnet (on port 259). Both of which can pose security risks due to the username and passwords being sent un-encrypted. To secure Client Authenitcation follow the following steps : Change the following line in $FWDIR/conf/fwauthd.conf, 900     fwssd       in.ahclientd    wait    900 to … Read more

Allow Domain/DNS-based objects through Check Point Firewall

In order to to allow domain based objects through a Check Point firewall we need to understand how the domain objects actually work. When a packet hits a rule with a domain based object the Check Point does a reverse DNS looking up on the IP address against the domain object to see if they … Read more

ASA L2L VPN is not Passing Traffic when VPN Filter is Applied

Within the Cisco Adaptive Security Appliance Software Version 8.2(2) you may find that when you have a group-policy (vpn filter) applied to your tunnel group that some traffic is not being allowed through the VPN. This is a bug with 8.2(2), to resolve the issue you will need add the destination ports to the group-policies … Read more

Endpoint Connect Installation / Troubleshooting Guide

What is EndPoint Connect ? Check Point`s Endpoint Connect software provides a number of client side security based features such as Anti-virus/Anti-spyware. Firewall/Email Protection, Program Control and Remote Access VPN. This document will only details and discuss the Remote Access VPN section of the Endpoint Connect Software. Note : This document will refer to the … Read more

Check Point Web Visualization Only Provides Part of Policy

When using the Check Point Web Visualization tool and trying to obtain the policy for a Cluster object you may receive one of the following errors/issues : The policy is saved as an .html file but it is only showing part of the policy. You receive one of the following errors when running the Web … Read more

IE6 with Passive FTP: File download fails via Netscreen

You may find when trying to download a file from your FTP server using Internet Explorer 6 with “Folder View Enabled” when using Passive FTP the file download transfer will fail after a short time period. This can be down to Internet Explorer sending TCP packets with sequence numbers which are outside that of the … Read more

I am unable to clear the VPN SA`s using the vpn tu command

If you are unable to clear the VPN SA`s using the “vpn tu” command you may want to try using the following commands vpn shell /show/tunnels/ike/peer/[remote gw ip] vpn shell /show/tunnels/ipsec/peer/[remote gw ip] vpn shell /tunnels/delete/IKE/peer/[remote gw ip] vpn shell /tunnels/delete/IPsec/peer/[remote gw ip] The reason to this can be down to a number of issues … Read more

Want to become an IT Security expert?

Here is our hand-picked selection of the best courses you can find online:
Internet Security Deep Dive course
Complete Cyber Security Course – Hackers Exposed
CompTIA Security+ (SY0-601) Certification Complete course
and our recommended certification practice exams:
AlphaPrep Practice Tests - Free Trial