ClusterXL Active Attention / Interface Active Check Error

This article provides the troubleshooting steps for resolving the “Interface Active Check” error within ClusterXL. First you will spot that there is an error within ClusterXL using the following command: root@firewall # cphaprob stat Cluster Mode: Legacy High Availability (Active Up) Number Unique Address Assigned Load State 1 192.168.12.1 100% … Read more

How do I configure shared licensing on an ASA?

A shared license lets you purchase a large number of SSL VPN sessions and share them as needed amongst a group of security appliances, by configuring one of the appliances as a shared licensing server and the rest as shared licensing participants. Below are the steps to configure a shared license server. … Read more

NSM fails to update device but shows successful

Issue: When updating a device from the NSM, the Job Information dialog shows the update as successful. The Device Status shows as “In Sync”, but the device does not show the new configuration, and an additional Delta Config Summarization shows that the NSM configuration differs from that of the device. Cause: ScreenOS has a source/destination object … Read more

What is ASP and how do I troubleshoot ASP drops on an ASA?

What is the Accelerated Security Path? The Accelerated Security Path (ASP) on the ASA appliance comprises two components: the Fast Path and the Session Management Path. In addition to the Accelerated Security Path there is also the Control Plane Path, which is also covered below. The Session Management Path: When a new connection … Read more

Check Point Logging Troubleshooting Guide

Below are some basic guidelines for troubleshooting Check Point logging issues. Please note: this guide does not cover OPSEC LEA based issues. Please note: the FWD (Firewall Daemon) is responsible for sending and receiving the Check Point logs on port tcp/257. Logs being sent to the manager … Read more

Creating a VLAN Trunk on a Netscreen Firewall

Below shows the basic configuration for creating a VLAN trunk on a Netscreen firewall. A VLAN trunk is a term used to describe a collection of logical interfaces, each able to receive and decapsulate VLAN-tagged packets for its relevant VLAN. In this example our trunk will consist of 2 … Read more

How to reset a Netscreen back to factory default

In order to reset a Netscreen back to factory default you will first need to connect via the console connection, because you will lose IP connectivity once you reset the device's configuration. You will then need to obtain the device's serial number, either from the device itself or from the CLI: netscreen-> … Read more

Troubleshooting a Netscreen Site 2 Site VPN

In this example we will run through various steps to troubleshoot a site-to-site VPN. Confirm General Details: this gives us a general overview of our VPN. netscreen(M)-> get vpn Name Gateway Mode RPlay 1st Proposal Monitor Use Cnt Interface sitea_vpn sitea tunl Yes g2-esp-3des-sha … Read more

Configuring VPN Traffic Policing on an ASA

In this article we will show you how to set traffic policing on traffic which is traversing a VPN. Please note: the command usage changed between 8.0.4 and 8.2.1. When matching on a tunnel-group and policing at the same time you will also have to configure the match flow ip destination-address command to … Read more

ASA – Site to Site VPN Example

In this article I will show you how to configure a site-to-site VPN on an ASA. Also included in this example is a group-policy (named “GROUPPOLICY100”) with which we restrict access between the 2 endpoints to just tcp/80 traffic. Please note: this example presumes that you have already created the object groups for … Read more

Check Point Per User IP Assignment Using ipassignment.conf

In order to assign individual IPs and ranges to certain remote access users, Check Point provides a configuration file allowing you to configure your gateway as required. This configuration file is $FWDIR/conf/ipassignment.conf. In this article we will outline some of the possible gotchas and also run through the required steps. Within this example we will … Read more

Netscreen Command Library for ScreenOS 6.2

Below is the list of all the commands (including the hidden commands) from a Netscreen NS5GT running ScreenOS 6.2. set fips-mode enable set fips-mode self-test afterkeygen set fips-mode self-test interval set key protection enable set all set vendor-def set envar set clock dst-off set clock dst recurring start-weekday last end-weekday last set clock dst recurring … Read more

SmartView Monitor shows device status as Problem

Issue: Within SmartView Monitor you may find that the device status is shown as “Problem”, and SmartView Monitor gives no further details about what is causing the issue. Troubleshooting Steps: This article isn’t a solution to the issue but rather a pointer to a stepping stone for finding what … Read more

Check Point is changing SYN packets to ACKs ?

Issue: The initial SYN packets from your client to your server are translated by your firewall into ACK packets. This in turn prevents the initial 3-way handshake from establishing. Below shows an example. Inbound: 15:32:19.546115 I 10.1.1.1.12345 > 192.168.1.1.1111: S 2292544025:2292544025(0) win 49640 <mss 1460,nop,wscale 0,nop,nop,sackOK> (DF) 15:32:22.924625 I 10.1.1.1.12345 > 192.168.1.1.1111: S 2292544025:2292544025(0) win … Read more

Netscreen – Enabling OSPF

The Open Shortest Path First (OSPF) routing protocol is an Interior Gateway Protocol (IGP) intended to operate within a single Autonomous System (AS). A router running OSPF distributes its state information (such as usable interfaces and neighbor reachability) by periodically flooding link-state advertisements (LSAs) throughout the AS. Enabling OSPF on a VR: set vrouter trust-vr router-id … Read more

IPSO Configuration Sets

IPSO configuration sets allow you to change (or save) your system's complete current configuration, allowing you to choose the required configuration (set) of your firewall with a few simple commands. This is useful for importing configurations from other devices rather than setting up a box from scratch. Configuration Set directory: The active configuration file … Read more

Enabling RIP on a Netscreen

Routing Information Protocol (RIP) is a distance-vector protocol used as an Interior Gateway Protocol (IGP) in moderate-sized autonomous systems (AS). Enabling RIP on a VR and an interface: set vrouter trust-vr router-id 10 set vrouter trust-vr protocol rip set vrouter trust-vr protocol rip enable set interface trust protocol rip enable Advertise the default route: set … Read more

PIX / ASA – Display Encrypted Pre-Shared Keys.

To view your pre-shared keys on your PIX/ASA use the command `more system:running-config`. You can also view the pre-shared password with some versions of ASDM. Note that this reveals the key in clear text, so treat the output (and any terminal session logs) as sensitive. Below shows an example of the command. pixfirewall# show run ! tunnel-group mytunnel type ipsec-ra pre-shared-key * telnet timeout 5 Your preshared key ….. pixfirewall# more system:running-config ! … Read more

Netscreen – AC-VPN

AC-VPN (Auto-Connect VPN) works with a hub and spoke setup. Once static VPNs have been configured between all the spokes and the hub, AC-VPN and NHRP (Next Hop Resolution Protocol) are configured on each spoke and the hub. When traffic is initiated between 2 spokes the traffic is passed via the hub while a dynamic tunnel … Read more

Netscreen – VPN Topologies

Back to Back VPNs: Back to back VPNs allow you to create a tunnel from each spoke to the hub. The hub then has a policy to allow traffic from one tunnel to the next. You can either place each tunnel within its own zone and create a policy between each of the zones, … Read more

Netscreen `set arp always-on-dest` command

By default, Netscreen (ScreenOS versions 6.0.0 or below) will cache the source MAC address from the initial packet of a new session and then use this MAC address for the return traffic. This can cause problems with external routers running VRRP, where traffic is sent using a virtual IP but a physical MAC address … Read more

Netscreen – Overview of basic Traffic Shaping

There are 3 main types of traffic shaping on the Netscreen firewalls: interface-based traffic shaping, bandwidth-allocated shaping in policies, and priority-based traffic shaping in policies. Policy Based: Policing Bandwidth: traffic beyond this threshold is dropped at the ingress side of the security device. Guaranteed Bandwidth: traffic below this threshold will be passed with highest … Read more

Netscreen – IGMP / PIM-SM

Internet Group Management Protocol (IGMP) is the protocol that hosts and their adjacent multicast routers use to establish and manage membership of IP multicast groups. Multicast traffic is sent once to a single group address (and its corresponding multicast MAC address) and is forwarded by the local multicast router to every host that has joined the group. It can be effectively used for gaming and showing online … Read more

ASA – How do I enable Netflow on an ASA?

NetFlow is a network protocol developed by Cisco Systems to run on a range of network devices for collecting IP traffic information. Previously only Cisco IOS routers and the Cisco ASA 5580 supported NetFlow, but with the introduction of Cisco ASA software 8.2 the complete ASA family now supports NetFlow. There are 3 event … Read more

Netscreen – Redundant Interfaces – How to?

How to Configure a Redundant Interface: Below shows you how to configure redundant interfaces on a Netscreen firewall. In the example below all traffic will pass over eth1, and in the event of that link failing traffic will be sent across eth2. ns5gt-> set interface redundant1 zone inside ns5gt-> set interface redundant1 ip 10.1.1.20/24 … Read more

Netscreen – Virtual Systems / VSYS

Virtual systems allow you to divide your Netscreen firewall into multiple logical firewalls (domains). Each VSYS (Virtual System) has 3 components which can be shared; once shared they are available to other virtual systems or to the root system. The components are: Virtual Routers, Zones, Network Interfaces (Shared). How Virtual Systems work: There are 3 ways in which … Read more

Netscreen – NSRP

HA Setups: There are 3 main types of HA setup: Active/Passive – all traffic passes through the active node; in the event of failure the backup firewall is activated and traffic flow is resumed. Active/Active – both firewalls share the network load; in the event of failure all traffic is … Read more

Check Point Backups

Oversimplified Executive Summary: An upgrade_export contains just the Check Point configuration. A backup is an upgrade_export plus the SPLAT OS configuration. A snapshot is a backup plus binary files, both Check Point and SPLAT OS. As a general rule of thumb, if you're restoring on the same hardware a snapshot would be the easiest to use since … Read more

Netscreen – Rekeying a VPN / Clearing the SA`s

In order to rekey a Netscreen VPN you will need to clear either the phase 1 or the phase 2 “keys” from the gateway, phase 1 being the IKE cookies and phase 2 the SAs (Security Associations). To see an overview of your VPNs run the command `get vpn`. In order to find the current … Read more

Netscreen Attack Detection and Defense Overview

Below outlines Netscreen's Attack Detection and Defense. This is by no means a full guide but acts as a general summary of the various terms and technologies. SCREEN features: legacy security protection, such as against SYN, UDP and ICMP floods, port scans and certain OS-specific DoS attacks. Deep Inspection: allows for inspection at the application layer … Read more

Netscreen – Basic Remote Access (Dial up) VPN

Below will show how to create a basic Remote Access VPN using pre-shared keys. This guide presumes that you already have the Netscreen Remote VPN client installed on your local machine, and was created using the following software versions: ScreenOS 6.2.0r1.0; Netscreen Remote VPN Client 10.8.3 (Build 6). Below is an … Read more

Netscreen – Additional Site 2 Site VPN Options

VPN Monitoring: This allows you to ping an IP address through the tunnel. In the event of the tunnel going down an SNMP trap will be generated. The settings can be found under “VPNs > AutoKey IKE > Edit > Advanced > VPN Monitor“. The “rekey” option will cause the Netscreen to continuously try and … Read more

Netscreen – Creating a route based VPN.

Below shows you how to create a route-based VPN on a Netscreen firewall using the firewall's GUI. This tutorial was created using ScreenOS version 6.2.0r1.0. The encryption domain for this guide will be: Local Gateway: 1.1.1.1; Local Endpoint: 10.1.1.25/24; Remote Gateway: 192.168.1.107; Remote Endpoint: 172.28.16.0/24. Create Tunnel Interface … Read more

Shell Script – Check Point Backup

This script will determine which operating system is running and then back up the OS accordingly; once complete it will securely send the backup to the manager. The script is based on R65 and all backups will be sent to “/var/tmp/backups” on the manager. Each time the backup is run it will write a system log confirming whether … Read more

Backup / Restore a Juniper NSM

This article will show you how to back up and restore your Juniper NSM. This article was written using NSM version 2008.2r1. Within NSM the HighAvailSvr contains processes that run in both HA and non-HA mode and handles database backups and a watchdog daemon to restart NSM processes in case of failure. Backup: Even though you will … Read more

SmartView Monitor incorrectly shows status as Disconnected

Issue: SmartView Monitor shows the status of your gateway as “Disconnected”. It takes ages before your gateway shows as “Connected”. No AMON (Application Monitoring) packets (tcp/18192) are leaving the SmartCenter Server for the gateway. Solution: This can be down to issues within the database files for SmartView Monitor. Below will show you … Read more

Check Point Solaris – Wrapper completed with error code 239

Issue: On Solaris 8 or Solaris 9, installing a Check Point package fails with either: /var/opt/cp_tmp/CPsuite-R65/install/request: /var/opt/cp_tmp/CPsuite-R65/install/request: cannot open / pkgadd: ERROR: request script did not complete successfully / Installation of <CPsuite-R65> failed. or /opt/CPInstLog/Wrapper_R65.elg contains: [25/02 11:52:36] Installing “Primary SmartCenter” [25/02 11:52:55] Installing of “Primary SmartCenter” failed ! [25/02 11:52:57] Fail to install: Primary SmartCenter! See application usage format. [25/02 11:52:57] Wrapper … Read more

Netscreen – Track IP

IP tracking allows you to track the connectivity of critical IPs, letting you change your routing based on the connectivity of the configured IPs. There are 3 main points to Track IP: If a tracked IP becomes unreachable, the weight of the address is added to the overall failed address total. If the total … Read more

NSM – Delayed Logs

Issue: Logs received on the NSM are delayed by 6 minutes. The log viewer hangs for close to 6 minutes and then displays all the logs within a group. Also, today's log directory does not get created within /DevSvr/logs. Solution: The NSM device server does a log tuple repair for each log received from the … Read more

Check Point Upgrade to R70: status=1 Patch installation failed

Issue: When upgrading to R70 on SPLAT you may receive the following error: CPwrapper: Wrapper part one completed successfully, data saved Upgrading the operating system. Preparing to upgrade Check Point Products. status=1 Exiting .. Patch installation failed. Please note: this refers to an iso file which has been copied to the device and … Read more

Proxy ARP – SPLAT

This guide attempts to explain Proxy ARP on the Check Point SPLAT platform. 1. What is Proxy ARP? There are 2 ways to get a packet to a device: route the packet to the device, or add a proxy ARP entry so that the network host answers the ARP queries for IP addresses not … Read more

PIX – BGP Advanced Protocol Inspection

Summary: When passing BGP traffic through a PIX you will need to configure the PIX to disable TCP sequence number randomization, to prevent MD5 digest mismatches on either router (the BGP TCP MD5 signature covers the TCP sequence numbers, so rewriting them invalidates the digest). Please note: below presumes you already have a policy map defined with the name global_policy and that this has already been assigned to your device … Read more

Invalid MD5 digest – BGP Traffic Through Check Point

Issue: When allowing eBGP traffic through a Check Point firewall you may receive the following error message on your BGP-peered routers (this error may occur at the point of pushing a policy to your Check Point firewall): TCP-6-BADAUTH: Invalid MD5 digest from [Source IP]:[Source Port] to [Dest IP]:179 Solution: This is down to the … Read more
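To make the cause behind both of the BGP entries above concrete, here is an added Python example (written for this page, not code from either article or from Cisco/Check Point). It computes the RFC 2385 TCP MD5 signature option that BGP peers use and shows that a middlebox rewriting the TCP sequence number, which is what sequence-number randomization on a firewall does, invalidates the digest even though the payload and the shared key are untouched. The addresses, ports, shared key and the BGP KEEPALIVE payload are constructed for the example.

```python
import hashlib
import hmac
import socket
import struct

TCP_PROTO = 6
TCPOPT_MD5 = 19        # RFC 2385 TCP MD5 Signature Option kind
TCPOPT_MD5_LEN = 18    # kind + length + 16-byte digest
BGP_PORT = 179

# BGP KEEPALIVE: 16-byte all-ones marker, length 19, type 4 (constructed sample payload)
BGP_KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)


def pseudo_header(src_ip: str, dst_ip: str, segment_len: int) -> bytes:
    """RFC 2385 pseudo-header: src IP, dst IP, zero, protocol, TCP length (header incl. options + data)."""
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, TCP_PROTO, segment_len)


def tcp_md5(src_ip: str, dst_ip: str, fixed_hdr: bytes, segment_len: int, payload: bytes, key: bytes) -> bytes:
    """Digest over pseudo-header + 20-byte TCP header (checksum zeroed, options excluded) + data + key."""
    return hashlib.md5(pseudo_header(src_ip, dst_ip, segment_len) + fixed_hdr + payload + key).digest()


def build_signed_segment(src_ip, dst_ip, src_port, dst_port, seq, ack, flags, payload, key):
    """Build a TCP segment carrying an MD5 signature option, as a BGP speaker would."""
    options_len = TCPOPT_MD5_LEN + 2            # MD5 option + two NOPs pads to a 4-byte boundary
    data_offset = (20 + options_len) // 4       # header length in 32-bit words
    fixed_hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                            data_offset << 4, flags, 65535, 0, 0)   # checksum and urgent pointer zero
    digest = tcp_md5(src_ip, dst_ip, fixed_hdr, 20 + options_len + len(payload), payload, key)
    options = bytes([TCPOPT_MD5, TCPOPT_MD5_LEN]) + digest + b"\x01\x01"
    return fixed_hdr + options + payload


def extract_md5_option(segment: bytes):
    """Walk the TCP options and return the 16-byte digest from the MD5 option, or None."""
    header_len = (segment[12] >> 4) * 4
    i = 20
    while i < header_len:
        kind = segment[i]
        if kind == 0:                      # end of option list
            break
        if kind == 1:                      # NOP
            i += 1
            continue
        length = segment[i + 1]
        if length < 2:                     # malformed option; stop rather than loop forever
            break
        if kind == TCPOPT_MD5 and length == TCPOPT_MD5_LEN:
            return segment[i + 2:i + TCPOPT_MD5_LEN]
        i += length
    return None


def verify_signed_segment(src_ip: str, dst_ip: str, segment: bytes, key: bytes) -> bool:
    """What the receiving router does: recompute the digest and compare it to the option."""
    received = extract_md5_option(segment)
    if received is None:
        return False
    header_len = (segment[12] >> 4) * 4
    fixed_hdr = segment[:16] + b"\x00\x00" + segment[18:20]    # zero the checksum field
    payload = segment[header_len:]
    expected = tcp_md5(src_ip, dst_ip, fixed_hdr, len(segment), payload, key)
    return hmac.compare_digest(received, expected)


def randomize_isn(segment: bytes, new_seq: int) -> bytes:
    """Model a firewall rewriting the sequence number; it has no key, so it cannot re-sign."""
    return segment[:4] + struct.pack("!I", new_seq) + segment[8:]


if __name__ == "__main__":
    KEY = b"bgp-shared-secret"                 # assumed shared MD5 key
    seg = build_signed_segment("192.0.2.1", "198.51.100.1", 40000, BGP_PORT,
                               1000, 2000, 0x18, BGP_KEEPALIVE, KEY)
    print("direct:", verify_signed_segment("192.0.2.1", "198.51.100.1", seg, KEY))
    print("via randomizing firewall:",
          verify_signed_segment("192.0.2.1", "198.51.100.1", randomize_isn(seg, 0x1234ABCD), KEY))
```

The second verification fails for exactly the reason the routers log TCP-6-BADAUTH: the firewall cannot recompute the signature without the peers' key, so the only fix on the firewall side is to stop rewriting the sequence numbers for that flow.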

Netscreen – Routing Basics / Virtual Routers / PBR

Juniper introduced a new feature to the area of routing, called Virtual Routers. The model is: interfaces are bound to zones, and zones are bound to Virtual Routers. Virtual routers allow you to segment routing updates into and out of the firewall/router. Virtual Routers: There are 4 different types of routing tables that you can … Read more

Netscreen Syslog Logging Formats

Below are the 2 types of syslog message. This can be useful to quickly determine on an NSM whether the logs are coming via the NSM or directly from the firewall via syslog. Syslog from the Firewall: Mar 18 17:56:52 [FW IP] [FW NAME]: NetScreen device_id=netscreen2 [Root]system-notification-00257(traffic): start_time=”2009-03-18 16:07:06″ duration=0 policy_id=320001 service=msrpc Endpoint Mapper(tcp) proto=6 … Read more
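The key=value body of the firewall-originated format above is awkward to split with a naive whitespace tokenizer, because some values (service=msrpc Endpoint Mapper(tcp)) and some keys (src zone, dst zone) contain spaces. Below is an added Python parser for that direct-from-firewall format, written for this page rather than taken from the original article or from Juniper. The sample lines are constructed to match the format shown; the firewall IP and name, and the fields after proto=, are assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample lines in the direct-from-firewall format shown above.
# The firewall IP/name and the fields after proto= are assumed for the example.
SAMPLE_LINES = [
    'Mar 18 17:56:52 192.0.2.1 fw1: NetScreen device_id=netscreen2  '
    '[Root]system-notification-00257(traffic): start_time="2009-03-18 16:07:06" '
    'duration=0 policy_id=320001 service=msrpc Endpoint Mapper(tcp) proto=6 '
    'src zone=Untrust dst zone=Trust action=Deny sent=0 rcvd=0 '
    'src=203.0.113.7 dst=192.0.2.50 src_port=4123 dst_port=135 session_id=0 '
    'reason=Traffic Denied',
    'Mar 18 17:57:01 192.0.2.1 fw1: NetScreen device_id=netscreen2  '
    '[Root]system-notification-00257(traffic): start_time="2009-03-18 16:07:10" '
    'duration=12 policy_id=1 service=http proto=6 '
    'src zone=Trust dst zone=Untrust action=Permit sent=812 rcvd=5420 '
    'src=192.0.2.50 dst=198.51.100.9 src_port=51000 dst_port=80 session_id=18 '
    'reason=Close - TCP FIN',
    'Mar 18 17:57:05 192.0.2.1 fw1: last message repeated 2 times',   # not a NetScreen event
]

# Header: "<syslog ts> <ip> <name>: NetScreen device_id=<id>  [<vsys>]<type>-<id>(<category>): <body>"
_HEADER = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) '
    r'(?P<host>\S+) (?P<name>\S+): NetScreen device_id=(?P<device_id>\S+)\s+'
    r'\[(?P<vsys>[^\]]+)\](?P<msg_type>[a-z]+(?:-[a-z]+)*)-(?P<msg_id>\d{5})'
    r'\((?P<category>\w+)\): (?P<body>.*)$'
)

# Body: key=value pairs. A key may be two words ("src zone"); a value is either
# double-quoted or runs up to the next " key=" token, so embedded spaces survive.
_KV = re.compile(
    r'(?P<key>[A-Za-z_]\w*(?: [A-Za-z_]\w*)?)='
    r'(?P<val>"[^"]*"|[^=]*?)'
    r'(?=\s+[A-Za-z_]\w*(?: [A-Za-z_]\w*)?=|$)'
)


def parse_screenos_syslog(line: str) -> Optional[Dict[str, str]]:
    """Return header fields plus body fields as one flat dict, or None if not a NetScreen event."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    fields = {k: v for k, v in m.groupdict().items() if k != "body"}
    for kv in _KV.finditer(m.group("body")):
        val = kv.group("val")
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]                      # strip the quotes around start_time etc.
        fields[kv.group("key")] = val.strip()
    return fields


def denied_sessions(lines: List[str]) -> List[Tuple[str, str, int]]:
    """Pull (src, dst, dst_port) for every traffic event the firewall denied."""
    out = []
    for line in lines:
        ev = parse_screenos_syslog(line)
        if ev and ev["category"] == "traffic" and ev.get("action") == "Deny":
            out.append((ev["src"], ev["dst"], int(ev["dst_port"])))
    return out


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_screenos_syslog(line))
    print("denied:", denied_sessions(SAMPLE_LINES))
```

The message identifier (here 00257, a traffic log) and the vsys name come out of the header, so the same parser can be used to route non-traffic events (admin logins, configuration changes) to a different pipeline than session logs.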

Check Point: Migrate Provider-1 R55 CMA to R65 SmartCenter Server

Below are the steps required to migrate a Provider-1 CMA to a SmartCenter Server. This tutorial was based on exporting and migrating from R55 to R65 and involves the following steps: 1. Export the CMA on the Provider-1. 2. Import the CMA into SmartCenter. 3. Export and detach the license. 4. Update the SmartCenter object … Read more

Check Point – Provider-1 Export / Failed to export Error

Issue: When trying to run an upgrade_export from a Provider-1 you get the following error: Failed to export. Please close all Check Point clients. If the failure to export persists, stop all Check Point Services and run the upgrade_export command again. Solution: Note that the upgrade_export command is run from the $FWDIR/bin/upgrade_tools directory of the CMA. … Read more

NSM – Files and Folders

There are 3 areas within NSM: DevSvr, GuiSvr and HaSvr. The following files and paths are based on NSM 2008. Below shows the main path structure (Red Hat) and what each Server (Svr) does. /usr/netscreen/DevSvr/ – DevSvr – logging and the NSM database; /usr/netscreen/GuiSvr/ – GuiSvr – NSM GUI; /usr/netscreen/HaSvr/ – HaSvr – backups and high availability. … Read more
