Heres a few PIX commands that may come in useful. Performance / Usage sh mem Shows memory used and amount free sh cpu Shows % of CPU used sh perfmon Show the performance of various connections sh traffic Show the traffic stats sh resource usage system Shows the system utilization sh service-policy Shows the amount … Read more
This will show you the steps involved in exporting the settings of a Smart Centre Server for importing into a newly installed Smart Centre server, Download the upgrade_export utility and run it from $FWDIR/bin to export the config to a .tgz Transfer the tgz to another machine Uninstall all ngx packages and reboot Install new … Read more
Below are some of the various files and commands which you may find useful on a Check Point. Smart Centre Server $CPDIR/conf – Contains parts of the CPShared system * cp.license – license of machine * sic_cert.p12 – SIC certificate$FWDIR/lib – .def files which are used when the rulebase is complied into inspection code for … Read more
FW monitor is a great tool for troubleshooting traffic flow issues with your checkpoint. It works by using 4 inspection points, i – Pre Inbound I – Post Inbound o – Pre Outbound O – Post Outbound Examples fw monitor -e “accept dport=6000;” fw monitor -m iO -e ‘accept dport=80;’ fw monitor -e ‘accept dport;’ … Read more
When adding an authentication action to a rule there are 3 types, User Session Client User authentication works by intercepting connects going through the FW-1 and prompting the user for authentication. To do this the firewall has to modify the traffic, so this authentication type can only be used with FTP, HTTP, Telnet and RLOGIN. … Read more
There are many types of NAT in the land of Check Point. Here’s a quick overview, Static NAT – One to one translation Hide/Dynamic NAT – Allows you to NAT multiple IPs behind one IP/Interface Automatic NAT – Quick basic address NAT translation. Manual NAT – Allows greater flexibility over automatic NAT. Proxy ARP is … Read more
Introduction Client and Server side NAT relates to when we perform destination NAT`ing. The “Translate destination on Server side” option is an legacy option which was included due to pre NG versions of checkpoint using Server-Side NAT. Client Side NAT – The destination address is NAT`d by the inbound Kernel Server Side NAT – The … Read more
How do I configure proxy ARP on my SPLAT firewall ? There are 2 ways to get a packet to a firewall. A Route or a Proxy ARP. Using routes is the perferred method but it may be the case where you havent access to the routers and need to use Proxy ARP. Please note: … Read more
Introduction This is a guide on how to install a Free pix emulator / simulator onto a linux platform. You can also obtain the windows version, which you can find (along with other tutorials and forum) at the ariscahyadi blog. This software was written by mmm123, and is called PEMU, which is based on the … Read more
Below is an example of static NAT for FTP when using the outside interface with a DHCP address assigned to it. static (dmz,outside) tcp interface ftp 172.16.1.50 ftp netmask 255.255.255.255 static (dmz,outside) tcp interface ftp-data 172.16.1.50 ftp-data netmask 255.255.255.255
Nokia`s VRRP protocol allows for an active-standby firewall cluster. Nokia have added an extension to VRRP called VRRP monitored circuit which handles both total firewall failure as well as interface failures. Each virtual router uses a mac address of 00-00-5E-00-01-XX. XX being the Virtual Router ID (VRID).The multicast of 224.0.0.18 and IP protocol number 112 … Read more
When using a “inspect policy map” you need to add it to a “standard policy-map” to allow you to add it to the service policy.For each policy map there would be a class map, the inspect would match the FTP command, and then use the classmap “inspection-default” in the standard policy map. Running Config policy-map … Read more
Below shows the configuration syntax for configuring a Site to Site VPN on a Cisco PIX firewall. Configuration (config)#isakmp enable outside(config)#isakmp policy 10(config-isakmp-policy)# encryption aes-256(config-isakmp-policy)# hash sha(config-isakmp-policy)# authentication pre-share(config-isakmp-policy)# group 1(config-isakmp-policy)# lifetime 86400(config)#isakmp key shabba address 1.1.1.1 netmask 255.255.255.255 no-xauth(config)#access-list ED permit ip 172.16.1.0 255.255.255.0 172.16.5.0 255.255.255.0(config)#access-list nonat permit ip 172.16.1.0 255.255.255.0 172.16.5.0 255.255.255.0(config)#nat (inside) … Read more
Below shows 2 examples of a Remote Access configuration on version 6.x and 7.x of the Cisco PIX firewall. 6.x (config)#username 123 password 123(config)#isakmp enable outside(config)#ip local pool VPNIP 10.0.10.10-10.0.10.20 mask 255.255.255.0(config)#isakmp policy 1 authentication pre-share(config)#isakmp policy 1 encryption 3des(config)#isakmp policy 1 hash sha(config)#isakmp policy 1 group 2(config)#isakmp policy 1 lifetime 43200 (config)# crypto ipsec … Read more
Below are the steps involved in configuring protocol handling, Create the class-map – Tell the class-map which traffic to match Create Policy-map – Assign class-map to policy map. Tell the class-map what to do to the matched traffic Assign policy map globally or to interface Below will inspect http traffic on port 801 using, and … Read more
Below shows you the commands for creating a read only account on a Cisco PIX firewall. hostname(config)# username client password 123 privilege 5hostname(config)# privilege show level 5 command running-confighostname(config)# privilege show level 5 command startup-confighostname(config)# privilege show level 5 command access-listhostname(config)#aaa authentication ssh console LOCAL
If you need to view the logs on your pix, as you haven’t got a syslog server, or you haven’t got access to it, you can access the logs on the pix itself and grep your way through, by using and enabling the logging buffer. Below shows you how to enable and disable the logging … Read more
Below shows the required configuration commands for configuring AAA. Authentication Interactive user #(config) aaa-server <server name> protocol <tacacs/radius>#(config) aaa-server <server name> <interface> host <AAA server IP>#(config) aaa authentication include <https/https/ftp/telnet> inbound 0 0 0 0#(config) access-list 111 permit tcp any any eq ftp#(config) aaa authentication match 111 <interface> <AAA server name> Console Access #(config) aaa … Read more
Static To send all traffic to 192.168.0.1 out the outside interface.To send any traffic in 10.0.1.0/24 to 10.0.0.1 out the inside interface (config)#Route outside 0 0 192.168.0.1(config)#Route inside 10.0.1.0 255.255.255.0 10.0.0.1 RIP Allow RIP updates to be received on the outside interface with a key of cisco and id of 2.Pass RIP updates out the … Read more
Below shows you how to enable ASDM upon your PIX. First of all you will need to copy the ASDM image to you PIX firewall. I find the easiest way to do this is to enable scopy (scp) on your pix using the command ssh scopy enable. And then using the putty tool pscp to … Read more
Below shows you how to configure stateful LAN based failover. Primary (config)#interface eth0(config-if)#nameif inside(config-if)#ip add 10.1.1.10 255.255.255.0 standby 10.1.1.20 (config)#interface eth1(config-if)#no nameif(config-if)#no shut (config)#interface eth2(config-if)#no nameif(config-if)#no shut (config)#failover(config)#failover lan unit primary(config)#failover lan interface failover eth1(config)#failover lan enable(config)#failover key <key>(config)#failover link state eth2(config)#failover interface ip failover 172.16.50.10 255.255.255.0 standby 172.16.50.20(config)#failover interface ip state 172.16.51.10 255.255.255.0 standby … Read more
Below shows you the commands to enable SNMP (polls or traps) on PIX/ASA v7.x or later….. pix(config)# snmp-server host [interface_name] [ip_address] trap community [community string] pix(config)# snmp-server host [interface_name] [ip_address] poll community [community string]
Below shows you the necessary steps required to enable SSH on a PIX firewall, crypto key generate rsa modulus 1024ssh [ip] [mask] [interface]aaa authentication ssh console LOCALusername [username] password[password] privilege 15
Here is our hand-picked selection of the best courses you can find online:
Internet Security Deep Dive course
Complete Cyber Security Course – Hackers Exposed
CompTIA Security+ (SY0-601) Certification Complete course
and our recommended certification practice exams:
AlphaPrep Practice Tests - Free Trial