How do I upgrade a Juniper SRX Series gateway

Within this tutorial we will be providing the steps required to upgrade your Juniper SRX firewall. Copy Image First of all we copy the image over to the SRX via the use of scp. In this case I have used PuTTY's pscp. C:\Windows\System32>pscp "C:\Users\admin\Downloads\junos-srxsme-11.4R1.6-domestic.tgz" root@[SRX IP]:/mfs Confirm Hash Next we confirm that the file is … Read more

Cisco ASA – How do I capture ARPs?

Below shows the necessary commands to capture ARP packets on a Cisco ASA Firewall.

Syntax
ASA(config)# capture arp ethernet-type arp interface dmz

Display
ASA(config)# show capture arp
2 packets captured
13:12:23.478229 arp who-has 10.1.1.1 tell 10.1.1.100
13:12:26.784194 arp who-has 10.1.1.1 tell 10.1.1.100
2 packets shown

Juniper SRX – Configuring Source NAT with pool

Below provides a short guide to configuring source NAT with an address pool on a Juniper SRX. The following example creates a pool with a 10.1.1.0/24 network. This pool of addresses is then used during the translation of source addresses. In addition to the pool we also configure the following options: set address-persistent – this … Read more

Running a packet capture on a Juniper SRX

Within this article we show you the required steps for obtaining a packet capture on your SRX series firewall. Note : Great care should be taken when applying captures to ensure that only the traffic that you want to capture is defined within the firewall filter. This is to prevent any unnecessary load being placed … Read more

How to define a port range on a Juniper SRX

To create a range of ports within the SRX the following command is used. This example creates an application object named UDP-PORT-RANGE with a UDP port range of 5000-6999. set applications application UDP-PORT-RANGE protocol udp destination-port 5000-6999 Once created you can then add this to a group. This group can then be added to the necessary … Read more

Mitigating DoS attacks on a Cisco ASA

Within this example we will configure modular policy framework to define a range of connection limits. This provides a basic means of protecting your environment against DoS attacks. Define Traffic First of all we define which traffic the MPF policy will be applied to. In the example below we exclude the host 8.8.8.8 whilst inspecting … Read more

How do I clear the Cisco ASA connection counters ?

Being that this command is slightly obscure I thought it was worth documenting. To clear the Cisco ASA connection counter the following command is used. cisco-asa(config)# clear resource usage resource conns

Cisco ASA: Traffic blocked when TCP syslog server is unreachable

Issue When the transport mechanism TCP is configured for Syslog (trap logging) and the Cisco ASA is unable to reach the designated syslog server, the security appliance will prevent any further new network sessions. Solution In order to ensure that the status of a TCP-based syslog server is irrelevant to new sessions the following command … Read more

Juniper SRX – Configuring PPPoE

Within this article the necessary steps required to configure PPPoE on the SRX platform are described. Note : This configuration is based upon a) the chap authentication method b) the outside/untrust interface being fe-0/0/7.0. Configuration Below shows the required configuration for PPPoE. set interfaces fe-0/0/7 unit 0 encapsulation ppp-over-ether set interfaces pp0 unit 0 ppp-options … Read more

Juniper SRX – DynDNS

As it stands Juniper SRX (version 11.1R1.10) only provides support for DynDNS (DDNS) via the use of an automation script. Configuration This script can be downloaded here. Once you have downloaded the script transfer it to the SRX directory /var/db/scripts/event/. Finally configure your SRX via the following commands : set system services apply-macro dyndns-client1 hostname XXX.dyndns.org set … Read more

Troubleshooting a Site to Site VPN on a SRX Series Gateway

Within this article we will look at the various steps required in debugging a Site to Site VPN on an SRX series gateway. 1. Confirm Configuration First of all check the VPN configuration. This is also useful if and when you need to confirm the Phase 1 and Phase 2 parameters with the remote end. … Read more

SRX Dynamic VPN – No proposal chosen (14)

Issue When trying to connect via Dynamic VPN your client displays the following error: IKE Negotiations Failed Within the output of the IKE debug logs you see the following error: Jul 26 11:35:46 ike_st_i_n: Start, doi = 1, protocol = 1, code = No proposal chosen (14), spi[0..0] = 00000000 00000000 …, data[0..0] … Read more

Configure Global Explicit Deny on a SRX Series Gateway

To configure a global deny statement for all your policy entries the following commands are used. set groups global-policy security policies from-zone <*> to-zone <*> policy default-logdrop match source-address any set groups global-policy security policies from-zone <*> to-zone <*> policy default-logdrop match destination-address any set groups global-policy security policies from-zone <*> to-zone <*> policy default-logdrop … Read more

How do I enable Global Logging on a Juniper SRX ?

Below details the necessary commands required to enable global logging on all security policies.
set groups global-logging security policies from-zone <*> to-zone <*> policy <*> then log session-init
set security policies apply-groups global-logging

How do I configure PMTU on a Juniper SRX series gateway ?

By default IPv4 Path MTU is enabled. However all PMTU options can be located under [set system internet-options ….].

root@srx100# set system internet-options ?
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  gre-path-mtu-discovery  Enable path MTU discovery for GRE tunnels
> icmpv4-rate-limit    Rate-limiting parameters for ICMPv4 messages
> … Read more

Juniper SRX – Securing Management Access

Within this article we will show the required commands to restrict and secure management access to your Juniper SRX series gateway. Note : The following syntax/configuration has been tested with a PPPoE setup. Configure Addresses First of all the addresses that are allowed management access to the device are configured. This also includes any DNS … Read more

Cisco ASA – HTTP Filtering – Example 3

This example will provide the required configuration to allow a single IP address access to TCP port 80 when the HTTP Host Header matches either EXAMPLE1.DOMAIN.net or EXAMPLE2.DOMAIN.net. Note : In addition to the commands below you will also need to grant the relevant access via your interface based ACLs. This is because your HTTP traffic … Read more

Juniper SRX – How to configure NTP

Below provides the basic commands for configuring the date, time and NTP on your Juniper SRX gateway.
Configure the Time Zone
set system time-zone Europe/London
Configure NTP
set system ntp server 0.uk.pool.ntp.org prefer
set system ntp server 1.uk.pool.ntp.org
set system ntp server 2.uk.pool.ntp.org
Set the Time/Date
set date ntp 0.uk.pool.ntp.org
Confirm
user@switch> show ntp status
status=0644 leap_none, sync_ntp, 4 … Read more

Juniper SRX – Destination NAT / Port Forwarding

Within this article destination NAT is configured to port forward traffic through to multiple servers based upon the destination port. This type of NAT configuration is equivalent to a ScreenOS VIP. This example syntax is based upon the following setup :
172.16.1.2:2222 –> 192.168.1.5:22
172.16.1.2:3389 –> 192.168.1.6:3389
Configure Address Book First the real addresses … Read more

SRX VPN Issue: packet dropped, pak dropped since re-route failed

Issue VPN fails to route traffic through to the tunnel interface when using Route Based VPN upon a SRX platform. The following is observed : Both Phase 1 and Phase 2 are successfully establishing. Traffic is being received inbound from the Remote Peer and decrypted successfully. Multiple VPN policies are assigned to a single tunnel … Read more

Cisco ASA 8.3 – No NAT / NAT Exemption

As we all know Cisco's new ASA version 8.3 brings massive changes in NAT. This article describes and explains how NAT exemption (no NAT) is now configured. Below provides examples of both pre and post 8.3 no NAT configurations. Example Details Local LAN – 192.168.0.0/24 Remote LAN – 172.168.0.0/24 Traffic is arriving on the inside … Read more

Netscreen Traffic Reporting

Traffic reporting on the Juniper Netscreen can be achieved via a number of methods. Various tools and features are available such as the Netscreen Security Manager (NSM), 3rd Party applications along with numerous reporting features on the device itself. This article will look at how to create traffic reports by using just 1. a Netscreen … Read more

Upgrading a CheckPoint Manager from R65.4 to R7x

NGX R65 HFA40 is a standard HFA and can be installed both on Security Gateways and on SmartCenter servers. R65.4 is a Management-based package that in addition to NGX R65 HFA40, also contains various new features and plug-ins. Upgrading from R65.4 can present some significant issues, due to the release being a dead end. You will … Read more

Upgrade/Install Check Point Solaris using only the iso file

When upgrading or installing Check Point on a Solaris platform, rather than having to use the physical Check Point software CD, the following method allows you to install/upgrade your Check Point software directly from the *.iso.
Steps
1. Copy the iso file to your firewall / manager
2. Run the following commands
lofiadm -a <path>/<filename>.iso /dev/lofi/1
mount -F … Read more

Cisco ASA MPF URL Filtering

Within this tutorial we will look at 2 configuration examples in which we will use HTTP inspection within the Cisco ASA to allow access for certain hosts based on specific URL headers. EXAMPLE 1 This example will show the required syntax to allow access to yahoo.com for any host within the network 10.1.1.0 255.255.0.0. HTTP … Read more

Cisco IPS v6 Risk Ratings

The Cisco IPS Sensor generates risk ratings that are assigned to alerts, which provide the administrator with an indication of the severity of the alert. There are six values which are used in the calculation of the Risk Rating : ASR (Attack severity rating) TVR (Target Value Rating) SFR (Signature fidelity Rating) ARR (Attack relevancy rating) … Read more

Configuring the Cisco IDS Router / Switch Modules

IDSM-2 The IDSM-2 Module is a Cisco IDS blade for the Cisco 6500 switch. Once you install the module into the switch the module uses the following logical ports : Port 1 Used for TCP Resets (In Promiscuous Mode) Port 2 Command and Control Port 7 Sensing Port Port 8 Sensing Port Below details the steps required … Read more

Cisco IDS Re-imaging Procedures

There are a number of reasons or circumstances where you may need to rebuild your Cisco IDS. Rebuilding refers to the reinstallation of the application software. This will, though, mean that all of your configuration changes will be wiped, apart from your management configuration when reimaging your sensor via the CLI. There are 3 ways … Read more

Digital Certificates vs Digital Signatures

Digital Signatures A Digital Signature is a method to ensure data authenticity. A digital signature is created by generating a hash (message digest) against the data and then encrypting this digest using the cryptography (public or private) key. This signature is then appended to the data. Once the recipient has received the data + signature … Read more

How do I restore a CS-MARS device from its Archive ?

This article provides the steps required for restoring a CS-MARS configuration (incidents, events, configuration etc) to another CS-MARS device whilst maintaining the device's original IP settings. The following steps are based on restoring an archive from a device which is the same model and is also running the same software version. NFS Ensure that … Read more

How do I include the cluster state within the ASA hostname ?

The prompt state command was introduced within 7.1. This short example shows you how to configure your ASA to include the cluster state within its name : cisco-firewall# config t cisco-firewall (config)# prompt hostname state  cisco-firewall/act(config)#

Types of IDS Alerts

There are 4 main types of IDS alerts. These are :  True Positive Bad traffic which triggers an alert.  False Positive Good traffic which triggers an alert. False Negative Bad traffic, but no alert is raised. True Negative Good traffic, and no alert is raised.

How to create a CS-MARS Inspection Rule

Within CS-MARS there are 2 types of rules. Inspection Rules and Drop Rules. Inspection Rules allow you to trigger events based on certain triggers such as keywords, source, destination etc. Drop rule is an exception rule which MARS uses to ignore a behaviour that would otherwise trigger an event. In this example we will configure … Read more

What are horizontal or vertical scans ?

Horizontal Scan A horizontal scan is described as a scan against a group of IPs for a single port. Vertical Scan A vertical scan is described as a single IP being scanned for multiple ports. Box Scanning A combination of both vertical and horizontal scans.

What is an XML Firewall ?

Web services rely on the transfer of XML data. This poses a threat from the point of view that every packet possible could be malicious. Hackers may send SOAP (Simple Object Access Protocol) packets containing executable messages, crafted windows/SQL executables within XML packets or even initiate a XDoS (XML DoS attack). As the name suggested … Read more

Installing Cisco MARS 6.0.7 onto VMware

Below shows you the steps required to install Cisco MARS 6.0.7 onto VMware. !! This is purely a proof of concept and we do not endorse the use of the steps below in any environment (or situation) !! Steps : First of all download the recovery ISO from Cisco for CS MARS 6.0.7. Download the … Read more

How to clear an ASA's configuration

You may find that there is a time in which you haven’t got access via the standard ASAOS CLI to change, amend or edit your current configuration. In this example we will show you the steps required for removing the configuration via ROMMON mode. Here are the steps :
1. Reboot the device
2. On boot … Read more

Check Point – A look at SecureID Files

In order to enable SecureID authentication you will need to generate an ‘sdconf.rec’ file from your ACE SERVER. You will then need to copy this file to the ‘/var/ace‘ directory of your Check Point Firewall (if the directory does not exist create one). At the point that your ACE SERVER and your ACE AGENT … Read more

ASA Capture Examples

Below are a couple of ASA capture examples. This is meant for more of a copy and paste function than an overall capture tutorial.
access-list based
access-list capture1-acl permit ip host [ip] host [ip]
capture capture1 type access-list capture1-acl interface [interface]
host / port based
capture capture2 [interface] match ip host [ip] host [ip]
capture capture3 [interface] … Read more

Netscreen IPv6 Tunnel Guide

Below shows you the steps on how to configure a tunnel that will encapsulate your IPv6 traffic within an IPv4 tunnel. Please Note : Below uses the Zone Work which is the equivalent to Trust and contains eth1. Ethernet3 is the untrust interface. Enable IPv6 Add the following command and then reboot your device, set … Read more

Check Point Tool – dbdel ver3.1

Fir3net.com is pleased to release dbdel ver3.1. This is basically a wrapper for Check Point's existing dbver tool, but allows you to remove 100s of Database Revisions with one simple command string. Unlike dbver where you have to add each database revision id. This allows you to add the amount you want to remove and … Read more

The Netscreen Proxy ID problem

A proxy-ID is used during phase 2 of Internet Key Exchange (IKE) Virtual Private Network (VPN) negotiations. Both ends of a VPN tunnel either have a proxy-ID manually configured (route-based VPN), or simply use a combination of source IP, destination IP and service in a tunnel policy. When phase 2 of IKE is negotiated, each … Read more

How do I create an IPSO backup via clish ?

The following will show you how to save a full IPSO backup via the clish CLI. This will backup all of the operating system configuration such as routes, proxy arps, interface settings etc. Backup This will create a backup within the /var/backup/ directory called ipso-backup_[date].tgz
clish -c "set backup manual filename ipso-backup"
clish -c "set backup … Read more

Change an IP address on a IPSO Nokia Firewall via clish

Below shows you the commands required to change the IP address of an interface within clish on a IPSO Nokia gateway, add interface eth1c0 address IP [NEW IP]/[NETMASK] delete interface eth1c0 address [OLD IP] set interface eth1 speed 100M duplex full active on set interface eth1c0 enable Below gives you an example : nokia-firewall[admin]# clish … Read more

Site 2 Site VPN Template

The main issue when creating a Site to Site VPN between parties is having the correct information on both sides. Below is a template for the information which is needed to build a Site to Site VPN tunnel. This template is designed to be copied and pasted and sent to the other parties. Please remember … Read more

A Quick Guide to Check Point's OPSEC LEA

This guide will outline OPSEC LEA and how it works within a Check Point Infrastructure. What is OPSEC LEA ? The OPSEC LEA (Log Export API) provides the ability to pull logs from a Check Point device based on the OPSEC SDK. OPSEC LEA listens on port tcp/18184 on the device (OPSEC LEA Server) which … Read more

Endpoint Connect MEP Tutorial

This guide will explain the various steps required to set up Endpoint Connect using a Multiple Entry Point setup. Ok, so to start with, Endpoint Connect is Check Point's new Remote Access VPN Client which, other than SSL Network Extender, is the only client supported on Windows 7 64-Bit. The main problem with SNX (SSL Network … Read more

Check Point Remote Access VPN Features

There are a number of Check Point Remote Access VPN terms and features. This guide attempts to explain them. Main Features Office Mode Office mode allows your remote VPN user to receive an IP address designated by the Check Point Gateway, internal DHCP server or radius server. Visitor Mode Visitor Mode allows your VPN client to … Read more
