Port not Listening when Check Points Vistor Mode is Enabled

You may find when you enable vistor mode on the Check Point object that the port is not listening when you run the command netstat -anp | grep vpnd | grep [your port] This can be down to one of the following : The devices management GUI is also listening on that port. For SPLAT … Read more

ASA 5505 Example Configuration

Below is an example of a basic configuration for an ASA 5505 Firewall. The main difference between the other ASAs is that with the 5505 you have 10 ports which are not assigned to their own bridge groups. So you need to configure you VLANs and then assign you ports to your VLANs. Please Notes … Read more

How do I debug VPND on Check Point ?

To debug VPND run the following command : vpn debug trunc To disable the debug run the commands : vpn debug off; vpn debug ikeoff To view the logs run the command : cd $FWDIR/log ; tail -f ike.elg vpnd.elg  

How do I debug ClusterXL at the Kernel level ?

Once you have exhusted the cphaprob commands and packet captures have been run for port UDP/8116 all to no avail you may want to run a debug on ClusterXL. The steps are detailed below : Enable debugging fw ctl debug -xfw ctl debug -buf 4096fw ctl debug -m cluster allfw ctl kdebug-f > file_name.txt Disable … Read more

ASA 8.3 – Auto NAT Examples

As you will have heard (and if not you will do soon) the new ASA 8.3 brings massive changes. The main change is the way in which the ASA handles NAT. Below provides a number of Auto NAT examples. Auto NAT is configured using the following steps: Create a network object. Within this object define … Read more

How can I check that my Check Point Cluster is in Sync ?

All “true” clusters require that certain attributes are syncronised. So that in the event of a failover the newly promoted node can continue where the other node left off. In order to ensure that the State Tables of all your nodes within your Check Point Cluster are syncronised you will need to check the #VALS … Read more

How do I Uninstall / Install the Connectra Plugin ?

First of all check to see if the Connectra Plugin is installed. [[email protected]]# fwm verThis is Check Point SmartCenter Server NGX (R65) HFA_50, Hotfix 650 – Build 011Installed Plug-ins: Connectra NGX R62CM Uninstall To uninstall follow these steps : Run the plug in clean up ultility /opt/CPPIconnectra*R65/bin/plugin_preuninstall_verifier Then remove the package rpm -e CPPIconnectra-R65-00 Reboot … Read more

Check Point Clustering

ClusterXL Check Point’s ClusterXL is a software-based Load Sharing and High Availability solution that distributes traffic between clusters of redundant Security Gateways High AvailabilityAllows for an Active-Standby setup were one node (Active) passes all the traffic. In the event of failure the Standby node will be promoted to the Active node. New Mode – Both … Read more

Create a Basic Route Based VPN between 2 Check Point Firewalls

Within this example we will build a Route Based VPN between 2 SPLAT R65 NGX Check Point Firewalls. Static Routes will used to direct the traffic via the VPN Tunnel Interfaces. In this example both Firewalls are managed by the same manager. The gateways are : Site A – External Inside Site B … Read more

How do I Create an SSL VPN on a Check Point Gateway ?

 Below shows you the steps in order to create an SSL VPN on a Check Point Gateway : Create a new network object. This will be used as the remote users IP address. Name this “net_office-mode-IPs” Within the Check Point Object under Tolopogy > VPN Domain add your local domain. Within the Check Point Object … Read more

Create Certificate Based Site to Site VPN between 2 Check Point Gateways

This example will show you how to create a certificate based VPN between 2 Check Point firewalls which are managed via different Smart Centre Servers. Please note that simplified mode VPN was used along with the Check Point version being R65. Site A Create VPN Community Within your Gateway Object add you local domain to … Read more

Securing Client Authentication on a Check Point Gateway

By default Client Authentication allows you to authenticate using HTTP (on port 900) or Telnet (on port 259). Both of which can pose security risks due to the username and passwords being sent un-encrypted. To secure Client Authenitcation follow the following steps : Change the following line in $FWDIR/conf/fwauthd.conf, 900     fwssd       in.ahclientd    wait    900 to … Read more

Allow Domain/DNS-based objects through Check Point Firewall

In order to to allow domain based objects through a Check Point firewall we need to understand how the domain objects actually work. When a packet hits a rule with a domain based object the Check Point does a reverse DNS looking up on the IP address against the domain object to see if they … Read more

ASA L2L VPN is not Passing Traffic when VPN Filter is Applied

Within the Cisco Adaptive Security Appliance Software Version 8.2(2) you may find that when you have a group-policy (vpn filter) applied to your tunnel group that some traffic is not being allowed through the VPN. This is a bug with 8.2(2), to resolve the issue you will need add the destination ports to the group-policies … Read more

Endpoint Connect Installation / Troubleshooting Guide

What is EndPoint Connect ? Check Point`s Endpoint Connect software provides a number of client side security based features such as Anti-virus/Anti-spyware. Firewall/Email Protection, Program Control and Remote Access VPN. This document will only details and discuss the Remote Access VPN section of the Endpoint Connect Software. Note : This document will refer to the … Read more

Check Point Web Visualization Only Provides Part of Policy

When using the Check Point Web Visualization tool and trying to obtain the policy for a Cluster object you may receive one of the following errors/issues : The policy is saved as an .html file but it is only showing part of the policy. You receive one of the following errors when running the Web … Read more

Running a packet capture on a SourceFire Sensor

Below shows you the required steps for running a packet capture on a SourceFire Sensor. Which Interfaces are Sniffing ? First of all we get a list of interfaces that is are sniffing for malicious traffic. Note : the fps normally relate to eth. Though you still use the fps reference within the tcpdump. ps … Read more

IE6 with Passive FTP: File download fails via Netscreen

You may find when trying to download a file from your FTP server using Internet Explorer 6 with “Folder View Enabled” when using Passive FTP the file download transfer will fail after a short time period. This can be down to Internet Explorer sending TCP packets with sequence numbers which are outside that of the … Read more

I am unable to clear the VPN SA`s using the vpn tu command

If you are unable to clear the VPN SA`s using the “vpn tu” command you may want to try using the following commands vpn shell /show/tunnels/ike/peer/[remote gw ip] vpn shell /show/tunnels/ipsec/peer/[remote gw ip] vpn shell /tunnels/delete/IKE/peer/[remote gw ip] vpn shell /tunnels/delete/IPsec/peer/[remote gw ip] The reason to this can be down to a number of issues … Read more

ClusterXL Active Attention / Interface Active Check Error

This article will provide the required troubleshooting steps for resolving the issue of the “Interface Active Check” error within ClusterXL. First of all you spot there is an error within ClusterXL using the following command, [email protected] # cphaprob stat Cluster Mode:   Legacy High Availability (Active Up) Number     Unique Address  Assigned Load   State 1   100%            … Read more

How do I configure shared licensing on an ASA ?

A shared license lets you purchase a large number of SSL VPN sessions and share the sessions as needed amongst a group of security appliances by configuring one of the security appliances as a shared licensing server, and the rest as shared licensing participants.Below shows the steps on how to configure a Shared License server. … Read more

NSM fails to update device but shows successful

Issue When updating a Device from the NSM the Job Information dialog shows as successful. The Device Status shows as “In Sync” but the device does not show the new configuration, and an additional Delta Config Summerization shows that the NSM configuration is different to that of the device. Cause ScreenOS has a source/destination object … Read more

What is ASP and how do I troubleshoot ASP drops on an ASA ?

What is the Accelerated Security Path ? The Accelerated Security Path (ASP) on the ASA appliance comprises of 2 components; The Fast Path and The Session Management Path. In addition to the Accelerated Security Paths there is also the Control Plane Path which is also covered below. The Session Management Path When a new connection … Read more

Check Point Logging Troubleshooting Guide

Below are some basic guidelines for troubleshooting Check Point Logging issues. Please note : This guide does not cover issues with any OPSEC LEA based issues. Please note : The FWD (Firewall Daemon) is responsible for sending and receiving the Check Point Logs on port tcp/257. {loadposition content_lock}   logs being sent to the manager … Read more

Creating a VLAN Trunk on a Netscreen Firewall

Below shows you the basic configuration on how to create a VLAN trunk on a Netscreen Firewall. A VLAN trunk is a term used to describe a collection of logical interfaces, each one being able to receive and de-capsulate VLAN tagged packets for its relevant VLAN. In this example our trunk will consist of 2 … Read more

How to reset a Netscreen back to factory default

In order to reset a Netscreen back to factory default you will need to first connect via the console connection. This is because you will lose IP connectivity once you reset the devices configuration. You will then need to obtain the devices serial number from either of the device itself or from the CLI, netscreen-> … Read more

Troubleshooting a Netscreen Site 2 Site VPN

In this example we will run through various steps to troubleshoot a Site 2 Site VPN. Confirm General Details This will give us a general overview of our vpn. netscreen(M)-> get vpn Name            Gateway         Mode RPlay 1st Proposal         Monitor Use Cnt Interface ————— ————— —- —– ——————– ——- ——- ———- sitea_vpn   sitea       tunl Yes   g2-esp-3des-sha      … Read more

Configuring VPN Traffic Policing on an ASA

In this article we will show you how to set traffic policing on traffic which is tranversing a VPN. Please Note : The command usage has changed from 8.0.4 to 8.2.1. When matching on a tunnel-group and policing at the same time you will have to also configure the match flow ip destination-address command to … Read more

ASA – Site to Site VPN Example

In this article I will be showing you how to configure a Site 2 Site VPN on a ASA.Also included within this example is a group-policy (named “GROUPPOLICY100”) which we restrict access between the 2 endpoints to just tcp/80 traffic. Please Note : This example presumes that you have already created the object groups for … Read more

Check Point Per User IP Assignment Using ipassignment.conf

In order to assign individual IPs and ranges to certains remote access users, Check Point provides a configuration file allowing you to configure your gateway as required. This configuration file is : $FWDIR/conf/ipassignment.conf This article we will outline some of the possible gotcha`s and also run through the required steps. Within this example we will … Read more

Netscreen Command Library for ScreenOS 6.2

Below is the list of all the commands (including the hidden commands) from a Netscreen NS5GT running ScreenOS 6.2. set fips-mode enable set fips-mode self-test afterkeygen set fips-mode self-test interval set key protection enable set all set vendor-def set envar set clock dst-off set clock dst recurring start-weekday last end-weekday last set clock dst recurring … Read more

SmartView Monitor shows device status as Problem

Issue Within the Smartview Monitor you may find that the device status is shown as “Problem”. Within Smartview Monitor you are unable to find any further details for what is causing the issue. Troubleshooting Steps This article isn’t a solution to the issue but more of a pointer to a stepping stone on finding what … Read more

Check Point is changing SYN packets to ACKs ?

Issue The initial SYN packets from your client to your server are  translated by your Firewall into ACK packets. This in turn  prevents the initial 3 way handshake establishing. Below shows an example, Inbound 15:32:19.546115 I > S 2292544025:2292544025(0) win 49640 <mss 1460,nop,wscale 0,nop,nop,sackOK> (DF) 15:32:22.924625 I > S 2292544025:2292544025(0) win … Read more

Netscreen – Enabling OSPF

The Open Shortest Path First (OSPF) routing protocol is an Interior Gateway rotocol (IGP) intended to operate within a single Autonomous System (AS). A router running OSPF distributes its state information (such as usable interfaces and neighbor reachability) by periodically flooding link-state advertisements (LSAs)throughout the AS. Enabling OSPF on a VR set vrouter trust-vr router-id … Read more

IPSO Configuration Sets

IPSO configuration sets allow you to change (or save) your systems complete current configuration. Allowing you to choose the required configuration (set) of your firewall with a few simple commands. This is useful for importing in configurations from other devices rather then setting up a box from scratch. Configuration Set directory The active configuration file … Read more

Enabling RIP on a Netscreen

Routing Information Protocol (RIP) is a distance vector protocol used as an Interior Gateway Protocol (IGP) in moderate-sized autonomous systems (AS). Enabling RIP on a VR and an Interface set vrouter trust-vr router-id 10 set vrouter trust-vr protocol rip set vrouter trust-vr protocol rip enableset interface trust protocol rip enable Advertise the default route set … Read more

PIX / ASA – Display Encrypted Pre-Shared Keys.

To allow you to view your preshared keys on your PIX ASA use the command `more system:running-config`.  You can also view the preshared password with some versions of ASDM. Below shows the example of the command. pixfirewall# show run ! tunnel-group mytunnel type ipsec-rapre-shared-key * telnet timeout 5 Your preshared key ….. pixfirewall# more system:running-config! … Read more

Netscreen – AC-VPN

AC-VPN Auto-connect VPN works with a hub and spoke setup. Once static VPNs have been configured between all the spokes and the hubs, AC-VPN and NHRP (Next Hop Routing Protocol) is configured on each spoke and the hub.When traffic is initiated between 2 spokes the traffic is passed via the hub while a dynamic tunnel … Read more

Netscreen – VPN Topologies

Back to Back VPNs Back to Back VPNs allow you to create a tunnel for each spoke to the hub. The hub will then have a policy to allow traffic from one tunnel to the next. You can either place each tunnel within its own zone and create a policy between each of the zones. … Read more

Netscreen `set arp always-on-dest` command

By default, Netscreen (ScreenOS versions 6.0.0 or below) will cache the source MAC address from the initial packet for a new session. It will then use this MAC address for the return traffic. This can cause problems with external routers running VRRP where traffic is sent using a Virtual IP but a physical MAC address … Read more

Netscreen – Overview of basic Traffic Shaping

There are 3 main types of traffic shaping on the Netscreen firewalls. Interface Based traffic shaping. Bandwidth allocated shaping in policies. Priority based traffic shapping in policies. Policy Based Policing Bandwidth: Traffic beyond this threshold is dropped at the ingress side of the security device.Guaranteed Bandwidth: Traffic below this threshold will be passed with highest … Read more

Netscreen – IGMP / PIM-SM

Internet Group Management Protocol (IGMP) is a communication protocol that multicasts messages and information among all member devices in an IP multicast group. Traffic is sent to a single MAC address but is forwarded out (via the local multicast router) to multiple hosts via multicast. It can be effectively used for gaming and showing online … Read more

ASA – How do I enable Netflow on an ASA?

NetFlow is a network protocol developed by Cisco Systems to run on a range of network devices for collecting IP traffic information. Previously only Cisco IOS routers and the Cisco 5580 ASA supported Netflow. But now with the introduction of Cisco ASA software 8.2, the complete ASA family now supports Netflow. There are 3 event … Read more

Netscreen – Redundant Interfaces – How to ??

  How to Configure an Redundant Interface Below shows you how to configure redundant interfaces on a Netscreen firewall. In the example below all traffic will be passed over eth1, and in event of the link failing traffic will be sent across eth2. ns5gt-> set interface redundant1 zone inside ns5gt-> set interface redundant1 ip … Read more

Netscreen – Virtual Systems / VSYS

Virtual systems allow you to divide your Netscreen firewall into multiple logical firewalls (domains).Each VSYS (Virtual System) has 3 components which can be shared. Once shared they are available to other systems, virtual systems or root. The components are: Virtual Routers Zones Network Interfaces (Shared) How Virtual Systems work There are 3 ways in which … Read more

Netscreen – NSRP

HA Setups There are 3 main types of HA setup, they are, Active / Passive – All traffic passes the active node. In the event of failure the backup firewall is activated, and traffic flow is resumed. Active / Active – Both Firewalls share the network load. In the event of failure all traffic is … Read more

Check Point Backups

Oversimplified Executive Summary -A upgrade_export contains just Check Point configuration -A backup is an upgrade_export plus SPLAT OS configuration -A snapshot is a backup plus binary files, both Check Point and SPLAT OS -As a general rule of thumb, if your restoring on the same hardware a snapshot would be the easiest to use since … Read more

Netscreen – Rekeying a VPN / Clearing the SA`s

In order to rekey a Netscreen VPN you will need to either clear the phase 1 or phase 2 “keys” from the gateway. Phase 1 being the IKE cookies and phase 2 being the SA`s (Security Association). To see an overview of your VPN`s run the command, `get vpn` In order to find the current … Read more

Want to become an IT Security expert?

Here is our hand-picked selection of the best courses you can find online:
Internet Security Deep Dive course
Complete Cyber Security Course – Hackers Exposed
CompTIA Security+ (SY0-601) Certification Complete course
and our recommended certification practice exams:
AlphaPrep Practice Tests - Free Trial