You may find when you enable vistor mode on the Check Point object that the port is not listening when you run the command netstat -anp | grep vpnd | grep [your port] This can be down to one of the following : The devices management GUI is also listening on that port. For SPLAT … Read more
Below is an example of a basic configuration for an ASA 5505 Firewall. The main difference between the other ASAs is that with the 5505 you have 10 ports which are not assigned to their own bridge groups. So you need to configure you VLANs and then assign you ports to your VLANs. Please Notes … Read more
To debug VPND run the following command : vpn debug trunc To disable the debug run the commands : vpn debug off; vpn debug ikeoff To view the logs run the command : cd $FWDIR/log ; tail -f ike.elg vpnd.elg
When trying to add an LDAP server to your SmartCenter and then clicking on your Domain within the Users tab (located at the bottom) you may receive the error : Failed to bind to LDAP Server – wrong password or wrong dn. Solution Normally this is down to the wrong password or wrong … Read more
Once you have exhusted the cphaprob commands and packet captures have been run for port UDP/8116 all to no avail you may want to run a debug on ClusterXL. The steps are detailed below : Enable debugging fw ctl debug -xfw ctl debug -buf 4096fw ctl debug -m cluster allfw ctl kdebug-f > file_name.txt Disable … Read more
As you will have heard (and if not you will do soon) the new ASA 8.3 brings massive changes. The main change is the way in which the ASA handles NAT. Below provides a number of Auto NAT examples. Auto NAT is configured using the following steps: Create a network object. Within this object define … Read more
All “true” clusters require that certain attributes are syncronised. So that in the event of a failover the newly promoted node can continue where the other node left off. In order to ensure that the State Tables of all your nodes within your Check Point Cluster are syncronised you will need to check the #VALS … Read more
First of all check to see if the Connectra Plugin is installed. [[email protected]]# fwm verThis is Check Point SmartCenter Server NGX (R65) HFA_50, Hotfix 650 – Build 011Installed Plug-ins: Connectra NGX R62CM Uninstall To uninstall follow these steps : Run the plug in clean up ultility /opt/CPPIconnectra*R65/bin/plugin_preuninstall_verifier Then remove the package rpm -e CPPIconnectra-R65-00 Reboot … Read more
ClusterXL Check Point’s ClusterXL is a software-based Load Sharing and High Availability solution that distributes traffic between clusters of redundant Security Gateways High AvailabilityAllows for an Active-Standby setup were one node (Active) passes all the traffic. In the event of failure the Standby node will be promoted to the Active node. New Mode – Both … Read more
Within this example we will build a Route Based VPN between 2 SPLAT R65 NGX Check Point Firewalls. Static Routes will used to direct the traffic via the VPN Tunnel Interfaces. In this example both Firewalls are managed by the same manager. The gateways are : Site A – External 192.168.1.1 Inside 10.1.1.1 Site B … Read more
Below shows you the steps in order to create an SSL VPN on a Check Point Gateway : Create a new network object. This will be used as the remote users IP address. Name this “net_office-mode-IPs” Within the Check Point Object under Tolopogy > VPN Domain add your local domain. Within the Check Point Object … Read more
This example will show you how to create a certificate based VPN between 2 Check Point firewalls which are managed via different Smart Centre Servers. Please note that simplified mode VPN was used along with the Check Point version being R65. Site A Create VPN Community Within your Gateway Object add you local domain to … Read more
By default Client Authentication allows you to authenticate using HTTP (on port 900) or Telnet (on port 259). Both of which can pose security risks due to the username and passwords being sent un-encrypted. To secure Client Authenitcation follow the following steps : Change the following line in $FWDIR/conf/fwauthd.conf, 900 fwssd in.ahclientd wait 900 to … Read more
In order to to allow domain based objects through a Check Point firewall we need to understand how the domain objects actually work. When a packet hits a rule with a domain based object the Check Point does a reverse DNS looking up on the IP address against the domain object to see if they … Read more
Within the Cisco Adaptive Security Appliance Software Version 8.2(2) you may find that when you have a group-policy (vpn filter) applied to your tunnel group that some traffic is not being allowed through the VPN. This is a bug with 8.2(2), to resolve the issue you will need add the destination ports to the group-policies … Read more
What is EndPoint Connect ? Check Point`s Endpoint Connect software provides a number of client side security based features such as Anti-virus/Anti-spyware. Firewall/Email Protection, Program Control and Remote Access VPN. This document will only details and discuss the Remote Access VPN section of the Endpoint Connect Software. Note : This document will refer to the … Read more
When using the Check Point Web Visualization tool and trying to obtain the policy for a Cluster object you may receive one of the following errors/issues : The policy is saved as an .html file but it is only showing part of the policy. You receive one of the following errors when running the Web … Read more
Below shows you the required steps for running a packet capture on a SourceFire Sensor. Which Interfaces are Sniffing ? First of all we get a list of interfaces that is are sniffing for malicious traffic. Note : the fps normally relate to eth. Though you still use the fps reference within the tcpdump. ps … Read more
You may find when trying to download a file from your FTP server using Internet Explorer 6 with “Folder View Enabled” when using Passive FTP the file download transfer will fail after a short time period. This can be down to Internet Explorer sending TCP packets with sequence numbers which are outside that of the … Read more
If you are unable to clear the VPN SA`s using the “vpn tu” command you may want to try using the following commands vpn shell /show/tunnels/ike/peer/[remote gw ip] vpn shell /show/tunnels/ipsec/peer/[remote gw ip] vpn shell /tunnels/delete/IKE/peer/[remote gw ip] vpn shell /tunnels/delete/IPsec/peer/[remote gw ip] The reason to this can be down to a number of issues … Read more
When trying to establish a VPN tunnel you may find that the tunnel is built but you receive the error message : encryption failure: According to the policy the packet should not have been decrypted This can be down to either : Overlapping encryption domains for that of the local and remote endpoints. The local … Read more
This article will provide the required troubleshooting steps for resolving the issue of the “Interface Active Check” error within ClusterXL. First of all you spot there is an error within ClusterXL using the following command, [email protected] # cphaprob stat Cluster Mode: Legacy High Availability (Active Up) Number Unique Address Assigned Load State 1 192.168.12.1 100% … Read more
A shared license lets you purchase a large number of SSL VPN sessions and share the sessions as needed amongst a group of security appliances by configuring one of the security appliances as a shared licensing server, and the rest as shared licensing participants.Below shows the steps on how to configure a Shared License server. … Read more
Issue When updating a Device from the NSM the Job Information dialog shows as successful. The Device Status shows as “In Sync” but the device does not show the new configuration, and an additional Delta Config Summerization shows that the NSM configuration is different to that of the device. Cause ScreenOS has a source/destination object … Read more
What is the Accelerated Security Path ? The Accelerated Security Path (ASP) on the ASA appliance comprises of 2 components; The Fast Path and The Session Management Path. In addition to the Accelerated Security Paths there is also the Control Plane Path which is also covered below. The Session Management Path When a new connection … Read more
Below are some basic guidelines for troubleshooting Check Point Logging issues. Please note : This guide does not cover issues with any OPSEC LEA based issues. Please note : The FWD (Firewall Daemon) is responsible for sending and receiving the Check Point Logs on port tcp/257. {loadposition content_lock} logs being sent to the manager … Read more
Below shows you the basic configuration on how to create a VLAN trunk on a Netscreen Firewall. A VLAN trunk is a term used to describe a collection of logical interfaces, each one being able to receive and de-capsulate VLAN tagged packets for its relevant VLAN. In this example our trunk will consist of 2 … Read more
In order to reset a Netscreen back to factory default you will need to first connect via the console connection. This is because you will lose IP connectivity once you reset the devices configuration. You will then need to obtain the devices serial number from either of the device itself or from the CLI, netscreen-> … Read more
In this example we will run through various steps to troubleshoot a Site 2 Site VPN. Confirm General Details This will give us a general overview of our vpn. netscreen(M)-> get vpn Name Gateway Mode RPlay 1st Proposal Monitor Use Cnt Interface ————— ————— —- —– ——————– ——- ——- ———- sitea_vpn sitea tunl Yes g2-esp-3des-sha … Read more
In this article we will show you how to set traffic policing on traffic which is tranversing a VPN. Please Note : The command usage has changed from 8.0.4 to 8.2.1. When matching on a tunnel-group and policing at the same time you will have to also configure the match flow ip destination-address command to … Read more
In this article I will be showing you how to configure a Site 2 Site VPN on a ASA.Also included within this example is a group-policy (named “GROUPPOLICY100”) which we restrict access between the 2 endpoints to just tcp/80 traffic. Please Note : This example presumes that you have already created the object groups for … Read more
In order to assign individual IPs and ranges to certains remote access users, Check Point provides a configuration file allowing you to configure your gateway as required. This configuration file is : $FWDIR/conf/ipassignment.conf This article we will outline some of the possible gotcha`s and also run through the required steps. Within this example we will … Read more
Below is the list of all the commands (including the hidden commands) from a Netscreen NS5GT running ScreenOS 6.2. set fips-mode enable set fips-mode self-test afterkeygen set fips-mode self-test interval set key protection enable set all set vendor-def set envar set clock dst-off set clock dst recurring start-weekday last end-weekday last set clock dst recurring … Read more
Issue Within the Smartview Monitor you may find that the device status is shown as “Problem”. Within Smartview Monitor you are unable to find any further details for what is causing the issue. Troubleshooting Steps This article isn’t a solution to the issue but more of a pointer to a stepping stone on finding what … Read more
Issue The initial SYN packets from your client to your server are translated by your Firewall into ACK packets. This in turn prevents the initial 3 way handshake establishing. Below shows an example, Inbound 15:32:19.546115 I 10.1.1.1.12345 > 192.168.1.1.1111: S 2292544025:2292544025(0) win 49640 <mss 1460,nop,wscale 0,nop,nop,sackOK> (DF) 15:32:22.924625 I 10.1.1.1.12345 > 192.168.1.1.1111: S 2292544025:2292544025(0) win … Read more
The Open Shortest Path First (OSPF) routing protocol is an Interior Gateway rotocol (IGP) intended to operate within a single Autonomous System (AS). A router running OSPF distributes its state information (such as usable interfaces and neighbor reachability) by periodically flooding link-state advertisements (LSAs)throughout the AS. Enabling OSPF on a VR set vrouter trust-vr router-id … Read more
IPSO configuration sets allow you to change (or save) your systems complete current configuration. Allowing you to choose the required configuration (set) of your firewall with a few simple commands. This is useful for importing in configurations from other devices rather then setting up a box from scratch. Configuration Set directory The active configuration file … Read more
Routing Information Protocol (RIP) is a distance vector protocol used as an Interior Gateway Protocol (IGP) in moderate-sized autonomous systems (AS). Enabling RIP on a VR and an Interface set vrouter trust-vr router-id 10 set vrouter trust-vr protocol rip set vrouter trust-vr protocol rip enableset interface trust protocol rip enable Advertise the default route set … Read more
To allow you to view your preshared keys on your PIX ASA use the command `more system:running-config`. You can also view the preshared password with some versions of ASDM. Below shows the example of the command. pixfirewall# show run ! tunnel-group mytunnel type ipsec-rapre-shared-key * telnet timeout 5 Your preshared key ….. pixfirewall# more system:running-config! … Read more
AC-VPN Auto-connect VPN works with a hub and spoke setup. Once static VPNs have been configured between all the spokes and the hubs, AC-VPN and NHRP (Next Hop Routing Protocol) is configured on each spoke and the hub.When traffic is initiated between 2 spokes the traffic is passed via the hub while a dynamic tunnel … Read more
Back to Back VPNs Back to Back VPNs allow you to create a tunnel for each spoke to the hub. The hub will then have a policy to allow traffic from one tunnel to the next. You can either place each tunnel within its own zone and create a policy between each of the zones. … Read more
By default, Netscreen (ScreenOS versions 6.0.0 or below) will cache the source MAC address from the initial packet for a new session. It will then use this MAC address for the return traffic. This can cause problems with external routers running VRRP where traffic is sent using a Virtual IP but a physical MAC address … Read more
There are 3 main types of traffic shaping on the Netscreen firewalls. Interface Based traffic shaping. Bandwidth allocated shaping in policies. Priority based traffic shapping in policies. Policy Based Policing Bandwidth: Traffic beyond this threshold is dropped at the ingress side of the security device.Guaranteed Bandwidth: Traffic below this threshold will be passed with highest … Read more
Internet Group Management Protocol (IGMP) is a communication protocol that multicasts messages and information among all member devices in an IP multicast group. Traffic is sent to a single MAC address but is forwarded out (via the local multicast router) to multiple hosts via multicast. It can be effectively used for gaming and showing online … Read more
NetFlow is a network protocol developed by Cisco Systems to run on a range of network devices for collecting IP traffic information. Previously only Cisco IOS routers and the Cisco 5580 ASA supported Netflow. But now with the introduction of Cisco ASA software 8.2, the complete ASA family now supports Netflow. There are 3 event … Read more
How to Configure an Redundant Interface Below shows you how to configure redundant interfaces on a Netscreen firewall. In the example below all traffic will be passed over eth1, and in event of the link failing traffic will be sent across eth2. ns5gt-> set interface redundant1 zone inside ns5gt-> set interface redundant1 ip 10.1.1.20/24 … Read more
Virtual systems allow you to divide your Netscreen firewall into multiple logical firewalls (domains).Each VSYS (Virtual System) has 3 components which can be shared. Once shared they are available to other systems, virtual systems or root. The components are: Virtual Routers Zones Network Interfaces (Shared) How Virtual Systems work There are 3 ways in which … Read more
HA Setups There are 3 main types of HA setup, they are, Active / Passive – All traffic passes the active node. In the event of failure the backup firewall is activated, and traffic flow is resumed. Active / Active – Both Firewalls share the network load. In the event of failure all traffic is … Read more
Oversimplified Executive Summary -A upgrade_export contains just Check Point configuration -A backup is an upgrade_export plus SPLAT OS configuration -A snapshot is a backup plus binary files, both Check Point and SPLAT OS -As a general rule of thumb, if your restoring on the same hardware a snapshot would be the easiest to use since … Read more
In order to rekey a Netscreen VPN you will need to either clear the phase 1 or phase 2 “keys” from the gateway. Phase 1 being the IKE cookies and phase 2 being the SA`s (Security Association). To see an overview of your VPN`s run the command, `get vpn` In order to find the current … Read more
Here is our hand-picked selection of the best courses you can find online:
Internet Security Deep Dive course
Complete Cyber Security Course – Hackers Exposed
CompTIA Security+ (SY0-601) Certification Complete course
and our recommended certification practice exams:
AlphaPrep Practice Tests - Free Trial