Netscreen Attack Detection and Defense Overview

Below outlines Netcreens Attack Detection and Defense. This is by no means a full guide by acts as a general summary to the various terms and technologies. SCREEN Features legacy security protection, such as SYN, UDP and ICMP floods, Port scans and certain OS-specific DoS attacks. Deep Inspection Allows for inspection at the application layer … Read more

Netscreen – Basic Remote Access (Dial up) VPN

Below will show how to create a basic Remote Access VPN using Pre Shared Keys. This guide presumes that you already have the Netscren Remote VPN Client installed onto your local machine and was created using the following software versions : ScreenOS – 6.2.0r1.0 Netscren Remote VPN Client – 10.8.3 (Build 6) Below is an … Read more

Netscreen – Additional Site 2 Site VPN Options

VPN Monitoring This allows you to ping an IP address through the tunnel. In the event of the tunnel going down a SNMP trap will be generated. The settings can be found under “VPNs > AutoKey IKE > Edit > Advanced > VPN Monitor“. The “rekey” option will cause the Netscreen to continuously try and … Read more

Netscreen – Creating a route based VPN.

Below shows you how to create a route based vpn upon a Netscreen firewall using the firewalls gui interface. This tutorial was created using the ScreenOS version 6.2.0r1.0. The encryption domain for this guide will be, Local Gateway : Local Endpoint : Remote Gateway : Remote Endpoint : Create Tunnel Interface … Read more

Shell Script – Check Point Backup

This script will determine which operating system is running then backup the OS accordingly, once complete it will securely send it to the manager. The script is based on R65 and all backups will be sent to “/var/tmp/backups” on the manager. Each time the backup is run it will write a system log confirming if … Read more

Backup / Restore a Juniper NSM

This article will show you how to backup and restore your Juniper NSM. This article was written using NSM version 2008.2r1.Within NSM the HighAvailSvr contains processes that run in both HA and non-HA mode and handles database backups and a watchdog daemon to restart NSM processes in case of failure. Backup Even though you will … Read more

SmartView Monitor incorrectly shows status as Disconnected

Issue The SmartView Monitor shows the status of your gateway as “Disconnected”. It takes for ages before your gateway shows as “Connected. No AMON (Application Monitoring) packets (tcp/18192) are leaving the SmartCentre Server for the gateway. Solution This can be down to issues within the Database files for the SmartView Monitor. Below will show you … Read more

Messaging Security Threats

SPAM Spam continues to be the major threat affecting email systems today. The term Spam is used to define junk email messages that are usually sent out in high volumes to thousands of users at a time. SPAM Invasion Below contains some examples of some HTML-based filter evasion tactics, Tiny or invisible text that is … Read more

Check Point Solaris – Wrapper completed with error code 239

Issue On Solaris 8 or Solaris 9, installing Check Point package fails with either : /var/opt/cp_tmp/CPsuite-R65/install/request: /var/opt/cp_tmp/CPsuite-R65/install/request: cannot openpkgadd: ERROR: request script did not complete successfullyInstallation of <CPsuite-R65> failed. or /opt/CPInstLog/Wrapper_R65.elg contains[25/02 11:52:36]  Installing “Primary SmartCenter”[25/02 11:52:55]  Installing of “Primary SmartCenter” failed ![25/02 11:52:57]  Fail to install: Primary SmartCenter! See application usage format.[25/02 11:52:57]  Wrapper … Read more

Netscreen – Track IP

IP tracking allows you to track the connectivity of critical IP`s.This allows you to change your routing based on the connectivity of configured IP`s. There are 3 main points to Track IP :  If a Tracked IP becomes unreachable, the weight of the address is added to the overall failed address total. If the total … Read more

NSM – Delayed Logs

Issue Logs received on the NSM are delayed by 6 minutes. The log viewer hangs for close to 6 minutes and then displays all the logs within a group. Also today`s log directory does not get created within /DevSvr/logs.  Solution The NSM device server does a log tuple repair for each log received from the … Read more

NSM – Delayed Logs

Issue Logs received on the NSM are delayed by 6 minutes. The log viewer hangs for close to 6 minutes and then displays all the logs within a group. Also today`s log directory does not get created within /DevSvr/logs.  Solution The NSM device server does a log tuple repair for each log received from the … Read more

Check Point Upgrade to R70: status=1 Patch installation failed

Issue When upgrading to R70 on SPLAT you may receive the following error, CPwrapper: Wrapper part one completed successfully, data saved Upgrading the operating system. Preparing to upgrade Check Point Products. status=1 Exiting .. Patch installation failed. Please Note : This refers to a copied iso file which has been copied to the device and … Read more


This guide attempts to explain Proxy ARP upon the Check Point SPLAT platform. 1. What is Proxy ARP ? There are 2 ways to get a packet to a device. Route the packet to the device. Add a proxy ARP entry so that the network host answers to the ARP queries for IP addresses not … Read more

PIX – BGP Advanced Protocol Inspection

Summary When passing BGP traffic through a PIX you will need to configure the PIX to disable random sequence numbers to prevent MD5 Digest mismatches on either router. Please Note : Below presumes you all ready have a policy map defined with the name of global_policy and this has already been assigned to your device … Read more

Invalid MD5 digest – BGP Traffic Through Check Point

Issue When allowing eBGP traffic through a Check Point Firewall you may receive the following error message on your BGP peered routers. (This error may occur at the point of pushing a policy to your Check Point Firewall), TCP-6-BADAUTH: Invalid MD5 digest from [Source IP]:[Source Port] to [Dest IP]:179 Solution This is down to the … Read more

Netscreen – Routing Basics / Virtual Routers / PBR

Juniper introduces a new feature to the area of routing, called Virtual Routers. The model consists of: interfaces are applied to zones and zones are applied to Virtual Routers. Virtual routers allow for you to segment routing updates in and from the firewall/router. Virtual RoutersThere are 4 different types of routing tables that you can … Read more

Netscreen Syslog Logging Formats

Below are the 2 types of syslog messages. This can be useful to quickly determine on a NSM whether the logs are coming from the NSM or directly from the Firewall via syslog. Syslog from the Firewall Mar 18 17:56:52 [FW IP] [FW NAME]: NetScreen device_id=netscreen2  [Root]system-notification-00257(traffic): start_time=”2009-03-18 16:07:06″ duration=0 policy_id=320001 service=msrpc Endpoint Mapper(tcp) proto=6 … Read more

Check Point: Migrate Provider-1 R55 CMA to R65 Smart Centre Server

Below are the steps required to migrate a Provider-1 CMA to a Smart Centre Server. This tutorial was based on exporting and migrating from R55 to R65 and will involve the following steps,   1. Export the CMA on the Provider-1 2. Import the CMA into Smart Centre 3. Export and detach license 4. Update the Smart Centre Object … Read more

Check Point – Provider-1 Export / Failed to export Error

Issue When trying to run an upgrade_export from a Provider-1 you get the following error, Failed to export. Please close all Check Point clients. If the failure to export persists, stop all Check Point Services and run the upgrade_export command again. Solution Note: The upgrade_export command is run from the $FWDIR/bin/upgrade_tools directory of the CMA. … Read more

NSM – Files and Folders

There are 3 areas with NSM. DevSvr, GuiSvr and HaSvr. The following files and paths are based on NSM 2008. Below shows the main path structure (Redhat) and what each Server (Svr) does. /usr/netscreen/DevSvr/ – DevSvr – Logging and the NSM database/usr/netscreen/GuiSvr/ – GuiSvr – NSM GUI /usr/netscreen/HaSvr/  – HaSvr  – Backups and High Availability. … Read more

PIX – ASDM Read Only Account

When trying to create a Read only account (Priv Level 5), and logging into the ASDM using your readonly account you receive the following error, you do not have sufficient privileges to execute commands required to load asdm Solution This is due to the privilege levels not being configured correctly. The following will give you … Read more

Check Point: Upgrade to R65 from R55 Causes Traditional Mode Issues

Issue Check Point have now replaced the “Support Key Exchange for subnets” with “VPN Tunnel Sharing” for Traditional mode VPNs. The problem this causes is when you upgrade to R65 is that the “Support Key Exchange for subnets”  setting isn’t transferred. With all Traditional VPN`s being set to “One VPN tunnel per subnet pair” as … Read more

Juniper Netscreen – NAT Explained

Source NAT Interface Based Source NAT – Allows the traffic to NAT its source IP to the IP address of the egress interface which it leaves. This feature is enabled on the interface via “NAT-Mode”. And can be disabled via using “Route Mode”. MIP – Provides a static NAT for the specified host, in which … Read more

PIX / ASA – How to enable ICMP Inspect

Below shows you how to enable ICMP inspection on a PIX 8.0(4)28. Please Note : Below presumes you all ready have a policy map defined with the name of global_policy and this has already been assigned to your device using the service-policy command.  PIX(config-cmap)# policy-map global_policyPIX(config-pmap)# class inspection_defaultPIX(config-pmap-c)# inspect icmp

Netscreen – DDNS : Last response – not init

The below is based on the netscreen ns5gt and the firefox web browser. Issue After setting up your netscreen for DDNS, in the UI of your netscreen the last response is shown as ‘not-init‘ and within the CLI it shows ‘successful updates: 0‘. To get the id of you ddns config run just the command … Read more

PIX / ASA 8.0(4)16 – Site to Site VPN Sample Config

Below is a sample config for 2 site to site vpns from a PIX running 8.0(4)16. One peer being, and the other Please note : This isn’t a tutorial but merely just a sample config that can be used as a reference point.     isakmp enable outside    isakmp policy 10          encryption des         … Read more

Denying Instant Messenger Protocols via Policy Based Rule’s

Below is a list of the main Instant Messenger applications (including ports and destinations) for the denial of use via policy based rules. Please note : With creating policy based rules the following rules will be required, Destination any with a service port of the below ports (excluding http and https) Destination of the below … Read more

Netscreen – Rule Processing Order

Rule Processing Order The general processing order is as follows, Look for a policy between the ingress and egress zones If no policy is found (in step 1), search for a Global policy If no Global policy is found and if the ingress zone is same as the egress zone, apply the intra-zone block i.e … Read more

Netscreen – Changing your Duplex settings

This article was written based on the ns5gt. By default all interfaces are set to auto negotiate. Show Duplex ns5gt-> get interface trust port phy Port 1:  link is up, 100 Mbps, auto negotiated to full duplex Port 2:  link is up, 100 Mbps, auto negotiated to full duplex Port 3:  link is up, 100 … Read more

Check Point – Enabling Gratious ARP (Failover)

If you firewall isn’t Gratuitous ARPing when it fails over, you will need to edit the file $FWDIR/boot/modules/fwkern.conf, and add the following line (if it doesn’t exist create it), fwha_use_arp_packet_queue=1 Then reboot the machine.

Cisco ASA – What is the ‘MSS Exceeded’ ASP Feature ?

Background PIX or ASA running 7.0 later introduce a security feature in which any packets containing an MSS larger then the announced size during the 3 way handshake will be dropped.During the 3 way hand shake both sides announce their MSS (Maximum Segment Size). The MSS is the largest TCP payload that the host can … Read more

Netscreen – Console settings

In this article we will be looking at the various console commands available to us on the Juniper Netscreen. From entering the get command we can see the current console settings along with console session details, ns5gt-> get console Console timeout: 10(minute), Page size: 22/22, debug: buffer privilege 200, config has not been changed! ID … Read more

NSM – I`ve Forgotten / Lost my NSM Password

Have you lost, forgotten, misplaced the NSM password ?Below are the steps to reset your “super” account password, NSM 2006.x and below Log into the NSM via SSH as root Stop the NSM Server (you should be able to find the init scripts in /etc/init.d) Run the following command /usr/netscreen/GuiSvr/utils/.hashPasswd <new password>, you will receive … Read more

Check Point – How to Reset SIC

How do i reset SIC ?  Go into the CLI of the Firewall and type cpconfig then choose Secure Internal Communication. You will then be prompted to enter a passcode. Enter anything it doesnt matter. Then exit cpconfig using option 10. cpfw[admin]# cpconfig This program will let you re-configure your Check Point products configuration. Configuration … Read more

Nokia: Install HFA30 to Diskless/Flash-based Check Point Firewall

The following steps will allow HFA30 to install on flash based system if the /opt has less then 400mb. Before we start you should ideally have the following free, /opt = 212184 /prevserve = 480694 mkdir ~/hfa30 cd ~/hfa30 tar xzvf ~/VPN-1_R65_HFA_30.ipso.tgz rm ~/VPN-1_R65_HFA_30.ipso.tgz df -k The output from df -k should now show over … Read more

Netscreen – Snoop

A great debugging tool feature on the Juniper Netscreens is snoop. Snoop is packet capturing tool which allows you to analysis your traffic on a per packet level. Below shows you a example of enabling snoop and viewing its output, 5gt->undebug all5gt->snoop5gt->snoop filter ip>snoop info5gt->clear db 5gt->get db str Ok, so what do these … Read more

Check Point – Desktop Policy / Split Tunnelling

Desktop Policy / Split Tunneling In the world of Check Point remote access there are 2 types of clients that are used for remote VPN access. They are, Secure Remote – Basic Free client Secure Client – Non-free licensed client allowing the enforcement of desktop policies. Desktop Policy Within the Desktop Policy Tab of your … Read more

PIX – View the System Health

Below you will find a bunch of commands that can be used to gain a clear picture of a PIX/ASA`s system health, sh resource usage system sh memory sh cpu sh service-policy sh asp drop sh logging | i -1- sh fail | i This  

IPSO – Enable / Disable Voyager

To enable and disable the voyager please see below, To enable ipso[admin]#clishNokiaIP390:102> set voyager daemon-enable tNokiaIP390:103> save configNokiaIP390:104> exit To disable ipso[admin]#clishNokiaIP390:102> set voyager daemon-enable fNokiaIP390:103> save configNokiaIP390:104> exit      

SPLAT – Unable to log into Smart Portal

Issue When trying to log into Smart Portal on a pre-R65 Check Point firewall using Internet Explorer 7, you are unable to log in. Resolution Within Internet Explorer disable MS XML.This can be done via Tools > internet Options >Advanced > Security, and untick “Enable native XML HTTP support”.

IPSO – Installing a Check Point Package

Below shows you the process of installing a new Check Point package via the CLI, cp1[admin]# newpkg -m IPSO_wrapper_R65.tgzEnter pathname to the packages [ or ‘exit’ to exit ]: /var/emhome/adminLoading Package ListPackage Description: Check Point Suite wrapper package NGX R65Would you like to :1. Install this as a new package2. Upgrade from an old package3. … Read more

Juniper Netscreen Commands

Interface get counter statistics Show interface statistics (CRC errors etc) get interface trust port phy Show physical ports for a certain zone get driver phy Show all link states of interfaces get counter statistics interface ethernet3 Show hardware stats on interface set interface [interface] no-subnet-conflict-check Allows you to configure multiple interfaces in the same IP … Read more

IPSO – Turn off Console Logging

To enable debugging (which will write an event to the messages file and console upon a critical device failure) run the following syntax, ipso[admin]# ipsctl -w net:log:partner:status:debug 1 To turn off the console output, enter the following, ipso[admin]# ipsctl -w net:log:sink:console 0

ASA – Upgrading a ASA

Below shows you how to upgrade your ASA to verson 8.04. 1. Enable scopy on your ASA  firewall(config)#ssh scopy enable 2. Copy the image from your PC to the ASA, the command below is done on your PC via “Start / Run / CMD”. Download pscp here. pscp [image].bin [user]@[asa_ip]:[image].bin 3 .Change the boot order, … Read more

IPSO – Commands

Below are the common IPSO commands that can be used, IPSO commands newimage Installs IPSO OS from the local machine newpkg -m localhost Check Point package Install clish IPSO OS CLI ipsctl -a displays all of the IPSO Settings and Values ipsctl -a ifphys:eth-s5p1:errors|more display errors on eth-s5p1 ipsctl -w net:ip:tcp:default_mss 1460 Change MSS to … Read more

IPSO – How to preform a Factory Reset via the CLI

Below shows you how to factory reset a Nokia IPSO,  Nokia[admin]# ls bin     cdrom   dev     image   proc    tmp     var bootmgr config  etc     opt     sbin    usr     web Nokia[admin]# cd config Nokia[admin]# ls active  db Nokia[admin]# rm active Nokia[admin]# ls db Nokia[admin]# reboot On reboot select bootmgr to start the wizard,  Verifying DMI Pool Data …….. 1   … Read more

IPSO – Installing a new image using bootmgr

Below will show you how to install a IPSO image using the bootmgr, this can be useful if you have lost your password, or cannot get into the IPSO CLI for what ever reason. Reboot Device and on startup press 1 1   Bootmgr 2   IPSO Default: 1 Starting bootmgr Loading boot manager.. Install the image … Read more

PIX – How to view packet captures within Wireshark

Below provides the nessecary steps required to create an a packet capture on an ASA/PIX, and the relevant download method. Note : You will requre pscp (putty pscp) installed onto your PC. Download pscp here. This is only available in the later versions of PIX & ASA. First of all start the capture. capture capturefile … Read more

Netscreen – Create a Policy based VPN

This guide will show you how to create a policy based VPN on a Netscreen firewall. The encryption domain will be, Local Gateway : Local Endpoint : /24 Remote Gateway : Remote Endpoint : /24 1. Log into the Netscreens GUI 2. Click VPNs > Autokey IKE (Autokey IKE Screen is … Read more

Want to become an IT Security expert?

Here is our hand-picked selection of the best courses you can find online:
Internet Security Deep Dive course
Complete Cyber Security Course – Hackers Exposed
CompTIA Security+ (SY0-601) Certification Complete course
and our recommended certification practice exams:
AlphaPrep Practice Tests - Free Trial