Below outlines Netscreen's Attack Detection and Defense. This is by no means a full guide but acts as a general summary of the various terms and technologies. SCREEN features legacy security protection, such as SYN, UDP and ICMP floods, port scans and certain OS-specific DoS attacks. Deep Inspection allows for inspection at the application layer … Read more
Below will show how to create a basic Remote Access VPN using Pre Shared Keys. This guide presumes that you already have the Netscreen Remote VPN Client installed on your local machine, and was created using the following software versions: ScreenOS – 6.2.0r1.0; Netscreen Remote VPN Client – 10.8.3 (Build 6). Below is an … Read more
VPN Monitoring This allows you to ping an IP address through the tunnel. In the event of the tunnel going down, an SNMP trap will be generated. The settings can be found under “VPNs > AutoKey IKE > Edit > Advanced > VPN Monitor”. The “rekey” option will cause the Netscreen to continuously try and … Read more
Below shows you how to create a route-based VPN on a Netscreen firewall using the firewall's GUI. This tutorial was created using ScreenOS version 6.2.0r1.0. The encryption domain for this guide will be: Local Gateway : 1.1.1.1, Local Endpoint : 10.1.1.25/24, Remote Gateway : 192.168.1.107, Remote Endpoint : 172.28.16.0/24. Create Tunnel Interface … Read more
This script will determine which operating system is running and then back up the OS accordingly; once complete, it will securely send the backup to the manager. The script is based on R65 and all backups will be sent to “/var/tmp/backups” on the manager. Each time the backup is run it will write a system log confirming if … Read more
This article will show you how to back up and restore your Juniper NSM. This article was written using NSM version 2008.2r1. Within NSM, the HighAvailSvr contains processes that run in both HA and non-HA mode and handles database backups and a watchdog daemon to restart NSM processes in case of failure. Backup Even though you will … Read more
Issue The SmartView Monitor shows the status of your gateway as “Disconnected”. It takes ages before your gateway shows as “Connected”. No AMON (Application Monitoring) packets (tcp/18192) are leaving the SmartCentre Server for the gateway. Solution This can be down to issues within the database files for the SmartView Monitor. Below will show you … Read more
SPAM Spam continues to be the major threat affecting email systems today. The term spam is used to define junk email messages that are usually sent out in high volumes to thousands of users at a time. SPAM Invasion Below are some examples of HTML-based filter evasion tactics: tiny or invisible text that is … Read more
Issue On Solaris 8 or Solaris 9, installing the Check Point package fails with either: /var/opt/cp_tmp/CPsuite-R65/install/request: /var/opt/cp_tmp/CPsuite-R65/install/request: cannot open pkgadd: ERROR: request script did not complete successfully Installation of <CPsuite-R65> failed. or /opt/CPInstLog/Wrapper_R65.elg contains [25/02 11:52:36] Installing “Primary SmartCenter” [25/02 11:52:55] Installing of “Primary SmartCenter” failed ! [25/02 11:52:57] Fail to install: Primary SmartCenter! See application usage format. [25/02 11:52:57] Wrapper … Read more
IP tracking allows you to track the connectivity of critical IPs. This allows you to change your routing based on the connectivity of configured IPs. There are 3 main points to Track IP: If a Tracked IP becomes unreachable, the weight of the address is added to the overall failed address total. If the total … Read more
Issue Logs received on the NSM are delayed by 6 minutes. The log viewer hangs for close to 6 minutes and then displays all the logs within a group. Also, today's log directory does not get created within /DevSvr/logs. Solution The NSM device server does a log tuple repair for each log received from the … Read more
Issue When upgrading to R70 on SPLAT you may receive the following error: CPwrapper: Wrapper part one completed successfully, data saved Upgrading the operating system. Preparing to upgrade Check Point Products. status=1 Exiting .. Patch installation failed. Please Note : This refers to an ISO file which has been copied to the device and … Read more
This guide attempts to explain Proxy ARP on the Check Point SPLAT platform. 1. What is Proxy ARP? There are 2 ways to get a packet to a device: route the packet to the device, or add a proxy ARP entry so that the network host answers the ARP queries for IP addresses not … Read more
Summary When passing BGP traffic through a PIX you will need to configure the PIX to disable random sequence numbers to prevent MD5 digest mismatches on either router. Please Note : Below presumes you already have a policy map defined with the name of global_policy and this has already been assigned to your device … Read more
Issue When allowing eBGP traffic through a Check Point Firewall you may receive the following error message on your BGP peered routers. (This error may occur at the point of pushing a policy to your Check Point Firewall), TCP-6-BADAUTH: Invalid MD5 digest from [Source IP]:[Source Port] to [Dest IP]:179 Solution This is down to the … Read more
Juniper introduces a new feature to the area of routing, called Virtual Routers. The model consists of: interfaces are applied to zones, and zones are applied to Virtual Routers. Virtual routers allow you to segment routing updates into and out of the firewall/router. Virtual Routers There are 4 different types of routing tables that you can … Read more
Below are the 2 types of syslog messages. This can be useful to quickly determine on an NSM whether the logs are coming from the NSM or directly from the Firewall via syslog. Syslog from the Firewall Mar 18 17:56:52 [FW IP] [FW NAME]: NetScreen device_id=netscreen2 [Root]system-notification-00257(traffic): start_time=”2009-03-18 16:07:06″ duration=0 policy_id=320001 service=msrpc Endpoint Mapper(tcp) proto=6 … Read more
Below are the steps required to migrate a Provider-1 CMA to a Smart Centre Server. This tutorial was based on exporting and migrating from R55 to R65 and will involve the following steps, 1. Export the CMA on the Provider-1 2. Import the CMA into Smart Centre 3. Export and detach license 4. Update the Smart Centre Object … Read more
Issue When trying to run an upgrade_export from a Provider-1 you get the following error, Failed to export. Please close all Check Point clients. If the failure to export persists, stop all Check Point Services and run the upgrade_export command again. Solution Note: The upgrade_export command is run from the $FWDIR/bin/upgrade_tools directory of the CMA. … Read more
There are 3 areas within NSM: DevSvr, GuiSvr and HaSvr. The following files and paths are based on NSM 2008. Below shows the main path structure (Redhat) and what each Server (Svr) does. /usr/netscreen/DevSvr/ – DevSvr – Logging and the NSM database /usr/netscreen/GuiSvr/ – GuiSvr – NSM GUI /usr/netscreen/HaSvr/ – HaSvr – Backups and High Availability. … Read more
When trying to create a read-only account (Priv Level 5) and logging into the ASDM using your read-only account, you receive the following error: you do not have sufficient privileges to execute commands required to load asdm Solution This is due to the privilege levels not being configured correctly. The following will give you … Read more
Issue Check Point have now replaced “Support Key Exchange for subnets” with “VPN Tunnel Sharing” for Traditional mode VPNs. The problem this causes when you upgrade to R65 is that the “Support Key Exchange for subnets” setting isn't transferred. With all Traditional VPNs being set to “One VPN tunnel per subnet pair” as … Read more
Source NAT Interface Based Source NAT – Allows the traffic to NAT its source IP to the IP address of the egress interface through which it leaves. This feature is enabled on the interface via “NAT-Mode” and can be disabled using “Route Mode”. MIP – Provides a static NAT for the specified host, in which … Read more
Below shows you how to enable ICMP inspection on a PIX 8.0(4)28. Please Note : Below presumes you already have a policy map defined with the name of global_policy and this has already been assigned to your device using the service-policy command. PIX(config-cmap)# policy-map global_policy PIX(config-pmap)# class inspection_default PIX(config-pmap-c)# inspect icmp
The below is based on the Netscreen ns5gt and the Firefox web browser. Issue After setting up your Netscreen for DDNS, in the UI of your Netscreen the last response is shown as ‘not-init’ and within the CLI it shows ‘successful updates: 0’. To get the id of your DDNS config run just the command … Read more
Below is a sample config for 2 site-to-site VPNs from a PIX running 8.0(4)16, one peer being 192.168.2.100 and the other 192.168.1.100. Please note : This isn't a tutorial but merely a sample config that can be used as a reference point. isakmp enable outside isakmp policy 10 encryption des … Read more
Below is a list of the main Instant Messenger applications (including ports and destinations) for denying their use via policy-based rules. Please note : When creating policy-based rules, the following rules will be required: destination any with a service port of the below ports (excluding http and https); destination of the below … Read more
Rule Processing Order The general processing order is as follows: Look for a policy between the ingress and egress zones. If no policy is found (in step 1), search for a Global policy. If no Global policy is found and the ingress zone is the same as the egress zone, apply the intra-zone block, i.e. … Read more
This article was written based on the ns5gt. By default all interfaces are set to auto negotiate. Show Duplex ns5gt-> get interface trust port phy Port 1: link is up, 100 Mbps, auto negotiated to full duplex Port 2: link is up, 100 Mbps, auto negotiated to full duplex Port 3: link is up, 100 … Read more
If your firewall isn't sending gratuitous ARPs when it fails over, you will need to edit the file $FWDIR/boot/modules/fwkern.conf and add the following line (if the file doesn't exist, create it): fwha_use_arp_packet_queue=1 Then reboot the machine.
Background PIX or ASA running 7.0 or later introduces a security feature in which any packets containing an MSS larger than the size announced during the 3-way handshake will be dropped. During the 3-way handshake both sides announce their MSS (Maximum Segment Size). The MSS is the largest TCP payload that the host can … Read more
In this article we will be looking at the various console commands available to us on the Juniper Netscreen. From entering the get command we can see the current console settings along with console session details, ns5gt-> get console Console timeout: 10(minute), Page size: 22/22, debug: buffer privilege 200, config has not been changed! ID … Read more
Have you lost, forgotten or misplaced the NSM password? Below are the steps to reset your “super” account password. NSM 2006.x and below: Log into the NSM via SSH as root. Stop the NSM Server (you should be able to find the init scripts in /etc/init.d). Run the following command: /usr/netscreen/GuiSvr/utils/.hashPasswd <new password>; you will receive … Read more
How do I reset SIC? Go into the CLI of the Firewall and type cpconfig, then choose Secure Internal Communication. You will then be prompted to enter a passcode. Enter anything; it doesn't matter. Then exit cpconfig using option 10. cpfw[admin]# cpconfig This program will let you re-configure your Check Point products configuration. Configuration … Read more
The following steps will allow HFA30 to install on a flash-based system if /opt has less than 400 MB. Before we start you should ideally have the following free: /opt = 212184 /prevserve = 480694 mkdir ~/hfa30 cd ~/hfa30 tar xzvf ~/VPN-1_R65_HFA_30.ipso.tgz rm ~/VPN-1_R65_HFA_30.ipso.tgz df -k The output from df -k should now show over … Read more
A great debugging feature on the Juniper Netscreens is snoop. Snoop is a packet capturing tool which allows you to analyse your traffic at a per-packet level. Below shows you an example of enabling snoop and viewing its output: 5gt-> undebug all 5gt-> snoop 5gt-> snoop filter ip 10.1.1.100 5gt-> snoop info 5gt-> clear db 5gt-> get db str Ok, so what do these … Read more
Desktop Policy / Split Tunneling In the world of Check Point remote access there are 2 types of clients that are used for remote VPN access. They are, Secure Remote – Basic Free client Secure Client – Non-free licensed client allowing the enforcement of desktop policies. Desktop Policy Within the Desktop Policy Tab of your … Read more
Below you will find a bunch of commands that can be used to gain a clear picture of a PIX/ASA's system health: sh resource usage system sh memory sh cpu sh service-policy sh asp drop sh logging | i -1- sh fail | i This
To enable and disable Voyager please see below. To enable: ipso[admin]# clish NokiaIP390:102> set voyager daemon-enable t NokiaIP390:103> save config NokiaIP390:104> exit To disable: ipso[admin]# clish NokiaIP390:102> set voyager daemon-enable f NokiaIP390:103> save config NokiaIP390:104> exit
Issue When trying to log into Smart Portal on a pre-R65 Check Point firewall using Internet Explorer 7, you are unable to log in. Resolution Within Internet Explorer disable MS XML. This can be done via Tools > Internet Options > Advanced > Security, and untick “Enable native XML HTTP support”.
Below shows you the process of installing a new Check Point package via the CLI: cp1[admin]# newpkg -m IPSO_wrapper_R65.tgz Enter pathname to the packages [ or ‘exit’ to exit ]: /var/emhome/admin Loading Package List Package Description: Check Point Suite wrapper package NGX R65 Would you like to : 1. Install this as a new package 2. Upgrade from an old package 3. … Read more
Interface get counter statistics Show interface statistics (CRC errors etc) get interface trust port phy Show physical ports for a certain zone get driver phy Show all link states of interfaces get counter statistics interface ethernet3 Show hardware stats on interface set interface [interface] no-subnet-conflict-check Allows you to configure multiple interfaces in the same IP … Read more
To enable debugging (which will write an event to the messages file and console upon a critical device failure) run the following syntax, ipso[admin]# ipsctl -w net:log:partner:status:debug 1 To turn off the console output, enter the following, ipso[admin]# ipsctl -w net:log:sink:console 0
Below shows you how to upgrade your ASA to version 8.04. 1. Enable scopy on your ASA: firewall(config)# ssh scopy enable 2. Copy the image from your PC to the ASA; the command below is done on your PC via “Start / Run / CMD”. Download pscp here. pscp [image].bin [user]@[asa_ip]:[image].bin 3. Change the boot order, … Read more
Below are the common IPSO commands that can be used, IPSO commands newimage Installs IPSO OS from the local machine newpkg -m localhost Check Point package Install clish IPSO OS CLI ipsctl -a displays all of the IPSO Settings and Values ipsctl -a ifphys:eth-s5p1:errors|more display errors on eth-s5p1 ipsctl -w net:ip:tcp:default_mss 1460 Change MSS to … Read more
Below shows you how to factory reset a Nokia IPSO, Nokia[admin]# ls bin cdrom dev image proc tmp var bootmgr config etc opt sbin usr web Nokia[admin]# cd config Nokia[admin]# ls active db Nokia[admin]# rm active Nokia[admin]# ls db Nokia[admin]# reboot On reboot select bootmgr to start the wizard, Verifying DMI Pool Data …….. 1 … Read more
Below will show you how to install an IPSO image using the bootmgr; this can be useful if you have lost your password or cannot get into the IPSO CLI for whatever reason. Reboot the device and on startup press 1 1 Bootmgr 2 IPSO Default: 1 Starting bootmgr Loading boot manager.. Install the image … Read more
Below provides the necessary steps required to create a packet capture on an ASA/PIX, and the relevant download method. Note : You will require pscp (PuTTY pscp) installed on your PC. Download pscp here. This is only available in the later versions of PIX & ASA. First of all, start the capture. capture capturefile … Read more
This guide will show you how to create a policy-based VPN on a Netscreen firewall. The encryption domain will be: Local Gateway : 2.2.2.2, Local Endpoint : 10.1.1.0 /24, Remote Gateway : 1.1.1.1, Remote Endpoint : 192.1.1.0 /24. 1. Log into the Netscreen's GUI 2. Click VPNs > Autokey IKE (Autokey IKE Screen is … Read more