PIX 6.3 – Configure an Interface

Below will configure you interface with vlan50, ip address 1.1.1.1 with a name of outside. This will also bring up the interface. nameif ethernet0 outside security0ip address outside 1.1.1.1 255.255.255.0interface ethernet0 autointerface outside vlan50

PIX 6.3 – Enabling SSH

To enable ssh on your PIX (6.3) run the following, hostname myfw domain-name home.net ca gen rsa key 1024 ssh 0 0 inside ssh timeout 60 passwd 123 ca save all When you go to log in your username will be pix and the password 123.

PIX 6.3 – Add a Default Route

The following command will allow you to add a default route to your PIX device: route [interface name] 0 0 [default gw ip] Example route outside 0 0 1.1.1.1

Netscreen – Debugging / Troubleshooting

In order to debug and obtain output for the traffic flow through the Netscreen, you will need action a couple of commands, these are shown below, 5gt-> unset fffilter 0 removed5gt-> undebug all5gt-> clear db 5gt-> set ff dst-port 8080filter added5gt-> debug flow basic5gt-> get db str Below shows you what each command does…. unset … Read more

Netscreen – NSM Issues

Heres a couple of issues I ran into when adding some devices to the NSM, When trying to enable NSM via the GUI you get “No initial ID configured. NSM agent remains disabled” The communication between nsm and screenos is based on public key authentication. You don’t have to enable NSM manually. Cant import the … Read more

Netscreen – MSS

Below shows you the various MSS settings that can be set via the CLI, MSS of netscreen –   set tcp mss 1460 MSS for VPN traffic – set flow tcp-mss 1460 MSS for clear traffic – set flow all-tcp-mss 1460

Check Point – SSH Blocked

Problem You find that your gateway is blocking SSH connections and showing in the logs even though you have the ssh and ssh_version_2 protocols added to your rule. message_info: SSH version 1.x is not allowed Reason On closer inspection when you look at the ssh_version_2 protocol object it says in the comment, Secure Shell, version … Read more

Netscreen – NSRP Basic Setup

Below shows you how to configure basic NSRP cluster, prior to below you would of needed to configure your interfaces. Node A set nsrp rto-mirror syncset nsrp monitor interface eth1set nsrp monitor interface eth3set nsrp cluster id 1set nsrp vsd-group id 0 priority 100save Node B set nsrp rto-mirror syncset nsrp monitor interface eth1set nsrp … Read more

Netscreen – Basic Config

Below is how to set up the basic configuration on a Netscreen firewall.Also bear in mind that if you are setting up a NSRP cluster, be sure to set the management IP to a different IP to the management interface. set hostname myfirewallset ssh enable set admin name rootset admin password mypasswordset admin manager-ip 192.168.1.1 … Read more

Check Point – Installing an HFA

HFA stands for Hot fix accumulator. Which is a bit like a Windows Service Pack but for your Check Point Firewall.The documentation from the Check Point site on how to install these, is very good, and also contains the IPSO installation instructions. Below are the basic instructions on how to install the latest HFA 30 … Read more

SPLAT – Route / Static ARP startup Script

To create a static route script, create a file in /etc/init.d/ with the routes included. Below is an example, #!/bin/bash /sbin/route add -host 192.168.1.25 gateway 10.1.1.25/sbin/route add -host 192.168.1.19 gateway 10.1.1.19 exit 0 Then link this to the startup script, by running, ln -s /etc/init.d/staticroutes /etc/rc3.d/S68Staticroutes You can then do the same for the static … Read more

Check Point – Ive pushed the Wrong Policy

Issue There may be a time where you install the wrong policy onto a Check Point Firewall. This can block your connections, and screw which traffic is allowed through the firewall. Resolution These steps will show you how to remove and reinstall the correct policy via the CLI on the manager (SCS),   1. First … Read more

PIX to Check Point Sample VPN Configuration

Below provide sample configurations required for building a site to site VPN between a Cisco PIX and a Check Point Firewall. PIX Configuration (config)#isakmp enable outside (config)#isakmp policy 10 (config-isakmp-policy)# encryption aes-256 (config-isakmp-policy)# hash sha (config-isakmp-policy)# authentication pre-share (config-isakmp-policy)# group 1 (config-isakmp-policy)# lifetime 86400 (config)#isakmp key shabba address 1.1.1.1 netmask 255.255.255.255 no-xauth (config)#access-list ED permit … Read more

Check Point – Moving Files using SCP

Method 1 Even though this maybe more of an article for the Linux area, the only reason I came across this is trying to move the output of a upgrade_export from my SPLAT box, so hence it being under Firewalls – Check Point. If you keep getting prompted with a password box when trying to … Read more

Check Point – Stealth / Drop Rule

Stealth Rule The first rule in the rule base which prevents access to the firewall itself. Implicit Drop / Clean Up Rule This is added by the firewall at the bottom of the rule base. Its role is to drop any traffic that hasn’t been matched to any of the previous rules.

Check Point – Debugging NAT

In order to debug NAT on a checkpoint we need to obtain information via the following, Set the debugging buffer to 2 KB Enable 2 debugging flags Output your data Then to reset the debugging flags. The commands are, fw ctl debug -buf 2048fw ctl debug xlate srcfw ctl kdebug -f >& /tmp/kdebug.outfw ctl debug … Read more

Check Point – Acronyms

FWM    Firewall Management e.g. the SmartCenterICA     Internal CA, normally SmartCenterSIC     Secure Internal CommunicationSCS    Smart Centre ServerVTI     Virtual Tunnel Interface (VPNs)MDG    Multi Domain GUI (Provider-1)MDS    Multi Domain Server, Manager or Container (Provider-1)CMA    Customer Management Add-on (Provider-1) – “Smart Center Server”MLM    Multi Customer Log Module (Provider-1)CLM     Customer Log Module (Provider-1)

Check Point – QoS

DiffServ (Differentiated Services)A layer 3 protocol, defined by the IEFT. Used for adding QoS to IP networks. WFRED(Weighted Flow Random Early Drop)A process for managing packet buffers, by dropping packets during periods of network congestion.This is transparent to the user and requires no configuration. IQ (Intelligent Queuing Engine)Using information from the Check Point INSPECT engine … Read more

Check Point Commands

Check Point commands generally come under cp (general), fw (firewall), and fwm (management).    Check Point Gaia commands can be found here. CP, FW & FWM cphaprob stat List cluster status cphaprob -a if List status of interfaces cphaprob syncstat shows the sync status cphaprob list Shows a status in list form cphastart/stop Stops clustering … Read more

Check Point – Ports

General tcp/257    FireWall-1 log transfertcp/18208  CPRID (SmartUpdate)tcp/18190  SmartDashboard to SCStcp/18191  SCS to FW-1 gateway for policy installtcp/18192  SCS monitoring of firewalls (SmartView Status) SIC Ports tcp/18209   NGX Gateways <> ICAs (status, issue, or revoke).tcp/18210   Pulls Certificates from an ICA.tcp/18211   Used by the cpd daemon (on the gateway) to receive Certificates. Authentication tcp/259      Client Authentication (Telnet)tcp/900      … Read more

PIX Commands

Heres a few PIX commands that may come in useful.  Performance / Usage sh mem Shows memory used and amount free sh cpu                                                           Shows % of CPU used sh perfmon Show the performance of various connections sh traffic Show the traffic stats sh resource usage system Shows the system utilization sh service-policy Shows the amount … Read more

Create a Read Only account

Below shows you the commands for creating a read-only account on a Cisco IDS. username <username> privilege viewer password <password>   copy current-config backup-config

Cisco IDS Commands

Event Log commands packet display Traffic sniffer show statistics event-store [clear] IDS Event Logs show statistics event-store  IDS Event Logs show events [type] IDS Event Logs> System commands show interfaces Show interfaces show configuration Show system config show statistics logger System Logs show statistics sdee-server Show sdee server show statistics analysis-engine Show analysis stats show … Read more

Snort/SourceFire – Writing Signatures

Below is a custom signature that would create an alert on traffic running from any source to any destination with a destination port of 22, on flags push and ack, every 600 seconds. alert tcp any any -> any 22 (msg:”SSH TRAFFIC”; flags:PA; classtype:not-suspicious; threshold: type limit, track by_dst, count 1 , seconds 600 ; … Read more

Check Point – Exporting SmartCentre settings

This will show you the steps involved in exporting the settings of a Smart Centre Server for importing into a newly installed Smart Centre server, Download the upgrade_export utility and run it from $FWDIR/bin to export the config to a .tgz Transfer the tgz to another machine Uninstall all ngx packages and reboot Install new … Read more

Check Point – Useful Files

Below are some of the various files and commands which you may find useful on a Check Point. Smart Centre Server $CPDIR/conf – Contains parts of the CPShared system    * cp.license  – license of machine    * sic_cert.p12 – SIC certificate$FWDIR/lib – .def files which are used when the rulebase is complied into inspection code for … Read more

Check Point – FW Monitor

Check Point Inspection Points

FW monitor is a great tool for troubleshooting traffic flow issues with your checkpoint. It works by using 4 inspection points, i – Pre Inbound I – Post Inbound o – Pre Outbound O – Post Outbound Examples fw monitor -e “accept dport=6000;” fw monitor -m iO -e ‘accept dport=80;’ fw monitor -e ‘accept dport;’ … Read more

Check Point – Authentication

When adding an authentication action to a rule there are 3 types, User Session Client User authentication works by intercepting connects going through the FW-1 and prompting the user for authentication. To do this the firewall has to modify the traffic, so this authentication type can only be used with FTP, HTTP, Telnet and RLOGIN. … Read more

Check Point – NAT Explained

There are many types of NAT in the land of Check Point. Here’s a quick overview, Static NAT – One to one translation Hide/Dynamic NAT – Allows you to NAT multiple IPs behind one IP/Interface Automatic NAT – Quick basic address NAT translation. Manual NAT – Allows greater flexibility over automatic NAT. Proxy ARP is … Read more

Check Point – Client vs Server Side NAT

Introduction Client and Server side NAT relates to when we perform destination NAT`ing. The “Translate destination on Server side” option is an legacy option which was included due to pre NG versions of checkpoint using Server-Side NAT. Client Side NAT – The destination address is NAT`d by the inbound Kernel Server Side NAT – The … Read more

SPLAT – Proxy ARP

How do I configure proxy ARP on my SPLAT firewall ?  There are 2 ways to get a packet to a firewall. A Route or a Proxy ARP. Using routes is the perferred method but it may be the case where you havent access to the routers and need to use Proxy ARP. Please note: … Read more

PEMU – Free Cisco PIX Firewall Emulator / Simulator

Introduction This is a guide on how to install a Free pix emulator / simulator onto a linux platform. You can also obtain the windows version, which you can find (along with other tutorials and forum) at the ariscahyadi blog. This software was written by mmm123, and is called PEMU, which is based on the … Read more

PIX – Static NAT

Below is an example of static NAT for FTP when using the outside interface with a DHCP address assigned to it. static (dmz,outside) tcp interface ftp 172.16.1.50 ftp netmask 255.255.255.255 static (dmz,outside) tcp interface ftp-data 172.16.1.50 ftp-data netmask 255.255.255.255  

Nokia`s VRRP

Nokia`s VRRP protocol allows for an active-standby firewall cluster. Nokia have added an extension to VRRP called VRRP monitored circuit which handles both total firewall failure as well as interface failures. Each virtual router uses a mac address of 00-00-5E-00-01-XX. XX being the Virtual Router ID (VRID).The multicast of 224.0.0.18 and IP protocol number 112 … Read more

PIX – Advanced Protocol Handling

When using a “inspect policy map” you need to add it to a “standard policy-map” to allow you to add it to the service policy.For each policy map there would be a class map, the inspect would match the FTP command, and then use the classmap “inspection-default” in the standard policy map. Running Config policy-map … Read more

PIX – VPN – Site 2 Site

Below shows the configuration syntax for configuring a Site to Site VPN on a Cisco PIX firewall. Configuration (config)#isakmp enable outside(config)#isakmp policy 10(config-isakmp-policy)# encryption aes-256(config-isakmp-policy)# hash sha(config-isakmp-policy)# authentication pre-share(config-isakmp-policy)# group 1(config-isakmp-policy)# lifetime 86400(config)#isakmp key shabba address 1.1.1.1 netmask 255.255.255.255 no-xauth(config)#access-list ED permit ip 172.16.1.0 255.255.255.0 172.16.5.0 255.255.255.0(config)#access-list nonat permit ip 172.16.1.0 255.255.255.0 172.16.5.0 255.255.255.0(config)#nat (inside) … Read more

PIX – VPN – Remote Access

Below shows 2 examples of a Remote Access configuration on version 6.x and 7.x of the Cisco PIX firewall. 6.x (config)#username 123 password 123(config)#isakmp enable outside(config)#ip local pool VPNIP 10.0.10.10-10.0.10.20 mask 255.255.255.0(config)#isakmp policy 1 authentication pre-share(config)#isakmp policy 1 encryption 3des(config)#isakmp policy 1 hash sha(config)#isakmp policy 1 group 2(config)#isakmp policy 1 lifetime 43200 (config)# crypto ipsec … Read more

PIX Protocol Handling

Below are the steps involved in configuring protocol handling, Create the class-map – Tell the class-map which traffic to match Create Policy-map – Assign class-map to policy map. Tell the class-map what to do to the matched traffic Assign policy map globally or to interface Below will inspect http traffic on port 801 using, and … Read more

PIX – Logging Buffer – View logs on your PIX

If you need to view the logs on your pix, as you haven’t got a syslog server, or you haven’t got access to it, you can access the logs on the pix itself and grep your way through, by using and enabling the logging buffer. Below shows you how to enable and disable the logging … Read more

PIX – Create a Read Only account

Below shows you the commands for creating a read only account on a Cisco PIX firewall. hostname(config)# username client password 123 privilege 5hostname(config)# privilege show level 5 command running-confighostname(config)# privilege show level 5 command startup-confighostname(config)# privilege show level 5 command access-listhostname(config)#aaa authentication ssh console LOCAL

Configuring AAA on a Cisco PIX

Below shows the required configuration commands for configuring AAA. Authentication Interactive user #(config) aaa-server <server name> protocol <tacacs/radius>#(config) aaa-server <server name> <interface> host <AAA server IP>#(config) aaa authentication include <https/https/ftp/telnet>  inbound 0 0 0 0#(config) access-list 111 permit tcp any any eq ftp#(config) aaa authentication match 111 <interface> <AAA server name> Console Access #(config) aaa … Read more

Cisco PIX – Routing

Static To send all traffic to 192.168.0.1 out the outside interface.To send any traffic in 10.0.1.0/24 to 10.0.0.1 out the inside interface (config)#Route outside 0 0 192.168.0.1(config)#Route inside 10.0.1.0 255.255.255.0 10.0.0.1 RIP Allow RIP updates to be received on the outside interface with a key of cisco and id of 2.Pass RIP updates out the … Read more

Enabling ASDM upon your PIX

Below shows you how to enable ASDM upon your PIX. First of all you will need to copy the ASDM image to you PIX firewall. I find the easiest way to do this is to enable scopy (scp) on your pix using the command ssh scopy enable. And then using the putty tool pscp to … Read more

Configuring HA Failover on a PIX Firewall

Below shows you how to configure stateful LAN based failover. Primary (config)#interface eth0(config-if)#nameif inside(config-if)#ip add 10.1.1.10 255.255.255.0 standby 10.1.1.20 (config)#interface eth1(config-if)#no nameif(config-if)#no shut (config)#interface eth2(config-if)#no nameif(config-if)#no shut (config)#failover(config)#failover lan unit primary(config)#failover lan interface failover eth1(config)#failover lan enable(config)#failover key <key>(config)#failover link state eth2(config)#failover interface ip failover 172.16.50.10 255.255.255.0 standby 172.16.50.20(config)#failover interface ip state 172.16.51.10 255.255.255.0 standby … Read more

How do I Enable SNMP on a PIX / ASA ?

Below shows you the commands to enable SNMP (polls or traps) on PIX/ASA v7.x or later….. pix(config)# snmp-server host [interface_name] [ip_address] trap community [community string] pix(config)# snmp-server host [interface_name] [ip_address] poll community [community string]

How to enable SSH on a PIX

Below shows you the necessary steps required to enable SSH on a PIX firewall, crypto key generate rsa modulus 1024ssh [ip] [mask] [interface]aaa authentication ssh console LOCALusername [username] password[password] privilege 15

Want to become an IT Security expert?

Here is our hand-picked selection of the best courses you can find online:
Internet Security Deep Dive course
Complete Cyber Security Course – Hackers Exposed
CompTIA Security+ (SY0-601) Certification Complete course
and our recommended certification practice exams:
AlphaPrep Practice Tests - Free Trial