
Network Shield
This blog is dedicated to those who are keen learners of networking. You can learn a lot about networking and network security here. We will share basic networking concepts, complex networking topics and troubleshooting steps here. Also, we will share network security questions and other material here.

Showing posts with label Checkpoint Firewall Troubleshooting.
Checkpoint Schedule management database backup

The upgrade_tools (or the migrate command) is a powerful and simple tool that allows us to perform a backup of our Checkpoint database, objects and policies.

Backing up the Checkpoint configuration periodically allows us to recover quickly from a disaster by setting up a new SMS (Security Management Server). This involves two steps:

1. Script that exports the Checkpoint configuration
2. Schedule the backup periodically

Script that exports the Checkpoint configuration

This could be the simplest version of the script (migrate_export.sh for example):
#!/bin/bash
# Export the Checkpoint management database with migrate export.
# $FWDIR is defined by the Checkpoint environment loaded from .bash_profile
source $HOME/.bash_profile

# ISO date (year-month-day) so that the file names sort chronologically
TODAY=$(date +%Y-%m-%d)
TARGET_PATH=/BACKUPS_FOLDER
TARGET_FILE=$TARGET_PATH/EXPORTDB_$TODAY.tgz

if [ -z "$FWDIR" ]
then
    echo "FWDIR is not set: the Checkpoint environment was not loaded" >&2
    exit 1
fi

if [ -d "$TARGET_PATH" ]
then
    # migrate export needs the services stopped; -n runs it without prompts
    cpstop &> /dev/null
    "$FWDIR/bin/upgrade_tools/migrate" export -n "$TARGET_FILE"
    cpstart &> /dev/null
fi

As an option, it is interesting to use a mounted volume as the target path, so that another server serves as the backup repository or storage.

I created a "SCRIPTS" subfolder in my user's $HOME. Choose the location to save your script and then add execution permissions:

# chmod +x /home/admin/SCRIPTS/migrate_export.sh

Test it by launching it manually to ensure it works the way you want. Then we can continue with the next step.

Schedule the backup periodically

This is a light and fast backup, so we can schedule it to be executed once a week, for example.
This example shows a schedule configured for every Monday at 7:00, which can be done via the Gaia WebUI or the command line:

GAIA WEBUI

System Management / Job Scheduler / Add

GAIA COMMAND

add cron job EXPORTDB command /home/admin/SCRIPTS/migrate_export.sh recurrence weekly days 1 time 07:00

When the recurrence is weekly: to specify the days, enter the day by number: 0 is Sunday and 6 is Saturday.
When the recurrence is monthly: to specify the days, enter the day by number: 1 to 31.
Separate several days with commas. For example, for Monday and Thursday enter 1,4.
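As an added example (not part of the original post or of Check Point's tools), the following script verifies each archive produced by migrate_export.sh and keeps only the most recent ones, so the weekly job does not quietly pile up unreadable or endless archives in the backup folder. The path /BACKUPS_FOLDER, the EXPORTDB_ file prefix and the retention count are assumptions taken from the script above.

```shell
#!/bin/bash
# Added example, not from the original post or from Check Point's tools:
# verify and rotate the archives written by migrate_export.sh.
# Assumptions: archives live in /BACKUPS_FOLDER and are named EXPORTDB_<date>.tgz.

# verify_backup FILE
# Returns 0 when FILE exists, is non-empty and is a readable gzip tarball, and
# records its sha256 next to it (FILE.sha256) so a copy can be checked later.
# Returns 1 for a missing/empty file and 2 for an unreadable archive.
verify_backup() {
    file=$1
    if [ ! -s "$file" ]; then
        echo "MISSING or empty: $file" >&2
        return 1
    fi
    if ! tar -tzf "$file" > /dev/null 2>&1; then
        echo "CORRUPT: $file" >&2
        return 2
    fi
    sha256sum "$file" | awk '{ print $1 }' > "$file.sha256"
    return 0
}

# prune_old_backups DIR KEEP
# Keeps the KEEP newest EXPORTDB_*.tgz archives in DIR (newest by mtime) and
# deletes the rest together with their .sha256 files. Prints how many were removed.
prune_old_backups() {
    dir=$1
    keep=$2
    removed=0
    # ls -t lists newest first; tail drops the first KEEP entries (paths have no spaces)
    for old in $(ls -t "$dir"/EXPORTDB_*.tgz 2> /dev/null | tail -n +$((keep + 1))); do
        rm -f "$old" "$old.sha256"
        removed=$((removed + 1))
    done
    echo "$removed"
}

# Usage after the export has run, e.g. from the same cron job:
#   verify_and_prune.sh /BACKUPS_FOLDER 8     (keep the 8 newest weekly archives)
if [ $# -eq 2 ]; then
    latest=$(ls -t "$1"/EXPORTDB_*.tgz 2> /dev/null | head -n 1)
    verify_backup "$latest" && echo "removed $(prune_old_backups "$1" "$2") old archive(s)"
fi
```

Running the verification right after migrate export turns a silently empty or truncated archive into a failing cron job, which is the moment you want to learn about it rather than on the day of a reinstall.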

Reinstall SMS server using the database backup


Labels: Checkpoint, Checkpoint Firewall Troubleshooting

Checkpoint Nagios plugin to monitor VS active connections



Having the active connections of our Checkpoint VSX Virtual Systems under control can be very important to avoid problems, configure a higher connection limit and be ready for growth (and so scale our environment).
Nagios and SNMP can be used to configure a VS connection monitor plugin.

Steps needed to configure the plugin:

1. SNMP OID for virtual systems active connections
2. Develop a script to be used as a Nagios plugin
3. Configure Nagios to use a new check command
4. Configure Nagios service using the new check command

SNMP OID/MIB for virtual systems active connections

We can use either the OID (.1.3.6.1.4.1.2620.1.16.23.1.1.2) or the MIB object name (vsxCountersConnNum). To download the MIB, see sk90470.

# /usr/bin/snmpwalk -v1 -c public vsx1 .1.3.6.1.4.1.2620.1.16.23.1.1.2

# /usr/bin/snmpwalk -v1 -c public vsx1 vsxCountersConnNum

This OID/object shows the active connections for the physical VSX (vsxCountersConnNum.1.0) and for each virtual system (e.g. vsxCountersConnNum.2.0 for VS1, ...).

Very important! If the queries unexpectedly return the value 0, look at this post:
Checkpoint SNMP return 0 value when querying virtual systems

This snmpwalk command is the main element of our plugin script.

Develop a script to be used as a Nagios plugin

This is the check_fw_vs_connections.sh script (download it here):

#!/bin/bash
# Nagios plugin: active connections of a Checkpoint VSX virtual system via SNMP
# Usage: check_fw_vs_connections.sh <host> <vs index, e.g. 2.0> <warning> <critical>

HOST=$1
VS=$2
LIMIT=$3
LIMIT2=$4

if [ $# -ne 4 ]
then
    echo "UNKNOWN: usage: $0 <host> <vs> <warning> <critical>"
    exit 3
fi

SNMP=`/usr/bin/snmpwalk -v1 -c public $HOST vsxCountersConnNum.$VS 2> /dev/null`
if [ $? -ne 0 ]
then
    echo "UNKNOWN: No SNMP response from $HOST"
    exit 3
fi

# The value is the 4th field of the snmpwalk line ("<object> = <type>: <value>")
RESULT=`echo $SNMP | awk '{ print $4 }' 2> /dev/null`

# Guard against an empty or non-numeric value (e.g. "No Such Instance")
# so that the numeric comparisons below do not fail with a shell error
case "$RESULT" in
    ''|*[!0-9]*)
        echo "UNKNOWN: Unexpected SNMP value '$SNMP' from $HOST"
        exit 3
        ;;
esac

if [ $RESULT -gt $LIMIT2 ]
then
    echo "CRITICAL: More than $LIMIT2 connections ($RESULT)|conns=$RESULT"
    exit 2
fi

if [ $RESULT -gt $LIMIT ]
then
    echo "WARNING: More than $LIMIT connections ($RESULT)|conns=$RESULT"
    exit 1
fi

echo "OK: $RESULT connections|conns=$RESULT"
exit 0

The script receives the host, the virtual system, and the warning and critical number of connections; it returns the exit code Nagios expects, and its output shows a message and sends performance data (to generate the graphs).

To be available to Nagios (in my Centreon setup) the plugin must be copied to /usr/lib/nagios/plugins.

Don't forget to chmod +x the file to give it execution permissions.

debiannagios:~# /usr/lib/nagios/plugins/check_fw_vs_connections.sh vsx1 3.0 1000 500
CRITICAL: More than 500 connections (80059)|conns=80059
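The check logic of the plugin, rewritten here as an added example (not the blog's script) so it can be tested without a live VSX: the snmpwalk line is parsed and classified by separate functions, and a constructed snmpwalk output line stands in for the real query. Two differences from the script above are design choices of this example: thresholds are rejected when warning is not lower than critical (the sample run above passes 1000 and 500 in that order), and a count of 0 is reported as UNKNOWN rather than OK, because of the SNMP zero-value problem the post links to.

```shell
#!/bin/bash
# Added example, not the blog's plugin: the check logic of
# check_fw_vs_connections.sh split into functions so it can be tested offline.
# The snmpwalk output lines used in comments and tests are constructed.

# parse_snmp_value "<snmpwalk output line>"
# Prints the integer after the last ':' of a line such as
#   CHECKPOINT-MIB::vsxCountersConnNum.2.0 = INTEGER: 80059
# and prints nothing for an empty line, "No Such Instance ..." or other text.
parse_snmp_value() {
    printf '%s\n' "$1" | sed -n 's/^.*: *\([0-9][0-9]*\) *$/\1/p'
}

# classify COUNT WARN CRIT
# Prints the Nagios status line (with perfdata) and returns the Nagios exit
# code: 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN.
classify() {
    count=$1 warn=$2 crit=$3
    if [ "$warn" -ge "$crit" ]; then
        echo "UNKNOWN: warning threshold ($warn) must be lower than critical ($crit)"
        return 3
    fi
    case "$count" in
        '' | *[!0-9]*)
            echo "UNKNOWN: no numeric connection count from SNMP"
            return 3 ;;
        0)
            # Design choice of this example: a VS reporting 0 connections is far
            # more likely the SNMP zero-value problem than an idle VS, so surface
            # it instead of graphing a flat zero as OK.
            echo "UNKNOWN: SNMP returned 0 connections, check the VS SNMP query|conns=0"
            return 3 ;;
    esac
    if [ "$count" -gt "$crit" ]; then
        echo "CRITICAL: More than $crit connections ($count)|conns=$count"
        return 2
    elif [ "$count" -gt "$warn" ]; then
        echo "WARNING: More than $warn connections ($count)|conns=$count"
        return 1
    fi
    echo "OK: $count connections|conns=$count"
    return 0
}

# check_vs_line "<snmpwalk line>" WARN CRIT
# Glue between the two functions; in a real plugin the line would come from
# snmpwalk -v1 -c public $HOST vsxCountersConnNum.$VS instead of a constant.
check_vs_line() {
    classify "$(parse_snmp_value "$1")" "$2" "$3"
}

# Stand-alone demo with a constructed line; the exit code is the Nagios state.
if [ "${1:-}" = "--demo" ]; then
    check_vs_line 'CHECKPOINT-MIB::vsxCountersConnNum.2.0 = INTEGER: 80059' 100000 200000
fi
```

Keeping the parsing and the threshold logic in functions is what makes the plugin testable from a shell without SNMP access, and it also makes the "No Such Instance" and zero-value cases explicit instead of falling through to a shell error or a misleading OK.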

Configure Nagios to use a new check command

After creating the script and copying it to the Nagios plugins folder, the new check command can be configured, in the Configuration / Commands / Checks section.

For Centreon:

Assign a name and configure this command line (the parameters of the script; the first one is assigned by Nagios using the host value):

$USER1$/check_fw_vs_connections.sh $HOSTADDRESS$ $ARG1$ $ARG2$ $ARG3$

For standard Nagios (checkcommands.cfg):

define command{
    command_name    check_fw_vs_connections
    command_line    $USER1$/check_fw_vs_connections.sh $HOSTADDRESS$ $ARG1$ $ARG2$ $ARG3$
}

Configure Nagios service using the new check command


Centreon:

Check Command: The value should be the name assigned to the command (check_fw_vs_connections)

Args: Will contain 3 parameters, starting with and separated by the character '!'

Param 1: VS (remember 1.0 is the VSX itself, 2.0 is VS1)
Param 2: Warning connections limit
Param 3: Critical connections number

For standard Nagios (services.cfg):

define service{
    host_name               Checkpoint_VSX1, Checkpoint_VSX2
    service_description     Conns EXTERNAL
    _SERVICE_ID             202
    use                     SRV_TEMPLATE_1min
    check_command           check_fw_vs_connections!2.0!100000!200000
}

This example, !2.0!100000!200000, is for Virtual System 1: when connections are under 100000 the state is OK, between 100000 and 200000 it is WARNING, and more than 200000 is CRITICAL.

After restarting the Nagios services, the connections should be monitored and the graphs generated within some minutes.


Labels: Checkpoint, Checkpoint Firewall Troubleshooting

Checkpoint Proxy ARP for manual NAT on VSX



In my post Checkpoint Automatic NAT vs Manual NAT I explained both types of NAT, clarifying that Manual NAT makes the Proxy ARP entry configuration necessary. This example is for a Checkpoint VSX cluster scenario.
This is the example that was used:

The IP that should be configured to answer ARP requests is 80.80.100.100 (no server in my environment has this IP configured, but the Proxy ARP entry will allow the firewall to manage and NAT the packets sent to that IP).

The entry "links" the IP address with the MAC address of the interface that should manage the packet. There is a file that contains all those entries: $FWDIR/conf/local.arp

So, we have to:

1. Configure the Policy Global Properties to make this work (only once)
2. Log in to expert mode and edit $FWDIR/conf/local.arp (if it does not exist, create it) on all cluster nodes.
3. Install the corresponding policy

Configure the Policy Global Properties

When "Merge manual proxy ARP configuration" is unchecked the local.arp file is ignored.
So ensure this option is checked:

Add the entry to the local.arp file

Change to the virtual system where the NAT is performed (this is my perimeter FW, VS1):

[Expert@vsx1:0]# vsenv 1
Context is set to Virtual Device VSX1_EXTERNAL (ID 1).

This is my way to find the MAC address. Surely there are more (and/or better) ways:

[Expert@vsx1:1]# ifconfig | grep 80.80.100 -B 1
wrp65     Link encap:Ethernet  HWaddr 00:22:F1:21:C0:0B
          inet addr:80.80.100.10  Bcast:80.80.100.255  Mask:255.255.255.0

Add the entry to the file:

[Expert@vsx1:1]# echo "80.80.100.100 00:22:f1:21:c0:0b" >> $FWDIR/conf/local.arp
[Expert@vsx1:1]# cat $FWDIR/conf/local.arp
80.80.100.100 00:22:f1:21:c0:0b

Be careful when adding the entry on all nodes:
Each of them has its own MAC address. Don't copy & paste the same line into all the local.arp files.
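Because each cluster member needs its own MAC in local.arp, here is an added example (not from the original post) of a check that compares every entry of local.arp with the MACs present in this node's ifconfig output before the policy is installed; a line copied from another node shows up as FOREIGN MAC, and a malformed entry as BAD FORMAT. The local.arp contents and ifconfig output embedded below are constructed for the example; on a real node the file and the live ifconfig output are passed instead.

```shell
#!/bin/bash
# Added example, not from the original post: check a local.arp file against
# the MAC addresses of this node's interfaces, so that a line copied from
# another cluster member (wrong MAC) is caught before the policy is installed.

# node_macs "<ifconfig output>"
# Prints the lower-cased MAC address of every interface line with "HWaddr".
node_macs() {
    printf '%s\n' "$1" | awk '/HWaddr/ { print tolower($NF) }'
}

# check_local_arp "<local.arp contents>" "<ifconfig output>"
# Prints one line per entry (OK / BAD FORMAT / FOREIGN MAC) and returns the
# number of problematic entries (0 means the file is consistent with this node).
check_local_arp() {
    arp=$1
    macs=$(node_macs "$2")
    bad=0
    while read -r ip mac rest; do
        [ -z "$ip" ] && continue              # blank line
        case "$ip" in \#*) continue ;; esac   # comment line
        mac=$(printf '%s' "$mac" | tr 'A-F' 'a-f')
        if ! printf '%s' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
           || ! printf '%s' "$mac" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'; then
            echo "BAD FORMAT: $ip $mac"
            bad=$((bad + 1))
        elif ! printf '%s\n' "$macs" | grep -qx "$mac"; then
            echo "FOREIGN MAC: $ip $mac is not on any interface of this node"
            bad=$((bad + 1))
        else
            echo "OK: $ip -> $mac"
        fi
    done <<EOF
$arp
EOF
    return "$bad"
}

# Constructed sample data (not captured from a real node): the second entry
# uses upper-case hex, the third belongs to another node, the fourth is malformed.
SAMPLE_LOCAL_ARP='80.80.100.100 00:22:f1:21:c0:0b
80.80.100.101 00:22:F1:21:C0:0C
80.80.100.102 00:22:f1:21:c0:99
80.80.100.1x3 00:22:f1:21:c0:0b'
SAMPLE_IFCONFIG='wrp65     Link encap:Ethernet  HWaddr 00:22:F1:21:C0:0B
          inet addr:80.80.100.10  Bcast:80.80.100.255  Mask:255.255.255.0
wrp66     Link encap:Ethernet  HWaddr 00:22:F1:21:C0:0C
          inet addr:10.10.10.10  Bcast:10.10.10.255  Mask:255.255.255.0'

# Usage on a VSX node in the right vsenv:  check_local_arp.sh $FWDIR/conf/local.arp
# Usage offline with the sample above:     check_local_arp.sh --demo
if [ "${1:-}" = "--demo" ]; then
    check_local_arp "$SAMPLE_LOCAL_ARP" "$SAMPLE_IFCONFIG"
elif [ -n "${1:-}" ]; then
    check_local_arp "$(cat "$1")" "$(ifconfig)"
fi
```

Run it inside the same vsenv as the virtual system whose interfaces own the MACs, since the ifconfig output differs per virtual system; a non-zero exit is the signal to fix local.arp before installing the policy.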

Install the corresponding policy

Install the policy of the affected virtual system:

Other scenarios

Be aware that this configuration is valid for virtual systems in a VSX cluster environment.
Check the official SK30197 for more scenarios.


Labels: Checkpoint, Checkpoint Firewall Troubleshooting

Checkpoint Reinstall SMS using configuration backup



Last week my SmartCenter server became corrupted (the filesystem) and I could not install any firewall policy (the Checkpoint software could not find some needed inodes).

Fortunately I periodically perform Checkpoint configuration backups (using the migrate export utility) this way -> Checkpoint Schedule management database backup

These are the steps to get a working SMS again:

1. Pre-install steps
2. Install Checkpoint 1: Install the GAIA OS
3. Install Checkpoint 2: Install the Checkpoint SW
4. Import the Checkpoint configuration backup
5. Post-install steps

Pre-install steps

It is evident, but we need a new machine to be used as the SMS server. As a best practice, if a virtual environment is available, the best solution is to generate a new virtual machine so the recovery can be finished as soon as possible.
If there is no choice the same machine can be used (I completely discourage it). Anyway, try to save the data you may otherwise miss (scripts, patches) to another path, if you can still access the old server. The backup is supposed to be in another secure path already.

Finally, shut off the old server if it is still on the network (or, for a virtual machine, change its network to a test one to isolate it).

After that, get the Checkpoint ISO (the same version that was installed) and boot it on the new machine. So the installation starts.

Install Checkpoint 1: Install the GAIA OS

The boot menu: Install Gaia

Ok, proceed
Keyboard selection

Disk partitioning: leave it by default or customize it. After the installation I add a new disk with more space to store the logs, so I don't think much about this configuration.

Choose a password to access the SMS server via SSH or the web GUI

Choose the same management IP as the old server!

Ok, proceed if you are sure

So the GAIA OS packages and software will be installed

After the installation a reboot is required, and then we can access the GAIA web portal

Install Checkpoint 2: Install the Checkpoint SW

The first time configuration wizard lets us configure some basic parameters and finally install the Checkpoint software layer

"Continue with Gaia configuration"

Configure the same parameters as the old server. It is especially important that the hostname is the same (like the management IP)!
Again configure the same management IP. (This screenshot shows empty fields, but they are prefilled with the IP configured in the previous step.)

We want to install a "Security Gateway or Security Management"

Date/time. Use NTP if possible (you may configure it later).

Now we select which Checkpoint SW modules will be installed: "Security Management" as "Primary"

Username and password to manage the SmartCenter consoles

Filter the access to the Security Management GUI clients

After completing the installation we have a fully functional SMS server, but with empty firewall policies, databases, etc.

Import the Checkpoint configuration backup

CONNECT TO THE SMS VIA SSH

Connect via SSH to the SMS server, establish an expert password and enter expert mode

SMS> set expert-password
Enter new expert password:
Enter new expert password (again):
SMS> expert
Enter expert password:

Warning! All configuration should be done through clish

You are in expert mode now.

[Expert@SMS:0]#

COPY THE BACKUP FILE

Copy the backup of the Checkpoint configuration to the SMS server (via SCP, for example, if the backup is located on another Linux machine)

[Expert@SMS:0]# scp root@MYLINUXSERVER:/var/backups/EXPORTDB_2016-04-18.tgz .
root@MYLINUXSERVER's password:
EXPORTDB_2016-04-18.tgz    4%   19MB  9.3MB/s   00:46 ETA
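Since the hostname and the management IP must match the old server before the import, here is an added example (not from the original post) of a gate script to run on the new SMS before migrate import. It checks those two values and that the copied archive still hashes to the checksum recorded on the backup server, so a partial SCP transfer is noticed before the services are stopped. The expected hostname/IP and the ip addr output are passed in as arguments so the checks can be exercised with constructed input; the use of ip -4 addr and of a .sha256 file copied beside the archive are assumptions of this example.

```shell
#!/bin/bash
# Added example, not from the original post: gate checks to run on the new SMS
# before "migrate import". The post stresses that the hostname and management IP
# must equal the old server's; this script makes that a hard check and also
# verifies the copied archive against the checksum recorded on the backup server.
# Assumptions: "ip -4 addr" is available on Gaia and a FILE.sha256 sidecar
# (one hex digest) was copied together with the archive.

# has_ip "<ip addr output>" IP
# Succeeds if IP is configured on any interface ("inet 10.0.0.10/24 ..." lines).
has_ip() {
    pattern="inet $(printf '%s' "$2" | sed 's/\./\\./g')/"
    printf '%s\n' "$1" | grep -Eq "$pattern"
}

# archive_matches FILE EXPECTED_SHA256
# Succeeds when FILE hashes to EXPECTED_SHA256.
archive_matches() {
    actual=$(sha256sum "$1" | awk '{ print $1 }')
    [ "$actual" = "$2" ]
}

# pre_import_checks CURRENT_HOSTNAME EXPECTED_HOSTNAME "<ip addr output>" EXPECTED_IP FILE EXPECTED_SHA256
# Prints one line per check and returns the number of failed checks (0 = safe to import).
pre_import_checks() {
    failed=0
    if [ "$1" = "$2" ]; then
        echo "OK: hostname is $1"
    else
        echo "FAIL: hostname is $1, expected $2"
        failed=$((failed + 1))
    fi
    if has_ip "$3" "$4"; then
        echo "OK: management IP $4 is configured"
    else
        echo "FAIL: management IP $4 is not configured on any interface"
        failed=$((failed + 1))
    fi
    if [ -s "$5" ] && archive_matches "$5" "$6"; then
        echo "OK: $5 matches the recorded checksum"
    else
        echo "FAIL: $5 is missing or its checksum does not match"
        failed=$((failed + 1))
    fi
    return "$failed"
}

# On the new SMS in expert mode the live values would be supplied like this
# (old hostname, old management IP and archive name are placeholders):
#   pre_import_checks "$(hostname)" OLD_SMS_HOSTNAME "$(ip -4 addr)" OLD_MGMT_IP \
#       EXPORTDB_2016-04-18.tgz "$(cat EXPORTDB_2016-04-18.tgz.sha256)"
```

The checksum is the one produced on the backup server when the archive was written; comparing it here is what tells a truncated or wrong-file copy apart from a good one before migrate import stops every Check Point service.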

IMPORT THE BACKUP

This will stop the Check Point services, import all the configuration (policies, databases, objects) and start the services again

[Expert@SMS:0]# $FWDIR/bin/upgrade_tools/migrate import EXPORTDB_2016-04-18.tgz

Extracting the database...

The import operation will stop all Check Point services (cpstop).
Do you want to continue? (y/n) [n]? y
cpwd_admin:
Process DASERVICE terminated
cpwd_admin:
Process SMARTLOG_SERVER isn't monitored by cpWatchDog. Stop request aborts
UEPM: Endpoint Security Management isn't activated
Management Portal: Stopping CPWMD
cpwd_admin:
Process CPWMD terminated
Management Portal: Stopping CPHTTPD
cpwd_admin:
Process CPHTTPD terminated
evstop: dbsync stopped
evstop: Stopping product - SmartEvent Server
evstop: Stopping product - SmartEvent Correlation Unit
Check Point SmartEvent Correlation Unit stopped
Check Point SmartEvent Server stopped
Stopping SmartReporter...
Stopping the SmartReporter Server.
Stopping the SmartReporter Log Consolidator.
Stopping SmartReporter Database.
Note: Database shutdown takes a few minutes. rmdstart will fail while
shutdown is in progress.
SmartView Monitor: Management stopped
VPN-1/FW-1 stopped
Multi portal stopped
Local host is not a FireWall-1 module
SVN Foundation: cpd stopped
SVN Foundation: cpWatchDog stopped
SVN Foundation: Stopping PostgreSQL Database
SVN Foundation stopped
Importing files...

The import operation completed successfully.

Do you wish to start Check Point services? (y/n) [y]? y

Post install steps


ADD LOST RULES AND POLICIES

Maybe you have lost changes made between the backup and the crash. If possible (from documentation, emails), add those changes again.

CONFIGURE LOST SERVER PARAMETERS

For example, I had to configure some OS-level parameters to make the DHCP Relay work. Fortunately, I had documented that change.

RECONFIGURE SCRIPTS AND SCHEDULED TASKS

Don't forget to reconfigure scheduled tasks like backups, log rotation and NTP time synchronization.


Labels: Checkpoint, Checkpoint Firewall Troubleshooting
