Netl33ts

Juniper SRX random troubleshooting commands

2012-02-15T12:48:00.002-08:00

view available storage: show system storage
Reboot: request system reboot
verify system version: show version

interface config: configure
edit interfaces ge-1/0/0
set unit 0 family inet address 122.16.2.1/24

view interface info: run show interfaces terse
view routes: show route hidden extensive

add host object: edit security zones security-zone DMZ
edit address-book
set address net-172.16.10.0_24 172.168.10.0/24
top

how to view logs: show log messages. If a seperate traffic log is defined: show log traffic-log

Local Upgrade: request system software add no-validate no-copy unlink
ftp upgrade: request system software add ftp://:@192.168.186.208/junos-srxsme-10.4R5.5-domestic.tgz no-validate no-copy unlink
Where are ftp firmware upgrades downloaded to: /cv/var/tmp and then loaded to /cf/packages

configure webui:
set system services web-management http
set system services web-management http interface ge-0/0/0.0
set system services web-management https system-generated-certificate
set system services web-management https interface ge-0/0/0.0

nat order
1. Static NAT rules
2. Destination NAT rules
3. Route lookup
4. Security policy lookup
5. Reverse mapping of static NAT rules
6. Source NAT rules

order of operations: > SCREEN -> Dst NAT -> Route -> Zones -> Security Policy -> Src NAT -> Services ALG -> Session

Juniper SRX VPN troubleshooting

2012-02-15T12:47:00.002-08:00

phase 1:
> show security ike security-associations
> show security ike security-associations index <#> detail

Clear:

> clear security ike

Phase 2:
> show security ipsec security-associations
> show security ipsec security-associations index <#> detail
> show security ipsec statistics
> show security ipsec statistics index <#>

Clear:

> clear security ipsec security-associations index <#>

vpn logs: show log kmd | match 1.1.1.2
show log kmd | find 1.1.1.2

Determining if a Nokia appliance is Disk or Flash based

2012-02-15T12:43:00.000-08:00

Voyager:

When you login look at the Model Number and will show if Disk or Flash Based.

CLI

fw[admin]# clish -c "show asset software"

For example
fw[admin]# clish -c "show asset software"
IP390 (Flash Based)
IP39

Proxy Arp configurations in SPLAT

2012-02-15T12:39:00.004-08:00

For auto nats do the following:

In Policy > Global Properties, select Automatic ARP configuration

For manual nats do the following:

In Policy > Global Properties, select Automatic ARP configuration

Also select "Merge manual proxy ARP configuration"

Next select "Translate destination on client side"

Add the arp entries to the following file (if the file does not exist, it will be created):

$FWDIR/conf/local.arp

192.31.224.20 00:1C:6F:20:64:E1
192.31.224.22 00:1C:6F:20:64:E1
192.31.224.23 00:1C:6F:20:64:E1
192.31.224.24 00:1C:6F:20:64:E1
192.31.224.25 00:1C:6F:20:64:E1
192.31.224.26 00:1C:6F:20:64:E1
192.31.224.28 00:1C:6F:20:64:E1
192.31.224.29 00:1C:6F:20:64:E1
192.31.224.30 00:1C:6F:20:64:E1

How to turn on VMAC for Cluster XL in Splat

2012-02-15T12:38:00.002-08:00

To enable virtual mac:

fw ctl set int fwha_vmac_global_param_enabled 1

To disable virtual mac:
fw ctl set int fwha_vmac_global_param_enabled 0

Checkpoint: How to determine if CoreXL is active.

2011-11-15T13:43:00.001-08:00

'fw ctl multik stat'

It can be toggled on or off via cpconfig.

Checkpoint: The case of the missing policy

2011-11-15T13:41:00.001-08:00

I recently had an issue with a new Checkpoint R71.30 cluster where the secondary cluster member would randomly lose its policy (fw stat would show initial policy). Upon rebooting, SIC would break and whenever I would run "cpconfig" I would get the following error:

[admin]# cpconfig
cpinst Error: Host name resolution for .
Local host name resolution is required for normal Check Point Security Gateway operation
Please correct this error and run cpstart again:

I then made the mistake of updating the /etc/hosts file with the host name of the firewall, which would resolve the error temporarily. However the next time the firewall would reboot, it would lose its host name again.

It was discovered that the issue was 2 fold.
#1- The firewall was shipped with R70, R71, and R75 packages. And even through clish and Voyager showed that only the desired R71 packages were loaded, the dbget command showed that they were all active. Removing the unnecessary packages solved the policy issue.

dbget -v dynamic:pkgadd
dynamic:pkgadd:CPNGXCMP-R70-00 t
dynamic:pkgadd:CPNGXCMP-R71-00 t
dynamic:pkgadd:CPNGXCMP-R75-00 t
dynamic:pkgadd:CPR71CMP-R75-00 t
dynamic:pkgadd:CPSG80CMP-R75-00 t
dynamic:pkgadd:CPV40Cmp-R70-00 t
dynamic:pkgadd:CPV40Cmp-R71-00 t
dynamic:pkgadd:CPV40Cmp-R75-00 t
dynamic:pkgadd:CPinfo-10-00 t
dynamic:pkgadd:CPsuite-R70-00 t
dynamic:pkgadd:CPsuite-R71-00 t
dynamic:pkgadd:CPsuite-R75-00 t
dynamic:pkgadd:CPuag-R70-00 t
dynamic:pkgadd:CPuag-R71-00 t
dynamic:pkgadd:CPuag-R75-00 t
dynamic:pkgadd:CPvsxngxcmp-R70-00 t
dynamic:pkgadd:Nokinstall6.0-6.0-00 t

#2- The firewall was losing its host name because the host name was never configured in Voyager. Using the linux method will cause the device to lose its config upon reboot.

How to display the number of Cores in IPSO

2011-11-15T13:38:00.000-08:00

sysctl -a | egrep -i 'hw.machine|hw.model|hw.ncpu'

dmesg | grep -i cpu

fw1[admin]# sysctl -a | egrep -i 'hw.machine|hw.model|hw.ncpu'
hw.machine: i386
hw.model: Intel(R) Xeon(R) CPU @ 2.00GHz
hw.ncpu: 2
hw.machine_arch: i386

fw1[admin]# dmesg | grep -i cpu
CPU: Intel(R) Xeon(R) CPU @ 2.00GHz (1995.01-MHz 686-class CPU)
FreeBSD/SMP: Multiprocessor System Detected: 2 CPUs
cpu0 (BSP): APIC ID: 0
cpu1 (AP): APIC ID: 1
cpu0: on acpi0
coretemp0: on cpu0
acpi_throttle0: on cpu0
cpu1: on acpi0
coretemp1: on cpu1
SMP: AP CPU #1 Launched!

Bluecoat: How to upload an accelerated PAC file

2011-11-15T13:35:00.001-08:00

ssh to the appliance.

#inline accelerated-pac eof

eof

Palo Alto: Where did all the service objects go?

2011-11-15T13:03:00.001-08:00

Palo Alto prefers you to use Application Objects, which uses more than destination ports as its determining factor.

Instead, it uses application characteristics, signature conditions, and patterns to identify an application. In the event that you are attempting to provide access to a less common application, and an Application Object does not exist, you can either utilize service objects, in a more traditional setup, or you can define a custom Application Object

Palo Alto: How to configure an interface

2011-11-15T13:02:00.003-08:00

Interfaces are configures on the Network > Interfaces screen.

Select the desired interface.

The configuration settings available depend on the interface type selected. For example, if this will be an L2 (Layer 2) interface, IP Address settings are not available. By selecting L3, IP address settings become available.

Speed, duplex, and MTU are also configured here.

And much like ScreenOS, the security zone and virtual router are also selected here.

Palo Alto: How to perform a Configuration Diff

2011-11-15T13:02:00.001-08:00

Config diffs are done in Device> Config audit.

The Context option defines how many lines before and after the diff matches are displayed

Palo Alto:Changing the display mode to view set commands

2011-11-15T13:01:00.000-08:00

Changing config display mode
The default view for displaying the running config is a hierarchical view. To view the configuration in a flat command format (think "display set" in Juniper SRX), you must change the default display format.

To display the config in a set format

set cli configuration-output-format set

The display set output can be viewed from config mode.

Palo Alto: SSL Decryption

2011-11-15T12:59:00.000-08:00

Decryption:

Decryption is primarily used to apply policy to encrypted traffic.

Inbound, we have to load the cert on the firewall

Outbound, we have to proxy the connection

Configured under Policies > Decryption

Types of Decryption policies:

SSL Forward Proxy- the policy will decrypt client trffic destined for an external server

SSH Proxy- Decrypt SSHv2 traffic. Can control policy by using the SSH-Tunnel App-ID

SSL Inbound- decrypt SSL inbound

Some nonrfc compliance apps or client side certs will not work. Failed apps are cached for 12 hours, at which time the firewall will not attempt to decrypt. To view excluded sites: show system setting ssl-decrypt exclude-cache

CLI:

confirm proxy is ready: show system setting ssl-decrypt setting

show counter global filter category proxy

debug dataplane pool statistics

Importing, Exporting and Generating Security Certificates
Device > Certificates

Palo Alto: Useful User Identification Commands and Troubleshooting

2011-11-15T12:57:00.000-08:00

User Awareness, is a UTM 2.0 feature that identifies traffic patterns and flows by user names instead of IPs, like traditional firewalls. It works with LDAP, Radius, or Kerberos, to identify users.

This allows policies to be enforced on users, no matter were they reside. It also makes policy management and remediation much easier.

User Awareness is configured in the Server Profiles section of the Management Console.

Additionally, the security zone must be configured to utilize User Awareness (select the box that says User User Identification).

User-ID maps user/groups to Ip address.

The User Agent (PANAgent.exe) is installed on the Domain Controller and listens for auth requests. It then maps the Ip to the User and sends that info to the Palo Alto.

Once the info is received by Palo Alto, it is cached and security policies can be written.

The PAN Agent log can be checked for AD specific events. The agent must have rights to read the security log.

Each domain must use a separate agent.

AD log codes:

On Windows 2003 DCs:

• 672 (Authentication Ticket Granted, which occurs on the logon moment),

• 673 (Service Ticket Granted)

• 674 (Ticket Granted Renewed which may happen several times during the logon session)

On Windows 2008 DCs:

• 4768 (Authentication Ticket Granted)

• 4769 (Service Ticket Granted)

• 4770 (Ticket Granted Renewed)

What does the user agent do?

1. Read Security logs

2. Monitor Open Server Sessions

3. WMI Probe (Windows Management Instrumentation). The WMI consults the client machine locally-maintained login information. WMI must be enabled on each client and netbios must be allowed. This method works well for users who are docked when they authenticate and then undock and use wireless.

Once User Identification takes place, the ACC, App_scope, and Logs will contain User info

Useful commands:

show user pan-agent statistics

show user pan-agent user-IDs

debug device-server dump user-group name

show user ip-iser mapping

show user ip-user mapping ip

debug device-server set agent (all/basic/conn/detail/group/ntlm/sslvpn/tsa)

Palo Alto: How to configure site to site VPN tunnels

2011-11-15T12:54:00.001-08:00

Site to Site VPN configuration:

1. Configure a Tunnel Interface (Network> Interface > New: Tunnel Interface)

A. The zone will be the zone that the local peer gateway resides on (typically Untrust)

2. Create an Ike Gateway (Network >Network Profiles > Ike Gateway > new)

3. Create an IPSec Tunnel (Network > Ipsec Tunnels > New)

A. Select the Tunnel interface configured in step 1.

B. Select the Ike gateway created in step 2.

C. The local IP address would be the local gateway IP

D. Under advanced options, IKE and IPSEC profiles can be selected and/or created (this is where the encryption and has methods are defined).

E. Enter the Preshared Key

4. Add routes for the remote encryption domain(s) (Network > Virtual Routers > )

A. Select the tunnel interface and click Add

B. Enter the remote encryption domain, select the tunnel interface, enter the gateway address (typically the default gateway).

5. Create access rules to filter the VPN traffic.

A. VPN protocols must be allowed between peers

B. Access rules can be used to filter VPN traffic

Logging and troubleshooting:

Monitor > Logs > System will display negotiation errors.

A filter can be added for either the IPSEC tunnel name (in the object column) or the peer ip (in the description column).

Phase 1 success will say "ike-nego-p1-succ" in the Event column

Phase 2 success will say "ike-nego-p2-succ" in the Event column

Network > Network Profiles > Monitor

A tunnel monitor profile specifies how the firewall monitors IPSec tunnels and the actions that are taken

if the tunnel is not available. Tunnel monitor profiles are optional, but can be useful, for example, if you

want to be able to provide failover in the event of tunnel failure.

After creating a tunnel monitor profile, you can select it in the advanced options section of the IPSec

Tunnels page. The firewall then monitors the specified IP address through the tunnel to determine if the

tunnel is working properly.

Network > IPSec Tunnels

To view the status of currently defined IPSec VPN tunnels, open the IPSec Tunnels page. The

following status information is reported on the page:

• Tunnel Status (first status column)—Green indicates an IPSec SA tunnel. Red indicates that

IPSec SA is not available or has expired.

• IKE Gateway Status—Green indicates a valid IKE phase-1 SA. Red indicates that IKE phase-1

SA is not available or has expired.

• Tunnel Interface Status—Green indicates that the tunnel interface is up (because tunnel monitor

is disabled, or because tunnel monitor status is UP). Red indicates that the tunnel interface is down,

because the tunnel monitor is enabled and the status is down.

Cli commands:

show vpn tunnel -view current tunnels

show vpn flow tunnel-id - show VPN specific info such as bytes

clear vpn ike-sa gateway all - Teardown a VPN

test vpn ipsec-sa tunnel - initiate Phase 1 and Phase 2 for a specified tunnel.

Palo Alto:How to test an access rule

2011-11-15T12:53:00.000-08:00

test security-policy-match from to application source destinaion protocol destination-port show-all yes

Will display all rules that allow the requested access

Sample output:

test security-policy-match from Trust-L3 to Untrust-L3 application dns source 192.168.1.2 destinaion 172.16.1.2 protocol 17 destination-port 53 show-all yes

"general internet" {

from Trust-L3;

source any;

source-region any;

to Untrust-L3;

destination any;

destination-region any;

user any;

application/service [http/any/any/any dns/any/any/any ];

action allow;

Cannot transfer large files when ICAP is enabled on the Proxy SG

2011-11-15T12:51:00.000-08:00

Turn on ICAP Feedback to prevent clients from timing out during a large file transfer.

Configuration > External Services > ICAP

Enable the "Provide feedback after x seconds" radio button. Then enable the "Trickle object data from the start" radio button.

There is also a known issue with IE 7 and IE 8 when popup blockers are turned off:
https://kb.bluecoat.com/index?page=content&id=KB4224&actp=search&viewlocale=en_US&searchid=1321389193624

How to change the port Voyager uses and turn off encryption

2011-10-25T03:17:00.000-07:00

To change the default Voyager port via clish:
Ipso pre 6.2: voyager -e 128 8080
Ipso 6.2 or higher: set voyager ssl-port 8080
save config

To turn off ssl encryption:
voyager -e 0 80

How many cores does my Nokia IP appliance have?

2011-10-25T03:13:00.000-07:00

The following commands will display the cores:
sysctl -a | egrep -i 'hw.machine|hw.model|hw.ncpu'
or
dmesg | grep -i cpu

Sample output:

fw1[admin]# sysctl -a | egrep -i 'hw.machine|hw.model|hw.ncpu'
hw.machine: i386
hw.model: Intel(R) Xeon(R) CPU @ 2.00GHz
hw.ncpu: 2
hw.machine_arch: i386

Checkpoint losing policy and host name resolution issues

2011-09-12T09:07:00.000-07:00

I recently had an issue with a new Checkpoint R71.30 cluster where the secondary cluster member would randomly lost its policy (fw stat would show initial policy). Upon rebooting, SIC would break and whenever I would run "cpconfig" I would get the following error:

[admin]# cpconfig
cpinst Error: Host name resolution for .
Local host name resolution is required for normal Check Point Security Gateway operation
Please correct this error and run cpstart again:

I then made the mistake of updating the /etc/hosts file with the host name of the firewall, which would resolve the error temporarily. However the next time the firewall would reboot, it would lose its host name again.

It was discovered that the issue was 2 fold.
#1- The firewall was shipped with R70, R71, and R75 packages. And even through clish and Voyager showed that only the desired R71 packages were loaded, the dbget command showed that they were all active. Removing the unnecessary packages solved the policy issue.

dbget -v dynamic:pkgadd
dynamic:pkgadd:CPNGXCMP-R70-00 t
dynamic:pkgadd:CPNGXCMP-R71-00 t
dynamic:pkgadd:CPNGXCMP-R75-00 t
dynamic:pkgadd:CPR71CMP-R75-00 t
dynamic:pkgadd:CPSG80CMP-R75-00 t
dynamic:pkgadd:CPV40Cmp-R70-00 t
dynamic:pkgadd:CPV40Cmp-R71-00 t
dynamic:pkgadd:CPV40Cmp-R75-00 t
dynamic:pkgadd:CPinfo-10-00 t
dynamic:pkgadd:CPsuite-R70-00 t
dynamic:pkgadd:CPsuite-R71-00 t
dynamic:pkgadd:CPsuite-R75-00 t
dynamic:pkgadd:CPuag-R70-00 t
dynamic:pkgadd:CPuag-R71-00 t
dynamic:pkgadd:CPuag-R75-00 t
dynamic:pkgadd:CPvsxngxcmp-R70-00 t
dynamic:pkgadd:Nokinstall6.0-6.0-00 t

#2- The firewall was losing its host name because the host name was never configured in Voyager. Using the linux method will cause the device to lose its config upon reboot.

Juniper SRX hide nats

2011-08-14T11:50:00.000-07:00

configure

***create a rule-set that defines the zones involved in the nat****
edit security nat source rule-set trust-to-internet
set from zone trust set to zone internet

****define the traffic that will be natted******
set rule internal-hide match source-address 192.168.15.0/24

***define the action******
set rule internal-hide then source-nat interface

show
commit

Juniper SRX packet captures

2011-08-14T11:23:00.000-07:00

1. Configure the forwarding options and limits

configure
set forwarding-options packet-capture file testcap1 pcap files 10 size 10000
set forwarding-options packet-capture maximum-capture-size 15002. Create your filter

set firewall filter PCAP term capture from source-address 192.168.1.1.32
set firewall filter PCAP term capture from destination-address 10.15.61.45/32
set firewall filter PCAP term capture from protocol tcp
set firewall filter PCAP term capture from destination-port 443
set firewall filter PCAP term capture then accept
set firewall filter PCAP term allow-all-else then accept

3. Define the interface(s) that will capture the trafffic
set interfaces ge-0/0/3 unit 0 family inet filter input PCAP
commit and-quit
**** input indicated to capture packets received. PCAP is the name of our firewall filter*****

4. Read the tcpdump file from the shell
start shell
cd /var/tmp
tcpdump –r pcap.ge-0.0.3

5. Cleanup
cli
configure
delete interfaces ge-0/0/3 unit 0 family inet filter input PCAP (stops the cap)
delete firewall filter PCAP (turns off the filter)
delete forward-options packet-capture
commit and-quit

% rm /var/tmp/pcap.ge-0.0.3.

How to configure J-web management from the SRX command line

2011-08-10T16:14:00.000-07:00

set system services web-management http

set system services web-management http interface ge-0/0/0.0
set system services web-management https system-generated-certificate
set system services web-management https interface ge-0/0/0.0

***To change port***

set system services web-management https port 8443

****To append "webui" to the management url (useful if ssl is in use***
set system services web-management https management-url webgui

set security zones security-zone trust host-inbound-traffic system-services http
set security zones security-zone trust host-inbound-traffic system-services https
set security zones security-zone trust interfaces ge-0/0/0.0

Cisco ASA: Installing Intermediate Certificates

2011-07-19T09:36:00.001-07:00

Installing Certificates

We will be installing a self signed certificate with an intermediate certificate to a root CA.

Terms:

An intermediate certificate is the certificate, or certificates, that go between your site (server) certificate and a root certificate.
The intermediate certificate, or certificates, completes the chain to a root certificate trusted by the browser.

Using an intermediate certificate means that you must complete an additional step in the installation process to enable your site certificate to be chained to the trusted root, and not show errors in the browser when someone visits your web site.

Installing your SSL Certificate in the Adaptive Security Device Manager (ASDM)

First we are installing the intermediate certificate. Save the intermediate certificate files to your local hard drive with an extension of .crt.
In ASDM select “Configuration” and then “Device Management.”
Expand “Certificate Management” and select “CA Certificates” and then “Add.”
With the option selected to “Install from a file”, browse to the *crt file and then click the “Install Certificate” button at the bottom of the "Install Certificate" window. Your Intermediate certificate file is now installed. You will now need to install the gs_sslcertificate.crt file.
Next we install the Identity Certificate. Save the intermediate certificate files to your local hard drive with an extension of .crt.
In ASDM select “Configuration” and then “Device Management”.
Expand “Certificate Management” and select “Identity Certificates”.
Select the appropriate identity certificate from when your CSR was generated (the “Issued By” field should show as not available and the “Expiry Date” field will show Pending…). Click the Install button.
Browse to the appropriate identity certificate (the gs_sslcertificate.crt provided by GlobalSign) and click “Install Certificate.” At this point you should receive confirmation that the certificate installation was successful.

Configuring WebVPN with ASDM to Use the New SSL Certificate

In ASDM select “Configuration” and then “Device Management”.
Click “Advanced” and then “SSL Settings”
From "Certificates," choose the interface used to terminate WebVPN sessions, and then choose “Edit”.
From the “Certificate” drop-down, select the newly installed certificate, then “OK”, and then “Apply” Configuring your certificate for use with the selected kind of WebVPN session is now complete.

SSL Certificate Installation from the Cisco ASA command line (alternate installation method)

From the ciscoasa(config)# line, enter the following text: crypto ca authenticate my.trustpoint
Where my.trustpoint is the name of trustpoint created when your certificate request was generated.
Next, enter the entire body of the *.crt intermediate certificate file followed by the word “quit” on a line by itself (the *.crt file can be opened and edited with a standard text editor, and the entire body of that file should be entered when prompted).
When asked to accept the certificate, enter “yes”.
When the certificate has been successfully imported, enter “exit”. Your Intermediate certificate file is now installed. You will now need to install the *.crt file.
From the ciscoasa(config)# line, enter the following text: crypto ca import my.trustpoint certificate
Where my.trustpoint is the name of trustpoint created when your certificate request was generated.
Next, enter the entire body of the *.crt file SSL Certificate file, followed by the word “quit” on a line by itself (the *.crt file can be opened and edited with a standard text editor, and the entire body of that file should be entered when prompted). You should then receive a message that the certificate was successfully imported.

Configuring WebVPN to Use the New SSL Certificate from the Cisco ASA command line

From the ciscoasa(config)# line, enter the following text:

ssl trust-point my.trustpoint outside
wr mem
Where my.trustpoint is the name of trustpoint created when your certificate request was generated and "outside" is the name of the interface being configured.
Make sure to save the configuration.

How to configure an AIP module on a Cisco ASA

2011-07-11T08:37:00.001-07:00

lab-us-atl-casa1# config t

lab-us-atl-casa1(config)# access-list IDP_ACL extended permit ip any any

Configure an ACL that identifies the traffic to be sent to the IPS

lab-us-atl-casa1(config)# class-map ips_class
lab-us-atl-casa1(config-cmap)# match access-list IDP_ACL
Create an IPS class map and attach the acl

lab-us-atl-casa1(config)# policy-map global_policy
lab-us-atl-casa1(config-pmap)# class ips_class
lab-us-atl-casa1(config-pmap-c)# ips inline fail-open
Create a policy map that defines attributes of the IDP

lab-us-atl-casa1(config-pmap-c)# service-policy global_policy global
Assign the policy map to a specific interface or globally

lab-us-atl-casa1(config-pmap-c)# exit
lab-us-atl-casa1(config-pmap)# exit
lab-us-atl-casa1(config)# wri mem

Juniper SRX- identifying files to be deleted

2011-06-29T11:00:00.000-07:00

Juniper SRX is notorious for not providing you enough disk space to use all software blades and hold multiple images for upgrades. As a result, you will find yourself on a mission to locate files to be deleted.

First identify disk space needs:
root@hasrx1> show system storage
node0:
--------------------------------------------------------------------------
Filesystem              Size       Used      Avail Capacity   Mounted on
/dev/da0s1a             293M       203M        67M       75% /
devfs                   1.0K       1.0K         0B      100% /dev
/dev/md0                566M       566M         0B      100% /junos
/cf                     293M       203M        67M       75% /junos/cf
devfs                   1.0K       1.0K         0B      100% /junos/dev/
procfs                  4.0K       4.0K         0B      100% /proc
/dev/bo0s3e              24M       176K        22M        1% /config
/dev/bo0s3f             342M       138M       177M       44% /cf/var
/dev/md1                168M        18M       136M       12% /mfs
/cf/var/jail            342M       138M       177M       44% /jail/var
/cf/var/log             342M       138M       177M       44% /jail/var/log
devfs                   1.0K       1.0K         0B      100% /jail/dev
/dev/md2                 39M       4.0K        36M        0% /mfs/var/run/utm
/dev/md3                1.8M       4.0K       1.7M        0% /jail/mfs
/dev/altroot            293M       203M        67M       75% /altroot

Next run a query to identify the largest files:
find -x /cf/var -type f -exec du -k {} \; | sort -n

Files can be removed using the RM command from the shell.

How to determine the path and interface of a host on SPLAT

2011-05-18T09:42:00.000-07:00

[Expert@lab1]# ip route get 192.168.1.1
192.168.1.10 via 192.168.19.38 dev eth2 src 192.168.19.1
cache mtu 1500 advmss 1460

How to ping the inside interface of an ASA through a VPN tunnel

2011-05-18T09:17:00.000-07:00

This is typically used for testing VPNS.

#conf t
(config)# management-access inside

Confused by all of the recent Checkpoint Releases? Check this out

2011-05-18T09:05:00.000-07:00

Installing A policy on NSM

2011-05-16T09:38:00.000-07:00

Prior to pushing a policy to a device from NSM, a Delta Config should be ran to identify the differences between the policy on NSM and the policy on the security device. To do so, select the device from Device Manager. Right click and select Summarize Delta Config. This may take as long as 5 minutes to run. When complete, it will display the differences between the 2 policies to ensure that the changes being implemented are correct.

Once the changes in the Delta Config are confirmed, you can push policy by right clicking on the device from Device Manager and choose Policy then Assign Policy.

Step backwards for VPN supernetting in R71

2011-05-11T12:03:00.000-07:00

It was recently brought to my attention that Checkpoint's infamous VPN supernetting in R71 can no longer be fixed by changing the VPN Advanced Tunnel Options to "1 VPN Per Pair of Hosts".

As with R55, you have to change the following:
$FWDIR/conf/Objects_5_0.C file. Change “Support Subnets for Key Exchange” to “false”.

It is also believed that migrated VPNS that were previously configured using the Advanced Tunnel Options retain their settings, but new VPNs will not work. If anyone has any more information on this, I would appreciate the input.

It is believed that R75 has gone back to the use of the Advanced VPN Tunnel Options setting.

"Cluster cannot be empty" or "only one interface defined" error on Checkpoint R70 and R71

2011-04-05T11:27:00.000-07:00

Checkpoint has confirmed that this is a bug that occurs occasionally when pushing policy to clusters.

Example:

Firewall and Address Translation Policy Verification: Verifier warnings: There is only one interface defined for object . At least one more interface must be configured for this object in order to use the Anti-Spoofing feature.

"Verifier warnings: A Cluster cannot be empty. It must have Cluster members"

To resolve the issue, open the cluster object for the gateway that you are pushing policy for,

and go into the Topology. Click OK, then OK on the Cluster object and Save. The error should go away.

If this does not fix the issue, the next step would be to perform another Get on the topology and restart the Management Station.

ERROR: This license does not allow configuring more than 2 interfaces with nameif and without a "no forward" command on this interface or on 1 interface(s) with nameif already configured.

2011-02-02T16:41:00.000-08:00

This error will occur during the configuration of a ne wVLAN on an ASA 5505.

This error occurs because there is only a Base license installed on the ASA. The license will need to be upgraded to a Security Plus license.

A base license will only allow 3 VLANS to be created.

Checkpoint R71 bug that will cause migrations to fail

2011-01-31T09:23:00.000-08:00

Checkpoint has acknowledged that there is a bug in R71 that will cause any policy migrations from older versions to fail if there is a tilde (~) in the name of a policy being migrated. This is true even if the policy is not used.
Therefore any policies with a tilde in the name should be renamed before migrating.

Where are database revision control files stored?

2011-01-24T12:01:00.001-08:00

$FWDIR/conf/db_versions/repository/

Static many-to-one nats on a Cisco ASA

2011-01-17T10:12:00.000-08:00

Prior to 8.3 many-to-one static nats were not allowed. Basically each unique private address required a unique public addresss. The following example was not allowed:

static (inside,outside) 10.1.1.1 172.16.1.1 netmask 255.255.255.255
static (inside,outside) 10.1.1.2 172.16.1.1 netmask 255.255.255.255

In 8.3, this is now possible with the use of the unidirectional statement:
object network host-172.16.1.1
host 172.16.1.1
object network host-10.1.1.1
host 10.1.1.1
object network host-10.1.1.2
host 10.1.1.2
nat (outside,inside) 5 source static any any destination static host-10.1.1.1 host-172.16.1.1 unidirectional
nat (outside,inside)6 source static any any destination static host-10.1.12 host-172.16.1.1 unidirectional

How to perform a packet capture on a Cisco IDS

2010-12-27T10:44:00.000-08:00

To perform a tcpdump on a Cisco IDS from the Cisco shell, do the following:

packet display

example: "packet display GigabitEthernet1/2"

DNS doctoring on the Cisco ASA

2010-12-07T14:16:00.000-08:00

Occasionally DNS requests may need to be modified to for web servers with both public and private addresses. A normal Static statement would not work in this case because the static would only modify the header and not the DNS request itself. To perform DNS doctoring, follow these steps:

First turn on DNS inspection:
policy-map type inspect dns MY_DNS_INSPECT_MAP
parameters
message-length maximum 512
exit
exit
show run policy-map type inspect dns
policy-map global_policy
class inspection_default
inspect dns MY_DNS_INSPECT_MAP
exit
exit
show run policy-map
!
show run service-policy

Now configure the static:
static (dmz,outside) 172.20.1.10 10.10.10.10 netmask 255.255.255.255 dns

In the above example, the DNS Server resolves the server as 172.20.1.10 but the ASA modifies the DNS record to the physical IP of 10.10.10.10

SSH server Internal Error on Cisco ASA

2010-11-22T12:01:00.000-08:00

The following error occurs every few minutes, even when no users are connected:

MSSTimestamp=1287962073, FN=syslog, origLog=Oct 24 2010 23:14:33: %ASA-6-315011: SSH session from 10.16.1.24 on interface outside for user "" disconnected by SSH server, reason: "Internal error" (0x00)

According to Cisco TAC, this is an undocumented caveat from the 8.2.3 code. This will not be fixed until 8.2.4 is released.

UPDATE: 8.2.4 has been released

UPDATE#2:
Discovered that this error occurs when a blank user name is sent over during an SSH attempt. The error is generated. On non8.2.4 versions, over time this causes the RSA Key to become corrupt.

Large number of phantom routes in netstat -rn on IPSO

2010-11-15T13:55:00.000-08:00

So the other day I was rebuilding an IPSO IP330 and I noticed that the routes in Voyager and Clish do not match the routes on netstat -rn. I expected a few additional routes to account for directly connected routes and proxy arps, but I found hundreds of additional routes with the iSUW flags.

I discovered that this is a mechanism called Route Cloning that dynamically adds routes for quicker lookups. Basically it will subnet larger static route networks into 32 bit routes for active hosts. For more information, please review Checkpoint sk41131

Junpier Netscreen Policy Based VPN

2010-10-19T09:31:00.000-07:00

I noticed that I had several articles on Route Based VPNS but none on Policy Based. So here goes...

Steps:
1. Configure the address object for the local and remote encryption domains.
2. Configure the Phase 1 (IKE Gateway) parameters.
3. Configure the Phase 2 (VPN) parameters.
4. Configure the policy.
5. Verify and check the status of the IPSec VPN.
Additionally,as wth all VPNS, be cognizant of natting.

Step 1: Configure the address object for the local and remote encryption domains.

set address trust
set address untrust

Step 2: Configure the Phase 1 (IKE Gateway) parameters.

For ScreenOS Version 5.x.x, use the following command:

set ike gateway address main outgoing-interface preshare proposal

For ScreenOS Version 4.x.x, use the following command:

set ike gateway ip main outgoing-interface preshare proposal

Step 3: Configure the Phase 2 (VPN) parameters.

set vpn gateway proposal
set vpn monitor

Step 4: Configure the policy.

set policy top from trust to untrust any tunnel vpn log
set policy top from untrust to trust any tunnel vpn log

Note: If you have multiple encryption domains, you need to add multiple encryption rules for each pair of encryption domains.

Step 5: Verify and check the status of the IPSec VPN.

get sa
get vpn
get ike p1-proposal
get ike p2-proposal

EXAMPLE:
Parameters     Atlanta     to Tokyo
Firewall Hostname     atla-us-ns     tkyo-jp-ns
External Interface IP Address     111.222.191.18     222.33.43.73
Encryption Domain     atl-192.168.1.0/24     Tokoyo-172.16.1.0/24 172.16.2.0/24
Encryption Algorithm     3DES     3DES
Authentication Algorithm     SHA-1     SHA-1
Authentication Method     Pre-Share     Pre-Share
Pre-Shared Key     abc123!     abc123!
Perfect Forward Secrecy     No
Key Exchange     DH Group 2

For Atlanta Site (ScreenOS 5.x.x):

set address trust net-192.168.1.0/24 192.168.1.0/24

set address untrust net-172.16.1.0/24 172.16.1.0/24

set address untrust net-172.16.2.0/24 172.16.2.0/24

set ike gateway gw-tkyo-ns-222.33.43.73 address 222.33.43.73 main outgoing-interface ethernet1 preshare abc123! proposal pre-g2-3des-sha

set vpn vpn-tkyo-ns-222.33.43.73 gateway gw-tkyo-ns-222.33.43.73 proposal nopfs-esp-3des-sha

set vpn vpn-tkyo-ns-222.33.43.73 monitor

set policy top from trust to untrust net-192.168.1.0/24 net-172.16.1.0/24 any tunnel vpn vpn-tkyo-ns-222.33.43.73 log

set policy top from trust to untrust net-192.168.1.0/24 net-172.16.2.0/24 any tunnel vpn vpn-tkyo-ns-222.33.43.73 log

set policy top from untrust to trust net-172.16.1.0/24 net-192.168.1.0/24 any tunnel vpn vpn-tkyo-ns-222.33.43.73 log

set policy top from untrust to trust net-172.16.2.0/24 net-192.168.1.0/24 any tunnel vpn vpn-tkyo-ns-222.33.43.73 log

Clearing the cache on a ProxySG

2010-10-18T08:48:00.001-07:00

To clear the entire cache of a Bluecoat Proxy SG:
#clear-cache

Additionally the cache can be cleared for a specific object store:
#clear-cache byte-cache
#clear-cache dns-cache
#clear-cache object-cache

To delete the cache for a specfic site:
content delete regex
for example: content delete http://www.yahoo.com

Cisco ASA order of operations

2010-08-24T17:21:00.000-07:00

1. FLOW-LOOKUP- This will check for existing connections. I a connection exists, the flow is automatically allowed

2. ROUTE-LOOKUP - This is the inbound route lookup which includes reverse patch, if enabled.

3. Inbound ACCESS-LIST- Checks for an interface ACL

4. CONN-SETTINGS - Application layer checks (Class maps)

5. IP-OPTIONS- RFC 791

6. NAT

7. Outbound ACCESS-LIST (if an outbound access list exists on the egress interface).

9.FLOW-CREATION

10.ROUTE LOOKUP - Destination route lookup

Cisco VPN error: Secure VPN connection terminated locally by the Client. Reason 412: The remote peer is no longer responding

2010-08-24T14:56:00.000-07:00

This error occurs for the following reasons:

The user is behind a firewall that is blocking ports UDP 4500/500 and/or ESP.
The VPN client is using connecting on TCP and the default TCP port 10000 for NATT is blocked.
The internet connection is not stable and some packets are not reaching the VPN concentrator/server or the replies from the server/concentrator aren’t getting to the client, hence the client thinks the server is no longer available.
The VPN client is behind a NAT device and the VPN Server doesn’t have NAT-T enabled. In this case the user will not be able to send or receive traffic at all. It will be able to connect but that’s all. After some time the software client deletes the VPN tunnel.

How to redirect traffic to a CSC module on an ASA

2010-08-17T13:44:00.000-07:00

First create an ACL that defines what traffic should be scanned.
access-list acl_CSC permit tcp any any eq www
access-list acl_CSC extended permit tcp any any eq smtp
access-list acl_CSC extended permit tcp any any eq pop3

Define a class map and associate the new acl.
class-map csc_inspect
match access-list acl_CSC

Associate the class map to a policy map.
policy-map csc_inspect_policy
class csc_inspect
csc fail-open

Specify the interfaces that should redirect to the CSC module
service-policy csc_inspect_policy interface outside
service-policy csc_inspect_policy interface inside

For more information on configuring the CSC blade or troubleshooting, please refer to Cisco's CSC guide.

How to immediately know if you are logged into the active or standby firewal on ASA

2010-08-17T09:19:00.000-07:00

The prompt (introduced in 7.2(1)) command allows you to customize the hostname of the ASA to include dynamic elements.

prompt state will display the state of the firewall.
for example:
lab-dev-01# config t
lab-dev-01 (config)# prompt state
lab-dev-01/act(config)#

•act—Failover is enabled, and the unit is actively passing traffic.

•stby— Failover is enabled, and the unit is not passing traffic and is in a standby, failed, or other non-active state.

•actNoFailover—Failover is not enabled, and the unit is actively passing traffic.

•stbyNoFailover—Failover is not enabled, and the unit is not passing traffic. This might happen when there is an interface failure above the threshold on the standby unit.

How to allow users to select a group during WebVPN login

2010-08-04T11:56:00.000-07:00

There are 3 ways a group can be selected using WebVPN for Anyconnect. This can be done by specifying a group URL, group alias, or using a certificate map.

To create a Tunnel Group drop down on the Web VPN login screen do the following:

lab1#configure t

lab1(config)#tunnel-group AdminGroup1 webvpn-att
lab1(config-tunnel-webvpn)#group-alias Admins enable
lab1(config-tunnel-webvpn)#exit
lab1(config)#webvpn
lab1(config-webvpn)#tunnel-group-list enable

This will create a drop down that includes a group called Admins that is connected to the AdminGroup1 Tunnel Group.

A group URL is simular to the Group Alias but the other group names are not displayed.
lab1#configure t
lab1(config)#tunnel-group MarketingGroup type remote-access
lab1(config)#tunnel-group MarketingGroup general-attributes
lab1(config)#group-url https://asa-DNS-name/Marketing enable 
lab1(config)#webvpn
lab1(config-webvpn)#tunnel-group-list enableCertificate access will be covered later

Check Point Software Technologies Reports Record Second Quarter 2010 Financial Results

2010-08-02T17:35:00.000-07:00

# Revenue: $261.1 million, representing a 17 percent increase year over year

# Product Revenues: $103.9 million, representing a 25 percent increase year over year

# Non-GAAP Operating Income: $144.7 million, representing a 24 percent increase year over year or 55 percent of revenues versus 52 percent a year ago

# Non-GAAP EPS: $0.58, representing a 21 percent increase year over year

# Cash Flow from Operations: $148.9 million, representing a 32 percent increase year over year

Read the rest of the article at Checkpoint.com

Bluecoat policies overview

2010-08-02T17:00:00.000-07:00

There are 3 types of policies:
Central policy- Contains global settings and behavioral analysis for generic threats.
Forwarding policy-defines forwarding rules
Local policy- user created policies
VPM- Visual Policy Manager. Gui Policy editor.

Default policy enforcement order:

VPM > File-local >Policy File-central >Policy file-forward file

When changing the policy file evaluation order, remember that final decisions can differ because

decisions from files later in the order can override decisions from earlier files (the Forward policy file

order cannot be changed).

To configure policy order via the Management Console:

Configuration> Policy > Policy Options

Via the cli:

(config) policy order v l c

v(VPM) c(central) l(local)

To change the default polcy from the Management Colsole:

Configuration > Policy > Policy Options

Via the cli:

(config) policy proxy-default {allow | deny}

Policy tracing records every policy event at all layers:

To turn on policy tracing via the Management Console:

Configuration > Policy > Policy Options and select Trace all

Individual policy rules can also be traced by selecting Trace on the rule in the VPM

Via the cli:

Policy trace {all|none}

To view the currently installed policy:

If an HTTPS-Console is configured, use

https://ip_address_of_ProxySG:HTTPS-Console_port/Policy/current (the default

port is 8082).

Via the cli

(config) show policy

To view the uncompiled policy:

(config) show configuration

(config) show sources policy {central | local | forward | vpm-cpl |vpm-xml}

Downgrading from Cisco ASA 8.3

2010-08-02T10:00:00.000-07:00

8.3 is the new major update from Cisco that contains so many philosophical changes that it should be considered 9.x. Besides changing the way inbound ACLs are defined, they have also gone to a object based configuration and Natting has been revamped. Unfortunately all of the bugs have not been worked out yet and many people are downgrading. To make matters worse, all new appliances are being sent with 8.3 preloaded, which requires a conversion to get older configurations to work. To properly downgrade, the downgrade command must be used. Cisco has indicated that this command merely replaces some of the manual commands that are ran during a downgrade, like setting the bootsystem, write mem, and loading the config, however I have received confirmation that other steps are actually performed behind the scenes, that does not take place when a manual downgrade is performed.

To downgrade do the following:

ASA(config)# downgrade [/noconfirm] old_image_url old_config_url [activation-key old_key]

Ofcourse this assumes that the old image and old config are on the appliance. If you received a new appliance

and would like to downgrade, the image and config should be copied over first.

ICMP error codes

2010-07-26T08:42:00.001-07:00

Type 0 Echo Reply 
Type 3 Destination Unreachable 

Code 
0 = net unreachable; 
1 = host unreachable; 
2 = protocol unreachable; 
3 = port unreachable; 
4 = fragmentation needed and DF set; 
5 = source route failed. 

Type 4 Source Quench 
Type 5 Redirect 

Code 
0 = Redirect datagrams for the Network. 
1 = Redirect datagrams for the Host. 
2 = Redirect datagrams for the Type of Service and Network. 
3 = Redirect datagrams for the Type of Service and Host. 

Type 8 Echo 
Type 11 Time Exceeded 
Code 

0 = time to live exceeded in transit; 
1 = fragment reassembly time exceeded. 

Type 12 Parameter Problem 

Code 0 = pointer indicates the error. 
Type 13 Timestamp 
Type 14 Timestamp Reply 
Type 15 Information Request 
Type 16 Information Reply

Cisco ASA Policy Based Nat

2010-07-20T15:19:00.000-07:00

Example:
Source address 10.1.1.1 should be translated to 192.168.1.1 when going to 172.16.1.1 and translated to 192.168.1.2 when going to 172.16.1.2

access-list policy_nat1 permit ip host 10.1.1.1 host 192.168.1.1
access-list policy_nat2 permit ip host 10.1.1.1 host 192.168.1.2

static (inside,outside) 172.16.1.1 access-list policy_nat1
static (inside,outside) 172.16.1.2 access-list policy_nat2

Viewing overlapping encryption domains on Checkpoint

2010-07-20T12:35:00.000-07:00

vpn overlap_encdom [communities|traditional]

Example:

#> vpn overlap_encdom
The objects LabFirewall and Lab2 have overlapping encryption domains.
The overlap domain is:
10.2.5.0 - 10.2.5.255

Cisco ASA Reverse Path Forwarding

2010-06-27T18:24:00.000-07:00

Reverse Path Forwarding

RPF errors are typically NAT related (traffic is natted one way in one direction and another way in the other direction).

Example: --->no nat
<--- hide nat

Example of this error:

%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:192.168.25.100 dst dmz:192.168.28.12 (type 8, code 0) denied due to NAT reverse path failure

The other reason is if RPF checking is turned on and the source host comes in on an interface where a route is not defined for the host. This type of RPF check must be configured on a per interface basis, which will cause the firewall to examine the source IP of each packet. This also adds a little additional overhead.

To turn on interface RPF checking run the following interface config command:
ip verify reverse-path interface outside

Juniper SRX notes

2010-06-16T09:21:00.000-07:00

Note, unlike ScreenOS, changes are not actually implimented on the command line until the commit command is entered.At which time, the commands entered on the Control Plane are pushed to the Forwarding Plane(data plane).

Juniper releases SRX updates quarterly. R1 is the only yearly update that contains new features. The other 3 releases are maintenance releases.

SRX retains the last 50 configs which can be rolled back at any time using the rollback command.

When you log in as root, your in the bsd shell (denoted by the % symbol).

Type cli to enable cli mode (denoted by the > symbol).

From cli mode, the start shell command takes you back to bsd. And type exit to go back to cli.

To enter config mode, type con(# denotes config mode)

Piping is now "| match "

In addition to match, you can view the "last" screen full, "except" particular data, "save" to a file, etc.

Reboot from config mode

Run request system reboot

Upgrade:

Request system software add

Show chassis - displays hardware info.

Show interface terse - state of all interfaces

Show interfaces extensive -collisions, cdc, traffic, speed, duplex, mac

Monitor interface - view real time usage details (counters)

Monitor traffic -decode packets

Show version

To run operational commands via config mode, type run followed by the command.

Top level:

System

Interfaces

Protocols -routing

Policy-options -routing policy

Security - zones, trafic, vpns

Snmp

To enter a config level type edit

For example, edit security

The up command moves you up one level

Top takes you to the top level

To view the config for a specific level, type show at that level

To revert to a previous config, use the rollback command.

Configuring zones:

Set security zones

Edit security zones

Set security-zone

Set security-zone interface

To control what services is allowed to an interface:

Set security-zone host-inbound- traffic system services

Show security zones -displays zone info.

Onboard default IDP (Screening)

Edit security screen

Show

Show security screen statistics zone < zone>

Show security screen ids-opt

Each policy must contain a unique name (which can also be a number).

Policy example:

Set policies from-zone trust to-zone untrust policy match source-add any destination-add 10.1.1.1/32 application HTTP

Set policy from-zone trust to zone-untrust policy then permit

To verify the changes;

[edit]

user@host# commit check | display xml

To display a detailed trace of commit script processing, issue the commit check | display detail command:

[edit]

user@host# commit check | display detail

Config private- only commits changes implemented, not the entire config

Delete removes a config setting.

The deactivate command allows you to temporarily disable a config

Save configuration

Saves your entire configuration to a filename.

admin@router# save

To compare a rollback config to the active config:

user@host# show | compare (filename | rollback n)

To display the xml version of the commit changes:

user@host# show | display commit-scripts view

If you want to recreate a configuration by hand, you can see the commands needed by passing a | display set command

[edit]

admin@router# show | display set

Interfaces:

root#edit interfaces

[edit interfaces]

root#set ge-0/0/1 unit 0 family inet address 192.168.5.1/28

review configuration and commit changes

root#run show interfaces terse

root#run show security zones

root#commit check

root#commit and-quit

VLAN tagging:

Edit interface < interface>

Set vlan-tagging

Set unit <#> vlan-id <#>

Edit interface

Set speed

IP Addressing

Edit unit <#>

Set family inet address

To view preshared keys on an IPSEC VPN:

show security ike pre-shared key

master-key >

user-id >

Password reset:

1. Have a console access to the SRX device.

2. Reboot or power cycle the device.

3. At the boot prompt issue the boot -s command to boot the system into single user mode.

Enter recovery when prompted

How to update a ScreenOS license from the cli

2010-06-08T08:34:00.000-07:00

Enter the following:

exec license-key [license key]

Example:
ns5gt_lab-> exec lic 3gLnDlIRMfDshDjjhdKfakljiehnfvaliKSmUUnbIKGWQggJY9
Buhkqte8aqVBQDWJ8twNT/UrH2shN3hPVK5mx3Ak3b50m94kEgVjMfetiVxQRTdoiKg6nPYuoIyLYmccowbaQ8BEtI8/INdzbOTP1P

You have to reset the device to activate the license key.

If you have a version 1 license key, which is 16 characters in length and is only loaded on ScreenOS 4.0.0 and below, then enter the following command:

For the Capacity Key:
set envar capacity_key=[license key]

For the HA/NSRP Key:
set envar nsrp_key=[license key]

Common Clish commands on Nokia IPSO appliances

2010-06-07T17:57:00.001-07:00

---setting default gateway
set static-route default nexthop gateway address 192.168.29.2 priority 1 on

---adding static routes
set static-route 172.23.124.150/32 nexthop gateway address 192.168.29.50 on

---Add proxy arp
add arpproxy address 192.168.29.56 macaddress 0:a0:8e:7d:13:d0
add arpproxy address 192.168.29.57 macaddress 0:a0:8e:7d:13:d0

---Add an interface
set interface eth1 speed 100M duplex full active on
add interface eth1c0 address 192.168.29.54/24
set interface eth1c0 enable

---VRRP

set vrrp accept-connections on
set vrrp coldstart-delay 60

set vrrp interface eth1c0 monitored-circuit vrid 54 monitored-interface eth2c0 on
set vrrp interface eth1c0 monitored-circuit vrid 54 monitored-interface eth2c0 priority-delta 10
set vrrp interface eth1c0 monitored-circuit vrid 54 monitored-interface eth3c0 on
set vrrp interface eth1c0 monitored-circuit vrid 54 monitored-interface eth3c0 priority-delta 10
set vrrp interface eth1c0 monitored-circuit vrid 54 priority 100
set vrrp interface eth1c0 monitored-circuit vrid 54 hello-interval 1
set vrrp interface eth1c0 monitored-circuit vrid 54 vmac-mode default-vmac
set vrrp interface eth1c0 monitored-circuit vrid 54 backup-address 192.168.29.1 on

---Set ntp servers

add ntp server 10.1.1.2 version 3 prefer yes
add ntp server 10.1.1.1 version 3 prefer yes

---Setting Time zone

set date timezone-city "Greenwich (GMT)"

---Add hostname

set hostname testbox

---Add Host address assignments

add host name testbox ipv4 192.168.29.54

Adding Checkpoint and Netscreen devices into Firemon

2010-06-07T17:53:00.001-07:00

Adding a Checkpoint firewall into Firemon.

In Smart Dashboard:

First create an OPSEC object. Select LEA and CPM.

Select NEW next to the host box, and create a host with the IP address of Firemon.

If your vendor appliance is not listed, select Undetermined (as long as LEA and CPM are selected, everything will work).

Initiate SIC and enter a SIC password.

Additionally the firemon server needs to be added to the GUI client (Cpconfig or via the Provider).

In Firemon:

New> Device> Checkpoint

Select Smartcenter Environment Wizard.

Enter the Smartcenter IP and provide credentials for a user with atleast Read Only access.

Click Connect and enter the SIC password when prompted.

If a separate log server (MLM) is used, it will automatically be added along with all devices managed by that Smartcenter server.

If a separate log server is used, go into the properties of that log server and change the authentication method to clear.

Adding a Netscreen to firemon

Point your syslog stream to Firemon

ssg1-> set syslog config "10.16.179.70"

ssg1-> set syslog config "10.16.70" facilities local0 local0

ssg1-> set syslog config "10.16.179.70" log traffic

In Firemon:

Right click on the device group and select New Device

Select ScreenOS

Provide the name, ip and credentials

Notes on SSL Proxy for the Bluecoat Proxy SG

2010-05-25T08:43:00.001-07:00

Benefits of SSL Forwarding Proxy:
Security is increased by Server cert validation , including CRLs and Virus scanning and Url filtering.
There is also an increase in log visibility. In addition, intercepted data can be cached.

The ProxySg will act as a man in the middle. The client will get a digital cert that appears to be from the server but will really be from the ProxySG.

Client sends HELLO to ProxySG
ProxySG sends HELLO to server
Server sends server cert to ProxySG
ProxySG sends its own certificate to client(either its own ca or self signed).

The cert from the ProxySG will look like a server cert but it will not be signed by Verisign or another CA.

The proxy cannot handle client certs (bidirectional certs). Therefore sites that require client certs cannot be intercepted.

The default policy behavior is not to intercept SSL traffic.
You can selectively intercept traffic . For example, you may not want to intercept banking sites.

There is an ssl coprocessor that handles most of the work and does not add a lot of overhead.

The ssl proxy has the ability to distinguish between SSL and non-SSL on the same port.

Determining what HTTPS traffic to intercept:

The Proxy SG has the ability to make intercept decisions based on the certificate host name or site categorization.

Bluecoat provides the following recommendations on intercepting traffic:
- Intercept Intranet Traffic
- Intercept suspicious Internet sites, especially those categorized as NONE.
- Intercept web mail based sites.

You can notify users of ssl intercepted traffic by using the HTML Notify User object after the interception.

SSL Proxy detects the following certificate errors:
-Expired certificates
-Untrusted issuer
-Certificate has been revoked

How to selectively intercept SSL traffic:
1. Launch VPM
2. Add a new SSL Intercept Layer
3. Right click on the destination and select New.
4. Select the Certificate Category then choose your content filter (Bluecoat, Websense, etc).
5. Select the categories you want to intercept.
6. Click OK, then OK
7. Right click on the ACTION field and select NEW.
8. Select SSL Forward Proxy Object and then check the Intercept as HTTPS and Issuer Keyring.
9. Select Ok then OK
10. Apply the policy.

Great Cisco TAC podcast on Anyconnect

2010-05-24T15:33:00.001-07:00

This podcast covers an overview of Anyconnect as well as some great troubleshooting procedures.
http://cisco-podcast.streamguys.net/cdc/security/tac/TACSecurityShow_episode_11.mp3

Forwarding vs Reverse proxies

2010-05-23T14:48:00.001-07:00

Forward proxy- The proxy is on the same networks as the clients

Reverse proxy- The proxy is on the same network as the servers (inbound)

For example:

If a proxy manages all outbound traffic to the web, it is a forward proxy.

If a proxy sits in front of several web servers and uses round robin to balance the load, it is a reverse proxy.

Bluecoat Transparent vs Explicit proxy.

2010-05-23T14:47:00.000-07:00

Explicit vs Transparent Proxy:

In an explicit proxy, the client is configured to communicate with a proxy. In transparent, the client attempts to communicate directly wit a site and the request is intercepted. Neither option is configured on the Proxy SG.

Types of proxy configurations:

Explicit Proxy: Requires client config (ie proxy settings in browser)

Src:client Ip DST: SG IP > Src:SG IP DST:Server IP

Application must be proxiable

One way to deploy explicit proxy can be to use a PAC file (pg 223 of gu ide).

Another method is Proxy Auto-discovery.

Recommended method is group policy.

Traffic must match a service policy

In explicit proxy, when a connection is made for a service that is not running on ProxySG, the connection is rejected.

Transparent:

The SG intercepts the requests.

Option: reflect Client IP can make the SG mock the client IP. Rarely used but can reflect accurate sources on servers where required. This is a global option.

Transparent proxy can use WCCP to redirect traffic or a layer 4 switch can be used to rewrite the mac. Last but not least, LBs can be used.

Also a transparent proxy also does its own DNS lookup but can be turned off (Trust dst Ip).

If the proxy is in bridging mode or acting as a gateway, a service group does not need to be matched.Routing modes requires IP forwarding enabled

The proxysg can also be used as a default gateway, which is not recommended.

Bluecoat Authentication descriptions

2010-05-17T13:36:00.001-07:00

Auto: The default; the mode is automatically selected, based on the request. Auto can choose any of proxy, origin, origin-ip, or origin-cookie-redirect, depending on the kind of connection (explicit or transparent) and the transparent authentication cookie configuration.
Proxy: The ProxySG uses an explicit proxy challenge. No surrogate credentials are used. This is the typical mode for an authenticating explicit proxy. In some situations proxy challenges do not work; origin challenges are then issued.

If you have many requests consulting the back-end authentication authority (such as LDAP, RADIUS, or the BCAAA service), you can configure the ProxySG (and possibly the client) to use persistent connections. This dramatically reduces load on the back-end authentication authority and improves the all-around performance of the network.
Proxy-IP: The ProxySG uses an explicit proxy challenge and the client's IP address as a surrogate credential. Proxy-IP specifies an insecure forward proxy, possibly suitable for LANs of single-user workstations. In some situations proxy challenges do not work; origin challenges are then issued.
Origin: The ProxySG acts like an OCS and issues OCS challenges. The authenticated connection serves as the surrogate credential.
Origin-IP: The ProxySG acts like an OCS and issues OCS challenges. The client IP address is used as a surrogate credential. Origin-IP is used to support IWA authentication to the upstream device when the client cannot handle cookie credentials. This mode is primarily used for automatic downgrading, but it can be selected for specific situations.
Origin-cookie: The ProxySG acts like an origin server and issues origin server challenges. A cookie is used as the surrogate credential. Origin-cookie is used in forward proxies to support pass-through authentication more securely than origin-ip if the client understands cookies. Only the HTTP and HTTPS protocols support cookies; other protocols are automatically downgraded to origin-ip.

This mode could also be used in reverse proxy situations if impersonation (where the proxy uses the user credentials to connect to another computer and access content that the user is authorized to see) is not possible and the origin server requires authentication.
Origin-cookie-redirect: The client is redirected to a virtual URL to be authenticated, and cookies are used as the surrogate credential. The ProxySG does not support origin-redirects with the CONNECT method. For forward proxies, only origin-*-redirect modes are supported for Kerberos/IWA authentication. (Any other mode uses NTLM authentication).

NOTE: During cookie-based authentication, the redirect request to strip the authentication cookie from the URL is logged as a 307 (or 302) TCP_DENIED.
Origin-IP-redirect: The client is redirected to a virtual URL to be authenticated, and the client IP address is used as a surrogate credential. The ProxySG does not support origin-redirects with the CONNECT method. For forward proxies, only origin-*-redirect modes are supported for Kerberos/IWA authentication. (Any other mode uses NTLM authentication.)
SG2: The mode is selected automatically, based on the request, and uses the SGOS 2.x-defined rules.
Form-IP: A form is presented to collect the user's credentials. The form is presented whenever the user's credential cache entry expires.
Form-Cookie: A form is presented to collect the user's credentials. The cookies are set on the OCS domain only, and the user is presented with the form for each new domain. This mode is most useful in reverse proxy scenarios where there are a limited number of domains.
Form-Cookie-Redirect: A form is presented to collect the user's credentials. The user is redirected to the authentication virtual URL before the form is presented. The authentication cookie is set on both the virtual URL and the OCS domain. The user is only challenged when the credential cache entry expires.
Form-IP-redirect: This is similar to form-ip except that the user is redirected to the authentication virtual URL before the form is presented.

Everything you need to know about troubleshooting VRRP on Nokia Checkpoints

2010-05-17T11:00:00.000-07:00

VRRP failover happens when one of the following events takes place:

-a monitored interface looses its link state

-VRRP hello packets from the master not seen on the secondary device

-a critical Checkpoint service or daemon fails to report its status. This requires FW Monitoring to be turned on in Voyager. If turned on, whenever the clock is set backwards, a failover will also occur.

tcpdump -nni eth1 proto VRRP

The packets will contain the vrid and priority.

When a failure occurs, the failed device sends out a priority 0 message on all good interfaces. This tells the secondary to take over.

Example:

PrimaryHA-fw1[admin]# tcpdump -i eth-s1p1c0 proto vrrp

tcpdump: listening on eth-s4p2c0

00:46:11.379961 O 192.168.1.1 > 224.0.0.18: VRRPv2-adver 20: vrid 100 pri 100 [tos 0xc0]

00:46:12.399982 O 192.168.1.1 > 224.0.0.18: VRRPv2-adver 20: vrid 100 pri 100 [tos 0xc0]

00:46:13.479985 O 192.168.1.1 > 224.0.0.18: VRRPv2-adver 20: vrid 100 pri 100 [tos 0xc0]

00:46:14.560007 O 192.168.1.1 > 224.0.0.18: VRRPv2-adver 20: vrid 100 pri 0 [tos 0xc0]

If both firewalls are broadcasting vrrp, and the packets are not seen by the other firewall, there could be a communication problem between the firewalls.

Also ensure that the vrid matches on both firewalls.

Proper VRRP failovers usually only cause 1 or 2 packets lost .

VRRP multicast address is 224.0.0.18

To capture vrrp traffic in fw monitor:

fw monitor -e “accept ip_p = 112;”

Clish

show vrrp

This will show you which devices are in master and backup

Example:

PrimaryFW-A> sh vrrp

VRRP State

Flags: On

6 interface enabled

6 virtual routers configured

0 in Init state

0 in Backup state

6 in Master state

PrimaryFW-A>

PrimaryFW-A> exit

Bye.

PrimaryFW-A[admin]#

SecondaryFW-B[admin]# iclid

SecondaryFW-B> sh vrrp

VRRP State

Flags: On

6 interface enabled

6 virtual routers configured

0 in Init state

4 in Backup state

2 in Master state

SecondaryFW-B>

SecondaryFW-B> exit

show vrrp interfaces

Detailed configuration of VRRP, including priority, hello interval, and VRID

clish -c "show interfacemonitor"

Displays interface transitions

cphaprob -i list

Displays Checkpoint critical processes and their timeouts.

To log critical process failures:

ipsctl -w net:log:partner:status:debug 1

That will log to the console and to /var/log/messages. If you want to turn off:

ipsctl -w net:log:sink:console 0

To change the timeout value of a monitored process:

cphaprob -d [device] -t [timeout] -s [state] -p register

Password reset on a Juniper SRX

2010-05-05T10:44:00.000-07:00

1. Have a console access to the SRX device.

2. Reboot or power cycle the device.

3. At the boot prompt issue the boot -s command to boot the system into single user mode.

4. Perform password recovery using the passwd command.

Vlan tagging on Cisco firewalls (FWSM, ASA, and Pix)

2010-05-04T09:08:00.000-07:00

Fwsm: interface vlan <#>
6.3 : interface NAME VLAN_ID logical
Asa: interface NAME.SUBINTERFACE#
vlan VLAN_ID

Logical vlan interfaces must be carried over physical trunk interfaces.
On the ASA, the subinterface number is an arbitrary number that must be unique.

Packets sent out of the logical VLAN interface are tagged with the VLAN number as they enter the physical trunk link and then stripped off at the far end of the trunk.

Switch config:
interface NAME
switchport
switchport trunk encapsulation dot1q
switchport mode trunk

Notes on WCCP with an ASA

2010-04-28T09:12:00.000-07:00

This is not mentioned in the Cisco documentation so I figured I would mention it here:

-Interface ACLs are enforced before WCCP. Therefore an interface ACL allowing traffic to be proxied is required.

- Redirect ACLS do not like service groups. If individual services need to be redirected (as opposed to ANY), they should be defined individually. If a service group is used, only the first service in the group will be redirected.

-Caveat regarding ASA to Bluecoat WCCP implementations:

WCCP can either use layer 2 or gre to communicate between forwarding and caching devices. However the ASA only supports gre. One downside of the Bluecoat is that it can receive gre packets but redirected traffic will not be forwarded from the Bluecoat through the gre tunnel. So that means that if traffic proxied by the Bluecoat is then sent back to the ASA to go out, the ASA will view it as an out of state connection and drop the packet. The only way that I have been able to get WCCP between and ASA and BC to work is to send forwarded traffic directly out to the internet from the BC and not back to the ASA.

-According to documentation, the cache instructs the Security Device which ports and protocols to redirect and how to distribute the traffic. I have found that this does not always work and I typically have to include the forwarded ports in the redirect acl.

-using the web-cache option instead of a service-number you can only redirect port 80, regardless of how the ACL is configured

-Considering the above 2 bullet points, does this mean that using the web-cache option, with specific ports in the redirect acl will break WCCP?

Additional caveats that is included in the WCCP documentation:
-When the adaptive security appliance knows when a packet needs redirection, it skips TCP state tracking, TCP sequence number randomization, and NAT on these traffic flows.

-A limitation of WCCP on the ASA is that it cannot direct traffic across interfaces on the firewall.

This means if you configure WCCP to redirect traffic on the inside interface of your firewall, you have to have your cache-engine on that same interface.

Fun with the Cisco Alias command

2010-04-21T10:49:00.000-07:00

I know I know. The Alias command is being deprecated. But it has not gone away yet and with luck, its replacement will be able to perform the same functions. But for now, we are able to accomplish a few things with Alias that we cannot perform with the static command.

#1. Arp replies for reverse statics.
Basically, when a standard static is created on an ASA (high, low, low, high), the firewall will respond to arps for inbound requests to the public IP.

Heres an example:
static (Internal,Outside) 10.239.15.11 10.239.15.68 netmask 255.255.255.255

   4: 15:44:00.780522 arp who-has 10.239.15.11 tell 10.239.15.5
   5: 15:44:00.780782 arp reply 10.239.15.11 is-at 0:9:b7:5f:8d:c2

However, if a reverse static is needed (outbound D-nat), the firewall will not respond to arp requests, even if the arp is manually created.


static (Outside,Internal) 10.239.15.68 10.239.15.12 netmask 255.255.255.255
arp Outside 10.239.15.12 0009.b75f.8dc2

4: 15:47:35.131279 arp who-has 10.239.15.12 tell 10.239.15.5
   5: 15:47:35.735313 arp who-has 10.239.15.12 tell 10.239.15.3
   6: 15:47:37.131432 arp who-has 10.239.15.12 tell 10.239.15.5

   footnote: Do not get caught up in the interface names in my examples. In the lab, I had to reverse the security levels.

But if we create an alias instead, the firewall will respond to arp requests, and process the D-nat.
   alias (Outside) 10.239.15.13 10.239.15.68 255.255.255.255

     11: 16:30:45.160880 arp reply 10.239.15.13 is-at 0:9:b7:5f:8d:c2

#2. Perform double natting.
As we all know, nats and statics are processed from top down until a hit is made. Basically the firewall will check for Nat 0> Identity Nat>Statics> Policy nat> Hide nat. Once a hit is made, Nat processing will stop. So if we have both a source and destination nat defined, only one will actually get handled. To get around this limitation, we can use the Alias command to handle the D-nat.

Example:
    nat (Internal) 1 0.0.0.0 0.0.0.0
    global (Outside) 1 interface
    alias (Internal) 10.239.15.68 10.239.15.13 255.255.255.255

As you can see from the packet tracer, both the src and dst nat takes place.


Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (Internal) 1 0.0.0.0 0.0.0.0
match ip Internal any Outside any
    dynamic translation to pool 1 (10.239.15.3 [Interface PAT])

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
match ip Outside host 10.239.15.13 Internal any
    alias translation to 10.239.15.68

View VPN defaults on a Cisco ASA

2010-04-19T19:04:00.000-07:00

We often use the "show run crypto map | in" to view a crypto map configuration on "show run tunnel-group" to view the tunnel group settings, however, default settings are not displayed. For example, isakmp keep alives, default lifetimes, Peer validation, inheritance, etc, are not commonly configured in tunnels. To view these settings try the following:

show run all crypto map | in
show run all tunnel-group

Sample output:

crypto map vpn_map 4 match address VPN-acl
crypto map vpn_map 4 set connection-type bi-directional
crypto map vpn_map 4 set peer 192.168.182.100
crypto map vpn_map 4 set transform-set 3des_sha1
crypto map vpn_map 4 set security-association lifetime seconds 28800
crypto map vpn_map 4 set security-association lifetime kilobytes 4608000
crypto map vpn_map 4 set inheritance rule
crypto map vpn_map 4 set phase1-mode main

tunnel-group 192.168.182.100 type ipsec-l2l
tunnel-group 192.168.182.100 general-attributes
no accounting-server-group
default-group-policy DfltGrpPolicy
tunnel-group 192.168.182.100 ipsec-attributes
pre-shared-key *
peer-id-validate req
no chain
no trust-point
isakmp keepalive threshold 10 retry 2

Manual failover on Netscreen

2010-04-14T13:36:00.000-07:00

1: Display the current NSRP status.

get nsrp

2: Confirm whether preempt mode is turned on. Preempt mode will force a failover back to the master.

get config | i nsrp

To turn off preempt
unset nsrp vsd-group id preempt

3: Synchronize the real-time objects at the current backup device.

exec nsrp sync rto all from peer

4: Set the current master device as primary backup.

exec nsrp vsd-group mode pb

5: If the failover needs to be permanent, decrease the NSRP priority of device that you want to be the master.

set nsrp vsd-group id priority

Note: In NSRP, the device with the lowest the priority number is elected as the master if the current one fails or administratively set as inoperable or primary backup.

6: Verify the successful NSRP failover by running the “get nsrp” command.

Allowing communications between interfaces with the same security level on ASA

2010-04-13T09:11:00.000-07:00

By default, communications between interfaces with the same security level is not allowed.To allow communications, the following command must be entered:

same-security-traffic permit inter-interface

To view the security levels of an interface :

show nameif

Allowing multiple VPN clients behind the same nat device

2010-04-06T11:50:00.000-07:00

In order to accomplish this, you must create multiple Remote IDs (one for each user) located in the Security Gateway. The Client and Primary DNS suffix must also be updated.

Navigating between Unix and Screen OS partitions on SRX

2010-04-06T11:46:00.000-07:00

When your default shell is Screen OS (>), the following command takes you to Unix (%).
root@lab-srxfw1> start shell
root@lab-srxfw1%

If in the Unix shell, the following command takes you to screen OS
root@lab-srxfw1% cli

To go back to Unix
root@ab-srxfw1> exit

2010-03-30T14:43:00.001-07:00

Netl33ts search plugin

More Cisco ASA commands

2010-03-30T10:13:00.000-07:00

Show local-host displays connections and everything related to an ip.

To get total concurrent TCP connections, "show local-host | grep TCP flow". Next copy to notepad and find/replace "/unlimited" with a blank space. Import into excel and sum the count column

Additionally if you would like to view the active connections for a particular protocol:

"sh conn pro tcp port 80 detail"

The above command will list all active http connections

"show running-config | grep ^(ssh|https).*91.204.19" -the output will show both the "ssh" and "http" lines with 91.204.19 in it. The (ssh|http) expression just means that the line should include ssh OR http. Note that I also used a ^ which means as much as "each line beginning with the following character".

show startup-config errors

show proc mem
Displays memory usage per process

show mem detail

Configuring WCCP between an ASA and Ironport for caching

2010-03-23T09:39:00.000-07:00

Note: Interface ACls are not bypassed with WCCP. Traffic must first match the interface ACL before matching the wccp ACL.

On the ASA:

1. Allow the Ironport out through the firewall:

access-list acl_inside extended permit tcp host 192.168.1.1 any

2. Create a new acl containing the members of the wccp group. in our example, it is just 1 Ironport

access-list ironport-allow extended permit ip host 192.168.1.1 any

3. Create an acl that defines what traffic should be redirected to the Ironport

access-l ironport-forward extended permit tcp 192.168.1.0 255.255.255.0 any eq http

4. Configure wccp

wccp web-cache group-list ironport-allow redirect-list ironport-forward

5. Enable wccp on an interface.

wccp interface inside web-cache redirect in

6. Confirm configuration

show wccp

On the Ironport:
Network>Transparent Redirection
Choose WCCP v2 router> click Submit
Select Add service
Click Create a standard service ID, enter the ASA IP address in the box provided

Submit changes

Redundant ISPs on a Cisco ASA

2010-03-22T14:07:00.000-07:00

ISP redundancy can be achieved several different ways however we will focus mainly on achieving redundancy with the use of a backup default gateway.

Basically 2 interfaces need to be configured, each connected to a separate ISP.
Next an SLA monitor needs to be configured that will ping a device on the primary ISP:

sla monitor TRACK
type echo protocol ipIcmpEcho 192.168.1.1 interface outside
num-packets 3
frequency 10

Next the sla monitor is scheduled

sla monitor schedule TRACK life forever start-time now

Next create a track record that is used to map the sla monitor to your default route

track 1 rtr TRACK reachability

Now add the track record to your primary default route

route outside 0.0.0.0 0.0.0.0 192.168.1.254 1 track 1

A secondary default route can now be added for your backup interface

route backup 0.0.0.0 0.0.0.0 10.250.250.1 254

Also keep in mind that all inbound access will need to be duplicated for each ISP interface.
The same goes for any statics.

Cisco ASA Dynamic Access Policies (DAP)

2010-03-22T10:50:00.000-07:00

DAP Policies

DAP policies were introduced in 8.x to compliment authentication and filter policies for IPSEC, Remote Access, SSL VPNs as well as cut through proxies. Dap policies enhance AAA and group policy configurations by allowing dynamic decisions to be made without the need to reconfigure user, group, or VPN policies. For example, a dap policy can be defined assigning a user specific rights when he is a member of the ADMINS groups in AD and another set of rights if he is in the USERS group. The dap policy is read from top down, so if the Admin group dap policy has the highest priority, it will be enforced. Otherwise, the USERS group will be enforced.

Another feature of dap policies is the ability to assign access based on enpoint security features such as Antivirus software, applications installed, or Registry keys. For example, a dap policy can be used to specify that a user that has McAfee AV installed can have access to a file server and webmail. Conversely, users that do not have McAfee installed only have access to webmail.

The important thing to understand is that DAP policies are configured via ASDM only. A "show run" will not display the dap configuration because it is stored in a file called dap.xml. To view the contents of this file type : more dap.xml

To confirm that a VPN problem is not related to a DAP policy you can either run debugs (debug dap errors, debug dap trace) or you can test a DAP policy in ASDM by selecting VPN>Dynamic Access Policies> and clicking the Test button.

Configuring DAP policies:
Remote Access VPN>Dynamic Access Policies
The policy is enforced in order of priority.
Select Add and provide a name for the DAP policy.
Under the selection criteria, select "user has ANY of the following". If local authentication will be used, select cisco.username and type the name of the user. This will then require all local VPN users to be added to the attribute list below. More often, this feature will be used for AAA authentication. By choosing "ldap.memberOf", you can specifiy multiple group memberships that the user must be a member of to authenticate.

Select an action (continue will allow the access, terminate will reject).
Select the access-list that matches the traffic allowed. If this is for 1 tunnel, you can use the crypto acl. If this is for all tunnels, a non nat acl can be used.

Additional unsupported parameters can be configured that allow for third party applications like AV to be ran before allowing authentication. In addition, Dap policies can control web filters, file browsing capabilities, http proxies, and port forwarding.

For more information on DAP policies please refer to :
http://www.cisco.com/application/pdf/paws/108000/dap-deploy-guide.pdf

rtm monitor in Checkpoint

2010-03-10T11:11:00.000-08:00

This is a great way to provide trending statistics and troubleshoot bandwidth and throughput issues:

View the Smartview Monitor status
rtm drv stat

If Smartview Monitor is not running this command turns it on:
rtm drv on
rtmstart

rtm monitor [options]-g[entity-1…entity-n]

rtm monitor localhost -filter "[and[[interface 0 [[eth0in]]][svc 1 [telnet http]]]" -y C -g topsrc
Displays conncurrent connections for the top 50 sources pass on eth0 inbound that is not telnet or http.

rtm monitor localhost -filter -g topsvc
Displays the top 50 services passed on any interface in both directions

rtm monitor localhost hme1 -g topsvc -y b
Displays bytes per sec for top 50 services on interface hme1

Other switches:
-i number of seconds
Interface-name specif a specific interface
-y measurement units (bytes,packets, line)
C average concurrent connections
-g grouping optons (svc, src,dst,ip,fgrule,topsvc,topsrc,topdst,topfgrule)
svc monitor according to service
src according to a network object's source
dst
ip monitor src and dst
fgrule QOS rule
topsvc top 50 sources
topdst
topfwm top 50 firewall rules

How to globally change the expiration date of all users on Checkpoint

2010-03-10T10:47:00.000-08:00

Steps 1-3 are only required in a Provider environment.

1. SSH into the MLM for the customer and set your environment to the MLM IP
mdsenv

2. Next "cd $FWDIR" and type "pwd"

3. Confirm that you are placed into the MLM directory for the customer.

4. next run the following command:
fwm expdate

--

example: fwm expdate 02-12-2010

Resolving local logging issues on Checkpoint

2010-03-10T10:24:00.000-08:00

If logs are not appearing in Smartview Tracker, they are probably logging locally.
To determine if logs are being stored locally on the gateway, go to $FWDIR/log.
Locate the fw.log file and see if it's size is incrementing. There may also be additional fw*.log files that have rolled over.
To resolve the issue, first try restarting the MLM (in a Provider environment or the Log Services in a Smartcenter Server environment).
Next, restart the firewall services on the gateway (fw kill fwd followed by fwd).
If that does not work, try restarting the firewall.

Once resolved, you can pull the stored logs from the gateway by running "fw fetchlog " from the log server. In R70, there is also an option to fetch logs in Smartview Tracker (Tools>Remote Files Mgmt)

Allowing scp to SPLAT boxes

2010-03-09T18:01:00.000-08:00

cat /etc/scpusers look for the user name that will be sued to scp.
If the user does not exist: echo >> /etc/scpusers
In order to use WinSCP,
you must also issue the following to change admin's shell to bash:
chsh -s /bin/bash admin
Note: This is a security risk as this bypasses cpshell for this user. Use with
caution.

Configuring SNMP on SPLAT

2010-03-09T17:57:00.000-08:00

step 1: service snmpd restart
step 2: edit /etc/snmp/snmpd.users.conf and replace public with your actual
snmp community string
step 3: service snmpd restart
step 4: netstat -an | grep 161

for checkpoint snmpd port 260:

step 1: modify the $FWDIR/conf/snmp.C file and place the actual snmp
community inside the read and write (). If you leave the write empty,
it will use "private" as the community string. This is a security risk.

step 2: run sysconfig and start the checkpoint snmpd extension

step 3: perform cpstop;cpstart

step 4: netstat -an | grep 260

Running fsck on a flash based system

2010-03-09T17:50:00.001-08:00

fsck -fyb 32

Examining a Screen OS debug packet

2010-03-09T17:30:00.000-08:00

ethernet0/1:10.1.1.1/17152->192.168.1.1/256,1(8/0)
Protocol is 1 (ICMP).
Type 8: Echo
Code 0: No Code
Result:10.1.1.1 is sending an ping to 192.168.1.1

Here is an example of how understanding the type codes could help in troubleshooting a problem.
ethernet0.1:4:10.1.1.1/514->10.17.3.3/1051,1(3/3)
Type 3: Destination Unreachable
Code 3: Port Unreachable

Screen OS Snoop

2010-03-09T15:35:00.000-08:00

The snoop command is the closest you will get to a tcpdump on a Netscreen running ScreenOS. It will display requested info on all traversing interfaces.

clear dbuf clears the debug output

snoop enables snoop

snoop filter ip

snoop filter ip 10.10.0.1 port 22 interface Untrust direction both

snoop filter ip src-ip 10.1.2.1 dst-ip 192.168.1.2 src-port 80

snoop detail len 1514 turns on full packet capture(as opposed to headers)

snoop off turns off snoop

Snoop info displays the snoop status

get bd stream displays L2,3 and 4 headers of each incoming (i) and outgoing (o) packet.

get db stream > tftp send output to tftp

Sample output: Here is an example of a packet entering on eth1/2 (i) and exiting on eth1/1(o). It also shows that the destination is also translated.

11358520.0: ethernet1/2(i) len=98:0006d6b83019->0010dbff2080/0800
10.1.1.1 -> 192.168.1.1/1
vhl=45, tos=00, id=0, frag=4000, ttl=42 tlen=84
icmp:type=8, code=0

11358520.0: ethernet1/1(o) len=98:0010dbff2070->002347b4ce80/0800
10.1.1.1 -> 172.16.1.1/1
vhl=45, tos=00, id=0, f

Adding or removing static routes in NSM

2010-03-07T13:06:00.000-08:00

Networks> Virtual Routes
From here double click on the virtual router that contains the route in question.

Changing the ASDM and SSL VPN port on the Cisco ASA

2010-03-07T13:03:00.000-08:00

This command is useful when implementing SSL VPN, which uses tcp port 443 by default.

ASA(config)# http server enable 444
ASA(config)# http 100.100.100.1 255.255.255.255 outside
ASA(config)# webvpn
ASA(config-webvpn)# enable outside
For the above scenario, ASDM listens on port 444 while SSL VPN uses the default port 443. With this configuration, the remote administrator user on address 100.100.100.1 initiates ASDM sessions by entering https://:444 in the browser. Normal SSL VPN users initiate SSL VPN sessions by entering https://
B. Change the port of SSL VPN
ASA(config)# http server enable
ASA(config)# http 100.100.100.1 255.255.255.255 outside
ASA(config)# webvpn
ASA(config-webvpn)# port 444
ASA(config-webvpn)# enable outside
For the above scenario, ASDM listens on default port 443 while SSL VPN uses port 444. With this configuration, the remote administrator user on address 100.100.100.1 initiates ASDM sessions by entering https:// in the browser. Normal SSL VPN users initiate SSL VPN sessions by entering https://:444

Cisco Anyconnect sample config

2010-03-07T13:00:00.000-08:00

config t
webvpn
svc image disk0:/anyconnect-win-2.0.0343-k9.pkg 1
! this is a customerized vpn profile, if client does not needed, you can remove the following line using cisco default
! svc profiles VitalProf disk0:/vpn-vig-tdc.xml
tunnel-group-list enable
enable outside
svc enable
exit
ip local pool SSLClientPool 192.168.100.1-192.168.100.50 mask 255.255.255.0
access-list NONAT extended permit ip 192.168.5.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list vpnssl-split extended permit ip 192.168.5.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list NONAT
username userA password test123
username userA attributes
service-type remote-access
exit
username userB password test12345
username userB attributes
service-type remote-access
exit
group-policy SSLCLientPolicy internal
group-policy SSLCLientPolicy attributes
dns-server value 192.168.1.51 192.168.1.61
wins-server value 192.168.1.51 192.168.1.61
address-pools value SSLClientPool
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnssl-split
webvpn
vpn-tunnel-protocol svc
svc keep-installer installed
!svc profiles value VitalProf
exit

sysopt connection permit-vpn
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
default-group-policy SSLCLientPolicy
tunnel-group SSLClientProfile webvpn-attributes
group-alias SSLVPNClient enable
exit
wr mem
wr stand

debug command
sh vpn-sessiondb svc,
please be noticed, the default license for asa for web vpn or ssl vpn is only 2, you need to notify the client for this license limitation

Creating a Read Only SPLAT user

2010-03-07T12:56:00.000-08:00

Creating a user
1. SSH to the firewall where account will be setup on.
2. From the command line type “adduser ”, here we will add the user with username testuser. The command should read “adduser testuser”
3. Input the desired password when prompted to do so

Changing the users shell
1. Open the passwd file for editing by typing “vi /etc/passwd”
2. Find the line corresponding to the user you just created. If you have created a user with username “testuser”, the line you are looking for is “testuser:x:0:0::/home/test:/bin/cpshell”
3. Change the users shell, to do this we will change “/bin/cpshell” to “/path/to/shell”.
Before the change the line should read:
“testuser:x:0:0::/home/test:/bin/cpshell”
After the change the line will read:
“testuser:x:0:0::/home/test:/etc/scripts/myshell.sh”

Modifying the SPLAT Webmanager port

2010-03-07T12:53:00.000-08:00

The SecurePlatform WebUI default access port is HTTPS 443.

To change it, log in to the SecurePlatform CLI in Standard mode, and run the following command:

webui enable

The firewall presents the following output:

Shutting down cp_http_server_wd [OK]

Shutting down cpwmd_wd [OK]

Running cp_http_server_wd [OK]

Running cpwmd_wd [OK]

To disable access to the WebUI, run the command:

webui disable

Creating a self signed SSL vertificate on an ASA

2010-03-03T18:41:00.000-08:00

asa(config)#crypto key generate rsa label sslvpnkey
asa(config)#crypto ca trustpoint localtrust
asa(config-ca-trustpoint)#enrollment self
asa(config-ca-trustpoint)#fqdn sslvpn. mycompany.com
asa(config-ca-trustpoint)#subject-name CN=sslvpn.mycompany.com
asa(config-ca-trustpoint)#keypair sslvpnkey
asa(config-ca-trustpoint)#crypto ca enroll localtrust noconfirm
asa(config)# ssl trust-point localtrust outside

Show crypto ca certificate displays the cert

Checkpoint port list

2010-03-03T10:19:00.001-08:00

TCP 256: CA and DH key exchange, net topology fetch on older SC versions, and port used to push policy to remote firewalls.

TCP 257: Logging

TCP 258: Mgt console listens for remote GUI connections

TCP 259: Client Auth via telnet

UDP 259: manages encrypted sessions

UDP 260: SNMP for the Checkpoint daemon

TCP 262: Single Sign-on daemon.

TCP 264: SC topology fetch.

UDP 500: ISAKMP

TCP 900: HTTP client auth.

TCP 4532: Session Auth agent

TCP 18181: Content Vectoring Protocol

TCP 18182: URL Filtering Protocol.

TCP 18183: Suspecious Activity Monitoring for IPS.

TCP 18186: SIC between OPSEC products and the gateway.

TCP 18190: Gateway listens for management clients.

TCP 18191: CPD process for communications such as policy installation and certificate revocation.

TCP 18192: CPD monitoring

Trobleshooting the Checkpoint Daemon (CPD)

2010-03-03T10:03:00.001-08:00

The cpd process is responsible for all inter-module communications, and therefore plays a role in SIC initilization.

To check whether the Checkpoint Daemon (cpd) is running, run the following command:
ps -aux | grep cpd

The cpwd_admin list command will also display the status of the daemon.

Cat the $CPDIR/log/cpd.elg file. Look for any indication of a problem.

To restart the daemon:

$CPDIR/bin/cpd &

To debug the daemon (for example, if the daemon is stopping):

cpd_admin debug on TDERROR_ALL_ALL=5 ; cpd_admin debug on OPSEC_DEBUG_LEVEL=3

Once CPD dies on both, they should come back up in non-debug mode, but just to be safe run...

cpd_admin debug off ; cpd_admin debug off

Next generate a cpinfo and send the results to Checkpoint:

cpinfo -z -o

Also you can enable a CPD daemon core dump by doing the following:
1) Run 'um_core enable'
2) Run 'ulimit -c unlimited'
3) reboot

Once the daemon dies again, the core will be dumped to /var/log/dump/usermode

Display top sources using tcpdump

2010-02-15T09:26:00.001-08:00

If you need to know the top sources of traffic in real time, you can run the following command:

tcpdump -tnn -c 20000 -i eth0 | awk -F "." '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort -nr | awk ' $1 > 100 '

Replace eth0 with the name of the interface that you are working on and change 20000 to a higher number if you want to capture more traffic.

Sample output:
tcpdump: listening on eth3c0
363 I 204.1.1.1
287 O 212.1.1.1
161 I 204.1.1.1
152 O 204.1.1.1
137 I 204.1.1.1
122 I 204.1.1.1
105 O 203.1.1.1
89 O 10.1.1.1
56 O 10.1.1.1

Display top destination ports using tcpdump

2010-02-15T09:24:00.000-08:00

tcpdump -tnn -c 2000 -i eth2c0 | awk -F "." '{print $9}' | awk -F ":" '{print $1}' | sort | uniq -c | sort -nr | awk ' $1 > 50 '

Modifying the script to fit your needs:

-c is the number of packets to capture

-i is the interface to capture on

"> 50" will display the counts over 50

Sample output:
hafw1[admin]# tcpdump -tnn -c 2000 -i eth2c0 | awk -F "." '{print $9}' | awk -F ":" '{print $1}' | sort | uniq -c | sort -nr | awk ' $1 > 10 '
tcpdump: listening on eth2c0
442 80
151 443
129 8443
128 1749
71 1748
53 4620

BlueCoat appliance LED guide

2010-02-01T09:51:00.001-08:00

LED reference guide:

210 Model:

Disk LED:

Green- drive being accessed

Off- no disk activity

Net Adapter:

Off- no link

Green- Link is up

Flashing green to amber- Link is up and network activity is occuring

System indicator:

Off- nothing to report or not powered on

Green- Unit is healthy

Amber- Unit is unhealthy. Perform maintenance check before it becomes critical

Flashing green to amber- critically unhealthy

510/810 Model:

Disk drive:

Off-drive not connected

Green-drive being accessed

Solid amber-drive not well

LCD display- illuminates when the Proxy SG is powered up. The front panel LCD turns off after 30 seconds. This is configurable.

Defining proxy rules on the Proxy SG

2010-02-01T09:48:00.000-08:00

The Visual Policy Manager (VPM) is graphical policy editor included with the ProxySG. VPM allows

you to define Web access and resource control policies without having an in-depth knowledge of Blue

Coat Systems Content Policy Language (CPL) and without the need to manually edit policy files.

This chapter

Policies tell the Proxy SG what to do with intercepted traffic.

Traffic can be forwarded, blocked, redirected to another host or port, sent for webfiltering or AV scanning, etc.

Standard policies are created in the Visual Policy Manager and more complex policies are configured on the command line CPL (not covered here).

Like most policies, the VPN is read from top down in the following order:

• Administration Authentication—Determines how administrators accessing ProxySG must

authenticate.

• Administration Access—Determines who can access the ProxySG to perform administration

tasks.

• DNS Access—Determines how the ProxySG processes DNS requests.

• SOCKS Authentication—Determines the method of authentication for that access the proxy

through SOCKS.

• Web Authentication—Determines whether user clients that access the proxy or the Web must

authenticate.

• Web Access—Determines what user clients accessing the proxy or the Web can access and any

restrictions that apply.

• Web Content—Determines caching behavior, such as verification and ICAP redirection.

• Forwarding—Determines forwarding hosts and methods. Unlike most policies, each policy can have multiple layers. For example, there can be several Web Authentication layers. In the event that multiple layers exist, enforcement is read from left to right. When a hit is made on a particular layer, it then proceeds to the next layer to the right. THE ACTION OF THE LAST LAYER WILL BE ENFORCED.

NOTE:

If a policy is configured to bypass, the proxy traffic must be transparent since all explicit traffic is directed to the proxy server itself and a bypass rule is telling the proxy to ignore this traffic.

After new policies are created, they must be installed by selecting File>Install Policies. If this is not done, all new policies will be lost once the VPM is closed.

However new rules can be created and disabled.

Defining proxied services on the Proxy SG

2010-02-01T09:47:00.000-08:00

Service Groups dictate whether policy is bypassed or intercepted and are defined by port and address range.

Additionally, there is a port detection utility that can be used to detect services over non-standard ports.

Services are configured in the following location:

Configuration> Services>Proxy Services.

If a service is not defined here, it will not be proxied (bypassed).

The proxy drop down in the service creation screen defines which proxy service (aka client worker) handles the traffic. For example, if an http service is created and the proxy service is TCP-Tunnel, the traffic will be evaluated at the tcp layer only. If HTTP is selected, more checks can be performed on the traffic.

If there are overlapping services, the more specific service will be used (for example if one service uses a network and the other uses a host, and both match traffic, the host configuration will be used).

If a service is configured to intercept traffic, policies are checked to determine the action.

If the client connects explicitly to the ProxySG but there is not a service matching that connection that is set to intercept, the connection is refused and the client displays an error.

When the client is transparently proxied, there is a difference between bridging mode and all other transparent proxy deployments. In bridging mode the traffis is allowed to reach the requested origin content server. For all other deployments, verify that the settting ENABLE IP FORWARDING in the management console under Config>Network>Routing>gateways is checked.

Traffic flow:

1.All traffic is processed at the network layer. If traffic matched the bypass list the traffic is passed.

2.The remaining traffic is processed at the service level. If it matches an intercept, the proces moves to step 3.

3.Intercepted traffic goes through policy processing.