SYMPTOMS
Monday, 21 January 2013
Removing old Check Point packages and files after an upgrade
Tuesday, 8 January 2013
Checkpoint IPSec VPN with Non-Checkpoint Products (Such as, PFsense, DrayTek etc.)
Non-Check Point products do not have the "ike_use_largest_possible_subnets" (supernetting) feature, which is why we need to disable that feature on Check Point.
(Exchanging keys with another vendor's gateway uses the largest possible subnet: by default, Check Point uses the best possible subnet to increase performance during IKE key exchanges.)
First of all, DNS packets should not be allowed; otherwise this results in DNS resolution problems for VPN domains.
------------------------------------------------------------------------------------
# dbedit
Enter Server name (ENTER for 'localhost'):
Enter User Name: fwadmin
Enter User Password: abc123
Friday, 21 December 2012
Checkpoint Policy Installation (a lot of buggy stuff)
- No traffic
- While installing policy, a lot of meaningless messages
First, check whether /opt is full or not. It is vital, believe me.
Tufin - Accelerate Policy analysis calculations & Increase the amount of memory for Java
These configs are tested on 12.2 HF6;
1. Accelerate Policy analysis calculations.
Instruction:
1. Log in to SecureTrack’s GUI.
2. Add stcgitest.htm at the end of the address (Example: https://192.168.1.1/stcgitest.htm).
3. Choose ‘Edit stconf’.
4. Click ‘Fetch current conf’.
5. Change the following XML tag from "0" to "1":
<is_calc_topology_based_on_JAVA>1</is_calc_topology_based_on_JAVA>
6. Save the new configuration by clicking ‘Submit new conf’ on the bottom of the screen.
2. Increase the amount of memory which can be allocated for Java:
Instruction:
1. Log in to SecureTrack’s CLI as root.
2. Run the command: #vi /usr/jboss-4.2.2.GA/bin/run.conf
3. Find line: JAVA_OPTS="$JAVA_OPTS -Xms512m -Xmx1024m
4. Change to: JAVA_OPTS="$JAVA_OPTS -Xms1024m -Xmx4096m
5. Save the file and exit.
6. Run the command: #service jboss restart
Tufin Syslog Debug & St Info
SYSLOG Debug
1. Log in to SecureTrack CLI as ‘root’.
2. Run the command: #tcpdump -i eth0 -vv -w /tmp/Tufin.pcap -s 1500 src <ip address of device> and udp dst port 514
3. Edit the file: vi /etc/sysconfig/stconf.xml
a. Find the line <DetailLevel>normal</DetailLevel> and change ‘normal’ to ‘fine’.
b. Add the tag: <Number_Of_Syslog_Message_Handlers>1</Number_Of_Syslog_Message_Handlers>
c. Save & exit
4. Run the following commands:
#tail -F /var/log/st/syslog_message_handler_0 > /tmp/syslog_message_handler.log &
#tail -F /var/log/st/syslog_change_log_manager >/tmp/syslog_change_log_manager.log &
#tail -F /var/log/st/syslog_traffic_log_manager >/tmp/syslog_traffic_log_manager.log &
5. Run the command #st restart syslog
6. Commit a change on the device (e.g. add a comment) and wait approximately 5 minutes. Wait for the issue to reproduce.
7. Stop writing to temp logs (#killall tail).
8. Revert the changes in /etc/sysconfig/stconf.xml
9. Run #st restart syslog
10. Send me the log files + /tmp/Tufin.pcap
-------------------------------------------
st info is similar to cpinfo in Check Point; it collects Tufin's full config, not the monitored device revisions or policies.
Part 2: Create STINFO file.
1. Log in to SecureTrack’s CLI as root.
2. Run the command #st info
Juniper SSG - NS (config buffer problem)
Symptoms
The problem is caused by the buffer size: when Tufin initiates "get config", the device displays only a limited part of the full config. This creates a problem while Tufin is trying to get the full configuration;
Connection error! Reason:
Connection closed by foreign host.
Solution
set console page 0
> set cli screen-length 0
This allows Tufin to get the full configuration, as the Juniper device no longer limits its display to a limited buffer.
Tufin Troubleshooting
Device Specific Communication Problems
1. The version of SecureTrack; please verify this by running the #st ver command from the CLI.
2. The output of the #top -cd1 command.
1) Raise the debug level to high:
# sed -i 's/expect --/expect -d/g' /usr/local/st/*login
# sed -i 's/normal/fine/1' /etc/sysconfig/stconf.xml
2) Then use tail for each one of the log files of the problematic device:
# tail -F /var/log/st/securetrack.client.<Device_IP>_<ID> > /tmp/device1.log
Make sure to use a capital F ('#tail -F')
3) Then run the command:
'#st restart'
4) Wait for 10 minutes (depends on the current timeout you have defined) and let the tail -F collect all information needed.
5) Send all /tmp/client<IP>.log files to the support engineer.
7) When you have finished please run:
# sed -i 's/expect -d/expect --/g' /usr/local/st/*login
# sed -i 's/fine/normal/1' /etc/sysconfig/stconf.xml
# st restart
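An added example (not from the original post or from Tufin): the sed commands above replace the first "normal" or "fine" on every line of stconf.xml, so the revert can also rewrite unrelated text such as the word "defined". This sketch limits the change to the <DetailLevel> element used in both debug procedures and keeps a backup; the function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: change only the <DetailLevel> element and keep a backup.

# set_detail_level FILE LEVEL  (LEVEL is one of the two values the page uses)
set_detail_level() {
    conf=$1
    level=$2
    case $level in
        normal|fine) ;;
        *) echo "unsupported level: $level" >&2; return 2 ;;
    esac
    if ! grep -q '<DetailLevel>[^<]*</DetailLevel>' "$conf"; then
        echo "no <DetailLevel> element in $conf" >&2
        return 1
    fi
    # Keep the first pre-change copy so the original can always be restored.
    [ -e "$conf.orig" ] || cp -p "$conf" "$conf.orig"
    tmp=$(mktemp) || return 1
    sed "s|<DetailLevel>[^<]*</DetailLevel>|<DetailLevel>$level</DetailLevel>|" \
        "$conf" > "$tmp" && cat "$tmp" > "$conf"   # cat keeps owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# get_detail_level FILE: print the current DetailLevel value.
get_detail_level() {
    sed -n 's|.*<DetailLevel>\([^<]*\)</DetailLevel>.*|\1|p' "$1" | head -n 1
}

# Constructed sample; only the DetailLevel tag comes from the page.
make_sample_conf() {
    cat > "$1" <<'EOF'
<conf>
  <DetailLevel>normal</DetailLevel>
  <example_mode>normal</example_mode>
  <example_note>timeout defined by admin</example_note>
</conf>
EOF
}

# Usage with the path from the page:
#   set_detail_level /etc/sysconfig/stconf.xml fine    # before "st restart"
#   set_detail_level /etc/sysconfig/stconf.xml normal  # when finished
```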
Tuesday, 23 October 2012
Python
- Mac OS X
- Linux
----------------------------------------------------------
3. Windows binary [x86, x64] .msi
*NIX tarball [tgz, tar.bz2]
traditional unix word - install manually (compressed archive files)
-----------------------------------------------------------
Install everything for windows
Python
- Register Extension
- TCL/Tk
- Documentation
- Test suite
------------------------------------------------------------
RPM (redhat, fedora)
.deb (ubuntu) - APT (apt-get)
yum (redhat GUI installation package)
source (configure, make, install)
------------------------------------------------------------
.py
Monday, 22 October 2012
Disabling SNX Service (Outbound link of Security Gateway)
Disabling SNX Problem.
When you uncheck SSL Extender and SecureClient Mobile under the VPN Clients tab (Gateway Properties), the SNX service running on http/https (outbound link of the FW) is disabled as well.
thanks
Friday, 5 October 2012
Login to CP FW with Your Public Key & Changing CP Root Password
After logging in with a public key, there was a problem switching to root access with the su - command.
When you type and change the root password with...
#passwd
Although it says the root password has changed, it does not change (like a bug).
To solve this issue:
After you give a password to root with the command below
#/usr/bin/passwd root
then changing the mode with '#chmod 4755 /bin/su' is enough to resolve the problem. Now you can get from your user account (logged in with the public key) to root access.
In my understanding, there is a permission issue on the directory placed above which does not allow us to change the root password (although it never says so).
adios.