Monday, 4 February 2013

VPN Debugging – Check Point

vpn debug on // vpn debug off   (vpnd daemon debug, written to $FWDIR/log/vpnd.elg)

vpn debug ikeon // vpn debug ikeoff   (IKE negotiation debug, written to $FWDIR/log/ike.elg; vpn debug trunc truncates both logs and turns both debugs on in one go)

vpn tu // TunnelUtil menu: delete the IKE/IPsec SAs for the peer you are about to test (or for all peers), so the next packet forces a fresh negotiation that shows up in ike.elg.
fw monitor -e 'accept src=IP or dst=IP;'

SmartDashboard Connectivity Issues

cpwd_admin list // check whether the FWM process is up

fw debug fwm on TDERROR_ALL_ALL=5   (turn it off again with fw debug fwm off TDERROR_ALL_ALL=0)

tail -f $FWDIR/log/fwm.elg

Network Troubleshooting – Check Point

route -n > routes.txt

ifconfig -a > interfaces.txt

Check whether SecureXL is enabled or disabled (fwaccel stat, or via cpconfig). While SecureXL is on, fw monitor only sees packets that are not accelerated, so run fwaccel off for the duration of the capture and fwaccel on afterwards.

fw monitor -e "accept src=IP_Number or dst=IP_Number;" -o monitor.out
fw ctl zdebug + drop > ctlzdebug.txt   (kernel drop log; fw ctl debug 0 resets the debug flags if the session is cut short)

[to stop the logging, press Ctrl + C]
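The commands from the two sections above, wrapped so that debug cannot be left running, as an added example that is not part of the original post. It assumes expert mode on a Check Point gateway with fw, fwaccel, route and ifconfig in PATH; the function names (is_ipv4, fwmon_filter, capture_drops) and the output directory layout are mine, and DRY_RUN=1 only echoes the commands so the script can be exercised off-box.

```shell
#!/bin/sh
# Added example, not from the original notes: a wrapper around the capture
# commands above that validates the IPs before splicing them into the fw monitor
# filter and always turns kernel debug off and SecureXL back on when it ends.
# Assumed: runs in expert mode on a Check Point gateway with fw, fwaccel, route
# and ifconfig in PATH. DRY_RUN=1 prints each command instead of executing it.

# is_ipv4 ADDR : returns 0 if ADDR is a dotted quad with every octet in 0-255
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# fwmon_filter A B : INSPECT filter for all traffic between hosts A and B
fwmon_filter() {
    is_ipv4 "$1" && is_ipv4 "$2" || return 1
    printf 'accept (src=%s and dst=%s) or (src=%s and dst=%s);' "$1" "$2" "$2" "$1"
}

# run CMD... : execute CMD, or only echo it when DRY_RUN is set
run() {
    if [ -n "$DRY_RUN" ]; then echo "+ $*"; else "$@"; fi
}

# capture_drops A B [OUTDIR] [SECONDS] : routes, interfaces, SecureXL state,
# an fw monitor trace and the kernel drop log, collected into OUTDIR
capture_drops() {
    a=$1; b=$2; outdir=${3:-/var/tmp/cpdebug}; secs=${4:-60}
    filt=$(fwmon_filter "$a" "$b") || { echo "usage: capture_drops IP IP [dir] [secs]" >&2; return 1; }
    mkdir -p "$outdir" || return 1
    # whatever happens, do not leave debug flags on or SecureXL off
    trap 'run fw ctl debug 0; run fwaccel on' EXIT INT TERM
    run route -n      > "$outdir/routes.txt"
    run ifconfig -a   > "$outdir/interfaces.txt"
    run fwaccel stat  > "$outdir/fwaccel.txt"
    run fwaccel off                   # fw monitor does not see accelerated packets
    run fw monitor -e "$filt" -o "$outdir/monitor.out" &
    mon=$!
    run fw ctl zdebug + drop > "$outdir/zdebug_drop.txt" &
    zdb=$!
    sleep "$secs"
    kill "$mon" "$zdb" 2>/dev/null || true
    wait "$mon" "$zdb" 2>/dev/null || true
    run fw ctl debug 0                # zdebug killed by signal may leave flags set
    run fwaccel on
    trap - EXIT INT TERM
    echo "$outdir"
}

# stand-alone use: ./capture_drops.sh 10.1.1.1 10.2.2.2 /var/tmp/cpdebug 60
if [ "$#" -gt 0 ]; then capture_drops "$@"; fi
```

fwaccel off is gateway-wide and costs throughput for as long as it is off, so keep the capture window short. The script switches SecureXL back on unconditionally at the end; if it was deliberately disabled before the capture, fwaccel.txt records that and you can turn it off again. The IP check is there so a typo fails before anything is switched off rather than producing an empty trace after the capture window.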

Monday, 21 January 2013

Removing old Check Point packages and files after an upgrade

Check Point has released a handy script that erases the old CP packages and files left behind by upgrades, which otherwise cause disk space problems later on. Here it is:
Solution ID: sk91060
Product: Security Gateway, Security Management, 2012 Models Security Appliances, UTM-1, Power-1, Smart-1
Version: R70, R71, R75, R75.10, R75.20, R75.30, R75.40, R75.40VS
OS: SecurePlatform 2.6, Gaia
Platform / Model: All
Date Created: 08-Jan-2013
Last Modified: 20-Jan-2013
  • After an upgrade, the packages of the old version are not deleted automatically.

    For example, when upgrading from R71 to R75, the old R71 packages and files remain on the system. This can lead to a disk space issue, especially after several upgrades.

Tuesday, 8 January 2013

Check Point IPsec VPN with non-Check Point products (such as pfSense, DrayTek, etc.)

Non-Check Point products do not implement Check Point's "ike_use_largest_possible_subnets" (supernetting) behaviour, which is why the feature has to be disabled on the Check Point side.
(By default Check Point proposes the largest possible subnet in the IKE Phase 2 exchange, merging adjacent encryption-domain networks into one supernet so that fewer SAs have to be negotiated; a third-party gateway expects the exact subnets from its own VPN definition, so the proposal does not match and Phase 2 fails.)

DNS traffic should not be allowed through first; otherwise it results in DNS resolution problems for the VPN domains.

# dbedit

Enter Server name (ENTER for 'localhost'):

Enter User Name: fwadmin

Enter User Password: abc123
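The same change applied from a script instead of the interactive prompt, as an added example that is not part of the original post. The attribute name is the one from the text above; that it lives in the properties table under the firewall_properties object, and that dbedit accepts -local -f on the Security Management server, are assumptions from the Check Point object database layout rather than anything the post states. Install policy afterwards so the gateway picks up the new value.

```shell
#!/bin/sh
# Added example, not from the original post: apply the change without typing at
# the dbedit prompt. The attribute name comes from the notes above; the table
# (properties) and object (firewall_properties) that hold it are an assumption
# from the Check Point object database layout, as is using "dbedit -local -f"
# on the Security Management server. Install policy afterwards so the gateway
# gets the new value. DRY_RUN=1 prints the dbedit call instead of running it.

# write_dbedit_cmds FILE true|false : the command script dbedit will execute
write_dbedit_cmds() {
    case "$2" in true|false) ;; *) echo "value must be true or false" >&2; return 1 ;; esac
    cat > "$1" <<EOF
modify properties firewall_properties ike_use_largest_possible_subnets $2
update properties firewall_properties
quit
EOF
}

# set_supernetting true|false : run the script against the local database
set_supernetting() {
    cmds=$(mktemp) || return 1
    write_dbedit_cmds "$cmds" "$1" || { rm -f "$cmds"; return 1; }
    if [ -n "$DRY_RUN" ]; then
        echo "+ dbedit -local -f $cmds"; cat "$cmds"; rc=0
    else
        dbedit -local -f "$cmds"; rc=$?
    fi
    rm -f "$cmds"
    return $rc
}

# stand-alone use on the management server: ./supernetting.sh false
if [ "$#" -gt 0 ]; then set_supernetting "$1"; fi
```

The value is restricted to true/false before anything is written, so a typo cannot end up as a malformed property in the database; "update" is what commits the modified object, and "quit" stops dbedit from waiting on stdin when it is fed a file.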

Friday, 21 December 2012

Check Point Policy Installation (a lot of buggy stuff)

- No traffic
- While installing policy, a lot of non-meaningful messages

First, check whether /opt is full. It is vital, believe me.

Tufin - Accelerate Policy analysis calculations & Increase the amount of memory for Java

These settings were tested on SecureTrack 12.2 HF6:

1. Accelerate Policy analysis calculations.

1. Log in to SecureTrack's GUI.
2. Add stcgitest.htm at the end of the address (Example:
3. Choose 'Edit stconf'.
4. Click 'Fetch current conf'.
5. Change the following XML tag from "0" to "1": <is_calc_topology_based_on_JAVA>1</is_calc_topology_based_on_JAVA>
6. Save the new configuration by clicking 'Submit new conf' at the bottom of the screen.

2. Increase the amount of memory which can be allocated for Java:

1. Log in to SecureTrack's CLI as root.
2. Run the command: # vi /usr/jboss-4.2.2.GA/bin/run.conf
3. Find the line: JAVA_OPTS="$JAVA_OPTS -Xms512m -Xmx1024m"
4. Change it to: JAVA_OPTS="$JAVA_OPTS -Xms1024m -Xmx4096m"
5. Save the file and exit.
6. Run the command: # service jboss restart

A 4 GB heap needs a 64-bit JVM and enough physical memory to back it; check the available RAM before raising -Xmx, otherwise the JVM refuses to start or the box starts swapping.

Tufin Syslog Debug & st info

1. Log in to SecureTrack CLI as root.
2. Run the command: # tcpdump -i eth0 -vv -w /tmp/Tufin.pcap -s 1500 src <ip address of device> and udp dst port 514
   (it runs until stopped, so start it in a second session or background it with &)
3. Edit the file: vi /etc/sysconfig/stconf.xml
   a. Find the line <DetailLevel>normal</DetailLevel> and change 'normal' to 'fine'.
   b. Add the tag: <Number_Of_Syslog_Message_Handlers>1</Number_Of_Syslog_Message_Handlers>
   c. Save & exit.
4. Run the following commands:
# tail -F /var/log/st/syslog_message_handler_0 > /tmp/syslog_message_handler.log &
# tail -F /var/log/st/syslog_change_log_manager > /tmp/syslog_change_log_manager.log &
# tail -F /var/log/st/syslog_traffic_log_manager > /tmp/syslog_traffic_log_manager.log &

5. Run the command: # st restart syslog
6. Commit a change on the device (e.g. add a comment) and wait approximately 5 minutes for the issue to reproduce.
7. Stop writing to the temp logs (# killall tail).
8. Revert the changes in /etc/sysconfig/stconf.xml.
9. Run # st restart syslog
10. Send the log files and /tmp/Tufin.pcap to the support engineer.

st info is similar to cpinfo in Check Point: it collects Tufin's full configuration, not the monitored devices' revisions or policies.

Part 2: Create the STINFO file.

1. Log in to SecureTrack's CLI as root.
2. Run the command: # st info

Juniper SSG / NetScreen (config buffer problem)

It is caused by CLI paging: when Tufin runs "get config", the device returns only the first screenful of the configuration and then waits at the "more" prompt, so Tufin's session fails while it is trying to get the full configuration:

Connection error! Reason:
Connection closed by foreign host.

Disable paging on the device. On ScreenOS (SSG/NetScreen), then save so it survives a reboot:

set console page 0
save

On Junos, in operational mode (this applies to the current session only):

> set cli screen-length 0

This allows Tufin to get the full configuration, because the device no longer stops its output after a limited number of lines.

Tufin Troubleshooting

Device Specific Communication Problems

Information to collect first:

1. The version of SecureTrack; verify it by running # st ver from the CLI.
2. The output of # top -cd1.

1) Raise the debug level to high (expect -d traces the login scripts, DetailLevel fine raises the SecureTrack log level):
# sed -i 's/expect --/expect -d/g' /usr/local/st/*login
# sed -i 's#<DetailLevel>normal</DetailLevel>#<DetailLevel>fine</DetailLevel>#' /etc/sysconfig/stconf.xml

2) Then tail each of the log files of the problematic device:
# tail -F /var/log/st/securetrack.client.<Device_IP>_<ID> > /tmp/client<Device_IP>.log &

Make sure to use a capital F ('tail -F') so the tail keeps following the file when it is rotated or recreated.

3) Then run the command:
# st restart

4) Wait for 10 minutes (depends on the current timeout you have defined) and let tail -F collect all the information needed.

5) Send all /tmp/client<Device_IP>.log files to the support engineer.

6) When you have finished, revert the debug settings:
# sed -i 's/expect -d/expect --/g' /usr/local/st/*login
# sed -i 's#<DetailLevel>fine</DetailLevel>#<DetailLevel>normal</DetailLevel>#' /etc/sysconfig/stconf.xml
# st restart
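The SecureTrack file edits from the three procedures above (the JBoss heap in run.conf, <DetailLevel> in stconf.xml, and "expect -d" in the login scripts) as functions that can be checked on a copy of the file before they are run on the box, as an added example that is not part of the original notes. The paths and values are the ones quoted in the notes; the function names are mine, and only tufin_debug_session touches a live system (nothing in the file calls it).

```shell
#!/bin/sh
# Added example, not part of the original notes: the SecureTrack file edits from
# the procedures above as functions that take the file path as an argument,
# keep a .bak copy of the first pristine version, and refuse to touch a file
# that does not contain the line they expect. Paths and values are the ones
# quoted in the notes; only tufin_debug_session runs against a live box.

# backup_once FILE : copy FILE to FILE.bak unless a .bak already exists
backup_once() { [ -e "$1.bak" ] || cp -p "$1" "$1.bak"; }

# set_java_heap FILE XMS_MB XMX_MB : rewrite -Xms/-Xmx on the JAVA_OPTS line
set_java_heap() {
    f=$1; xms=$2; xmx=$3
    n=$(grep -c -- '-Xms[0-9]*m -Xmx[0-9]*m' "$f" || true)
    [ "$n" -eq 1 ] || { echo "$f: expected one -Xms/-Xmx line, found $n" >&2; return 1; }
    backup_once "$f" || return 1
    sed -i "s/-Xms[0-9]*m -Xmx[0-9]*m/-Xms${xms}m -Xmx${xmx}m/" "$f"
}

# set_stconf_detail FILE normal|fine : change only the <DetailLevel> tag
set_stconf_detail() {
    f=$1; lvl=$2
    case "$lvl" in normal|fine) ;; *) echo "level must be normal or fine" >&2; return 1 ;; esac
    grep -q '<DetailLevel>[a-z]*</DetailLevel>' "$f" || { echo "$f: no <DetailLevel> tag" >&2; return 1; }
    backup_once "$f" || return 1
    sed -i "s#<DetailLevel>[a-z]*</DetailLevel>#<DetailLevel>${lvl}</DetailLevel>#" "$f"
}

# get_stconf_detail FILE : print the current <DetailLevel> value
get_stconf_detail() { sed -n 's#.*<DetailLevel>\([a-z]*\)</DetailLevel>.*#\1#p' "$1"; }

# set_expect_debug on|off FILE... : toggle "expect --" / "expect -d" in login scripts
set_expect_debug() {
    mode=$1; shift
    case "$mode" in
        on)  from='expect --'; to='expect -d' ;;
        off) from='expect -d'; to='expect --' ;;
        *)   return 1 ;;
    esac
    for f in "$@"; do
        backup_once "$f" || return 1
        sed -i "s/$from/$to/g" "$f"
    done
}

# tufin_debug_session DEVICE_IP : raise the debug level, capture, and revert
# again on exit (Ctrl-C included) so the box is not left in "fine" mode
tufin_debug_session() {
    ip=$1; stconf=/etc/sysconfig/stconf.xml
    set_expect_debug on /usr/local/st/*login || return 1
    set_stconf_detail "$stconf" fine || return 1
    trap 'set_expect_debug off /usr/local/st/*login; set_stconf_detail "$stconf" normal; st restart' EXIT INT TERM
    tcpdump -i eth0 -vv -s 1500 -w /tmp/Tufin.pcap src "$ip" and udp dst port 514 &
    pcap=$!
    tail -F /var/log/st/securetrack.client."$ip"_* > "/tmp/client$ip.log" &
    log=$!
    st restart
    echo "reproduce the problem now (e.g. commit a change on $ip); press Enter when done"
    read _
    kill "$pcap" "$log" 2>/dev/null || true
}
```

Anchoring the sed on the full <DetailLevel> tag, rather than on the bare word "normal", is the point of set_stconf_detail: stconf.xml can contain that word in other tags, and a blanket s/normal/fine/ would change them too. The revert in tufin_debug_session is idempotent, so it is safe for the trap to run more than once.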