Check Point Identity Awareness (had to supply all PDC in order to capture all IA.)
AD Query reads these events from the Security Event log:
On Windows Server 2003 domain controllers - 672, 673, 674
On Windows Server 2008 domain controllers - 4624, 4769, 4768, 4770
If the domain controller does not generate these events (they are generated by default), refer to the Microsoft Active Directory documentation for instructions on how to configure auditing for them.
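Added check, not part of the original note: given a Security-log export from the domain controllers (here a constructed CSV with time, computer and event id columns, which is an assumption about the export format), report per DC which AD Query event IDs never appeared. A DC that is missing entirely is the case the title warns about, since identities seen only on that DC are never captured.

```python
import csv
from io import StringIO

# Event IDs AD Query reads, per domain controller generation (from the note above).
ADQUERY_EVENTS = {
    "2003": {672, 673, 674},
    "2008": {4624, 4768, 4769, 4770},
}

# Constructed sample export (not real data): two DCs, one of them logging only
# some of the AD Query events. A third DC, DC03, sends nothing at all.
SAMPLE_EXPORT = """\
time,computer,event_id
2013-02-04T09:00:01,DC01,4768
2013-02-04T09:00:02,DC01,4769
2013-02-04T09:00:03,DC01,4624
2013-02-04T09:00:05,DC01,4770
2013-02-04T09:00:07,DC02,4624
2013-02-04T09:00:09,DC02,4768
2013-02-04T09:00:11,DC02,5136
"""


def observed_events(export_text):
    """Map each computer in the export to the set of event IDs it logged."""
    seen = {}
    for row in csv.DictReader(StringIO(export_text)):
        seen.setdefault(row["computer"], set()).add(int(row["event_id"]))
    return seen


def adquery_coverage(export_text, expected_dcs, generation="2008"):
    """For every DC AD Query should read from, list the event IDs never seen.

    An empty list means the DC is fully covered. A DC absent from the export
    comes back with the whole set missing: AD Query was not pointed at it, or
    its audit policy does not produce the logon/Kerberos events at all.
    """
    wanted = ADQUERY_EVENTS[generation]
    seen = observed_events(export_text)
    return {dc: sorted(wanted - seen.get(dc, set())) for dc in expected_dcs}
```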
Wednesday 6 February 2013
Monday 4 February 2013
VPN Debugging – Check Point
vpn debug on // vpn debug off
$FWDIR/log/vpnd.elg
vpn debug ikeon // vpn debug ikeoff
$FWDIR/log/ike.elg
vpn tu // removes all SAs, either for the peer that is about to create the tunnel or for all tunnels.
fw monitor -e 'accept src=IP or dst=IP;'
SmartDashboard Connectivity Issues
cpwd_admin list // check whether fwm is up
fw debug fwm on TDERROR_ALL_ALL=5
tail -f $FWDIR/log/fwm.elg
Network Troubleshooting – Check Point
route -n > routes.txt
ifconfig -a > interfaces.txt
SecureXL is enabled or disabled <check in cpconfig>
fw monitor -e "accept src=IP_Number or dst=IP_Number;" -o monitor.out
fw ctl zdebug + drop > ctlzdebug.txt
fw ctl zdebug + drop > ctlzdebug2.txt
[to stop the logging: Ctrl + C]
Monday 21 January 2013
Removing old Check Point packages and files after an upgrade
Tuesday 8 January 2013
Check Point IPsec VPN with Non-Check Point Products (such as pfSense, DrayTek, etc.)
Non-Check Point products do not have the "ike_use_largest_possible_subnets" (supernetting) feature; this is why that feature has to be disabled on the Check Point side.
(By default, Check Point exchanges keys with another vendor's gateway using the largest possible subnet: it picks the best possible subnet to improve performance during IKE key exchanges.)
DNS packets should not be allowed first; otherwise, DNS resolution problems result for the VPN domains.
------------------------------------------------------------------------------------
# dbedit
Enter Server name (ENTER for 'localhost'):
Enter User Name: fwadmin
Enter User Password: abc123
Friday 21 December 2012
Check Point Policy Installation (a lot of buggy stuff)
- No traffic
- While installing policy, a lot of non-meaningful messages
First, check whether /opt is full or not. It is vital, believe me.
Tufin - Accelerate Policy analysis calculations & Increase the amount of memory for Java
These configs are tested on 12.2 HF6.
1. Accelerate policy analysis calculations.
Instructions:
1. Log in to SecureTrack’s GUI.
2. Add stcgitest.htm at the end of the address (Example: https://192.168.1.1/stcgitest.htm).
3. Choose ‘Edit stconf’.
4. Click ‘Fetch current conf’.
5. Change the following XML tag from "0" to "1":
<is_calc_topology_based_on_JAVA>1</is_calc_topology_based_on_JAVA>
6. Save the new configuration by clicking ‘Submit new conf’ at the bottom of the screen.
2. Increase the amount of memory which can be allocated for Java:
Instructions:
1. Log in to SecureTrack’s CLI as root.
2. Run the command: #vi /usr/jboss-4.2.2.GA/bin/run.conf
3. Find the line: JAVA_OPTS="$JAVA_OPTS -Xms512m -Xmx1024m
4. Change it to: JAVA_OPTS="$JAVA_OPTS -Xms1024m -Xmx4096m
5. Save the file and exit.
6. Run the command: #service jboss restart
Tufin Syslog Debug & St Info
SYSLOG Debug
1. Log in to SecureTrack CLI as ‘root’.
2. Run the command: #tcpdump -i eth0 -vv -w /tmp/Tufin.pcap -s 1500 src <ip address of device> and udp dst port 514
3. Edit the file: vi /etc/sysconfig/stconf.xml
a. Find the line <DetailLevel>normal</DetailLevel> and change ‘normal’ to ‘fine’.
b. Add the tag: <Number_Of_Syslog_Message_Handlers>1</Number_Of_Syslog_Message_Handlers>
c. Save & exit.
4. Run the following commands:
#tail -F /var/log/st/syslog_message_handler_0 > /tmp/syslog_message_handler.log &
#tail -F /var/log/st/syslog_change_log_manager > /tmp/syslog_change_log_manager.log &
#tail -F /var/log/st/syslog_traffic_log_manager > /tmp/syslog_traffic_log_manager.log &
5. Run the command: #st restart syslog
6. Commit a change on the device (e.g. add a comment) and wait approximately 5 minutes. Wait for the issue to reproduce.
7. Stop writing to the temp logs (#killall tail).
8. Revert the changes in /etc/sysconfig/stconf.xml.
9. Run #st restart syslog
10. Send me the log files + /tmp/Tufin.pcap
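Both stconf.xml edits on this page (the is_calc_topology_based_on_JAVA flag in the policy-analysis note, and the DetailLevel plus Number_Of_Syslog_Message_Handlers change in step 3 above, reverted in step 8) are the same kind of tag edit. Added example, not Tufin's code: it applies each change to a constructed minimal stconf.xml and keeps the previous values so the debug change can be reverted exactly. It assumes the tags are direct children of the root element, which the real file may not match.

```python
import xml.etree.ElementTree as ET

# Constructed minimal stand-in for /etc/sysconfig/stconf.xml (assumption: the
# tags edited below sit directly under the root; the real file has many more).
SAMPLE_STCONF = """<stconf>
  <is_calc_topology_based_on_JAVA>0</is_calc_topology_based_on_JAVA>
  <DetailLevel>normal</DetailLevel>
</stconf>"""


def set_tag(root, name, value):
    """Set <name> under root to value, creating the tag if it is missing.
    Returns the previous text, or None when the tag did not exist."""
    el = root.find(name)
    if el is None:
        el = ET.SubElement(root, name)
        previous = None
    else:
        previous = el.text
    el.text = value
    return previous


def tag_value(xml_text, name):
    """Current text of <name>, or None if the tag is absent."""
    el = ET.fromstring(xml_text).find(name)
    return None if el is None else el.text


def enable_java_topology(xml_text):
    """Policy-analysis note: is_calc_topology_based_on_JAVA from "0" to "1"."""
    root = ET.fromstring(xml_text)
    set_tag(root, "is_calc_topology_based_on_JAVA", "1")
    return ET.tostring(root, encoding="unicode")


def enable_syslog_debug(xml_text):
    """Step 3 of the syslog debug. Returns the new XML and the previous
    values, which revert_syslog_debug() needs for step 8."""
    root = ET.fromstring(xml_text)
    previous = {
        "DetailLevel": set_tag(root, "DetailLevel", "fine"),
        "Number_Of_Syslog_Message_Handlers":
            set_tag(root, "Number_Of_Syslog_Message_Handlers", "1"),
    }
    return ET.tostring(root, encoding="unicode"), previous


def revert_syslog_debug(xml_text, previous):
    """Step 8: restore the saved values; drop tags that did not exist before."""
    root = ET.fromstring(xml_text)
    for name, old in previous.items():
        el = root.find(name)
        if el is None:
            continue
        if old is None:
            root.remove(el)
        else:
            el.text = old
    return ET.tostring(root, encoding="unicode")
```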
-------------------------------------------
st info is similar to cpinfo in Check Point; it collects Tufin's full config, not the monitored devices' revisions or policies.
Part 2: Create the STINFO file.
1. Log in to SecureTrack’s CLI as root.
2. Run the command #st info
Juniper SSG - NS (config buffer problem)
Symptoms
It is caused by the buffer size: when Tufin initiates "get config", the device displays only a limited part of the full config. This creates a problem while Tufin is trying to get the full configuration:
Connection error! Reason:
Connection closed by foreign host.
Solution
set console page 0 (ScreenOS) | set cli screen-length 0 (Junos)
This allows Tufin to get the full configuration, as Juniper no longer limits its display with a limited buffer.