License Tool for Check Point. I found it pretty useful, as license issues are often complicated. It is under My Products > License Info Tool.
Wednesday, 31 July 2013
Sunday, 21 July 2013
Fortinet Upgrade Procedures
The upgrade process has usually been an issue with Check Point. However, it is unbelievably easy with security vendor Fortinet (even in a cluster environment):
- The .out file is downloaded from the support site.
- It is uploaded through the GUI.
Then the whole process runs automatically: first the active member is upgraded, losing 4 - 6 ping packets, and then 2-3 pings are lost while the second member is upgraded.
I suppose the reason is truly the architecture difference behind these boxes.
Monday, 13 May 2013
Friday, 22 February 2013
Network Troubleshooting - Cisco Packet Flow
To be or not to be.
Incoming or outgoing packets: understanding which direction a packet is travelling is sometimes vital in the troubleshooting process. The two ACLs below log GRE (and all other IP) traffic separately per direction on the interface.
ip access-list extended gre-debug-out
 permit gre any any log   ! optional
 permit ip any any log
ip access-list extended gre-debug-in
 permit gre any any log   ! optional
 permit ip any any log
interface GigabitEthernet0/1
 ip access-group gre-debug-in in
 ip access-group gre-debug-out out
Here it is; the match counters on each ACE show per direction what actually hit the interface:
show ip access-list gre-debug-in
show ip access-list gre-debug-out
Believe me, you will like the result.. :)
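Reading the match counters by hand is fine for one interface; as an added example (not from the original post), this script takes two snapshots of "show ip access-lists" output, computes the hit delta per ACE, and reports in which direction GRE actually crossed the interface. The ACL names are the post's; the snapshot text is constructed sample output.

```python
import re

# Constructed "show ip access-lists" output captured twice on the router from
# the post (ACL names gre-debug-in / gre-debug-out as configured in the post).
SNAP_BEFORE = """\
Extended IP access list gre-debug-in
    10 permit gre any any log (40 matches)
    20 permit ip any any log (900 matches)
Extended IP access list gre-debug-out
    10 permit gre any any log
    20 permit ip any any log (880 matches)
"""
SNAP_AFTER = """\
Extended IP access list gre-debug-in
    10 permit gre any any log (55 matches)
    20 permit ip any any log (1000 matches)
Extended IP access list gre-debug-out
    10 permit gre any any log
    20 permit ip any any log (950 matches)
"""

ACL_RE = re.compile(r"^Extended IP access list (\S+)")
# IOS prints "(N matches)" only once an ACE has been hit, so the counter is optional.
ACE_RE = re.compile(r"^\s+\d+ permit (\S+) .*?(?:\((\d+) matches\))?\s*$")


def parse_counters(text):
    """Map (acl, protocol) -> hit count; an ACE without a counter has 0 hits."""
    counters, acl = {}, None
    for line in text.splitlines():
        m = ACL_RE.match(line)
        if m:
            acl = m.group(1)
            continue
        m = ACE_RE.match(line)
        if m and acl:
            counters[(acl, m.group(1))] = int(m.group(2) or 0)
    return counters

def deltas(before, after):
    """Hits gained between the two snapshots, per (acl, protocol)."""
    b, a = parse_counters(before), parse_counters(after)
    return {k: a.get(k, 0) - b.get(k, 0) for k in set(a) | set(b)}

def gre_direction(before, after):
    """Which direction GRE actually crossed Gi0/1 between the snapshots."""
    d = deltas(before, after)
    seen = {n for n in ("in", "out") if d.get((f"gre-debug-{n}", "gre"), 0) > 0}
    return "both" if len(seen) == 2 else (seen.pop() if seen else "none")
```

Counters only grow until cleared, so a zero delta for one direction while the other climbs points straight at where the tunnel traffic stops.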
Identity Awareness - User & Machine Identification
Even though you see users and/or machines shown as acquired in SmartDashboard, pdp monitor is the place where the AD Query result actually appears. If you do not see the users/machines in pdp monitor, Check Point did not actually acquire them.
pdp monitor all |more
pdp monitor all |grep machine/username
Friday, 15 February 2013
IPS Update: ips scheduled update ended with errors
To manually update the IPS database:
1- Close all GUI applications.
2- Open GuiDBedit to the SMC (Application: GuiDBedit.exe).
3- Search (Search -> Find) for: autoupdate_and_install_status_obj
Once found, you will see a field named status under that object.
4- Change the value of status to 0.
5- Save the changes and close GuiDBedit.
6- Open SmartDashboard and verify that the issue is resolved.
Note: There is a fix for this issue; request it from Support.
Wednesday, 13 February 2013
ClusterXL - Do not Consume Public IPs for ClusterXL
Configuring Cluster Addresses on Different Subnets
Only one routable IP address is required in a ClusterXL cluster, for the virtual cluster interface that faces the Internet. All cluster member physical IP addresses can be non-routable. Configuring different subnets for the cluster IP addresses and the member addresses is useful in order to:
- Enable a multi-machine cluster to replace a single-machine gateway in a pre-configured network, without the need to allocate new addresses to the cluster members.
- Allow organizations to use only one routable address for the ClusterXL Gateway Cluster. This saves routable addresses.
ClusterXL virtual IPs and your members' physical (or VLAN) interfaces do not need to be on the same subnet. So you can simply use whichever addresses you like for each of the cluster interfaces (apart from the internal/management and external/VPN-routable interfaces, obviously). And of course this applies to physical untagged interfaces too, unlike our case.
I settled for using tiny Class B private space /30 subnets for each VLAN, enough for just our 2 cluster members. The topology would then look like this.
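As an added example (not from the original post), this script carves the per-VLAN member /30s out of a private block the way the post describes and checks the two properties the design relies on: each VLAN's two member addresses sit in their own /30, and that /30 is private and distinct from the subnet the cluster VIP lives on. The VLAN list, the 172.16.250.0/24 pool and the VIPs are constructed values.

```python
import ipaddress

# Constructed inputs: VLANs needing member addresses, an unused private /24
# (assumption) carved from 172.16.0.0/12 for the /30s, and the cluster VIPs,
# which stay on the subnet the rest of the network routes to.
VLANS = [10, 20, 30]
MEMBER_POOL = ipaddress.ip_network("172.16.250.0/24")
VIPS = {10: "10.1.10.1/24", 20: "10.1.20.1/24", 30: "10.1.30.1/24"}


def allocate_member_subnets(vlans, pool):
    """Give every VLAN its own /30: first host for member A, second for member B."""
    plan = {}
    blocks = pool.subnets(new_prefix=30)
    for vlan in vlans:
        net = next(blocks)
        a, b = list(net.hosts())          # a /30 has exactly two usable hosts
        plan[vlan] = {"member_subnet": str(net), "member_a": str(a), "member_b": str(b)}
    return plan


def check_plan(plan, vips):
    """Flag VLANs where the VIP shares the member /30 or the /30 is routable."""
    problems = []
    for vlan, entry in plan.items():
        vip = ipaddress.ip_interface(vips[vlan])
        mnet = ipaddress.ip_network(entry["member_subnet"])
        if vip.ip in mnet:
            problems.append(f"vlan {vlan}: VIP inside member /30")
        if not mnet.is_private:
            problems.append(f"vlan {vlan}: member subnet is routable")
    return problems


if __name__ == "__main__":
    plan = allocate_member_subnets(VLANS, MEMBER_POOL)
    for vlan, entry in plan.items():
        print(vlan, entry)
    print("problems:", check_plan(plan, VIPS))
```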
Monday, 11 February 2013
Smart Event & Reporter (CPU Peaks)
# evstop
# rm -r $RTDIR/distrib/*
# evstart
Then install policy from the SmartEvent console.
If not resolved,
# fw debug cpsemd on TDERROR_ALL_ALL=5
# fw debug cpsead on TDERROR_ALL_ALL=5
To end the debug:
# fw debug cpsemd off TDERROR_ALL_ALL=0
# fw debug cpsead off TDERROR_ALL_ALL=0
Then check these files $RTDIR/log/cpsemd.elg* and $RTDIR/log/cpsead.elg*
Wednesday, 6 February 2013
Check Point - Identity Awareness (Security Event Logs)
Check Point Identity Awareness (I had to supply all PDCs in order to capture all IA logins.)
AD Query reads these events from the Security Event log:
On Windows Server 2003 domain controllers - 672, 673, 674
On Windows Server 2008 domain controllers - 4624, 4769, 4768, 4770
If the domain controller does not generate these events (by default they are generated), refer to Microsoft Active Directory documentation for instructions on how to configure these events.
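As an added example (not from the original post), this script applies the event-ID lists above to a batch of Security-log records and reports which domain controllers produced no event AD Query can use, which is the symptom behind both caveats in this post: a DC that was not supplied to AD Query, or one whose logon auditing is off. The records are constructed sample data.

```python
# Event IDs AD Query reads, per domain-controller OS generation (from the post).
ADQ_EVENTS = {
    "2003": {672, 673, 674},
    "2008": {4624, 4768, 4769, 4770},
}

# Constructed Security-log records, as a SIEM export might look (not real data).
RECORDS = [
    {"dc": "DC1", "os": "2008", "event_id": 4624, "user": "alice"},
    {"dc": "DC1", "os": "2008", "event_id": 4769, "user": "alice"},
    {"dc": "DC2", "os": "2008", "event_id": 4625, "user": "bob"},    # failed logon: not read
    {"dc": "DC3", "os": "2003", "event_id": 672,  "user": "carol"},
    {"dc": "DC4", "os": "2008", "event_id": 4688, "user": "dave"},   # process start: not read
]


def usable_events(records):
    """Keep only records AD Query would read on that DC's OS generation."""
    return [r for r in records if r["event_id"] in ADQ_EVENTS.get(r["os"], set())]


def users_seen(records):
    """Users AD Query could map to an identity, with the DCs that reported them."""
    seen = {}
    for r in usable_events(records):
        seen.setdefault(r["user"], set()).add(r["dc"])
    return seen


def silent_dcs(records, expected_dcs):
    """DCs expected to feed AD Query that produced no readable logon event.
    Each one is either missing from the AD Query DC list or is not auditing
    the logon events listed above, so its users will never show in pdp monitor."""
    seen = {r["dc"] for r in usable_events(records)}
    return sorted(set(expected_dcs) - seen)


if __name__ == "__main__":
    print("identities:", users_seen(RECORDS))
    print("silent DCs:", silent_dcs(RECORDS, ["DC1", "DC2", "DC3", "DC4"]))
```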
Monday, 4 February 2013
VPN Debugging – Check Point
vpn debug on / vpn debug off -> $FWDIR/log/vpnd.elg
vpn debug ikeon / vpn debug ikeoff -> $FWDIR/log/ike.elg
vpn tu -> remove all SAs, either for the peer that is about to create the tunnel or for all tunnels.
fw monitor -e 'accept src=IP or dst=IP;'