Check Point Security Administration NGX III Student Handbook
P/N:701549
© 2006 Check Point Software Technologies Ltd.
All rights reserved. Check Point, Application Intelligence, Check Point Express, the Check Point logo, AlertAdvisor, ClusterXL, Cooperative Enforcement, ConnectControl, Connectra, CoSa, Cooperative Security Alliance, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, IMsecure, INSPECT, INSPECT XL, Integrity, InterSpect, IQ Engine, Open Security Extension, OPSEC, Policy Lifecycle Management, Provider-1, Safe@Home, Safe@Office, SecureClient, SecureKnowledge, SecurePlatform, SecuRemote, SecureServer, SecureUpdate, SecureXL, SiteManager-1, SmartCenter, SmartCenter Pro, Smarter Security, SmartDashboard, SmartDefense, SmartLSM, SmartMap, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartView Tracker, SofaWare, SSL Network Extender, TrueVector, UAM, User-to-Address Mapping, User Authority, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 VSX, Web Intelligence, ZoneAlarm, ZoneAlarm Pro, Zone Labs, and the Zone Labs logo, are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, and 6,496,935 and may be protected by other U.S. Patents, foreign patents, or pending applications.
Information in this document is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express permission of Check Point Software Technologies, Ltd.
International Headquarters: 3A Jabotinsky Street, Diamond Tower Ramat Gan 52520 Israel Tel: 972-3-613 1833 Fax: 972-3-575 9256
U.S. Headquarters: 800 Bridge Parkway Redwood City, CA 94065 Tel: 650-628-2000 Fax: 650-654-4233
Technical Support, Education & Professional Services: 2505 N. Highway 360, Suite 800 Grand Prairie, TX. 75050 Tel: 817-606-6612 Fax: 817-606-6552
Document #: DOC-Manual-VPN-03-S-NGX
Revision: RSNGX001
Content, Graphics, Editing: Steve Luc, Theresa Chung, Derek Anderson, Mark Hoefle, Anna Gosling
CONTENTS

1 Check Point Security Administration NGX III 1
  Course Objectives 1
  Course Layout 2
  Prerequisites 2
  Recommended Setup for Labs 3
  Recommended Lab Topology 4
  IP Addresses 5
  Lab Terms 7
  Lab Stations 8
  Default Rule Base 9

2 General Troubleshooting Methods 11
  Objectives 11
  Key Terms 12
  Troubleshooting Guidelines 13
  Identifying the Problem 13
  Collecting Related Information 14
  Listing Possible Causes 15
  Testing Causes Individually and Logically 15
  Consulting Various Reference Sources 15
  What to Check Before Installing VPN-1 NGX 16
  IP Forwarding 16
  Routing 17
  Connectivity 18
  IP Forwarding and Boot Security 20
  SIC and ICA Issues 21
  SIC Port Use 21
  Root Causes 22
  Logging SIC 26
  Debugging SIC 26
  Maintaining SIC 27
  Using fwm sic_reset 31
  Network Address Translation 32
  Client-Side Destination NAT 32
  Debugging NAT 33
  Collecting Data 36
  Rule Base Issues 36
  NAT Issues 36
  Anti-Spoofing Issues 36
  SmartDashboard Issues 37
  Logging Issues 37
  Cluster Issues 38
  Security Server Issues 38
  OPSEC Server Issues 39
  LDAP Issues 39
  Core Dump and Dr. Watson Issues 40
  Review 43
  Review Questions 44
  Review Answers 45

3 File Management 47
  Objectives 47
  Key Terms 48
  cpinfo 49
  Overview 49
  cpinfo File 50
  Info View 52
  Opening SmartDashboard in Info View 59
  objects_5_0.C and objects.C 61
  objects_5_0.C 61
  objects.C 61
  Object Properties in objects_5_0.C 62
  DbEdit 63
  objects_5_0.C Editing 65
  GuiDBedit 67
  fwauth.NDB 72
  $FWDIR/lib/*.def Files 73
  Example 73
  Modifying *.def Files 74
  Log Files 75
  Active Log Files 75
  Audit Log Files 76
  Log Mechanism 76
  Troubleshooting Logging Issues 77
  Maintaining Logs and Log-Buffer Queue 78
  Configuring Object Properties 78
  Debugging Logging 81
  Analysis Tools 81
  Debugging Log 81
  Lab 1: Using cpinfo 83
  Lab 2: Analyzing cpinfo in Info View 89
  Lab 3: Using GuiDBedit 93
  Lab 4: Using fw logswitch and fwm logexport 101
  Review 107
  Review Questions 108
  Review Answers 109

4 Protocol Analyzers 111
  Objectives 111
  Key Terms 112
  tcpdump 113
  tcpdump Syntax 113
  tcpdump and Expressions 115
  Using tcpdump 116
  Viewing tcpdump Output 117
  snoop 119
  Using snoop 119
  Reading snoop Output 120
  snoop and Security 122
  snoop Limitations 122
  fw monitor 124
  Overview 124
  fw monitor Syntax 124
  INSPECT Virtual Machine 126
  Filter Expressions 127
  fw ctl chain 127
  Buffering Issues 138
  Ethereal 140
  Using Ethereal 140
  Viewing Connection Beginnings 143
  Viewing Connections Dropped by Kernel 143
  Using Filters with Ethereal 143
  Lab 5: Comparing Client-Side NAT vs. Server-Side NAT with fw monitor 149
  Review 155
  Review Questions 156
  Review Answers 157

5 NGX Debugging Tools 159
  Objectives 159
  Key Terms 160
  fw ctl debug 161
  fw ctl kdebug 161
  Kernel Modules 162
  fw ctl debug Flags 164
  Debugging fwd/fwm 169
  fwd Daemon 169
  fwm Process 169
  Debugging 169
  fwd/fwm Debug Switches 170
  Debugging without Restarting fwd/fwm 170
  Debugging by Restarting fwd/fwm 172
  Stopping fwd debug 173
  Debugging cpd 174
  Use 175
  Lab 6: Using cpd and fwm Debugging 177
  Review 181
  Review Questions 181
  Review Answers 183

6 fw Advanced Commands 185
  Objectives 185
  Key Terms 186
  fw Commands 187
  fw tab Command 188
  fw tab Options 188
  Table Attributes 189
  fw tab Examples 194
  fw ctl Commands 197
  fw ctl install 197
  fw ctl uninstall 197
  fw ctl iflist 197
  fw ctl arp 198
  fw ctl pstat 198
  fw ctl conn 205
  Other fw Commands 207
  fw sam 207
  fw lichosts 210
  fw log 210
  fw repairlog 211
  fw mergefiles 211
  fw fetchlogs 212
  fw Advanced Commands 214
  fw fwd 215
  fw fwm 215
  fw fetchlocal 216
  fw unloadlocal 217
  fw dbloadlocal 217
  fw defaultgen 218
  fw getifs 219
  fw stat 219
  fwm Commands 222
  Use 222
  fwm load 223
  fwm dbload 224
  fwm logexport 225
  fwm dbexport/fwm dbimport 227
  fwm lock_admin 228
  Lab 7: Using fw ctl pstat 229
  Lab 8: Using fw stat, fwm load, and fw unloadlocal 231
  Review 233
  Review Questions 233
  Review Answers 235

7 Security Servers 237
  Objectives 237
  Key Terms 238
  The Folding Process 239
  Overview 239
  Folding-Process Example 240
  Content-Security Rule Order 242
  Security Server Default Messages 242
  HTTP 1.0 and 1.1 243
  Troubleshooting Security Server Issues 244
  Reviewing CPU and Memory 245
  Editing fwauthd.conf 245
  Listing Possible Causes 246
  Identifying Issue Sources 247
  Analyzing Results 248
  Debugging Security Servers 249
  TD_ERROR_ALL_ALL Flag 249
  FTP Security Servers 249
  HTTP Security Servers 250

8 VPN Debugging Tools 257
  Key Terms

9 Troubleshooting and Debugging SecuRemote/SecureClient 293
  Key Terms
  Packet Flow When Connecting/IKE Negotiation 298
  Packet Flow When Connecting/Encrypting Data 298
  Link Selection for Remote Access 299
  Overview 299
  Link-Selection Methods in VPN-1 NGX 301
  SecuRemote/SecureClient Debugging Tools 306
  srfw monitor 306
  cpinfo 306
  IKE debug 307
  sr_service Debug 308
  IKE and sr_service Debug 308
  sc log Debug 309
  srfw ctl Debug 309
  Enhanced Debugging Tool 311
  Troubleshooting Table 313
  Lab 10: Observing IKE Negotiation Between a Gateway and SecureClient 319
  Lab 11: Running srfw monitor 325
  Review 329
  Review Question 330
  Review Answer 331

10 Advanced VPN 333
  Objectives 333
  Key Terms 334
  Route-Based VPN 335
  Domain-Based VPN 337
  VPN Routing Process 338
  Best Practices 339
  Configuring Numbered VTIs 341
  Dynamic VPN Routing 345
  Configuring Dynamic VPN Routing Using OSPF 345
  Wire Mode 350
  How Wire Mode Works 350
  Wire Mode in Route-Based VPN 353
  Directional VPN Rule Match 355
  Interface Groups 355
  Tunnel Management 358
  Permanent Tunnels 358
  VPN Tunnel Sharing 360
  Tunnel-Management Configuration 360
  VPN Tunnel Sharing Configuration 365
  Lab 12: Route-Based VPN Using Static Routes 367
  Lab 13: Dynamic VPN Routing Using OSPF 385
  Review 401
  Review Questions 403
  Review Answers 405

11 ClusterXL 407
  Objectives 407
  Key Terms 408
  Configuration Recommendations 409
  Recommendations for ClusterXL 409
  Recommendations for State Synchronization 410
  Troubleshooting ClusterXL 412
  cphaprob 412
  cphaprob state 414
  cphaprob -a if 417
  cphaprob -i list 418
  cphaprob -d <device> -s problem -t 0 register 419
  cpstat ha -f all 420
  fw ctl debug -m cluster 421
  Kernel Flags 424
  fwha_enable_if_probing and fwha_monitor_if_link_state 424
  fwha_restrict_mc_sockets (0 by Default) 425
  fwha_use_arp__packet queue (0 by Default) 426
  fwha send gratuitous arp var 426
CHAPTER 1: CHECK POINT SECURITY ADMINISTRATION NGX III
Welcome to the Check Point Security Administration NGX III course. This course offers comprehensive training to enhance enterprise knowledge of VPN-1 NGX, network planning, route-based VPN, and troubleshooting procedures. Follow along as the class progresses, and take notes for future reference.
Course Objectives
1. Troubleshoot NGX product problems using troubleshooting guidelines.
2. Collect data using the cpinfo utility, for off-line viewing and troubleshooting using the Info View utility.
3. Use protocol analyzers to capture packets and analyze packet-header formats.
4. Debug NGX issues using NGX debugging commands.
5. Use fw commands to obtain critical information about NGX component status.
6. Troubleshoot Security Server issues and debug Security Servers.
7. Use VPN debugging tools for common troubleshooting practices.
8. Troubleshoot VPN-1 SecureClient/SecuRemote issues.
9. Configure VPN-1 NGX for route-based VPN and dynamic routing.
10. Configure ClusterXL and troubleshoot ClusterXL issues.
Course Layout
This course is designed for CCSEs who manage and support installations of VPN-1 NGX, and who need the tools to troubleshoot and maintain these installations. This course is also designed for CCSEs seeking their Check Point Certified Security Expert Plus NGX (CCSE Plus NGX) certification.
The following professionals benefit best from this course:
• Systems administrators
• Security managers
• Network engineers
Prerequisites
Before taking this course, Check Point recommends you take these courses: Check Point Security Administration NGX I (Rev 1.1) and Check Point Security Administration NGX II (Rev 1.1). You must pass the CCSE NGX exam before pursuing the CCSE Plus NGX certification.
Check Point also strongly suggests you have the following knowledge base:
• Working knowledge of TCP/IP
• Working knowledge of Windows and/or UNIX
• Working knowledge of network technology
• Working knowledge of the Internet
• Check Point Certified Security Administrator NGX certification
• Check Point Certified Security Expert NGX certification
Recommended Setup for labs
The following is a sample setup for the hands-on labs that supplement this handbook:
• The Internet servers (www.yourcity.cp) cannot communicate directly with the Internet. These servers have private IP addresses. Each Security Gateway and Internet server has a unique IP address.
• You will use the following passwords in this course:
abc123 — Windows platforms
qaz123 — SecurePlatform Pro
Your instructor may provide additional passwords:
• This handbook and course use the following conventions for interface assignments on the Security Gateway in this course:
— eth0 is assigned as the external interface.
— eth1 is assigned as the internal interface.
— eth2 is assigned as the sync network/leased-line interface.
— All interface-naming schemes are based on a SecurePlatform installation.
Recommended Lab Topology
The following is a sample eight-station lab topology:
[Figure CP00107: eight-station lab topology. Each city site has a Security Gateway with an internal interface (fw int), an external interface (fw ext), a sync interface (fw sync) and a default gateway on the external /16, and a Web server behind it whose default gateway is the Gateway's internal interface. fwoslo and fwsydney are drawn as hubs. The dallas site (int 10.5.9.1/24, ext 172.29.109.1/16, default gateway 172.29.109.2/16) sits on the shared external network together with the upstream addresses 172.21.101.2/16 through 172.29.109.2/16. The addresses are listed in the tables that follow.]
IP Addresses
The table below lists the IP addresses of the Security Gateways in the NGX lab topology:
VPN-1 NGX NIC IP Address
fwrome fw internal 10.1.1.1/24
fw external 172.21.101.1/16
fw sync 192.168.22.101/24
default gateway 172.21.101.2/16
fwoslo fw internal 10.2.2.1/24
fw external 172.22.102.1/16
fw sync 192.168.22.102/24
default gateway 172.22.102.2/16
fwtoronto fw internal 10.1.3.1/24
fw external 172.23.103.1/16
fw sync 192.168.22.103/24
default gateway 172.23.103.2/16
fwmadrid fw internal 10.2.4.1/24
fw external 172.24.104.1/16
fw sync 192.168.22.104/24
default gateway 172.24.104.2/16
fwzurich fw internal 10.3.5.1/24
fw external 172.25.105.1/16
fw sync 192.168.22.105/24
default gateway 172.25.105.2/16
fwsydney fw internal 10.4.6.1/24
fw external 172.26.106.1/16
fw sync 192.168.22.106/24
default gateway 172.26.106.2/16
fwcambridge fw internal 10.3.7.1/24
fw external 172.27.107.1/16
fw sync 192.168.22.107/24
default gateway 172.27.107.2/16
fwsingapore fw internal 10.4.8.1/24
fw external 172.28.108.1/16
fw sync 192.168.22.108/24
default gateway 172.28.108.2/16
This table lists the IP addresses of the Web servers in the NGX lab topology:
Web Server NIC IP Address
Web server: webrome Web site: www.rome.cp
www internal 10.1.1.101/24
default gateway 10.1.1.1/24
Web server: weboslo Web site: www.oslo.cp
www internal 10.2.2.102/24
default gateway 10.2.2.1/24
Web server: webtoronto Web site: www.toronto.cp
www internal 10.1.3.103/24
default gateway 10.1.3.1/24
Web server: webmadrid Web site: www.madrid.cp
www internal 10.2.4.104/24
default gateway 10.2.4.1/24
Web server: webzurich Web site: www.zurich.cp
www internal 10.3.5.105/24
default gateway 10.3.5.1/24
Web server: websydney Web site: www.sydney.cp
www internal 10.4.6.106/24
default gateway 10.4.6.1/24
Web server: webcambridge Web site: www.cambridge.cp
www internal 10.3.7.107/24
default gateway 10.3.7.1/24
Web server: websingapore Web site: www.singapore.cp
www internal 10.4.8.108/24
default gateway 10.4.8.1/24
Web server: webdallas Web site: www.dallas.cp
www internal 172.29.109.1/16
default gateway 172.29.109.2/16
Lab Terms
Yourcity — the city name for your lab station pair
Partnercity — the name of your partner city
Site number — a number between 1 and 9 assigned to your lab-station pair
Default Rule Base
The Rule Base below is the default Rule Base used throughout this handbook. Create this Rule Base now, if your instructor has not already created it for you. Note that this Rule Base has been created for city sites Rome and Oslo. Substitute your city site, based on your classroom's topology.
No. | Name | Source | Destination | VPN | Service | Action | Track
1 | NetBIOS Rule | Any | Any | Any Traffic | NBT, bootp | drop | None
2 | SSH Access Rule | (not legible in scan) | fwoslo | Any Traffic | ssh | accept | Log
3 | Stealth Rule | Any | fwoslo | Any Traffic | Any | drop | Log
4 | Web Server Rule | Any | www.oslo.cp | Any Traffic | http | accept | Log
5 | Partner Cities Rule | Net_Oslo, Net_Madrid | Net_Madrid, Net_Oslo | Any Traffic | http | accept | Log
6 | Internet Access Rule | Net_Oslo | Any | Any Traffic | TCP http | accept | Log
7 | Cleanup Rule | Any | Any | Any Traffic | Any | drop | Log
Default Rule Base
CHAPTER 2: GENERAL TROUBLESHOOTING METHODS
A critical part of a Security Administrator's responsibilities is to troubleshoot network problems. Troubleshooting guidelines are provided in this chapter, defining problems, identifying possible causes, narrowing causes to one or a few causes, and finding and testing problem fixes.
Objectives
1. Test IP forwarding, routing, and connectivity before installing VPN-1 NGX.
2. Monitor the Default Filter and Initial Policy's effect on traffic through a Security Gateway, to demonstrate the protection these offer.
3. Troubleshoot Secure Internal Communications and Internal Certificate Authority issues.
4. Troubleshoot Network Address Translation (NAT) issues.
5. Given an issue with a particular Check Point product, list the data required for troubleshooting.
Key Terms
IP forwarding
Default Filter
Initial Policy
Secure Internal Communications (SIC)
Source NAT
Destination NAT
Core file
Troubleshooting Guidelines
The variety, flexibility, and complexity of the Check Point product suite can make every problem seem unique. Despite the challenges inherent in maintaining and administering rapidly evolving security and connectivity solutions, standard troubleshooting methods are still relevant. Apply the guidelines in this section when troubleshooting NGX issues.
Identifying the Problem
Identifying a problem should begin by asking these general questions:
• Which outcome is specifically desired, but is not happening?
• What is happening, in observable and objective terms?
Failover Example
For example, when testing ClusterXL failover, start a continuous Ping from an internal host to a host outside of the cluster. Unplug the external interface from the primary member; two Pings are lost, then the Ping continues. This behavior is not a problem, but is the way ClusterXL is supposed to work. However, if after unplugging the external interface from a working primary member, the Ping continues successfully but new connections cannot pass through the cluster, the problem is probably related to gratuitous ARP.
Using the two questions previously stated, you can:
• Determine the desired activity: New connections traverse the active cluster member. This is not occurring.
• Determine what is happening, in observable and objective terms: Ping requests are replied to, but connections cannot be established.
Gratuitous ARP can be a probable cause in this issue, since Ping is not as reliant on each machine having a proper MAC address for IP resolution. In this specific situation, when the failover occurs (unplugging the interface), both machines issue gratuitous ARP replies to announce that they have the cluster IP address assigned. This can create problems if, for example, interim switches or routers do not correctly register the updated ARP cache information, or if a switch does not forward the updated ARP information to an upstream router. This "pollutes" the ARP cache of all local machines. Since the Ping request is looking for its ultimate destination IP upstream of the cluster, the cluster member at which the Ping packet arrives will simply forward the Ping to the destination.
In the case of a TCP/IP connection, such as HTTP, the routing mechanism will not be able to forward the packet through the router. This is because the indirect-connection mechanism will not be able to determine which cluster member is actually using the IP address as the next hop.
Collecting Related Information
Once an expected behavior has been identified as a problem, collect related information by answering the following questions:
• Under what circumstances does this problem occur?
• What changed before the problem occurred?
Collect log messages, error messages, core files, Dr. Watson output, and relevant information from related documentation. Verify the configuration of components displaying the same symptoms.
In the failover example stated earlier, the problem occurred when attempting to initiate a failover in a ClusterXL configuration. Changes before the problem occurred are currently unknown, other than the specific change initiated by unplugging the interface of the cluster member. Information related to other changes can be determined by examining NGX logs. Examining audit logs may show that another Administrator was working with the cluster object or specific cluster members. Examining system logs of that cluster member may show further information as to possible changes in the configuration. Debugging or examining process error logs can indicate whether this is a configuration issue, or perhaps a more serious problem.
Listing Possible Causes
Using the information gathered from symptoms and documentation, try to find as many potential causes for each symptom. Put the most likely cause first on a list, and organize the others in a similar fashion.
Testing Causes Individually and Logically
The goal is to narrow the list to a few causes, starting from the most likely to the least likely causes. From the example failover issue, is this the only cluster experiencing this issue? If the cluster is disabled, does this problem persist? Are all connections blocked, or only some types? Does any other type of traffic other than ICMP cross the cluster?
Consulting Various Reference Sources
Release notes, Web sites, mailing lists, SecureKnowledge, and Check Point Technical Support are common reference sources. See Check Point's Web site for these sources: www.checkpoint.com
What to Check Before Installing VPN-1 NGX
In general, a machine intended as a Security Gateway must function as a gateway at the OS level before VPN-1 NGX is installed. The gateway must route among network interfaces. If routing does not work before installing VPN-1 NGX, the machine will not function as a Security Gateway.
Verify routing on the gateway system at the OS level. If VPN-1 NGX is already installed on the gateway, stop the firewall services.
IP Forwarding
When a UNIX machine boots with more than one IP interface active, it will route among interfaces by default. When an NGX Gateway is installed on UNIX, IP forwarding may be disabled. IP forwarding is the operating system's ability to forward packets from one interface to another. Manually enable IP forwarding for testing.
Enabling/Disabling IP Forwarding
• Enable IP forwarding on Solaris by running ndd:
ndd -set /dev/ip ip_forwarding 1
• To disable IP forwarding, run ndd:
ndd -set /dev/ip ip_forwarding 0
• To verify the status of IP forwarding:
ndd -get /dev/ip ip_forwarding
• Verify the IP forwarding setting on SecurePlatform and SecurePlatform Pro, by checking the value in the following file:
cat /proc/sys/net/ipv4/ip_forward
The output should be 1. If the value is 0, run the following to enable IP forwarding:
echo 1 > /proc/sys/net/ipv4/ip_forward
• To enable IP forwarding on Windows 2000 Server or Windows Server 2003, check the value of the IPEnableRouter key in the Registry; the value should be 1. Enabling the Remote Access Server (RAS) service can also be used to enable IP forwarding. The path to the Registry key is:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\IPEnableRouter
As a multihomed host, an NGX Gateway has routes automatically generated for its immediate networks, external and internal. The Gateway can only have one default gateway (or default route) pointing to its upstream router. If there is more than one internal network connecting to an internal router behind the Gateway, add static routes on the Gateway to reach the remote internal networks from the Gateway.
For the immediate internal network, it is sufficient to point the default gateway of each internal network's machine to the IP address of the internal interface of the NGX Gateway.
Routing
Before installing an NGX Gateway, one interface on the machine must be up and running.
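The pre-install checks in this section (IP forwarding enabled, a single default gateway reachable through a directly connected subnet, and static routes for internal networks that sit behind an internal router) can be scripted. The following Python is an added example written for this handbook section, not Check Point code. It reads the same /proc file the SecurePlatform check uses (on Solaris you would feed it the text that ndd -get prints instead), and it takes the fwoslo lab addresses from this chapter as sample input; the second internal network 10.2.20.0/24 and the internal router at 10.2.2.254 are assumptions made for the example.

```python
"""Pre-install sanity checks for a multihomed gateway host (added example).

Constructed for the "What to Check Before Installing VPN-1 NGX" section;
not Check Point code. Sample input: the fwoslo lab addresses, plus a
hypothetical internal router and remote internal network.
"""
import ipaddress
from pathlib import Path

# File the handbook checks on SecurePlatform; Solaris uses ndd instead.
PROC_IP_FORWARD = Path("/proc/sys/net/ipv4/ip_forward")


def parse_ip_forward_value(text):
    """Interpret the text printed by `cat /proc/.../ip_forward` or `ndd -get`."""
    return text.strip() == "1"


def ip_forwarding_enabled(proc_file=PROC_IP_FORWARD):
    """Read the sysctl file (not echo its name) and return True if it is 1."""
    return parse_ip_forward_value(Path(proc_file).read_text())


def check_default_gateway(interfaces, default_gateway):
    """Return the interface whose subnet contains the next hop, or None.

    interfaces: dict name -> "addr/prefix" as configured on the host.
    A next hop that is not on a connected subnet can never be used, so a
    None result means the default route is misconfigured.
    """
    gw = ipaddress.ip_address(default_gateway)
    for name, cidr in interfaces.items():
        iface = ipaddress.ip_interface(cidr)
        if gw in iface.network and gw != iface.ip:
            return name
    return None


def static_routes_needed(interfaces, remote_networks):
    """List (network, next_hop) pairs the administrator must add by hand.

    remote_networks: dict "net/prefix" -> address of the internal router
    that reaches it. Directly connected networks are skipped because the
    OS generates those routes itself; a next hop that is not on-link is
    reported as an error string in place of the hop.
    """
    connected = [ipaddress.ip_interface(c).network for c in interfaces.values()]
    routes = []
    for net, hop in remote_networks.items():
        network = ipaddress.ip_network(net)
        if any(network.subnet_of(c) for c in connected):
            continue
        if check_default_gateway(interfaces, hop) is None:
            routes.append((net, f"ERROR: next hop {hop} is not on a connected subnet"))
        else:
            routes.append((net, hop))
    return routes


# Sample input constructed from the fwoslo addresses in the lab tables.
FWOSLO_INTERFACES = {
    "eth0": "172.22.102.1/16",    # external
    "eth1": "10.2.2.1/24",        # internal
    "eth2": "192.168.22.102/24",  # sync
}
FWOSLO_DEFAULT_GW = "172.22.102.2"

# Hypothetical networks behind an assumed internal router at 10.2.2.254.
REMOTE_INTERNAL = {
    "10.2.20.0/24": "10.2.2.254",  # needs a static route
    "10.2.2.0/24": "10.2.2.254",   # already connected, no route needed
    "10.2.30.0/24": "10.9.9.1",    # misconfigured next hop
}

if __name__ == "__main__":
    print("default route leaves via", check_default_gateway(FWOSLO_INTERFACES, FWOSLO_DEFAULT_GW))
    for net, hop in static_routes_needed(FWOSLO_INTERFACES, REMOTE_INTERNAL):
        print(f"route add {net} via {hop}")
```

Run it on the gateway host before VPN-1 NGX is installed (or after `fw unloadlocal`); the route list it prints is exactly what the Routing paragraph asks you to add for remote internal networks, and a None default gateway or an ERROR entry is a configuration to fix before going any further.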
Connectivity
To test connectivity with the NGX Gateway in place, Ping through the Gateway from internal nodes to nodes on the external side of the Gateway, or Ping to the upstream router. Run a Ping test as follows:
1. Run fw unloadlocal on the Gateway.
2. Ping from the internal host to the Gateway's internal interface.
3. Ping to the Gateway's external interface.
4. Ping a known Internet site address or name (for example, www.yahoo.com).
To Ping a Web site's fully qualified domain name (FQDN), the Gateway must have a DNS server entry.
5. If the Ping can only reach the external interface of the Gateway, Ping from the Gateway to a known Internet site.
When using RFC-defined private addresses for internal networks, Ping test replies from the Internet will not be received by the internal hosts.
6. If you can Ping from the Gateway to the Internet, but cannot reach the Internet from an internal network, IP forwarding may not be enabled on the Gateway's OS.
7. If you can Ping all the way through, install a simple Rule Base with the necessary rules (for example, outbound HTTP), then browse known Internet sites.
To resolve FQDN names, internal hosts must have a DNS server, either on an internal network or hosted by an ISP on the Internet. Domain Name over UDP must be allowed.
Q.) One internal host behind an NGX Gateway cannot connect to the Internet. This host has just been added to the internal network. All other hosts from the same network segment can connect to the Internet, as usual. In the Rule Base, there is a rule accepting outbound HTTP traffic for the entire network, and the rule is tracked as "Log". When you open SmartView Tracker, you find no logs from that problematic host. What is the next reasonable step for troubleshooting this problem?
A.) Check the routing table on that host, and make sure the default-gateway setting is correct. Test connectivity, using Ping or traceroute, from the host to the Gateway, or beyond.
Q.) You find a log indicating HTTP is accepted, the source is that host, and the rule number is correct. But the host's browser displays "page cannot be displayed". What is the next reasonable step for troubleshooting this problem?
A.) Run fw monitor, to see if the reply packet returns to the Gateway's external interface.
IP Forwarding and Boot Security
SIC and ICA Issues
Secure Internal Communications (SIC) is a Certificate-based channel among SmartCenter Servers, Security Gateways, Check Point QoS, and OPSEC application servers. SIC is based on Secure Sockets Layer (SSL), with digital Certificates. When a SmartCenter Server is installed, a Certificate Authority (CA) is created by default. As a CA, the SmartCenter Server is the Internal Certificate Authority (ICA) for all components it manages. The ICA issues Certificates for all components that need to communicate with one another. For example, a Gateway needs a Certificate from a SmartCenter Server before a Security Policy can be downloaded, or before a license can be attached using SmartUpdate. Whenever any two entities (SmartCenter Server, Security Gateway, OPSEC, or Check Point QoS) need to communicate, the file sic_policy.conf is referenced.
SIC Port Use
Communication takes place over SIC, which uses the following ports:
• Port 18209 is used for communication between NGX Gateways and ICAs (status, issue, or revoke).
• Port 18210 pulls Certificates from an ICA.
• Port 18211 is used by the cpd daemon on an NGX Gateway to receive Certificates.
SIC is completely NAT-tolerant, as the protocol is based on Certificates and SIC names, not IP addresses. A NAT device between a SmartCenter Server and Security Gateway does not have any effect on the ability of a Check Point-enabled entity to communicate using SIC.
Root Causes
As a baseline for troubleshooting SIC and ICA related issues, test the following:
• Connectivity: Is any traffic (not just SIC) able to reach the Gateway? Are the necessary ports open and/or available?
• Domain name and IP resolution: Although SIC is completely NAT-tolerant, Check Point recommends eliminating this possibility by verifying whether there has been a DNS or IP address change on the network regarding the SmartCenter Server and/or any interim routers or Gateways.
• Time: If the SmartCenter Server and the Security Gateway are located in different time zones, verify that this is not causing the conflict.
• Certificate Revocation List (CRL): Verify that the SIC Certificate is not in the CRL, or that the CRL is still reachable for current Certificates.
VERIFYING THE CERTIFICATE
View the existing Certificate assigned to the object to verify that Certificate information is correct for the object. View the certificate in SmartDashboard by selecting the VPN > Certificates List property of the specific Check Point Gateway. Select the Certificate to examine, and click the View button. The Certificate View screen displays:
Subject: CN=fwoslo VPN Certificate,O=mgmtoslo..uwoypr
Issuer: O=mgmtoslo..uwoypr
Not Valid Before: Mon Jan 30 16:28:00 2006 Local Time
Not Valid After: Sun Jan 30 16:28:00 2011 Local Time
Serial No.: 65136
Key Size: 1024
Subject Alternate Names:
IP Address: 172.22.102.1
CRL distribution points:
Certificate View of fwoslo's ICA Certificate
Check Point also includes the ICA Management Tool in VPN-1 NGX, which can be configured on a SmartCenter Server and used independently of SmartDashboard to view and manage Certificates:
(Screenshot: the ICA Management Tool's Manage Certificates page, opened in a browser at https://<SmartCenter IP>:18265/, with a search by user name, type, status and serial number, and operations on the selected Certificates: renew, remove, and mail to selected.)
ICA Management Tool
Refer to the SmartCenter user guide and sk30501 "Setting up the ICA Management Tool" at http://secureknowledge.checkpoint.com for configuration information.
The CRL and Certificates can also be viewed from the CLI using the vpn crlview command. The syntax for the command is:
vpn crlview -obj <network object> -cert <certobj>
vpn crlview -f <certfile>
vpn crlview -view <crlfile>
VERIFYING AVAILABLE CPD PORTS
To determine whether SIC is listening to the cpd ports, use the following commands:
Windows — netstat -na | find "18211"
UNIX — netstat -na | grep 18211
The output is like the following:
TCP 0.0.0.0:18211 0.0.0.0:0 LISTENING
To verify the Gateway is listening for the SmartCenter Server, use the cpd -d command. The output is below:
SIC initialization started
Read the machine's sic name: CN=module,O=mngmt.domain.com.szno9r
Initialized sic infrastructure
SIC certificate read successfully (means module already has a certificate)
Initialized SIC authentication methods
On SecurePlatform, run this command from the Expert Mode prompt.
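The checks above (the Certificate View, the SIC name printed by cpd -d, and the cpd listening port) can be tied together in one script. The following Python is an added example, not code from this handbook or from Check Point. The Certificate View text, the cpd -d lines and the netstat output it works on are constructed samples modelled on the ones shown in this section; the CRL distribution point URL and the clock values passed as "now" are assumptions.

```python
# Added example: baseline SIC checks over collected text (not Check Point code).
import re
from datetime import datetime

# Constructed Certificate View, modelled on the fwoslo example in the text.
# The CRL distribution point URL is an assumption; the page shows none.
CERT_VIEW = """Subject: CN=fwoslo VPN Certificate,O=mgmtoslo..uwoypr
Issuer: O=mgmtoslo..uwoypr
Not Valid Before: Mon Jan 30 16:28:00 2006 Local Time
Not Valid After: Sun Jan 30 16:28:00 2011 Local Time
Serial No.: 65136
Key Size: 1024
Subject Alternate Names:
IP Address: 172.22.102.1
CRL distribution points:
http://mgmtoslo:18264/ICA_CRL1.crl
"""

# Constructed `cpd -d` output from the same Gateway.
CPD_DEBUG = """SIC initialization started
Read the machine's sic name: CN=fwoslo,O=mgmtoslo..uwoypr
Initialized sic infrastructure
SIC certificate read successfully (means module already has a certificate)
Initialized SIC authentication methods
"""

# Constructed `netstat -na` output (UNIX form; the Windows LISTENING form also matches).
NETSTAT = """Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:18211           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
"""

DATE_FMT = "%a %b %d %H:%M:%S %Y"


def parse_cert_view(text):
    """Turn the 'Field: value' lines into a dict; CRL URLs go into a list."""
    fields = {"CRL distribution points": []}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("http"):
            fields["CRL distribution points"].append(line)
            continue
        key, sep, value = line.partition(":")
        if sep and key not in fields:
            fields[key.strip()] = value.strip()
    return fields


def rdn(dn, attr):
    """Value of one attribute (e.g. 'O') in a DN such as 'CN=x,O=y'."""
    m = re.search(r"(?:^|,)\s*%s=([^,]+)" % attr, dn)
    return m.group(1).strip() if m else None


def local_time(value):
    """Parse the 'Mon Jan 30 16:28:00 2006 Local Time' form used by the view."""
    return datetime.strptime(value.replace(" Local Time", "").strip(), DATE_FMT)


def sic_name(cpd_output):
    m = re.search(r"sic name:\s*(\S.*)$", cpd_output, re.M)
    return m.group(1).strip() if m else None


def listening_ports(netstat_output):
    return {int(m.group(1)) for m in re.finditer(r":(\d+)\s+\S+\s+LISTEN", netstat_output)}


def check_sic(cert_text, cpd_output, netstat_output, now):
    """Return the list of findings; an empty list means the baseline checks pass.
    `now` is the Gateway clock, in the same text form as the certificate dates."""
    cert = parse_cert_view(cert_text)
    issuer_org = rdn(cert["Issuer"], "O")
    findings = []
    # 1. The Certificate must come from the ICA that the subject names.
    if rdn(cert["Subject"], "O") != issuer_org:
        findings.append("subject O= and issuer O= differ: not issued by our ICA")
    # 2. Validity window against the Gateway clock (time skew, wrong time zone).
    nvb, nva = local_time(cert["Not Valid Before"]), local_time(cert["Not Valid After"])
    if not nvb <= local_time(now) <= nva:
        findings.append("certificate not valid at %s (valid %s to %s)" % (now, nvb, nva))
    # 3. The SIC name cpd read must belong to the same ICA (same O=).
    name = sic_name(cpd_output)
    if name is None or rdn(name, "O") != issuer_org:
        findings.append("cpd SIC name %r does not match the issuer" % name)
    # 4. Without a CRL distribution point, revocation cannot be checked.
    if not cert["CRL distribution points"]:
        findings.append("no CRL distribution point in the certificate")
    # 5. cpd must be listening on 18211 to receive a Certificate from the ICA.
    if 18211 not in listening_ports(netstat_output):
        findings.append("port 18211 is not listening: cpd is not up")
    return findings


if __name__ == "__main__":
    for finding in check_sic(CERT_VIEW, CPD_DEBUG, NETSTAT, "Sun Jun 01 12:00:00 2008"):
        print(finding)
```

Only the O= part of the names is compared, because the VPN Certificate shown in the Certificate View and the SIC Certificate cpd reads are different Certificates issued by the same ICA. Feed the function the real outputs collected from the Gateway and the SmartCenter Server; each finding maps to one of the root causes listed above.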
On SecurePlatform or SecurePlatform Pro, run the cpd debug from Expert Mode and redirect the output to a separate file:
export OPSEC_DEBUG_LEVEL=3
export TDERROR_ALL_ALL=3   (1, 2 or 3; higher is more verbose)
cpd -d >& cpd-output
If you run cpd -d without >& and the output filename, the output displays on-screen.
Maintaining SIC
Following are recommended practices to set up and maintain SIC.
USING CORRECT FQDN TO INITIALIZE ICA
If the FQDN for the SmartCenter Server is not correct, the ICA cannot initialize successfully. Make sure the FQDN has the correct hostname and domain name, and that the SmartCenter Server's hostname is entered correctly in the hosts file.
AVOIDING RENAMING GATEWAY OBJECT
The Certificate issued by the ICA (SmartCenter Server) is for a specific hostname and IP address. Once the hostname has changed, the Certificate is no longer valid. Plan the naming conventions for all of your Gateways, including the ICA itself, before you start installing and configuring. If you must rename a Gateway after SIC is established, follow the steps below:
On the relevant Security Gateway:
1. Rename the hostname according to the requirements of the OS.
2. Reboot the machine, if necessary.
3. Use the cpconfig tool to reinitialize SIC for the renamed Gateway.
4. Enter a new one-time password.
On the SmartCenter Server, make sure its hosts file has the new hostname and
CHECKING ROUTING AND CPD CONNECTIONS
SYNCHRONIZING CLOCKS
Q.) Your SmartCenter Server is behind your organization's perimeter Gateway, with Static NAT configured on the perimeter Gateway. You have a new NGX Gateway in another city, and you must set up SIC. When you try to initialize SIC, you receive the error "initialized but not trusted". What are reasonable steps to troubleshoot this error?
A.) Check the hosts file on the remote Gateway, and make sure the SmartCenter's hostname resolves to its public IP address. Check if there is any rule in the Policy blocking traffic between the SmartCenter Server and remote Gateway.
RESETTING SIC
The term "resetting SIC" is used for two different actions, each with a different level of severity depending on the context.
For a Security Gateway, a SIC reset means forcing the ICA on the SmartCenter Server to revoke that Gateway's Certificate and update the CRL; the Administrator then issues a new Certificate for the Gateway. For a SmartCenter Server, resetting SIC means running the command fwm sic_reset, which revokes all Certificates and destroys the existing ICA.
Resetting SIC is not recommended as a first troubleshooting step to fix a SIC problem. A SIC reset should be performed as a last resort, and should be scheduled after business hours.
Using fwm sic_reset
Resetting SIC on the ICA (SmartCenter Server) can have serious implications for Policy installation, logging, and other important daily functions, such as VPN. Therefore, Check Point does not recommend resetting SIC on an ICA in most situations, especially in an enterprise environment where multiple remote Gateways communicate through a VPN using Certificates issued by the ICA. When you reset SIC on an ICA, VPN tunnels will be interrupted, because all IKE Certificates are destroyed before the ICA is reset. After the ICA SIC is reset, you must reset SIC on all managed Gateways.
In some unusual situations, using the fwm sic_reset command is necessary, for example, when the SmartCenter Server's IP address or hostname is changed.
NETWORK ADDRESS TRANSLATION
Network Address Translation (NAT) can be used to translate either IP address in a connection. When translating the IP of the machine initiating the connection (typically the "client" of the connection) this is referred to as Source NAT. An example of this would be a network behind a Security Gateway that uses a nonroutable IP address range, but is hidden behind the Gateway's external IP address on Internet-bound connections.
Destination NAT is used when the IP address of the machine receiving the connection is translated. This address is also known as the "server" side of the connection. An example of this would be a statically translated Web server behind a Security Gateway.
Client-Side Destination NAT
Before VPN-1 NGX, all NAT occurred at the "server side" of the kernel, i.e., on the outbound side of the kernel closest to the server. When NAT occurs in this configuration, address spoofing and routing must be configured correctly. As of VPN-1 NGX, the default method for Destination NAT is "client side", where NAT occurs on the inbound interface closest to the client. Assume the client is outside the Gateway, and the server is inside the Gateway with automatic Static NAT configured. When the client starts a connection to access the server's NAT IP address, the following happens to the original packet in a client-side NAT:
ORIGINAL PACKET
1. The packet arrives at the inbound interface, and passes Security Policy rules.
2. If accepted, the packet is entered into the connections table.
3. The packet is matched against NAT rules for the destination. The packet is translated if a match is found.
4. The packet arrives at the TCP/IP stack of the NGX Gateway, and is routed to the outbound interface.
5. The packet goes through the outbound interface, and is matched against NAT rules for the source.
6. NAT takes place, if a match is found for translating the source.
7. The packet leaves the Security Gateway.
REPLY PACKET
1. The reply packet arrives at the inbound interface of the Gateway.
2. The packet is passed by the Policy, since it is found in the connections table.
3. The packet's destination, which is the source of the original packet, is translated according to NAT information in the tables.
4. The packet arrives at the TCP/IP stack of the Gateway, and is routed to the outbound interface.
5. The packet goes through the outbound interface. The packet's source, the destination of the original packet, is translated according to the information in the NAT tables.
6. The packet leaves the Gateway.
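To make the difference between the two orders of operations concrete, here is an added Python model of a Gateway applying automatic Static NAT to the server in the scenario above. It is an illustration written for this page, not Check Point code and not how the kernel is implemented; the addresses, interface names and routing table are constructed. It follows the numbered steps above for the original and the reply packet, and shows that with client-side NAT the TCP/IP stack routes on the already-translated real address, while with the older server-side order it routes on the NAT address and needs a static route.

```python
# Added example: a model of the NAT order of operations (not Check Point code).
import ipaddress

# Constructed Gateway routing table, keyed on real (untranslated) subnets.
ROUTES = [
    ("10.1.1.0/24", "eth1"),   # internal LAN behind the Gateway
    ("0.0.0.0/0", "eth0"),     # default route out the external interface
]
# Automatic Static NAT for the server: valid address 192.0.2.10 <-> real 10.1.1.10.
STATIC_NAT = {"192.0.2.10": "10.1.1.10"}


class Gateway:
    def __init__(self, client_side=True, static_routes=()):
        self.client_side = client_side
        self.routes = ROUTES + list(static_routes)
        self.connections = {}   # (orig src, orig dst) -> (src, dst) as the packet left

    def route(self, dst):
        """Longest-prefix match; returns the outbound interface or None."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, iface in self.routes:
            network = ipaddress.ip_network(net)
            if addr in network and (best is None or network.prefixlen > best[0]):
                best = (network.prefixlen, iface)
        return best[1] if best else None

    def original(self, src, dst):
        """Client -> server packet. Returns (outbound interface, packet as it leaves)."""
        # Steps 1-2: inbound interface, Rule Base, entry in the connections table.
        xdst = STATIC_NAT.get(dst, dst)
        if self.client_side:
            # Step 3 before step 4: the destination is already translated when the
            # TCP/IP stack routes the packet, so it routes on the real address.
            iface = self.route(xdst)
        else:
            # Pre-NGX (server-side) order: the stack routes on the NAT address and the
            # translation only happens on the outbound side, so a static route is needed.
            iface = self.route(dst)
        # Steps 5-6: Source NAT rules are checked at the outbound side (none here).
        self.connections[(src, dst)] = (src, xdst)
        return iface, (src, xdst)

    def reply(self, src, dst):
        """Server -> client packet: both translations come from the connections table."""
        for (osrc, odst), (xsrc, xdst) in self.connections.items():
            if (src, dst) == (xdst, xsrc):          # step 2: found in the table
                # step 3: destination (the original source) restored at the inbound side;
                # step 5: source (the original destination) restored at the outbound side.
                return self.route(osrc), (odst, osrc)
        return None, None                           # not in the table: dropped


if __name__ == "__main__":
    gw = Gateway()
    print("client-side:", gw.original("203.0.113.5", "192.0.2.10"))
    print("reply:      ", gw.reply("10.1.1.10", "203.0.113.5"))
    print("server-side:", Gateway(client_side=False).original("203.0.113.5", "192.0.2.10"))
```

With client_side=True the original packet is routed to eth1 with no extra route; with client_side=False the same packet is routed by the default route back out eth0 unless a host route for 192.0.2.10 is added, which is the static-route requirement the text describes for the pre-NGX behaviour.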
The packet is translated before it is routed, so it is routed correctly without any need to add a static route to the Gateway.
Debugging NAT
fw ctl debug is the primary command for observing the NGX kernel's actions on a packet. It is also used for configuring debugging on almost any action that VPN-1 NGX can take on a packet or connection. The standard format for the command is as follows:
fw ctl debug
Running this command from the CLI produces a list of currently running modules and debugging flags. When the command is issued with an argument following it, the default kernel module acted on is the fw module.
FW CTL DEBUG ARGUMENTS
Argument Explanation
-buf Allocates the buffer used by the debug process for its output
+ <flag name> Enables the debugging flag following the +, such as fw ctl debug + smtp
-x Disables all debugging flags
0 Resets all debugging flag values to default settings
-m <module> Specifies the module whose flags are set; the default is the fw module
kdebug -f >& <file> Directs the output of the debugging session from the buffer to <file>
DEBUGGING NAT PROCESS
COLLECTING DATA
This section identifies data to be collected for troubleshooting particular issues.
Rule Base Issues
To begin troubleshooting an issue with an NGX Rule Base, collect the relevant log records, fw monitor capture file, and cpinfo file.
NAT Issues
For NAT issues, collect the following information:
• cpinfo file
• Network-configuration diagram
• fw monitor
• fw ctl debug, as follows:
fw ctl debug -buf
fw ctl debug + xlate xltrc
fw ctl kdebug -f > /tmp/kdebug.out
Press CTRL+C to stop the debugging session, then disable fw ctl debug by running fw ctl debug 0.
Anti-Spoofing Issues
To troubleshoot anti-spoofing issues, collect the following:
• cpinfo file
• Network-configuration diagram
• fw monitor capture file
SmartDashboard Issues
If there is an issue logging in to SmartConsole, verify the following items:
1. SmartDashboard compatibility with the SmartCenter Server: From the Help menu in SmartDashboard, check the build number of the SmartDashboard. Make sure the build number is compatible with the SmartCenter Server, according to NGX release notes.
2. Verify the fwm process is up and running on the SmartCenter Server.
3. Verify the GUI client's IP address is defined correctly in the cpconfig utility on the SmartCenter Server. Alternatively, verify that the IP address from which SmartDashboard is launched is listed in the $FWDIR/conf/gui-clients file.
4. Collect the following data:
• cpinfo file
• Error messages from the log and console
• fwm debug, by running the following command:
fw debug fwm on TDERROR_ALL_ALL=4
This sets fwm to debug "on the fly" and writes the output to $FWDIR/log/fwm.elg.
Logging Issues
1. Collect the following:
• Log files
• cpinfo file
2. For Smart View Tracker issues, run the command fwm logexport to ensure all columns are complete.
3. If log records are not written to the log file, and fw log and fwm logexport do not show new records, run fwd -d -D. This includes a special debugging option for FW1_log connections.
Cluster Issues
Collect the following:
• fw monitor file from relevant interfaces
• cpinfo file from the SmartCenter Server and all cluster members
• Network-configuration diagram
• Information about switches used in the cluster environment, if any
Issue the following command simultaneously on all cluster members:
fw tab -s -t connections > file_name
Since the introduction of per-service synchronization, the fw tab -u command is not as useful in verifying that State Synchronization is working in a running cluster.
Security Server Issues
Collect the following:
• cpinfo file
• Error messages from the SmartCenter Server's logs and console
• fw monitor -u (The -u switch configures fw monitor to capture traffic and include the UUID of the connections and objects involved in that session).
• Appropriate log files from the Security Gateway's $FWDIR/log directory:
ahttpd.elg
aftpd.elg
asmtpd.elg
OPSEC Issues
Collect the following:
• fwopsec.conf file
• cvp.conf file on the CVP server
• For CVP/UFP servers: an fw monitor capture of the traffic to the CVP server or to the UFP server
• fwd debug, by running fw debug fwd on; the output is written to $FWDIR/log/fwd.elg. To stop the fwd debug, run fw debug fwd off.
LDAP Issues
Collect the following:
• LDAP log
• fw monitor capture of the LDAP traffic
• fwd debug, as above
• The LDAP branch
CORE DUMP
3. To verify whether the core dump was caused by VPN-1 NGX, run the command:
file core
The output names the executable that produced the core dump. Also collect:
• cpinfo, while the system is in the state that caused the core
• Full description of the problem
DR. WATSON OUTPUT
Collect the following information:
• Fresh Dr. Watson file (drwtsn32.log); this file should contain only the current instance of Dr. Watson output
• cpinfo taken from the system while in the state causing the Dr. Watson error
• Full description of the problem
• user.dmp file
• memory.dmp file
• system.dmp file, for a blue screen of death
Q.) How do I change the default locations of drwtsn32.log, user.dmp or memory.dmp?
A.) Open a Dr. Watson screen by running drwtsn32 from the command prompt. Only an Administrator can change Dr. Watson configurations.
REVIEW
CHAPTER 3: FILE MANAGEMENT
Regular file maintenance is necessary to maintain a properly running system. In case of emergencies, the cpinfo utility can be used to view configuration details from an off line copy of the configuration. Log files may give an indication of what contributed to the emergency.
Objectives
1. Collect data using the cpinfo utility, for off-line viewing and troubleshooting using the InfoView utility.
2. Use DbEdit or GuiDBedit to view and manipulate *.c and *.def files and observe their impact on Security Gateway functionality.
3. Manage the fwauth.NDB file to maintain the user database.
4. Use log commands to observe and manipulate log files.
Key Terms
• cpinfo
• objects_5_0.C
• objects.C
• DbEdit
• Log Unification Unique ID (LUUID)
cpinfo File
FILES
A complete collection of files is obtained from the following NGX directories:
$FWDIR/conf
$FWDIR/lib
$FWDIR/state
$FWDIR/database
$FWDIR/log
These files may be extracted and used to replicate a remote NGX installation in a test network, for troubleshooting.
The cpinfo file contains detailed information about NGX. Once cpinfo runs, it may take some time to complete; do not stop it before it finishes.
WINDOWS
C:\Windows\FWl\R60\fwl\bin\cpinfo > cpinfo.txt
The resulting file will not be compressed or encoded. Compress this file using a ZIP utility, if the cpinfo file is sent to Check Point Technical Support for analysis. The output on a Windows server is a*.txt file, which you can view with a text editor.
UNIX
1. Log in as superuser or in Expert Mode.
2. Execute the following script:
$CPDIR/bin/cpinfo | compress | uuencode cpinfo.Z > /tmp/cpinfo.uue
The cpinfo script does the following:
• Runs the cpinfo script, where the directory is compressed to the file cpinfo.tar
• Uses gzip to compress the file to fw.tar.gz
• Uuencodes the gzip file to the filename cpinfo
• Compresses cpinfo, using standard UNIX compression, and renames it to cpinfo.Z
• Uuencodes cpinfo.Z into the file /tmp/cpinfo.uue
To extract the cpinfo. uue file from a UNIX platform, run the following:
1. # uudecode cpinfo.uue, which decodes into the file cpinfo.Z
2. # uncompress cpinfo.Z, to uncompress into the file cpinfo
3. # uudecode cpinfo, to decode into the file fw.tar.gz
4. # gunzip fw.tar.gz, to uncompress the file fw.tar
5. # tar -xvf fw.tar, to expand the directories into the following:
conf/
lib/
state/
database/
log/
InfoView
A quick and easy way to look at a customer's Rule Base and objects is to open SmartDashboard using a cpinfo output file. This is done by using InfoView, a Check Point utility. InfoView is only available for Check Point Certified Support Partners (CSPs) with valid CSP login credentials. To view cpinfo from InfoView, open the InfoView window first, and drag cpinfo output to the InfoView window:
(Screenshot: the InfoView window. The left pane lists the cpinfo file's sections, such as CP components, CP Product keys, VPN-1 Version Information, FireWall-1 Management (fwm) Version Information, FireWall-1 Version Information, CPShared Version Information, FireWall-1 Status, FireWall-1 Tables, FireWall-1 Tables - Log Format, Exported Log file fw.adtlog, FireWall-1 Statistics and Connections modules in the kernel. The right pane lists the tests, such as Hosts File, License-Object, Duplicate Objects, All Interfaces and I/F-Object, each marked "Not tested".)
cpinfo Loaded in InfoView
INFORMATION TESTING
Depending on the problem you are troubleshooting, you can look for different information in cpinfo. The right panel of Info View displays a list of information you can test, for example, hostname, licensing, and duplicate objects. Info View gives you quick results, but not detailed information. Detailed information can be found in the left pane of Info View. Test items and their purpose are shown in the table below:
Test item Purpose
Hosts File Verify the hosts file.
License-Object Verify that every license has a corresponding interface in the machine's object.
Duplicate Objects Check for duplicate objects in the objects file.
All Interfaces Run tests on all interfaces of the machine.
Machine Interfaces Verify the validity of the object representing the tested machine.
I/F-Object Verify that the machine is referred to in the objects file.
Process Verify that the percentage of CPU time used by Check Point related processes does not exceed a certain limit (80%).
pstat Check that the values in FireWall-1 Statistics and SecuRemote Statistics (fw ctl pstat) are within reasonable limits.
IP fwd Check IP forwarding.
License Check licensing.
Support HotFix Verify whether there are HotFixes installed on the machine.
TEXT INFORMATION
In the following example, this cpinfo indicates the machine is a primary SmartCenter Server and not a Gateway, because the value of the management key is 1 and FireWall key is 0:
CP Product keys (from cpinfo on a Windows SmartCenter Server):
key: CPDIR C:\Program Files\CheckPoint\CPShared\R60
key: ISCONFIGURED 1
FW1
key: Auth 0
key: Encryption 1
key: FireWall 0
key: FWDIR C:\WINDOWS\FW1\R60\fw1
key: FWManagement 1
key: IsConfigured 1
key: Management 1
key: Primary 1
key: ProductName FireWall-1
key: Unlimit 1
SecuRemote
CP Product keys Screen
SYSTEM INFORMATION
System information can be found in cpinfo. Information such as OS name, version and build number, environment variables, CPU and memory use of running processes (in ps -auxww), and file system use (in df -k) :
System Information entries listed in InfoView:
FireWall-1 Version Information
CPShared Version Information
date
hostname
uname -a
SecurePlatform Version
hostid
OS data from file: /etc/issue
uptime
ps auxww
vmstat 1 10
lsdev -C
Additional System information
env
df -k
df -k /opt/CPsuite-R60/fw1
Package Manager Report (rpm)
List PCI devices
Free Memory Information
Slab Information (slabinfo)
Additional Memory Information (meminfo)
Additional Cpu Information (cpuinfo)
IP Interfaces
System Information
I N T E R F A C E A N D R O U T I N G I N F O R M A T I O N
Interface information can also be found in cpinfo. ifconfig -a lists all interfaces and their status; fw ctl iflist lists the interfaces bound to the NGX kernel. If the fw ctl iflist and ifconfig -a outputs differ, some interfaces are not recognized by the NGX kernel, which can cause problems such as Policy installation failure or dropped traffic. The interface names and IP addresses in the ifconfig -a list must be identical to those in the Topology screen of the gateway object. Make sure you obtain the correct interface names and IPs when clicking the Get button in the Topology screen of the Gateway object.
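The comparison described above can be scripted. The following Python is an added example, not code from this handbook or from Check Point: it compares a constructed ifconfig -a output, a constructed fw ctl iflist output and a hand-built copy of the interfaces from the gateway object's Topology screen, and lists each interface that the NGX kernel does not see or whose name or IP address does not match the Topology. The interface names and addresses are assumptions made for the sample.

```python
# Added example: interface consistency check over collected outputs (not Check Point code).
import re

# Constructed `ifconfig -a` output from a SecurePlatform Gateway.
IFCONFIG = """eth0      Link encap:Ethernet  HWaddr 00:0C:29:AA:BB:01
          inet addr:192.0.2.1  Bcast:192.0.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
eth1      Link encap:Ethernet  HWaddr 00:0C:29:AA:BB:02
          inet addr:10.1.1.1  Bcast:10.1.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
eth2      Link encap:Ethernet  HWaddr 00:0C:29:AA:BB:03
          inet addr:172.16.0.1  Bcast:172.16.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
"""

# Constructed `fw ctl iflist` output: eth2 is missing, so the kernel does not see it.
IFLIST = """     0 : eth0
     1 : eth1
"""

# Constructed copy of the interfaces in the gateway object's Topology screen;
# eth2 carries a stale address there.
TOPOLOGY = {"eth0": "192.0.2.1", "eth1": "10.1.1.1", "eth2": "172.16.0.5"}


def parse_ifconfig(text):
    """Map interface name -> IPv4 address (None for an interface without one)."""
    result, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+Link encap", line)
        if m:
            current = m.group(1)
            result[current] = None
            continue
        m = re.search(r"inet addr:(\d+\.\d+\.\d+\.\d+)", line)
        if m and current:
            result[current] = m.group(1)
    return result


def parse_iflist(text):
    """Interface names from the 'index : name' lines of fw ctl iflist."""
    return {m.group(1) for m in re.finditer(r"^\s*\d+\s*:\s*(\S+)", text, re.M)}


def interface_report(ifconfig_text, iflist_text, topology):
    """Findings about interfaces the kernel or the Topology disagree on."""
    os_ifs = parse_ifconfig(ifconfig_text)
    physical = {name: ip for name, ip in os_ifs.items() if name != "lo"}
    kernel = parse_iflist(iflist_text)
    findings = []
    for name in sorted(set(physical) - kernel):
        findings.append("%s: known to the OS but not bound to the NGX kernel" % name)
    for name in sorted(kernel - set(physical)):
        findings.append("%s: bound to the kernel but missing from ifconfig" % name)
    for name, ip in sorted(physical.items()):
        if name not in topology:
            findings.append("%s: not defined in the gateway object's Topology" % name)
        elif topology[name] != ip:
            findings.append("%s: Topology has %s, OS has %s" % (name, topology[name], ip))
    for name in sorted(set(topology) - set(physical)):
        findings.append("%s: in Topology but not on the machine" % name)
    return findings


if __name__ == "__main__":
    for finding in interface_report(IFCONFIG, IFLIST, TOPOLOGY):
        print(finding)
```

On the constructed input the report names eth2 twice: once because it is absent from fw ctl iflist, and once because the Topology address differs from the one the OS has. Clicking Get in the Topology screen after the kernel sees the interface clears both.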
netstat provides routing table, ARP table and TCP socket information. These are important tools for troubleshooting connectivity issues.
(Screenshot: the InfoView tree showing FireWall-1 Version Information, CPShared Version Information, System Information, Source File versions, FireWall-1 Tables, FireWall-1 Tables - Short Format (the number of tables: 296) and FireWall-1 Tables - Log Format.)
IP Interface and netstat Information
FIREWALL-1 TABLES
FireWall-1 table information can be found from a Gateway cpinfo. But a SmartCenter Server does not contain table information. The Infotab button displays the content of a table with hexadecimal and decimal format. The following example highlights a FireWall-1 table displayed by clicking the Infotab button at the top. You can tell the types of traffic passing through the Gateway kernel when cpinfo runs. You can compare among two or more cluster members' connections-table information regarding particular traffic.
InfoTab Screen
HIGH AVAILABILITY INFORMATION
High Availability information can be found from a Gateway's cpinfo file, cpinfo from a SmartCenter Server-only machine does not have High Availability information.
Opening SmartDashboard in InfoView
SmartDashboard can be opened from InfoView, as long as the cpinfo is from a SmartCenter Server, cpinfo from a Gateway-only machine cannot be used to open SmartDashboard.
To open SmartDashboard inside InfoView:
1. Highlight the hostname on the top of the left pane:
(Screenshot: the InfoView left pane with the hostname entries at the top, C:\WINDOWS\FW1\R60\fw1 and C:\PROGRA~1\CHECKP~1\CPShared\R60, highlighted, above CP components, CP Product keys, System Information, the Version Information entries, FireWall-1 Status, IP Interfaces and the FireWall-1 Tables entries.)
Hostname Highlighted
2. Click the SmartDashboard icon on the top button, then click Explicit:
SmartDashboard Icon
3. Select the correct FwPolicy.exe file on your local drive, from where you installed SmartConsole:
(Screenshot: the file-open dialog in the SmartConsole PROGRAM directory, with FwPolicy selected and Files of type set to Policy Editor (fwpolicy.exe).)
FwPolicy.exe Selected
4. Click Open. SmartDashboard opens.
OBJECTS_5_0.C AND OBJECTS.C
objects_5_0 .C
The objects_5_0.C file contains a section of properties whose values affect global NGX behavior. Normally, this file is not modified directly, but rather through SmartDashboard > Policy > Global Properties. objects_5_0.C also stores network objects, server objects, service objects, time objects, and other miscellaneous data. There are some selections requiring additions or modification that are not controllable through SmartDashboard.
objects_5_0.C is the master file that fwm recognizes for its normal operation, and it must exist as part of an NGX installation. The file is either newly created on installation of VPN-1 NGX, or upgraded from VPN-1/FireWall-1 4.1.
objects .C
objects_5_0.C is used only by the SmartCenter Server. During Policy compilation, the objects.C file is generated from objects_5_0.C and passed to the NGX Security Gateway; it contains the information the Gateway requires for its operation. Both objects_5_0.C and objects.C are located in the $FWDIR/conf/ directory. A new objects.C file is created every time a Policy is installed on a Gateway, along with the new Policy.
Object Properties in objects_5_0.C
objects_5_0.C is a master list of properties. The objects listed in the file are definitions of how VPN-1 NGX manipulates traffic that passes through its kernel to the real-world resources represented by those objects. The properties of these objects further define how VPN-1 NGX inspects and manipulates this traffic. The file starts with global properties, followed by SmartCenter Server object properties, then gateway-object properties, and other objects' properties. The following is gateway object fwoslo's Certificate property:
SmallOffice (false)
UA_server (false)
VPN_allow_relay (false)
VPN_relay_if_name ()
add_adtr_rule (false)
allow_extranet (false)
allow_send_logs (false)
amazonas_machine (false)
apply_nat_for_cp_conns (false)
backup_gateway ()
ca_wait_mode_specific_signon_menu_enable (false)
certificates (
  : (defaultCert
    :AdminInfo (
      :chkpf_uid ("{141CBCFF-FC14-45?0-B9FD-0EE2DCS0DAC...}")
      :ClassName (certificate)
    )
    :"$certreq-pki-gen" (false)
    :"ipki-host-cert-set" (false)
    :ca (ReferenceObject
      :Name (internal_ca)
      :Table (servers)
      :Uid ("{26D02974-F0D4-4767-A8E7-A1D48B70734F}")
    )
    :direct_ca (ReferenceObject
      :Name (internal_ca)
      :Table (servers)
      :Uid ("{26D02974-F0D4-4767-A8E7-A1D48B70734F}")
    )
    :dn ("CN=fwoslo VPN Certificate,O=weboslo..audwQz")
    :generated_by_auto_enrollment (true)
    :pkisignkey (4f75ab9794ad57cc1755ea6f)
    :status (signed)
  )
)
objects_5_0.C Properties
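For reading these files outside SmartDashboard, the following Python is an added example, not code from this handbook or from Check Point: a small parser for the parenthesized :key (value) format of objects_5_0.C and objects.C, applied to a constructed fragment shaped on the fwoslo certificate property above. The object names, class names, UIDs and DN in the fragment are made up for the sample.

```python
# Added example: a reader for the objects_5_0.C / objects.C format (not Check Point code).
import re

# Constructed fragment in the objects_5_0.C format, shaped on the fwoslo
# certificate property; names, UIDs and the DN are made up.
SAMPLE = r'''
(
    :network_objects (
        :fwoslo (
            :AdminInfo (
                :ClassName (gateway_ckp)
            )
            :SmallOffice (false)
            :apply_nat_for_cp_conns (false)
            :backup_gateway ()
            :certificates (
                : (defaultCert
                    :AdminInfo (
                        :ClassName (certificate)
                    )
                    :"$certreq-pki-gen" (false)
                    :ca (ReferenceObject
                        :Name (internal_ca)
                        :Table (servers)
                        :Uid ("{26D02974-F0D4-4767-A8E7-A1D48B70734F}")
                    )
                    :dn ("CN=fwoslo VPN Certificate,O=weboslo..audwQz")
                    :generated_by_auto_enrollment (true)
                    :status (signed)
                )
            )
        )
    )
)
'''

# Tokens: a quoted string, a parenthesis, a ':key' (possibly a bare ':'), or an atom.
TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|[()]|:[^\s()]*|[^\s()"]+')


def parse_value(tokens, i):
    """Parse the '( ... )' at tokens[i]. A leaf such as (false) or ("CN=...")
    becomes a string, () becomes None, and a compound becomes a dict of its
    :key entries, with the leading class/name atom (defaultCert, ReferenceObject)
    kept under '_head' and unnamed ': (...)' members collected in a list under ''."""
    assert tokens[i] == "(", "expected '(' at token %d" % i
    i += 1
    head, node = None, {}
    while tokens[i] != ")":
        tok = tokens[i]
        if tok.startswith(":"):
            key = tok[1:].strip('"')
            value, i = parse_value(tokens, i + 1)
            if key == "":
                node.setdefault("", []).append(value)
            else:
                node[key] = value
        else:
            head = tok[1:-1] if tok.startswith('"') else tok
            i += 1
    if not node:
        return head, i + 1
    if head is not None:
        node["_head"] = head
    return node, i + 1


def load(text):
    """Parse a whole .C file (or fragment) into nested dicts."""
    tree, _ = parse_value(TOKEN.findall(text), 0)
    return tree


def lookup(tree, path):
    """Walk a dotted path such as 'network_objects.fwoslo.SmallOffice'."""
    node = tree
    for part in path.split("."):
        node = node[part]
    return node


def certificates(tree, gateway):
    """(name, dn, status) for every certificate stored on a gateway object."""
    certs = lookup(tree, "network_objects.%s.certificates" % gateway).get("", [])
    return [(c["_head"], c["dn"], c["status"]) for c in certs]


if __name__ == "__main__":
    tree = load(SAMPLE)
    print(lookup(tree, "network_objects.fwoslo.SmallOffice"))
    print(certificates(tree, "fwoslo"))
```

This is a reader only: it lets you confirm, for example, which ICA a gateway's Certificate references and whether its status is signed, before deciding on a DbEdit change. Writing the file back is deliberately left to DbEdit, for the validation and Audit log reasons the text gives below.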
DbEdit
To modify objects_5_0.C, use the DbEdit utility, which allows the creation, modification, and deletion of objects. The utility is located in the $FWDIR/bin directory. objects_5_0.C is modified using the following syntax:
DbEdit [-s server] [-u user] [-p password] [-f filename]
Option Explanation
-s server The IP or resolvable hostname of the SmartCenter Server
-u user The Administrator's username for the SmartCenter Server
-p password The Administrator's password for the SmartCenter server
-f filename The filename containing the creation or modification commands DbEdit is to perform
Using the DbEdit utility allows validation and verification of changes, including Audit log records. This is a better method than editing the files, due to the validation process.
DBEDIT COMMANDS
Following are the commands for DbEdi t :
C o m m a n d E x p l a n a t i o n
create Creates an object with its default values; this command does not commit the object to the database. The create command may use an extended or owned object.
modify Modifies fields of an object, which are: 1) Stored in the database; the command will lock the object. 2) Newly created by DbEdit; modifications are kept by the client, until committed to the database, by the update or quit commands.
update Updates the database with the object; this command checks object validity and will issue an error message; invalid fields can be modified using the modify command.
delete Deletes an object from the database, and from the client-implicit database
quit Quits and updates the database with modified objects that are not yet committed
The modify c o m m a n d a l lows the use of extended formats for owned objects:
[field_name] = Field_A.Field_B
DbEdit uses the TDERROR mechan i sm to print detailed status and error messages. The TDERROR TopicName is given the DBEDITLOGS value. This is an example of this variable set on Solaris:
set TDERROR_DBEDITLOGS=3
SYNTAX
create <object_type> <object_name>
modify <table_name> <object_name> <field_name> <value>
update <table_name> <object_name>
• Following is an example of the c r e a t e command:
create tcp_service my_service
• Following is an example of the modify command:
modify services my_service port 8080
• Once the modifications are complete, an update is necessary:
update services my_service
It is not possible to change the name of a gateway object, because the name is used in the object's Certificate.
objects_5_0.C Editing
Before editing the objects_5_0.C file:
1. Close all running instances of SmartConsole.
2. Back up the original $FWDIR/conf/objects_5_0.C to another directory.
3. From a command line, run DbEdit.
4. Enter a resolvable hostname or IP address, when prompted.
5. Enter the username and password of the Administrator when prompted. The following is a sample command, modifying a value in a property under the firewall^properties table in the objects_5J).C file:
modify properties firewalljproperties hclient_enable_new_interface false
The above command changes the hclient_enable_new_interface (true) property to hclient_enable_newj.nterface (false).
6. To: ; the
7. To exit DbEdit, issue quit.
8. Install the Policy.
9. Issue quit to exit to save j
The in 5 O . C i b y
GuiDBedit
GuiDBedit, also known as the Check Point Database Tool, is a graphical utility that can be used to manipulate the configuration files of VPN-1 NGX, in the same way that DbEdit is used from the command line. The GuiDBedit.exe file is installed in the C:\Program Files\CheckPoint\SmartConsole\R60\PROGRAM directory with the SmartDashboard executable, but no link is created for the file in the Start menu's Check Point group.
[Screenshot: GuiDBedit main window, showing the Tables pane (Large Scale Manager, Managed Objects, Network Objects with network_objects, sites_objects and sofaware_gw_types, OPSEC, QoS, Read-Only Configuration, Reporting), the Objects pane with gateway and network objects and their Last Modify Time, and the Fields pane listing object fields with their types and valid values]
GuiDBedit
Double-clicking the GuiDBedit.exe icon opens the GuiDBedit login screen:
[Screenshot: Database Tool login dialog for NGX R60, with User Name, Certificate, Password, SmartCenter Server, Read Only and Demo Mode options, and More Options and Quit buttons]
GuiDBedit Login Screen
Use the same credentials as in SmartDashboard to log into GuiDBedit.
GUIDBEDIT PANES
1. When GuiDBedit opens, it is divided into three panes. The top-left pane has two tabs, Tables and Queries. When the Tables tab is selected, a listing of the tables available on the SmartCenter Server is visible:
[Screenshot: Tables pane with the Tables and Queries tabs; the Tables tree lists Administrators, Desktop, Global Properties, Large Scale Manager, Managed Objects, Network Objects (network_objects, sites_objects, sofaware_gw_types), OPSEC, Other, Policies, Provider-1, QOS and Read-Only Configuration]
Tables Pane
2. The top right pane (Objects pane) shows entries in that table:
[Screenshot: Objects pane for the Network Objects table, with Object Name, Class and Last Modify Time columns; entries include the gateways fwoslo, mgmtoslo, fwtoronto, fwrome and fwmadrid, the networks Net_Madrid, Ext_Madrid, Ext_Toronto, Net_Toronto, Net_Rome, Ext_Oslo, Synch_Net_Oslo and Net_Oslo, the group no_vpn_domain, the host mgmtmadrid and the dynamic object PC-Shield]
Objects Pane
3. The bottom pane lists properties for selected table entries:
Properties Pane
To perform the same modifications as done with DbEdit, the Administrator opens the Global Properties branch in the Tables pane, then selects the Properties table. In the Objects pane, the firewall_properties object appears. When this object is selected, the Properties pane lists all properties available for editing.
The box is
giving a choice between True or False for this property. Select False, and
QUERY TAB
2. Advanced mode:
[Screenshot: Query Editor in Advanced mode, with a query expression field, the list of matched objects, and Last Modified By (Administrator, GUI Client), Modified After and Modified Before filters]
Query Editor, Advanced Mode
Refer to the GuiDBedit help files for further information on creating and saving database queries.
FWAUTH.NDB
$FWDIR/lib/*.def Files
There are multiple lib folders on an NGX SmartCenter, each of them containing a set of *.def files (such as base.def, rtsp.def, dcerpc.def, and others). These files define the behavior and functions of VPN-1 NGX.
Modifying *.def files should only be done when absolutely necessary. Before making any changes to *.def files, the Administrator must know the security implications of those changes. Check Point recommends confirming with Check Point Technical Support the impact of *.def modifications on NGX behavior and functionality.
Changes are made on the SmartCenter Server only; *.def files on a Security Gateway are irrelevant. Changes made to *.def files on a SmartCenter Server are transferred to the Gateway during Policy installation. However, the changes only apply in the Gateway's kernel, and are not written to the Gateway's own *.def files. The actual *.def files on the Gateway remain unmodified.
Editing a *.def file on an NGX SmartCenter should be done in the correct folder, according to the managed Gateway's version. When the managed Gateway is not running VPN-1 NGX, the corresponding *.def file is not located under the $FWDIR/lib directory. It is located in the lib directory under the relevant backward-compatibility directory.
Example
Use the command find / -name dcerpc.def on SecurePlatform to find the dcerpc.def file, located in the following folders:
/opt/CPsuite-R60/fw1/lib/dcerpc.def
/opt/CPsuite-R60/fw1/libsw/dcerpc.def
/opt/CPEdgecmp/lib/dcerpc.def
/opt/CPEdgecmp/libsw/dcerpc.def
/opt/CPngcmp-R60/lib/dcerpc.def
/opt/CPR55WCmp-R60/lib/dcerpc.def
Modifying *.def Files
: on an a VPN-1/Firewall-1 NG . by an N G X !
edit the /opt/CPngcmp-R60/lib/dcerpc.def file (not in , R60/fw1/lib/dcerpc.def):
1. On
2.
3.
up the *.def
Modify the *.
file,
i le to ]
A n y . ; to
4.
5.
.DEF FILE MODIFICATIONS BEFORE VPN-1 NGX
Log Files
Active Log Files
VPN-1 NGX includes the following log files:
Log-File Type Explanation
$FWDIR/log/xx.log Real log records
$FWDIR/log/xx.logptr Pointers to the beginning of each log record
$FWDIR/log/xx.loginitial_ptr Pointers to the beginning of each log chain (logs that share the same Log Unification Unique ID, LUUID)
$FWDIR/log/xx.logaccount_ptr Pointers to the beginning of each accounting record
$FWDIR/log/xx.logLuuidDB Additional temporary pointer file
Each time the current logs are switched using SmartView Tracker or the fw logswitch command, the above five log files are generated. If any pointer file is missing or corrupted, that particular log file cannot be opened. When saving switched log files, all five of the above files need to be saved or archived together, so that the log can later be opened in SmartView Tracker or with the fw log <logfile> command.
To purge or delete the current log file without saving to a backup file, run this command:
fwm logswitch ""
Audit Log Files
In VPN-1 NGX, the audit-log files include the following:
Audit-Log File Type Explanation
xx.adtlog Audit-log records
xx.adtlogptr Pointers to the beginning of each log record
xx.adtloginitial_ptr Pointers to the beginning of each log chain (logs that share the same LUUID)
xx.adtlogaccount_ptr Pointers to the beginning of each accounting record
When audit logs are switched in SmartView Tracker or with the logswitch command, the above four types of log files are generated.
To purge or delete the current audit-log file without saving to a backup file, run this command:
fwm logswitch -audit ""
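The requirement above, that a switched log is only usable together with all of its pointer files, can be checked mechanically before a log set is archived. The following Python script is an added example, not code from the handbook or from Check Point. The directory listing it runs against is constructed, except for the 2006-04-07_190037.adtlog set, whose file names are the ones shown in the logswitch lab later in this chapter; check_log_directory runs the same check against a real $FWDIR/log directory.

```python
"""Check that switched Check Point log sets are complete before archiving them.

Added example, not code from the Check Point handbook.  It encodes the rule
stated in the chapter: a switched xx.log is only usable together with its four
companion pointer files (five files in total), and a switched xx.adtlog with
its three companions (four in total).  SAMPLE_LISTING is constructed, apart
from the audit-log set taken from the lab.
"""
import os
from typing import Dict, Iterable, List

# Companion suffixes from the Active Log Files table; the first one is the log itself.
ACTIVE_LOG_SUFFIXES = (".log", ".logptr", ".loginitial_ptr", ".logaccount_ptr", ".logLuuidDB")
# Companion suffixes from the Audit Log Files table.
AUDIT_LOG_SUFFIXES = (".adtlog", ".adtlogptr", ".adtloginitial_ptr", ".adtlogaccount_ptr")


def missing_companions(filenames: Iterable[str]) -> Dict[str, List[str]]:
    """Map each log or audit-log file to the list of companion files it lacks.

    An empty list means the set is complete and can be archived as a unit;
    a non-empty list names the files without which fw log cannot open it.
    """
    names = set(filenames)
    report: Dict[str, List[str]] = {}
    for name in sorted(names):
        for suffixes in (ACTIVE_LOG_SUFFIXES, AUDIT_LOG_SUFFIXES):
            primary = suffixes[0]
            if name.endswith(primary):
                base = name[: -len(primary)]
                report[name] = [base + s for s in suffixes[1:] if base + s not in names]
    return report


def complete_sets(filenames: Iterable[str]) -> List[str]:
    """Return the log files whose whole set is present, in sorted order."""
    return [name for name, missing in missing_companions(filenames).items() if not missing]


def check_log_directory(path: str) -> Dict[str, List[str]]:
    """Run the check against a real log directory, e.g. $FWDIR/log after fw logswitch."""
    return missing_companions(os.listdir(path))


# Constructed listing: one complete active-log set, the lab's audit-log set,
# and a damaged set whose .logptr was lost (so that log can no longer be opened).
SAMPLE_LISTING = [
    "2006-04-07_185210.log",
    "2006-04-07_185210.logptr",
    "2006-04-07_185210.loginitial_ptr",
    "2006-04-07_185210.logaccount_ptr",
    "2006-04-07_185210.logLuuidDB",
    "2006-04-07_190037.adtlog",
    "2006-04-07_190037.adtlogaccount_ptr",
    "2006-04-07_190037.adtloginitial_ptr",
    "2006-04-07_190037.adtlogptr",
    "2006-03-01_120000.log",
    "2006-03-01_120000.loginitial_ptr",
    "2006-03-01_120000.logaccount_ptr",
    "2006-03-01_120000.logLuuidDB",
]

if __name__ == "__main__":
    for name, missing in missing_companions(SAMPLE_LISTING).items():
        status = "complete" if not missing else "MISSING " + ", ".join(missing)
        print(f"{name}: {status}")
```

Running it on the constructed listing reports the first two sets as complete and the 2006-03-01 set as missing its .logptr file, which is exactly the case in which SmartView Tracker and fw log refuse to open the log.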
Log Mechanism
The following information is based on Check Point Solution sk24901. See the solution at http://secureknowledge.checkpoint.com for more information.
In situations of high load on the SmartCenter Server or log server, the Gateway's fwd daemon (which is responsible for log transfer) has a keep-alive mechanism for communicating with its log server. The NGX Gateway caches log records in a dedicated 4,096 KB buffer, as long as the fwd daemon is in communication with the SmartCenter Server. If no response is received from the Server after a couple of keep-alive checks, the Gateway starts logging locally to $FWDIR/log/fw.log.
However, if communication with the SmartCenter Server is restored during the keep-alive rotations, this buffer retransmits logs to the log server. If the connection is restored after the keep-alive cycle ends, the files logged locally will need to be imported to be viewed. After communication is back, the Gateway also reports on this activity with specific logs.
Troubleshooting Logging Issues
Logging from the Security Gateway to the SmartCenter Server can fail for numerous reasons. Some possible reasons include:
• VPN-1 Control Connections are not allowed from the Gateway to SmartCenter Server.
• Secure Internal Communications (SIC) failure
• DNS failure
• The Fully Qualified Domain Name (FQDN) does not resolve to the correct IP address or does not resolve the name at all, when an FQDN is used in the $FWDIR/conf/masters file.
• Misconfigured /etc/hosts file
One or more of the following suggestions can help troubleshoot a logging problem:
1. Test general connectivity from the Security Gateway to SmartCenter Server, using Ping, or perhaps trying a Telnet connection to a Check Point port.
2. If VPN-1 Control Connections are not allowed in the Global Policy Properties, a rule to allow TCP 257 between the SmartCenter Server and the Gateway is necessary.
3. Test SIC on the problematic gateway object. If a SIC connection is present, the status reads "communicating".
INCREASING BUFFER ON SOLARIS
To increase the buffer size on Solaris, do the following:
1. Edit the /etc/system file on the Gateway and add the set command, as follows: set fw:fw_log_bufsize=xxxxx
... where xxxxx is the desired size in bytes (default = 81,920 KB).
2. Reboot the Gateway for the change to take effect.
It is possible to set the buffer size on the fly by running fw ctl set int fw_log_bufsize xxxxx, but the size will not be persistent across reboots.
INCREASING BUFFER ON LINUX/SECUREPLATFORM
To increase the buffer size on Linux or SecurePlatform, do the following:
1. Create or modify fwkern.conf (if the file exists) in $FWDIR/boot/modules/ on the Gateway.
2. Add the entry fw_log_bufsize=xxxxx, where xxxxx is the desired size in bytes (default = 81,920 KB).
3. Reboot the Gateway for the change to take effect.
The fw_msg_max parameter does not exist for Linux; increasing the fw_log_bufsize parameter is sufficient. Setting the fw_msg_max parameter will cause the NGX kernel not to load.
INCREASING BUFFER SIZE ON WINDOWS
To increase the buffer size on Windows, do the following:
the Registry key HKLM\System\CurrentControlSet\Services\FW1\
3. In the Globals key, create a DWORD value fw : key.
4. Modify the new fw log DWORD Value field.
1 set the . in the
6. Close the Registry Editor.
Debugging Logging
Analysis Tools
NGX logging unifies the various logs for a single connection into one log entry in SmartView Tracker. The individual logs are retained; however, only unified logs are displayed in SmartView Tracker. The logs are given serial numbers, called Log Unification Unique IDs (LUUIDs). This allows all individual logs of a connection to be sorted together using SmartView Reporter, or other Log Export API (LEA) OPSEC tools.
In addition to using Smart View Tracker, you may display NGX log records from the command line. There are four ways to display logs:
1. Initial order: Display unified logs at a specific time. This is the default mode as it displays in Smart View Tracker:
# fw log -m initial
2. Raw log: Display logs from a single connection produced by any kernel driver or Security Server, by incremental log records linked with the same LUUID:
# fw log -m raw
3. Semi unified: Display the unification process in real time:
# fw log -m semi
4. Account unified: Display account logs:
# fw log -m account
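To make the difference between the raw and the initial (unified) views concrete, here is a simplified model of unification by LUUID. It is an added illustration, not Check Point code and not the real record layout: it only assumes that every raw record carries the LUUID of its connection and a sequence number, and that later records of a chain update the entry opened by the first one. The field names and the sample records are constructed.

```python
"""A simplified model of NGX log unification by LUUID.

Added illustration, not Check Point code: it models the behaviour described in
the chapter, namely that a connection produces several raw log records sharing
one LUUID, that "fw log -m raw" shows every record, and that the default
"initial" view shows one unified entry per LUUID.  Field names, the "seq"
ordering field and the sample data are all constructed.
"""
from collections import OrderedDict
from typing import Any, Dict, List

Record = Dict[str, Any]

# Constructed raw records for two connections (LUUIDs "A" and "B") in arrival order.
RAW_RECORDS: List[Record] = [
    {"luuid": "A", "seq": "1", "src": "10.1.1.5", "dst": "10.2.2.1", "service": "http", "action": "accept"},
    {"luuid": "B", "seq": "1", "src": "10.1.1.9", "dst": "10.2.2.1", "service": "ftp", "action": "accept"},
    {"luuid": "A", "seq": "2", "bytes": "1532"},                       # accounting update for A
    {"luuid": "B", "seq": "2", "action": "reject", "reason": "auth failure"},
    {"luuid": "A", "seq": "3", "bytes": "4890", "action": "close"},    # end of connection A
]


def raw_view(records: List[Record]) -> List[Record]:
    """Like "fw log -m raw": every individual record, chained per LUUID in sequence order."""
    return sorted(records, key=lambda r: (r["luuid"], int(r["seq"])))


def unified_view(records: List[Record]) -> List[Record]:
    """Like "fw log -m initial": one entry per LUUID.

    The first record of a chain opens the entry; later records with the same
    LUUID add or overwrite fields, so the entry ends up holding the final state
    of the connection plus a count of the raw records it was built from.
    """
    unified: "OrderedDict[str, Record]" = OrderedDict()
    # Stable sort by sequence number: records that arrive out of order are still
    # applied in order, and chains keep their first-seen order for equal seq values.
    for rec in sorted(records, key=lambda r: int(r["seq"])):
        entry = unified.setdefault(rec["luuid"], {"raw_records": 0})
        entry.update({k: v for k, v in rec.items() if k != "seq"})
        entry["raw_records"] += 1
    return list(unified.values())


def chain(records: List[Record], luuid: str) -> List[Record]:
    """All raw records of one connection, i.e. what the .loginitial_ptr chain points at."""
    return [r for r in raw_view(records) if r["luuid"] == luuid]


if __name__ == "__main__":
    print("raw view:")
    for rec in raw_view(RAW_RECORDS):
        print("  ", rec)
    print("unified (initial) view:")
    for entry in unified_view(RAW_RECORDS):
        print("  ", entry)
```

In the unified view connection A appears once, with action "close" and the final byte count, built from three raw records; connection B appears once with action "reject". The raw view lists all five records, which is what you would scan when a unified entry looks wrong and you need to see which individual record introduced a value.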
Debugging Log
1. To start debugging logs, set the environment as follows:
# setenv TDERROR_<flag name> <value 1-5>
2. To debug with all flags, set the environment as follows:
# setenv TDERROR_ALL 5
3. Run fwd in debug mode (fwd -d). All debugging information is saved to the fwd.elg file.
This table lists the debug flags relevant only to debugging logging, using fwd debug mode:
Flag Explanation
FWLOG_CLU Prints debugging messages from the log trap
CPLOG_CLU cplog component responsible for unification of kernel logs
FWLOG General logging code in fwd
FWLOG_CYC_BUFF Logs cyclic-buffer issues
FWLOG_DISPATCH Logs the dispatching mechanism
FWLOG_AC Active-connections mechanism
LOG_FILE Log-file input/output
CPLOG_UNIFICATION Prints debugging messages from the unification process
CPLOG General debugging messages from the cplog component
Lab 1: Using cpinfo
Scenario: In this lab, you will collect configuration files from the NGX installation.
Objective: Run the cpinfo command and review results.
Topics: The following topics are covered in this lab:
• Running cpinfo on a stand-alone Gateway
• Finding the following information from cpinfo output:
— System information: OS, version, hostname
— Check Point product information: installed products, versions and builds
— License information
— The beginning of objects_5_0.C file
RUN CPINFO ON SECUREPLATFORM AND TRANSFER FILES
1. From your Web server, log in to fwyourcity using an SSH client; once logged in, log in to Expert Mode.
SSH Client Session to fwoslo
2. At the Expert Mode prompt for fwyourcity, run the following command:
cpinfo -o fwyourcity.txt
For purposes of this lab, there is no need to compress the output file as specified previously in the chapter. Check Point recommends compressing the output of cpinfo when sending cpinfo files to Check Point Technical Support.
The file collection runs for a few seconds. As cpinfo runs, status messages display:
A SmartCenter Server with large log files may cause cpinfo to run for a long period of time, as it compresses files. Move those log files outside the $FWDIR directory before running cpinfo.
Once cpinfo has finished, the output file fwyourcity.txt will be created in the default directory for the administrator: /home/admin.
3. Start an FTP session to webyourcity from fwyourcity and transfer fwyourcity.txt to your Web server in binary mode. Although the output file has a *.txt extension, there are embedded binary files in the cpinfo output. Transferring the file in ASCII mode would render those embedded sections useless.
SecurePlatform only has FTP client capabilities. You must have an FTP server configured and running on your Web server to transfer the files.
4. Once the file has transferred, end the FTP session and log out of your SSH client session.
EXAMINE CPINFO OUTPUT FILE
1. Navigate to the directory to which you transferred fwyourcity.txt, and open fwyourcity.txt using WordPad.
2. Using the Edit menu's Find selection, look for the following information in the file:
• Check Point product and operating-system information
• License and version
• objects_5_0.C
The following is partial cpinfo output, listing installed components:
[Screenshot: fwyourcity.txt open in WordPad. The CP components section lists FireWall-1, SecurePlatform, ADVR, CPinfo, NGCMP and R55WCmp with Yes / Ver: 5.0 (one entry Unknown), SP: 9 and MSP: 0 for each. The CP Status - FW section (/opt/CPshrd-R60/bin/cpstat -f policy fw) shows Product name: FireWall-1, Policy name: Standard, Policy install time: Fri Apr 7 10:44:45 2006, Num. connections: 1, Peak num. connections: 6, Total accepted packets: 23569]
Partial cpinfo Output
The Security Gateway's version and build number can be found in the file fwyourcity.txt:
[Screenshot: fwyourcity.txt open in WordPad, showing the following version sections]
VPN-1 Version Information
This is Check Point VPN-1(TM) NGX (R60) - Build 341 kernel: NGX (R60) - Build 341
FireWall-1 Management (fwm) Version Information
This is Check Point SmartCenter Server NGX (R60) - Build 387
FireWall-1 Version Information
This is Check Point VPN-1(TM) & FireWall-1(R) NGX (R60) - Build 458 kernel: NGX (R60) - Build 458
CPShared Version Information
This is Check Point SVN Foundation (R) Version NGX (R60) - Build 562
System Information
Version and Build Information
objects_5_0.C file content is also included in fwyourcity.txt:
[Screenshot: fwyourcity.txt open in WordPad at the start of /opt/CPsuite-R60/fw1/conf/objects_5_0.C, showing the anyobj (Any), superanyobj, serverobj and globals sections]
objects_5_0.C
Continue to the next lab.
Lab 2: Analyzing cpinfo in InfoView
Scenario: In this lab, students will use the fwyourcity.txt from the previous lab and analyze it using the InfoView utility.
Objectives:
• Review cpinfo output in InfoView.
• Launch SmartDashboard from InfoView to analyze a Gateway's Rule Base and objects.
Topics:
• Opening cpinfo from InfoView
• Launching SmartDashboard inside InfoView to review the Rule Base and objects
OPEN CPINFO IN INFOVIEW
1. Download the InfoView utility and install it on your Web server. Alternately, your instructor may have a copy of InfoView you can install on your Web server.
2. Launch InfoView.
3. From the File menu, select Open and browse to the directory where fwyourcity.txt is located:
[Screenshot: fwoslo.txt open in InfoView. The left tree lists the product directories /opt/CPsuite-R60/fw1, /opt/CPshrd-R60 and /opt/CPEdgecmp; the File Title list contains CP components, CP Status, CP Product keys, VPN-1 Version Information, FireWall-1 Management Version Information, FireWall-1 Version Information, CPShared Version Information, System Information, IP Interfaces and Netstat Information; the Tests list (Host File, License-Object, Duplicate Objects, All Interfaces, Machine Interfaces, I/F-Object, Process) shows Not tested for fwoslo; the Products table lists FireWall-1, SecurePlatform, ADVR, CPinfo, NGCMP and R55WCmp as NG AI (R60) builds]
fwoslo.txt in InfoView
REVIEW INSTALLED PRODUCTS, SYSTEM, LICENSE, AND OTHER INFORMATION
1. Click the System Information tree; the processor type and speed, environment, and other information, such as routing and ARP are displayed.
2. Close the System Information tree.
3. Click the CP products key tree to review the Check Point products installed on your machine:
[Screenshot: the CP Product keys section in WordPad, listing registry keys per product: CPshared (CPDIR /opt/CPshrd-R60, ISCONFIGURED 1), FW1 (AddSnmp, Auth, Encryption, FireWall, FWDIR /opt/CPsuite-R60/fw1, FManagement, IsConfigured, Management, Primary, ProductName, Unlimit, vsx) and Provider-1 (PRODDIR, FWDIR, InitiallyConfigured), with "Failed to find the value" shown for keys that are not set]
CP Products Installed
4. Close the CP Products tree.
5. Click the CP License tree to review licensing information.
LAUNCH SMARTDASHBOARD IN INFOVIEW
1. Highlight the hostname in the InfoView list.
2. Click the drop-down list of the SmartDashboard icon.
3. Select Explicit:
[Screenshot: SmartDashboard icon drop-down with the Configure and Explicit entries]
Explicit Menu
4. Select the path to SmartConsole and check the box Open as read-only:
[Screenshot: file-open dialog in the SmartConsole PROGRAM directory, with File name FwPolicy.exe, Files of type Policy Editor (fwpolicy.exe), and the Open as read-only box checked]
SmartConsole Path Selected
5. SmartDashboard opens in local mode; use this to review the configuration and Policy.
Continue to the next lab.
Lab 3: Using GuiDBedit
Scenario: In this lab, you will use GuiDBedit to create a new service object and a new group object, and to add the service object to the group object. You will also use GuiDBedit to set the global property resolve_multiple_interfaces to true.
Objectives:
• Use GuiDBedit to create a new object.
• Use GuiDBedit to modify an object's property.
• Use GuiDBedit to modify a global-property value.
Topics:
• Logging in to GuiDBedit and creating an object
• Modifying global properties
LOG IN TO GUIDBEDIT AND CREATE AN OBJECT
1. Close all SmartConsole sessions.
2. On your Web server, right-click on the desktop, and select New > Shortcut from the context menu.
3. Run the Create New Shortcut wizard to browse to GuiDBedit.exe, located in C:\Program Files\CheckPoint\SmartConsole\R60\Program.
4. Double-click the newly created GuiDBedit.exe shortcut. A login screen similar to the SmartDashboard login opens:
[Screenshot: Database Tool login dialog for NGX R60 with User Name fwadmin, Certificate, Password, SmartCenter Server 10.2.2.1, Read Only and Demo Mode options]
GuiDBedit Login Screen
5. Use the same credentials to log in as a standard SmartDashboard Session. The GuiDBedit screen opens:
[Screenshot: GuiDBedit main window with the Tables tab selected, listing branches such as Large Scale Manager, Read-Only Configuration, Reporting, Services and SmartMap]
GuiDBedit Screen
6. In the Tables pane, open the Services branch and select the services table object. The Objects pane then populates with all available objects in the services table:
[Screenshot: GuiDBedit with the Services branch open and the services table selected; the Objects pane lists services such as IMAP-SSL, the MSExchange dcerpc services, BGP, MS-WINS-Replication-TCP_SD, MS-WINS-Replication-UDP_SD, Squid_NTLM, sasser-icmp, Witty_Worm, MS-SQL-Server_SD, MS-SQL-Monitor_SD and MSMQ, with their classes (tcp_service, dcerpc_service, other_service)]
GuiDBEdit Services Table and Objects
7. Select an object in the Objects pane, which changes the focus of GuiDBedit to the Objects pane and populates the Fields pane.
8. From the Objects drop-down menu, select New. The Create Object box opens.
9. From the Class drop-down menu, select service_group, and name the Object "labservices". Click OK.
[Screenshot: Create Object box with Class service_group and Object labservices]
Creating labservices Service Group
The services table automatically refreshes, and in the Objects pane, the focus will now shift to the newly created labservices object.
10. Use the Create Object box to create a new tcp_service called "test-service1".
11. Highlight the test-service1 object in the Objects pane, and scroll through the Fields pane to find the port field.
12. Double-click the port field to edit it. Configure the new service with port 3333 and click OK:
[Screenshot: edit box with Value 3333]
port Field Configured
13. Click the Save All Changed Objects button on the menu, to write all changes to the database:
[Screenshot: Save All Changed Objects toolbar button]
Save Changed Objects
14. Highlight the labservices object in the Objects pane. In the Fields pane, scroll to the container field, right-click, and choose Add. The Add/Edit element box opens.
15. In the Object drop-down menu, scroll to the test-service1 object, highlight it, and click OK. This adds test-service1 to the service group labservices.
[Screenshot: Fields pane for labservices: container (service_object reference) test-service1 ('services' table); color (string) black; comments (string); etm_enabled (boolean) false; group_convention_query (string)]
test-service1 Added
16. Make the change permanent in objects_5_0.C by clicking the Save All Changed Objects button.
MODIFY GLOBAL PROPERTIES
GuiDBedit can also be used to modify specific properties of a given object. You will modify the resolve_multiple_interfaces property of the firewall_properties object in the global properties table:
1. In the GuiDBedit Tables pane, open the Global Properties branch and select the properties table.
2. In the Object pane, select the firewall_properties object.
3. From the toolbar, select the Search menu and choose the Find option. Use the following information to configure the search:
Find What: resolve_multiple_interfaces
Search in: Fields
Match whole string only: Checked
Direction: Down
[Screenshot: GuiDBedit Find dialog with Find what resolve_multiple_interfaces, Search in Fields, Match whole string only checked, and the Fields pane showing the matching boolean property]
GuiDBedit Search Tool
4. Double-click resolve_multiple_interfaces to edit its Boolean value. Select True and click OK.
5. Click the Save All Changed Objects button to save the updated value.
Some properties are global, and some are specific to a Gateway. To modify properties that are unique to a specific Gateway, locate the object name in the network_objects table in the Network Objects branch of the Tables pane.
Continue to the next lab.
Lab 4: Using fw logswitch and fwm logexport
Scenario: Even though a logswitch can be configured to run regularly via the SmartCenter object in SmartDashboard, or can be run from the menu in SmartView Tracker, using the command fw logswitch can sometimes be helpful. In this lab, you will see that 4-5 log-pointer files are generated with the real .log file when the fw logswitch command is executed. A distinction between logswitch and logexport is made in this lab.
Objectives:
• Use the fw logswitch command to switch active and audit logs.
• Use fwm logexport to export logs and view them in a text editor.
Topics:
• Using fw logswitch to switch active logs
• Using fw logswitch to switch audit logs
• Using fwm logexport to export the active log and open it with WordPad
• Identifying log-pointer files after fw logswitch run
RUN FW LOGSWITCH TO SWITCH ACTIVE LOG
1. Open an SSH session to the Security Gateway, and log in to Expert mode.
2.
3. Run the fw
fw
The
Log file has
4. View the new log file
lab-switch.log
lab-switch.logaccount
5. If no to the
to:
dappends the(
.loginitialjptr
Log File Listing without Filename
USE FW LOGSWITCH TO SWITCH AUDIT LOG
1. In the same SSH session to the stand-alone Gateway, run:
fw logswitch -audit
The following message displays:
Log file has been switched to: 2006-04-07_190037.adtlog
2. Check the newly generated .adt logs in the $FWDIR/log directory:
New .adt Log Files
The .adt log files generated are the following:
2006-04-07_190037.adtlog
2006-04-07_190037.adtlogaccount_ptr
2006-04-07_190037.adtloginitial_ptr
2006-04-07_190037.adtlogptr
RUN FWM LOGEXPORT AND VIEW OUTPUT
1. From the same SSH session, run the fwm logexport command:
fwm logexport -n -p -o exportfwyourcityl
A message similar to the following displays:
Starting...There are 1 log records in the file.
2. View the logexport output file using the less command:
Output of less exportfwoslol
Or you can FTP the exported log file to your Web server and view it in WordPad:
num;date;time;orig;type;action;alert;i/f_name;i/f_dir;product;log_sys_message
0;7Apr2006;13:58:49;172.22.102.1;control;;;daemon;inbound;VPN-1 & FireWall-1;L
Logexport Output File
REVIEW
• cpinfo is a troubleshooting utility created by Check Point to collect a "snapshot" of the configuration of a Security Gateway or SmartCenter Server. It can also be used to collect OS and NGX debugging information for later analysis and troubleshooting.
• InfoView is a graphical utility used to analyze the output of cpinfo, including state-table information, routing, licenses, etc. InfoView can be configured to open parts of the SmartDashboard with a reproduction of the Security Policy installed on systems from which cpinfo files are taken.
• objects_5_0.C is the master list of all objects and their properties in an NGX installation. objects.C is a file that is created at Policy installation, based on information in objects_5_0.C.
• Editing objects_5_0.C is done with DbEdit and GuiDBedit.
• fwauth.NDB is the database file that stores all information about users created via SmartDashboard.
• *.def files define certain aspects of the behavior and function of the NGX kernel. In special circumstances, these files can be modified to adjust the function of the NGX kernel. These changes will not survive the application of a HotFix Accumulator (HFA). Always verify that functionality is included in the HFA using the HFA release notes. If not, archive the modified *.def file before applying an HFA.
• When the command fw logswitch is run, six different log files are created. All six of these files are necessary when archiving logs. At the same time, five specific types of audit-log files are created. All files are necessary for archiving.
• The NGX logging mechanism has a built-in keep-alive function when running in a distributed environment. Local logging occurs only if the delta for this keep-alive period is exceeded.
• Logging issues may be caused by VPN-1 Control Connections being blocked, SIC failures, or DNS (and/or hostname) resolution errors.
• Logging is a critical security tool. Create a "best practice" logging Policy.
• In some situations, it may be necessary to modify the logging parameters of the NGX kernel for better performance.
Review Answers
1. Which of the following is NOT a recommended method for modifying an NGX object's properties?
C) Modifying the object by directly editing objects_5_0.C
While this method will work, it is not recommended. If a typographical error or other mistake is made when editing, the change may be ignored, or may cause objects_5_0.C to fail to load or make the Security Gateway inoperable.
2. You are troubleshooting a Policy installation failure in a distributed environment. Your SmartCenter Server is located in Dallas, and your Security Gateway is located in San Francisco. A local technician has sent you the cpinfo file from the Security Gateway. Which information will NOT be available in this file?
D) A viewable copy of the installed Policy
The Policy is compiled with the objects files, and is a binary file on the Gateway. This information would be retrieved from Policy information on the SmartCenter Server.
CHAPTER 4: PROTOCOL ANALYZERS
Protocol analyzers and traffic-capture utilities and commands, such as tcpdump, snoop and fw monitor, can be critical tools in determining the nature of an issue involving VPN-1 NGX. These tools capture and analyze network traffic as it comes to and goes through an NGX Security Gateway, and can help determine if an issue involves VPN-1 NGX and its kernel or is an unrelated problem.
Objectives
1. Use tcpdump to capture packets and analyze packet-header formats.
2. Use snoop to capture packets, and review three output modes.
3. Use fw monitor to capture packets.
4. Review fw monitor output using Ethereal.
Key Terms
TCPDUMP
tcpdump is a command-line utility available on most UNIX- and Linux-based operating systems, which can be used for packet-header analysis. tcpdump sets interfaces into promiscuous mode, capturing the headers of all traffic according to parameters defined in the expression used to configure a tcpdump session. The capture either displays in real time on the screen, or can be written to a capture file. tcpdump offers a high degree of flexibility to control the capture and subsequent review of network packet headers.
tcpdump can capture many types of network traffic (such as DECnet or AppleTalk), but as such traffic is not recognized by VPN-1 NGX, only TCP/IP-related traffic is discussed here.
tcpdump Syntax
The following is the syntax of the tcpdump command:
tcpdump [ -adeflnNOpqRStuvxX ] [ -c count ] [ -C file_size ] [ -F file ] [ -i interface ] [ -m module ] [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ] [ -E algo:secret ] [ expression ]
This table explains several of the commonly used switches and their arguments for tcpdump:
Switch and Argument Explanation
-c Exit after receiving count packets.
-C file_size Before writing a raw packet to a savefile, check whether the file is currently larger than file_size and, if so, close the current savefile and open a new one. Savefiles after the first will have the name specified with the -w flag, with a number after it, starting at 2 and continuing upward. The units of file_size are millions of bytes (1,000,000 bytes, not 1,048,576 bytes).
-i interface Listen on interface. If unspecified, tcpdump searches the system-interface list for the lowest-numbered, configured-up interface (excluding loopback). Ties are broken by choosing the earliest match. On Linux systems with 2.2 or later kernels, an interface argument of "any" can be used to capture packets from all interfaces. Note that captures on the "any" device will not be done in promiscuous mode.
-r file Read packets from file (which was created with the -w option). Standard input is used if file is "-".
-s Grab snaplen bytes of data from each packet, rather than the default of 68. (With the Sun OS NIT, the minimum is actually 96.) 68 bytes is adequate for IP, ICMP, TCP and UDP, but may truncate protocol information from name-server and Network File System packets. Packets truncated because of a limited snapshot are indicated in the output with " [ | proto] ", where proto is the name of the protocol level at which the truncation has occurred. Note that taking larger snapshots both increases the amount of time it takes to process packets, and effectively decreases the amount of packet buffering. This may cause packets to be lost. Limit snaplen to the smallest number that will capture protocol information required. Setting snaplen to 0 means using the required length to catch whole packets.
-v (Slightly more) verbose output; for example, time to live, identification, total length, and options in an IP packet are printed. Also enables additional packet-integrity checks, such as verifying the IP and ICMP header checksum.
-w Write the raw packets to file, rather than parsing and printing them. Packets can later be printed with the -r option. Standard output is used if file is "-".
tcpdump and Expressions
An expression selects which packets tcpdump will write to the defined output. If no expression is given, all packets on the network will be dumped. Otherwise, only packets for which the value of expression is 'true' will be dumped.
An expression is typically an ID name or number preceded by one or more qualifiers. There are three different kinds of qualifiers:
type Indicates the thing to which the ID name or number refers; possible types are host, net and port. For example:
host foo
net 128.3
port 20
If there is no type qualifier, host is assumed.
dir Specifies a particular transfer direction to and/or from the ID name or number; possible directions are src, dst, src or dst, and src and dst. For example:
src foo
dst net 128.3
src or dst port ftp-data
If there is no dir qualifier, src or dst is assumed. For 'null' link layers (i.e., point-to-point protocols, such as SLIP), the inbound and outbound qualifiers can be used to specify a desired direction.
proto Restricts the match to a particular protocol; possible protos are ether, fddi, tr, ip, ip6, arp, rarp, decnet, tcp and udp. For example:
ether src foo
arp net 128.3
tcp port 21
If there is no proto qualifier, all protocols consistent with the type are assumed; i.e., src foo means (ip or arp or rarp) src foo (the latter is not legal syntax), net bar means (ip or arp or rarp) net bar, and port 53 means (tcp or udp) port 53.
This is only a partial overview of the syntax for tcpdump. For a complete list of all switches and arguments, and further information on using expressions, refer to the man pages for your OS, or to the documentation at http://www.tcpdump.org.
Using tcpdump
Determine if traffic needs to be viewed in real time, or if the information should be captured to a file for later viewing. Once this has been determined, initiate the tcpdump session to get the capture.
The following string captures all traffic coming to all interfaces on Gateway fwoslo, and writes the output to the file capture:
tcpdump -i any -w capture
Unless troubleshooting a network-connectivity issue, this format may show too much information to be useful. It would be better to narrow the input to a specific interface:
tcpdump -i eth1 -w capture
This will capture all traffic from the network segment connected to eth1 on fwoslo. If there is too much information presented in the capture, tcpdump can also filter for specific protocols. Suppose that in this environment, you are attempting to determine the failure of an FTP session through the Security Gateway fwoslo. From the command line on fwoslo, set tcpdump to filter specifically for FTP traffic on all interfaces, with the following syntax:
tcpdump -i any '(port ftp or ftp-data)' -w capture
This will show if any FTP related traffic is being "heard" on the interfaces of fwoslo.
Viewing tcpdump Output
The output of a tcpdump capture written with the -w switch is a binary file, which can be viewed with tcpdump itself or with a protocol-analysis program (such as Ethereal), as long as that program has been written to recognize the tcpdump format. The command to open the file is as follows:
tcpdump -r <filename>
Open the file that was captured using this string ...
tcpdump -i eth1 -w capture
... which displays the following information:
[Expert@fwoslo]# tcpdump -i eth1 -r capture
15:28:37.501897 10.2.2.102 > 172.22.102.1: icmp: echo request
15:28:37.501963 172.22.102.1 > 10.2.2.102: icmp: echo reply
15:28:39.494254 arp who-has 10.2.2.102 tell fwoslo
15:28:39.494524 arp reply 10.2.2.102 is-at 0:11:43:ce:36:e5
15:28:46.156386 10.2.2.102.1641 > fwoslo.ftp: S 754360268:754360268(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
15:28:46.156471 fwoslo.ftp > 10.2.2.102.1641: R 0:0(0) ack 754360269 win 0 (DF)
15:28:46.532969 10.2.2.102.1641 > fwoslo.ftp: S 754360268:754360268(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
15:28:46.533010 fwoslo.ftp > 10.2.2.102.1641: R 0:0(0) ack 1 win 0 (DF)
15:28:46.724479 fwoslo > 224.0.0.5: OSPFv2-hello 56: [len 44] [tos 0xc0] [ttl 1]
[Expert@fwoslo]#
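The capture above shows each SYN from 10.2.2.102 to fwoslo.ftp answered at once with an RST. As an added example (not from the course material), this Python script reads that old-style tcpdump text output, pairs each bare SYN with the reply it receives, and separates refused attempts (an RST means the peer was reached but nothing is listening on the port) from attempts that draw no reply at all, which is what a dropped connection looks like. The sample lines are constructed from the capture above, with an extra SSH handshake added to show a connection that proceeds.

```python
"""Find TCP connection attempts answered by RST in tcpdump text output.

Added example, not from the course material. It reads the old-style tcpdump
format shown above (timestamp src > dst: FLAGS ...), remembers each bare SYN
and reports the ones answered straight away with an RST. Anything still
pending at the end was never answered, i.e. it may have been dropped.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the fwoslo capture above (OCR corrected),
# plus an SSH handshake that completes, so the two outcomes can be compared.
SAMPLE = """\
15:28:37.501897 10.2.2.102 > 172.22.102.1: icmp: echo request
15:28:37.501963 172.22.102.1 > 10.2.2.102: icmp: echo reply
15:28:39.494254 arp who-has 10.2.2.102 tell fwoslo
15:28:39.494524 arp reply 10.2.2.102 is-at 0:11:43:ce:36:e5
15:28:46.156386 10.2.2.102.1641 > fwoslo.ftp: S 754360268:754360268(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
15:28:46.156471 fwoslo.ftp > 10.2.2.102.1641: R 0:0(0) ack 754360269 win 0 (DF)
15:28:46.532969 10.2.2.102.1641 > fwoslo.ftp: S 754360268:754360268(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
15:28:46.533010 fwoslo.ftp > 10.2.2.102.1641: R 0:0(0) ack 1 win 0 (DF)
15:28:46.724479 fwoslo > 224.0.0.5: OSPFv2-hello 56: [len 44] [tos 0xc0] [ttl 1]
15:28:50.100000 10.2.2.102.1650 > fwoslo.ssh: S 8811:8811(0) win 16384 <mss 1460> (DF)
15:28:50.100200 fwoslo.ssh > 10.2.2.102.1650: S 9923:9923(0) ack 8812 win 5840 <mss 1460> (DF)
"""

# timestamp, source endpoint, destination endpoint, first token after ':', rest
LINE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) (\S+) > (\S+): (\S+)(.*)$")
# TCP flag field in old tcpdump output: S, R, P, F, '.' (none), W/E for ECN
TCP_FLAGS = re.compile(r"^[SRPFWE.]+$")


def find_refused(capture: str):
    """Return (refused, pending).

    refused: list of (timestamp, client endpoint, server endpoint) for SYNs
             answered with an RST.
    pending: dict (client, server) -> SYN timestamp for SYNs never answered.
    """
    pending: Dict[Tuple[str, str], str] = {}
    refused: List[Tuple[str, str, str]] = []
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue                       # ARP lines carry no ' > '
        ts, src, dst, flags, rest = m.groups()
        if not TCP_FLAGS.match(flags):
            continue                       # icmp:, OSPFv2-hello, ...
        is_ack = " ack " in rest
        if "S" in flags and not is_ack:    # bare SYN: a new connection attempt
            pending[(src, dst)] = ts
        elif (dst, src) in pending:        # a reply to a pending SYN
            if "R" in flags:
                refused.append((ts, dst, src))
            if "R" in flags or "S" in flags:   # RST or SYN/ACK settles the attempt
                del pending[(dst, src)]
    return refused, pending


def refused_by_service(refused) -> Dict[str, int]:
    """Count refusals per server endpoint, e.g. {'fwoslo.ftp': 2}."""
    counts: Dict[str, int] = {}
    for _ts, _client, server in refused:
        counts[server] = counts.get(server, 0) + 1
    return counts


if __name__ == "__main__":
    found, unanswered = find_refused(SAMPLE)
    for ts, client, server in found:
        print(f"{ts} {client} -> {server}: SYN answered with RST (port closed on peer)")
    print("unanswered SYNs:", unanswered)
```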
SNOOP
The snoop utility places a system's interface into promiscuous mode. In promiscuous mode, snoop captures all packets on the network segment to which an interface is attached. This capture can occur in either real time for output to a display, or to a binary capture file. The snoop utility is powerful, because of the level of detailed information it provides. It also allows a high degree of flexibility for controlling the capture and subsequent review of network packets. The snoop utility is available only on UNIX systems.
snoop can also capture and analyze network packets other than IP, such as DECnet and AppleTalk. However, since VPN-1 NGX does not recognize packet types other than IP, these other packets are not covered in this chapter.
Using snoop
Before running snoop, determine whether a real-time capture is needed, or whether data should be sent to a file for later review. Sending output to a file is usually the best choice, as data displayed on-screen scrolls quickly and is difficult to read.
To capture data to a file, use the following command:
#snoop -o filename
The -o option saves data in binary format to a user-defined file. To view data in real-time, exclude the -o option.
Next, determine how many packets need to be captured to view the information. If the number of packets is not determined, snoop will continue gathering packets until you press CTRL + C, or the system runs out of resources.
To set the number of packets, use the following command:
#snoop -o filename -c 1000
In this example, snoop will capture 1,000 packets. This capture will typically take about 60 seconds on a 10 megabits-per-second network. The type of capture taken depends on the type of information required. Keep in mind that snoop can be resource-intensive, depending on the amount of network traffic on a segment. In some cases, a dedicated server for snoop may be needed.
Reading snoop Output
Below is an example of verbose summary mode, using the same packet as the previous example. Notice it provides layer 2 (Ethernet), layer 3 (IP), layer 4 (TCP), layer 7 (Telnet), and ACK and SEQ (sequence number):
17 2.07408 enterprise -> 10.1.1.101 ETHER Type=0800 (IP), size = 70 bytes
17 2.07408 enterprise -> 10.1.1.101 IP D=10.1.1.101 S=10.1.1.102 LEN=56, ID=56890
17 2.07408 enterprise -> 10.1.1.101 TCP D=21 S=32797 Ack=73641 Seq=389458204 Len=16 Win=8760
17 2.07408 enterprise -> 10.1.1.101 FTP C port=32797 USER anonymous\r\n
VERBOSE (DETAIL) MODE
Verbose mode displays the details of each packet to the bit level in the OSI model. The example below shows the same packet as the previous examples in verbose mode. Detailed information of each layer is captured, including layer 2 (Ethernet), layer 3 (IP), and layer 4 (TCP) headers. The syntax for verbose detailed mode is:
snoop -i -v [filename]
snoop and Security
With snoop, Security Administrators can capture data on a network without being noticed. Unlike active measures, such as network discovery using ICMP, snoop does not alert anyone to its presence. This passive behavior allows an analysis of the network's security without alerting anyone. snoop can run over a longer period of time than active measures, which run at a single point in time. If a host is down for several minutes while you are pinging a network, the host is missed. However, snoop picks up these hosts when they send or receive traffic. One security issue is identifying activities on a network. Perhaps there are concerns about specific Web sites or FTP download sites; snoop can be used on a network to look for downloads from known Web sites or FTP servers.
snoop should be used with authorization or for troubleshooting purposes only. Federal law, such as the Wiretap Act, prohibits routine monitoring, unless for troubleshooting or for self-defense purposes for a limited period of time.
snoop helps track down "unknown" hosts in a network. An unknown host could be a dial-up server or gateway configured by a network attacker. Active measures can determine hosts on the network, but only if the machines are on. What if a host is on only at night, or has been configured not to reply to ICMP requests? snoop helps track down rogue hosts, allowing action to be taken.
snoop Limitations
Unlike active measures, but like most sniffers, snoop cannot operate in a switched network. snoop records packets that cross the designated interface on a local network segment, but only captures packets in its collision domain.
To monitor all traffic traveling between a network and the Internet, place the sniffer between the gateway and the border router. This allows all Internet traffic to be captured. This information is compared to the logs in SmartView Tracker, to see specifically which segment of the network needs further inspection with snoop. This comparison is useful when encountering Network Address Translation and traffic originating behind routers.
FW MONITOR
Overview
The fw monitor command monitors network traffic through the interfaces on an NGX Security Gateway. This is done by loading a special INSPECT filter to filter out interesting packets. This filter is different from the INSPECT filter used to implement a Rule Base. A Rule Base determines which packet is accepted, rejected, or dropped; however, the INSPECT filter generated by fw monitor captures kernel-packet flows. You can capture everything through the kernel using fw monitor; alternately, you can capture a particular type of traffic or source.
fw monitor Syntax
fw monitor runs from the command line. The following arguments configure fw monitor not only to capture and filter traffic passing through VPN-1 NGX, but also to specify which points of the kernel chain that packets pass through are monitored.
fw monitor syntax is as follows:
fw monitor [-d] [-D] <{-e expr}+|-f <filter-file|->> [-l len] [-m mask] [-x offset[,len]] [-o <file>]
The fw monitor arguments are listed in this table:
Argument Explanation
-d Provides lower-level debug from the filter-loading process of fw monitor
-D Provides higher-level debug from the filter-loading process of fw monitor
-e Specifies an INSPECT program line; multiple -e options may be used.
-f Specifies an INSPECT filter filename; the file is copied before compilation; the -f and -e options are mutually exclusive.
-l Limits the packet length, and specifies how much of the packet should be transferred from the kernel; for packets longer than the specified length, only a prefix will be available for display.
-m Specifies the inspection-points mask; any one or more of i, I, o, or O can be used; if this option is not specified, all four points are captured.
-o Specifies an output file; saves monitored packets in the output file as they are monitored; during the monitoring, a count of the number of packets saved in the file is displayed; the content of the file can later be examined using the snoop -i <file> command.
-x Specifies display parameters; when this option is present, the IP and protocol information will be followed by a hexadecimal dump and printable character display, starting at offset bytes into the packet for len bytes; if offset + len is larger than the length specified by the -l option, only the data available will be displayed; console output only.
-h Displays usage string
-u Prints the connection's Universally Unique ID (UUID)
-s Prints the connection's session UUID (for FTP data connections, prints the control connection's UUID)
-t When compiling the INSPECT script, includes tcpip.def; allows the use of tcpip macros in the script
-i Flushes the standard output after writing each packet; useful if you want to kill fw monitor but still have all data written to a file
-c <count> Limits the number of inbound (-ci count) and/or outbound (-co count) packets; once the specified number has been reached, the monitor will stop; default is to stop on CTRL + C only.
-p Monitors position in the kernel chain. Note: Using this switch with the "all" argument can be very resource-intensive.
INSPECT Virtual Machine
The INSPECT virtual machine intercepts, analyzes, and takes action on all communication before it enters a Gateway's OS. Cumulative data from communication and application states, network configuration, and Security Policy are used by the virtual machine to enforce the enterprise Policy.
This figure displays how the virtual machine inspects packets:
Virtual-Machine Inspection Points
There are four inspection points as a packet passes through the virtual machine:
• Before the virtual machine, in the inbound direction (i or PREIN)
• After the virtual machine, in the inbound direction (I or POSTIN)
• Before the virtual machine, in the outbound direction (o or PREOUT)
• After the virtual machine, in the outbound direction (O or POSTOUT)
Once fw monitor is executed, the specified INSPECT filter is compiled and loaded into the kernel. The fw monitor filter is not to be confused with the filter used in a Policy. The fw monitor filter does not pass or drop any packets; it only "watches" the packets as they pass through the kernel and displays them in the Command Line Interface (CLI). When you press CTRL + C to stop monitoring, the filter is unloaded and fw monitor exits.
Any parameters following "accept;" in the fw monitor command will be displayed by fw monitor. The same filter is executed on all interfaces in all directions. Packets are inspected in all four points, unless the mask option -m is specified.
Unless the -o option is specified, packets are directed to standard output. The first line displays IP information, and the next lines display protocol-specific information (for TCP, UDP, or ICMP). If the option -x is used, the lines following the command show a hexadecimal dump and printable character display of the packet content. Issuing fw monitor without any arguments will capture all packets to standard output, which is the CLI.
Filter Expressions
In a busy system, running fw monitor without any filters can produce a great deal of output and make analysis difficult. Filter expressions are used to specify the packets to be captured. The general syntax is fw monitor -e "accept <expression>;".
The following example shows three filters:
fw monitor -e "accept src=172.29.109.1 or dst=172.29.109.1;"
fw monitor -e "accept dport=80;"
fw monitor -m il -e "accept;" -o monitor.out
• The first filter captures all traffic from and to the host 172.29.109.1.
• The second filter captures all HTTP traffic on port 80 only.
• The third filter captures only inbound direction before and after the virtual machine (i and I), and redirects the output to a file.
fw ctl chain
VPN-1 NGX passes each packet through a list of chain modules. Each module may modify, pass, or drop the packets. You can see this list using the fw ctl chain command. fw monitor can be inserted at any position in the chain.
OUTPUT
in chain (10):
0: -7f800000 (f99d12c0) IP Options Strip (ipopt_strip)
1:  -2000000 (f31a8dd0) vpn decrypt (vpn)
2:   liiiiio (lyyaicau) Stateless verifications (asm)
3:  -1fffff0 (f31a8730) vpn decrypt verify (vpn_ver)
4:  -1000000 (f99e9690) SecureXL connection syn (secxl_sync)
5:         0 (f99a4720) fw VM inbound (fw)
6:   2000000 (f31a9d70) vpn policy inbound (vpn_pol)
7:  10000000 (f99e9b20) SecureXL inbound (secxl)
8:  7f600000 (f99cec90) fw SCV inbound (scv)
9:  7f800000 (f99d1570) IP Options Restore (ipopt_res)
out chain (8):
0: -7f800000 (f99d12c0) IP Options Strip (ipopt_strip)
1:  -1ffffff (f31a8600) vpn nat outbound (vpn_nat)
2:  -1f00000 (f99afcd0) Stateless verifications (asm)
3:         0 (f99a4720) fw VM outbound (fw)
4:   2000000 (f31a9780) vpn policy outbound (vpn_pol)
5:  10000000 (f99e9b20) SecureXL outbound (secxl)
6:  20000000 (f31a9360) vpn encrypt (vpn)
7:  7f800000 (f99d1570) IP Options Restore (ipopt_res)
fw ctl chain i
be after fw monitor.
t the monitor in the e To ] , use -pi 999 or -pO
CHAIN INSERTION POINTS
fw monitor is inserted into the chain as a chain module, so that it can report on all packets; it does not change or drop any packets. fw monitor is inserted into the chain at four points: positions -0x70000000 and 0x70000000 in the inbound chain, and the same two positions in the outbound chain. The negative position captures packets before they pass most of the chain modules, while the positive position captures them after they have passed the chain modules. It is possible to change the position of the monitor. This is accomplished with the -p parameter.
This parameter has the following syntax:
fw monitor -p[i|I|o|0] [absolute pos | relative pos | [+|-]alias]
absolute pos: a signed integer that determines the order in which packets pass the modules; packets start with the smallest number and end with the largest. This number does not depend on the current chain entries.
relative pos: the chain modules are numbered in ascending order starting with 0. You can use this number to specify the position at which fw monitor is inserted. fw monitor does not replace the chain module with this number; the module previously at this number (and all following modules) are moved by one position.
alias (shown in parentheses): a short name, which can be used with the -p parameter.
The letter following -p is the position you want to change: inbound or outbound, and either the first (lowercase) or last (uppercase) position. You may include this parameter up to four times, to change some or all positions. When using a relative position, type the position of the module before which you want the monitor to enter. If you want the position after all modules, use any number higher than all relative positions (99 will usually do). When using an absolute position, type the position where you want the module. If there is a module at this position, the command will fail. When using an alias, you can select whether you want the monitor before or after the alias.
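The -p rules above can be tried out offline with this added Python model (example code, not fw monitor's own logic): it parses fw ctl chain output and places the monitor by relative position, absolute position or alias as described, rejecting an absolute position that is already occupied. It assumes the monitor's numeric position is the neighbouring module's position plus or minus one, which matches the single case shown on this page (-1fffff1 between -1fffff2 and -1fffff0), and it moves only the lowercase point, leaving the other at 0x70000000; the sample chain is constructed from the 15-module listing shown below.

```python
"""Model where fw monitor enters the kernel chain (added example, not Check Point code)."""
import re
from dataclasses import dataclass
from typing import List

# Constructed from the 15-module 'in chain' listing on this page (OCR corrected).
CHAIN_BEFORE = """\
in chain (15):
 0: -7f800000 (989a8d60) (ffffffff) IP Options Strip (ipopt_strip)
 1:  -2000000 (995a3390) (00000003) vpn decrypt (vpn)
 2:  -1fffff6 (989a9e80) (00000001) Stateless verifications (asm)
 3:  -1fffff2 (995c37b0) (00000003) vpn tagging inbound (tagging)
 4:  -1fffff0 (995a2bd0) (00000003) vpn decrypt verify (vpn_ver)
 5:  -1000000 (989dbf40) (00000003) SecureXL conn sync (secxl_sync)
 6:         0 (98954530) (00000001) fw VM inbound (fw)
 7:         1 (989b1f20) (00000002) wire VM inbound (wire_vm)
 8:        10 (9896eb70) (00000001) fw accounting inbound (acct)
 9:   2000000 (995a52a0) (00000003) vpn policy inbound (vpn_pol)
10:  10000000 (989dc2e0) (00000003) SecureXL inbound (secxl)
11:  21000000 (99bf7360) (00000001) FG-1 inbound (fg_pol)
12:  7f600000 (989a2b70) (00000001) fw SCV inbound (scv)
13:  7f750000 (98a958c0) (00000001) TCP streaming (in) (cpas)
14:  7f800000 (989a9020) (ffffffff) IP Options Restore (ipopt_res)
"""

# index: signed hex position (address) (flags) name (alias)
LINE = re.compile(
    r"^\s*\d+:\s*(-?)\s*([0-9a-f]+)\s+\([0-9a-f]+\)\s+\([0-9a-f]+\)\s+(.*?)\s*\((\S+)\)\s*$"
)
DEFAULT_LAST = 0x70000000   # the uppercase (I / O) point, left at its default here


@dataclass
class Module:
    pos: int     # signed; packets traverse the chain in ascending order
    name: str
    alias: str


def parse_chain(text: str) -> List[Module]:
    """Parse one direction of fw ctl chain output into modules sorted by position."""
    chain = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                          # header such as 'in chain (15):'
        sign, hexpos, name, alias = m.groups()
        pos = int(hexpos, 16)
        chain.append(Module(-pos if sign else pos, name, alias))
    return sorted(chain, key=lambda mod: mod.pos)


def monitor_position(chain: List[Module], relative=None, absolute=None, alias=None) -> int:
    """Resolve one -p argument to an absolute position, or raise ValueError.

    ASSUMPTION: relative and alias placements take the neighbouring module's
    position +/- 1; this matches the one case the page shows (-1fffff1 lands
    between -1fffff2 and -1fffff0) but is not documented as fw monitor's rule.
    """
    if absolute is not None:
        pos = absolute
    elif relative is not None:
        if relative >= len(chain):            # e.g. -pi 99: after every module
            pos = chain[-1].pos + 1
        elif relative == 0:
            pos = chain[0].pos - 1
        else:                                 # in front of the module holding this index
            pos = chain[relative - 1].pos + 1
    elif alias is not None:                   # '-alias' = before, '+alias' = after
        target = next(mod for mod in chain if mod.alias == alias.lstrip("+-"))
        pos = target.pos + 1 if alias.startswith("+") else target.pos - 1
    else:
        raise ValueError("one of relative, absolute or alias is required")
    if any(mod.pos == pos for mod in chain):  # page: the command fails if occupied
        raise ValueError(f"a module already occupies position {pos:#x}")
    return pos


def insert_monitor(chain: List[Module], inbound: bool = True, **placement) -> List[Module]:
    """Return the chain as fw ctl chain would list it once fw monitor is loaded."""
    first = monitor_position(chain, **placement)
    # Inbound packets meet the interface-side point first; outbound ones the IP side.
    first_name, last_name = ("i/f side", "IP side") if inbound else ("IP side", "i/f side")
    with_monitor = chain + [
        Module(first, f"fwmonitor ({first_name})", "fwmonitor_first"),
        Module(DEFAULT_LAST, f"fwmonitor ({last_name})", "fwmonitor_last"),
    ]
    return sorted(with_monitor, key=lambda mod: mod.pos)


def show(chain: List[Module]) -> str:
    return "\n".join(f"{i:2}: {mod.pos:9x} {mod.name} ({mod.alias})" for i, mod in enumerate(chain))


if __name__ == "__main__":
    print(show(insert_monitor(parse_chain(CHAIN_BEFORE), relative=4)))
```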
RELATIVE POSITION
Note: the chain-module numbers and names are not fixed. In this example, chain module 4 is vpn decrypt verify; after fw monitor is inserted as relative position 4, chain module 4 has become fw monitor, and vpn decrypt verify has moved by one position.
1. fw ctl chain before inserting fw monitor:
in chain (15):
 0: -7f800000 (989a8d60) (ffffffff) IP Options Strip (ipopt_strip)
 1:  -2000000 (995a3390) (00000003) vpn decrypt (vpn)
 2:  -1fffff6 (989a9e80) (00000001) Stateless verifications (asm)
 3:  -1fffff2 (995c37b0) (00000003) vpn tagging inbound (tagging)
 4:  -1fffff0 (995a2bd0) (00000003) vpn decrypt verify (vpn_ver)
 5:  -1000000 (989dbf40) (00000003) SecureXL conn sync (secxl_sync)
 6:         0 (98954530) (00000001) fw VM inbound (fw)
 7:         1 (989b1f20) (00000002) wire VM inbound (wire_vm)
 8:        10 (9896eb70) (00000001) fw accounting inbound (acct)
 9:   2000000 (995a52a0) (00000003) vpn policy inbound (vpn_pol)
10:  10000000 (989dc2e0) (00000003) SecureXL inbound (secxl)
11:  21000000 (99bf7360) (00000001) FG-1 inbound (fg_pol)
12:  7f600000 (989a2b70) (00000001) fw SCV inbound (scv)
13:  7f750000 (98a958c0) (00000001) TCP streaming (in) (cpas)
14:  7f800000 (989a9020) (ffffffff) IP Options Restore (ipopt_res)
out chain (14):
 0: -7f800000 (989a8d60) (ffffffff) IP Options Strip (ipopt_strip)
 1:  -1ffffff (995a27c0) (00000003) vpn nat outbound (vpn_nat)
 2:  -1fffff0 (98a95a30) (00000001) TCP streaming (out) (cpas)
 3:  -1ff0000 (995c37b0) (00000003) vpn tagging outbound (tagging)
 4:  -1f00000 (989a9e80) (00000001) Stateless verifications (asm)
 5:         0 (98954530) (00000001) fw VM outbound (fw)
 6:         1 (989b1f20) (00000002) wire VM outbound (wire_vm)
 7:   2000000 (995a4b60) (00000003) vpn policy outbound (vpn_pol)
 8:  10000000 (989dc2e0) (00000003) SecureXL outbound (secxl)
 9:  15000000 (99bf7360) (00000001) FG-1 outbound (fg_pol)
10:  20000000 (995a3cc0) (00000003) vpn encrypt (vpn)
11:  7f000000 (9896eb70) (00000001) fw accounting outbound (acct)
12:  7f700000 (98a95c20) (00000001) TCP streaming post VM (cpas)
13:  7f800000 (989a9020) (ffffffff) IP Options Restore (ipopt_res)
2. fw monitor -pi 4 -o monitor.out:
in chain (17):
 0: -7f800000 (989a8d60) (ffffffff) IP Options Strip (ipopt_strip)
 1:  -2000000 (995a3390) (00000003) vpn decrypt (vpn)
 2:  -1fffff6 (989a9e80) (00000001) Stateless verifications (asm)
 3:  -1fffff2 (995c37b0) (00000003) vpn tagging inbound (tagging)
 4:  -1fffff1 (989833a0) (ffffffff) fwmonitor (i/f side)
 5:  -1fffff0 (995a2bd0) (00000003) vpn decrypt verify (vpn_ver)
 6:  -1000000 (989dbf40) (00000003) SecureXL conn sync (secxl_sync)
 7:         0 (98954530) (00000001) fw VM inbound (fw)
 8:         1 (989b1f20) (00000002) wire VM inbound (wire_vm)
 9:        10 (9896eb70) (00000001) fw accounting inbound (acct)
10:   2000000 (995a52a0) (00000003) vpn policy inbound (vpn_pol)
11:  10000000 (989dc2e0) (00000003) SecureXL inbound (secxl)
12:  21000000 (99bf7360) (00000001) FG-1 inbound (fg_pol)
13:  70000000 (989833a0) (ffffffff) fwmonitor (IP side)
14:  7f600000 (989a2b70) (00000001) fw SCV inbound (scv)
15:  7f750000 (98a958c0) (00000001) TCP streaming (in) (cpas)
16:  7f800000 (989a9020) (ffffffff) IP Options Restore (ipopt_res)
out chain (16):
0: -7f800000 (989a8d60) (ffffffff) IP Options Strip (ipopt_strip)
1: -70000000 (989833a0) (ffffffff) fwmonitor (IP side)
2: - 1ffffff (995a27c0) (00000003) vpn nat outbound (vpn_nat)
3: - 1fffff0 (98a95a30) (00000001) TCP streaming (out) (cpas)
4: - 1ff0000 (995c37b0) (00000003) vpn tagging outbound (tagging)
5: - 1f00000 (989a9e80) (00000001) Stateless verifications (asm)
6: 0 (98954530) (00000001) fw VM outbound (fw)
7: 1 (989b1f20) (00000002) wire VM outbound (wire_vm)
8: 2000000 (995a4b60) (00000003) vpn policy outbound (vpn_pol)
9: 10000000 (989dc2e0) (00000003) SecureXL outbound (secxl)
10: 15000000 (99bf7360) (00000001) FG-1 outbound (fg_pol)
11: 20000000 (995a3cc0) (00000003) vpn encrypt (vpn)
12: 70000000 (989833a0) (ffffffff) fwmonitor (i/f side)
13: 7f000000 (9896eb70) (00000001) fw accounting outbound (acct)
14: 7f700000 (98a95c20) (00000001) TCP streaming post VM (cpas)
15: 7f800000 (989a9020) (ffffffff) IP Options Restore (ipopt_res)
RELATIVE POSITION USING ALIASES
of fw in fw ctl
lias. For verify, use -pi
is to use a module's This can be done using
to insert fw monitc
fw monitor -pi -vpn_ver -o monitor-alias.out
monitor: getting filter (from command line)
monitor:
in chain (17):
0: -7f800000 (989a8d60) (ffffffff) IP Options Strip (ipopt_strip)
1: - 2000000 (995a3390) (00000003) vpn decrypt (vpn)
2: - 1fffff8 (989a9e80) (00000001) Stateless verifications (asm)
3: - 1fffff2 (995c37b0) (00000003) vpn tagging inbound (tagging)
4: - 1fffff1 (989833a0) (ffffffff) fwmonitor (i/f side)
5: - 1fffff0 (995a2bd0) (00000003) vpn decrypt verify (vpn_ver)
6: - 1000000 (989dbf40) (00000003) SecureXL conn sync (secxl_sync)
7: 0 (98954530) (00000001) fw VM inbound (fw)
out chain (16):
0: -7f800000 (989a8d60) (ffffffff) IP Options Strip (ipopt_strip)
1: -70000000 (989833a0) (ffffffff) fwmonitor (IP side)
2: - 1ffffff (995a27c0) (00000003) vpn nat outbound (vpn_nat)
3: - 1fffff0 (98a95a30) (00000001) TCP streaming (out) (cpas)
4: - 1ff0000 (995c37b0) (00000003) vpn tagging outbound (tagging)
5: - 1f00000 (989a9e80) (00000001) Stateless verifications (asm)
6: 0 (98954530) (00000001) fw VM outbound (fw)
7: 1 (989b1f20) (00000002) wire VM outbound (wire_vm)
8: 2000000 (995a4b60) (00000003) vpn policy outbound (vpn_pol)
9: 10000000 (989dc2e0) (00000003) SecureXL outbound (secxl)
10: 15000000 (99bf7360) (00000001) FG-1 outbound (fg_pol)
11: 20000000 (995a3cc0) (00000003) vpn encrypt (vpn)
12: 70000000 (989833a0) (ffffffff) fwmonitor (i/f side)
13: 7f000000 (9896eb70) (00000001) fw accounting outbound (acct)
ABSOLUTE POSITION
You can insert fw monitor the second fw VM
its absolute position. The values). Note that the s im-
position is
The following is a partial list of the in and out chains from fw ctl chain:
in chain (15):
0: -7f800000 (989a8d60) (ffffffff) IP Options Strip (ipopt_strip)
1: - 2000000 (995a3390) (00000003) vpn decrypt (vpn)
2: - 1fffff8 (989a9e80) (00000001) Stateless verifications (asm)
3: - 1fffff2 (995c37b0) (00000003) vpn tagging inbound (tagging)
4: - 1fffff0 (995a2bd0) (00000003) vpn decrypt verify (vpn_ver)
5: - 1000000 (989dbf40) (00000003) SecureXL conn sync (secxl_sync)
6: 0 (98954530) (00000001) fw VM inbound (fw)
7: 1 (989b1f20) (00000002) wire VM inbound (wire_vm)
8: 10 (9896eb70) (00000001) fw accounting inbound (acct)
9: 2000000 (995a52a0) (00000003) vpn policy inbound (vpn_pol)
10: 10000000 (989dc2e0) (00000003) SecureXL inbound (secxl)
out chain (14):
0: -7f800000 (989a8d60) (ffffffff) IP Options Strip (ipopt_strip)
1: - 1ffffff (995a27c0) (00000003) vpn nat outbound (vpn_nat)
2: - 1fffff0 (98a95a30) (00000001) TCP streaming (out) (cpas)
3: - 1ff0000 (995c37b0) (00000003) vpn tagging outbound (tagging)
4: - 1f00000 (989a9e80) (00000001) Stateless verifications (asm)
5: 0 (98954530) (00000001) fw VM outbound (fw)
6: 1 (989b1f20) (00000002) wire VM outbound (wire_vm)
7: 2000000 (995a4b60) (00000003) vpn policy outbound (vpn_pol)
8: 10000000 (989dc2e0) (00000003) SecureXL outbound (secxl)
To insert fw monitor after tcp stream (cpas) for the outbound chain:
fw monitor -po -0x1ffffe0 -o monitor-absolute.out
out chain (16):
0: -7f800000 (989a8d60) (ffffffff) IP Options Strip (ipopt_strip)
1: - 1ffffff (995a27c0) (00000003) vpn nat outbound (vpn_nat)
2: - 1fffff0 (98a95a30) (00000001) TCP streaming (out) (cpas)
3: - 1ffffe0 (989833a0) (ffffffff) fwmonitor (IP side)
4: - 1ff0000 (995c37b0) (00000003) vpn tagging outbound (tagging)
5: - 1f00000 (989a9e80) (00000001) Stateless verifications (asm)
6: 0 (98954530) (00000001) fw VM outbound (fw)
7: 1 (989b1f20) (00000002) wire VM outbound (wire_vm)
fw ctl chain does not show the 0x prefix on its hexadecimal positions. When you pass a position to fw monitor -pi or -po, you must add the 0x prefix yourself (and keep the minus sign for negative positions).
SAMPLING INTERVAL
One of your customers claims she cannot access your internal FTP server. The FTP server is configured with Static NAT on your NGX Gateway. You see your customer's FTP connection is accepted in Smart View Tracker, but you do not know when the kernel drops this connection or when the FTP server resets the connection.
The FTP client's IP address is 100.100.100.1, and the FTP server's private IP address is 192.168.1.1. Its public IP address is 200.200.20.1. Your Gateway's external IP address is 200.200.20.2.
Q.) How do you run fw monitor with proper filters, to capture FTP connections between the server and this client only?
A.) fw monitor -e "accept src=100.100.100.1 or dst=100.100.100.1;" -o ftp-monitor.out
Q.) What is the procedure for capturing this FTP problem?
A.) Follow these steps:
1. Start fw monitor.
2. Initiate an FTP connection from the client.
3. Wait for the problem to occur, then press CTRL + C to stop fw monitor.
ETHEREAL
Ethereal is a graphical tool used to analyze and capture network traffic. Ethereal is available on a wide range of platforms and operating systems, including all major UNIX flavors (Solaris, Linux, BSD, etc.), Windows (Windows 9x, ME, NT 4, 2000 and XP), Mac OS, and many more. Ethereal reads a wide variety of capture formats, including the format used by fw monitor (which is in fact the same format as snoop). Check Point has its own flavour of Ethereal called CPethereal (available for Check Point Certified Support Partners only).
Using Ethereal
Below is fw monitor output in Ethereal:
[Screenshot: Ethereal with the fw monitor file access-oslo.out loaded. The top pane lists SSH and TCP/HTTP packets between 10.2.2.1, 10.2.2.102 and 172.29.109.1 (No., Time, Source, Destination, Protocol and Info columns); the middle pane shows the decoded Frame, Ethernet II, Internet Protocol and Transmission Control Protocol headers of the selected frame; the bottom pane shows the raw bytes in hex and ASCII.]
Ethereal GUI
The Ethereal GUI consists of three panes. The top pane is an overview, listing entry ID number, capture time, source and destination address, protocol name (TCP, UDP, FTP, ICMP), and a packet summary with the following information:
• Type of packet: SYN, SYN-ACK, ACK, RST, etc.
• Sequence number, acknowledge number, and packet length
[Screenshot: the Ethereal top pane, frames 101 to 115: SSH traffic between 10.2.2.102 and 10.2.2.1, then the handshake of the connection 172.29.109.1:1045 to 10.2.2.102:http (SYN, SYN-ACK, ACK), each packet appearing several times because fw monitor records it at more than one inspection point, with the repeats flagged as TCP Dup ACK.]
Ethereal Top Pane
The Time field counts in seconds after fw monitor starts. The Time field is always important for troubleshooting. For example, when a new TCP connection starts, it starts with a TCP handshake: SYN, SYN-ACK, and ACK. Check Point's default limit for the whole TCP handshake is 25 seconds (defined in the tcpstart time-out setting in Global Properties). If you see a SYN packet from client to server, and the server does not reply with SYN-ACK within 25 seconds, the SYN-ACK will be dropped with a "TCP packet out of state" error. By looking at the Time field, you can tell if the connection is finished in time.
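The 25-second check described above can be applied mechanically to a packet summary of the kind the Ethereal top pane shows. The following Python is an added example (not part of the handbook and not Ethereal's own API): it pairs each SYN with the matching SYN-ACK by the connection's addresses and ports, computes the delay, and reports connections whose SYN-ACK arrived after the tcpstart limit or never arrived at all. The rows are constructed sample data in a (time, source, destination, info) layout, and the function names are my own.

```python
import re

# Default limit for the whole TCP handshake, per the handbook's Global Properties note.
TCPSTART_TIMEOUT = 25.0  # seconds

# Constructed sample rows in the shape of the Ethereal top pane:
# (Time, Source, Destination, Info). Only Time and Info are needed below.
SAMPLE_ROWS = [
    # healthy handshake, client 172.29.109.1:1045 to server 10.2.2.102:http
    (5.634784, "172.29.109.1", "10.2.2.102", "1045 > http [SYN] Seq=0 Ack=0 Win=16384"),
    (5.635206, "10.2.2.102", "172.29.109.1", "http > 1045 [SYN, ACK] Seq=0 Ack=1 Win=17520"),
    (5.635729, "172.29.109.1", "10.2.2.102", "1045 > http [ACK] Seq=1 Ack=1 Win=17520"),
    # server answers 31.1 s after the SYN: the gateway would treat this SYN-ACK
    # as out of state, so the client never completes the handshake
    (9.000000, "172.29.109.1", "10.2.2.102", "1046 > ftp [SYN] Seq=0 Ack=0 Win=16384"),
    (40.100000, "10.2.2.102", "172.29.109.1", "ftp > 1046 [SYN, ACK] Seq=0 Ack=1 Win=17520"),
    # SYN with no reply anywhere in the capture (routing issue or server down)
    (12.000000, "172.29.109.1", "10.2.2.102", "1047 > http [SYN] Seq=0 Ack=0 Win=16384"),
]

# "sport > dport [FLAGS] ..." as printed in the Info column
INFO_RE = re.compile(r"^(\S+) > (\S+) \[([^\]]+)\]")


def parse_info(info):
    """Return (source port, destination port, set of TCP flags) or None."""
    m = INFO_RE.match(info)
    if not m:
        return None
    sport, dport, flags = m.groups()
    return sport, dport, {f.strip() for f in flags.split(",")}


def check_handshakes(rows, timeout=TCPSTART_TIMEOUT):
    """Map each (client, client_port, server, server_port) seen with a SYN to a verdict.

    Verdicts: 'ok', 'late SYN-ACK (<delta>s)' when the reply came after the
    timeout, or 'no SYN-ACK' when the capture holds no reply at all.
    """
    syn_time, synack_time = {}, {}
    for t, src, dst, info in rows:
        parsed = parse_info(info)
        if parsed is None:
            continue
        sport, dport, flags = parsed
        if flags == {"SYN"}:
            syn_time.setdefault((src, sport, dst, dport), t)
        elif flags == {"SYN", "ACK"}:
            # reply direction: swap to the client's point of view before keying
            synack_time.setdefault((dst, dport, src, sport), t)

    verdicts = {}
    for conn, t_syn in syn_time.items():
        if conn not in synack_time:
            verdicts[conn] = "no SYN-ACK"
            continue
        delta = synack_time[conn] - t_syn
        verdicts[conn] = f"late SYN-ACK ({delta:.1f}s)" if delta > timeout else "ok"
    return verdicts


if __name__ == "__main__":
    for conn, verdict in check_handshakes(SAMPLE_ROWS).items():
        client, cport, server, sport = conn
        print(f"{client}:{cport} -> {server}:{sport}: {verdict}")
```

Because fw monitor records the same packet at several inspection points, a real capture repeats each SYN and SYN-ACK row; setdefault keeps the first occurrence of each, so the repeats do not distort the delay.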
Viewing Connection Beginnings
A typical TCP connection starts with a TCP handshake: SYN, SYN-ACK, and ACK. You can observe the TCP handshake in fw monitor without any filtering expressions. You can see the SYN packet from the client to the server with all four entries i, I, o, O present. You know the packet arrives at the kernel, and leaves the Gateway successfully.
After the SYN packet leaves the Gateway and gets to the server side, the server side replies with a SYN-ACK. If the reply is successful, you will see i, I, o, O. The client then sends an ACK packet to the previous SYN-ACK, and you see i, I, o, O. If you only see SYN but no SYN-ACK, the SYN-ACK packet may not arrive at the Gateway. There may be some routing issues, or the server may not be running.
Viewing Connections Dropped by Kernel
Depending on the switch combination with fw monitor, you may see more or fewer lines per packet. If no particular direction or interfaces are filtered, fw monitor records four lines per packet in Ethereal (i, I, o, O). If there is any discontinuity in the flow, packets can be either dropped or rerouted by the kernel. For example, a packet has entry i, but no I. The packet may have been dropped by the Rule Base. If you see a packet coming through the inbound interface (i or I) but not through the outbound interfaces (o or O), the packet can be rerouted by the OS.
Using Filters with Ethereal
When you use fw monitor to capture certain types of traffic, start fw monitor with the proper switches first. Then test the traffic in question, wait until the problem occurs (connection times out or error messages appear), then return to the fw monitor CLI and stop fw monitor with CTRL + C. To transfer the monitor output to a machine running Ethereal, transfer the monitor output in binary.
Ethereal may take a long time to open an fw monitor file, using filters as it interprets the data contained in the monitor.out file. Check Point recommends opening Ethereal as a new session. Then create a filter expression, using the same filters used in the monitor file in the newly created session. This will lessen the amount of time Ethereal takes to open.
Connection starting points normally start with a SYN packet from a client to a server. To find the starting point of a connection, click either source or destination (if either of them is known). In some cases, click the Protocol field, and monitor entries will line up accordingly.
For example, to look for FTP connections only, you can filter by FTP on the Protocol field. The filtered output is like the following:
[Screenshot: Ethereal packet list filtered on the FTP protocol. The rows show the server's 220 banner, the client's USER command and the 331 Password required reply, the PASS command and the 230 user logged in reply, each followed by TCP retransmission entries. Because FTP is a cleartext protocol, the user name and password are readable directly in the Info column and in the hex pane.]
Protocol Field
To revert to the original display, click the No. or Time fields.
FOLLOWING TCP STREAMS
Ethereal can display only specific packets with different colors. The easiest way to display only specific packets is to select a packet in the overview pane, then select Follow TCP Stream from the context menu. This will automatically set a display filter to only display packets of this specific connection, based on source or destination IP addresses and ports. A separate screen displays the data exchanged between client and server.
[Screenshot: the overview pane with a packet of the HTTP connection 172.29.109.1:1045 to 10.2.2.102 selected (SYN-ACK, ACK, GET / HTTP/1.1 and HTTP/1.1 304 Not Modified rows visible), and Follow TCP Stream chosen from the context menu.]
Follow TCP Stream Selection
The filter expression is automatically populated in the Filter list in the top pane. To clear the filter expression, click the Clear button to the right of the Filter box.
[Screenshot: the Filter box populated by Follow TCP Stream with an expression of the form (ip.addr eq 172.29.109.1 and ip.addr eq 10.2.2.102) and (tcp.port eq 1045 ...), so the list shows only that connection: frames 105 to 121, SYN, SYN-ACK, ACK, GET / HTTP/1.1 and HTTP/1.1 304 Not Modified, each repeated for the inspection points at which fw monitor recorded it.]
Filter Expression
When Follow TCP Stream is selected, a separate screen appears, displaying the data exchanged between server and client on that particular connection. By following the TCP stream of a particular FTP packet, for example, this screen shows whether or not that connection is broken, as shown below:
[Screenshot: Follow TCP Stream window showing the FTP control conversation in ASCII: the 220 banner of the WS_FTP Server 5.0.4 evaluation, USER and 331 Password required, PASS and 230 user logged in (the credentials are visible in cleartext), TYPE I and 200 Type set to image, PORT and 200 command successful, RETR monitor-ftp.out, QUIT. Below the content are Save As and Print buttons, the Entire conversation (351 bytes) selector, the ASCII / EBCDIC / Hex Dump / C Arrays display options, and a Filter out the stream button.]
Follow TCP Stream Screen
The Follow TCP Stream filter can only use IP addresses and ports.
A.) The monitor file has been sent to you in ASCII i ;send the file in 1
1.1
(= ) or greater than (>=).
7. Click Apply.
LAB 5: COMPARING CLIENT-SIDE NAT VS. SERVER-SIDE NAT WITH FW MONITOR
CONFIGURE AUTOMATIC STATIC NAT FOR WWW.YOURCITY.CP
1. Log in to 2. Edit wQbvonrcitfs
3. Open the NAT sere
4.
5.
6.
7.
172.x.x.3 as the NAT IP ; is 172.22.102.0, and the NAT IP j
172.22.102.3.
OK to exit the host
Policy > Global properties > NAT i
8. Verify 1
9. Verify 1
5 is i
j ARP.
10.
11.
OK to <
RUN FW MONITOR WHILE WEBDALLAS BROWSES THE NAT ADDRESS OF WWW.YOURCITY.CP
1. Start fw monitor to < (172.29.109.1):
fw
2.
; HTTP [to1
NAT IP to ensur
.1
(172.29.109.1), try to brows<
fw monitor captures an HTTP SYN
.1;" -o
In the lab environment, if irtner city ; of your Web
i its
N A T
3. Run fw monitor on your Gateway, filtering for your partner's internal-host IP address as source or destination. For example, if your partner's host IP is 10.2.4.104 (weboslo's partner site webmadrid), run the following command to capture all traffic from or to that partner host:
fw monitor -e "accept src=10.2.4.104 or src=172.24.104.3 or dst=10.2.4.104 or dst=172.24.104.3;" -o monitor-auto-nat.out
4. Use FTP in binary mode to transfer the monitor-output file from your Gateway to www.yourcity.cp, where Ethereal is installed.
5. Open Ethereal and load the monitor-output file.
6. Analyze the NAT process and locate the point where the NAT IP address changes into the private IP. In the following screenshot at I (big I), the destination changes from 172.23.103.3 to 10.1.1.101, which is the private IP of webrome:
[Screenshot: Ethereal showing the fw monitor capture with client-side NAT. Frame 1 (i, eth0) is the SYN from 172.23.103.3:1092 to the NAT address 172.21.101.3; from frame 2 (Direction: I, eth0) onward the destination is already the private address 10.1.1.101, and the return SYN-ACK from 10.1.1.101 is shown with source 172.21.101.3 only at frame 8 (O). The details pane lists the Check Point FW-1 monitor header (Direction, interface) above the IP and TCP headers.]
Monitor Output with Client-Side NAT
10.2.2.102 to 172.22.102.3. This occurs at the O (big O) in the
DISABLE CLIENT NAT
1. Select Glo
2. Under Aut side.
3. Leave the
4. Click OK.
5. Install the
: NAT i
: ARP (
ADD HOST ROUTE ON FWYOURCITY GATEWAY
1. Log in to 1
2. Ru
3. Select Routing from the menu.
4. Select add a host route.
5. Enter the NAT IP address as the
7. Enter e to ex
8. Enter e to &
RUN FW MONITOR WHILE BROWSING NAT IP ADDRESS
1.
2.
•city's
3. Use FTP to s<
to WW
(172.29.109.1). by its NAT IP ;
run fw : NAT
5. Identify the point where the NAT IP changes to the private IP. For inbound, as shown in the screenshot below, the translation occurs at O (big O), since it is closest to the server side. (The client side is webdallas, and the server side is webrome.)
[Screenshot: Ethereal showing the fw monitor capture with server-side NAT. Frames 1 to 3 (i, I, o) of the SYN from 172.29.109.5:1351 still carry the NAT destination 172.21.101.3; frame 4 (Direction: O, eth1) shows the private destination 10.1.1.101. The return SYN-ACK arrives from 10.1.1.101 at frame 5 (i) and already carries source 172.21.101.3 from frame 6 (I) onward. The details pane lists the FW-1 monitor header (Direction, interface) above the IP and TCP headers.]
fw monitor Output with Server-Side NAT
6. Identify the point where the return packet's source address is translated from 10.2.2.102 to 172.22.102.3. It is at the I (big I), because this is the closest point to the server side.
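The two pieces of reasoning this chapter asks you to do by eye in Ethereal, spotting a packet that is missing one of its i, I, o, O entries (the "Viewing Connections Dropped by Kernel" section) and locating the inspection point at which an address changes (this lab), can be done over fw monitor text output. The following Python is an added example (not from the handbook or Check Point) that groups the output by packet, reports incomplete paths, and names the point at which the source or destination was translated. The capture is constructed sample data laid out like fw monitor's text output (interface:point[len]: src -> dst (proto) len= id=, followed by a TCP: line); that layout, the IP id plus TCP sequence grouping key, and the function names are assumptions of mine. The sample reproduces a client-side NAT case with the lab's addresses plus one dropped SYN.

```python
import re

# Constructed sample in the layout of fw monitor's text output. Client 172.23.103.3
# connects to the NAT address 172.21.101.3 of webrome (private 10.1.1.101);
# a second client's SYN is recorded at i only.
SAMPLE_CAPTURE = """\
eth0:i[60]: 172.23.103.3 -> 172.21.101.3 (TCP) len=60 id=4001
TCP: 1092 -> 80 .S.... seq=455a8c3d ack=00000000
eth0:I[60]: 172.23.103.3 -> 10.1.1.101 (TCP) len=60 id=4001
TCP: 1092 -> 80 .S.... seq=455a8c3d ack=00000000
eth1:o[60]: 172.23.103.3 -> 10.1.1.101 (TCP) len=60 id=4001
TCP: 1092 -> 80 .S.... seq=455a8c3d ack=00000000
eth1:O[60]: 172.23.103.3 -> 10.1.1.101 (TCP) len=60 id=4001
TCP: 1092 -> 80 .S.... seq=455a8c3d ack=00000000
eth1:i[60]: 10.1.1.101 -> 172.23.103.3 (TCP) len=60 id=7120
TCP: 80 -> 1092 .S..A. seq=09c0f5ab ack=455a8c3e
eth1:I[60]: 10.1.1.101 -> 172.23.103.3 (TCP) len=60 id=7120
TCP: 80 -> 1092 .S..A. seq=09c0f5ab ack=455a8c3e
eth0:o[60]: 10.1.1.101 -> 172.23.103.3 (TCP) len=60 id=7120
TCP: 80 -> 1092 .S..A. seq=09c0f5ab ack=455a8c3e
eth0:O[60]: 172.21.101.3 -> 172.23.103.3 (TCP) len=60 id=7120
TCP: 80 -> 1092 .S..A. seq=09c0f5ab ack=455a8c3e
eth0:i[60]: 172.23.103.9 -> 172.21.101.3 (TCP) len=60 id=5555
TCP: 2222 -> 23 .S.... seq=0000beef ack=00000000
"""

HDR_RE = re.compile(r"^(\w+):([iIoO])\[\d+\]:\s+(\S+) -> (\S+) \((\w+)\) len=(\d+) id=(\d+)")
TCP_RE = re.compile(r"^TCP:\s+(\d+) -> (\d+)\s+(\S+)\s+seq=([0-9a-f]+)")


def parse_fw_monitor(text):
    """Group fw monitor text output into packets keyed by (proto, IP id, TCP seq).

    NAT rewrites addresses but not the IP id or TCP sequence number, so those
    identify the same packet across i, I, o and O. Each packet maps to the
    ordered list of (point, iface, src, dst, sport, dport) at which it was seen.
    """
    packets = {}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        hdr = HDR_RE.match(lines[i])
        if not hdr:
            i += 1
            continue
        iface, point, src, dst, proto, _length, ip_id = hdr.groups()
        sport = dport = seq = None
        if proto == "TCP" and i + 1 < len(lines):
            tcp = TCP_RE.match(lines[i + 1])  # transport line follows the header
            if tcp:
                sport, dport, _flags, seq = tcp.groups()
                i += 1
        packets.setdefault((proto, ip_id, seq), []).append((point, iface, src, dst, sport, dport))
        i += 1
    return packets


def analyze(packets):
    """Apply the chapter's i/I/o/O reasoning; return a list of (key, findings)."""
    report = []
    for key, hops in packets.items():
        seen = [h[0] for h in hops]
        findings = []
        if "i" in seen and "I" not in seen:
            findings.append("seen at i but not I: dropped by inbound inspection (Rule Base)")
        elif "I" in seen and "o" not in seen:
            findings.append("passed I but never reached o: rerouted by the OS")
        elif "o" in seen and "O" not in seen:
            findings.append("seen at o but not O: dropped by outbound inspection")
        # An address that differs between consecutive points was translated at the later point.
        for prev, cur in zip(hops, hops[1:]):
            if prev[2] != cur[2]:
                findings.append(f"source translated at {cur[0]}: {prev[2]} -> {cur[2]}")
            if prev[3] != cur[3]:
                findings.append(f"destination translated at {cur[0]}: {prev[3]} -> {cur[3]}")
        if not findings:
            findings.append("complete i, I, o, O path, no translation")
        report.append((key, findings))
    return report


if __name__ == "__main__":
    for (proto, ip_id, seq), findings in analyze(parse_fw_monitor(SAMPLE_CAPTURE)):
        print(f"{proto} id={ip_id} seq={seq}:")
        for line in findings:
            print("   ", line)
```

With the sample, the inbound SYN's destination changes at I and the return packet's source changes at O, which is the client-side NAT pattern described for this lab; a server-side NAT capture flips that to O and I respectively, and the same code reports it.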
End of lab.
REVIEW
• tcpdump is a UNIX utility that captures a sample of packet headers on a network segment, by setting an interface into promiscuous mode.
• snoop is a utility on UNIX based systems that can capture a sampling of all traffic on a network segment, by setting an interface into promiscuous mode. snoop can only capture packets in its local collision domain, not from a switched network.
• fw monitor is a Check Point specific utility, consisting of a special INSPECT filter that can be configured and run on a Security Gateway to capture all traffic passing through that Gateway's interfaces. fw monitor can be set to capture all traffic passing through the NGX kernel, or modified to only capture specific traffic, depending on the need of the Security Administrator.
• The INSPECT virtual machine is the name given to the processing of network traffic packets through the NGX kernel, before those packets enter the operating system's network stack. The virtual machine consists of four points, i (pre-in), I (post-in), o (pre-out), O (post-out).
• fw monitor can be configured to also insert itself into and capture the actions of kernel chains on packets, showing the action each kernel module did or did not take on that packet.
• Ethereal is a multiplatform, graphical network-analysis tool that can be used to capture traffic, and also be used to view the output of tcpdump, snoop and fw monitor. Check Point has produced its own version, called CPEthereal.
Review Answers
1. What sort of traffic will the following fw monitor string capture? fw monitor -e "accept dport=80;"
B.) All inbound HTTP traffic to the Web server
2. You are troubleshooting an FTP connectivity issue through an NGX Security Gateway. Use the following fw monitor string: fw monitor -e "accept src=192.168.19.23 or dst=192.168.19.23;" -o ftp-monitor.out
You have captured all traffic for the FTP server, and are attempting to determine if the problem lies with the server or with clients connecting through the Security Gateway. Which of the following would be the best way to use Ethereal to study the capture?
E.) All of these would be useful, but more information about the issue is necessary to determine the next step.
CHAPTER 5: NGX DEBUGGING TOOLS
This chapter discusses the debugging tools used for troubleshooting VPN-1 NGX. There are many ways to generate debug information. NGX debugging tools allow in-depth analysis of specific issues.
Objectives
1. Perform kernel debugging using the fw ctl debug command.
2. Use fwm debug to analyze SmartCenter Server issues.
3. Use fwd debug to analyze kernel-to-application layer issues.
4. Use cpd debug to analyze SIC issues.
Key Terms
• fw ctl debug
• fw debug fwd
• fw debug fwm
• cpd debug
FW CTL DEBUG
The fw ctl debug command may be used for a variety of reasons, including performance-baseline measurements, troubleshooting specific issues as they arise, and server-performance improvement. This debugging tool is very useful when determining the cause of issues with a Security Gateway.
The fw ctl debug command has many switches that make it possible to see nearly everything happening in the NGX kernel. How NGX kernel messages are triggered varies according to the situation. Some messages are issued whenever a certain condition occurs. Other messages are issued only when a certain debugging flag is set. It is possible to alter debugging flags, and so choose which messages will appear. By default, messages are written to the console in UNIX systems, which usually collects console messages in a log file, or to the event viewer on Windows. It is possible to change the destination of the messages.
All debugging flags are grouped into modules. Each module represents a product or functionality. Some kernel modules are fw, vpn, h323, and cluster. Each module has a list of debugging flags, each of which can be enabled or disabled. Some of these flags are on by default, and there is usually no reason to reset them. Others are off by default, and may be set when debugging messages are desired. To obtain a list of modules and flags, type fw ctl debug -h.
fw ctl kdebug
If you do not want debugging messages displayed on the console, create a debugging buffer using fw ctl debug -buf. All debugging messages will then print to the buffer. The fw ctl kdebug command is used to read the buffer and print its messages to the standard output. fw ctl kdebug removes all messages it reads from the buffer, and so makes room for more messages. The buffer is cyclic, which means that if there is no room in the buffer for a new message, the oldest messages are deleted from the buffer. In such a case, a message is printed to the buffer and the console, indicating that messages were lost.
cifs sipvm smtp wap ex driver filter q xlate xltrc sync ipopt link nat mgcp cprx mail spii
VPN MODULE (VPN-1)
Kernel-debugging options: url dns rtm ls auth log conn install tcp sv rates tim ad time llq pkt
H323 MODULE (VOIP)
Kernel-debugging options: error init h225 h245 ras decode
BOA MODULE (MALICIOUS CODE PROTECTION)
Kernel-debugging options: cpas fatal info stat
WS MODULE (SMARTDEFENSE WEB INTELLIGENCE)
Kernel-debugging options: fatal error warning info timestamp connection session parser body global stat memory address policy pfinder regexp coverage report_mgr spii uuid ioctl module mem_pool pkt_dump subject sslt sslt_seq
CPAS MODULE (ACTIVE STREAMING)
Kernel-debugging options: error warning tcp api glue events conns pkts timer tcpinfo http ftp skinny
CLUSTER MODULE (HIGH AVAILABILITY)
Kernel-debugging options: conf if stat select ccp pnote log mac forward df pivot nokia timer accel drop subs
RTM MODULE (SMARTVIEW MONITOR)
Kernel-debugging options: driver err topo policy init chain ioctl import special rtm sort netmasks per_conn per_pckt view_update view_update1 view_add performance con_conn tabs s_err wd accel
fw ctl debug Flags
fw ctl debug is a special command to pass debugging flags to the modules that make up the NGX kernel, as shown below:
fw ctl debug [-x] [-m <module>] [+|-] <options | all | 0>
fw ctl debug -buf [buffer size]
Flag  Explanation
-h  Display usage for running kernel module in debug mode; show the options for that module, if a kernel module is specified.
-buf [buffer size]  Assign buffer size in KB; minimum buffer size is 128 KB; maximum is 8,192 KB.
-x  Clear all debug options.
-m <module>  Specify a module to debug.
+ | -  Add or remove a debugging option. Note: When using +, that option is passed to the kernel along with all currently running flags.
<options | all | 0>  Specify one of the following: <option> for an option; all for all options; 0 to reset all options to default values; CTRL + C to stop debugging.
FW CTL DEBUG OPTIONS
The following table lists available definitions for fw ctl debug options. While not comprehensive, this table does define the most commonly used ones. Contact Check Point Technical Support for further information on options not defined here.
Option Explanation
all Uses all commands — option is not recommended; amount of data is massive, and it is nearly impossible to retrieve useful information; on some platforms, it could crash the system, as the operating system will try to write massive amounts of data to the console.
cookie With the cookie switch turned on, all cookies in the data structure holding the packets are shown; cookies are used to avoid the problems that arise from the various ways operating systems handle packets; unrelated to the HTTP implementation of cookies; VPN-1 NGX uses cookies as packet fragments for consistency between operating systems.
crypt With this option turned on, all encrypted/decrypted packets are printed in cleartext and ciphertext; algorithms and keys in use are also printed.
driver Access to the kernel module, shown as log entries
filter Shows the packet filtering performed by the kernel, and all data loaded into the kernel
hold Holding mechanism, and all packets being held or released, shown when this switch is turned on
if Displays all interface-related information, such as accessing the interface, or installing a filter on an interface
ioctl When this switch is turned on, it shows all Input/Output (ioctl) control messages, such as communication between the kernel and the daemon, and loading and unloading of VPN-1 NGX.
kbuf All informative kbuf-related displays, such as RDP when encrypting; kbuf is the kernel-buffer memory pool; encryption keys use these memory allocations.
ld Displays all table read/write operations; heavy log generation
log Shows everything related to calls in the log
machine Shows the actual assembler commands being processed; heavy log generation
memory Prints memory allocations of VPN-1 NGX
misc Prints all items not shown with other commands
packet Shows all actions performed on a packet, such as accept, drop, or fragment
q Prints information regarding the driver queue
tcpseq Prints TCP sequences being changed when using Network Address Translation (NAT)
xlate, xltrc Prints NAT-related information (changing IPs), where the xlate switch is the basic and most commonly used switch; xltrc provides additional information, by showing the actual process of going through the NAT Rule Base for each packet, mostly on Telnet and FTP connections.
winnt Prints special information regarding Windows NT operation
synatk Prints all information regarding SYNDefender
domain Prints Domain Name Service (DNS) queries
install Prints driver installation
profile Prints the number of packets filtered, and the amount of time spent on them
media Prints media-level information on Windows NT, using frames, not packets
ex Displays information about dynamic-table expiration
balance Displays information about logical-server load balancing
chain Displays information about cookie chains
SYNTAX
The syntax for using fw ctl debug is as follows:
fw ctl debug [all | cookie | crypt | driver | filter | hold | if | ioctl | xltrc | winnt | synatk | domain | install | profile | media | align | ex | balance | chain]
fw ctl kdebug -f >& <output_file>
fw ctl kdebug -i <output_file>
FW CTL DEBUG EXAMPLES
DEBUGGING FWD/FWM
fwd/fwm Debug Switches
The switches in the table below allow a more granular level of control over the fwm and fwd processes:
Switch Explanation
-u VPN-1 SecuRemote server; configures a Security Gateway to allow SecuRemote connections
-n Management only: used to designate a particular server as a management-only module
-s No module; disables unneeded NGX services, such as fwauthd (the authentication daemon) and the SMTP server. Loading just the NGX core services reduces the number of services running on the server, which helps determine whether they are conflicting or causing resource shortages, and whether the issue still arises without them.
-l No logs; disables logging that would normally be generated according to the Rule Base
-A No alerts; disables alerts that would normally be generated according to the Rule Base
-d Debug; debugs processes on the NGX server; this logs a great deal of information in a short time period, and should be used with care.
-D Log debugging; helps troubleshoot issues dealing with log-file generation; if records are not being placed into the log file, this switch should be used.
Debugging without Restarting fwd/fwm
This method is effective for troubleshooting NGX installations that cannot be stopped, due to network activity. Debugging without restarting fwd/fwm allows processes to continue running as they are placed into debug mode:
1. While the fwd process is running, open a Command Line Interface (CLI).
2. From the CLI, type the following:
fw debug [fwd | fwm] on [<env_variable>=<value>]
Note: Choose either fwd or fwm, depending on which process needs to be debugged.
Debugging by Restarting fwd/fwm
In the examples below, the fwd command is used. It may be
Press CTRL + C in the fwd -d screen to stop. Next, restart the
UNIX
Stopping fwd debug
To stop an fwd debug, use the following procedure:
1. Run cpstop in the console or CLI in which cpstart was previously executed.
2. Press CTRL + C in the remaining console or CLI where fwd debug is running.
3. Execute the cpstart command to reactivate NGX services.
To redirect fwd output to a file instead of the console, use the following command:
UNIX
fwd -d 2> file_name
WINDOWS
fwd -d 2> file_name
When sending the output to a file, the fwd command should run for a short time only, because the output file quickly becomes very large. If the file becomes too large, it will be impractical for troubleshooting. Some general debug information is also stored in the $FWDIR/log/fwd.elg file, including:
• Services and processes starting.
• Configuration-file loading.
• Security Policy loading.
By default, when fwd executes, it uses -u. On a SmartCenter Server, cpstart uses fwd -n.
DEBUGGING CPD
cpd is a Check Point generic daemon, which executes the code of application add-ons specified in the Check Point registry. cpd admin is a client utility used to send administration commands to cpd. cpd config is a configuration utility used to configure cpd add-ons. cpd is started by cpstart and stopped by cpstop. Usually Administrators do not start or stop cpd manually.
The cpd process controls Secure Internal Communications (SIC), Policy installation, and shared-management capabilities between Check Point products and OPSEC-partner products. cpd listens on the Certificate distribution port, waiting for fwm to provide cpd with its Certificate.
SIC ports used are:
• Port 18209, used for CA communication (for status, to issue, and revoke) between the SmartCenter Server and the Security Gateway.
• Port 18210, used to pull Certificates from the CA.
• Port 18211, used by the cpd daemon on the Gateway to receive the Certificate (by clicking Initialize in SmartDashboard).
To determine if SIC is listening to its network port on the Gateway or SmartCenter Server, run the netstat -na command to find the above three ports' status; for example:
On Windows 2000 Server and Windows Server 2003, run the following:
netstat -na | find "18211"
On Solaris or Linux (or SecurePlatform in Expert Mode), run the following:
netstat -na | grep 18211
The output should be:
TCP 0.0.0.0:18211 0.0.0.0:0 LISTENING
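The check above looks at one port at a time. The following added example (not part of the course material) parses a whole netstat -na listing and reports the state of all three SIC ports, accepting both the Windows (LISTENING) and Linux (LISTEN) spellings. The two sample outputs are constructed for this example; real output differs in spacing, and the 18264 line is only filler noise.

```python
"""Check the SIC listener ports in netstat -na output.

Added example; not part of the Check Point course material. The two sample
outputs below are constructed to resemble Windows and Linux netstat -na
lines (the 18264 line is a non-SIC port included only as noise); real
output will differ in spacing and column order.
"""
import re

# SIC ports listed above: 18209 (CA status/issue/revoke), 18210 (pull
# certificates), 18211 (cpd receives its certificate on the Gateway).
SIC_PORTS = (18209, 18210, 18211)

WINDOWS_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:18211          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:18264          0.0.0.0:0              LISTENING
"""

LINUX_SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:18209           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:18210           0.0.0.0:*               LISTEN
tcp        0      0 10.1.1.1:18211          10.1.1.2:41234          ESTABLISHED
"""

# Proto, optional Recv-Q/Send-Q (Linux), local addr:port, foreign addr, state.
LINE_RE = re.compile(
    r"^\s*tcp\S*\s+(?:\d+\s+\d+\s+)?(\S+):(\d+)\s+\S+\s+(\S+)", re.IGNORECASE)


def sic_port_states(netstat_output):
    """Map each SIC port seen in the output to 'LISTENING' or another state.

    A listening socket wins over other states for the same port, so an
    ESTABLISHED line does not hide the listener.
    """
    states = {}
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        port, state = int(m.group(2)), m.group(3).upper()
        if port not in SIC_PORTS:
            continue
        if state.startswith("LISTEN"):      # 'LISTEN' (Linux) or 'LISTENING' (Windows)
            states[port] = "LISTENING"
        elif port not in states:
            states[port] = state
    return states


def missing_sic_listeners(netstat_output):
    """SIC ports that have no listening socket in the output."""
    states = sic_port_states(netstat_output)
    return [p for p in SIC_PORTS if states.get(p) != "LISTENING"]


if __name__ == "__main__":
    for label, sample in (("windows", WINDOWS_SAMPLE), ("linux", LINUX_SAMPLE)):
        print(label, sic_port_states(sample), "missing:", missing_sic_listeners(sample))
```

On the Linux sample, 18211 shows only an ESTABLISHED socket, so the function reports it as missing a listener; a port that is absent from the output altogether is reported the same way.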
SETTING ENVIRONMENT VARIABLES
Note: The Check Point Watchdog process will restart a failed cpd process within 60 seconds after it has been stopped. cpwatchdog logs may prove useful in troubleshooting cpd-related issues.
4. To redirect output to $CPDIR/log/cpd.elg, run cpd without any switches, or run cpd -d. The output displays in the CLI.
5. On Windows, run cpd -d 2> [filename] to redirect the output to a file. On UNIX, run cpd -d >& [filename] to redirect the output to a file.
If the commands are run from a different CLI, no debug information will be gathered. To use separate CLIs, environment variables must be reset.
LAB 6: USING CPD AND FWM DEBUGGING
RUN CPD DEBUG ON THE GATEWAY
1. Identify the PID of the cpd process:
ps -aux | grep cpd
2. Kill the process:
kill -9 <cpd PID>
3. Set debug level and flag:
set OPSEC_DEBUG_LEVEL=3
set TDERROR_ALL_ALL=3
4. Run the
cpd -d >&
RUN FWM DEBUG
1. Set debug level and flag:
set OPSEC_DEBUG_LEVEL=3
set TDERROR_ALL_ALL=3
2. Turn on fwm debugging:
fw debug fwm on
THE PROBLEM
STOP DEBUGGING AND VIEW THE OUTPUT
1. On the Gateway, press CTRL + C to stop cpd debugging.
2. Run fw debug fwm off to turn off fwm debugging.
3. View the cpd-debug output file cpd.out, by using the less command.
4. View $FWDIR/log/fwm.elg in a text editor on your Web server.
REVIEW
• fw ctl debug can be used to view almost every function of the NGX kernel, by configuring the modules (debugging flags grouped according to product and/or functionality).
• NGX kernel modules are fw, vpn, FG-1 (QoS), h323, BOA, WS, CPAS, and cluster.
• Debugging the fwd and fwm processes can be useful when troubleshooting issues related to NAT, security, logging, alerts, Policy installation, OPSEC, and communication between processes.
• Debugging fwm and fwd can be done either by stopping the process, enabling debugging, and then restarting the process, or by passing the debug command to the running process.
• The cpd process can be configured for a debugging session to assist in troubleshooting SIC issues, Policy installation, and Check Point/OPSEC shared management-product communication.
Review Questions
1. You are troubleshooting a VPN between a clustered NGX installation at your site, and a single Security Gateway at your partner site. You have already enabled debugging and assigned the buffer size. Which of the following fw ctl debug strings would be useful for troubleshooting this issue in this environment? Choose all that apply:
A.) fw ctl debug -m h323 + decode memory
B.) fw ctl debug -m fw + crypt memory
C.) fw ctl debug -m vpn + ike memory
D.) fw ctl debug -m cluster + nokia memory
2. What part of the following debug command sets the level of information captured from the fwm process written to the *.elg file? fw debug fwm on OPSEC_DEBUG_LEVEL=3 TDERROR_ALL_ALL=5
A.) fw debug fwm on
B.) OPSEC_DEBUG_LEVEL=3
C.) TDERROR_ALL_ALL=5
D.) B & C
Review Answers
1. You are troubleshooting a VPN between a clustered NGX installation at your site, and a single Security Gateway at your partner site. You have already enabled debugging and assigned the buffer size. Which of the following fw ctl debug strings would be useful for troubleshooting this issue in this environment?
B.) fw ctl debug -m fw + crypt memory
C.) fw ctl debug -m vpn + ike memory
2. What part of the following debug command sets the level of information captured from the fwm process written to the *.elg file? fw debug fwm on OPSEC_DEBUG_LEVEL=3 TDERROR_ALL_ALL=5
D.) B & C
3. Which of the following issues can you NOT troubleshoot by debugging the CPD daemon?
C.) IKE Certificate exchanges
CHAPTER 6: FW ADVANCED COMMANDS
Various fw commands are very helpful for collecting the data necessary to maintain NGX Security Gateways and troubleshoot problems. fw commands can be found by typing fw in the command line. Advanced fw commands can be found by typing fw advanced in the command line.
Objectives
1. Identify relevant fw commands to obtain critical information about NGX components' status.
2. Use fw and fw advanced commands with proper options, to obtain critical information for troubleshooting.
Key Terms
• fw tab
• Symbolic link
• fw ctl
• Connection Module
• fw
FW COMMANDS
fw commands can be found by typing fw at a command line. The following table lists them:
fw command Explanation
fw ver [-h]  Display version.
fw kill [-sig_no] procname  Send signal to a daemon.
fw sam  Control SAM server.
fw fetch targets  Fetch last Security Policy.
fw tab [-h]  Display kernel-table content.
fw monitor [-h]  Monitor NGX traffic.
fw ctl [args]  Control kernel.
fw lichosts  Display protected hosts.
fw log [-h]  Display logs.
fw logswitch [-h target] [+|-][oldlog]  Create a new log file. The old log has
fw repairlog  Recreate log index.
fw mergefiles  Merge log files.
fw lslogs  Display remote machine log-file list.
fw fetchlogs  Fetch logs from a remote host.
Note: fw tab, fw ctl debug and fw monitor commands are elaborated in
FW TAB COMMAND
fw tab Options
The following is the standard format for the fw tab command, and a table
fw tab [-all | -conf conffile] [-s] [-f] [-a number] [-u] [-t tname] [-x tname] [-d]
Parameter Explanation
-all  Command executed on all targets (default)
-conf <file>  Command executed on the targets specified in conf file
-a  Displays all tables
-s  Displays the number of elements in each table (summary)
-u  Does not limit the number of displayed entries
-m number  For each table, displays only its first number of elements (The default is 16.)
-t tname  Displays only tname table
targets  Command executed on the designated targets
-f  Displays the output in decimal format
Table Attributes
A table has a list of associated attributes. Following are some of the attributes a table may have:
Attribute Explanation
free function Call function when an entry is deleted or expires from this table
expires <time> Amount of time the table entry is allowed to stay in the table (seconds)
hashsize <size> Size of the hash table: this value should be the power of 2 closest to the size of the table
implies <table name> Unused
kbuf <x> xth argument in the value section; reference to an internal data structure (mostly used in encryption)
keep Keeps the entries after a Security Policy reinstallation
limit <x> Maximum number of entries allowed in the table
nexpires Elements do not expire, but are removed only when explicitly deleted; nexpires is the default setting.
refresh Resets the expiry timer when an entry in the table is accessed
sync Synchronizes this table if using synchronization
TABLE STRUCTURE
Many tables store entries representing connections. A table has two possible representations:
1. The first five fields (src_ip, sport, dst_ip, dport, IP protocol) follow a common standard. An example of these five fields is shown below, plus the meaning of each field: <c7cb4764, 0000008a, c7cb47ff, 00000050, 00000006 ... >
Field Example Value Explanation
1 c7cb4764 Source IP address (src_ip)
2 0000008a Source port (sport)
3 c7cb47ff Destination IP address (dst ip)
4 00000050 Destination port (dport)
5 00000006 IP protocol number (IPP), as defined in RFC 1700 (in hex: UDP 11, TCP 6, ICMP 1) (IP protocol)
In most cases, connections in other tables contain the same five key fields, but will store different field values. These first five fields are known as the key part of the table entry.
2. A connection can also have a sixth variable, direction, which can be either inbound or outbound. The direction is set by the first packet of the connection, even though the connection may be bidirectional in reality:
0 — inbound
1 — outbound
CONNECTIONS-TABLE EXAMPLE
fw tab -t connections
The command output looks like this:
dynamic, id 8158, attributes: keep, sync, expires 60, refresh, limit 25000, hashsize 65536, kbuf 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30, free function 71f88108 0
dynamic Entries can be added, modified, or deleted. The other option for this field is static, which means the opposite: static tables are initialized with values at the beginning of a Policy, and remain with those values throughout the duration of the Policy.
id n# The identification number of the table; every table has a unique id.
A typical connection entry looks like the following:
<00000001, d4968d33, 000003fc, d496c1dc, 00000801, 00000011; 00020001, 00020001, 06000000, 00000028, 00000000, 3bb7aea0, 00000001, d4968d33, 000007b6, ffffffff, ffffffff, 00000001, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000; 27/40>
The fields up to the semicolon are the key of the entry:
Field Example Value Explanation
1 00000001 Connection direction (outbound)
2 d4968d33 Source IP
3 000003fc Source port
4 d496c1dc Destination IP
5 00000801 Destination port
6 00000011 IP protocol
The fields following the semicolon are the values of the entry:
Field Example value Explanation
7 00020001 type/r_ctype
8 00020001 flags/r_cflags
9 06000000 Rule number by which the connection is accepted
10 00000028 Default time-out for the connection
11 00000000 Address of handler function that is called for packets belonging to this connection
12 3bb7aea0 Part of unique id for connection
13 00000001 Part of unique id for connection
14 d4968d33 Part of unique id for connection
15 000007b6 Part of unique id for connection
16 ffffffff Client inbound interface ID (fw ctl iflist) for connection (ffffffff means none.)
17 ffffffff Client outbound interface ID for connection
18 00000001 Server inbound interface ID for connection
19 00000001 Server outbound interface ID for connection
20 - end Kernel-buffer IDs
Last 27/40 Time left/total time
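Reading these hex fields by hand is error-prone, so here is an added example (not code from the course material) that decodes an fw tab entry in the form shown above: the 5- or 6-word key into addresses, ports and protocol, and the value fields into the names used in the two tables. The field positions are taken from those tables; the dictionary keys, the helper functions and the handling of ffffffff as "no interface" are this example's own choices, and the rule field is left raw because its encoding is not documented on this page.

```python
"""Decode a VPN-1 NGX kernel-table entry as printed by fw tab.

Added example, not code from the Check Point course material. Field
positions follow the connections-table description on this page; the
field names below are this example's own. KEY_SAMPLE and CONN_SAMPLE are
the two entries quoted on the page (the second with the OCR error in the
destination address corrected to d496c1dc).
"""
import re

IP_PROTOCOLS = {1: "icmp", 6: "tcp", 17: "udp"}   # RFC 1700 protocol numbers
NO_INTERFACE = 0xFFFFFFFF                          # ffffffff: no interface ID

HEX_WORD = re.compile(r"[0-9a-fA-F]{8}")
# <key words ; value words ; left/total>  (values and left/total are optional)
ENTRY = re.compile(r"\s*<([^;>]*)(?:;([^;>]*))?(?:;\s*(\d+)/(\d+))?\s*>\s*")

KEY_SAMPLE = "<c7cb4764, 0000008a, c7cb47ff, 00000050, 00000006 ... >"
CONN_SAMPLE = ("<00000001, d4968d33, 000003fc, d496c1dc, 00000801, 00000011; "
               "00020001, 00020001, 06000000, 00000028, 00000000, 3bb7aea0, "
               "00000001, d4968d33, 000007b6, ffffffff, ffffffff, 00000001, "
               "00000001, 00000000, 00000000, 00000000, 00000000, 00000000, "
               "00000000, 00000000, 00000000; 27/40>")


def hex_to_ip(word):
    """'c7cb4764' -> '199.203.71.100' (big-endian dotted quad)."""
    n = int(word, 16)
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def iface_id(word):
    """Interface IDs as listed by fw ctl iflist; ffffffff means none."""
    n = int(word, 16)
    return None if n == NO_INTERFACE else n


def decode_key(words):
    """Decode a 5-word key (no direction) or a 6-word key (direction first)."""
    if len(words) == 6:
        direction = {0: "inbound", 1: "outbound"}.get(int(words[0], 16), "unknown")
        words = words[1:]
    elif len(words) == 5:
        direction = None
    else:
        raise ValueError("key must have 5 or 6 fields, got %d" % len(words))
    src, sport, dst, dport, proto = words
    proto_num = int(proto, 16)
    return {
        "direction": direction,
        "src_ip": hex_to_ip(src), "sport": int(sport, 16),
        "dst_ip": hex_to_ip(dst), "dport": int(dport, 16),
        "ip_protocol": proto_num,
        "ip_protocol_name": IP_PROTOCOLS.get(proto_num, "other"),
    }


def decode_entry(text):
    """Decode '<key; values; left/total>' into a dict of named fields."""
    m = ENTRY.fullmatch(text)
    if not m:
        raise ValueError("not an fw tab entry: %r" % text)
    result = decode_key(HEX_WORD.findall(m.group(1)))   # '...' is skipped
    vals = HEX_WORD.findall(m.group(2) or "")
    if vals:
        if len(vals) < 13:
            raise ValueError("expected at least fields 7-19, got %d values" % len(vals))
        # Value fields 7.. in the order documented above (index = field - 7).
        result.update({
            "type": vals[0], "flags": vals[1],
            "rule_raw": vals[2],                 # rule number; encoding not documented here
            "timeout_s": int(vals[3], 16),       # default time-out for the connection
            "handler": vals[4],
            "uid": " ".join(vals[5:9]),          # fields 12-15: parts of the unique id
            "ifncin": iface_id(vals[9]), "ifncout": iface_id(vals[10]),
            "ifnsin": iface_id(vals[11]), "ifnsout": iface_id(vals[12]),
            "kbuf_ids": [int(w, 16) for w in vals[13:]],
        })
    if m.group(3):
        result["time_left_s"] = int(m.group(3))
        result["time_total_s"] = int(m.group(4))
    return result


if __name__ == "__main__":
    for sample in (KEY_SAMPLE, CONN_SAMPLE):
        for k, v in decode_entry(sample).items():
            print("%-17s %s" % (k, v))
```

For the connection entry above, the decoded timeout (0x28 = 40 seconds) matches the total in the trailing 27/40, which is a quick sanity check that the value fields were counted from the right position.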
SYMBOLIC LINK
A symbolic link is a table entry whose key points to another (real) entry instead of carrying its own values. A link has the same type of key as a regular entry:
<direction, src-ip, sport, dst-ip, dport, ip_protocol>
For one connection, the connections table therefore holds four entries:
<0, client-ip, client-port, server-ip, server-port, ip_protocol>
<1, client-ip, client-port, server-ip, server-port, ip_protocol>
<0, server-ip, server-port, client-ip, client-port, ip_protocol>
<1, server-ip, server-port, client-ip, client-port, ip_protocol>
The first entry is a real entry; the other three are symbolic links to it.
FW TAB -U -S
To view a summary list of all tables, run:
fw tab -u -s
Here is a partial list of fw tables:
HOST NAME ID #VALS #PEAK #SLINKS
localhost firewalled_list 1 2 2 0
localhost external_firewalled_list 2 0 0 0
localhost management_list 3 1 1 0
localhost external_management_list 4 0 0 0
localhost log_server_list 5 0 0 0
#VALS indicates how many entries are in the table. The #SLINKS field contains the number of symbolic links for each table. Symbolic links are not included (counted) as entries in the connections table. A size limit of 25,000 for the connections table means that the table can hold 25,000 "real" connections, plus up to eight symbolic links per connection.
FW TAB -T <TABLE_NAME> -F
To view table content in decimal format, use the -f switch:
fw tab -t <table_name> -f
The following is sample output of the fw tab -t connections -f command:
Using cptfmt
localhost:
Date: Nov 22, 2005
13:57:45 172.22.102.1 > : (+)========== Table_Name: connections; : (+); Attributes: dynamic, id 8158, attributes: keep, sync, expires 25, refresh, limit 25000, hashsize 32768, kbuf 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30, free function 98a35c40 0, post sync handler 98a37510; product: VPN-1 & FireWall-1;
13:57:45 172.22.102.1 > : ---------- (+); Direction: 0; Source: 10.2.2.102; SPort: 257; Dest: 10.2.2.1; DPort: 50693; Protocol: tcp; CPTFMT_sep_1: ->; Direction_1: 1; Source_1: 10.2.2.1; SPort_1: 50693; Dest_1: 10.2.2.102; DPort_1: 257; Protocol_1: tcp; FW_symval: 6; product: VPN-1 & FireWall-1;
13:57:45 172.22.102.1 > : ---------- (+); Direction: 1; Source: 10.2.2.1; SPort: 50693; Dest: 10.2.2.102; DPort: 257; Protocol: tcp; CPTFMT_sep: ;; Type: 176129; Rule: 134217728; Timeout: 67; 0; Ifncin: -1; Ifncout: -1; Ifnsin: 1; Ifnsout: 1; Bits: ; Expires: 5/20; product: VPN-1 & FireWall-1;
13:57:45 172.22.102.1 > : ---------- (+); Direction: 1; Source: 10.2.2.1; SPort: 22; Dest: 10.2.2.102; DPort: 3010; Protocol: tcp; CPTFMT_sep_1: ->; Direction_1: 0; Source_1: 10.2.2.102; SPort_1: 3010; Dest_1: 10.2.2.1; DPort_1: 22; Protocol_1: tcp; FW_symval: 5; product: VPN-1 & FireWall-1;
13:57:45 172.22.102.1 > : ---------- (+); Direction: 0; Source: 10.2.2.102; SPort: 3010; Dest: 10.2.2.1; DPort: 22; Protocol: tcp; CPTFMT_sep: ;; Type: 114689; Rule: 1; Timeout: 401; 0; Ifncin: 1; Ifncout: 1; Ifnsin: -1; Ifnsout: -1; Bits: 0200000000000000; Expires: 3600/3600; product: VPN-1 & FireWall-1;
FW TAB -T <TABLE_NAME> -S
To view a summary of a single table, use the -s switch:
fw tab -t <table_name> -s
For example:
HOST NAME ID #VALS #PEAK #SLINKS
localhost connections 8158
The number of values (#VALS) indicates how heavily the table is loaded. The connections table size is 25,000, by default.
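The summary listing lends itself to automated checking: compare #VALS and #PEAK with the table's limit, and use #SLINKS to see how many links each real entry carries (links are not counted in #VALS). The following added example (not part of the course material) parses the HOST/NAME/ID/#VALS/#PEAK/#SLINKS layout shown above and flags tables that are near or have reached their limit. The sample listing is constructed; only the 25,000 connections limit and the table names come from this page, and the 90% threshold is this example's own choice.

```python
"""Parse the summary printed by fw tab -u -s and flag tables near their limit.

Added example, not part of the Check Point course material. SAMPLE is
constructed in the layout shown above; the counts are made up, and the
only limit known here is the default connections limit of 25,000 stated
on this page.
"""
import re

# HOST NAME ID #VALS #PEAK #SLINKS; header and blank lines do not match.
ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

SAMPLE = """\
HOST       NAME                       ID    #VALS  #PEAK  #SLINKS
localhost  firewalled_list            1     2      2      0
localhost  management_list            3     1      1      0
localhost  connections                8158  23750  25000  71250
"""

# Known table limits (from the 'limit' attribute); tables not listed
# here are treated as unlimited and are never flagged.
DEFAULT_LIMITS = {"connections": 25000}


def parse_summary(text):
    """Return one dict per table row in the summary listing."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        host, name, tid, vals, peak, slinks = m.groups()
        rows.append({"host": host, "name": name, "id": int(tid),
                     "vals": int(vals), "peak": int(peak), "slinks": int(slinks)})
    return rows


def utilization(row, limits=DEFAULT_LIMITS):
    """Current #VALS as a fraction of the table's limit, or None if unlimited."""
    limit = limits.get(row["name"])
    return row["vals"] / limit if limit else None


def links_per_entry(row):
    """Symbolic links per real entry (#SLINKS / #VALS); links are not in #VALS."""
    return row["slinks"] / row["vals"] if row["vals"] else 0.0


def flag_tables(rows, limits=DEFAULT_LIMITS, threshold=0.9):
    """List (table, reason) pairs for tables that hit or approach their limit."""
    findings = []
    for row in rows:
        u = utilization(row, limits)
        if u is None:
            continue
        if row["peak"] >= limits[row["name"]]:
            findings.append((row["name"], "peak reached limit"))
        if u >= threshold:
            findings.append((row["name"], "current usage %.0f%% of limit" % (u * 100)))
    return findings


if __name__ == "__main__":
    rows = parse_summary(SAMPLE)
    for row in rows:
        print(row["name"], utilization(row), links_per_entry(row))
    print(flag_tables(rows))
```

A peak equal to the limit means the table was full at some point since the Policy was installed, even if #VALS has since dropped; that is the case the page describes as grounds for raising the table size.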
FW CTL COMMANDS
The fw ctl command provides kernel information about NGX Gateways or SmartCenter Servers. fw ctl options can be found by typing fw ctl -h from the command line. Among the following command options, fw ctl debug, fw ctl kdebug, and fw ctl chain are addressed in greater detail in the following chapters.
USE
Commands: install, uninstall, pstat, iflist, arp, debug, kdebug, chain, conn
fw ctl install
The fw ctl install command binds interfaces to the kernel. When it succeeds, the command does not display any messages; it just returns the prompt, which means the interfaces are bound to the kernel successfully.
fw ctl uninstall
The fw ctl uninstall command unbinds interfaces from the kernel.
fw ctl iflist
The fw ctl iflist command displays the interfaces bound to the kernel. fw ctl iflist is useful after the fw ctl install or fw ctl uninstall commands have been applied. When fw ctl install is applied, fw ctl iflist should display all active interfaces. Those interfaces' configurations (IP address, subnet mask, and anti-spoofing group) should then be obtained successfully in the gateway object's Topology screen. Following is an example of fw ctl iflist output:
0 : ethl
1 : eth2
If fw ctl iflist is run after fw ctl uninstall, the output should be empty.
fw ctl arp
If fw ctl install is run after fw ctl
Following is an example of fw ctl pstat output explained in parts. The first section is the total kernel memory allocated for the NGX kernel.
KERNEL MEMORY
Hash kernel memory (hmem) statistics:
Total memory allocated: 6291456 bytes in 1535 4KB blocks using 1 pool
Total memory bytes used: 161356 unused: 6130100 (97.44%) peak: 191656
Total memory blocks used: 68 unused: 1467 (95%) peak: 76
Allocations: 24693 alloc, 0 failed alloc, 22079 free
A pool of 6,291,456 bytes (6 MB) is allocated by the Gateway kernel for its internal hash-table items and other kernel-data structures. 6 MB is the default kernel memory. The kernel memory can be adjusted in the gateway object's Capacity Optimization screen:
[Figure: Capacity Optimization screen of the gateway object (General Properties tree: Topology, NAT, VPN, Remote Access, Authentication, SmartView Monitor, UserAuthority Server, Logs and Masters, Capacity Optimization, Advanced). Fields shown: Maximum concurrent connections; Calculate connections hash table size and memory pool: Automatically / Manually (Manually selected, Connections hash table size 132763); Memory pool size (MByte); Maximum memory pool size (MByte); VPN Capacity Optimization: Maximum concurrent IKE negotiations, Maximum concurrent tunnels; Reset to Defaults.]
Capacity Optimization Screen
INSPECT
INSPECT:
33250 packets, 8233028 operations, 189240 lookups, 0 record,
2290321 extract
This information relates to the activity of the virtual machine. The figures relate to virtual-machine operations, lookups and records in tables, and the number of packets inspected.
COOKIES
Cookies:
3647246 total, 0 alloc, 0 free,
3320 dup, 3742299 get, 3862 put,
3655403 len, 6 cached len, 0 chain alloc,
0 chain free
VPN-1 NGX uses cookies to represent packets. These statistics relate to the code that handles those cookies, and are used only for heuristic tuning of the code.
CONNECTIONS
Connections:
2965 total, 1278 TCP, 1683 UDP, 4 ICMP,
0 other, 256 anticipated, 52 recovered, 3 concurrent,
41 peak concurrent, 3658055 lookups
The Connections section of the fw ctl pstat command displays information on current and historical connections traversing the Security Gateway.
FRAGMENTS
Fragments:
6 fragments, 3 packets, 0 expired, 0 short,
0 large, 0 duplicates, 0 failures
OUTPUT EXAMPLES
Hash kernel memory (hmem) statistics:
Total memory allocated: 6291456 bytes in 1535 4KB blocks using 1 pool
Total memory bytes used: 161356 unused: 6130100 (97.44%) peak: 191656
Total memory blocks used: 68 unused: 1467 (95%) peak: 76
Allocations: 24693 alloc, 0 failed alloc, 22079 free
System kernel memory (smem) statistics:
Total memory bytes used: 10532520 peak: 11160692
Allocations: 104334 alloc, 0 failed alloc, 104066 free, 0 failed free
Kernel memory (kmem) statistics:
Total memory bytes used: 4394740 peak: 5052316
Allocations: 26315 alloc, 0 failed alloc, 23437 free, 0 failed free
Kernel stacks:
131072 bytes total, 8192 bytes stack size, 16 stacks,
1 peak used, 3956 max stack bytes used, 3956 min stack bytes used,
0 failed stack calls
INSPECT:
33250 packets, 8233028 operations, 189240 lookups,
0 record, 2290321 extract
Cookies:
3647246 total, 0 alloc, 0 free,
3320 dup, 3742299 get, 3862 put,
3655403 len, 6 cached len, 0 chain alloc,
0 chain free
Connections:
2965 total, 1278 TCP, 1683 UDP, 4 ICMP,
0 other, 256 anticipated, 52 recovered, 3 concurrent,
41 peak concurrent, 3658055 lookups
Fragments:
6 fragments, 3 packets, 0 expired, 0 short,
0 large, 0 duplicates, 0 failures
NAT:
167/0 forw, 145/0 bckw,
0 icmp, 14-14 alloc
Sync:
312
Run fw ctl pstat several times while the Gateway is under load and compare the numbers. In the following second example, the Gateway is using a high portion of its hash kernel memory:
Hash kernel memory (hmem) statistics:
allocated: 3145728 bytes in 767 4KB blocks using 1 pool
bytes used: 3141632 unused: 4096 (1%) peak: 3141632
blocks used: 740 unused: 27 (4%)
4301 alloc, 129 failed alloc, 2219 free
Kernel memory (kmem) statistics:
Total memory bytes used: 3768249 peak: 3936541
Allocations: 1840 alloc, 0 failed alloc, 1533 free, 0 failed free
The hash kernel memory for this Gateway is heavily used (only 4096 bytes, 1%, unused), and there are 129 failed allocations, which is also an indication of load. This is due to high volumes of traffic rather than an error in VPN-1 NGX.
fw ctl conn
Entities inside and outside the Gateway monitor or manipulate network traffic. The NGX infrastructure stores their per-connection information (also called opaque data) in the connections table, and these entities also receive notifications of connection-related events, such as a connection starting or stopping. These entities are called Connection Modules.
Every Connection Module is registered with a unique ID. Run fw ctl conn on the Gateway to see the Connection Modules currently registered. The Connection Module IDs are useful for verifying that a Gateway has installed the same products in the same order as another Gateway when the two are configured in a cluster. If cluster members' Connection Module IDs differ in the fw ctl conn output, the cluster may fail over for what appear to be unknown reasons.
Connectivity level 0:
No.  Name             Used  Newconn  Packet  End
 0:  Accounting       yes                    00000000
 1:  Authentication   yes                    98a45e70
 2:  CPAS             yes                    00000000
 3:  FG-1             yes                    00000000
 4:  ISP-Redundancy   no                     00000000
 5:  NAT              yes                    00000000
 6:  RTM              no                     00000000
 7:  RTM2             no                     00000000
 8:  SPII             yes                    98a4f220
 9:  SeqVerifier      yes                    989a4fc0
10:  SynDefender      no                     00000000
11:  Tcpstreaming     yes                    98995710
12:  VPN              yes                    9959ffb0
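The cluster check described above (same products, same order, same IDs on every member) is easy to automate. The following is an added example written for this handbook, not Check Point code: it parses two fw ctl conn listings and reports every module whose ID differs or that is registered on only one member. Both listings are constructed for the example; member B is missing CPAS, so every later ID shifts by one, which is exactly the condition that causes the unexplained fail-overs mentioned above.

```python
"""Compare the Connection Module registrations of two cluster members."""
import re

# Constructed listings in the fw ctl conn layout (only the columns the
# comparison needs). Member B lacks CPAS, so FG-1 and later shift down by one.
MEMBER_A = """\
Connectivity level 0:
No.  Name             Used
 0:  Accounting       yes
 1:  Authentication   yes
 2:  CPAS             yes
 3:  FG-1             yes
 4:  ISP-Redundancy   no
 5:  NAT              yes
"""
MEMBER_B = """\
Connectivity level 0:
No.  Name             Used
 0:  Accounting       yes
 1:  Authentication   yes
 2:  FG-1             yes
 3:  ISP-Redundancy   no
 4:  NAT              yes
"""

# "<id>: <name> <yes|no> ..." ; the colon after the ID is optional because the
# printed table does not always show it, and trailing columns are ignored.
_ROW = re.compile(r'^\s*(\d+):?\s+(\S+)\s+(yes|no)\b', re.IGNORECASE)


def parse_conn(text):
    """Return {module_name: (id, used)} from fw ctl conn output."""
    modules = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            modules[m.group(2)] = (int(m.group(1)), m.group(3).lower() == 'yes')
    return modules


def compare_members(text_a, text_b):
    """Return [(module, problem), ...]; an empty list means the members match."""
    a, b = parse_conn(text_a), parse_conn(text_b)
    problems = []
    for name in sorted(set(a) | set(b)):
        if name not in a or name not in b:
            problems.append((name, 'missing on member ' + ('B' if name not in b else 'A')))
            continue
        (id_a, used_a), (id_b, used_b) = a[name], b[name]
        if id_a != id_b:
            problems.append((name, f'ID {id_a} on A but {id_b} on B'))
        elif used_a != used_b:
            problems.append((name, 'used on one member but not the other'))
    return problems


if __name__ == '__main__':
    # On real members: fw ctl conn > conn_a.txt on each box, then compare the files.
    for module, problem in compare_members(MEMBER_A, MEMBER_B) or [('-', 'members match')]:
        print(f'{module:16} {problem}')
```

Run fw ctl conn on each member, copy the outputs to one host and feed them to compare_members; any line reported means the members were not built with the same products in the same order.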
Other fw Commands
OTHER FW COMMANDS
fw sam
The Suspicious Activity Monitoring functions of VPN-1 NGX are usually initiated from Smart View Tracker. The fw sam command provides an alternate method for using it.
USE
sam [-v] [-s <sam server>] [-S <server sic name>] [-f <fw host>] [-t <timeout>] [-l <log>] [-C] [-e <key=val>]+ -{n|i|I|j|J|b|q} <criteria>
sam [-v] [-s <sam server>] [-S <server sic name>] [-f <fw host>] -M -ijnbq {<criteria> | all}
sam [-v] [-s <sam server>] [-S <server sic name>] [-f <fw host>] -D
OPTIONS
-C Cancel.
-M Monitor.
-D Delete all.
-v Verbose
-s Server for connection
-S Secure Internal Communications (SIC) name of server
-f Name of target host/group
-t Time-out in seconds
-l Either nolog, long_noalert, or long_alert.
-e Rule information; keys are name, comment and originator.
-i Reject.
-I Reject and close.
-j Drop.
-J Drop and close.
-n Notify.
-b Bypass.
-q Quarantine.
CRITERIA
src <ip>
dst <ip>
any <ip>
subsrc <ip> <net mask>
subdst <ip> <net mask>
subany <ip> <net mask>
srv <src ip> <dst ip> <service> <protocol>
subsrv <src ip> <net mask> <dst ip> <net mask> <service> <protocol>
subsrvs <src ip> <net mask> <dst ip> <service> <protocol>
subsrvd <src ip> <dst ip> <net mask> <service> <protocol>
dstsrv <dst ip> <service> <protocol>
subdstsrv <dst ip> <net mask> <service> <protocol>
srcpr <ip> <protocol>
dstpr <ip> <protocol>
subsrcpr <ip> <net mask> <protocol>
subdstpr <ip> <net mask> <protocol>
generic <key=val>+
EXAMPLES
The following command will reject packets from 172.29.109.1 in the next 10 minutes:
fw sam -v -t 600 -i src 172.29.109.1
The following message occurs:
sam: request for 'Inhibit src ip 172.29.109.1 on All' acknowledged
sam: fwoslo (0/1) successfully completed 'Inhibit src ip 172.29.109.1 on All' processing
sam: request for 'Inhibit src ip 172.29.109.1 on All' done
The following command monitors (-M) the SAM server 172.22.102.1 for active reject, drop, or notify requests against packets from 172.29.109.1; the response below shows that none are currently in place:
fw sam -v -s 172.22.102.1 -t 600 -M -ijn src 172.29.109.1
The following message occurs:
sam: request for 'Monitor Inhibit Drop Notify src ip 172.29.109.1 on All' acknowledged
sam: fwoslo (0/1) successfully completed 'Monitor Inhibit Drop Notify src ip 172.29.109.1 on All' processing:
no corresponding SAM requests
sam: request for 'Monitor Inhibit Drop Notify src ip 172.29.109.1 on All' done
To view the list of IP addresses blocked by the sam command, use the fw tab -t sam_blocked_ips -f command. The output is in decimal format.
fw lichosts
The fw lichosts command displays the number of protected hosts behind a Gateway.
fw log
Use the fw log command to view the active log file (fw.log). For example, to display only accept records, without resolving names, and keep following the file, run:
fw log -f fw.log -n -c accept | more
The following records appear on the command line:
Date: Nov 2, 2005
10:13:45 ctl weboslo >daemon log_sys_message: Log file has been purged; product: VPN-1 & FireWall-1;
10:08:52 accept fwoslo >eth2 rule: 1; rule_uid: {1E341611-4B90-44F1-90F8-27D2C4F08877}; service_id: nbname; src: weboslo; dst: 10.2.2.255; proto: udp; product: VPN-1 & FireWall-1; service: nbname; s_port: nbname;
10:08:54 accept fwoslo >eth2 rule: 1; rule_uid: {1E341611-4B90-44F1-90F8-27D2C4F08877}; service_id: ssh; src: weboslo; dst: fwoslo; proto: tcp; product: VPN-1 & FireWall-1; service: ssh; s_port: 1735;
10:09:32 accept fwoslo >eth2 rule: 1; rule_uid: {1E341611-4B90-44F1-90F8-27D2C4F08877}; service_id: nbdatagram; src: weboslo; dst: 10.2.2.255; proto: udp; product: VPN-1 & FireWall-1; service: nbdatagram; s_port:
10:09:54 accept fwoslo >eth1 rule: 0; service_id: https; src: 172.29.109.1; dst: fwoslo; proto: tcp; product: VPN-1 & FireWall-1; service: https; s_port: 1563; message_info:
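The fw log records above are "key: value;" fields after a fixed prefix, which makes them easy to process on the command line when SmartView Tracker is not available. The following added example (written for this handbook, not Check Point code) parses such records, counts drops and rejects per source, and emits the fw sam lines an administrator would review before applying them, tying the fw log output to the fw sam examples earlier in this section. The log text is constructed: the accept lines follow the records shown above, the drop lines are made up, and the hosts and addresses are fictitious. Sources that resolved to a name (fw log without -n) are skipped, because fw sam criteria take IP addresses.

```python
"""Parse fw log records and propose fw sam blocks for noisy sources."""
import re
from collections import Counter

# Constructed sample in the fw log output format shown above.
SAMPLE_LOG = """\
10:08:52 accept fwoslo >eth2 rule: 1; rule_uid: {1E341611-4B90-44F1-90F8-27D2C4F08877}; service_id: nbname; src: weboslo; dst: 10.2.2.255; proto: udp; product: VPN-1 & FireWall-1; service: nbname; s_port: nbname;
10:08:54 accept fwoslo >eth2 rule: 1; rule_uid: {1E341611-4B90-44F1-90F8-27D2C4F08877}; service_id: ssh; src: weboslo; dst: fwoslo; proto: tcp; product: VPN-1 & FireWall-1; service: ssh; s_port: 1735;
10:12:01 drop fwoslo >eth1 rule: 5; service_id: telnet; src: 172.29.109.1; dst: 10.2.2.10; proto: tcp; product: VPN-1 & FireWall-1; service: telnet; s_port: 40001;
10:12:02 drop fwoslo >eth1 rule: 5; service_id: ssh; src: 172.29.109.1; dst: 10.2.2.10; proto: tcp; product: VPN-1 & FireWall-1; service: ssh; s_port: 40002;
10:12:03 drop fwoslo >eth1 rule: 5; service_id: smtp; src: 172.29.109.1; dst: 10.2.2.10; proto: tcp; product: VPN-1 & FireWall-1; service: smtp; s_port: 40003;
10:12:09 drop fwoslo >eth1 rule: 5; service_id: http; src: 172.29.109.7; dst: 10.2.2.10; proto: tcp; product: VPN-1 & FireWall-1; service: http; s_port: 40010;
"""

# time, action, origin gateway, direction+interface, then "key: value;" fields
_PREFIX = re.compile(r'^(\d{2}:\d{2}:\d{2})\s+(\w+)\s+(\S+)\s+([<>]\S+)\s+(.*)$')
_IPV4 = re.compile(r'\d{1,3}(?:\.\d{1,3}){3}')


def parse_record(line):
    """Return one record as a dict, or None for lines that are not log records."""
    m = _PREFIX.match(line)
    if not m:
        return None
    rec = {'time': m.group(1), 'action': m.group(2),
           'origin': m.group(3), 'interface': m.group(4)}
    for field in m.group(5).split(';'):
        key, sep, value = field.partition(':')   # split on the first colon only
        if sep:
            rec[key.strip()] = value.strip()
    return rec


def parse_log(text):
    return [r for r in (parse_record(l) for l in text.splitlines()) if r]


def noisy_sources(records, threshold=3, actions=('drop', 'reject')):
    """Sources with at least `threshold` dropped/rejected records (threshold is
    an arbitrary value for this example)."""
    counts = Counter(r['src'] for r in records
                     if r['action'] in actions and 'src' in r)
    return {src: n for src, n in counts.items() if n >= threshold}


def sam_commands(sources, timeout=600):
    """fw sam lines (drop and close, -J) for review; nothing is executed here.
    Names that were resolved instead of IP addresses are skipped."""
    return [f'fw sam -t {timeout} -J src {src}'
            for src in sorted(sources) if _IPV4.fullmatch(src)]


if __name__ == '__main__':
    # Real use: fw log -n -c drop fw.log > drops.txt, then parse that file.
    records = parse_log(SAMPLE_LOG)
    for cmd in sam_commands(noisy_sources(records)):
        print(cmd)
```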
fw repairlog
Corrupted pointer files of a log file (fw.loginitial_ptr and the other .ptr files) can be rebuilt with the fw repairlog command.
USE
fw repairlog [-u] <log_file>
The -u flag indicates that log unification should also be performed. The log file itself is not modified; only its pointer files are rebuilt.
fw mergefiles
The fw mergefiles command merges two or more switched (not active) log files into one.
USE
fw mergefiles [-s] [-t <time_conversion_file>] <log_file_1> [<log_file_2> ... <log_file_n>] <output_file_name>
EXAMPLE
fw mergefiles fwoslo_2005-11-11_173150.log fwoslo_2005-11-11_173720.log <output_file_name>
fw fetchlogs [[-f filename] ...] host
The -f filename option names a log file to fetch and can be repeated. The active log file (fw.log) cannot be fetched: run fw logswitch on the Gateway first, then fetch the switched file.
EXAMPLE
To fetch the switched log files of the remote Gateway named fwoslo to the SmartCenter Server, run:
fw fetchlogs fwoslo
File fetching in process. It may take some time.
File fwoslo_2005-11-11_173150.log was fetched.
Q.) You have a remote VPN-1 Pro Gateway running on SecurePlatform in another city. How do you view its log file in SmartView Tracker on the SmartCenter Server?
A.) Run the following from the SmartCenter Server:
fw logswitch -h <SecurePlatform_host>
fw fetchlogs <SecurePlatform_host>
Then open SmartView Tracker and select File > Open from the menu to open the fetched file.
FW ADVANCED COMMANDS
The fw advanced commands are run from the command prompt. The following table lists those commands and a brief explanation for each of them:
fw advanced Command   Explanation
fw fwd | fwm          Start the fwd daemon | fwm daemon.
fw debug              Turn debug output on | off.
fw fetchlocal         Install Policy files to the kernel.
fw unloadlocal        Uninstall Policy from the localhost.
fw dbloadlocal        Install local database.
fw defaultgen         Generate default filter.
fw license_sanity     Create initial Policy if no license.
fw ufpfetch           Fetch UFP server dictionary.
fw syslog             syslog support for router.
fw getifs             Get interfaces from remote Gateway.
fw stat               Display Policy status of target hosts.
fw hastat             Display HA status.
fw fgstat             FloodGate-1 status (compatible version of fgate stat).
fw fcu                Full connectivity upgrade for clusters.
fw fullsync           Synchronous full sync for clusters.
fw authd_set Configure fwauthd. conf automatically.
fw isp_link Take down/bring up an ISP link.
fw fwd
Starts the VPN-1 daemon. Do not run this command directly. The fwd daemon is automatically started when running cpstart.
fw fwm
Check Point recommends using the cpconfig tool rather than fwm to manage Administrators. fwm must be running on the SmartCenter Server. If an Administrator is already defined with cpconfig, creating another one with the fwm command is not allowed. fwm is used for adding, updating, and deleting Administrators.
USE
fwm [-a name [-w {w|u|r|m}] [-s password] [-q] | -r name | -p]
Option Explanation
-a name Add or update the Administrator with username name.
-w Set access level as follows: w - Read/Write u - User Edit r - Read Only m - Monitor Only
-s password Set the Administrator's password.
-q When adding an Administrator, do not prompt for Administrator password (useful for batch updates).
-r name Delete Administrator.
-p Print list of Administrators.
EXAMPLES
To add an Administrator named fwadmin, type:
fwm -a fwadmin -s <password>
If you want to change fwadmin's access level to Read Only, type:
fwm -a fwadmin -wr
To delete the Administrator fwadmin, type:
fwm -r fwadmin
To add an Administrator named Howard with the password abc123 and Read/Write access, type:
fwm -a Howard -s abc123 -ww
You will see Howard in the list of Administrators printed by fwm -p.
fw fetchlocal
When a Policy is installed, fwc (the INSPECT compiler) compiles it into INSPECT-ML filter code in the local state directory. In response to fw fetch localhost or cpstart, this compiled Policy is loaded into the kernel; fw fetchlocal performs that load directly from a specified directory.
USE
fw fetchlocal -d <dir>
OPTION
Option Explanation
dir Location of compiled INSPECT files to be loaded to the kernel; directory option is mandatory.
EXAMPLE
fw fetchlocal -d $FWDIR/tmp/local/FW1
fw fetchlocal loads the compiled INSPECT-ML in the kernel.
fw unloadlocal
The fw unloadlocal command removes the currently installed Policy from a Gateway. When a Policy is unloaded from a Gateway, the Gateway accepts any traffic, as long as routing permits. fw unloadlocal is useful in troubleshooting, but because it leaves the Gateway unprotected it should be used with care.
fw dbloadlocal
fw dbloadlocal loads the database on the local machine, by moving the database file from the /temp to /state directory. This command is performed automatically by a number of other commands (fw dbload for example), after moving files from the SmartCenter Server to the Gateway.
USE
fw dbloadlocal -d <dir>
O P T I O N
Option Explanation
-d Source directory location of the files; normally \temp\local
fw defaultgen
The fw defaultgen command generates the default filter (see the fw advanced command table above).
fw getifs
The fw getifs command is used for fetching interfaces from a remote Gateway.
USE
fw getifs <module_name>
OPTION
Option Explanation
<module name> Security Gateway object name
EXAMPLE
fw getifs fwoslo
This example produces the following output:
fwoslo eth0 212.150.140.81 255.255.255.0
• fwoslo is the gateway-object name.
• eth0 is the interface name.
• 212.150.140.81 is the IP address.
• 255.255.255.0 is the Gateway mask.
fw stat
fw stat displays the status of target hosts in various formats. The default format displays the following information for each host: host name, Rule Base (or Gateway) filename, date and time loaded, the interface installed on, and direction loaded.
USE
fw stat [-long] [-short] [-inactive] [targets]
fw stat [-all | -conf conffile] [-long | -short] [-inactive] targets
OPTIONS
Option          Explanation
-all            Execute the command on all targets specified in the default system configuration file ($FWDIR/conf/sys.conf).
-conf conffile  Execute the command on the targets specified in conffile.
-long           Long format: also display, per interface, the number of packets inspected, rejected, dropped, accepted, and logged.
-short          Short format: host, interface, Rule Base name, and date loaded.
-inactive       Also display inactive targets.
targets         Target hosts; if targets is not specified, the status of localhost is displayed.
EXAMPLES
To display the Policy installed on a Gateway locally, use fw stat as follows:
[Expert@SecurePlatform]# fw stat
localhost Standard 10Nov2005 14:43:50 : [>eth1] [>eth2] [<eth2]
To display the Policy installed on a remote Gateway from the SmartCenter Server and display the output in long format use fw stat as follows:
fw stat -l fwoslo
HOST    IF     POLICY    DATE                TOTAL  REJECT  DROP  ACCEPT  LOG
fwoslo  >eth1  Standard  11Nov2005 14:45:50      1       0     0       1
fwoslo  >eth2  Standard  11Nov2005 14:45:50     67       0     1      66
fwoslo  <eth2  Standard  11Nov2005 14:45:50     74       0     8      66
Q.) You cannot log in to SmartDashboard, but need to verify whether a Policy is installed on a Gateway. Which command do you run on the Gateway to check?
A.) fw stat
FWM COMMANDS
fwm Command Explanation
fwm ver [-f] ... Display version.
fwm load [opts] [filter-file| rule-base] targets
Install Policy on targets.
fwm unload [opts] targets Uninstall Policy from targets.
fwm dbload [targets] Download the database.
fwm logexport [-h] . . . Export log to ASCII file.
[-import] ... Generate router access list.
fwm dbexport [-h] ... Export the database.
fwm ikecrypt <key> <password> Crypt a secret with a key
fwm dbimport [-h] ... Import to database.
fwm kill [-sig_no] procname Kill firewall process.
fwm lock_admin [-h] ... View and unlock locked Administrators.
fwm load
USE
fwm load [-p <product>] [-S] [-O <product_option>] [-vN] [-m] [-r] [-a | -c conf-file] <rule-base name> <targets>
OPTIONS
option Explanation
-p Specify the target's product. Only one product can be specified. Possible products: firewall, sofaware gw, interspect, cvpn
-O Specify product-specific option.
-S Targets are VPN-1 Edge devices.
-vN Retrieve the Security Policy from the version repository. N is the Version ID.
-m All Or None (works only for modules with the same version)
-r Do not perform All Or None for clusters. (The default is to perform.)
-a Execute command on all targets specified in $FWDIR/conf/sys. conf file.
-c Execute command on all targets specified in conf file.
EXAMPLE
From an enterprise SmartCenter Server, run the following command to install a Policy named "Standard" on remote-gateway object fwoslo:
fwm load Standard fwoslo
The following output appears:
Installing Policy On: fwoslo
Standard.W: Security Policy Script generated into Standard.pf
Compiled OK.
Installing VPN-1/FireWall-1 policy On: fwoslo
VPN-1/FireWall-1 policy installed on fwoslo.
fwm dbload
The fwm dbload command downloads the user database to a target Gateway or installs it locally. For example, to download the database to the remote Gateway fwoslo, run:
fwm dbload fwoslo
To install the user database locally on the SmartCenter Server, run:
fwm dbload localhost
fwm logexport
The fwm logexport command exports a log file, by default the active log (fw.log), to ASCII format so the file can be opened in other applications, such as WordPad or Excel. fwm logexport does not switch logs: if you run it on the current active log (fw.log), the fw.log file stays the same and records are not moved or purged. Details can be found by typing fwm logexport -h on the command line.
USE
fwm logexport [-d delimiter] [-i filename] [-o filename] [-f|-t] [-x start_pos] [-y end_pos] [-z] [-n] [-p] [-a] [-u unification_scheme_file] [-m (initial | semi | raw)]
OPTIONS
Options Explanation
-d Set the output delimiter. Default is ;.
-i Input logfile name. Default is the active log file fw.log.
-o Output filename. Default is printing to the screen.
-f Only in case of active log file; upon reaching end of file, wait for new records and export them.
-t Same as -f flag, only start at end of file.
-x Start exporting at the specified position.
-y End exporting at the specified position.
-z Continue exporting the next records, in case of an error. Default is to stop exporting.
-n Do not resolve IP addresses.
-p Do not resolve port numbers.
-u Unification scheme file.
-m Log unification mode: initial, semi, or raw.
fwm lock_admin
The fwm lock_admin command views and unlocks locked Administrators.
USE
fwm lock_admin [-v] [-u <Administrator>] [-ua]
OPTIONS
Option Explanation
-v View names of all locked Administrators.
-u Administrator Unlock a single Administrator.
-ua Unlock all locked Administrators.
Lab 7: Using fw ctl pstat
LAB 7: USING FW CTL PSTAT
Scenario: This lab focuses on generating a file on the Security Gateway containing fw ctl pstat information, and interpreting some of the data.
Objective: Run the fw ctl pstat command.
Topics: The following topics are covered in this lab:
• Running the fw ctl pstat command
• Identifying information in the fw ctl pstat file
RUN FW CTL PSTAT
1. While logged in to the NGX Security Gateway in Expert Mode, run the following:
[Expert@yourcity]# fw ctl pstat > pstat.txt
The fw command is the same for UNIX and Windows servers.
2. Allow the process to run to completion.
IDENTIFY INFORMATION IN FW CTL PSTAT
1. Use the less command to view the pstat.txt file, and identify the following portions of the file:
— Amount of hash-kernel memory, used and available
— Number of packets inspected
— Number of fragments, and how many expired
Based on this output, is the Gateway overloaded or underused?
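The items this lab asks for, and the load indicators discussed in the fw ctl pstat section earlier in this chapter (failed allocations, nearly exhausted hash kernel memory, expired fragments), can be pulled out of pstat.txt programmatically. The following is an added example written for this handbook, not a Check Point tool: it parses the sections of fw ctl pstat output into numbers, answers the three lab questions, and flags the conditions the chapter describes. The embedded sample is constructed from the figures printed in the chapter (the loaded Gateway's hmem block together with the first example's other sections); the 10% free-hash-memory threshold is an assumption for this example, not a Check Point recommendation.

```python
"""Parse `fw ctl pstat` output and flag the load indicators this chapter describes."""
import re

# Constructed sample assembled from the figures printed in this chapter.
SAMPLE_PSTAT = """\
Hash kernel memory (hmem) statistics:
  allocated: 3145728 bytes in 767 4KB blocks using 1 pool
  bytes used: 3141632 unused: 4096 (1%) peak: 3141632
  blocks used: 740 unused: 27 (4%)
  4301 alloc, 129 failed alloc, 2219 free
System kernel memory (smem) statistics:
  Total memory bytes used: 10532520 peak: 11160692
  Allocations: 104334 alloc, 0 failed alloc, 104066 free, 0 failed free
Kernel memory (kmem) statistics:
  Total memory bytes used: 3768249 peak: 3936541
  Allocations: 1840 alloc, 0 failed alloc, 1533 free, 0 failed free
INSPECT:
  33250 packets, 8233028 operations, 189240 lookups, 0 record, 2290321 extract
Connections:
  2965 total, 1278 TCP, 1683 UDP, 4 ICMP,
  0 other, 256 anticipated, 52 recovered, 3 concurrent,
  41 peak concurrent, 3658055 lookups
Fragments:
  6 fragments, 3 packets, 0 expired, 0 short,
  0 large, 0 duplicates, 0 failures
"""

_HEADER = re.compile(r'^\S.*:\s*$')                      # "Connections:" style section lines
_LABEL_NUM = re.compile(r'([A-Za-z][A-Za-z ]*?):\s*(\d+)')  # "bytes used: 3141632"
_NUM_LABEL = re.compile(r'(\d+)\s+([A-Za-z][A-Za-z ]*?)\s*(?=,|$)')  # "129 failed alloc,"
_UNUSED_PCT = re.compile(r'unused:\s*\d+\s*\(([\d.]+)%\)')  # "unused: 4096 (1%)"


def _section_name(header):
    m = re.search(r'\((\w+)\)', header)             # hmem / smem / kmem
    return m.group(1).lower() if m else header.rstrip(':').split()[0].lower()


def parse_pstat(text):
    """Return {section: {metric: number}}; the first value seen for a metric wins,
    so 'unused' in hmem is the byte count, not the block count."""
    stats, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if _HEADER.match(raw) and not any(c.isdigit() for c in line):
            current = _section_name(line)
            stats[current] = {}
            continue
        if current is None:
            continue
        section = stats[current]
        for label, num in _LABEL_NUM.findall(line):
            section.setdefault(label.strip().lower(), int(num))
        for num, label in _NUM_LABEL.findall(line):
            section.setdefault(label.strip().lower(), int(num))
        m = _UNUSED_PCT.search(line)
        if m:
            section.setdefault('unused pct', float(m.group(1)))
    return stats


def lab7_summary(stats):
    """The three items the lab asks the student to locate."""
    hmem = stats['hmem']
    return {'hmem_used_bytes': hmem['bytes used'],
            'hmem_unused_bytes': hmem['unused'],
            'packets_inspected': stats['inspect']['packets'],
            'fragments': stats['fragments']['fragments'],
            'fragments_expired': stats['fragments']['expired']}


def assess(stats, hmem_min_unused_pct=10.0):
    """Load indicators from the chapter: failed allocations in any memory pool,
    hash memory nearly exhausted, and expired fragments."""
    findings = []
    for section in ('hmem', 'smem', 'kmem'):
        failed = stats.get(section, {}).get('failed alloc', 0)
        if failed:
            findings.append(f'{section}: {failed} failed allocations')
    hmem = stats.get('hmem', {})
    if hmem.get('unused pct', 100.0) < hmem_min_unused_pct:
        findings.append(f"hmem: only {hmem['unused pct']}% of hash memory unused")
    expired = stats.get('fragments', {}).get('expired', 0)
    if expired:
        findings.append(f'fragments: {expired} expired')
    return findings


if __name__ == '__main__':
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PSTAT
    parsed = parse_pstat(text)
    print(lab7_summary(parsed))
    for finding in assess(parsed) or ['no load indicators found']:
        print('-', finding)
```

Run it as python pstat_check.py pstat.txt on the file produced in step 1; with no argument it evaluates the constructed sample, which reports the 129 failed allocations and the 1% free hash memory from the loaded-Gateway example.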
Continue to next lab.
Lab 8: Using fw stat, fwm load, and fw unloadlocal
LAB 8: USING FW STAT, FWM LOAD, AND FW UNLOADLOCAL
Scenario: Policy status for a Gateway is regularly verified in Smart View Tracker. The fw stat command is also useful to verify Policy status. In circumstances where you cannot log in to SmartDashboard, fw unloadlocal can be used to uninstall the Policy.
Objectives:
• Use fw stat to verify a Gateway Policy is installed.
• Use fw unloadlocal to uninstall the Policy.
• Use fwm load to install the Policy from the SmartCenter Server to the Gateway.
Topics:
• Installing the Security Policy and verifying status with fw stat
• Uninstalling the Policy and verifying status with fw stat
• Running fwm load and fw stat to install and verify the Policy
INSTALL SECURITY POLICY AND VERIFY STATUS WITH FW STAT
1. From the SmartDashboard, install the Policy on the gateway object.
2. Log in to the Gateway via the console or SSH screen.
3. Run fw stat. The output looks similar to the following:
HOST       POLICY    DATE
localhost  Standard  10Apr2006 15:56:50 : [>eth1] [<eth1]
UNINSTALL POLICY AND VERIFY STATUS WITH FW STAT
1. Run fw unloadlocal from the command line.
2. Verify the status by running fw stat:
HOST       POLICY    DATE
localhost  -         - : >eth1 <eth1
RUN FWM LOAD AND FW STAT TO INSTALL AND VERIFY POLICY
1. Open the command line on the SmartCenter Server, and type the following ...
fwm load Standard fwyourcity
... Where "Standard" is the Policy name, and fwyourcity is the target gateway object.
Verify the Policy is installed successfully, by running fw stat on the Gateway console or SSH session.
If you logged into the Gateway via an SSH session, your session will terminate abruptly, as fwm load does not preserve connections during a Policy install. Log in again and continue with the lab.
End of lab.
Review
REVIEW
• The fw tab command and its subcommands are used to directly access and manipulate the state tables in the NGX kernel's virtual memory, the core of Check Point Stateful Inspection technology.
• The fw ctl command and subcommands are used to view kernel information from SmartCenter Servers or Security Gateways, and can also be used to perform some kernel-level configuration changes and debugging.
• Other fw commands that provide more granular control over VPN-1 NGX include:
  fw sam — used to manipulate the SAM database
  fw lichosts — displays the number of protected hosts behind a Gateway
  fw log — used to view and manipulate active log files
  fw repairlog — rebuilds .ptr files for corrupted log files
  fw mergefiles — merges two switched (not active) log files into one
  fw fetchlogs — used to retrieve log files from a remote Gateway
• fw advanced commands provide command-line methods for more direct access to the NGX daemon, and for working with specific aspects of VPN-1 NGX.
• fwm commands provide an alternate command-line method of performing many SmartCenter Server tasks.
Review Questions
1. Which of the following fw tab commands will fetch connection information in decimal format for all connections?
A.) fw tab -t connections -u
B.) fw tab -t connections
C.) fw tab -t connections -s
D.) fw tab -t connections -f
Review Answers
1. Which of the following fw tab commands will fetch connection information in decimal format for all connections?
D.) fw tab -t connections -f
2. You are troubleshooting a NAT problem with a remote Gateway. Looking in the fw monitor capture, it appears that the IP address is translating correctly, but you do not see packets returning to the external interface. Which of the following fw ctl commands would be useful in these circumstances?
D.) fw ctl arp
3. Which of the following switches used with the fwm logexport command will export the active log file into a comma-delimited file, without resolving IP addresses?
D.) fwm logexport -d, -o output -n
CHAPTER 7: SECURITY SERVERS
NGX Security Servers inherit the folding process from previous versions of VPN-1. The HTTP Security Server provides URL screening and content checking (by incorporating CVP and UFP applications). Although more functionality from Security Servers is being incorporated into the kernel with each revision of VPN-1, troubleshooting specific Security Server processes can still indicate causes of issues.
Objectives
1. Identify different stages in the folding process.
2. Troubleshoot Security Server issues.
3. Debug Security Servers.
Key Terms
Folding
fwssd
fwauthd.conf
The Folding Process
THE FOLDING PROCESS
Overview
When the NGX kernel matches a connection to a Security Server rule, the kernel folds the connection to the relevant Security Server. Folding is how packets are redirected to a Security Server. The Security Server opens its own connection to the Server the client tried to reach. The packet leaving the Security Server has the source IP of the NGX Security Gateway; the outbound kernel translates that source IP back to the IP address of the client that originally opened the connection. If the client is configured in the Rule Base for Hide or Static NAT, the source IP is translated as configured in the Rule Base.
If clients use the HTTP Security Server as a proxy, connections leave the Gateway with the Gateway's IP address as the source IP. No Network Address Translation (NAT) occurs.
TRANSPARENT CONNECTIONS
The default behavior of HTTP, FTP, and Telnet Security Server connections has been changed to transparent in VPN-1 NGX; only the SMTP Security Server is still non-transparent by default. In other words, if no Hide or Static NAT is involved and the client does not set the Gateway as its proxy, packets leave the Gateway with the original client's IP address. The only exception is the SMTP Security Server: its packets leave the Gateway with the Gateway's IP address as the source, instead of the original client's.
To change this behavior, modify the following properties from true to false in $FWDIR/conf/objects_5_0.C:
http_transparent_server_connection
ftp_transparent_server_connection
rlogin_transparent_server_connection
telnet_transparent_server_connection
The Folding Process
3. The packet's destination address is changed to the NIC address (so it will be sent to Security Server).
4. The connection table is updated with two new entries, which allows the client following the packets to continue without examination:
<125.32.2.3,1234,180.3.42.3,80,TCP>
<125.32.2.3,1234,125.32.0.1,8832,TCP>
INBOUND AFTER KERNEL
The packet is <125.32.2.3,1234,125.32.0.1,8832,TCP>. The Security Server listening on port 8832 accepts and examines the packet. After the examination is done, the Security Server opens a new connection to the destination Server. The new connection is recorded in the PROXIED_CONNS table, with new connection properties (new port) and an expiration time of 60 seconds, which means the Security Server must initiate the connection within that period.
The Security Server then sends the packet to its original destination using the FWX_AUTH table.
OUTBOUND BEFORE KERNEL
The packet is <125.32.0.1,8832,180.3.42.3,80,TCP>. The Security Server initiates the connection; the source address is the Security Server's, not the original client's. The Server returns the packet, destination port, and address to the Security Server. The Security Server checks the FWX_AUTH table and a flag from the CONN_OXID table to retranslate the client's address and destination port.
OUTBOUND AFTER KERNEL
The packet is <125.32.2.3,1234,180.3.42.3,80,TCP>, which is the original connection.
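The four stages above can be followed with a small model of the tables involved. The following added example was written for this handbook and is not Check Point code: it keeps a connections table, an FWX_AUTH-style map from the Security Server's source port back to the original client tuple, and a PROXIED_CONNS-style record of the Security Server's own connection, and it applies the translations of each stage to the tuples used in the text. The port the Security Server uses for its outbound connection (40000 here), the way the Server's reply is matched back to the Security Server socket, and the transparent flag that models the SMTP exception are assumptions of the model, not the kernel's real table layout.

```python
"""Toy model of connection folding: kernel tables and the tuple at each stage."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Pkt:
    """A connection tuple in the <src,sport,dst,dport,proto> notation used above."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = 'TCP'

    def __str__(self):
        return f'<{self.src},{self.sport},{self.dst},{self.dport},{self.proto}>'


class FoldingGateway:
    def __init__(self, nic_ip, ss_port, transparent=True, first_ss_port=40000):
        self.nic_ip = nic_ip            # address of the NIC the Security Server listens on
        self.ss_port = ss_port          # port the Security Server listens on (8832 above)
        self.transparent = transparent  # False models the SMTP Security Server default
        self.connections = set()        # the connections table
        self.fwx_auth = {}              # SS source port -> original client tuple
        self.proxied_conns = {}         # SS source port -> SS-to-Server tuple
        self._next_port = first_ss_port  # assumed port allocation for the SS connection

    def inbound_kernel(self, pkt):
        """Steps 3 and 4: redirect to the NIC address and record both entries."""
        folded = replace(pkt, dst=self.nic_ip, dport=self.ss_port)
        self.connections.update({pkt, folded})
        return folded

    def security_server_connect(self, original):
        """INBOUND AFTER KERNEL: the Security Server opens its own connection."""
        port = self._next_port
        self._next_port += 1
        server_side = Pkt(self.nic_ip, port, original.dst, original.dport, original.proto)
        self.proxied_conns[port] = server_side
        self.fwx_auth[port] = original
        return server_side

    def outbound_kernel(self, pkt):
        """OUTBOUND AFTER KERNEL: in transparent mode the source becomes the client's
        again; in non-transparent mode (SMTP default) the Gateway address stays."""
        if not self.transparent:
            return pkt
        original = self.fwx_auth[pkt.sport]
        return replace(pkt, src=original.src, sport=original.sport)

    def reply_from_server(self, reply):
        """Map the Server's answer back to the Security Server socket via FWX_AUTH."""
        for port, original in self.fwx_auth.items():
            if self.transparent:
                to_client = (reply.dst, reply.dport) == (original.src, original.sport)
            else:
                to_client = (reply.dst, reply.dport) == (self.nic_ip, port)
            if to_client and reply.src == original.dst:
                return replace(reply, dst=self.nic_ip, dport=port)
        raise KeyError(f'no FWX_AUTH entry for {reply}')


if __name__ == '__main__':
    gw = FoldingGateway('125.32.0.1', 8832)
    client = Pkt('125.32.2.3', 1234, '180.3.42.3', 80)
    folded = gw.inbound_kernel(client)
    ss = gw.security_server_connect(client)
    print('inbound after kernel :', folded)
    print('outbound before kernel:', ss)
    print('outbound after kernel :', gw.outbound_kernel(ss))
    print('server reply redirected:', gw.reply_from_server(Pkt('180.3.42.3', 80, '125.32.2.3', 1234)))
```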
Content-Security Rule Order
Resource rules do not replace the standard rules for a protocol. A resource rule must be placed before any less-restrictive rule that allows the protocol, but after rules that reject it.
HTTP 1.0 and 1.1
The following table lists differences between HTTP 1.0 and HTTP 1.1. This information can be useful when troubleshooting HTTP Security Server related issues.
Connections
  HTTP 1.0: Keep-alive was not used.
  HTTP 1.1: Keep-alive is recommended.
Multiple requests per connection
  HTTP 1.0: Allowed, but the client cannot send multiple requests at once; it must wait for each response to return before submitting another request.
  HTTP 1.1: Allowed; the client can send multiple requests, even before the first response has returned. The Server has to return the responses in the same order the requests were sent.
Data end
  HTTP 1.0: Two ways: 1. use the Content-Length header field; 2. close the connection when the response is done.
  HTTP 1.1: Content length is obligatory, unless chunked encoding (below) is used.
Chunks
  HTTP 1.0: Not available.
  HTTP 1.1: Chunking was introduced to allow the Server to send responses of variable length without closing the connection (in HTTP 1.0, closing the connection was the only way).
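A Security Server that proxies HTTP has to decide where each response body ends using exactly the rules in the table, and getting that wrong is how responses are truncated or run together. The following added example (written for this handbook, not Check Point's HTTP Security Server code) implements the three framing rules: chunked transfer encoding, Content-Length, and the HTTP 1.0 close-delimited body, and then splits a stream of pipelined HTTP 1.1 responses in order. The three responses are constructed for the example.

```python
"""Find the end of HTTP response bodies under the 1.0 and 1.1 framing rules."""

# Constructed responses, one per framing rule.
R10_CLOSE = b'HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n\r\nhello'
R11_LENGTH = b'HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello'
R11_CHUNKED = (b'HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n'
               b'4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n')


def _parse_head(raw):
    """Return (headers, body_start) or None if the header block is incomplete."""
    end = raw.find(b'\r\n\r\n')
    if end < 0:
        return None
    lines = raw[:end].decode('latin-1').split('\r\n')
    headers = {}
    for line in lines[1:]:                      # lines[0] is the status line
        name, _, value = line.partition(':')
        headers[name.strip().lower()] = value.strip()
    return headers, end + 4


def _dechunk(data):
    """Decode a chunked body: (body, bytes_consumed), or None if incomplete."""
    body, pos = bytearray(), 0
    while True:
        nl = data.find(b'\r\n', pos)
        if nl < 0:
            return None
        size = int(data[pos:nl].split(b';')[0], 16)   # chunk extensions ignored
        pos = nl + 2
        if size == 0:                                  # last chunk, then optional trailers
            tail = data.find(b'\r\n', pos)
            while tail >= 0 and tail != pos:           # skip trailer header lines
                pos = tail + 2
                tail = data.find(b'\r\n', pos)
            return (bytes(body), tail + 2) if tail >= 0 else None
        if len(data) < pos + size + 2:                 # chunk data plus its CRLF
            return None
        body += data[pos:pos + size]
        pos += size + 2


def split_response(raw, connection_closed=False):
    """Return (body, remaining_bytes) for the first response in raw, or None if
    the framing rule says more data is needed."""
    parsed = _parse_head(raw)
    if parsed is None:
        return None
    headers, body_start = parsed
    rest = raw[body_start:]
    if 'chunked' in headers.get('transfer-encoding', '').lower():
        decoded = _dechunk(rest)
        if decoded is None:
            return None
        body, used = decoded
        return body, rest[used:]
    if 'content-length' in headers:
        n = int(headers['content-length'])
        return (rest[:n], rest[n:]) if len(rest) >= n else None
    # HTTP 1.0 style: the body ends only when the Server closes the connection
    return (rest, b'') if connection_closed else None


def split_pipeline(raw, connection_closed=False):
    """Split a stream of pipelined responses in order; returns (bodies, leftover)."""
    bodies = []
    while raw:
        result = split_response(raw, connection_closed)
        if result is None:
            break
        body, raw = result
        bodies.append(body)
    return bodies, raw


if __name__ == '__main__':
    print(split_response(R10_CLOSE))                       # None: must wait for close
    print(split_response(R10_CLOSE, connection_closed=True))
    print(split_pipeline(R11_LENGTH + R11_CHUNKED))
```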
Troubleshooting Security Server Issues
TROUBLESHOOTING SECURITY SERVER ISSUES
The following steps help troubleshoot performance problems with HTTP Security Servers. The goal is to determine which component is responsible for the performance issue (the HTTP Security Server, the CVP server, the machines themselves, and so on), when, and why.
The following is a scenario where the HTTP Security Server is configured with a CVP server on a loaded network:
Security Gateway
C P 0 0 3 3 2
HTTP Security Server in CVP Environment
244
Aquaforest TIFF Junction Evaluation
Troubleshooting Security Server Issues
Reviewing CPU and Memory
There is not an executable file for each Security Server. Instead, each Security Server links to the fwssd executable. Under Windows NT, for example, looking at the Task Manager will not show the Security Server to which each process belongs. To find out which process belongs to each Security Server, proceed as follows:
• Look for the relevant Security Server's process identifier (PID) in the $FWDIR/tmp directory. For example, the HTTP Security Server PID will be written in the in.ahttpd.pid file.
• Once you know the PID number, look for the number on the Windows Task Manager > Processes tab. On UNIX platforms, such as Solaris and SecurePlatform, the process number is found in $FWDIR/tmp. The CPU and memory use can be observed in real time by running the top command.
Editing fwauthd.conf
In some circumstances, adjusting the number of Security Server processes spawned by fwssd may help when troubleshooting performance issues. This is done by editing the fwauthd.conf file, which contains configuration information for all child processes started by NGX daemons, not only fwssd. When working with fwauthd.conf, ensure that you are only modifying entries relevant to the Security Servers for FTP, HTTP, HTTPS, or Telnet. Some process configurations (such as those for SMTP or clientless VPN) should not be modified unless under direct instruction from Check Point Technical Support. Take care to modify only the line relevant to the process you are troubleshooting.
FWAUTHD.CONF EXAMPLE
A standard entry in fwauthd.conf looks like this:
# (port)  Parent   Child        Process  Wait # (to be
#         Process  Process      Name     spawned)
80        fwssd    in.ahttpd    wait     -5
259       fwssd    in.aclientd  wait     259
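Because the warning above is about touching only one line, an edit to fwauthd.conf is best made by a script that refuses anything else. The following added example (written for this handbook, not a Check Point tool) parses entries in the layout shown above, changes the last column of a single named process, leaves every other byte of the file unchanged, and rejects processes outside an allow-list. The excerpt is constructed; the allow-list of FTP, HTTP, and Telnet process names and the new value -10 are assumptions for the example, since the text does not explain the meaning of the last column.

```python
"""Change one Security Server entry in fwauthd.conf and refuse to touch the rest."""
import re

# Constructed excerpt in the fwauthd.conf layout shown above.
SAMPLE_FWAUTHD = """\
# (port)  Parent   Child        Process  Wait # (to be
#         Process  Process      Name     spawned)
21        fwssd    in.aftpd     wait     0
25        fwssd    in.asmtpd    wait     0
80        fwssd    in.ahttpd    wait     -5
259       fwssd    in.aclientd  wait     259
"""

# Assumption for this example: only these child processes may be tuned without
# Check Point Technical Support (FTP, HTTP, Telnet Security Servers).
TUNABLE = {'in.aftpd', 'in.ahttpd', 'in.atelnetd'}

# port, parent, child, mode, last column; comment lines never match
_ENTRY = re.compile(r'^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(-?\d+)\s*$')


def parse_fwauthd(text):
    """Return the entries as dicts, in file order."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if m:
            entries.append({'port': int(m.group(1)), 'parent': m.group(2),
                            'child': m.group(3), 'mode': m.group(4),
                            'spawn': int(m.group(5))})
    return entries


def set_spawn(text, child, value):
    """Return the file with only `child`'s last column replaced by `value`."""
    if child not in TUNABLE:
        raise ValueError(f'{child} must not be modified without Technical Support')
    out, changed = [], False
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if m and m.group(3) == child:
            line = line[:m.start(5)] + str(value)     # keep the original spacing
            changed = True
        out.append(line)
    if not changed:
        raise KeyError(f'{child} not found in fwauthd.conf')
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    # Real use: read $FWDIR/conf/fwauthd.conf, write the result to a copy, diff, then install.
    print(set_spawn(SAMPLE_FWAUTHD, 'in.ahttpd', -10))
```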
Listing Possible Causes
SECURITY SERVERS
• A general Security Server issue
• A Security Server with a CVP/UFP resource issue
• CVP server
• Limitation of hash tables
CVP SERVERS
• Overloaded CPU
• Memory issue
• Possible known/unknown issue
Identifying Issue Sources
One of the best ways to understand where the issue lies is by eliminating possibilities:
1. Change the rule so the HTTP resource is not used. Replace it with a standard HTTP service. This way, HTTP connections are passed through the kernel and not folded to the Security Server. If this solves the problem, the problem is with the HTTP Security Server: Proceed with step 3. If it does not solve the problem, proceed with step 2.
2. Change the rule to use the HTTP resource again, instead of the standard HTTP service. Do not configure the resource with the CVP server. Under this configuration if the problem does not exist, you know the issue is with the interaction with the CVP server.
3. When the problem occurs, run the following:
• top (on UNIX) or Task Manager (on Windows) Notice which process number is in charge for CPU and memory use. Check $FWDIR/tmp to find the PID of the relevant Security Server process.
• lsof (on Solaris) Run this command to check how many file descriptors are open: lsof | grep <process name> | wc -l
Debugging Security Servers
DEBUGGING SECURITY SERVERS
To debug a Security Server, the relevant process must be running. Before starting the debug, verify that the process you wish to debug has a current PID file in the $FWDIR/tmp directory. If the process has no PID, the following error appears: "Cannot find process id for (in.aclientd)"
Check Point recommends debugging on the running (active) process. In circumstances where the process is not starting correctly, stop VPN-1 NGX, set the environment variables for debugging, and then restart VPN-1 NGX.
TDERROR_ALL_ALL Flag
When configuring a debugging session, whether for a running process or by setting an environment variable for a restarted session, remember to set the environment variables for that debugging session. While each Security Server has specific flags relevant to its functionality, all debugging requires a TDERROR_*_* flag to be set.
The TDERROR_ALL_ALL flag (most often seen when configuring debugging as TDERROR_ALL_ALL=3) tells the process being debugged the level of information to write to the output file (typically processname.elg).
The numeric value is a verbosity level between 1 and 5, where 1 is the minimum amount of information to be written and 5 is maximum verbosity. Check Point recommends setting the verbosity level to 3 or 4, as this often provides enough information for troubleshooting an issue.
TDERROR_*_* is also used to configure specific debugging sequences, as shown in the following sections. Each of the following sections gives the standard commands for enabling debugging on running processes, sorted according to the specific Security Server.
FTP Security Servers
To enable debugging all platforms, run:
fw debug in.aftpd on | off FWAFTPD_DEBUG 3
Output is automatically redirected to $FWDIR/log/af tpd. elg.
Review
• In VPN-1 NGX, the default behavior is for connections folded into a Security Server (except an SMTP Security Server) to be transparent. With transparent connections, the source IP address is untranslated (unless it is translated by the kernel for other reasons, such as NAT).
• Folding occurs when the NGX kernel updates the state tables associated with a connection on which a Security Server acts.
• Resource rules do not replace standard rules for protocols. When adding a resource rule to a Rule Base, the rule must be placed before any less-restrictive rules that allow protocols, but after rules that reject protocols.
• Edit $FWDIR/conf/spsc/spsc.en_us to modify the default messages produced by a Security Server.
• HTTP 1.0 and 1.1 behave differently, and must be dealt with for troubleshooting accordingly.
• Each Security Server is an iteration of the fwssd process. Locate the PID of the Security Server you are troubleshooting in the $FWDIR/tmp directory. Use this number to find the process information in Task Manager on Windows, or use the top command on UNIX and SecurePlatform.
• Creating a list of possible causes for an issue will help when troubleshooting Security Server issues. The list can include, but is not limited to:
— Limitation of kernel tables.
— A loaded kernel blocking Security Servers.
— A CVP/UFP resource issue.
— CVP server saturation.
— Limitation of hash tables.
• Identifying the source of the issue will also help when troubleshooting Security Server issues. Does the issue persist when the Security Server is disabled? If using CVP, remove the CVP server from the Security Server configuration and retest. Examine the relevant error-log files, get traffic captures, and examine memory use.
• Analyzing the output from any of the sources listed will provide information about the cause.
2. Which of the following tables is referenced in multiple stages of connection folding through a Security Server?
A.) FWX AUTH
B.) AUTH SERVICES
C.) PROXIED CONNS
D.) CONN OXID
3. You are troubleshooting an issue involving a Security Server working in CVP mode, with a content filtering OPSEC partner. It appears that this issue is related to the browser's connection with the CVP server. Which of the following debug commands will NOT be used to configure the debugging?
A.) fw debug in.ahttpd on TDERROR_ALL_s_to_c_read=3
B.) fw debug in.ahttpd on TDERROR_ALL_client_to_server_mgr=3
C.) fw debug in.ahttpd on TDERROR_ALL_cvp_to_server_mgr=3
D.) fw debug in.ahttpd on OPSEC_DEBUG_LEVEL=3
Review
Review Answers
1. The default behavior for Security Servers in VPN-1 NGX is to leave the source IP address of a connection untranslated. In which of the following configurations will the source IP be translated by a Security Server?
C.) Virus scanning for SMTP servers
2. Which of the following tables is referenced in multiple stages of connection folding through a Security Server?
A.) FWX AUTH
3. You are troubleshooting an issue involving a Security Server working in CVP mode, with a content filtering OPSEC partner. It appears that this issue is related to the browser's connection with the CVP server. Which of the following debug commands will NOT be used to configure the debugging?
D.) fw debug in.ahttpd on OPSEC_DEBUG_LEVEL=3
CHAPTER 8: VPN DEBUGGING TOOLS
IKE negotiation consists of two phases, Phase 1 (Main mode) and Phase 2 (Quick mode). The negotiation process in both modes can be observed in ike.elg with an internal Check Point utility called IKEview. This chapter covers guidelines for analyzing ike.elg, and instructions for collecting ike.elg and vpnd.elg data. It assumes a basic comprehension of encryption, cryptographic applications (algorithms and hash methods), and configuration of site-to-site VPNs using either pre-shared secrets or Certificates.
Objectives
1. Identify and explain the two phases of the IKE negotiation process.
2. Use VPN debugging tools for common troubleshooting practices.
3. Use VPN log files and the vpn debug command to troubleshoot VPN connections.
4. Use troubleshooting tables as general guidelines for troubleshooting VPN issues.
Key Terms
Phase 1 (Main mode)
Phase 2 (Quick Mode)
ike.elg
IKE Basics
Troubleshooting a VPN requires an understanding of the process of creating a VPN tunnel. The following is a step-by-step process explaining the IKE exchange.
Phase 1
Phase 1 (Main mode) negotiates the encryption method (DES, 3DES, AES, and so on) and the hash algorithm (SHA1 or MD5), and establishes a key to protect the messages of the exchange. The following describes the stages of the Phase 1 process:
1. Stage 1: Peers authenticate using Certificates or a pre-shared secret.
2. Stage 2:
— Each Security Gateway generates a private Diffie-Hellman (DH) key from random-pool bits.
— From the private DH key, each peer derives a DH public key.
— The DH public keys are exchanged.
3. Stage 3:
— Each side generates a shared secret from its own private key and its peer's public key.
— This shared secret is the DH key.
4. Stage 4:
— The DH key is used to protect the exchange of key material (random bits and other mathematical data).
— Methods are agreed upon for encryption and integrity for Phase 2.
5. Each side generates a symmetric key, based on the DH key and the key material exchanged between the sides.
On the wire, Main mode carries these stages in six packets: packets 1 and 2 agree on the proposal, packets 3 and 4 exchange the DH public values and nonces, and packets 5 and 6 carry the authentication (the ID and hash payloads). A wrong pre-shared secret therefore does not stop the DH exchange; it surfaces only when the hash in packet 5 or 6 fails to verify.
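The Phase 1 stages above and the nonce exchange of packets 3 and 4, worked through in code. This is an added example, not code from the handbook or from Check Point: it simulates both peers in one process, performing a DH exchange over the 1024-bit MODP group (IKE group 2, which IKEview labels "Alternate 1024-bit MODP group"), deriving SKEYID from the pre-shared secret and the two nonces as RFC 2409 specifies, deriving SKEYID_d/a/e, and computing the HASH_I that the initiator sends in Main mode packet 5. The cookies, nonces and SA payload body are constructed test data; the secret abc123 is the lab's, and the ID payload uses the peer address 172.24.104.1 from the IKEview screenshots. The last function shows why a mismatched secret produces the "no packets after packet 5" symptom discussed later in this chapter.

```python
"""IKE Phase 1 (Main mode) keying with a pre-shared secret, after RFC 2409.

Added example (not from the handbook). Both peers are simulated in one
process.  Cookies, nonces, the SA payload body and the ID payload are
constructed test data.
"""
import hashlib
import hmac
import secrets

# RFC 2409 section 6.2 / RFC 3526: 1024-bit MODP prime, generator 2 (IKE group 2)
P_1024 = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
DH_LEN = 128  # bytes in a group-2 public value or shared secret


def prf(key: bytes, data: bytes) -> bytes:
    """With a SHA1 proposal the IKE prf is HMAC-SHA1 (RFC 2409 section 3.2)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def dh_keypair(exp_bits: int = 256):
    """Stage 2: private DH key from random bits, public value g^x mod p."""
    x = secrets.randbits(exp_bits) | 1
    return x, pow(G, x, P_1024)


def dh_shared(x: int, peer_pub: int) -> bytes:
    """Stage 3: g^xy from my private key and the peer's public value."""
    return pow(peer_pub, x, P_1024).to_bytes(DH_LEN, "big")


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """Pre-shared-key authentication: SKEYID = prf(psk, Ni_b | Nr_b)."""
    return prf(psk, ni + nr)


def derive_keys(skeyid: bytes, gxy: bytes, cky_i: bytes, cky_r: bytes):
    """Stages 4-5: SKEYID_d (IPsec keying), SKEYID_a (auth), SKEYID_e (encryption)."""
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return skeyid_d, skeyid_a, skeyid_e


def hash_i(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idii_b) -> bytes:
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)."""
    return prf(skeyid, gxi + gxr + cky_i + cky_r + sai_b + idii_b)


def main_mode(psk_initiator: bytes, psk_responder: bytes) -> bool:
    """Run one Main mode exchange and return whether the responder accepts
    the HASH_I from packet 5.  With mismatched secrets both sides still
    agree on g^xy (packets 3 and 4 succeed) but SKEYID differs, so the
    exchange dies after packet 5."""
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)   # ISAKMP cookies
    ni, nr = secrets.token_bytes(20), secrets.token_bytes(20)       # nonces, packets 3/4
    xi, gxi = dh_keypair()
    xr, gxr = dh_keypair()
    gxy_i = dh_shared(xi, gxr)
    gxy_r = dh_shared(xr, gxi)
    assert gxy_i == gxy_r                       # the DH key agrees on both sides
    # Constructed SA payload body standing in for the AES-256/SHA1/PSK/group-2
    # proposal of packet 1; only its exact bytes matter for the hash.
    sai_b = b"\x00\x00\x00\x01\x00\x00\x00\x01" + b"constructed-proposal"
    # IDii_b: ID_IPV4_ADDR (type 1), protocol 0, port 0, 172.24.104.1 (ac 18 68 01)
    idii_b = b"\x01\x00\x00\x00" + bytes([172, 24, 104, 1])
    gxi_b, gxr_b = gxi.to_bytes(DH_LEN, "big"), gxr.to_bytes(DH_LEN, "big")
    # Each side derives SKEYID from ITS OWN copy of the pre-shared secret.
    sk_i = skeyid_psk(psk_initiator, ni, nr)
    sk_r = skeyid_psk(psk_responder, ni, nr)
    derive_keys(sk_i, gxy_i, cky_i, cky_r)      # initiator's SKEYID_d/a/e
    sent = hash_i(sk_i, gxi_b, gxr_b, cky_i, cky_r, sai_b, idii_b)      # packet 5
    expected = hash_i(sk_r, gxi_b, gxr_b, cky_i, cky_r, sai_b, idii_b)  # responder's check
    return hmac.compare_digest(sent, expected)


if __name__ == "__main__":
    print("matching secrets :", main_mode(b"abc123", b"abc123"))   # True
    print("mismatched secret:", main_mode(b"abc123", b"abc124"))   # False
```

Because the nonces and the DH public values are folded into HASH_I, a replayed packet 5 from an earlier negotiation fails verification too, which is what the nonce buys; and because SKEYID itself depends on the secret, the responder can only report that the hash did not match, not which byte of the secret is wrong.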
Example
The IKE exchange uses six packets for Phase 1 (Main mode) and three packets for Phase 2 (Quick mode):
1. For Main mode packet 1, the initiator 172.24.104.1 proposes the following information:
• Encryption algorithm: AES-CBC
• Key length: 256 bit
• Hash algorithm: SHA1
• Authentication method: pre-shared key
Screenshot (IKEview): 172.24.104.1 > Main Mode > MM packet 1 > Security Association > prop1 PROTO_ISAKMP > tran1 KEY_IKE. Transform payload: Encryption Algorithm: AES-CBC; Key Length: 256; Hash Algorithm: SHA1; Authentication Method: Pre-shared key; Group Description: Alternate 1024-bit MODP group; Life Type: Seconds; Life Duration: 86400
Phase 1 Packet 1 — Peer Proposing AES-256/SHA1
2. Packet 2 is from the responder to agree on one encryption and hash algorithm:
Screenshot (IKEview): 172.24.104.1 > Main Mode > MM packet 2 > Security Association > prop1 PROTO_ISAKMP > tran1 KEY_IKE. Transform payload: Encryption Algorithm: AES-CBC; Key Length: 256; Hash Algorithm: SHA1; Authentication Method: Pre-shared key; Group Description: Alternate 1024-bit MODP group; Life Type: Seconds; Life Duration: 86400
Phase 1 Packet 2 — Agreeing to AES-256/SHA1
3. Packets 3 and 4 perform the key exchange and include a large number never used before, called a nonce. A nonce is a random value sent to the other party, which folds it into the authentication hash it returns, proving that the reply is fresh and came from the holder of the authentication credential. These two packets are not generally used when troubleshooting a key exchange with IKEview.
Screenshot (IKEview): 172.24.104.1 > Main Mode > MM packet 3 > Nonce. Next Payload: None; Reserved: 0; Length: 00 84 (132); Key Data: 128 bytes of nonce material (hex)
Phase 1 Packet 3
4. Packets 5 and 6 perform authentication between the peers of the tunnel. The peer's IP address shows in the ID field under MM packet 5:
Screenshot (IKEview): 172.24.104.1 > Main Mode > MM packet 5 > ID. ID payload: Length: 00 0c (12); ID type: ID_IPV4_ADDR; Service type: Not specified (0); Service port: Not specified (0); ID Data: ac 18 68 01 (172.24.104.1)
Phase 1 Packet 5
5. Packet 6 shows the peer has agreed to the proposal and has authenticated the initiator:
Screenshot (IKEview): 172.24.104.1 > Main Mode > MM packet 6 (Header, ID, Hash). Peer IP: 172.24.104.1; Peer Port: 500; Peer Name: fwmadrid. Received from peer 172.24.104.1
Phase 1 Packet 6
Phase 2
Phase 2 (Quick mode) negotiates the IPsec SAs: the VPN Domains (subnet or host IDs) of the two sides, the ESP encryption and integrity algorithms, and, when Perfect Forward Secrecy is enabled, a second DH exchange. The three Quick mode packets look as follows in IKEview:
1. Packet 1 proposes either a subnet or host ID, an encryption and hash algorithm, and ID data:
Screenshot (IKEview): 172.22.102.1 > Quick Mode > QM packet 1 (10.2.4.0 255.255.255.0) - (10.2.2.0 255.255.255.0) > Security Association > prop1 PROTO_IPSEC_ESP
Phase 2 Packet 1
In the ID field, the initiator's VPN Domain configuration displays. In the screenshot below, the VPN Domain for the initiator is the 10.2.4.0/24 network:
Screenshot (IKEview): 172.22.102.1 > Quick Mode > QM packet 1 (10.2.4.0 255.255.255.0) - (10.2.2.0 255.255.255.0)
Phase 2 Packet 1 — ID field_1
ID field_2 proposes the peer's VPN Domain configuration. In the screenshot below, the VPN Domain for the peer gateway is the 10.2.2.0/24 network:
Screenshot (IKEview): 172.22.102.1 > Quick Mode > QM packet 1 > ID (second ID payload). Length: 00 10 (16); ID type: ID_IPV4_ADDR_SUBNET; Service type: Not specified (0); Service port: Not specified (0); ID Data: 0a 02 02 00 ff ff ff 00 (10.2.2.0 255.255.255.0). The packet's Security Association payload lists prop1 PROTO_IPSEC_ESP with tran1 ESP_AES, followed by the Nonce and ID payloads.
Phase 2 Packet 1 — ID field_2
2. Packet 2 from the responder agrees to its own subnet or host ID, and the encryption and hash algorithm:
Screenshot (IKEview): 172.22.102.1 > Quick Mode > QM packet 2 (10.2.4.0 255.255.255.0) - (10.2.2.0 255.255.255.0): Header, Hash, Security Association (prop1 PROTO_IPSEC_ESP, tran1 ESP_AES), Nonce. Peer IP: 172.22.102.1; Peer Name: fwoslo. Received from peer 172.22.102.1
Phase 2 Packet 2
3. Packet 3 completes the IKE negotiation:
Screenshot (IKEview): 172.22.102.1 > Quick Mode > QM packet 3: Header, Hash. Sent to peer 172.22.102.1
Phase 2 Packet 3
Q.) You have a site-to-site VPN between two Check Point NGX Gateways. They are managed by their own SmartCenter Servers. You see a lot of IKE Phase 1 failures in SmartView Tracker. You run IKE debug on one Gateway and find that only one packet in Main mode is transferred; there is no packet in Main mode after packet 1. What is the next step to check the VPN configuration that might have caused this problem?
A.) Check the VPN settings (encryption algorithm, key length, hash method) in the Community object. Make sure the Phase 1 settings are identical on both sides. Also check the Phase 1 settings in the Advanced settings of the Community object, such as DH group 1 or group 2, aggressive mode, and so on. They must be defined identically on both sides.
Q.) You are configuring a site-to-site VPN from a Check Point NGX Gateway to a Cisco device. You see that traffic initiated from the VPN Domain inside the NGX Gateway is dropped with the error "Packet is dropped as there is no valid SA". The Cisco side is sending "Delete SA" to the NGX Gateway. The IKE debug indicates a Phase 2 (Quick mode) failure. What is causing the misconfiguration?
A.) A Quick mode failure usually indicates that the VPN Domain is not configured identically on both peers. For example, if the NGX Gateway's VPN Domain is a Class B network, but the same network is defined with a Class C subnet mask in the Cisco VPN configuration, this type of error occurs.
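The Quick mode ID fields shown in the screenshots above, and the VPN Domain mismatch from the second question, worked through in code. This is an added example, not code from the handbook or from Check Point: it encodes and decodes the RFC 2407 identification payload body that IKEview displays in the ID fields of QM packet 1 (0a 02 02 00 ff ff ff 00 for 10.2.2.0 255.255.255.0), then checks a proposal against the responder's configured VPN Domains the way a responder would. The networks are those from the screenshots (10.2.2.0/24 behind fwoslo, 10.2.4.0/24 behind the partner); the exact error strings are this example's own, not Check Point's log text.

```python
"""Quick mode ID payloads and the VPN Domain mismatch behind a Phase 2 failure.

Added example, not part of the handbook.  Only ID_IPV4_ADDR and
ID_IPV4_ADDR_SUBNET are handled; the networks are the handbook's.
"""
import ipaddress
import struct

ID_IPV4_ADDR = 1         # RFC 2407 section 4.6.2.1: a single host
ID_IPV4_ADDR_SUBNET = 4  # address followed by a netmask


def encode_id(network: str) -> bytes:
    """ID payload body: type, protocol ID, port (both 0 here), then data."""
    net = ipaddress.ip_network(network, strict=False)
    if net.prefixlen == 32:
        return struct.pack("!BBH", ID_IPV4_ADDR, 0, 0) + net.network_address.packed
    return (struct.pack("!BBH", ID_IPV4_ADDR_SUBNET, 0, 0)
            + net.network_address.packed + net.netmask.packed)


def decode_id(body: bytes) -> ipaddress.IPv4Network:
    """Inverse of encode_id; raises on ID types this example does not cover."""
    id_type, _proto, _port = struct.unpack("!BBH", body[:4])
    data = body[4:]
    if id_type == ID_IPV4_ADDR and len(data) == 4:
        return ipaddress.ip_network(str(ipaddress.IPv4Address(data)))
    if id_type == ID_IPV4_ADDR_SUBNET and len(data) == 8:
        addr = ipaddress.IPv4Address(data[:4])
        mask = ipaddress.IPv4Address(data[4:])
        return ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    raise ValueError(f"unsupported ID type {id_type} with {len(data)} data bytes")


def check_quick_mode(idci_b: bytes, idcr_b: bytes,
                     my_domain: str, peer_domain: str) -> str:
    """Responder-side check of QM packet 1.  IDci (ID field_1, the
    initiator's side) must equal the peer's VPN Domain as configured here,
    and IDcr (ID field_2) must equal my own VPN Domain.  Address and mask
    must match exactly, which is why a /16 versus /24 definition fails."""
    proposed_peer = decode_id(idci_b)
    proposed_me = decode_id(idcr_b)
    if proposed_peer != ipaddress.ip_network(peer_domain, strict=False):
        return (f"Invalid ID: peer proposed {proposed_peer} as its VPN Domain, "
                f"configured here as {peer_domain}")
    if proposed_me != ipaddress.ip_network(my_domain, strict=False):
        return (f"No Proposal Chosen: peer wants my VPN Domain as {proposed_me}, "
                f"configured here as {my_domain}")
    return "ok"


def main() -> None:
    # fwoslo (10.2.2.0/24) receives QM packet 1 from its partner (10.2.4.0/24)
    ok = check_quick_mode(encode_id("10.2.4.0/255.255.255.0"),
                          encode_id("10.2.2.0/255.255.255.0"),
                          my_domain="10.2.2.0/255.255.255.0",
                          peer_domain="10.2.4.0/255.255.255.0")
    print("matching VPN Domains:", ok)
    # The peer defined its own domain with a Class B mask (10.2.0.0/16)
    bad = check_quick_mode(encode_id("10.2.0.0/255.255.0.0"),
                           encode_id("10.2.2.0/255.255.255.0"),
                           my_domain="10.2.2.0/255.255.255.0",
                           peer_domain="10.2.4.0/255.255.255.0")
    print("Class B vs Class C:", bad)


if __name__ == "__main__":
    main()
```

When reading IKEview, compare the decoded ID Data of both ID fields in QM packet 1 against the VPN Domain of each gateway object; the responder does the same exact-match comparison, which is why a broader or narrower mask on one side ends the negotiation after QM packet 1.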
VPN Debugging Tools
VPN Log Files
The ike.elg and vpnd.elg files contain information about the IKE negotiation process. VPN debug logging is enabled with the vpn debug on command. The debug output is written to two different files, depending on what is being debugged:
• IKE debugging is written to $FWDIR/log/ike.elg.
• VPN daemon (vpnd) debugging is written to $FWDIR/log/vpnd.elg.
vpn debug on DEBUG_TOPIC=level sets the specified TDERROR topic to the specified level, without affecting any other debug settings. This can be used to turn specific topics on or off.
vpn debug on TDERROR_ALL_ALL=<1-5> turns on default VPN debugging, i.e., all TDERROR output and the default VPN topics at the given verbosity, without affecting any other debug settings.
In previous versions of VPN-1, Check Point recommended setting environment variables to enable VPN debugging. As of VPN-1 NGX, vpn debug on is the preferred method. Setting the environment variables is recommended only when a VPN tunnel is failing.
vpn debug Command
vpn debug contains multiple utilities for troubleshooting VPN issues. The following lists all options for the command:
vpn debug < on [ DEBUG_TOPIC=level ] | off | ikeon [ -s size (Mb) ] | ikeoff | trunc | truncon | truncoff | timeon [ SECONDS ] | timeoff | ikefail [ -s size (Mb) ] | mon | moff >
Option                              Explanation
vpn drv < on | off | stat >         Starts or stops the VPN kernel driver, or shows its status. Setting vpn drv to off tears down all VPN tunnels; when vpn drv is set to on, all VPN tunnels are [remainder of this entry not legible in the scan].
vpn ver [-k]                        Displays the VPN version (-k: also the kernel module version)
vpn accel < on | off | stat [-l] >  Turns the VPN Accelerator Card on or off, or shows its status
vpn compreset                       Resets IP compression
vpn export_p12                      Exports a certificate to a PKCS#12 (.p12) file
VPN DEBUG ON | OFF
vpn debug on - Turn on vpn debug, and write the output to vpnd.elg.
vpn debug off - Disable vpn debug.
VPN DEBUG IKEON | IKEOFF
vpn debug ikeon - Turn on ike debug, and write the output to ike.elg.
vpn debug ikeoff - Disable ike debug.
VPN TU
vpn tu is short for vpn tunnelutil, and is useful for deleting specific IPsec or IKE SAs for a specific peer or user without interrupting other VPN activities. The vpn tu command displays a menu of options:
vpn tu Options (menu screenshot)
VPN DEBUG TRUNC
When the vpn debug on command runs, the output is written to $FWDIR/log/vpnd.elg by default. vpn debug trunc empties vpnd.elg and ike.elg, writes a time stamp, and starts vpn and ike debugging into the fresh vpnd.elg and ike.elg.
VPN ENVIRONMENT VARIABLES
Setting environment variables to enable logging should only be performed in circumstances where VPNs are failing. The following are the commands to set the variable:
WINDOWS
set VPN_DEBUG=1
UNIX
setenv VPN_DEBUG 1 (C shell); in a Bourne-style shell, export VPN_DEBUG=1
Comparing SAs
The following is a quick process to verify that you and a potential VPN partner are configured correctly:
1. Enable VPN debugging on both your and your partner's sites with vpn debug on.
2. Use vpn tunnelutil (vpn tu) to remove all SAs for either the peer with which you are about to create the tunnel, or all tunnels.
3. Have your peer initiate the tunnel from its site to yours.
4. Use vpn tunnelutil (vpn tu) to remove all SAs for either the peer with which you are about to create the tunnel, or all tunnels.
5. Initiate the tunnel from your site to your peer.
6. Disable debugging on both sites.
7. Examine ike.elg and vpnd.elg, as they now contain records of the SA sent by your NGX installation, as well as what was received from your partner site.
Troubleshooting Tables
The tables in this section present a general guideline for troubleshooting VPN-related issues:
When troubleshooting ...                       ... Use these tools
Connectivity issues:                           • Logs (SmartView Tracker, *.elg)
• Ports                                        • Ping test
• Environment path                             • fw monitor capture of traffic
• Routing                                      • ike debug
                                               • netstat -na
                                               • SmartView Monitor VPN information
Points-of-failure issues:                      • Logs (SmartView Tracker, *.elg)
• Interesting traffic                          • ike debug
• Tunnel test                                  • Peer's logs and debugs
• Routing to tunnel (for OSPF or               • fw monitor capture of traffic
  overlapping VPN Domains)                     • vpn debug
• Phases of IKE                                • kernel drop + vpn debug
• IKE-specific packets
• Authentication (pre-shared secret,
  Certificate CRLs and time-zone differences)
Configuration issues:                          • Logs (SmartView Tracker, *.elg)
• Gateway main IP                              • SmartView Monitor VPN information
• VPN Domain                                   • SmartDashboard
• Encryption details                           • Global Properties
• Rules
• VPN Community
• Network Address Translation
ENCRYPTION-TROUBLESHOOTING FLOW
The following table provides a model for troubleshooting encryption at a more granular level. Specifically, it lists issues and error messages that may occur during the VPN tunnel building process. The table is not meant as a model of how a tunnel is created, but as a guideline for examining issues that arise during that process.
If this issue arises ... / ... Check these tools for information and possible causes
Pre-IKE decisions: interesting traffic is received, and VPN-1 NGX determines how and where to send it. Factors that determine whether traffic is to be encrypted:
• VPN Domains (overlapping or not?)
• MEP configuration parameters
• Peer selection
• Link selection (which peer IP?)
Check:
• Examine SmartView Tracker for negotiation messages.
• vpnd.elg may contain information about setup failures or VPN Domain misconfigurations.
• Use fw monitor to examine the traffic for packet-level information about configuration details.
IKE packet level: VPN-1 NGX determines that this traffic will be encrypted. Issues may arise from:
• Ports open.
• Routing configuration.
• Source address of the VPN traffic.
• The Security Policy.
• Cluster configurations.
Check:
• Examine SmartView Tracker for peer information.
• vpnd.elg will not have much useful information.
• ike.elg may contain information about starting the IKE negotiation process.
• fw monitor will show Gateway traffic, which is especially useful in determining if traffic is to or from a VPN Domain.
IKE Phase 1 negotiation: the peer has been contacted and the tunnel is beginning to be built. Issues/errors seen:
• No proposal chosen
• Invalid ID
• Invalid Certificate
• Payload malformed
Check:
• Examine SmartView Tracker for IKE Phase 1 messages.
• ike.elg will contain critical information for troubleshooting these issues.
• vpnd.elg may be helpful, but is not as informative as ike.elg.
• Verify that the CRL retrieval port (TCP 18264) is available.
• Verify pre-shared secrets.
IKE Phase 2 negotiation: still building the tunnel. Issues/errors seen:
• No proposal chosen
• Invalid ID
Check:
• Examine SmartView Tracker for IKE Phase 2 messages.
• ike.elg will contain critical information for troubleshooting.
• Verify that the subnet, host address, and VPN Domain are configured correctly on both peers.
• Check max_subnet_for_range.
ESP packet flow: the IKE exchange was successful, and encrypted traffic is about to be exchanged. Issues/errors seen:
• Outbound traffic: "No valid SA for Peer", "Encryption Failure"
• Inbound traffic: "Invalid SPI"
• Encryption is OK, but there is no ... (the remainder of this entry is missing from the scan)
Check:
• ike.elg and vpnd.elg will contain information regarding SAs and SPIs.
• Run fw monitor to verify routing to and from the Gateway.
• Verify routing, SAs, and SPIs for the partner's configuration, especially in cases of cleartext traffic.
• Check implicit rules in SmartDashboard.
Q.) ... the other VPNs. How do you do this? (The beginning of this question is missing from the scan.)
A.) Run vpn tu from the NGX Gateway and delete all IPsec and IKE SAs for the given Peer (GW).
LAB 9: RUNNING IKE DEBUGGING ON A SITE-TO-SITE VPN
Scenario: In a site-to-site VPN between two cities using pre-shared secrets, run ike debug on both Gateways, and analyze the output using IKEview. Transfer ike.elg from the Gateway to the internal Web server (www.yourcity.cp) where IKEview is installed. Each city site is a distributed environment, where the city Gateway is managed by its own SmartCenter Server.
Objectives:
• Configure a site-to-site VPN using pre-shared secrets between two Gateways.
• Run vpn debug ikeon on the Gateway, using the Command Line Interface.
• Analyze ike.elg using IKEview.
Topics:
• Configuring the site-to-site VPN using pre-shared secrets and VPN Communities
• Running the vpn debug ikeon command
• Running the vpn debug ikeoff command
• Using IKEview
11. Enter the partner city's internal network object for the VPN Domain setting:
Screenshot: Externally Managed Check Point Gateway > Topology. Interfaces: eth0 172.24.104.1 / 255.255.0.0 (External); eth1 10.2.4.1 / 255.255.255.0 (This Network); eth2 192.168.22.104 / 255.255.255.0 (This Network). VPN Domain: Manually defined: Net_Madrid
Partner-City Gateway's VPN Domain
12. Click OK to exit the gateway object.
CONFIGURE VPN COMMUNITY FOR SITE-TO-SITE VPN
1. In the VPN manager, open the default meshed-community object.
2. Add your and your partner city's gateway object to the Participant Gateways.
3. Make sure VPN settings are defined as follows:
Screenshot: VPN Properties. IKE (Phase 1) Properties: Perform key exchange encryption with: AES-256; Perform data integrity with: SHA1. IPsec (Phase 2) Properties: Perform IPsec data encryption with: (value not legible in the scan); Perform data integrity with: (value not legible in the scan)
VPN Properties Screen
4. Open the Shared Secret screen (under Advanced Settings), and check the box Use only Shared Secret for all External members.
5. Enter the shared secret (abc123) for your partner city's gateway object:
Screenshot: Shared Secret screen. Use only Shared Secret for all External members (checked). Each External member will have the following secret with all internal members in this community. Peer Name: fwoslo; Shared Secret: (entered)
Shared Secret Screen
6. Select Advanced VPN Properties; make sure settings are defined as follows:
Screenshot: Advanced VPN Properties. IKE (Phase 1): Use Diffie-Hellman group: (value not legible in the scan); Renegotiate IKE security associations every 1440 minutes; Use aggressive mode. IPsec (Phase 2): Use Perfect Forward Secrecy; Renegotiate IPsec security associations every 3600 seconds; Support IP compression. Disable NAT inside the VPN community
Advanced VPN Properties Screen
7. Click OK.
CONFIGURE LOCAL GATEWAY OBJECT AND RULE BASE
1. Verify that the network object for your city site's internal network object (for example, net oslo for the fwoslo gateway) is selected as the VPN Domain in the Topology screen of your city's gateway object.
2. Click OK.
ENABLE IKE DEBUG
1. Log in to your city's Gateway via SSH, or locally via the console.
2. Change to Expert Mode and run cd $FWDIR/log to change to the $FWDIR/log directory.
3. Run less ike.elg to view the contents of ike.elg.
4. Run vpn debug trunc, to clear ike.elg.
5. Run less ike.elg. The file should display:
IKE logging started.
6. Run vpn debug ikeon to enable ike debug.
7. In SmartDashboard, add a rule like the following to your Rule Base after the Stealth Rule:
No. | Source | Destination | VPN        | Service | Action | Track
1   | Any    | Any         | MyIntranet | Any     | accept | Log
VPN Rule
8. Install the Security Policy.
9. Initiate Ping, and connect via HTTP to the internal Web server on your partner's city site.
10. From your Gateway's console, run the command to disable ike debug:
vpn debug ikeoff
11. Transfer ike.elg to your Web server, where the IKEview utility is installed.
ANALYZE IKE.ELG IN IKEVIEW
1. Open IKEview on the desktop of the internal Web server (www.yourcity.cp).
2. Select the ike.elg file you just transferred from the Gateway.
3. Review the total packets in Main and Quick mode.
4. Open Main mode packet 1 > Security Association > prop1 PROTO_ISAKMP > tran1 KEY_IKE. Verify that the encryption algorithm and hash method match the Phase 1 configuration in the mesh-community object's VPN Properties and Advanced VPN Properties.
5. In the KEY_IKE section, verify that the authentication method, group description, life type, and life duration match the Phase 1 configuration in the mesh-community object's Advanced VPN Properties: the authentication method should be Pre-shared key, the group description should be the IKE (Phase 1) Diffie-Hellman group, and the life duration is the IKE SA renegotiation interval expressed in seconds (1440 minutes appears as 86400). These are Phase 1 parameters; the Phase 2 settings appear in the Quick mode packets.
6. In Quick mode packet 1, first ID field, verify that the IP address and netmask in the ID Data section in the right pane match the local network object in your city site. The network object should be entered as the VPN Domain in your gateway object's Topology screen.
7. In Quick mode packet 1, second ID field, verify that the IP address and netmask in the ID Data section in the right pane match the VPN Domain settings you defined for your partner-city Gateway. For example, as shown below, the peer's VPN Domain is 10.2.4.0, with subnet mask 255.255.255.0. This configuration should be reciprocal on the peer's side.
Screenshot (IKEview): 172.24.104.1 > Quick Mode > QM packet 1 (13:58:46) - (10.2.2.0 255.255.255.0) - (10.2.4.0 255.255.255.0) > ID. Length: 00 10 (16); ID type: ID_IPV4_ADDR_SUBNET; Service type: Not specified (0); Service port: Not specified (0)
Quick Mode Packet 1 — ID_2 Field
Review
• IKE negotiation consists of two phases: Phase 1 (Main mode) and Phase 2 (Quick mode).
• When troubleshooting IKE VPN issues, the first step is to verify in SmartView Tracker that IKE packets are arriving at the VPN Gateway.
• If no packets are listed in SmartView Tracker, use fw monitor to verify whether VPN traffic is arriving at the Gateway.
• Use vpn debug ikeon to run IKE debugging on a VPN tunnel. Examine the ike.elg file for the captured debugging information.
• vpn tu (the VPN tunnel utility) can be used to reset IKE SAs when testing a tunnel.
• IKE Phase 1 consists of six packets, in which the encryption and hash methods are negotiated, the peers authenticate each other, and the first DH key is determined.
• IKE Phase 2 consists of three packets, in which the IPsec SAs are negotiated, the keys for encrypting data are derived from the Phase 1 secret, and (when Perfect Forward Secrecy is enabled) a second DH key is determined.
• ike.elg and vpnd.elg are the VPN log files.
• The vpn command has many subcommands that can be used to troubleshoot VPN-related issues.
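The review question that follows asks why a Phase 1 negotiation can stop after packet 5. The toy exchange below is an added example, not Check Point code, that walks the six Main mode packets of RFC 2409 with pre-shared-key authentication and shows the mechanism: each side derives SKEYID from its own copy of the secret, so a mismatch is only detected when the responder checks HASH_I in packet 5, and it then never sends packet 6. The Diffie-Hellman prime, the fixed SA payload bytes and the absence of encryption on packets 5 and 6 are simplifications assumed by this example only.

```python
"""Toy IKEv1 Main mode (RFC 2409) with pre-shared-key authentication.

Added example, not Check Point code. Assumptions: a tiny DH prime so the script
runs instantly (real IKE uses the MODP groups of RFC 2409/3526), a fixed byte
string standing in for the SA payload, and no encryption of packets 5 and 6.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

TOY_P = (1 << 64) - 59                  # prime, but far too small for real use
TOY_G = 2
SA_BODY = b"3DES/SHA1/group2/psk/86400"  # stand-in for the SA payload of packet 1


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf for HASH_SHA is HMAC-SHA1 (RFC 2409, section 4)."""
    return hmac.new(key, data, hashlib.sha1).digest()


@dataclass
class Peer:
    name: str
    psk: bytes
    ident: bytes                         # ID payload body (e.g. an IPv4 address)
    cookie: bytes = field(default_factory=lambda: secrets.token_bytes(8))
    nonce: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    dh_priv: int = field(default_factory=lambda: secrets.randbelow(TOY_P - 2) + 1)

    @property
    def dh_pub(self) -> bytes:
        return pow(TOY_G, self.dh_priv, TOY_P).to_bytes(8, "big")

    def skeyid(self, ni: bytes, nr: bytes) -> bytes:
        """Pre-shared-key method: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)."""
        return prf(self.psk, ni + nr)


def hash_i(skeyid, gxi, gxr, cky_i, cky_r, id_i):
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)."""
    return prf(skeyid, gxi + gxr + cky_i + cky_r + SA_BODY + id_i)


def hash_r(skeyid, gxi, gxr, cky_i, cky_r, id_r):
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    return prf(skeyid, gxr + gxi + cky_r + cky_i + SA_BODY + id_r)


def main_mode(init: Peer, resp: Peer):
    """Run Main mode. Returns (packets_sent, status, skeyid_d_or_None)."""
    sent = ["MM1 SA proposal", "MM2 SA accepted", "MM3 KE Ni", "MM4 KE Nr"]
    gxi, gxr = init.dh_pub, resp.dh_pub
    ni, nr = init.nonce, resp.nonce
    # Each side derives SKEYID from its own copy of the secret; the secret itself
    # is never sent, so a mismatch only shows up when a HASH payload is checked.
    skeyid_i, skeyid_r = init.skeyid(ni, nr), resp.skeyid(ni, nr)
    # MM5: initiator sends IDii and HASH_I; responder recomputes HASH_I.
    sent.append("MM5 IDii HASH_I")
    h_i = hash_i(skeyid_i, gxi, gxr, init.cookie, resp.cookie, init.ident)
    if not hmac.compare_digest(h_i, hash_i(skeyid_r, gxi, gxr, init.cookie, resp.cookie, init.ident)):
        return sent, "failed: responder cannot verify HASH_I (shared secret mismatch), no MM6", None
    # MM6: responder sends IDir and HASH_R; initiator verifies it.
    sent.append("MM6 IDir HASH_R")
    h_r = hash_r(skeyid_r, gxi, gxr, init.cookie, resp.cookie, resp.ident)
    if not hmac.compare_digest(h_r, hash_r(skeyid_i, gxi, gxr, init.cookie, resp.cookie, resp.ident)):
        return sent, "failed: initiator cannot verify HASH_R", None
    # The DH result g^xy only enters the keying material now, via SKEYID_d,
    # from which the Phase 2 (IPsec) keys are later derived.
    shared = pow(int.from_bytes(gxr, "big"), init.dh_priv, TOY_P).to_bytes(8, "big")
    skeyid_d = prf(skeyid_i, shared + init.cookie + resp.cookie + b"\x00")
    return sent, "Phase 1 established", skeyid_d


if __name__ == "__main__":
    oslo = Peer("fwoslo", b"s3cret", b"\xac\x16\x66\x01")
    for psk in (b"s3cret", b"wr0ng"):
        packets, status, _ = main_mode(oslo, Peer("fwmadrid", psk, b"\x0a\x02\x04\x66"))
        print(len(packets), "packets:", status)
```

With matching secrets all six packets are exchanged; with a mismatch the trace ends at MM5, which is exactly what the ike.elg of the initiator shows in the review question, and it is why the symptom alone cannot distinguish a wrong shared secret from a rejected certificate (both are checked at the same step).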
Review Questions
1. A VPN between your site and a partner is failing. Looking in SmartView Tracker, you see IKE packets are being received by your Gateway, but negotiations are failing in Phase 1. You run vpn debug, which shows that there are no packets after packet 5 from your machine. Which of the following is a possible cause of the failure?
A.) The Certificate being used for authentication is invalid.
B.) The shared secret being used for authentication is incorrect.
C.) Given the amount of information, A or B could be correct.
Review Answers
1. A VPN between your site and a partner is failing. Looking in SmartView Tracker, you see IKE packets are being received by your Gateway, but negotiations are failing in Phase 1. You run vpn debug, which shows that there are no packets after packet 5 from your machine. Which of the following is a possible cause of the failure?
C.) Given the amount of information, A or B could be correct.
2. The Quick mode packet 1 error "No Proposal Chosen" can be caused by all of the following, except?
D.) The peer is using a different encryption algorithm.
CHAPTER 9: TROUBLESHOOTING AND DEBUGGING SECUREMOTE/SECURECLIENT
As an aid for troubleshooting and debugging, the stages of site-topology download and tunnel setup, and the various connection flows between a Gateway and VPN-1 SecureClient, can be identified. The traffic can be captured at a lower level than what is observable in logs, using the ike debug, sr_service debug, and srfw monitor commands.
Objectives
1. Identify necessary ports and their functions when VPN-1 SecuRemote/SecureClient connects to sites.
2. Identify packet flows during SecuRemote/SecureClient connection stages.
3. Use srfw monitor to capture traffic on SecureClient, and fw monitor on a Security Gateway.
4. Use ike debug to capture ike.elg data.
5. Analyze ike.elg in IKEview.
Key Terms
• sr_service
• srfw monitor
• srfw ctl debug
• sc debug on
• sc log
NECESSARY PORTS
The following table lists the ports used by VPN-1 SecuRemote/SecureClient, as seen on the network. These ports must be open on the NGX Gateway to which SecureClient connects, and also on any intermediate devices.
If control connections are enabled in the Security Policy's Global Properties, all of the following ports are opened automatically, except UDP 2746. If you do not have control connections enabled in Global Properties, these ports will need to be specified in the Rule Base.
Port                Purpose
TCP 264             Topology download
UDP 259             RDP (necessary only for MEP resolving and dynamic interface resolving)
UDP 500             IKE
TCP 500             IKE over TCP (if this option is set)
TCP 18231           Policy Server login (seen on the network using SSL if SecureClient has an IP address in the VPN Domain; not necessary to open this port if SecureClient is not in the VPN Domain)
IP protocol 50      ESP (the actual encrypted data; not necessary to allow this if using UDP encapsulation)
UDP 2746            UDP encapsulation (encapsulates protocol 50 ESP packets)

In Visitor Mode, the whole session is tunnelled over a single TCP port, 80 or 443, so only that port is open.

Ports used inside the tunnel:

Port                Purpose
UDP 18234           Tunnel test
TCP 18231           Policy Server login (if the SecureClient address is not in the VPN Domain)
UDP 18233           SCV update
PACKET FLOW

LINK SELECTION FOR REMOTE ACCESS
Overview
In VPN-1/FireWall-1 4.0 and 4.1, the IP address on the General tab of a firewalled gateway object is considered the "main" IP. SecuRemote/SecureClient learns the main IP from the userc.C file when it downloads the site, and always sends IKE and subsequent packets to the main IP. Check Point recommends using the external IP address in the General tab.
In some cases, the internal or private IP address needs to be the main IP, for example because of control-connection or routing issues. Sometimes the firewall has no public IP address at all, because it is behind a NAT device, and SecuRemote/SecureClient traffic must enter through a DMZ or internal WAN interface. In these situations SecuRemote/SecureClient must address its packets to one of the firewall's internal interfaces, and the need for interface resolving arises.
STATIC-INTERFACE RESOLVING
IP address ranges are calculated for each firewall interface from the Topology screen (including "this network" and any groups defined). These allowed interface ranges are downloaded to userc.C when a site is created or updated. SecuRemote/SecureClient chooses the range to which its own physical IP belongs, then attempts to connect to the corresponding interface. Static-interface resolving is controlled by the property :resolve_interface_ranges in objects.C (VPN-1/FireWall-1 4.1) or objects_5_0.C (VPN-1/FireWall-1 NG and above), and is on by default. The disadvantages of static-interface resolving are as follows:
• SecureClient may choose the wrong interface, if the Gateway has multiple external interfaces.
• SecureClient may choose the wrong interface, because its own physical IP (behind NAT) happens to fall into the wrong allowed interface range.
• Static-interface resolving does not accommodate firewalls that are statically translated behind an Internet router.
Link-Selection Methods in VPN-1 NGX
In VPN-1 NGX, all of the above link-selection methods can be configured on the Gateway object > VPN > Link Selection screen. The settings on this screen apply to both peer-to-peer and client-to-site VPNs:
[Link Selection screen (Gateway object > VPN > Link Selection). IP Selection by Remote Peer: "Locally managed VPN peers will determine this gateway's IP address using one of the following methods": Always use this IP address (Main address / Selected address from topology table / Statically NATed IP); Calculate IP based on network topology; Use DNS resolving; Use a probing method. Outgoing Route Selection: "When initiating a tunnel the outgoing interface will be selected by the operating system"; Source IP address settings. Tracking: Outgoing link tracking: None.]
Link Selection Screen
GATEWAY WITH SINGLE EXTERNAL INTERFACE
The simplest scenario is when an NGX Gateway has only one external IP address. There are three possible ways to configure this on the gateway object's VPN > Link Selection screen:
1. Main address: The IP address on the General Properties screen will be used by SecuRemote/SecureClient to connect. When the main IP is selected as the link-selection method, the :ip_resolution_mechanism property under the gateway-object section of objects_5_0.C has the main-IP value, as shown below:
[objects_5_0.C excerpt, gateway-object section: accept_3des_for_clientless_vpn (true), apply_resolving_mechanism_to_SR (true), available_VPN_IP_list (), clientless_VPN_ask_user_for_certificate (none), disable_no_sa_logs_for_user (true), dns_IP_resolution (), enable_internet_routing (false), enable_routing (true), fw_wire_log (false), ike_support_nat_t (true), interface_resolving_ha_primary_if (), ip_resolution_mechanism (main-IP value), ipsec.copy_TOS_to_inner (false), ipsec.copy_TOS_to_outer (true), ipsec_dont_fragment (true), isakmp.allowed_ca (), isakmp.authmethods (), isakmp.dn (), isakmp.dns_name (), isakmp.do_dns_resolve (false), isakmp.email ().]
ip_resolution_mechanism in objects_5_0.C
When a SecuRemote/SecureClient downloads a site, it downloads userc.C. In the userc.C file, the :allowed_interface_ranges property will show the main IP address specified in the gateway object:
    :keep_IP_flag_SR (false)
    :copy_DF_flag_SR (false)
    :allowed_interface_ranges (
        : (172.22.102.1
            :allowed_range (
                : (
                    :type (machines_range)
                    :ipaddr_first (0.0.0.0)
                    :ipaddr_last (255.255.255.255)
                )
            )
            :isext (true)
            :isnatted (false)
        )
    )
    :resolve_interface_ranges (true)
    :peers ()
    :gw_support_natt (true)
allowed_interface_ranges in userc.C
2. Selected address from the topology table: You can specify an IP address from the Topology screen. SecuRemote/SecureClient will try to connect to that IP as long as routing allows. After connecting, all VPN traffic to the VPN Domain is sent through this specific interface. When a specific IP address is selected as the link-selection method, the :ip_resolution_mechanism property's value in objects_5_0.C is single_VPN_IP, and userc.C carries that specific IP address in the :allowed_interface_ranges property.
3. IP with Static NAT, if the gateway-object has NAT applied to it.
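The static-interface resolving described above, and the :allowed_interface_ranges fragment of userc.C shown with it, can be reproduced in a few lines. The script below is an added example, not Check Point code: it parses the Check Point ".C" set syntax, extracts the allowed ranges, and applies the rule "choose the interface whose range contains the client's own physical IP". The userc.C text is constructed for the example (a catch-all range on the external interface plus a 10.2.0.0/16 range on an internal one), and breaking ties by the narrowest matching range is an assumption of this example; the last case shows the NAT failure mode listed in the disadvantages.

```python
"""Static-interface resolving from a userc.C fragment (added example, not Check Point code).

The USERC_C text is constructed for this example. The tie-break rule (narrowest
matching range wins) is an assumption of this example, not documented behaviour.
"""
import ipaddress
import re
from dataclasses import dataclass

USERC_C = """
:allowed_interface_ranges (
    : (172.22.102.1
        :allowed_range (
            : (
                :type (machines_range)
                :ipaddr_first (0.0.0.0)
                :ipaddr_last (255.255.255.255)
            )
        )
        :isext (true)
        :isnatted (false)
    )
    : (10.2.2.1
        :allowed_range (
            : (
                :type (machines_range)
                :ipaddr_first (10.2.0.0)
                :ipaddr_last (10.2.255.255)
            )
        )
        :isext (false)
        :isnatted (false)
    )
)
:resolve_interface_ranges (true)
:peers ()
"""

TOKEN = re.compile(r"\(|\)|:[A-Za-z0-9_]*|[^\s()]+")


def parse_set(text):
    """Parse the Check Point .C set syntax into nested (key, value) pairs.

    A value is an atom string, or a (head, children) tuple where head is the optional
    atom after the opening parenthesis (the interface IP in ': (172.22.102.1 ...)')
    and children is a list of (key, value) pairs. ': (' yields an empty key.
    """
    tokens = TOKEN.findall(text)

    def entries(i):
        items = []
        while i < len(tokens) and tokens[i] != ")":
            if not tokens[i].startswith(":") or tokens[i + 1] != "(":
                raise ValueError(f"expected ':key (' at token {i}: {tokens[i]!r}")
            key, i = tokens[i][1:], i + 2
            head = None
            if tokens[i] not in ("(", ")") and not tokens[i].startswith(":"):
                head, i = tokens[i], i + 1
            children, i = entries(i)
            if i >= len(tokens) or tokens[i] != ")":
                raise ValueError(f"unbalanced parentheses in :{key}")
            i += 1
            items.append((key, head if head is not None and not children else (head, children)))
        return items, i

    items, i = entries(0)
    if i != len(tokens):
        raise ValueError("unexpected ')' at top level")
    return items


@dataclass(frozen=True)
class InterfaceRange:
    interface_ip: str
    first: ipaddress.IPv4Address
    last: ipaddress.IPv4Address
    is_external: bool

    def contains(self, ip):
        return self.first <= ip <= self.last

    @property
    def width(self):
        return int(self.last) - int(self.first)


def interface_ranges(parsed):
    """Flatten :allowed_interface_ranges into InterfaceRange records."""
    ranges = []
    for key, value in parsed:
        if key != "allowed_interface_ranges":
            continue
        for _, (iface_ip, props) in value[1]:
            flags = {k: v for k, v in props if isinstance(v, str)}
            for k, v in props:
                if k != "allowed_range":
                    continue
                for _, (_, fields) in v[1]:
                    f = dict(fields)
                    ranges.append(InterfaceRange(iface_ip,
                                                 ipaddress.IPv4Address(f["ipaddr_first"]),
                                                 ipaddress.IPv4Address(f["ipaddr_last"]),
                                                 flags.get("isext") == "true"))
    return ranges


def resolve_interface(client_ip, ranges):
    """Pick the interface whose allowed range contains the client's own physical IP."""
    ip = ipaddress.IPv4Address(client_ip)
    matches = [r for r in ranges if r.contains(ip)]
    return min(matches, key=lambda r: r.width).interface_ip if matches else None


RANGES = interface_ranges(parse_set(USERC_C))

if __name__ == "__main__":
    # 10.2.9.7 is a home user whose NATed LAN address happens to fall in 10.2.0.0/16.
    for client in ("198.51.100.7", "10.2.4.104", "10.2.9.7"):
        print(client, "->", resolve_interface(client, RANGES))
```

The first two clients resolve as intended (Internet client to the external interface, LAN client to the internal one). The third, a remote user behind a NAT whose private address overlaps the internal range, is steered to 10.2.2.1, which it cannot reach: that is the second disadvantage above, and the reason NGX replaced this with explicit link selection.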
GATEWAY WITH MULTIPLE EXTERNAL INTERFACES
If an NGX Gateway has multiple external interfaces, use ongoing probing. SecureClient probes all interfaces listed in the object's Topology and connects to the first one that responds. SecureClient stays connected to that IP until it stops responding.
Link-selection method configured     Connect to pre-NGX Gateway
Main address                         Main address
Selected address from topology table Ongoing probing
Static NAT                           Ongoing probing
Calculate IP based on network topology Main IP
Use DNS                              Ongoing probing
Ongoing probing                      Ongoing probing
One-time probing                     One-time probing
SECUREMOTE/SECURECLIENT DEBUGGING TOOLS
cpinfo
3. Run from the place where the cpinfo.exe is located while the SecureClient is running:
cpinfo -o output_file
4. cpinfo output can be viewed in InfoView.
IKE debug
One option for debugging is to run IKE debug:
1. Stop SecureClient by right-clicking the SecureClient icon in the system tray.
2. Create an empty file fwike_debug.all in the root directory, usually C:\.
3. Start SecureClient.
4. ike.elg is created in $SRDIR\log, which is usually located in c:\Program Files\CheckPoint\SecuRemote\log.
5. To stop IKE debug, stop SecureClient, delete fwike_debug.all, and restart SecureClient.
ike.elg can be opened and analyzed using the IKEview utility.
sc log Debug
sc log debug writes to, and also cleans, the following files:
sr_service_tde.log
sr_gui_tde.log
sr_watchdog_tde.log
To enable the debug and restart the SecureClient service in one step, run sc debug on -c.
To enable sc log debug without restarting the SecureClient service, run:
sc log on
To disable sc log debug without restarting the SecureClient service, run:
sc log off
For sc log on and sc log off to take effect, the files fwike_debug.all and sr_tde.all must exist under the root directory.
srfw ctl Debug
Kernel debugging on SecureClient is similar to kernel debugging on an NGX VPN-1 Gateway. Kernel debugging is useful mainly to debug dropped packets. From $SRDIR\bin, run these commands:
1. To clear any previous debug options, run srfw ctl debug 0.
2. To set the buffer size, run srfw ctl debug -buf 4096.
3. Specify debug options by running srfw ctl debug -m <module> <option>.
4. Start the debug and write to the output file, by running srfw ctl kdebug -f > <filename>.
5. Use CTRL + C to stop the debug.
6. For example, to debug dropped packets, run srfw ctl debug -m fw drop. To list the available modules and their options, run srfw ctl debug -m.
ENHANCED DEBUGGING TOOL
Since SecuRemote/SecureClient NG with Application Intelligence R56, an enhanced debugging tool has been available in the SecuRemote/SecureClient GUI. No Command Line Interface is necessary.
1. In the SecureClient Settings > Advanced screen, click the button Enable logging.
2. Restart the SecureClient.
3. Recreate the problem, and test traffic.
4. From the Settings > Advanced screen, click the Save logs button.
5. A .tgz file with a time and date stamp is saved in the UserLogs folder in the user's Temp folder (e.g., C:\Documents and Settings\johndoe\Local Settings\Temp\UserLogs\SC_logs_xxxxx.tgz).
[Windows Explorer screenshot of C:\Documents and Settings\tchung\Local Settings\Temp\UserLogs, showing a 1 KB text document and a 313 KB SC_logs_16_Nov_... .tgz archive dated 11/16/2005.]
SecureClient .tgz Output
The . tgz file contains the following debugging information:
• Installation log
• ipconfig output
• Routing-table data
• ike.elg
• Three .tde log files
• userc.C
• Time-stamp file
[Archive listing of the .tgz file: AutoPlay_NGX_R60.elg, DTApi.log, ErrorDescription.txt, fwkern.txt, install_cpinfo_R55W.elg, install_fwgui_DAL.elg, install_fwgui_R60.elg, install_securemote_R56.elg, install_securemote_R60.elg, ipconfig.txt, route.txt, sr_gui_tde.log, sr_service_tde.log, sr_watchdog_tde.log, Temp_log.tar, time.txt, uninstall_fwgui_R60.elg, userc.C (18 files, 4,924 KB).]
R56 Logging Files
6. To disable logging, clear the box Enable logging in the Settings > Advanced screen.
7. Stop and start the SecureClient.
This debug does not include srfw monitor, cpinfo, or kernel debug.
TROUBLESHOOTING TABLE
This table is an example of the flow for troubleshooting a remote-access issue. This table is not meant as a model of a SecuRemote connection setup, but uses that as a guideline for troubleshooting specific issues.
If this issue arises during ...            ... examine these possible causes and check the listed tools

SecureClient version
• Installation issues
• Compatibility with Gateway versions (feature changes)
• Operating-system compatibility

Site creation (topology download and requirements for connection)
• Verify that the topology is exportable for SecuRemote/SecureClient.
• Verify necessary ports are open.
• Verify split DNS configuration.
• Confirm in userc.C: preferred Gateway, connection options, Gateway IPs, available profiles, Policy Server IP.

Pre-IKE decisions (Interesting traffic is received from SecuRemote/SecureClient; VPN-1 NGX determines how and where to send the traffic.)
• Method of encryption
• Partially overlapping VPN Domains may cause errors
• Peer selection for Multiple Entry Point (MEP) configurations
• Link selection
• Mode selection: Connect/AutoConnect Mode

... will be encrypted).
• Verify the path to the Gateway is open (if ...
• Verify IKE over TCP ports are open.
• Verify UDP encapsulation ports are open (if necessary).
• Verify routing.
• Verify security or SecureClient ...
• Verify NAT-T ports or MEP are configured in userc.C.
Phase 1/authentication (The Gateway has been contacted, and is beginning to build the tunnel.)
• Verify Phase 1 completes.
• Verify authentication works for the user without SecuRemote/SecureClient configured.
• Verify the authentication method is supported with IKE and the Gateway.
• Verify the third-party authentication server.
• Verify IKE over TCP is enabled. (IKE over TCP avoids UDP fragmentation of Main mode packet 6 when it carries large Certificates or Certificate Revocation Lists.)
• Verify whether Visitor Mode is enabled. (This encapsulates the entire session over port 80 or 443, when behind a proxy or restricted gateway.)
• Verify the internal/third-party CA and Certificate generation/distribution/CRL.
• Refer to fw monitor, srfw monitor, and IKE debug logs for more data.
• Verify Office Mode: ipassignment.conf, RADIUS, DHCP, IP pool configuration.
Encrypted data (The IKE exchange was successful, and encrypted traffic is going to be exchanged.)
• While this phase is also hidden by the virtual machine, some data can still be gathered from other sources.
• Use fw monitor for viewing ESP packets (IP protocol 50) to and from the SecureClient.
• Verify that UDP encapsulation port 2746 (the Check Point proprietary port) is open.
• Verify the tunnel-test port is open (port 18234).
• Verify the NAT-T port (UDP 4500, the industry standard for UDP encapsulation) is open.
• Verify dynamically assigned IP (DAIP) routing is configured.
• Verify routing to the hub Gateway in MEP configurations.
• Verify the Office Mode IP for MEP configurations is routing to the correct chosen Gateway.
• Check SmartView Tracker for Secure Configuration Verification (SCV) drops, as well as SCV log checks.
• Check SmartView Tracker for Policy Server login and download notification.
LAB 10: OBSERVING IKE NEGOTIATION BETWEEN A GATEWAY AND SECURECLIENT
Scenario: To observe IKE negotiations between an NGX Gateway and SecureClient, you will run ike debug on the Gateway and SecureClient at the same time, and analyze the output using IKEview. In this lab, you and your partner will alternate roles. One side will be the SecureClient, while the other will be the site to which the SecureClient connects. SecureClient is installed on the Windows machine behind your Gateway (for example, weboslo). You are going to create a site and connect to your partner's city site, while both sides are running debugging sessions. Once the debugging sessions are captured, each side will then reverse roles, repeat the debugging from the other side, then examine the debugging sessions.
Objectives:
• Run ike debug on the SecureClient desktop.
• Run ike debug on the NGX Gateway.
• Analyze IKE negotiation using the IKEview utility.
Topics:
• Enabling Office Mode on the Gateway
• Creating the SecureClient user
• Configuring the Remote Access Community
• Installing the open Policy
• Enabling Office Mode on the SecureClient desktop
• Starting IKE debug on the Gateway and SecureClient
• Stopping IKE debug on the Gateway
• Analyzing ike.elg files in IKEview
DETERMINE ROLES FOR THE LAB SCENARIO
... site. If you are the site, skip to ...

GATEWAY SIDE: ENABLE OFFICE MODE ON THE GATEWAY
1. ...
2. In ...
3. ... Remote Access > Office Mode ... to all users ... Office Mode: Using one of the following methods > IP Pool ...
   Office_Net: 10.x.x+1.0, where x is the second octet of your internal network and x+1 is the third octet + 1 of the network's ... Net ...
4. ...
5. Click OK to ...; click OK to ...
   Example: Net_Oslo is 10.2.2.0; Office_Net for Oslo is 10.2.3.0, netmask 255.255.255.0.

GATEWAY SIDE: CREATE THE SECURECLIENT USER
...
3. Click OK to close the ...

GATEWAY SIDE: CONFIGURE THE REMOTE ACCESS COMMUNITY
1. ...
2. ...
3. ...
4. ... the VPN ... tab of the ... All Users is in ... User ... Net_Oslo ...

CLIENT SIDE: INSTALL OPEN POLICY
... rule to ...
1. ...
2. ...
3. ...

CLIENT SIDE: ENABLE OFFICE MODE ON THE SECURECLIENT DESKTOP
1. Right-click ...
2. Click the P...
3. Click the A...
4. Check the b...
5. Click OK.

GATEWAY SIDE: START IKE DEBUG ON THE GATEWAY
IKE debug on your city ...
1. Log in to ...
2. Run the ... vpn debug ...

CLIENT SIDE: START IKE DEBUG ON SECURECLIENT
1. ... tray.
2. Create an ... in C:\.
3. ...
4. ...
5. Enter ...
6. Open ... in C:...
7. To s... to ... VPN ...

GATEWAY SIDE: STOP IKE DEBUG ON THE GATEWAY
After your partner city's ... running vpn debug ... stop vpn debug by ...
CLIENT SIDE: TRANSFER IKE.ELG FROM SECURECLIENT TO YOUR PARTNER SITE
An FTP server is installed on the Windows machine behind each city site's Gateway.
1. From your SecureClient machine, open an FTP session and log in to your partner city's FTP server.
2. Type binary.
3. Type hash.
4. Type put ike.elg.
5. Exit the FTP session.
REVERSE ROLES
Each side will now perform the steps for the other side of the connection.
ANALYZE IKE.ELG FILES IN IKEVIEW
Using IKEview, analyze your Gateway's ike.elg, and the ike.elg from your partner city's SecureClient.
Continue to next lab.
LAB 11: RUNNING SRFW MONITOR
Scenario: Continuing from the last lab, the site that was the SecureClient will continue in that role for the lab. Once each side has completed its capture, each side will switch roles and repeat the procedures for the other side. In this lab, each side will run srfw monitor on the SecureClient desktop and fw monitor on the corresponding NGX Gateway, and will analyze output using Ethereal.
Objectives:
• Run srfw monitor on the SecureClient desktop.
• Run fw monitor on the corresponding Gateway.
• Analyze both monitor outputs in Ethereal.
Topics:
• Running fw monitor on the NGX Gateway
• Running srfw monitor on the SecureClient desktop
• Stopping fw monitor on the Gateway
• Analyzing srfw monitor output using Ethereal
• Analyzing fw monitor using Ethereal
GATEWAY SIDE: RUN FW MONITOR ON NGX GATEWAY
1. Run fw monitor, filtering on the SecureClient's physical and Office Mode IP addresses, and write the capture to a file:
fw monitor -e "accept src=<physical IP> or src=<Office Mode IP> or dst=<physical IP> or dst=<Office Mode IP>;" -o monitor_gateway_yourcity.out
CLIENT SIDE: RUN SRFW MONITOR ON SECURECLIENT DESKTOP
1. ...
2. On the ...
3. ... in the VPN ... Use FTP or HTTP ... Web ... (CLI) and ... to ...
4. The ... (srfw monitor output fragments: "[ 3684]", "426 [ 2952]", "(from command ...", "(control-C to ...", "sig 2")
5. Test traffic by FTP or HTTP ... Web ...; ... CTRL + C keys in the CLI.

GATEWAY SIDE: STOP FW MONITOR ON THE GATEWAY
... CTRL + C) in the CLI to ... fw monitor.

REVERSE ROLES
ANALYZE SRFW MONITOR OUTPUT IN ETHEREAL
1. Open srfw monitor output using Ethereal:
[Ethereal screenshot of the srfw monitor capture: frames 48-58 alternate between 10.2.4.104 <-> 172.22.102.1 (ESP, SPI=0x1cdcc810 outbound and SPI=0x52cf04e4 inbound) and 10.2.3.1 <-> 10.2.2.102 (TCP 1378 > http [SYN], GET / HTTP/1.1). Frame 55 detail: Internet Protocol Src 10.2.3.1, Dst 10.2.2.102; Transmission Control Protocol Src Port 1378, Dst Port http (80), Seq 0, Len 0.]
srfw monitor Output
2. Identify the changes in source and destination addresses as a packet leaves the SecureClient to access the VPN Domain's internal Web server. In the screenshot above, notice that at o (lowercase) the source address is the Office Mode IP 10.2.3.1 and the destination is 10.2.2.102, weboslo. As the packet leaves the SecureClient at O (uppercase), the source address changes to the SecureClient machine's physical IP address (10.2.4.104 in the capture) and the destination is fwoslo's external interface, 172.22.102.1.
3. Identify the interface direction for outbound and inbound traffic. For example, for outbound traffic as on lines 55 and 56 (in the No. column), the interface directions are o and O; for inbound traffic on lines 57 and 58, the interface directions are i and I.
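The address change between the o and O capture points (and back between i and I) is exactly what a script can check once the captures are long. The example below is added here and is not Check Point code: it parses lines in the classic fw monitor text layout ("<iface>:<dir>[<len>]: <src> -> <dst> (<proto>) ..."), pairs each pre-encryption packet with the post-encryption packet that follows it, and flags any packet that left the client without ESP or UDP encapsulation. The capture lines are constructed for the example and mirror the lab (Office Mode IP 10.2.3.1, physical IP 10.2.4.104, Gateway 172.22.102.1); the last two lines are a deliberately constructed cleartext leak, and an exact format match to a given release is not claimed.

```python
"""Pair inner (cleartext) and outer (ESP) packets in srfw monitor / fw monitor text output.

Added example, not Check Point code. SAMPLE is constructed for this example; the
line layout is the classic fw monitor text format and is an assumption here.
"""
import re
from dataclasses import dataclass

SAMPLE = """\
eth0:o[48]: 10.2.3.1 -> 10.2.2.102 (TCP) len=48 id=48771
TCP: 1378 -> 80 .S.... seq=2300d80f ack=00000000
eth0:O[100]: 10.2.4.104 -> 172.22.102.1 (ESP) len=100 id=48772
eth0:i[100]: 172.22.102.1 -> 10.2.4.104 (ESP) len=100 id=1022
eth0:I[48]: 10.2.2.102 -> 10.2.3.1 (TCP) len=48 id=1022
TCP: 80 -> 1378 .S..A. seq=7c1e0001 ack=2300d810
eth0:o[40]: 10.2.3.1 -> 10.2.2.102 (TCP) len=40 id=48773
eth0:O[40]: 10.2.3.1 -> 10.2.2.102 (TCP) len=40 id=48773
"""

HEADER = re.compile(
    r"^(?P<iface>\S+):(?P<dir>[iIoO])\[\d+\]: (?P<src>\S+) -> (?P<dst>\S+) \((?P<proto>\w+)\)")

# Outer packets are encrypted as IP protocol 50 (ESP) or wrapped in UDP
# (port 2746 Check Point encapsulation, or NAT-T on UDP 4500).
ENCAPSULATED = {"ESP", "UDP"}


@dataclass
class Packet:
    iface: str
    direction: str   # i = before inbound inspection, I = after; o = before outbound, O = after
    src: str
    dst: str
    proto: str
    line_no: int


def parse_monitor(text):
    """Keep only the IP header lines; TCP/UDP detail lines are skipped."""
    packets = []
    for n, line in enumerate(text.splitlines(), 1):
        m = HEADER.match(line)
        if m:
            packets.append(Packet(m["iface"], m["dir"], m["src"], m["dst"], m["proto"], n))
    return packets


def pair_tunnel_hops(packets):
    """Pair o with the O that follows it (inner then outer) and i with the I that
    follows it (outer then inner). On the client, lowercase shows Office Mode
    addresses and uppercase shows the physical/Gateway addresses."""
    pairs = []
    for first, second in zip(packets, packets[1:]):
        if first.direction == "o" and second.direction == "O":
            pairs.append({"flow": "outbound", "inner": first, "outer": second})
        elif first.direction == "i" and second.direction == "I":
            pairs.append({"flow": "inbound", "outer": first, "inner": second})
    return pairs


def check_tunnel(pairs, office_mode_ip, physical_ip, gateway_ip):
    """Return one finding per hop that does not match the expected tunnel layout."""
    findings = []
    for p in pairs:
        inner, outer = p["inner"], p["outer"]
        outbound = p["flow"] == "outbound"
        if outer.proto not in ENCAPSULATED:
            findings.append(f"line {outer.line_no}: {p['flow']} packet left in cleartext "
                            f"({outer.proto} {outer.src} -> {outer.dst})")
            continue
        inner_ok = inner.src == office_mode_ip if outbound else inner.dst == office_mode_ip
        if not inner_ok:
            findings.append(f"line {inner.line_no}: inner packet does not use Office Mode IP {office_mode_ip}")
        expect_outer = (physical_ip, gateway_ip) if outbound else (gateway_ip, physical_ip)
        if (outer.src, outer.dst) != expect_outer:
            findings.append(f"line {outer.line_no}: outer packet {outer.src} -> {outer.dst}, "
                            f"expected {expect_outer[0]} -> {expect_outer[1]}")
    return findings


PACKETS = parse_monitor(SAMPLE)
PAIRS = pair_tunnel_hops(PACKETS)

if __name__ == "__main__":
    for p in PAIRS:
        print(p["flow"], p["inner"].src, "->", p["inner"].dst,
              "| outer:", p["outer"].proto, p["outer"].src, "->", p["outer"].dst)
    for f in check_tunnel(PAIRS, "10.2.3.1", "10.2.4.104", "172.22.102.1"):
        print("FINDING:", f)
```

Run against a real srfw monitor text capture, the findings list is the quick answer to "did anything to the VPN Domain leave this desktop unencrypted", which is the question behind the o/O and i/I comparison in the lab.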
ANALYZE FW MONITOR IN ETHEREAL
1. Open fw monitor output using Ethereal.
2. Locate an HTTP SYN packet, by filtering on the Office Mode IP address in the Source column.
3. Locate the entry number in the No. column, as in the screenshot below. The number 716 is the HTTP SYN packet.
4. Clear the filter by clicking the No. column.
5. Review the HTTP SYN packet, starting from protocol ESP in number 715.
[Ethereal screenshot of the fw monitor capture (file C:\ftproot\monitor_gateway_fwoslo.out): frame 715 ESP (SPI=0x4442c7a8) 10.2.4.104 -> 172.22.102.1; frame 716 TCP 1431 > http [SYN] 10.2.3.1 -> 10.2.2.102; frames 719-721 http > 1431 [SYN, ACK] 10.2.2.102 -> 10.2.3.1; frame 722 ESP (SPI=0xdab604eb) 172.22.102.1 -> 10.2.4.104; frame 723 ESP (SPI=0x4442c7a8) 10.2.4.104 -> 172.22.102.1. Frame 716 detail: Internet Protocol Src 10.2.3.1, Dst 10.2.2.102; Transmission Control Protocol Src Port 1431, Dst Port http (80), Seq 0, Len 0.]
fw monitor Output
End of lab.
REVIEW
• Commands used in debugging SecureClient-to-Security Gateway connections are ike debug, sr_service debug, and srfw monitor.
• The necessary ports for SecureClient to establish connections are:
— TCP 264, 500, 18231 (80 and 443 are only necessary in Visitor Mode).
— UDP 259, 500, 2746.
— IP protocol 50 (not required if using UDP encapsulation).
• The ports used by SecureClient inside the tunnel are:
— UDP 18234, 18233.
— TCP 18231.
• srfw monitor can be used to track packet flow in all phases of a SecureClient connection.
• For SecureClient, the IP address in the General Properties screen of the gateway object (normally the external IP) is used as the connection point. This is defined for SecureClient in the userc.C file and is referred to as the main IP. In situations where an internal IP address is used for the main IP, interface resolving can be used to guarantee connection and encryption.
• Static interface resolving is enabled by the property :resolve_interface_ranges, and is on by default. Each interface of a Gateway is used to calculate an interface range; SecureClient reads these ranges from userc.C, then determines to which interface range its own address belongs.
• Dynamic interface resolving is enabled by the property :resolve_multiple_interfaces. SecureClient sends RDP packets to all interfaces it is aware of, as defined in userc.C. Whichever interface responds first is the interface with which SecureClient will then encrypt.
• In VPN-1 NGX, SecureClient link selection on single-external-interface systems primarily uses one of three methods: main IP address, selected address from the Topology table, or Static NAT.
• In an NGX system with multiple external interfaces, additional methods can be configured: calculating the IP based on network topology, one-time probing, and ongoing probing.
CHAPTER 10: ADVANCED VPN
VPN-1 NGX introduces a new VPN capability, route-based VPN where VPN traffic is routed within a Community based on static- or dynamic-routing information. Route-based VPN is done using VPN Tunnel Interfaces (VTI), a virtual interface on the OS level.
Objectives
1. Identify differences between route-based VPNs and domain-based VPNs.
2. Configure VTI for route-based VPN Gateways.
3. Configure OSPF for dynamic VPN routing in a Community.
4. Identify the Wire Mode function by testing a VPN failover.
5. Configure Directional VPN Rule Match for route-based VPN.
Key Terms
Route-Based VPN
Prior to VPN-1 NGX, a site-to-site VPN required VPN Domains. If a packet's source and destination addresses matched the local and a peer Security Gateway's VPN Domains, the packet was encrypted or decrypted automatically. With a route-based VPN, an NGX Gateway can decide to encrypt and decrypt a packet using a VPN Tunnel Interface (VTI), an OS-level virtual interface that provides a door to a VPN tunnel. When properly configured, the packet then goes through a route-based VPN via the appropriate VTIs.
Route-based VPN provides VPN redundancy, as in the following example:
Route-Based VPN (figure: Rome and Oslo Gateways)
Domain-Based VPN
Dynamic-routing protocols are not required to implement route-based VPNs. Static routes can achieve the same purpose. As long as the OS-level routing mechanism knows how to get to the remote peer's network via the correct VTI, a route-based VPN can work properly. However, static routes need to be updated manually whenever there is a routing change.
It is important to note that a route-based VPN does not replace a domain-based VPN, but expands it. Domain-based VPN takes precedence over route-based VPN. Routing through VTIs only applies to traffic that is not routed in VPN Domains. The order between the two VPN routing methods is set by the order of the VPN routing decisions. First, domain-based VPN routing tables are consulted, to determine the proper origin or target VPN Gateway for the traffic. If no domain-based VPN routing applies, the OS routing table is examined, to determine whether the traffic is to be routed through a VTI.
For example, when two Gateways have configured VPN Domains for their site-to-site VPN, the two Gateways always route traffic between the two VPN Domains through the Community, regardless of whether or not there are VTIs. VTIs can be used at first to serve additional traffic that is not handled by VPN Domains. This way, an Open Shortest Path First (OSPF) daemon can be set up to work over a VTI, while the domain-based VPN is still active. Since OSPF uses Multicast Mode for communication, OSPF works only with VTIs.
Once OSPF adjacency is established between the two Gateways, routing information can be exchanged. After verifying that the routing information is correct, gradually remove parts of the VPN Domains' definitions, to allow a route-based VPN to take over.
VPN Tunnel Interface
A VPN Tunnel Interface (VTI) is a virtual interface on an NGX component, which is associated with an existing VPN tunnel, and is used by IP routing as a point-to-point interface directly connected to a VPN peer Gateway. Each VTI is associated with a single tunnel to a VPN peer Gateway. The tunnel behaves just like a point-to-point link between the two Gateways. The tunnel and its properties are defined by a VPN Community linking the two Gateways. The peer Gateway should also be configured with a VTI. The native IP routing mechanism on each Gateway can then direct traffic into the tunnel, just as the mechanism would do for any other type of interface.
VPN Routing Process
OUTBOUND PACKETS
The VPN routing process of an outbound packet can be described as follows:
VPN Tunnel Interfaces (figure: Source, VPN-1 NGX Security Gateway, VPN-1 NGX Security Gateway, Destination)
• An IP packet with destination address x is matched against the routing table.
• The routing table indicates that IP address x should be routed through a point-to-point link, which is the VTI associated with the peer Gateway.
• The NGX kernel intercepts the packet as it enters the VTI.
• The packet is encrypted using the proper IPsec Security Association parameters with the peer Gateway, as defined in the VPN Community. The new packet receives the peer Gateway's IP address as the destination IP.
• Based on the new destination IP address, the packet is rerouted by VPN-1 NGX to the physical interface, according to the appropriate routing-table entry for the peer Gateway's address.
INBOUND PACKETS
The opposite is done for inbound packets:
• An IPsec packet enters the machine coming from the peer Gateway.
• VPN-1 NGX intercepts the packet on the physical interface.
• VPN-1 NGX identifies the originating VPN peer Gateway.
• VPN-1 NGX decapsulates the packet, and extracts the original IP packet.
• VPN-1 NGX detects that a VTI exists for the peer VPN Gateway, and reroutes the packet from the physical interface to the associated VTI.
• The packet enters the IP stack through the VTI.
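The routing decision described under Domain-Based VPN and the outbound and inbound steps above, as an added Python model that is not Check Point code. Gateway A's external address, peers and numbered VTIs follow the handbook's three-site figure; the VPN Domains and the eth0/eth1 routes are constructed for the example.

```python
"""Model of the NGX VPN routing decision: domain-based VPN is consulted first,
then the OS routing table, where a route through a VTI sends the packet into
the tunnel to the peer that owns the VTI. Added example, not Check Point code."""
import ipaddress

# Constructed view of Gateway A (external 214.214.214.1).
PEERS = {                     # peer name -> peer Gateway external IP
    "Gateway_B": "215.215.215.1",
    "Gateway_C": "216.216.216.1",
}
# VPN Domains (constructed): A and B have Domains; C deliberately has none,
# so C's network is reachable only through the VTI.
VPN_DOMAINS = {
    "Gateway_A": ["192.168.14.0/24"],
    "Gateway_B": ["192.168.15.0/24"],
}
# Numbered VTIs on Gateway A: name -> (local VTI IP, remote VTI IP, peer)
VTIS = {
    "to_B": ("10.10.0.1", "10.10.0.2", "Gateway_B"),
    "to_C": ("10.10.0.3", "10.10.0.4", "Gateway_C"),
}
# OS routing table as (prefix, outgoing interface); longest prefix wins.
ROUTES = [
    ("192.168.14.0/24", "eth1"),   # local LAN (constructed)
    ("192.168.15.0/24", "to_B"),   # route add -net 192.168.15.0/24 to_B
    ("192.168.16.0/24", "to_C"),   # route add -net 192.168.16.0/24 to_C
    ("0.0.0.0/0", "eth0"),         # default route via the external interface
]

def _in_any(addr, prefixes):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p) for p in prefixes)

def domain_peer(src, dst):
    """Domain-based VPN: source in our own Domain and destination in a peer's
    Domain selects that peer, regardless of any VTI route for dst."""
    if not _in_any(src, VPN_DOMAINS.get("Gateway_A", [])):
        return None
    for peer, nets in VPN_DOMAINS.items():
        if peer != "Gateway_A" and _in_any(dst, nets):
            return peer
    return None

def lookup_route(dst):
    """Longest-prefix match over ROUTES; returns the interface name."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def route_outbound(src, dst):
    """Return how Gateway A handles a clear packet from src to dst."""
    peer = domain_peer(src, dst)
    if peer:
        return {"method": "domain", "peer": peer, "outer_dst": PEERS[peer]}
    iface = lookup_route(dst)
    if iface in VTIS:
        peer = VTIS[iface][2]
        outer_dst = PEERS[peer]          # encrypted packet is addressed to the peer
        return {"method": "vti", "vti": iface, "peer": peer,
                "outer_dst": outer_dst,
                "physical": lookup_route(outer_dst)}   # second routing lookup
    return {"method": "clear", "interface": iface}

def route_inbound(peer, inner_dst):
    """Decapsulated packet from peer: enters the IP stack through the VTI
    bound to that peer when one exists, else through the physical interface."""
    entry = next((name for name, (_, _, p) in VTIS.items() if p == peer), "eth0")
    return {"enters_via": entry, "forward": lookup_route(inner_dst)}
```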
Best Practices
A VTI is best defined symmetrically on both Gateways, although it is possible to have one side work with a domain-based VPN. In this case, the Gateway without the VTI configured on it would not accept just any IP address from its peer Gateway, but only IP addresses specifically defined in the peer's VPN Domain (or any specific alteration of it configured in the vpn_route.conf file).
With VTIs, it is now possible to completely control VPN routing by OS routing. The same infrastructure allows dynamic-routing protocols to control the VPN. A dynamic-routing protocol daemon running on the NGX Gateway (on SecurePlatform Pro and IPSO platforms only) can establish connectivity with a neighboring routing daemon on the other end of an IPsec tunnel, which appears to be a single hop away. The daemons can exchange routing information and dynamically change the IP routing, which naturally changes the traffic directed to the IPsec VPN tunnel.
Configuring Numbered VTIs
VTIs can be configured manually using vpn shell on SecurePlatform Pro, or by using Voyager on IPSO. The following example demonstrates creating numbered VTIs among three SecurePlatform Pro NGX Gateways:
VTI for Three Sites (figure): Security Gateway A (ext 214.214.214.1; VTIs 10.10.0.1 and 10.10.0.3) with network 192.168.14.0; Security Gateway B (ext 215.215.215.1; VTIs 10.10.0.2 and 10.10.0.5) with network 192.168.15.0; Security Gateway C (VTIs 10.10.0.4 and 10.10.0.6) with network 192.168.16.0.
Three NGX Gateways are the minimum required to set up a route-based VPN. Therefore any Gateway in a route-based VPN topology has two VTIs, one for each peer. Assume Gateways A, B, and C are setting up VTIs to each other, to use a route-based VPN.
FIGURE NOTES
Between Gateways A and B, 10.10.0.1 is assigned to Gateway A and 10.10.0.2 to Gateway B. Between Gateways A and C, 10.10.0.3 is assigned to Gateway A and 10.10.0.4 to Gateway C. Between Gateways B and C, 10.10.0.5 is assigned to Gateway B and 10.10.0.6 to Gateway C.
CREATING VTIS
The syntax is as follows:
vpn shell interface add numbered <Local VTI IP> <Remote VTI IP> <Peer name> <VTI name>
ADD COMMAND
On Gateway A, type the vpn shell add command:
vpn shell interface add numbered 10.10.0.1 10.10.0.2 Gateway_B to_B
vpn shell interface add numbered 10.10.0.3 10.10.0.4 Gateway_C to_C
On Gateway B, type the vpn shell add command:
vpn shell interface add numbered 10.10.0.2 10.10.0.1 Gateway_A to_A
vpn shell interface add numbered 10.10.0.5 10.10.0.6 Gateway_C to_C
On Gateway C, type the vpn shell add command:
vpn shell interface add numbered 10.10.0.4 10.10.0.3 Gateway_A to_A
vpn shell interface add numbered 10.10.0.6 10.10.0.5 Gateway_B to_B
Note: the VTI name is limited to eight characters, and the peer name used in the vpn shell command must match the name of the peer Gateway object.
VIEWING VTIS USING THE VPN SHELL SHOW COMMAND
To see the list of VTIs you created, run the command in vpn shell:
vpn shell show interface summary all
vpn shell show interface detailed all
A VTI can also be viewed as a regular interface by using the ifconfig -a command.
ADDING STATIC ROUTES
For a route-based VPN, after the VTIs are created it is necessary to add static routes pointing to the VTI as the interface through which a peer's internal network is reached. For example, in the mesh VPN above, hosts behind Security Gateway A that need to access the network behind Security Gateway C need a static route created on Gateway A. This command can be entered via the Command Line Interface (CLI) as:
route add -net 192.168.16.0/24 gw 10.10.0.4
Alternately, when adding the command via the CLI, the VTI name can be used:
route add -net 192.168.16.0/24 to_C
Check Point recommends configuring static routes using sysconfig in SecurePlatform Pro, as these routes will then survive a reboot, whereas using the CLI may not.
CONFIGURING VTIS ON NOKIA IPSO
To configure VTIs on Nokia IPSO:
1. Log in to Voyager on the Nokia IPSO system.
2. ...
3. ...
4. Select the FWVPN ...
5. On the FWVPN Tunnel ... screen, ...
6. ...
7. Click Apply. The new VTI ...
Dynamic VPN Routing
OSPF configuration detail is beyond the scope of this chapter. Security Administrators should be familiar with routing protocols, before configuring dynamic routing.
This figure shows VPN dynamic routing over OSPF:
Dynamic VPN Routing Among Three Sites (figure): Security Gateway A (ext 214.214.214.1; VTIs 10.10.0.1 and 10.10.0.3); an internal network 10.10.30.0/24; Security Gateway B (ext 215.215.215.1; VTIs 10.10.0.2 and 10.10.0.5; eth1 10.10.1.1); Security Gateway C (ext 216.216.216.1; VTIs 10.10.0.4 and 10.10.0.6; eth1 10.10.1.2).
ENABLING ADVANCED ROUTING
To configure OSPF on SecurePlatform Pro, the gated daemon must be enabled on each NGX Gateway. The gated daemon is available when advanced routing is enabled. By default, advanced routing is disabled on SecurePlatform Pro. To enable advanced routing and configure OSPF, follow these steps:
1. Using the cpconfig utility, select the option to enable advanced routing.
2. Type Y to enable Advanced Routing.
3. Type Y to restart Check Point services, to enable advanced routing.
Q.) You have upgraded a Gateway from VPN-1/FireWall-1 NG with Application Intelligence (R55) to VPN-1 NGX (R60) on SecurePlatform. How do you make the installation SecurePlatform Pro, so you can use advanced routing?
A.) Run the pro enable command in Expert Mode.
CONFIGURING OSPF
On Gateway A:
1. ...
2. Enter Expert Mode, and ...
3. Type ena or enable, to ...
4. Start configuring OSPF, by typing conf t in ...
5. ... The OSPF process ID should be the same on all Gateways.
6. Enter router-id <IP address>; for example, router-id 214.214.214.1. It can be the physical IP address of the Gateway.
7. Configure vt-Gateway_B and vt-Gateway_C as area 0, and eth1 as area 51:
vt-Gateway_B: ip ospf 1 area 0.0.0.0
vt-Gateway_C: ip ospf 1 area 0.0.0.0
eth1: ip ospf 1 area 51.0.0.0
On Gateway B:
1. ...
2. ...
3. Configure OSPF as the ...: router ospf 1, then router-id 215.215.215.1
4. Configure the VTI to Gateway A as area 0: ip ospf 1 area 0.0.0.0
5. Configure eth1 as area 0, because Gateway_B and Gateway_C connect eth1 to each other. That network must belong to area 0, because OSPF ...
eth1: ip ospf 1 area 0.0.0.0
Wire Mode
Wire Mode is usually defined in three places:
1. In the Community > Advanced > Wire Mode screen:
Wire Mode Screen (Community > Advanced > Wire Mode): Allow uninspected encrypted traffic between Wire mode interfaces.
If Wire Mode Routing is enabled in the Community, it is not necessary to enable Wire Mode per interface.
2. On the gateway object > VPN > VPN Advanced screen:
VPN Advanced Screen (gateway object > VPN > VPN Advanced): VPN Tunnel Sharing (Use the community settings, or Custom settings); Restart Options (Perform an organized shutdown of tunnels upon gateway restart); Wire mode (Support Wire mode, and Wire mode routing to route uninspected encrypted traffic in VPN routing configurations; Select the interfaces where traffic destined to Wire mode communities will bypass the Firewall; Log Wire mode traffic); NAT traversal (Support NAT traversal, which applies to Remote Access and Site to Site connections).
3. Per interface on the Gateway:
Wire mode interfaces Screen: Select the internal interfaces where traffic destined to Wire mode communities will bypass the Firewall; each interface (for example eth1, eth2) is listed with its IP address and netmask.
Configure Wire Mode per interface from the Wire mode interfaces screen:
— Click Add under "Select the interfaces where traffic destined to Wire mode communities will bypass the Firewall". The internal interfaces on the Gateway will be listed.
— Highlight particular internal interfaces, or select all internal interfaces.
In the following figure, Gateways B and C have Wire Mode enabled, and have trusted internal interfaces defined:
Wire Mode in Route-Based VPN
The Community containing Gateways B and C has Wire Mode and Wire Mode routing enabled. Host 10.10.10.5 (behind Gateway A) sends a packet to 10.10.30.5 (behind Gateway C). Gateway C's Internet connection subsequently fails, so that when 10.10.30.5 tries to reply to 10.10.10.5, the reply packet from 10.10.30.5 will be routed through Gateway B. Without Wire Mode, Stateful Inspection would be enforced at Gateway B, and the packet would be dropped due to "out of state" errors. But with Wire Mode enabled, Gateway B can pass on the traffic and not enforce Stateful Inspection.
Directional VPN Rule Match
Directional VPN Rule Match is a new access-control feature that matches more precisely on VPN traffic and allows expressing rules based on the direction of the traffic, rather than participating IP addresses. Directional VPN Rule Match matches on traffic based on the type of interface group through which traffic enters the Gateway, and the type of interface group through which traffic exits the Gateway. The interfaces are divided into three main groups: internal, external, and VPN interfaces. Traffic going into a VPN tunnel, or coming out of a VPN tunnel, is considered to have passed through a VPN interface. VPN interfaces are referenced by their associated VPN Community.
The Directional VPN Rule Match is configured in the VPN column of the Rule Base, which can now contain the format A > B, where A and B each represent an interface group. Such a rule matches traffic entering the Gateway from interface group A and leaving the Gateway through interface group B.
Interface Groups
The following is a list of available interface groups:
Existing VPN Community: the default MyIntranet Community, the Remote Access Community, or a user-defined Community.
All_Communities: Represents the VPN tunnels of all Communities, including the Remote Access Community.
All_GwToGw: Represents the VPN tunnels of all site-to-site Communities, i.e., any Community except the Remote Access Community.
Internal_clear: Represents all interfaces designated as "internal".
External_clear: Represents all interfaces designated as "external".
Any Traffic: Wildcard that matches on any type of traffic.
EXAMPLES
Consider the following VPN rule:
Rule 1: Source Any; Destination Any; VPN Internal_clear > MyIntranet; Service ftp; Action accept; Track Log
Directional VPN Rule Match — One Direction
This rule accepts FTP traffic intercepted on any of the Gateway's internal interfaces that is about to enter a tunnel in the MyIntranet VPN Community.
A route-based VPN makes it possible to not define VPN Domains, while a Directional VPN Rule Match makes it possible to not specify IP addresses for a rule match.
More than one Directional VPN Rule Match condition can be specified in a single rule. Consider the following rule:
Rule 1: Source Any; Destination Any; VPN Internal_clear > MyIntranet, MyIntranet > Internal_clear; Service ftp, pop-3; Action accept; Track Log
Directional VPN Rule Match — Both Directions
The above rule can be installed on two or more Gateways that are members of MyIntranet. For each FTP and POP3 connection routed on the tunnel between them, the same rule matches on one Gateway when traffic passes from an internal interface into the VPN tunnel, and matches on the other Gateway when traffic leaves the VPN tunnel and passes to the internal interface.
Consider the following example:
Rule 1: Source Any; Destination Any; VPN Internal_clear > Community_A, Internal_clear > Community_B; Service http; Action accept; Track Log
Directional VPN Rule Match — Between Communities
A connection may dynamically change its route without breaking. For example, the above rule allows HTTP traffic to be initiated from the internal interface side and routed into either the Community_A or the Community_B VPN tunnel. The routing can change dynamically between these two Communities without breaking the connection.
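An added matcher for the directional conditions used in the three example rules above (example code, not Check Point's implementation). The Remote Access Community name "RemoteAccess" and the handling of a condition written without ">" are assumptions of this model.

```python
"""Matcher for Directional VPN Rule Match conditions (added example, not
Check Point code). A packet is classified by the interface group it enters
through and the one it leaves through; a VPN interface is identified by its
Community name. Conditions are written 'A > B' as in the VPN column."""

REMOTE_ACCESS = "RemoteAccess"   # constructed name for the Remote Access Community

def endpoint_in_group(endpoint, group):
    """endpoint is 'internal', 'external' or ('vpn', community_name)."""
    if group == "Any Traffic":
        return True
    if group == "Internal_clear":
        return endpoint == "internal"
    if group == "External_clear":
        return endpoint == "external"
    if not isinstance(endpoint, tuple):      # clear-text leg vs a VPN group
        return False
    community = endpoint[1]
    if group == "All_Communities":           # every Community, Remote Access included
        return True
    if group == "All_GwToGw":                # site-to-site Communities only
        return community != REMOTE_ACCESS
    return community == group                # a specific existing Community

def condition_matches(cond, ingress, egress):
    """'A > B' is directional. A bare 'Any Traffic' is a wildcard; a bare
    Community name is the non-directional form and is taken here to match
    when either leg is that Community's tunnel (assumption of this model)."""
    if ">" in cond:
        a, b = (s.strip() for s in cond.split(">", 1))
        return endpoint_in_group(ingress, a) and endpoint_in_group(egress, b)
    cond = cond.strip()
    if cond == "Any Traffic":
        return True
    return any(isinstance(e, tuple) and e[1] == cond for e in (ingress, egress))

def rule_matches(rule, ingress, egress, service):
    """rule = {'vpn': [conditions], 'services': {names}}. Source and
    destination are Any in the handbook's examples, so they are omitted."""
    if service not in rule["services"]:
        return False
    return any(condition_matches(c, ingress, egress) for c in rule["vpn"])

# The three rules from the figures above.
ONE_DIRECTION = {"vpn": ["Internal_clear > MyIntranet"], "services": {"ftp"}}
BOTH_DIRECTIONS = {"vpn": ["Internal_clear > MyIntranet",
                           "MyIntranet > Internal_clear"],
                   "services": {"ftp", "pop-3"}}
BETWEEN_COMMUNITIES = {"vpn": ["Internal_clear > Community_A",
                               "Internal_clear > Community_B"],
                       "services": {"http"}}

def first_match(rules, ingress, egress, service):
    """Rule Base semantics: the first matching rule wins; None if none match."""
    for number, rule in enumerate(rules, start=1):
        if rule_matches(rule, ingress, egress, service):
            return number
    return None
```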
Tunnel Management
In VPN-1 NGX, there are two types of VPN tunnel management:
Permanent Tunnels — This feature keeps VPN tunnels active, allowing real-time monitoring capabilities.
VPN Tunnel Sharing — This feature provides greater interoperability and scalability between Gateways. It also controls the number of VPN tunnels created between peer Gateways.
Permanent Tunnels
As companies have become more dependent on VPNs for communication to other sites, uninterrupted connectivity has become more crucial than ever before. It is essential to make sure VPN tunnels are kept up and running. Permanent Tunnels are constantly kept active, and as a result, make it easier to recognize malfunctions and connectivity problems. Security Administrators can monitor the two sides of a VPN tunnel, and identify problems without delay. Each VPN tunnel in a Community may be set to be a Permanent Tunnel. Since Permanent Tunnels are constantly monitored, if a VPN tunnel fails for some reason, a log, alert, or user-defined action can be issued. A VPN tunnel is monitored by periodically sending tunnel-test packets. As long as responses to the packets are received, the VPN tunnel is considered "up". If no response is received within a given time period, the VPN tunnel is considered "down".
Permanent Tunnels can only be established between Check Point Gateways. The configuration of Permanent Tunnels takes place on Community objects. There are three options to configure a Permanent Tunnel:
• For the entire Community; this option sets every VPN tunnel in the Community as permanent.
• For a specific Gateway; use this option to configure specific Gateways to have Permanent Tunnels.
• For a single VPN tunnel; this feature allows configuring specific tunnels between specific Gateways as permanent.
TUNNEL TESTING
A tunnel test is a proprietary Check Point protocol that is used to test whether VPN tunnels are active. A tunnel-test packet has an arbitrary length, with only the first byte containing meaningful data — the type field.
The type field can take any of the following values:
1 - Test
2 - Reply
3 - Connect
4 - Connected
Tunnel testing requires two Gateways, one configured as a "Pinger" and one as a "responder". The Pinger Gateway uses the VPN daemon (vpnd) to send encrypted tunnel-testing packets to the responder Gateway. The responder Gateway is configured to listen on port 18234 for special tunnel-testing packets. The Pinger sends type 1 or 3. The responder sends a packet of identical length, with type 2 or 4 respectively. During the connect phase, tunnel testing is used in two ways:
1. A connect message is sent to the Gateway. Receipt of a connect message is the indication that the connection succeeded. Connect messages are retransmitted for up to 10 seconds after the IKE negotiation is over, if no response is received.
2. A series of test messages with various lengths is sent, so as to discover the Path Maximum Transmission Unit (PMTU) of the connection. This may also take up to 10 seconds. This test is executed to ensure that TCP packets that are too large are not sent; such packets would be fragmented and slow down performance.
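The tunnel-test exchange above and the permanent-tunnel life-sign monitoring it supports, as an added Python model that is not Check Point's implementation. The packet layout, type values, identical-length reply rule and the life_sign_* attribute names (listed later under Advanced Permanent-Tunnel Configuration) come from the handbook; the channel model, the way timeout and retransmission count are combined, and every numeric value are assumptions.

```python
"""Model of Check Point tunnel testing and permanent-tunnel life-sign logic.
Added example, not Check Point's implementation."""
import os

TEST, REPLY, CONNECT, CONNECTED = 1, 2, 3, 4   # values of the type field

def build_test_packet(ptype, length):
    """Pinger side: type 1 or 3 in the first byte, then arbitrary filler."""
    if ptype not in (TEST, CONNECT) or length < 1:
        raise ValueError("pinger sends type 1 or 3 with length >= 1")
    return bytes([ptype]) + os.urandom(length - 1)

def responder(packet):
    """Responder listening on UDP 18234: a reply of identical length with
    type 2 for a test, 4 for a connect; anything else gets no reply."""
    if not packet:
        return None
    if packet[0] == TEST:
        return bytes([REPLY]) + packet[1:]
    if packet[0] == CONNECT:
        return bytes([CONNECTED]) + packet[1:]
    return None

def is_valid_reply(sent, received):
    return (received is not None and len(received) == len(sent)
            and received[0] == sent[0] + 1)

def discover_pmtu(channel, sizes):
    """Connect phase, second use: probe with test packets of several lengths,
    largest first, and take the largest one that is answered (simplified)."""
    for size in sorted(sizes, reverse=True):
        pkt = build_test_packet(TEST, size)
        if is_valid_reply(pkt, channel(pkt)):
            return size
    return None

class ScriptedPeer:
    """Constructed channel: each call consumes one bool saying whether the
    peer is reachable for that packet; packets above mtu are never answered."""
    def __init__(self, reachable, mtu=1500):
        self.reachable, self.mtu = iter(reachable), mtu
    def __call__(self, packet):
        if len(packet) > self.mtu or not next(self.reachable):
            return None
        return responder(packet)

class PermanentTunnelMonitor:
    """One cycle sends a test and up to life_sign_retransmissions_count
    retransmissions, life_sign_retransmissions_interval apart; if nothing is
    answered, or life_sign_timeout elapses first, the tunnel is declared down
    (assumed combination of the attributes). Events stand in for the tunnel
    down / tunnel up track options. Times are simulated seconds."""
    def __init__(self, channel, life_sign_timeout=30,
                 life_sign_transmitter_interval=10,
                 life_sign_retransmissions_count=3,
                 life_sign_retransmissions_interval=2):
        self.channel = channel
        self.timeout = life_sign_timeout
        self.interval = life_sign_transmitter_interval
        self.retries = life_sign_retransmissions_count
        self.retry_interval = life_sign_retransmissions_interval
        self.state, self.clock, self.events = "up", 0, []

    def cycle(self):
        start, attempts = self.clock, 0
        while attempts <= self.retries:
            pkt = build_test_packet(TEST, 64)
            if is_valid_reply(pkt, self.channel(pkt)):
                if self.state == "down":
                    self.events.append((self.clock, "tunnel up"))
                self.state = "up"
                self.clock += self.interval
                return self.state
            attempts += 1
            self.clock += self.retry_interval
            if self.clock - start >= self.timeout:
                break
        if self.state == "up":
            self.events.append((self.clock, "tunnel down"))
        self.state = "down"
        self.clock += self.interval
        return self.state
```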
VPN Tunnel Sharing
Since various vendors implement IPSec tunnels in a number of different methods, Administrators need to cope with different means of implementing the IPSec framework. VPN Tunnel Sharing provides interoperability and scalability, by controlling the number of VPN tunnels created between peer Gateways. There are three available settings:
1. One VPN Tunnel per each pair of hosts
2. One VPN Tunnel per subnet pair
3. One VPN Tunnel per Gateway pair
Tunnel-Management Configuration
Tunnel management is configured in the community object:
Tunnel Management Screen (Community object > Tunnel Management). Permanent Tunnels: Set Permanent Tunnels, with the options On all tunnels in the community, On all tunnels of specific Gateways, and On specific tunnels in the community; Tunnel down track and Tunnel up track; Enable Route Injection Mechanism (RIM). VPN Tunnel Sharing: Control the number of VPN tunnels opened between peer Gateways, with the options One VPN tunnel per each pair of hosts, One VPN tunnel per subnet pair, and One VPN tunnel per Gateway pair.
PERMANENT-TUNNEL CONFIGURATION
To set VPN tunnels as permanent, select Set Permanent Tunnels. The following Permanent Tunnel modes are then made available:
• On all tunnels in the community
• On all tunnels of specific Gateways
• On specific tunnels in the community
To make all VPN tunnels permanent in a Community, select On all tunnels in the community.
To make all VPN tunnels of specific Gateways permanent, select On all tunnels of specific Gateways. Select the specific Gateways you want, and all VPN tunnels to the specific Gateway will be set as permanent.
Specific Gateways Screen: Select gateways to set permanent tunnels with their peer gateways. Community Members: Branch-Office-gw, Corporate-Cluster-1, Corporate-Cluster-2, Remote-3-gw, Remote-4-gw, Remote-5-gw. Selected gateways: Remote-1-gw, Remote-2-gw. Gateway Tunnel Properties. Note: in case of a conflict between tunnel properties of two gateways, the default tunnel properties which are defined on the community will be used.
Tracking options can be configured for specific Gateways' VPN tunnels in the Gateway tunnels properties screen. Use Community Tracking Option as the default setting. You can select specific tracking options:
Gateway Tunnel Properties Screen: Set the track options for the permanent tunnels of the selected gateways, either Use Community Track Options or Set specific track options for these tunnels (Tunnel down track, Tunnel up track: Log).
To configure specific tunnels in a Community to be permanent, select On specific tunnels in the community. Click the Set Permanent Tunnels button.
Select Permanent Tunnels Screen: Show all member gateways or Show only specific gateways; a matrix of the member Gateways (Remote-1-gw, Remote-2-gw, Remote-3-gw, Remote-4-gw, ...); Select All Tunnels; Select tunnel between: All Member Gateways and All Member Gateways; Selected Tunnel Properties.
In the above screenshot, to make the tunnel between Remote-1-gw and Remote-3-gw permanent, click in the cell where the Remote-1-gw row and the Remote-3-gw column intersect.
1. Click Selected Tunnel Properties and the Tunnel Properties screen is displayed:
Tunnel Properties Screen: Tunnel endpoints Remote-1-gw and Remote-3-gw; Set these tunnels to be permanent tunnels; Use Community Track Options, or Set specific track options for these tunnels.
2. Click Select these tunnels to be permanent tunnels.
3. Click OK.
TRACKING OPTIONS
Several types of alerts can be configured to keep Administrators up-to-date on the status of VPN tunnels. Tracking settings can be configured on the Tunnel Management screen of the Community Properties screen for all VPN tunnels, or they can be set individually when configuring the permanent tunnels themselves. The different options are Log, Popup Alert, Mail Alert, SNMP Trap Alert, and User Defined Alert. Choosing one of these alert types will enable immediate identification of the problem and the ability to respond to these issues more effectively.
ADVANCED PERMANENT-TUNNEL CONFIGURATION
Several attributes allow for customization of tunnel tests and intervals for permanent tunnels:
1. In SmartDashboard, select Global Properties > SmartDashboard Customization.
2. Click Configure. The Advanced configuration screen is displayed.
3. Click VPN Advanced Properties > Tunnel Management to view the five attributes:
Attribute: Purpose
life_sign_timeout: Designate the amount of time the tunnel test runs without a response before the peer host is declared down.
life_sign_transmitter_interval: Set the time between tunnel tests.
life_sign_retransmissions_count: When a tunnel test does not receive a reply, another test is resent to confirm that the peer is down. The Life Sign Retransmission Count is set to how many times the tunnel test is resent, without receiving a response.
life_sign_retransmissions_interval: Set the time between tunnel tests that are resent, after the tunnel test does not receive a response from the peer.
cluster_status_polling_interval (relevant for HA Clusters only): Set the time between tunnel tests between a primary Gateway and a backup Gateway. The tunnel test is sent by the backup Gateway. When there is no reply, the backup Gateway will become active.
RIM_inject_peer_interfaces: Inject the peer's internal network into the routing table (in a Hide NAT situation).
VPN Tunnel Sharing Configuration
VPN Tunnel Sharing provides greater interoperability and scalability, by controlling the number of VPN tunnels created between peer Gateways. Configuration of VPN Tunnel Sharing can be set on both the VPN community and gateway objects.
Tunnel Sharing can be configured as follows:
• One VPN tunnel per each pair of hosts: A VPN tunnel is created for every session initiated between every pair of hosts.
• One VPN tunnel per subnet pair: Once a VPN tunnel has been opened between two subnets, subsequent sessions between the same subnets share the same VPN tunnel. This is the default setting, and is compliant with the IPSec industry standard.
• One VPN tunnel per Gateway pair: One VPN tunnel is created between peer Gateways and shared by all hosts behind each peer Gateway.
If there is a conflict between the tunnel properties of a VPN Community and a gateway object that is a member of that Community, the "stricter" setting is used. For example, if a gateway object is set to One VPN Tunnel per each pair of hosts and the Community object is set to One VPN Tunnel per subnet pair, VPN Tunnel Sharing uses One VPN Tunnel per each pair of hosts.
Lab 12: Route-Based VPN Using Static Routes
Scenario: In this lab, you will set up route-based VPNs for the four sites in the figure below. You will create VTIs on these SecurePlatform Pro Gateways. You will add static routes on the Gateways, to reach peers' internal networks through the correct VTI. In this lab, each site has its own SmartCenter Server on the internal Web server (www.citysite.cp). SmartConsole is installed with the SmartCenter Server. To provide VPN redundancy, you will enable a third interface on the Gateway. The third interface will use the IP address 192.168.xx. The third interfaces of two cities connect to one hub.
Route-Based VPN (figure): fwrome (PartnerCity); fwtoronto (PartnerCity), with VTI addresses 192.168.137.31 and 192.168.137.32; fwoslo (YourCity); fwmadrid (PartnerCity), with VTI addresses 192.168.137.41 and 192.168.137.42.
REINSTALL VPN-1 NGX IN A DISTRIBUTED INSTALLATION
This lab requires VPN-1 NGX to be running in a distributed installation.
1. Reinstall SecurePlatform as an NGX SecurePlatform Pro Security Gateway, using the same IP addresses as listed in the "Check Point Security Administration NGX III" chapter of this handbook.
2. Uninstall SecureClient NGX from webyourcity.
3. Install the SmartCenter Server on webyourcity.
4. Recreate the objects as listed in the "Check Point Security Administration NGX III" chapter of this handbook, with the addition of a gateway object for fwyourcity, and a host object www.yourcity.cp using the same IP address as webyourcity. Configure your fwyourcity object with FireWall and VPN installed.
5. Rebuild the default Policy as listed in the "Check Point Security Administration NGX III" chapter of this handbook. Verify that the Policy is similar to the following:
1. NetBIOS Rule: Source Any; Destination Any; VPN Any Traffic; Service NBT, bootp, rip; Action drop; Track None
2. SSH Access Rule: Source Net_Oslo; Destination fwoslo; VPN Any Traffic; Service ssh; Action accept; Track Log
3. Stealth Rule: Source Any; Destination fwoslo; VPN Any Traffic; Service Any; Action drop; Track Log
4. WebServer Rule: Source Any; Destination www.oslo.cp; VPN Any Traffic; Service http; Action accept; Track Log
5. Partner Cities Rule: Source Net_Oslo, Net_Madrid; Destination Net_Madrid, Net_Oslo; VPN Any Traffic; Service ...; Action accept; Track Log
6. Internet Access Rule: Source Net_Oslo; Destination Any; VPN Any Traffic; Service http; Action accept; Track Log
7. Cleanup Rule: Source Any; Destination Any; VPN Any Traffic; Service Any; Action drop; Track Log
Default Policy
CONFIGURE FWYOURCITY TO JOIN MYINTRANET COMMUNITY
1. Log in to your site's SmartCenter Server in SmartDashboard.
2. Create a simple group object named "novpndomain", and leave the object empty.
3. Edit the Topology screen of fwyourcity. Select Manually Defined under VPN domain options.
4. Select the simple group object novpndomain, and click OK.
CONFIGURE FWPARTNERCITY GATEWAYS TO JOIN MYINTRANET COMMUNITY
1. Create externally managed VPN gateway objects for the other three peer Gateways.
2. Select SecurePlatform Pro as the OS.
3. Select Firewall and VPN in the Check Point products list.
4. In the Topology screen for each fwpartnercity gateway object, select Manually defined, under VPN domain options.
5. Select the simple group object novpndomain, and click OK.
6. Save the Policy.
ADD PARTICIPATING GATEWAYS TO MYINTRANET
1. From the main menu, select Manage > VPN Communities.
2. From the VPN Communities screen, select MyIntranet and click Edit.
3. On the Meshed Community Properties - MyIntranet screen, select Participating Gateways from the tree.
4. Add the three externally managed VPN gateway objects you just created and fwyourcity to the MyIntranet Community.
5. Under Advanced Settings, select Shared Secret.
6. Check the box Use only Shared Secret for all External members.
7. Enter the pre-shared secret abc123 for all external members.
8. Create a new Policy Package with a simple Rule Base, like the following:
No.  Source  Destination  VPN          Service  Action  Track
1    Any     Any          Any Traffic  http     accept  Log
2    Any     Any          Any Traffic  Any      drop    Log
Simple Rule Base
9. Verify and install the Policy.
CREATE VTIS ON FWYOURCITY
1. Connect to fwyourcity in Expert Mode.
2. The information in the following table will be used to configure the VTIs:
City       VTI Name         VTI Addressing Convention  VTI IP Addresses
Rome       vti-fwrome       192.168.137.1x             192.168.137.10, 192.168.137.11, 192.168.137.12
Oslo       vti-fwoslo       192.168.137.2x             192.168.137.20, 192.168.137.21, 192.168.137.22
Toronto    vti-fwtoronto    192.168.137.3x             192.168.137.30, 192.168.137.31, 192.168.137.32
Madrid     vti-fwmadrid     192.168.137.4x             192.168.137.40, 192.168.137.41, 192.168.137.42
Zurich     vti-fwzurich     192.168.138.5x             192.168.138.50, 192.168.138.51, 192.168.138.52
Sydney     vti-fwsydney     192.168.138.6x             192.168.138.60, 192.168.138.61, 192.168.138.62
Cambridge  vti-fwcambridge  192.168.138.7x             192.168.138.70, 192.168.138.71, 192.168.138.72
Singapore  vti-fwsingapore  192.168.138.8x             192.168.138.80, 192.168.138.81, 192.168.138.82
3. Run the vpn shell command to enter vpn shell and configure the VTIs.
The syntax for the command is as follows: vpn shell interface add numbered <Local VTI IP> <Remote VTI IP> <Peer Gateway object name> <VTI name>
Use the naming and addressing conventions to configure VTI addressing, so that the VTI IP addresses for the tunnel between fwyourcity and fwpartnercity end with .x0, those for the tunnel to the city site across from yours (according to the topology) end with .x1, and those for the tunnel from your site to your partner site end with .x2. Both ends of one tunnel share the same last digit.
The table above divides the standard lab topology (as outlined in the "Check Point Security Administration NGX III" chapter of this handbook) into two groups of four city sites, with regard to the VTI IP addressing scheme.
The following figure illustrates this correlation:
[Figure: VTI IP correlations for the 192.168.137.xx and 192.168.138.xx VTIs. Group one: Rome VTIs 192.168.137.1x (.10, .11, .12), Oslo VTIs 192.168.137.2x (.20, .21, .22), Toronto VTIs 192.168.137.3x (.30, .31, .32), Madrid VTIs 192.168.137.4x (.40, .41, .42). Group two: Zurich VTIs 192.168.138.5x (.50, .51, .52), Sydney VTIs 192.168.138.6x (.60, .61, .62), Cambridge VTIs 192.168.138.7x (.70, .71, .72), Singapore VTIs 192.168.138.8x (.80, .81, .82). Arrows join the two VTI addresses that share a last digit.]
VTI IP Correlations for 192.168.137.xx VTIs
For example, the VTIs would be configured on fwrome by entering the following at the vpn shell prompt:
interface add numbered 192.168.137.10 192.168.137.30 fwtoronto vt-fwtoronto
interface add numbered 192.168.137.11 192.168.137.21 fwoslo vt-fwoslo
interface add numbered 192.168.137.12 192.168.137.42 fwmadrid vt-fwmadrid
4. Verify the VTIs in vpn shell. Using fwrome, for example, the output is similar to the following:
VPN shell:[/] > show/interface/summary/all
Interface Peer Name Peer ID Status
vt-fwmadrid fwmadrid 172.24.104.1 attached
vt-fwoslo fwoslo 172.22.102.1 attached
vt-fwtoronto fwtoronto 172.23.103.1 attached
5. Use the .. command to return to the top level of vpn shell, then type quit to leave vpn shell and return to Expert Mode.
6. Type quit to return to Expert Mode.
CONFIGURE VTI TOPOLOGY IN GATEWAY OBJECT
1. After VTIs are created successfully on the four Gateways via the command line, open fwyourcity's gateway object's Topology screen in SmartDashboard on the SmartCenter Server.
2. Click the Get button and select Get interfaces with topology. This will retrieve the newly created VTIs. This example is for fwoslo:
Name         IP Address      Network Mask     IP Addresses behind interface
eth0         172.22.102.1    255.255.0.0      External
eth1         10.2.2.1        255.255.255.0    This Network
eth2         192.168.2.1     255.255.255.0    This Network
vt-fwmadrid  192.168.137.22  255.255.255.255  External
vt-fwrome    192.168.137.20  255.255.255.255  External
vt-toronto   192.168.137.21  255.255.255.255  External
fwoslo Topology Screen with VTIs
If you attempt to edit VTI interfaces, the VTI interface settings are gray in the General screen. The screen shows local IP addresses and the remote peer Gateway's name and IP address.
3. [Text illegible in the source; the surviving fragments refer to the VTI tab settings that apply to all VTIs and to clicking OK.]
4. Verify and install the Policy.
ADD STATIC ROUTES TO INTERNAL NETWORKS
Your Gateway  Peer Internal Network and Netmask  Peer VTI Address
fwrome        10.1.3.0/24                        192.168.137.30
              10.2.2.0/24                        192.168.137.21
              10.2.4.0/24                        192.168.137.42
fwoslo        10.2.4.0/24                        192.168.137.40
              10.1.1.0/24                        192.168.137.11
              10.1.3.0/24                        192.168.137.32
fwtoronto     10.1.1.0/24                        192.168.137.10
              10.2.4.0/24                        192.168.137.41
              10.2.2.0/24                        192.168.137.22
fwmadrid      10.2.2.0/24                        192.168.137.20
              10.1.3.0/24                        192.168.137.31
              10.1.1.0/24                        192.168.137.12
fwzurich      10.3.7.0/24                        192.168.138.70
              10.4.6.0/24                        192.168.138.61
              10.4.8.0/24                        192.168.138.82
fwsydney      10.4.8.0/24                        192.168.138.80
              10.3.5.0/24                        192.168.138.51
              10.3.7.0/24                        192.168.138.72
fwcambridge   10.3.5.0/24                        192.168.138.50
              10.4.8.0/24                        192.168.138.81
              10.4.6.0/24                        192.168.138.62
fwsingapore   10.4.6.0/24                        192.168.138.60
              10.3.7.0/24                        192.168.138.71
              10.3.5.0/24                        192.168.138.52
1. Add static routes to the internal networks of other sites using sysconfig. Use the above table for the network address of the internal network, and the VTI IP address of the peers.
Adding Network Routes via sysconfig
2. Connect via HTTP from each site's internal Web server to another site's server.
3. Launch SmartView Tracker. Verify HTTP traffic is encrypted and decrypted by the correct Gateway.
4. The outbound traffic from the local network will show in SmartView Tracker from the internal interface of your fwyourcity, while inbound traffic will show as arriving on the VTI from that partner city.
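The VTI addressing convention and the static-route table above both follow one rule, and a single mistyped digit at the vpn shell prompt produces a tunnel that never attaches. The following Python script is an added example (not part of the Check Point handbook or product) that derives every site's VTI addresses, vpn shell commands and static routes from that rule, so the lab tables can be regenerated and checked before anything is typed in. The site list is transcribed from the lab tables; the pairing rule that gives each tunnel the suffix 0, 1 or 2 is an assumption read off those tables, and the vt- name prefix follows the handbook's own fwrome example.

```python
"""Added example (not from the Check Point handbook): derive each site's VTI
addresses, vpn shell commands and static routes from the lab's addressing
convention, so the values can be checked against the handbook tables before
they are typed into vpn shell or sysconfig.

The site table is transcribed from the lab; the pairing rule below (which
tunnel gets suffix 0, 1 or 2) is an assumption read off those tables.
"""

# Each group of four sites shares one /24. Per site: (name, tens digit of its
# VTI addresses, internal network), in the order the lab tables list them.
GROUPS = {
    "192.168.137": [
        ("fwrome",    1, "10.1.1.0/24"),
        ("fwoslo",    2, "10.2.2.0/24"),
        ("fwtoronto", 3, "10.1.3.0/24"),
        ("fwmadrid",  4, "10.2.4.0/24"),
    ],
    "192.168.138": [
        ("fwzurich",    5, "10.3.5.0/24"),
        ("fwsydney",    6, "10.4.6.0/24"),
        ("fwcambridge", 7, "10.3.7.0/24"),
        ("fwsingapore", 8, "10.4.8.0/24"),
    ],
}

# Both ends of one tunnel share the same last digit. Positions refer to the
# list order above: suffix 0 pairs sites 0-2 and 1-3, suffix 1 pairs 0-1 and
# 2-3, suffix 2 pairs 0-3 and 1-2 (e.g. fwrome <-> fwtoronto is .10 <-> .30).
PAIRINGS = [((0, 2), (1, 3)), ((0, 1), (2, 3)), ((0, 3), (1, 2))]


def _lookup(gateway):
    """Return (prefix, sites of its group, index of gateway) or raise."""
    for prefix, sites in GROUPS.items():
        for idx, (name, _digit, _net) in enumerate(sites):
            if name == gateway:
                return prefix, sites, idx
    raise KeyError(f"unknown gateway {gateway!r}")


def tunnels(gateway):
    """Yield (suffix, peer, local VTI IP, remote VTI IP, peer network)."""
    prefix, sites, me = _lookup(gateway)
    my_digit = sites[me][1]
    for suffix, pairs in enumerate(PAIRINGS):
        for a, b in pairs:
            if me in (a, b):
                peer, peer_digit, peer_net = sites[b if a == me else a]
                yield (suffix, peer,
                       f"{prefix}.{my_digit}{suffix}",
                       f"{prefix}.{peer_digit}{suffix}",
                       peer_net)


def vti_commands(gateway):
    """The vpn shell lines that create the gateway's three numbered VTIs."""
    return [f"interface add numbered {local} {remote} {peer} vt-{peer}"
            for _s, peer, local, remote, _net in tunnels(gateway)]


def static_routes(gateway):
    """(peer internal network, peer VTI address, local VTI name) per peer,
    i.e. the values entered in sysconfig's network routes menu."""
    return [(net, remote, f"vt-{peer}")
            for _s, peer, _local, remote, net in tunnels(gateway)]


def addresses_unique():
    """Sanity check: the 24 local VTI addresses in the lab never collide."""
    seen = []
    for _prefix, sites in GROUPS.items():
        for name, _d, _n in sites:
            seen += [local for _s, _p, local, _r, _n2 in tunnels(name)]
    return len(seen) == len(set(seen)) == 24


if __name__ == "__main__":
    for gw in ("fwrome", "fwoslo"):
        print(f"# {gw}: vpn shell commands")
        print("\n".join(vti_commands(gw)))
        print(f"# {gw}: static routes for sysconfig")
        for net, via, vti in static_routes(gw):
            print(f"  {net} via {via} (over {vti})")
```

Running the script prints, for fwrome, exactly the three interface add lines shown earlier in this lab; the static route lines are the network and gateway values to enter in sysconfig, not a command of their own.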
ENABLE VPN DIRECTIONAL RULE MATCH
1. In SmartDashboard, select Policy > Global Properties > VPN > Advanced, and check the box Enable VPN Directional Match in VPN Column:
[Screenshot: Global Properties > VPN > Advanced. Options shown include Enable Backup Gateway; Enable load distribution for Multiple Entry Point configurations (Site To Site connections); Enable decrypt on accept for gateway to gateway traffic (relevant only to policies in Traditional Mode); CRL Grace Period settings (before the CRL is valid, after the CRL is no longer valid, and the extension for SecuRemote/SecureClient); IKE Denial of Service protection settings; and Enable VPN Directional Match in VPN Column, which is checked.]
V P N Directional Match in VPN Selected
2. Click OK.
3. Highlight your Partner Cities Rule, and select Rules > Add Rule > Below.
4. In the rule just created, name the rule "Outbound VPN", and use the following table to configure it:
Source Any
Destination Any
VPN Any Traffic
Service HTTP, FTP
Action Accept
Track Log
5. Right-click on the VPN column of the rule you have just created, and select the Edit Cell option.
6. In the VPN Match Conditions screen, select Match Traffic in this direction only, and click Add.
7. Configure the Directional VPN Match Condition screen as follows:
Match on traffic reaching the Gateway from: Internal_clear
Match on traffic leaving the Gateway to: MyIntranet
OK | Cancel | Help
Directional VPN Match Condition Screen
8. Click OK to close the screen, and click OK again to close the VPN Match Conditions screen.
9. Set the action as Accept and the tracking as Log.
10. Add a rule below the Outbound VPN rule, named "VPN Inbound Rule". Use the following information to configure the rule:
Source Any
Destination Any
VPN MyIntranet > Internal_clear
Service HTTP, FTP
Action Accept
Track Log
11. Verify that your rules look like the following:
Name               Source  Destination  VPN                          Service    Action  Track
VPN OutBound Rule  Any     Any          Internal_clear > MyIntranet  http, ftp  accept  Log
VPN InBound Rule   Any     Any          MyIntranet > Internal_clear  http, ftp  accept  Log
VPN Directional Rules
12. Disable the following rules:
• Webserver Rule
• Partner Cities Rule
• Internet Access Rule
13. Verify and install the Policy.
VPN directional rules can limit traffic, as do Source and Destination in a standard rule. In circumstances where a partner site is not completely trusted, source and destination objects could be configured in the VPN directional rule as an added layer of security.
14. Initiate HTTP traffic from webyourcity to one of your partner cities. Have that partner initiate traffic to you.
15. Locate the traffic in SmartView Tracker. You should see outbound traffic being logged from fwyourcity's internal interface, while inbound traffic will be logged from the VTI for that partner city:
[SmartView Tracker record]
Number: 1297
Date: 14Apr2006   Time: 13:17:23
Product: VPN-1 Pro/Express
Interface: eth1
Origin: fwoslo (172.22.102.1)
Type: Log
Action: Encrypt
Protocol: tcp
Service: http (80)
Source: www.oslo.cp (10.2.2.102)
Destination: 10.2.4.104
Rule: 6   Current Rule Number: 6-Standard
Rule UID: {3E04E9FD-C52B-4716-9311-DF4FC2D95E34}
Rule Name: VPN OutBound Rule
Source Port: 1451
Encryption Scheme: IKE
VPN Peer Gateway: fwmadrid (172.24.104.1)
Encryption Methods: ESP: AES-128 + MD5
Community: MyIntranet
Subproduct: VPN
VPN Feature: VPN
Information: service_id: http
Policy Info: Policy Name: Standard; Created at: Fri Apr 14 13:16:31 2006; Installed from: weboslo
SmartView Tracker — Outbound Traffic
[SmartView Tracker record, lower fields as captured]
Encryption Scheme: IKE
VPN Peer Gateway: fwmadrid (172.24.104.1)
Encryption Methods: ESP: AES-128 + MD5
Community: MyIntranet
Subproduct: VPN
VPN Feature: VPN
Information: service_id: http
Policy Info: Policy Name: Standard; Created at: Fri Apr 14 13:28:30 2006; Installed from: weboslo
SmartView T racker— Inbound Traffic
CONFIGURE WIRE MODE
In this section, three of the four sites in each group participate. The members participating in the first group include: Rome, Oslo, and Toronto. Madrid will not participate. For group two, Singapore is not participating. For the instructions, replace Rome with Zurich, Oslo with Cambridge, and Toronto with Sydney.
1. Enable Wire mode on each of the participating Gateways: Open fwyourcity > VPN > VPN Advanced, and select Support Wire Mode and Log Wire mode traffic.
2. On each of the participating gateway objects, edit the MyIntranet community object. Select Advanced Settings > Wire mode, and select Allow uninspected encrypted traffic ... fwrome also selects Wire Mode routing.
Meshed Community Properties - MyIntranet
  Tree: General | Participating Gateways | VPN Properties | Tunnel Management | Advanced Settings (Excluded Services, Shared Secret, Advanced VPN Properties, Wire mode)
Wire mode: Bypass the Firewall
  [x] Allow uninspected encrypted traffic between Wire mode interfaces of this Community's members
  [x] Wire mode routing - Allow members to route uninspected encrypted traffic in VPN routing configurations
OK | Cancel | Help
Wire Mode Properties for fwrome (and fwzurich)
3. Verify and install the Policy.
4. fwoslo opens an FTP session to fwtoronto. Run ls to query the directory.
5. Verify in SmartView Tracker that the FTP session is using the configured VTI.
6. fwoslo and fwtoronto edit their routing tables using sysconfig, deleting the routes to each other's internal networks via their respective VTIs.
7. fwoslo and fwtoronto use sysconfig to add new network routes to each other's internal networks, using their VTIs to fwrome as the Gateway.
8. fwoslo reissues an ls command to query the directory in the FTP session.
On fwoslo and fwtoronto, verify in SmartView Tracker that the FTP session was encrypted:
[Screenshot: SmartView Tracker log on fwtoronto, records 1525 to 1550, 14Apr2006 17:40 to 17:57, origin fwtoronto. The records show the TCP ftp session from 10.2.2.102 to www.toronto.cp among UDP 8116 entries. Status bar: Ready, total records in file 1551.]
SmartView Tracker for fwtoronto
On fwrome, verify that Wire Mode routing was in effect:
[SmartView Tracker record]
Number: 855
Date: 14Apr2006   Time: 17:47:36
Product: VPN-1 Pro/Express
Interface: vt-fwoslo
Origin: fwrome (172.21.101.1)
Type: Log
Action: VPN Routing
Protocol: tcp
Service: ftp (21)
Source: www.oslo.cp (10.2.2.102)
Destination: www.toronto.cp (10.1.3.103)
Rule: 0 - Implied Rules
Source Port: 1612
Information: connectivity level: Wire; dst scheme: IKE; dst methods: ESP: AES-128 + MD5; dst peer gateway: fwtoronto; dst community: MyIntranet
Policy Info: Policy Name: Standard; Created at: Fri Apr 14 17:33:25 2006; Installed from: webrome
V P N Routing Wire Mode Log
Continue to next lab.
Lab 13: Dynamic VPN Routing Using OSPF
Scenario: Configure OSPF on participating Security Gateways, to access networks behind Gateways via VTI.
[Figure: lab topology for dynamic VPN routing. fwrome (PartnerCity) with VTIs 192.168.137.10, 192.168.137.11 and 192.168.137.12; fwoslo (YourCity) with VTIs 192.168.137.21 and 192.168.137.22; fwtoronto (PartnerCity) with VTIs 192.168.137.31 and 192.168.137.32; fwmadrid (PartnerCity) with VTIs 192.168.137.41 and 192.168.137.42; the address 192.168.22.101 is also shown.]
Dynamic V P N Routing Using O S P F
UPDATE THE POLICY FOR OSPF ROUTING
1. In SmartDashboard > MyIntranet > Advanced VPN settings, enable Allow uninspected encrypted traffic ... and Wire Mode routing.
2. Click OK to close the MyIntranet VPN community.
3. From fwyourcity > VPN > Advanced properties, select Support Wire Mode and Log Wire mode traffic. Assign your sync network interface (eth2) to the Wire Mode community object.
4. Add a rule below your VPN Inbound Rule. Configure the rule using the following information:
Name Wire Mode Rule
Source Any
Destination Any
VPN MyIntranet ==> MyIntranet
Service HTTP, FTP
Action accept
Track Log
All four members of each group now have the same Wire Mode configuration.
5. Delete your Web server access rule.
6. Create a new host object using the following information:
Name multicast-ospf
IP address 224.0.0.5
7. Create a new network object using the following information:
Name VTINetworks
Network Address 192.168.137.0
Network Mask 255.255.255.0
8. In the Policy, add a rule above the Stealth Rule. Configure it using the following information:
Name OSPF Broadcast Rule
Source VTINetworks, Synch_yourcity_partnercity
Destination fwyourcity
multicast-ospf
VPN Any Traffic
Service ospf
Action accept
Track Log
9. Verify that your Policy is configured similar to the following:
No.  Name                  Source                           Destination             VPN                          Service          Action  Track
1    NetBIOS Rule          Any                              Any                     Any Traffic                  NBT, bootp, rip  drop    Log
2    SSH Access Rule       Net_Oslo                         fwoslo                  Any Traffic                  ssh              accept  Log
3    OSPF Broadcast Rule   VTI_Networks, Synch_Oslo_Madrid  fwoslo, multicast-ospf  Any Traffic                  ospf             accept  Log
4    Stealth Rule          Any                              fwoslo                  Any Traffic                  Any              drop    Log
5    Partner Cities Rule   Net_Oslo, Net_Madrid             Net_Madrid, Net_Oslo    Any Traffic                  http, ftp        accept  Log
6    VPN OutBound Rule     Any                              Any                     Internal_clear > MyIntranet  http, ftp        accept  Log
7    VPN InBound Rule      Any                              Any                     MyIntranet > Internal_clear  http, ftp        accept  Log
8    Wire Mode Rule        Any                              Any                     MyIntranet > MyIntranet      http, ftp        accept  Log
9    Internet Access Rule  Net_Oslo                         Any                     Any Traffic                  http             accept  Log
10   Cleanup Rule          Any                              Any                     Any Traffic                  Any              drop    Log
OSPF Routing-Enabled Policy (example shown for the Oslo site)
10. Save, but do not install the Policy.
[Table: OSPF settings per city site for the interfaces and VTIs; largely illegible in the source. Recoverable pairs of gateway address and area value: 172.21.101.1 / 10.0.0.0 (Rome); Oslo 172.22.102.1 / 20.0.0.0; 172.23.103.1 / 30.0.0.0; 172.24.104.1 / 40.0.0.0; 172.25.105.1 / 50.0.0.0; 172.26.106.1 / 60.0.0.0; 172.27.107.1 / 70.0.0.0; 172.28.108.1 / 80.0.0.0. The remaining columns (eth1, eth2 and the VTIs, such as vt-fwmadrid) show 0.0.0.0.]
CONFIGURE OSPF ON FWYOURCITY
1. [Steps illegible in the source. The surviving fragments read: "conf 11" and "router ospf 1 creates an OSPF routing instance. 1 is the"]
RECONFIGURE ANTI-SPOOFING ON FWYOURCITY
The OSPF configuration has now defined how the GateD daemon will handle any traffic coming to the interfaces and VTIs. Allowing this traffic through VPN-1 NGX requires reconfiguring anti-spoofing:
1. Right-click fwyourcity and select Edit.
2. Expand the Topology branch from the Properties screen, and click the Get button.
3. Select Interfaces with Topology from the drop-down list. A warning message displays:
Check Point SmartDashboard
Topology and Anti-Spoofing settings that are already defined will be overwritten by results of this operation that contradict them, if any.
Do you want to continue?
Anti-Spoofing Warning
4. Click Yes. A status screen opens, showing SmartDashboard attempting to fetch the topology information. On completion, a notice opens about the Topology fetch being incomplete:
Topology fetch was incomplete. To make Anti-Spoofing work correctly, accept the results, and then manually edit the topology definitions.
Topology Fetch Incomplete
The Get Topology Results screen opens, showing the interfaces as they are defined in the fwyourcity object. Since VPN-1 NGX is querying routing information from the operating system, VTIs are considered interfaces by anti-spoofing.
The topology was retrieved successfully. The following table shows every interface found for the given machine. Networks (or a group of them) that reside behind each interface are also shown here.
Name                 IP Address      Network Mask     Direction
eth0                 172.22.102.1    255.255.0.0      External
vt-fwrome            192.168.137.21  255.255.255.255  External
eth1                 10.2.2.1        255.255.255.0    Internal
eth2                 192.168.22.102  255.255.255.0    Internal
  fwoslo_eth2 (group behind eth2):
    Synch_Oslo_Madrid   192.168.22.0    255.255.255.0
    Net_192.168.137.31  192.168.137.31  255.255.255.255
    Net_192.168.137.12  192.168.137.12  255.255.255.255
    Net_Madrid          10.2.4.0        255.255.255.0
Legend: New object created; Existing object was used.
Get Topology Results Screen
Notice that networks made accessible by configuring OSPF areas in the operating system are included in the simple group attached to eth2, the physical interface configured as part of OSPF area 0.0.0.0.
5. Click Accept. The Get Topology Results screen closes.
7. Click OK to close fwyourcity.
8. Save and install the Policy.
VERIFY ROUTES AND OSPF CONFIGURATION
Verify with your classmates that OSPF is configured on all four Gateways. Run the show ip ospf neighbor and show ip route commands in router privileged mode:
enable
show ip ospf nei
4. Review the output. The example below shows fwoslo output:
Neighbor 172.24.104.1, interface address 192.168.22.104
    In area 0.0.0.0 interface eth2
    Neighbor priority is 1, state is Full, 7 state changes
    DR is 192.168.22.104 BDR is 192.168.22.102
    Options is 18
    Dead timer is due in 38 seconds
Neighbor 172.23.103.1, interface address 192.168.137.32
    Neighbor priority is 0, state is Full, 7 state changes
    DR is 0.0.0.0 BDR is 0.0.0.0
    Options is 18
    Dead timer is due in 33 seconds
The output will be similar to the following:
Codes: C - connected, S - static, R - RIP, B - BGP, O - OSPF
       D - DVMRP, 3 - OSPF3, I - IS-IS, K - Kernel, A - Aggregate

K  0.0.0.0/0           [0/40]  via 172.22.102.2,   05:21:46, eth0
O  10.1.1.0/24         [20/10] via 192.168.137.11, 03:44:26, vt-fwrome
O  10.1.3.0/24         [20/10] via 192.168.137.32, 03:41:56, vt-fwtoronto
C  10.2.2.0/24         [1/0]   via 10.2.2.1,       05:21:45, eth1
O  10.2.4.0/24         [20/10] via 192.168.22.104, 03:45:29, eth2
S  127.0.0.0/8         [0/0]   via 127.0.0.1,      05:21:45, lo
C  127.0.0.1/32        [1/0]   via 127.0.0.1,      05:21:45, lo
C  172.22.0.0/16       [1/0]   via 172.22.102.1,   05:21:45, eth0
C  192.168.22.0/24     [1/0]   via 192.168.22.102, 05:21:45, eth2
C  192.168.137.11/32   [1/0]   via 192.168.137.21, 05:21:45, vt-fwrome
O  192.168.137.12/32   [20/10] via 192.168.22.104, 03:45:29, eth2
C  192.168.137.20/32   [1/0]   via 127.0.0.1,      05:21:45, lo
C  192.168.137.21/32   [1/0]   via 127.0.0.1,      05:21:45, lo
C  192.168.137.22/32   [1/0]   via 127.0.0.1,      05:21:45, lo
O  192.168.137.31/32   [20/10] via 192.168.22.104, 03:45:29, eth2
C  192.168.137.32/32   [1/0]   via 192.168.137.22, 05:21:45, vt-fwtoronto
C  192.168.137.40/32   [1/0]   via 192.168.137.20, 05:21:45, vt-fwmadrid
O  192.168.137.41/32   [20/10] via 192.168.137.32, 03:41:56, vt-fwtoronto
O  192.168.137.42/32   [20/10] via 192.168.137.11, 03:44:26, vt-fwrome
As the output of show ip route shows, networks available through OSPF area 0.0.0.0 are listed as OSPF-created (O) routes. Only the kernel (K) and loopback routes come from the network routing configuration. Connected (C) routes are created from the VTI definitions in vpn shell.
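Reading this table by eye is error-prone once four sites are injecting routes, and a peer network that is reached by a stale static route instead of OSPF will silently defeat the failover this lab is about. The Python script below is an added example (not Check Point code) that parses the show ip route output above, counts routes by origin code, and audits that each peer internal network is OSPF-learned and leaves on the expected interface. SAMPLE_OUTPUT is the fwoslo table transcribed from this page; the PEER_NETWORKS expectations are assumptions built from the lab tables (Madrid's network is accepted over eth2 because the sample shows it learned over the sync network, which is in area 0.0.0.0).

```python
"""Added example (not from the Check Point handbook): parse the SecurePlatform
Pro `show ip route` output shown in the lab and audit it, so a site can confirm
that every peer internal network is learned by OSPF and leaves on the expected
interface before relying on dynamic VPN routing.

SAMPLE_OUTPUT is the fwoslo routing table transcribed from the lab; the
PEER_NETWORKS expectations are assumptions derived from the lab tables.
"""
import re
from collections import Counter

# One route line: code, prefix, [distance/metric], next hop, age, interface.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z0-9])\s+(?P<prefix>\S+)\s+"
    r"\[(?P<distance>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nexthop>[\d.]+),\s+"
    r"(?P<age>[\d:]+),\s+(?P<iface>\S+)$"
)

SAMPLE_OUTPUT = """\
Codes: C - connected, S - static, R - RIP, B - BGP, O - OSPF
       D - DVMRP, 3 - OSPF3, I - IS-IS, K - Kernel, A - Aggregate
K 0.0.0.0/0           [0/40]  via 172.22.102.2,   05:21:46, eth0
O 10.1.1.0/24         [20/10] via 192.168.137.11, 03:44:26, vt-fwrome
O 10.1.3.0/24         [20/10] via 192.168.137.32, 03:41:56, vt-fwtoronto
C 10.2.2.0/24         [1/0]   via 10.2.2.1,       05:21:45, eth1
O 10.2.4.0/24         [20/10] via 192.168.22.104, 03:45:29, eth2
S 127.0.0.0/8         [0/0]   via 127.0.0.1,      05:21:45, lo
C 127.0.0.1/32        [1/0]   via 127.0.0.1,      05:21:45, lo
C 172.22.0.0/16       [1/0]   via 172.22.102.1,   05:21:45, eth0
C 192.168.22.0/24     [1/0]   via 192.168.22.102, 05:21:45, eth2
C 192.168.137.11/32   [1/0]   via 192.168.137.21, 05:21:45, vt-fwrome
O 192.168.137.12/32   [20/10] via 192.168.22.104, 03:45:29, eth2
C 192.168.137.20/32   [1/0]   via 127.0.0.1,      05:21:45, lo
C 192.168.137.21/32   [1/0]   via 127.0.0.1,      05:21:45, lo
C 192.168.137.22/32   [1/0]   via 127.0.0.1,      05:21:45, lo
O 192.168.137.31/32   [20/10] via 192.168.22.104, 03:45:29, eth2
C 192.168.137.32/32   [1/0]   via 192.168.137.22, 05:21:45, vt-fwtoronto
C 192.168.137.40/32   [1/0]   via 192.168.137.20, 05:21:45, vt-fwmadrid
O 192.168.137.41/32   [20/10] via 192.168.137.32, 03:41:56, vt-fwtoronto
O 192.168.137.42/32   [20/10] via 192.168.137.11, 03:44:26, vt-fwrome
"""

# Assumed expectations for fwoslo: peer internal network -> interfaces on
# which an OSPF-learned route to it is acceptable. Madrid's network may also
# arrive over the eth2 sync network, which the lab places in area 0.0.0.0.
PEER_NETWORKS = {
    "10.1.1.0/24": {"vt-fwrome"},
    "10.1.3.0/24": {"vt-fwtoronto"},
    "10.2.4.0/24": {"vt-fwmadrid", "eth2"},
}


def parse_routes(output):
    """Return one dict per parsed route line; legend lines are skipped."""
    routes = []
    for line in output.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        r = m.groupdict()
        r["distance"] = int(r["distance"])
        r["metric"] = int(r["metric"])
        routes.append(r)
    return routes


def routes_by_code(routes):
    """How many routes come from each origin (O, C, K, S, ...)."""
    return Counter(r["code"] for r in routes)


def ospf_routes_by_interface(routes):
    """OSPF-learned prefixes grouped by the interface they exit on."""
    by_iface = {}
    for r in routes:
        if r["code"] == "O":
            by_iface.setdefault(r["iface"], []).append(r["prefix"])
    return by_iface


def audit_peer_networks(routes, expectations):
    """One verdict per expected network: ok, missing, not-ospf or wrong-interface."""
    by_prefix = {r["prefix"]: r for r in routes}
    verdicts = {}
    for net, allowed in expectations.items():
        r = by_prefix.get(net)
        if r is None:
            verdicts[net] = "missing"
        elif r["code"] != "O":
            verdicts[net] = "not-ospf"
        elif r["iface"] not in allowed:
            verdicts[net] = "wrong-interface"
        else:
            verdicts[net] = "ok"
    return verdicts


if __name__ == "__main__":
    routes = parse_routes(SAMPLE_OUTPUT)
    print("routes by code:", dict(routes_by_code(routes)))
    for iface, prefixes in ospf_routes_by_interface(routes).items():
        print(f"OSPF via {iface}: {', '.join(prefixes)}")
    for net, verdict in audit_peer_networks(routes, PEER_NETWORKS).items():
        print(f"{net}: {verdict}")
```

A verdict of not-ospf for a peer network is the case to look for after Lab 12: a static route left over from the previous lab takes precedence over the OSPF route and will not move when a tunnel fails.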
TEST VPN TUNNELS
1. Start an HTTP or FTP connection from your Web server to a host behind one of the VPN peer Gateways.
2. Observe in SmartView Tracker that the connection is decrypted by the peer Gateway on the correct VTI.
3. Start an HTTP or FTP connection to your partner city.
4. Observe in SmartView Tracker that the connection is shown as a cleartext connection, allowed via the Partner Cities Rule:
[Screenshot: SmartView Tracker entries 5823 to 5853, 17Apr2006 18:58:31 to 18:59:54, origin fwoslo, service TCP http, source www.oslo.cp. Connections to 10.1.3.103 match rule 6; connections to 10.2.4.104 (www.oslo.cp shown as 10.2.2.102) match rule 5.]
SmartView Tracker Entries for Three Peer Sites of fwoslo
5. Unplug one side of the leased-line connection between you and your partner city.
6. Reinitiate an HTTP or FTP connection to your partner city.
7. Observe in SmartView Tracker that the connection is now encrypted:
[Screenshot: SmartView Tracker entries 5862 to 5892, 17Apr2006 18:59:55 to 19:00:21, source www.oslo.cp, destinations 10.1.3.103 and 10.1.1.101 (rule 6) and 10.2.4.104 (rule 5).]
Encrypted Traffic Between fwoslo and fwmadrid
8. Verify with one of your VPN peer cities that traffic has passed through its site, based on the Wire Mode configuration:
[Screenshot: SmartView Tracker entries on fwrome, 17Apr2006 (approximately 18:20 to 19:00), showing TCP http and ftp records between www.oslo.cp, www.toronto.cp and www.madrid.cp, for example record 148 at 19:00:11: http from www.oslo.cp to www.madrid.cp.]
Wire Mode Traffic Between fwoslo and fwmadrid
Review
• Route-based VPNs can encrypt traffic between hosts or networks not specified in a Security Gateway's VPN Domain.
• VPN Tunnel Interfaces (VTIs) are configured with VPN-1 NGX, but work at the OS level, using either static routes defined for the VTIs or dynamic-routing protocols.
• Route-based VPNs expand on VPN Domains, but do not replace them. When VPN-1 NGX determines what to do with a packet, VPN Domain state tables are checked first. If no information is found for the packet, OS routing tables are used to verify whether or not routes for the VTIs are configured.
• Open Shortest Path First (OSPF) relies on multicast protocols and can only be used with VTIs.
• A VTI associated tunnel behaves like a point-to-point link between two Gateways. The tunnel and its properties are defined by a VPN Community linking the two Gateways.
• A VTI can be configured to work with a VPN Domain on a peer, but a VTI-to-VTI tunnel is the recommended configuration.
• VTIs can be numbered or unnumbered. A numbered VTI has a unique IP address assigned to it, while an unnumbered VTI uses a proxied IP address from a physical interface. SecurePlatform Pro uses numbered VTIs, while Nokia IPSO uses unnumbered VTIs.
• Dynamic routing (using protocols such as BGP and OSPF) can be used to propagate routing information across VPNs, or between Security Gateways.
• Dynamic routing's key advantage is that if a specific VPN path fails, a new route can be established from OSPF routing information.
• SecurePlatform Pro NGX natively supports the following dynamic-routing protocols: OSPF, BGP, RIPv1, and RIPv2. The following multicast protocols are also supported: PIM-SM, PIM-DM, and IGMP.
• GateD is the daemon that supports dynamic routing on SecurePlatform, and is activated by enabling Advanced Routing using the cpconfig utility.
• Wire Mode is a new feature in VPN-1 NGX that allows a failover mechanism, where Stateful Inspection is bypassed on any interim Gateways between VPN end points.
Review Questions
1. Your colleague left work in the middle of configuring your SecurePlatform Pro Gateway for OSPF route-based VPNs. His configuration notes indicate that he was in the process of configuring the interfaces using the GateD Command Line Interface. Which of the following commands would give you the most general overview of where your colleague's notes left off?
A.) localhost.localdomain# show interface
B.) localhost.localdomain# show running-config
C.) localhost.localdomain# show ip route
D.) localhost.localdomain# show history
2. A route-based VPN is configured between your site and a partner site for specific machines on subnets in your internal networks. Each site also has a standard VPN Domain defined, containing these subnets. Will VPN traffic be logged in SmartView Tracker as encrypting via the VTI or the VPN Domain?
A.) The VTI, because the host-based VPN will take precedence over the subnet-based VPN.
B.) The VPN Domain, because subnet-based VPNs will take precedence over VTI host-based VPNs.
C.) The VTI, because VTIs take precedence over VPNs in VPN-1 NGX.
D.) The VPN Domain, because VTIs only expand the function of VPN Domains, not replace them.
Review Answers
1. Your colleague left work in the middle of configuring your SecurePlatform Pro Gateway for OSPF route-based VPNs. His configuration notes indicate that he was in the process of configuring the interfaces using the GateD Command Line Interface. Which of the following commands would give you the most general overview of where your colleague's notes left off?
D.) localhost.localdomain# show history
2. A route-based VPN is configured between your site and a partner site for specific machines on subnets in your internal networks. Each site also has a standard VPN Domain defined, containing these subnets. Will VPN traffic be logged in SmartView Tracker as encrypting via the VTI or the VPN Domain?
D. The VPN Domain, because VTIs only expand the function of VPN Domains, not replace them.
3. You have a VPN configured between your NGX Security Gateway and a partner company's Cisco VPN concentrator. You and your partner company's Administrator agree that tunnels between these devices need to be consistently active, and that there also needs to be some redundancy available in the tunnels. Which of the following configurations would be best suited for this situation?
Dynamically routed VPNs with Tunnel Sharing configured between subnets
CHAPTER 11: CLUSTERXL
This chapter covers best practices for configuring and testing ClusterXL, and provides troubleshooting steps and commands.
Objectives
1. Implement and test ClusterXL by following Check Point configuration recommendations.
2. Troubleshoot ClusterXL problems, using cphaprob and other related commands.
Key Terms
cphaprob
cpstat
fw ctl debug -m cluster all
Configuration Recommendations
These configuration tips will avert the more common problems resulting from misconfiguration of ClusterXL.
Recommendations for ClusterXL
• ClusterXL should be installed in a distributed environment. The SmartCenter Server cannot be installed on any cluster member. If an NGX Gateway is installed on the SmartCenter Server, this is called a stand-alone installation, and that Gateway cannot be added to the cluster as a member.
• The SmartCenter Server does not have to be on the local network with the cluster. If it is local, the Server can be located in any segment of the cluster. Static routes may be necessary, to access cluster members for Policy installation and logging purposes, if the member-gateway object does not use IP addresses from the same network segment as the SmartCenter Server. For example, if the member-gateway objects have 172.22.102.1 and 172.22.102.2 in the General Properties screens, but the SmartCenter Server is in the 17.16.10.x /24 network, the SmartCenter Server should have a default Gateway pointing to 172.16.10.x (virtual IP address on that network). But if the cluster fails over, SIC might fail, because SmartCenter Server does not know how to get to 172.22.102.1 and 172.22.102.2. Static routes are necessary in this case.
• The SmartCenter server's HotFix Accumulator (HFA) level must be equal to or higher than the cluster members' HFA levels. When an HFA is to be applied to a cluster, it must be applied to the SmartCenter Server before being applied to any cluster members.
• Other than the synchronization network(s), every unsecured network must have at least one other machine connected to its hub or switch, because Cluster Control Protocol (CCP) will try to Ping other hosts in the network. If there is no response from other IP addresses in the network, CCP cannot verify whether other members are alive. This can cause ClusterXL instability.
• All cluster members must run on the same OS, with the same version and patch level.
Troubleshooting ClusterXL
The following table lists and explains cphaprob switches:
Switch              Explanation
register            Register <device> as a critical process.
-d <device>         The name of the device as it will appear in the output of cphaprob list.
-t <timeout>        If <device> fails to contact the ClusterXL members in <timeout> seconds, <device> will be considered to have failed. To disable this parameter, enter 0 as the time-out value. The state will stay as last reported, until explicitly reported.
-s                  Status to be reported: ok - <device> is alive; init - <device> is initializing; problem - <device> has failed.
-f <file> register  Option to automatically register several devices; the file named in the <file> field should contain the list of devices, with the following parameters: device name, time-out, state.
unregister          Unregister <device> as a critical process; -a unregister will unregister all devices.
report              Report the status of <device> to the Security Gateway.
list                Display the state of devices: -i - internal (as well as external) devices, such as interface check, High Availability (HA) initialization, and so on; -e - external devices, such as devices registered by the user or outside the kernel, for example fwd, sync, filter; -ia - all devices, including those used for internal purposes, such as pnote initialization, load-balance configuration, and so on.
state               Display the state of this and all other Security Gateways in the HA configuration.
if                  Display the state of interfaces; -a will give additional information per interface, such as secured, shared, and so on.
cphaprob state
Cluster Mode: New High Availability (Active Up)
Number Unique Address Assigned Load State
1 (local) 192.168.1.1 0% standby
2 192.168.1.2 100% active
In Load Sharing (Multicast) mode, the output looks like this:
Cluster Mode: Load Sharing (Multicast)
Number Unique Address Assigned Load State
1 (local) 192.168.1.1 50% active
2 192.168.1.2 50% active
In Unicast mode, output looks like this:
Cluster Mode: Load Sharing (Unicast)
Number Unique Address Assigned Load State
1 (local) 192.168.1.1 30% active (pivot)
2 192.168.1.2 70% active
In the above example, the pivot machine is identified in the State field. The pivot machine usually takes 30 percent of cluster traffic. The non-pivot machine takes 70 percent of cluster traffic.
Third-party clustering products show active/active, even if one of the members is in the standby state. This is because the cphaprob state command only reports the status of the full synchronization process. For IP clustering, cphaprob state gives accurate cluster status. For VRRP, the status is accurate for a Security Gateway, but it does not correctly reflect the status of each IPSO member. (For example, it does not detect interface failure.)
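The checks an administrator performs by eye on the cphaprob state outputs above can be scripted. The following parser is an added example for this chapter, not Check Point code: it reads cphaprob state output (the three samples are constructed to follow the formats shown in this section) and reports a member whose state is neither active nor standby, a New mode HA cluster without exactly one active member, and Load Sharing members whose assigned loads do not add up to 100 percent. The "down" state used in the degraded sample is an assumed value chosen to exercise the checks.

```python
"""Parse 'cphaprob state' output and flag unhealthy cluster conditions.

Added example for this chapter, not Check Point code. The sample outputs
are constructed to match the formats shown in the text; the 'down' state
in HA_DEGRADED is an assumed value used only to exercise the checks.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: New mode HA, the local member is standby.
HA_SAMPLE = """\
Cluster Mode: New High Availability (Active Up)

Number     Unique Address  Assigned Load   State
1 (local)  192.168.1.1     0%              standby
2          192.168.1.2     100%            active
"""

# Constructed sample: Load Sharing Unicast, the pivot takes 30 percent.
UNICAST_SAMPLE = """\
Cluster Mode: Load Sharing (Unicast)

Number     Unique Address  Assigned Load   State
1 (local)  192.168.1.1     30%             active (pivot)
2          192.168.1.2     70%             active
"""

# Constructed sample of a degraded HA cluster (the 'down' state is assumed).
HA_DEGRADED = """\
Cluster Mode: New High Availability (Active Up)

Number     Unique Address  Assigned Load   State
1 (local)  192.168.1.1     100%            active
2          192.168.1.2     0%              down
"""


@dataclass
class Member:
    number: int
    local: bool
    address: str
    load: int      # assigned load, percent
    state: str     # e.g. "active", "standby", "active (pivot)"


@dataclass
class ClusterState:
    mode: str
    members: List[Member] = field(default_factory=list)

    @property
    def pivot(self) -> Optional[Member]:
        """The Unicast pivot member, identified in the State field."""
        return next((m for m in self.members if "pivot" in m.state), None)


MODE_RE = re.compile(r"^Cluster Mode:\s*(.+?)\s*$")
MEMBER_RE = re.compile(
    r"^(\d+)\s*(\(local\))?\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)%\s+(.+?)\s*$")


def parse_cphaprob_state(text: str) -> ClusterState:
    """Extract the cluster mode and the member rows from cphaprob state output."""
    mode, members = None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = MODE_RE.match(line)
        if m:
            mode = m.group(1)
            continue
        m = MEMBER_RE.match(line)
        if m:
            members.append(Member(int(m.group(1)), m.group(2) is not None,
                                  m.group(3), int(m.group(4)), m.group(5)))
    if mode is None:
        raise ValueError("no 'Cluster Mode:' line in input")
    return ClusterState(mode, members)


def health_problems(cs: ClusterState) -> List[str]:
    """Return a list of findings; an empty list means the cluster looks healthy."""
    problems = []
    healthy = {"active", "standby", "active (pivot)"}
    for m in cs.members:
        if m.state not in healthy:
            problems.append(f"member {m.number} ({m.address}) is '{m.state}'")
    active = [m for m in cs.members if m.state.startswith("active")]
    if cs.mode.startswith("New High Availability"):
        # New mode HA: exactly one member carries the traffic.
        if len(active) != 1:
            problems.append(f"{len(active)} active members, expected 1 in HA")
    elif cs.mode.startswith("Load Sharing"):
        # Load Sharing: every member is active and the loads cover 100%.
        if len(active) != len(cs.members):
            problems.append("Load Sharing cluster has non-active members")
        total = sum(m.load for m in cs.members)
        if total != 100:
            problems.append(f"assigned loads sum to {total}%, expected 100%")
    else:
        problems.append(f"unrecognised cluster mode '{cs.mode}'")
    return problems


if __name__ == "__main__":
    for name, sample in (("HA", HA_SAMPLE), ("Unicast", UNICAST_SAMPLE),
                         ("HA degraded", HA_DEGRADED)):
        cs = parse_cphaprob_state(sample)
        print(f"{name}: mode={cs.mode!r} problems={health_problems(cs)}")
```

On a real member the input would come from running cphaprob state on each box and comparing the results; a member that lists itself as active while its peer also reports active, or a Load Sharing cluster whose loads no longer sum to 100 percent, is the kind of mismatch the text attributes to synchronization or interface trouble.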
cphaprob -a if
The cphaprob -a if command gives the state of cluster-member and virtual-cluster interfaces. This example illustrates various uses of the cphaprob -a if command:
Required interfaces: 3
Required secured interfaces: 1
eth0 UP sync(secured), multicast
eth1 UP non sync(non secured), multicast
eth2 UP non sync(non secured), multicast
Virtual cluster interfaces: 2
eth1 172.28.108.3
eth2 10.4.8.3
A NOTE ABOUT INTERFACES
Interfaces are critical devices. ClusterXL checks the number of good interfaces, and sets a value of required interfaces to the maximum number of good interfaces seen since the last reboot. If the number of good interfaces is less than the required number, ClusterXL initiates failover. A secured interface is the synchronization interface. All other interfaces are labeled as non-secured. Required interfaces should be identical to the cluster-member object's topology information. The virtual cluster-interfaces list should be identical to the cluster object's Topology screen. The number of required interfaces should be the same among cluster members. The same is true for the number of required secured interfaces.
When an interface is down, the interface can neither receive nor transmit CCP packets. This may happen when an interface is malfunctioning, is connected to an incorrect subnet, is unable to pick up multicast Ethernet packets, and so on. The interface may also be able to receive but not transmit CCP packets, in which case the status field is ready. The displayed time is the number of seconds that have elapsed since the interface was last able to receive/transmit a CCP packet. For third-party clustering products, except Nokia IP clustering products, cphaprob -a if should always show virtual-cluster IP addresses.
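The rules in the note above (good interfaces versus required interfaces, the secured sync interface, the virtual cluster interface list, equal required counts across members) can be applied mechanically to cphaprob -a if output. The code below is an added example for this chapter, not Check Point code. The healthy sample is constructed to match the output shown above; the degraded sample's "DOWN (2.3 secs)" line follows the text's description of a down interface with elapsed seconds and is an assumed format.

```python
"""Check 'cphaprob -a if' output against the interface rules in the text.

Added example for this chapter, not Check Point code. Sample outputs are
constructed to match the format shown above; the DOWN line with a time in
seconds follows the description in the text and is an assumed format.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

HEALTHY_IF = """\
Required interfaces: 3
Required secured interfaces: 1
eth0 UP sync(secured), multicast
eth1 UP non sync(non secured), multicast
eth2 UP non sync(non secured), multicast

Virtual cluster interfaces: 2
eth1 172.28.108.3
eth2 10.4.8.3
"""

# Constructed: eth2 has not exchanged CCP packets for 2.3 seconds.
DEGRADED_IF = """\
Required interfaces: 3
Required secured interfaces: 1
eth0 UP sync(secured), multicast
eth1 UP non sync(non secured), multicast
eth2 DOWN (2.3 secs) non sync(non secured), multicast

Virtual cluster interfaces: 2
eth1 172.28.108.3
eth2 10.4.8.3
"""


@dataclass
class Iface:
    name: str
    status: str              # UP, DOWN or ready
    secured: bool            # the sync interface is the secured one
    since: Optional[float]   # seconds since the last CCP packet, if shown


@dataclass
class IfReport:
    required: int
    required_secured: int
    ifaces: List[Iface]
    virtual: Dict[str, str]  # interface name -> virtual cluster IP


IFACE_RE = re.compile(
    r"^(\S+)\s+(UP|DOWN|ready)(?:\s*\(([\d.]+)\s*secs?\))?\s+(sync|non sync)\((secured|non secured)\)")
VIP_RE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")


def parse_cphaprob_if(text: str) -> IfReport:
    """Extract required counts, member interfaces and virtual cluster IPs."""
    required = required_secured = None
    ifaces: List[Iface] = []
    virtual: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Required secured interfaces:"):
            required_secured = int(line.split(":", 1)[1])
        elif line.startswith("Required interfaces:"):
            required = int(line.split(":", 1)[1])
        else:
            m = IFACE_RE.match(line)
            if m:
                since = float(m.group(3)) if m.group(3) else None
                ifaces.append(Iface(m.group(1), m.group(2), m.group(5) == "secured", since))
                continue
            m = VIP_RE.match(line)
            if m:
                virtual[m.group(1)] = m.group(2)
    if required is None or required_secured is None:
        raise ValueError("missing 'Required ... interfaces' lines")
    return IfReport(required, required_secured, ifaces, virtual)


def assess(r: IfReport) -> List[str]:
    """Apply the rules from the note about interfaces; empty list means OK."""
    findings = []
    good = [i for i in r.ifaces if i.status == "UP"]
    if len(good) < r.required:
        findings.append(f"{len(good)} of {r.required} required interfaces up: ClusterXL will fail over")
    if sum(1 for i in good if i.secured) < r.required_secured:
        findings.append("fewer secured (sync) interfaces up than required")
    for i in r.ifaces:
        if i.status != "UP":
            detail = f" ({i.since:g} s since last CCP packet)" if i.since is not None else ""
            findings.append(f"{i.name} is {i.status}{detail}")
    for name in r.virtual:
        if name not in {i.name for i in r.ifaces}:
            findings.append(f"virtual cluster interface {name} has no member interface")
    return findings


def compare_members(a: IfReport, b: IfReport) -> List[str]:
    """Required counts must be the same on every cluster member."""
    out = []
    if a.required != b.required:
        out.append(f"required interfaces differ: {a.required} vs {b.required}")
    if a.required_secured != b.required_secured:
        out.append(f"required secured interfaces differ: {a.required_secured} vs {b.required_secured}")
    return out
```

Run against the output from every member, compare_members catches the mismatch in required counts that the note warns about, and assess predicts the failover that ClusterXL itself will trigger when the number of good interfaces drops below the required number.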
Device Name: Filter
Registration number: 1
Timeout: none
Current state: OK
Time since last report: 89786.8 sec
Device Name: fwd
Registration number: 2
Timeout: 2 sec
Current state: OK
Time since last report: 0.8 sec
For Nokia IP clustering, the output is the same as in Check Point ClusterXL Load Sharing.
cphaprob -d <device> -s problem -t 0
cpstat ha -f all
[Output of cpstat ha -f all: interface table (eth0 192.168.1.1 Up, eth1 172.28.108.1 Up, eth2 10.4.8.1 Up, 10.6.8.1) and device table (fwd OK, Filter OK); the rest of this page is unreadable in the scan]
fw ctl debug -m cluster
1. Set the debug flag to 0:
fw ctl debug 0
2. Set the debug buffer size:
fw ctl debug -buf 1024 | 2048 | 4096 (in kilobytes)
3. Set the debug flag to miscellaneous:
fw ctl debug -m cluster <flag>
The all flag generates all
Kernel Flag Description
conf ClusterXL configuration
if Interfaces monitoring and validation
stat Cluster state changes
select Packet selection by ClusterXL
ccp CCP packet creation and handling
pnote pnote devices
drop Drops caused by SDF
mac
forward Forwarding layer
df Decision function
4. Run debug:
fw ctl kdebug -f > <file name>
5. Stop debugging by pressing CTRL + C.
fw ctl debug 0
fw ctl debug should be run on all cluster members.
KERNEL FLAGS
DEFAULT BEHAVIOR
5. Since no probe-message reply is received but the Ping requests are answered, the secondary concludes that its own interfaces are up and working, and that the interface of the primary has failed over. The secondary announces, via state messages, that all of its own interfaces are operational.
6. With this report from the secondary, the primary concludes the issue is with its own interface, and changes its state to Down/Dead.
7. The secondary issues gratuitous ARPs for both the physical and cluster address per IP segment, and changes its state to Active/Active-Attention.
NEW BEHAVIOR
With the two kernel flags set to true, the kernel includes a check of the link state of all member interfaces. That is, when a cluster member does not receive CCP packets from an interface, it runs a kernel procedure to check the state of the interface. If the member discovers the link state is down, it sends a message about the link state through its working interfaces to the network, saying that its interface state is down. The standby member can then change its state to Active, without the Ping mechanism (since no hosts are available to Ping). The cluster members will then know which member has a problem, and can change their states to active. (The member that has the highest priority will be active.)
fwha_restrict_mc_sockets (0 by Default)
DEFAULT BEHAVIOR
The multicast socket is opened by CCP when ClusterXL is set up.
NEW BEHAVIOR
Changing the value to 1 will open the multicast socket on synchronization interfaces only.
fw_gratuitous_arp_timeout
This flag sets the time-out, which is 600 deciseconds by default (one decisecond equals 0.1 seconds).
fw_allow_connection_traffic_drop (1 by Default)
This flag controls the Flush and ACK mechanism on unestablished connections.
FLUSH AND ACK
When a client and server start a TCP handshake through a cluster, the SYN packet arrives at member A. Member A holds the SYN packet, synchronizes it with member B, and then passes the SYN packet to its destination. When the SYN-ACK packet comes from the server to the client, it arrives at member B. With Flush and ACK, member B has the SYN table entry, and member B allows the SYN-ACK to pass through and return to the client.
DEFAULT BEHAVIOR
If the ACK packet from the client comes before member B synchronizes SYN-ACK with member A, by default, member A will drop the packet. This may result in retransmissions and delays in some applications.
NEW BEHAVIOR
To allow this ACK packet or any packet belonging to an unestablished connection, turn the parameter off. (Change the value to 0.)
fwha_allow_simultaneous_ping
This flag allows Pinging the virtual IP (VIP) during a
fwconn_merge_all_syncs
DEFAULT BEHAVIOR
Some closed connections hang in the connections table for an entire TCP session time-out, in a Load Sharing configuration. When an NGX cluster member encounters FIN packets from both sides of a TCP connection, it lowers the connection's time-out from the TCP session time-out (by default 3,600 seconds) to the TCP end-session time-out (typically set to less than 1 minute). In Load Sharing configurations with asymmetric routing, one cluster member can find a certain connection is established, while another member has already encountered both FIN packets on the same session. When the machine with the older connections table synchronizes with the machine with the newer connections table, the more updated machine may increase the connection's time-out to the TCP session time-out. The connection then stays in the connections table long after it has closed. Such a scenario is also a possible DoS attack.
NEW BEHAVIOR
When fwconn_merge_all_syncs is set to true, NGX cluster members synchronize the TCP state correctly, and an older connection-table entry is not allowed to override an updated one. This parameter can help short TCP connections in Load Sharing configurations with asymmetric routing, such as with Static NAT, VPNs, or third-party solutions.
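The asymmetric-routing scenario described for this flag can be traced through a small model of two Load Sharing members and their connection tables. This is an added example for this chapter, not Check Point code, and it simplifies the real mechanism: each member keeps a per-connection time-out and a version counter that it bumps on every local state change, and a sync message carries the sender's copy of the entry. The 3,600-second session time-out comes from the text; the 20-second end-session time-out, the packet sequence and the version counter are constructed for the model.

```python
"""Model of how a stale synced entry can revive a closed connection.

Added example for this chapter, not Check Point code: a simplified model of
the Load Sharing scenario described for fwconn_merge_all_syncs. Time-outs,
the packet sequence and the version counter are constructed for the model.
"""
from dataclasses import dataclass
from typing import Dict, Set, Tuple

TCP_SESSION_TIMEOUT = 3600  # default TCP session time-out from the text, seconds
TCP_END_TIMEOUT = 20        # constructed end-session time-out (text: under a minute)

Key = Tuple[str, int, str, int]  # src ip, src port, dst ip, dst port


@dataclass
class ConnEntry:
    timeout: int
    version: int             # bumped on every local state change
    fins_seen: Set[str]      # directions ("c2s", "s2c") in which a FIN was seen


class ClusterMember:
    def __init__(self, name: str, merge_all_syncs: bool) -> None:
        self.name = name
        self.merge_all_syncs = merge_all_syncs
        self.table: Dict[Key, ConnEntry] = {}

    def see_packet(self, key: Key, direction: str, fin: bool = False) -> None:
        """Stateful inspection of one packet on this member."""
        e = self.table.setdefault(key, ConnEntry(TCP_SESSION_TIMEOUT, 1, set()))
        if fin and direction not in e.fins_seen:
            e.fins_seen.add(direction)
            e.version += 1
            if e.fins_seen == {"c2s", "s2c"}:
                # Both sides closed: lower to the TCP end-session time-out.
                e.timeout = TCP_END_TIMEOUT

    def receive_sync(self, key: Key, incoming: ConnEntry) -> None:
        """Merge an entry synced from the peer member into the local table."""
        local = self.table.get(key)
        if local is None:
            self.table[key] = ConnEntry(incoming.timeout, incoming.version,
                                        set(incoming.fins_seen))
            return
        if self.merge_all_syncs and incoming.version <= local.version:
            return  # an older entry may not override an updated one
        # Default behaviour in the model: the synced entry is taken as-is,
        # so the older table can raise the time-out back to the session value.
        local.timeout = incoming.timeout
        local.version = incoming.version
        local.fins_seen = set(incoming.fins_seen)


def run_scenario(merge_all_syncs: bool) -> int:
    """Return member A's time-out for the connection after the stale sync."""
    a = ClusterMember("A", merge_all_syncs)
    b = ClusterMember("B", merge_all_syncs)
    key: Key = ("10.1.1.101", 40000, "10.2.2.102", 80)  # constructed flow
    # Both members see the handshake and hold an established entry.
    for m in (a, b):
        m.see_packet(key, "c2s")
        m.see_packet(key, "s2c")
    # Asymmetric routing: only A sees both FINs and lowers the time-out.
    a.see_packet(key, "c2s", fin=True)
    a.see_packet(key, "s2c", fin=True)
    # B syncs its older, still-established entry to A.
    a.receive_sync(key, b.table[key])
    return a.table[key].timeout


if __name__ == "__main__":
    print("default:", run_scenario(False), "s")      # closed entry lingers
    print("merge_all_syncs:", run_scenario(True), "s")  # end-session time-out kept
```

With the default behaviour the model leaves the closed connection in A's table for the full session time-out, which is the condition the text calls a possible DoS; with the flag set, A keeps its newer entry and the connection ages out within the end-session time-out.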
fwtcpstr_reject_synced (On by Default)
When asymmetric routing exists in IPSO IP clustering configurations, the connections are sometimes slow. If both of the following conditions are true, disable this flag to improve connections. The conditions are:
1. Quick UFP is not used.
2. Packets going in the same direction on a specific connection always go through the same cluster member.
LAB 14: MANUAL FAILOVER USING CPHAPROB -D DEVICE COMMAND
Scenario: In New mode HA and Load Sharing Pivot mode clusters, test failover without bringing the active member down. Use the cphaprob -d <device> -s problem register command to generate failover manually.
Objective: Use the cphaprob -d device command to generate a failover.
Topics:
• Running cphaprob -d <device> -s problem register to generate failover
• Running cphaprob state to verify cluster-member status
• Running cphaprob -d <device> unregister to reactivate the down member
Name         Standard Lab IP                               ClusterXL Lab IP
fwrome       172.21.101.1  10.1.1.1  192.168.22.101        172.21.101.1  10.1.1.1  192.168.22.101
fwtoronto    172.23.103.1  10.1.3.1  192.168.22.103        172.21.101.4  10.1.1.4  192.168.22.103
webrome      10.1.1.101                                    10.1.1.101
webtoronto   10.1.3.103                                    10.1.1.103
Cluster IPs  N/A                                           172.21.101.5  10.1.1.5
Name         Standard Lab IP                               ClusterXL Lab IP
fwoslo       172.22.102.1  10.2.2.1  192.168.22.102        172.22.102.1  10.2.2.1  192.168.22.102
fwmadrid     172.24.104.1  10.2.4.1  192.168.22.104        172.22.102.4  10.2.2.4  192.168.22.104
weboslo      10.2.2.102                                    10.2.2.102
webmadrid    10.2.4.104                                    10.2.2.104
Cluster IPs  N/A                                           10.2.2.5
Name         Standard Lab IP                               ClusterXL Lab IP
fwzurich     172.25.105.1  10.3.5.1  192.168.22.105        172.25.105.1  10.3.5.1  192.168.22.105
fwcambridge  172.27.107.1  10.3.7.1  192.168.22.107        172.25.105.4  10.3.5.4  192.168.22.107
webzurich    10.3.5.105                                    10.3.5.105
webcambridge 10.3.7.107                                    10.3.5.107
Cluster IPs  N/A                                           10.3.5.5
Name         Standard Lab IP                               ClusterXL Lab IP
fwsydney     172.26.106.1  10.4.6.1  192.168.22.106        172.26.106.1  10.4.6.1  192.168.22.106
fwsingapore  172.28.108.1  10.4.8.1  192.168.22.108        172.26.106.4  10.4.6.4  192.168.22.108
websydney    10.4.6.106                                    10.4.6.106
websingapore 10.4.8.108                                    10.4.6.108
Cluster IPs  N/A                                           172.26.106.5  10.4.6.5
GENERATE FAILOVER IN NEW MODE HA CLUSTER
1. Configure the ClusterXL type for HA, then select New mode.
2. Select Switch to higher priority Gateway, under the Upon Gateway recovery option on the ClusterXL screen.
3. Start an FTP session from www.partnercity.cp to access the internal FTP server.
4. Verify that the active member is still active with cphaprob state.
5. On the active member, register a device named "faildevice" and report it as a problem:
cphaprob -d faildevice -s problem -t 0 register
The active member now goes down, because faildevice is reported as a problem, and the standby member becomes active. The FTP session should continue if synchronization is enabled.
6. Verify cluster status on both members with the cphaprob state command.
7. Verify the state of internal and external devices on the down member with cphaprob -i list. The problematic device faildevice should display as a problem.
8. Report faildevice as OK, then unregister it:
cphaprob -d faildevice -s ok report
cphaprob -d faildevice unregister
The member will become active again, because Switch to higher priority Gateway is selected in the ClusterXL screen of the cluster object.
End of lab.
LAB 15: RUNNING CPHASTART -D
Scenario: cphastart is used to start ClusterXL on a cluster member; cphastart -d runs it in debug mode, so that the start-up of an HA cluster member can be examined.
Topics:
• Running cphastop to stop ClusterXL on the cluster members
• Running cphastart -d on the cluster members
• Reviewing the cphastart -d output
RUN CPHASTOP ON CLUSTER MEMBERS
1. On each cluster member, run the command:
[expert@cpmodule]# cphastop
2. Verify whether ClusterXL has started:
[expert@cpmodule]# cphaprob state
RUN CPHASTART -D ON CLUSTER MEMBERS
3. Start the cpha service in debug mode, and redirect the output to a text file:
[expert@cpmodule]# cphastart -d >& hastart.txt
4. Wait until the prompt displays.
5. Review the text file and examine the information presented.
End of lab.
Review
• Install ClusterXL only in a distributed configuration. The SmartCenter Server cannot be installed on any cluster member.
• The SmartCenter Server controlling a cluster does not have to be local to the cluster. If local, the Server can be on any network segment, although static routes to each individual cluster member may be necessary to ensure connectivity.
• The SmartCenter Server's version (including HFA version) must be at the same or higher version as cluster members. When applying an upgrade or HFA, the SmartCenter Server must be upgraded first.
• The Cluster Control Protocol (CCP) Pings other hosts in a network segment to verify network status. Always ensure that networks other than the sync networks have other machines besides the cluster members on them.
• All cluster members must be running on the same OS, with equivalent OS patch levels applied.
• All cluster members should have a minimum of three interfaces. It is possible to run sync across an internal interface, but this is not recommended. Ideally, sync should be run across a dedicated network.
• Avoid multiple clusters on the same network segment.
• Active interface numbers need to be the same on each cluster member.
• Switches need to be compatible with Check Point multicast MAC addresses.
• Test cluster functionality by passing traffic through the cluster, not to it.
• Segregate different versions of ClusterXL from one another. Each cluster should be on its own hub, VLAN segment, or switch.
• Verify hostnames in the hosts files on all cluster members.
• Sync networks should have interface-to-interface connectivity, be connected via a hub, as opposed to a crossover cable, and not have a cluster IP assigned to them. Clusters should not share sync networks with other clusters.
• cphaprob, cpstat ha -f all, and fw ctl debug -m cluster are the main troubleshooting commands for ClusterXL.
• Kernel debugging flags are also useful when troubleshooting ClusterXL problems.
Review Answer
1. Connectivity through an NGX Load Sharing Cluster in front of a server farm is intermittent. SmartView Monitor shows the two cluster members as functional. You suspect connectivity problems may be related to the synchronization of state tables. Which of the following kernel flags may help improve performance?
B.) fwconn_merge_all_syncs
With the information given, the above is the most helpful kernel setting to change. This setting allows for connections to be entered into the state tables on both machines.
APPENDIX A: USING DBEDIT
This appendix provides an optional lab for individual practice with DbEdit.
Scenario: In this lab, you will use DbEdit to create a new service object and a new group object, and to add the service object to the group object. You will also use DbEdit to set the global property resolve_multiple_interfaces to true. This lab is ideal for environments that cannot take advantage of the Database Tool (GuiDBedit). Note that Check Point recommends using the Database Tool utility; when GuiDBedit is not available or convenient, use DbEdit carefully.
In this lab, you will run dbedit locally on the SmartCenter Server. If this command is executed from another machine in the network, the SmartCenter Server's hostname must be resolvable to its IP address from that host.
Objectives:
1. Use DbEdit to create a new object.
2. Use DbEdit to modify an object's property.
3. Use DbEdit to modify a global property value.
Topics:
• Logging in to DbEdit
• Modifying global properties
LOG IN TO DBEDIT PROMPT
[Steps 1-12 of this part of the lab are unreadable in the scan. Recoverable fragments: step 3 is "Type dbedit"; step 4 enters the hostname of the SmartCenter Server; a new TCP service on port 3333 is created and the change is written to objects_5_0.C.]
MODIFY GLOBAL PROPERTIES
1. From the dbedit prompt, change the value of the property resolve_multiple_interfaces to true, by typing the following:
dbedit > modify properties firewall_properties resolve_multiple_interfaces true
2. Make the change permanent, by typing the following:
dbedit > update properties firewall_properties
3. The message "firewall_properties updated successfully" appears. Exit dbedit, by typing quit at the dbedit prompt.
Some properties are global, some are specific to a Gateway. To modify properties that are unique to specific Gateway modules, use modify network_objects <gateway_object_name> <property_name> <value>.
End of lab.
Recommended