Check Point Software Technologies Ltd.

Check Point Security Administration NGX III Student Handbook

P/N: 701549


© 2006 Check Point Software Technologies Ltd.

All rights reserved. Check Point, Application Intelligence, Check Point Express, the Check Point logo, AlertAdvisor, ClusterXL, Cooperative Enforcement, ConnectControl, Connectra, CoSa, Cooperative Security Alliance, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, IMsecure, INSPECT, INSPECT XL, Integrity, InterSpect, IQ Engine, Open Security Extension, OPSEC, Policy Lifecycle Management, Provider-1, Safe@Home, Safe@Office, SecureClient, SecureKnowledge, SecurePlatform, SecuRemote, SecureServer, SecureUpdate, SecureXL, SiteManager-1, SmartCenter, SmartCenter Pro, Smarter Security, SmartDashboard, SmartDefense, SmartLSM, SmartMap, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartView Tracker, SofaWare, SSL Network Extender, TrueVector, UAM, User-to-Address Mapping, User Authority, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 VSX, Web Intelligence, ZoneAlarm, ZoneAlarm Pro, Zone Labs, and the Zone Labs logo, are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, and 6,496,935 and may be protected by other U.S. Patents, foreign patents, or pending applications.

Information in this document is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express permission of Check Point Software Technologies, Ltd.

International Headquarters: 3A Jabotinsky Street, Diamond Tower Ramat Gan 52520 Israel Tel: 972-3-613 1833 Fax: 972-3-575 9256

U.S. Headquarters: 800 Bridge Parkway Redwood City, CA 94065 Tel: 650-628-2000 Fax: 650-654-4233

Technical Support, Education & Professional Services: 2505 N. Highway 360, Suite 800 Grand Prairie, TX 75050 Tel: 817-606-6612 Fax: 817-606-6552

Document #: DOC-Manual-VPN-03-S-NGX

Revision: RSNGX001

Content, Graphics, Editing: Steve Luc, Theresa Chung, Derek Anderson, Mark Hoefle, Anna Gosling

CONTENTS

1 Check Point Security Administration NGX III 1
  Course Objectives 1
  Course Layout 2
  Prerequisites 2
  Recommended Setup for Labs 3
  Recommended Lab Topology 4
  IP Addresses 5
  Lab Terms 7
  Lab Stations 8
  Default Rule Base 9

2 General Troubleshooting Methods 11
  Objectives 11
  Key Terms 12
  Troubleshooting Guidelines 13
  Identifying the Problem 13
  Collecting Related Information 14
  Listing Possible Causes 15
  Testing Causes Individually and Logically 15
  Consulting Various Reference Sources 15
  What to Check Before Installing VPN-1 NGX 16
  IP Forwarding 16
  Routing 17
  Connectivity 18
  IP Forwarding and Boot Security 20
  SIC and ICA Issues 21
  SIC Port Use 21
  Root Causes 22
  Logging SIC 26
  Debugging SIC 26
  Maintaining SIC 27
  Using fwm sic_reset 31
  Network Address Translation 32
  Client-Side Destination NAT 32
  Debugging NAT 33
  Collecting Data 36
  Rule Base Issues 36
  NAT Issues 36
  Anti-Spoofing Issues 36
  SmartDashboard Issues 37
  Logging Issues 37
  Cluster Issues 38
  Security Server Issues 38
  OPSEC Server Issues 39
  LDAP Issues 39
  Core Dump and Dr. Watson Issues 40
  Review 43
  Review Questions 44
  Review Answers 45

3 File Management 47
  Objectives 47
  Key Terms 48
  cpinfo 49
  Overview 49
  cpinfo File 50
  Info View 52
  Opening SmartDashboard in Info View 59
  objects_5_0.C and objects.C 61
  objects_5_0.C 61
  objects.C 61
  Object Properties in objects_5_0.C 62
  DbEdit 63
  objects_5_0.C Editing 65
  GuiDBedit 67
  fwauth.NDB 72
  $FWDIR/lib/*.def Files 73
  Example 73
  Modifying *.def Files 74
  Log Files 75
  Active Log Files 75
  Audit Log Files 76
  Log Mechanism 76
  Troubleshooting Logging Issues 77
  Maintaining Logs and Log-Buffer Queue 78
  Configuring Object Properties 78
  Debugging Logging 81
  Analysis Tools 81
  Debugging Log 81
  Lab 1: Using cpinfo 83
  Lab 2: Analyzing cpinfo in Info View 89
  Lab 3: Using GuiDBedit 93
  Lab 4: Using fw logswitch and fwm logexport 101
  Review 107
  Review Questions 108
  Review Answers 109

4 Protocol Analyzers 111
  Objectives 111
  Key Terms 112
  tcpdump 113
  tcpdump Syntax 113
  tcpdump and Expressions 115
  Using tcpdump 116
  Viewing tcpdump Output 117
  snoop 119
  Using snoop 119
  Reading snoop Output 120
  snoop and Security 122
  snoop Limitations 122
  fw monitor 124
  Overview 124
  fw monitor Syntax 124
  INSPECT Virtual Machine 126
  Filter Expressions 127
  fw ctl chain 127
  Buffering Issues 138
  Ethereal 140
  Using Ethereal 140
  Viewing Connection Beginnings 143
  Viewing Connections Dropped by Kernel 143
  Using Filters with Ethereal 143
  Lab 5: Comparing Client-Side NAT vs. Server-Side NAT with fw monitor 149
  Review 155
  Review Questions 156
  Review Answers 157

5 NGX Debugging Tools 159
  Objectives 159
  Key Terms 160
  fw ctl debug 161
  fw ctl kdebug 161
  Kernel Modules 162
  fw ctl debug Flags 164
  Debugging fwd/fwm 169
  fwd Daemon 169
  fwm Process 169
  Debugging 169
  fwd/fwm Debug Switches 170
  Debugging without Restarting fwd/fwm 170
  Debugging by Restarting fwd/fwm 172
  Stopping fwd debug 173
  Debugging cpd 174
  Use 175
  Lab 6: Using cpd and fwm Debugging 177
  Review 181
  Review Questions 181
  Review Answers 183

6 fw Advanced Commands 185
  Objectives 185
  Key Terms 186
  fw Commands 187
  fw tab Command 188
  fw tab Options 188
  Table Attributes 189
  fw tab Examples 194
  fw ctl Commands 197
  fw ctl install 197
  fw ctl uninstall 197
  fw ctl iflist 197
  fw ctl arp 198
  fw ctl pstat 198
  fw ctl conn 205
  Other fw Commands 207
  fw sam 207
  fw lichosts 210
  fw log 210
  fw repairlog 211
  fw mergefiles 211
  fw fetchlogs 212
  fw Advanced Commands 214
  fw fwd 215
  fw fwm 215
  fw fetchlocal 216
  fw unloadlocal 217
  fw dbloadlocal 217
  fw defaultgen 218
  fw getifs 219
  fw stat 219
  fwm Commands 222
  Use 222
  fwm load 223
  fwm dbload 224
  fwm logexport 225
  fwm dbexport/fwm dbimport 227
  fwm lock_admin 228
  Lab 7: Using fw ctl pstat 229
  Lab 8: Using fw stat, fwm load, and fw unloadlocal 231
  Review 233
  Review Questions 233
  Review Answers 235

7 Security Servers 237
  Objectives 237
  Key Terms 238
  The Folding Process 239
  Overview 239
  Folding-Process Example 240
  Content-Security Rule Order 242
  Security Server Default Messages 242
  HTTP 1.0 and 1.1 243
  Troubleshooting Security Server Issues 244
  Reviewing CPU and Memory 245
  Editing fwauthd.conf 245
  Listing Possible Causes 246
  Identifying Issue Sources 247
  Analyzing Results 248
  Debugging Security Servers 249
  TD_ERROR_ALL_ALL Flag 249
  FTP Security Servers 249
  HTTP Security Servers 250

8 VPN Debugging Tools 257
  Key Terms

9 Troubleshooting and Debugging SecuRemote/SecureClient 293
  Key Terms
  Packet Flow When Connecting/IKE Negotiation 298
  Packet Flow When Connecting/Encrypting Data 298
  Link Selection for Remote Access 299
  Overview 299
  Link-Selection Methods in VPN-1 NGX 301
  SecuRemote/SecureClient Debugging Tools 306
  srfw monitor 306
  cpinfo 306
  IKE debug 307
  sr_service Debug 308
  IKE and sr_service Debug 308
  sc log Debug 309
  srfw ctl Debug 309
  Enhanced Debugging Tool 311
  Troubleshooting Table 313
  Lab 10: Observing IKE Negotiation Between a Gateway and SecureClient 319
  Lab 11: Running srfw monitor 325
  Review 329
  Review Question 330
  Review Answer 331

10 Advanced VPN 333
  Objectives 333
  Key Terms 334
  Route-Based VPN 335
  Domain-Based VPN 337
  VPN Routing Process 338
  Best Practices 339
  Configuring Numbered VTIs 341
  Dynamic VPN Routing 345
  Configuring Dynamic VPN Routing Using OSPF 345
  Wire Mode 350
  How Wire Mode Works 350
  Wire Mode in Route-Based VPN 353
  Directional VPN Rule Match 355
  Interface Groups 355
  Tunnel Management 358
  Permanent Tunnels 358
  VPN Tunnel Sharing 360
  Tunnel-Management Configuration 360
  VPN Tunnel Sharing Configuration 365
  Lab 12: Route-Based VPN Using Static Routes 367
  Lab 13: Dynamic VPN Routing Using OSPF 385
  Review 401
  Review Questions 403
  Review Answers 405

11 ClusterXL 407
  Objectives 407
  Key Terms 408
  Configuration Recommendations 409
  Recommendations for ClusterXL 409
  Recommendations for State Synchronization 410
  Troubleshooting ClusterXL 412
  cphaprob 412
  cphaprob state 414
  cphaprob -a if 417
  cphaprob -i list 418
  cphaprob -d <device> -s problem -t 0 register 419
  cpstat ha -f all 420
  fw ctl debug -m cluster 421
  Kernel Flags 424
  fwha_enable_if_probing and fwha_monitor_if_link_state 424
  fwha_restrict_mc_sockets (0 by Default) 425
  fwha_use_arp_packet_queue (0 by Default) 426
  fwha_send_gratuitous_arp_var 426

CHAPTER 1: CHECK POINT SECURITY ADMINISTRATION NGX III

Welcome to the Check Point Security Administration NGX III course. This course offers comprehensive training to enhance enterprise knowledge of VPN-1 NGX, network planning, route-based VPN, and troubleshooting procedures. Follow along as the class progresses, and take notes for future reference.

Course Objectives

1. Troubleshoot NGX product problems using troubleshooting guidelines.

2. Collect data using the cpinfo utility, for off-line viewing and troubleshooting using the Info View utility.

3. Use protocol analyzers to capture packets and analyze packet-header formats.

4. Debug NGX issues using NGX debugging commands.

5. Use fw commands to obtain critical information about NGX component status.

6. Troubleshoot Security Server issues and debug Security Servers.

7. Use VPN debugging tools for common troubleshooting practices.

8. Troubleshoot VPN-1 SecureClient/SecuRemote issues.

9. Configure VPN-1 NGX for route-based VPN and dynamic routing.

10. Configure ClusterXL and troubleshoot ClusterXL issues.

Course Layout

This course is designed for CCSEs who manage and support installations of VPN-1 NGX, and who need the tools to troubleshoot and maintain these installations. This course is also designed for CCSEs seeking their Check Point Certified Security Expert Plus NGX (CCSE Plus NGX) certification.

The following professionals benefit best from this course:

• Systems administrators

• Security managers

• Network engineers

Prerequisites

Before taking this course, Check Point recommends you take these courses: Check Point Security Administration NGX I (Rev 1.1) and Check Point Security Administration NGX II (Rev 1.1). You must pass the CCSE NGX exam before pursuing the CCSE Plus NGX certification.

Check Point also strongly suggests you have the following knowledge base:

• Working knowledge of TCP/IP

• Working knowledge of Windows and/or UNIX

• Working knowledge of network technology

• Working knowledge of the Internet

• Check Point Certified Security Administrator NGX certification

• Check Point Certified Security Expert NGX certification

Recommended Setup for Labs

The following is a sample setup for the hands-on labs that supplement this handbook:

• The Internet servers (www.yourcity.cp) cannot communicate directly with the Internet. These servers have private IP addresses. Each Security Gateway and Internet server has a unique IP address.

• You will use the following passwords in this course:

abc123 — Windows platforms

qaz123 — SecurePlatform Pro

Your instructor may provide additional passwords.

• This handbook and course use the following conventions for interface assignments on the Security Gateway:

— eth0 is assigned as the external interface.

— eth1 is assigned as the internal interface.

— eth2 is assigned as the sync network/leased-line interface.

— All interface-naming schemes are based on a SecurePlatform installation.

Recommended Lab Topology

The following is a sample eight-station lab topology:

[Figure CP00107: eight-station lab topology. Each site pairs a Security Gateway (fwrome, fwoslo, fwtoronto, fwmadrid, fwzurich, fwsydney, fwcambridge, fwsingapore) with a Web server (webrome, weboslo, webtoronto, webmadrid, webzurich, websydney, webcambridge, websingapore); fwoslo and fwsydney are drawn as hubs. Each gateway has fw int (10.x.x.1/24), fw ext (172.2x.10x.1/16) and fw sync (192.168.22.10x/24) interfaces and a default gateway of 172.2x.10x.2/16; the dallas station has int 10.5.9.1/24 and ext 172.29.109.1/16 with default gateway 172.29.109.2/16. The addresses are listed in the tables that follow.]


IP Addresses

The table below lists the IP addresses of the Security Gateways in the NGX lab topology:

VPN-1 NGX     NIC              IP Address
fwrome        fw internal      10.1.1.1/24
              fw external      172.21.101.1/16
              fw sync          192.168.22.101/24
              default gateway  172.21.101.2/16
fwoslo        fw internal      10.2.2.1/24
              fw external      172.22.102.1/16
              fw sync          192.168.22.102/24
              default gateway  172.22.102.2/16
fwtoronto     fw internal      10.1.3.1/24
              fw external      172.23.103.1/16
              fw sync          192.168.22.103/24
              default gateway  172.23.103.2/16
fwmadrid      fw internal      10.2.4.1/24
              fw external      172.24.104.1/16
              fw sync          192.168.22.104/24
              default gateway  172.24.104.2/16
fwzurich      fw internal      10.3.5.1/24
              fw external      172.25.105.1/16
              fw sync          192.168.22.105/24
              default gateway  172.25.105.2/16
fwsydney      fw internal      10.4.6.1/24
              fw external      172.26.106.1/16
              fw sync          192.168.22.106/24
              default gateway  172.26.106.2/16
fwcambridge   fw internal      10.3.7.1/24
              fw external      172.27.107.1/16
              fw sync          192.168.22.107/24
              default gateway  172.27.107.2/16
fwsingapore   fw internal      10.4.8.1/24
              fw external      172.28.108.1/16
              fw sync          192.168.22.108/24
              default gateway  172.28.108.2/16

This table lists the IP addresses of the Web servers in the NGX lab topology:

Web Server                        NIC              IP Address
webrome (www.rome.cp)             www internal     10.1.1.101/24
                                  default gateway  10.1.1.1/24
weboslo (www.oslo.cp)             www internal     10.2.2.102/24
                                  default gateway  10.2.2.1/24
webtoronto (www.toronto.cp)       www internal     10.1.3.103/24
                                  default gateway  10.1.3.1/24
webmadrid (www.madrid.cp)         www internal     10.2.4.104/24
                                  default gateway  10.2.4.1/24
webzurich (www.zurich.cp)         www internal     10.3.5.105/24
                                  default gateway  10.3.5.1/24
websydney (www.sydney.cp)         www internal     10.4.6.106/24
                                  default gateway  10.4.6.1/24
webcambridge (www.cambridge.cp)   www internal     10.3.7.107/24
                                  default gateway  10.3.7.1/24
websingapore (www.singapore.cp)   www internal     10.4.8.108/24
                                  default gateway  10.4.8.1/24
webdallas (www.dallas.cp)         www internal     172.29.109.1/16
                                  default gateway  172.29.109.2/16

Lab Terms

Yourcity — the city name for your lab station pair

Partnercity — the name of your partner city

Site number — a number between 1 and 9 assigned to your lab-station pair


Default Rule Base

The Rule Base below is the default Rule Base used throughout this handbook. Create this Rule Base now, if your instructor has not already created it for you. Note that this Rule Base has been created for city sites Rome and Oslo. Substitute your city site, based on your classroom's topology.

No.  Name                   Source                Destination           VPN          Service     Action  Track
1    NetBIOS Rule           Any                   Any                   Any Traffic  nbt, bootp  drop    None
2    SSH Access Rule        Any                   fwoslo                Any Traffic  ssh         accept  Log
3    Stealth Rule           Any                   fwoslo                Any Traffic  Any         drop    Log
4    (name illegible) Rule  Any                   www.oslo.cp           Any Traffic  http        accept  Log
5    Partner Cities Rule    Net_Oslo, Net_Madrid  Net_Madrid, Net_Oslo  Any Traffic  http        accept  Log
6    Internet Access Rule   Net_Oslo              Any                   Any Traffic  http        accept  Log
7    Cleanup Rule           Any                   Any                   Any Traffic  Any         drop    Log

Default Rule Base


CHAPTER 2: GENERAL TROUBLESHOOTING METHODS

A critical part of a Security Administrator's responsibilities is to troubleshoot network problems. This chapter provides troubleshooting guidelines: defining the problem, identifying possible causes, narrowing them to one or a few, and finding and testing fixes.

Objectives

1. Test IP forwarding, routing, and connectivity before installing VPN-1 NGX.

2. Monitor the Default Filter and Initial Policy's effect on traffic through a Security Gateway, to demonstrate the protection these offer.

3. Troubleshoot Secure Internal Communications and Internal Certificate Authority issues.

4. Troubleshoot Network Address Translation (NAT) issues.

5. Given an issue with a particular Check Point product, list the data required for troubleshooting.


Key Terms

IP forwarding

Default Filter

Initial Policy

Secure Internal Communications (SIC)

Source NAT

Destination NAT

Core file

Troubleshooting Guidelines

The variety, flexibility, and complexity of the Check Point product suite can make every problem seem unique. Despite the challenges inherent in maintaining and administering rapidly evolving security and connectivity solutions, standard troubleshooting methods are still relevant. Apply the guidelines in this section when troubleshooting NGX issues.

Identifying the Problem

Identifying a problem should begin by asking these general questions:

• Which outcome is specifically desired, but is not happening?

• What is happening, in observable and objective terms?

FAILOVER EXAMPLE

For example, when testing ClusterXL failover, start a continuous Ping from an internal host to a host outside of the cluster. Unplug the external interface from the primary member; two Pings are lost, then the Ping continues. This behavior is not a problem, but is the way ClusterXL is supposed to work. However, if after unplugging the external interface from a working primary member, the Ping continues successfully but new connections cannot pass through the cluster, the problem is probably related to gratuitous ARP.

Using the two questions previously stated, you can:

• Determine the desired activity: New connections traverse the active cluster member. This is not occurring.

• Determine what is happening, in observable and objective terms: Ping requests are replied to, but connections cannot be established.


Gratuitous ARP is a probable cause in this issue, since Ping is less reliant than a TCP connection on each machine having the correct MAC address for the cluster IP. In this specific situation, when the failover occurs (unplugging the interface), both members issue gratuitous ARP replies to announce that they own the cluster IP address. This creates problems if intermediate switches or routers do not correctly register the updated ARP information, or if a switch does not forward the updated ARP information to an upstream router; the result "pollutes" the ARP cache of all local machines. Since the Ping request is looking for its ultimate destination IP upstream of the cluster, whichever cluster member the Ping packet arrives at simply forwards the Ping to the destination.

In the case of a TCP/IP connection, such as HTTP, the routing mechanism will not be able to forward the packet through the router. This is because the indirect-connection mechanism will not be able to determine which cluster member is actually using the IP address as the next hop.

Collecting Related Information

Once a behavior has been identified as a problem, collect related information by answering the following questions:

• Under what circumstances does this problem occur?

• What changed before the problem occurred?

Collect log messages, error messages, core files, Dr. Watson output, and relevant information from related documentation. Verify the configuration of components displaying the same symptoms.

In the failover example stated earlier, the problem occurred when attempting to initiate a failover in a ClusterXL configuration. Changes before the problem occurred are currently unknown, other than the specific change initiated by unplugging the interface of the cluster member. Information related to other changes can be determined from examining NGX logs. Examining audit logs may show that another Administrator was working with the cluster object or specific cluster members. Examining system logs of that cluster member may show further information as to possible changes in the configuration. Debugging or examining process error logs can indicate if this is a configuration issue, or perhaps is a more serious problem.

Listing Possible Causes

Using the information gathered from symptoms and documentation, find as many potential causes as possible for each symptom. Put the most likely cause first on a list, and organize the others in descending order of likelihood.

Testing Causes Individually and Logically

The goal is to narrow the list to a few causes, starting from the most likely to the least likely causes. From the example failover issue, is this the only cluster experiencing this issue? If the cluster is disabled, does this problem persist? Are all connections blocked, or only some types? Does any other type of traffic other than ICMP cross the cluster?

Consulting Various Reference Sources

Release notes, Web sites, mailing lists, SecureKnowledge, and Check Point Technical Support are common reference sources. See Check Point's Web site for these sources: www.checkpoint.com

What to Check Before Installing VPN-1 NGX

In general, a machine intended as a Security Gateway must function as a gateway at the OS level before VPN-1 NGX is installed. The gateway must route among network interfaces. If routing does not work before installing VPN-1 NGX, the machine will not function as a Security Gateway.

Verify routing on the gateway system at the OS level. If VPN-1 NGX is already installed on the gateway, stop the firewall services.

IP Forwarding

When a UNIX machine boots with more than one IP interface active, it will route among interfaces by default. When an NGX Gateway is installed on UNIX, IP forwarding may be disabled. IP forwarding is the operating system's ability to forward packets from one interface to another. Manually enable IP forwarding for testing.

ENABLING/DISABLING IP FORWARDING

• Enable IP forwarding on Solaris by running ndd:

ndd -set /dev/ip ip_forwarding 1

• To disable IP forwarding, run ndd:

ndd -set /dev/ip ip_forwarding 0

• To verify the status of IP forwarding:

ndd -get /dev/ip ip_forwarding

• Verify the IP forwarding setting on SecurePlatform and SecurePlatform Pro by reading the value in the following file:

cat /proc/sys/net/ipv4/ip_forward

The output should be 1. If the value is 0, run the following to enable IP forwarding:

echo 1 > /proc/sys/net/ipv4/ip_forward

• To enable IP forwarding on Windows 2000 Server or Windows Server 2003, check the value of the Registry key IPEnableRouter; it should be 1. Enabling the Remote Access Server (RAS) service also enables IP forwarding. The path to the Registry key is:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\IPEnableRouter

Routing

Before installing an NGX Gateway, one interface on the machine must be up and running.

As a multihomed host, an NGX Gateway has routes automatically generated for its immediate networks, external and internal. The Gateway can only have one default gateway (or default route) pointing to its upstream router. If there is more than one internal network connecting to an internal router behind the Gateway, add static routes on the Gateway to reach the remote internal networks from the Gateway.

For the immediate internal network, it is sufficient to point the default gateway of each internal network's machine to the IP address of the internal interface of the NGX Gateway.
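The IP-forwarding and routing checks above, scripted as a reusable pre-installation check for a SecurePlatform (Linux) gateway. This is an added example, not code from the handbook; it assumes a Linux-style /proc/sys/net/ipv4/ip_forward file and netstat -rn output, takes both as file paths so saved copies can be checked, and uses a constructed routing table modelled on fwrome plus a hypothetical internal router 10.1.1.254 fronting a remote internal network 10.1.9.0.

```shell
#!/bin/sh
# Added example (not from the handbook): pre-installation gateway checks
# for SecurePlatform/Linux. Assumes a Linux /proc ip_forward file and
# `netstat -rn` output; both are passed as file paths so the checks can
# also be run against saved copies (for example from a cpinfo bundle).

# ip_forward_state FILE -> prints "enabled", "disabled" or "unknown"
ip_forward_state() {
    value=$(cat "$1" 2>/dev/null | tr -d '[:space:]')
    case "$value" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# default_route_count ROUTES -> number of default routes in the table.
# The handbook requires exactly one, pointing at the upstream router.
default_route_count() {
    awk '$1 == "0.0.0.0" || $1 == "default" { n++ } END { print n + 0 }' "$1"
}

# default_gateway ROUTES -> next hop of the first default route
default_gateway() {
    awk '$1 == "0.0.0.0" || $1 == "default" { print $2; exit }' "$1"
}

# has_route_to ROUTES NETWORK -> succeeds if a route for NETWORK exists
# (remote internal networks behind an internal router need static routes)
has_route_to() {
    awk -v net="$2" '$1 == net { found = 1 } END { exit found ? 0 : 1 }' "$1"
}

# precheck IPFWD_FILE ROUTES [NETWORK...] -> prints findings; returns 0 only
# if forwarding is on, exactly one default route exists and every listed
# remote internal network has a route
precheck() {
    fwd_file=$1; routes=$2; shift 2
    rc=0
    state=$(ip_forward_state "$fwd_file")
    if [ "$state" = enabled ]; then
        echo "OK: IP forwarding enabled"
    else
        echo "FAIL: IP forwarding $state (enable with: echo 1 > /proc/sys/net/ipv4/ip_forward)"
        rc=1
    fi
    n=$(default_route_count "$routes")
    if [ "$n" -eq 1 ]; then
        echo "OK: single default gateway $(default_gateway "$routes")"
    else
        echo "FAIL: expected exactly one default route, found $n"
        rc=1
    fi
    for net in "$@"; do
        if has_route_to "$routes" "$net"; then
            echo "OK: route to $net present"
        else
            echo "FAIL: no static route to remote internal network $net"
            rc=1
        fi
    done
    return $rc
}

# make_sample_data DIR -> constructed sample input modelled on fwrome:
# forwarding on, one default route via 172.21.101.2, and a static route to a
# hypothetical remote internal network 10.1.9.0 via internal router 10.1.1.254
make_sample_data() {
    mkdir -p "$1"
    printf '1\n' > "$1/ip_forward"
    cat > "$1/routes" <<'EOF'
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.1.1.0        0.0.0.0         255.255.255.0   U         0 0          0 eth1
172.21.0.0      0.0.0.0         255.255.0.0     U         0 0          0 eth0
192.168.22.0    0.0.0.0         255.255.255.0   U         0 0          0 eth2
10.1.9.0        10.1.1.254      255.255.255.0   UG        0 0          0 eth1
0.0.0.0         172.21.101.2    0.0.0.0         UG        0 0          0 eth0
EOF
}

# Stand-alone run against the constructed data. On a live gateway use:
#   netstat -rn > /tmp/routes; precheck /proc/sys/net/ipv4/ip_forward /tmp/routes 10.1.9.0
SAMPLE=${TMPDIR:-/tmp}/ngx-precheck.$$
make_sample_data "$SAMPLE"
precheck "$SAMPLE/ip_forward" "$SAMPLE/routes" 10.1.9.0
rm -rf "$SAMPLE"
```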


Connectivity

To test connectivity with the NGX Gateway in place, Ping through the Gateway from internal nodes to nodes on the external side of the Gateway, or Ping to the upstream router. Run a Ping test as follows:

1. Run fw unloadlocal on the Gateway.

2. Ping from the internal host to the Gateway's internal interface.

3. Ping to the Gateway's external interface.

4. Ping a known Internet site address or name (for example, www.yahoo.com).

To Ping a Web site's fully qualified domain name (FQDN), the Gateway must have a DNS server entry.

5. If the Ping can only reach the external interface of the Gateway, Ping from the Gateway to a known Internet site.

When using RFC-defined private addresses for internal networks, Ping test replies from the Internet will not be received by the internal hosts.

6. If you can Ping from the Gateway to the Internet, but cannot reach the Internet from an internal network, IP forwarding may not be enabled on the Gateway's OS.

7. If you can Ping all the way through, install a simple Rule Base with the necessary rules (for example, outbound HTTP), then browse known Internet sites.

To resolve FQDNs, internal hosts must have a DNS server, either on an internal network or hosted by an ISP on the Internet. Domain Name over UDP must be allowed.

Q.) One internal host behind an NGX Gateway cannot connect to the Internet. This host has just been added to the internal network. All other hosts from the same network segment can connect to the Internet, as usual. In the Rule Base, there is a rule accepting outbound HTTP traffic for the entire network, and the rule is tracked as "Log". When you open SmartView Tracker, you find no logs from that problematic host. What is the next reasonable step for troubleshooting this problem?

A.) Check the routing table on that host, and make sure the default-gateway setting is correct. Test connectivity, using Ping or traceroute, from the host to the Gateway, or beyond.

Q.) You find a log indicating HTTP is accepted, the source is that host, and the rule number is correct. But the host's browser displays "page cannot be displayed". What is the next reasonable step for troubleshooting this problem?

A.) Run fw monitor, to see if the reply packet returns to the Gateway's external interface.

IP FORWARDING AND BOOT SECURITY

SIC and ICA Issues

Secure Internal Communications (SIC) is a Certificate-based channel among SmartCenter Servers, Security Gateways, Check Point QoS, and OPSEC application servers. SIC is based on Secure Sockets Layer (SSL), with digital Certificates. When a SmartCenter Server is installed, a Certificate Authority (CA) is created by default. As a CA, the SmartCenter Server is the Internal Certificate Authority (ICA) to all components it manages. The ICA issues Certificates for all components that need to communicate with one another. For example, a Gateway needs a Certificate from a SmartCenter Server before a Security Policy can be downloaded, or before a license can be attached using SmartUpdate. Whenever any two entities (SmartCenter Server, Security Gateway, OPSEC, or Check Point QoS) need to communicate, the file sic_policy.conf is referenced.

SIC Port Use

Communication takes place over SIC, which uses the following ports:

• Port 18209 is used for communication between NGX Gateways and ICAs (status, issue, or revoke).

• Port 18210 pulls Certificates from an ICA.

• Port 18211 is used by the cpd daemon on an NGX Gateway to receive Certificates.

SIC is completely NAT-tolerant, as the protocol is based on Certificates and SIC names, not IP addresses. A NAT device between a SmartCenter Server and Security Gateway does not have any effect on the ability of a Check Point-enabled entity to communicate using SIC.


Root Causes

As a baseline for troubleshooting SIC and ICA related issues, test the following:

• Connectivity: Is any traffic (not just SIC) able to reach the Gateway? Are the necessary ports open and/or available?

• Domain name and IP resolution: Although SIC is completely NAT-tolerant, Check Point recommends eliminating this possibility, by verifying whether there has been a DNS or IP address change on the network regarding the SmartCenter Server and/or any interim routers or Gateways.

• Time: If the SmartCenter Server and the Security Gateway are located in different time zones, verify that this is not causing the conflict.

• Certificate Revocation List (CRL): Verify that the SIC Certificate is not in the CRL, or that the CRL is still reachable for current Certificates.

VERIFYING THE CERTIFICATE

View the existing Certificate assigned to the object to verify that Certificate information is correct for the object. View the certificate in SmartDashboard by selecting the VPN > Certificates List property of the specific Check Point Gateway. Select the Certificate to examine, and click the View button. The Certificate View screen displays:

Subject: CN=fwoslo VPN Certificate,O=mgmtoslo..uwoypr
Issuer: O=mgmtoslo..uwoypr
Not Valid Before: Mon Jan 30 16:28:00 2006 Local Time
Not Valid After: Sun Jan 30 16:28:00 2011 Local Time
Serial No.: 65136
Key Size: 1024
Subject Alternate Names:
IP Address: 172.22.102.1
CRL distribution points:

Certificate View of fwoslo's ICA Certificate


Check Point also includes the ICA Management Tool in VPN-1 NGX, which can be configured on a SmartCenter Server and used independently of SmartDashboard to view and manage Certificates:

ICA Management Tool (browser screenshot of the Manage Certificates page, with search by user name, type, status and serial number)

Refer to the SmartCenter user guide and sk30501 "Setting up the ICA Management Tool" at http://secureknowledge.checkpoint.com, for configuration information.

The CRL and Certificates can also be viewed from the CLI using the vpn crlview command. The syntax for the command is:

vpn crlview -obj <network object> -cert <certobj>

vpn crlview -f <certfile>

vpn crlview -view <crlfile>

VERIFYING AVAILABLE CPD PORTS

To determine whether SIC is listening to the cpd ports, use the following commands:

Windows — netstat -na | find "18211"

UNIX — netstat -na | grep 18211

The output is like the following:

TCP 0.0.0.0:18211 0.0.0.0:0 LISTENING

To verify the Gateway is listening for the SmartCenter Server, use the cpd -d command. The output is below:

SIC initialization started

Read the machine's sic name: CN=module,O=mngmt.domain.com.szno9r

Initialized sic infrastructure

SIC certificate read successfully (means module already has a certificate)

Initialized SIC authentication methods

On SecurePlatform, run this command from the Expert Mode prompt.

— On SecurePlatform or SecurePlatform Pro, run the cpd debug and redirect the output to a separate file:

set OPSEC_DEBUG_LEVEL=3

set TDERROR_ALL_ALL=1/2/3

cpd -d >& cpd-output

If you run cpd -d without >& and the output filename, the output displays on-screen.

Maintaining SIC

Following are recommended practices to set up and maintain SIC.

USING CORRECT FQDN TO INITIALIZE ICA

If the FQDN for the SmartCenter Server is not correct, the ICA cannot initialize successfully. Make sure the FQDN has the correct hostname and domain name. Make sure the SmartCenter Server's hostname is entered correctly in the hosts file.

AVOIDING RENAMING GATEWAY OBJECT

The Certificate issued by the ICA (SmartCenter Server) is for a specific hostname and IP address. Once the hostname has changed, the Certificate is no longer valid. Plan carefully in terms of the naming conventions for all of your Gateways, including the ICA itself, before you start installing and configuring. If you must rename a Gateway after SIC is established, follow the steps below:

On the relevant Security Gateway:

1. Rename the hostname according to the requirements of the OS.

2. Reboot the machine, if necessary.

3. Use the cpconfig tool to reinitialize SIC for the newly created Gateway.

4. Enter a new one-time password.


On the SmartCenter Server, make sure its hosts file has the new hostname and

C H E C K I N G R O U T I N G A N D C P D C O N N E C T I O N S

S Y N C H R O N I Z I N G C L O C K S


Q.) Your SmartCenter Server is behind your organization's perimeter Gateway, with Static NAT configured on the perimeter Gateway. You have a new NGX Gateway in another city, and you must set up SIC. When you try to initialize SIC, you receive the error "initialized but not trusted". What are reasonable steps to troubleshoot this error?

A.) Check the hosts file on the remote Gateway, and make sure the SmartCenter's hostname resolves to its public IP address. Check if there is any rule in the Policy blocking traffic between the SmartCenter Server and remote Gateway.

RESETTING SIC

The term "resetting SIC" is often used interchangeably for two different actions. Each has a different level of severity associated with it, depending on the context.

When working with a Security Gateway, performing a SIC reset refers to forcing the ICA on the SmartCenter Server to update the CRL, so that the specific Gateway's Certificate is revoked; the Administrator then creates a new, updated Certificate. When working with a SmartCenter Server, resetting SIC refers to running the command fwm sic_reset, which revokes all Certificates and destroys the existing copy of the ICA.

Resetting SIC is not recommended as a first troubleshooting step to fix a SIC problem. SIC resetting should be performed as a last resort, and should be scheduled after business hours.


Using fwm sic_reset

Resetting SIC on the ICA (SmartCenter Server) can have serious implications for Policy installation, logging, and other important daily functions, such as VPN. Therefore, Check Point does not recommend resetting SIC on an ICA in most situations, especially in an enterprise environment where multiple remote Gateways are communicating through a VPN, using Certificates issued by the ICA. When you reset SIC on an ICA, VPN tunnels will be interrupted, because all IKE Certificates are to be destroyed before the ICA can be reset. After the ICA SIC is reset, you must reset SIC on all managed Gateways.

In some unusual situations, using the fwm sic_reset command is necessary, for example, when the SmartCenter Server's IP address or hostname is changed.

Network Address Translation

Network Address Translation (NAT) can be used to translate either IP address in a connection. When translating the IP of the machine initiating the connection (typically the "client" of the connection) this is referred to as Source NAT. An example of this would be a network behind a Security Gateway that uses a nonroutable IP address range, but is hidden behind the Gateway's external IP address on Internet-bound connections.

Destination NAT is used when the IP address of the machine receiving the connection is translated. This address is also known as the "server" side of the connection. An example of this would be a statically translated Web server behind a Security Gateway.

Client-Side Destination NAT

Before VPN-1 NGX, all NAT occurred at the "server side" of the kernel, i.e., on the outbound side of the kernel closest to the server. When NAT occurs in this configuration, address spoofing and routing must be configured correctly. As of VPN-1 NGX, the default method for Destination NAT is "client side", where NAT occurs on the inbound interface closest to the client. Assume the client is outside the Gateway, and the server is inside the Gateway with automatic Static NAT configured. When the client starts a connection to access the server's NAT IP address, the following happens to the original packet in a client-side NAT:

ORIGINAL PACKET

1. The packet arrives at the inbound interface, and passes Security Policy rules.

2. If accepted, the packet is entered into the connections table.

3. The packet is matched against NAT rules for the destination. The packet is translated if a match is found.


4. The packet arrives at the TCP/IP stack of the NGX Gateway, and is routed to the outbound interface.

5. The packet goes through the outbound interface, and is matched against NAT rules for the source.

6. NAT takes place, if a match is found for translating the source.

7. The packet leaves the Security Gateway.

REPLY PACKET

1. The reply packet arrives at the inbound interface of the Gateway.

2. The packet is passed by the Policy, since it is found in the connections table.

3. The packet's destination, which is the source of the original packet, is translated according to NAT information in the tables.

4. The packet arrives at the TCP/IP stack of the Gateway, and is routed to the outbound interface.

5. The packet goes through the outbound interface. The packet's source, the destination of the original packet, is translated according to the information in the NAT tables.

6. The packet leaves the Gateway.
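As an added illustration (not code from the course or from Check Point), the following Python model walks a packet through the client-side Destination NAT steps above: Policy lookup on the untranslated packet, a connections-table entry, Destination NAT on the inbound side, routing to the real address, Source NAT on the outbound side, and the reply translated from the tables rather than from NAT rules. The Rule Base, NAT mappings and addresses are constructed for the example; ports are carried but not translated.

```python
"""Model of the NGX client-side Destination NAT packet flow (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    """IP/TCP 4-tuple. Ports are carried but not translated in this model."""
    src: str
    dst: str
    sport: int
    dport: int

    def reply(self) -> "Packet":
        """The 4-tuple the other side uses when it answers this packet."""
        return Packet(self.dst, self.src, self.dport, self.sport)


class ClientSideNatGateway:
    """Follows the ORIGINAL PACKET and REPLY PACKET steps in the text."""

    def __init__(self, policy: Callable[[Packet], bool],
                 static_nat: Dict[str, str], hide_nat: Dict[str, str]):
        self.policy = policy          # Rule Base lookup, done on the untranslated packet
        self.static_nat = static_nat  # NAT IP -> real server IP (automatic Static NAT)
        self.hide_nat = {ipaddress.ip_network(n): ip for n, ip in hide_nat.items()}
        self.connections: Dict[Packet, Optional[Packet]] = {}  # original -> as sent out
        self.reply_index: Dict[Packet, Packet] = {}  # expected reply -> translated reply
        self.trace: List[str] = []

    def original(self, pkt: Packet) -> Optional[Packet]:
        """Client-to-server packet; returns the packet as it leaves, or None if dropped."""
        t = self.trace
        t.append(f"1. inbound {pkt}")
        if not self.policy(pkt):                      # 1. Security Policy rules
            t.append("   dropped by the Policy")
            return None
        self.connections[pkt] = None                   # 2. entered into the connections table
        real = self.static_nat.get(pkt.dst)            # 3. NAT rules for the destination
        cur = Packet(pkt.src, real, pkt.sport, pkt.dport) if real else pkt
        t.append(f"3. dst NAT -> {cur.dst}" if real else "3. no dst NAT match")
        t.append(f"4. routed to {cur.dst}")            # 4. routing already sees the real address
        hide = next((ip for net, ip in self.hide_nat.items()
                     if ipaddress.ip_address(cur.src) in net), None)
        cur = Packet(hide, cur.dst, cur.sport, cur.dport) if hide else cur  # 5-6. src NAT
        t.append(f"5-6. src NAT -> {cur.src}" if hide else "5-6. no src NAT match")
        self.connections[pkt] = cur                    # the table now records both translations
        self.reply_index[cur.reply()] = pkt.reply()
        t.append(f"7. leaves as {cur}")
        return cur

    def reply(self, pkt: Packet) -> Optional[Packet]:
        """Server-to-client packet; translated from the tables, not from NAT rules."""
        t = self.trace
        t.append(f"1. inbound reply {pkt}")
        target = self.reply_index.get(pkt)             # 2. found in the connections table?
        if target is None:
            t.append("   dropped: no connections-table entry")
            return None
        t.append("2. passed by the Policy (connections table)")
        cur = Packet(pkt.src, target.dst, pkt.sport, pkt.dport)   # 3. dst = original source
        t.append(f"3. dst translated -> {cur.dst}")
        t.append(f"4. routed to {cur.dst}")
        cur = Packet(target.src, cur.dst, cur.sport, cur.dport)   # 5. src = original destination
        t.append(f"5. src translated -> {cur.src}")
        t.append(f"6. leaves as {cur}")
        return cur


def build_gateway() -> ClientSideNatGateway:
    """Constructed setup: HTTP accepted, one statically NATed server, hide NAT for 10.1.0.0/16."""
    return ClientSideNatGateway(
        policy=lambda p: p.dport == 80,
        static_nat={"203.0.113.10": "10.1.1.10"},
        hide_nat={"10.1.0.0/16": "203.0.113.1"})


def demo_static_nat():
    """External client to the NATed server (the scenario described in the text)."""
    gw = build_gateway()
    out = gw.original(Packet("198.51.100.5", "203.0.113.10", 40000, 80))
    back = gw.reply(out.reply())          # the server answers the address it saw
    return out, back


def demo_hide_nat():
    """Internal client to the Internet, hidden behind the Gateway's external IP."""
    gw = build_gateway()
    out = gw.original(Packet("10.1.2.50", "192.0.2.25", 50000, 80))
    back = gw.reply(out.reply())
    return out, back


if __name__ == "__main__":
    gw = build_gateway()
    gw.original(Packet("198.51.100.5", "203.0.113.10", 40000, 80))
    gw.reply(Packet("10.1.1.10", "198.51.100.5", 80, 40000))
    print("\n".join(gw.trace))
```

The trace of demo_static_nat shows why no static route is needed: by step 4 the destination is already the server's real address.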

The packet's destination is translated on the inbound side, so it is routed correctly without any need to add a static route on the Gateway.

Debugging NAT

fw ctl debug is the primary command for observing the NGX kernel's actions on a packet. It is also used for configuring debugging on almost any action that VPN-1 NGX can take on a packet or connection. The standard format for the command is as follows:

fw ctl debug

Running this command from the CLI produces a list of currently running modules and debugging flags. When the command is issued with an argument following it, the default kernel module acted on is the fw module.

FW CTL DEBUG ARGUMENTS

The following are the arguments for fw ctl debug:

-buf <size>     Allocates the kernel buffer used by the debug process for its output

+ <flag name>   Enables the debugging flag named after the +, such as fw ctl debug + smtp

-x              Disables all debugging flags

0               Resets all debugging flag values to default settings

-m <module>     Specifies the kernel module whose flags are set; without it, the fw module is used

kdebug -f       Reads the debug buffer; redirect the output to a file, for example fw ctl kdebug -f >& <file>

DEBUGGING NAT PROCESS

Collecting Data

This section identifies data to be collected for troubleshooting particular issues.

Rule Base Issues

To begin troubleshooting an issue with an NGX Rule Base, collect the relevant log records, fw monitor capture file, and cpinfo file.

NAT Issues

For NAT issues, collect the following information:

• cpinfo file

• Network-configuration diagram

• fw monitor

• fw ctl debug, as follows:

fw ctl debug -buf

fw ctl debug + xlate xltrc

fw ctl kdebug -f > /tmp/kdebug.out

— Press CTRL + C to stop the debugging session.

— Disable fw ctl debug by running: fw ctl debug 0

Anti-Spoofing Issues

To troubleshoot anti-spoofing issues, collect the following:

• cpinfo file

• Network-configuration diagram

• fw monitor capture file


SmartDashboard Issues

If there is an issue logging in to SmartConsole, verify the following items:

1. SmartDashboard compatibility with the SmartCenter Server: From the Help menu in SmartDashboard, check the build number of the SmartDashboard. Make sure the build number is compatible with the SmartCenter Server, according to NGX release notes.

2. Verify the fwm process is up and running on the SmartCenter Server.

3. Verify the GUI client's IP address is addressed correctly in the cpconfig utility on the SmartCenter Server. Alternately, verify that the IP address from where SmartDashboard is launched is defined in the GUI client's file.

4. Collect the following data:

• cpinfo file

• Error messages from the log and console

• fwm debug, by running the following command: fw debug fwm on TDERROR_ALL_ALL=4

This sets fwm to debug "on the fly" and writes the output to $FWDIR/log/fwm.elg.

Logging Issues

1. Collect the following:

• Log files

• cpinfo file

2. For Smart View Tracker issues, run the command fwm logexport to ensure all columns are complete.

3. If log records are not written to the log file and fw log and fwm logexport do not show new records, run fwd -d -D. This includes a special debugging option for FW1_LOG connections.


Cluster Issues

Collect the following:

• fw monitor file from relevant interfaces

• cpinfo file from the SmartCenter Server and all cluster members

• Network-configuration diagram

• Information about switches used in the cluster environment, if any

Issue the following command simultaneously on all cluster members:

fw tab -s -t connections > file_name

Since the introduction of per-service synchronization, the fw tab -u command is not as useful in verifying that State Synchronization is working in a running cluster.

Security Server Issues

Collect the following:

• cpinfo file

• Error messages from the SmartCenter Server's logs and console

• fw monitor -u (The -u switch configures fw monitor to capture traffic and include the UUID of the connections and objects involved in that session).

• Appropriate log files from the Security Gateway's $FWDIR/log directory:

ahttpd.elg

aftpd.elg

asmtpd.elg

OPSEC Issues

Collect the following:

• fwopsec.conf file

• cvp.conf file on the CVP server

• fwd debug, by running: fw debug fwd on

To stop the fwd debug, run: fw debug fwd off

LDAP Issues

Collect the following:

• fw monitor capture file

• fwd debug

• LDAP logs

3. To verify whether the core dump was caused by VPN-1 NGX, run the command:

• file core

The output is the name of the executable that caused the core dump. Also collect:

• cpinfo, while the system is in the state that caused the core

• Full description of the problem

DR. WATSON OUTPUT

Collect the following information:

• Fresh Dr. Watson file (drwtsn32.log); this file should contain only the current instance of Dr. Watson output.

• cpinfo taken from the system while in the status causing the Dr. Watson error

• Full description of the problem

• user.dmp file

• memory.dmp file

• system.dmp file for blue screen of death

Q.) How do I change the default locations of drwtsn32.log, user.dmp or memory.dmp?

A.) Open a Dr. Watson screen by running drwtsn32 from the command prompt. Only an Administrator can change Dr. Watson configurations.

REVIEW

CHAPTER 3: FILE MANAGEMENT

Regular file maintenance is necessary to maintain a properly running system. In case of emergencies, the cpinfo utility can be used to view configuration details from an offline copy of the configuration. Log files may give an indication of what contributed to the emergency.

Objectives

1. Collect data using the cpinfo utility, for off-line viewing and troubleshooting using the Info View utility.

2. Use DbEdit or GuiDBedit to view and manipulate *.c and *.def files and observe their impact on Security Gateway functionality.

3. Manage the fwauth.NDB file to maintain the user database.

4. Use log commands to observe and manipulate log files.

Key Terms

• cpinfo

• objects_5_0.C

• objects.C

• DBedit

• Log Unification Unique ID (LUUID)

cpinfo File

FILES

A complete collection of files is obtained from the following NGX directories:

$FWDIR/conf

$FWDIR/lib

$FWDIR/state

$FWDIR/database

$FWDIR/log

These files may be extracted and used to replicate a remote NGX installation on a test network, for troubleshooting or

The cpinfo file contains detailed information about NGX

cpinfo files should be

Once cpinfo runs, it may take some time to complete. Do not stop

WINDOWS

C:\WINDOWS\FW1\R60\fw1\bin\cpinfo > cpinfo.txt

The resulting file will not be compressed or encoded. Compress this file using a ZIP utility, if the cpinfo file is sent to Check Point Technical Support for analysis. The output on a Windows server is a *.txt file, which you can view with a text editor.

UNIX

1. Log in as superuser or in Expert Mode.

2. Execute the following script:

$CPDIR/bin/cpinfo | compress | uuencode cpinfo.Z > /tmp/cpinfo.uue

The cpinfo script does the following:

• Runs the cpinfo script, where the directory is compressed to the file cpinfo.tar

• Uses gzip to compress the file to fw.tar.gz

• Uuencodes the gzip file to the filename cpinfo

• Compresses cpinfo, using standard UNIX compression; modifies the name to cpinfo.Z

• Uuencodes cpinfo.Z into the file /tmp/cpinfo.uue

To extract the cpinfo.uue file on a UNIX platform, run the following:

1. # uudecode cpinfo.uue, which decodes into the file cpinfo.Z

2. # uncompress cpinfo.Z, to uncompress into the file cpinfo

3. # uudecode cpinfo, to decode into the file fw.tar.gz

4. # gunzip fw.tar.gz, to uncompress the file fw.tar

5. # tar -xvf fw.tar, to expand the directories into the following:

conf/

lib/

state/

database/

log/


InfoView

A quick and easy way to look at a customer's Rule Base and objects is to open SmartDashboard using a cpinfo output file. This is done by using InfoView, a Check Point utility. InfoView is only available for Check Point Certified Support Partners (CSPs) with valid CSP login credentials. To view cpinfo from InfoView, open the InfoView window first, and drag cpinfo output to the InfoView window:

cpinfo Loaded in InfoView (InfoView screenshot: the left pane lists the sections of the cpinfo file, such as CP components, CP Product keys, VPN-1 and FireWall-1 version information, FireWall-1 Status and FireWall-1 Tables; the right pane lists the tests, such as Hosts File, License-Object, Duplicate Objects, All Interfaces and I/F-Object, each shown as Not tested)

INFORMATION TESTING

Depending on the problem you are troubleshooting, you can look for different information in cpinfo. The right pane of InfoView displays a list of information you can test, for example, hostname, licensing, and duplicate objects. InfoView gives you quick results, but not detailed information; detailed information can be found in the left pane of InfoView. Test items and their purpose are shown in the table below:

Test item            Purpose

Hosts File           Verify hosts file.

License-Object       Verify that every license has a corresponding interface in the machine's object.

Duplicate Objects    Check for duplicate objects in the objects file.

All Interfaces       Run tests on all interfaces of the machine.

Machine Interfaces   Verify the validity of the object representing the tested machine.

I/F-Object           Verify that the machine is referred to in the objects file.

Process              Verify that the percent of CPU time of Check Point related processes does not exceed a certain limit (80%).

pstat                Check that values in FireWall-1 Statistics and SecuRemote Statistics (fw ctl pstat) are at a reasonable limit.

IP fwd               Check IP forwarding.

License              Check licensing.

Support HotFix       Verify whether there are HotFixes installed on the machine.

TEXT INFORMATION

In the following example, this cpinfo indicates the machine is a primary SmartCenter Server and not a Gateway, because the value of the management key is 1 and FireWall key is 0:

CP Product keys

key: CPDIR C:\Program Files\CheckPoint\CPShared\R60
key: ISCONFIGURED 1

key: Auth 0
key: Encryption 1
key: FireWall 0
key: FWDIR C:\WINDOWS\FW1\R60\fw1
key: FWManagement 1
key: IsConfigured 1
key: Management 1
key: Primary 1
key: ProductName FireWall-1
key: Unlimit 1
key: SecuRemote

CP Product keys Screen

SYSTEM INFORMATION

System information can also be found in cpinfo. This includes the OS name, version and build number, environment variables, CPU and memory use of running processes (from ps -auxww), and file system use (from df -k):

System Information (InfoView screenshot: the System Information node lists date, hostname, uname -a, SecurePlatform Version, hostid, OS data from file /etc/issue, uptime, ps auxww, vmstat, lsdev -C, env, df -k, df -k /opt/CPsuite-R60/fw1, Package Manager Report (rpm), List PCI devices, Free Memory Information, Slab Information (slabinfo), Additional Memory Information (meminfo), Additional Cpu Information (cpuinfo) and IP Interfaces)

INTERFACE AND ROUTING INFORMATION

Interface information can also be found in cpinfo. ifconfig -a gives a list of all interfaces and their status; fw ctl iflist lists the interfaces bound to the NGX kernel. If the fw ctl iflist and ifconfig -a outputs have discrepancies, some interfaces are not recognized by the NGX kernel, which can cause various problems, such as Policy installation failure or dropped traffic. The interface names and IP addresses in the ifconfig -a list must be identical to those in the Topology screen of the Gateway object. Make sure you obtain the correct interface names and IPs when clicking the Get button in the Topology screen of the Gateway object.
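The three-way comparison described above, as an added example that is not part of the course material: a small Python script that parses constructed ifconfig -a and fw ctl iflist output, compares them with a constructed Topology list for the Gateway object, and reports each interface that the NGX kernel does not know about or whose Topology entry is stale.

```python
"""Cross-check ifconfig -a, fw ctl iflist and the Gateway object's Topology (added example)."""
import re
from typing import Dict, List, Set

# Constructed sample of ifconfig -a output on a SecurePlatform Gateway.
IFCONFIG_SAMPLE = """\
eth0      Link encap:Ethernet  HWaddr 00:0C:29:AA:BB:01
          inet addr:172.22.102.1  Bcast:172.22.102.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
eth1      Link encap:Ethernet  HWaddr 00:0C:29:AA:BB:02
          inet addr:10.2.1.1  Bcast:10.2.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
eth2      Link encap:Ethernet  HWaddr 00:0C:29:AA:BB:03
          inet addr:192.168.50.1  Bcast:192.168.50.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
"""

# Constructed sample of fw ctl iflist output: eth2 is not bound to the NGX kernel.
IFLIST_SAMPLE = """\
0 : eth0
1 : eth1
"""

# Constructed Topology of the Gateway object (name -> IP): eth1 was changed on the OS
# without clicking Get again, and eth2 was never fetched.
TOPOLOGY_SAMPLE = {"eth0": "172.22.102.1", "eth1": "10.2.1.2"}


def parse_ifconfig(text: str) -> Dict[str, str]:
    """Map interface name -> IPv4 address ("" when the interface has none)."""
    ifaces: Dict[str, str] = {}
    current = None
    for line in text.splitlines():
        head = re.match(r"^(\S+)\s", line)       # interface header lines start in column 0
        if head:
            current = head.group(1)
            ifaces.setdefault(current, "")
            continue
        addr = re.search(r"inet addr:(\d+(?:\.\d+){3})", line)
        if addr and current:
            ifaces[current] = addr.group(1)
    return ifaces


def parse_iflist(text: str) -> Set[str]:
    """Interfaces bound to the kernel, from lines of the form '<n> : <name>'."""
    return {m.group(1) for m in re.finditer(r"^\s*\d+\s*:\s*(\S+)", text, re.M)}


def check_interfaces(ifconfig_text: str, iflist_text: str,
                     topology: Dict[str, str]) -> List[str]:
    """Return one finding per discrepancy; an empty list means everything agrees."""
    findings: List[str] = []
    os_ifaces = parse_ifconfig(ifconfig_text)
    kernel_ifaces = parse_iflist(iflist_text)
    for name, ip in os_ifaces.items():
        if name == "lo":                           # loopback is never bound to the kernel
            continue
        if name not in kernel_ifaces:
            findings.append(f"{name}: in ifconfig -a but not in fw ctl iflist (not bound to the NGX kernel)")
        if name not in topology:
            findings.append(f"{name}: missing from the Gateway object's Topology")
        elif topology[name] != ip:
            findings.append(f"{name}: Topology has {topology[name]} but ifconfig -a shows {ip}")
    for name in sorted(kernel_ifaces - set(os_ifaces)):
        findings.append(f"{name}: in fw ctl iflist but not in ifconfig -a")
    return findings


if __name__ == "__main__":
    for finding in check_interfaces(IFCONFIG_SAMPLE, IFLIST_SAMPLE, TOPOLOGY_SAMPLE):
        print(finding)
```

On a real Gateway the two text inputs come from the cpinfo file or from running the commands; the Topology list is read from the object in SmartDashboard.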


netstat provides routing table, ARP table and TCP socket information. These are important tools for troubleshooting connectivity issues.

IP Interface and netstat Information (InfoView screenshot: the tree shows FireWall-1 Version Information, CPShared Version Information, System Information, Source File versions, FireWall-1 Tables, FireWall-1 Tables - Short Format with "The number of tables: 296", and FireWall-1 Tables - Log Format)

FIREWALL-1 TABLES

FireWall-1 table information can be found in a Gateway's cpinfo; a SmartCenter Server's cpinfo does not contain table information. The InfoTab button displays the content of a table in hexadecimal and decimal format. The following example shows a FireWall-1 table displayed by clicking the InfoTab button at the top. From it you can tell the types of traffic passing through the Gateway kernel when cpinfo was run, and you can compare the connections-table information for particular traffic across two or more cluster members.

InfoTab Screen

H I G H A V A I L A B I L I T Y I N F O R M A T I O N

High Availability information can be found in a Gateway's cpinfo file; cpinfo from a SmartCenter Server-only machine does not have High Availability information.

Opening SmartDashboard in InfoView

SmartDashboard can be opened from InfoView, as long as the cpinfo is from a SmartCenter Server; cpinfo from a Gateway-only machine cannot be used to open SmartDashboard.

To open SmartDashboard inside InfoView:

1. Highlight the hostname on the top of the left pane:

Hostname Highlighted (InfoView screenshot: the hostname node at the top of the left pane is selected, above CP components, CP Product keys, System Information, the version information entries, FireWall-1 Status, IP Interfaces and FireWall-1 Tables)

2. Click the SmartDashboard icon at the top of the window, then click Explicit:

SmartDashboard Icon

59

Page 74: Check Point Security Administration III NGX- Searchable

Aquaforest TIFF Junction Evaluation

cpinfo

3. Select the correct FwPolicy.exe file on your local drive, from where you installed SmartConsole:

FwPolicy.exe Selected (Open dialog screenshot: Look in the PROGRAM folder, FwPolicy selected, Files of type: Policy Editor (fwpolicy.exe))

4. Click Open. SmartDashboard opens.

60

Page 75: Check Point Security Administration III NGX- Searchable

Aquaforest TIFF Junction Evaluation

objects _5_0. C and objects. C

O B J E C T S _ 5 _ O . C A N D O B J E C T S . C i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i

objects_5_0 .C

The objects_5_0.C file contains a section of properties whose values affect global NGX behavior. Normally, this file is not modified directly, but rather through SmartDashboard > Policy > Global Properties. objects_5_0.C also stores network objects, server objects, service objects, time objects, and other miscellaneous data. There are some selections requiring additions or modification that are not controllable through SmartDashboard.

objects_5_0.C is the master file that fwm recognizes for its normal operation, so it must be created as part of an NGX installation. The file is either newly created on installation of VPN-1 NGX, or upgraded from VPN-1/FireWall-1 4.1.

objects.C

objects_5_0.C is used only by the SmartCenter Server. During Policy compilation, the objects.C file is generated from objects_5_0.C and passed to the NGX Security Gateway; it contains the information the Gateway requires for its operation. The objects_5_0.C and objects.C files are located in the $FWDIR/conf/ directory. A new objects.C file is created, along with a new Policy, every time a Policy is installed on a Gateway.

Object Properties in objects_5_0.C

objects_5_0.C is a master list of properties. The objects listed in the file are definitions of how VPN-1 NGX manipulates traffic that passes through its kernel to the real-world resources represented by those objects. The properties of these objects further define how VPN-1 NGX inspects and manipulates this traffic. The file starts with global properties, followed by SmartCenter Server object properties, then gateway-object properties, and other objects' properties. The following is gateway object fwoslo's Certificate property:

[Screenshot: the certificates property of gateway object fwoslo in objects_5_0.C; legible fields include ca and direct_ca (both referencing internal_ca), dn, generated_by_auto_enrollment (true) and status (signed)]

objects_5_0.C Properties


DbEdit

To modify objects_5_0.C, use the DbEdit utility, which allows the creation, modification, and deletion of objects. The utility is located in the $FWDIR/bin directory. objects_5_0.C is modified using the following syntax:

DbEdit [-s server] [-u user] [-p password] [-f filename]

Option        Explanation

-s server     The IP address or resolvable hostname of the SmartCenter Server

-u user       The Administrator's username for the SmartCenter Server

-p password   The Administrator's password for the SmartCenter Server

-f filename   The file containing the creation or modification commands DbEdit is to perform

Using the DbEdit utility validates and verifies changes and records them in the Audit log. Because of this validation process, it is a better method than editing the files directly.

DBEDIT COMMANDS

Following are the commands for DbEdit:

Command   Explanation

create    Creates an object with its default values; this command does not commit the object to the database. The create command may use an extended or owned object.

modify    Modifies fields of an object that is either 1) stored in the database, in which case the command locks the object, or 2) newly created by DbEdit, in which case the modifications are kept by the client until committed to the database by the update or quit command.

update    Updates the database with the object; this command checks object validity and issues an error message if the object is invalid. Invalid fields can be corrected using the modify command.

delete    Deletes an object from the database, and from the client's implicit database.

quit      Quits and updates the database with modified objects that are not yet committed.

The modify command allows the use of extended formats for owned objects:

[field_name] = Field_A.Field_B

DbEdit uses the TDERROR mechanism to print detailed status and error messages. The TDERROR TopicName is given the DBEDITLOGS value. This is an example of this variable set on Solaris:

set TDERROR_DBEDITLOGS = 3

SYNTAX

create <object_type> <object_name>

modify <table_name> <object_name> <field_name> <value>

update <table_name> <object_name>

• Following is an example of the create command:

create tcp_service my_service

• Following is an example of the modify command:

modify services my_service port 8080

• Once the modifications are complete, an update is necessary:

update services my_service

It is not possible to change the name of a gateway object, because the name is used in the object's Certificate.

objects_5_0.C Editing

Before editing the objects_5_0.C file:

1. Close all running instances of SmartConsole.

2. Back up the original $FWDIR/conf/objects_5_0.C to another directory.

3. From a command line, run DbEdit.

4. Enter a resolvable hostname or IP address, when prompted.

5. Enter the username and password of the Administrator when prompted. The following is a sample command, modifying a value in a property under the firewall_properties table in the objects_5_0.C file:

modify properties firewall_properties hclient_enable_new_interface false

The above command changes the hclient_enable_new_interface (true) property to hclient_enable_new_interface (false).
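The ':name (value)' nesting shown in the certificate property above is regular enough to parse, and a parser lets the Administrator compare the backup copy taken in step 2 with the edited file to confirm exactly which property a DbEdit modify changed. The following is an added example, not Check Point code: its sample file, object names and values are constructed, and it assumes the layout seen in the handbook's screenshots (one '( ... )' block of ':key ( ... )' entries, with quoted strings that contain no escaped quotes).

```python
"""Parser for the ':name (value)' text format of objects_5_0.C / objects.C.
Added example, not Check Point code; it assumes the layout seen in the handbook's
screenshots and that quoted strings contain no escaped quotes."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
# Constructed sample in the objects_5_0.C style; names and values are made up.
SAMPLE = '''(
    :properties (
        :firewall_properties (firewall_properties
            :hclient_enable_new_interface (true)
        )
    )
    :network_objects (
        : (fwoslo
            :certificates (
                : (defaultCert
                    :ca (ReferenceObject :Name (internal_ca) :Table (servers))
                    :dn ("CN=fwoslo VPN Certificate,O=mgmtoslo..example")
                )
            )
        )
    )
)'''

TOKEN = re.compile(r'\s*(?:(?P<open>\()|(?P<close>\))'
                   r'|:(?P<key>"[^"]*"|[^\s()"]*)|(?P<atom>"[^"]*"|[^\s()"]+))')

@dataclass
class Node:
    name: Optional[str]            # key after ':'; None for anonymous ': (' entries
    value: Optional[str] = None    # leading scalar, e.g. 'true' or 'ReferenceObject'
    children: List["Node"] = field(default_factory=list)

    def child(self, key: str) -> Optional["Node"]:
        # match a key, or the leading value of an anonymous entry such as ': (fwoslo'
        return next((c for c in self.children if c.name == key or (c.name is None and c.value == key)), None)

    def get(self, *path: str) -> Optional[str]:
        node: Optional[Node] = self
        for key in path:
            node = node.child(key) if node else None
        return node.value if node else None

def tokenize(text: str) -> List[Tuple[str, str]]:
    """Split text into ('open'|'close'|'key'|'atom', text) tokens."""
    toks, pos = [], 0
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if m is None:                      # only trailing whitespace may remain
            if text[pos:].strip():
                raise ValueError(f"unexpected input at offset {pos}")
            break
        pos = m.end()
        toks.append((m.lastgroup, m.group(m.lastgroup).strip('"')))
    return toks

def parse(text: str) -> Node:
    """Parse a whole file: one '( ... )' block whose entries are ':key ( ... )'."""
    toks, pos = tokenize(text), 0

    def expect(kind: str) -> str:
        nonlocal pos
        if pos >= len(toks) or toks[pos][0] != kind:
            raise ValueError(f"expected {kind} at token {pos}")
        pos += 1
        return toks[pos - 1][1]

    def block(node: Node) -> Node:
        # grammar: '(' [scalar] { ':key' block } ')'
        expect('open')
        if pos < len(toks) and toks[pos][0] == 'atom':
            node.value = expect('atom')
        while pos < len(toks) and toks[pos][0] == 'key':
            node.children.append(block(Node(name=expect('key') or None)))
        expect('close')
        return node

    root = block(Node(name=None))
    if pos != len(toks):
        raise ValueError(f"trailing data after token {pos}")
    return root

def flatten(node: Node, prefix: str = '') -> Dict[str, str]:
    """Map dotted paths to scalar values so two files can be compared."""
    out: Dict[str, str] = {}
    for c in node.children:
        seg = c.name if c.name is not None else (c.value or '')
        path = f"{prefix}.{seg}" if prefix else seg
        if c.name is not None and c.value is not None:
            out[path] = c.value
        out.update(flatten(c, path))
    return out

def diff(old: Node, new: Node) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Paths whose value differs, e.g. between the backup copy and the edited file."""
    a, b = flatten(old), flatten(new)
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}
```

Running diff(parse(backup_text), parse(edited_text)) after the modify command above reports only properties.firewall_properties.hclient_enable_new_interface changing from true to false; any other path in the output means the edit touched more than intended.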


6. To: ; the

7. To exit DbEdit, issue quit.

8. Install the Policy.

9. Issue quit to exit to save j

The in 5 O . C i b y

GuiDBedit

GuiDBedit, also known as the Check Point Database Tool, is a graphical utility that can be used to manipulate the configuration files of VPN-1 NGX, in the same way that DbEdit is used from the command line. The GuiDBedit.exe file is installed in the C:\Program Files\CheckPoint\SmartConsole\R60\PROGRAM directory with the SmartDashboard executable, but no link to the file is created in the Start menu's Check Point group.

GuiDBedit


Double-clicking the GuiDBedit.exe icon opens the GuiDBedit login screen:

GuiDBedit Login Screen

Use the same credentials as in SmartDashboard to log into GuiDBedit.

GUIDBEDIT PANES

1. When GuiDBedit opens, it is divided into three panes: The top left pane has two tabs, Tables and Queries. When the Tables tab is selected, a listing of the tables available on the SmartCenter Server is visible:

Tables Pane


2. The top right pane (Objects pane) shows entries in that table:

Objects Pane

3. The bottom pane lists properties for selected table entries:

Properties Pane

To perform the same modification as done with DbEdit, the Administrator opens the Global Properties branch in the Tables pane, then selects the Properties table. The firewall_properties object appears in the Objects pane. When this object is selected, the Properties pane lists all properties available for editing.

giving a choice between True or False for this property. Select False, and

The box is

QUERY TAB

2. Advanced mode:

Query Editor, Advanced Mode

Refer to the GuiDBedit help files for further information on creating and saving database queries.

FWAUTH.NDB

$FWDIR/LIB/*.DEF FILES

There are multiple lib folders on an NGX SmartCenter, each containing a set of *.def files (such as base.def, rtsp.def, dcerpc.def, and others). These files define the behavior and functions of VPN-1 NGX.

Modifying *.def files should only be done when absolutely necessary. Before making any changes to *.def files, the Administrator must know the security implications of those changes. Check Point recommends confirming with Check Point Technical Support the impact of *.def modifications on NGX behavior and functionality.

Changes are made on the SmartCenter Server only; *.def files on a Security Gateway are irrelevant. Changes made to *.def files on a SmartCenter Server are transferred to the Gateway during Policy installation. However, the changes apply only in the Gateway's kernel and are not written to the Gateway's own *.def files, which remain unmodified.

Editing a *.def file on an NGX SmartCenter must be done in the correct folder, according to the managed Gateway's version. When the managed Gateway is not running VPN-1 NGX, the corresponding *.def file is not located under the $FWDIR/lib directory; it is located in the lib directory under the relevant backward-compatibility directory.

Example

Use the command find / -name dcerpc.def on SecurePlatform to find the dcerpc.def file located in the following folders:

/opt/CPsuite-R60/fw1/lib/dcerpc.def

/opt/CPsuite-R60/fw1/libsw/dcerpc.def

/opt/CPEdgecmp/lib/dcerpc.def

/opt/CPEdgecmp/libsw/dcerpc.def

/opt/CPngcmp-R60/lib/dcerpc.def

/opt/CPR55WCmp-R60/lib/dcerpc.def

Modifying *.def Files

: on an a VPN-1/FireWall-1 NG . by an NGX !

edit the /opt/CPngcmp-R60/lib/dcerpc.def file (not ...R60/fw1/lib/dcerpc.def):

1. On

2.

3.

up the *.def

Modify the *.def

file,

ile to ]

Any . ; to

4.

5.

.DEF FILE MODIFICATIONS BEFORE VPN-1 NGX

LOG FILES

Active Log Files

VPN-1 NGX includes the following log files:

Log-File Type                  Explanation

$FWDIR/log/xx.log              Real log records

$FWDIR/log/xx.logptr           Pointers to the beginning of each log record

$FWDIR/log/xx.loginitial_ptr   Pointers to the beginning of each log chain (logs that share the same Log Unification ID, LUUID)

$FWDIR/log/xx.logaccount_ptr   Pointers to the beginning of each accounting record

$FWDIR/log/xx.logLuuidDB       Additional temporary pointer file

Each time the current logs are switched using SmartView Tracker or the fw logswitch command, the above five log files are generated. If any pointer (ptr) file is missing or corrupted, that log file cannot be opened. When saving switched log files, all five of the above files must be saved or archived together, so that the single log file can be opened in SmartView Tracker or with the fw log <logfile> command.

To purge or delete the current log file without saving to a backup file, run this command:

fwm logswitch ""


Audit Log Files

In VPN-1 NGX, the audit-log files include the following:

Audit-Log File Type      Explanation

xx.adtlog                Audit-log records

xx.adtlogptr             Pointers to the beginning of each log record

xx.adtloginitial_ptr     Pointers to the beginning of each log chain (logs that share the same LUUID)

xx.adtlogaccount_ptr     Pointers to the beginning of each accounting record

When audit logs are switched in SmartView Tracker or with the logswitch command, the above four types of log files are generated.

To purge or delete the current audit-log file without saving to a backup file, run this command:

fwm logswitch -audit ""
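Added example, not Check Point code: a check that every switched log set is complete before it is archived, covering both the five active-log files and the four audit-log files listed above. The directory listing it runs over is constructed; check_log_dir applies the same check to a real $FWDIR/log directory.

```python
"""Verify that switched VPN-1 NGX log sets are complete before they are archived.
Added example, not Check Point code.  The companion files follow the handbook's
tables: xx.log needs four pointer files, xx.adtlog needs three.  A set with a
missing member cannot be opened later in SmartView Tracker or with 'fw log'."""
import os
from typing import Dict, List, Tuple

# Extension of the record file first, then the pointer files that must accompany it.
LOG_SET = ('log', 'logptr', 'loginitial_ptr', 'logaccount_ptr', 'logLuuidDB')
AUDIT_SET = ('adtlog', 'adtlogptr', 'adtloginitial_ptr', 'adtlogaccount_ptr')

# Constructed directory listing of $FWDIR/log: the current logs, one switched log
# whose LuuidDB pointer file was lost, and an unrelated daemon log.
SAMPLE_LISTING = [
    'fw.log', 'fw.logptr', 'fw.loginitial_ptr', 'fw.logaccount_ptr', 'fw.logLuuidDB',
    'fw.adtlog', 'fw.adtlogptr', 'fw.adtloginitial_ptr', 'fw.adtlogaccount_ptr',
    '2006-03-08_184122.log', '2006-03-08_184122.logptr',
    '2006-03-08_184122.loginitial_ptr', '2006-03-08_184122.logaccount_ptr',
    'fwd.elg',
]


def log_sets(filenames: List[str]) -> Dict[str, List[str]]:
    """Map each record file (base.log / base.adtlog) to the companions it is missing.

    A set is reported as soon as any of its members is present, so an orphaned
    pointer file with no record file shows up as well.
    """
    present: Dict[Tuple[str, str], set] = {}
    for name in filenames:
        base, dot, ext = name.rpartition('.')
        if not dot:
            continue
        for suffixes in (LOG_SET, AUDIT_SET):
            if ext in suffixes:
                present.setdefault((base, suffixes[0]), set()).add(ext)
    report: Dict[str, List[str]] = {}
    for (base, record_ext), exts in sorted(present.items()):
        expected = LOG_SET if record_ext == 'log' else AUDIT_SET
        report[f"{base}.{record_ext}"] = [s for s in expected if s not in exts]
    return report


def archivable(filenames: List[str]) -> List[str]:
    """Record files whose full set is present and may be archived as a unit."""
    return [rec for rec, missing in log_sets(filenames).items() if not missing]


def files_for(record: str) -> List[str]:
    """All file names that make up the set of one record file (e.g. 'fw.log')."""
    base, _, ext = record.rpartition('.')
    return [f"{base}.{s}" for s in (LOG_SET if ext == 'log' else AUDIT_SET)]


def check_log_dir(path: str) -> Dict[str, List[str]]:
    """Run the completeness check against a real $FWDIR/log directory."""
    return log_sets(os.listdir(path))


if __name__ == '__main__':
    for record, missing in log_sets(SAMPLE_LISTING).items():
        state = 'complete' if not missing else 'missing ' + ', '.join(missing)
        print(f"{record}: {state}")
```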

Log Mechanism

The following information is based on Check Point Solution sk24901. See the solution at http://secureknowledge.checkpoint.com for more information.

In situations of high load on the SmartCenter Server or log server, the Gateway fwd daemon (which is responsible for log transfer) uses a keep-alive mechanism for communicating with its log server. The NGX Gateway caches log records in a dedicated 4,096 KB buffer as long as the fwd daemon is in communication with the SmartCenter Server. If no response is received from the Server after a couple of keep-alive checks, the Gateway starts logging locally to $FWDIR/log/fw.log.


However, if communication with the SmartCenter Server is restored during the keep-alive rotations, this buffer retransmits logs to the log server. If the connection is restored after the keep-alive cycle ends, the files logged locally will need to be imported to be viewed. After communication is back, the Gateway also reports on this activity with specific logs.

Troubleshooting Logging Issues

Logging from the Security Gateway to the SmartCenter Server can fail for numerous reasons. Some possible reasons include:

• VPN-1 Control Connections are not allowed from the Gateway to SmartCenter Server.

• Secure Internal Communications (SIC) failure

• DNS failure

• The Fully Qualified Domain Name (FQDN) does not resolve to the correct IP address or does not resolve the name at all, when an FQDN is used in the $FWDIR/conf/masters file.

• Misconfigured /etc/hosts file

One or more of the following suggestions can help troubleshoot a logging problem:

1. Test general connectivity from the Security Gateway to SmartCenter Server, using Ping, or perhaps trying a Telnet connection to a Check Point port.

2. If VPN-1 Control Connections are not allowed in the Global Policy Properties, a rule to allow TCP 257 between the SmartCenter Server and the Gateway is necessary.

3. Test SIC on the problematic gateway object. If a SIC connection is present, the status reads "communicating".

INCREASING BUFFER ON SOLARIS

To increase the buffer size on Solaris, do the following:

1. Edit the /etc/system file on the Gateway and add the set command, as follows:

set fw:fw_log_bufsize=xxxxx

where xxxxx is the desired size in bytes (default = 81,920 KB).

2. Reboot the Gateway for the change to take effect.

It is possible to set the buffer size on the fly by running fw ctl set int fw_log_bufsize xxxxx, but the size will not persist across reboots.

INCREASING BUFFER ON LINUX/SECUREPLATFORM

To increase the buffer size on Linux or SecurePlatform, do the following:

1. Create or modify fwkern.conf (if the file exists) in $FWDIR/boot/modules/ on the Gateway.

2. Add the entry fw_log_bufsize=xxxxx, where xxxxx is the desired size in bytes (default = 81,920 KB).

3. Reboot the Gateway for the change to take effect.

The fw_msg_max parameter does not exist for Linux; increasing the fw_log_bufsize parameter is sufficient. Setting the fw_msg_max parameter will cause the NGX kernel not to load.

INCREASING BUFFER SIZE ON WINDOWS

To increase the buffer size on Windows, do the following:

... the Registry key HKLM\System\CurrentControlSet\Services\FW1\

3. In the Globals key, create a DWORD value fw_log_bufsize ...

4. Modify the new fw_log_bufsize DWORD Value field ...

5. ... set the ... in the ...

6. Close the Registry Editor.

DEBUGGING LOGGING

Analysis Tools

NGX logging unifies the various logs for a single connection into one log entry in SmartView Tracker. The individual logs are retained, but only the unified logs are displayed in SmartView Tracker. The logs are given serial numbers, called Log Unification Unique IDs (LUUID), which allow all the individual logs to be sorted together using SmartView Reporter or other Log Export API (LEA) OPSEC tools.

In addition to using SmartView Tracker, you can display NGX log records from the command line. There are four ways to display logs:

1. Initial order: Display unified logs at a specific time. This is the default mode, and matches what SmartView Tracker displays:

# fw log -m initial

2. Raw log: Display the logs of a single connection, produced by any kernel driver or Security Server, as the incremental log records linked by the same LUUID:

# fw log -m raw

3. Semi unified: Display the unification process in real time:

# fw log -m semi

4. Account unified: Display accounting logs:

# fw log -m account

Debugging Log

1. To start debugging logs, set the environment as follows:

# setenv TDERROR_<flag name> <value 1-5>

2. To debug with all flags, set the environment as follows:

# setenv TDERROR_ALL 5


3. Run fwd in debug mode (fwd -d). All debugging information is saved to the fwd.elg file.

This table lists the debug flags relevant to debugging logging with fwd in debug mode:

Flag                 Explanation

FWLOGJCLU            Prints debugging messages from the log trap

CPLOG JCLU           cplog component responsible for unification of kernel logs

FWLOG                General logging code in fwd

FWLOG_CYC_BUFF       Logs cyclic-buffer issues

FWLOG_DISPATCH       Logs the dispatching mechanism

FWLOG_AC             Active-connections mechanism

LOG_FILE             Log-file input/output

CPLOG_UNIFICATION    Prints debugging messages from the unification process

CPLOG                General debugging messages from the cplog component

LAB 1: USING CPINFO

Scenario: In this lab, you will collect configuration files from the NGX installation.

Objective: Run the cpinfo command and review results.

Topics: The following topics are covered in this lab:

• Running cpinfo on a stand-alone Gateway

• Finding the following information from cpinfo output:

— System information: OS, version, hostname

— Check Point product information: installed products, versions and builds

— License information

— The beginning of objects_5_0.C file

RUN CPINFO ON SECUREPLATFORM AND TRANSFER FILES

1. From your Web server, log in to fwyourcity using an SSH client; once logged in, log in to Expert Mode.

SSH Client Session to fwoslo

2. At the Expert Mode prompt for fwyourcity, run the following command:

cpinfo -o fwyourcity.txt

For purposes of this lab, there is no need to compress the output file as specified previously in the chapter. Check Point recommends compressing the output of cpinfo when sending cpinfo files to Check Point Technical Support.


The file collection runs for a few seconds. As cpinfo runs, status messages are displayed:

A SmartCenter Server with large log files may cause cpinfo to run for a long period of time, as it compresses files. Move those log files outside the $FWDIR directory before running cpinfo.

Once cpinfo has finished, the output file fwyourcity.txt will be created in the default directory for the administrator: /home/admin.

3. Start an FTP session to webyourcity from fwyourcity and transfer fwyourcity.txt to your Web server in binary mode. Although the output file has a *.txt extension, there are embedded binary files in the cpinfo output. Transferring the file in ASCII mode would render those embedded sections useless.

SecurePlatform only has FTP client capabilities. You must have an FTP server configured and running on your Web server to transfer the files.

4. Once the file has transferred, end the FTP session and log out of your SSH client session.

EXAMINE CPINFO OUTPUT FILE

1. Navigate to the directory to which you transferred fwyourcity.txt, and open fwyourcity.txt using WordPad.

2. Using the Edit menu's Find selection, look for the following information in the file:

• Check Point product and operating-system information

• License and version

• objects_5_0.C

The following is partial cpinfo.txt output, listing installed components:

Partial cpinfo Output


The Security Gateway's version and build number can be found in the file fwyourcity.txt:

VPN-1 Version Information
This is Check Point VPN-1(TM) NGX (R60) - Build 341
kernel: NGX (R60) - Build 341

FireWall-1 Management (fwm) Version Information
This is Check Point SmartCenter Server NGX (R60) - Build 387

FireWall-1 Version Information
This is Check Point VPN-1(TM) & FireWall-1(R) NGX (R60) - Build 458
kernel: NGX (R60) - Build 458

CPShared Version Information
This is Check Point SVN Foundation (R) Version NGX (R60) - Build 562

Version and Build Information

objects_5_0.C file content is also included in fwyourcity.txt:

objects_5_0.C

CONTINUE Continue to the next lab.

LAB 2: ANALYZING CPINFO IN INFOVIEW

Scenario: In this lab, students will use the fwyourcity.txt file from the previous lab and analyze it using the InfoView utility.

Objectives:

• Review cpinfo output in InfoView.

• Launch SmartDashboard from InfoView to analyze a Gateway's Rule Base and objects.

Topics:

• Opening cpinfo from InfoView

• Launching SmartDashboard inside InfoView to review the Rule Base and objects

OPEN CPINFO IN INFOVIEW

1. Download the InfoView utility and install it on your Web server. Alternately, your instructor may have a copy of InfoView you can install on your Web server.

2. Launch InfoView.

3. From the File menu, select Open and browse to the directory where fwyourcity.txt is located:

fwoslo.txt in InfoView

REVIEW INSTALLED PRODUCTS, SYSTEM, LICENSE, AND OTHER INFORMATION

1. Click the System Information tree; the processor type and speed, environment, and other information, such as routing and ARP are displayed.

2. Close the System Information tree.

3. Click the CP products key tree to review the Check Point products installed on your machine:

CP Products Installed

4. Close the CP Products tree.

5. Click the CP License tree to review licensing information.


LAUNCH SMARTDASHBOARD IN INFOVIEW

1. Highlight the hostname in the InfoView list.

2. Click the drop-down list of the SmartDashboard icon.

3. Select Explicit:

[Figure: Explicit Menu (the SmartDashboard drop-down, showing the Configure and Explicit entries)]

4. Select the path to SmartConsole and check the box Open as read-only:

[Figure: SmartConsole Path Selected. The file-open dialog is positioned in the SmartConsole PROGRAM folder, with File name FwPolicy.exe, Files of type "Policy Editor (fwpolicy.exe)", and the Open as read-only box checked.]

5. SmartDashboard opens in local mode; use this to review the configuration and Policy.

Continue to the next lab.


Lab 3: Using GuiDBedit

LAB 3: USING GUIDBEDIT

Scenario: In this lab, you will use GuiDBedit to create a new service object and a new group object, and to add the service object to the group object. Also in this lab, you will use GuiDBedit to set the Global Properties value resolve_multiple_interfaces to true.

Objectives:

• Use GuiDBedit to create a new object.

• Use GuiDBedit to modify an object's property.

• Use GuiDBedit to modify a global-property value.

Topics:

• Logging in to GuiDBedit and creating an object

• Modifying global properties


LOG IN TO GUIDBEDIT AND CREATE AN OBJECT

1. Close all SmartConsole sessions.

2. On your Web server, right-click on the desktop, and select New > Shortcut from the context menu.

3. Run the Create New Shortcut wizard to browse to GuiDBedit.exe, located in C:\Program Files\CheckPoint\SmartConsole\R60\Program.

4. Double-click the newly created GuiDBedit.exe shortcut. A login screen similar to the SmartDashboard log in opens:

[Figure: GuiDBedit Login Screen. The Database Tool NGX R60 dialog offers Demo Mode, User Name (fwadmin), Password, Certificate, SmartCenter Server (10.2.2.1), a Read Only checkbox, and OK, Quit and More Options buttons.]


5. Use the same credentials as for a standard SmartDashboard session to log in. The GuiDBedit screen opens:

[Figure: GuiDBedit Screen. The Tables and Queries tabs are shown, with branches such as Large Scale Manager, Read-Only Configuration, Reporting, Services and SmartMap.]


6. In the Tables pane, open the Services branch and select the services table object. The Objects pane then populates with all available objects in the services table:

[Figure: GuiDBedit Services Table and Objects. The Tables pane lists the branches Large Scale Manager, Managed Objects, Network Objects, OPSEC, Other, Policies, Provider-1, QOS, Read-Only Configuration, Reporting, Services, SmartMap, SmartUpdate, Status and Users; the Objects pane lists the service objects (for example IMAP-SSL, the MSExchange entries, BGP, MS-WINS-Replication-TCP_SD and -UDP_SD, Squid_NTLM, sasser-icmp, Witty_Worm, MS-SQL-Server_SD, MS-SQL-Monitor_SD and MSMQ) with their classes (tcp_service, dcerpc_service, other_service).]

7. Select an object in the Objects pane, which changes the focus of GuiDBedit to the Objects pane and populates the Fields pane.

8. From the Objects drop-down menu, select New. The Create Object box opens.

9. From the Class drop-down menu, select service_group, and name the Object "labservices". Click OK.

[Figure: Creating labservices Service Group (Create Object box with Class: service_group and Object: labservices)]


The services table automatically refreshes, and in the Objects pane, the focus will now shift to the newly created labservices object.

10. Use the Create Object box to create a new tcp service called "test-service 1".

11. Highlight the test-service 1 object in the Objects pane, and scroll through the Fields pane to find the port field.

12. Double-click the port field to edit it. Configure the new service with port 3333 and click OK:

[Figure: port Field Configured (edit box with Value: 3333)]

13. Click the Save All Changed Objects button on the menu, to write all changes to the databases:

[Figure: Save Changed Objects button]

14. Highlight the labservices object in the Objects pane. In the Fields pane, scroll to the container field, right-click, and choose Add. The Add/Edit element box opens.

15. In the Object drop-down menu, scroll to the test-service 1 object, highlight it, and click OK. This adds test-service 1 to the service group labservices.

[Figure: test-service 1 Added. The Fields pane of labservices shows the container field (type: service_object reference, value: test-service 1 from the 'services' table), followed by color (string, black), comments (string), etm_enabled (boolean, false) and group_convention_query (string).]

16. Make the change permanent in objects_5_0.C by clicking the Save All Changed Objects button.


MODIFY GLOBAL PROPERTIES

GuiDBedit can also be used to modify specific properties of a given object. You will modify the resolve_multiple_interfaces property of the firewall_properties object in the Global Properties table:

1. In the GuiDBedit Tables pane, open the Global Properties branch and select the properties table.

2. In the Object pane, select the firewall_properties object.

3. From the toolbar, select the Search menu and choose the Find option. Use the following information to configure the search:

Find What: resolve_multiple_interfaces

Search in: Fields

Match whole string only: Checked

Direction: Down

[Figure: GuiDBedit Search Tool. The Tables pane shows Administrators, Desktop and Global Properties with the firewall_properties object selected; the Find dialog has Find what: resolve_multiple_interfaces, Search in: Fields (Tables, Objects and Values unchecked), Match whole string only, Case sensitive, Direction Down, and Find Next and Cancel buttons. The Fields pane behind it lists properties such as EnableNewUserMonitoring, EnableUserMonitoring, GW_route_traffic_for_OM, IKE_wait4sync, IPSEC_SPI_alloc_max and IPSEC_SPI_alloc_min with their types and values.]

4. Double-click resolve_multiple_interfaces to edit its Boolean value. Select True and click OK.


5. Click the Save All Changed objects button to save the updated value.

Some properties are global, and some are specific to a Gateway. To modify properties that are unique to a specific Gateway, locate the object name in the network_objects table in the Network Objects branch of the Tables pane.

Continue to the next lab.


Lab 4: Using fw logswitch and fwm logexport

LAB 4: USING FW LOGSWITCH AND FWM LOGEXPORT

Scenario: Even though a logswitch can be configured to run regularly via the SmartCenter object in SmartDashboard, or can be run from the menu in SmartView Tracker, using the command fw logswitch can sometimes be helpful. In this lab, you will see that 4-5 log-pointer files are generated alongside the real .log file when the fw logswitch command is executed. A distinction between logswitch and logexport is made in this lab.

Objectives:

• Use the fw logswitch command to switch active and audit logs.

• Use fwm logexport to export logs and view them in a text editor.

Topics:

• Using fw logswitch to switch active logs

• Using fw logswitch to switch audit logs

• Using fwm logexport to export the active log and open it with WordPad

• Identifying log-pointer files after fw logswitch run


RUN FW LOGSWITCH TO SWITCH ACTIVE LOG

1. Open an SSH session to the Security Gateway, and log in to Expert

2.

3. Run the fw

fw

The

Log file has

4. View the new log file

lab-switch.log

lab-switch.logaccount

5. If no to the

to:

dappends the(

.loginitial_ptr


[Figure: Log File Listing without Filename]

USE FW LOGSWITCH TO SWITCH AUDIT LOG

1. In the same SSH session to the stand-alone Gateway, run:

fw logswitch -audit

The following message displays:

Log file has been switched to: 2006-04-07_190037.adtlog


2. Check the newly generated .adt logs in the $FWDIR/log directory:

[Figure: New .adt Log Files]

The .adt log files generated are the following:

2006-04-07_190037.adtlog

2006-04-07_190037.adtlogaccount_ptr

2006-04-07_190037.adtloginitial_ptr

2006-04-07_190037.adtlogptr
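The pointer files matter when logs are archived: the Review at the end of this chapter states that all companion files of a switched log must be kept together. The following script, an added example that is not part of the student handbook or of Check Point's tooling, groups a $FWDIR/log listing by log base name and reports which switched logs are missing companion files. The suffix sets are taken from the file names shown in this lab (four per log); on a version that writes more files, pass the extended set as the required parameter. The listing itself is constructed sample data, not output from a real Gateway.

```python
"""Check that each switched log in a $FWDIR/log listing has its companion
pointer files before the set is archived. Added example, not Check Point code."""
from collections import defaultdict

# Companion suffixes seen in the Lab 4 listings (assumption: these sets are
# complete for your version; the chapter Review mentions six files for the
# active log, so extend LOG_SUFFIXES if your listing shows more).
LOG_SUFFIXES = ("log", "logaccount_ptr", "loginitial_ptr", "logptr")
ADT_SUFFIXES = ("adtlog", "adtlogaccount_ptr", "adtloginitial_ptr", "adtlogptr")

# Constructed sample listing modelled on the lab (not real Gateway output):
# one complete audit-log set, one switched active log missing a pointer file,
# and the live fw.log with only its main pointer file.
SAMPLE_LISTING = """
2006-04-07_190037.adtlog
2006-04-07_190037.adtlogaccount_ptr
2006-04-07_190037.adtloginitial_ptr
2006-04-07_190037.adtlogptr
lab-switch.log
lab-switch.logaccount_ptr
lab-switch.logptr
fw.log
fw.logptr
""".strip().splitlines()


def group_log_sets(names):
    """Map each log base name to the set of suffixes present for it.
    The name is split at its first '.', so '2006-04-07_190037.adtlogptr'
    contributes suffix 'adtlogptr' to base '2006-04-07_190037'."""
    sets = defaultdict(set)
    for name in names:
        base, sep, suffix = name.strip().partition(".")
        if sep:
            sets[base].add(suffix)
    return dict(sets)


def missing_companions(names, required=(LOG_SUFFIXES, ADT_SUFFIXES)):
    """Return {base: [missing suffixes]} for every incomplete log set.
    A base is checked against a suffix family only when the family's primary
    file (first suffix, e.g. 'log' or 'adtlog') is present, so an audit log
    is never reported as missing active-log pointer files."""
    result = {}
    for base, present in group_log_sets(names).items():
        missing = []
        for family in required:
            if family[0] in present:
                missing.extend(s for s in family if s not in present)
        if missing:
            result[base] = missing
    return result


def ready_to_archive(names, required=(LOG_SUFFIXES, ADT_SUFFIXES)):
    """Base names whose every applicable companion file is present."""
    incomplete = missing_companions(names, required)
    return sorted(b for b in group_log_sets(names) if b not in incomplete)


if __name__ == "__main__":
    for base, missing in missing_companions(SAMPLE_LISTING).items():
        print(f"{base}: missing {', '.join(missing)}")
    print("ready:", ready_to_archive(SAMPLE_LISTING))
```

On a Gateway the listing would come from `ls $FWDIR/log` rather than the embedded sample; the check is the same either way.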

RUN FWM LOGEXPORT AND VIEW OUTPUT

1. From the same SSH session, run the fwm logexport command:

fwm logexport -n -p -o exportfwyourcity1

A message similar to the following displays:

Starting...There are 1 log records in the file.


2. View the logexport output file using the less command:

[Figure: Output of less exportfwoslo1]


Or you can FTP the exported log file to your Web server and view it in WordPad:

[Figure: Logexport Output File, opened in WordPad. The visible lines are the field header and the first record (the log_sys_message field is cut off at the right edge of the window):]

num;date;time;orig;type;action;alert;i/f_name;i/f_dir;product;log_sys_message
0;7Apr2006;13:58:49;172.22.102.1;control;;;daemon;inbound;VPN-1 & FireWall-1;
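Because fwm logexport writes one record per line with ';' as the field separator, its output can be summarised with a few lines of script instead of being read in WordPad. The following is an added example, not from the student handbook or from Check Point: it parses the export into records keyed by the header fields and counts them by type/action and by interface/direction, which is the first breakdown to check when Gateway logs are not arriving as expected. The header line is transcribed from the figure above; all records are constructed to exercise the parser and are not real log data.

```python
"""Parse 'fwm logexport -n -p' output and summarise it. Added example, not
Check Point's own tooling; assumes the ';'-separated layout shown in Lab 4."""
import csv
import io
from collections import Counter

# Header as printed in the lab figure; records are constructed sample data.
# The last record is deliberately short (truncated message field).
SAMPLE_EXPORT = """\
num;date;time;orig;type;action;alert;i/f_name;i/f_dir;product;log_sys_message
0;7Apr2006;13:58:49;172.22.102.1;control;;;daemon;inbound;VPN-1 & FireWall-1;Log file has been switched
1;7Apr2006;13:59:02;172.22.102.1;log;accept;;eth1;inbound;VPN-1 & FireWall-1;
2;7Apr2006;13:59:05;172.22.102.1;log;drop;;eth1;inbound;VPN-1 & FireWall-1;
3;7Apr2006;13:59:07;172.22.102.1;log;drop;;eth0;outbound;VPN-1 & FireWall-1;
4;7Apr2006;13:59:10;172.22.102.1;log;drop;;eth1;inbound
"""


def parse_logexport(text):
    """Return one dict per record, keyed by the header fields.
    -n and -p keep addresses and ports numeric, so fields need no name
    resolution. A record shorter than the header (a trailing message cut
    off, as in the figure) is padded with empty strings rather than dropped."""
    reader = csv.reader(io.StringIO(text), delimiter=";")
    header = next(reader)
    records = []
    for row in reader:
        if not row:
            continue
        row = row + [""] * (len(header) - len(row))
        records.append(dict(zip(header, row[:len(header)])))
    return records


def summarise(records):
    """Counts per (type, action) and per (i/f_name, i/f_dir).
    'control' records are the log server's own messages (e.g. a log switch);
    'log' records are traffic decisions, and a pile of drops on one interface
    is usually where a connectivity complaint is hiding."""
    by_action = Counter((r["type"], r["action"]) for r in records)
    by_iface = Counter((r["i/f_name"], r["i/f_dir"]) for r in records)
    return by_action, by_iface


def records_from(records, orig):
    """Records logged by a given origin (the Gateway address in the orig field)."""
    return [r for r in records if r["orig"] == orig]


if __name__ == "__main__":
    recs = parse_logexport(SAMPLE_EXPORT)
    by_action, by_iface = summarise(recs)
    for key, n in by_action.items():
        print("type/action", key, n)
    for key, n in by_iface.items():
        print("interface/direction", key, n)
```

To run it against a real export, read the file produced by `fwm logexport -n -p -o <file>` into `parse_logexport` in place of the sample string.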


Review

REVIEW

• cpinfo is a troubleshooting utility created by Check Point to collect a "snapshot" of the configuration of a Security Gateway or SmartCenter Server. It can also be used to collect OS and NGX debugging information for later analysis and troubleshooting.

• InfoView is a graphical utility used to analyze the output of cpinfo, including state-table information, routing, licenses, etc. InfoView can be configured to open parts of the SmartDashboard with a reproduction of the Security Policy installed on systems from which cpinfo files are taken.

• objects_5_0.C is the master list of all objects and their properties in an NGX installation. objects.C is a file that is created at Policy installation, based on information in objects_5_0.C.

• Editing objects_5_0.C is done with DbEdit and GuiDBedit.

• fwauth.NDB is the database file that stores all information about users created via SmartDashboard.

• *.def files define certain aspects of the behavior and function of the NGX kernel. In special circumstances, these files can be modified to adjust the function of the NGX kernel. These changes will not survive the application of a HotFix Accumulator (HFA). Always verify that the functionality is included in the HFA using the HFA release notes. If not, archive the modified *.def file before applying an HFA.

• When the command fw logswitch is run, six different log files are created. All six of these files are necessary when archiving logs. At the same time, five specific types of audit-log files are created. All files are necessary for archiving.

• The NGX logging mechanism has a built-in keep-alive function when running in a distributed environment. Local logging occurs only if the delta for this keep-alive period is exceeded.

• Logging issues may be caused by VPN-1 Control Connections being blocked, SIC failures, or DNS (and/or hostname) resolution errors.

• Logging is a critical security tool. Create a "best practice" logging Policy.

• In some situations, it may be necessary to modify the logging parameters of the NGX kernel for better performance.


Review Answers

1. Which of the following is NOT a recommended method for modifying an NGX object's properties?

C) Modifying the object by directly editing objects_5_0.C

While this method will work, it is not recommended. If a typographical error or other mistake is made when editing, the change may be ignored, or may cause objects_5_0.C to fail to load or make the Security Gateway inoperable.

2. You are troubleshooting a Policy installation failure in a distributed environment. Your SmartCenter Server is located in Dallas, and your Security Gateway is located in San Francisco. A local technician has sent you the cpinfo file from the Security Gateway. Which information will NOT be available in this file?

D) A viewable copy of the installed Policy

The Policy is compiled with the objects files, and is a binary file on the Gateway. This information would be retrieved from Policy information on the SmartCenter Server.


CHAPTER 4: PROTOCOL ANALYZERS

Protocol analyzers and traffic-capture utilities and commands, such as tcpdump, snoop and fw monitor, can be critical tools in determining the nature of an issue involving VPN-1 NGX. These tools capture and analyze network traffic as it comes to and goes through an NGX Security Gateway, and can help determine if an issue involves VPN-1 NGX and its kernel or is an unrelated problem.

Objectives

1. Use tcpdump to capture packets and analyze packet-header formats.

2. Use snoop to capture packets, and review three output modes.

3. Use fw monitor to capture packets.

4. Review fw monitor output using Ethereal.


Key Terms


tcpdump

TCPDUMP

tcpdump is a command-line utility available on most UNIX- and Linux-based operating systems, used for packet-header analysis. tcpdump sets interfaces into promiscuous mode, capturing the headers of all traffic that matches the expression used to configure the tcpdump session. The capture is either displayed in real time on the screen or written to a capture file. tcpdump offers a high degree of flexibility in controlling the capture and the subsequent review of network packet headers.

tcpdump can capture many types of network traffic (such as DECnet or AppleTalk), but as these are not recognized by VPN-1 NGX, only TCP/IP-related traffic is discussed here.

tcpdump Syntax

The following is the syntax of the tcpdump command:

tcpdump [ -adeflnNOpqRStuvxX ] [ -c count ] [ -C file_size ] [ -F file ] [ -i interface ] [ -m module ] [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ] [ -E algo:secret ] [ expression ]

This table explains several of the commonly used switches and their arguments for tcpdump:

Switch and Argument Explanation

-c Exit after receiving count packets.

-C file_size Before writing a raw packet to a savefile, check whether the file is currently larger than file_size and, if so, close the current savefile and open a new one. Each savefile after the first has the name specified with the -w flag, with a number after it, starting at 2 and continuing upward. The units of file_size are millions of bytes (1,000,000 bytes, not 1,048,576 bytes).


-i interface Listen on interface. If unspecified, tcpdump searches the system-interface list for the lowest-numbered, configured-up interface (excluding loopback). Ties are broken by choosing the earliest match. On Linux systems with 2.2 or later kernels, an interface argument of "any" can be used to capture packets from all interfaces. Note that captures on the "any" device will not be done in promiscuous mode.

-r file Read packets from file (which was created with the -w option). Standard input is used if file is

-s snaplen Grab snaplen bytes of data from each packet, rather than the default of 68. (With the SunOS NIT, the minimum is actually 96.) 68 bytes is adequate for IP, ICMP, TCP and UDP, but may truncate protocol information from name-server and Network File System packets. Packets truncated because of a limited snapshot are indicated in the output with "[|proto]", where proto is the name of the protocol level at which the truncation has occurred. Note that taking larger snapshots both increases the amount of time it takes to process packets, and effectively decreases the amount of packet buffering. This may cause packets to be lost. Limit snaplen to the smallest number that will capture the protocol information required. Setting snaplen to 0 means using the required length to catch whole packets.

-v (Slightly more) verbose output; for example, time to live, identification, total length, and options in an IP packet are printed. Also enables additional packet-integrity checks, such as verifying the IP and ICMP header checksum.

-w file Write the raw packets to file, rather than parsing and printing them. Packets can later be printed with the -r option. Standard output is used if the file is


tcpdump and Expressions

An expression selects which packets tcpdump will write to the defined output. If no expression is given, all packets on the network will be dumped. Otherwise, only packets for which the value of expression is 'true' will be dumped.

An expression is typically an ID name or number preceded by one or more qualifiers. There are three different kinds of qualifiers:

type Indicates the thing to which the ID name or number refers; possible types are host, net and port. For example:

host foo

net 128.3

port 20

If there is no type qualifier, host is assumed.

dir Specifies a particular transfer direction to and/or from the ID name or number; possible directions are src, dst, src or dst, and src and dst. For example:

src foo

dst net 128.3

src or dst port ftp-data

If there is no dir qualifier, src or dst is assumed. For 'null' link layers (i.e., point-to-point protocols, such as SLIP), the inbound and outbound qualifiers can be used to specify a desired direction.

proto Restricts the match to a particular protocol; possible protos are ether, fddi, tr, ip, ip6, arp, rarp, decnet, tcp and udp; for example:

ether src foo

arp net 128.3

tcp port 21

If there is no proto qualifier, all protocols consistent with the type are assumed, i.e., src foo means (ip or arp or rarp) src foo. (The latter is not legal syntax). net bar means (ip or arp or rarp) net bar. port 53 means (tcp or udp) port 53.


This is only a partial overview of the syntax for tcpdump. For a complete list of all switches and arguments, and further information on using expressions, refer to the man pages for your OS, or to the documentation at http://www.tcpdump.org.

Using tcpdump

Determine if traffic needs to be viewed in real time, or if the information should be captured to a file for later viewing. Once this has been determined, initiate the tcpdump session to get the capture.

The following string captures all traffic coming to all interfaces on Gateway fwoslo, and writes the output to the file capture:

tcpdump -i any -w capture

Unless troubleshooting a network-connectivity issue, this format may show too much information to be useful. It would be better to narrow the input to a specific interface:

tcpdump -i eth1 -w capture

This will capture all traffic from the network segment connected to eth1 on fwoslo. If there is still too much information in the capture, tcpdump can also filter for specific protocols. Suppose that in this environment, you are attempting to determine why an FTP session through the Security Gateway fwoslo fails. From the command line on fwoslo, set tcpdump to filter specifically for FTP traffic on all interfaces, with the following syntax:

tcpdump -i any '(port ftp or ftp-data)' -w capture

This will show if any FTP related traffic is being "heard" on the interfaces of fwoslo.


Viewing tcpdump Output

The output of tcpdump is a binary file, viewed with tcpdump itself or with a protocol-analysis program (such as Ethereal) that has been written to recognize the tcpdump format. The command to open a file written with the -w switch during the capture is as follows:

tcpdump -r <filename>

Open the file that was captured using this string ...

tcpdump -i eth1 -w capture

... which displays the following information:

[Expert@fwoslo]# tcpdump -i eth1 -r capture

15:28:37.501897 10.2.2.102 > 172.22.102.1: icmp: echo request

15:28:37.501963 172.22.102.1 > 10.2.2.102: icmp: echo reply

15:28:39.494254 arp who-has 10.2.2.102 tell fwoslo

15:28:39.494524 arp reply 10.2.2.102 is-at 0:11:43:ce:36:e5

15:28:46.156386 10.2.2.102.1641 > fwoslo.ftp: S 754360268:754360268(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)

15:28:46.156471 fwoslo.ftp > 10.2.2.102.1641: R 0:0(0) ack 754360269 win 0 (DF)

15:28:46.532969 10.2.2.102.1641 > fwoslo.ftp: S 754360268:754360268(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)

15:28:46.533010 fwoslo.ftp > 10.2.2.102.1641: R 0:0(0) ack 1 win 0 (DF)

15:28:46.724479 fwoslo > 224.0.0.5: OSPFv2-hello 56: [len 44] [tos 0xc0] [ttl 1]

[Expert@fwoslo]#
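The capture above already contains the answer to the FTP question posed earlier: each SYN from 10.2.2.102 to fwoslo.ftp is answered with a bare RST (flag R), so the packets reach the Gateway but nothing accepts the connection. A SYN that gets no reply at all would instead point at a drop on the path or in the Rule Base. The following script, an added example that is not from the student handbook or from tcpdump, reads the text output of tcpdump -r in the classic line layout shown above (time, src > dst: FLAGS ...) and separates refused connection attempts from unanswered ones. The sample lines are those printed in this chapter's capture; lines for other protocols (ICMP, ARP, OSPF) are ignored by the parser.

```python
"""Pick refused (SYN answered by RST) and unanswered SYNs out of tcpdump text
output. Added example, not from the manual; assumes the classic tcpdump line
layout 'time src > dst: FLAGS ...' as printed in the chapter."""
import re

# The lines printed in the chapter's capture on fwoslo.
SAMPLE_OUTPUT = """\
15:28:37.501897 10.2.2.102 > 172.22.102.1: icmp: echo request
15:28:37.501963 172.22.102.1 > 10.2.2.102: icmp: echo reply
15:28:39.494254 arp who-has 10.2.2.102 tell fwoslo
15:28:39.494524 arp reply 10.2.2.102 is-at 0:11:43:ce:36:e5
15:28:46.156386 10.2.2.102.1641 > fwoslo.ftp: S 754360268:754360268(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
15:28:46.156471 fwoslo.ftp > 10.2.2.102.1641: R 0:0(0) ack 754360269 win 0 (DF)
15:28:46.532969 10.2.2.102.1641 > fwoslo.ftp: S 754360268:754360268(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
15:28:46.533010 fwoslo.ftp > 10.2.2.102.1641: R 0:0(0) ack 1 win 0 (DF)
15:28:46.724479 fwoslo > 224.0.0.5: OSPFv2-hello 56: [len 44] [tos 0xc0] [ttl 1]
""".splitlines()

# time, source endpoint, destination endpoint, TCP flag string (S, S., R, P., F. ...)
TCP_LINE = re.compile(r"^(\S+) (\S+) > (\S+): ([SRPFWE.]+) ")


def parse_tcp(lines):
    """Yield (time, src, dst, flags) for each TCP line; other protocols are skipped
    because their first token after 'dst:' (icmp:, OSPFv2-hello) is not a flag string."""
    for line in lines:
        m = TCP_LINE.match(line)
        if m:
            yield m.groups()


def refused_connections(lines):
    """(client, server, syn_time, rst_time) for each SYN that the peer answered
    with an RST instead of a SYN/ACK: the packet arrived, but nothing listened
    or the host refused it."""
    pending = {}  # (client, server) -> time of the last unanswered SYN
    refused = []
    for t, src, dst, flags in parse_tcp(lines):
        if flags == "S":
            pending[(src, dst)] = t
        elif "R" in flags and (dst, src) in pending:
            refused.append((dst, src, pending.pop((dst, src)), t))
    return refused


def unanswered_syns(lines):
    """SYNs that got neither a SYN/ACK ('S.') nor an RST in the capture, the
    signature of traffic that is being dropped rather than refused."""
    pending = {}
    for t, src, dst, flags in parse_tcp(lines):
        if flags == "S":
            pending[(src, dst)] = t
        elif (dst, src) in pending and ("R" in flags or flags == "S."):
            pending.pop((dst, src))
    return sorted(pending.items())


if __name__ == "__main__":
    for client, server, syn_t, rst_t in refused_connections(SAMPLE_OUTPUT):
        print(f"{client} -> {server}: SYN at {syn_t} refused with RST at {rst_t}")
    for (client, server), syn_t in unanswered_syns(SAMPLE_OUTPUT):
        print(f"{client} -> {server}: SYN at {syn_t} never answered")
```

Feed it the output of `tcpdump -r capture` (without -n, so the port appears as a service name such as ftp, exactly as in the listing above) to get the same two-line verdict for a real capture.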


snoop

SNOOP

The snoop utility places a system's interface into promiscuous mode. In promiscuous mode, snoop captures all packets on the network segment to which an interface is attached. This capture can occur in either real time for output to a display, or to a binary capture file. The snoop utility is powerful, because of the level of detailed information it provides. It also allows a high degree of flexibility for controlling the capture and subsequent review of network packets. The snoop utility is available only on UNIX systems.

snoop can also capture and analyze network packets of protocols other than IP, such as DECnet and AppleTalk. However, since VPN-1 NGX does not recognize packets other than IP, information on these other packets is not covered in this chapter.

Using snoop

Use snoop to determine if a real-time capture is needed, or if data should be sent to a file for later review. Sending output to a file is probably the best choice, as data displayed on-screen is difficult to read, because it scrolls quickly.

To capture data to a file, use the following command:

#snoop -o filename

The -o option saves data in binary format to a user-defined file. To view data in real-time, exclude the -o option.

Next, determine how many packets need to be captured to view the information. If the number of packets is not determined, snoop will continue gathering packets until you press CTRL + C, or the system runs out of resources.

To set the number of packets, use the following command:

#snoop -o filename -c 1000

In this example, snoop will capture 1,000 packets. This capture will typically take about 60 seconds on a 10 megabits-per-second network. The type of capture taken depends on the type of information required. Keep in mind that snoop can be resource-intensive, depending on the amount of network traffic on a segment. In some cases, a dedicated server for snoop may be needed.


Reading snoop Output


Below is an example of verbose summary mode, using the same packet as the previous example. Notice it provides layer 2 (Ethernet), layer 3 (IP), layer 4 (TCP), layer 7 (Telnet), and ACK and SEQ (sequence number):

17 2.07408 enterprise -> 10.1.1.101 ETHER Type=0800 (IP), size = 70 bytes

17 2.07408 enterprise ->10.1.1.101 IP D=10.1.1.101 S=10.1.1.102 LEN=56, ID=56890

17 2.07408 enterprise -> 10.1.1.101 TCP D=21 S=32797 Ack=73641 Seq=389458204 Len=16 Win=8760

17 2.07408 enterprise -> 10.1.1.101 FTP C port=32797 USER anonymous\r\n

VERBOSE (DETAIL) MODE

Verbose mode displays the details of each packet to the bit level in the OSI model. The example below shows the same packet as the previous examples in verbose mode. Detailed information of each layer is captured, including layer 2 (Ethernet), layer 3 (IP), and layer 4 (TCP) headers. The syntax for verbose detailed mode is:

snoop -i -v [filename]


snoop and Security

With snoop, Security Administrators can capture data on a network without being noticed. Unlike active measures, such as network discovery using ICMP, snoop does not alert anyone to its presence. This passive behavior allows an analysis of the network's security without alerting anyone. snoop can also run over a longer period of time than active measures, which run at a single point in time. If a host is down for several minutes while you are pinging a network, the host is missed; snoop, however, picks up such hosts when they send or receive traffic. One security issue is identifying activities on a network. Perhaps there are concerns about specific Web sites or FTP download sites; snoop can be used on a network to look for downloads from known Web sites or FTP servers.

snoop should be used with authorization or for troubleshooting purposes only. Federal law, such as the Wiretap Act, prohibits routine monitoring, unless for troubleshooting or for self-defense purposes for a limited period of time.

snoop helps track down "unknown" hosts in a network. An unknown host could be a dial-up server or gateway configured by a network attacker. Active measures can determine hosts on the network, but only if the machines are on. What if a host is on only at night, or has been configured not to reply to ICMP requests? snoop helps track down rogue hosts, allowing action to be taken.

snoop Limitations

Unlike active measures, but like most sniffers, snoop cannot operate across a switched network. snoop records packets that cross the designated interface on a local network segment, but only captures packets in its collision domain.

To monitor all traffic traveling between a network and the Internet, place the sniffer between the gateway and the border router. This allows capturing of all Internet traffic. This information is compared to the logs in Smart View Tracker, to see specifically which segment of the network needs further inspection with snoop. This comparison is useful when encountering Network Address Translation and traffic originating behind routers.


fw monitor

FW MONITOR

Overview

The fw monitor command monitors network traffic through the interfaces on an NGX Security Gateway. This is done by loading a special INSPECT filter to filter out interesting packets. This filter is different from the INSPECT filter used to implement a Rule Base. A Rule Base determines which packet is accepted, rejected, or dropped; however, the INSPECT filter generated by fw monitor captures kernel-packet flows. You can capture everything through the kernel using fw monitor; alternately, you can capture a particular type of traffic or source.

fw monitor Syntax

fw monitor runs from the command line. The following arguments configure fw monitor not only to capture and filter traffic passing through VPN-1 NGX, but also to specify which points of the kernel chain that packets pass through are monitored.

fw monitor syntax is as follows:

fw monitor [-d] [-D] <{-e expr}+|-f <filter-file|->> [-l len] [-m mask] [-x offset[,len]] [-o <file>]

The fw monitor arguments are listed in this table:

Argument Explanation

-d Provides lower-level debug from the filter-loading process of fw monitor

-D Provides higher-level debug from the filter-loading process of fw monitor

-e Specifies an INSPECT program line; multiple -e options may be used.

-f Specifies an INSPECT filter filename; the file is copied before compilation; the -f and -e options are mutually exclusive.


-l Limits the packet length, and specifies how much of the packet should be transferred from the kernel; for packets longer than the specified length, only a prefix will be available for display.

-m Specifies the inspection-points mask; any one or more of i, I, o, or O can be used; if this option is not specified, all four points are captured.

-o Specifies an output file; saves monitored packets in the output file as they are monitored; during the monitoring, a count of the number of packets saved in the file is displayed; the content of the file can later be examined using the snoop -i <file> command.

-x Specifies display parameters; when this option is present, the IP and protocol information will be followed by a hexadecimal dump and printable character display, starting at the offset bytes into the packet for len bytes long; if offset + len is larger than the length specified by the -1 option, only the data available will be displayed; console output only

-h Displays usage string

-u Prints the connection's Universally Unique ID (UUID)

-s Prints the connection's session UUID (for FTP data connections, prints the control connection's UUID)

- t When compiling the INSPECT script, includes tcpip. def; allows the use of tcpip macros in the script

- i After writing each packet, flushes the standard output, if you want to kill fw monitor but write all data to a file

-c <count> Limits the number of inbound (-ci count) and/or outbound (-co count) packets; once the specified number has been reached, the monitor will stop; default is stop on CRTL + C only.

"P Monitors position in the kernel chain; Note: Using this switch with the "all" argument can be very resource-intensive.


INSPECT Virtual Machine

The INSPECT virtual machine intercepts, analyzes, and takes action on all communication before it enters a Gateway's OS. Cumulative data from communication and application states, network configuration, and Security Policy are used by the virtual machine to enforce the enterprise Policy.

This figure displays how the virtual machine inspects packets:

[Figure: Virtual-Machine Inspection Points]

There are four inspection points as a packet passes through the virtual machine:

• Before the virtual machine, in the inbound direction (i or PREIN)

• After the virtual machine, in the inbound direction (I or POSTIN)

• Before the virtual machine, in the outbound direction (o or PREOUT)

• After the virtual machine, in the outbound direction (O or POSTOUT)

Once fw monitor is executed, the specified INSPECT filter is compiled and loaded into the kernel. The fw monitor filter is not to be confused with the filter used in a Policy: the fw monitor filter does not pass or drop any packets, it only watches them as they pass through the kernel and displays them on the Command Line Interface (CLI). When you press CTRL + C to stop monitoring, the filter is unloaded and fw monitor exits.

Packets that match the expression in the filter's "accept <expression>;" statement are displayed by fw monitor. The same filter is executed on all interfaces in all directions, and packets are inspected at all four points unless the mask option -m is specified.


Unless the -o option is specified, packets are directed to standard output. The first line displays IP information, and the next lines display protocol-specific information (for TCP, UDP, or ICMP). If the option -x is used, the lines following the command show a hexadecimal dump and printable character display of the packet content. Issuing fw monitor without any arguments will capture all packets to standard output, which is the CLI.

Filter Expressions

On a busy system, running fw monitor without any filter produces a great deal of output and makes analysis difficult. Filter expressions specify the packets to be captured. The general syntax is fw monitor -e "accept <expression>;".

The following example shows three filters:

fw monitor -e "accept src=172.29.109.1 or dst=172.29.109.1;"

fw monitor -e "accept dport=80;"

fw monitor -m iI -e "accept;" -o monitor.out

• The first filter captures all traffic from and to the host 172.29.109.1.

• The second filter captures all HTTP traffic on port 80 only.

• The third filter captures only inbound direction before and after the virtual machine (i and I), and redirects the output to a file.

fw ctl chain

VPN-1 NGX passes each packet through a list of chain modules. Each module may modify, pass, or drop the packet. You can see this list with the fw ctl chain command; fw monitor can be inserted at any position in the chain.

OUTPUT

in chain (10):
0: -7f800000 (f99d12c0) IP Options Strip (ipopt_strip)
1: -2000000 (f31a8dd0) vpn decrypt (vpn)
2: -1fffff6 (illegible) Stateless verifications (asm)
3: -1fffff0 (f31a8730) vpn decrypt verify (vpn_ver)
4: -1000000 (f99e9690) SecureXL conn sync (secxl_sync)
5: 0 (f99a4720) fw VM inbound (fw)
6: 2000000 (f31a9d70) vpn policy inbound (vpn_pol)
7: 10000000 (f99e9b20) SecureXL inbound (secxl)
8: 7f600000 (f99cec90) fw SCV inbound (scv)
9: 7f800000 (f99d1570) IP Options Restore (ipopt_res)

out chain (8):
0: -7f800000 (f99d12c0) IP Options Strip (ipopt_strip)
1: -1ffffff (f31a8600) vpn nat outbound (vpn_nat)
2: -1f00000 (f99afcd0) Stateless verifications (asm)
3: 0 (f99a4720) fw VM outbound (fw)
4: 2000000 (f31a9780) vpn policy outbound (vpn_pol)
5: 10000000 (f99e9b20) SecureXL outbound (secxl)
6: 20000000 (f31a9360) vpn encrypt (vpn)
7: 7f800000 (f99d1570) IP Options Restore (ipopt_res)

Each chain module is listed with its index, its position (a signed hexadecimal number), its kernel address, and its name with the alias in parentheses. Packets traverse the modules in ascending position order, so modules with a higher position than the monitor see the packet after fw monitor does. To place the monitor at the end of a chain, use a relative index larger than any listed, for example -pi 999 or -pO 999.


CHAIN INSERTION POINTS

fw monitor is inserted into the chain as a chain module, so it can report on every packet; it does not change or drop any packet. By default it is inserted at four points: positions -0x70000000 and 0x70000000 in the inbound chain, and the same two positions in the outbound chain (fw ctl chain lists them as fwmonitor (i/f side) and fwmonitor (IP side)). The lower position captures a packet before it has passed most of the chain modules, the higher position after it has passed most of them. The position of the monitor can be changed with the -p parameter.

This parameter has the following syntax:

fw monitor -p[i|I|o|O] <absolute pos | relative pos | [+|-]alias>

absolute pos: a signed integer that determines the order in which packets pass the modules; packets start with the smallest number and end with the largest. This number does not depend on the current chain entries.

relative pos: the chain modules are numbered in ascending order starting at 0 (the index column of fw ctl chain). Use this number to specify the module before which fw monitor is inserted. fw monitor does not replace the module with this number; that module (and all following modules) move up by one position.

alias (shown in parentheses): a short module name, which can be used with the -p parameter.

The letter following -p is the position you want to change: inbound (i, I) or outbound (o, O), and first (lowercase) or last (uppercase) position. You may include this parameter up to four times, to change some or all positions. When using a relative position, give the index of the module before which you want the monitor inserted. If you want the position after all modules, use any number higher than all relative positions (99 will usually do). When using an absolute position, give the exact position you want; if a module already occupies it, the command fails. When using an alias, prefix it with - to insert the monitor before that module or + to insert it after.

RELATIVE POSITION

Note that the chain-module numbers and names are not fixed. Before fw monitor is inserted, chain module 4 is vpn decrypt verify; after fw monitor is inserted at relative position 4, chain module 4 has become fw monitor, and vpn decrypt verify has moved to position 5.

1. fw ctl chain before inserting fw monitor:

in chain (15):
0: -7f800000 (989a8d60) (ffffffff) IP Options Strip (ipopt_strip)
1: -2000000 (995a3390) (00000003) vpn decrypt (vpn)
2: -1fffff6 (989a9e80) (00000001) Stateless verifications (asm)
3: -1fffff2 (995c37b0) (00000003) vpn tagging inbound (tagging)
4: -1fffff0 (995a2bd0) (00000003) vpn decrypt verify (vpn_ver)
5: -1000000 (989dbf40) (00000003) SecureXL conn sync (secxl_sync)
6: 0 (98954530) (00000001) fw VM inbound (fw)
7: 1 (989b1f20) (00000002) wire VM inbound (wire_vm)
8: 10 (9896eb70) (00000001) fw accounting inbound (acct)
9: 2000000 (995a52a0) (00000003) vpn policy inbound (vpn_pol)
10: 10000000 (989dc2e0) (00000003) SecureXL inbound (secxl)
11: 21000000 (99bf7360) (00000001) FG-1 inbound (fg_pol)
12: 7f600000 (989a2b70) (00000001) fw SCV inbound (scv)
13: 7f750000 (98a958c0) (00000001) TCP streaming (in) (cpas)
14: 7f800000 (989a9020) (ffffffff) IP Options Restore (ipopt_res)

out chain (14):
0: -7f800000 (989a8d60) (ffffffff) IP Options Strip (ipopt_strip)
1: -1ffffff (995a27c0) (00000003) vpn nat outbound (vpn_nat)
2: -1fffff0 (98a95a30) (00000001) TCP streaming (out) (cpas)
3: -1ff0000 (995c37b0) (00000003) vpn tagging outbound (tagging)
4: -1f00000 (989a9e80) (00000001) Stateless verifications (asm)
5: 0 (98954530) (00000001) fw VM outbound (fw)
6: 1 (989b1f20) (00000002) wire VM outbound (wire_vm)
7: 2000000 (995a4b60) (00000003) vpn policy outbound (vpn_pol)
8: 10000000 (989dc2e0) (00000003) SecureXL outbound (secxl)
9: 15000000 (99bf7360) (00000001) FG-1 outbound (fg_pol)
10: 20000000 (995a3cc0) (00000003) vpn encrypt (vpn)
11: 7f000000 (9896eb70) (00000001) fw accounting outbound (acct)
12: 7f700000 (98a95c20) (00000001) TCP streaming post VM (cpas)
13: 7f800000 (989a9020) (ffffffff) IP Options Restore (ipopt_res)

2. fw monitor -pi 4 -o monitor.out:

in chain (17):
0: -7f800000 (989a8d60) (ffffffff) IP Options Strip (ipopt_strip)
1: -2000000 (995a3390) (00000003) vpn decrypt (vpn)
2: -1fffff6 (989a9e80) (00000001) Stateless verifications (asm)
3: -1fffff2 (995c37b0) (00000003) vpn tagging inbound (tagging)
4: -1fffff1 (989833a0) (ffffffff) fwmonitor (i/f side)
5: -1fffff0 (995a2bd0) (00000003) vpn decrypt verify (vpn_ver)
6: -1000000 (989dbf40) (00000003) SecureXL conn sync (secxl_sync)
7: 0 (98954530) (00000001) fw VM inbound (fw)
8: 1 (989b1f20) (00000002) wire VM inbound (wire_vm)
9: 10 (9896eb70) (00000001) fw accounting inbound (acct)
10: 2000000 (995a52a0) (00000003) vpn policy inbound (vpn_pol)
11: 10000000 (989dc2e0) (00000003) SecureXL inbound (secxl)
12: 21000000 (99bf7360) (00000001) FG-1 inbound (fg_pol)
13: 70000000 (989833a0) (ffffffff) fwmonitor (IP side)
14: 7f600000 (989a2b70) (00000001) fw SCV inbound (scv)
15: 7f750000 (98a958c0) (00000001) TCP streaming (in) (cpas)
16: 7f800000 (989a9020) (ffffffff) IP Options Restore (ipopt_res)

out chain (16):
0: -7f800000 (989a8d60) (ffffffff) IP Options Strip (ipopt_strip)
1: -70000000 (989833a0) (ffffffff) fwmonitor (IP side)
2: -1ffffff (995a27c0) (00000003) vpn nat outbound (vpn_nat)
3: -1fffff0 (98a95a30) (00000001) TCP streaming (out) (cpas)
4: -1ff0000 (995c37b0) (00000003) vpn tagging outbound (tagging)
5: -1f00000 (989a9e80) (00000001) Stateless verifications (asm)
6: 0 (98954530) (00000001) fw VM outbound (fw)
7: 1 (989b1f20) (00000002) wire VM outbound (wire_vm)
8: 2000000 (995a4b60) (00000003) vpn policy outbound (vpn_pol)
9: 10000000 (989dc2e0) (00000003) SecureXL outbound (secxl)
10: 15000000 (99bf7360) (00000001) FG-1 outbound (fg_pol)
11: 20000000 (995a3cc0) (00000003) vpn encrypt (vpn)
12: 70000000 (989833a0) (ffffffff) fwmonitor (i/f side)
13: 7f000000 (9896eb70) (00000001) fw accounting outbound (acct)
14: 7f700000 (98a95c20) (00000001) TCP streaming post VM (cpas)
15: 7f800000 (989a9020) (ffffffff) IP Options Restore (ipopt_res)

RELATIVE POSITION USING ALIASES

Another way to specify the position of fw monitor in the fw ctl chain output is to use a module's alias, prefixed with + or -. For example, to insert fw monitor before vpn decrypt verify, use -pi -vpn_ver:

fw monitor -pi -vpn_ver -o monitor-alias.out
monitor: getting filter (from command line)

in chain (17):
0: -7f800000 (989a8d60) (ffffffff) IP Options Strip (ipopt_strip)
1: -2000000 (995a3390) (00000003) vpn decrypt (vpn)
2: -1fffff6 (989a9e80) (00000001) Stateless verifications (asm)
3: -1fffff2 (995c37b0) (00000003) vpn tagging inbound (tagging)
4: -1fffff1 (989833a0) (ffffffff) fwmonitor (i/f side)
5: -1fffff0 (995a2bd0) (00000003) vpn decrypt verify (vpn_ver)
6: -1000000 (989dbf40) (00000003) SecureXL conn sync (secxl_sync)
7: 0 (98954530) (00000001) fw VM inbound (fw)

out chain (16):
0: -7f800000 (989a8d60) (ffffffff) IP Options Strip (ipopt_strip)
1: -70000000 (989833a0) (ffffffff) fwmonitor (IP side)
2: -1ffffff (995a27c0) (00000003) vpn nat outbound (vpn_nat)
3: -1fffff0 (98a95a30) (00000001) TCP streaming (out) (cpas)
4: -1ff0000 (995c37b0) (00000003) vpn tagging outbound (tagging)
5: -1f00000 (989a9e80) (00000001) Stateless verifications (asm)
6: 0 (98954530) (00000001) fw VM outbound (fw)
7: 1 (989b1f20) (00000002) wire VM outbound (wire_vm)
8: 2000000 (995a4b60) (00000003) vpn policy outbound (vpn_pol)
9: 10000000 (989dc2e0) (00000003) SecureXL outbound (secxl)
10: 15000000 (99bf7360) (00000001) FG-1 outbound (fg_pol)
11: 20000000 (995a3cc0) (00000003) vpn encrypt (vpn)
12: 70000000 (989833a0) (ffffffff) fwmonitor (i/f side)
13: 7f000000 (9896eb70) (00000001) fw accounting outbound (acct)

ABSOLUTE POSITION

You can also insert fw monitor at an absolute position, given as a signed hexadecimal number from the position column of fw ctl chain. The following is a partial list of the in and out chains from fw ctl chain:

in chain (15):
0: -7f800000 (989a8d60) (ffffffff) IP Options Strip (ipopt_strip)
1: -2000000 (995a3390) (00000003) vpn decrypt (vpn)
2: -1fffff6 (989a9e80) (00000001) Stateless verifications (asm)
3: -1fffff2 (995c37b0) (00000003) vpn tagging inbound (tagging)
4: -1fffff0 (995a2bd0) (00000003) vpn decrypt verify (vpn_ver)
5: -1000000 (989dbf40) (00000003) SecureXL conn sync (secxl_sync)
6: 0 (98954530) (00000001) fw VM inbound (fw)
7: 1 (989b1f20) (00000002) wire VM inbound (wire_vm)
8: 10 (9896eb70) (00000001) fw accounting inbound (acct)
9: 2000000 (995a52a0) (00000003) vpn policy inbound (vpn_pol)
10: 10000000 (989dc2e0) (00000003) SecureXL inbound (secxl)

out chain (14):
0: -7f800000 (989a8d60) (ffffffff) IP Options Strip (ipopt_strip)
1: -1ffffff (995a27c0) (00000003) vpn nat outbound (vpn_nat)
2: -1fffff0 (98a95a30) (00000001) TCP streaming (out) (cpas)
3: -1ff0000 (995c37b0) (00000003) vpn tagging outbound (tagging)
4: -1f00000 (989a9e80) (00000001) Stateless verifications (asm)
5: 0 (98954530) (00000001) fw VM outbound (fw)
6: 1 (989b1f20) (00000002) wire VM outbound (wire_vm)
7: 2000000 (995a4b60) (00000003) vpn policy outbound (vpn_pol)
8: 10000000 (989dc2e0) (00000003) SecureXL outbound (secxl)

To insert fw monitor after TCP streaming (cpas) in the outbound chain:

fw monitor -po -0x1ffffe0 -o monitor-absolute.out

out chain (16):
0: -7f800000 (989a8d60) (ffffffff) IP Options Strip (ipopt_strip)
1: -1ffffff (995a27c0) (00000003) vpn nat outbound (vpn_nat)
2: -1fffff0 (98a95a30) (00000001) TCP streaming (out) (cpas)
3: -1ffffe0 (989833a0) (ffffffff) fwmonitor (IP side)
4: -1ff0000 (995c37b0) (00000003) vpn tagging outbound (tagging)
5: -1f00000 (989a9e80) (00000001) Stateless verifications (asm)
6: 0 (98954530) (00000001) fw VM outbound (fw)
7: 1 (989b1f20) (00000002) wire VM outbound (wire_vm)

fw ctl chain does not show the leading 0x on hexadecimal positions; you must add it yourself. The chosen value -0x1ffffe0 lies between TCP streaming (out) at -1fffff0 and vpn tagging outbound at -1ff0000, so the monitor lands at index 3; the position must be free, otherwise the command fails.
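To check where a -p argument will put the monitor before loading it on a production Gateway, here is a small model of the three position forms, written for this handbook section (it is not Check Point code). It is transcribed from the 15-module inbound and 14-module outbound listings above, keeps only position and alias, and assumes the rules the text describes: a bare decimal is a relative index that inserts before the module at that index, a sign followed by a name is an alias (- before, + after), and a signed 0x number is an absolute position that must be free. Relative and alias inserts are assumed to receive the neighbour's position minus or plus one, which is what the listings show (fwmonitor at -1fffff1 just before vpn_ver at -1fffff0). How the kernel resolves a duplicate alias, such as the two cpas modules in the outbound chain, is not covered by the handbook; the model takes the first match.

```python
"""Where `fw monitor -p` lands in the kernel chain: a model of the relative,
alias and absolute position forms, checked against the fw ctl chain listings
above (added example, not Check Point code)."""
from typing import List, Tuple

Chain = List[Tuple[int, str]]   # (position, alias) in fw ctl chain order

# Transcribed from the inbound (15 modules) and outbound (14 modules) listings
# taken before fw monitor was inserted; kernel addresses and flags are omitted.
IN_CHAIN: Chain = [
    (-0x7f800000, "ipopt_strip"), (-0x2000000, "vpn"), (-0x1fffff6, "asm"),
    (-0x1fffff2, "tagging"), (-0x1fffff0, "vpn_ver"), (-0x1000000, "secxl_sync"),
    (0, "fw"), (1, "wire_vm"), (10, "acct"), (0x2000000, "vpn_pol"),
    (0x10000000, "secxl"), (0x21000000, "fg_pol"), (0x7f600000, "scv"),
    (0x7f750000, "cpas"), (0x7f800000, "ipopt_res"),
]
OUT_CHAIN: Chain = [
    (-0x7f800000, "ipopt_strip"), (-0x1ffffff, "vpn_nat"), (-0x1fffff0, "cpas"),
    (-0x1ff0000, "tagging"), (-0x1f00000, "asm"), (0, "fw"), (1, "wire_vm"),
    (0x2000000, "vpn_pol"), (0x10000000, "secxl"), (0x15000000, "fg_pol"),
    (0x20000000, "vpn"), (0x7f000000, "acct"), (0x7f700000, "cpas"),
    (0x7f800000, "ipopt_res"),
]
DEFAULT_POSITIONS = (-0x70000000, 0x70000000)   # where fw monitor sits without -p


def parse_position(spec: str):
    """Classify the argument after -pi/-pI/-po/-pO. Assumed rules: a bare decimal
    is a relative index, a signed number (0x... or decimal) is an absolute position,
    a sign followed by a name is an alias (- before that module, + after it)."""
    s = spec.strip()
    sign, body = (s[0], s[1:]) if s[:1] in "+-" else ("", s)
    if body.lower().startswith("0x"):
        return ("absolute", int(s, 16))        # int() accepts the sign and the 0x
    if body.isdigit():
        return ("absolute", int(s)) if sign else ("relative", int(body))
    if sign and body:
        return ("alias", sign, body)
    raise ValueError(f"cannot parse position {spec!r}")


def index_of(chain: Chain, alias: str) -> int:
    """Index of the first module with this alias, as fw ctl chain numbers them
    (cpas appears twice in the outbound chain; the first one is taken)."""
    for i, (_, a) in enumerate(chain):
        if a == alias:
            return i
    raise ValueError(f"no module with alias {alias!r}")


def occupied(chain: Chain, pos: int) -> bool:
    return any(p == pos for p, _ in chain)


def insert_monitor(chain: Chain, spec: str, name: str = "fwmonitor") -> Chain:
    """Chain after `fw monitor -p? spec` has added its module. Relative and alias
    inserts take the neighbour's position minus or plus one, which matches the
    listings above (-1fffff1 just before vpn_ver at -1fffff0); an absolute insert
    must name a free position, otherwise fw monitor fails."""
    kind, *args = parse_position(spec)
    if kind == "absolute":
        pos = args[0]
    elif kind == "relative":
        idx = args[0]   # past the end ("99 will usually do") means after the last module
        pos = chain[idx][0] - 1 if idx < len(chain) else chain[-1][0] + 1
    else:
        sign, alias = args
        pos = chain[index_of(chain, alias)][0] + (1 if sign == "+" else -1)
    if occupied(chain, pos):
        raise ValueError(f"position {pos:x} is already occupied")
    return sorted(chain + [(pos, name)], key=lambda entry: entry[0])


def render(chain: Chain) -> str:
    """The chain as fw ctl chain prints it: index, signed hex position, alias."""
    return "\n".join(f"{i}: {p:x} ({a})" for i, (p, a) in enumerate(chain))


if __name__ == "__main__":
    print(render(insert_monitor(IN_CHAIN, "4")))              # fw monitor -pi 4
    print(render(insert_monitor(OUT_CHAIN, "-0x1ffffe0")))    # fw monitor -po -0x1ffffe0
    chain = IN_CHAIN
    for pos in DEFAULT_POSITIONS:                             # plain fw monitor, no -p
        chain = insert_monitor(chain, f"{pos:#x}")
    print(render(chain))
```

Running it prints the inbound chain after -pi 4, the outbound chain after -po -0x1ffffe0, and the inbound chain with both default positions; the indexes (4, 3, and 1 and 13) can be compared with the listings in this section. Asking for an occupied position, such as 0x0 where fw VM sits, raises the same refusal fw monitor gives.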

SAMPLING INTERVAL

One of your customers reports that she cannot access your internal FTP server. The FTP server is configured with Static NAT on your NGX Gateway. You see the customer's FTP connection accepted in SmartView Tracker, but you do not know whether the kernel drops the connection or the FTP server resets it.

The FTP client's IP address is 100.100.100.1. The FTP server's private IP address is 192.168.1.1 and its public (NAT) IP address is 200.200.20.1. Your Gateway's external IP address is 200.200.20.2.

Q.) How do you run fw monitor with proper filters, to capture FTP connections between the server and this client only?

A.) fw monitor -e "accept src=100.100.100.1 or dst=100.100.100.1;" -o ftp-monitor.out

Filtering on the client's address rather than the server's matches at all four inspection points, because Static NAT rewrites only the server's address (200.200.20.1 on the outside, 192.168.1.1 on the inside); a filter on either server address would miss the copies taken on the other side of the translation.

Q.) What is the procedure for capturing this FTP problem?

A.) Follow these steps:

1. Start fw monitor.

2. Initiate an FTP connection from the client.

3. Wait for the problem to occur, then press CTRL + C to stop fw monitor.

ETHEREAL

Ethereal is a graphical tool used to capture and analyze network traffic. (Ethereal has since been renamed Wireshark.) It is available on a wide range of platforms and operating systems, including all major UNIX flavours (Solaris, Linux, BSD, etc.), Windows (Windows 9x, ME, NT 4, 2000 and XP), Mac OS, and many more. Ethereal reads a wide variety of capture formats, including the format used by fw monitor (which is in fact the snoop format). Check Point has its own flavour of Ethereal called CPethereal (available to Check Point Certified Support Partners only).

Using Ethereal

Below is fw monitor output in Ethereal:

[Screenshot: Ethereal with the fw monitor file access-oslo.out open. The packet list shows the TCP handshake and HTTP GET / between 172.29.109.1 port 1045 and 10.2.2.102 port 80, each packet listed several times (once per inspection point), which Ethereal labels [TCP Retransmission] and [TCP Dup ACK]. The details pane decodes frame 105 as Ethernet II / IP / TCP, and the bytes pane shows its hex dump. The Ethernet addresses are not real: fw monitor fills them with ASCII text, here destination 69:31:65:74:68:31 = "i1eth1", recording the inspection point (i) and the interface (eth1) on which the copy was taken.]

Ethereal GUI

The Ethereal GUI consists of three panes. The top pane is an overview, listing the entry ID number, capture time, source and destination address, protocol name (TCP, UDP, FTP, ICMP), and a packet summary with the following information:

• Type of packet: SYN, SYN-ACK, ACK, RST, etc.

• Sequence number, acknowledgement number, and packet length

The middle pane decodes the protocol layers of the selected packet, and the bottom pane shows its raw bytes in hexadecimal and ASCII.

[Screenshot: the top pane listing the SSH and HTTP packets of the capture, with the duplicate entries for each inspection point marked as retransmissions or duplicate ACKs.]

Ethereal Top Pane

The Time field counts seconds from the moment fw monitor was started, and is always important for troubleshooting. For example, a new TCP connection starts with a TCP handshake: SYN, SYN-ACK, and ACK. Check Point's default limit for completing the whole handshake is 25 seconds (the TCP start timeout setting under Stateful Inspection in Global Properties). If you see a SYN from client to server and the server does not reply with a SYN-ACK within 25 seconds, the late SYN-ACK is dropped with a "TCP packet out of state" message. By looking at the Time field, you can tell whether the handshake finished in time.


Viewing Connection Beginnings

A typical TCP connection starts with a TCP handshake: SYN, SYN-ACK, and ACK. You can observe the handshake in fw monitor output without any filter expression. If the SYN packet from the client to the server shows all four entries (i, I, o, O), you know the packet arrived at the kernel and left the Gateway successfully.

After the SYN leaves the Gateway and reaches the server, the server replies with a SYN-ACK; if that reply passes, you again see i, I, o, O. The client then sends an ACK for the SYN-ACK, and you see i, I, o, O once more. If you see only the SYN and no SYN-ACK, the SYN-ACK may never have arrived at the Gateway: there may be a routing problem, or the server may not be running.

Viewing Connections Dropped by Kernel

Depending on the switch combination given to fw monitor, you will see more or fewer entries per packet. If no inspection-point mask (-m) is specified, fw monitor records each packet four times, once per inspection point (i, I, o, O), and Ethereal shows four entries; because the copies are identical, Ethereal marks the repeats as [TCP Retransmission] or [TCP Dup ACK]. That is an artifact of the capture, not real retransmission on the wire. Any discontinuity in the sequence means the kernel dropped or rerouted the packet. For example, a packet with an i entry but no I entry may have been dropped by the Rule Base. A packet that appears on the inbound side (i or I) but never on the outbound side (o or O) may have been rerouted by the OS, or delivered to the Gateway's own OS.
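The reading rules in this section (i without I: dropped by the Rule Base; I without o: rerouted or consumed by the OS; a SYN with no SYN-ACK: the reply never reached the Gateway) can be applied mechanically to fw monitor's standard output. The following script is an added example for this handbook section, not Check Point code. Its input is a constructed sample in the text layout fw monitor uses, assumed here to be one IP line per inspection point (<iface>:<point>[len]: src -> dst (proto) len= id=) followed by a TCP line whose flag string is printed in F S R P A U order; the addresses are the ones used in this chapter, while the IP ids, sequence numbers and interface names are made up. The copies of one packet are correlated on IP identification plus TCP sequence number rather than on addresses, because Static NAT rewrites addresses part-way through the chain but touches neither field; the handshake tracker keys on the client endpoint for the same reason.

```python
"""Read fw monitor text output: which inspection points each packet reached and
whether each TCP handshake completed (added example on constructed input)."""
import re
from collections import namedtuple
from typing import Dict, List, Set, Tuple

# Assumed text layout: one IP line per inspection point, then one TCP line whose
# flag string is printed in the order F S R P A U.
IP_RE = re.compile(r"^(?P<iface>\S+):(?P<point>[iIoO])\[\d+\]: (?P<src>[\d.]+) -> "
                   r"(?P<dst>[\d.]+) \((?P<proto>\w+)\) len=\d+ id=(?P<ipid>\d+)$")
TCP_RE = re.compile(r"^TCP: (?P<sport>\d+) -> (?P<dport>\d+) (?P<flags>[FSRPAU.]{6}) "
                    r"seq=(?P<seq>[0-9a-f]+) ack=[0-9a-f]+$")
Pkt = namedtuple("Pkt", "point iface src dst ipid sport dport flags seq")

def _copies(points, ifin, ifout, src, dst, ipid, sport, dport, flags, seq, nat_dst=None):
    """Constructed fw monitor text for one packet at the given inspection points;
    nat_dst, if given, replaces dst from I onward (Static NAT applied inside the chain)."""
    return "\n".join(
        f"{ifin if pt in 'iI' else ifout}:{pt}[48]: {src} -> "
        f"{nat_dst if nat_dst and pt != 'i' else dst} (TCP) len=48 id={ipid}\n"
        f"TCP: {sport} -> {dport} {flags} seq={seq:08x} ack=00000000" for pt in points)

SAMPLE = "\n".join([   # addresses from this chapter; ids, seqs and interfaces made up
    # HTTP 172.29.109.1 -> 10.2.2.102: SYN, SYN-ACK and ACK each pass i, I, o and O
    _copies("iIoO", "eth0", "eth1", "172.29.109.1", "10.2.2.102", 101, 1045, 80, ".S....", 0x829a),
    _copies("iIoO", "eth1", "eth0", "10.2.2.102", "172.29.109.1", 7001, 80, 1045, ".S..A.", 0x1b2c),
    _copies("iIoO", "eth0", "eth1", "172.29.109.1", "10.2.2.102", 102, 1045, 80, "....A.", 0x829b),
    # telnet SYN dropped by the Rule Base: seen at i only
    _copies("i", "eth0", "eth1", "172.29.109.1", "10.2.2.102", 103, 1046, 23, ".S....", 0x5555),
    # SSH SYN forwarded by the Gateway but never answered
    _copies("iIoO", "eth0", "eth1", "172.29.109.1", "10.2.2.102", 104, 1047, 22, ".S....", 0x7777),
    # FTP to the Static NAT server of the review question: the destination changes
    # after i, so the four copies line up only on IP id and sequence number
    _copies("iIoO", "eth0", "eth2", "100.100.100.1", "200.200.20.1", 9001, 2049, 21,
            ".S....", 0x1111, nat_dst="192.168.1.1"),
])

def parse_fw_monitor(text: str) -> List[Pkt]:
    """Pair each IP line with the TCP line that follows it; other protocols are skipped."""
    pkts, ip = [], None
    for line in text.splitlines():
        m = IP_RE.match(line)
        if m:
            ip = m.groupdict()
            continue
        t = TCP_RE.match(line)
        if t and ip and ip["proto"] == "TCP":
            pkts.append(Pkt(ip["point"], ip["iface"], ip["src"], ip["dst"], int(ip["ipid"]),
                            int(t["sport"]), int(t["dport"]), t["flags"], int(t["seq"], 16)))
        ip = None
    return pkts

def verdict(points: List[str]) -> str:
    """The handbook's reading of an incomplete i/I/o/O sequence."""
    if "O" in points:
        return "forwarded"
    if "o" in points:
        return "dropped outbound (o without O)"
    if "I" in points:
        return "not sent on (I without o): rerouted or consumed by the OS"
    return "dropped inbound (i without I): check the Rule Base and SmartView Tracker"

def kernel_paths(pkts: List[Pkt]) -> Dict[Tuple[int, int], Tuple[List[str], str]]:
    """Group the copies of one packet on (IP id, TCP seq), fields NAT does not rewrite."""
    seen: Dict[Tuple[int, int], List[str]] = {}
    for p in pkts:
        seen.setdefault((p.ipid, p.seq), []).append(p.point)
    return {k: (pts, verdict(pts)) for k, pts in seen.items()}

def handshake_report(pkts: List[Pkt]) -> Dict[Tuple[str, int, int], str]:
    """Per (client IP, client port, server port): how far the handshake got, judged
    from the i copy of each packet, i.e. the packet as it arrived on the wire."""
    paths = kernel_paths(pkts)
    steps: Dict[Tuple[str, int, int], Set[str]] = {}
    syn_of: Dict[Tuple[str, int, int], Tuple[int, int]] = {}
    for p in pkts:
        if p.point != "i":
            continue
        syn, ack = p.flags[1] == "S", p.flags[4] == "A"
        if syn and not ack:                       # client -> server, keyed on the client
            steps.setdefault((p.src, p.sport, p.dport), set()).add("SYN")
            syn_of[(p.src, p.sport, p.dport)] = (p.ipid, p.seq)
        elif syn:                                 # SYN-ACK travels server -> client
            steps.setdefault((p.dst, p.dport, p.sport), set()).add("SYN-ACK")
        elif p.flags == "....A." and (p.src, p.sport, p.dport) in steps:
            steps[(p.src, p.sport, p.dport)].add("ACK")
    report = {}
    for key, seen in steps.items():
        if "ACK" in seen:
            report[key] = "handshake complete"
        elif "SYN-ACK" in seen:
            report[key] = "SYN-ACK seen, final ACK from the client missing"
        elif key in syn_of and paths[syn_of[key]][1] != "forwarded":
            report[key] = "SYN never left the Gateway: " + paths[syn_of[key]][1]
        else:
            report[key] = "SYN forwarded, no SYN-ACK reached the Gateway: check routing or the server"
    return report

if __name__ == "__main__":
    packets = parse_fw_monitor(SAMPLE)
    for (ipid, seq), (pts, what) in kernel_paths(packets).items():
        print(f"id={ipid} seq={seq:08x} points={''.join(pts):4} {what}")
    for (ip, port, dport), what in handshake_report(packets).items():
        print(f"{ip}:{port} -> port {dport}: {what}")
```

Run against a real capture, the same two functions take the text that fw monitor writes to standard output (or a -o file converted with snoop); the telnet SYN shows up as "dropped inbound" although SmartView Tracker may not log a drop for it if the matching rule has no tracking, and the FTP SYN to the Static NAT server keeps its four copies together although its destination address changes between i and I.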

Using Filters with Ethereal

When you use fw monitor to capture certain types of traffic, start fw monitor with the proper switches first. Then test the traffic in question, wait until the problem occurs (the connection times out or error messages appear), return to the fw monitor CLI, and stop fw monitor with CTRL + C. To move the monitor output to a machine running Ethereal, transfer it in binary mode; an ASCII-mode transfer corrupts the capture file.

Ethereal may take a long time to open an fw monitor file, because it interprets every packet in the monitor.out file as it loads. Check Point recommends starting a new Ethereal session and entering a display filter that matches the filter expression used for the capture before opening the file, so that Ethereal has less to display.


Connections normally start with a SYN packet from a client to a server. To find the starting point of a connection, click the Source or Destination column header (if either address is known) to sort the list, or click the Protocol column header so that entries of the same protocol line up.

For example, to look for FTP connections only, you can filter by FTP on the Protocol field. The filtered output is like the following:

[Screenshot: the packet list sorted on the Protocol column and showing only FTP, i.e. the control connection between 172.29.109.1 and 10.2.2.102: the 220 banner lines from the server (weboslo, WS_FTP Server), USER tchung, 331 Password required, PASS, and 230 user logged in. Each command and response appears four times, one copy per inspection point, which Ethereal flags as [TCP Retransmission] or [TCP Fast Retransmission]. The details pane shows the IP header of the selected 220 banner packet (header length 20 bytes, total length 93) and the bytes pane its hex dump.]

Protocol Field

To revert to the original display, click the No. or Time fields.


FOLLOWING TCP STREAMS

Ethereal can color specific packets, or display only specific packets. The easiest way to display only the packets of one connection is to select a packet in the overview pane, then select Follow TCP Stream from the context menu. This automatically sets a display filter on the connection's source and destination IP addresses and ports, and opens a separate window showing the data exchanged between client and server.

[Screenshot: a packet of the HTTP connection between 172.29.109.1 port 1045 and 10.2.2.102 port 80 selected in the packet list (SYN-ACK, ACK, GET / HTTP/1.1 and HTTP/1.1 304 Not Modified entries visible), with Follow TCP Stream chosen from the context menu.]

Follow TCP Stream Selection

The filter expression is automatically populated in the Filter list in the top pane. To clear the filter expression, click the Clear button to the right of the Filter box.

[Screenshot: the Filter box now reads (ip.addr eq 172.29.109.1 and ip.addr eq 10.2.2.102) and (tcp.port eq 1045), and the list shows only that connection: the SYN (Seq=0 Win=16384), the SYN-ACK (Seq=0 Ack=1 Win=17520), the ACK (Seq=1 Ack=1), GET / HTTP/1.1 and HTTP/1.1 304 Not Modified, each repeated once per inspection point.]

Filter Expression

When Follow TCP Stream is selected, a separate screen appears, displaying the data exchanged between the client and server on that particular connection. By following the TCP stream of a particular FTP packet, the TCP stream screen can show whether or not that connection is broken, as shown below:

[Screenshot: Follow TCP Stream window for an FTP session with the WS_FTP Server evaluation on weboslo, showing the entire conversation (351 bytes) in ASCII: the 220 banner lines, USER tchung, 331 Password required, the PASS line with the password abc123 readable in cleartext, 230 user logged in, TYPE I, 200 Type set to image, PORT, 200 command successful, RETR and QUIT. Below the stream are the Save As and Print buttons, the ASCII / EBCDIC / Hex Dump / C Arrays display options, and a Filter out the stream button.]

Follow TCP Stream Screen

The Follow TCP Stream filter can only use IP addresses and ports.


LAB 5: COMPARING CLIENT-SIDE NAT VS. SERVER-SIDE NAT WITH FW MONITOR

CONFIGURE AUTOMATIC STATIC NAT FOR WWW.YOURCITY.CP

[Steps 1 to 11 are only partly legible in the scan. The fragments refer to logging in, editing the Web server's host object and opening its NAT screen, using 172.x.x.3 as the NAT IP (for the 172.22.102.0 network the NAT IP is 172.22.102.3), clicking OK to exit the host object, checking Policy > Global Properties > NAT, and verifying the NAT and ARP settings.]

RUN FW MONITOR WHILE WEBDALLAS BROWSES THE NAT ADDRESS OF WWW.YOURCITY.CP

[Steps 1 and 2 are only partly legible in the scan. The fragments refer to starting fw monitor on the Gateway with an -o output file, having webdallas (172.29.109.1) browse the Web server by its NAT IP, and confirming that fw monitor captures the HTTP SYN. The closing note mentions the partner city and the NAT of your Web server.]


3. Run fw monitor on your Gateway, filtering for your partner's internal-host IP address as source or destination. For example, if your partner's host IP is 10.2.4.104 (weboslo's partner site webmadrid), run the following command to capture all traffic from or to that partner host:

fw monitor -e "accept src=10.2.4.104 or src=172.24.104.3 or dst=10.2.4.104 or dst=172.24.104.3;" -o monitor-auto-nat.out

4. Use FTP in binary mode to transfer the monitor-output file from your Gateway to www.yourcity.cp, where Ethereal is installed.

5. Open Ethereal and load the monitor-output file.

6. Analyze the NAT process and locate the point where the NAT IP address changes into the private IP. In the following screenshot at I (big I), the destination changes from 172.23.103.3 to 10.1.1.101, which is the private IP of webrome:

[Screenshot: Ethereal view of the fw monitor capture with client-side NAT. Frames 1 to 4 show the same SYN from 172.23.103.3 port 1092 at the four inspection points: at i (eth0) the destination is 172.21.101.3, and from I onward it is 10.1.1.101. Frames 5 to 8 show the SYN, ACK reply from 10.1.1.101, whose source is translated back to 172.21.101.3 only at O. The detail pane of Frame 2 (62 bytes, captured Apr 26, 2006 09:03:30) shows FW1 Monitor direction I on eth0, Src 172.23.103.3, Dst 10.1.1.101, Src Port 1092, Dst Port http (80).]

Monitor Output with Client-Side NAT


[The preceding step is only partly legible in the scan; its fragment reads "... 10.2.2.102 to 172.22.102.3. This occurs at the O (big O) in the ..." screenshot.]

DISABLE CLIENT NAT

[Steps 1 to 5 are only partly legible in the scan: select Global Properties, under Automatic NAT rules change the translation to the server side, leave the remaining settings as they are, click OK, and install the Policy; the fragments also mention NAT and ARP.]

ADD HOST ROUTE ON FWYOURCITY GATEWAY

1. Log in to the Gateway.

2. [unreadable in the scan]

3. Select Routing from the menu.

4. Select add a host route.

5. Enter the NAT IP address as the [remainder unreadable in the scan]

7. Enter e to exit [remainder unreadable in the scan]

8. Enter e to [remainder unreadable in the scan]

RUN FW MONITOR WHILE BROWSING NAT IP ADDRESS

[Steps 1 to 3 are only partly legible in the scan: run fw monitor on the Gateway, browse from 172.29.109.1 to the Web server by its NAT IP, and use FTP to send the monitor output to www.yourcity.cp.]


5. Identify the point where the NAT IP changes to the private IP. For inbound, as shown in the screenshot below, the translation occurs at O (big O), since it is closest to the server side. (The client side is webdallas, and the server side is webrome.)

[Screenshot: Ethereal view of the fw monitor capture with server-side NAT. Frames 1 to 4 show the same SYN from 172.29.109.5 port 1351 to 172.21.101.3 unchanged at i, I and o, and translated to 10.1.1.101 only at O (eth1). Frames 5 to 8 show the SYN, ACK reply from 10.1.1.101, whose source is translated back to 172.21.101.3 already at I. The detail pane of Frame 4 (62 bytes, captured Apr 26, 2006 09:37:06) shows FW1 Monitor direction O on eth1, Src 172.29.109.5, Dst 10.1.1.101, Src Port 1351, Dst Port http (80).]

fw monitor Output with Server-Side NAT

6. Identify the point where the return packet's source address is translated from 10.2.2.102 to 172.22.102.3. It is at the I (big I), because this is the closest point to the server side.
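The point-by-point reasoning of steps 5 and 6 can be made mechanical. The following is an added Python example, not code from the handbook: it reads fw monitor text-style records, groups each packet's i, I, o, O records, reports the first point at which src or dst differs from the previous point, and names the NAT side that point implies. The two captures are constructed in the fw monitor text line format (iface:point[len]: src -> dst (proto) ...) and reuse the lab's addresses; they are not the lab's captures.

```python
import re
from typing import Dict, List, Optional

# Constructed samples in the style of fw monitor text output (no -o file);
# they are not captures from the student handbook. Each packet appears once
# per inspection point: i (pre-in), I (post-in), o (pre-out), O (post-out).
CLIENT_SIDE_NAT = """\
eth0:i[60]: 172.23.103.3 -> 172.21.101.3 (TCP) len=60 id=1
TCP: 1092 -> 80 .S.... seq=1163489328 ack=0
eth0:I[60]: 172.23.103.3 -> 10.1.1.101 (TCP) len=60 id=1
TCP: 1092 -> 80 .S.... seq=1163489328 ack=0
eth1:o[60]: 172.23.103.3 -> 10.1.1.101 (TCP) len=60 id=1
TCP: 1092 -> 80 .S.... seq=1163489328 ack=0
eth1:O[60]: 172.23.103.3 -> 10.1.1.101 (TCP) len=60 id=1
TCP: 1092 -> 80 .S.... seq=1163489328 ack=0
"""

# Server-side NAT: the request is rewritten only at O, the reply already at I.
SERVER_SIDE_NAT = """\
eth0:i[60]: 172.29.109.5 -> 172.21.101.3 (TCP) len=60 id=2
TCP: 1351 -> 80 .S.... seq=1550466389 ack=0
eth0:I[60]: 172.29.109.5 -> 172.21.101.3 (TCP) len=60 id=2
TCP: 1351 -> 80 .S.... seq=1550466389 ack=0
eth1:o[60]: 172.29.109.5 -> 172.21.101.3 (TCP) len=60 id=2
TCP: 1351 -> 80 .S.... seq=1550466389 ack=0
eth1:O[60]: 172.29.109.5 -> 10.1.1.101 (TCP) len=60 id=2
TCP: 1351 -> 80 .S.... seq=1550466389 ack=0
eth1:i[60]: 10.1.1.101 -> 172.29.109.5 (TCP) len=60 id=3
TCP: 80 -> 1351 .S..A. seq=1549795000 ack=1550466390
eth1:I[60]: 172.21.101.3 -> 172.29.109.5 (TCP) len=60 id=3
TCP: 80 -> 1351 .S..A. seq=1549795000 ack=1550466390
eth0:o[60]: 172.21.101.3 -> 172.29.109.5 (TCP) len=60 id=3
TCP: 80 -> 1351 .S..A. seq=1549795000 ack=1550466390
eth0:O[60]: 172.21.101.3 -> 172.29.109.5 (TCP) len=60 id=3
TCP: 80 -> 1351 .S..A. seq=1549795000 ack=1550466390
"""

# Only the IP header line of each record carries the inspection point and
# the addresses; the TCP detail line that follows it is ignored.
IP_LINE = re.compile(
    r"^(?P<iface>\w+):(?P<point>[iIoO])\[\d+\]:\s+"
    r"(?P<src>\d+(?:\.\d+){3})\s+->\s+(?P<dst>\d+(?:\.\d+){3})\s+\((?P<proto>\w+)\)"
)
ORDER = {"i": 0, "I": 1, "o": 2, "O": 3}


def parse_records(text: str) -> List[Dict[str, str]]:
    """Return one dict (iface, point, src, dst, proto) per IP header line."""
    return [m.groupdict() for m in map(IP_LINE.match, text.splitlines()) if m]


def group_packets(records: List[Dict[str, str]]) -> List[List[Dict[str, str]]]:
    """Split the record stream into packets: a packet's points run i, I, o, O,
    so a point that does not advance past the previous one starts a new packet."""
    packets: List[List[Dict[str, str]]] = []
    for rec in records:
        if packets and ORDER[rec["point"]] > ORDER[packets[-1][-1]["point"]]:
            packets[-1].append(rec)
        else:
            packets.append([rec])
    return packets


def find_translation(packet: List[Dict[str, str]]) -> Optional[Dict[str, str]]:
    """First inspection point whose src or dst differs from the previous point,
    i.e. the point at which the NAT rewrite was applied; None if untranslated."""
    for prev, cur in zip(packet, packet[1:]):
        for field in ("src", "dst"):
            if prev[field] != cur[field]:
                return {"point": cur["point"], "field": field,
                        "before": prev[field], "after": cur[field]}
    return None


def nat_side(point: str, field: str) -> str:
    """Client-side NAT rewrites a request's destination at I and the reply's
    source at O; server-side NAT rewrites the destination at O and the reply's
    source at I. Nothing is rewritten at the pre-chain points i and o."""
    if point in ("i", "o"):
        return "unexpected"
    if field == "dst":
        return "client-side" if point == "I" else "server-side"
    return "client-side" if point == "O" else "server-side"


def analyze(text: str) -> List[Dict[str, str]]:
    """One result per translated packet: where, which address, and which NAT side."""
    results = []
    for packet in group_packets(parse_records(text)):
        hit = find_translation(packet)
        if hit:
            hit["side"] = nat_side(hit["point"], hit["field"])
            results.append(hit)
    return results


if __name__ == "__main__":
    for name, sample in (("client-side", CLIENT_SIDE_NAT), ("server-side", SERVER_SIDE_NAT)):
        for hit in analyze(sample):
            print(f"{name} sample: {hit['field']} {hit['before']} -> {hit['after']} "
                  f"at {hit['point']} ({hit['side']})")
```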

End of lab.

REVIEW

• tcpdump is a UNIX utility that captures a sample of packet headers on a network segment, by setting an interface into promiscuous mode.

• snoop is a utility on UNIX based systems that can capture a sampling of all traffic on a network segment, by setting an interface into promiscuous mode. snoop can only capture packets in its local collision domain, not from a switched network.

• fw monitor is a Check Point specific utility, consisting of a special INSPECT filter that can be configured and run on a Security Gateway to capture all traffic passing through that Gateway's interfaces. fw monitor can be set to capture all traffic passing through the NGX kernel, or modified to only capture specific traffic, depending on the need of the Security Administrator.

• The INSPECT virtual machine is the name given to the processing of network traffic packets through the NGX kernel, before those packets enter the operating system's network stack. The virtual machine consists of four points, i (pre-in), I (post-in), o (pre-out), O (post-out).

• fw monitor can be configured to also insert itself into and capture the actions of kernel chains on packets, showing the action each kernel module did or did not take on that packet.

• Ethereal is a multiplatform, graphical network-analysis tool that can be used to capture traffic, and also be used to view the output of tcpdump, snoop and fw monitor. Check Point has produced its own version, called CPEthereal.


Review Answers

1. What sort of traffic will the following fw monitor string capture? fw monitor -e "accept dport=80;"

B.) All inbound HTTP traffic to the Web server

2. You are troubleshooting an FTP connectivity issue through an NGX Security Gateway. Use the following fw monitor string: fw monitor -e "accept src= 192.168.19.23 or dst= 192.168.19.23;" -o ftp-monitor.out

You have captured all traffic for the FTP server, and are attempting to determine if the problem lies with the server or with clients connecting through the Security Gateway. Which of the following would be the best way to use Ethereal to study the capture?

E.) All of these would be useful, but more information about the issue is necessary to determine the next step.


CHAPTER 5: NGX DEBUGGING TOOLS

This chapter discusses the debugging tools used for troubleshooting VPN-1 NGX. There are many ways to generate debug information. NGX debugging tools allow in-depth analysis of specific issues.

Objectives

1. Perform kernel debugging using the fw ctl debug command.

2. Use fwm debug to analyze SmartCenter Server issues.

3. Use fwd debug to analyze kernel-to-application layer issues.

4. Use cpd debug to analyze SIC issues.


Key Terms

• fw ctl debug

• fw debug fwd

• fw debug fwm

• cpd debug

FW CTL DEBUG

The fw ctl debug command may be used for a variety of reasons, including performance-baseline measurements, troubleshooting specific issues as they arise, and server-performance improvement. This debugging tool is very useful when determining the cause of issues with a Security Gateway.

The fw ctl debug command has many switches that make it possible to see nearly everything happening in the NGX kernel. How NGX kernel messages are triggered varies according to the situation. Some messages are issued whenever a certain condition occurs. Other messages are issued only when a certain debugging flag is set. It is possible to alter debugging flags, and so choose which messages will appear. By default, messages are written to the console in UNIX systems, which usually collects console messages in a log file, or to the event viewer on Windows. It is possible to change the destination of the messages.

All debugging flags are grouped into modules. Each module represents a product or functionality. Some kernel modules are fw, vpn, h323, and cluster. Each module has a list of debugging flags, each of which can be enabled or disabled. Some of these flags are on by default, and there is usually no reason to reset them. Others are off by default, and may be set when debugging messages are desired. To obtain a list of modules and flags, type fw ctl debug -h.

fw ctl kdebug

If you do not want debugging messages displayed on the console, create a debugging buffer using fw ctl debug -buf. All debugging messages will then print to the buffer. The fw ctl kdebug command is used to read the buffer and print its messages to the standard output. fw ctl kdebug removes all messages it reads from the buffer, and so makes room for more messages. The buffer is cyclic, which means if there is no room in the buffer for a new message, the oldest messages are deleted from the buffer. In such a case, a message is printed to the buffer and the console, indicating messages are lost.

[The table of kernel modules and their debugging flags on this page lost its column layout in the scan. The legible flag names in the first group are: cifs sipvm smtp wap ex driver filter q xlate xltrc sync ipopt link nat mgcp cprx mail spii]

VPN MODULE (VPN-1)

[Legible flag names: url dns rtm ls auth log conn install tcp rates tim ad time llq pkt]

H323 MODULE (VOIP H.323)

[Legible flag names: error init h225 h245 ras decode]

BOA MODULE (MALICIOUS CODE PROTECTION)

[Legible flag names: cpas fatal info stat]

WS MODULE (SMARTDEFENSE WEB INTELLIGENCE)

Kernel-debugging options: fatal error warning info timestamp connection session parser body global stat memory address policy pfinder regexp coverage report_mgr spii uuid ioctl module mem_pool pkt_dump subject sslt sslt_seq

CPAS MODULE (ACTIVE STREAMING)

Kernel-debugging options: error warning tcp api glue events conns pkts timer tcpinfo http ftp skinny

CLUSTER MODULE (HIGH AVAILABILITY)

Kernel-debugging options: conf if stat select ccp pnote log mac forward df pivot nokia timer accel drop subs

RTM MODULE (SMARTVIEW MONITOR)

Kernel-debugging options: driver err topo policy init chain ioctl import special rtm sort netmasks per_conn per_pckt view_update view_update1 view_add performance con_conn tabs s_err wd accel


fw ctl debug Flags

fw ctl debug is a special command to pass debugging flags to the modules that make up the NGX kernel, as shown below:

fw ctl debug [-x] [-m <module>] [+|-] <options | all | 0>

fw ctl debug -buf [buffer size]

Flag Explanation

-h Display usage for running kernel module in debug mode; show the options for that module, if a kernel module is specified.

-buf [buffer size] Assign buffer size in KB; minimum buffer size is 128 KB; maximum is 8,192 KB.

-x Clear all debug options.

-m <module> Specify a module to debug.

+ | - Add or remove a debugging option. Note: When using +, that option is passed to the kernel along with all currently running flags.

<options | all | 0> Specify one of the following: <option> for an option; <all> for all options; <0> to reset all options to default values; <CTL + C> to stop debugging.

FW CTL DEBUG OPTIONS

The following table lists available definitions for fw ctl debug options. While not comprehensive, this table does define the most commonly used ones. Contact Check Point Technical Support for further information on options not defined here.

Option Explanation

all Uses all commands — option is not recommended; amount of data is massive, and it is nearly impossible to retrieve useful information; on some platforms, it could crash the system, as the operating system will try to write massive amounts of data to the console.

cookie With the cookie switch turned on, all cookies in the data structure holding the packets are shown; cookies are used to avoid the problems that arise from the various ways operating systems handle packets; unrelated to the HTTP implementation of cookies; VPN-1 NGX uses cookies as packet fragments for consistency between operating systems.

crypt With this option turned on, all encrypted/decrypted packets are printed in cleartext and ciphertext; algorithms and keys in use are also printed.

driver Access to the kernel module, shown as log entries

filter Shows the packet filtering performed by the kernel, and all data loaded into the kernel

hold Holding mechanism, and all packets being held or released, shown when this switch is turned on

if Displays all interface-related information, such as accessing the interface, or installing a filter on an interface

ioctl When this switch is turned on, it shows all Input/Output (ioctl) control messages, such as communication between the kernel and the daemon, and loading and unloading of VPN-1 NGX.

kbuf All informative kbuf-related displays, such as RDP when encrypting; kbuf is the kernel-buffer memory pool; encryption keys use these memory allocations.

ld Displays all table read/write operations; heavy log generation

log Shows everything related to calls in the log


machine Shows the actual assembler commands being processed; heavy log generation

memory Prints memory allocations of VPN-1 NGX

misc Prints all items not shown with other commands

packet Shows all actions performed on a packet, such as accept, drop, or fragment

q Prints information regarding the driver queue

tcpseq Prints TCP sequences being changed when using Network Address Translation (NAT)

xlate, xltrc Prints NAT-related information (changing IPs), where the xlate switch is the basic and most commonly used switch; xltrc provides additional information, by showing the actual process of going through the NAT Rule Base for each packet, mostly on Telnet and FTP connections.

winnt Prints special information regarding Windows NT operation

synatk Prints all information regarding SYNDefender

domain Prints Domain Name Service (DNS) queries

install Prints driver installation

profile Prints the number of packets filtered, and the amount of time spent on them

media Media-level information on Windows NT using frames, not packets

ex Displays information about dynamic-table expiration

balance Displays information about logical-server load balancing

chain Displays information about cookie chains

SYNTAX

The syntax for using fw ctl debug is as follows:

fw ctl debug all | cookie | crypt | driver | filter | hold | if | ioctl | ... | xltrc | winnt | synatk | domain | install | profile | media | align | ex | balance | chain

[Part of the option list between ioctl and xltrc is unreadable in the scan.]

fw ctl kdebug -f >& <output_file>

fw ctl kdebug -i <output_file>

FW CTL DEBUG EXAMPLES

[The examples that follow this heading are unreadable in the scan.]

DEBUGGING FWD/FWM

fwd/fwm Debug Switches

The switches in the table below allow a more granular level of control over the fwm and fwd processes:

Switch Explanation

-u VPN-1 SecuRemote server; configures a Security Gateway to allow SecuRemote connections

-n Management only: used to designate a particular server as a management-only module

-s No module; disables unneeded NGX services, such as fwauthd (authentication daemon), and the SMTP server; this can help reduce the amount of services running on a server, to determine if they are conflicting, causing resource shortages, and to see if an issue arises, by loading just the NGX core services.

-l No logs; disables logging that would normally be generated according to the Rule Base

-A No alerts; disables alerts that would normally be generated according to the Rule Base

-d Debug; debugs processes on the NGX server; this logs a great deal of information in a short time period, and should be used with care.

-D Log debugging; helps troubleshoot issues dealing with log-file generation; if records are not being placed into the log file, this switch should be used.

Debugging without Restarting fwd/fwm

This method is effective for troubleshooting NGX installations that cannot be stopped, due to network activity. Debugging without restarting fwd/fwm allows processes to continue running as they are placed into debug mode:

1. While the fwd process is running, open a Command Line Interface (CLI).

2. From the CLI, type the following:

fw debug [fwd | fwm] on [<env_variable>=<value>]

Note: Choose either fwd or fwm, depending on which process needs to be debugged.

[Steps 3 to 6 of this procedure are only partly legible in the scan. The fragments refer to setting OPSEC_DEBUG_LEVEL=3 and TDERROR_ALL_ALL to 3 (or 5) for the debugged process, to using this for HTTP or FTP issues, and to turning debugging off again with fw debug fwd | fwm off. A second, shorter procedure on the same page (steps 1 to 4, ending with fwm) is unreadable.]

Debugging by Restarting fwd/fwm

[This section is only partly legible in the scan. It begins "In the examples below, the fwd command is used. It may be ..." and continues "Press CTRL + C in the fwd -d screen to stop ... Next, restart the ..."; the UNIX command example that follows is unreadable.]


Stopping fwd debug

To stop an fwd debug, use the following procedure:

1. Run cpstop in the console or CLI in which cpstart was previously executed.

2. Press CTRL + C in the remaining console or CLI where fwd debug is running.

3. Execute the cpstart command to reactivate NGX services.

To redirect fwd output to a file instead of the console, use the following command:

UNIX

fwd -d 2> file_name

WINDOWS

fwd -d 2> file_name

When sending the output to a file, the fwd command should run for a short time only, because the output file quickly becomes very large. If the file becomes too large, it will be impractical for troubleshooting. Some general debug information is also stored in the $FWDIR/log/fwd.elg file, including:

• Services and processes starting.

• Configuration-file loading.

• Security Policy loading.

By default, when fwd executes, it uses -u. On a SmartCenter Server, cpstart uses fwd -n.

DEBUGGING CPD

cpd is a Check Point generic daemon, which executes code of application add-ons specified in the Check Point registry. cpd admin is a client utility used to send administration commands to cpd. cpd config is a configuration utility used to configure cpd add-ons. cpd is started by cpstart and stopped by cpstop. Usually Administrators do not start or stop cpd manually.

The cpd process controls Secure Internal Communications (SIC), Policy installation, and shared-management capabilities between Check Point products and OPSEC-partner products. cpd listens on the Certificate distribution port, waiting for fwm to provide cpd with its Certificate.

SIC ports used are:

• Port 18209, used for CA communication (for status, to issue, and revoke) between the SmartCenter Server and the Security Gateway.

• Port 18210, used to pull Certificates from the CA.

• Port 18211, used by the cpd daemon on the Gateway to receive the Certificate (by clicking Initialize in SmartDashboard).

To determine if SIC is listening to its network port on the Gateway or SmartCenter Server, run the netstat -na command to find the above three ports' status; for example:

On Windows 2000 Server and Windows Server 2003, run the following:

netstat -na | find "18211"

On Solaris or Linux (or SecurePlatform in Expert Mode), run the following:

netstat -na | grep 18211

The output should be:

TCP 0.0.0.0:18211 0.0.0.0:0 LISTENING
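As an added check (Python, not part of the handbook), the following parses netstat -na output in both the Windows format (state LISTENING) and the Linux/SecurePlatform format (Recv-Q/Send-Q columns, state LISTEN) and reports which of the three SIC ports have a TCP listener. The netstat samples are constructed; an ESTABLISHED connection on a SIC port is deliberately not counted as a listener, which is the mistake a bare grep for the port number makes.

```python
import re
from typing import Dict, List, Set

# The three SIC ports named in the text and what each is used for.
SIC_PORTS: Dict[int, str] = {
    18209: "CA communication between SmartCenter Server and Gateway",
    18210: "pulling Certificates from the CA",
    18211: "cpd on the Gateway receiving its Certificate",
}

# Constructed netstat -na samples (not output from a real Gateway). The first is
# in the Windows format, the second in the Linux/SecurePlatform format. The
# Windows sample has no listener on 18210; the Linux sample also carries an
# ESTABLISHED connection on 18211, which must not count as a listener.
WINDOWS_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:18209          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:18211          0.0.0.0:0              LISTENING
  TCP    192.168.1.5:18191      192.168.1.10:2049      ESTABLISHED
  UDP    0.0.0.0:500            *:*
"""

LINUX_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:18209           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:18210           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:18211           0.0.0.0:*               LISTEN
tcp        0      0 10.1.1.1:18211          10.1.1.5:3456           ESTABLISHED
"""

# One pattern for both layouts: the two queue columns are optional and the
# state must be LISTEN or LISTENING, so ESTABLISHED rows and UDP rows never match.
LISTEN_RE = re.compile(
    r"^\s*tcp\w*\s+(?:\d+\s+\d+\s+)?(?P<local>\S+)\s+\S+\s+LISTEN(?:ING)?\s*$",
    re.IGNORECASE,
)


def listening_tcp_ports(netstat_output: str) -> Set[int]:
    """Local TCP ports that have a listener; handles IPv4 and [::]:port forms."""
    ports: Set[int] = set()
    for line in netstat_output.splitlines():
        m = LISTEN_RE.match(line)
        if m is None:
            continue
        port = m.group("local").rsplit(":", 1)[-1]   # 0.0.0.0:18211 -> 18211
        if port.isdigit():
            ports.add(int(port))
    return ports


def sic_status(netstat_output: str) -> Dict[int, bool]:
    """Map each SIC port to True when something is listening on it."""
    open_ports = listening_tcp_ports(netstat_output)
    return {port: port in open_ports for port in SIC_PORTS}


def missing_sic_ports(netstat_output: str) -> List[int]:
    """SIC ports without a listener, ascending; an empty list means SIC is up."""
    return sorted(port for port, up in sic_status(netstat_output).items() if not up)


if __name__ == "__main__":
    for label, sample in (("Windows sample", WINDOWS_NETSTAT), ("Linux sample", LINUX_NETSTAT)):
        for port, up in sic_status(sample).items():
            state = "LISTENING" if up else "NOT LISTENING"
            print(f"{label}: {port} ({SIC_PORTS[port]}): {state}")
```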

SETTING ENVIRONMENT VARIABLES

[Steps 1 to 3 of this procedure, and the text preceding it, are unreadable in the scan.]

Note: The Check Point Watchdog process will restart a failed cpd process within 60 seconds after it has been stopped. cpwatchdog logs may prove useful in troubleshooting cpd-related issues.

4. To redirect output to $CPDIR/log/cpd.elg, run cpd without any switches, or run cpd -d. The output displays in the CLI.

5. On Windows, run cpd -d 2> [filename] to redirect the output to a file. On UNIX, run cpd -d >& [filename] to redirect the output to a file.

If the commands are run from a different CLI, no debug information will be gathered. To use separate CLIs, environment variables must be reset.

LAB 6: USING CPD AND FWM DEBUGGING

RUN CPD DEBUG ON THE GATEWAY

1. Identify the PID of the cpd process:

ps -aux | grep cpd

2. Kill the PID process by running:

kill -9 <cpd PID>

3. Set debug level and flag:

set OPSEC_DEBUG_LEVEL=3

set TDERROR_ALL_ALL=3

4. Run cpd in debug mode, redirecting the output to a file (the rest of the command is unreadable in the scan):

cpd -d >&

RUN FWM DEBUG [the remainder of this heading is unreadable in the scan]

[The introduction is only partly legible: if you are connected at the console, press ALT + F2 to switch to a second console for these commands and ALT + F1 to return; the SSH case is unreadable.]

1. Set the debug environment variables:

set OPSEC_DEBUG_LEVEL=3

set TDERROR_ALL_ALL=3

2. Turn on fwm debugging:

fw debug fwm on

THE PROBLEM

[This section is unreadable in the scan.]

STOP DEBUGGING AND VIEW THE OUTPUT

1. On the Gateway, press CTRL + C to stop cpd debugging.

2. Run fw debug fwm off to turn off fwm debugging.

3. View the cpd-debug output file cpd.out, by using the less command.

4. View $FWDIR/log/fwm.elg in a text editor on your Web server.

REVIEW

• fw ctl debug can be used to view almost every function of the NGX kernel, by configuring the modules (debugging flags grouped according to product and/or functionality).

• NGX kernel modules are fw, vpn, FG-1 (QoS), h323, BOA, WS, CPAS, and cluster.

• Debugging the fwd and fwm processes can be useful when troubleshooting issues related to NAT, security, logging, alerts, Policy installation, OPSEC, and communication between processes.

• Debugging fwm and fwd can be done either by stopping the process, enabling debugging, and then restarting the process, or by passing the debug command to the running process.

• The cpd process can be configured for a debugging session to assist in troubleshooting SIC issues, Policy installation, and Check Point/OPSEC shared management-product communication.

Review Questions

1. You are troubleshooting a VPN between a clustered NGX installation at your site, and a single Security Gateway at your partner site. You have already enabled debugging and assigned the buffer size. Which of the following fw ctl debug strings would be useful for troubleshooting this issue in this environment? Choose all that apply:

A.) fw ctl debug -m h323 + decode memory

B.) fw ctl debug -m fw + crypt memory

C.) fw ctl debug -m vpn + ike memory

D.) fw ctl debug -m cluster + nokia memory

2. What part of the following debug command sets the level of information captured from the fwm process written to the *.elg file? fw debug fwm on OPSEC_DEBUG_LEVEL=3 TDERROR_ALL_ALL=5

A.) fw debug fwm on

B.) OPSEC_DEBUG_LEVEL=3

C.) TDERROR_ALL_ALL=5

D.) B & C


Review Answers

1. You are troubleshooting a VPN between a clustered NGX installation at your site, and a single Security Gateway at your partner site. You have already enabled debugging and assigned the buffer size. Which of the following fw ctl debug strings would be useful for troubleshooting this issue in this environment?

B.) fw ctl debug -m fw + crypt memory

C.) fw ctl debug -m vpn + ike memory

2. What part of the following debug command sets the level of information captured from the fwm process and written to the *.elg file? fw debug fwm on OPSEC_DEBUG_LEVEL=3 TDERROR_ALL_ALL=5

D.) B & C

3. Which of the following issues can you NOT troubleshoot by debugging the CPD daemon?

C.) IKE Certificate exchanges


CHAPTER 6: FW ADVANCED COMMANDS

Various fw commands are very helpful for collecting the data needed to maintain NGX Security Gateways and to troubleshoot problems. The basic fw commands are listed by typing fw at the command line; the advanced fw commands are listed by typing fw advanced.

Objectives

1. Identify relevant fw commands to obtain critical information about NGX components' status.

2. Use fw and fw advanced commands with proper options, to obtain critical information for troubleshooting.


Key Terms

fw tab

Symbolic link

fw ctl

Connection Module

fw


FW COMMANDS

fw commands are listed by typing fw at the command line. The following table lists those commands and a brief explanation of each:

fw command                               Explanation
fw ver [-h]                              Display version.
fw kill [-sig_no] procname               Send a signal to a daemon.
fw sam                                   Control the SAM server.
fw fetch targets                         Fetch the last Security Policy.
fw tab [-h]                              Display kernel-table content.
fw monitor [-h]                          Monitor NGX traffic.
fw ctl [args]                            Control the kernel.
fw lichosts                              Display protected hosts.
fw log [-h]                              Display logs.
fw logswitch [-h target] [+|-][oldlog]   Create a new log file; the old log is closed and renamed.
fw repairlog                             Recreate the log index.
fw mergefiles                            Merge log files.
fw lslogs                                Display the remote machine's log-file list.
fw fetchlogs                             Fetch logs from a remote host.

The fw tab, fw ctl debug and fw monitor commands are elaborated in their own sections.


FW TAB COMMAND

fw tab Options

The following is the standard format for the fw tab command, and a table of its parameters:

fw tab [-all | -conf conffile] [-s] [-f] [-a] [-m number] [-u] [-t tname] [-x tname] [-d] [targets]

Parameter        Explanation
-all             Command executed on all targets in the default system configuration file
-conf <file>     Command executed on the targets specified in the conf file
-a               Displays all tables
-s               Summary: displays only the number of elements in each table
-u               Does not limit the number of displayed entries
-m number        For each table, displays only its first number of elements (the default is 16)
-t tname         Displays only the tname table
-x tname         Deletes the entries of the tname table (use with care on a production Gateway)
-f               Displays the output in decimal (cptfmt) format
targets          Command executed on the designated targets


TABLE ATTRIBUTES

A table has a list of associated attributes. The following are some of the attributes a table may have:

Attribute             Explanation
free function         Function called when an entry is deleted from, or expires in, this table
expires <time>        Amount of time (seconds) an entry is allowed to stay in the table
hashsize <size>       Size of the hash table; this value should be the power of 2 closest to the size of the table
implies <table name>  Unused
kbuf <x>              The xth argument in the value section is a reference to an internal data structure (mostly used in encryption)
keep                  Keeps the entries after a Security Policy reinstallation
limit <x>             Maximum number of entries allowed in the table
nexpires              Entries do not expire, but are removed only when explicitly deleted; nexpires is the default
refresh               Resets the expiry timer when an entry in the table is accessed
sync                  Synchronizes this table between cluster members when state synchronization is used


TABLE STRUCTURE

Many tables store entries representing connections. The key of such an entry has two parts:

1. The first five fields (src_ip, sport, dst_ip, dport, IP protocol) follow a common standard. An example of these five fields is shown below, followed by the meaning of each field: <c7cb4764, 0000008a, c7cb47ff, 00000050, 00000006 ... >

Field  Example Value  Explanation
1      c7cb4764       Source IP address (src_ip)
2      0000008a       Source port (sport)
3      c7cb47ff       Destination IP address (dst_ip)
4      00000050       Destination port (dport)
5      00000006       IP protoc  ol number, as assigned by IANA (RFC 1700). The values are hexadecimal: UDP is 11 (decimal 17), TCP is 06 and ICMP is 01.

In most cases, connections in other tables contain the same five key fields, but store different value fields. These five fields are known as the key part of the table entry.

2. A connection entry also has a sixth key field, the direction, which can be either inbound or outbound. The direction is set by the first packet of the connection, even though the connection may be bidirectional in reality. In the connections table the direction is stored as the first field, before src_ip, as the example in the next section shows:

0 — inbound

1 — outbound


CONNECTIONS-TABLE EXAMPLE

fw tab -t connections

The command output looks like this:

dynamic, id 8158, attributes: keep, sync, expires 60, refresh, limit 25000, hashsize 65536, kbuf 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30, free function 71f88108 0

dynamic: entries can be added, modified or deleted. The other possible value of this field is static, which means the opposite: static tables are initialized with values when a Policy is installed, and keep those values for the duration of the Policy.

id <n>: the identification number of the table; every table has a unique id.

A typical connection entry looks like the following:

<00000001, d4968d33, 000003fc, d496c1dc, 00000801, 00000011; 00020001, 00020001, 06000000, 00000028, 00000000, 3bb7aea0, 00000001, d4968d33, 000007b6, ffffffff, ffffffff, 00000001, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000; 27/40>


The fields up to the semicolon are the key of the entry:

Field  Example Value  Explanation
1      00000001       Connection direction (outbound)
2      d4968d33       Source IP
3      000003fc       Source port
4      d496c1dc       Destination IP
5      00000801       Destination port
6      00000011       IP protocol (11 hex = 17, UDP)


The fields following the semicolon are the values of the entry:

Field   Example Value  Explanation
7       00020001       type/r_ctype
8       00020001       flags/r_cflags
9       06000000       Rule number by which the connection was accepted
10      00000028       Default time-out for the connection (seconds)
11      00000000       Address of the handler function called for packets belonging to this connection
12      3bb7aea0       Part of the connection's unique id
13      00000001       Part of the connection's unique id
14      d4968d33       Part of the connection's unique id
15      000007b6       Part of the connection's unique id
16      ffffffff       Client inbound interface ID (see fw ctl iflist) for the connection; ffffffff means none
17      ffffffff       Client outbound interface ID for the connection
18      00000001       Server inbound interface ID for the connection
19      00000001       Server outbound interface ID for the connection
20-end  00000000 ...   Kernel-buffer IDs
Last    27/40          Time left / total time (seconds)
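The following Python script is an added example, not part of the Check Point course material, that decodes raw connections-table entries into the fields listed above. The sample entry is the one shown on this page with its OCR errors corrected; the symbolic-link line is constructed to match the link format described in the next section, and the ConnEntry field names are the author's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Field layout as documented in the tables above:
#   key    = <direction, src_ip, sport, dst_ip, dport, ip_proto>
#   values = type, flags, rule, timeout, handler, uid1..uid4,
#            ifncin, ifncout, ifnsin, ifnsout, kernel-buffer ids...
#   tail   = time_left/total_time
# A symbolic link carries only the key, followed by "(symval)".

DIRECTION = {0: "inbound", 1: "outbound"}
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
NO_IFACE = 0xFFFFFFFF  # ffffffff in the interface fields means "none"


@dataclass
class ConnEntry:
    direction: str
    src_ip: str
    sport: int
    dst_ip: str
    dport: int
    proto: str
    is_link: bool
    symval: Optional[int] = None            # link target, links only
    rule_raw: Optional[int] = None          # field 9, kept raw (encoding not documented here)
    timeout: Optional[int] = None           # field 10, seconds
    client_in_iface: Optional[int] = None   # field 16, None when ffffffff
    server_in_iface: Optional[int] = None   # field 18, None when ffffffff
    time_left: Optional[int] = None
    time_total: Optional[int] = None


def _hex_words(text: str) -> List[int]:
    return [int(w, 16) for w in text.split(",") if w.strip()]


def parse_entry(line: str) -> ConnEntry:
    """Decode one raw `fw tab -t connections` entry (real entry or symbolic link)."""
    line = line.strip()
    symval = None
    if line.endswith(")"):                       # symbolic link: <key> (symval)
        line, _, tail = line.rpartition("(")
        symval = int(tail.rstrip(")"), 16)
        line = line.strip()
    if not (line.startswith("<") and line.endswith(">")):
        raise ValueError("not a table entry: %r" % line)
    sections = line[1:-1].split(";")
    key = _hex_words(sections[0])
    if len(key) != 6:
        raise ValueError("expected a 6-word key, got %d words" % len(key))
    entry = ConnEntry(
        direction=DIRECTION.get(key[0], "unknown(%d)" % key[0]),
        src_ip=str(ipaddress.IPv4Address(key[1])),
        sport=key[2],
        dst_ip=str(ipaddress.IPv4Address(key[3])),
        dport=key[4],
        proto=PROTO_NAMES.get(key[5], str(key[5])),
        is_link=symval is not None,
        symval=symval,
    )
    if len(sections) > 1 and sections[1].strip():
        vals = _hex_words(sections[1])           # vals[0] is field 7, vals[1] field 8, ...
        entry.rule_raw = vals[2]
        entry.timeout = vals[3]
        entry.client_in_iface = None if vals[9] == NO_IFACE else vals[9]
        entry.server_in_iface = None if vals[11] == NO_IFACE else vals[11]
    if len(sections) > 2 and "/" in sections[2]:
        left, total = sections[2].strip().split("/")
        entry.time_left, entry.time_total = int(left), int(total)
    return entry


def parse_table(text: str) -> List[ConnEntry]:
    """Parse the entries of a `fw tab -t connections` dump, skipping the attribute line."""
    return [parse_entry(l) for l in text.splitlines() if l.strip().startswith("<")]


# The entry from this page (OCR corrected) and a constructed reverse-direction link to it.
SAMPLE_TABLE = """\
dynamic, id 8158, attributes: keep, sync, expires 60, refresh, limit 25000, hashsize 65536
<00000001, d4968d33, 000003fc, d496c1dc, 00000801, 00000011; 00020001, 00020001, 06000000, 00000028, 00000000, 3bb7aea0, 00000001, d4968d33, 000007b6, ffffffff, ffffffff, 00000001, 00000001, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000; 27/40>
<00000000, d496c1dc, 00000801, d4968d33, 000003fc, 00000011> (00000006)
"""

if __name__ == "__main__":
    for e in parse_table(SAMPLE_TABLE):
        kind = "link -> symval %d" % e.symval if e.is_link else "entry, %s/%s s left" % (e.time_left, e.time_total)
        print("%-8s %s:%d -> %s:%d %s  (%s)" % (e.direction, e.src_ip, e.sport, e.dst_ip, e.dport, e.proto, kind))
```

Feed the script the saved output of fw tab -t connections -u to get every entry decoded; entries whose time_left keeps decreasing without refresh are the ones about to expire, and links are recognised by their symval rather than by their position in the dump.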


SYMBOLIC LINK

A symbolic link is a table entry that does not hold its own values, but points to another (real) entry in the same table. The link has a key and a reference, the symval, to the real entry. A link in the connections table looks like the following; the key is in angle brackets and the symval in parentheses:

<direction, src-ip, sport, dst-ip, dport, ip_protocol> (symval)

A link therefore has the same type of key as a regular entry. For a single connection the connections table typically holds four entries:

<0, client-ip, client-port, server-ip, server-port, ip_protocol>

<1, client-ip, client-port, server-ip, server-port, ip_protocol>

<0, server-ip, server-port, client-ip, client-port, ip_protocol>

<1, server-ip, server-port, client-ip, client-port, ip_protocol>

The first entry is the real entry; the other three are links to it, so that packets of the same connection are matched to one entry whichever direction and interface side they are seen on.

FW TAB -U -S

To view a summary list of all tables, with the number of entries in each, use the -u and -s switches together (-u removes the limit on the number of entries displayed):

fw tab -u -s


Here is a partial list of fw tables:

HOST       NAME                       ID  #VALS  #PEAK  #SLINKS
localhost  firewalled_list            1   2      2      0
localhost  external_firewalled_list   2   0      0      0
localhost  management_list            3   1      1      0
localhost  external_management_list   4   0      0      0
localhost  log_server_list            5   0      0      0

#VALS indicates how many entries are in the table, and #PEAK the highest number of entries seen. The #SLINKS field contains the number of symbolic links in each table. Symbolic links are not counted as entries of the connections table, so a size limit of 25,000 for the connections table means that the table can hold 25,000 "real" connections, plus up to eight symbolic links per connection.

FW TAB -T <TABLE_NAME> -F

To view table content in decimal format, use the -f switch:

fw tab -t <table_name> -f

The following is sample output of the fw tab -t connections -f command:

Using cptfmt
localhost:
Date: Nov 22, 2005
13:57:45 172.22.102.1 > : (+); Table_Name: connections; : (+); Attributes: dynamic, id 8158, attributes: keep, sync, expires 25, refresh, limit 25000, hashsize 32768, kbuf 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30, free function 98a35c40 0, post sync handler 98a37510; product: VPN-1 & FireWall-1;
13:57:45 172.22.102.1 > : (+); Direction: 0; Source: 10.2.2.102; SPort: 257; Dest: 10.2.2.1; DPort: 50693; Protocol: tcp; CPTFMT_sep_1: ->; Direction_1: 1; Source_1: 10.2.2.1; SPort_1: 50693; Dest_1: 10.2.2.102; DPort_1: 257; Protocol_1: tcp; FW_symval: 6; product: VPN-1 & FireWall-1;


13:57:45 172.22.102.1 > : (+); Direction: 1; Source: 10.2.2.1; SPort: 50693; Dest: 10.2.2.102; DPort: 257; Protocol: tcp; CPTFMT_sep: ;; Type: 176129; Rule: 134217728; Timeout: 67; 0; Ifncin: -1; Ifncout: -1; Ifnsin: 1; Ifnsout: 1; Bits: ...; Expires: 5/20; product: VPN-1 & FireWall-1;
13:57:45 172.22.102.1 > : (+); Direction: 1; Source: 10.2.2.1; SPort: 22; Dest: 10.2.2.102; DPort: 3010; Protocol: tcp; CPTFMT_sep_1: ->; Direction_1: 0; Source_1: 10.2.2.102; SPort_1: 3010; Dest_1: 10.2.2.1; DPort_1: 22; Protocol_1: tcp; FW_symval: 5; product: VPN-1 & FireWall-1;
13:57:45 172.22.102.1 > : (+); Direction: 0; Source: 10.2.2.102; SPort: 3010; Dest: 10.2.2.1; DPort: 22; Protocol: tcp; CPTFMT_sep: ;; Type: 114689; Rule: 1; Timeout: 401; 0; Ifncin: 1; Ifncout: 1; Ifnsin: -1; Ifnsout: -1; Bits: 0200000000000000; Expires: 3600/3600; product: VPN-1 & FireWall-1;

Records that carry FW_symval are symbolic links: the key after CPTFMT_sep_1 is the entry they point to. Records that carry CPTFMT_sep are real entries, and the fields after it (Type, Rule, Timeout, interface IDs, Expires) are the entry's values.

FW TAB -T <TABLE_NAME> -S

To view only the number of entries in a specific table, use the -s switch:

fw tab -t <table_name> -s

For example, fw tab -t connections -s prints one summary line (HOST NAME ID #VALS #PEAK #SLINKS) for the connections table, id 8158.

The number of entries (#VALS) is an indicator of how heavily the Gateway is loaded, and a single table's size shows whether a certain type of traffic is under heavy load. The connections table's size limit is 25,000 entries by default. If the table is near 25,000 entries most of the time, its limit should be increased (Maximum concurrent connections in the gateway object's Capacity Optimization screen); the #PEAK column shows whether the limit has already been reached.
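As an added example that is not part of the course material, the following Python code reads a table's attribute line and the fw tab -u -s summary, and flags tables whose peak usage approaches their limit. The summary lines are constructed in the format shown above; the connections row is invented to show a table close to its limit, and the function names are the author's own.

```python
import re
from typing import Dict, List, Tuple

# Constructed samples in the formats shown above (not captured from a live Gateway);
# the connections row is invented to show a table close to its limit.
ATTR_LINE = ("dynamic, id 8158, attributes: keep, sync, expires 60, refresh, "
             "limit 25000, hashsize 65536, kbuf 14 15 16, free function 71f88108 0")

SUMMARY = """\
HOST       NAME                      ID    #VALS  #PEAK  #SLINKS
localhost  firewalled_list           1     2      2      0
localhost  external_firewalled_list  2     0      0      0
localhost  management_list           3     1      1      0
localhost  connections               8158  21650  24870  64950
"""


def parse_attributes(line: str) -> Dict[str, object]:
    """Turn a table's attribute line into a dict (flags -> True, 'limit 25000' -> 25000, ...)."""
    attrs: Dict[str, object] = {}
    head, _, rest = line.partition("attributes:")
    kind, _, ident = head.partition(",")
    attrs["kind"] = kind.strip()                       # dynamic or static
    m = re.search(r"\bid\s+(\d+)", ident)
    if m:
        attrs["id"] = int(m.group(1))
    for item in rest.split(","):
        tok = item.split()
        if not tok:
            continue
        if tok[0] in ("expires", "limit", "hashsize") and len(tok) > 1:
            attrs[tok[0]] = int(tok[1])
        elif tok[0] == "kbuf":
            attrs["kbuf"] = [int(x) for x in tok[1:]]
        elif tok[0] == "free" and len(tok) > 2:
            attrs["free_function"] = tok[2]
        else:
            attrs[tok[0]] = True                       # keep, sync, refresh, nexpires ...
    return attrs


def parse_summary(text: str) -> Dict[str, dict]:
    """Parse `fw tab -u -s` output into {table_name: {host, id, vals, peak, slinks}}."""
    rows = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) != 6 or not f[2].isdigit():
            continue                                   # header or blank line
        host, name, tid, vals, peak, slinks = f
        rows[name] = {"host": host, "id": int(tid), "vals": int(vals),
                      "peak": int(peak), "slinks": int(slinks)}
    return rows


def capacity_report(summary: Dict[str, dict], limits: Dict[str, int],
                    warn_ratio: float = 0.8) -> List[Tuple[str, int, int, float]]:
    """Return (table, peak, limit, peak/limit) for tables whose #PEAK reached warn_ratio of
    their limit. Symbolic links (#SLINKS) are not counted against the limit."""
    report = []
    for name, row in summary.items():
        limit = limits.get(name)
        if not limit:
            continue
        ratio = row["peak"] / limit
        if ratio >= warn_ratio:
            report.append((name, row["peak"], limit, round(ratio, 3)))
    return report


if __name__ == "__main__":
    attrs = parse_attributes(ATTR_LINE)
    summary = parse_summary(SUMMARY)
    for name, peak, limit, ratio in capacity_report(summary, {"connections": attrs["limit"]}):
        print("%s: peak %d of limit %d (%.1f%%), raise the limit in Capacity Optimization"
              % (name, peak, limit, ratio * 100))
```

The limit comes from the attribute line of each table (fw tab -t <name>), the peak from the summary; comparing the two over several days tells you whether a higher Maximum concurrent connections value is needed before the Gateway starts refusing connections.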


FW CTL COMMANDS

The fw ctl command provides kernel information about NGX Gateways or SmartCenter Servers. fw ctl options can be listed by typing fw ctl -h at the command line. Among the following options, fw ctl debug, fw ctl kdebug and fw ctl chain are addressed in greater detail in the following chapters.

USE

Commands: install, uninstall, pstat, iflist, arp, debug, kdebug, chain, conn

fw ctl install

The fw ctl install command binds the interfaces to the kernel. The command does not display any messages; it just returns the prompt, which means the interfaces were bound to the kernel successfully.

fw ctl uninstall

The fw ctl uninstall command unbinds the interfaces from the kernel.

fw ctl iflist

The fw ctl iflist command displays the interfaces bound to the kernel. fw ctl iflist is useful after fw ctl install or fw ctl uninstall has been run. After fw ctl install, fw ctl iflist should display all active interfaces, and their configuration (IP address, subnet mask, and anti-spoofing group) should be obtainable in the gateway object's Topology screen. The following is an example of fw ctl iflist output:

0 : eth1

1 : eth2


If fw ctl iflist is run after fw ctl uninstall, the output should be empty.

fw ctl arp

The fw ctl arp command displays the proxy ARP entries the Gateway answers for, that is, the addresses it publishes on behalf of NAT.

fw ctl pstat


Following is an example of fw ctl pstat output explained in parts. The first section is the total kernel memory allocated for the NGX kernel.

KERNEL MEMORY

Hash kernel memory (hmem) statistics:

Total memory allocated: 6291456 bytes in 1535 4KB blocks using 1 pool

Total memory bytes used: 161356 unused: 6130100 (97.44%) peak: 191656

Total memory blocks used: 68 unused: 1467 (95%) peak: 76

Allocations: 24693 alloc, 0 failed alloc, 22079 free

A pool of 6,291,456 bytes (6 MB) is allocated by the Gateway kernel for its internal hash-table items and other kernel-data structures. 6 MB is the default kernel memory. The kernel memory can be adjusted in the gateway object's Capacity Optimization screen:

[Screenshot: the Capacity Optimization screen of the gateway object. It contains Maximum concurrent connections; Calculate connections hash table size and memory pool: Automatically / Manually; Connections hash table size; Memory pool size (MByte); Maximum memory pool size (MByte); and, under VPN Capacity Optimization, Maximum concurrent IKE negotiations and Maximum concurrent tunnels. A Reset to Defaults button restores the default values.]

Capacity Optimization Screen

fiv ctl Commands

I N S P E C T

INSPECT:

33250 packets, 8233028 operations, 189240 lookups, 0 record,

2290321 extract

This information relates to the activity of the virtual machine. The figures relate to virtual-machine operations, lookups and records in tables, and the number of packets inspected.

COOKIES

Cookies:

3647246 total, 0 alloc, 0 free,

3320 dup, 3742299 get, 3862 put,

3655403 len, 6 cached len, 0 chain alloc,

0 chain free

VPN-1 NGX uses cookies to represent packets. These statistics relate to the code that handles those cookies and are used only for heuristic tuning of that code.

CONNECTIONS

Connections:

2965 total, 1278 TCP, 1683 UDP, 4 ICMP,

0 other, 256 anticipated, 52 recovered, 3 concurrent,

41 peak concurrent, 3658055 lookups

The Connections section of the fw ctl pstat command displays information on current and historical connections traversing the Security Gateway.


FRAGMENTS

Fragments:

6 fragments, 3 packets, 0 expired, 0 short,

0 large, 0 duplicates, 0 failures

The Fragments section counts the IP fragments the Gateway has seen and reassembled, and the failures of that reassembly; the NAT section that follows counts forward and backward translations.

OUTPUT EXAMPLES

The following is the complete output of fw ctl pstat on a lightly loaded Gateway:

Hash kernel memory (hmem) statistics:
Total memory allocated: 6291456 bytes in 1535 4KB blocks using 1 pool
Total memory bytes used: 161356 unused: 6130100 (97.44%) peak: 191656
Total memory blocks used: 68 unused: 1467 (95%) peak: 76
Allocations: 24693 alloc, 0 failed alloc, 22079 free

System kernel memory (smem) statistics:
Total memory bytes used: 10532520 peak: 11160692
Allocations: 104334 alloc, 0 failed alloc, 104066 free, 0 failed free

Kernel memory (kmem) statistics:
Total memory bytes used: 4394740 peak: 5052316
Allocations: 26315 alloc, 0 failed alloc, 23437 free, 0 failed free

Kernel stacks:
131072 bytes total, 8192 bytes stack size, 16 stacks,
1 peak used, 3956 max stack bytes used, 3956 min stack bytes used,
0 failed stack calls

INSPECT:
33250 packets, 8233028 operations, 189240 lookups,
0 record, 2290321 extract

Cookies:
3647246 total, 0 alloc, 0 free,
3320 dup, 3742299 get, 3862 put,
3655403 len, 6 cached len, 0 chain alloc,
0 chain free

Connections:
2965 total, 1278 TCP, 1683 UDP, 4 ICMP,
0 other, 256 anticipated, 52 recovered, 3 concurrent,
41 peak concurrent, 3658055 lookups

Fragments:
6 fragments, 3 packets, 0 expired, 0 short,
0 large, 0 duplicates, 0 failures

NAT:
167/0 forw, 145/0 bckw, 312 tot,
0 icmp, 14-14 alloc

Sync:

It is useful to run fw ctl pstat several times and compare the numbers over time. The following hmem and kmem sections are an example of a Gateway whose hash kernel memory is using a high portion of its pool:

Hash kernel memory (hmem) statistics:
Total memory allocated: 3145728 bytes in 767 4KB blocks using 1 pool
Total memory bytes used: 3141632 unused: 4096 (1%) peak: 3141632
Total memory blocks used: 740 unused: 27 (4%)
Allocations: 4301 alloc, 129 failed alloc, 2219 free

Kernel memory (kmem) statistics:
Total memory bytes used: 3768249 peak: 3936541
Allocations: 1840 alloc, 0 failed alloc, 1533 free, 0 failed free

The hash kernel memory for this Gateway is heavily used (only 4096 bytes of the 3 MB pool are free), and there are 129 failed allocations, which is a further sign that the pool is too small for the volume of traffic. This is neither an error nor a defect in VPN-1 NGX; it means the kernel memory pool should be increased in the gateway object's Capacity Optimization screen.
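The following Python script is an added example, not part of the course, that applies the judgement described above to fw ctl pstat output: it parses the hmem and Connections sections and reports whether the hash-memory pool needs to be enlarged. The two sample outputs are constructed from the figures shown on these pages; the function names and the 90% warning threshold are the author's choices.

```python
import re
from typing import Dict

# Constructed samples modelled on the two fw ctl pstat outputs shown above.
PSTAT_HEALTHY = """\
Hash kernel memory (hmem) statistics:
Total memory allocated: 6291456 bytes in 1535 4KB blocks using 1 pool
Total memory bytes used: 161356 unused: 6130100 (97.44%) peak: 191656
Total memory blocks used: 68 unused: 1467 (95%) peak: 76
Allocations: 24693 alloc, 0 failed alloc, 22079 free

System kernel memory (smem) statistics:
Total memory bytes used: 10532520 peak: 11160692
Allocations: 104334 alloc, 0 failed alloc, 104066 free, 0 failed free

Connections:
2965 total, 1278 TCP, 1683 UDP, 4 ICMP,
0 other, 256 anticipated, 52 recovered, 3 concurrent,
41 peak concurrent, 3658055 lookups
"""

PSTAT_STARVED = """\
Hash kernel memory (hmem) statistics:
Total memory allocated: 3145728 bytes in 767 4KB blocks using 1 pool
Total memory bytes used: 3141632 unused: 4096 (1%) peak: 3141632
Total memory blocks used: 740 unused: 27 (4%)
Allocations: 4301 alloc, 129 failed alloc, 2219 free
"""


def _section(text: str, title: str) -> str:
    """Return the lines of one pstat section (up to the next blank line)."""
    if title not in text:
        raise ValueError("section %r not found" % title)
    return text.split(title, 1)[1].split("\n\n", 1)[0]


def parse_hmem(text: str) -> Dict[str, int]:
    sec = _section(text, "Hash kernel memory (hmem) statistics:")
    grab = lambda pat: int(re.search(pat, sec).group(1))
    return {
        "allocated": grab(r"Total memory allocated:\s+(\d+) bytes"),
        "used": grab(r"bytes used:\s+(\d+)"),
        "peak": grab(r"bytes used:.*?peak:\s+(\d+)"),   # same line, '.' stops at the newline
        "failed_alloc": grab(r"(\d+) failed alloc"),
    }


def parse_connections(text: str) -> Dict[str, int]:
    sec = _section(text, "Connections:")
    grab = lambda pat: int(re.search(pat, sec).group(1))
    return {
        "total": grab(r"(\d+) total"),
        "tcp": grab(r"(\d+) TCP"),
        "udp": grab(r"(\d+) UDP"),
        "concurrent": grab(r"(\d+) concurrent,"),       # "peak concurrent" does not match this
        "peak_concurrent": grab(r"(\d+) peak concurrent"),
    }


def assess_hmem(stats: Dict[str, int], warn_ratio: float = 0.9) -> Dict[str, object]:
    """Judge whether the hash-memory pool is sized for the traffic: failed allocations, or a
    peak close to the pool size, mean the pool should be enlarged in Capacity Optimization."""
    peak_ratio = stats["peak"] / stats["allocated"]
    too_small = stats["failed_alloc"] > 0 or peak_ratio >= warn_ratio
    return {
        "used_ratio": round(stats["used"] / stats["allocated"], 4),
        "peak_ratio": round(peak_ratio, 4),
        "failed_alloc": stats["failed_alloc"],
        "verdict": "pool too small" if too_small else "ok",
    }


if __name__ == "__main__":
    for label, dump in (("healthy", PSTAT_HEALTHY), ("starved", PSTAT_STARVED)):
        print(label, assess_hmem(parse_hmem(dump)))
    print("peak concurrent connections:", parse_connections(PSTAT_HEALTHY)["peak_concurrent"])
```

Run it over fw ctl pstat snapshots taken a few minutes apart: a rising peak_ratio with a non-zero failed_alloc count is the pattern described above, and the peak concurrent connections figure tells you whether the connections-table limit is the next bottleneck.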


fw ctl conn

There are entities inside and outside the Gateway that monitor or manipulate network traffic. The NGX infrastructure lets them store their own information (called opaque data) in the connections table, and notifies them of connection-related events, such as a connection starting or ending. These entities are called Connection Modules.

Every Connection Module is registered with a unique ID. Run fw ctl conn on the Gateway to see the Connection Modules currently registered. The Connection Module IDs are important for verifying that the members of a cluster have the same products installed in the same order: if the cluster members' Connection Module IDs differ in the fw ctl conn table, the cluster may fail over for what appear to be unknown reasons.

Connectivity level 0:

No.  Name              Used  Newconn / Packet / End
0:   Accounting        yes   0: Accounting        00000000
1:   Authentication    yes   1: Authentication    98a45e70
2:   CPAS              yes   2: CPAS              00000000
3:   FG-1              yes   3: FG-1              00000000
4:   ISP-Redundancy    no    4: ISP-Redundancy    00000000
5:   NAT               yes   5: NAT               00000000
6:   RTM               no    6: RTM               00000000
7:   RTM2              no    7: RTM2              00000000
8:   SPII              yes   8: SPII              98a4f220
9:   SeqVerifier       yes   9: SeqVerifier       989a4fc0
10:  SynDefender       no    10: SynDefender      00000000
11:  Tcpstreaming      yes   11: Tcpstreaming     98995710
12:  VPN               yes   12: VPN              9959ffb0
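The following script is an added example, not part of the course, showing how to compare the fw ctl conn output of two cluster members the way the paragraph above recommends. Both outputs are constructed for the example (member B is built without FG-1, so every later module registers with a different ID than on member A); the function names are the author's own.

```python
import re
from typing import Dict, Tuple

# Constructed fw ctl conn outputs for two cluster members, in the format shown above.
MEMBER_A = """\
Connectivity level 0:
No. Name Used Newconn Packet End
0: Accounting yes 0: Accounting 00000000
1: Authentication yes 1: Authentication 98a45e70
2: CPAS yes 2: CPAS 00000000
3: FG-1 yes 3: FG-1 00000000
4: ISP-Redundancy no 4: ISP-Redundancy 00000000
5: NAT yes 5: NAT 00000000
6: VPN yes 6: VPN 9959ffb0
"""

MEMBER_B = """\
Connectivity level 0:
No. Name Used Newconn Packet End
0: Accounting yes 0: Accounting 00000000
1: Authentication yes 1: Authentication 98a45e70
2: CPAS yes 2: CPAS 00000000
3: ISP-Redundancy no 3: ISP-Redundancy 00000000
4: NAT yes 4: NAT 00000000
5: VPN yes 5: VPN 9959ffb0
"""

ROW = re.compile(r"^\s*(\d+):?\s+(\S+)\s+(yes|no)\b")


def parse_conn_modules(text: str) -> Dict[int, Tuple[str, bool]]:
    """Map Connection Module ID -> (name, used) from fw ctl conn output."""
    modules = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            modules[int(m.group(1))] = (m.group(2), m.group(3) == "yes")
    return modules


def compare_members(a: Dict[int, Tuple[str, bool]],
                    b: Dict[int, Tuple[str, bool]]) -> Dict[str, object]:
    """Report IDs bound to different modules on the two members, and modules registered
    on only one of them; a consistent cluster has neither."""
    names_a = {name for name, _ in a.values()}
    names_b = {name for name, _ in b.values()}
    id_mismatch = [(i, a[i][0], b[i][0]) for i in sorted(set(a) & set(b)) if a[i][0] != b[i][0]]
    return {
        "id_mismatch": id_mismatch,
        "only_in_a": sorted(names_a - names_b),
        "only_in_b": sorted(names_b - names_a),
        "consistent": not id_mismatch and names_a == names_b,
    }


if __name__ == "__main__":
    result = compare_members(parse_conn_modules(MEMBER_A), parse_conn_modules(MEMBER_B))
    for i, na, nb in result["id_mismatch"]:
        print("ID %d: %s on member A, %s on member B" % (i, na, nb))
    print("only on A:", result["only_in_a"], " only on B:", result["only_in_b"])
    print("cluster members consistent:", result["consistent"])
```

Save fw ctl conn from each member and run the comparison before joining a rebuilt member to the cluster; a non-empty id_mismatch list is the mis-ordered-products condition that shows up later as unexplained failovers.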


OTHER FW COMMANDS

fw sam

The Suspicious Activity Monitoring (SAM) functions of VPN-1 NGX are usually initiated from SmartView Tracker. The fw sam command provides an alternate, command-line way of using them.

USE

fw sam [-v] [-s <sam server>] [-S <server sic name>] [-f <fw host>] [-t <timeout>] [-l <log>] [-C] [-e <key=val>]+ -{n|i|I|j|J|b|q} <criteria>

fw sam [-v] [-s <sam server>] [-S <server sic name>] [-f <fw host>] -M -ijnbq {<criteria> | all}

fw sam [-v] [-s <sam server>] [-S <server sic name>] [-f <fw host>] -D

OPTIONS

Option  Explanation
-C      Cancel.
-M      Monitor.
-D      Delete all.
-v      Verbose.
-s      SAM server to connect to.
-S      Secure Internal Communications (SIC) name of the server.
-f      Name of the target host/group.
-t      Time-out in seconds.
-l      Log option: nolog, long_noalert, or long_alert.
-e      Rule information; keys are name, comment and originator.
-i      Reject.
-I      Reject and close.
-j      Drop.
-J      Drop and close.


-n      Notify.
-b      Bypass.
-q      Quarantine.

C R I T E R I A

src <ip>

dst <ip>

any <ip>

subsrc <ip> <net mask>

subdst <ip> <net mask>

subany <ip> <net mask>

srv <src ip> <dst ip> <service> <protocol>

subsrv <src ip> <net mask> <dst ip> <net mask> <service> <protocol>

subsrvs <src ip> <net mask> <dst ip> <service> <protocol>

subsrvd <src ip> <dst ip> <net mask> <service> <protocol>

dstsrv <dst ip> <service> <protocol>

subdstsrv <dst ip> <net mask> <service> <protocol>

srcpr <ip> <protocol>

dstpr <ip> <protocol>

subsrcpr <ip> <net mask> <protocol>

subdstpr <ip> <net mask> <protocol>

generic <key=val>+


EXAMPLES

The following command rejects packets from 172.29.109.1 for the next 10 minutes:

fw sam -v -t 600 -i src 172.29.109.1

The following message occurs:

sam: request for 'Inhibit src ip 172.29.109.1 on All' acknowledged

sam: fwoslo (0/1) successfully completed 'Inhibit src ip 172.29.109.1 on All' processing

sam: request for 'Inhibit src ip 172.29.109.1 on All' done

The following command queries the SAM server 172.22.102.1 for the reject, drop and notify (-ijn) requests currently in effect for 172.29.109.1. With -M the command monitors existing requests rather than adding one, which is why the reply below reports that no corresponding SAM requests were found:

fw sam -v -s 172.22.102.1 -t 600 -M -ijn src 172.29.109.1

The following message occurs:

sam: request for 'Monitor Inhibit Drop Notify src ip 172.29.109.1 on All' acknowledged

sam: fwoslo (0/1) successfully completed 'Monitor Inhibit Drop Notify src ip 172.29.109.1 on All' processing:

no corresponding SAM requests

sam: request for 'Monitor Inhibit Drop Notify src ip 172.29.109.1 on All' done

To view the IP addresses currently blocked by SAM, list the sam_blocked_ips kernel table in decimal format: fw tab -t sam_blocked_ips -f


fw lichosts

The fw lichosts command displays the hosts protected by the Gateway that are counted against its license.

fw log

Use the fw log command to view the active log file (fw.log).

To show only accept records, without DNS resolution of the addresses (-n), run:

fw log -f fw.log -n -c accept | more

The following logs appear on the command line:

Date: Nov 2, 2005

10:13:45 ctl weboslo >daemon log_sys_message: Log file has been purged; product: VPN-1 & FireWall-1;

10:08:52 accept fwoslo >eth2 rule: 1; rule_uid: {1E341611-4B90-44F1-90F8-27D2C4F08877}; service_id: nbname; src: weboslo; dst: 10.2.2.255; proto: udp; product: VPN-1 & FireWall-1; service: nbname; s_port: nbname;

10:08:54 accept fwoslo >eth2 rule: 1; rule_uid: {1E341611-4B90-44F1-90F8-27D2C4F08877}; service_id: ssh; src: weboslo; dst: fwoslo; proto: tcp; product: VPN-1 & FireWall-1; service: ssh; s_port: 1735;

10:09:32 accept fwoslo >eth2 rule: 1; rule_uid: {1E341611-4B90-44F1-90F8-27D2C4F08877}; service_id: nbdatagram; src: weboslo; dst: 10.2.2.255; proto: udp; product: VPN-1 & FireWall-1; service: nbdatagram; s_port:


10:09:54 accept fwoslo >eth1 rule: 0; service_id: https; src: 172.29.109.1; dst: fwoslo; proto: tcp; message_info: Implied rule; product: VPN-1 & FireWall-1; service: https; s_port: 1563;

fw logswitch

The fw logswitch command closes the active log file (fw.log) and opens a new one. The old log is renamed with a date and time stamp, as in the file names used in the examples below. Use:

fw logswitch [-h target] [+|-][oldlog]

fw repairlog

The fw repairlog command recreates the pointer (index) files of a log file, such as fw.loginitial_ptr. Use:

fw repairlog [-u] <log_file>

The -u flag also rebuilds the log-unification chains.

fw mergefiles

The fw mergefiles command merges several log files into one. Use:

fw mergefiles [-s] [-t <time_conversion_file>] <log_file_1> [<log_file_2> ... <log_file_name_n>] <output_file_name>

EXAMPLE

fw mergefiles fwoslo_2005-11-11_173150.log fwoslo_2005-11-11_173720.log <output_file_name>


fw fetchlogs

fw fetchlogs [[-f filename] ...] host

The fw fetchlogs command fetches one or more log files from a remote host (a Gateway or log server) to the local machine. The active log file (fw.log) cannot be fetched: run fw logswitch on the remote host first, then fetch the switched file.

EXAMPLE

To fetch a log file from a remote Gateway whose object name is fwoslo, run the following on the SmartCenter Server:

fw fetchlogs -f fwoslo_2005-11-11_173150.log fwoslo

File fetching in process. It may take some time...
File fwoslo_2005-11-11_173150.log was fetched.


Q.) You have a remote VPN-1 Pro Gateway running on SecurePlatform in another city. How do you view its logs in SmartView Tracker on the SmartCenter Server?

A.) Run the following on the SmartCenter Server:

fw logswitch -h <SecurePlatform_host>

fw fetchlogs <SecurePlatform_host>

Then open SmartView Tracker and select File > Open from the menu to open the fetched log file.


FW ADVANCED COMMANDS

Advanced fw commands are listed by typing fw advanced at the command prompt. The following table lists those commands and a brief explanation of each:

fw advanced Command  Explanation
fw fwd | fwm         Start the fwd daemon | fwm daemon.
fw debug             Turn debug output on | off.
fw fetchlocal        Install Policy files into the kernel.
fw unloadlocal       Uninstall the Policy from the localhost.
fw dbloadlocal       Install the local database.
fw defaultgen        Generate the default filter.
fw license_sanity    Create an initial Policy if there is no license.
fw ufpfetch          Fetch the UFP server dictionary.
fw syslog            syslog support for routers.
fw getifs            Get interfaces from a remote Gateway.
fw stat              Display Policy status.
fw hastat            Display High Availability status.
fw fgstat            Display FloodGate-1 (QoS) status.
fw fcu               Full connectivity upgrade for clusters.
fw fullsync          Synchronous full sync for clusters.
fw authd_set         Configure fwauthd.conf automatically.
fw isp_link          Take down/bring up an ISP link.

fw fwd

Starts the VPN-1 daemon. Do not run this command directly; the fwd daemon is started automatically by cpstart.

fw fwm

fwm is used for adding, updating and deleting Administrators; Check Point recommends using the cpconfig tool instead. fwm must be running on the SmartCenter Server. If an Administrator is already defined by cpconfig, creating another one with the fwm command is not allowed.

USE

fwm [-a name [-w{w|u|r|m}] [-s password] [-q] | -r name | -p]

Option       Explanation
-a name      Add or update the Administrator with username name.
-w           Set the access level: w - Read/Write, u - User Edit, r - Read Only, m - Monitor Only.
-s password  Set the Administrator's password.
-q           When adding an Administrator, do not prompt for the password (useful for batch updates).
-r name      Delete the Administrator.
-p           Print the list of Administrators.


EXAMPLES

To add an Administrator named fwadmin, type:

fwm -a fwadmin -s -

You will be prompted for the password. To change fwadmin's access level to Read Only, type:

fwm -a fwadmin -wr

To delete fwadmin, type:

fwm -r fwadmin

To add an Administrator named Howard with the password abc123 and Read/Write access, type:

fwm -a Howard -s abc123 -ww

Passing the password on the command line as in the last example leaves it in the shell history; prefer the prompt (-s -) outside batch scripts.

fw fetchlocal

fw fetchlocal loads a Policy that has already been compiled by fwc (the INSPECT compiler) into the kernel, from the compiled INSPECT-ML filter code in the given directory. It is the step by which fw fetch localhost and cpstart load the locally stored Policy.

USE

fw fetchlocal -d <dir>


OPTION

Option Explanation

dir Location of compiled INSPECT files to be loaded to the kernel; directory option is mandatory.

EXAMPLE

fw fetchlocal -d $FWDIR/tmp/local/FW1

fw fetchlocal loads the compiled INSPECT-ML in the kernel.

fw unloadlocal

The fw unloadlocal command removes the currently installed Policy from a Gateway. While the Policy is unloaded the Gateway accepts any traffic that routing permits, so the command is useful in troubleshooting but must be used with care, and the Policy should be reloaded afterwards with fw fetch localhost.

fw dbloadlocal

fw dbloadlocal loads the database on the local machine, by moving the database files from the tmp directory to the state directory. This command is run automatically by a number of other commands (fw dbload, for example) after the files have been moved from the SmartCenter Server to the Gateway.

USE

fw dbloadlocal -d <dir>

OPTION

Option  Explanation
-d      Source directory of the files; normally the tmp/local directory under $FWDIR


fw defaultgen

The fw defaultgen command generates the default filter, the minimal Policy that the Gateway loads at boot time before it fetches its Security Policy.


fw getifs

The fw getifs command is used for fetching interfaces from a remote Gateway.

USE

fw getifs <module_name>

OPTION

Option Explanation

<module name> Security Gateway object name

EXAMPLE

fw getifs fwoslo

This example produces the following output:

fwoslo eth0 212.150.140.81 255.255.255.0

• fwoslo is the gateway-object name.

• eth0 is the interface name.

• 212.150.140.81 is the IP address.

• 255.255.255.0 is the subnet mask.

fw stat

fw stat displays the status of target hosts in various formats. The default format displays the following information for each host: host name, Rule Base (or Gateway) filename, date and time loaded, the interface installed on, and direction loaded.

USE

fw stat [-long] [-short] [-inactive] [targets]

fw stat [-all | -conf conffile] [-long | -short] [-inactive] targets


OPTIONS

Option          Explanation
-all            Command executed on all targets in the default system configuration file
-conf conffile  Command executed on the targets specified in conffile
-long           Displays, per interface, the number of packets inspected, rejected, dropped, accepted and logged
-short          Displays the interface, Rule Base (Policy) name and date in short form
-inactive       Includes inactive interfaces in the output
targets         Command executed on the designated targets; if targets is not specified, the command runs on the local host

EXAMPLES

To display the Policy installed on a Gateway locally, use fw stat as follows:

[Expert@SecurePlatform]# fw stat
localhost Standard 10Nov2005 14:43:50 : [>eth1] [>eth2] [<eth2]

To display the Policy installed on a remote Gateway from the SmartCenter Server, in long format, use fw stat as follows:

fw stat -l fwoslo

HOST    IF     POLICY    DATE                TOTAL  REJECT  DROP  ACCEPT  LOG
fwoslo  >eth1  Standard  11Nov2005 14:45:50  1      0       0     1
fwoslo  >eth2  Standard  11Nov2005 14:45:50  67     0       1     66
fwoslo  <eth2  Standard  11Nov2005 14:45:50  74     0       8     66


Q.) You cannot log in to SmartDashboard ... When you try to log in to SmartDashboard to verify any ... What command do you run to ...?


FWM COMMANDS

fwm Command                                        Explanation
fwm ver [-f] ...                                   Display version.
fwm load [opts] [filter-file | rule-base] targets  Install a Policy on the targets.
fwm unload [opts] targets                          Uninstall the Policy from the targets.
fwm dbload [targets]                               Download the database.
fwm logexport [-h] ...                             Export a log to an ASCII file.
fwm ... [-import] ...                              Router access list.
fwm dbexport [-h] ...                              Export the database.
fwm ikecrypt <key> <password>                      Encrypt a secret with a key.
fwm dbimport [-h] ...                              Import into the database.
fwm kill [-sig_no] procname                        Kill a firewall process.
fwm lock_admin [-h] ...                            View and unlock locked Administrators.


fwm load

USE

fwm load [-p <product>] [-S] [-O <product_option>] [-vN] [-m] [-r] [-a | -c conf-file] <rule-base name> <targets>

OPTIONS

Option  Explanation
-p      Specify the target's product. Only one product can be specified. Possible products: firewall, sofaware gw, interspect, cvpn
-O      Specify a product-specific option.
-S      Targets are VPN-1 Edge devices.
-vN     Retrieve the Security Policy from the version repository; N is the Version ID.
-m      All Or None (works only for modules with the same version).
-r      Do not perform All Or None for clusters (the default is to perform it).
-a      Execute the command on all targets specified in the $FWDIR/conf/sys.conf file.
-c      Execute the command on all targets specified in the conf file.

EXAMPLE

From an enterprise SmartCenter Server, run the following command to install a Policy named "Standard" on remote-gateway object fwoslo:

fwm load Standard fwoslo


The following is the output:

... for 'filter ... Policy On: ... in less than a ... on CPMAD ... on NGX R60
Standard.W: Security Policy into Standard.pf
Compiled OK.
Installing VPN-1/FireWall-1 ...
VPN-1/FireWall-1 policy installed ...
VPN-1/FireWall-1 policy ...
VPN-1/FireWall-1 policy ... on fwoslo.

fwm dbload

... fwm dbload ... locally. For ... fwm ... the ... to a target Gateway or ... on remote Gateway fwoslo, ...


To install the user database locally on the SmartCenter Server, run:

fwm dbload localhost

fwm logexport

The fwm logexport command exports a log file, by default the active log (fw.log), to an ASCII format, so that the file can be opened on other platforms or in tools such as WordPad or Excel. fwm logexport does not switch logs: if you run it against the current active log (fw.log), the fw.log file stays the same and its records are not moved or purged. Details can be found by typing fwm logexport -h on the command line.

USE

fwm logexport [-d delimiter] [-i filename] [-o filename] [-f|-t] [-x start_pos] [-y end_pos] [-z] [-n] [-p] [-a] [-u unification_scheme_file] [-m (initial | semi | raw)]

OPTIONS

Option   Explanation
-d       Set the output delimiter. Default is ;.
-i       Input logfile name. Default is the active log file fw.log.
-o       Output filename. Default is printing to the screen.
-f       Only in case of the active log file; upon reaching end of file, wait for new records and export them.
-t       Same as -f, only start at the end of the file.
-x       Start exporting at the specified position.
-y       End exporting at the specified position.
-z       Continue exporting the next records in case of an error. Default is to stop exporting.


fwm lock_admin

OPTIONS

Option             Explanation
-v                 View names of all locked Administrators.
-u Administrator   Unlock a single Administrator.
-ua                Unlock all locked Administrators.


LAB 7: USING FW CTL PSTAT

Scenario: This lab focuses on generating a file on the Security Gateway containing fw ctl pstat information, and interpreting some of the data.

Objective: Run the fw ctl pstat command.

Topics: The following topics are covered in this lab:

• Running the fw ctl pstat command

• Identifying information in the fw ctl pstat file


RUN FW CTL PSTAT

1. While logged in to the NGX Security Gateway in Expert Mode, run the following:

[Expert@yourcity]# fw ctl pstat > pstat.txt

The fw command is the same for UNIX and Windows servers.

2. Allow the process to run to completion.

IDENTIFY INFORMATION IN FW CTL PSTAT

1. Use the less command to view the pstat.txt file, and identify the following portions of the file:

— Amount of hash-kernel memory, used and available

— Number of packets inspected

— Number of fragments, and how many expired

Based on this output, is the Gateway overloaded or underused?

Continue to next lab.


LAB 8: USING FW STAT, FWM LOAD, AND FW UNLOADLOCAL

Scenario: Policy status for a Gateway is regularly verified in Smart View Tracker. The fw stat command is also useful to verify Policy status. In circumstances where you cannot log in to SmartDashboard, fw unloadlocal can be used to uninstall the Policy.

Objectives:

• Use fw stat to verify a Gateway Policy is installed.

• Use fw unloadlocal to uninstall the Policy.

• Use fwm load to install the Policy from the SmartCenter Server to the Gateway.

Topics:

• Installing the Security Policy and verifying status with fw stat

• Uninstalling the Policy and verifying status with fw stat

• Running fwm load and fw stat to install and verify the Policy


INSTALL SECURITY POLICY AND VERIFY STATUS WITH FW STAT

1. From the SmartDashboard, install the Policy on the gateway object.

2. Log in to the Gateway via the console or SSH screen.

3. Run fw stat. The output looks similar to the following:

HOST POLICY DATE

localhost Standard 10Apr2006 15:56:50 : [>eth1] [<eth1]

UNINSTALL POLICY AND VERIFY STATUS WITH FW STAT

1. Run fw unloadlocal from the command line.

2. Verify the status by running fw stat:

HOST POLICY DATE

localhost - - : >eth1 <eth1

RUN FWM LOAD AND FW STAT TO INSTALL AND VERIFY POLICY

1. Open the command line on the SmartCenter Server, and type the following ...

fwm load Standard fwyourcity

... Where "Standard" is the Policy name, and fwyourcity is the target gateway object.

Verify the Policy is installed successfully, by running fw stat on the Gateway console or SSH session.

If you logged into the Gateway via an SSH session, your session will terminate abruptly, as fwm load does not preserve connections during a Policy install. Log in again and continue with the lab.

End of lab.


REVIEW

• The fw tab command and its subcommands are used to directly access and manipulate the state tables in the NGX kernel's virtual memory, the core of Check Point Stateful Inspection technology.

• The fw ctl command and subcommands are used to view kernel information from SmartCenter Servers or Security Gateways, and can also be used to perform some kernel-level configuration changes and debugging.

• Other fw commands that provide more granular control over VPN-1 NGX include:

— fw sam: used to manipulate the SAM database

— fw lichosts: displays the number of protected hosts behind a Gateway

— fw log: used to view and manipulate active log files

— fw repairlog: rebuilds .ptr files for corrupted log files

— fw mergefiles: merges two switched (not active) log files into one

— fw fetchlogs: used to retrieve log files from a remote Gateway

• fw advanced commands provide command-line methods for more direct access to the NGX daemon, and for working with specific aspects of VPN-1 NGX.

• fwm commands provide an alternate command-line method of performing many SmartCenter Server tasks.

Review Questions

1. Which of the following fw tab commands will fetch connection information in decimal format for all connections?

A.) fw tab -t connections -u

B.) fw tab -t connections

C.) fw tab -t connections -s

D.) fw tab -t connections -f


Review Answers

1. Which of the following fw tab commands will fetch connection information in decimal format for all connections?

D.) fw tab -t connections -f

2. You are troubleshooting a NAT problem with a remote Gateway. Looking in the fw monitor capture, it appears that the IP address is translating correctly, but you do not see packets returning to the external interface. Which of the following fw ctl commands would be useful in these circumstances?

D.) fw ctl arp

3. Which of the following switches used with the fwm logexport command will export the active file into a comma-delimited file, without resolving IP addresses?

D.) fwm logexport -d, -o output -n


CHAPTER 7: SECURITY SERVERS

NGX Security Servers inherit the folding process from previous versions of VPN-1. The HTTP Security Server provides URL screening and content checking (by incorporating CVP and UFP applications). Although more functionality from Security Servers is being incorporated into the kernel with each revision of VPN-1, troubleshooting specific Security Server processes can still indicate causes of issues.

Objectives

1. Identify different stages in the folding process.

2. Troubleshoot Security Server issues.

3. Debug Security Servers.


Key Terms

Folding

fwssd

fwauthd.conf


THE FOLDING PROCESS

Overview

When an NGX kernel matches a connection to a Security Server rule, the kernel folds the connection to the relevant Security Server. Folding is how a Security Server redirects packets. The Security Server opens a connection to the Server to which the client tried to connect. The packet leaving the Security Server has the source IP of the NGX Security Gateway. The outbound kernel translates the source IP to the IP address of the client that originally opened the connection. If the client is configured in the Rule Base for Hide or Static NAT, the source IP is translated as configured in the Rule Base.

If clients use the HTTP Security Server as a proxy, connections leave the Gateway with the Gateway's IP address as the source IP. No Network Address Translation (NAT) occurs.

TRANSPARENT CONNECTIONS

The default behavior of HTTP, FTP, and Telnet Security Server connections has been changed to transparent in VPN-1 NGX. Only the SMTP Security Server is still non-transparent by default. In other words, if no Hide or Static NAT is involved, and if the client does not set the Gateway as the proxy, packets leave the Gateway with the original client's IP address. The only exception is the SMTP Security Server: the packet leaves the Gateway with the Gateway's IP address as the source IP address, instead of the original client's IP address.

To change this behavior, modify the following properties from true to false in $FWDIR/conf/objects_5_0.C:

http_transparent_server_connection

ftp_transparent_server_connection

rlogin_transparent_server_connection

telnet_transparent_server_connection


3. The packet's destination address is changed to the NIC address (so it will be sent to the Security Server).

4. The connection table is updated with two new entries, which allows the following packets of the connection to continue without examination:

<125.32.2.3,1234,180.3.42.3,80,TCP>

<125.32.2.3,1234,125.32.0.1,8832,TCP>

INBOUND AFTER KERNEL

The packet is <125.32.2.3,1234,125.32.0.1,8832,TCP>. The Security Server listening on port 8832 accepts and examines the packet. After the examination is done, the Security Server opens a new connection to the destination Server. The new connection is recorded in the PROXIED_CONNS table, with new connection properties (new port) and an expiration time of 60 seconds, which means the Security Server must initiate the connection within that period.

The Security Server then sends the packet to its original destination using the FWX_AUTH table.

OUTBOUND BEFORE KERNEL

The packet is <125.32.0.1,8832,180.3.42.3,80,TCP>. The Security Server initiates the connection; the source address is the Security Server's, not the original client's. The Server returns the packet, destination port, and address to the Security Server. The Security Server checks the FWX_AUTH table and a flag from the CONN_OXID table to retranslate the client's address and destination port.

OUTBOUND AFTER KERNEL

The packet is <125.32.2.3,1234,180.3.42.3,80,TCP>, which is the original connection.
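The four stages above modelled in code, as an added example that is not Check Point's implementation: plain dicts stand in for the connections, FWX_AUTH and PROXIED_CONNS tables, the addresses and ports are the ones from the text, and the 60-second PROXIED_CONNS expiry is enforced when the Security Server's own connection goes outbound (the real INSPECT tables are keyed and timed differently; this is a simplification).

```python
from dataclasses import dataclass

GATEWAY_IP = "125.32.0.1"            # Gateway NIC address the packet is folded to
HTTP_SECURITY_SERVER_PORT = 8832     # port the HTTP Security Server listens on
PROXIED_CONNS_TIMEOUT = 60           # seconds the Security Server has to open its connection


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "TCP"

    def key(self):
        # Same shape as the table entries in the text: <src,sport,dst,dport,proto>
        return (self.src, self.sport, self.dst, self.dport, self.proto)


class FoldingKernel:
    """Toy model of the kernel tables involved in folding (not the real INSPECT tables)."""

    def __init__(self):
        self.connections = set()   # state table: entries let later packets pass unexamined
        self.redirect = {}         # original flow key -> folded Packet (the reused redirect)
        self.fwx_auth = {}         # folded flow key -> original Packet (used in both directions)
        self.proxied_conns = {}    # Security Server's own flow key -> (expiry, folded flow key)

    def inbound(self, pkt, now):
        """Inbound before kernel -> inbound after kernel."""
        if pkt.key() in self.redirect:
            return self.redirect[pkt.key()]   # follow-up packet: continues without examination
        # Stage 3: destination becomes the Gateway NIC and the Security Server port
        folded = Packet(pkt.src, pkt.sport, GATEWAY_IP, HTTP_SECURITY_SERVER_PORT, pkt.proto)
        # Stage 4: two new connection-table entries, original and folded
        self.connections.update({pkt.key(), folded.key()})
        self.redirect[pkt.key()] = folded
        # FWX_AUTH keeps the original client/destination pair for later retranslation
        self.fwx_auth[folded.key()] = pkt
        return folded

    def security_server_open(self, folded, now):
        """After examining the folded packet, the Security Server opens its own
        connection to the original destination; it is recorded in PROXIED_CONNS."""
        original = self.fwx_auth[folded.key()]
        conn = Packet(GATEWAY_IP, HTTP_SECURITY_SERVER_PORT,
                      original.dst, original.dport, original.proto)
        self.proxied_conns[conn.key()] = (now + PROXIED_CONNS_TIMEOUT, folded.key())
        return conn

    def outbound(self, pkt, now, nat_src=None):
        """Outbound before kernel -> outbound after kernel.

        Transparent mode (the NGX default) restores the original client address;
        nat_src=(ip, port) models a Hide/Static NAT rule from the Rule Base instead."""
        entry = self.proxied_conns.get(pkt.key())
        if entry is None:
            raise LookupError("no PROXIED_CONNS entry: not a Security Server connection")
        expiry, folded_key = entry
        if now > expiry:
            raise TimeoutError("PROXIED_CONNS entry expired: Security Server connected too late")
        original = self.fwx_auth[folded_key]      # FWX_AUTH referenced again on the way out
        src, sport = nat_src if nat_src else (original.src, original.sport)
        return Packet(src, sport, pkt.dst, pkt.dport, pkt.proto)


def walkthrough():
    """The four stages from the text, in order; returns the packet seen at each stage."""
    kernel = FoldingKernel()
    before_in = Packet("125.32.2.3", 1234, "180.3.42.3", 80)    # client -> web server
    after_in = kernel.inbound(before_in, now=0)                   # folded to the Security Server
    before_out = kernel.security_server_open(after_in, now=1)     # Security Server -> web server
    after_out = kernel.outbound(before_out, now=2)                # retranslated to the client
    return [before_in, after_in, before_out, after_out]
```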


Content-Security Rule Order


HTTP 1.0 and 1.1

The following table lists differences between HTTP 1.0 and HTTP 1.1. This information can be useful when troubleshooting HTTP Security Server related issues.

Feature: Connections
  HTTP 1.0: Keep-alive was not used.
  HTTP 1.1: Keep-alive is recommended.

Feature: Multiple requests per connection
  HTTP 1.0: Allowed, but the client cannot send multiple requests at once; it must wait for each response to return before submitting another request.
  HTTP 1.1: Allowed; the client can send multiple requests, even before the first response has returned. The Server has to return the responses in the same order the requests were sent.

Feature: Data end
  HTTP 1.0: Two ways: 1. Use the Content-Length header field. 2. Close the connection when the response is done.
  HTTP 1.1: Content length is obligatory.

Feature: Chunks
  HTTP 1.0: Not available.
  HTTP 1.1: Chunking was introduced to allow the Server to send responses of variable length without closing the connection. (In HTTP 1.0, closing the connection was the only way.)


TROUBLESHOOTING SECURITY SERVER ISSUES

The following steps help troubleshoot performance problems with HTTP Security Servers. The goal is to determine which object is responsible for the performance issue (the HTTP Security Server, the CVP server, the machines themselves, and so on), when, and why.

The following is a scenario where the HTTP Security Server is configured with a CVP server on a loaded network:

[Figure: HTTP Security Server in CVP Environment, showing the Security Gateway and the CVP server]


Reviewing CPU and Memory

There is not an executable file for each Security Server. Instead, each Security Server links to the fwssd executable. Under Windows NT, for example, looking at the Task Manager will not show the Security Server to which each process belongs. To find out which process belongs to each Security Server, proceed as follows:

• Look for the relevant Security Server's process identifier (PID) in the $FWDIR/tmp directory. For example, the HTTP Security Server PID will be written in the in.ahttpd.pid file.

• Once you know the PID number, look for the number on the Windows Task Manager > Processes tab. On UNIX platforms, such as Solaris and SecurePlatform, the process number is found in $FWDIR/tmp. The CPU and memory use can be observed in real time by running the top command.

In some circumstances, adjusting the number of Security Servers spawned by fwssd may help in troubleshooting performance issues. This is done by editing the fwauthd.conf file. The fwauthd.conf file contains configuration information for all child processes started by NGX daemons, not only fwssd. When working with the fwauthd.conf file, ensure that you are only modifying entries relevant to the Security Servers for FTP, HTTP, HTTPS, or Telnet. Some process configurations (such as those for SMTP or clientless VPN) should not be modified unless under direct instruction by Check Point Technical Support. Take care to only modify the line relevant to the process you are troubleshooting.

FWAUTHD.CONF EXAMPLE

A standard entry in fwauthd.conf looks like this:

# (port)  Parent  Child Process  Wait  # (to be spawned)
80        fwssd   in.ahttpd      wait  -5
259       fwssd   in.aclientd    wait  259

Editing fwauthd.conf


Listing Possible Causes


SECURITY SERVERS

• A general Security Server issue

• A Security Server with a CVP/UFP resource issue

• CVP server

• Limitation of hash tables

CVP SERVERS

• Overloaded CPU

• Memory issue

• Possible known/unknown issue

Identifying Issue Sources

One of the best ways to understand where the issue lies is by eliminating possibilities:

1. Change the rule so the HTTP resource is not used. Replace it with a standard HTTP service. This way, HTTP connections are passed through the kernel and not folded to the Security Server. If this solves the problem, the problem is with the HTTP Security Server: Proceed with step 3. If it does not solve the problem, proceed with step 2.

2. Change the rule to use the HTTP resource again, instead of the standard HTTP service. Do not configure the resource with the CVP server. Under this configuration if the problem does not exist, you know the issue is with the interaction with the CVP server.

3. When the problem occurs, run the following:

• top (on UNIX) or Task Manager (on Windows): notice which process number is in charge of the CPU and memory use. Check $FWDIR/tmp to find the PID of the relevant Security Server process.

• lsof (on Solaris): run this command to check how many file descriptors are open: lsof | grep <process name> | wc -l


DEBUGGING SECURITY SERVERS

To debug a Security Server, the relevant process must be running. Before starting the debug, verify that the process you wish to debug has a current PID in the $FWDIR/tmp directory. If the process has no PID, the following error will appear: "Cannot find process id for (in.aclientd)"

Check Point recommends debugging all processes on the active process. In circumstances where the process is not starting correctly, stop VPN-1 NGX, set the environment variables for debugging, and then restart VPN-1 NGX.

TDERROR_ALL_ALL Flag

When configuring a debugging session, whether for a running process or by setting an environment variable for a restarted session, it is important to remember to set the environment variables for that debugging session. While each Security Server has specific flags relevant to its functionality, all debugging requires a TDERROR_*_* flag to be set.

The TDERROR_ALL_ALL flag (most often seen when configuring debugging as set TDERROR_ALL_ALL=3) tells the process being debugged the level of information to write to the output file (typically processname.elg).

The numeric value is a verbosity level between 1 and 5, where 1 is the minimum amount of information to be written and 5 is maximum verbosity. Check Point recommends setting the verbosity level to 3 or 4, as this will often provide enough information for troubleshooting an issue.

TDERROR_*_* is also used to configure specific debugging sequences, as shown in the following sections. Each of the following sections gives the standard commands for enabling debugging on running processes, sorted according to the specific Security Server.

FTP Security Servers

To enable debugging on all platforms, run:

fw debug in.aftpd on | off FWAFTPD_DEBUG 3

Output is automatically redirected to $FWDIR/log/aftpd.elg.


REVIEW

• In VPN-1 NGX, the default behavior is for connections folded into a Security Server (except an SMTP Security Server) to be transparent. With transparent connections, the source IP address is untranslated (unless it is translated by the kernel for other reasons, such as NAT).

• Folding occurs when the NGX kernel updates the state tables associated with a connection on which a Security Server acts.

• Resource rules do not replace standard rules for protocols. When adding a resource rule to a Rule Base, the rule must be placed before any less-restrictive rules that allow protocols, but after rules that reject protocols.

• Edit $FWDIR/conf/spsc/spsc.en_us to modify the default messages produced by a Security Server.

• HTTP 1.0 and 1.1 behave differently, and must be dealt with for troubleshooting accordingly.

• Each Security Server is an iteration of the fwssd process. Locate the PID of the Security Server you are troubleshooting in the $FWDIR/tmp directory. Use this number to find the process information in Task Manager on Windows, or use the top command on UNIX and SecurePlatform.

• Creating a list of possible causes for an issue will help when troubleshooting Security Server issues. The list can include, but is not limited to:

— Limitation of kernel tables.

— A loaded kernel blocking Security Servers.

— A CVP/UFP resource issue.

— CVP server saturation.

— Limitation of hash tables.

• Identifying the source of the issue will also help when troubleshooting Security Server issues. Does the issue persist when the Security Server is disabled? If using CVP, remove the CVP server from the Security Server configuration and retest. Examine the relevant error-log files, get traffic captures, and examine memory use.

• Analyzing the output from any of the sources listed will provide information about the cause.


2. Which of the following tables is referenced in multiple stages of connection folding through a Security Server?

A.) FWX_AUTH

B.) AUTH_SERVICES

C.) PROXIED_CONNS

D.) CONN_OXID


3. You are troubleshooting an issue involving a Security Server working in CVP mode, with a content filtering OPSEC partner. It appears that this issue is related to the browser's connection with the CVP server. Which of the following debug commands will NOT be used to configure the debugging?

A.) fw debug in.ahttpd on TDERROR_ALL_s_to_c_read=3

B.) fw debug in.ahttpd on TDERROR_ALL_client_to_server_mgr=3

C.) fw debug in.ahttpd on TDERROR_ALL_cvp_to_server_mgr=3

D.) fw debug in.ahttpd on OPSEC_DEBUG_LEVEL=3


Review Answers

1. The default behavior for Security Servers in VPN-1 NGX is to leave the source IP address of a connection untranslated. To which of the following configurations will the source IP be translated by a Security Server?

C.) Virus scanning for SMTP servers

2. Which of the following tables is referenced in multiple stages of connection folding through a Security Server?

A.) FWX_AUTH

3. You are troubleshooting an issue involving a Security Server working in CVP mode, with a content filtering OPSEC partner. It appears that this issue is related to the browser's connection with the CVP server. Which of the following debug commands will NOT be used to configure the debugging?

D.) fw debug in.ahttpd on OPSEC_DEBUG_LEVEL=3


CHAPTER 8: VPN DEBUGGING TOOLS

IKE negotiation consists of two phases, Phase 1 (Main mode) and Phase 2 (Quick mode). The negotiation process in both modes can be observed in ike.elg with an internal Check Point utility called IKEview. This chapter covers guidelines for analyzing ike.elg, and instructions for collecting ike.elg and vpnd.elg data. This chapter assumes a basic comprehension of encryption, cryptography applications (algorithms and hash methods), and configuration of site-to-site VPNs using either pre-shared secrets or Certificates.

Objectives

1. Identify and explain the two phases of the IKE negotiation process.

2. Use VPN debugging tools for common troubleshooting practices.

3. Use VPN log files and the vpn debug command to troubleshoot VPN connections.

4. Use troubleshooting tables as general guidelines for troubleshooting VPN issues.


Key Terms

Phase 1 (Main mode)

Phase 2 (Quick Mode)

ike.elg


IKE BASICS

Troubleshooting a VPN requires an understanding of the process of creating a VPN tunnel. The following is a step-by-step process explaining the IKE exchange.

Phase 1

Phase 1 (Main mode) negotiates the encryption method (for example, DES or 3DES) and the hash algorithm (SHA1 or MD5), and establishes a key to protect the messages of the exchange. The following describes the stages of the Phase 1 process:

1. Stage 1: Peers authenticate using Certificates or a pre-shared secret.

2. Stage 2:

— Each Security Gateway generates a private Diffie-Hellman (DH) key from random-pool bits.

— From the private DH key, each peer derives a DH public key.

— The DH public keys are exchanged.

3. Stage 3:

— Each side generates a shared secret from its private key and its peer's public key.

— The shared secret is the DH key.

4. Stage 4:

— The DH key exchanges key material (random bits and other mathematical data).

— Methods are agreed upon for encryption and integrity for Phase 2.

5. Each side generates a symmetric key, based on the DH key and key material exchanged between sides.
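Stages 2 through 5 above carried through in code, as an added example that is not Check Point's implementation. It assumes the pre-shared-key form of the IKE Phase 1 key derivation from RFC 2409 (SKEYID and the SKEYID_d/a/e keys, with HMAC-SHA1 as the prf, matching the SHA1 proposal in the IKEview screenshots that follow) over the RFC 2409 group 2 prime, which IKEview labels "Alternate 1024-bit MODP group"; the pre-shared secret, nonces, cookies and private exponents are constructed sample values.

```python
import hashlib
import hmac
import secrets

# "Second Oakley Group" from RFC 2409 section 6.2 (1024-bit MODP, generator 2): the group
# IKEview shows as "Alternate 1024-bit MODP group" in the Phase 1 proposal.
MODP_1024_PRIME = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
GENERATOR = 2
PRIME_BYTES = 128   # g^xy enters the prf as a 1024-bit big-endian string


def dh_private_key():
    """Stage 2: a private DH exponent drawn from the random pool."""
    return secrets.randbelow(MODP_1024_PRIME - 2) + 1


def dh_public_key(private):
    """Stage 2: the public value g^x mod p that is sent to the peer."""
    return pow(GENERATOR, private, MODP_1024_PRIME)


def dh_shared_secret(private, peer_public):
    """Stage 3: the DH key g^xy mod p from our private key and the peer's public key.

    Peer values of 0, 1 or p-1 are rejected: they would force a trivial shared secret."""
    if not 1 < peer_public < MODP_1024_PRIME - 1:
        raise ValueError("peer public value is outside the group")
    return pow(peer_public, private, MODP_1024_PRIME)


def prf(key, data):
    """RFC 2409 prf: HMAC with the negotiated hash, SHA1 as in the proposal above."""
    return hmac.new(key, data, hashlib.sha1).digest()


def phase1_keys(psk, n_i, n_r, g_xy, cky_i, cky_r):
    """Stages 4-5 for pre-shared key authentication (RFC 2409 section 5):
    SKEYID   = prf(pre-shared-key, Ni_b | Nr_b)
    SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0)             keying material for Phase 2
    SKEYID_a = prf(SKEYID, SKEYID_d | g^xy | CKY-I | CKY-R | 1)  integrity key
    SKEYID_e = prf(SKEYID, SKEYID_a | g^xy | CKY-I | CKY-R | 2)  encryption key"""
    g_xy_b = g_xy.to_bytes(PRIME_BYTES, "big")
    skeyid = prf(psk, n_i + n_r)
    skeyid_d = prf(skeyid, g_xy_b + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + g_xy_b + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + g_xy_b + cky_i + cky_r + b"\x02")
    return {"SKEYID": skeyid, "SKEYID_d": skeyid_d, "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}


def main_mode_keys(psk, x_i, x_r, n_i, n_r, cky_i, cky_r):
    """Run Stages 2-5 on both peers; returns (initiator_keys, responder_keys).

    x_i/x_r are the private exponents, n_i/n_r the nonces from MM packets 3 and 4,
    cky_i/cky_r the ISAKMP header cookies."""
    g_i, g_r = dh_public_key(x_i), dh_public_key(x_r)   # public values exchanged in packets 3/4
    secret_i = dh_shared_secret(x_i, g_r)               # each side computes the same DH key
    secret_r = dh_shared_secret(x_r, g_i)
    return (phase1_keys(psk, n_i, n_r, secret_i, cky_i, cky_r),
            phase1_keys(psk, n_i, n_r, secret_r, cky_i, cky_r))


def demo():
    """One exchange with a constructed secret, nonces and cookies (sample values only)."""
    psk = b"constructed-pre-shared-secret"
    keys_i, keys_r = main_mode_keys(psk, dh_private_key(), dh_private_key(),
                                    secrets.token_bytes(16), secrets.token_bytes(16),
                                    secrets.token_bytes(8), secrets.token_bytes(8))
    return keys_i == keys_r   # True: both peers hold identical SKEYID_d/a/e
```

A peer configured with a different pre-shared secret derives a different SKEYID from the same public DH values, which is why a secret mismatch surfaces only when the Hash payloads of packets 5 and 6 fail to verify.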


EXAMPLE

The IKE exchange uses six packets for Phase 1 (Main mode) and three packets for Phase 2 (Quick mode):

1. For Main mode packet 1, the initiator 172.24.104.1 proposes the following information:

• Encryption algorithm: AES-CBC

• Key length: 256 bit

• Hash algorithm: SHA1

• Authentication method: pre-shared key

[IKEview screenshot: IKE Debugging Info for 172.24.104.1, Main Mode, Wed Jan 4 2006, MM packet 1 Security Association payload (prop1 PROTO_ISAKMP, tran1 KEY_IKE): Encryption Algorithm AES-CBC, Key Length 256, Hash Algorithm SHA1, Authentication Method Pre-shared key, Group Description Alternate 1024-bit MODP group, Life Type Seconds, Life Duration 86400]

Phase 1 Packet 1 — Peer Proposing AES-256/SHA1


2. Packet 2 is from the responder to agree on one encryption and hash algorithm:

[IKEview screenshot: MM packet 2 Security Association payload (prop1 PROTO_ISAKMP, tran1 KEY_IKE): Encryption Algorithm AES-CBC, Key Length 256, Hash Algorithm SHA1, Authentication Method Pre-shared key, Group description Alternate 1024-bit MODP group, Life Type Seconds, Life Duration 86400]

Phase 1 Packet 2 — Agreeing to AES-256/SHA1


3. Packets 3 and 4 perform the key exchange and include a large number never used before, called a nonce. A nonce is a set of random numbers sent to the other party, signed and returned to prove the party's identity. These two packets are not generally used when troubleshooting a key exchange with IKEview.

[IKEview screenshot: MM packet 3, Header, Key Exchange and Nonce payloads; the Key Data is shown as a hex dump]

Phase 1 Packet 3


4. Packets 5 and 6 perform authentication between the peers of the tunnel. The peer's IP address shows in the ID field under MM packet 5:

[IKEview screenshot: MM packet 5, Header, ID and Hash payloads; ID payload with ID type ID_IPV4_ADDR, Service type and Service port Not specified (0), ID Data 172.22.102.1]

Phase 1 Packet 5

5. Packet 6 shows the peer has agreed to the proposal and has authenticated the initiator:

[IKEview screenshot: MM packet 6, Header, ID and Hash payloads; status "Received from peer 172.24.104.1"]

Phase 1 Packet 6


1. Packet 1 proposes either a subnet or host ID, an encryption and hash algorithm, and ID data:

[IKEview screenshot: Quick Mode, QM packet 1 (09:51:06) - (10.2.4.0 255.255.255.0) - (10.2.2.0 255.255.255.0), Security Association prop1 PROTO_IPSEC_ESP]

Phase 2 Packet 1

In the ID field, the initiator's VPN Domain configuration displays. In the screenshot below, the VPN Domain for the initiator is the 10.2.4.0/24 network:

[IKEview screenshot: Quick Mode, QM packet 1 (09:51:06) - (10.2.4.0 255.255.255.0) - (10.2.2.0 255.255.255.0), first ID field selected]

Phase 2 Packet 1 — ID field_1


ID field_2 proposes the peer's VPN Domain configuration. In the screenshot below, the VPN Domain for the peer gateway is the 10.2.2.0/24 network:

[IKEview screenshot: Quick Mode, QM packet 1 (09:51:06), second ID payload: Length 00 10 (16), ID type ID_IPV4_ADDR_SUBNET, Service type Not specified (0), Service port Not specified (0), ID Data 0a 02 02 00 ff ff ff 00 (10.2.2.0 255.255.255.0)]

Phase 2 Packet 1 — ID field_2


3. Packet 2 from the responder agrees to its own subnet or host ID, and encryption and hash algorithm:

[IKEview screenshot: Quick Mode, QM packet 2 (09:51:06) - (10.2.4.0 255.255.255.0) - (10.2.2.0 255.255.255.0), Security Association prop1 PROTO_IPSEC_ESP, tran1 ESP_AES, Nonce; received from peer 172.22.102.1]

Phase 2 Packet 2

4. Packet 3 completes the IKE negotiation:

[IKEview screenshot: Quick Mode, QM packet 3 (09:51:06), Header and Hash payloads; sent to peer 172.22.102.1]

Phase 2 Packet 3


Q.) You have a site-to-site VPN between two Check Point NGX Gateways. They are managed by their own SmartCenter Servers. You see a lot of IKE Phase 1 failures in SmartView Tracker. You run IKE debug on one Gateway and find out that only one packet in Main mode is transferred. There is no packet in Main mode after packet 1. What is the next step to check the VPN configuration that might have caused this problem?

A.) Check VPN settings (including Encryption Algorithm, key length, Hash method) in the Community object. Make sure Phase 1 settings are identical on both sides. Also check Phase 1 settings in the Advanced settings in the Community object, such as group 1 or group 2, aggressive mode, etc. They must be defined identically on both sides.

Q.) You are configuring a site-to-site VPN from a Check Point NGX Gateway to a Cisco device. You see that traffic initiated from the VPN Domain inside the NGX Gateway is dropped with the error "Packet is dropped as there is no valid SA". The Cisco side is sending "Delete SA" to the NGX Gateway. The IKE debug indicates a Phase 2 (Quick mode) failure. What is causing the misconfiguration?

A.) A Quick mode failure usually indicates the VPN Domain is not configured exactly the same for one or both peers. For example, if the NGX Gateway's VPN Domain is a Class B network, but the same network is defined with a Class C subnet mask on the Cisco VPN configuration, then this type of error occurs.
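As an added example (not from the course material), the following Python decodes an ISAKMP Identification payload laid out as IKEview displays it under Quick mode packet 1, and classifies the proposed ID against the VPN Domain the other side expects, separating the subnet-mask mismatch described in the answer above from an outright address mismatch. The hex dumps are constructed to match the ID_IPV4_ADDR_SUBNET payloads shown earlier (10.2.4.0 and 10.2.2.0 with mask 255.255.255.0); the function and field names are mine.

```python
"""Decode ISAKMP Identification payloads as IKEview shows them for Quick mode
packet 1 and compare them with the VPN Domains each side expects.
Added example, not Check Point code; the hex input is constructed."""
import ipaddress
import struct

# Identification types from RFC 2407 (IPsec DOI), named as IKEview prints them.
ID_TYPES = {1: "ID_IPV4_ADDR", 4: "ID_IPV4_ADDR_SUBNET", 7: "ID_IPV4_ADDR_RANGE"}


def parse_id_payload(raw: bytes) -> dict:
    """Decode one Identification payload.

    Wire layout: next_payload(1) reserved(1) length(2) id_type(1)
    protocol_id(1) port(2) identification_data(length - 8).
    """
    if len(raw) < 8:
        raise ValueError("payload shorter than the 8-byte fixed part")
    next_payload, _reserved, length, id_type, proto, port = struct.unpack(
        "!BBHBBH", raw[:8])
    if length != len(raw):
        raise ValueError(f"length field says {length} bytes, got {len(raw)}")
    data = raw[8:]
    parsed = {
        "next_payload": next_payload,
        "id_type": ID_TYPES.get(id_type, f"unknown({id_type})"),
        "protocol_id": proto,  # 0 is shown as "Not specified (0)" in IKEview
        "port": port,          # likewise
    }
    if id_type == 1 and len(data) == 4:       # single host address
        parsed["network"] = ipaddress.ip_network(f"{ipaddress.IPv4Address(data)}/32")
    elif id_type == 4 and len(data) == 8:     # address followed by netmask
        addr = ipaddress.IPv4Address(data[:4])
        mask = ipaddress.IPv4Address(data[4:])
        parsed["network"] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    elif id_type == 7 and len(data) == 8:     # first and last address of a range
        parsed["range"] = (ipaddress.IPv4Address(data[:4]),
                           ipaddress.IPv4Address(data[4:]))
    else:
        raise ValueError(f"ID type {id_type} with {len(data)} data bytes not supported")
    return parsed


def parse_hex_dump(text: str) -> dict:
    """Accept the space-separated hex bytes copied from the IKEview ID payload pane."""
    return parse_id_payload(bytes.fromhex(text.replace(" ", "")))


def compare_with_vpn_domain(parsed: dict, expected_domain: str) -> str:
    """Classify a proposed ID against the VPN Domain configured for that side.

    "mask-mismatch" is the Quick mode failure described in the answer above:
    the same network proposed with a different subnet mask (Class B on one
    side, Class C on the other) overlaps but is not identical.
    """
    proposed = parsed.get("network")
    if proposed is None:
        return "unsupported"  # address ranges are not compared by this example
    expected = ipaddress.ip_network(expected_domain, strict=False)
    if proposed == expected:
        return "match"
    if proposed.overlaps(expected):
        return "mask-mismatch"
    return "address-mismatch"


def check_quick_mode_packet1(id1_hex: str, id2_hex: str,
                             local_domain: str, peer_domain: str) -> dict:
    """ID field 1 carries the initiator's VPN Domain and ID field 2 the
    peer's, as the text describes; check each against its configuration."""
    return {
        "id1": compare_with_vpn_domain(parse_hex_dump(id1_hex), local_domain),
        "id2": compare_with_vpn_domain(parse_hex_dump(id2_hex), peer_domain),
    }


# Constructed payloads matching the screenshots: 10.2.4.0/24 (initiator, next
# payload 5 = another ID) and 10.2.2.0/24 (peer), both ID_IPV4_ADDR_SUBNET.
ID1_HEX = "05 00 00 10 04 00 00 00 0a 02 04 00 ff ff ff 00"
ID2_HEX = "00 00 00 10 04 00 00 00 0a 02 02 00 ff ff ff 00"

if __name__ == "__main__":
    print(parse_hex_dump(ID2_HEX))
    # Peer side defined 10.2.0.0/16 where 10.2.2.0/24 was expected: mask-mismatch
    print(check_quick_mode_packet1(ID1_HEX, ID2_HEX, "10.2.4.0/24", "10.2.0.0/16"))
```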


TROUBLESHOOTING OVERVIEW

VPN DEBUGGING TOOLS

VPN Log Files

The ike.elg and vpnd.elg files contain information about the negotiation process for IKE encryption. VPN debug logging is enabled using the vpn debug on command. The output of the debugging commands writes to two different locations, depending on what is being debugged:

• IKE debugging is written to $FWDIR/log/ike.elg.

• VPN debugging is written to $FWDIR/log/vpnd.elg.

vpn debug on [debug topic] = [debug level] sets the specified TDERROR topic to the specified level, without affecting any other debug settings. This may be used to turn specific topics on or off.

vpn debug on TDERROR_ALL_ALL=1,2,3,4,5 turns on default VPN debugging, i.e., all TDERROR output and default VPN topics, without affecting any other debug settings.

In previous versions of VPN-1, Check Point recommended setting the environment variables to enable VPN debugging. As of VPN-1 NGX, vpn debug on is the preferred method. Setting the environment variables is recommended as a method for debugging only if there is a VPN tunnel failure.

vpn debug Command

vpn debug contains multiple utilities for troubleshooting VPN issues. The following lists all options for the command:

vpn debug < on [ DEBUG_TOPIC=level ] | off | ikeon [ -s size (Mb) ] | ikeoff | trunc | truncon | truncoff | timeon [ SECONDS ] | timeoff | ikefail [ -s size (Mb) ] | mon | moff >


Option                               Explanation

vpn drv < on | off | stat >          Setting vpn drv to off will tear down all [...] be used with this command. When vpn drv is set to on, all VPN tunnels are [...]

vpn ver [-k]                         Displays VPN version

vpn accel < on | off | stat [-l] >   [explanation illegible in source]

vpn compreset                        vpn compreset

vpn export_p12                       [explanation illegible in source]

VPN DEBUG ON | OFF

vpn debug on - Turn on vpn debug, and write the output to vpnd.elg.

vpn debug off - Disable vpn debug.

VPN DEBUG IKEON | IKEOFF

vpn debug ikeon — Turn on ike debug and write the output to ike.elg.

vpn debug ikeoff - Disable ike debug.


VPN TU

vpn tu is short for vpn tunnelutil, and is useful for deleting specific IPSec or IKE SAs to a specific peer or user without interrupting other VPN activities. The vpn tu command displays these options:

vpn tu Options

VPN DEBUG TRUNC

When the vpn debug on command runs, the output is written to $FWDIR/log/vpnd.elg by default. vpn debug trunc empties vpnd.elg and ike.elg, writes a time stamp, and starts new vpnd.elg and ike.elg files.

VPN ENVIRONMENT VARIABLES

Setting environment variables to enable logging should only be performed in circumstances where VPNs are failing. The following are the commands to enable the variables:

WINDOWS

set VPN_DEBUG=1

UNIX

set VPN_DEBUG 1


Comparing SAs

The following is a quick process to verify that you and a potential VPN partner are configured correctly:

1. Enable VPN debugging on both your and your partner's sites with vpn debug on.

2. Use vpn tunnelutil (vpn tu) to remove all SAs for either the peer with which you are about to create the tunnel, or all tunnels.

3. Have your peer initiate the tunnel from its site to yours.

4. Use vpn tunnelutil (vpn tu) to remove all SAs for either the peer with which you are about to create the tunnel, or all tunnels.

5. Initiate the tunnel from your site to your peer.

6. Disable debugging on both sites.

7. Examine ike.elg and vpnd.elg, as they will now contain records of the SA sent by your NGX installation, as well as what was received from your partner site.


TROUBLESHOOTING TABLES

The tables in this section present a general guideline for troubleshooting VPN related issues:

When troubleshooting ...            ... Use these tools

Connectivity issues:
• Ports
• Environment path
• Routing

Tools:
• Logs (SmartView Tracker, *.elg)
• Ping test
• fw monitor capture of traffic
• ike debug
• netstat -na
• SmartView Monitor VPN information

Points-of-failure issues:
• Interesting traffic
• Tunnel test
• Routing to tunnel (for OSPF or overlapping VPN Domains)
• Phases of IKE
• IKE specific packets
• Authentication (pre-shared secret, Certificate CRLs and time-zone differences)

Tools:
• Logs (SmartView Tracker, *.elg)
• ike debug
• Peer's logs and debugs
• fw monitor capture of traffic
• vpn debug
• kernel drop + vpn debug

Configuration issues:
• Gateway main IP
• VPN Domain
• Encryption details
• Rules
• VPN Community
• Network Address Translation

Tools:
• Logs (SmartView Tracker, *.elg)
• SmartView Monitor VPN information
• SmartDashboard
• Global Properties


ENCRYPTION - TROUBLESHOOTING FLOW

The following table provides a model of troubleshooting encryption at a more granular level. Specifically, this table lists issues and error messages that may occur during the VPN tunnel building process. This table is not meant as a model of how a tunnel is created, but is more of a guideline for examining issues that would arise during that process.

If this issue arises ...            ... Check these tools for information and possible causes

Pre-IKE decisions:
• Interesting traffic is received.
• VPN-1 NGX determines how and where to send the traffic.
Factors to determine if traffic is to be encrypted or not:
• VPN Domains (overlapping or not?)
• MEP configuration parameters
• Peer selection
• Link selection (which peer IP?)

Tools:
• Examine SmartView Tracker for negotiation messages.
• vpnd.elg may contain information about setup failures or VPN Domain misconfigurations.
• Use fw monitor to examine the traffic for packet-level information about configuration details.

IKE packet level:
• VPN-1 NGX determines that this traffic will be encrypted.
Issues may arise from:
• Ports open.
• Routing configuration.
• Source address of the VPN traffic.
• The Security Policy.
• Cluster configurations.

Tools:
• Examine SmartView Tracker for peer information.
• vpnd.elg will not have much useful information.
• ike.elg may contain information about starting the IKE negotiation process.
• fw monitor will show Gateway traffic, which is especially useful in determining if traffic is to or from a VPN Domain.


If this issue arises ...            ... Check these tools for information and possible causes

IKE Phase 1 negotiation:
• The peer has been contacted; beginning to build the tunnel.
Issues/Errors seen:
• No proposal chosen
• Invalid ID
• Invalid Certificate
• Payload malformed

Tools:
• Examine SmartView Tracker for IKE Phase 1 messages.
• ike.elg will contain critical information for troubleshooting these issues.
• vpnd.elg may be helpful, but not as informative as ike.elg.
• Verify that the CRL retrieval port (TCP 18264) is available.
• Verify pre-shared secrets.

IKE Phase 2 negotiation:
• Still building the tunnel.
Issues/errors seen:
• No proposal chosen
• Invalid ID

Tools:
• Examine SmartView Tracker for IKE Phase 2 messages.
• ike.elg will contain critical information for troubleshooting.
• Verify that the subnet, host address, [and] VPN Domain [are] configured correctly [...] max_subnet_for_range.

ESP packet flow:
• The IKE exchange was successful, and encrypted traffic is going to be exchanged.
Issues/errors seen:
• Outbound traffic: "No valid SA for Peer", "Encryption Failure"
• Inbound traffic: "Invalid SPI"
• Encryption is OK, but there is no ... packet for ...

Tools:
• ike.elg and vpnd.elg will contain information regarding SAs and SPIs.
• Run fw monitor to verify routing to and from the Gateway.
• Verify routing, SAs, and SPIs for the partner's configuration, especially in cases of cleartext traffic.
• Check implicit rules in SmartDashboard.


Q.) ... the other VPNs. How do you do it?

A.) Run vpn tu from the NGX Gateway and select the option for all IPSec and IKE SAs for a given Peer (GW).


LAB 9: RUNNING IKE DEBUGGING ON A SITE-TO-SITE VPN

Scenario: In a site-to-site VPN between two cities using pre-shared secrets, run ike debug on both Gateways, and analyze the output using IKEview. Transfer ike.elg from the Gateway to the internal Web server (www.yourcity.cp) where IKEview is installed. Each city site is a distributed environment, where the city Gateway is managed by its own SmartCenter Server.

Objectives:

• Configure a site-to-site VPN using pre-shared secrets between two Gateways.

• Run vpn debug ikeon on the Gateway, using the Command Line Interface.

• Analyze ike.elg using IKEview.

Topics:

• Configuring the site-to-site VPN using pre-shared secrets and VPN Communities

• Running the vpn debug ikeon command

• Running the vpn debug ikeoff command

• Using IKEview


11. Enter the partner city's internal network object for the VPN Domain setting:

[Screenshot: Externally Managed Check Point Gateway object, Topology screen, with interfaces eth0 172.24.104.1 / 255.255.0.0 (External), eth1 10.2.4.1 / 255.255.255.0 (This Network), eth2 192.168.22.104 / 255.255.255.0 (This Network); VPN Domain: Manually defined, Net_Madrid]

Partner-City Gateway's VPN Domain

12. Click OK to exit the gateway object.

CONFIGURE VPN COMMUNITY FOR SITE-TO-SITE VPN

1. In the VPN manager, open the default meshed-community object.

2. Add your and your partner city's gateway object to the Participant Gateways.


3. Make sure VPN settings are defined as follows:

[Screenshot: VPN Properties screen: IKE (Phase 1) Properties: Perform key exchange encryption with ..., Perform data integrity with SHA1; IPsec (Phase 2) Properties: Perform IPsec data encryption with ..., Perform data integrity with ...]

VPN Properties Screen

4. Open the Shared Secret screen (under Advanced Settings), and check the box Use only Shared Secret for all External members.


5. Enter the shared secret (abc123) for your partner city's gateway object:

[Screenshot: Shared Secret screen (Advanced Settings): Use only Shared Secret for all External members checked; each External member will have the following secret with all internal members in this community; Peer Name fwoslo, Shared Secret ...]

Shared Secret Screen


6. Select Advanced VPN Properties; make sure settings are defined as follows:

[Screenshot: Advanced VPN Properties screen: IKE (Phase 1): Use Diffie-Hellman group ...; Renegotiate IKE security associations every 1440 minutes; Use aggressive mode. IPsec (Phase 2): Use Perfect Forward Secrecy; Renegotiate IPsec security associations every ... seconds; Support IP compression; Disable NAT inside the VPN community]

Advanced VPN Properties Screen

7. Click OK.

CONFIGURE LOCAL GATEWAY OBJECT AND RULE BASE

1. Verify that the network object for your city site's internal network (for example, net_oslo for the fwoslo gateway) is selected as the VPN Domain in the Topology screen of your city's gateway object.

2. Click OK.


ENABLE IKE DEBUG

1. Log in to your city's Gateway via SSH, or locally via the console.

2. Change to Expert Mode and run the command cd $FWDIR/log to change to the $FWDIR/log directory.

3. Run less ike.elg, to view the contents of ike.elg.

4. Run vpn debug trunc, to clear ike.elg.

5. Run less ike.elg. The file should display:

IKE logging started.

6. Run vpn debug ikeon to enable ike debug.

7. In SmartDashboard, add a rule like the following to your Rule Base after the Stealth Rule:

[Screenshot: rule 1: Source Any, Destination Any, VPN MyIntranet, Service Any, Action accept, Track Log]

VPN Rule

8. Install the Security Policy.

9. Initiate Ping, and connect via HTTP to the internal Web server on your partner's city site.

10. From your Gateway's console, run the command to disable ike debug:

vpn debug ikeoff

11. Transfer ike.elg to your Web server, where the IKEview utility is installed.

ANALYZE IKE.ELG IN IKEVIEW

1. Open IKEview on the desktop of the internal Web server (www.yourcity.cp).

2. Select the ike.elg file you just transferred from the Gateway.

3. Review the total packets in Main and Quick mode.


4. Open Main mode packet 1 > Security Association > prop1 PROTO_ISAKMP > tran1 KEY_IKE. Verify that the encryption algorithm and hash method match the Phase 1 configuration in the mesh-community object's VPN properties and Advanced VPN settings.

5. In the KEY_IKE section, verify that the authentication method, group description, life type, and life duration match the Phase 2 configuration in the mesh-community object's VPN properties and Advanced VPN settings.

6. In Quick mode packet 1, first ID field, verify that the IP address and netmask in the ID data section in the right pane match the local network object in your city site. The network object should be entered as the VPN Domain in your gateway object's Topology screen.

7. In Quick mode packet 1, second ID field, verify that the IP address and netmask in the ID data section in the right pane match the VPN Domain settings you defined for your partner-city Gateway. For example, as shown below, the peer's VPN Domain is 10.2.4.0, with subnet mask 255.255.255.0. This configuration should be reciprocal on the peer's side.

[IKEview screenshot: Main Mode packets 1 to 6 (13:58:46) with MM packet 1 expanded (Security Association > prop1 PROTO_ISAKMP > tran1 KEY_IKE, Vendor ID); Quick Mode QM packet 1 (13:58:46) - (10.2.2.0 255.255.255.0) - (10.2.1.0 255.255.255.0), second ID payload: Length 00 10 (16), ID type ID_IPV4_ADDR_SUBNET, Service type Not specified (0), Service port Not specified (0)]

Quick Mode Packet 1 — ID_2 Field


REVIEW

• IKE encryption consists of two modes, Phase 1 (Main mode) and Phase 2 (Quick mode).

• When troubleshooting IKE VPN issues, the first step is to verify that IKE packets are arriving at the VPN Gateway in SmartView Tracker.

• If no packets are listed in SmartView Tracker, use fw monitor to verify whether VPN traffic is arriving at the Gateway.

• Use vpn debug ikeon to run debugs on a V P N tunnel. Examine the ike.elg file for the captured debugging information.

• vpn tu (the VPN tunnel utility) can be used to reset IKE SA when testing a tunnel.

• IKE Phase 1 consists of six packets, where the encryption and hash method are negotiated, and the first DH key is determined.

• IKE Phase 2 consists of three packets, where the IKE SAs are negotiated, the shared secret for exchanging the security algorithm is determined, and a second DH key is determined.

• ike.elg and vpnd.elg are the VPN log files.

• The vpn command has many subcommands that can be used to troubleshoot VPN related issues.

Review Questions

1. A VPN between your site and a partner is failing. Looking in SmartView Tracker, you see IKE packets are being received by your Gateway, but negotiations are failing in Phase 1. You run vpn debug, which shows that there are no packets after packet 5 from your machine. Which of the following is a possible cause of the failure?

A.) The Certificate being used for authentication is invalid.

B.) The shared secret being used for authentication is incorrect.

C.) Given the amount of information, A or B could be correct.


mask.


Review Answers

1. A VPN between your site and a partner is failing. Looking in SmartView Tracker, you see IKE packets are being received by your gateway, but negotiations are failing in phase 1. You run vpn debug, which shows that there are no packets after packet 5 from your machine. Which of the following is a possible cause of the failure?

C.) Given the amount of information, A or B could be correct.

2. The Quick mode packet 1 error "No Proposal Chosen" can be caused by all of the following, except?

D.)The peer is using a different encryption algorithm.


CHAPTER 9: TROUBLESHOOTING AND DEBUGGING SECUREMOTE/SECURECLIENT

As an aid for troubleshooting and debugging, the process of site-topology download and tunnel setup, and the various stages of the connection flow between a Gateway and VPN-1 SecureClient, can be identified. The traffic can be captured at a lower level than what is observable in logs, using the ike debug, sr_service debug, and srfw monitor commands.

Objectives

1. Identify necessary ports and their functions when VPN-1 SecuRemote/SecureClient connects to sites.

2. Identify packet flows during SecuRemote/SecureClient connection stages.

3. Use srfw monitor to capture traffic on SecureClient, and fw monitor on a Security Gateway.

4. Use ike debug to capture ike.elg data.

5. Analyze ike.elg in IKEview.


Key Terms

• sr_service

• srfw monitor

• srfw ctl debug

• sc debug on

• sc log


NECESSARY PORTS

The following table lists ports used by VPN-1 SecuRemote/SecureClient, as seen on the network. These ports must be open on the NGX Gateway to which SecureClient is connecting, and also open on any intermediate devices.

If control connections are enabled in the Security Policy's Global Properties, all of the following ports are opened automatically, except UDP 2746. If you do not have control connections enabled in Global Properties, these ports will need to be specified in the Rule Base.

Port              Purpose

TCP 264           Topology download

UDP 259           RDP (necessary only for MEP resolving and dynamic interface resolving)

UDP 500           IKE

TCP 500           IKE over TCP (if this option is set)

TCP 18231         Policy Server login (seen on the network using SSL if SecureClient has an IP address in the VPN Domain; not necessary to open this port if SecureClient is not in the VPN Domain.)

IP protocol 50    ESP (the actual encrypted data; not necessary to allow this if using UDP encapsulation)

UDP 2746          UDP encapsulation (encapsulates protocol 50 ESP packets)

UDP 18234         Tunnel test

TCP 18231         [...] address is not in the VPN Domain)

UDP 18233         SCV update

In Visitor Mode, only port 80 is open, or port 443 when traffic is tunnelled.


PACKET FLOW


LINK SELECTION FOR REMOTE ACCESS

Overview

In VPN-1/FireWall-1 4.0 and 4.1, the IP address on the General tab of a firewalled gateway object is considered the "main" IP. SecuRemote/SecureClient knows the main IP from the userc.C file, when it is downloaded from the site. SecuRemote/SecureClient always sends IKE and subsequent packets to the main IP. Check Point recommends using the external IP address in the General tab.

In some cases, the internal or private IP address needs to be the main IP, for example, because of control-connection or routing issues. Sometimes the firewall does not have a public IP address, because it is behind a NAT device, and SecuRemote/SecureClient traffic must enter from a DMZ or internal WAN interface. In these situations, SecuRemote/SecureClient must address packets to the firewall's internal interfaces, so the need for interface resolving arises.

STATIC-INTERFACE RESOLVING

IP address ranges are calculated for each firewall interface in the Topology screen (including this network and any groups defined). These allowed interface ranges are downloaded to userc.C when creating or updating a site. SecuRemote/SecureClient chooses the range to which its own physical IP belongs, then attempts to connect to the corresponding interface. Static-interface resolving is controlled by the property :resolve_interface_ranges in objects.C (VPN-1/FireWall-1 4.1) or objects_5_0.C (VPN-1/FireWall-1 NG and above), and is on by default. The disadvantages of static-interface resolving are as follows:

• SecureClient may choose the wrong interfaces, if the Gateway has multiple external interfaces.

• SecureClient may choose the wrong interface, because its own physical IP (behind NAT) fits into the wrong allowed interface range.

• Static-interface resolving does not accommodate firewalls that are statically translated behind an Internet router.
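As an added illustration of the disadvantages listed above (my own simplified model in Python, not Check Point code; the interface table is constructed and is not the userc.C format), the following resolves a gateway interface from the client's physical IP the way the text describes, and flags a client behind NAT being pointed at a private interface address, or an arbitrary pick between two external interfaces.

```python
"""Simplified model of static-interface resolving (added example; not Check
Point code, and this table is not the userc.C format): the client picks the
gateway interface whose allowed range contains the client's own physical IP."""
import ipaddress
from typing import List, Optional, Tuple

# Constructed allowed-interface-range table: one entry per gateway interface
# with the ranges calculated from its Topology definition (this network, groups).
GATEWAY_INTERFACES = [
    {"name": "eth0", "ip": "192.0.2.1",      "ranges": ["0.0.0.0/0"]},        # external
    {"name": "eth1", "ip": "10.2.4.1",       "ranges": ["10.2.4.0/24"]},      # internal
    {"name": "eth2", "ip": "192.168.22.104", "ranges": ["192.168.22.0/24"]},  # DMZ
]

# The same gateway with a second external interface (first disadvantage above).
TWO_EXTERNALS = GATEWAY_INTERFACES + [
    {"name": "eth3", "ip": "192.0.2.129", "ranges": ["0.0.0.0/0"]},
]

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    """True for private addresses that are not routable across the Internet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def candidate_interfaces(physical_ip: str, interfaces) -> List[Tuple[int, str]]:
    """(prefix length, interface IP) for every range containing the client's
    physical IP, most specific first. Longest-prefix preference is this model's
    assumption; a tie means the choice is arbitrary."""
    addr = ipaddress.ip_address(physical_ip)
    hits = []
    for entry in interfaces:
        for cidr in entry["ranges"]:
            net = ipaddress.ip_network(cidr)
            if addr in net:
                hits.append((net.prefixlen, entry["ip"]))
    hits.sort(key=lambda h: h[0], reverse=True)
    return hits


def resolve_interface(physical_ip: str, interfaces) -> Optional[str]:
    """Gateway interface IP the client will send IKE to, or None if nothing matches."""
    hits = candidate_interfaces(physical_ip, interfaces)
    return hits[0][1] if hits else None


def diagnose(physical_ip: str, behind_nat: bool, interfaces) -> dict:
    """Report the selected interface and why it may be the wrong one.

    behind_nat=True means the client reaches the gateway across the Internet
    through a NAT device: its physical IP is private, so it can fall into an
    internal interface's range although that interface is unreachable for it.
    """
    hits = candidate_interfaces(physical_ip, interfaces)
    chosen = hits[0][1] if hits else None
    warnings = []
    if chosen is None:
        warnings.append("no allowed interface range contains the client's IP")
    elif behind_nat and is_rfc1918(chosen):
        warnings.append(f"client behind NAT directed to private interface {chosen}")
    if len(hits) > 1 and hits[0][0] == hits[1][0]:
        warnings.append("several interfaces match equally; selection is arbitrary")
    reachable = chosen is not None and not (behind_nat and is_rfc1918(chosen))
    return {"chosen": chosen, "reachable": reachable, "warnings": warnings}


if __name__ == "__main__":
    # Home user whose private LAN happens to overlap the gateway's internal net.
    print(diagnose("10.2.4.50", True, GATEWAY_INTERFACES))
    print(diagnose("198.51.100.7", True, TWO_EXTERNALS))
```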


Link-Selection Methods in VPN-1 NGX

In VPN-1 NGX, all of the above link-selection methods can be configured on the Gateway object > VPN > Link Selection screen. The settings on this screen apply to both peer-to-peer and client-to-site VPNs:

[Screenshot: Gateway object > VPN > Link Selection screen. IP Selection by Remote Peer: locally managed VPN peers will determine this gateway's IP address using one of the following methods: Always use this IP address (Main address / Selected address from topology table / Statically NATed IP); Calculate IP based on network topology; Use DNS resolving; Use a probing method. Outgoing Route Selection: when initiating a tunnel the outgoing interface will be selected by the operating system; Source IP address settings. Tracking: Outgoing link tracking: None]

Link Selection Screen


GATEWAY WITH SINGLE EXTERNAL INTERFACE

The simplest scenario is an NGX Gateway with only one external IP address. There are three ways to configure this on the gateway object's VPN > Link Selection screen:

1. Main address: The IP address on the General Properties screen is used by SecuRemote/SecureClient to connect. When the main IP is selected as the link-selection method, the ip_resolution_mechanism property in the gateway-object section of objects_5_0.C holds the value denoting the main IP (mainIPVpnIP), as shown below:

Gateway-object section of objects_5_0.C, as shown in the screenshot:

    :accept_3des_for_clientless_vpn (true)
    :apply_resolving_mechanism_to_SR (true)
    :available_VPN_IP_list ()
    :available_VPN_IP_list_GW ()
    :clientless_VPN_ask_user_for_certificate (none)
    :clientless_proc_num (1)
    :disable_no_sa_logs_for_user (true)
    :dns_IP_resolution ()
    :dns_IP_resolution_GW ()
    :enable_internet_routing (false)
    :enable_routing (true)
    :fw_wire_log (false)
    :fw_wire_log_only_syn (true)
    :ike_support_nat_t (true)
    :interface_resolving_ha_primary_if ()
    :interface_resolving_ha_primary_if_GW ()
    :ip_resolution_mechanism (mainIPVpnIP)
    :ipsec_copy_TOS_to_inner (false)
    :ipsec_copy_TOS_to_outer (true)
    :ipsec_dont_fragment (true)
    :isakmp.allowed_ca ()
    :isakmp.authmethods ()
    :isakmp.dn ()
    :isakmp.dns_name ()
    :isakmp.do_dns_resolve (false)
    :isakmp.email ()

ip_resolution_mechanism in objects_5_0.C


When SecuRemote/SecureClient downloads a site, it downloads userc.C. In that file, the :allowed_interface_ranges property shows the main IP address specified in the gateway object:

Excerpt from userc.C, as shown in the screenshot:

    :keep_DF_flag_SR (false)
    :copy_DF_flag_SR (false)
    :allowed_interface_ranges (
        : (172.22.102.1
            :allowed_range (
                : (
                    :type (machines_range)
                    :ipaddr_first (0.0.0.0)
                    :ipaddr_last (255.255.255.255)
                )
            )
            :is_ext (true)
            :is_natted (false)
        )
    )
    :resolve_interface_ranges (true)
    :peers ()
    :gw_support_natt (true)

allowed_interface_ranges in userc.C

2. Selected address from the topology table: You can specify an IP address from the Topology screen. SecuRemote/SecureClient tries to connect to that IP as long as routing allows; after connecting, all VPN traffic to the VPN Domain is sent through this specific interface. When a specific IP address is selected as the link-selection method, the :ip_resolution_mechanism property has the value single_VPN_IP in objects_5_0.C, and userc.C carries that specific IP address in the :allowed_interface_ranges property.

3. Statically NATed IP: used when the gateway object has Static NAT applied to it, so that clients connect to the translated address rather than the address on the interface.

GATEWAY WITH MULTIPLE EXTERNAL INTERFACES

If an NGX Gateway has multiple external interfaces, use ongoing probing. SecureClient probes (with RDP packets) all interfaces listed in the object's Topology and connects to the first one that responds. SecureClient stays connected to that IP until the IP stops responding.


NGX link-selection method                   Connect to Pre-NGX Gateway
Main address                                Main address
Selected address from topology table        Ongoing probing
Static NAT                                  Ongoing probing
Calculate IP based on network topology      Main IP
Use DNS                                     Ongoing probing
Ongoing probing                             Ongoing probing
One-time probing                            One-time probing

SecuRemote/SecureClient Debugging Tools

SECUREMOTE/SECURECLIENT DEBUGGING TOOLS

cpinfo

3. While SecureClient is running, run the following from the directory where cpinfo.exe is located:

cpinfo -o output_file

4. The cpinfo output can be viewed in InfoView.

IKE debug

One option for debugging is to run IKE debug:

1. Stop SecureClient by right-clicking the SecureClient icon in the system tray.

2. Create an empty file named fwike_debug.all in the root directory, usually C:\.

3. Start SecureClient.

4. ike.elg is created in $SRDIR\log, usually C:\Program Files\CheckPoint\SecuRemote\log.

5. To stop IKE debug, stop SecureClient, delete fwike_debug.all, and restart SecureClient.

ike.elg can be opened and analyzed using the IKEview utility.


sc log Debug

sc log debug also clears the following files:

sr_service_tde.log

sr_gui_tde.log

sr_watchdog_tde.log

Run the command sc debug on -c.

To enable sc log debug without restarting the SecureClient service:

sc log on

To disable sc log debug without restarting the SecureClient service:

sc log off

For sc log on and sc log off to work, the files fwike_debug.all and sr_tde.all must exist under the root directory.

srfw ctl Debug

Kernel debugging on SecureClient is similar to kernel debugging on an NGX VPN-1 Gateway, and is useful mainly for debugging dropped packets. From $SRDIR\bin, run these commands:

1. To clear any previous debug options, run srfw ctl debug 0.

2. To set the buffer size, run srfw ctl debug -buf 4096.

3. Specify debug options by running srfw ctl debug -m <module> <option>.

4. Start the debug and write to the output file by running srfw ctl kdebug -f > <filename>.

5. Use CTRL+C to stop the debug.

6. For example, to debug dropped packets as you would with fw ctl debug on a Gateway, run srfw ctl debug -m fw drop.

To list the available modules and their debug options, run srfw ctl debug -m.

Enhanced Debugging Tool

ENHANCED DEBUGGING TOOL

Since SecuRemote/SecureClient NG with Application Intelligence R56, an enhanced debugging tool has been available in the SecuRemote/SecureClient GUI. No Command Line Interface is necessary.

1. In the SecureClient Settings > Advanced screen, click the button Enable logging.

2. Restart the SecureClient.

3. Recreate the problem, and test traffic.

4. From the Settings > Advanced screen, click the Save logs button.

5. A .tgz file with a time and date stamp is saved in the UserLogs folder under the user's Temp folder (for example, C:\Documents and Settings\johndoe\Local Settings\Temp\UserLogs\SC_logs_xxxxx.tgz).

[Screenshot: Windows Explorer at C:\Documents and Settings\tchung\Local Settings\Temp\UserLogs, showing the saved SC_logs_16_Nov_05.7.50_55 archive (313 KB, WinZip file, 11/16/2005 7:50 AM) and a 1 KB text document.]

SecureClient .tgz Output

The . tgz file contains the following debugging information:

• Installation log

• ipconfig output

• Routing-table data

• ike.elg

• Three .tde log files

• userc.C

• Time-stamp file


[Screenshot: the archive opened in WinZip, 18 files, 4,924 KB: AutoPlay_NGX_R60.elg, DTApi.log, ErrorDescription.txt, fwkern.txt, install_cpinfo_R55W.elg, install_fwgui_DAL.elg, install_fwgui_R60.elg, install_securemote_R56.elg, install_securemote_R60.elg, ipconfig.txt, route.txt, sr_gui_tde.log, sr_service_tde.log, sr_watchdog_tde.log, Temp_log.tar, time.txt, uninstall_fwgui_R60.elg, userc.C.]

R56 Logging Files

6. To disable logging, clear the box Enable logging in the Settings > Advanced screen.

7. Stop and start the SecureClient.

This debug does not include srfw monitor, cpinfo, or kernel debug.


Troubleshooting Table

TROUBLESHOOTING TABLE

This table is an example of the flow for troubleshooting a remote-access issue. It is not meant as a model of SecuRemote connection setup, but uses the stages of a connection as a guideline for troubleshooting specific issues.

If this issue arises during ...   ... examine these possible causes and check the listed tools

SecureClient version
• Installation issues
• Compatibility with Gateway versions (feature changes)
• Operating-system compatibility

Site creation (topology download and requirements for connection)
• Verify that the topology is exportable for SecuRemote/SecureClient.
• Verify necessary ports are open.
• Verify split DNS configuration.
• Confirm in userc.C: preferred Gateway, connection options, Gateway IPs, available profiles, Policy Server IP.

Pre-IKE decisions (interesting traffic is received from SecuRemote/SecureClient; VPN-1 NGX determines how and where to send the traffic)
• Method of encryption
• Partially overlapping VPN Domains may cause errors
• Peer selection for Multiple Entry Point (MEP) configurations
• Link selection
• Mode selection: Connect/AutoConnect Mode

[Row heading lost] (... will be encrypted.)
• Verify the path to the Gateway is open (if ...).
• Verify IKE over TCP ports are open.
• Verify UDP encapsulation ports are open (if necessary).
• Verify routing.
• Verify security or SecureClient ...
• Verify NAT-T ports or MEP are configured in userc.C.


Phase I/authentication (The Gateway has been contacted, and is beginning to build the tunnel)
• Verify Phase 1 completes.
• Verify authentication works for the user without SecuRemote/SecureClient configured.
• Verify the authentication method is supported with IKE and the Gateway.
• Verify the third-party authentication server.
• Verify IKE over TCP is enabled. (This allows fragmentation of Main Mode packet 6, for large certificates or Certificate Revocation Lists.)
• Verify whether Visitor Mode is enabled. (This encapsulates the entire session over port 80 or 443, for clients behind a proxy or a restrictive gateway.)
• Verify the internal/third-party CA, and certificate generation/distribution/CRL.
• Refer to fw monitor, srfw monitor, and IKE debug logs for more data.

[Row heading lost]
• Verify Office Mode: ipassignment.conf, RADIUS, DHCP, IP pool configuration.

Encrypted data (The IKE exchange was successful, and encrypted traffic is going to be exchanged.)
• While this phase is also hidden by the virtual machine, some data can still be gathered from other sources.

• Use fw monitor for viewing ESP packets (IP protocol 50) to and from the SecureClient.

• Verify that UDP encapsulation port 2746 (the Check Point proprietary port) is open.

• Verify the tunnel-test port is open (port 18234).

• Verify the NAT-T port (UDP 4500, the industry standard for UDP encapsulation) is open.

• Verify dynamically assigned IP (DAIP) routing is configured.

• Verify routing to the hub Gateway in MEP configurations.

• Verify the Office Mode IP for MEP configurations is routing to the correct chosen Gateway.

• Check SmartView Tracker for Secure Configuration Verification (SCV) drops, as well as SCV log checks.

• Check SmartView Tracker for Policy Server login and download notification.

Lab 10: Observing IKE Negotiation Between a Gateway and SecureClient

LAB 10: OBSERVING IKE NEGOTIATION BETWEEN A GATEWAY AND SECURECLIENT

Scenario: To observe IKE negotiations between an NGX Gateway and SecureClient, you will run ike debug on the Gateway and SecureClient at the same time, and analyze the output using IKEview. In this lab, you and your partner will alternate roles. One side will be the SecureClient, while the other will be the site to which the SecureClient connects. SecureClient is installed on the Windows machine behind your Gateway (for example, weboslo). You are going to create a site and connect to your partner's city site, while both sides are running debugging sessions. Once the debugging sessions are captured, each side will then reverse roles, repeat the debugging from the other side, then examine the debugging sessions.

Objectives:

• Run ike debug on the SecureClient desktop.

• Run ike debug on the NGX Gateway.

• Analyze IKE negotiation using the IKEview utility.

Topics:

• Enabling Office Mode on the Gateway

• Creating the SecureClient user

• Configuring the Remote Access Community

• Installing the open Policy

• Enabling Office Mode on the SecureClient desktop

• Starting IKE debug on the Gateway and SecureClient

• Stopping IKE debug on the Gateway

• Analyzing ike.elg files in IKEview

DETERMINE ROLES FOR THE LAB SCENARIO

Decide which side will be the SecureClient and which will be the site. If you are the site, skip to the Gateway-side steps.

GATEWAY SIDE: ENABLE OFFICE MODE ON THE GATEWAY

In the gateway object, under Remote Access > Office Mode, allow Office Mode to all users, using one of the methods (IP Pool). The Office Mode network (Office_Net) is 10.x.x+1.0, where x is the second octet of your network and x+1 is the third octet plus one, with mask 255.255.255.0. For example, Net_Oslo is 10.2.2.0, so Office_Net for Oslo is 10.2.3.0. Click OK to close the objects.

GATEWAY SIDE: CREATE THE SECURECLIENT USER

Create the SecureClient user, then click OK to close the user object.

GATEWAY SIDE: CONFIGURE THE REMOTE ACCESS COMMUNITY

In the Remote Access Community, verify that All Users is a participant user group and that your Gateway (with Net_Oslo, for example, in its VPN Domain) is a participating Gateway.

CLIENT SIDE: INSTALL OPEN POLICY

On the Gateway in front of the SecureClient desktop, install a policy with a rule allowing the lab traffic.

CLIENT SIDE: ENABLE OFFICE MODE ON THE SECURECLIENT DESKTOP

1. Right-click the SecureClient icon in the system tray.

2. Open the profile's properties.

3. Click the Advanced tab.

4. Check the box that enables Office Mode.

5. Click OK.

GATEWAY SIDE: START IKE DEBUG ON THE GATEWAY

Start IKE debug on your city Gateway:

1. Log in to the Gateway.

2. Run the vpn debug command.

CLIENT SIDE: START IKE DEBUG ON SECURECLIENT

Follow the IKE debug procedure from earlier in this chapter: stop SecureClient from the system-tray icon, create an empty fwike_debug.all in C:\, start SecureClient, enter your credentials and connect to your partner city's VPN site, then stop the debug.

GATEWAY SIDE: STOP IKE DEBUG ON THE GATEWAY

After your partner city's SecureClient has connected and the negotiation is captured, stop the running vpn debug.

CLIENT SIDE: TRANSFER IKE.ELG FROM SECURECLIENT TO YOUR PARTNER SITE

An FTP server is installed on the Windows machine behind each city site's Gateway.

1. From your SecureClient machine, open an FTP session and log in to your partner city's FTP server.

2. Type binary.

3. Type hash.

4. Type put ike.elg.

5. Exit the FTP session.

REVERSE ROLES

Each side will now perform the steps for the other side of the connection.

ANALYZE IKE.ELG FILES IN IKEVIEW

Using IKEview, analyze your Gateway's ike.elg, and the ike.elg from your partner city's SecureClient.

Continue to next lab.

Lab 11: Running srfw monitor

LAB 11: RUNNING SRFW MONITOR

Scenario: Continuing from the last lab, the site that was the SecureClient will continue in that role for the lab. Once each side has completed its capture, each side will switch roles and repeat the procedures for the other side. In this lab, each side will run srfw monitor on the SecureClient desktop and fw monitor on the corresponding NGX Gateway, and will analyze output using Ethereal.

Objectives:

• Run srfw monitor on the SecureClient desktop.

• Run fw monitor on the corresponding Gateway.

• Analyze both monitor outputs in Ethereal.

Topics:

• Running fw monitor on the NGX Gateway

• Running srfw monitor on the SecureClient desktop

• Stopping fw monitor on the Gateway

• Analyzing srfw monitor output using Ethereal

• Analyzing fw monitor using Ethereal

GATEWAY SIDE: RUN FW MONITOR ON NGX GATEWAY

1. Run fw monitor, filtering on the SecureClient's physical IP and its Office Mode IP, and write the capture to a file:

fw monitor -e "accept src=<SecureClient physical IP> or src=<Office Mode IP> or dst=<SecureClient physical IP> or dst=<Office Mode IP>;" -o monitor_gateway_yourcity.out

CLIENT SIDE: RUN SRFW MONITOR ON SECURECLIENT DESKTOP

1. On the SecureClient desktop, open a command prompt (CLI) and change to $SRDIR\bin.

2. Run srfw monitor, writing its output to a file.

3. Connect to your partner city's VPN site.

4. srfw monitor reports the packets it captures on the console (control-C to stop).

5. Test traffic with FTP or HTTP to the Web server in the VPN Domain, then press CTRL+C in the CLI to stop srfw monitor.

GATEWAY SIDE: STOP FW MONITOR ON THE GATEWAY

Press CTRL+C in the CLI to stop fw monitor.

REVERSE ROLES

ANALYZE SRFW MONITOR OUTPUT IN ETHEREAL

1. Open the srfw monitor output using Ethereal:

[Screenshot: Ethereal packet list of the srfw monitor capture. Frames 48-54 are TCP 18190/1300 traffic (retransmissions and duplicate ACKs) between 172.22.102.1 and 10.2.4.104. Frames 55-58 show the HTTP connection from the SecureClient: the SYN from 10.2.3.1 to 10.2.2.102 (port 1378 > http), the same packet leaving as ESP (SPI 0x1cdcc810) from 10.2.4.104 to 172.22.102.1, the ESP reply (SPI 0x52cf04e4) from 172.22.102.1 to 10.2.4.104, and the decrypted SYN/ACK from 10.2.2.102 to 10.2.3.1; the following frames are the ACK and GET / HTTP/1.1 with their ESP counterparts. Frame 55 detail: Ethernet II; IP 10.2.3.1 -> 10.2.2.102; TCP src port 1378, dst port http (80), Seq 0, Ack 0, Len 0.]

srfw monitor Output

2. Identify the changes in source and destination addresses as a packet leaves the SecureClient to reach the VPN Domain's internal Web server. In the screenshot above, at inspection point o (lowercase), the source address is the Office Mode IP, 10.2.3.1, and the destination is 10.2.2.102, weboslo. As the packet leaves the SecureClient at O (uppercase), it has been encrypted: the source address is now the SecureClient machine's physical IP, 10.2.4.104, and the destination is fwoslo's external interface, 172.22.102.1.

3. Identify the interface direction for outbound and inbound traffic. For example, for the outbound traffic on lines 55 and 56 (in the No. column), the inspection points are o and O; for the inbound traffic on lines 57 and 58, they are i and I.

ANALYZE FW MONITOR IN ETHEREAL

1. Open the fw monitor output using Ethereal.

2. Locate an HTTP SYN packet, by filtering on the Office Mode IP address in the Source column.

3. Locate the entry number in the No. column, as in the screenshot below. The number 716 is the HTTP SYN packet.

4. Clear the filter by clicking the No. column.

5. Review the HTTP SYN packet, starting from protocol ESP in number 715.

[Screenshot: Ethereal packet list of the fw monitor capture file C:\ftproot\monitor_gateway_fwoslo.out. Frames 710-714: an ESP packet (SPI 0x4442c7a8) from 10.2.4.104 to 172.22.102.1 and decrypted FTP-session packets from 10.2.3.1 to 10.2.2.102. Frame 715: ESP (SPI 0x4442c7a8) from 10.2.4.104 to 172.22.102.1. Frame 716 (selected): TCP 1431 > http [SYN] from 10.2.3.1 to 10.2.2.102. Frames 717-718: the same SYN at the following inspection points. Frames 719-721: http > 1431 [SYN, ACK] from 10.2.2.102 to 10.2.3.1. Frame 722: ESP (SPI 0xdab604eb) from 172.22.102.1 to 10.2.4.104. Frames 723-725: the next ESP packet from the client and the decrypted ACK. Frame 716 detail: IP 10.2.3.1 -> 10.2.2.102; TCP src port 1431, dst port http (80), Seq 0, Ack 0, Len 0.]

fw monitor Output

End of lab.

Review

REVIEW

• Commands used in debugging SecureClient-to-Security Gateway connections are ike debug, sr_service debug, and srfw monitor.

• The necessary ports for SecureClient to establish connections are:

— TCP 264, 500, 18231 (80 and 443 are only necessary in Visitor Mode).

— UDP 259, 500, 2746 (and UDP 4500 when NAT-T is used).

— IP protocol 50 (not required if using UDP encapsulation).

• The ports used by SecureClient inside the tunnel are:

— UDP 18234.

— TCP 18231, 18233.

• srfw monitor can be used to track packet flow in all phases of a SecureClient connection.

• For SecureClient, the IP address in the General Properties screen of the gateway object (normally the external IP) is used as the connection point. This is defined for SecureClient in the userc.C file and is referred to as the main IP. Where an internal IP address is used for the main IP, interface resolution can be used to guarantee connection and encryption.

• Static interface resolving is enabled by the property :resolve_interface_ranges, and is on by default. Each interface in a Gateway is used to calculate an interface range; SecureClient reads these ranges from userc.C, then determines to which interface range its own address belongs.

• Dynamic interface resolving is enabled by the property :resolve_multiple_interfaces. SecureClient sends RDP packets to all interfaces it is aware of, as defined in userc.C; whichever interface responds first is the one with which SecureClient then encrypts.

• In VPN-1 NGX, SecureClient link selection on single-external-interface systems primarily uses one of three methods: main IP address, selected address from the Topology table, or Static NAT.

• In an NGX system with multiple external interfaces, additional methods can be configured: calculating IP based on network topology, one-time probing, and ongoing probing.
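The port list above and the troubleshooting table earlier in this chapter can be turned into a quick check of how far a connection got. The following added Python script is not part of the course material; it classifies capture lines by the SecureClient service and phase they belong to and names the phase whose row of the troubleshooting table to examine next. The line format is a constructed one for this example, the sample captures are constructed, and the phase order is taken from the table; the ports are those listed on this page.

```python
import re

# Phase order follows the chapter's troubleshooting table.
PHASE_ORDER = ["site creation", "pre-IKE", "Phase I", "encrypted data", "Policy Server"]

# (protocol, destination port) -> (service, phase).  Ports are those listed in
# the troubleshooting table and the review above; ESP carries no port.
SERVICES = {
    ("TCP", 264):   ("topology download", "site creation"),
    ("UDP", 259):   ("RDP link-selection probe", "pre-IKE"),
    ("UDP", 500):   ("IKE", "Phase I"),
    ("TCP", 500):   ("IKE over TCP", "Phase I"),
    ("TCP", 80):    ("Visitor Mode (HTTP)", "Phase I"),
    ("TCP", 443):   ("Visitor Mode (HTTPS)", "Phase I"),
    ("ESP", None):  ("ESP, IP protocol 50", "encrypted data"),
    ("UDP", 2746):  ("UDP encapsulation", "encrypted data"),
    ("UDP", 4500):  ("NAT-T", "encrypted data"),
    ("UDP", 18234): ("tunnel test", "encrypted data"),
    ("TCP", 18231): ("Policy Server login", "Policy Server"),
    ("TCP", 18233): ("SCV (18233)", "Policy Server"),
}

# Constructed line format for this example: "<PROTO> <src>[:<sport>] > <dst>[:<dport>]".
LINE = re.compile(r"^(TCP|UDP|ESP)\s+(\S+?)(?::(\d+))?\s+>\s+(\S+?)(?::(\d+))?\s*$")

# Constructed captures: client 203.0.113.7 toward a Gateway at 172.22.102.1.
REACHES_DATA = """\
TCP 203.0.113.7:1300 > 172.22.102.1:264
UDP 203.0.113.7:259 > 172.22.102.1:259
UDP 203.0.113.7:500 > 172.22.102.1:500
UDP 203.0.113.7:4500 > 172.22.102.1:4500
"""
STUCK_AFTER_IKE = """\
TCP 203.0.113.7:1300 > 172.22.102.1:264
UDP 203.0.113.7:500 > 172.22.102.1:500
UDP 172.22.102.1:500 > 203.0.113.7:500
TCP 203.0.113.7:1301 > 172.22.102.1:264
"""


def classify(line):
    """Map one capture line to (service, phase), or None for anything else."""
    m = LINE.match(line.strip())
    if not m:
        return None
    proto, _src, _sport, _dst, dport = m.groups()
    return SERVICES.get((proto, int(dport) if dport else None))


def diagnose(capture):
    """Return the services seen, the furthest phase reached, and the phase
    whose row of the troubleshooting table to examine next."""
    seen = {}
    for line in capture.splitlines():
        hit = classify(line)
        if hit:
            seen[hit[0]] = hit[1]
    reached = max((PHASE_ORDER.index(p) for p in seen.values()), default=-1)
    return {
        "seen": seen,
        "last_phase": PHASE_ORDER[reached] if reached >= 0 else None,
        "examine": PHASE_ORDER[reached + 1] if reached + 1 < len(PHASE_ORDER) else None,
    }


if __name__ == "__main__":
    for name, capture in (("reaches data", REACHES_DATA), ("stuck after IKE", STUCK_AFTER_IKE)):
        result = diagnose(capture)
        print(name, "->", result["last_phase"], "| examine:", result["examine"])
        print("   seen:", ", ".join(result["seen"]))
```

Traffic inside the tunnel (Policy Server login, SCV, tunnel test) is only visible as clear text on the SecureClient side, at the o inspection point of srfw monitor; a capture taken on the Gateway's external interface shows it as ESP or UDP encapsulation, so on that side "encrypted data" is the last phase this check can confirm.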

CHAPTER 10: ADVANCED VPN

VPN-1 NGX introduces a new VPN capability, route-based VPN where VPN traffic is routed within a Community based on static- or dynamic-routing information. Route-based VPN is done using VPN Tunnel Interfaces (VTI), a virtual interface on the OS level.

Object ives

1. Identify differences between route-based VPNs and domain-based VPNs.

2. Configure VTI for route-based VPN Gateways.

3. Configure OSPF for dynamic VPN routing in a Community.

4. Identify the Wire Mode function by testing a VPN failover.

5. Configure Directional VPN Rule Match for route-based VPN.

Key Terms

Route-Based VPN

ROUTE-BASED VPN

Prior to VPN-1 NGX, a site-to-site VPN required VPN Domains. If a packet's source and destination addresses matched local and certain peer Security Gateways' VPN Domains, the packet was encrypted or decrypted automatically. With a route-based VPN, an NGX Gateway can decide to encrypt and decrypt a packet using a VPN Tunnel Interface (VTI), an OS level virtual interface that provides a door to a VPN tunnel. When properly configured, the packet will then go through a route-based VPN via appropriate VTIs.

Route-based VPN provides VPN redundancy, as in the following example:

[Figure CPG0551: Route-Based VPN between the Rome and Oslo Gateways.]

Route-Based VPN

Domain-Based VPN

DOMAIN-BASED VPN

Dynamic-routing protocols are not required to implement route-based VPNs. Static routes can achieve the same purpose. As long as the OS level routing mechanism knows how to get to the remote peer's network via the correct VTI, a route-based VPN can work properly. However, static routes need to be updated manually, when there is a routing change.

It is important to note that a route-based VPN does not replace a domain-based VPN, but expands it. Domain-based VPN takes precedence over route-based VPN. Routing through VTIs only applies to traffic that is not routed in VPN Domains. The order between the two VPN routing methods is set by the order of the VPN routing decisions. First, domain-based VPN routing tables are consulted, to determine the proper origin or target VPN Gateway for the traffic. If no domain-based VPN routing applies, the OS routing table is examined, to determine whether the traffic is to be routed through a VTI.

For example, when two Gateways have VPN Domains configured for their site-to-site VPN, they always route traffic between the two VPN Domains through the Community, whether or not VTIs exist. VTIs can be used at first to serve additional traffic that the VPN Domains do not handle. This way, an Open Shortest Path First (OSPF) daemon can be set up to work over a VTI while the domain-based VPN is still active. Since OSPF communicates using multicast, it works only over VTIs.

Once OSPF adjacency is established between the two Gateways, routing information can be exchanged. After verifying that the routing information is correct, gradually remove parts of the VPN Domains' definitions, to allow a route-based VPN to take over.

VPN Tunnel Interface

VPN TUNNEL INTERFACE

A VPN Tunnel Interface (VTI) is a virtual interface on an NGX component, which is associated with an existing VPN tunnel, and is used by IP routing as a point-to-point interface directly connected to a VPN peer Gateway. Each VTI is associated with a single tunnel to a VPN peer Gateway. The tunnel behaves just like a point-to-point link between the two Gateways. The tunnel and its properties are defined by a VPN Community linking the two Gateways. The peer Gateway should also be configured with a VTI. The native IP routing mechanism on each Gateway can then direct traffic into the tunnel, just as the mechanism would do for any other type of interface.

VPN Routing Process

OUTBOUND PACKETS

The VPN routing process of an outbound packet can be described as follows:

[Figure: two VPN-1 NGX Security Gateways, Source and Destination, connected through VPN Tunnel Interfaces.]

• An IP packet with destination address x is matched against the routing table.

• The routing table indicates that IP address x should be routed through a point-to-point link, which is the VTI associated with the peer Gateway.


• The NGX kernel intercepts the packet as it enters the VTI.

• The packet is encrypted using the proper IPsec Security Association parameters with the peer Gateway, as defined in the VPN Community. The new packet receives the peer Gateway's IP address as the destination IP.

• Based on the new destination IP address, the packet is rerouted by VPN-1 NGX to the physical interface, according to the appropriate routing-table entry for the peer Gateway's address.

Inbound Packets

The opposite is done for inbound packets:

• An IPsec packet enters the machine coming from the peer Gateway.

• VPN-1 NGX intercepts the packet on the physical interface.

• VPN-1 NGX identifies the originating VPN peer Gateway.

• VPN-1 NGX decapsulates the packet, and extracts the original IP packet.

• VPN-1 NGX detects that a VTI exists for the peer VPN Gateway, and reroutes the packet from the physical interface to the associated VTI.

• The packet enters the IP stack through the VTI.

Best Practices

A VTI is best defined symmetrically on both Gateways, although it is possible to have one side work with a domain-based VPN. In this case, the Gateway without a VTI configured on it would not accept just any IP address from its peer Gateway, but only IP addresses specifically defined in the peer's VPN Domain (or any specific alteration of it configured in the vpn_route.conf file).

With VTIs, it is now possible to completely control VPN routing by OS routing. The same infrastructure allows dynamic-routing protocols to control the VPN. A dynamic-routing protocol daemon running on the NGX Gateway (on SecurePlatform Pro and IPSO platforms only) can establish connectivity with a neighboring routing daemon on the other end of an IPsec tunnel, which appears to be a single hop away. The daemons can exchange routing information and dynamically change the IP routing, which naturally changes the traffic directed to the IPsec VPN tunnel.

Configuring Numbered VTIs

VTIs can be configured manually using vpn shell on SecurePlatform Pro, or by using Voyager on IPSO. The following example demonstrates creating numbered VTIs among three SecurePlatform Pro NGX Gateways:

Figure: VTI for Three Sites (Security Gateway A: ext 214.214.214.1, VTIs 10.10.0.1 and 10.10.0.3, network 192.168.14.0; Security Gateway B: ext 215.215.215.1, VTI 10.10.0.2; Security Gateway C; further VTIs 10.10.0.4 and 10.10.0.5; networks 192.168.15.0 and 192.168.16.0)

Three NGX Gateways are the minimum required to set up a route-based VPN. Therefore any Gateway in a route-based VPN topology has two VTIs, one for each peer. Assume Gateways A, B, and C are setting up VTIs to each other, to use a route-based VPN.

Figure Notes

For the tunnel between Gateways A and B, 10.10.0.1 is assigned to Gateway A and 10.10.0.2 is assigned to Gateway B. For the tunnel between Gateways A and C, 10.10.0.3 is assigned to Gateway A and 10.10.0.4 to Gateway C. For the tunnel between Gateways B and C, 10.10.0.5 is assigned to Gateway B and 10.10.0.6 is assigned to Gateway C.

Creating VTIs

The syntax is as follows:

vpn shell interface add numbered <Local VTI IP> <Remote VTI IP> <Peer Gateway object name> <VTI name>

Add Command

On Gateway A, type the following vpn shell add commands:

vpn shell interface add numbered 10.10.0.1 10.10.0.2 Gateway_A to_B
vpn shell interface add numbered 10.10.0.3 10.10.0.4 Gateway_A to_C

On Gateway B, type the following vpn shell add commands:

vpn shell interface add numbered 10.10.0.2 10.10.0.1 Gateway_B to_A
vpn shell interface add numbered 10.10.0.5 10.10.0.6 Gateway_B to_C

On Gateway C, type the following vpn shell add commands:

vpn shell interface add numbered 10.10.0.4 10.10.0.3 Gateway_C to_A
vpn shell interface add numbered 10.10.0.6 10.10.0.5 Gateway_C to_B

... eight characters. The peer name used in the vpn shell command ...

Viewing VTIs Using the vpn shell show Command

To see the list of VTIs you created, run the command in vpn shell:

vpn shell show interface summary all

vpn shell show interface detailed all

A VTI can also be viewed as a regular interface by using the ifconfig -a command.

Adding Static Routes

For a route-based VPN, after the VTIs are created it is necessary to add static routes that point to the VTI as the interface used to reach a peer's internal network. For example, in the mesh VPN above, hosts behind Security Gateway A that need to access the network behind Security Gateway C rely on a static route created on Gateway A. This command can be entered via the Command Line Interface (CLI) as:

route add -net 192.168.16.0/24 gw 10.10.0.4

Alternatively, when adding the route via the CLI, the VTI name can be used instead of the peer's VTI address:

route add -net 192.168.16.0/24 to_C

Check Point recommends configuring static routes using sysconfig in SecurePlatform Pro, as these routes will then survive a reboot, whereas using the CLI may not.
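To make the outbound and inbound routing steps above concrete, here is an added Python model (example code, not Check Point's implementation) of the two route lookups an outbound packet goes through and the VTI re-injection of an inbound one, using Gateway A's VTIs and the two static-route forms shown above; IPsec encryption is represented only by wrapping the inner packet, and Gateway C's external address 216.216.216.1 is taken from the dynamic-routing figure later in this chapter.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: object          # application data, or the inner Packet when IPsec-encapsulated


@dataclass(frozen=True)
class VTI:
    name: str                # e.g. "to_C"
    local_ip: str            # this Gateway's VTI address
    remote_ip: str           # peer's VTI address (usable as "gw" in a static route)
    peer_name: str           # peer Gateway object name
    peer_ext_ip: str         # peer's physical address: the outer IPsec destination


class Gateway:
    def __init__(self, name: str, ext_iface: str, ext_ip: str):
        self.name, self.ext_iface, self.ext_ip = name, ext_iface, ext_ip
        self.vtis = {}                                 # VTI name -> VTI
        self.routes: List[Tuple[ipaddress.IPv4Network, str]] = []
        self.stack: List[Packet] = []                  # clear-text packets handed to the IP stack

    def add_vti(self, vti: VTI) -> None:
        self.vtis[vti.name] = vti

    def add_route(self, net: str, via: str) -> None:
        """`route add -net <net> gw <ip>` or `route add -net <net> <iface>`."""
        self.routes.append((ipaddress.ip_network(net), via))

    def lookup(self, dst: str) -> Optional[str]:
        """Longest-prefix match; returns the interface name or next-hop address."""
        addr = ipaddress.ip_address(dst)
        best = max((r for r in self.routes if addr in r[0]),
                   key=lambda r: r[0].prefixlen, default=None)
        return best[1] if best else None

    def _vti_for(self, via: str) -> Optional[VTI]:
        if via in self.vtis:
            return self.vtis[via]                      # the route named the VTI itself
        return next((v for v in self.vtis.values() if v.remote_ip == via), None)

    def outbound(self, pkt: Packet) -> Tuple[Optional[str], Packet]:
        """Outbound steps: route -> VTI -> encrypt for the peer -> reroute by peer address."""
        via = self.lookup(pkt.dst)
        vti = self._vti_for(via) if via else None
        if vti is None:
            return via, pkt                            # ordinary clear-text route
        # The kernel intercepts the packet at the VTI and encrypts it with the SA to the
        # peer; the new packet carries the peer's IP as destination (wrapping models this).
        enc = Packet(self.ext_ip, vti.peer_ext_ip, pkt)
        return self.lookup(vti.peer_ext_ip), enc       # routing-table entry for the peer

    def inbound(self, enc: Packet) -> Optional[str]:
        """Inbound steps: identify the peer, decapsulate, reroute into the peer's VTI.
        Returns the VTI name, or None when the source is not a known VPN peer."""
        vti = next((v for v in self.vtis.values() if v.peer_ext_ip == enc.src), None)
        if vti is None or not isinstance(enc.payload, Packet):
            return None
        self.stack.append(enc.payload)                 # enters the IP stack through the VTI
        return vti.name


def build_gateway_a() -> Gateway:
    """Gateway A from the chapter's figure, with both static-route forms shown above."""
    a = Gateway("Gateway_A", "eth0", "214.214.214.1")
    a.add_vti(VTI("to_B", "10.10.0.1", "10.10.0.2", "Gateway_B", "215.215.215.1"))
    a.add_vti(VTI("to_C", "10.10.0.3", "10.10.0.4", "Gateway_C", "216.216.216.1"))
    a.add_route("0.0.0.0/0", a.ext_iface)              # default route on the physical interface
    a.add_route("192.168.15.0/24", "to_B")             # route add -net 192.168.15.0/24 to_B
    a.add_route("192.168.16.0/24", "10.10.0.4")        # route add -net 192.168.16.0/24 gw 10.10.0.4
    return a


if __name__ == "__main__":
    gw_a = build_gateway_a()
    print(gw_a.outbound(Packet("192.168.14.10", "192.168.16.20", "data")))
```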

Configuring VTIs on Nokia IPSO

To configure VTIs on Nokia IPSO:

1. Log in to Nokia Voyager.

4. Select the FWVPN ...

5. On the FWVPN Tunnel ...

7. Click Apply. The new VTI ...


Dynamic VPN Routing

OSPF configuration detail is beyond the scope of this chapter. Security Administrators should be familiar with routing protocols, before configuring dynamic routing.

This figure shows VPN dynamic routing over OSPF:

Figure: Dynamic VPN Routing Among Three Sites (Security Gateway "A": ext 214.214.214.1, VTI 10.10.0.1, VTI 10.10.0.3, Internal Network 10.10.30.0/24; Security Gateway "B": ext 215.215.215.1, VTI 10.10.0.2, VTI 10.10.0.5, eth1 10.10.1.1; Security Gateway "C": ext 216.216.216.1, VTI 10.10.0.4, VTI 10.10.0.6, eth1 10.10.1.2)

Enabling Advanced Routing

To configure OSPF on SecurePlatform Pro, the gated daemon must be enabled on each NGX Gateway. The gated daemon is available when advanced routing is enabled. By default, advanced routing is disabled on SecurePlatform Pro. To enable advanced routing and configure OSPF, follow these steps:

1. Using the cpconfig utility, select the option to enable advanced routing.

2. Type Y to enable Advanced Routing.

3. Type Y to restart Check Point services, to enable advanced routing.

Q.) You have upgraded a Gateway from VPN-1/FireWall-1 NG with Application Intelligence (R55) to VPN-1 NGX (R60) on SecurePlatform. How do you make the installation SecurePlatform Pro, so you can use the advanced routing features?

A.) Run the pro enable command in Expert Mode.

Configuring OSPF

On Gateway A:

2. Enter Expert Mode, and ...

3. Type ena or enable, to ...

4. Start configuring OSPF, by typing conf t in ...

5. ... The OSPF process ID should be the same on all Gateways.

6. Enter router-id <IP address>; for example, router-id 214.214.214.1. It can be the physical IP address of the Gateway.

7. Configure vt-Gateway_B as area 0:

ip ospf 1 area 0.0.0.0

Configure vt-Gateway_C as area 0:

ip ospf 1 area 0.0.0.0

Configure eth1 as area 51:

ip ospf 1 area 51.0.0.0

On Gateway B:

1. ...

2. Configure OSPF as the ... in ...:

router ospf 1
router-id 215.215.215.1

Configure the VTI to Gateway_A as area 0:

ip ospf 1 area 0.0.0.0

Configure eth1 as area 0. Gateway_B and Gateway_C are connected to each other on this network. That network must belong to area 0, because OSPF ...

ip ospf 1 area 0.0.0.0


Wire Mode

Wire Mode is usually defined in three places:

1. In the Community > Advanced > Wire Mode screen:

Figure: Wire Mode Screen (Community Properties tree: General, Participating Gateways, VPN Properties, Tunnel Management, Advanced Settings with Excluded Services, Shared Secret, Advanced VPN Properties and Wire Mode; option "Allow uninspected encrypted traffic between Wire mode interfaces")

If Wire Mode Routing is enabled in the Community, it is not necessary to enable Wire Mode per interface.


2. On the gateway object > VPN > VPN Advanced screen:

Figure: VPN Advanced Screen (gateway object tree: General Properties, Topology, NAT, VPN, Link Selection, Remote Access, Authentication, Logs and Masters, Capacity Optimization, Advanced. VPN Tunnel Sharing: Control the number of VPN tunnels opened between peer Gateways: Use the community settings / Custom settings. Restart Options: Perform an organized shutdown of tunnels upon gateway restart. Wire mode: Support Wire mode (and Wire mode routing: route uninspected encrypted traffic in VPN routing configurations); Select the interfaces where traffic destined to Wire mode communities will bypass the Firewall; Log Wire mode traffic. NAT traversal (industry standard): Support NAT traversal (applies to Remote Access and Site to Site connections))

3. Per interface on the Gateway:

Figure: Wire mode interfaces Screen (Select the internal interfaces where traffic destined to Wire mode communities will bypass the Firewall; columns Name, IP Address, Netmask, listing eth1 and eth2 with their addresses and netmask 255.255.255.0)

Configure Wire Mode per interface from the Wire mode interfaces screen:

— Click Add in the list Select the interfaces where traffic destined to Wire mode communities will bypass the Firewall. The internal interfaces on the Gateway will be listed.

— Highlight particular internal interfaces, or select all internal interfaces.

In the following figure, Gateways B and C have Wire Mode enabled, and have trusted internal interfaces defined:

Figure: Wire Mode in Route-Based VPN (Security Gateway B; Internal Network 10.10.20.0/24; host 10.10.30.5)

The Community containing Gateways B and C has Wire Mode and Wire Mode routing enabled. Host 10.10.10.5 (behind Gateway A) sends a packet to 10.10.30.5 (behind Gateway C). Gateway C's Internet connection subsequently fails, so that when 10.10.30.5 tries to reply to 10.10.10.5, the reply packet from 10.10.30.5 will be routed through Gateway B. Without Wire Mode, Stateful Inspection would be enforced at Gateway B, and the packet would be dropped due to "out of state" errors. But with Wire Mode enabled, Gateway B can pass on the traffic and not enforce Stateful Inspection.

Directional VPN Rule Match

Directional VPN Rule Match is a new access-control feature that matches more precisely on VPN traffic and allows expressing rules based on the direction of the traffic, rather than participating IP addresses. Directional VPN Rule Match matches on traffic based on the type of interface group through which traffic enters the Gateway, and the type of interface group through which traffic exits the Gateway. The interfaces are divided into three main groups: internal, external, and VPN interfaces. Traffic going into a VPN tunnel, or coming out of a VPN tunnel, is considered to have passed through a VPN interface. VPN interfaces are referenced by their associated VPN Community.

The Directional VPN Rule Match is configured in the VPN column of the Rule Base, which can now contain the format A > B, where A and B each represent an interface group. Such a rule matches traffic that enters the Gateway through interface group A and leaves the Gateway through interface group B.

Interface Groups

The following is a list of available interface groups:

Existing VPN Community: the default MyIntranet Community, the Remote Access Community, or a user-defined Community

All_Communities: represents the VPN tunnels of all Communities, including the Remote Access Community

All_GwToGw: represents the VPN tunnels of all site-to-site Communities, i.e., any Community except the Remote Access Community

Internal_clear: represents all interfaces designated as "internal"

External_clear: represents all interfaces designated as "external"

Any Traffic: wild card that matches on any type of traffic

Examples

Consider the following VPN rule:

Figure: Directional VPN Rule Match — One Direction (Source: Any; Destination: Any; VPN: Internal_clear > MyIntranet; Service: ftp; Action: accept; Track: Log)

This rule accepts FTP traffic intercepted on any of the Gateway's internal interfaces, which is about to enter a tunnel in the MyIntranet VPN Community.

A route-based VPN makes it possible to not define VPN Domains, while a Directional VPN Rule Match makes it possible to not specify IP addresses for a rule match.

More than one Directional VPN Rule Match condition can be specified in a single rule. Consider the following rule:

Figure: Directional VPN Rule Match — Both Directions (Source: Any; Destination: Any; VPN: Internal_clear > MyIntranet and MyIntranet > Internal_clear; Services: ftp, pop-3; Action: accept; Track: Log)

The above rule can be installed on two or more Gateways that are members of MyIntranet. For each FTP and POP3 connection routed on the tunnel between them, the same rule would match on one Gateway, when traffic passes from an internal interface and into the VPN tunnel. The same rule matches on the other Gateway, when traffic leaves the VPN tunnel and passes to the internal interface.

Consider the following example:

Figure: Directional VPN Rule Match — Between Communities (Source: Any; Destination: Any; VPN: Internal_clear > Community_A and Internal_clear > Community_B; Service: http; Action: accept; Track: Log)

A connection may dynamically change its route without breaking. For example, the above rule allows HTTP traffic to be initiated from the internal interface side, and routed into either the Community_A or Community_B VPN tunnel. The routing can change dynamically between these two Communities, without breaking the connection.
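The three rules shown in this section can be evaluated with the following added Python model of interface-group matching (example code, not Check Point's implementation); the Remote Access Community name RemoteAccess, the interface name eth1 and the rule numbering are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Name of the Remote Access Community (assumed label, constructed for this example).
REMOTE_ACCESS = "RemoteAccess"


@dataclass(frozen=True)
class Endpoint:
    """Where a packet enters or leaves the Gateway: a member of one interface group."""
    kind: str   # "internal", "external", or "vpn" (entering or leaving a tunnel)
    name: str   # interface name, or the Community name when kind == "vpn"


def group_matches(group: str, ep: Endpoint) -> bool:
    """True when interface group `group` (as written in the VPN column) covers `ep`."""
    if group == "Any Traffic":
        return True                          # wild card
    if group == "Internal_clear":
        return ep.kind == "internal"
    if group == "External_clear":
        return ep.kind == "external"
    if ep.kind != "vpn":
        return False                         # the remaining groups are tunnel groups
    if group == "All_Communities":
        return True
    if group == "All_GwToGw":
        return ep.name != REMOTE_ACCESS      # site-to-site Communities only
    return ep.name == group                  # a specific Community


@dataclass(frozen=True)
class Rule:
    number: int
    directions: Tuple[Tuple[str, str], ...]   # each "A > B" condition in the VPN column
    services: Tuple[str, ...]
    action: str

    def matches(self, ingress: Endpoint, egress: Endpoint, service: str) -> bool:
        if "Any" not in self.services and service not in self.services:
            return False
        # Any one of the A > B conditions is enough for the rule to match.
        return any(group_matches(a, ingress) and group_matches(b, egress)
                   for a, b in self.directions)


def first_match(rules: List[Rule], ingress: Endpoint, egress: Endpoint,
                service: str) -> Tuple[Optional[int], str]:
    """First-match Rule Base evaluation; no match falls through to an implicit drop."""
    for rule in rules:
        if rule.matches(ingress, egress, service):
            return rule.number, rule.action
    return None, "drop"


# The three rules from the figures above, combined into one Rule Base (constructed order).
ONE_DIRECTION = Rule(1, (("Internal_clear", "MyIntranet"),), ("ftp",), "accept")
BOTH_DIRECTIONS = Rule(2, (("Internal_clear", "MyIntranet"),
                           ("MyIntranet", "Internal_clear")), ("ftp", "pop-3"), "accept")
BETWEEN_COMMUNITIES = Rule(3, (("Internal_clear", "Community_A"),
                               ("Internal_clear", "Community_B")), ("http",), "accept")
RULE_BASE = [ONE_DIRECTION, BOTH_DIRECTIONS, BETWEEN_COMMUNITIES]

INTERNAL = Endpoint("internal", "eth1")          # assumed internal interface name
MYINTRANET = Endpoint("vpn", "MyIntranet")

if __name__ == "__main__":
    print(first_match(RULE_BASE, INTERNAL, MYINTRANET, "ftp"))    # (1, 'accept')
    print(first_match(RULE_BASE, MYINTRANET, INTERNAL, "pop-3"))  # (2, 'accept')
```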

Tunnel Management

In VPN-1 NGX, there are two types of VPN tunnel management:

Permanent Tunnels — This feature keeps VPN tunnels active, allowing real-time monitoring capabilities.

VPN Tunnel Sharing — This feature provides greater interoperability and scalability between Gateways. It also controls the number of VPN tunnels created between peer Gateways.

Permanent Tunnels

As companies have become more dependent on VPNs for communication to other sites, uninterrupted connectivity has become more crucial than ever before. It is essential to make sure VPN tunnels are kept up and running. Permanent Tunnels are constantly kept active, and as a result, make it easier to recognize malfunctions and connectivity problems. Security Administrators can monitor the two sides of a VPN tunnel, and identify problems without delay. Each VPN tunnel in a Community may be set to be a Permanent Tunnel. Since Permanent Tunnels are constantly monitored, if a VPN tunnel fails for some reason, a log, alert, or user-defined action can be issued. A VPN tunnel is monitored by periodically sending tunnel-test packets. As long as responses to the packets are received, the VPN tunnel is considered "up". If no response is received within a given time period, the VPN tunnel is considered "down".

Permanent Tunnels can only be established between Check Point Gateways. The configuration of Permanent Tunnels takes place on Community objects. There are three options to configure a Permanent Tunnel:

• For the entire Community; this option sets every VPN tunnel in the Community as permanent.

• For a specific Gateway; use this option to configure specific Gateways to have Permanent Tunnels.

• For a single VPN tunnel; this feature allows configuring specific tunnels between specific Gateways as permanent.

Tunnel Testing

A tunnel test is a proprietary Check Point protocol that is used to test whether VPN tunnels are active. A tunnel-test packet has an arbitrary length, with only the first byte containing meaningful data — the type field.

The type field can take any of the following values:

1 - Test

2 - Reply

3 - Connect

4 - Connected

Tunnel testing requires two Gateways, one configured as a "Pinger" and one as a "responder". The Pinger Gateway uses the VPN daemon (vpnd) to send encrypted tunnel-testing packets to the responder Gateway. The responder Gateway is configured to listen on port 18234 for special tunnel-testing packets. The Pinger sends type 1 or 3. The responder sends a packet of identical length, with type 2 or 4 respectively. During the connect phase, tunnel testing is used in two ways:

1. A connect message is sent to the Gateway. Receipt of a connect message is the indication that the connection succeeded. Connect messages are retransmitted for up to 10 seconds after the IKE negotiation is over, if no response is received.

2. A series of test messages with various lengths is sent, so as to discover the Path Maximum Transmission Unit (PMTU) of the connection. This may also take up to 10 seconds. This test is executed to ensure that TCP packets that are too large are not sent, because TCP packets that are too large will be fragmented and slow down performance.

VPN Tunnel Sharing

Since various vendors implement IPSec tunnels in a number of different methods, Administrators need to cope with different means of implementing the IPSec framework. VPN Tunnel Sharing provides interoperability and scalability, by controlling the number of VPN tunnels created between peer Gateways. There are three available settings:

1. One VPN Tunnel per each pair of hosts

2. One VPN Tunnel per subnet pair

3. One VPN Tunnel per Gateway pair

Tunnel-Management Configuration

Tunnel management is configured in the community object:

Figure: Tunnel Management Screen (Community Properties tree: General, Participating Gateways, VPN Properties, Tunnel Management, Advanced Settings. Permanent Tunnels: Set Permanent Tunnels: On all tunnels in the community / On all tunnels of specific Gateways / On specific tunnels in the community; Tunnel down track; Tunnel up track; Enable Route Injection Mechanism (RIM). VPN Tunnel Sharing: Control the number of VPN tunnels opened between peer Gateways: One VPN tunnel per each pair of hosts / One VPN tunnel per subnet pair / One VPN tunnel per Gateway pair)

Permanent-Tunnel Configuration

To set VPN tunnels as permanent, select Set Permanent Tunnels. The following Permanent Tunnel modes are then made available:

• On all tunnels in the community

• On all tunnels of specific Gateways

• On specific tunnels in the community

To make all VPN tunnels permanent in a Community, select On all tunnels in the community.

To make all VPN tunnels of specific Gateways permanent, select On all tunnels of specific Gateways. Select the specific Gateways you want, and all VPN tunnels to the specific Gateway will be set as permanent.

Figure: Specific Gateways Screen (Select gateways to set permanent tunnels with their peer gateways. Community Members: Branch-Office-gw, Corporate-Cluster-1, Corporate-Cluster-2, Remote-3-gw, Remote-4-gw, Remote-5-gw; Selected gateways: Remote-1-gw, Remote-2-gw; Gateway Tunnel Properties button. Note: in case of a conflict between tunnel properties of two gateways, the default tunnel properties which are defined on the community will be used)

Tracking options can be configured for specific Gateways' VPN tunnels in the Gateway tunnels properties screen. Use Community Tracking Option as the default setting. You can select specific tracking options:

Figure: Gateway Tunnel Properties Screen (Set the track options for the permanent tunnels of the selected gateways: Use Community Track Options / Set specific track options for these tunnels: Tunnel down track, Tunnel up track)

To configure specific tunnels in a Community to be permanent, select On specific tunnels in the community. Click the Set Permanent Tunnels button.

Figure: Select Permanent Tunnels Screen (Show all member gateways / Show only specific gateways; a matrix of member Gateways such as Remote-1-gw to Remote-4-gw; Select All Tunnels; Select tunnel between: All Member Gateways and All Member Gateways; Selected Tunnel Properties... button)

In the above screenshot, to make the tunnel between Remote-1-gw and Remote-3-gw permanent, click in the cell where the Remote-1-gw row and the Remote-3-gw column intersect.


1. Click Selected Tunnel Properties and the Tunnel Properties screen is displayed:

Figure: Tunnel Properties Screen (Tunnel endpoints: Remote-1-gw and Remote-3-gw; Set these tunnels to be permanent tunnels; Use Community Track Options / Set specific track options for these tunnels)

2. Click Select these tunnels to be permanent tunnels.

3. Click OK.

Tracking Options

Several types of alerts can be configured to keep Administrators up-to-date on the status of VPN tunnels. Tracking settings can be configured on the Tunnel Management screen of the Community Properties screen for all VPN tunnels, or they can be set individually when configuring the permanent tunnels themselves. The different options are Log, Popup Alert, Mail Alert, SNMP Trap Alert, and User Defined Alert. Choosing one of these alert types will enable immediate identification of the problem and the ability to respond to these issues more effectively.

Advanced Permanent-Tunnel Configuration

Several attributes allow for customization of tunnel tests and intervals for permanent tunnels:

1. In SmartDashboard, select Global Properties > SmartDashboard Customization.

2. Click Configure. The Advanced configuration screen is displayed.


3. Click VPN Advanced Properties > Tunnel Management to view the five attributes:

Attribute: Purpose

life_sign_timeout: designates the amount of time the tunnel test runs without a response before the peer host is declared down.

life_sign_transmitter_interval: sets the time between tunnel tests.

life_sign_retransmissions_count: when a tunnel test does not receive a reply, another test is resent to confirm that the peer is down. The Life Sign Retransmission Count is set to how many times the tunnel test is resent, without receiving a response.

life_sign_retransmissions_interval: sets the time between tunnel tests that are resent, after the tunnel test does not receive a response from the peer.

cluster_status_polling_interval (relevant for HA Clusters only): sets the time between tunnel tests between a primary Gateway and a backup Gateway. The tunnel test is sent by the backup Gateway. When there is no reply, the backup Gateway will become active.

RIM_inject_peer_interfaces: injects the peer's internal network into the routing table (in a Hide NAT situation).
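The tunnel-test packet format described under Tunnel Testing and the life_sign_* attributes in this table are brought together in the following added Python simulation (example code, not Check Point's vpnd); the interval values, the 64-byte packet length and the zero padding are constructed assumptions, and the down/up decision is a model of how the attributes are described here, not a statement of vpnd's exact behaviour.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

TUNNEL_TEST_PORT = 18234          # the responder listens on this port (from the handbook)
TEST, REPLY, CONNECT, CONNECTED = 1, 2, 3, 4
REPLY_FOR = {TEST: REPLY, CONNECT: CONNECTED}   # responder answers 1 with 2, 3 with 4


def build_tunnel_test(msg_type: int, length: int) -> bytes:
    """Pinger side: `length` bytes, of which only the first (the type field) matters.
    The padding is zeros here; the page does not specify the remaining bytes."""
    if msg_type not in REPLY_FOR or length < 1:
        raise ValueError("type must be 1 (Test) or 3 (Connect) and length >= 1")
    return bytes([msg_type]) + bytes(length - 1)


def responder_reply(packet: bytes) -> Optional[bytes]:
    """Responder side: identical length, type 2 for 1 and 4 for 3; None for anything else."""
    if not packet or packet[0] not in REPLY_FOR:
        return None
    return bytes([REPLY_FOR[packet[0]]]) + packet[1:]


def is_valid_reply(request: bytes, reply: Optional[bytes]) -> bool:
    return (reply is not None and len(reply) == len(request)
            and reply[0] == REPLY_FOR.get(request[0]))


@dataclass
class PermanentTunnelMonitor:
    """Pinger-side liveness state driven by the life_sign_* attributes above.
    The numeric defaults are constructed for the simulation, not Check Point defaults."""
    life_sign_timeout: float = 10.0
    life_sign_transmitter_interval: float = 5.0
    life_sign_retransmissions_count: int = 3
    life_sign_retransmissions_interval: float = 1.0
    status: str = "up"
    awaiting_reply: bool = False
    resent: int = 0
    last_sent: Optional[float] = None
    last_reply: float = 0.0
    events: List[Tuple[str, float]] = field(default_factory=list)

    def due(self, now: float) -> bool:
        if self.last_sent is None:
            return True
        gap = (self.life_sign_retransmissions_interval if self.awaiting_reply
               else self.life_sign_transmitter_interval)
        return now - self.last_sent >= gap

    def send(self, now: float, length: int = 64) -> bytes:
        if self.awaiting_reply:
            self.resent += 1               # previous test unanswered: this is a retransmission
        self.awaiting_reply, self.last_sent = True, now
        return build_tunnel_test(TEST, length)

    def receive(self, now: float, request: bytes, reply: Optional[bytes]) -> None:
        if not is_valid_reply(request, reply):
            return
        self.awaiting_reply, self.resent, self.last_reply = False, 0, now
        if self.status == "down":
            self.status = "up"
            self.events.append(("up", now))     # tunnel up track fires here

    def evaluate(self, now: float) -> None:
        """Declare the peer down once the retransmissions are exhausted or the
        timeout since the last answer has elapsed, whichever comes first."""
        if self.status == "up" and self.awaiting_reply and (
                self.resent >= self.life_sign_retransmissions_count
                or now - self.last_reply >= self.life_sign_timeout):
            self.status = "down"
            self.events.append(("down", now))   # tunnel down track: log/alert here


def simulate(monitor: PermanentTunnelMonitor, outage: Tuple[float, float],
             duration: int) -> List[Tuple[str, float]]:
    """Tick once per second; during [outage start, outage end) the responder's
    replies are lost, as if the peer's link had failed (constructed scenario)."""
    for now in range(duration):
        if monitor.due(now):
            request = monitor.send(now)
            lost = outage[0] <= now < outage[1]
            reply = None if lost else responder_reply(request)
            monitor.receive(now, request, reply)
        monitor.evaluate(now)
    return monitor.events


if __name__ == "__main__":
    print(simulate(PermanentTunnelMonitor(), (12, 30), 40))   # [('down', 18), ('up', 30)]
```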

VPN Tunnel Sharing Configuration

VPN Tunnel Sharing provides greater interoperability and scalability, by controlling the number of VPN tunnels created between peer Gateways. Configuration of VPN Tunnel Sharing can be set on both the VPN community and gateway objects.

Tunnel Sharing can be configured as follows:

• One VPN tunnel per each pair of hosts; A VPN tunnel is created for every session initiated between every pair of hosts.

• One VPN tunnel per subnet pair; Once a VPN tunnel has been opened between two subnets, subsequent sessions between the same subnets will share the same VPN tunnel. This is the default setting, and is compliant with the IPSec industry standard.

• One VPN tunnel per Gateway pair; One VPN tunnel is created between peer Gateways and shared by all hosts behind each peer Gateway.

If there is a conflict between the tunnel properties of a VPN Community and a gateway object that is a member of that same Community, the "stricter" setting is used. For example, if a gateway object is set to One VPN Tunnel per each pair of hosts and its Community object is set to One VPN Tunnel per subnet pair, VPN Tunnel Sharing will use One VPN Tunnel per each pair of hosts.

Lab 12: Route-Based VPN Using Static Routes

Scenario: In this lab, you will set up route-based VPNs for the four sites in the figure below. You will create VTIs on these SecurePlatform Pro Gateways. You will add static routes on the Gateways, to reach peers' internal networks through the correct VTI. In this lab, each site has its own SmartCenter Server on the internal Web server (www.citysite.cp). SmartConsole is installed with the SmartCenter Server. To provide VPN redundancy, you will enable a third interface on the Gateway. The third interface will use the IP address 192.168.xx. The third interfaces from two cities connect to one hub.

Figure: Route-Based VPN (fwrome (PartnerCity); fwtoronto (PartnerCity) with VTI 192.168.137.32 and VTI 192.168.137.31; fwoslo (YourCity); fwmadrid (PartnerCity) with VTI 192.168.137.42 and VTI 192.168.137.41)

Reinstall VPN-1 NGX in a Distributed Installation

This lab requires VPN-1 NGX to be running in a distributed installation.

1. Reinstall SecurePlatform as an NGX SecurePlatform Pro Security Gateway, using the same IP addresses as listed in the "Check Point Security Administration NGX III" chapter of this handbook.

2. Uninstall SecureClient NGX from webyourcity.

3. Install the SmartCenter Server on webyourcity.

4. Recreate the objects as listed in the "Check Point Security Administration NGX III" chapter of this handbook, with the addition of a gateway object for fwyourcity, and a host object www.yourcity.cp using the same IP address as webyourcity. Configure your fwyourcity object with FireWall and VPN installed.

5. Rebuild the default Policy as listed in the "Check Point Security Administration NGX III" chapter of this handbook. Verify that the Policy is similar to the following:

Figure: Default Policy (1 NetBIOS Rule: Any, Any, Any Traffic, NBT/bootp/rip, drop, None; 2 SSH Access Rule: Net_Oslo, fwoslo, Any Traffic, accept, Log; 3 Stealth Rule: Any, fwoslo, Any Traffic, Any, drop, Log; 4 WebServer Rule: Any, www.oslo.cp, Any Traffic, http, accept, Log; 5 Partner Cities Rule: Net_Oslo and Net_Madrid, Net_Madrid and Net_Oslo, Any Traffic, accept, Log; 6 Internet Access Rule: Net_Oslo, Any, Any Traffic, http, accept, Log; 7 Cleanup Rule: Any, Any, Any Traffic, Any, drop, Log)

Configure fwyourcity to Join MyIntranet Community

1. Log in to your site's SmartCenter Server in SmartDashboard.

2. Create a simple group object named "novpndomain", and leave the object empty.

3. Edit the Topology screen of fwyourcity. Select Manually Defined under VPN domain options.

4. Select the simple group object novpndomain, and click OK.

Configure fwpartnercity Gateways to Join MyIntranet Community

1. Create externally managed VPN gateway objects for the other three peer Gateways.

2. Select SecurePlatform Pro as the OS.

3. Select Firewall and VPN in the Check Point products list.

4. In the Topology screen for each fwpartnercity gateway object, select Manually defined, under VPN domain options.

5. Select the simple group object novpndomain, and click OK.

6. Save the Policy.

Add Participating Gateways to MyIntranet

1. From the main menu, select Manage > VPN Communities.

2. From the VPN Communities screen, select MyIntranet and click Edit.

3. On the Meshed Community Properties - MyIntranet screen, select Participating Gateways from the tree.

4. Add the three externally managed VPN gateway objects you just created and fwyourcity to the MyIntranet Community.

5. Under Advanced Settings, select Shared Secret.

6. Check the box Use only Shared Secret for all External members.

7. Enter the pre-shared secret abc123 for all external members.

8. Create a new Policy Package with a simple Rule Base, like the following:

Figure: Simple Rule Base (rule 1: Any, Any, Any Traffic, http, accept, Log; rule 2: Any, Any, Any Traffic, Any, drop, Log)

9. Verify and install the Policy.

Create VTIs on fwyourcity

1. Connect to fwyourcity in Expert Mode.

2. The information in the following table will be used to configure the VTIs:

City Name   VTI Name         VTI Addressing Convention   VTI IP Addresses
Rome        vti-fwrome       192.168.137.1x              192.168.137.10, 192.168.137.11, 192.168.137.12
Oslo        vti-fwoslo       192.168.137.2x              192.168.137.20, 192.168.137.21, 192.168.137.22
Toronto     vti-fwtoronto    192.168.137.3x              192.168.137.30, 192.168.137.31, 192.168.137.32
Madrid      vti-fwmadrid     192.168.137.4x              192.168.137.40, 192.168.137.41, 192.168.137.42
Zurich      vti-fwzurich     192.168.138.5x              192.168.138.50, 192.168.138.51, 192.168.138.52
Sydney      vti-fwsydney     192.168.138.6x              192.168.138.60, 192.168.138.61, 192.168.138.62
Cambridge   vti-fwcambridge  192.168.138.7x              192.168.138.70, 192.168.138.71, 192.168.138.72
Singapore   vti-fwsingapore  192.168.138.8x              192.168.138.80, 192.168.138.81, 192.168.138.82


3. Run the vpn shell command to enter vpn shell and configure VTIs.

The syntax for the command is as follows:

vpn shell interface add numbered <Local VTI IP> <Remote VTI IP> <Peer Gateway object name> <VTI name>

Use the naming and addressing conventions to configure VTI addressing, so that the VTI IP addresses between fwyourcity's and fwpartnercity's VTIs end with .x0, the tunnel to the city site across from yours (according to the topology) ends with .x1, and the tunnel from your site to your partner site ends with .x2.

The table above divides the standard lab topology (as outlined in the "Check Point Security Administration NGX III" chapter of this handbook) into two groups of four city sites for the purposes of the VTI IP addressing scheme.


The following figure illustrates this correlation:

Figure: VTI IP Correlations for 192.168.137.xx VTIs. The diagram draws each tunnel between the two VTI addresses that share the same last digit. First group: Rome (192.168.137.1x) to Toronto (192.168.137.3x) on .10 and .30, Rome to Oslo (192.168.137.2x) on .11 and .21, Rome to Madrid (192.168.137.4x) on .12 and .42, Oslo to Madrid on .20 and .40, Oslo to Toronto on .22 and .32, Toronto to Madrid on .31 and .41. Second group: Zurich (192.168.138.5x) to Cambridge (192.168.138.7x) on .50 and .70, Zurich to Sydney (192.168.138.6x) on .51 and .61, Zurich to Singapore (192.168.138.8x) on .52 and .82, Sydney to Singapore on .60 and .80, Sydney to Cambridge on .62 and .72, Cambridge to Singapore on .71 and .81.

For example, the VTIs would be configured on fwrome by entering the following at the vpn shell prompt:

interface add numbered 192.168.137.10 192.168.137.30 fwtoronto vt-fwtoronto

interface add numbered 192.168.137.11 192.168.137.21 fwoslo vt-fwoslo

interface add numbered 192.168.137.12 192.168.137.42 fwmadrid vt-fwmadrid


4. Verify the VTIs in vpn shell. Using fwrome, for example, the output is similar to the following:

VPN shell:[/] > show/interface/summary/all

Interface      Peer Name   Peer ID        Status
vt-fwmadrid    fwmadrid    172.24.104.1   attached
vt-fwoslo      fwoslo      172.22.102.1   attached
vt-fwtoronto   fwtoronto   172.23.103.1   attached

5. Use the .. command to return to the top level of vpn shell, then type quit to leave vpn shell and return to Expert Mode.

6. Type quit to return to Expert Mode.

CONFIGURE VTI TOPOLOGY IN GATEWAY OBJECT

1. After VTIs are created successfully on the four Gateways via the command line, open fwyourcity's gateway object's Topology screen in SmartDashboard on the SmartCenter Server.

2. Click the Get button and select Get interfaces with topology. This will retrieve the newly created VTIs. This example is for fwoslo:

Name          IP Address       Network Mask      IP Addresses behind interface
eth0          172.22.102.1     255.255.0.0       External
eth1          10.2.2.1         255.255.255.0     This Network
eth2          192.168.2.1      255.255.255.0     This Network
vt-fwmadrid   192.168.137.22   255.255.255.255   External
vt-fwrome     192.168.137.20   255.255.255.255   External
vt-toronto    192.168.137.21   255.255.255.255   External

fwoslo Topology Screen with VTIs

If you attempt to edit VTI interfaces, the VTI interface settings are gray in the General screen. The screen shows local IP addresses and the remote peer Gateway's name and IP address.


3. [Step text only partly legible in the scan: it concerns the VTI tab settings that apply to all VTIs, ending with OK.]

4. Verify and in [remainder of the step not legible in the scan]

ADD STATIC ROUTES TO INTERNAL NETWORKS

Your Gateway   Peer Internal Network and Netmask   Peer VTI Address
fwrome         10.1.3.0/24                         192.168.137.30
               10.2.2.0/24                         192.168.137.21
               10.2.4.0/24                         192.168.137.42
fwoslo         10.2.4.0/24                         192.168.137.40
               10.1.1.0/24                         192.168.137.11
               10.1.3.0/24                         192.168.137.32
fwtoronto      10.1.1.0/24                         192.168.137.10
               10.2.4.0/24                         192.168.137.41
               10.2.2.0/24                         192.168.137.22
fwmadrid       10.2.2.0/24                         192.168.137.20
               10.1.3.0/24                         192.168.137.31
               10.1.1.0/24                         192.168.137.12
fwzurich       10.3.7.0/24                         192.168.138.70
               10.4.6.0/24                         192.168.138.61
               10.4.8.0/24                         192.168.138.82
fwsydney       10.4.8.0/24                         192.168.138.80
               10.3.5.0/24                         192.168.138.51
               10.3.7.0/24                         192.168.138.72
fwcambridge    10.3.5.0/24                         192.168.138.50
               10.4.8.0/24                         192.168.138.81
               10.4.6.0/24                         192.168.138.62
fwsingapore    10.4.6.0/24                         192.168.138.60
               10.3.7.0/24                         192.168.138.71
               10.3.5.0/24                         192.168.138.52

1. Add static routes to the internal networks of other sites using sysconfig. Use the above table for the network address of the internal network, and the VTI IP address of the peers.

Adding Network Routes via sysconfig
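The addressing convention from the VTI section and the static-route table above can be turned into a per-gateway plan and checked before anything is typed into vpn shell or sysconfig. The following is an added example, not code from this handbook or from Check Point: it encodes the rule that the two sites of each tunnel share one suffix digit (0, 1 or 2, the three pairings of four sites read off the static-route table), takes the site digits and internal networks from the lab tables, names VTIs vt-<peer> as the fwrome example does, and returns the vpn shell lines together with the (network, peer VTI address) pairs that go into sysconfig. The duplicate-address check is this example's own addition.

```python
"""Plan numbered VTIs and static routes for one four-site lab group.

Added example, not Check Point code. Site digits, internal networks and VTI
bases are the lab's own; the pairing table encodes which sites share which
tunnel suffix, as read off the lab's static-route table.
"""
from itertools import combinations

# site -> (digit used in its VTI addresses, internal network)   [lab values]
GROUP_ONE = {
    "fwrome":    (1, "10.1.1.0/24"),
    "fwoslo":    (2, "10.2.2.0/24"),
    "fwtoronto": (3, "10.1.3.0/24"),
    "fwmadrid":  (4, "10.2.4.0/24"),
}
GROUP_TWO = {
    "fwzurich":    (5, "10.3.5.0/24"),
    "fwsydney":    (6, "10.4.6.0/24"),
    "fwcambridge": (7, "10.3.7.0/24"),
    "fwsingapore": (8, "10.4.8.0/24"),
}
BASE_ONE, BASE_TWO = "192.168.137", "192.168.138"

# Tunnel suffix shared by a pair of sites, keyed by their positions (1st..4th
# by digit) inside the group: the three perfect matchings of four sites.
_SUFFIX_BY_POSITION = {
    frozenset({1, 3}): 0, frozenset({2, 4}): 0,
    frozenset({1, 2}): 1, frozenset({3, 4}): 1,
    frozenset({1, 4}): 2, frozenset({2, 3}): 2,
}


def pair_suffixes(sites):
    """Map each unordered pair of sites in the group to its tunnel suffix."""
    order = sorted(sites, key=lambda s: sites[s][0])
    pos = {s: i + 1 for i, s in enumerate(order)}
    return {frozenset({a, b}): _SUFFIX_BY_POSITION[frozenset({pos[a], pos[b]})]
            for a, b in combinations(sites, 2)}


def vti_ip(base, sites, site, suffix):
    return f"{base}.{sites[site][0]}{suffix}"


def plan(local, sites, base, suffixes=None):
    """Return (vpn shell 'interface add numbered' lines, static routes) for
    gateway `local`. Each route is (peer internal network, peer VTI address),
    the two values entered in sysconfig."""
    suffixes = suffixes or pair_suffixes(sites)
    shell, routes = [], []
    for peer in sorted(p for p in sites if p != local):
        sfx = suffixes[frozenset({local, peer})]
        mine = vti_ip(base, sites, local, sfx)
        theirs = vti_ip(base, sites, peer, sfx)
        shell.append(f"interface add numbered {mine} {theirs} {peer} vt-{peer}")
        routes.append((sites[peer][1], theirs))
    return shell, routes


def check_group(sites, base, suffixes=None):
    """Reject a pairing table in which a local VTI address would be used
    twice (the usual result of a mistyped suffix)."""
    suffixes = suffixes or pair_suffixes(sites)
    owner = {}
    for site in sites:
        shell, _ = plan(site, sites, base, suffixes)
        for line in shell:
            local_ip = line.split()[3]
            if local_ip in owner:
                return False, f"{local_ip} assigned twice (on {owner[local_ip]} and {site})"
            owner[local_ip] = site
    return True, "ok"


if __name__ == "__main__":
    for line in plan("fwrome", GROUP_ONE, BASE_ONE)[0]:
        print(line)
```

Running the module prints the three fwrome lines shown in the VTI section; the returned routes for fwrome, fwoslo and the second-group gateways reproduce the rows of the static-route table, which is the check worth doing before configuring a peer by hand.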

2. Connect via HTTP from each site's internal Web server to another site's server.

3. Launch SmartView Tracker. Verify HTTP traffic is encrypted and decrypted by the correct Gateway.


4. The outbound traffic from the local network will show in SmartView Tracker from the internal interface of your fwyourcity, while inbound traffic will show as arriving on the VTI from that partner city.

ENABLE VPN DIRECTIONAL RULE MATCH

1. In SmartDashboard, select Policy > Global Properties > VPN Advanced, and check the box Enable VPN Directional Match in VPN Column:

Figure: VPN Directional Match in VPN Selected. The Global Properties window open at VPN > Advanced, with the option Enable VPN Directional Match in VPN Column checked. The screen also carries the options Enable Backup Gateway, Enable load distribution for Multiple Entry Point configurations (Site To Site connections), Enable decrypt on accept for gateway to gateway traffic, the CRL Grace Period settings, the IKE Denial of Service protection settings, and a note that VPN Directional Match is supported on IPSO, Linux and SecurePlatform platforms.

2. Click OK.

3. Highlight your Partner Cities Rule, and select Rules > Add Rule > Below.


4. In the rule just created, name the rule "Outbound VPN", and use the following table to configure it:

Source Any

Destination Any

VPN Any Traffic

Service HTTP, FTP

Action Accept

Track Log

5. Right-click on the VPN column of the rule you have just created, and select the Edit Cell option.

6. In the VPN Match Conditions screen, select Match Traffic in this direction only, and click Add.

7. Configure the Directional VPN Match Condition screen as follows:

Match on traffic reaching the Gateway from:   Internal_clear
Match on traffic leaving the Gateway to:      MyIntranet

Directional VPN Match Condition Screen

8. Click OK to close the screen, and click OK again to close the VPN Match Conditions screen.

9. Set the action as Accept and the tracking as Log.


10. Add a rule below the Outbound VPN rule, named "VPN Inbound Rule". Use the following information to configure the rule:

Source Any

Destination Any

VPN MyIntranet > Internal_clear

Service HTTP, FTP

Action Accept

Track Log

11. Verify that your rules look like the following:

Name                Source   Destination   VPN                           Service   Action   Track
VPN OutBound Rule   Any      Any           Internal_clear > MyIntranet   http      accept   Log
VPN InBound Rule    Any      Any           MyIntranet > Internal_clear   http      accept   Log

VPN Directional Rules

12. Disable the following rules:

• Webserver Rule

• Partner Cities Rule

• Internet Access Rule

13. Verify and install the Policy.

VPN directional rules can limit traffic, as do Source and Destination in a standard rule. In circumstances where a partner site is not completely trusted, source and destination objects could be configured in the VPN directional rule as an added layer of security.
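The directional match set up in steps 5 to 10, and the extra layer the note above suggests, can be modelled in a few lines. This is an added example, not Check Point code or material from this lab: it treats each rule's VPN cell as either Any Traffic or a (from, to) pair, where each side is Internal_clear or a community name, and evaluates packets first-match, top-down, on source, destination, VPN direction and service. Addresses and rule names are the lab's; the Net_Oslo restriction in RESTRICTED_RULES is a constructed variant used only to show what a source or destination object in a directional rule adds.

```python
"""Simplified model of VPN directional match in a Rule Base.

Added example, not Check Point code. A rule's VPN cell is either Any Traffic
(None here) or a (from, to) pair, each side being Internal_clear or a
community name; a packet matches on the side it reached the gateway from and
the side it leaves towards. Matching is first-match, top-down. Addresses are
the lab's; the Net_Oslo restriction in RESTRICTED_RULES is constructed.
"""
import ipaddress

ANY = "Any"


def rule(name, src, dst, vpn, services, action):
    return {"name": name, "src": src, "dst": dst, "vpn": vpn,
            "services": services, "action": action}


def nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


# Lab 12 rules once the Partner Cities Rule is disabled, plus the cleanup rule.
LAB_RULES = [
    rule("VPN OutBound Rule", ANY, ANY, ("Internal_clear", "MyIntranet"),
         {"http", "ftp"}, "accept"),
    rule("VPN InBound Rule", ANY, ANY, ("MyIntranet", "Internal_clear"),
         {"http", "ftp"}, "accept"),
    rule("Cleanup Rule", ANY, ANY, None, ANY, "drop"),
]

# Constructed variant: the inbound rule only admits traffic to the local net.
RESTRICTED_RULES = [
    LAB_RULES[0],
    rule("VPN InBound Rule", ANY, nets("10.2.2.0/24"),
         ("MyIntranet", "Internal_clear"), {"http", "ftp"}, "accept"),
    LAB_RULES[2],
]


def packet(src, dst, from_side, to_side, service="http"):
    return {"src": src, "dst": dst, "from_side": from_side,
            "to_side": to_side, "service": service}


def _addr_ok(field, ip):
    return field == ANY or any(ipaddress.ip_address(ip) in n for n in field)


def _vpn_ok(field, pkt):
    # Any Traffic matches every direction; a directional cell matches one.
    return field is None or field == (pkt["from_side"], pkt["to_side"])


def _svc_ok(field, service):
    return field == ANY or service in field


def first_match(rules, pkt):
    """Return (rule name, action) of the first matching rule; an implicit
    drop applies when no rule matches."""
    for r in rules:
        if (_addr_ok(r["src"], pkt["src"]) and _addr_ok(r["dst"], pkt["dst"])
                and _vpn_ok(r["vpn"], pkt) and _svc_ok(r["services"], pkt["service"])):
            return r["name"], r["action"]
    return None, "drop"
```

With the lab rules alone, a connection arriving from the community and leaving towards another community member matches neither directional rule and falls through to the cleanup rule; with the restricted inbound rule, a partner's connection to a host outside Net_Oslo is dropped even though it arrived through the tunnel.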

14. Initiate HTTP traffic from webyourcity to one of your partner cities. Have that partner initiate traffic to you.


15. Locate the traffic in SmartView Tracker. You should see outbound traffic being logged from fwyourcity's internal interface, while inbound traffic will be logged from the VTI for that partner city:

Number: 1297
Date: 14Apr2006
Time: 13:17:23
Product: VPN-1 Pro/Express
Interface: eth1
Origin: fwoslo (172.22.102.1)
Type: Log
Action: Encrypt
Protocol: tcp
Service: http (80)
Source: www.oslo.cp (10.2.2.102)
Destination: 10.2.4.104
Rule: 6
Current Rule Number: 6-Standard
Rule UID: {3E04E9FD-C52B-4716-9311-DF4FC2D95E34}
Rule Name: VPN OutBound Rule
Source Port: 1451
Encryption Scheme: IKE
VPN Peer Gateway: fwmadrid (172.24.104.1)
Encryption Methods: ESP: AES-128 + MD5
Community: MyIntranet
Subproduct: VPN
VPN Feature: VPN
Information: service_id: http
Policy Info: Policy Name: Standard; Created at: Fri Apr 14 13:16:31 2006; Installed from: weboslo

SmartView Tracker - Outbound Traffic


(The upper part of this record, the Source, Destination, Rule, Current Rule Number, Rule UID, Rule Name, Source Port and User fields, is not legible in the scan.)
Encryption Scheme: IKE
VPN Peer Gateway: fwmadrid (172.24.104.1)
Encryption Methods: ESP: AES-128 + MD5
Community: MyIntranet
Subproduct: VPN
VPN Feature: VPN
Information: service_id: http
Policy Info: Policy Name: Standard; Created at: Fri Apr 14 13:28:30 2006; Installed from: weboslo

SmartView Tracker - Inbound Traffic

CONFIGURE WIRE MODE

In this section, three of the four sites in each group participate. The members participating in the first group include: Rome, Oslo, and Toronto. Madrid will not participate. For group two, Singapore is not participating. For the instructions, replace Rome with Zurich, Oslo with Cambridge, and Toronto with Sydney.

1. Enable Wire mode on each of the participating Gateways: Open fwyourcity > VPN > VPN Advanced, and select Support Wire Mode and Log Wire mode traffic.


2. On each of the participating gateway objects, edit the MyIntranet community object. Select Advanced Settings > Wire mode, and select Allow uninspected encrypted traffic ... fwrome also selects Wire Mode routing.

Figure: Wire Mode Properties for fwrome (and fwzurich). The Meshed Community Properties tree (General, Participating Gateways, VPN Properties, Tunnel Management, Advanced Settings: Excluded Services, Shared Secret, Advanced VPN Properties, Wire Mode) open at Wire Mode, with both options under Bypass the Firewall checked:
  [x] Allow uninspected encrypted traffic between Wire mode interfaces of this Community's members
  [x] Wire mode routing - Allow members to route uninspected encrypted traffic in VPN routing configurations

3. Verify and install the Policy.

4. fwoslo opens an FTP session to fwtoronto. Run ls to query the directory.

5. Verify in SmartView Tracker that the FTP session is using the configured VTI.

6. fwoslo and fwtoronto edit their routing tables using sysconfig, deleting the routes to each other's internal networks via their respective VTIs.

7. fwoslo and fwtoronto use sysconfig to add new network routes to each other's internal networks, using their VTIs to fwrome as the Gateway.

8. fwoslo reissues an ls command to query the directory in the FTP session.


On fwoslo and fwtoronto, verify in SmartView Tracker that the FTP session was encrypted:

Figure: SmartView Tracker for fwtoronto. The log view on fwtoronto (records up to 1551, 14Apr2006, 17:40 to 17:57) showing the TCP ftp session from 10.2.2.102 to www.toronto.cp; the remaining columns are not legible in the scan.


On fwrome, verify that Wire Mode routing was in effect:

Number: 855
Date: 14Apr2006
Time: 17:47:36
Product: VPN-1 Pro/Express
Interface: vt-fwoslo
Origin: fwrome (172.21.101.1)
Type: Log
Action: VPN Routing
Protocol: tcp
Service: ftp (21)
Source: www.oslo.cp (10.2.2.102)
Destination: www.toronto.cp (10.1.3.103)
Rule: 0 - Implied Rules
Source Port: 1612
Information: connectivity level: Wire
  dst scheme: IKE
  dst methods: ESP: AES-128 + MD5
  dst peer gateway: fwtoronto
  dst community: MyIntranet
Policy Info: Policy Name: Standard; Created at: Fri Apr 14 17:33:25 2006; Installed from: webrome

VPN Routing Wire Mode Log
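The three kinds of record this lab asks you to find in SmartView Tracker (the outbound Encrypt on the internal interface, the inbound record on the partner's VTI, and the Wire Mode "VPN Routing" record on fwrome) can be checked mechanically once the detail screen is read as "Field: value" lines. The following is an added example, not Check Point code: the sample records are constructed from the Tracker screens shown in this lab (the values are the lab's; the inbound sample's Action and Interface are assumed, since only the lower half of that screen is legible), and the expectations it applies are the ones stated in the text, so a record whose VTI does not belong to its peer gateway is reported.

```python
"""Classify SmartView Tracker VPN records and flag inconsistent ones.

Added example, not Check Point code. A record is the "Field: value" lines of
a Tracker detail screen. The samples are constructed from the screens shown
in this lab (values are the lab's); the inbound sample's Action and Interface
are assumed. Rules applied, taken from the text of this lab:
  - outbound traffic is Encrypted on a physical internal interface;
  - inbound traffic is Decrypted on the VTI named after its peer (vt-<peer>);
  - a wire-mode record is a "VPN Routing" action on a VTI, connectivity Wire.
"""
import re


def parse_record(text):
    """Split 'Field: value' lines into a dict (first colon ends the field)."""
    rec = {}
    for line in text.strip().splitlines():
        key, sep, value = line.partition(":")
        if sep:
            rec[key.strip()] = value.strip()
    return rec


def peer_name(rec):
    """'fwmadrid (172.24.104.1)' -> 'fwmadrid'."""
    m = re.match(r"(\S+)", rec.get("VPN Peer Gateway", ""))
    return m.group(1) if m else ""


def classify(rec):
    """Return (category, anomalies) for one parsed record."""
    action = rec.get("Action", "")
    iface = rec.get("Interface", "")
    on_vti = iface.startswith("vt-")
    peer = peer_name(rec)
    problems = []
    if action == "Encrypt":
        category = "outbound-encrypted"
        if on_vti:
            problems.append(f"Encrypt logged on VTI {iface}; expected an internal interface")
        if "Encryption Methods" not in rec:
            problems.append("no Encryption Methods field")
    elif action == "Decrypt":
        category = "inbound-decrypted"
        if not on_vti:
            problems.append(f"Decrypt logged on {iface}; expected a VTI")
        elif peer and iface != f"vt-{peer}":
            problems.append(f"VTI {iface} is not the VTI for peer {peer}")
    elif action == "VPN Routing":
        category = "wire-mode-routed"
        if "connectivity level: Wire" not in rec.get("Information", ""):
            problems.append("VPN Routing without connectivity level Wire")
        if not on_vti:
            problems.append(f"wire-mode routing logged on {iface}; expected a VTI")
    else:
        category = "cleartext"   # e.g. an Accept via the Partner Cities Rule
    return category, problems


SAMPLES = {
    # Constructed from the lab screen "SmartView Tracker - Outbound Traffic".
    "outbound": """
Interface: eth1
Origin: fwoslo (172.22.102.1)
Action: Encrypt
Service: http (80)
Source: www.oslo.cp (10.2.2.102)
Destination: 10.2.4.104
Rule Name: VPN OutBound Rule
Encryption Scheme: IKE
VPN Peer Gateway: fwmadrid (172.24.104.1)
Encryption Methods: ESP: AES-128 + MD5
Community: MyIntranet
""",
    # Inbound record; Action and Interface are assumed (not legible in the lab).
    "inbound": """
Interface: vt-fwmadrid
Origin: fwoslo (172.22.102.1)
Action: Decrypt
Service: http (80)
Source: 10.2.4.104
Destination: www.oslo.cp (10.2.2.102)
Encryption Scheme: IKE
VPN Peer Gateway: fwmadrid (172.24.104.1)
Encryption Methods: ESP: AES-128 + MD5
Community: MyIntranet
""",
    # Constructed from the lab screen "VPN Routing Wire Mode Log".
    "wire": """
Interface: vt-fwoslo
Origin: fwrome (172.21.101.1)
Action: VPN Routing
Service: ftp (21)
Source: www.oslo.cp (10.2.2.102)
Destination: www.toronto.cp (10.1.3.103)
Rule: 0 - Implied Rules
Information: connectivity level: Wire
dst peer gateway: fwtoronto
dst community: MyIntranet
""",
}
# Constructed fault: a Decrypt on a VTI that does not belong to the peer.
SAMPLES["mismatch"] = SAMPLES["inbound"].replace("Interface: vt-fwmadrid", "Interface: vt-fwrome")


def triage(samples=SAMPLES):
    return {name: classify(parse_record(text)) for name, text in samples.items()}
```

triage() returns the category and any anomalies per record; in practice the same function would be run over records exported from SmartView Tracker rather than over the embedded samples.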

Continue to next lab.


Lab 13: Dynamic VPN Routing Using OSPF

LAB 13: DYNAMIC VPN ROUTING USING OSPF

Scenario: Configure OSPF on participating Security Gateways, to access networks behind Gateways via VTI.

Figure: Dynamic VPN Routing Using OSPF. The lab topology for the first group, with fwoslo (YourCity) and the partner cities fwrome, fwtoronto and fwmadrid joined by VTIs: fwrome 192.168.137.10, 192.168.137.11 and 192.168.137.12; fwoslo 192.168.137.21 and 192.168.137.22; fwtoronto 192.168.137.31 and 192.168.137.32; fwmadrid 192.168.137.41 and 192.168.137.42; a host at 192.168.22.101 on the sync network. Some labels are not legible in the scan.


UPDATE THE POLICY FOR OSPF ROUTING

1. In SmartDashboard > MyIntranet > Advanced VPN settings, enable Allow uninspected encrypted traffic ... and Wire Mode routing.

2. Click OK to close the MyIntranet VPN community.

3. From fwyourcity > VPN > Advanced properties, select Support Wire Mode and Log Wire mode traffic. Assign your sync network interface (eth2) to the Wire Mode community object.

4. Add a rule below your VPN Inbound Rule. Configure the rule using the following information:

Name Wire Mode Rule

Source Any

Destination Any

VPN MyIntranet => MyIntranet

Service HTTP, FTP

Action accept

Track Log

All four members of each group now have the same Wire Mode configuration.

5. Delete your Web server access rule.

6. Create a new host object using the following information:

Name multicast-ospf

IP address 224.0.0.5

7. Create a new network object using the following information:

Name VTINetworks

Network Address 192.168.137.0

Network Mask 255.255.255.0


8. In the Policy, add a rule above the Stealth Rule. Configure it using the following information:

Name OSPF Broadcast Rule

Source VTINetworks, Synch_yourcity_partnercity

Destination fwyourcity, multicast-ospf

VPN Any Traffic

Service ospf

Action accept

Track Log

9. Verify that your Policy is configured similar to the following:

No.  Name                  Source                             Destination           VPN                           Service              Action   Track
1    NetBIOS Rule          Any                                Any                   Any Traffic                   bootp, [illegible]   drop     Log
2    SSH Access Rule       Net_Oslo                           fwoslo                Any Traffic                   ssh                  accept   Log
3    OSPF Broadcast Rule   VTI_Networks, Synch_Oslo_Madrid    fwoslo, multicast-ospf  Any Traffic                 ospf                 accept   Log
4    Stealth Rule          Any                                fwoslo                Any Traffic                   Any                  drop     Log
5    Partner Cities Rule   Net_Oslo, Net_Madrid               Net_Madrid, Net_Oslo  Any Traffic                   http, ftp            accept   Log
6    VPN OutBound Rule     Any                                Any                   Internal_clear => MyIntranet  http, ftp            accept   Log
7    VPN InBound Rule      Any                                Any                   MyIntranet => Internal_clear  http, ftp            accept   Log
8    Wire Mode Rule        Any                                Any                   MyIntranet => MyIntranet      http, ftp            accept   Log
9    Internet Access Rule  Net_Oslo                           Any                   Any Traffic                   http                 accept   Log
10   Cleanup Rule          Any                                Any                   Any Traffic                   Any                  drop     Log

OSPF Routing-Enabled Policy (fwoslo's Rule Base, reconstructed from the screenshot as far as legible)

10. Save, but do not install the Policy.


City Site interfaces and VTIs table (only partly legible in the scan). Per site, the legible values are the gateway address, the value shown beside it, and the interfaces and VTIs listed with 0.0.0.0 entries (OSPF area 0.0.0.0, per the text that follows):

172.21.101.1   10.0.0.0   vt-fwmadrid and further interfaces   0.0.0.0
172.22.102.1   20.0.0.0   Oslo: eth1                           0.0.0.0
172.23.103.1   30.0.0.0                                        0.0.0.0
172.24.104.1   40.0.0.0   eth1                                 0.0.0.0
172.25.105.1   50.0.0.0   eth1                                 0.0.0.0
172.26.106.1   60.0.0.0   eth1                                 0.0.0.0
172.27.107.1   70.0.0.0   eth1, eth2                           0.0.0.0
172.28.108.1   80.0.0.0   eth1                                 0.0.0.0

CONFIGURE OSPF ON FWYOURCITY

conf 11

1. [step text not legible in the scan]

router ospf 1 creates an OSPF routing instance. 1 is the [remainder not legible in the scan]


RECONFIGURE ANTI-SPOOFING ON FWYOURCITY

The OSPF configuration has now defined how the GateD daemon will handle any traffic coming to the interfaces and VTIs. Allowing this traffic through VPN-1 NGX requires reconfiguring anti-spoofing:

1. Right-click fwyourcity and select Edit.

2. Expand the Topology branch from the Properties screen, and click the Get button.

3. Select Interfaces with Topology from the drop-down list. A warning message displays:

Check Point SmartDashboard: "Topology and Anti-Spoofing settings that are already defined will be overwritten by results of this operation that contradict them, if any. Do you want to continue?"

Anti-Spoofing Warning

4. Click Yes. A status screen opens, showing SmartDashboard attempting to fetch the topology information. On completion, a notice opens about the Topology fetch being incomplete:

"Topology fetch was incomplete. To make Anti-Spoofing work correctly, accept the results, and then manually edit the topology definitions."

Topology Fetch Incomplete


The Get Topology Results screen opens, showing the interfaces as they are defined in the fwyourcity object. Since VPN-1 NGX is querying routing information from the operating system, VTIs are considered interfaces by anti-spoofing.

The topology was retrieved successfully. The following table shows every interface found for the given machine. Networks (or a group of them) that reside behind each interface are also shown here.

Name        IP Address       Network Mask      IP Addresses behind interface                           Direction
eth0        172.22.102.1     255.255.0.0                                                               External
vt-fwrome   192.168.137.21   255.255.255.255                                                           External
eth1        10.2.2.1         255.255.255.0                                                             Internal
eth2        192.168.22.102   255.255.255.0     fwoslo_eth2 (group), containing:                        Internal
                                                 Synch_Oslo_Madrid    192.168.22.0     255.255.255.0
                                                 Net_192.168.137.31   192.168.137.31   255.255.255.255
                                                 Net_192.168.137.12   192.168.137.12   255.255.255.255
                                                 Net_Madrid           10.2.4.0         255.255.255.0

Legend: New object; Existing object was used.

Get Topology Results Screen

Notice that networks made accessible by configuring OSPF areas in the operating system are included in the simple group attached to eth2, the physical interface configured as part of OSPF area 0.0.0.0.

5. Click Accept. The Get Topology Results screen closes.


7. Click OK to close fwyourcity.

8. Save and install the Policy.

VERIFY ROUTES AND OSPF CONFIGURATION

Verify with your classmates that OSPF is configured on all four Gateways. Run the show ip ospf neighbor and show ip route commands in router privileged

enable

show ip ospf nei


4. Review the output. The example below shows fwoslo output:

Neighbor 172.24.104.1, interface address 192.168.22.104
    In area 0.0.0.0 interface eth2
    Neighbor priority is 1, state is Full 7 state changes
    DR is 192.168.22.104 BDR is 192.168.22.102
    Options is 18
    Dead timer is due in 38 seconds

Neighbor 172.23.103.1, interface address 192.168.137.32
    Neighbor priority is 0, state is Full 7 state changes
    DR is 0.0.0.0 BDR is 0.0.0.0
    Options is 18
    Dead timer is due in 33 seconds


The output will be similar to the following:

Codes: C - connected, S - static, R - RIP, B - BGP, O - OSPF
       D - DVMRP, 3 - OSPF3, I - IS-IS, K - Kernel
       A - Aggregate

K 0.0.0.0/0               [0/40]  via 172.22.102.2, 05:21:46, eth0
O 10.1.1.0/24             [20/10] via 192.168.137.11, 03:44:26, vt-fwrome
O 10.1.3.0/24             [20/10] via 192.168.137.32, 03:41:56, vt-fwtoronto
C 10.2.2.0/24             [1/0]   via 10.2.2.1, 05:21:45, eth1
O 10.2.4.0/24             [20/10] via 192.168.22.104, 03:45:29, eth2
S 127.0.0.0/8             [0/0]   via 127.0.0.1, 05:21:45, lo
C 127.0.0.1/32            [1/0]   via 127.0.0.1, 05:21:45, lo
C 172.22.0.0/16           [1/0]   via 172.22.102.1, 05:21:45, eth0
C 192.168.22.0/24         [1/0]   via 192.168.22.102, 05:21:45, eth2
C 192.168.137.11/32       [1/0]   via 192.168.137.21, 05:21:45, vt-fwrome
O 192.168.137.12/32       [20/10] via 192.168.22.104, 03:45:29, eth2
C 192.168.137.20/32       [1/0]   via 127.0.0.1, 05:21:45, lo
C 192.168.137.21/32       [1/0]   via 127.0.0.1, 05:21:45, lo
C 192.168.137.22/32       [1/0]   via 127.0.0.1, 05:21:45, lo
O 192.168.137.31/32       [20/10] via 192.168.22.104, 03:45:29, eth2
C 192.168.137.32/32       [1/0]   via 192.168.137.22, 05:21:45, vt-fwtoronto
C 192.168.137.40/32       [1/0]   via 192.168.137.20, 05:21:45, vt-fwmadrid
O 192.168.137.41/32       [20/10] via 192.168.137.32, 03:41:56, vt-fwtoronto
O 192.168.137.42/32       [20/10] via 192.168.137.11, 03:44:26, vt-fwrome

As the output of sh ip routes shows, networks available through OSPF area 0.0.0.0 are listed as OSPF created routes. Only the kernel and loopback routes are shown as coming from the network routing configuration. Connected routes are created from the VTI definitions in vpn shell.
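The routing table above is worth reading by machine as well as by eye, because the question that matters for the next section is not only where each route came from but which interface traffic to each peer's internal network actually leaves on. The following is an added example, not Check Point code: it parses the fwoslo listing shown above (embedded as constructed input with each prefix joined to its next-hop column), counts routes by source code, lists the connected routes the VTI definitions created, and compares the path to each peer network against the VTI the Lab 12 static routes used for it. The expected-VTI table is fwoslo's rows of that static-route table.

```python
"""Parse the router's "show ip route" output and audit paths to peer networks.

Added example, not Check Point code. ROUTE_OUTPUT is the fwoslo listing
shown above, each prefix joined to its next-hop column. EXPECTED_VTI gives,
for each peer's internal network, the VTI the Lab 12 static routes used.
"""
import re
from collections import Counter

ROUTE_OUTPUT = """
Codes: C - connected, S - static, R - RIP, B - BGP, O - OSPF
       D - DVMRP, 3 - OSPF3, I - IS-IS, K - Kernel
       A - Aggregate

K 0.0.0.0/0               [0/40]  via 172.22.102.2, 05:21:46, eth0
O 10.1.1.0/24             [20/10] via 192.168.137.11, 03:44:26, vt-fwrome
O 10.1.3.0/24             [20/10] via 192.168.137.32, 03:41:56, vt-fwtoronto
C 10.2.2.0/24             [1/0]   via 10.2.2.1, 05:21:45, eth1
O 10.2.4.0/24             [20/10] via 192.168.22.104, 03:45:29, eth2
S 127.0.0.0/8             [0/0]   via 127.0.0.1, 05:21:45, lo
C 127.0.0.1/32            [1/0]   via 127.0.0.1, 05:21:45, lo
C 172.22.0.0/16           [1/0]   via 172.22.102.1, 05:21:45, eth0
C 192.168.22.0/24         [1/0]   via 192.168.22.102, 05:21:45, eth2
C 192.168.137.11/32       [1/0]   via 192.168.137.21, 05:21:45, vt-fwrome
O 192.168.137.12/32       [20/10] via 192.168.22.104, 03:45:29, eth2
C 192.168.137.20/32       [1/0]   via 127.0.0.1, 05:21:45, lo
C 192.168.137.21/32       [1/0]   via 127.0.0.1, 05:21:45, lo
C 192.168.137.22/32       [1/0]   via 127.0.0.1, 05:21:45, lo
O 192.168.137.31/32       [20/10] via 192.168.22.104, 03:45:29, eth2
C 192.168.137.32/32       [1/0]   via 192.168.137.22, 05:21:45, vt-fwtoronto
C 192.168.137.40/32       [1/0]   via 192.168.137.20, 05:21:45, vt-fwmadrid
O 192.168.137.41/32       [20/10] via 192.168.137.32, 03:41:56, vt-fwtoronto
O 192.168.137.42/32       [20/10] via 192.168.137.11, 03:44:26, vt-fwrome
"""

ROUTE_LINE = re.compile(
    r"^([A-Z0-9])\s+(\S+/\d+)\s+\[(\d+)/(\d+)\]\s+via\s+(\S+),\s+(\S+),\s+(\S+)$")


def parse_routes(text):
    """Return one dict per route line; the Codes legend does not match."""
    routes = []
    for raw in text.strip().splitlines():
        m = ROUTE_LINE.match(raw.strip())
        if m:
            code, prefix, dist, metric, via, age, iface = m.groups()
            routes.append({"code": code, "prefix": prefix, "distance": int(dist),
                           "metric": int(metric), "via": via, "age": age, "iface": iface})
    return routes


def count_by_code(routes):
    return Counter(r["code"] for r in routes)


def vti_connected(routes):
    """Peer VTI addresses present as connected routes on VTIs, i.e. the
    routes the vpn shell VTI definitions created."""
    return {r["prefix"] for r in routes
            if r["code"] == "C" and r["iface"].startswith("vt-")}


EXPECTED_VTI = {  # fwoslo's rows of the Lab 12 static-route table
    "10.2.4.0/24": "vt-fwmadrid",
    "10.1.1.0/24": "vt-fwrome",
    "10.1.3.0/24": "vt-fwtoronto",
}


def audit_peer_paths(routes, expected=EXPECTED_VTI):
    """For each peer network: (interface the route uses, route source code,
    True if that is the expected VTI). A False entry means traffic to that
    site leaves on some other interface, here the leased line on eth2, and so
    does not go through the tunnel."""
    by_prefix = {r["prefix"]: r for r in routes}
    audit = {}
    for network, vti in expected.items():
        r = by_prefix.get(network)
        audit[network] = ((None, None, False) if r is None
                          else (r["iface"], r["code"], r["iface"] == vti))
    return audit
```

On this table the audit reports Madrid's network 10.2.4.0/24 as reachable over eth2 rather than vt-fwmadrid, which is exactly why the next section sees cleartext HTTP to the partner city matched by the Partner Cities Rule until the leased line is unplugged.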

TEST VPN TUNNELS

1. Start an HTTP or FTP connection from your Web server, to a host behind one of the VPN Peer Gateways.

2. Observe in SmartView Tracker that the connection is decrypted by the peer Gateway on the correct VTI.

3. Start an HTTP or FTP connection to your partner city.


4. Observe in SmartView Tracker that the connection is shown as a cleartext connection, allowed via the Partner Cities Rule:

Figure: SmartView Tracker Entries for Three Peer Sites of fwoslo. Records 5823 to 5853 (17Apr2006, 18:58:31 to 18:59:54, origin fwoslo, all TCP http from www.oslo.cp): connections to 10.1.3.103 match rule 6, connections to 10.2.4.104 (the partner city) match rule 5. Other columns are not legible in the scan.

5. Unplug one side of the leased-line connection between you and your partner city.

6. Reinitiate an HTTP or FTP connection to your partner city.


7. Observe in SmartView Tracker that the connection is now encrypted:

Figure: Encrypted Traffic Between fwoslo and fwmadrid. Records 5862 to 5892 (17Apr2006, 18:59:55 to 19:00:21, source www.oslo.cp): destinations 10.1.3.103 and 10.1.1.101 match rule 6, and entries to 10.2.4.104 match rule 5. Other columns are not legible in the scan.


8. Verify with one of your VPN peer cities that traffic has passed through its site, based on the Wire Mode configuration:

Figure: Wire Mode Traffic Between fwoslo and fwmadrid. SmartView Tracker on fwrome (17Apr2006, about 18:50 to 19:00): TCP http entries from www.oslo.cp to www.madrid.cp with origin fwrome, showing that the traffic passed through fwrome. Most columns are not legible in the scan.


Review

REVIEW

• Route-based VPNs can encrypt traffic between hosts or networks not specified in a Security Gateway's VPN Domain.

• VPN Tunnel Interfaces (VTIs) are configured with VPN-1 NGX, but work at the OS level, using either static routes defined for the VTIs or dynamic-routing protocols.

• Route-based VPNs expand on VPN Domains, but do not replace them. When VPN-1 NGX determines what to do with a packet, VPN Domain state tables are checked first. If no information is found for the packet, OS routing tables are used to verify whether or not routes for the VTIs are configured.

• Open Shortest Path First (OSPF) relies on multicast protocols and can only be used with VTIs.

• A VTI associated tunnel behaves like a point-to-point link between two Gateways. The tunnel and its properties are defined by a VPN Community linking the two Gateways.

• A VTI can be configured to work with a VPN Domain on a peer, but a VTI-to-VTI tunnel is the recommended configuration.

• VTIs can be numbered or unnumbered. A numbered VTI has a unique IP address assigned to it, while an unnumbered VTI uses a proxied IP address from a physical interface. SecurePlatform Pro uses numbered VTIs, while Nokia IPSO uses unnumbered VTIs.

• Dynamic routing (using protocols such as BGP and OSPF) can be used to propagate routing information across VPNs, or between Security Gateways.

• Dynamic routing's key advantage is that if a specific VPN path fails, a new route can be established from OSPF routing information.

• SecurePlatform Pro NGX natively supports the following dynamic-routing protocols: OSPF, BGP, RIPv1, and RIPv2. The following multicast protocols are also supported: PIM-SM, PIM-DM, and IGMP.

• GateD is the daemon that supports dynamic routing on SecurePlatform, and is activated by enabling Advanced Routing using the cpconfig utility.

• Wire Mode is a new feature in VPN-1 NGX that allows a failover mechanism, where Stateful Inspection is bypassed on any interim Gateways between VPN end points.


Review

Review Questions

1. Your colleague left work in the middle of configuring your SecurePlatform Pro Gateway for OSPF route-based VPNs. His configuration notes indicate that he was in the process of configuring the interfaces using the GateD Command Line Interface. Which of the following commands would give you the most general overview of where your colleague's notes left off?

A.) localhost.localdomain# show interface

B.) localhost.localdomain# show running-config

C.) localhost.localdomain# show ip route

D.) localhost.localdomain# show history

2. A route-based VPN is configured between your site and a partner site for specific machines on subnets in your internal networks. Each site also has a standard VPN Domain defined, containing these subnets. Will VPN traffic be logged in SmartView Tracker as encrypting via the VTI or the VPN Domain?

A.) The VTI, because the host-based VPN will take precedence over the subnet-based VPN.

B.) The VPN Domain, because subnet-based VPNs will take precedence over VTI host-based VPNs.

C.) The VTI, because VTIs take precedence over VPNs in VPN-1 NGX.

D.) The VPN Domain, because VTIs only expand the function of VPN Domains, not replace them.


Review

Review Answers

1. Your colleague left work in the middle of configuring your SecurePlatform Pro Gateway for OSPF route-based VPNs. His configuration notes indicate that he was in the process of configuring the interfaces using the GateD Command Line Interface. Which of the following commands would give you the most general overview of where your colleague's notes left off?

D. localhost.localdomain# show history

2. A route-based VPN is configured between your site and a partner site for specific machines on subnets in your internal networks. Each site also has a standard VPN Domain defined, containing these subnets. Will VPN traffic be logged in SmartView Tracker as encrypting via the VTI or the VPN Domain?

D. The VPN Domain, because VTIs only expand the function of VPN Domains, not replace them.

3. You have a VPN configured between your NGX Security Gateway and a partner company's Cisco VPN concentrator. You and your partner company's Administrator agree that tunnels between these devices need to be consistently active, and that there also needs to be some redundancy available in the tunnels. Which of the following configurations would be best suited for this situation?

Dynamically routed VPNs with Tunnel Sharing configured between subnets


Check Point SOFTWARE TECHNOLOGIES LTD.

We Secure the Internet

CHAPTER 11: CLUSTERXL

This chapter covers best practices for configuring and testing ClusterXL, and provides troubleshooting steps and commands.

Objectives

1. Implement and test ClusterXL by following Check Point configuration recommendations.

2. Troubleshoot ClusterXL problems, using cphaprob and other related commands.


Key Terms

cphaprob

cpstat

fw ctl debug -m cluster all


Configuration Recommendations

CONFIGURATION RECOMMENDATIONS

These configuration tips will avert the more common problems resulting from misconfiguration of ClusterXL.

Recommendations for ClusterXL

• ClusterXL should be installed in a distributed environment. The SmartCenter Server cannot be installed on any cluster member. If an NGX Gateway is installed on the SmartCenter Server, this is called a stand-alone installation, and that Gateway cannot be added to the cluster as a member.

• The SmartCenter Server does not have to be on the local network with the cluster. If it is local, the Server can be located in any segment of the cluster. Static routes may be necessary to reach cluster members for Policy installation and logging, if the member-gateway objects do not use IP addresses from the same network segment as the SmartCenter Server. For example, if the member-gateway objects have 172.22.102.1 and 172.22.102.2 in their General Properties screens, but the SmartCenter Server is in the 172.16.10.x /24 network, the SmartCenter Server should have a default Gateway pointing to 172.16.10.x (the virtual IP address on that network). But if the cluster fails over, SIC might fail, because the SmartCenter Server does not know how to reach 172.22.102.1 and 172.22.102.2. Static routes are necessary in this case.

• The SmartCenter Server's HotFix Accumulator (HFA) level must be equal to or higher than the cluster members' HFA levels. When an HFA is to be applied to a cluster, it must be applied to the SmartCenter Server before being applied to any cluster member.

• Other than the synchronization network(s), every unsecured network must have at least one other machine connected to its hub or switch, because the Cluster Control Protocol (CCP) will try to Ping other hosts in the network. If there is no response from other IP addresses in a network, CCP cannot verify whether other members are alive. This can cause ClusterXL instability.

• All cluster members must run on the same OS, with the same version and patch level.


Troubleshooting ClusterXL

The following table lists and explains cphaprob switches:

Switch              Explanation

register            Register <device> as a critical process.

-d <device>         The name of the device as it will appear in the output of cphaprob list.

-t <timeout>        If <device> fails to contact the ClusterXL members in <timeout> seconds, <device> will be considered to have failed. To disable this parameter, enter 0 as the time-out value; the state will then stay as last reported, until explicitly reported.

-s <status>         Status to be reported: ok - <device> is alive; init - <device> is initializing; problem - <device> has failed.

-f <file> register  Option to automatically register several devices; the file named in <file> should contain the list of devices, with the following parameters: device name, time-out, state.

unregister          Unregister <device> as a critical process; -a unregister will unregister all devices.

report              Report the status of <device> to the Security Gateway.

list                Display the state of: -i - internal (as well as external) devices, such as the interface check, High Availability (HA) initialization, and so on; -e - external devices, such as devices registered by the user or outside the kernel, for example fwd, sync, filter; -ia - all devices, including those used for internal purposes, such as pnote initialization, load-balance configuration, and so on.

state               Display the state of this and all other Security Gateways in the HA configuration.

if                  Display the state of interfaces; -a will give additional information per interface, such as secured, shared, and so on.

cphaprob state

In New mode HA, output looks like this:

Cluster Mode: New High Availability (Active Up)

Number     Unique Address   Assigned Load   State
1 (local)  192.168.1.1      0%              standby
2          192.168.1.2      100%            active

The default mode in New mode HA is Active Up.

In Load Sharing Multicast mode, output looks like this:

Cluster Mode: Load Sharing (Multicast)

Number     Unique Address   Assigned Load   State
1 (local)  192.168.1.1      50%             active
2          192.168.1.2      50%             active

In Unicast mode, output looks like this:

Cluster Mode: Load Sharing (Unicast)

Number     Unique Address   Assigned Load   State
1 (local)  192.168.1.1      30%             active (pivot)
2          192.168.1.2      70%             active

In the above example, the pivot machine is identified in the State field. The pivot machine usually takes 30 percent of cluster traffic. The non-pivot machine takes 70 percent of cluster traffic.

Third-party clustering products show active/active, even if one of the members is in the standby state. This is because the cphaprob state command only reports the status of the full synchronization process. For IP clustering, cphaprob state gives accurate cluster status. For VRRP, the status is accurate for a Security Gateway, but it does not correctly reflect the status of each IPSO member. (For example, it does not detect interface failure.)


cphaprob -a if

The cphaprob -a if command gives the state of cluster-member and virtual-cluster interfaces. This example illustrates various uses of the cphaprob -a if command:

Required interfaces: 3
Required secured interfaces: 1
eth0 UP sync(secured), multicast
eth1 UP non sync(non secured), multicast
eth2 UP non sync(non secured), multicast

Virtual cluster interfaces: 2
eth1 172.28.108.3
eth2 10.4.8.3

A NOTE ABOUT INTERFACES

Interfaces are critical devices. ClusterXL checks the number of good interfaces, and sets a value of required interfaces to the maximum number of good interfaces seen since the last reboot. If the number of good interfaces is less than the required number, ClusterXL initiates failover. A secured interface is the synchronization interface. All other interfaces are labeled as non-secured. Required interfaces should be identical to the cluster-member object's topology information. The virtual cluster-interfaces list should be identical to the cluster object's Topology screen. The number of required interfaces should be the same among cluster members. The same is true for the number of required secured interfaces.

When an interface is down, the interface can neither receive nor transmit CCP packets. This may happen when an interface is malfunctioning, is connected to an incorrect subnet, is unable to pick up multicast Ethernet packets, and so on. The interface may also be able to receive but not transmit CCP packets, in which case the status field is ready. The displayed time is the number of seconds that have elapsed since the interface was last able to receive/transmit a CCP packet. For third-party clustering products, except Nokia IP clustering products, cphaprob -a if should always show virtual-cluster IP addresses.


Device Name: Filter

Registration number: 1

Timeout: none

Current state: OK

Time since last report: 89786.8 sec

Device Name: fwd

Registration number: 2

Timeout: 2 sec

Current state: OK

Time since last report: 0.8 sec

For Nokia IP clustering, the output is the same as for Check Point ClusterXL Load Sharing.
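The rules in the note about interfaces above, and the critical-device list just shown, can be applied offline to captures taken from each member. The following Python script is an added example (not from the handbook or from Check Point): it parses constructed samples of cphaprob -a if and cphaprob -i list output in the layouts shown on this page, and the "DOWN (12.4 secs)" form for a failed interface is an assumption made for the example.

```python
import re

# Constructed sample captures of `cphaprob -a if` from two cluster members,
# in the layout the handbook shows. The "DOWN (12.4 secs)" form for a failed
# interface is an assumption made for this example.
IF_OUTPUT = {
    "member-a": """\
Required interfaces: 3
Required secured interfaces: 1
eth0 UP sync(secured), multicast
eth1 UP non sync(non secured), multicast
eth2 UP non sync(non secured), multicast
""",
    "member-b": """\
Required interfaces: 3
Required secured interfaces: 1
eth0 UP sync(secured), multicast
eth1 DOWN (12.4 secs) non sync(non secured), multicast
eth2 UP non sync(non secured), multicast
""",
}

# Constructed sample capture of `cphaprob -i list` from member-b, after a test
# device was registered with `-t 0` (shown as "Timeout: none").
PNOTE_OUTPUT = {"member-b": """\
Device Name: fwd
Registration number: 2
Timeout: 2 sec
Current state: OK
Time since last report: 5.3 sec

Device Name: faildevice
Registration number: 3
Timeout: none
Current state: problem
Time since last report: 1.1 sec
"""}

IF_LINE = re.compile(r"^(?P<name>\S+)\s+(?P<state>UP|DOWN)(?:\s+\((?P<secs>[\d.]+) secs?\))?"
                     r"\s+(?:non )?sync\((?P<secured>secured|non secured)\)")

def parse_if_output(text):
    """Parse `cphaprob -a if` output: required counts plus physical interface states."""
    info = {"required": 0, "required_secured": 0, "interfaces": []}
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("Required secured interfaces:"):
            info["required_secured"] = int(line.split(":")[1])
        elif line.startswith("Required interfaces:"):
            info["required"] = int(line.split(":")[1])
        else:
            m = IF_LINE.match(line)
            if m:
                info["interfaces"].append({
                    "name": m["name"], "up": m["state"] == "UP",
                    "down_secs": float(m["secs"] or 0),
                    "secured": m["secured"] == "secured"})
    return info

def parse_pnote_list(text):
    """Parse `cphaprob -i list` output into one dict per registered device."""
    devices = []
    for line in text.splitlines():
        key, _, value = (s.strip() for s in line.partition(":"))
        if key == "Device Name":
            devices.append({"name": value})
        elif key == "Timeout":
            devices[-1]["timeout"] = None if value == "none" else float(value.split()[0])
        elif key == "Current state":
            devices[-1]["state"] = value
        elif key == "Time since last report":
            devices[-1]["since"] = float(value.split()[0])
    return devices

def check_cluster(if_outputs, pnote_outputs):
    """Apply the handbook's consistency rules; an empty list means nothing to report."""
    findings = []
    parsed = {member: parse_if_output(text) for member, text in if_outputs.items()}
    for field in ("required", "required_secured"):  # must agree on every member
        if len({p[field] for p in parsed.values()}) > 1:
            findings.append(f"{field} count differs across members")
    for member, p in parsed.items():
        good = sum(i["up"] for i in p["interfaces"])
        if good < p["required"]:  # fewer good interfaces than required: failover
            findings.append(f"{member}: {good} good interfaces, {p['required']} required; failover expected")
        for i in p["interfaces"]:
            if not i["up"]:
                findings.append(f"{member}: {i['name']} without CCP for {i['down_secs']} sec")
    for member, text in pnote_outputs.items():  # critical devices
        for dev in parse_pnote_list(text):
            if dev["state"].lower() != "ok":
                findings.append(f"{member}: device {dev['name']} reports {dev['state']}")
            elif dev["timeout"] is not None and dev["since"] > dev["timeout"]:
                findings.append(f"{member}: device {dev['name']} silent {dev['since']} s (timeout {dev['timeout']} s)")
    return findings
```

Running check_cluster(IF_OUTPUT, PNOTE_OUTPUT) on the samples reports member-b's missing good interface, the down eth1, the fwd device that has gone silent past its 2-second timeout, and faildevice in the problem state.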

fw ctl debug -m cluster

1. Set the debug flag to 0:

fw ctl debug 0

2. Set the debug buffer size (in kilobytes):

fw ctl debug -buf 1024 | 2048 | 4096

3. Set the debug flag to miscellaneous:

fw ctl debug -m cluster <flag>

The all flag generates all

Kernel Flag Description

conf ClusterXL configuration

if Interfaces monitoring and validation

stat Cluster state changes

select Packet selection by ClusterXL

ccp CCP packet creation and handling

pnote pnote devices

drop Drops caused by SDF

mac

forward Forwarding layer

df Decision function

4. Run debug:

fw ctl kdebug -f > <file name>

5. Stop debugging by pressing CTRL + C.

fw ctl debug 0

fw ctl debug should be run on all cluster members.


KERNEL FLAGS

DEFAULT BEHAVIOR

5. Since no probe-message reply is received but the Ping requests are answered, the secondary concludes that its own interfaces are up and working, and that the interface of the primary has failed over. The secondary announces, via state messages, that all of its own interfaces are operational.

6. With this report from the secondary, the primary concludes the issue is with its own interface, and changes its state to Down/Dead.

7. The secondary issues gratuitous ARPs for both the physical and cluster address per IP segment, and changes its state to Active/Active-Attention.

N E W B E H A V I O R

With the two kernel flags set to true, the kernel includes a check of the link state of all member interfaces. That is, when a cluster member does not receive CCP packets on an interface, it runs a kernel procedure to check the state of that interface. If the member discovers the link state is down, it sends a message through its working interfaces to the network, saying that its interface state is down. The standby member can then change its state to Active, without the Ping mechanism (since no hosts are available to Ping). The cluster members will then know which member has a problem, and can change their states to Active. (The member that has the highest priority will be active.)

fwha_restrict_mc_sockets (0 by Default)

DEFAULT BEHAVIOR

The multicast socket is opened by CCP when ClusterXL is set up.

NEW BEHAVIOR

Changing the value to 1 will open the multicast socket on synchronization interfaces only.


fw_gratuitous_arp_timeout

This flag sets the gratuitous ARP time-out, which is 600 deciseconds by default (a decisecond equals 0.1 seconds).

fw_allow_connection_traffic_drop (1 by Default)

This flag controls the Flush and ACK mechanism on unestablished connections.

FLUSH AND ACK

When a client and server start a TCP handshake through a cluster, the SYN packet arrives at member A. Member A will hold the SYN packet and synchronize it with member B, then pass the SYN packet to its destination. When the SYN-ACK packet comes from the server to the client, it arrives at member B. With Flush and ACK, member B has the SYN table entry, and allows the SYN-ACK to pass through and return to the client.

DEFAULT BEHAVIOR

If the ACK packet from the client comes before member B synchronizes SYN-ACK with member A, by default, member A will drop the packet. This may result in retransmissions and delays in some applications.

NEW BEHAVIOUR

To allow this ACK packet or any packet belonging to an unestablished connection, turn the parameter off. (Change the value to 0.)

fwha_allow_simultaneous_ping

This flag allows Pinging the virtual IP (VIP) during a


fwconn_merge_all_syncs

DEFAULT BEHAVIOUR

Some closed connections hang in the connections table for an entire TCP session time-out, in a Load Sharing configuration. When an NGX cluster member encounters FIN packets from both sides of a TCP connection, it lowers the connection's time-out from the TCP session time-out (by default 3,600 seconds) to the TCP end-session time-out (typically set to less than 1 minute). In Load Sharing configurations with asymmetric routing, one cluster member can find a certain connection is established, while another member has already encountered both FIN packets on the same session. When the machine with the older connections table synchronizes with the machine with the newer connections table, the more updated machine may increase the connection's time-out to the TCP session time-out. The connection then stays in the connections table long after it has closed. Such a scenario also exposes the cluster to a possible DoS attack.

NEW BEHAVIOUR

When fwconn_merge_all_syncs is set to true, NGX cluster members synchronize the TCP state correctly, and an older connection-table entry is not allowed to override an updated one. This parameter can help short TCP connections in Load Sharing configurations with asymmetric routing, such as with Static NAT, VPNs, or third-party solutions.
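To make the race above concrete, here is a small Python model of the merge rule, added for this section and not Check Point code: the kernel-table layout, the state names, the constructed connection key and the 20-second end-session value are assumptions; the 3,600-second session time-out is the default the text states.

```python
from dataclasses import dataclass

TCP_SESSION_TIMEOUT = 3600   # default TCP session time-out stated in the handbook, seconds
TCP_END_TIMEOUT = 20         # constructed end-session value ("typically less than 1 minute")

# TCP states in the order a connection advances through them; a higher ordinal
# is a newer view of the same connection. Names are assumptions for this model.
ESTABLISHED, FIN_ONE_SIDE, FIN_BOTH_SIDES = 1, 2, 3


@dataclass
class ConnEntry:
    key: tuple          # (src, dst, sport, dport)
    state: int
    timeout: int


def timeout_for(state):
    """The time-out a member assigns after it has seen the given TCP state."""
    return TCP_END_TIMEOUT if state == FIN_BOTH_SIDES else TCP_SESSION_TIMEOUT


def apply_sync(table, incoming, merge_all_syncs):
    """Apply one sync update to a member's connections table.

    With merge_all_syncs False (the default behaviour modelled here) the
    incoming entry simply replaces the local one, so an older view can raise
    the time-out back to the session value. With it True an older TCP state
    cannot override a newer one, so the lowered time-out survives."""
    local = table.get(incoming.key)
    if merge_all_syncs and local is not None and incoming.state < local.state:
        return table  # keep the more advanced local view
    table[incoming.key] = incoming
    return table


def simulate_asymmetric_close(merge_all_syncs):
    """Asymmetric routing: member A still sees the session as established while
    member B has seen both FINs; then A's sync update reaches B. Returns B's entry."""
    key = ("10.1.1.101", "10.1.3.103", 40000, 80)   # constructed client/server pair
    table_a = {key: ConnEntry(key, ESTABLISHED, timeout_for(ESTABLISHED))}
    table_b = {key: ConnEntry(key, ESTABLISHED, timeout_for(ESTABLISHED))}
    # B observes FIN from both sides and lowers the connection's time-out.
    table_b[key] = ConnEntry(key, FIN_BOTH_SIDES, timeout_for(FIN_BOTH_SIDES))
    # A still believes the session is established and syncs that view to B.
    apply_sync(table_b, table_a[key], merge_all_syncs)
    return table_b[key]
```

With the flag off, B's entry ends up back at 3,600 seconds for a connection that has already closed; with the flag on, B keeps the 20-second end-session time-out, while a newer state arriving from B at A is still applied in both modes.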

fwtcpstr_reject_synced (On by Default)

When asymmetric routing exists in IPSO IP clustering configurations, the connections are sometimes slow. If both of the following conditions are true, disable this flag to improve connections. The conditions are:

1. Quick UFP is not used.

2. Packets going in the same direction on a specific connection always go through the same cluster member.


Lab 14: Manual Failover Using cphaprob -d device Command

LAB 14: MANUAL FAILOVER USING CPHAPROB -D DEVICE COMMAND

Scenario: In New mode HA and Load Sharing Pivot mode clusters, test failover without bringing the active member down. Use the cphaprob -d <device> -s problem register command to generate failover manually.

Objective: Use the cphaprob -d device command to generate a failover.

Topics:

• Running cphaprob -d <device> -s problem register to generate failover

• Running cphaprob state to verify cluster-member status

• Running cphaprob -d <device> unregister to reactivate the down member

Name          Standard Lab IP                             ClusterXL Lab IP

fwrome        172.21.101.1  10.1.1.1  192.168.22.101      172.21.101.1  10.1.1.1  192.168.22.101

fwtoronto     172.23.103.1  10.1.3.1  192.168.22.103      172.21.101.4  10.1.1.4  192.168.22.103

webrome       10.1.1.101                                  10.1.1.101

webtoronto    10.1.3.103                                  10.1.1.103

Cluster IPs   N/A                                         172.21.101.5  10.1.1.5

Name          Standard Lab IP                             ClusterXL Lab IP

fwoslo        172.22.102.1  10.2.2.1  192.168.22.102      172.22.102.1  10.2.2.1  192.168.22.102

fwmadrid      172.24.104.1  10.2.4.1  192.168.22.104      172.22.102.4  10.2.2.4  192.168.22.104

weboslo       10.2.2.102                                  10.2.2.102

webmadrid     10.2.4.104                                  10.2.2.104

Cluster IPs   N/A                                         10.2.2.5

Name          Standard Lab IP                             ClusterXL Lab IP

fwzurich      172.25.105.1  10.3.5.1  192.168.22.105      172.25.105.1  10.3.5.1  192.168.22.105

fwcambridge   172.27.107.1  10.3.7.1  192.168.22.107      172.25.105.4  10.3.5.4  192.168.22.107

webzurich     10.3.5.105                                  10.3.5.105

webcambridge  10.3.7.107                                  10.3.5.107

Cluster IPs   N/A                                         10.3.5.5

Name          Standard Lab IP                             ClusterXL Lab IP

fwsydney      172.26.106.1  10.4.6.1  192.168.22.106      172.26.106.1  10.4.6.1  192.168.22.106

fwsingapore   172.28.108.1  10.4.8.1  192.168.22.108      172.26.106.4  10.4.6.4  192.168.22.108

websydney     10.4.6.106                                  10.4.6.106

websingapore  10.4.8.108                                  10.4.6.108

Cluster IPs   N/A                                         172.26.106.5  10.4.6.5

GENERATE FAILOVER IN NEW MODE HA CLUSTER

1. Configure the ClusterXL type for HA, then select New mode.

2. Select Switch to higher priority Gateway, under the Upon Gateway recovery option on the ClusterXL screen.

3. Start an FTP session from www.partnercity.cp to access the internal FTP

4. Verify the active member is still active:

cphaprob state

5. On the active member, register a device named "faildevice" to generate a failover:

cphaprob -d faildevice -s problem -t 0 register

The active member now goes down, due to faildevice being reported as a problem, and the standby member becomes active. The FTP session should continue if Synchronization is

6. Verify cluster status on both members with the cphaprob state command:

cphaprob state

7. Verify the state of internal and external devices on the down member:

cphaprob -i list

The problematic device faildevice should display as a problem.

8. Report faildevice as OK, then unregister it:

cphaprob -d faildevice -s ok report

cphaprob -d faildevice unregister

The original member will become active again, because Switch to higher priority Gateway in the ClusterXL screen of the cluster object is selected.

End of lab.

LAB 15: RUNNING CPHASTART -D

Topics:

• Running cphastop to stop ClusterXL on cluster members

• Running cphastart -d on cluster members

• Reviewing the cphastart -d output

Lab 15: Running cphastart -d

RUN CPHASTOP ON CLUSTER MEMBERS

1. On each cluster member, run the command:

[expert@cpmodule]# cphastop

2. Verify whether ClusterXL has started:

[expert@cpmodule]# cphaprob state

RUN CPHASTART -D ON CLUSTER MEMBERS

3. Start the cpha service in debug mode, and redirect the output to a text file:

[expert@cpmodule]# cphastart -d >& hastart.txt

4. Wait until the prompt displays.

5. Review the text file and examine the information presented.

End of lab.


REVIEW

• Install ClusterXL only in a distributed configuration. The SmartCenter Server cannot be installed on any cluster member.

• The SmartCenter Server controlling a cluster does not have to be local to the cluster. If local, the Server can be on any network segment, although static routes to each individual cluster member may be necessary to ensure connectivity.

• The SmartCenter Server's version (including HFA version) must be at the same or higher version as cluster members. When applying an upgrade or HFA, the SmartCenter Server must be upgraded first.

• The Cluster Control Protocol (CCP) Pings other hosts in a network segment to verify network status. Always ensure that networks other than the sync networks have other machines besides the cluster members on them.

• All cluster members must be running on the same OS, with equivalent OS patch levels applied.

• All cluster members should have a minimum of three interfaces. It is possible to run sync across an internal interface, but this is not recommended. Ideally, sync should be run across a dedicated network.

• Avoid multiple clusters on the same network segment.

• Active interface numbers need to be the same on each cluster member.

• Switches need to be compatible with Check Point multicast MAC addresses.

• Test cluster functionality by passing traffic through the cluster, not to it.

• Segregate different versions of ClusterXL from one another. Each cluster should be on its own hub, VLAN segment, or switch.

• Verify hostnames in the hosts files on all cluster members.

• Sync networks should have interface-to-interface connectivity, be connected via a hub, as opposed to a crossover cable, and not have a cluster IP assigned to them. Clusters should not share sync networks with other clusters.

• cphaprob, cpstat ha -f all, and fw ctl debug -m cluster are the main troubleshooting commands for ClusterXL.

• Kernel debugging flags are also useful when troubleshooting ClusterXL problems.


Review Answer

1. Connectivity through an NGX Load Sharing Cluster in front of a server farm is intermittent. SmartView Monitor shows the two cluster members as functional. You suspect connectivity problems may be related to the synchronization of state tables. Which of the following kernel flags may help improve performance?

B.) fwconn_merge_all_syncs

With the information given, the above is the most helpful kernel setting to change. This setting allows for connections to be entered into the state tables on both machines.


Check Point SOFTWARE TECHNOLOGIES LTD.

We Secure the Internet

APPENDIX A: USING DBEDIT

This appendix provides an optional lab for individual practice with DbEdit.

Scenario: In this lab, you will use DbEdit to create a new service object and a new group object, and to add the service object to the group object. You will also use DbEdit to set the global property resolve_multiple_interfaces to true. This lab is ideal for environments that cannot take advantage of the Database Tool (GuiDBedit). Note that Check Point recommends using the Database Tool utility; when GuiDBedit is not available or convenient, use DbEdit carefully.

In this lab, you will run dbedit locally on the SmartCenter Server. If the command is executed from another machine in the network, the SmartCenter Server's hostname must be resolvable to its IP address from that host.

Objectives:

1. Use DbEdit to create a new object.

2. Use DbEdit to modify an object's property.

3. Use DbEdit to modify a global property value.

Topics:

• Logging in to DbEdit

• Modifying global properties

LOGIN TO DBEDIT PROMPT

3. Type dbedit.

MODIFY GLOBAL PROPERTIES

1. From the dbedit prompt, change the property resolve_multiple_interfaces to true, by typing the following:

dbedit> modify properties firewall_properties resolve_multiple_interfaces true

2. Make the change permanent, by typing the following:

dbedit> update properties firewall_properties

3. The message "firewall_properties updated successfully" appears. Exit dbedit, by typing quit at the dbedit prompt.

Some properties are global, some are specific to a Gateway. To modify properties that are unique to specific Gateway modules, use modify network_objects <gateway_object_name> <property_name> <value>.

End of lab.
