Tuesday, 15 January 2019

  

Checkpoint Firewall Questions

------------------------------------     --Checkpoint Firewall Questions ------------------------------------------

Q1) What is SIC and how do you renew SIC?
Ans: SIC (Secure Internal Communication) is the trusted channel used to establish a connection between the Security Management server (SM) and the Security Gateway (SG). To reset it:
Go into the CLI of the firewall and type cpconfig, then choose Secure Internal Communication.
You will then be prompted to enter a passcode. It does not matter what you enter, but remember it. Then exit cpconfig using option 10.
Go into SmartDashboard and open the Check Point gateway object > General Properties > Communication.
Select "Reset".
Enter the passcode you previously entered within cpconfig.
Select "Initialize".
The Trust State should now say "Trust established".
Re-push the policy.

2) On which port does SIC work?
Ans: SIC works on TCP/18191 and TCP/18192:
    Between SG and SM (or vice versa) -- TCP/18191
    When policy is pushed from SM to SG -- TCP/18192

General
tcp/257    FireWall-1 log transfer
tcp/18208  CPRID (SmartUpdate)
tcp/18190  SmartDashboard to SCS
tcp/18191  SCS to FW-1 gateway for policy install
tcp/18192  SCS monitoring of firewalls (SmartView Status)
SIC Ports
tcp/18209  NGX gateways <-> ICA (status, issue, or revoke)
tcp/18210  Pulls certificates from an ICA
tcp/18211  Used by the cpd daemon (on the gateway) to receive certificates
Authentication
tcp/259    Client Authentication (Telnet)
tcp/900    Client Authentication (HTTP)
3) On which port is log sharing done?
Ans: TCP/257
4) What does fw unloadlocal do? (explanation required)
Ans: fw unloadlocal unloads the current security policy, so no policy is loaded on the gateway.
     This command is useful if you have locked yourself out of the firewall or wish to troubleshoot.
     It uninstalls the security policy completely from the machine, so any active connections going through the firewall
     (NAT connections, VPN connections, etc.) will be dropped. While the policy is unloaded the gateway is not enforcing anything, so reload it as soon as possible (fw fetch localhost, or reinstall policy from the SM).

5) What is the three tier architecture in Check Point?
Ans: The three tier architecture separates the ADMINISTRATION, MANAGEMENT and ENFORCEMENT functions of the Check Point product.

    ADMINISTRATION - Smart clients. The Smart clients are where:
     --- Security policies are defined and managed using a GUI
     --- The security policy is defined in terms of NETWORK OBJECTS (e.g. hosts, networks, gateways)

     SMART DASHBOARD ------ Policy creation and editor
     SMART VIEW TRACKER --- Log viewer
     SMART VIEW STATUS ---- System status
     SMART UPDATE --------- Secure update

    MANAGEMENT - SMART MANAGEMENT SERVER. Maintains the firewall DATABASES,
                       including network definitions, user definitions, security policy, and log files for any number of firewalled enforcement points.
                     -- The security policy is configured on the SM and pushed to the SG, which actually implements the policy.

    ENFORCEMENT - SMART GATEWAYS. A gateway acts as a junction between the protected network and the public network.
         -- It implements the security policy
         -- The SM server downloads the security policy to the SG
        


8) What is the packet flow in Check Point?
Ans: Packet flow is as follows (internal to external):

  1) Incoming interface
  2) Anti-spoofing check
  3) Session lookup
  4) Policy lookup
  5) NAT - destination
  6) Routing
  7) NAT - source
  8) VPN
  9) Egress interface
  10) Perform the operation

9) What is the rule base in Check Point?
  The rule base is the access policy from source to destination with the required protocols.
10) Clustering - which protocol is used in clustering?
Ans: Cluster Control Protocol (CCP), which uses UDP/8116

11)How clustering works?
Ans: 
ClusterXL
Check Point's ClusterXL is a software-based Load Sharing and High Availability solution that distributes traffic between clusters of redundant Security Gateways
High Availability
-------------------
Allows for an Active-Standby setup where one node (Active) passes all the traffic. In the event of failure the Standby node will be promoted to the Active node.
New Mode(Cluster XL) - Both devices have their own IP and MAC addresses. A Virtual IP is used which uses the MAC address of the Active gateway.
Traffic is then directed to the VIP and passed to the Active Gateway. Gratuitous ARP is used to update the VIPs MAC address on neighbouring
devices at point of failover.
Legacy Mode - Both gateways use the same IP and MAC address. The standby gateway interfaces remain disabled unless the master fails and
the gateway is promoted to master.
Load Sharing
--------------
Load sharing distributes the traffic between the nodes so that the traffic load is shared.
Multicast - Traffic is sent to both nodes using Multicast (MAC addresses). Between both nodes they then decide which node will process the packet.
Unicast - Traffic is sent to only one node. This is called the pivot node. The pivot node then either processes the packet or passes to the other node for processing.
---------------------------
3rd Party Solutions
Both of the 3rd Party solutions are configured primarily within the IPSO operating system. Though there are a few settings that are still required
within the Check Point Object such as state synchronization.
Nokia VRRP - Interface checking and failover is dealt with by Nokia's VRRP. This only allows for HA clusters.
Nokia IP Clustering - Interface checking and failover is dealt with by Nokia's IP Clustering. This allows for both HA and Load Sharing
cluster configurations.
In both cases above you can use and configure ClusterXL for state synchronization.

12) How do I debug ClusterXL at the kernel level?
Once you have exhausted the cphaprob commands and packet captures on UDP/8116 have not revealed anything, you may want to run a kernel debug on ClusterXL. The steps are detailed below:
Enable debugging
    fw ctl debug -x
    fw ctl debug -buf 4096
    fw ctl debug -m cluster all
    fw ctl kdebug -f > file_name.txt
Disable debugging
    [ctrl + c]
    fw ctl debug 0

Question: How can I check that my Check Point cluster is in sync?
All "true" clusters require that certain attributes are synchronised, so that in the event of a failover the newly promoted node can continue where the other node left off.
To ensure that the state tables of all nodes in your Check Point cluster are synchronised, compare the #VALS column of the state table summary on each node.
Note:
You may find that these figures are not identical; this is just down to the delay/latency between state synchronisations. You should only be concerned if the values are hundreds or even thousands apart.
The best way to view the state table summaries (on SPLAT based firewalls) is to run the command watch 'fw tab -t connections -s'.
Below is based on an R65 ClusterXL HA cluster.
Steps
Check the state tables on both nodes, comparing the #VALS totals.

[Expert@fw1]# fw tab -t connections -s
HOST                  NAME                               ID #VALS #PEAK #SLINKS
localhost             connections                      8158  3624 36074   14234

[Expert@fw2]# fw tab -t connections -s
HOST                  NAME                               ID #VALS #PEAK #SLINKS
localhost             connections                      8158  3632 36073   14242

You can see here that the #VALS are fairly similar (3624 vs 3632), so we can safely say that the state tables are synchronised.
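The comparison above is easy to eyeball on two nodes but tedious on a busy cluster or when scripting a health check. Here is an added example (not part of the original post) that parses the output of fw tab -t connections -s from each node and reports whether the #VALS differ by more than a tolerance. The sample output is constructed to match the fw1/fw2 listing above; the tolerance of 100 entries is an assumption reflecting the note that only a gap of hundreds or thousands is a concern.

```python
import re

# Constructed sample output, modelled on the R65 ClusterXL HA listing above
# (not captured from a live cluster).
FW1_OUTPUT = """\
HOST                  NAME                               ID #VALS #PEAK #SLINKS
localhost             connections                      8158  3624 36074   14234
"""
FW2_OUTPUT = """\
HOST                  NAME                               ID #VALS #PEAK #SLINKS
localhost             connections                      8158  3632 36073   14242
"""

# One data row: HOST NAME ID #VALS #PEAK #SLINKS (all four trailing fields numeric)
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_fw_tab_summary(output):
    """Parse 'fw tab -t <table> -s' output into {table_name: {id, vals, peak, slinks}}.
    Header lines do not match ROW_RE (their ID column is not numeric) and are skipped."""
    tables = {}
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        _host, name, tid, vals, peak, slinks = m.groups()
        tables[name] = {
            "id": int(tid),
            "vals": int(vals),
            "peak": int(peak),
            "slinks": int(slinks),
        }
    return tables


def sync_status(out_a, out_b, table="connections", tolerance=100):
    """Compare the #VALS of one table on two cluster members.
    tolerance (assumption): the largest difference still treated as in sync."""
    vals_a = parse_fw_tab_summary(out_a)[table]["vals"]
    vals_b = parse_fw_tab_summary(out_b)[table]["vals"]
    diff = abs(vals_a - vals_b)
    return {
        "fw1_vals": vals_a,
        "fw2_vals": vals_b,
        "diff": diff,
        "in_sync": diff <= tolerance,
    }


if __name__ == "__main__":
    print(sync_status(FW1_OUTPUT, FW2_OUTPUT))
```

Run it against captures from both members (for example by piping each node's fw tab output into a file and reading them in); a persistent large difference points at a sync problem worth following up with cphaprob syncstat.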


13)Steps in trouble shooting a Checkpoint firewall
14)Source nat and destination
15)TCP Dump

Question 13: Check Point Logging Troubleshooting Guide (also covers 17: We are not getting logs in Tracker, why?)
Below are some basic guidelines for troubleshooting Check Point logging issues.
Please note: this guide does not cover OPSEC LEA based issues.
Please note: the FWD (Firewall Daemon) is responsible for sending and receiving the Check Point logs on port tcp/257.
Are the logs being sent to the manager?
First of all, are the logs being sent to the SmartCenter manager or the relevant log manager? Check whether the gateway is sending log packets on the FW log port tcp/257, on both the gateway and the manager, using either or both of the following commands:
netstat -an | grep 257 - shows the state of the TCP sockets.
tcpdump -ni [interface name] port 257 - shows a packet capture of the FW log packets on the given interface.
If the gateway is not sending the logs then this can be down to one of the following issues:
SIC is not established.
The logging configuration for the gateway is not configured correctly.
The SmartCenter/log manager is not listening on port tcp/257.
There is an issue with FWD on the gateway. In some instances you may need to restart FWD via a cpstart, though the root cause could be any of a number of factors.
The SmartCenter / log manager is not receiving the logs
If the gateway is sending the logs but the SmartCenter / log manager is not receiving them, then either a device between the two nodes is blocking the packets or there is a routing issue.
Why are the logs not being displayed within SmartView Tracker?
So the manager is receiving the logs but you still do not see them within SmartView Tracker. This will be down to either the FWD (Firewall Daemon) or the log files being corrupted.
Log files corrupted
If the log files are corrupted you should expect to see no logs within SmartView Tracker. If this is the case you will need to carry out the following steps:
Close the Log Viewer/SmartView Tracker and Policy Editor/SmartDashboard.
Execute the fwstop or cpstop command (depending on the version) from the command line.
Remove all files starting with fw.log and fw.logptr from the $FWDIR/log directory.
Execute the fwstart or cpstart command (depending on the version).
Full details can be found in Check Point's KB under Solution ID sk6432.
Only some of the logs are not being displayed
If only some of the logs are not being displayed then this could point to an issue with the trust between the manager and the gateway.
To confirm the issue, debug FWD using the following steps:
root@cp-mgnt# fw debug fwd on TDERROR_ALL_ALL=5
root@cp-mgnt# tail -f $FWDIR/log/fwd.elg
root@cp-mgnt# tail -f $FWDIR/log/fwd.elg | grep -i "Certificate is revoked"
root@cp-mgnt# fw debug fwd off
Within these steps we first enable the debug, then run a live tail on the log file, then grep the live tail for a specific error (the live tail shows the end of the log file in real time), and finally turn the debug off.
Below is an example of a SIC trust error between the gateway and manager, taken from $FWDIR/log/fwd.elg:
[FWD 2177 1]@cp-mgnt[22 Jan 14:47:32] fwCert_ValCerts: Certificate is revoked. CN=cp-fw1,O=cp-mgnt..bizt7z
[FWD 2177 1]@cp-mgnt[22 Jan 14:47:41] fwCert_ValCerts: Certificate is revoked. CN=cp-fw2,O=cp-mgnt..bizt7z
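Grepping a live tail works for a quick look, but on a manager with many gateways it helps to know which gateways are affected and how often. The following is an added example, not from the original post, that parses fwd.elg lines in the layout shown above and counts "Certificate is revoked" errors per gateway CN. The sample log text is constructed from the two lines above plus one unrelated filler line; the field layout [FWD pid tid]@host[timestamp] function: message is taken from those lines, and any gateway reported here needs its SIC trust reset as described in Q1.

```python
import re
from collections import Counter

# Constructed sample of $FWDIR/log/fwd.elg debug output, modelled on the lines
# above (the second line is constructed filler, not a real Check Point message).
SAMPLE_ELG = """\
[FWD 2177 1]@cp-mgnt[22 Jan 14:47:32] fwCert_ValCerts: Certificate is revoked. CN=cp-fw1,O=cp-mgnt..bizt7z
[FWD 2177 1]@cp-mgnt[22 Jan 14:47:35] fwd: unrelated debug line (constructed)
[FWD 2177 1]@cp-mgnt[22 Jan 14:47:41] fwCert_ValCerts: Certificate is revoked. CN=cp-fw2,O=cp-mgnt..bizt7z
[FWD 2177 1]@cp-mgnt[22 Jan 14:47:50] fwCert_ValCerts: Certificate is revoked. CN=cp-fw1,O=cp-mgnt..bizt7z
"""

# [FWD <pid> <tid>]@<host>[<timestamp>] <function>: <message>
LINE_RE = re.compile(
    r"^\[FWD (?P<pid>\d+) (?P<tid>\d+)\]@(?P<host>[^\[]+)\[(?P<ts>[^\]]+)\] "
    r"(?P<func>[^:]+): (?P<msg>.*)$"
)
# The subject DN in the message starts with the gateway's CN
CN_RE = re.compile(r"CN=([^,]+)")


def parse_elg_line(line):
    """Split one fwd.elg line into its fields; return None for lines that do
    not follow the [FWD pid tid]@host[timestamp] function: message layout."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_revoked_certs(text):
    """Count 'Certificate is revoked' messages per gateway CN.
    A gateway listed here presents a SIC certificate the manager's ICA
    considers revoked, so its logs are refused until trust is re-established."""
    revoked = Counter()
    for line in text.splitlines():
        rec = parse_elg_line(line)
        if rec is None or "Certificate is revoked" not in rec["msg"]:
            continue
        cn = CN_RE.search(rec["msg"])
        revoked[cn.group(1) if cn else "<unknown CN>"] += 1
    return revoked


def gateways_needing_sic_reset(text):
    """Sorted list of gateway CNs that need SIC reset and re-initialisation."""
    return sorted(find_revoked_certs(text))


if __name__ == "__main__":
    for cn, count in find_revoked_certs(SAMPLE_ELG).items():
        print(f"{cn}: {count} revoked-certificate error(s)")
```

In practice feed it the saved fwd.elg (for example with open("fwd.elg").read()) after the fw debug fwd on ... / fw debug fwd off steps; remember to turn the debug off, since TDERROR_ALL_ALL=5 is verbose.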




18)What is Provider 1 , how does it work ?
19)Difference between Cisco and Checkpoint firewall ?

21) Difference  between Reject and Drop  ?
22)What are the best practices for Checkpoint firewall rule base ?
Ans: Best practices for a good rule base
 (1) The firewall rule base should be as simple as possible. The fewer rules you have, the more efficient and less error prone
     the rule base will be.
 (2) Avoid using "Any" in the service field.
 (3) Use a group or network object instead of many workstation node objects.
 (4) Use groups to gather sources, destinations or services.
 (5) Anti-spoofing should be configured on all the firewall interfaces.
 (6) Place the most commonly matched rules at the top of the rule base. This will improve performance and make the firewall more efficient. Firewall-1 searches the rule base in sequential order: the first rule matching a connection is applied, not the rule that matches best.
 (7) Use good naming conventions to represent network objects (hostname_ipaddress is a good naming scheme) and services.
 (8) Implement the "Stealth rule" to block and track connection attempts to the firewall module itself.
 (9) Prefer "Reject" to "Drop" for some services. Services such as "ident" should be rejected to allow better application performance.
 (10) Implement the "Cleanup" rule at the bottom of the rule base to block and log all remaining traffic. Firewall-1 by default does not log traffic that is dropped; with the "Cleanup" rule, logging can be turned on for blocked connections.
 (11) Do NOT use domain objects in the rule base. Domain objects may cause performance bottlenecks.
 (12) To avoid being flooded by logging of broadcast traffic such as bootp and NBT, create a rule to drop those packets without logging (the "Noise rule").
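Several of these practices can be checked mechanically before a policy is pushed. Here is an added example (not from the original post, and not a Check Point tool) of a small rule base linter that checks practices (2), (8), (10) and (11) over a constructed rule base. The object names (fw-gw, web-srv, admin-net and so on) are hypothetical, and the check for domain objects assumes Check Point's convention of naming them with a leading dot.

```python
# Constructed sample rule base with hypothetical object names.  Rules are in
# the order Firewall-1 evaluates them: the first matching rule wins.
RULEBASE = [
    {"name": "Stealth", "src": "Any",              "dst": "fw-gw",        "svc": "Any",   "action": "Drop",   "track": "Log"},
    {"name": "Web",     "src": "Any",              "dst": "web-srv",      "svc": "http",  "action": "Accept", "track": "Log"},
    {"name": "Admin",   "src": "admin-net",        "dst": "internal-net", "svc": "Any",   "action": "Accept", "track": "None"},
    {"name": "Partner", "src": ".partner.example", "dst": "app-srv",      "svc": "https", "action": "Accept", "track": "Log"},
    {"name": "Cleanup", "src": "Any",              "dst": "Any",          "svc": "Any",   "action": "Drop",   "track": "Log"},
]

# Hypothetical name of the firewall module's own object (target of the stealth rule)
GATEWAY_OBJECTS = {"fw-gw"}


def is_cleanup_rule(rule):
    """Practice (10): Any/Any/Any, Drop, and logged."""
    return (all(rule[f] == "Any" for f in ("src", "dst", "svc"))
            and rule["action"] == "Drop" and rule["track"] == "Log")


def lint_rulebase(rules, gateway_objects=GATEWAY_OBJECTS):
    """Return (rule_number, practice_number, message) findings for practices
    (2) no 'Any' service on Accept rules, (8) stealth rule ahead of any
    Accept rule, (10) logged cleanup rule last, (11) no domain objects."""
    findings = []
    for n, r in enumerate(rules, 1):
        if r["action"] == "Accept" and r["svc"] == "Any":
            findings.append((n, 2, f"rule '{r['name']}' accepts 'Any' service"))
        for field in ("src", "dst"):
            # Assumption: domain objects are named with a leading dot
            if r[field].startswith("."):
                findings.append((n, 11, f"rule '{r['name']}' uses domain object {r[field]} in {field}"))

    first_accept = next((n for n, r in enumerate(rules, 1) if r["action"] == "Accept"),
                        len(rules) + 1)
    stealth = next((n for n, r in enumerate(rules, 1)
                    if r["action"] in ("Drop", "Reject") and r["dst"] in gateway_objects),
                   None)
    if stealth is None or stealth > first_accept:
        findings.append((stealth or 0, 8, "no stealth rule ahead of the first Accept rule"))

    if not rules or not is_cleanup_rule(rules[-1]):
        findings.append((len(rules), 10, "last rule is not a logged Any/Any/Any Drop cleanup rule"))
    return findings


if __name__ == "__main__":
    for rule_no, practice, msg in lint_rulebase(RULEBASE):
        print(f"rule {rule_no}: practice ({practice}): {msg}")
```

On the sample rule base this flags the Admin rule for accepting "Any" service and the Partner rule for its domain object, while the stealth and cleanup rules pass. Practices (1), (6) and (12) need knowledge of traffic volume and hit counts, so they are left to review.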

23) Which command is used to check dropped packets when no logs are coming?
Ans: From expert mode:
 > expert
 # fw ctl zdebug + drop | grep <source IP or destination IP>
24) Which protocol is used in clustering on SPLAT?
Ans: CCP - Cluster Control Protocol ---- UDP/8116
25) What does CCP (Cluster Control Protocol) do in clustering?
Ans: CCP has two responsibilities:
   (a) Heartbeat messages: ICMP messages are sent from the Backup to the Active device
   (b) State synchronization: dynamic (runtime) objects are synchronised (i.e. session table, NAT table, IPsec SAs, DHCP leases)
26) What are the types of state synchronization?
Ans: Two types:
 (1) Full Sync (TCP/256) ----- done for the first time when clustering is set up
          ----- both firewalls make TCP connections
 (2) Delta Sync (UDP/8116) --- done when changes occur in the cluster
          ----- both firewalls use UDP
27) What is the time duration of Delta Sync?
Ans: The Active member sends delta sync information every 110 msec to the Standby, and the Standby takes 50 msec to sync itself. Therefore the total time taken is 160 msec.
  
28) What is TCPDUMP?
Ans: Tcpdump is a common packet analyzer / packet sniffing tool that runs from the command line.
   --- Used to capture packets
   --- Used for real-time traffic
29) What is fw monitor?
Ans: A tool for inspecting and capturing traffic at the packet level. It captures packets at multiple capture points along the firewall inspection chain.
   --- Used on Check Point
30) Difference between TCPDUMP and fw monitor?
Ans:
 TCPDUMP                                    FW MONITOR
 ------ Works on Linux                      ------ Works only on Check Point
 ------ Works only in promiscuous mode      ------ Shows traffic as it hits the kernel directly
 ------ Interface must be specified         ------ No need to specify an interface
 ------ Not CPU intensive                   ------ CPU intensive
 ------ Generally recommended first         ------ Check Point specific

31)Give some command syntax for TCPDUMP ?
Ans:

31)What is SUSPICIOUS ACTIVITY RULE (SAM)?
Ans:
Suspicious Activity Monitor (SAM) is used to dynamically block IP addresses that are allowed by the Rule Base but are involved in suspicious activity. Suspicious Activity rules are security rules that enable the system administrator to instantly block suspicious connections that are not restricted by the currently enforced security policy. These rules, once set (usually with an expiration date), can be applied immediately without the need to perform an Install Policy operation
 
Expiry of SAM rules depends on your choice, as it asks you when you want the rule to expire. You can choose next day, next week, never, or a specific date and time.

32)What is Anti-Spoofing?
Ans: 
33) What is Source NAT and Destination NAT?
Ans: SOURCE NAT: Source NAT changes the source address in the IP header of a packet. It may also change the source port in the TCP/UDP headers. Typical usage is to change a private (RFC1918) address/port into a public address/port for packets leaving a network.
DESTINATION NAT: Destination NAT changes the destination address in the IP header of a packet. It may also change the destination port in the TCP/UDP headers. Typical usage is to redirect an incoming packet with a destination of a public address/port to a private IP address/port inside your network.
34) What range of ports is used in Hide NAT?
Ans: Port numbers are dynamically assigned from two pools of numbers: 600-1023
and 10,000-60,000. If the original source port of a connection is less than 1024,
the translated port is chosen from the first range (600-1023). If the original source
port is greater than 1024, the translated port is chosen from the second range
(10,000-60,000). Based on these pools, the theoretical maximum number of
connections supported by a single valid IP address used for Hide NAT is 50,425.
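The 50,425 figure follows directly from the two pool sizes: (1023 - 600 + 1) + (60,000 - 10,000 + 1) = 424 + 50,001. As an added example (not from the original post and not Check Point's actual allocator), the code below models the pool selection rule and a toy per-address port allocator so the capacity limits can be seen by exhausting each pool. The text does not say which pool a source port of exactly 1024 maps to; treating it as the high pool is an assumption made here.

```python
from collections import deque

# Hide NAT translated-port pools as given above
LOW_POOL = (600, 1023)        # original source port < 1024
HIGH_POOL = (10000, 60000)    # original source port > 1024
# Assumption: a source port of exactly 1024 is treated as high-pool traffic.


def pool_for_source_port(src_port):
    """Pick the translated-port pool from the original source port."""
    if not 0 <= src_port <= 65535:
        raise ValueError(f"invalid port {src_port}")
    return LOW_POOL if src_port < 1024 else HIGH_POOL


def pool_capacity(pool):
    lo, hi = pool
    return hi - lo + 1


def max_hide_nat_connections():
    """Theoretical maximum concurrent connections behind one hide address."""
    return pool_capacity(LOW_POOL) + pool_capacity(HIGH_POOL)


class HidePortAllocator:
    """Toy allocator for a single hide NAT address (not Check Point's algorithm).
    Hands out translated ports from the pool the original port maps to and
    raises once that pool is exhausted, which is what caps one hide address."""

    def __init__(self):
        self.free = {p: deque(range(p[0], p[1] + 1)) for p in (LOW_POOL, HIGH_POOL)}
        self.allocated = 0

    def allocate(self, src_port):
        pool = pool_for_source_port(src_port)
        if not self.free[pool]:
            raise RuntimeError(f"hide NAT pool {pool} exhausted")
        self.allocated += 1
        return self.free[pool].popleft()

    def release(self, translated_port):
        pool = LOW_POOL if translated_port <= LOW_POOL[1] else HIGH_POOL
        self.free[pool].append(translated_port)
        self.allocated -= 1


def fill_pool(src_port):
    """Allocate for the given original source port until its pool is empty;
    return how many translated ports were handed out."""
    alloc = HidePortAllocator()
    handed_out = 0
    try:
        while True:
            alloc.allocate(src_port)
            handed_out += 1
    except RuntimeError:
        return handed_out


if __name__ == "__main__":
    print("max connections per hide address:", max_hide_nat_connections())
    print("low-pool capacity (source port 80):", fill_pool(80))
    print("high-pool capacity (source port 40000):", fill_pool(40000))
```

The split matters operationally: clients using ephemeral source ports (above 1024) draw on the 50,001-port pool, while the 424-port low pool is consumed only by connections whose original source port is privileged, so the two exhaust independently.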
35) What is the NAT expiration time for TCP and UDP connections in Hide NAT?
Ans: For TCP --- NAT expiration timer is 3600 secs
     For UDP --- NAT expiration timer is 330 secs
36) What is the default limit of the NAT table and the maximum limit?
Ans: The default limit of the NAT table is 25000 connections, and it can be extended to 50000 connections.
37)
------------------------------------------------------------------------------------------------------------------------------
CP, FW & FWM
cphaprob stat List cluster status
cphaprob -a if List status of interfaces
cphaprob syncstat shows the sync status
cphaprob list Shows a status in list form
cphastart/cphastop Starts/stops clustering on the specific node
cp_conf sic SIC stuff
cpconfig config util
cplic print prints the license
cprestart Restarts all Check Point Services
cpstart Starts all Check Point Services
cpstop Stops all Check Point Services
cpstop -fwflag -proc Stops all checkpoint Services but keeps policy active in kernel
cpwd_admin list List checkpoint processes
cplic print Print all the licensing information.
cpstat -f all polsrv Show VPN Policy Server Stats
cpstat Shows the status of the firewall
fw tab -t sam_blocked_ips Block IPS via SmartTracker
fw tab -t connections -s Show connection stats
fw tab -t connections -f  Show connections with IP instead of HEX
fw tab -t fwx_alloc -f Show fwx_alloc with IP instead of HEX
fw tab -t peers_count -s Shows VPN stats
fw tab -t userc_users -s Shows VPN stats
fw checklic Check license details
fw ctl get int [global kernel parameter] Shows the current value of a global kernel parameter
fw ctl set int [global kernel parameter] [value] Sets the current value of a global kernel parameter. Temporary only; cleared after reboot.
fw ctl arp Shows arp table
fw ctl install Install hosts internal interfaces
fw ctl ip_forwarding Control IP forwarding
fw ctl pstat System Resource stats
fw ctl uninstall Uninstall hosts internal interfaces
fw exportlog .o Export current log file to ascii file
fw fetch Fetch security policy and install
fw fetch localhost Installs (on gateway) the last installed policy.
fw hastat Shows Cluster statistics
fw lichosts Display protected hosts
fw log -f Tail the current log file
fw log -s -e Retrieve logs between times
fw logswitch Rotate current log file
fw lslogs Display remote machine log-file list
fw monitor Packet sniffer
fw printlic -p Print current Firewall modules
fw printlic Print current license details
fw putkey Install authentication key onto host
fw stat -l     Long stat list, shows which policies are installed
fw stat -s Short stat list, shows which policies are installed
fw unloadlocal Unload policy
fw ver -k Returns version, patch info and kernel info
fwstart Starts the firewall
fwstop Stop the firewall
fwm lock_admin -v View locked admin accounts
fwm dbexport -f user.txt used to export users , can also use dbimport
fwm_start starts the management processes
fwm -p Print a list of Admin users
fwm -a Adds an Admin
fwm -r Delete an administrator
Provider 1
mdsenv [cma name] Sets the mds environment
mcd  Changes your directory to that of the environment.
mds_setup To setup MDS Servers
mdsconfig Alternative to cpconfig for MDS servers
mdsstat To see the processes status
mdsstart_customer [cma name]  To start cma
mdsstop_customer [cma name] To stop cma
cma_migrate To migrate a SmartCenter server to a CMA
cmamigrate_assist If you don't want to go through the pain of tar/zip/ftp, and if you wish to enable FTP on the SmartCenter server
VPN
vpn tu                                            VPN utility, allows you to rekey vpn
vpn ipafile_check ipassignment.conf detail Verifies the ipassignment.conf file
dtps lic show desktop policy license status
cpstat -f all polsrv show status of the dtps
vpn shell /tunnels/delete/IKE/peer/[peer ip] delete IKE SA
vpn shell /tunnels/delete/IPsec/peer/[peer ip] delete Phase 2 SA
vpn shell /show/tunnels/ike/peer/[peer ip] show IKE SA
vpn shell /show/tunnels/ipsec/peer/[peer ip] show Phase 2 SA
vpn shell show interface detailed [VTI name] show VTI detail
Debugging
fw ctl zdebug drop shows dropped packets in realtime / gives reason for drop
SPLAT Only
router Enters router mode for use on Secure Platform Pro for advanced routing options
patch add cd  Allows you to mount an iso and upgrade your checkpoint software (SPLAT Only)
backup Allows you to perform a system operating system backup
restore Allows you to restore your backup
snapshot Performs a system backup which includes all Check Point binaries. Note : This issues a cpstop.
VSX
vsx get [vsys name/id] get the current context
vsx set [vsys name/id] set your context
fw -vs [vsys id] getifs show the interfaces for a virtual device
fw vsx stat -l shows a list of the virtual devices and installed policies
fw vsx stat -v shows a list of the virtual devices and installed policies (verbose)
reset_gw resets the gateway, clearing all previous virtual devices and settings.


