
Check Point Software Technologies Ltd.

We Secure the Internet.

Check Point Security Administration NGX III


Student Handbook
P/N:701549

© 2006 Check Point Software Technologies Ltd.

All rights reserved. Check Point, Application Intelligence, Check Point Express, the Check Point logo, AlertAdvisor, ClusterXL, Cooperative Enforcement, ConnectControl, Connectra, CoSa, Cooperative Security Alliance, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, IMsecure, INSPECT, INSPECT XL, Integrity, InterSpect, IQ Engine, Open Security Extension, OPSEC, Policy Lifecycle Management, Provider-1, Safe@Home, Safe@Office, SecureClient, SecureKnowledge, SecurePlatform, SecuRemote, SecureServer, SecureUpdate, SecureXL, SiteManager-1, SmartCenter, SmartCenter Pro, Smarter Security, SmartDashboard, SmartDefense, SmartLSM, SmartMap, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartView Tracker, SofaWare, SSL Network Extender, TrueVector, UAM, User-to-Address Mapping, User Authority, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 VSX, Web Intelligence, ZoneAlarm, ZoneAlarm Pro, Zone Labs, and the Zone Labs logo, are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, and 6,496,935 and may be protected by other U.S. Patents, foreign patents, or pending applications.

Information in this document is subject to change without notice. Companies, names, and data used in examples herein
are fictitious unless otherwise noted. No part of this document may be reproduced or transmitted in any form or by any
means, electronic or mechanical, for any purpose, without the express permission of Check Point Software
Technologies, Ltd.

International Headquarters: 3A Jabotinsky Street, Diamond Tower, Ramat Gan 52520 Israel
Tel: 972-3-613 1833
Fax: 972-3-575 9256

U.S. Headquarters: 800 Bridge Parkway, Redwood City, CA 94065
Tel: 650-628-2000
Fax: 650-654-4233

Technical Support, Education & Professional Services: 2505 N. Highway 360, Suite 800, Grand Prairie, TX 75050
Tel: 817-606-6612
Fax: 817-606-6552

Document #: DOC-Manual-VPN-03-S-NGX


Revision: RSNGX001
Content: Steve Luc
Theresa Chung
Graphics: Derek Anderson
Editing: Mark Hoefle
Anna Gosling


CONTENTS

1 Check Point Security Administration NGX III 1
Course Objectives 1
Course Layout 2
Prerequisites 2
Recommended Setup for labs 3
Recommended Lab Topology 4
IP Addresses 5
Lab Terms 7
Lab Stations 8
Default Rule Base 9

2 General Troubleshooting Methods 11
Objectives 11
Key Terms 12
Troubleshooting Guidelines 13
Identifying the Problem 13
Collecting Related Information 14
Listing Possible Causes 15
Testing Causes Individually and Logically 15
Consulting Various Reference Sources 15
What to Check Before Installing VPN-1 NGX 16
IP Forwarding 16
Routing 17
Connectivity 18
IP Forwarding and Boot Security 20
SIC and ICA Issues 21
SIC Port Use 21
Root Causes 22
Logging SIC 26

Debugging SIC 26
Maintaining SIC 27
Using fwm sic_reset 31
Network Address Translation 32
Client-Side Destination NAT 32
Debugging NAT 33
Collecting Data 36
Rule Base Issues 36
NAT Issues 36
Anti-Spoofing Issues 36
SmartDashboard Issues 37
Logging Issues 37
Cluster Issues 38
Security Server Issues 38
OPSEC Server Issues 39
LDAP Issues 39
Core Dump and Dr. Watson Issues 40
Review 43
Review Questions 44
Review Answers 45

3 File Management 47
Objectives 47
Key Terms 48
cpinfo 49
Overview 49
cpinfo File 50
Info View 52
Opening SmartDashboard in Info View 59
objects_5_0.C and objects.C 61
objects_5_0.C 61
objects.C 61
Object Properties in objects_5_0.C 62
DbEdit 63

objects_5_0.C Editing 65
GuiDBedit 67
fwauth.NDB 72
$FWDIR/lib/*.def Files 73
Example 73
Modifying *.def Files 74
Log Files 75
Active Log Files 75
Audit Log Files 76
Log Mechanism 76
Troubleshooting Logging Issues 77
Maintaining Logs and Log-Buffer Queue 78
Configuring Object Properties 78
Debugging Logging 81
Analysis Tools 81
Debugging Log 81
Lab 1: Using cpinfo 83
Lab 2: Analyzing cpinfo in Info View 89
Lab 3: Using GuiDBedit 93
Lab 4: Using fw logswitch and fwm logexport 101
Review 107
Review Questions 108
Review Answers 109

4 Protocol Analyzers 111
Objectives 111
Key Terms 112
tcpdump 113
tcpdump Syntax 113
tcpdump and Expressions 115
Using tcpdump 116
Viewing tcpdump Output 117
snoop 119
Using snoop 119
Reading snoop Output 120
snoop and Security 122
snoop Limitations 122
fw monitor 124
Overview 124
fw monitor Syntax 124
INSPECT Virtual Machine 126
Filter Expressions 127
fw ctl chain 127
Buffering Issues 138
Ethereal 140
Using Ethereal 140
Viewing Connection Beginnings 143
Viewing Connections Dropped by Kernel 143
Using Filters with Ethereal 143
Lab 5: Comparing Client-Side NAT vs. Server-Side NAT with fw monitor 149
Review 155
Review Questions 156
Review Answers 157

5 NGX Debugging Tools 159
Objectives 159
Key Terms 160
fw ctl debug 161
fw ctl kdebug 161
Kernel Modules 162
fw ctl debug Flags 164
Debugging fwd/fwm 169
fwd Daemon 169
fwm Process 169
Debugging 169
fwd/fwm Debug Switches 170
Debugging without Restarting fwd/fwm 170
Debugging by Restarting fwd/fwm 172
Stopping fwd debug 173
Debugging cpd 174
Use 175
Lab 6: Using cpd and fwm Debugging 177
Review 181
Review Questions 181
Review Answers 183

6 fw Advanced Commands 185
Objectives 185
Key Terms 186
fw Commands 187
fw tab Command 188
fw tab Options 188
Table Attributes 189
fw tab Examples 194
fw ctl Commands 197
fw ctl install 197
fw ctl uninstall 197
fw ctl iflist 197
fw ctl arp 198
fw ctl pstat 198
fw ctl conn 205
Other fw Commands 207
fw sam 207
fw lichosts 210
fw log 210
fw repairlog 211
fw mergefiles 211
fw fetchlogs 212
fw Advanced Commands 214
fw fwd 215
fw fwm 215
fw fetchlocal 216
fw unloadlocal 217
fw dbloadlocal 217

fw defaultgen 218
fw getifs 219
fw stat 219
fwm Commands 222
Use 222
fwm load 223
fwm dbload 224
fwm logexport 225
fwm dbexport/fwm dbimport 227
fwm lock admin 228
Lab 7: Using fw ctl pstat 229
Lab 8: Using fw stat, fwm load, and fw unloadlocal 231
Review 233
Review Questions 233
Review Answers 235

7 Security Servers 237
Objectives 237
Key Terms 238
The Folding Process 239
Overview 239
Folding-Process Example 240
Content-Security Rule Order 242
Security Server Default Messages 242
HTTP 1.0 and 1.1 243
Troubleshooting Security Server Issues 244
Reviewing CPU and Memory 245
Editing fwauthd.conf 245
Listing Possible Causes 246
Identifying Issue Sources 247
Analyzing Results 248
Debugging Security Servers 249
TD_ERROR_ALL_ALL Flag 249
FTP Security Servers 249
HTTP Security Servers 250

8 VPN Debugging Tools 257
Objectives 257
Key Terms 258
9 Troubleshooting and Debugging SecuRemote/SecureClient 293
Objectives 293
Key Terms 294
Packet Flow When Connecting/IKE Negotiation 298
Packet Flow When Connecting/Encrypting Data 298
Link Selection for Remote Access 299
Overview 299
Link-Selection Methods in VPN-1 NGX 301
SecuRemote/SecureClient Debugging Tools 306
srfw monitor 306
cpinfo 306
IKE debug 307
sr service Debug 308
IKE and sr_service Debug 308
sc log Debug 309
srfw ctl Debug 309
Enhanced Debugging Tool 311
Troubleshooting Table 313
Lab 10: Observing IKE Negotiation Between a Gateway and SecureClient 319
Lab 11: Running srfw monitor 325
Review 329
Review Question . 330
Review Answer 331

10 Advanced VPN 333
Objectives 333
Key Terms 334
Route-Based VPN 335
Domain-Based VPN 337
VPN Routing Process 338
Best Practices 339
Configuring Numbered VTIs 341
Dynamic VPN Routing 345
Configuring Dynamic VPN Routing Using OSPF 345

Wire Mode 350
How Wire Mode Works 350
Wire Mode in Route-Based VPN 353
Directional VPN Rule Match 355
Interface Groups 355
Tunnel Management 358
Permanent Tunnels 358
VPN Tunnel Sharing ...360
Tunnel-Management Configuration 360
VPN Tunnel Sharing Configuration 365
Lab 12: Route-Based VPN Using Static Routes 367
Lab 13: Dynamic VPN Routing Using OSPF 385
Review 401
Review Questions 403
Review Answers 405

11 ClusterXL 407
Objectives 407
Key Terms 408
Configuration Recommendations 409
Recommendations for ClusterXL 409
Recommendations for State Synchronization 410
Troubleshooting ClusterXL 412
cphaprob 412
cphaprob state 414
cphaprob -a if 417
cphaprob -i list 418
cphaprob -d <device> -s problem -t 0 register 419
cpstat ha -f all 420
fw ctl debug -m cluster 421
Kernel Flags 424
fwha_enable_if_probing and fwha_monitor_if_link_state 424
fwha_restrict_mc_sockets (0 by Default) 425
fwha_use_arp_packet_queue (0 by Default) 426
fwha send gratuitous arp var 426

CHAPTER 1: CHECK POINT SECURITY ADMINISTRATION NGX III

Welcome to the Check Point Security Administration NGX III course. This
course offers comprehensive training to enhance enterprise knowledge of
VPN-1 NGX, network planning, route-based VPN, and troubleshooting
procedures. Follow along as the class progresses, and take notes for future
reference.

Course Objectives

1. Troubleshoot NGX product problems using troubleshooting guidelines.
2. Collect data using the cpinfo utility, for off-line viewing and troubleshooting using the Info View utility.
3. Use protocol analyzers to capture packets and analyze packet-header formats.
4. Debug NGX issues using NGX debugging commands.
5. Use fw commands to obtain critical information about NGX component status.
6. Troubleshoot Security Server issues and debug Security Servers.
7. Use VPN debugging tools for common troubleshooting practices.
8. Troubleshoot VPN-1 SecureClient/SecuRemote issues.
9. Configure VPN-1 NGX for route-based VPN and dynamic routing.
10. Configure ClusterXL and troubleshoot ClusterXL issues.

COURSE LAYOUT

This course is designed for CCSEs who manage and support installations of
VPN-1 NGX, and who need the tools to troubleshoot and maintain these
installations. This course is also designed for CCSEs seeking their Check Point
Certified Security Expert Plus NGX (CCSE Plus NGX) certification.

The following professionals benefit best from this course:

• Systems administrators
• Security managers
• Network engineers

Prerequisites

Before taking this course, Check Point recommends you take these courses: Check Point Security Administration NGX I (Rev 1.1) and Check Point Security Administration NGX II (Rev 1.1). You must pass the CCSE NGX exam before pursuing the CCSE Plus NGX certification.

Check Point also strongly suggests you have the following knowledge base:

• Working knowledge of TCP/IP
• Working knowledge of Windows and/or UNIX
• Working knowledge of network technology
• Working knowledge of the Internet
• Check Point Certified Security Administrator NGX certification
• Check Point Certified Security Expert NGX certification

RECOMMENDED SETUP FOR LABS

The following is a sample setup for the hands-on labs that supplement this handbook:

• The Internet servers (www.yourcity.cp) cannot communicate directly with the Internet. These servers have private IP addresses. Each Security Gateway and Internet server has a unique IP address.
• You will use the following passwords in this course:
  abc123 — Windows platforms
  qaz123 — SecurePlatform Pro
  Your instructor may provide additional passwords.
• This handbook and course use the following conventions for interface assignments on the Security Gateway:
  — eth0 is assigned as the external interface.
  — eth1 is assigned as the internal interface.
  — eth2 is assigned as the sync network/leased-line interface.
  — All interface-naming schemes are based on a SecurePlatform installation.


Recommended Lab Topology

The following is a sample eight-station lab topology:

[Figure CP00107: eight-station lab topology. Each station pairs a Web server with its Security Gateway (webrome/fwrome, weboslo/fwoslo, webtoronto/fwtoronto, webmadrid/fwmadrid, webzurich/fwzurich, websydney/fwsydney, webcambridge/fwcambridge, websingapore/fwsingapore). The gateways' external interfaces connect through hubs to the dallas host (int 10.5.9.1/24, ext 172.29.109.1/16), which holds the default-gateway addresses 172.21.101.2/16 through 172.29.109.2/16; the gateways' sync interfaces share 192.168.22.0/24. The individual addresses are listed in the IP Addresses tables that follow.]

IP Addresses

The table below lists the IP addresses of the Security Gateways in the NGX lab
topology:

VPN-1 NGX      NIC              IP Address
fwrome         fw internal      10.1.1.1/24
               fw external      172.21.101.1/16
               fw sync          192.168.22.101/24
               default gateway  172.21.101.2/16
fwoslo         fw internal      10.2.2.1/24
               fw external      172.22.102.1/16
               fw sync          192.168.22.102/24
               default gateway  172.22.102.2/16
fwtoronto      fw internal      10.1.3.1/24
               fw external      172.23.103.1/16
               fw sync          192.168.22.103/24
               default gateway  172.23.103.2/16
fwmadrid       fw internal      10.2.4.1/24
               fw external      172.24.104.1/16
               fw sync          192.168.22.104/24
               default gateway  172.24.104.2/16
fwzurich       fw internal      10.3.5.1/24
               fw external      172.25.105.1/16
               fw sync          192.168.22.105/24
               default gateway  172.25.105.2/16
fwsydney       fw internal      10.4.6.1/24
               fw external      172.26.106.1/16
               fw sync          192.168.22.106/24
               default gateway  172.26.106.2/16
fwcambridge    fw internal      10.3.7.1/24
               fw external      172.27.107.1/16
               fw sync          192.168.22.107/24
               default gateway  172.27.107.2/16
fwsingapore    fw internal      10.4.8.1/24
               fw external      172.28.108.1/16
               fw sync          192.168.22.108/24
               default gateway  172.28.108.2/16

This table lists the IP addresses of the Web servers in the NGX lab topology:

Web Server (Web site)                  NIC              IP Address
webrome (www.rome.cp)                  www internal     10.1.1.101/24
                                       default gateway  10.1.1.1/24
weboslo (www.oslo.cp)                  www internal     10.2.2.102/24
                                       default gateway  10.2.2.1/24
webtoronto (www.toronto.cp)            www internal     10.1.3.103/24
                                       default gateway  10.1.3.1/24
webmadrid (www.madrid.cp)              www internal     10.2.4.104/24
                                       default gateway  10.2.4.1/24
webzurich (www.zurich.cp)              www internal     10.3.5.105/24
                                       default gateway  10.3.5.1/24
websydney (www.sydney.cp)              www internal     10.4.6.106/24
                                       default gateway  10.4.6.1/24
webcambridge (www.cambridge.cp)        www internal     10.3.7.107/24
                                       default gateway  10.3.7.1/24
websingapore (www.singapore.cp)        www internal     10.4.8.108/24
                                       default gateway  10.4.8.1/24
webdallas (www.dallas.cp)              www internal     172.29.109.1/16
                                       default gateway  172.29.109.2/16

Lab Terms

Yourcity — the city name for your lab station pair

Partnercity — the name of your partner city

Site number — a number between 1 and 9 assigned to your lab-station pair


Default Rule Base

The Rule Base below is the default Rule Base used throughout this handbook.
Create this Rule Base now, if your instructor has not already created it for you.
Note that this Rule Base has been created for city sites Rome and Oslo.
Substitute your city site, based on your classroom's topology.

No.  Name                  Source                 Destination    VPN          Service     Action  Track
1    NetBIOS Rule          Any                    Any            Any Traffic  NBT, bootp  drop    None
2    SSH Access Rule       [not legible]          fwoslo         Any Traffic  ssh         accept  Log
3    Stealth Rule          [not legible]          fwoslo         Any Traffic  Any         drop    Log
4    [not legible] Rule    Any                    www.oslo.cp    Any Traffic  http        accept  Log
5    Partner Cities Rule   Net_Oslo, Net_Madrid   Madrid, Oslo   Any Traffic  http        accept  Log
6    Internet Access Rule  Net_Oslo               Any            Any Traffic  http        accept  Log
7    Cleanup Rule          Any                    Any            Any Traffic  Any         drop    Log

Default Rule Base


CHAPTER 2: GENERAL TROUBLESHOOTING METHODS

A critical part of a Security Administrator's responsibilities is troubleshooting network problems. This chapter provides troubleshooting guidelines: defining the problem, identifying possible causes, narrowing them down to one or a few, and finding and testing fixes.

Objectives

1. Test IP forwarding, routing, and connectivity before installing VPN-1 NGX.
2. Monitor the effect of the Default Filter and Initial Policy on traffic through a Security Gateway, to demonstrate the protection these offer.
3. Troubleshoot Secure Internal Communications and Internal Certificate Authority issues.
4. Troubleshoot Network Address Translation (NAT) issues.
5. Given an issue with a particular Check Point product, list the data required for troubleshooting.


Key Terms

IP forwarding
Default Filter
Initial Policy
Secure Internal Communications (SIC)
Source NAT
Destination NAT
Core file

TROUBLESHOOTING GUIDELINES

The variety, flexibility, and complexity of the Check Point product suite can
make every problem seem unique. Despite the challenges inherent in
maintaining and administering rapidly evolving security and connectivity
solutions, standard troubleshooting methods are still relevant. Apply the
guidelines in this section when troubleshooting NGX issues.

Identifying the Problem

Identifying a problem should begin by asking these general questions:

• Which outcome is specifically desired, but is not happening?
• What is happening, in observable and objective terms?

FAILOVER EXAMPLE

For example, when testing ClusterXL failover, start a continuous Ping from an internal host to a host outside of the cluster. Unplug the external interface from the primary member; two Pings are lost, then the Ping continues. This behavior is not a problem, but is the way ClusterXL is supposed to work. However, if after unplugging the external interface from a working primary member the Ping continues successfully but new connections cannot pass through the cluster, the problem is probably related to gratuitous ARP.

Using the two questions previously stated, you can:

• Determine the desired activity: New connections traverse the active cluster
member. This is not occurring.
• Determine what is happening, in observable and objective terms: Ping
requests are replied to, but connections cannot be established.


Gratuitous ARP is a probable cause here because a Ping is less dependent than a TCP connection on every device along the path holding the correct MAC address for the cluster's IP address. When the failover occurs (the interface is unplugged), both members issue gratuitous ARP replies to announce that they hold the cluster IP address. This causes problems if intermediate switches or routers do not correctly update their ARP caches with the new information, or if a switch does not forward the updated ARP information to the upstream router; the ARP caches of the local machines are then "polluted" with stale entries. Since the Ping request is addressed to a destination upstream of the cluster, whichever cluster member receives the packet simply forwards it toward that destination.

For a TCP/IP connection such as HTTP, however, the router cannot forward the packets through the cluster, because it cannot determine which cluster member is actually using the IP address it has as its next hop.

Collecting Related Information

Once a behavior has been identified as a problem, collect related information by answering the following questions:

• Under what circumstances does this problem occur?
• What changed before the problem occurred?

Collect log messages, error messages, core files, Dr. Watson output, and
relevant information from related documentation. Verify the configuration of
components displaying the same symptoms.

In the failover example stated earlier, the problem occurred when attempting to initiate a failover in a ClusterXL configuration. Changes before the problem occurred are currently unknown, other than the specific change initiated by unplugging the interface of the cluster member. Information about other changes can be obtained by examining the NGX logs. The audit logs may show that another Administrator was working with the cluster object or with specific cluster members. The system logs of that cluster member may show further information about possible changes in the configuration. Debugging, or examining process error logs, can indicate whether this is a configuration issue or perhaps a more serious problem.


Listing Possible Causes

Using the information gathered from symptoms and documentation, try to find
as many potential causes for each symptom. Put the most likely cause first on a
list, and organize the others in a similar fashion.

Testing Causes Individually and Logically

The goal is to narrow the list to a few causes, starting from the most likely to the
least likely causes. From the example failover issue, is this the only cluster
experiencing this issue? If the cluster is disabled, does this problem persist? Are
all connections blocked, or only some types? Does any other type of traffic
other than ICMP cross the cluster?

Consulting Various Reference Sources

Release notes, Web sites, mailing lists, SecureKnowledge, and Check Point Technical Support are common reference sources. See Check Point's Web site for these sources: www.checkpoint.com

WHAT TO CHECK BEFORE INSTALLING VPN-1 NGX

In general, a machine intended as a Security Gateway must function as a gateway at the OS level before VPN-1 NGX is installed. The gateway must route among its network interfaces. If routing does not work before installing VPN-1 NGX, the machine will not function as a Security Gateway.

Verify routing on the gateway system at the OS level. If VPN-1 NGX is already
installed on the gateway, stop the firewall services.

IP Forwarding

When a UNIX machine boots with more than one active IP interface, it routes among those interfaces by default. When an NGX Gateway is installed on UNIX, IP forwarding may be disabled, so that the OS does not forward packets before a Security Policy is loaded (see IP Forwarding and Boot Security). IP forwarding is the operating system's ability to forward packets from one interface to another. Enable it manually for testing.

ENABLING/DISABLING IP FORWARDING

• Enable IP forwarding on Solaris by running ndd:
    ndd -set /dev/ip ip_forwarding 1
• To disable IP forwarding, run ndd:
    ndd -set /dev/ip ip_forwarding 0
• To verify the status of IP forwarding:
    ndd -get /dev/ip ip_forwarding
• Verify the IP forwarding setting on SecurePlatform and SecurePlatform Pro by reading the value in the following file:
    cat /proc/sys/net/ipv4/ip_forward
  The output should be 1. If the value is 0, run the following to enable IP forwarding:
    echo 1 > /proc/sys/net/ipv4/ip_forward
  A value written to /proc this way does not survive a reboot; it is a test setting only.


• To enable IP forwarding on Windows 2000 Server or Windows Server 2003, check the value of the Registry key IPEnableRouter; it should be 1. Enabling the Routing and Remote Access service also enables IP forwarding. The path to the Registry key is:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter
  (CurrentControlSet is a link to the active control set, typically ControlSet001.) A reboot is required for a change to this value to take effect.

Routing

As a multihomed host, an NGX Gateway has routes automatically generated for its immediate networks, external and internal. The Gateway can have only one default gateway (default route), pointing to its upstream router. If there is more than one internal network reached through an internal router behind the Gateway, add static routes on the Gateway so that it can reach those remote internal networks.

For the immediate internal network, it is sufficient to point the default gateway of each machine on that network to the IP address of the Gateway's internal interface.

Before installing an NGX Gateway, at least one interface on the machine must be up and running.


Connectivity

To test connectivity with the NGX Gateway in place, Ping through the Gateway from internal nodes to nodes on the external side of the Gateway, or Ping the upstream router. Run the Ping test as follows:

1. Run fw unloadlocal on the Gateway. This unloads the Security Policy, so the Gateway forwards unfiltered traffic until a policy is installed again; do this only in a controlled environment, and reinstall the policy when the test is finished.
2. Ping from the internal host to the Gateway's internal interface.
3. Ping the Gateway's external interface.
4. Ping a known Internet site by address or name (for example, www.yahoo.com). To Ping a Web site's fully qualified domain name (FQDN), the Gateway must have a DNS server entry.
5. If the Ping can only reach the external interface of the Gateway, Ping from the Gateway itself to a known Internet site. When RFC 1918 private addresses are used on the internal networks and no NAT is in place, Ping replies from the Internet will not reach the internal hosts, because the private addresses are not routable on the Internet.
6. If you can Ping from the Gateway to the Internet, but cannot reach the Internet from an internal network, IP forwarding may not be enabled on the Gateway's OS.
7. If you can Ping all the way through, install a simple Rule Base with the necessary rules (for example, outbound HTTP), then browse known Internet sites. To resolve FQDNs, internal hosts must have a DNS server, either on an internal network or hosted by an ISP on the Internet, and Domain Name over UDP must be allowed through the Gateway.
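The pre-installation checks described above (IP forwarding switch, a single default route, and the step-by-step Ping sequence) can be run as one script. The following is an added example written for this page; it is not Check Point code or a Check Point utility. It assumes a SecurePlatform/Linux host (the /proc forwarding switch and `route -n` output layout), the embedded routing table is constructed to match the fwoslo lab station, and the Ping probes call the system ping binary while the diagnosis logic itself runs offline.

```python
"""Pre-installation gateway checks: IP forwarding, routing, connectivity.

Added example for this handbook section (not Check Point code). Assumes a
SecurePlatform/Linux host: the /proc forwarding switch and `route -n` output.
ROUTE_TABLE_SAMPLE is constructed to match the fwoslo lab station.
"""
from __future__ import annotations

import shutil
import subprocess
from pathlib import Path

IP_FORWARD_PATH = Path("/proc/sys/net/ipv4/ip_forward")

# Constructed `route -n` output for fwoslo: one default route via the upstream router.
ROUTE_TABLE_SAMPLE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.2.2.0        0.0.0.0         255.255.255.0   U     0      0        0 eth1
172.22.0.0      0.0.0.0         255.255.0.0     U     0      0        0 eth0
192.168.22.0    0.0.0.0         255.255.255.0   U     0      0        0 eth2
0.0.0.0         172.22.102.2    0.0.0.0         UG    0      0        0 eth0
"""


def parse_ip_forward(text: str) -> bool:
    """The /proc switch holds one digit: 1 = forwarding on, 0 = off."""
    return text.strip() == "1"


def ip_forwarding_enabled(path: Path = IP_FORWARD_PATH) -> bool:
    """Read the kernel switch (the equivalent of cat, not echo)."""
    return parse_ip_forward(path.read_text())


def default_routes(route_table: str) -> list[str]:
    """Next hops of every default route in `route -n` output.

    The Gateway needs exactly one, pointing at its upstream router.
    """
    hops = []
    for line in route_table.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] in ("0.0.0.0", "default"):
            hops.append(fields[1])
    return hops


def ping_once(host: str, timeout_s: int = 2) -> bool:
    """One ICMP echo request via the system ping; False if no reply."""
    if shutil.which("ping") is None:
        return False
    proc = subprocess.run(["ping", "-c", "1", "-W", str(timeout_s), host],
                          stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return proc.returncode == 0


def first_failed_hop(hops: list[str], probe=ping_once) -> int | None:
    """Index of the first hop in the handbook's Ping sequence that does not
    answer: 0 internal interface, 1 external interface, 2 upstream router,
    3 Internet host. None means the whole path answered."""
    for i, hop in enumerate(hops):
        if not probe(hop):
            return i
    return None


def diagnose(forwarding: bool, default_hops: list[str], failed: int | None) -> str:
    """Map the results onto the likely causes the handbook lists."""
    if len(default_hops) != 1:
        return f"expected exactly one default route, found {len(default_hops)}"
    if failed is None:
        return "path OK: install a minimal Rule Base (e.g. outbound HTTP) and browse"
    if failed == 0:
        return "internal interface unreachable: check the host's default gateway and link"
    if failed == 1:
        return "external interface unreachable: check the Gateway's interface state and addressing"
    if failed == 2:
        if not forwarding:
            return "upstream router unreachable: IP forwarding is off on the Gateway OS"
        return "upstream router unreachable: check the Gateway's default route and the router's return route"
    return ("Internet host unreachable: check DNS, and that RFC 1918 internal "
            "addresses are translated, or replies cannot return")


if __name__ == "__main__":
    hops = default_routes(ROUTE_TABLE_SAMPLE)
    fwd = ip_forwarding_enabled() if IP_FORWARD_PATH.exists() else False
    # Ping sequence for an internal host on fwoslo's lab station.
    sequence = ["10.2.2.1", "172.22.102.1", hops[0], "www.yahoo.com"]
    print(diagnose(fwd, hops, first_failed_hop(sequence)))
```

Run it on the Gateway after step 1 (fw unloadlocal), or pass `probe=` a stub to replay results captured elsewhere. Note that default_routes counts both `0.0.0.0` and `default` first fields, so it also reads `netstat -rn` style output; a count other than one is reported before any Ping result, because a second default route silently wins or loses depending on metric and makes every later symptom misleading.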

Q.) One internal host behind an NGX Gateway cannot connect to the Internet. This host has just been added to the internal network. All other hosts on the same network segment can connect to the Internet as usual. In the Rule Base there is a rule accepting outbound HTTP traffic for the entire network, and the rule is tracked as "Log". When you open SmartView Tracker, you find no logs from the problematic host. What is the next reasonable step for troubleshooting this problem?

A.) Check the routing table on that host, and make sure the default-gateway setting is correct. Test connectivity, using Ping or traceroute, from the host to the Gateway, or beyond.

Q.) You find a log indicating HTTP is accepted, the source is that host, and the rule number is correct. But the host's browser displays "page cannot be displayed". What is the next reasonable step for troubleshooting this problem?

A.) Run fw monitor, to see whether the reply packet returns to the Gateway's external interface. If the request leaves the external interface but no reply arrives, the fault lies beyond the Gateway (upstream routing, or the return path for translated addresses).

IP FORWARDING AND BOOT SECURITY

SIC AND ICA ISSUES

Secure Internal Communications (SIC) is a Certificate-based channel among SmartCenter Servers, Security Gateways, Check Point QoS, and OPSEC application servers. SIC is based on Secure Sockets Layer (SSL) with digital Certificates. When a SmartCenter Server is installed, a Certificate Authority (CA) is created by default; as a CA, the SmartCenter Server is the Internal Certificate Authority (ICA) for all components it manages. The ICA issues Certificates for all components that need to communicate with one another. For example, a Gateway needs a Certificate from its SmartCenter Server before a Security Policy can be installed on it, or before a license can be attached using SmartUpdate. Whenever any two entities (SmartCenter Server, Security Gateway, OPSEC application, or Check Point QoS) need to communicate, the file sic_policy.conf is referenced to determine which services may be used between them and how they authenticate.

SIC Port Use

Communication takes place over SIC, which uses the following ports:

• Port 18209 is used for communication between NGX Gateways and the ICA (Certificate status, issue, or revoke).
• Port 18210 is used to pull Certificates from the ICA.
• Port 18211 is used by the cpd daemon on an NGX Gateway to receive Certificates.

SIC is completely NAT-tolerant, as the protocol is based on Certificates and SIC names, not IP addresses. A NAT device between a SmartCenter Server and a Security Gateway does not affect the ability of a Check Point-enabled entity to communicate using SIC. The ports listed above must still be reachable through any intervening device.

Root Causes

As a baseline for troubleshooting SIC and ICA related issues, test the following:

• Connectivity: Is any traffic (not just SIC) able to reach the Gateway? Are the necessary SIC ports open and available?
• Domain name and IP resolution: Although SIC is completely NAT-tolerant, Check Point recommends eliminating this possibility by verifying whether there has been a DNS or IP address change on the network affecting the SmartCenter Server, or any interim routers or Gateways.
• Time: SIC Certificates carry a validity period. If the clocks of the SmartCenter Server and the Security Gateway disagree (for example, hosts in different time zones whose clocks are not set correctly), a newly issued Certificate can appear not yet valid; verify that this is not causing the conflict.
• Certificate Revocation List (CRL): Verify that the SIC Certificate is not in the CRL, and that the CRL distribution point is still reachable so that current Certificates can be validated.


SIC and ICA Issues

VERIFYING THE CERTIFICATE

View the existing Certificate assigned to the object to verify that Certificate
information is correct for the object. View the certificate in SmartDashboard by
selecting the VPN > Certificates List property of the specific Check Point
Gateway. Select the Certificate to examine, and click the View button. The
Certificate View screen displays:

Subject: CN=fwoslo VPN Certificate,O=mgmtoslo..uwoypr
Issuer: O=mgmtoslo..uwoypr
Not Valid Before: Mon Jan 30 16:28:00 2006 Local Time
Not Valid After: Sun Jan 30 16:28:00 2011 Local Time
Serial No.: 65136
Key Size: 1024
Subject Alternate Names:
IP Address: 172.22.102.1
CRL distribution points:

Certificate View of fwoslo's ICA Certificate
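As an added example (not part of the course material), the following Python script applies the Root Causes checklist above to the text of a Certificate View: it parses the displayed fields and flags an expired or not-yet-valid Certificate, a validity boundary close enough to the current time that a time-zone or clock difference between SmartCenter Server and Gateway could matter, a Subject Alternate Name IP that no longer matches the Gateway, and a missing CRL distribution point. The sample view text, the CRL URL and the 24-hour skew window are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample, modelled on the Certificate View screen for fwoslo above.
# The real screen is an image; the CRL distribution point URL is illustrative.
SAMPLE_VIEW = """\
Subject: CN=fwoslo VPN Certificate,O=mgmtoslo..uwoypr
Issuer: O=mgmtoslo..uwoypr
Not Valid Before: Mon Jan 30 16:28:00 2006 Local Time
Not Valid After: Sun Jan 30 16:28:00 2011 Local Time
Serial No.: 65136
Key Size: 1024
Subject Alternate Names:
IP Address: 172.22.102.1
CRL distribution points: http://mgmtoslo.example.com/ICA_CRL1.crl
"""

_TIME_FMT = "%a %b %d %H:%M:%S %Y"   # e.g. "Mon Jan 30 16:28:00 2006"


def parse_dn(dn):
    """Split a DN such as 'CN=x,O=y' into {'CN': 'x', 'O': 'y'}."""
    parts = {}
    for item in dn.split(","):
        key, sep, value = item.partition("=")
        if sep:
            parts[key.strip()] = value.strip()
    return parts


def parse_cert_view(text):
    """Turn the Certificate View text into a dict keyed by the displayed labels.
    The two validity stamps become naive datetimes (the Gateway's local time)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    for key in ("Not Valid Before", "Not Valid After"):
        stamp = fields[key].replace("Local Time", "").strip()
        fields[key] = datetime.strptime(stamp, _TIME_FMT)
    fields["Subject"] = parse_dn(fields["Subject"])
    fields["Issuer"] = parse_dn(fields["Issuer"])
    return fields


def check_certificate(fields, now, gateway, ica_org, gateway_ip,
                      skew=timedelta(hours=24)):
    """Apply the Root Causes checklist to a parsed view.
    Returns a list of findings; an empty list means nothing looks wrong."""
    findings = []
    subject, issuer = fields["Subject"], fields["Issuer"]
    if gateway not in subject.get("CN", ""):
        findings.append("subject CN %r does not name gateway %s"
                        % (subject.get("CN"), gateway))
    if subject.get("O") != ica_org or issuer.get("O") != ica_org:
        findings.append("certificate was not issued by the expected ICA %s" % ica_org)
    before, after = fields["Not Valid Before"], fields["Not Valid After"]
    if now < before:
        findings.append("certificate is not yet valid (starts %s)" % before)
    elif now > after:
        findings.append("certificate expired on %s" % after)
    elif now - before < skew or after - now < skew:
        # Time root cause: SmartCenter and Gateway in different time zones can
        # disagree about whether the Certificate is inside its validity window.
        findings.append("validity boundary within %s of now; check time zones "
                        "and clocks on SmartCenter and Gateway" % skew)
    if fields.get("IP Address") != gateway_ip:
        # IP resolution root cause: the Gateway's address changed after issuance.
        findings.append("SAN IP %s differs from the Gateway's current IP %s"
                        % (fields.get("IP Address"), gateway_ip))
    if not fields.get("CRL distribution points"):
        findings.append("no CRL distribution point listed; verify the CRL with "
                        "vpn crlview")
    return findings


def audit_view(text, now_iso, gateway, ica_org, gateway_ip):
    """Convenience wrapper: parse the view and check it at an ISO-8601 time."""
    return check_certificate(parse_cert_view(text), datetime.fromisoformat(now_iso),
                             gateway, ica_org, gateway_ip)


if __name__ == "__main__":
    for finding in audit_view(SAMPLE_VIEW, "2011-01-30T10:00:00",
                              "fwoslo", "mgmtoslo..uwoypr", "172.22.102.1"):
        print("finding:", finding)
```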


SIC and ICA Issues

Check Point also includes the ICA Management Tool in VPN -1 NGX, which
can be configured on a SmartCenter Server and used independently of
SmartDashboard to view and manage Certificates:

ICA Management Tool

Refer to the SmartCenter user guide and sk30501 "Setting up the
ICA Management Tool" at http://secureknowledge.checkpoint.com, for
configuration information.

The CRL and Certificates can also be viewed from the CLI using the
vpn crlview command. The syntax for the command is:

vpn crlview -obj <network object> -cert <certobj>
vpn crlview -f <certfile>
vpn crlview -view <crlfile>


VERIFYING AVAILABLE CPD PORTS

To determine whether SIC is listening to the cpd ports, use the following
commands:

Windows — netstat -na | find "18211"

UNIX — netstat -na | grep 18211

On SecurePlatform, run this command from the Expert Mode prompt.

The output is like the following:

TCP 0.0.0.0:18211 0.0.0.0:0 LISTENING

To verify the Gateway is listening for the SmartCenter Server, use the cpd -d
command. The output is below:

SIC initialization started

Read the machine's sic name: CN=module,0=mngmt.domain.com.szno9r

Initialized sic infrastructure

SIC certificate read successfully (means module already has a certificate)

Initialized SIC authentication methods


On SecurePlatform or SecurePlatform Pro, run cpd debug and redirect
the output to a separate file:

set OPSEC_DEBUG_LEVEL=3
set TDERROR_ALL_ALL=1/2/3
cpd -d >& cpd-output

If you run cpd -d without >& and the output filename, the output
displays on-screen.

Maintaining SIC

Following are recommended practices to set up and maintain SIC.

USING CORRECT FQDN TO INITIALIZE ICA

If the FQDN for the SmartCenter Server is not correct, the ICA cannot initialize
successfully. Make sure the FQDN has the correct hostname and domain name.
Make sure the SmartCenter Server's hostname is entered correctly in the hosts
file.

AVOIDING RENAMING GATEWAY OBJECT

The Certificate issued by the ICA (SmartCenter Server) is for a specific
hostname and IP address. Once the hostname has changed, the Certificate is no
longer valid. Plan carefully in terms of the naming conventions for all of your
Gateways, including the ICA itself, before you start installing and configuring.
If you must rename a Gateway after SIC is established, follow the steps below:

On the relevant Security Gateway:

1. Rename the hostname according to different OS requirements.
2. Reboot the machine, if necessary.
3. Use the cpconfig tool to reinitialize SIC for the newly created Gateway.
4. Enter a new one-time password.

On the SmartCenter Server, make sure its hosts file has the new hostname and

CHECKING ROUTING AND CPD CONNECTIONS

SYNCHRONIZING CLOCKS

Q.) Your SmartCenter Server is behind your organization's
perimeter Gateway, with Static NAT configured on the perimeter
Gateway. You have a new NGX Gateway in another city, and you
must set up SIC. When you try to initialize SIC, you receive the
error "initialized but not trusted". What are reasonable steps to
troubleshoot this error?

A.) Check the hosts file on the remote Gateway, and make sure
the SmartCenter's hostname resolves to its public IP address.
Check if there is any rule in the Policy blocking traffic between
the SmartCenter Server and remote Gateway.

RESETTING SIC

The term "resetting SIC" is often used interchangeably for two different
actions. Each has a different level of severity associated with it, depending on
the context.

When working with a Security Gateway, performing a SIC reset
refers to forcing the ICA on the SmartCenter Server to update the
CRL, so that the specific Gateway's Certificate is revoked. The
Administrator then creates a new, updated Certificate. When
working with a SmartCenter Server, resetting SIC refers to
initiating the command fwm sic_reset to revoke all Certificates,
and destroying the existing copy of the ICA.

Resetting SIC is not recommended as a first troubleshooting step to fix a SIC
problem. SIC resetting should be performed as a last resort, and should be
scheduled after business hours.


Using fwm sic_reset

Resetting SIC on the ICA (SmartCenter Server) can have serious implications
for Policy installation, logging, and other important daily functions, such as
VPN. Therefore, Check Point does not recommend resetting SIC on an ICA in
most situations, especially in an enterprise environment where multiple remote
Gateways are communicating through a VPN, using Certificates issued by the
ICA. When you reset SIC on an ICA, VPN tunnels will be interrupted, because
all IKE Certificates are to be destroyed before the ICA can be reset. After the
ICA SIC is reset, you must reset SIC on all managed Gateways.

In some unusual situations, using the fwm sic_reset command is necessary, for
example, when the SmartCenter Server's IP address or hostname is changed.


Network Address Translation

NETWORK ADDRESS TRANSLATION



Network Address Translation (NAT) can be used to translate either IP address
in a connection. When translating the IP of the machine initiating the
connection (typically the "client" of the connection), this is referred to as
Source NAT. An example of this would be a network behind a Security
Gateway that uses a nonroutable IP address range, but is hidden behind the
Gateway's external IP address on Internet-bound connections.

Destination NAT is used when the IP address of the machine receiving the
connection is translated. This address is also known as the "server" side of the
connection. An example of this would be a statically translated Web server
behind a Security Gateway.

Client-Side Destination NAT

Before VPN-1 NGX, all NAT occurred at the "server side" of the kernel, i.e., on
the outbound side of the kernel closest to the server. When NAT occurs in this
configuration, address spoofing and routing must be configured correctly.
As of VPN-1 NGX, the default method for Destination NAT is "client side",
where NAT occurs on the inbound interface closest to the client. Assume the
client is outside the Gateway, and the server is inside the Gateway with
automatic Static NAT configured. When the client starts a connection to access
the server's NAT IP address, the following happens to the original packet in a
client-side NAT:

ORIGINAL PACKET

1. The packet arrives at the inbound interface, and passes Security Policy
rules.
2. If accepted, the packet is entered into the connections table.
3. The packet is matched against NAT rules for the destination. The packet is
translated if a match is found.


4. The packet arrives at the TCP/IP stack of the NGX Gateway, and is routed
to the outbound interface.

The packet is translated, so it is routed correctly without any need
to add a static route to the Gateway.

5. The packet goes through the outbound interface, and is matched against
NAT rules for the source.
6. NAT takes place, if a match is found for translating the source.
7. The packet leaves the Security Gateway.

REPLY PACKET

1. The reply packet arrives at the inbound interface of the Gateway.
2. The packet is passed by the Policy, since it is found in the connections table.
3. The packet's destination, which is the source of the original packet, is
translated according to NAT information in the tables.
4. The packet arrives at the TCP/IP stack of the Gateway, and is routed to the
outbound interface.
5. The packet goes through the outbound interface. The packet's source, the
destination of the original packet, is translated according to the information
in the NAT tables.
6. The packet leaves the Gateway.
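Added example, not from the course material: a Python model of the client-side Destination NAT sequence described above, carrying both the original packet and its reply through the same numbered steps, so the order of the two translations (destination on the inbound side, source on the outbound side, and the reverse for replies) can be traced. The addresses are constructed documentation ranges, and Hide NAT port allocation is omitted.

```python
from collections import namedtuple

# src/dst are IP strings, sport/dport are integers
Packet = namedtuple("Packet", "src dst sport dport")


class ClientSideNatGateway:
    """Model of the VPN-1 NGX client-side NAT sequence described above.

    Destination NAT happens on the inbound side (closest to the client), so the
    TCP/IP stack routes on the real server address; source NAT happens on the
    outbound side.  Replies are matched in the connections table and the two
    translations are undone in the reverse order.
    """

    def __init__(self, static_nat, hide_nat, accepted):
        self.static_nat = static_nat  # {NAT (public) IP: real server IP}
        self.hide_nat = hide_nat      # {internal client IP: hiding IP}; port allocation omitted
        self.accepted = accepted      # {(dst IP, dport)} accepted by the Rule Base
        self.connections = {}         # original 5-tuple -> translations applied
        self.trace = []

    def handle_original(self, pkt):
        """Steps 1-7 for the first packet of a connection; None means dropped."""
        # 1. Inbound interface: match the untranslated packet against the Policy.
        if (pkt.dst, pkt.dport) not in self.accepted:
            self.trace.append("drop: no rule accepts %s:%d" % (pkt.dst, pkt.dport))
            return None
        # 2. Accepted: enter the connection in the connections table.
        record = {"dst": None, "src": None}
        self.connections[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = record
        # 3. Still inbound: destination NAT (client side).
        real = self.static_nat.get(pkt.dst)
        if real:
            record["dst"] = (pkt.dst, real)
            pkt = pkt._replace(dst=real)
            self.trace.append("xlate dst -> %s" % real)
        # 4. The stack now routes on the real address: no static route needed.
        # 5-6. Outbound interface: source NAT if a rule matches.
        hide = self.hide_nat.get(pkt.src)
        if hide:
            record["src"] = (pkt.src, hide)
            pkt = pkt._replace(src=hide)
            self.trace.append("xlate src -> %s" % hide)
        # 7. The packet leaves the Gateway.
        return pkt

    def _lookup_reply(self, pkt):
        """Find the connection whose translated packet this reply answers."""
        for key, record in self.connections.items():
            osrc, osport, odst, odport = key
            server = record["dst"][1] if record["dst"] else odst
            client = record["src"][1] if record["src"] else osrc
            if (pkt.src, pkt.sport, pkt.dst, pkt.dport) == (server, odport, client, osport):
                return record
        return None

    def handle_reply(self, pkt):
        """Steps 1-6 for a reply packet; None means the Policy dropped it."""
        # 1-2. Inbound: the reply passes only if it is in the connections table.
        record = self._lookup_reply(pkt)
        if record is None:
            self.trace.append("drop: reply not in connections table")
            return None
        # 3. Inbound: translate the destination back to the original source.
        if record["src"]:
            pkt = pkt._replace(dst=record["src"][0])
        # 4. Routed to the outbound interface on the real client address.
        # 5. Outbound: translate the source back to the original destination.
        if record["dst"]:
            pkt = pkt._replace(src=record["dst"][0])
        # 6. The reply leaves the Gateway.
        return pkt


if __name__ == "__main__":
    # Constructed topology: web server 10.1.1.80 statically translated to
    # 192.0.2.80; internal clients hidden behind the external IP 192.0.2.1.
    gw = ClientSideNatGateway({"192.0.2.80": "10.1.1.80"},
                              {"10.1.1.50": "192.0.2.1"},
                              {("192.0.2.80", 80), ("203.0.113.9", 443)})
    out = gw.handle_original(Packet("198.51.100.7", "192.0.2.80", 40000, 80))
    back = gw.handle_reply(Packet("10.1.1.80", "198.51.100.7", 80, 40000))
    print("to server:", out)
    print("to client:", back)
    print("\n".join(gw.trace))
```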

Debugging NAT

fw ctl debug is the primary command for observing the NGX kernel's actions
on a packet. It is also used for configuring debugging on almost any action that
VPN-1 NGX can take on a packet or connection. The standard format for the
command is as follows:

fw ctl debug

Running this command from the CLI produces a list of currently running
modules and debugging flags. When the command is issued with an argument
following it, the default kernel module acted on is the fw module.

FW CTL DEBUG ARGUMENTS

The following are the arguments for fw ctl debug:

-buf            Sets the buffer size used by the debug process
+ <flag name>   Turns on the debugging flag named after the +, such as
                fw ctl debug + smtp
-x              Disables all debugging flags
0               Resets all debugging flag values to default settings
-m              Specifies the kernel module that will be flagged in the debug
kdebug -f >&    Directs the output of the debugging session to the file
                named after >&
DEBUGGING NAT PROCESS


Collecting Data

COLLECTING DATA

This section identifies data to be collected for troubleshooting particular issues.

Rule Base Issues

To begin troubleshooting an issue with an NGX Rule Base, collect the relevant
log records, fw monitor capture file, and cpinfo file.

NAT Issues

For NAT issues, collect the following information:

• cpinfo file
• Network-configuration diagram
• fw monitor
• fw ctl debug, as follows:
  fw ctl debug -buf
  fw ctl debug + xlate xltrc
  fw ctl kdebug -f > /tmp/kdebug.out
  — Press CTRL + C to stop the debugging session.
  — Disable fw ctl debug by running:
  fw ctl debug 0

Anti-Spoofing Issues

To troubleshoot anti-spoofing issues, collect the following:

• cpinfo file
• Network-configuration diagram
• fw monitor capture file


SmartDashboard Issues

If there is an issue logging in to SmartConsole, verify the following items:

1. SmartDashboard compatibility with the SmartCenter Server: From the Help
menu in SmartDashboard, check the build number of the SmartDashboard.
Make sure the build number is compatible with the SmartCenter Server,
according to NGX release notes.
2. Verify the fwm process is up and running on the SmartCenter Server.
3. Verify the GUI client's IP address is addressed correctly in the cpconfig
utility on the SmartCenter Server. Alternately, verify that the IP address
from where SmartDashboard is launched is defined in the GUI client's file.
4. Collect the following data:
• cpinfo file
• Error messages from the log and console
• fwm debug by running the following command:
  fw debug fwm on TDERROR_ALL_ALL=4

This will set the fwm to debug "on the fly" and write the output to
$FWDIR/log/fwm.elg

Logging Issues

1. Collect the following:
   • Log files
   • cpinfo file
2. For SmartView Tracker issues, run the command fwm logexport to ensure all
columns are complete.
3. If log records are not written to the log file and fw log and fwm logexport do
not show new records, run fwd -d -D. This includes a special debugging
option for FW1_LOG connections.


Cluster Issues

1. Collect the following:
   • fw monitor file from relevant interfaces
   • cpinfo file from the SmartCenter Server and all cluster members
   • Network-configuration diagram
   • Information about switches used in the cluster environment, if any
2. Issue the following command simultaneously on all cluster members:
   fw tab -s -t connections > file_name

Since the introduction of per-service synchronization, the
fw tab -u command is not as useful in verifying that State
Synchronization is working in a running cluster.

Security Server Issues

Collect the following:

• cpinfo file
• Error messages from the SmartCenter Server's logs and console
• fw monitor -u
(The -u switch configures fw monitor to capture traffic and include the
UUID of the connections and objects involved in that session).
• Appropriate log files from the Security Gateway's $FWDIR/log directory:
ahttpd.elg
aftpd.elg
asmtpd.elg

OPSEC

1. CVP/UFP servers: information relating to the CVP server and to the UFP
   server, the fwopsec.conf file, and the cvp.conf file on the CVP server
2. fwd debug, by running:

   fw debug fwd on

   To turn off fwd debug, run the following command:

   fw debug fwd off

LDAP

1. LDAP log
   fw monitor
2. fwd debug


3. To verify if the core dump was caused by VPN-1 NGX, run the command:
   • file core

   The output is the executable filename that caused the core dump.
   • cpinfo, while the system is in the state that caused the core dump
   • Full description of the problem

DR. WATSON OUTPUT

Collect the following information:

• Fresh Dr. Watson file (drwtsn32.log); this file should contain only the current
instance of Dr. Watson output.
• cpinfo taken from the system while in the status causing the Dr. Watson error
• Full description of the problem
• user.dmp file
• memory.dmp file
• system.dmp file for blue screen of death

Q.) How do I change the default locations of drwtsn32.log,
user.dmp or memory.dmp?

A.) Open a Dr. Watson screen by running drwtsn32 from the
command prompt. Only an Administrator can change Dr. Watson
configurations.

REVIEW


CHAPTER 3: FILE MANAGEMENT

Regular file maintenance is necessary to maintain a properly running system. In
case of emergencies, the cpinfo utility can be used to view configuration details
from an offline copy of the configuration. Log files may give an indication of
what contributed to the emergency.

Objectives

1. Collect data using the cpinfo utility, for off-line viewing and
troubleshooting using the Info View utility.
2. Use DbEdit or GuiDBedit to view and manipulate *.c and *.def files and
observe their impact on Security Gateway functionality.
3. Manage the fwauth.NDB file to maintain the user database.
4. Use log commands to observe and manipulate log files.

Key Terms

• cpinfo
• objects_5_0.C
• objects.C
• DbEdit
• Log Unification Unique ID (LUUID)

FILES

A complete collection of files is obtained from the following NGX directories:

$FWDIR/conf
$FWDIR/lib
$FWDIR/…
$FWDIR/log

These files may be extracted and used to replicate a remote NGX
a test network, for troubleshooting or

The cpinfo file contains detailed information about NGX

cpinfo files should be

Once cpinfo runs, it may take some time to complete. Do not stop

in the cpinfo file.

cpinfo File

WINDOWS

C:\Windows\FW1\R60\fw1\bin\cpinfo > cpinfo.txt

The resulting file will not be compressed or encoded. Compress this file using a
ZIP utility, if the cpinfo file is sent to Check Point Technical Support for
analysis. The output on a Windows server is a *.txt file, which you can view
with a text editor.

cpinfo

UNIX

1. Log in as superuser or in Expert Mode.
2. Execute the following script:

$CPDIR/bin/cpinfo | compress | uuencode cpinfo.Z > /tmp/cpinfo.uue

The cpinfo script does the following:

• Runs the cpinfo script, where the directory is compressed to the file
cpinfo.tar
• Uses gzip, to compress the file to fw.tar.gz
• Uuencodes the gzip file to the filename cpinfo
• Compresses cpinfo, using standard UNIX compression; modifies the
name to cpinfo.Z
• Uuencodes cpinfo.Z into the file /tmp/cpinfo.uue

To extract the cpinfo.uue file on a UNIX platform, run the following:

1. # uudecode cpinfo.uue, which decodes into the file cpinfo.Z
2. # uncompress cpinfo.Z, to uncompress into the file cpinfo
3. # uudecode cpinfo, to decode into the file fw.tar.gz
4. # gunzip fw.tar.gz, to uncompress the file fw.tar
5. # tar -xvf fw.tar, to expand the directories into the following:
   conf/
   lib/
   state/
   database/
   log/


InfoView

A quick and easy way to look at a customer's Rule Base and objects is to open
SmartDashboard using a cpinfo output file. This is done by using InfoView, a
Check Point utility. InfoView is only available for Check Point Certified
Support Partners (CSPs) with valid CSP login credentials. To view cpinfo from
InfoView, open the InfoView window first, and drag cpinfo output to the
InfoView window:

cpinfo Loaded in InfoView


INFORMATION TESTING

Depending on the problem you are troubleshooting, you can look for different
information in cpinfo. The right panel of InfoView displays a list of information
you can test, for example, hostname, licensing, and duplicate objects. InfoView
gives you quick results, but not detailed information. Detailed information can
be found in the left pane of InfoView. Test items and their purpose are shown in
the table below:

Test items          Purpose

Hosts File          Verify hosts file.
License-Object      Verify that every license has a corresponding interface in the
                    machine's object.
Duplicate Objects   Check for duplicate objects in the objects file.
All Interfaces      Run tests on all interfaces of the machine.
Machine Interfaces  Verify the validity of the object representing the tested
                    machine.
I/F-Object          Verify that the machine is referred to in the objects file.
Process             Verify the percent of CPU time of Check Point related
                    processes does not exceed a certain limit (80%).
pstat               Check that values in FireWall-1 Statistics and SecuRemote
                    Statistics (ctl pstat) are at a reasonable limit.
IP fwd              Check IP forwarding.
License             Check licensing.
Support HotFix      Verify whether there are HotFixes installed on the machine.


TEXT INFORMATION


In the following example, this cpinfo indicates the machine is a primary
SmartCenter Server and not a Gateway, because the value of the Management
key is 1 and the FireWall key is 0:

CP Product keys
key: CPDIR C:\Program Files\CheckPoint\CPShared\R60
key: ISCONFIGURED 1
key: Auth 0
key: Encryption 1
key: FireWall 0
key: FWDIR C:\WINDOWS\FW1\R60\fw1
key: FWManagement 1
key: IsConfigured 1
key: Management 1
key: Primary 1
key: ProductName FireWall-1
key: Unlimit 1

CP Product keys Screen


SYSTEM INFORMATION

System information can be found in cpinfo. Information such as OS name,
version and build number, environment variables, CPU and memory use of
running processes (in ps -auxww), and file system use (in df -k):

FireWall-1 Version Information
CPShared Version Information
System Information
  date
  hostname
  uname -a
  SecurePlatform Version
  hostid
  OS data from file /etc/issue
  uptime
  ps auxww
  vmstat 1 10
  lsdev -C
  Additional System information
  env
  df -k
  df -k /opt/CPsuite-R60/fw1
  Package Manager Report (rpm)
  List PCI devices
  Free Memory Information
  Slab Information (slabinfo)
  Additional Memory Information (meminfo)
  Additional Cpu Information (cpuinfo)
IP Interfaces

System Information

INTERFACE AND ROUTING INFORMATION

Interface information can also be found in cpinfo. ifconfig -a gives a list of all
interfaces and their status; fw ctl iflist is a list of interfaces bound to the NGX
kernel. If the fw ctl iflist and ifconfig -a outputs have discrepancies, that means
some interfaces are not recognized by the NGX kernel, which can cause various
problems, such as Policy installation failure or dropped traffic. The interface
names and IP addresses in the ifconfig -a list must be identical to the ones in
the Topology screen of the Gateway object. Make sure you obtain the correct
interface names and IPs, when clicking the Get button from the Topology
screen in the Gateway object.


netstat provides routing table, ARP table and TCP socket
information. These are important tools for troubleshooting
connectivity issues.

IP Interface and netstat Information


FIREWALL-1 TABLES

FireWall-1 table information can be found from a Gateway cpinfo, but a
SmartCenter Server cpinfo does not contain table information. The Infotab button
displays the content of a table in hexadecimal and decimal format. The
following example highlights a FireWall-1 table displayed by clicking the
Infotab button at the top. You can tell the types of traffic passing through the
Gateway kernel when cpinfo runs. You can compare two or more cluster
members' connections-table information regarding particular traffic.

InfoTab Screen

HIGH AVAILABILITY INFORMATION

High Availability information can be found from a Gateway's cpinfo file;
cpinfo from a SmartCenter Server-only machine does not have High
Availability information.


Opening SmartDashboard in InfoView

SmartDashboard can be opened from InfoView, as long as the cpinfo is from a
SmartCenter Server. cpinfo from a Gateway-only machine cannot be used to
open SmartDashboard.

To open SmartDashboard inside InfoView:

1. Highlight the hostname on the top of the left pane:

Hostname Highlighted

2. Click the SmartDashboard icon on the top button, then click Explicit:

SmartDashboard Icon


3. Select the correct FwPolicy.exe file on your local drive, from where you
installed SmartConsole:

FwPolicy.exe Selected

4. Click Open. SmartDashboard opens.


objects_5_0.C and objects.C

OBJECTS_5_O.C AND OBJECTS.C



objects_5_0.C

The objects_5_0.C file contains a section of properties whose values affect
global NGX behavior. Normally, this file is not modified directly, but rather
through SmartDashboard > Policy > Global Properties. objects_5_0.C also
stores network objects, server objects, service objects, time objects, and other
miscellaneous data. There are some selections requiring additions or
modification that are not controllable through SmartDashboard.

objects_5_0.C is the master file that fwm recognizes for its normal operation,
so the file must be created as part of an NGX installation. This file is either
newly created on installation of VPN-1 NGX, or is upgraded from VPN-1/FireWall-1
4.1.

objects.C

objects_5_0.C is used only by the SmartCenter Server. During Policy
compilation, the objects_5_0.C file creates the objects.C file, which is then
passed to the NGX Security Gateway, and contains information required for its
operation. The objects_5_0.C and objects.C files are located in the $FWDIR/conf/
directory. A new objects.C file is created every time a Policy is installed on a
Gateway, along with a new Policy.


Object Properties in objects_5_0.C

objects_5_0.C is a master list of properties. The objects listed in the file are
definitions of how VPN-1 NGX manipulates traffic that passes through its
kernel to the real-world resources represented by those objects. The properties
of these objects further define how VPN-1 NGX inspects and manipulates this
traffic. The file starts with global properties, followed by SmartCenter Server
object properties, then gateway-object properties, and other objects' properties.
The following is gateway object fwoslo's Certificate property:

SmallOffice (false)
UA_server (false)
VPN_allow_relay (false)
VPN_relay_if_name ()
add_adtr_rule (false)
allow_extranet (false)
allow_send_logs (false)
amazonas_machine (false)
apply_nat_for_cp_conns (false)
backup_gateway ()
ca_wait_mode_specific_signon_menu_enable (false)
certificates (
        : (defaultCert
                :AdminInfo (
                        :chkpf_uid ("{141CBCFF-FC14-45?0-B9FD-0EE2DCS0DACt")
                        :ClassName (certificate)
                )
                :"$certreq-pki-gen" (false)
                :"ipki-host-cert-set" (false)
                :ca (ReferenceObject
                        :Name (internal_ca)
                        :Table (servers)
                        :Uid ("{26D02974-F0D4-4767-A8E7-A1D48B70734F}")
                )
                :direct_ca (ReferenceObject
                        :Name (internal_ca)
                        :Table (servers)
                        :Uid ("{26D02974-F0D4-4767-A8E7-A1D48B70734F}")
                )
                :dn ("CN=fwoslo VPN Certificate,O=weboslo..audwQz")
                :generated_by_auto_enrollment (true)
                :pkisignkey (4f75ab9794ad57cc1755ea6f)
                :status (signed)
        )
)

objects_5_0.C Properties


DbEdit

To modify objects_5_0.C, use the DbEdit utility, which allows the creation,
modification, and deletion of objects. The utility is located in the $FWDIR/bin
directory. objects_5_0.C is modified using the following syntax:

DbEdit [-s server] [-u user] [-p password] [-f filename]

Option Explanation

-s server The IP or resolvable hostname of the SmartCenter Server

-u user The Administrator's username for the SmartCenter Server

-p password The Administrator's password for the SmartCenter Server

-f filename The filename containing the creation or modification commands


Using the DbEdit utility allows validation and verification of changes,
including Audit log records. This is a better method than editing the files
directly, due to the validation process.


DBEDIT COMMANDS

Following are the commands for DbEdit:

Command Explanation

create Creates an object with its default values; this command does not
commit the object to the database. The create command may use
an extended or owned object.

modify Modifies fields of an object, which are:
1) Stored in the database; the command will lock the object.
2) Newly created by DbEdit; modifications are kept by the client,
until committed to the database, by the update or quit commands.

update Updates the database with the object; this command checks object
validity and will issue an error message; invalid fields can be
modified using the modify command.

delete Deletes an object from the database, and from the client-implicit
database

quit Quits and updates the database with modified objects that are not
yet committed

The modify command allows the use of extended formats for
owned objects:

[field_name] = Field_A.Field_B

DbEdit uses the TDERROR mechanism to print detailed status and error messages.
The TDERROR Topic Name is given the DBEDITLOGS value. This is an example of
this variable set on Solaris:

set TDERROR_DBEDITLOGS=3


SYNTAX

create <object_type> <object_name>

modify <table_name> <object_name> <field_name> <value>

update <table_name> <object_name>

• Following is an example of the create command:

create tcp_service my_service

• Following is an example of the modify command:

modify services my_service port 8080

• Once the modifications are complete, an update is necessary:

update services my_service

It is not possible to change the name of a gateway object,
because the name is used in the object's Certificate.

objects_5_0.C Editing

Before editing the objects_5_0.C file:

1. Close all running instances of SmartConsole.
2. Back up the original $FWDIR/conf/objects_5_0.C to another directory.
3. From a command line, run DbEdit.
4. Enter a resolvable hostname or IP address, when prompted.
5. Enter the username and password of the Administrator when prompted. The
following is a sample command, modifying a property of the
firewall_properties object in the properties table of the objects_5_0.C file:
modify properties firewall_properties hclient_enable_new_interface false

The above command changes the hclient_enable_new_interface (true)
property to hclient_enable_new_interface (false).

6. To: ; the

7. To exit DbEdit, issue quit.


8. Install the Policy.
9. Issue quit to exit to save j

The in 5 O.Ci by


GuiDBedit

GuiDBedit, also known as the Check Point Database Tool, is a graphical
utility that can be used to manipulate the configuration files of VPN-1 NGX, in
the same way that DbEdit is used from the command line. The GuiDBedit.exe
file is installed in the C:\Program Files\CheckPoint\SmartConsole\R60\PROGRAM
directory with the SmartDashboard executable, but no link is created for the file
in the Start menu's Check Point group.

(Screenshot: GuiDBedit)


Double-clicking the GuiDBedit.exe icon opens the GuiDBedit login screen:

(Screenshot: GuiDBedit Login Screen)

Use the same credentials as in SmartDashboard to log into GuiDBedit.

GUIDBEDIT PANES

1. When GuiDBedit opens, it is divided into three panes: The top left pane has
two tabs, Tables and Queries. When the Tables tab is selected, a listing of
the tables available on the SmartCenter Server is visible:

(Screenshot: Tables Pane)


2. The top right pane (Objects pane) shows entries in that table:

(Screenshot: Objects Pane)

3. The bottom pane lists properties for selected table entries:

Properties Pane

To perform the same modifications as done with DbEdit, the Administrator
opens the Global Properties branch in the Tables pane, then selects the
properties table. In the Objects pane, the firewall_properties object appears.
When this object is selected, the Properties pane lists all properties available
for editing.

The box is
giving a choice between True or False for this property. Select False, and

QUERY TAB

2. Advanced mode:

(Screenshot: Query Editor, Advanced Mode)

Refer to the GuiDBedit help files for further information on creating and
saving database queries.

FWAUTH.NDB

$FWDIR/lib/*.def Files

$FWDIR/LIB/*.DEF FILES

There are multiple lib folders on an NGX SmartCenter, each of them
containing a set of *.def files (such as base.def, rtsp.def, dcerpc.def, and
others). These files define the behavior and functions of VPN-1 NGX.

Modifying *.def files should only be done when absolutely necessary. Before
making any changes to *.def files, the Administrator must know the security
implication of those changes. Check Point recommends confirming with Check
Point Technical Support the impact of *.def modifications on NGX behavior
and functionality.

Changes are made on the SmartCenter Server only. *.def files on a Security
Gateway are irrelevant. Changes made to *.def files on a SmartCenter Server
are transferred to the Gateway during Policy installation. However, the changes
will only apply in the Gateway's kernel, and are not written to the Gateway's
individual *.def files. The actual *.def files on the Gateway remain
unmodified.

Editing a *.def file on an NGX SmartCenter should be done in the correct
folder, according to the managed Gateway's version. When the managed Gateway
is not running VPN-1 NGX, the corresponding *.def file is not located under
the $FWDIR/lib directory. It is located in the /lib directory under the
relevant backward-compatibility directory.

Example

Use the command find / -name dcerpc.def on SecurePlatform, to find the
dcerpc.def file located in the following folders:

/opt/CPsuite-R60/fw1/lib/dcerpc.def

/opt/CPsuite-R60/fw1/libsw/dcerpc.def

/opt/CPEdgecmp/lib/dcerpc.def

/opt/CPEdgecmp/libsw/dcerpc.def

/opt/CPngcmp-R60/lib/dcerpc.def

/opt/CPR55WCmp-R60/lib/dcerpc.def

Modifying *.def Files

To modify dcerpc.def for a VPN-1/FireWall-1 NG Gateway managed by an NGX
SmartCenter, edit /opt/CPngcmp-R60/lib/dcerpc.def (not
/opt/CPsuite-R60/fw1/lib/dcerpc.def):

1. On

2. up the *.def file,

3. Modify the *.def file to

Any to

4.

5.

.DEF FILE MODIFICATIONS BEFORE VPN-1 NGX


Log Files

LOG FILES

Active Log Files

VPN-1 NGX includes the following log files:

Log-File Type                    Explanation

$FWDIR/log/xx.log                Real log records

$FWDIR/log/xx.logptr             Pointers to the beginning of each log record

$FWDIR/log/xx.loginitial_ptr     Pointers to the beginning of each log chain,
                                 logs that share the same Log Unification ID
                                 (LUUID)

$FWDIR/log/xx.logaccount_ptr     Pointers to the beginning of each accounting
                                 record

$FWDIR/log/xx.logLuuidDB         Additional temporary pointer file

Each time current logs are switched using SmartView Tracker or the
fw logswitch command, the above five log files are generated. If any .ptr file is
missing or corrupted, that particular log file cannot be opened. When saving
switched log files, all five of the above log files need to be saved or archived, to
open that single log file in SmartView Tracker or with the fw log <logfile>
command.

To purge or delete the current log file without saving to a backup file, run this
command:

fwm logswitch ""


Audit Log Files

In VPN-1 NGX, the audit-log files include the following:

Audit-Log File Type        Explanation

xx.adtlog                  Audit-log records

xx.adtlogptr               Pointers to the beginning of each log record

xx.adtloginitial_ptr       Pointers to the beginning of each log chain, logs
                           that share the same LUUID

xx.adtlogaccount_ptr       Pointers to the beginning of each accounting
                           record

When audit logs are switched in SmartView Tracker or with the logswitch
command, the above four types of log files are generated.

To purge or delete the current audit-log file without saving to a backup file, run
this command:

fwm logswitch -audit ""

Log Mechanism

The following information is based on Check Point Solution sk24901. See the
solution at http://secureknowledge.checkpoint.com for more information.

In situations of high load on the SmartCenter Server or log server, the Gateway
fwd daemon (which is responsible for log transfer) has a keep-alive mechanism
for communicating with its log server. The NGX Gateway caches log records in
a dedicated 4,096 KB buffer, as long as the fwd daemon is in communication
with the SmartCenter Server. If no response is received from the Server after a
couple of keep-alive check-ups, the Gateway will start logging locally to
$FWDIR/log/fw.log.


However, if communication with the SmartCenter Server is restored during the
keep-alive rotations, this buffer retransmits logs to the log server. If the
connection is restored after the keep-alive cycle ends, the files logged locally
will need to be imported to be viewed. After communication is back, the
Gateway also reports on this activity with specific logs.

Troubleshooting Logging Issues

Logging from the Security Gateway to the SmartCenter Server can fail for
numerous reasons. Some possible reasons include:

• VPN-1 Control Connections are not allowed from the Gateway to the
SmartCenter Server.
• Secure Internal Communications (SIC) failure
• DNS failure
• The Fully Qualified Domain Name (FQDN) does not resolve to the correct
IP address or does not resolve the name at all, when an FQDN is used in the
$FWDIR/conf/masters file.
• Misconfigured /etc/hosts file

One or more of the following suggestions can help troubleshoot a logging
problem:

1. Test general connectivity from the Security Gateway to the SmartCenter
Server, using Ping, or perhaps trying a Telnet connection to a Check Point
port.
2. If VPN-1 Control Connections are not allowed in the Global Policy
Properties, a rule to allow TCP 257 between the SmartCenter Server and
the Gateway is necessary.
3. Test SIC on the problematic gateway object. If a SIC connection is present,
the status reads "communicating".


INCREASING BUFFER ON SOLARIS

To increase the buffer size on Solaris, do the following:

1. Edit the /etc/system file on the Gateway and add the set command, as
follows ...
set fw:fw_log_bufsize=xxxxx

... where xxxxx is the desired size in bytes (default = 81,920 KB).
2. Reboot the Gateway for the change to take effect.

It is possible to set the buffer size on the fly by running
fw ctl set int fw_log_bufsize xxxxx, but the size will not be
persistent across reboots.

INCREASING BUFFER ON LINUX/SECUREPLATFORM

To increase the buffer size on Linux or SecurePlatform, do the following:

1. Create or modify fwkern.conf (if the file exists) in $FWDIR/boot/modules/ on
the Gateway.
2. Add the entry fw_log_bufsize=xxxxx, where xxxxx is the desired size in bytes
(default = 81,920 KB).
3. Reboot the Gateway for the change to take effect.

The fw_msg_max parameter does not exist for Linux.
Increasing the fw_log_bufsize parameter is sufficient. Setting
the fw_msg_max parameter will cause the NGX kernel not to
load.
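The fwkern.conf procedure above, as an added example (my code, not Check Point's): a helper that sets fw_log_bufsize in fwkern.conf text idempotently, refuses fw_msg_max on Linux for the reason the note gives, and audits an existing file for those mistakes. It assumes fwkern.conf is a plain key=value file with one parameter per line and "#" comments; the sample contents and the 163840 value are constructed.

```python
"""Added example (not from the handbook): maintain fwkern.conf safely.

Assumptions (mine): fwkern.conf is a key=value file, one parameter per line,
with '#' starting a comment line.
"""
from pathlib import Path
import re

# Per the handbook: fw_msg_max does not exist on Linux/SecurePlatform and
# setting it stops the NGX kernel from loading, so it is refused outright.
LINUX_UNSUPPORTED = {"fw_msg_max"}

# Parameters this helper is willing to write; anything else is rejected so a
# typo cannot silently land in the boot-time kernel configuration.
KNOWN_PARAMS = {"fw_log_bufsize"}

_POSITIVE_INT = re.compile(r"[1-9][0-9]*")


def render_fwkern_conf(text, name, value):
    """Return fwkern.conf text with name=value set, replacing earlier copies."""
    if name in LINUX_UNSUPPORTED:
        raise ValueError(f"{name} is not supported on Linux/SecurePlatform")
    if name not in KNOWN_PARAMS:
        raise ValueError(f"unknown kernel parameter {name!r}")
    if not _POSITIVE_INT.fullmatch(str(value)):
        raise ValueError("value must be a positive integer number of bytes")

    out, replaced = [], False
    for line in text.splitlines():
        key = line.split("=", 1)[0].strip()
        if key == name:
            if not replaced:
                out.append(f"{name}={value}")
                replaced = True
            continue  # drop duplicate definitions of the same parameter
        out.append(line)
    if not replaced:
        out.append(f"{name}={value}")
    return "\n".join(out) + "\n"


def audit_fwkern_conf(text):
    """Return a list of problems found in fwkern.conf text (empty = clean)."""
    problems, seen = [], {}
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if "=" not in stripped:
            problems.append(f"line {lineno}: not a key=value entry: {stripped!r}")
            continue
        key, val = (s.strip() for s in stripped.split("=", 1))
        if key in LINUX_UNSUPPORTED:
            problems.append(f"line {lineno}: {key} will prevent the kernel from loading")
        if key in seen:
            problems.append(f"line {lineno}: {key} already set on line {seen[key]}")
        seen.setdefault(key, lineno)
        if key == "fw_log_bufsize" and not _POSITIVE_INT.fullmatch(val):
            problems.append(f"line {lineno}: fw_log_bufsize must be a positive integer")
    return problems


def set_fwkern_param(path, name, value):
    """Create or update the fwkern.conf file at path on disk."""
    conf = Path(path)
    current = conf.read_text() if conf.exists() else ""
    conf.write_text(render_fwkern_conf(current, name, value))


if __name__ == "__main__":
    # Constructed sample of a mis-edited fwkern.conf (not from a real Gateway).
    sample = "fw_log_bufsize=abc\nfw_msg_max=1024\n"
    for problem in audit_fwkern_conf(sample):
        print(problem)
    print(render_fwkern_conf("# boot-time kernel parameters\n", "fw_log_bufsize", 163840), end="")
```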


INCREASING BUFFER SIZE ON WINDOWS

To increase the buffer size on Windows, do the following:

Locate the Registry key HKLM\System\CurrentControlSet\Services\FW1\

3. In the Globals key, create a DWORD value named fw_log_bufsize.
4. Modify the new fw_log_bufsize value and set the desired size in the
DWORD Value field.

6. Close the Registry Editor.


Debugging Logging

DEBUGGING LOGGING

Analysis Tools

NGX logging unifies various logs for a single connection into one log entry in
SmartView Tracker. These individual logs are retained. However, only unified
logs are displayed in SmartView Tracker. The logs are given serial numbers,
called Log Unification Unique IDs (LUUID). This allows all individual logs
to be sorted together using SmartView Reporter, or other Log Export API
(LEA) OPSEC tools.

In addition to using SmartView Tracker, you may display NGX log records
from the command line. There are four ways to display logs:

1. Initial order: Display unified logs at a specific time. This is the default
mode, as it displays in SmartView Tracker:
# fw log -m initial

2. Raw log: Display logs from a single connection produced by any kernel
driver or Security Server, by incremental log records linked with the same
LUUID:
# fw log -m raw

3. Semi unified: Display the unification process in real time:
# fw log -m semi

4. Account unified: Display account logs:
# fw log -m account

Debugging Log

1. To start debugging logs, set the environment as follows:

# setenv TDERROR_<flag name> <value 1-5>

2. To debug with all flags, set the environment as follows:

# setenv TDERROR_ALL 5


3. Run fwd in debug mode (fwd -d). All debugging information is saved to the
fwd.elg file.

This table displays the various debug flags relevant only for debugging logging,
using fwd debug mode:

Flag                 Explanation

FWLOG_CLU            Prints debugging messages from the log trap

CPLOG_CLU            cplog component responsible for unification of kernel logs

FWLOG                General logging code in fwd

FWLOG_CYC_BUFF       Logs cyclic buffer issues

FWLOG_DISPATCH       Logs the dispatching mechanism

FWLOG_AC             Active-connections mechanism

LOG_FILE             Log-file input/output

CPLOG_UNIFICATION    Prints debugging messages from the unification process

CPLOG                General debugging messages from the cplog component


Lab 1: Using cpinfo

LAB 1: USING CPINFO



Scenario: In this lab, you will collect configuration files from the NGX
installation.

Objective: Run the cpinfo command and review results.

Topics: The following topics are covered in this lab:

• Running cpinfo on a stand-alone Gateway
• Finding the following information from cpinfo output:
— System information: OS, version, hostname
— Check Point product information: installed products, versions and
builds
— License information
— The beginning of the objects_5_0.C file


RUN CPINFO ON SECUREPLATFORM AND TRANSFER FILES

1. From your Web server, log in to fwyourcity using an SSH client; once
logged in, log in to Expert Mode.

(Screenshot: SSH Client Session to fwoslo)

2. At the Expert Mode prompt for fwyourcity, run the following command:
cpinfo -o fwyourcity.txt

For purposes of this lab, there is no need to compress the output
file as specified previously in the chapter. Check Point
recommends compressing the output of cpinfo when sending
cpinfo files to Check Point Technical Support.


The file collection runs for a few seconds. As cpinfo runs, status messages are
displayed:

A SmartCenter Server with large log files may cause cpinfo to
run for a long period of time, as it compresses files. Move those
log files outside the $FWDIR directory before running cpinfo.

Once cpinfo has finished, the output file fwyourcity.txt will be created in the
default directory for the administrator: /home/admin.

3. Start an FTP session to webyourcity from fwyourcity and transfer
fwyourcity.txt to your Web server in binary mode. Although the output file
has a *.txt extension, there are embedded binary files in the cpinfo output.
Transferring the file in ASCII mode would render those embedded sections
useless.

SecurePlatform only has FTP client capabilities.
You must have an FTP server configured and running on your
Web server to transfer the files.

4. Once the file has transferred, end the FTP session and log out of your SSH
client session.


EXAMINE CPINFO OUTPUT FILE

1. Navigate to the directory to which you transferred fwyourcity.txt, and open
fwyourcity.txt using WordPad.
2. Using the Edit menu's Find selection, look for the following information in
the file:
• Check Point product and operating-system information
• License and version
• objects_5_0.C
The following is partial cpinfo.txt output, listing installed components:

CP components

FireWall-1      Yes  Ver:5.0 SP: 9 MSP: 0
SecurePlatform  Yes  Ver:5.0 SP: 9 MSP: 0
ADVR            Yes  Ver:5.0 SP: 9 MSP: 0
CPinfo          Yes  Ver:5.0 SP: 9 MSP: 0
FW1_41_BC       Unknown
NGCMP           Yes  Ver:5.0 SP: 9 MSP: 0
R55WCmp         Yes  Ver:5.0 SP: 9 MSP: 0

CP Status - FW (/opt/CPshrd-R60/bin/cpstat -f policy fw)

Product name: FireWall-1
Policy name: Standard
Policy install time: Fri Apr 7 10:44:45 2006
Num. connections: 1
Peak num. connections: 6
Total accepted packets: 23569

Partial cpinfo Output


The Security Gateway's version and build number can be found in the file
fwyourcity.txt:

VPN-1 Version Information

This is Check Point VPN-1(TM) NGX (R60) - Build 341
kernel: NGX (R60) - Build 341

FireWall-1 Management (fwm) Version Information

This is Check Point SmartCenter Server NGX (R60) - Build 387

FireWall-1 Version Information

This is Check Point VPN-1(TM) & FireWall-1(R) NGX (R60) - Build 458
kernel: NGX (R60) - Build 458

CPShared Version Information

This is Check Point SVN Foundation (R) Version NGX (R60) - Build 562

System Information

Version and Build Information


objects_5_0.C file content is also included in fwyourcity.txt:

(
	:anyobj (Any
		:color (Blue)
	)
	:superanyobj (
		: (Any
			:color (Blue)
		)
	)
	:serverobj (serverobj)
	:translations (translations)
	:servgen ()
	:log-props ()
	:state-act (
		:command_notinst2inst ()
		:command_notinst2dis ()
		:command_ins2notinst (status_alert)
		:command_inst2dis (status_alert)
		:command_dis2inst ()
		:command_dis2notinst ()
	)
	:SPIobj ()
	:version (6.0)
	:globals (
		:AdminInfo (

objects_5_0.C
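The excerpt above shows the shape of objects_5_0.C: nested ":name (value ...)" entries. The following added example (my code, not Check Point's) parses that format into a tree, so that a change made with DbEdit or GuiDBedit can be verified against the saved file without SmartConsole. It assumes the file is one parenthesised block, that an entry written ": (...)" is an unnamed list element, and that values are bare atoms or double-quoted strings; the sample text is constructed.

```python
"""Added example (not code from the handbook): a parser for the Check Point
.C object-file format seen in objects_5_0.C.

Assumptions (mine): one top-level parenthesised block; entries look like
':name (atom children...)'; ': (...)' is an unnamed list element; values are
bare atoms or double-quoted strings. Unquoted values containing ':' are not
handled by this tokenizer.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Tokens: quoted string | '(' | ')' | ':' | bare atom.
_TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|[():]|[^\s()":]+')


@dataclass
class Node:
    """One parenthesised value: an optional atom plus its child entries."""
    value: Optional[str] = None
    children: List[Tuple[Optional[str], "Node"]] = field(default_factory=list)

    def __getitem__(self, name):
        for child_name, child in self.children:
            if child_name == name:
                return child
        raise KeyError(name)

    def names(self):
        return [child_name for child_name, _ in self.children]


def parse(text):
    """Parse .C text into a Node tree; raises ValueError on malformed input."""
    tokens = _TOKEN.findall(text)
    pos = 0

    def expect(tok):
        nonlocal pos
        if pos >= len(tokens) or tokens[pos] != tok:
            found = tokens[pos] if pos < len(tokens) else "end of input"
            raise ValueError(f"expected {tok!r}, found {found!r} (token {pos})")
        pos += 1

    def value():
        nonlocal pos
        expect("(")
        node = Node()
        # Optional leading atom, e.g. the 'Any' in ':anyobj (Any ...)'.
        if pos < len(tokens) and tokens[pos] not in ("(", ")", ":"):
            tok = tokens[pos]
            pos += 1
            node.value = tok[1:-1] if tok.startswith('"') else tok
        # Zero or more child entries, each introduced by ':'.
        while pos < len(tokens) and tokens[pos] == ":":
            pos += 1
            name = None
            if pos < len(tokens) and tokens[pos] != "(":
                name = tokens[pos]
                pos += 1
            node.children.append((name, value()))
        expect(")")
        return node

    root = value()
    if pos != len(tokens):
        raise ValueError(f"trailing data after top-level block (token {pos})")
    return root


def find(node, target, path=()):
    """Return every path (tuple of entry names) where an entry called target occurs."""
    hits = []
    for name, child in node.children:
        here = path + (name,)
        if name == target:
            hits.append(here)
        hits.extend(find(child, target, here))
    return hits


# Constructed sample modelled on the objects_5_0.C excerpt; not a real file.
SAMPLE = """(
\t:anyobj (Any
\t\t:color (Blue)
\t)
\t:superanyobj (
\t\t: (Any
\t\t\t:color (Blue)
\t\t)
\t)
\t:state-act (
\t\t:command_ins2notinst (status_alert)
\t\t:command_dis2inst ()
\t)
\t:version (6.0)
\t:comments ("constructed sample, not a production database")
)
"""

if __name__ == "__main__":
    root = parse(SAMPLE)
    print("top-level entries:", root.names())
    print("version:", root["version"].value)
    print("paths to 'color':", find(root, "color"))
```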

Continue to the next lab.


Lab 2: Analyzing cpinfo in Info View

LAB 2: ANALYZING CPINFO IN INFOVIEW



Scenario: In this lab, students will use the fwyourcity.txt from the previous lab
and analyze it using the InfoView utility.

Objectives:

• Review cpinfo output in InfoView.
• Launch SmartDashboard from InfoView to analyze a Gateway's Rule Base
and objects.

Topics:

• Opening cpinfo from InfoView
• Launching SmartDashboard inside InfoView to review the Rule Base and
objects


OPEN CPINFO IN INFOVIEW

1. Download the InfoView utility and install it on your Web server.
Alternately, your instructor may have a copy of InfoView you can install on
your Web server.
2. Launch InfoView.
3. From the File menu, select Open and browse to the directory where
fwyourcity.txt is located:

(Screenshot: fwoslo.txt in InfoView)


REVIEW INSTALLED PRODUCTS, SYSTEM, LICENSE, AND OTHER INFORMATION

1. Click the System Information tree; the processor type and speed,
environment, and other information, such as routing and ARP are
displayed.
2. Close the System Information tree.
3. Click the CP products key tree to review the Check Point products installed
on your machine:

(Screenshot: CP Products Installed)

4. Close the CP Products tree.
5. Click the CP License tree to review licensing information.


LAUNCH SMARTDASHBOARD IN INFOVIEW

1. Highlight the hostname in the InfoView list.
2. Click the drop-down list of the SmartDashboard icon.
3. Select Explicit:

(Screenshot: Explicit Menu)

4. Select the path to SmartConsole and check the box Open as read-only:

(Screenshot: SmartConsole Path Selected)

5. SmartDashboard opens in local mode; use this to review the configuration
and Policy.

Continue to the next lab.


Lab 3: Using GuiDBedit

LAB 3: USING GUIDBEDIT



Scenario: In this lab, you will use GuiDBedit to create a new service object, a
new group object, and to add a service object into a group object. Also in this
lab, you will use GuiDBedit to set the global property
resolve_multiple_interfaces to true.

Objectives:

• Use GuiDBedit to create a new object.
• Use GuiDBedit to modify an object's property.
• Use GuiDBedit to modify a global-property value.

Topics:

• Logging in to GuiDBedit and creating an object
• Modifying global properties


LOG IN TO GUIDBEDIT AND CREATE AN OBJECT

1. Close all SmartConsole sessions.
2. On your Web server, right-click on the desktop, and select New > Shortcut
from the context menu.
3. Run the Create New Shortcut wizard to browse to GuiDBedit.exe, located in
C:\Program Files\CheckPoint\SmartConsole\R60\Program.
4. Double-click the newly created GuiDBedit.exe shortcut. A login screen
similar to the SmartDashboard login opens:

(Screenshot: GuiDBedit Login Screen)


5. Use the same credentials to log in as for a standard SmartDashboard session.
The GuiDBedit screen opens:

(Screenshot: GuiDBedit Screen)


6. In the Tables pane, open the Services branch and select the services table
object. The Objects pane then populates with all available objects in the
services table:

(Screenshot: GuiDBedit Services Table and Objects)

7. Select an object in the Objects pane, which changes the focus of GuiDBedit
to the Objects pane and populates the Fields pane.
8. From the Objects drop-down menu, select New. The Create Object box
opens.
9. From the Class drop-down menu, select service_group, and name the
Object "labservices". Click OK.

(Screenshot: Creating labservices Service Group)


The services table automatically refreshes, and in the Objects pane, the focus
will now shift to the newly created labservices object.
10. Use the Create Object box to create a new tcp_service called "test-service1".
11. Highlight the test-service1 object in the Objects pane, and scroll through
the Fields pane to find the port field.
12. Double-click the port field to edit it. Configure the new service with port
3333 and click OK:

(Screenshot: port Field Configured)

13. Click the Save All Changed Objects button on the menu, to write all
changes to the database:

(Screenshot: Save Changed Objects)

14. Highlight the labservices object in the Objects pane. In the Fields pane,
scroll to the container field, right-click, and choose Add. The Add/Edit
element box opens.
15. In the Object drop-down menu, scroll to the test-service1 object, highlight
it, and click OK. This adds test-service1 to the service group labservices.

(Screenshot: test-service1 Added)

16. Make the change permanent in objects_5_0.C by clicking the Save All
Changed Objects button.


MODIFY GLOBAL PROPERTIES

GuiDBedit can also be used to modify specific properties of a given object. You
will modify the resolve_multiple_interfaces property of the firewall_properties
object in the Global Properties table:

1. In the GuiDBedit Tables pane, open the Global Properties branch and select
the properties table.
2. In the Object pane, select the firewall_properties object.
3. From the toolbar, select the Search menu and choose the Find option. Use
the following information to configure the search:

Find What: resolve_multiple_interfaces
Search in: Fields
Match whole string only: Checked
Direction: Down

(Screenshot: GuiDBedit Search Tool)

4. Double-click resolve_multiple_interfaces to edit its Boolean value. Select
True and click OK.


5. Click the Save All Changed Objects button to save the updated value.

Some properties are global, and some are specific to a
Gateway. To modify properties that are unique to specific
Gateways, locate the object name in the network_objects table
in the Network Objects branch of the Tables pane.

Continue to next lab.


Lab 4: Using fw logswitch and fwm logexport

LAB 4: USING FW LOGSWITCH AND FWM LOGEXPORT

Scenario: Even though a logswitch can be configured to run regularly via the
SmartCenter object in SmartDashboard, or can run via the menu in SmartView
Tracker, using the command fw logswitch can sometimes be helpful. In this lab,
you will see that 4-5 log-pointer files are generated with the real .log file when
the fw logswitch command is executed. A distinction between logswitch and
logexport is made in this lab.

Objectives:

• Use the fw logswitch command to switch active and audit logs.
• Use fwm logexport to export logs and view them in a text editor.

Topics:

• Using fw logswitch to switch active logs
• Using fw logswitch to switch audit logs
• Using fwm logexport to export the active log and open it with WordPad
• Identifying log-pointer files after an fw logswitch run


RUN FW LOGSWITCH TO SWITCH ACTIVE LOG

1. Open an SSH session to the Security Gateway, and log in to Expert Mode.

2.

3. Run the fw logswitch command:
fw logswitch lab-switch

The following message displays:
Log file has been switched to: lab-switch.log

4. View the new log files:

lab-switch.log

lab-switch.logaccount_ptr

5. If no name is given, fw logswitch appends the date and time to the
new log file's name:

.loginitial_ptr

(Screenshot: Log File Listing without Filename)

USE FW LOGSWITCH TO SWITCH AUDIT LOG

1. In the same SSH session to the stand-alone Gateway, run:

   fw logswitch -audit

   The following message displays:

   Log file has been switched to: 2006-04-07_190037.adtlog


2. Check the newly generated .adt logs in the $FWDIR/log directory:

[Figure: New .adt Log Files]

   The .adt log files generated are the following:

   2006-04-07_190037.adtlog
   2006-04-07_190037.adtlogaccount_ptr
   2006-04-07_190037.adtloginitial_ptr
   2006-04-07_190037.adtlogptr

RUN FWM LOGEXPORT AND VIEW OUTPUT

1. From the same SSH session, run the fwm logexport command:

   fwm logexport -n -p -o exportfwyourcity1

   A message similar to the following displays:

   Starting...There are 1 log records in the file.


Aquaforest TIFF Junction Evaluation

Lab 4: Using fw logswitch and fwm logexport

2. View the logexport output file using the less command:

[Figure: Output of less exportfwoslo1]


Or you can FTP the exported log file to your Web server and view it in
WordPad:

   num;date;time;orig;type;action;alert;i/f_name;i/f_dir;product;log_sys_message
   0;7Apr2006;13:58:49;172.22.102.1;control;;;daemon;inbound;VPN-1 & FireWall-1;L

[Figure: Logexport Output File (the WordPad window cuts off the end of the record)]
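The export above is a plain text file: one ';'-separated header line naming the columns, then one record per line. The following Python is an added example, not code from the handbook or from Check Point, that parses such a file and tallies records by action and interface; the sample rows are constructed from the header shown above, with the cut-off first record completed with made-up text.

```python
import csv
import io
from collections import Counter

# Constructed sample in the layout fwm logexport writes: a ';'-separated header
# line followed by one record per line. Row 0 mirrors the record visible in the
# WordPad window above (its cut-off last field is made up here); rows 1-3 are
# constructed to exercise the accept/drop tallies, and row 4 is deliberately
# short to show how a truncated export is reported.
SAMPLE_EXPORT = """\
num;date;time;orig;type;action;alert;i/f_name;i/f_dir;product;log_sys_message
0;7Apr2006;13:58:49;172.22.102.1;control;;;daemon;inbound;VPN-1 & FireWall-1;Log file switched (constructed)
1;7Apr2006;13:59:02;172.22.102.1;log;accept;;eth1;inbound;VPN-1 & FireWall-1;
2;7Apr2006;13:59:10;172.22.102.1;log;drop;;eth1;inbound;VPN-1 & FireWall-1;
3;7Apr2006;13:59:31;172.22.102.1;alert;drop;alert;eth0;outbound;VPN-1 & FireWall-1;
4;7Apr2006;13:59:40;172.22.102.1;log;accept
"""


def parse_logexport(text, delimiter=";"):
    """Parse fwm logexport output into a list of dicts keyed by the header.

    Records whose field count does not match the header are not silently
    merged into the result: they are returned separately so a truncated or
    corrupt export is noticed rather than miscounted.
    """
    reader = csv.reader(io.StringIO(text), delimiter=delimiter)
    header = next(reader)
    records, bad_rows = [], []
    for row in reader:
        if not row:
            continue                      # blank line
        if len(row) != len(header):
            bad_rows.append(row)
            continue
        records.append(dict(zip(header, row)))
    return records, bad_rows


def tally(records, field):
    """Count records per distinct value of one exported column."""
    return Counter(r[field] for r in records)


def dropped_on_interface(records, ifname):
    """Return the drop records seen on a given interface name."""
    return [r for r in records
            if r["action"] == "drop" and r["i/f_name"] == ifname]


if __name__ == "__main__":
    recs, bad = parse_logexport(SAMPLE_EXPORT)
    print("records:", len(recs), "malformed rows:", len(bad))
    print("by action:", dict(tally(recs, "action")))
    print("by direction:", dict(tally(recs, "i/f_dir")))
    for r in dropped_on_interface(recs, "eth1"):
        print("drop on eth1 at", r["date"], r["time"])
```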

REVIEW

• cpinfo is a troubleshooting utility created by Check Point to collect a
  "snapshot" of the configuration of a Security Gateway or SmartCenter
  Server. It can also be used to collect OS and NGX debugging information for
  later analysis and troubleshooting.
• InfoView is a graphical utility used to analyze the output of cpinfo, including
  state-table information, routing, licenses, etc. InfoView can be configured to
  open parts of SmartDashboard with a reproduction of the Security Policy
  installed on the systems from which the cpinfo files were taken.
• objects_5_0.C is the master list of all objects and their properties in an NGX
  installation. objects.C is a file that is created at Policy installation, based on
  information in objects_5_0.C.
• Editing objects_5_0.C is done with DbEdit and GuiDBedit.
• fwauth.NDB is the database file that stores all information about users created
  via SmartDashboard.
• *.def files define certain aspects of the behavior and function of the NGX
  kernel. In special circumstances, these files can be modified to adjust the
  function of the NGX kernel. These changes will not survive the application
  of a HotFix Accumulator (HFA). Always verify, using the HFA release notes,
  whether the functionality is included in the HFA. If not, archive the modified
  *.def file before applying an HFA.
• When the command fw logswitch is run, six different log files are created.
  All six of these files are necessary when archiving logs. At the same time,
  five specific types of audit-log files are created. All files are necessary for
  archiving.
• The NGX logging mechanism has a built-in keep-alive function when
  running in a distributed environment. Local logging occurs only if the delta
  for this keep-alive period is exceeded.
• Logging issues may be caused by VPN-1 Control Connections being
  blocked, SIC failures, or DNS (and/or hostname) resolution errors.
• Logging is a critical security tool. Create a "best practice" logging Policy.
• In some situations, it may be necessary to modify the logging parameters of
  the NGX kernel for better performance.

Review Answers

1. Which of the following is NOT a recommended method for modifying an
   NGX object's properties?

   C.) Modifying the object by directly editing objects_5_0.C

   While this method will work, it is not recommended. If a typographical error
   or other mistake is made when editing, the change may be ignored, or may
   cause objects_5_0.C to fail to load, or make the Security Gateway inoperable.

2. You are troubleshooting a Policy installation failure in a distributed
   environment. Your SmartCenter Server is located in Dallas, and your
   Security Gateway is located in San Francisco. A local technician has sent
   you the cpinfo file from the Security Gateway. Which information will NOT
   be available in this file?

   D.) A viewable copy of the installed Policy

   The Policy is compiled with the objects files, and is a binary file on the
   Gateway. This information would be retrieved from Policy information on
   the SmartCenter Server.


CHAPTER 4: PROTOCOL ANALYZERS

Protocol analyzers and traffic-capture utilities and commands, such as tcpdump,
snoop and fw monitor, can be critical tools in determining the nature of an issue
involving VPN-1 NGX. These tools capture and analyze network traffic as it
comes to and goes through an NGX Security Gateway, and can help determine
whether an issue involves VPN-1 NGX and its kernel or is an unrelated problem.

Objectives

1. Use tcpdump to capture packets and analyze packet-header formats.
2. Use snoop to capture packets, and review three output modes.
3. Use fw monitor to capture packets.
4. Review fw monitor output using Ethereal.

Key Terms


TCPDUMP

tcpdump is a command-line utility available on most UNIX and Linux based
operating systems, which can be used for packet-header analysis. tcpdump sets
interfaces into promiscuous mode, capturing the headers of all traffic
according to the parameters defined in the expression used to configure a
tcpdump session. The capture is either displayed in real time on the screen, or
written to a capture file. tcpdump offers a high degree of flexibility in
controlling the capture and the subsequent review of network packet headers.

tcpdump can capture many types of network traffic (such as DECnet or
AppleTalk), but as these are not recognized by VPN-1 NGX, only TCP/IP
related traffic will be discussed here.

tcpdump Syntax

The following is the syntax of the tcpdump command:

   tcpdump [ -adeflnNOpqRStuvxX ] [ -c count ] [ -C file_size ] [ -F file ]
           [ -i interface ] [ -m module ] [ -r file ] [ -s snaplen ] [ -T type ]
           [ -w file ] [ -E algo:secret ] [ expression ]

This table explains several of the commonly used switches and their arguments
for tcpdump:

Switch and Argument   Explanation

-c count       Exit after receiving count packets.

-C file_size   Before writing a raw packet to a savefile, check whether the
               file is currently larger than file_size and, if so, close the
               current savefile and open a new one. Each savefile after the
               first will have the name specified with the -w flag, with a
               number after it, starting at 2 and continuing upward. The units
               of file_size are millions of bytes (1,000,000 bytes, not
               1,048,576 bytes).

-i interface   Listen on interface. If unspecified, tcpdump searches the
               system-interface list for the lowest-numbered, configured-up
               interface (excluding loopback). Ties are broken by choosing
               the earliest match.
               On Linux systems with 2.2 or later kernels, an interface
               argument of "any" can be used to capture packets from all
               interfaces. Note that captures on the "any" device will not be
               done in promiscuous mode.

-r file        Read packets from file (which was created with the -w
               option). Standard input is used if file is "-".

-s snaplen     Grab snaplen bytes of data from each packet, rather than the
               default of 68. (With the SunOS NIT, the minimum is actually
               96.) 68 bytes is adequate for IP, ICMP, TCP and UDP, but may
               truncate protocol information from name-server and Network
               File System packets.
               Packets truncated because of a limited snapshot are indicated
               in the output with "[|proto]", where proto is the name of the
               protocol level at which the truncation has occurred.
               Note that taking larger snapshots both increases the amount of
               time it takes to process packets, and effectively decreases the
               amount of packet buffering. This may cause packets to be lost.
               Limit snaplen to the smallest number that will capture the
               protocol information required. Setting snaplen to 0 means
               using the required length to catch whole packets.

-v             (Slightly more) verbose output; for example, time to live,
               identification, total length, and options in an IP packet are
               printed. Also enables additional packet-integrity checks, such
               as verifying the IP and ICMP header checksum.

-w file        Write the raw packets to file, rather than parsing and printing
               them. Packets can later be printed with the -r option.
               Standard output is used if file is "-".


tcpdump and Expressions

An expression selects which packets tcpdump will write to the defined output. If
no expression is given, all packets on the network will be dumped. Otherwise,
only packets for which the value of expression is 'true' will be dumped.

An expression is typically an ID name or number preceded by one or more
qualifiers. There are three different kinds of qualifiers:

type   Indicates the thing to which the ID name or number refers; possible
       types are host, net and port. For example:

          host foo
          net 128.3
          port 20

       If there is no type qualifier, host is assumed.

dir    Specifies a particular transfer direction to and/or from the ID name or
       number; possible directions are src, dst, src or dst, and src and dst.
       For example:

          src foo
          dst net 128.3
          src or dst port ftp-data

       If there is no dir qualifier, src or dst is assumed. For 'null' link
       layers (i.e., point-to-point protocols, such as SLIP), the inbound and
       outbound qualifiers can be used to specify a desired direction.

proto  Restricts the match to a particular protocol; possible protos are ether,
       fddi, tr, ip, ip6, arp, rarp, decnet, tcp and udp; for example:

          ether src foo
          arp net 128.3
          tcp port 21

       If there is no proto qualifier, all protocols consistent with the type are
       assumed, i.e., src foo means (ip or arp or rarp) src foo.
       (The latter is not legal syntax.)
       net bar means (ip or arp or rarp) net bar.
       port 53 means (tcp or udp) port 53.


This is only a partial overview of the syntax for tcpdump. For a complete list
of all switches, arguments and further information on using expressions, refer
to the man pages for your OS, or to the documentation at
http://www.tcpdump.org.

Using tcpdump

Determine whether traffic needs to be viewed in real time, or whether the
information should be captured to a file for later viewing. Once this has been
determined, initiate the tcpdump session to get the capture.

The following string captures all traffic coming to all interfaces on Gateway
fwoslo, and writes the output to the file capture:

   tcpdump -i any -w capture

Unless troubleshooting a network-connectivity issue, this format may show too
much information to be useful. It would be better to narrow the input to a
specific interface:

   tcpdump -i eth1 -w capture

This will capture all traffic from the network segment connected to eth1 on
fwoslo. If there is still too much information in the capture, tcpdump can
also filter for specific protocols. Suppose that in this environment, you are
attempting to determine the cause of a failing FTP session through the Security
Gateway fwoslo. From the command line on fwoslo, set tcpdump to filter
specifically for FTP traffic on all interfaces, with the following syntax:

   tcpdump -i any '(port ftp or ftp-data)' -w capture

This will show whether any FTP related traffic is being "heard" on the
interfaces of fwoslo.


Viewing tcpdump Output

The output of tcpdump is a binary file viewed using tcpdump, or a protocol-
analysis program (such as Ethereal), as long as that program has been written to
recognize the tcpdump format. The command to open a file (written with the -w
switch when running the capture) is as follows:

   tcpdump -r <filename>

Open the file that was captured using this string ...

   tcpdump -i eth1 -w capture

... which displays the following information:

   [Expert@fwoslo]# tcpdump -i eth1 -r capture
   15:28:37.501897 10.2.2.102 > 172.22.102.1: icmp: echo request
   15:28:37.501963 172.22.102.1 > 10.2.2.102: icmp: echo reply
   15:28:39.494254 arp who-has 10.2.2.102 tell fwoslo
   15:28:39.494524 arp reply 10.2.2.102 is-at 0:11:43:ce:36:e5
   15:28:46.156386 10.2.2.102.1641 > fwoslo.ftp: S 754360268:754360268(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
   15:28:46.156471 fwoslo.ftp > 10.2.2.102.1641: R 0:0(0) ack 754360269 win 0 (DF)
   15:28:46.532969 10.2.2.102.1641 > fwoslo.ftp: S 754360268:754360268(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
   15:28:46.533010 fwoslo.ftp > 10.2.2.102.1641: R 0:0(0) ack 1 win 0 (DF)
   15:28:46.724479 fwoslo > 224.0.0.5: OSPFv2-hello 56: [len 44] [tos 0xc0] [ttl 1]
   [Expert@fwoslo]#
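The listing above is the text form that tcpdump -r prints, and both FTP attempts in it end with a RST from fwoslo. The following Python is an added example, not code from the handbook, that parses such lines and classifies each TCP handshake as established, refused or unanswered, which is the question a troubleshooter asks of an FTP capture like this one; the sample lines are copied from the listing, plus a constructed SSH handshake so the success path is exercised too.

```python
import re
from collections import Counter, OrderedDict

# Constructed sample in the text format tcpdump -r prints on this build: the
# lines are copied from the fwoslo capture above, plus a made-up SSH
# handshake (client port 1642) so that a completed handshake is present.
SAMPLE_CAPTURE = """\
15:28:37.501897 10.2.2.102 > 172.22.102.1: icmp: echo request
15:28:37.501963 172.22.102.1 > 10.2.2.102: icmp: echo reply
15:28:39.494254 arp who-has 10.2.2.102 tell fwoslo
15:28:39.494524 arp reply 10.2.2.102 is-at 0:11:43:ce:36:e5
15:28:46.156386 10.2.2.102.1641 > fwoslo.ftp: S 754360268:754360268(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
15:28:46.156471 fwoslo.ftp > 10.2.2.102.1641: R 0:0(0) ack 754360269 win 0 (DF)
15:28:46.532969 10.2.2.102.1641 > fwoslo.ftp: S 754360268:754360268(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
15:28:46.533010 fwoslo.ftp > 10.2.2.102.1641: R 0:0(0) ack 1 win 0 (DF)
15:28:46.724479 fwoslo > 224.0.0.5: OSPFv2-hello 56: [len 44] [tos 0xc0] [ttl 1]
15:28:50.104200 10.2.2.102.1642 > fwoslo.ssh: S 1000:1000(0) win 16384 <mss 1460> (DF)
15:28:50.104311 fwoslo.ssh > 10.2.2.102.1642: S 5000:5000(0) ack 1001 win 5840 <mss 1460> (DF)
15:28:50.104500 10.2.2.102.1642 > fwoslo.ssh: . ack 1 win 16384 (DF)
"""

# TCP lines read "src > dst: FLAGS ...", FLAGS being a run of S, R, P, F or
# "." (no flags set). ICMP, ARP and OSPF lines do not fit this shape.
TCP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<flags>[SRPF.]+) (?P<rest>.*)$")
# "ack" as a separate word: the "sackOK" option in a SYN must not match.
ACK_RE = re.compile(r"\back \d+")


def parse_line(line):
    """Classify one tcpdump text line as tcp, icmp, arp or other."""
    m = TCP_RE.match(line)
    if m:
        ev = m.groupdict()
        ev["kind"] = "tcp"
        acked = bool(ACK_RE.search(ev["rest"]))
        ev["syn"] = "S" in ev["flags"] and not acked     # client SYN
        ev["synack"] = "S" in ev["flags"] and acked      # server SYN-ACK
        ev["rst"] = "R" in ev["flags"]
        return ev
    parts = line.split(None, 1)
    if len(parts) != 2:
        return None
    ts, rest = parts
    if rest.startswith("arp "):
        kind = "arp"
    elif " icmp: " in rest:
        kind = "icmp"
    else:
        kind = "other"
    return {"ts": ts, "kind": kind, "rest": rest}


def packet_kinds(text):
    """Count packets per kind: a first check of what the interface heard."""
    return Counter(ev["kind"] for ev in map(parse_line, text.splitlines()) if ev)


def tcp_handshake_summary(text):
    """Map (client, server) -> established | refused | no-reply.

    A SYN answered by a RST from the server is a refused connection. That is
    what the capture above shows for the FTP attempts: the Gateway heard the
    SYN and answered it, so the network path is not the problem.
    """
    result = OrderedDict()
    for line in text.splitlines():
        ev = parse_line(line)
        if not ev or ev["kind"] != "tcp":
            continue
        key = (ev["src"], ev["dst"])
        if ev["syn"]:
            result.setdefault(key, "no-reply")
        elif ev["synack"] or ev["rst"]:
            rkey = (ev["dst"], ev["src"])          # reply travels server -> client
            if rkey in result:
                result[rkey] = "refused" if ev["rst"] else "established"
    return result


if __name__ == "__main__":
    print(dict(packet_kinds(SAMPLE_CAPTURE)))
    for (client, server), state in tcp_handshake_summary(SAMPLE_CAPTURE).items():
        print("%s -> %s: %s" % (client, server, state))
```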

SNOOP

The snoop utility places a system's interface into promiscuous mode. In
promiscuous mode, snoop captures all packets on the network segment to
which the interface is attached. The capture can either be displayed in real
time, or written to a binary capture file. The snoop utility is powerful
because of the level of detail it provides, and it allows a high degree of
flexibility in controlling the capture and the subsequent review of network
packets. The snoop utility is available only on UNIX systems.

snoop can also capture and analyze packets of protocols other than IP, such
as DECnet and AppleTalk. However, since VPN-1 NGX does not recognize
packets other than IP, these other packets will not be covered in this chapter.

Using snoop

Before running snoop, determine whether a real-time capture is needed, or
whether data should be sent to a file for later review. Sending output to a file is
usually the best choice, as data displayed on-screen scrolls quickly and is
difficult to read.

To capture data to a file, use the following command:

   #snoop -o filename

The -o option saves data in binary format to a user-defined file. To view data in
real time, omit the -o option.

Next, determine how many packets need to be captured to view the information.
If the number of packets is not set, snoop continues gathering packets until
you press CTRL + C, or the system runs out of resources.

To set the number of packets, use the following command:

   #snoop -o filename -c 1000

In this example, snoop captures 1,000 packets. This capture typically takes
about 60 seconds on a 10 megabits-per-second network. The type of capture
taken depends on the type of information required. Keep in mind that snoop
can be resource-intensive, depending on the amount of network traffic on a
segment. In some cases, a dedicated server for snoop may be needed.
Reading snoop Output

Below is an example of verbose summary mode, using the same packet as the
previous example. Notice that it provides layer 2 (Ethernet), layer 3 (IP), layer 4
(TCP) and layer 7 (Telnet) information, including the ACK and SEQ (sequence)
numbers:

   17 2.07408 enterprise -> 10.1.1.101 ETHER Type=0800 (IP), size = 70 bytes
   17 2.07408 enterprise -> 10.1.1.101 IP D=10.1.1.101 S=10.1.1.102 LEN=56, ID=56890
   17 2.07408 enterprise -> 10.1.1.101 TCP D=21 S=32797 Ack=73641 Seq=389458204 Len=16 Win=8760
   17 2.07408 enterprise -> 10.1.1.101 FTP C port=32797 USER anonymous\r\n

VERBOSE (DETAIL) MODE

Verbose mode displays the details of each packet down to the bit level of each
layer of the OSI model. The example below shows the same packet as the
previous examples in verbose mode. Detailed information for each layer is
captured, including the layer 2 (Ethernet), layer 3 (IP), and layer 4 (TCP)
headers. The syntax for reading a capture file in verbose (detail) mode is:

   snoop -v -i filename


snoop and Security

With snoop, Security Administrators can capture data on a network without
being noticed. Unlike active measures, such as network discovery using ICMP,
snoop does not alert anyone to its presence. This passive behavior allows an
analysis of the network's security without alerting anyone. snoop can run over
a longer period of time than active measures, which run at a single point in time.
If a host is down for several minutes while you are pinging a network, the host is
missed. However, snoop picks up such hosts whenever they send or receive
traffic. One security task is identifying activities on a network. Perhaps there
are concerns about specific Web sites or FTP download sites; snoop can be used
on a network to look for downloads from known Web sites or FTP servers.

snoop should be used with authorization or for troubleshooting purposes only.
Federal law, such as the Wiretap Act, prohibits routine monitoring, unless for
troubleshooting or for self-defense purposes for a limited period of time.

snoop helps track down "unknown" hosts in a network. An unknown host could
be a dial-up server or gateway configured by a network attacker. Active
measures can determine the hosts on the network, but only if the machines are
on. What if a host is on only at night, or has been configured not to reply to
ICMP requests? snoop helps track down such rogue hosts, allowing action to be
taken.

snoop Limitations

Unlike active measures, but like most sniffers, snoop cannot see all traffic in a
switched network. snoop records packets that cross the designated interface on
a local network segment, but only captures packets in its collision domain.

To monitor all traffic traveling between a network and the Internet, place the
sniffer between the gateway and the border router. This allows capturing of all
Internet traffic. This information is compared to the logs in SmartView Tracker,
to see specifically which segment of the network needs further inspection with
snoop. This comparison is useful when encountering Network Address
Translation and traffic originating behind routers.

FW MONITOR

Overview

The fw monitor command monitors network traffic through the interfaces of an
NGX Security Gateway. This is done by loading a special INSPECT filter that
selects the packets of interest. This filter is different from the INSPECT filter
used to implement a Rule Base. A Rule Base determines which packets are
accepted, rejected, or dropped; the INSPECT filter generated by fw monitor
only captures kernel-packet flows. You can capture everything passing through
the kernel using fw monitor; alternatively, you can capture a particular type of
traffic or source.

fw monitor Syntax

fw monitor runs from the command line. The following arguments configure
fw monitor not only to capture and filter traffic through VPN-1 NGX, but also
to specify which points of the kernel chain that packets pass through are
monitored.

fw monitor syntax is as follows:

   fw monitor [-d] [-D] <{-e expr}+|-f <filter-file|->> [-l len] [-m mask]
              [-x offset[,len]] [-o <file>]

The fw monitor arguments are listed in this table:

Argument   Explanation

-d         Provides lower-level debug from the filter-loading process of
           fw monitor.

-D         Provides higher-level debug from the filter-loading process of
           fw monitor.

-e         Specifies an INSPECT program line; multiple -e options may be
           used.

-f         Specifies an INSPECT filter filename; the file is copied before
           compilation; the -f and -e options are mutually exclusive.


-l         Limits the packet length, and specifies how much of the packet
           should be transferred from the kernel; for packets longer than the
           specified length, only a prefix will be available for display.

-m         Specifies the inspection-points mask; any one or more of i, I, o, or
           O can be used; if this option is not specified, all four points are
           captured.

-o         Specifies an output file; saves monitored packets in the output file
           as they are monitored; during the monitoring, a count of the number
           of packets saved in the file is displayed; the content of the file
           can later be examined using the snoop -i <file> command.

-x         Specifies display parameters; when this option is present, the IP
           and protocol information will be followed by a hexadecimal dump and
           printable character display, starting offset bytes into the packet
           and running for len bytes; if offset + len is larger than the length
           specified by the -l option, only the data available will be
           displayed; console output only.

-h         Displays the usage string.

-u         Prints the connection's Universally Unique ID (UUID).

-s         Prints the connection's session UUID (for FTP data connections,
           prints the control connection's UUID).

-t         When compiling the INSPECT script, includes tcpip.def; allows the
           use of tcpip macros in the script.

-i         Flushes standard output after writing each packet; use this if you
           may kill fw monitor but want all data written to a file.

-c <count> Limits the number of inbound (-ci count) and/or outbound
           (-co count) packets; once the specified number has been reached,
           the monitor will stop; the default is to stop on CTRL + C only.

-p         Monitors a position in the kernel chain. Note: Using this switch
           with the "all" argument can be very resource-intensive.


INSPECT Virtual Machine

The INSPECT virtual machine intercepts, analyzes, and takes action on all
communication before it enters a Gateway's OS. Cumulative data from
communication and application states, network configuration, and the Security
Policy are used by the virtual machine to enforce the enterprise Policy.

This figure displays how the virtual machine inspects packets:

[Figure: Virtual-Machine Inspection Points]

There are four inspection points as a packet passes through the virtual machine:

• Before the virtual machine, in the inbound direction (i or PREIN)
• After the virtual machine, in the inbound direction (I or POSTIN)
• Before the virtual machine, in the outbound direction (o or PREOUT)
• After the virtual machine, in the outbound direction (O or POSTOUT)

Once fw monitor is executed, the specified INSPECT filter is compiled and
loaded into the kernel. The fw monitor filter is not to be confused with the
filter used in a Policy. The fw monitor filter does not pass or drop any packets;
it only "watches" the packets as they pass through the kernel and displays them
in the Command Line Interface (CLI). When you press CTRL + C to stop
monitoring, the filter is unloaded and fw monitor exits.

Any packet matched by the expression following "accept" in the fw monitor
command will be displayed by fw monitor. The same filter is executed on all
interfaces in all directions. Packets are inspected at all four points, unless
the mask option -m is specified.


Unless the -o option is specified, packets are directed to standard output. The
first line displays IP information, and the next lines display protocol-specific
information (for TCP, UDP, or ICMP). If the option -x is used, the lines
following the protocol information show a hexadecimal dump and printable
character display of the packet content. Issuing fw monitor without any
arguments captures all packets to standard output, which is the CLI.

Filter Expressions

On a busy system, running fw monitor without any filters can create a great
deal of output, and makes the analysis difficult. Filter expressions are used
to specify the packets to be captured. The general syntax is
fw monitor -e "accept <expression>;".

The following example shows three filters:

   fw monitor -e "accept src=172.29.109.1 or dst=172.29.109.1;"
   fw monitor -e "accept dport=80;"
   fw monitor -m iI -e "accept;" -o monitor.out

• The first filter captures all traffic from and to the host 172.29.109.1.
• The second filter captures all HTTP traffic on port 80 only.
• The third filter captures only the inbound direction, before and after the
  virtual machine (i and I), and redirects the output to a file.

fw ctl chain

VPN-1 NGX passes each packet through a list of chain modules. Each module
may modify, pass, or drop the packet. You can see this list using the
fw ctl chain command. fw monitor can be inserted at any position in the chain.

OUTPUT

   in chain (10):
           0: -7f800000 (f99d12c0) IP Options Strip (ipopt_strip)
           1:  -2000000 (f31a8dd0) vpn decrypt (vpn)
           2:  -1fffff6 (f99afcd0) Stateless verifications (asm)
           3:  -1fffff0 (f31a8730) vpn decrypt verify (vpn_ver)
           4:  -1000000 (f99e9690) SecureXL conn sync (secxl_sync)
           5:         0 (f99a4720) fw VM inbound (fw)
           6:   2000000 (f31a9d70) vpn policy inbound (vpn_pol)
           7:  10000000 (f99e9b20) SecureXL inbound (secxl)
           8:  7f600000 (f99cec90) fw SCV inbound (scv)
           9:  7f800000 (f99d1570) IP Options Restore (ipopt_res)
   out chain (8):
           0: -7f800000 (f99d12c0) IP Options Strip (ipopt_strip)
           1:  -1ffffff (f31a8600) vpn nat outbound (vpn_nat)
           2:  -1f00000 (f99afcd0) Stateless verifications (asm)
           3:         0 (f99a4720) fw VM outbound (fw)
           4:   2000000 (f31a9780) vpn policy outbound (vpn_pol)
           5:  10000000 (f99e9b20) SecureXL outbound (secxl)
           6:  20000000 (f31a9360) vpn encrypt (vpn)
           7:  7f800000 (f99d1570) IP Options Restore (ipopt_res)

To put the monitor at the end of the chain, use -pi 999 or -pO 999.



CHAIN INSERTION POINTS

fw monitor is inserted into the chain as a chain module, so fw monitor can
report on all packets. fw monitor does not change or drop any packets. fw
monitor is inserted into the chain at four different points — at positions
-0x70000000 and 0x70000000 in the inbound chain, and at the same positions in
the outbound chain. The first position captures packets before they pass most
of the chain modules, while the second captures them after they have passed
the chain modules. It is possible to change the position of the monitor. This is
accomplished with the -p parameter.

This parameter has the following syntax:

   fw monitor -p[i|I|o|O] [absolute pos | relative pos | [+|-]alias]

absolute pos — a signed integer that determines the order in which packets pass
the modules; packets start with the smallest number and end with the largest.
This number does not depend on the current chain entries.

relative pos — the chain modules are numbered in ascending order starting
with 0. You can use this number to specify the position at which fw monitor is
inserted. fw monitor does not replace the chain module with this number; that
module (and all following modules) are moved down by one position.

alias (shown in parentheses) — a short name, which can be used with the -p
parameter.

The letter following -p is the position you want to change — either inbound or
outbound, and either the first (lowercase) or the last (uppercase) position. You
may include this parameter up to four times, to change some or all positions.
When using a relative position, type the position of the module before which
you want the monitor to enter. If you want the position after all modules, use
any number higher than all relative positions (99 will usually do). When using
an absolute position, type the position where you want the module. If there is
already a module at this position, the command will fail. When using an alias,
you can select whether you want the monitor before (-) or after (+) the alias.

RELATIVE POSITION

Note that the chain-module numbers and names are not fixed. Before inserting
fw monitor, chain module 4 is vpn decrypt verify; after fw monitor is inserted
at relative position 4, chain module 4 has become fw monitor, and vpn decrypt
verify has moved to position 5.

1. fw ctl chain before inserting fw monitor:

   in chain (15):
           0: -7f800000 (989a8d60) (ffffffff) IP Options Strip (ipopt_strip)
           1:  -2000000 (995a3390) (00000003) vpn decrypt (vpn)
           2:  -1fffff6 (989a9e80) (00000001) Stateless verifications (asm)
           3:  -1fffff2 (995c37b0) (00000003) vpn tagging inbound (tagging)
           4:  -1fffff0 (995a2bd0) (00000003) vpn decrypt verify (vpn_ver)
           5:  -1000000 (989dbf40) (00000003) SecureXL conn sync (secxl_sync)
           6:         0 (98954530) (00000001) fw VM inbound (fw)
           7:         1 (989b1f20) (00000002) wire VM inbound (wire_vm)
           8:        10 (9896eb70) (00000001) fw accounting inbound (acct)
           9:   2000000 (995a52a0) (00000003) vpn policy inbound (vpn_pol)
          10:  10000000 (989dc2e0) (00000003) SecureXL inbound (secxl)
          11:  21000000 (99bf7360) (00000001) FG-1 inbound (fg_pol)
          12:  7f600000 (989a2b70) (00000001) fw SCV inbound (scv)
          13:  7f750000 (98a958c0) (00000001) TCP streaming (in) (cpas)
          14:  7f800000 (989a9020) (ffffffff) IP Options Restore (ipopt_res)
   out chain (14):
           0: -7f800000 (989a8d60) (ffffffff) IP Options Strip (ipopt_strip)
           1:  -1ffffff (995a27c0) (00000003) vpn nat outbound (vpn_nat)
           2:  -1fffff0 (98a95a30) (00000001) TCP streaming (out) (cpas)
           3:  -1ff0000 (995c37b0) (00000003) vpn tagging outbound (tagging)
           4:  -1f00000 (989a9e80) (00000001) Stateless verifications (asm)
           5:         0 (98954530) (00000001) fw VM outbound (fw)
           6:         1 (989b1f20) (00000002) wire VM outbound (wire_vm)
           7:   2000000 (995a4b60) (00000003) vpn policy outbound (vpn_pol)
           8:  10000000 (989dc2e0) (00000003) SecureXL outbound (secxl)
           9:  15000000 (99bf7360) (00000001) FG-1 outbound (fg_pol)
          10:  20000000 (995a3cc0) (00000003) vpn encrypt (vpn)
          11:  7f000000 (9896eb70) (00000001) fw accounting outbound (acct)
          12:  7f700000 (98a95c20) (00000001) TCP streaming post VM (cpas)
          13:  7f800000 (989a9020) (ffffffff) IP Options Restore (ipopt_res)

2. fw monitor -pi 4 -o monitor.out:

   in chain (17):
           0: -7f800000 (989a8d60) (ffffffff) IP Options Strip (ipopt_strip)
           1:  -2000000 (995a3390) (00000003) vpn decrypt (vpn)
           2:  -1fffff6 (989a9e80) (00000001) Stateless verifications (asm)
           3:  -1fffff2 (995c37b0) (00000003) vpn tagging inbound (tagging)
           4:  -1fffff1 (989833a0) (ffffffff) fwmonitor (i/f side)
           5:  -1fffff0 (995a2bd0) (00000003) vpn decrypt verify (vpn_ver)
           6:  -1000000 (989dbf40) (00000003) SecureXL conn sync (secxl_sync)
           7:         0 (98954530) (00000001) fw VM inbound (fw)
           8:         1 (989b1f20) (00000002) wire VM inbound (wire_vm)
           9:        10 (9896eb70) (00000001) fw accounting inbound (acct)
          10:   2000000 (995a52a0) (00000003) vpn policy inbound (vpn_pol)
          11:  10000000 (989dc2e0) (00000003) SecureXL inbound (secxl)
          12:  21000000 (99bf7360) (00000001) FG-1 inbound (fg_pol)
          13:  70000000 (989833a0) (ffffffff) fwmonitor (IP side)
          14:  7f600000 (989a2b70) (00000001) fw SCV inbound (scv)
          15:  7f750000 (98a958c0) (00000001) TCP streaming (in) (cpas)
          16:  7f800000 (989a9020) (ffffffff) IP Options Restore (ipopt_res)

out chain (16):
 0: -7f800000 (989a8d60) (ffffffff) IP Options Strip (ipopt_strip)
 1: -70000000 (989833a0) (ffffffff) fwmonitor (IP side)
 2: -1ffffff (995a27c0) (00000003) vpn nat outbound (vpn_nat)
 3: -1fffff0 (98a95a30) (00000001) TCP streaming (out) (cpas)
 4: -1ff0000 (995c37b0) (00000003) vpn tagging outbound (tagging)
 5: -1f00000 (989a9e80) (00000001) Stateless verifications (asm)
 6: 0 (98954530) (00000001) fw VM outbound (fw)
 7: 1 (989b1f20) (00000002) wire VM outbound (wire_vm)
 8: 2000000 (995a4b60) (00000003) vpn policy outbound (vpn_pol)
 9: 10000000 (989dc2e0) (00000003) SecureXL outbound (secxl)
10: 15000000 (99bf7360) (00000001) FG-1 outbound (fg_pol)
11: 20000000 (995a3cc0) (00000003) vpn encrypt (vpn)
12: 70000000 (989833a0) (ffffffff) fwmonitor (i/f side)
13: 7f000000 (9896eb70) (00000001) fw accounting outbound (acct)
14: 7f700000 (98a95c20) (00000001) TCP streaming post VM (cpas)
15: 7f800000 (989a9020) (ffffffff) IP Options Restore (ipopt_res)

RELATIVE POSITION USING ALIASES

Another way to position fw monitor is to use a module's alias, as shown in
parentheses in fw ctl chain. This can be done using -pi or -po followed by the
alias. For example, to insert fw monitor before vpn decrypt verify, use -pi
-vpn_ver:

fw monitor -pi -vpn_ver -o monitor-alias.out

monitor: getting filter (from command line)

monitor:

in chain (17):
 0: -7f800000 (989a8d60) (ffffffff) IP Options Strip (ipopt_strip)
 1: -2000000 (995a3390) (00000003) vpn decrypt (vpn)
 2: -1fffff8 (989a9e80) (00000001) Stateless verifications (asm)
 3: -1fffff2 (995c37b0) (00000003) vpn tagging inbound (tagging)
 4: -1fffff1 (989833a0) (ffffffff) fwmonitor (i/f side)
 5: -1fffff0 (995a2bd0) (00000003) vpn decrypt verify (vpn_ver)
 6: -1000000 (989dbf40) (00000003) SecureXL conn sync (secxl_sync)
 7: 0 (98954530) (00000001) fw VM inbound (fw)


out chain (16):
 0: -7f800000 (989a8d60) (ffffffff) IP Options Strip (ipopt_strip)
 1: -70000000 (989833a0) (ffffffff) fwmonitor (IP side)
 2: -1ffffff (995a27c0) (00000003) vpn nat outbound (vpn_nat)
 3: -1fffff0 (98a95a30) (00000001) TCP streaming (out) (cpas)
 4: -1ff0000 (995c37b0) (00000003) vpn tagging outbound (tagging)
 5: -1f00000 (989a9e80) (00000001) Stateless verifications (asm)
 6: 0 (98954530) (00000001) fw VM outbound (fw)
 7: 1 (989b1f20) (00000002) wire VM outbound (wire_vm)
 8: 2000000 (995a4b60) (00000003) vpn policy outbound (vpn_pol)
 9: 10000000 (989dc2e0) (00000003) SecureXL outbound (secxl)
10: 15000000 (99bf7360) (00000001) FG-1 outbound (fg_pol)
11: 20000000 (995a3cc0) (00000003) vpn encrypt (vpn)
12: 70000000 (989833a0) (ffffffff) fwmonitor (i/f side)
13: 7f000000 (9896eb70) (00000001) fw accounting outbound (acct)

ABSOLUTE POSITION

You can also insert fw monitor at an absolute position. The position is


the second values). Note that the
fw VM s im-

The following is a partial list of the in and out chains from fw ctl chain:

in chain (15):
 0: -7f800000 (989a8d60) (ffffffff) IP Options Strip (ipopt_strip)
 1: -2000000 (995a3390) (00000003) vpn decrypt (vpn)
 2: -1fffff8 (989a9e80) (00000001) Stateless verifications (asm)
 3: -1fffff2 (995c37b0) (00000003) vpn tagging inbound (tagging)
 4: -1fffff0 (995a2bd0) (00000003) vpn decrypt verify (vpn_ver)
 5: -1000000 (989dbf40) (00000003) SecureXL conn sync (secxl_sync)
 6: 0 (98954530) (00000001) fw VM inbound (fw)
 7: 1 (989b1f20) (00000002) wire VM inbound (wire_vm)
 8: 10 (9896eb70) (00000001) fw accounting inbound (acct)
 9: 2000000 (995a52a0) (00000003) vpn policy inbound (vpn_pol)
10: 10000000 (989dc2e0) (00000003) SecureXL inbound (secxl)

out chain (14):
 0: -7f800000 (989a8d60) (ffffffff) IP Options Strip (ipopt_strip)
 1: -1ffffff (995a27c0) (00000003) vpn nat outbound (vpn_nat)
 2: -1fffff0 (98a95a30) (00000001) TCP streaming (out) (cpas)
 3: -1ff0000 (995c37b0) (00000003) vpn tagging outbound (tagging)
 4: -1f00000 (989a9e80) (00000001) Stateless verifications (asm)
 5: 0 (98954530) (00000001) fw VM outbound (fw)
 6: 1 (989b1f20) (00000002) wire VM outbound (wire_vm)
 7: 2000000 (995a4b60) (00000003) vpn policy outbound (vpn_pol)
 8: 10000000 (989dc2e0) (00000003) SecureXL outbound (secxl)

To insert fw monitor after TCP streaming (cpas) in the outbound chain:

fw monitor -po -0x1ffffe0 -o monitor-absolute.out

out chain (16):
 0: -7f800000 (989a8d60) (ffffffff) IP Options Strip (ipopt_strip)
 1: -1ffffff (995a27c0) (00000003) vpn nat outbound (vpn_nat)
 2: -1fffff0 (98a95a30) (00000001) TCP streaming (out) (cpas)
 3: -1ffffe0 (989833a0) (ffffffff) fwmonitor (IP side)
 4: -1ff0000 (995c37b0) (00000003) vpn tagging outbound (tagging)
 5: -1f00000 (989a9e80) (00000001) Stateless verifications (asm)
 6: 0 (98954530) (00000001) fw VM outbound (fw)
 7: 1 (989b1f20) (00000002) wire VM outbound (wire_vm)

fw ctl chain does not show the 0x prefix on its hexadecimal position
numbers. When you pass a position to fw monitor, you must add the 0x prefix
yourself.
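The relative and absolute positioning described in the three sections above can be checked offline before touching a Gateway. The following is an added example, not Check Point code and not part of the course material: it parses the fw ctl chain text format shown above and computes the index fw monitor would receive for a given -pi/-po argument. It assumes (as the listings above suggest) that entries are ordered by their signed position value, that "-alias" resolves to one less than the module's position and "+alias" to one more, and that an absolute position must carry the 0x prefix; the OUT_CHAIN string is the out chain (14) listed above, and the function names are my own.

```python
"""Predict where fw monitor lands in a kernel chain.

Added example (not Check Point code, not from the course): it parses the
text format printed by fw ctl chain, as listed above, and computes the
index at which fw monitor inserted with -pi/-po would appear.  Assumption,
stated in the lead-in as well: chain entries are ordered by their signed
position value, an absolute position is given as a 0x-prefixed hex number,
a relative "-alias" resolves to (alias position - 1) and "+alias" to
(alias position + 1), which reproduces the listings above (-vpn_ver gave
-1fffff1, just before vpn_ver at -1fffff0).
"""
import re
from dataclasses import dataclass

# Constructed sample: the out chain (14) listed above, without fw monitor.
OUT_CHAIN = """\
out chain (14):
 0: -7f800000 (989a8d60) (ffffffff) IP Options Strip (ipopt_strip)
 1: -1ffffff (995a27c0) (00000003) vpn nat outbound (vpn_nat)
 2: -1fffff0 (98a95a30) (00000001) TCP streaming (out) (cpas)
 3: -1ff0000 (995c37b0) (00000003) vpn tagging outbound (tagging)
 4: -1f00000 (989a9e80) (00000001) Stateless verifications (asm)
 5: 0 (98954530) (00000001) fw VM outbound (fw)
 6: 1 (989b1f20) (00000002) wire VM outbound (wire_vm)
 7: 2000000 (995a4b60) (00000003) vpn policy outbound (vpn_pol)
 8: 10000000 (989dc2e0) (00000003) SecureXL outbound (secxl)
"""

# index: position (address) (flags) name (alias)
LINE_RE = re.compile(
    r"^\s*\d+:\s+(-?[0-9a-f]+)\s+\([0-9a-f]+\)\s+\([0-9a-f]+\)\s+(.*?)\s+\((\w+)\)\s*$",
    re.IGNORECASE,
)


@dataclass
class ChainEntry:
    position: int  # signed position, as printed by fw ctl chain (no 0x prefix)
    name: str      # module description
    alias: str     # alias in parentheses, usable as -pi/-po -alias or +alias


def parse_chain(text):
    """Parse fw ctl chain output into ChainEntry objects, in listed order."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(ChainEntry(int(m.group(1), 16), m.group(2), m.group(3)))
    return entries


def resolve_position(entries, spec):
    """Translate a -pi/-po argument into a numeric chain position.

    spec is an absolute hex position such as '-0x1ffffe0' (fw monitor needs
    the 0x prefix that fw ctl chain omits), or '-alias' / '+alias' to go
    before / after the named module.
    """
    if re.fullmatch(r"[+-]?0x[0-9a-fA-F]+", spec):
        return int(spec, 16)
    if not spec or spec[0] not in "+-":
        raise ValueError("expected 0x<hex>, -alias or +alias")
    for e in entries:
        if e.alias == spec[1:]:
            return e.position + (1 if spec[0] == "+" else -1)
    raise ValueError(f"unknown module alias: {spec[1:]}")


def position_in_use(entries, spec):
    """True if the resolved position collides with an existing module."""
    pos = resolve_position(entries, spec)
    return any(e.position == pos for e in entries)


def insert_monitor(entries, spec):
    """Return a new chain with fwmonitor inserted at the resolved position."""
    if position_in_use(entries, spec):
        raise ValueError(f"position {resolve_position(entries, spec):#x} already taken")
    pos = resolve_position(entries, spec)
    chain = entries + [ChainEntry(pos, "fwmonitor", "fwmonitor")]
    return sorted(chain, key=lambda e: e.position)


def monitor_index(entries, spec):
    """Index fw monitor would get in the printed chain for this -pi/-po spec."""
    chain = insert_monitor(entries, spec)
    return next(i for i, e in enumerate(chain) if e.alias == "fwmonitor")


def format_chain(entries, label):
    """Render a chain in the style of fw ctl chain (addresses and flags omitted)."""
    lines = [f"{label} ({len(entries)}):"]
    for i, e in enumerate(entries):
        lines.append(f"{i:>2}: {e.position:x} {e.name} ({e.alias})")
    return "\n".join(lines)


if __name__ == "__main__":
    chain = parse_chain(OUT_CHAIN)
    # Same placement as: fw monitor -po -0x1ffffe0 -o monitor-absolute.out
    print(format_chain(insert_monitor(chain, "-0x1ffffe0"), "out chain"))
    # Same placement expressed relative to the cpas module
    print(monitor_index(chain, "+cpas"))
```

Running it reproduces the listing above: -0x1ffffe0 lands at index 3, directly after TCP streaming (out), and "+cpas" gives the same index. A bare hex number without 0x is rejected as an unknown alias, which mirrors the note above about the missing prefix, and "-wire_vm" is refused because position 0 is already taken by fw VM outbound.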

SAMPLING INTERVAL


One of your customers claims she cannot access your internal
FTP server. The FTP server is configured with Static NAT on
your NGX Gateway. You see your customer's FTP connection is
accepted in SmartView Tracker, but you do not know when the
kernel drops this connection or when the FTP server resets the
connection.

The FTP client's IP address is 100.100.100.1, and the FTP
server's private IP address is 192.168.1.1. Its public IP address is
200.200.20.1. Your Gateway's external IP address is
200.200.20.2.

Q.) How do you run fw monitor with proper filters, to capture FTP
connections between the server and this client only?

A.) fw monitor -e "accept src=100.100.100.1 or dst=100.100.100.1;" -o ftp-monitor.out

Q.) What is the procedure for capturing this FTP problem?

A.) Follow these steps:

1. Start fw monitor.

2. Initiate an FTP connection from the client.

3. Wait for the problem to occur, then press CTRL + C to stop
fw monitor.

ETHEREAL

Ethereal is a graphical tool used to analyze and capture network traffic.
Ethereal is available on a wide range of platforms and operating systems,
including all major UNIX flavors (Solaris, Linux, BSD, etc.), Windows
(Windows 9x, ME, NT 4, 2000 and XP), Mac OS, and many more. Ethereal
reads a wide variety of capture formats, including the format used by fw monitor
(which is in fact the same format as snoop). Check Point has its own flavour of
Ethereal called CPethereal (available for Check Point Certified Support
Partners only).

Using Ethereal

Below is fw monitor output in Ethereal:

[Figure: Ethereal GUI displaying an fw monitor capture (access-oslo.out). The
packet list pane at the top shows an SSH exchange between 10.2.2.1 and
10.2.2.102 followed by an HTTP connection from 172.29.109.1 port 1045 to
10.2.2.102; the packet details pane in the middle expands Frame, Ethernet II,
Internet Protocol and Transmission Control Protocol for one SYN; the packet
bytes pane at the bottom shows its hex dump.]

Ethereal GUI

The Ethereal GUI consists of three panes. The top pane is an overview, listing
entry ID number, capture time, source and destination address, protocol name
(TCP, UDP, FTP, ICMP), and a packet summary with the following
information:

• Type of packet: SYN, SYN-ACK, ACK, RST, etc.
• Sequence number, acknowledge number, and packet length

[Figure: Ethereal top pane listing frames 101 to 115 of the capture: the SSH
traffic between 10.2.2.102 and 10.2.2.1, then the HTTP handshake from
172.29.109.1 port 1045 to 10.2.2.102. Each SYN, SYN-ACK and ACK appears
several times in a row, once per inspection point recorded by fw monitor,
which Ethereal labels as TCP Retransmission and TCP Dup ACK.]

Ethereal Top Pane

The Time field counts in seconds after fw monitor starts. The Time field is
always important for troubleshooting. For example, when a new TCP
connection starts, it starts with a TCP handshake: SYN, SYN-ACK, and ACK.
Check Point's default limit for the whole TCP handshake is 25 seconds (defined
in the tcpstart time-out setting in Global Properties). If you see a SYN packet
from client to server, and the server does not reply with SYN-ACK within 25
seconds, the SYN-ACK will be dropped with a "TCP packet out of state" error.
By looking at the Time field, you can tell if the connection is finished in time.


Viewing Connection Beginnings

A typical TCP connection starts with a TCP handshake: SYN, SYN-ACK, and
ACK. You can observe the TCP handshake in fw monitor without any filtering
expressions. You can see the SYN packet from the client to the server with all
four entries i, I, o, O present. You know the packet arrives at the kernel, and
leaves the Gateway successfully.

After the SYN packet leaves the Gateway and gets to the server side, the server
side replies with a SYN-ACK. If the reply is successful, you will see i, I, o, O.
The client then sends an ACK packet to the previous SYN-ACK, and you see i,
I, o, O. If you only see SYN but no SYN-ACK, the SYN-ACK packet may not
arrive at the Gateway. There may be some routing issues, or the server may not
be running.

Viewing Connections Dropped by Kernel

Depending on the switch combination with fw monitor, you may see more or
fewer lines per packet. If no particular direction or interfaces are filtered,
fw monitor records four lines per packet in Ethereal (i, I, o, O). If there is any
discontinuity in the flow, the packet has been either dropped or rerouted by the
kernel. For example, if a packet has entry i but no I, the packet may have been
dropped by the Rule Base. If you see a packet coming through the inbound
interface (i or I) but not through the outbound interfaces (o or O), the packet may
have been rerouted by the OS.

Using Filters with Ethereal

When you use fw monitor to capture certain types of traffic, start fw monitor
with the proper switches first. Then test the traffic in question, wait until the
problem occurs (connection times out or error messages appear), then return to
the fw monitor CLI and stop fw monitor with CTRL + C. To transfer the monitor
output to a machine running Ethereal, transfer the monitor output in binary.

Ethereal may take a long time to open an fw monitor file when using
filters, as it interprets the data contained in the monitor.out file.
Check Point recommends opening Ethereal as a new session.
Then create a filter expression, using the same filters used in the
monitor file, in the newly created session. This will lessen the
amount of time Ethereal takes to open.


Connections normally start with a SYN packet from a client to a
server. To find the starting point of a connection, click either the Source or
Destination column (if either of them is known). In some cases, click the Protocol field,
and monitor entries will line up accordingly.

For example, to look for FTP connections only, you can filter by FTP on the
Protocol field. The filtered output is like the following:

[Figure: Ethereal packet list filtered on FTP in the Protocol field, showing
only the FTP control channel between 10.2.2.102 and 172.29.109.1: the 220
banner responses, the USER request, 331 Password required, the PASS request
and 230 user logged in. Each entry is repeated at the successive inspection
points recorded by fw monitor, which Ethereal marks as TCP Retransmission.
The packet details pane below shows the IP header fields (Header length,
Differentiated Services Field, Total Length) and the hex dump of one 220
response.]

Protocol Field

To revert to the original display, click the No. or Time fields.


FOLLOWING TCP STREAMS

Ethereal can display specific packets in different colors, or display only
specific packets. The easiest way to display only the packets of one connection
is to select a packet in the overview pane, then select Follow TCP Stream from
the context menu. This automatically sets a display filter that shows only the
packets of this specific connection, based on source and destination IP
addresses and ports. A separate screen displays the data exchanged between
client and server.

[Figure: Follow TCP Stream selected from the context menu of a packet in the
overview pane, with the HTTP connection between 172.29.109.1 port 1045 and
10.2.2.102 (SYN-ACK, ACK, GET / HTTP/1.1, HTTP/1.1 304 Not Modified)
listed behind it.]

Follow TCP Stream Selection

The filter expression is automatically populated in the Filter list in the top pane.
To clear the filter expression, click the Clear button to the right of the Filter box.

[Figure: The Filter box populated by Follow TCP Stream with an expression
beginning (ip.addr eq 172.29.109.1 and ip.addr eq 10.2.2.102) and (tcp.port eq
1045, followed by the Expression, Clear and Apply buttons. The packet list
below is reduced to that HTTP connection: frames 105 to 107 (SYN), 109 to
112 (SYN, ACK), 113 to 116 (ACK), 117 to 120 (GET / HTTP/1.1) and 121
(HTTP/1.1 304 Not Modified).]

Filter Expression

When Follow TCP Stream is selected, a separate screen appears, which displays
the data exchanged between the server and client on that particular connection.
By following the TCP stream of a particular FTP packet, for example, the TCP
stream screen can show whether or not that particular connection is broken, as
shown below:

[Figure: Follow TCP Stream screen showing the FTP control conversation
(entire conversation, 351 bytes): the 220 banner of the WS_FTP Server
evaluation on weboslo, USER tchung, 331 Password required, PASS with the
password readable in cleartext, 230 user logged in, TYPE I, 200 Type set to
image, PORT, 200 command successful, RETR, QUIT. The screen offers Save
As and Print, the ASCII, EBCDIC, Hex Dump and C Arrays views, and a
Filter out this stream button.]

Follow TCP Stream Screen

The Follow TCP Stream filter can only use IP addresses and
ports.

A.) The monitor file has been sent to you in ASCII i
;send the file in 1

1.1

( = ) or greater than (>=).

7. Click Apply.
LAB 5: COMPARING CLIENT-SIDE NAT
VS. SERVER-SIDE NAT WITH FW MONITOR

CONFIGURE AUTOMATIC STATIC NAT FOR
WWW.YOURCITY.CP

1. Log in to
2. Edit wQbvonrcitfs
3. Open the NAT sere

4.
5. 172.x.x.3 as the NAT IP ;
is 172.22.102.0, and the NAT IP j
172.22.102.3.
6. OK to exit the host
7. Policy > Global properties > NAT i
8. Verify 1 5 is i
9. Verify 1 j ARP.
10. OK to <
11.

RUN FW MONITOR WHILE WEBDALLAS BROWSES
THE NAT ADDRESS OF WWW.YOURCITY.CP

1. Start fw monitor to < ; HTTP [to1


(172.29.109.1):
fw .1 .1;" -o

2. (172.29.109.1), try to brows< i its


NAT IP
to ensur fw monitor captures an HTTP SYN
In the lab environment, if
irtner city NAT
; of your Web

3. Run fw monitor on your Gateway, filtering for your partner's internal-host
IP address as source or destination. For example, if your partner's host IP is
10.2.4.104 (weboslo's partner site webmadrid), run the following command
to capture all traffic from or to that partner host:
fw monitor -e "accept src=10.2.4.104 or src=172.24.104.3 or dst=10.2.4.104 or dst=172.24.104.3;" -o monitor-auto-nat.out

4. Use FTP in binary mode to transfer the monitor-output file from your
Gateway to www.yourcity.cp, where Ethereal is installed.
5. Open Ethereal and load the monitor-output file.
6. Analyze the NAT process and locate the point where the NAT IP address
changes into the private IP. In the following screenshot at I (big I), the
destination changes from 172.23.103.3 to 10.1.1.101, which is the private
IP of webrome:

[Figure: Ethereal view of the client-side NAT capture. Frames 1 to 4 are the
same SYN from 172.23.103.3 port 1092 at the four inspection points on eth0;
from the I record (frame 2) onwards the destination is already 10.1.1.101, the
private IP of webrome, while the i record still shows the NAT address. The
packet details pane for frame 2 shows the Check Point FW-1 pseudo-header
(Protocols in frame: eth:fw1:ip:tcp, Direction: I, interface eth0), the IP
header with Src 172.23.103.3 and Dst 10.1.1.101, and the TCP header with
source port 1092 and destination port http (80).]

Monitor Output with Client-Side NAT

10.2.2.102 to 172.22.102.3. This occurs at the O (big O) in the

DISABLE CLIENT NAT

1. Select Glo
2. Under Aut : NAT i
side.
3. Leave the : ARP (
4. Click OK.
5. Install the

ADD HOST ROUTE ON FWYOURCITY GATEWAY

1. Log in to 1

2. Ru
3. Select Routing from the menu.
4. Select add a host route.
5. Enter the NAT IP address as the

7. Enter e to ex
8. Enter e to &

RUN FW MONITOR WHILE BROWSING NAT IP ADDRESS

1. to WW by its NAT IP ;
(172.29.109.1).
2.
run fw : NAT
•city's

3. Use FTP to s<


5. Identify the point where the NAT IP changes to the private IP. For inbound,
as shown in the screenshot below, the translation occurs at O (big O), since
it is closest to the server side. (The client side is webdallas, and the server
side is webrome.)

[Figure: Ethereal view of the server-side NAT capture. Frames 1 to 4 are the
SYN from 172.29.109.5 port 1351 to the NAT address 172.21.101.3: the
destination is unchanged at i, I and o (eth0) and becomes 10.1.1.101 only at
the O record (frame 4, Direction: O, interface eth1). The following frames show
the SYN-ACK, whose source is 10.1.1.101 at i and 172.21.101.3 from I onwards.
The packet details pane for frame 4 shows the FW1 Monitor pseudo-header
(eth0 to eth1, Direction: O), Src 172.29.109.5, Dst 10.1.1.101, source port
1351 and destination port http (80).]

fw monitor Output with Server-Side NAT

6. Identify the point where the return packet's source address is translated
from 10.2.2.102 to 172.22.102.3. It is at the I (big I), because this is the
closest point to the server side.
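Both the Ethereal reading rules given earlier ("Viewing Connections Dropped by Kernel" and the Time-field check against the 25-second tcpstart timeout) and steps 5 and 6 of this lab come down to walking each packet through its i, I, o and O records. The following is an added example, not part of the course and not Check Point code: it applies those rules to a constructed set of records in the shape Ethereal lists for an fw monitor capture. The addresses are the Lab 5 ones (client 172.29.109.5, NAT address 172.21.101.3, server private address 10.1.1.101); the timings, sequence numbers, the assumption that static NAT leaves ports and sequence numbers untouched (so they identify a packet across the four points), and the function names are mine.

```python
"""Walk an fw monitor capture through the four inspection points.

Added example, not from the course or from Check Point.  The records below
are constructed to look like what Ethereal lists for an fw monitor capture:
every packet appears once per inspection point it reaches, i (pre-in),
I (post-in), o (pre-out) and O (post-out).  Assumptions: static NAT, so a
packet is identified by (sport, dport, seq, flags), which the translation
does not change; the 25 second limit is the tcpstart timeout quoted above;
the addresses are the Lab 5 ones with made-up timings.
"""
from collections import OrderedDict

TCP_START_TIMEOUT = 25.0  # seconds, Global Properties default quoted above

# Constructed sample.  Packet A is a SYN that is translated between o and O
# (server-side NAT); its SYN-ACK is translated back between i and I.  Packet B
# is a SYN that has an i record but no I.  Packet C's SYN-ACK arrives 26 s
# after the SYN and only has an i record.
SAMPLE = [
    # (time, point, src, dst, sport, dport, seq, flags)
    (0.000, "i", "172.29.109.5", "172.21.101.3", 1351, 80, 1550466389, "S"),
    (0.000, "I", "172.29.109.5", "172.21.101.3", 1351, 80, 1550466389, "S"),
    (0.000, "o", "172.29.109.5", "172.21.101.3", 1351, 80, 1550466389, "S"),
    (0.001, "O", "172.29.109.5", "10.1.1.101", 1351, 80, 1550466389, "S"),
    (0.002, "i", "10.1.1.101", "172.29.109.5", 80, 1351, 154979000, "SA"),
    (0.002, "I", "172.21.101.3", "172.29.109.5", 80, 1351, 154979000, "SA"),
    (0.002, "o", "172.21.101.3", "172.29.109.5", 80, 1351, 154979000, "SA"),
    (0.002, "O", "172.21.101.3", "172.29.109.5", 80, 1351, 154979000, "SA"),
    (3.000, "i", "172.29.109.5", "172.21.101.3", 1352, 80, 99, "S"),
    (5.000, "i", "172.29.109.5", "172.21.101.3", 1353, 80, 500, "S"),
    (5.000, "I", "172.29.109.5", "172.21.101.3", 1353, 80, 500, "S"),
    (5.000, "o", "172.29.109.5", "172.21.101.3", 1353, 80, 500, "S"),
    (5.001, "O", "172.29.109.5", "10.1.1.101", 1353, 80, 500, "S"),
    (31.000, "i", "10.1.1.101", "172.29.109.5", 80, 1353, 600, "SA"),
]

VERDICTS = {
    "i": "i but no I: dropped inbound, e.g. by the Rule Base",
    "I": "I but no o: not forwarded, e.g. rerouted by the OS",
    "o": "o but no O: dropped outbound",
}


def group_packets(records):
    """Collect the inspection-point records that belong to one packet."""
    packets = OrderedDict()
    for t, point, src, dst, sport, dport, seq, flags in records:
        packets.setdefault((sport, dport, seq, flags), []).append((t, point, src, dst))
    return packets


def find_incomplete(records):
    """Packets whose trail stops before O, with the interpretation given above."""
    result = []
    for key, trail in group_packets(records).items():
        last_point = trail[-1][1]
        if last_point != "O":
            result.append((key, VERDICTS[last_point]))
    return result


def find_nat_points(records):
    """Where, between two consecutive points, a source or destination changed."""
    result = []
    for key, trail in group_packets(records).items():
        for (_, p0, s0, d0), (_, p1, s1, d1) in zip(trail, trail[1:]):
            if s0 != s1:
                result.append((key, f"{p0}->{p1}", "src", s0, s1))
            if d0 != d1:
                result.append((key, f"{p0}->{p1}", "dst", d0, d1))
    return result


def nat_side(records, server_private_ip):
    """'client-side' if the NAT address becomes the private IP at I, 'server-side' at O."""
    for _, hop, field, _, after in find_nat_points(records):
        if field == "dst" and after == server_private_ip:
            return {"i->I": "client-side", "o->O": "server-side"}.get(hop, "unexpected")
    return "no translation seen"


def check_handshakes(records):
    """Delay from client SYN to server SYN-ACK, both taken at i, against the limit."""
    pending, result = {}, []
    for t, point, _, _, sport, dport, _, flags in records:
        if point != "i":
            continue
        if flags == "S":
            pending[(sport, dport)] = t
        elif flags == "SA" and (dport, sport) in pending:
            delay = t - pending.pop((dport, sport))
            result.append(((dport, sport), round(delay, 3), delay <= TCP_START_TIMEOUT))
    return result


if __name__ == "__main__":
    for key, why in find_incomplete(SAMPLE):
        print("incomplete", key, why)
    for row in find_nat_points(SAMPLE):
        print("nat", row)
    print("NAT mode:", nat_side(SAMPLE, "10.1.1.101"))
    for conn, delay, ok in check_handshakes(SAMPLE):
        print("handshake", conn, delay, "ok" if ok else "exceeds tcpstart timeout")
```

On the sample, the SYN of connection 1351 is rewritten between o and O and its SYN-ACK between i and I, so nat_side reports server-side NAT, exactly the pattern steps 5 and 6 ask you to recognise; the 1352 SYN stops at i and is reported as dropped inbound; and the SYN-ACK of connection 1353 arrives 26 s after its SYN, so it is flagged as exceeding the tcpstart limit, which is consistent with it having only an i record (the Gateway drops it as out of state).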

End of lab.


REVIEW

• tcpdump is a UNIX utility that captures a sample of packet headers on a
network segment, by setting an interface into promiscuous mode.
• snoop is a utility on UNIX-based systems that can capture a sampling of all
traffic on a network segment, by setting an interface into promiscuous mode.
snoop can only capture packets in its local collision domain, not from a
switched network.
• fw monitor is a Check Point-specific utility, consisting of a special
INSPECT filter that can be configured and run on a Security Gateway to
capture all traffic passing through that Gateway's interfaces. fw monitor can
be set to capture all traffic passing through the NGX kernel, or modified to
capture only specific traffic, depending on the needs of the Security
Administrator.
• The INSPECT virtual machine is the name given to the processing of
network traffic packets through the NGX kernel, before those packets enter
the operating system's network stack. The virtual machine consists of four
points: i (pre-in), I (post-in), o (pre-out), O (post-out).
• fw monitor can also be configured to insert itself into kernel chains and
capture their actions on packets, showing the action each kernel module did or
did not take on that packet.
• Ethereal is a multiplatform, graphical network-analysis tool that can be used
to capture traffic, and also to view the output of tcpdump, snoop and
fw monitor. Check Point has produced its own version, called CPEthereal.


Review Answers

1. What sort of traffic will the following fw monitor string capture?

fw monitor -e "accept dport=80;"

B.) All inbound HTTP traffic to the Web server

2. You are troubleshooting an FTP connectivity issue through an NGX Security
Gateway. Use the following fw monitor string:
fw monitor -e "accept src=192.168.19.23 or dst=192.168.19.23;" -o ftp-monitor.out

You have captured all traffic for the FTP server, and are attempting to
determine if the problem lies with the server or with clients connecting
through the Security Gateway. Which of the following would be the best
way to use Ethereal to study the capture?
E.) All of these would be useful, but more information about the issue is
necessary to determine the next step.

CHAPTER 5: NGX DEBUGGING TOOLS

This chapter discusses the debugging tools used for troubleshooting
VPN-1 NGX. There are many ways to generate debug information. NGX
debugging tools allow in-depth analysis of specific issues.

Objectives

1. Perform kernel debugging using the fw ctl debug command.
2. Use fwm debug to analyze SmartCenter Server issues.
3. Use fwd debug to analyze kernel-to-application layer issues.
4. Use cpd debug to analyze SIC issues.

Key Terms

• fw ctl debug
• fw debug fwd
• fw debug fwm
• cpd debug

FW CTL DEBUG

The fw ctl debug command may be used for a variety of reasons, including
performance-baseline measurements, troubleshooting specific issues as they
arise, and server-performance improvement. This debugging tool is very useful
when determining the cause of issues with a Security Gateway.

The fw ctl debug command has many switches that make it possible to see
nearly everything happening in the NGX kernel. How NGX kernel messages
are triggered varies according to the situation. Some messages are issued
whenever a certain condition occurs. Other messages are issued only when a
certain debugging flag is set. It is possible to alter debugging flags, and so
choose which messages will appear. By default, messages are written to the
console in UNIX systems, which usually collects console messages in a log file,
or to the event viewer on Windows. It is possible to change the destination of
the messages.

All debugging flags are grouped into modules. Each module represents a
product or functionality. Some kernel modules are fw, vpn, h323, and cluster.
Each module has a list of debugging flags, each of which can be enabled or
disabled. Some of these flags are on by default, and there is usually no reason to
reset them. Others are off by default, and may be set when debugging messages
are desired. To obtain a list of modules and flags, type fw ctl debug -h.

fw ctl kdebug

If you do not want debugging messages displayed on the console, create a
debugging buffer using fw ctl debug -buf. All debugging messages will then
print to the buffer. The fw ctl kdebug command is used to read the buffer, and
print a message to the standard output. fw ctl kdebug removes all messages it
reads from the buffer, and so makes room for more messages. The buffer is
cyclic, which means if there is no room in the buffer for a new message, the
oldest messages are deleted from the buffer. In such a case, a message is printed
to the buffer and the console, indicating messages are lost.

FW MODULE

Kernel-debugging options (partial list): ex driver filter q xlate xltrc sipvm
sync ipopt link nat cifs mgcp cprx mail spii smtp wap

VPN MODULE (VPN-1)

Kernel-debugging options: install tcp ad time url dns rtm ls auth log conn sv
rates tim llq pkt

H323 MODULE (VOIP H.323)

Kernel-debugging options: error init h225 h245 ras decode cpas

BOA MODULE (MALICIOUS CODE PROTECTION)

Kernel-debugging options: fatal info stat


WS MODULE (SMARTDEFENSE WEB INTELLIGENCE)

Kernel-debugging options: fatal error warning info timestamp connection
session parser body global stat memory address policy pfinder regexp
coverage report_mgr spii uuid ioctl module mem_pool pkt_dump subject sslt
sslt_seq

CPAS MODULE (ACTIVE STREAMING)

Kernel-debugging options: error warning tcp api glue events conns pkts timer
tcpinfo http ftp skinny

CLUSTER MODULE (HIGH AVAILABILITY)

Kernel-debugging options: conf if stat select ccp pnote log mac forward df
pivot nokia timer accel drop subs

RTM MODULE (SMARTVIEW MONITOR)

Kernel-debugging options: driver err topo policy init chain ioctl import
special rtm sort netmasks per_conn per_pckt view_update view_update1
view_add performance con_conn tabs s_err wd accel


fw ctl debug Flags

fw ctl debug is a special command to pass debugging flags to the modules that
make up the NGX kernel, as shown below:

fw ctl debug [-x] [-m <module>] [+|-] <options | all | 0>

fw ctl debug -buf [buffer size]

Flag Explanation

-h Display usage for running kernel module in debug mode; show the options
for that module, if a kernel module is specified.

-buf [buffer size] Assign buffer size in KB; minimum buffer size is 128 KB;
maximum is 8,192 KB.

-x Clear all debug options.

-m <module> Specify a module to debug.

+ | - Add or remove a debugging option. Note: When using +, that option is
passed to the kernel along with all currently running flags.

<options | all | 0> Specify one of the following:
<option> for an option
<all> for all options
<0> to reset all options to default values
<CTRL + C> to stop debugging


FW CTL DEBUG OPTIONS

The following table lists available definitions for fw ctl debug options. While
not comprehensive, this table does define the most commonly used ones.
Contact Check Point Technical Support for further information on options not
defined here.

Option Explanation

all Uses all commands; this option is not recommended, as the amount of
data is massive, and it is nearly impossible to retrieve useful information;
on some platforms, it could crash the system, as the operating system
will try to write massive amounts of data to the console.

cookie With the cookie switch turned on, all cookies in the data structure
holding the packets are shown; cookies are used to avoid the problems that
arise from the various ways operating systems handle packets; unrelated to
the HTTP implementation of cookies; VPN-1 NGX uses cookies as packet
fragments for consistency between operating systems.

crypt With this option turned on, all encrypted/decrypted packets are
printed in cleartext and ciphertext; algorithms and keys in use are also
printed.

driver Access to the kernel module, shown as log entries

filter Shows the packet filtering performed by the kernel, and all data
loaded into the kernel

hold Holding mechanism, and all packets being held or released, shown
when this switch is turned on

if Displays all interface-related information, such as accessing the
interface, or installing a filter on an interface

ioctl When this switch is turned on, it shows all Input/Output (ioctl)
control messages, such as communication between the kernel and the
daemon, and loading and unloading of VPN-1 NGX.

kbuf All informative kbuf-related displays, such as RDP when encrypting;
kbuf is the kernel-buffer memory pool; encryption keys use these
memory allocations.

ld Displays all table read/write operations; heavy log generation

log Shows everything related to calls in the log


machine Shows the actual assembler commands being processed; heavy log
generation

memory Prints memory allocations of VPN-1 NGX

misc Prints all items not shown with other commands

packet Shows all actions performed on a packet, such as accept, drop, or
fragment

q Prints information regarding the driver queue

tcpseq Prints TCP sequences being changed when using Network Address
Translation (NAT)

xlate, xltrc Prints NAT-related information (changing IPs), where the xlate
switch is the basic and most commonly used switch; xltrc provides
additional information, by showing the actual process of going
through the NAT Rule Base for each packet, mostly on Telnet and
FTP connections.

winnt Prints special information regarding Windows NT operation

synatk Prints all information regarding SYNDefender

domain Prints Domain Name Service (DNS) queries

install Prints driver installation

profile Prints the number of packets filtered, and the amount of time spent on
them

media Makes level information on Windows NT using frames, not packets

ex Displays information about dynamic-table expiration

balance Displays information about logical-server load balancing

chain Displays information about cookie chains

SYNTAX

The syntax for using fw ctl debug is as follows:

fw ctl debug all | cookie | crypt | driver | filter | hold | if | ioctl |
xltrc | winnt | synatk | domain | install | profile | media | align | ex |
balance | chain

fw ctl kdebug -f >& <output_file>

fw ctl kdebug -i <output_file>
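The procedure described above (allocate a buffer, add a module's flags, drain the buffer with fw ctl kdebug, reset with fw ctl debug 0) wrapped in one shell function, as an added example that is not part of the course material or of Check Point's own tools. It assumes a capture window given in seconds and a FW_BIN variable (an assumption for this example) that names the fw binary, so the function can be dry-run against a stub; the 8192 KB buffer is the maximum the flag table allows, and the flags are reset on every exit path because a kernel module left in debug mode keeps consuming CPU and, for noisy flags, floods the console.

```shell
#!/bin/sh
# Added example (not Check Point's code): bounded kernel-debug capture that
# follows the fw ctl debug / fw ctl kdebug procedure and always resets the
# flags afterwards. FW_BIN is an assumption for this example so that the
# function can be dry-run against a stub; on a gateway leave it unset.
FW_BIN="${FW_BIN:-fw}"

# Return every module to its default flags. Leaving kernel debug enabled
# costs CPU and can flood the console, so this runs on every exit path.
reset_kernel_debug() {
    "$FW_BIN" ctl debug 0
}

# capture_kernel_debug <module> "<flags>" <output_file> <seconds>
# e.g. capture_kernel_debug fw "xlate xltrc" /var/log/nat-debug.txt 30
capture_kernel_debug() {
    module=$1; flags=$2; out=$3; secs=$4
    case "$secs" in
        ''|*[!0-9]*) echo "capture window must be a number of seconds" >&2; return 2 ;;
    esac
    # 1. start from the defaults and allocate the cyclic buffer
    #    (size in KB; 8192 is the maximum listed in the flag table)
    reset_kernel_debug || return 1
    "$FW_BIN" ctl debug -buf 8192 || return 1
    # 2. add the requested flags to the chosen module ($flags is split on purpose)
    "$FW_BIN" ctl debug -m "$module" + $flags || { reset_kernel_debug; return 1; }
    # 3. drain the buffer to a file for the capture window only
    "$FW_BIN" ctl kdebug -f > "$out" 2>&1 &
    reader=$!
    sleep "$secs"
    kill "$reader" 2>/dev/null || true
    wait "$reader" 2>/dev/null || true
    # 4. restore the defaults
    reset_kernel_debug
}

# Reset even if the operator interrupts the capture with CTRL + C.
trap reset_kernel_debug INT TERM
```

On a gateway, run it as the user that can execute fw, for example `capture_kernel_debug fw "xlate xltrc" /var/log/nat-debug.txt 30` for a 30-second NAT trace; keep the window short, since the output grows quickly and the buffer is cyclic, so messages produced faster than they are drained are lost.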

FW CTL DEBUG EXAMPLES


DEBUGGING FWD/FWM


fwd/fwm Debug Switches

The switches in the table below allow a more granular level of control over the
fwm and fwd processes:

Switch Explanation

-u VPN-1 SecuRemote server; configures a Security Gateway to allow
SecuRemote connections

-n Management only; used to designate a particular server as a management-
only module

-s No module; disables unneeded NGX services, such as fwauthd
(authentication daemon), and the SMTP server; this can help reduce the
amount of services running on a server, to determine if they are
conflicting, causing resource shortages, and to see if an issue arises, by
loading just the NGX core services.

-l No logs; disables logging that would normally be generated according to
the Rule Base

-A No alerts; disables alerts that would normally be generated according to
the Rule Base

-d Debug; debugs processes on the NGX server; this logs a great deal of
information in a short time period, and should be used with care.

-D Log debugging; helps troubleshoot issues dealing with log-file generation;
if records are not being placed into the log file, this switch should be used.

Debugging without Restarting fwd/fwm

This method is effective for troubleshooting NGX installations that cannot be
stopped, due to network activity. Debugging without restarting fwd/fwm allows
processes to continue running as they are placed into debug mode:

1. While the fwd process is running, open a Command Line Interface (CLI).
2. From the CLI, type the following:
fw debug [fwd | fwm] on [<env_variable>=<value>]

Note: Choose either fwd or fwm, depending on which process needs to be
debugged.
3. or
.e. Using this op , it is i to <
HTTP or FTP To ( ; this type of
run 1
4. Set OPSEC_ _LEVEL=3 to
1
5. Set (or 5, is 1 level) to

6. ; the
fw | fwm

A.)To , use the ; to (

JCLII

3. AI : to create a ]
thisi ;byi

fw fwm

4.

Debugging by Restarting fwd/fwm

In the examples below, the fwd command is used. It may be

Press CTRL + C in the fwd -d screen to stop


Next, restart th

UNIX


Stopping fwd debug

To stop an fwd debug, use the following procedure:

1. Run cpstop in the console or CLI in which cpstart was previously executed.
2. Press CTRL + C in the remaining console or CLI where fwd debug is running.
3. Execute the cpstart command to reactivate NGX services.

By default, when fwd executes, it uses -u. On a SmartCenter Server, cpstart
uses fwd -n.

To redirect fwd output to a file instead of the console, use the following
command:

UNIX

fwd -d 2> file_name

WINDOWS

fw d -d 2> file_name

When sending the output to a file, the fwd command should run for a short time
only, because the output file quickly becomes very large. If the file becomes too
large, it will be impractical for troubleshooting. Some general debug
information is also stored in the $FWDIR/log/fwd.elg file, including:

• Services and processes starting.
• Configuration-file loading.
• Security Policy loading.

DEBUGGING CPD

cpd is a Check Point generic daemon, which executes code of application add-
ons specified in the Check Point registry. cpd admin is a client utility used to
send administration commands to cpd. cpd config is a configuration utility
used to configure cpd add-ons. cpd is started by cpstart and stopped by cpstop.
Usually Administrators do not start or stop cpd manually.

The cpd process controls Secure Internal Communications (SIC), Policy
installation, and shared-management capabilities between Check Point products
and OPSEC-partner products. cpd listens on the Certificate distribution port,
waiting for fwm to provide cpd with its Certificate.

SIC ports used are:

• Port 18209, used for CA communication (for status, to issue, and revoke)
between the SmartCenter Server and the Security Gateway.
• Port 18210, used to pull Certificates from the CA.
• Port 18211, used by the cpd daemon on the Gateway to receive the
Certificate (by clicking Initialize in SmartDashboard).

To determine if SIC is listening to its network port on the Gateway or
SmartCenter Server, run the netstat -na command to find the above three ports'
status; for example:

On Windows 2000 Server and Windows Server 2003, run the following:
netstat -na | find "18211"
On Solaris or Linux (or SecurePlatform in Expert Mode), run the following:
netstat -na | grep 18211
The output should be:

TCP 0.0.0.0:18211 0.0.0.0:0 LISTENING
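An added example, not from the course material, that turns the netstat check above into a small script: it reports which of the three SIC ports (18209, 18210, 18211) have a TCP socket in the listening state, and accepts both the Linux/Solaris column layout (state LISTEN) and the Windows one (state LISTENING). The netstat lines in SAMPLE_NETSTAT are constructed for this example; on a real system pipe in `netstat -na` instead.

```shell
#!/bin/sh
# Added example (not from the course material): report the state of the three
# SIC ports from netstat -na output. SIC_PORTS and SAMPLE_NETSTAT are
# constructed for this example.
SIC_PORTS="18209 18210 18211"

# Constructed sample of netstat -na output (Linux column layout). Port 18210
# is deliberately absent so the report has something to flag.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:18211           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:18209           0.0.0.0:*               LISTEN
tcp        0      0 10.2.2.1:22             10.2.2.102:3010         ESTABLISHED'

# sic_listening <port> <netstat_output>
# Exit 0 if a TCP socket bound to <port> is in LISTEN/LISTENING state.
# The port is looked for in every address column, so the Linux layout
# (local address in column 4) and the Windows layout (column 2) both work.
sic_listening() {
    port=$1
    printf '%s\n' "$2" | awk -v p="$port" '
        tolower($1) ~ /^tcp/ && $NF ~ /^LISTEN/ {
            for (i = 2; i < NF; i++) if ($i ~ (":" p "$")) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# sic_report <netstat_output>
# Prints one line per SIC port; the return value is the number of ports that
# are NOT listening, so 0 means SIC is reachable on all three.
sic_report() {
    missing=0
    for port in $SIC_PORTS; do
        if sic_listening "$port" "$1"; then
            echo "port $port: listening"
        else
            echo "port $port: NOT listening"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}
```

Usage on a live system: `sic_report "$(netstat -na)"`; a non-zero return value from sic_report is the condition to alert on, since a SIC port that is not listening explains a failed Initialize or Policy installation before any deeper cpd debugging is started.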

For moi
from the CLI.

SETTING ENVIRONMENT VARIABLES



Note: The Check Point Watchdog process will restart a failed cpd process
within 60 seconds after it has been stopped. cpwatchdog logs may prove useful
in troubleshooting cpd-related issues.

4. To redirect output to $CPDIR/log/cpd.elg, run cpd without any switches, or
run cpd -d. The output displays in the CLI.
5. On Windows, run cpd -d 2> [filename] to redirect the output to a file. On
UNIX, run cpd -d >& [filename] to redirect the output to a file.

Note: If the commands are run from a different CLI, no debug information
will be gathered. To use separate CLIs, environment variables must be reset.

LAB 6: USING CPD AND FWM DEBUGGING

RUN CPD DEBUG ON THE GATEWAY

1. Identify the PID of the cpd process:
ps -aux | grep cpd
2. Kill the process by running:
kill -9 <cpd PID>
3. Set debug level and flag:
set OPSEC_DEBUG_LEVEL=3
set TDERROR_ALL_ALL=3
4. Run the
cpd -d >&

RUN FWM DEBUG

If you are connected to the: via an SSH ses a


commands. If 3
into the Gatewa ; ALT + F2 ] 's to start a new
the ALT + F1 :

1. Set the debug level and flag:
set OPSEC_DEBUG_LEVEL=3
set TDERROR_ALL_ALL=3
2. Turn on fwm debugging:
fw debug fwm on

THE PROBLEM


STOP DEBUGGING AND VIEW THE OUTPUT

1. On the Gateway, press CTRL + C to stop cpd debugging.
2. Run fw debug fwm off to turn off fwm debugging.
3. View the cpd-debug output file cpd.out, by using the less command.
4. View $FWDIR/log/fwm.elg in a text editor on your Web server.

REVIEW

• fw ctl debug can be used to view almost every function of the NGX kernel,
by configuring the modules (debugging flags grouped according to product
and/or functionality).
• NGX kernel modules are fw, vpn, FG-1 (QoS), h323, BOA, WS, CPAS, and
cluster.
• Debugging the fwd and fwm processes can be useful when troubleshooting
issues related to NAT, security, logging, alerts, Policy installation, OPSEC,
and communication between processes.
• Debugging fwm and fwd can be done either by stopping the process,
enabling debugging and then restarting the process, or by passing the debug
command to the running process.
• The cpd process can be configured for a debugging session to assist in
troubleshooting SIC issues, Policy installation, and Check Point/ OPSEC
shared management-product communication.

Review Questions

1. You are troubleshooting a VPN between a clustered NGX installation at your
site, and a single Security Gateway at your partner site. You have already
enabled debugging and assigned the buffer size. Which of the following
fw ctl debug strings would be useful for troubleshooting this issue in this
environment? Choose all that apply:

A.) fw ctl debug -m h323 + decode memory
B.) fw ctl debug -m fw + crypt memory
C.) fw ctl debug -m vpn + ike memory
D.) fw ctl debug -m cluster + nokia memory

2. What part of the following debug command sets the level of information
captured from the fwm process written to the *.elg file?
fw debug fwm on OPSEC_DEBUG_LEVEL=3 TDERROR_ALL_ALL=5

A.) fw debug fwm on
B.) OPSEC_DEBUG_LEVEL=3
C.) TDERROR_ALL_ALL=5
D.) B & C

Review Answers

1. You are troubleshooting a VPN between a clustered NGX installation at your
site, and a single Security Gateway at your partner site. You have already
enabled debugging and assigned the buffer size. Which of the following
fw ctl debug strings would be useful for troubleshooting this issue in this
environment?

B.) fw ctl debug -m fw + crypt memory
C.) fw ctl debug -m vpn + ike memory

2. What part of the following debug command sets the level of information
captured from the fwm process written to the *.elg file?
fw debug fwm on OPSEC_DEBUG_LEVEL=3 TDERROR_ALL_ALL=5

D.) B & C

3. Which of the following issues can you NOT troubleshoot by debugging the
CPD daemon?

C.) IKE Certificate exchanges

CHAPTER 6: FW ADVANCED COMMANDS



Various fw commands are very helpful to collect necessary data for maintaining
NGX Security Gateways and troubleshooting problems. fw commands can be
found by typing fw in the command line. Advanced fw commands can be found
by typing fw advanced in the command line.

Objectives

1. Identify relevant fw commands to obtain critical information about NGX
components' status.
2. Use fw and fw advanced commands with proper options, to obtain critical
information for troubleshooting.

Key Terms

• fw tab
• Symbolic link
• fw ctl
• Connection Module
• fw

FW COMMANDS

fw commands can be found by typing fw at a command prompt.

fw command Explanation

fw ver [-h] Display version.

fw kill [-sig_no] procname Send signal to a daemon.

fw sam Control SAM server.

fw fetch targets Fetch last Security Policy.

fw tab [-h] Display kernel-table content.

fw monitor [-h] Monitor NGX traffic.

fw ctl [args] Control kernel.

fw lichosts Display protected hosts.

fw log [-h] Display logs.

fw logswitch [-h target] [+|-][oldlog] Create a new log file. The old log has

fw repairlog Recreate log index.

fw mergefiles Merge log files.

fw lslogs Display remote machine log-file list.

fw fetchlogs Fetch logs from a remote host.

Note: The fw tab, fw ctl debug and fw monitor commands are elaborated in

FW TAB COMMAND

fw tab Options

The following is the standard format for the fw tab command, and a table
of its parameters:

fw tab [-all | -conf conffile] [-s] [-f] [-m number] [-u] [-t tname] [-x tname] [-d] [targets]

Parameter Explanation

-all Command executed on all targets (default)

-conf <file> Command executed on the targets specified in conf file

-a Displays all tables

-s Displays a summary of each table (number of elements)

-u Does not limit the number of displayed entries

-m number For each table, displays only its first number of elements
(The default is 16.)

-t tname Displays only tname table

targets Command executed on the designated targets

-f Displays the output in decimal format

Table Attributes

A table has a list of associated attributes. Following are some of the attributes a
table may have:

Attribute Explanation

free function Call function when an entry is deleted or expires from
this table

expires <time> Amount of time the table entry is allowed to stay in the
table (seconds)

hashsize <size> Size of the hash table; this value should be the power of
2 closest to the size of the table

implies <table name> Unused

kbuf <x> xth argument in the value section; reference to an
internal data structure (mostly used in encryption)

keep Keeps the entries after a Security Policy reinstallation

limit <x> Maximum number of entries allowed in the table

nexpires Elements do not expire, but are removed only when
explicitly deleted; nexpires is the default setting.

refresh Resets the expiry timer when an entry in the table is
accessed

sync Synchronizes this table if using synchronization

TABLE STRUCTURE

Many tables store entries representing connections. A table has two possible
representations:

1. The first five fields (src_ip, sport, dst_ip, dport, IP protocol) follow a
common standard. An example of these five fields is shown below, plus the
meaning of each field:
<c7cb4764, 0000008a, c7cb47ff, 00000050, 00000006 ... >

Field Example Value Explanation

1 c7cb4764 Source IP address (src_ip)

2 0000008a Source port (sport)

3 c7cb47ff Destination IP address (dst_ip)

4 00000050 Destination port (dport)

5 00000006 IP protocol number (IPP), as defined in RFC 1700
(UDP-11, TCP-6, ICMP-1) (IP protocol)

In most cases, connections in other tables contain the same five key fields,
but will store different field values. These first five fields are known as the
key part of the table entry.

2. A connection can also have a sixth variable, direction, which can be either
inbound or outbound. The direction is set by the first packet of the
connection, even though the connection may be bidirectional in reality:
0 — inbound
1 — outbound

CONNECTIONS-TABLE EXAMPLE

fw tab -t connections

The command output looks like this:

dynamic, id 8158, attributes: keep, sync, expires 60, refresh, limit 25000,
hashsize 65536, kbuf 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30,
free function 71f88108 0

Dynamic Entries can be added, modified or deleted. Another option
for this field is static, which means the opposite. Static
tables are initialized with values at the beginning of a
Policy, and remain with those values throughout the
duration of the Policy.

id n The identification number of the table; every table has a
unique id.

A typical connection entry looks like the following:

<00000001, d4968d33, 000003fc, d496c1dc, 00000801, 00000011; 00020001,
00020001, 06000000, 00000028, 00000000, 3bb7aea0, 00000001, d4968d33,
000007b6, ffffffff, ffffffff, 00000001, 00000001, 00000000, 00000000,
00000000, 00000000, 00000000, 00000000, 00000000, 00000000; 27/40>

The first six fields (up to the semicolon) are the key of the entry:

Field Example Value Explanation

1 00000001 Connection direction (outbound)

2 d4968d33 Source IP

3 000003fc Source port

4 d496c1dc Destination IP

5 00000801 Destination port

6 00000011 IP protocol


The fields following the semicolon are the values of the entry:

Field Example value Explanation

7 00020001 type/r_ctype

8 00020001 flags/r_cflags

9 06000000 Rule number by which the connection is accepted

10 00000028 Default time-out for the connection

11 00000000 Address of handler function that is called for
packets belonging to this connection

12 3bb7aea0 Part of unique id for connection

13 00000001 Part of unique id for connection

14 d4968d33 Part of unique id for connection

15 000007b6 Part of unique id for connection

16 ffffffff Client inbound interface ID (fw ctl iflist)
for connection (ffffffff means none.)

17 ffffffff Client outbound interface ID for connection

18 00000001 Server inbound interface ID for connection

19 00000001 Server outbound interface ID for connection

20 - end Kernel-buffer IDs

Last 27/40 Time left/total time

SYMBOLIC LINK

A a key and a ;hat type of link it


is. The to a
•the; A link in ble looks like the

! HAQAri Hr nflflAnftni
U^JULIUL, UUUUUOUi,
000003fc, d496cldc, 00000011> (00000006)

A link has the same type of key as a regular entry:

<direction, src-ip, sport, dst-ip, dport, ip_protocol>

in 1

<0, cli.ent-ip, IP

<1, cli ent-ip, port, IP

<0, server-ip, IP
<1, server-ip, IP

The first entry is a re • key. The i


three are links to the . No i a
is an appropriate ; all:
[to assess the

FW TAB -U -S

To view a summary list of all tables, type:

fw tab -u -s


Here is a partial list of fw tables:

HOST NAME ID #VALS #PEAK #SLINKS
localhost firewalled_list 1 2 2 0
localhost external_firewalled_list 2 0 0 0
localhost management_list 3 1 1 0
localhost external_management_list 4 0 0 0
localhost log_server_list 5 0 0 0

#VALS indicates how many entries are in the table. The #SLINKS field contains the
number of symbolic links for each table. Symbolic links are not included
(counted) as entries in the connections table. A size limit of 25,000 for the
connections table means that the table can hold 25,000 "real" connections, plus
up to eight symbolic links per connection.

FW TAB -T <TABLE_NAME> -F

To view table content in decimal format, use the -f switch:

fw tab -t <table_name> -f

The following is sample output of the fw tab -t connections -f command:

Using cptfmt

localhost:

Date: Nov 22, 2005

13:57:45 172.22.102.1 > : (+)
Table_Name: connections; : (+); Attributes: dynamic, id 8158, attributes:
keep, sync, expires 25, refresh, limit 25000, hashsize 32768, kbuf 16 17 18 19
20 21 22 23 24 25 26 27 28 29 30, free function 98a35c40 0, post sync handler
98a37510; product: VPN-1 & FireWall-1;

13:57:45 172.22.102.1 > : (+)
Direction: 0; Source: 10.2.2.102; SPort: 257; Dest: 10.2.2.1; DPort: 50693;
Protocol: tcp; CPTFMT_sep_1: ->; Direction_1: 1; Source_1: 10.2.2.1;
SPort_1: 50693; Dest_1: 10.2.2.102; DPort_1: 257; Protocol_1: tcp;
FW_symval: 6; product: VPN-1 & FireWall-1;

13:57:45 172.22.102.1 > : (+)
Direction: 1; Source: 10.2.2.1; SPort: 50693; Dest: 10.2.2.102; DPort: 257;
Protocol: tcp; CPTFMT_sep: ;; Type: 176129; Rule: 134217728; Timeout: 67;
0; Ifncin: -1; Ifncout: -1; Ifnsin: 1; Ifnsout: 1; Bits:
; Expires: 5/20; product: VPN-1 & FireWall-1;

13:57:45 172.22.102.1 > : (+)
Direction: 1; Source: 10.2.2.1; SPort: 22; Dest: 10.2.2.102; DPort: 3010;
Protocol: tcp; CPTFMT_sep_1: ->; Direction_1: 0; Source_1: 10.2.2.102;
SPort_1: 3010; Dest_1: 10.2.2.1; DPort_1: 22; Protocol_1: tcp; FW_symval: 5;
product: VPN-1 & FireWall-1;

13:57:45 172.22.102.1 > : (+)
Direction: 0; Source: 10.2.2.102; SPort: 3010; Dest: 10.2.2.1; DPort: 22;
Protocol: tcp; CPTFMT_sep: ;; Type: 114689; Rule: 1; Timeout: 401;
0; Ifncin: 1; Ifncout: 1; Ifnsin: -1; Ifnsout: -1; Bits: 0200000000000000;
Expires: 3600/3600; product: VPN-1 & FireWall-1;

FW TAB -T <TABLE_NAME> -S

To view a summary of a single table, use the -s switch together with -t. For
example:

fw tab -t connections -s

HOST NAME ID #VALS #PEAK #SLINKS
localhost connections 8158 2 4 2

A table's size (#VALS) is an indication that a certain type of traffic is under
heavy load. The connections table size is 25,000, by default. If a
table's size is 25,000 most of the time, it
FW CTL COMMANDS

The fw ctl command provides kernel information about NGX Gateways or
SmartCenter Servers. fw ctl options can be found by typing fw ctl -h from the
command line. Among the following command options, fw ctl debug, kdebug,
and fw ctl chain will be addressed in greater detail in the following chapters.

USE

Commands: install, uninstall, pstat, iflist, arp, debug, kdebug, chain, conn

fw ctl install

The fw ctl install command binds interfaces to the kernel. If you run this
command, it does not display any messages; it just returns the prompt. That
means the interfaces are bound to the kernel successfully.

fw ctl uninstall

The fw ctl uninstall command unbinds interfaces from the kernel.

fw ctl iflist

The fw ctl iflist command displays interfaces bound to the kernel. fw ctl
iflist is useful after the fw ctl install or fw ctl uninstall commands have
been applied. When fw ctl install is applied, fw ctl iflist should display all
active interfaces. Those interfaces' configurations (IP address, subnet mask,
and anti-spoofing group) should be obtained successfully in the gateway
object's Topology screen. Following is an example of fw ctl iflist output:

0 : ethl

1 : eth2

If fw ctl iflist is run after fw ctl uninstall, the output should be empty.

If fw ctl install is run after fw ctl

fw ctl arp
fw ctl pstat

Following is an example of fw ctl pstat output explained in parts. The first
section is the total kernel memory allocated for the NGX kernel.

KERNEL MEMORY

Hash kernel memory (hmem) statistics:

Total memory allocated: 6291456 bytes in 1535 4KB blocks using 1 pool

Total memory bytes used: 161356 unused: 6130100 (97.44%) peak: 191656

Total memory blocks used: 68 unused: 1467 (95%) peak: 76

Allocations: 24693 alloc, 0 failed alloc, 22079 free

A pool of 6,291,456 bytes (6 MB) is allocated by the Gateway kernel for its
internal hash-table items and other kernel-data structures. 6 MB is the default
kernel memory. The kernel memory can be adjusted in the gateway object's
Capacity Optimization screen:

[Figure: Capacity Optimization screen of the gateway object. Navigation
tree: General Properties, Topology, NAT, VPN, Remote Access,
Authentication, SmartView Monitor, UserAuthority Server, Logs and Masters,
Capacity Optimization, Advanced. Fields: Maximum concurrent connections;
Calculate connections hash table size and memory pool: Automatically /
Manually; Connections hash table size: 132763; Memory pool size (MByte);
Maximum memory pool size (MByte): 30; Reset to Defaults. VPN Capacity
Optimization: Maximum concurrent IKE negotiations: 200; Maximum
concurrent tunnels.]

Capacity Optimization Screen


INSPECT

INSPECT:

33250 packets, 8233028 operations, 189240 lookups, 0 record,
2290321 extract

This information relates to the activity of the virtual machine. The figures relate
to virtual-machine operations, lookups and records in tables, and the number of
packets inspected.

COOKIES

Cookies:

3647246 total, 0 alloc, 0 free,

3320 dup, 3742299 get, 3862 put,

3655403 len, 6 cached len, 0 chain alloc,

0 chain free

VPN-1 NGX uses cookies to represent packets. These statistics relate to the
code that handles those cookies, and is used only for heuristic tuning of the
code.

CONNECTIONS

Connections:

2965 total, 1278 TCP, 1683 UDP, 4 ICMP,

0 other, 256 anticipated, 52 recovered, 3 concurrent,

41 peak concurrent, 3658055 lookups

The Connections section of the fw ctl pstat command displays information on
current and historical connections traversing the Security Gateway.

FRAGMENTS

Fragments:
6 fragments, 3 packets, 0 expired, 0 short,
0 large, 0 duplicates, 0 failures

to Oft
Of the 145 Owe 312]
TCP/UDP, 14 TCP/UDP

OUTPUT EXAMPLES

Hash kernel memory (hmem) statistics:
Total memory allocated: 6291456 bytes in 1535 4KB blocks using 1 pool
Total memory bytes used: 161356 unused: 6130100 (97.44%) peak: 191656
Total memory blocks used: 68 unused: 1467 (95%) peak: 76
Allocations: 24693 alloc, 0 failed alloc, 22079 free

System kernel memory (smem) statistics:


Total memory bytes used: 10532520 peak: 11160692
Allocations: 104334 alloc, 0 failed alloc, 104066 free, 0 failed free

Kernel memory (kmem) statistics:


Total memory bytes used: 4394740 peak: 5052316
Allocations: 26315 alloc, 0 failed alloc, 23437 free, 0 failed free

Kernel stacks:
131072 bytes total, 8192 bytes stack size, 16 stacks,
1 peak used, 3956 max stack bytes used, 3956 min stack bytes used,
0 failed stack calls

INSPECT:
33250 packets, 8233028 operations, 189240 lookups,
0 record, 2290321 extract

Cookies:
3647246 total, 0 alloc, 0 free,
3320 dup, 3742299 get, 3862 put,
3655403 len, 6 cached len, 0 chain alloc,
0 chain free

Connections:
2965 total, 1278 TCP, 1683 UDP, 4 ICMP,
0 other, 256 anticipated, 52 recovered, 3 concurrent,
41 peak concurrent, 3658055 lookups

Fragments:
6 fragments, 3 packets, 0 expired, 0 short,
0 large, 0 duplicates, 0 failures

NAT:
167/0 forw, 145/0 bckw, 312 tcpudp,
0 icmp, 14-14 alloc
Sync:

use several fw ctl pstat


the numbers i
is using a high portion of

Hash kernel memory (hmem) statistics:
Total memory allocated: 3145728 bytes in 767 4KB blocks using 1 pool
Total memory bytes used: 3141632 unused: 4096 (1%) peak: 3141632
Total memory blocks used: 740 unused: 27 (4%)
Allocations: 4301 alloc, 129 failed alloc, 2219 free
Kernel memory (kmem) statistics:
Total memory bytes used: 3768249 peak: 3936541
Allocations: 1840 alloc, 0 failed alloc, 1533 free, 0 failed free

The ' for this Gateway is heavily used, an

ilures, which is also an


is ] This is due to high volumes of
or in th

, This is i • an error, nor an


Lofa: lis) v VPN-1 NGX
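An added example, not from the course, that turns the two fw ctl pstat samples above into an automated check: it reads only the hash kernel memory (hmem) section (the smem and kmem sections carry the same "Allocations" line and must be skipped), extracts the unused percentage and the failed-allocation count, and warns when the pool is nearly exhausted or has already failed allocations. The 10% threshold, the variable names and the two sample blocks are constructed for this example; the numbers in the samples are the ones printed on this page.

```shell
#!/bin/sh
# Added example (not from the course material): a quick health check over
# fw ctl pstat output. HMEM_MIN_UNUSED_PCT and both samples are constructed
# for this example; the sample numbers are the ones shown in the course text.
HMEM_MIN_UNUSED_PCT="${HMEM_MIN_UNUSED_PCT:-10}"

# Constructed sample: the healthy gateway from the first pstat listing.
PSTAT_HEALTHY='Hash kernel memory (hmem) statistics:
Total memory allocated: 6291456 bytes in 1535 4KB blocks using 1 pool
Total memory bytes used: 161356 unused: 6130100 (97.44%) peak: 191656
Total memory blocks used: 68 unused: 1467 (95%) peak: 76
Allocations: 24693 alloc, 0 failed alloc, 22079 free
System kernel memory (smem) statistics:
Total memory bytes used: 10532520 peak: 11160692
Allocations: 104334 alloc, 0 failed alloc, 104066 free, 0 failed free'

# Constructed sample: the memory-starved gateway from the second listing.
PSTAT_EXHAUSTED='Hash kernel memory (hmem) statistics:
Total memory allocated: 3145728 bytes in 767 4KB blocks using 1 pool
Total memory bytes used: 3141632 unused: 4096 (1%) peak: 3141632
Total memory blocks used: 740 unused: 27 (4%)
Allocations: 4301 alloc, 129 failed alloc, 2219 free
Kernel memory (kmem) statistics:
Total memory bytes used: 3768249 peak: 3936541
Allocations: 1840 alloc, 0 failed alloc, 1533 free, 0 failed free'

# hmem_stats <pstat_text>: prints "<unused_pct> <failed_alloc>" for the
# hmem section only; later sections reset the in_hmem flag.
hmem_stats() {
    printf '%s\n' "$1" | awk '
        /\(hmem\)/ { in_hmem = 1; next }
        /\((smem|kmem)\)/ || /Kernel stacks/ { in_hmem = 0 }
        in_hmem && /bytes used:/ && match($0, /\([0-9.]+%\)/) {
            pct = substr($0, RSTART + 1, RLENGTH - 3)
        }
        in_hmem && /failed alloc/ {
            gsub(/,/, "")
            for (i = 2; i <= NF; i++) if ($i == "failed") failed = $(i - 1)
        }
        END { print pct + 0, failed + 0 }'
}

# pstat_check <pstat_text>: prints a one-line summary; returns 0 when the
# hmem pool looks healthy and 1 when it is nearly exhausted or has failed
# allocations (the condition the course text describes as heavy use).
pstat_check() {
    set -- $(hmem_stats "$1")
    pct=$1; failed=$2
    status=ok
    # awk does the decimal comparison; shell arithmetic is integer-only
    if [ "$failed" -gt 0 ] || awk -v p="$pct" -v m="$HMEM_MIN_UNUSED_PCT" 'BEGIN { exit !(p < m) }'; then
        status=warn
    fi
    echo "hmem_unused_pct=$pct hmem_failed_alloc=$failed status=$status"
    [ "$status" = ok ]
}
```

On a gateway, `pstat_check "$(fw ctl pstat)"` gives the verdict; sampling it a few times under load, as the text above recommends, separates a transient peak from a pool that is too small for the traffic and needs the Capacity Optimization settings revisited.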

fw ctl conn

There are entities within and without the Gateway that monitor or manipulate
network traffic. The NGX infrastructure uses the connections table to store
information (also called opaque data). These tables also receive notifications of
connection-related events, such as connection starting, stopping, etc. These
entities are called Connection Modules.

Every Connection Module is registered with a unique ID. Run fw ctl conn on
the Gateway to see the Connection Modules currently registered. The
Connection Module's ID is important to verify if a Gateway has installed the
same products in the same order as another Gateway, when configured in a
cluster. If cluster members' Connection Module unique IDs are different in the
fw ctl conn table, the cluster may fail over for what appears to be unknown
reasons.

Connectivity level 0:

No.  Name             Used  Newconn              Packet    End

 0:  Accounting       yes   0:  Accounting       00000000
 1:  Authentication   yes   1:  Authentication   98a45e70
 2:  CPAS             yes   2:  CPAS             00000000
 3:  FG-1             yes   3:  FG-1             00000000
 4:  ISP-Redundancy   no    4:  ISP-Redundancy   00000000
 5:  NAT              yes   5:  NAT              00000000
 6:  RTM              no    6:  RTM              00000000
 7:  RTM2             no    7:  RTM2             00000000
 8:  SPII             yes   8:  SPII             98a4f220
 9:  SeqVerifier      yes   9:  SeqVerifier      989a4fc0
10:  SynDefender      no    10: SynDefender      00000000
11:  Tcpstreaming     yes   11: Tcpstreaming     98995710
12:  VPN              yes   12: VPN              9959ffb0
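A check for the cluster condition just described, as an added example that is not part of the handbook: it parses two members' fw ctl conn tables (constructed samples in the layout above) and reports whether the Connection Module IDs line up. The function and variable names are my own.

```shell
#!/bin/sh
# Added example, not from the Check Point handbook: compare the Connection
# Modules registered on two cluster members so that an ID mismatch (a cause
# of unexplained failovers, as described above) is caught before it matters.
# The two outputs below are constructed in the layout shown above; on real
# members you would capture them with:  fw ctl conn > member_a.txt

# Constructed sample: member A
MEMBER_A='Connectivity level 0:

No. Name Used Newconn Packet End

0: Accounting yes 0: Accounting 00000000
1: Authentication yes 1: Authentication 98a45e70
2: CPAS yes 2: CPAS 00000000
3: FG-1 yes 3: FG-1 00000000
4: ISP-Redundancy no 4: ISP-Redundancy 00000000
5: NAT yes 5: NAT 00000000
10 SynDefender no 10 SynDefender 00000000'

# Constructed sample: member B, where FG-1 was installed after NAT, so the
# module IDs 3-5 no longer line up with member A
MEMBER_B='Connectivity level 0:

No. Name Used Newconn Packet End

0: Accounting yes 0: Accounting 00000000
1: Authentication yes 1: Authentication 98a45e70
2: CPAS yes 2: CPAS 00000000
3: ISP-Redundancy no 3: ISP-Redundancy 00000000
4: NAT yes 4: NAT 00000000
5: FG-1 yes 5: FG-1 00000000
10 SynDefender no 10 SynDefender 00000000'

# conn_modules TEXT: print "ID NAME" for every registered module, one per line.
# Rows start with a number, optionally followed by a colon; headers do not.
conn_modules() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+:?$/ { id = $1; sub(":", "", id); print id, $2 }'
}

# compare_conn_modules TEXT_A TEXT_B: return 0 when both members registered
# the same modules under the same IDs, otherwise list both tables and return 1.
compare_conn_modules() {
    list_a=$(conn_modules "$1")
    list_b=$(conn_modules "$2")
    if [ "$list_a" = "$list_b" ]; then
        echo "OK: Connection Module IDs match on both members"
        return 0
    fi
    echo "MISMATCH: Connection Module IDs differ; check product install order"
    echo "member A:"; printf '%s\n' "$list_a"
    echo "member B:"; printf '%s\n' "$list_b"
    return 1
}

# Demonstration: the second comparison reports the mismatch and returns
# non-zero, so the function can also gate a cluster health check in a script.
compare_conn_modules "$MEMBER_A" "$MEMBER_A"
compare_conn_modules "$MEMBER_A" "$MEMBER_B" || echo "(mismatch detected as expected)"
```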


Other fw Commands

OTHER FW COMMANDS

fw sam

The Suspicious Activity Monitoring (SAM) functions of VPN-1 NGX are usually
initiated from SmartView Tracker. The fw sam command provides an alternate
method for using them.

USE

sam [-v] [-s <sam server>] [-S <server sic name>] [-f <fw host>]
[-t <timeout>] [-l <log>] [-C] [-e <key=val>]+ -{n|i|I|j|J|b|q} <criteria>

sam [-v] [-s <sam server>] [-S <server sic name>] [-f <fw host>] -M -ijnbq
{<criteria> | all}

sam [-v] [-s <sam server>] [-S <server sic name>] [-f <fw host>] -D

OPTIONS

-C Cancel.
-M Monitor.
-D Delete all.
-v Verbose
-s Server for connection
-S Secure Internal Communications (SIC) name of server
-f Name of target host/group
-t Time-out in seconds
-l Either nolog, long_noalert, or long_alert
-e Rule information; keys are name, comment and originator.
-i Reject.
-I Reject and close.
-j Drop.
-J Drop and close.


-n Notify.
-b Bypass.
-q Quarantine.

CRITERIA

src <ip>
dst <ip>
any <ip>
subsrc <ip> <net mask>
subdst <ip> <net mask>
subany <ip> <net mask>
srv <src ip> <dst ip> <service> <protocol>
subsrv <src ip> <net mask> <dst ip> <net mask> <service> <protocol>
subsrvs <src ip> <net mask> <dst ip> <service> <protocol>
subsrvd <src ip> <dst ip> <net mask> <service> <protocol>
dstsrv <dst ip> <service> <protocol>
subdstsrv <dst ip> <net mask> <service> <protocol>
srcpr <ip> <protocol>
dstpr <ip> <protocol>
subsrcpr <ip> <net mask> <protocol>
subdstpr <ip> <net mask> <protocol>
generic <key=val>+


EXAMPLES

The following command will reject packets from 172.29.109.1 in the next 10
minutes:

fw sam -v -t 600 -i src 172.29.109.1

The following message occurs:

sam: request for 'Inhibit src ip 172.29.109.1 on All' acknowledged

sam: fwoslo (0/1) successfully completed 'Inhibit src ip 172.29.109.1 on
All' processing

sam: request for 'Inhibit src ip 172.29.109.1 on All' done

The following command will drop and notify packets from 172.29.109.1:

fw sam -v -s 172.22.102.1 -t 600 -M -ijn src 172.29.109.1

The following message occurs:

sam: request for 'Monitor Inhibit Drop Notify src ip 172.29.109.1 on All'
acknowledged

sam: fwoslo (0/1) successfully completed 'Monitor Inhibit Drop Notify src ip
172.29.109.1 on All' processing:

no corresponding SAM requests

sam: request for 'Monitor Inhibit Drop Notify src ip 172.29.109.1 on All'
done

To view a list of IP addresses blocked by the sam command, use the
fw tab -t sam_blocked_ips -f command. The output is in decimal format.


fw lichosts

fw log

Use the fw log command to view the active log file (fw.log).

USE

To show only accept entries, and not resolve any names, run:

fw log -f fw.log -n -c accept | more

The following log entries appear on the command line:

Date: Nov 2, 2005

10:13:45 ctl weboslo >daemon log_sys_message: Log file has been purged;
product: VPN-1 & FireWall-1;

10:08:52 accept fwoslo >eth2 rule: 1; rule_uid: {1E341611-4B90-44F1-
90F8-27D2C4F08877}; service_id: nbname; src: weboslo; dst: 10.2.2.255;
proto: udp; product: VPN-1 & FireWall-1; service: nbname; s_port: nbname;

10:08:54 accept fwoslo >eth2 rule: 1; rule_uid: {1E341611-4B90-44F1-
90F8-27D2C4F08877}; service_id: ssh; src: weboslo; dst: fwoslo; proto: tcp;
product: VPN-1 & FireWall-1; service: ssh; s_port: 1735;

10:09:32 accept fwoslo >eth2 rule: 1; rule_uid: {1E341611-4B90-44F1-
90F8-27D2C4F08877}; service_id: nbdatagram; src: weboslo; dst: 10.2.2.255;
proto: udp; product: VPN-1 & FireWall-1; service: nbdatagram; s_port:

10:09:54 accept fwoslo >eth1 service_id: src: 172.29.109.1; dst:
fwoslo; proto: tcp; rule: 0; message_info: rule; product: VPN-1 &
FireWall-1; service: https; s_port: 1563;
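The following added example (not from the handbook) parses fw log entries of the format above with awk and summarises them by action and rule, flagging rule 0 matches; the log lines are constructed in that format, and the helper names are my own.

```shell
#!/bin/sh
# Added example, not from the Check Point handbook: parse fw log output of the
# form shown above into one record per connection and summarise which rules
# matched, flagging traffic that hit rule 0 (the implied rules), because that
# traffic never appears in the Rule Base you review in SmartDashboard.

# Constructed sample in the layout above (one entry per line, as fw log prints
# when not wrapped by the terminal); the last entry is an added drop.
FW_LOG_SAMPLE='Date: Nov 2, 2005
10:13:45 ctl weboslo >daemon log_sys_message: Log file has been purged; product: VPN-1 & FireWall-1;
10:08:52 accept fwoslo >eth2 rule: 1; rule_uid: {1E341611-4B90-44F1-90F8-27D2C4F08877}; service_id: nbname; src: weboslo; dst: 10.2.2.255; proto: udp; product: VPN-1 & FireWall-1; service: nbname; s_port: nbname;
10:08:54 accept fwoslo >eth2 rule: 1; rule_uid: {1E341611-4B90-44F1-90F8-27D2C4F08877}; service_id: ssh; src: weboslo; dst: fwoslo; proto: tcp; product: VPN-1 & FireWall-1; service: ssh; s_port: 1735;
10:09:54 accept fwoslo >eth1 service_id: https; src: 172.29.109.1; dst: fwoslo; proto: tcp; rule: 0; product: VPN-1 & FireWall-1; service: https; s_port: 1563;
10:11:02 drop fwoslo >eth1 rule: 3; src: 172.29.109.1; dst: 10.2.2.10; proto: tcp; product: VPN-1 & FireWall-1; service: telnet; s_port: 2201;'

# parse_fw_log TEXT: print "TIME ACTION RULE SRC DST SERVICE" for each
# accept/drop/reject entry; control records (action "ctl") are skipped.
parse_fw_log() {
    printf '%s\n' "$1" | awk '
        $2 == "accept" || $2 == "drop" || $2 == "reject" {
            split("", kv)                     # clear the key/value map
            rest = $0
            sub(/^[^ ]+ [^ ]+ [^ ]+ [^ ]+ /, "", rest)   # drop time, action, gateway, interface
            n = split(rest, pairs, ";")       # remaining text is "key: value;" pairs
            for (i = 1; i <= n; i++) {
                p = pairs[i]
                sub(/^ +/, "", p)
                if (p == "") continue
                k = p; sub(/:.*/, "", k)
                v = p; sub(/^[^:]*: */, "", v)
                kv[k] = v
            }
            rule = ("rule" in kv) ? kv["rule"] : "-"
            print $1, $2, rule, kv["src"], kv["dst"], kv["service"]
        }'
}

# summarize_fw_log TEXT: count entries per action and rule, and list every
# flow that matched rule 0 so it can be checked against Global Properties.
summarize_fw_log() {
    parse_fw_log "$1" | awk '
        { count[$2 " rule " $3]++ }
        $3 == "0" { implied[$4 " -> " $5 " " $6]++ }
        END {
            for (k in count) printf "%4d  %s\n", count[k], k
            for (k in implied) printf "NOTE: rule 0 (implied rule) traffic: %s (%d)\n", k, implied[k]
        }'
}

summarize_fw_log "$FW_LOG_SAMPLE"
```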

fw repairlog

A corrupted log file can be repaired with the fw repairlog command, which
rebuilds the log's pointer files (for example .loginitial_ptr).

USE

fw repairlog [-u] <log file>

The -u flag i J log file


The log file is i ; -u flag is i

fw mergefiles

USE

fw mergefiles [-s] [-t <time_conversion_file>] <log_file_1> [<log_file_2>
... <log_file_name_n>] <output_file_name>

EXAMPLE

fwoslo_2005-11-11_173150.log fwoslo_2005-11-11_173720.log


fw fetchlogs [[-f filename] ...] host

The active log file (fw.log) cannot be fetched.
iy> can be used on th

EXAMPLE

To fetch a log file on a remote Gateway from the SmartCenter Server, where the
Gateway name is fwoslo, run the following:

fw fetchlogs fwoslo

File fetching in process. It may take some time.

File fwoslo_2005-11-11_173150.log was fetched.



Q.) You have a remote VPN-1 Pro Gateway running on
i Pro in another city. When yoi

the i
ow do ;
in:

A.):

fw logswitch -h <SecurePlatform_host>

fw fetchlogs <SecurePlatform_host>

Open SmartView Tracker, and select File > Open from the menu.
FW ADVANCED COMMANDS

command prompt. The following table lists those commands and a brief
explanation for each of them:

fw advanced Command     Explanation

fw fwd | fwm            Start the fwd daemon | the fwm daemon.

fw debug                Turn debug output on | off.

fw fetchlocal           Install Policy files to the kernel.

fw unloadlocal          Uninstall Policy from the localhost.

fw dbloadlocal          Install local database.

fw defaultgen           Generate default filter.

fw license_sanity       Create initial Policy if no license.

fw ufpfetch             Fetch UFP server dictionary.

fw syslog               syslog support for router.

fw getifs               Get interfaces from remote Gateway.

fw stat                 Display status of target hosts.

fw hastat               Display HA status.

fw fgstat               Display FloodGate-1 status.

fw fcu                  Full connectivity upgrade for clusters.

fw fullsync             Synchronous full sync for clusters.

fw authd_set            Configure fwauthd.conf automatically.

fw isp_link             Take down/bring up an ISP link.

fw fwd

Starts the VPN-1 daemon. Do not run this command directly. The fwd daemon
is automatically started when running cpstart.

fw fwm

Check Point recommends using the cpconfig tool instead of fw fwm. fwm must be
running on the SmartCenter Server. If there is an Administrator already defined
by cpconfig, creating another one using the fwm command is not allowed. fwm is
used for adding, updating and deleting administrators.

USE

fwm [-a name [-w{w|u|r|m}] [-s password] [-q] | -r name | -p]

Option Explanation

-a name Update Administrator with username name.

-w Set access level as follows:


w - Read/Write
u - User Edit
r - Read Only
m - Monitor Only

-s password Set the Administrator's password.

-q When adding an Administrator, do not prompt for Administrator


password (useful for batch updates).

-r name Delete Administrator.

-p Print list of Administrators.

EXAMPLES

To add an Administrator named fwadmin, type:

fwm -a fwadmin -s -

In the example above, you will be prompted for the password.

If you want to change the access level of fwadmin to Read Only, type:

fwm -a fwadmin -wr

To delete the Administrator, type:

fwm -r fwadmin

To add Administrator Howard with the password "abc123" and Read/Write
access, type:

fwm -a Howard -s abc123 -ww

You will see the following:

Howard

fw fetchlocal

by the fwc
i (the INSPECT compiler) into tb
i of the INSPECT-ML filter code in t Policy is

i to fw fetch localhost or cpstart, this Policy is

USE

fw fetchlocal -d <dir>
OPTION

Option Explanation

dir Location of compiled INSPECT files to be loaded to the kernel; the directory
option is mandatory.

EXAMPLE

fw fetchlocal -d $FWDIR/tmp/local/FW1

fw fetchlocal loads the compiled INSPECT-ML into the kernel.

fw unloadlocal

The fw unloadlocal command removes the currently installed Policy from a
Gateway. When a Policy is unloaded from a Gateway, the Gateway accepts any
traffic, as long as routing permits, so it is unprotected until a Policy is loaded
again. fw unloadlocal is useful in troubleshooting as needed, but should be used
with care.

fw dbloadlocal

fw dbloadlocal loads the database on the local machine, by moving the database
file from the /temp to /state directory. This command is performed
automatically by a number of other commands (fw dbload for example), after
moving files from the SmartCenter Server to the Gateway.

USE

fw dbloadlocal -d <dir>

OPTION

Option Explanation

-d Source directory location of the files; normally \temp\local

fw defaultgen

USE

EXAMPLE 1

EXAMPLE 2

fw getifs

The fw getifs command is used for fetching interfaces from a remote Gateway.

USE

fw getifs <module_name>

OPTION

Option Explanation

<module name> Security Gateway object name

EXAMPLE

fw getifs fwoslo

This example produces the following output:

fwoslo eth0 212.150.140.81 255.255.255.0

• fwoslo is the gateway-object name.
• eth0 is the interface name.
• 212.150.140.81 is the IP address.
• 255.255.255.0 is the Gateway's subnet mask.

fw stat

fw stat displays the status of target hosts in various formats. The default format
displays the following information for each host: host name, Rule Base (or
Gateway) filename, date and time loaded, the interface installed on, and
direction loaded.

USE

fw stat [-long] [-short] [-inactive] [targets]

fw stat [-all | -conf conffile] [-long | -short] [-inactive] targets


OPTIONS

Option Explanation

-all            Execute the command on all targets specified in the default
                system configuration file.

-conf conffile  Execute the command on the targets specified in conffile.

-long           Display output in long format, with packet counters per
                interface.

-short          Display output in short format: host, interface, and Rule Base.

-inactive

targets         Target hosts; if targets is not specified, the local host is
                used.

EXAMPLES

To display the Policy installed on a Gateway locally, use fw stat as follows:

[Expert@SecurePlatform]# fw stat

localhost Standard 10Nov2005 14:43:50 : [>eth1] [>eth2] [<eth2]

To display the Policy installed on a remote Gateway from the SmartCenter
Server, and display the output in long format, use fw stat as follows:

fw stat -l fwoslo

HOST    IF     POLICY    DATE                TOTAL  REJECT  DROP  ACCEPT  LOG

fwoslo  >eth1  Standard  11Nov2005 14:45:50  1      0       0     1
fwoslo  >eth2  Standard  11Nov2005 14:45:50  67     0       1     66
fwoslo  <eth2  Standard  11Nov2005 14:45:50  74     0       8     66
Q.) You cannot log in to

L try to log in to SmartDashboard to verify any

I do you run to:


FWM COMMANDS

fwm Command Explanation

fwm ver [-f] ...                                 Display version.

fwm load [opts] [filter-file|rule-base] targets  Install Policy on target.

fwm unload [opts] targets                        Uninstall targets.

fwm dbload [targets]                             Download the database.

fwm logexport [-h] ...                           Export log to ASCII file.

P
[ "lnPOrt]] router access list.

fwm dbexport [-h] ...                            Export the database.

fwm ikecrypt <key> <password>                    Encrypt a secret with a key.

fwm dbimport [-h] ...                            Import to database.

fwm kill [-sig_no] procname                      Kill firewall process.

fwm lock_admin [-h]                              View or unlock locked Administrators.



fwm load

USE

fwm load [-p <product>] [-S] [-O <product_option>] [-vN] [-m] [-r] [-a | -c
conf-file] <rule-base name> <targets>

OPTIONS

Option Explanation

-p Specify target's product. Only one product can be specified.
   Possible products: firewall, sofaware_gw, interspect, cvpn

-O Specify product-specific option.

-S Targets are VPN-1 Edge devices.

-vN Retrieve the Security Policy from the version repository. N is the
    Version ID.

-m All Or None (works only for modules with the same version)

-r Do not perform All Or None for clusters. (The default is to perform.)

-a Execute command on all targets specified in the $FWDIR/conf/sys.conf file.

-c Execute command on all targets specified in conf file.

EXAMPLE

From an enterprise SmartCenter Server, run the following command to install a
Policy named "Standard" on remote-gateway object fwoslo:

fwm load Standard fwoslo

The following output appears:

for 'filter in less than a

Policy On:

on

CPMAD

on NGX R60

Standard.W: Security Policy into Standard.pf

Compiled OK.

Installing VPN-1/FireWall-1

VPN-1/FireWall-1 policy installed on fwoslo.

VPN-1/FireWall-1 policy

VPN-1/FireWall-1 policy

fwm dbload

fwm dbload installs the user database on a target Gateway or locally.

To install the user database on remote Gateway fwoslo, run:

fwm dbload fwoslo


To install the user database locally on the SmartCenter Server, run:

fwm dbload localhost

fwm logexport

The fwm logexport command exports a log file, by default the active log (fw.log),
to an ASCII format, so the file can be opened on other platforms, such as
WordPad or Excel. fwm logexport does not switch logs. If you run fwm logexport
on the current active log (fw.log), the fw.log file stays the same and logs are not
moved or purged. Details can be found by typing fwm logexport -h on the
command line.

USE

fwm logexport [-d delimiter] [-i filename] [-o filename] [-f|-t] [-x
start_pos] [-y end_pos] [-z] [-n] [-p] [-a] [-u unification_scheme_file] [-m
(initial | semi | raw)]

OPTIONS

Options Explanation

-d Set the output delimiter. Default is ;.

-i Input logfile name. Default is the active log file fw.log.

-o Output filename. Default is printing to the screen.

-f Only in case of active log file; upon reaching end of file, wait for new
records and export them.

-t Same as -f flag, only start at end of file.

-x Start exporting at the specified position.

-y End exporting at the specified position.

-z Continue exporting the next records, in case of an error. Default is to
stop exporting.

fwm lock_admin

OPTIONS

Option Explanation

-v View names of all locked Administrators.

-u Administrator Unlock a single Administrator.

-ua Unlock all locked Administrators.


Lab 7: Using fw ctl pstat

LAB 7: USING FW CTL PSTAT

Scenario: This lab focuses on generating a file on the Security Gateway
containing fw ctl pstat information, and interpreting some of the data.

Objective: Run the fw ctl pstat command.

Topics: The following topics are covered in this lab:

• Running the fw ctl pstat command
• Identifying information in the fw ctl pstat file

RUN FW CTL PSTAT

1. While logged in to the NGX Security Gateway in Expert Mode, run the
following:

[Expert@yourcity]# fw ctl pstat > pstat.txt

The fw command is the same for UNIX and Windows servers.

2. Allow the process to run to completion.


IDENTIFY INFORMATION IN FW CTL PSTAT

1. Use the less command to view the pstat.txt file, and identify the following
portions of the file:
— Amount of hash-kernel memory, used and available
— Number of packets inspected
— Number of fragments, and how many expired
Based on this output, is the Gateway overloaded or underused?
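As an added example (not the handbook's own), the following script extracts the items listed in step 1 from a saved pstat.txt and gives a usage verdict; the sample output is constructed from the figures shown earlier in this chapter, and the thresholds used for the verdict are my assumption.

```shell
#!/bin/sh
# Added example, not from the Check Point handbook: pull the figures the lab
# asks for out of a saved "fw ctl pstat" output (hash kernel memory use,
# failed allocations, packets inspected, expired fragments) and give a verdict.
# The sample is constructed from the numbers shown earlier in this chapter;
# the thresholds (any failed hmem allocation, or under 5% hmem unused) are my
# assumption, not a Check Point rule.

# Constructed sample, as saved with: fw ctl pstat > pstat.txt
PSTAT_SAMPLE='Hash kernel memory (hmem) statistics:
Total allocated: 3145728 bytes in 767 4KB blocks using 1 pool
Total bytes used: 3141632 unused: 4096 (1%) peak: 3141632
Total blocks used: 740 unused: 27 (4%)
Allocations: 4301 alloc, 129 failed alloc, 2219 free

Kernel memory (kmem) statistics:
Total memory bytes used: 3768249 peak: 3936541
Allocations: 1840 alloc, 0 failed alloc, 1533 free, 0 failed free

INSPECT:
33250 packets, 8233028 operations, 189240 lookups,
0 record, 2290321 extract

Fragments:
6 fragments, 3 packets, 0 expired, 0 short,
0 0 0 failures'

# Constructed sample of a lightly loaded Gateway, for comparison
PSTAT_HEALTHY='Hash kernel memory (hmem) statistics:
Total bytes used: 1048576 unused: 2097152 (66%) peak: 1100000
Allocations: 500 alloc, 0 failed alloc, 480 free

INSPECT:
1200 packets, 30000 operations, 900 lookups,

Fragments:
0 fragments, 0 packets, 0 expired, 0 short,'

# pstat_summary TEXT: print key=value lines for the metrics of interest.
pstat_summary() {
    printf '%s\n' "$1" | awk '
        /\(hmem\)/    { sect = "hmem"; next }
        /\(kmem\)/    { sect = "kmem"; next }
        /^INSPECT:/   { sect = "inspect"; next }
        /^Fragments:/ { sect = "frag"; next }
        sect == "hmem" && /^Total bytes used:/ {
            match($0, /\([0-9]+%\)/)              # the "(1%)" after "unused:"
            print "hmem_unused_pct=" substr($0, RSTART + 1, RLENGTH - 3)
        }
        (sect == "hmem" || sect == "kmem") && /^Allocations:/ {
            for (i = 2; i < NF; i++)
                if ($i == "failed" && $(i + 1) ~ /^alloc/) print sect "_failed_alloc=" $(i - 1)
        }
        sect == "inspect" && $2 ~ /^packets/ { print "packets=" $1 }
        sect == "frag" && /expired/ {
            for (i = 1; i < NF; i++) if ($(i + 1) ~ /^expired/) print "fragments_expired=" $i
        }'
}

# pstat_verdict TEXT: return 0 when hmem looks healthy, 1 when it is heavily
# used, so the function can drive a monitoring script.
pstat_verdict() {
    pct=$(pstat_summary "$1" | sed -n 's/^hmem_unused_pct=//p')
    failed=$(pstat_summary "$1" | sed -n 's/^hmem_failed_alloc=//p')
    if [ "${failed:-0}" -gt 0 ] || [ "${pct:-100}" -lt 5 ]; then
        echo "HEAVILY USED: hmem ${pct:-?}% unused, ${failed:-0} failed hmem allocations"
        return 1
    fi
    echo "OK: hmem ${pct:-?}% unused, ${failed:-0} failed hmem allocations"
}

pstat_summary "$PSTAT_SAMPLE"
pstat_verdict "$PSTAT_SAMPLE" || true     # non-zero here just means "heavily used"
pstat_verdict "$PSTAT_HEALTHY"
```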

Continue to next lab.

Lab 8: Using fw stat, fwm load, and fw unloadlocal

LAB 8: USING FW STAT, FWM LOAD, AND FW UNLOADLOCAL

Scenario: Policy status for a Gateway is regularly verified in SmartView
Tracker. The fw stat command is also useful to verify Policy status. In
circumstances where you cannot log in to SmartDashboard, fw unloadlocal can
be used to uninstall the Policy.

Objectives:

• Use fw stat to verify a Gateway Policy is installed.
• Use fw unloadlocal to uninstall the Policy.
• Use fwm load to install the Policy from the SmartCenter Server to the
Gateway.

Topics:

• Installing the Security Policy and verifying status with fw stat
• Uninstalling the Policy and verifying status with fw stat
• Running fwm load and fw stat to install and verify the Policy

INSTALL SECURITY POLICY AND VERIFY STATUS WITH FW STAT

1. From the SmartDashboard, install the Policy on the gateway object.
2. Log in to the Gateway via the console or SSH screen.
3. Run fw stat. The output looks similar to the following:

HOST       POLICY    DATE

localhost  Standard  10Apr2006 15:56:50 : [>eth1] [<eth1]

UNINSTALL POLICY AND VERIFY STATUS WITH FW STAT

1. Run fw unloadlocal from the command line.
2. Verify the status by running fw stat:

HOST       POLICY    DATE

localhost  -         - : >eth1 <eth1

RUN FWM LOAD AND FW STAT TO INSTALL AND VERIFY POLICY

1. Open the command line on the SmartCenter Server, and type the
following ...
fwm load Standard fwyourcity
... where "Standard" is the Policy name, and fwyourcity is the target
gateway object.
If you logged into the Gateway via an SSH session, your
session will terminate abruptly, as fwm load does not preserve
connections during a Policy install. Log in again and continue
with the lab.

2. Verify the Policy is installed successfully, by running fw stat on the
Gateway console or SSH session.

End of lab.

Review

REVIEW

• The fw tab command and its subcommands are used to directly access and
manipulate the state tables in the NGX kernel's virtual memory, the core of
Check Point Stateful Inspection technology.
• The fw ctl command and subcommands are used to view kernel information
from SmartCenter Servers or Security Gateways, and can also be used to
perform some kernel-level configuration changes and debugging.
• Other fw commands that provide more granular control over VPN-1 NGX
include:
fw sam — used to manipulate the SAM database
fw lichosts — displays the number of protected hosts behind a Gateway
fw log — used to view and manipulate active log files
fw repairlog — rebuilds .ptr files for corrupted log files
fw mergefiles — merges two switched (not active) log files into one
fw fetchlogs — used to retrieve log files from a remote Gateway
• fw advanced commands provide command-line methods for more direct
access to the NGX daemon, and for working with specific aspects of
VPN-1 NGX.
• fwm commands provide an alternate command-line method of performing
many SmartCenter Server tasks.

Review Questions

1. Which of the following fw tab commands will fetch connection information
in decimal format for all connections?

A.) fw tab -t connections -u
B.) fw tab -t connections
C.) fw tab -t connections -s
D.) fw tab -t connections -f


Review Answers

1. Which of the following fw tab commands will fetch connection information
in decimal format for all connections?

D.) fw tab -t connections -f

2. You are troubleshooting a NAT problem with a remote Gateway. Looking in
the fw monitor capture, it appears that the IP address is translating correctly,
but you do not see packets returning to the external interface. Which of the
following fw ctl commands would be useful in these circumstances?

D.) fw ctl arp

3. Which of the following switches used with the fwm logexport command will
export the active file into a comma-delimited file, without resolving IP
addresses?

D.) fwm logexport -d, -o output -n

CHAPTER 7: SECURITY SERVERS

NGX Security Servers inherit the folding process from previous versions of
VPN-1. The HTTP Security Server provides URL screening and content
checking (by incorporating CVP and UFP applications). Although more
functionality from Security Servers is being incorporated into the kernel with
each revision of VPN-1, troubleshooting specific Security Server processes can
still indicate causes of issues.

Objectives

1. Identify different stages in the folding process.
2. Troubleshoot Security Server issues.
3. Debug Security Servers.

Key Terms

Folding
fwssd

fwauthd.conf

The Folding Process

THE FOLDING PROCESS

Overview

When an NGX kernel matches a connection to a Security Server rule, the kernel
folds the connection to the relevant Security Server. Folding is how a Security
Server redirects packets. The Security Server opens a connection to the Server
to which the client tried to connect. The packet leaving the Security Server has
the source IP of the NGX Security Gateway. The outbound kernel translates the
source IP to the IP address of the client that originally opened the connection. If
the client is configured in the Rule Base for Hide or Static NAT, the source IP is
translated, as configured in the Rule Base.

If clients use the HTTP Security Server as a proxy, connections leave the
Gateway with the Gateway's IP address as the source IP. No Network Address
Translation (NAT) occurs.

TRANSPARENT CONNECTIONS

The default behavior of HTTP, FTP, and Telnet Security Server connections
has been changed to transparent in VPN-1 NGX. Only the SMTP Security
Server is still non-transparent by default. In other words, if no Hide or Static
NAT is involved, and if the client does not set the Gateway as the proxy, packets
leave the Gateway with the original client's IP address. The only exception is
the SMTP Security Server: the packet leaves the Gateway with the Gateway's IP
address as the source IP address, instead of the original client's IP address.

To change this behavior, modify the following properties from true to false in
$FWDIR/conf/objects_5_0.C:

http_transparent_server_connection

ftp_transparent_server_connection

rlogin_transparent_server_connection

telnet_transparent_server_connection


3. The packet's destination address is changed to the NIC address (so it will be
sent to the Security Server).
4. The connection table is updated with two new entries, which allows the
client following the packets to continue without examination:
<125.32.2.3,1234,180.3.42.3,80,TCP>
<125.32.2.3,1234,125.32.0.1,8832,TCP>

INBOUND AFTER KERNEL

The packet is <125.32.2.3,1234,125.32.0.1,8832,TCP>. The Security Server
listening on port 8832 accepts and examines the packet. After the examination
is done, the Security Server opens a new connection to the destination Server.
The new connection is recorded in the table PROXIED_CONNS, with new connection
properties (new port) and an expiration time of 60 seconds, which means the
Security Server must initiate the connection within that period.

The Security Server then sends the packet to its original destination using the
FWX_AUTH table.

OUTBOUND BEFORE KERNEL

The packet is <125.32.0.1,8832,180.3.42.3,80,TCP>. The Security Server
initiates a connection. The source address is the Security Server and not the
original client. The Server returns the packet, destination port, and address to
the Security Server. The Security Server checks the FWX_AUTH table and a flag
from the CONN_OXID table, to retranslate the client's address and destination port.

OUTBOUND AFTER KERNEL

The packet is <125.32.2.3,1234,180.3.42.3,80,TCP>, which is the original
connection.

Content-Security Rule Order

HTTP 1.0 and 1.1

The following table lists differences between HTTP 1.0 and HTTP 1.1. This
information can be useful when troubleshooting HTTP Security Server related
issues.

Feature: Connections
HTTP 1.0: Keep-alive was not used.
HTTP 1.1: Keep-alive is recommended.

Feature: Multiple requests per connection
HTTP 1.0: Allowed, but the client cannot send multiple requests; it must wait
for each response to return before submitting another request.
HTTP 1.1: Allowed; the client can send multiple requests, even before the first
response has returned. The Server has to return the responses in the same
order they were sent.

Feature: Data end
HTTP 1.0: Two ways: 1. Use the header-field content length. 2. Close the
connection when the response is done.
HTTP 1.1: Content length is obligatory.

Feature: Chunks
HTTP 1.0: Not available.
HTTP 1.1: Chunking was introduced to allow the Server to send responses with
variable length without closing the connection. (In HTTP 1.0, this was the
only way.)

Troubleshooting Security Server Issues

TROUBLESHOOTING SECURITY SERVER ISSUES

The following steps help troubleshoot performance problems with HTTP
Security Servers. The goal is to determine which object is responsible for the
performance issue (the HTTP Security Server, the CVP server, the machines
themselves, and so on), when, and why.

The following is a scenario where the HTTP Security Server is configured with
a CVP server on a loaded network:

Figure CP00332: HTTP Security Server in CVP Environment (Security Gateway with CVP server)


Reviewing CPU and Memory

There is not an executable file for each Security Server. Instead, each Security
Server links to the fwssd executable. Under Windows NT, for example, looking
at the Task Manager will not show the Security Server to which each process
belongs. To find out which process belongs to each Security Server, proceed as
follows:

• Look for the relevant Security Server's process identifier (PID) in the
$FWDIR/tmp directory. For example, the HTTP Security Server PID will be
written in the in.ahttpd.pid file.
• Once you know the PID number, look for the number on the Windows Task
Manager > Processes tab. On UNIX platforms, such as Solaris and
SecurePlatform, the process number is found in $FWDIR/tmp. The CPU and
memory use can be observed in real time by running the top command.

Editing fwauthd.conf

In some circumstances, adjusting the number of Security Servers spawned by
fwssd may help in troubleshooting performance issues. This is done by editing
the fwauthd.conf file. The fwauthd.conf file contains configuration information
for all child processes started by NGX daemons, not only fwssd. When working
with the fwauthd.conf file, ensure that you are only modifying entries relevant to
the Security Servers for FTP, HTTP, HTTPS, or Telnet. Some process
configurations (such as those for SMTP or clientless VPN) should not be
modified unless under direct instruction by Check Point Technical Support.
Take care to only modify the line relevant to the process you are
troubleshooting.

FWAUTHD.CONF EXAMPLE

A standard entry in fwauthd.conf looks like this:

# (port)  Parent Process  Child Process name  Wait  # (to be spawned)
80        fwssd           in.ahttpd           wait  -5

259       fwssd           in.aclientd         wait  259

Listing Possible Causes

SECURITY SERVERS

• A general Security Server issue
• A Security Server with a CVP/UFP resource issue
• CVP server
• Limitation of hash tables

CVP SERVERS

• Overloaded CPU
• Memory issue
• Possible known/unknown issue

Identifying Issue Sources

One of the best ways to understand where the issue lies is by eliminating
possibilities:

1. Change the rule so the HTTP resource is not used. Replace it with a
standard HTTP service. This way, HTTP connections are passed through
the kernel and not folded to the Security Server. If this solves the problem,
the problem is with the HTTP Security Server: Proceed with step 3. If it
does not solve the problem, proceed with step 2.
2. Change the rule to use the HTTP resource again, instead of the standard
HTTP service. Do not configure the resource with the CVP server. Under
this configuration if the problem does not exist, you know the issue is with
the interaction with the CVP server.
3. When the problem occurs, run the following:
• top (on UNIX) or Task Manager (on Windows)
Notice which process number is in charge for CPU and memory use.
Check $FWDIR/tmp to find the PID of the relevant Security Server process.

• lsof (on Solaris)
Run this command to check how many file descriptors are open:
lsof | grep <process name> | wc -l
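An added example (not Check Point's code) that performs the PID lookup, liveness check, and CPU/memory/file-descriptor review from the two procedures above on a Linux Gateway such as SecurePlatform; the helper names are my own, and the demonstration registers the shell's own PID in a scratch FWDIR so it runs offline.

```shell
#!/bin/sh
# Added example, not from the Check Point handbook: find a Security Server
# (a child of fwssd) through its PID file in $FWDIR/tmp, confirm that the
# process is really running, and report the three things the steps above tell
# you to look at: CPU, memory and open file descriptors. Assumes a Linux host
# such as SecurePlatform (/proc, ps); lsof is used only where /proc is absent.
# On a Gateway, FWDIR is already set in Expert Mode; the demo sets it itself.

# ss_pid NAME: print the PID from $FWDIR/tmp/NAME.pid if that process exists.
# The failure cases are the same ones that make "fw debug" report
# "Cannot find process id for (NAME)".
ss_pid() {
    pidfile="$FWDIR/tmp/$1.pid"
    [ -r "$pidfile" ] || { echo "$1: no PID file at $pidfile" >&2; return 1; }
    pid=$(tr -cd '0-9' < "$pidfile")
    [ -n "$pid" ] || { echo "$1: $pidfile holds no PID" >&2; return 1; }
    kill -0 "$pid" 2>/dev/null || { echo "$1: PID $pid from $pidfile is not running" >&2; return 1; }
    echo "$pid"
}

# ss_open_fds PID: number of open file descriptors (what "lsof | grep name | wc -l"
# approximates), read from /proc on Linux.
ss_open_fds() {
    if [ -d "/proc/$1/fd" ]; then
        ls "/proc/$1/fd" | wc -l | tr -d ' '
    else
        lsof -p "$1" 2>/dev/null | awk 'NR > 1' | wc -l | tr -d ' '
    fi
}

# ss_report NAME: one-line status for a Security Server such as in.ahttpd.
ss_report() {
    pid=$(ss_pid "$1") || return 1
    fds=$(ss_open_fds "$pid")
    stats=$(ps -o pcpu= -o pmem= -o rss= -p "$pid")     # %CPU %MEM RSS(KB)
    echo "$1 pid=$pid cpu%/mem%/rssKB=$(echo $stats | tr ' ' '/') open_fds=$fds"
}

# Constructed demonstration: a scratch FWDIR whose in.ahttpd.pid names this
# shell, so the check runs offline; in.aftpd has no PID file and is reported.
FWDIR=$(mktemp -d)
mkdir -p "$FWDIR/tmp"
echo $$ > "$FWDIR/tmp/in.ahttpd.pid"
ss_report in.ahttpd
ss_report in.aftpd || echo "(nothing to debug for in.aftpd until it is started)"
rm -r "$FWDIR"
```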

Debugging Security Servers

DEBUGGING SECURITY SERVERS

To debug a Security Server, the relevant process must be running. Before
starting the debug, verify that the process you wish to debug has a current PID
in the $FWDIR/tmp directory. If the process has no PID, the following error will
appear: "Cannot find process id for (in.aclientd)"

Check Point recommends debugging processes while they are running (on the
active process). In circumstances where the process is not starting correctly,
stop VPN-1 NGX, set the environment variables for debugging, and then restart
VPN-1 NGX.

TD_ERROR_ALL_ALL Flag

When configuring a debugging session, whether for a running process or setting
an environment variable for a restarted session, it is important to remember to
set the environment variables for that debugging session. While each Security
Server will have specific flags relevant to its functionality, all debugging will
require a TD_ERROR_*_* flag to be set.

The TD_ERROR_ALL_ALL flag (most often seen when configuring debugging as
set TD_ERROR_ALL_ALL=3) tells the process being debugged the level of
information to write to the output file (typically processname.elg).

The numeric value is a verbosity level between 1 and 5, where 1 is the
minimum amount of information to be written, with 5 being maximum
verbosity. Check Point recommends setting the verbosity level to 3 or 4, as this
will often provide enough information for troubleshooting an issue.

TD_ERROR_*_* is also used to configure specific debugging sequences, as shown
in the following sections. Each of the following sections lists the standard
commands for enabling debugging on running processes, sorted according to
the specific Security Server.

FTP Security Servers

To enable debugging on all platforms, run:

fw debug in.aftpd on | off FWAFTPD_DEBUG 3

Output is automatically redirected to $FWDIR/log/aftpd.elg.

REVIEW

• In VPN-1 NGX, the default behavior is for connections folded into a
Security Server (except an SMTP Security Server) to be transparent. With
transparent connections, the source IP address is untranslated (unless it is
translated by the kernel for other reasons, such as with NAT).
• Folding occurs when the NGX kernel updates the state tables associated with
a connection on which a Security Server acts.
• Resource rules do not replace standard rules for protocols. When adding a
resource rule to a Rule Base, the rule must be placed before any less-
restrictive rules that allow protocols, but after rules that reject protocols.
• Edit $FWDIR/conf/spsc/spsc.en_us to modify the default messages produced
by a Security Server.
• HTTP 1.0 and 1.1 behave differently, and must be dealt with for
troubleshooting accordingly.
• Each Security Server is an iteration of the fwssd process. Locate the PID of
the Security Server you are troubleshooting in the $FWDIR/tmp directory. Use
this number to find the process information in Task Manager on Windows, or
use the top command on UNIX and SecurePlatform.
• Creating a list of possible causes for an issue will help when troubleshooting
Security Server issues. The list can include, but is not limited to:
— Limitation of kernel tables.
— A loaded kernel blocking Security Servers.
— A CVP/UFP resource issue.
— CVP server saturation.
— Limitation of hash tables.
• Identifying the source of the issue will also help when troubleshooting
Security Server issues. Does the issue persist when the Security Server is
disabled? If using CVP, remove the CVP server from the Security Server
configuration and retest. Examine the relevant error-log files, get traffic
captures, and examine memory use.
• Analyzing the output from any of the sources listed will provide information
about the cause.

Review Questions

2. Which of the following tables is referenced in multiple stages of connection
folding through a Security Server?

A.) FWX_AUTH
B.) AUTH_SERVICES
C.) PROXIED_CONNS
D.) CONN_OXID

3. You are troubleshooting an issue involving a Security Server working in
CVP mode, with a content filtering OPSEC partner. It appears that this issue
is related to the browser's connection with the CVP server. Which of the
following debug commands will NOT be used to configure the debugging?

A.) fw debug in.ahttpd on TDERROR_ALL_s_to_c_read=3
B.) fw debug in.ahttpd on TDERROR_ALL_client_to_server_mgr=3
C.) fw debug in.ahttpd on TDERROR_ALL_cvp_to_server_mgr=3
D.) fw debug in.ahttpd on OPSEC_DEBUG_LEVEL=3
Review Answers

1. The default behavior for Security Servers in VPN-1 NGX is to leave the
source IP address of a connection untranslated. To which of the following
configurations will the source IP be translated by a Security Server?

C.) Virus scanning for SMTP servers

2. Which of the following tables is referenced in multiple stages of connection
folding through a Security Server?

A.) FWX_AUTH

3. You are troubleshooting an issue involving a Security Server working in
CVP mode, with a content filtering OPSEC partner. It appears that this issue
is related to the browser's connection with the CVP server. Which of the
following debug commands will NOT be used to configure the debugging?

D.) fw debug in.ahttpd on OPSEC_DEBUG_LEVEL=3
CHAPTER 8: VPN DEBUGGING TOOLS

IKE negotiation consists of two phases, Phase 1 (Main mode) and Phase 2
(Quick mode). The negotiation process in both modes can be observed in
ike.elg by an internal Check Point utility called IKEview. This chapter covers
guidelines for analyzing ike.elg, and instructions for collecting ike.elg and
vpnd.elg data. This chapter assumes a basic comprehension of encryption,
cryptography applications (algorithms and hash methods), and configuration of
site-to-site VPNs using either pre-shared secrets or Certificates.

Objectives

1. Identify and explain the two phases of the IKE negotiation process.
2. Use VPN debugging tools for common troubleshooting practices.
3. Use VPN log files and the vpn debug command to troubleshoot VPN
connections.
4. Use troubleshooting tables as general guidelines for troubleshooting VPN
issues.

Key Terms

• Phase 1 (Main mode)
• Phase 2 (Quick mode)
• ike.elg

IKE BASICS

Troubleshooting a VPN requires an understanding of the process of creating a
VPN tunnel. The following is a step-by-step process explaining the IKE
exchange.

Phase 1

Phase 1 (Main mode) negotiates the encryption method (i.e., DES, 3DES, etc.)
and the hash algorithm (SHA1 or MD5), and establishes a key to protect messages
of an exchange. The following describes the stages of the Phase 1 process:

1. Stage 1: Peers authenticate using Certificates or a pre-shared secret.
2. Stage 2:
— Each Security Gateway generates a private Diffie-Hellman (DH) key
from random-pool bits.
— From the private DH key, each peer derives a DH public key.
— The DH public keys are exchanged.
3. Stage 3:
— Each side generates a shared secret from its private key and its peer's
public key.
— The shared secret is the DH key.
4. Stage 4:
— The DH key protects the exchange of key material (random bits and other
mathematical data).
— Methods are agreed upon for encryption and integrity for Phase 2.
5. Each side generates a symmetric key, based on the DH key and the key material
exchanged between the sides.

EXAMPLE

The IKE exchange uses six packets for Phase 1 (Main mode) and three packets
for Phase 2 (Quick mode):

1. For Main mode packet 1, the initiator 172.24.104.1 proposes the following
information:
• Encryption algorithm: AES-CBC
• Key length: 256 bit
• Hash algorithm: SHA1
• Authentication method: pre-shared key

[Screenshot: IKEview, 172.24.104.1 > Main Mode (Wed Jan 4 2006 14:22:00) > MM packet 1 > Security Association > prop1 PROTO_ISAKMP, showing Encryption Algorithm: AES-CBC, Key Length: 256, Hash Algorithm: SHA1, Authentication Method: Pre-shared key, Group Description: Alternate 1024-bit MODP group, Life Type: Seconds, Life Duration: 86400]

Phase 1 Packet 1 — Peer Proposing AES-256/SHA1

2. Packet 2 is from the responder to agree on one encryption and hash
algorithm:

[Screenshot: IKEview, 172.24.104.1 > Main Mode > MM packet 2 (14:22:00) > Security Association > prop1 PROTO_ISAKMP > tran1, showing Encryption Algorithm: AES-CBC, Key Length: 256, Hash Algorithm: SHA1, Authentication Method: Pre-shared key, Group Description: Alternate 1024-bit MODP group, Life Type: Seconds, Life Duration: 86400]

Phase 1 Packet 2 — Agreeing to AES-256/SHA1

3. Packets 3 and 4 perform key exchanges and include a large number never
used before, called a nonce. A nonce is a set of random numbers sent to the
other party, signed and returned to prove the party's identity. These two
packets are not generally used in troubleshooting a key exchange with
IKEview.

[Screenshot: IKEview, 172.24.104.1 > Main Mode > MM packet 3 (14:22:00), showing the Header, Key Data (raw bytes), and Nonce payloads]

Phase 1 Packet 3

4. Packets 5 and 6 perform authentication between the peers of the tunnel. The
peer's IP address shows in the ID field under MM packet 5:

[Screenshot: IKEview, 172.24.104.1 > Main Mode > MM packet 5 (14:22:00) > ID, showing ID type: ID_IPV4_ADDR, Service type: Not specified (0), Service port: Not specified (0), ID Data: ac 16 66 01 (172.22.102.1)]

Phase 1 Packet 5

5. Packet 6 shows the peer has agreed to the proposal and has authenticated
the initiator:

[Screenshot: IKEview, 172.24.104.1 > Main Mode > MM packet 6 (14:22:00), showing Received from peer 172.24.104.1, PeerPort: 500, Peer Name: fwmadrid, and the Header, ID, and Hash payloads]

Phase 1 Packet 6

Phase 2

1. Packet 1 proposes either a subnet or host ID, an encryption and hash
algorithm, and ID data:

[Screenshot: IKEview, Quick Mode (Wed Jan 4 2006 09:51:06) > QM packet 1 (09:51:06) - (10.2.4.0 255.255.255.0) - (10.2.2.0 255.255.255.0), with Security Association > prop1 PROTO_IPSEC_ESP; QM packets 2 and 3 follow]

Phase 2 Packet 1

In the ID field, the initiator's VPN Domain configuration displays. In the
screenshot below, the VPN Domain for the initiator is the 10.2.4.0/24
network:

[Screenshot: IKEview, 172.22.102.1 > Quick Mode > QM packet 1 (09:51:06) - (10.2.4.0 255.255.255.0) - (10.2.2.0 255.255.255.0)]

Phase 2 Packet 1 — ID field_1


ID field_2 proposes the peer's VPN Domain configuration. In the
screenshot below, the VPN Domain for the peer gateway is the 10.2.2.0/24
network:

[Screenshot: IKEview, 172.22.102.1 > Quick Mode > QM packet 1 (09:51:06) > second ID payload, showing ID type: ID_IPV4_ADDR_SUBNET, Service type: Not specified (0), Service port: Not specified (0), ID Data: 0a 02 02 00 ff ff ff 00 (10.2.2.0 255.255.255.0); Security Association > prop1 PROTO_IPSEC_ESP > tran1 ESP_AES; Nonce]

Phase 2 Packet 1 — ID field_2

3. Packet 2 from the responder agrees to its own subnet or host ID, and
encryption and hash algorithm:

[Screenshot: IKEview, 172.22.102.1 > Quick Mode > QM packet 2 (09:51:06) - (10.2.4.0 255.255.255.0) - (10.2.2.0 255.255.255.0), showing Peer Name: fwoslo, Received from peer 172.22.102.1, Security Association > prop1 PROTO_IPSEC_ESP > tran1 ESP_AES, Nonce]

Phase 2 Packet 2

4. Packet 3 completes the IKE negotiation:

[Screenshot: IKEview, 172.22.102.1 > Quick Mode > QM packet 3 (09:51:06), showing Sent to peer 172.22.102.1 and the Header and Hash payloads]

Phase 2 Packet 3

Q.) You have a site-to-site VPN between two Check Point NGX
Gateways. They are managed by their own SmartCenter Servers.
You see a lot of IKE Phase 1 failures in SmartView Tracker. You
run IKE debug on one Gateway and find out only one packet in
Main mode is transferred. There is no packet in Main mode after
packet 1. What is the next step to check the VPN configuration
that might have caused this problem?

A.) Check VPN settings (including Encryption Algorithm, key
length, Hash method) in the Community object. Make sure Phase
1 settings are identical on both sides. Also check Phase 1 settings
in the Advanced settings in the Community object, such as group
1 or group 2, aggressive mode, etc. They must be defined
identically on both sides.

Q.) You are configuring a site-to-site VPN from a Check Point
NGX Gateway to a Cisco device. You see that traffic initiated
from the VPN Domain inside the NGX Gateway is dropped with
the error "Packet is dropped as there is no valid SA". The Cisco
side is sending "Delete SA" to the NGX Gateway. The IKE
debug indicates a Phase 2 (Quick mode) failure. What is causing
the misconfiguration?

A.) A Quick mode failure usually indicates the VPN Domain is
not configured exactly the same for one or both peers. For
example, if the NGX Gateway's VPN Domain is a Class B
network, but the same network is defined with a Class C subnet
mask on the Cisco VPN configuration, then this type of error
occurs.
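The following is an added worked example (not Check Point code) for the Phase 1/Phase 2 walkthrough and the two questions above: it decodes the ID Data bytes IKEview displays and compares what two peers would propose, reporting the mismatches that show up as "No proposal chosen" after Main mode packet 1 and as a Quick mode failure. All peer values are constructed from the chapter's screenshots and Q&A, and the function names are this example's own.

```python
"""Added example, not Check Point code: compare the Phase 1 and Phase 2 values
two peers would show in IKEview (Main mode packets 1/2, Quick mode packet 1)
and report the mismatches behind "No proposal chosen" and "Invalid ID".
Peer data below is constructed from the chapter's screenshots and Q&A; the
function names are this example's own."""
import ipaddress
from typing import Dict, List, Tuple

# Phase 1 (Main mode) attributes carried in the KEY_IKE transform.
PHASE1_FIELDS = ("encryption", "key_length", "hash", "auth_method",
                 "dh_group", "life_type", "life_duration")

Domain = ipaddress.IPv4Network
# (ID_1, ID_2) as a side would send them in Quick mode packet 1:
# ID_1 = its own VPN Domain, ID_2 = the peer's VPN Domain as configured locally.
Phase2View = Tuple[Domain, Domain]


def decode_id_payload(id_type: str, id_data_hex: str) -> Domain:
    """Decode the 'ID Data' bytes IKEview shows for an ID payload.

    ID_IPV4_ADDR_SUBNET is 4 address bytes followed by 4 netmask bytes,
    e.g. '0a 02 02 00 ff ff ff 00' -> 10.2.2.0/24 (as in the Phase 2 packet 1
    screenshot); ID_IPV4_ADDR is a single host address (Main mode packet 5)."""
    raw = bytes.fromhex(id_data_hex.replace(" ", ""))
    if id_type == "ID_IPV4_ADDR":
        if len(raw) != 4:
            raise ValueError("ID_IPV4_ADDR needs 4 bytes, got %d" % len(raw))
        return ipaddress.IPv4Network((raw, 32))
    if id_type == "ID_IPV4_ADDR_SUBNET":
        if len(raw) != 8:
            raise ValueError("ID_IPV4_ADDR_SUBNET needs 8 bytes, got %d" % len(raw))
        mask = str(ipaddress.IPv4Address(raw[4:]))
        # strict=True: an address with host bits set under its own mask is
        # itself a broken VPN Domain definition, so refuse it loudly.
        return ipaddress.IPv4Network((raw[:4], mask), strict=True)
    raise ValueError("unsupported ID type: " + id_type)


def check_phase1(local: Dict[str, object], peer: Dict[str, object]) -> List[str]:
    """Main mode only succeeds if every Phase 1 attribute matches; anything
    else shows up as 'No proposal chosen' with no MM packet 2 in ike.elg."""
    return ["Phase 1 %s mismatch: local=%r peer=%r" % (f, local.get(f), peer.get(f))
            for f in PHASE1_FIELDS if local.get(f) != peer.get(f)]


def check_phase2(local: Phase2View, peer: Phase2View) -> List[str]:
    """Quick mode needs the two views to be mirror images, netmask included:
    my ID_1 must equal the peer's ID_2 and my ID_2 the peer's ID_1."""
    problems = []
    if local[0] != peer[1]:
        problems.append("Invalid ID: my VPN Domain is %s but the peer expects %s"
                        % (local[0], peer[1]))
    if local[1] != peer[0]:
        problems.append("Invalid ID: I expect the peer's VPN Domain to be %s but "
                        "it is %s" % (local[1], peer[0]))
    return problems


# --- constructed sample data (from the chapter's screenshots and Q&A) ------

# MM packet 1 proposal from 172.24.104.1 (Phase 1 Packet 1 screenshot).
MADRID_P1 = {"encryption": "AES-CBC", "key_length": 256, "hash": "SHA1",
             "auth_method": "Pre-shared key",
             "dh_group": "Alternate 1024-bit MODP group",  # DH group 2
             "life_type": "Seconds", "life_duration": 86400}
# The first Q&A's case: Advanced Settings on the other side select group 1.
OSLO_P1_GROUP1 = dict(MADRID_P1, dh_group="Default 768-bit MODP group")

# VPN Domains as IKEview prints the ID Data bytes (Phase 2 Packet 1 screenshots).
MADRID_DOMAIN = decode_id_payload("ID_IPV4_ADDR_SUBNET", "0a 02 04 00 ff ff ff 00")
OSLO_DOMAIN = decode_id_payload("ID_IPV4_ADDR_SUBNET", "0a 02 02 00 ff ff ff 00")


def reciprocal_domains() -> List[str]:
    """Both peers agree on both VPN Domains: no Quick mode problems."""
    return check_phase2((MADRID_DOMAIN, OSLO_DOMAIN), (OSLO_DOMAIN, MADRID_DOMAIN))


def class_b_vs_class_c() -> List[str]:
    """The second Q&A's case: the NGX side's VPN Domain is a Class B network,
    the Cisco side defines the same network with a Class C mask (the Cisco
    side's own network is constructed as OSLO_DOMAIN here)."""
    ngx_domain = ipaddress.IPv4Network("10.2.0.0/16")
    cisco_view_of_ngx = ipaddress.IPv4Network("10.2.0.0/24")
    return check_phase2((ngx_domain, OSLO_DOMAIN), (OSLO_DOMAIN, cisco_view_of_ngx))


if __name__ == "__main__":
    findings = (check_phase1(MADRID_P1, OSLO_P1_GROUP1)
                + reciprocal_domains() + class_b_vs_class_c())
    for line in findings:
        print(line)
```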

TROUBLESHOOTING OVERVIEW

VPN DEBUGGING TOOLS

VPN Log Files

The ike.elg and vpnd.elg files contain information about the negotiation
process for IKE encryption. VPN debug logging is enabled using the
vpn debug on command. The output of the debugging commands writes to two
different locations, depending on what is being debugged:

• IKE debugging is written to $FWDIR/log/ike.elg.
• VPN debugging is written to $FWDIR/log/vpnd.elg.

vpn debug on [debug topic]=[debug level] sets the specified TDERROR topic to the
specified level, without affecting any other debug settings. This may be used to
turn specific topics on or off.

vpn debug on TDERROR_ALL_ALL=1,2,3,4,5 turns on default VPN debugging, i.e.,
all TDERROR output and default VPN topics, without affecting any other debug
settings.

In previous versions of VPN-1, Check Point recommended setting the
environment variables to enable VPN debugging. As of VPN-1 NGX, vpn debug
on is the preferred method. Setting the environment variables is recommended
as a method for debugging only if there is a VPN tunnel failure.

vpn debug Command

vpn debug contains multiple utilities for troubleshooting VPN issues. The
following lists all options for the command:

vpn debug < on [ DEBUG_TOPIC=level ] | off | ikeon [ -s size (Mb) ] | ikeoff |
trunc | truncon | truncoff | timeon [ SECONDS ] | timeoff | ikefail
[ -s size (Mb) ] | mon | moff >

Option Explanation

vpn drv < on | off | stat > Setting vpn drv to off will tear down all ...
be used with this command. When vpn drv is set to on, all VPN tunnels are ...

vpn ver [-k] Displays VPN version

vpn accel < on | off | stat [-l] > ... Card

vpn compreset ...

vpn export_p12 ...

VPN DEBUG ON | OFF

vpn debug on - Turn on vpn debug, and write the output to vpnd.elg.

vpn debug off - Disable vpn debug.

VPN DEBUG IKEON | IKEOFF

vpn debug ikeon - Turn on ike debug and write the output to ike.elg.

vpn debug ikeoff - Disable ike debug.


VPN TU

vpn tu is short for vpn tunnelutil, and is useful for deleting specific IPSec or
IKE SAs to a specific peer or user without interrupting other VPN activities.
The vpn tu command displays these options:

[Screenshot: vpn tu Options]

VPN DEBUG TRUNC

When the vpn debug on command runs, the output is written to the
$FWDIR/log/vpnd.elg file by default. vpn debug trunc empties vpnd.elg and
ike.elg, creates a time stamp, and starts vpnd.elg and ike.elg.

VPN ENVIRONMENT VARIABLES

Setting environment variables to enable logging should only be performed in
circumstances where VPNs are failing. The following are the commands to
enable the variables:

WINDOWS

set VPN_DEBUG=1

UNIX

set VPN_DEBUG 1

Comparing SAs

The following is a quick process to verify that you and a potential VPN partner
are configured correctly:

1. Enable VPN debugging on both your and your partner's sites with
vpn debug on.
2. Use vpn tunnelutil (vpn tu) to remove all SAs for either the peer with
which you are about to create the tunnel, or all tunnels.
3. Have your peer initiate the tunnel from its site to yours.
4. Use vpn tunnelutil (vpn tu) again to remove all SAs for either that peer
or all tunnels.
5. Initiate the tunnel from your site to your peer.
6. Disable debugging on both sites.
7. Examine ike.elg and vpnd.elg, as they will now contain records of the SA
sent by your NGX installation, as well as what was received from your
partner site.

TROUBLESHOOTING TABLES

The tables in this section present a general guideline for troubleshooting VPN
related issues:

When troubleshooting ... / ... Use these tools

Connectivity issues:
• Ports
• Environment path
• Routing
Tools:
• Logs (SmartView Tracker, *.elg)
• Ping test
• fw monitor capture of traffic
• ike debug
• netstat -na
• SmartView Monitor VPN information

Points-of-failure issues:
• Interesting traffic
• Tunnel test
• Routing to tunnel (for OSPF or overlapping VPN Domains)
• Phases of IKE
• IKE specific packets
• Authentication (pre-shared secret, Certificate CRLs and time-zone
differences)
Tools:
• Logs (SmartView Tracker, *.elg)
• ike debug
• Peer's logs and debugs
• fw monitor capture of traffic
• vpn debug
• kernel drop + vpn debug

Configuration issues:
• Gateway main IP
• VPN Domain
• Encryption details
• Rules
• VPN Community
• Network Address Translation
Tools:
• Logs (SmartView Tracker, *.elg)
• SmartView Monitor VPN information
• SmartDashboard
• Global Properties

ENCRYPTION-TROUBLESHOOTING FLOW

The following table provides a model of troubleshooting encryption at a more
granular level. Specifically, this table lists issues and error messages that may
occur during the VPN tunnel building process. This table is not meant as a
model of how a tunnel is created, but is more of a guideline for examining
issues that would arise during that process.

If this issue arises ... / ... Check these tools for information and possible causes

Pre-IKE decisions:
• Interesting traffic is received.
• VPN-1 NGX determines how and where to send the traffic.
Factors to determine if traffic is to be encrypted or not:
• VPN Domains (overlapping or not?)
• MEP configuration parameters
• Peer selection
• Link selection (which peer IP?)
Tools:
• Examine SmartView Tracker for negotiation messages.
• vpnd.elg may contain information about setup failures or VPN Domain
misconfigurations.
• Use fw monitor to examine the traffic for packet-level information
about configuration details.

IKE packet level:
• VPN-1 NGX determines that this traffic will be encrypted.
Issues may arise from:
• Ports open.
• Routing configuration.
• Source address of the VPN traffic.
• The Security Policy.
• Cluster configurations.
Tools:
• Examine SmartView Tracker for peer information.
• vpnd.elg will not have much useful information.
• ike.elg may contain information about starting the IKE negotiation
process.
• fw monitor will show Gateway traffic, which is especially useful in
determining if traffic is to or from a VPN Domain.

IKE Phase 1 negotiation:
• The peer has been contacted; beginning to build the tunnel.
Issues/errors seen:
• No proposal chosen
• Invalid ID
• Invalid Certificate
• Payload malformed
Tools:
• Examine SmartView Tracker for IKE Phase 1 messages.
• ike.elg will contain critical information for troubleshooting these
issues.
• vpnd.elg may be helpful, but not as informative as ike.elg.
• Verify that the CRL retrieval port (TCP 18264) is available.
• Verify pre-shared secrets.

IKE Phase 2 negotiation:
• Still building the tunnel.
Issues/errors seen:
• No proposal chosen
• Invalid ID
Tools:
• Examine SmartView Tracker for IKE Phase 2 messages.
• ike.elg will contain critical information for troubleshooting.
• Verify that the subnet, host address, and VPN Domain are configured
correctly.
• ... max_subnet_for_range.

ESP packet flow:
• The IKE exchange was successful, and encrypted traffic is going to be
exchanged.
Issues/errors seen:
• Outbound traffic: "No valid SA for Peer", "Encryption Failure"
• Inbound traffic: "Invalid SPI"
• Encryption is OK, but there is no ... packet for ...
Tools:
• ike.elg and vpnd.elg will contain information regarding SAs and SPIs.
• Run fw monitor to verify routing to and from the Gateway.
• Verify routing, SAs, and SPIs for the partner's configuration, especially in
cases of cleartext traffic.
• Check implicit rules in SmartDashboard.

Q.) ... the other VPNs. How do you do this?

A.) Run vpn tu from the NGX Gateway ... all IPSec and IKE SAs for a given
Peer (GW).

LAB 9: RUNNING IKE DEBUGGING ON A SITE-TO-SITE VPN

Scenario: In a site-to-site VPN between two cities using pre-shared secrets, run
ike debug on both Gateways, and analyze the output using IKEview. Transfer
ike.elg from the Gateway to the internal Web server (www.yourcity.cp) where
IKEview is installed. Each city site is a distributed environment, where the city
Gateway is managed by its own SmartCenter Server.

Objectives:

• Configure a site-to-site VPN using pre-shared secrets between two
Gateways.
• Run vpn debug ikeon on the Gateway, using the Command Line Interface.
• Analyze ike.elg using IKEview.

Topics:

• Configuring the site-to-site VPN using pre-shared secrets and VPN
Communities
• Running the vpn debug ikeon command
• Running the vpn debug ikeoff command
• Using IKEview


11. Enter the partner city's internal network object for the VPN Domain setting:

[Screenshot: Externally Managed Check Point Gateway > Topology: eth0 172.24.104.1 / 255.255.0.0 (External); eth1 10.2.4.1 / 255.255.255.0 (This Network); eth2 192.168.22.104 / 255.255.255.0 (This Network). VPN Domain: Manually defined, Net_Madrid]

Partner-City Gateway's VPN Domain

12. Click OK to exit the gateway object.

CONFIGURE VPN COMMUNITY FOR SITE-TO-SITE VPN

1. In the VPN manager, open the default meshed-community object.
2. Add your and your partner city's gateway object to the Participant
Gateways.

3. Make sure VPN settings are defined as follows:

[Screenshot: VPN Properties. IKE (Phase 1) Properties: Perform key exchange encryption with: AES-256; Perform data integrity with: SHA1. IPsec (Phase 2) Properties: Perform IPsec data encryption with: ...; Perform data integrity with: ...]

VPN Properties Screen

4. Open the Shared Secret screen (under Advanced Settings), and check the
box Use only Shared Secret for all External members.

5. Enter the shared secret (abc123) for your partner city's gateway object:

[Screenshot: Shared Secret. Use only Shared Secret for all External members: checked. Each External member will have the following secret with all internal members in this community. Peer Name: fwoslo]

Shared Secret Screen

6. Select Advanced VPN Properties; make sure settings are defined as
follows:

[Screenshot: Advanced VPN Properties. IKE (Phase 1): Use Diffie-Hellman group: ...; Renegotiate IKE security associations every 1440 minutes; Use aggressive mode. IPsec (Phase 2): Use Perfect Forward Secrecy; Renegotiate IPsec security associations every 3600 seconds; Support IP compression. Disable NAT inside the VPN community. Reset All VPN Properties]

Advanced VPN Properties Screen

7. Click OK.

CONFIGURE LOCAL GATEWAY OBJECT AND RULE BASE

1. Verify that the network object for your city site's internal network
(for example, net_oslo for the fwoslo gateway) is selected as the VPN
Domain in the Topology screen of your city's gateway object.
2. Click OK.

ENABLE IKE DEBUG

1. Log in to your city's Gateway via SSH, or locally via the console.
2. Change to Expert Mode and run the command cd $FWDIR/log to change to
the $FWDIR/log directory.
3. Run less ike.elg, to view the contents of ike.elg.
4. Run vpn debug trunc, to clear ike.elg.
5. Run less ike.elg. The file should display:

IKE logging started.

6. Run vpn debug ikeon to enable ike debug.
7. In SmartDashboard, add a rule like the following to your Rule Base after
the Stealth Rule:

1 | Any | Any | MyIntranet | Any | accept | Log

VPN Rule

8. Install the Security Policy.
9. Initiate Ping, and connect via HTTP to the internal Web server on your
partner's city site.
10. From your Gateway's console, run the command to disable ike debug:
vpn debug ikeoff

11. Transfer ike.elg to your Web server, where the IKEview utility is installed.

ANALYZE IKE.ELG IN IKEVIEW

1. Open IKEview on the desktop of the internal Web server
(www.yourcity.cp).
2. Select the ike.elg file you just transferred from the Gateway.
3. Review the total packets in Main and Quick mode.

4. Open Main mode packet 1 > Security Association > prop1
PROTO_ISAKMP > tran1 KEY_IKE. Verify that the encryption algorithm and
hash method match the Phase 1 configuration in the mesh-community
object's VPN properties and Advanced VPN settings.
5. In the KEY_IKE section, verify that the authentication method, group
description, life type, and life duration match the Phase 2 configuration in
the mesh-community object's VPN properties and Advanced VPN settings.
6. In Quick mode packet 1, first ID field, verify that the IP address and
netmask in the ID data section in the right pane match the local network
object in your city site. The network object should be entered as the VPN
Domain in your gateway object's Topology screen.
7. In Quick mode packet 1, second ID field, verify that the IP address and
netmask in the ID data section in the right pane match the VPN Domain
settings you defined for your partner-city Gateway. For example, as shown
below, the peer's VPN Domain is 10.2.4.0, with subnet mask
255.255.255.0. This configuration should be reciprocal on the peer's side.

[Screenshot: IKEview, 172.24.104.1 > Main Mode (Tue Apr 11 2006 13:58:46) with MM packets 1 to 6 (Security Association > prop1 PROTO_ISAKMP > tran1 KEY_IKE, Vendor ID), then Quick Mode > QM packet 1 (13:58:46) - (10.2.2.0 255.255.255.0) - (10.2.4.0 255.255.255.0) > ID, showing ID type: ID_IPV4_ADDR_SUBNET, Service type: Not specified (0), Service port: Not specified (0)]

Quick Mode Packet 1 — ID_2 Field

REVIEW

• IKE negotiation consists of two modes, Phase 1 (Main mode) and Phase 2
(Quick mode).
• When troubleshooting IKE VPN issues, the first step is to verify in SmartView
Tracker that IKE packets are arriving at the VPN Gateway.
• If no packets are listed in SmartView Tracker, use fw monitor to verify
whether VPN traffic is arriving at the Gateway.
• Use vpn debug ikeon to run debugs on a VPN tunnel. Examine the ike.elg
file for the captured debugging information.
• vpn tu (the VPN tunnel utility) can be used to reset IKE SAs when testing a
tunnel.
• IKE Phase 1 consists of six packets, where the encryption and hash method
are negotiated, and the first DH key is determined.
• IKE Phase 2 consists of three packets, where the IPSec SAs are negotiated, the
shared secret for exchanging the security algorithm is determined, and a
second DH key is determined.
• ike.elg and vpnd.elg are the VPN log files.
• The vpn command has many subcommands that can be used to troubleshoot
VPN related issues.

Review Questions

1. A VPN between your site and a partner is failing. Looking in SmartView
Tracker, you see IKE packets are being received by your Gateway, but
negotiations are failing in Phase 1. You run vpn debug, which shows that
there are no packets after packet 5 from your machine. Which of the
following is a possible cause of the failure?

A.) The Certificate being used for authentication is invalid.
B.) The shared secret being used for authentication is incorrect.
C.) Given the amount of information, A or B could be correct.

... mask.
Review Answers

1. A VPN between your site and a partner is failing. Looking in SmartView
Tracker, you see IKE packets are being received by your gateway, but
negotiations are failing in Phase 1. You run vpn debug, which shows that there
are no packets after packet 5 from your machine. Which of the following is a
possible cause of the failure?

C.) Given the amount of information, A or B could be correct.

2. The Quick mode packet 1 error "No Proposal Chosen" can be caused by all
of the following, except?

D.) The peer is using a different encryption algorithm.

291
Aquaforest TIFF Junction Evaluation

CHAPTER 9: TROUBLESHOOTING AND DEBUGGING SECUREMOTE/SECURECLIENT

As an aid for troubleshooting and debugging, the process of site-topology download and tunnel setup, and the various stages of connection flows between a Gateway and VPN-1 SecureClient, can be identified. The traffic can be captured at a lower level than what is observable in logs, using the ike debug, sr_service debug, and srfw monitor commands.

Objectives

1. Identify necessary ports and their functions when VPN-1 SecuRemote/SecureClient connects to sites.
2. Identify packet flows during SecuRemote/SecureClient connection stages.
3. Use srfw monitor to capture traffic on SecureClient, and fw monitor on a Security Gateway.
4. Use ike debug to capture ike.elg data.
5. Analyze ike.elg in IKEview.

Key Terms

• sr_service

• srfw monitor

• srfw ctl debug

• sc debug on

• sc log

NECESSARY PORTS

The following table lists ports used by VPN-1 SecuRemote/SecureClient, as seen on the network. These ports must be open on the NGX Gateway to which SecureClient is connecting, and also open on intermediate devices, if any.

If control connections are enabled in the Security Policy's Global Properties, all of the following ports are opened automatically, except UDP 2746. If you do not have control connections enabled in Global Properties, these ports will need to be specified in the Rule Base.

Port             Purpose
TCP 264          Topology download
UDP 259          RDP (necessary only for MEP resolving and dynamic interface resolving)
UDP 500          IKE
TCP 500          IKE over TCP (if this option is set)
TCP 18231        Policy Server login (seen on the network using SSL if SecureClient has an IP address in the VPN Domain; not necessary to open this port if SecureClient is not in the VPN Domain)
IP protocol 50   ESP (the actual encrypted data; not necessary to allow this if using UDP encapsulation)
UDP 2746         UDP encapsulation (encapsulates protocol 50 ESP packets)

In Visitor Mode, only port 80 is open, or port 443 when traffic is tunnelled.

The following ports are used inside the tunnel:

Port             Purpose
UDP 18234        Tunnel test
TCP 18231        Policy Server login (if the SecureClient IP address is not in the VPN Domain)
UDP 18233        SCV update
PACKET FLOW

LINK SELECTION FOR REMOTE ACCESS

Overview

In VPN-1/FireWall-1 4.0 and 4.1, the IP address on the General tab of a firewalled gateway object is considered the "main" IP. SecuRemote/SecureClient learns the main IP from the userc.C file, when it is downloaded from the site. SecuRemote/SecureClient always sends IKE and subsequent packets to the main IP. Check Point recommends using the external IP address in the General tab.

In some cases, the internal or private IP address needs to be the main IP, for example, because of control-connection or routing issues. Sometimes the firewall does not have a public IP address, because it is behind a NAT device, and SecuRemote/SecureClient traffic must enter from a DMZ or internal WAN interface. In these situations, SecuRemote/SecureClient must address packets to the firewall's internal interfaces, so the need for interface resolving arises.

STATIC-INTERFACE RESOLVING

IP address ranges are calculated for each firewall interface in the Topology screen (including this network and any groups defined). These allowed interface ranges are downloaded to userc.C when creating or updating a site. SecuRemote/SecureClient chooses the range to which its own physical IP belongs, then attempts to connect to the corresponding interface. Static-interface resolving is controlled by the property :resolve_interface_ranges in objects.C (VPN-1/FireWall-1 4.1) or objects_5_0.C (VPN-1/FireWall-1 NG and above), and is on by default. The disadvantages of static-interface resolving are as follows:

• SecureClient may choose the wrong interfaces, if the Gateway has multiple
external interfaces.
• SecureClient may choose the wrong interface, because its own physical IP
(behind NAT) fits into the wrong allowed interface range.
• Static-interface resolving does not accommodate firewalls that are statically
translated behind an Internet router.
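To make the static-interface-resolving decision concrete, here is an added example (not from the handbook and not Check Point's client code) that parses a constructed userc.C fragment in the :allowed_interface_ranges notation and picks the interface whose range contains the client's own address. It assumes that when several ranges match, the narrowest one wins, and it reproduces the wrong-interface case described in the second bullet above.

```python
import ipaddress
import re

# Constructed userc.C fragment in the set-file notation the handbook shows (not a
# real download): the external interface carries the catch-all range, the internal
# interface's allowed range is its own network.
SAMPLE_USERC = """
:allowed_interface_ranges (
    : (172.22.102.1
        :allowed_range (
            : (
                :type (machines_range)
                :ipaddr_first (0.0.0.0)
                :ipaddr_last (255.255.255.255)
            )
        )
        :is_ext (true)
        :is_natted (false)
    )
    : (10.2.2.1
        :allowed_range (
            : (
                :type (machines_range)
                :ipaddr_first (10.2.2.0)
                :ipaddr_last (10.2.2.255)
            )
        )
        :is_ext (false)
        :is_natted (false)
    )
)
:resolve_interface_ranges (true)
"""

# Tokens: '(', ')', ':name' (a bare ':' is an unnamed entry), or an atom.
_TOKEN = re.compile(r"\(|\)|:[A-Za-z0-9_]*|[^\s():]+")


def parse_set_file(text):
    """Parse ':name (value children...)' notation into (name, value, children) tuples."""
    toks = _TOKEN.findall(text)
    pos = 0

    def node():
        nonlocal pos
        name = toks[pos][1:]               # strip the leading ':'
        pos += 1
        if toks[pos] != "(":
            raise ValueError("expected '(' after :%s" % name)
        pos += 1
        value, children = None, []
        while toks[pos] != ")":
            if toks[pos].startswith(":"):
                children.append(node())
            else:                          # bare atom, e.g. an interface IP or 'true'
                value = toks[pos]
                pos += 1
        pos += 1                           # consume ')'
        return name, value, children

    items = []
    while pos < len(toks):
        items.append(node())
    return items


def interface_ranges(userc_text):
    """[(interface_ip, first_ip, last_ip, is_external)] in file order, or [] when
    :resolve_interface_ranges is not (true), i.e. static resolving is off."""
    top = {name: (value, kids) for name, value, kids in parse_set_file(userc_text)}
    if top.get("resolve_interface_ranges", (None, None))[0] != "true":
        return []
    result = []
    for _, if_ip, props in top["allowed_interface_ranges"][1]:
        flags = {n: v for n, v, _ in props}
        for n, _, ranges in props:
            if n != "allowed_range":
                continue
            for _, _, fields in ranges:
                r = {k: v for k, v, _ in fields}
                result.append((if_ip,
                               ipaddress.ip_address(r["ipaddr_first"]),
                               ipaddress.ip_address(r["ipaddr_last"]),
                               flags.get("is_ext") == "true"))
    return result


def resolve_interface(userc_text, client_ip):
    """Static interface resolving: choose the interface whose allowed range contains
    the client's own physical IP. Assumption (not from the handbook): when several
    ranges match, the narrowest wins, so the catch-all external range is the fallback."""
    ip = ipaddress.ip_address(client_ip)
    best = None
    for if_ip, first, last, _ in interface_ranges(userc_text):
        if first <= ip <= last:
            width = int(last) - int(first)
            if best is None or width < best[0]:
                best = (width, if_ip)
    return best[1] if best else None
```

A client on the Internet (say 198.51.100.7) resolves to 172.22.102.1, but a client whose own address is 10.2.2.50 behind a NAT device at another site resolves to the internal interface 10.2.2.1, which it cannot reach: the wrong-interface case listed above.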

Link-Selection Methods in VPN-1 NGX

In VPN-1 NGX, all of the above link-selection methods can be configured on the Gateway object > VPN > Link Selection screen. The settings on this screen apply to both peer-to-peer and client-to-site VPNs:

[Screenshot: Link Selection screen. IP Selection by Remote Peer: "Locally managed VPN peers will determine this gateway's IP address using one of the following methods": Always use this IP address (Main address / Selected address from topology table / Statically NATed IP), Calculate IP based on network topology, Use DNS resolving, Use a probing method. Outgoing Route Selection: "When initiating a tunnel the outgoing interface will be selected by the operating system." Source IP address settings. Tracking: Outgoing link tracking: None.]

Link Selection Screen

GATEWAY WITH SINGLE EXTERNAL INTERFACE

The simplest scenario is when an NGX Gateway has only one external IP address. There are three possible ways to configure this on the gateway object's VPN > Link Selection screen:

1. Main address: The IP address on the General screen will be used for SecuRemote/SecureClient to connect. When the main IP is selected as the link-selection method, the ip_resolution_mechanism property will have the main IP as the value in objects_5_0.C under the gateway-object section, as shown below:

[Screenshot: objects_5_0.C opened in a text editor at the gateway-object section, showing the object's VPN properties, including ip_resolution_mechanism with the main-IP value.]

ip_resolution_mechanism in objects_5_0.C

When a SecuRemote/SecureClient downloads a site, it downloads userc.C. In the userc.C file, the :allowed_interface_ranges property will show the main IP address specified in the gateway object:

   :allowed_interface_ranges (
      : (172.22.102.1
         :allowed_range (
            : (
               :type (machines_range)
               :ipaddr_first (0.0.0.0)
               :ipaddr_last (255.255.255.255)
            )
         )
         :is_ext (true)
         :is_natted (false)
      )
   )
   :resolve_interface_ranges (true)
   :peers ()
   :gw_support_nat_t (true)

allowed_interface_ranges in userc.C

2. Selected address from the topology table: You can specify an IP address from the Topology screen. SecuRemote/SecureClient will try to connect to that IP as long as routing allows. After connecting, all VPN traffic to the VPN Domain is sent through this specific interface. When a specific IP address is selected as the link-selection method, the :ip_resolution_mechanism property's value is single_VPN_IP in objects_5_0.C. userc.C has that specific IP address in the :allowed_interface_ranges property.

3. IP with Static NAT, if the gateway object has NAT applied to it.

GATEWAY WITH MULTIPLE EXTERNAL INTERFACES

If an NGX Gateway has multiple external interfaces, use ongoing probing. The SecureClient probes all interfaces listed in the Topology of the object and connects to the first one that responds. The SecureClient stays connected to that IP, until the IP stops responding.

[Table: link-selection behaviour when connecting to a pre-NGX Gateway; only the method pairs are legible: Main address / Main address; Selected address from topology table / Ongoing probing; Static NAT / Ongoing probing; Main IP / ...; Uses DNS / Ongoing probing; Ongoing probing / Ongoing probing; One-time probing / One-time probing.]

SECUREMOTE/SECURECLIENT DEBUGGING TOOLS

3. Run from the place where cpinfo.exe is located, while SecureClient is running:

   cpinfo -o output_file

4. cpinfo output can be viewed in InfoView.

IKE debug

One option for debugging is to run IKE debug:

1. Stop SecureClient by right-clicking the SecureClient icon in the system tray.
2. Create an empty file fwike_debug.all in the root directory, usually C:\.
3. Start SecureClient.
4. ike.elg is created in $SRDIR\log, which is usually located in c:\Program Files\CheckPoint\SecuRemote\log.
5. To stop IKE debug, stop SecureClient, delete fwike_debug.all, and restart SecureClient.

ike.elg can be opened and analyzed using the IKEview utility.

sc log Debug

sc log debug also cleans the following files:

   sr_service_tde.log
   sr_gui_tde.log
   sr_watchdog_tde.log

Run the command sc debug on -c.

Run sc log debug without restarting the SecureClient service:

   sc log on

Disable sc log debug without restarting the SecureClient service:

   sc log off

To run sc log on and sc log off, the fwike_debug.all and sr_tde.all files must be created under the root directory.

srfw ctl Debug

Kernel debugging on SecureClient is similar to kernel debugging on an NGX VPN-1 Gateway. Kernel debugging is useful mainly to debug dropped packets. From $SRDIR\bin, run these commands:

1. To clear any previous debug options, run srfw ctl debug 0.
2. To set the buffer size, run srfw ctl debug -buf 4096.
3. Specify debug options by running srfw ctl debug -m <module> <option>.
4. Start the debug and write to the output file by running srfw ctl kdebug -f <filename>.
5. Use CTRL + C to stop the debug.
6. For example, to debug dropped packets, run srfw ctl debug -m fw drop.

To see all available options for -m, run srfw ctl debug -m.

ENHANCED DEBUGGING TOOL

Since SecuRemote/SecureClient NG with Application Intelligence R56, an enhanced debugging tool has been available in the SecuRemote/SecureClient GUI. No Command Line Interface is necessary.

1. In the SecureClient Settings > Advanced screen, click the button Enable logging.
2. Restart the SecureClient.
3. Recreate the problem, and test traffic.
4. From the Settings > Advanced screen, click the Save logs button.
5. A .tgz file with time and date stamp will be saved in folder UserLogs in the user's Temp folder (e.g., C:\Documents and Settings\johndoe\Local Settings\Temp\UserLogs\SC_logs_xxxxx.tgz).

[Screenshot: Windows Explorer view of C:\Documents and Settings\tchung\Local Settings\Temp\UserLogs showing the saved SC_logs_16_Nov_05.7.50_55 archive (313 KB, WinZip File) and a 1 KB text document, both dated 11/16/2005.]

SecureClient .tgz Output

The .tgz file contains the following debugging information:

• Installation log
• ipconfig output
• Routing-table data
• ike.elg
• Three .tde log files
• userc.C
• Time-stamp file
[Screenshot: contents of the saved archive as listed in WinZip: installation and AutoPlay .elg files (R55W, R56, R60), ErrorDescription.txt, fwkern.txt, ipconfig.txt, route.txt, sr_gui_tde.log, sr_service_tde.log, sr_watchdog_tde.log, time.txt, uninstall_fwgui_R60.elg and userc.C; 18 files, 4,924 KB in total.]

R56 Logging Files

6. To disable logging, clear the box Enable logging in the Settings > Advanced screen.
7. Stop and start the SecureClient.

This debug does not include srfw monitor, cpinfo, or kernel debug.
TROUBLESHOOTING TABLE

This table is an example of the flow for troubleshooting a remote-access issue. This table is not meant as a model of a SecuRemote connection setup, but uses that as a guideline for troubleshooting specific issues.

If this issue arises during ...    ... examine these possible causes and check the listed tools

SecureClient version
   • Installation issues
   • Compatibility with Gateway versions (feature changes)
   • Operating-system compatibility

Site creation (topology download and requirements for connection)
   • Verify that the topology is exportable for SecuRemote/SecureClient.
   • Verify necessary ports are open.
   • Verify split DNS configuration.
   • Confirm in userc.C: Preferred Gateway, Connection options, Gateway IPs, Available profiles, Policy Server IP.

Pre-IKE decisions (Interesting traffic is received from SecuRemote/SecureClient. VPN-1 NGX determines how and where to send the traffic.)
   • Method of encryption
   • Partially overlapping VPN Domains may cause errors
   • Peer selection for Multiple Entry Point (MEP) configurations
   • Link selection
   • Mode selection: Connect/AutoConnect Mode

(Row label not legible; its description ends "... will be encrypted.")
   • Verify the path to Gateway is open (if ...).
   • Verify IKE over TCP ports are open.
   • Verify UDP encapsulation ports are open (if necessary).
   • Verify routing.
   • Verify security or SecureClient ...
   • Verify NAT-T ports or MEP are configured in userc.C.

Phase I/authentication (The Gateway has been contacted, and is beginning to build the t
unnel.)
   • Verify Phase 1 completes.
   • Verify authentication works for the user without SecuRemote/SecureClient configured.
   • Verify the authentication method is supported with IKE and the Gateway.
   • Verify the third-party authentication server.
   • Verify IKE over TCP is enabled. (This allows for fragmentation of Main mode packet 6 for large Certificates or Certificate Revocation Lists.)
   • Verify if Visitor Mode is enabled. (This encapsulates the entire session over port 80 or 443, when behind a proxy or restricted gateway.)
   • Verify the internal/third-party CA and Certificate generation/distribution/CRL.
   • Refer to fw monitor, sr monitor, and IKE debug logs for more data.
   • Verify Office Mode: ipassignment.conf, RADIUS, DHCP, IP pool configuration.

Encrypted data (The IKE exchange was successful, and encrypted traffic is going to be exchanged.)
   • While this phase is also hidden by the virtual machine, some data can still be gathered from other sources.
   • Use fw monitor for viewing ESP packets (IP protocol 50) to and from the SecureClient.
   • Verify that UDP encapsulation port 2746 (the Check Point proprietary port) is open.
   • Verify the tunnel-test port is open (port 18234).
   • Verify the NAT-T port (UDP 4500, the industry standard for UDP encapsulation) is open.
   • Verify dynamically assigned IP (DAIP) routing is configured.
   • Verify routing to the hub Gateway in MEP configurations.
   • Verify the Office Mode IP for MEP configurations is routing to the correct chosen Gateway.
   • Check SmartView Tracker for Secure Configuration Verification (SCV) drops, as well as SCV log checks.
   • Check SmartView Tracker for Policy Server login and download notification.

LAB 10: OBSERVING IKE NEGOTIATION BETWEEN A GATEWAY AND SECURECLIENT

Scenario: To observe IKE negotiations between an NGX Gateway and SecureClient, you will run ike debug on the Gateway and SecureClient at the same time, and analyze the output using IKEview. In this lab, you and your partner will alternate roles. One side will be the SecureClient, while the other will be the site to which the SecureClient connects. SecureClient is installed on the Windows machine behind your Gateway (for example, weboslo). You are going to create a site and connect to your partner's city site, while both sides are running debugging sessions. Once the debugging sessions are captured, each side will then reverse roles, repeat the debugging from the other side, then examine the debugging sessions.

Objectives:

• Run ike debug on the SecureClient desktop.
• Run ike debug on the NGX Gateway.
• Analyze IKE negotiation using the IKEview utility.

Topics:

• Enabling Office Mode on the Gateway
• Creating the SecureClient user
• Configuring the Remote Access Community
• Installing the open Policy
• Enabling Office Mode on the SecureClient desktop
• Starting IKE debug on the Gateway and SecureClient
• Stopping IKE debug on the Gateway
• Analyzing ike.elg files in IKEview
DETERMINE ROLES FOR THE LAB SCENARIO

... site. If you are the ... site, skip to ...

GATEWAY SIDE: ENABLE OFFICE MODE ON THE GATEWAY

1. ... Remote Access > Office Mode ...
2. In Office Mode, using one of the following methods ... IP Pool ...
3. ...

   Office_Net   10.x.x+1.0

   x is the second octet of your internal network's address, and x+1 is the third octet + 1 of the internal network's address. For example, Net_Oslo is 10.2.2.0, so Office_Net for Oslo is 10.2.3.0, with netmask 255.255.255.0.

4. Click OK to ...
5. Click OK to ...

GATEWAY SIDE: CREATE THE SECURECLIENT USER
3. Click OK to close the ...

GATEWAY SIDE: CONFIGURE THE REMOTE ACCESS COMMUNITY

1. ... the VPN tab of the ...
2. ...
3. ... All Users ... User ...
4. ... Net_Oslo ...

CLIENT SIDE: INSTALL OPEN POLICY

1. ...
2. ... rule to ...
3. ...

CLIENT SIDE: ENABLE OFFICE MODE ON THE SECURECLIENT DESKTOP

1. Right-click the SecureClient icon in the system tray.
2. Click the ...
3. Click the ...
4. Check the box ...
5. Click OK.
GATEWAY SIDE: START IKE DEBUG ON THE GATEWAY

... IKE debug on your city ... VPN ...

1. Log in to ...
2. Run the following:

   vpn debug

CLIENT SIDE: START IKE DEBUG ON SECURECLIENT

1. Stop SecureClient by right-clicking the SecureClient icon in the system tray.
2. Create an empty file fwike_debug.all in C:\.
3. ...
4. ...
5. Enter ...
6. Open ... in C:\...
7. To stop ...

GATEWAY SIDE: STOP IKE DEBUG ON THE GATEWAY

After your partner city's ..., stop vpn debug by running vpn debug ...

CLIENT SIDE: TRANSFER IKE.ELG FROM SECURECLIENT TO YOUR PARTNER SITE

An FTP server is installed on the Windows machine behind each city site's
Gateway.
1. From your SecureClient machine, open an FTP session and log in to your
partner city's FTP server.
2. Type binary.
3. Type hash.
4. Type put ike.elg.
5. Exit the FTP session.

REVERSE ROLES

Each side will now perform the steps for the other side of the connection.

ANALYZE IKE.ELG FILES IN IKEVIEW

Using IKEview, analyze your Gateway's ike.elg, and the ike.elg from your
partner city's SecureClient.

Continue to next lab.

LAB 11: RUNNING SRFW MONITOR

Scenario: Continuing from the last lab, the site that was the SecureClient will
continue in that role for the lab. Once each side has completed its capture, each
side will switch roles and repeat the procedures for the other side. In this lab,
each side will run srfw monitor on the SecureClient desktop and fw monitor on
the corresponding NGX Gateway, and will analyze output using Ethereal.

Objectives:

• Run srfw monitor on the SecureClient desktop.
• Run fw monitor on the corresponding Gateway.
• Analyze both monitor outputs in Ethereal.

Topics:

• Running fw monitor on the NGX Gateway
• Running srfw monitor on the SecureClient desktop
• Stopping fw monitor on the Gateway
• Analyzing srfw monitor output using Ethereal
• Analyzing fw monitor using Ethereal

GATEWAY SIDE: RUN FW MONITOR ON NGX GATEWAY

1. Run fw monitor, filtering on the physical and Office Mode IP addresses:

   fw monitor -e "accept src=<physical IP> or src=<Office Mode IP> or dst=<physical IP> or dst=<Office Mode IP>;" -o monitor_gateway_yourcity.out

CLIENT SIDE: RUN SRFW MONITOR ON SECURECLIENT DESKTOP

1. ... to ... 's Web ... in the VPN ... Use FTP or HTTP ...
2. On ... (CLI) and ... to ...
3. ...
4. The ...:

   [ 3684] ... (from command line)
   [ 3684] ...
   [ 3684] ... (control-C to stop)
   426 [ 2952] sig 2

5. Test traffic by FTP or HTTP ... Web ...
6. ... CTRL + C keys in the CLI.

GATEWAY SIDE: STOP FW MONITOR ON THE GATEWAY

... CTRL + C ... in the CLI to ... fw monitor.

REVERSE ROLES

ANALYZE SRFW MONITOR OUTPUT IN ETHEREAL

1. Open srfw monitor output using Ethereal:

   [Screenshot: srfw monitor output opened in Ethereal. The packet list shows TCP 18190 traffic, then ESP packets between 10.2.4.104 and 172.22.102.1 interleaved with the decrypted HTTP session between 10.2.3.1 and 10.2.2.102 (port 1378 > http: SYN, SYN/ACK, ACK, GET / HTTP/1.1). Frame 55 (62 bytes) is the HTTP SYN: IP Src 10.2.3.1, Dst 10.2.2.102; TCP Src Port 1378, Dst Port http (80), Seq 0, Ack 0, Len 0.]

   srfw monitor Output

2. Identify the changes in source and destination addresses, as a packet leaves the SecureClient to access the VPN Domain's internal Web server. In the screenshot above, notice at o (lowercase), the source address is the Office Mode IP 10.2.3.1, and the destination is 10.2.2.102, weboslo. As the packet leaves the SecureClient at O (uppercase), the source address changes to fwmadrid's physical IP address, 10.2.4.102, and the destination is fwoslo's external interface, 172.22.102.1.

3. Identify the interface direction for outbound and inbound traffic. For example, for outbound traffic as on lines 55 and 56 (in the No. column), the interface directions are o, O; for inbound traffic on lines 57 and 58, the interface directions are i, I.
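As an added example (not part of the lab and not a Check Point tool), the following parses fw monitor / srfw monitor text output, whose line format "<interface>:<point>[<len>]: <src> -> <dst> (<proto>) ..." is assumed here, and pairs the o/O and i/I inspection points to show where the VPN rewrote the addresses. The sample lines are constructed to match the flow described in steps 2 and 3.

```python
import re

# Constructed sample in the fw monitor / srfw monitor text format assumed above (not a
# real capture). It mirrors the lab flow: a SYN from the Office Mode IP 10.2.3.1 to
# weboslo (10.2.2.102) leaves SecureClient, is encrypted into ESP from the physical IP
# to fwoslo's external interface, and the SYN/ACK comes back the same way.
SAMPLE_LINES = """
eth0:o[48]: 10.2.3.1 -> 10.2.2.102 (TCP) len=48 id=3001
TCP: 1378 -> 80 .S.... seq=00006b0f ack=00000000
eth0:O[108]: 10.2.4.102 -> 172.22.102.1 (ESP) len=108 id=3002
eth0:i[108]: 172.22.102.1 -> 10.2.4.102 (ESP) len=108 id=4108
eth0:I[48]: 10.2.2.102 -> 10.2.3.1 (TCP) len=48 id=4108
TCP: 80 -> 1378 .S..A. seq=00001000 ack=00006b10
""".strip().splitlines()

# <interface>:<inspection point>[<length>]: <src> -> <dst> (<protocol>) ...
_PACKET = re.compile(
    r"^(?P<iface>\w+):(?P<point>[iIoO])\[(?P<len>\d+)\]:\s+"
    r"(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+)\s+\((?P<proto>\w+)\)"
)

# Inspection points: lowercase = before the firewall virtual machine, uppercase = after it.
POINT_NAMES = {
    "i": "inbound, before inspection",
    "I": "inbound, after inspection",
    "o": "outbound, before inspection",
    "O": "outbound, after inspection",
}
_AFTER = {"o": "O", "i": "I"}   # which 'after' point completes each 'before' point


def parse_monitor(lines):
    """One dict per packet header line; protocol detail lines such as 'TCP: ...' are skipped."""
    packets = []
    for line in lines:
        m = _PACKET.match(line.strip())
        if m:
            packets.append(m.groupdict())
    return packets


def direction(point):
    return "outbound" if point in "oO" else "inbound"


def vpn_transforms(packets):
    """Pair each before-inspection packet with the next after-inspection packet on the
    same interface and direction, and report whether the VPN changed its addresses."""
    events, pending = [], {}
    for p in packets:
        if p["point"] in _AFTER:
            pending[_AFTER[p["point"]]] = p          # wait for the matching O or I
            continue
        before = pending.pop(p["point"], None)
        if before is None or before["iface"] != p["iface"]:
            continue
        events.append({
            "direction": direction(p["point"]),
            "before": (before["src"], before["dst"], before["proto"]),
            "after": (p["src"], p["dst"], p["proto"]),
            "vpn_transformed": (before["src"], before["dst"]) != (p["src"], p["dst"]),
        })
    return events


def describe(lines):
    """Human-readable summary, one line per o/O or i/I pair."""
    out = []
    for e in vpn_transforms(parse_monitor(lines)):
        b, a = e["before"], e["after"]
        state = "rewritten by the VPN" if e["vpn_transformed"] else "unchanged"
        out.append("%s: %s -> %s (%s) became %s -> %s (%s): %s"
                   % (e["direction"], b[0], b[1], b[2], a[0], a[1], a[2], state))
    return out


if __name__ == "__main__":
    for line in describe(SAMPLE_LINES):
        print(line)
```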

ANALYZE FW MONITOR IN ETHEREAL

1. Open fw monitor output using Ethereal.
2. Locate an HTTP SYN packet, by filtering on the Office Mode IP address in the Source column.
3. Locate the entry number in the No. column, as in the screenshot below. The number 716 is the HTTP SYN packet.
4. Clear the filter by clicking the No. column.
5. Review the HTTP SYN packet, starting from protocol ESP in number 715.

   [Screenshot: fw monitor output (C:\ftproot\monitor_gateway_fwoslo.out) opened in Ethereal. Legible frames:
   710  10.2.4.104 -> 172.22.102.1  ESP (SPI=0x4442c7a8)
   711  10.2.3.1 -> 10.2.2.102  TCP [TCP Previous segment lost] 1416 > ftp
   712  10.2.3.1 -> 10.2.2.102  TCP [TCP Dup ACK 711#1] 1416 > ftp [ACK]
   713  10.2.3.1 -> 10.2.2.102  TCP [TCP Dup ACK 711#2] 1416 > ftp [ACK]
   714  10.2.3.1 -> 10.2.2.102  TCP 1429 > http [RST] Seq=0 Ack=0 Win=0
   715  10.2.4.104 -> 172.22.102.1  ESP (SPI=0x4442c7a8)
   716  (selected row; the HTTP SYN, detailed below)
   717  10.2.3.1 -> 10.2.2.102  TCP 1431 > http [SYN] Seq=0 Ack=0
   718  10.2.3.1 -> 10.2.2.102  TCP 1431 > http [SYN] Seq=0 Ack=0
   719  10.2.2.102 -> 10.2.3.1  TCP http > 1431 [SYN, ACK] Seq=0 Ack=1
   720  10.2.2.102 -> 10.2.3.1  TCP http > 1431 [SYN, ACK] Seq=0 Ack=1
   721  10.2.2.102 -> 10.2.3.1  TCP http > 1431 [SYN, ACK] Seq=0 Ack=1
   722  172.22.102.1 -> 10.2.4.104  ESP (SPI=0xdab604eb)
   723  10.2.4.104 -> 172.22.102.1  ESP (SPI=0x4442c7a8)
   724  10.2.3.1 -> 10.2.2.102  TCP 1431 > http [ACK] Seq=1 Ack=1
   725  10.2.3.1 -> 10.2.2.102  TCP [TCP Dup ACK 724#1] 1431 > http [ACK]
   Frame 716 (62 bytes on wire): Ethernet II, Src 00:00:00:00:00:00, Dst 49:62:65:74:68:30; IP Src 10.2.3.1, Dst 10.2.2.102; TCP Src Port 1431, Dst Port http (80), Seq 0, Ack 0, Len 0.]

   fw monitor Output

End of lab.

REVIEW

• Commands used in debugging SecureClient-to-Security Gateway connections are ike debug, sr_service debug, and srfw monitor.
• The necessary ports for SecureClient to establish connections are:
— TCP 264, 500, 18231. (80 and 443 are only necessary when in Visitor Mode.)
— UDP 259, 500, 2746.
— IP Protocol 50 (not required if using UDP encapsulation).
• The ports used by SecureClient inside the tunnel are:
— UDP 18234.
— TCP 18231, 18233.
• srfw monitor can be used to track packet flow in all phases of a SecureClient connection.
• For SecureClient, the IP address in the General Properties screen of the gateway object (normally the external IP) is used as the connection point. This is defined for SecureClient in the userc.C file and is referred to as the main IP. In situations where an internal IP address is used for the main IP, interface resolution can be used to guarantee connection and encryption.
• Static interface resolving is enabled by the property :resolve_interface_ranges, and is enabled by default. Each interface in a Gateway is used to calculate an interface range, and SecureClient reads these ranges from userc.C, then determines to which interface its address belongs.
• Dynamic interface resolving is enabled by the property :resolve_multiple_interfaces. SecureClient sends RDP packets to all interfaces it is aware of, as defined in userc.C. Whichever interface responds first is the interface with which SecureClient will then encrypt.
• In VPN-1 NGX, SecureClient link selection on single, external-interface systems primarily uses one of three methods: main IP address, selected address from the Topology table, or Static NAT.
• In an NGX system with multiple external interfaces, additional methods can be configured: calculating IP based on network topology, one-time probing, and ongoing probing.

CHAPTER 10: ADVANCED VPN
VPN-1 NGX introduces a new VPN capability, route-based VPN where VPN
traffic is routed within a Community based on static- or dynamic-routing
information. Route-based VPN is done using VPN Tunnel Interfaces (VTI), a
virtual interface on the OS level.

Objectives

1. Identify differences between route-based VPNs and domain-based VPNs.
2. Configure VTI for route-based VPN Gateways.
3. Configure OSPF for dynamic VPN routing in a Community.
4. Identify the Wire Mode function by testing a VPN failover.
5. Configure Directional VPN Rule Match for route-based VPN.

Key Terms

ROUTE-BASED VPN

Prior to VPN-1 NGX, a site-to-site VPN required VPN Domains. If a packet's source and destination addresses matched local and certain peer Security Gateways' VPN Domains, the packet was encrypted or decrypted automatically. With a route-based VPN, an NGX Gateway can decide to encrypt and decrypt a packet using a VPN Tunnel Interface (VTI), an OS-level virtual interface that provides a door to a VPN tunnel. When properly configured, the packet will then go through a route-based VPN via the appropriate VTIs.

Route-based VPN provides VPN redundancy, as in the following example:

[Figure CPG0551: Route-Based VPN between the Rome and Oslo Gateways.]

Route-Based VPN
DOMAIN-BASED VPN

Dynamic-routing protocols are not required to implement route-based VPNs.


Static routes can achieve the same purpose. As long as the OS level routing
mechanism knows how to get to the remote peer's network via the correct VTI,
a route-based VPN can work properly. However, static routes need to be
updated manually, when there is a routing change.

It is important to note that a route-based VPN does not replace a domain-based


VPN, but expands it. Domain-based VPN takes precedence over route-based
VPN. Routing through VTIs only applies to traffic that is not routed in VPN
Domains. The order between the two VPN routing methods is set by the order
of the VPN routing decisions. First, domain-based VPN routing tables are
consulted, to determine the proper origin or target VPN Gateway for the traffic.
If no domain-based VPN routing applies, the OS routing table is examined, to
determine whether the traffic is to be routed through a VTI.

For example, when two Gateways have configured VPN Domains for their site-
to-site VPN, the two Gateways always route traffic between the two VPN
Domains through the Community, regardless of whether or not there are VTIs.
VTIs can be used at first to serve additional traffic that is not handled by
the VPN Domains. This way, an Open Shortest Path First (OSPF) daemon can be
set up to work over a VTI while the domain-based VPN is still active. Since
OSPF exchanges its messages by multicast, it works only over VTIs, which the
routing daemon sees as ordinary point-to-point links.

Once OSPF adjacency is established between the two Gateways, routing
information can be exchanged. After verifying that the routing information
is correct, gradually remove parts of the VPN Domains' definitions, to allow
the route-based VPN to take over.

VPN TUNNEL INTERFACE

A VPN Tunnel Interface (VTI) is a virtual interface on an NGX component,
which is associated with an existing VPN tunnel, and is used by IP routing as
a point-to-point interface directly connected to a VPN peer Gateway. Each VTI
is associated with a single tunnel to a VPN peer Gateway. The tunnel behaves
just like a point-to-point link between the two Gateways. The tunnel and its
properties are defined by a VPN Community linking the two Gateways. The peer
Gateway should also be configured with a VTI. The native IP routing mechanism
on each Gateway can then direct traffic into the tunnel, just as it would for
any other type of interface.

VPN Routing Process

OUTBOUND PACKETS

The VPN routing process of an outbound packet can be described as follows:

Figure: VPN Tunnel Interfaces (source VPN-1 NGX Security Gateway to
destination VPN-1 NGX Security Gateway)

• An IP packet with destination address x is matched against the routing
table.
• The routing table indicates that IP address x should be routed through a
point-to-point link, which is the VTI associated with the peer Gateway.
• The NGX kernel intercepts the packet as it enters the VTI.
• The packet is encrypted using the proper IPsec Security Association
parameters with the peer Gateway, as defined in the VPN Community. The
new packet receives the peer Gateway's IP address as the destination IP.
• Based on the new destination IP address, the packet is rerouted by
VPN-1 NGX to the physical interface, according to the appropriate routing-
table entry for the peer Gateway's address.

INBOUND PACKETS

The opposite is done for inbound packets:

• An IPsec packet enters the machine coming from the peer Gateway.
• VPN-1 NGX intercepts the packet on the physical interface.
• VPN-1 NGX identifies the originating VPN peer Gateway.
• VPN-1 NGX decapsulates the packet, and extracts the original IP packet.
• VPN-1 NGX detects that a VTI exists for the peer VPN Gateway, and
reroutes the packet from the physical interface to the associated VTI.
• The packet enters the IP stack through the VTI.

Best Practices

A VTI is best defined symmetrically on both Gateways, although it is possible
to have one side work with a domain-based VPN. In this case, the Gateway
without a VTI configured on it would not accept just any IP address from its
peer Gateway, but only IP addresses specifically defined in the peer's VPN
Domain (or any specific alteration of it configured in the vpn_route.conf
file).

With VTIs, it is now possible to completely control VPN routing by OS routing.
The same infrastructure allows dynamic-routing protocols to control the VPN.
A dynamic-routing protocol daemon running on the NGX Gateway (on
SecurePlatform Pro and IPSO platforms only) can establish connectivity with a
neighboring routing daemon on the other end of an IPsec tunnel, which appears
to be a single hop away. The daemons can exchange routing information and
dynamically change the IP routing, which in turn changes the traffic directed
into the IPsec VPN tunnel.

Configuring Numbered VTIs

VTIs can be configured manually using vpn shell on SecurePlatform Pro, or by
using Voyager on IPSO. The following example demonstrates creating numbered
VTIs among three SecurePlatform Pro NGX Gateways:

Figure: VTI for Three Sites. Security Gateway A (external 214.214.214.1,
internal network 192.168.14.0) has VTIs 10.10.0.1 and 10.10.0.3; Security
Gateway B (external 215.215.215.1, internal network 192.168.15.0) has VTIs
10.10.0.2 and 10.10.0.5; Security Gateway C (internal network 192.168.16.0)
has VTIs 10.10.0.4 and 10.10.0.6.

Three Gateways are the minimum required for a route-based VPN with a
redundant path: in such a topology every Gateway has two VTIs, one for each
peer, so that a peer's network stays reachable through the third site when
the direct tunnel is down. Assume Gateways A, B, and C are setting up VTIs to
each other, to use a route-based VPN.

FIGURE NOTES

Between A and B, 10.10.0.1 is assigned as the VTI IP on A, and 10.10.0.2 is
assigned to B.

Between A and C, 10.10.0.3 is assigned to A, and 10.10.0.4 is assigned to
Gateway C.

Between B and C, 10.10.0.5 is assigned to B, and 10.10.0.6 is assigned to C.

CREATING VTIS USING THE VPN SHELL ADD COMMAND

The syntax is as follows:

vpn shell interface add numbered <Local VTI IP> <Remote VTI IP> <Peer name>
<VTI name>

The peer name is the name of the peer's Gateway object as defined in
SmartDashboard, and the VTI name is the interface name the OS will use.

On Gateway A, type the vpn shell add commands:

vpn shell interface add numbered 10.10.0.1 10.10.0.2 Gateway_B to_B
vpn shell interface add numbered 10.10.0.3 10.10.0.4 Gateway_C to_C

On Gateway B, type the vpn shell add commands:

vpn shell interface add numbered 10.10.0.2 10.10.0.1 Gateway_A to_A
vpn shell interface add numbered 10.10.0.5 10.10.0.6 Gateway_C to_C

On Gateway C, type the vpn shell add commands:

vpn shell interface add numbered 10.10.0.4 10.10.0.3 Gateway_A to_A
vpn shell interface add numbered 10.10.0.6 10.10.0.5 Gateway_B to_B

Note: the peer name used in the vpn shell add command is the name of the
peer's Gateway object, and must match it exactly.


VIEWING VTIS USING THE VPN SHELL SHOW COMMAND

To see the list of VTIs you created, run the following commands in vpn shell:

vpn shell show interface summary all

vpn shell show interface detailed all

A VTI can also be viewed as a regular interface by using the ifconfig -a
command.

ADDING STATIC ROUTES

For route-based VPN after VTIs are created, it is necessary to add static routes,
pointing to the VTI as the interface to access a peer's internal network. For
example, in the example mesh VPN, any hosts behind Security Gateway A that
need to access the network behind security Gateway C will need to go through a
static route created on Gateway A. This command can be entered via the
Command Line Interface (CLI) as:

route add -net 192.168.16.0/24 gw 10.10.0.4

Alternately, when adding the route via the CLI, the VTI name can be used as
the outgoing device instead of the peer's VTI address:

route add -net 192.168.16.0/24 dev to_C

Check Point recommends configuring static routes using sysconfig in
SecurePlatform Pro, as these routes then survive a reboot, whereas routes
added with the route command from the CLI do not.
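The three-site configuration above, with both ends of each VTI and the static routes derived from a single tunnel list: an added Python example for this section, not part of the handbook or of Check Point's own tooling. It only generates the command lines shown in the text; the vpn shell and route commands still have to be run on each Gateway. The Gateway object names, the to_B / to_C interface naming and the internal networks are taken from the figure; check_symmetry is an assumed helper that flags a Gateway pair defined twice or a VTI address reused by two tunnels before anything is typed into a Gateway.

```python
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple


@dataclass(frozen=True)
class Gateway:
    name: str           # Gateway object name, the <Peer name> argument on the other side
    internal_net: str   # network behind the Gateway, CIDR notation


@dataclass(frozen=True)
class Tunnel:
    """One tunnel, described once. Both VTIs are derived from it, so the two
    Gateways cannot end up with mismatched local/remote addresses."""
    gw_a: str
    gw_b: str
    ip_a: str   # VTI address on gw_a
    ip_b: str   # VTI address on gw_b


def vti_name(peer: str) -> str:
    """Interface naming used in this section (to_B, to_C); assumed convention."""
    return "to_" + peer.split("_")[-1]


def peers_of(gw: str, tunnels: List[Tunnel]) -> Iterator[Tuple[str, str, str]]:
    """(peer, local VTI IP, remote VTI IP) for every tunnel gw takes part in."""
    for t in tunnels:
        if t.gw_a == gw:
            yield t.gw_b, t.ip_a, t.ip_b
        elif t.gw_b == gw:
            yield t.gw_a, t.ip_b, t.ip_a


def vti_commands(gw: str, tunnels: List[Tunnel]) -> List[str]:
    """The 'vpn shell interface add numbered' lines to type on gw."""
    return [f"vpn shell interface add numbered {local} {remote} {peer} {vti_name(peer)}"
            for peer, local, remote in peers_of(gw, tunnels)]


def route_commands(gw: str, gateways: Dict[str, Gateway], tunnels: List[Tunnel]) -> List[str]:
    """Static route to each peer's internal network via the peer's VTI address."""
    return [f"route add -net {gateways[peer].internal_net} gw {remote}"
            for peer, _local, remote in peers_of(gw, tunnels)]


def check_symmetry(tunnels: List[Tunnel]) -> List[str]:
    """Flag a Gateway pair defined twice and a VTI address reused by two tunnels."""
    problems: List[str] = []
    seen_pairs: set = set()
    seen_ips: Dict[str, str] = {}
    for t in tunnels:
        label = f"{t.gw_a}-{t.gw_b}"
        pair = frozenset((t.gw_a, t.gw_b))
        if pair in seen_pairs:
            problems.append(f"tunnel {label} is defined more than once")
        seen_pairs.add(pair)
        for ip in (t.ip_a, t.ip_b):
            if ip in seen_ips:
                problems.append(f"VTI address {ip} is used by both {seen_ips[ip]} and {label}")
            seen_ips[ip] = label
    return problems


# Topology of the three-site figure in this section.
GATEWAYS: Dict[str, Gateway] = {g.name: g for g in (
    Gateway("Gateway_A", "192.168.14.0/24"),
    Gateway("Gateway_B", "192.168.15.0/24"),
    Gateway("Gateway_C", "192.168.16.0/24"),
)}
TUNNELS: List[Tunnel] = [
    Tunnel("Gateway_A", "Gateway_B", "10.10.0.1", "10.10.0.2"),
    Tunnel("Gateway_A", "Gateway_C", "10.10.0.3", "10.10.0.4"),
    Tunnel("Gateway_B", "Gateway_C", "10.10.0.5", "10.10.0.6"),
]

if __name__ == "__main__":
    for problem in check_symmetry(TUNNELS):
        raise SystemExit(problem)
    for name in GATEWAYS:
        print(f"# {name}")
        for line in vti_commands(name, TUNNELS) + route_commands(name, TUNNELS):
            print(line)
```

Because each tunnel is written down once, the two Gateways always get mirror-image `interface add` lines, which is the symmetric VTI definition recommended under Best Practices above.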

Configuring VTIs on Nokia IPSO

To configure VTIs on Nokia IPSO, log in to Nokia Network Voyager, open the
FireWall-1 configuration pages, select the FWVPN Tunnels page, define the
tunnel on the FWVPN Tunnel page, and click Apply. The new VTI then appears in
the tunnel list.
Dynamic VPN Routing

OSPF configuration detail is beyond the scope of this chapter. Security
Administrators should be familiar with routing protocols before configuring
dynamic routing.

This figure shows VPN dynamic routing over OSPF:

Figure: Dynamic VPN Routing Among Three Sites. Security Gateway "A"
(ext: 214.214.214.1; VTI: 10.10.0.1; VTI: 10.10.0.3; internal network
10.10.30.0/24). Security Gateway "B" (ext: 215.215.215.1; VTI: 10.10.0.2;
VTI: 10.10.0.5; eth1: 10.10.1.1). Security Gateway "C" (ext: 216.216.216.1;
VTI: 10.10.0.4; VTI: 10.10.0.6; eth1: 10.10.1.2). Gateways B and C are
connected to each other through their eth1 interfaces.

ENABLING ADVANCED ROUTING

To configure OSPF on SecurePlatform Pro, the gated daemon must be enabled on
each NGX Gateway. The gated daemon is available when advanced routing is
enabled. By default, advanced routing is disabled on SecurePlatform Pro. To
enable advanced routing and configure OSPF, follow these steps:

1. Using the cpconfig utility, select the option to enable advanced routing.
2. Type Y to enable Advanced Routing.
3. Type Y to restart Check Point services, to enable advanced routing.

Q.) You have upgraded a Gateway from VPN-1/FireWall-1 NG with Application
Intelligence (R55) to VPN-1 NGX (R60) on SecurePlatform. How do you make the
Gateway a SecurePlatform Pro system, so you can use advanced routing?

A.) Run the pro enable command in Expert Mode.

CONFIGURING OSPF

On Gateway A:

1. Enter Expert Mode, and start the advanced routing CLI.
2. Type ena or enable, to enter privileged mode.
3. Start configuring OSPF, by typing conf t in privileged mode.
4. Type router ospf 1. The OSPF process ID should be the same on all
Gateways.
5. Enter router-id <IP address>; for example, router-id 214.214.214.1. It can
be the physical IP address of the Gateway's external interface.
6. Configure the VTI to Gateway B as area 0:

interface vt-Gateway_B
ip ospf 1 area 0.0.0.0

7. Configure the VTI to Gateway C as area 0:

interface vt-Gateway_C
ip ospf 1 area 0.0.0.0

8. Configure the internal interface eth1 as area 51:

interface eth1
ip ospf 1 area 51.0.0.0

On Gateway B, configure OSPF as follows:

1. In configuration mode, type:

router ospf 1
router-id 215.215.215.1

2. Configure the VTI to Gateway A as area 0:

interface vt-Gateway_A
ip ospf 1 area 0.0.0.0

3. Configure eth1 as area 0. Gateway_B and Gateway_C are connected to each
other through eth1. That network must belong to area 0, because OSPF requires
the backbone area to be contiguous: with the B-C link in area 0, B and C keep
a backbone adjacency even when the VTIs to Gateway A are down.

interface eth1
ip ospf 1 area 0.0.0.0
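A way to check an area plan like the one above before committing it to three Gateways: an added Python example written for this section, not part of the handbook or of Check Point's routing suite. It models each OSPF-enabled interface as (router, area, network) from the figure and reports any area whose routers are not connected within that area, and any non-backbone area with no router in area 0. The second plan, with the B-C eth1 link moved into area 51, is constructed to show why the text places that link in area 0: area 51 would then consist of A's internal LAN and the B-C link with nothing joining them.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# One entry per OSPF-enabled interface: (router, area, network the interface is on).
# Routers that share a network inside the same area become neighbours.
Link = Tuple[str, str, str]
BACKBONE = "0.0.0.0"


def adjacency(links: List[Link]) -> Dict[str, Dict[str, Set[str]]]:
    """area -> router -> neighbouring routers within that area."""
    on_net: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for router, area, net in links:
        on_net[(area, net)].add(router)
    adj: Dict[str, Dict[str, Set[str]]] = defaultdict(dict)
    for (area, _net), routers in on_net.items():
        for r in routers:
            adj[area].setdefault(r, set()).update(routers - {r})
    return adj


def components(graph: Dict[str, Set[str]]) -> List[Set[str]]:
    """Connected components of an undirected graph (depth-first search)."""
    seen: Set[str] = set()
    comps: List[Set[str]] = []
    for start in graph:
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:
            r = stack.pop()
            if r in comp:
                continue
            comp.add(r)
            stack.extend(graph[r] - comp)
        seen |= comp
        comps.append(comp)
    return comps


def validate_areas(links: List[Link]) -> List[str]:
    """Problems an OSPF area plan must not have: an area whose routers are not
    all connected inside the area, or a non-backbone area with no router in area 0."""
    adj = adjacency(links)
    backbone_routers = set(adj.get(BACKBONE, {}))
    problems: List[str] = []
    for area, graph in adj.items():
        parts = components(graph)
        if len(parts) > 1:
            problems.append(f"area {area} is partitioned: {[sorted(p) for p in parts]}")
        if area != BACKBONE and not (set(graph) & backbone_routers):
            problems.append(f"area {area} has no router attached to area {BACKBONE}")
    return problems


# Area plan from the text: VTIs A-B and A-C in area 0, the B-C eth1 LAN in
# area 0, and A's internal LAN as area 51.0.0.0.
PAGE_PLAN: List[Link] = [
    ("Gateway_A", BACKBONE, "vti A-B"), ("Gateway_B", BACKBONE, "vti A-B"),
    ("Gateway_A", BACKBONE, "vti A-C"), ("Gateway_C", BACKBONE, "vti A-C"),
    ("Gateway_B", BACKBONE, "10.10.1.0/24"), ("Gateway_C", BACKBONE, "10.10.1.0/24"),
    ("Gateway_A", "51.0.0.0", "10.10.30.0/24"),
]
# Constructed counter-example: the same plan with the B-C LAN placed in area 51.
BAD_PLAN: List[Link] = [
    (r, "51.0.0.0" if net == "10.10.1.0/24" else area, net) for r, area, net in PAGE_PLAN
]

if __name__ == "__main__":
    print("page plan:", validate_areas(PAGE_PLAN) or "ok")
    print("B-C LAN in area 51:", validate_areas(BAD_PLAN))
```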

Wire Mode

Wire Mode is usually defined in three places:

1. In the Community > Advanced > Wire Mode screen:

Screenshot: Wire Mode screen (Meshed Community Properties > Advanced Settings
> Wire Mode). Bypass the Firewall: "Allow uninspected encrypted traffic
between Wire mode interfaces", and the Wire mode routing option.

If Wire Mode Routing is enabled in the Community, it is not necessary to
enable Wire Mode per interface.

2. On the gateway object > VPN > VPN Advanced screen:

Screenshot: VPN Advanced screen of the gateway object. VPN Tunnel Sharing:
"Control the number of VPN tunnels opened between peer Gateways" (Use the
community settings / Custom settings). Restart Options: "Perform an organized
shutdown of tunnels upon gateway restart". Wire mode: "Support Wire mode (and
Wire mode routing: route uninspected encrypted traffic in VPN routing
configurations)"; "Select the interfaces where traffic destined to Wire mode
communities will bypass the Firewall"; "Log Wire mode traffic". NAT traversal
(industry standard): "Support NAT traversal (applies to Remote Access and
Site to Site connections)".

3. Per interface on the Gateway:

Screenshot: Wire mode interfaces screen. "Select the internal interfaces
where traffic destined to Wire mode communities will bypass the Firewall",
listing the Gateway's internal interfaces (for example eth1 and eth2) with
their IP addresses and netmasks.



Configure Wire Mode per interface from the Wire mode interfaces screen:
— Click Add in the list Select the interfaces where traffic destined to Wire
mode communities will bypass the Firewall. The internal interfaces on
the Gateway will be listed.
— Highlight particular internal interfaces, or select all internal interfaces.

Wire Mode in Route-Based VPN

In the following figure, Gateways B and C have Wire Mode enabled, and have
trusted internal interfaces defined:

Figure: Wire Mode in Route-Based VPN. Security Gateway B with internal
network 10.10.20.0/24; host 10.10.30.5 behind Gateway C.

The Community containing Gateways B and C has Wire Mode and Wire Mode
routing enabled. Host 10.10.10.5 (behind Gateway A) sends a packet to
10.10.30.5 (behind Gateway C). Gateway C's Internet connection subsequently
fails, so that when 10.10.30.5 tries to reply to 10.10.10.5, the reply packet from
10.10.30.5 will be routed through Gateway B. Without Wire Mode, Stateful
Inspection would be enforced at Gateway B, and the packet would be dropped
due to "out of state" errors. But with Wire Mode enabled, Gateway B can pass
on the traffic and not enforce Stateful Inspection.
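The failover described above, played through a small model of Stateful Inspection: an added Python example for this section, not Check Point code. Each Gateway keeps a connection table; a non-opening packet that matches no entry is "out of state". Wire Mode is modelled as a set of trusted internal interfaces on the Gateway: traffic arriving on one of them and destined for a Wire Mode Community is accepted without consulting the table. The interface names (eth1 for the internal side, vpn for the tunnel), the omission of ports, and the use of the hosts 10.10.10.5 and 10.10.30.5 from the text are assumptions of the example.

```python
from dataclasses import dataclass, field
from typing import List, Set, Tuple

Conn = Tuple[str, str]   # (initiator, responder); ports left out for brevity


@dataclass
class Gateway:
    name: str
    wire_mode_ifaces: Set[str] = field(default_factory=set)  # trusted internal interfaces
    conns: Set[Conn] = field(default_factory=set)            # Stateful Inspection table

    def inspect(self, src: str, dst: str, syn: bool, in_iface: str,
                to_wire_mode_community: bool) -> str:
        """Verdict for one packet. Stateful Inspection accepts a packet only if it
        opens a connection (SYN) or belongs to one already in the table."""
        # Wire Mode: a packet that arrived on a trusted (Wire Mode) interface and is
        # destined to a Wire Mode Community bypasses inspection, table included.
        if to_wire_mode_community and in_iface in self.wire_mode_ifaces:
            return "accept (wire mode)"
        if syn:
            self.conns.add((src, dst))
            return "accept"
        if (src, dst) in self.conns or (dst, src) in self.conns:
            return "accept"
        return "drop (out of state)"


def run_scenario(wire_mode_on_b: bool) -> List[str]:
    """The figure's failover: request A->C through the tunnel, then C's Internet
    link fails and the reply takes the path C -> B -> tunnel -> A."""
    gw_a = Gateway("Gateway_A")                       # no Wire Mode interfaces
    gw_b = Gateway("Gateway_B", wire_mode_ifaces={"eth1"} if wire_mode_on_b else set())
    gw_c = Gateway("Gateway_C")
    client, server = "10.10.10.5", "10.10.30.5"
    verdicts: List[str] = []
    # 1. SYN: A sees it on its internal interface and C receives it from its tunnel.
    verdicts.append(gw_a.inspect(client, server, True, "eth1", to_wire_mode_community=True))
    verdicts.append(gw_c.inspect(client, server, True, "vpn", to_wire_mode_community=False))
    # 2. C's Internet connection fails; the SYN-ACK reaches B on B's internal
    #    interface, bound for the Wire Mode Community tunnel to A. B never saw the SYN.
    verdicts.append(gw_b.inspect(server, client, False, "eth1", to_wire_mode_community=True))
    # 3. A did record the SYN, so the reply arriving from the tunnel is in state.
    verdicts.append(gw_a.inspect(server, client, False, "vpn", to_wire_mode_community=False))
    return verdicts


if __name__ == "__main__":
    print("without Wire Mode on B:", run_scenario(False))
    print("with Wire Mode on B:   ", run_scenario(True))
```

The third verdict is the one the text is about: with Wire Mode off, Gateway B drops the reply it has no state for; with Wire Mode on its internal interface, B passes it on unchecked, which is exactly why only trusted interfaces should be listed.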

DIRECTIONAL VPN RULE MATCH

Directional VPN Rule Match is a new access-control feature that matches more
precisely on VPN traffic and allows expressing rules based on the direction
of the traffic, rather than on participating IP addresses. Directional VPN
Rule Match matches traffic based on the type of interface group through which
it enters the Gateway, and the type of interface group through which it
exits the Gateway. The interfaces are divided into three main groups:
internal, external, and VPN interfaces. Traffic going into a VPN tunnel, or
coming out of a VPN tunnel, is considered to have passed through a VPN
interface. VPN interfaces are referenced by their associated VPN Community.

The Directional VPN Rule Match is configured in the VPN column of the Rule
Base, which can now contain the format of A > B, where A and B each
represent an interface group. Such a rule would match on traffic entering the
Gateway from interface group A, and leave the Gateway through interface
group B.

Interface Groups

The following is a list of available interface groups:

Existing VPN Community: the default MyIntranet Community, the Remote Access
Community, or a user-defined Community.

All_Communities: represents the VPN tunnels of all Communities, including
the Remote Access Community.

All_GwToGw: represents the VPN tunnels of all site-to-site Communities,
i.e., any Community except the Remote Access Community.

Internal_clear: represents all interfaces designated as "internal".

External_clear: represents all interfaces designated as "external".

Any Traffic: wild card that matches any type of traffic.

EXAMPLES

Consider the following VPN rule:

Rule 1: Source Any; Destination Any; VPN Internal_clear > MyIntranet;
Service ftp; Action accept; Track Log.

Directional VPN Rule Match — One Direction

This rule accepts FTP traffic intercepted on any of the Gateway's internal
interfaces, which is about to enter a tunnel in the MyIntranet VPN
Community.

A route-based VPN makes it possible to not define VPN Domains, while a
Directional VPN Rule Match makes it possible to not specify IP addresses for
a rule match.

More than one Directional VPN Rule Match condition can be specified in a
single rule. Consider the following rule:

Rule 1: Source Any; Destination Any; VPN Internal_clear > MyIntranet and
MyIntranet > Internal_clear; Services ftp, pop-3; Action accept; Track Log.

Directional VPN Rule Match — Both Directions

The above rule can be installed on two or more Gateways that are members of
MyIntranet. For each FTP and POP3 connection routed on the tunnel between
them, the rule matches on one Gateway when traffic passes from an internal
interface into the VPN tunnel, and the same rule matches on the other
Gateway when traffic leaves the VPN tunnel and passes to an internal
interface.

Consider the following example:

Rule 1: Source Any; Destination Any; VPN Internal_clear > Community_A and
Internal_clear > Community_B; Service http; Action accept; Track Log.

Directional VPN Rule Match — Between Communities

A connection may dynamically change its route without breaking. For example,
the above rule allows HTTP traffic to be initiated from the internal
interface side and routed into either the Community_A or the Community_B
VPN tunnel. The routing can change dynamically between these two
Communities, without breaking the connection.
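The matching described above, as an added Python example for this section (not Check Point code): the three rules from the figures plus a Cleanup Rule, evaluated top-down against the interface group a packet entered through and the group it leaves through. The community names MyIntranet, Community_A and Community_B and the service names are taken from the text; the RemoteAccess name, the set of site-to-site Communities, and the rule numbering are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Interface groups from the table in this section. A packet's direction is the
# group it entered the Gateway through and the group it leaves through; a VPN
# tunnel is referenced by its Community name.
INTERNAL, EXTERNAL, ANY_TRAFFIC = "Internal_clear", "External_clear", "Any Traffic"
ALL_COMMUNITIES, ALL_GWTOGW = "All_Communities", "All_GwToGw"
REMOTE_ACCESS = "RemoteAccess"                                 # assumed name
SITE_TO_SITE = {"MyIntranet", "Community_A", "Community_B"}     # assumed set


def group_matches(rule_group: str, actual: str) -> bool:
    """Does a group named in the VPN column cover the concrete group a packet used?"""
    if rule_group == ANY_TRAFFIC:
        return True
    if rule_group == ALL_COMMUNITIES:
        return actual in SITE_TO_SITE or actual == REMOTE_ACCESS
    if rule_group == ALL_GWTOGW:
        return actual in SITE_TO_SITE
    return rule_group == actual


@dataclass(frozen=True)
class Rule:
    number: int
    directions: Tuple[Tuple[str, str], ...]   # (A, B) pairs meaning "A > B"; empty = Any Traffic
    services: Tuple[str, ...]                 # "Any" matches every service
    action: str

    def matches(self, entered: str, leaves: str, service: str) -> bool:
        if "Any" not in self.services and service not in self.services:
            return False
        if not self.directions:
            return True
        return any(group_matches(a, entered) and group_matches(b, leaves)
                   for a, b in self.directions)


RULES = (
    Rule(1, ((INTERNAL, "MyIntranet"),), ("ftp",), "accept"),
    Rule(2, ((INTERNAL, "MyIntranet"), ("MyIntranet", INTERNAL)), ("ftp", "pop-3"), "accept"),
    Rule(3, ((INTERNAL, "Community_A"), (INTERNAL, "Community_B")), ("http",), "accept"),
    Rule(4, (), ("Any",), "drop"),            # Cleanup Rule
)


def first_match(entered: str, leaves: str, service: str, rules=RULES) -> Optional[Rule]:
    """Rule Base evaluation is top-down; the first matching rule wins."""
    for rule in rules:
        if rule.matches(entered, leaves, service):
            return rule
    return None


def decide(entered: str, leaves: str, service: str, rules=RULES) -> str:
    rule = first_match(entered, leaves, service, rules)
    return f"rule {rule.number}: {rule.action}" if rule else "no match"


if __name__ == "__main__":
    for case in [(INTERNAL, "MyIntranet", "ftp"), ("MyIntranet", INTERNAL, "pop-3"),
                 (INTERNAL, "Community_B", "http"), ("Community_A", INTERNAL, "http"),
                 (EXTERNAL, "MyIntranet", "ftp")]:
        print(case, "->", decide(*case))
```

Note that the same rule 2 matches on both peers of a tunnel, once for the outbound direction and once for the inbound one, which is what lets a single rule be installed on every member of the Community; rule 3 shows that HTTP arriving from a Community towards the internal side is not covered and falls through to the Cleanup Rule.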

TUNNEL MANAGEMENT

In VPN-1 NGX, there are two types of VPN tunnel management:

Permanent Tunnels — This feature keeps VPN tunnels active, allowing real-
time monitoring capabilities.

VPN Tunnel Sharing — This feature provides greater interoperability and
scalability between Gateways. It also controls the number of VPN tunnels
created between peer Gateways.

Permanent Tunnels

As companies have become more dependent on VPNs for communication to other
sites, uninterrupted connectivity has become more crucial than ever before.
It is essential to make sure VPN tunnels are kept up and running. Permanent
Tunnels are constantly kept active and, as a result, make it easier to
recognize malfunctions and connectivity problems. Security Administrators
can monitor the two sides of a VPN tunnel, and identify problems without
delay. Each VPN tunnel in a Community may be set to be a Permanent Tunnel.
Since Permanent Tunnels are constantly monitored, if a VPN tunnel fails for
some reason, a log, alert, or user-defined action can be issued. A VPN tunnel
is monitored by periodically sending tunnel-test packets. As long as
responses to the packets are received, the VPN tunnel is considered "up". If
no response is received within a given time period, the VPN tunnel is
considered "down".

Permanent Tunnels can only be established between Check Point Gateways.
The configuration of Permanent Tunnels takes place on Community objects.
There are three options to configure a Permanent Tunnel:

• For the entire Community; this option sets every VPN tunnel in the
Community as permanent.
• For a specific Gateway; use this option to configure specific Gateways to
have Permanent Tunnels.
• For a single VPN tunnel; this feature allows configuring specific tunnels
between specific Gateways as permanent.

TUNNEL TESTING

A tunnel test is a proprietary Check Point protocol that is used to test whether
VPN tunnels are active. A tunnel-test packet has an arbitrary length, with only
the first byte containing meaningful data — the type field.

The type field can take any of the following values:

1 - Test

2 - Reply

3 - Connect

4 - Connected

Tunnel testing requires two Gateways, one configured as a "Pinger" and one as
a "responder". The Pinger Gateway uses the VPN daemon (vpnd) to send
encrypted tunnel-testing packets to the responder Gateway. The responder
Gateway is configured to listen on port 18234 for these tunnel-testing
packets. The Pinger sends type 1 or 3; the responder sends a packet of
identical length, with type 2 or 4 respectively. During the connect phase,
tunnel testing is used in two ways:

1. A Connect message is sent to the Gateway. Receipt of the Connected reply
is the indication that the connection succeeded. Connect messages are
retransmitted for up to 10 seconds after the IKE negotiation is over, if no
response is received.
2. A series of Test messages with various lengths is sent, so as to discover
the Path Maximum Transmission Unit (PMTU) of the connection. This may also
take up to 10 seconds. This test is executed to ensure that TCP packets that
are too large are not sent: TCP packets that are too large are fragmented,
which slows down performance.
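Both sides of the exchange above, as an added Python example for this section (not Check Point's vpnd): build_packet puts the type in the first byte and pads to the requested length, respond answers Test/Connect with Reply/Connected of identical length, and the Pinger uses those replies first to confirm the tunnel (connect_phase) and then to find the largest test packet that still comes back (discover_pmtu). The encrypted tunnel itself is replaced by make_tunnel, a constructed stand-in that silently drops anything over a chosen path MTU; the 64-byte Connect size, the retry count and the 576..1500 search range are assumptions of the example, not values from the text.

```python
from typing import Callable, Optional

TUNNEL_TEST_PORT = 18234                       # responder listens here (from the text)
TEST, REPLY, CONNECT, CONNECTED = 1, 2, 3, 4   # values of the type field
REPLY_FOR = {TEST: REPLY, CONNECT: CONNECTED}


def build_packet(ptype: int, length: int) -> bytes:
    """Only the first byte (the type) carries meaning; the rest is padding."""
    if ptype not in (TEST, REPLY, CONNECT, CONNECTED) or length < 1:
        raise ValueError("invalid tunnel-test packet")
    return bytes([ptype]) + b"\x00" * (length - 1)


def respond(packet: bytes) -> Optional[bytes]:
    """Responder side: a Test or Connect is answered with a Reply or Connected
    of identical length; anything else is ignored."""
    if not packet or packet[0] not in REPLY_FOR:
        return None
    return build_packet(REPLY_FOR[packet[0]], len(packet))


Send = Callable[[bytes], Optional[bytes]]


def make_tunnel(path_mtu: int) -> Send:
    """Constructed stand-in for the encrypted tunnel between the two Gateways:
    a packet larger than the path MTU is lost without any error (the case PMTU
    discovery exists for); everything else reaches the responder."""
    def send(packet: bytes) -> Optional[bytes]:
        if len(packet) > path_mtu:
            return None
        return respond(packet)
    return send


def connect_phase(send: Send, retries: int = 3, size: int = 64) -> bool:
    """Pinger, step 1: Connect is retransmitted until a Connected reply arrives."""
    for _ in range(retries):
        reply = send(build_packet(CONNECT, size))
        if reply is not None and reply[0] == CONNECTED and len(reply) == size:
            return True
    return False


def discover_pmtu(send: Send, lo: int = 576, hi: int = 1500) -> int:
    """Pinger, step 2: binary-search the largest Test packet that still gets a
    Reply of the same length. Returns 0 if even the smallest probe is lost."""
    best = 0
    while lo <= hi:
        mid = (lo + hi) // 2
        reply = send(build_packet(TEST, mid))
        if reply is not None and reply[0] == REPLY and len(reply) == mid:
            best, lo = mid, mid + 1
        else:
            hi = mid - 1
    return best


if __name__ == "__main__":
    tunnel = make_tunnel(path_mtu=1400)
    print("connected:", connect_phase(tunnel))
    print("PMTU:", discover_pmtu(tunnel))
```

Checking the reply's length as well as its type is what makes the probe meaningful: a responder that answered every Test with a short Reply would report a path as healthy at sizes the path cannot actually carry.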

VPN Tunnel Sharing

Since various vendors implement IPsec tunnels in a number of different ways,
Administrators need to cope with different means of implementing the IPsec
framework. VPN Tunnel Sharing provides interoperability and scalability, by
controlling the number of VPN tunnels created between peer Gateways. There
are three available settings:

1. One VPN Tunnel per each pair of hosts
2. One VPN Tunnel per subnet pair
3. One VPN Tunnel per Gateway pair

Tunnel-Management Configuration

Tunnel management is configured in the Community object:

Screenshot: Tunnel Management screen (Meshed Community Properties > Tunnel
Management). Permanent Tunnels: "Set Permanent Tunnels" (On all tunnels in
the community / On all tunnels of specific Gateways / On specific tunnels in
the community); "Enable Route Injection Mechanism (RIM)"; Tunnel down track
(for example, Popup Alert); Tunnel up track. VPN Tunnel Sharing: "Control
the number of VPN tunnels opened between peer Gateways" (One VPN tunnel per
each pair of hosts / One VPN tunnel per subnet pair / One VPN tunnel per
Gateway pair).

PERMANENT-TUNNEL CONFIGURATION

To set VPN tunnels as permanent, select Set Permanent Tunnels. The following
Permanent Tunnel modes are then made available:

• On all tunnels in the community
• On all tunnels of specific Gateways
• On specific tunnels in the community

To make all VPN tunnels permanent in a Community, select On all tunnels in
the community.

To make all VPN tunnels of specific Gateways permanent, select On all tunnels
of specific Gateways. Select the specific Gateways you want, and all VPN
tunnels to those Gateways will be set as permanent.

Screenshot: Specific Gateways screen. "Select gateways to set permanent
tunnels with their peer gateways": Community Members (Branch-Office-gw,
Corporate-Cluster-1, Corporate-Cluster-2, Remote-3-gw, Remote-4-gw,
Remote-5-gw) and Selected Gateways (Remote-1-gw, Remote-2-gw), with a
Gateway Tunnel Properties button. Note: in case of a conflict between the
tunnel properties of two gateways, the default tunnel properties defined on
the community will be used.

Tracking options can be configured for specific Gateways' VPN tunnels in the
Gateway Tunnel Properties screen. Use Community Track Options is the default
setting; alternatively, you can select specific tracking options:

Screenshot: Gateway Tunnel Properties screen. "Set the track options for the
permanent tunnels of the selected gateways": Use Community Track Options, or
Set specific track options for these tunnels (Tunnel down track; Tunnel up
track, for example Log).

To configure specific tunnels in a Community to be permanent, select On
specific tunnels in the community, then click the Set Permanent Tunnels
button.

Screenshot: Select Permanent Tunnels screen. Show all member gateways / Show
only specific gateways; a matrix of member gateways (Remote-1-gw to
Remote-4-gw) whose cells represent the tunnels between them; Select All
Tunnels; "Select tunnel between" All Member Gateways and All Member
Gateways; Selected Tunnel Properties.

In the above screenshot, to make the tunnel between Remote-1-gw and
Remote-3-gw permanent, click in the cell at the intersection of Remote-1-gw
and Remote-3-gw, where a permanent tunnel is required.

1. Click Selected Tunnel Properties, and the Tunnel Properties screen is
displayed:

Screenshot: Tunnel Properties screen. Tunnel endpoints (Remote-1-gw and
Remote-3-gw); "Set these tunnels to be permanent tunnels"; Use Community
Track Options, or Set specific track options for these tunnels.

2. Select Set these tunnels to be permanent tunnels.
3. Click OK.

TRACKING OPTIONS

Several types of alerts can be configured to keep Administrators up-to-date
on the status of VPN tunnels. Tracking settings can be configured on the
Tunnel Management screen of the Community Properties screen for all VPN
tunnels, or they can be set individually when configuring the permanent
tunnels themselves. The different options are Log, Popup Alert, Mail Alert,
SNMP Trap Alert, and User Defined Alert. Choosing one of these alert types
enables immediate identification of a problem and the ability to respond
more effectively.

ADVANCED PERMANENT-TUNNEL CONFIGURATION

Several attributes allow for customization of tunnel tests and intervals for
permanent tunnels:

1. In SmartDashboard, select Global Properties > SmartDashboard
Customization.
2. Click Configure. The Advanced configuration screen is displayed.
3. Click VPN Advanced Properties > Tunnel Management to view the following
attributes:

Attribute: life_sign_timeout
Purpose: Designates the amount of time the tunnel test runs without a
response before the peer host is declared down.

Attribute: life_sign_transmitter_interval
Purpose: Sets the time between tunnel tests.

Attribute: life_sign_retransmissions_count
Purpose: When a tunnel test does not receive a reply, another test is resent
to confirm that the peer is down. The Life Sign Retransmission Count is the
number of times the tunnel test is resent without receiving a response.

Attribute: life_sign_retransmissions_interval
Purpose: Sets the time between tunnel tests that are resent, after a tunnel
test does not receive a response from the peer.

Attribute: cluster_status_polling_interval (relevant for HA Clusters only)
Purpose: Sets the time between tunnel tests between a primary Gateway and a
backup Gateway. The tunnel test is sent by the backup Gateway. When there is
no reply, the backup Gateway will become active.

Attribute: RIM_inject_peer_interfaces
Purpose: Injects the peer's internal network into the routing table (in a
Hide NAT situation).

VPN Tunnel Sharing Configuration

VPN Tunnel Sharing provides greater interoperability and scalability, by
controlling the number of VPN tunnels created between peer Gateways. VPN
Tunnel Sharing can be configured on both the VPN Community and the gateway
object.

Tunnel Sharing can be configured as follows:

• One VPN tunnel per each pair of hosts: a VPN tunnel is created for each
pair of hosts that initiates a session.
• One VPN tunnel per subnet pair: once a VPN tunnel has been opened between
two subnets, subsequent sessions between the same subnets share the same VPN
tunnel. This is the default setting, and is compliant with the IPsec
industry standard.
• One VPN tunnel per Gateway pair: one VPN tunnel is created between peer
Gateways and shared by all hosts behind each peer Gateway.

If there is a conflict between the tunnel properties of a VPN Community and
a gateway object that is a member of that same Community, the "stricter"
setting is used. For example, if a gateway object is set to One VPN Tunnel
per each pair of hosts and the Community object is set to One VPN Tunnel per
subnet pair, VPN Tunnel Sharing will use One VPN Tunnel per each pair of
hosts.
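How the three settings and the conflict rule play out on real connections: an added Python example for this section, not Check Point code. tunnel_key returns the identity of the tunnel a connection would use under each setting, so counting distinct keys over a sample of connections shows how many tunnels (IPsec SA pairs) each mode opens, and effective_sharing applies the "stricter setting wins" rule. The topology (192.168.14.0/24 behind Gateway_A and 192.168.16.0/24 behind Gateway_C, from the three-site figure, plus an assumed second network 192.168.17.0/24 behind Gateway_C) and the connection sample are constructed for the example.

```python
import ipaddress
from typing import Dict, List, Tuple

PER_HOST, PER_SUBNET, PER_GATEWAY = "host_pair", "subnet_pair", "gateway_pair"
# Rank of each mode: a higher rank opens more tunnels and is the "stricter" one.
STRICTNESS = {PER_GATEWAY: 0, PER_SUBNET: 1, PER_HOST: 2}


def effective_sharing(community_setting: str, gateway_setting: str) -> str:
    """Conflict between the Community and a member gateway object: stricter wins."""
    return max(community_setting, gateway_setting, key=STRICTNESS.__getitem__)


# gateway name -> networks behind it (constructed from the three-site figure;
# 192.168.17.0/24 behind Gateway_C is an extra network assumed for the example)
TOPOLOGY: Dict[str, List[str]] = {
    "Gateway_A": ["192.168.14.0/24"],
    "Gateway_C": ["192.168.16.0/24", "192.168.17.0/24"],
}


def locate(ip: str, topology: Dict[str, List[str]] = TOPOLOGY) -> Tuple[str, str]:
    """(gateway, network) protecting a host; raises if the host is behind no Gateway."""
    addr = ipaddress.ip_address(ip)
    for gw, nets in topology.items():
        for net in nets:
            if addr in ipaddress.ip_network(net):
                return gw, net
    raise LookupError(f"{ip} is not behind any Gateway")


def tunnel_key(setting: str, src: str, dst: str,
               topology: Dict[str, List[str]] = TOPOLOGY) -> Tuple[str, str]:
    """Identity of the tunnel a src->dst connection uses under the given setting."""
    src_gw, src_net = locate(src, topology)
    dst_gw, dst_net = locate(dst, topology)
    if setting == PER_HOST:
        return (src, dst)
    if setting == PER_SUBNET:
        return (src_net, dst_net)
    if setting == PER_GATEWAY:
        return (src_gw, dst_gw)
    raise ValueError(f"unknown tunnel sharing setting {setting!r}")


def count_tunnels(setting: str, connections: List[Tuple[str, str]],
                  topology: Dict[str, List[str]] = TOPOLOGY) -> int:
    """Number of distinct tunnels the connection sample opens under the setting."""
    return len({tunnel_key(setting, s, d, topology) for s, d in connections})


# Constructed sample: three hosts behind A talking to hosts on both of C's networks.
CONNECTIONS: List[Tuple[str, str]] = [
    ("192.168.14.10", "192.168.16.20"),
    ("192.168.14.10", "192.168.16.21"),
    ("192.168.14.11", "192.168.16.20"),
    ("192.168.14.10", "192.168.17.5"),
    ("192.168.14.12", "192.168.17.5"),
]

if __name__ == "__main__":
    for mode in (PER_HOST, PER_SUBNET, PER_GATEWAY):
        print(f"{mode:13s}: {count_tunnels(mode, CONNECTIONS)} tunnel(s)")
    print("community=subnet_pair, gateway=host_pair ->",
          effective_sharing(PER_SUBNET, PER_HOST))
```

The per-host count grows with every new client/server pair, which is the interoperability cost of that setting against a peer that negotiates one SA per pair; the per-Gateway count is always one, which is the simplest to monitor but puts every host behind both Gateways into a single selector.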

LAB 12: ROUTE-BASED VPN USING STATIC ROUTES

Scenario: In this lab, you will set up route-based VPNs for the four sites in
the figure below. You will create VTIs on these SecurePlatform Pro Gateways.
You will add static routes on the Gateways, to reach peers' internal networks
through the correct VTI. In this lab, each site has its own SmartCenter Server
on the internal Web server (www.citysite.cp). SmartConsole is installed with
the SmartCenter Server. To provide VPN redundancy, you will enable a third
interface on the Gateway. The third interface will use the IP address
192.168.xx. The third interfaces of two cities connect to one hub.

Figure: Route-Based VPN. fwrome (PartnerCity) and fwoslo (YourCity) at the
top, fwtoronto (PartnerCity) and fwmadrid (PartnerCity) at the bottom;
fwtoronto has VTIs 192.168.137.31 and 192.168.137.32, fwmadrid has VTIs
192.168.137.41 and 192.168.137.42, with the 192.168.137.31 and 192.168.137.41
VTIs linked to each other.
REINSTALL VPN-1 NGX IN A DISTRIBUTED INSTALLATION

This lab requires VPN-1 NGX to be running in a distributed installation.

1. Reinstall SecurePlatform as an NGX SecurePlatform Pro Security Gateway,
using the same IP addresses as listed in the "Check Point Security
Administration NGX III" chapter of this handbook.
2. Uninstall SecureClient NGX from webyourcity.
3. Install the SmartCenter Server on webyourcity.
4. Recreate the objects as listed in the "Check Point Security Administration
NGX III" chapter of this handbook, with the addition of a gateway object for
fwyourcity, and a host object www.yourcity.cp using the same IP address as
webyourcity. Configure your fwyourcity object with FireWall and VPN
installed.
5. Rebuild the default Policy as listed in the "Check Point Security
Administration NGX III" chapter of this handbook. Verify that the Policy is
similar to the following:

Default Policy (Oslo site):

1. NetBIOS Rule: Source Any; Destination Any; VPN Any Traffic; Services nbt,
bootp, rip; Action drop; Track None.
2. SSH Access Rule: Source Net_Oslo; Destination fwoslo; VPN Any Traffic;
Service ssh; Action accept; Track Log.
3. Stealth Rule: Source Any; Destination fwoslo; VPN Any Traffic; Service
Any; Action drop; Track Log.
4. Web Server Rule: Source Any; Destination www.oslo.cp; VPN Any Traffic;
Service http; Action accept; Track Log.
5. Partner Cities Rule: Source Net_Oslo, Net_Madrid; Destination Net_Madrid,
Net_Oslo; VPN Any Traffic; Service ftp; Action accept; Track Log.
6. Internet Access Rule: Source Net_Oslo; Destination Any; VPN Any Traffic;
Service http; Action accept; Track Log.
7. Cleanup Rule: Source Any; Destination Any; VPN Any Traffic; Service Any;
Action drop; Track Log.

CONFIGURE FWYOURCITY TO JOIN THE MYINTRANET COMMUNITY

1. Log in to your site's SmartCenter Server in SmartDashboard.
2. Create a simple group object named "novpndomain", and leave the object
empty.

3. Edit the Topology screen of fwyourcity. Select Manually Defined under VPN
domain options.
4. Select the simple group object novpndomain, and click OK.

CONFIGURE FWPARTNERCITY GATEWAYS TO JOIN THE MYINTRANET COMMUNITY

1. Create externally managed VPN gateway objects for the other three peer
Gateways.
2. Select SecurePlatform Pro as the OS.
3. Select Firewall and VPN in the Check Point products list.
4. In the Topology screen for each fwpartnercity gateway object, select
Manually defined, under VPN domain options.
5. Select the simple group object novpndomain, and click OK.
6. Save the Policy.

ADD PARTICIPATING GATEWAYS TO MYINTRANET

1. From the main menu, select Manage > VPN Communities.
2. From the VPN Communities screen, select MyIntranet and click Edit.
3. On the Meshed Community Properties - MyIntranet screen, select
Participating Gateways from the tree.
4. Add the three externally managed VPN gateway objects you just created
and fwyourcity to the MyIntranet Community.
5. Under Advanced Settings, select Shared Secret.
6. Check the box Use only Shared Secret for all External members.
7. Enter the pre-shared secret abc123 for all external members.
8. Create a new Policy Package with a simple Rule Base, like the following:

Simple Rule Base:

1. Source Any; Destination Any; VPN Any Traffic; Service http; Action
accept; Track Log.
2. Source Any; Destination Any; VPN Any Traffic; Service Any; Action drop;
Track Log.

9. Verify and install the Policy.

CREATE VTIS ON FWYOURCITY

1. Connect to fwyourcity in Expert Mode.
2. The information in the following table will be used to configure the
VTIs:

City        VTI Name          VTI Addressing Convention   VTI IP Addresses
Rome        vti-fwrome        192.168.137.1x              192.168.137.10, .11, .12
Oslo        vti-fwoslo        192.168.137.2x              192.168.137.20, .21, .22
Toronto     vti-fwtoronto     192.168.137.3x              192.168.137.30, .31, .32
Madrid      vti-fwmadrid      192.168.137.4x              192.168.137.40, .41, .42
Zurich      vti-fwzurich      192.168.138.5x              192.168.138.50, .51, .52
Sydney      vti-fwsydney      192.168.138.6x              192.168.138.60, .61, .62
Cambridge   vti-fwcambridge   192.168.138.7x              192.168.138.70, .71, .72
Singapore   vti-fwsingapore   192.168.138.8x              192.168.138.80, .81, .82
The table above divides the standard lab topology (as outlined in the "Check
Point Security Administration NGX III" chapter of this handbook) into two
groups of four city sites, with regard to the VTI IP addressing scheme.

3. Run the vpn shell command to enter vpn shell and configure VTIs.
The syntax for the command is as follows:
vpn shell interface add numbered <Local VTI IP> <Remote VTI IP>
<Peer Gateway object name> <VTI name>
Use the naming and addressing conventions to configure VTI
addressing, so that the VTI IP addresses between fwyourcity's and
fwpartnercity's VTIs end with .x0, the tunnel to the city site
across from yours (according to the topology) ends with .x1,
and the tunnel from your site to your partner site ends with .x2.

The following figure illustrates this correlation:

VTI IP Correlations for 192.168.137.xx VTIs (figure): Rome VTIs 192.168.137.1x, Oslo VTIs 192.168.137.2x, Toronto VTIs 192.168.137.3x and Madrid VTIs 192.168.137.4x, with the tunnels pairing .10 with .30, .11 with .21, .12 with .42, .20 with .40, .22 with .32 and .31 with .41; Zurich VTIs 192.168.138.5x, Sydney VTIs 192.168.138.6x, Cambridge VTIs 192.168.138.7x and Singapore VTIs 192.168.138.8x, with the tunnels pairing .50 with .70, .51 with .61, .52 with .82, .60 with .80, .62 with .72 and .71 with .81.

For example, the VTIs would be configured on fwrome by entering the
following at the vpn shell prompt:

interface add numbered 192.168.137.10 192.168.137.30 fwtoronto vt-fwtoronto
interface add numbered 192.168.137.11 192.168.137.21 fwoslo vt-fwoslo
interface add numbered 192.168.137.12 192.168.137.42 fwmadrid vt-fwmadrid


4. Verify the VTIs in vpn shell. Using fwrome, for example, the output is
similar to the following:
VPN shell:[/] > show/interface/summary/all

Interface      Peer Name   Peer ID        Status
vt-fwmadrid    fwmadrid    172.24.104.1   attached
vt-fwoslo      fwoslo      172.22.102.1   attached
vt-fwtoronto   fwtoronto   172.23.103.1   attached

5. Use the .. command to return to the top level of vpn shell, then type quit
to leave vpn shell and return to Expert Mode.
6. Type quit to return to Expert Mode.

CONFIGURE VTI TOPOLOGY IN GATEWAY OBJECT

1. After VTIs are created successfully on the four Gateways via the command
line, open fwyourcity's gateway object's Topology screen in
SmartDashboard on the SmartCenter Server.
2. Click the Get button and select Get interfaces with topology. This will
retrieve the newly created VTIs. This example is for fwoslo:

Name           IP Address        Network Mask       IP Addresses behind interface
eth0           172.22.102.1      255.255.0.0        External
eth1           10.2.2.1          255.255.255.0      This Network
eth2           192.168.2.1       255.255.255.0      This Network
vt-fwmadrid    192.168.137.22    255.255.255.255    External
vt-fwrome      192.168.137.20    255.255.255.255    External
vt-fwtoronto   192.168.137.21    255.255.255.255    External

fwoslo Topology Screen with VTIs

If you attempt to edit VTI interfaces, the VTI interface settings are gray in
the General screen. The screen shows local IP addresses and the remote peer
Gateway's name and IP address.

3. [Step text not recovered from the scan; the surviving fragments refer to the VTI tab of all VTIs, a setting that is to be set for the VTI, and clicking OK.]
4. Verify and install the Policy.

ADD STATIC ROUTES TO INTERNAL NETWORKS

Your Gateway   Peer Internal Network and Netmask   Peer VTI Address
fwrome         10.1.3.0/24                         192.168.137.30
               10.2.2.0/24                         192.168.137.21
               10.2.4.0/24                         192.168.137.42
fwoslo         10.2.4.0/24                         192.168.137.40
               10.1.1.0/24                         192.168.137.11
               10.1.3.0/24                         192.168.137.32
fwtoronto      10.1.1.0/24                         192.168.137.10
               10.2.4.0/24                         192.168.137.41
               10.2.2.0/24                         192.168.137.22
fwmadrid       10.2.2.0/24                         192.168.137.20
               10.1.3.0/24                         192.168.137.31
               10.1.1.0/24                         192.168.137.12
fwzurich       10.3.7.0/24                         192.168.138.70
               10.4.6.0/24                         192.168.138.61
               10.4.8.0/24                         192.168.138.82
fwsydney       10.4.8.0/24                         192.168.138.80
               10.3.5.0/24                         192.168.138.51
               10.3.7.0/24                         192.168.138.72
fwcambridge    10.3.5.0/24                         192.168.138.50
               10.4.8.0/24                         192.168.138.81
               10.4.6.0/24                         192.168.138.62
fwsingapore    10.4.6.0/24                         192.168.138.60
               10.3.7.0/24                         192.168.138.71
               10.3.5.0/24                         192.168.138.52

1. Add static routes to the internal networks of other sites using sysconfig.
Use the above table for the network address of the internal network, and the
VTI IP address of the peers.

Adding Network Routes via sysconfig

2. Connect via HTTP from each site's internal Web server to another site's
server.
3. Launch SmartView Tracker. Verify HTTP traffic is encrypted and
decrypted by the correct Gateway.


4. The outbound traffic from the local network will show in SmartView
Tracker from the internal interface of your fwyourcity, while inbound traffic
will show as arriving on the VTI from that partner city.
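The VTI addressing table in CREATE VTIS ON FWYOURCITY and the static-route table above follow a single pairing rule, and it is easy to mistype one end of a tunnel. The following Python script, an added example that is not part of this handbook, derives both tables from that rule so they can be generated and cross-checked rather than copied by hand. It assumes the 2x2 layout of the VTI correlation figure (index 0..3 = top-left, top-right, bottom-left, bottom-right), the last-digit convention read off the fwrome example (vertical pairs .x0, horizontal pairs .x1, diagonal pairs .x2) and the vt-<peer> VTI names of the vpn shell example; GROUP1, GROUP2 and the function names are this example's own.

```python
"""VTI addressing and static-route planner for the Lab 12 topology.

Added example, not code from the Check Point handbook. For each gateway in a
four-site group it derives the `interface add numbered` lines the lab has you
type in vpn shell and the static routes from the "ADD STATIC ROUTES TO
INTERNAL NETWORKS" table, so the two tables can be cross-checked.

Assumptions (read off the lab's tables, the VTI correlation figure and the
fwrome example; GROUP1, GROUP2 and the function names are this example's own):
- the four sites of a group form a 2x2 square, index 0..3 = top-left,
  top-right, bottom-left, bottom-right (Rome, Oslo, Toronto, Madrid);
- vertically paired sites use last digit 0, horizontally paired sites 1 and
  diagonally paired sites 2, at both ends of the tunnel;
- VTI names use the "vt-<peer gateway>" form of the vpn shell example.
"""
from typing import Dict, List, Tuple

# Square positions -> last digit shared by both ends of that tunnel.
PAIR_DIGIT: Dict[Tuple[int, int], int] = {
    (0, 2): 0, (1, 3): 0,   # vertical tunnels end in .x0
    (0, 1): 1, (2, 3): 1,   # horizontal tunnels end in .x1
    (0, 3): 2, (1, 2): 2,   # diagonal tunnels end in .x2
}


class Site:
    """Gateway object name, its internal network, and the tens digit x of
    its VTI convention <base>.x0 / .x1 / .x2."""

    def __init__(self, gateway: str, internal_net: str, tens: int) -> None:
        self.gateway = gateway
        self.internal_net = internal_net
        self.tens = tens


GROUP1 = ("192.168.137", [Site("fwrome", "10.1.1.0/24", 1), Site("fwoslo", "10.2.2.0/24", 2),
                          Site("fwtoronto", "10.1.3.0/24", 3), Site("fwmadrid", "10.2.4.0/24", 4)])
GROUP2 = ("192.168.138", [Site("fwzurich", "10.3.5.0/24", 5), Site("fwsydney", "10.4.6.0/24", 6),
                          Site("fwcambridge", "10.3.7.0/24", 7), Site("fwsingapore", "10.4.8.0/24", 8)])


def tunnel_digit(a: int, b: int) -> int:
    return PAIR_DIGIT[(min(a, b), max(a, b))]


def vti_address(base: str, site: Site, digit: int) -> str:
    return f"{base}.{site.tens}{digit}"


def vpn_shell_commands(base: str, sites: List[Site], me: int) -> List[str]:
    """vpn shell lines for site `me`: local VTI IP, remote VTI IP, peer
    gateway object name, VTI name."""
    lines = []
    for idx, peer in enumerate(sites):
        if idx == me:
            continue
        digit = tunnel_digit(me, idx)
        local, remote = vti_address(base, sites[me], digit), vti_address(base, peer, digit)
        lines.append(f"interface add numbered {local} {remote} {peer.gateway} vt-{peer.gateway}")
    return lines


def static_routes(base: str, sites: List[Site], me: int) -> List[Tuple[str, str]]:
    """(peer internal network, next hop) pairs for site `me`: the next hop is
    the peer's end of the VTI between the two sites."""
    return [(peer.internal_net, vti_address(base, peer, tunnel_digit(me, idx)))
            for idx, peer in enumerate(sites) if idx != me]


def addresses_unique(base: str, sites: List[Site]) -> bool:
    """Every VTI in the group must get its own address (12 per group)."""
    local_ips = {line.split()[3]
                 for me in range(len(sites)) for line in vpn_shell_commands(base, sites, me)}
    return len(local_ips) == len(sites) * (len(sites) - 1)


def routes_match_tunnels(base: str, sites: List[Site]) -> bool:
    """Cross-check the two tables: the next hop of my static route to a peer
    must be exactly the remote address I gave vpn shell for that peer."""
    for me in range(len(sites)):
        remote_by_peer = {parts[5]: parts[4]
                          for parts in (l.split() for l in vpn_shell_commands(base, sites, me))}
        for net, nexthop in static_routes(base, sites, me):
            peer = next(s for s in sites if s.internal_net == net)
            if remote_by_peer[peer.gateway] != nexthop:
                return False
    return True


if __name__ == "__main__":
    for base, sites in (GROUP1, GROUP2):
        for me, site in enumerate(sites):
            print(f"# {site.gateway}")
            print("\n".join(vpn_shell_commands(base, sites, me)))
            for net, hop in static_routes(base, sites, me):
                print(f"route to {net} via {hop}")
        print("tables consistent:", addresses_unique(base, sites) and routes_match_tunnels(base, sites))
```

Running the script prints, for each gateway, the three vpn shell lines and the three routes to enter via sysconfig; for fwrome they are the lines shown under CREATE VTIS ON FWYOURCITY and the first three rows of the table above. The `routes_match_tunnels` check is the useful part in practice: a route whose next hop is not the remote end of the matching VTI is the typical cause of traffic that is routed but never encrypted.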

ENABLE VPN DIRECTIONAL RULE MATCH

1. In SmartDashboard, select Policy > Global Properties > VPN Advanced,
and check the box Enable VPN Directional Match in VPN Column:

VPN Directional Match in VPN Selected (screenshot of Global Properties > VPN > Advanced, with the box Enable VPN Directional Match in VPN Column checked)

2. Click OK.
3. Highlight your Partner Cities Rule, and select Rules > Add Rule > Below.


4. In the rule just created, name the rule "Outbound VPN", and use the
following table to configure it:

Source Any
Destination Any
VPN Any Traffic
Service HTTP, FTP
Action Accept
Track Log

5. Right-click on the VPN column of the rule you have just created, and select
the Edit Cell option.
6. In the VPN Match Conditions screen, select Match Traffic in this direction
only, and click Add.
7. Configure the Directional VPN Match Condition screen as follows:

Match on traffic reaching the Gateway from: Internal_clear
Match on traffic leaving the Gateway To: MyIntranet

Directional VPN Match Condition Screen

8. Click OK to close the screen, and click OK again to close the VPN Match
Conditions screen.
9. Set the action as Accept and the tracking as Log.


10. Add a rule below the Outbound VPN rule, named "VPN Inbound Rule".
Use the following information to configure the rule:

Source Any
Destination Any
VPN MyIntranet > Internal_clear
Service HTTP, FTP
Action Accept
Track Log

11. Verify that your rules look like the following:

VPN OutBound Rule   Any   Any   Internal_clear > MyIntranet   http, ftp   accept   Log
VPN InBound Rule    Any   Any   MyIntranet > Internal_clear   http, ftp   accept   Log

VPN Directional Rules

12. Disable the following rules:
• Webserver Rule
• Partner Cities Rule
• Internet Access Rule
13. Verify and install the Policy.

VPN directional rules can limit traffic, as do Source and
Destination in a standard rule. In circumstances where a partner
site is not completely trusted, source and destination objects
could be configured in the VPN directional rule as an added layer
of security.

14. Initiate HTTP traffic from webyourcity to one of your partner cities. Have
that partner initiate traffic to you.


15. Locate the traffic in SmartView Tracker. You should see outbound traffic
being logged from fwyourcity's internal interface, while inbound traffic will
be logged from the VTI for that partner city:

Number               1297
Date                 14Apr2006
Time                 13:17:23
Product              VPN-1 Pro/Express
Interface            eth1
Origin               fwoslo (172.22.102.1)
Type                 Log
Action               Encrypt
Protocol             tcp
Service              http (80)
Source               www.oslo.cp (10.2.2.102)
Destination          10.2.4.104
Rule                 6
Current Rule Number  6-Standard
Rule UID             {3E04E9FD-C52B-4716-9311-DF4FC2D95E34}
Rule Name            VPN OutBound Rule
Source Port          1451
User
Encryption Scheme    IKE
VPN Peer Gateway     fwmadrid (172.24.104.1)
Encryption Methods   ESP: AES-128 + MD5
Community            MyIntranet
Subproduct           VPN
VPN Feature          VPN
Information          service_id: http
Policy Info          Policy Name: Standard
                     Created at: Fri Apr 14 13:16:31 2006
                     Installed from: weboslo

SmartView Tracker: Outbound Traffic


Source
Destination
Rule
Current Rule Number
Rule UID
Rule Name
Source Port
User
Encryption Scheme    IKE
VPN Peer Gateway     fwmadrid (172.24.104.1)
Encryption Methods   ESP: AES-128 + MD5
Community            MyIntranet
Subproduct           VPN
VPN Feature          VPN
Information          service_id: http
Policy Info          Policy Name: Standard
                     Created at: Fri Apr 14 13:28:30 2006
                     Installed from: weboslo

SmartView Tracker: Inbound Traffic

CONFIGURE WIRE MODE

In this section, three of the four sites in each group participate. The members
participating in the first group include: Rome, Oslo, and Toronto. Madrid will
not participate. For group two, Singapore is not participating. For the
instructions, replace Rome with Zurich, Oslo with Cambridge, and Toronto
with Sydney.

1. Enable Wire mode on each of the participating Gateways:
Open fwyourcity > VPN > VPN Advanced, and select Support Wire Mode
and Log Wire mode traffic.


2. On each of the participating gateway objects, edit the MyIntranet
community object. Select Advanced Settings > Wire mode, and select
Allow uninspected encrypted traffic ... fwrome also selects Wire Mode
routing.

Wire Mode Properties for fwrome (and fwzurich) (screenshot of MyIntranet > Advanced Settings > Wire mode, with "Allow uninspected encrypted traffic between Wire mode interfaces of this Community's members" and "Wire mode routing - Allow members to route uninspected encrypted traffic in VPN routing configurations" selected)

3. Verify and install the Policy.
4. fwoslo opens an FTP session to fwtoronto. Run ls to query the directory.
5. Verify in SmartView Tracker that the FTP session is using the configured
VTI.
6. fwoslo and fwtoronto edit their routing tables using sysconfig, deleting the
routes to each other's internal networks via their respective VTIs.
7. fwoslo and fwtoronto use sysconfig to add new network routes to each
other's internal networks, using their VTIs to fwrome as the Gateway.
8. fwoslo reissues an ls command to query the directory in the FTP session.

On fwoslo and fwtoronto, verify in SmartView Tracker that the FTP session
was encrypted:

SmartView Tracker for fwtoronto (screenshot of the FTP session entries from 14Apr2006, origin fwtoronto, TCP ftp from 10.2.2.102 to www.toronto.cp)


On fwrome verify Wire Mode routing was in effect:

Number               855
Date                 14Apr2006
Time                 17:47:36
Product              VPN-1 Pro/Express
Interface            vt-fwoslo
Origin               fwrome (172.21.101.1)
Type                 Log
Action               VPN Routing
Protocol             tcp
Service              ftp (21)
Source               www.oslo.cp (10.2.2.102)
Destination          www.toronto.cp (10.1.3.103)
Rule                 0 - Implied Rules
Current Rule Number
Rule Name
Source Port          1612
User
Information          connectivity level: Wire
                     dst scheme: IKE
                     dst methods: ESP: AES-128 + MD5
                     dst peer gateway: fwtoronto
                     dst community: MyIntranet
Policy Info          Policy Name: Standard
                     Created at: Fri Apr 14 17:33:25 2006
                     Installed from: webrome

VPN Routing Wire Mode Log

Continue to next lab.

Lab 13: Dynamic VPN Routing Using OSPF

LAB 13: DYNAMIC VPN ROUTING USING OSPF

Scenario: Configure OSPF on participating Security Gateways, to access
networks behind Gateways via VTI.

Dynamic VPN Routing Using OSPF (figure): fwrome (PartnerCity) with VTIs 192.168.137.10, 192.168.137.11 and 192.168.137.12; fwoslo (YourCity) with VTIs 192.168.137.20, 192.168.137.21 and 192.168.137.22; fwtoronto (PartnerCity) with VTIs 192.168.137.30, 192.168.137.31 and 192.168.137.32; fwmadrid (PartnerCity) with VTIs 192.168.137.40, 192.168.137.41 and 192.168.137.42; the 192.168.22.x sync network (192.168.22.101 shown) between the sites.


UPDATE THE POLICY FOR OSPF ROUTING

1. In SmartDashboard > MyIntranet > Advanced VPN settings, enable Allow
uninspected encrypted traffic ... and Wire Mode routing.
2. Click OK to close the Mylntranet VPN community.
3. From fwyourcity > VPN > Advanced properties, select Support Wire Mode
and Log Wire mode traffic. Assign your sync network interface (eth2) to the
Wire Mode community object.
4. Add a rule below your VPN Inbound Rule. Configure the rule using the
following information:

Name         Wire Mode Rule
Source       Any
Destination  Any
VPN          MyIntranet ==> MyIntranet
Service      HTTP, FTP
Action       accept
Track        Log

All four members of each group now have the same Wire Mode
configuration.

5. Delete your Web server access rule.
6. Create a new host object using the following information:

Name multicast-ospf
IP address 224.0.0.5

7. Create a new network object using the following information:

Name             VTINetworks
Network Address  192.168.137.0
Network Mask     255.255.255.0


8. In the Policy, add a rule above the Stealth Rule. Configure it using the
following information:

Name         OSPF Broadcast Rule
Source       VTINetworks, Synch_yourcity_partnercity
Destination  fwyourcity, multicast-ospf
VPN          Any Traffic
Service      ospf
Action       accept
Track        Log

9. Verify that your Policy is configured similar to the following:

OSPF Routing-Enabled Policy (screenshot of the fwoslo Rule Base): 1 NetBIOS Rule (Any to Any, Any Traffic, drop); 2 SSH Access Rule (Net_Oslo to fwoslo, Any Traffic, ssh, accept); 3 OSPF Broadcast Rule (VTI_Networks and Synch_Oslo_Madrid to fwoslo and multicast-ospf, Any Traffic, ospf, accept, Log); 4 Stealth Rule (Any to fwoslo, Any Traffic, Any, drop, Log); 5 Partner Cities Rule (Net_Madrid and Net_Oslo, http, accept, Log); 6 VPN OutBound Rule (Any to Any, Internal_clear to MyIntranet, http and ftp, accept, Log); 7 VPN InBound Rule (Any to Any, MyIntranet to Internal_clear, http and ftp, accept, Log); 8 Wire Mode Rule (Any to Any, MyIntranet to MyIntranet, http and ftp, accept, Log); 9 Internet Access Rule (Net_Oslo to Any, Any Traffic, http, accept, Log); 10 Cleanup Rule (Any to Any, Any, drop, Log)

10. Save, but do not install the Policy.

City Site Interfaces and VTIs (table, partly illegible in the scan). The recoverable entries put each city's eth1 in that city's own OSPF area and eth2 and the VTIs in area 0.0.0.0: Rome (172.21.101.1) area 10.0.0.0; Oslo (172.22.102.1) area 20.0.0.0; Toronto (172.23.103.1) area 30.0.0.0; Madrid (172.24.104.1) area 40.0.0.0; Zurich (172.25.105.1) area 50.0.0.0; Sydney (172.26.106.1) area 60.0.0.0; Cambridge (172.27.107.1) area 70.0.0.0; Singapore (172.28.108.1) area 80.0.0.0.
CONFIGURE OSPF ON FWYOURCITY

conf 11

1.

router ospf 1 creates an OSPF routing instance. 1 is the
RECONFIGURE ANTI-SPOOFING ON FWYOURCITY

OSPF configuration has now defined how the GateD daemon will handle any
traffic coming to the interfaces and VTIs. Allowing this traffic through
VPN-1 NGX requires reconfiguring anti-spoofing:

1. Right-click fwyourcity and select Edit.
2. Expand the Topology branch from the Properties screen, and click the Get
button.
3. Select Interfaces with Topology from the drop-down list. A warning
message displays:

Anti-Spoofing Warning (SmartDashboard dialog): Topology and Anti-Spoofing settings that are already defined will be overwritten by results of this operation that contradict them, if any. Do you want to continue?

4. Click Yes. A status screen opens, showing SmartDashboard attempting to
fetch the topology information. On completion, a notice opens about the
Topology fetch being incomplete:

Topology Fetch Incomplete (dialog): Topology fetch was incomplete. To make Anti-Spoofing work correctly, accept the results, and then manually edit the topology definitions.


The Get Topology Results screen opens, showing the interfaces as they are
defined in the fwyourcity object. Since VPN-1 NGX is querying routing
information from the operating system, VTIs are considered interfaces by
anti-spoofing.

The topology was retrieved successfully.
The following table shows every interface found for the given machine.
Networks (or a group of them) that reside behind each interface are also shown here.

Name                     IP Address        Network Mask       Direction
eth0                     172.22.102.1      255.255.0.0        External
vt-fwrome                192.168.137.21    255.255.255.255    External
eth1                     10.2.2.1          255.255.255.0      Internal
eth2                     192.168.22.102    255.255.255.0      Internal
  fwoslo_eth2 (group)
    Synch_Oslo_Madrid    192.168.22.0      255.255.255.0
    Net_192.168.137.31   192.168.137.31    255.255.255.255
    Net_192.168.137.12   192.168.137.12    255.255.255.255
    Net_Madrid           10.2.4.0          255.255.255.0
Legend: New object created; Existing object was used.

Get Topology Results Screen

Notice that networks made accessible by configuring OSPF
areas in the operating system are included in the simple
group attached to eth2, the physical interface configured as
part of OSPF area 0.0.0.0.

5. Click Accept. The Get Topology Results screen closes.

7. Click OK to close fwyourcity.
8. Save and install the Policy.

VERIFY ROUTES AND OSPF CONFIGURATION

Verify with your classmates that OSPF is configured on all four Gateways. Run
the show ip ospf neighbor and show ip route commands in router privileged

enable

show ip ospf nei

4. Review the output. The example below shows fwoslo output:

Neighbor 172.24.104.1, interface address 192.168.22.104
    In area 0.0.0.0 interface eth2
    Neighbor priority is 1, state is Full 7 state changes
    DR is 192.168.22.104 BDR is 192.168.22.102
    Options is 18
    Dead timer is due in 38 seconds
Neighbor 172.23.103.1, interface address 192.168.137.32
    Neighbor priority is 0, state is Full 7 state changes
    DR is 0.0.0.0 BDR is 0.0.0.0
    Options is 18
    Dead timer is due in 33 seconds


The output will be similar to the following:

Codes: C - connected, S - static, R - RIP, B - BGP, O - OSPF
       D - DVMRP, 3 - OSPF3, I - IS-IS, K - Kernel
       A - Aggregate

K 0.0.0.0/0 [0/40] via 172.22.102.2, 05:21:46, eth0
O 10.1.1.0/24 [20/10] via 192.168.137.11, 03:44:26, vt-fwrome
O 10.1.3.0/24 [20/10] via 192.168.137.32, 03:41:56, vt-fwtoronto
C 10.2.2.0/24 [1/0] via 10.2.2.1, 05:21:45, eth1
O 10.2.4.0/24 [20/10] via 192.168.22.104, 03:45:29, eth2
S 127.0.0.0/8 [0/0] via 127.0.0.1, 05:21:45, lo
C 127.0.0.1/32 [1/0] via 127.0.0.1, 05:21:45, lo
C 172.22.0.0/16 [1/0] via 172.22.102.1, 05:21:45, eth0
C 192.168.22.0/24 [1/0] via 192.168.22.102, 05:21:45, eth2
C 192.168.137.11/32 [1/0] via 192.168.137.21, 05:21:45, vt-fwrome
O 192.168.137.12/32 [20/10] via 192.168.22.104, 03:45:29, eth2
C 192.168.137.20/32 [1/0] via 127.0.0.1, 05:21:45, lo
C 192.168.137.21/32 [1/0] via 127.0.0.1, 05:21:45, lo
C 192.168.137.22/32 [1/0] via 127.0.0.1, 05:21:45, lo
O 192.168.137.31/32 [20/10] via 192.168.22.104, 03:45:29, eth2
C 192.168.137.32/32 [1/0] via 192.168.137.22, 05:21:45, vt-fwtoronto
C 192.168.137.40/32 [1/0] via 192.168.137.20, 05:21:45, vt-fwmadrid
O 192.168.137.41/32 [20/10] via 192.168.137.32, 03:41:56, vt-fwtoronto
O 192.168.137.42/32 [20/10] via 192.168.137.11, 03:44:26, vt-fwrome

As the output of show ip route shows, networks available through OSPF area
0.0.0.0 are listed as OSPF-created routes. Only the kernel and loopback routes
are shown as coming from the network routing configuration. Connected routes
are created from the VTI definitions in vpn shell.
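The same verification can be scripted instead of read by eye. The following Python parser is an added example that is not part of this handbook: it reads the show ip route and show ip ospf neighbor output shown above (reproduced here as the fwoslo sample so the script runs offline), counts routes by origin code, reports for each peer internal network whether it is reached by an OSPF route and over which interface, and checks that every adjacency is in state Full. PEER_NETWORKS and the function names are this example's own.

```python
"""Parsers for the GateD `show ip route` and `show ip ospf neighbor` output
shown in Lab 13, plus the checks to run after enabling OSPF.

Added example, not code from the Check Point handbook. SAMPLE_ROUTES and
SAMPLE_NEIGHBORS reproduce the fwoslo output printed in the lab so the script
runs offline; PEER_NETWORKS and the function names are this example's own.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

SAMPLE_ROUTES = """\
Codes: C - connected, S - static, R - RIP, B - BGP, O - OSPF
       D - DVMRP, 3 - OSPF3, I - IS-IS, K - Kernel
       A - Aggregate

K 0.0.0.0/0 [0/40] via 172.22.102.2, 05:21:46, eth0
O 10.1.1.0/24 [20/10] via 192.168.137.11, 03:44:26, vt-fwrome
O 10.1.3.0/24 [20/10] via 192.168.137.32, 03:41:56, vt-fwtoronto
C 10.2.2.0/24 [1/0] via 10.2.2.1, 05:21:45, eth1
O 10.2.4.0/24 [20/10] via 192.168.22.104, 03:45:29, eth2
S 127.0.0.0/8 [0/0] via 127.0.0.1, 05:21:45, lo
C 127.0.0.1/32 [1/0] via 127.0.0.1, 05:21:45, lo
C 172.22.0.0/16 [1/0] via 172.22.102.1, 05:21:45, eth0
C 192.168.22.0/24 [1/0] via 192.168.22.102, 05:21:45, eth2
C 192.168.137.11/32 [1/0] via 192.168.137.21, 05:21:45, vt-fwrome
O 192.168.137.12/32 [20/10] via 192.168.22.104, 03:45:29, eth2
C 192.168.137.20/32 [1/0] via 127.0.0.1, 05:21:45, lo
C 192.168.137.21/32 [1/0] via 127.0.0.1, 05:21:45, lo
C 192.168.137.22/32 [1/0] via 127.0.0.1, 05:21:45, lo
O 192.168.137.31/32 [20/10] via 192.168.22.104, 03:45:29, eth2
C 192.168.137.32/32 [1/0] via 192.168.137.22, 05:21:45, vt-fwtoronto
C 192.168.137.40/32 [1/0] via 192.168.137.20, 05:21:45, vt-fwmadrid
O 192.168.137.41/32 [20/10] via 192.168.137.32, 03:41:56, vt-fwtoronto
O 192.168.137.42/32 [20/10] via 192.168.137.11, 03:44:26, vt-fwrome
"""

SAMPLE_NEIGHBORS = """\
Neighbor 172.24.104.1, interface address 192.168.22.104
    In area 0.0.0.0 interface eth2
    Neighbor priority is 1, state is Full 7 state changes
    DR is 192.168.22.104 BDR is 192.168.22.102
    Options is 18
    Dead timer is due in 38 seconds
Neighbor 172.23.103.1, interface address 192.168.137.32
    Neighbor priority is 0, state is Full 7 state changes
    DR is 0.0.0.0 BDR is 0.0.0.0
    Options is 18
    Dead timer is due in 33 seconds
"""

PEER_NETWORKS = ["10.1.1.0/24", "10.1.3.0/24", "10.2.4.0/24"]  # Rome, Toronto, Madrid (assumed list)


class Route(NamedTuple):
    code: str      # C connected, S static, K kernel, O OSPF, ...
    prefix: str
    nexthop: str
    iface: str


# e.g. "O 10.1.1.0/24 [20/10] via 192.168.137.11, 03:44:26, vt-fwrome"
ROUTE_RE = re.compile(r"^([A-Z0-9])\s+(\S+)\s+\[(\d+)/(\d+)\]\s+via\s+(\S+),\s+(\S+),\s+(\S+)$")


def parse_routes(text: str) -> List[Route]:
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:  # the "Codes:" legend lines lack the [distance/metric] field and never match
            code, prefix, _dist, _metric, nexthop, _uptime, iface = m.groups()
            routes.append(Route(code, prefix, nexthop, iface))
    return routes


def by_code(routes: List[Route]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for r in routes:
        counts[r.code] = counts.get(r.code, 0) + 1
    return counts


def peer_network_paths(routes: List[Route], nets: List[str]) -> Dict[str, Optional[Tuple[str, str]]]:
    """For each peer internal network: (route code, egress interface), or
    None when the Gateway has no route to it at all."""
    table = {r.prefix: r for r in routes}
    return {n: (table[n].code, table[n].iface) if n in table else None for n in nets}


def parse_neighbors(text: str) -> List[dict]:
    """One dict per neighbor; area/iface stay None when that line is absent."""
    neighbors: List[dict] = []
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"Neighbor (\S+), interface address (\S+)", line)
        if m:
            neighbors.append({"id": m[1], "address": m[2], "area": None, "iface": None, "state": None})
            continue
        if not neighbors:
            continue
        m = re.match(r"In area (\S+) interface (\S+)", line)
        if m:
            neighbors[-1]["area"], neighbors[-1]["iface"] = m[1], m[2]
            continue
        m = re.search(r"state is (\w+)", line)
        if m:
            neighbors[-1]["state"] = m[1]
    return neighbors


def all_adjacencies_full(neighbors: List[dict]) -> bool:
    """True only when there is at least one neighbor and every one is Full."""
    return bool(neighbors) and all(n["state"] == "Full" for n in neighbors)
```

Calling `peer_network_paths(parse_routes(SAMPLE_ROUTES), PEER_NETWORKS)` on the fwoslo sample shows that Rome's and Toronto's networks are learned over VTIs but Madrid's 10.2.4.0/24 is learned over eth2, the sync link to the partner city. That is the routing reason for what the next section observes: traffic to the partner city stays cleartext (the Partner Cities Rule) until that link is unplugged and OSPF reconverges onto the VTI.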

TEST VPN TUNNELS

1. Start an HTTP or FTP connection from your Web server, to a host behind
one of the V P N Peer Gateways.
2. Observe in SmartView Tracker that the connection is decrypted by the peer
Gateway on the correct VTI.

3. Start an HTTP or FTP connection to your partner city.


4. Observe in SmartView Tracker that the connection is shown as a cleartext
connection, allowed via the Partner Cities Rule:

SmartView Tracker Entries for Three Peer Sites of fwoslo (screenshot): entries 5823 to 5853, 17Apr2006 18:58 to 18:59, origin fwoslo, TCP http from www.oslo.cp (10.2.2.102) to 10.1.3.103 (rule 6) and to 10.2.4.104 (rule 5)

5. Unplug one side of the leased-line connection between you and your
partner city.
6. Reinitiate an HTTP or FTP connection to your partner city.


7. Observe in SmartView Tracker that the connection is now encrypted:

Encrypted Traffic Between fwoslo and fwmadrid (screenshot): entries 5862 to 5892, 17Apr2006 18:59:55 to 19:00:21, from www.oslo.cp to 10.1.3.103 and 10.1.1.101 (rule 6) and to 10.2.4.104 (rule 5)


8. Verify with one of your VPN peer cities that traffic has passed through its
site, based on the Wire Mode configuration:

Wire Mode Traffic Between fwoslo and fwmadrid (screenshot): entries from 17Apr2006 with origin fwrome, TCP http between www.oslo.cp, www.madrid.cp and www.rome.cp

Review

REVIEW

• Route-based VPNs can encrypt traffic between hosts or networks not
specified in a Security Gateway's VPN Domain.
• VPN Tunnel Interfaces (VTIs) are configured with VPN-1 NGX, but work at
the OS level, using either static routes defined for the VTIs or dynamic-
routing protocols.
• Route-based VPNs expand on VPN Domains, but do not replace them.
When VPN-1 NGX determines what to do with a packet, VPN Domain state
tables are checked first. If no information is found for the packet, OS routing
tables are used to verify whether or not routes for the VTIs are configured.
• Open Shortest Path First (OSPF) relies on multicast protocols and can only
be used with VTIs.
• A VTI-associated tunnel behaves like a point-to-point link between two
Gateways. The tunnel and its properties are defined by a VPN Community
linking the two Gateways.
• A VTI can be configured to work with a VPN Domain on a peer, but a VTI-
to-VTI tunnel is the recommended configuration.
• VTIs can be numbered or unnumbered. A numbered VTI will have a unique
IP address assigned to it, while an unnumbered VTI will use a proxied IP
address from a physical interface. SecurePlatform Pro uses numbered VTIs,
while Nokia IPSO uses unnumbered.
• Dynamic routing (using protocols such as BGP and OSPF) can be used to
propagate routing information across VPNs, or between Security Gateways.
• Dynamic routing's key advantage is that if a specific VPN path fails, a new
route can be established from OSPF routing information.
• SecurePlatform Pro NGX natively supports the following dynamic-routing
protocols: OSPF, BGP, RIPv1, and RIPv2. The following multicast protocols
are also supported: PIM-SM, PIM-DM, and IGMP.
• GateD is the daemon that supports dynamic routing on SecurePlatform, and
is activated by enabling Advanced Routing using the cpconfig utility.
• Wire Mode is a new feature in VPN-1 NGX that allows a failover
mechanism, where Stateful Inspection is bypassed on any interim Gateways
between VPN end points.


Review Questions

1. Your colleague left work in the middle of configuring your SecurePlatform
Pro Gateway for OSPF route-based VPNs. His configuration notes indicate
that he was in the process of configuring the interfaces using the GateD
Command Line Interface. Which of the following commands would give
you the most general overview of where your colleague's notes left off?

A.) localhost.localdomain# show interface
B.) localhost.localdomain# show running-config
C.) localhost.localdomain# show ip route
D.) localhost.localdomain# show history

2. A route-based VPN is configured between your site and a partner site for
specific machines on subnets in your internal networks. Each site also has a
standard VPN Domain defined, containing these subnets. Will VPN traffic
be logged in SmartView Tracker as encrypting via the VTI or the VPN
Domain?

A.) The VTI, because the host-based VPN will take precedence over the
subnet-based VPN.
B.) The VPN Domain, because subnet-based VPNs will take precedence over
VTI host-based VPNs.
C.) The VTI, because VTIs take precedence over VPNs in VPN-1 NGX.
D.) The VPN Domain, because VTIs only expand the function of VPN
Domains, not replace them.

Review Answers

1. Your colleague left work in the middle of configuring your SecurePlatform
Pro Gateway for OSPF route-based VPNs. His configuration notes indicate
that he was in the process of configuring the interfaces using the GateD
Command Line Interface. Which of the following commands would give
you the most general overview of where your colleague's notes left off?

D. localhost.localdomain# show history

2. A route-based VPN is configured between your site and a partner site for
specific machines on subnets in your internal networks. Each site also has a
standard VPN Domain defined, containing these subnets. Will VPN traffic
be logged in SmartView Tracker as encrypting via the VTI or the VPN
Domain?

D. The VPN Domain, because VTIs only expand the function of VPN
Domains, not replace them.

3. You have a VPN configured between your NGX Security Gateway and a
partner company's Cisco VPN concentrator. You and your partner
company's Administrator agree that tunnels between these devices need to
be consistently active, and that there also needs to be some redundancy
available in the tunnels. Which of the following configurations would be
best suited for this situation?

Dynamically routed VPNs with Tunnel Sharing configured between subnets

CHAPTER 11: CLUSTERXL

This chapter covers best practices for configuring and testing ClusterXL, and
provides troubleshooting steps and commands.

Objectives

1. Implement and test ClusterXL by following Check Point configuration
recommendations.
2. Troubleshoot ClusterXL problems, using cphaprob and other related
commands.

Key Terms

cphaprob
cpstat
fw ctl debug -m cluster all

408
Aquaforest TIFF Junction Evaluation

Configuration Recommendations

CONFIGURATION RECOMMENDATIONS
iiiiiiiiiiiiiiiiiiiiiiiiii•iiiiiiiiiiiiiiiiiiiiiii

These configuration tips will avert the more common problems resulting from
misconfiguration of ClusterXL.

Recommendations for ClusterXL

• ClusterXL should be installed in a distributed environment. The
SmartCenter Server cannot be installed on any cluster member. If an NGX
Gateway is installed on the SmartCenter Server, this is called a stand-alone
installation, and that Gateway cannot be added to the cluster as a member.
• The SmartCenter Server does not have to be on the local network with the
cluster. If it is local, the Server can be located in any segment of the cluster.
Static routes may be necessary to reach the cluster members for Policy
installation and logging purposes, if the member-gateway objects do not
use IP addresses from the same network segment as the SmartCenter Server.
For example, if the member-gateway objects have 172.22.102.1 and
172.22.102.2 in their General Properties screens, but the SmartCenter Server
is in the 172.16.10.x /24 network, the SmartCenter Server should have a
default Gateway pointing to 172.16.10.x (the virtual IP address on that
network). But if the cluster fails over, SIC might fail, because the SmartCenter
Server does not know how to reach 172.22.102.1 and 172.22.102.2. Static
routes are necessary in this case.
• The SmartCenter Server's HotFix Accumulator (HFA) level must be equal to
or higher than the cluster members' HFA levels. When an HFA is to be
applied to a cluster, it must be applied to the SmartCenter Server before
being applied to any cluster member.
• Other than the synchronization network(s), every non-secured network must
have at least one other machine connected to its hub or switch, because the
Cluster Control Protocol (CCP) will try to Ping other hosts in the network. If
there is no response from other IP addresses in a network, CCP cannot verify
whether other members are alive. This can cause ClusterXL instability.
• All cluster members must run on the same OS, with the same version and
patch level.

Troubleshooting ClusterXL

The following table lists and explains cphaprob switches:

Switch              Explanation

register            Register <device> as a critical process.

-d <device>         The name of the device as it will appear in the output of
                    cphaprob list.

-t <timeout>        If <device> fails to contact the ClusterXL members in
                    <timeout> seconds, <device> will be considered to have
                    failed. To disable this parameter, enter 0 as the time-out
                    value. The state will then stay as last reported, until
                    explicitly reported.

-s                  Status to be reported:
                    ok - <device> is alive,
                    init - <device> is initializing,
                    problem - <device> has failed.

-f <file> register  Option to automatically register several devices; the file
                    named in the <file> field should contain the list of
                    devices, with the following parameters:
                    • Device name
                    • Time-out
                    • State

unregister          Unregister <device> as a critical process; -a unregister
                    will unregister all devices.

report              Report the status of <device> to the Security Gateway.

list                Display the state of:
                    -i - internal (as well as external) devices, such as interface
                    check, High Availability (HA) initialization, and so on.
                    -e - external devices, such as devices registered by the user
                    or outside the kernel; for example, fwd, sync, filter.
                    -i [a] - all devices, including those used for internal
                    purposes, such as pnote initialization, load-balance
                    configuration, and so on.

state               Display the state of this and all other Security Gateways in
                    the HA configuration.

if                  Display the state of interfaces; -a will give additional
                    information per interface, such as secured, shared, and so
                    on.

A [...] registered by <device> should run cphaprob -s ok [...] to [...] is no
[...] in the process [...].

To see the state of a specific member, or of all members of the cluster, run
the following on a member:

# cphaprob state

Cluster Mode: New High Availability (Active Up)

Number     Unique Address  Assigned Load   State
1 (local)  192.168.1.1     0%              standby
2          192.168.1.2     100%            active

In the above example, the cluster mode is New mode HA, Active Up. The [...]
priority for HA. In New mode HA, only one member is active; the other member
is in the standby state. In Load Sharing (Multicast) mode, the output looks
like this:

Cluster Mode: Load Sharing (Multicast)

Number     Unique Address  Assigned Load   State
1 (local)  192.168.1.1     50%             active
2          192.168.1.2     50%             active


In Unicast mode, the output looks like this:

Cluster Mode: Load Sharing (Unicast)

Number     Unique Address  Assigned Load   State
1 (local)  192.168.1.1     30%             active (pivot)
2          192.168.1.2     70%             active

In the above example, the pivot machine is identified in the State field. The
pivot machine usually takes 30 percent of cluster traffic. The non-pivot machine
takes 70 percent of cluster traffic.

Third-party clustering products show active/active, even if one
of the members is in the standby state. This is because the
cphaprob state command only reports the status of the full
synchronization process. For IP clustering, cphaprob state gives
accurate cluster status. For VRRP, the status is accurate for a
Security Gateway, but it does not correctly reflect the status of
each IPSO member. (For example, it does not detect interface
failure.)
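As an added example (not code from the Check Point courseware), the following Python script parses cphaprob state output of the kinds shown above and applies the expectations this section describes: exactly one active member in New mode HA, every member active with loads summing to 100 percent in Load Sharing, and a single pivot in Unicast mode. The sample outputs, including the degraded one, are constructed for the example; their layout follows the listings on this page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed samples modelled on the cphaprob state listings in this chapter.
HA_SAMPLE = """\
Cluster Mode:   New High Availability (Active Up)

Number     Unique Address  Assigned Load   State

1 (local)  192.168.1.1     0%              standby
2          192.168.1.2     100%            active
"""

UNICAST_SAMPLE = """\
Cluster Mode:   Load Sharing (Unicast)

Number     Unique Address  Assigned Load   State

1 (local)  192.168.1.1     30%             active (pivot)
2          192.168.1.2     70%             active
"""

# Constructed failure case: the standby never took over after the active member went down.
DEGRADED_SAMPLE = """\
Cluster Mode:   New High Availability (Active Up)

Number     Unique Address  Assigned Load   State

1 (local)  192.168.1.1     0%              standby
2          192.168.1.2     0%              down
"""


@dataclass
class Member:
    number: int
    local: bool
    address: str
    load: int        # assigned load, percent
    state: str       # active, standby, down, ...
    pivot: bool      # Load Sharing Unicast pivot machine


MEMBER_RE = re.compile(
    r"^\s*(\d+)\s*(\(local\))?\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)%\s+(\w+)\s*(\(pivot\))?\s*$"
)


def parse_cphaprob_state(text: str) -> Tuple[Optional[str], List[Member]]:
    """Return (cluster mode, members) from cphaprob state output."""
    mode = None
    members: List[Member] = []
    for line in text.splitlines():
        if line.startswith("Cluster Mode:"):
            mode = line.split(":", 1)[1].strip()
            continue
        m = MEMBER_RE.match(line)
        if m:
            members.append(Member(
                number=int(m.group(1)),
                local=m.group(2) is not None,
                address=m.group(3),
                load=int(m.group(4)),
                state=m.group(5),
                pivot=m.group(6) is not None,
            ))
    return mode, members


def cluster_health(text: str) -> List[str]:
    """Check the parsed output against what each cluster mode should look like."""
    mode, members = parse_cphaprob_state(text)
    problems: List[str] = []
    if mode is None:
        return ["no 'Cluster Mode' line found"]
    active = [m for m in members if m.state == "active"]
    if not active:
        problems.append("no active member")
    if mode.startswith("New High Availability"):
        # New mode HA: exactly one member is active, the rest are standby.
        if len(active) > 1:
            problems.append("HA cluster has more than one active member")
        if any(m.state not in ("active", "standby") for m in members):
            problems.append("member not in active/standby state")
    elif mode.startswith("Load Sharing"):
        # Load Sharing: every member is active and the assigned loads add up to 100%.
        if len(active) != len(members):
            problems.append("Load Sharing cluster has a non-active member")
        if sum(m.load for m in active) != 100:
            problems.append("assigned load of active members does not sum to 100%")
        if "Unicast" in mode and sum(1 for m in members if m.pivot) != 1:
            problems.append("Unicast mode needs exactly one pivot")
    return problems
```

Run cluster_health on the captured output of each member in turn; because the third-party note above applies, treat an empty problem list from a VRRP or IP clustering member as a statement about synchronization only, not about its interfaces.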

cphaprob -a if

The cphaprob -a if command gives the state of cluster-member and virtual-
cluster interfaces. This example illustrates the output of the cphaprob -a if
command:

Required interfaces: 3
Required secured interfaces: 1

eth0 UP sync(secured), multicast
eth1 UP non sync(non secured), multicast
eth2 UP non sync(non secured), multicast

Virtual cluster interfaces: 2

eth1 172.28.108.3
eth2 10.4.8.3

A NOTE ABOUT INTERFACES

Interfaces are critical devices. ClusterXL checks the number of good interfaces,
and sets a value of required interfaces to the maximum number of good
interfaces seen since the last reboot. If the number of good interfaces is less
than the required number, ClusterXL initiates failover. A secured interface is
the synchronization interface. All other interfaces are labeled as non-secured.
Required interfaces should be identical to the cluster-member object's topology
information. The virtual cluster-interfaces list should be identical to the cluster
object's Topology screen. The number of required interfaces should be the same
among cluster members. The same is true for the number of required secured
interfaces.

When an interface is down, the interface can neither receive nor transmit CCP
packets. This may happen when an interface is malfunctioning, is connected to
an incorrect subnet, is unable to pick up multicast Ethernet packets, and so on.
The interface may also be able to receive but not transmit CCP packets, in
which case the status field is ready. The displayed time is the number of seconds
that have elapsed since the interface was last able to receive/transmit a CCP
packet. For third-party clustering products, except Nokia IP clustering products,
cphaprob -a if should always show virtual-cluster IP addresses.
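The following Python script is an added example, not Check Point code. It parses cphaprob -a if output from two members and checks the rules stated above: fewer good interfaces than required means a failover condition, and the required counts and the virtual cluster interface list must match between members. Member A reproduces the listing above; member B is constructed with a DOWN interface and a mistyped virtual IP, and the DOWN line format used for it (elapsed seconds in parentheses) is an assumption based on the description of the displayed time.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Member A: the cphaprob -a if listing shown above, as a constructed sample.
MEMBER_A = """\
Required interfaces: 3
Required secured interfaces: 1
eth0       UP                    sync(secured), multicast
eth1       UP                    non sync(non secured), multicast
eth2       UP                    non sync(non secured), multicast

Virtual cluster interfaces: 2
eth1       172.28.108.3
eth2       10.4.8.3
"""

# Member B: constructed to show two faults, an interface that has stopped passing
# CCP packets and a virtual cluster IP that does not match member A.
MEMBER_B = """\
Required interfaces: 3
Required secured interfaces: 1
eth0       UP                    sync(secured), multicast
eth1       UP                    non sync(non secured), multicast
eth2       DOWN (12.4 secs)      non sync(non secured), multicast

Virtual cluster interfaces: 2
eth1       172.28.108.3
eth2       10.4.8.33
"""

IF_RE = re.compile(
    r"^(\S+)\s+(UP|DOWN|ready)(?:\s*\(([\d.]+)\s*secs?\))?"
    r"\s+(sync|non sync)\((secured|non secured)\),\s*(\S+)$"
)
VIP_RE = re.compile(r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+)$")


@dataclass
class Interface:
    name: str
    status: str            # UP, DOWN or ready
    secured: bool          # the sync interface
    elapsed: float = 0.0   # seconds since the last CCP packet (shown for DOWN/ready)


@dataclass
class IfReport:
    required: int = 0
    required_secured: int = 0
    interfaces: Dict[str, Interface] = field(default_factory=dict)
    vips: Dict[str, str] = field(default_factory=dict)


def parse_cphaprob_if(text: str) -> IfReport:
    rep = IfReport()
    in_vip = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Required secured interfaces:"):
            rep.required_secured = int(line.split(":")[1])
        elif line.startswith("Required interfaces:"):
            rep.required = int(line.split(":")[1])
        elif line.startswith("Virtual cluster interfaces:"):
            in_vip = True
        elif in_vip:
            m = VIP_RE.match(line)
            if m:
                rep.vips[m.group(1)] = m.group(2)
        else:
            m = IF_RE.match(line)
            if m:
                rep.interfaces[m.group(1)] = Interface(
                    name=m.group(1), status=m.group(2),
                    secured=(m.group(5) == "secured"),
                    elapsed=float(m.group(3) or 0.0))
    return rep


def check_member(rep: IfReport) -> List[str]:
    """Fewer good (UP) interfaces than required means ClusterXL will fail over."""
    problems = []
    good = [i for i in rep.interfaces.values() if i.status == "UP"]
    if len(good) < rep.required:
        problems.append(f"{len(good)} of {rep.required} required interfaces up: failover condition")
    if sum(1 for i in good if i.secured) < rep.required_secured:
        problems.append("sync (secured) interface is not up")
    for i in rep.interfaces.values():
        if i.status != "UP":
            problems.append(f"{i.name} is {i.status}, no CCP packet for {i.elapsed} sec")
    return problems


def compare_members(a: IfReport, b: IfReport) -> List[str]:
    """Required counts and the virtual cluster interface list must match across members."""
    diffs = []
    if a.required != b.required:
        diffs.append(f"Required interfaces differ: {a.required} vs {b.required}")
    if a.required_secured != b.required_secured:
        diffs.append(f"Required secured interfaces differ: {a.required_secured} vs {b.required_secured}")
    if set(a.interfaces) != set(b.interfaces):
        diffs.append("interface names differ")
    if a.vips != b.vips:
        diffs.append(f"Virtual cluster interfaces differ: {a.vips} vs {b.vips}")
    return diffs
```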

Device Name: Filter
Registration number: 1
Timeout: none
Current state: OK
Time since last report: 89786.8 sec

Device Name: fwd
Registration number: 2
Timeout: 2 sec
Current state: OK
Time since last report: 0.8 sec

For Nokia IP clustering, the output is the same as [...] Check
Point ClusterXL Load Sharing. For [...]:

cphaprob -d <device> -s problem -t 0 [...]

The output of cpstat ha -f all looks like this:

HA started: yes
HA [...]
HA [...]: 2

Interface table
|Name |IP           |Status|  |  |  |
|eth0 |192.168.1.1  |Up    | 0| 1| 2|
|eth1 |172.28.108.1 |Up    | 0| 0| 2|
|[...]|10.4.8.1     |Up    | 0| 0| 2|
|[...]|10.6.8.1     |[...] | 0| 2|

Problem Notification table
|Name  |Status|  |  |
|fwd   |OK    | 0| 0|
|[...] |OK    | 0| 0|
|Filter|OK    | 0|  |

fw ctl debug -m cluster

fw ctl debug -m cluster [...] is used in [...]. [...] to understand. It is
[...] as follows:

1. Set the debug flag to 0:

fw ctl debug 0

2. Set the debug buffer size:

fw ctl debug -buf 1024 | 2048 | 4096 (in kilobytes)

3. Set the debug flag to miscellaneous:

fw ctl debug -m cluster <flag>

The all flag generates all of the following:

Kernel Flag    Description

conf           ClusterXL configuration
if             Interfaces monitoring and validation
stat           Cluster state changes
select         Packet selection by ClusterXL
ccp            CCP packet creation and handling
pnote          pnote devices
drop           Drops caused by SDF
mac
forward        Forwarding layer
df             Decision function

4. Run debug:

fw ctl kdebug -f > <file name>

5. Stop debugging by pressing CTRL + C, and turn debugging off:

fw ctl debug 0

fw ctl debug should be run on all cluster members, to [...] all cluste[r ...].

Q.) You have set up ClusterXL New mode HA. When the [...] is [...], [what]
can you do to [...]?

A.) Check hosts files on [...].

Q.) How do you ensure [...]?

A.) Try to Ping [...].

[...]

KERNEL FLAGS

DEFAULT BEHAVIOR

5. Since no probe-message reply is received but the Ping requests are
answered, the secondary concludes that its own interfaces are up and
working, and that the interface of the primary has failed. The
secondary announces, via state messages, that all of its own interfaces are
operational.
6. With this report from the secondary, the primary concludes the issue is with
its own interface, and changes its state to Down/Dead.
7. The secondary issues gratuitous ARPs for both the physical and cluster
address per IP segment, and changes its state to Active/Active-Attention.

NEW BEHAVIOR

With the two kernel flags set to true, the kernel includes a check of the link
state of all member interfaces. That is, when a cluster member does not receive
CCP packets on an interface, it runs a kernel procedure to check the link
state of that interface. If the member discovers the link state is down, it
sends a message through its working interfaces to the network, saying that
its interface is down. The standby member can then change its state to Active
without the Ping mechanism (since no hosts are available to Ping). The cluster
members will then know which member has a problem, and can change their
states to active accordingly. (The member that has the highest priority will be
active.)

fwha_restrict_mc_sockets (0 by Default)

DEFAULT BEHAVIOR

The multicast socket is opened by CCP when ClusterXL is set up.

NEW BEHAVIOR

Changing the value to 1 will open the multicast socket on synchronization
interfaces only.


fw_gratuitous_arp_timeout

This flag sets the gratuitous ARP time-out in deciseconds (one decisecond is
0.1 seconds); the default is 600 deciseconds.

fw_allow_connection_traffic_drop (1 by Default)

This flag controls the Flush and ACK mechanism on unestablished
connections.

FLUSH AND ACK

When a client and server start a TCP handshake through a cluster, the SYN
packet arrives at member A. Member A holds the SYN packet, synchronizes
it with member B, and then passes the SYN packet to its destination. When
the SYN-ACK packet comes from the server to the client, it arrives at member
B. With Flush and ACK, member B already has the SYN table entry, so member
B allows the SYN-ACK to pass through and return to the client.

DEFAULT BEHAVIOR

If the ACK packet from the client arrives at member A before member B has
synchronized the SYN-ACK with member A, member A drops the packet by
default. This may result in retransmissions and delays in some applications.

NEW BEHAVIOR

To allow this ACK packet, or any packet belonging to an unestablished
connection, turn the parameter off (change the value to 0).

fwha_allow_simultaneous_ping

This flag allows Pinging the virtual IP (VIP) during a [...].

DEFAULT BEHAVIOR

[...]

NEW BEHAVIOR

[...]

fwconn_merge_all_syncs

DEFAULT BEHAVIOR

In a Load Sharing configuration, some closed connections hang in the
connections table for an entire TCP session time-out. When an NGX cluster
member encounters FIN packets from both sides of a TCP connection, it lowers
the connection's time-out from the TCP session time-out (by default 3,600
seconds) to the TCP end-session time-out (typically set to less than 1 minute).
In Load Sharing configurations with asymmetric routing, one cluster member
can find a certain connection is established, while another member has already
encountered both FIN packets on the same session. When the machine with the
older connections table synchronizes with the machine with the newer
connections table, the more up-to-date machine may increase the connection's
time-out back to the TCP session time-out. The connection then stays in the
connections table long after it has closed. Such a scenario is also a possible DoS
attack.

NEW BEHAVIOR

When fwconn_merge_all_syncs is set to true, NGX cluster members synchronize
the TCP state correctly, and an older connection-table entry is not allowed to
override an updated one. This parameter can help short TCP connections in
Load Sharing configurations with asymmetric routing, such as with Static NAT,
VPNs, or third-party solutions.
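To make the race described for fwconn_merge_all_syncs concrete, here is an added model in Python; it is not Check Point's synchronization code, and the real connections table and sync protocol carry far more state than this. It reduces each entry to a TCP state and a time-out, uses the 3,600-second session time-out quoted above and an assumed 20-second end-session time-out, and shows that without the flag a stale "established" entry synced from the other member reinstates the long time-out on a connection that has already closed.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Time-outs in seconds. 3600 is the default TCP session time-out quoted in the text;
# the end-session value is an assumption ("typically set to less than 1 minute").
TCP_SESSION_TIMEOUT = 3600
TCP_END_TIMEOUT = 20

# How far a connection has progressed; a higher rank is the newer state.
STATE_RANK = {"established": 1, "fin_one_side": 2, "closing": 3}

ConnKey = Tuple[str, int, str, int]


@dataclass
class ConnEntry:
    state: str
    timeout: int


class Member:
    """A cluster member's connections table, reduced to state and time-out per entry."""

    def __init__(self, name: str, merge_all_syncs: bool):
        self.name = name
        self.merge_all_syncs = merge_all_syncs
        self.table: Dict[ConnKey, ConnEntry] = {}

    def see_handshake(self, key: ConnKey) -> None:
        self.table[key] = ConnEntry("established", TCP_SESSION_TIMEOUT)

    def see_fin(self, key: ConnKey) -> None:
        entry = self.table[key]
        if entry.state == "established":
            entry.state = "fin_one_side"
        elif entry.state == "fin_one_side":
            # FINs seen from both sides: lower the time-out to the end-session value.
            entry.state = "closing"
            entry.timeout = TCP_END_TIMEOUT

    def receive_sync(self, key: ConnKey, incoming: ConnEntry) -> None:
        """Apply an entry synced from the other member."""
        local = self.table.get(key)
        if local is None:
            self.table[key] = ConnEntry(incoming.state, incoming.timeout)
            return
        if self.merge_all_syncs and STATE_RANK[incoming.state] < STATE_RANK[local.state]:
            return  # fwconn_merge_all_syncs: an older entry may not override a newer one
        local.state, local.timeout = incoming.state, incoming.timeout


def asymmetric_close(merge_all_syncs: bool) -> Tuple[str, int]:
    """Return member B's (state, time-out) for a connection B saw close but A did not."""
    key: ConnKey = ("10.1.1.10", 40000, "10.4.8.3", 80)   # constructed client/server pair
    a = Member("A", merge_all_syncs)
    b = Member("B", merge_all_syncs)
    a.see_handshake(key)                  # client SYN crosses member A
    b.receive_sync(key, a.table[key])     # A syncs the new connection to B
    b.see_fin(key)                        # asymmetric routing: both FINs cross member B
    b.see_fin(key)
    b.receive_sync(key, a.table[key])     # A's periodic sync still says "established"
    entry = b.table[key]
    return entry.state, entry.timeout
```

With the flag off, asymmetric_close(False) leaves the closed connection on member B with the full 3,600-second time-out, which is the table-filling behaviour the text calls a possible DoS; with the flag on, the closing state and its short time-out survive the sync.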

fwtcpstr_reject_synced (On by Default)

When asymmetric routing exists in IPSO IP clustering configurations, the
connections are sometimes slow. If both of the following conditions are true,
disable this flag to improve connections. The conditions are:

1. Quick UFP is not used.
2. Packets going in the same direction on a specific connection always go
through the same cluster member.

LAB 14: MANUAL FAILOVER USING CPHAPROB -D DEVICE COMMAND

Scenario: In New mode HA and Load Sharing Pivot mode clusters, test
failover without bringing the active member down. Use the cphaprob -d
<device> -s problem register command to generate failover manually.

Objective: Use the cphaprob -d device command to generate a failover.

Topics:

• Running cphaprob -d <device> -s problem register to generate failover
• Running cphaprob state to verify cluster-member status
• Running cphaprob -d <device> unregister to reactivate the down member

Name          Standard Lab IP    ClusterXL Lab IP
fwrome        172.21.101.1       172.21.101.1
              10.1.1.1           10.1.1.1
              192.168.22.101     192.168.22.101
fwtoronto     172.23.103.1       172.21.101.4
              10.1.3.1           10.1.1.4
              192.168.22.103     192.168.22.103
webrome       10.1.1.101         10.1.1.101
webtoronto    10.1.3.103         10.1.1.103
Cluster IPs   N/A                172.21.101.5
                                 10.1.1.5
In [...]:

Name          Standard Lab IP    ClusterXL Lab IP
fwoslo        172.22.102.1       172.22.102.1
              10.2.2.1           10.2.2.1
              192.168.22.102     192.168.22.102
fwmadrid      172.24.104.1       172.22.102.4
              10.2.4.1           10.2.2.4
              192.168.22.104     192.168.22.104
weboslo       10.2.2.102         10.2.2.102
webmadrid     10.2.4.104         10.2.2.104
Cluster IPs   N/A                [...]
                                 10.2.2.5

In [...] Zurich's [...]:

Name          Standard Lab IP    ClusterXL Lab IP
fwzurich      172.25.105.1       172.25.105.1
              10.3.5.1           10.3.5.1
              192.168.22.105     192.168.22.105
fwcambridge   172.27.107.1       172.25.105.4
              10.3.7.1           10.3.5.4
              192.168.22.107     192.168.22.107
webzurich     10.3.5.105         10.3.5.105
[...]         10.3.7.107         10.3.5.107
Cluster IPs   N/A                [...]
                                 10.3.5.5
In [...] Sydney an[d ...] Sydney's [...]:

Name          Standard Lab IP    ClusterXL Lab IP
fwsydney      172.26.106.1       172.26.106.1
              10.4.6.1           10.4.6.1
              192.168.22.106     192.168.22.106
fwsingapore   172.28.108.1       172.26.106.4
              10.4.8.1           10.4.6.4
              192.168.22.108     192.168.22.108
websydney     10.4.6.106         10.4.6.106
websingapore  10.4.8.108         10.4.6.108
Cluster IPs   N/A                172.26.106.5
                                 10.4.6.5

GENERATE FAILOVER IN NEW MODE HA CLUSTER

1. Configure the ClusterXL type for HA, then select New mode.
2. Select Switch to higher priority Gateway, under the Upon Gateway recovery
option on the ClusterXL screen.
3. Start an FTP session from www.partnercity.cp to access the internal FTP
[...].
4. Verify the active member is still active:

cphaprob state

5. On the active member, register a device named "faildevice" to [...]:

cphaprob -d faildevice -s problem -t 0 register

The active member now goes down, because faildevice is reported as a problem,
and the standby member becomes active. The FTP session should continue if
Synchronization is [...].
6. Verify cluster status on both members with the following command:

cphaprob state

7. Verify the state of internal and external devices on the down member [...].
The problematic device faildevice should display as a [...].

cphaprob -d faildevice -s ok [...]

cphaprob -d faildevice unregister

The member will become active again, because Switch to higher priority
Gateway in the ClusterXL screen of the cluster object is selected.

End of lab.
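The following Python model is an added example and not Check Point code. It replays the lab's cphaprob register, report and unregister steps (the switches are explained in the cphaprob table earlier in this chapter) against a small New mode HA state machine, with and without Switch to higher priority Gateway, using the Rome and Toronto member names from the lab tables; the priority order (fwrome first) and the two pre-registered devices are assumptions. It shows why the original member returns to active only when that option is selected.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Member:
    name: str
    priority: int                                          # 1 is the highest priority
    devices: Dict[str, str] = field(default_factory=dict)  # pnote device -> ok | init | problem

    def healthy(self) -> bool:
        # A member is usable only while every registered critical device reports ok.
        return all(status == "ok" for status in self.devices.values())


class NewModeHA:
    """Model of New mode HA: one active member, the others standby or down."""

    def __init__(self, members: List[Member], switch_to_higher_priority: bool):
        ordered = sorted(members, key=lambda m: m.priority)
        self.members: Dict[str, Member] = {m.name: m for m in ordered}
        self.switch_to_higher_priority = switch_to_higher_priority
        self.active: Optional[str] = None
        self._elect()

    def _elect(self) -> None:
        healthy = [m for m in self.members.values() if m.healthy()]
        if not healthy:
            self.active = None
            return
        current = self.members.get(self.active) if self.active else None
        if current is not None and current.healthy() and not self.switch_to_higher_priority:
            return  # "Maintain current active Gateway": a recovered member stays standby
        self.active = healthy[0].name  # highest-priority healthy member takes over

    def register(self, member: str, device: str, status: str) -> None:
        """cphaprob -d <device> -s <status> -t 0 register"""
        self.members[member].devices[device] = status
        self._elect()

    def report(self, member: str, device: str, status: str) -> None:
        """cphaprob -d <device> -s <status> report (the device must already be registered)"""
        if device not in self.members[member].devices:
            raise KeyError(f"{device} is not registered on {member}")
        self.members[member].devices[device] = status
        self._elect()

    def unregister(self, member: str, device: str) -> None:
        """cphaprob -d <device> unregister"""
        self.members[member].devices.pop(device, None)
        self._elect()

    def states(self) -> Dict[str, str]:
        """What cphaprob state would show for each member."""
        out = {}
        for m in self.members.values():
            if not m.healthy():
                out[m.name] = "down"
            elif m.name == self.active:
                out[m.name] = "active"
            else:
                out[m.name] = "standby"
        return out


def lab_sequence(switch_to_higher_priority: bool) -> List[Dict[str, str]]:
    """Replay Lab 14 and return the cluster state after each step."""
    members = [Member("fwrome", 1, {"Filter": "ok", "fwd": "ok"}),
               Member("fwtoronto", 2, {"Filter": "ok", "fwd": "ok"})]
    cluster = NewModeHA(members, switch_to_higher_priority)
    history = [cluster.states()]
    cluster.register("fwrome", "faildevice", "problem")   # step 5: force the active member down
    history.append(cluster.states())
    cluster.report("fwrome", "faildevice", "ok")          # clear the problem
    history.append(cluster.states())
    cluster.unregister("fwrome", "faildevice")            # remove the test device
    history.append(cluster.states())
    return history
```

lab_sequence(True) shows fwrome going down, fwtoronto taking over, and fwrome becoming active again as soon as faildevice reports ok; lab_sequence(False) shows fwtoronto staying active after recovery, which is the difference the Upon Gateway recovery option controls.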

LAB 15: RUNNING CPHASTART -D

Scenario: cphastart is used [...] an HA [...]. cphastart -d [...] HA [...].

Objective: [...] cphastart -d.

Topics:

• Running cphastop to stop [...]
• Running cphastart -d on cluster members
• [...] cphastart -d [...]

RUN CPHASTOP ON CLUSTER MEMBERS

1. On each cluster member, run the command:

[expert@cpmodule]# cphastop

2. Verify whether ClusterXL has stopped:

[expert@cpmodule]# cphaprob state

RUN CPHASTART -D ON CLUSTER MEMBERS

3. Start the cpha service in debug mode, and redirect the output to a text file:

[expert@cpmodule]# cphastart -d >& hastart.txt

4. Wait until the prompt displays.

5. Review the text file and examine the information presented.

End of lab.
REVIEW

• Install ClusterXL only in a distributed configuration. The SmartCenter Server
cannot be installed on any cluster member.
• The SmartCenter Server controlling a cluster does not have to be local to the
cluster. If local, the Server can be on any network segment, although static
routes to each individual cluster member may be necessary to ensure
connectivity.
• The SmartCenter Server's version (including HFA version) must be at the
same or a higher version than the cluster members. When applying an upgrade
or HFA, the SmartCenter Server must be upgraded first.
• The Cluster Control Protocol (CCP) Pings other hosts in a network segment
to verify network status. Always ensure that networks other than the sync
networks have other machines besides the cluster members on them.
• All cluster members must be running on the same OS, with equivalent OS
patch levels applied.
• All cluster members should have a minimum of three interfaces. It is
possible to run sync across an internal interface, but this is not
recommended. Ideally, sync should be run across a dedicated network.
• Avoid multiple clusters on the same network segment.
• The number of active interfaces needs to be the same on each cluster member.
• Switches need to be compatible with Check Point multicast MAC addresses.
• Test cluster functionality by passing traffic through the cluster, not to it.
• Segregate different versions of ClusterXL from one another. Each cluster
should be on its own hub, VLAN segment, or switch.
• Verify hostnames in the hosts files on all cluster members.
• Sync networks should have interface-to-interface connectivity, be connected
via a hub, as opposed to a crossover cable, and not have a cluster IP assigned
to them. Clusters should not share sync networks with other clusters.
• cphaprob, cpstat ha -f all, and fw ctl debug -m cluster are the main
troubleshooting commands for ClusterXL.
• Kernel debugging flags are also useful when troubleshooting ClusterXL
problems.

Review Answer

1. Connectivity through an NGX Load Sharing Cluster in front of a server farm
is intermittent. SmartView Monitor shows the two cluster members as
functional. You suspect connectivity problems may be related to the
synchronization of state tables. Which of the following kernel flags may help
improve performance?

B.) fwconn_merge_all_syncs

With the information given, the above is the most helpful kernel setting to
change. This setting allows for connections to be entered into the state tables
on both machines.

APPENDIX A: USING DBEDIT

This appendix provides an optional lab for individual practice with DbEdit.

Scenario: In this lab, you will use DbEdit to create a new service object and a
new group object, and to add the service object to the group object. You will
also use DbEdit to change the global property resolve_multiple_interfaces
to true. This lab is ideal for environments that are not able to take advantage
of the Database Tool (GuiDBedit). Note that Check Point recommends using the
Database Tool utility; when GuiDBedit is not available or convenient, use
DbEdit carefully.

In this lab, you will use dbedit on the SmartCenter Server locally. If this
command is executed on other machines in the network, the SmartCenter
Server's hostname must be resolvable to its IP address from that host.

Objectives:

1. Use DbEdit to create a new object.
2. Use DbEdit to modify an object's property.
3. Use DbEdit to modify a global property value.

Topics:

• Logging in to DBedit
• Modifying global properties

LOG IN TO DBEDIT PROMPT

1. Close all [...].
2. [...] a [...] or console.
3. Type dbedit.
4. Enter the hostname of the [...] ENTER, since this is [...].
5. [...] to log in to [...].
6. At [...]:

>

7. [...] in objects_5_0.C, by [...].
8. [...] a new TCP [...]:

>

9. [...] 3333:

> [...] port 3333

10. [...] in objects_5_0.C:

>

11. [...] the following: ([...] no s[...] them.)
12. [...] in objects_5_0.C.
444
MODIFY GLOBAL PROPERTIES

1. From the dbedit prompt, change the value of the property
resolve_multiple_interfaces to true, by typing the following:

dbedit > modify properties firewall_properties resolve_multiple_interfaces true

2. Make the change permanent, by typing the following:

dbedit > update properties firewall_properties

3. The message "firewall_properties updated successfully" appears. Exit
dbedit, by typing quit from the dbedit prompt.

Some properties are global, some are specific to a Gateway.
To modify properties that are unique to specific Gateway
modules, use modify network_objects <gateway_object_name>
<property_name> <value>.

End of lab.
