
Overview

The InfoView utility lets you view and analyze a CPInfo output file collected from a Check Point server.
  • The left pane shows the data tree, which holds a hierarchical list of input data, consisting of files and directories, in addition to other text sections.
  • The right pane shows a list of tests that can be applied to the input files.

Basic actions

View file/text section
There are 3 ways to open a text file or a text section:
  • Double-click the text file/section.
  • Right-click the text file/section and select 'Open'.
  • Drag and drop the text file/section into an open window of any text editing software (e.g., Notepad, Word).
Note: With the first 2 options, the file opens in your operating system's default text editing program. You can configure InfoView to use a specific text editor instead (see 'Configuring InfoView to use a specific text editor' below).
Copy file/text section/folder
You can copy a text file, text section, or folder to any Windows folder directly from InfoView. To do this, either drag and drop the file/folder, or copy and paste it.
View the Policy in the Policy Viewer (SmartDashboard)
To better understand the gateway's set-up, and especially the policies, InfoView lets you view the CPInfo information in SmartDashboard on your desktop.
Note: This is possible only if the CPInfo output file is from a management server (i.e., Security Management/SmartCenter/Provider-1/Standalone).
  1. Make sure you have the corresponding customer version of SmartConsole installed.
  2. In InfoView, click the Policy Viewer button on the main toolbar, or select 'Tools' > 'Policy' from the main menu. It might take a few minutes for SmartDashboard to appear. If required, manually configure the location of the different SmartDashboard versions in InfoView: select 'View' > 'Options' and go to the 'Directories' tab.

Viewers

  • Info Tab - Kernel table viewer
  • IKEView
  • LicView - Check Point License string viewer
  • Process Viewer

Advanced actions

Tree sorting
There are 2 sorting options for the data tree:
  • Sort alphabetically - Alphabetically.
  • Sort by size - By file size.
Tree searching
To search for text in the data tree, either click the 'Find' button on the main toolbar, or use the keyboard shortcut Ctrl+F.
Click the 'Find next' button, or press F3 to repeat the previous search.
Export Object File
You can remove all certificate keys from the object file (objects_5_0.C) that is embedded in the input file. To do this, from the main menu, select 'File' > 'Export object file (fresh CA)' and save the new file.

Analysis pane

The right pane of InfoView is dedicated to analysis. Here you can see a list of tests that you can run on the input file, as well as the status and results of the tests.
To run a test, either double-click it, or select it and press the 'Test' button.
To see the test results after it has finished running, either double-click it, or select it and press the 'View' button.
Possible test statuses:
  • OK - Test passed
  • Suspicious - Possible problem (test this issue manually)
  • Irrelevant - This test is irrelevant to the given input file
  • Not Tested - This test has not been executed yet

Icon legend

  • Text section
  • Text file
  • Text file (Unavailable - not collected)
  • Text file (Soft Link)
  • Text file (Registry)
  • Text file (WinMSD)
  • Folder
  • Root icon - Firewall is installed
  • Root icon - Meta IP is installed
  • Root icon - Provider-1 is installed
  • Root icon - SecureClient is installed

Data tree

Server Information
To see the server information, right-click the server name (the root of the tree) and select 'Properties'.
Here you can see the server version, whether the server is a Security Gateway or a Security Management server, and more.
$FWDIR directory
The tree shows the $FWDIR directory collected by the CPInfo utility from the server. Here you can find some useful files, such as:
  • In the conf directory:
    • objects_5_0.C - Full database objects file.
    • fwauth.NDB - All users the administrator defined on the SmartDashboard.
    • fwauthd.conf - Configuration file of the Security Servers.
    • asm.C - IPS configuration file.
    • classes.C - Definitions of the fields in the CP Database files.
  • In the log directory:
    • fwd.elg - fwd process log file. Each message in the file is timestamped, so look for messages logged on or about the time the problem was identified.
    • fwm.elg - fwm process log file.
  • In the database directory, you can see all of the relevant policy files for the Security Gateway.
$CPDIR directory
The tree shows the $CPDIR directory collected by the CPInfo utility from the server.
Here you can find some useful files, such as:
  • In the log directory:
    • cpd.elg - CPD log file. Shows useful information about SIC-related issues, CP WatchDog log files (cpwd.elg), process crashes and more.
  • In the registry directory:
    • HKLM_registry.data - Shows all products and fixes installed on the system.
Other items on the data tree:
  • CP components - Shows overview information about the products installed on the system (such as Acceleration [PPACK], Advanced routing [ADVR], etc.). Might be useful for comparing cluster members.
  • CP Status - Shows policy name and install time, FW connections and packet statistics (per interface as well).
  • FireWall-1 Version Information - Shows the FW & OS patch level including HFAs.
  • System Information:
    • date - Date and time on the machine when the CPInfo was collected (useful for sync issues and logs referral).
    • ethtool - Interface configuration and status.
    • ethtool -i - Interface driver version.
    • uname -a - OS information, date of OS kernel compilation.
    • uptime - When the system was last rebooted.
    • ps auxww - Processes list (CPU/Memory consumption, PID, full process path).
    • vmstat 1 10 - Machine CPU consumption. User/Kernel space (us=user space, sy=kernel space, id=idle cpu).
    • top -n 2 - System resources usage. Overview: system (kernel), user, softirq (CPU software interrupts), iowait (HD operation), memory usage status, and processes list (as in ps auxww).
    • env - Environment variables.
    • df -k - Hard disk space information.
    • Package Manager Report (RPM) - Output of rpm -qa command. List of RPMs installed.
    • List PCI devices (lspci -nv) - List of hardware devices. Class 0200 stands for Interface Card (NIC). The Class and Subsystem information helps you identify the exact NIC model in the PCI IDs list. See the Hardware Compatibility List to make sure the NIC is supported.
    • Interrupts Information (/proc/interrupts) - Hardware device per IRQ list.
    • Memory Information (free -k -t) - Free memory available. Calculated as explained in sk32206.
    • Loaded Modules (lsmod) - List of kernel modules currently loaded (FW, VPN, acceleration kernel modules, interface drivers, etc).
    • Additional Memory Information (meminfo) - Output of cat /proc/meminfo, for additional memory details such as 'HighTotal' (high kernel memory allocated by the OS during reboot).
    • Additional CPU Information (cpuinfo) - Output of cat /proc/cpuinfo. Specifies the CPU vendor and model, and number of processors.
    • System's Hardware - Server vendor and model details, bios details.
  • IP Interfaces:
    • ifconfig -a - Full details about the interfaces: MAC, MTU, IP, Mask, etc. Can assist in identifying the master in a VRRP cluster (only the master has 'vrrpmac' addresses in this output).
    • fw ctl iflist - Interfaces mapping to the IDs given by the OS during boot. In the kernel debug's output, the interfaces are identified with those IDs, instead of the interfaces' names.
    • fw getifs - Summary display of IP addresses per interface.
  • Netstat Information:
    • netstat -rnv - Full routing table (for routing/advanced routing troubleshooting, cluster members comparison).
    • netstat -i - Interface packets statistics, RX/TX drops and errors per interface.
    • netstat -s - OS statistics per protocol (ICMP, IP, UDP, TCP).
    • netstat -nap - List of open (listening) ports per process, and established connections per process (helps to identify which process is occupying each port at the time the CPInfo was collected).
    • arp -a - ARP table output. Use the MAC addresses to cross-reference information with traffic captures. If the word "Incomplete" is shown in the output file, it may be an indication that automatic ARP is not working.
  • FW-1 Accelerator - Acceleration device (SecureXL/PPACK) status, build, statistics, accelerated connections and SIM affinity information. "accel packets"/"F2F packets" ratio will give you indication regarding acceleration efficiency. SIM affinity customization can increase performance as well - see sk33506.
  • FireWall-1 Tables - Short Format - Output of fwtab -t -s, list of all kernel tables (connections table ['connections' / ID 8158], NAT table ['fwx_alloc' / ID 8187], etc) and current value of each table (#VALS column).
  • FireWall-1 Statistics (fw ctl pstat) - The last parameter in the output file is State Sync (used for cluster troubleshooting). It shows 'off' when sync is off, and shows packet statistics when it is on.
  • FireWall-1 Debug (fw ctl debug) - Shows which kernel debug flags are on.
  • FireWall-1 Chain/Connections Modules - Output of 'fw ctl chain/connections', list of loaded FW chains (corresponds with installed products). Must be identical between cluster members.
  • Overlapping Encryption Domains - Might cause VPN related issues.
  • High Availability - Clustering-related information
    • High Availability State (cphaprob state) - Indicates the cluster mode, the status of the cluster member itself and how this cluster member perceives the status of other cluster members. View and compare statuses of each cluster member.
    • High Availability -i list (cphaprob -i list) - View a Pnote "device" that may be in a problem state. Cluster member status is 'down' when a Pnote is in 'Problem' state.
    • High Availability interfaces (cphaprob -a if) - This output file shows the status of the interfaces for that cluster and VIP addresses, and CCP mode of the interfaces. The number of "Required interfaces" (determined during boot) and the CCP mode (multicast/broadcast) must be the same on both members.
    • High Availability SyncStat (cphaprob syncstat) - Synchronization statistics - refer to Cluster Admin Guide for output analysis in order to tell if there is a sync related problem.
  • VSX Information (CTX 0) [on a VSX machine] - Contains information about the CTX IDs (VS IDs), status and policy details of the VSX physical box and of the Virtual Devices.
  • CP License - Output of cplic print, license information. Using the wrong license might cause unexpected behavior.
  • CPWD (Watch Dog) information - Output of cpwd_admin list, list of all processes monitored by CP Watchdog and their status.
  • DLL_EXEC_Kernel versions - Current builds of system files. You can use this information to check the current builds and to verify if provided Hotfix replaced the files it should.
    • DLL versions - Current build of library files ($FWDIR/lib).
    • EXEC versions - Current build of binary files ($FWDIR/bin).
    • Kernel versions - Current build of kernel modules files ($FWDIR/boot/modules).
  • /var/log/messages:
    • When no buffer is defined in kernel, system messages are sent directly to the OS.
    • We refer to these as "console messages" since in most OSs the messages are printed to the console and copied to /var/log/messages or /var/adm/messages.
    • This is why error messages (which are generated out of debugging context) are sent to the console.
    • When generated in debugging context, error messages are not directed to the console but to the debug buffer, together with all other messages.
    • In Windows, "console messages" in fact appear in the event viewer.
  • /var/log/routing_messages - Advanced routing error messages, search for errors when troubleshooting dynamic routing (GateD) related issues.
  • /etc/resolv.conf - DNS configuration file.
  • /etc/hosts - IP address per hostname mapping. In a cluster environment, misconfiguration of this file might cause unexpected behavior. See sk42952.
  • /etc/sysconfig/ethtab - Interface name per MAC address, OS mapping.
  • /etc/sysconfig/netconf.C - OS interfaces and routing configuration file. Compare it to /etc/sysconfig/ethtab when troubleshooting IP/MAC address mismatches.

Disabling SmartMap before launching the Policy Viewer

SmartMap can make SmartDashboard crash or hang for a long time before SmartDashboard launches from InfoView.
To disable SmartMap:
  1. Open the CPInfo file in a text editor.
  2. Find and replace all instances of:
       totally_disable_VPE (false)
     with:
       totally_disable_VPE (true)
     (The value is defined in the objects_5_0.C file.)
  3. Save a copy of the edited CPInfo file.
  4. Re-open it in InfoView.

InfoView for Provider-1 (pInfoView)

Use the pInfoView tool to view a CPInfo output file collected from a Provider-1 server (MDS level).
  • The left pane shows a list of all of the CMAs, arranged under the MDS. The grayed-out CMA icons represent CMAs that were not collected by the CPInfo utility.
  • The right pane consists of two sub-panes:
    • The left sub-pane shows the data tree, which holds a hierarchical list of input data, consisting of files and directories, in addition to other text sections.
    • The right sub-pane shows a list of tests that can be applied to the selected MDS/CMA.
Icon legend
In addition to the icons that are listed above, pInfoView includes these 3 icons:
  • MDS - Selecting this icon changes the context of the right pane to the MDS
  • CMA - Selecting this icon changes the context of the right pane to this CMA
  • CMA (Unavailable)

Configuring InfoView to use a specific text editor

Procedure:
  1. Open InfoView.
  2. From the main menu, select 'View' > 'Options'.
  3. Under 'File Editor', select 'user defined'.
  4. Click 'Browse' and select your preferred text editor.
  5. Click 'OK'.
Download the InfoView package. For more information about CPInfo, see these Solutions:


Using IKEVIEW for VPN debugging

IKEVIEW is a Checkpoint Partner tool available for VPN troubleshooting purposes. It is a Windows executable that can be downloaded from Checkpoint.com. IKEView was originally only available to Checkpoint's CSP partners; however, they will gladly supply you a copy of this file if you have a licensed Checkpoint product. This tool parses the IKE.elg file located on the firewall.


http://pingtool.org/downloads/IKEView.exe

To use IKEVIEW for VPN troubleshooting do the following:

1. From the firewall type the following:

vpn debug ikeon

This will create the IKE.elg file located in $FWDIR/log.

2. Attempt to establish the VPN tunnel. All phases of the connection will be logged to the IKE.elg file.

3. SCP the file to your local desktop (WinSCP works great).

4. Launch IKEVIEW and select File > Open. Browse to the IKE.elg file.


Understanding the IKE.elg output

All Phase I packets will either be labeled Main Mode or Aggressive Mode.

Phase II packets will be labeled QM or Quick Mode.

An arrow pointing to the left (<) indicates IPSEC packets that the Checkpoint firewall (local) receives from the remote peer. An arrow pointing to the right (>) represents IPSEC packets that the Checkpoint firewall is sending to the remote peer.

Ikeview Phase I Main Mode exchange:

If your encryption fails in Main Mode Packet 1, then you need to check your VPN proposal (encryption/hash/lifetime).


Packet 2 (MM Packet 2 in the trace) is from the responder and agrees on one encryption and hash algorithm.


Packets 3 and 4 aren't usually used when troubleshooting. They perform the key exchange and include a large number called a NONCE. The NONCE is a set of never-before-used random numbers sent to the other party, signed and returned to prove the parties' identity.


Packets 5 and 6 perform the authentication between the peers. The peer's IP address shows in the ID field under MM packet 5. Packet 6 shows that the peer has agreed to the proposal and has authorised the host initiating the key exchange.
If your encryption fails in Main Mode Packet 5, then you need to check the authentication: certificates or pre-shared secrets.

Phase I Main Mode example:

In the example below, we see that Phase I is failing after the first packet (Main mode Phase I takes 6 packets to complete). After the first packet (the initial proposal packet), we see that the remote peer responds with No Proposal Chosen. In this example, the remote peer rejected the local proposal of AES/SHA1 with a lifetime of 86400 seconds and the provided Preshared key.



Phase II Quick Mode exchange:

Next is Phase II: the IPSec Security Associations (SAs) are negotiated, the shared secret key material used for the SA is determined, and there is an additional DH exchange. Phase II failures are generally due to a misconfigured VPN domain. Phase II occurs in 3 stages:

1. Peers exchange key material and agree on encryption and integrity methods for IPSec.
2. The DH key is combined with the key material to produce the symmetrical IPSec key.
3. Symmetric IPSec keys are generated.


In IkeView, under the IP address of the peer, expand Quick Mode packet 1:
  > "P2 Quick Mode ==>" for outgoing or "P2 Quick Mode <==" for incoming
    > QM Packet 1
      > Security Association
        > prop1 PROTO_IPSEC_ESP
          > tran1 ESP_AES (for an AES encrypted tunnel)

You should be able to see the SA Life Type, Duration, Authentication Alg, Encapsulation Mode and Key Length.
If your encryption fails here, it is one of the above Phase II settings that needs to be looked at.

There are two ID fields in a QM packet. Under
  > QM Packet 1
    > ID
you should be able to see the initiator's VPN Domain configuration, including the type (ID_IPV4_ADDR_SUBNET) and data (ID Data field).

Under the second ID field you should be able to see the peer's VPN Domain configuration.

Packet 2 from the responder agrees to its own subnet or host ID, encryption and hash algorithm.

Packet 3 completes the IKE negotiation.


Phase II Quick Mode example:

Below is a screenshot of a failed VPN connection for Phase II. From this example, we can see that Phase I (Main Mode) completed successfully. Phase II (Quick Mode) shows a Failed status.

As indicated below, there is an Outgoing proposal (local peer) for AES/SHA1 with a lifetime of 3600 seconds. After the failed Phase II packet, there is an Info packet from the remote peer indicating “Invalid ID Information”. This is an indication that the remote peer rejected our proposal. If the tunnel were being initiated on the Remote End, we would also see the remote peer’s proposal and can compare that to the local proposal.



Common errors indicated in Ikeview

No Proposal Chosen:

A common error that can be easily identified in IKEVIEW is “No Proposal Chosen”.

The Quick Mode section that precedes the Info line with the “No Proposal Chosen” message shows the network mask used for the VPN handshake. Compare the mask used in the local encryption domain with the mask sent by the remote peer. This is a common error when establishing tunnels with non-Checkpoint firewalls, because Checkpoint, by default, supernets the networks contained in the encryption domain. The method for resolving this issue on the Checkpoint firewall depends on whether the firewall is R55, R61 simple mode, or R61 classic mode. In R55 there is an option in the VPN section of the Interoperable firewall object that tells the firewall to use “One tunnel per pair of hosts, or one tunnel per pair of subnets”. In R61 Simple mode, there is an option in the VPN Community that says “exchange key per host”. In R61 Classic mode you will need to do the following during non-business hours:

1. Run cpstop.

2. Modify $FWDIR/lib/user.def.

3. Change the parameter "IKE_largest_possible_subnet" from "true" to "false".

4. Run cpstart.
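The following is an added example (not IKEView's or Check Point's code) that models the two ID fields and the SA proposal shown under QM Packet 1 above and lists the disagreements that produce the mask-mismatch failure just described. The "supernet" mode is an approximation of the supernetting behaviour the post describes, not Check Point's actual algorithm, and the networks and proposal values are constructed.

```python
"""Model the two ID fields and the SA proposal that IKEView shows under
"QM Packet 1" and list the disagreements a peer would reject.

Added example for this post, not IKEView's or Check Point's own code.
The "supernet" mode approximates the post's "supernets networks contained
in the encryption domain" behaviour (assumption), not the real algorithm.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class QMPacket1:
    """Fields visible in IKEView under QM Packet 1 (simplified)."""
    proto: str        # prop1, e.g. PROTO_IPSEC_ESP
    transform: str    # tran1, e.g. ESP_AES
    auth_alg: str     # Authentication Alg, e.g. SHA1
    key_length: int   # Key length in bits
    lifetime: int     # SA Life Duration in seconds
    local_id: Net     # first ID field: this side's VPN domain (ID_IPV4_ADDR_SUBNET)
    remote_id: Net    # second ID field: the peer's VPN domain


def local_id_for(domain: Iterable[str], host: str, mode: str) -> Net:
    """ID the local gateway sends in the first ID field for traffic from `host`.

    mode "supernet": largest block of adjacent domain networks containing host
                     (approximates the default behaviour the post describes).
    mode "subnet":   the defined network containing host
                     ("one tunnel per pair of subnets").
    mode "host":     a /32 ("one tunnel per pair of hosts" / "exchange key per host").
    """
    nets = [ipaddress.ip_network(n) for n in domain]
    addr = ipaddress.ip_address(host)
    if mode == "host":
        return ipaddress.ip_network(f"{addr}/32")
    if mode == "supernet":
        nets = list(ipaddress.collapse_addresses(nets))  # merges adjacent siblings
    elif mode != "subnet":
        raise ValueError(f"unknown mode {mode!r}")
    containing = [n for n in nets if addr in n]
    if not containing:
        raise ValueError(f"{addr} is not in the local encryption domain")
    return max(containing, key=lambda n: n.num_addresses)


def compare_qm(ours: QMPacket1, theirs: QMPacket1) -> List[str]:
    """Return the fields on which our outgoing QM Packet 1 and the peer's
    expectation disagree. The peer's local_id is what we must carry as
    remote_id and vice versa, so the ID fields are compared crosswise."""
    problems = []
    if ours.local_id != theirs.remote_id:
        problems.append(f"ID: we send {ours.local_id}, peer expects "
                        f"{theirs.remote_id} (check VPN domain / subnet mask)")
    if ours.remote_id != theirs.local_id:
        problems.append(f"peer ID: we expect {ours.remote_id}, peer uses "
                        f"{theirs.local_id} (check the peer object's VPN domain)")
    for field in ("proto", "transform", "auth_alg", "key_length"):
        a, b = getattr(ours, field), getattr(theirs, field)
        if a != b:
            problems.append(f"{field}: local {a} vs peer {b} (check Phase II settings)")
    if ours.lifetime != theirs.lifetime:
        problems.append(f"lifetime: local {ours.lifetime}s vs peer {theirs.lifetime}s "
                        "(expect a RESPONDER-LIFETIME notification)")
    return problems


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: our domain is two adjacent /24s, the non-Check
    Point peer expects exactly 10.1.1.0/24 and uses 192.168.50.0/24 itself."""
    domain = ["10.1.0.0/24", "10.1.1.0/24"]
    peer_net = ipaddress.ip_network("192.168.50.0/24")
    theirs = QMPacket1("PROTO_IPSEC_ESP", "ESP_AES", "SHA1", 128, 3600,
                       peer_net, ipaddress.ip_network("10.1.1.0/24"))
    results = {}
    for mode in ("supernet", "subnet", "host"):
        ours = QMPacket1("PROTO_IPSEC_ESP", "ESP_AES", "SHA1", 128, 3600,
                         local_id_for(domain, "10.1.1.5", mode), peer_net)
        results[mode] = compare_qm(ours, theirs)
    return results


if __name__ == "__main__":
    for mode, problems in demo().items():
        print(mode, "->", problems or "IDs and proposal match")
```

Only the "subnet" mode matches the peer's expectation in this scenario; the supernet mode sends 10.1.0.0/23, which is the mask mismatch to look for in the Quick Mode ID field.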

Aggressive Mode failure:

Aggressive mode uses 3 packets instead of 6 during the Phase I negotiations. Therefore, if one side of the tunnel is configured for Aggressive Mode and the other side is configured for Main Mode, the 2 peers will not agree on the contents of the first packet during the exchange. If the local peer is mistakenly configured to use Aggressive Mode (which is a less secure method), the outgoing packet will be labeled Aggressive Mode.

Invalid ID-Information:

This is an indication that the remote peer rejected either the Phase I or Phase II proposal from the local peer.


PROTO_IPCOMP in the QM packet

This is an indication that IP Compression is enabled for this tunnel.


Refer to:
https://www.cpug.org/forums/ipsec-vpn-blade-virtual-private-networks/4764-vpn-trouble-shooting.html


Common list of ports that you will need to open on a typical Check Point Firewall. Note: don’t open all of the ports in this list; instead, use it as a reference for your Check Point firewall configuration.

PORT TYPE SERVICE DESCRIPTION
21 TCP ftp File Transfer Protocol (control)
21 UDP ftp File Transfer Protocol (control)
22 Both ssh SSH remote login
25 Both SMTP Simple Mail Transfer Protocol
50 IP protocol esp IPSEC Encapsulating Security Payload (encryption IP protocol)
51 IP protocol ah IPSEC Authentication Header Protocol (encryption IP protocol)
53 Both DNS Domain Name Server
69 Both TFTP Trivial File Transfer Protocol
94 TCP fwz_encapsulation (FW1_Eencapsulation) Encryption IP protocols
137 Both netbios-ns NETBIOS Name Service
138 Both netbios-dgm NETBIOS Datagram
139 Both netbios-ssn NETBIOS Session
256 TCP FW1 (fwd) Policy install port (FWD_SVC_PORT)
257 TCP FW1_log Log transfer (FWD_LOG_PORT)
258 TCP FW1_mgmt FWM_SSVVC_PORT
259 TCP FW1_clientauth_telnet Client Authentication (Telnet)
259 UDP RDP Reliable Datagram Protocol
260 TCP sync
260 UDP FW1_snmp FWD_SNMP_PORT
261 TCP FW1_snauth Session Authentication Daemon
262 TCP MDQ Mail dequeuer
263 TCP dbs
264 TCP FW1_topo Check Point SecureClient Topology Requests
265 TCP FW1_key Check Point VPN-1 Public key transfer protocol
389 Both LDAP SecureClient connecting to LDAP without SSL
443 - SNX VPN can use 443 too
444 TCP SNX VPN SNX VPN tunnel in Connectra only
500 UDP IKE IPSEC IKE Protocol (formerly ISAKMP/Oakley)
500 TCP IKE IKE over TCP
500 UDP ISAKMPD_SPORT & ISAKMPD_DPORT
514 UDP Syslog Syslog
636 - LDAP SecureClient connecting to LDAP with SSL
900 TCP FW1_clntauth_http Client Authentication Daemon
981 - Management HTTPS on the Edge
1247 - (no description given)
1494 TCP Winframe Citrix
1645 TCP Radius
1719 UDP VOIP
1720 TCP VOIP
2040 TCP MIP Meta IP admin server
2746 UDP VPN1_IPSEC_encapsulation UDP encapsulation for SR (VPN1_IPSEC encapsulation)
2746 TCP CPUDPENCap
4000 - Policy Server Port (Redmond)
4433 TCP Connectra Admin HTTPS Connectra admin port
4500 UDP NAT-T NAT Traversal
4532 TCP SNDAEMON_PORT sn_auth_trap: sn_auth daemon Sec.Serv comm
5001 TCP Meta IP Web Connection, MIP
5002 TCP Meta IP DHCP Failover
5004 TCP Meta IP UAM
5005 TCP Meta IP SMC
6969 UDP KP_PORT KeyProt
8116 UDP CPHAP Check Point HA SyncMode=CPHAP (new sync mode)
8116 UDP Connection table synchronization between firewalls
8989 TCP CPIS Messaging MSG_DEFAULT_PORT
8998 TCP MDS_SERVER_PORT
9000 - Command Line Port for SecureClient
10001 TCP Default CPRSM listener port for comms with RealSecure Console
18181 TCP FW1_cvp Check Point OPSEC Content Vectoring Protocol
18182 TCP FW1_ufp Check Point OPSEC URL Filtering Protocol
18183 TCP FW1_sam Check Point OPSEC Suspicious Activity Monitoring Protocol (SAM API)
18184 TCP FW1_lea Check Point OPSEC Log Export API
18185 TCP FW1_omi Check Point OPSEC Objects Management Interface
18186 TCP FW1_omi-sic Check Point OPSEC Objects Management Interface with Secure Internal Communication
18187 TCP FW1_ela Check Point OPSEC Event Logging API
18190 TCP CPMI Check Point Management Interface
18191 TCP CPD Check Point Daemon Protocol NG
18192 TCP CPD_amon Check Point Internal Application Monitoring NG
18193 TCP FW1_amon Check Point OPSEC Application Monitoring NG
18201 TCP FGD_SVC_PORT
18202 TCP CP_rtm Check Point Real Time Monitoring
18203 TCP FGD_RTMP_PORT
18204 TCP CE communication
18205 TCP CP_reporting Check Point Reporting Client Protocol
18207 TCP FW1_pslogon Check Point Policy Server Logon Protocol
18208 TCP FW1_CPRID (SmartUpdate) Check Point Remote Installation Protocol
18209 TCP FWM CA for establishing SIC communication
18210 TCP FW1_ica_pull Check Point Internal CA Pull Certificate Service
18211 TCP FW1_ica_push Check Point Internal CA Push Certificate Service
18212 UDP Connect Control – Load Agent port
18213 TCP cpinp: inp (admin server)
18214 TCP cpsmc: SMC
18214 UDP cpsmc: SMC Connectionless
18221 TCP CP_redundant Check Point Redundant Management Protocol NG
18231 TCP FW1_pslogon_NG Check Point NG Policy Server Logon Protocol
18231 TCP NG listens on this port by default (dtps.exe)
18232 TCP FW1_sds_logon Check Point SecuRemote Distribution Server Protocol
18233 UDP FW1_scv_keep_alive Check Point SecureClient Verification Keepalive Protocol
18241 UDP e2ecp
18262 TCP CP_Exnet_PK Check Point Public Key Resolution
18263 TCP CP_Exnet_resolve Check Point Extranet remote objects resolution
18264 TCP FW1_ica_services Check Point Internal CA Fetch CRL and User Registration Services
19190 TCP FW1_netso Check Point OPSEC User Authority Simple Protocol
19191 TCP FW1_uaa Check Point OPSEC User Authority API
65524 - FW1_sds_logon_NG SecureClient Distribution Server Protocol (VC and higher)

Check Point General Common Ports

PORT TYPE SERVICE DESCRIPTION
257 tcp FireWall-1 log transfer
18208 tcp CPRID (SmartUpdate)
18190 tcp SmartDashboard to SCS
18191 tcp SCS to FW-1 gateway for policy install
18192 tcp SCS monitoring of firewalls (SmartView Status)

Check Point SIC Ports

PORT TYPE SERVICE DESCRIPTION
18209 tcp NGX Gateways <> ICAs (status, issue, or revoke).
18210 tcp Pulls Certificates from an ICA.
18211 tcp Used by the cpd daemon (on the gateway) to receive Certificates.

Check Point Authentication Ports

PORT TYPE SERVICE DESCRIPTION
259 tcp Client Authentication (Telnet)
900 tcp Client Authentication (HTTP)
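As an added example (not part of the original post), the script below labels the listening sockets in a netstat -nap capture, the output the InfoView data tree carries under Netstat Information, using a subset of the port table above, and flags any listener the table does not explain. The netstat lines are constructed; the port map is copied from this page and covers TCP/UDP rows only.

```python
"""Label the listening sockets in a `netstat -nap` capture using the Check
Point port table above, and flag listeners the table does not explain.

Added example, not part of the original post. The netstat lines are
constructed and the port map is a subset of the page's table (TCP/UDP
rows only, since IP protocols 50/51 never appear in netstat).
"""
import re
from typing import Dict, List, Optional, Tuple

# (port, proto) -> service name, copied from the table above (subset).
CP_PORTS: Dict[Tuple[int, str], str] = {
    (22, "tcp"): "ssh",
    (256, "tcp"): "FW1 (fwd) policy install",
    (257, "tcp"): "FW1_log",
    (259, "tcp"): "FW1_clientauth_telnet",
    (264, "tcp"): "FW1_topo (SecureClient topology)",
    (500, "udp"): "IKE",
    (900, "tcp"): "FW1_clntauth_http",
    (4500, "udp"): "NAT-T",
    (8116, "udp"): "CPHAP cluster sync",
    (18190, "tcp"): "CPMI",
    (18191, "tcp"): "CPD",
    (18192, "tcp"): "CPD_amon",
    (18209, "tcp"): "FWM CA (SIC)",
    (18210, "tcp"): "FW1_ica_pull",
    (18211, "tcp"): "FW1_ica_push",
    (18264, "tcp"): "FW1_ica_services (CRL fetch)",
}

# Linux netstat -nap row: proto, queues, local, foreign, optional state, PID/program.
ROW_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<foreign>\S+)"
    r"\s+(?:(?P<state>[A-Z_]+)\s+)?(?P<pidprog>\S+)\s*$"
)


def parse_row(line: str) -> Optional[dict]:
    """Parse one netstat row; return None for headers and unrelated lines."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    addr, port = m.group("local").rsplit(":", 1)
    if not port.isdigit():  # "*" means the port is not bound
        return None
    pid, _, prog = m.group("pidprog").partition("/")
    return {
        "proto": m.group("proto").rstrip("6"),
        "addr": addr,
        "port": int(port),
        "state": m.group("state"),  # None for UDP rows
        "pid": pid,
        "prog": prog,
    }


def is_listener(row: dict) -> bool:
    """TCP sockets in LISTEN, or any bound UDP socket (netstat prints no state)."""
    if row["proto"] == "tcp":
        return row["state"] == "LISTEN"
    return row["state"] is None


def audit(text: str) -> Tuple[List[dict], List[dict]]:
    """Split listeners into (known Check Point services, unexplained listeners)."""
    known, unknown = [], []
    for line in text.splitlines():
        row = parse_row(line)
        if row is None or not is_listener(row):
            continue
        service = CP_PORTS.get((row["port"], row["proto"]))
        if service:
            known.append({**row, "service": service})
        else:
            unknown.append(row)
    return known, unknown


# Constructed sample in the layout netstat -nap prints on Linux / SecurePlatform.
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:18264           0.0.0.0:*               LISTEN      2345/fwm
tcp        0      0 0.0.0.0:18191           0.0.0.0:*               LISTEN      2111/cpd
tcp        0      0 0.0.0.0:256             0.0.0.0:*               LISTEN      2200/fwd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1500/sshd
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      3333/python
tcp        0      0 10.0.0.1:18191          10.0.0.42:45612         ESTABLISHED 2111/cpd
udp        0      0 0.0.0.0:500             0.0.0.0:*                           2222/vpnd
udp        0      0 0.0.0.0:4500            0.0.0.0:*                           2222/vpnd
udp        0      0 0.0.0.0:8116            0.0.0.0:*                           -
"""

if __name__ == "__main__":
    known_rows, unknown_rows = audit(SAMPLE)
    for r in known_rows:
        print(f"{r['proto']}/{r['port']:<6} {r['prog']:<10} {r['service']}")
    for r in unknown_rows:
        print(f"{r['proto']}/{r['port']:<6} {r['prog']:<10} NOT IN PORT TABLE, investigate")
```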


A few years ago I compiled a list of VPN debugs, error messages, and common gotchas. This information is relevant for Check Point NGX firewall, but is not a complete VPN Debugging Guide.

DEBUGGING INSTRUCTIONS:

From the command line (if cluster, on the active member):

  • vpn debug on
  • vpn debug ikeon
  • vpn tu
  • select the option to delete IPSEC+IKE SAs for a given peer (gw)
  • Try the traffic to bring up the tunnel
  • vpn debug ikeoff
  • vpn debug off

Log Files are

  • $FWDIR/log/ike.elg
  • $FWDIR/log/vpnd.elg

COMMON MESSAGES:

According to the Policy the Packet should not have been decrypted

  • The networks are not defined properly or have a typo
  • Make sure VPN domains under gateway A are all local to gateway A
  • Make sure VPN domains under gateway B are all local to gateway B

Wrong Remote Address

Failed to match proposal

  • sk21636 – cisco side not configured for compression

No response from peer

  • check encryption domains.
  • remote end needs a decrypt rule
  • remote firewall not setup for encryption
  • something is blocking communication between VPN endpoints
  • Check UDP 500 and protocol 50

No Valid SA

  • both ends need the same definition for the encryption domain.
  • sk19243 – (LAST OPTION) use debedit objects_5_0.c, then add subnets/hosts in users.def
  • likely phase2 settings
  • cisco might say ‘no proxy id allowed’
  • Disable NAT inside VPN community
  • Support Key exchange for subnets is properly configured
  • Make sure firewall external interface is in public IP in general properties

No Proposal chosen

  • sk19243 – usually caused when a peer does not agree to VPN Domain or subnet mask
  • make sure that encryption and hash match as well in Phase 2 settings

Cannot Identify Peer (to encryption connection)

  • sk22102 – rules refer to an object that is not part of the local firewalls encryption domain
  • may have overlapping encryption domains
  • 2 peers in the same domain
  • sk18972 – explains overlapping

Invalid ID

  • sk25893 – Gateway: VPN-> VPN Advanced, Clear “Support key exchange for subnets”, Install policy

Authentication Failure

Payload Malformed

  • check pre shared secrets

RESPONDER-LIFETIME

  • As seen in ike debugs, make sure they match on both ends

Invalid Certificate

  • sk17106 – Remote side peer object is incorrectly configured
  • sk23586 – nat rules are needed
  • sk18805 – multiple issues, define a static nat, add a rule, check time
  • sk25262 – port 18264 has problems
  • sk32648 – port 18264 problems v2
  • sk15037 – make sure gateway can communicate with management

No Valid CRL

  • sk32721 – CRL has expired, and module can’t get a new valid CRL

AddNegotiation

  • FW-1 is handling more than 200 key negotiations at once
  • Set maximum concurrent IKE connections

Could not get SAs from packet



FW MONITOR NOTES

  • the packet passes the inspection points i, I, o, O (i = before inbound inspection, I = after inbound inspection, o = before outbound inspection, O = after outbound inspection)
  • the packet will be ESP between o and O

BASIC STUFF TO CHECK IN THE CONFIGURATION:

Accept FW-1 Control Connections

VPN domains

  • setup in the topology of that item
  • using topology is recommended, but you must define
  • looking for overlap, or missing networks.
  • Check remote and local objects.

Encryption Domains

  • your firewall contains your networks
  • their firewall contains their networks

Rule Setup

  • you need a rule for the originator.
  • Reply rule is only required for 2 way tunnel

Preshared secret or certificate

  • Make sure times are accurate

Security rulebase

  • make sure there are rules to allow the traffic

Address Translation

  • be aware that this will affect the Phase 2 negotiations
  • most people disable NAT in the community

Community Properties

  • Tunnel management, Phase1 Phase2 encrypt settings.

Link selection

Routing

  • make sure that the destination is routed across the interface that you want it to encrypt on
  • you need IP proto 50 and 51 for IPSEC related traffic
  • you need port 500 UDP for IKE
  • netstat -rn and look for a single valid default route

Smartview Tracker Logs

  • purple = encrypted
  • red = dropped
  • green = no encryption

TRADITIONAL MODE NOTES

  • can’t VPN Route
  • encryption happens when you hit explicit rule
  • rules must be created

SIMPLIFIED MODE NOTES

  • VPN Communities
  • Encryption happens at rule 0
  • rules are implied

CHECKLIST

  • Define encryption domains for each site
  • Define firewall workstation objects for each site
  • Configure the gateway objects for the correct encryption domain
  • Configure the extranet community with the appropriate gateways and objects
  • Create the necessary encryption rules.
  • Configure the encryption properties for each encryption rule.
  • Install the security Policy

IKE PACKET MODE QUICK REFERENCE

  • > outgoing
  • < incoming

PHASE 1 (MAIN MODE)

  • 1 > Pre shared Secrets, Encryption & hash Algorithms, Auth method, initiator cookie (clear text)
  • 2 < agree on one encryption & hash, responder cookie (clear text)
  • 3 > random numbers sent to prove identity (if it fails here, reinstall)
  • 4 < random numbers sent to prove identity (if it fails here, reinstall)
  • 5 > authentication between peers, peers ip address, certificates exchange, shared secrets, expired certs, time offsets
  • 6 < peer has agreed to the proposal and has authenticated initiator, expired certs, time offsets

PHASE 2 (QUICK MODE)

  • 1 > Use a subnet or a host ID, Encryption, hash, ID data
  • 2 < agrees with its own subnet or host ID and encryption and hash
  • 3 > completes IKE negotiation

GOOD SKS to KNOW

  • sk31221 – The NGX Advanced Troubleshooting Reference Guide (ATRG)
  • sk26362 – Troubleshooting MTU related issues
  • sk30509 – Configuring VPN-1/FireWall-1
  • sk31567 – What is ike.elg?
  • sk20277 – “Tunnel failure, cannot find IPSec methods of the community (VPN Error code 01)” appears
  • sk31279 – Files copied over encrypted tunnel displaying error: “network path is too deep”
  • sk32648 – Site-to-site VPN using certificates issued by the ICA (Internal Certificate Authority) fails
  • sk19243 – largest possible subnet even when the largest_possible_subnet option is set to false
  • sk31619 – VPN tunnel is down troubleshooting
  • sk19599 – how to edit user.def for largest possible subnets & host only


This is a list of several Check Point SPLAT commands that I use frequently. Perhaps this CLI tip sheet for Secure Platform is useful to you too:

  • clock : display date and time on the firewall
  • cpconfig : change SIC, licenses and more
  • cphaprob ldstat : display sync serialization statistics
  • cphaprob stat : list the state of the high availability cluster members; should show active and standby devices
  • cphaprob syncstat : display sync transport layer statistics
  • cphastop : stop a cluster member from passing traffic; stops synchronization (emergency only)
  • cplic print : license information
  • cpstart : start all Check Point services
  • cpstat fw : show policy name, policy install time and interface table
  • cpstat ha : high availability state
  • cpstat os -f all : Check Point interface table, routing table, version, memory status, CPU load, disk space
  • cpstat os -f cpu : Check Point CPU status
  • cpstat os -f routing : Check Point routing table
  • cpstop : stop all Check Point services
  • cpwd_admin monitor_list : list processes actively monitored; a firewall should contain cpd and vpnd
  • find / -type f -size +10240k -exec ls -la {} \; : search for files larger than 10 MB
  • fw ctl iflist : show interface names
  • fw ctl pstat : show control kernel memory and connections
  • fw exportlog -o : export the current log file to ASCII
  • fw fetch 10.0.0.42 : get the policy from the firewall manager (use this only if there are problems on the firewall)
  • fw log : show the content of the connections log
  • fw log -b : search the current log for activity between specific times, e.g.

      fw log -b "Jul 23, 2009 15:01:30" "Jul 23, 2009 15:15:00"

  • fw log -c drop : search for dropped packets in the active log; accept or reject can be used the same way
  • fw log -f : tail the current log
  • fwm logexport -i -o : export an old log file on the firewall manager
  • fw logswitch : rotate logs
  • fw lslogs : list firewall logs
  • fw stat : firewall status; should contain the name of the policy and the relevant interfaces, e.g. Standard_5_1_1_1_1 [>eth4] [eth0.900] [
  • fw stat -l : show which policy is associated with which interface and the packet drop, accept and reject counts
  • fw tab : display firewall tables
  • fw tab -s -t connections : number of connections in the state table
  • fw tab -t xlate -x : clear all translated entries (emergency only)
  • fw unloadlocal : clear the local firewall policy (emergency only)
  • fw ver : firewall version
  • fwm lock_admin -h : unlock a user account after repeated failed login attempts
  • fwm ver : firewall manager version (on SmartCenter)
  • ifconfig -a : list all interfaces
  • log list : list the names of the logs
  • log show : display a specific log; 'log show 33' will display "Can't find my SIC name in registry" if there are communication problems
  • netstat -an | more : check what ports are in use or listening
  • netstat -rn : routing table
  • passwd : change the current user's password
  • ps -ef : list running processes
  • sysconfig : configure date/time, network, DNS, NTP
  • upgrade_import : run '/opt/CPsuite-R65/fw1/bin/upgrade_tools/upgrade_import' after a system upgrade to import the old license and system information
  • hwclock : show the hardware clock. If the hardware and operating system clocks are off by more than a minute, sync the hardware clock to the OS with "hwclock --systohc"
  • fw fetch 10.0.0.42 : manually grab the policy from the management server at 10.0.0.42
  • fw log -f : shows you real-time logs on the firewall; will likely crash your terminal


You’ve been given the task of working on a firewall – but unfortunately the old admin never took notes, there is no documentation, and the physical UTM-1 Appliance is in another country. So… what the heck is it? Here is how to find out what type of UTM-1 or Power-1 Appliance you have in the datacenter from the command line:

Run the following command:

[Expert@yourfirewall]# /usr/sbin/dmidecode | grep "Product Name"
Product Name: P-10-00

Here is the Product Name dmidecode table for the UTM-1/Power-1 appliances:

DMI Code   Model of UTM-1/Power-1 Appliance
C2_UTM     UTM-1 450 Appliance
C6P_UTM    UTM-1 2050 Appliance
C6_UTM     UTM-1 1050 Appliance
P-10-00    Power-1 5070 Appliance
P-20-00    Power-1 9070 Appliance
U-10-00    UTM-1 270 Appliance
U-15-00    UTM-1 570 Appliance
U-20-00    UTM-1 1070 Appliance
U-30-00    UTM-1 2070 Appliance
U-40-00    UTM-1 3070 Appliance
U-5-00     UTM-1 130 Appliance
