Monday, January 14, 2019

Import Certificate on Windows IIS

Finally you have chosen IIS

Import your certificate into the 'awesome' Windows IIS

OK, maybe you are forced to use IIS as your web server; in that case, I would like you to know that my thoughts are with you.

So, let's see how to import a certificate you already own into an IIS environment.

Application and files needed:
- OpenSSL (
- Certificate (.crt) file
- Private key (.key) file

Are you ready? I hope so...

1- First of all we have to create a .pfx file (certificate + private key).
2- Locate your .crt and .key files.
3- Using OpenSSL:
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile more.crt
      - pkcs12 - the OpenSSL utility for PKCS#12 files
      - -export -out certificate.pfx - export and save the PFX file as certificate.pfx
      - -inkey privateKey.key - your private key
      - -in certificate.crt - use certificate.crt as the certificate the private key will be combined with
      - -certfile more.crt - optional; use it if you have any additional certificates (e.g. the intermediate chain) you would like to include in the PFX file
4- When running the above command you are asked to set an export password for the file; please don't forget it.
5- You will see a new file, named 'certificate.pfx'.
6- Open the IIS dashboard, then in the Connections column select your server.
7- In the central part of the window, click the Server Certificates icon.

8- After opening it, right-click and choose Import from the 'Actions' menu.

9- Select your newly created 'certificate.pfx' and type in your export password.
10- Click OK.

Now you can see your certificate in the list, and you can choose it in the Sites/Bindings section.
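As an added example (not part of the original post), the OpenSSL step above wrapped in a small POSIX shell script: the export password is read from an environment variable instead of being typed on the command line, and the resulting .pfx is checked (it opens with the password, and the key really matches the certificate) before it is copied over to the IIS server. It assumes openssl is on PATH; the file names are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post or from OpenSSL's own scripts.
# Assumes: openssl on PATH. Password is taken from $PFX_PASSWORD so it does
# not land in shell history or show up in `ps` output while openssl runs.

# Build the PKCS#12 (.pfx) bundle from a private key, the leaf certificate and
# an optional chain file (the -certfile step from the post). openssl refuses
# to export if the key does not match the certificate, which is the first
# sanity check you get for free.
make_pfx() {
    key="$1"; crt="$2"; out="$3"; chain="$4"
    [ -n "$PFX_PASSWORD" ] || { echo "PFX_PASSWORD is not set" >&2; return 1; }
    if [ -n "$chain" ]; then
        openssl pkcs12 -export -out "$out" -inkey "$key" -in "$crt" \
            -certfile "$chain" -passout env:PFX_PASSWORD
    else
        openssl pkcs12 -export -out "$out" -inkey "$key" -in "$crt" \
            -passout env:PFX_PASSWORD
    fi
}

# Re-open the bundle with the password (MAC check + parse); non-zero exit
# means a wrong password or a corrupted file, i.e. the import in IIS would
# fail with exactly the password error people hit at step 9.
verify_pfx() {
    openssl pkcs12 -in "$1" -noout -passin env:PFX_PASSWORD
}

# Show the subject and expiry of the certificate inside the .pfx, so the
# right certificate is confirmed before it is bound to a site.
pfx_subject() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin env:PFX_PASSWORD 2>/dev/null \
        | openssl x509 -noout -subject -enddate
}
```

On OpenSSL 3.x the default PKCS#12 encryption (AES-256-CBC with PBKDF2) is rejected by older Windows releases with a misleading "password is incorrect" error; if the IIS host is an older Windows Server, re-export with the `-legacy` option of `openssl pkcs12` (OpenSSL 3.x only).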

Thanks to:

Wednesday, November 21, 2018

Checkpoint smartcenter - manage size of $FWDIR/log/postgres.elg

In the last few months I have started migrating to R80.10 software and I found an interesting issue with the postgres SQL database on SmartCenter.
No rotation of the log file has been added to /etc/cpshell/log_rotation.conf, so the file, over time, can grow to any size until it fills up all the disk space.

Simple workaround until Checkpoint fixes it:

  • edit the /etc/cpshell/log_rotation.conf file adding this line
  • run log_start list to verify that your change is visible
  • cpstop && cpstart on the management
If the $FWDIR/log/postgres.elg file is already way too BIG, I did this fix:

after cpstop, issue cat /dev/null > $FWDIR/log/postgres.elg and the file is zeroed

Friday, September 28, 2018

Checkpoint how to clear all tables of IA

The following command clears all pdp and pep tables on the security gateway:

fw tab -t pdp_sessions -t pdp_super_sessions -t pdp_super_sessions -t pdp_encryption_keys -t pdp_whitelist -t pdp_timers -t
pdp_expired_timers -t pdp_ip -t pdp_net_reg -t pdp_net_db -t pdp_cluster_stat -t pep_pdp_db -t pep_networks_to_pdp_db -t
pep_net_reg -t pep_reported_network_masks_db -t pep_port_range_db -t pep_async_id_calls -t pep_client_db -t
pep_identity_index -t pep_revoked_key_clients -t pep_src_mapping_db -t pep_log_completion -x -y

This command causes a temporary disconnection for all traffic passing through the firewall, so use it with caution.

Wednesday, April 18, 2018

Checkpoint firewall reimaging via USB disk

Just as a reminder of the options available when the serial cable connection messes up the screen.

Monday, November 27, 2017

Top CheckPoint CLI commands

This post is a summary of some of the most important Checkpoint commands, taken from the Checkpoint Community (CheckMates).

  • fw ctl zdebug drop - used to quickly see all dropped connections and, more importantly, the reason (e.g. anti-spoofing, IPS, FW rule, ...). USE WITH EXTREME CAUTION
  • cpstat fw - quickly see stats on the number of connections (accepted, denied, logged) with a breakdown. If the FW was under a high load I would usually run " watch --interval=1 'cpstat fw' " (to see in real time the interface that is causing this)
  • fw tab -s -t connections - allowed me to quickly see how much load is (and was, i.e. "peak") on the FW
  • cphaprob stat - used to see the state of the cluster
  • fwaccel stats -s - to check the acceleration status on the FW
  • cphaprob -a if - used for troubleshooting the cluster; verify that all interfaces are UP and the Virtual IP address of the cluster interfaces

Friday, October 20, 2017

Policy installation failed after cluster configuration

A few days ago, I created a new cluster on a mgmt that already manages other clusters.

On this new cluster the only interface configured was the MGMT; the other interfaces were all shut and not configured, so in the topology I defined the MGMT interface as a cluster interface.

After creating the cluster I tried to install the policy and the policy installation failed.

This is a classic issue: the cluster always needs a sync interface, so in the topology I changed the interface and defined it as Sync, although it's not a sync interface.

After this change everything was OK and I was able to install the policy.

Sunday, August 20, 2017

Easy ways to get your IP address on a Linux box

Here are some easy ways to obtain your IP address on a Linux box:

  • dig +short
  • curl -s
  • curl -s