Thursday, November 27, 2014

Checkpoint firewall debugging basics

Hello
here is a blog entry I found with basic debugging commands for Check Point firewalls (http://itsecworks.com/2011/08/09/checkpoint-firewall-debugging-basics/).
The post is not recent, but the method is still valid.



Debugging a Check Point firewall is not a big deal, but understanding the output is in many cases impossible for those NOT working at Check Point.
I write here not about the exact analysis of the debug output, just about how to collect the required information, which may speed up the troubleshooting.

1. Reset the debug settings to the defaults.
In case someone changed the settings in the past and the firewall has not been rebooted since, set everything back to the defaults first:
# fw ctl debug 0
Defaulting all kernel debugging options

2. Check the list of modules we can use and choose the required ones.
The following command lists the modules with their options (it expects a module name, so without one it prints the usage text followed by the full list):

[Expert@sgLondon]# fw ctl debug -m
debug: option requires an argument -- m
Usage: fw ctl debug [-d ] [-s ""] [-v (""|all)] [-x] [-m ] [-e expr | -i | -u] [+|-]
Or: fw ctl debug [-t (NONE|ERR|WRN|NOTICE|INFO)] [-f (RARE|COMMON)]
Or: fw ctl debug -buf [buffer size]
-h - for help
Where possible options are:
Module: kiss
Kernel debugging options: error warning ioctl memory misc chain driver pools handles vbuf pm rem sm dfa pmdump pmint htab bench ghtab mtctx queue thread
Messaging threshold set to type=Info freq=Common
Module: kissflow
Kernel debugging options: error warning memory pm compile dfa
Messaging threshold set to type=Info freq=Common
Module: fw
Kernel debugging options: error warning cookie crypt domain ex driver filter hold if install ioctl kbuf ld log machine memory misc packet q xlate xltrc conn synatk media sip vm chain bridge tcpstr scv packval sync ipopt link nat cifs drop route citrix misp portscan leaks mgcp sock mail spii chainfwd msnms wire balance dynlog smtp wap content mrtsync sam sock malware cmi aspii dos advp multik netquota monitor monitorall dfilter integrity epq cvpnd cptls ftp
Messaging threshold set to type=Info freq=Common
Module: h323
Kernel debugging options: error init h225 h245 ras decode align cpas
Messaging threshold set to type=Info freq=Common

Module: multik
Kernel debugging options: error conn packet api message state packet_err counter event quota ioctl lock clb
Messaging threshold set to type=Info freq=Common
Module: BOA
Kernel debugging options: fatal error warning info stat memory analyzer spider flow stream disasm lock
Messaging threshold set to type=Info freq=Common
Module: WS
Kernel debugging options: fatal error warning info timestamp connection session parser body global stat memory address policy pfinder regexp coverage report_mgr spii uuid ioctl module mem_pool pkt_dump subject sslt cookie stream vs event
Messaging threshold set to type=Info freq=Common
Module: CI
Kernel debugging options: fatal error warning info timestamp coverage subject memory module session address vs regexp ioctl policy profile filter uf av crypto stat
Messaging threshold set to type=Info freq=Common
Module: CPAS
Kernel debugging options: error warning tcp api glue events conns pkts timer tcpinfo http ftp skinny notify sync
Messaging threshold set to type=Info freq=Common
Module: VPN
Kernel debugging options: driver err packet policy sas rdp pcktdmp queue init sr mem comp xl counters mspi cphwd ref vin cluster nat l2tp tnlmon warn tcpt tagging ike ifnotify resolver gtp topology multik multicast
Messaging threshold set to type=Info freq=Common

3. Set the buffer size.
The size of the buffer (given in KB) depends on how many modules and options you choose and how much output they are going to generate.

# fw ctl debug -buf 9600
Initialized kernel debugging buffer to size 9600K

4. Choose the modules and their options for the debug.
A) If no options are given, the default is error and warning, or just error (or, as for the VPN module, error and multicast):

# fw ctl debug -m fw
Kernel debugging buffer size: 9600KB
Module: fw
Enabled Kernel debugging options: error warning
Messaging threshold set to type=Info freq=Common
B) To set your own options, type them after the module name:
# fw ctl debug -m fw packet drop sam
Updated kernel's debug variable for module fw
# fw ctl debug -m fw
Kernel debugging buffer size: 9600KB
Module: fw
Enabled Kernel debugging options: packet drop sam
Messaging threshold set to type=Info freq=Common
C) To add another option, type "+":
# fw ctl debug -m fw + route
Updated kernel's debug variable for module fw
# fw ctl debug -m fw
Kernel debugging buffer size: 9600KB
Module: fw
Enabled Kernel debugging options: packet drop route sam
Messaging threshold set to type=Info freq=Common
D) To delete the options you have set and start again, type "- all":
# fw ctl debug -m fw - all
Updated kernel's debug variable for module fw
# fw ctl debug -m fw
Kernel debugging buffer size: 9600KB
Module: fw
Enabled Kernel debugging options: None

5. Start writing the debug output to a file.
The basic command is "fw ctl kdebug"; its syntax is shown below.
One of the most important parameters is -t or -T, which adds a timestamp (seconds or microseconds) to every entry. Always use it.
# fw ctl kdebug ?
Usage: fw ctl kdebug [-i | [-f] -o ] [-b ] [-t|-T] [-p fld1[,fld2..] [-m num [-s size]]
-t/-T to print the time field (seconds/microseconds)
-p to print specific fields all|proc|pid|date|mid|type|freq|topic|time|ticks|tid|text|err|host|vsid|cpu
-m - number of cyclic files, -s - size of each
A) Write it to a file:
# fw ctl kdebug -T -f > samrules.txt
(-o filename makes a binary file, that is why I use the ">" sign)
B) Or write to a file in the background and to the terminal as well, but get the prompt back:
# fw ctl kdebug -T -f | tee samdebug.txt &

It can happen that the debugging process eats up all the CPU, you lose control of the box and sessions may be dropped.
Before starting it, it is useful to create a crontab entry or a small script that kills the process after a couple of minutes.

Let's write a shell script that kills the debugging after 10 seconds.

This example script writes to the file samrules.txt and stops after 10 seconds. Both values can be changed as needed.

# vi debug.sh
#!/bin/sh
timeout=10                              # in seconds
fw ctl kdebug -T -f > samrules.txt &    # command to terminate
cmdpid=$!
# Start a "watchdog" process that terminates the command after $timeout seconds
(sleep $timeout; kill -9 $cmdpid) &
watchdogpid=$!
wait $cmdpid                            # wait for the command (or for the watchdog to kill it)
kill $watchdogpid >/dev/null 2>&1
fw ctl debug 0                          # kdebug exiting does not reset the kernel debug flags; switch them off here
Change the file permissions and start it:
# chmod +x debug.sh
# ./debug.sh
The timeout in the script should be at least as long as it takes to reproduce the problem; a shorter capture is useless.
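The five steps above as one script. This is an added example, not part of the original post or of Check Point's own tooling. It assumes the Expert shell with fw on PATH and a 9600 KB buffer as in step 3; unless CP_DEBUG_RUN=1 is set it only prints the commands, so the exact sequence can be reviewed before it touches a production gateway. Module and option names are validated so that a typo can never be parsed as a flag, and the debug flags are reset after the capture, which the watchdog script alone does not do.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: Expert shell, 'fw' on PATH,
# CP_DEBUG_RUN=1 executes the commands, anything else only prints them (dry run).

FW=${FW:-fw}              # assumption: the Check Point 'fw' binary
BUF_KB=${BUF_KB:-9600}    # kernel debug buffer size in KB (step 3)

run() {
    if [ "${CP_DEBUG_RUN:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Only plain tokens may reach 'fw ctl debug': a stray '-buf' or a shell
# metacharacter in a module/option name would change what the command does.
valid_token() {
    case "$1" in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# cp_debug_capture OUTFILE SECONDS MODULE [OPTION...]
cp_debug_capture() {
    [ $# -ge 3 ] || { echo "usage: cp_debug_capture OUTFILE SECONDS MODULE [OPTION...]" >&2; return 2; }
    outfile=$1; timeout=$2; module=$3; shift 3
    valid_token "$module" || { echo "invalid module name: $module" >&2; return 2; }
    for opt in "$@"; do
        valid_token "$opt" || { echo "invalid option name: $opt" >&2; return 2; }
    done
    [ "$timeout" -gt 0 ] 2>/dev/null || { echo "SECONDS must be a positive integer" >&2; return 2; }

    run "$FW" ctl debug 0                  # step 1: back to the defaults
    run "$FW" ctl debug -buf "$BUF_KB"     # step 3: buffer size
    run "$FW" ctl debug -m "$module" "$@"  # step 4: enable the chosen options

    # step 5: capture with microsecond timestamps; the watchdog ends it after $timeout seconds
    run "$FW" ctl kdebug -T -f > "$outfile" &
    cmdpid=$!
    (sleep "$timeout"; kill "$cmdpid" 2>/dev/null) >/dev/null 2>&1 &
    watchdogpid=$!
    wait "$cmdpid" 2>/dev/null || true
    kill "$watchdogpid" 2>/dev/null || true

    run "$FW" ctl debug 0                  # kdebug exiting leaves the flags set: switch them off
}

# 30 seconds of fw packet/drop/sam messages, printed only unless CP_DEBUG_RUN=1
if [ "${1:-}" = "--demo" ]; then
    cp_debug_capture /var/log/samrules.txt 30 fw packet drop sam
fi
```

Run it once without CP_DEBUG_RUN to see the commands, then with CP_DEBUG_RUN=1 and a timeout no shorter than the time it takes to reproduce the problem.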

Wednesday, March 19, 2014

How to add space to a Checkpoint firewall

here is a brief procedure for adding space when you run out of it on a Check Point firewall.
Steps 1 to 5 apply to any Linux box that uses LVM; lvm_manager (steps 6 and 7) is Check Point's own utility, on a generic Linux box you would use lvextend and then resize2fs instead.



  1. add the disk to the system
  2. check with fdisk -l that the disk is visible
  3. create a partition on it with fdisk and assign type LVM 0x8e (e.g. /dev/sdb1)
  4. pvcreate /dev/sdb1
  5. vgextend VGname Partition (e.g. vgextend vg_splat /dev/sdb1)
  6. launch the lvm_manager utility
  7. choose to resize the logical volume that needs more space

But what if the disk is bigger than 2 TB?
The MBR partition table written by fdisk cannot address more than 2 TiB, so you need a GPT label, which parted can create.

Let's say you have an HP server whose Smart Array logical drive shows up as
/dev/cciss/c0d1
  1. parted
  2. select /dev/cciss/c0d1
  3. mklabel gpt (to create a GPT table; this wipes any existing partition table on the disk)
  4. mkpart primary 0 -1 (to create a partition using all the disk space; parted may warn that the partition is not aligned for best performance, "mkpart primary 0% 100%" lets it choose aligned boundaries)
  5. set 1 lvm on (to change the partition type to LVM)
  6. quit
At this point you can run pvcreate and vgextend as before, using the /dev/cciss/c0d1p1 partition (devices whose name ends in a digit get a "p" before the partition number).
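The procedure above as a script, added here as an example; it is not part of the original post. It works out the partition name the kernel will use (sdb1 versus c0d1p1), chooses an msdos or GPT label from the device size, and prints the commands so they can be checked before anything is written to the disk; EXTEND_RUN=1 executes them. It assumes parted and the lvm2 tools are installed, that the size is taken from blockdev --getsize64, and that the last step is lvm_manager on Check Point (CHECKPOINT=1) or lvextend -r on a generic Linux box.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: parted and lvm2 on PATH,
# EXTEND_RUN=1 executes the plan, CHECKPOINT=1 uses lvm_manager instead of lvextend.

MBR_LIMIT=2199023255552   # 2 TiB (2^41 bytes): the most an msdos/MBR table addresses with 512-byte sectors

# Kernel naming rule: a device whose name ends in a digit (cciss/c0d1, nvme0n1,
# mmcblk0) gets a 'p' before the partition number; sdb simply becomes sdb1.
first_partition() {
    case "$1" in
        *[0-9]) printf '%sp1\n' "$1" ;;
        *)      printf '%s1\n' "$1" ;;
    esac
}

# msdos is fine up to 2 TiB; above that only GPT works, the limit the post runs into.
label_for_size() {
    if [ "$1" -gt "$MBR_LIMIT" ]; then echo gpt; else echo msdos; fi
}

# extend_vg_plan DEVICE SIZE_BYTES VG LV  -> one shell command per line
extend_vg_plan() {
    dev=$1; size=$2; vg=$3; lv=$4
    part=$(first_partition "$dev")
    # mklabel wipes any existing partition table on DEVICE: check the device name twice.
    # '0% 100%' lets parted align the partition; the post's '0 -1' works but draws an alignment warning.
    printf 'parted -s %s mklabel %s mkpart primary 0%% 100%% set 1 lvm on\n' "$dev" "$(label_for_size "$size")"
    printf 'pvcreate %s\n' "$part"
    printf 'vgextend %s %s\n' "$vg" "$part"
    if [ "${CHECKPOINT:-0}" = 1 ]; then
        echo lvm_manager                                              # Check Point: resize the LV interactively
    else
        printf 'lvextend -r -l +100%%FREE /dev/%s/%s\n' "$vg" "$lv"   # generic Linux: grow LV and filesystem together
    fi
}

# Print the plan, or run it command by command when EXTEND_RUN=1 (stops at the first failure).
extend_vg() {
    if [ "${EXTEND_RUN:-0}" = 1 ]; then
        extend_vg_plan "$@" | while IFS= read -r cmd; do
            echo "+ $cmd"
            sh -c "$cmd" || exit 1
        done
    else
        extend_vg_plan "$@"
    fi
}

# On a real box: extend_vg /dev/sdb "$(blockdev --getsize64 /dev/sdb)" vg_splat lv_log
```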


Tuesday, March 11, 2014

Uncover the Meaning of top's Statistics

Interesting article I found on the Internet (http://www.linux.com/learn/tutorials/42048-uncover-the-meaning-of-tops-statistics)

Its name is kind of unique for something that shows system statistics: top. It is part of the procps package, a set of Linux utilities that provide system information. Besides top, procps also includes free, vmstat, ps, and many other tools.
Top gives you a snapshot of the system's state, e.g. free physical memory, number of running tasks, percentage of CPU time used by each process, all in a single view. So it is like using ps, free, and uptime at the same time. Top gets most of its information from several files under the /proc directory. You might already be aware that this directory provides users with a broad range of system-wide statistics, but thanks to top we can summarize most of them inside a single organized window.
Furthermore, with top you can do things like:

Tuesday, February 18, 2014

Evasion techniques

Evasion & the limitations of legacy AV tools: Zeus banking malware hides a crucial file in a photo computerworld.com/s/article/9246… via @computerworld (http://twitter.com/#!/thecyberwire/status/435843412919476224)

Monday, July 15, 2013

Checkpoint Gaia - How to reset expert password in Gaia

If you have forgotten the Expert mode password on Check Point Gaia OS, you will find Check Point SecureKnowledge SK92347 (http://supportcontent.checkpoint.com/solutions?id=sk92347), but the procedure there requires Expert access.
Actually, if you have at least SSH (CLISH) access to the system, you do not need much more than the password hash of another user. With that hash you can run a single CLISH command to fix the problem.

In the output of the "show configuration" command look for the hash, e.g.:

set user lchiavacci password-hash $1$cQ3vKZFw$cHR$T3gMqcyqP0HdKx12P9

copy the hash and run

set expert-password-hash $1$cQ3vKZFw$cHR$T3gMqcyqP0HdKx12P9

At this point the expert password is the same as user lchiavacci's.

Keep in mind what this means for the security of the box: every administrator who can run "show configuration" sees every user's $1$ (md5-crypt) hash, which is cheap to attack offline, and every administrator allowed to run "set expert-password-hash" can give themselves Expert (root) access. CLISH admin access is therefore as sensitive as Expert access and should be restricted the same way.

Try it and let me know if it works for you
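Rather than copying another user's hash, you can generate a fresh $1$ hash for a password of your own and paste that into CLISH. The functions below are an added example, not part of the original post; they assume that openssl passwd -1 is available on the machine where you run them (any Linux box, only the resulting hash goes into CLISH) and that set expert-password-hash accepts the same $1$ format the post shows. The password is passed on stdin rather than as an argument so it does not show up in ps or the shell history. md5crypt_check also lets you test offline which password a hash taken from show configuration corresponds to.

```shell
#!/bin/sh
# Added example, not from the original post. Assumption: 'openssl passwd -1' is available
# and Gaia accepts the resulting $1$<salt>$<hash> string for set expert-password-hash.

# md5crypt_hash PASSWORD [SALT] -> "$1$<salt>$<22 chars>"; openssl picks a random salt if none is given.
# The password travels over stdin (-stdin), not on the command line.
md5crypt_hash() {
    if [ -n "${2:-}" ]; then
        printf '%s\n' "$1" | openssl passwd -1 -salt "$2" -stdin
    else
        printf '%s\n' "$1" | openssl passwd -1 -stdin
    fi
}

# md5crypt_salt HASH -> the salt between the second and third '$'
md5crypt_salt() {
    printf '%s\n' "$1" | cut -d'$' -f3
}

# md5crypt_check HASH PASSWORD -> exit 0 if PASSWORD reproduces HASH (same salt, same digest)
md5crypt_check() {
    case "$1" in
        '$1$'*) ;;
        *) echo "not a \$1\$ md5-crypt hash: $1" >&2; return 2 ;;
    esac
    [ "$(md5crypt_hash "$2" "$(md5crypt_salt "$1")")" = "$1" ]
}

# expert_hash_cmd PASSWORD -> the CLISH line to paste, with a fresh random salt
expert_hash_cmd() {
    printf 'set expert-password-hash %s\n' "$(md5crypt_hash "$1")"
}
```

Generate the line with expert_hash_cmd 'your-password', paste it into CLISH, then save config. To find out whether a hash from show configuration belongs to a password you suspect, run md5crypt_check 'HASH' 'password'; it prints nothing and returns 0 on a match.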


Thursday, July 11, 2013

CheckPoint - Troubleshooting the URLF blade and Identity Awareness

Here are some commands that I use to troubleshoot the integration between Identity Awareness and URL Filtering

Adlog
[Expert@cpfirewall01:0]# adlog a dc

Domain controllers:
Domain Name             IP Address              Connection state                Events in the last hour
===============================================================================================
acme.net;   10.100.17.101;            has connection;                 16531
acme.net;   10.100.17.102;            has connection;                 12230
acme.net;   10.200.28.8;              has connection;                 1436
acme.net;   10.200.35.195;            has connection;                 640
acme.net;   10.200.36.71;             has connection;                 2758
acme.net;   10.200.39.76;             has connection;                 656
acme.net;   10.200.52.10;             has connection;                 1768

Ignored domain controllers on this gateway:
acme.net
        => 10.200.32.48
        => 10.200.34.18



Thursday, February 14, 2013

Check Point has released a script to remove old software versions

Hi all,
sk91060, recently published by Check Point, seems to solve the problem of old software releases that remain on the system.

Worth a try.