SNOOP / TCPDump on Nokia
SNOOP / TCPDump on Nokia - from the command prompt: -
accdfw02[admin]# tcpdump -i eth4 host 198.202.183.5
tcpdump: listening on eth4
13:03:06.944096 O 198.202.183.5.1727 > 10.205.26.81.50700: S 3463726333:3463726333(0) win 32768 (DF)
13:03:06.944286 I 10.205.26.81.50700 > 198.202.183.5.1727: R 0:0(0) ack 3463726334 win 0 (DF)
13:03:09.212860 O 198.202.183.5.1728 > 10.205.26.81.50700: S 126076115:126076115(0) win 32768 (DF)
13:03:09.213049 I 10.205.26.81.50700 > 198.202.183.5.1728: R 0:0(0) ack 126076116 win 0 (DF)
more examples: -
nemmesis[admin]# tcpdump -i eth-s1p1c0 dst 193.113.32
tcpdump: listening on eth-s1p1c0
15:21:10.715750 I 10.1.1.45.500 > 193.113.32.164.500: [|isakmp]
15:21:10.963927 I 10.1.1.45.500 > 193.113.32.164.500: [|isakmp]
15:21:11.014512 I 10.1.1.45.500 > 193.113.32.164.500: [|isakmp]
15:21:19.383128 I 10.1.1.45.500 > 193.113.32.164.500: [|isakmp]
15:21:26.893914 I 10.1.1.45.500 > 193.113.32.164.500: [|isakmp]
15:21:34.905623 I 10.1.1.45.500 > 193.113.32.164.500: [|isakmp]
15:22:21.135982 I 10.1.1.45.500 > 193.113.32.165.500: [|isakmp]
15:22:21.425470 I 10.1.1.45.500 > 193.113.32.165.500: [|isakmp]
15:22:21.464909 I 10.1.1.45.500 > 193.113.32.165.500: [|isakmp]
15:22:28.983291 I 10.1.1.45.500 > 193.113.32.165.500: [|isakmp]
15:22:36.994594 I 10.1.1.45.500 > 193.113.32.165.500: [|isakmp]
15:22:45.006101 I 10.1.1.45.500 > 193.113.32.165.500: [|isakmp]
15:22:56.824393 I 10.1.1.45.500 > 193.113.32.165.500: [|isakmp]
15:22:56.864905 I 10.1.1.45 > 193.113.32.165: icmp: 10.1.1.45 udp port 500 unree
15:22:56.868369 I 10.1.1.45 > 193.113.32.165: icmp: 10.1.1.45 udp port 500 unree
15:22:56.869599 I 10.1.1.45 > 193.113.32.165: icmp: 10.1.1.45 udp port 500 unree
15:23:26.745214 I 10.1.1.45.500 > 193.113.32.164.500: [|isakmp]
15:23:26.989982 I 10.1.1.45.500 > 193.113.32.164.500: [|isakmp]
15:23:27.027646 I 10.1.1.45.500 > 193.113.32.164.500: [|isakmp]
15:23:35.262870 I 10.1.1.45.500 > 193.113.32.164.500: [|isakmp]
15:23:43.299806 I 10.1.1.45.500 > 193.113.32.164.500: [|isakmp]
15:23:51.311336 I 10.1.1.45.500 > 193.113.32.164.500: [|isakmp]
15:23:59.322837 I 10.1.1.45.500 > 193.113.32.164.500: [|isakmp]
15:24:26.933026 I 10.1.1.45.500 > 193.113.32.164.500: [|isakmp]
15:24:41.749849 I 10.1.1.45.500 > 193.113.32.164.500: [|isakmp]
15:24:42.004427 I 10.1.1.45.500 > 193.113.32.164.500: [|isakmp]
15:24:42.044858 I 10.1.1.45.500 > 193.113.32.164.500: [|isakmp]
15:24:46.773257 I 10.1.1.45.500 > 193.113.32.164.500: [|isakmp]
15:24:53.901265 I 10.1.1.45.500 > 193.113.32.164.500: [|isakmp]
15:25:01.912729 I 10.1.1.45.500 > 193.113.32.164.500: [|isakmp]
15:25:09.924208 I 10.1.1.45.500 > 193.113.32.164.500: [|isakmp]
15:25:16.931428 I 10.1.1.45.500 > 193.113.32.164.500: [|isakmp]
15:25:17.232353 I 10.1.1.45.500 > 193.113.32.164.500: [|isakmp]
15:25:21.130826 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x2)
15:25:21.881706 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x3)
15:25:22.012227 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x4)
15:25:22.053588 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x5)
15:25:22.110877 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x6)
15:25:22.401857 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x7)
15:25:22.457159 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x8)
15:25:22.622321 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x9)
15:25:22.632475 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0xa)
15:25:22.836791 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0xb)
15:25:22.906865 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0xc)
15:25:22.964791 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0xd)
15:25:23.123266 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0xe)
15:25:23.212977 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0xf)
15:25:23.275673 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x10)
15:25:23.277104 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x11)
15:25:23.384515 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x12)
15:25:23.414104 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x13)
15:25:23.524317 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x14)
15:25:24.390650 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x15)
15:25:24.412809 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x16)
15:25:24.413424 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x17)
15:25:24.885863 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x18)
15:25:25.386547 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x19)
15:25:26.197750 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x1a)
15:25:26.387906 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x1b)
15:25:26.900731 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x1c)
15:25:26.901206 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x1d)
15:25:27.389360 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x1e)
15:25:27.699871 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x1f)
15:25:27.900522 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x20)
15:25:29.392232 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x21)
15:25:29.392769 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x22)
15:25:29.402419 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x23)
15:25:29.905066 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x24)
15:25:29.905574 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x25)
15:25:29.923061 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x26)
15:25:30.188219 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x27)
15:25:30.904725 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x28)
15:25:30.963075 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x29)
15:25:30.964138 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x2a)
15:25:31.184852 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x2b)
15:25:32.909412 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x2c)
15:25:32.909891 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x2d)
15:25:33.187742 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x2e)
15:25:33.397985 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x2f)
15:25:33.398486 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x30)
15:25:33.448208 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x31)
15:25:33.502708 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x32)
15:25:33.553938 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x33)
15:25:33.606735 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x34)
15:25:33.660907 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x35)
15:25:33.714480 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x36)
15:25:33.772454 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x37)
15:25:33.826398 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x38)
15:25:33.911333 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x39)
15:25:33.911973 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x3a)
15:25:34.820186 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x3b)
15:25:34.930312 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x3c)
15:25:35.190692 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x3d)
15:25:35.191170 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x3e)
15:25:36.823047 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x3f)
15:25:36.915456 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x40)
15:25:36.915948 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x41)
15:25:37.463883 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x42)
15:25:37.985326 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x43)
15:25:38.825926 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x44)
15:25:38.826428 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x45)
15:25:39.196363 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x46)
15:25:39.196867 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x47)
15:25:39.919768 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x48)
15:25:39.920269 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x49)
15:25:42.471079 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x4a)
15:25:42.831746 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x4b)
15:25:42.832325 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x4c)
15:25:42.923971 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x4d)
15:25:42.924467 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x4e)
15:25:45.928429 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x4f)
15:25:45.928912 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x50)
15:25:47.198254 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x51)
15:25:47.360351 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x52)
15:25:47.488191 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x53)
15:25:47.546107 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x54)
15:25:48.199285 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x55)
15:25:49.040902 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x56)
15:25:49.082817 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x57)
15:25:49.083390 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x58)
15:25:49.200692 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x59)
15:25:50.202658 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x5a)
15:25:50.542947 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x5b)
15:25:50.834430 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x5c)
15:25:51.704318 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x5d)
15:25:51.764857 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x5e)
15:25:51.808245 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x5f)
15:25:51.808909 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x60)
15:25:51.834685 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x61)
15:25:52.045152 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x62)
15:25:52.590436 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x63)
15:25:52.591012 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x64)
15:25:53.837484 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x65)
nemmesis[admin]# tcpdump -i eth-s1p1c0 host 10.1.1.45 and 193.113.32.164
tcpdump: listening on eth-s1p1c0
16:06:17.757149 O 193.113.32.164 > 10.1.1.45: ESP(spi=17f77b,seq=0x9dd)
16:06:19.122250 O 193.113.32.164 > 10.1.1.45: ESP(spi=17f77b,seq=0x9de)
16:06:19.123743 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x8b0)
16:06:19.171400 O 193.113.32.164 > 10.1.1.45: ESP(spi=17f77b,seq=0x9df)
16:06:19.239935 O 193.113.32.164 > 10.1.1.45: ESP(spi=17f77b,seq=0x9e0)
16:06:19.241122 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x8b1)
nemmesis[admin]# tcpdump -i eth-s3p1c0 host 10.1.1.45 and 193.113.32.164
tcpdump: listening on eth-s3p1c0
16:12:35.059559 O 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x9bf)
16:12:36.061067 O 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x9c0)
16:12:36.112120 I 193.113.32.164 > 10.1.1.45: ESP(spi=17f77b,seq=0xb0e)
16:12:36.116496 O 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x9c1)
16:12:36.163588 I 193.113.32.164 > 10.1.1.45: ESP(spi=17f77b,seq=0xb0f)
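As an added example (not part of the original notes), a small Python parser for the IPSO tcpdump line format shown above. It classifies ISAKMP, ESP, ICMP port-unreachable and TCP SYN/RST lines and summarises a capture: per-peer IKE/ESP outcome, gaps in ESP sequence numbers per SPI, and SYNs that were answered with a RST. The capture it runs on is a constructed excerpt in that format, not a real trace.

```python
import re
from collections import defaultdict

# Constructed excerpt in the IPSO tcpdump format shown above (timestamp,
# I/O direction flag, "src.port > dst.port: payload"); not a real capture.
SAMPLE = """\
13:03:06.944096 O 198.202.183.5.1727 > 10.205.26.81.50700: S 3463726333:3463726333(0) win 32768 (DF)
13:03:06.944286 I 10.205.26.81.50700 > 198.202.183.5.1727: R 0:0(0) ack 3463726334 win 0 (DF)
15:21:10.715750 I 10.1.1.45.500 > 193.113.32.164.500: [|isakmp]
15:22:21.135982 I 10.1.1.45.500 > 193.113.32.165.500: [|isakmp]
15:22:56.864905 I 10.1.1.45 > 193.113.32.165: icmp: 10.1.1.45 udp port 500 unreachable
15:25:21.130826 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x2)
15:25:21.881706 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x3)
15:25:22.053588 I 10.1.1.45 > 193.113.32.164: ESP(spi=fadf0330,seq=0x5)
"""

LINE_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<dir>[IO]) "
                     r"(?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")
ESP_RE = re.compile(r"ESP\(spi=(?P<spi>[0-9a-f]+),seq=0x(?P<seq>[0-9a-f]+)\)")


def split_host_port(token):
    """'a.b.c.d.port' -> (host, port); a bare 'a.b.c.d' gives port None."""
    parts = token.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return token, None


def parse_line(line):
    """Parse one tcpdump line into a dict; None for non-packet lines
    such as 'tcpdump: listening on eth4'."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, sport = split_host_port(m["src"])
    dst, dport = split_host_port(m["dst"])
    rest = m["rest"]
    rec = {"ts": m["ts"], "dir": m["dir"], "src": src, "sport": sport,
           "dst": dst, "dport": dport, "kind": "other", "rest": rest}
    esp = ESP_RE.search(rest)
    if esp:
        rec.update(kind="esp", spi=esp["spi"], seq=int(esp["seq"], 16))
    elif "[|isakmp]" in rest:
        rec["kind"] = "isakmp"
    elif rest.startswith("icmp:") and "unreachable" in rest:
        rec["kind"] = "icmp-unreach"
    elif rest.startswith("S "):
        rec["kind"] = "tcp-syn"
    elif rest.startswith("R "):
        rec["kind"] = "tcp-rst"
    return rec


def analyze(text):
    """Summarise a capture: IKE outcome per peer, ESP sequence gaps per SPI,
    and TCP SYNs that were answered by a RST (closed port / rejected)."""
    recs = [r for r in map(parse_line, text.splitlines()) if r]
    ike = {}                   # peer -> isakmp-only | esp-up | icmp-unreachable
    gaps = defaultdict(list)   # spi -> [(expected_seq, seen_seq), ...]
    last_seq = {}
    syns, closed = set(), []
    for r in recs:
        if r["kind"] == "isakmp":
            ike.setdefault(r["dst"], "isakmp-only")
        elif r["kind"] == "icmp-unreach":
            # port unreachable on the IKE exchange: no IKE listener answered
            ike[r["dst"]] = "icmp-unreachable"
        elif r["kind"] == "esp":
            ike[r["dst"]] = "esp-up"          # ESP flowing means phase 2 completed
            prev = last_seq.get(r["spi"])
            if prev is not None and r["seq"] != prev + 1:
                gaps[r["spi"]].append((prev + 1, r["seq"]))
            last_seq[r["spi"]] = r["seq"]
        elif r["kind"] == "tcp-syn":
            syns.add((r["src"], r["sport"], r["dst"], r["dport"]))
        elif r["kind"] == "tcp-rst":
            # a RST whose endpoints mirror an earlier SYN: nothing listening there
            if (r["dst"], r["dport"], r["src"], r["sport"]) in syns:
                closed.append((r["src"], r["sport"]))
    return {"ike": ike, "esp_gaps": dict(gaps), "closed_ports": closed}


if __name__ == "__main__":
    for k, v in analyze(SAMPLE).items():
        print(k, v)
```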
fw monitor - Interface Packet Monitoring
How can I run a Packet Sniffer on the Firewall?
Solaris comes with 'snoop'. IPSO and AIX come with 'tcpdump'. However, all
versions of FireWall-1 since 4.0 come with a built-in packet sniffer called
'fw monitor', which can be used to monitor packets going in and out of the
various parts of FireWall-1. It shows packets as they enter and leave each
inspection point of FireWall-1, which is more than an ordinary packet sniffer
can do. Earlier versions of FireWall-1 require the 'fwc' feature, which is
included in a management console license. This means the feature may not work
on a firewall module that does not also hold a management console license, or
at least a management-console-type license (a temporary license has this
feature). More recent versions of FireWall-1 (4.1 SP5 and NG) don't have this
limitation.
Usage:
fw monitor [-d] [-D] -e inspect-filter -f filter-file
[-l len] [-m mask] [-x offset[,len]] [-o file]
There are four "inspection" points as packets pass through FireWall-1. We choose
where we want to "see" packets with the -m option:
Before FireWall-1 processes the packet in the inbound direction (i or PREIN)
After FireWall-1 processes the packet in the inbound direction (I or POSTIN)
Before FireWall-1 processes the packet in the outbound direction (o or PREOUT)
After FireWall-1 processes the packet in the outbound direction (O or POSTOUT)
Since there can be lots of packets, we need some way of determining which
packets we are interested in seeing. We do this by means of an INSPECT filter,
which can be typed directly on the command line or supplied in an INSPECT
filter file; one of these options (-e or -f) is required. Once you execute the
command, FireWall-1 compiles the specified INSPECT script (from the command
line or the file), loads it into the kernel module, and displays the matching
packets in the terminal window or writes them to the output file in snoop
format. It continues to do this until an interrupt signal is sent to the
program (Ctrl-C), after which it unloads the filter and exits.
The INSPECT script should return an "accept" in order for packets to be
displayed. Any other return code will cause packets not to be displayed. If you
want to only catch packets on a certain interface, do not use 'le0@all' (for
example), but instead use 'direction=x,ifid=y' where x=0 for inbound, 1 for
outbound, and y is an interface number returned by the 'fw ctl iflist' command.
Do not use table names that are used by the security policy.
Here is a table of the command line options you can give to 'fw monitor':
Flag  Description
-d    Turn on debug flag
-D    Turn on debug flag
-e    Specify an INSPECT program line (multiple -e options can be used)
-f    INSPECT filter file name. '-' can be used to specify standard input. The -f and -e options are mutually exclusive.
-l    Specify how many bytes of the packet should be transferred from the kernel.
-m    Specify the inspection points mask, any one or more of i, I, o, O as explained above. This feature only works on 4.0 SP3 or later.
-o    Specify an output file, which can be viewed with the 'snoop' command on Solaris.
-x    Perform a hex dump of the received data, starting at the specified offset and printing out 'len' bytes.
Examples
fw monitor -e "[9:1]=6, accept;" -l 100 -m iO -x 20
will display all TCP packets entering and leaving FireWall-1 (byte 9 of the IP
header is the protocol field; 6 is TCP). Up to 80 bytes of TCP header and data
will be displayed (assuming no IP Options are used).
fw monitor -e "accept;" -m iI
will display all packets entering and exiting FireWall-1 in the inbound
direction (i.e. before the OS routes the packet).
fw monitor -e "accept src=1.1.1.1;"
will display all packets originating from 1.1.1.1.
fw monitor -e "accept src=1.1.1.1,dport=80;"
will display all packets originating from 1.1.1.1 going to port 80.
fw monitor -e "accept ((src=1.1.1.1,dst=2.2.2.2) or (src=2.2.2.2,dst=1.1.1.1));"
will display all packets exchanged between 1.1.1.1 and 2.2.2.2.
e.g.
fw monitor -e "accept ((src=10.214.13.51,dst=212.140.220.25) or (src=212.140.220.25,dst=10.214.13.51));"
fw monitor -e "accept ((src=10.250.20.4,dst=51.63.241.220) or (src=51.63.241.220,dst=10.250.20.4));"
eth-s1p1c0:I[52]: 10.250.20.4 -> 51.63.241.220 (TCP) len=52 id=48055
TCP: 56288 -> 80 F...A. seq=456c5313 ack=8620c45c
eth3c0:o[52]: 10.250.20.4 -> 51.63.241.220 (TCP) len=52 id=48055
TCP: 56288 -> 80 F...A. seq=456c5313 ack=8620c45c
eth3c0:I[60]: 51.63.241.220 -> 10.250.20.4 (TCP) len=60 id=31917
TCP: 80 -> 56287 .S..A. seq=1f57134b ack=61ad52a7
eth-s1p1c0:o[60]: 51.63.241.220 -> 10.250.20.4 (TCP) len=60 id=31917
TCP: 80 -> 56287 .S..A. seq=1f57134b ack=61ad52a7
eth-s1p1c0:O[60]: 51.63.241.220 -> 10.250.20.4 (TCP) len=60 id=31917
TCP: 80 -> 56287 .S..A. seq=1f57134b ack=61ad52a7
eth-s1p1c0:i[52]: 10.250.20.4 -> 51.63.241.220 (TCP) len=52 id=48059
TCP: 56287 -> 80 ....A. seq=61ad52a7 ack=1f57134c
eth-s1p1c0:I[52]: 10.250.20.4 -> 51.63.241.220 (TCP) len=52 id=48059
TCP: 56287 -> 80 ....A. seq=61ad52a7 ack=1f57134c
eth3c0:o[52]: 10.250.20.4 -> 51.63.241.220 (TCP) len=52 id=48059
TCP: 56287 -> 80 ....A. seq=61ad52a7 ack=1f57134c
eth3c0:I[52]: 51.63.241.220 -> 10.250.20.4 (TCP) len=52 id=36781
TCP: 80 -> 56287 ....A. seq=1f57134c ack=61ad561d
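The classic way to read fw monitor output is to follow one packet (same IP id, src and dst) through the i, I, o, O points: a packet seen at i but never at I did not survive inbound inspection. The following is an added example, not part of the original notes: it parses the output format above, groups lines per packet, and reports the traversal path and which later points were never seen. The sample is the output shown above plus one constructed packet (id=99999, a SYN to port 23) that appears only at i. A missing trailing point can also just mean the capture ended or the -m mask excluded it, so treat the result as a lead, not proof.

```python
import re

# The fw monitor lines shown above, plus one constructed packet (id=99999)
# seen only at 'i' to illustrate what an inbound drop looks like.
SAMPLE = """\
eth-s1p1c0:I[52]: 10.250.20.4 -> 51.63.241.220 (TCP) len=52 id=48055
TCP: 56288 -> 80 F...A. seq=456c5313 ack=8620c45c
eth3c0:o[52]: 10.250.20.4 -> 51.63.241.220 (TCP) len=52 id=48055
TCP: 56288 -> 80 F...A. seq=456c5313 ack=8620c45c
eth3c0:I[60]: 51.63.241.220 -> 10.250.20.4 (TCP) len=60 id=31917
TCP: 80 -> 56287 .S..A. seq=1f57134b ack=61ad52a7
eth-s1p1c0:o[60]: 51.63.241.220 -> 10.250.20.4 (TCP) len=60 id=31917
TCP: 80 -> 56287 .S..A. seq=1f57134b ack=61ad52a7
eth-s1p1c0:O[60]: 51.63.241.220 -> 10.250.20.4 (TCP) len=60 id=31917
TCP: 80 -> 56287 .S..A. seq=1f57134b ack=61ad52a7
eth-s1p1c0:i[52]: 10.250.20.4 -> 51.63.241.220 (TCP) len=52 id=48059
TCP: 56287 -> 80 ....A. seq=61ad52a7 ack=1f57134c
eth-s1p1c0:I[52]: 10.250.20.4 -> 51.63.241.220 (TCP) len=52 id=48059
TCP: 56287 -> 80 ....A. seq=61ad52a7 ack=1f57134c
eth3c0:o[52]: 10.250.20.4 -> 51.63.241.220 (TCP) len=52 id=48059
TCP: 56287 -> 80 ....A. seq=61ad52a7 ack=1f57134c
eth3c0:I[52]: 51.63.241.220 -> 10.250.20.4 (TCP) len=52 id=36781
TCP: 80 -> 56287 ....A. seq=1f57134c ack=61ad561d
eth-s1p1c0:i[60]: 10.250.20.4 -> 51.63.241.220 (TCP) len=60 id=99999
TCP: 56290 -> 23 .S.... seq=00000001 ack=00000000
"""

HDR_RE = re.compile(r"^(?P<iface>[^:\s]+):(?P<pt>[iIoO])\[\d+\]: "
                    r"(?P<src>\S+) -> (?P<dst>\S+) \((?P<proto>\w+)\) "
                    r"len=\d+ id=(?P<id>\d+)$")
TCP_RE = re.compile(r"^TCP: (?P<sport>\d+) -> (?P<dport>\d+) (?P<flags>\S+)")

POINTS = "iIoO"   # the four inspection points in traversal order


def parse_fw_monitor(text):
    """Group fw monitor lines by (ip id, src, dst). For each packet keep the
    ordered path of (interface, inspection point) and the TCP detail line."""
    packets = {}
    current = None
    for line in text.splitlines():
        h = HDR_RE.match(line)
        if h:
            key = (h["id"], h["src"], h["dst"])
            current = packets.setdefault(
                key, {"proto": h["proto"], "path": [], "tcp": None})
            current["path"].append((h["iface"], h["pt"]))
            continue
        t = TCP_RE.match(line)
        if t and current is not None:
            current["tcp"] = (int(t["sport"]), int(t["dport"]), t["flags"])
    return packets


def missing_points(path):
    """Inspection points expected after the first observed one but never seen.
    'I' missing after 'i' is the usual signature of an inbound drop."""
    first = POINTS.index(path[0][1])
    seen = {pt for _, pt in path}
    return [p for p in POINTS[first:] if p not in seen]


def report(text):
    """Per packet: a readable trace string and the list of missing points."""
    out = {}
    for key, pkt in parse_fw_monitor(text).items():
        out[key] = {
            "trace": " > ".join(f"{iface}:{pt}" for iface, pt in pkt["path"]),
            "missing": missing_points(pkt["path"]),
            "tcp": pkt["tcp"],
        }
    return out


if __name__ == "__main__":
    for (pid, src, dst), info in report(SAMPLE).items():
        print(f"id={pid} {src}->{dst} {info['trace']} missing={info['missing']}")
```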
Warnings:
Don't mess with tables used in the security policy or unexpected results will
occur, including system crashes. Packets are defragmented as the packets leave
FireWall-1 in both the inbound and outbound direction. Anything that causes a
fetch, load, or unload of your security policy will cause fw monitor to exit.
There is also a known bug on the IPSO version of FireWall-1 where fw monitor
will exit unexpectedly. This will be fixed in the IPSO 3.3 version of 4.1 SP2.
In the meantime, you can work around this problem by making sure you filter out
OSPF packets with a command like the following:
fw monitor -e 'accept (ip_p = 89);'
There is a web page that helps you generate INSPECT code for use with fw monitor
at http://www.decock.org/ginspect.
Check Point also has a PDF on using the command:
http://www.checkpoint.com/techsupport/downloads/html/ethereal/fw_monitor_rev1_01.pdf
(no login required)
In the outputs: -
i - Incoming interface, before the Virtual Machine
I - Incoming interface, after the Virtual Machine
(OS routing takes place between I and o)
o - Outgoing interface, before the Virtual Machine
O - Outgoing interface, after the Virtual Machine
Repairing Nokia with Disk Errors
Repairing Nokia with Disk Errors from the command prompt: -
# fsck -y
Remove Nokia Config file
Return to default, i.e. new and unconfigured:
Test-NOK01[admin]# rm /config/active
e.g.
JHINT-NOK01[admin]# cd /config
JHINT-NOK01[admin]# ls
active db
JHINT-NOK01[admin]# rm active
JHINT-NOK01[admin]# reboot
or
From single user mode:
1. Boot into single user mode.
2. Press "return" for shell.
3. nokia[admin]# fsck -y (ensures filesystems are clean and fixes any problems)
4. nokia[admin]# mount -a (mounts filesystems)
5. nokia[admin]# cd /config (at the admin prompt change to the config directory)
6. nokia[admin]# rm active (remove the file called "active")
7. nokia[admin]# reboot (reboot the appliance)
This will start the machine in the initial configuration routine, allowing you to
set up the box from factory default.
Nokia IPSO Command Line Reference Guide V3.7
Checkpoint NG Command Line Reference Guide
Checkpoint NG 'Connectivity vs Security' - HTTP Content Issues
Policy Load Problems
In regard to fixing a policy configuration mistake, the answer is simple: unload
the policy and repush one that works. Repeat as necessary.
To do this, use the command "fw unloadlocal"
Then, reconfigure the policy and push it.
You shouldn't even have this under the above circumstances because: "In general,
you can communicate to a firewall module via any one of its interfaces provided
the connection would be allowed by the global properties or rulebase as well as
the topology settings. Since antispoofing is basically "anything" in the case of
a single interface, it should work."
To get back to the real question at hand, how to configure Anti-Spoofing on a
module with one interface: this setup is actually pathological. Phoneboy
explains below: "Antispoofing on a single-interfaced platform seems kind of
silly because except in the case where there isn't a default route, any IP
address coming into that interface could potentially be valid." So, you really
don't need to have Anti-Spoofing set.
However, the original author of the question was interested in getting rid of
the bothersome warnings at every policy push. To do this, convert the host from
a gateway to a node. In the FW-1 GUI, highlight the enforcement point object of
the proxy, right-click and select "Convert to Host" option.
Interface Anti-Spoofing
All FireWall-1 uses for "This Net" is the interface's IP and netmask.
In NG, "This Net" is properly described in the GUI in this manner. For example,
if your interface is defined with 172.16.0.10 as the IP, 255.255.255.0 as the
subnet mask and you have "This Net" checked in your anti-spoofing, the only
addresses considered valid will be 172.16.0.1 through 172.16.0.255
(The 172.16.0.0/24 network).
If you have other nets off of an interface of the firewall (e.g. behind
routers), you will need to use the "Specific" option in anti-spoofing. Create
a group that contains all the networks reachable from that interface.
UNIX commands supported on IPSO platforms
UNIX commands supported on IPSO platforms: -
cpstop
cpstart
cpconfig
fw monitor
fw ver
JHINT-NOK01[admin]# uname -a
IPSO JHINT-NOK01 3.7.1-BUILD004 releng 1227 11.06.2003-010000 i386
netstat -rn
ifconfig -a
IPSO is a version of FreeBSD UNIX, thus it contains a wealth of utilities that
give a wide range of information on its subsystems.
rm filename
Removes the file "filename"
cp file1 file2
Makes a copy of file1 and names file2
mv file1 directory
Moves "file1" to "directory"
pwd
Print working directory name
rmdir directory
Remove directory called "directory"
ls
List directory contents (use the -al switch for details)
find / -name filespec -print
Begin a search in the root directory and all subdirectories for the file named
"filespec"
ps -awux
Report all active processes in the kernel
ipsofwd on admin
Enables IP forwarding
uptime
Show how long system has been running
tail filename
Display the last part of a file called "filename"
cat filename
Concatenate and print files called "filename"
netstat -rn
Show the routing table
arp -an
Displays contents of ARP cache
tcpdump parameters
Displays traffic on a network.
traceroute 10.1.1.1
Print the route packets take to host 10.1.1.1
tar -cvf newarchive.tar dirname
Used to create the tar archive named newarchive.tar containing the contents of
directory dirname
tar -tvf newarchive.tar
Lists the contents of newarchive.tar without decompressing
gzip newarchive.tar
Compresses the file newarchive.tar.
tar -zvxf newarchive.tar.gz
Used to decompress and untar an archive created by tar and compressed by gzip.
cron
Daemon that executes scheduled commands or script.
date
Display or set date and time.
df
Display free disk space (-a shows all mount points).
vi textfile
Allows the editing of file called "textfile".
mkdir directoryname
Make directory called "directoryname".
chmod xxx
Change file modes. In symbolic form, who ::= a | u | g | o, where "u", "g" and
"o" specify the user, group and other parts of the mode bits respectively, and
"a" is equivalent to "ugo". For example, chmod 777 gives full permissions to all.
ifconfig -a
Display interface information from the command line.
ipsoinfo
IPSO information gathering utility. (note: fwinfo is included in the information
generated by ipsoinfo).
touch
Utility that sets the modification and access times of files to the current time
of day. If the file doesn't exist, it is created with default permissions.
mount -a
Mount all HD partitions (single user mode).
mount -o rw /dev/wd0f
Mount /partition for read/write.
mount -t cd9660 -o ro /dev/wcd0c /cdrom
Mounting the CD ROM.
mkdir /var/dos, then mount_msdos /dev/fd0 /var/dos
Mounting a DOS floppy disk.
Config examples: -
FW-NOK01[admin]# ifconfig eth3 af 147.149.192.2 netmask 255.255.0.0
FW-NOK01[admin]# ifconfig eth1 10.250.2.2 netmask 255.255.255.0
FW-NOK01[admin]# ifconfig eth1 speed 100m
HGSI-NOK01[admin]# clish
NokiaIP530:1> show interfaces
Physical Interface eth-s1p1
Down
Logical Interface eth-s1p1c0
Active Off
Type Ethernet
NokiaIP530:9> ver
IPSO FW-NOK01 3.7.1-BUILD004 clish 2.0
NokiaIP530:10>
FW-NOK01[admin]# rm /config/active
Note:
For more detailed information on how to use these commands visit
www.freebsd.org/cgi/man.cgi.
Adding Static Routes from CLI (CLISH)
Adding Static Routes from CLI (CLISH): -
GSI-NOK01[admin]# clish
set static-route default nexthop gateway {address or logical} gateway_address priority <1-8> on
set static-route default nexthop gateway address 10.10.10.2 priority 1 on
set static-route 10.250.5.0/24 nexthop gateway address 10.250.4.1 priority 1 on
e.g.
JHGSI-NOK02[admin]# clish
NokiaIP530:1> set static-route 10.213.0.0/16 nexthop gateway address 10.251.4.1 priority 1 on
NokiaIP530:2> exit
Goodbye..
JHGSI-NOK02[admin]# netstat -r
Troubleshooting VRRP
From Voyager you can view VRRP status (Under Monitor select VRRP)
You will be able to display interface information, and stats on all interfaces. Simply
select these from within Voyager.
These statistics are also available from the command line with the iclid command. To
use it, type iclid at the command line. Below are some example vrrp commands:
Note: To exit iclid type quit
Note: For help type ? at any point
test89[admin]# iclid
test89> show vrrp
VRRP State
Flags: On
1 interface enabled
2 virtual routers configured
0 in Init state
0 in Backup state
2 in Master state
test89> show vrrp interface
VRRP Interfaces
Interface eth-s1p1c0
Number of virtual routers: 2
Authentication: SimpleTextPassword (password=test123)
VRID 29
State: Master Time since transition: 1388
Priority: 255 Master transitions: 1
Flags: Local
Advertisement interval: 1 Router Dead Interval: 3
Primary address: 205.226.27.10
Next advertisement: 0
Number addresses: 1
205.226.27.10
VRID 27
State: Master Time since transition: 1385
Priority: 100 Master transitions: 1
Flags:
Advertisement interval: 1 Router Dead Interval: 3
Primary address: 205.226.27.10
Next advertisement: 0
Number addresses: 1
205.226.27.110
test89> show vrrp stat
VRRP Stats
Interface eth-s1p1c0
Rx IP Truncated: 0 Rx Checksum Error: 0
Rx Unknown Version: 0 Rx Unknown VRID: 0
Tx IP Truncated: 0
VRID 29
Rx Bad TTL: 0 Rx VRRP Truncated: 0
Rx Not Neighbor: 0 Rx Bad Auth: 0
Rx Unknown Auth: 0 Rx Unknown Type: 0
Rx Bad Advert Intvl: 0 Rx Bad Addr List: 0
Rx Bad Master: 0
Rx Advertisement: 0 Tx Advertisement 1399
VRID 27
Rx Bad TTL: 0 Rx VRRP Truncated: 0
Rx Not Neighbor: 0 Rx Bad Auth: 0
Rx Unknown Auth: 0 Rx Unknown Type: 0
Rx Bad Advert Intvl: 0 Rx Bad Addr List: 0
Rx Bad Master: 0
Rx Advertisement: 0 Tx Advertisement 1395
Here is what each of those variables means (all of these relate to VRRP packets):
Rx IP Truncated: Number of packets received that did not contain all of the necessary
information.
Rx Checksum Error: Number of packets received where the checksum is invalid.
Rx Unknown Version: Number of packets received with an unknown VRRP version.
Rx Unknown VRID: Number of packets received for VRIDs which we do not know about.
Tx IP Truncated: Number of packets transmitted truncated for one reason or another.
Rx Bad TTL: The TTL of any VRRP packet must be 255. If we receive a VRRP packet with
any other TTL, we discard it.
Rx VRRP Truncated: Number of packets received that contained incomplete information.
Rx Not Neighbor: Number of VRRP packets we received from hosts on a different LAN segment.
Rx Bad Auth: Number of VRRP packets where a valid authentication scheme is specified
and the authentication provided is invalid.
Rx Unknown Auth: Number of packets received where the authentication scheme specified
is unsupported/invalid.
Rx Unknown Type: Number of packet with an unknown VRRP type specified.
Rx Bad Advert Intvl: Number of packets received with an invalid advertisement interval
specified.
Rx Bad Addr List: Number of packets received with an invalid address list.
Rx Bad Master: Number of packets we discarded because they were VRRP advertisements
from lower priority routers (i.e. a lower priority router was trying to take over).
Rx Advertisement: How many times we receive packets from a VRRP master.
Tx Advertisement: How many times we advertise we are a VRRP master.
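Most of the counters above are zero on a healthy segment, and a few of them (Bad Auth, Unknown Auth, Bad TTL, Not Neighbor, Bad Master, Unknown VRID, Checksum Error) climbing is how a misconfigured or rogue VRRP speaker shows up. The following is an added example, not part of the original notes: a Python parser for the 'show vrrp stat' block format shown above that returns the counters per interface and VRID and flags those watch-listed counters when non-zero. The sample is the output above with two counters on VRID 27 changed to non-zero values (constructed).

```python
import re

# 'show vrrp stat' output as shown above; the Rx Bad Auth and Rx Bad Master
# values on VRID 27 are constructed to show how anomalies are reported.
SAMPLE = """\
VRRP Stats
Interface eth-s1p1c0
Rx IP Truncated: 0 Rx Checksum Error: 0
Rx Unknown Version: 0 Rx Unknown VRID: 0
Tx IP Truncated: 0
VRID 29
Rx Bad TTL: 0 Rx VRRP Truncated: 0
Rx Not Neighbor: 0 Rx Bad Auth: 0
Rx Unknown Auth: 0 Rx Unknown Type: 0
Rx Bad Advert Intvl: 0 Rx Bad Addr List: 0
Rx Bad Master: 0
Rx Advertisement: 0 Tx Advertisement 1399
VRID 27
Rx Bad TTL: 0 Rx VRRP Truncated: 0
Rx Not Neighbor: 0 Rx Bad Auth: 3
Rx Unknown Auth: 0 Rx Unknown Type: 0
Rx Bad Advert Intvl: 0 Rx Bad Addr List: 0
Rx Bad Master: 2
Rx Advertisement: 0 Tx Advertisement 1395
"""

# Counter name (optionally followed by ':') then its value; several pairs
# may sit on one line, and 'Tx Advertisement' is printed without a colon.
COUNTER_RE = re.compile(r"([RT]x [A-Za-z ]+?):?\s+(\d+)")

# Counters whose growth points at a neighbour with a wrong password, a
# non-adjacent sender (TTL must be 255), an unknown VRID, or a lower-priority
# router trying to take over (see the descriptions above).
WATCH = {"Rx Bad Auth", "Rx Unknown Auth", "Rx Bad TTL", "Rx Not Neighbor",
         "Rx Bad Master", "Rx Unknown VRID", "Rx Checksum Error"}


def parse_vrrp_stats(text):
    """-> {iface: {"interface": {counter: int}, vrid: {counter: int}, ...}}"""
    stats = {}
    iface, scope = None, None
    for line in text.splitlines():
        if line.startswith("Interface "):
            iface = line.split(None, 1)[1].strip()
            stats[iface] = {"interface": {}}
            scope = "interface"
        elif line.startswith("VRID "):
            scope = line.split(None, 1)[1].strip()
            stats[iface][scope] = {}
        elif iface is not None:
            for name, value in COUNTER_RE.findall(line):
                stats[iface][scope][name] = int(value)
    return stats


def flag_anomalies(stats):
    """List (iface, scope, counter, value) for watch-listed counters > 0."""
    hits = []
    for iface, scopes in stats.items():
        for scope, counters in scopes.items():
            for name, value in counters.items():
                if name in WATCH and value > 0:
                    hits.append((iface, scope, name, value))
    return hits


if __name__ == "__main__":
    for hit in flag_anomalies(parse_vrrp_stats(SAMPLE)):
        print("anomaly:", hit)
```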
Viewing VRRP interfaces from ifconfig
When viewing an interface with ifconfig it will display both local and adopted addresses
along with the virtual router MAC address. Below is an example:
root@tpgend02 # ifconfig -a
eth-s1p1c0: lname external flags=e7
inet mtu 1500
inet 205.226.27.10/24 broadcast 205.226.27.255 vrrpmac 0:0:5e:0:1:1d
inet 205.226.27.110/24 broadcast 205.226.27.255 vrrpmac 0:0:5e:0:1:1b
phys eth-s1p1 flags=133
ether 0:0:c0:68:fc:bf speed 10M half duplex
Viewing packets with tcpdump
The tcpdump command can be used to view VRRP packets:
test27-10[admin]# tcpdump -i eth-s1p1c0
tcpdump: listening on eth-s1p1c0
17:23:03.290197 205.226.27.10 > 224.0.0.18: VRRPv2-adver 20: vrid 29 pri 255
17:23:03.900209 205.226.27.10 > 224.0.0.18: VRRPv2-adver 20: vrid 27 pri 100
Note on pinging address while it is backed-up
When using VRRP v2, the unit that is backing up an address will not respond to connections
to that address (ping, telnet, http). It will only respond to arp and then forward packets
though. A backup router that takes over an IP address for a failed master will forward
packets for that address, but it will not take over the identity of the master. This
eliminates problems such as network management issues that could arise if it did assume the identity.
In Monitored Circuit, you can never ping the VRRP address. IPSO 3.3 will have a feature
that permits you to ping a VRRP IP address.
Package Install Procedure
Log in to the Nokia appliance as user admin.
Verify the presence of the package.
nokia[admin]# pwd
/var/admin
nokia[admin]# ll
total 50421
-rwxr-xr-x 1 root wheel 1039 Jul 23 20:38 .cshrc
-rw-rw-r-- 1 root wheel 21 Aug 27 17:06 .iclid_history
-rwxr-xr-x 1 root wheel 114 Jul 23 20:38 .login
-rwxr-xr-x 1 root wheel 573 Jul 23 20:38 .profile
-rw-r--r-- 1 root wheel 51583358 Aug 27 17:16 IPSO3.8_wrapper_R55.tgz
Verify that the MD5 hash matches the posted MD5 hash on the Nokia Support site.
nokia[admin]# md5 IPSO3.8_wrapper_R55.tgz
MD5 (IPSO3.8_wrapper_R55.tgz) = 9ab55f65e1665ae2ac85e6e7671bf2bc
nokia[admin]#
Start the newpkg -i script to install only, without activating the packages. When
prompted to choose an installation method, choose option 4. (For further information
on all available switches for the newpkg and newimage commands please see
Resolution 1776.)
nokia[admin]# newpkg -i
Load new package from:
1. Install from CD-ROM.
2. Install from anonymous FTP server.
3. Install from FTP server with user and password.
4. Install from local filesystem.
5. Exit new package installation.
Choose an installation method (1-5): 4
Enter pathname to the packages [ or 'exit' to exit ]:
/var/admin
Loading Package List
Next we will select the type of install we are performing. Because this is a fresh
install we will choose option 1. If you wish to perform an upgrade from a previously
installed package you would select option 2 here, and if you did not want to install
this package, you can choose to skip, and install another package, or exit the
newpkg script.
Package Description: Check Point Suite wrapper package NG
with Application Intelligence (R55) for IPSO 3.8
Would you like to :
1. Install this as a new package
2. Upgrade from an old package
3. Skip this package
4. Exit new package installation
Choose (1-4): 1
--------------------------------------------------------------------------------
Note: At this point the pre-install and post-install scripts will execute. If you
run into any errors during this phase a newpkg.log file will be generated in the
/var/log/ directory. Look over this file to determine the cause of the failure.
Common issues are not enough disk space, and installing a package of the same class.
--------------------------------------------------------------------------------
Installing IPSO3.8_wrapper_R55.tgz
Running Pre-install script
Running Post-install script
************************************************************************
It is required to configure Check Point products before activating them,
you can do so by re-login to the machine and run 'cpconfig'from the command line.
************************************************************************
Done installing IPSO3.8_wrapper_R55
End of new package installation
cleaning up ..done
Use Voyager to activate packages
nokia[admin]#
The Check Point packages have now been installed, and can be enabled through the
Manage Installed Packages page in Voyager. Before you can issue any commands specific
to a newly installed package (including the firewall commands), you must log out and
log back in to your console session so that the environment is updated.
Configuring the Check Point package: you are now at the point of configuring the newly
installed package. To configure a newly installed firewall module, issue the
cpconfig command. (Before running cpconfig for the first time, ensure that the host
address assignment has been properly defined in Voyager.) When you start cpconfig
for the first time you are shown the license agreement; accept its terms by
typing 'y' and pressing Enter.
nokia[admin]# logout
IPSO (nokia) (ttyd0)
login: admin
Password:
Last login: Fri Aug 27 17:21:04 on ttyd0
Aug 27 17:58:09 nokia [LOG_INFO] login: DIALUP ttyd0, admin
Aug 27 17:58:09 nokia [LOG_NOTICE] login: ROOT LOGIN (admin) ON ttyd0
Aug 27 17:58:09 nokia [LOG_NOTICE] login: ROOT LOGIN (admin) ON ttyd0
Aug 27 17:58:09 nokia [LOG_INFO] login: login on ttyd0 as admin
IPSO 3.8-BUILD039 #1404: 07.23.2004 193500
Terminal type? [vt100] vt220
nokia[admin]# cpconfig
Welcome to Check Point Configuration Program
=================================================
Please read the following license agreement.
Hit 'ENTER' to continue...
Check Point Software Technologies Ltd.
License Agreement V.NG.2
[license text snipped out for brevity]
Do you accept all the terms of this license agreement (y/n) ?y
After accepting the terms of the license you need to choose the type of install
appropriate for your environment. You are first presented with the choice between
Check Point Enterprise/Pro and Check Point Express. We choose Enterprise/Pro, as
this will be a distributed environment; we then choose option 2 for Distributed,
and as this is an enforcement point, we then choose option 1. This section is
an important part of the install, as it determines what type of firewall will be
installed. To change these settings once the package is installed, you must
delete and re-install the Check Point package.
Please select one of the following options:
Check Point Enterprise/Pro - for headquarters and branch offices.
Check Point Express - for medium-sized businesses.
-------------------------------------------------------------------
(1) Check Point Enterprise/Pro.
(2) Check Point Express.
Enter your selection (1-2/a-abort) [1]: 1
Select installation type:
-------------------------
(1) Stand Alone - install VPN-1 Pro Gateway and SmartCenter Enterprise.
(2) Distributed - install VPN-1 Pro Gateway, SmartCenter and/or Log Server.
Enter your selection (1-2/a-abort) [1]: 2
Select installation type:
-------------------------
(1) VPN-1 Pro Gateway.
(2) Enterprise SmartCenter.
(3) Enterprise SmartCenter and VPN-1 Pro Gateway.
(4) Enterprise Log Server.
(5) VPN-1 Pro Gateway and Enterprise Log Server.
Enter your selection (1-5/a-abort) [1]: 1
Is this a Dynamically Assigned IP Address
gateway installation ? (y/n) [n] ? n
Would you like to install a Check Point clustering product
(CPHA, CPLS or State Synchronization)? (y/n) [n] ?n
The install will now finish up. You are asked to install licenses; you can
choose to skip this and configure them later. Licenses can be installed in
a number of ways. I prefer to install the license from the command line
with the command 'cplic printlic'. For all available options please refer
to Resolution 8192. You are then asked to configure the Random Pool, and
lastly to configure Secure Internal Communication. The Activation Key is
similar to a shared secret key. You can set it to whatever you like, but
you must remember it, as it will be used to initialize SIC later from
your SmartCenter server. (See Resolution 8250 for information on initializing SIC.)
IP forwarding disabled
Hardening OS Security: IP forwarding will be disabled during boot.
Generating default filter
Default Filter installed
Hardening OS Security: Default Filter will be applied during boot.
This program will guide you through several steps where you
will define your VPN-1 & FireWall-1 configuration.
At any later time, you can reconfigure these parameters by
running cpconfig
Configuring Licenses...
=======================
Host Expiration Signature Features
Note: The recommended way of managing licenses is using SmartUpdate.
cpconfig can be used to manage local licenses only on this machine.
Do you want to add licenses (y/n) [y] ? n
Configuring Random Pool...
==========================
You are now asked to perform a short random keystroke session.
The random data collected in this session will be used in various cryptographic
operations.
Please enter random text containing at least six different characters. You will
see the '*' symbol after keystrokes that are too fast or too similar to preceding
keystrokes. These keystrokes will be ignored.
Please keep typing until you hear the beep and the bar is full.
[....................]
Thank you.
Configuring Secure Internal Communication...
============================================
The Secure Internal Communication is used for authentication between Check Point
components
Trust State: Uninitialized
Enter Activation Key:
Again Activation Key:
The Secure Internal Communication was successfully initialized
initial_module:
Compiled OK.
Hardening OS Security: Initial policy will be applied until the first policy is
installed.
In order to complete the installation you must reboot the machine.
Do you want to reboot? (y/n) [y] ?
Reboot the platform, configure SIC, and push out a policy. The install is now
complete. Note that if you cannot access the firewall at this time, a default
policy has been loaded; to regain access to the system, issue the command
'fw unloadlocal'.
Checkpoint Firewall License Commands
How do I clear the host count for a node-limited license?
On the firewall module:
cpstop (or fwstop in 4.1 and earlier)
Delete $FWDIR/database/fwd.h and $FWDIR/database/fwd.hosts
cpstart (or fwstart in 4.1 and earlier)
To avoid bouncing the firewall, use the command '# fw tab -t host_table -x' to
delete the list. The list is deleted after confirmation. Then delete the two files
as above; they will be recreated.
To see the current count, use '# fw tab -t host_table -s' and look under the
column called #VALS.
nemmesis[admin]# fw tab -t host_table -s
HOST NAME ID #VALS #PEAK #SLINKS
localhost host_table 8185 8 8 0
nemmesis[admin]# fw tab -t host_table -x
This will clear all the entries in table host_table !!!
Are you sure (yes/no)? [n] y
Clearing table host_table
nemmesis[admin]# fw tab -t host_table -s
HOST NAME ID #VALS #PEAK #SLINKS
localhost host_table 8185 1 8 0
nemmesis[admin]# fw lichosts
eth- 6/3/2006 21:39> host:10.1.1.20 src:10.1.1.20(Colossus) dst:10.1.1.254(nemmesis) proto:tcp sport:1285 dport:CPMI
eth- 6/3/2006 22:13> host:10.1.1.1 src:10.1.1.1(Aegis) dst:194.247.47.47 proto:udp sport:1290 dport:domain
eth- 6/3/2006 22:38> host:10.1.1.45 src:10.1.1.45(BT-Laptop) dst:194.247.40.126 proto:udp sport:1773 dport:domain
eth- 7/3/2006 0:33> host:192.168.0.1 src:192.168.0.1(Cyclopse) dst:194.247.47.47 proto:udp sport:blackjack dport:domain
eth- 7/3/2006 0:36> host:192.168.0.17 src:192.168.0.17 dst:192.168.0.31 proto:udp sport:netbios-ns dport:netbios-ns
eth- 9/3/2006 20:7> host:192.168.0.20 src:192.168.0.20 dst:194.247.47.47 proto:udp sport:ICKiller dport:domain
eth- 9/3/2006 20:11> host:10.1.1.21 src:10.1.1.21(Athena) dst:194.247.47.47 proto:udp sport:1026 dport:domain
eth- 14/3/2006 18:8> host:192.168.0.10 src:192.168.0.10(DHCP-Pool-1) dst:194.247.47.47 proto:udp sport:netbios-ns dport:netbios-ns
eth- 21/3/2006 17:22> host:192.168.0.10 src:192.168.0.10(DHCP-Pool-1) dst:194.247.47.47 proto:udp sport:netbios-ns dport:netbios-ns
eth- 21/3/2006 17:22> host:10.1.1.1 src:10.1.1.1(Aegis) dst:194.247.46.1 proto:tcp sport:1886 dport:pop3
nemmesis[admin]#
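The two checks shown above (reading #VALS from 'fw tab -t host_table -s' and reviewing which hosts 'fw lichosts' has counted) are the ones worth running regularly so a node-limited license does not silently hit its ceiling and start dropping new hosts. The script below is an added example, not part of the original notes or of the Check Point tooling: it parses captured output of those two commands with awk, reports the distinct counted hosts, and compares #VALS against a node limit. The sample outputs are constructed from the transcript above; LICENSE_LIMIT and the 80% warning threshold are assumed values chosen for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original notes): parse 'fw tab -t host_table -s'
# and 'fw lichosts' output from a Check Point module on Nokia IPSO and report
# how close the protected-host count is to a node-limited license.

# Constructed sample of 'fw tab -t host_table -s' output (modelled on the transcript).
HOST_TABLE_OUTPUT='HOST        NAME         ID     #VALS  #PEAK  #SLINKS
localhost   host_table   8185       8      8        0'

# Constructed sample of 'fw lichosts' output, one record per line.
LICHOSTS_OUTPUT='eth- 6/3/2006 21:39> host:10.1.1.20 src:10.1.1.20(Colossus) dst:10.1.1.254(nemmesis) proto:tcp sport:1285 dport:CPMI
eth- 6/3/2006 22:13> host:10.1.1.1 src:10.1.1.1(Aegis) dst:194.247.47.47 proto:udp sport:1290 dport:domain
eth- 7/3/2006 0:36> host:192.168.0.17 src:192.168.0.17 dst:192.168.0.31 proto:udp sport:netbios-ns dport:netbios-ns
eth- 14/3/2006 18:8> host:192.168.0.10 src:192.168.0.10(DHCP-Pool-1) dst:194.247.47.47 proto:udp sport:netbios-ns dport:netbios-ns
eth- 21/3/2006 17:22> host:192.168.0.10 src:192.168.0.10(DHCP-Pool-1) dst:194.247.47.47 proto:udp sport:netbios-ns dport:netbios-ns
eth- 21/3/2006 17:22> host:10.1.1.1 src:10.1.1.1(Aegis) dst:194.247.46.1 proto:tcp sport:1886 dport:pop3'

# host_table_vals: print the #VALS column (hosts currently counted against the
# license) from 'fw tab -t host_table -s' output read on stdin. The column is
# located by its header name so the field position is not hard-coded.
host_table_vals() {
    awk 'NR==1 { for (i=1;i<=NF;i++) if ($i=="#VALS") col=i; next }
         $2=="host_table" && col { print $col; exit }'
}

# lichosts_unique: print the distinct "host:" addresses from 'fw lichosts'
# output on stdin, sorted. A host seen on several connections is listed once.
lichosts_unique() {
    awk '{ for (i=1;i<=NF;i++) if ($i ~ /^host:/) { sub(/^host:/, "", $i); print $i } }' \
        | sort -u
}

# license_status LIMIT: read host_table -s output on stdin and print
# "ok|warn|full <vals>/<limit>". Returns 0 (ok), 1 (warn: at or above 80% of
# the limit, an assumed threshold), 2 (full), 3 (no host_table row found).
license_status() {
    limit="$1"
    vals=$(host_table_vals)
    if [ -z "$vals" ]; then
        echo "error: no host_table row found" >&2
        return 3
    fi
    if [ "$vals" -ge "$limit" ]; then
        echo "full $vals/$limit"; return 2
    elif [ $(( vals * 100 )) -ge $(( limit * 80 )) ]; then
        echo "warn $vals/$limit"; return 1
    fi
    echo "ok $vals/$limit"; return 0
}

# Assumed node limit for the demonstration; not a value from the page.
LICENSE_LIMIT=10

# On a live module the constructed samples are replaced by the real commands:
#   fw tab -t host_table -s | license_status "$LICENSE_LIMIT"
#   fw lichosts | lichosts_unique
printf '%s\n' "$HOST_TABLE_OUTPUT" | license_status "$LICENSE_LIMIT" || true
printf '%s\n' "$LICHOSTS_OUTPUT" | lichosts_unique
```

Run on a monitoring host over a captured session, or on the module itself, the exit code of license_status lets a cron job alert before the count reaches the limit; the lichosts_unique listing is what you review to decide whether a host really belongs behind this gateway before clearing the table with 'fw tab -t host_table -x'.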