Telecom and Logistics Associates
Network and Security Company
Geneva Switzerland

   
     
     
   
 

VPN-1 FAQ 

 
Press review

Checkpoint and Daylight Saving Time 2007

In March the Daylight Saving Time rules change for the US time zones. This will impact systems that deal with the affected time zones, and changes and patches are needed beforehand. In this document we summarize the issues with Checkpoint systems.   more...

 

Check Point Completes Acquisition of NFR Security

 Check Point today announced the company has completed the acquisition of NFR Security, a leader in real-time threat prevention and creator of award-winning intrusion prevention (IPS) technologies.     more...

 

Check Point Eventia enhancements provide easier real-time forensic investigations

 Check Point® Software Technologies Ltd. (Nasdaq: CHKP), the worldwide leader in securing the Internet, today announced that Eventia™ Suite - a comprehensive security information and event management (SIEM) solution – provides tighter integration with SmartCenter and Provider-1®.  This release demonstrates Check Point’s commitment and vision to provide enterprise customers with a unified security architecture as well as simplified security event management.   The Eventia Suite enables Eventia Analyzer™ customers to perform more in-depth forensic investigation with expanded reporting capabilities.  more...

 

Check Point Software to acquire hardware security platform.

 Don’t get excited. That is the news I was hoping to hear out of the leading software firewall vendor. But sadly, it is not to be. The actual headline is “Check Point to acquire an endpoint encryption vendor as part of a data protection strategy”.   I guess I have said everything there is to say in past posts about decoupling host and network security.  Trying to execute on a strategy that ties the two together has historically been doomed to failure.  Aside from the technical issues there is what I believe an insurmountable business issue. Firewalls are purchased by the network guys in the enterprise, endpoint protection solutions are controlled by the AV guys. You need twice the sales force and twice the channel to execute on both.  (And four times the sales cycle time). more...

 

Check Point Launches Z100G, Secure Home Wi-router

 Check Point ZoneAlarm Secure Wireless Router Z100G will be sold as a standalone appliance, or bundled with five copies of the award-winning ZoneAlarm Internet Security Suite software.  more...

 

Check Point: Ready to Continue with Channel Partners

 Check Point has revealed that the channel is still as important to the vendor as it has ever been before. Amnon Bar Lev, vice-president field operations and technical services speaks with Sara Yirrell about the firm’s plans for its resellers more...

 

Check Point: Security Must Focus On Desktop Policy

 The challenge of controlling security threats triggered by users in the workplace shows no sign of abating, new research commissioned by Check Point Software Technologies suggests. more...

 

Check Point Supports Handhelds on SSL VPNs

 Check Point plans to introduce a software client that makes it possible to access non-Web applications via handheld devices over Internet-based SSL VPNs.  more...

 

Check Point New HFA Released

 Check Point Release Notifications alert registered customers to the availability of the latest Hot Fix Accumulators (HFAs) and other valuable software updates as soon as they are released.
more...

Check Point Released The NGX R62 Version

  Check Point has released the NGX R62 version of VPN-1 gateways and SMART management solutions, including VPN-1 Power, VPN-1 UTM, SmartCenter and Provider-1. more...

 

Check Point DBedit import of objects

 Notes on importing objects with dbedit when planning a migration to Check Point from some other firewall in the near future. more...

 

Wall Street seeks details on Check Point analysis

 The financial world today learned firsthand from a prominent network security expert how he believes Check Point should proceed if it wants to dominate other security vendors, including the major networking vendors that also sell security gear. more...

 

Check Point: 45% of Revenue from Subscriptions

 In the following lines you will see that 45-50% of its revenue comes from subscriptions.  more...

 

 
VPN-1 FAQ Table of Contents  

Christian ALT

As a founding member of Telecom and Logistics Associates, Christian is an expert in network security. He has worked with Checkpoint and Nokia systems since 1995, has performed installations on three continents and has taught more than 100 seminars on networking and security.

He is also an ISO 27001 Lead Auditor for information security management systems.

more about Christian ...

  
 
      

 


Version History

Date         Firewall version                            Operating system
             VPN-1 4.1 SP5 build 41510                   Solaris up to version 7, Windows 2000/NT, Linux, AIX, HP
19.9.2001    VPN-1 4.1 SP4 build 41862                   Solaris up to version 7, Windows 2000/NT, Linux, AIX, HP
13.4.2000    FireWall-1 4.0 build 4094 (SP5)             Solaris, AIX, HP and NT
             FireWall-1 4.0 build 4094 (SP5)             Nokia IPSO (IPSO build 6)
             FireWall-1 4.1 build 41489 (SP1)            Solaris, AIX, HP and NT
             Check Point 2000 build 41489                Solaris, AIX, HP and NT
             FireWall-1 4.1 build 41439                  Nokia IPSO (IPSO build 12)
             SecureClient (a.k.a. SecuRemote) build 4153
             IPSO 3.2.1 is available                     Nokia

 

Windows NT/2000 versions

Q: What version of VPN-1 is supported with which Windows NT service pack?

A: The following table gives the "matching" versions of FireWall-1 and the appropriate service pack:

FireWall-1 version          NT 4.0 Service Pack
VPN-1 2000 (4.1 SP1)        SP6
4.1 SP0                     SP4 or SP5
4.0 SP5                     SP5
3.0b SP8 (build 3083)       SP4
4.0 SP1 - 4.0 SP4           SP4
3.0b pre-SP8                SP3
3.0a and earlier            SP1

 

Special Topics and FireWall-1 vulnerabilities

19.10.2001  Checkpoint Firewall Manager vulnerable under Windows NT/2000 versions
25.7.2000   Rumour: potential vulnerability of Checkpoint's firewall
12.7.2000   Cisco and Checkpoint facing firewall vulnerabilities
5.7.2000    Checkpoint vulnerability found in Firewall-1
6.6.2000    Major DoS attack for FW-1
23.4.2000   Port probing: identify what hackers try to do on your site
13.8.99     How to install FW-1 on Solaris 7 to run on 2.7 in 32-bit mode
13.8.98     Computer Crime and Security Survey results of the FBI/CSI 1998
13.8.98     IOS remote router crash explanation and patch
9.8.98      Description of the Eudora security hole through Firewall-1
6.8.98      OBJECT vulnerability in IE 4.0 going through Firewall-1
31.7.98     Countermeasure for attack against mail client and Notes 4.5 server
22.3.97     How FW-1 is vulnerable when Iexplorer and Netscape are used
14.3.97     Using a spare firewall

General

 

Q. Where can I get a port list and definitions?

A. You can get ours at http://www.tla.ch/biblio/ports.txt

You can also use our port lookup script: http://www.tla.ch/cgi-bin/port

Q. What is a spare machine?

A. A spare machine lets you swap out your firewall machine for maintenance tasks.
The downtime is between five and 15 minutes, which is acceptable for most sites. It reduces your costs considerably and gives you a redundant system. Your license must be tied to your IP address and not to your hostid, so that the spare can run under the same license.
See "Using a spare firewall" in the Special Topics list above for more information.

Q. NAT: how does it work?

A. Yet another attempt to explain NAT, since every time I do it I'm unsatisfied
with the clarity of the result. This time it follows the progress of a TCP
SYN packet from an external client to a NAT'd server and the server's
SYN+ACK response.

SCENARIO

The simplest of set-ups - an ISP router, FW-1 and a single internal host
with an RFC1918 address. All boxes are assumed to have just been booted,
i.e. routing entries present but ARP tables empty. Addresses as follows :-

INTERNET
|
ISP Router
a.b.c.1 / 010101010101 (IP/MAC)
|
a.b.c.254 / 020202020202
Firewall-1
192.168.1.1 / 030303030303
|
192.168.1.2 / 040404040404
Internal Host (public address = a.b.c.2)

NARRATIVE

We'll start at the point where the remote client's (x.y.z.8) TCP SYN
datagram has reached the ISP router via its Internet i'face. At this point
the relevant addresses are as follows :-

Src MAC = Some other Internet router's
Dst MAC = MAC address of Internet interface of ISP Router
Src IP = x.y.z.8
Dst IP = a.b.c.2

The router looks in its routing table and sees that the a.b.c.0 subnet is
locally attached, so as far as it's concerned the next hop is the Dst IP
address itself. The router sees that it has no MAC address for a.b.c.2 and
does an ARP broadcast out of its a.b.c.1 interface. There's no real host
with address a.b.c.2 to reply to the ARP but if you've set the Firewall up
properly (published ARP entry in Unix, local.arp file entry in NT) it will
reply giving 020202020202 as the MAC address for the IP address a.b.c.2.

The router is now happy, puts an entry in its ARP table to save having to
ARP again (for a while), changes the Src MAC address of the datagram to that
of its a.b.c.1 interface and the Dst MAC address to that of the Firewall (as
per the new ARP entry), thus :-

Src MAC = 010101010101
Dst MAC = 020202020202
Src IP = x.y.z.8
Dst IP = a.b.c.2

The card driver on the external side of the Firewall passes the datagram to
the firewall module which checks that it has a rule allowing x.y.z.8 to talk
to a.b.c.2. It has, so it sticks an entry in the connection table and passes
the datagram up to the IP level UNCHANGED.

IP looks at it and says 'this is not for me' and looks in its routing table.
Since routing always uses the most specific matching entry (i.e. host first,
subnet second, network third and default last) it finds your manually-added
routing entry saying that the next hop for a.b.c.2 is 192.168.1.2. It
doesn't have a MAC address associated with 192.168.1.2 but knows that it is
on the 192.168.1.0 subnet so does an ARP broadcast out of its 192.168.1.1
interface. The Host replies, the FW's IP stack creates an ARP entry and
changes the MAC addresses of the datagram again as follows :-

Src MAC = 030303030303
Dst MAC = 040404040404
Src IP = x.y.z.8
Dst IP = a.b.c.2 (STILL!)

The IP stack passes the datagram down to the firewall module which notes the
need for address translation, alters the Dst IP address to 192.168.1.2 and
records an entry in the translation table. Now we have :-

Src MAC = 030303030303
Dst MAC = 040404040404
Src IP = x.y.z.8
Dst IP = 192.168.1.2

The firewall module passes the translated datagram to the card driver which
pops it on the 192.168.1.0 network.

The Host's IP stack receives a TCP SYN datagram with its MAC address and IP
address, passes it to the listener which replies with a SYN+ACK datagram
addressed to x.y.z.8. The Hosts's IP stack looks at its routing table, sees
the default routing entry pointing to 192.168.1.1, realises that it doesn't
have an ARP entry for 192.168.1.1, does an ARP request, stores the result
and forwards the datagram as follows :-

Src MAC = 040404040404
Dst MAC = 030303030303
Src IP = 192.168.1.2
Dst IP = x.y.z.8

The card driver on the internal interface of the firewall passes the
datagram to the firewall module which sees the entry in the translation
table and modifies the source address of the datagram to a.b.c.2. The module
then looks in the connection table, sees that this is part of an established
connection and passes it up to the IP stack.

The IP stack says 'this is not for me', looks in its routing table,
eventually matches against the default entry pointing to a.b.c.1, ARPs to
get the MAC address of a.b.c.1, adds an ARP table entry, modifies the MAC
addresses and forwards the datagram as follows :-

Src MAC = 020202020202
Dst MAC = 010101010101
Src IP = a.b.c.2
Dst IP = x.y.z.8

and thereafter normal routing takes care of the datagram.

Checkpoint reference:
http://www.checkpoint.com/techsupport/documentation/index.html
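The walk above can be replayed in code. The following Python model is an added example written for this page, not Check Point code: it implements a routing table with longest-prefix match, ARP caches that start empty, a firewall module hooked in before the IP layer on the way in and after it on the way out, a connection table and a translation table, and then follows the SYN and the SYN+ACK through the four boxes. The symbolic addresses are replaced by RFC 5737 test addresses (a.b.c.0/24 becomes 203.0.113.0/24, x.y.z.8 becomes 198.51.100.8); the MAC addresses are the narrative's. All class and function names are the example's own.

```python
from ipaddress import ip_address, ip_interface, ip_network

# Constructed stand-ins for the symbolic addresses of the scenario (RFC 5737 test nets):
# a.b.c.0/24 -> 203.0.113.0/24 and x.y.z.8 -> 198.51.100.8.  The MACs are the narrative's.
CLIENT_IP, ROUTER_IP, FW_EXT_IP = "198.51.100.8", "203.0.113.1", "203.0.113.254"
PUBLISHED, FW_INT_IP, HOST_IP = "203.0.113.2", "192.168.1.1", "192.168.1.2"
TRACE = []   # (node name, frame) for every frame a node puts on a wire

class Segment:
    """One broadcast domain; ARP is answered by the address owner or a proxy-ARP holder, never by the asker."""
    def __init__(self): self.nodes = []
    def arp_request(self, ip, asker):
        for node in self.nodes:
            mac = None if node is asker else node.arp_reply(ip)
            if mac: return mac
        raise LookupError(f"nobody on the wire answers ARP for {ip}")
    def deliver(self, frame):
        for node in self.nodes:
            for ip, (mac, seg) in node.ifaces.items():
                if seg is self and mac == frame["dst_mac"]: return node.receive(frame, ip)

class Node:
    """Plain IP stack: interfaces, routing table (longest prefix wins), ARP cache empty at boot."""
    def __init__(self, name):
        self.name, self.ifaces, self.routes, self.arp_cache, self.got = name, {}, [], {}, []
    def attach(self, cidr, mac, segment):
        itf = ip_interface(cidr)
        self.ifaces[str(itf.ip)] = (mac, segment); segment.nodes.append(self)
        self.routes.append((itf.network, None, str(itf.ip)))                # directly attached subnet
    def add_route(self, cidr, next_hop, out_ip): self.routes.append((ip_network(cidr), next_hop, out_ip))
    def arp_reply(self, ip): return self.ifaces[ip][0] if ip in self.ifaces else None
    def route(self, dst):
        hits = [r for r in self.routes if ip_address(dst) in r[0]]
        if not hits: raise LookupError(f"{self.name}: no route to {dst}")
        _, next_hop, out_ip = max(hits, key=lambda r: r[0].prefixlen)        # host > subnet > default
        return next_hop or dst, out_ip
    def resolve(self, ip, out_ip):                                            # ARP once, then cache
        if ip not in self.arp_cache: self.arp_cache[ip] = self.ifaces[out_ip][1].arp_request(ip, self)
        return self.arp_cache[ip]
    def forward(self, pkt):
        next_hop, out_ip = self.route(pkt["dst_ip"]); out_mac, segment = self.ifaces[out_ip]
        frame = dict(pkt, src_mac=out_mac, dst_mac=self.resolve(next_hop, out_ip))
        frame = self.egress(frame, out_ip)            # firewall module runs after the MAC rewrite
        TRACE.append((self.name, frame)); segment.deliver(frame)
    def receive(self, frame, in_ip):
        pkt = self.ingress(frame, in_ip)              # firewall module runs before the IP layer
        if pkt is not None: (self.deliver if pkt["dst_ip"] in self.ifaces else self.forward)(pkt)
    def ingress(self, pkt, in_ip): return pkt
    def egress(self, pkt, out_ip): return pkt
    def deliver(self, pkt): self.got.append(pkt)

class Firewall(Node):
    """FW-1 module: inbound, rulebase on the UNtranslated addresses plus connection table; outbound, NAT."""
    def __init__(self, name, ext_ip):
        super().__init__(name)
        self.ext_ip, self.local_arp, self.rules, self.static_nat = ext_ip, {}, [], {}
        self.connections, self.xlate = set(), {}      # connection table, translation table
    def publish(self, ip): self.local_arp[ip] = self.ifaces[self.ext_ip][0]   # local.arp / published ARP
    def arp_reply(self, ip): return super().arp_reply(ip) or self.local_arp.get(ip)
    def ingress(self, pkt, in_ip):
        if in_ip != self.ext_ip:                      # reply from inside: un-translate the source first
            pkt = dict(pkt, src_ip=self.xlate.get(pkt["src_ip"], pkt["src_ip"]))
        fwd, rev = (pkt["src_ip"], pkt["dst_ip"]), (pkt["dst_ip"], pkt["src_ip"])
        if fwd in self.connections or rev in self.connections: return pkt     # established
        for src_net, dst_net, action in self.rules:                            # first match wins
            if ip_address(fwd[0]) in src_net and ip_address(fwd[1]) in dst_net: break
        else: action = "drop"                                                  # implicit cleanup rule
        if action != "accept": return None
        self.connections.add(fwd); return pkt
    def egress(self, pkt, out_ip):
        if out_ip != self.ext_ip and pkt["dst_ip"] in self.static_nat:
            private = self.static_nat[pkt["dst_ip"]]
            self.xlate[private] = pkt["dst_ip"]; pkt = dict(pkt, dst_ip=private)
        return pkt

class Host(Node):                                     # the NAT'd server: its listener answers the SYN
    def deliver(self, pkt):
        if pkt["flags"] == "SYN":
            self.forward({"src_ip": pkt["dst_ip"], "dst_ip": pkt["src_ip"], "flags": "SYN+ACK"})

def run_scenario(publish=True, host_route=True):
    """Walk the SYN and SYN+ACK; drop the published ARP entry or the host route to see which step fails."""
    TRACE.clear(); internet, outside, inside = Segment(), Segment(), Segment()
    client, router, fw, host = Node("client"), Node("isp-router"), Firewall("fw-1", FW_EXT_IP), Host("server")
    client.attach(CLIENT_IP + "/24", "080808080808", internet); client.add_route("0.0.0.0/0", "198.51.100.1", CLIENT_IP)
    router.attach("198.51.100.1/24", "0a0a0a0a0a0a", internet); router.attach(ROUTER_IP + "/24", "010101010101", outside)
    fw.attach(FW_EXT_IP + "/24", "020202020202", outside); fw.attach(FW_INT_IP + "/24", "030303030303", inside)
    fw.add_route("0.0.0.0/0", ROUTER_IP, FW_EXT_IP)
    if host_route: fw.add_route(PUBLISHED + "/32", HOST_IP, FW_INT_IP)       # the manually-added host route
    if publish: fw.publish(PUBLISHED)
    fw.rules.append((ip_network(CLIENT_IP + "/32"), ip_network(PUBLISHED + "/32"), "accept"))
    fw.static_nat[PUBLISHED] = HOST_IP
    host.attach(HOST_IP + "/24", "040404040404", inside); host.add_route("0.0.0.0/0", FW_INT_IP, HOST_IP)
    client.forward({"src_ip": CLIENT_IP, "dst_ip": PUBLISHED, "flags": "SYN"})
    return {"trace": list(TRACE), "router_arp": dict(router.arp_cache),
            "fw_arp": dict(fw.arp_cache), "client_got": list(client.got)}
```

Calling run_scenario() and printing the trace gives one frame per hop, and the MAC/IP pairs of the frames leaving the ISP router, the firewall (both directions) and the host are exactly the four address blocks in the narrative. run_scenario(publish=False) and run_scenario(host_route=False) both raise LookupError at the ARP step, which is the symptom seen in practice when the published ARP entry or the host route is missing: the router gets no answer for a.b.c.2, or the firewall tries to resolve a.b.c.2 on its own external interface. Note also what the ordering means for rule writing: the rulebase is consulted on the untranslated public addresses, so the rule must allow x.y.z.8 to a.b.c.2, not to 192.168.1.2.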

Q. FW-1 and Y2000?

A. After testing FireWall-1 we found that it is inconsistent in naming its log files. Before the year 2000, FireWall-1 created the log file in this form:

xxxMMDDYY.log

where xxx is the time the log file was created
MM is the month the log file was created
DD is the day the log file was created
YY is the year the log file was created (1999 is 99)

Example:
the log file created on Sep 8, 1999 has the name xxx090899.log
the log file created on Dec 31, 1999 has the name xxx123199.log

After the year 2000, FireWall-1 creates the log file in this form:

xxxMMDDYYY.log

where xxx is the time the log file was created
MM is the month the log file was created
DD is the day the log file was created
YYY is the year the log file was created (2000 is 100,
2001 is 101)

Example:
the log file created on Jan 1, 2000 has the name xxx0101100.log
the log file created on Feb 28, 2000 has the name xxx0228100.log

The "100" represents the number of years since 1900, so the year field did not wrap to 00 but grew from two digits to three. A number of
applications work this way.
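An added example, not part of the original FAQ: a parser that accepts both file-name forms and shows why a script that orders log files by name breaks at the 1999/2000 boundary. The "xxx" prefix is assumed, as on this page, not to end in digits; otherwise the date could not be split off unambiguously.

```python
from datetime import date

def logfile_date(name):
    """Creation date of a FW-1 log file from its name, for both naming schemes:
    ...MMDDYY.log before 2000 and ...MMDDYYY.log from 2000 on.  In both, the year
    field is the number of years since 1900 (99 -> 1999, 100 -> 2000, 101 -> 2001).
    Assumption: the "xxx" prefix does not itself end in digits."""
    if not name.endswith(".log"):
        raise ValueError(f"not a log file name: {name!r}")
    stem = name[:-4]
    digits = stem[len(stem.rstrip("0123456789")):]   # the trailing run of digits
    if len(digits) not in (6, 7):                     # MMDDYY or MMDDYYY; anything else is ambiguous
        raise ValueError(f"cannot split a date from {name!r}: {len(digits)} trailing digits")
    month, day, years_since_1900 = int(digits[:2]), int(digits[2:4]), int(digits[4:])
    return date(1900 + years_since_1900, month, day)  # raises ValueError on an impossible date

def chronological(names):
    """Sort log file names by creation date.  A plain string sort gets the boundary
    wrong because the year field changes width: xxx0228100.log (Feb 28, 2000)
    sorts before xxx030199.log (Mar 1, 1999)."""
    return sorted(names, key=logfile_date)
```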

HowTo
Author information.
Copyright © [Telecom and Logistics Associates Sàrl]. All rights reserved.
Revised: January 19, 2007.

Network addresses and subnetmask

How to integrate wireless devices in a secured environment

 How to stop SMTP relaying at the firewall

How to understand an configure MAD

How to turn MAD off

How to block Kazaa

How to stop Instant Messenger or AIM

How to reconstruct rulebases

 

Q. Network addresses and subnet mask

Sometimes while configuring a firewall the system asks for the mask length instead of the subnet mask. How do I compute it?

A. The table below gives the correspondence between the subnet mask value and the mask length, for subnets carved out of a /24 network.

Network example              # of subnets   Subnet mask        Mask length   # of hosts per subnet
192.168.1.0-192.168.1.255    1              255.255.255.0      24            254
192.168.1.0-192.168.1.127    2              255.255.255.128    25            126
192.168.1.0-192.168.1.63     4              255.255.255.192    26            62
192.168.1.0-192.168.1.31     8              255.255.255.224    27            30
192.168.1.0-192.168.1.15     16             255.255.255.240    28            14
192.168.1.0-192.168.1.7      32             255.255.255.248    29            6
192.168.1.0-192.168.1.3      64             255.255.255.252    30            2

The host count excludes the network and broadcast addresses of each subnet.
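For the conversion the question asks about, here is an added Python example (not from the original page): it converts a dotted mask to a mask length and back, rejects a mask whose one-bits are not contiguous (some firewalls accept such a mask silently and then match the wrong hosts), and computes any row of the table above for an arbitrary address and mask. The function names are the example's own.

```python
from ipaddress import ip_network

def mask_to_prefix(mask):
    """Dotted subnet mask -> mask length.  Rejects masks whose one-bits are not
    contiguous from the left, such as 255.0.255.0."""
    octets = mask.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not a dotted-quad mask: {mask}")
    bits = int.from_bytes(bytes(int(o) for o in octets), "big")
    ones = bin(bits).count("1")
    if bits != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:   # all one-bits must be leading
        raise ValueError(f"non-contiguous mask: {mask}")
    return ones

def prefix_to_mask(prefix):
    """Mask length -> dotted subnet mask."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"mask length out of range: {prefix}")
    bits = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return ".".join(str(b) for b in bits.to_bytes(4, "big"))

def subnet_row(address, mask):
    """One row of the table above for any address/mask pair: the subnet's address
    range, how many subnets of that size fit in a /24, and the usable host count."""
    prefix = mask_to_prefix(mask)
    net = ip_network(f"{address}/{prefix}", strict=False)      # strict=False: host bits are masked off
    usable = {31: 2, 32: 1}.get(prefix, net.num_addresses - 2)  # network and broadcast excluded; /31 (RFC 3021) and /32 are special
    return {"range": f"{net[0]}-{net[-1]}",
            "subnets_per_24": 2 ** (prefix - 24) if prefix >= 24 else None,
            "mask": mask, "length": prefix, "hosts": usable}
```

subnet_row("192.168.1.77", "255.255.255.192") answers the everyday question "which subnet is this host in, and how many neighbours can it have": 192.168.1.64-192.168.1.127, 62 hosts, mask length 26.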

 

 

What Files to Back Up?

Q: We want to back up the FireWall-1 configuration. If the firewall crashes, we want to be able to restore it quickly. Which files do we have to back up?

A:

The following files are considered important and should be backed up regularly. If you have on the same system the management console and the firewall module, backup all files of Management console column and also all additional files from Firewall module column.

Under Windows 2000/NT replace $FWDIR by %FWDIR%

Management console              Firewall module                 Comment

$FWDIR/conf/fw.license          $FWDIR/conf/fw.license          License file
$FWDIR/conf/objects.C                                           Object database
$FWDIR/conf/*.W                                                 Set of policies
$FWDIR/conf/rulebases.fws                                       Combined rule bases for the GUI clients
$FWDIR/conf/fwauth.NDB*                                         User database
$FWDIR/conf/fwmusers                                            Administrators database
$FWDIR/conf/gui-clients                                         Hosts allowed to connect with the GUI clients
$FWDIR/conf/product.conf        $FWDIR/conf/product.conf        Product description (purchased options)
$FWDIR/conf/fwauth.keys         $FWDIR/conf/fwauth.keys         Control authentication key file
$FWDIR/conf/serverkeys.*        $FWDIR/conf/serverkeys.*        Hashes of the putkeys
                                $FWDIR/conf/masters             Master address definition (of the management console)
                                $FWDIR/conf/smtp.conf           Configuration of the mail relay function
                                $FWDIR/conf/fwauthd.conf        Security Server configuration file
                                $FWDIR/conf/fwopsec.conf        OPSEC configuration


You should also back up any file you may have modified in $FWDIR/lib. If you are going to be upgrading, it is not wise to copy an older version of one of these files over a newer version. If you are running Windows NT and doing static address translation, also back up $FWDIR/state/local.arp.

If the firewall goes completely south, you can re-install to the same patch level as you were running before and copy in the existing configuration files with the firewall stopped. You'll have to re-install your security policy, but it's better than having to completely reset up your firewall rules and network objects.

Q. How do I proceed for restoring?

A. Make sure you stop the firewall before restoring any file, and make sure you restore all the files you need:

  • fwstop
  • restore by copying back any file you need
  • fwstart

or for Windows 2000/ NT stop the service

This can also be used when you perform an update or when you have a second system run as a spare.

Q. What are the meanings of the different files to back up?

A. Of largest significance are your policy file, <policyname>.W, and objects.C -- from these two you can regenerate the rulebases.fws file
(./fw m -g *.W).  

The cp.license file may be useful, but if you know your certificate key, you can request a copy of it from the checkpoint license site.  

The fwauth.NDB (mgmt. module only) file keeps information about your users & user groups, so unless you do no authentication and no
SecuRemote at all (LDAP-stored users aside), you'll want to grab this file too.

The fwauth.keys file contains all the putkeys you've set -- backing this up probably isn't necessary since you'll have to redo the putkeys
anyway.  This file may not exist in single gateway mode with no OPSEC add-ons tied into it.

The fwmusers (mgmt. station only) file contains all the usernames and passwords (including permissions), for GUI-Client access.

The gui-clients (mgmt. station only) file tells which remote systems are allowed to log into the management station via the GUI and manage it.

The masters file (fw module only) just has the address of the management server in it.  

The product.conf file tells which options you have purchased, want turned on, and such.. restoring it will save some reconfiguring.

The seed file will allow you to utilize the parts that are stored encrypted -- user passwords and such.  Without it, expect to change a
lot of passwords.

The sync.conf (fw modules only) file is used when doing high-availability state-synchronization.

The serverkeys file (or serverkeys.* on unix) are hashes of the putkeys (fwauth.keys file).  
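The restore procedure above only works if every essential file actually made it into the archive. The following Python check is an added example written for this page, not a Check Point tool: it lists an archive produced by a tar-based script such as the ones on this page and reports which of the files from the table above are absent or zero-length, so the gap is found before fwstop rather than after. $FWDIR is assumed to be /opt/CKPfw as in the Solaris script; the REQUIRED list is the page's table for a combined management console and module, and the sample archives are constructed placeholders.

```python
import fnmatch
import io
import os
import tarfile
import tempfile

# Patterns (relative to $FWDIR) a backup of a combined management console +
# firewall module must contain, taken from the table above.
REQUIRED = ["conf/fw.license", "conf/objects.C", "conf/*.W", "conf/rulebases.fws",
            "conf/fwauth.NDB*", "conf/fwmusers", "conf/gui-clients", "conf/product.conf",
            "conf/fwauth.keys", "conf/serverkeys.*", "conf/masters"]

def missing_from_backup(tar_path, fwdir="opt/CKPfw", required=REQUIRED):
    """Return the required patterns that no non-empty regular file in the archive
    satisfies.  Member names are normalised so that archives made with 'cd /; tar cf',
    with absolute paths stripped by tar, or with 'tar cPf' all compare alike."""
    with tarfile.open(tar_path) as tar:
        sizes = {m.name.lstrip("./"): m.size for m in tar.getmembers() if m.isfile()}
    missing = []
    for pattern in required:
        full = f"{fwdir.strip('/')}/{pattern}"
        if not any(fnmatch.fnmatch(name, full) and size > 0 for name, size in sizes.items()):
            missing.append(pattern)
    return missing

def write_sample_archive(path, files):
    """Constructed archive for the demonstration; the contents are placeholders, not real FW-1 files."""
    with tarfile.open(path, "w") as tar:
        for name, text in files.items():
            data = text.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

def demo():
    """Check one complete and one damaged constructed backup; return both missing lists."""
    complete = {f"opt/CKPfw/{p}": "placeholder" for p in (
        "conf/fw.license", "conf/objects.C", "conf/Standard.W", "conf/rulebases.fws",
        "conf/fwauth.NDB", "conf/fwmusers", "conf/gui-clients", "conf/product.conf",
        "conf/fwauth.keys", "conf/serverkeys.db", "conf/masters")}
    damaged = dict(complete)
    damaged["opt/CKPfw/conf/objects.C"] = ""          # copied while truncated to zero bytes
    del damaged["opt/CKPfw/conf/fwauth.NDB"]          # user database never copied
    with tempfile.TemporaryDirectory() as d:
        good, bad = os.path.join(d, "good.tar"), os.path.join(d, "bad.tar")
        write_sample_archive(good, complete)
        write_sample_archive(bad, damaged)
        return missing_from_backup(good), missing_from_backup(bad)
```

Run missing_from_backup() against the real fw.tar before touching the firewall; an empty list is the go signal, anything else is the file you would otherwise notice missing after fwstart. Wildcard entries such as conf/*.W need at least one non-empty match, since a policy directory with no .W file is as useless as none at all.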

Q. Do you have some backup script examples?

A.

 

Backup script for Solaris 

#!/usr/bin/sh
# author : Christian ALT
# module name: /export/bin/backupfw
# Copyright : Telecom and Logistics Associates, all rights reserved
# Installation : DO NOT FORGET .netrc (ftp reads the login and password for $HOST
#   from ~/.netrc; keep it mode 600. Note that ftp sends the credentials and the
#   archive in clear, and the archive contains fwauth.keys, serverkeys.* and the user database.)
# Will backup necessary files for FW-1 and Solaris. It will then transfer the files to my-backup-host by doing an ftp
# from the firewall to an FTP server.
# This script must be scheduled in crontab with an entry like the following
#      0 5 * * * /export/bin/backupfw
# 8.9.99 Adaptation to fw-1 version 4.0
# 25.10.99 added backup of /etc/hosts and /etc/hostname.*
# 27.10.99 added backup of /usr/local/etc

## User part to adapt to system

HOST=my-backup-host
FWDIR=/opt/CKPfw
FWTK=/usr/local/etc
BACKUP=/export/backup
GUI=/opt/CKPfwgui/clients
VAR=/var/opt/CKPfw
BIN=/export/bin
SAVE=backup-ssn/pluton-1/conf

# End of user modifications

set -u                  # an unset BACKUP must not turn "rm $BACKUP/*" into "rm /*"
umask 077               # the archive holds keys and passwords: readable by root only
[ -d "$BACKUP" ] || { echo "backup directory $BACKUP does not exist" >&2; exit 1; }

# we clean the backup directory before to backup anything
rm -f "$BACKUP"/*
tar cvf "$BACKUP/fw.tar" "$FWDIR" /etc/fw.boot "$GUI" "$VAR" "$FWTK" || exit 1
compress "$BACKUP/fw.tar"

# If on your firewall you have a DNS installation uncomment the following 2 lines
#tar cvf "$BACKUP/named.tar" /var/named /etc/resolv.conf /etc/named.boot
#compress "$BACKUP/named.tar"

# Solaris configuration
cp /etc/rc3.d/S99route "$BACKUP"
cp /etc/inetd.conf "$BACKUP"
cp /etc/services "$BACKUP"
cp /etc/defaultrouter "$BACKUP"
cp /etc/nsswitch.conf "$BACKUP"
cp /etc/hosts "$BACKUP"
cp /etc/hostname.* "$BACKUP"
cp /etc/security/audit_control "$BACKUP"
cp /.profile "$BACKUP"
cp "$BIN/backuplog" "$BACKUP"
cp "$BIN/backupfw" "$BACKUP"
cp /var/spool/cron/crontabs/root "$BACKUP"

echo "starting FTP"

# FTP transfer part: login and password for $HOST come from ~/.netrc
cd "$BACKUP" || exit 1
ftp -i "$HOST" <<!
cd $SAVE
bin
mput *
bye
!

echo "Transfer finished"
echo "Removing files in Backup"
rm -f "$BACKUP"/*

 

 

Nokia

For those of you running a Nokia Application Platform or VPN-1 RemoteLink/Appliance machines, and for those looking to automate the backup process, read the IP400-specific notes contributed by Jerald Josephs below. For non-Nokia people the procedure is fairly generic and may still be helpful.

The following is a list of files on an IP400 series integrated firewall-router that should be backed up.  These include FireWall-1 files that would be transferred over from the old FireWall-1 management server to the new management server.

( '*' denotes files to be backed up on a Nokia router licensed only as a FireWall or Inspection module router )

*   $FWDIR/conf/fw.license        (FireWall-1 license file)

(This should only occur if the IP400 is replacing another platform and will use its IP addresses. Otherwise, you will have to obtain new FireWall-1 licenses)

   $FWDIR/conf/objects.C          (objects and properties)
   $FWDIR/conf/*.W                (security policy)
   $FWDIR/conf/rulebases.fws      (Combined rule bases for GUI clients)

   $FWDIR/conf/fwauth.NDB         (User database)
   $FWDIR/conf/fwmusers           Administrators
   $FWDIR/conf/gui-clients        Allowed GUI administrative hosts
*  $FWDIR/conf/smtp.conf          SMTP Security Server configuration file
*  $FWDIR/conf/fwauthd.conf       Security Server configuration file
*  $FWDIR/conf/product.conf       FireWall-1 product description file
*  $FWDIR/conf/fwauth.keys        Control authentication key file
*  $FWDIR/conf/masters            Masters

You should also copy over any ./lib file you may have modified, if-and-only-if you are copying from the same version of FireWall-1. Check Point support engineers have cautioned against copying files from 3.0a to 3.0b platforms.

You should also back up /var/etc/rc.local, if you created one. This is where you could place ARP commands to support Address Translation, IPSO kernel control commands, or automated backup scripts, for example.

Since you might use CRON to automatically schedule this backup, consider adding /var/cron/tabs/root to the backup list.

The current Management Module host has the configuration files for your site.  If this Management Module host is FireWall-1 version 2.x or earlier, then you will have to first upgrade that software version to 3.x before you may transfer the files over to the IP400.

Method of Backing up the files

It may be possible to use a floppy diskette to backup the files. If the files are too large, then FTP can be used to transfer the files across the network.

One idea is to create a file that lists the files to backup. Included in the example below is the path to the IPSO configuration files, the first entry below. Also note that this will backup your backup scripts. Don't forget them!

# cat /var/admin/ipsobackuplist

/config/db/*
/var/admin/ipsobackup
/var/admin/ipsobackuplist
/var/cron/tabs/root
/var/etc/rc.local
$FWDIR/conf/fw.license
$FWDIR/conf/objects.C
$FWDIR/conf/*.W
$FWDIR/conf/rulebases.fws
$FWDIR/conf/fwauth.keys
$FWDIR/conf/fwauthd.conf
$FWDIR/conf/masters
$FWDIR/conf/serverkeys.db
$FWDIR/conf/sync.conf
$FWDIR/conf/fwopsec.conf
$FWDIR/conf/omi.conf
$FWDIR/conf/slapd.conf
$FWDIR/conf/fwauth.NDB
$FWDIR/conf/fwmusers
$FWDIR/conf/gui-clients
$FWDIR/conf/smtp.conf
$FWDIR/conf/product.conf
$FWDIR/database/*
$FWDIR/state/*
$FWDIR/log/*

Create a file in the admin's home directory called ipsobackuplist to contain the file paths listed above.

Create an executable script in the admin's home directory called
ipsobackup
that executes the following commands:

#! /bin/csh
# The following line will define $FWDIR
source /var/admin/.rcm_cshrc
cd /
# eval is needed so that the $FWDIR entries read from the list file are expanded
eval tar cf /var/admin/`uname -n`.`date +%m%d%y-%H%M`.bkup.tar `cat /var/admin/ipsobackuplist`

    (NOTE: the tar command is a single line)
    (NOTE: If you wish to retain the leading '/' character, use `tar cPf`)
    (              see `tar --help` for more command line options)

    (This command creates hostname.062298-0600.bkup.tar if the ipsobackup script was executed at 6:00am on June 22, 1998).

Execute chmod 755 ipsobackup to make this script executable.

Backing up the files to a floppy diskette:

    cd /
    eval tar cvf /dev/fd0 `cat $HOME/ipsobackuplist`

(eval is needed here too, so that the $FWDIR entries in the list file are expanded before tar sees them.)

You might want to use a DOS formatted floppy diskette. Such a diskette
is mountable across OS platforms:

    mkdir /var/floppy
    /sbin/mount_msdos /dev/fd0  /var/floppy
    cd /var/admin
    ./ipsobackup
    cp *bkup.tar /var/floppy

<or>

    eval cp `cat ipsobackuplist` /var/floppy

    umount /var/floppy
 

Using CRON to automatically archive these files onto the IPSO filesystem

    Use crontab -e to modify the existing cron file.  Add the following line to this file:

    0 6 * * 0 /var/admin/ipsobackup

    This will create a backup file Sunday morning at 6am

*****Notes for NT to IP400*****

Note that there are some issues with moving from an NT machine to an IP400.

1. Do not copy the fwauthd.conf file. This is not compatible with the IP400 (see resolution #858 for further information).

2. When FTPing from Windows NT to an IP400, all of the *.NDB files must be transferred in binary mode and everything else must be transferred in ASCII mode.

Q. What do I need to back up on a Nokia?

A. One of the beautiful things about the Nokias is that, in my mind, you don't need to back them up at all! So long as you have the host name, IP address, and version information available you can rebuild them in a very
short time. It's important you back up your management console though, since that's where your policy, rule base, and objects information resides. If you have a Nokia device fail, simply build one with the same IP address,
host name, and same versions of Voyager and FireWall-1, then push the policy to it! It'll probably take less time than it would have to restore from a backup.

 

Q. We have more and more users accessing Napster; how can we block the service?

A. How to block Napster through a firewall:
      Napster appears to use any available free port.  One way to defeat
it is to block all incoming and outgoing tcp/ip ports except the ones
that you want to let through (http, ftp, etc).  The other way is to
block out the ip ranges that Napster servers use.  I did this and it
seems to be pretty effective.  The information is as follows:

1. Create 5 network objects in FW-1. Make external and disable broadcast.
    a. IP: 208.178.163.56 mask: 255.255.255.248
    b. IP: 208.178.175.128 mask: 255.255.255.248
    c. IP: 208.49.239.240 mask: 255.255.255.240
    d. IP: 208.49.228.0 mask: 255.255.255.0
    e: IP: 208.184.216.0 mask: 255.255.255.0
2. Put them all into a group (group-napster-deny)
3. Build a rule that says:
    a. Source Any to Destination group-napster-deny Service any Action
Reject/Drop Time Any

 But be aware that Napster servers are constantly changing; you can track them on http://www.napigator.com/

Q. We want to allow our users to access Napster, but we do not want incoming Napster connections. How should we configure our firewall?

A. Rules like the ones below will specifically block incoming connections. Sites using NAT in hide mode will not allow any incoming Napster connection anyway.

Source          Destination     Service       Action    Track    Install on
Internal-net    Any             7777, 6699    accept    log      firewall
Any             Internal-net    7777, 6699    drop      log      firewall

 

Q. How to secure DNS access?

A. You will need to restrict services as defined below, and pay special attention to dynamic updates if you use or plan to use them.

  • Rules:

    allow udp 53 in  from outside to dns server                    [queries to your server]
    allow udp 53 out from dns server to outside                    [queries from your server]
    allow tcp 53 in  from secondaries or ISP server to dns server  [zone transfers from your server]
    allow tcp 53 out from dns server to outside                    [zone transfers from primaries, for which you are a secondary]

    Note: queries normally use UDP, but a reply too large for UDP is retried over TCP, so restricting queries to UDP may cause headaches in some situations.

  • If you want to enable dynamic updates, despite the additional risk, use TSIG for better authentication of the hosts allowed to make updates. Always restrict updates via an ACL.

 

Q:

  How can I use a published IP address to "hide" multiple DMZ servers, and direct traffic to the correct server based on the service involved.

A:

 

Carl E. Mankinen posted the following excellent configuration example:

"All you do is create a STATIC NAT rule with the proper settings. (actually two rules in NAT tab, and two in the rulebase)

let's say your outside IP is 1.1.1.1 and you have two servers inside at 192.168.1.1 (ftp) and 192.168.1.2 (http)

On the NAT tab,
orig src = any
orig dest = 1.1.1.1
orig svc = ftp
xlat src = any
xlat dest = 192.168.1.1
xlat svc = original

orig src = any
orig dest = 1.1.1.1
orig svc = http
xlat src = any
xlat dest = 192.168.1.2
xlat svc = original

and then the obvious rulebase entries to allow packets to enter/leave various interfaces."

Q. What tools do administrators use to monitor firewalls

A. Several tools are available:

RRDtool http://ee-staff.ethz.ch/~oetiker/webtools/rrdtool/; with this tool comes a nice frontend called FwGold that allows monitoring of FireWall-1: http://www.rotoni.com/FwGold/

mon -- http://ftp.kernel.org/software/mon/ 

MRTG -- http://ee-staff.ethz.ch/~oetiker/webtools/mrtg/mrtg.html 

BigBrother -- http://www.bb4.com

Q. How to allow MRTG to access our routers outside our firewall?

A. Create a rule that allows SNMP to the routers only from your internal network, if you use DHCP on the MRTG machine, or only from the specific address of the MRTG machine if it is using static addressing. If the firewall is working properly, only the address(es) you've defined will be able to reach the port.

 

Q. How to allow DHCP on the firewall or through the firewall?

A. In some situations it is necessary to run a DHCP server on the firewall, but it should be avoided whenever possible. As has been mentioned, you probably shouldn't be running a DHCP server on
your firewall.  Your firewall should be your firewall, and little or nothing else.

That said, the only reason FW-1 should interfere with DHCP is if you have rules preventing the traffic.  You'll need to allow UDP/67 *to* the FW, and UDP/68 *from* the FW, both on the
interfaces that you wish to provide BOOTP/DHCP services to.  Note that your normal stealth rule will prevent any such traffic, and the rules to allow the DHCP traffic will need to be in front of the stealth rule.

Nokia firewalls have a DHCP relay capability for reaching a DHCP server that sits on the other side of the firewall. Off the main config menu, BOOTP Relay is what you want.

You will also need to add to your rulebase something to the effect of:

DHCP_Servers Firewalls BOOTP ACCEPT

 

Q. How to integrate wireless devices in a secured environment

A. Some links of interest for wireless devices integration

Wireless security links :
http://sublimation.org/security/localarchive/802.11/links.html



This link explains how to make an antenna that will work up to 10 miles away, as long as you have line of sight:
http://www.wwc.edu/~frohro/Airport/Primestar/Primestar.html


Q. How to stop SMTP relaying at the firewall?

A. Under the Match tab of your 'SMTP->email' resource, specify only the email domains that belong to you, e.g. {*.mydomain.com, *.mydomain2.com}. Then you just need one rule: ANY FIREWALL SMTP_Mapped ACCEPT.
If this still does not work, make sure you have this line in $FWDIR/conf/fwauthd.conf:

25   in.asmtpd   wait   0


 

How to understand and configure MAD

MAD is Malicious Activity Detection, a process (cpmad) that runs on the Management server and periodically reviews the logs to find suspicious behaviour (multiple authentication failures, port scans, SYN and land attacks).

MAD detects/defends against:

  • SYN attacks
  • Spoofing attempts (for local interfaces, too)
  • Port scans
  • Blocked-port scans
  • Login failures
  • Fast repeated connects
  • Land attacks

MAD land attack
It is CPMAD that tells you it sees a land attack. Check the cpmad_config.conf file (in $FWDIR/conf) and you should find a line containing _land_attck_ in it. A land attack sends a single SYN packet in which the source IP address has been replaced with the address of the destination, so the target tries to answer itself, producing looped-back packets that slow the server down.

 

MAD configuration

The configuration of Checkpoint's Malicious Activity Detection system is done through the file $FWDIR/conf/cpmad_config.conf. For information on how to use the variables in the file, take a look at the EntGS.pdf file located on the installation CD-ROM (v4.1).

 


How to turn MAD off

To switch off MAD, edit the file 'cpmad_config.conf' in the %FWDIR%\conf directory (on Windows; $FWDIR/conf on Unix). Set 'mad_system_mode' to 'off' and you're done.

 

How to block Kazaa and other network sharing programs

Blocking of Kazaa under NG AI is done as follows:

Open the SmartDefense window.

Go to Application Intelligence / Web / HTTP Protocol Inspection / Peer to Peer.

You will see the applications; check the one you want to block, and check Peer to Peer.

In HTTP Protocol Inspection, select the configuration that applies to all connections.

 

If you want to know more about Kazaa, or you run a version prior to NG AI:

Initial configuration of Kazaa version 1
Kazaa is only one of a whole culture of peer-to-peer file-sharing networks/programs: Gnutella, eDonkey, BearShare, etc., ad infinitum.

Kazaa version 2 uses dynamic ports.

How to block it on a firewall
Block them by port number. This doesn't scale well, and fails completely with the ones that search for unblocked port numbers to use. (While to you a firewall is a "policy enforcement device", to your users and the authors of these applications it's just an obstacle to be surmounted.)
If a client uses an HTTP-port program like KazaaHTTP you have very few options, as it tunnels the Kazaa traffic over HTTP from the client's desktop. If you have a novice user base, simply blocking port 1214 should suffice.
If you are using Checkpoint NG, FP3 is supposed to include the additional content filtering needed to block applications like Kazaa.
If you are blocking port 1214, you also have to block all outgoing SOCKS traffic, because the Kazaa client supports SOCKS proxies and there are plenty of free SOCKS proxies. Second, if you block SOCKS you also have to block all outgoing HTTP/HTTPS traffic, because SOCKS traffic can be tunnelled over HTTP/HTTPS with tools like httport.


How to block it on a Cisco router

access-list 101 deny   tcp any any eq 1214

What measures you should take
Add a content-filtering solution to your border security. This is about the only way you're going to block stuff that piggy-backs on well-known service ports (80, 25, etc.) in order to circumvent firewalls.

 

What you should also know about Kazaa

Unfortunately when you install KaZaa you also get at least one virus installed on your computer. I call it a virus because by most descriptions I've seen of the term, TopText qualifies as a virus. You don't ask for it. It takes control of your browser and makes changes to everything you read on the Internet.

TopText operates with a browser to highlight words on every web page, inserting a yellow background behind keywords that have been purchased through their media sales company eZula, Inc. If a web user clicks on one of those yellow highlighted words on a web page, the user is whisked away to the site of the company paying the most that day for each click-through. If a user whose browser is infected with TopText visits your web site, they will be offered links to competitors' web sites for every keyword they find on your site for which they have a buyer.

This is not much, if any, different from the Smart Tags system that Microsoft announced for their Windows XP browser. Media and webmaster pressure and outrage caused Microsoft to cancel, for now, their release of that feature.

 

 

How to stop Instant Messenger, AIM or Yahoo

Blocking the NEW Yahoo IM is not going to get easier. Yahoo and others have embraced a philosophy of bypassing firewalls by any means possible. The latest is to use any open outgoing port to numerous servers located in numerous networks. After a while, by adding or relocating even a single IM server, users behind your firewall are able to start using the security-prone IMs once more.

If you want to stop Yahoo services by name, here is an ever-changing list:

cs.yahoo.com, scsa.yahoo.com, messenger.yahoo.com, my.yahoo.com, edit.yahoo.com

AIM will use any available port that is allowed through the firewall. Initially it will try the following ports:
5190 tcp/udp
4443 tcp/udp
All traffic goes to login.oscar.aol.com ()
 

Some people are satisfied with a rule like the one below.

Your rule:

Internal Network    login.oscar.aol.com      ANY    drop long

The Auto Configure option on the AIM client will use just about anything, including DNS and HTTP. The only sure-fire way to lock out access to it is to block all access to the host login.oscar.aol.com. However, this DNS name resolves to more than one IP address, and the addresses change. You should verify this with nslookup. You need to block all traffic to these IPs. You should also disable the rulebase properties for DNS as, sure enough, it will use those ports.

Here are a few IPs that are known to belong to login.oscar.aol.com:

AOLim_1 = 152.163.214.75
AOLim_2 = 152.163.214.76
AOLim_3 = 152.163.214.108
AOLim_4 = 152.163.214.109
AOLim_5 = 205.188.1.56
AOLim_6 = 205.188.4.106
AOLim_7 = 205.188.147.114
AOLim_8 = 152.163.241.121
AOLim_9 = 152.163.241.129
AOLim_10 = 152.163.242.28
AOLim_11 = 152.163.242.24
AOLim_12 = 152.163.241.120
AOLim_13 = 152.163.241.128
AOLim_14 = 152.163.241.96
AOLim_15 = 64.12.161.153
AOLim_16 = 64.12.161.185
2002-Nov-21 01:37 dwelchATphoneboyDOTcom

The Smart Defense HTTP worm catcher in NG3 is pretty useful at stopping illicit AOL and MS Instant Messenger on 80. Add these lines:
 MS-IM \gateway\.dll\?
 AIM   \:20480/
I picked these apparently unique strings out of HTTP headers shown up by plonking an HTTP resource on miscreants' source addresses. As far as I can tell, the method works 100%.

As ever, YMMV
2003-Jan-27 11:05 aDOTliddiardATlondonmetDOTacDOTuk, dwelchATphoneboyDOTcom
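As an added illustration (not part of the contribution above and not Check Point code), the following Python reads the two worm-catcher entries as escaped regular expressions, i.e. the literal strings gateway.dll? and :20480/, and runs them over constructed HTTP request lines of the kind a proxy on port 80 would see. The hostnames and request lines are made up; the point is to see which requests such signatures flag and which they leave alone.

```python
"""Match the two HTTP worm-catcher entries quoted above against HTTP request
lines.  Added example, not Check Point's matching engine; the request lines
and hostnames below are constructed."""
import re

# The FAQ entries read as escaped regular expressions: "\gateway\.dll\?" is
# the literal text gateway.dll? and "\:20480/" the literal text :20480/.
IM_SIGNATURES = {
    "MS-IM": re.compile(r"gateway\.dll\?"),
    "AIM": re.compile(r":20480/"),
}


def request_target(request_line):
    """Request-target of 'METHOD target HTTP/x.y', or None if malformed."""
    parts = request_line.split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    return parts[1]


def classify(request_line):
    """Name of the first signature found in the request-target, else None."""
    target = request_target(request_line)
    if target is None:
        return None
    for name, pattern in IM_SIGNATURES.items():
        if pattern.search(target):
            return name
    return None


# Constructed proxy-style request lines as they would appear on port 80.
SAMPLE_REQUESTS = [
    "GET http://gateway.example/gateway/gateway.dll?Action=open HTTP/1.1",
    "POST http://aim-proxy.example:20480/ HTTP/1.1",
    "GET http://www.example.com/index.html HTTP/1.1",
    "not an http request line",
]


def flagged(requests=SAMPLE_REQUESTS):
    """(request_line, signature) for every line a signature matches."""
    hits = []
    for line in requests:
        name = classify(line)
        if name is not None:
            hits.append((line, name))
    return hits


if __name__ == "__main__":
    for line, name in flagged():
        print("%-6s %s" % (name, line))
```

The third and fourth sample lines show the other half of the check: ordinary browsing and malformed input produce no hit, which is what you want before you let a pattern like this drop connections.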

Another means to block AOL/ICQ/Y! and MSN is to use IM Firewatcher (www.akheron.com); they have a free version, requires a few minutes. Good news is that they have automatic updates; bad news is that it does not work with Gigabit NICs.
H.
2003-Jan-30 10:55 hiroATsnow-crashDOTnet

 

 

How to reconstruct Rulebases

The Motif/Windows GUI uses the rulebases.fws file. If you need to recreate this file for whatever reason and you have rulebase .W files in your conf directory, quit any open GUIs and recreate it as follows:
WARNING: These commands will not work on NG FP2 and above. In fact, in NG FP2, they can cause further corruption of your rulebase file.

On Unix:

    # cd $FWDIR/conf
    # fwm -g *.W

On NT:

    c:\> cd %FWDIR%\conf
    c:\WINNT\FW\conf> for %i in (*.W) do fw fwm -g %i

The differences are:

  • On Unix, the * is interpreted as a wildcard, including all .W files.
  • On NT, the * is not interpreted as a wildcard, so the for loop feeds the .W files to the command one at a time.
  • On NT there is no separate 'fwm' binary; the function is included in fw.exe (hence 'fw fwm').

Other notes:
  • When importing rulebase files, if objects referenced in a specific rulebase no longer exist, that rulebase will not be imported successfully. You will see "Not in Scope" messages when you run this command. This is normal.
  • These steps will cause CORRUPTION of your rulebase file in NG FP2, as this command is no longer supported. NG FP3 and later do not allow the commands (e.g. executing fwm -g *.W gets you a 'this command is no longer supported' message).
Licenses
Author information.
Copyright © [Telecom and Logistics Associates Sàrl]. All rights reserved.
Revised: janvier 19, 2007.
Q. What is included in the Express license?

  • VPN-1 Express Gateway
  • VPN-1 SecuRemote
  • Firewall-1
  • SmartDefense
  • SmartCenter

Other things are available as add-ons.

Q. General question... what happens when you go over your node license? Do the firewalls start dropping packets on the "unlicensed" addresses? Are the licenses persistent (with some sort of timeout on each address), or is it total concurrent connections through the devices?

We're currently licensed for 250 nodes, but we're over. Support at Checkpoint tells me it will start to drop packets when it's over, but I wanted to ask if anyone else has had something similar happen. We're seeing packet loss going to the firewall clusters, so this would be a perfect example...

A. As far as I can tell, not a whole lot happens. Check Point told me that there is an algorithm which throttles the traffic going through if you exceed the number of nodes for which your gateway is licensed, but when I asked, they were unable to describe the algorithm to me. Beyond that, I get daily failure license violation e-mails from those boxes that have their SMTP gateway correctly configured. To date, I have received no user complaints as far as performance is concerned, though.

 

Q. Do I need a separate license for SecuRemote

A. Yes, you will need to generate a separate license. Although you do not pay for it, you need a license.

Feature     # of clients supported
srulight    50 users
srlight     100 users
srmedium    500 users
srlarge     1000 users
srsuper     5000 users
srunlimit   Unlimited

 

Q. What are the licenses for SecuRemote with NG AI

A. Checkpoint NG with AI supports two licensing schemes: local and central. If you have multiple enforcement modules (EM) and a single SmartCenter server (SCS) to manage all of them, go for central licensing. Central licensing is useful in such cases because even if the EM IP address changes you don't need to regenerate your license; the only time you need to regenerate your license is if you change the SCS IP (which is rarely the case). Go for local licensing when you have the SCS and EM on the same machine (standalone configuration). In this case, if you change the IP of your EM, you need to regenerate your license. Tedious, eh?

The SCS always requires a LOCAL license in any case.

This may come as a bummer to you: if you have already procured the product with local licensing and already generated it from usercentre.checkpoint.com, nothing can be done about it now.

If you have not yet purchased the product, I would suggest you go for central licensing, as it is better in your case.

 

 

Q. How to remove old licenses

A. Use fw printlic to view the current license situation, and then re-enter your current license string (eval or permanent key) with a -o option. This will overwrite all existing licenses.

fw putlic -o ...

Q. We have the message "too many hosts"; what shall we do to unlock the situation?

A. To remove the firewall license limitation, use the following procedure:

fw lichosts
rm $FWDIR/database/fwd.hosts
rm $FWDIR/database/fwd.h
fwstop
fwstart

Q. What is the message External Interface is not set

A. You should verify what you have in the file external.if (in $FWDIR/conf).

The file $FWDIR/conf/external.if should contain the physical device name. You can get it with the following command on each operating system:

Command               Operating system      Interface name
ifconfig -a           Unix                  le0, le1, qfe0
ipconfig /all | more  Windows 2000 / NT     El90x1 (the letter E, the letter l, the number 9, the number 0, the letter x, the number 1)
ifconfig -a           IPSO (Nokia)          physical interface name plus c0, e.g. eth-s1p1c0

The external interface is often the interface facing your Internet router. If you have more than one "external" interface, you should be using an unlimited node license.

 

Windows 2000

Windows 2000 Logon through Firewall

To enable a Windows 2000 Server-based computer to log on to a Windows 2000 domain through a firewall you need to open the following ports for inbound traffic. In most cases this is done to allow a Windows 2000 server hosting Exchange 2000 to be placed on a DMZ.
  • 53 (User Datagram Protocol [UDP]) - Domain Name System (DNS).
  • 88 (Transmission Control Protocol [TCP], UDP) - Kerberos authentication.
  • 123 (TCP) - Windows Time Synchronization Protocol (NTP). Note that this is not necessary for Windows 2000 logon capability, but may be configured or required by the network administrator.
  • 135 (TCP) - EndPointMapper.
  • 389 (TCP, UDP) - Lightweight Directory Access Protocol (LDAP).
  • 445 (TCP) - Server Message Block (SMB) for Netlogon, LDAP conversion and Distributed File System (Dfs) discovery.
  • 3268 (TCP) - LDAP to global catalog servers.

  • One port for the Active Directory logon and directory replication interface (universally unique identifiers [UUIDs] 12345678-1234-abcd-ef00-01234567cffb and e3514235-4b06-11d1-ab04-00c04fc2dcd2), which is typically assigned port 1025 or 1026 during startup. This value is not set in the DSProxy or System Attendant (MAD) source code, so you need to map the port in the registry and then open the port on the firewall. To assign a static port mapping, create the following registry value:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
    Value Name: TCP/IP Port
    Data Type: REG_DWORD
    Radix: Decimal
    Value: greater than 1024

For the servers inside the firewall to communicate back through the firewall to the external server on the DMZ, you also need to have ports 1024 through 65535 configured for outbound communications. Computers that initiate the communication through the firewall use a client-side port that is dynamically assigned and cannot be configured.

Windows NT

Q. What ports are used for a trust relationship

A. According to Microsoft the services needed for TRUSTS are:

PORT 135 TCP or UDP RPC services
PORT 137 UDP Netbios name service
PORT 138 UDP Netbios datagram
PORT 139 TCP Netbios session
All ports above 1024 for RPC communication

Q. How to change the log directory
A. To direct the log files to a directory other than the standard $FWDIR/log: on UNIX systems this can be achieved by adding

setenv FWLOGDIR <log-dir>

to the fwstart script before fwd and then fwm are started.

To do this on NT you must upgrade your software to 3.0b, and then use the Registry Editor to add to the key

HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\FW1

the value FWLOGDIR with the desired path of the directory (which must exist).

Authentication in more than one NT domain

Q. If an environment has more than one NT domain, what should be done?

Let's say 10 NT domains, and the company doesn't want to change the domain structure in their enterprise network. Do we need to install and activate the RADIUS server on all related domains for authenticating the users?

A. Set up the RADIUS server in its own domain and create trust relationships to the 10 other domains. Since trusts are not transitive, you won't be violating any security precautions set up by the domain structure, although if the trusts are across slow WAN links you may have to tweak the replication governor settings to make sure all that database replication doesn't choke the lines.

 

Q. What does the following message in the event log mean?

    FW1: copying: failure copying 56 bytes from =0xF3D9F6B8->
    Event-Id 1
    Type Error
    Category None

and

    FW1:-
    to 0x000F0010. Error 0xC0000005 >Event-Id 1
    Type Error
    Category None

A. "These errors do not affect FireWall-1 performance, and are not a security issue, therefore there is no cause for concern. I believe that when using the performance monitor to monitor the FireWall-1 object, a segmentation fault may generate these errors."

SecuRemote
SecureClient

Version history

Build   Version
4153    SecuRemote

NG SecuRemote license

The SecuRemote license is separate from other firewall licenses, so if you have a license installed on your management server that contains a string like (assuming NG) "CPVP-VSR-XX-NG", you are licensed for SecuRemote. If you don't have a license with this product code in it attached to your management server, then you aren't licensed. The license is free (as in beer); contact your Checkpoint supplier to obtain one.

 

Does Office mode work with SecuRemote

A. Office Mode only works with SecureClient. You need a new license and will need to pay additional fees.

 

What to do when using Office Mode from a ghosted machine?

From reference ID: sk15132

Symptoms

SecureClient keeps being disconnected. All computers built from the ghost image receive the same IP from the VPN for Office Mode, although they all use different login info and access methods.

Solution

Before making the ghost image, open regedit and delete the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\SecuRemote\5.0\OM

What models of DSL router work best with SecuRemote/SecureClient

Here are the results of different tests performed with DSL routers and SecuRemote.

Checkpoint Safe@Home (s-box): works fine.

Linksys: they work with SecuRemote. The only issue with Linksys is that they only support a single IPSEC connection from behind the router. I had a Linksys BEFSR41 router and have multiple computers at home, and for the longest time was wondering why I was having connection/stability problems. I then found out from Linksys' web site that their routers only support a single IPSEC connection.

SMC routers: work fine; we have not had a single problem with them.

NetGear products: work fine.

3Com OfficeConnect DSL gateway: works fine.

Netopia 3351: works fine.

Cisco 678: works fine.

D-Link 614+: could not work, but the 714 worked out of the box.

W-Linx 401: works perfectly.

 

Is it possible to use an answer file for SecureClient installation

Is it possible to use an answer file with a SecuRemote installation (Build 4200, to be specific)? This would allow the questions during the install to be answered blindly, without the end user having to do anything.

A. This is possible. In NG FP2/3 Checkpoint also ships a tool for modifying these settings. Use the "SecureClient Packaging Tool" that is available from the Checkpoint site.

You have to install the packaging tool on a machine that has SecuRemote/SecureClient installed and configured. Then run through the options, and when it asks for the client installation files, point it to the directory where the client is installed on the current machine (c:\Program Files\Checkpoint\SecuRemote or something close to that). Then generate your package. Now install it on a TEST machine; everything should be there.

 

Q. How does SecuRemote work?

A. SecuRemote allows "encrypted" access between a client machine and a FireWall-1 firewall. The client may run Windows 98 or later, WinCE, MacOS 9.x, or Linux. Architecturally, SecuRemote acts a bit like FireWall-1 in that it sits between the data link and network layers in the protocol stack. If the SecureClient functionality is used, it will also block network traffic in much the same way as FireWall-1. SecuRemote uses one of the following methods to exchange keys and encrypt data, depending on what you choose:

  • IKE: Allows DES or 3DES to be used to encrypt the packets. Packets are encapsulated in IP protocol 50 (i.e. IPSEC) or UDP port 2746, depending on whether or not UDP encapsulation is used.

  • fwz without encapsulation (available in NG FP1 and before): Uses fwz1 or DES to encrypt the packets. Only the data portion of the packet is encrypted; the IP headers are left alone.

  • fwz with encapsulation (available in NG FP1 and before): Same as above, except packets are encapsulated in IP protocol 94 packets.

  • Visitor Mode (NG AI and above): Tunnels using a standard HTTPS stream. By default it runs over port 443, but it can use any port.

When using Transparent Mode in NG, or using 4.1 and earlier, the SecuRemote client will, as it deems necessary, establish an encrypted session with the firewall. Before it can do this, the client needs to know which hosts it can talk to encrypted and what the encryption keys are. This is accomplished by fetching the site (topology) from the remote server, which happens on TCP port 264 to the firewall module. SecuRemote 4.0 used TCP port 256 to the management station.

In NG, when using Connect Mode, the connection to the encryption domain is controlled by the end user. The connection dialog looks very similar to a dial-up networking one. The user can select the site he wishes to connect to, change options, and then connect. Optionally, the start of the VPN connection can be tied into the domain logon in Windows 2000/XP.

Once SecuRemote determines that it needs to encrypt traffic to the firewall, authentication is performed. Authentication can be a simple password, S/Key, SecurID, or a certificate, but all data between the firewall and the client is encrypted, so the password (even if it is a simple password) is not divulged in the clear. This happens between the firewall and the client on UDP port 259 (source and destination port) if fwz is used, or on UDP port 500 if IKE is used.

Once both of these steps succeed, the connection between the source (the SecuRemote client) and the destination (something behind the firewall) proceeds normally, except that the packets are encrypted.

 

Q. Not a Certificate Authority
When you try to add a firewall as a site in SecuRemote, you see the following error message:

Error: Site xxx.xxx.xxx.xxx says that it is not a Certificate Authority. Check whether you have got the right IP address for xxx.xxx.xxx.xxx, and check with the FW-1 system manager there whether xxx.xxx.xxx.xxx is indeed a FW-1 control station.

A. If the management console and firewall module are on separate boxes, you add the IP address of the management console for the firewall in question. You can use the firewall module only if you have SecuRemote licenses installed on the firewall module. Also check the following:

  1. The management console must have a routable address. If it does not have a routable address, you will need to set up a static address translation for it.
  2. SecuRemote clients must be able to access the management console or firewall via the "FW1_topo" service (TCP port 264) if you are using SecureClient 4.1 (builds 4110 and above of SecuRemote) with FireWall-1 4.1. You must allow the 'FW1' service (TCP port 256) if you are using a SecuRemote 4.0 client or FireWall-1 4.0.
  3. Your Certificate Authority must have an fwz CA key generated or be configured with IKE. Look at your firewall object, ensure fwz or IKE is checked in the encryption tab, and make sure a CA key is generated for fwz.
  4. If you are using SecureClient 4.1 with FireWall-1 4.0, you must have fwz checked in your VPN tab and have encryption keys defined even if you only intend to use ISAKMP. What the user will actually use for encryption is determined by his user record in FireWall-1. Note that you can get around this limitation if you uncheck "Respond to Cleartext Topology Requests" in Policy Properties, Encryption tab.
  5. In 4.1 SP5 and above, you will want to ensure that "Respond to Unauthenticated Topology Requests" is disabled. In NG, this option is not present.

If you just recently installed your SecuRemote licenses, you will need to restart FireWall-1 before the licenses take effect.

 

A second point worth mentioning is another possible cause of the message

Error: Site xxx.xxx.xxx.xxx says that it is not a Certificate Authority. Check whether you have got the right IP address for xxx.xxx.xxx.xxx, and check with the FW-1 system manager there whether xxx.xxx.xxx.xxx is indeed a FW-1 control station.

I have seen it a few times that a firewall (in this case a 4.0 SP7) without FWZ encryption defined in the fw object will give an error about not being a Certificate Authority when an IKE (aka ISAKMP/Oakley) SecuRemote client attempts to connect to it. If I define FWZ on the fw object and create the requisite keys the error goes away, even if the user or client specifies to use IKE. Why does this happen, and if it is brokenness what can be done to fix it?

The error usually only appears when you try to download topology from a management server/firewall module on the same box with no FWZ keys defined, or if you try to download from an enforcement point. The problem has to do with "Accept Unauthenticated cleartext topology requests" under Policy -> Properties -> Desktop Security. Uncheck this and it'll go away, but your users will have to authenticate to get the topology downloaded.

 

Q. What is SecureClient

A. It is SecuRemote configured with the Desktop Security feature.

SecureClient == SecuRemote EXCEPT that SecureClient has the capability to function as a "mini-firewall" to prevent hijacking of SecuRemote sessions (this is the "Enable desktop security support" option you see during install of SecuRemote 41xx; that's the ONLY difference from an install perspective). To use it without the "mini-firewall" functionality, it is free. To use the SecureClient functionality, however, you must purchase licenses for it, which you install on the management station. You will also need a policy server function. This also requires FW1 v4.1/2000. Version 4.0 does not offer SecureClient functionality.

Q. What is icmpcryptver?

A. All gateways and SecuRemote clients participating in an FWZ VPN must agree on the value of icmpcryptver in order to enable ICMP. icmpcryptver is defined in objects.C on the gateway and in state/userc.set on the SecuRemote client. Its default value is 1. A value of 0 enables compatibility with version 3.0. In version 4.1, FWZ-encrypted ping will not work if the value is set to 0.

Q. Do I need a separate policy server with SecureClient

A. No, it can be on the same system as a VPN/Firewall module.

Q. How to connect to NT shares through FW-1

A. First off, you will need to use encapsulation when setting up your encryption domain. This appears to be the only way to get the NBT stuff to tunnel properly. Yes, it will even work if you are using translation! In my case, I already had a network object defined for my RFC 1918 internal network. All I did was set up the encryption, specifying my existing local-net object as my encryption domain.

OK, question time now. I could only get this to work using the FWZ encryption method. I tried to set up SKIP, but it wouldn't happen. What's the real implication of using FWZ/Manual IPSEC/SKIP here? You can still define DES data encryption when you set up your users. Which of the above is the better method to choose?

Now that you have the domain set up, start creating your users, and add them to a group. Now you can create a rule to allow that group access to your encryption domain. In my case: -SR-Users/Local-Net/ANY/Client Encrypt-.

Now comes the fun part: installing and configuring the client. The thing to remember here is you NEED some sort of NetBIOS name resolution. There are 2 ways this can be done. 1: create an lmhosts file specifying every device on the internal net you need access to. This is the ugly and painful method. Though I made it work, I never could get a clean logon. Even though I got a good logon to the NT domain, I still got error messages about not being able to find a domain controller?? If you have WINS set up, USE IT!!! If you don't, SET IT UP!! Enter the internal address of your WINS server in the network properties of the client workstation, not the properties of the dial-up connection!!!

If you also have this client networked via a NIC, you will also have to implement hardware profiles. Make 2 profiles, one for dial-up and the other for in the office. Disable the NIC for the dial-up profile. Now you can install the SecuRemote client. Reboot, dial up your ISP, and you should be able to create your site within the client.

You should now have a fully functional SecuRemote VPN set up. Dial up your ISP, and you will be automagically prompted to authenticate yourself on the firewall. While you're trying to type that id and password in, your NT logon will pop up. Remember to finish the SecuRemote authentication before you enter your NT logon :>

Q. How to configure SecuRemote with multiple sites:

I have an enterprise firewall at my main office location, with the management console, and have 6 and growing firewall modules spread around the world. SecuRemote is working perfectly to get into the main office, the firewall with the CA & Management console, but I can't for the life of me figure out how to make it work for my remote offices.

If  I add a site in SecuRemote pointed to the remote firewalls, it says this is not a certificate authority.

I've also tried making the Encryption Domain for the main site encompass my entire intranet, and I can see that the other firewall's protected networks get downloaded into the user.c file on the SR client, but no data is able to flow anywhere but in and out of the main office. Is there a trick to make this work, or am I going to have to make every remote firewall a CA, and add all of them to each securemote client ?

A. You only need to add the single certificate authority for your network. Set up an encryption domain for each firewall. When the SecuRemote client gets the information from the CA, it will find: for IPx I need to talk to firewall X, for IPy I need to talk to firewall Y, and so on. Just try setting up the encryption domains for each firewall individually.

 

Q. How can I isolate SecuRemote traffic in the log?

A. Select 'decrypt' from the Action tab.

 

Q. How to debug SecuRemote

A. Create a file at the root of your C: drive called fwenc.log.

Reboot your computer, and all the information SecuRemote generates will be logged to this file.

You must kill SecuRemote prior to opening or viewing this file, otherwise you will receive a sharing violation.

Q. How to have SecuRemote access to an internal DNS for DNS resolution

A. To solve this problem, proceed as follows:

1. Modify the $FWDIR/conf/dnsinfo.C file on the Management Station to redirect DNS by providing the following information:

  • the internal DNS server's IP address
  • the domain for which it resolves names
  • the maximum number of labels to resolve (for example, 3 for xxx.hello.com). Suppose the SecuRemote Client's domain is .hello.com and it fails to resolve yyy.goodbye.com. By default, Windows will then try to resolve yyy.goodbye.com.hello.com, and you will probably not want this query to be encrypted.
  • the network addresses for which it resolves (for reverse DNS)

2. In $FWDIR/conf/dnsinfo.C, set :encrypt_dns (true) under :dnsinfo.

3. Instruct the gateway to encrypt DNS by changing the definition of USERC_DECRYPT_SRC in crypt.def.

4. Reinstall the Security Policy on the gateway so that these changes take effect.

5. On the SecuRemote Client, set :dns_encrypt (true) under :options in database\userc.C.

Note: :dns_encrypt (true) is the default in VPN-1/FireWall-1 Version 4.1 and higher.

 

Q. How to configure SecuRemote for a split DNS configuration, to get the Secure Domain Login (SDL) functions working with a 4.1 SP2 firewall and a Windows 98 client.

A. Many pointed out that getting SDL to work correctly can be very challenging. From Gregor Munro comes an exact fix that worked for him. He suggests cutting and pasting the solution (included below) directly into your $FWDIR/conf/dnsinfo.C file, and then editing it to suit your network. The reason you should not try to start this file from scratch is that spacing and case are extremely important. For example, using an "LMData" tag will not work; it needs to be "LMdata".

--Begin $FWDIR/conf/dnsinfo.C-- 
( 
:LMdata ( 
: ( 
:ipaddr (10.0.0.1) 
:name (MERLIN) 
:domain (ROUNDTABLE) 
) 
: ( 
:ipaddr (10.0.0.1) 
:name (MERLIN) 
) 
) 
) 
--End $FWDIR/conf/dnsinfo.C-- 
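The tag-case pitfall described above (LMData versus LMdata) can be caught mechanically. The script below is an added example, not part of this FAQ and not a Check Point tool: a small parser for the parenthesised .C object format used by dnsinfo.C and objects.C, with an exact-case tag lookup, a case-mismatch check and a serializer. The sample files are constructed from fragments on this page (the LMdata rows, :encrypt_dns from step 2 of the previous answer, and the isakmp.udpencapsulation fragment shown further down); the re-quoting rule in dump() is an assumption of this example.

```python
import re

# Tokens of Check Point's ".C" object format: parentheses, ":key" (the key is
# empty for the unnamed ": (" rows under :LMdata), double-quoted strings, and
# bare atoms such as 10.0.0.1 or true.
_TOKEN = re.compile(r'\(|\)|:[A-Za-z0-9_.]*|"[^"]*"|[^\s()":]+')

def _parse_group(tokens, pos):
    """Parse the group opening at tokens[pos]; return (value, position after it).
    A group of bare atoms becomes a scalar string; a group of ':key (...)' entries
    becomes a list of (key, value) pairs in file order. Keys keep their exact
    case, because the firewall treats LMdata and LMData as different tags."""
    if tokens[pos] != '(':
        raise ValueError('expected "(" at token %d, got %r' % (pos, tokens[pos]))
    pos += 1
    atoms, entries = [], []
    while pos < len(tokens) and tokens[pos] != ')':
        tok = tokens[pos]
        if tok.startswith(':'):
            value, pos = _parse_group(tokens, pos + 1)
            entries.append((tok[1:], value))
        else:
            atoms.append(tok.strip('"'))
            pos += 1
    if pos == len(tokens):
        raise ValueError('unbalanced parentheses')
    return (entries if entries else ' '.join(atoms)), pos + 1

def parse_c_file(text):
    tokens = _TOKEN.findall(text)
    tree, end = _parse_group(tokens, 0)
    if end != len(tokens):
        raise ValueError('text after the top-level group')
    return tree

def lookup(node, *path):
    """Walk the tree by exact-case keys; an int selects the n-th unnamed entry.
    Returns None as soon as a step is missing."""
    for step in path:
        if not isinstance(node, list):
            return None
        if isinstance(step, int):
            unnamed = [v for k, v in node if k == '']
            node = unnamed[step] if step < len(unnamed) else None
        else:
            hits = [v for k, v in node if k == step]
            node = hits[0] if hits else None
        if node is None:
            return None
    return node

def check_case(node, expected, path=()):
    """Return [(path, expected_spelling)] for keys that match an expected tag
    only when case is ignored, e.g. LMData typed instead of LMdata."""
    problems = []
    if isinstance(node, list):
        by_lower = {tag.lower(): tag for tag in expected}
        for key, value in node:
            here = path + (key,)
            if key and key not in expected and key.lower() in by_lower:
                problems.append(('/'.join(here), by_lower[key.lower()]))
            problems.extend(check_case(value, expected, here))
    return problems

def dump(node, depth=0):
    """Serialize back in the file's own layout (tab-indented, one tag per line).
    Re-quoting scalars that contain characters outside [A-Za-z0-9_.] is this
    example's assumption, not documented Check Point behaviour."""
    if isinstance(node, str):
        quoted = node if re.fullmatch(r'[A-Za-z0-9_.]*', node) else '"%s"' % node
        return '(%s)' % quoted
    tab = '\t' * depth
    lines = ['(']
    for key, value in node:
        lines.append('%s\t:%s %s' % (tab, key, dump(value, depth + 1)))
    lines.append(tab + ')')
    return '\n'.join(lines)

# Constructed sample: the LMdata rows from the FAQ plus :encrypt_dns from step 2
# of the previous answer (rows written on one line each to keep this short).
DNSINFO_OK = """(
    :LMdata (
        : ( :ipaddr (10.0.0.1) :name (MERLIN) :domain (ROUNDTABLE) )
        : ( :ipaddr (10.0.0.1) :name (MERLIN) )
    )
    :dnsinfo ( :encrypt_dns (true) )
)"""
# The same file with the tag typed as LMData, which the firewall will not honour.
DNSINFO_BAD = DNSINFO_OK.replace(':LMdata', ':LMData')
# The UDP-encapsulation fragment this FAQ adds to a gateway object in objects.C.
UDPENCAP = """(
    :isakmp.udpencapsulation (
        :resource ( :type (refobj) :refname ("#_VPN1_IPSEC_encapsulation") )
        :active (true)
    )
)"""
EXPECTED_TAGS = ('LMdata', 'ipaddr', 'name', 'domain', 'dnsinfo', 'encrypt_dns')
```

Running check_case(parse_c_file(DNSINFO_BAD), EXPECTED_TAGS) reports [('LMData', 'LMdata')], and dump() writes a parsed tree back in the tab-indented layout of the original files.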

 

Q. Which dnsinfo.C file is used in distributed environment

A. The answer is from Byoung Sun Yu <byu2@lucent.com>, who says that the dnsinfo.C downloaded to the SR client depends on where SR downloads the topology from. It sounds like you have SR download the topology from the FW module. Then you need to keep it on each and every FW module from which SR downloads the topology. If you can let the user access the management server to download the topology, then you just need to keep dnsinfo.C there.

 

Q:

  What do the IP Pool features in 4.1 do? This has something to do with NAT of inbound traffic, but why would one want to NAT inbound traffic?

A:

 

The main reason for this new feature is to properly handle internal network routing when a company's internal network is connected to the Internet in multiple places.
Prior to version 4.1, if a SecuRemote VPN was established through one of the company's firewalls, the Internet-routable source IP address would have to be passed into the internal network. This works fine as long as the path back out to the Internet goes through the same firewall the original packets came in on.
However, several large companies now have multiple Internet connections, which poses a unique problem. If you were to route the Internet-routable source address through one firewall and then try to access internal resources in another office that had its own Internet connection, there is a high probability that return packets would be routed through the second office's Internet connection, and thus break the VPN. It is for this reason that Check Point added new functionality to allow you to "hide" incoming VPN traffic. This way, one can add specific internal routes to get VPN return traffic back to the specific firewall it came from.

 

Q. I need to use SecuRemote from behind a NAT device

A. This describes how to encrypt data between an SR client behind a NAT device and the LAN behind FW-1.

You have to distinguish 2 situations

1) Static NAT, Pool NAT, 1 user behind a Hide NAT

2) Hide NAT with multiple users

In the following configuration you solve it for situation 1) :

SR Client ------ NAT device (FW or other) ----- Internet ------ FW-1--- LAN

For this configuration you need VPN-1 version 4.1.

It is also supported with FW-1 4.0 (and SR versions above SR4003) by making the following modifications.

Stop FireWall-1 with the command

fwstop

Edit the $FWDIR/conf/objects.C file and add (or modify) the following lines under the :props section:

:userc_NAT (true)        for FWZ
:userc_IKE_NAT (true)    for ISAKMP (IKE)

Restart FireWall-1 with the command

fwstart

and install the policy.

Confirm that these changes appear both in $FWDIR/conf/objects.C and in $FWDIR/database/objects.C.

For Static NAT and Pool NAT, this configuration works fine with both the FWZ and IKE encryption schemes. For Dynamic (Hide) NAT, it will only work if there is a single SR client behind each hiding IP address.

2) If you are subject to address translation, it is highly recommended to use IKE instead of FWZ. Both encapsulated and unencapsulated FWZ are known not to work with HIDE NAT at all. Static NAT (1-to-1 address mapping) should work with FWZ in either mode provided you allow IP Protocol 94, UDP Port 259, and other services if you use FWZ in unencapsulated mode. However, most NAT gateways will reject unencapsulated FWZ packets because the checksums are changed to support the FWZ encryption scheme.

If you are subject to any form of NAT, IKE is your best bet. However, most NAT gateways can not be configured to perform HIDE NAT on generic IP Datagrams. Provided you can forward UDP Port 500 packets and IP Protocol 50 (IPSEC) packets with your NAT gateway, you can use IKE with NAT.

Secure Client 4.1 SP2 and later when used with FireWall-1 4.1 SP2 and later support a 'UDP Encapsulation Mode' for IKE. Instead of using IP Protocol 50, UDP port 2746 is used. Most NAT gateways can perform address translation on UDP packets and it is designed to work with HIDE NAT, meaning multiple users can make use of SecuRemote behind a HIDE NAT gateway. Provided your clients are able to use TCP port 264 to fetch the topology, UDP port 500 to perform an IKE key exchange, and UDP port 2746, this should work.

You will need to modify objects.C on the management console to permit FireWall-1 to accept connections from NATted SecuRemote users. Edit $FWDIR/conf/objects.C. After the props: line, add:

:userc_NAT (true)
:userc_IKE_NAT (true)

To configure the UDP Encapsulation Mode for FireWall-1 4.1 SP2, create a service called VPN1_IPSEC_encapsulation if it does not already exist. Create it with port UDP 2746. Then add the following section inside your gateway object in objects.C:

:isakmp.udpencapsulation (
:resource (
:type (refobj)
:refname ("#_VPN1_IPSEC_encapsulation")
)
:active (true)
)

You have to add this inside the properties defined for your firewall object. Search objects.C for the name of the firewall object through which you want UDP encapsulation enabled and add these lines between the various features configured for that object.

Re-install the policy.

Note that in the default configuration, FireWall-1 will determine whether or not to use this mode based on the source port of the incoming UDP 500 packet. If it comes from source port 500, it will not use the UDP encapsulation mode. If it comes from a different source port, UDP encapsulation mode will be used. More details and instructions for disabling or forcing this mode can be found in the Secure Client 4.1 SP2 Release Notes.

Description of UDP Encapsulation. Since UDP encapsulation is a new feature and I was concerned about it affecting users with older SecuRemote software, here is a quick and dirty explanation of UDP Encapsulation.

1. SR sends IKE packet to VPN-1, one of the IKE proposals it sends to the gateway is to use UDP encapsulation. Note, only SP2 clients can send this UDP encap proposal, SP1 or earlier clients, cannot. 

2. If IKE negotiation (port UDP-500/500) packet's SRC PORT has NOT been translated, then no UDP encapsulation, it just operates like normal SR IKE session (thus SP2 and SP1 and earlier SR's can run side by side against a single gateway): a standard proposal is selected and a VPN tunnel is established. 

3. If IKE SRC PORT != 500, then the gateway assumes that a NAT HIDE device is between the gateway and SR. Then, and only then, does it accept the UDP encapsulation proposal. This selection is communicated to the client. 

4. The client takes note of the selected IKE proposal (encap or a "normal" one) and, if encap, wraps the IPSEC traffic in UDP packets. It is actually quite an elegant solution, as it is end-user transparent and encapsulation (i.e., the extra overhead) is only used when needed: when the SR client is behind such a NAT device. When the SR client is moved to another non-NATed network, no encap takes place.

Q. UDP encapsulation is using port 0
For UDP encapsulation I did all the requested configuration but it does not work. I manage to authenticate (this uses port 500), but then my SR client uses UDP port 0 and not UDP port 2746. What is wrong?

A. I just recently got this all working! The problem with the UDP port zero was that I had turned on force_udp mode in SR, but I don't think the firewall server had it turned on or configured properly. Once I confirmed the firewall HAD been updated, SR didn't start working right with UDP mode until I did a site "update"; then it worked like a charm. I guess in SR you can force UDP, but without the firewall's help, it doesn't assign a port - and some smart programmer defaulted the port to zero to show an obvious config problem.

Once more: do not forget to reload the last policy on each firewall module.

Q. With UDP encapsulation I did all the requested modifications on the client and the firewall, and both are version 4.1 SP2, but it is still not working. I see authentication is OK and keys are exchanged. The client starts to send information on UDP port 500 and then on port 2746, but no answer from the firewall is received on port 2746.

A. The firewall is still not able to communicate over port 2746. Try to reload the policy on the firewall and if it is not sufficient perform an fwstop followed by an fwstart. 

Q. What ports are used by SecuRemote

A. SecuRemote uses several TCP, UDP, and IP Datagram types depending on whether FWZ or IKE is used.

  • IP Protocol 50 for IKE
  • UDP Port 2746 used for the UDP Encapsulation mode for IKE in Secure Client 4.1 SP2 and later.
  • TCP Port 264 for Topology requests from 4.1 or later clients to 4.1 or later firewalls
  • TCP Port 256 for Topology requests from 4.0 or earlier clients to 4.0 or earlier firewalls (4.1 clients fall back to this when talking to 4.0 firewalls)
  • IP Protocol 94 for Encapsulated FWZ
  • UDP Port 259 for FWZ key exchange information.

Q. Overlapping encryption domains

A. This message usually appears when you have made a configuration mistake.

This is annoying, since your users will not be able to download your network topology, and new users will not be able to exchange topology with your gateway. This means that new users will not be able to use SecuRemote.

To work around this temporarily, install SecuRemote normally and, before defining your site, take the file from a good SecuRemote configuration, usually located at

c:\Program files\Checkpoint\SecuRemote\database\userc.C

and copy it to the same location in the new installation.

Reboot the system and when starting SecuRemote your site should be defined.

 

Q. Secure Client through a FireWall-1 Firewall

A. I have an internal local user who is connected to our local network, and he is interested in using SecuRemote to connect to one of our customers who provide him the necessary information to get into their site. Both our site and the customer site use FireWall-1. The user is able to ping and see the customer's hosts, but some of the packets will not go through our firewall.

If the same user uses the modem or dialup from the ISP Internet connection he is able to do everything he needs to with SecuRemote, but we are interested in providing connectivity from within the internal LAN to the remote customer site.

If your firewall is not performing any address translation on the securemote client, then it will work with the information provided below. If your firewall is doing address translation for the securemote client (because the client has a non-routable or illegal IP address), then read the following FAQ to determine if such a configuration will be possible: Secure Client and NAT

Assuming you are not doing address translation or can workaround it, part of what needs to be done will depend on whether or not the remote FireWall-1 is configured to use encapsulation for securemote connections or not.

General Configuration

In all cases, you will need to permit the following traffic through your local firewall (note: the IKE service applies only to FireWall-1 4.0 and above, when IKE is used for SecuRemote; in 4.0 the service is named ISAKMP):

Source                   Destination              Service                    Action
securemote-Client        Remote-Mgmt-Server       FW1                        Accept
                                                  FW1_topo
                                                  FW1_pslogon

securemote-Client        Remote-FireWall          RDP                        Accept
                                                  IKE

Remote Site Uses fwz Encapsulation

If the remote site is using encapsulation for securemote clients, the following additional rule needs to be added:

Source                   Destination               Service             Action
securemote-Client        Remote-FireWall           FW1_Encapsulation   Accept
Remote-FireWall          securemote-Client

FW1_Encapsulation is pre-defined on most current FireWall-1 boxes. If it is not pre-defined on yours, then create it as a service of type Other with "ip_p=94" in the Match field.

Remote Site Uses IKE

If the remote site is using IKE for securemote clients, the following additional rule needs to be added:

Source                   Destination              Service             Action
securemote-Client        Remote-FireWall          ESP                 Accept
Remote-FireWall          securemote-Client

ESP is pre-defined on most current FireWall-1 boxes. If it is not pre-defined on yours, then create it as a service of type Other with "ip_p=50" in the Match field.

Remote Site Uses UDP Encapsulation

If the remote site is using UDP Encapsulation on their clients, the following additional rule needs to be added:

Source                   Destination              Service                  Action
securemote-Client        Remote-FireWall          VPN1_IPSEC_encapsulation Accept
Remote-FireWall          securemote-Client

VPN1_IPSEC_encapsulation is pre-defined on FireWall-1 4.1 SP3 and above. If it is not pre-defined on yours, then create it as service of type UDP, port 2746.

Remote Site uses fwz without Encapsulation

If the remote site does not use encapsulation, then you will need to permit the necessary traffic to and from the remote site by your local firewall's rulebase. You need to make sure that none of the traffic is processed through the security servers or an intermediary proxy or you might get unreliable or unpredictable results. The following rule near the top of your rulebase should suffice:

Source                   Destination               Service             Action
securemote-Client        Remote-Servers            Any                 Accept

The "Any" above can be replaced with the specific services the SecuRemote client needs to use.

Remote Site uses NG, Policy Server, and Office Mode

If you are using Office Mode on FireWall-1 NG and/or using the Policy Server for NG, you will need the following rules:

Source                   Destination              Service                  Action
securemote-Client        Remote-FireWall          FW1_pslogon_NG           Accept
                                                  IKE
                                                  VPN1_UDP_Encapsulation
                                                  Tunnel-Test

FW1_pslogon_NG is TCP port 18231. Tunnel-Test is UDP Port 18234.
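The rule tables above can be checked mechanically. The following script is an added example, not part of this FAQ: it models the flows each 4.x remote-site mode requires using the service and object names from the tables, evaluates a rulebase top-down with an implicit drop at the end, and reports which required flows are not accepted. Groups, negation and the Install-On column are not modelled, the NG/Office Mode table is left out, and the sample rulebase is constructed for the example.

```python
CLIENT, MGMT, FW, SERVERS = ('securemote-Client', 'Remote-Mgmt-Server',
                             'Remote-FireWall', 'Remote-Servers')

# Flows needed in every case (the "General Configuration" table).
GENERAL = [(CLIENT, MGMT, 'FW1'), (CLIENT, MGMT, 'FW1_topo'),
           (CLIENT, MGMT, 'FW1_pslogon'), (CLIENT, FW, 'RDP'), (CLIENT, FW, 'IKE')]

# Extra flows per remote-site mode; both directions where the FAQ lists both.
MODE_FLOWS = {
    'fwz-encapsulation': [(CLIENT, FW, 'FW1_Encapsulation'),
                          (FW, CLIENT, 'FW1_Encapsulation')],
    'ike': [(CLIENT, FW, 'ESP'), (FW, CLIENT, 'ESP')],
    'udp-encapsulation': [(CLIENT, FW, 'VPN1_IPSEC_encapsulation'),
                          (FW, CLIENT, 'VPN1_IPSEC_encapsulation')],
    # "Any" may be narrowed to the specific services the client needs.
    'fwz-plain': [(CLIENT, SERVERS, 'Any')],
}

def required_flows(mode):
    return GENERAL + MODE_FLOWS[mode]

def rule(src, dst, services, action):
    """A rule as the checker sees it; services is a set of names or {'Any'}."""
    return {'src': src, 'dst': dst, 'svc': set(services), 'action': action}

def _rule_matches(r, flow):
    src, dst, svc = flow
    if r['src'] not in ('Any', src) or r['dst'] not in ('Any', dst):
        return False
    if svc == 'Any':                      # the flow needs every service through
        return 'Any' in r['svc']
    return svc in r['svc'] or 'Any' in r['svc']

def first_match(rules, flow):
    """The rulebase is evaluated top-down; the first matching rule decides.
    Returns (rule number, action), or (None, 'Drop') for the implicit drop."""
    for number, r in enumerate(rules, start=1):
        if _rule_matches(r, flow):
            return number, r['action']
    return None, 'Drop'

def check_rulebase(rules, mode):
    """Return [(flow, reason)] for required flows the rulebase does not accept."""
    problems = []
    for flow in required_flows(mode):
        number, action = first_match(rules, flow)
        if action != 'Accept':
            reason = ('no matching rule (implicit drop)' if number is None
                      else 'hit rule %d (%s)' % (number, action))
            problems.append((flow, reason))
    return problems

# Constructed rulebase: the general rules are present, ESP is allowed only
# from the client to the remote firewall, and a cleanup rule drops the rest.
SAMPLE_RULES = [
    rule(CLIENT, MGMT, {'FW1', 'FW1_topo', 'FW1_pslogon'}, 'Accept'),
    rule(CLIENT, FW, {'RDP', 'IKE'}, 'Accept'),
    rule(CLIENT, FW, {'ESP'}, 'Accept'),
    rule('Any', 'Any', {'Any'}, 'Drop'),
]

if __name__ == '__main__':
    for mode in MODE_FLOWS:
        print(mode, '->', check_rulebase(SAMPLE_RULES, mode) or 'all required flows accepted')
```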

 

 

Q. SecuRemote/SecureClient might bring problems when using wireless devices to connect to the network

A. It's a bug with any wireless card that uses the Prism chipset.  This includes Dlink DWL650, Compaq WL100, and probably others such as what you listed.  I contacted Checkpoint support and was told that this card was not listed on their supported network cards found here:

http://support.checkpoint.com/kb/docs/public/securemote/html/NIC_supported.html

and the fact that I was using a Toshiba laptop that also wasn't on this list meant that Checkpoint would not officially help me.

This blows in my opinion.  It's nice to hear that this doesn't seem to happen in NG, but it seems with 4.1SP5 at least no 802.11 with Prism chipsets will work.  The Sony Wireless card is an OEM of Orinoco which I believe is WaveLan chipset based.  Not quite sure though, but my Orinoco Silver card I use at home with a LinkSys Gateway+WAP works well.

Some links of interest for wireless devices integration

Forgot this link also:
http://sublimation.org/security/localarchive/802.11/links.html

This link here explains how to make an antenna that will function up to 10 miles away - as long as you have line of sight.
http://www.wwc.edu/~frohro/Airport/Primestar/Primestar.html

 

Remote Management
Author information.
Copyright © [Telecom and Logistics Associates Sàrl]. All rights reserved.
Revised: January 19, 2007.


What ports are used by NG for management

NG uses CPD, and CPD_amon for monitoring

CPD is TCP 18191, and CPD_amon is TCP 18192

CPMI on 18190 is used for GUI to mgmt communication.

 

Can't load User Database to Firewall in NG AI

When selecting the Install User Database option in NG FP3, no firewall module is listed -- only management modules. To allow the user database to be installed on a firewall module, modify the following parameter in objects_5_0.C:

:allow_install_users_db_on_module (true)

This change is also valid for earlier versions of NG.


NG re-installation or new deployment

R54 has an export tool which allows you to export all your configs from your installation on any FP of NG. You can then reinstall NG from the CD.


How to Check that a Remote module is Running

A. Using the Policy Editor, click on the remote firewall object and click the "Get Version" button. If it returns the correct version, your management station is at least talking to the remote firewall.

On Command line you can check:

fw stat remote-fw

When you cannot contact the remote module, you will get the following message (for a firewall you named fw-remote):

Failed to get version for fw-remote

In this case your 2 firewalls are not communicating with one another.

 

Do You Really Need to Stop (fwstop) Firewalls for Putkeys to Work?

A. The firewalls have to be stopped and started, but there is a possible workaround. Contrary to all Check Point documentation, Bill Husler found that it isn't always necessary: the reason for the stop/start is simply so that you can exchange keys prior to the next authentication request. Since this is the case, there exists a small window of time which allows for a successful key exchange while both firewall processes continue to run. To take advantage of this, Bill found that if he opened two separate administrative windows into the two separate systems, issued the putkey commands, then hit Enter on the management window and Enter on the firewall module window, the exchange happened quickly enough to avoid the need for an fwstop.

Q. Is the session between the GUI client and the Management console encrypted?

A. I may be wrong, but I was under the impression that the session between the GUI client and the Management server is encrypted if you are using a version of FW-1 with encryption and clear text if you are using a non-encryption version. The method by which your firewall and management station communicate is defined in the control.map. Within it are certain variables that mitigate how your firewall will talk to your management: fwz, ssl, or none (no encryption). By default the communication that exists between the two is encrypted so long as you have an encryption module loaded.

Q. How can I secure the session between the Management client and a firewall or a Management console

A. If you are running FW-1 on Solaris it is no problem: install ssh on the Solaris host and download the SecureCRT client on your management client. Configure SecureCRT so that it tunnels all packets that come from port 258 to your Solaris host (this is possible in SecureCRT version 2.3x and above, I think). Then in the GUI client just enter 127.0.0.1 (localhost) as the management server.
All FW-1 management communication is then encrypted.

Q. Single Rulebase for Multiple Firewalls?

If I want to manage multiple remote firewall modules with a single management station, is it possible with a single rulebase? Instead of having 10 different rulebases, one for each individual remote module, we want a single rulebase that is installed on all 10 remote modules. We specify in the rulebase what rules apply to what remote modules under the "Install On" column. Usually, we create a separate rulebase for every remote module.

Is this a good practice, or is it bad because it creates a huge single rulebase that is installed on every firewall? Also, wouldn't this create a lot of CPU overhead, as now every firewall has to process a rulebase where 80% of the rules do not apply to it?

Is there an advantage to having a single rulebase for many remote modules?

A: Either way is correct. Both ways have their pluses and minuses.

If each firewall has a different rulebase file, it is fairly easy to see what security policy is on an individual firewall. Also, it is far easier to specify whether a rule is enforced inbound, outbound, or eitherbound. On the other hand, it is possible to install the wrong rulebase on the wrong firewall, thus causing an outage on an individual firewall. Also, if you have to make global changes, you have to change each individual security policy file. If you do not feel too comfortable with firewall policies, go that way; it is much clearer and easier to understand.

A single rulebase is slightly more difficult to maintain.

On the other hand, you can see your entire site's security policy at a glance, and it does prevent the snafus that occur from installing the wrong rulebase on the wrong firewall. Only the rules that apply to a specific gateway will be installed there. On the downside, when you list specific gateways in the Install-On field, rules are enforced in the eitherbound direction (i.e. packets must pass through the rulebase twice). This is usually only noticeable with large rulebases on heavily-loaded systems.

If you are going to go with a single security policy file for multiple firewalls, here are my hints:

  • Rules that apply to "all" firewalls should have the install-on be listed as gateways (e.g. any any any drop)
  • Potentially busy rules on all firewalls should be installed on gateways to increase performance (even if a particular firewall can't enforce the rule).

Q. When the Management Console is separated from a remote firewall module, what are the shared secret passwords for?

A. When you separate the Firewall Management Console functions from the Inspect module, FireWall-1 needs to exchange secret keys. To do this, you need to use the "fw putkey" utility on both boxes. On the Firewall Management Console, log in as root or administrator and enter the following:

fw putkey -p <Shared Secret> <Resolvable Name or IP Address of Firewall>

On the firewall that is running the Inspect module, log in as root or administrator and enter the following:

fw putkey -p <Shared Secret> <Resolvable Name or IP Address of Firewall Management Console>

Also, if you haven't purchased/installed any License Encryption Keys for both the Firewall Management Console and the Firewall, you will need to edit the $FWDIR/lib/control.map file. By default, Check Point attempts to use FWZ to communicate between boxes. If there is no encryption license installed, you will never get them to communicate successfully. To enable the boxes to communicate, you will need to change your control.map file to resemble something like the following -

The keys are generated using the random number generator, I guess, or some other similar process. The password you enter is only a way to securely exchange those keys over the network, and for initial authentication to the management. No two keys are the same.

Q: I can't get my putkeys to work. What am I doing wrong? 

A. Make sure all IPs on both the management and firewall are resolvable to a hostname within the system's local hosts file, and that the systems are configured to look at the local hosts file before looking to DNS.

fw putkey -n local-ip remote-ip 

The "local ip" here depends on which interface you will need to talk out to see the remote system.
The "remote ip" will be the IP address that is closest to you. 

Procedure provided by Lance Spitzner

I have developed and implemented a solution for Management Module to Firewall Module Authentication
problems. This is one of last resort :)

PROBLEM:
I had 10 FW Modules (4.0 SP2 on AIX) that could neither fetch the FW rule base NOR log to the Management Module. I received an authentication error for both. However, the Management Module (4.0 SP2 on Solaris 2.6) CAN push the rule base onto the Firewall Modules. Authentication was working one way, but not the other.

SOLUTION
The standard "putkey with -n" trick did not help here. We needed a more radical approach as the entire authentication database was corrupted. Basically, I blew away the entire authentication  database on the Management Module and all Remote Modules, and then  rebuilt everything from scratch. Bill Burns pointed me in the right  direction, I just had to be a little more "draconian" in the files  I nulled out :)

PROCEDURE
When all else fails, this is the procedure to follow on 4.0 when you are having authentication problems. I recommend you follow the steps exactly as listed.

On the Management Module
- fwstop
- Backup the following files by copying them to <filename>.old
- $FWDIR/database/authkeys.C
- $FWDIR/database/opsec_authkeys.C
- $FWDIR/conf/fwauth.keys
- $FWDIR/serverkeys.pag
- Null out these files with the following command
- cp /dev/null <filename>
- Confirm that $FWDIR/lib/control.map is using the same authentication as the remote modules (fwa1 or skey).
- Make sure /etc/hosts has an entry for the remote module(s).

On the Remote Module
- fwstop
- Backup the following files by copying them to <filename>.old
- $FWDIR/database/authkeys.C
- $FWDIR/database/opsec_authkeys.C
- $FWDIR/conf/fwauth.keys
- $FWDIR/conf/serverkeys.pag
- Null out these files with the following command
- cp /dev/null <filename>
- Confirm that $FWDIR/lib/control.map is using the same authentication as the management module (fwa1 or skey).
- Make sure /etc/hosts has an entry for the management module.

On the Management Module
- fw putkey -p <password> -n <local IP> <remote IP>

On the Remote Module
- fw putkey -p <password> -n <local IP> <remote IP>

On the Management Module
- fwstart

On the Remote Module
- fwstart

That's it! If that did not do the trick, follow these two steps.

STEP 1
Ensure all Network Objects in Rule Base match /etc/hosts file and fw putkey IP addresses. Repeat steps above.

If this fails,
STEP 2
Post resume on Internet :)

Hope that helps ...

--- snip snip ---

Lance Spitzner
http://www.enteract.com/~lspitz
Internetworking & Security Engineer
Dimension Enterprises Inc

A good approach for troubleshooting putkey problems

A couple of things worth checking....

Before using fw putkey, stop the firewall daemons then re-start them afterwards (on both the management and inspection hosts). Very simple but not doing this wasted me a good hour!

To prove / disprove / workaround the problem, do the following on both hosts. 

  • Take a backup of control.map (in Solaris, this is at $FWDIR/lib/control.map) 
  • edit control.map and replace occurrences of 'skey' with 'none'
  • re-start the firewall daemons


If this works then it is definitely an encryption / fw putkey problem. You may be tempted to leave it like this as 'it works' but this removes all authentication between client and master modules. Once you have resolved the fw putkey problem, remember to restore the original control.map file otherwise somebody else could use their own management module to control your inspection module!

Q: Firewall module does not authenticate Management module. I get the following message when I try and install my security policy from my management console to my remote firewall module: 

Installing Security Policy /etc/fw/conf/TLA20000322.pf on
all.all@fwtla 
Authentication for command load failed 
Failed to Install Security Policy on fwtla: Unauthorized access

A. Redo putkeys on both sides

Q. Even with  redoing the putkeys nothing changed. What's going on? 

A:
For some reason, the firewall module is not recognizing the management console as that: the management console. This may be because the management console is described in the GUI with a different IP address than the hosts file on the firewall and management. Correcting the network object and/or the hosts file (possibly re-doing the putkeys) should solve the problem.

If this does not work, consider the $FWDIR/lib/control.map file (this is more or less the "default" control.map file):

MASTERS :stat,getkey,gettopo/none opsec/fwn1 */fwa1 
CLIENT :load,db_download,fetch,log/fwa1 opsec/fwn1 */none 
* :stat,getkey,gettopo/none unload,ioctl,load,db_download/deny opsec/fwn1 */fwa1 

What does this file mean? 

1. When my master talks to me (as defined in $FWDIR/masters), I will:

  • allow stat, getkey, and gettopo functions without authentication;
  • require fwn1 authentication for opsec-related functions;
  • require fwa1 authentication for all other functions.

2. As a client talking to my master (or as a master talking to one of the managed firewalls), I expect to:

  • authenticate with fwa1 for load, db_download, fetch, and log functions;
  • authenticate via fwn1 for opsec-related functions;
  • not authenticate for other functions.

3. When talking to all other hosts (or other hosts talking to me), I will:

  • give (or require) no authentication for stat, getkey, and gettopo functions;
  • deny unload, ioctl, load, and db_download functions;
  • give (or require) fwn1 authentication for opsec functions;
  • give (or require) fwa1 for all other functions.



To resolve this, you will need to modify the control.map file on the remote firewall. Make a copy of the MASTERS line, replacing the word "MASTERS" with the IP address of the management console (e.g. a.b.c.d). Place the new line between the existing MASTERS line and the CLIENT line, so the file looks like this:

MASTERS :stat,getkey,gettopo/none opsec/fwn1 */fwa1 
a.b.c.d :stat,getkey,gettopo/none opsec/fwn1 */fwa1 
CLIENT :load,db_download,fetch,log/fwa1 opsec/fwn1 */none 
* :stat,getkey,gettopo/none unload,ioctl,load,db_download/deny opsec/fwn1 */fwa1

This new line means that when communication takes place with a.b.c.d, the module will:

  • allow (or request) stat, getkey, and gettopo functions without authentication;
  • require (or give) fwn1 authentication for opsec-related functions;
  • require (or give) fwa1 authentication for all other functions.

Because this file is processed in order, the order of the lines in control.map is important. Bounce the remote firewall (fwstop; fwstart) and attempt to load security policy and it should succeed. 
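To see why the position of the new line matters, here is an added Python example (not from the FAQ) that parses a control.map and resolves which authentication method applies to a given peer and command: the first matching peer line wins, and within it the first clause naming the command (or "*"). The address 192.0.2.10 stands in for a.b.c.d, the $FWDIR/masters membership test is modelled as a plain set, and the default of "deny" when nothing matches is this example's assumption.

```python
# The default control.map from this FAQ, used here as constructed input.
DEFAULT_MAP = """\
MASTERS :stat,getkey,gettopo/none opsec/fwn1 */fwa1
CLIENT :load,db_download,fetch,log/fwa1 opsec/fwn1 */none
* :stat,getkey,gettopo/none unload,ioctl,load,db_download/deny opsec/fwn1 */fwa1
"""

def parse_control_map(text):
    """Return [(peer_spec, [(set_of_commands, method), ...]), ...] in file order.
    peer_spec is MASTERS, CLIENT, * or a literal address; a command set of {'*'}
    is the catch-all clause at the end of a line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        peer, _, rest = line.partition(':')
        clauses = []
        for clause in rest.split():
            cmds, _, method = clause.rpartition('/')
            clauses.append((set(cmds.split(',')), method))
        entries.append((peer.strip(), clauses))
    return entries

def _peer_matches(spec, peer_ip, masters, outbound):
    if spec == 'MASTERS':
        return not outbound and peer_ip in masters   # my master talking to me
    if spec == 'CLIENT':
        return outbound                              # me talking to my master
    if spec == '*':
        return True                                  # everybody else
    return spec == peer_ip                           # an explicit address line

def resolve(entries, peer_ip, command, masters, outbound=False):
    """Which authentication method applies: the first matching peer line wins,
    and within it the first clause that names the command (or '*')."""
    for spec, clauses in entries:
        if not _peer_matches(spec, peer_ip, masters, outbound):
            continue
        for cmds, method in clauses:
            if command in cmds or '*' in cmds:
                return method
    return 'deny'   # assumption of this example: nothing matched, so refuse

def add_peer_line(entries, peer_ip):
    """The FAQ's fix: copy the MASTERS line under the management station's own
    address and place it right after MASTERS, before CLIENT and *."""
    fixed = []
    for spec, clauses in entries:
        fixed.append((spec, clauses))
        if spec == 'MASTERS':
            fixed.append((peer_ip, [(set(c), m) for c, m in clauses]))
    return fixed

def format_control_map(entries):
    """Write the entries back in control.map syntax."""
    lines = []
    for spec, clauses in entries:
        body = ' '.join(','.join(sorted(c)) + '/' + m for c, m in clauses)
        lines.append(spec + ' :' + body)
    return '\n'.join(lines) + '\n'

if __name__ == '__main__':
    mgmt = '192.0.2.10'   # constructed address standing in for the FAQ's a.b.c.d
    entries = parse_control_map(DEFAULT_MAP)
    # The mismatch case: the firewall does not list mgmt in $FWDIR/masters,
    # so "load" falls through to the * line and is denied.
    print('load from mgmt, default map:', resolve(entries, mgmt, 'load', masters=set()))
    fixed = add_peer_line(entries, mgmt)
    print('load from mgmt, fixed map:  ', resolve(fixed, mgmt, 'load', masters=set()))
    # The same line appended after * instead: * still matches first, so still denied.
    wrong_order = entries + [fixed[1]]
    print('load from mgmt, wrong order:', resolve(wrong_order, mgmt, 'load', masters=set()))
    print(format_control_map(fixed))
```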

If you're still having problems, see Can't Get Putkeys to Work. 

 

Q. What are the differences between authentication methods between management and firewall module

A. fwa1 is fwn1 with 40 bit encryption

 

Q. What does it mean for a firewall gateway object to be defined as internal or as external?

A. A gateway object will be defined as external if it is managed by a separate Management Console. If one or several inspection modules are managed by a central management module, as is the case for remote modules, they will be marked as internal.

 

Q. How to configure VPN-1 to work with MRTG

A. To set up MRTG, you have to set up the SNMP facility of the FW-1 host and assign a password (community string) for reading the MIB. Since MRTG uses SNMP, you will need an SNMP agent running on your NT box (or any other OS), and you must also allow the snmp-read, echo-request and echo-reply services from the MRTG box to the FW-1 box. After that you have to set up MRTG; you can find a very good document about it at:

http://www.david-guerrero.com/papers/snmp/lj.html

As a reminder, SNMP is an insecure service. To use this software, port 161 (SNMP) must be open or accessible on the firewall in front of the web server.

Concerning configuration, you can use the OID values of the accepted, dropped, etc. counters. This will allow you to graph the same values you would get from the status monitor. There is a Check Point MIB that can be used with snmpwalk to get the OID numbers for the MRTG query. It is pretty easy and it works well.

 Daniel Schade <firewall-1@gmx.de> has published the necessary Oid

Name: fwModuleState Oid: 1.3.6.1.4.1.2620.1.1.1 Description: The state of the fw module. 

Name: fwFilterName Oid: 1.3.6.1.4.1.2620.1.1.2 Description: The name of the loaded filter. 

Name: fwFilterDate Oid: 1.3.6.1.4.1.2620.1.1.3 Description: When the filter was installed (returned as a string).

Name: fwAccepted Oid: 1.3.6.1.4.1.2620.1.1.4 Description: The number of accepted packets. 

Name: fwRejected Oid: 1.3.6.1.4.1.2620.1.1.5 Description: The number of rejected packets. 

Name: fwDropped Oid: 1.3.6.1.4.1.2620.1.1.6 Description: The number of dropped packets. 

Name: fwLogged Oid: 1.3.6.1.4.1.2620.1.1.7 Description: The number of logged packets. 

Name: fwMajor Oid: 1.3.6.1.4.1.2620.1.1.8 Description: FireWall-1 Major Version. 

Name: fwMinor Oid: 1.3.6.1.4.1.2620.1.1.9 Description: FireWall-1 Minor Version. 

Name: fwProduct Oid: 1.3.6.1.4.1.2620.1.1.10 Description: FireWall-1 Product. 

Name: fwEvent Oid: 1.3.6.1.4.1.2620.1.1.11 Description: A string containing the last snmp trap sent via fw

 

Q. When doing remote management of Solaris firewalls we log in under a user account and then perform a su to become root. Then I lose the PATH and all other variables. What happens, and how can I correct this?

A. After su you work in the su environment, which is read from the file /etc/default/su. To restore the environment variables you need, set them in that file. For the specific case of the PATH variable, modify the SUPATH variable defined in /etc/default/su. Below is an example of the SUPATH variable.

SUPATH=/usr/sbin:/usr/bin:/opt/CKPfw/bin:/usr/local/bin

 

Q. Do you have a procedure for moving the management server to Windows 2000?

A. Can the Management server run on Windows 2000?
YES

What are the procedures (documentation) for moving a management server?

1. Install the FireWall-1 software on the 2000 server. When setting this software up, designate the firewall module as a remote module. You will be prompted for a secret key to authenticate management commands. YOU MUST USE THE SAME KEY AS THE FIRST TIME, OR ELSE DO THE PUTKEYS AGAIN.

2. Remove the current objects.* from the 2000 server.

3. Transfer these files from the SOLARIS management module to the new 2000 management module (FTP is fine):

$FWDIR/conf/objects.C (objects and properties)
$FWDIR/conf/*.W (security policy)
$FWDIR/conf/rulebases.fws (combined rule bases for GUI clients)
$FWDIR/conf/fwauth.NDB (user database)
$FWDIR/conf/fwmusers (administrators)
$FWDIR/conf/gui-clients (allowed GUI administrative hosts)

Note: Any *.NDB files must be transferred in binary mode. All other files should be transferred in ASCII mode.

4. Restart the 2000 management station.

5. Sometimes it is necessary to regenerate the rulebases.fws and objects.C files once moved to the new management station. This is needed when you no longer see your rule bases or objects once you log in to the GUI Client on the new management console.

Regards,

Matias Siri


 

Q. SecuRemote access to the management station

The management station is standalone; the firewall module is on a different system.

A. Do a static NAT and let FW1_topo and FW1_ClientAuth through to it. If you have a problem, try defining a new object with the NATed address of your Management Server and put it in the same rule.

Q. Management module separation and SecuRemote

Up to now we had the firewall module and the management module on the same system. We have users accessing with SecuRemote. We are going to split the management module from the firewall. Does it mean that all SecuRemote users will have to have access to the management module?

Then what happens with the addressing structure?

A. Since all authentication and topology downloads are performed against the Management server, you will certainly need access to the management server from the outside world. It may be NATed, but it has to be accessible.

 

Q. Management module separation and SecuRemote access through NAT

Up to now we had the firewall module and the management module on the same system. We have users accessing with SecuRemote. We are going to split the management module from the firewall. The firewall is performing NAT for the internal LAN. The management station will be located on the LAN. Do we have to use an official IP address for the management station in order to be accessed by SecuRemote, or can we use static NAT? In this situation, what is the site name or IP address: does it become the one of the management station?

A. You can use an unroutable address on the management server to control the remote firewall module (FM). However, setting that up is not that straightforward. What you need to do is:

  •  Configure NAT for the management server and make sure the connection can be established.
  •  In the masters file of the FM, put the valid (NATed) IP address first AND on the next line put the internal address as well. Alternatively, you can modify control.map: copy and paste the MASTERS line and change the word MASTERS to the internal IP address.
  •  Run putkey on both sides. Remember that you need to designate the internal IP address when doing putkey on the FM.

From Amin Tora's post

Let me try to help here...

You can license the mgmt station under the invalid address.

However, you will need to do the following to get authentication between the Mgmt server and the remote FW module working:

Assuming you are starting fresh...

0. do an $FWDIR/bin/fwstop on the remote fw module and mgmt module

1. on the fw module:
 
-edit $FWDIR/conf/masters file and add the invalid IP of the management module
-edit $FWDIR/lib/control.map file;copy the MASTERS line and paste a new line above existing MASTERS line;rename "MASTERS" to the invalid IP of the management server
-do an $FWDIR/bin/fw putkey -p <pass> <mgmt valid ip> <mgmt invalid ip>

2. on the management:

-edit $FWDIR/clients file and add the IP of the remote module
-do an $FWDIR/bin/fw putkey -p <pass> <fw module ip>

3.
-do an $FWDIR/bin/fwstart on mgmt module
-do an $FWDIR/bin/fwstart on fw module

...make sure not to use the "-n <ip>" option when doing the "fw putkey"...else things won't work...

If you are not starting fresh... you may need to remove some files; because re-doing putkeys doesn't work at times...   ;)

...also, I don't remember if you also need the valid IP of the  mgmt station on the fw module's $FWDIR/conf/masters file or not...    

Hope this helps...

Amin Tora
ePlus Technology


Q. What does it mean when I see System "untrusted" in the status window?

A. This is mostly the case if the authentication between the Management and the Enforcement Point is not OK. To get it trusted, you can either work with cpconfig on the Firewall and on the Management (FW: Master, MM: Remote Module) or do it manually:
At the FW:
- fwstop
- edit $FWDIR/conf/masters and put the IP of the Management here
- fw putkey -p password IP-Management
- fwstart
Do this for all Enforcement Points / Firewalls. Then go to the Management Module:
- edit $FWDIR/conf/clients and put the IP of the Enforcement Points here (not always necessary).
- fw putkey -p password IP-Enforcementpoint1 IP-Enforcementpoint2...

Then try to get the status again; it should be "trusted" now.

 

Authentication
Author information.
Copyright © [Telecom and Logistics Associates Sàrl]. All rights reserved.
Revised: January 19, 2007.

Q. What do I need to use LDAP?

A. First you must have a licence for the AMC, or LDAP is not available. If you are using an eval licence it will work, but the AMC licence is quite expensive, so be careful.

Q. Check Point and W2K LDAP integration
Can we use Active Directory (AD) on Windows 2000 to perform LDAP authentication?

A. Official answer: not currently supported, as Active Directory is not fully LDAP standards compliant. I don't know the exact date for this, but you should be able to get something from the web site or from Check Point support.
Unofficial user answer: getting Active Directory through LDAP works fine for me. Just set up Remote Access Services with a rule allowing all users, and turn their Dial-In access on. Make sure you get the shared secret synced, and FireWall-1 works with it fine. At least 4.1 SP2 does.

 

Q. How to use an NT domain to authenticate users?

A. There are two general approaches, depending on the OS the firewall runs on.

  •  If your firewall runs on NT, we make it a member of the NT domain.
  •  If you are under Unix, we use RADIUS authentication against an NT domain PDC.

Firewall under NT/Windows 2000

Load NT on the firewall and make it a standalone workstation.


Integration
Make the firewall a member of the PDC's domain. This will give us the ability to specify the PDC as the authenticator for logins.

Create a workstation object of type host for the PDC. (my-PDC). 

In the firewall object set Authentication properties to OS Password.

There are two methods that may be utilized for authentication of users to the NT PDC. The first is specifying the authentication method for the user as OS Password, the second is using the "*generic" user.


First
Define a user with authentication set to OS password

The rule that will authenticate the user is the following:

Source             Destination        Service        Action    Track   Install on
firewall, my-PDC   my-PDC, Firewall   NBT            Accept    short   firewall
any                my-PDC             Service-Group  UserAuth  long    firewall

Service-Group: contains the services you want to allow the user, for example FTP.

Now if the user opens an FTP session, the firewall traps the session and authenticates the user with OS Password, which in this case is forwarded to the PDC. Hence the firewall authenticates to the PDC.


Second.
Define a user named

generic*

That is to say, the user name is the string generic*.


Once created, the firewall authenticates the user against the external server, the PDC, using the user's own name.

The second solution allows any user defined in the PDC to use the access. The first solution restricts access to users that are defined both on the firewall and in the PDC database. You might prefer the first one if you do not want all your NT domain users to have access through the firewall.

Unix solution

If you are under Unix, we use RADIUS authentication against an NT domain PDC.

  •  In the firewall properties, define authentication using RADIUS.
  •  Define a resource for the RADIUS server.
  •  Put a rule in place to allow authentication using RADIUS:

Source             Destination        Service        Action    Track   Install on
firewall, my-PDC   my-PDC, Firewall   NBT            Accept    short   firewall
any                my-PDC             Service-Group  UserAuth  long    firewall

 

Q. How to install the user database

A. The User Database is separate from the Rule Base. Installing a new policy onto a firewall module does not download the User Database. The User Database may be installed by selecting Install from the User Manager window or by selecting Install Database from the Policy menu. You can also execute $FWDIR/bin/fw install to transfer the objects and the database to the remote firewall modules.

Q. Whenever anyone tries to log onto the VPN it gives an error that reads
"User xxx Authenticated by Firewall-1. License Expired 31-Dec 2000. Connection refused."

A. This means that these users have reached the expiration date of their accounts. By default FireWall-1 set the expiration date to 31.12.2000. If you did not configure it, your accounts are expired. Have a look at the expiration date and change it as you need.

Log file


Q. Periodically these messages from the SYN gateway appear in the fw log:

message SYNDefender warning: SYN->SYN-ACK->Timeout or
message SYNDefender warning: SYN->SYN-ACK->RST

I'm sure our local hosts do not try to SYN flood the firewall. And because of these errors people sometimes have to reload the www page they try to access, or just lose connections with sites/hosts outside the protected network.

What can be the reason for this?
How can I work around the problem?

A. You probably have a passive SYN gateway set up, which means that the firewall keeps track of every TCP connection and sends a RST if a SYN packet does not generate a SYN-ACK. If a SYN-ACK does not get generated, the firewall believes it's a SYN flood attack.

By the way, a normal TCP connection starts with a 3-way handshake: SYN, SYN-ACK, ACK.
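To make the answer concrete, here is a small model of a passive SYN gateway, added as an illustration (it is not Check Point's SYNDefender code). It replays constructed packet events through the three-way handshake, tears down every handshake whose last step is older than the timeout, and names the failed step in the same path notation as the warnings quoted in the question. The host names and timings are constructed sample data.

```python
"""Simplified model of the passive SYN gateway described in the answer above.

Added example, not Check Point code: it replays constructed packet events
through the three-way handshake and reports, using the path notation of the
SYNDefender warnings quoted in the question, which step never completed.
"""
from typing import Dict, List, Tuple

# (time in seconds, source host, destination host, TCP flags) -- constructed
Event = Tuple[float, str, str, str]

SAMPLE_EVENTS: List[Event] = [
    (0.0, "c1", "s1", "SYN"), (0.1, "s1", "c1", "SYN-ACK"), (0.2, "c1", "s1", "ACK"),   # completes
    (0.0, "c2", "s2", "SYN"), (0.1, "s2", "c2", "SYN-ACK"),                             # ACK never arrives
    (0.0, "c3", "s3", "SYN"), (0.1, "s3", "c3", "SYN-ACK"), (0.3, "s3", "c3", "RST"),   # server resets
    (0.0, "c4", "s4", "SYN"),                                                           # no SYN-ACK at all
]


def track_handshakes(events: List[Event], timeout_s: float, now_s: float) -> Tuple[List[str], List[str]]:
    """Return (warnings, reset_targets) after replaying `events` up to `now_s`.

    warnings      one path string per handshake that did not complete,
                  e.g. "SYN->SYN-ACK->Timeout"
    reset_targets clients to which the gateway would send a RST to free the
                  half-open state (the behaviour the answer describes)
    """
    flows: Dict[Tuple[str, str], Tuple[List[str], float]] = {}  # (client, server) -> (path, t_last)
    warnings: List[str] = []
    reset_targets: List[str] = []

    def expire(t: float) -> None:
        # tear down every handshake whose last step is older than the timeout
        for key in [k for k, (_, t0) in flows.items() if t - t0 > timeout_s]:
            path, _ = flows.pop(key)
            warnings.append("->".join(path + ["Timeout"]))
            reset_targets.append(key[0])

    for t, src, dst, flags in sorted(events):
        expire(t)
        if flags == "SYN":
            flows[(src, dst)] = (["SYN"], t)
        elif flags == "SYN-ACK" and (dst, src) in flows:
            path, _ = flows[(dst, src)]
            flows[(dst, src)] = (path + ["SYN-ACK"], t)
        elif flags == "ACK" and (src, dst) in flows and flows[(src, dst)][0][-1] == "SYN-ACK":
            flows.pop((src, dst))              # handshake complete: no warning, no RST
        elif flags == "RST":
            key = (src, dst) if (src, dst) in flows else (dst, src)
            if key in flows:
                path, _ = flows.pop(key)
                warnings.append("->".join(path + ["RST"]))
    expire(now_s)
    return warnings, reset_targets


if __name__ == "__main__":
    for line in track_handshakes(SAMPLE_EVENTS, timeout_s=5.0, now_s=10.0)[0]:
        print("SYNDefender warning:", line)
```

Running it shows why the warnings appear without any flood: a slow or unreachable server (c2, c4) or a server that resets (c3) each produce one warning, and only the timeouts cause the gateway to reset the client. A long timeout relative to the real round-trip time makes the "Timeout" entries disappear, which is the knob to look at before suspecting an attack.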

Q. I'm unable to open old log files.
Error message: "lvfile_open: failed to open logfile d:\fw\log\fw.log log ptrs problem"

A. Remove the old logptr files. They are NOT needed, and cannot be used once they have been moved or copied somewhere else.

When you re-open the log file, the logptr file will be re-created.

 

How do I Rotate the Audit Logs in FireWall-1 NG?

The VPN-1/FireWall-1 NG audit log type files are:

  • xx.adtlog - stores the audit log records.
  • xx.adtlogptr - provides pointers to the beginning of each log record.
  • xx.adtloginitial_ptr - provides pointers to the beginning of each log chain (logs that shared the same connection ID - LUUID).
  • xx.adtlogaccount_ptr - provides pointers to the beginning of each accounting record.

 

To purge/delete the current audit log files without saving it to a backup file, run:

# fw logswitch -audit ""

To logswitch and save the logs to a file, run:

# fw logswitch -audit

Example :

 

 # fw logswitch -audit
 Trying to switch audit logfile to 2002-06-07_150016.adtlog
 Log File was switched to : 2002-06-07_150016.adtlog

 

 

 

Q. How to redirect logging to another master

A. A Master is a machine to which firewall modules direct logging. The file $FWDIR/conf/masters contains a list of IP addresses or network object names, one per line. When the firewall module starts, it reads this file to determine where to direct logging.

If the file does not exist, logging is local.

If the file exists, logging is directed to the first IP address in the file.

If any address is preceded by a + sign, then all logging is directed to all IP addresses with a + sign.

If the connection to the master goes down, the module scans the file and uses the next IP address; if none is reachable, it logs locally.

Q. In version 2000 (4.1), what happened to fwui.log?

A. fwui.log is now called cpmgmt.aud.

Q. What shall I do if I want to separate the Management Module used as the policy repository from a Management Module used as the logging station?

A. You can create the file $FWDIR/conf/loggers with a text editor to direct logs to a centralized logging station. It contains a list of IP addresses, one per line. The syntax is the same as for the masters file:

With a + sign, logging is directed to all the IP addresses preceded by a + sign.

IP addresses preceded by an @ sign will receive only alerts.

+tla33
+loghost
@ cyber
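As an added illustration (not code from this FAQ or from Check Point), the following Python functions apply the masters/loggers rules given in the two answers above, including the failover rule, to the contents of such a file. The file contents are constructed samples that reuse the host names shown above plus two documentation addresses.

```python
"""Resolve FireWall-1 log destinations from a masters/loggers-style file.

Added example: applies the rules described above (first entry, '+' entries,
'@' alert-only entries, failover to the next entry) to file contents.
This is not Check Point code.
"""
from typing import Iterable, List, Optional, Tuple


def _entries(text: str) -> List[Tuple[str, str]]:
    """Split file text into (prefix, target) pairs, prefix in {'', '+', '@'}."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line[0] in "+@":
            out.append((line[0], line[1:].strip()))   # "@ cyber" -> ("@", "cyber")
        else:
            out.append(("", line))
    return out


def log_destinations(text: Optional[str]) -> Tuple[List[str], List[str]]:
    """Return (log_targets, alert_only_targets).

    text is the content of $FWDIR/conf/masters (or loggers), or None when the
    file does not exist, in which case the module logs locally.
    """
    if text is None:
        return [], []
    entries = _entries(text)
    plus = [t for p, t in entries if p == "+"]
    alerts = [t for p, t in entries if p == "@"]
    if plus:                       # any '+' entry: log to all '+' entries
        return plus, alerts
    plain = [t for p, t in entries if p == ""]
    return plain[:1], alerts       # otherwise only the first entry receives logs


def failover_target(text: Optional[str], unreachable: Iterable[str]) -> Optional[str]:
    """Pick the first plain entry that is not in `unreachable`.

    Mirrors the failover rule above: when the current master is down the
    module scans the file for the next address; None means "log locally".
    """
    if text is None:
        return None
    down = set(unreachable)
    for prefix, target in _entries(text):
        if prefix == "" and target not in down:
            return target
    return None


if __name__ == "__main__":
    # constructed sample files
    loggers = "+tla33\n+loghost\n@ cyber\n"
    masters = "192.0.2.10\n192.0.2.11\n"
    print(log_destinations(loggers))                 # (['tla33', 'loghost'], ['cyber'])
    print(log_destinations(masters))                 # (['192.0.2.10'], [])
    print(failover_target(masters, {"192.0.2.10"}))  # 192.0.2.11
```

The split into "plain" and "+" entries is the point to check when logs silently stop arriving at a second station: a file that mixes one plain line with '+' lines sends logs only to the '+' hosts, and a plain-only file sends them to the first reachable host alone.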

 

Q. How to redirect logs to a different partition

A.

For logging on Windows:

Run Regedit.

Go to HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\FW1\5.0

Create a string value FWLOGDIR and put in it the full path of the directory you want the logs to go to.

For logging on Unix:

ln -s /path/to/new/logdir $FWDIR/log

Note that ln -s does not replace an existing $FWDIR/log directory (it would create the link inside it): stop the firewall, move the existing directory aside or move its contents into the new location, then create the link and restart.

If you're talking about Windows NT with FireWall-1 4.1, there is a registry hack.

Enter the HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\FW1\4.1 path and add a new string value from the Edit --> New menu. Name it FWLOGDIR.
Add the directory name that you wish to log to, and create the directory.
Then bounce the firewall (fwstop/fwstart).

 

Q. What is ELA Proxy?

A. ELA is the Extended Logging API, a mechanism for 3rd party OPSEC vendors to log their events to the FW-1 logs. Check with Support, but I don't think it's needed if you don't have any 3rd party tools using it.

Q. Does WebTrends use ELA?

A. WebTrends uses LEA (Log Export API), not ELA. LEA is the opposite of ELA; it allows FW-1 to send events to a 3rd party reporting application. Although it is possible to use WebTrends with manually exported log files, I believe they recommend using LEA as the preferred interface between the two.

Per Check Point: "WebTrends Firewall Suite integrates with the Log Export API (LEA) of the OPSEC architecture in VPN-1/FireWall-1. When LEA is used, a secure connection is set up between WebTrends Firewall Suite and VPN-1/FireWall-1. This connection provides the mechanism that safely and securely transfers data between the firewall and the analysis engine. By encrypting data at the firewall, LEA ensures that firewall logs are not tampered with during transport. The LEA connection also facilitates the creation of real-time reports without the need to export complete log files at every update interval, saving time and bandwidth resources."

Also see:
ftp://ftp.webtrends.com/firewall/fw_cg.pdf


Log rotation script in Perl

Provided by Figaro, Nicolas [nfigaro@CDCIXIS-CM.COM]
 

 

#!c:\perl\bin\perl
#/************************************************************/
#/* script : classer_mois_fw.pl
#/*
#/*----------------------------------------------------------
#/* Created :
#/*       Author : nfigaro
#/*       Date   : jan 2004
#/*
#/*----------------------------------------------------------
#/* goal : generate exported log, zip and ftp to archiving box
#/* Usage : classer_mois_fw.pl
#/* the files are generated at the beginning of the month for the
#/* previous month
#/************************************************************/
use strict;
use warnings;

# ftp package
use Net::FTP;
use Net::FTP::Common;
my %net_ftp_config = ( Debug => 0, Timeout => 120 );

# hostname converted to lowercase
my $HOSTNAME = "\L$ENV{'COMPUTERNAME'}\E";

my $FTPSERVER = "a.b.c.d";

my ($FICHIER_LOG, $FICHIER_LOGEXPORT);
# paths contain spaces, so they are quoted for the shell
my $CPSTOP  = "\"C:\\Program Files\\CheckPoint\\CPShared\\NG\\bin\\cpstop.exe\"";
my $CPSTART = "\"C:\\Program Files\\CheckPoint\\CPShared\\NG\\bin\\cpstart.exe\"";

# $FWDIR (could be taken from $ENV perhaps)
my $FWDIR = "c:\\winnt\\fw1\\NG";

# I use the wzzip command line tool, but the perl compress package
# should do the trick too.
my $WINZIP = "\"c:\\program files\\winzip\\wzzip.exe\"";
my $GZIP   = "c:\\cygwin\\bin\\gzip.exe";

# the log files are moved to a temp directory on the same drive
# to avoid locked files
# cpstop -> move -> cpstart
my $TMPDIR = "c:\\temp\\fwlog$$";
system("mkdir $TMPDIR");

my $LOGDIR = "$FWDIR\\log";

my ($HEURE, $JOUR, $MOIS, $ANNEE) = (localtime)[2,3,4,5];

$ANNEE += 1900;
$MOIS  += 1;       # localtime months are 0-11

print "hour : $HEURE, day : $JOUR, month : $MOIS, year : $ANNEE\n";

# the files
# only the files that match the previous month are kept
if ( $MOIS == 1 )
{ $MOIS   = 12;
  $ANNEE -= 1;
}
else
{ $MOIS -= 1;
}
# zero-pad the month after the arithmetic, so the pattern is "2004-04-*"
$MOIS = sprintf("%02d", $MOIS);

# logs destination local directory
my $ARCHDIR = "d:\\logs\\$ANNEE\\$MOIS";
if ( ! -d $ARCHDIR )
{ system("mkdir $ARCHDIR");
}

my $PATTERN = $ANNEE . "-" . $MOIS . "-*";
system "$CPSTOP";
system "move $LOGDIR\\$PATTERN $TMPDIR";
system "$CPSTART";

open(LIST, "dir $TMPDIR\\*.log /b|") or die "cannot list $TMPDIR: $!";
while (<LIST>)
{ if (/([^\.]+)\.log$/)
  { $PATTERN = $1;
    ($FICHIER_LOGEXPORT, $FICHIER_LOG) = ("$PATTERN.export.txt", "$PATTERN.log");
    # export the binary log to a ';'-separated text file in the archive directory
    system "$FWDIR\\bin\\fwm logexport -n -d \";\" -i \"$TMPDIR\\$FICHIER_LOG\" -o \"$ARCHDIR\\$FICHIER_LOGEXPORT\"";
    # zip the raw log files (log, logptr, ...) for this switch, excluding the export
    system "$WINZIP -x$FICHIER_LOGEXPORT $ARCHDIR\\$PATTERN.log.zip $TMPDIR\\$PATTERN*";
    # zip the export separately and drop the uncompressed copy
    system "$WINZIP $ARCHDIR\\$FICHIER_LOGEXPORT.zip $ARCHDIR\\$FICHIER_LOGEXPORT";
    system "del $ARCHDIR\\$FICHIER_LOGEXPORT";
    #system "move $TMPDIR\\* $ARCHDIR";
    #system "$GZIP -9 $ARCHDIR\\*";
  }
}
close(LIST);

system("del /Q $TMPDIR\\*");
system("rmdir $TMPDIR");

# send the results via ftp
my $REMOTEDIR = "/$HOSTNAME/$ANNEE/$MOIS";
my %common_cfg =
     (
      User => 'ftpuser',
      Pass => 'ftppasswd',
      Host => $FTPSERVER,
      Dir  => $REMOTEDIR,
      Type => 'I'
     );

# Net::FTP::Common takes the common settings as a hashref and the
# Net::FTP settings as a flat hash
my $CONNEXION_FTP = Net::FTP::Common->new(\%common_cfg, %net_ftp_config);

# create the directory on the ftp server
$CONNEXION_FTP->mkdir(Dir => $REMOTEDIR, Recurse => 1);

open(LIST, "dir $ARCHDIR\\*.zip /b|") or die "cannot list $ARCHDIR: $!";
while (<LIST>)
{ $PATTERN = $_;
  chomp $PATTERN;
  $PATTERN = "$ARCHDIR\\$PATTERN";
  print "sending file $PATTERN via ftp to $FTPSERVER:$REMOTEDIR\n";
  $CONNEXION_FTP->send(File => $PATTERN);
}
close(LIST);

 

 


Command Line


Q. How do I add an administrator?

A. To add an administrator on CP2000, use

# fwm -a

You will be prompted to enter the user's name.

Q. How do I remove an administrator?

A. The command to remove an administrator on CP2000 is

# fwm -r

You will be prompted to type the user's name.

Q. How to drop connections with the blocking feature of 'fw sam', as opposed to Reject
I've been playing with the 'fw sam' blocking feature. I noticed that it blocks by using Reject (RST) as opposed to Drop. I consider this a bad thing, as it gives information away, specifically "yes, I am a firewall and I am now blocking you".
If you get right down to it, it should "vanish" the packets.

A. The code responsible for this is in $FWDIR/lib/code.def. You'll see the following in the code:

/*
* SAM code
* Check the sam table for ipaddrs which are temporarily blocked -
* such connections will not be allowed to reach the rulebase code.
*/

followed by a number of #define and define statements. Then you will see:

reject (
...
);

The [...] will contain a number of references to SAM functions. Simply change the "reject" to "drop" or "vanish" and reload your policy.

Q. How to change the password that authenticates internal communication between a firewall module and its Management Center

A. Use fw putkey:

fw putkey [-no_opsec] [-opsec] [-p password] [-k num] [-n name] <target>

target       is the IP address of the other host.
-no_opsec    only FW-1 control connections are enabled
-opsec       only OPSEC control connections are opened
-p password  the password can be typed on the command line
-k num       length of the first S/Key password
-n name      name to identify this host to the other one, instead of name resolution

To use it in a script, do it this way:

fw putkey -p password -n local-ip remote-ip

 

Q. How to extract all information about a firewall installation

A. A useful command is fwinfo. It extracts all configuration information. Its output is sometimes requested by support people. Just be conscious that by sending this output you are sending your entire firewall configuration.

$FWDIR/bin/fwinfo

For Nokia IPSO you will need to download the script contained in resolution 2653.

Q. How to monitor what happens on a management system, or on a system having an evaluation license

A. The fw monitor command allows you to monitor network traffic going through the FireWall-1 kernel module. This is sort of like tcpdump, except that it shows you what things look like from the perspective of various parts of FireWall-1 and can be used to monitor all interfaces simultaneously.

fw monitor [-d] [-D] -e inspect-filter -f filter-file [-l len] [-m mask] [-x offset[,len]] [-o file]

Command line options:
-d Turn on dodebugptr
-D Turn on dodebugptr
-e Specify an INSPECT program line (multiple -e options can be used)
-f INSPECT filter file name ('-' can be used to specify standard input). The -f and -e options are mutually exclusive.
-l Specify how many bytes of the packet should be transferred from the kernel.
-m Specify the inspection points mask, any one or more of i, I, o, O (i/I = before/after inbound inspection, o/O = before/after outbound inspection).
-o Specify an output file. Such files can be viewed with the 'snoop' command on Solaris. This is only valid on 4.0 SP3 and later.
-x Perform a hex dump of the received data, starting at the specified offset and printing out 'len' bytes.

Examples

fw monitor -e '[9:1]=6, accept\;' -l 100 -m iO -x 20 will display all TCP packets entering and leaving FireWall-1. Up to 80 bytes of TCP header and data will be displayed (assuming no IP options are used).

fw monitor -e 'accept\;' -m iI will display all packets entering and exiting FireWall-1 in the inbound direction (i.e. before the OS routes the packet).

fw monitor -e 'accept ifid=0,src=10.0.0.1 or dst=10.0.0.1\;' will show you all packets on interface ID 0 coming from or going to 10.0.0.1. The value used for ifid corresponds to a number given to an interface by FireWall-1. You can determine which interface has which number with the command fw ctl iflist.

fw monitor -e 'accept ifid=0,src=10.0.0.1 or dst=10.0.0.1,ip_p=47\;' does the same thing as the previous command, except it looks for packets of IP protocol 47 only.

fw monitor -e 'accept tcp,dport=80 or sport=80,src=10.0.0.1 or dst=10.0.0.1\;' shows all TCP packets going to or from 10.0.0.1 with either a source port of 80 or a destination port of 80.
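To show what the byte-offset expressions in these filters actually test, here is an added Python example (not Check Point's INSPECT engine): it builds a raw IPv4 packet inline and evaluates '[9:1]=6', the 'src=... or dst=...' address test and the header offset that '-x 20' assumes. The addresses and payloads are constructed sample values; the function names are my own.

```python
"""Evaluate simple fw monitor INSPECT expressions against a raw IPv4 packet.

Added example, not Check Point's INSPECT engine: it shows what '[9:1]=6',
'src=10.0.0.1 or dst=10.0.0.1' and '-x 20' look at inside the packet.
Packets are constructed inline (header checksum left as zero).
"""
import ipaddress
import struct


def build_ipv4(src: str, dst: str, proto: int, payload: bytes = b"", options: bytes = b"") -> bytes:
    """Build a minimal IPv4 header (optionally with options) followed by payload."""
    assert len(options) % 4 == 0, "IP options are padded to 32-bit words"
    ihl = 5 + len(options) // 4
    total = ihl * 4 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s",
                      (4 << 4) | ihl,   # version 4, header length in 32-bit words
                      0, total, 0, 0,   # TOS, total length, id, flags/fragment offset
                      64, proto, 0,     # TTL, protocol (byte 9), checksum
                      ipaddress.IPv4Address(src).packed,   # bytes 12..15
                      ipaddress.IPv4Address(dst).packed)   # bytes 16..19
    return hdr + options + payload


def byte_match(packet: bytes, offset: int, length: int, value: int) -> bool:
    """INSPECT '[offset:length]=value': compare `length` big-endian bytes at `offset`."""
    field = packet[offset:offset + length]
    return len(field) == length and int.from_bytes(field, "big") == value


def host_match(packet: bytes, host: str) -> bool:
    """INSPECT 'src=host or dst=host' on the fixed IPv4 address fields."""
    want = ipaddress.IPv4Address(host).packed
    return packet[12:16] == want or packet[16:20] == want


def transport_offset(packet: bytes) -> int:
    """Where the transport header starts: IHL*4, which is 20 only without IP options.

    This is the offset the '-x 20' in the first example assumes.
    """
    return (packet[0] & 0x0F) * 4


if __name__ == "__main__":
    pkt = build_ipv4("10.0.0.1", "192.0.2.5", 6, payload=b"\x00\x50\x00\x50")
    print("[9:1]=6 ->", byte_match(pkt, 9, 1, 6))          # True: protocol 6 is TCP
    print("ip_p=47 ->", byte_match(pkt, 9, 1, 47))         # False: not GRE
    print("transport header at", transport_offset(pkt))    # 20
```

The same byte_match call with value 47 is what 'ip_p=47' selects, and transport_offset is why the FAQ qualifies the '-x 20' example with "assuming no IP options": with a 4-byte option the TCP header begins at byte 24, so a hex dump starting at 20 would show the option bytes first.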

Q. How to obtain debug information from the daemons

A. You will need to kill the fwd daemon and restart it with a debug option

UNIX:

1. Go to $FWDIR/bin
2. Kill the relevant daemon with fw kill {fwd | fwm}
3. Restart the daemon with debug messages. Use 'fwd -d' or 'fwm -d'

NT:

1. Issue fwstop.
2. Enter %SystemRoot%\fw\bin and issue 'fw d -d' or 'fw m -d'.
3. Issue fwstart.

Q. What are the switches to fwd

A. Here is the current list of switches and what they do:

-u : run a SecuRemote server.
-n : management only (no module).
-s : no module (Supposedly doesn't do fw stat?)
-l : no logs.
-A : no alerts.
-d : debug
-D : log debugging

fwd by default will use -u. fwstart calls fwd -n on pure management consoles (i.e. ones that don't contain a firewall module). The debug flags send messages to stderr (or fwd.log on FireWall-1 4.x) and run the process in the foreground instead of the background.

 

 

Troubleshooting

MTU path discovery

Q. I have read several threads where people say MTU should not be an issue with SecuRemote on NG-AI, yet we continually have users that have to run MTUAdjust in order to connect to certain apps through the VPN. Could we be blocking something, so that MTU Path Discovery cannot work properly?

A. ICMP type 3 (Destination Unreachable) code 4 (Fragmentation Needed and Don't Fragment was Set)

See this link for further info:

http://www.iana.org/assignments/icmp-parameters

If a networking device receives a packet that is larger than the device's MTU and the packet has the Don't Fragment (DF) bit set, then the networking device should respond with an ICMP type 3 code 4 telling the sender to decrease the packet size. This is Path MTU discovery. Most of the time a router or firewall generates this traffic.

Most of the time, if this doesn't work it is because a router is blocking it (with an ACL, or an interface configured with "no ip unreachables") or a firewall is blocking it (because the firewall admins are not aware of PMTU). If you are doing NAT, then the ICMP message can't always make it back to the "original" sender to ask it to reduce the packet size. If you are using VPNs, then the effective MTU (so to speak) is smaller than the sender believes, because the tunnel headers take part of it.
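For anyone checking whether these messages are actually being produced and passed, here is an added Python example (not from the FAQ) that builds and parses an ICMP type 3 code 4 message and reads the Next-Hop MTU field that the sender is supposed to honour (RFC 1191 places it in the second half of the ICMP header). The quoted original datagram is a constructed byte string, and the checksum routine is the standard Internet checksum.

```python
"""Build and parse ICMP 'Fragmentation Needed' (type 3, code 4) messages.

Added example, not from the FAQ: shows the field a PMTU-discovering host
reads (Next-Hop MTU, RFC 1191) so that a capture can be checked for it.
All bytes are constructed inline.
"""
import struct
from typing import Optional

ICMP_DEST_UNREACH = 3
CODE_FRAG_NEEDED = 4


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frag_needed(next_hop_mtu: int, original_datagram: bytes) -> bytes:
    """ICMP type 3 code 4: 8-byte header + original IP header + first 8 payload bytes."""
    quoted = original_datagram[:28]          # 20-byte IP header + 8 bytes of the datagram
    hdr = struct.pack("!BBHHH", ICMP_DEST_UNREACH, CODE_FRAG_NEEDED, 0, 0, next_hop_mtu)
    csum = internet_checksum(hdr + quoted)
    return struct.pack("!BBHHH", ICMP_DEST_UNREACH, CODE_FRAG_NEEDED, csum, 0, next_hop_mtu) + quoted


def parse_frag_needed(icmp: bytes) -> Optional[int]:
    """Return the announced Next-Hop MTU, or None if this is not a valid type 3 / code 4."""
    if len(icmp) < 8 or internet_checksum(icmp) != 0:   # a valid message sums to zero
        return None
    typ, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if typ != ICMP_DEST_UNREACH or code != CODE_FRAG_NEEDED:
        return None
    return mtu


if __name__ == "__main__":
    sample_datagram = bytes(range(28))       # constructed stand-in for the oversized packet
    msg = build_frag_needed(1400, sample_datagram)
    print("announced MTU:", parse_frag_needed(msg))   # 1400
```

When a client has to run MTUAdjust to get through the VPN, the question to settle first is whether a message like this ever reaches it: if a capture on the client side shows no type 3 code 4 at all while large DF packets are being sent, something on the path (ACL, "no ip unreachables", or a firewall rule without an ICMP Destination Unreachable exception) is discarding it.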

 

 

NG AI DNS resolution with bad answer

Whenever someone tries to ask the DNS for a domain name I see on the log file:

"Attack Info: Badly formed DNS"

or

"Attack Info: Illegal number of Resource Records"

A. This is a known bug. You need to disable enforce UDP... in SmartDefense.

 

Q. DNS configuration to resolve internal and external hosts

I have a problem using the 'Get Address' function when defining nodes in SmartDashboard. This works for internet hosts e.g : www.sun.com

But for Intranet hosts (e.g. a PC) : I get

Cannot Resolve Hostname

I have a classical 3-homed firewall (Intranet, DMZ, external).

A. To be able to resolve those internal hosts, the host doing the lookup needs to point at an internal DNS server. Resolution of external hosts will also go to the internal DNS servers, which resolve them or forward them to an ISP DNS.

 

Q. Problems establishing a VPN using PPPoE

A. The problem with PPPoE is the MTU size of your client computer.

You can control the size of your MTU through the "mtuadjust.exe" application in your SecuRemote/SecureClient bin directory. Theoretically, 1400 should solve your problem, but you should try and see what is the highest MTU you can set and still work properly.

If that doesn't solve the issue, I would suggest looking at your firewall and client logs.

 

FTP problems
Q. Since I moved from 4.0 SP5 to 4.1 SP2 people cannot download from some FTP sites,
one of them iftp.compaq.com.

The fw rejects the packet coming back from Compaq with rule 0,
saying: unknown established TCP packet.
Other FTP sites are OK. Any suggestions?

A.
1) Uncomment

#define ALLOW_NON_SYN_RULEBASE_MATCH

in $FWDIR/conf/fwui_head.def

and

stop FW-1, edit $FWDIR/lib/base.def and comment out

#define FTP_ENFORCE_NL

by changing it to

//#define FTP_ENFORCE_NL

Start FW-1.
RE-INSTALL POLICY.

The first one being commented out by default causes a lot of "unestablished TCP connection" errors (dropped by rule 0); the second causes lost connections to FTP servers with no newline endings in their data packets.

Those two "security enhancements" in 4.1 SP2 cause a lot of traffic loss. Both changes loosen the firewall's TCP state and FTP protocol checks, so treat them as a workaround for the sites concerned rather than a permanent setting.


2) Edit $FWDIR/lib/base.def and change the following line:
     Original Value - #define FTPPORT(match) (call KFUNC_FTPPORT <0x1|(match)>)
     New Value - #define FTPPORT(match) (call KFUNC_FTPPORT <(match)>)
Both lines were already in the base.def file; I just commented out the Original Value and uncommented the New Value.

Q. How to debug in kernel mode
A. Here is a list of the FireWall-1 kernel debug options.

The FireWall-1 kernel module may be put into debug mode with the following command:

nokia_fw[admin]# fw ctl debug <debug-option>

    The following are valid debug-options

    • 0 - turn debugging off (fw ctl debug 0)
    • all (DO NOT USE)
      • all debug features
      • The output is excessive, making the system unresponsive. Often, only a cold reboot will restore access to the system.
    • cookie - "cookie" (abstract data type of representing packets) related messages
    • crypt - encryption related information
    • domain - domain queries
    • driver - device driver operations
    • filter - filter loading and unloading
    • hold - packets held and released (related, among other things, to encryption)
    • if - interface binding
    • install - driver installation
    • ioctl - ioctl commands from the daemon
    • kbuf - kernel buffers (buffers allocated by the kernel for encryption purposes)
    • ld - operations on dynamic tables
    • log - log messages sent to the daemon
    • machine - virtual machine operation (the virtual machine which executes the INSPECT code compiled from .pf files)
    • memory - memory usage
    • misc - all others
    • packet - packet handling
    • profile - performance monitoring
    • q - streams and queues operations
    • synatk - operations related to syn attack protection
    • tcpseq - TCP sequence numbers changed
    • winnt - windows NT specific operations
    • xlate - address translation for new connections
    • xltrc - address translation for telnet and ftp

Redirecting Output to a File

    The information is sent by default to the console. It can also be sent to a kernel buffer. This is necessary because the output is often too great to process in real time. Here are some examples of how to redirect the output to a file for examination later:

    tla[admin]# fw ctl debug -buf [1024]

    The default size is 1024 Kbytes. At this point you have only enabled the redirection of the output to a buffer; the next step is to retrieve the contents of this buffer. This is done with the following command:

    tla[admin]# fw ctl kdebug -f

    This will now dump the buffer to stdout, but this is similar to before. The following are the steps to redirect the buffer to a file:

tla[admin]# fw ctl debug -buf
tla[admin]# fw ctl debug <option>
tla[admin]# fw ctl kdebug -f > filespec
tla[admin]# tail -f filespec

When you have gathered enough information, press <CTRL-C> to stop the output to the file. You will have to issue `fw ctl debug 0` in order to actually restore the kernel to normal operation.
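The four-step sequence above is easy to get wrong under pressure (the usual slip is forgetting `fw ctl debug 0`, which leaves the kernel logging). The wrapper below is an added example written for this FAQ, not a Check Point tool: it assumes the `fw` command is on the PATH (or named in FW_CMD), captures one debug topic for a fixed number of seconds, and always finishes by switching debugging off, even when you press CTRL-C.

```shell
#!/bin/sh
# fw_debug_capture: run the "fw ctl debug -buf" -> "fw ctl debug <topic>"
# -> "fw ctl kdebug -f > file" sequence and always end with "fw ctl debug 0".
# Added example for this FAQ, not Check Point code. Assumes FW_CMD (default
# "fw") names the FireWall-1 command-line tool.

FW_CMD="${FW_CMD:-fw}"

# Usage: fw_debug_capture <topic> <buffer KB> <output file> <seconds>
# Example: fw_debug_capture xlate 1024 /var/tmp/xlate.dbg 30
fw_debug_capture() {
    topic=$1; bufsize=$2; outfile=$3; secs=$4

    # 1. redirect kernel debug output to a buffer of the requested size
    "$FW_CMD" ctl debug -buf "$bufsize" || return 1
    # 2. switch on the requested debug topic (undo step 1 if this fails)
    "$FW_CMD" ctl debug "$topic" || { "$FW_CMD" ctl debug 0; return 1; }
    # 3. drain the buffer into the file in the background
    "$FW_CMD" ctl kdebug -f > "$outfile" &
    kpid=$!
    # CTRL-C or a kill must still restore normal kernel operation
    trap 'kill "$kpid" 2>/dev/null; "$FW_CMD" ctl debug 0; exit 130' INT TERM

    sleep "$secs"

    kill "$kpid" 2>/dev/null || true
    wait "$kpid" 2>/dev/null || true
    trap - INT TERM
    # 4. the step people forget: turn debugging off again
    "$FW_CMD" ctl debug 0
}

# Number of lines captured: an empty file usually means the topic never
# fired (or the buffer was drained before anything was written).
fw_debug_linecount() {
    wc -l < "$1" | tr -d ' '
}

# Stand-alone use: sh thisfile run <topic> <seconds>
if [ "${1:-}" = "run" ]; then
    fw_debug_capture "${2:-xlate}" 1024 "/var/tmp/fw-${2:-xlate}.dbg" "${3:-30}"
    echo "captured $(fw_debug_linecount "/var/tmp/fw-${2:-xlate}.dbg") lines"
fi
```

Keep the buffer size and capture window small on a busy gateway: the page's warning about excessive output applies to the buffer too, and a short capture of the right topic is easier to read than a long one of everything.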

Debugging HTTP Security Server

    We used the settings below when debugging HTTP Security Server problems. One weakness of the HTTP Security Server is that it blocks all network connections it is inspecting when a URL cannot be resolved. This is serious: a denial of service against the DNS your firewall uses can cripple it. For example, if you create a URI resource object to explicitly block HTTP to www.somedomain.com and that name does not resolve to an IP address, then all HTTP that is subject to Content Security will be blocked.

tla[admin]# setenv HTTP_DEBUG 1
tla[admin]# setenv FWAHTTPD_DEBUG 1
tla[admin]# setenv FW_DEBUG_EVENT 1
tla[admin]# setenv FWT_DEBUG all
tla[admin]# fw kill fwd; fwd `cat $FWDIR/conf/masters`

    Later versions of FireWall-1 enable SMTP_DEBUG and MDQ_DEBUG in another way: define these variables in the $FWDIR/conf/smtp.conf file and then send the fwd process the -USR1 signal with kill. Once this is done, the debugging output starts immediately, without restarting the daemons.

    To remove these environment variables, execute unsetenv env_variable. The output is directed to $FWDIR/log/ahttpd.log. This particular problem produced numerous duplicate entries in the log file, of this form:

      [764@nokia_fw.iprg.nokia.com] calling async resolve for www.unresolveable.com
      [port 1023:Connection refused Thu Aug 5 23:42:57 1999] [pid=764]
      Failed to connect to server for side = 1 at [Thu Aug 5 23:42:57 1999] [pid=764] write_from_queue : side = 1, clnt = 0,

        buf = (

          :data (

            :resolved_name (www.unresolveable.com)
            :type (dns_resolve_byname)

          )
          :chain_name (resolver_list)
          :call_function (cached_resolver_gethostbyname)
          :return_function ()
          :serial_number_resolver_list0(2)
          :current_side(1)

        )

    The speculation was that FireWall-1 was attempting, over and over, to resolve www.unresolveable.com to an IP address. It was verified that this particular destination was not resolvable. Once the rule using a URI resource object of type Wildcard, which explicitly specified this site, was removed, everything was restored. This bug was verified to be in 4.0 SP4 for Solaris on Aug 6th, 1999. The immediate solution is to not use a URI resource object of type Wildcard to drop or reject HTTP, but to only Accept HTTP.
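The symptom described above (the same name handed to the resolver again and again) is easy to spot mechanically. The script below is an added example, not part of the original FAQ: it counts "calling async resolve for <host>" lines per host in ahttpd.log and reports any host that appears more often than a threshold. The log lines it ships with are constructed for the demonstration, with the gateway name replaced by a placeholder; the message wording is the one shown in the excerpt above.

```shell
#!/bin/sh
# Flag hosts that the HTTP Security Server keeps trying to resolve.
# Added example for this FAQ. Assumes $FWDIR/log/ahttpd.log keeps the
# "calling async resolve for <host>" wording shown in the excerpt.

# Usage: ahttpd_resolve_loops <logfile> <threshold>
# Prints "<host> <count>" for every host resolved at least <threshold> times.
ahttpd_resolve_loops() {
    awk -v thr="$2" '
        /calling async resolve for/ {
            host = $NF              # host name is the last field of the line
            sub(/[.]$/, "", host)   # tolerate a trailing full stop
            n[host]++
        }
        END {
            for (h in n)
                if (n[h] >= thr) printf "%s %d\n", h, n[h]
        }
    ' "$1" | sort
}

# Constructed sample log (not a real capture): one host looping, one host
# resolved once, plus unrelated lines of the kind the excerpt shows.
write_sample_ahttpd_log() {
cat > "$1" <<'EOF'
[764@fw.example.invalid] calling async resolve for www.unresolveable.com
[port 1023:Connection refused Thu Aug 5 23:42:57 1999] [pid=764]
[764@fw.example.invalid] calling async resolve for www.unresolveable.com
[764@fw.example.invalid] calling async resolve for www.example.com
[764@fw.example.invalid] calling async resolve for www.unresolveable.com
Failed to connect to server for side = 1 at [Thu Aug 5 23:42:57 1999] [pid=764]
[764@fw.example.invalid] calling async resolve for www.unresolveable.com
EOF
}

# Stand-alone use: sh thisfile run [logfile] [threshold]
if [ "${1:-}" = "run" ]; then
    ahttpd_resolve_loops "${2:-$FWDIR/log/ahttpd.log}" "${3:-10}"
fi
```

A host that shows up here is either genuinely unresolvable, in which case the rule naming it should be removed as the answer above says, or your firewall's DNS path is failing, which is the denial-of-service angle worth checking first.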

Debugging SMTP Security Server

    We use the following to debug the SMTP Security Server. At this point we do not have a good definition of what these variables do, except that they all increase the amount of debug output. The MDQ variables put the spool dequeuer process into debug mode. The SMTP_DEBUG environment variable is shown with three levels; choose one. FWT_DEBUG is associated with the fwd daemon. OPSEC_DEBUG_LEVEL

tla[admin]# setenv MDQ_DEBUG 1
tla[admin]# setenv FWMDQ_DEBUG 1
tla[admin]# setenv SMTP_DEBUG [1 2 3]
tla[admin]# setenv FWD_DEBUG cvp
tla[admin]# setenv FWT_DEBUG cvp
tla[admin]# setenv OPSEC_DEBUG_LEVEL [1 2 3]
tla[admin]# fw kill fwd;fwd `cat $FWDIR/conf/masters`

    To remove these environment variables, execute unsetenv env_variable.

Debugging SecuRemote/Encapsulation problem.

tla[admin]# fw ctl debug cookie
tla[admin]# fw ctl debug -buf 100
tla[admin]# fw ctl kdebug -f > filespec
tla[admin]# tail -f filespec
 

    We should see messages of the form "cookie data could not XXX". There will be messages that specifically complain about fragmentation.

    (SecuRemote may be placed into debug mode by creating the file, fwenc.log, at the root of your system drive. For example, this might be c:\fwenc.log)

 Debugging the in.pingd daemon
 
tla[admin]# setenv FWPING_DEBUG 1
 
The output of fw tab -t check_alive is also worth analyzing.
 
Q. How to debug IKE encryption problems
A. If the IKE tunnel cannot be established, first have a look in the FireWall-1 log viewer.
If the log viewer is not helpful, use the advanced IKE debugging option in FireWall-1:

Set the appropriate debug variable:

setenv FWISAKMP_DEBUG 1 (for FireWall-1 4.0)
setenv FWIKE_DEBUG 1 (for FireWall-1 4.1)

(On NT firewalls, use 'set FWIKE_DEBUG=1' instead of setenv.)

Restart the FireWall-1 daemons (run 'fwstop' and then 'fwstart').
All subsequent IKE negotiations will be dumped in the file ISAKMP.log in FireWall-1 4.0
or IKE.elg in FireWall-1 4.1 (both in $FWDIR/log).

An advanced IKE user can use this file to help detect IKE problems. This file should be sent whenever contacting Check Point Support regarding IKE issues.

Upgrade path version 4.0 to version 4.1
Author information.
Copyright © [Telecom and Logistics Associates Sàrl]. All rights reserved.
Revised: January 19, 2007.

Q. What's new in Checkpoint 2000 version 4.1

A. Overview of New Features

  • High Availability — Two or more VPN/FireWall Modules can be configured so that each one acts as a backup to the others. Additionally, the VPN/FireWall Modules can be synchronized so that connections will not be lost when a VPN/FireWall
  • Desktop Policy Verification — Policy Servers now maintain open connections with SecureClients and are immediately notified when a SecureClient is re-configured. Both Session Authentication and Client Encrypt rules can be applied only when a SecureClient is properly configured. 
  • SecuRemote
    • The Secure Domain Logon feature enables Windows NT SecuRemote users to securely log on to a domain controller using both LAN and dial-up connections. 
    • SecuRemote Clients can be configured to automatically update a site’s topology either when starting SecuRemote or just before the key exchange with that site. 
    • SecuRemote Clients can be configured to automatically check the availability of a newer version of SecuRemote Client software before connecting to a site. 
    • SecuRemote Clients can be pre-configured with a partial site topology to reduce exposure of sensitive network information. The first time the SecuRemote Client connects to a site, the user will be given the opportunity to download the complete topology over the authenticated connection. 
    • A smaller SecuRemote (Thin Client) Client installation file set (without the certificate functionality) is available ("Thin Client") 
  • Hybrid Mode — VPN-1/FireWall-1 Hybrid Mode authentication extends IKE, enabling it to use any authentication method supported by VPN-1/FireWall-1. 
  • Intel RNG — VPN-1/FireWall-1 and SecuRemote support the Intel RNG (pseudo random number generator) hardware for Windows NT 4.0, Windows 98, Windows 95 (OSR2 or later or Windows 95 with IE 3.02 or later). 
  • Remote Licensing Management — This feature enables the system administrator to manage VPN-1/FireWall-1 licenses on remote VPN/FireWall Modules from the Management Station. 
  • Malicious Activity Detection — VPN-1/FireWall-1’s Malicious Activity Detection (MAD) feature provides a mechanism for detecting intrusion attempts or other suspicious events and notifying the system administrator by an alert or email message. 

For complete information, see the CP2000 (4.1 with SP1) Release Notes.

Q. From which service pack can I upgrade a version 4.0 installation?

A. SP3. If you have an earlier release, upgrade first to SP3. Select the "save version 4.0" option.

Q. Control channel problem between the Management Module and the VPN/FireWall Module

A. In Check Point 2000, the control channel is encrypted even if there is no encryption license. For this reason, when upgrading a VPN/FireWall Module which has no encryption license from Version 3.0 or Version 4.0 to Check Point 2000, the control channel between the Management Module and the VPN/FireWall Module (created by the fw putkey command) will be lost. To re-establish the control channel, proceed as follows:

After upgrading the Management Module to Check Point 2000, edit the $FWDIR/lib/control.map file on the Management Module and add a line at the end as follows:

NON-ENCRYPTED: <list>

where list is a comma-separated list of the IP addresses of all the VPN/FireWall Modules still running the earlier VPN-1/FireWall-1 version without encryption licenses. For example:

NON-ENCRYPTED: 10.2.3.4,10.5.6.7
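Because an upgrade replaces control.map (see the next answer), this edit tends to be redone by hand more than once. The functions below are an added example, not Check Point code: they maintain the NON-ENCRYPTED line described above, validate each address before writing anything, keep a backup copy of the file, and read the list back so you can confirm what is in effect. They assume only the one-line format shown ("NON-ENCRYPTED: ip,ip,...").

```shell
#!/bin/sh
# Maintain the NON-ENCRYPTED line in $FWDIR/lib/control.map.
# Added example for this FAQ, not Check Point code. Assumes the line
# format "NON-ENCRYPTED: ip,ip,..." shown above and nothing else about
# the file; other lines are left untouched.

# Return 0 if $1 is a dotted-quad IPv4 address with each octet 0-255.
is_ipv4() {
    echo "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
    '
}

# Usage: controlmap_set_nonencrypted <control.map> <ip> [<ip> ...]
# Validates every address first, keeps "<file>.pre-nonencrypted" as a
# backup, then replaces an existing NON-ENCRYPTED line or appends one.
controlmap_set_nonencrypted() {
    file=$1; shift
    list=""
    for ip in "$@"; do
        is_ipv4 "$ip" || { echo "bad address: $ip" >&2; return 1; }
        list="${list:+$list,}$ip"
    done
    cp "$file" "$file.pre-nonencrypted" 2>/dev/null || true
    # drop any previous NON-ENCRYPTED line, then append the new one
    grep -v '^NON-ENCRYPTED:' "$file" > "$file.tmp" 2>/dev/null || true
    echo "NON-ENCRYPTED: $list" >> "$file.tmp"
    mv "$file.tmp" "$file"
}

# Usage: controlmap_nonencrypted_list <control.map>
# Prints the comma-separated list currently in the file (empty if none).
controlmap_nonencrypted_list() {
    sed -n 's/^NON-ENCRYPTED:[ ]*//p' "$1"
}

# Stand-alone use: sh thisfile run <control.map> <ip> [<ip> ...]
if [ "${1:-}" = "run" ]; then
    shift
    controlmap_set_nonencrypted "$@" && controlmap_nonencrypted_list "$1"
fi
```

Run it against a copy of control.map first; the backup file is there so the same list can be re-applied after the upgrade overwrites the original.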

 

Q. What should I be aware of when upgrading from version 4.0 to 2000

A. When upgrading from Version 4.0 to Check Point 2000, the Management Station checkbox in the Workstation Properties window will be checked only for the Management Station being upgraded. All other gateways defined on the Management Station will have the Management Station checkbox unchecked by default.

When you upgrade, the $FWDIR/lib/control.map file is replaced. If you have made any changes to control.map, they will not be preserved in the new control.map, so you must make the same changes in the new version.

 

Session Authentication Agent — Installing the Version Check Point 2000 Session Authentication Agent does not overwrite the Version 4.0 Session Authentication Agent. You must uninstall the Version 4.0 Session Authentication Agent (using the Control Panel’s Add/Remove Programs applet) and then install the Version Check Point 2000 Session Authentication Agent. Note that the Session Authentication Agent is shut down as part of the uninstallation process, so you must manually restart it (or reboot).

 

VPN-1/FireWall-1 HP Open View Extension supports Solaris and HP-UX with HP OV version 4.x. HP-UX with HP OV versions 5.x and 6.x is not supported.

 Synchronized VPN/FireWall Modules

  • Synchronized VPN/FireWall Modules must be managed by the same Management Module.
  • SecuRemote connections can be synchronized.

Enable Exportable SKIP: If Enable Exportable SKIP (in the Encryption tab of the Properties Setup window) is checked, then if an internal VPN/FireWall Module has Local selected in the Key Manager tab of its SKIP Properties window, you must generate an exportable DH key for it (in its SKIP Properties window). Selective SKIP configuration (that is, some SKIP communications use exportable DH keys and some use non-exportable DH keys) can only be managed in the Rule Base.

Control channel encryption key If you change a Management Server’s control channel encryption key (for example, by using the fw putkey command), then you must restart any ELA proxy that is running on that Management Server. See "Uninstalling VPN-1/FireWall-1" on page 6 for information on how to stop the ELA proxy.

In a High Availability configuration, each VPN/FireWall Module’s license should be issued to its hostid or other unique ("heartbeat" or "configuration IP" interface), since any of the other interfaces can fail.

Do not rename a network object group that is used in the definition of a Logical Server.

Unix platforms — when remote modules are configured using the cpconfig program, if you try to add a new remote module you will not be able to see the list of previously configured modules. However, these modules are still defined and there is no need to reconfigure them. If you do reconfigure them, you must run fw putkey command again for each module.

 

The default values of properties Setup: The default values of some of the properties in the Security Policy tab of the Properties Setup window have changed as follows:

Property                                              New default value
Apply Gateway Rules to Interface Direction            eitherbound
Accept VPN-1 & FireWall-1 Control Connections         enabled, first
Accept RIP                                            disabled
Accept Domain Name Over UDP (Queries)                 disabled
Accept Domain Name Over TCP (Zone Transfer)           disabled
Accept ICMP                                           disabled
Accept Outgoing Packets Originating from Gateway      enabled, before last
Log Implied Rules                                     disabled

The new default values apply only to new installations. When you upgrade from a previous version, the existing values will not be changed.

Note – You should verify that the values in the Security Policy tab are what you expect them to be.

 

backward compatibility feature:  If you are using the VPN-1/FireWall-1 Check Point 2000 backward compatibility feature to manage VPN-1/FireWall-1 Version 4.0 SP1 or SP2 FireWall Modules and you use Client Authentication rules, the following workaround must be applied:

a. Edit the file $FWDIR/lib/base.def (where FWDIR specifies the directory in which the VPN-1/FireWall-1 Version 4.0 software or VPN-1/FireWall-1 Check Point 2000 backward compatibility module is installed), replacing the lines:

#define pm_prog [(UDPDATA+40+rpc_cred_len+rpc_ver_len),b]
#define pm_prot [(UDPDATA+48+rpc_cred_len+rpc_ver_len),b]

by the lines:

#define pm_prog [68, b]
#define pm_prot [68+8, b]

b. Reinstall the Security Policy on the VPN/FireWall Module.

fw expdate command — This command changes the expiration date of the users in the VPN-1/FireWall-1 users database. Any open GUI Client should be closed before running the command, otherwise the GUI will override the changes made by the command. On NT only, if fw expdate is executed while the Management Server was running, the Management Server should be restarted in order for the command to take effect.

 

Q. Since we upgraded to version 4.1, my older SecuRemote Clients (version 4.0 or earlier) can no longer get or update site topology. Why?

A. Pre-Version 4.1 SecuRemote Clients download site information through the SecuRemote Server port 256. Starting with Version 4.1, site information is downloaded through port 264. If you are using pre-Version 4.1 SecuRemote Clients with a Version 4.1 or higher SecuRemote Server, you must specify a rule that enables the SecuRemote Server to download site information through TCP port 256.

Source   Destination   Service     Action   Track   Install on
Any      firewall      FW1 (256)   Accept           firewall
  • Source is set to Any because the SecuRemote Client’s IP address is not known in advance.
  • Destination must include all the SecuRemote Servers from which pre-Version 4.1 SecuRemote Clients will download site information.
  • Install On should be the same as Destination.
  • Even though the Action is Accept, the connection will be authenticated unless Respond to Unauthenticated Topology Requests (IKE and FWZ) is checked in the Desktop Security tab of the Properties Setup window.

 

Q. Can I upgrade SecuRemote client to version 2000(4.1) with a version 4.0 for the Secure Server?

A. If you are using Version 4.1 SecuRemote Client(s) with a pre-Version 4.1 SecuRemote Server, the SecuRemote Client will experience a delay of 30 seconds (in addition to normal network delays) while it attempts to download the SecuRemote Server's site information. This happens because the pre-Version 4.1 Server expects to download site information through port 256, while Version 4.1 Clients open a connection to SecuRemote Server port 264. The Version 4.1 Clients wait 30 seconds and then try to open a connection through SecuRemote Server port 256. There are two different methods to prevent the 30 second timeout:

A) Add a rule similar to the one shown below:

Source   Destination       Service    Action   Track   Install on
Any      firewall          FW1_topo   Reject           firewall
         firewall-remote

  • Destination should be the SecuRemote Servers.
  • Service should be FW1_topo (the VPN-1/FireWall-1 topology service) on port 264. If it is not defined, you will need to define it.
  • Action should be Reject, to cause the SecuRemote Client to immediately re-try by connecting to SecuRemote Server port 256 instead of waiting 30 seconds and then timing out.

B) Add the following line to the options section of the userc.C files of Version 4.1 SecuRemote Clients:

:gettopo_port (256)

This method is not recommended, because the change will be overwritten if you upgrade or reinstall SecuRemote.

Note – System administrators can ensure that all company personnel have the same site configuration for SecuRemote by copying a standard userc.c file to the installation diskette set. It is also possible to supply FWZ and IKE users with different userc.c files.

Q. Does running fwpolicy on version 4.1 require a separate license for X/Motif?

A. Yes. From version 4.1 you have to pay for a separate X/Motif license. You already needed a license with version 4.0, but it was free.

Q. Can I manage a version 4.1 firewall module from a version 4.0 management console.

A. This is not possible, but managing a version 4.0 module from a 4.1 console is possible.

Q. If I want to reduce my downtime, how can I proceed?

A. Use a spare system, as described in this article.

Q. In version 2000 (4.1), what happened to fwui.log?

A. fwui.log is now called cpmgmt.aud

Q. VPN between version 4.0 and version 4.1

A. VPN between 4.0 and 4.1 on any supported platform is subject to the restrictions detailed in the release notes for each version of FireWall-1.

  • 4.0 SP5 cannot use the CBC-DES MAC keyed hash function with any version of 4.0 prior to SP5, nor can it use it with 4.1. One would have to use either MD5 or SHA-1. This is limited to SKIP or Manual IPSec.
  • For IKE, 4.0 SP3 (Nokia) can establish a VPN with 4.1. 
  • General platforms SP2 can establish a VPN with 4.1

Q. To configure a version 4.0 firewall under Solaris I used the command fwconfig. What should I use now?

A. Under CP2000 use the command cpconfig instead.

 

Q. How to manage version 4.0 modules from a version 4.1 installation

A. A 4.1 management console will administer both a 4.1 and a 4.0 firewall; the catch is that you need to have both a 4.1 and a 4.0 license.

When you install 4.1 it prompts whether you want to install the 4.0 backward compatibility feature. 

This will install the 4.0 tree structure on the drive (if Solaris it'll install the 4.1 /opt/CPfw1-41 and the 4.0 /opt/CKPfw trees). Then you need to install both licenses. For the 4.1 license do the usual 'fw putlic' with the $FWDIR pointing to the 4.1 tree. 

Then for 4.0 change $FWDIR to the 4.0 tree, then do the '$FWDIR/bin/fw putlic' to install the 4.0 license. 

Then change $FWDIR back again to the 4.1 tree and do your 'fw putkeys' for all your firewall modules. You can now manage both 4.0 and 4.1. 

This information is in the release notes, but you have to really read it carefully and follow the steps exactly. CheckPoint seemed to have gone out of their way to make this one difficult.

If your installation is on Solaris, be aware that the version 4.0 backward compatibility requires a separate package to be installed:

CKPfw the VPN-1/FireWall-1 4.0 backward compatibility component

To help you a bit further here  are the different packages you will find on your CD.

 

Package information from release notes

			 Check Point 2000 Enterprise Suite		January 2000

		         Products in this CDROM
			 ----------------------

The suite includes 2 CDs: one CD for NT, Solaris and Linux, and the second CD
for AIX, HP and Solaris for x86.


The Check Point Enterprise CD includes the following products:
1. VPN-1 / FireWall-1 4.1
2. FloodGate-1 4.1
3. MetaIP 4.1
4. Reporting Module 4.1
5. VPN-1 SecuRemote / SecureClient 4.1
6. Session Authentication Agent
7. VPN-1 Hardware Accelerator (as an add-on)
8. Check Point Management Clients 4.1
9. Account Management Client 1.1
10. CVP Manager
11. OPSEC SDK
12. Real Secure 4.1
13. Check Point Utility Package 4.1

			 How to use the CDROM
			 ---------------------
On Solaris, HPUX and AIX:
	Insert the CDROM.
	Activate "installU".
	This program will guide you through the
	installation process.

On Intel based Windows NT:
	Insert the CDROM.
	The CDROM starts the Check Point integrated VPN
	installation program automatically. If for some reason it does not
	start automatically, run demo32.exe, which is located under \wrappers\windows

On Linux - for FW-1 installation
	   Insert the CDROM
	   Follow the Linux release notes.

	   For Meta IP installation
	   Follow the Meta IP release notes under Docs.

   
			Installation without a CD reader
			--------------------------------
1. ftp or copy to the target system from the CDROM the package you wish to install.
2. Install the package as documented in the "Getting Started" guides.
   (example: using pkgadd or by double clicking on setup.exe).
3. If you need to install FloodGate-1 this way, make sure FireWall-1 is already installed.

				
			 Contents
			 --------


Readme.txt		- This file (Unix format)
ReadmeNT.txt		- This file (Windows format)

aix	
	Add-Ons         4.0 FW-1 package
        CKPfw 		the VPN-1/FireWall-1 4.0 backward compatibility component
	CPfw1-41	VPN-1/FireWall-1 including X/Motif GUI
	CPsmc-41        MetaIP SMC
        CPAcountMgmtClnt-11   Account Management Client 1.1
        patches         VPN-1/FireWall-1 4.1 SP1, VPN-1/FireWall-1 4.0 SP5,Check Point management client 4.1 SP1
  
Docs			One folder/directory with documentation for
			VPN-1/FireWall-1, FloodGate-1, MetaIP, OPSEC
			and Reporting Module
			Also includes Acrobat .PDF Files Readers


hpux
	Add-Ons		load agent, HP Open View AddOn
	CKPfw 		the VPN-1/FireWall-1 4.0 backward compatibility component
				(includes also a tar format of the packages which
				should be used when a CDROM driver is limited
				in the depth of directories it can read.)
	CPfw1-41	VPN-1/FireWall-1 including X/Motif GUI
				(includes also a tar format of the packages.
				the tar file should be used when a CDROM driver is limited
				in the depth of directories in can read.)
	CPsmc-41	MetaIP SMC
	CPdhcp-41	MetaIP dhcp server
	CPdns-41        MetaIP dns
        CPAcountMgmtClnt-11   Account Management Client 1.1


linux
	CPfw1-41	VPN-1/FireWall-1
        CPsmc-41	MetaIP SMC
	CPdhcp-41       MetaIP dhcp server
	CPdns-41	MetaIP dns


netware	
	CPuat-41        MetaIP uat

						
solaris2
	Add-Ons		load agent, fwuam, HP Open View AddOn, 4.0 FW-1 package,VPN hardware accelerator
	CKPfw 		the VPN-1/FireWall-1 4.0 backward compatibility component
	CPAcountMgmtClnt-11   Account Management Client 1.1
	CPfw1-41	VPN-1/FireWall-1
	CPgui-41	X/Motif management client
	CPtc-41	        FloodGate-1
	CPsmc-41        MetaIP SMC
	CPcvpm-41       cvpm 4.1
        CPdhcp-41       MetaIP dhcp server
        CPdns-41        MetaIP dns
        CPdtm-41        a combined package of NetSO, Policy server and Malicious ....
        CPopsec-41      opsec 4.1
        patches         VPN-1/FireWall-1 4.1 SP1, VPN-1/FireWall-1 4.0 SP5,Check Point management client 4.1 SP1,FloodGate-1 4.1 SP1
        
solaris2-i86
	Add-Ons		load agent, 4.0 FW-1 package
        CKPfw 		VPN-1/FireWall-1 the 4.0 backward compatibility component
	CPfw1-41	VPN-1/FireWall-1
        patches         VPN-1/FireWall-1 4.1 SP1, VPN-1/FireWall-1 4.0 SP5

windows	
	Add-Ons		4.0 FW-1 package,VPN hardware accelerator, MetaIP mibs, load Balancer and FindDHCP,OsmUpgrade.exe - for OSM users upgrading to OSE
	CPFireWall1-41	VPN-1/FireWall-1 (includes the 4.0 backward compatibility component)
	CPMetaIP-41	MetaIP for Intel
	CPMgmtClnt-41	Check Point management client
	CPReporingClnt-41	Reporting Client
	CPReporting-41	Reporting Module
	CPSecuRemote-41	VPN-1 SecuRemote and SecureClient for Win95, Win98 and WinNT
	CPtrafficCtl-41	FloodGate-1
	CPSessionAgt-41	Session Authentication Agent
	CPAcountMgmtClnt-11   Account Management Client 1.1
        CPcvpm-41       CVP Manager
        CPdtm-41        a combined package of NetSO, Policy server and Malicious ....
        CPopsec-41      opsec 4.1
        CPRealSecure-41 Real Secure 4.1
        CPUtil-41       Check Point Utility Package 4.1
        CPVisualPE-41   visual policy editor 4.1

      

 

Solaris

 

 

Q. How to change the Ethernet MAC address

A. Use the command ifconfig hme0 ether 8:0:20:bb:ss:89

This is useful when you want to replace one interface with another, or have to replace a firewall with another one.

Q. How to deactivate an interface

A. Use the command ifconfig hme0 unplumb

With this, the interface hme0 will no longer appear when you start your Sun server.

Q. How to activate an interface once it was deactivated

A. Use the Solaris command ifconfig hme0 plumb

Interface hme0 is then active again, but will not have any IP address assigned. To assign the IP address, use ifconfig as well, for example:

ifconfig hme0 <ip-address> netmask <netmask> up

 

Q. Where does Solaris assign the IP addresses at boot time?

A. The file /etc/rc2.d/S30sysid.net will take care of the IP address attribution process.

 

 

Solaris 2.9

 

Q. How to armor Solaris 9

A. Use JASS from Sun. It also works for Solaris 2.8.

 

 

 

 

 

Solaris 2.6

 

 

Q. Can Firewall-1 run under Solaris 2.6 ?

A. Yes.

Q. The X/Motif Log Viewer cannot run on Solaris 2.6.

A. Place the library libXm.so.3, which is located on Solaris 2.5 (its full path depends on the computer), in $FWGUIDIR/clients/lib.

 

Q. How to SYNC on Solaris 2.6/cluster patches and FW1-v3.0b 3064 patch

A. I want to pass on some info about SYNC on Solaris 2.6/cluster patches
and FW1-v3.0b 3064 patch. This is undocumented but a must!

This seems to be crucial on systems where the control module and pfm
are not on the same system...

Our config has three systems. Non-vpn and no NAT just packet
filtering...

control
pfm
pfm

Creating /etc/fw/sync.conf and putkey on the pfm modules is not enough!

Modify the file below table.def and comment out the "#define sync"
command.
Then recompile and download your rule sets to the pfm modules...

This seems to be crucial on systems where the control module and pfm
are not on the same system...so if you have two systems

control/pfm
pfm

you will need to do this table.def mod...

$ more /etc/fw/lib/table.def
#ifndef __table_def__
#define __table_def__

//
// (c) Copyright 1993-1997 Check Point Software Technologies Ltd.
// All rights reserved.
//
// This is proprietary information of Check Point Software Technologies
// Ltd., which is provided for informational purposes only and for use
// solely in conjunction with the authorized use of Check Point Software
// Technologies Ltd. products. The viewing and use of this information is
// subject, to the extent appropriate, to the terms and conditions of the
// license agreement that authorizes the use of the relevant product.
//
//
// $Header: /fw/cvs/fw-1/fwlib/table.def,v 1.42.2.20 1998/01/01 08:09:47 ofer Exp $
//

// The following #define should be removed to enable FW-1 synchronization
//#define sync
...

Q. How to change the hostid of a system under Solaris

A. This gives you a pretty good overview of how the SUN hostid
stuff works, it also covers changing it:

http://www.squirrel.com/squirrel/sun-stuff.html
http://www.squirrel.com/squirrel/sun-nvram-hostid.faq.html

Solaris 2.7

Q. How to install FW-1 to run on Solaris 2.7 in 32-bit mode?

A. Install Solaris 7 with 64-bit support activated and then boot the 32-bit kernel.

To disable 64-bit mode without reinstalling, run:

eeprom "boot-file=kernel/unix"
init 6

Q. How to find out in which mode my system is running, and what are the steps to have FireWall-1 installed in 32-bit mode?

Solution:

Run isainfo -b or isalist; it displays whether your OS is running in 64-bit or 32-bit mode. If it is in 64-bit mode, continue with the procedure.

      /usr/sbin/eeprom | grep boot-file

If it displays boot-file=/platform/sun4u/kernel/sparcv9/unix, you are running the 64-bit OS. To change the eeprom boot-file variable for 32-bit mode:

      /usr/sbin/eeprom boot-file=/platform/sun4u/kernel/unix
      /usr/sbin/eeprom | grep boot-file

Check whether the value of boot-file has changed; it should now read boot-file=/platform/sun4u/kernel/unix.

 kernel/unix                 -- 32 bit
 kernel/sparcv9/unix         -- 64 bit

Now that you have changed the eeprom value, reboot the system; the boot messages will show that it is booting with the 32-bit architecture.

Make the above changes, then continue with the firewall installation.

 

Q. Under Solaris, fwd crashes from time to time since we moved to version 2000. Why?

A. fwd can sometimes crash when running UAM. The solution is to replace fwuam.so with the new version on the CD, as follows:

a. Stop VPN-1/FireWall-1 (fwstop).

b. Replace /usr/lib/fwuam.so with /solaris2/Add-Ons/fwuam/fwuam.so (on the CD).

c. Restart VPN-1/FireWall-1 (fwstart).

(
  :cache_params (
    :timeout (15)
  )
)

 

 

 

Secure Platform

 

 

 

 

Q. What is SecurePlatform?

A. Check Point's SecurePlatform Media Pack is a bootable CD-ROM containing a hardened, customized operating system and Check Point's VPN-1/FireWall-1 software. It dramatically accelerates the process of securely provisioning open security solutions. When combined with basic Intel architecture hardware, SecurePlatform provides an inexpensive, easy to deploy solution for remote and small office environments.

 

Q. On which OS does SecurePlatform rely?

A. SecurePlatform is based on the Red Hat 2.4 kernel.

 

Q. What kind of NICs are supported by SecurePlatform?

A. SecurePlatform is based on the Red Hat 2.4 kernel.

Check the Redhat HCL site for a list of supported adapters.

Some comments found on the mailing list: " Intel cards work well (gigabit copper or otherwise), it does not support broadcom though, found that out the hard way.  Also, don't use the cheesy intels, we've had problems with them where you have to down and up the interface numerous times to get it accepting packets."

Q. Does SecurePlatform include a cron

A. No, but you can access the underlying OS by going into "expert" mode, and from there you can use rpm to install a cron daemon.

Q. How to manage SecurePlatform?

A. For this you can use SSH

 

Q. How to upgrade SecurePlatform?

A. Upgrading SecurePlatform: overview

There are two ways to upgrade your SecurePlatform computer:

1 Upgrade from the CD using the patch add cd command

2 Upgrade using SmartUpdate.

Upgrade using the NG FP3 CD

The patch add command only updates the OS, not the firewall products.

The easiest way to do this if you have the CD is to mount it, change to the linux/rpms directory and then do an rpm -i <package name> for each one you have installed.

Start with CPshared (the SVN Foundation), then do CPfw..., then the others you have installed. I was caught by this too.

All the CPspupgrade_FP3.tgz does is upgrade SecurePlatform to FP3 (the Linux OS only); none of the modules are upgraded during this process. You have to run the install for each of the modules that you have installed, i.e., SVN Foundation (must be first), VPN-1/FW-1, Performance Pack, Policy Server, etc.

Go to the appropriate directory on the CD under the linux dir, then run rpm -i <filename>.rpm

The order I used was:

  • CPshared-50: SVN Foundation (Do this first!)
  • CPFirewall1-50: VPN-1/FW-1
  • CPPerPack-50: Performance Pack
  • CPPolicySrv-50: Policy Server

Also, when running the rpm command, do not use -U for 'upgrade'; it must actually be installed using '-i'. It will sit there for a while as if it were doing nothing, but be patient; it will come back with the status of the upgrade.
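The order above matters and is easy to get wrong when typing four rpm commands by hand. The script below is an added example, not Check Point's upgrade procedure: it walks the packages in the stated order, installs with rpm -i (not an upgrade flag), skips packages that are not installed on the box, and stops at the first failure so that a broken CPshared never gets a VPN-1/FW-1 package installed on top of it. It assumes the linux/rpms directory layout named above, that each RPM file name starts with the package name listed, that the rpm database knows the package under the name before the "-50" suffix, and that RPM_CMD (default rpm) is the package tool.

```shell
#!/bin/sh
# Install the FP3 package RPMs in the order this FAQ says is required
# (SVN Foundation first), with rpm -i, stopping at the first failure.
# Added example, not Check Point's procedure. Assumptions: RPM files are
# named <package>*.rpm in the given directory, "rpm -q <name>" answers for
# the name without the "-50" suffix, and RPM_CMD names the package tool.

RPM_CMD="${RPM_CMD:-rpm}"

# Required order; a package that is not installed on this box is skipped.
SPLAT_FP3_ORDER="CPshared-50 CPFirewall1-50 CPPerPack-50 CPPolicySrv-50"

# is_installed <name>: true if the rpm database has the package
is_installed() {
    "$RPM_CMD" -q "$1" >/dev/null 2>&1
}

# Usage: splat_fp3_upgrade <rpm directory>
# Prints what it does; returns non-zero on the first missing or failed package.
splat_fp3_upgrade() {
    dir=$1
    for pkg in $SPLAT_FP3_ORDER; do
        name=${pkg%-*}        # CPshared-50 -> CPshared (assumed rpm name)
        if ! is_installed "$name"; then
            echo "skip $pkg (not installed here)"
            continue
        fi
        rpmfile=$(ls "$dir"/"$pkg"*.rpm 2>/dev/null | head -n 1)
        if [ -z "$rpmfile" ]; then
            echo "missing $pkg in $dir" >&2
            return 1
        fi
        echo "installing $rpmfile"
        # -i, not an upgrade flag: the FAQ notes the FP3 packages must be
        # installed with -i; stop here if it fails so later ones are not
        # layered on a broken foundation
        "$RPM_CMD" -i "$rpmfile" || { echo "failed: $pkg" >&2; return 1; }
    done
}

# Stand-alone use (in expert mode, CD mounted): sh thisfile run /mnt/cdrom/linux/rpms
if [ "${1:-}" = "run" ]; then
    splat_fp3_upgrade "${2:-/mnt/cdrom/linux/rpms}"
fi
```

Run it with the CD mounted from expert mode; a "missing" message means the package name on your CD differs from the assumed prefix, which is worth checking with ls before retrying.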

Checkpoint's Procedure for upgrading

1 Insert the SecurePlatform NG FP3 CD into the CD-ROM drive.

2 Enter expert mode: # expert

3 Run patch add cd

4 Choose the package you want to install from the menu.

When upgrading from SecurePlatform FP2, the patch command line should be updated first. To do so, apply the following steps:

* Mount the CD using the following command: # mount /mnt/cdrom

* Update the patch program by installing the CPpatch_command.tgz package from the CD:

# patch add /mnt/cdrom/SecurePlatform/patch/CPpatch_command.tgz

 

 

Upgrade using SmartUpdate

Two steps are needed to upgrade SecurePlatform using SmartUpdate:

Adding the SecurePlatform package to the SmartUpdate repository

1. From the main menu choose Products > New Product > Add From CD.

2. Choose the CD and press OK.

3. In the Add Product From CD dialog choose SecurePlatform_AMD or SecurePlatform_Intel. These are the packages for AMD and Intel processors.

4. Press OK to add the package you chose to the repository.

Upgrading SecurePlatform

1. Choose the machine you want to upgrade.

2. Right-click and choose Install Product.

3. Choose the package you want to install (SecurePlatform_AMD or SecurePlatform_Intel) and press OK.

 

Q. SecurePlatform and RAID controllers: how do you install third-party drivers for the Perc4 so that SecurePlatform will see the volume?

A. This works with NG R55 but not with R54, which does not know the Perc4 RAID controller.

1. You cannot add ANY drivers to an existing installation of SPLAT, at least during the boot process.

2. Tech support has recompiled the R54 version to include the MEGARAID driver support that PERC uses. The link is here:

ftp://ftp.ts.checkpoint.com/download/1750/singlecd_B540000158.iso

 

 

Nokia IPSO
Author information.
Copyright © [Telecom and Logistics Associates Sàrl]. All rights reserved.
Revised: January 19, 2007.

 

 

Q. All Nokia documentation uses the acronym NAP; remind me what it means.

A. NAP: Network Application Platform.

Q. What type of NIC cards does an IP440 support?

A. The IP440 uses Znyx 346Q quad Ethernet NICs.

You can contact Znyx at:

ZNYX Networks, Inc.
48421 Milmont Drive
Fremont, California 94538
Phone (510) 249-0800
Toll Free Phone (800) 724-0911
Fax (510) 656-2460

Email: info@znyx.com
Contact Support: support@znyx.com
Contact Sales: sales@znyx.com

I have purchased NICs directly from Znyx and used them in our enterprise gateways that handle large amounts of Internet traffic. They have worked without problems.

 

Q. We cannot find any documentation for the Nokia 210 and 220 series.

A. The documentation is the same as for the IP300 series.

Q. What are the dimensions of a Nokia box of the IP200 or IP330 series?

A. See below.

IP200
height 2"
width 19"
depth 15"

Q. What speed do the Ethernet ports support?

A. The ports work in dual mode, either 10 Mbit/s or 100 Mbit/s.

Q. For an international installation, do I have to worry about the power supply?

A. The power supply of the NAP automatically senses the input voltage:

115 VAC (in fact 90 to 132 VAC)

220 VAC (in fact 180 to 264 VAC)

Q. A Nokia IP330 hangs during boot at "Verifying DMI Pool"

A. Make sure the console settings are 9600 baud, 8-N-1, flow control = NONE (not xon/xoff). Also go into Device Manager and make sure the COM port is set to flow control = NONE.

Windows defaults to xon/xoff for COM port settings.

Also have the technician remove the console cable, boot the Nokia appliance, and then attach the console cable.

Try also changing the console cable.

Q. The Voyager port for this firewall is port 80. How do you change it to something else, say 8888?

A. From the command line type "voyager XXXX", where XXXX is the port number.

Q. I now have the problem of recovering a VPN210 (without floppy) after IPSO was erased.

A. If you have a VPN210 system, then you have an IP330 platform.

If there is no IPSO operating system, you may well be left at the boot manager prompt. However, this is not conclusive: it is possible that the autoboot setting has been turned off. Do you see the following prompt?

BOOTMGR[0]>

This can happen if you upgraded the boot manager in anticipation of upgrading the OS and did not follow the instructions in the release notes.

Enter the following command at the boot manager prompt:

BOOTMGR[0]> set-defaults <CR>

To be sure, execute the following to display the current settings:

BOOTMGR[1]> printenv <CR>

If you see that the value of autoboot is set to no, then enter the following command:

BOOTMGR[2]> setenv autoboot yes <CR>

Then enter "boot" at the prompt to continue booting from the disk.

If you truly do have a corrupted disk, then you will need to reinstall IPSO from an FTP server. In this case, enter "install" at the boot manager prompt and follow the prompts.

 

Q. What is the upgrade path from Check Point version 4.0 to version 4.1 on a Nokia system?

A. You must upgrade your system to FireWall-1 version 4.0 SP4.

Just remember the following recommendations from Nokia:

Back up your unit. Backup instructions can be obtained at http://www.iprg.nokia.com/support; refer to resolution 718 in the Knowledge Base.

Turn off the firewall function.

Use the newpkg command; it will install or upgrade your firewall package from CD-ROM, an FTP site, or the local file system.

Q. What about version 4.0 backward compatibility?

A. The backward compatibility package is installed by default in IPSO. It is located in $FWDIR/fw40. There is no need to separately install a backward compatibility package.

Q. Does a Nokia box support working on its serial interface as an unnumbered interface?

A. No, as of 10.10.2000. This unnumbered mode of operation is often found on routers such as Cisco but is not possible with Nokia systems; you need a numbered interface.

Q. How do I back up a Nokia box?

A. See resolution 718, which is reproduced below. Note that IPSO 3.2 features an integrated backup utility!

Detailed Resolution View

Resolution 718
How do I back up files from my Nokia Security Platform?
Check Point FireWall-1,   Other
for version: 3.x
last update: 10/13/1999 06:01:59
This resolution offers the steps necessary to back up the configuration files from a Nokia Security Platform, which will enable one to completely rebuild the firewall from scratch. An experienced administrator can accomplish this task in less than 30 minutes.

NOTE: IPSO 3.2 features an integrated backup utility! The following procedures are relevant for IPSO versions 3.1.5 and earlier. With IPSO 3.2, the entire contents of the $FWDIR/conf, $FWDIR/lib, $FWDIR/state, and $FWDIR/etc directories are backed up automatically.

In addition to identifying the files to back up, this resolution also suggests a method of automatically archiving these configuration files as well as a method of transferring the files using a floppy diskette.
SOLUTION
Backing up your IPSO configuration:

IPSO main files

The main IPSO database file is in /config; the active link points to the current file, but you may also want to back up the other files in /config/db.

In addition, check whether you have a /var/etc/rc.local file.

Backing up FireWall-1 configuration files

The following is a list of files on an IP400 series integrated firewall-router that should be backed up.

('*' denotes files to be backed up on a Nokia Security Platform licensed only as a FireWall or Inspection Module router)

* $FWDIR/conf/fw.license (FireWall-1 license file)

(This should only occur if the IP400 is replacing another platform and will use its IP addresses. Otherwise, you will have to obtain new FireWall-1 licenses.)

$FWDIR/conf/objects.C (objects and properties)

// NOTE: remove the current objects.* on the target system before you restore. If you have an objects.C and an objects.C.bak with a later modification time, FW-1 will replace your objects.C with the .bak file.

$FWDIR/conf/*.W (security policy)
$FWDIR/conf/rulebases.fws (combined rule bases for GUI clients)
$FWDIR/conf/fwauth.NDB (user database)
$FWDIR/conf/fwmusers (administrators)
$FWDIR/conf/gui-clients (allowed GUI administrative hosts)
* $FWDIR/conf/smtp.conf (SMTP Security Server configuration file)
* $FWDIR/conf/fwauthd.conf (Security Server configuration file)
* $FWDIR/conf/product.conf (FireWall-1 product description file)
* $FWDIR/conf/fwauth.keys (control authentication key file)
* $FWDIR/conf/masters (masters)

You should also copy over any ./lib file you may have modified, if and only if you are copying from the same version of FireWall-1. Check Point support engineers have cautioned against copying files from 3.0a to 3.0b platforms.

You should also back up /var/etc/rc.local, if you created one. This is where you could place ARP commands (IPSO 3.0.4 or earlier) to support address translation, IPSO kernel control commands, or automated backup scripts, for example.

Since you might use cron to automatically schedule this backup, consider adding /var/cron/tabs/root to the backup list.

The current Management Module host has the configuration files for your site. If this Management Module host is FireWall-1 version 3.x or earlier, then you will have to first upgrade that software version to 4.x before you can transfer the files over to a current 4.x firewall.


Method of backing up the files

It may be possible to use a floppy diskette to back up the files. If the files are too large, then FTP can be used to transfer the files across the network.

One idea is to create a file that lists the files to back up. Included in the example below is the path to the IPSO configuration files (the first entry). Also note that this list backs up your backup scripts. Don't forget them!

# cat /var/admin/ipsobackuplist

/config/db/*
/var/admin/ipsobackup
/var/admin/ipsobackuplist
/var/cron/tabs/root
/var/etc/rc.local
$FWDIR/conf/fw.license
$FWDIR/conf/objects.C
$FWDIR/conf/*.W
$FWDIR/conf/rulebases.fws
$FWDIR/conf/fwauth.keys
$FWDIR/conf/fwauthd.conf
$FWDIR/conf/masters
$FWDIR/conf/serverkeys.db
$FWDIR/conf/sync.conf
$FWDIR/conf/fwopsec.conf
$FWDIR/conf/omi.conf
$FWDIR/conf/slapd.conf
$FWDIR/conf/fwauth.NDB
$FWDIR/conf/fwmusers
$FWDIR/conf/gui-clients
$FWDIR/conf/smtp.conf
$FWDIR/conf/product.conf
$FWDIR/database/*
$FWDIR/state/*
$FWDIR/log/*

Create a file in the admin's home directory called ipsobackuplist to contain the file paths listed above.

Create an executable script in the admin's home directory called ipsobackup that executes the following commands:

#! /bin/csh
# The following line will define $FWDIR
source /var/etc/rcm_cshrc
cd /
# Archive every path in the list ($FWDIR and globs are expanded by eval)
# into a dated, gzipped tar file named after this host
eval tar cf - `cat /var/admin/ipsobackuplist` | gzip -c > /var/admin/`uname -n`.`date +%m%d%y-%H%M`.bkup.tgz

(WARNING: the tar command above must be on one line)
(NOTE: if you wish to retain the leading '/' character, use `tar cPf`)
(See `tar --help` for more command line options)

(This command creates hostname.101399-0600.bkup.tgz if the ipsobackup script was executed at 6:00am on Oct 13, 1999.)

Execute chmod 755 ipsobackup to make this script executable.
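The csh script above depends on eval to expand $FWDIR and the globs in the list file, and it aborts the whole archive when an optional entry such as /var/etc/rc.local does not exist. The following is an added example, not part of Resolution 718 or of IPSO: the same backup written in POSIX sh, with the list expansion separated out so missing entries are skipped and the archive name follows the same hostname.MMDDYY-HHMM.bkup.tgz convention. It assumes FWDIR is already set in the environment (for instance by sourcing /var/etc/rcm_profile); the csh original gets it from rcm_cshrc.

```shell
#!/bin/sh
# Added example, not part of Resolution 718 or of IPSO: a POSIX sh version
# of the ipsobackup csh script above. It reads a backup list file (one path
# or glob per line, $FWDIR allowed as a prefix), expands it, and writes
# <hostname>.<MMDDYY-HHMM>.bkup.tgz into an output directory. The csh script
# gets FWDIR from /var/etc/rcm_cshrc; here FWDIR is assumed to be set in the
# environment (e.g. by sourcing /var/etc/rcm_profile first).

# expand_list LISTFILE: prints each list entry with $FWDIR substituted and
# shell globs expanded. Entries that match nothing (e.g. an rc.local you
# never created) are dropped so tar does not abort on them.
expand_list() {
    prefix='$FWDIR'
    while IFS= read -r entry || [ -n "$entry" ]; do
        case "$entry" in ''|'#'*) continue ;; esac
        case "$entry" in
            "$prefix"*) entry="${FWDIR:-/var/fw}${entry#"$prefix"}" ;;
        esac
        for path in $entry; do            # unquoted on purpose: glob expansion
            if [ -e "$path" ]; then printf '%s\n' "$path"; fi
        done
    done < "$1"
}

# make_backup LISTFILE OUTDIR: archives the expanded list relative to /, as
# the csh script does, so "cd / && tar xzf" restores it in place.
# Prints the archive path on success.
make_backup() {
    listfile=$1; outdir=$2
    archive="$outdir/$(uname -n).$(date +%m%d%y-%H%M).bkup.tgz"
    # strip the leading '/' like plain "tar cf" (use tar cPf to keep it)
    files=$(expand_list "$listfile" | sed 's|^/||')
    if [ -z "$files" ]; then echo "nothing to back up" >&2; return 1; fi
    ( cd / && tar cf - $files ) | gzip -c > "$archive" || return 1
    printf '%s\n' "$archive"
}
```

A cron entry like the one further down can call make_backup /var/admin/ipsobackuplist /var/admin in place of the csh script; the list file format is unchanged.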

Backing up the files to a floppy diskette:

cd /
tar cvf /dev/fd0 `cat $HOME/ipsobackuplist`

You might want to use a DOS-formatted floppy diskette. Such a diskette is mountable across OS platforms:

mkdir /var/floppy
/sbin/mount_msdos /dev/fd0 /var/floppy
cd /var/admin
./ipsobackup
cp *bkup.tgz /var/floppy

or copy the listed files themselves:

cp `cat ipsobackuplist` /var/floppy

umount /var/floppy


Using cron to automatically archive these files onto the IPSO filesystem

Use crontab -e to modify the existing cron file. Add the following line to this file:

#minute hour mday month wday command
#
0 6 * * 0 /var/admin/ipsobackup

This will create a backup file on Sunday morning at 6am.


*****Issues and known problems*****

1. For an NT machine moving to IPSO, do not copy the fwauthd.conf file. It is not compatible with the IP400 (see resolution #858 for further information).

2. When transferring by FTP from Windows NT to an IP400, all *.NDB files must be transferred in binary mode and everything else in ASCII mode.

3. It is also important to replace the entire contents of the conf directory. For example, do not keep any original files in the conf directory; replace all files with the backed-up files listed above.

 

 

 

Q. Backup is included in IPSO 3.2.1; what should I configure?

A. The Voyager help contains all the information you need. Here is an extract from that help.

Backup and Restore Configuration

Using this page, you can back up and restore configuration files.

The first step is to create a backup file. This backup file will contain all the configuration of the base system and, optionally, home directory files, log messages, and any package configuration. Backup files are always created in /var/backup.

The backup file can then be downloaded via your web browser and saved on the local disk of your management station.

If there is a problem later, you can restore from a backup file. To do this, the system must be running the exact same version of the base operating system and any packages as when the backup file was created. The backup file must then be placed in /var/backup. FTP is the suggested method if the backup file has been stored on a remote system. The backup file should then be selected for restore. Once the restore is complete, the system must be rebooted.


Create backup file:
  Backup file name:
  Backup home directories: Yes / No
  Backup log files: Yes / No
  Backup configuration for packages:
    Check Point FireWall-1 (Strong) v4.0 SP-5 (Fri Feb 4 00:03:48 PST 2000): Yes / No
    Check Point FireWall-1 (Strong) v4.1 SP-1 (Thu May 4 17:39:13 PDT 2000 bld 11.1): Yes / No
    RealSecure network intrusion detection system Version 4.5: Yes / No
    Websense 3.2 (12/02/99 Build): Yes / No

Backup file name: Specifies the name of the file which will be made in /var/backup. If no file name is entered, a backup will not be created.

Backup home directories: Specifies whether the home directories (/var/admin and /var/monitor) should be backed up. Selecting this option may make your backups take longer if there are large files in the home directories. This only applies if a backup file name has been specified.

Backup log files: Specifies whether the log files (all files in /var/log) should be backed up. Selecting this option may make your backups take longer if your log files are large. This only applies if a backup file name has been specified.

Restore from backup file in /var/backup:
There are currently no backup files from which to restore.

Restore from file: Specifies the name of the backup file in /var/backup from which a restore will be done. This backup file must have been created using the same version of the base operating system and any packages. After a restore, the system must be rebooted for all the changes to take effect. Be aware that the restore process overwrites files.

Retrieve backup file using browser:
There are currently no backup files to download.

Retrieve backup file using browser: Clicking on one of the listed files from /var/backup will cause that file to be downloaded via your web browser. You will then be able to save it on the machine running the web browser.

 

Q. Can you provide me with a disaster recovery procedure?

A. The best disaster recovery procedure is to maintain an up-to-date backup, which can easily be used to restore an IPSO-based firewall in minutes. System backup was added to IPSO with the release of IPSO 3.2 to make this far easier.

If you do not have a backup, the IPSO configuration may be restored if /config/active is not damaged. This file holds all of the IPSO configuration information. The critical Check Point FireWall-1 files to back up are:

$FWDIR/conf/objects.C (network objects)
$FWDIR/conf/*.W (security policies)
$FWDIR/conf/fwauth.NDB (user authentication database and encryption keys)

If the firewall is managed remotely, then there is no part of the FireWall-1 configuration that cannot be re-created easily enough.

$FWDIR/conf/rulebases.fws may be regenerated by running fwm -g on the policy files:

# fwm -g *.W

$FWDIR/conf/fw.license may be re-created by re-entering the FireWall-1 license.

$FWDIR/conf/product.conf may be re-created by running "fwinstall" (FW-1 3.0), "fwconfig -install" (FW-1 4.0), or "cpconfig -install" (FW-1 4.1).

 

 

Q. How do I change the admin password when it is lost or unknown?
IPSO (Operating system),   System Configuration
for version: 3.0 and later
last update: 03/27/2000 11:03:23
This resolution describes how to delete the admin password.

If you are running IPSO version 3.1.3 or earlier on an IP650 or on an IP330, please contact support and ask about Internal Resolution 1961 - How to remove config and password if /etc/overpw fails.
SOLUTION
You must have local serial console access to the unit to perform this procedure. A keyboard and monitor directly connected to the machine will not display the "boot:" line, which means you will not be able to perform this procedure.

1) Boot in single-user mode: reboot or power cycle the machine; when you see the line "boot:" you must enter "-s" before it goes into multi-user mode (you have about 10 seconds).

* On an IP330 or IP650 you need to type boot -s at the BOOTMGR prompt.

2) After it boots, it will ask "Enter pathname of shell or RETURN for sh:"; press the Enter key.

3) Type "/etc/overpw" at the # prompt. It will ask if you want to continue; type "y".

On IPSO 3.1.3 systems and earlier, it will ask you to put a floppy disk into the floppy drive to make sure you have physical access to the box. Put a floppy disk into the floppy drive and press the Enter key. IPSO 3.1.4 and later does not ask this question.

4) The admin password is now empty (no password for admin). Continue booting to multi-user mode.

5) Reconfigure the password as usual in Voyager.

 

Q. How do I perform a local simulation of a remote module in order to configure it before shipment?

A. Simulation is useful when you are preparing equipment for remote locations. From the management module you can prepare the policy, but then you will need to download it to the remote module. If you can simulate the remote network locally, you will find it easier to prepare and troubleshoot configurations.

External interface is Ethernet and will be connected to a router

For the simulation you will need to change the configuration of your Internet router. You will assign a secondary address to the router's Ethernet interface. This address is the one of the remote site's Internet router.

!
interface Ethernet0
ip address 192.168.10.253 255.255.255.0 secondary
ip address 194.191.78.36 255.255.255.224

By extending the number of secondary addresses you can simulate several remote locations at the same time.

External interface is on a serial interface

You will need to simulate the serial connection locally. That kind of serial connection can be of type Cisco HDLC, Frame Relay or PPP. For the simulation you will need a local Cisco router with an available serial port.

If your external interface is serial 0 on a Cisco router, you will configure it in DCE mode. For this, use a Cisco DCE cable; having a DCE cable attached puts the Cisco serial interface in DCE mode. Then configure the serial interface to provide a clock rate for the connection. The NAP cannot work in DCE mode itself. The Nokia V.35/X.21 cable is connected to the Cisco DCE cable, and both are connected to their respective serial ports. The IP address given to the serial interface of the router is the one of the remote site's Internet router.


!
interface Serial0
ip address 194.193.192.254 255.255.255.252
clockrate 64000

 

Q. How do I switch logs on a Nokia system?

A. Below is an example of log rotation for IPSO.

#!/bin/sh
#
# Set environment variables ($FWDIR etc.); the file must be sourced with
# ".", not run with "sh", or the variables only exist in the child shell
. /var/etc/rcm_profile
#
cd /var/fw/log
#
# Switch the Check Point log into a dated file for saving
PERIOD=`date "+%d%m%y"`
$FWDIR/bin/fw logswitch $PERIOD 2> /dev/null
#
# Export the log file to a comma-separated file;
# -n suppresses resolving of IP addresses to names
$FWDIR/bin/fw logexport -d , -i $PERIOD.log -o yesterday -n 2> /dev/null
#
# search for all dropped packets
ATTACK=$PERIOD.attack
grep "drop" yesterday >> $ATTACK
#
# uuencoded files will be interpreted as an attachment by most mail clients
uuencode $ATTACK $PERIOD.csv > $PERIOD.csv
#
# mail the attack report to the system administrator
mail -s "Fire Log Switch" fwadmin@corp.com < $PERIOD.csv
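The grep "drop" line in the script above matches the word anywhere on the record, so a host name or rule comment containing "drop" is counted as an attack. The block below is an added example, not from the FAQ: it locates the action, src and service columns by name from the header line that fw logexport writes first (assumed here) and summarises dropped connections per source and service. The sample export is constructed for this example with documentation addresses and is not real firewall output.

```shell
#!/bin/sh
# Added example, not from the FAQ: summarise the dropped connections in a
# comma-separated "fw logexport -d ," file like the one the script above
# mails out. Rather than grepping for "drop" anywhere on the line (which
# also matches a host name or rule comment containing the word), the
# columns for action, src and service are located by name from the header
# line that fw logexport writes first (assumed here). The sample export
# below is constructed for this example and uses documentation addresses.

SAMPLE_EXPORT='num,date,time,orig,type,action,alert,i/f_name,i/f_dir,proto,src,dst,service,s_port,rule
1,13Oct1999,6:00:01,fw-geneva,log,accept,,eth0,inbound,tcp,10.1.1.5,192.0.2.10,http,1030,3
2,13Oct1999,6:00:02,fw-geneva,log,drop,,eth1,inbound,tcp,203.0.113.7,192.0.2.10,telnet,2001,9
3,13Oct1999,6:00:02,fw-geneva,log,drop,,eth1,inbound,udp,203.0.113.7,192.0.2.10,snmp,2002,9
4,13Oct1999,6:00:03,fw-geneva,log,accept,,eth0,outbound,tcp,10.1.1.9,drop.example.net,http,1031,3
5,13Oct1999,6:00:04,fw-geneva,log,drop,,eth1,inbound,tcp,203.0.113.7,192.0.2.10,telnet,2003,9'

# drop_count: number of records with action=drop in the export on stdin
drop_count() {
    awk -F, '
        NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
        $col["action"] == "drop" { n++ }
        END { print n + 0 }'
}

# drop_summary: "count source service" per dropped source/service pair,
# most frequent first; the input on stdin is the same export
drop_summary() {
    awk -F, '
        NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
        $col["action"] == "drop" { n[$col["src"] " " $col["service"]]++ }
        END { for (k in n) print n[k], k }' | sort -rn
}

# naive_drop_count: what the grep "drop" line in the script above counts;
# kept here to show the over-count caused by line 4 of the sample
naive_drop_count() {
    grep -c drop
}
```

In the rotation script, drop_summary < yesterday would replace the grep and give the administrator a ranked list instead of raw records; the header-driven column lookup also keeps the script working if the export's field order differs between versions.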

Q. How do I perform a clean installation of FireWall-1 on a Nokia platform?

A.

  1. In the Voyager interface, use Manage Installed Packages to turn off the package, then reboot.
  2. In the Voyager interface, on the Manage Installed Packages page, there is a link to a page to delete packages. Follow this link and delete the package.
  3. Use a console connection to delete any remaining log files. For example, FireWall-1 keeps its logs in the /var/fw/log directory. Simply issue
    # rm /var/fw/log/*
    to remove all log files.
  4. Use the "newpkg" command to reinstall the package.

 

Q. How do I troubleshoot sshd problems?

A. Troubleshooting tips:

1. Is sshd wrapped with tcp-wrappers? Assuming the sshd daemon is invoked from inetd, your /etc/hosts.allow should list the addresses from which connections are allowed.

2. Is sshd running on the standard port 22 or another? If it is running on a non-standard port, make sure that your ssh client specifies the target port.

3. Which sshd version is running? There are many problems with sshd2 used in conjunction with tcp-wrappers; sshd1 runs with fewer difficulties when wrapped. Also, the ssh1 client has difficulty connecting to an sshd2 server.

4. Make sure that your /etc/services reflects the ssh service on the designated port! /etc/services and tcp-wrappers work together when invoking the sshd daemon.

Example: sshd1 running on port 700 should have an entry in /etc/services such as:

ssh1        700/tcp    #ssh1
ssh1        700/udp

While in inetd.conf, the invoking line should read:

ssh1    stream  tcp     nowait  root    /usr/sbin/tcpd /usr/local/sbin/sshd1 -i -p 700
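Point 4 is the one that is easiest to break silently: the /etc/services entry and the -p argument on the inetd.conf line are edited separately and can drift apart. The block below is an added example, not from the FAQ, that reads the port for a service name from a copy of /etc/services and the -p port from the matching inetd.conf line and reports when the two disagree. Both sample files are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the FAQ: a consistency check for point 4 above.
# It reads the port for a service name from an /etc/services copy and the
# "-p" port from the matching inetd.conf line, and reports when the two
# disagree. Both sample files below are constructed.

SAMPLE_SERVICES='ssh         22/tcp     # SSH Remote Login Protocol
ssh1        700/tcp    #ssh1
ssh1        700/udp'

SAMPLE_INETD='ssh1    stream  tcp     nowait  root    /usr/sbin/tcpd /usr/local/sbin/sshd1 -i -p 700'

# services_port SERVICESFILE NAME PROTO: prints the port of NAME/PROTO
services_port() {
    awk -v name="$2" -v proto="$3" '
        { sub(/#.*/, "") }                       # drop trailing comments
        $1 == name && $2 ~ ("/" proto "$") { split($2, p, "/"); print p[1]; exit }
    ' "$1"
}

# inetd_port INETDFILE NAME: prints the port given with -p on NAME's tcp
# stream line; prints nothing when the line has no -p (sshd then uses its
# compiled-in default, 22)
inetd_port() {
    awk -v name="$2" '
        $1 == name && $2 == "stream" && $3 == "tcp" {
            for (i = 6; i < NF; i++) if ($i == "-p") print $(i + 1)
            exit
        }
    ' "$1"
}

# check_ssh_ports SERVICESFILE INETDFILE NAME: returns 0 when both agree
check_ssh_ports() {
    svc=$(services_port "$1" "$3" tcp)
    ind=$(inetd_port "$2" "$3")
    : "${ind:=22}"
    if [ -z "$svc" ]; then
        echo "$3: no tcp entry in $1" >&2; return 1
    fi
    if [ "$svc" != "$ind" ]; then
        echo "$3: $1 says port $svc but $2 starts sshd on port $ind" >&2; return 1
    fi
    return 0
}
```

On the firewall itself the call is check_ssh_ports /etc/services /etc/inetd.conf ssh1; run it after every edit of either file and before sending inetd a HUP.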

 

Q. I have just received a quad Ethernet card from our Nokia dealer for a Nokia IP440 Firewall. The Firewall is running Checkpoint 4.1sp-2 on IPSO 3.2 and has a single quad card currently installed. Is anyone aware of any issues regarding the installation of a second quad card on the Firewall? Is it a simple plug and play installation as the dealer seems to think?
 
The card came with no documentation and I could not find any documentation on the Nokia web site either.
 

A. You should just be able to install the card and boot up the system. The new interfaces will show up in Voyager.

Depending on the device you have, you will have to go into the physical portion of the interface configuration and set the speed and duplex modes. Make sure you go into the firewall object and update the interfaces and anti-spoofing parameters as well.

 

Q. In a Nokia box I see ACLs, like in a router. In which cases should I take care of those?

A. You need ACLs if you plan on using any of the rate-shaping features. Be aware that ACLs are applied before FireWall-1 rules: if you put in an ACL that drops certain packets, the firewall will never see them. In short, ACLs take precedence over FW-1 rules.

 

Q. On a Nokia system I typed fw lichosts and the system is really slow to output results.

A. If you remove all DNS configuration information from IPSO via Voyager (go to the DNS configuration page, delete everything, Apply, Save; IPSO doesn't really need it anyway), fw lichosts will no longer try to do reverse lookups and will deliver its output at a much more reasonable speed.

 

 

Q. IP330 enters the CMOS setup automatically
IP300 Series Hardware

The Nokia boots up and tests its memory; after the test finishes, the characters [[5n are displayed. From that moment on the IP330 hangs, no disks are detected, and the CMOS setup opens automatically.

SOLUTION

Some terminal emulators are known to send a signal along the console cable at boot; the [[5n above could be interpreted as TAB, which can interrupt the boot process. Identify the terminal emulator type first. The problem has been reported when using Win2000 (SP2) and HyperTerminal (8-N-1 and no flow control).

Try another terminal emulator. No problem has been reported with:

  • Win2000 SP2 and Token2
  • Win2000 SP2 and CRT 3.4
  • Win2000 (no SP) and HyperTerminal
  • Win2000 (no SP) and KoalaTerm
  • Win2000 (SP2) and KoalaTerm

Resolution 6837

GUI

 

Q. When performing remote management we often face the message "No response from server". What shall we do to improve the situation?

A. The policy editor needs a response from the management station within 15 seconds. Due to network conditions, long compilation times, or a large rulebase, the timer should be extended to 60 seconds. Below is a recommendation from Nokia explaining how to proceed. The change must be performed on the GUI client.

fwpolicy "Times Out" during a policy install (operation would block)
Check Point FireWall-1,   Distributed Management
for version: 3.0b  And Later
Some error messages you may get include:

No Response From Server
Server Not Responding
Operation would block

You may get these errors when:

1. Large number of rulebases or network objects
2. Slow links
3. A compilation and installation of a rulebase is taking a long time
4. Some combination of the above
SOLUTION
fwpolicy is set up to require responses from the management console within a certain period of time. The default timeout is 15 seconds. To adjust this timeout, the following changes need to be made on the system running the GUI client.

Unix: Set the environment variable SERVER_TIMEOUT before running fwpolicy (e.g. setenv SERVER_TIMEOUT 60 to set the timeout to 60 seconds).

NT: For FW-1 3.0, create the following registry entry as a DWORD, specifying the desired number of seconds for the timeout:

HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\FireWall-1\ServerTimeout

NT: For FW-1 4.0, create the following registry entry as a DWORD, specifying the desired number of seconds for the timeout:

HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\FW1\ServerTimeout

Windows GUI: For FW-1 4.0, create the following entry as a DWORD, specifying the desired timeout in seconds:

HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\FireWall-1 GUI\ServerTimeout

For FireWall-1 4.1, create the following entry as a DWORD, specifying the desired timeout in seconds:

HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\Policy Editor\4.1\server_timeout

Safe@Office

Q. Is it based on Check Point "Small Office Software"?

A. No, they called it Embedded NG (it does not support SmartDefense, AI, QoS, load sharing...).

Q. Was the WebGUI improved in the appliance?

A. If you have CP SmartCenter, you can use VPN-1 Edge instead, since the Safe@Office is for a single office managed locally (no central management).

VPN-1 Edge can be managed centrally by SmartCenter.

 

Q. Is there a cost-free management server bundled, like in former CP Small Office versions?

A. No. The management server bundle is only for a short period of time. Then, even if you buy SmallOffice, you can only use the WebGUI.

Both Safe@Office and VPN-1 Edge have a WebGUI. From the latest firmware on, you can customize the firewall rules in the WebGUI.

Q. Management only by WebGUI, or also from a management server (SmartCenter Server)? Handling of the rules with the WebGUI?

A. Only VPN-1 Edge can be managed by SmartCenter.

Here are the details of the difference between Safe@Office and VPN-1 Edge:

http://sofaware.infopop.cc/6/ubb.x?a=tpc&s=5006072361&f=2406072361&m=3596037815

 

Q. What are the VPN experiences with Check Point Next Generation FP1-3 as VPN partner?

A. Tested building a VPN with CP 4.1 and NG FP3 successfully.

Q. Possibility for gateway-to-gateway VPN?

A. Depends on the model of the appliance: some only support client-to-site, some support gateway-to-gateway. Check with the vendor for the model or take a look at www.sofaware.com

Q. Logging, log server?

A. Local logs in the WebUI, syslog, or SmartView Tracker (VPN-1 Edge only).

Q. Does it have a backup possibility?

A. Yes, there is an option in the WebUI.

 

 

 

 

INSPECT

 

Q. What are some of the manual changes one can make to objects.C?
A. There are some properties that are not in objects.C by default which offer more control over VPN-1/FireWall-1's behaviour. Most of these can be found in the release notes for the various releases of VPN-1/FireWall-1 over the years.

In order to make changes to objects.C, the following steps are recommended:

1. fwstop your management console. This is to ensure no part of FireWall-1 has your objects.C file open.

2. Delete objects.C.sav and objects.C.bak to ensure FireWall-1 doesn't replace your changes with these files. It will if they have a more recent timestamp than your current objects.C.

3. Make the suggested change. All of these changes go in the ":props" section of the file.

4. Restart your management console.

5. Push the policy to your firewall module(s).

Optionally, you could instead kill the 'fwm' process and restart it rather than bouncing FireWall-1; however, the only sure-fire way to make sure the changes stick is to stop FireWall-1 entirely.
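Steps 2 and 3 are where hand edits go wrong: a forgotten objects.C.bak with a newer timestamp silently reverts the change, and a property added twice or outside ":props" is ignored. The block below is an added example, not Check Point's own tooling: it refuses to run while fwm is up, removes the .sav and .bak copies, and then sets a property inside the ":props (" section by replacing an existing line or inserting a new one. The sample objects.C is constructed; the real file is far larger and tab-indented, but the ":name (value)" layout it relies on is the same. The remaining steps (restart, push policy) are left to the operator.

```shell
#!/bin/sh
# Added example, not Check Point's own tooling: applies the steps above to a
# property in the ":props (" section of objects.C. It refuses to run while
# fwm is up (step 1 says fwstop first), removes objects.C.sav and
# objects.C.bak (step 2), and then either replaces the property's existing
# line or inserts a new one right after ":props (" (step 3). Restarting and
# pushing the policy (steps 4 and 5) are left to the operator. The sample
# objects.C below is constructed; the real file is far larger and
# tab-indented, but the ":name (value)" layout is the same.

SAMPLE_OBJECTS_C='(
    :props (
        :fw_light_verify (false)
        :http_log_every_connection (false)
    )
    :netobj (
        :localhost (
            :ipaddr (127.0.0.1)
        )
    )
)'

# set_prop FILE NAME VALUE   e.g.  set_prop objects.C dns_verification true
set_prop() {
    file=$1; name=$2; value=$3
    if [ ! -f "$file" ]; then echo "$file: no such file" >&2; return 1; fi
    if pgrep -x fwm >/dev/null 2>&1; then
        echo "fwm is running; fwstop first" >&2; return 1
    fi
    rm -f "$file.sav" "$file.bak"       # a newer .bak would undo the edit
    if ! awk -v name="$name" -v value="$value" '
        BEGIN { pat = "^[ \t]*:" name "[ \t]*\\(" }
        # entering the props section: print its header and the new value
        /^[ \t]*:props[ \t]*\(/ && !seen {
            print; seen = 1; inprops = 1; depth = 1
            print "\t\t:" name " (" value ")"; next
        }
        # inside props: track parentheses to know when the section closes,
        # and drop the old line for this property if there is one
        inprops {
            s = $0; depth += gsub(/\(/, "(", s) - gsub(/\)/, ")", s)
            if (depth <= 0) inprops = 0
            else if ($0 ~ pat) next
        }
        { print }
        END { if (!seen) exit 2 }
    ' "$file" > "$file.new"; then
        rm -f "$file.new"; echo "$file: no :props section found" >&2; return 1
    fi
    mv "$file.new" "$file"
}

# get_prop FILE NAME: prints the value of NAME in FILE (empty if absent)
get_prop() {
    awk -v name="$2" '$1 == (":" name) { v = $2; gsub(/[()]/, "", v); print v; exit }' "$1"
}
```

Because the old line for the same property is dropped inside ":props" only, a property of the same name under a network object (outside the section) is left untouched, which is what the parenthesis counting is for.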
SOLUTION
NOTE: The following entries into the properties section of the objects.C file have been ordered into categories. Be careful because not all versions of FireWall-1 support each of these entries. Each version of FireWall-1 has introduced new entries, as documented in the relevant release notes. It is implied that a later version of FireWall-1 supports an entry introduced by an earlier version, but significant changes to INSPECT may obsolete an earlier entry that is documented here.

DNS Security


:dns_verification (true) (New for 4.1 SP2)

This will add a pre-defined rule to any INSPECT code generated by a security policy, represented by the macro, dns_verification_code. This rule will only allow DNS queries or responses to be transmitted across port 53.

Certificate Validation


:use_cms_validation (false) (New for 4.1 SP1)

Forces VPN-1/FireWall-1 to validate Entrust certificates using the same Check Point validation code it uses to validate OPSEC CA certificates. Normally, VPN-1/FW-1 would use the Entrust CMS toolkit.

HTTP Security Server


:http_max_url_length (n) (Available since 3.0b SP8 on other platforms)
Increases the maximum URL length that can be handled by the HTTP Security Server.

:http_log_every_connection (true)

This will log all sites that an HTTP authenticated user visits.

:http_buffer_size (32768) (New for 4.1 Base)

Increases the HTTP security server's buffer size

:http_sup_continue (true) (New for 4.0 SP5 and 4.1 SP1)

Enables the HTTP Security Server to support the HTTP 1.1 CONTINUE command.

:http_force_down_to_10 (true) (New for 4.0 SP5 and 4.1 SP1)

Forces the HTTP Connection down to version 1.0. Needed when working with CVP servers.

:http_avoid_keep_alive (true) (New for 4.0 SP5 and 4.1 SP1)

Forces the HTTP Security Server to ignore the "Keep Alive" directive in HTTP 1.1, needed when working with CVP servers.

:http_cvp_allow_chunked (true) (New for 4.0 SP3)
:http_weeding_allow_chunked (true)
:http_block_java_allow_chunked (true)
:http_allow_ranges (true)

Allows the HTTP Security Server to handle downloads that occur as byte ranges, used in HTTP 1.1.

:http_allow_double_slash (true) (New for 4.0 SP5)
:http_use_default_schemes (true)

Enables the HTTP Security Server to accept double slashes ('//') in a substring of a URL. In order to allow this, the security server will define a set of schemes that it will accept.

The default set includes prospero, gopher, telnet, finger, mailto, http, news, nntp, wais, file and ftp. You may define new schemes, which will be ADDED to this set.

In order to define additional schemes also add:

:scheme ("scheme_name:")

Where scheme_name is the name of the new scheme. For example, to define http, you would add :scheme ("http:")

:http_use_host_h_as_dst (true) New for 4.0 SP5
After authentication with Partially Automatic Client Authentication, the user is normally redirected to the site's IP address instead of the name. This causes problems for sites with cookies and the like. With this property set to true, the user will instead be redirected to the host as shown in the HTTP "host" header (which reflects the host that is being accessed).

:http_disable_content_enc (true) (New for 4.1 SP2)
This is necessary to support compressed encoding types per Resolution 3471.

SMTP Security Server


:smtp_rfc821 (false)

Configures the SMTP Security Server to work with mail servers that do not comply with RFC 821.

Authentication


It is possible to configure FireWall-1, when using Partially Automatic Client Authentication, so that the redirection sent to the client is done according to the HTTP Host header rather than the destination IP (see :http_use_host_h_as_dst above).

:radius_ignore (255) (New for 4.0 SP4)

When handling RADIUS authentication, FireWall-1 verifies that the RADIUS attributes it receives are ones defined in the RFC. If your system uses non-standard RADIUS attributes, you can force FireWall-1 to ignore them. To do so, add to objects.C an appropriate line for each such attribute, giving its ID. The example is for an attribute with ID 255.

:automatically_open_ca_rules(true) (Only applies to 3.0)

Allows normal User or Session Authentication rules to automatically perform a standard sign on for Client Authentication Rules. In 4.0 and later, this is replaced by "Partially Automatic" and "Fully Automatic" Sign-On for Client Authentication.

:prompt_for_destination (true)

If this is true and there are User Authentication rules, a user will be prompted for their final destination when they telnet to the firewall.

Policy Verification


:fw_light_verify (true) (New for 4.0 SP3)

With this Service Pack you may add a property which will enable light policy verification, which means verification of each rule separately but no cross rule verification. This option may decrease the policy installation time of policies containing hundreds of rules.

FTP


:new_ftp_interface (true)

This enables one to establish an FTP connection through two firewalls which require authentication and provides a slightly nicer interface to authenticated FTP. See Resolution 1645 for more details.

SecuRemote


:userc_NAT (true) # for FWZ
:userc_IKE_NAT (true) # for ISAKMP

Enables 4.0 SecuRemote clients passing through address translation to establish a VPN with a 4.0 packet filter module. This is for version 4.0 only. It works fine with Static NAT and Pool NAT. With Dynamic (Hide) NAT it only works if there is a single SecuRemote client behind each hiding IP address.

:fwz_encap_mtu (1)

When using SecuRemote with FWZ Encapsulation, versions 3.0 and 4.0 (EA) are incompatible. Both combinations - SecuRemote 3.0 with FireWall-1 4.0, and SecuRemote 4.0 with FireWall-1 3.0 have the same problem. It occurs only with packets of a very specific size (total size close to MTU).

SecuRemote 4.0 (EA) and FireWall-1 4.0 (EA) fix the problem in re-assembling, but will not interoperate with version 3.0. FireWall-1 4.0 SP-1 and SecuRemote 4.0 build 4003 now fragment in a backward compatible way (with all versions)

This problem has been fixed with SecuRemote 4.0 Build 4003 (4005 is the most current)

:isakmp.udpencapsulation (
     :resource (
          :type (refobj)
          :refname ("#_VPN1_IPSEC_encapsulation")
     )
     :active (true)
)
(New for 4.1 SP2)

This is required if you wish to take advantage of the UDP Encapsulation mode for SecureClient 4.1 SP2 and later. Instead of adding this to the props section, you add it to the section containing your gateway object. This is covered in the SecureClient 4.1 SP2 release notes.

The reference name assumes you have a service called VPN1_IPSEC_encapsulation defined. If not, you must either create it or change this section to match the name you have given it.

Miscellaneous


:undo_msg(true)

Prevents the security servers' banner from being displayed. This is more discreet, in that it does not advertise that Check Point FireWall-1 is running on your platform.

:skey_mdmethod (md5)

Forces the S/Key hashing method to MD5; MD4 is the default.

:fwd_conn_tout(###)

This changes the FireWall-1 Control Connection timeout in order to deal with the "Operation would block" error message that occurs during a policy install. This is because the Control Module has not received timely response from a remote packet-filter module. The default value is 25 seconds

:tcpendtimeout(####)

This property controls how long FireWall-1 waits before removing an entry from the connections table once a FIN packet is seen. From 4.0 SP5 and 4.1 SP1 it is possible to change this value. To change this timeout:


:icmpcryptver (1)

Enables the use of Encryption and NAT simultaneously with ICMP. This puts the firewall into a state where it cannot encrypt ICMP with FireWall-1 prior to version 3.0 or with FireWall-1 3.0 or later that have not also implemented this change.

:nat_limit (50000) (4.0 SP1 and later)
:nat_hashsize (65536)

Changes the maximum number of connections NAT will handle. nat_hashsize should be a power of 2 close to the value of nat_limit. Note that this is usually done in conjunction with increasing the maximum number of connections beyond 25,000, as documented in Resolution 1325.

:manualminSPI (0x100)
:manualmaxSPI (0x10000)

This allows you to change the range of SPIs permitted by FireWall-1 for Manual IPSec. SPIs that are not in this range are ignored.

:fwsynatk_ifnum (External Interface NUMBER)

The above changes are needed if you wish to restrict SynDefender to the External Interface. You can find the interface number by executing the command 'fw ctl iflist'.

:snauth_protocol ("ssl") (New for 4.1 SP1 and later)

The above change can be used to force Session Authentication to use SSL. The values can be (with the quotes) "none" (no encryption), "ssl" (Forces SSL encryption of Session Authentication protocol), and "ssl+none" (allows unencrypted and encrypted Session Authentication). Requires the Session Authentication Agent that comes on FireWall-1 4.1 CD to use SSL Authentication (i.e. version 4.1). Documented on Page 521-522 of the VPN-1/FireWall-1 Administration Guide (January 2000 Edition)
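All of the properties in this FAQ are set by hand-editing objects.C, and the only way to be sure what a gateway actually runs with is to read the file back. The following Python script is an added example written for this FAQ, not Check Point code: it parses the objects.C ':name (value)' syntax, including nested sections such as :isakmp.udpencapsulation and repeated keys such as :scheme, and then audits three of the properties discussed above (undo_msg, snauth_protocol and the nat_hashsize power-of-2 rule). The sample file is constructed for the example, and the audit rules and their wording are the example's own, derived from this page's recommendations.

```python
import re
from typing import Iterator, List, Tuple, Union

# Parsed tree: a section is a list of (key, value) pairs; a leaf is a string.
Node = Union[str, List[Tuple[str, "Node"]]]

_KEY = re.compile(r':([A-Za-z0-9_.\-]*)')       # :props, :isakmp.udpencapsulation, or bare ':' for unnamed members
_STR = re.compile(r'"((?:[^"\\]|\\.)*)"')        # "ssl", "#_VPN1_IPSEC_encapsulation"
_ATOM = re.compile(r'[^\s():"]+')                # true, 32768, refobj


def tokenize(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (kind, value) tokens: key, '(', ')', str, atom."""
    pos, n = 0, len(text)
    while pos < n:
        c = text[pos]
        if c.isspace():
            pos += 1
            continue
        if c in '()':
            yield c, c
            pos += 1
            continue
        pat = _KEY if c == ':' else _STR if c == '"' else _ATOM
        m = pat.match(text, pos)
        if not m:
            raise ValueError(f'bad token at offset {pos}: {text[pos:pos + 20]!r}')
        kind = 'key' if c == ':' else 'str' if c == '"' else 'atom'
        yield kind, m.group(0) if kind == 'atom' else m.group(1)
        pos = m.end()


class ObjectsC:
    """Recursive-descent parser for the objects.C ':key (value)' syntax."""

    def __init__(self, text: str):
        self.toks = list(tokenize(text))
        self.i = 0

    def _peek(self) -> Tuple[str, str]:
        return self.toks[self.i] if self.i < len(self.toks) else ('eof', '')

    def _take(self, kind: str = None) -> Tuple[str, str]:
        tok = self._peek()
        if tok[0] == 'eof' or (kind and tok[0] != kind):
            raise ValueError(f'expected {kind or "token"}, got {tok}')
        self.i += 1
        return tok

    def _value(self) -> Node:
        self._take('(')
        kind, _ = self._peek()
        if kind == ')':                      # empty section: ()
            self._take(')')
            return []
        if kind == 'key':                    # nested section of :key (value) entries
            entries: List[Tuple[str, Node]] = []
            while self._peek()[0] == 'key':
                _, name = self._take('key')
                entries.append((name, self._value()))
            self._take(')')
            return entries
        _, val = self._take()                # scalar: (true), (32768), ("ssl")
        self._take(')')
        return val

    def parse(self) -> Node:
        tree = self._value()
        if self.i != len(self.toks):
            raise ValueError('trailing data after top-level section')
        return tree


def get(tree: Node, path: str) -> List[Node]:
    """All values at a '/'-separated key path; repeated keys (e.g. :scheme) come back in file order."""
    nodes: List[Node] = [tree]
    for part in path.split('/'):
        nodes = [v for node in nodes if isinstance(node, list) for k, v in node if k == part]
    return nodes


def audit_props(text: str) -> List[str]:
    """Checks derived from this FAQ's recommendations; returns one message per finding."""
    tree = ObjectsC(text).parse()

    def first(key, default=None):
        vals = get(tree, 'props/' + key)
        return vals[0] if vals else default

    findings = []
    if first('undo_msg') != 'true':
        findings.append('undo_msg: security-server banners advertise FireWall-1; set :undo_msg (true)')
    if first('snauth_protocol') != 'ssl':
        findings.append('snauth_protocol: unencrypted Session Authentication still accepted; set :snauth_protocol ("ssl")')
    limit, hsize = first('nat_limit'), first('nat_hashsize')
    if hsize is not None:
        h = int(hsize)
        if h <= 0 or h & (h - 1):            # power of 2 has exactly one bit set
            findings.append(f'nat_hashsize {h} is not a power of 2 (nat_limit {limit})')
    return findings


# Constructed sample for this example, not a real objects.C file.
SAMPLE = """(
    :props (
        :undo_msg (false)
        :snauth_protocol ("ssl+none")
        :nat_limit (50000)
        :nat_hashsize (60000)
        :scheme ("http:")
        :scheme ("https:")
        :isakmp.udpencapsulation (
            :resource (
                :type (refobj)
                :refname ("#_VPN1_IPSEC_encapsulation")
            )
            :active (true)
        )
    )
)
"""

if __name__ == '__main__':
    for msg in audit_props(SAMPLE):
        print('FINDING:', msg)
```

Run it against a copy of objects.C taken from the management station; the parser keeps duplicate keys in order, so a list of :scheme entries or several :radius_ignore lines is returned as a list rather than silently collapsed to the last one.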

Current bugs
Author information.
Copyright © [Telecom and Logistics Associates Sàrl]. All rights reserved.
Revised: janvier 19, 2007.

 

This list is outdated; sorry for not following up.

Date       Bug description                                  Solaris   Win NT   HP   AIX   corrected
30.6.98    fw logswitch command fails since patch 3064      2.5.1
22.6.98    log view crashes (Solaris 2.6 & CDE)             2.6                           ok

B. fw logswitch command fails since patch 3064
F. No patch is currently available. In the meantime, put the following in a script and start it from cron. Note that the firewall is down between fwstop and fwstart.

#!/bin/sh
# Work-around: rotate the log, then stop the firewall, remove the stale
# log-tracking file and restart. $FWDIR must be set in the cron environment.
fw logswitch
fwstop
rm -f "$FWDIR/log/fw.logtrack"
fwstart

B. The FW-1 3.0b log viewer crashes under the Common Desktop Environment (CDE) on Solaris 2.6.

F. FIXED: copied /usr/dt/lib/libXm.so.3 from CDE 1.02 of Solaris 2.5.1 into /opt/SUNWfw/clients/lib

-rwxr-xr-x 1 root other 1773260 Jun 22 15:48 libXm.so.3*


Tools

 

Telecom and Logistics Associates provides several software tools to manage a Checkpoint environment:

FLApro: firewall analysis and security reporting

Jclntauth: automation of authentication for processes, under Windows, Linux and Unix

Jobjects: parser for Checkpoint firewall objects. Performs analysis and places the results in a conventional database

 

From other sources

Object Filler is a migration tool for Cisco PIX, NetScreen, SideWinder or Gauntlet configs. You can also use it to create host or network objects automatically, easing the task of populating the CP SmartCenter.


Perl scripts for logs, rule analysis

Scripts are distributed as is and with no warranty

Date        Script description                                                                FW-1 version   Author
27.6.1998   Cookbook for log archiving & reporting: a cookbook, including the scripts         FW-1 3.0       Ed Ravin <eravin@panix.com>
            currently used for rotating logfiles on NT. The system should port easily to Unix.
18.6.1998   fwrules.pl: perl scripts to extract object and rule base information from                       stefan.moser@csfb.com
            the FireWall-1 configuration files
30.4.97     fwlogsum

 

Documentation

Checkpoint reference:
http://www.checkpoint.com/techsupport/documentation/index.html

Other FW-1 FAQs

http://www.qualix.com/html/faq_list.html

 

WLAN Port Probing On Firewalls

In this section we provide some answers about port numbers. Use this list to determine whether what you see in the logs is an attack attempt. The entries are taken from various security mailing lists: if someone asked once and an answer was provided, that answer may help a second time. Where we did not find an answer we put "A. ?" in its place. This list should help firewall administrators.

This list is also part of our Firewall-1 FAQ

In case that you do not find what you are looking for, information about ports can also be found on our site, using the links below :

  • port definition tool
  • IP port numbers
  • Trojans: list of default ports
  • Microsoft-specific ports
  • Microsoft Exchange ports

Port probing
Port   prot   Comments
ICMP          Not a port but ICMP as a protocol. Certain DoS attacks use ICMP: echo request (type 8) and echo reply (type 0).
CA-98.01, "smurf" IP Denial-of-Service Attacks
The TFN (Tribe Flood Network) DDoS tool uses ICMP ECHO and ICMP ECHO REPLY packets for communication between clients, handlers and agents.

The TFN2K DDoS tool uses no specific port for communication between clients, handlers and agents (it may be supplied at run time or chosen randomly by the program) and uses a combination of UDP, ICMP and TCP packets.

 

0   Port 0 is a perfectly legitimate source port for UDP.
It is not a legitimate destination port. For example, it is specified as one of the two source ports which may be used by IKE (the other is port 500).
7   tcp   Traffic generated by geographical latency-analysing software, used for web page distribution.

Global Dispatch is a WAN-based scheduler that makes it easy to place content close to geographically dispersed users and intelligently directs requests to the best-suited Point of Presence (POP). In the course of determining the best-suited POP, Global Dispatch performs a latency measurement. This is done by making a connection to the client's DNS server on TCP port 7 and then dropping the connection. After the latency measurement has been done, the latency values are cached, and the IP of the most responsive POP is returned to the requesting machine.

21   CA-99-13, Multiple Vulnerabilities in WU-FTPD
CA-97.27, FTP Bounce

Firewall configuration: FTP should be allowed only to external public or DMZ servers, never into the network itself. FTP clients should use a proxy if possible.

22   tcp   Installations of pcAnywhere before version 7.52, and v8 with patches applied, use port 22.

SSH also runs on this port; see CA-99-15, Buffer Overflows in SSH Daemon and RSAREF2 Library.

Firewall configuration: Allowing inbound SSH is extremely dangerous, as weak passwords on user accounts are far too common, and allowing shell access onto a server is a bad idea.

23 tcp Telnet
Firewall configuration: Allowing inbound Telnet is extremely dangerous, as weak passwords on user accounts are far too common, and allowing shell access onto a server is a bad idea.
43   tcp   Whois looks up registration records; can be used to identify domain owners.
53   tcp/udp   domain (DNS). UDP port 53 is used for name queries; TCP port 53 is used for zone transfers, and name queries can also come in on TCP port 53.

IN-2000-04, Denial of Service Attacks using Nameservers
CA-2000-03, Continuing Compromises of Nameservers
CA-99-14, Multiple Vulnerabilities in BIND
CA-98.05, Multiple Vulnerabilities in BIND

67-68   udp   DHCP is for use on local networks; use a DHCP relay if you need to pass the data between networks.
69   udp   TFTP
Firewall configuration: if you must have external devices that use TFTP (like Cisco routers), set up a secure TFTP host for them.
79   tcp   Finger. Can reveal user and account information.
81   "I've seen some web servers running on port 81, usually a second instance for load distribution, or the web server administration instance. Interesting that until a few months ago, www.oracle.com had a second Oracle Web Server running on port 81."
98   Port 98 is in most cases used by Linuxconf. I don't recall if there is a new exploit for it, but usually when you do a new installation of the Linux OS (especially RedHat), it will start the service by default, and I guess that is what they are looking for. I guess someone wrote a small program that scans machines for this port, and script kiddies will of course start using it themselves. This could explain why so many people are being probed.
109/tcp   ipop2d buffer overflow
110/tcp   Qpopper buffer overflow
CA-97.09.imap_pop, Vulnerability in IMAP and POP
111, 32771   tcp/udp   Remote Procedure Call (Sun RPC portmapper/rpcbind; Solaris also answers on 32771). Very dangerous. Don't run unless necessary.

CA-99-16, Buffer Overflow in Sun Solstice AdminSuite Daemon sadmind
CA-99-12, Buffer overflow in amd
CA-99-08, Buffer overflow in rpc.cmsd
CA-99-05, Vulnerability in statd exposes vulnerability in automountd
CA-98.12, Remotely Exploitable Buffer Overflow Vulnerability in mountd
CA-98.11, Vulnerability in ToolTalk RPC service

Firewall configuration: RPC has so many problems, it's best just to block it.

113   tcp   ident/auth
Q. Anyone have an idea as to why there is sometimes a connection from port 113 on an external FTP server back to the FTP client (on a high port)? This seems to occur for some anonymous FTPs.

A. ident (tcp/113), required for auth purposes by some servers.

135   I have users who want to access outlook from the internet and this I was able to do by opening up port 135 and then using static ports and TCP for DCOM. 

Firewall configuration: Should be blocked if possible. However, newer Microsoft software allows you to tunnel COM objects, etc. over HTTP.

137    I've also seen a number of scans to port 137 that hit every IP address in my pool. As a matter of security I block it at the firewall from going in or out. I also block ports 138 and 139.

There is this stupid entity that sweeps through the whole net looking for open NetBIOS/SMB hosts, among other things. A colleague noticed a bunch of scans sweeping over one of  his networks back in June, looked up the IP's, and discovered  it's related to MP3 and/or other multimedia trading and  was supposed to be a "service" for people trying to find  where they could get such files.

Scour.Net is a multimedia search engine that indexes files from three protocols -- HTTP, FTP, and SMB. The connection you saw was one of the SMB crawlers. If you do not have any SMB shares, the crawler will disconnect. If you do have public shares, it will index multimedia files located there.

IN-2000-03, 911 Worm
IN-2000-02, Exploitation of Unprotected Windows Networking Shares

 

Buffer overflow in certain Active Directory service functions in LSASRV.DLL of the Local Security Authority Subsystem Service (LSASS) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code by causing long debug entries to be generated for the DCPROMO.LOG log file.

Firewall configuration:  Windows file and print sharing. If you need to share files or print services over the Internet, you should use a VPN to encapsulate the protocol.

143   tcp   Port 143 is used for the IMAP server. IMAP is a client mail program and stands for Internet Message Access Program. If you want to know more details, please go to the web sites below.

http://www.imap.org/
http://www.washington.edu/imap/
CA-98.09, Buffer Overflow in Some Implementations of IMAP Servers
CA-97.09.imap_pop, Vulnerability in IMAP and POP
161   udp   SNMP. Used for network mapping; information can be obtained from the SNMP agent.

1 packets: 203.97.101.36(20480) ->202.218.93.62(161), : Oct 16 09:40:23
1 packets: 203.97.101.36(20480) ->202.218.93.7(161), : Oct 16 09:40:30
1 packets: 203.97.101.36(20480) ->202.218.93.8(161), : Oct 16 09:40:30
1 packets: 203.97.101.36(20480) ->202.218.93.9(161), : Oct 16 09:40:30
1 packets: 209.46.83.2(61258) ->202.218.93.3(161), : Oct 20 18:59:45
1 packets: 209.46.83.2(62408) ->202.218.93.4(161), : Oct 20 19:45:04
1 packets: 209.46.83.2(63008) ->202.218.93.2(161), : Oct 20 18:14:08

1. Someone is hoping you've got SNMP configured in a way that will  allow them to take control of your network. This would not be good.

2. Someone is setting up SNMP on their network, and has told their  management host to "discover" what else is on the network.  Unfortunately, they've misconfigured it, and it thinks your subnet  block is part of its network community.

3. Some HP network printer drivers will send traffic like this out  to other sites on the Internet. No idea what they were thinking.

Firewall configuration: Access to SNMP services on your equipment should be heavily restricted, especially since current SNMP largely lacks any security at all.
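The three explanations above describe what an SNMP sweep is; what the firewall administrator needs in practice is to tell a sweep (one source, one port, many of your addresses) apart from a single stray packet. The following Python script is an added example for this FAQ, not Check Point code: it parses log lines in the format printed above, groups them by (source, destination port) and flags any pair that reaches several distinct destinations inside a short window, annotating the port from a small lookup table compiled from this list. The log lines are constructed (RFC 5737 test addresses), the window and host thresholds are arbitrary defaults, and the slow second scanner in the sample shows what a short window misses.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional

# Firewall log line as printed in this FAQ:
#   "<n> packets: <src>(<sport>) -><dst>(<dport>), : <Mon> <d> <HH:MM:SS>"
LINE = re.compile(
    r'(?P<n>\d+) packets: (?P<src>\d+(?:\.\d+){3})\((?P<sport>\d+)\) ->\s*'
    r'(?P<dst>\d+(?:\.\d+){3})\((?P<dport>\d+)\), : '
    r'(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2})')

# What this FAQ says a probe to the port is usually after (lookup table built from the list).
PORT_NOTES = {
    161: 'SNMP: network mapping or a writable community',
    1080: 'SOCKS proxy: looking for a bounce site',
    1214: 'Kazaa',
    2140: 'Deep Throat trojan',
    3127: 'MyDoom backdoor',
    3128: 'Squid proxy relay',
}


def parse_line(line: str) -> Optional[dict]:
    """One log line -> dict, or None if the line is not in the expected format."""
    m = LINE.search(line)
    if not m:
        return None
    # The log carries no year; pin one so timestamps can be subtracted
    # (assumption: no year roll-over inside one log file).
    when = datetime.strptime(m['ts'] + ' 2000', '%b %d %H:%M:%S %Y')
    return {'count': int(m['n']), 'src': m['src'], 'sport': int(m['sport']),
            'dst': m['dst'], 'dport': int(m['dport']), 'time': when}


def find_sweeps(lines, min_hosts: int = 3, window_s: int = 600) -> List[dict]:
    """Flag (source, destination port) pairs that hit at least min_hosts distinct
    destinations inside any window_s-second window: a horizontal port sweep."""
    by_key: Dict[tuple, List[dict]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_key[(rec['src'], rec['dport'])].append(rec)
    sweeps = []
    for (src, dport), recs in by_key.items():
        recs.sort(key=lambda r: r['time'])
        start = 0
        for end in range(len(recs)):
            # slide the window start forward until it spans at most window_s seconds
            while (recs[end]['time'] - recs[start]['time']).total_seconds() > window_s:
                start += 1
            if len({r['dst'] for r in recs[start:end + 1]}) >= min_hosts:
                sweeps.append({'src': src, 'dport': dport,
                               'hosts': len({r['dst'] for r in recs}),
                               'first': recs[0]['time'].strftime('%b %d %H:%M:%S'),
                               'last': recs[-1]['time'].strftime('%b %d %H:%M:%S'),
                               'note': PORT_NOTES.get(dport, 'not in this list')})
                break
    return sweeps


# Constructed sample log: a fast SNMP sweep, a slow SNMP sweep, and one harmless web hit.
LOG = """1 packets: 192.0.2.10(20480) ->198.51.100.62(161), : Oct 16 09:40:23
1 packets: 192.0.2.10(20480) ->198.51.100.7(161), : Oct 16 09:40:30
1 packets: 192.0.2.10(20480) ->198.51.100.8(161), : Oct 16 09:40:30
1 packets: 192.0.2.10(20480) ->198.51.100.9(161), : Oct 16 09:40:30
1 packets: 203.0.113.2(61258) ->198.51.100.3(161), : Oct 20 18:59:45
1 packets: 203.0.113.2(62408) ->198.51.100.4(161), : Oct 20 19:45:04
1 packets: 203.0.113.2(63008) ->198.51.100.2(161), : Oct 20 18:14:08
3 packets: 203.0.113.9(1030) ->198.51.100.5(80), : Oct 21 10:00:00
"""

if __name__ == '__main__':
    for label, kwargs in (('10-minute window', {}), ('2-hour window', {'window_s': 7200})):
        print(label)
        for s in find_sweeps(LOG.splitlines(), **kwargs):
            print(f"  {s['src']} -> {s['hosts']} hosts on port {s['dport']} "
                  f"({s['first']} .. {s['last']}): {s['note']}")
```

With the default ten-minute window only the first source is reported; the second source probes one host every forty-odd minutes and is only caught when the window is widened, which is the usual trade-off between catching slow scans and raising alerts on ordinary management traffic.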

179   tcp   BGP, a routing protocol, uses TCP port 179 to establish its connection.
256, 257, 258   tcp   Q. I recently installed Check Point FireWall-1 on an NT server, and I found something odd when I was checking it with a series of port scans. What are open TCP ports 256, 257 and 258?

A. These are the control ports used by FW-1. You enable/disable them via the Properties settings.

(In the default service list these are FW1 on 256, FW1_log on 257 and FW1_mgmt on 258.)

256   tcp   Check Point FW1_topo service (SecuRemote topology download) for versions prior to 4.1 (2000).
264   tcp   Check Point SecuRemote clients download site information from the SecuRemote server on port 264, starting with VPN-1/FireWall-1 2000 (4.1). This is the FW1_topo service.
321   It's *supposed* to be used for the "Presence Information Protocol", which is used by services like Ding! to sense if someone is actively online. See http://sunsite.cnlab-switch.ch/ftp/mirror/internet-drafts/draft-aggarwal-pip-reqts-00.txt for more specifics. In all likelihood, the scans you're seeing aren't malicious in intent.
445   tcp   Microsoft-DS (SMB directly over TCP). Used by Samba's smbpasswd for password authentication, and by Windows 2000 for authentication in conjunction with port 139.

Some people also transpose the SSL port from 443 to 445.

The Sasser worm attacks on port 445 (the LSASS vulnerability described above). Sasser then uses two further ports on the infected host: 5554 (an FTP server from which the next victim fetches the worm) and 9996 (a remote shell).

Other vulnerabilities

  • Heap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service allows remote attackers to execute arbitrary code via a malformed RPC request with a long filename parameter, a different vulnerability than CAN-2003-0352 (Blaster/Nachi) and CAN-2003-0715.
  • The RPC DCOM interface in Windows 2000 SP3 and SP4 allows remote attackers to cause a denial of service (crash), and local attackers to use the DoS to hijack the epmapper pipe to gain privileges, via certain messages to the __RemoteGetClassObject interface that cause a NULL pointer to be passed to the PerformScmStage function.

 

456   tcp   Trojan (remote-control backdoor)

This Trojan consists of two parts, the client program and the server program. The server program allows a remote user to control the infected PC; the client program, once executed, logs in to the server program and remotely controls the PC.

The server program creates a socket and binds it to port 456. It listens on this port to establish a connection with the client program and uses the name "Explorer" to avoid detection. Once the server establishes a connection with the client, the client has remote access to the infected PC.

The client program enables the remote user running it to establish a link to the infected PC. The remote user can then perform any of the following on the infected PC:

  • Enable disk access (R/W)
  • Delete files/folders
  • Run an application
  • Download a file
  • View the victim's running processes
  • Get RAS passwords

The client program also contains some functions that make it usable as a standalone program: it can change any window's title, properties and buttons, and view a window's registered class name.

The server program has one hidden switch which, when enabled, prevents the client program from doing any disk access. With it the server program becomes useless: the only thing the client program can then do is "view" the running processes of the victim's PC. To enable this feature, add the switch /SECRET on the command line. The program then displays a window with four options:

  1. Disable RAS Password
  2. Disable Disk Access
  3. Disable File Deleting
  4. Disable Button Clicking

Neither program modifies any files, and both can easily be closed. The server program can be closed by hitting the (x) close button or by pressing Ctrl-Alt-Del, while the client program is closed by choosing "exit".

507   tcp/udp   Q. Does anyone know what risks are associated with opening TCP and UDP port 507 through a firewall? I've got a web developer who wants to use Site Server (supposedly using port 507) to push web site updates from an internal development web server to production web servers on a secured firewall segment.

512   tcp   exec (rexec): remote process execution, authenticated with a login name and password sent in the clear.
513   tcp   login (rlogin): remote login. Don't need it = don't run it.
514   tcp   shell (rsh): remote command execution.
514   udp   syslog.

Firewall configuration: Administrative services like exec, login and shell should be replaced with secure alternatives (such as SSH). Utilities like syslog should be encapsulated in a VPN if you need to move the data over the Internet.

515   tcp   Unix print spooler (lpd)

Firewall configuration: Unix print services. If you need to share print services over the Internet, you should use a VPN to encapsulate the protocol.

543   tcp   klogind, referred to in CA-2000-06, Multiple Buffer Overflows in Kerberos Authenticated Services
635   tcp   mountd on Linux. There is an extremely popular exploit tool for this vulnerability called ADMmountd.c; black-hats can gain remote root access with it. For more info, check out http://www.enteract.com/~lspitz/enemy3.html
901   tcp   Samba Web Administration Tool (SWAT) is the normal use of this port.

I wanted to point out that if anyone cares to know, port 901 is being used by some form of trojan/virus and is not being shown as one in the dshield reports. I can tell you that the trojan/virus itself scans other machines for open port 901; it is a telnet interface and requires only a password to log in. The trojan has been around since early 2002 and seems to have become more and more prevalent in the past few months. I have forgotten the login prompt that is being used, but it is somewhat of a "c00l" type of prompt.

1036 to IP 169.254.75.160   Link Local is a new TCP/IP autoconfiguration standard in development. It should not be routed externally. It is supported by Win98. See http://www.performancecomputing.com/columns/daemons/9907.shtml for a good article on the subject.
1038   NT TPSVCS CPU exploit
1080   tcp/udp   Q. Anyone know if there's anything in particular that scans at port 1080 tcp? I guess 1080 is supposed to be used for this:
   socks 1080/tcp Socks
   socks 1080/udp Socks

A. Sounds like someone is looking to see if you have a SOCKS-compliant proxy server. Most likely they are looking for a bounce site (i.e. compromise your site in order to attack other networks).

Look at CA-98.03, WinGate IP Laundering.

1098   tcp   rmiactivation 1098/tcp, RMI Activation
1137   MTX is characterized by a relatively complex structure. It contains three distinct components: a virus with a capacity to duplicate itself, a worm with a capacity to spread without a hosting program, and a Trojan horse that can hide in a file.
1243   SubSeven backdoor
1214   tcp/udp   Initial configuration of Kazaa version 1. Kazaa is only one of a whole culture of peer-to-peer file-sharing networks/programs: Gnutella, eDonkey, BearShare, etc. ad infinitum. Kazaa version 2 uses dynamic ports.

How to block it on a firewall
Block them by port number. This doesn't scale well, and fails completely with the ones that search for unblocked port numbers to use. (While to you a firewall is a "policy enforcement device", to your users and the authors of these applications it is just an obstacle to be surmounted.)
If a client uses an HTTP-tunnelling program like KazaaHTTP, you have very few options, as it will tunnel the Kazaa traffic over HTTP from the client's desktop. If you have a novice user base, simply blocking port 1214 should suffice.
If you are using Check Point NG, FP3 is supposed to include the additional content filtering needed to block applications like Kazaa.
If you are blocking port 1214, you also have to block all outgoing SOCKS traffic, because the Kazaa client supports SOCKS proxies and there are enough free SOCKS proxies around. Second, if you are blocking SOCKS you also have to block all outgoing HTTP/HTTPS traffic, because SOCKS traffic can be tunnelled over HTTP/HTTPS with tools like HTTPort.

How to block it on a Cisco router
Kazaa 1 uses 1214 over both TCP and UDP, so deny both. Remember the implicit deny at the end of an IOS access list: if this list is applied on its own, add a permit for the traffic you do want after these lines.

access-list 101 deny   tcp any any eq 1214
access-list 101 deny   udp any any eq 1214

What measure you should take
Add a content-filtering solution to your border security. This is about the only way you're going to block stuff that piggy-backs on well-known service ports (80, 25, etc.) in order to circumvent firewalls.

What you should also know about Kazaa

Unfortunately when you install KaZaa you also get at least one virus installed on your computer. I call it a virus because by most descriptions I've seen of the term, TopText qualifies as a virus. You don't ask for it. It takes control of your browser and makes changes to everything you read on the Internet.

TopText operates with a browser to highlight words on every web page, inserting a yellow background behind keywords that have been purchased through their media sales company eZula, Inc. If a web user clicks on one of those yellow highlighted words on a web page, the user is whisked away to the site of the company paying the most that day for each click-through. If a user whose browser is infected with TopText visits your web site, they will be offered links to competitors' web sites for every keyword they find on your site for which they have a buyer.

This is not much, if any, different from the Smart Tags system that Microsoft announced for their Windows XP browser. Media and webmaster pressure and outrage caused Microsoft to cancel, for now, their release of that feature.

1250   tcp   Trojan functions. Plexus is a worm that opens and tracks port 1250, allowing the virus writer to load and launch files on the infected machines.


1433   tcp   MS SQL Server
1434   udp   MS SQL Server Resolution service

Slammer (alert published 2003-01-24) is a worm that spreads via Microsoft SQL servers and was responsible for large amounts of Internet traffic, millions of UDP probes, at the time of the alert. It exploits the SQL Server Resolution service buffer overflow (CVE CAN-2002-0649) on UDP port 1434. Once a vulnerable computer is compromised, the worm infects that target, randomly selects a new target, and resends the exploit and propagation code to that host. Although Slammer is not destructive to the infected host, it generates a damaging level of network traffic when it scans random IP addresses for additional targets.

A separate, earlier worm, "Voyager Alpha Force", is human-controlled through Internet Relay Chat (IRC): affected servers scan netblocks for other SQL servers on TCP port 1433, try to log on as sa with a blank password, and run the malicious code.
1494   tcp   Citrix's remote control protocol is ICA, which runs on TCP/1494 (not UDP). Punching a hole through your firewall for this port will allow basic Citrix connectivity. Since the Citrix client is freely available from Citrix's website, this would allow anyone on the Internet access to your Citrix servers' login prompt. A little more probing and patience could easily give any remote user full access to an NT desktop (MetaFrame) on your network.
1502   On this one I ended up going to Shiva's site, which gives the clue to what port 1502 is used for, so I'll answer my own question:

Managing a LanRover Through a Firewall (678188-SN96)
Product: LanRover Access Switch /E/T, General LanRover and NetModem
Component: Shiva Net Manager v5.0
3rd Party Product(s):
Release Date: Pending

To be able to manage a LanRover through a firewall, the firewall must be configured to pass traffic directed to TCP port 115 (sftp) and UDP port 161 (and possibly UDP port 1502).
1524   tcp   ingreslock. Seen as a root-shell backdoor port on hosts compromised to run the Trinoo DDoS (Distributed Denial of Service) tool.
1812-1813   udp   RADIUS (authentication and accounting)

Firewall configuration: Authentication protocols should be blocked at firewalls, unless, of course, you have a specific need, such as a terminal server on the other side.

1975   Our site had begun getting these port 1975 jewels several months back. When I tracked it down to the originating IPs (several workstations had it), I found that the users had downloaded and installed the GoZilla! app. We're fortunate here in that we have the latitude to deny usage of 'non-approved' software within our WAN, so the short-term fix was simply to block the port at the firewall system's inner router (keeps it out of your firewall's logs), and to notify the users of their 'dead' app. Don't know of other programs that may use the port, but DO know that its usage isn't currently validated at this location. Makes life a *bit* simpler for sysadmins when the organization is willing to stand behind a documented security policy, too <smile>.
1975, 1976   Ports 1975 and 1976 are used by the Cisco implementation of Bridging and IBM Networking (SNA variations). See the document at (use the entire URL, which wraps to more than one line):

http://www.pluscom.ru/univercd/cc/td/doc/product/software/ios120/12cgcr/ibm_c/bcovervw.htm

The documentation at this URL does not refer to ports 1975/1976, but they are documented elsewhere in the command reference and guide for Bridging. Also refer to (use the entire URL, which wraps to more than one line):

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12supdoc/12cmdsum/12csibm/csstun.htm

Search the document for the port 1976 and 1977 command references.
1984   tcp   Big Brother sends all status reports from client to server over port 1984.
2049   tcp/udp   nfsd. While testing NFS between a UNIX server and an NT client, it looks like NFS opens different ports each time. The numbers below are RPC program numbers (mapped to ports at run time by the portmapper on port 111), not fixed port numbers:
   100005 - mountd
   100003 - nfs (nfsd, normally on 2049)
   150001 - pcnfsd
   100021 - nlockmgr
Firewall configuration: If you need to share files over the Internet, you should use a VPN to encapsulate the protocol, or a more secure method than NFS.
2140   udp   Q. Has anyone else seen anything like this? It has been happening for well over two weeks and I was wondering if it was a targeted attack or a general scan. All packets have originated from the same city's dialup pool with the same src/dst ports and the same 5-minute span that the scan takes (20:24 -> 20:29, 17:27 -> 17:32), with the last trace showing two distinct 5-minute scans from 11:45 -> 11:50 and 11:56 -> 13:01.

What tool uses source port 60000 and 5-minute timings? If this is a plain UDP service scan, why are there 2 bytes of data in the packet (vs NULL)?

20:24:36.271610 1Cust191.tnt3.fort-collins.co.da.uu.net.60000 > A.B.C.D.2140: udp 2
20:25:19.174056 1Cust191.tnt3.fort-collins.co.da.uu.net.60000 > A.B.C.D.2140: udp 2
20:26:43.613437 1Cust191.tnt3.fort-collins.co.da.uu.net.60000 > A.B.C.D.2140: udp 2
20:29:48.675551 1Cust191.tnt3.fort-collins.co.da.uu.net.60000 > A.B.C.D.2140: udp 2

A. Someone is scanning your network for the "Deep Throat" trojan.

    2301   If I'm not mistaken, it has something to do with Compaq Insight Manager, the hardware management software that gets bundled with Compaq servers. There's a web interface (try connecting via HTTP to a Compaq server on that port, assuming you've got one), and there's an SNMP component, so maybe that's the explanation for the UDP. It's a dangerous thing to have lying around with a default configuration, and it's easy to forget it's there.
    2746 udp   SecuRemote, the VPN client from Check Point, uses UDP port 2746 for the UDP encapsulation mode of IKE in SecureClient 4.1 SP2 and later.
    3127 tcp   Worm W32/MyDoom-A.

    Correlations between scans on port 3127 (Mydoom backdoor) and port 9898 (Dabber/Doomran backdoor) were made as early as February, but because no complete analysis of Doomran was available, the connection between the port 9898 activity and Doomran was not established until now.

    3128 and 3130   Squid proxy. http://www.rusftpsearch.net/ was searching for and trying to exploit this service.
    Our network has been scanned for devices on port 3128. You are correct about the potential for proxy relaying.

    Firewall configuration: for the most part, you do not want to provide WWW proxy services to people outside your local network.

    3306   MySQL, a popular database.

    Firewall configuration: older versions have authentication issues. If you need to administer the database remotely, encapsulate the protocol using a VPN or similar.

    4000   ICQ chat programs. Can be dangerous. Don't need it = Don't run it.

    Also used by the Witty worm to find vulnerable ISS RealSecure installations. Can show up on Check Point firewalls as Connect-Back_Backdoor.

    5030   I'm currently observing a lot of traffic to port 5030 from 209.58.12.34 (which maps to Teleglobe.net?).

    A. ?

    5135   SGI objectserver. SGI security advisory 20000303-01-PX: vulnerability in the IRIX 5.3 and 6.2 objectserver.
    5190   Fizzler worm:

    The worm can automatically register a new, random AOL Instant Messenger username. It next attempts to log into AIM, using port 5190. Once online, it then joins a particular chat session.

    5632   Our new installs of pcAnywhere v8 with patches applied also use port 22.
    6000+ udp X-Windows

    Firewall configuration: if you need to allow access to X over untrusted networks, you should use a VPN to encapsulate the protocol.

    6129 tcp Dameware
    Remacc.Dwremote is a component of the DameWare Mini Remote Control software.

    Although Remacc.Dwremote is primarily intended to assist network administrators in managing remote computers across a network, an attacker may use it to control other computers. Therefore, Remacc.Dwremote constitutes a security threat.

    Finding DameWare: look for the file DWRCS.exe, which is usually found in the %System% folder.

    Note: %System% is a variable. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

    Transmission
    This remote access program can be used through a command line to install and uninstall software. Even though administrative access is required for manual installation, Remacc.Dwremote may be installed without your permission on a compromised computer.

    Remacc.Dwremote can be run in stealth mode. When Remacc.Dwremote is executed, it performs the following actions:

    1. Copies itself as DWRCS.exe to variable locations. By default, the dropped files should be in the %System% folder.


    2. Opens a port and listens for remote commands. The default opened port is TCP 6129.


    6665 - 6669   Internet Relay Chat. Very dangerous. Don't need it = Don't run it.
    6667 tcp   Pretty Park virus: I have one host on my internal network that constantly (meaning 7 times every minute) tries to send TCP out over port 6667 to the following addresses:

    The list of IRC channels the trojan attempts to connect to includes:

    hostname   IP (tested 2.7.2000)
    irc.twiny.net unknown
    irc.stealth.net 206.252.192.20
    irc.grolier.net unknown
    irc.club-internet.fr 127.0.0.1 (strange DNS definition)
    ircnet.irc.aol.com  unknown
    irc.emn.fr 193.54.76.37
    irc1.emn.fr 193.54.76.37
    irc.anet.com 207.7.4.23
    irc.insat.com unknown
    irc.ncal.verio.net 204.247.0.124
    irc.cifnet.com 198.78.172.10
    irc.skybel.net unknown
    irc.eurecom.fr unknown
    irc.easynet.co.uk 195.40.6.1
    krameria.skybel.net 195.238.2.52
    banana.irc.easynet.net 195.40.6.1
    mist.cifnet.com 198.78.172.10

    You've probably been infected by the Pretty Park virus.

    http://www.cert.org/current#trojans
    http://www.cai.com/virusinfo/encyclopedia/descriptions/prettypark.htm

    6723   Mstream, a DDoS tool.
    Attacker to handler(s): 6723/tcp (in published source)
                            15104/tcp ("in the wild")
                            12754/tcp (in recovered source)
    Agent to handler(s):    9325/udp (in published source)
                            6838/udp ("in the wild")
    Handler to agent(s):    7983/udp (in published source)
                            10498/udp ("in the wild")

    Remote control of the mstream handler is accomplished via a TCP connection to port 6723/tcp (or 15104/tcp, or 12754/tcp, or...).
    6838 udp   Mstream (see port 6723).
    6970   Q. I have seen thousands of packets with destination port 6970 UDP, and sometimes 6971 (UDP), coming to us. The sources include ra4.netradio.net, lomotil-4.real.com, nr-g2-2.paix.cef.net, etc.

    A. RealAudio uses UDP ports 6970 through 7170 as well as TCP 7070.

    7983 udp   Mstream (see port 6723).
    8888   Napster, the audio and video exchange network. Nothing dangerous, more of an annoyance caused by your users. It also uses ports 6699, 7777 and 9009.
    8080   Q. Many of the scans that hit my network, especially on the weekends, are of the port 8080 variety, sometimes including port 3128.

    A. They are for HTTP Proxy services.

    9137   We had to open port 9137 to register for a video conference the other day, because I had the outbound.
    9325 udp   Mstream (see port 6723).
    9898   Correlations between scans on port 3127 (Mydoom backdoor) and port 9898 (Dabber/Doomran backdoor) were made as early as February, but because no complete analysis of Doomran was available, the connection between the port 9898 activity and Doomran was not established until now.
    10498 udp   Mstream (see port 6723).
    12343   I have recently seen traffic in my log on port 12343 with destination www.hitbox.com (or one of their servers).

    Port 12343 is a tad too close to port 12345, which is a default port for the NetBus trojan...
    12345 tcp   NetBus 1.0
    12631 tcp   NetBus 1.7
    12754   Mstream, a DDoS tool (see port 6723).
    15104   Mstream, a DDoS tool (see port 6723).

    16660 tcp   Stacheldraht DDoS: communication between clients, handlers and agents.
    16959   SubSeven DEFCON8 2.1 Backdoor is an updated version of SubSeven and listens on port 16959, which is nonstandard from previous versions of the SubSeven backdoor. This version of SubSeven joins an IRC (Internet Relay Chat) channel on irc.icq.com to notify the attacker that a machine has been infected.
    17027   Port 17027 is used by the ad server bundled with PKWARE and other programs; see:

    http://www.pkware.com/sponsors.html
    http://www.conducent.com/
    http://x29.deja.com/getdoc.xp?AN=400761669&CONTEXT=926694699.1768161413&hitnum=1

    I just reject this port with no logging.
    20034 tcp   NetBus 2.0
    26602   Every 2 minutes we receive a connection attempt from a device on port 26602 (tcp).

    A. ?

    27374   SubSeven backdoor 
    27444 udp   Used for distributed denial of service (DDoS) attacks by Trinoo.
    27665 tcp   Used for distributed denial of service (DDoS) attacks by Trinoo.
    31337   That's a backdoor named Back Orifice. I get scans with this port nearly every day too. 31338 can also be a variant.

    http://www.cultdeadcow.com/tools/

    31785, 31787, 31788, 31789 (UDP), 31791 (UDP), 31782   This looks like someone is scanning for trojan horses. In this case you were being probed for the trojan "Hack'a'Tack".
    So all they have to do is a UDP port probe in order to find out if you have Hack'a'Tack running. The reason everyone's probably seeing a big increase in hits is that it has a really nice GUI whereby you can scan an entire network. It does all the usual trojan-type things: steal passwords, run commands on the remote machine, take screen dumps, etc.
    31335 udp   Used for distributed denial of service (DDoS) attacks by Trinoo.
    33270   Used for distributed denial of service (DDoS) attacks by Trinity. This is a simple backdoor program that listens on TCP port 33270 for connections. When a connection is established, the attacker sends a password to get a root shell. The password in the binaries that we have analyzed is "!@#". When the uucico binary is executed it changes its name to "fsflush".
    33434, 65535   Recently I've seen an increase of inbound activity on ports 65535 and 33434. I know that 65535 is the last port possible and if memory serves me 33434 is the port UNIX uses for traceroute (PORT_UNREACHABLE). All this activity is directed at one of our NATed addresses and I don't see any activity going out to these sites.

    It is a timing scan from one of the large news organizations. Gannett comes to mind since one of the addresses resolves to their domain.

    http://www.sans.org/y2k/031000.htm

    I have confirmation from Exodus Communications and USAToday that the 33434 packets are USAToday's new load-balancing software, which uses traceroute to determine latency.

    33434-33523   Q. What I found in the logs was a series of connections rising from source port 1024 and destination port 33434 to source port 1113 and destination port 33523. These connections were from our router to our firewall.

    A. Those are exactly the UDP ports used by the Van Jacobson implementation of traceroute (the most common UNIX implementation).

    There are a few variants, but most traceroute algorithms rely on sending a sequence of packets from the source to the destination, each successive packet having its TTL (time to live) field increased by one.

    The first packet sent out will have a TTL of one, and will be killed at the first router. That router will return an ICMP TIME_EXCEEDED response to the source system. This is repeated until the packet reaches the destination, or a limit is reached.

    Most unix traceroutes send UDP packets to high (unused) ports, and recognise they've reached the destination system when they receive an ICMP UNREACHABLE response.

    (Most Windows hosted traceroutes use ICMP ECHO_REQUEST packets instead, and some unix hosted traceroutes can be configured to use ICMP ECHO_REQUEST, UDP packets or even IP tunneling packets. UDP is by far the most common outside the Windows world.)

    If the destination system is unavailable, or has been misconfigured to drop packets, then traceroute will not receive that UNREACHABLE response and will assume the packets it sent were lost and keep sending until it reaches a maximum limit.

    By default most traceroutes will send three packets at each TTL, to a maximum TTL of thirty - a maximum of 90 packets in total.

    Traceroute will send a sequence of UDP packets to a range of high ports; by default it will start at port 33434. Each datagram it sends out will be to one port higher, so the typical range of destination ports used will be 33434 to 33523. All the parameters are user configurable, so ports outside that range may occasionally receive datagrams from traceroute.

    (An ICMP TIME_EXCEEDED packet has only an eight byte payload, so it will only contain the header of the expiring UDP packet, not any of the UDP packet's payload. So to associate replies with the original datagram the necessary information must be coded in the UDP header. To allow multiple traceroutes simultaneously, the process ID is coded into the UDP source port, and that leaves the destination port as the only convenient field to store the packet count in.)

    A destination system should see no more than three UDP port accesses in that range, unless it is misconfigured to drop UDP packets in that range rather than refusing them. If it is misconfigured in that way then it will see datagrams dropped at sequential destination ports in that range.
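    The port arithmetic in the answer above can be turned into a log check that tells a completed trace (three probes, then the ICMP unreachable stops it) from a trace that ran out to TTL 30 because the destination silently drops UDP, and both from a scanner hitting the same range. This is an added example, not code from the FAQ or from Check Point; the record layout (src_ip, src_port, dst_ip, dst_port) and the sample flows are constructed.

```python
"""Classify UDP datagrams aimed at the UNIX traceroute port range (33434-33523).

Added example, not part of the original FAQ. Records are constructed tuples
(src_ip, src_port, dst_ip, dst_port); that layout is an assumption, not a
Check Point log format."""
from collections import defaultdict

BASE_PORT = 33434        # default first destination port used by traceroute
PROBES_PER_HOP = 3       # default probes sent at each TTL
MAX_TTL = 30             # default maximum TTL
LAST_PORT = BASE_PORT + PROBES_PER_HOP * MAX_TTL - 1   # 33523


def classify_flows(records):
    """Group datagrams by (src_ip, dst_ip) and label each flow.

    Returns {(src_ip, dst_ip): (label, probes_seen, hop_reached)}; hop_reached
    is the TTL at which probes first reached us, recovered from the lowest port."""
    flows = defaultdict(list)
    for src_ip, _src_port, dst_ip, dst_port in records:
        flows[(src_ip, dst_ip)].append(dst_port)

    labels = {}
    for key, dports in flows.items():
        dports = sorted(dports)
        if any(p < BASE_PORT or p > LAST_PORT for p in dports):
            labels[key] = ("udp scan (ports outside traceroute range)", len(dports), 0)
            continue
        # Traceroute sends one datagram per destination port, incrementing by
        # one each time; repeats or gaps point to a scanner instead.
        if dports != list(range(dports[0], dports[0] + len(dports))):
            labels[key] = ("udp scan (non-sequential probes in range)", len(dports), 0)
            continue
        hop = (dports[0] - BASE_PORT) // PROBES_PER_HOP + 1
        if len(dports) <= PROBES_PER_HOP:
            # Destination answered ICMP port unreachable, so the tracer stopped.
            label = "traceroute completed"
        elif dports[-1] == LAST_PORT:
            # No unreachable reply ever came back and the tracer ran to TTL 30:
            # the destination drops UDP silently instead of refusing it.
            label = "traceroute ran to max TTL (destination drops UDP silently)"
        else:
            label = "traceroute in progress or partially logged"
        labels[key] = (label, len(dports), hop)
    return labels


# Constructed sample: a trace that reached us at hop 3, the FAQ's
# router-to-firewall case (adjacent hop, all 90 probes), and a scanner.
SAMPLE = (
    [("10.0.0.1", 32857, "192.0.2.10", BASE_PORT + p) for p in range(6, 9)]
    + [("10.0.0.2", 1024 + i, "192.0.2.1", BASE_PORT + i) for i in range(90)]
    + [("10.0.0.3", 60000, "192.0.2.10", p) for p in (33434, 33434, 33500)]
)

if __name__ == "__main__":
    for flow, verdict in classify_flows(SAMPLE).items():
        print(flow, verdict)
```

    A firewall that rejects UDP in this range with ICMP port unreachable will log at most three probes per trace; seeing the full run to 33523 is the "drop instead of refuse" misconfiguration the answer describes.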

    38293 udp   Used by Norton AntiVirus (NAV) Corporate Edition to report back to the central NAV server.
    41508   Port 41508 is used by InocuLAN client looking for updates. (InocuLAN is antivirus software.) Maybe someone has misconfigured their NT or '95 boxes.
    54320 / 54321   Back Orifice 2K
    65000 tcp   Stacheldraht DDoS: communication between clients, handlers and agents.

    IP protocols can also bring some trouble. Below you will find some explanation.

    IP protocol   Comment
    54   IP protocol 54 is the NBMA Next Hop Resolution Protocol. This protocol is used to find out the shortest way between two points and is used by some routing protocol; I am not sure which, maybe OSPF or something similar.

    I've noticed some interspersed with some address scans originating from a compromised system located at a German university, so I started blocking them after reading the RFC. If you're a leaf node, they have no value; if you're a middle-level ISP, perhaps, but I'd have to be convinced. BGP4 doesn't use it, I doubt seriously if OSPF does, and I don't run a "nonbroadcast network", so I'm skeptical of its value.

    However, it did wake me up to just allowing TCP, UDP, ICMP (minimal) and not all the other IP protocols.

    From the RFC (RFC 1735, December 1994):

    This document describes the NBMA Address Resolution Protocol (NARP). NARP can be used by a source terminal (host or router) connected to a Non-Broadcast, Multi-Access link layer (NBMA) network to find out the NBMA addresses of a destination terminal provided that the destination terminal is connected to the same NBMA network. Although this document focuses on NARP in the context of IP, the technique is applicable to other network layer protocols as well. This RFC is a product of the Routing over Large Clouds Working Group of the IETF.

    1. Introduction

    The NBMA Address Resolution Protocol (NARP) allows a source terminal (a host or router), wishing to communicate over a Non-Broadcast, Multi-Access link layer (NBMA) network, to find out the NBMA addresses of a destination terminal if the destination terminal is connected to the same NBMA network as the source.

    Q. What should a person do if you find someone scanning your ports on the firewall? I contacted the company that was doing it, and they investigated, and said that it was not them. They thought someone was "spoofing" the IP......

    A.
    It is possible that someone is spoofing their IP address, but this would require that the attacker have connectivity to the real system at the spoofed address while he was scanning you. In other words, if it did not come from them then they should have log entries identifying who was monitoring their system at the time. If they cannot produce these logs, chances are they do not have the data to accurately tell you that the attack did not come from them in the first place. It could also be that they have had a system penetrated/trojaned and they do not even know it.

    In either case, they are part of the problem. I would cc all correspondence with them to "abuse@their_isp" and see if that gets a reaction out of them. Most legit organizations do not want their ISP thinking they are up to something funny.

    Install the Deception ToolKit (http://all.net/contents/dtk.html) or BackOfficer Friendly (http://www.nfr.net/bof/) and watch them try, learn their tricks and protect yourself.


    Credits go to:

    Dean Ethier, Greg Polanski, Dave Long, Pitipong Akarachantachote, jsdietz@uswest.com and all those from the FW-1 mailing list

    Author information.
    Copyright © [Telecom and Logistics Associates Sàrl]. All rights reserved.
    Revised: January 19, 2007.