Check Point
After few requests I received from a colleague of mine I would like to upload a brief guide on the basic use configuration and troubleshooting of a Check Point firewall.
So let's start from the beginning, most of the configuration is done via the GUI client of the FW, the Smart Dashboard, to use it we just use our Login credentials and the IP of the "Management" server ( the device responsible of managing the actual Gateways – firewalls).
As soon as we enter the first thing we see is the Policy, like most firewall's out there here we'll find most of the "rules" we wish to apply on our network, by default we get a Firewall with one purpose in life – block all traffic, at this point we need to change that and add Rules that will pass some traffic ( by the Security policy of our organization ) and off course block all other.
For example – we wish to allow web access from one host in our network to any destination out there.
To create the new rule use the Rules > Add Rule > TOP
Lets hang here for a moment, The position of the rule in the policy is very important, the firewall will look at the rules top to bottom till the first match, so if we position a rule in the wrong order we may not get the desired result.
After we create the rule, we get one that says "any source with any destination on any service/port gets dropped"
To change it simply click each section and change to the desired content, in our case we click the source the new (for new host) and put a name and IP for the host we wish to allow the web access, when we click OK the rule will become
"New Host to any destination on any service/port get dropped".
Now let's add one more Object, the Service, click on the service section and add the HTTP and click the Action and change to Accept.
Now we have the following rule: "from New Host to any destination on TCP Port 80 Pass" .
So basically at the moment we have 2 rules at the moment – one that allows "New Host" to use HTTP to any destination and another to block any other traffic.
Now we'll assume "New Host" is a PC in Our LAN network, and it has a privet IP, for example 192.168.0.1
As we all know a privet IP can't be router along the internet and we have to add NAT (make the firewall hide the IP for the sake of web browsing).
So we need to create a NAT statement for this type of traffic, to do so – use the NAT section.
A big surprise – another Policy page, use it same as the Firewall policy, create a new rule (remember the position is very important)
change the original source to contain our "New Host" to match our traffic, the service to HTTP and the Translated source to any Host that has Routable IP.
So that the new NAT rule will say "look for any HTTP packet with the source of New Host and change the source IP to Routable IP"
So now New Host can browse the internet, but let's say that after a few hours we saw that the user is overloading the internet line and we decided to limit the browsing a bit and block the access to youtube.com and block all Facebook application (only allow the site itself)
To do so, get to the " Application & URL filtering" section, add our gateway here (to allow thin on our Gateway) and navigate to Applications/Sites, here we'll create a new group, name it, and click add, now add all content we wish to block, in our case search for "facebook" and select everything, for Youtube we need to create a site so New > Site and add "youtube.com" and "*.youtube.com"
Now to the Policy, in here we also create a new rule, Source will be our host (New Host) destination will be the Internet, application will be both application we just created, and of course action will be Block.
To ensure allowing all other sites, create another rule to allow everything from New Host to the internet.
This should cover some of the basic configuration on the Check Point Firewall.
Checkpoint Site to Site VPN
The
second part of the tunnel, the Checkpoint NGX, a bit more things to do compared
to the Forti, but again very simple stuff.
First
create a network object to represent the internal network of the Forti , than
an interoperable device to represent the Forti gateway and add the object as
its encryption domain
Now creating
the community – the settings for the tunnel, very straight forward, choose a
name then add both the local firewall and the forti object (Just created)
Choose
the encryption and authentication algorithms (make sure to use same settings as
the other peer)
Enable
shared secret and set correct secret on the peer
And last
one for the community, set the DH groups and key life times, again must be same
as the other peer
One to
allow IKE from and to the peer and another is the actual traffic inside the
tunnel
Some
firewalls can only work with aggressive mode in case of problems suggest to try
using it instead of the main mode.
Check Point Commands
ia commands can be found here.
CP, FW & FWM
| cphaprob stat | List cluster status |
| cphaprob -a if | List status of interfaces |
| cphaprob syncstat | shows the sync status |
| cphaprob list | Shows a status in list form |
| cphastart/stop | Stops clustering on the specfic node |
| cp_conf sic | SIC stuff |
| cpconfig | config util |
| cplic print | prints the license |
| cprestart | Restarts all Check Point Services |
| cpstart | Starts all Check Point Services |
| cpstop | Stops all Check Point Services |
| cpstop -fwflag -proc | Stops all checkpoint Services but keeps policy active in kernel |
| cpwd_admin list | List checkpoint processes |
| cplic print | Print all the licensing information. |
| cpstat -f all polsrv | Show VPN Policy Server Stats |
| cpstat |
Shows the status of the firewall |
| fw tab -t sam_blocked_ips | Block IPS via SmartTracker |
| fw tab -t connections -s |
Show connection stats |
| fw tab -t connections -f | Show connections with IP instead of HEX |
| fw tab -t fwx_alloc -f | Show fwx_alloc with IP instead of HEX |
| fw tab -t peers_count -s | Shows VPN stats |
| fw tab -t userc_users -s | Shows VPN stats |
| fw checklic | Check license details |
| fw ctl get int [global kernel parameter] | Shows the current value of a global kernel parameter |
| fw ctl set int [global kernel parameter] [value] | Sets the current value of a global keneral parameter. Only Temp ; Cleared after reboot. |
| fw ctl arp | Shows arp table |
| fw ctl install | Install hosts internal interfaces |
| fw ctl ip_forwarding | Control IP forwarding |
| fw ctl pstat | System Resource stats |
| fw ctl uninstall | Uninstall hosts internal interfaces |
| fw exportlog .o | Export current log file to ascii file |
| fw fetch | Fetch security policy and install |
| fw fetch localhost | Installs (on gateway) the last installed policy. |
| fw hastat | Shows Cluster statistics |
| fw lichosts | Display protected hosts |
| fw log -f | Tail the current log file |
| fw log -s -e | Retrieve logs between times |
| fw logswitch | Rotate current log file |
| fw lslogs | Display remote machine log-file list |
| fw monitor | Packet sniffer |
| fw printlic -p | Print current Firewall modules |
| fw printlic | Print current license details |
| fw putkey | Install authenication key onto host |
| fw stat -l | Long stat list, shows which policies are installed |
| fw stat -s | Short stat list, shows which policies are installed |
| fw unloadlocal | Unload policy |
| fw ver -k | Returns version, patch info and Kernal info |
| fwstart | Starts the firewall |
| fwstop | Stop the firewall |
| fwm lock_admin -v | View locked admin accounts |
| fwm dbexport -f user.txt | used to export users , can also use dbimport |
| fwm_start | starts the management processes |
| fwm -p | Print a list of Admin users |
| fwm -a | Adds an Admin |
| fwm -r | Delete an administrator |
Provider 1
| mdsenv [cma name] | Sets the mds environment |
| mcd | Changes your directory to that of the environment. |
| mds_setup | To setup MDS Servers |
| mdsconfig | Alternative to cpconfig for MDS servers |
| mdsstat | To see the processes status |
| mdsstart_customer [cma name] | To start cma |
| mdsstop_customer [cma name] | To stop cma |
| cma_migrate | To migrate an Smart center server to CMA |
| cmamigrate_assist | If you dont want to go through the pain of tar/zip/ftp and if you wish to enable FTP on Smart center server |
VPN
| vpn tu | VPN utility, allows you to rekey vpn |
| vpn ipafile_check ipassignment.conf detail |
Verifies the ipassignment.conf file |
| dtps lic | show desktop policy license status |
| cpstat -f all polsrv | show status of the dtps |
| vpn shell /tunnels/delete/IKE/peer/[peer ip] | delete IKE SA |
| vpn shell /tunnels/delete/IPsec/peer/[peer ip] | delete Phase 2 SA |
| vpn shell /show/tunnels/ike/peer/[peer ip] | show IKE SA |
| vpn shell /show/tunnels/ipsec/peer/[peer ip] | show Phase 2 SA |
| vpn shell show interface detailed [VTI name] | show VTI detail |
Debugging
| fw ctl zdebug drop | shows dropped packets in realtime / gives reason for drop |
SPLAT Only
| router | Enters router mode for use on Secure Platform Pro for advanced routing options |
| patch add cd | Allows you to mount an iso and upgrade your checkpoint software (SPLAT Only) |
| backup | Allows you to preform a system operating system backup |
| restore | Allows you to restore your backup |
| snapshot | Performs a system backup which includes all Check Point binaries. Note : This issues a cpstop. |
VSX
| vsx get [vsys name/id] | get the current context |
| vsx set [vsys name/id] | set your context |
| fw -vs [vsys id] getifs | show the interfaces for a virtual device |
| fw vsx stat -l | shows a list of the virtual devices and installed policies |
| fw vsx stat -v | shows a list of the virtual devices and installed policies (verbose) |
| reset_gw | resets the gateway, clearing all previous virtual devices and settings. |
No comments:
Post a Comment