/var/log is full even after clearing the firewall logs on the management server (Checkpoint)


If you are a firewall administrator you might have faced this issue on various occasions.

When SmartView Monitor shows /var/log as full, log in to the CLI and check with the command df -k to confirm the space actually available.

Usually when /var/log is full the recommended steps are:

  • Remove unwanted backups in the CPbackup directory
  • Clear the unwanted files for database revision control
  • Remove any hotfix or tgz file uploaded for installation
  • Remove any cpinfo or zdebug logs on the server


That is about the maximum troubleshooting you can do according to the technical documentation available.
But sometimes you will not see any difference in disk space even after clearing them. So what could be the solution here?

To solve this, the first question I would ask you is:

Have you upgraded your firewall recently?

Most will reply "Yes".

If yes, then your job is easy. Go to the location /var/log/opt/cpsuite<older version number before upgrade>/fw1

When you check here you will find a ton of logs. Clear those and you are good to go.

Now check with SmartView Monitor and you will have a sufficient amount of space available on your Checkpoint management server.
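As an added example (not code from the original post), here is the check a practitioner would run before deleting anything: find which directories under /var/log actually hold the space, and which log files have not been touched for a long time. The script was written for this page; the directory names in the demo run are placeholders, the path of the old cpsuite directory is whatever your upgrade left behind, and nothing here deletes files.

```python
import os
import time
from pathlib import Path

def dir_sizes(root):
    """Map every directory under root to the total bytes of regular files
    beneath it (like `du -k` on one filesystem; symlinks are not followed)."""
    root = Path(root)
    sizes = {}
    for dirpath, dirnames, filenames in os.walk(root):
        total = 0
        for name in filenames:
            p = Path(dirpath) / name
            try:
                if not p.is_symlink():
                    total += p.stat().st_size
            except OSError:
                continue  # file vanished or is unreadable; skip it
        sizes[Path(dirpath)] = total
    # Add each directory's total to its parent, deepest directories first,
    # so every entry ends up holding the size of its whole subtree.
    for d in sorted(sizes, key=lambda p: len(p.parts), reverse=True):
        if d != root and d.parent in sizes:
            sizes[d.parent] += sizes[d]
    return sizes

def largest_dirs(root, n=5):
    """The n biggest subtrees under root, largest first, as (path, bytes)."""
    return sorted(dir_sizes(root).items(), key=lambda kv: kv[1], reverse=True)[:n]

def stale_files(root, days, now=None):
    """Regular files under root not modified for more than `days` days,
    largest first, as (path, bytes). Nothing is deleted; review the list first."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    found = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            try:
                st = p.stat()
            except OSError:
                continue
            if not p.is_symlink() and st.st_mtime < cutoff:
                found.append((p, st.st_size))
    return sorted(found, key=lambda t: t[1], reverse=True)

if __name__ == "__main__":
    # On a management server you would point this at /var/log and then look
    # under /var/log/opt for the cpsuite directory of the version you upgraded from.
    for path, size in largest_dirs("/var/log", 10):
        print(f"{size / 1024:>12.0f} KB  {path}")
    for path, size in stale_files("/var/log", 30)[:10]:
        print(f"{size / 1024:>12.0f} KB  {path}  (older than 30 days)")
```

Run it as root so every directory is readable; the stale-file list is the one to compare against the old cpsuite path before you clear anything.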






Checkpoint ebook for beginners - CCSE R75 Session-01


As a beginner I would like you to be clear on the few concepts explained below.

I have seen people with device experience who are not good at these concepts. So read carefully.

SVN – Secure Virtual Network Architecture:

SVN allows us to configure and manage various components from a common point. Consider that you create a new policy: SVN helps us apply it throughout the organization and maintain uniformity.
SVN helps us maintain the security of four kinds of components in your organization: networks, hosts, users and applications.


Three tier Architecture:

Checkpoint works with a three tier architecture comprising the components below:

Smart Client – with which you create policies
Smart Server – where the policies are stored
Enforcement Modules – where the security rules are applied

With this three tier architecture we keep administration, management and enforcement as separate entities.

Once we are clear with these we can move on to the session where you will learn the exact functionalities of the above components.




Checkpoint - Introduction to Checkpoint CCSE R75 certification

Checkpoint is the word that can make you feel secured from all kinds of network threats.

Yes, I would proudly say I am a very big fan of Checkpoint, who holds its certification and is happy to work with that technology.

When you are a network or Windows person who is more interested in security, I would strongly recommend Checkpoint because they are the leader in the security market.

Now every company owns a Checkpoint device with the latest version of OS running on it.
So I am sure you will get a job easily in the security industry if you learn Checkpoint. (Because that's the way I got my job :) )

So it is good to get the latest Checkpoint certification, CCSE R75.

When I think about the title of my blog (Make it simple) the first thing that strikes my mind is Checkpoint.

Checkpoint brought a revolution to firewall products by:
• providing the best GUI (anyone can create firewall rules)
• providing various products like SmartView Monitor, SmartView Tracker, SmartUpdate etc. which let you complete your task in a few minutes.

What is interesting?

Lots of stuff is interesting about Checkpoint. But I would like to give you the most exceptional one, which is not available with any other product.

Every service provider who manages the infrastructure of a company will have a tool where you create a CR (change request) and assign it for approval. Firewall rules or any other change will be implemented only once the CR is approved.

You might be aware of this task if you are in the infrastructure industry. OMG!! It's really hectic.
Even this was made easy by Checkpoint with SmartWorkflow, where you create a session and implement it once it is approved.
In this post I have just mentioned a few points that I like the most about Checkpoint, but there is a lot more.

This post is a kind of introduction to my Checkpoint tutorial and advanced troubleshooting, which will be presented in my upcoming posts.

Guys! Let us start our journey towards CCSE R75.




How does ping work with machines in a different subnet?


As stated earlier, a packet will be created like the below:

Destination IP
Source IP
Data
Protocol field


Now when you ping from the source to the destination:

→ The ARP table is checked for the MAC address of the destination; it is not found there, so an ARP broadcast is sent out, and even then it is not found.

→ Now the ARP and IP protocols conclude that the destination is in a different subnet and start off with the next phase of work.

→ On a Windows machine, the registry is consulted and the default gateway IP address is found.

→ Now a request is sent out with the default gateway IP in the destination field, querying for its MAC address. If there is no response, an ARP broadcast is sent, after which the default gateway's MAC address is learnt.

→ The router's interface, which is the default gateway for the system, also stores the MAC address of source A in its cache. Now the router is aware of system A's MAC address and system A is aware of the router's interface (default gateway) MAC address.

→ Now system A knows where to send the packet next and hands the information to the data link layer, and the frame is in the following format:

Destination MAC (default gateway MAC)
Source MAC (system A's MAC address)
FCS (Frame Check Sequence) - to make sure that the integrity of the frame is not lost
EtherType field (used to find which protocol is encapsulated in the frame; here it is IP)


→ Now the system passes the frame down to the physical layer, where it is placed on the wire bit by bit, and it gains entry into the router.

→ Now the packet gains entry into the router via the default gateway interface.

→ Again the data link layer header is checked and torn open to take out the IP protocol details.

→ The destination IP is system B's IP.

→ Since the packet has gained entry into the router, the router has information about all the hosts in the subnet where system B lies.

→ Now the ARP cache of the router is checked for the MAC address of the destination IP. It is either found there, or an ARP broadcast is sent which reaches all the hosts in that subnet.

→ The host whose MAC address belongs to that IP responds, and thus connectivity from system A to system B is established.

→ But this is not the end; the same process is repeated for the return packet as well.

→ I think you should now recollect the three types of responses you receive when you ping a machine. If connectivity from system A to system B alone is established, think about what message you would receive.

"Request timed out" is the right answer, as you thought.

What happens while pinging a destination on the same subnet


Hello Everyone,

Once I tried to find this information online but couldn't find exactly what I wanted.

So I have decided to give this information to you in very simple terms with more technical detail.

When you type ping <ip address>, the IP protocol creates a packet like the below:

Destination IP
Source IP
Data
Protocol field


You must be wondering why this protocol field is here; that's not a bad question to ask.

The protocol field carries the protocol which the destination should use to process the packet according to the request. In this case it is ICMP; ping works on ICMP.

The value of the protocol field is a hexadecimal number (written with a 0x prefix) that indicates ICMP.

Now ARP (Address Resolution Protocol) starts its job. Every system maintains an ARP table. ARP is nothing but a protocol which helps look up the MAC address of a given IP.


Since both the source and destination are in the same subnet, i.e. there is no layer 3 device in between to do the routing, ARP checks its cache to look up the MAC address of the IP mentioned in the destination field. If it is not in the cache, an ARP broadcast is sent out (to ff:ff:ff:ff:ff:ff).


Whether the entry is found in the ARP table or learnt via the broadcast (the recipient replies with its MAC address and the ARP table gets populated), the packet then gets delivered to the destination.

A basic question here: how does the system tell whether the destination lies in the same subnet or a different one?

If "subnet mask" is your answer, then you are absolutely right.
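The two ping posts above (same subnet and different subnet) describe one decision: the subnet mask decides whether ARP resolves the destination itself or the default gateway, and the ARP cache decides whether a broadcast is needed. The following simulation is an added example written for this page, not code from the original posts. The LAN (`SEGMENT`), the hosts, their MAC addresses and the `Host` class are all constructed; the protocol number 1 for ICMP and EtherType 0x0800 for IPv4 are the real values those fields carry.

```python
import ipaddress

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
IPPROTO_ICMP = 1         # IANA protocol number for ICMP (0x01): the "protocol field" for ping
ETHERTYPE_IPV4 = 0x0800  # EtherType value meaning "an IP packet is inside this frame"

def build_ping_packet(src_ip, dst_ip, data=b"abcdefghijklmnop"):
    """The IP packet fields the posts list for a ping (constructed, not captured)."""
    return {"dst_ip": dst_ip, "src_ip": src_ip, "data": data, "protocol": IPPROTO_ICMP}

def same_subnet(src_ip, mask, dst_ip):
    """The subnet-mask test: is dst_ip inside the network that src_ip/mask defines?"""
    net = ipaddress.ip_network(f"{src_ip}/{mask}", strict=False)
    return ipaddress.ip_address(dst_ip) in net

def next_hop(src_ip, mask, dst_ip, gateway):
    """Whose MAC address ARP must resolve: the destination itself, or the default gateway."""
    return dst_ip if same_subnet(src_ip, mask, dst_ip) else gateway

class Host:
    """A host with an ARP cache. `segment` is a constructed IP -> MAC map of every
    machine on the local wire; it stands in for whoever would answer an ARP broadcast."""

    def __init__(self, ip, mask, gateway, segment):
        self.ip, self.mask, self.gateway, self.segment = ip, mask, gateway, segment
        self.arp_cache = {}

    def resolve(self, ip):
        """Return (mac, how); how is 'cache', 'broadcast' or 'unresolved'."""
        if ip in self.arp_cache:
            return self.arp_cache[ip], "cache"
        # Not cached: send an ARP request to ff:ff:ff:ff:ff:ff. Only a machine on
        # this segment can answer, so an off-subnet IP never resolves here.
        mac = self.segment.get(ip)
        if mac is None:
            return None, "unresolved"
        self.arp_cache[ip] = mac  # the reply populates the ARP table
        return mac, "broadcast"

    def frame_for(self, dst_ip):
        """Build the layer 2 frame for a ping to dst_ip: (frame or None, next hop IP, how)."""
        hop = next_hop(self.ip, self.mask, dst_ip, self.gateway)
        mac, how = self.resolve(hop)
        if mac is None:
            return None, hop, how
        frame = {
            "dst_mac": mac,                    # destination MAC: the peer or the default gateway
            "src_mac": self.segment[self.ip],  # this host's own MAC
            "ethertype": ETHERTYPE_IPV4,
            "payload": build_ping_packet(self.ip, dst_ip),
        }
        return frame, hop, how

# Constructed sample LAN: system A, system B and the router's inside interface.
SEGMENT = {
    "192.168.1.10": "00:11:22:aa:aa:aa",  # system A
    "192.168.1.20": "00:11:22:bb:bb:bb",  # system B, same subnet as A
    "192.168.1.1":  "00:11:22:01:01:01",  # router interface = default gateway
}

if __name__ == "__main__":
    a = Host("192.168.1.10", "255.255.255.0", "192.168.1.1", SEGMENT)
    for dst in ("192.168.1.20", "192.168.1.20", "10.0.0.5", "192.168.1.99"):
        frame, hop, how = a.frame_for(dst)
        mac = frame["dst_mac"] if frame else None
        print(f"ping {dst}: next hop {hop}, MAC {mac} ({how})")
```

The demo run shows the four cases in order: a same-subnet peer resolved by broadcast, the same peer answered from the cache on the second ping, an off-subnet destination whose frame is addressed to the gateway's MAC, and an IP nobody on the wire owns, which stays unresolved.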

Basic analysis and troubleshooting of the internet with the PING operation



Nowadays we can't imagine the impact when your internet browser says "Internet Explorer cannot display the webpage".

So it is always good to know the basic troubleshooting to identify the problem and resolve it.

When you are ready for troubleshooting, you should know the command "PING".

What is Ping?

Ping has become very common and there cannot be many people who do not know the meaning of this wonderful word.

PING stands for Packet InterNet Groper.

You want to check if there is connectivity to some destination. Ping makes your job very simple.

All you have to do is:

Open up the command prompt in the case of Windows, or the Terminal in the case of Mac, and type

ping 89.69.69.6 (the IP you want to check)

Tada.. you get one of three types of responses:

1. Reply from 89.69.69.6 (meaning there is reachability from your machine to the destination)

2. Destination host unreachable (there are no routes configured for the destination and there is absolutely no connectivity)

3. Request timed out (meaning you are able to reach the destination, but there is an issue with the reverse path, i.e. from the destination to your machine, and hence connectivity is not completely established)
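As an added example (not part of the original post), here is a small parser that sorts a ping transcript into the three response types listed above and computes the loss and average round-trip time, which is what you would do when reviewing ping output pasted into a ticket. The line patterns follow the Windows ping output format; the transcript in `SAMPLE` is constructed for this page, not a real capture.

```python
import re

# Windows-style ping output lines, one pattern per response type the post lists.
REPLY = re.compile(r"^Reply from (?P<ip>[\d.]+): bytes=\d+ time[=<](?P<ms>\d+)ms TTL=\d+$")
UNREACHABLE = re.compile(r"^(?:Reply from [\d.]+: )?Destination (?:host|net) unreachable\.$")
TIMEOUT = re.compile(r"^Request timed out\.$")

def classify_line(line):
    """Map one output line to ('reply', rtt_ms), ('unreachable', None),
    ('timeout', None), or None for lines that are not a response."""
    line = line.strip()
    m = REPLY.match(line)
    if m:
        return "reply", int(m.group("ms"))
    if UNREACHABLE.match(line):
        return "unreachable", None
    if TIMEOUT.match(line):
        return "timeout", None
    return None

def summarize(output):
    """Count the response types in a ping transcript and compute loss and average RTT."""
    counts = {"reply": 0, "unreachable": 0, "timeout": 0}
    rtts = []
    for line in output.splitlines():
        kind = classify_line(line)
        if kind is None:
            continue  # banner, blank and statistics lines are skipped
        counts[kind[0]] += 1
        if kind[0] == "reply":
            rtts.append(kind[1])
    sent = sum(counts.values())
    loss_pct = 0.0 if sent == 0 else 100.0 * (sent - counts["reply"]) / sent
    avg_rtt = None if not rtts else sum(rtts) / len(rtts)
    if sent == 0:
        verdict = "no responses parsed"
    elif counts["reply"] == sent:
        verdict = "destination reachable: not a network issue"
    elif counts["unreachable"]:
        verdict = "destination unreachable: no route to the destination"
    elif counts["reply"] == 0:
        verdict = "all requests timed out: no complete round trip"
    else:
        verdict = "partial loss: intermittent connectivity"
    return {"sent": sent, **counts, "loss_pct": loss_pct, "avg_rtt_ms": avg_rtt, "verdict": verdict}

# Constructed sample transcript (not a real capture).
SAMPLE = """\
Pinging 89.69.69.6 with 32 bytes of data:
Reply from 89.69.69.6: bytes=32 time=14ms TTL=54
Reply from 89.69.69.6: bytes=32 time=16ms TTL=54
Request timed out.
Reply from 89.69.69.6: bytes=32 time=15ms TTL=54

Ping statistics for 89.69.69.6:
    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
"""

if __name__ == "__main__":
    print(summarize(SAMPLE))
```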

So finally, when you get a reply we can conclude that it is not a network issue.

The problem could be with your browser, antivirus, or a virus infection.

The solution could be one of the below:

1. Reset your browser.

2. Run a scan with your antivirus.

3. My personal experience is to download Malwarebytes and run it (if it is affected by a virus).

Now we understand the importance of the ping operation.

To make it more interesting and useful for lovers of technology, I will explain ping within the same subnet and across different subnets in my next blog.

To read more on ping you can refer to Wiki.

Checkpoint Mobile for Android configuration in Mobile Access blade


Mobile Access blade is a wonderful feature from Checkpoint that can be used for SSL VPN and for handheld devices like Androids/iPhones.

As we know, Mobile Access blade SSL VPN has a wide variety of features along with security controls like compliance checks etc.

Handheld device support is "bring your office to you at one touch".

When you use the Checkpoint Mobile app, it initially requires a site name, which could be the IP address where your VPN terminates.

Then you need to provide an activation key, which must be provided by the gateway administrator.

How to generate an activation key for Androids?

• Go to Users in SmartDashboard.

• Right click the user <username> and choose Edit.

• Go to Certificates and choose New.

• Now choose Certificates, then select Registration Key.

This registration key will be your activation key for Checkpoint Mobile.

But make sure you enroll within 14 days or it will expire.

To read more on Checkpoint products refer to the Checkpoint website.
 

Unable to boot from USB in Connectra.

You would have read my previous blog about the problems in booting up Connectra from USB.
Now I want to share the solution which finally resolved the problem.
Here the size of the USB matters: we face a problem if the USB size is more than 4GB.
Ensure the USB drive is 2 or 4 GB, which should be perfectly fine, or try with a CDROM.

Smart View monitor - Gateway (firewall) object shows as problem

Hello Everyone,

As a Checkpoint administrator most of you have seen the problem where the Checkpoint Connectra or gateway shows as "problem" in SmartView Monitor.

But while we search for a solution we will really have a hard time.

So why does this need to be resolved at the earliest?

When I faced this problem one of my managers used a phrase to define the situation:

"Sleeping with a snake"

That's true! Anything may happen at any time.

What if the active one goes down?

Will the failover happen properly?

Now I know you understood the seriousness of this issue. Good! So what's the solution for this?

Troubleshoot - SmartView Monitor shows gateway or Connectra problem

As a first step check the physical connectivity and ensure all the cables are connected properly. (It's always good to start with the basics :) )

Then try pushing the policy. (It might get resolved here.)

Now get into the device command line.

1. Log in to expert mode.

2. Type the command cphaprob stat. You will see output similar to the below:

Number     Unique Address              Assigned Load   State

1          <IP address of active>      100%            Active
2 (local)  <IP address of standby>     0%              Standby

Ok, this is to confirm which gateway is active now.

3. Run the command "cphaprob list".

The output shows the built-in devices, the registered devices and their status, for example:
Device Name: Interface Active Check
Current state: OK
Usually this device is the one reporting a problem, so we can conclude it is related to the interfaces.

4. Finally run "cphaprob -a if".

We should notice that the two cluster members differ on the number of required interfaces, and one of the interfaces may show "disconnected".


Resolution - SmartView Monitor shows gateway or Connectra problem

Ok, finally we found the problem: it is the interface which shows as disconnected.
1. Check whether a cable that should be connected is missing.
2. If not, look for the file $FWDIR/conf/discntd.if on both gateways, or create it if it does not exist.
3. In it, type the name of the interface that is not used (the interface in the disconnected state).
4. Then reboot the cluster members one by one.

Open your SmartView Monitor now:
Both cluster members should be in the state "OK".
Verify the ClusterXL state, which should be perfectly fine.
Run "cphaprob stat" again. Now you can tell the happy news to your boss :)
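As an added example (not from the original post), here is a parser for the member table that `cphaprob stat` prints, in the layout shown in step 2 above, together with the sanity checks you would apply to it after the reboot: exactly one Active member, every member in Active or Standby, the load adding up to 100% and the local member present. The sample outputs are constructed with placeholder addresses; the regex assumes the column layout shown on this page and ignores any other lines the real command prints.

```python
import re

# One member row of the table `cphaprob stat` prints, in the layout the post shows:
#   Number  Unique Address  Assigned Load  State
MEMBER_LINE = re.compile(
    r"^\s*(?P<number>\d+)\s*(?P<local>\(local\))?\s+(?P<address>\S+)\s+(?P<load>\d+)%\s+(?P<state>\S+)\s*$"
)

def parse_cphaprob_stat(text):
    """Return one dict per cluster member found in the output; other lines are ignored."""
    members = []
    for line in text.splitlines():
        m = MEMBER_LINE.match(line)
        if m:
            members.append({
                "number": int(m.group("number")),
                "local": m.group("local") is not None,
                "address": m.group("address"),
                "load": int(m.group("load")),
                "state": m.group("state"),
            })
    return members

def check_cluster(members):
    """List the conditions that make a High Availability cluster look wrong; empty means OK."""
    if not members:
        return ["no cluster members parsed"]
    problems = []
    active = [m for m in members if m["state"] == "Active"]
    if len(active) != 1:
        problems.append(f"expected exactly one Active member, found {len(active)}")
    for m in members:
        if m["state"] not in ("Active", "Standby"):
            problems.append(f"member {m['number']} ({m['address']}) is in state {m['state']}")
    if sum(m["load"] for m in members) != 100:
        problems.append("assigned load does not add up to 100%")
    if not any(m["local"] for m in members):
        problems.append("the member you are logged in to does not appear in the table")
    return problems

# Constructed sample outputs with placeholder addresses (not from a real gateway).
HEALTHY = """\
Number     Unique Address   Assigned Load   State
1          10.1.1.1         100%            Active
2 (local)  10.1.1.2         0%              Standby
"""
BROKEN = """\
Number     Unique Address   Assigned Load   State
1          10.1.1.1         100%            Active
2 (local)  10.1.1.2         0%              Down
"""

if __name__ == "__main__":
    for label, text in (("healthy", HEALTHY), ("broken", BROKEN)):
        print(label, check_cluster(parse_cphaprob_stat(text)) or ["OK"])
```

On a real gateway you would feed it the command's output (for example `subprocess.run(["cphaprob", "stat"], capture_output=True, text=True).stdout`) from expert mode; the checks are deliberately conservative so that anything other than one Active plus Standby members is reported.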

Country with the fastest and cheapest internet


Do you know which country enjoys the fastest and cheapest internet?

Any guess?

US, UK, Canada or some European country? Absolutely not.

Hong Kong has the best internet speed, 49.2 Mbps. They achieve this with "Fiber To The Home" technology.

So what about the bigger and stronger countries like the US and India?

The United States holds the 11th rank with 27.1 Mbps and India holds the 116th position with 6.9 Mbps.

Let's hope to get more speed in the future!!

Check this for more info:

http://www.siliconindia.com/news/technology/10-Countries-With-Best-Internet-Speed-In-The-World-nid-133791-cid-2.html

Types of Firewall - Technology

Packet Filter Firewall:
It is the least secure type due to its lack of broader intelligence.
Works at layer 3 of the OSI model.
Filtering is decided based on source IP, destination IP, source port, destination port and protocol.
It does not have the ability to ask "is this really an SMTP packet?"
Drawback: less secure.

Application firewall:
As the name states, it works at layer 7. It stays as a middleman and protects the network.
To make it more clear: let's consider you are trying to access google.com. The request comes to the firewall and it proxies the connection.
Drawback: very slow and high overhead.

Stateful inspection:
Maintains a state table and ensures deeper inspection of the packet.
Stateful inspection was developed and patented by Checkpoint.
So whenever a connection comes to the firewall, it maintains a state table and adds an entry about the connection.
Based on this the packet is inspected and the filtering decision is made.
Stateful inspection protects the network from various external attacks like IP spoofing etc.
So let's consider port 80 is open for internet access. Then there is a chance that anyone can send anything via that port.
OMG!! Then what's the solution for it?
Stateful inspection is the savior. Even the name looks so promising, right!
So when a user in the internal network initiates the traffic, it adds a state table entry. With reference to the state table it allows the return traffic.
Ok. I think we have all come to the conclusion that stateful inspection is the best technology, which can completely protect from attacks.
If so then I am sorry, gentlemen, it is wrong.
Did we think about Trojans and malware, which can do a lot of harm to you?
Then there is another technology which comes into the picture here: Deep Packet Inspection (DPI).
DPI can inspect the data part of the packet and take decisions based on the content of the packet.
DPI combines signature-matching technology with analysis of the data in order to determine the impact of a data stream.
So will DPI protect the network completely?
The answer is "NO" :)
Nothing is safe, because black is stronger than white (hat or color).
Ok guys. Soon we will get deep into the various firewall products available.
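As an added example (not code from the original post), the "port 80 is open" scenario above as a simulation: a stateless packet filter that has to permit any inbound packet "from port 80" so that web replies get back in, beside a stateful firewall that records the connections the inside initiated and admits only the matching return traffic. The `Packet` class, both firewall classes and the three sample packets are constructed for this page; the addresses come from the documentation ranges.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str       # "tcp" or "udp"
    direction: str   # "out" = internal -> internet, "in" = internet -> internal

class PacketFilter:
    """Stateless filter. To let web replies back in, it must permit any inbound
    packet whose source port is an allowed service port, which is exactly the hole
    the post describes: anyone can send anything 'from port 80'."""
    def __init__(self, service_ports):
        self.ports = set(service_ports)

    def decide(self, pkt):
        if pkt.proto != "tcp":
            return "drop"
        if pkt.direction == "out" and pkt.dst_port in self.ports:
            return "allow"
        if pkt.direction == "in" and pkt.src_port in self.ports:
            return "allow"
        return "drop"

class StatefulFirewall:
    """Allows outbound connections to the service ports and records each one in a
    state table; an inbound packet is allowed only when it matches a recorded
    connection with the addresses and ports swapped."""
    def __init__(self, service_ports):
        self.ports = set(service_ports)
        self.state = set()  # 5-tuples of connections the inside initiated

    def decide(self, pkt):
        if pkt.proto != "tcp":
            return "drop"
        if pkt.direction == "out":
            if pkt.dst_port in self.ports:
                self.state.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto))
                return "allow"
            return "drop"
        # inbound: swap the endpoints and look the connection up in the state table
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        return "allow" if reverse in self.state else "drop"

# Constructed traffic using documentation address ranges.
REQUEST = Packet("10.0.0.5", 40000, "203.0.113.10", 80, "tcp", "out")  # user opens a web page
REPLY   = Packet("203.0.113.10", 80, "10.0.0.5", 40000, "tcp", "in")   # the web server answers
ROGUE   = Packet("198.51.100.7", 80, "10.0.0.5", 445, "tcp", "in")     # unsolicited, "from port 80"

def run_scenario(fw):
    """Feed the three packets through a firewall and return its decisions in order."""
    return [fw.decide(REQUEST), fw.decide(REPLY), fw.decide(ROGUE)]

if __name__ == "__main__":
    print("packet filter:", run_scenario(PacketFilter({80})))
    print("stateful     :", run_scenario(StatefulFirewall({80})))
```

The packet filter returns allow for all three packets, including the unsolicited one; the stateful firewall allows the request and its reply and drops the rogue packet, and it also drops a "reply" that arrives before any matching outbound connection exists. Neither looks at the data part of the packet, which is the gap the post goes on to describe for DPI.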

Sophos Endpoint Security icon does not appear in the taskbar

Hi Everyone,
Now it's time for AV :)
I would like to give you some tips on Sophos antivirus, which is very light and perfect for corporate users.
I have seen people struggling to bring the Sophos Endpoint Security icon into the taskbar. This is needed to fetch updates and to view the update status.
Most of them spend time searching for a Windows option to get it done.
Fix:
Go to the drive where Sophos is installed and search for the executable named "ALMon.exe" in the AutoUpdate folder.
Run it. Now you can find the icon in the taskbar.
You are good to go.
For more information you can also refer to Sophos.

Connectra to Mobile Access blade - Problems

Hi Everyone,
I would like to share my experience while upgrading a Checkpoint Connectra appliance to Mobile Access.
I hope providing this information helps everyone to have a clear vision of it.
Generally we can upgrade the Connectra in two ways:
1. Having them in a cluster and running the various migration packages (Checkpoint recommended)
2. The other way is breaking the cluster and performing a clean installation (I would only suggest this if you are a pro)
Fine, I am not a pro so I will go with the Checkpoint recommended style of upgrade. But the technical reference guide provided is too difficult for beginners to understand, so I would like to summarize it before I share my experience.
Steps to upgrade the Connectra (NGX R66) to a higher version, R71.x or R75.x:
1. Run the "Gateway migration package" to export the configuration. (This initially didn't work, and a modification had to be made on the backup file to make it run.)
2. Take a backup of certain files and then a full backup from the WebUI.
3. Then complete the installation of Checkpoint from CD or thumb drive (using the ISOmorphic tool).
4. Import the configuration of the old Connectra gateway using the restore file available in the same gateway migration package.
5. Then upgrade the Connectra object on the management server to a Mobile Access gateway object with the help of the "management migration tool".
6. Finally push the policy and complete the upgrade.
Sweet, so easy huh..
Yes, when you see this in theory it is easy, but when you want to deploy it then seriously we need to consider various factors.
It is completely new to Checkpoint, so even TAC struggles to provide the correct ISO image.
Lots of hurdles when I tried to boot from the USB drive.
This is really hard to complete without user impact, so plan it well before you perform it.
If you have any queries write to me.

Best Antivirus for computers

We all know that internet virus threats are consistently increasing, which takes the antivirus market to its peak.

How to choose the best antivirus?
• Fast scanning engine – how fast is the scanning engine of that product?
• Detection rate – what is the threat detection rate of the antivirus?
• Features in scanning – what types of scanning are available?
• How easy is it to use?

When you find the answers to the above then
Congratulations! You have chosen your best antivirus.
What are the best antiviruses available in the market?
McAfee – always with the best standards and easy to use.
Kaspersky – with the latest features and good to use.
Sophos – the lightest antivirus for the best performance.
Symantec – "King of antivirus"
Symantec is the best for corporate computers and for home users with a well-configured PC.
It has the most advanced features and scanning methods with a perfectly updated engine.
My vote is always for Symantec!

Firewall Basics

Let us start with the basics.
Why firewall?
Based on my first blog I am sure we know the answer to this.
To put it in one line: "It is required to keep our environment safe."
Ok, let's go deeper.
What is a Firewall?
It is a point at the perimeter where the incoming and outgoing packets are inspected, and dropped and logged if required.
At which layer does it work?
Generally, the answer is Layer 3 and Layer 4. But these days it can work up to the application layer.
Guys! To know more about the OSI layers refer to the wiki link http://en.wikipedia.org/wiki/OSI_model

Types of Firewall:
• Packet Filtering
• Application Layer Gateway
• Stateful Inspection firewall

Now I believe you understood the basic stuff about firewalls. I will explain the types and products in my upcoming blogs.








Network Security

Network Security - this is a common term we come across in our day-to-day internet experience.

Nowadays most IT companies come up with the latest technology to fulfill these network security needs.

We need to really think about the below before we access some private data:

Is my network secured?

Am I browsing safely with my personal computer?

What if my account is hacked?

What if my machine is affected by a virus?

What if my computer is affected by a Trojan? (More serious than a virus)

Is someone trying to steal my personal information?



When you think about these questions you understand the importance of network security. Network security can be ensured at various levels with different devices.

The basic well known device implemented at the perimeter level is the Firewall.

Firewalls have lots of the latest emerging technologies, which are documented in product data sheets and implementation guides.

I am sure that stuff is hard to understand. So I have taken on the task of bringing this technology to everyone in layman's language.

Once we understand that, we will keep moving forward to update our knowledge with advanced technologies and different products.


Come, let's dive into technology!!!