CheckPoint news and troubleshooting

(no subject)
middaysniper

Hello all.

Today I am going to talk about migrating to R75.

There are lots of manuals and documents on checkpoint.com and Checkpoint-oriented sites, but very few of them have what you may call real life behind them. My aim is to give a simple, single-project view, instead of the general, very high-level "big picture" typical for manuals and PDFs.
A sort of real-life case study – the experience most of us hope to have and dread to get into.
So this is what it was then:


Yours truly.
Feel free to provide comments and suggestions.


checkpoint/sofaware VPN glitching on me
koleno
Strange thing: access to the box (N200) is configured like this:
LAN: 192.168.1.0/24
VPN: 192.168.254.0/24
DMZ: 192.168.253.0/24

The user connects with the Check Point client, gets an address from .254.0 and pings 192.168.1.1 just fine (the router's "leg" in the LAN), but sees nothing at all behind it.
If you look in Status/Routes, .254.0 is not mentioned anywhere at all.
It is impossible to add a route in Networks, because "IP must be a pingable address in a connected network". At the same time it refuses to accept that same 192.168.1.1 or 192.168.254.1 as the next hop.

I am clearly missing something, but what exactly... I can't figure it out.

new sk
klepysik
ADSL Edge connects and after 1 minute disconnects from the ISP.

Solution ID: sk62028
Symptoms
The following error can appear: DefaultSimultaneousUse of 1 exceeded

Cause
The default gateway of the primary Edge Internet connection is 1.1.1.1. If the ISP (APNET IPs) also uses the same IP, 1.1.1.1, then the Edge will not be able to connect because of the resulting IP collision.

day by day CheckPoint support work.
klepysik
As you may know, CheckPoint support engineers create most of the SKs that are published in our SecureKnowledge database.
I think I will start to post here the local SKs that I create for public view.
Tell me if posting my SKs here is interesting to you.

This is my first one from today :)
sk62562
Symptoms
The pim protocol does not appear in the Protocol Type Filter field in SmartView Tracker.

Cause
By default the pim protocol is not added to the Protocol Type field in SVT.

Solution
Procedure:
In order to add this feature, the following procedure should be implemented.
1. Open GuiDBedit, go to Other -> log_field_client_type and choose field_type_ENUM_PROTOCOL.
2. Right-click translation_units in the field name -> add.
3. A new entry will then be added at the end of the list:
   set display_value - pim
   set icon_file_name - protocol_other
4. Press Save All and then exit GuiDBedit.
5. Perform cprestart on the management.

P.S. This change can be applied to any protocol that doesn't appear in SVT.

CCSE
klepysik
Yesterday I passed the CCSE R71 exam.
I would like to share information that will help you to prepare for the exam. First of all, 50% of the 109 exam questions are from the dumps that you can find in the self-study test on the Check Point site.
Questions from both the R70 and R71 dumps appear in the exam.

This exam is better than R65 and R70. There are more logical questions. There was a situation where I didn't know the answer and, based on logical explanation, was able to guess the answer.

These themes are included; below are a couple of examples of the questions.
- Data Loss Prevention - DLP. How it works, in which protocols checks are performed, and how to configure DLP for specific files or words.
- Management Portal - Logical questions about permissions for administrators.
- SmartWorkflow
- SmartProvisioning - Statuses, which configurations may be pushed together for Edge and UTM.
- SSL Portal-Based VPN (Connectra) - Authentication methods for internal and external users, statuses, in which network exactly the encrypted traffic itself passes.
- Traffic Acceleration (SecureXL & CoreXL) - How many cores are supported, and basic acceleration CLI commands for viewing and analyzing SecureXL work.
- Management High Availability - How synchronization works and how it works in the case of fail-over.
- ClusterXL (Firewall Clustering) - Knowledge of CCP: what port and how it sends the packets (unicast or broadcast); knowledge of how each mode works: HA legacy and new modes, LS multicast and unicast.
- Advanced Networking - Dynamic Routing - Basic configuration knowledge.
- Advanced Networking - Web Load Balancing/ConnectControl
- Advanced Networking - QoS - Knowledge of how to calculate bandwidth, good knowledge of LLQ, DiffServ, weighted fair queuing and other principles. Differences between guarantees and limits.
- Check Point IPS - Knowledge of whether it is enabled by default, and about the different most popular attacks.
- SmartEvent
- SmartReporter - Good knowledge of Eventia and how it works. How many events can be seen at the same time. How the correlation unit, the server and the client work - explain their work.
- Supplement: Advanced Troubleshooting & Debugging - Kernel debugging.

8 Things to do before opening ticket with Checkpoint! Good to know.
klepysik
Stolen from:
http://yurisk.info/category/checkpoint-ngngx/


8 Things to do before opening ticket with Checkpoint
I've been doing Checkpoint quite a lot, actually for years now, and this inevitably involves communicating with the Checkpoint Technical Assistance Centre (TAC). And while you can easily come away with the impression that it is pretty bad (look around cpug.org for heated flames about that), my view is that a lot depends on you. The way you manage the ticket and the interaction with the Checkpoint TAC is often more important than anything else for successful resolution of the case.
To assist in that I prepared this list of things to do and have in mind before you actually call the TAC and open a case. In my experience, following these simple steps will shorten the time and save you nerves substantially.

1. Understand and state the problem exactly.
A clearly defined problem is half the solution. The problem should be described in measurable terms, not qualitative ones.
Not "VPN tunnels flap and fail all the time" but "the VPN tunnel between this and this peer comes up for 3-5 minutes, then goes down for 10 minutes; communication between the sites also stops, and in SmartView Tracker I see the following…"
Not "If I enable URL filtering everything works slowly" but "If I enable URL filtering it takes 40 seconds to load the same page that loads in 3 seconds without URL filtering, my download rates from different sites decrease by such and such numbers, and in the logs I see…"
Screenshots of the error messages are very welcome.

2. "… the burden of proof is on the defendant" – gather all the needed info even before you get asked for it.
Have you worked in a TAC? No? Then let me illustrate. The answering Supporter has not the slightest idea what the equipment on your site is, what the IP addresses are, or whether load balancers/NAT devices/traffic accelerators are involved, not to mention yours being the 10th case today. In short, he/she knows nothing about your topology, but you, on the other hand, having worked for years with the same setup, come to think that this knowledge is a known fact to everyone. So please don't: when approaching the TAC, think of it as preparing a presentation that describes your network topology in 10 minutes to a complete stranger on the street (no need to practice this though).
Topology info you will most probably need to supply:
- IP addresses of interfaces and routes of all the devices that are involved in the traffic having the problem.
- All NAT/IPS/load balancing/acceleration tampering going on in your network.
- Changes in topology that were made just before the problem occurred.

3. Provide Cpinfo files from all the Checkpoint devices involved.
The Checkpoint Support engineer most probably has no access to your firewall, and still she/he has to fully understand its configuration and state. The closest thing to accessing the firewall is providing a Cpinfo file. If you have a distributed Checkpoint setup, do it for all devices as well.
It is also advisable to make sure that all your devices have the latest Cpinfo utility installed [sk30567]. Unfortunately regular users can't download it from the Checkpoint UserCenter; you will need at least a Partner account with them.

NOTE regarding handing over files to the Checkpoint TAC: when you supply them Cpinfo files you provide complete information about your firewall (its rules, objects and their properties, etc.). Think of it as giving them a one-to-one copy of the firewall. So if you have some privacy/confidentiality reservations, take that into account.

4. Do a packet capture that also includes the problematic traffic.
Should you have any sort of case demanding serious debugging, be prepared to attach to the case traffic captured while replicating the problem. Of course consider the load on the firewall, but usually, to see if there are any drops on the traffic, Checkpoint will ask you to run: fw monitor -o capture.cap
Supplement this capture with the output of: fw ctl zdebug drop > dropped.txt

5. If opening the case through the Checkpoint website and the problem is rather urgent, do a follow-up call (Contact list).
When you open a case it is put in the queue with all the other cases waiting to be assigned to Support Engineers. This happens on a FIFO basis (each severity level has its own queue, I guess). So it may wait there for a few good hours. In such cases, and when the case justifies it, you may call the TAC and ask the person (not demand) to speed up assigning your case to a Technical Engineer. I used this procedure and usually the case was assigned to someone 15 minutes after my call.

6. Provide correct and the most available means to contact you back.
Nothing can be more disheartening for a Supporter than to get a case and then chase you for hours/days.

7. If you work for a Checkpoint Partner or proudly hold CCSE/CCSE+ certs, actually do some debugging yourself.
Working for a Checkpoint Partner (as I do) in my opinion not only gives us immediate unrestricted access to the TAC but also the responsibility to do as much as possible to debug the problem ourselves (moreover, it sucks to look amateurish). I should state that I don't always follow this advice but always try to.
Make "The NGX Advanced Technical Reference Guide (ATRG)" [sk31221] your night reading and you will decrease the number of open tickets by 50%, guaranteed.
When you do the relevant debugging, even without being able to understand the results, you save many hours of waiting for the TAC Supporter to just ask you for the very same debug and its logs.

8. In case of emergency, call 911 and ask for a remote session.
In urgent cases when you experience heavy downtime, be prepared for, and even ask for, a remote session with the Supporter that got your case. Checkpoint has TeamViewer-like software that allows them to connect to your workstation while it is connected to the firewall. Also, the last time I checked, this software had no (identifiable) keyloggers/Trojans, so don't worry.
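Items 1 to 4 above amount to one repeatable collection step, so here is an added example that is not part of the reposted article or any Check Point tool: a POSIX shell function that writes the measurable problem statement, this box's interfaces and routes, the fw monitor capture together with the fw ctl zdebug drop output, and a cpinfo into one archive. Assumed: a Linux-based Check Point box with fw and cpinfo in PATH (when they are missing the script records that instead of failing, so it also runs on a workstation), and that cpinfo's -o option names its output file.

```shell
# Added example (not the article's or Check Point's code): bundle the evidence
# the TAC will ask for in one pass. Usage:
#   collect_tac_bundle <case-id> "<fw monitor filter>" <seconds> "<problem statement>"
# Filter uses fw monitor -e syntax, e.g. 'accept host(192.168.1.1);'

run_or_note() {          # run a tool if present, otherwise record why it is absent
    tool=$1; out=$2; shift 2
    if command -v "$tool" >/dev/null 2>&1; then
        "$tool" "$@" >"$out" 2>&1
    else
        echo "$tool not found on this host" >"$out"
    fi
}

collect_tac_bundle() {
    case_id=$1; filter=$2; seconds=$3; problem=$4
    dir="tac-${case_id}-$(date +%Y%m%d-%H%M%S)"
    mkdir -p "$dir" || return 1

    # Item 1: the measurable problem statement travels with the evidence.
    printf 'Case: %s\nProblem: %s\nCapture window: %s s\nFilter: %s\n' \
        "$case_id" "$problem" "$seconds" "$filter" >"$dir/README.txt"

    # Item 2: topology as this box sees it (ip is standard on Linux-based boxes).
    run_or_note ip "$dir/interfaces.txt" addr
    run_or_note ip "$dir/routes.txt" route

    # Item 4: fw monitor and fw ctl zdebug drop run together while the problem
    # is reproduced; both stop on SIGINT once the capture window is over.
    if command -v fw >/dev/null 2>&1; then
        fw monitor -e "$filter" -o "$dir/capture.cap" >"$dir/fw_monitor.log" 2>&1 &
        mon=$!
        fw ctl zdebug drop >"$dir/dropped.txt" 2>&1 &
        dbg=$!
        sleep "$seconds"
        kill -INT "$mon" "$dbg" 2>/dev/null || true
        wait "$mon" "$dbg" 2>/dev/null || true
    else
        echo "fw not found; capture and drop debug skipped" >"$dir/dropped.txt"
    fi

    # Item 3: cpinfo of this device (assumption: -o names the output file).
    if command -v cpinfo >/dev/null 2>&1; then
        cpinfo -o "$dir/cpinfo.txt" >"$dir/cpinfo.log" 2>&1 || true
    else
        echo "cpinfo not found on this host" >"$dir/cpinfo.txt"
    fi

    tar czf "$dir.tgz" "$dir" && echo "$dir.tgz"
}
```

Run it for each Check Point device in the path of the problem traffic, then attach the resulting .tgz files to the case.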

Cpug site
klepysik
How often do you visit http://www.cpug.org/forums/, and do you visit it at all, to find answers to questions or just to browse the topics?

New workers.
klepysik
Checkpoint is hiring new people for support in the Israeli office.
Every year, at roughly the same time, about 10 new people come here.
At the moment the largest support team by headcount is in America.
2nd place is Israel.
3rd place is Canada - former Nokia; they also work 24 hours a day.
4th place is Japan - a few engineers support only Japanese customers.

Not even half a year has passed....
klepysik
Not even half a year has passed.... and our brave programmers have released R65 HFA70.
They did very good work on VoIP in this release.

Release notes:
http://enews.checkpoint.com/servlet/cc6?JosiQUDRBQUV21Xbex8aG8dywbv2Q8wfVaVR

I also want to add that most of the fixes that are in R65 HFA60 are in R70 HFA 20.
(It seems they have all been added, but I don't want to claim 100%.)

And the tradition since HFA60:
After upgrading directly from R65 on splat 2.6 to R65 HFA_70, uninstalling the
HFA is not supported as it may cause system instability. Before installing NGX R65 HFA
70 on Splat 2.6, make sure to take a snapshot of the entire system to enable
reverting to the previous state if needed. For details refer to sk42329

However, uninstalling HFA_70 on SecurePlatform 2.6 is supported if done after
upgrading from a previous R65 SPLAT 2.6 supported HFA (HFA_50 or HFA_60) to
HFA_70.

:) news - new HFA 60
klepysik
CheckPoint has released a new HFA 60 for 2.6 and 2.4 kernel systems.
There are lots of new useful things in it, or rather old useful things that have been fixed,
which you can read about in the release notes:
http://dl4.checkpoint.com/s/dc/1f/VPN-1_NGX_R65_HFA_60_Release_Notes.pdf?e=1259594527&h=eb40fec550aaf48f34bb11ba1cc430ac

In my opinion the most interesting thing is that if you want to remove this hotfix on a 2.6 system, you can't.
More precisely:
Uninstalling NGX R65 HFA 60 from SecurePlatform 2.6 is not supported as it may
cause system instability. Before installing NGX R65 HFA 60 on SecurePlatform 2.6,
make sure to take a snapshot of the entire system to enable reverting to the previous
state if needed. For details refer to sk42329.
