Monthly Archives: March 2012

Check Point commands

Check Point commands generally start with cp (general), fw (firewall) or fwm (management). Each entry below is given as "command - what it does"; arguments you have to supply are in [square brackets].

CP, FW & FWM

cphaprob stat - List cluster status
cphaprob -a if - List the status of all cluster interfaces
cphaprob syncstat - Show the state-synchronization status
cphaprob list - Show the status of the registered critical devices (pnotes) in list form
cphastart / cphastop - Start/stop clustering on the specific node
cp_conf sic - Configure Secure Internal Communication (SIC) from the command line
cpconfig - Configuration utility (licenses, administrators, GUI clients, SIC, etc.)
cplic print - Print the installed licenses
cprestart - Restart all Check Point services
cpstart - Start all Check Point services
cpstop - Stop all Check Point services
cpstop -fwflag -proc - Stop all Check Point services but keep the security policy active in the kernel
cpwd_admin list - List the Check Point processes monitored by the WatchDog
cpstat -f all polsrv - Show VPN Policy Server statistics
cpstat - Show the status of the firewall and other installed products (e.g. cpstat fw, cpstat os -f cpu)
fw tab -t sam_blocked_ips - List the IPs currently blocked by SAM (Suspicious Activity Monitoring) rules, e.g. blocks created from SmartView Tracker
fw tab -t connections -s - Show connection table statistics (number of entries, peak)
fw tab -t connections -f - Show the connections table with IPs instead of hex
fw tab -t fwx_alloc -f - Show the NAT allocation table (fwx_alloc) with IPs instead of hex
fw tab -t peers_count -s - Show the number of VPN peers
fw tab -t userc_users -s - Show the number of SecuRemote/SecureClient users
fw checklic - Check license details
fw ctl get int [global kernel parameter] - Show the current value of a global kernel parameter
fw ctl set int [global kernel parameter] [value] - Set the value of a global kernel parameter. Temporary only; cleared after reboot (make it permanent in $FWDIR/boot/modules/fwkern.conf)
fw ctl arp - Show the proxy ARP table (entries used for NAT)
fw ctl install - Install the kernel module on the host's interfaces (the opposite of fw ctl uninstall)
fw ctl ip_forwarding - Control IP forwarding
fw ctl pstat - System resource statistics (memory, connections, sync)
fw ctl uninstall - Remove the kernel module from the host's interfaces; traffic is then no longer inspected
fw logexport -o [file] - Export the current log file to an ASCII file
fw fetch [management IP] - Fetch the security policy from the management server and install it
fw fetch localhost - Install (on the gateway) the last locally stored policy, e.g. after fw unloadlocal
fw hastat - Show cluster status (legacy; cphaprob stat is preferred)
fw lichosts - Display protected hosts (for host-count licenses)
fw log -f - Tail the current log file
fw log -s [start time] -e [end time] - Retrieve logs between two times
fw logswitch - Rotate the current log file
fw lslogs - Display the log-file list (add a target to list a remote machine's logs)
fw monitor - Built-in packet sniffer; shows packets at the four inspection points (i, I, o, O), e.g. fw monitor -e 'accept src=10.1.1.5 or dst=10.1.1.5;'
fw printlic -p - Print the licensed firewall modules/features
fw printlic - Print current license details
fw putkey - Install an authentication key for a remote host (pre-SIC, legacy)
fw stat -l - Long status list: installed policy plus per-interface accept/drop/log counters
fw stat -s - Short status list: which policy is installed
fw unloadlocal - Unload the security policy from the local gateway. Caution: the gateway stops enforcing policy until one is installed again
fw ver -k - Return version, patch and kernel information
fwstart - Start the firewall
fwstop - Stop the firewall
fwm lock_admin -v - View locked administrator accounts (fwm lock_admin -u [admin] unlocks one)
fwm dbexport -f user.txt - Export users to a file; fwm dbimport imports them
fwm_start - Start the management processes
fwm -p - Print a list of administrators
fwm -a - Add an administrator
fwm -r - Delete an administrator

Provider 1

mdsenv [cma name] - Set the environment to the given CMA (with no argument: the MDS level)
mcd - Change directory to the $FWDIR of the current environment
mds_setup - Set up MDS servers
mdsconfig - Alternative to cpconfig for MDS servers
mdsstat - Show the status of the MDS and CMA processes
mdsstart_customer [cma name] - Start a CMA
mdsstop_customer [cma name] - Stop a CMA
cma_migrate - Migrate a SmartCenter server into a CMA
cmamigrate_assist - Helper for cma_migrate that avoids the manual tar/zip/ftp steps; requires FTP to be enabled on the SmartCenter server

VPN

vpn tu - VPN tunnel utility; list and delete IKE/IPsec SAs (forces a rekey)
vpn ipafile_check ipassignment.conf detail - Verify the syntax of the ipassignment.conf file (Office Mode IP assignment)
dtps lic - Show the desktop policy (SecureClient Policy Server) license status
cpstat -f all polsrv - Show the status of the Policy Server (dtps)
vpn shell /tunnels/delete/IKE/peer/[peer ip] - Delete the IKE SA (Phase 1) with a peer
vpn shell /tunnels/delete/IPsec/peer/[peer ip] - Delete the IPsec SAs (Phase 2) with a peer
vpn shell /show/tunnels/ike/peer/[peer ip] - Show the IKE SA with a peer
vpn shell /show/tunnels/ipsec/peer/[peer ip] - Show the IPsec (Phase 2) SAs with a peer
vpn shell show interface detailed [VTI name] - Show details of a VPN Tunnel Interface (VTI)

Debugging

fw ctl zdebug drop - Show dropped packets in real time together with the reason for the drop. It is a wrapper that allocates the kernel debug buffer, enables the fw module's drop flag and runs fw ctl kdebug -f, so it adds load: run it for short bursts only, stop it with Ctrl-C, and filter with grep, e.g. fw ctl zdebug drop | grep 10.1.1.5
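The following is an added example, not part of the original cheat sheet or of Check Point's tooling: a few POSIX shell functions that turn a short capture of fw ctl zdebug drop into a summary by drop reason and by source address, which is what you actually want when a busy gateway scrolls hundreds of lines a second. The input lines here are constructed for the demo (no real gateway was captured); their proto / src:port -> dst:port / "dropped by ... Reason: ...;" layout mirrors the fw_log_drop lines zdebug prints, so on a gateway you would run fw ctl zdebug drop | tee /tmp/drops.txt for a few seconds, press Ctrl-C, and feed /tmp/drops.txt to the same functions.

```shell
#!/bin/sh
# Summarise "fw ctl zdebug drop" output by reason and by source.
# Constructed sample lines (NOT captured from a real gateway); the field layout follows
# the fw_log_drop lines zdebug prints: proto, src:port -> dst:port, function, Reason.
SAMPLE_DROPS=';[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=6 10.1.1.5:51234 -> 192.168.1.10:443 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 7;
;[cpu_0];[fw4_1];fw_log_drop_ex: Packet proto=6 10.1.1.5:51235 -> 192.168.1.10:443 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 7;
;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=17 10.1.1.9:40000 -> 192.168.1.53:53 dropped by fw_antispoof_log_drop Reason: Address spoofing;
;[cpu_1];[fw4_2];fw_log_drop_ex: Packet proto=6 172.16.4.2:3389 -> 10.1.1.5:61000 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 12;
;[cpu_0];[fw4_0];fw_log_drop_ex: Packet proto=6 10.1.1.9:40001 -> 192.168.1.53:22 dropped by fw_antispoof_log_drop Reason: Address spoofing;
;[cpu_1];[fw4_1];fw_log_drop_ex: Packet proto=6 10.1.1.5:51236 -> 192.168.1.10:443 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 7;'

# Drops per reason, most frequent first, as "<count>TAB<reason>".
drops_by_reason() {
    sed -n 's/.*Reason: \(.*\);[[:space:]]*$/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{ c = $1; $1 = ""; sub(/^ /, ""); print c "\t" $0 }'
}

# Drops per source IP (port stripped), most frequent first, as "<count>TAB<ip>".
drops_by_source() {
    sed -n 's/.*Packet proto=[0-9]* \([0-9.]*\):[0-9]* -> .*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $1 "\t" $2 }'
}

# Only the most frequent reason: a quick answer to "what is this gateway dropping right now?"
top_reason() {
    drops_by_reason | head -n 1 | cut -f 2
}

# Lines involving one host in either direction. Like "fw ctl zdebug drop | grep <ip>",
# but anchored on the address field so 10.1.1.5 does not also match 10.1.1.50.
drops_for_host() {
    grep -E " $(printf '%s' "$1" | sed 's/\./\\./g'):[0-9]+"
}

echo "== drops by reason =="; printf '%s\n' "$SAMPLE_DROPS" | drops_by_reason
echo "== drops by source =="; printf '%s\n' "$SAMPLE_DROPS" | drops_by_source
echo "== top reason: $(printf '%s\n' "$SAMPLE_DROPS" | top_reason)"
echo "== lines for 10.1.1.5 =="; printf '%s\n' "$SAMPLE_DROPS" | drops_for_host 10.1.1.5
```

The rule number in "Rulebase drop - rule N" is the one to look up in SmartDashboard (or in the Tracker log if the rule is tracked); "Address spoofing" drops point at the interface topology/anti-spoofing definitions rather than at the rulebase, which is why splitting by reason before looking at individual packets saves time.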

SPLAT Only

router - Enter the router shell on SecurePlatform Pro for advanced routing options
patch add cd - Mount an ISO and upgrade the Check Point software (SPLAT only)
backup - Perform a backup of the operating system and Check Point configuration
restore - Restore a backup
snapshot - Take a full system image including all Check Point binaries. Note: this issues a cpstop.

VSX

vsx get - Show the current Virtual System context
vsx set [vsys name/id] - Set your Virtual System context
fw -vs [vsys id] getifs - Show the interfaces of a Virtual System
fw vsx stat -l - List the virtual devices and their installed policies
fw vsx stat -v - List the virtual devices and their installed policies (verbose)
reset_gw - Reset the gateway, clearing all previously defined virtual devices and settings (destructive)

SmartDashboard connection cannot be initiated, make sure server is up and running

Solution ID: sk12120

Error: “connection cannot be initiated, make sure server is up and running”

Product: SmartView Tracker, SmartDashboard
Version: NGX R60, NGX R61, NGX R62, NG AI, NG, NGX R65
Last Modified: 12-December-2007

Symptoms

SmartDashboard is unable to connect to the SmartCenter server.
Error message is displayed when attempting to login to the SmartDashboard.
Error: “Check Point Management Client”.
Error: “Connection cannot be initiated.”
Error: “Make sure that the Server ” is up and running.”
Error message is seen in the $FWDIR/log/fwm.elg file on the SmartCenter server.
Error: “Login Failed: is not allowed for remote login”.
Issuing cpstop / cpstart on the SmartCenter server does not address the problem.

Cause

The SmartDashboard machine’s IP address has not been entered successfully with the cpconfig utility.

Solution

This solution addresses the following situations:

GUI client is not properly registered under cpconfig (in SmartCenter Server).

TCP 18190 is blocked/filtered between the GUI client and SmartCenter Server.

The firewall itself (on the SmartCenter Server) is blocking GUI client connections.

This solution does not address situations where the GUI client is on the same machine as the SmartCenter Server.

To enter the SmartDashboard machine’s IP address using the cpconfig utility, proceed as follows:

SOLARIS, IPSO, SPLAT and Linux
On the SmartCenter server

Issue the cpconfig command.

Use the cpconfig utility in the following way (in this example the SmartDashboard machine’s IP address is 192.168.2.100):
—————————————-
# cpconfig
This program will let you re-configure
your VPN-1 & FireWall-1 configuration.

Configuration Options:
———————-
(1) Licenses
(2) Administrators
(3) GUI clients
(4) SNMP Extension
(5) Groups
(6) PKCS#11 Token
(7) Random Pool
(8) Certificate Authority
(9) Certificate’s Fingerprint
(10) Automatic start of Check Point Products

(11) Exit

Enter your choice (1-11) :3

Configuring GUI clients
==================
GUI clients are trusted hosts from which Administrators are allowed to log on to the SmartCenter server using Windows/X-Motif GUI.

Do you want to [C]reate a new list, [A]dd or [D]elete one?: a

Enter resolvable host name or an IP: 192.168.2.100

192.168.2.100 will be added as a GUI client. Are you sure? (y/n) [y] ? y

192.168.2.100 was added successfully!

Do you want to add another one? (y/n) [n] ? n

Configuration Options:
———————-
(1) Licenses
(2) Administrators
(3) GUI clients
(4) SNMP Extension
(5) Groups
(6) PKCS#11 Token
(7) Random Pool
(8) Certificate Authority
(9) Certificate’s Fingerprint
(10) Automatic start of Check Point Products

(11) Exit

Enter your choice (1-11) :11

Thank You…
#
—————————————-

Login with the GUI Client.

WINDOWS
On the SmartCenter server (for Windows NT / 2000)

Select Start > Programs > Check Point Management Clients > Check Point Configuration NG.

In the Check Point Configuration Tool dialog box, select the GUI Clients tab.

Enter the IP address of the GUI Client (ie. 192.168.2.100) in the Remote hostname field.

Click on the “Add ->” button

Click on OK in the Check Point Configuration Tool window.

Note: If procedures above do not resolve the GUI client being unable to successfully connect to the SmartCenter server, verify the TCP port 18190 is not filtered or blocked between the GUI client and the SmartCenter server. On the FireWall-1 NG Policy Editor, TCP port 18190 is a pre-defined service called CPMI (Check Point Management Interface). If a firewall module is filtering or blocking the CPMI (Check Point Management Interface) service between the GUI client and SmartCenter server, a rule similar to the following example may need to be added:

SOURCE: GUI_client (GUI client machine)
DESTINATION: SmartCenter server (SmartCenter server)
SERVICE: CPMI (TCP port 18190)
ACTION: accept
TRACK: Log

In addition to allowing the CPMI (Check Point Management Interface) service between the GUI client and SmartCenter server, verify that "Accept VPN-1 & FireWall-1 control connections" is enabled in Global Properties. Since in this case the firewall module on the SmartCenter server itself is filtering or blocking the CPMI service, it may be necessary to uninstall the current security policy before a new policy can be installed.
This can be done with the following procedure: on the security gateway, issue the command fw unloadlocal. Caution: until a policy is installed again the gateway stops enforcing the security policy, so do this from the console or an out-of-band connection and install the corrected policy immediately afterwards.

Once the security policy is uninstalled from the security gateway, on the SmartCenter server, “Accept VPN-1 & FireWall-1 control connections” can be enabled by the following procedures:

On the SmartDashboard

Select Policy > Global Properties.

In Global Properties dialog box, select FireWall-1 from the left pane.

In FireWall-1 Implied Rules properties, enable “Accept VPN-1 & FireWall-1 control connections”.

Click OK in Global Properties dialog box.

Install security policy.

If the “Accept VPN-1 & FireWall-1 control connections” check box needs to be unchecked in the Global Properties, the CPMI (Check Point Management Interface) service can be allowed between the GUI client and SmartCenter server by an explicitly defined rule in the rulebase. A rule similar to the following example will allow the CPMI (Check Point Management Interface) service between the GUI client and the SmartCenter server:

SOURCE: GUI_client (GUI client machine)
DESTINATION: SmartCenter server (SmartCenter server)
SERVICE: CPMI (TCP port 18190)
ACTION: accept
TRACK: Log.

Note:
If after running a ‘log switch’ you are unable to log in, follow this procedure:

Reboot your SmartCenter server.

When prompted to approve the new fingerprint – Approve.

SmartDashboard should now open successfully.
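As an added example (not part of sk12120 or of Check Point's tools), here is a small POSIX shell check for the first situation the SK lists: whether the workstation is actually registered as a GUI client. cpconfig keeps that list in $FWDIR/conf/gui-clients on the SmartCenter server, one entry per line, where an entry can be a single IP, a hostname, "Any", a wildcard such as 10.0.5.* or a range a.b.c.d-e.f.g.h; the checker below handles all of those except hostname resolution (hostnames are compared literally). The gui-clients content used here is constructed for the demo, not copied from a server. The cpmi_reachable helper covers the second situation, TCP 18190 filtered on the path, and is meant to be run from the GUI client with nc installed.

```shell
#!/bin/sh
# Is a given workstation a registered GUI client? Reads the gui-clients file format.
# Constructed sample (the real file is "$FWDIR/conf/gui-clients" on the SmartCenter server).
write_sample_gui_clients() {
    cat > "$1" <<'EOF'
# trusted SmartDashboard workstations (constructed sample)
192.168.2.100
10.0.5.*
172.16.0.10-172.16.0.30
EOF
}

# Exit 0 if $1 (an IPv4 address) matches an entry in gui-clients file $2, else 1.
# Entry forms: exact IP, "Any", wildcard octets (10.0.5.*), range (a.b.c.d-e.f.g.h).
# Hostname entries are compared literally; no DNS lookup is done.
gui_client_allowed() {
    awk -v ip="$1" '
        function ip2n(a,    p) { split(a, p, "."); return ((p[1] * 256 + p[2]) * 256 + p[3]) * 256 + p[4] }
        function wild(e, a,    pe, pa, i) {
            split(e, pe, "."); split(a, pa, ".")
            for (i = 1; i <= 4; i++) if (pe[i] != "*" && pe[i] != pa[i]) return 0
            return 1
        }
        /^[ \t]*$/ || /^[ \t]*#/ { next }                      # blank lines and comments
        { e = $1 }
        tolower(e) == "any"                       { found = 1; exit }
        e == ip                                   { found = 1; exit }
        e ~ /^[0-9*.]+$/ && index(e, "*") && wild(e, ip) { found = 1; exit }
        e ~ /^[0-9.]+-[0-9.]+$/ {                              # inclusive IP range
            split(e, r, "-"); n = ip2n(ip)
            if (n >= ip2n(r[1]) && n <= ip2n(r[2])) { found = 1; exit }
        }
        END { exit (found ? 0 : 1) }
    ' "$2"
}

# From the GUI client: can CPMI (TCP 18190) on the SmartCenter server be reached at all?
# Requires nc; a failure here points at a firewall or routing problem, not at cpconfig.
cpmi_reachable() { nc -z -w 3 "$1" 18190; }

# Demo on the constructed file.
tmp=$(mktemp); write_sample_gui_clients "$tmp"
for c in 192.168.2.100 10.0.5.7 172.16.0.20 203.0.113.9; do
    if gui_client_allowed "$c" "$tmp"; then
        echo "$c: listed as a GUI client"
    else
        echo "$c: not a GUI client (fwm.elg logs 'is not allowed for remote login')"
    fi
done
rm -f "$tmp"
```

Run the check on the SmartCenter server with the real file (gui_client_allowed 192.168.2.100 "$FWDIR/conf/gui-clients"); a match there plus a failing cpmi_reachable from the workstation tells you to look at the rulebase and the implied-rules setting rather than at cpconfig.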

New Cisco CCNA Service Provider certification

Cisco has just launched a new certification, Cisco Certified Network Associate - Service Provider (CCNA SP), focused on the service provider core industry and validating the ability to configure and implement next-generation service provider networks.

Required exams:

640-875 SPNGN1 - Building Cisco Service Provider Next-Generation Networks, Part 1 (SPNGN1)

640-878 SPNGN2 - Building Cisco Service Provider Next-Generation Networks, Part 2 (SPNGN2)

640-875 SPNGN1 Exam Topics

IP Networks

  • Describe the purpose and functions of various network devices (at the core, distribution, and access layers)
  • Identify the functional components required to meet a given network specification
  • Describe the OSI and TCP/IP models and their associated protocols to explain how data flows in a network
  • Describe common network applications and their impact on the network
  • Interpret network diagrams
  • Troubleshoot common network problems at layers 1, 2, 3, 4, and 7 using a layered model approach
  • Describe differences between LAN and WAN operation and features

IPv4 and IPv6 Addressing

  • Describe the structure of IPv4 and IPv6 addresses
  • Describe VLSM, CIDR and route summarization concepts
  • Describe the different types of IPv4 and IPv6 addresses
  • Design an IP subnetting plan based on given requirements

Switched Network Technologies I

  • Describe bridging concepts and Layer 2 Ethernet frames
  • Configure basic Spanning Tree operations on Cisco IOS Switches
  • Interpret the output of various basic show and debug commands to verify the operational status of a Cisco switched network
  • Configure basic switch security (e.g., port security, securing unused ports)
  • Describe Ethernet link bundling, LACP, and PAgP and Flex Links

Routed Network Technologies I

  • Describe classful versus classless routing
  • Describe routing protocols basics (metrics, IGP versus EGP)
  • Describe RIPv1, RIPv2, RIPNG
  • Implement EIGRPv4 and EIGRPv6 on Cisco IOS, IOS-XE and IOS-XR routers
  • Describe route redistribution
  • Describe VRF
  • Describe GRE

IP Services

  • Configure NAT (IPv4) on Cisco routers
  • Configure DHCP (IPv4 and IPv6) operations on Cisco routers
  • Describe ICMPv4 and ICMPv6
  • Describe DNS

Cisco Operating Systems and Platforms I

  • Implement basic Cisco IOS, IOS-XE and IOS-XR CLI operations
  • Implement basic Cisco IOS, IOS-XE and IOS-XR routers configurations

Transport Technologies

  • Describe SONET and SDH
  • Describe DWDM, IPoDWDM, and ROADM
  • Configure 10 Gigabit Ethernet, 40 Gigabit Ethernet, and 100 Gigabit Ethernet interfaces on Cisco routers
  • Describe Frame Relay
  • Describe ATM
  • Describe Metro Ethernet
  • Describe DSL
  • Describe T1, T3, E1, E3, and ISDN
  • Implement PPP encapsulation on Cisco routers serial and POS interfaces
  • Describe cable (DOCSIS)
  • Describe the main BRAS and BNG routers functions in IP NGN
  • Describe various Passive Optical Network (PON) access technologies and FTTx

Security in the Network

  • Describe Layer 2 security features on Cisco IOS switches
  • Configure management plane security on Cisco routers and IOS switches
  • Describe IPsec
  • Describe control plane security
  • Configure basic AAA (TACACS+ and RADIUS) services on Cisco routers
  • Configure routing protocols authentication between Cisco routers
  • Describe the relationships between users, user groups, tasks groups and task IDs in IOS-XR
  • Describe common types of network attacks

Network Management

  • Configure NTP server or client on Cisco routers
  • Configure IP SLA on Cisco routers
  • Configure CDP on Cisco routers and IOS switches
  • Configure SNMP on Cisco routers
  • Configure NetFlow on Cisco routers
  • Configure logging to Syslog server on Cisco routers
  • Describe the Cisco IOS Call-Home feature
  • Describe Cisco TAC procedure and navigate Cisco support tools (CCO)
  • Implement management access (SSH, telnet, and out-of-band management design)
  • Implement SPAN, RSPAN, and ERSPAN
  • Implement file transfers to manage network devices configurations and images using FTP, SCP, TFTP, SFTP, and RCP

640-878 SPNGN2 Exam Topics

IP NGN Architecture

  • Identify the functional components that are required to meet a given network specification
  • Troubleshoot common network problems at Layers 1, 2, 3, 4, and 7 using a layered-model approach
  • Describe the different types of service providers
  • Describe service provider principal and reference next-generation network (NGN) architecture
  • Describe the IP address and autonomous system (AS) number allocation process via the Internet Assigned Numbers Authority (IANA) and Regional Internet Registries (RIRs)

Switched Network Technologies II

  • Configure enhanced switching technologies (including Rapid Spanning Tree Protocol [RSTP], Multiple Spanning Tree [MST], and Per VLAN Spanning Tree [PVST]) on Cisco IOS Software switches
  • Describe how VLANs create logically separate networks and the need for routing between them
  • Configure VLANs on Cisco IOS Software switches
  • Configure trunking on Cisco IOS Software switches
  • Configure inter-VLAN routing
  • Configure Resilient Ethernet Protocol (REP) on Cisco IOS Software switches
  • Configure 802.1Q tunneling (QinQ) on Cisco IOS Software switches

Routed Network Technologies II

  • Configure basic single-area Open Shortest Path First version 2 (OSPFv2) and OSPF version 3 (OSPFv3) routing on Cisco routers
  • Configure basic single-area Intermediate System-to-Intermediate System (IS-IS) routing on Cisco routers
  • Describe the differences between static versus dynamic routing as well as distance vector versus link-state routing protocol operations
  • Configure basic Border Gateway Protocol (BGP) routing on Cisco routers
  • Describe the address family concept on Cisco routers
  • Describe IPv6 transitioning technologies
  • Configure First Hop Redundancy Protocol (FHRP) (including Hot Standby Router Protocol [HSRP], Virtual Router Redundancy Protocol [VRRP], and Gateway Load Balancing Protocol [GLBP]) on Cisco routers
  • Implement access control list (ACL) on Cisco routers
  • Describe carrier-grade NAT (CGN) and Network Address Translation 64 (NAT64)
  • Describe Multiprotocol Label Switching (MPLS) functions in the service provider IP NGN
  • Configure Label Distribution Protocol (LDP) on Cisco routers

Cisco Operating Systems and Platforms II

  • Manage the Cisco IOS XR configurations and software packages
  • Describe Cisco IOS XE software packages
  • Describe Cisco service provider router platforms, their operating system, and their placement in the service provider IP NGN