Troubleshoot VPN on Juniper Firewalls
get vpn
get sa cookies
debug ike basic
get event type 536
unset TMOUTCheck Point VSX
#vsx stat
Show the VSYS create on this firewall
#vsx stat –l
Enter in the vsys:
vsx set 1Check Point NTP
ntp -n <interval> <server1> [<server2>]
ntp -n 3600 171.26.238.126 171.26.238.127idle XXto increase the idle time out where XX is the number of minutes you want the ssh session to stay active, works on ipso also
Routeto show routes
or
fw getifs gets the interfaces, IP and netmask
ip address showTo show mac address per interface
or
ip link list
***
ip route
ip route show To show the ip/netmask/interface and the VRRP IP that the traffic will use
***
ip neigh showYou can view your machines current arp/neighbor or cache table
Restart cpd on VSX
=====================
Killall cpd
cpwd_admin start -name CPD -path “$CPDIR/bin/cpd” -command “cpd”
SPLAT Platform:
#ethtool ethX
#ethtool –h
Turn on the interface light on splat:
#ethtool –p
Wizard to configure the SPLAT
#sysconfig
Change interface number on HP:
vi /etc/sysconfig/ethtab
ifconfig –a | grep HW
Provider One
cd $MDSDIR
mdsstat
mdsenv CMA_Madrid
cpstart
cpstop
Stop and start all CMAs on Provider One:
mdsstop -s
mdsstart -s
Make a cpstop cpstart (sic reset) and get acces without serial cable after the cpstart:
terminal1: cpstop
terminal2: sleep 300 && fw unloadlocal
terminal1: cpstart
Check the checkpoint version
fw ver -k
Check the license on checkpoint
cplic print
Check the member cluster nokia
cphaprob stat
Restart the checkpoint software
cpstop
cpstart
Stop/Start all CMAs on provider one
mdstop
mdstart
Check checkpoint info
cpinfo
Check the ipsec tunnel
vpn tunnelutil
Secure XL:
fwaccel on
fwaccel off
fwaccel stat
Check Nat table:
fw tab -t fwx_alloc -f
Removing The Errors (i.e. Clearing the Host Count)
Type the command fw tab -t host_table -x (to cspan> table).
Save check point routing table:
netstat -rn | grep ^[0-9] | awk ‘{printf “route add -net %-15s gw %-15s netmask %s\n”, $1, $2, $3}’ | sort > exported_routes.out
netstat -rn | grep ^[0-9] | awk ‘{printf “%-15s %-15s %s\n”, $1, $3, $2}’ | sort
netstat -rn | grep 10.50.36. | grep ^[0-9] | awk ‘{printf “%-15s %-15s %s\n”, $1, $3, $2}’ | sort
netstat -rn | grep eth8.10 | grep ^[0-9] | awk ‘{printf “%-15s %-15s %s\n”, $1, $3, $2}’ | sort
[Expert@scbedcl-fw001]# more exported_routes.out
route add -net 0.0.0.0 gw 194.29.97.1 netmask 0.0.0.0
…
PROVIDER-1 and MLM:
=====================
0 2 * * * find /opt/CPmds-R75.20/customers/*/CPsuite-R75.20/fw1/conf/db_versions/repository/* -mtime +10 -exec rm -R {} \;
10 2 * * * find /opt/CPmds-R75.20/customers/CMADCS2BEF/CPsuite-R75.20/fw1/log/* -mtime +10 -exec rm {} \;
#!/bin/bash
echo “Remove old Logs > 8 days”
find /var/opt/CPmds-R75.20/customers/*/CPsuite-R75.20/fw1/log/*”.log” -mtime +8 -exec rm {} \;
find /var/opt/CPmds-R75.20/customers/*/CPsuite-R75.20/fw1/log/*”.logaccount_ptr” -mtime +8 -exec rm {} \;
find /var/opt/CPmds-R75.20/customers/*/CPsuite-R75.20/fw1/log/*”.loginitial_ptr” -mtime +8 -exec rm {} \;
find /var/opt/CPmds-R75.20/customers/*/CPsuite-R75.20/fw1/log/*”.logptr” -mtime +8 -exec rm {} \;
echo “Done”
for i in $(ls 2011-07*) ; do rm -rf $i ; done
=========================
NOKIA FIREWALL
=========================
Configure physical interface parameters
set [slot <1—15>] interface phys_if_name speed <10M | 100M | 1000M>
duplex <full | half>
auto-advertise <on | off>
link-recog-delay <1–255>
active <on | off>
flow-control <on | off>
Configure new vlan interface
add interface log_if_name vlanid <2—4094> address ip_address/masklen <0—31>
set logical-name new_log_if_name
add interface eth-s2p1 vlanid 306 address 10.91.109.139/29 comments TO_MDS
add interface eth-s2p1 vlanid 307 address 10.91.109.131/29 comments TO_MLM
add mcvr vrid 36 backup-address 10.91.109.137
add mcvr vrid 36 backup-address 10.91.109.129
delete interface eth-s4p1c1
enable | disable
Configure and enable snmp:
echo rocommunity T1vol1 >> /etc/snmp/snmpd.conf
snmp service enable
Start cpconfig, to enable the SNMP Extension (usually option 2)
cpshell
adduser netkir
usermod -s /bin/bash netkir
Configure routes: add route
================================
delete route
set static-route xxx.xxx.xxx.xxx/yy nexthop gateway address xxx.xxx.xxx.xxx off
change default route
set static-route default nexthop gateway address xxx.xxx.xxx.xxx on
Check cluster (IPSO cluster)
show clusters
Check vrrp
show vrrp summary
Check Nokia details
show asset [hardware] [Packages] [Software] Upgrade IPSO
Upload new image ipso.tgz on firewall
newimage -R -b -k -l ipso.tgz
Force IP Forwarding
After a fw unloadlocal you’ll need to force ip forwarding in roder to keep routing packets.
ipsofwd on admin
SIC RESET ON NOKIA FW:
========================
cd $FWDIR/conf
vi initial_module.pf
delete 2 lines containing webgui clients sources for https & ssh
vi initial_management.pf
delete 2 lines containing webgui clients sources for https & ssh
cd $FWDIR/bin
./comp_init_policy -g
cp_conf sic init vpn123;fw unloadlocal
OR
===
cp_conf sic init vpn123;fw unloadlocal
FAILOVER CHECK POINT FIREWALLS
==============================
clusterXL_admin down
clusterXL_admin up
Add route in RTIP
GSFR0S2-PE100203#show run | inc 10.50.108.244
ip route vrf VPN0103 93.186.25.33 255.255.255.255 10.50.108.244 tag 103001
ip route vrf VPN0103 193.109.81.33 255.255.255.255 10.50.108.244 tag 103001
Get policy back from the nokia:
fw fecth x.x.x.x (cma ip)
Unload the policy
fw unloadlocal
Make failover
(Juniper – Master)exec nsrp vsd-group 0 mode ineligible
(Juniper – Backup)exec nsrp vsd-group 0 mode master
(Checkpoint)shutdown interface
Check the packet directly in the interface (nokia)
tcpdump -i src 10.214.32.122 and dst 164.140.215.244
fw monitor -e ‘accept src=10.214.32.122 and dst=164.140.215.244;’ s
snoop –o filename
snoop from 10.11.3.55 to …
Check the status of firewall connection
cpstat fw
cpstat ha
cpstat vpn
cpstat os
cpstat -vs 1 os -f cpu, mem, ifconfig
Install an access list directly on the nokia
fw ctl …
Check the hight avaibality
(checkpoint)show vrrp
(juniper)get nssrp
Bluecoat: Create an user
en
conf t
security loca-user-list
user create XXX
user edit XXX
group add ReadWrite
password XXX
exit exit exit exit
Bluecoat: Change the group of one user
en
conf t
security loca-user-list
user edit XXX
group remove ReadOnly
group add ReadWrite
exit exit exit exit
Check point: check VPN on VSX
vpn -vs id tu
Juniper:
get session ike-nat
Juniper: Add a user in read only mode
set admin user Support password 1231456 privilege read-only
Find a string in any files on solaris (linux):
find / -type f -exec grep -l “string_here” {} \;
Delete old files:
find /etc/iscan/log -mtime +5 -exec rm {} \;
Show the group of one user:
groupview -gm -u INT/Gxxxxx | findstr NWBC
Show the number of connection on the port XXX:
netstat -an | grep xxx | wc -l
Show the next hop for a specific host:
ip -s route get x.x.x.x
set network config:
ifconfig Lan2 up
vconfig add Lan2 112
vconfig add Lan2 97
ifconfig Lan2.112 inet 10.24.152.77 netmask 255.255.255.240
ifconfig Lan2.97 inet 10.24.152.61 netmask 255.255.255.240
inet 10.63.136.150 netmask 255.255.255.0
ifconfig eth0 up
vconfig add eth0 104
ifconfig eth0.104 inet 10.50.24.254 netmask 255.255.255.248
ifconfig –save
set routing config:
route add -net 194.29.98.32 netmask 255.255.255.224 gw 10.24.152.1
route add -net 194.29.98.160 netmask 255.255.255.224 gw 10.24.152.1
route add -host 194.29.98.175 gw 10.24.152.1
route add -host 194.29.98.184 gw 10.24.152.1
route add default gw 83.137.242.1
route –save
This is a quick reference guide to the most popular and widely used Nokia Clish Commands. You can manage the Nokia firewall as much from the Command Line Interface as from Voyager.
—setting default gateway
set static-route default nexthop gateway address 192.168.29.2 priority 1 on
—adding static routes
set static-route 172.23.124.150/32 nexthop gateway address 192.168.29.50 on
—Add proxy arp
add arpproxy address 192.168.29.56 macaddress 0:a0:8e:7d:13:d0
add arpproxy address 192.168.29.57 macaddress 0:a0:8e:7d:13:d0
—Add an interface
set interface eth1 speed 100M duplex full active on
add interface eth1c0 address 192.168.29.54/24 enable
—VRRP
set vrrp accept-connections on
set vrrp coldstart-delay 60
set vrrp interface eth1c0 monitored-circuit vrid 54 monitored-interface eth2c0 on
set vrrp interface eth1c0 monitored-circuit vrid 54 monitored-interface eth2c0 priority-delta 10
set vrrp interface eth1c0 monitored-circuit vrid 54 monitored-interface eth3c0 on
set vrrp interface eth1c0 monitored-circuit vrid 54 monitored-interface eth3c0 priority-delta 10
set vrrp interface eth1c0 monitored-circuit vrid 54 priority 100
set vrrp interface eth1c0 monitored-circuit vrid 54 hello-interval 1
set vrrp interface eth1c0 monitored-circuit vrid 54 vmac-mode default-vmac
set vrrp interface eth1c0 monitored-circuit vrid 54 backup-address 192.168.29.1 on
—Set ntp servers
add ntp server 10.1.1.2 version 3 prefer yes
add ntp server 10.1.1.1 version 3 prefer yes
—Setting Time zone
set date timezone-city “Greenwich (GMT)”
—Add hostname
set hostname testbox
—Add Host address assignments
add host name testbox ipv4 192.168.29.54
TCPDUMP
——-
tcpdump -i 0.0 host … -w out.cap
tcpdump -i any host 10.64.128.217 or host 10.64.132.106 or host 10.64.132.103 and port 443
fw monitor -v 1 -e “accept net(192.168.246.110,31) and host(10.64.150.12);”
ONLY ICMP PACKETS:
———————-
fw monitor -v 1 -e “accept host(194.29.98.227) and ip_p=1;”
F5 – TMOS:
===========
tmsh
create ltm node 10.90.126.68%3 screen SCBEDCB-PR001 up
create ltm node 10.90.126.69%3 screen SCBEDCB-PR002 up
modify ltm node 10.90.126.68%3 screen SCBEDCB-PR001
create ltm pool B_PROXY_SERVICEGROUP_8080
modify ltm pool B_PROXY_SERVICEGROUP_8080 members add { 10.90.126.68%3:8080 } members add {10.90.126.69%3:8080}
modify ltm pool B_PROXY_SERVICEGROUP_8080 monitor tcp
create ltm virtual F_PROXY_SERVICEGROUP_8080 destination 10.90.126.193%3:8080 vlans add { VSSERVICEGROUP_INTERNAL_806 } pool B_PROXY_SERVICEGROUP_8080 vlans-enabled disabled
MONITORING F5:
==============
tmsh
modify sys snmp allowed-addresses add { 10.146.244.0/26 }
create sys management-route 10.146.244.0/26 gateway 192.168.240.193
create sys management-route 10.91.0.0/18 gateway 192.168.240.193
create sys management-route 10.91.96.0/19 gateway 192.168.240.193
save sys config
CHECK with TMOS:
================
show ltm node 10.90.126.68%3
SET SYSLOG SERVER:
====================
tmsh modify sys syslog remote-servers add {log2.gdfsuez..net {host 10.91.32.30 remote-port 514 }}
tmsh save sys config
SPLUNK:
=======
Reindex data with oneshot command:
find /opt/splunk/var/log/juniperssl/ | xargs -n 1 -I xxx sudo /opt/splunk/bin/splunk add oneshot xxx -index networksecurity -sourcetype juniperssl_2011 -host scfr0s2-ssl001.mux.isinfra.net
Index one file:
sudo /opt/splunk/bin/splunk add oneshot SGW1_main__2260513230000.log.gz -index networksecurity -sourcetype bluecoat -host scbedcb-pr001.mux.isinfra.net
delete logs in cli:
sudo /opt/splunk/bin/splunk search ‘source=”/opt/splunk/var/log/proxies/belgium/SGL1_main__2250222000000.log.gz” | delete’
PROXIES:
==============
INCREASE TIMEOUT FOR WEBSITE
<proxy>
url.domain = “ocsygen-int.gdfsuez.com” http.server.recv.timeout(1800)
Check the access for user in windows domain:
net user BAH237 /dom
net group “group name” /dom
net LOCALGROUP INTERNET_HTTP_8080 >> C:\INTERNET_HTTP_8080.txt
Ip address on laptop:
Show the configuration ip:
netsh interface ip show config
Change Ip address on XBOW laptop:
netsh interface ip set address name=”Local Area Connection” static 192.168.0.100 255.255.255.0 192.168.0.1 1
Export to file:
netsh -c interface dump > c:\location1.txt
Import from file:
netsh -f c:\location1.txt
Put the interface in DHCP mode:
netsh interface ip set address “Local Area Connection” dhcp
OPENSSL:
=========
OpenSSL (https://www.sslshopper.com/ssl-converter.html):
cd C:\OpenSSL-Win32\bin\
set OPENSSL_CONF=c:\OpenSSL-Win32\bin\openssl.cfg
extract private key from a pfx file and write it to PEM file
>>openssl.exe pkcs12 -in publicAndprivate.pfx -nocerts -out privateKey.pem
openssl pkcs12 -in C:\tools\certificate\ -out file.pem
openssl.exe pkcs12 -export -out C:\tools\certificate\wildcard.gdfsuez.net.pfx -inkey C:\tools\certificate\wildcard.gdfsuez.com_chained_globalsign.key -in C:\tools\certificate\wildcard.gdfsuez.com_chained_globalsign.crt
openssl pkcs12 -in C:\tools\certificate\wildcard.gdfsuez.net.pfx -out C:\tools\certificate\certificate.cer -nodes
openssl.exe pkcs7 -in C:\tools\sge\sgeproxy.gdfsuez.com.p7b -out C:\tools\sge\file.pem
openssl x509 -inform der -in C:\tools\sge\sgeproxy.cer -out C:\tools\sge\sgeproxy.pem
openssl x509 -inform der -in MYCERT.cer -out MYCERT.pem
openssl pkcs7 -print_certs -in C:\tools\sge\sgeproxy.p7b -out certificate.cer
openssl x509 -inform der -in C:\tools\sge\sgeproxy.csr.cer -out C:\tools\sge\sgeproxy.pem
openssl.exe pkcs12 -export -out C:\tools\sge\sgeproxy.pfx -inkey C:\tools\sge\sgeproxy.key -in C:\tools\sge\sgeproxy.cer
openssl pkcs12 -in C:\tools\sge\sgeproxy.pfx -out C:\tools\sge\sgeproxy.pem
sgeproxy.csr.cer
Reset ip stack:
—————
ipconfig /flushdns
nbtstat -R
nbtstat -RR
netsh int reset all
netsh int ip reset
netsh winsock reset
GET INTERNET GROUP ACCESS:
————————–
net user BAH237 /dom | findstr G..[0-9].Users
Linux:
======
df -hP | column -t
Introduction à Vi
——————
== indente la ligne en cours
=} indente la fin du paragrapphe
gg=G indente tout *
Search (Wraped around at end of file):
Search STRING forward : / STRING.
Search STRING backward: ? STRING.
Repeat search: n
Repeat search in opposite direction: N (SHIFT-n)
Replace: Same as with sed, Replace OLD with NEW:
First occurrence on current line: :s/OLD/NEW
Globally (all) on current line: :s/OLD/NEW/g
Between two lines #,#: :#,#s/OLD/NEW/g
Every occurrence in file: :%s/OLD/NEW/g
Commande Description
:q Quitte l’éditeur (sans sauvegarder)
:q! Force l’éditeur à quitter sans sauvegarder (même si des modifications ont été apportées au document)
:wq Sauvegarde le document et quitte l’éditeur
:filenom Sauvegarde le document sous le nom spécifié
Les commandes d’édition
Commande Description
x Efface le caractère actuellement sous le curseur
dd Efface la ligne actuellement sous le curseur
dxd Efface x lignes à partir de celle actuellement sous le curseur
nx Efface n caractères à partir de celle actuellement sous le curseur
x>> Indente x lignes vers la droitee à partir de celle actuellement sous le curseur
x<< Indente x lignes vers la gauche à partir de celle actuellement sous le curseur
La recherche et le remplacement
Pour rechercher un mot dans un document, il vous suffit (en mode normal) de taper / suivi de la chaîne à rechercher, puis de valider par la touche entrée. Il est alors possible d’aller d’occurrence en occurrence grâce à la touche n.
Pour remplacer une chaîne de caractère par une autre sur une ligne, il existe une commande très puissante sous Vi utilisant les expressions régulières. Voici sa syntaxe :
:s/chaine_a_remplacer/chaine_de_remplacement/
Il est possible de la généraliser à tout le document grâce à la syntaxe suivante :
:%s/chaine_a_remplacer/chaine_de_remplacement/
Le copier-coller et couper-coller
Il est possible sous Vi de copier-coller une sélection de lignes. Pour ce faire, il suffit de taper la commande suivante pour copier n lignes :
nyy
Par exemple la commande suivante copiera dans le tampon 16 lignes :
16yy
Pour coller la sélection, il suffit de taper la lettre p.
Une couper-coller de n lignes se fera de façon similaire avec la commande :
ndd
Puis p pour coller !
EXCEL:
========
=IF(B1=”NOT IN CORP”, “NOT IN CORP”,CONCATENATE(LEFT(B1,5),”Users”))
LINUX COMMANDS:
===============
Shell command to delete all but the 1 newest files in a directory:
ls -1t /home/lamp/tmp/netsec.gdfsuez.net | tail -n +10 | xargs -I{} -n1 rm “{}”
Use it:
fw dbexport [ [-g group | -u user ] [-d delim] [-a {attrib1, attrib2,…}] [-f filename] ]
Check Point commands generally come under cp (general), fw (firewall), and fwm (management).
CP, FW & FWM
cphaprob stat List cluster status
cphaprob -a if List status of interfaces
cphaprob syncstat
shows the sync status
cphaprob list
Shows a status in list form
cphastart/stop Stops clustering on the specfic node
cp_conf sic SIC stuff
cpconfig config util
cplic print prints the license
cprestart Restarts all Check Point Services
cpstart Starts all Check Point Services
cpstop Stops all Check Point Services
cpstop -fwflag -proc
Stops all checkpoint Services but keeps policy active in kernel
cpwd_admin list List checkpoint processes
cplic print Print all the licensing information.
cpstat -f all polsrv
Show VPN Policy Server Stats
cpstat
Shows the status of the firewall
fw tab -t sam_blocked_ips Block IPS via SmartTracker
fw tab -t connections -s
Show connection stats
fw tab -t connections -f
Show connections with IP instead of HEX
fw tab -t fwx_alloc -f
Show fwx_alloc with IP instead of HEX
fw tab -t peers_count -s
Shows VPN stats
fw tab -t userc_users -s
Shows VPN stats
fw checklic Check license details
fw ctl get int [global kernel parameter]
Shows the current value of a global kernel parameter
fw ctl set int [global kernel parameter] [value]
Sets the current value of a global keneral parameter. Only Temp ; Cleared after reboot.
fw ctl arp Shows arp table
fw ctl install Install hosts internal interfaces
fw ctl ip_forwarding Control IP forwarding
fw ctl pstat System Resource stats
fw ctl uninstall Uninstall hosts internal interfaces
fw exportlog .o Export current log file to ascii file
fw fetch Fetch security policy and install
fw fetch localhost
Installs (on gateway) the last installed policy.
fw hastat
Shows Cluster statistics
fw lichosts Display protected hosts
fw log -f Tail the current log file
fw log -s -e Retrieve logs between times
fw logswitch Rotate current log file
fw lslogs Display remote machine log-file list
fw monitor Packet sniffer
fw printlic -p Print current Firewall modules
fw printlic Print current license details
fw putkey Install authenication key onto host
fw stat -l
Long stat list, shows which policies are installed
fw stat -s Short stat list, shows which policies are installed
fw unloadlocal Unload policy
fw ver -k Returns version, patch info and Kernal info
fwstart Starts the firewall
fwstop Stop the firewall
fwm lock_admin -v
View locked admin accounts
fwm dbexport -f user.txt used to export users , can also use dbimport
fwm_start
starts the management processes
fwm -p Print a list of Admin users
fwm -a Adds an Admin
fwm -r Delete an administrator
Provider 1
mdsenv [cma name]
Sets the mds environment
mcd
Changes your directory to that of the environment.
mds_setup
To setup MDS Servers
mdsconfig
Alternative to cpconfig for MDS servers
mdsstat To see the processes status
mdsstart_customer [cma name]
To start cma
mdsstop_customer [cma name]
To stop cma
cma_migrate
To migrate an Smart center server to CMA
cmamigrate_assist
If you dont want to go through the pain of tar/zip/ftp and if you wish to enable FTP on Smart center server
VPN
vpn tu
VPN utility, allows you to rekey vpn
vpn ipafile_check ipassignment.conf detail?
Verifies the ipassignment.conf file
dtps lic
show desktop policy license status
cpstat -f all polsrv
show status of the dtps
vpn shell /tunnels/delete/IKE/peer/[peer ip]
delete IKE SA
vpn shell /tunnels/delete/IPsec/peer/[peer ip]
delete Phase 2 SA
vpn shell /show/tunnels/ike/peer/[peer ip]
show IKE SA
vpn shell /show/tunnels/ipsec/peer/[peer ip]
show Phase 2 SA
vpn shell show interface detailed [VTI name]
show VTI detail
Debugging
fw ctl zdebug drop
shows dropped packets in realtime / gives reason for drop
SPLAT Only
router
Enters router mode for use on Secure Platform Pro for advanced routing options
patch add cd
Allows you to mount an iso and upgrade your checkpoint software (SPLAT Only)
backup
Allows you to preform a system operating system backup
restore
Allows you to restore your backup
snapshot
Performs a system backup which includes all Check Point binaries. Note : This issues a cpstop.
VSX
vsx get [vsys name/id]
get the current context
vsx set [vsys name/id]
set your context
fw -vs [vsys id] getifs
show the interfaces for a virtual device
fw vsx stat -l
shows a list of the virtual devices and installed policies
fw vsx stat -v
shows a list of the virtual devices and installed policies (verbose)
reset_gw
resets the gateway, clearing all previous virtual devices and settings.
|