Troubleshoot VPN on Juniper (ScreenOS) firewalls

get vpn
get sa cookies
debug ike basic
get event type 536

unset TMOUT    (Linux/expert shell: disables the idle-logout timer for the current session)

Check Point VSX

vsx stat
Show the virtual systems created on this firewall:
vsx stat -l
Enter a vsys:
vsx set 1

Check Point NTP

ntp -n <interval> <server1> [<server2>]
ntp -n 3600 171.26.238.126 171.26.238.127

idle XX    increase the idle timeout, where XX is the number of minutes the SSH session stays active (works on IPSO too)

route    show routes
or
fw getifs    lists the interfaces with IP and netmask

ip address show    show the MAC and IP addresses per interface
or
ip link list
***
ip route
ip route show    show destination/netmask/interface, and the VRRP address the traffic will use
***
ip neigh show    show the machine's current ARP/neighbour cache

Restart cpd on VSX
=====================
killall cpd
cpwd_admin start -name CPD -path "$CPDIR/bin/cpd" -command "cpd"


SPLAT platform:
#ethtool ethX
#ethtool -h

Turn on the interface LED on SPLAT (to identify the port physically):
#ethtool -p ethX

Wizard to configure the SPLAT
#sysconfig

Change interface numbering on HP hardware:
vi /etc/sysconfig/ethtab
ifconfig -a | grep HW


Provider One
cd $MDSDIR
mdsstat
mdsenv CMA_Madrid
cpstart
cpstop  
 
Stop and start all CMAs on Provider One:
mdsstop -s
mdsstart -s  
 
Do a cpstop/cpstart (e.g. after a SIC reset) and keep remote access after the cpstart. Without a policy the gateway comes up with the initial policy, which blocks the SSH session, so a second terminal unloads it:
terminal1: cpstop
terminal2: sleep 300 && fw unloadlocal
terminal1: cpstart
 
Check the checkpoint version
fw ver -k
 
Check the license on checkpoint
cplic print
 
Check cluster member status (ClusterXL / Nokia cluster)
cphaprob stat
 
Restart the checkpoint software
cpstop
cpstart
 
Stop/Start the MDS and all CMAs on Provider-1
mdsstop
mdsstart
 
Check checkpoint info
cpinfo
 
Check the ipsec tunnel
vpn tunnelutil

Secure XL:
fwaccel on
fwaccel off
fwaccel stat

Check Nat table:
fw tab -t fwx_alloc -f

Removing the errors (i.e. clearing the host count)
fw tab -t host_table -x    (clears the host table; the licensed-host count starts again from zero)

Save the Check Point routing table:
netstat -rn | grep ^[0-9] | awk '{printf "route add -net %-15s gw %-15s netmask %s\n", $1, $2, $3}' | sort > exported_routes.out
netstat -rn | grep ^[0-9] | awk '{printf "%-15s %-15s %s\n", $1, $3, $2}' | sort
netstat -rn | grep 10.50.36. | grep ^[0-9] | awk '{printf "%-15s %-15s %s\n", $1, $3, $2}' | sort
netstat -rn | grep eth8.10 | grep ^[0-9] | awk '{printf "%-15s %-15s %s\n", $1, $3, $2}' | sort

[Expert@scbedcl-fw001]# more exported_routes.out
route add -net 0.0.0.0         gw 194.29.97.1     netmask 0.0.0.0
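The awk one-liner above, as an added example (not part of the original notes), wrapped in a function that reads a `netstat -rn` listing from stdin and prints re-runnable Linux `route add` commands. It assumes the Linux netstat column order (Destination Gateway Genmask Flags MSS Window irtt Iface). Unlike the one-liner it prints the default route as `default gw`, leaves `gw` off directly-connected routes (gateway 0.0.0.0, which would fail when replayed), and records the interface with `dev`. The sample listing is constructed from addresses used on this page.

```shell
# Usage: netstat -rn | export_routes [pattern]
# pattern filters rows, like the "grep 10.50.36." / "grep eth8.10" variants.
export_routes() {
    pat=${1:-.}
    awk -v pat="$pat" '
        # data rows start with a digit; the two header lines do not
        $1 ~ /^[0-9]/ && $0 ~ pat {
            if ($1 == "0.0.0.0" && $3 == "0.0.0.0")
                printf "route add default gw %s dev %s\n", $2, $8
            else if ($2 == "0.0.0.0")
                printf "route add -net %s netmask %s dev %s\n", $1, $3, $8
            else
                printf "route add -net %s gw %s netmask %s dev %s\n", $1, $2, $3, $8
        }' | sort
}

# Constructed sample listing (not captured from a real box).
SAMPLE_NETSTAT='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         194.29.97.1     0.0.0.0         UG        0 0          0 eth0
10.50.36.0      0.0.0.0         255.255.255.0   U         0 0          0 eth8.10
194.29.98.32    10.24.152.1     255.255.255.224 UG        0 0          0 eth1'

# Run the sample through the converter, optionally with a row filter.
sample_routes() {
    printf '%s\n' "$SAMPLE_NETSTAT" | export_routes "$@"
}

sample_routes             # all three routes
sample_routes 'eth8.10'   # only the eth8.10 row, as in the grep variant
```

Replaying the output on another box is then `sh exported_routes.out`; review the file first, because a default route copied from the wrong gateway is the classic way to lose the management session.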


PROVIDER-1 and MLM:
=====================
0 2 * * * find /opt/CPmds-R75.20/customers/*/CPsuite-R75.20/fw1/conf/db_versions/repository/* -mtime +10 -exec rm -R {} \;
10 2 * * * find /opt/CPmds-R75.20/customers/CMADCS2BEF/CPsuite-R75.20/fw1/log/* -mtime +10 -exec rm {} \;

#!/bin/bash
# Remove Check Point log files older than 8 days from every customer (CMA)
# log directory on this MDS. The paths are release-specific (R75.20 here).

echo "Remove old Logs > 8 days"

find /var/opt/CPmds-R75.20/customers/*/CPsuite-R75.20/fw1/log/*.log -mtime +8 -exec rm {} \;
find /var/opt/CPmds-R75.20/customers/*/CPsuite-R75.20/fw1/log/*.logaccount_ptr -mtime +8 -exec rm {} \;
find /var/opt/CPmds-R75.20/customers/*/CPsuite-R75.20/fw1/log/*.loginitial_ptr -mtime +8 -exec rm {} \;
find /var/opt/CPmds-R75.20/customers/*/CPsuite-R75.20/fw1/log/*.logptr -mtime +8 -exec rm {} \;

echo "Done"


Delete a month's worth of log files by name (the for-loop-over-ls form this used to be is unnecessary and breaks on names containing spaces):
rm -rf -- 2011-07*
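The same age-based cleanup as the cron jobs and script above, as an added example (not the original job) with the safety checks a production cron entry should have: the directory, the age in days and a dry-run switch are parameters, so nothing about the R75.20 paths is hard-coded, and only regular files with one of the four Check Point log suffixes named above are touched. Only POSIX find options are used. The sample directory is constructed for the demonstration.

```shell
# Usage: prune_logs DIR DAYS [--dry-run]
prune_logs() {
    dir=$1
    days=$2
    mode=${3:-}
    # Refuse arguments that would make rm catastrophic or the find meaningless.
    case "$dir" in ''|/) echo "prune_logs: refusing to prune '$dir'" >&2; return 2 ;; esac
    case "$days" in ''|*[!0-9]*) echo "prune_logs: DAYS must be a number" >&2; return 2 ;; esac
    [ -d "$dir" ] || { echo "prune_logs: no such directory: $dir" >&2; return 2; }
    # Only regular files with a Check Point log suffix, modified more than
    # DAYS days ago. Note this recurses below DIR, unlike the dir/* form above.
    if [ "$mode" = "--dry-run" ]; then
        find "$dir" -type f \( -name '*.log' -o -name '*.logptr' \
             -o -name '*.loginitial_ptr' -o -name '*.logaccount_ptr' \) \
             -mtime +"$days" -print
    else
        find "$dir" -type f \( -name '*.log' -o -name '*.logptr' \
             -o -name '*.loginitial_ptr' -o -name '*.logaccount_ptr' \) \
             -mtime +"$days" -exec rm -f -- {} +
    fi
}

# Number of files a real run would remove (line count of the dry run).
count_prunable() {
    prune_logs "$1" "$2" --dry-run | wc -l | tr -d ' '
}

# Constructed log directory so the function can be exercised offline:
# two old log files (mtime forced to 2000-01-01 with POSIX touch -t), one
# fresh log, and one old file with an unrelated suffix that must survive.
make_sample_logdir() {
    d=$(mktemp -d) || return 1
    touch -t 200001010000 "$d/2000-01-01_000000.log" "$d/2000-01-01_000000.logptr" "$d/old.bak"
    touch "$d/fw.log"
    printf '%s\n' "$d"
}

sample=$(make_sample_logdir)
prune_logs "$sample" 8 --dry-run     # lists the two old log files
prune_logs "$sample" 8
rm -rf "$sample"
```

Run it from cron with the dry-run flag first and read the output; `-mtime +8` means "more than 8 whole days", so files modified 8 days and 23 hours ago are still kept.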
=========================
NOKIA FIREWALL
=========================
Configure physical interface parameters

set [slot <1-15>] interface phys_if_name speed <10M | 100M | 1000M>
duplex <full | half>
auto-advertise <on | off>
link-recog-delay <1-255>
active <on | off>
flow-control <on | off>
Configure a new VLAN interface

add interface log_if_name vlanid <2-4094> address ip_address/masklen <0-31>
set logical-name new_log_if_name

add interface eth-s2p1 vlanid 306 address 10.91.109.139/29 comments TO_MDS
add interface eth-s2p1 vlanid 307 address 10.91.109.131/29 comments TO_MLM
add mcvr vrid 36 backup-address 10.91.109.137
add mcvr vrid 36 backup-address 10.91.109.129

delete interface eth-s4p1c1

enable | disable

Configure and enable SNMP (read-only community, appended to snmpd.conf in cleartext; choose a community string that is not guessable):
echo rocommunity T1vol1 >> /etc/snmp/snmpd.conf
snmp service enable

Run cpconfig to enable the SNMP Extension (usually option 2)

cpshell
adduser netkir
usermod -s /bin/bash netkir


Configure routes
================================

Delete a route:
set static-route xxx.xxx.xxx.xxx/yy nexthop gateway address xxx.xxx.xxx.xxx off

Change the default route:
set static-route default nexthop gateway address xxx.xxx.xxx.xxx on

Check cluster (IPSO cluster):
show clusters

Check VRRP:
show vrrp summary

Check Nokia details:
show asset [hardware] [packages] [software]

Upgrade IPSO:
Upload the new image ipso.tgz to the firewall, then:
newimage -R -b -k -l ipso.tgz

Force IP forwarding:
After a fw unloadlocal you need to force IP forwarding in order to keep routing packets:
ipsofwd on admin


SIC RESET ON NOKIA FW:
========================
cd $FWDIR/conf
vi initial_module.pf
delete the 2 lines containing the webgui client sources for https and ssh

vi initial_management.pf
delete the 2 lines containing the webgui client sources for https and ssh

cd $FWDIR/bin
./comp_init_policy -g
cp_conf sic init vpn123; fw unloadlocal
 
OR
===
cp_conf sic init vpn123; fw unloadlocal

(vpn123 is the one-time activation key, the same key you type when re-establishing trust in SmartDashboard; fw unloadlocal removes the local policy so the management server can reach the module again.)

FAILOVER CHECK POINT FIREWALLS
==============================
clusterXL_admin down
clusterXL_admin up


Add route in RTIP
GSFR0S2-PE100203#show run | inc 10.50.108.244
ip route vrf VPN0103 93.186.25.33 255.255.255.255 10.50.108.244 tag 103001
ip route vrf VPN0103 193.109.81.33 255.255.255.255 10.50.108.244 tag 103001

 
Get the policy back from the management (CMA) onto the Nokia:
fw fetch x.x.x.x (cma ip)
 
Unload the policy:
fw unloadlocal
 
Force a failover:
(Juniper - master)  exec nsrp vsd-group id 0 mode ineligible
(Juniper - backup)  exec nsrp vsd-group id 0 mode master
 
(Check Point)  shut down an interface the cluster monitors
 
Capture packets directly on the interface (Nokia):
tcpdump -i <ifname> src 10.214.32.122 and dst 164.140.215.244
fw monitor -e 'accept src=10.214.32.122 and dst=164.140.215.244;'
snoop -o filename   (Solaris)
snoop from 10.11.3.55 to ...
 
Check the status of firewall connection
cpstat fw
cpstat ha
cpstat vpn
cpstat os
cpstat -vs 1 os -f cpu, mem, ifconfig
 
Install an access list  directly on the nokia
fw ctl …
 
Check high availability
(Check Point / IPSO) show vrrp
(Juniper) get nsrp
 
Bluecoat: create a user
enable
configure terminal
security local-user-list
user create XXX
user edit XXX
group add ReadWrite
password XXX
exit  exit  exit  exit
 
Bluecoat: change the group of a user
enable
configure terminal
security local-user-list
user edit XXX
group remove ReadOnly
group add ReadWrite
exit  exit  exit  exit

Check Point: check VPN tunnels on a VSX virtual system
vpn -vs <vs id> tu

Juniper:
get session ike-nat
 
Juniper: Add a user in read only mode
set admin user Support password 1231456 privilege read-only
 
Find a string in any file on Solaris / Linux (stderr silenced to skip unreadable files):
find / -type f -exec grep -l "string_here" {} \; 2>/dev/null
 
Delete old files:
find /etc/iscan/log -mtime +5 -exec rm {} \;
 
Show the group of one user:
groupview -gm -u INT/Gxxxxx | findstr NWBC
 
Show the number of connections on port XXX (anchor the port with ":" and a trailing space, otherwise the grep also matches addresses containing those digits):
netstat -an | grep ":xxx " | wc -l

Show the next hop for a specific host:
ip -s route get x.x.x.x

set network config:
ifconfig Lan2 up
vconfig add Lan2 112
vconfig add Lan2 97
ifconfig Lan2.112 inet 10.24.152.77 netmask 255.255.255.240
ifconfig Lan2.97 inet 10.24.152.61 netmask 255.255.255.240

inet 10.63.136.150 netmask 255.255.255.0

ifconfig eth0 up
vconfig add eth0 104
ifconfig eth0.104 inet 10.50.24.254 netmask 255.255.255.248

ifconfig --save

set routing config:
route add -net 194.29.98.32 netmask 255.255.255.224 gw 10.24.152.1  
route add -net 194.29.98.160 netmask 255.255.255.224 gw 10.24.152.1
route add -host 194.29.98.175 gw 10.24.152.1  
route add -host 194.29.98.184 gw 10.24.152.1  
route add default gw 83.137.242.1
route --save

This is a quick reference guide to the most popular and widely used Nokia Clish Commands. You can manage the Nokia firewall as much from the Command Line Interface as from Voyager.
—setting default gateway
set static-route default nexthop gateway address 192.168.29.2 priority 1 on
—adding static routes
set static-route 172.23.124.150/32 nexthop gateway address 192.168.29.50 on
—Add proxy arp
add arpproxy address 192.168.29.56 macaddress 0:a0:8e:7d:13:d0
add arpproxy address 192.168.29.57 macaddress 0:a0:8e:7d:13:d0
—Add an interface
set interface eth1 speed 100M duplex full active on
add interface eth1c0 address 192.168.29.54/24 enable
—VRRP
set vrrp accept-connections on
set vrrp coldstart-delay 60
set vrrp interface eth1c0 monitored-circuit vrid 54 monitored-interface eth2c0 on
set vrrp interface eth1c0 monitored-circuit vrid 54 monitored-interface eth2c0 priority-delta 10
set vrrp interface eth1c0 monitored-circuit vrid 54 monitored-interface eth3c0 on
set vrrp interface eth1c0 monitored-circuit vrid 54 monitored-interface eth3c0 priority-delta 10
set vrrp interface eth1c0 monitored-circuit vrid 54 priority 100
set vrrp interface eth1c0 monitored-circuit vrid 54 hello-interval 1
set vrrp interface eth1c0 monitored-circuit vrid 54 vmac-mode default-vmac
set vrrp interface eth1c0 monitored-circuit vrid 54 backup-address 192.168.29.1 on
—Set ntp servers
add ntp server 10.1.1.2 version 3 prefer yes
add ntp server 10.1.1.1 version 3 prefer yes
—Setting Time zone
set date timezone-city "Greenwich (GMT)"
—Add hostname
set hostname testbox
—Add Host address assignments
add host name testbox ipv4 192.168.29.54

TCPDUMP
——-
tcpdump -i 0.0 host … -w out.cap
tcpdump -i any host 10.64.128.217 or host 10.64.132.106 or host 10.64.132.103 and port 443
fw monitor -v 1 -e "accept net(192.168.246.110,31) and host(10.64.150.12);"

ONLY ICMP PACKETS:
———————-
fw monitor -v 1 -e "accept host(194.29.98.227) and ip_p=1;"

F5 – TMOS:
===========
tmsh
create ltm node 10.90.126.68%3 screen SCBEDCB-PR001 up
create ltm node 10.90.126.69%3 screen SCBEDCB-PR002 up
modify ltm node 10.90.126.68%3 screen SCBEDCB-PR001

create ltm pool B_PROXY_SERVICEGROUP_8080
modify ltm pool B_PROXY_SERVICEGROUP_8080 members add { 10.90.126.68%3:8080 } members add {10.90.126.69%3:8080}
modify ltm pool B_PROXY_SERVICEGROUP_8080 monitor tcp

create ltm virtual F_PROXY_SERVICEGROUP_8080 destination 10.90.126.193%3:8080 vlans add { VSSERVICEGROUP_INTERNAL_806 } pool B_PROXY_SERVICEGROUP_8080 vlans-enabled disabled


MONITORING F5:
==============
tmsh
modify sys snmp allowed-addresses add { 10.146.244.0/26 }
create sys management-route 10.146.244.0/26 gateway 192.168.240.193
create sys management-route 10.91.0.0/18 gateway 192.168.240.193
create sys management-route 10.91.96.0/19 gateway 192.168.240.193
save sys config


CHECK with TMOS:
================
show ltm node 10.90.126.68%3


SET SYSLOG SERVER:
====================
tmsh modify sys syslog remote-servers add {log2.gdfsuez..net {host 10.91.32.30 remote-port 514 }}
tmsh save sys config

SPLUNK:
=======
Reindex data with oneshot command:
find /opt/splunk/var/log/juniperssl/ | xargs -n 1 -I xxx sudo /opt/splunk/bin/splunk add oneshot xxx -index networksecurity -sourcetype juniperssl_2011 -host scfr0s2-ssl001.mux.isinfra.net

Index one file:
sudo /opt/splunk/bin/splunk add oneshot SGW1_main__2260513230000.log.gz -index networksecurity -sourcetype bluecoat -host scbedcb-pr001.mux.isinfra.net

delete logs in cli:
sudo /opt/splunk/bin/splunk search 'source="/opt/splunk/var/log/proxies/belgium/SGL1_main__2250222000000.log.gz" | delete'

PROXIES:
==============
INCREASE TIMEOUT FOR A WEBSITE (ProxySG CPL):
<proxy>
url.domain = "ocsygen-int.gdfsuez.com" http.server.recv.timeout(1800)

Check the access for user in windows domain:
net user BAH237 /dom
net group “group name” /dom
net LOCALGROUP INTERNET_HTTP_8080 >> C:\INTERNET_HTTP_8080.txt
 
Ip address on laptop:
Show the configuration ip:
netsh interface ip show config
Change Ip address on XBOW laptop:
netsh interface ip set address name="Local Area Connection" static 192.168.0.100 255.255.255.0 192.168.0.1 1
Export to file:
netsh -c interface dump > c:\location1.txt
Import from file:
netsh -f c:\location1.txt  
Put the interface in DHCP mode:
netsh interface ip set address “Local Area Connection” dhcp

OPENSSL:
=========

OpenSSL (https://www.sslshopper.com/ssl-converter.html):
cd C:\OpenSSL-Win32\bin\
set OPENSSL_CONF=c:\OpenSSL-Win32\bin\openssl.cfg

Extract the private key from a .pfx file and write it to a PEM file (the key is written encrypted unless -nodes is added):
openssl.exe pkcs12 -in publicAndprivate.pfx -nocerts -out privateKey.pem

openssl pkcs12 -in C:\tools\certificate\ -out file.pem
openssl.exe pkcs12 -export -out C:\tools\certificate\wildcard.gdfsuez.net.pfx -inkey C:\tools\certificate\wildcard.gdfsuez.com_chained_globalsign.key -in C:\tools\certificate\wildcard.gdfsuez.com_chained_globalsign.crt
openssl pkcs12 -in C:\tools\certificate\wildcard.gdfsuez.net.pfx -out C:\tools\certificate\certificate.cer -nodes

openssl.exe pkcs7 -in C:\tools\sge\sgeproxy.gdfsuez.com.p7b -out C:\tools\sge\file.pem

openssl x509 -inform der -in C:\tools\sge\sgeproxy.cer -out C:\tools\sge\sgeproxy.pem
openssl x509 -inform der -in MYCERT.cer -out MYCERT.pem

openssl pkcs7 -print_certs -in C:\tools\sge\sgeproxy.p7b -out certificate.cer

openssl x509 -inform der -in C:\tools\sge\sgeproxy.csr.cer -out C:\tools\sge\sgeproxy.pem

openssl.exe pkcs12 -export -out C:\tools\sge\sgeproxy.pfx -inkey C:\tools\sge\sgeproxy.key -in C:\tools\sge\sgeproxy.cer
openssl pkcs12 -in C:\tools\sge\sgeproxy.pfx  -out C:\tools\sge\sgeproxy.pem
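The conversions above as one self-checking round trip, added here as an example and not part of the original notes. It generates a throwaway key and self-signed certificate (the CN and file names are arbitrary assumptions), packs them into a .pfx the way the `-export` lines do, unpacks key and certificate again, converts the certificate PEM to DER and back (`x509 -inform der`), and proves nothing was lost by comparing SHA-256 fingerprints and public-key digests. It also checks that the bundle's MAC rejects a wrong password. Assumes an `openssl` binary (1.1 or 3.x) on PATH; the password is "changeit".

```shell
# Returns 0 when every conversion step succeeded and the material survived
# the trip unchanged; 1 on the first failure. Work files live in a temp dir.
pkcs12_roundtrip() {
    work=$(mktemp -d) || return 1
    pw=pass:changeit
    # 1. throwaway key + self-signed cert (assumed CN; never reuse for real)
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=roundtrip.example" \
        -keyout "$work/key.pem" -out "$work/cert.pem" 2>/dev/null || return 1
    # 2. bundle into PKCS#12, like the wildcard .pfx export above
    openssl pkcs12 -export -inkey "$work/key.pem" -in "$work/cert.pem" \
        -out "$work/bundle.pfx" -passout "$pw" 2>/dev/null || return 1
    # 3. a wrong password must fail the MAC check before anything is extracted
    if openssl pkcs12 -in "$work/bundle.pfx" -nokeys -passin pass:wrong \
        -out /dev/null 2>/dev/null; then
        rm -rf "$work"; return 1
    fi
    # 4. split the bundle again: unencrypted private key (-nodes) and cert only.
    #    -nodes writes the key in clear on disk: do this in a directory with
    #    restrictive permissions and delete it afterwards.
    openssl pkcs12 -in "$work/bundle.pfx" -nocerts -nodes \
        -out "$work/key2.pem" -passin "$pw" 2>/dev/null || return 1
    openssl pkcs12 -in "$work/bundle.pfx" -clcerts -nokeys \
        -out "$work/cert2.pem" -passin "$pw" 2>/dev/null || return 1
    # 5. PEM -> DER -> PEM for the certificate (the "x509 -inform der" lines)
    openssl x509 -in "$work/cert2.pem" -outform der -out "$work/cert.der" || return 1
    openssl x509 -inform der -in "$work/cert.der" -out "$work/cert3.pem" || return 1
    # 6. compare: certificate fingerprints and public-key digests must match
    fp1=$(openssl x509 -noout -fingerprint -sha256 -in "$work/cert.pem")
    fp3=$(openssl x509 -noout -fingerprint -sha256 -in "$work/cert3.pem")
    pk1=$(openssl pkey -in "$work/key.pem" -pubout 2>/dev/null | openssl dgst -sha256)
    pk2=$(openssl pkey -in "$work/key2.pem" -pubout 2>/dev/null | openssl dgst -sha256)
    rm -rf "$work"
    [ -n "$fp1" ] && [ "$fp1" = "$fp3" ] && [ -n "$pk1" ] && [ "$pk1" = "$pk2" ]
}

pkcs12_roundtrip && echo "PKCS#12 / PEM / DER round trip OK"
```

The fingerprint comparison is the check worth keeping when converting real certificates: a successful exit code from `openssl pkcs12` only proves the file parsed, not that the certificate you extracted is the one you meant to ship.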


Reset ip stack:
—————
ipconfig /flushdns
nbtstat -R
nbtstat -RR
netsh int reset all
netsh int ip reset
netsh winsock reset

GET INTERNET GROUP ACCESS:
————————–
net user BAH237 /dom | findstr G..[0-9].Users

Linux:
======
df -hP | column -t

Introduction to vi
------------------
==      indent the current line
=}      indent to the end of the paragraph
gg=G    re-indent the whole file



Search (wraps around at end of file):

  Search STRING forward :   / STRING
  Search STRING backward:   ? STRING

  Repeat search:   n
  Repeat search in opposite direction:  N  (SHIFT-n)


Replace: same syntax as sed, replace OLD with NEW:

 
 First occurrence on current line:      :s/OLD/NEW
 
 Globally (all) on current line:        :s/OLD/NEW/g

 Between two lines #,#:                 :#,#s/OLD/NEW/g
 
 Every occurrence in file:              :%s/OLD/NEW/g
Command     Description
:q          quit the editor (without saving)
:q!         force quit without saving (even if the document was modified)
:wq         save the document and quit
:w name     save the document under the given name
Editing commands
Command     Description
x           delete the character under the cursor
dd          delete the current line
xdd         delete x lines starting at the current one
nx          delete n characters starting at the cursor
x>>         indent x lines to the right, starting at the current one
x<<         indent x lines to the left, starting at the current one
Search and replace
To search for a word, type / followed by the string (in normal mode) and press Enter. You can then jump from match to match with n.
To replace one string with another on a line, vi has a powerful command that accepts regular expressions:
:s/string_to_replace/replacement/
It can be applied to the whole document with:
:%s/string_to_replace/replacement/
Copy/paste and cut/paste
vi can copy a block of lines. To copy (yank) n lines, type:
nyy
For example, this copies 16 lines into the buffer:
16yy
To paste the selection, press p.
Cutting n lines works the same way with:
ndd
then p to paste.


EXCEL:
========
=IF(B1="NOT IN CORP", "NOT IN CORP",CONCATENATE(LEFT(B1,5),"Users"))


LINUX COMMANDS:
===============
Shell command to delete all but the newest files in a directory (tail -n +10 skips the first 9 lines of the newest-first listing, so this keeps the 9 newest; use tail -n +2 to keep only the single newest file):
ls -1t /home/lamp/tmp/netsec.gdfsuez.net | tail -n +10 | xargs -I{} -n1 rm "{}"
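The "keep only the N newest" idiom above as a function, added here as an example and not part of the original notes. The count is a parameter, N is validated, subdirectories under DIR are left alone, and names containing spaces survive (the one case neither this nor the xargs form handles is a filename containing a newline). Ordering comes from `ls -t`, so it assumes the files' mtimes reflect their age, which log rotation normally guarantees. The sample directory is constructed for the demonstration.

```shell
# Usage: keep_newest DIR N
keep_newest() {
    dir=$1
    n=$2
    case "$n" in ''|*[!0-9]*|0) echo "keep_newest: N must be a positive integer" >&2; return 2 ;; esac
    [ -d "$dir" ] || { echo "keep_newest: no such directory: $dir" >&2; return 2; }
    # ls -tp: newest first, directories marked with a trailing slash so they
    # can be skipped; tail -n +K starts at line K, so +$((n+1)) is
    # "everything after the first n".
    ( cd "$dir" && ls -1tp | grep -v '/$' | tail -n +$((n + 1)) ) |
    while IFS= read -r f; do
        rm -f -- "$dir/$f"
    done
}

# Constructed directory: five files with one-minute-apart mtimes (POSIX
# touch -t), oldest "a" to newest "e", plus a subdirectory that must survive.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    i=1
    for name in a b "c with space" d e; do
        touch -t "20000101000$i" "$d/$name"
        i=$((i + 1))
    done
    mkdir "$d/archive"
    printf '%s\n' "$d"
}

# Remaining regular files in DIR, newest first, comma-separated.
list_files() {
    ( cd "$1" && ls -1tp | grep -v '/$' ) | paste -sd, -
}

sample=$(make_sample_dir)
keep_newest "$sample" 2
list_files "$sample"      # e,d
rm -rf "$sample"
```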



Export users and groups from the management database:
fw dbexport [ [-g group | -u user ] [-d delim] [-a {attrib1, attrib2,...}] [-f filename] ]


Check Point commands generally come under cp (general), fw (firewall), and fwm (management).

CP, FW & FWM
cphaprob stat     List cluster status
cphaprob -a if     List status of interfaces
cphaprob syncstat
    shows the sync status
cphaprob list
    Shows a status in list form
cphastart/cphastop     Starts/stops clustering on this node
cp_conf sic     SIC (Secure Internal Communication) operations, e.g. reset/init
cpconfig     config util
cplic print     prints the license
cprestart     Restarts all Check Point Services
cpstart     Starts all Check Point Services
cpstop     Stops all Check Point Services
cpstop -fwflag -proc
    Stops all checkpoint Services but keeps policy active in kernel
cpwd_admin list     List checkpoint processes
cplic print     Print all the licensing information.
cpstat -f all polsrv
    Show VPN Policy Server Stats
cpstat
    Shows the status of the firewall

    
fw tab -t sam_blocked_ips     List IPs blocked via SAM (the SmartView Tracker block action)
fw tab -t connections -s
    Show connection stats
fw tab -t connections -f
    Show connections with IP instead of HEX
fw tab -t fwx_alloc -f
    Show fwx_alloc with IP instead of HEX
fw tab -t peers_count -s
    Shows VPN stats
fw tab -t userc_users -s
    Shows VPN stats
fw checklic     Check license details
fw ctl get int [global kernel parameter]
    Shows the current value of a global kernel parameter
fw ctl set int [global kernel parameter] [value]
    Sets the current value of a global kernel parameter. Temporary only; cleared after reboot.
fw ctl arp     Shows arp table
fw ctl install     Install hosts internal interfaces
fw ctl ip_forwarding     Control IP forwarding
fw ctl pstat     System Resource stats
fw ctl uninstall     Uninstall hosts internal interfaces
fw logexport -o file     Export the current log file to ASCII
fw fetch     Fetch security policy and install
fw fetch localhost
    Installs (on gateway) the last installed policy.
fw hastat
    Shows Cluster statistics
fw lichosts     Display protected hosts
fw log -f     Tail the current log file
fw log -s -e     Retrieve logs between times
fw logswitch     Rotate current log file
fw lslogs     Display remote machine log-file list
fw monitor     Packet sniffer
fw printlic -p     Print current Firewall modules
fw printlic     Print current license details
fw putkey     Install authentication key onto host
fw stat -l    
    Long stat list, shows which policies are installed
fw stat -s     Short stat list, shows which policies are installed
fw unloadlocal     Unload policy
fw ver -k     Returns version, patch info and kernel info
fwstart     Starts the firewall
fwstop     Stop the firewall

    
fwm lock_admin -v
    View locked admin accounts
fwm dbexport -f user.txt     used to export users , can also use dbimport
fwm_start
    starts the management processes
fwm -p     Print a list of Admin users
fwm -a     Adds an Admin
fwm -r     Delete an administrator

Provider 1
mdsenv [cma name]
    Sets the mds environment
mcd
    Changes your directory to that of the environment.
mds_setup
    To setup MDS Servers
mdsconfig
    Alternative to cpconfig for MDS servers
mdsstat     To see the processes status
mdsstart_customer [cma name]
    To start cma
mdsstop_customer [cma name]
    To stop cma
cma_migrate
    To migrate an Smart center server to CMA
cmamigrate_assist
    Use if you don't want to go through the pain of tar/zip/ftp; it enables FTP on the SmartCenter server for the transfer

VPN
vpn tu                                           
    VPN utility, allows you to rekey vpn
vpn ipafile_check ipassignment.conf detail?
    Verifies the ipassignment.conf file
dtps lic
    show desktop policy license status
cpstat -f all polsrv
    show status of the dtps
vpn shell /tunnels/delete/IKE/peer/[peer ip]
    delete IKE SA
vpn shell /tunnels/delete/IPsec/peer/[peer ip]
    delete Phase 2 SA
vpn shell /show/tunnels/ike/peer/[peer ip]
    show IKE SA
vpn shell /show/tunnels/ipsec/peer/[peer ip]
    show Phase 2 SA
vpn shell show interface detailed [VTI name]
    show VTI detail

Debugging
fw ctl zdebug drop
    shows dropped packets in realtime / gives reason for drop

SPLAT Only
router
    Enters router mode for use on Secure Platform Pro for advanced routing options
patch add cd
    Allows you to mount an iso and upgrade your checkpoint software (SPLAT Only)
backup
    Allows you to perform an operating system backup
restore
    Allows you to restore your backup
snapshot
    Performs a system backup which includes all Check Point binaries. Note : This issues a cpstop.

VSX
vsx get [vsys name/id]
    get the current context
vsx set [vsys name/id]
    set your context
fw -vs [vsys id] getifs
    show the interfaces for a virtual device
fw vsx stat -l
    shows a list of the virtual devices and installed policies
fw vsx stat -v
    shows a list of the virtual devices and installed policies (verbose)
reset_gw
    resets the gateway, clearing all previous virtual devices and settings.
