Advanced Technical Reference Guide VPN-1/FireWall-1® Check Point 2000
If you are reading this in a PDF file Note that the entries in this Table of Contents are not links.
Preface
Scope
The FireWall-1 Advanced Technical Reference Guide is intended to help System Administrators:
1. Resolve common problems
2. Implement complex features
The guide was put together by the Check Point Escalation Support team, and makes available some of their real-world experience in assisting customers. Every chapter was written by a specialist in the field. This guide does not duplicate the User Guides or Courseware.
Summary of Contents
What would you like to see in this guide? Is there too much detail or not enough?
The Advanced Technical Reference Guide contains the following chapters.
Chapter 1: Troubleshooting Overview
Troubleshooting VPN-1/FireWall-1 issues can be very complex. Problems can be caused by network topologies, platform issues and the wide range of VPN-1/FireWall-1 features. Efficient troubleshooting must start with a carefully organized plan.
Troubleshooting Guidelines
1. Define the problem as a list of symptoms. Every problem can be described as a collection of symptoms. The first step is to define these symptoms.
Information to Gather
Chapter 2: Troubleshooting Tools
In This Chapter:
fwinfo, page 6
Introduction, page 6
How to create fwinfo
Troubleshooting Tools
This chapter describes the most important tools for troubleshooting VPN-1/FireWall-1 problems. These tools include fwinfo, the Control (fw ctl) commands, the Monitor (fw monitor) command and debugging with INSPECT.
fwinfo
Introduction
fwinfo is used to collect the information needed for debugging and solving VPN-1/FireWall-1 problems.
How to use the fwinfo output file
The fwinfo file contains a lot of information. It is intended mainly for analysis by Check Point Support. However, you can use it to solve problems by examining the file contents yourself. You will probably find only a small portion of it to be useful.
VPN-1/FireWall-1 Control Commands
fw ctl
fw ctl commands send control information to the VPN/FireWall Kernel module. The syntax and explanation here are based on the VPN-1/FireWall-1 Administration Guide (version 4.0) or the VPN-1/FireWall-1 Reference Guide (version 4.1 and Check Point 2000). This section focuses on understanding the VPN-1/FireWall-1 internal statistics that are displayed, and on the debug options of the fw ctl commands.
fw ctl pstat
The following is an explanation of some typical output from the fw ctl pstat command, which generates internal statistics. It prints detailed information about the hash kernel memory in use (controlled by the parameter fwhmem) and the system kernel memory in use, including peak values of both.
fw ctl debug
The fw ctl debug command is a powerful debugging tool, which is very helpful when debugging VPN-1/FireWall-1. With its many options it is possible to see nearly everything that happens in the kernel module.
Option: driver
Meaning: Access to the kernel module is shown (log entries).
Example Output:
fw_read: non blocking read returns
fw_read: log_first = 1276, len = 36
fw_read: log_first = 1316, len = 36
fw_read: log_first = 1356, len = 52
Explanation: These are kernel calls that read log entries.
crypt
With this option turned on, all the encrypted/decrypted packets are printed in clear text and cipher text. The algorithms and keys that are used are also printed.
Example: Encrypting ICMP with fwz1 using SecuRemote. (The line numbers are not shown in the actual debugging output and have been added for convenience.)
Output
1. fw_crypt: op=decrypt method=0 md=1 entry=4 len=60 offset=24
2.
Explanation
5. ,51,52,6B,63,4,C2) - the actual MD5 key.
6. niv=4 iv=(1C,4,0,0) - the initialization vector used in the process of calculating the data encryption key.
7. Crunched iv=(1C,4,0,0,1C,4) - the actual initial vector that is used in the data encryption key calculation.
8. just before calling fwcrypto_do() - a debugging line that says that the actual function that does the encryption is about to be called.
9. The actual data in the packet, still encrypted (the first 20 bytes are the header, then 8 bytes of ICMP header; the rest is the actual data in this packet - an ICMP echo request).
10. mdlen=16 - the MD5 checksum length is 16. md=(B1,8B,69,CA,62,FE,AB,67,79,27,88,55,15,14,7F,B4) - the actual MD5 hash. No errors are reported, meaning the data integrity is not compromised.
11.
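The crypt output above is a mix of key=value tokens and parenthesised hex byte lists. The following parser is added here as an illustration; it is not taken from the guide or from Check Point's code. It reads such lines into Python values and applies the consistency checks a reader makes by hand: the md length equals mdlen, the iv length equals niv and, in this sample, the crunched iv begins with the iv. The sample lines are the ones printed above; the truncated MD5 key line is left out.

```python
import re

# Constructed sample: the crypt debug lines shown above (MD5 key line omitted)
SAMPLE_LINES = [
    "fw_crypt: op=decrypt method=0 md=1 entry=4 len=60 offset=24",
    "niv=4 iv=(1C,4,0,0)",
    "Crunched iv=(1C,4,0,0,1C,4)",
    "mdlen=16 md=(B1,8B,69,CA,62,FE,AB,67,79,27,88,55,15,14,7F,B4)",
]

# key=value where the value is either a (hex,byte,list) or a bare token
TOKEN = re.compile(r"([A-Za-z_ ]+?)=(\([0-9A-Fa-f,]*\)|\S+)")


def parse_crypt_line(line):
    """Turn one debug line into a dict; byte lists become bytes, numbers ints."""
    fields = {}
    for match in TOKEN.finditer(line):
        key, raw = match.group(1).strip(), match.group(2)
        if raw.startswith("("):
            fields[key] = bytes(int(h, 16) for h in raw[1:-1].split(",") if h)
        elif raw.isdigit():
            fields[key] = int(raw)
        else:
            fields[key] = raw
    return fields


def parse_crypt_output(lines):
    """Return (header, values). The fw_crypt: summary line is kept apart because
    its md=1 flag would otherwise collide with the md=(...) digest bytes."""
    header, values = {}, {}
    for line in lines:
        target = header if line.startswith("fw_crypt:") else values
        target.update(parse_crypt_line(line))
    return header, values


def consistency_checks(values):
    """Checks a reader makes by hand when reading crypt debug output."""
    return {
        "md_len_matches_mdlen": len(values["md"]) == values["mdlen"],
        "iv_len_matches_niv": len(values["iv"]) == values["niv"],
        # observed in the sample above: the crunched iv starts with the iv
        "crunched_iv_starts_with_iv": values["Crunched iv"].startswith(values["iv"]),
    }


if __name__ == "__main__":
    hdr, vals = parse_crypt_output(SAMPLE_LINES)
    print(hdr)
    print({k: (v.hex() if isinstance(v, bytes) else v) for k, v in vals.items()})
    print(consistency_checks(vals))
```

Feeding the real output of fw ctl debug to parse_crypt_output line by line gives the same dictionaries; a false entry in consistency_checks points at a line that was truncated or mis-copied rather than at an integrity error in the packet.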
Explanation
1. VPN-1/FireWall-1 receives a back connection, type 8 code 0.
2. The request is an ICMP echo request (type 8).
3. VPN-1/FireWall-1 determines that the connection must be an outgoing connection (type 8 is echo request, not echo reply).
4. The connection matches the Rule Base.
5.
FireWall-1 Monitor Command
The fw monitor command can be used to monitor network traffic through the FireWall. This is done by loading a special INSPECT filter (separate from the one that implements the Security Policy) that filters out interesting packets, which are then displayed to the user.
Options
-d: Provides lower-level debug output from the filter loading process.
-D: Provides higher-level debug output from the filter loading process.
-e: Specify an INSPECT program line (multiple -e options can be used).
-f: Specify an INSPECT filter file name ('-' means the standard input); the file is copied before compilation. The -f and -e options are mutually exclusive.
snoop. Where snoop is the only way to obtain information, verify that the Sun patches have been applied before running snoop.
Files
$FWDIR/tmp/monitorfilter.pf: The (copied) INSPECT filter file.
$FWDIR/tmp/monitorfilter.* (.fc, .ft, etc.): Output files of the compilation. These are removed before the program exits.
Debugging with INSPECT
Important: Check Point will not support customer changes to the INSPECT code.
There are two main ways of using the INSPECT language to debug the Security Policy:
1. Changing the log format in order to display additional information about packets going through the FireWall.
2. Inserting debug lines in the INSPECT code to show run-time information and to check where the code is entered.
Using the debug command
The debug command makes it possible to see which part of the code is entered, and when. Insert a debug command at the end of the condition that you want to test. In the following example, we want to see when the test for an FTP connection succeeds, and to know the source of the packet (Ip_Src is defined in tcpip.def).
Chapter 3: Troubleshooting Network Address Translation
In This Chapter:
Introduction, page 22
Resolving Common NAT Problems, page 22
Optimizing Network Performance with NAT
Troubleshooting Network Address Translation
Introduction
Network Address Translation (NAT) involves replacing one IP address in a packet by another IP address. NAT is used in two cases:
1. The network administrator wishes to conceal the IP addresses of the internal networks from the Internet.
2. The IP addresses of the internal network are not valid Internet addresses.
Resolving Common NAT Problems
How to set up Hide Mode Address Translation behind a dynamic address
To hide a range of addresses behind a dynamic IP address, hide the range behind the IP address 0.0.0.0. VPN-1/FireWall-1 will determine the exact IP address of the hiding address as the address from which the packets exit.
1. Open the Security Policy editor.
2. Create a new workstation object for the network/address range being NATed.
3.
Note: The following instructions show how to change both the source and destination address in address translation rules. The procedure makes it possible to use the server's illegal IP address in the internal network by creating the following address translation rule:
1. Original Packet
Source: Internal-1 network | Destination: Server's Illegal | Service: any
2.
If there is a VPN/FireWall module on the client side of the Internet, as follows:
Server-------FW-1-------Internet---------FW-1---------Client
you can use DST Static Address Translation, which will translate the illegal IP address of the server to its legal IP address. For example, suppose that the server's illegal IP address is 10.0.0.1, and its legal IP address is 197.3.5.10.
"Leaky" NAT
For some connections (usually those with long timeouts), the internal IP address of the Address Translated object "leaks" through VPN-1/FireWall-1. This sometimes causes the connection to fail, since the reply is sent to an unknown IP address.
Cause
Leaky NAT is caused by the TCP timeout of that specific connection. When a TCP connection is inactive for too long, it is deleted from the NAT tables.
default value is 1 minute. This value is the time to wait between a SYN packet and a SYN-ACK packet. If this timer expires, the connection is erased from the tables. If the connection is resumed and is no longer in the tables, it can pass with no translation because it is absent from the NAT tables.
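The timeout mechanism just described can be modelled in a few lines. The following is an added illustration, not Check Point code or a real NAT table: a hide-mode table keyed by connection with an inactivity timeout, in which a packet that resumes a connection after its entry has aged out leaves with its internal source address untouched. The addresses, ports and the 3600-second timeout are constructed values for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True for the packet that opens the connection


class HideNat:
    """Hide-mode NAT table: internal sources are rewritten to hide_addr and a
    per-connection port; an entry is dropped after `timeout` idle seconds."""

    def __init__(self, hide_addr, timeout):
        self.hide_addr = hide_addr
        self.timeout = timeout
        self.table = {}           # (src, sport, dst, dport) -> [hide_port, last_seen]
        self.next_port = 10000    # constructed port pool for the example
        self.leaked = []          # packets that left with no translation

    def _expire(self, now):
        for key, (_, seen) in list(self.table.items()):
            if now - seen > self.timeout:
                del self.table[key]

    def outbound(self, pkt, now):
        """Translate an outbound packet at time `now`; returns the packet as it
        would appear on the external side."""
        self._expire(now)
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        entry = self.table.get(key)
        if entry is None and pkt.syn:            # new connection: create an entry
            entry = [self.next_port, now]
            self.next_port += 1
            self.table[key] = entry
        if entry is None:                        # resumed, but the entry timed out
            self.leaked.append(pkt)              # passes with the internal address
            return pkt
        entry[1] = now
        return Packet(self.hide_addr, entry[0], pkt.dst, pkt.dport, pkt.syn)


def simulate(timeout):
    """Open a connection, send once, stay idle for over an hour, then resume.
    Returns (source addresses seen externally, number of leaked packets)."""
    nat = HideNat("192.0.2.1", timeout)          # constructed hide address
    flow = [
        (0,    Packet("10.0.0.5", 40000, "198.51.100.9", 80, syn=True)),
        (30,   Packet("10.0.0.5", 40000, "198.51.100.9", 80)),
        (3700, Packet("10.0.0.5", 40000, "198.51.100.9", 80)),   # after the idle period
    ]
    seen = [nat.outbound(pkt, t).src for t, pkt in flow]
    return seen, len(nat.leaked)


if __name__ == "__main__":
    print("timeout 3600s:", simulate(3600))     # third packet leaks 10.0.0.5
    print("timeout 86400s:", simulate(86400))   # all packets hidden
```

The two runs show the relationship the guide describes: with a timeout shorter than the idle period the resumed packet carries 10.0.0.5 onto the external side, and with a longer timeout the entry is still present and every packet is hidden.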
Debugging NAT
Note: See "Chapter 2: Troubleshooting Tools," page 5 for more information on the fw ctl debug, fwinfo, and fw monitor commands.
To debug NAT problems, make use of the following debug commands. They should be issued in an environment that reproduces the problem.
Chapter 4: Troubleshooting Routers and Embedded Systems
In This Chapter:
Introduction, page 30
Management Server Architecture, page 30
VPN-1/FireWall-1 configuration for a Nortel (Bay Networks) BayRS router
Troubleshooting Routers and Embedded Systems
Introduction
A VPN-1/FireWall-1 enforcement point is a machine or device that enforces at least some part of the Security Policy. An enforcement point can be a workstation, router, switch or any machine that can be managed by a Management Module by installing a Security Policy or an Access List.
Management Server to GUI Client Communications
• Communication between the Management Server and the GUI Client (including username/password) is encrypted, on port 258.
VPN-1/FireWall-1 configuration for a Nortel (Bay Networks) BayRS router
Functions supported in VPN-1/FireWall-1 on Nortel routers
The functions supported in VPN-1/FireWall-1 on a Nortel (Bay Networks) BayRS router are:
•
Does SYNDefender work on a Nortel (Bay) router?
See the SecureKnowledge Solution (ID: 36.0.764381.2490623) in the Check Point Technical Services site.
To configure a Nortel router with VPN-1/FireWall-1
Do the following:
1. Perform a regular installation of the router (boot bn/asn/arn.exe ti.cfg, and then install.
Licenses
The license for the embedded system capabilities is installed only on the Management Module, NOT on the router.
Problems and bugs
• Sometimes there are no log entries: additional putkeys and fwstop/fwstart at the VPN-1/FireWall-1 Management, as well as reboots of the router, usually fix this.
2. Press the "SNMP Info..." button to enter the "SNMP Information" window, and in it change the values of both the "Read" and "Write" fields to the new community you defined previously using the Nortel (Bay) Site Manager. Make rules which have either "Routers" or the specific router in the "Install On" field.
To show the amount of memory used on each slot: get wfKernelEntry.2.*
To show the amount of memory free on each slot: get wfKernelEntry.3.*
VPN-1/FireWall-1 Commands:
To save the "secret" password for use in connecting and communicating with the management station: fwputkey secret xxx.xxx.xxx.xxx
To erase all the current password entries in the NVRAM.
firewall pri 1.1.1.1 loc 2.2.2.2
3. Typing info at this point will show you the currently defined firewall information. Backup management stations can be defined at this point.
4. Now the individual interfaces must be configured to use the firewall. Type back twice to return to the root menu. Type in the name of the first interface: ethernet/1/1
5.
wfRFwallGroup.wfRFwallLocalHostIpInt.0 = 0
wfRFwallGroup.wfRFwallVersion.0 = 2
wfRFwallGroup.wfRFwallHmemMin.0 = 50000
wfRFwallGroup.wfRFwallHmemMax.0 = 100000
wfRFwallGroup.wfRFwallLogHostIpBkp1.0 = 0.0.0.0
wfRFwallGroup.wfRFwallLogHostIpIntBkp1.0 = 0
wfRFwallGroup.wfRFwallLogHostIpBkp2.0 = 0.0.0.0
wfRFwallGroup.wfRFwallLogHostIpIntBkp2.
VPN-1/FireWall-1 configuration for a Xylan switch
You should have a management control module. It is called the Enterprise Management Console or EMC (VPN/FireWall management module). For a switch to support VPN-1/FireWall-1 functionality, it requires a licensed inspection module (VPN/FireWall module).
Debugging Routers and Embedded Systems
In order to solve your problem, your technical support representative will need all relevant information about the problem and its environment. For each type of problem, the Support representative will ask for specific records and files.
More Information
For more information on Routers and Embedded Systems, see:
Version 4.1 SP1 (Check Point 2000) Administration Guide: Chapter 17, Routers and Embedded Systems; Chapter 4, Network objects, Router properties, pages 118-141.
Version 4.1 Administration Guide: Chapter 17, Routers and Embedded Systems; Chapter 4, Network objects, Router properties, pages 114-139.
Version 4.
Chapter 5: Troubleshooting Open Security Extension
In This Chapter:
Introduction, page 42
Nortel (Bay) Routers: Configuration and Problem Resolution, page 42
To configure an SNMP password on a Nortel (Bay) Router
Troubleshooting Open Security Extension
Introduction
Open Security Extension is a product that enables a VPN/FireWall Management Module to generate and download Access Lists and configure security for routers (3Com, Nortel, Microsoft RRAS (Steelhead), and Cisco) and an integrated FireWall (Cisco PIX). This chapter provides additional information about routers that is not covered in the User Guides.
7. Exit the "Managers" and the "SNMP Community List" windows. (Don't erase the "Public" default community yet; do it later.)
8. In the Configuration Manager, save your definition in a file, preferably with the ".cfg" suffix (File, Save As).
OSE does not work when Anti-Spoofing is set to other+
See the SecureKnowledge Solution (ID: 10043.0.6958228.2640175) in the Check Point Technical Services site.
Cisco Routers: Problem Resolution and Debugging
Differences between Cisco router version 9 and 11: Support for Anti-Spoofing
Version 9 routers do not support anti-spoofing. These routers do not distinguish between inbound and outbound.
Cisco PIX Firewall: Problem Resolution
Syntax
router_load -cisco
OR: router_load -cisco
OR: router_load -cisco [-command ]
OR: router_load -cisco <
3COM routers: Problem Resolution and Debugging
Common problem resolution for 3Com Routers
Cannot get logs from the router: See the SecureKnowledge Solution (ID: 10022.0.527050.2411096) in the Check Point Technical Services site.
Error message while trying to install a new license (only for 4.1): See the SecureKnowledge Solution (ID: 10043.0.4395816.
Microsoft RRAS (SteelHead) Routers: Problem Resolution and Debugging
Common problem resolution
Cannot get logs from the router: See the SecureKnowledge Solution (ID: 10022.0.527050.2411096) in the Check Point Technical Services site.
Error message while trying to install a new license (only for 4.1): See the SecureKnowledge Solution (ID: 10043.0.4395816.
Chapter 6: Troubleshooting Anti-Spoofing
In This Chapter:
Introduction, page 49
Common Problems Resolution, page 49
Meaning of log message: Rule 0 – spoof attempt
Troubleshooting Anti-Spoofing
Introduction
Spoofing is a technique where an intruder attempts to gain unauthorized access by altering a packet's IP address to make it appear as though the packet originated in a part of the network with higher access privileges. VPN-1/FireWall-1 has a sophisticated anti-spoofing feature, which detects such packets by requiring that the interface on which a packet enters a gateway corresponds to its IP address.
Common Problems Resolution
How to configure anti-spoofing with the DHCP protocol
DHCP requests are being dropped on rule 0 in the log. This is because FireWall-1 triggers Anti-Spoofing: it detects illegal addresses being broadcast when DHCP requests from the workstations try to get an IP address. The FireWall sees this as a spoof attempt. To solve this,
1.
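The interface-to-address rule from the introduction, and the reason a DHCP request trips it, as an added illustration that is not Check Point code. The interface names, networks and addresses are constructed; the widen_interface helper only shows how the verdict depends on an interface's valid address set and is not the guide's configuration procedure.

```python
import ipaddress

# Constructed topology: the networks whose addresses may legitimately enter
# each interface. "others" means any address not claimed by another interface.
TOPOLOGY = {
    "hme0": [ipaddress.ip_network("10.0.0.0/8")],   # internal interface
    "hme1": "others",                                # external interface
}

SPOOF_LOG = "drop: Rule 0 - spoof attempt"


def valid_source(iface, src, topology):
    """True if src belongs to the addresses expected on iface."""
    ip = ipaddress.ip_address(src)
    nets = topology[iface]
    if nets == "others":
        claimed = [n for name, v in topology.items()
                   if name != iface and v != "others" for n in v]
        return not any(ip in n for n in claimed)
    return any(ip in n for n in nets)


def inspect(iface, src, topology=TOPOLOGY):
    """Anti-spoofing verdict for a packet with source src entering iface."""
    return "accept" if valid_source(iface, src, topology) else SPOOF_LOG


def dhcp_discover_verdict(topology=TOPOLOGY):
    """A workstation without an address broadcasts its DHCP request from 0.0.0.0;
    that source lies in no interface's networks, so the check treats it as a spoof."""
    return inspect("hme0", "0.0.0.0", topology)


def widen_interface(topology, iface, extra_network):
    """Copy of topology where iface also accepts extra_network (illustration of
    how the verdict follows the interface's valid address set)."""
    widened = dict(topology)
    widened[iface] = list(topology[iface]) + [ipaddress.ip_network(extra_network)]
    return widened


if __name__ == "__main__":
    print(inspect("hme0", "10.1.2.3"))      # internal address on the inside: accept
    print(inspect("hme1", "10.1.2.3"))      # internal address from outside: spoof
    print(dhcp_discover_verdict())          # the DHCP symptom described above
```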
Debugging Anti-Spoofing
In order to solve your problem, your technical support representative will need all relevant information about the problem and its environment. For each type of problem, the Support representative will ask for specific records and files.
Chapter 7: Troubleshooting Security Servers and Content Security
In This Chapter:
HTTP Security Server
How to Improve HTTP Security Server performance in a High Performance Environment, page 54
Environment, page 54
Hardware
SMTP Security Server
SMTP Email Process, page 71
The SMTP Security Server Process
HTTP Security Server
In This Section
This section describes how to improve VPN-1/FireWall-1 HTTP Security Server performance in a High Performance Environment, and how to resolve and troubleshoot problems related to HTTP Security Servers.
"How to Improve HTTP Security Server performance in a High Performance Environment", page 54
"Resolving Common HTTP Security Se
1. c0t8d0 /pci@1f,4000/scsi@3/sd@8,0
AVAILABLE SWAP: Total: 7848k bytes allocated + 1640k reserved = 9488k used, 400496k available
IP Interface
Issuing the ifconfig -a command resulted in:
lo0: flags=849 mtu 8232 inet 127.0.0.
Diagram of the environment
Note: The WebSense Server was moved to a separate interface on the FireWall (100 Mbps Ethernet).
Tuning System parameters
The following system parameters were set:
set noexec_user_stack = 1
set noexec_user_stack_log = 1
set rlim_fd_cur=4096
set rlim_fd_max=4096
set tcp:tcp_conn_hash_size = 16384
set fw:fwhmem = 0x1000000
TCP/IP stack
2. Increase the proxied_conns table limit to 50,000. In $FWDIR/lib/table.def add to the end of the line proxied_conns = limit 50000
3. Increase the NAT table limit to 50,000 and the hashsize to 65536. In $FWDIR/conf/objects.C change the following lines:
:nat_limit (50000)
:nat_hashsize (65536)
4. Add the http_buffer_size parameter (applies to VPN-1/FireWall-1 4.
Excessive Log Grace period to 30 sec (see the SecureKnowledge Solution in the Check Point Technical Services site, ID 110022.0.1679268.2471760), and then re-installed the policy.
9. The test ended at approx. 1:15 p.m., and after change no. 8 it appeared that there were no more log buffer messages on the console.
2. Installed Solaris 2.6 and hardened it according to customer specs.
3. Installed VPN-1/FireWall-1 4.1.
4. Tuned the parameters, including /dev/hme, /dev/tcp, file descriptors, and the VPN-1/FireWall-1 parameters described above.
5. Increased the number of instances of the httpss to between 8 and 10.
6. Modified the Rule Base to eliminate the logging of legitimate drops.
7.
Another instance of this problem is the range request. The client can ask the server to send just part of the response, by adding the Range request header. In that way a "smart" client (a Trojan horse) can get the second half first and then get the first half.
The problem
The redirect response includes two major headers: the action header, which carries the return code (e.g. HTTP/1.0 302 Not Allowed), and the Location header, which directs the browser to the new URL (e.g. Location: http://199.203.71.111/index.html).
URI Resource: in the Match tab the Host field contains a URL name
In order for the VPN-1/FireWall-1 Security Server to match a rule whose URI Resource has a URL name in the Host field of the Match tab, it has to do a reverse DNS lookup for each HTTP request.
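The HTTP problems above all hinge on specific header lines. The following added example (not Check Point code; the two messages are constructed samples that reuse the status line and Location value quoted above) parses a request and a response and reports the two things an administrator of content security needs to see: whether a request asks for a byte range, so a scanner that sees only one piece cannot judge the whole file, and where a redirect actually points.

```python
# Constructed samples, reusing the status line and Location value quoted above
RANGE_REQUEST = (
    "GET /pub/tool.zip HTTP/1.0\r\n"
    "Host: www.example.com\r\n"
    "Range: bytes=500000-\r\n"
    "\r\n"
)
REDIRECT_RESPONSE = (
    "HTTP/1.0 302 Not Allowed\r\n"
    "Location: http://199.203.71.111/index.html\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_message(raw):
    """Split an HTTP message into (start line, {header name lowercased: value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def range_request_note(raw_request):
    """A Range header asks for only part of the response, so a content check
    that sees a single piece never sees the whole file. Returns a note or None."""
    start, headers, _ = parse_message(raw_request)
    if "range" in headers:
        return "partial request %r: Range=%s" % (start, headers["range"])
    return None


def redirect_target(raw_response):
    """For a 3xx response, the Location header is where the browser will go next."""
    start, headers, _ = parse_message(raw_response)
    parts = start.split()
    if len(parts) >= 2 and parts[1].startswith("3") and "location" in headers:
        return headers["location"]
    return None


if __name__ == "__main__":
    print(range_request_note(RANGE_REQUEST))
    print(redirect_target(REDIRECT_RESPONSE))
```

Running either function over captured messages (for example the output of fw monitor or snoop, reassembled per connection) gives a quick count of how much of the HTTP traffic is partial-content fetching, which is the traffic a CVP scan cannot judge piece by piece.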
Troubleshooting Security Server Performance problems
Where there are problems with the HTTP Security Server and attempts to troubleshoot the problem have been unsuccessful, it is worth testing the configuration to determine which object is responsible for slowing down and blocking the HTTP Security Server and the CVP servers, and why.
What are the possible causes?
It is worth defining the possible causes of the problem. Assume that every one of the involved objects can be a cause of the problem, and that the problem may arise from a combination of causes.
Possible causes for each object:
The Solaris machines
1. Overloaded CPU
2. Memory problem
3. Running out of file descriptors
The VPN/FireWall module
1.
Test Results
From the tests you should be able to determine:
1. The faulty object. From now on you can be more focused in your resolution.
2. A measurement of the load (accounts, logs, snoops) and the network view (snoops).
3. The state of the machine resources.
4. The VPN-1/FireWall-1 and/or CVP server limitation/bug.
FTP Security Server
In this section
This section describes the permitted FTP Security Server commands, and how to solve common problems.
"The FTP security server," page 66
"Resolving Common FTP security server problems," page 66
The FTP security server
The FireWall-1 FTP Security Server is optimized for security.
Resolving Common FTP security server problems
1. Delete the FireWall-1 service(s) that are causing the problem. This is the easiest solution, but is not always feasible. (Pre-defined high-port TCP services are listed below.)
2. Delete the FireWall-1 service(s) that are causing the problem, and recreate them as a service of type 'Other'. That way FireWall-1 will not see them as known TCP services.
Port(s): Service
2626: AP-Defender, AT-Defender
2649, 2651: IIOP
2998: RealSecure
5190: AOL
5510: SecurID-prop
5631: PCanywhere
6000-6063: X11
6499: IS411
6660-6670: IRC
7000: IRC2
7070: RealAudio
12468-12469: WebTheater
16384: ConnectedOnline
18181-18184: CVP, UFP, SAM, LEA
18187: ELA
See the SecureKnowledge Solution (ID: 47.0.707710.
Reducing the MTU on the FireWall should help the situation. The FireWall will then require the server to fragment the packets into smaller pieces, avoiding this problem. If the application does not allow fragmentation of the packet, then it will not work with encryption. See the SecureKnowledge Solution (ID: 33.0.241016.
How to cross several VPN-1/FireWall-1 Authentication Daemons
See the SecureKnowledge Solution (ID: 3.0.114740.2192532) in the Check Point Technical Services site.
How to add support for a new command to the FTP Security Server
The following commands are supported by the FTP Security Server: ABOR, ACCT, ALLO, MACB, MAIL, MDTM, NOOP, PASS, PASV, SITE, SIZE, SOCK, XMKD, XPWD, XRMD.
SMTP Security Server
In This Section
This section describes the SMTP email and Security Server processes, how to troubleshoot VPN-1/FireWall-1 SMTP Security Server problems, error handling, and the solutions to some common problems.
The SMTP Security Server Process
Figure 3. SMTP Security Server - flow of events
When using the VPN-1/FireWall-1 SMTP Security Server, a certain flow of events takes place from the time the user sends the message to the time the message arrives at the actual mail server:
1.
• R stands for Ready file, a file that is ready to be sent on.
• E stands for Error file, a file that cannot be sent for some reason and needs to be processed.
6. The SMTP Security Server receives a file that starts with T and turns it into an R type.
7. The dequeuer takes the R file and sends it on, or processes it into an E file.
8.
Connection between the FireWall Mail Dequeuer and the Anti-Virus Server fails
Troubleshoot the connection between the VPN-1/FireWall-1 Mail Dequeuer and the Anti-Virus Server as follows:
1. Make sure VPN-1/FireWall-1 can ping the Anti-Virus Server.
2. If this is successful, then see if the Anti-Virus software has received an email from VPN-1/FireWall-1.
How the SMTP Security Server deals with the envelope format
The envelope format is:
Mail from: sender
Rcpt to: recipient
If there are multiple recipients the envelope format is:
Mail from: sender
Rcpt to: recipientA
Rcpt to: recipientB
…
Rcpt to: recipientN
The VPN-1/FireWall-1 SMTP Security Server examines only the first "Rcpt to" in the envelope and matches the resource according to what it finds there; the later recipients are not used for the resource match.
Log Viewer Error Messages
See the SecureKnowledge Solution (ID: 3.0.132201.2193912) in the Check Point Technical Services site.
III. Error: "agent mail server ...
What commands are supported by the VPN-1/FireWall-1 SMTP Security Server?
Solution: The supported commands are the basic SMTP commands. VPN-1/FireWall-1 does not currently support the ESMTP command set (EHLO and the extensions negotiated through it). The commands offered by the Security Server are: HELO, MAIL, RCPT, DATA, RSET, NOOP, QUIT, HELP. See the SecureKnowledge Solution (ID: 47.0.
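The following is an added example, not code from this guide or from Check Point: a small model of the two behaviours just described, namely that only the basic verbs are accepted (an ESMTP client's EHLO is recorded as unsupported) and that the resource is selected from the first Rcpt to alone. The resource table, the suffix-based selection rule and the session transcripts are constructed for the example and are not taken from a VPN-1/FireWall-1 configuration.

```python
"""Model of the SMTP Security Server envelope handling described above.

Added example.  The resource table (suffix -> resource name), the session
transcripts and the suffix-based selection rule are constructed here.
"""
import re

# Verbs the guide lists as offered by the 4.x SMTP Security Server.
SUPPORTED_VERBS = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT", "HELP"}

# Constructed resource table: (recipient-address suffix, resource name).
RESOURCES = [
    ("@corp.example.com", "smtp_internal"),
    ("@partner.example.org", "smtp_partner"),
]

ADDR_RE = re.compile(r"<([^>]*)>")


def _address(arg):
    """Extract the address from 'FROM:<a@b>' / 'TO:<a@b>' (or bare 'TO:a@b')."""
    m = ADDR_RE.search(arg)
    return m.group(1).strip() if m else arg.split(":", 1)[-1].strip()


def parse_envelope(session):
    """Walk the client side of a session up to DATA.

    Returns (sender, recipients, unsupported); `unsupported` lists the verbs
    the Security Server does not offer, ESMTP verbs such as EHLO among them.
    """
    sender, recipients, unsupported = None, [], []
    for line in session:
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb not in SUPPORTED_VERBS:
            unsupported.append(verb)
            continue
        if verb == "MAIL":
            sender = _address(arg)
        elif verb == "RCPT":
            recipients.append(_address(arg))
        elif verb == "RSET":
            sender, recipients = None, []
        elif verb == "DATA":
            break
    return sender, recipients, unsupported


def match_resource(recipients, resources=RESOURCES):
    """Resource match as the guide describes it: only the first RCPT TO counts."""
    if not recipients:
        return None
    first = recipients[0].lower()
    for suffix, name in resources:
        if first.endswith(suffix.lower()):
            return name
    return None


def match_all_recipients(recipients, resources=RESOURCES):
    """Added comparison, not product behaviour: the resource each recipient
    would select on its own, so a rule writer can see which recipients the
    first-RCPT rule never examines."""
    return [match_resource([r], resources) for r in recipients]


# Constructed session: two recipients that would select different resources.
SESSION = [
    "HELO mta.example.net",
    "MAIL FROM:<alice@example.net>",
    "RCPT TO:<bob@corp.example.com>",
    "RCPT TO:<carol@partner.example.org>",
    "DATA",
]

# Constructed session from an ESMTP client: EHLO is not in the supported set.
ESMTP_SESSION = ["EHLO mta.example.net", "MAIL FROM:<alice@example.net>",
                 "RCPT TO:<bob@corp.example.com>", "DATA"]


def demo():
    sender, rcpts, bad = parse_envelope(SESSION)
    return {"sender": sender, "matched": match_resource(rcpts),
            "per_recipient": match_all_recipients(rcpts), "unsupported": bad}
```

For the constructed session the resource match is smtp_internal, decided by bob@corp.example.com, although the second recipient would on its own have selected smtp_partner; whichever recipient the client lists first decides the resource for the whole message, so resource rules should not assume that every recipient of a multi-recipient message was examined.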
Debugging Security Servers
In order to solve your problem, your technical support representative will need all relevant information about the problem and its environment. For each type of problem, the Support representative will ask for specific records and files.
More Information: Security Servers and Content Security
• VPN-1/FireWall-1 4.0 Architecture and Administration User's Guide, Chapter 2: Security Servers; Chapter 3: Content Security
• VPN-1/FireWall-1 4.1 and 4.1 SP1 (Check Point 2000) Administration Guides, Chapter 11: Security Servers and Content Security
Chapter 8: Troubleshooting LDAP Servers and the AMC
In This Chapter: Introduction; LDAP problems; Introduction to Account Management
Introduction
This chapter contains useful information about LDAP servers and the VPN-1/FireWall-1 Account Management feature. To implement the VPN-1/FireWall-1 4.
Troubleshooting LDAP Issues
Lightweight Directory Access Protocol
The Lightweight Directory Access Protocol (LDAP) is used to communicate with a server that maintains information about the users and other items within an organization. LDAP is a lightweight alternative to the access protocol of the X.500 ISO directory standard. Each LDAP server is called an "Account Unit.
• Choose Manage Users and define a default user.
• In the Policy Editor, enter a user authentication rule.
• Test the connection.
• If the problem persists, it is not related to the LDAP server.
Installation Issues
2. If the problem disappeared, try to initiate a "user authentication action" rule with users defined on the LDAP server.
3. If the problem disappeared, it might be a SecuRemote (SR) or encryption issue.
4.
• Member
• objectclass
Configuration Issues
These indexes reduce lookup time, but there is a trade-off between faster lookups and the extra disk space needed to store the additional indexes (see Known Limitations for search-related issues).
Schema Checking
The LDAP schema is a description of the structure of the data in an LDAP directory. Each LDAP server should come with instructions on how to set up the VPN-1/FireWall-1 schema.
Known configuration problems
AMC Property | Meaning
GroupRequiresMember=TRUE | This variable is FALSE by default, and groups are created without members when they are defined. Some servers enforce the groupOfNames type by disallowing empty groups; setting this variable to TRUE creates the group with a dummy member.
2. Confirm the administrator's name and password. This step establishes communication between the LDAP server and the administration server. Do not change the administrator's name or password.
Working with the AMC
Before Starting the Account Management Client
The LDAP server must be running before the AMC is started: the AMC binds to the server before the two can talk to one another. Before starting the AMC: 1. Confirm that Use LDAP Account Management is checked in the Security Policy GUI, Properties Setup window, LDAP tab. 2.
changetype: delete
(control-d to end the input)
5. The following message appears: deleting entry ou=name,o=name
6. Close and restart the AMC to reflect the changes.
Creating a Tree Object
If an "X" overlies a node in the tree, one of the following conditions is true:
• It is defined in the slapd.conf file (on the LDAP server) with the suffix parameter, but it does not exist in the LDAP directory.
• The cache times out.
• The Security Policy is installed.
• The user database is downloaded.
Working with LDAP
Managing LDAP through the command line
If the AMC is not available or has not been installed, you can manage the LDAP directory from a remote terminal using the command-line tools.
Known LDAP and AMC problems
AMC versions below build 140 had a problem reading the synchronized groups (and the user associations) in the LDAP database: although the NT groups appear in the Netscape "Users & Groups" console window, they do not appear in the AMC.
• Special Configurations
ldapmodify: the LDAP modify-entry tool. Alternatively use Novell ConsoleOne.
See: NDS users cannot be deleted from the AMC (Solution ID: 10043.0.1133507.2535007) in the Check Point Technical Services site.
Fix: AMC build 142 fixed this issue.
Known Limitations
Performance issue when large groups of users (more than around 1000-1500 users) are defined on the LDAP server (Solution ID: 10043.0.5520148.2585567) in the Check Point Technical Services site. This limitation is related to two issues: VPN-1/FireWall-1 looks up the groups the user is a member of every time the user is fetched, and the query used fetches the whole group object from the LDAP server.
Debugging LDAP
In order to solve your problem, your technical support representative will need all relevant information about the problem and its environment. For each type of problem, the Support representative will ask for specific records and files.
fw ldapsearch
With this command you can query the LDAP server and retrieve the information it contains, including the CRL (Certificate Revocation List).
Syntax: ldapsearch [options] filter [attributes...
More Information
fw ldapsearch -h host -b 'cn=CRL1, o=check point, c=IL' 'certificaterevocationlist=*' certificaterevocationlist
On Solaris machines the asterisk must be escaped or quoted (certificaterevocationlist=\*) so that the shell does not expand it.
Other parameters: -D 'o=Check Point, c=IL' (bind DN) and -w password (bind password). Note that a password given with -w is visible to other users in the process list and may be recorded in the shell history, so use a dedicated low-privilege bind account for such checks.
Example, to check the link with the LDAP server:
fw ldapsearch -h host -D "o=Check Point, c=IL" -w password -b "o=CheckPoint,c=IL" objectClass=*
This returns all the information in the directory.
Chapter 9: Troubleshooting Active Network Management
In This Chapter: Troubleshooting Synchronization (Synchronization and High Availability; Features Not Supported by Synchronization; What Tables are Synchronized); Debugging the Connect Control Module; Check_alive table; Logical Server of type "Other" using round robin for Load Balancing does not work
Troubleshooting Synchronization
Synchronization and High Availability
Note: The section on Synchronization applies to VPN-1/FireWall-1 4.1 SP1 only.
High Availability machines do not have to be synchronized. Synchronization ensures that no connections are lost when a machine takes control from a machine that has gone down; without it the machine taking over has no state for the connections that were open, and they are dropped.
Features Not Supported by Synchronization
• User Authentication
• Accounting
What Tables are Synchronized
Not all tables are synchronized. In general, during fail-over, all the tables in the VPN/FireWall kernel that are marked with the keyword "sync" are synchronized. To check whether a table is synchronized, issue fw tab -t <table name> and look for the sync keyword in the attributes line of the output.
Resolving Common Synchronization Problems
This section lists some common problems and their solutions from the Check Point Technical Services SecureKnowledge knowledge base.
How to add a table to the Synchronization Tables
In the $FWDIR/lib/table.def file, search for the definition of the table that has to be synchronized, add the attribute 'sync' to it, and install the Security Policy. See the SecureKnowledge Solution (ID: 10043.0.3280520.
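The following is an added example, not part of this guide and not Check Point's code: it parses table definitions written in the table.def syntax the guide quotes later in this chapter (NAME = attribute [value] ... ;), lists the tables that carry the 'sync' attribute, and adds 'sync' to one that lacks it. The definitions in the sample are constructed for the example and are not a copy of $FWDIR/lib/table.def; the set of attributes handled is limited to the ones this guide names plus kbuf and hashsize.

```python
"""Parse and edit table definitions in table.def syntax.

Added example.  SAMPLE_TABLE_DEF is constructed; it is not a copy of
$FWDIR/lib/table.def.
"""
import re

SAMPLE_TABLE_DEF = """\
connections = dynamic refresh sync expires 3600 limit 25000 kbuf 15 16;
LOGICAL_CACHE_TABLE = dynamic refresh sync expires LOGICAL_CACHE_TIMEOUT limit LOGICAL_CACHE_SIZE;
pending = dynamic refresh expires 60 hashsize 512;
"""

# Attributes followed by a single value; everything else is a bare flag.
VALUED = {"expires", "limit", "hashsize", "expcall"}

DEF_RE = re.compile(r"^(\s*)(\w+)(\s*=\s*)([^;]*);", re.M)


def parse_table_def(text):
    """Return {table name: {attribute: value}} (True for bare flags)."""
    tables = {}
    for m in DEF_RE.finditer(text):
        name, tokens = m.group(2), m.group(4).split()
        attrs, i = {}, 0
        while i < len(tokens):
            tok = tokens[i]
            if tok in VALUED:
                attrs[tok] = tokens[i + 1]
                i += 2
            elif tok == "kbuf":          # kbuf is followed by a run of integers
                j = i + 1
                while j < len(tokens) and tokens[j].isdigit():
                    j += 1
                attrs[tok] = tokens[i + 1:j]
                i = j
            else:
                attrs[tok] = True
                i += 1
        tables[name] = attrs
    return tables


def synced_tables(text):
    """Names of the tables that would be synchronized on fail-over."""
    return sorted(n for n, a in parse_table_def(text).items() if a.get("sync"))


def add_sync(text, name):
    """Return `text` with 'sync' added to table `name`; unchanged if the
    attribute is already present or the table is not defined.  'sync' is
    placed right after 'dynamic' to mirror the ordering the guide shows."""
    def repl(m):
        if m.group(2) != name:
            return m.group(0)
        tokens = m.group(4).split()
        if "sync" in tokens:
            return m.group(0)
        pos = tokens.index("dynamic") + 1 if "dynamic" in tokens else 0
        tokens.insert(pos, "sync")
        return f"{m.group(1)}{name}{m.group(3)}{' '.join(tokens)};"
    return DEF_RE.sub(repl, text)
```

Run synced_tables on the real table.def before and after the edit to confirm that only the intended table changed, then install the policy as the guide says. Every additional synchronized table adds traffic on the synchronization link, and in this version that traffic is not encrypted, so the sync link should stay a dedicated, physically protected network.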
Troubleshooting Fail-over
Fail-over in High Availability Applications
Note: The section on Fail-over in High Availability Applications applies to version 4.1 SP1.
Introduction
As enterprises have become more dependent on the Internet for their core applications, uninterrupted connectivity has become more crucial to their success. Beginning with VPN-1/FireWall-1 Version 4.
Table 1: HA Cluster machine states
State | Explanation
DEAD |
INIT | In practice this is very similar to DEAD.
STANDBY | Possible in HA modes only, not in Load Balancing (LB) mode.
READY | A transient state that should usually not last more than a fraction of a second. It is used when a machine wants to change its state to ACTIVE.
Problems detected by the VPN/FireWall module should also be reported using the Active Check Device Interface; for example, whether the fwd daemon is running on each module.
How to check the module status using the cphaprob command
The cphaprob command may be used to register or unregister devices, to report problems, and to print the list of devices currently registered and the state of each device.
Interface Fail tests - Primary-up mode
# | Test Description | Test Configuration | Expected Result | Remarks
1. | Disconnect one interface on the ACTIVE machine and reconnect it after a successful fail-over. | Cluster machines in primary-up High Availability (HA) mode. | The secondary machine becomes ACTIVE and the primary machine DEAD. |
# | Test Description | Test Configuration | Expected Result
4. | Disconnect one interface from the primary machine, then one interface from the secondary, then plug them back (secondary first). | Cluster machines in active-up High Availability (HA) mode. | The ACTIVE machine should be the one with the most active interfaces, and it remains ACTIVE even if a machine with a lower serial number has the same number of active interfaces.
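The following is an added example, not part of this guide and not Check Point's code: a model of the ACTIVE-member election that the interface-fail tests above describe. It applies the rule the table states, namely that the member with the most active interfaces is ACTIVE, and on a tie primary-up mode hands ACTIVE to the primary (lowest serial number) while active-up mode keeps the current ACTIVE member. A member with fewer working interfaces than the best member is reported DEAD, as test 1 expects. The member names, serial numbers, interface names and the three-interface layout are assumptions of the model.

```python
"""Model of the HA ACTIVE-member election described in the fail-over tests.

Added example.  Names, serials and the interface layout are assumptions.
"""


class Member:
    def __init__(self, name, serial, interfaces):
        self.name, self.serial = name, serial
        self.link_up = {ifc: True for ifc in interfaces}

    def active_interfaces(self):
        return sum(1 for up in self.link_up.values() if up)


class Cluster:
    MODES = ("primary-up", "active-up")

    def __init__(self, members, mode):
        if mode not in self.MODES:
            raise ValueError(mode)
        self.mode = mode
        self.members = sorted(members, key=lambda m: m.serial)
        self.active = self.members[0]        # the primary starts ACTIVE

    def elect(self):
        best = max(m.active_interfaces() for m in self.members)
        candidates = [m for m in self.members if m.active_interfaces() == best]
        if self.mode == "active-up" and self.active in candidates:
            return self.active                # a tie never moves ACTIVE
        return candidates[0]                  # lowest serial among the best

    def set_link(self, member_name, interface, up):
        """Connect or disconnect one interface and re-run the election."""
        member = next(m for m in self.members if m.name == member_name)
        member.link_up[interface] = up
        self.active = self.elect()
        return self.active.name

    def states(self):
        """Report each member as ACTIVE, STANDBY or DEAD (fewer interfaces than the best)."""
        best = max(m.active_interfaces() for m in self.members)
        out = {}
        for m in self.members:
            if m is self.active:
                out[m.name] = "ACTIVE"
            elif m.active_interfaces() < best:
                out[m.name] = "DEAD"
            else:
                out[m.name] = "STANDBY"
        return out


def new_cluster(mode):
    ifaces = ["le0", "le1", "le2"]
    return Cluster([Member("primary", 1, ifaces), Member("secondary", 2, ifaces)], mode)


def run_test_1(mode="primary-up"):
    """Test 1: drop one interface on the ACTIVE (primary) member, then reconnect it.
    Returns the states after the failure and the ACTIVE member after reconnection."""
    c = new_cluster(mode)
    c.set_link("primary", "le1", False)
    after_fail = dict(c.states())
    c.set_link("primary", "le1", True)
    return after_fail, c.active.name


def run_test_4(mode):
    """Test 4: one interface down on primary, then one on secondary, plug back
    secondary first.  Returns the ACTIVE member after each step."""
    c = new_cluster(mode)
    steps = [("primary", "le1", False), ("secondary", "le1", False),
             ("secondary", "le1", True), ("primary", "le1", True)]
    return [c.set_link(*s) for s in steps]
```

The difference between the modes shows in the last step of test 4: with both members back to a full set of interfaces, active-up leaves the secondary ACTIVE, while primary-up fails back to the primary, which means a primary with a flapping interface causes a fail-over in each direction every time the link changes state.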
Debugging High Availability
In order to solve your problem, your technical support representative will need all relevant information about the problem and its environment. For each type of problem, the Support representative will ask for specific records and files.
Troubleshooting Load Balancing
How Server Load Balancing Works
Load Balancing allows several servers in one network to share the load among themselves while being protected by VPN-1/FireWall-1. This reduces the load on any one server and helps the security engineer manage network traffic from VPN-1/FireWall-1. The following explanation summarizes how load balancing works.
Load Balancing Configuration Guides
How to configure VPN-1/FireWall-1 with Connect Control (load balancing across multiple servers): see the configuration document How to Configure VPN-1/FireWall-1 With Connect Control (Load-Balance across multiple servers) (ID 55.0.2061878.2576947) in the Check Point Technical Services SecureKnowledge site (6 pages).
Debugging the Connect Control Module
Load balancing does not work on HP-UX when the web servers are on virtual interfaces. No solution is available at this time. See the SecureKnowledge Solution (ID 10043.0.3487758.2562155) in the Check Point Technical Services site.
Check_Alive table
Each entry has seven fields (1-7). Field 1: IP address. Field 2: Magic (1 or 2), where 1 = Client Auth.
How long does the Persistent Server Mode last?
Persistent Server Mode assigns a specific client to a specific server for the duration of the persistent server timeout. The default timeout is 30 minutes and it is refreshable: every new connection to the persistent server resets the timer. It is defined in the '$FWDIR/lib/table.
Debugging the Load Balancing daemon lhttpd
LOGICAL_CACHE_TABLE = dynamic refresh sync expires LOGICAL_CACHE_TIMEOUT limit LOGICAL_CACHE_SIZE;
2. Save the file and install the policy.
How to increase the size of the logical cache
The logical cache is limited to LOGICAL_CACHE_SIZE entries, 1000 by default. To increase it, edit table.def, modify the LOGICAL_CACHE_SIZE parameter, save the file and install the policy.
Debugging the Server-Load load balancing algorithm
If this value is 0, a check is made whether "period_until_measure" has elapsed since the last measurement was taken. "period_until_measure" is a variable that specifies the number of "lbalance_period_wakeup_sec" periods to wait before a new measurement is taken.
Chapter 10: Troubleshooting SNMP
In This Chapter: Introduction; How to configure HP OpenView to work with FireWall-1 4.0; Resolving Common SNMP Problems; What to check first
Introduction
As the size of an organization's computer network grows, it becomes increasingly important to manage the variety of network devices centrally. The Simple Network Management Protocol (SNMP) provides a standard way of managing TCP/IP networks. SNMP uses a Management Information Base (MIB), a tree structure of variables; every vendor can add its own variables to the standard ones.
More Information
3. Make sure that the community strings are correctly defined when trying to establish an SNMP connection. On Unix platforms the community strings are defined in $FWDIR/conf/snmp.C; network object community strings are defined in the Network Objects window. A community string is the only access control SNMP version 1 offers and it travels in clear text, so do not leave the default strings in place on a firewall and restrict which managers may poll it.
4. Use snoop to check SNMP connections.
100% CPU usage when trying to poll information from the FireWall-1 snmpd
One of the most common problems with SNMP is on Solaris 2.
Chapter 11: Troubleshooting Licensing
In This Chapter: Check Point Licensing Policy; VPN-1/FireWall-1 Licensing; Licensing Example 1: Single VPN-1/FireWall-1 Gateway
For the latest information about operational aspects of Check Point product licensing, see the Check Point License Center: http://license.checkpoint.com/
Check Point Licensing Policy
VPN-1/FireWall-1 Licensing
Licensing for Check Point VPN-1/FireWall-1 is based on the total number of internal nodes protected.
Licensing Example 2: Multiple VPN-1/FireWall-1 Gateways
The configuration below shows a network with two FireWall-1 installations: one providing Internet security and a second delivering intranet security. VPN-1/FireWall-1 licensing is based on the total number of protected nodes in the organization.
FireWall-1 and VPN-1 licenses are based on the total number of protected nodes. This requirement does not change when an intermediate proxy or other device capable of IP address translation is used. For the network shown in the diagram above, the VPN-1/FireWall-1 license must support all "n+1" internal nodes; the one additional node accounts for the proxy.
Product Features Lists
3. Number of requested licenses per BCK
4. Email address for PO confirmation (the BCK and the number of licenses it can generate will be sent as a PO confirmation).
FireWall-1 4.0 Features
For a complete list of VPN-1/FireWall-1 4.0 features, see the SecureKnowledge Solution (ID: 36.0.285147.
Resolving Common Licensing Problems
Remote License Keywords
Remote licenses are for remote policy installation on embedded and non-embedded VPN/FireWall modules.
Table 2: Remote License Keywords
Keyword | Supported in VPN-1/FireWall-1 Version | Meaning
remote1, remote2, remote4 | 4.0 SP5 and higher | The number at the end of the keyword specifies the number of licenses (e.g. remote2 specifies two licenses for remote installation).
remote | 3.0 and 4.
Host | Expiration | Ver | Features
Eval | 15Jul96 | 4.x | pfm control routers encryption [Invalid]
807dafa7 | Never | 4.x | pfm control routers encryption
807dafa8 | Never | 4.x | pfm control routers encryption
807dafa7 | Never | 3.x | pfm control routers encryption
807dafa7 | Never | 4.x | pfm control routers encryption
The FireWall in question contains four licenses. The first is an evaluation license, which is valid for all computers, but only until July 15th, 1996.
The license string components are as follows:
K1: holds the expiration date of the license.
K2, K3: hold the signature of the unique license. The signature is checked against the three fields.
License installation
Table 3: Location of License file for VPN-1/FireWall-1 versions 4.0 and 4.1
Product | Location of License file
VPN-1/FireWall-1 4.
There is a new file in VPN-1/FireWall-1 4.1 on NT and UNIX called $FWDIR/conf/cp.macro. It contains the mapping between product SKUs and license features, and the grouping of features.
Error: "Failed to add license" when trying to add a license via the GUI or the "fw putlic" command
The cause of this message could be one of the following: 1. The license may have been mistyped. 2.
Error: "only ### internal hosts allowed"
This warning message can be ignored if it:
• appears only when fwd is started,
• is not followed by a list of IP addresses,
• causes no problem in the operation of VPN-1/FireWall-1, and
• specifies the true number of hosts allowed.
If you get a list of so-called 'internal' IP addresses, check whether they are all internal or whether some of them are external.
Chapter 12: What To Send Technical Support
In This Chapter: Introduction; Rule Base; Network Address Translation
Introduction
In order to solve your problem, your technical support representative will need all relevant information about the problem and its environment. For each type of problem, the Support representative will ask for specific records and files.
INSPECT
If a specific service is suspected of being part of the problem, gather the following information:
1. How does the service work?
2. On which protocol does the service work?
3. On which ports does the service work?
4. fw monitor files are important for understanding the protocol.
5.
High Availability
1. The fw monitor file that is relevant to the problem.
2. The fwinfo file from the management and from both modules.
3. The sync.conf file from both sides.
4. Network topology.
5. Issue the command fw tab -u -t connections > file on both VPN-1/FireWall-1 machines at the same time (connections may be replaced by any other table that should be synchronized but is not).
Send the files to support@ts.checkpoint.com.
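The following is an added example, not part of this guide and not Check Point's code: it compares the two fw tab dumps that step 5 above asks for and lists the entries present on only one cluster member, which is the evidence of a synchronization gap; it also reads the attributes line so that a table without the sync attribute (see What Tables are Synchronized in Chapter 9) is not mistaken for a fault. The dumps are constructed for the example in the entry layout the state-table appendix of this guide shows (<key fields; remaining/total>), with an attributes line in the same keyword syntax; they are not real fw tab output.

```python
"""Compare 'fw tab -u -t <table>' dumps from two cluster members.

Added example.  DUMP_A and DUMP_B are constructed; they are not fw tab output.
"""
import re

ATTR_RE = re.compile(r"attributes:\s*(.*)")
ENTRY_RE = re.compile(r"<([^>]*)>")
TIMEOUT_RE = re.compile(r"^\s*(\d+)/(\d+)\s*$")


def parse_dump(text):
    """Return (attributes, {key tuple: (remaining, total) or None})."""
    attributes, entries = [], {}
    for line in text.splitlines():
        m = ATTR_RE.search(line)
        if m:
            attributes = [a.strip() for a in m.group(1).split(",") if a.strip()]
            continue
        m = ENTRY_RE.search(line)
        if not m:
            continue
        parts = [p.strip() for p in m.group(1).split(";")]
        key = tuple(f.strip() for f in parts[0].split(","))
        timeout = None
        if len(parts) > 1:
            t = TIMEOUT_RE.match(parts[-1])
            if t:
                timeout = (int(t.group(1)), int(t.group(2)))
        entries[key] = timeout
    return attributes, entries


def compare_dumps(dump_a, dump_b):
    """Entries present on one member only, plus whether the table is synced at all."""
    attrs_a, ent_a = parse_dump(dump_a)
    attrs_b, ent_b = parse_dump(dump_b)
    return {
        "synced": "sync" in attrs_a and "sync" in attrs_b,
        "only_a": sorted(ent_a.keys() - ent_b.keys()),
        "only_b": sorted(ent_b.keys() - ent_a.keys()),
        "common": len(ent_a.keys() & ent_b.keys()),
    }


# Constructed dumps: member B lacks one of A's entries and has one of its own.
DUMP_A = """\
localhost:
-------- connections --------
dynamic, id 8158, attributes: keep, sync, expires 3600, refresh, limit 25000
<00000000, c0a80c1f, 00000015, c073cd1c, 0000052b, 00000006; 3599/3600>
<00000000, c0a80c20, 00000050, c073cd1d, 00000400, 00000006; 3590/3600>
"""
DUMP_B = """\
localhost:
-------- connections --------
dynamic, id 8158, attributes: keep, sync, expires 3600, refresh, limit 25000
<00000000, c0a80c1f, 00000015, c073cd1c, 0000052b, 00000006; 3598/3600>
<00000000, c0a80c21, 00000050, c073cd1e, 00000401, 00000006; 3595/3600>
"""
```

A difference of a second or two in the remaining timeout of a common entry only reflects that the two dumps were not taken at exactly the same instant; entries that exist on one member only, for a table whose attributes include sync, are what to send with the dumps.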
LDAP
1. fwinfo
2. LDAP log files
3. fw.log
4. fw monitor captures: between the client and the FireWall, and between the FireWall and the LDAP server
5. Problem description and LDAP version
Send the files to support@ts.checkpoint.com.
Routers and Embedded Systems (OEM)
Bay Router
1. Router's config file.
2. Output of the stamp command.
3. Router model (BLN, ASN, ARN).
4. control.map and clients files.
5. fwinfo of the management.
Send the files to support@ts.
Open Security Extension (OSE)
Bay
1. Router's config file.
2. Output of the "stamp" command.
3. Router's model (BLN, ASN, ARN).
4. fwinfo of the management (if it is VPN-1/FireWall-1 with an OSE feature), or the conf directory.
Send the files to support@ts.checkpoint.com.
Cisco
1. A copy of the router configuration. Remove enable secrets, SNMP community strings and other credentials from the configuration before sending it.
2. Cisco software version.
3. fwinfo of the management (if it is VPN-1/FireWall-1 with an OSE feature).
Chapter 13: Check Point Support Information
The latest version of this chapter can be found on the Check Point Technical Services Premium Support site at http://www.checkpoint.com/support/technical/general_info.html
In This Chapter: Mission Statement; Check Point Worldwide Technical Services General Process
Mission Statement
Check Point Worldwide Technical Services is committed to building strategic relationships with Check Point customers by providing consistent, dependable, high-quality, measurable services that effectively utilize Check Point Software Technologies Ltd. products to meet network connectivity and security objectives.
Contacting Check Point Worldwide Technical Services by Telephone
... possible to provide this information, Check Point may be hindered in its ability to resolve an issue in a timely fashion.
1. Complete contact information (name, title, company name, e-mail address, phone number, pager number, fax number, onsite phone number, time zone) for all parties involved in the issue.
Contacting Check Point Worldwide Technical Services by E-mail
E-mail: support@ts.checkpoint.com
All requests to open a trouble ticket are routed to the Check Point WTS call-tracking database. A Support Center team member will send a response with a unique trouble number.
Problem Severity Definitions
Severity 1 error: An error that renders the product inoperative or causes it to fail catastrophically, e.g. major system impact, system down. A reported defect in the licensed product that cannot reasonably be circumvented, in which there is an emergency condition that significantly restricts the use of the licensed product to perform necessary business functions.
Appendix A: State Tables for VPN-1/FireWall-1 4.0
In This Appendix: What are State Tables?; fw tab; Syntax; VPN tables; Encryption tables; decryption_pending table; Specific services tables; icmp_connections table; h323_tracer_table table
State Tables for VPN-1/FireWall-1 4.0
Note: The information in this appendix is updated to VPN-1/FireWall-1 4.0 SP6. The information for VPN-1/FireWall-1 4.1 and 4.1 SP1 (Check Point 2000) is virtually the same, apart from the addition of new tables in the later versions.
The basic structure of a connection in a table entry
Table Attributes
A table may have the following attributes:
Attribute | Description
expcall | Call a function when an entry is deleted from or expires in this table. Can also appear as "free function".
expires |
General tables
connections table
The connections table contains data on all active connections.
Value of 'l' | Description
0 | Match by protocol (the most common value)
1 | Match by offset (never used)
2 | Match by RPC (for RPC connections)
3 | Match by getport (for RPC connections)
4 | Match by callit (for RPC connections)
5 | Match by seq/ack change (for encrypted or NATed connections where the SEQ/ACK numbers may be changed)
Digit 'k' is interpreted as four binary digits of the form 0xyz.
Hexadecimal value | Description
0x90, 0x91, 0x92, 0x93, 0x94, 0x95 | Xtreme connections
0xa1 | VDOlive connection
0xa3, 0xa4, 0xa5 | RealAudio / RTSP connections
0xa8 | RTP connection
0xaa | NetShow connection
0x00 | Any other connection
Byte h holds the interface ID (the number of the interface in "fw ctl iflist") of the interface in the direction of the destination.
However, FireWall-1 tries to maintain the connection by sending a garbage packet to the destination of the original packet, with the header of the original packet. This is done so that, if the connection still exists, the internal host asks the server to resend and the connection resumes. If the connection is resumed, the only evidence of what happened is the log entry marking this packet as 'rejected'.
SAMP tables
The magic number is an arbitrary number that identifies the VPN-1/FireWall-1 "entity" that recorded this entry and will need to use it later. Usually the magic number is meaningful when read as four ASCII characters.
Logging tables
... the forbidden table is first checked to see whether an alert has already been sent for that source. If it has not, the source IP address is recorded and the alert is sent. Example attributes: expires 300. The forbidden_tab table is a list of IP addresses in hexadecimal format.
host_table table
This table holds the IP addresses of the internal machines protected by the FireWall.
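The following is an added example, not part of this guide and not Check Point's code: it reads the hexadecimal address entries of a table such as host_table or forbidden_tab from an fw tab dump, converts them to dotted quads and reports the ones outside the networks the administrator counts as internal. This is the check the licensing chapter asks for when "only ### internal hosts allowed" is followed by a list of addresses. The dump and the internal ranges are constructed for the example; the entry layout (<hex address> with an optional '; remaining/total' timeout) follows this appendix's table-entry format and is an assumption for these two tables.

```python
"""Convert and audit the hexadecimal IP entries of host_table / forbidden_tab.

Added example.  HOST_TABLE_DUMP and INTERNAL_NETWORKS are constructed.
"""
import ipaddress
import re

ENTRY_RE = re.compile(r"<\s*([0-9a-fA-F]{8})\s*(?:[;,][^>]*)?>")


def hex_to_ip(word):
    """fw tab prints addresses as eight hex digits in network byte order."""
    return ipaddress.IPv4Address(int(word, 16))


def parse_ip_table(dump):
    """All address entries in the dump, in order of appearance."""
    return [hex_to_ip(w) for w in ENTRY_RE.findall(dump)]


def audit_hosts(dump, internal_networks):
    """Return how many hosts the table holds and which are not internal."""
    nets = [ipaddress.ip_network(n) for n in internal_networks]
    hosts = parse_ip_table(dump)
    external = [str(ip) for ip in hosts if not any(ip in net for net in nets)]
    return {"counted": len(hosts), "external": external}


# Constructed dump: three RFC 1918 hosts and one address from a documentation range.
HOST_TABLE_DUMP = """\
localhost:
-------- host_table --------
dynamic, id 8160, attributes: keep, expires 300
<c0a80c1f; 287/300>
<c0a80c20; 299/300>
<0a000005; 120/300>
<cb007101; 298/300>
"""
INTERNAL_NETWORKS = ["192.168.0.0/16", "10.0.0.0/8"]
```

If audit_hosts reports external addresses, the module is counting hosts it should not, and the interface definitions and network objects should be reviewed before the license size is questioned; the "counted" figure is the number the "only ### internal hosts allowed" message is comparing against.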
Appendix A: State Tables for VPN-1/FireWall-1 4.0 Logging tables The first five fields are the “key” fields mentioned above. The time field represents the time measured in seconds since 1/1/1970. The counter runs from 0-10 (0xa), and when it reaches 10 (i.e. every 10th packet) a trap is sent to the daemon to update the live connections log, or a synchronized VPN/FireWall module if such exists.
Appendix A: State Tables for VPN-1/FireWall-1 4.0 NAT tables fw_route table Information about this table will be available in the next update to this document. NAT tables Address Translation Connection tables The fwx_forw and fwx_backw tables serve as a connection table for address translated connections for outgoing (forw) and incoming (backw) connections. Each entry holds both the original connection and the translated connection.
Address Translation "partial connections" tables
The fwx_anticipate and fwx_anticipate_rev (reverse) tables are used when translating packets in situations where it is not known on which port the answer will arrive. When this happens the connections are inserted into these tables with port 0 until the actual packet arrives and the port is known.
Third entry: <0, hiding IP address, IP protocol, first low port to be used; next port to be allocated>
The first field is a placeholder and is always 0. The first low port to be used is always 600.
fwx_auth table
The fwx_auth table holds the original information of a folded connection, so that back connections can work properly.
VPN tables
The encryption_requests table uses the following format:
rejected_encryptions table
Connections that need to be encrypted according to the Rule Base, but cannot be because of problems (wrong scheme, timed-out encryption request, failure in key exchange or generation, ...) are inserted into the rejected_encryptions table.
The key1 and key2 fields are actually the first and last parts of the same key and are used to identify each key.
skip_key_requests table
The skip_key_requests table holds the requests for SKIP encryption, including the two gateways and their NSIDs.
Example attributes: refresh, expires 60
<00000000, c0a80c1f, 00000000, c073cd1c; 59/60>
The skip_key_requests table uses one of the following formats.
The skip_keyid table uses the following format:
The encryption methods field contains eight hexadecimal digits that should be interpreted as four bytes of the form ghij.
SPI_table table
Information about this table will be available in the next update to this document.
SecuRemote — client side tables
When running SecuRemote, the machine actually runs a minimal version of FireWall-1. Therefore the connections are managed using the FireWall-1 state tables. The state tables below are special tables that appear only on the SecuRemote client side.
Used by SecuRemote Client: Yes.
Used by FW daemon: No.
Keys:
Values: None.
Timeout: None.
Comments: Used by the client to check whether packets should be encrypted (if they are part of the topology) or not.
userc_session table
The userc_session table holds the session key for the encryption.
Used by SecuRemote Client: Yes.
Used by FW daemon: No.
Keys:
Values: None.
Timeout: None.
Comments: Used by the SecuRemote kernel to decide whether to encapsulate packets. Note that decryption is done based on the IP protocol.
userc_request table
Attributes: expires 60
Includes a list of gateways with which the SecuRemote client has a pending encryption request.
SecuRemote — server side tables
Used by SecuRemote Client: No.
Used by FW daemon: Yes.
Keys:
Values: 0 or 1 (intersect with user database or not)
Timeout: 900 sec.
Comments: Client encrypt rules check this table to see if the connection belongs to SecuRemote clients.
Used by SecuRemote Client: No.
Used by FW daemon: Yes.
Keys:
Values: 0 (don't trap) or 1 (trap again only when the rule ignores destination restrictions)
Timeout: 10 sec.
Comments: Used by the daemon to indicate to the kernel that packets coming from a user should not be trapped again, because there is already an open RDP connection for those packets.
userc_request_extended table
Information about this table will be available in the next update to this document.
userc_resolved_gw table
Information about this table will be available in the next update to this document.
userc_DNS_A table
Information about this table will be available in the next update to this document.
Security Server and Authentication tables
Example attributes: sync expires 60
<00000002, c0a80c01; 00000005, 00000384; 57/60>
<00000002, c0a80c01, 00000001; 00000005, 00000384, 8029dc98; 55/60>
<000000002, c0a80c01, c073cd59, 00000050, 00000006, 00000000; 00000005, 00000384; 53/60>
<000000002, c0a80c01, c073cd59, 00000050, 00000006, 00000000, 00000001; 00000005, 00000384, 8029dc98; 47/60>
The client_auth table uses one of the following formats.
The proxied_conns table uses the following format.
For the first half of the entry (line 1 above): The destination IP address is the interface of the FireWall machine that is closest to the source IP address.
<-1 (ffffffff), source IP address, source port, destination IP address, destination port, IP protocol; time left/total time>
• For the third part of the entry (line 3 above):
<-2 (fffffffe), source IP address, source port, destination IP address, destination port, IP protocol; time left/total time>
The second and third entries are used to ensure that only one client can work after the authentication.
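As an added illustration (not code from the guide or from Check Point), a small Python decoder for entries written in the <key fields; value fields; time left/total time> syntax shown for the client_auth and proxied_conns tables above. It assumes every field is a 32-bit hexadecimal word, decodes IP fields to dotted-quad form and the ffffffff/fffffffe markers to -1/-2, and the two sample entries are constructed, not captured output.

```python
import re
from ipaddress import IPv4Address

# Constructed sample entries in the <keys; values; time left/total time> syntax
# shown for client_auth and proxied_conns (not real fw tab output).
SAMPLE_CLIENT_AUTH = "<00000002, c0a80c01, c073cd59, 00000050, 00000006, 00000000; 00000005, 00000384; 53/60>"
SAMPLE_PROXIED = "<ffffffff, c0a80c1f, 00000401, c073cd1c, 00000017, 00000006; 170/180>"

TIME_RE = re.compile(r"^\s*(\d+)\s*/\s*(\d+)\s*$")
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}  # IANA protocol numbers


def _words(part):
    """Comma-separated hex words -> unsigned 32-bit ints (extra leading zeros tolerated)."""
    return [int(f, 16) & 0xFFFFFFFF for f in part.split(",") if f.strip()]


def parse_entry(text):
    """Parse one '<keys; values; left/total>' entry into a dict. The value
    list and the timeout are optional, so keys-only static list entries parse too."""
    body = text.strip()
    if not (body.startswith("<") and body.endswith(">")):
        raise ValueError("not an fw tab entry: %r" % text)
    parts = body[1:-1].split(";")
    entry = {"keys": [], "values": [], "left": None, "total": None}
    m = TIME_RE.match(parts[-1])
    if m:  # trailing 'time left/total time' field
        entry["left"], entry["total"] = int(m.group(1)), int(m.group(2))
        parts = parts[:-1]
    entry["keys"] = _words(parts[0]) if parts else []
    entry["values"] = _words(parts[1]) if len(parts) > 1 else []
    return entry


def signed(word):
    """Read a 32-bit word as signed: ffffffff -> -1, fffffffe -> -2."""
    return word - (1 << 32) if word & 0x80000000 else word


def decode_proxied(entry):
    """Decode a -1/-2 proxied_conns entry:
    <marker, src IP, src port, dst IP, dst port, IP protocol; left/total>."""
    k = entry["keys"]
    if len(k) != 6 or signed(k[0]) not in (-1, -2):
        raise ValueError("not a proxied_conns -1/-2 entry")
    return {"marker": signed(k[0]),
            "src": "%s:%d" % (IPv4Address(k[1]), k[2]),
            "dst": "%s:%d" % (IPv4Address(k[3]), k[4]),
            "proto": PROTO_NAMES.get(k[5], str(k[5])),
            "left": entry["left"], "total": entry["total"]}
```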
Load balancing tables
Example attributes: expires 180
The logical_requests table uses the following format:
logical_servers_table table
The logical_servers_table table holds a list of the logical servers.
The values are the IP addresses of the physical servers. The number of values may change, as not all server groups are the same size.
logical_cache_table table
The logical_cache_table table holds cache information for load balancing. Each connection is recorded in the table so that it will always be directed to the same security server.
Specific services tables
Example attributes: refresh, expires 900
The data length field is the length of the data in bytes. The direction field is either 0 (incoming) or 1 (outgoing).
Netshow_tab table
Information about this table will be available in the next update to this document.
Cooltalk_datatab table
Information about this table will be available in the next update to this document.
Sqlnet_port_tab table
Information about this table will be available in the next update to this document.
X11_verify_tab table
Information about this table will be available in the next update to this document.
RPC tables
Example attributes: refresh, expires 800
The rpc_serv table uses the following format:
The source IP address is that of the responding server. The answer port is the answer to the port request in the pmap_req table. Refer to the pmap_req table below for information on the program number field.
DCE/RPC tables
dcerpc_maps table
The dcerpc_maps table relates to the DCE/RPC port mapper's replies.
Example attributes: sync refresh expires 86400 keep
The dcerpc_maps table uses the following format:
Its keys are the Endpoint Mapper's IP address and the GUID requested by the client (which takes 4 fields, since it is 16 bytes long), and the value is the port in the port mapper's response.
dcom_remote_activations table
The dcom_remote_activations table holds data on DCOM remote activation requests.
Example attributes: sync refresh expires 60
The dcom_remote_activations table uses the following format:
Exchange_notifiers table
Information about this table will be available in the next update to this document.
Static tables (lists)
CVP server IP address
firewalled_list table
The firewalled_list table holds a static list of FireWalled IP addresses.
Example: c0a86e01 c7cb471e
The firewalled_list table uses the following format: FireWalled IP address
Object Lists tables
Object Lists tables are tables that correspond to groups that appear in rules.
servers_list table
The servers_list table holds the IP addresses of the computers that participate in load balancing. There need not be a rule that involves load balancing for the IP addresses to appear in this table (unlike the logical_servers_table table).
Example:
-------- udp_services --------
00000007 00000009 0000000d 00000025
The udp_services table uses the following format:
Time Objects tables
The following tables are a list of time objects that were created in the FireWall-1 Security Policy (this is only an example, as the FireWall-1 administrator may create any time objects he or she sees fit).
The table_target_list table uses the following format:
In the case of single-host address translation, the first IP address in the range equals the second IP address in the range.
Appendix B: Object.C Properties in VPN-1/FireWall-1 4.0
The Properties section of the $FWDIR/conf/objects.C file
The objects.C file includes a section of properties whose values affect VPN-1/FireWall-1 behavior. These properties exist in addition to network objects, server objects, service objects, time objects and other miscellaneous data.
Property | Always appears in objects.C? (1 = yes, 0 = user has to add entry) | Explanation | Default value
allow_encryption_outgoing_first | 0 | Allow encryption rules even if "allow outgoing packets" is set to "first" (true), or send outgoing packets unencrypted in that case (false) |
allowed_telnet_option | 0 | The number of the telnet option to be allowed (between 0 and 40. |
http_force_down_to_10 | 0 | Force HTTP 1.1 connections into HTTP 1. |
http_skip_redirect_free | 0 | Free memory when redirecting a connection for authentication, to prevent memory leaks (true), or avoid freeing the session's memory (false) |
http_sup_continue | 0 | Send HTTP 1. |
isakmp. | | |
manualminspi | 1 | Lowest SPI value (only through VPN-1/FireWall-1 version 4.0 SP-6 and 4.1 SP-1. No longer used in later versions) | 0x100
maxprocess | 1 | This property is no longer used | 256
nat_hashsize | 0 | Hash size for NAT tables. |
radius_send_framed | 1 | Send the framed host (source IP of the connection) to the RADIUS server | FALSE
radius_user_timeout | 0 | Timeout interval for the user to respond to a RADIUS challenge, in seconds | 600
raudioenable | 0 | Enable RealAudio (only in FireWall-1 version 3. |
vdolivenable | 0 | Enable VDOlive (only for backward compatibility with FireWall-1 version 3.x) | true if vdolive appears in the rulebase, false otherwise
vlog_switch_size | 1 | Size in KBytes at which the active connections log is automatically switched (i.e. |
Appendix C: Log Viewer "info" Messages
In This Chapter:
Messages in the 'info' column of the log viewer ... 190
More Information ... 192
HTTP Security Server "Reason" Messages ...
Messages in the 'info' column of the log viewer
FIELD | MEANING
ip_vers | Contains the IP version (normally 4).
Key update for | The name of the module for which a key update has occurred.
Len | Contains the length of the packet, when 'long' logging is used.
License violation detected | This field exists when a license violation is detected. Contains the list of internal addresses (one address for each log record) in IP format (e.g. 192.168.160.1).
More Information
FIELD | MEANING
Command | The command given in a session. Used for live connections.