Friday, February 8, 2013

Gaia Tips

SecurePlatform sysconfig to Gaia CLI 
ADD User

> add user ifinet_lrossi uid 0 homedir /home/ifinet_lrossi
> set user ifinet_lrossi newpass 1234
> add rba user ifinet_lrossi roles adminRole
> set user ifinet_lrossi shell /etc/  or > set user admin shell /bin/bash
> save config

 > set expert-password plain
    Enter current expert password :
    Enter new expert password:
    Enter new expert password (again):

 ADD Defaut Gateway
> set static-route default nexthop gateway address priority 1 on

ADD Snmp Community
> set snmp agent on
> set snmp agent-version any
> set snmp community name_community read-only
> save conf

For test
#snmpwalk -v2c -c 
name_community localhost
#rpm -qa | grep snmp

CHECK State cache Url Filtering on GW
#fw tab -t urlf_cache_tbl -s

GAiA is Linux RH based, and it has system 2.6.18 kernel.  And Check Point ClusterXL is still the same as before.

Some details about the change is mentioned in sk66527: Recommended configuration of new ClusterXL

This will allow more then one checkpoint cluster to operate on the same VLAN
On each of the Cluster Member
  1. Run cd $FWDIR/boot/modules
  2. Create the fwkern.conf file by running vi fwkern.conf
  3. Add the required parameters and values as given below:
    # fwha_mac_magic = 250
    # fwha_mac_forward_magic = 251
  4. Save the fwkern.conf
  5. Verify the fwkern.conf file is correctly configured by running more fwkern.conf
  6. Reboot the Cluster Member
  7. Verify the new mac magic setups correctly configured by:
    # fw ctl get int fwha_mac_magic
    # fw ctl get int fwha_mac_forward_magic
  8. Verify the Cluster Member status by running cphaprob stat
Note: the 250/251 should be the SAME on both cluster members, but should be DIFFERENT for each different clusters
dhcp server
lan client
lan client fw1
lan client fw2
lan client cluster

1.        To configure the BootP/DHCP Relay Agent, select 'Advanced Routing > DHCP Relay' on the main Configuration menu.
2.        Add interfaces that will need to be listening for the BootP or DHCP packets and click "Apply".
Module 1
Module 2
1.        Enter the address of the BootP or DHCP server into the New Server field and click "Apply".
2.        Be sure to set the Wait Time to "0", as similiar as described above in the "Configuring IPSO" section. Wait Time to "5" for second module
3.        If multiple IP addresses have been defined for a particular interface, Gaia will use the numerically lowest IP address bound to that interface as the Source IP address of any BootP/DHCP Packets sent from that interface.
4.        Similar to IPSO, the administrator can define the use of some other address that is bound to that interface. For example in Fig.1, if multiple addresses have been defined for the internal interface int.if, then the administrator can define the address to be used as the source for BootP/DHCP transmission to "Client". Traffic between the external interface ext.if and the server will use an address bound to ext.if
In SmartDashboard:

Firewall Rule



Nat Rule:



SNMP Custom 

HowTo - cfr sk79280

  • Some SNMP functionality cannot be configured via Gaia's CLI or WebUI.
  • In order to extend the SNMP configuration manually on a Gaia machine, add a new snmpd configuration file:
  • The file should contain legal snmpd settings.
  • Every net-snmp configuration token is valid.
Step by step procedure
  • Shut down snmpd from WebUI or from clish using:
set snmp agent off
  • Go to expert mode:
  • Check that snmpd process is down:
ps -ef | grep snmpd
  • Execute the following commands:
dbset process:snmpd:arg:2 -c
dbset process:snmpd:arg:3 /etc/snmp/userDefinedSettings.conf
  • Add the new configuration file:
vi /etc/snmp/userDefinedSettings.conf
  • Add snmpd settings (warning: path of fw.log depends on software version):
disk / 10%
disk /boot 10%
disk /var/log 10%
file /opt/CPsuite-R75.40/fw1/log/fw.log
  • Start snmpd from WebUI or from clish using:
set snmp agent on
  • Save the configuration from clish:
save config


  • snmpd restart is required upon "/etc/snmp/userDefinedSettings.conf" modification
  • The file might not be backed-up by Gaia's backup functionality
  • The file might not survive an upgrade
  • This capability is planned to be part of a future Gaia release
Example Custom Control

Concurrent remote access users

Create /usr/bin/rausers
fw tab -t userc_users -s 2> /dev/null | grep localhost | awk '{printf $4"\n"}'

Add the following line to /etc/snmp/snmpd.users.conf

exec . numRAusers /usr/bin/rausers
Restart the snmp demon
service snmpd restart
Check it's working with
snmpwalk -c ComunityName -v 2c localhost .

Viewing Checkpoint fw monitor files in Wireshark

Checkpoints fw monitor utility performs packet captures similar to tcpdump and wireshark. Unlike these utilities it operates above layer 2 and contains no mac address information. It does contain additional information from the firewall on interface and direction.
To view this additional information in wireshark some extra configuration is required.
Select edit/preferences/protocols/ethernet
Check the box labelled “Attempt to interpret as Firewall-1 monitor file” and press ok
Select edit/preferences/User Interface/columns
Click add to add a new column and name it interface.
From the format dropdown listbox select FW-1 monitor if/direction and press ok
Save the text below to a file colorise.txt
# DO NOT EDIT THIS FILE! It was created by Wireshark
@FW-Mon-i @ fw1.direction contains "i"@[65535,65535,0][0,0,0]
@FW-Mon-I @fw1.direction contains "I"@[37008,61166,37008][0,0,0]
@[email protected] contains "o"@[44461,55512,59110][0,0,0]
@FW-Mon-O@ fw1.direction contains "O"@[31161,49051,54875][0,0,0]
Select View/coloring rules
Click import and open the saved file from above
Select the last 4 rules and move them to the top of the list by clicking the up button
Press ok
Your now ready to view the fw monitor files in wireshark.

Every checkpoint firewall, regardless of platform, includes the packet capture utility fw monitor. The problem with fw monitor is the cryptic inspect syntax that you need to learn to create a capture filter. Unfortunately, if your looking for support from checkpoint then your stuck with fw monitor. To simplify the process I have created a couple of macros that help bridge the gap between the two syntaxes.
When capturing with tcpdump I generally use the host and port commands to reduce the traffic to a particular set of conversations between hosts. An example expression, in tcp dump syntax, to capture all dns traffic either udp or tcp between and is shown below.
"host and and port 53"
After creating a few simple inspect macros we can do the equivalent using fw monitor with
accept host( and host( and port(53);
This is not a bad approximation. The only differences are brackets needed to pass the parameters to the macro, and a repeat of the host command.
The savings are obvious compared to the complete inspect script syntax shown below.
accept (
(ip_src= or ip_src= and \
(ip_dst= or ip_dst= \
) and \
(ip_p=PROTO_tcp and (th_sport=53 or th_dport=53)) or \
(ip_p=PROTO_udp and (uh_sport=53 or uh_dport=53)) \
The macros can be saved in a separate library file and included in a filter file or you can just include all the macros in one large command file with the filter expression as shown below.

#include "tcpip.def"
#define src ip_src
#define dst ip_dst
#define sport th_sport
#define dport th_dport
#define port(portnum) ((ip_p=PROTO_tcp and (sport=portnum or dport=portnum)) or \
(ip_p=PROTO_udp and (uh_sport=portnum or uh_dport=portnum)))
#define srcport(portnum) ((ip_p=PROTO_tcp and sport=portnum) or \
(ip_p=PROTO_udp and uh_sport=portnum))
#define dstport(portnum) ((ip_p=PROTO_tcp and dport=portnum) or \
(ip_p=PROTO_udp and uh_dport=portnum))
#define host(hostip) ((src=hostip) or (dst=hostip))
/* dns traffic between hosts */
accept host( and host( and port(53);
Once saved to a file, say myfilter.def, it is a simple matter of running
fw monitor -i -f myfilter.def
and generating, or waiting for the traffic you need to capture.

Enable SCP – sk26258
·         Go into expert mode and add users to the /etc/scpusers file. Create the file if necessary.
·         Restart sshd using the command service sshd restart
Enable IP Forwarding – sk25818
·         Go into expert mode and type the command “echo 1 > /proc/sys/net/ipv4/ip_forward”
Enable SSH Public key Authentication – sk30366
·         Go into expert mode
·         mkdir $HOME/.ssh
·         chmod 0700 $HOME/.ssh
·         touch $HOME/.ssh/authorized_keys
·         chmod 0600 $HOME/.ssh/authorized_keys
·         vi $HOME/.ssh/authorized_keys
·         :$ (goes to the last line of the file)
·         A (appends to the end of the line)
·         paste in the key that you have copied from the client
·         esc (get out of insert mode)
·         : x (save the file and exit)
To be able to match a login to a users key perform the following steps.
·         vi /etc/ssh/sshd_config
·         find the Logging section and add en entry LogLevel VERBOSE
·         Restart sshd using the command service sshd restart
·         The fingerprint of the key used is then recorded in /var/log/secure
·         To check the fingerprints you can use the script below

#! /bin/bash

#Generate fingerprints for ssh public keys so we can match logons to users

#Create a temp file and bail out if we can't
TMPFILE=`mktemp /tmp/fingerprint.XXXXXX` || exit 1

#Check to see if a keyfile is specified
if [ -r "$1" ]; then

#Cleanup temp files on exit
trap "rm -f ${TMPFILE}" 0

#Truncate the output file
cat /dev/null >${FPFILE}

#Hook up the authorized_keys file to File descriptor 3
exec 3< ${KEYFILE}

#loop through each key in the file
while read <&3
        if (!(echo ${REPLY} | egrep "^\#"i)); then
                # If not a comment then save the key and generate a fingerprint
                echo "${REPLY}" >${TMPFILE}
                /usr/bin/ssh-keygen -l -f ${TMPFILE} >> ${FPFILE}

#Close FD 3
exec 3<&-
/bin/echo "The fingerprints for ${KEYFILE} have been saved in ${FPFILE}."
Convert a securecrt ssh public key for use with secureplatform.
This recipe converts IETF multiline key format to the single line format used by openssh on secureplatform.
·         Go into expert mode
·         create a new file on the firewall with vi. For example vi mypubkey.txt
·         Paste in the new key, save the file and exit.
·         type “ssh-keygen -i -f mypubkey.txt >>/home/admin/.ssh/authorized_keys
Restrict a public key authentication to a single command
This recipe is useful if you want to restrict users to a particular operation such as shutdown or reboot.
·         Go into expert mode
·         edit /home/admin/.ssh/authorized_keys
·         Paste in the new key or modify the old key
·         At the beginning of the line containing the key insert command=”/sbin/shutdown -h now”
·         Save and exit
·         Change the shell for admin using the command usermod -s /bin/bash -U admin
·         If you prefer to go into the cpshell when logging in interactively then execute the command “echo exec /bin/cpshell > /etc/profile.d/
Increase OSPF adjacency memberships on SecurePlatform Pro – sk32568
·         Go into expert mode
·         vi /etc/rc.d/init.d/rc.local
·         add the line ” echo 50 > /proc/sys/net/ipv4/igmp_max_memberships"
·         save and exit (: x)
Identify network adapters on Secureplatform/Linux
The recipe helps you identify which physical nic is mapped to an alias such as eth1 by flashing them in turn for 15 seconds.Adjust the time to suit yourself
·         Go into expert mode
·         type the following command all on one line
for i in `egrep "eth[0-9]+" /etc/modules.conf | cut -f2 -d" "`; do echo $i;ethtool -p $i 15; done

- Thread: SNMP activation-
- firewall tips -
- forum - 
-  Information about Check Point VPN-1/FireWall-1 port .... -
- seminar it security - 
- self study cp r70 -
- vpn phase 1 phase 2 -
- VPN Trouble shooting -
- BinTec IPsec enabled routers  shared secret -
- Fw Monitor  A troubleshooting tool (nokia) -
- Fw Monitor  A troubleshooting tool (checkpoint) -
- Import of SNMP-MIB files into Paessler Monitoring Applications - 
- troubleshooting mtu checkpoint - 
UTM-1 Edges - FAQ -
- How do change an ip address on a ipso firewall via clish - 
- Password recovery nokia ipso -  

No comments:

YouTube Channel