How-To

Tech Short: Capturing packets on Checkpoint

I’ve recently found myself capturing network traffic to troubleshoot reported issues. To successfully capture packets the use of tcpdump is required.  And while you may be familiar with using this tool, the use is slightly different on Checkpoint devices.

The devices in this reference is Checkpoint R77.30 and R80 devices.

To capture the correct network packets you must first disable Checkpoints SecureXL feature which is an acceleration solution that maximizes network performance of the Firewall.

To disable SecureXL, run the command:

fwaccel off

To check the overall SecureXL status:

fwaccel stat

Now that SecureXL has been disabled, continue to the capture steps below:

To capture packets, issue the following command:

tcpdump -s 0 -nni <interface_name> -w capture_file_name.pcap

Press Control-C (Ctrl C) to break the capture

Re-enable SecureXL, by running the following command:

fwaccel on

Retrieve the capture file and review using a tool such a Wireshark

Tech Short: Debug VPN in Checkpoint R77.30

The following tech short will provide a list of commands used to enable debugging in Checkpoint’s R77.30 Firewall. To start you must  SSH into firewall host (or active member).

To turn on VPN debug from the expert mode:

# vpn debug trunc

At this point you want to test your VPN connection and verify that IKE Phases. This can be done with the following commands:

# vpn tu (option 1 and 2), you may need to reset tunnel to test. This is done by using (option 7)

To tune off the VPN debug the following commands should be issued:

# vpn debug off

# vpn debug ike off

 

When completed retrieve the logs vpnd.elg and ike.elg – located under $FWDIR/log

Checkpoint has an IKEView tool which is located on their site, and used to review the logs, else using a tool such as Notepad++ for analysis is helpful.

OpenVPN Access Server on Ubuntu

I recently retired my OpenVPN Turnkey appliance and needed to get my VPN solution up and running again. I decided to go with installing OpenVPN Access Server on a clean install of Ubuntu Server to create a stable and light weight Virtual Private Network (VPN) to access my network.

I chose to go with OpenVPN AS because its using the OpenVPN I know and trust, but it also has the value added feature of an administrative server used for user and access management.

Setup is straight forward after a few small prerequisites are established.

Requirements:

  • Ubuntu Server – Running the latest version and updates. I am using 16.04.2-as my base
  • Root or possibly sudo access

Software:

Download the latest release of the OpenVPN AS Server
https://openvpn.net/index.php/access-server/download-openvpn-as-sw.html

The direct Ubuntu installs here

 

The following steps can be used to download and install:

  1. Download the install package: wget http://swupdate.openvpn.org/as/openvpn-as-2.1.9-Ubuntu16.amd_64.deb
  2. Install the downloaded package: dpkg -i openvpn-as-2.1.9-Ubuntu16.amd_64.deb
  3. Change the password for the openvpn user: passwd openvpn

When the installation has completed, the Access Server web UIs will be available here:
Admin UI: https://<yourip>:943/admin
Client UI: https://<yourip>:943/

 

And just like that you now can take better control over your privacy, security.

Note: I did not go over the configuration of OpenVPN AS, I may do this in another post. I just wanted to run though the steps of getting this software installed.

Disabling SMB1.0/CIFS File Sharing Support

There is a lot of buzz these days about new ransomware hijacking systems worldwide. The malware, dubbed NotPetya because it masquerades as the Petya ransomware. One of the many ways to help the spread of malware is to patch your computer, effectively stopping the SMB exploits by disabling SMBv1.

Here are steps which can be used to disable (remove) SMBv1 support.

For client operating systems:

  1. Open Control Panel, click Programs, and then click Turn Windows features on or off.
  2. In the Windows Features window, clear the SMB1.0/CIFS File Sharing Support checkbox, and then click OK to close the window.
  3. Restart

For server operating systems:

  1. Open Server Manager and then click the Manage menu and select Remove Roles and Features.
  2. In the Features window, clear the SMB1.0/CIFS File Sharing Support check box, and then click OK to close the window.
  3. Restart

Ref: https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and-windows

Server 2008 R2, ‘Powershell’ is not recognized as an internal or external command …

While working on a task scheduling a powershell script, it was noticed that the powershell command does not execute from the command prompt on a server. When run I would encounter the following error: ‘powersehll’ is not recognized as an internal or external command, operable program or batch file.

After searching around Google / Bing I gave up and made the following attempt which worked out for myself and the system owners.

Looking at the system PATH variable seems correct with the expected path variable included under system variables: %SYSTEMROOT%\System32\WindowsPowerShell\v1.0\

I decided to check with my user only: I added ‘%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\’ to my user variable with success

In the systems path variables and removed the reference and added it to the end of the line which was successful in resolving the system wide issue.

Notes: This is a snapshot of before and after changes introduced which resolved my issue

original:
%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;C:\Program Files (x86)\Microsoft SQL Server\100\Tools\Binn\;C:\Program Files\Microsoft SQL Server\100\Tools\Binn\;C:\Program Files\Microsoft SQL Server\100\DTS\Binn\;C:\Program Files (x86)\Microsoft SQL Server\100\Tools\Binn\VSShell\Common7\IDE\;C:\Program Files (x86)\Microsoft Visual Studio 9.0\Common7\IDE\PrivateAssemblies\;C:\Program Files (x86)\Microsoft SQL Server\100\DTS\Binn\

updated:
%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files (x86)\Microsoft SQL Server\100\Tools\Binn\;C:\Program Files\Microsoft SQL Server\100\Tools\Binn\;C:\Program Files\Microsoft SQL Server\100\DTS\Binn\;C:\Program Files (x86)\Microsoft SQL Server\100\Tools\Binn\VSShell\Common7\IDE\;C:\Program Files (x86)\Microsoft Visual Studio 9.0\Common7\IDE\PrivateAssemblies\;C:\Program Files (x86)\Microsoft SQL Server\100\DTS\Binn\;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\

Cause of issue is still unknown.  Perhaps an ordering issues in the variables.  If you know please feel free to comment.
Thanks,

Jermal

[SOLVED] Unable to migrate VM’s to other host

I had encountered the following issue when attempting to migrate a live VM to another host w/in my lab cluster.
The error received was: 

Currently connected network interface” ‘Network adapter 1’ cannot use network ‘VM Network’, because “the destination network on the destination host is configured for different offload or security policies than the source network on the source host”.

I was able to fix this by checking the configuration of the virtual switch (vSwitch0) on the ESXi host I was moving the virtual machine guest to.

  1. I click on each host went to the configure
  2. Under the Networking subsection located the virtual switch
  3. Selected edit on that virtual switch.
  4. Reviewed the settings in the Security tab and the Traffic Shaping tab between the hosts.

In my case the issue was with the Security tab.  The destination host did not match the source.
Just another reasons to use host profiles between systems so that settings all match.

 

VMware vCenter 6/6.5: Creating Host Profiles

This post describes how to perform the basic task of creating a host profile.
Description of Hos Profiles:

VMware Host Profiles are available through VMware vCenter Server and enable you to establish standard configurations for VMware ESXi hosts and to automate compliance to these configurations, simplifying operational management of large-scale environments and reducing errors caused by mis-configurations.

Prerequisites:

  1. You need to have a vSphere installation
  2. You need to have admin rights
  3. You need a configured ESXi host that acts as the reference model

Steps:

  1. In vCenter Navigate to the Host profiles view
  2. Click the Extract profile from a host icon
  3. Select the host that will act as the reference model host and click Next
  4. Enter the name and  a description for the new profile and click Next
  5. Review the summary information for the new profile and click Finish
  6. The new profile will appear in the profile list

Video:

Done!

PowerShell: Unlock Active Directory Users Account

Use:

 

  • Listing account lockouts in Active Directory
  • Unlocking locked out accounts

# Open PowerShell or PowerShell ISE with an account with rights to unlock accounts
# Import the Actice Directory Module to PowerShell
#
Import-Module ActiveDirectory
#
# Run the Search-ADAccount command to search for accounts that are locked out
# Accounts locked out will be displayed
#
Search-ADAccount -LockedOut
#
#
# To unlock multiple {All} accounts the following command can be used
Search-ADAccount -LockedOut | Unlock-ADAccount
#

This could be useful if you wanted to somehow send an email to a ticket system so that you log and create IT tickets of account lockouts. A good way for your IT staff to track those types of activities that they do spend time on.

 

PowerCLI: HowTo Remove Floppy Drive From {All} Powered Off VM`s

The following simple script will iterate though your vCenter environment and remove the floppy disk from VMware guest machines that are in a powered off state.

Script text: I used Windows PowerShell ISE

Set-ExecutionPolicy RemoteSigned #may require running as administrator
Import-Module VMware.VimAutomation.Core
Connect-VIServer -Server ‘your.server.here’

$off = Get-VM | where {$_.powerstate -eq “PoweredOff”}
$floppy = Get-FloppyDrive -VM $off
Remove-FloppyDrive -Floppy $floppy -Confirm:$false

Purpose:

The purpose of removing the floppy is to remove potential attack channels to the guest VM itself. It has also been noted that removing such devices will save kernel resources.

Ref: https://pubs.vmware.com/vsphere-60/index.jsp?topic=%2Fcom.vmware.vsphere.security.doc%2FGUID-600D24C8-0F77-4D96-B273-A30F256B29D4.html

 

Restore of Checkpoint Fails with “The following hotfixes seem to be missing”

Ran into a slight snag when attempting to restore a production backup into a VM(*VMware*) image of Checkpoint R77.30. I was using the Gaia WebUI to restore image returns a message: “The following hotfixes seem to be missing”.

The message points me to a log file located under /tmp/ which indicates missing updates to the firewall I am restoring to. To get around this the following steps were taken.

 

  1. Log into the Checkpoint firewall via SSH to access the console (You could also console in  (i’m using a vm so the terminal would work also).
  2. Enter ‘Expert’ mode (password required.)
  3. The the command: dbset backup:override_hfs t’ from  the expert mode.
  4. Go back into Gain WebUI and attempt the restore of the backup.

Wait … Wait… The system will reboot and the configuration will be restored.

All done.

Cause of this issue was the backup file was taken from a system which had a version different from the system I was restoring into. In some cases, this message can be safely ignored and the restore can be performed without incident.

Please take time to review your configuration after you restore.