Friday, May 28, 2010

How to configure SSH session timeout in Checkpoint NG/NGX??


Ever got swearing when in the middle of an fw monitor / debug session you got abruptly thrown out on session timeout?? Me too. While naively thinking the ssh timeout is managed by the sshd/ssh configs, I was surprised to learn CP did it their way.
It turns out the definitions for the interactive session are here: cat /etc/bashrc
# By default, log out the user after three minutes of unattended prompt
export TMOUT=180
export SHELL=/bin/bash
# Take into account idle setting of cpshell, if available
if [ -f /etc/cpshell/cpshell.state ]; then
    idle=`grep idle /etc/cpshell/cpshell.state | sed s/idle=//`
    if [ $idle"UNDEFINED" = "UNDEFINED" ]; then
        idle=3
    fi
    export TMOUT=`expr $idle \* 60`
fi
So to change the default timeout for ssh sessions you can:
1) Set the idle variable (in minutes) in /etc/cpshell/cpshell.state; it is multiplied by 60 later:
cat /etc/cpshell/cpshell.state
audit=100
idle=100
scroll=1
2) Change last export directly to whatever you wish:
export TMOUT=7000   # in seconds
I personally, when working on a client's firewall, set it manually when a long debug session is expected; exporting it in the shell affects only that session, so the default lockout stays in place afterwards:
[Expert@cp]# TMOUT=700
[Expert@cp]# export TMOUT

How to debug VPN tunnels on checkpoint Gateway ?


Deleting IKE/IPsec security associations of established VPNs is an inevitable part of any VPN-related debug. The standard tool promoted by Checkpoint (take CCSA, CCSE etc.) is vpn tu, which nevertheless has always had a very annoying bug (feature?): you can delete ALL VPN tunnels at a time but none individually!! It indeed presents the option
"Delete all IPsec SAs for a given peer (GW)", but it just plain doesn't work. Once confronted with this problem, which can make the debug more devastating than the problem itself, I started looking for alternatives. To much of my surprise CP has a perfect alternative for this
- vpn shell, which provides acceptable means of managing tunnels. Here are the details:
vpn shell can: delete IKE/IPsec SAs selectively, add/delete VTI interfaces, and show information about all of that.
To enter this shell :
[Expert@gw1]# vpn shell
? – This help
.. – Go up one level
quit – Quit
[interface ] – Manipulate tunnel interfaces
[show ] – Show internal data
[tunnels ] – Manipulate tunnel data
After hitting Enter you are put into a subshell with a hierarchical way of moving around, so to continue into the show subtree you type show and hit Enter:
VPN shell:[/] > show
? – This help
.. – Go up one level
[interface ] – Show interface(s) and their status
[tunnels ] – Show SA(s)
VPN shell:[/show] >
Your prompt changes to the path inside vpn shell; to go 1 level up (return) type .. and Enter:
VPN shell:[/show] > ..
? – This help
.. – Go up one level
quit – Quit
[interface ] – Manipulate tunnel interfaces
[show ] – Show internal data
[tunnels ] – Manipulate tunnel data
VPN shell:[/] >
In addition, if you know the full path inside vpn shell to the command you wish to run, you can type it directly.
e.g. To see all IKE tunnels:
[Expert@gw1]# vpn shell
? – This help
.. – Go up one level
quit – Quit
[interface ] – Manipulate tunnel interfaces
[show ] – Show internal data
[tunnels ] – Manipulate tunnel data
VPN shell:[/] > tunnels show IKE all
Peer 193.x.x.x:
1. IKE SA <8755c7fb24a52e9b,5d46b29d0f0bb5b7>:
VPN shell:[/] >
e.g. 2: To delete IKE SAs for a specific peer:
VPN shell:[/] > tunnels delete IKE peer 193.3.3.3
NOTE: interface subtree is for dealing with VTI interfaces.
And finally, to leave the vpn shell and return to the SSH shell:
Get to the root by typing .. as many times as needed and then quit:
VPN shell:[/show/tunnels/IKE] > ../../..
? – This help
.. – Go up one level
quit – Quit
[interface ] – Manipulate tunnel interfaces
[show ] – Show internal data
[tunnels ] – Manipulate tunnel data
VPN shell:[/] > quit
[Expert@gw1]#


Configuring SSH login mail alert on checkpoint secureplatform..


In an earlier post, SSH login alert, I presented the way to send a mail alert after a successful login by SSH to any Linux-based machine, including Checkpoint firewalls. Now, thanks to the folks at cpug.org who drew my attention to it, I will show how to get a mail alert on ANY rule in the security rulebase of the firewall, and also a simplified script using the Checkpoint version of sendmail.
First, rule alerts: on any rule in the Security Rulebase you can set its Track column to Mail. All hits on such a rule will then send mail alerts to the specified recipient(s) through the specified mail server (Checkpoint doesn't have a mail server of its own). So, if you create a rule that allows access by SSH and set its Track to Mail, each time this rule is used to access the firewall a mail will be sent. The mail server settings are configured in
Policy -> Global Properties -> Log and Alert -> Alert Commands: check "Send mail alert to SmartView Monitor" and "Run mail alert script". In the "Run mail alert script" field set a string of the form:
internal_sendmail -s [subject of the mail] -t [ip of mail server to receive mail goes here] -f [from_who_field_in_mail] [to_whom_send_this_mail]
e.g. internal_sendmail -s SSH_login_alert -t 63.161.169.140 -f yurisk@yurisk.info president@whitehouse.gov

The mail you get on such alert looks like:
 6Jan2010  7:29:55 accept fw-tokyo  >External mail rule: 2; rule_uid: {85A905A7-951E-4100-A23A-E280FAAA1D29}; SmartDefense profile: Default_Protection; service_id: ssh; src: my-management-host; dst: fw-tokyo  ; proto: tcp; product: VPN-1 & FireWall-1; service: ssh; s_port: 47145; 
NOTE. Some don'ts:
- You can't send to multiple recipients;
- You can't use the IP of the firewall itself as the mail server;
- The mail server you specify should be the one accepting mail for the recipient's address, or be doing
mail relay without authentication. And no, Checkpoint sendmail doesn't support authentication.

Ports used by Checkpoint gateway and management server for their internal communication

Symptoms
  • VPN-1 binds to some well-known ports and a few not-so well known ports. This document will explain what ports these are, what they are used for, and, if applicable, how to disable them.
Solution
Various parts of FireWall-1 bind to various ports on the system. Typically, they intercept connections traversing the firewall, but in order for this to work correctly, they must bind to their own port and listen. In general, the services bound to these ports do not pose any sort of security risk. If no policy is in place or the policy permits access to these ports inadvertently, the processes themselves are smart enough to reject direct requests to these ports. In the case of the SAM and LEA ports (see below), these ports require authentication in much the same way that remote management does, so it is not believed to be a security risk.
TCP Port 256 is used for three important things:
  • Exchange of CA and DH keys in FWZ and SKIP encryption between two FireWall-1 Management Consoles
  • SecuRemote build 4005 and earlier uses this port to fetch the network topology and encryption keys from a FireWall-1 Management Console
  • When installing a policy, the management console uses this port to push the policy to the remote firewall.
TCP Port 257 (FW1_log) is used for logging purposes.
TCP Port 258 is used by the fwpolicy remote GUI. FireWall-1 will only listen to this port on a management console.
TCP Port 259 is used for Client Authentication via telnet. FireWall-1 will only listen to this port on a firewall module.
UDP Port 259 is used in FWZ encryption to manage the encrypted session (SecuRemote and FireWall-1 to FireWall-1 VPNs).
UDP Port 260 and UDP Port 161 are used for the SNMP daemon that Check Point FireWall-1 provides.
TCP Port 262 is used by netsod, which is the Single Sign-on Daemon. This can be disabled by commenting out the line that contains netsod in $FWDIR/conf/fwauthd.conf.
TCP Port 264 is used for Secure Client (SecuRemote) build 4100 and later to fetch network topology and encryption keys from a FireWall-1 Management Console. FireWall-1 will only listen to this port on a management console.
UDP Port 500 is used for ISAKMP key exchange between firewalls or between a firewall and a host running Secure Client. FireWall-1 will only listen to this port on a firewall module.
TCP Port 900 is used by FireWall-1's HTTP Client Authentication mechanism. This can be disabled by commenting the appropriate line in $FWDIR/bin/fwauthd.conf.
TCP Port 4532 is used for the Session Auth agent, asessiond.
TCP Ports above 1024, other than the ones listed below, are generally any Security Servers that are active. The actual ports used by these servers will vary. 1024 is the lowest & 65535 is the highest port a Security Server process will use for a connection. If you wish to minimize the number of ports listening, comment out the appropriate lines from $FWDIR/conf/fwauthd.conf. Note that if you disable a security server in this fashion, you can not use its capabilities (like content security or authentication), so make sure you only do it for the security servers you know you are not using.
TCP Port 18181 is used for CVP (Content Vectoring Protocol, for anti-virus scanning). FireWall-1 will not listen on this port.
TCP Port 18182 is used for UFP (URL Filtering Protocol, for WebSense and the like). FireWall-1 will not listen on this port.
TCP Port 18183 is used for SAM (Suspicious Activity Monitoring, for intrusion detection). If you do not use these features, you can comment out the appropriate lines in $FWDIR/conf/fwopsec.conf.
TCP Port 18184 is used for Log Export API (lea). If you do not use these features, you can comment out the appropriate lines in $FWDIR/conf/fwopsec.conf.
TCP Port 18186 (FW1_omi-sic) is used for Secure Internal Communications (SIC) between OPSEC certified products and a NG FireWall module.
TCP Port 18190 (CPMI) is used by the FireWall Management process (FWM) to listen for NG Management Clients attempting to connect to the management module.
TCP Port 18191 (CPD) is used by the CPD process for communications such as policy installation, certificate revocation, and status queries.
TCP Port 18192 (CPD_amon) is used by the CPD process FireWall Application Monitoring.
TCP Port 18196 is used for CPEPS which is part of User Monitor.
TCP Port 18207 is used by polsrvd, which is the Single Sign-on Daemon. This can be disabled by commenting out the line that contains polsrvd in $FWDIR/conf/fwauthd.conf.
TCP Port 18210 (FW1_ica_pull): The CPD process, on the management module, is listening on TCP port 18210 for certificates to be "pulled" by a FireWall module from a management module.
TCP Port 18211 (FW1_ica_push): The Check Point Daemon (CPD) process, running on the FireWall module, listens on TCP port 18211 for certificate creation and for the "push" of the certificate to the FireWall module from the management module.
Should you make any changes above, the 'fwd' process will need to be restarted as follows:
nokia[admin]# fw kill fwd
nokia[admin]# fwd `cat $FWDIR/conf/masters`

How to check rule hit count / statistics in checkpoint?


As I mentioned before, once you export firewall logs into a human-readable format you can do lots of interesting things, for example a script that gives statistics of how many times each Security rule was hit.
Be aware that this counts explicit Security rules only, i.e. the ones you see in the Security tab of SmartDashboard. No other rules you usually see in SmartView Tracker are counted, e.g. SmartDefense, Web Filtering etc. Afterwards I sort it by number of hits to see which rules are used most:
awk -F\; ' {match($0,/rule: +([0-9]+)/,rules);rule_count[rules[1]]++} END {for (rule_number in rule_count) print " Rule number: " rule_number " Hits: " rule_count[rule_number]}' ./fw.log.txt | sort -n -k5
Rule number:  Hits: 1197330
(Ignore this line: it counts the non-matched lines, which I didn't want to filter out with additional conditions and added processing time.)
Rule number: 2 Hits: 9
Rule number: 5 Hits: 366
Rule number: 11 Hits: 12296
Rule number: 9 Hits: 14457
Rule number: 0 Hits: 17094
Rule number: 1 Hits: 44066
Rule number: 7 Hits: 233643
Rule number: 10 Hits: 366275
Rule number: 6 Hits: 424639
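A Python version of the rule counter, added here as an example and not the post's own script: it reads the same exported log format as the awk one-liner above, keeps the rule_uid next to the rule number (so counts survive rule renumbering after a policy edit), and counts the non-matching lines separately instead of in an empty bucket. The log lines inside are constructed samples and the function names are my own.

```python
"""Count Security rule hits in an exported (fw log) file.

Added example, not the post's own script. The sample log lines are
constructed in the export format shown on the page; the rule_uid values
other than the one quoted on the page are placeholders.
"""
import re
from collections import Counter

# Constructed sample: four rule hits (two on rule 10) and one SmartDefense
# line that carries no rule number at all.
SAMPLE_LOG = """\
 6Jan2010  7:29:55 accept fw-tokyo  >External mail rule: 2; rule_uid: {85A905A7-951E-4100-A23A-E280FAAA1D29}; service_id: ssh; src: my-management-host; dst: fw-tokyo  ; proto: tcp; service: ssh; s_port: 47145; 
 6Jan2010  7:30:02 accept fw-tokyo  >External rule: 10; rule_uid: {CONSTRUCTED-UID-0010}; src: 10.1.1.5; dst: 192.168.21.10; proto: tcp; service: http; s_port: 51000; 
 6Jan2010  7:30:03 drop fw-tokyo  >External rule: 0; rule_uid: {CONSTRUCTED-UID-0000}; src: 10.1.1.6; dst: 192.168.21.10; proto: udp; service: snmp; s_port: 51001; 
 6Jan2010  7:30:04 accept fw-tokyo  >External rule: 10; rule_uid: {CONSTRUCTED-UID-0010}; src: 10.1.1.7; dst: 192.168.21.10; proto: tcp; service: http; s_port: 51002; 
 6Jan2010  7:30:05 drop fw-tokyo  >External SmartDefense profile: Default_Protection; attack: Malformed Packet; src: 10.1.1.8; dst: 192.168.21.10; proto: tcp; 
"""

# Same field the awk script matches ("rule: N;"); \b keeps "rule_uid" out.
RULE_RE = re.compile(r"\brule: +(\d+);")
UID_RE = re.compile(r"rule_uid: (\{[^}]*\});")


def count_rule_hits(lines):
    """Return ({(rule_number, rule_uid): hits}, unmatched_line_count).

    Lines without a 'rule: N' field (SmartDefense, Web Filtering, ...) are
    counted separately instead of landing in an empty-key bucket.
    """
    hits = Counter()
    unmatched = 0
    for line in lines:
        m = RULE_RE.search(line)
        if not m:
            unmatched += 1
            continue
        uid_m = UID_RE.search(line)
        uid = uid_m.group(1) if uid_m else "<no rule_uid>"
        hits[(int(m.group(1)), uid)] += 1
    return hits, unmatched


def rules_by_hits(hits):
    """Most-hit rules first (the post's 'sort -n -k5' lists them ascending)."""
    return sorted(hits.items(), key=lambda kv: kv[1], reverse=True)


def report(text):
    """Render the counts in the same 'Rule number: N Hits: M' shape as the awk output."""
    hits, unmatched = count_rule_hits(text.splitlines())
    out = [f"Rule number: {rule} {uid} Hits: {n}"
           for (rule, uid), n in rules_by_hits(hits)]
    out.append(f"Lines without a rule number (not counted): {unmatched}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Point it at a real export with `report(open("fw.log.txt").read())`; the rule_uid column is what to compare across exports taken before and after a policy change.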

How to install native telnet client on Checkpoint server / firewall - SecurePlatform?

Some time ago, in Telnet from inside Checkpoint firewall, I wrote how to use awk to imitate telnet on a Checkpoint firewall. Later, in the comments to that post, a reader pointed out that there is a native telnet client located on the Splat installation ISO image.
That's true, only I think you don't always have the installation image at hand. Instead you can use the
standalone download SecurePlatformAddOn_R55.tgz. While it says R55 in its name, the telnet client software inside works well even with R70 and also on Splat platforms with a 2.6 kernel. Indeed the telnet client that comes with the R70 installation image is bigger by file size but bears the same version name anyway.
In addition there is another useful utility in this package, the well-known wget. So consider installing it too.
After downloading it, go by the usual RPM package install procedure: unzip, untar, rpm -Uvh

How to enable Telnet client / how do telnet from checkpoint gateway?


Yesterday I saw a strange problem: connections from outside to an Exchange server in the LAN timed out, while in Tracker all connections to port 25 were green. Stranger still, through client-to-site VPN and from inside the LAN everything worked perfectly well. So I wasn't 100% sure it wasn't the firewall causing this. The next best way to check would be to telnet from inside NGX (R65 in this case) to port 25 of Exchange by its LAN IP … only Checkpoint doesn't include a telnet client in Splat. If I had enough time I'd compile a telnet client statically on some Linux box with the same kernel/libraries and then copy it to NGX for testing, but to do it ASAP I hacked a small AWK script that emulates telnet (just enough for a test); the scripts are below.
BTW this script made it 100% clear there was some problem with Exchange over which I had no control: from the firewall its port 25 answered very erratically, once ok, 10 times connection refused. So after a double check
the client found that from LAN and VPN it also wasn't as stable as he first thought.
General telnet client script :
[Expert@cp]# awk -v ip=192.168.0.1 -v port=25 -f telnet.awk
Where:
ip - IP to connect to
port – port to connect to
#!/usr/bin/awk -f
# This is a simple telnet emulation script whose purpose is to try to
# connect to a given IP on a given port using TCP and print to the
# terminal the first line received from the server if the session is
# established. It has no functionality but to establish a TCP connection
# and print out the text received from the server; after that it just
# exits. It was created to debug connectivity issues on a Checkpoint NGX
# firewall that has no built-in telnet client.
# Requires gawk: the /inet/tcp/... special file and the |& coprocess
# operator are gawk extensions (the awk on Splat is gawk).
# Client
BEGIN {
    # "/inet/tcp/0/<ip>/<port>": local port 0 means any, then remote host and port
    ("/inet/tcp/0/" ip "/" port ) |& getline
    print $0
    close(("/inet/tcp/0/" ip "/" port ))
}
Next is the same script with an add-on for port 80, to get some response from a web server:
#!/usr/bin/awk -f
# Same client with an HTTP request added: send a bare GET and print
# everything the web server returns until it closes the connection.
BEGIN {
    Portandip = ("/inet/tcp/0/" ip "/" port )
    # HTTP/1.0 with CRLF line endings asks the server to close the
    # connection after its response, so the read loop below ends cleanly
    print "GET / HTTP/1.0\r\n\r\n" |& Portandip
    while ( (Portandip |& getline) > 0 )
        print $0
    close(Portandip)
}

How to configure RADIUS authentication for Checkpoint?


I got asked a few times about this rather rarely used feature, and as surfing through the Checkpoint docs can be a bit tedious, I'll put it here. SSH user authentication against an external server, in this case using the Radius protocol, is possible but only if you have a VPN Pro featured firewall and accordingly a VPN Pro license (Advanced Networking Blade if using Blades). Then using the firewall's WebGUI you will have an option to configure an external Radius server to authenticate operating system users. See screenshots below.

http://yurisk.info/Radius1big.png
http://yurisk.info/Radius2big.png

fw ctl or checkpoint tables details


Holidays are over, Checkpoint failures are back, so business as usual. Today I want to draw your attention to an often overlooked information source: Checkpoint state tables. While running, the firewall creates, keeps and updates various tables it needs for correct functioning. These tables contain parameters that are mostly of use for the firewall itself, but you can query them on the CLI, and sometimes flush them as well.
To see all tables with their contents you type:
[Expert@Hollywood]# fw tab
To see only table names:
[Expert@Hollywood]# fw tab | grep "\-\-\-\-\-\-\-"

Now a round-up of some tables that, for whatever reason, are useful to know about.
NOTE: when a service is not loaded, the corresponding table isn't either:
# fw tab -t http_av_scan_exclusion
localhost:
Table http_av_scan_exclusion not loaded: Invalid argument
Most of the time values in these tables are presented as integer or hex values, and almost always they contain IP addresses. Adding the -f option to the command deciphers the output a bit but not completely, so an integer-to-dotted-quad IP converter will be very handy.
To see local encryption domain of this gateway without entering SmartDashboard:
# fw tab -f -t vpn_enc_domain
Using cptfmt
localhost:
Date: Apr 7, 2010
8:26:33 192.168.29.25> : (+)====================================(+); Table_Name: vpn_enc_domain; : (+); Attributes: static, id 381; product: VPN-1 & FireWall-1;

8:26:33 192.168.29.25> : (+); First: 10.20.201.1; ,Last: 10.20.201.3; product: VPN-1 & FireWall-1;
8:26:33 192.168.29.25> : (+); First: 172.18.1.0; ,Last: 172.18.1.255; product: VPN-1 & FireWall-1;
8:26:33 192.168.29.25> : (+); First: 192.168.20.251; ,Last: 192.168.20.253; product: VPN-1 & FireWall-1;
8:26:33 192.168.29.25> : (+); First: 192.168.21.0; ,Last: 192.168.21.255; product: VPN-1 & FireWall-1;
8:26:33 192.168.29.25> : (+); First: 192.168.22.11; ,Last: 192.168.22.12; product: VPN-1 & FireWall-1;
Another command that gives the local encryption domain; on the few firewalls I tried the output was the same, so I don't know what the difference is:
# fw tab -f -t vpn_enc_domain_valid
Using cptfmt
localhost:
Date: Apr 7, 2010
8:52:30 192.168.29.25> : (+)====================================(+); Table_Name: sr_enc_domain_valid; : (+); Attributes: static, id 380; product: VPN-1 & FireWall-1;
8:52:30 192.168.29.25> : (+); First: 10.20.201.1; ,Last: 10.20.201.3; product: VPN-1 & FireWall-1;
8:52:30 192.168.29.25> : (+); First: 172.18.1.0; ,Last: 172.18.1.255; product: VPN-1 & FireWall-1;
8:52:30 192.168.29.25> : (+); First: 192.168.20.251; ,Last: 192.168.20.253; product: VPN-1 & FireWall-1;
8:52:30 192.168.29.25> : (+); First: 192.168.21.0; ,Last: 192.168.21.255; product: VPN-1 & FireWall-1;
8:52:30 192.168.29.25> : (+); First: 192.168.22.11; ,Last: 192.168.22.12; product: VPN-1 & FireWall-1;
See encryption domain for Secure Remote users
# fw tab -f -t sr_enc_domain_valid
Using cptfmt
localhost:
Date: Apr 7, 2010
8:52:30 192.168.29.25> : (+)====================================(+); Table_Name: sr_enc_domain_valid; : (+); Attributes: static, id 380; product: VPN-1 & FireWall-1;
8:52:30 192.168.29.25> : (+); First: 10.20.201.1; ,Last: 10.20.201.3; product: VPN-1 & FireWall-1;
8:52:30 192.168.29.25> : (+); First: 172.18.1.0; ,Last: 172.18.1.255; product: VPN-1 & FireWall-1;
8:52:30 192.168.29.25> : (+); First: 192.168.20.251; ,Last: 192.168.20.253; product: VPN-1 & FireWall-1;
8:52:30 192.168.29.25> : (+); First: 192.168.21.0; ,Last: 192.168.21.255; product: VPN-1 & FireWall-1;
8:52:30 192.168.29.25> : (+); First: 192.168.22.11; ,Last: 192.168.22.12; product: VPN-1 & FireWall-1;
To see SPI database entries of established VPN tunnels and their parameters:
# fw tab -f -t inbound_SPI
Using cptfmt
localhost:
Date: Apr 7, 2010
8:34:56 192.168.29.25> : (+)====================================(+); Table_Name: inbound_SPI; : (+); Attributes: dynamic, id 289, attributes: keep, sync, expires 3600, limit 40800, hashsize 65536, kbuf 1 3, free function f9b32640 0, post sync handler f9b22330; product: VPN-1 & FireWall-1;
8:34:56 192.168.29.25> : (+); SPI: d21c5e68; CPTFMT_sep: ;; Protocol: IPSEC_ESP_SA(2); ,Schema: IKE(3); ,me: 192.168.22.11; ,peer: 122.18.9.20; ,owner: 127.0.0.1; ,MyRange:First: 192.168.21.0; Last: 192.168.21.255; ,PeerRange:First: 192.168.214.0; PeerLast: 192.168.214.255; ,HWInitialized: NO; ,MSPI: 13; ,Host: 192.168.22.11; ,Peer: 122.18.9.20; Expires: 2149/3610; product: VPN-1 & FireWall-1;
To see the active VPN peers with IKE phase up
# fw tab -f -t IKE_peers
Date: Apr 7, 2010
8:36:36 192.168.29.25> : (+)====================================(+); Table_Name: IKE_peers; : (+); Attributes: dynamic, id 333, attributes: keep, sync, expires never, limit 25000, hashsize 512; product: VPN-1 & FireWall-1;
8:36:36 192.168.29.25> IkePeer: 212.13.12.128; : (+); Expires: 876861451/2147483647; product: VPN-1 & FireWall-1;
8:36:36 192.168.29.25> IkePeer: 212.13.12.129; : (+); Expires: 876861451/2147483647; product: VPN-1 & FireWall-1;
Here you can see what port is used for NAT traversal
# fw tab -f -t natt_port
Date: Apr 7, 2010
8:37:34 192.168.29.25> : (+)====================================(+); Table_Name: natt_port; : (+); Attributes: dynamic, id 369, attributes: expires never, limit 25000, hashsize 4; product: VPN-1 & FireWall-1;
8:37:34 192.168.29.25> Key: 00001194; Expires: 876861393/2147483647; product: VPN-1 & FireWall-1;
The value is in hex: 0x1194 = 4500
List table of Security Associations
# fw tab -f -t IKE_SA_table
Date: Apr 7, 2010
8:41:47 192.168.29.25> : (+)====================================(+); Table_Name: IKE_SA_table; : (+); Attributes: dynamic, id 297, attributes: keep, sync, expires 3600, limit 40400, hashsize 65536, implies 296, kbuf 1, free function f9b22830 0, post sync handler f9b25d80; product: VPN-1 & FireWall-1;
8:41:47 192.168.29.25> : (+); ,CookieI: 1a4406adfa1e1b26; ,CookieR: a64bea22245f2ac2; CPTFMT_sep: ;; EncryptAlg: 0; ,HashAlg: 0; ,DH_Group: 0; ,AuthMethod: 1; ,Flags: 0; ,RenegotiationTime: 2046191617; Expires: 20089/86399; product: VPN-1 & FireWall-1;
Pretty much the same data: the number of peers
# fw tab -f -t peers_count
Date: Apr 7, 2010
8:46:48 192.168.29.25> : (+)====================================(+); Table_Name: peers_count; : (+); Attributes: dynamic, id 332, attributes: keep, expires never, limit 10200, hashsize 16384, kbuf 1; product: VPN-1 & FireWall-1;
8:46:48 192.168.29.25> : (+); IPsec peer: 31.112.182.6; CPTFMT_sep: ;; ,Ref-count: 2; Expires: 876860840/2147483647; product: VPN-1 & FireWall-1;
8:46:48 192.168.29.25> : (+); IPsec peer: 122.18.9.20; CPTFMT_sep: ;; ,Ref-count: 1; Expires: 876860840/2147483647; product: VPN-1 & FireWall-1;
List of hosts with which this firewall currently has open sessions (whatever they may be)
# fw tab -f -t static_interface_resolve
Date: Apr 7, 2010
8:55:59 192.168.29.25> : (+)====================================(+); Table_Name: static_interface_resolve; : (+); Attributes: static, id 387; product: VPN-1 & FireWall-1;
8:55:59 192.168.29.25> : (+); Peer_interface: 10.20.20.1; ,Peer_main_addr: 21.23.9.2; product: VPN-1 & FireWall-1;
8:55:59 192.168.29.25> : (+); Peer_interface: 58.13.2.78; Peer_resolved_addr: 58.13.2.78; ,Peer_main_addr: 58.13.2.78; product: VPN-1 & FireWall-1;
To list the NAT rule numbers, as they appear in SmartDashboard, that have Any as destination and as source, respectively
# fw tab -f -t NAT_dst_any_list
Date: Apr 7, 2010
9:01:13 192.168.29.25> : (+)====================================(+); Table_Name: NAT_dst_any_list; : (+); Attributes: static, id 434; product: VPN-1 & FireWall-1;
9:01:13 192.168.29.25> Key: 0000000a, 0000000a; product: VPN-1 & FireWall-1; //Rule number 10
9:01:13 192.168.29.25> Key: 0000000c, 0000000c; product: VPN-1 & FireWall-1; //Rule number 12
9:01:13 192.168.29.25> Key: 0000000e, 0000000e; product: VPN-1 & FireWall-1;
# fw tab -f -t NAT_src_any_list
Date: Apr 7, 2010
9:00:31 192.168.29.25> : (+)====================================(+); Table_Name: NAT_src_any_list; : (+); Attributes: static, id 433; product: VPN-1 & FireWall-1;
9:00:31 192.168.29.25> Key: 00000006, 00000006; product: VPN-1 & FireWall-1; // Rule number 6
9:00:31 192.168.29.25> Key: 00000007, 00000007; product: VPN-1 & FireWall-1; // Rule number 7
List all NAT rules.
Some explanation here. All IP addresses are in hexadecimal representation. To translate them to the usual dotted-decimal form I convert (say, using calc.exe) Hex -> Integer, then, using some Internet converter, Integer -> dotted decimal. My comments are in ().
# fw tab -f -t NAT_rules
Date: Apr 7, 2010
9:02:19 192.168.29.25> : (+)====================================(+); Table_Name: NAT_rules; : (+); Attributes: static, id 435; product: VPN-1 & FireWall-1;
9:02:19 192.168.29.25> Key: 00000001(Rule number); CPTFMT_sep: ;; Data: 00000000, 00000000, ff000001 (255.0.0.1) , BD8AFF3C (189.138.255.60 Original Src in Nat rule), BD8AFF3C, c0a8d1fd (192.168.209.253 Translated source IP), ff010202 (255.1.2.2), C0A81596 (192.168.21.150 Original packet destination) , C0A81596, C0A81596, 00000000, 00000000, 00000000, 00000000; product: VPN-1 & FireWall-1;
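The hex-to-IP conversion described above, and the hex natt_port key decoded earlier, can be done offline in one go instead of with calc.exe and a web converter. The following is an added example, not code from the original post or from Check Point: it splits the cptfmt record lines that `fw tab -f` prints into field/value pairs, decodes 8-hex-digit words into dotted-decimal addresses, and summarizes an inbound_SPI record. The sample lines are copied from the output shown above; the NAT_rules line is reconstructed without the parenthesized annotations so it matches what the gateway actually prints (an assumption, since the post only shows the annotated form). Field names such as `MyRange:First` and `PeerLast` are taken as they appear in the output.

```python
"""Parse `fw tab -f -t <table>` (cptfmt) output and decode its hex fields.

Added example; the sample records below are copied from / constructed after
the fw tab output in the post, so the script runs without a gateway.
"""
import re

HEX8 = re.compile(r"^[0-9a-fA-F]{8}$")
# One 'key: value' field; composite keys such as 'MyRange:First' are kept whole,
# keys may contain spaces or hyphens ('IPsec peer', 'Ref-count').
FIELD = re.compile(r"^\s*,?\s*([A-Za-z_][\w -]*(?::[A-Za-z_]+)?)\s*:\s*(.*?)\s*$")


def hex_to_ip(word):
    """Decode an 8-hex-digit fw tab word into dotted-decimal IPv4.

    fw tab prints addresses as big-endian 32-bit hex: 'BD8AFF3C' -> '189.138.255.60'.
    """
    word = word.strip()
    if not HEX8.match(word):
        raise ValueError("not an 8-hex-digit value: %r" % word)
    n = int(word, 16)
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def hex_to_int(word):
    """Decode a plain hex key, e.g. the natt_port 'Key: 00001194' -> 4500."""
    return int(word.strip(), 16)


def parse_record(line):
    """Split one cptfmt record line into a dict of field -> raw value string.

    Drops the '<time> <host>>' prefix, the '(+)' separators and the trailing
    'product:' field. Later duplicate keys overwrite earlier ones.
    """
    body = line.split(">", 1)[1] if ">" in line else line
    fields = {}
    for part in body.split(";"):
        m = FIELD.match(part)
        if not m or m.group(1) == "product":
            continue
        fields[m.group(1)] = m.group(2)
    return fields


def decode_nat_rule(record):
    """Turn a NAT_rules record into (rule_number, [dotted-quad, ...])."""
    rule = hex_to_int(record["Key"])
    words = [w for w in record["Data"].split(",") if w.strip()]
    return rule, [hex_to_ip(w) for w in words]


def summarize_spi(record):
    """Pick the fields an operator needs to match an IPsec SA to a tunnel."""
    return {
        "spi": record["SPI"],
        "local_gw": record["me"],
        "remote_gw": record["peer"],
        "local_net": "%s-%s" % (record["MyRange:First"], record["Last"]),
        "remote_net": "%s-%s" % (record["PeerRange:First"], record["PeerLast"]),
        "expires": record["Expires"],
    }


# Sample records (copied from the post's output; NAT rule line reconstructed
# without the hand-written annotations).
SAMPLE_SPI = ("8:34:56 192.168.29.25> : (+); SPI: d21c5e68; CPTFMT_sep: ;; Protocol: IPSEC_ESP_SA(2); "
              ",Schema: IKE(3); ,me: 192.168.22.11; ,peer: 122.18.9.20; ,owner: 127.0.0.1; "
              ",MyRange:First: 192.168.21.0; Last: 192.168.21.255; ,PeerRange:First: 192.168.214.0; "
              "PeerLast: 192.168.214.255; ,HWInitialized: NO; ,MSPI: 13; ,Host: 192.168.22.11; "
              ",Peer: 122.18.9.20; Expires: 2149/3610; product: VPN-1 & FireWall-1;")
SAMPLE_NATT = ("8:37:34 192.168.29.25> Key: 00001194; Expires: 876861393/2147483647; "
               "product: VPN-1 & FireWall-1;")
SAMPLE_NAT_RULE = ("9:02:19 192.168.29.25> Key: 00000001; CPTFMT_sep: ;; Data: 00000000, 00000000, "
                   "ff000001, BD8AFF3C, BD8AFF3C, c0a8d1fd, ff010202, C0A81596, C0A81596, C0A81596, "
                   "00000000, 00000000, 00000000, 00000000; product: VPN-1 & FireWall-1;")

if __name__ == "__main__":
    print(summarize_spi(parse_record(SAMPLE_SPI)))
    print("NAT-T port:", hex_to_int(parse_record(SAMPLE_NATT)["Key"]))
    print(decode_nat_rule(parse_record(SAMPLE_NAT_RULE)))
```

To use it on a live gateway, redirect `fw tab -f -t NAT_rules` to a file, copy it off the box and feed each record line to `parse_record`; the header line (`Table_Name: ...`) parses too, but carries no `Data` field, so skip records without one before calling `decode_nat_rule`.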
List open connections to/from the firewall
# fw tab -f -t connections
Date: Apr 7, 2010
10:22:43 80.19.1.150> : (+)====================================(+); Table_Name: connections; : (+); Attributes: dynamic, id 8158, attributes: keep, sync, aggressive aging, kbuf 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31, expires 60, refresh, limit 75000, hashsize 262144, free function f9faf4e0 0, post sync handler f9fa3470; product: VPN-1 & FireWall-1;
10:22:43 80.19.1.150> : ———————————–(+); Direction: 1; Source: 172.17.110.111; SPort: 1517; Dest: 210.48.77.30; DPort: 443; Protocol: tcp; CPTFMT_sep_1: ->; Direction_1: 0; Source_1: 172.17.110.111; SPort_1: 1517; Dest_1: 210.48.77.30; DPort_1: 443; Protocol_1: tcp; FW_symval: 2; product: VPN-1 & FireWall-1;
Something that has to do with IPS I guess
# fw tab -f -t string_dictionary_table
Date: Apr 7, 2010
10:23:52 80.19.1.150> : (+)====================================(+); Table_Name: string_dictionary_table; : (+); Attributes: dynamic, id 8135, attributes: keep level 2, kbuf 1, expires never, limit 32768, hashsize 4096; product: VPN-1 & FireWall-1;
10:23:52 80.19.1.150> Expires: 876858615/2147483647; product: VPN-1 & FireWall-1;
10:23:52 80.19.1.150> Expires: 876858615/2147483647; product: VPN-1 & FireWall-1;
10:23:52 80.19.1.150> Hash: dc17462d0fdcfdfd42c80679dbd63b4; ID: 3672; Data: Microsoft Windows search-ms protocol handler command execution (MS08-075); Expires: 876858615/2147483647; product: VPN-1 & FireWall-1;
10:23:52 80.19.1.150> Expires: 876858615/2147483647; product: VPN-1 & FireWall-1;
10:23:52 80.19.1.150> Expires: 876858615/2147483647; product: VPN-1 & FireWall-1;
10:23:52 80.19.1.150> Hash: e36d6da340f3ce9df3d02fd991b07765; ID: 822; Data: Command '%s' is out of expected state '%s'; Expires: 876858615/2147483647; product: VPN-1 & FireWall-1;
10:23:52 80.19.1.150> Hash: c377d9acdbb7a8a3cd182b514df494d; ID: 657; Data: smtp_block_bin_enable; Expires: 876858615/2147483647; product: VPN-1 & FireWall-1;
10:23:52 80.19.1.150> Hash: 34bd42a272028c23476653dfcbac806d; ID: 648; Data: Out of bounds – an offset was given that references outside the packet; Expires: 876858615/2147483647; product: VPN-1 & FireWall-1;
10:23:52 80.19.1.150> Hash: b8d505cb64b542f15dcea55a93802fb; ID: 2681; Data: Cisco IOS IPv4 Packets Denial of Service; Expires: 876858615/2147483647; product: VPN-1 & FireWall-1;
10:23:52 80.19.1.150> Hash: 30f7c4e2db021c4977c2a92b48bb97ed; ID: 2241; Data: Invalid SIT field in SA payload header; Expires: 876858615/2147483647; product: VPN-1 & FireWall-1;
10:23:52 80.19.1.150> Hash: 29aa7499fca2d0cdc9f9d954c9a7b7d2; ID: 979; Data: Virtual defragmentation error: Memory failure; Expires: 876858615/2147483647; product: VPN-1 & FireWall-1;
10:23:52 80.19.1.150> Hash: de1c15759f50957189b1ba346bfc07fa; ID: 655; Data: Security violation; Expires: 876858615/2147483647; product: VPN-1 & FireWall-1;
10:23:52 80.19.1.150> More_Entries: 7782; product: VPN-1 & FireWall-1;