Wednesday, May 19, 2010

Checkpoint Tables and the FW Tab Commands

The fw tab command displays the contents of the INSPECT tables. These tables hold all state information on the firewall, including connections, VPNS, nats, etc.

The following options are commonly used:
-s provides a summary the tables
-t tname only displays the requested table
-x tname delete all entries in the specified table
-d debug mode
-all all tables

Useful tables:


This host_table holds the IP addresses of internal machines protected by the VPN-1/FireWall-1 NG Enforcement Module. The table only exists where the VPN-1/FireWall-1 license is limited. The maximum number of entries in this table is the licensed number of internal machines.


The arp_table holds the IP addresses for which the machine is willing to proxy ARP. Proxy ARP is sometimes required when using NAT. If IP addresses that the machine is to resolve are specified in local.arp , this table can be used to check that the IP addresses were correctly specified. The automatic ARP feature also uses this table to cause the machine to resolve translated IP addresses.
Entry format:
1. IP address (name resolving may occur).
2. MAC address of gateway machine interface that will answer ARP requests for the IP address.
3. Interface name (optional).
4. Name of the gateway interface that will proxy ARP for IP addresses.
The fwx_alloc table uses the following formats.
First entry: < 0, hiding IP address, IP protocol, first high port used; next high port to be allocated>
The first field is a space holder and is always 0. The first high port to be used is always 10000.


The fwx_alloc table holds information about the allocation of ports for the translated packets.


The fwx_cntl_dyn_tab table holds information about the allocated IP addresses from the IP Pool of the Enforcement Module, and the connections using the IP addresses.


attributes: keep, expires never, limit 25000, 
hashsize 512, free function 40550248 0 
00000001, 00000e10, 000000c3>


The fwx_auth table holds the original information of a folded connection, so that the Security Server will know the original destination IP and port of the connection.


attributes: expires 300, limit 25000, refresh, keep 
c7cb47e3, 00000017; 286/300>


All IP and network addresses that were stipulated in SAM requests, are shown in sam_blocked_ips , with a requests counter for each prototype of filter that is enforced over each certain IP and network address. Note the overshadowed requests are also accounted for, if present.


-------- sam_blocked_ips --------dynamic, id 8141, attributes: keep, limit 25000, hashsize 512 <05050505;> 00000000, 00000000, 00000000>


The host_ip_addrs table contains the list of IP addresses in the VPN-1/FireWall-1 NG Enforcement Module.


The fwx_ip_lookup_tab table holds information used for IP Pool allocation queries.


attributes: keep, limit 25000, hashsize 512


The fwz_crypt_pending table is used to record a possibly encrypted connection that should obtain their encryption/decryption key. This table is accessed from the VPN kernel, and the VPN daemon. The kernel can obtain a new key from this table stored by the daemon, which negotiated the key exchange with a trusted peer. This table also passes error messages. The fwz_crypt_pending table is dynamic.


Each embedded VPN-1/FireWall-1 system has a feature that indicates how many hosts can be located 'behind' it. The number of hosts can be set to unlimited. This limitation is enforced in the Inspect code using the macro COUNT_HOST .
COUNT_HOST records each packet that comes from the internal interface in a table until the limit is exceeded


IKE SAs are stored in IKE_SA_table . The table entries have four possible formats:
· The top two formats are only used on SecuRemote.
· All non-expired SAs are stored using format 2.
· Format 1 is used to store and retrieve the latest IKE SA.
· Table entries are used to conduct IKE Quick Mode negotiation of IPSEC_SA .
· Entries are extracted from this table when the vpn daemon is trapped for IPSEC_SA renewal. IKE daemon tries to use previously negotiated IKE SA.
· The IKE_SA_table is dynamic.


expires 3600
limit 25000
hashsize 512
kbuf 1


PeerAddress ipaddr IKE peer address.
Me ipaddr on SecuRemote it is the IP address used by SecuRemote when it negotiated this IKE SA; field is used to prevent using an old IKE SA negotiated before SecuRemote obtained a new IP address; if initiator or responder
CookieI u_long [2] initiator cookie (8 bytes). host byte order
CookieR u_long [2] responder cookie (8 bytes). host byte order


IKE_SA kbuf A kbuf storing the fwisakmp_sa structure.
Flags uint currently only 2 flags are defined: (PEER_MOBILE, INITIATOR); used so Enforcement Module does not need to retrieve the whole kbuf from the kernel if we only want to know if this SA was established with a mobile user
RenegotiationTime uint renegotiation time of the SA


-------- IKE_SA_table --------
dynamic, id 77, attributes: keep, sync, expires 3600, 
limit 25000, hashsize 512, kbuf 1, free function 

No comments: