Thursday, June 23, 2011

How to configure NTP on Checkpoint Secureplatform / splat

Where Checkpoint data revision files are stored on a Checkpoint Provider-1 server

Checkpoint useful command reference


How to check for unwanted services running on a Checkpoint Firewall / SmartCenter Server



gsinsc112[admin]# cat $FWDIR/conf/fwauthd.conf
#21 fwssd in.aftpd wait 0
#80 fwssd in.ahttpd wait -2
#513 fwssd in.arlogind wait 0
#25 fwssd in.asmtpd wait 0
#2525 fwssd in.emaild.smtp wait 0
#110 fwssd in.emaild.pop3 wait 0
#23 fwssd in.atelnetd wait 0
#259 fwssd in.aclientd wait 259
10081 fwssd in.lhttpd wait 0
#900 fwssd in.ahclientd wait 900
0 fwssd in.pingd respawn 0
#0 fwssd in.asessiond respawn 0
#0 fwssd in.aufpd respawn 0
0 vpn vpnd respawn 0
#0 fwssd mdq respawn 0
0 stormd stormd respawn 0
0 sds sdsd respawn 0
0 dtps dtpsd respawn 0
0 dtls dtlsd respawn 0
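Every line in fwauthd.conf that does not start with # is a security server fwd will start, so reviewing the file means reading the uncommented entries. The script below is an added example (not from the original post) that pulls out the enabled entries and the ones that bind a TCP port; the field layout (port, binary, daemon, mode, argument) is taken from the file shown above, and the sample content is a constructed subset of it so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the original post: list the security servers that
# $FWDIR/conf/fwauthd.conf actually enables so unneeded ones can be reviewed
# and commented out. Fields per line: port binary daemon mode arg. A leading
# '#' disables the entry; port 0 entries are daemons fwd spawns without a
# TCP listener (in.pingd, vpnd, ...). Constructed sample so this runs offline.
FWAUTHD_SAMPLE='#21 fwssd in.aftpd wait 0
#80 fwssd in.ahttpd wait -2
#23 fwssd in.atelnetd wait 0
10081 fwssd in.lhttpd wait 0
0 fwssd in.pingd respawn 0
0 vpn vpnd respawn 0
0 stormd stormd respawn 0'

# enabled_services CONTENT: print "port daemon mode" for every active line
enabled_services() {
    printf '%s\n' "$1" | awk '$1 !~ /^#/ && NF >= 4 { print $1, $3, $4 }'
}

# listening_ports CONTENT: only active entries that bind a TCP port
listening_ports() {
    printf '%s\n' "$1" | awk '$1 !~ /^#/ && NF >= 4 && $1 + 0 != 0 { print $1 }'
}

# disabled_count CONTENT: how many entries are commented out
disabled_count() {
    printf '%s\n' "$1" | grep -c '^#'
}

# On a live SecurePlatform box (hypothetical usage):
#   enabled_services "$(cat $FWDIR/conf/fwauthd.conf)"
#   listening_ports "$(cat $FWDIR/conf/fwauthd.conf)"
```

Compare the output of listening_ports with what `netstat -tlnp` shows bound on the box; any listener that is not needed for the deployment is a candidate for commenting out (fwd must be restarted for the change to take effect).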

Good syntax examples for the tcpdump command in Linux / Checkpoint Secureplatform



TCP Dump
=========
How can I show ALL traffic on a specified interface?

tcpdump -i eth0

Will show ALL traffic on interface eth0.

How can I capture a specified number of packets?

tcpdump -c 20 -i eth0

The -c argument specifies the number of packets to capture. For example, this command captures 20 packets on interface eth0 and then quits.

How do I show the MAC address in the capture?

tcpdump -e -i eth0

The -e option prints the link-level header (source and destination MAC addresses) in addition to the basic information.

How can I look for the Welchia Worm with TCPDUMP?

tcpdump -tnn -i eth0 "icmp[icmptype]==icmp-echo && icmp[8]==0xAA && icmp[9]==0xAA && icmp[10]==0xAA && icmp[11]==0xAA"

Yes. The filter above matches ICMP echo requests whose payload starts with the bytes 0xAA 0xAA 0xAA 0xAA, the padding Welchia uses when it scans. Keep in mind that your sniffer will need to be located where it can see all traffic on your network for this to be useful.

How can I use TCPDUMP to determine the top talker on my network?

tcpdump -tnn -c 20000 -i eth0 | awk -F "." '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort -nr | awk ' $1 > 100 '

Depending on how busy your network is, you might want to lower the '-c 20000' (packet count) to fit your needs. This pipeline captures 20,000 packets, extracts the source address from each line, counts packets per address, and prints the addresses seen more than 100 times, sorted by count.
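The awk -F "." split above works for plain TCP/UDP lines but keeps the leading "IP " token, miscounts ICMP lines (no port suffix) and ignores nothing that is not IPv4. The function below is an added example (not from the original post) that does the same top-talker count against constructed tcpdump -tnn output, stripping the port only when one is present and skipping non-IPv4 lines such as ARP.

```shell
#!/bin/sh
# Added example, not from the original post: count packets per source IPv4
# address in `tcpdump -tnn` output and print the talkers at or above a
# threshold, highest first. Constructed sample lines stand in for a capture.
TCPDUMP_SAMPLE='IP 10.0.0.5.4321 > 172.16.1.10.80: Flags [S], seq 1, win 64240, length 0
IP 10.0.0.5.4322 > 172.16.1.10.80: Flags [S], seq 1, win 64240, length 0
IP 10.0.0.5.4323 > 172.16.1.10.443: Flags [S], seq 1, win 64240, length 0
IP 10.0.0.5 > 172.16.1.10: ICMP echo request, id 1, seq 1, length 64
IP 10.0.0.6.5000 > 172.16.1.10.53: 12345+ A? example.com. (29)
ARP, Request who-has 172.16.1.1 tell 172.16.1.10, length 28'

# top_talkers CONTENT MIN: print "count address" for sources seen >= MIN times
top_talkers() {
    printf '%s\n' "$1" | awk -v min="$2" '
        $1 == "IP" {
            # "a.b.c.d.port" has five dot-separated parts; ICMP lines have four
            k = split($2, p, ".")
            src = (k == 5) ? p[1] "." p[2] "." p[3] "." p[4] : $2
            n[src]++
        }
        END { for (s in n) if (n[s] >= min) print n[s], s }' | sort -nr
}

# Live usage on a gateway (hypothetical), same threshold as the post:
#   top_talkers "$(tcpdump -tnn -c 20000 -i eth0 2>/dev/null)" 100
```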

Checkpoint Firewall / SmartCenter server - Error "Out of Memory: Killed process ()"


These messages may appear in one of the following locations:

* Console

* SmartView Tracker

* the messages or dmesg file

If and when encountered, please contact Check Point Support.



"Out of Memory: Killed process ()"


This message appears in the dmesg output and in the /var/log/messages file on SecurePlatform.

It means that no more memory is available to Linux in the user space. As a result, Linux starts to kill processes.

"FW-1: Capacity problem detected

Memory consumption has exceeded X%" (Console message)

"Capacity notification: Memory consumption has exceeded X%" (SmartView Tracker message)

These messages indicate that the memory consumption has increased beyond what was defined as the Aggressive Aging threshold (for more details about Aggressive Aging, refer to 'NGX R65 What's New' document, under 'Firewall & SmartDefense', page 2).


"FW-1: Capacity problem detected"

"Connections table capacity has exceeded X%" (Console message)

"Connections table capacity has exceeded X%" (SmartView Tracker message)

These messages indicate that the Connections table capacity has increased beyond what was defined as the Aggressive Aging threshold.

For more details about Aggressive Aging, refer to 'NGX R65 What's New' document, under 'Firewall & SmartDefense', page 2.

"Main database file <(database file name)> is missing - cannot start fwm. If you wish to reset the DB please run 'cpdb new'." (Console message)

The appearance of this error message might indicate a corruption in $FWDIR/conf/objects_5_0.C. As a result, fwm will not start.

"State synchronization is in risk. Please examine your synchronization network to avoid further problems" (in /var/log/messages file)

This message may indicate that the sync network is overloaded. Overloading the sync network can cause traffic loss, unsynchronized kernel tables, and connectivity problems. For more information, refer to sk23695.



"fwlddist_adjust_buf: record too big for sync" (in /var/log/messages file and on the Console)

This message may indicate problems with the sync network. It can cause traffic loss, unsynchronized kernel tables, and connectivity problems. For more information, refer to sk35466.

"Cluster_info: (ClusterXL) member is down" (in SmartView Tracker)

This log message may indicate that the ClusterXL failed over. You can check the member's status and the failed device using the commands cphaprob stat, cphaprob list and cphaprob -a if. For more information regarding the usage of these commands, refer to CheckPoint NGX ClusterXL User Guide.pdf.

If this failover was not initiated on purpose, please contact Check Point Technical Support (as described above).

"Dead loop on virtual device sync, fix it urgently" (in dmesg file)

This message is a SecureXL notification on the outbound connection that may cause the gateway to lose sync traffic. For more information, refer to sk32765.



"FW-1: bpush: push block size error..." (Console message)

For more information, refer to sk32753 and sk59124.


"FW-1: fw_runfilter: illegal kfunc" (Console message)

This message may indicate system instability and should not be ignored.



"FW-1: fw_runfilter: stack overflow" (Console message)


This message may indicate that the number of rules in the firewall has exceeded its limit. If more rules are required, please contact Check Point Technical Support (as described above).

"FW-1: fw_runfilter: stack underflow" (Console message)

This message may indicate memory corruption problems detected by the system. System stability may be impacted.

"FW-1: fw_runfilter: wrong number of arguments..." (Console message)

This message may occur after an unsuccessful upgrade and could precede a system panic.

"FWD Error: Log(s) discarded due to unification process failure" (in SmartView Tracker)

A single "unified" log record is produced by the FireWall-1 kernel driver from a number of "basic" log records. If for some reason the building process (unification process) fails, there is a log discard followed by this error message.

This means that logs are discarded from the system and therefore will be lost.



"Database space check failed. There may not be enough disk space or it may have failed to obtain database capacity information" (in Eventia Reporter's $RTDIR/opt/CPrt-R65/log_consolidator_engine/log/lc_rt.log file).

This message means that the process is not communicating with the mysql process or there might be a problem identifying the disk. The logs will be consolidated once the problem is solved. Please check the disk capacity. Check Point also recommends checking disk sanity (for example, by using the check disk utilities).

"FW-1: panic <(x)>: " (Console message)

<(x)> represents the level of panic induced, and the text following it is the message associated in the code with this panic.

This error message indicates that fw_panic was called.

"FW-1: fw_kfree: memory already freed at 0x. caller is sz=" (Console message)

The value after 0x is the pointer, and the value after "caller is" is the name of the function where the error happened.

This error message indicates an attempt to free memory that has already been freed (a double free).

This is forbidden and might lead to a panic.

"FW-1: fw_kfree: wrong magic number at tail end of 0x (0x) caller is sz=" (Console message)

"FW-1: fw_kfree: wrong magic number at 0x. caller is sz=" (Console message)

The value after 0x is the pointer, and the value after "caller is" is the name of the function where the error happened.

These error messages might indicate an error in the way memory was handled (the guard bytes around the block were overwritten), which might lead to a panic.



"FW-1: hmem_init: unable to allocate the minimum <(x)>" (Console message)

<(x)> represents the minimum memory size that is needed.

This error message indicates that the firewall's memory management module is not loaded.



"FW-1: b_create: fw_kmalloc(x) failed" (Console message)

(x) represents the pointer.

This message may indicate an error in memory allocation for binary tables. System stability may be impacted.

"ex_init_timer: Failed to initialize timer" (Console message)

This message might indicate an error in the timer mechanism initialization. This may impact system infrastructures and cause inconsistent behavior.

"FW-1: b_create: fw_kmalloc(x) failed" (Console message)

This message might indicate a critical error in allocating a table. System stability may be impacted.

"FW-1: b_create: fw_kmalloc(x) failed" (Console message)

This message may indicate memory allocation problems. System stability may be impacted.

"fwconn_get_bits: invalid bit category: (x)" (Console message)

This error may indicate a critical error in reading the connections table. It may have a serious impact on connectivity.

"fwconn_set_bits: failed to get bit value for bit category (x)" (Console message)

This error may indicate a critical error in writing to the connections table. It may have a serious impact on connectivity.

"fwconn_chain_fill_bits: invalid bit category: (x)" (Console message)

This error might indicate a memory corruption.



"FW-1: : data connection "FWCONN6_FMT" already exists in connections table" (Console message)

This error might indicate synchronization problems between clusters.



"FW-1: : failed to get info from %s table" (Console message)

This error might indicate memory management problems.

"FW-1: : fwconn_chain_lookup failed" (Console message)

This error might indicate an inconsistency within the connection table. This may lead to connectivity problems.

"FW-1: illegal access to connections table" (Console message)

This error might indicate connectivity problems.



"FW-1: : Cannot change aggressive timeout without setting the timeout (timeout=, aggr_timeout=)" (Console message)

This error might indicate a program error that might cause Aggressive Aging not to work properly.

"Failed to build the objects schema while initializing database manager with error 0x% ('')" (Console message)

0x% represents the internal value of a pointer.

This message can indicate that there is a problem with the schema file that could prevent the fwm process from starting.

If fwm is not running, GUI clients may be unable to connect and policy installation may fail.

"fwhandle_get(vpn_tag.c:1275): Table kbufs - Invalid handle f5139a5c (bad pool)" (Console message)

This error message might indicate an error in the way memory was handled. It may cause RemoteAccess Connectivity issues.

"Policy install commit function was unsuccessful due to timeout" (Console message)

This error message appears during security policy installation. It indicates that policy installation on the gateway took longer than the allowed time. In this state there is no way to know whether the policy was successfully installed or not.

"Failed to get password for connection RT_Database, reason: Could not find path to database socket" (Console message)

This error means that the location of the mysql.sock file is missing. It will prevent the Eventia Reporter from connecting to the database. This problem can be fixed by doing the following:

1. Open the file $RTDIR/Database/conf/my.cnf and copy the directory that the "datadir" is referring to.

2. Run rmdstop (make sure that the database processes are down).

3. Run cd $RTDIR/Database/ .

4. Run the following command (paste the datadir value copied in step 1 between the quotes of --datadir):

bin/mysqld_safe --basedir="$RTDIR/Database" --ledir="$RTDIR/Database/bin" --datadir="" --socket="$RTDIR/Database/mysql.sock" --user=root --log-error=$RTDIR/Database/err.log &

If mysql is not starting up, check the file $RTDIR/Database/err.log for errors.

Note that mysqld_safe and my_print_defaults are not part of the installation. You can download them (in WinZip format) here:

* mysqld_safe
* my_print_defaults


vi editor shortcut key list



Modes
Vi has two modes: insertion mode and command mode. The editor begins in command mode, where cursor movement, text deletion and pasting occur. Insertion mode begins upon entering an insertion or change command. [ESC] returns the editor to command mode (where you can quit, for example by typing :q!). Most commands execute as soon as you type them, except for "colon" commands, which execute when you press the return key.



Quitting
:x Exit, saving changes
:q Exit as long as there have been no changes
ZZ Exit and save changes if any have been made
:q! Exit and ignore any changes



Inserting Text
i Insert before cursor
I Insert before line
a Append after cursor
A Append after line
o Open a new line after current line
O Open a new line before current line
r Replace one character
R Replace many characters



Motion
h Move left
j Move down
k Move up
l Move right
w Move to next word
W Move to next blank-delimited word
b Move to the beginning of the word
B Move to the beginning of blank-delimited word
e Move to the end of the word
E Move to the end of blank-delimited word
( Move a sentence back
) Move a sentence forward
{ Move a paragraph back
} Move a paragraph forward
0 Move to the beginning of the line
$ Move to the end of the line
1G Move to the first line of the file
G Move to the last line of the file
nG Move to nth line of the file
:n Move to nth line of the file
fc Move forward to c
Fc Move back to c
H Move to top of screen
M Move to middle of screen
L Move to bottom of screen
% Move to associated ( ), { }, [ ]



Deleting Text
Almost all deletion commands are performed by typing d followed by a motion. For example, dw deletes a word. A few other deletes are:
x Delete character to the right of cursor
X Delete character to the left of cursor
D Delete to the end of the line
dd Delete current line
:d Delete current line



Yanking Text
Like deletion, almost all yank commands are performed by typing y followed by a motion. For example, y$ yanks to the end of the line. Two other yank commands are:
yy Yank the current line
:y Yank the current line



Changing text
The change command is a deletion command that leaves the editor in insert mode. It is performed by typing c followed by a motion. For example, cw changes a word. A few other change commands are:
C Change to the end of the line
cc Change the whole line



Putting text
p Put after the position or after the line
P Put before the position or before the line



Buffers
Named buffers may be specified before any deletion, change, yank or put command. The general prefix has the form "c where c is any lowercase character. For example, "adw deletes a word into buffer a. It may thereafter be put back into the text with an appropriate "ap.



Markers
Named markers may be set on any line in a file. Any lower case letter may be a marker name. Markers may also be used as limits for ranges.
mc Set marker c on this line
`c Go to beginning of marker c line.
'c Go to first non-blank character of marker c line.



Search for strings
/string Search forward for string
?string Search back for string
n Search for next instance of string
N Search for previous instance of string



Replace
The search and replace function is accomplished with the :s command. It is commonly used in combination with ranges or the :g command (below).
:s/pattern/string/flags Replace pattern with string according to flags.
g Flag - Replace all occurrences of pattern
c Flag - Confirm replaces.
& Repeat last :s command



Regular Expressions
. (dot) Any single character except newline
* Zero or more occurrences of the preceding character or set (so .* matches any run of characters)
[...] Any single character specified in the set
[^...] Any single character not specified in the set
^ Anchor - beginning of the line
$ Anchor - end of line
\< Anchor - beginning of word
\> Anchor - end of word
\(...\) Grouping - usually used to group conditions
\n Contents of nth grouping

[...] - Set Examples
[A-Z] The SET from capital A to capital Z
[a-z] The SET from lowercase a to lowercase z
[0-9] The SET from 0 to 9 (all numerals)
[./=+] The SET containing . (dot), / (slash), =, and +
[-A-F] The SET from capital A to capital F and the dash (dashes must be specified first)
[0-9 A-Z] The SET containing all capital letters and digits and a space
[A-Z][a-zA-Z] In the first position, the SET from capital A to capital Z; in the second character position, the SET containing all letters

Regular Expression Examples
/Hello/ Matches if the line contains the value Hello
/^TEST$/ Matches if the line contains TEST by itself
/^[a-zA-Z]/ Matches if the line starts with any letter
/^[a-z].*/ Matches if the first character of the line is a-z and there is at least one more of any character following it
/2134$/ Matches if line ends with 2134
/\(21\|35\)/ Matches if the line contains 21 or 35
Note the use of \( \) with the escaped pipe symbol \| to specify the 'or' condition; this alternation is a vim extension, and a plain | inside the group matches a literal pipe character
/[0-9]*/ Matches if there are zero or more numbers in the line (i.e., every line)
/^[^#]/ Matches if the first character of the line is not a #
Notes:
1. Regular expressions are case sensitive
2. Regular expressions are to be used where pattern is specified



Counts
Nearly every command may be preceded by a number that specifies how many times it is to be performed. For example, 5dw will delete 5 words and 3fe will move the cursor forward to the 3rd occurrence of the letter e. Even insertions may be repeated conveniently with this method, say to insert the same line 100 times.



Ranges
Ranges may precede most "colon" commands and cause them to be executed on a line or lines. For example :3,7d would delete lines 3-7. Ranges are commonly combined with the :s command to perform a replacement on several lines, as with :.,$s/pattern/string/g to make a replacement from the current line to the end of the file.
:n,m Range - Lines n-m
:. Range - Current line
:$ Range - Last line
:'c Range - Marker c
:% Range - All lines in file
:g/pattern/ Range - All lines that contain pattern



Files
:w file Write to file
:r file Read file in after line
:n Go to next file
:p Go to previous file
:e file Edit file
!!program Replace line with output from program



Other
~ Toggle upper and lower case
J Join lines
. Repeat last text-changing command
u Undo last change
U Undo all changes to line

SecurePlatform: The netstat Command

netstat is a useful tool for checking your network configuration and activity. It is in fact a collection of several tools lumped together. We discuss each of its functions in the following sections.

Displaying the Routing Table

When you invoke netstat with the -r flag, it displays the kernel routing table in the same way as the route command. On vstout, it produces:

# netstat -nr

Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
127.0.0.1 * 255.255.255.255 UH 0 0 0 lo
172.16.1.0 * 255.255.255.0 U 0 0 0 eth0
172.16.2.0 172.16.1.1 255.255.255.0 UG 0 0 0 eth0

The -n option makes netstat print addresses as dotted-quad IP numbers rather than the symbolic host and network names. This option is especially useful when you want to avoid address lookups over the network (e.g., to a DNS or NIS server).

The second column of netstat's output shows the gateway to which the routing entry points. If no gateway is used, an asterisk is printed instead. The third column shows the "generality" of the route, i.e., the network mask for this route. When given an IP address to find a suitable route for, the kernel steps through each of the routing table entries, taking the bitwise AND of the address and the genmask before comparing it to the target of the route.

The fourth column displays the following flags that describe the route:

G

The route uses a gateway.

U

The interface to be used is up.

H

Only a single host can be reached through the route. For example, this is the case for the loopback entry 127.0.0.1.

D

This route is dynamically created. It is set if the table entry has been generated by a routing daemon like gated or by an ICMP redirect message (see Section 2.5 in Chapter 2).

M

This route is set if the table entry was modified by an ICMP redirect message.

!

The route is a reject route and datagrams will be dropped.

The next three columns show the MSS, Window and irtt that will be applied to TCP connections established via this route. The MSS is the Maximum Segment Size and is the size of the largest datagram the kernel will construct for transmission via this route. The Window is the maximum amount of data the system will accept in a single burst from a remote host. The acronym irtt stands for "initial round trip time." The TCP protocol ensures that data is reliably delivered between hosts by retransmitting a datagram if it has been lost. The TCP protocol keeps a running count of how long it takes for a datagram to be delivered to the remote end and an acknowledgement to be received, so that it knows how long to wait before assuming a datagram needs to be retransmitted; this measure is called the round-trip time. The initial round-trip time is the value that the TCP protocol will use when a connection is first established. For most network types, the default value is okay, but for some slow networks, notably certain types of amateur packet radio networks, the time is too short and causes unnecessary retransmission. The irtt value can be set using the route command. Values of zero in these fields mean that the default is being used.

Finally, the last field displays the network interface that this route will use.
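To make the lookup described above concrete, here is an added example (not from the original page) that steps through a routing table in netstat -nr layout, ANDs the address with each Genmask and compares the result to Destination. It goes one step beyond the text by preferring the most specific match (largest mask) when several entries match, which is why the constructed table below also carries a default route that the page's table does not have.

```shell
#!/bin/sh
# Added example, not from the original page: emulate the kernel's route
# selection over a `netstat -nr` style table. For each entry, (addr AND Genmask)
# is compared with Destination; among matches the largest mask wins.
# The table is constructed: the three routes shown above plus a default route.
ROUTES_SAMPLE='Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
127.0.0.1 * 255.255.255.255 UH 0 0 0 lo
172.16.1.0 * 255.255.255.0 U 0 0 0 eth0
172.16.2.0 172.16.1.1 255.255.255.0 UG 0 0 0 eth0
0.0.0.0 172.16.1.254 0.0.0.0 UG 0 0 0 eth0'

# route_for ADDR TABLE: print "gateway iface" of the best route, or "unreachable"
route_for() {
    printf '%s\n' "$2" | awk -v addr="$1" '
    # dotted quad -> 32-bit number
    function ip2int(s,  o) { split(s, o, "."); return ((o[1]*256+o[2])*256+o[3])*256+o[4] }
    # bitwise AND done bit by bit, since POSIX awk has no and() builtin
    function band(a, b,  r, bit, i) {
        r = 0; bit = 1
        for (i = 0; i < 32; i++) {
            if ((a % 2) && (b % 2)) r += bit
            a = int(a / 2); b = int(b / 2); bit *= 2
        }
        return r
    }
    BEGIN { a = ip2int(addr); bestmask = -1 }
    NR > 2 {                      # skip the two header lines
        m = ip2int($3)
        if (band(a, m) == ip2int($1) && m > bestmask) { bestmask = m; gw = $2; dev = $8 }
    }
    END { if (bestmask < 0) print "unreachable"; else print gw, dev }'
}

# Live usage on the box (hypothetical): route_for 172.16.2.7 "$(netstat -nr)"
```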

Displaying Interface Statistics

When invoked with the -i flag, netstat displays statistics for the network interfaces currently configured. If the -a option is also given, it prints all interfaces present in the kernel, not only those that are currently configured. On vstout, the output from netstat will look like this:

# netstat -i
Kernel Interface table
Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flags
lo 0 0 3185 0 0 0 3185 0 0 0 BLRU
eth0 1500 0 972633 17 20 120 628711 217 0 0 BRU

The MTU and Met fields show the current MTU and metric values for that interface. The RX and TX columns show how many packets have been received or transmitted error-free (RX-OK/TX-OK) or damaged (RX-ERR/TX-ERR); how many were dropped (RX-DRP/TX-DRP); and how many were lost because of an overrun (RX-OVR/TX-OVR).

The last column shows the flags that have been set for this interface. These characters are one-character versions of the long flag names that are printed when you display the interface configuration with ifconfig:

B

A broadcast address has been set.

L

This interface is a loopback device.

M

All packets are received (promiscuous mode).

O

ARP is turned off for this interface.

P

This is a point-to-point connection.

R

Interface is running.

U

Interface is up.

Displaying Connections

netstat supports a set of options to display active or passive sockets. The options -t, -u, -w, and -x show active TCP, UDP, RAW, or Unix socket connections. If you provide the -a flag in addition, sockets that are waiting for a connection (i.e., listening) are displayed as well. This display gives you a list of all servers that are currently running on your system.

Invoking netstat -ta on vlager produces this output:

$ netstat -ta
Active Internet Connections
Proto Recv-Q Send-Q Local Address Foreign Address (State)
tcp 0 0 *:domain *:* LISTEN
tcp 0 0 *:time *:* LISTEN
tcp 0 0 *:smtp *:* LISTEN
tcp 0 0 vlager:smtp vstout:1040 ESTABLISHED
tcp 0 0 *:telnet *:* LISTEN
tcp 0 0 localhost:1046 vbardolino:telnet ESTABLISHED
tcp 0 0 *:chargen *:* LISTEN
tcp 0 0 *:daytime *:* LISTEN
tcp 0 0 *:discard *:* LISTEN
tcp 0 0 *:echo *:* LISTEN
tcp 0 0 *:shell *:* LISTEN
tcp 0 0 *:login *:* LISTEN

This output shows most servers simply waiting for an incoming connection. However, the fourth line shows an incoming SMTP connection from vstout, and the sixth line tells you there is an outgoing telnet connection to vbardolino.

Using the –a flag by itself will display all sockets from all families.