Monthly Archives: May 2012

Part 1 – Identity Awareness and AD Integration

This is a two-part series on integrating Identity Awareness (IA) and Application Control with Active Directory (AD).

Lately I’ve become an IA “expert” (insert smiley). Well, I exaggerate, but I wanted to share some of the things I learned while integrating App Control into a large AD forest.

The first step is integrating IA. IA is used for two things: authentication for access control by the gateways, and identity translation by the logging server. IA keeps track of which users are on which IP address. This is done by SmartCenter and the gateways registering with AD via WMI to get notified when people log in. NOTE: more specifically, the gateways have to register with EACH domain controller at EACH site throughout the forest!!! Not just the top domain. The domain controllers keep track of logins/logouts, not the top-level domain or the top global catalog.

The first thing is you need an AD expert to translate all the DC, OU, CN stuff. I am not it. What I learned is that if you have AD subdomains, your paths will be:

DC=sub,DC=domain,DC=top  Example: DC=sales,DC=acme,DC=corp or sales.acme.corp

But if you have a site, your path will use an OU:

OU=sub,DC=domain,DC=top  Example: OU=sales,DC=acme,DC=corp

Sites are easier to manage because permissions are all set at the top and not on each individual domain controller at all the sites.

Once you have this info you are ready to start. Go to the Servers/OPSEC tab to create LDAP account units, or to the Users tab to edit the units (right-click).

On the first page you have to specify which domain you will be querying. NOTE: if it’s a site, use the top-level domain; if it’s a subdomain, enter the subdomain.

I like to make the permissions read-only; that way no one can blame the firewall for screwing up AD.

I like to use wbemtest.exe in Win7 to verify DC credentials on a DC-by-DC basis.
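Since SmartDashboard does not check the DC credentials for you and every DC at every site needs to be reachable, here is a small pre-flight script (an added example, not code from the original post or from Check Point) that builds the base DNs in the two layouts described above and checks each DC for TCP reachability before you start typing credentials in. The DC inventory, addresses and timeouts are constructed sample values; port 389 is LDAP, and port 135 is assumed here to be the DCE-RPC endpoint mapper that the WMI registration starts on.

```python
"""Added example (not from the original post): build the LDAP base DNs
described above from DNS names, and check each domain controller for
TCP reachability before typing credentials into SmartDashboard.

Assumptions (not from the post): the DC list, ports and timeout values are
constructed sample input; port 389 is LDAP, port 135 is the DCE-RPC
endpoint mapper that a WMI registration starts with.
"""
import socket
from dataclasses import dataclass


def domain_to_base_dn(dns_name: str) -> str:
    """'sales.acme.corp' -> 'DC=sales,DC=acme,DC=corp' (subdomain layout)."""
    labels = [p for p in dns_name.strip(".").split(".") if p]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"DC={label}" for label in labels)


def site_ou_dn(site: str, dns_name: str) -> str:
    """Site layout from the post: 'OU=<site>,' prefixed to the top-level domain DN."""
    return f"OU={site},{domain_to_base_dn(dns_name)}"


def check_tcp_port(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, or timed out
        return False


@dataclass
class DomainController:
    name: str
    address: str
    site: str


# Constructed sample inventory (documentation addresses, not real hosts).
SAMPLE_DCS = [
    DomainController("dc1", "192.0.2.10", "sales"),
    DomainController("dc2", "192.0.2.11", "sales"),
]

LDAP_PORT = 389
RPC_EPM_PORT = 135  # assumption: WMI/DCOM begins on the endpoint mapper


def survey(dcs, ports=(LDAP_PORT, RPC_EPM_PORT), timeout=2.0):
    """Return {dc_name: {port: reachable}} for every DC in the inventory."""
    return {dc.name: {p: check_tcp_port(dc.address, p, timeout) for p in ports}
            for dc in dcs}


def local_listener_selftest() -> bool:
    """Open a throwaway listener on 127.0.0.1 and confirm check_tcp_port sees it."""
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        return check_tcp_port("127.0.0.1", port, timeout=1.0)


if __name__ == "__main__":
    print(domain_to_base_dn("sales.acme.corp"))
    print(site_ou_dn("sales", "acme.corp"))
    for name, result in survey(SAMPLE_DCS, timeout=0.5).items():
        print(name, result)
```

Run it from a box that sits where the gateway does (same interfaces, same firewall path), otherwise a green result says nothing about what the gateway will see; a DC that fails the 389 check here is the one you go hunting for in the firewall logs before touching the Account Unit.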

Also add the Account Unit into the gateway’s IA configuration. See the picture below

Phase 2: Testing

So assuming you got all that working, the first test is going into the Users tab and double-clicking on an LDAP object to see if it retrieves AD information.

For a sanity check you can tcpdump port 389 on SmartCenter to verify the query actually went out (sometimes it hangs). If this works, then theoretically you are an LDAP expert.

For extra points, remember these commands.

SmartCenter/Log Servers use LDAP to map login names to user names for the logs. The gateways use a similar command, but for credentials and authentication. This is important for the next commands:

adlog l dc – “l” is for the log server and lists connectivity to the DCs for the Log Servers
adlog a dc – “a” is for authentication and lists connectivity to the DCs for the gateways

adlog is the process and database for the IP-to-user mapping. You can see traffic come from the DCs to the gateway and Log Server on port 1026, the AD port. Make sure you are on the ACTIVE cluster member (or, on a load-balanced cluster, probably the non-pivot) to get the latest results. Watch the last column for increasing event counts. These are events that the DCs report back to SmartLog and the gateways. This shows that the DCs are talking to the gateways and logging servers.

adlog a query all
adlog l query all

will dump the adlog database of user->IP.

Make sure all have connectivity. If they don’t, then you screwed up your credentials or DNs, or firewalls are blocking ports to the DCs. cpstop;cpstart works miracles too. Make sure your AD account is not getting locked out by looking in the AD security logs.
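“Watch the last column for increasing event counts” is easier to do by machine than by eye when you have a forest full of DCs. The script below is an added example (not code from the original post or from Check Point): it parses two snapshots of the DC connectivity table taken a minute or so apart and flags every DC that is either not connected or connected but not delivering any new events. The snapshots are constructed sample text in an assumed whitespace-separated layout (DC name, IP, connectivity, event count); the real adlog output may lay its columns out differently, so adjust the ROW regex to what your version prints.

```python
"""Added example (not part of the original post): compare two snapshots of
'adlog a dc' (or 'adlog l dc') and flag DCs that are not connected or whose
event counter did not move between the snapshots.

Assumption: the snapshots below are constructed sample text in a
whitespace-separated layout (DC, IP, connectivity, event count). Real adlog
output may differ in layout; adapt the ROW regex accordingly.
"""
import re

# Constructed sample: first snapshot.
SNAPSHOT_T0 = """\
DC                IP            Connectivity    Events
dc1.sales.acme    192.0.2.10    connected       1532
dc2.sales.acme    192.0.2.11    connected       877
dc3.eng.acme      192.0.2.20    not connected   0
"""

# Constructed sample: second snapshot, about a minute later.
SNAPSHOT_T1 = """\
DC                IP            Connectivity    Events
dc1.sales.acme    192.0.2.10    connected       1604
dc2.sales.acme    192.0.2.11    connected       877
dc3.eng.acme      192.0.2.20    not connected   0
"""

# One data row: name, address, status word(s), trailing integer event count.
ROW = re.compile(
    r"^(?P<dc>\S+)\s+(?P<ip>\S+)\s+(?P<status>connected|not connected)\s+(?P<events>\d+)\s*$"
)


def parse_dc_table(text):
    """Return {dc_name: {"ip", "connected", "events"}} for every parsable row."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows[m["dc"]] = {
                "ip": m["ip"],
                "connected": m["status"] == "connected",
                "events": int(m["events"]),
            }
    return rows


def compare_snapshots(before_text, after_text):
    """Per DC: connectivity, event delta, and a verdict in the post's terms."""
    before, after = parse_dc_table(before_text), parse_dc_table(after_text)
    report = {}
    for dc, now in after.items():
        prev = before.get(dc, {"events": 0, "connected": False})
        delta = now["events"] - prev["events"]
        if not now["connected"]:
            verdict = "NOT CONNECTED: check credentials, DN, firewall ports to the DC"
        elif delta <= 0:
            verdict = "STALE: connected but no new events (wrong cluster member, or DC not reporting)"
        else:
            verdict = "OK"
        report[dc] = {"connected": now["connected"], "delta": delta, "verdict": verdict}
    return report


def all_healthy(report):
    """True only when every DC is connected and its counter moved."""
    return all(r["verdict"] == "OK" for r in report.values())


if __name__ == "__main__":
    for dc, r in compare_snapshots(SNAPSHOT_T0, SNAPSHOT_T1).items():
        print(f"{dc:18} {r['delta']:>6}  {r['verdict']}")
```

Capture the real snapshots on the active member with something like “adlog a dc > /tmp/t0.txt”, wait, capture again, and feed both files in; a DC that is connected but stale on a quiet site is normal, a stale DC on a busy site usually means the account is locked out or you are looking at the wrong cluster member.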

If that works, then on the GATEWAYS you use these commands:

      (WARNING: Insert grains of salt, I only get about 75% of the following. TBD work in progress)

pdp is the process that monitors user activity and keeps track of recent events coming from AD where credentials are required: file mapping is probably the most common, then logins and some logouts (if someone formally logs out).

pdp monitor all

<insert picture>

This will dump all the users/machines and all the activity records associated with them. I usually pipe it through grep looking for user information: ‘pdp monitor all | fgrep -i endrizzi’

pep is the process that enforces security decisions based on user credentials. These processes can sync with each other across a network of firewalls participating in an AD Identity Awareness forest. There are optimizations where firewalls share pep information and don’t have to get it from the DCs and flood WAN links.


pep show all (fix this)

<show dump>

Dumps user records showing which users are being used to enforce security decisions.


1) Fetch Branches will NOT verify credentials and will reset the DN string.
2) Hung LDAP queries: you can enumerate the LDAP tree, but port 389 will have NO traffic and the query will hang. Suggest cpstop;cpstart.
3) LDAP queries not all working, some DCs responding with no records: suggest cpstop;cpstart, worked for me.
4) Firewalls lose credential info – make sure you put a username into the blocked pages in the active portal. If these start coming up blank you know that the firewalls are losing credential info.
5) NOTE: SmartDashboard does NOT verify LDAP account unit credentials for domain controllers!!! Make sure you get the right credentials. Check your AD security event log to make sure the LDAP account is not getting locked out. WARNING: you will get weird random rippled login failures that are a pain to track down. Sometimes it works, other times all the DCs are locked out. It has to do with the AD lockout and the delay in DC replication.

Make sure:
1) Make sure you use domain\user to log in.
2) Make sure your LDAP account user has enterprise privs to make life easy; otherwise I’m not sure what will happen in real life.
3) Make sure you enable “Assume that only one user is connected per computer”; otherwise multiple users will be associated with an IP and the permissions accumulate. This is a good SK:

The iPhone of the SEI (Security Event Integration) Market – SmartLog

I now know that I have to be a total geek and will never make it in sales. IPS, DLP, NAC, AV, app control, URL filtering get all the glamour. More gadgets to build a security empire. But logging….boring.

Until Now!!

Oh my gawd, SmartLog is the iPhone of the SEI market. SmartLog will take logs from your whole environment (including syslog) and provide one Google-like view with Google-like scalability into real-time events in your environment. Dump your bloated, overpriced RSA enVisions, ArcSights, etc. and go to your local Check Point retail store and pick up SmartLog for free! Imagine putting Google on top of SmartTracker and you have a screaming event integration and correlation tool.

Why does this give me such a Viagra techie buzz? Because for the first time in my life the damn tool is integrated with the rest of the management environment. It’s like 6th graders being able to fly Air Force drones. The controls are all the same, all integrated into a single environment. It took me days to figure out RSA enVision and another couple of days for the damn queries to complete, they were so slow. If you can search Google you can search SmartLog. One person can run the whole environment, not a team of silo’d individuals working on specific products. You get a single vision into your environment and not 10 reports from 10 different tools.

Unified Centralized Management – once again Check Point hits it out of the park with their strength, Unified Centralized Management. Lower costs to train, maintain, upgrade, etc. Higher availability, because fewer people are required to debug the environment when they are using a single tool. Scalability – it scales like Google.


So here are some of the hints when setting up the environment that I can share with you:

  • Separate system with lots of memory. This baby eats memory like chocolate. Go crazy: 64 gig is a nice round number.
  • Big disks, 1 TB or more. You will store your logs side by side with the SmartLog indexes. SmartLog increases disk usage by 70%.
  • Might as well install SmartEvent and Reporter on the same box as your Log Server and SmartLog. They all work off your local log server.
  • NOTE: SmartLog will be installed wherever you install a log server. You just have to enable it in SmartDashboard to turn on the indexing: SmartDashboard->Logs->SmartLog
  • Direct your firewalls to log to the log server where SmartLog is residing.
  • The SmartConsole SmartLog client needs .NET 3.5 SP1. It has to be installed separately.
  • Indexes for the logs are stored in $SMARTLOGDIR/data/Index*

I’ll update as I learn more about how to best integrate into MDM.

I’m in techie wonder land!!



MDM Architecture – Part Tre III

Yesterday while jogging I was listening to RadioLab on Gödel’s incompleteness theorem and the Barber Theorem. Basically: what is the basis of all math, numbers or sets? Answer: basically there is no answer.

Same with MDS’s. What is the basis of MDS’s? While Gödel might say there is no answer, it doesn’t prevent me from taking a whack at it.

The answer is: Objects.

Done deal. That wasn’t so hard. Am I the next Godel now?

For those of you who haven’t arrived at this conclusion I guess I’ll drool on for a bit.

Let’s look at what we have in an MDM system:

  • Objects: used to create policies
  • Policies: use objects to make rules
  • Firewalls: enforce rules on security zones
  • SmartCenters: Hold local policy and objects and apply to firewalls
  • MDSs: Hold global policy and objects and apply to SmartCenters

Do you see a pattern? Nice little hierarchy huh?

Who cares?

Well, if you are a large enterprise and you are hitting the 250 limit on MDS’s, how are you going to organize/group your MDM architecture?


  1. Determine your security zones (refer to my MDM Part II).
  2. Find a common set of zones that share a huge swath of OBJECTS.
  3. Group those zones into a Domain/SmartCenter and develop policies from those common OBJECTS. A common rule of thumb is 10-15 policies per Domain/SmartCenter. Make sure you use the APPLYTO field so that the policies get loaded onto the right firewall(s).
  4. MDS Prime Directive: NEVER use global objects in local rules. So in a similar vein, build MDSs around groups of global objects. For example: if you are international and you have an MDS for each country or region (North America), then build global objects for your SNMP manager: g_NA_snmp_mgr.
  5. Build global policies from those global objects.
  6. Apply those global policies to a group of Domains. How big a group? Currently an MDS starts creaking at 100 Domains but can hold up to 250.

The above process was built with the known limitations of MDS in mind:

  • MDS Prime directive
  • Can’t delete global objects used in local rules
  • MDS limit of 250 domains, avg of 100 domains
  • SmartCenter’s human administrative support limit of 10-15 policies
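The limits above are the kind of thing that drift silently as people add domains and rules, so they are worth linting rather than remembering. The script below is an added example (not code from the original post or from Check Point): given an inventory of MDS -> Domain -> policy -> objects referenced in local rules, it reports global objects used in local rules (using the post’s g_ naming convention, as in g_NA_snmp_mgr), Domains over the 10-15 policy rule of thumb, and MDSs past the 100 (creaking) and 250 (hard) Domain counts. The inventory layout and the sample data are constructed for the example; they are not a Check Point export format.

```python
"""Added example (not from the original post): lint an MDM inventory against
the limits listed in the post: global objects (g_* naming, as in the post's
g_NA_snmp_mgr) never used in local rules, no more than 15 policies per
Domain, and an MDS that creaks past 100 Domains and stops at 250.

Assumption: the inventory shape (MDS -> Domain -> policy -> object names
referenced by the policy's local rules) and the sample below are constructed
for this example; they are not an export format of Check Point's.
"""
GLOBAL_PREFIX = "g_"           # naming convention for global objects (from the post)
MAX_POLICIES_PER_DOMAIN = 15   # SmartCenter administrative comfort limit (from the post)
SOFT_DOMAINS_PER_MDS = 100     # where the post says an MDS starts creaking
HARD_DOMAINS_PER_MDS = 250     # ceiling from the post

# Constructed sample inventory with two deliberate problems.
SAMPLE_INVENTORY = {
    "mds-na": {
        "sales-na": {
            "sales-dmz": ["web_srv_grp", "g_NA_snmp_mgr"],   # global object in a local rule
            "sales-core": ["crm_db", "sales_users"],
        },
        "eng-na": {f"eng-pol-{i}": ["build_net"] for i in range(16)},  # 16 policies
    },
}


def is_global_object(name: str) -> bool:
    """Global objects are recognised by their g_ prefix."""
    return name.startswith(GLOBAL_PREFIX)


def lint_inventory(inventory):
    """Return a list of human-readable findings, empty when the inventory is clean."""
    findings = []
    for mds, domains in inventory.items():
        n = len(domains)
        if n > HARD_DOMAINS_PER_MDS:
            findings.append(f"{mds}: {n} domains exceeds the 250 limit")
        elif n > SOFT_DOMAINS_PER_MDS:
            findings.append(f"{mds}: {n} domains, expect the MDS to creak past 100")
        for domain, policies in domains.items():
            if len(policies) > MAX_POLICIES_PER_DOMAIN:
                findings.append(
                    f"{mds}/{domain}: {len(policies)} policies, rule of thumb is 10-15"
                )
            for policy, objects in policies.items():
                for obj in objects:
                    if is_global_object(obj):
                        findings.append(
                            f"{mds}/{domain}/{policy}: global object {obj} used in a local rule"
                        )
    return findings


def is_clean(inventory) -> bool:
    return not lint_inventory(inventory)


if __name__ == "__main__":
    for finding in lint_inventory(SAMPLE_INVENTORY):
        print(finding)
```

The global-object check is the one that pays for itself: a global object referenced from a local rule cannot be deleted later, so catching it at review time is far cheaper than discovering it during a global policy cleanup.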

If these physical limits change with the advance of GAIA, I may revise the above process.

Well, time for a jog and more RadioLab. Maybe it will inspire my next MDM Nobel prize.

Later MDM geeks,


H323 INSPECT is broken

So I recently had the lovely experience of dealing with H323. H323 is admittedly an ugly protocol, but it’s been around for years. I assumed CP had it figured out…WRONG.

Basically you have to turn off the INSPECT script for H323 and let it go through natively.

1) Sniff the net for the ports in use. I used these:

TCP: 1718-1721
TCP: 2253-2263
UDP: 1718-1721, 2253-2263, 49152-49239, 61750-61790

2) Create a service for each of the above.
3) In the service, go to Advanced.
4) Protocol Type -> None (turns off INSPECT).
5) If H323 hits on an ANY service rule, then disable “Match on any”.
6) Create a specific rule with the src/dst of all the VC servers and add these services.

7) Make sure you create a rule for each direction. So, two rules:
   1) ANY          323Servers   323Services   #request packets
   2) 323Servers   ANY          323Services   #reply packets

This creates a basic packet filter (allowing return packets).
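To see what that two-rule packet filter actually admits, here is an added example (not code from the original post or from Check Point) that models the service ranges and both rules and evaluates a few constructed packets against them, including one on a port the capture missed. The port ranges are the ones listed above; the server addresses, packets, first-match semantics and implicit drop are constructed for the example and are not Check Point’s own rule-matching model.

```python
"""Added example (not from the original post): model the two-rule H323
packet filter described above and check constructed packets against it,
so you can see which sniffed ports a rule set actually covers before cutover.

Assumptions: the port ranges are the ones listed in the post; the server
addresses, packets and matching semantics (first match wins, implicit drop)
are constructed for this example, not Check Point's own model.
"""
from dataclasses import dataclass

# Ports observed in the post's capture, per protocol, as inclusive ranges.
H323_SERVICES = {
    "tcp": [(1718, 1721), (2253, 2263)],
    "udp": [(1718, 1721), (2253, 2263), (49152, 49239), (61750, 61790)],
}

VC_SERVERS = {"192.0.2.50", "192.0.2.51"}  # constructed "323Servers" group
ANY = None                                  # wildcard source/destination


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def in_services(proto: str, port: int, services=H323_SERVICES) -> bool:
    """True if (proto, port) falls inside one of the 323Services ranges."""
    return any(lo <= port <= hi for lo, hi in services.get(proto, []))


# (rule name, source group, destination group); None means ANY.
# One rule per direction, exactly as the post's step 7.
RULES = [
    ("request", ANY, VC_SERVERS),
    ("reply", VC_SERVERS, ANY),
]


def match_rule(pkt: Packet, rules=RULES):
    """Name of the first rule that accepts the packet, or None (implicit drop)."""
    if not in_services(pkt.proto, pkt.dport):
        return None
    for name, src, dst in rules:
        if (src is ANY or pkt.src in src) and (dst is ANY or pkt.dst in dst):
            return name
    return None


def uncovered_ports(observed, services=H323_SERVICES):
    """Sniffed (proto, port) pairs no service range covers: these get dropped."""
    return sorted(p for p in observed if not in_services(p[0], p[1], services))


if __name__ == "__main__":
    samples = [
        Packet("198.51.100.7", "192.0.2.50", "tcp", 1720),   # call setup to a VC server
        Packet("192.0.2.50", "198.51.100.7", "udp", 49200),  # media back to the endpoint
        Packet("198.51.100.7", "198.51.100.8", "udp", 49200),  # endpoint to endpoint
        Packet("198.51.100.7", "192.0.2.50", "udp", 50000),  # port outside the capture
    ]
    for p in samples:
        print(p, "->", match_rule(p) or "DROP")
```

The third and fourth packets are the ones that bite in practice: direct endpoint-to-endpoint media matches neither rule because neither side is in 323Servers, and a dynamic port outside the ranges you sniffed is dropped no matter who sends it. Feed uncovered_ports the (proto, port) pairs from a fresh capture after each firmware change on the phones.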

Make sure you test this with failover. Some phones don’t like gratuitous arps if they are on directly connected VLANs.

I just saved you 2 days of hunting.

Support center should have this one wired but they don’t.


Performance Boosts

I learned this at CPX.

So you have one gateway that is a total dog, and you are looking at GAIA and that sleek 64-bit kernel handling 50 gajillion megawatts of power. Drool, drool, drool.

But now you have to upgrade. Oh geez, now I have to upgrade my management. Oh geez, new OS, so now I have to train people. UGH!!!! And then it blows up on the launch pad. Oh Oh.

Here are some tips from the backroom.

1) Look at your high-performance, INSPECT-intensive traffic: HTTP? H323? Well, every time that packet hits an “ANY” service, the kernel goes through the WHOLE list of INSPECT services to see if it should INSPECT it to death. This takes time, memory, etc.

Instead, create a special rule for that service AND, on the “advanced service” tab, remove it from the “Remove from Any” rule.

Whaaala: Our client went from 1G/sec throughput to 9.5G/sec throughput

2) NOTE: Global Properties -> Stateful Inspection -> Timeouts: crank these down to create more space in the connection table. Note that the specific SERVICE timeouts override the Global Properties ones.

Whaaaalaaa: You can put off GAIA a couple more days.

