Monthly Archives: October 2013

Duplicate Services – Which one gets used?

I was playing with the Match_Any on duplicate services just to see what gets hit when. I was debugging a H323 problem.

So when I created a second Port 80 HTTP with NO Inspect handler and left it checked as Match Any (I did have it checked)matchanychecked

In this rulebase

rule base w two port 80

I got this error

verify error

But when I unchecked it (like you see above) I was able to install and browse with it.

SO what service did it use for browsing? The standard HTTP or the Generic?

What happens if I telnet to port 80 and type in junk??

10-25-2013 5-37-58 PM

They both use the Standard HTTP. Interesting Huh??

OK, get ready to see something even cooler!

Swap the services in the rulebase

swaporder

What do you think will happen????

swapresults

Pretty neat?? The INSPECT handlers do not get invoked even though the header was a HTTP GET command.

Who Cares?So the service logic is pretty dumb and if you have a couple conflicting services in some

huge buried service groups, then you better know which one gets hit first.

So lets look at the ANY rule.

I fix up the rulebase and make both services “Match Any”

fulebase

Look what happens. This is good.

confg

Try it anyways and OK the standard one gets hit.

conflic

So I take OFF the “Match Any” from the Generic HTTP. It all installs fine and see what we get.

resultsOK

Which seems OK. It favors the INSPECT script. Not sure what the INSPECT is doing if it allows Telnet of garbage, but that’s the deal McNeal – beggars can’t be choosers.

Summary:

1) If there are conflicting ports in a rule, the first one found will be used. So if you have huge groups of services make sure there are not any conflicts OR make sure you know which one will be hit first.

2) The “Match For Any” flag is used to put a services into the “Any” group. Note that the bigger this “Any” group is, the slower the rulebase will be so use it judiciously.  If there are conflicts in the “Any” group, then the INSPECT enabled service seems to be favored (but I can’t verify that).

3) Services like H323 are weird because (IMHO) CP’s implementation is flawed (see my previous blog). So if you create new generic services make sure you call them out explicitly in the rule and don’t rely upon the “Any” rule to catch packets that drop from your rule because you will hit the INSPECT H323 rule and not the Generic rule.

Advertisements

CoreXL – VSX implementation

This is kinda hacked but work in progress as I get more info.

I am comparing CoreXL in R75.40VS of a VS standalone gateway (VPG) to a VSX gateway. Look at this.

The VS standalone gateway is configured for 4 CPUS. I then used cpconfig to enable CoreXL for 4 firewall instances. Check out the process list. OK this is cool. I setup 4 fw instances and got 4 worker threads.

10-24-2013 9-09-38 PM

Now with a VSX gateway, I setup in VS0 corexl for 4 firewall instances:

VSX with 4 firewall isntances

NOW check out the process list. Notice the ‘worker’ thing goes away and the VS0 process gets a ‘-i 4’ for the number of firewall instances inside that process?

VSX corexl process list

The other VS1 is a switch and you can’t change the instances. But VS2 I want to change:.. but you have to do it in SmartDashboard.

VSX VS above 0 configure in Dashboard

smartdashboard config

Wonder what happens when I change it??

You guessed it!!! Changes the ‘-i 2’ to reflect the SmartDashboard config

vsx-vs2-corexl-config

Who Cares???

So this is my guess. On Standalone you map real processes to real cores. IN VSX gateway, Each VS gets a process “fwk” and internally they do internal process threading to simulate CoreXL based on the “-i” parameter.

Fact or Fiction?? Sure wish the documentation would talk about this stuff!!! In fact the documentation calls it all “firewall instance” no matter if its a VS standalone process, VSX gateway process, VS process, VS internal thread.. Tomato Tomaaaato.

Why do I care??? Because what do I map to a CPU. The OS process? or the Process Thread?? They are all instances???

…..Ongoing……

So let’s take it a bit further…

I want to make one of the 2 instances from VS2 to a specific core??? Can I do that? Does it make sense??

VS instance to core

Well I guess I can!!! So does that mean that an additional process got generated???

NO! Same process list as before.

SameOlProcessList

So what can I say….Not sure. Is it still an internal thread? You can’t assign an internal thread to a CPU that I know about.

Still a mystery but a very interesting one!

dreez

610000000000 appliance

 

I just saw this for the new 61000 appliance

http://www.checkpoint.com/products/61000-appliances/index.html

http://dl3.checkpoint.com/paid/77/CP_R75.40VS_61000_Security_System_Admin_Guide.pdf?HashKey=1382581795_feb21a171931b7fba729f7d80bcca412&xtn=.pdf

Manual is pretty poor. I was trying to understand how this is different than any other platform.  Looks like they are trying to do a ESX or Xen type VSX implementation.  So the host is like ESX and NOT GAIA with all these special ASG commands.  Then you run VSX as guests on top of it. But you still are in Unix and can see the file system.   Just guessing.

Anyone had any experience?

dreez

 

 

 

 

SSH to gateway cluster hangs – Finally fixed!

Oh this is most bizarre.

All my CheckPoint life I noticed that when you ssh to the standby member it will hang for 30 seconds.  I actually figured out long ago that it was a DNS problem. Member B was sending reverse DNS queries and the DNS request was getting translated to the cluster IP address. When the response came back, the active member (NOT the standby mem ber )was dropping the response because the standby sent it out not the active.

I’ve been tooo lazy to fix every firewall with a NAT rule. But someone showed me this cool but bizarre trick.

  1. In your cluster configuration for clusterXL, select VRRP instead of clusterXL.
  2. Uncheck/Clear the Hide Cluster members outgoing ……..
  3. Set VRRP BACK!!! to clusterXL
  4. Push policy

 

DNS hide behind cluster IP

 

Waaaaalllaaaa! DNS and ssh now works.

Just sniff DNS traffic on both members to verify. NOTE: the tcpdump is wrong on the source IP going OUT but the replies make sense.

Cool huh??

Make sure this doesn’t screw with your OSPF/routed or other gateway initiated traffic because remember all gateway initiated traffic is now from the member IP and not the cluster IP.

NAT away!!!!!

dreez

 

MDS Global Policy Design

Had a long discussion with a long time P1 admin that is brilliant (well, I trained him 15 years ago 🙂  ) and we shared tips on Global Policy design. Here are my notes:

1) Try and keep global policies small or else you will put rules and objects on 100 firewalls that only 2 need them. And as time goes on you have more and more objects and rules and afraid to delete them and your domain databases just grow and grow

2) Local control: If you have a set of firewalls that need more local control, then DON”T add any global policies on the top. Only add global policies on the bottom and let the locals hit first. Well, you lose things like the stealth rule at the global level, but it allows the local policy to have more finer grain control instead of some global rule up high that was more general (any any HTTP).

3) Global Objects, Local Rules: There is a debate about global objects in local rules. The problem is if you ever have to split out domains, rename domains, move domains to new P1 (easier to migrate than upgrade in live environment), then you have to pull the global policy out of the local domain and the global objects in local rules will blow up. You have to replace the global objects in local rules with local objects…pull off the global policy..migrate…redo global policy.

So this can be done if you have just a couple global objects in local rules. You can use placeholders/dummy objects. Move the rules to a new domain and then re-apply global policy and update your dummy objects. However if there are a lot of these instances or a lot of moves it will be a huge hassle.

I am personally like using Global Dynamic Objects sk33256  (sometimes) as placeholders and then having the domains replace the placeholders. Downside is the global name is JUST a template and has no data in it. The data is defined at the domain level, so each domain has to populate. So you lose the effect of 1 central global variable with 1 set of objects in it.

dynamic object

After removing global policy from a domain, you can use the following to move the domain into another new domain….

You can also use the export/import function in dashboard to export and import into another domain. Not great, but better than typing.

export function

You can also use confwiz which I love to export/import a whole domain  into another domain. I love this because its not copying files with all the crap in them, it will use dbedit to add objects/rules 1 at a time. Like typing them in. Then delete the crap you don’t need in Dashboard.

You can also use cp_merge, but I’ve never used it.

4) Rename Global Objects: Another reason I hate using global objects too much is because you cannot rename them cleanly. sk82380. If they are in local policy it blows up R75.46/7/8.  I guess a fix came out for it and now you can rename global objects and it all works.

5) Theoretically all this will be resolved in R90 Uber MDM2. I saw a demo and it looked cool anyways. I would wait about 1 year to work out all the kinks before migrating. So probably about 3 years from now the above problems will be mitigated in MDM2.

Hope this Helps,

dreez

MDS puts customer data in wrong partition

OK I know this has been around a while,  but in R75.40-48 (not sure what other versions) they put the customer/domain databases ($MDSDIR/customers) in the / partition (/var/opt/CPmds-R75.40/customers)…which by default is not all that big. It should go into /var/log/opt/CPmds-R75.40 (if it was my decision). So at some random event when you least expect it your / partition fills up and suprise!!! hope you had backups because you could corrupt your databases.

Oh yeah, backups (mds_backup, mds_restore) by default run in / partition. Also every time a user starts a SmartDashboard in write mode it uses 200MB of data in the / partition.  So any of these factors could give you problems if at same time you are saving a domain if you partition is not big enough.

Anyways…so you can move them to /var/log somewhere but of course backups and restores will blow up when you least expect it. You could use the double secret patch HA 46_184…BUT…. the patch HARD CODES where you have to move the customer data and wires it into /var/log (instead of /var/log/opt/CPmds-R75.40 where it really should be). ALSO it requires that you call it “customers” instead of relying on the sym link “$MDSDIR/customers”.

I got to find this all out at the best time of course…database corruption error(s) that luckily we were able to fix or was a false positive.

Check to make sure your backups are running properly after applying the patch.

Learn from my mistakes..I never do!

Firewalls rule,

dreez

blog.lachmann.org

Michael Endrizzi's - St. Paul MN - CheckPoint blog on topics related to Check Point products and security in general.