Category Archives: MDM

Anything to do with MDM

YAOS – Yet Another Ofiller Script (to import IP addresses into MDS or SmartCenter)

Probably 1000 of these, and yes it is a hack but I like learning new tools.

ofiller/odumper is a great tool for large enterprises that need to extract/enter a LARGE number of IP addresses and rules into MDS/SmartCenter in an automated fashion. odumper extracts data into CSV; you can edit it and import via ofiller from CSV. This could be especially cool if you want to upgrade/import and get rid of a lot of crap by editing CSVs and not through the GUI.

So do you have a list of IPs that have to be inputted into MDS or SmartCenter? Well the hump is getting that list of IP addresses into ofiller format.

Here is a VBscript/Excel macro to do just that.

1) INPUT: List of IPs in CSV


2) Run this VB script inside of Excel


3) Voila!!! The output. Ofiller formatted file




4) Input into ofiller

./ofiller.lin -f ~/mds_import.csv -i csv -o dbedit_input.txt

5) Input into MDS (or smartcenter)

dbedit -f dbedit_input.txt


NOTE: R80 will have this built in, but ofiller will still have a warm place in my heart.


Ofiller OUT,



New SmartLog Permissions

UPDATE: 12/1/14: mds_HOTFIX_GYPSY_HF_BASE_748 is the fix and it works in R77.10


UPDATE: 11/13/14: After much hub-bub, this is fixed in R77.30 and they are backporting it to R77.10/20? Will let you know.

With X00 firewalls across X0 domains we live and die by SmartLog. R77.10 SmartLog is awesome, it's fast, finally stable. It alone is sufficient reason to chuck any other firewall product.


They changed the way permissions work in R77.10. Now only Domain Super-users and MDS Super users can use MDS SmartLog. This takes my breath away. Our front-line domain managers (SOC, NOC, Audit, IPS, Security/Risk Management) use SmartLog for debugging not only firewall problems but network problems in general… across all domains. They are not interested in what domain the problem is in… they just want to know where it is in the enterprise. Domain Super users and MDS Super users only use SmartLog a couple times a week for escalated calls.

So WHY???? restrict permissions to an awesome market changing tool to people that only use it a couple times a week??



YAFLST – Yet Another Firewall Logging Status Tool

So you might have not noticed but logging HA is not quite the HA you think it is. About 10-20% of our 350 firewalls fail to HA and either just stop logging or log locally until we nudge them….or maybe we screwed something up.

Anyways….So how do you know which ones are not HA?

You don’t, until now. (OKAY it is a kludge but the best I know how)

  1. Do this: GET LIST OF FIREWALLs.
  2. This gets you a list of gateways and cluster members. You can get rid of the ‘gateway_cluster’, usually not needed for logging. Cluster members use their physical IP and not the VIP.
  3. Import into a spreadsheet with worksheet label ‘fw’. Sort and get rid of obvious junk.
  4. On log servers do a ‘netstat -an | fgrep :257’. This lists all of the firewalls logging.
  5. Import them into the same spreadsheet with worksheet label ‘targets’. Sort and get rid of junk.
  6. Import this macro into your spreadsheet: MACRO. OK, I hacked a VB script. Not pretty. You could also use some perl script at this point.
  7. Anyways, the script will put an ‘X’ in column 3 for the firewalls that are logging.
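
The comparison in steps 4 to 7, as an added shell example that is not part of the original post or its macro: it takes a gateway list and a saved `netstat -an` dump and prints the gateways that have no established connection to the log server's port 257. The "name ip" file layout, host names and addresses are constructed assumptions; unlike a plain `fgrep :257`, it matches the local port exactly and requires the ESTABLISHED state.

```shell
#!/bin/sh
# Added example: find gateways with no established log connection (TCP 257).
# All names, IPs and netstat lines below are constructed sample data.

# Constructed gateway list, one "name ip" per line (physical IPs, not VIPs).
sample_fw() {
cat <<'EOF'
fw-dc1-a 10.1.1.11
fw-dc1-b 10.1.1.12
fw-branch7 10.7.0.1
fw-lab 10.9.9.1
EOF
}

# Constructed 'netstat -an' output as saved on a log server.
sample_netstat() {
cat <<'EOF'
tcp        0      0 0.0.0.0:257             0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:257            10.1.1.11:40122         ESTABLISHED
tcp        0      0 10.0.0.5:257            10.1.1.12:51876         TIME_WAIT
tcp        0      0 10.0.0.5:22             10.9.9.1:25712          ESTABLISHED
tcp        0      0 10.0.0.5:257            10.7.0.1:33001          ESTABLISHED
tcp        0      0 10.0.0.5:2570           10.9.9.1:40000          ESTABLISHED
EOF
}

# Read netstat output on stdin; print peer IPs with an ESTABLISHED session
# to local port 257 exactly. 'fgrep :257' alone would also match local
# port 2570 and remote port 25712, and would count TIME_WAIT leftovers.
logging_peers() {
    awk '$1 ~ /^tcp/ && $6 == "ESTABLISHED" && $4 ~ /:257$/ {
             sub(/:[0-9]+$/, "", $5); print $5 }' | sort -u
}

# Usage: not_logging FW_LIST NETSTAT_DUMP
# Prints "name ip" for every gateway whose IP is not among the logging peers.
not_logging() {
    peers=$(logging_peers < "$2")
    while read -r name ip; do
        [ -n "$ip" ] || continue
        printf '%s\n' "$peers" | grep -qxF "$ip" || printf '%s %s\n' "$name" "$ip"
    done < "$1"
}

# Stand-alone run on the sample data.
tmp=$(mktemp -d)
sample_fw > "$tmp/fw"
sample_netstat > "$tmp/targets"
not_logging "$tmp/fw" "$tmp/targets"
rm -rf "$tmp"
```

With several log servers, concatenate their `netstat -an` dumps into one file before running `not_logging`, so a gateway that failed over to the secondary log server is not reported as silent.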

Seems to me a $$$$$ gazillion dollar HA logging system should do HA. Probably fixed in R80.

Oh yeah, I’ve been using this in Cattools to nudge them:

cpwd_admin stop -name FWD -path "$FWDIR/bin/fw" -command "fw kill fwd"

cpwd_admin start -name FWD -path "$FWDIR/bin/fwd" -command "fwd"

Logging off


YADBGT – Yet Another DataBase Grepping Tool

I’ve seen this before but finally used it. SK. Got it from our Diamond guy Taylor. Had to modify to make it work. You can use guidbedit to see all the fields you can grep.

Outputs all the gateways in the DMS database with their name, ip, appliance/open type, version number.

Wish they had this
# Check Point environment variables
. /opt/CPshared/5.0/tmp/
# go to MDS context
mdsenv
# iterate over the customers
for CMA_NAME in $(ls -1 $MDSDIR/customers)
do
# switch to this CMA's environment
mdsenv ${CMA_NAME}
mcd 1>> /dev/null 2>> /dev/null
echo " "
echo "Security Gateways on CMA ${CMA_NAME} :"
echo "----------------------"
# print name, IP, version and appliance type of every gateway object
$MDSDIR/bin/cpmiquerybin attr "" network_objects "type='gateway'|type='cluster_member'|type='gateway_cluster'" -a __name__,ipaddr,svn_version_name,appliance_type
done


The birds are singing – Palo Alto NanoRama Doesn’t Scale

Stand corrected: NanoRama

I’ve heard rumors that PanoRama doesn’t scale, but received more confirmation from one of my peeps. Seems like PanoRama is more like NanoRama. My peeps tell me that at one shop that is trying to convert and that had one P1/MDM, it took 3-4 NanoRamas to do part of the work that the whole P1/MDM did. They used background scripts to sync objects amongst the NanoVisions.

On the plus side stability was good and app control seems to work.

IMHO CP has to get its new uber R80 MDM out and it has to work. As in the past, MDM/Logging has carried CP the distance, and it will in the future, as long as it works. Competition is getting stiff out there.

That’s all I got,




R80 Gateway

So the birds are singing that they are working on an R80 gateway in order to support the new R80 mgt station features like individual policy module pushes.

Please QA it this time…..



Day 2 – Drinking From the Firehose

Summary: I was asking my friend why CPX was so good this year compared to last year's. He said “Less sales RAH RAH, more technical”. He was right. They had about 30 developers in tow that knew the real answers. The “rah rah” team seemed to be in the background and only appeared when you needed them, which was great. Oh, and the attitude was much more humble this year for whatever reason. Oh, and they even talked about Quality Assurance a bit, wish I could hear more of this! So for the first time I can say I’d spend my own money going to this conference. Next year I think I might head to EuroCPX on my own dime.

41000/61000 – CoreXL/SecureXL

The 61000 is basically blades in a cage that cost $1 million. Each blade is 20 processors. In dashboard you only see 1 firewall, not even a cluster. Blades are hot swappable and have a variety of redundancy. The 41000 is a $250K small brother of the 61000. Each blade supports 10-40Gbps?? of throughput. They don’t use any special SecureXL hardware accelerator, they just throw more cores at the problem.


R80 SmartEvent/SmartLog Performance

SmartLog: They claim they reduced a 5 minute search to 10 seconds in SmartLog. They claim 1:1 index to log size (we were seeing 3:1). SmartEvent is totally rewritten to use its own SmartLog-like index and is supposed to be super fast. You can get R80 now; it is version agnostic and works for all versions.


SmartDashboard – SubPolicies and Layers

I went back 3 times to the R80 Mgt presentation. I am very excited about the work they are doing and can’t wait to download the EA and try it out.

  1. Two types of policies are much more structured in this GUI, which is great:
    - Access Policies – Rules people write with IP addresses and APPLICATION protocols and User Names. X can get to Y.
    - Threat Prevention (dynamic rules responding to threats: IPS, AV, Threat emulation, etc.).
  2. Layers: In the picture you can see the 1/2/3 policies above. Those are called layers. Each can be one of the following: Access Control, Application Control, Compliance, DLP, (and maybe something else). The screen shows we are currently in the data center policy which is an access control policy. This policy is executed first from top to bottom on every packet. Next, #2, the compliance policy is executed, and then #3, the DLP policy, is executed.
  3. Cool thing: you can install each layer separately from the others so you don’t have to install all of policy and IPS at the same time. I think I said before that policy and threat measures can be installed separately… finally. You can see the policy installation options in this screen.


  1. WITHIN!!! A policy you can create subpolicies. These subpolicies are kinda like the current sections markers we have now except each subpolicy can have its own administrative editors. The policy will be executed from top down including all the subpolicies, but each one has a different editor.
  2. Down on the left you can barely see where you can use command line to do everything you want in the GUI. Very cool.
  3. They also have a “Web Services” view, where you can build web screens with SOAP/REST scripts to interact with the management station.
  4. They also added another column (optional) called data awareness. You can specify what types of files to allow/disallow for upload/downloads. Probably from the DLP blade. In the app control column you can say Frank can access YouTube but only for 60 seconds and 6 meg of data or give a file name they can download.
  5. Rules have another action called “Monitor”. They will just log activity but make no enforcement decision, so you can play out “What If” scenarios.
  6. They do have a view called “Unified” where you can see all policies and threat protection all in 1 pane. Each column per rule is another protection like app control, threat prevention, etc.
  7. They finally support multiple concurrent admin audit. You log in and create a session. This session has all your edits. You can save your session, etc. As you work on rules you lock the rule but not the whole DMS. When you are done with your session you publish it. Only after you publish it can it get installed on gateway. When you click on the rule, you can see the history of edits on that rule.
  8. You can click on a rule and ask to see all the logs for that rule. Very cool.
  9. The gateways can now recognize interfaces as objects like Cisco/Palo/Juniper. You define the interface(s) as a zone and use that as an object.
  10. One thing that has me a bit worried. They say they integrated logging, monitoring, smartevent, policy all into one dashboard which would be really cool. But I think in reality you only see a summary in Dashboard and when you click for more detail it kicks off the standalone SmartWhatever client. Not too impressed, prefer single pane of glass model.
  11. You can file Service Requests from SmartDashboard. Pretty basic, really hope we don’t have to use it much. PLEASE!!! Not after the last 4 years of pain.
  12. Once again, nothing on MDS yet. Still in the thought stage.  But very cool start.
  13. I’ll save the best for last. CSV export and import!!!! You can FINALLY import and export objects with CSVs for editing and reimporting. Perfect for enterprises for managing large number of objects. If you are religious, thank you gods.
  14. For provisioning, they do have a script manager. Didn’t get to play with it much, seemed pretty basic.
  15. Change Control: I guess it will somehow integrate with Change Management systems like HP and Remedy and you can drag and drop from your Change Management ticket window into the management station for IP addresses and a column with ticket information like ticket number and comments from the change control ticket. The links are there, they have to partner up.
  16. Web Based Object Management: So if you have an object group that is dynamic and person XXX is responsible for maintaining the group, you can create a web page with WebServices, they log in with AD and manage only that object and nothing else WITHOUT using SmartDashboard.
  17. I thought?? I saw CLI access VIA the SIC tunnel port 18191 from SmartDashboard, which would be very cool. That would supplement WebUI CLI access via 443 and of course CLI via port 22. Helps a ton in case we lock ourselves out of a box somehow, another avenue.

All of the above has the makings of THE BEST Enterprise Security Management Environment on the planet. THIS is what makes and differentiates CP from the wannabees. THIS is what makes me so proud to be associated with this product. Two-Thumbs Plus Up (but please make sure you QA the frigging thing this time. Screw the whiners, take your time and deliver a quality product).


Kinda anticlimactic. Lots of FUD and when the attack happened I kept asking “what happened” and then it ended. I think I missed the point. I guess they are going after more SCADA traffic signatures for app control and IPS. Not sure how mature it is. If you have SCADA traffic, call them and they are very very ambitious to sniff your traffic and create more signatures.


GAIA – Next Steps

Nothing really too cool here, incremental which is OK by me as long as they run it through QA. As long as they stabilize the basic firewall features they can go as slow as they like. If the firewall doesn’t work, might as well get a different product.

  1. Working on 77.20 for more stability THANK YOU!!!!!
  2. They have a routing team in Israel instead of the Nokia crew in California and the Cluster people in Israel. So hopefully routing and clustering will start coming together.
  3. More abilities to upgrade from the GUI from the cloud…I missed some of this. I hate upgrading from the GUI because it freezes and dies so I’ll stick with the CLI thanks.
  4. You can get detailed reports on HFAs, HFs, versions, etc in the GUI. In future will upload to cloud for more reports. OK start, but need inventory of our whole environment, not just 1 gateway at a time.
  5. CPView: Seems to be a really cool CLI tool to view performance issues. Can run on any version NOW. Can see inside the kernel and inside blades to see what they are doing with memory and CPU. Thumbs up.
  6. Performance sizer. Runs 24 hours on a system and can tell you if you need a bigger system. We use it and it is so-so. You have to be able to anticipate internal external User base and doesn’t seem to be based on realistic numbers. Neutral.
  7. CoreXL and SecureXL can be mostly modified within the GUI instead of the command line. Thank YOU!
  8. I saw nothing on fixing licensing hell. Oh well, maybe version R90.
  9. LVM Manager. They have a CLI GUI that lets you dynamically change disk partition sizes. Just front end to lvmmanager from Linux but I like it.

Rant and Rave

PREQUEL: I had my best discussion with a gentleman from Atlanta whose name and organization I forgot. CP should hire him as their director of marketing because he painted the picture that Gill and marketing have missed for 25 years: “Single Pane of Glass for Policy and Response”. Right now organizations pick best of breed products. Large ones have 2-3 different firewall products (CP and Cisco), 1 SIEM like Envision (sucks), 1 Threat Emulator like FireEye (awesome), 1 IPS like SourceFire (awesome). Best of breed. Unfortunately the threats are coming faster than these best of breeds can respond. When SourceFire picks up a DDOS or FireEye sees an internal compromised system, SLOW BUREAUCRATIC UNTRAINED POLITICAL people have to make phone calls and do change control and fight political battles to respond to the threat. Meanwhile the hackers only have one purpose and do not have to fight those political, training, etc. battles.

While CP may not have all of the best of breed point solutions, they do have the best of breed single pane of glass to respond to zero-day threats. It all starts with awesome management and logging, which allows organizations to have one political boundary, one trained staff, one bureaucratic boundary, one tactical solution to react to zero-day threats in one pane of glass.

But does that sell a CSO or CFO? No.

What sells is the ROI. Imagine only having to have X number of security operations personnel instead of 5x, one for firewalls, one for DLP, one for SIEM, one for AV, one for SPAM, one for URL, one for IPS, one for ….. The numbers may be off but you get the idea.

Basically CP marketing is selling technology (performance, appliances, pretty GUIs). At CPX they pitched their latest theme “Software Defined Protection”. What the heck does that mean? How does that save money? How does that differentiate from competitors? How does that make me want to run to the CP Retail Store and buy 10 61000s?? Instead my above description is selling solutions with ROI, and everyone understands ROI. This is the theme The Gill should paint and every talk and demonstration could echo it and every sales and marketing person could lead with. Maybe something like “CP: Your single pane zero-day solution” <<<Rah-Rah do the dance here>>. And then every year at CPX The Gill should measure and share with us how far they have come to dominating the Security Management market based on their awesome management environment.

(Then again, The Gill has an awesome jet and I drive a 2006 Scion XA. Who Knows Best?)

Snapshot space, GAIA disk space allocation and upgrades

Ya know when you are installing GAIA and it tries to reserve 2000TB for snapshot images? At the time you are thinking “GEEZ Guido, how much space does a single image take???”. So you are not sure how to allocate all the memory.

My suggestions:

  1. Snapshots: You really are only going to keep 2 snapshots: 1 after you install/upgrade and then 1 before you upgrade (so you can go backward when it blows up). So it depends on whether you are dealing with a big MDS; ours has 10GB snapshots. So if you allocate 50GB for snapshots you will be good for at least 2-5 snapshots. If the box has logs on it… then I’m not sure what to tell you but it will be big.
  2. Root: This is a funny one. Depends on open server vs appliance. On open appliance they dump all the backups and customer directory into the Root partition even though /var/log is supposed to have the biggest partition. So on MDS open appliance, assuming you moved everything over to /var/log and have all the patches, you can make this about 20GB. But warning: if you didn’t move over to /var/log, then the ‘backup’ command will load into this partition. Without backups, you are looking at about 5GB of code to install here. But once again, you are warned about moving customer data and backups into /var/log.
  3. /var/log: For an MLM, of course this is your biggest partition. NOTE: if you have bigger than 2TB disks you are going to have to use lvm to link them together. Read my blog about that (it's a kernel block size limit).

Allocate ON!


Defining RADIUS servers in MDS

I know I’m late to the party with this one but hopefully it will save others from searching high and low. How do you integrate RADIUS into MDS in R75.40+??? Documentation is sparse.

  1. Bring up any global policy
  2. Click on the Servers and OPSEC tab (below)
  3. On Servers create a new RADIUS group
  4. Add the nodes till you build a group
  5. When you assign users, you can specify RADIUS authentication:



MDS Admin Audit

One thing auditors want to know is which MDS admins have access to what and how has that changed over time. Yeah you could use the GUI, but easier to just dump them to text and send email.

Well, it's not perfect, but here is a perl script that will text dump MDS users and their permissions. I want to modify it to print in CSV and show the deltas. Work in progress.

Admin Audit Perl Script

Had this for years and used it recently.

Sooooo….wait no longer, the Admin Audit perl script is here:

  1.  Retrieve the $MDSDIR/conf/mdsdb/cp-admins.C file
  2. Put on local system where you have perl running
  3. ./ cp-admins.C
  4. Waaaaala


