Archive for the ‘Secure Platform’ Category

SmartSPLAT – very nice SSH GUI client for SPLAT

Thursday, September 2nd, 2010

I’d like to share that today I became aware of the SmartSPLAT project.

Cagdas Ulucan, CCSE+ from Turkey, developed a nice GUI that uses a plain SSH connection to log in to your SPLAT-based box and display, change and collect a lot of useful information.

SmartSPLAT

The three shell windows show the output of fw monitor, the current fw log and the main commands; the parameters for them can be set in the GUI.

When you click on a button (for example “debug vpn”), you can actually see which commands are issued to the shell, so there is a learning effect as well.

The tool has a built-in FTP and syslog server, so the debug files produced can be uploaded easily.

At first you’re overwhelmed by all the tabs that address different (troubleshooting) topics, but I think the GUI will improve and Cagdas will find a way to enhance the presentation of his tool.

What is really cool is the cluster view, where you have a window with two panes, each representing one cluster member. An easy way to send commands to both cluster members and compare the results!

Try his tool; it’s completely free and very, very useful.
Send him your suggestions for improvement and make it even better.

Tobias Lachmann

resize2fs: Operation not permitted While trying to add group #128

Monday, August 30th, 2010

Today I tried to increase the logical volume on a UTM-1 appliance as described before in this blog.

I got the error
resize2fs: Operation not permitted While trying to add group #128
when issuing the resize2fs command.

The solution to this problem: the journal was too small and had to be re-created:

[Expert@firewall]# dumpe2fs /dev/vg_splat/lv_log | grep Journal\ size
Journal size: 32M

[Expert@firewall]# tune2fs -O ^has_journal /dev/vg_splat/lv_log

[Expert@firewall]# tune2fs -j /dev/vg_splat/lv_log
Creating journal inode:
done

[Expert@firewall]# dumpe2fs /dev/vg_splat/lv_log | grep Journal\ size
Journal size: 128M

After that, run a filesystem check and issue the resize2fs command, which will then succeed.

Tobias Lachmann

new kernel modules starting with R70

Wednesday, August 25th, 2010

On a SPLAT machine, which is based on (RedHat) Linux, the Check Point software runs either as user-mode processes or as Linux kernel modules.

These modules can be listed with lsmod:

[Expert@firewall]# lsmod
Module Size Used by Tainted: PF
rtmmod_smp.2.4.21.cp.i686 281120 1
bridge 27680 0 (autoclean) (unused)
vpnmod_smp.2.4.21.cp.i686 1269512 3
fwmod_smp.2.4.21.cp.i686 7858176 11
simmod_smp.2.4.21.cp.i686 827904 1
vpntmod_smp.2.4.21.cp.i686 13808 0 (unused)
e1000 126728 6
bnx2 79432 2
crc32 3592 0 [bnx2]
sg 38092 0 (autoclean) (unused)
microcode 7072 0 (autoclean)
ide-cd 35840 0 (autoclean)
cdrom 33248 0 (autoclean) [ide-cd]
dm-mod 59428 0
keybdev 3048 0 (unused)
mousedev 5688 0 (unused)
hid 22628 0 (unused)
input 5504 0 [keybdev mousedev hid]
ehci-hcd 20968 0 (unused)
usb-uhci 27308 0 (unused)
usbcore 79680 1 [hid ehci-hcd usb-uhci]
ext3 92840 5
jbd 54056 5 [ext3]
cciss 70432 12
sd_mod 14128 0 (unused)
scsi_mod 118312 2 [sg cciss sd_mod]

When Check Point refers to the firewall kernel, they’re actually talking about these Linux kernel modules.

The Check Point kernel itself is composed of several modules, which can be shown using the fw ctl debug -h command.
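As an added example (not from the blog or from Check Point), the following shell functions pick the Check Point modules out of lsmod output and report which of an expected set are missing. The sample listing is a constructed subset of the one above; the expected module names and the non-existent "dummymod" used to show the missing case are assumptions.

```shell
#!/bin/bash
# Added example: find the Check Point kernel modules in lsmod output and
# check that the expected ones are loaded. Sample listing is constructed
# (2.4-style lsmod format: Module Size Used by ...).

LSMOD_SAMPLE='Module Size Used by Tainted: PF
rtmmod_smp.2.4.21.cp.i686 281120 1
bridge 27680 0 (autoclean) (unused)
vpnmod_smp.2.4.21.cp.i686 1269512 3
fwmod_smp.2.4.21.cp.i686 7858176 11
simmod_smp.2.4.21.cp.i686 827904 1
vpntmod_smp.2.4.21.cp.i686 13808 0 (unused)
e1000 126728 6
ext3 92840 5
jbd 54056 5 [ext3]'

# cp_modules: read lsmod output on stdin and print "<short name> <use count>"
# for every Check Point module. Their names carry ".cp." (for example
# fwmod_smp.2.4.21.cp.i686); the short name is the part before the first
# underscore or dot (fwmod, vpnmod, ...).
cp_modules() {
    awk 'NR > 1 && $1 ~ /\.cp\./ {
        name = $1
        sub(/[_.].*$/, "", name)
        print name, $3
    }'
}

# missing_modules LSMOD_TEXT NAME...: print each expected short name that is
# not among the loaded Check Point modules. Returns 0 either way so the
# caller decides what to do with the list.
missing_modules() {
    lsmod_text=$1
    shift
    loaded=$(printf '%s\n' "$lsmod_text" | cp_modules | awk '{ print $1 }')
    for want in "$@"; do
        found=0
        for have in $loaded; do
            [ "$have" = "$want" ] && found=1
        done
        [ "$found" -eq 0 ] && echo "$want"
    done
    return 0
}

# Demo on the constructed sample. On a real box use: missing_modules "$(lsmod)" fwmod vpnmod simmod rtmmod
printf '%s\n' "$LSMOD_SAMPLE" | cp_modules
missing_modules "$LSMOD_SAMPLE" fwmod vpnmod simmod rtmmod dummymod
```

The use count printed next to each module is the third lsmod column; a count of 0 on fwmod would be a sign that nothing is using the firewall module, which is worth noticing before opening a service request.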

In NGX we had the following:

  • fw “Firewall Module”
  • VPN “VPN Module”
  • FG-1 “Floodgate-1 QoS Module”
  • H323 “VoIP H.323 Module”
  • BOA “Malicious Code Protection Module”
  • WS “SmartDefense Web Intelligence Module”
  • CPAS “Active Streaming Module”
  • CLUSTER “ClusterXL Module”
  • RTM “SmartView Monitor Module”

Now with R70 and Software Blades, we have some more kernel modules:

  • kiss ???
  • kissflow ???
  • multik ???
  • SFT ???
  • CI ???
  • fw “Firewall Module”
  • VPN “VPN Module”
  • FG-1 “Floodgate-1 QoS Module”
  • H323 “VoIP H.323 Module”
  • BOA “Malicious Code Protection Module”
  • WS “SmartDefense Web Intelligence Module”
  • CPAS “Active Streaming Module”
  • CLUSTER “ClusterXL Module”
  • RTM “SmartView Monitor Module”

At the moment I have not found any reference for the new modules, neither an explanation of the modules themselves nor of their kernel debugging options.

I opened a service request with Check Point to get this information.

Tobias Lachmann

UTM-1 1050 and 2050 network problems

Wednesday, July 21st, 2010

So, what is the problem? NIC connections stay up for about 1 or 2 minutes, then they’re down for about 5 minutes.

We upgraded a UTM-1 2050 series appliance to R71 and got massive connectivity problems. Two days later sk42174 came out, which helped us fix the problem. It seems that the Linux kernel starting with R70 assigns new drivers to the NICs, which are incorrect.
The solution for that problem is to change the settings back to the old driver.

For details please refer to the SK and keep it in mind when you’re updating older appliances.

Online partition resizing on UTM-1 appliances

Thursday, June 24th, 2010

Under SPLAT with the 2.4 Linux kernel (NGX R65) you had to follow a slightly complicated procedure to resize the partitions and filesystems on a UTM-1 appliance.

Now the R7x releases bring us the 2.6 kernel with lots of improvements. A very nice one is the ability to resize (meaning increase!) the partitions and filesystems online, without the need to unmount them.

[Expert@volvo]# lvresize -L 12GB vg_splat/lv_current
Extending logical volume lv_current to 12.00 GB
Logical volume lv_current successfully resized

[Expert@volvo]# resize2fs /dev/mapper/vg_splat-lv_current
resize2fs 1.39 (29-May-2006)
Filesystem at /dev/mapper/vg_splat-lv_current is mounted on /; on-line resizing required
Performing an on-line resize of /dev/mapper/vg_splat-lv_current to 3145728 (4k) blocks.
The filesystem on /dev/mapper/vg_splat-lv_current is now 3145728 blocks long.

Please note: this only works when increasing the filesystems. Shrinking the filesystems requires them to be unmounted!

In that case go with this procedure.

Tobias Lachmann

Update to R71 – enlarging UTM-1 appliance root partitions

Friday, June 18th, 2010

In one of my previous blog entries I described a way to enlarge partitions of UTM-1 appliances. This was necessary especially for the older x50 series appliances, as they had a smaller hard drive and a bad partition layout.

In the past I only enlarged the partition that held the log files, because that’s where you have the most data. The procedure was working just fine and I was happy.

A couple of days ago I started updating x50 series appliances from R65 to R71. Even after cleaning unused files off the system right before the update I got into serious trouble. The cause was that the root partition was nearly full.

The update process itself came up with no error, but while operating the appliance the root partition was completely full in no time. Especially updating the URL Filtering database, which is now about 370MB, filled the root partition quickly.

When I tried enlarging the root partition with the described procedure I failed.

Resizing requires unmounting the partition first, but you can’t unmount the root partition.

So I had to find another way to modify the partition sizes of the appliance.

Here’s what I did:

I downloaded an ISO image of grml, a Linux live system for sysadmins. Then I modified the ISO to display its output on the serial console. You can download this modified ISO here.

I connected a USB DVD drive to the appliance and booted the ISO image.

On the boot screen I added some parameters for the startup process:

Some information and boot options available via keys F2 - F10. http://grml.org/
grml 2010.04 - Release Codename Grmlmonster 2010.04.29
boot: serial debug=noscreen lang=de lvm

When grml had finished booting, it gave me a console with all the needed tools. LVM was loaded already and I was good to go.

I checked for the volume groups on the hard drive with the vgscan command:

root@grml ~ # vgscan -v
Wiping cache of LVM-capable devices
Wiping internal VG cache
Reading all physical volumes. This may take a while...
Finding all volume groups
Finding volume group "vg_splat"
Found volume group "vg_splat" using metadata type lvm2

Then I activated the logical volumes with vgchange:

root@grml ~ # vgchange -a y
6 logical volume(s) in volume group "vg_splat" now active

You can display the volume group with vgdisplay:

root@grml ~ # vgdisplay
--- Volume group ---
VG Name vg_splat
System ID
Format lvm2
Metadata Areas 1
Metadata Sequence No 7
VG Access read/write
VG Status resizable
MAX LV 255
Cur LV 6
Open LV 0
Max PV 255
Cur PV 1
Act PV 1
VG Size 72.47 GiB
PE Size 4.00 MiB
Total PE 18553
Alloc PE / Size 7424 / 29.00 GiB
Free PE / Size 11129 / 43.47 GiB
VG UUID dCQA6u-z70X-LIsE-Xhmb-n5ho-ZMrX-JyBePy

You can display the logical volumes with lvscan:

root@grml ~ # lvscan
ACTIVE '/dev/vg_splat/lv_current' [5.00 GiB] inherit
ACTIVE '/dev/vg_splat/lv_log' [10.00 GiB] inherit
ACTIVE '/dev/vg_splat/lv_hfa' [5.00 GiB] inherit
ACTIVE '/dev/vg_splat/lv_upgrade' [5.00 GiB] inherit
ACTIVE '/dev/vg_splat/lv_fcd' [2.00 GiB] inherit
ACTIVE '/dev/vg_splat/lv_fcd62' [2.00 GiB] inherit

Then I resized the logical volumes to better values:

root@grml ~ # lvresize -L 11GB /dev/vg_splat/lv_current
Extending logical volume lv_current to 11.00 GiB
Logical volume lv_current successfully resized

root@grml ~ # lvresize -L 25G /dev/vg_splat/lv_log
Extending logical volume lv_log to 25.00 GiB
Logical volume lv_log successfully resized

Keep in mind that you will need some free space for imaging purposes, so don’t use up all the space on the hard drive!

Then a file system check has to be done, followed by the resizing of the file system.

root@grml ~ # e2fsck -f /dev/vg_splat/lv_current
e2fsck 1.41.11 (14-Mar-2010)
Superblock last mount time is in the future.
(by less than a day, probably due to the hardware clock being incorrectly set) Fix? yes

Pass 1: Checking inodes, blocks, and sizes
Pass 2: Checking directory structure
Pass 3: Checking directory connectivity
Pass 4: Checking reference counts
Pass 5: Checking group summary information
/dev/vg_splat/lv_current: ***** FILE SYSTEM WAS MODIFIED *****
/dev/vg_splat/lv_current: 26973/655360 files (0.1% non-contiguous), 384238/1310720 blocks

root@grml ~ # resize2fs /dev/vg_splat/lv_current
resize2fs 1.41.11 (14-Mar-2010)
Resizing the filesystem on /dev/vg_splat/lv_current to 2883584 (4k) blocks.
The filesystem on /dev/vg_splat/lv_current is now 2883584 blocks long.

root@grml ~ # e2fsck -f /dev/vg_splat/lv_log
e2fsck 1.41.11 (14-Mar-2010)
Superblock last mount time is in the future.
(by less than a day, probably due to the hardware clock being incorrectly set) Fix? yes

Pass 1: Checking inodes, blocks, and sizes
Pass 2: Checking directory structure
Pass 3: Checking directory connectivity
Pass 4: Checking reference counts
Pass 5: Checking group summary information

/dev/vg_splat/lv_log: ***** FILE SYSTEM WAS MODIFIED *****
/dev/vg_splat/lv_log: 56/1310720 files (3.6% non-contiguous), 49409/2621440 blocks

root@grml ~ # resize2fs /dev/vg_splat/lv_log
resize2fs 1.41.11 (14-Mar-2010)
Resizing the filesystem on /dev/vg_splat/lv_log to 6553600 (4k) blocks.
The filesystem on /dev/vg_splat/lv_log is now 6553600 blocks long.

To finish, deactivate the logical volumes:

root@grml ~ # vgchange -a n
0 logical volume(s) in volume group "vg_splat" now active

root@grml ~ # lvscan
inactive '/dev/vg_splat/lv_current' [11.00 GiB] inherit
inactive '/dev/vg_splat/lv_log' [25.00 GiB] inherit
inactive '/dev/vg_splat/lv_hfa' [5.00 GiB] inherit
inactive '/dev/vg_splat/lv_upgrade' [5.00 GiB] inherit
inactive '/dev/vg_splat/lv_fcd' [2.00 GiB] inherit
inactive '/dev/vg_splat/lv_fcd62' [2.00 GiB] inherit

That’s it. Reboot again and start the Secure Platform.

Check with df -h that you have the desired partition layout:

[Expert@cpmodule]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/vg_splat-lv_current
11G 1.4G 8.9G 14% /
none 11G 1.4G 8.9G 14% /dev/pts
/dev/hdc1 145M 13M 125M 9% /boot
none 502M 0 502M 0% /dev/shm
/dev/mapper/vg_splat-lv_log
25G 33M 24G 1% /var/log

Tobias Lachmann

UTM-1 hardware

Tuesday, May 25th, 2010

Here is a short list of the hardware used in UTM-1 / Power-1 / Smart-1 appliances.
If you take the appliance hardware together with the throughput stated by Check Point, it might give you an idea of how your OpenServer hardware will perform in comparison.

The details can be determined from the command line.

For the CPU details use cat /proc/cpuinfo, for the RAM details use cat /proc/meminfo.

If you have more details on UTM-1 appliances, feel free to send them to blog@lachmann.org

UTM-1 130

  • Intel Celeron M 600 MHz
  • 1 GB RAM
  • 80 GB ATA HDD

UTM-1 270

  • Intel Celeron M 600 MHz
  • 1 GB DDR2 RAM 400 MHz
  • 160 GB ATA HDD

UTM-1 450

  • Intel Celeron M 1.5 GHz
  • 1 GB RAM
  • 80 GB ATA HDD

UTM-1 570

  • Intel Celeron M 1.5 GHz
  • 1 GB RAM
  • 160 GB ATA HDD

UTM-1 1070

  • Intel Celeron M 1.5 GHz
  • 1 GB RAM
  • 160 GB ATA HDD

UTM-1 2050

  • Intel Pentium 4 3.4 GHz
  • 2 GB RAM
  • 80 GB ATA HDD

UTM-1 2070

  • Intel Celeron 440 2.00GHz
  • 2 GB RAM
  • 160 GB ATA HDD

UTM-1 3070

  • Intel Core2 Duo E6400 2.13GHz
  • 3 GB RAM
  • 160 GB ATA HDD

Power-1 5070

  • Intel Xeon E5410 2.33GHz (QC)
  • 2 GB RAM
  • 80 GB ATA HDD

Smart-1 25

  • Intel Core2 Duo CPU T7400 2.16GHz
  • 3 GB RAM
  • 4x 500 GB SATA HDD in RAID 10

Thanks to all the contributors for their info!

Tobias Lachmann

Delete all ARP entries on SPLAT

Wednesday, May 19th, 2010

We stumbled over this one yesterday: some servers behind a gateway had a problem with ARP resolution and we wanted to make sure that ARP worked. To verify this we tried to delete all ARP entries and see if the ARP cache was filled up again (and correctly).

While Windows has arp -d * as a working command to delete all entries at once, under Linux and therefore SPLAT you have to try something different.

This little script will do the job for you:

#!/bin/bash
# Walk /proc/net/arp and delete every entry. The first line of that file
# is a header ("IP address ..."), so only lines whose first field is a
# dotted-quad address are used.
for arpentry in $(awk '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $1 }' /proc/net/arp)
do
    arp -d "$arpentry"
done
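As an added example (not the blog’s script), here is the same /proc/net/arp walk extended the way I would want it on a production gateway: it leaves permanent entries alone (a static arp -s mapping should survive a cache flush), can be limited to one interface, and only prints the arp -d commands unless DO_IT=1 is set. The ARP table below is constructed; the ATF_PERM flag value is the one from the kernel’s <linux/if_arp.h>.

```shell
#!/bin/bash
# Added example: flush the ARP cache but keep permanent (static) entries.
# Sample /proc/net/arp content is constructed. Columns: IP address, HW type,
# Flags (hex, ATF_COM=0x2 complete, ATF_PERM=0x4 permanent), HW address,
# Mask, Device.

ARP_SAMPLE='IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         00:11:22:33:44:55     *        eth0
192.168.1.20     0x1         0x0         00:00:00:00:00:00     *        eth0
10.0.0.7         0x1         0x6         00:aa:bb:cc:dd:ee     *        eth1
10.0.0.9         0x1         0x2         00:aa:bb:cc:dd:ef     *        eth1'

# flushable_entries [DEVICE]: read a /proc/net/arp table on stdin and print
# "IP DEVICE" for every entry that is not permanent. Incomplete entries
# (flags 0x0) are included: deleting them is harmless and clears a stale
# lookup. The flags column is hex, converted by hand because strtonum() is
# not portable awk.
flushable_entries() {
    awk -v dev="${1:-}" '
    function hex(s,   i, v, c) {
        v = 0
        s = tolower(s); sub(/^0x/, "", s)
        for (i = 1; i <= length(s); i++) {
            c = substr(s, i, 1)
            v = v * 16 + index("0123456789abcdef", c) - 1
        }
        return v
    }
    NR > 1 && $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
        if (dev != "" && $6 != dev) next
        if (int(hex($3) / 4) % 2 == 1) next   # ATF_PERM set: keep the static entry
        print $1, $6
    }'
}

# flush_arp [DEVICE]: delete the flushable entries from the live table.
# Without DO_IT=1 the commands are only shown.
flush_arp() {
    flushable_entries "${1:-}" < /proc/net/arp | while read -r ip dev; do
        if [ "${DO_IT:-0}" = 1 ]; then
            arp -i "$dev" -d "$ip"
        else
            echo "would run: arp -i $dev -d $ip"
        fi
    done
}

# Demo on the constructed table (on a gateway: DO_IT=1 flush_arp eth1).
printf '%s\n' "$ARP_SAMPLE" | flushable_entries
```

On the sample table the entry 10.0.0.7 with flags 0x6 (complete and permanent) is kept, the other three are listed for deletion.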

Tobias Lachmann

Again backup problems after R70.30 upgrade when using SCP

Thursday, May 13th, 2010

We had this before, now it’s back: the problem of scheduled backups not working after upgrading to an R70.xx version. Seen on R70.20; now I upgraded an environment from R70.10 to R70.30 and the error is still there. The backup files are not correctly transferred to the configured SCP server.

The solution is to disable scheduled backup through the WebUI.

Then go to the /var/CPbackup/conf directory and delete the file backup_sched.conf.

Afterwards open the WebUI again and re-configure scheduled backup.

Next time the backup runs everything will be OK and the files are transferred to the other server with SCP.

Tobias Lachmann

Delete old log files on SPLAT machines

Monday, May 10th, 2010

There is no way to configure your SPLAT box or UTM-1 appliance so that only the logs of the last X days are kept.

The only work-around would be to configure on the firewall object -> Logs and Masters -> Required Free Disc Space together with the option Do not delete log files from the last X days.

By configuring a very high value for required free disk space you could have the cleanup run every day, and with the other option prevent it from deleting the logs you still need.

Or you could implement a short script:

[Expert@fw1]# cat /usr/bin/del_logs.sh
#!/bin/bash
/usr/bin/find /var/log/opt/CPsuite-R65/fw1/*.log* -ctime +217 -print -exec rm -f {} \;

The number after -ctime is the age in days; files older than that are deleted, so in this example the logs of the last 217 days are kept.

Run the script with cron:

[Expert@fw1]# crontab -l
# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (/tmp/crontab.19431 installed on Mon May 10 10:21:33 2010)
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
42 11 * * * /usr/bin/del_logs.sh
50 2 * * 1,2,3,4,5,6,7 backup_util sched

Now you’re able to delete the old logs as you like. If you back up your firewall or SmartCenter to the local disk, maybe you want to do this with your backups, too?
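As an added example (not the blog’s del_logs.sh), the following variant takes the log directory and the retention in days as parameters, matches the Check Point log file set (*.log, *.logptr, *.loginitial_ptr, ...) with find -name instead of a shell glob (a glob over years of logs can exceed the argument-list limit), uses -mtime rather than -ctime (a chown or a restore from backup resets the ctime and would make an old file look new), and only deletes when DELETE=1 is set. The directory and the 217-day retention are taken over as assumptions; the files in the demo are constructed.

```shell
#!/bin/bash
# Added example: retention-based cleanup of Check Point log files with a
# dry-run by default. Sample files are constructed in a temporary directory.

# old_logs DIR DAYS: print the log files in DIR last modified more than DAYS
# days ago, sorted by name (for fw logs the name is the date).
old_logs() {
    dir=$1; days=$2
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    find "$dir" -maxdepth 1 -type f -name '*.log*' -mtime +"$days" | sort
}

# purge_logs DIR DAYS: delete what old_logs lists when DELETE=1, else show.
purge_logs() {
    old_logs "$1" "$2" | while read -r f; do
        if [ "${DELETE:-0}" = 1 ]; then
            rm -f -- "$f" && echo "deleted $f"
        else
            echo "would delete $f"
        fi
    done
}

# Demo on constructed files: two rotated log sets from 2009 and the current
# fw.log, which must be kept. Real use, from cron:
#   DELETE=1 purge_logs /var/log/opt/CPsuite-R65/fw1 217
DEMO=$(mktemp -d)
for base in 2009-11-01_000000 2009-12-01_000000; do
    for ext in log logptr loginitial_ptr logaccount_ptr; do
        touch -t 200912010000 "$DEMO/$base.$ext"
    done
done
touch "$DEMO/fw.log" "$DEMO/fw.logptr"
old_logs "$DEMO" 217
purge_logs "$DEMO" 217
rm -rf "$DEMO"
```

Run it once without DELETE=1 from the crontab entry you intend to use and read the "would delete" lines before switching it on.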

Tobias Lachmann

How to build an UTM-1 cluster with SmartCenter HA (aka Full Cluster)

Sunday, May 9th, 2010

Maybe you’ve seen my presentation on CPUGCON 2009 about migration to an UTM-1 cluster from a distributed environment.

Now I was asked to provide a how-to about building this kind of UTM-1 Full Cluster from scratch.

Actually this is very easy. Building UTM-1 clusters was supported from the start, but the SmartCenter could only reside on one appliance. With the introduction of NGX R65 with Messaging Security, we also got SmartCenter High-Availability for free.

In our setup we assume that we have two appliances, one primary and one secondary. Setup both with the normal First Time Configuration Wizard.

Make sure to install the primary one as locally managed and primary cluster member.

The secondary appliance is also installed as locally managed but as secondary cluster member.

On the secondary appliance you also have to fill in a SIC secret to establish the communication later.

After completing the First Time Configuration Wizards on both appliances, connect with the SmartDashboard to the primary UTM-1 appliance.

Now the wizard for configuring the cluster pops up. When defining the secondary cluster member, fill in the SIC secret entered in the WebUI wizard.

Fill in all the details that reflect your cluster. Make sure to have at least one dedicated sync network.

Topology could look like this afterwards:

Now you can define rules, push the policy and make the cluster work. After that check the Management HA in the SmartDashboard:

This picture shows that both cluster members have a SmartCenter installed and are working in Management High-Availability mode.

That’s it for building an UTM-1 cluster with Management High Availability – also known as UTM-1 Full Cluster.

Tobias Lachmann

SecurePlatform and NTP

Monday, May 3rd, 2010

This is an old problem, but maybe not everyone knows this:

If you use NTP server synchronisation on SPLAT, you should also set the time zone to get the correct date/time and daylight saving. Unfortunately, this can’t be done in the WebUI. So first configure your NTP servers in the WebUI. Then access the command line and execute sysconfig. Use option 4 to go to the time settings and then option 1 to set the time zone according to your location.

Verify that you got the correct time using the WebUI.

Tobias Lachmann

URL Filtering update error

Monday, May 3rd, 2010

When you receive continuous update errors from the URL Filtering module, it may be a good idea to delete the whole database and rebuild it via the update database function in SmartDashboard. This was helpful for me several times…

  • First change to the directory $FWDIR/uf/sc/update/incoming.
  • Delete all the files beginning with “sfcontrol”. The file “sfcontrol” itself is the database, all the others are differentials and status infos.
  • Run cpstop and cpstart to restart the services that control URL Filtering.
  • Go to your SmartDashboard, change to the “Content Inspection” tab and click on “Update Databases Now”.

It will take a while to download the whole database, but you can watch the progress by checking the files and their sizes in the directory.

While debugging URL Filtering in general, you may stumble over sk35196, which describes several procedures with the avsu_client command and its optional parameters. Please note that Check Point changed the URL Filtering provider, I think with HFA50, from SurfControl to SecureComputing. This engine change comes together with a change in the parameters when you call avsu_client. The application name “URL Filtering” does not provide valid output when you use the SecureComputing engine; you have to use “URL Filtering2” to get actual results from the installation.

avsu_client -app "URL Filtering" fetch
failed to fetch signature update
err_str=Failed. Message from module: "Server has no available updates".
info=
Local version is date

avsu_client -app "URL Filtering2" fetch
signature file up to date
err_str=Succeeded. Existing signature is up-to-date.
info=
Local version is date

Sadly, calling avsu_client on its own gives no hint about the changed parameters; it only lists “URL Filtering”.

Tobias Lachmann

R71 released

Friday, April 30th, 2010

The version R71 was released. See this article for details. The release notes can be found here.

I will test the upgrade from R70.30 to R71 today and get back to you with more feedback.

Tobias Lachmann

Neighbour table overflow

Sunday, January 17th, 2010

Under SecurePlatform you can sometimes see the following message in /var/log/messages:

Jan 15 13:44:08 fw1 kernel: Neighbour table overflow.

This refers to the ARP cache a.k.a. Neighbour table.

If you’re running a gateway with lots of interfaces or big subnets, you might see many nodes over Layer 2, so communication with them fills your ARP table and sometimes overflows it, which can lead to connectivity errors.

The ARP cache table has a maximum size, which can be displayed with cat /proc/sys/net/ipv4/neigh/default/gc_thresh3.
You can verify the actual number of ARP entries either with arp -an | wc -l or with ip neighbor show | wc -l. Proxy ARP entries are only displayed when using the arp command.

The entries in the ARP cache are verified periodically and automatically. At a specified interval a garbage collector runs and removes entries that are no longer used. The interval can be checked with cat /proc/sys/net/ipv4/neigh/default/gc_interval; by default it’s 30 seconds.

The garbage collector is controlled by three variables:

  • gc_thresh1, the minimum number of entries in the ARP cache. If the actual number of entries is below this value, the garbage collector will not run.
  • gc_thresh2, the soft maximum number of entries. If the actual number of entries is above this value for more than 5 seconds, the garbage collector will run.
  • gc_thresh3, the hard maximum number of entries. If the actual number of entries is above this value, the garbage collector will run immediately.

gc_thresh3 is also the maximum number of ARP entries that can be kept in the table.

The default values are quite low, so you might want to increase them.

You can do this on the fly with the following CLI commands:

sysctl -w net.ipv4.neigh.default.gc_thresh3=4096
sysctl -w net.ipv4.neigh.default.gc_thresh2=2048
sysctl -w net.ipv4.neigh.default.gc_thresh1=1024

This does not survive a reboot.

To survive a reboot, add these lines to the /etc/sysctl.conf file:

net.ipv4.neigh.default.gc_thresh3 = 4096
net.ipv4.neigh.default.gc_thresh2 = 2048
net.ipv4.neigh.default.gc_thresh1 = 1024

Afterwards run the command sysctl -p for the changes to take effect and then reboot.
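As an added example (not from the blog), here is a small check that compares the current size of the neighbour table with the gc_thresh values, so the overflow can be anticipated from a cron job or a monitoring probe instead of being found in /var/log/messages afterwards. NEIGH_DIR defaults to the kernel’s sysctl directory; the demo and the test point it at a constructed copy. The warning levels (above gc_thresh2, and 90% of gc_thresh3) are assumptions; 128/512/1024 are the kernel defaults.

```shell
#!/bin/bash
# Added example: warn before the neighbour (ARP) table overflows.
# The sysctl directory is parameterised so the logic can run on a
# constructed copy.

NEIGH_DIR=${NEIGH_DIR:-/proc/sys/net/ipv4/neigh/default}

# neigh_count: current number of IPv4 neighbour entries. "ip neighbor show"
# does not list proxy ARP entries, which is fine here; arp -an is the
# fallback when ip is not installed.
neigh_count() {
    if command -v ip >/dev/null 2>&1; then
        ip neighbor show | grep -c ''
    else
        arp -an | grep -c ''
    fi
}

# neigh_status COUNT [DIR]: print OK, WARN or CRIT with the thresholds and
# return 0, 1 or 2. WARN above gc_thresh2 (the soft limit), CRIT at or above
# 90% of gc_thresh3 (the hard limit, which is also the table size).
neigh_status() {
    count=$1
    dir=${2:-$NEIGH_DIR}
    t1=$(cat "$dir/gc_thresh1"); t2=$(cat "$dir/gc_thresh2"); t3=$(cat "$dir/gc_thresh3")
    crit=$(( t3 * 9 / 10 ))
    if [ "$count" -ge "$crit" ]; then
        echo "CRIT $count entries, hard limit gc_thresh3=$t3: raise the thresholds"
        return 2
    elif [ "$count" -ge "$t2" ]; then
        echo "WARN $count entries above soft limit gc_thresh2=$t2 (gc_thresh3=$t3)"
        return 1
    fi
    echo "OK $count entries (gc_thresh1=$t1 gc_thresh2=$t2 gc_thresh3=$t3)"
    return 0
}

# Demo on a constructed copy of the sysctl directory holding the kernel
# defaults (128/512/1024). On a gateway: neigh_status "$(neigh_count)"
DEMO_DIR=$(mktemp -d)
echo 128 > "$DEMO_DIR/gc_thresh1"; echo 512 > "$DEMO_DIR/gc_thresh2"; echo 1024 > "$DEMO_DIR/gc_thresh3"
neigh_status 300 "$DEMO_DIR"
neigh_status 600 "$DEMO_DIR" || true
neigh_status 950 "$DEMO_DIR" || true
rm -rf "$DEMO_DIR"
```

The return code makes the function usable directly as a Nagios-style check; after raising the thresholds with the sysctl values above, the same call should report OK again.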

Tobias Lachmann

Backup error in R70.20 SPLAT

Friday, January 15th, 2010

Yesterday we did an in-place upgrade of a SPLAT box from NGX R65 to R70.20. Since then, the scheduled backup was broken. When I tried to edit the settings through the WebUI, I got the message GENERAL ERROR.

Fix for this was to disable the scheduled backup on the command line with backup -e off.
Then I was able to edit all the settings through the WebUI again and backup is working now.

This seems to be an error in R70.20, because we had another customer with this error who upgraded from R70.1 to R70.20, and it was working with R70.1.

Tobias Lachmann

Enlarging UTM-1 partitions

Friday, January 1st, 2010

Some users may experience problems with full partitions on Check Point UTM-1 appliances, most likely with the partition holding the log files, as this partition is small, especially on the first appliance series.

When you install SecurePlatform, all partitions have fixed sizes except for /var, which gets the remaining free space after the other partitions are created. Because logs are stored in /var/opt/CPsuite-R70/fw1/log, there’s rarely trouble with disk space.

UTM-1 appliances work differently, as they use the Logical Volume Manager (LVM) to handle the partitions. LVM assigns the hard disk space to the partitions and allows them to be resized.

However, the filesystem is untouched when you resize a partition. So following sk33179 doesn’t give you additional space for your logs.

To achieve this goal you first have to resize the partitions:

  1. View the name of the log partition with lvdisplay, most likely, this name is /dev/vg_splat/lv_log.
  2. Then resize with
    lvresize -L 30GB /dev/vg_splat/lv_log.
    In this example the partition is resized to 30GB.

Reboot the appliance with serial console attached. Access the boot menu by pressing a key when prompted and boot into maintenance mode.

Then execute these commands:

umount /dev/mapper/vg_splat-lv_log
e2fsck -f /dev/mapper/vg_splat-lv_log
resize2fs /dev/mapper/vg_splat-lv_log

This modifies the filesystem and brings it to the new partition size.
Reboot the appliance afterwards and verify with the df -h command that you accomplished the resizing of partition and filesystem correctly.
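As an added example (not from the blog), the following helper wraps the lvresize / e2fsck / resize2fs sequence from this post, the online variant from the June 24th post, the live-system variant from the June 18th post, and the journal-size check from the August 30th post. It refuses to shrink, takes the online path only on a 2.6 or newer kernel while the filesystem is mounted, runs e2fsck -f only on an unmounted filesystem, and warns when the ext3 journal is smaller than JOURNAL_MIN_MB (128M, the size the recreated journal had in that post; the threshold is an assumption). Removing a journal with tune2fs -O ^has_journal only works while the filesystem is unmounted or mounted read-only, so the warning is printed rather than acted on. Device names and the decision inputs in the demo are constructed.

```shell
#!/bin/bash
# Added example: guarded grow of an LVM logical volume and its ext3
# filesystem on a UTM-1 appliance. Set DRY_RUN=1 to only print the commands.

JOURNAL_MIN_MB=${JOURNAL_MIN_MB:-128}

# journal_size_mb: extract the journal size in MB from dumpe2fs output on
# stdin (the line looks like "Journal size:             32M").
journal_size_mb() {
    awk -F: '/^Journal size:/ { v = $2; gsub(/[^0-9]/, "", v); print v }'
}

# is_mounted DEV [MOUNTS_FILE]: succeed when DEV or its /dev/mapper/vg-lv
# alias appears in the mounts table (default /proc/mounts). Note: LVM
# doubles hyphens in VG/LV names inside mapper names; vg_splat has none.
is_mounted() {
    dev=$1
    mounts=${2:-/proc/mounts}
    alias=$(printf '%s' "$dev" | sed 's#^/dev/\([^/]*\)/\(.*\)$#/dev/mapper/\1-\2#')
    awk -v a="$dev" -v b="$alias" '$1 == a || $1 == b { found = 1 } END { exit found ? 0 : 1 }' "$mounts"
}

# plan_resize CUR_GB NEW_GB MOUNTED(yes|no) KERNEL(e.g. 2.4, 2.6): print the
# path to take. A mounted ext3 filesystem can only be grown on 2.6+ (R7x);
# on the 2.4 kernel (R65) it has to be unmounted, which for / means booting
# a live system. Shrinking is never done here.
plan_resize() {
    cur=$1; new=$2; mounted=$3; kernel=$4
    if [ "$new" -le "$cur" ]; then
        echo "refuse: ${cur}G -> ${new}G is not a grow"
        return 1
    fi
    if [ "$mounted" = yes ]; then
        case $kernel in
            2.4*) echo "refuse: mounted on kernel $kernel; unmount or boot a live system first"; return 1 ;;
            *) echo online ;;
        esac
    else
        echo offline
    fi
}

# run CMD...: echo the command, execute it unless DRY_RUN is set.
run() { echo "+ $*"; [ -n "${DRY_RUN:-}" ] || "$@"; }

# grow_lv_and_fs LV NEW_GB: lvresize, then resize2fs directly (online) or
# e2fsck -f followed by resize2fs (offline).
grow_lv_and_fs() {
    lv=$1; new_gb=$2
    cur_gb=$(lvs --noheadings --units g --nosuffix -o lv_size "$lv" | awk '{ print int($1) }')
    if is_mounted "$lv"; then mounted=yes; else mounted=no; fi
    kernel=$(uname -r | cut -d. -f1,2)
    plan=$(plan_resize "$cur_gb" "$new_gb" "$mounted" "$kernel") || { echo "$plan" >&2; return 1; }
    jsize=$(dumpe2fs -h "$lv" 2>/dev/null | journal_size_mb)
    if [ -n "$jsize" ] && [ "$jsize" -lt "$JOURNAL_MIN_MB" ]; then
        echo "warning: journal is only ${jsize}M; resize2fs may fail until it is recreated (tune2fs -O ^has_journal, then tune2fs -j, unmounted)" >&2
    fi
    run lvresize -L "${new_gb}G" "$lv"
    if [ "$plan" = offline ]; then run e2fsck -f "$lv"; fi
    run resize2fs "$lv"
}

# Decision-logic demo (no devices touched). Real use, after a backup:
#   DRY_RUN=1 grow_lv_and_fs /dev/vg_splat/lv_log 25
plan_resize 5 11 no 2.4    # offline: R65 box, filesystem unmounted from the live system
plan_resize 5 12 yes 2.6   # online: R7x box, filesystem stays mounted
```

The offline path is exactly the umount / e2fsck -f / resize2fs sequence above; the script only adds the checks you would otherwise do by hand before typing lvresize on a production gateway.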

Tobias Lachmann

Great R70 Performance Optimization Guide

Friday, January 1st, 2010

Check Point has a great Performance Optimization Guide that describes the technology of SecureXL, CoreXL and ClusterXL. It also gives good explanations and hints on how to improve performance. Highly recommended for reading.

Tobias Lachmann

“It’s Christmas, Theo. It’s the time of miracles, so be of good cheer…” – Hans Gruber in Die Hard

Wednesday, December 23rd, 2009

Since Christmas is the time for kids making their wishlists, I will also give it a try and make my personal wishlist to Check Point. And as Christmas is also the time for miracles, maybe some of my wishes will come true in the next year…. we’ll see.

SecurePlatform
Image Management / Snapshots
Well, we have Gaia coming sooner or later. What I really would like to see in there is the Image Management of the UTM-1 appliances. It is easier to handle than snapshots for most tasks. A really great evolution would be a combination of both: being able to create and store images locally, as well as taking snapshots/images and storing them over the network using SSH.
This could make data recovery even easier.
Why not add a dialog during SPLAT installation, where you can choose to use Image Management with LVM or stay with the old partitioning. If Image Management is chosen, you should decide for yourself, how the space should be divided between /var and the image partition.

Time and Date settings
Why can I set NTP parameters together with the GMT in the WebUI, but need to go to the CLI to set time zone?
This should also appear in the WebUI.

Administrator Accounts
I’d like to choose on creation which shell the accounts should use (bash or cpshell) and what the idle timeout of a session should be. Also the ability to scp something to the box using this account should be an option to enable here.

SNMP
The SNMP settings should be configured using the WebUI. Also I’d like to have a download link to the current MIB on the box.

SmartConsole
Adding objects
The new icon with the “+” sign on each cell is very helpful for quick-adding of objects. I’d like to have the opportunity to add a new object there, too.

Window resizing
Some dialog boxes can’t be resized. Normally these fixed size dialog boxes have too much content and you must use scroll bars to see the content. Examples: Global Properties, Firewall object page, network object page. All windows should be resizable.

Gateway Topology
I have to maintain a gateway cluster with more than 150 interfaces. Whenever I need to make a change to the interface configuration, I have to scroll through the entire list to find the right entry, since the list is unsorted. Not funny.
I’d like to have the ability to sort the list by clicking on the column header.

Troubleshooting
InfoView
We really need a more up-to-date and stable version of InfoView. Normally I need to try 2-3 times before I can open a cpinfo file because the tool crashes. As far as I know it’s not maintained any longer, but all support partners really need this!

Endpoint Security
SecureClient / Endpoint Connect
Endpoint Connect should be the successor of SecureClient, but it isn’t really. EC lacks the personal firewall feature. For most SME customers the old SecureClient Desktop Policy feature was all they needed. Check Point should understand that Endpoint Security is not the answer to all demands.

Licensing
Check Point does not offer a maintained, up-to-date VPN client free of charge. For using Endpoint Connect, an Endpoint Security Secure Access license is necessary if you want to use Office Mode.
Like Cisco, also Check Point should give away a full blown VPN-Client for free!

OS support
Parts of Endpoint Security run on Windows 7? Congratulations. But why do we still have to struggle with VPN clients for MacOS or Linux? Why do we have to use a current OS like Snow Leopard with a very, very old VPN client like SecureClient?
I think that before integrating new features into Endpoint Security and all other products that have to be installed on clients, you should make sure that you have support for all common OSes: Windows XP, Vista and 7 as well as MacOS 10.4, 10.5 and 10.6. Also a client for Linux (Debian, RedHat/CentOS, Ubuntu) should be available.

Version numbering
I nearly lost it with the Endpoint Security version numbers, since they no longer correspond to the other products. Keep the version numbering simpler.

That’s it for now, but for sure I will extend my wish list in the next days… so many things CP needs to take care of.

Happy XMAS, everybody.

Tobias Lachmann

Check Point R70.20 is now available

Sunday, December 20th, 2009

The release R70.20 is now available. I checked the documentation and found that it contains many important fixes as well as new features. In particular it takes care of the new multi-core licensing scheme that has been introduced by Check Point.

Check out the What’s new page, the Release Notes, the Known Limitations and the Resolved Issues.

R70.20 is like the HFA60 for NGX R65 from the bugfixing side plus some added features.
Highly recommended for installation.

Tobias Lachmann

Project Gaia – the new Check Point OS

Friday, December 4th, 2009

Check Point will come up with a new OS platform that will succeed Secure Platform (SPLAT) and IPSO.

Judging by the features shown on the project page, it will be based on Linux / SPLAT, and many features of the Nokia Voyager will be transferred to the WebUI.
I heard some rumours from Check Point that confirm this guess.

At the moment there’s no code available for customers or partners, but I’ll keep you posted as things develop over the next months.

Tobias Lachmann

NGX R65 HFA60 available

Wednesday, December 2nd, 2009

The latest Hotfix Accumulator, HFA60 for NGX R65, is available.
At the moment only for Check Point partners, but the public release will follow shortly.
The release notes show a huge number of fixed issues, including some content scanning problems I’ve seen before in the wild.
So the installation of HFA60 is highly recommended!

Tobias Lachmann

Unstable SPLAT system after upgrading to R70

Monday, November 23rd, 2009

Check Point released an important new article in SecureKnowledge, sk43247.

This article states that in SPLAT there’s a recursive soft link (/opt/CPsuite-R65/fw1/PA/conf/PA/PA) after installing two of the following HFAs to the machine: HFA30, HFA40 or HFA50.

When upgrading to R70, this soft link causes an error that leaves the software unstable.
The solution is to delete the link before upgrading to R70 (rm -f /opt/CPsuite-R65/fw1/PA/conf/PA/PA).

Please keep that in mind when you plan to upgrade to R70.
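As an added example (not from the blog or from sk43247), here is a pre-upgrade check that finds soft links pointing back at their own directory or at one of its parents, which is the shape of the /opt/CPsuite-R65/fw1/PA/conf/PA/PA link: any path walked through such a link resolves forever. The directory tree in the demo is constructed to mimic that layout; which directory you scan on a real box is up to you.

```shell
#!/bin/bash
# Added example: detect recursive soft links before an upgrade. The demo
# tree is constructed; nothing outside the temporary directory is touched.

# recursive_links DIR: print "LINK -> TARGET" for each symlink under DIR
# whose target resolves to the directory containing the link or to one of
# its ancestors. Links to files or to unrelated directories are ignored.
recursive_links() {
    root=$1
    find "$root" -type l | while read -r link; do
        parent=$(cd "$(dirname "$link")" 2>/dev/null && pwd -P) || continue
        target=$(cd "$(dirname "$link")" 2>/dev/null && cd -P "$(readlink "$link")" 2>/dev/null && pwd -P) || continue
        case "$parent/" in
            "$target"/*) echo "$link -> $target" ;;
        esac
    done
}

# Demo: a conf/PA/PA link pointing at its own directory (recursive) and a
# link to a sibling directory (harmless). On a box about to be upgraded:
#   recursive_links /opt/CPsuite-R65/fw1/PA/conf
DEMO=$(mktemp -d)
mkdir -p "$DEMO/PA/conf/PA" "$DEMO/PA/conf/other"
ln -s . "$DEMO/PA/conf/PA/PA"
ln -s ../other "$DEMO/PA/conf/PA/other"
recursive_links "$DEMO"
rm -rf "$DEMO"
```

The check only reports; removing a reported link is the rm -f from the SK, to be done after confirming it is the one you expect.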

Tobias Lachmann

Idle Timeouts in SPLAT

Friday, November 6th, 2009

Ever wondered how to get a longer timeout when working on the SPLAT CLI?

If you use cpshell as the login shell, the command is

idle 999

When you are in expert mode or have changed the login shell to bash, the command is

unset TMOUT

The first command sets the timeout to 999 seconds, the second one disables the timeout.

Tobias Lachmann

Some stuff posted in MCS customer mag

Friday, October 23rd, 2009

My employer MCS Moorbek Computer Systeme GmbH publishes a customer magazine on a regular basis.

I had some articles about Check Point topics in this magazine, written in German:

Really basic stuff, actually, but worth noticing.

If you’re into Solaris or MySQL, check out the “Admin Tipps & Tricks” in the other issues of the magazine. Usually they’re located on the last pages. Use the link above to access current and older magazines.

Tobias Lachmann

Presentations from Check Point User Group Conference (CPUGCON) 2009

Wednesday, October 21st, 2009

I think I’ll get started with this blog by posting links to the presentations I gave at the Check Point User Group Conference in Chur, Switzerland.

The first presentation is purely for beginners:  Troubleshooting in the Check Point environment, Part I

The second one, which was more liked by the crowd at CPUGCON, is really advanced troubleshooting: Troubleshooting in the Check Point environment, Part II

I benefited from my daily work at a Check Point Collaborative Support Provider (CCSP) for these two presentations, as they reflect the things I’m constantly facing.

From the project side, I did lots of migrations from distributed Check Point installations to Check Point UTM-1 Full Cluster. This means that the firewall / VPN part is working in an active/standby cluster and we also have Management High Availability with the two SmartCenters. This is described in the presentation: Migration from a Distributed Environment to a UTM-1 Cluster

Best regards

Tobias Lachmann