Edge troubleshooting note

Posted on April 17, 2012

It's April, but I have just realised the new features of the Checkpoint Edge Firewall. In my point of view it is the worst firewall I have ever seen regarding the granularity in management or in troubleshooting, but it works fine, as expected, and it is small and nice and can be integrated under the same management systems as the other, greater Checkpoint firewalls.
It is possible now (in 2012) to test the internet connectivity from the CLI! :-)

00-22-ad-44-00-de >help

subcommands:
-----------------------------------------
help                            This help
authenticate                    Authenticate a user
set                             Configure a variable's settings
show                            Show configuration variable
clear                           Clear a table
delete                          Delete an item from a table
export                          Export configuration
add                             Add an item to a table
swap                            Swap certain table objects
reset                           Reset appliance settings
backup                          Backup setup to storage device
restore                         Restore setup from storage device
updatenow                       Update the configuration now
quit                            quit
diag                            Diagnose network
info                            Show device information

Let's try the ping:

00-22-ad-44-00-de >diag
Possible completions:
ping, traceroute
00-22-ad-44-00-de >diag ping
Possible completions:
dest_ip, size, src_ip, src_interface, allow_broadcast, qos, ttl, hint, deadline
00-22-ad-44-00-de >diag ping src_interface wan dest_ip 3.3.3.1

00-22-ad-44-00-de >PING 3.3.3.1 (3.3.3.1) from 3.3.3.33 eth1: 56(84) bytes of data.
64 bytes from 3.3.3.1: icmp_seq=1 ttl=255 time=8.08 ms
64 bytes from 3.3.3.1: icmp_seq=2 ttl=255 time=7.93 ms
64 bytes from 3.3.3.1: icmp_seq=3 ttl=255 time=8.01 ms
64 bytes from 3.3.3.1: icmp_seq=4 ttl=255 time=7.98 ms
64 bytes from 3.3.3.1: icmp_seq=5 ttl=255 time=7.96 ms

--- 3.3.3.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4036ms
rtt min/avg/max/mdev = 7.938/7.997/8.084/0.094 ms

00-22-ad-44-00-de >

To be able to use it we have to update our libsw files on the management server. Officially, LIBSW is described as follows:
“The LIBSW files hold the definitions for the Implied rules and general functions needed for the UTM-1 Edge Firewall to accept, drop, log and encrypt connections. ”
More info here: sk31448

Just for fun I did an upgrade in a Provider-1 environment:

[Expert@myprovider1]# cd /opt/CPmds-R70/customers/mycma01/CPEdgecmp-R70/
[Expert@myprovider1]# ls -lat
total 11080
drwxrwx---    2 root     root        20480 Apr 11 10:26 tmp
drwxrwx---    2 root     root         4096 Apr 11 10:26 conf
drwxrwx---   15 root     root         4096 Nov  4 14:54 ..
-rw-rw----    1 root     root     11265898 Nov  1 04:04 CPEdgecmp-R70.tgz
drwxrwx---   11 root     root         4096 Nov  1 04:03 .
drwxrwx---    2 root     root         4096 Jan 25  2011 libsw
drwxrwx---    2 root     root         4096 Dec  2  2010 libsw_old
lrwxrwxrwx    1 root     root           22 Dec  2  2010 bin -> /opt/CPEdgecmp-R70/bin
drwxrwx---    2 root     root         4096 Dec  2  2010 database
drwxrwx---    2 root     root         4096 Dec  2  2010 doc
drwxrwx---    3 root     root         4096 Dec  2  2010 lib
drwxrwx---    2 root     root         4096 Dec  2  2010 log
lrwxrwxrwx    1 root     root           26 Dec  2  2010 scripts -> /opt/CPEdgecmp-R70/scripts
drwxrwx---    2 root     root         4096 Dec  2  2010 state
[Expert@myprovider1]# cp -r libsw libsw_old2
[Expert@myprovider1]# cd libsw
[Expert@myprovider1]# rm *
[Expert@myprovider1]# ftp 3.3.3.3
Connected to 3.3.3.3 (3.3.3.3).
220 Welcome to Baby FTP Server
Name (3.3.3.3:admin): anonymous
331 User name ok, need password.
Password:
230 User logged in.
Remote system type is UNIX.
ftp> bin
200 Type set to I.
ftp> dir
227 Entering Passive Mode (10,248,100,64,226,46).
150 Opening ASCII mode data connection for directory list.
drwx------ 1 user group              0 Apr 13 16:20 libsw8.2.48
-rwx------ 1 user group         512000 Apr 13 16:19 libsw8248.tar
226 Transfer complete
ftp> get libsw8248.tar
local: libsw8248.tar remote: libsw8248.tar
227 Entering Passive Mode (10,248,100,64,226,47).
150 Opening BINARY mode data connection for file transfer.
226 Transfer complete
512000 bytes received in 0.0252 secs (2e+04 Kbytes/sec)
ftp> exit
220 Goodbye.
[Expert@myprovider1]# tar -tvf libsw8248.tar
drwxr-xr-x rapson/Domain Users 0 2012-01-08 09:26:33 libsw8.2.48/
-r--r--r-- rapson/Domain Users 990 2012-01-08 09:26:22 libsw8.2.48/auth.def
-r--r--r-- rapson/Domain Users 28031 2012-01-08 09:26:22 libsw8.2.48/base.def
-r--r--r-- rapson/Domain Users  8824 2012-01-08 09:26:22 libsw8.2.48/clcrypt.def
-r--r--r-- rapson/Domain Users  9249 2012-01-08 09:26:22 libsw8.2.48/code.def
...
[Expert@myprovider1]# tar -xvf libsw8248.tar
libsw8.2.48/
libsw8.2.48/auth.def
libsw8.2.48/base.def
libsw8.2.48/clcrypt.def
...
[Expert@myprovider1]# cp ./libsw8.2.48/* .
[Expert@myprovider1]# cd libsw8.2.48
[Expert@myprovider1]# rm *
[Expert@myprovider1]# cd ..
[Expert@myprovider1]# rm libsw8248.tar
[Expert@myprovider1]# rmdir libsw8.2.48
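The manual sequence above (back up libsw, empty it, fetch the tarball, list it, extract, copy the .def files in, clean up) is easy to get wrong when typed by hand, in particular the `rm *` steps, which remove whatever is in the current directory. The following shell function is an added example, not code from the original post or from Check Point: it takes the CPEdgecmp directory and an already downloaded libsw tarball (the path and archive name are assumptions based on the session above), inspects the archive listing before extracting, refuses archives with absolute or `..` paths or with anything other than .def files, keeps a dated backup, extracts into a scratch directory, and only then replaces the live definitions using explicit paths.

```shell
#!/bin/sh
# Added example, not part of the original post. Paths and the archive name
# are assumptions taken from the session shown above.
#
# Usage: update_libsw <CPEdgecmp dir> <libsw tarball>
# e.g.   update_libsw /opt/CPmds-R70/customers/mycma01/CPEdgecmp-R70 libsw8248.tar

update_libsw() {
    cmpdir="$1"
    tarball="$2"
    libsw="$cmpdir/libsw"
    stamp=$(date +%Y%m%d%H%M%S)
    backup="$cmpdir/libsw_old_$stamp"

    [ -d "$libsw" ] || { echo "no libsw dir at $libsw" >&2; return 1; }
    [ -f "$tarball" ] || { echo "archive $tarball not found" >&2; return 1; }

    # 1. Inspect the listing before extracting anything (the tar -tvf step above).
    #    Refuse absolute paths and '..' components, which could write outside the
    #    scratch directory, and accept only .def files besides directory entries.
    listing=$(tar -tf "$tarball") || return 1
    if printf '%s\n' "$listing" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "archive contains unsafe paths" >&2; return 1
    fi
    if printf '%s\n' "$listing" | grep -v '/$' | grep -vq '\.def$'; then
        echo "archive contains non-.def files" >&2; return 1
    fi
    ndef=$(printf '%s\n' "$listing" | grep -c '\.def$')
    [ "$ndef" -gt 0 ] || { echo "archive holds no .def files" >&2; return 1; }

    # 2. Keep a dated copy of the current definitions (cp -r libsw libsw_old2 above).
    cp -r "$libsw" "$backup" || return 1

    # 3. Extract into a scratch directory rather than into libsw itself, so a
    #    failed extraction leaves the live directory untouched.
    work=$(mktemp -d) || return 1
    tar -xf "$tarball" -C "$work" || { rm -rf "$work"; return 1; }

    # 4. Replace the live definitions with the extracted .def files, using
    #    explicit paths instead of 'cd dir; rm *'.
    rm -f "$libsw"/*
    find "$work" -type f -name '*.def' -exec cp {} "$libsw"/ \;
    rm -rf "$work"

    # 5. Report what is installed so the count can be compared with the listing.
    count=$(ls "$libsw" | wc -l | tr -d ' ')
    echo "installed $count .def files into $libsw (backup in $backup)"
    return 0
}
```

After the function returns, the verification steps below (policy install on the Edge objects, reconnect, event log check) still apply; the backup directory can be removed once the new policy has been confirmed on the gateways.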

And of course we have to verify the libsw update procedure, to check that everything is all right:
1. Install the Security Policy on each relevant VPN-1 Edge profile/object in SmartDashboard.
2. Reconnect the VPN-1 Edge gateway to the SmartCenter.

Update from the CLI is possible (if the service center is already configured):

00-22-ad-44-00-de >updatenow
[700980] The connection to the service center is not configured

3. Consult the VPN-1 Edge event log for a successful policy download message.
4. Verify that the policy name in the Setup>Tools>Diagnostics page of the VPN-1 Edge gateway is the same as the one created in SmartDashboard. In addition, make sure the policy's date is correct.

Posted in: Checkpoint, Edge, Security