It's April, but I have only just discovered the new features of the Check Point Edge firewall. In my opinion it is the worst firewall I have ever seen regarding granularity in management or in troubleshooting, but it works fine, as expected, it is small and nice, and it can be integrated under the same management systems as the other, bigger Check Point firewalls.
It is now possible (in 2012) to test internet connectivity from the CLI! :-)
00-22-ad-44-00-de >help
subcommands:
-----------------------------------------
help          This help
authenticate  Authenticate a user
set           Configure a variable's settings
show          Show configuration variable
clear         Clear a table
delete        Delete an item from a table
export        Export configuration
add           Add an item to a table
swap          Swap certain table objects
reset         Reset appliance settings
backup        Backup setup to storage device
restore       Restore setup from storage device
updatenow     Update the configuration now
quit          quit
diag          Diagnose network
info          Show device information
Let's try the ping:
00-22-ad-44-00-de >diag
Possible completions: ping, traceroute
00-22-ad-44-00-de >diag ping
Possible completions: dest_ip, size, src_ip, src_interface, allow_broadcast, qos, ttl, hint, deadline
00-22-ad-44-00-de >diag ping src_interface wan dest_ip 3.3.3.1
00-22-ad-44-00-de >PING 3.3.3.1 (3.3.3.1) from 3.3.3.33 eth1: 56(84) bytes of data.
64 bytes from 3.3.3.1: icmp_seq=1 ttl=255 time=8.08 ms
64 bytes from 3.3.3.1: icmp_seq=2 ttl=255 time=7.93 ms
64 bytes from 3.3.3.1: icmp_seq=3 ttl=255 time=8.01 ms
64 bytes from 3.3.3.1: icmp_seq=4 ttl=255 time=7.98 ms
64 bytes from 3.3.3.1: icmp_seq=5 ttl=255 time=7.96 ms
--- 3.3.3.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4036ms
rtt min/avg/max/mdev = 7.938/7.997/8.084/0.094 ms
00-22-ad-44-00-de >
To be able to use it we have to update the libsw files on the management server. Officially, LIBSW is described as follows:
“The LIBSW files hold the definitions for the Implied rules and general functions needed for the UTM-1 Edge Firewall to accept, drop, log and encrypt connections.”
More info here: sk31448
Just for fun I did the upgrade in a Provider-1 environment:
[Expert@myprovider1]# cd /opt/CPmds-R70/customers/mycma01/CPEdgecmp-R70/
[Expert@myprovider1]# ls -lat
total 11080
drwxrwx---  2 root root    20480 Apr 11 10:26 tmp
drwxrwx---  2 root root     4096 Apr 11 10:26 conf
drwxrwx--- 15 root root     4096 Nov  4 14:54 ..
-rw-rw----  1 root root 11265898 Nov  1 04:04 CPEdgecmp-R70.tgz
drwxrwx--- 11 root root     4096 Nov  1 04:03 .
drwxrwx---  2 root root     4096 Jan 25  2011 libsw
drwxrwx---  2 root root     4096 Dec  2  2010 libsw_old
lrwxrwxrwx  1 root root       22 Dec  2  2010 bin -> /opt/CPEdgecmp-R70/bin
drwxrwx---  2 root root     4096 Dec  2  2010 database
drwxrwx---  2 root root     4096 Dec  2  2010 doc
drwxrwx---  3 root root     4096 Dec  2  2010 lib
drwxrwx---  2 root root     4096 Dec  2  2010 log
lrwxrwxrwx  1 root root       26 Dec  2  2010 scripts -> /opt/CPEdgecmp-R70/scripts
drwxrwx---  2 root root     4096 Dec  2  2010 state
[Expert@myprovider1]# cp -r libsw libsw_old2
[Expert@myprovider1]# cd libsw
[Expert@myprovider1]# rm *
[Expert@myprovider1]# ftp 3.3.3.3
Connected to 3.3.3.3 (3.3.3.3).
220 Welcome to Baby FTP Server
Name (3.3.3.3:admin): anonymous
331 User name ok, need password.
Password:
230 User logged in.
Remote system type is UNIX.
ftp> bin
200 Type set to I.
ftp> dir
227 Entering Passive Mode (10,248,100,64,226,46).
150 Opening ASCII mode data connection for directory list.
drwx------ 1 user group      0 Apr 13 16:20 libsw8.2.48
-rwx------ 1 user group 512000 Apr 13 16:19 libsw8248.tar
226 Transfer complete
ftp> get libsw8248.tar
local: libsw8248.tar remote: libsw8248.tar
227 Entering Passive Mode (10,248,100,64,226,47).
150 Opening BINARY mode data connection for file transfer.
226 Transfer complete
512000 bytes received in 0.0252 secs (2e+04 Kbytes/sec)
ftp> exit
220 Goodbye.
[Expert@myprovider1]# tar -tvf libsw8248.tar
drwxr-xr-x rapson/Domain Users     0 2012-01-08 09:26:33 libsw8.2.48/
-r--r--r-- rapson/Domain Users   990 2012-01-08 09:26:22 libsw8.2.48/auth.def
-r--r--r-- rapson/Domain Users 28031 2012-01-08 09:26:22 libsw8.2.48/base.def
-r--r--r-- rapson/Domain Users  8824 2012-01-08 09:26:22 libsw8.2.48/clcrypt.def
-r--r--r-- rapson/Domain Users  9249 2012-01-08 09:26:22 libsw8.2.48/code.def
...
[Expert@myprovider1]# tar -xvf libsw8248.tar
libsw8.2.48/
libsw8.2.48/auth.def
libsw8.2.48/base.def
libsw8.2.48/clcrypt.def
...
[Expert@myprovider1]# cp ./libsw8.2.48/* .
[Expert@myprovider1]# cd libsw8.2.48
[Expert@myprovider1]# rm *
[Expert@myprovider1]# cd ..
[Expert@myprovider1]# rm libsw8248.tar
[Expert@myprovider1]# rmdir libsw8.2.48
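The copy, clear, fetch and extract sequence above as one checked step, written here as an added example (not from the original post or from Check Point): the archive is inspected and the backup taken before the live libsw directory is emptied, assuming the layout seen in the tar listing (one versioned directory holding only .def files). The directory names and file contents in demo are constructed.

```shell
# Added example, not from the original post or from Check Point: the libsw
# replacement shown above as one checked step, with the archive inspected and
# the backup taken before the live directory is emptied. Assumes the page's
# archive layout (one top-level dir, e.g. libsw8.2.48/, holding only *.def).

# update_libsw LIBSW_DIR ARCHIVE -> 0 on success, 1 if the archive is rejected
update_libsw() {
    libsw_dir=$1; archive=$2
    # 1. Inspect before touching anything (the page's tar -tvf step). Every
    #    entry must be "dir/" or "dir/name.def"; absolute or ".." paths fail.
    bad=$(tar -tf "$archive" | grep -Ev '^[^/.][^/]*/([^/]+\.def)?$' || true)
    if [ -n "$bad" ]; then
        printf 'refusing archive, unexpected entries:\n%s\n' "$bad" >&2
        return 1
    fi
    # Exactly one top-level directory, as in libsw8248.tar on the page.
    [ "$(tar -tf "$archive" | cut -d/ -f1 | sort -u | wc -l)" -eq 1 ] || return 1
    topdir=$(tar -tf "$archive" | head -n 1 | cut -d/ -f1)
    # 2. Extract into scratch space, never into libsw itself.
    work=$(mktemp -d) || return 1
    tar -xf "$archive" -C "$work" || { rm -rf "$work"; return 1; }
    # 3. Keep the old definitions (the page's libsw_old copy), timestamped.
    backup="${libsw_dir}_old_$(date +%Y%m%d%H%M%S)"
    cp -r "$libsw_dir" "$backup" || { rm -rf "$work"; return 1; }
    # 4. Only now replace the live .def files.
    rm -f "$libsw_dir"/*
    cp "$work/$topdir"/*.def "$libsw_dir"/
    rm -rf "$work"
    echo "installed $(ls "$libsw_dir" | wc -l) .def files from $topdir, old set in $backup"
}

# Constructed sample tree: a fake libsw dir and two archives, one clean and
# one carrying a stray non-.def file. Returns 0 when the clean archive is
# installed and the stray one is rejected with the live dir left untouched.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/libsw" "$root/libsw8.2.48"
    echo old > "$root/libsw/base.def"
    for f in auth base clcrypt code; do echo new > "$root/libsw8.2.48/$f.def"; done
    ( cd "$root" && tar -cf good.tar libsw8.2.48 )
    echo x > "$root/libsw8.2.48/extra.sh"
    ( cd "$root" && tar -cf bad.tar libsw8.2.48 )
    update_libsw "$root/libsw" "$root/good.tar" || return 1
    [ "$(ls "$root/libsw" | wc -l)" -eq 4 ] || return 1
    [ "$(cat "$root/libsw/base.def")" = new ] || return 1
    update_libsw "$root/libsw" "$root/bad.tar" 2>/dev/null && return 1
    [ "$(ls "$root/libsw" | wc -l)" -eq 4 ] || return 1
    rm -rf "$root"
}
```

Run demo to exercise both paths; in a real Provider-1 CMA the first argument would be the CPEdgecmp-R70/libsw directory shown above.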
And of course we have to verify the libsw update procedure, to check that everything is all right:
1. Install the Security Policy on each relevant VPN-1 Edge profile/object in SmartDashboard.
2. Reconnect the VPN-1 Edge gateway to the SmartCenter.
Update from the CLI is also possible (if the service center is already configured):
00-22-ad-44-00-de >updatenow
[700980] The connection to the service center is not configured
3. Consult the VPN-1 Edge event log for a successful policy download message.
4. Verify that the policy name in the Setup>Tools>Diagnostics page of the VPN-1 Edge gateway is the same as created in SmartDashboard. In addition, make sure the policy’s date is correct.
Posted on April 17, 2012