Troubleshooting and Managing VSX Gateway with CLI

Display the general VSX status

#fw vsx stat
#vsx stat

# fw vsx stat
VSX Gateway Status
==================
Name:            vsx_1
Security Policy: Test_1_VSX
Installed at:     30oct2016  9:44:50
SIC Status:      Trust
Number of Virtual Systems allowed by license:         100
Virtual Systems [active / configured]:                  1 / 1
Virtual Routers and Switches [active / configured]:     2 / 2
Total connections [current / limit]:                    3 / 32000

Display more details about the VSX status (Virtual Switch, Virtual Router, Virtual System, Secure Internal Communication (SIC), licenses and policy names)

#fw vsx stat -v
#vsx stat -v

# fw vsx stat -v

VSX Gateway Status
==================
Name: vsx_1
Security Policy: vsx_1
Installed at: 3Oct2016 9:44:50
SIC Status: Trust

Number of Virtual Systems allowed by license: 100
Virtual Systems [active / configured]: 1 / 1
Virtual Routers and Switches [active / configured]: 2 / 2
Total connections [current / limit]: 3 / 32000

Virtual Devices Status
======================
ID | Type & Name | Security Policy | Installed at | SIC Stat
-----+-------------------------+-------------------+-----------------+---------
 2 | W vsw | <Not Applicable> | | Trust
 3 | W vsw | <Not Applicable> | | Trust
 4 | S vs | Standard | 3Oct2016 10:03 | Trust

Type: S - Virtual System, B - Virtual System in Bridge mode,
 R - Virtual Router, W - Virtual Switch.


Display the virtual device <vsid> status

#fw vsx stat -vs <vsid>
#fw vsx stat <vsid>

fw vsx stat -vs 2

VSID: 4
VRID: 4
Type: Virtual System
Name: vs
Security Policy: Standard
Installed at: 3Oct2016 10:10:59
SIC Status: Trust
Connections number: 0
Connections peak: 0
Connections limit: 15000

 

Display all Virtual System, Virtual Router (VR) and Virtual Switch (VSW) details

#vsx stat -l

vsx stat -l

VSID: 0
VRID: 0
Type: VSX Gateway
Name: vsx_1
Security Policy: vsx_1
Installed at: 3Oct2016 9:36:50
SIC Status: Trust
Connections number: 3
Connections peak: 7
Connections limit: 15000

VSID: 2
VRID: 2
Type: Virtual Switch
Name: vsw
Security Policy: <Not Applicable>
Installed at:
SIC Status: Trust
Connections number: 0
Connections peak: 0
Connections limit: 1000
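
The per-device records printed by vsx stat -l can be checked automatically for lost SIC trust, a missing policy, or a connection table close to its limit. The script below is an added example, not part of the original post; the function names, the 80% default threshold and the sample input are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: audit `vsx stat -l` text read from stdin.
# Field names are those in the output above; the 80% default is an assumption.
vsx_audit() {
    awk -v pct="${1:-80}" '
    function flush(   id, cur, lim) {
        if ("VSID" in f) {
            id  = "VSID " f["VSID"] " (" f["Name"] ")"
            cur = f["Connections number"] + 0
            lim = f["Connections limit"] + 0
            if (f["SIC Status"] != "Trust")
                print id ": SIC status is not Trust"
            # Devices listed with <Not Applicable> carry no policy: skip them.
            if (f["Security Policy"] != "<Not Applicable>" && f["Installed at"] == "")
                print id ": no security policy installed"
            if (lim > 0 && cur * 100 >= lim * pct)
                print id ": connections " cur "/" lim " (>= " pct "%)"
        }
        split("", f)                  # clear the record (portable)
    }
    /^[ \t\r]*$/ { flush(); next }    # a blank line ends a record
    {
        i = index($0, ":")            # split at the first colon only
        if (i == 0) next
        key = substr($0, 1, i - 1); val = substr($0, i + 1)
        gsub(/^[ \t]+|[ \t\r]+$/, "", key)
        gsub(/^[ \t]+|[ \t\r]+$/, "", val)
        f[key] = val
    }
    END { flush() }'
}

# Constructed sample (not real gateway output); PLACEHOLDER stands for
# whatever non-Trust value the gateway reports.
sample_vsx_stat() {
    printf '%s\n' 'VSID: 2' 'Type: Virtual Switch' 'Name: vsw' \
        'Security Policy: <Not Applicable>' 'Installed at:' \
        'SIC Status: Trust' 'Connections number: 0' \
        'Connections limit: 1000' '' \
        'VSID: 4' 'Type: Virtual System' 'Name: vs' \
        'Security Policy:' 'Installed at:' 'SIC Status: PLACEHOLDER' \
        'Connections number: 14000' 'Connections limit: 15000'
}

sample_vsx_stat | vsx_audit 80
```

On a gateway the same function would be fed with: vsx stat -l | vsx_audit 90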

Verify the current context to which you are connected

#fw vsx get
#vsx get

To set environment to a specific context

fw vsx set <vsid>
vsx set <vsid>

Display the Virtual System (VS) security policy status.

fw -vs <vsid> stat
fw stat -vs <vsid>

# fw stat -vs 2
HOST POLICY DATE
localhost Standard 3Oct2016 20:11:59

Get FW-1 tables for a specific VS

#fw -vs <vsid> tab
#fw tab -vs <vsid>

# fw -vs 2 tab -t connections -s
HOST NAME ID #VALS #PEAK #SLINKS
localhost connections 9197 0 0 0

Unload the security policy of all VSs

#fw vsx unloadall

# fw vsx unloadall
This will uninstall security policy from all the Virtual Devices.
Are you sure you wish to proceed? (y|n) [y] y
Uninstalling Security Policy from all.all@vs1 (VSID 1)
Uninstalling Security Policy from all.all@vs2 (VSID 2)
Uninstalling Security Policy from all.all@vs3 (VSID 3)
Uninstalling Security Policy from all.all@vsx

Unload the security policy of a specific VS

#fw -vs <vsid> unloadlocal
#fw unloadlocal -vs <vsid>

# fw unloadlocal -vs 4
Uninstalling Security Policy from all.all@vs (VSID 2)
Done.

Fetch Virtual System configurations and policies from localhost for all VS (from VSX Cluster member)

#fw vsx fetch local

# fw vsx fetch local
Fetching Virtual Systems configuration file (local.vsall)

Installing Security Policy InitialPolicy on all.all@vs (VSID 2)
 Successfully compiled file types magic file.
 Fetching Security Policy Succeeded
SecureXL device has been enabled for vsid 1
Installing Security Policy InitialPolicy on all.all@vs3 (VSID 3)
 Successfully compiled file types magic file.
 Fetching Security Policy Succeeded
SecureXL device has been enabled for vsid 2
Installing Security Policy Standard on all.all@vs4 (VSID 4)
 Successfully compiled file types magic file.
 Fetching Security Policy Succeeded
SecureXL device has been enabled for vsid 4

Fetch VS configurations and policies from Provider-1 Management for all VSs

#fw vsx fetch <management or main cma>

fw vsx fetch 192.10.190.1

Fetching VSX Configuration From: 192.10.190.1
 Local VSX Configuration is Up-To-Date.
 Cleaning un-used Virtual Systems entries (local.vskeep).
 Purge operation succeeded.
 Fetching Virtual Systems configuration file (local.vsall).
SecureXL device has been enabled for vsid 2
SecureXL device has been enabled for vsid 3
SecureXL device has been enabled for vsid 4
Virtual Systems configuration file installed successfully

Fetch the security policy from localhost for a specific VS

fw -vs <vsid> fetchlocal -d $FWDIR/CTX/CTXxxxxx/state/local/FW1
fw fetchlocal -vs <vsid> -d $FWDIR/CTX/CTXxxxxx/state/local/FW1

Note: xxxxx represents the VSID number of the context (CTX).

# fw -vs 4 fetchlocal -d $FWDIR/CTX/CTX00002/state/local/FW1/

Installing Security Policy Standard on all.all@vs-test (VSID 2)
Successfully compiled file types magic file.
Fetching Security Policy Succeeded

Fetch security policy from management for specific VS

fw -vs <vsid> fetch <CMA_master>
fw fetch -vs <vsid> <CMA_master>

# fw -vs 4 fetch 192.10.100.1

Fetching Security Policy From: 192.10.100.1
 Local Policy is Up-To-Date.
 Reinstalling Local Policy.
Installing Security Policy Standard on all.all@vs (VSID 2)
 Successfully compiled file types magic file.
 Fetching Security Policy Succeeded

CPinfo for specific VS

cpinfo -x <vsid> -o <output file>

How to add Sophos XG image on unetlab

The Sophos XG image works properly on UNetLab. Before using it, you need to create a custom Sophos template based on the Check Point template. I will show you how to do that quickly; just follow these steps.

Add a custom Sophos XG node definition to the initialization file /opt/unetlab/html/includes/init.php.

 vi /opt/unetlab/html/includes/init.php    
if (!isset($node_templates)) {
        $node_templates = Array(
           'a10'                 =>      'A10 vThunder',
           'clearpass'           =>      'Aruba ClearPass',
           'timos'               =>      'Alcatel 7750 SR',
           'veos'                =>      'Arista vEOS',
           'brocadevadx'         =>      'Brocade vADX',
           'cpsg'                =>      'CheckPoint Security Gateway VE',
           'sophos'              =>      'sophos XG Firewall',

             

Create a new Sophos node template based on the existing Check Point node template

$ cp /opt/unetlab/html/templates/cpsg.php /opt/unetlab/html/templates/sophos.php
  • Edit the template file, replacing all occurrences of ‘cpsg’ and ‘CP’ with ‘sophos’
$ sed -i 's/cpsg/sophos/g' /opt/unetlab/html/templates/sophos.php
$ sed -i 's/CP/sophos/g' /opt/unetlab/html/templates/sophos.php

Create a new directory for Sophos VM

mkdir -p /opt/unetlab/addons/qemu/sophos-1
  • Convert the image from VMDK to QEMU qcow2 format
# /opt/qemu/bin/qemu-img convert -f vmdk -O qcow2 sf_virtual-disk1.vmdk hda.qcow2
# mv hda.qcow2 /opt/unetlab/addons/qemu/sophos-1
# /opt/unetlab/wrappers/unl_wrapper -a fixpermissions

SPLAT and Gaia Useful Tips

I- Changing the default shell of SPLAT

a- To enter Expert mode automatically on each login, perform the following steps:

1- Enter Expert mode.

Run the chsh -s /bin/tcsh admin command (to work in tcsh).
Run the chsh -s /bin/bash admin command (to work in bash).

2- To revert back to the default login shell:

Run the chsh -s /bin/cpshell admin command.

II- Changing the idle timeouts in SPLAT

1- Set the timeout to 999 seconds when you are connected with cpshell:

idle 999

2- Disable the timeout in Expert mode:

unset TMOUT

III-  Mount USB stick on appliance or SPLAT

Just connect the device to a USB port of your choice.

  1. Load the appropriate kernel module for handling the USB device

modprobe usb-storage

  2. Check which new device was bound, for example /dev/sda1

fdisk -l

  3. Create a mount point

mkdir /mnt/usbdisk

  4. Mount USB device

mount /dev/sdb1 /mnt/usbdisk

  5. Use the device to transfer data as you like

  6. Unmount USB device

umount /mnt/usbdisk

IV- Determine which appliance you’re connected to with a simple command

Run this command in Expert mode:

[Expert@fw1]# dmidecode | grep "Product Name"
Product Name: T-140-00
Product Name:

 

Rebuilding a Check Point SmartCenter from a CPinfo

There is a simple method for reproducing customer X's Check Point SmartCenter from its CPinfo.

CPInfo is an auto-updatable utility that collects diagnostics data on a customer’s machine at the time of execution and uploads it to Check Point servers (it replaces the “cp_uploader” utility for uploading files to Check Point servers). For more information.

Step 1: Open the CPinfo with the InfoView utility. If you do not have it, use sk52780.

Step 2: Extract the following files from this CPinfo:

$FWDIR/conf/objects_5_0.C (objects database)
$FWDIR/conf/rulebases_5_0.fws (firewall rules)
$FWDIR/conf/fwauth.NDB (Check Point user database)

– $FWDIR/database : you can see all of the relevant policy files for the Security Gateway.
– objects_5_0.C :Full database objects file.
– fwauth.NDB :  All users the administrator defined on the SmartDashboard.
– rulebases_5_0.fws :  Contains the rulebases information(with all the information defined in the rulebases)

Step 3: Install a Check Point VM (same version, same hostname and same management IP).

Step 4: Run the First Install Wizard, and do not forget to choose the SmartCenter and Primary Management Server option.

Step 5: Reboot the VM and stop all Check Point services with cpstop.

#cpstop

PS: Do not run this command in production.

Step 6: Back up the files CPMILinksMgr.db, CPMILinksMgr.db.private, applications.C and applications.C.backup before deleting them.

#mv CPMILinksMgr.db.private CPMILinksMgr.db.private.save
– Back up 1 :  $FWDIR/conf/CPMILinksMgr.db
– Backup 2 : $FWDIR/conf/CPMILinksMgr.db.private
– Back up 1:  $FWDIR/conf/applications.C
– Backup 2 : $FWDIR/conf/applications.C.backup

Example
# expert
#mv CPMILinksMgr.db CPMILinksMgr.db.save

Step 7: Delete the files CPMILinksMgr.db, CPMILinksMgr.db.private, applications.C and applications.C.backup.

Delete $FWDIR/conf/CPMILinksMgr.db and $FWDIR/conf/CPMILinksMgr.db.private
Delete $FWDIR/conf/applications.C and $FWDIR/conf/applications.C.backup

Example: # rm -rf CPMILinksMgr.db CPMILinksMgr.db.private applications.C  applications.C.backup

Step 8: Restart the Check Point services and test the connection to the SmartCenter with SmartDashboard.

Step 9: Test modifying and creating objects, as well as compiling rules on a gateway.

Thanks 🙂
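
The backup and delete steps (Step 6 and Step 7) can be combined so that nothing is deleted unless every backup copy has been verified. This is an added example, not part of the original post; the function name and the default backup directory name are assumptions, and it is meant to be run in Expert mode after cpstop.

```shell
#!/bin/sh
# Added example: back up, verify, then delete the four files named above.
# Run in Expert mode after cpstop. The default backup directory name is an
# assumption; pass other paths as arguments.
reset_cpmi_files() {
    conf_dir=${1:-"$FWDIR/conf"}
    backup_dir=${2:-"$conf_dir/cpmi_backup"}
    files="CPMILinksMgr.db CPMILinksMgr.db.private applications.C applications.C.backup"

    [ -d "$conf_dir" ] || { echo "no such directory: $conf_dir" >&2; return 1; }
    mkdir -p "$backup_dir" || return 1

    # Pass 1: copy each existing file and confirm the copy is byte-identical.
    for f in $files; do
        [ -e "$conf_dir/$f" ] || continue
        cp -p "$conf_dir/$f" "$backup_dir/$f" || return 1
        cmp -s "$conf_dir/$f" "$backup_dir/$f" || {
            echo "backup of $f does not match, nothing deleted" >&2
            return 1
        }
    done

    # Pass 2: delete only after every backup has been verified.
    for f in $files; do
        rm -f "$conf_dir/$f" || return 1
    done
    echo "backups in $backup_dir"
}
```

Called without arguments it works on $FWDIR/conf; a non-zero return means the originals were left in place.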