Expert Mode: CCMA #40 & JNCIE-SEC #166's blog about all things Check Point and Juniper<br />
<br />
<b>Juniper's new Sandbox (SkyATP) - The Good, The Bad, and the Ugly</b> (posted 2016-04-04)<br />
Hi Folks,<br />
<br />
Trying out LinkedIn posting for a change, come check it out:<br />
<br />
<a href="https://www.linkedin.com/pulse/junipers-new-sandbox-skyatp-good-bad-ugly-craig-dods?trk=prof-post">https://www.linkedin.com/pulse/junipers-new-sandbox-skyatp-good-bad-ugly-craig-dods?trk=prof-post</a><br />
<br />
<b>Juniper SRX: High-end SRX Dataplane Packet Capture</b> (posted 2016-02-23)<br />
Firstly, Juniper has a decent guide with important caveats for this technique located <a href="http://kb.juniper.net/InfoCenter/index?page=content&id=KB21563&smlogin=true&actp=search" target="_blank">here</a>. I've just added some additional colour that seems to be oft-requested.<br />
<br />
These techniques are applicable to the following platforms:<br />
<div class="code">
SRX 1400<br />
SRX 3400<br />
SRX 3600<br />
SRX 5400<br />
SRX 5600<br />
SRX 5800</div>
<br />
<br />
For those of us who are required to troubleshoot relatively complex issues on Juniper's high-end security platform, gaining insight into the exact makeup of transit packets is of the utmost importance. Unfortunately for us, Juniper does not make this easy when compared to its peers...<br />
<br />
While the devices themselves support tcpdump, it can only capture traffic to and from the routing-engine and has no visibility into transit traffic. <br />
<br />
The tool that Juniper does provide us with is called datapath-debugging, and it does not produce an output that is readable by tcpdump/Wireshark by default (it requires conversion). <br />
<br />
In our example, I'll be attempting to record packets going to and from a problematic website. It's important to understand that the filters listed below are <b>stateless</b> and do not match in both directions. If you want to see traffic to <b>and</b> from a particular host, you will need to specify two separate packet-filter statements.<br />
<br />
In our case, the problematic website is located at 208.74.207.25. It may be necessary (due to volume) for you to also specify the other end of the connection. It's also important to be aware of NAT in these situations, as it can change the addresses and ports your filters need to match.<br />
<br />
<b>First, specify your capture file information (5 files of 10MB) and the snaplen (feel free to choose your own filenames):</b><br />
<div class="code">
set security datapath-debug capture-file pcap_for_problem<br />
set security datapath-debug capture-file size 10m<br />
set security datapath-debug capture-file files 5<br />
set security datapath-debug maximum-capture-size 1514</div>
<br />
<b>Second, enable the packet-dump action for the ingress and egress NPs (network processors):</b><br />
<div class="code">
set security datapath-debug action-profile capture event np-egress packet-dump<br />
set security datapath-debug action-profile capture event np-ingress packet-dump</div>
<br />
<b>Third, create two stateless filters that match our traffic:</b><br />
<div class="code">
set security datapath-debug packet-filter OUT action-profile capture<br />
set security datapath-debug packet-filter OUT protocol tcp<br />
set security datapath-debug packet-filter OUT destination-port 80<br />
set security datapath-debug packet-filter OUT destination-prefix 208.74.207.25/32<br />
<br />
set security datapath-debug packet-filter IN action-profile capture<br />
set security datapath-debug packet-filter IN protocol tcp<br />
set security datapath-debug packet-filter IN source-port 80<br />
set security datapath-debug packet-filter IN source-prefix 208.74.207.25/32</div>
<br />
<br />
<b>Fourth, commit your changes:</b><br />
<div class="code">
commit</div>
<br />
<br />
<b>Finally, when ready, enable the packet capture in operational mode and replicate the problem:</b><br />
<div class="code">
request security datapath-debug capture start</div>
<br />
<br />
<b>When complete, disable the packet capture with:</b><br />
<div class="code">
request security datapath-debug capture stop</div>
<br />
<br />
You'll now be presented with file(s) within /var/log with the name you specified in step 1. These will unfortunately not be useful to you immediately.<br />
<br />
<b>To convert the files into something readable by tcpdump (-r) or Wireshark, run the following:</b><br />
<div class="code">
e2einfo -Ccapture -Snormalize -I pcap_for_problem -F pcap_for_problem.pcap</div>
<br />
Once converted, you'll now be able to view them with the tools of your choosing.<br />
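Because these packet-filters are stateless, a filter that is missing its reverse-direction twin silently drops half the conversation from the capture. As an added example (not part of the original post), the Python below parses packet-filter set commands, reports filters whose reverse direction is matched by no other filter, and emits the missing mirror; the filter names and the one-way sample are constructed.

```python
import re

# Constructed sample: the paired OUT/IN filters from the post, as 'display set' lines.
PAIRED_FILTERS = """\
set security datapath-debug packet-filter OUT action-profile capture
set security datapath-debug packet-filter OUT protocol tcp
set security datapath-debug packet-filter OUT destination-port 80
set security datapath-debug packet-filter OUT destination-prefix 208.74.207.25/32
set security datapath-debug packet-filter IN action-profile capture
set security datapath-debug packet-filter IN protocol tcp
set security datapath-debug packet-filter IN source-port 80
set security datapath-debug packet-filter IN source-prefix 208.74.207.25/32
"""

# Constructed failure case: only the outbound direction was configured.
ONE_WAY_FILTERS = "\n".join(PAIRED_FILTERS.splitlines()[:4]) + "\n"

FILTER_RE = re.compile(r"^set security datapath-debug packet-filter (\S+) (\S+) (\S+)$")

# Match terms that swap when a packet travels in the opposite direction.
# protocol and action-profile are direction-neutral and stay as they are.
REVERSE = {
    "source-prefix": "destination-prefix",
    "destination-prefix": "source-prefix",
    "source-port": "destination-port",
    "destination-port": "source-port",
}


def parse_filters(config_text):
    """Collect packet-filter set commands into {filter_name: {term: value}}."""
    filters = {}
    for line in config_text.splitlines():
        m = FILTER_RE.match(line.strip())
        if m:
            name, term, value = m.groups()
            filters.setdefault(name, {})[term] = value
    return filters


def reverse_of(terms):
    """The match terms that the return traffic of this flow would present."""
    return {REVERSE.get(term, term): value for term, value in terms.items()}


def unpaired_filters(filters):
    """Names of filters with no counterpart matching the reverse direction.

    The comparison is purely syntactic: if NAT rewrites an address or port
    between the ingress and egress capture points, the mirror filter has to
    use the translated values and will (correctly) be reported here for review.
    """
    unpaired = []
    for name, terms in filters.items():
        wanted = reverse_of(terms)
        if not any(other == wanted for oname, other in filters.items() if oname != name):
            unpaired.append(name)
    return unpaired


def mirror_filter(terms, new_name):
    """Set commands for the missing reverse-direction filter."""
    return [
        f"set security datapath-debug packet-filter {new_name} {term} {value}"
        for term, value in reverse_of(terms).items()
    ]


if __name__ == "__main__":
    for label, text in (("paired", PAIRED_FILTERS), ("one-way", ONE_WAY_FILTERS)):
        flt = parse_filters(text)
        missing = unpaired_filters(flt)
        print(f"{label}: unpaired filters = {missing or 'none'}")
        for name in missing:
            print("\n".join(mirror_filter(flt[name], name + "_REV")))
```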
<br />
Thanks for reading!<br />
<br />
<br />
<br />
<b>Juniper SRX: How to manage fxp0 across a VPN (Remote Management Best Practices)</b> (posted 2015-07-15)<br />
This is one of the most common questions I see, both in my professional life and on popular Juniper technical forums. Most of this confusion could be avoided if Juniper allowed fxp0 to be placed in a non-default routing instance; for the time being, however, we're left with having to do the following (moving all interfaces to a VR instead of just fxp0).<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmFPwFEi0ccTlgCKzn1XWrjFN636xwIBKY3MKYfVOgHJt9vmEvOevnvCHAOlZ_Hgvw_59e9aPKKelKH4FwYIyMLrZNRTfMxVB4VOmIGHTocnTHa4Sec6LYl-4hZ3FB_nD3gotjLiSQj48/s1600/SRX_Remote_Fxp0.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmFPwFEi0ccTlgCKzn1XWrjFN636xwIBKY3MKYfVOgHJt9vmEvOevnvCHAOlZ_Hgvw_59e9aPKKelKH4FwYIyMLrZNRTfMxVB4VOmIGHTocnTHa4Sec6LYl-4hZ3FB_nD3gotjLiSQj48/s1600/SRX_Remote_Fxp0.jpg" /></a></div>
<i>For those who are unaware, fxp0 represents a dedicated management interface to the routing-engine of the device. On the SRX, there is complete hardware separation between the routing-engine and the dataplane (which is responsible for the actual forwarding of transit traffic). This is accomplished on the high-end devices by a separate <a href="http://www.juniper.net/techpubs/en_US/release-independent/junos/topics/concept/srx5k-re-1800X4-description.html" target="_blank">hardware module or blade</a> (SRX 650 -> SRX 5800), and by dedicated CPU cores on the shared CPUs on the smaller branch devices.</i><br />
<br />
In this example, our topology will contain the following:<br />
1 Cluster of two SRX to be managed via fxp0 remotely.<br />
1 Stand-Alone SRX acting as our VPN peer. Our SSH Proxy will reside behind this gateway.<br />
1 Virtual-Chassis stack of EX Switches to attach the cluster's fxp0 and management reth to<br />
1 SSH Proxy (172.16.88.100) for remote device management.<br />
<br />
This example assumes the cluster has already been configured, the VPN (route-based) is up and running, etc. If you are unfamiliar with these topics, you can check out previous articles here on how to set them up (or <a href="http://support.juniper.net/">support.juniper.net</a> for the official documentation).<br />
<br />
<b>Step 1:</b> Allocate a new VLAN for management purposes. This VLAN will contain both chassis' fxp0 interfaces, as well as a single reth interface (trunked or otherwise) from the dataplane. Assign the new reth interface to an appropriately named zone (careful not to use 'Management' as it's reserved):<br />
<br />
Interface configurations are as follows:<br />
<div class="code">
set interfaces reth0 vlan-tagging<br />
set interfaces reth0 redundant-ether-options redundancy-group 1<br />
set interfaces reth0 redundant-ether-options minimum-links 1<br />
set interfaces reth0 redundant-ether-options lacp passive<br />
set interfaces reth0 unit 100 description "Outside interface"<br />
set interfaces reth0 unit 100 vlan-id 100<br />
set interfaces reth0 unit 100 family inet address 10.1.1.1/28<br />
set interfaces reth1 redundant-ether-options redundancy-group 1<br />
set interfaces reth1 unit 0 description "Attached to Management VLAN for fxp0 access"<br />
set interfaces reth1 unit 0 family inet address 192.168.0.210/24<br />
set interfaces st0 unit 0 family inet address 1.1.1.1/28<br />
set groups node0 interfaces fxp0 unit 0 family inet address 192.168.0.211/24<br />
set groups node1 interfaces fxp0 unit 0 family inet address 192.168.0.212/24<br />
set security zones security-zone Outside interfaces reth0.100 host-inbound-traffic system-services ike<br />
set security zones security-zone Mgmt interfaces reth1.0<br />
set security zones security-zone VPN interfaces st0.0</div>
<br />
<br />
<b>Step 2:</b> Divide the SRX into (at least) two virtual-routers: one containing your management (fxp0) interfaces (in inet.0), and one containing all of your revenue ports (reths or otherwise):
<br />
<div class="code">
set routing-instances Traffic instance-type virtual-router<br />
set routing-instances Traffic interface reth0.100<br />
set routing-instances Traffic interface reth1.0<br />
set routing-instances Traffic interface st0.0<br />
set routing-instances Traffic routing-options static route 172.16.88.0/24 next-hop 1.1.1.2</div>
<b>Step 3:</b> Assign the correct routes to the default routing instance (which should contain only fxp0) so that it has a return path to our SSH Proxy regardless of the node's state (RPD does not run on the standby node). This requires several pieces of configuration.<br />
The next-hop for all fxp0 traffic should be our newly created Mgmt reth interface (reth1.0).<br />
<br />
<b>a)</b> Create a backup-router statement for the device to read at boot. This only takes effect during the RE boot sequence, before RPD becomes available. Make sure to use host routes here (/32) with the address of your reth interface as the next-hop.<br />
<div class="code">
set system backup-router 192.168.0.210<br />
set system backup-router destination 172.16.88.100/32</div>
<b>b) </b>Create a mirrored static route for the backup-router statement. This ensures that the secondary node remains reachable post-failover (backup-router is only read during boot):<br />
<div class="code">
set routing-options static route 172.16.88.100/32 next-hop 192.168.0.210<br />
set routing-options static route 172.16.88.100/32 retain<br />
set routing-options static route 172.16.88.100/32 no-readvertise</div>
<b>c) </b>Create the default route for all other RE (fxp0) traffic to use reth1.0 as well:<br />
<div class="code">
set routing-options static route 0.0.0.0/0 next-hop 192.168.0.210</div>
<div>
<b>d) </b>Inform the device that all dataplane traffic logs (Accept/Deny/IPS, from the 'security log' configuration) need to be routed via the new virtual-router (Traffic.inet.0) to reach the syslog/SIEM. This ensures they exit a revenue port rather than fxp0 and do not load the RE:<br />
<div class="code">
set routing-options static route IP_of_SYSLOG_Server/32 next-table Traffic.inet.0</div>
<br />
<b>Step 4:</b> Add appropriate security policies for the traffic from the Mgmt zone to the VPN zone (and vice-versa) to permit access to fxp0.<br />
<br />
<b>Step 5: </b>Validate that you have access to both devices and confirm the session on the device (test both RG0 and RG1 failover scenarios):<br />
<div class="code">
show security flow session source-prefix 172.16.88.100 node 0<br />
node0:<br />
--------------------------------------------------------------------------<br />
<br />
Session ID: 382, Policy name: ANY_ANY_PERMIT/4, State: Active, Timeout: 1800, Valid<br />
In: 172.16.88.100/44411 --> 192.168.0.212/22;tcp, If: st0.0, Pkts: 459, Bytes: 27651<br />
Out: 192.168.0.212/22 --> 172.16.88.100/44411;tcp, If: reth1.0, Pkts: 480, Bytes: 161953<br />
Total sessions: 1</div>
<br />
<div>
<b>Step 6 (Optional):</b> Ensure you can still SSH to the master device if the VPN tunnel goes down by adding SSH accessibility on the outside reth interface.<b> <span style="color: red;">Ensure this is locked down appropriately with firewall filters!</span></b></div>
<div>
<div class="code">
set security zones security-zone Outside interfaces reth0.100 host-inbound-traffic system-services ssh</div>
</div>
<div>
<br /></div>
<div>
<b>Step 7 (Optional): </b>If your cluster requires access to things like public DNS, NTP, or application-services updates (IPS/AppFW, etc), you'll need to add NAT and security policies for fxp0 to access the appropriate resources.</div>
<div>
</div>
</div>
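The Step 5 output is the quickest way to confirm the path is actually VPN in, Mgmt reth out, but reading it by eye across two nodes and several failover tests gets tedious. As an added example (not from the post), the Python below parses 'show security flow session' output and flags management sessions from the SSH Proxy whose In/Out wings are not on st0.0 and reth1.0; the sample output is constructed from the post's Step 5, and the failure case is constructed too.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the 'show security flow session' output in Step 5.
GOOD_OUTPUT = """\
node0:
--------------------------------------------------------------------------

Session ID: 382, Policy name: ANY_ANY_PERMIT/4, State: Active, Timeout: 1800, Valid
In: 172.16.88.100/44411 --> 192.168.0.212/22;tcp, If: st0.0, Pkts: 459, Bytes: 27651
Out: 192.168.0.212/22 --> 172.16.88.100/44411;tcp, If: reth1.0, Pkts: 480, Bytes: 161953
Total sessions: 1
"""

# Constructed failure case: the reply does not re-enter the dataplane through the
# Mgmt reth, so the fxp0 return path is not the one Step 3 intended.
BAD_OUTPUT = GOOD_OUTPUT.replace("If: reth1.0", "If: reth0.100")

SESSION_RE = re.compile(r"^Session ID: (\d+), Policy name: (\S+), State: (\w+)")
WING_RE = re.compile(
    r"^(In|Out): ([\d.]+)/(\d+) --> ([\d.]+)/(\d+);(\w+), If: ([^,]+), Pkts: (\d+), Bytes: (\d+)"
)


@dataclass
class Wing:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    ifname: str
    pkts: int
    nbytes: int


@dataclass
class Session:
    sid: int
    policy: str
    state: str
    wings: dict = field(default_factory=dict)  # "In" / "Out" -> Wing


def parse_sessions(text):
    """Turn the CLI output into Session objects with their In/Out wings."""
    sessions, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SESSION_RE.match(line)
        if m:
            current = Session(int(m.group(1)), m.group(2), m.group(3))
            sessions.append(current)
            continue
        m = WING_RE.match(line)
        if m and current is not None:
            direction, src, sport, dst, dport, proto, ifname, pkts, nbytes = m.groups()
            current.wings[direction] = Wing(
                src, int(sport), dst, int(dport), proto, ifname, int(pkts), int(nbytes)
            )
    return sessions


def check_mgmt_path(sessions, proxy="172.16.88.100", vpn_if="st0.0", mgmt_if="reth1.0", port=22):
    """Report management sessions from the SSH proxy that do not take the VPN -> Mgmt reth path."""
    problems = []
    for s in sessions:
        inbound, outbound = s.wings.get("In"), s.wings.get("Out")
        if inbound is None or outbound is None:
            problems.append(f"session {s.sid}: incomplete (missing In or Out wing)")
            continue
        if inbound.src != proxy or inbound.dport != port:
            continue  # not a management session from the proxy
        if inbound.ifname != vpn_if:
            problems.append(f"session {s.sid}: arrived on {inbound.ifname}, expected {vpn_if}")
        if outbound.ifname != mgmt_if:
            problems.append(f"session {s.sid}: reply via {outbound.ifname}, expected {mgmt_if}")
        if (outbound.src, outbound.dst) != (inbound.dst, inbound.src):
            problems.append(f"session {s.sid}: reply addresses are not the mirror of the request")
    return problems


if __name__ == "__main__":
    for label, output in (("good", GOOD_OUTPUT), ("bad", BAD_OUTPUT)):
        print(label, check_mgmt_path(parse_sessions(output)) or "path OK")
```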
<b>Juniper SRX: IF-MAP, source-identity and restrict-source-identity-lookup</b> (posted 2014-05-16)<br />
The terms for the uninitiated:<br />
<br />
<a href="http://en.wikipedia.org/wiki/IF-MAP" target="_blank"><b>IF-MAP</b></a>, at its core, is a user identity propagation mechanism and protocol. Juniper's implementation allows you to attach 'roles' to a specific user and create policies that permit or deny traffic based upon said role. In the case of the SRX, the firewall itself does not participate directly in the IF-MAP Federation; it relies on a proprietary communications channel over SSL (JUEP) to an Infranet Controller (IC) to request/receive user identity information.<br />
<br />
<a href="http://www.juniper.net/techpubs/en_US/junos12.1x44/topics/reference/configuration-statement/security-edit-source-identity.html" target="_blank"><b>source-identity</b></a> is one policy match term (but not the <i>only</i> one; see UAC) you can use to leverage IF-MAP on the SRX. The term was introduced in 12.1 and relies on a 'first-packet-drop-lookup' mechanism to handle packets that match the policy. Basically, if a new connection matches a policy with source-identity as a match condition, the firewall drops the packet and queries the local IC for the user identity/role information of the source IP address, assuming there is not already an entry in its local database. Depending on the response from the IC, the firewall then matches the user's role to the policy and permits the flow, or, if the user identity does not contain the required role for the policy in question, it continues doing policy lookups until a terminal match is found further down in the rulebase. <b>I.e., these policies are not terminal.</b><br />
<b><br /></b>
<b>restrict-source-identity-lookup</b> is a hidden feature/command within the 'unified-access-control' stanza that was added in the 12.1X44D30.4 release and is meant to significantly increase the performance of a device leveraging the <b>source-identity</b> feature. What this command does is quite simple: it makes any rule with source-identity <span style="color: red; font-weight: bold;">terminal</span>. If a flow matches a policy with source-identity while restrict-source-identity-lookup is configured and the user does <b>not</b> have the required role, the session is denied. As such, it is generally advisable to place these policies at or near the bottom of the rulebase to avoid issues with unauthenticated (server-to-server) traffic that may share similar source/destination/application information.<br />
<br />
<b>To enable the feature, run:</b><br />
<div class="code">
set services unified-access-control restrict-source-identity-lookup</div>
<div>
<br /></div>
To successfully use the feature in the rulebase, however, the security policies themselves get quite a bit more complex. For every policy that utilizes source-identity matching, you must have a 'clone' policy (placed adjacently) that mirrors the match conditions while using the source-identity 'unauthenticated-user' AND 'application-services uac-policy'. The second policy with 'unauthenticated-user' is meant to catch an (you guessed it!) unauthenticated user from an unknown source IP and perform a 'first-packet-drop-lookup' to gather their information. Once the source IP address is known, the flow comes back down through the rulebase and matches the first source-identity policy with the required role, and is either permitted or outright denied, based on the received information.<br />
<br />
To put this in practice, I've made a policy below which will look for users that have the HR_Management role while using restrict-source-identity-lookup:<br />
<br />
<div class="code">
set security policies from-zone Outside to-zone DMZ policy HR_Mgmt_NO-AUTH match source-address any<br />
set security policies from-zone Outside to-zone DMZ policy HR_Mgmt_NO-AUTH match destination-address any<br />
set security policies from-zone Outside to-zone DMZ policy HR_Mgmt_NO-AUTH match application junos-https<br />
set security policies from-zone Outside to-zone DMZ policy HR_Mgmt_NO-AUTH match source-identity unauthenticated-user<br />
set security policies from-zone Outside to-zone DMZ policy HR_Mgmt_NO-AUTH then permit application-services uac-policy<br />
<br />
set security policies from-zone Outside to-zone DMZ policy HR_Management match source-address any<br />
set security policies from-zone Outside to-zone DMZ policy HR_Management match destination-address any<br />
set security policies from-zone Outside to-zone DMZ policy HR_Management match application junos-https<br />
set security policies from-zone Outside to-zone DMZ policy HR_Management match source-identity HR_Management<br />
set security policies from-zone Outside to-zone DMZ policy HR_Management then permit<br />
<div>
</div>
<br /></div>
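Getting the clone wrong (no adjacent 'unauthenticated-user' policy, or a clone that permits without 'application-services uac-policy') is easy to miss in a long rulebase. As an added example (not from the post), the Python below parses policy set commands in rulebase order and lints every role-based source-identity policy for its adjacent clone, also noting when restrict-source-identity-lookup is absent; the sample rulebase is constructed from the post's two policies, and the broken variant is constructed too.

```python
import re
from collections import OrderedDict

# Constructed rulebase: the clone + role policy pair from the post, with the
# restrict-source-identity-lookup knob enabled.
GOOD_CONFIG = """\
set services unified-access-control restrict-source-identity-lookup
set security policies from-zone Outside to-zone DMZ policy HR_Mgmt_NO-AUTH match source-address any
set security policies from-zone Outside to-zone DMZ policy HR_Mgmt_NO-AUTH match destination-address any
set security policies from-zone Outside to-zone DMZ policy HR_Mgmt_NO-AUTH match application junos-https
set security policies from-zone Outside to-zone DMZ policy HR_Mgmt_NO-AUTH match source-identity unauthenticated-user
set security policies from-zone Outside to-zone DMZ policy HR_Mgmt_NO-AUTH then permit application-services uac-policy
set security policies from-zone Outside to-zone DMZ policy HR_Management match source-address any
set security policies from-zone Outside to-zone DMZ policy HR_Management match destination-address any
set security policies from-zone Outside to-zone DMZ policy HR_Management match application junos-https
set security policies from-zone Outside to-zone DMZ policy HR_Management match source-identity HR_Management
set security policies from-zone Outside to-zone DMZ policy HR_Management then permit
"""

# Constructed failure case: the clone permits but never triggers the uac-policy
# lookup, so an unknown source IP is never resolved against the IC.
BAD_CONFIG = GOOD_CONFIG.replace("then permit application-services uac-policy", "then permit")

POLICY_RE = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) (match|then) (.+)$"
)
RESTRICT_LINE = "set services unified-access-control restrict-source-identity-lookup"


def parse_policies(config_text):
    """Return an OrderedDict keyed (from-zone, to-zone, name), in rulebase order."""
    policies = OrderedDict()
    for line in config_text.splitlines():
        m = POLICY_RE.match(line.strip())
        if not m:
            continue
        fz, tz, name, kind, rest = m.groups()
        pol = policies.setdefault((fz, tz, name), {"match": {}, "then": []})
        if kind == "match":
            term, _, value = rest.partition(" ")
            pol["match"].setdefault(term, set()).add(value)
        else:
            pol["then"].append(rest)
    return policies


def _match_without_identity(pol):
    return {t: v for t, v in pol["match"].items() if t != "source-identity"}


def lint_source_identity(policies, config_text=""):
    """Flag role-based policies lacking an adjacent unauthenticated-user clone with uac-policy."""
    findings = []
    if config_text and RESTRICT_LINE not in config_text:
        findings.append("restrict-source-identity-lookup not set: source-identity policies are not terminal")
    ordered = list(policies.items())
    for idx, (key, pol) in enumerate(ordered):
        roles = pol["match"].get("source-identity", set())
        if not roles or roles == {"unauthenticated-user"}:
            continue  # no role requirement, or this is itself a clone
        wanted = _match_without_identity(pol)
        paired = False
        for n in (idx - 1, idx + 1):  # the post places the clone directly adjacent
            if not 0 <= n < len(ordered):
                continue
            nkey, npol = ordered[n]
            if (nkey[:2] == key[:2]
                    and _match_without_identity(npol) == wanted
                    and npol["match"].get("source-identity") == {"unauthenticated-user"}
                    and any("uac-policy" in action for action in npol["then"])):
                paired = True
        if not paired:
            findings.append(
                f"{key[2]} ({key[0]}->{key[1]}): no adjacent unauthenticated-user clone with uac-policy"
            )
    return findings


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, lint_source_identity(parse_policies(cfg), cfg) or "rulebase OK")
```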
<div>
Some additional 'useful' operational commands when dealing with IF-MAP and SRX are:<br />
<br />
<b>View the available roles on the Enforcer (SRX):</b><br />
<div class="code">
show services unified-access-control roles</div>
<br />
<b>View all users currently active on the device: </b><br />
<div class="code">
show services unified-access-control authentication-table</div>
<br />
<b>View connectivity between the SRX and the IC (state should be 'connected'):</b><br />
<div class="code">
show services unified-access-control status</div>
<br />
<b>View available information and roles for a specific IP address:</b><br />
<div class="code">
show services unified-access-control authentication-table ip <i>x.x.x.x </i>detail</div>
<br />
<b>View available information and roles for a specific user:</b><br />
<div class="code">
show services unified-access-control authentication-table user <i>username </i>detail</div>
</div>
<b>Juniper SRX - PKI - Certificate-based VPNs - Part 03 - SRX Configuration</b> (posted 2014-03-27)<br />
Continuing on with Part 03 of this series (<a href="http://expert-mode.blogspot.ca/2013/12/juniper-srx-pki-certificate-based-vpns_4.html" target="_blank">Part 02 found here</a>), we'll finish the SRX configuration and bring up the tunnel:<br />
<br />
<div class="code">
set security ike proposal CERT_PROP authentication-method rsa-signatures<br />
set security ike proposal CERT_PROP dh-group group2<br />
set security ike proposal CERT_PROP authentication-algorithm sha1<br />
set security ike proposal CERT_PROP encryption-algorithm aes-128-cbc<br />
set security ike proposal CERT_PROP lifetime-seconds 86400</div>
<div>
<br /></div>
<div class="code">
set security ike policy vSRX_02_CERT mode main<br />
set security ike policy vSRX_02_CERT proposals CERT_PROP<br />
set security ike policy vSRX_02_CERT certificate local-certificate SRX210_key_01<br />
set security ike policy vSRX_02_CERT certificate peer-certificate-type x509-signature</div>
<div>
<br /></div>
<div>
<div class="code">
<div>
set security ike gateway vSRX_02 ike-policy vSRX_02_CERT</div>
<div>
set security ike gateway vSRX_02 address 10.0.0.102</div>
<div>
set security ike gateway vSRX_02 external-interface reth2.0<br />
set security ike gateway vSRX_02 local-identity user-at-hostname "your.email@domain.com"<br />
set security ike gateway vSRX_02 remote-identity user-at-hostname "your.email@domain.com"</div>
</div>
<div>
<br /></div>
<div>
<div class="code">
root@SRX210_A# run show security ike sa 10.0.0.102 detail<br />
node0:<br />
--------------------------------------------------------------------------<br />
IKE peer 10.0.0.102, Index 1917721, Gateway Name: vSRX_02<br />
Role: Responder, State: UP<br />
Initiator cookie: 1bb59a819ce8e2df, Responder cookie: 4daa2c9906f66705<br />
Exchange type: Main, <b>Authentication method: RSA-signatures</b><br />
Local: 192.168.0.211:500, Remote: 10.0.0.102:500<br />
Lifetime: Expires in 86381 seconds<br />
Peer ike-id: your.email@domain.com<br />
Xauth assigned IP: 0.0.0.0<br />
Algorithms:<br />
Authentication : hmac-sha1-96<br />
Encryption : aes128-cbc<br />
Pseudo random function: hmac-sha1<br />
Diffie-Hellman group : DH-group-2<br />
Traffic statistics:<br />
Input bytes : 2516<br />
Output bytes : 2296<br />
Input packets: 5<br />
Output packets: 4<br />
Flags: IKE SA is created<br />
IPSec security associations: 1 created, 0 deleted<br />
Phase 2 negotiations in progress: 0<br />
<br />
Negotiation type: Quick mode, Role: Responder, Message ID: 0<br />
Local: 192.168.0.211:500, Remote: 10.0.0.102:500<br />
Local identity: your.email@domain.com<br />
Remote identity: your.email@domain.com<br />
Flags: IKE SA is created</div>
</div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<br /></div>
</div>
<b>Juniper SRX - PKI - Certificate-based VPNs - Part 02 - SRX Configuration & Certificate Signings</b> (posted 2013-12-04)<br />
Continuing on with Part 02 of this series (<a href="http://expert-mode.blogspot.ca/2013/12/juniper-srx-pki-certificate-based-vpns.html" target="_blank">Part 01 found here</a>), we'll configure the SRX (at least partially) to use PKI, generate CSRs, and have them signed by our previously configured CA.<br />
<br />
<b><span style="font-size: large;">1. Configure the ca-profile for the CA (version check included for posterity)</span></b><br />
<div class="code">
root@SRX210_A# <b>show security pki | display set</b><br />
set security pki ca-profile Ubuntu01 ca-identity Ubuntu01<br />
set security pki ca-profile Ubuntu01 revocation-check disable</div>
<br />
<div class="code">
root@SRX210_A# <b>run show version</b><br />
node0:<br />
--------------------------------------------------------------------------<br />
Hostname: SRX210_A<br />
Model: srx210h-poe<br />
JUNOS Software Release [11.4R9.4]<br />
<br />
root@vSRX_02#<b> run show version</b><br />
Hostname: vSRX_02<br />
Model: junosv-firefly<br />
JUNOS Software Release [12.1X44-D20.3]</div>
<div>
<br /></div>
<br />
<b><span style="font-size: large;">2. Transfer (copy/paste) /etc/ssl/testCa/cacert.pem from your CA onto your SRX:</span></b><br />
<div class="code">
root@SRX210_A#<b> run start shell</b><br />
root@SRX210_A% <b>cat cacert.pem</b><br />
-----BEGIN CERTIFICATE-----<br />
MIIFtTCCA52gAwIBAgIBADANBgkqhkiG9w0BAQUFADB1MQswCQYDVQQGEwJDQTEQ<br />
--------------------------SNIP FOR BREVITY------------------------------------<br />
ymJ/BQZIyKLD9zvqgtjoMK/UoV6r/oVZWzX53B8uLcLBQqbWQivN7jb8j00hf5K9<br />
HOnf7ieBfbYq/J20ik0TXAIsHkWGtKtVTA==<br />
-----END CERTIFICATE-----</div>
<div>
<br /></div>
<div>
<b><span style="font-size: large;">3. Import the CA's public key into the ca-profile created earlier:</span></b><br />
<div class="code">
<div>
root@SRX210_A><b> request security pki ca-certificate load ca-profile Ubuntu01 filename ~/cacert.pem</b></div>
<div>
node0:</div>
<div>
--------------------------------------------------------------------------</div>
<div>
Fingerprint:</div>
<div>
56:57:3d:71:d2:55:b0:68:e7:f6:ee:53:3c:6a:5f:21:01:3b:8f:d5 (sha1)</div>
<div>
fe:4d:56:cd:6c:9c:34:5b:b8:cf:0d:bd:15:d1:87:15 (md5)</div>
<div>
CA certificate for profile Ubuntu01 loaded successfully</div>
</div>
</div>
<div>
<br /></div>
<div>
<span style="font-size: large;"><b>4. Generate the SRX's private key:</b></span></div>
<div>
<div class="code">
<div>
root@SRX210_A> <b>request security pki generate-key-pair type rsa size 2048 certificate-id SRX210_key_01</b></div>
<div>
node0:</div>
<div>
--------------------------------------------------------------------------</div>
<div>
Generated key pair SRX210_key_01, key size 2048 bits</div>
</div>
<div>
<br /></div>
<div>
<b><span style="font-size: large;">5. Generate the Certificate Signing Request (CSR) - no underscores in subject!:</span></b></div>
<div>
<div class="code">
<div>
root@SRX210_A><b>request security pki generate-certificate-request certificate-id SRX210_Key_01 email your.email@domain.com subject "DC=SRX210,CN=SRX210,OU=VPN,O=TestLab,L=Ottawa,ST=Ontario,C=CA"</b></div>
<div>
node0:</div>
<div>
--------------------------------------------------------------------------</div>
<div>
Generated certificate request</div>
<div>
-----BEGIN CERTIFICATE REQUEST-----</div>
<div>
MIIC8jCCAdoCAQAweTEWMBQGCgmSJomT8ixkARkWBlNSWDIxMDEPMA0GA1UEAxMG</div>
<div>
--------------------------SNIP FOR BREVITY------------------------------------</div>
<div>
VwHvUcODc9OBKzYZzxUSDc8ICOkSNtW89WT7YYkBotdmCNbDZ74=</div>
<div>
-----END CERTIFICATE REQUEST-----</div>
<div>
Fingerprint:</div>
<div>
48:1e:f5:a1:da:62:00:10:d9:66:62:3f:20:db:32:fe:5d:37:c8:41 (sha1)</div>
<div>
01:5c:ca:b9:25:ad:1a:f0:c0:ae:16:fb:5a:47:dc:43 (md5)</div>
</div>
<div>
</div>
<br /></div>
<div style="font-size: x-large; font-weight: bold;">
6. Transfer (copy/paste) CSR to CA and verify:</div>
</div>
<div class="code">
<div>
root@Ubuntu01:/etc/ssl/testCa# <b>openssl req -noout -text -in SRX210_key_01.csr</b></div>
<div>
<div>
Certificate Request:</div>
<div>
Data:</div>
<div>
Version: 0 (0x0)</div>
<div>
Subject: DC=SRX210, CN=SRX210, OU=VPN, O=TestLab, L=Ottawa, ST=Ontario, C=CA</div>
<div>
Subject Public Key Info:</div>
<div>
Public Key Algorithm: rsaEncryption</div>
<div>
Public-Key: (2048 bit)</div>
<div>
--------------------------SNIP FOR BREVITY------------------------------------</div>
<div>
cf:08:08:e9:12:36:d5:bc:f5:64:fb:61:89:01:a2:d7:66:08:</div>
<div>
d6:c3:67:be</div>
</div>
</div>
<div>
<div>
<b><span style="font-size: large;">7. Sign the CSR with the CA (cert is placed in certs/ and index.txt will be updated):</span></b><br />
<div class="code">
<div>
root@Ubuntu01:/etc/ssl/testCa# <b>openssl ca -verbose -in SRX210_key_01.csr -out certs/SRX_210.pem -cert cacert.pem -extfile x509ext.txt</b></div>
<div>
Using configuration from /usr/lib/ssl/openssl.cnf</div>
<div>
Enter pass phrase for /etc/ssl/testCa/private/cakey.pem:</div>
<div>
--------------------------SNIP FOR BREVITY------------------------------------</div>
<div>
Certificate is to be certified until Dec 5 02:26:27 2014 GMT (365 days)</div>
<div>
Sign the certificate? [y/n]:y</div>
<div>
<br /></div>
<div>
1 out of 1 certificate requests certified, commit? [y/n]y</div>
<div>
Write out database with 1 new entries</div>
<div>
writing new certificates</div>
<div>
writing /etc/ssl/testCa/newcerts/01.pem</div>
<div>
Data Base Updated</div>
<div>
<br /></div>
<div>
<br /></div>
</div>
<div>
<div class="code">
root@Ubuntu01:/etc/ssl/testCa# <b>cat index.txt ; ls -lh certs/</b><br />
V 141205022627Z 01 unknown /C=CA/ST=Ontario/O=TestLab/OU=VPN/CN=SRX210<br />
total 8.0K<br />
-rw-r--r-- 1 root root 5.2K Dec 4 21:26 SRX_210.pem</div>
</div>
</div>
</div>
<b><span style="font-size: large;">8. Finally, transfer the signed SRX Certificate back to the SRX and import it:</span></b><br />
<div class="code">
root@SRX210_A> <b>request security pki local-certificate load certificate-id SRX210_key_01 filename ~/SRX210.pem</b><br />
node0:<br />
--------------------------------------------------------------------------<br />
<br />
Local certificate loaded successfully<br />
<br />
root@SRX210_A> <b>request security pki local-certificate verify certificate-id SRX210_key_01</b><br />
node0:<br />
--------------------------------------------------------------------------<br />
Local certificate SRX210_key_01 verification success<br />
<div>
<br /></div>
</div>
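Both step 5 above and step 4 of Part 01 warn against underscores in the subject: the underscore is not in the ASN.1 PrintableString alphabet. As an added example (not from the posts), the Python below parses a Junos-style subject string, checks every value against the PrintableString set, and builds a subject in the order the post uses; KNOWN_TYPES and junos_subject are my own names, and the bad subject in the test is constructed.

```python
import re

# ASN.1 PrintableString alphabet (X.680): letters, digits, space and ' ( ) + , - . / : = ?
# The underscore is absent, which is why both posts say to keep it out of the subject.
PRINTABLE = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 '()+,-./:=?"
)

# Attribute types used in the post's subject string. Assumption: the check is
# limited to these; a real deployment may use other RFC 4519 attributes.
KNOWN_TYPES = {"DC", "CN", "OU", "O", "L", "ST", "C"}


def parse_subject(subject):
    """Split 'DC=SRX210,CN=SRX210,...' into ordered (type, value) pairs."""
    pairs = []
    for rdn in subject.split(","):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip(), value.strip()))
    return pairs


def validate_subject(subject):
    """Return a list of problems; an empty list means the subject is safe to submit.

    The PrintableString rule is applied to every attribute, including DC. That is
    stricter than RFC 4519 (DC is an IA5String) but matches the posts' advice.
    """
    problems = []
    for attr, value in parse_subject(subject):
        if attr not in KNOWN_TYPES:
            problems.append(f"{attr}: unknown attribute type")
        if not value:
            problems.append(f"{attr}: empty value")
            continue
        bad = sorted({c for c in value if c not in PRINTABLE})
        if bad:
            problems.append(f"{attr}={value}: characters not allowed in a PrintableString: {bad}")
        if attr == "C" and not re.fullmatch(r"[A-Z]{2}", value):
            problems.append(f"C={value}: country must be a two-letter code")
    return problems


def junos_subject(**rdns):
    """Build the subject string in the order the post uses, refusing invalid values."""
    order = ["DC", "CN", "OU", "O", "L", "ST", "C"]
    subject = ",".join(f"{k}={rdns[k]}" for k in order if k in rdns)
    problems = validate_subject(subject)
    if problems:
        raise ValueError("; ".join(problems))
    return subject


if __name__ == "__main__":
    for s in ("DC=SRX210,CN=SRX210,OU=VPN,O=TestLab,L=Ottawa,ST=Ontario,C=CA",
              "CN=SRX210_A,O=TestLab,C=Canada"):
        print(s, "->", validate_subject(s) or "OK")
```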
You'll obviously have to rinse/repeat for each SRX you have in your lab. In Part 03 we'll explore actually <b>using</b> these certificates!<br />
<br />
<b>Juniper SRX - PKI - Certificate-based VPNs - Part 01 - Create your own Certificate Authority with Linux</b> (posted 2013-12-04)<br />
Hi Everyone,<br />
<br />
I was having issues getting a fully functional lab setup with PKI to use for testing cert-based VPNs. I've pieced the following (functional!) steps together from multiple blogs and the official OpenSSL documentation. Hopefully you'll find it useful during your studies.<br />
<br />
<b><span style="font-size: large;">1. Prepare the Server - Make sure to modify the email address field</span></b><br />
<div class="code">
<b>mkdir -p testCa/{certs,private,newcerts} ; cd testCa/ ; touch index.txt ; echo "01" > serial</b><br />
<b>echo "subjectAltName=email:your_email_address_here" > x509ext.txt</b></div>
<b><span style="font-size: large;">2. Modify the configuration file (/usr/lib/ssl/openssl.cnf) to use our testCa directory, and reduce the "strictness" when signing certificates (<a href="https://raw.github.com/craigdods/Expert_Mode_Storage/master/openssl.cnf" target="_blank">or use the one I've hosted here</a>).</span></b><br />
<div class="code">
[ CA_default ]<br />
dir <b> = /etc/ssl/testCa </b> # Where everything is kept<br />
<br />
# For the CA policy<br />
[ policy_match ]<br />
stateOrProvinceName = <b>supplied</b><br />
organizationName =<b> supplied</b><br />
<br /></div>
<b><span style="font-size: large;">3. Generate the CA's Private Key (Password Required)</span></b><br />
<div class="code">
<b>openssl genrsa -des3 -out private/cakey.pem 4096</b><br />
<br />
root@Ubuntu01:/etc/ssl/testCa# openssl genrsa -des3 -out private/cakey.pem 4096<br />
Generating RSA private key, 4096 bit long modulus<br />
..........................++<br />
............................................................++<br />
e is 65537 (0x10001)<br />
Enter pass phrase for private/cakey.pem:<br />
Verifying - Enter pass phrase for private/cakey.pem:<br />
<br /></div>
<b><span style="font-size: large;">4. Create the CA's Root Certificate (lasts for 5 years) - Fill in your correct details as required - Do not use underscores as they are not ASN.1 compliant</span></b><br />
<div class="code">
<b>openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 1825 -set_serial 0</b><br />
<br />
root@Ubuntu01:/etc/ssl/testCa# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 1825 -set_serial 0<br />
Enter pass phrase for private/cakey.pem:<br />
You are about to be asked to enter information that will be incorporated<br />
into your certificate request.<br />
What you are about to enter is what is called a Distinguished Name or a DN.<br />
There are quite a few fields but you can leave some blank<br />
For some fields there will be a default value,<br />
If you enter '.', the field will be left blank.<br />
-----<br />
Country Name (2 letter code) [AU]:CA<br />
State or Province Name (full name) [Some-State]:Ontario<br />
Locality Name (eg, city) []:Ottawa<br />
Organization Name (eg, company) [Internet Widgits Pty Ltd]:<br />
Organizational Unit Name (eg, section) []:<br />
Common Name (e.g. server FQDN or YOUR name) []:<br />
Email Address []:
</div>
Juniper SRX - IDP Categories (2013-11-30)<br />
Hi Everyone,<br />
<div>
<br /></div>
<div>
While trying to define some custom attack-groups for IPS, I was unable to locate a full list of the categories available to build my groups from. As such, I've included a list for everyone, pulled from the latest Attack Database, below:<br />
<br />
<div class="code">
<div>
root@SRX210_A% <b>cli show security idp predefined-attacks | sed 's/\"//g' | awk -F":" '{print $1}' | uniq</b></div>
<div>
<br /></div>
<div>
APP</div>
<div>
CHARGEN</div>
<div>
CHAT</div>
<div>
DB</div>
<div>
DDOS</div>
<div>
DHCP</div>
<div>
DISCARD</div>
<div>
DNS</div>
<div>
DOS</div>
<div>
ECHO</div>
<div>
FINGER</div>
<div>
FTP</div>
<div>
GOPHER</div>
<div>
HTTP</div>
<div>
ICMP</div>
<div>
IDENT</div>
<div>
IKE</div>
<div>
IMAP</div>
<div>
IP</div>
<div>
LDAP</div>
<div>
LPD</div>
<div>
LPR</div>
<div>
MISC</div>
<div>
MS-RPC</div>
<div>
NDMP</div>
<div>
NETBIOS</div>
<div>
NFS</div>
<div>
NNTP</div>
<div>
NTP</div>
<div>
OS</div>
<div>
P2P</div>
<div>
POP3</div>
<div>
PORTMAPPER</div>
<div>
PROTOCOLS</div>
<div>
RADIUS</div>
<div>
REXEC</div>
<div>
RLOGIN</div>
<div>
RPC</div>
<div>
RSH</div>
<div>
RSYNC</div>
<div>
RTSP</div>
<div>
RUSERS</div>
<div>
SCADA</div>
<div>
SCAN</div>
<div>
SHELLCODE</div>
<div>
SMB</div>
<div>
SMTP</div>
<div>
SNMP</div>
<div>
SNMPTRAP</div>
<div>
SPYWARE</div>
<div>
SSH</div>
<div>
SSL</div>
<div>
SYSLOG</div>
<div>
TCP</div>
<div>
TELNET</div>
<div>
TFTP</div>
<div>
TIP</div>
<div>
TROJAN</div>
<div>
UDP</div>
<div>
VIRUS</div>
<div>
VNC</div>
<div>
VOIP</div>
<div>
WHOIS</div>
<div>
WORM</div>
<div>
X11</div>
</div>
<div>
<br /></div>
<div class="code">
<div>
As an aside, I found it mildly interesting to see the protections-per-category breakdown from Juniper:<br />
<br />
root@SRX210_A% <b>cli show security idp predefined-attacks | sed 's/\"//g' | awk -F":" '{print $1}' | sort | uniq -c | sort -n -r</b><br />
4019 HTTP<br />
804 APP<br />
793 SPYWARE<br />
269 TROJAN<br />
260 SCAN<br />
254 SMTP<br />
209 DB<br />
160 CHAT<br />
158 VOIP<br />
156 SMB<br />
155 FTP<br />
145 P2P<br />
114 POP3<br />
109 DNS<br />
108 MS-RPC<br />
101 LDAP<br />
90 SHELLCODE<br />
80 SCADA<br />
76 SNMP<br />
75 WORM<br />
73 TCP<br />
65 IMAP<br />
62 SSL<br />
58 NETBIOS<br />
51 TELNET<br />
51 RPC<br />
47 SNMPTRAP<br />
42 DOS<br />
40 LPR<br />
40 DHCP<br />
37 VNC<br />
33 NTP<br />
33 NFS<br />
33 DDOS<br />
31 TFTP<br />
25 RADIUS<br />
23 RTSP<br />
22 ICMP<br />
20 SSH<br />
18 SYSLOG<br />
17 IKE<br />
17 FINGER<br />
16 RUSERS<br />
15 PROTOCOLS<br />
14 VIRUS<br />
14 PORTMAPPER<br />
14 NNTP<br />
13 OS<br />
13 IP<br />
12 RLOGIN<br />
12 IDENT<br />
10 GOPHER<br />
9 RSH<br />
6 MISC<br />
5 REXEC<br />
4 UDP<br />
4 LPD<br />
4 ECHO<br />
3 X11<br />
3 WHOIS<br />
3 RSYNC<br />
3 DISCARD<br />
3 CHARGEN<br />
2 TIP<br />
1 NDMP<br />
<br /></div>
</div>
</div>
Checkpoint Top Talkers Script - Display top 50 Source/Destinations (2013-05-03)<br />
Hi Everyone,<br />
<br />
I've finished writing a script that should be very useful to most of you. It allows you to determine the top 50 chattiest hosts on your network based on certain criteria.<br />
<br />
This is what it looks like when you run it:<br />
<br />
<div class="code">
Hello, Welcome to the Checkpoint Top Talkers display utility by Craig Dods<br />
-----------------------------------------------<br />
<span class="Apple-tab-span" style="white-space: pre;"> </span> M A I N - M E N U<br />
-----------------------------------------------<br />
Please note that this is for use on devices with SecureXL enabled ONLY<br />
<br />
1. Display the top 50 Source/Destination combos<br />
2. Display the top 50 Source/Destination combos with identical Destination Ports<br />
3. Display the top 50 Source/Destination combos with identical Source Ports<br />
4. Display the top 50 Sources<br />
5. Display the top 50 Destinations<br />
6. Display the top 50 Source/Destination combos on a Custom Destination Port<br />
7. Display the top 50 Source/Destination combos on a Custom Source Port<br />
8. Display the top 50 Sources on a Custom Destination Port<br />
9. Display the top 50 Destinations on a Custom Destination Port<br />
10. Display the top 50 Sources on a Custom Source Port<br />
11. Display the top 50 Destinations on a Custom Source Port<br />
12. Display the top 20 Destination Ports<br />
13. Display the top 20 Source Ports<br />
14. Display Connections From A Specific Host (large list)<br />
15. Display Connections To A Specific Host (large list)<br />
16. Exit</div>
<br />
As you can see, there are quite a few options to choose from.<br />
<br />
As an example, let's say you're simply trying to find out the busiest host-to-host connections and which ports they're using. Press #2 to see the results (the formatting looks better in bash, I swear - IPs are also obfuscated):<br />
<br />
<div class="code">
<b>Please Make A Selection: 2</b><br />
# SRC IP DST IP DPort<br />
9801<span class="Apple-tab-span" style="white-space: pre;"> </span>192.168.222.222 192.168.111.181 514 <br />
532<span class="Apple-tab-span" style="white-space: pre;"> </span>192.168.222.222 192.168.111.181 443 <br />
464<span class="Apple-tab-span" style="white-space: pre;"> </span>192.168.222.222 192.168.111.181 443 <br />
455<span class="Apple-tab-span" style="white-space: pre;"> </span>192.168.222.222 192.168.111.181 443 <br />
435<span class="Apple-tab-span" style="white-space: pre;"> </span>192.168.222.222 192.168.111.181 53 <br />
431<span class="Apple-tab-span" style="white-space: pre;"> </span>192.168.222.222 192.168.111.181 443 <br />
388<span class="Apple-tab-span" style="white-space: pre;"> </span>192.168.222.222 192.168.111.181 443 <br />
374<span class="Apple-tab-span" style="white-space: pre;"> </span>192.168.222.222 192.168.111.181 443 <br />
369<span class="Apple-tab-span" style="white-space: pre;"> </span>192.168.222.222 192.168.111.181 443 <br />
342<span class="Apple-tab-span" style="white-space: pre;"> </span>192.168.222.222 192.168.111.181 3995<br />
................................<br />
Press [Enter] key to continue...</div>
<div>
<br />
Another common use case would be if you're trying to determine which host is flooding a certain type of traffic (DNS, Syslog, etc.). It's easy to determine who's causing the problem by using one of the 'Custom Port' options:<br />
<br />
Looking for hosts generating DNS requests by using option #8:<br />
<br />
<div class="code">
<b>Please Make A Selection: 8</b><br />
<b>Please enter the specific Destination Port you wish to filter for: </b><br />
<b>53</b><br />
<br />
# SRC IP on DPORT 53<br />
199<span class="Apple-tab-span" style="white-space: pre;"> </span>192.168.0.0<br />
142<span class="Apple-tab-span" style="white-space: pre;"> </span>192.168.0.0 <br />
94<span class="Apple-tab-span" style="white-space: pre;"> </span>192.168.0.0<br />
79<span class="Apple-tab-span" style="white-space: pre;"> </span>192.168.0.0 <br />
33<span class="Apple-tab-span" style="white-space: pre;"> </span>192.168.0.0<br />
32<span class="Apple-tab-span" style="white-space: pre;"> </span>192.168.0.0<br />
26<span class="Apple-tab-span" style="white-space: pre;"> </span>192.168.0.0<br />
16<span class="Apple-tab-span" style="white-space: pre;"> </span>192.168.0.0<br />
16<span class="Apple-tab-span" style="white-space: pre;"> </span>192.168.0.0<br />
13<span class="Apple-tab-span" style="white-space: pre;"> </span>192.168.0.0</div>
<br /></div>
There are obviously many more use cases than I've covered above, so please try it out and let me know how it works!<br />
<br />
Some caveats to keep in mind:<br />
1) This only works on devices with SecureXL enabled<br />
2) This may not work on every device. If you find out something isn't working in your environment, let me know!<br />
3) All of this is based on active connections. At no point are these scripts monitoring actual throughput for any host.<br />
4) Since we're pulling the information from SecureXL tables rather than the connection table, there will be some oddities, such as an entry for each direction of a connection if using option #1:<br />
<br />
<div class="code">
<b>Please Make A Selection: 1</b><br />
# SRC IP DST IP<br />
9095<span class="Apple-tab-span" style="white-space: pre;"> </span>192.168.0.1 192.168.1.1<br />
9095<span class="Apple-tab-span" style="white-space: pre;"> </span>192.168.1.1 192.168.0.1</div>
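The aggregations the script performs (options 1, 2 and 8) and the per-direction duplicate from caveat 4, as an added Python example that is not the top_talkers.sh script or any code from the post. It assumes a constructed SecureXL-style table whose column order (Source, SPort, Destination, DPort, PR) is only loosely modelled on an accelerated-connections dump; the rows are made up.<br />

```python
"""Top-talker aggregation over a SecureXL-style connection table.

Added example, not the top_talkers.sh script from the post. The table below is
constructed: its column order (Source, SPort, Destination, DPort, PR) is an
assumption loosely modelled on an accelerated-connections dump, not real
gateway output.
"""
from collections import Counter
from typing import List, NamedTuple

# Constructed sample. Every connection appears twice, once per direction, which
# is the "entry for each direction" oddity from caveat 4. The first 53/udp
# connection is listed reverse-first on purpose.
SAMPLE_CONNS = """\
Source          SPort Destination     DPort PR
--------------- ----- --------------- ----- --
192.168.222.222 51000 192.168.111.181 514   17
192.168.111.181 514   192.168.222.222 51000 17
192.168.222.222 51001 192.168.111.181 514   17
192.168.111.181 514   192.168.222.222 51001 17
192.168.222.222 40001 192.168.111.181 443   6
192.168.111.181 443   192.168.222.222 40001 6
192.168.111.181 53    192.168.0.50    33000 17
192.168.0.50    33000 192.168.111.181 53    17
192.168.0.51    33001 192.168.111.181 53    17
192.168.111.181 53    192.168.0.51    33001 17
192.168.0.50    33002 192.168.111.181 53    17
192.168.111.181 53    192.168.0.50    33002 17
"""


class Conn(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    proto: int


def parse_conns(text: str) -> List[Conn]:
    """Parse whitespace-separated rows; header, rule and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[1].isdigit():
            continue
        src, sport, dst, dport, proto = fields[:5]
        conns.append(Conn(src, int(sport), dst, int(dport), int(proto)))
    return conns


def dedupe_reverse_entries(conns: List[Conn]) -> List[Conn]:
    """Collapse caveat 4: a row and its exact reverse describe one connection.

    Orientation heuristic: the endpoint with the lower port is treated as the
    server (so it ends up as dst/dport). That holds for well-known service
    ports but is only a guess for anything else.
    """
    seen = {}
    for c in conns:
        key = (frozenset({(c.src, c.sport), (c.dst, c.dport)}), c.proto)
        oriented = c if c.dport <= c.sport else Conn(c.dst, c.dport, c.src, c.sport, c.proto)
        seen.setdefault(key, oriented)
    return list(seen.values())


def top_src_dst(conns: List[Conn], n: int = 50):
    """Option 1: source/destination pairs, one count per table entry."""
    return Counter((c.src, c.dst) for c in conns).most_common(n)


def top_src_dst_dport(conns: List[Conn], n: int = 50):
    """Option 2: source/destination pairs that share a destination port."""
    return Counter((c.src, c.dst, c.dport) for c in conns).most_common(n)


def top_sources_on_dport(conns: List[Conn], dport: int, n: int = 50):
    """Option 8: sources talking to one destination port (e.g. 53 for DNS)."""
    return Counter(c.src for c in conns if c.dport == dport).most_common(n)


if __name__ == "__main__":
    raw = parse_conns(SAMPLE_CONNS)
    print("# SRC IP DST IP (raw, both directions counted)")
    for (src, dst), count in top_src_dst(raw):
        print(f"{count}\t{src} {dst}")
    conns = dedupe_reverse_entries(raw)
    print("\n# SRC IP DST IP DPort (one entry per connection)")
    for (src, dst, dport), count in top_src_dst_dport(conns):
        print(f"{count}\t{src} {dst} {dport}")
    print("\n# SRC IP on DPORT 53")
    for src, count in top_sources_on_dport(conns, 53):
        print(f"{count}\t{src}")
```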
<br />
<br />
<b>And finally, you can find the <a href="https://raw.github.com/craigdods/scripts/master/top_talkers.sh" target="_blank"><span style="font-size: large;">script right here </span></a>. See my post about WGET if you're not sure on how to pull it down.</b><br />
<b><br /></b>
<b><a href="http://expert-mode.blogspot.ca/2013/02/wget-on-checkpoint.html" target="_blank"><span style="font-size: large;">WGET on Checkpoint</span></a></b><br />
Juniper SRX - OSPF over GRE over IPSEC (2013-05-01)<br />
<span style="background-color: white; color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 13px; line-height: 18px;">Hi everyone,</span><br />
<br style="background-color: white; color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 13px; line-height: 18px;" />
<span style="background-color: white; color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 13px; line-height: 18px;">As promised, and as a continuation of my JNCIE-SEC studies, here is a follow-up to the basic <a href="http://expert-mode.blogspot.ca/2013/05/juniper-srx-route-based-vpn-howto.html" target="_blank">Route Based VPN article</a>. This is how you can join two separate OSPF domains together across an IPSEC/GRE tunnel. Keep in mind that GRE is not necessary on an SRX<->SRX IPSEC tunnel; however, more limited platforms like ASAs require it.</span><br />
<span style="background-color: white; color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 13px; line-height: 18px;"><br /></span>
<span style="color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 13px; line-height: 18px;">As a recap, this is the topology we're working with:</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiaiuDL5APiBl1Reehrjz9q1EItOKUa9zh_zO-cQCLbbBxaomje4Ja3Nkx2whLFkPVSZ7IvtjK1zQ6PBs5fTGjHKjrie873NPloJdY_vPF1wRtk09UMUgSVNRTsquhlvFbP7QYe4ILNXBk/s1600/SRXOSPFGRE2+(1).png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="420" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiaiuDL5APiBl1Reehrjz9q1EItOKUa9zh_zO-cQCLbbBxaomje4Ja3Nkx2whLFkPVSZ7IvtjK1zQ6PBs5fTGjHKjrie873NPloJdY_vPF1wRtk09UMUgSVNRTsquhlvFbP7QYe4ILNXBk/s640/SRXOSPFGRE2+(1).png" width="640" /></a></div>
<span style="color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 13px; line-height: 18px;"><br /></span>
<br />
<span style="color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="font-size: 13px; line-height: 18px;"><br /></span></span><span style="background-color: white; color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 13px; line-height: 18px;">We'll do this for SRX210_A only, mirror the config to SRX210_B with slight adjustments if you're following along:</span><br />
<span style="background-color: white; color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 13px; line-height: 18px;"><br /></span>
<span style="background-color: white; color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 13px; line-height: 18px;">Create the GRE Tunnel and add it to our DMZ Zone, making sure to use st0 as the source/destination:</span><br />
<div class="code">
<span style="color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="font-size: 13px; line-height: 18px;">set interfaces gr-0/0/0.0 tunnel source 172.16.30.1</span></span><br />
<span style="color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="font-size: 13px; line-height: 18px;">set interfaces gr-0/0/0.0 tunnel destination 172.16.30.2</span></span><br />
<span style="color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="font-size: 13px; line-height: 18px;">set interfaces gr-0/0/0.0 family inet address 172.16.30.5/30</span></span><br />
<span style="color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="font-size: 13px; line-height: 18px;">set security zones security-zone DMZ interfaces gr-0/0/0.0 host-inbound-traffic system-services ping</span></span>
<span style="color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="font-size: 13px; line-height: 18px;"></span></span>
</div>
<span style="color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="font-size: 13px; line-height: 18px;">Ensure the VPN zone allows any system service for the time being (lock it down later):</span></span>
<br />
<div class="code">
<span style="color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="font-size: 13px; line-height: 18px;">set security zones security-zone VPN host-inbound-traffic system-services any-service</span></span>
</div>
<span style="color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="font-size: 13px; line-height: 18px;"></span></span>
<span style="color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="font-size: 13px; line-height: 18px;">Test time - Make sure your GRE tunnel is up and running by trying to reach the remote side:</span></span><br />
<div class="code">
<span style="color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="font-size: 13px; line-height: 18px;"><b>ping 172.16.30.6 rapid </b></span></span><br />
<span style="color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="font-size: 13px; line-height: 18px;">PING 172.16.30.6 (172.16.30.6): 56 data bytes</span></span><br />
<span style="color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="font-size: 13px; line-height: 18px;">!!!!!</span></span><br />
<span style="color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="font-size: 13px; line-height: 18px;">--- 172.16.30.6 ping statistics ---</span></span><br />
<span style="color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="font-size: 13px; line-height: 18px;">5 packets transmitted, 5 packets received, 0% packet loss</span></span><br />
<span style="font-size: 13px; line-height: 18px;"><span style="color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"></span></span><br />
<span style="color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="font-size: 13px; line-height: 18px;">round-trip min/avg/max/stddev = 4.811/5.521/6.624/0.703 ms</span></span></div>
<span style="color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="font-size: 13px; line-height: 18px;"><br /></span></span>
<span style="color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="font-size: 13px; line-height: 18px;">OSPF Area 0 configuration for GRE and DMZ interfaces:</span></span><br />
<div class="code">
<span style="color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="font-size: 13px; line-height: 18px;">set security zones security-zone DMZ host-inbound-traffic protocols ospf</span></span><br />
<span style="color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="font-size: 13px; line-height: 18px;">set protocols ospf area 0 interface gr-0/0/0.0</span></span><br />
<span style="font-size: 13px; line-height: 18px;"><span style="color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"></span></span>
<span style="color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="font-size: 13px; line-height: 18px;">set protocols ospf area 0 interface fe-0/0/5.0</span></span>
</div>
<span style="color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="font-size: 13px; line-height: 18px;"><br /></span></span>
<span style="color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="font-size: 13px; line-height: 18px;">Verify OSPF neighbor adjacency across gr-0/0/0.0 and that you're receiving the correct routes:</span></span><br />
<div class="code">
<span style="color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="font-size: 13px; line-height: 18px;"><b>show ospf neighbor</b></span></span><br />
<span style="color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="font-size: 13px; line-height: 18px;">Address Interface State ID Pri Dead</span></span><br />
<span style="color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="font-size: 13px; line-height: 18px;">172.16.30.6 gr-0/0/0.0 Full 10.200.200.1 128 39</span></span><br />
<span style="color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="font-size: 13px; line-height: 18px;"><br /></span></span>
<span style="color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="font-size: 13px; line-height: 18px;"><b>show route protocol ospf </b></span></span><br />
<span style="color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="font-size: 13px; line-height: 18px;">inet.0: 16 destinations, 17 routes (16 active, 0 holddown, 0 hidden)</span></span><br />
<span style="color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="font-size: 13px; line-height: 18px;">+ = Active Route, - = Last Active, * = Both</span></span><br />
<span style="color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="font-size: 13px; line-height: 18px;"></span></span>
<span style="color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="font-size: 13px; line-height: 18px;">10.200.200.0/24 *[OSPF/10] 00:03:17, metric 2</span></span><br />
<span style="color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="font-size: 13px; line-height: 18px;"> > via gr-0/0/0.0</span></span><br />
<span style="color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="font-size: 13px; line-height: 18px;">172.16.30.4/30 [OSPF/10] 00:03:28, metric 1</span></span><br />
<span style="color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="font-size: 13px; line-height: 18px;"> > via gr-0/0/0.0</span></span><br />
<span style="color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="font-size: 13px; line-height: 18px;">224.0.0.5/32 *[OSPF/10] 00:03:38, metric 1</span></span><br />
<span style="color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="font-size: 13px; line-height: 18px;"> MultiRecv</span></span><br />
<span style="color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="font-size: 13px; line-height: 18px;"><br /></span></span>
</div>
<span style="color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="font-size: 13px; line-height: 18px;">You'll notice that if you try to ping the remote hosts, you'll get drop logs for DMZ -> DMZ:</span></span>
<br />
<div class="code">
<span style="color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="font-size: 13px; line-height: 18px;">May 2 09:47:27 192.168.0.212 <b>RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.200.200.100/1->10.100.100.101/36102 icmp 1(8) global_drop_all(global) DMZ DMZ</b> UNKNOWN UNKNOWN N/A(N/A) fe-0/0/5.0 No</span></span>
</div>
<div>
<br /></div>
<span style="color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="font-size: 13px; line-height: 18px;">Finally, create a new policy to allow the new DMZ<->DMZ traffic we've just bridged:</span></span><br />
<div class="code">
<span style="color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="font-size: 13px; line-height: 18px;">set security policies from-zone DMZ to-zone DMZ policy DMZ_to_DMZ match source-address 10.100.100.0/24</span></span><br />
<span style="color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="font-size: 13px; line-height: 18px;">set security policies from-zone DMZ to-zone DMZ policy DMZ_to_DMZ match source-address 10.200.200.0/24</span></span><br />
<span style="color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="font-size: 13px; line-height: 18px;">set security policies from-zone DMZ to-zone DMZ policy DMZ_to_DMZ match destination-address 10.200.200.0/24</span></span><br />
<span style="color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="font-size: 13px; line-height: 18px;">set security policies from-zone DMZ to-zone DMZ policy DMZ_to_DMZ match destination-address 10.100.100.0/24</span></span><br />
<span style="color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="font-size: 13px; line-height: 18px;">set security policies from-zone DMZ to-zone DMZ policy DMZ_to_DMZ match application any</span></span><br />
<span style="color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="font-size: 13px; line-height: 18px;">set security policies from-zone DMZ to-zone DMZ policy DMZ_to_DMZ then permit</span></span><br />
<span style="font-size: 13px; line-height: 18px;"><span style="color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"></span></span>
<span style="color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="font-size: 13px; line-height: 18px;">set security policies from-zone DMZ to-zone DMZ policy DMZ_to_DMZ then log session-init</span></span>
</div>
<span style="color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="font-size: 13px; line-height: 18px;"><br /></span></span>
<span style="color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="font-size: 13px; line-height: 18px;">Verify our connectivity again by pinging from the remote hosts across the tunnel:</span></span><br />
<div class="code">
<span style="color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="font-size: 13px; line-height: 18px;"><b>show security flow session destination-prefix 10.100.100/24 </b></span></span><br />
<span style="color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="font-size: 13px; line-height: 18px;">Session ID: 38948, Policy name: DMZ_to_DMZ/15, Timeout: 2, Valid</span></span><br />
<span style="color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="font-size: 13px; line-height: 18px;"> In: 10.200.200.100/17 --> 10.100.100.101/36614;icmp, If: gr-0/0/0.0, Pkts: 1, Bytes: 84</span></span><br />
<span style="color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="font-size: 13px; line-height: 18px;"> Out: 10.100.100.101/36614 --> 10.200.200.100/17;icmp, If: fe-0/0/5.0, Pkts: 1, Bytes: 84</span></span>
</div>
<span style="color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="font-size: 13px; line-height: 18px;"><br /></span></span>
<span style="color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="font-size: 13px; line-height: 18px;"><b>And we're done!</b></span></span><br />
<span style="color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; text-decoration: line-through;"><span style="font-size: 13px; line-height: 18px;"><b><br /></b></span></span>
<span style="color: #222222; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="font-size: 13px; line-height: 18px;"><strike>Full configuration will be uploaded to github shortly (once they're done their maintenance).</strike><br /><a href="https://raw.github.com/craigdods/SRX_Configs/master/OSPF_GRE_IPSEC" target="_blank">Full configuration on github</a></span></span><br />
Juniper SRX - Route Based VPN How To (2013-05-01)<br />
Hi everyone,<br />
<br />
I'm currently working on my JNCIE-SEC, and figured I'd start posting some of the labs I'm working on. This one is the basis for all of my route-based VPN configuration.<br />
<br />
Basic topology (we'll build on this later for more interesting things like OSPF over GRE):<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgANWlc4wOulrqt6DMO78fEv1uUwDp-fEQ8F9EUmnFIbhEHuXfjLjGm-M_q8QVCNQcMGGcdtorAIhu4C90nA49H4LNKpSOW5W1_RmZOefOUfR9ATJUuOGT1sSiXCWAKyodDQbqHGl_YnjI/s1600/SRXOSPFGRE2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="498" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgANWlc4wOulrqt6DMO78fEv1uUwDp-fEQ8F9EUmnFIbhEHuXfjLjGm-M_q8QVCNQcMGGcdtorAIhu4C90nA49H4LNKpSOW5W1_RmZOefOUfR9ATJUuOGT1sSiXCWAKyodDQbqHGl_YnjI/s640/SRXOSPFGRE2.png" width="640" /></a></div>
<br />
<br />
We'll do this for SRX210_A only, mirror the config to SRX210_B with slight adjustments if you're following along:<br />
<br />
<b>Creating a route-based IPSEC VPN</b><br />
<br />
<b>Create the Secure Tunnel Interface (st0.0)</b><br />
<br />
<div class="code">
set interfaces st0 unit 0 family inet address 172.16.30.1/30<br />
set security zones security-zone VPN interfaces st0.0</div>
<br />
<b>Create the IKE policy and proposal (phase one)</b><br />
<br />
<div class="code">
set security ike proposal ike_aes_128 dh-group group2<br />
set security ike proposal ike_aes_128 authentication-method pre-shared-keys<br />
set security ike proposal ike_aes_128 authentication-algorithm sha1<br />
set security ike proposal ike_aes_128 encryption-algorithm aes-128-cbc<br />
<br />
set security ike policy phase1_aes_128 mode main<br />
set security ike policy phase1_aes_128 pre-shared-key ascii-text vpn123<br />
set security ike policy phase1_aes_128 proposals ike_aes_128</div>
<br />
<b>Create the IKE Gateway (SRX210_B across ae1.0 - 172.19.1.2)</b><br />
<br />
<div class="code">
set security ike gateway SRX210_B ike-policy phase1_aes_128<br />
set security ike gateway SRX210_B external-interface ae1.0<br />
set security ike gateway SRX210_B address 172.19.1.2</div>
<b>Create the IPSEC policy and proposal (phase two)</b><br />
<br />
<div class="code">
set security ipsec proposal ipsec_aes_128 protocol esp<br />
set security ipsec proposal ipsec_aes_128 authentication-algorithm hmac-sha1-96<br />
set security ipsec proposal ipsec_aes_128 encryption-algorithm aes-128-cbc<br />
set security ipsec policy phase2_aes_128 proposals ipsec_aes_128</div>
<b>Create the VPN and bind it to st0.0</b><br />
<div class="code">
set security ipsec vpn VPN_To_SRX210_B ike gateway SRX210_B<br />
set security ipsec vpn VPN_To_SRX210_B ike ipsec-policy phase2_aes_128<br />
set security ipsec vpn VPN_To_SRX210_B establish-tunnels immediately<br />
set security ipsec vpn VPN_To_SRX210_B bind-interface st0.0</div>
<br />
<b>Verify the tunnel is up and working correctly (after configuring the peer):</b><br />
<div class="code">
<b>show security ike security-associations</b><br />
Index State Initiator cookie Responder cookie Mode Remote Address <br />
2534013 UP 1e051d13d519794d 1d833a97c85cf299 Main 172.19.1.2 <br />
<br />
<b>show security ipsec security-associations</b><br />
Total active tunnels: 1<br />
ID Algorithm SPI Life:sec/kb Mon vsys Port Gateway <br />
<131073 ESP:aes-128/sha1 c7570e07 3526/ unlim - root 500 172.19.1.2 <br />
>131073 ESP:aes-128/sha1 21a14b61 3526/ unlim - root 500 172.19.1.2</div>
<br />
<b>And we're done! (sort of...)</b><br />
We still have to configure a security policy to allow traffic to traverse between our VPN zone and our internal resources, as well as create the correct routes for our peer's encryption domains. Since I'll be doing a tutorial on how to set up OSPF over GRE later on (to work with those pesky, lesser vendors), I'll leave this part blank for now. I'm sure you already know how to do this anyway :)<br />
<br />
<a href="https://raw.github.com/craigdods/SRX_Configs/master/Route_Based_VPN_Basic" target="_blank">Github for the full configuration</a><br />
<br />
Edit: Since someone has already asked how to make a generic working-config, this is basically how you do it:<br />
<br />
<b>Add a route for the remote encryption domain pointing to your secure tunnel interface:</b><br />
<div class="code">
set routing-options static route 10.200.200.0/24 next-hop st0.0
</div>
<br />
<b>Add appropriate policies to permit traffic (bidirectional optional):</b><br />
<div class="code">
set security policies from-zone VPN to-zone DMZ policy Allow_All match source-address any destination-address any application any<br />
set security policies from-zone VPN to-zone DMZ policy Allow_All then permit<br />
set security policies from-zone VPN to-zone DMZ policy Allow_All then log session-init<br />
<br />
set security policies from-zone DMZ to-zone VPN policy Allow_All match source-address any destination-address any application any<br />
set security policies from-zone DMZ to-zone VPN policy Allow_All then permit<br />
set security policies from-zone DMZ to-zone VPN policy Allow_All then log session-init</div>
Syslog-ng server recording remote syslog streams (2013-04-22)<br />
Just a quick how-to for capturing remote syslog streams on Gentoo using syslog-ng.<br />
<br />
1) Backup your current configuration:<br />
<div class="code">
cp /etc/syslog-ng/syslog-ng.conf /etc/syslog-ng/syslog-ng.conf.backup<br />
</div>
<br />
2) Modify the existing configuration file to accept any and all syslog messages directed at the system (note: not exactly 'organized', since everything lands in one file, but useful for a quick replication):<br />
<br />
Paste the following above '<b>source src {</b>' (modify the TCP port/max-connections if required):<br />
<div class="code">
source s_syslog { unix-stream("/dev/log");<br />
udp();<br />
tcp(ip(0.0.0.0) port(5000) max-connections(300));<br />
pipe("/proc/kmsg");<br />
};<br />
<br />
destination d_syslog { file("/var/log/remote-syslog"); };<br />
log { source(s_syslog); destination(d_syslog); };</div>
3) Restart syslog-ng via openrc (or systemd, whatever you're using). Ignore the pipe/FIFO errors:<br />
<div class="code">
# /etc/init.d/syslog-ng restart<br />
* Stopping syslog-ng ...<br />
[ ok ]<br />
* Starting syslog-ng ...<br />
[ ok ]</div>
<div>
4) Check to see that your new syslogs are being recorded to /var/log/remote-syslog:</div>
<div>
<div>
<div class="code">
# tail -f /var/log/remote-syslog<br />
Apr 22 15:10:10 NiXToP syslog-ng[8878]: syslog-ng starting up; version='3.3.5'<br />
Apr 23 02:40:52 192.168.0.211 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 192.168.0.10/44870->172.19.1.2/443 junos-https 6(0) global_drop_all(global) Trust Trust UNKNOWN UNKNOWN N/A(N/A) fe-0/0/6.0 No<br />
Apr 23 02:40:56 192.168.0.211 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 192.168.0.10/46526->172.19.1.2/80 junos-http 6(0) global_drop_all(global) Trust Trust UNKNOWN UNKNOWN N/A(N/A) fe-0/0/6.0 No </div>
For future reference:<br />
<div class="code">
# uname -r && syslog-ng -V | head -n 1<br />
3.8.6-gentoo<br />
syslog-ng 3.3.5</div>
</div>
<div>
<br /></div>
</div>
<br />
<b>Juniper SRX - Determine exact cause of high CPU on PFE</b> (2013-04-20)<br />
<br />
Hi Everyone,<br />
<br />
Instead of relying on the sanitized/basic information the SRX generally gives you via the usual commands, it's possible to log into the PFE directly and determine which underlying subsystem (thread) is causing the issue:<br />
<br />
Log into your PFE (there are LOTS of hidden commands available here, but I'll focus on threads):<br />
<br />
<div class="code">
root@SRX210_A# run start shell pfe network fwdd<br />
<br />
<br />
BSD platform (OCTEON processor, 416MB memory, 8192KB flash)<br />
<div>
<br /></div>
<div>
<div>
FLOWD_OCTEON(SRX210_A vty)# show threads</div>
<div>
PID PR State Name Stack Use Time (Last/Max/Total) cpu</div>
<div>
--- -- ------- --------------------- --------- ---------------------</div>
<div>
1 H asleep Maintenance 976/73824 0/7/14 ms 0%</div>
<div>
2 L running Idle 1296/73824 0/8/10035 ms 0%</div>
<div>
3 H asleep Timer Services 1040/73824 0/8/270 ms 0%</div>
<div>
5 L asleep Ukern Syslog 856/73824 0/0/0 ms 0%</div>
<div>
6 L asleep Sheaf Background 1296/73824 0/0/0 ms 0%</div>
<div>
7 M asleep mac_db 856/73824 0/0/0 ms 0%</div>
<div>
8 M asleep Docsis 1072/73824 0/8/184 ms 0%</div>
<div>
9 M asleep ATMX 1136/73824 0/8/491 ms 0%</div>
<div>
10 M asleep XDSL 1352/73824 0/8/30394 ms 0%</div>
<div>
11 M asleep DSX50ms 1272/73824 0/8/2491 ms 0%</div>
<div>
12 M asleep DSXonesec 1048/73824 0/8/104 ms 0%</div>
<div>
13 M asleep SFP 1216/73824 0/8/295 ms 0%</div>
<div>
14 M asleep Ethernet 1184/73824 0/15/90202 ms 1%</div>
<div>
15 M asleep RSMON syslog thread 1024/73824 0/0/0 ms 0%</div>
<div>
16 L asleep Syslog 1264/73824 0/8/113 ms 0%</div>
<div>
17 M asleep Fwdd Notif Recv 1512/73824 0/8/2816 ms 0%</div>
<div>
18 M asleep Forwarding Thread 2456/73824 0/15/36745 ms 0%</div>
<div>
19 M asleep Periodic 12936/73824 0/15/21958 ms 0%</div>
<div>
20 M asleep USB Thread 1328/73824 0/8/776 ms 0%</div>
<div>
21 M asleep FPC_IPC-Thread 2368/73824 0/0/0 ms 0%</div>
<div>
22 H asleep TTP Receive 1320/73824 0/15/6219 ms 0%</div>
<div>
23 H ready TTP Transmit 1104/73824 0/8/1480 ms 0%</div>
<div>
24 M asleep UDP Input 904/73824 0/0/0 ms 0%</div>
<div>
25 H asleep TCP Timers 1264/73824 0/8/312 ms 0%</div>
<div>
26 H asleep TCP Receive 816/73824 0/0/0 ms 0%</div>
<div>
32 L asleep Console 3504/73824 7/7/7 ms 0%</div>
<div>
.................etc</div>
</div>
</div>
<div>
<br />
You can then look into a particular thread more closely if desired (here PID 14, the Ethernet thread, which has the highest total time in the table above):<br />
<br />
<div class="code">
FLOWD_OCTEON(SRX210_A vty)# show threads 14<br />
PID PR State Name Stack Use Time (Last/Max/Total) cpu<br />
--- -- ------- --------------------- --------- ---------------------<br />
14 M asleep Ethernet 1184/73824 0/15/95814 ms 1%<br />
<br />
Wakeups:<br />
Type ID Enabled Pending Context<br />
Semaphore 00 Yes No 0x489ac008<br />
Timer 00 Yes No 0x489ac158<br />
<br />
Frame 00: sp = 0x48cbab38, pc = 0x08014d94<br />
Frame 01: sp = 0x48cbabb0, pc = 0x08215c98<br />
Frame 02: sp = 0x48cbabf0, pc = 0x0802b960<br />
Frame 03: sp = 0x48cbac18, pc = 0x00012060</div>
<div>
<br /></div>
</div>
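Reading the Total column by eye gets tedious once the table is long, so here is an added example (my code, not from the post or from Juniper) that parses the 'show threads' table above and ranks the threads by accumulated time. The column layout is assumed from the output shown (with the blog's collapsed whitespace), and the Idle thread is excluded by default since it only accumulates time when nothing else runs:<br />

```python
"""Rank flowd threads from the SRX PFE 'show threads' table by accumulated CPU time.

Added example, not from the original post or from Juniper: it parses the
'show threads' output printed above (column layout assumed from that output,
with the blog's collapsed whitespace) and reports which threads have burned
the most time, which is the question you are asking when the PFE runs hot.
"""
import re
from typing import Dict, List

# One data row: PID, priority (H/M/L), state, name (may contain spaces),
# stack used/size, Last/Max/Total time in ms, and the cpu% column.
ROW_RE = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<pr>[HML])\s+(?P<state>\w+)\s+(?P<name>.+?)\s+"
    r"(?P<stack_used>\d+)/(?P<stack_size>\d+)\s+"
    r"(?P<last>\d+)/(?P<max>\d+)/(?P<total>\d+)\s+ms\s+(?P<cpu>\d+)%\s*$"
)


def parse_threads(text: str) -> List[Dict]:
    """Return one dict per thread row; prompt, header and '...etc' lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        rows.append({
            "pid": int(d["pid"]),
            "pr": d["pr"],
            "state": d["state"],
            "name": d["name"].strip(),
            # how close the thread is to exhausting its stack
            "stack_pct": round(100 * int(d["stack_used"]) / int(d["stack_size"]), 1),
            "last_ms": int(d["last"]),
            "max_ms": int(d["max"]),
            "total_ms": int(d["total"]),
            "cpu_pct": int(d["cpu"]),
        })
    return rows


def top_threads(text: str, n: int = 5, skip_idle: bool = True) -> List[Dict]:
    """Busiest threads by Total ms, each annotated with its share of non-idle time.

    The Idle thread accumulates time whenever nothing else runs, so it is
    excluded by default; otherwise it dominates on a healthy box.
    """
    rows = parse_threads(text)
    if skip_idle:
        rows = [r for r in rows if r["name"] != "Idle"]
    busy_ms = sum(r["total_ms"] for r in rows) or 1
    ranked = sorted(rows, key=lambda r: r["total_ms"], reverse=True)[:n]
    return [dict(r, share=round(r["total_ms"] / busy_ms, 3)) for r in ranked]


# 'show threads' output as printed in the post above (spacing collapsed by the blog).
SAMPLE = """FLOWD_OCTEON(SRX210_A vty)# show threads
PID PR State Name Stack Use Time (Last/Max/Total) cpu
--- -- ------- --------------------- --------- ---------------------
1 H asleep Maintenance 976/73824 0/7/14 ms 0%
2 L running Idle 1296/73824 0/8/10035 ms 0%
3 H asleep Timer Services 1040/73824 0/8/270 ms 0%
5 L asleep Ukern Syslog 856/73824 0/0/0 ms 0%
6 L asleep Sheaf Background 1296/73824 0/0/0 ms 0%
7 M asleep mac_db 856/73824 0/0/0 ms 0%
8 M asleep Docsis 1072/73824 0/8/184 ms 0%
9 M asleep ATMX 1136/73824 0/8/491 ms 0%
10 M asleep XDSL 1352/73824 0/8/30394 ms 0%
11 M asleep DSX50ms 1272/73824 0/8/2491 ms 0%
12 M asleep DSXonesec 1048/73824 0/8/104 ms 0%
13 M asleep SFP 1216/73824 0/8/295 ms 0%
14 M asleep Ethernet 1184/73824 0/15/90202 ms 1%
15 M asleep RSMON syslog thread 1024/73824 0/0/0 ms 0%
16 L asleep Syslog 1264/73824 0/8/113 ms 0%
17 M asleep Fwdd Notif Recv 1512/73824 0/8/2816 ms 0%
18 M asleep Forwarding Thread 2456/73824 0/15/36745 ms 0%
19 M asleep Periodic 12936/73824 0/15/21958 ms 0%
20 M asleep USB Thread 1328/73824 0/8/776 ms 0%
21 M asleep FPC_IPC-Thread 2368/73824 0/0/0 ms 0%
22 H asleep TTP Receive 1320/73824 0/15/6219 ms 0%
23 H ready TTP Transmit 1104/73824 0/8/1480 ms 0%
24 M asleep UDP Input 904/73824 0/0/0 ms 0%
25 H asleep TCP Timers 1264/73824 0/8/312 ms 0%
26 H asleep TCP Receive 816/73824 0/0/0 ms 0%
32 L asleep Console 3504/73824 7/7/7 ms 0%
.................etc
"""

if __name__ == "__main__":
    for r in top_threads(SAMPLE):
        print(f"{r['pid']:3d} {r['name']:20} total={r['total_ms']:6d} ms "
              f"share={r['share']:.1%} stack={r['stack_pct']}%")
```

Paste a fresh capture into SAMPLE (or read it from a file) and the busiest threads print first; a thread whose Total keeps climbing between two captures taken a minute apart is the one to drill into with 'show threads PID' as shown above.<br />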
<br />
<b>Juniper SRX - Compare Rollbacks</b> (2013-04-20)<br />
<br />
Hi Everyone,<br />
<br />
As requested, here is how you can do a diff between rollbacks:<br />
<br />
A) Determine which rollback you want to compare via:<br />
<div class="code">
root@SRX210_A> show system commit <br />
0 2013-04-21 08:46:04 UTC by root via cli<br />
1 2013-04-21 08:44:55 UTC by root via cli<br />
2 2013-04-21 08:43:58 UTC by root via cli<br />
3 2013-04-21 08:42:27 UTC by root via cli<br />
4 2013-04-21 08:35:52 UTC by root via cli<br />
5 2013-04-21 08:33:21 UTC by root via cli<br />
6 2013-04-21 08:25:22 UTC by root via cli<br />
7 2013-04-21 08:24:50 UTC by root via cli<br />
8 2013-04-21 07:57:11 UTC by root via cli<br />
9 2013-04-21 07:56:03 UTC by root via cli<br />
10 2013-04-21 07:53:25 UTC by root via cli<br />
11 2013-04-21 07:52:37 UTC by root via cli<br />
12 2013-04-21 07:47:42 UTC by root via cli<br />
13 2013-04-16 20:25:01 UTC by root via cli<br />
</div>
B) Select the rollback you wish to compare based on the above list via:<br />
<br />
<div class="code">
root@SRX210_A> show system rollback compare 5 0<br />
[edit security policies from-zone Trust to-zone Trust policy Trust_to_Trust match]<br />
- source-address Net_192.168.0.0/24;<br />
- destination-address any;<br />
- application any;<br />
+ source-address Net_192.168.0.0/24;<br />
+ destination-address any;<br />
+ application junos-icmp-all;<br />
[edit security zones security-zone Trust address-book]<br />
address Net_192.168.0.0/24 { ... }<br />
+ address Host_192.168.0.10 192.168.0.10/32;</div>
The output above compares rollback '5' with the active configuration '0': lines prefixed '-' exist only in rollback 5, and lines prefixed '+' only in the active configuration.<br />
<br />
<b>Juniper SRX - Create Global Drop/Cleanup rule</b> (2013-04-20)<br />
<br />
Hi everyone,<br />
<br />
To avoid having to create a logging drop rule on an SRX for every possible zone-to-zone combination, you can create a global cleanup rule as of Junos 12.1, like so:<br />
<br />
<div class="code">
# run show configuration security policies global | display set <br />
set security policies global policy global_drop_all match source-address any<br />
set security policies global policy global_drop_all match destination-address any<br />
set security policies global policy global_drop_all match application any<br />
set security policies global policy global_drop_all then deny<br />
set security policies global policy global_drop_all then log session-init<br />
</div>
A 'show security policies' will then show this as the last rule:<br />
<div class="code">
Global policies:<br />
Policy: global_drop_all, State: enabled, Index: 8, Scope Policy: 0, Sequence number: 1<br />
Source addresses: any<br />
Destination addresses: any<br />
Applications: any<br />
Action: deny, log</div>
<br />
Looking at the log itself, a hit on the rule shows up as:<br />
<br />
<div class="code">
Apr 21 08:36:23 SRX210_A RT_FLOW: RT_FLOW_SESSION_DENY: session denied 192.168.0.10/33514->172.19.1.1/80 junos-http 6(0) global_drop_all(global) Trust Trust UNKNOWN UNKNOWN N/A(N/A) fe-0/0/6.0 No<br />
</div>
<br />
Logging is currently configured as:<br />
<div class="code">
set system syslog file traffic-log any any<br />
set system syslog file traffic-log match RT_FLOW_SESSION</div>
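Once these RT_FLOW_SESSION_DENY messages are landing in a file (locally as above, or on the syslog-ng collector from the earlier post on this page), the next question is who keeps hitting the cleanup rule. This added example (my code, not from the posts or from Juniper) parses the deny lines shown in both posts and tallies them by source, destination socket and policy; the field order is read off the printed messages, and the sample is those lines plus the syslog-ng start-up line that sits in the same file:<br />

```python
"""Parse SRX RT_FLOW_SESSION_DENY syslog lines and tally the denied sessions.

Added example, not from the original posts or from Juniper. It consumes the
session-deny messages that the global_drop_all rule emits and that the
syslog-ng setup earlier on this page writes to /var/log/remote-syslog, and
summarises them by source, destination and policy so that one host hammering
a closed port stands out. The field order is read off the messages printed in
the posts; SAMPLE_LOG is those lines plus the syslog-ng start-up line.
"""
import re
import sys
from collections import Counter
from typing import Dict, Iterable, Optional

# Protocol numbers as they appear in the '6(0)' column (IANA values).
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

DENY_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<reporter>\S+)\s+"
    r"RT_FLOW: RT_FLOW_SESSION_DENY: session denied\s+"
    r"(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+)\s+"
    r"(?P<service>\S+)\s+(?P<proto>\d+)\((?P<icmp_type>\d+)\)\s+"
    r"(?P<policy>[^\s(]+)(?:\((?P<scope>[^)]*)\))?\s+"
    r"(?P<from_zone>\S+)\s+(?P<to_zone>\S+)\s+(?P<app>\S+)\s+(?P<nested_app>\S+)\s+"
    r"(?P<user>\S+)\s+(?P<in_iface>\S+)\s+(?P<encrypted>\S+)"
)


def parse_deny(line: str) -> Optional[Dict]:
    """Fields of one RT_FLOW_SESSION_DENY line, or None if the line is something else."""
    m = DENY_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for key in ("sport", "dport", "proto", "icmp_type"):
        d[key] = int(d[key])
    d["proto_name"] = PROTO_NAMES.get(d["proto"], str(d["proto"]))
    return d


def summarize(lines: Iterable[str]) -> Dict:
    """Tally denies by source host, by destination socket and by policy name."""
    by_src, by_dst, by_policy = Counter(), Counter(), Counter()
    events, skipped = [], 0
    for line in lines:
        if not line.strip():
            continue
        ev = parse_deny(line)
        if ev is None:
            skipped += 1          # e.g. the syslog-ng start-up line
            continue
        events.append(ev)
        by_src[ev["src"]] += 1
        by_dst[f"{ev['dst']}:{ev['dport']}/{ev['proto_name']}"] += 1
        by_policy[ev["policy"]] += 1
    return {"events": events, "skipped": skipped,
            "by_src": by_src, "by_dst": by_dst, "by_policy": by_policy}


# Lines as printed in the two posts (the first is syslog-ng itself starting).
SAMPLE_LOG = """\
Apr 22 15:10:10 NiXToP syslog-ng[8878]: syslog-ng starting up; version='3.3.5'
Apr 23 02:40:52 192.168.0.211 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 192.168.0.10/44870->172.19.1.2/443 junos-https 6(0) global_drop_all(global) Trust Trust UNKNOWN UNKNOWN N/A(N/A) fe-0/0/6.0 No
Apr 23 02:40:56 192.168.0.211 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 192.168.0.10/46526->172.19.1.2/80 junos-http 6(0) global_drop_all(global) Trust Trust UNKNOWN UNKNOWN N/A(N/A) fe-0/0/6.0 No
Apr 21 08:36:23 SRX210_A RT_FLOW: RT_FLOW_SESSION_DENY: session denied 192.168.0.10/33514->172.19.1.1/80 junos-http 6(0) global_drop_all(global) Trust Trust UNKNOWN UNKNOWN N/A(N/A) fe-0/0/6.0 No
"""

if __name__ == "__main__":
    # Pass a path (e.g. /var/log/remote-syslog) to summarise a real file instead.
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    s = summarize(lines)
    print(f"{len(s['events'])} denies parsed, {s['skipped']} other lines skipped")
    for key, count in s["by_dst"].most_common():
        print(f"{count:4d}  {key}")
    for key, count in s["by_src"].most_common(10):
        print(f"{count:4d}  from {key}")
```

Run it against /var/log/remote-syslog on the collector and the most-hit closed ports and the noisiest sources print first; a single source with a long tail of distinct destination ports is the pattern worth a closer look.<br />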
<br />
<b>SPLAT R76 fails to install on VMware ESXi 5</b> (2013-03-15)<br />
<br />
Hi everyone,<br />
<br />
Just a quick one: I went to install the open-server version of SPLAT R76 today on our ESXi host and ran into an error almost immediately. It was the same anaconda error that is found in CheckPoint <a href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk92354&js_peid=P-114a7bc3b09-10006&partition=Advanced&product=Security" target="_blank">sk92354</a> :<br />
<br />
<div class="code">
<code>Traceback (most recent call last):<br />File "/usr/bin/anaconda", line 661, in ?<br />intf.run(id, dispatch, configFileData)<br />File "/usr/lib/anaconda/text.py", line 441, in run<br />rc = apply(win, (self.screen, ) + args)<br />File "/usr/lib/anaconda/textw/splat_comps_text.py", line 56, in __call__<br />splatCompProcess("Software Blades", screen, meothod, sc,selectedProductsObj,prodLine)<br />File "/usr/lib/anaconda/textw/splat_comps_text.py", line 48, in splatCompProcess<br />while (sc.copyNextFile(CD) == -1):<br />File "/usr/lib/anaconda/splatcomps.py", line 231, in copyNextFile<br />ret = self.copyFile(source, dir, dest)<br />File "/usr/lib/anaconda/splatcomps.py", line 85, in copyFile<br />os.write(d, count)</code>
</div>
<br />
Changing the SCSI controller from VMware Paravirtual to LSI Logic SAS allows the system to run through the initial configuration/formatting correctly.<br />
<br />
<b>WGET on CheckPoint</b> (2013-02-22)<br />
<br />
Just a quick post here since I've been asked about the best way of transferring the scripts I host on GitHub to a FW. The answer of course is wget :)<br />
<br />
It's not in the default $PATH on SPLAT/GAIA, however on every version I've looked at, CP has it tucked away somewhere on the device.<br />
<br />
<b>For example:</b><br />
<div class="code">
[Expert@R75-B]# wget<br />
-bash: wget: command not found<br />
[Expert@R75-B]# find / -name wget<br />
/var/tmp/CD1/linux/MiniWrapperForMajor/linux/Actions/wget<br />
/sysimg/CPwrapper/linux/MiniWrapperForMajor/linux/Actions/wget<br />
<br />
</div>
If you want to pull one of my scripts down directly (assuming you've got a name server in /etc/resolv.conf...), just call the binary by the full path from one of the find results, like so:<br />
<br />
<b>Tada:</b><br />
<div class="code">
[Expert@R75-B]# /sysimg/CPwrapper/linux/MiniWrapperForMajor/linux/Actions/wget https://raw.github.com/craigdods/scripts/master/interface_rebuild_splat.sh<br />
--10:14:27-- https://raw.github.com/craigdods/scripts/master/interface_rebuild_splat.sh<br />
=> `interface_rebuild_splat.sh.1'<br />
Resolving raw.github.com... done.<br />
Connecting to raw.github.com[199.27.72.133]:443... connected.<br />
HTTP request sent, awaiting response... 200 OK<br />
Length: 748 [text/plain]<br />
<br />
100%[=================================================================================================================================================================================================>] 748 730.47K/s ETA 00:00<br />
<br />
10:14:27 (730.47 KB/s) - `interface_rebuild_splat.sh.1' saved [748/748]<br />
<div style="font-weight: bold;">
<br /></div>
</div>
<br />
<br />
<b>SPLAT: Interface rebuild script</b> (2013-02-22)<br />
<br />
Hi everyone,<br />
<br />
Today I got tired of using sysconfig to create hundreds of subinterfaces while migrating large FWs to new hardware, so I've gone ahead and made a script which does it for you.<br />
<br />
First (optional, really), take a backup of your existing firewall with this script:<br />
<br />
<a href="https://raw.github.com/craigdods/scripts/master/interface_backup.sh" target="_blank">Interface Backup Script</a><br />
<br />
<b>Side note:</b><br />
Besides using this to restore or migrate interfaces, you can also use it to configure a brand-new device quickly, since the file format is trivial (one line per interface: interface IP netmask).<br />
<br />
Second, transfer the file (or create your own) on the new hardware, and run the rebuild script:<br />
<br />
<a href="https://raw.github.com/craigdods/scripts/master/interface_rebuild_splat.sh" target="_blank">Interface Rebuild Script</a><br />
<br />
Here it is in action:<br />
<br />
<b>New firewall (basic config):</b><br />
<div class="code">
[Expert@R75-B]# ifconfig -a | grep -A 1 eth<br />
eth0 Link encap:Ethernet HWaddr 00:0C:29:13:5C:FC<br />
inet addr:192.168.0.60 Bcast:192.168.0.255 Mask:255.255.255.0<br />
--<br />
eth1 Link encap:Ethernet HWaddr 00:0C:29:13:5C:06<br />
BROADCAST MULTICAST MTU:1500 Metric:1<br />
--<br />
eth2 Link encap:Ethernet HWaddr 00:0C:29:13:5C:10<br />
BROADCAST MULTICAST MTU:1500 Metric:1</div>
<br />
<b>Run the script:</b><br />
<div class="code">
[Expert@R75-B]# ./interface_rebuild_splat.sh<br />
Hello, please enter the correct log file to analyze<br />
firewall_interfaces_backup<br />
Thank you - Recreating interfaces now<br />
Finished recreating the interfaces...<br />
<br />
Please remember to run <b>ifconfig --save</b> when finished!<br />
Goodbye<br />
[Expert@R75-B]# ifconfig --save</div>
<br />
<b>We can now see all of our interfaces have been created and are present in netconf.C:</b><br />
<div class="code">
[Expert@R75-B]# ifconfig -a | grep -A 1 eth<br />
eth0 Link encap:Ethernet HWaddr 00:0C:29:13:5C:FC<br />
inet addr:192.168.0.60 Bcast:192.168.0.255 Mask:255.255.255.0<br />
--<br />
eth1 Link encap:Ethernet HWaddr 00:0C:29:13:5C:06<br />
inet addr:1.1.1.1 Bcast:1.1.1.255 Mask:255.255.255.0<br />
--<br />
eth2 Link encap:Ethernet HWaddr 00:0C:29:13:5C:10<br />
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br />
--<br />
eth2:2 Link encap:Ethernet HWaddr 00:0C:29:13:5C:10<br />
inet addr:10.2.2.1 Bcast:10.2.2.255 Mask:255.255.255.0<br />
--<br />
eth2:3 Link encap:Ethernet HWaddr 00:0C:29:13:5C:10<br />
inet addr:10.3.3.1 Bcast:10.3.3.255 Mask:255.255.255.0<br />
--<br />
eth2:4 Link encap:Ethernet HWaddr 00:0C:29:13:5C:10<br />
inet addr:10.4.4.1 Bcast:10.4.4.255 Mask:255.255.255.0<br />
--<br />
eth2:5 Link encap:Ethernet HWaddr 00:0C:29:13:5C:10<br />
inet addr:10.5.5.1 Bcast:10.5.5.255 Mask:255.255.255.0<br />
--<br />
eth2:6 Link encap:Ethernet HWaddr 00:0C:29:13:5C:10<br />
inet addr:10.6.6.1 Bcast:10.6.6.255 Mask:255.255.255.0<br />
--<br />
eth2:7 Link encap:Ethernet HWaddr 00:0C:29:13:5C:10<br />
inet addr:10.7.7.1 Bcast:10.7.7.255 Mask:255.255.255.0<br />
<br />
etc....</div>
<br />
<b>You can see them via sysconfig:</b><br />
<div class="code">
Choose a connection to display ('e' to exit):<br />
------------------------------------------------------------------<br />
1) eth0 4) eth2:10 7) eth2:13 10) eth2:3 13) eth2:6<br />
2) eth1 5) eth2:11 8) eth2:14 11) eth2:4 14) eth2:7<br />
3) eth2 6) eth2:12 9) eth2:2 12) eth2:5 15) eth2:8<br />
------------------------------------------------------------------<br />
(Note: configuration changes are automatically saved)</div>
<br />
<b>And it's in netconf.C:</b><br />
<div class="code">
[Expert@R75-B]# cat /etc/sysconfig/netconf.C | grep -B 1 -A 6 eth2:6<br />
: (conn<br />
:ifname ("eth2:6")<br />
:type (3)<br />
:ipaddr ("10.6.6.1/24")<br />
:onboot (1)<br />
:depend-on (eth2)<br />
:s-code (0)<br />
)</div>
<br />
You might find this useful in combination with my route rebuild scripts located here:<br />
<br />
<a href="http://expert-mode.blogspot.ca/2012/08/splatgaia-static-route-migration-scripts.html" target="_blank">Route rebuild scripts for SPLAT+GAIA</a><br />
<br />
Hopefully some of you get some use out of this! :)<br />
<br />
<div>
<br /></div>
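The rebuild script trusts whatever is in the backup file, and a typo on line 80 of a 150-line interface list is not something you want to discover on the console of a freshly migrated firewall. This added example (my code, not the post's script, which is only linked above) reads the same 'interface IP netmask' format, validates every line before anything is applied (bad addresses, duplicate aliases, reused addresses) and prints the ifconfig calls plus the final 'ifconfig --save'; the standard Linux ifconfig syntax is an assumption, and the sample file is constructed:<br />

```python
"""Validate a SPLAT interface backup file and render the ifconfig commands to rebuild it.

Added example, not the post's own script (which is only linked above). It
assumes the file format the post describes, one 'interface IP netmask' line
per interface, checks every line before anything is applied, and prints the
ifconfig calls the rebuild would run followed by the 'ifconfig --save' the
post reminds you about. Command syntax is standard Linux ifconfig; the
rebuild script itself may do it differently. SAMPLE is constructed.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# eth2 or an alias such as eth2:6 (SPLAT creates secondary addresses as aliases).
IFACE_RE = re.compile(r"^[A-Za-z][\w.-]*(?::\d+)?$")


def parse_backup(text: str) -> Tuple[List[Dict], List[str]]:
    """Return (valid entries, error messages). Bad lines never reach the command list."""
    entries, errors = [], []
    seen_ifaces, seen_addrs = set(), set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            errors.append(f"line {lineno}: expected 'interface IP netmask', got {line!r}")
            continue
        iface, ip, mask = parts
        if not IFACE_RE.match(iface):
            errors.append(f"line {lineno}: bad interface name {iface!r}")
            continue
        try:
            addr = ipaddress.IPv4Interface(f"{ip}/{mask}")   # accepts dotted netmasks
        except ValueError as exc:
            errors.append(f"line {lineno}: {exc}")
            continue
        net = addr.network
        if net.prefixlen not in (31, 32) and addr.ip in (net.network_address, net.broadcast_address):
            errors.append(f"line {lineno}: {ip} is the network or broadcast address of {net}")
            continue
        if iface in seen_ifaces:
            errors.append(f"line {lineno}: interface {iface} listed twice")
            continue
        if addr.ip in seen_addrs:
            errors.append(f"line {lineno}: address {ip} already assigned")
            continue
        seen_ifaces.add(iface)
        seen_addrs.add(addr.ip)
        entries.append({"iface": iface, "ip": ip, "mask": mask,
                        "cidr": addr.with_prefixlen})   # netconf.C style, e.g. 10.6.6.1/24
    return entries, errors


def render_commands(entries: List[Dict]) -> List[str]:
    """ifconfig lines in file order, then the save that writes netconf.C."""
    cmds = [f"ifconfig {e['iface']} {e['ip']} netmask {e['mask']} up" for e in entries]
    cmds.append("ifconfig --save")
    return cmds


# Constructed backup file: three good lines, a duplicate alias and a bad address.
SAMPLE = """\
# interface ip netmask
eth1 1.1.1.1 255.255.255.0
eth2:2 10.2.2.1 255.255.255.0
eth2:3 10.3.3.1 255.255.255.0
eth2:3 10.4.4.1 255.255.255.0
eth4 300.1.1.1 255.255.255.0
"""

if __name__ == "__main__":
    ok, problems = parse_backup(SAMPLE)
    for p in problems:
        print("SKIP:", p)
    if problems:
        print("fix the file first; the commands below cover only the valid lines")
    for cmd in render_commands(ok):
        print(cmd)
```

Feed it the real backup file and only run the printed commands once the SKIP list is empty; the cidr value it computes for each line is what you should then see in the ipaddr field of netconf.C after 'ifconfig --save'.<br />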
<br />
<b>How to calculate the total amount of FireWall Logs per second</b> (2012-12-11)<br />
<br />
### Posting this here for the time being since the support site's SK is broken..<br />
<br />
Edit: Not sure why CP runs this as three separate commands... just copy/paste this single line and you'll get your number (it sleeps for 120 seconds):<br />
<br />
<div class="code">
SLEEP_TIME=120;SIZE_BEFORE=$(ls -l $FWDIR/log/fw.logptr | awk '{print $5}') ; sleep $SLEEP_TIME ; SIZE_AFTER=$(ls -l $FWDIR/log/fw.logptr | awk '{print $5}');expr \( $SIZE_AFTER - $SIZE_BEFORE \) \/ \( 4 \* $SLEEP_TIME \)</div>
<br />
####### <br />
<br />
Follow these steps to calculate/count the total number of FireWall Logs per second that arrive at this Security Management Server from all its managed Security Gateways:<br />
<ol>
<li>Connect to CLI on Security Management Server - over SSH, or console. <br /><br /> Note:<br /> On Multi-Domain Management Server, go to the context of the relevant Domain Management Server: <code>[Expert@HostName]# <b>mdsenv [Domain_Name|Domain_IP]</b></code> </li>
<li>Go to the Log directory: <br /><br /> <code>[Expert@HostName]# <b>cd $FWDIR/log</b></code> </li>
<li>Check by how much the size of the Pointer File grows during specific time<br /> (the time should be high enough to accumulate enough logs - e.g., 120 sec, 180 sec, etc): <br /><br /> <code>[Expert@HostName]# <b>ls -l fw.logptr ; sleep <i>SLEEP_TIME</i> ; ls -l fw.logptr</b></code> </li>
<li>Calculate the log rate per this formula: <br /><br /> <b><code>RATE = ( SIZE_AFTER - SIZE_BEFORE ) / ( 4 * SLEEP_TIME )</code></b> <br /><br /> Use these <i>three</i> commands to automate the calculations: <br /><br />
<dl><dd><code>[Expert@HostName]# <b>SLEEP_TIME=<i>number_of_seconds</i></b></code> <br />
<br />
<code>[Expert@HostName]# <b>SIZE_BEFORE=$(ls -l fw.logptr | awk '{print $5}') ; sleep $SLEEP_TIME ; SIZE_AFTER=$(ls -l fw.logptr | awk '{print $5}')</b></code> <br />
<br />
<code>[Expert@HostName]# <b>expr \( $SIZE_AFTER - $SIZE_BEFORE \) \/ \( 4 \* $SLEEP_TIME \)</b></code> </dd></dl>
<br /><br /> Note: if the rate value has to be used in a shell script, then use this syntax:<br /> <code>[Expert@HostName]# <b>RATE=$(expr \( $SIZE_AFTER - $SIZE_BEFORE \) \/ \( 4 \* $SLEEP_TIME \))</b></code> </li>
</ol>
<br />
<b>VSX: Policy installation failing due to "Can't open..."</b> (2012-12-07)<br />
<br />
Hi everyone,<br />
<br />
Had a new issue happen to me this morning while pushing policy to an R67 VSLS cluster. During the push, one MVS reported that all of its configuration files, plus those of its VSs, were missing.<br />
<br />
This output was taken from $CPDIR/log/cpd.elg, however the message within Dashboard was nearly identical:<br />
<br />
<div class="code">
<span style="font-size: x-small;">[7 Dec 12:46:04] file_digest: Can't open /opt/CPsuite-V40/fw1/policy/local.dt<br /><br />[7 Dec 12:46:04] file_digest: Can't open /opt/CPsuite-V40/fw1/policy/local.scv<br /><br />[7 Dec 12:46:04] file_digest: Can't open /opt/CPsuite-V40/fw1/policy/local.lp<br /><br />[7 Dec 12:46:04] file_digest: Can't open /opt/CPsuite-V40/fw1/policy/local.cfg<br /><br />[7 Dec 12:46:04] file_digest: Can't open /opt/CPsuite-V40/fw1/CTX/CTX00002/policy/local.dt<br /><br />[7 Dec 12:46:04] file_digest: Can't open /opt/CPsuite-V40/fw1/CTX/CTX00002/policy/local.scv<br /><br />[7 Dec 12:46:04] file_digest: Can't open /opt/CPsuite-V40/fw1/CTX/CTX00002/policy/local.lp<br /><br />[7 Dec 12:46:04] file_digest: Can't open /opt/CPsuite-V40/fw1/CTX/CTX00002/policy/local.cfg</span>
</div>
<br />
and so on, for all 13 VSs.<br />
<br />
Doing a quick 'ls' for any of those files returned nothing...<br />
<br />
I'm still not sure how the issue occurred (and on only one of the three MVS in the cluster), but running this will correct it by creating all of the missing files at once:<br />
<br />
<div class="code">
cat $CPDIR/log/cpd.elg | grep "file_digest: Can't open" | awk '{print "touch",$7}' | sh
</div>
<br />
<b>SPLAT + GAIA : Inaccessible via Console/SSH/GUI</b> (2012-11-23)<br />
<br />
Hi Everyone,<br />
<br />
Over the last few months I've seen a large number of SPLAT appliances (R71 through R75) become completely inaccessible via the "normal" methods. Upon further investigation it seems all of them are suffering from the same problem, which is quite strange as the three access methods use separate authentication schemes.<br />
<br />
<b>##It should be noted that *only* CP-branded appliances have been experiencing the issue, open servers seem to be safe from this.</b><br />
<b><br />Edit: Upon further investigation, it appears that all SPLAT and GAIA devices can be affected by this bug.</b><br />
<br />
Doing a debug of an SSH authentication attempt we can see the firewall immediately close the connection with a FIN, without ever re-prompting as it would if you had typed the wrong password:<br />
<br />
SSH attempt with the -vv flags:<br />
<div class="code">
admin@&lt;firewall_IP&gt;'s password:<br />
debug2: we sent a password packet, wait for reply<br />
Connection closed by &lt;host_IP&gt;</div>
<br />
TCPDUMP:<br />
<div class="code">
&lt;firewall_IP&gt;.22 &gt; &lt;host_IP&gt;.33506: F 1393:1393(0) ack 1269 win 79 &lt;nop,nop,timestamp 3558805529 352019454&gt; (DF)</div>
<br />
After trying multiple ways of "breaking in", we gave up, rebooted one of the devices and accessed it via maintenance mode, which was successful.<br />
<br />
Looking at /var/log/messages, we can see faillog is broken in some way:<br />
<div class="code">
cp_pam_tally[23237]: /var/log/faillog is either world writable or not a normal file</div>
<br />
Looking at the file in detail, we saw that it is completely corrupted (filled with random ASCII/hex garbage).<br />
<br />
Replacing the file with a fresh, empty copy (or simply removing it entirely) corrects the issue.<br />
<br />
However, next time /usr/bin/faillog is called to do a rollover, the file becomes corrupted once again, and all access is lost...<br />
<br />
To prevent this from happening, I've implemented a 'manual' rollover via cron so that faillog never has to do it itself (obviously set up from maintenance mode once the issue has occurred):<br />
<br />
To create a cron entry:<br />
<div class="code">
crontab -e</div>
<br />
<b>The editor on SPLAT is still vi(m), so press 'i' to enter insert mode, and type:</b><br />
<br />
<div class="code">
* * * * * /bin/bash /home/admin/faillog_rollover.sh</div>
<br />
This will have crond run the faillog_rollover.sh script every minute, which you can grab here (chmod +x it):<br />
<br />
<a href="https://raw.github.com/craigdods/scripts/master/faillog_rollover.sh" target="_blank">faillog_rollover.sh</a><br />
<br />
Make sure to adjust the path for the script in crontab if you don't place it in /home/admin/<br />
<br />
CheckPoint R&amp;D is also aware of the issue and is working on a corrected faillog binary (shadow-utils, really); for the time being, though, this is definitely an easy fix. Until the fixed binary is included in a normal release, I'd *highly* recommend having this cron job installed on any SPLAT-based appliance, since fixing the issue once it's occurred via maintenance mode isn't the easiest thing to schedule.<br />
<br />
Follow Up: CP has released a fixed shadow-utils RPM that addresses the issue, however they have confirmed GAIA is currently susceptible, and that the rollover fix will be incorporated into the <b>next</b> release of GAIA.<br />
<br />
Thanks for reading,<br />
<br />
<br />
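Since the lockout only becomes visible once every login path is already closed, it is worth checking the file proactively from a monitoring job. This added example (my code, not the post's rollover script, which is only linked above) reproduces the two conditions named in the cp_pam_tally message, world writable or not a normal file, and applies the fix described above, moving the corrupt file aside and creating a fresh, empty, root-only copy; demo_in_tempdir() exercises both on a scratch file rather than the real /var/log/faillog:<br />

```python
"""Check /var/log/faillog for the condition cp_pam_tally complains about, and reset it.

Added example, not from the post (whose rollover script is only linked above).
check_faillog() reproduces the two checks named in the syslog message,
'either world writable or not a normal file', plus a missing-file case, so a
monitoring job can catch the problem before every login path is closed.
reset_faillog() applies the post's fix: move the corrupt file aside and create
a fresh, empty, root-only copy. demo_in_tempdir() runs both on a scratch file
rather than the real one.
"""
import os
import stat
import tempfile
import time
from typing import List, Optional

FAILLOG = "/var/log/faillog"


def check_faillog(path: str = FAILLOG) -> List[str]:
    """Return the problems found; an empty list means the PAM module would accept the file."""
    problems = []
    try:
        st = os.lstat(path)            # lstat: a symlink is not a normal file either
    except FileNotFoundError:
        return ["missing"]
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_mode & stat.S_IWOTH:
        problems.append("world writable")
    return problems


def reset_faillog(path: str = FAILLOG) -> Optional[str]:
    """Move the current file aside (kept for inspection) and create an empty 0600 one.

    Returns the name of the saved copy, or None if there was nothing to move.
    """
    saved = None
    if os.path.lexists(path):
        saved = f"{path}.corrupt.{int(time.time())}"
        os.rename(path, saved)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    os.close(fd)
    os.chmod(path, 0o600)              # make the mode explicit regardless of umask
    return saved


def demo_in_tempdir() -> dict:
    """Create a world-writable scratch faillog, check it, reset it, check again."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "faillog")
        with open(path, "wb") as fh:
            fh.write(b"\xff" * 64)     # stands in for the garbage the post describes
        os.chmod(path, 0o666)
        before = check_faillog(path)
        saved = reset_faillog(path)
        after = check_faillog(path)
        return {
            "before": before,
            "after": after,
            "saved_exists": saved is not None and os.path.isfile(saved),
            "new_size": os.path.getsize(path),
            "new_mode": stat.S_IMODE(os.stat(path).st_mode),
        }


if __name__ == "__main__":
    print(demo_in_tempdir())
    print("real file:", check_faillog() or "ok")
```

Run check_faillog() from the same cron schedule as the rollover script and alert on a non-empty result; only call reset_faillog() as root, and keep the saved copy if you want to show Check Point what the corrupted file looked like.<br />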
<br />
<b>SPLAT/GAIA Static-Route migration scripts</b> (2012-08-15)<br />
<br />
Hi Everyone,<br />
<br />
So I recently came across a situation where I needed to accomplish two things quite quickly:<br />
1) Remove all active interfaces from a device and reconfigure them into load-sharing LACP bonds<br />
2) Restore the previous routing configuration to the device post-interface removal.<br />
<br />
Since #2 involved redoing over 1000 static routes, I of course didn't want to do this manually :)<br />
<br />
I've created two sets of scripts: one for backing up the current configuration, and one for restoring it after the config change.<br />
<br />
(I'd suggest using wget to pull the raw files, however you can copy them however you'd like):<br />
<br />
<br />
<b>Backups:</b><br />
<b>GAIA:</b><br />
<a href="https://raw.github.com/craigdods/scripts/master/route_backup_gaia.sh" target="_blank">route_backup_gaia.sh</a><br />
<b>SPLAT:</b><br />
<a href="https://raw.github.com/craigdods/scripts/master/route_backup_splat.sh" target="_blank">route_backup_splat.sh</a><br />
<br />
<b>Restoring:</b><br />
<b>GAIA</b><br />
<a href="https://raw.github.com/craigdods/scripts/master/route_rebuild_gaia.sh" target="_blank">route_rebuild_gaia.sh</a><br />
<b>SPLAT </b><br />
<a href="https://raw.github.com/craigdods/scripts/master/route_rebuild_splat.sh" target="_blank">route_rebuild_splat.sh</a><br />
<br />
<br />
As for how to use them, I'll give you a basic scenario. Currently most routes for my test box are via eth2, however I want to move this link into a bond for better throughput and availability.<br />
<br />
<br />
<div class="code">
GAIA1# clish -c "show route"<br />
Codes: C - Connected, S - Static, R - RIP, B - BGP,<br />
O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA)<br />
A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed<br />
<br />
S 0.0.0.0/0 via 192.168.0.1, eth0, cost 0, age 4<br />
C 10.100.100.0/24 is directly connected, eth2<br />
S 10.100.101.0/24 via 10.100.100.2, eth2, cost 0, age 5993<br />
S 10.100.102.0/24 via 10.100.100.2, eth2, cost 0, age 1090<br />
S 10.100.103.0/24 via 10.100.100.2, eth2, cost 0, age 1087<br />
S 10.100.104.0/24 via 10.100.100.2, eth2, cost 0, age 1084<br />
C 127.0.0.0/8 is directly connected, lo<br />
C 192.168.0.0/24 is directly connected, eth0</div>
<br />
Prior to making our changes, I run the backup script like so:<br />
<div class="code">
[Expert@GAIA1]# ./route_backup_gaia.sh<br />
Backing up routes now...<br />
<br />
DONE<br />
<br />
You can find your routes in /home/admin/150812_195030_GAIA1_routes.txt</div>
<br />
Looking through the route file you can see that it has been parsed into a useful format:<br />
<div class="code">
[Expert@GAIA1]# cat 150812_195030_GAIA1_routes.txt<br />
0.0.0.0/0 192.168.0.1<br />
10.100.101.0/24 10.100.100.2<br />
10.100.102.0/24 10.100.100.2<br />
10.100.103.0/24 10.100.100.2<br />
10.100.104.0/24 10.100.100.2</div>
<br />
We'll make our interface changes now (remove eth2, migrate to bond0).<br />
<br />
Post change we can see that we now have bond0 on 10.100.100.0/24; however, all of the static routes that went via eth2 are gone:<br />
<br />
<div class="code">
GAIA1> show route<br />
Codes: C - Connected, S - Static, R - RIP, B - BGP,<br />
O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA)<br />
A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed<br />
<br />
S 0.0.0.0/0 via 192.168.0.1, eth0, cost 0, age 5490<br />
C 10.100.100.0/24 is directly connected, bond0<br />
C 127.0.0.0/8 is directly connected, lo<br />
C 192.168.0.0/24 is directly connected, eth0</div>
<br />
Now we want to restore our previous routes:<br />
<div class="code">
[Expert@GAIA1]# ./route_rebuild_gaia.sh<br />
Hello, please enter the correct log file to analyze<br />
150812_195030_GAIA1_routes.txt<br />
150812_195030_GAIA1_routes.txt<br />
Thank you - Rebuilding the routing table now<br />
Finished rebuilding the routing table...<br />
<br />
Please remember to verify if the routes were rebuilt correctly!!<br />
Goodbye<br />
[Expert@GAIA1]# clish -c "show route"<br />
Codes: C - Connected, S - Static, R - RIP, B - BGP,<br />
O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA)<br />
A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed<br />
<br />
S 0.0.0.0/0 via 192.168.0.1, eth0, cost 0, age 5669<br />
C 10.100.100.0/24 is directly connected, bond0<br />
S 10.100.101.0/24 via 10.100.100.2, bond0, cost 0, age 12<br />
S 10.100.102.0/24 via 10.100.100.2, bond0, cost 0, age 12<br />
S 10.100.103.0/24 via 10.100.100.2, bond0, cost 0, age 12<br />
S 10.100.104.0/24 via 10.100.100.2, bond0, cost 0, age 12<br />
C 127.0.0.0/8 is directly connected, lo<br />
C 192.168.0.0/24 is directly connected, eth0</div>
<br />
And there you have it - nice and simple :)<br />
<br />
SPLAT works the same way, however the scripts themselves are different of course since we need to use CLISH now.<br />
<br />
If you want to get this to work on IPSO, the GAIA script would only need very minor modifications to how it deals with write-locks. If you need some help, let me know :)<br />
<br />
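The rebuild script ends with "Please remember to verify if the routes were rebuilt correctly!!", and with 1000+ routes that verification should not be done by eye either. This added example (my code, not the post's scripts, which are only linked above) does the three pieces in one place: it parses the clish 'show route' listing into the 'prefix nexthop' backup format shown above, renders the 'set static-route ... nexthop gateway address ... on' commands from the CLISH basics post on this page to rebuild them, and diffs a backup against a later 'show route' to list anything still missing. Mapping 0.0.0.0/0 to the clish 'default' keyword is an assumption on my part; the sample outputs are the ones printed in the post:<br />

```python
"""Turn Gaia 'show route' output into the 'prefix nexthop' backup format and back.

Added example, not the post's own scripts (those are only linked above). It
parses the clish 'show route' listing shown in the post, keeps only the
static (S) entries the way the backup file above does, renders the
'set static-route ... nexthop gateway address ... on' commands from the CLISH
basics post on this page to rebuild them, and diffs a backup against a later
'show route' so you can verify the rebuild as the script asks you to. Mapping
0.0.0.0/0 to the 'default' keyword is an assumption about clish syntax.
"""
import re
from typing import Dict, List

# 'S 10.100.101.0/24 via 10.100.100.2, eth2, cost 0, age 5993'
STATIC_RE = re.compile(
    r"^S\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+via\s+(?P<nexthop>\d+\.\d+\.\d+\.\d+),"
    r"\s+(?P<iface>\S+),\s+cost\s+(?P<cost>\d+)"
)


def parse_static_routes(show_route: str) -> List[Dict]:
    """Static routes from 'show route'; connected (C) and header lines are ignored."""
    routes = []
    for line in show_route.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            routes.append({"prefix": m["prefix"], "nexthop": m["nexthop"],
                           "iface": m["iface"], "cost": int(m["cost"])})
    return routes


def to_backup_lines(routes: List[Dict]) -> List[str]:
    """The two-column format the backup script writes: 'prefix nexthop'."""
    return [f"{r['prefix']} {r['nexthop']}" for r in routes]


def rebuild_commands(backup_lines: List[str]) -> List[str]:
    """clish commands that recreate each backed-up route (Gaia re-resolves the interface)."""
    cmds = []
    for line in backup_lines:
        prefix, nexthop = line.split()
        target = "default" if prefix == "0.0.0.0/0" else prefix   # assumed clish keyword
        cmds.append(f"set static-route {target} nexthop gateway address {nexthop} on")
    return cmds


def missing_routes(backup_lines: List[str], show_route_after: str) -> List[str]:
    """Backup entries not present (same prefix and next hop) in a later 'show route'."""
    present = set(to_backup_lines(parse_static_routes(show_route_after)))
    return [line for line in backup_lines if line not in present]


# 'show route' before the interface change, as printed in the post.
BEFORE = """\
Codes: C - Connected, S - Static, R - RIP, B - BGP,
 O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA)
 A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed

S 0.0.0.0/0 via 192.168.0.1, eth0, cost 0, age 4
C 10.100.100.0/24 is directly connected, eth2
S 10.100.101.0/24 via 10.100.100.2, eth2, cost 0, age 5993
S 10.100.102.0/24 via 10.100.100.2, eth2, cost 0, age 1090
S 10.100.103.0/24 via 10.100.100.2, eth2, cost 0, age 1087
S 10.100.104.0/24 via 10.100.100.2, eth2, cost 0, age 1084
C 127.0.0.0/8 is directly connected, lo
C 192.168.0.0/24 is directly connected, eth0
"""

# Immediately after eth2 became bond0, also from the post: only the default route survived.
AFTER_CHANGE = """\
S 0.0.0.0/0 via 192.168.0.1, eth0, cost 0, age 5490
C 10.100.100.0/24 is directly connected, bond0
C 127.0.0.0/8 is directly connected, lo
C 192.168.0.0/24 is directly connected, eth0
"""

if __name__ == "__main__":
    backup = to_backup_lines(parse_static_routes(BEFORE))
    print("\n".join(backup))
    print("--- rebuild commands:")
    print("\n".join(rebuild_commands(backup)))
    print("--- still missing after the change:")
    print("\n".join(missing_routes(backup, AFTER_CHANGE)))
```

After the rebuild, feed the new 'clish -c "show route"' output to missing_routes() together with the backup file; an empty list is the verification the script asks for, and anything left over is a route whose next hop is no longer reachable through the new bond.<br />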
<br />
<b>GAIA CLISH Basics (Interfaces,Routes,Bonds,Saving)</b> (2012-08-15)<br />
<br />
Here are some really 'basic' GAIA CLISH commands everyone should know.<br />
<br />
<br />
Basic configuration of an interface via CLISH (ifconfig/ethtool still work within the expert shell in case you prefer those):<br />
<br />
Configure the interface with an appropriate ipv4 address and netmask<br />
<div class="code">
<b>GAIA1> set interface eth2 ipv4-address 10.100.100.1 mask-length 24</b><br />
</div>
Interface comments<br />
<div class="code">
<b>GAIA1> set interface eth2 comments "Internal Interface"</b><br />
</div>
Interface speed hardcoding (use 'auto-negotiation on' instead if required)<br />
<div class="code">
<b>GAIA1> set interface eth2 link-speed 1000M/full</b><br />
</div>
Turn the interface on (administratively up)<br />
<div class="code">
<b>GAIA1> set interface eth2 state on</b><br />
</div>
Show current information<br />
<div class="code">
<b>GAIA1> show interface eth2 </b><br />
link-speed 1000M/full<br />
ipv6-autoconfig Not configured<br />
speed 1000M<br />
mac-addr 00:0c:29:38:9f:6d<br />
state on<br />
duplex full<br />
type ethernet<br />
comments {Internal Interface}<br />
mtu 1500<br />
auto-negotiation Not configured<br />
ipv4-address 10.100.100.1/24<br />
ipv6-address Not Configured<br />
<br />
Statistics: <br />
TX bytes:0 packets:0 errors:0 dropped:0 overruns:0 carrier:0<br />
RX bytes:0 packets:0 errors:0 dropped:0 overruns:0 frame:0<br />
<br />
</div>
<br />
Adding static routes in GAIA CLISH:<br />
<br />
Destination of 10.100.101.0/24 via 10.100.100.2<br />
<div class="code">
<b>GAIA1> set static-route 10.100.101.0/24 nexthop gateway address 10.100.100.2 on</b><br />
<br />
</div>
Viewing routes<br />
<div class="code">
<b>GAIA1> show route</b><br />
Codes: C - Connected, S - Static, R - RIP, B - BGP,<br />
O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA)<br />
A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed<br />
<br />
S 0.0.0.0/0 via 192.168.0.1, eth0, cost 0, age 2413 <br />
C 10.100.100.0/24 is directly connected, eth2 <br />
S 10.100.101.0/24 via 10.100.100.2, eth2, cost 0, age 37 <br />
S 10.100.102.0/24 via 10.100.100.2, eth2, cost 0, age 20 <br />
S 10.100.103.0/24 via 10.100.100.2, eth2, cost 0, age 17 <br />
S 10.100.104.0/24 via 10.100.100.2, eth2, cost 0, age 14 <br />
S 10.100.105.0/24 via 10.100.100.2, eth2, cost 0, age 11 <br />
S 10.100.106.0/24 via 10.100.100.2, eth2, cost 0, age 8 <br />
S 10.100.107.0/24 via 10.100.100.2, eth2, cost 0, age 5 <br />
S 10.100.108.0/24 via 10.100.100.2, eth2, cost 0, age 2 <br />
C 127.0.0.0/8 is directly connected, lo <br />
C 192.168.0.0/24 is directly connected, eth0 <br />
<br />
</div>
<br />
Creating a bond from CLISH:<br />
<br />
# Create the bond and assign a slave interface in one command:<br />
<div class="code">
<b>GAIA1> add bonding group 0 interface eth1 </b><br />
Enter an interface to add to the bond group. <br />
Only ethernet interfaces can be added to a bond group.<br />
The interface shouldn't have any IP addresses or aliases configured.<br />
Hit tab to obtain the available interfaces that can be added to the bond group. <br />
</div>
# Set the bond mode (8023AD is LACP; the alternatives are round-robin, active-backup and xor):<br />
<div class="code">
<b>GAIA1> set bonding group 0 mode 8023AD</b><br />
</div>
# Set the bond's primary interface (only meaningful in active-backup mode; with 8023AD every slave in the active aggregator forwards):<br />
<div class="code">
<b>GAIA1> set bonding group 0 primary eth1</b><br />
</div>
# View your bond:<br />
<div class="code">
<b>GAIA1> show bonding group 0</b><br />
Bond Configuration<br />
xmit-hash-policy layer2<br />
down-delay 200<br />
primary eth1<br />
lacp-rate slow<br />
mode 8023AD<br />
up-delay 200<br />
mii-interval 100<br />
Bond Interfaces<br />
eth1<br />
<br />
</div>
# This information is also available via Expert mode via /proc:<br />
<div class="code">
<b>[Expert@GAIA1]# cat /proc/net/bonding/bond0 </b><br />
Ethernet Channel Bonding Driver: v3.2.4 (January 28, 2008)<br />
<br />
Bonding Mode: IEEE 802.3ad Dynamic link aggregation<br />
Transmit Hash Policy: layer2 (0)<br />
MII Status: up<br />
MII Polling Interval (ms): 100<br />
Up Delay (ms): 200<br />
Down Delay (ms): 200<br />
<br />
802.3ad info<br />
LACP rate: slow<br />
Active Aggregator Info:<br />
Aggregator ID: 1<br />
Number of ports: 1<br />
Actor Key: 17<br />
Partner Key: 1<br />
Partner Mac Address: 00:00:00:00:00:00<br />
<br />
Slave Interface: eth1<br />
MII Status: up<br />
Link Failure Count: 0<br />
Permanent HW addr: 00:0c:29:38:9f:63<br />
Aggregator ID: 1<br />
<br />
</div>
Note the all-zero Partner Mac Address in the output above: this lab VM has no LACP-capable peer, so no LACPDUs arrive and the bond sits on a default aggregator. On a production bond the same all-zero partner MAC means the switch side is not negotiating LACP, even though the Linux side reports the bond as up.<br />
Saving your configuration (CLISH changes take effect immediately but only live in the running configuration; anything not saved is lost on reboot):<br />
<br />
<div class="code">
<b>GAIA1> save config</b><br />
</div>
<br />Anonymoushttp://www.blogger.com/profile/01987703160016923889noreply@blogger.com2tag:blogger.com,1999:blog-4181959346900950541.post-63562175347708985162012-07-06T21:22:00.002-04:002013-05-01T12:01:06.324-04:00SPLAT/GAIA: How to determine bond status (link/LACP etc)Hi Everyone,<br />
<br />
Had this question asked today: "How do you determine if your LACP (or XOR) bond is up and running, and what state is it in?"<br />
<br />
Since ethtool and ifconfig don't show LACP details, you have to read the bonding driver's state from /proc, like so (MACs removed for privacy):<br />
<br />
<br />
Looking at bond0 here:<br />
<div class="code">
cat /proc/net/bonding/bond0<br />Ethernet Channel Bonding Driver: v3.2.4 (January 28, 2008)<br /><br />Bonding Mode: IEEE 802.3ad Dynamic link aggregation<br />Transmit Hash Policy: layer3+4 (1)<br />MII Status: up<br />MII Polling Interval (ms): 100<br />Up Delay (ms): 200<br />Down Delay (ms): 200<br /><br />802.3ad info<br />LACP rate: slow<br />Active Aggregator Info:<br /> Aggregator ID: 2<br /> Number of ports: 2<br /> Actor Key: 17<br /> Partner Key: 32773<br /> Partner Mac Address: **************<br /><br />Slave Interface: eth2<br />MII Status: up<br />Link Failure Count: 1<br />Permanent HW addr: **************<br />Aggregator ID: 2<br /><br />Slave Interface: eth3<br />MII Status: up<br />Link Failure Count: 0<br />Permanent HW addr: **************<br />Aggregator ID: 2<br /><br />Slave Interface: eth4<br />MII Status: down<br />Link Failure Count: 0<br />Permanent HW addr: **************<br />Aggregator ID: 3<br /><br />Slave Interface: eth5<br />MII Status: down<br />Link Failure Count: 1<br />Permanent HW addr: **************<br />Aggregator ID: 1<br />
<br />
</div>
You can also check how ClusterXL monitors the bonds with cphaconf show_bond (the -a flag lists every bond); a bond stays UP only while the number of operational slaves is at least the 'required' value:<br />
<div class="code">
# cphaconf show_bond -a<br />
<br /> |Slaves |Slaves |Slaves <br />Bond name |Mode |State |configured |in use |required <br />-----------+-------------------+------+-----------+-------+--------<br />bond0 | Load Sharing | UP | 4 | 4 | 3 <br />bond1 | Load Sharing | UP | 4 | 4 | 3 <br /><br />Legend:<br />-------<br />UP! - Bond interface state is UP, yet attention is required<br />Slaves configured - number of slave interfaces configured on the bond<br />Slaves in use - number of operational slaves<br />Slaves required - minimal number of operational slaves required for bond to be UP<br />
<br />
</div>
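"MII Status: up" on its own does not tell you whether a slave is actually forwarding. In the listing above, eth4 and eth5 sit in aggregator IDs 3 and 1 while the active aggregator is 2, and in the single-slave listing from the CLISH post the partner MAC is all zeros. The following is an added example (not the blog's or Check Point's code) that reads /proc/net/bonding/&lt;bond&gt; and flags exactly those conditions: a missing LACP partner, a slave whose link is up but which is parked in a non-active aggregator, and down slaves. It targets the driver output format shown above; the sample files it builds are constructed, not captures.<br />

```shell
#!/bin/sh
# Added example, not from the posts: read /proc/net/bonding/<bond> for an
# 802.3ad bond and flag the conditions that "MII Status: up" alone hides.
# Written for the driver output format shown in the posts (v3.2.4 era);
# newer kernels add per-slave partner details that this parser ignores.

# Print one line per slave plus warnings, and return 1 if anything needs
# attention:
#   - partner MAC all zeros: no LACPDUs received, the switch is not
#     negotiating LACP and the bond is on a default aggregator
#   - a slave whose aggregator ID differs from the active one: its link may
#     be up, but it carries no traffic (typically the switch-side
#     port-channel does not include that port)
#   - a slave with MII Status down
bond_lacp_check() {   # usage: bond_lacp_check /proc/net/bonding/bond0
    awk '
        /Active Aggregator Info:/ { ctx = "agg"; next }
        /^Slave Interface:/       { ctx = "slave"; s = $NF; order[++n] = s; next }
        ctx == "agg"   && /Aggregator ID:/       { active = $NF; next }
        ctx == "agg"   && /Number of ports:/     { ports = $NF; next }
        ctx == "agg"   && /Partner Mac Address:/ { pmac = $NF; next }
        ctx == "slave" && /^MII Status:/         { mii[s] = $NF; next }
        ctx == "slave" && /^Aggregator ID:/      { agg[s] = $NF; next }
        END {
            warn = 0
            printf "active aggregator %s, %s port(s), partner %s\n", active, ports, pmac
            if (pmac == "" || pmac == "00:00:00:00:00:00") {
                print "WARN: no LACP partner (partner MAC is all zeros)"; warn++
            }
            for (i = 1; i <= n; i++) {
                s = order[i]
                if (mii[s] != "up") {
                    printf "WARN: %s link down\n", s; warn++
                } else if (agg[s] != active) {
                    printf "WARN: %s up but in aggregator %s, not active %s: carries no traffic\n", s, agg[s], active; warn++
                } else {
                    printf "OK:   %s up in active aggregator %s\n", s, agg[s]
                }
            }
            if (warn > 0) exit 1
            exit 0
        }
    ' "$1"
}

# Number of slaves actually forwarding (up and in the active aggregator);
# compare it with the "Slaves required" column of cphaconf show_bond.
bond_lacp_forwarding() {
    bond_lacp_check "$1" | grep -c '^OK:' || true
}

# Constructed sample /proc files (not real captures), modelled on the
# listings in the posts. Variants: healthy, partial (one slave up but in a
# foreign aggregator, one down), nopartner (switch side not speaking LACP).
sample_bond() {   # usage: sample_bond healthy|partial|nopartner FILE
    case "$1" in
        healthy)   pmac=00:1b:21:aa:bb:cc; ports=2; slaves='eth2:up:2 eth3:up:2' ;;
        partial)   pmac=00:1b:21:aa:bb:cc; ports=2; slaves='eth2:up:2 eth3:up:2 eth4:up:3 eth5:down:1' ;;
        nopartner) pmac=00:00:00:00:00:00; ports=1; slaves='eth1:up:2' ;;
        *) echo "unknown variant $1" >&2; return 2 ;;
    esac
    {
        printf 'Ethernet Channel Bonding Driver: v3.2.4 (January 28, 2008)\n\n'
        printf 'Bonding Mode: IEEE 802.3ad Dynamic link aggregation\nMII Status: up\n\n'
        printf '802.3ad info\nLACP rate: slow\nActive Aggregator Info:\n'
        printf '\tAggregator ID: 2\n\tNumber of ports: %s\n\tActor Key: 17\n' "$ports"
        printf '\tPartner Key: 32773\n\tPartner Mac Address: %s\n' "$pmac"
        for spec in $slaves; do
            ifname=${spec%%:*}; rest=${spec#*:}; mii=${rest%%:*}; aggid=${rest#*:}
            printf '\nSlave Interface: %s\nMII Status: %s\nLink Failure Count: 0\n' "$ifname" "$mii"
            printf 'Permanent HW addr: 00:0c:29:38:9f:6%s\nAggregator ID: %s\n' "${ifname#eth}" "$aggid"
        done
    } > "$2"
}

# Stand-alone use: bond_check.sh [/proc/net/bonding/bondX]
if [ $# -eq 1 ]; then bond_lacp_check "$1"; fi
```

On a real box run it against /proc/net/bonding/bond0; a slave reported as "up but in aggregator N" is the case where ethtool, ifconfig and even the MII status all look fine while the port carries nothing, so that is the line to take to the switch team.<br />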
The steps found with <a href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk69180&js_peid=P-114a7bc3b09-10006&partition=Advanced&product=SecurePlatform%22" target="_blank">sk69180</a> should also be followed to ensure slave interfaces have been added correctly.Anonymoushttp://www.blogger.com/profile/01987703160016923889noreply@blogger.com0tag:blogger.com,1999:blog-4181959346900950541.post-72065211357733353952012-06-27T17:06:00.000-04:002013-05-01T11:50:37.867-04:00CheckPoint HA: How to force a failover (ClusterXL/VRRP)Hi Everyone,<br />
<br />
Based on some recent conversations I've had, it seems most people don't know how to force or test a failover with Check Point HA. <br />
<br />
There is a single requirement for non-SPLAT/GAIA systems: FW-1 Monitoring State needs to be enabled. If you're running IPSO, you can do this via the VRRP configuration page.<br />
<br />
To force a failover, run the following commands on the current cluster master:<br />
<br />
This registers a pnote (problem notification) named 'fail' that is already in problem state (-t 0 means no timeout, so it stays that way until you report otherwise); the member declares itself Down and the standby takes over:<br />
<div class="code">
cphaprob -d fail -s problem -t 0 register<br />
</div>
Verify it's in problem state with<br />
<div class="code">
cphaprob stat<br />
</div>
and<br />
<div class="code">
cphaprob -i list<br />
</div>
(you should see 'fail' listed in problem state)<br />
<br />
Once you've finished your testing, run these two to report the pnote healthy and then remove it:<br />
<div class="code">
cphaprob -d fail -s ok report<br />cphaprob -d fail unregister<br /></div>
<br />
Make sure to verify that the pnote has been removed correctly before you log off.<br />
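The register, check, report and unregister sequence above is easy to leave half-done if the session drops in the middle, which leaves the member Down. The following is an added example, not the post's procedure verbatim and not Check Point code: it scripts the cycle with the verification built in and a trap so the pnote is always removed on exit. The "cphaprob -i list" format it parses (Device Name: / Current state: pairs) is assumed from the tool's usual output, and the sample listing inside it is constructed, not a capture.<br />

```shell
#!/bin/sh
# Added example, not from the post: drive the forced-failover test with the
# verification steps scripted and a trap so that a 'fail' pnote is never
# left behind if the script is interrupted. The "cphaprob -i list" format
# parsed here (Device Name: / Current state: pairs) is an assumption about
# the tool's usual output; the sample listing below is constructed.

# Extract the "Current state" of one pnote from a "cphaprob -i list"
# listing (file argument or stdin). Prints nothing when it is not
# registered, which is exactly what you want to see before logging off.
pnote_state() {   # usage: pnote_state NAME [LISTING_FILE]
    name=$1; shift
    awk -v want="$name" '
        /^Device Name:/   { sub(/^Device Name:[ \t]*/, ""); cur = $0; next }
        /^Current state:/ { if (cur == want) { print $NF; exit } }
    ' "$@"
}

# Run the full cycle on the current cluster master. Returns 0 if the pnote
# went into problem state and was cleanly removed again.
force_failover_test() {   # usage: force_failover_test [SECONDS_TO_HOLD]
    hold=${1:-60}
    command -v cphaprob >/dev/null 2>&1 || { echo "cphaprob not found; not a cluster member?" >&2; return 2; }
    # Whatever happens (Ctrl-C, dropped session), report OK and unregister.
    trap 'cphaprob -d fail -s ok report >/dev/null 2>&1; cphaprob -d fail unregister >/dev/null 2>&1' EXIT INT TERM
    cphaprob -d fail -s problem -t 0 register
    state=$(cphaprob -i list | pnote_state fail)
    if [ "$state" != "problem" ]; then
        echo "pnote 'fail' is in state '${state:-absent}', expected 'problem'" >&2
        return 1
    fi
    echo "pnote registered; this member should now be Down, verify with 'cphaprob stat' on the peer"
    sleep "$hold"
    cphaprob -d fail -s ok report
    cphaprob -d fail unregister
    trap - EXIT INT TERM
    if [ -n "$(cphaprob -i list | pnote_state fail)" ]; then
        echo "pnote 'fail' is still registered; remove it by hand before logging off" >&2
        return 1
    fi
    echo "pnote removed; confirm 'cphaprob stat' shows the expected Active/Standby split"
}

# Constructed sample listing (not a capture) in the assumed format, as it
# would look on a member right after the register command.
sample_pnote_listing() {   # usage: sample_pnote_listing FILE
    printf '%s\n' \
        'Built-in Devices:' '' \
        'Device Name: Interface Active Check' 'Current state: OK' '' \
        'Registered Devices:' '' \
        'Device Name: Synchronization' 'Registration number: 0' 'Timeout: none' \
        'Current state: OK' 'Time since last report: 3351.9 sec' '' \
        'Device Name: fail' 'Registration number: 5' 'Timeout: none' \
        'Current state: problem' 'Time since last report: 0.3 sec' > "$1"
}

# Stand-alone use: failover_test.sh [SECONDS_TO_HOLD]
if [ $# -eq 1 ]; then force_failover_test "$1"; fi
```

The hold time is there so you can watch the peer take over and run your traffic tests; the trap is what makes this safe to run over an SSH session that might drop while the member is deliberately Down.<br />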
<br />
That's it!Anonymoushttp://www.blogger.com/profile/01987703160016923889noreply@blogger.com19