Networking-Blog


Check Point: Load on Module failed – failed to load Security Policy

I have been working on this issue for some time now, and today, after escalating this to someone higher in Check Point TAC, we finally got some resolution to this.  We have a pair of clustered Check Point 5075 appliances, with a distributed management station.  We started out running R75.20.  Everything was fine, until we added URL filtering. So, when we would push policy to the cluster, we would get the following error:

Installation failed: Reason: Load on Module failed – failed to load Security Policy.

Now, what changed? Well, we added URL filtering. So, when we unchecked URL filtering, we could push policy. See below for where I mean by “unchecked” URL Filtering. This is on the Properties of our clustered Check Points:

urlfiltering
So, after some trials and pain, we finally upgraded to R75.30 to try to fix this issue. We were told by Check Point that R75.30 fixed a ton of issues. So, we were proactive and did the upgrade. Well, it didn’t fix the issue, although according to Check Point we did get a little further into the policy push. I’m glad we did the upgrade, even though it didn’t completely fix the issue.

What we found was that on the “Application and URL Filtering” page, we had “URLs are defined as Regular Expression” checked. We also had *.myspace.com in our URL List. Well, it turns out that the “*” was keeping us from pushing policy. CP can’t determine that the * is not a regular expression, and because of this, it won’t allow you to push policy. * is a wildcard, not an expression. When we unchecked this, we could push policy, and we still have URL Filtering capability. See below the screenshot of where I’m talking about:

screenshot
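As an added example (not from the original post and not Check Point code), here is what a standard regex engine makes of the entry that blocked the policy push, plus the safe conversion from a wildcard entry to an anchored regular expression. It uses Python’s re module, so it shows the general regex problem, not Check Point’s exact validation.

```python
"""Check a URL Filtering list the way the post's failure suggests: an entry
such as '*.myspace.com' is a wildcard, not a regular expression.

Added example, not Check Point code; Python's re module stands in for the
regex engine, so this shows what any standard engine makes of the entry.
"""
import re
from typing import List, Tuple


def regex_problems(entries: List[str]) -> List[Tuple[str, str]]:
    """Return (entry, error) for every entry that is not a valid regular expression."""
    problems = []
    for entry in entries:
        try:
            re.compile(entry)
        except re.error as exc:
            # A leading '*' has nothing to repeat, which is exactly the wildcard case.
            problems.append((entry, str(exc)))
    return problems


def wildcard_to_regex(pattern: str) -> str:
    """Turn a '*' wildcard entry into an anchored regex.

    '*' becomes '.*'; everything else is escaped so '.' stays a literal dot,
    and the anchors stop 'www.myspace.com.evil.example' from matching.
    """
    return "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"


def matches(regex: str, host: str) -> bool:
    """True if the whole host name matches the regex."""
    return re.fullmatch(regex, host) is not None


# The entry from the post that blocked the policy push.
URL_LIST = ["*.myspace.com"]

if __name__ == "__main__":
    for entry, error in regex_problems(URL_LIST):
        print(f"{entry!r} is not a valid regex: {error}")
        print("wildcard form as regex:", wildcard_to_regex(entry))
```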

 

Resetting The BMC – LOM

Q: My system’s IPMI interface is unresponsive. Can I reboot or refresh the interface?

A: If you have local access or SSH access to the system, you can run commands with ipmitool and IPMICFG to attempt to regain accessibility to IPMI.

Resets the management console without rebooting the BMC

# ipmitool mc reset warm

Reboots the BMC

# ipmitool mc reset cold
 

If this fails to restore usability of the interface, you can also attempt a cold reset from Supermicro’s IPMICFG.

# ipmicfg -nm reset

Finally, you can reset the BMC to factory defaults with IPMICFG or ipmitool. Be aware that this will wipe any existing settings on the BMC that you may have set from the web interface, but excludes network settings.

# ipmicfg -fd

or

# ipmitool raw 0x3c 0x40

To reset your network settings along with the factory reset, use the following IPMICFG command:

# ipmicfg -fde
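As an added example (not part of the original post), the escalation described above scripted so that it stops at the least disruptive step that brings the BMC back. It assumes ipmitool and Supermicro’s ipmicfg are on PATH and that a healthy BMC answers `ipmitool mc info`; the factory resets are deliberately left as a manual decision because they wipe BMC users and settings.

```python
"""Escalating BMC recovery, following the ipmitool / IPMICFG ladder above.

Added example, not part of the original post. Assumes ipmitool and
Supermicro's ipmicfg are on PATH and that a working BMC answers
'ipmitool mc info' over the local interface; the command runner is
injectable so the escalation logic can be exercised without a BMC.
"""
import subprocess
import time
from typing import Callable, List, Sequence

Runner = Callable[[Sequence[str]], int]   # runs argv, returns the exit status


def run_cmd(argv: Sequence[str]) -> int:
    """Default runner: execute the command and return its exit status."""
    try:
        return subprocess.run(list(argv), capture_output=True).returncode
    except FileNotFoundError:
        return 127   # tool not installed: treated like a failed command


def bmc_responsive(run: Runner = run_cmd) -> bool:
    """A working BMC answers 'mc info'; a hung one errors out or times out."""
    return run(["ipmitool", "mc", "info"]) == 0


# Least to most disruptive, in the order the answer above gives them.
# The factory resets (ipmicfg -fd / -fde, ipmitool raw 0x3c 0x40) are left
# out on purpose: they wipe BMC users and settings, so an operator should
# choose them explicitly once this ladder has failed.
RESET_LADDER: List[Sequence[str]] = [
    ["ipmitool", "mc", "reset", "warm"],   # restart the management console only
    ["ipmitool", "mc", "reset", "cold"],   # reboot the BMC
    ["ipmicfg", "-nm", "reset"],           # cold reset via Supermicro IPMICFG
]


def recover_bmc(run: Runner = run_cmd, settle_seconds: float = 60,
                sleep: Callable[[float], None] = time.sleep) -> str:
    """Try each step in turn and return the command that brought the BMC back.

    Returns "already-responsive" if nothing was needed and "failed" when every
    step has been tried without success (the next step is a manual factory reset).
    """
    if bmc_responsive(run):
        return "already-responsive"
    for step in RESET_LADDER:
        run(step)                 # a hung BMC may not even acknowledge the reset
        sleep(settle_seconds)     # give the controller time to come back up
        if bmc_responsive(run):
            return " ".join(step)
    return "failed"


if __name__ == "__main__":
    print("BMC recovery result:", recover_bmc())
```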

Check Point – Resetting the UTM-1 Appliance to Defaults

You can reset the UTM-1 appliance to defaults via the Web management interface (software) or by manually pressing the Reset button (hardware) located at the back of the UTM-1 appliance.

When resetting the appliance via the UTM-1 Portal, you can choose to keep the current firmware or to revert to the firmware version that shipped with the UTM-1 appliance. In contrast, using the Reset button automatically reverts the firmware version.

To reset the UTM-1 appliance to factory defaults via the Web interface

  1. Click Setup in the main menu, and click the Tools tab.

    The Tools page appears.

  2. Click Factory Settings.

    A confirmation message appears.

  3. To revert to the firmware version that shipped with the appliance, select the check box.
  4. Click OK.
    • The Please Wait screen appears.
    • The UTM-1 appliance returns to its factory defaults.
    • The UTM-1 appliance is restarted.

      This may take a few minutes.

    • The Login page appears.

To reset the UTM-1 appliance to factory defaults using the Reset button

  1. Make sure the UTM-1 appliance is powered on.
  2. Using a pointed object, press the RESET button on the back of the UTM-1 appliance steadily for seven seconds and then release it.
  3. Allow the UTM-1 appliance to boot-up until the system is ready.

    For information on the appliance’s front and rear panels, see the Getting to Know Your Appliance section in Introduction.

Warning: If you choose to reset the UTM-1 appliance by disconnecting the power cable and then reconnecting it, be sure to leave the UTM-1 appliance disconnected for at least three seconds. Disconnecting and reconnecting the power without waiting might cause permanent damage.

How to enable or disable NTP on IP appliances

Time

All Security Gateways, Security Management Servers and cluster members must synchronize their system clocks. This is important for these reasons:

  • SIC trust can fail if devices are not synchronized correctly.
  • Cluster synchronization requires precise clock synchronization between members.
  • SmartEvent correlation uses time stamps that must be synchronized to within approximately one second.
  • Cron jobs must run at the correct time.
  • Certificate validation for applications depends on the correct time.

You can use these methods to set the system date and time:

  • Network Time Protocol (NTP).
  • Manually, using the WebUI or the CLI.

Network Time Protocol (NTP)

Network Time Protocol (NTP) is an Internet standard protocol used to synchronize the clocks of computers in a network to the millisecond.

NTP runs as a background client program on a client computer. It sends periodic time requests to specified servers to synchronize the client computer clock. We recommend that you configure more than one NTP server for redundancy.

Setting the Time and Date – WebUI

To set time and date automatically using NTP:

  1. In the WebUI tree, click System Management > Time.
  2. Click Set Time and Date.
  3. In the Time and Date Settings window, select Set Time and Date automatically using Network Time Protocol (NTP).
  4. Enter the URL or IP address of the primary and (optionally) secondary NTP servers.
  5. Select the NTP version for the applicable server.
  6. Click OK.

To set the system time and date:

  1. In the tree view, click System Management > Time.
  2. Click Set Time and Date.
  3. Enter the time and date in the applicable fields.
  4. Click OK.

To set the time zone:

  1. In the tree view, click System Management > Time.
  2. Click Set Time Zone and select the time zone from the list.
  3. Click OK.

Configuring NTP – CLI (ntp)

NTP
Use this command to configure and troubleshoot the Network Time Protocol (NTP).
To monitor and troubleshoot your NTP implementation:

show ntp active
show ntp current
show ntp servers

To add a new NTP server:

set ntp active [On|Off]
set ntp server primary VALUE version VALUE
set ntp server secondary VALUE version VALUE

To delete an NTP server:

delete ntp server <IP>

Parameters

active
With show, shows whether NTP is active; with set, enables or disables NTP. Valid values are On or Off.

current
Shows the host name or IP address of the NTP server you are using now.

primary
Set the host name or IP address of the primary NTP server.

secondary
The host name or IP address of the secondary NTP server.

version
The version number of the NTP server (from 1 to 4).

server
Keyword that identifies the NTP server.

Example

show ntp servers

Output

IP Address    Type     Version
pool.ntp.org  Primary  4

Comments

server – Specifies the host name or IP address of the time server from which your system synchronizes its clock. The specified time server does not synchronize to the local clock of your system.
version – Specifies which version of NTP to run. Check Point recommends that you run version 3.

Showing the Time & Date – CLI (clock)

Show the current system date and time:

show clock

clock
The current system day, date, and time. The current system time is in HH:MM:SS format.

Example

show clock

Output

Thu Oct 6 15:20:00 2011 IST

Setting the Date – CLI (date)

set date <date>
show date

<date>
The date in the YYYY-MM-DD format.

Example

set date 2012-08-10

Setting the Time – CLI (time)

Set the system time in HH:MM:SS format.

Syntax
set time <time of day>
show time

<time of day>
The current system time in HH:MM:SS format

Example
show time
Output
12:03:54

Setting the Time Zone – CLI (timezone)

Description

Show and set the system time zone.

Syntax

set timezone <Area> / <Region>
show timezone

Note: The spaces before and after the ‘/’ character are important.

<Area>
The area containing the region (for example, America).

<Region>
Region within the specified area.

Example

set timezone America / Detroit

 

Disable NTP:

/etc/init.d/ntp stop

If the NTP service auto-restarts on a reboot, enter these values to point it at invalid servers, which will stop NTP from updating the clock:

set ntp server primary 0.0.0.0 version 3
set ntp server secondary 255.255.255.255 version 3
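As an added example (not from the original post and not Check Point code), a small audit of the `show ntp servers` output in the format shown above. It flags the three things this section calls out: a missing secondary server (the redundancy recommendation), a version other than the recommended 3, and the 0.0.0.0 / 255.255.255.255 sentinel values used above to stop NTP from updating the clock. The sample output is constructed, not captured from a gateway.

```python
"""Audit Check Point NTP settings from 'show ntp servers' output.

Added example, not from the original post. The input format is the table the
post shows; the sample below is constructed, not captured from a gateway.
"""
from dataclasses import dataclass
from typing import List

# Constructed sample in the format the post shows for 'show ntp servers'.
SAMPLE_SHOW_NTP_SERVERS = """\
IP Address Type Version
pool.ntp.org Primary 4
"""

# The post stops NTP from updating the clock by pointing it at these.
DISABLE_SENTINELS = {"0.0.0.0", "255.255.255.255"}
RECOMMENDED_VERSION = 3   # per the post's comment on 'version'


@dataclass
class NtpServer:
    address: str
    role: str        # Primary / Secondary
    version: int


def parse_show_ntp_servers(text: str) -> List[NtpServer]:
    """Parse the three-column table; the four-word header line is skipped."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue
        servers.append(NtpServer(parts[0], parts[1], int(parts[2])))
    return servers


def audit_ntp(servers: List[NtpServer]) -> List[str]:
    """Return findings a reviewer would raise; an empty list means all good."""
    findings = []
    if not servers:
        return ["no NTP server configured: clock will drift and SIC/cluster sync may fail"]
    real = [s for s in servers if s.address not in DISABLE_SENTINELS]
    if not real:
        return ["NTP is effectively disabled: every configured server is a sentinel address"]
    if len(real) < 2:
        findings.append("only one usable NTP server; configure a secondary for redundancy")
    for s in real:
        if not 1 <= s.version <= 4:
            findings.append(f"{s.address}: invalid NTP version {s.version} (valid range 1-4)")
        elif s.version != RECOMMENDED_VERSION:
            findings.append(f"{s.address}: version {s.version} configured; "
                            f"Check Point recommends version {RECOMMENDED_VERSION}")
    return findings


if __name__ == "__main__":
    for finding in audit_ntp(parse_show_ntp_servers(SAMPLE_SHOW_NTP_SERVERS)):
        print("WARN:", finding)
```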

ICMP TYPE NUMBERS


The Internet Control Message Protocol (ICMP) has many messages that
are identified by a "type" field.

Type    Name                                    Reference
----    ------------------------------------    ---------------
  0     Echo Reply                              [RFC792]
  1     Unassigned                              [JBP]
  2     Unassigned                              [JBP]
  3     Destination Unreachable                 [RFC792]
  4     Source Quench                           [RFC792]
  5     Redirect                                [RFC792]
  6     Alternate Host Address                  [JBP]
  7     Unassigned                              [JBP]
  8     Echo Request                            [RFC792]
  9     Router Advertisement                    [RFC1256]
 10     Router Selection                        [RFC1256]
 11     Time Exceeded                           [RFC792]
 12     Parameter Problem                       [RFC792]
 13     Timestamp                               [RFC792]
 14     Timestamp Reply                         [RFC792]
 15     Information Request                     [RFC792]
 16     Information Reply                       [RFC792]
 17     Address Mask Request                    [RFC950]
 18     Address Mask Reply                      [RFC950]
 19     Reserved (for Security)                 [Solo]
 20-29  Reserved (for Robustness Experiment)    [ZSu]
 30     Traceroute                              [RFC1393]
 31     Datagram Conversion Error               [RFC1475]
 32     Mobile Host Redirect                    [David Johnson]
 33     IPv6 Where-Are-You                      [Bill Simpson]
 34     IPv6 I-Am-Here                          [Bill Simpson]
 35     Mobile Registration Request             [Bill Simpson]
 36     Mobile Registration Reply               [Bill Simpson]
 37     Domain Name Request                     [Simpson]
 38     Domain Name Reply                       [Simpson]
 39     SKIP                                    [Markson]
 40     Photuris                                [Simpson]
 41-255 Reserved                                [JBP]

Check Point R77 Creating Rules NAT and PAT

In this tutorial we will look at creating a simple rulebase from a fresh install of Check Point R77. We will create a basic rule that will allow the internal network access to all services outbound and also enable NAT to hide behind the external IP address of the firewall. Following this rule we will create another rule that will PAT remote desktop 3389 from the external interface IP to my Windows 2008 server called server2k8.

The lab is setup as follows:
network-diagram


Creating NAT and PAT Rules with Check Point R77

 

1. Open up the Check Point SmartDashboard and login to your firewall management station.

01-check-point-rules
2. First up we’ll be creating a network object that will represent the internal network subnet. Right click on the Network Folder and select Network.

02-check-point-rules

3. Type in a Name, the network address and subnet mask. For object colours I like to use red for external, green for internal and orange for DMZ. If you expand the colours and click Manage you can add in red and green.

03-check-point-rules

4. Add in red and green.

04-check-point-rules

5. For my internal LAN I’ve selected green.

05-check-point-rules

6. Now we’ll click on the NAT tab and tick the Add Automatic Address Translation rules, select Hide, and select Hide behind Gateway. This will hide the internal network subnet behind the external interface of the gateway. If you are using a DMZ interface, it will also NAT behind the DMZ interface.

06-check-point-rules
7. Now that we’ve created an object, let’s create a few rules. Click on the Rules menu and select Add Rule.

07-check-point-rules

8. Under the source column where it says Any, right click and select Network Object. As you can see we can also add a User or other objects as the source.

08-check-point-rules
9. Select Internal-LAN as our source.

09-check-point-rules
10. Under the Action column, right click and select accept.

10-check-point-rules
11. Under the Track column select Log so we can see the traffic passing through.

11-check-point-rules
12. Right click under the Comment column and select Edit. You can type any comment you like to help remember what the rule is for.

12-check-point-rules
13. Now add in another rule, which must always be at the bottom. This rule will drop any packet that does not match an earlier rule and also log it. Check Point rules are always processed from top to bottom.

13-check-point-rules
14. To help organise our Check Point Rule Base a little better we can add in section titles. Right click on the rule where you would like to add a section title above and select Add Section title – Above.

14-check-point-rules
15. As you can see I’ve added two section titles to my Check Point Rule Base, which makes it much easier to organize rules.

15-check-point-rules
16. If we click on the NAT tab we can see that the NAT we added earlier in step 6 has been automatically added to the NAT rule base for Internal-LAN.

16-check-point-rules
17. Let’s add an object for a single server. Right click on Nodes and select Node – Host.

17-check-point-rules
18. Enter the Name, IP address and an optional comment. I’ve selected the green colour for internal objects. Click OK.

18-check-point-rules
19. I’ll create another object that will represent the PAT’d IP address that I’ll be using to remote desktop from the internet to my internal host.

19-check-point-rules
20. Now let’s create a PAT rule. Under the NAT tab click on the Rules menu and add a new rule at the top.

20-check-point-rules
21. Let’s add a destination of External-192-168-1-2 and service Remote_Desktop under the Original Packet column. Under the Translated Packet column, let’s add server2k8 for destination and Remote_Desktop for service. So any IP that tries to use Remote Desktop to 192.168.1.2 will get translated to our internal host server2k8 (192.168.10.10) for Remote_Desktop 3389.

21-check-point-rules
22. After creating the PAT rule we now need to create the firewall rule. Click on the firewall tab, add a new section title of External-Internal and make the destination External-192-168-1-2, service Remote_Desktop, Action Accept, and Track Log.

22-check-point-rules
23. Click on the box that says Verify Policies. Your Check Point Rule Base will be checked for any errors or mis-configuration before applying.

23-check-point-rules

24. Click OK.

24-check-point-rules
25. Click Save and continue.

25-check-point-rules
26. Click OK.

26-check-point-rules
27. Policy Verification is OK. Click OK.

27-check-point-rules
28. Now it’s time to Install our policy. Click Install Policy.

28-check-point-rules
29. Click OK.

29-check-point-rules
30. The policy was installed successfully. Click Close.

30-check-point-rules
31. Click on the Window menu and select SmartView Tracker.

31-check-point-rules
32. The Check Point SmartView Tracker is where all the logging happens. To demonstrate accessing a webpage from my server2k8 server I simply browsed to www.google.com.au which produced the following logs.

32-check-point-rules

33. You can double click on a log entry to display more information.

33-check-point-rules
34. Now let’s try our remote desktop rule. I will remote desktop from a PC out on the internet to 192.168.1.2.

34-check-point-rules
35. As you can see in the log the packet is allowed and I can connect via remote desktop to the server.

35-check-point-rules
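As an added example (not Check Point code and not part of the original tutorial), a model of the NAT rule base built above: the manual static (PAT) rule from step 21 at the top and the automatic Hide rule from steps 6 and 16 below it, matched first-match top to bottom on the original packet. It also shows why step 22’s firewall rule uses External-192-168-1-2 rather than server2k8: the security rule base sees the pre-NAT destination. It assumes the Internal-LAN object is 192.168.10.0/24 and the gateway’s external address is 192.168.1.2; the test packets are constructed.

```python
"""Model of the NAT rule base built in the tutorial above: a manual static
(PAT) rule at the top and the automatic Hide rule for Internal-LAN below it.

Added example, not Check Point code. Assumes Internal-LAN is 192.168.10.0/24
and the gateway's external address is 192.168.1.2 (the tutorial shows
server2k8 as 192.168.10.10 and PATs it via 192.168.1.2).
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass
class NatRule:
    name: str
    orig_src: Optional[ipaddress.IPv4Network]   # None means Any
    orig_dst: Optional[ipaddress.IPv4Network]
    orig_dport: Optional[int]
    xlate_src: Optional[str]                    # None means unchanged
    xlate_dst: Optional[str]

    def matches(self, p: Packet) -> bool:
        """Match on the ORIGINAL (pre-NAT) packet, like the Original Packet columns."""
        return ((self.orig_src is None or ipaddress.ip_address(p.src) in self.orig_src)
                and (self.orig_dst is None or ipaddress.ip_address(p.dst) in self.orig_dst)
                and (self.orig_dport is None or p.dport == self.orig_dport))

    def apply(self, p: Packet) -> Packet:
        """Produce the Translated Packet; unset columns keep the original value."""
        return replace(p, src=self.xlate_src or p.src, dst=self.xlate_dst or p.dst)


GATEWAY_EXTERNAL = "192.168.1.2"                          # assumed external address
INTERNAL_LAN = ipaddress.ip_network("192.168.10.0/24")    # assumed Internal-LAN object

NAT_RULE_BASE: List[NatRule] = [
    # Step 21: Original dst External-192-168-1-2 / Remote_Desktop -> Translated dst server2k8.
    NatRule("PAT RDP to server2k8", None, ipaddress.ip_network("192.168.1.2/32"), 3389,
            None, "192.168.10.10"),
    # Steps 6 and 16: automatic Hide rule for Internal-LAN behind the gateway.
    NatRule("Hide Internal-LAN", INTERNAL_LAN, None, None, GATEWAY_EXTERNAL, None),
]


def translate(p: Packet, rules: List[NatRule] = NAT_RULE_BASE) -> Tuple[Optional[str], Packet]:
    """First matching rule wins, top to bottom; unmatched packets pass untranslated."""
    for rule in rules:
        if rule.matches(p):
            return rule.name, rule.apply(p)
    return None, p


def firewall_allows_rdp(p: Packet) -> bool:
    """Step 22's security rule: it is evaluated on the pre-NAT packet, so the
    destination must be External-192-168-1-2, not server2k8."""
    return p.dst == GATEWAY_EXTERNAL and p.dport == 3389


if __name__ == "__main__":
    inbound = Packet("203.0.113.7", "192.168.1.2", 3389)   # constructed RDP from the internet
    print("allowed:", firewall_allows_rdp(inbound), "NAT:", translate(inbound))
```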

Trunking on Check Point SecurePlatform


Trunking is a feature that will pass the VLAN database between network devices. Usually this mechanism is used between switches and routers or between switches.

Some of us may wonder about configuring trunking on Check Point devices that use the SPLAT operating system. This trunking configuration is needed when we lack switch devices and want to do inter-VLAN routing on the Check Point device.

In general, Check Point won’t refer to this as VLAN trunking, which is why you won’t see it in their console, portal or brochures. You will only see 802.1q support mentioned, which is the VLAN mechanism that is supported.

 

Below are the steps that will help us to configure VLAN trunking on Check Point SPLAT:

1. Go to the WebUI. Then, under Interfaces, you can add a new VLAN interface; you will be asked for the VLAN ID, IP address, subnet mask, and the physical interface.

2. For example, we create VLANs 13, 20, 22 and 75 on the physical interface called LAN 3.

3. The configuration will look like below:

4. Remember not to configure an IP address on the physical interface. In this example, don’t configure an IP address on the “LAN 3” interface.

5. The physical interface will automatically become the trunk port.

6. If you are not able to configure the VLANs via the WebUI, add the VLANs manually via the CLI by executing the command “sysconfig”. After executing sysconfig, follow the same steps as above.

7. Don’t forget to configure your switch to allow VLANs 13, 20, 22 and 75 towards the Check Point firewall. In this example, we use a Cisco switch and the configuration is as below:

interface GigabitEthernet1/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 13,20,22,75
 switchport mode trunk

 

Hope our steps will help you configure the trunking on Check Point SPLAT.

ASA – Group Object

Create an object-group of type icmp-type for ICMP traffic:

object-group icmp-type INBOUND
description Permit necessary inbound ICMP traffic
icmp-object echo
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded

Create an object-group of type service for TCP traffic:

object-group service INBOUND tcp
description Inbound Access
port-object eq 3389
port-object range 9998 9999
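As an added example (not from the original post and not Cisco code) that serves both the ICMP type table above and the ASA icmp-type object-group: a decoder that reads the type and code from a raw ICMP message, verifies the RFC 792 checksum, names the type from the table, and reports whether the INBOUND group above would match it. The sample packet is constructed; the ASA keyword-to-type mapping (echo=8, echo-reply=0, unreachable=3, time-exceeded=11) is the standard one.

```python
"""Decode an ICMP header, name the type from the table above, and check it
against the ASA 'object-group icmp-type INBOUND' shown above.

Added example, not from the original post or from Cisco. The sample packet is
constructed; the ASA keyword-to-type mapping (echo=8, echo-reply=0,
unreachable=3, time-exceeded=11) is the standard one.
"""
import struct
from typing import Dict, Tuple

# The IANA table above, keyed by type number (ranges are handled in type_name).
ICMP_TYPE_NAMES: Dict[int, str] = {
    0: "Echo Reply", 3: "Destination Unreachable", 4: "Source Quench",
    5: "Redirect", 6: "Alternate Host Address", 8: "Echo Request",
    9: "Router Advertisement", 10: "Router Selection", 11: "Time Exceeded",
    12: "Parameter Problem", 13: "Timestamp", 14: "Timestamp Reply",
    15: "Information Request", 16: "Information Reply",
    17: "Address Mask Request", 18: "Address Mask Reply",
    19: "Reserved (for Security)", 30: "Traceroute",
    31: "Datagram Conversion Error", 32: "Mobile Host Redirect",
    33: "IPv6 Where-Are-You", 34: "IPv6 I-Am-Here",
    35: "Mobile Registration Request", 36: "Mobile Registration Reply",
    37: "Domain Name Request", 38: "Domain Name Reply", 39: "SKIP", 40: "Photuris",
}

# The ASA object-group from the post, resolved to type numbers.
ASA_ICMP_OBJECT_TYPES = {"echo": 8, "echo-reply": 0, "unreachable": 3, "time-exceeded": 11}
INBOUND_GROUP = ["echo", "echo-reply", "unreachable", "time-exceeded"]


def icmp_checksum(data: bytes) -> int:
    """RFC 792 checksum: one's complement of the one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_icmp(packet: bytes) -> Tuple[int, int, bool]:
    """Return (type, code, checksum_ok); a message with a valid checksum sums to zero."""
    if len(packet) < 8:
        raise ValueError("ICMP message is at least 8 bytes")
    icmp_type, code = struct.unpack("!BB", packet[:2])
    return icmp_type, code, icmp_checksum(packet) == 0


def type_name(icmp_type: int) -> str:
    """Name per the table above, including its reserved ranges."""
    if 20 <= icmp_type <= 29:
        return "Reserved (for Robustness Experiment)"
    if 41 <= icmp_type <= 255:
        return "Reserved"
    return ICMP_TYPE_NAMES.get(icmp_type, "Unassigned")


def permitted_by_group(icmp_type: int, group=INBOUND_GROUP) -> bool:
    """True if an ASA rule referencing this icmp-type group would match the type."""
    return icmp_type in {ASA_ICMP_OBJECT_TYPES[name] for name in group}


# Constructed sample: Echo Request (type 8, code 0, id 0, seq 0) carrying
# "abcdefgh"; checksum 0x666a was computed with icmp_checksum over the message.
SAMPLE_ECHO_REQUEST = bytes.fromhex("0800666a00000000" "6162636465666768")
```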

ADSL2 v ADSL2+

There’s a common misconception that ADSL2+ is faster than ADSL2 on any line. That’s not really the case. In simple terms:

ADSL2+ utilises twice the frequency range on your phone line that ADSL2 does. This, again in simple terms, means twice as fast, BUT that is only seen on short, low-attenuation lines.

If your line is only capable of supporting 7meg on ADSL2 then it’s only capable of supporting 7meg on ADSL2+, as it can usually only use the same frequencies for both (see below).

However, if you’re lucky enough to have a line that can support higher frequencies, then you get up to 12meg on ADSL2 (the maximum possible) but up to 24meg on ADSL2+.

The crossover between ADSL2 and ADSL2+ is therefore in the 10-12 meg range (typically 35-40dB if the line is relatively noise free).

ADSL2+ can give faster speeds, but usually only on short lines, as explained above. The only time that wouldn’t be true is for a moderately short line (one that offered some higher frequencies above those usable by ADSL2) that had induced noise at the lower frequencies and was clean at the higher frequencies, in which case ADSL2+ would possibly be better as it could use those higher frequencies.

There is also the possibility that a network uses equipment whose firmware works better in certain conditions with specific ADSL modes, which is why G.DMT is sometimes mentioned as being better for problem lines.

Cisco: 1841 – 3G Configuration

This configuration example is for use with a 3G WIC card within a Cisco based
Router.

This was configured with a Vodafone Network.

Initialization

Place the SIM card into the 3G WIC, then insert the card in the router and power it on.

Create a Profile specific to your mobile ISP

  • Insert the APN told by your ISP (Vodafone UK: ‘Internet’ username: ‘web’ password: ‘web’)
  • Insert the authentication method (chap or pap) and the credentials, also supplied from your ISP

Below is an example of a Vodafone UK cellular profile.

Router# cellular 0/0/0 gsm profile create 1 Internet chap web web

You can review the profile you’ve just created using the command:

router# sh cellular 0 profile

Profile Information
====================
Profile 1 = ACTIVE
--------
PDP Type = IPv4
PDP address = 192.168.1.1
Access Point Name (APN) = Internet
Authentication = PAP
Username: web, Password: web 

* - Default profile

Configuration

You need to define a chat script first, which is used for modem setup and call initialization. If you are familiar with IOS dial configurations, you will feel at home. Please note that the last number in the dial string (1 in the example below) refers to the modem profile number you hopefully defined earlier.

! your chat script
chat-script vodafone "" "ATDT*98*1#" TIMEOUT 60 CONNECT

! the bare interface config
! subcommands at the Cellular interface

interface Cellular0/0/0
 ip address negotiated
 ip virtual-reassembly
 encapsulation ppp
 dialer in-band
 dialer idle-timeout 0
 dialer string vodafone
 dialer-group 1
 async mode interactive
 ppp chap hostname web
 ppp chap password 0 web
 ppp ipcp dns request
!
! default route out of the cellular interface (the name must match the interface above)
ip route 0.0.0.0 0.0.0.0 Cellular0/0/0
dialer-list 1 protocol ip permit
!
! this is the async line assigned to the 3G modem;
! the script name here must match the chat-script name above
line 0/0/0
 script dialer vodafone
 no exec
 rxspeed 3600000
 txspeed 384000

If the cellular interface does not get an IP address, you may need to go into config t and add these lines again, even though they already appear above:

line 0/0/0
 script dialer vodafone
!

Show commands

Just in case you need them for troubleshooting, here are the show commands to use.

  • show cellular 0 network
  • show cellular 0 hardware
  • show cellular 0 connection
  • show cellular 0 radio
  • show cellular 0 profile
  • show cellular 0 security
  • show cellular 0 all

Debug commands

  • debug chat
  • debug modem
  • debug dialer events
  • debug ppp authentication

Rather than reloading the router to restart the module, you can use the CLI to reset or reboot the module:

router(config)# service internal
router(config)# exit
router# test cellular 0 modem-power-cycle ! for rebooting
router# test cellular 0 modem-reset ! for resetting

  • Remember to create the Cellular Profile after loading the config onto the router via TFTP:
    cellular 0/0/0 gsm profile create 1 Internet chap web web
  • This is the bare configuration; you will need to add NAT, firewalls, etc.