Monday, August 16, 2010

Routing for Office Mode IPs in Checkpoint

When configuring Remote Access VPNs in Checkpoint, Office Mode is used very often. With Office Mode, we allocate a network range to be assigned to the Remote Access VPN clients, so when a client connects it receives a private IP from the pool we have assigned. This becomes handy when we want to write rules that allow internal users/devices to access the remotely connected clients.
Normally we don't need to create an explicit route for the set of Office Mode IPs, because it is reached via the default gateway. But there are instances where you should create a route for the Office Mode range. Consider the following example.
The firewall's internal network is 192.168.x.0/24, and there are branch networks (around 20) in 192.168.w.0/24. You assign the Office Mode IPs from 192.168.y.0/24. Since there are many networks behind the internal router, the easiest way to configure the routing is to point 192.168.0.0/16 at the internal router.
With this kind of routing configuration, the remote VPN clients won't get any return packets. In simple words, they cannot access any resource they are intended to access, even though the VPN tunnel gets established. This is because the return traffic is routed to the internal network by the summary route we have inserted. To overcome this issue, you have to add a specific route for the Office Mode IPs. The route should be as follows.
192.168.w.0/24 via Default route.
Say the Office Mode IPs are assigned from the 192.168.23.0/24 network, and the external interface is eth2. Then go to sysconfig, choose 6 for Routing configuration, and select 1 to Add a Network Route.
Network IP: 192.168.23.0
Subnet mask: 255.255.255.0
Gateway:

This will route the traffic via the VPN tunnel.
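The routing decision described above, as an added example (not code from the original post): a small longest-prefix-match lookup over a constructed table, showing that with only the /16 summary route a reply to an Office Mode client is sent to the internal router, and that the specific /24 route pulls it back to the external side. The next-hop addresses and the internal interface name eth1 are assumptions.

```python
"""Longest-prefix-match demo for the Office Mode return-traffic problem.

Added example, not from the original post. The table models the post's
scenario: a 192.168.0.0/16 summary route towards the internal router, a
default route towards the ISP gateway on eth2, and optionally the
specific route for the Office Mode pool 192.168.23.0/24.
"""
import ipaddress

# Constructed next hops and internal interface name (assumptions).
INTERNAL_ROUTER = "192.168.1.254"   # reached via eth1
ISP_GATEWAY = "203.0.113.1"         # default gateway on eth2


def lookup(table, dst):
    """Return (prefix, next_hop, iface) of the most specific matching route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return (str(best[0]), best[1], best[2]) if best else None


def return_path(dst, with_office_mode_route):
    """Where a reply to Office Mode client `dst` is forwarded."""
    table = [
        ("0.0.0.0/0", ISP_GATEWAY, "eth2"),          # default route
        ("192.168.0.0/16", INTERNAL_ROUTER, "eth1"),  # summary route
    ]
    if with_office_mode_route:
        # The specific /24 for the pool, via the default gateway on eth2.
        table.append(("192.168.23.0/24", ISP_GATEWAY, "eth2"))
    return lookup(table, dst)


if __name__ == "__main__":
    for flag in (False, True):
        print("office mode route:", flag, "->", return_path("192.168.23.10", flag))
```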

Thursday, August 12, 2010

Interface Bonding In SPLAT

The ClusterXL documentation from Checkpoint covers everything necessary for HA link redundancy, but it does not cover interface redundancy for a standalone installation.
Interface bonding is supported in almost all Linux/Unix distributions, and SPLAT supports it too. You can configure interface bonding via the sysconfig command. NGX releases prior to R70 (including R70) do not provide the "High Availability" and "Load Balancing" options when you create bond interfaces.
R70.30, however, includes this feature, so when you create a bond interface you are given the option to make it either an HA or a Load Balancing bond.
Configuring Interface bonding is straightforward.

1) First you have to make sure there are no IP addresses configured on the physical interfaces that are going to be bonded. You can remove the IP addresses using the sysconfig command.
  • Choose 5 - Network Connections
  • Choose 2 - Configure Connection
  • Select the appropriate interface
  • Choose 3 - Remove IP address
2) After you have removed all the IP addresses, select Add new connection in the Network Connections configuration menu.

3) Select Bond Interface

4) Choose an interface to be slave

5) Choose another interface to be slave

6) When you have finished selecting interfaces, enter 'n' to go to the next step.

7) Select "1" for High Availability, or select "2" for Load Sharing.

8) If you select Load Balancing you are given two other interfaces. Here I will discuss HA only.

9) When you select HA you are given two options: either select the default advanced parameters or customize the advanced parameters.

10) Selecting default advanced parameters, you will be asked whether you want to select a primary slave interface or not. If you select 'y' then you have to select a primary interface in the bond.

11) Then you will be asked to configure the IP address and the subnet mask for the bond interface.

The configuration in SmartDashboard is the same as for a normal interface.
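Once the HA bond is up, the Linux bonding driver underneath SPLAT reports its state in the kernel's bonding status file. As an added example (not from the original post), here is a small parser for that file plus a check of the things you would want to confirm after steps 7 to 10: active-backup mode, every slave link up, and the chosen primary actually being the active slave. The status text is a constructed sample in the driver's standard layout (slave names, MAC addresses and driver version are made up), and the /proc/net/bonding/bond0 path is assumed rather than taken from the post.

```python
"""Parse a Linux bonding status file and check an active-backup (HA) bond.

Added example, not from the original post. SAMPLE is a constructed
/proc/net/bonding/bond0 with the primary slave eth1 down and eth2 active.
"""
import re

SAMPLE = """\
Ethernet Channel Bonding Driver: v3.2.4 (January 28, 2008)

Bonding Mode: fault-tolerance (active-backup)
Primary Slave: eth1
Currently Active Slave: eth2
MII Status: up
MII Polling Interval (ms): 100

Slave Interface: eth1
MII Status: down
Permanent HW addr: 00:00:5e:00:53:01

Slave Interface: eth2
MII Status: up
Permanent HW addr: 00:00:5e:00:53:02
"""

def parse_bond(text):
    """Split the status file into bond-level fields and one dict per slave."""
    head, *blocks = re.split(r"^Slave Interface: ", text, flags=re.M)
    kv = lambda b: dict(ln.split(": ", 1) for ln in b.splitlines() if ": " in ln)
    slaves = {}
    for block in blocks:
        name, _, rest = block.partition("\n")  # first line is the slave name
        slaves[name.strip()] = kv(rest)
    return kv(head), slaves

def check_ha_bond(text):
    """Return findings an operator would want to see after creating an HA bond."""
    bond, slaves = parse_bond(text)
    findings = []
    if "active-backup" not in bond.get("Bonding Mode", ""):
        findings.append("bond is not in active-backup (HA) mode")
    for name, s in slaves.items():
        if s.get("MII Status") != "up":
            findings.append(f"slave {name} link is down")
    # Newer drivers append "(primary_reselect ...)" after the primary's name.
    primary = bond.get("Primary Slave", "None").split()[0]
    active = bond.get("Currently Active Slave", "None")
    if primary != "None" and active != primary:
        findings.append(f"failed over: primary {primary} is not active, {active} is")
    return findings
```

On a live box, read the file into `text` instead of using SAMPLE, with the path adjusted to the bond name you created.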

Wednesday, August 11, 2010

Checkpoint Standalone Installation - post installation issue

Recently I deployed a Checkpoint Standalone installation at one of our customers' sites. It was an HP DL360 G6 server with an additional interface card. The deployment was R70 (actually R70.30).
The first problem I encountered was that the network card was not recognized by SPLAT. Checking the NIC details, it turned out that the installed card (NC375T) was not supported by SPLAT, so it was replaced with a compatible card.
After the installation process, when I logged into SmartDashboard, the Checkpoint object was created automatically. But when I tried to retrieve the interface configuration, all the interfaces were defined as External, and there was no option to change it.
Before this implementation I had done a UTM-1 standalone installation with R65, and this issue was not encountered there.
The solution was not a magical thing; there was an option in the Dashboard itself. When you right-click the Checkpoint object, there is an option to convert the object into a Gateway. When you convert it to a gateway, the normal firewall interface configuration can be carried out. :)

Thursday, August 5, 2010

How to crack SPLAT password

SPLAT is the secure hardened OS provided by Checkpoint Software Technologies. There may be instances where firewall administrators have forgotten the password and need to reset it. This article will give you an insight into how to reset the 'admin' and 'expert' passwords of SPLAT. For this you need physical access to your device and a Linux live CD (Ubuntu will do the job).
  1. Boot the device using the live CD.
  2. Mount the '/' partition. If you are using Ubuntu, this will be an easy task. Otherwise, change your user to root or log in as root. To change to root, on RedHat based Linux systems issue
    "su -" followed by the root password; on Debian based Linux systems, issue "sudo su -" followed by the account password. After changing to the root user, issue the following commands:
    mkdir /mnt/_root
    mount /dev/hda1 /mnt/_root (you have to replace hda1 with the appropriate partition)

  3. Open a terminal (you should be root) and browse into the mounted "/" partition. If you mounted it using the GUI, it will be under "/media/_". Then browse into the "etc" folder in the mounted partition. We are going to edit the "passwd" file, so it will be:
    "vi /media/_/etc/passwd"

  4. Notice that the shell set for the admin user is "/bin/cpshell". This shell has limited functionality, so it prevents most of the common Linux commands from being executed using the admin account. You have to change this shell to "bash".
    For this use your favourite CLI based editor; in my case it is "vi". Replace "/bin/cpshell" with "/bin/bash" in the admin user's line. Save it and exit.

  5. Now edit the shadow file inside the etc folder: "vi /media/_/etc/shadow". In this file delete the hashed password of the admin user. Save it and exit.
  6. Reboot the device.
  7. Once the device has booted, log in as admin. You don't have to provide a password. Now you are in Expert mode. (See, it's the bash shell that gives you the Expert view :) )
  8. Issue "passwd" and change the password. This is the password you will provide for expert mode.
  9. After you have set the expert password, edit the "/etc/passwd" file. Change the admin user's shell from "/bin/bash" to "/bin/cpshell". Save it and exit.
  10. Now logout from the shell.
  11. The login prompt will appear; log in as admin. You don't need any password to log in.
  12. Once you have logged in, issue "passwd". When it asks for the current password, just press Enter, because there is no admin password. Then enter the password you desire.
That's all. :D
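The procedure above leaves two visible traces while it is in progress: the admin user's shell is "/bin/bash" instead of "/bin/cpshell", and admin's shadow entry has an empty hash. As an added example (not from the original post), here is a small audit that checks a passwd/shadow pair for exactly those two things, so you can confirm after step 12 that everything is back to normal, or notice if someone else has done the same thing to a box. The passwd and shadow contents are constructed samples; the hash strings are placeholders, not real SPLAT hashes, and the uid/home fields are assumed.

```python
"""Audit a passwd/shadow pair for the two changes the SPLAT reset procedure makes.

Added example, not from the original post. Samples below are constructed:
PASSWD_MID/SHADOW_MID model the state between steps 5 and 9 (admin on bash,
empty hash); PASSWD_OK/SHADOW_OK model the expected state after step 12.
"""
EXPECTED_SHELL = "/bin/cpshell"

PASSWD_MID = ("root:x:0:0:root:/root:/bin/bash\n"
              "admin:x:0:0::/home/admin:/bin/bash\n")
SHADOW_MID = ("root:$1$PLACEHOLDER$roothash:14800:0:99999:7:::\n"
              "admin::14800:0:99999:7:::\n")
PASSWD_OK = ("root:x:0:0:root:/root:/bin/bash\n"
             "admin:x:0:0::/home/admin:/bin/cpshell\n")
SHADOW_OK = ("root:$1$PLACEHOLDER$roothash:14800:0:99999:7:::\n"
             "admin:$1$PLACEHOLDER$adminhash:14800:0:99999:7:::\n")


def _fields(text, name):
    """Return the ':'-separated fields of `name`'s line, or None if absent."""
    for line in text.splitlines():
        parts = line.split(":")
        if parts[0] == name:
            return parts
    return None


def audit(passwd_text, shadow_text, user="admin"):
    """Return a list of findings for `user`; an empty list means nothing unusual."""
    pw = _fields(passwd_text, user)
    if pw is None:
        return [f"{user} missing from passwd"]
    findings = []
    if pw[-1] != EXPECTED_SHELL:          # shell is the last passwd field
        findings.append(f"{user} shell is {pw[-1]}, expected {EXPECTED_SHELL}")
    sh = _fields(shadow_text, user)
    if sh is None:
        findings.append(f"{user} missing from shadow")
    elif sh[1] == "":                     # hash is the second shadow field
        findings.append(f"{user} has an empty password hash (no password required)")
    return findings


if __name__ == "__main__":
    print("mid-procedure:", audit(PASSWD_MID, SHADOW_MID))
    print("after step 12:", audit(PASSWD_OK, SHADOW_OK))
```

On a real system, read the mounted partition's etc/passwd and etc/shadow into the two text arguments instead of using the samples.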