Ken Felix Security Blog: 2022

Thursday, December 29, 2022

globalprotect client tips

We are going thru some global protect VPN deployment, and the same issues always come up about the server certificate.

1: Ideally, you want the certificate signed by a public CA or your internalCA that is already trusted

2: On Android to install the certificate, you need a file. extension that ends in <name>.crt. the extension.Cert or .cert will not work

3: On unbuntu , download the latest client and dpkg install it.

e.g

sudo dpkg -i ./GlobalProtect_deb-6.0.4.1-28.deb

4: On Android it's sometimes best to use an altName and ip.address value since it's harder to trust private certificates or the DNS name check will mess you up.

5: If you have a rooted phone you cand adb get /etc/systems/hosts and modify the file and push it back into the device

6: Always check logs and cli for successful connections

7: If you need multiple gateways best practice is to use a loop back interface and set up multiple addresses with different gateways

e.g

loop0 IP 1.1.1.1 = gateway1

loop0 IP 1.1.1.2 = gateway2

loop0 IP 1.1.1.3 = gateway3

Doing this will let you craft different auth-profile, different gateways, pools, different rules, etc...

8: Lastly, if remote authentication is required, do not forget any service routes if you are not using the mgmt-interface for the auth access

NSE ( network security expert) and Route/Switching Engineer

kfelix -----a----t---- socpuppets ---dot---com

^ ^

=( @ @ )=

/ \

Saturday, September 3, 2022

A blackhole mechanism using goBGP

This is a simple method for route-injection of /32s into BGP from a goBGP instance. Here we have a dynamic bgp configuration in gobgpd.conf so the bgp router is passively listening for connections.

[global.config]

as = 2

router-id = "0.0.0.2"

port = 179

[[mrt-dump]]

[mrt-dump.config]

dump-type = "updates"

file-name = "/home/gobgpd/dump.dump"

dump-interval = 180

rotation-interval = 28800

[[peer-groups]]

[peer-groups.config]

peer-group-name = "socpuppets_core_lan"

local-as = 2

peer-as = 1

auth-password = "socpupbgp01"

[[dynamic-neighbors]]

[dynamic-neighbors.config]

prefix = "198.206.234.0/24"

peer-group = "socpuppets_core_lan"

And here's log debug output in plain text

A 100K ft view of the components

GoBGP understand route-refresh initiated by the panos firewall in this example.

test routing bgp virtual-router default restart self

test routing bgp virtual-router default refresh peer GOBGP_injector

NSE ( network security expert) and Route/Switching Engineer

kfelix -----a----t---- socpuppets ---dot---com

^ ^

=( @ @ )=

/ \

Thursday, September 1, 2022

CHKPT diagnostics and cpinfo collections steps

Here's what CHKP support need in order to diagnose heavy cpu%. The collection of these details and cpview can help in diagnostics of high cpu utilizations

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_PerformanceTuning_AdminGuide/Topics-PTG/CPU-Spike-Detective.htm

and if you are running pre R80.40 you might have to enable it manually;

Deploy files:

File	GW placement	Comment
spike_detective	$FWDIR/bin	Execution permissions: chmod +x $FWDIR/bin/spike_detective
spike_detective_conf.xml	$FWDIR/conf

Activate:
[Expert@Firewall]# cpwd_admin start -name "SPIKE_DETECTIVE" -path "$FWDIR/bin/spike_detective" -command "spike_detective"

Check status by running 'cpwd_admin list' and validating status is 1
[Expert@Firewall-dynamite-side-T55-main-take-10:0]# cpwd_admin list | grep SPIKE_DETECTIVE
SPIKE_DETECTIVE 7780 E 1 [09:52:08] 25/11/2020 N spike_detective

Deactivate (if needed):
[Expert@Firewall]# cpwd_admin stop -name "SPIKE_DETECTIVE"
[Expert@Firewall]# cpwd_admin del -name "SPIKE_DETECTIVE"
If we wish the tool's run will 'survive' reboot we can instead run the following commands

Activate

[Expert@Firewall]# cpd_sched_config add 'spike_detective' -c "cpwd_admin start -name SPIKE_DETECTIVE -path $FWDIR/bin/spike_detective -command spike_detective" -s -r -e 604800
[Expert@Firewall]# cpd_sched_config activate 'spike_detective'

Deactivate

[Expert@Firewall]# cpwd_admin stop -name "SPIKE_DETECTIVE"
[Expert@Firewall]# cpwd_admin del -name "SPIKE_DETECTIVE"
[Expert@Firewall]# cpd_sched_config deactivate 'spike_detective'
[Expert@Firewall]# cpd_sched_config delete 'spike_detective'
How is a spike detected?
A CPU core will be consider as 'spiked' if it holds all of the following conditions:

Utilization over 80% (configurable)
Utilization is at least 1.5 times higher than the system average (configurable)
This ensures that a broadly highly utilized system (for example: during performance testing) will not detect all cores as spiked

A thread/process will be consider as 'spiked' if it holds all of the following conditions:

Running on a spiked CPU
Utilization over 70% (configurable)
Utilization is at least 1.5 times higher than the system average (configurable)

What happens when a spike is detected?
Upon detecting a spike the daemon:
Reports the spike to

/var/log/spike_detective/spike_detective.log
cpview, cpview_services

We want to make sure the Variable for the below parameters is set to True

profiler_config	"top_conns_enable"	Enable collecting top connections data during fw worker spike	BOOLEAN	true (Enabled)
profiler_config	"heavy_conns_enable"	Enable collecting heavy connections data during fw worker spike	BOOLEAN	true (Enabled)
cleaner_config	"cleaner_enabled"	Enable/Disable periodic cleanup of old spikes directories	BOOLEAN	true (Enabled)

Its located in the below conf file
Configurable Variables
The CPU Spike Monitor is configured via the file '$FWDIR/conf/spike_detective_conf.xml'
Configuration example:
<?xml version="1.0" encoding="UTF-8"?>
    <config_file>
        <profiler_config>
            <stat name="perf_enable" type="BOOLEAN" value="false"/>
        </profiler_config>
    </config_file>
It should be True but we want to make sure so it captures what we are needing

How to change the configuration values?