Friday, June 26, 2020

Checkpoint HA probe shows HA down: cores did not match on nodes

I ran into a Checkpoint Security Gateway HA issue where the CoreXL cores did not match on the two security gateways.


Here's what happened: this is a VM with multiple vCPUs. The primary and secondary nodes matched from a VMware perspective, but the configuration details did not.

cpconfig also provided a clue: the menu option did not exist on the primary security gateway. If the correct number of cores is not listed, option 10 will not be presented.





So the file /etc/fw.boot/boot.conf has to match on both members.




As you can clearly see, they did not. I had to edit that file with vi, reboot node cpsg101, and re-run "cphaprob state" to verify after the reboot.


ID         Unique Address  Assigned Load   State          Name

1 (local)  10.1.20.5       100%            ACTIVE         cpsg101
2          10.1.20.6       0%              STANDBY        cpsg102


I hope this can help someone who does not have a healthy HA state.





Ken Felix 
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o

        /  \

Friday, June 19, 2020

HOWTO: build discard routes to drop traffic by country for junos


In this thread, we will use a very simple python script to write discard routes for junos. You can create a "set config" and load that into your junos device.

The geoip source used in this example comes from ipdeny, which keeps an up-to-date list. You can also use other geodata, such as https://www.ip2location.com/free/visitor-blocker, and request the country in CIDR format.

I like ipdeny since the data is clear and simply formatted. Just make sure to change the two-letter country code to the country that you want.

      https://www.ipdeny.com/ipblocks/data/countries/ch.zone


They are working on a firewall configuration tool that I hope will be ready soon.








Just set the two-letter country code in your request when pulling down the CIDR blocks.

Next, call the python script, which reads the text file back in and generates the junos set commands.


#!/usr/bin/python3
#
#  junos discard route creator version 1.0
#   socpuppets
#
#  file.txt is the downloaded prefix list in CIDR format, one prefix per line
#
#  set the two letter country code to whatever country of interest
#
#        ch=china in this example
#
#  https://www.ipdeny.com/ipblocks/data/countries/ch.zone

with open("file.txt") as f:
    next(f)  # skip the first line of the downloaded file

    for prefix in f:
        print("set routing-options static route", prefix.rstrip(), "discard")


This will format the discard routes like this:

set routing-options static route 1.0.8.0/21 discard
set routing-options static route 1.0.32.0/19 discard
set routing-options static route 1.1.0.0/24 discard
set routing-options static route 1.1.2.0/23 discard
set routing-options static route 1.1.4.0/22 discard
set routing-options static route 1.1.8.0/24 discard
set routing-options static route 1.1.9.0/24 discard
set routing-options static route 1.1.10.0/23 discard
set routing-options static route 1.1.12.0/22 discard
set routing-options static route 1.1.16.0/20 discard
set routing-options static route 1.1.32.0/19 discard
set routing-options static route 1.2.0.0/23 discard
set routing-options static route 1.2.2.0/24 discard
set routing-options static route 1.2.4.0/24 discard
set routing-options static route 1.2.5.0/24 discard

Just save the above text into a file and then load that into the juniper device and commit the changes.


./china_blocks.py  > junos_china_netblocks.set-format

scp ./junos_china_netblocks.set-format    kfelix@juniper.example.com:

Then log in and commit the changes on the Juniper device:


ssh  kfelix@juniper.example.com

 configure
   load set junos_china_netblocks.set-format
   commit check
 commit and-quit


I hope this demo shows you a quick means of blocking addresses from a particular country. Great if you need to quickly block a country due to unwarranted activity.
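A more defensive version of the generator above, added here as an example and not the script from the post: it validates each line as a CIDR prefix instead of trusting the file, collapses adjacent or overlapping blocks so the routing table carries fewer entries, and places IPv6 prefixes in inet6.0. The zone contents below are constructed, not a real country list.

```python
#!/usr/bin/env python3
"""Junos discard-route generator for an ipdeny-style zone file.

Added example, not the script from the post: every line is validated as
a CIDR prefix, adjacent or overlapping blocks are collapsed, and IPv6
prefixes are routed into inet6.0 instead of the inet.0 default RIB.
"""
import ipaddress

# Constructed sample of a zone file (one CIDR per line). Blank lines and
# '#' comments are tolerated so a hand-edited file still works.
SAMPLE_ZONE = """\
# constructed sample, not a real country zone
1.0.8.0/21
1.0.32.0/19
1.1.0.0/24
1.1.1.0/24

1.1.2.0/23
not-a-prefix
"""


def parse_zone(text):
    """Return the valid IPv4/IPv6 networks in text, skipping junk lines."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue  # never emit a route for a malformed line
    return nets


def junos_discard_routes(nets, collapse=True):
    """Emit one 'set routing-options ... discard' line per network."""
    if collapse:
        v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
        v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
        nets = list(v4) + list(v6)
    lines = []
    for n in nets:
        rib = "rib inet6.0 " if n.version == 6 else ""
        lines.append(f"set routing-options {rib}static route {n} discard")
    return lines
```

Feed the downloaded zone file to parse_zone() and write the returned lines to the set file you scp to the router; with collapsing on, the four 1.1.x.x blocks in the sample become a single 1.1.0.0/22 route.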







Monday, June 8, 2020

Decrypting FortiOS passwords with fpr (fortios password recovery)

Here's a simple example of how to decode passwords on FortiOS. This does NOT work with the latest FortiOS version, 6.4.1.

fpr "fortios password recovery"

The utility is called "fpr": https://github.com/inm7ripe/Fortigate-password-recovery

Grab the ENC password field.

Here's the guest user:



Now echo the string and pipe it into fpr:




And boom shaka laka, "guest" is the password for guest. This utility works for local user accounts and vpn-psk, but system admin seems to core dump. YMMV.


 







Tuesday, June 2, 2020

HOWTO: verify geo-protection blocks on Checkpoint Security Gateway

If you ever deploy geo-protection policies and block specific countries, you can easily witness the blocks by logging into the Checkpoint appliance and running the following command:

   fw ctl zdebug drop | grep -i geo 


The geo database is the IpToCountry.csv file, and you can verify that it has been updated by looking at its timestamp.



The above will display traffic that is blocked by geo-protection. Keep in mind that geo-protection rules are evaluated before the access rules.

You can use MaxMind to verify the source's country of origin.




So if you block, let's say, "russia" via geo-protection and then write an access rule to allow a specific Russian host in, that would not work unless you had a geo-protection exception for that IPv4 source.
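Two of the checks above (is the geo database fresh, and which country does the gateway actually map a source to) can be scripted. This is an added example, not from the post or from Check Point; it assumes IpToCountry.csv follows the software77/webnet77 layout that file name usually denotes (quoted fields "ip_from","ip_to","registry","assigned","ctry","cntry","country" with the range bounds as 32-bit integers), and the sample rows are constructed.

```python
#!/usr/bin/env python3
"""Check the gateway's geo database and look a source IP up in it.

Added example, not from the post. It assumes IpToCountry.csv follows the
software77/webnet77 layout that file name usually denotes: quoted fields
"ip_from","ip_to","registry","assigned","ctry","cntry","country" with the
range bounds as 32-bit integers. Confirm the layout on your own gateway.
"""
import csv
import io
import ipaddress
import os
import time

# Constructed sample rows in that layout; these are not real allocations.
SAMPLE_CSV = """\
# comment lines start with '#'
"16777216","16777471","apnic","1313020800","AU","AUS","Australia"
"16778240","16779263","apnic","1313020800","CN","CHN","China"
"""


def parse_ip_to_country(text):
    """Return [(start_int, end_int, iso2)] for every data row in text."""
    rows = []
    data = (line for line in io.StringIO(text) if not line.startswith("#"))
    for fields in csv.reader(data):
        if len(fields) < 5:
            continue  # blank or truncated row
        rows.append((int(fields[0]), int(fields[1]), fields[4]))
    return rows


def lookup_country(ip, rows):
    """ISO-2 country code the database maps ip to, or None if unlisted."""
    n = int(ipaddress.IPv4Address(ip))
    for start, end, code in rows:
        if start <= n <= end:
            return code
    return None


def database_age_days(path, now=None):
    """Days since the database file was last written; a large value means stale."""
    now = time.time() if now is None else now
    return (now - os.path.getmtime(path)) / 86400.0
```

If lookup_country() disagrees with MaxMind for a dropped source, the gateway's copy of the database, not the rule, is the first thing to check.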


 







Sunday, May 31, 2020

Understanding FortiOS phase1 diag outputs

Here's a diag vpn ike gateway output for a tunnel that is being worked on. I'm going to go over some details of this output.


Version == indicates the IKE version (1 or 2)

addr == the IKE gateway addresses for the VPN tunnel peers (yours and theirs)

created == the total time the phase1 has been established, here 508k seconds with 18 re-keys (if you do the simple math of 18 x 28800 you will get a number close to the 508k seconds)

The IKE and IPsec SA counters are crucial for telling you if, and how many, SAs have been created. Here no IPsec SA has ever been created.

Direction == a field that tells you whether you initiated or responded to the connection

status == the IKE lifetime counter, counting down to the next rekey (28800-24466)

proposal == the active proposal set

lifetime/rekey == shows 28800/4033

DPD == counters for sent and received DPD probes; if you repeat the command you can easily ascertain the DPD interval, which in this case is 5 secs.










Thursday, May 28, 2020

junos automation via netconf

I was working on an automation idea, trying to come up with a script, and found one that works:


https://blog.karotte.org/2017/05/12/juniper-netconf-ssh/


#! /bin/bash
# Wrap configuration text from stdin in a NETCONF load-configuration RPC.
# Use like: bgpq3 ... stuff | netconf-merge-wrapper | ssh admin@router netconf
cat <<_END
<rpc>
    <load-configuration action="merge" format="text">
        <configuration-text>
_END
cat -          # the configuration text itself, passed through from stdin
cat <<_END
        </configuration-text>
    </load-configuration>
</rpc>
_END
# A first argument of "commit" appends a commit RPC after the load
if [ "$1" == "commit" ]; then
        cat <<_END
<rpc>
    <commit/>
</rpc>
_END
fi


So what we are doing is running the irrpt prefix generator and piping its output into the wrapper, and then into the junos device.

If you pass the commit argument, the RPC call will also commit the loaded configuration. It's a very simple means of updating BGP prefix filter lists.


irrpt_pfxgen <AS_NUMBER>  | ./wrapper.sh commit | ssh  kenfelix@<router ipv4 address> netconf
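The wrapper pastes whatever arrives on stdin straight between the <configuration-text> tags, so a stray '<' or '&' in the generated text would corrupt the RPC. The same exchange built in Python, as an added example (not the script from the post or from karotte.org): the text is XML-escaped, the optional commit RPC is appended exactly as above, and each document is parsed back before it is sent. The policy-options snippet is constructed, not real irrpt output.

```python
#!/usr/bin/env python3
"""Build the NETCONF RPCs the bash wrapper emits, with escaping.

Added example, not the script from the post. The config text is
XML-escaped before it is placed in <configuration-text>, so a '<' or
'&' in a prefix-list cannot break out of the element, and each RPC is
parsed back to prove it is well-formed before it goes down the pipe.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample of irrpt-style output, not real generated config.
SAMPLE_CONFIG = """\
policy-options {
    prefix-list AS-EXAMPLE {
        192.0.2.0/24;
        198.51.100.0/24;
    }
}
"""


def build_rpcs(config_text, commit=False):
    """Return the RPC documents: a merge load, then a commit if asked."""
    rpcs = [
        "<rpc>\n"
        '    <load-configuration action="merge" format="text">\n'
        "        <configuration-text>\n"
        f"{escape(config_text)}"
        "        </configuration-text>\n"
        "    </load-configuration>\n"
        "</rpc>\n"
    ]
    if commit:
        rpcs.append("<rpc>\n    <commit/>\n</rpc>\n")
    for rpc in rpcs:
        ET.fromstring(rpc)  # raises ParseError if anything is malformed
    return rpcs


def loaded_text(rpc):
    """Extract the configuration text Junos would see from a load RPC."""
    node = ET.fromstring(rpc).find("./load-configuration/configuration-text")
    return node.text if node is not None else None
```

Write "".join(build_rpcs(text, commit=True)) to the ssh netconf session's stdin, exactly where the bash wrapper's output goes today.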









Friday, May 22, 2020

Multiple Phase2 in strongSwan configurations

When you have more than one local/remote subnet pair, you have a few ways to add multiple phase2s in the config.

In FortiOS we build multiple phase2s and reference the phase1 interface; in strongSwan it's a very similar approach.


# sample 2x phase2 connection srx1
conn srx1
        leftsubnet=10.198.198.0/24
        rightsubnet=192.168.1.0/24
        also=srx
        auto=route


# sample 2x phase2 connection srx2
conn srx2
        leftsubnet=10.197.197.0/24
        rightsubnet=192.168.1.0/24
        also=srx
        auto=route


The connection "srx" is the parent for the two child connections srx1 and srx2.

Here's a full config; take heed of the parent conn srx and the two associated children srx1 and srx2.





Also, ipsec status will now show the two child connections srx1 and srx2 when executed.



That's how easy it is to associate multiple local/remote-subnets in strongswan.







