Friday, June 26, 2020

Check Point HA: cphaprob shows HA down because cores did not match on the nodes

I ran into a Check Point Security Gateway HA issue where the CoreXL configuration did not match on the two security gateways.


Here's what happened: the gateways are VMs with multiple vCPUs. The primary and secondary nodes matched from a VMware perspective (same number of vCPUs), but the CoreXL configuration details on the two members did not.

cpconfig also provided a clue: the CoreXL configuration entry (option 10 in the cpconfig menu) did not exist on the primary security gateway. If the correct number of cores is not detected, option 10 is not presented at all.





So the file /etc/fw.boot/boot.conf has to match on both cluster members.




As you can clearly see, they did not. I had to edit that file with vi, reboot node cpsg101, and re-run "cphaprob state" after the reboot to verify.


ID         Unique Address  Assigned Load   State          Name

1 (local)  10.1.20.5       100%            ACTIVE          cpsg101
2          10.1.20.6       0%              STANDBY         cpsg102


I hope this helps someone who does not have a healthy HA state.
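As an added example (not part of the original post), the following Python script turns the two checks in this fix into code: it compares the CoreXL lines of boot.conf from both members and parses "cphaprob state" output to confirm exactly one ACTIVE and the rest STANDBY. The boot.conf bodies, the cphaprob output and the key name CoreXL_instances are constructed assumptions; to use it for real, copy /etc/fw.boot/boot.conf from each member with scp and paste in the real cphaprob output.

```python
#!/usr/bin/env python3
"""Check two cluster members for a CoreXL mismatch and parse cphaprob state.

Added example, not part of the original post. The two boot.conf bodies and
the cphaprob output below are constructed samples; in practice you would
copy /etc/fw.boot/boot.conf from each member (scp) and capture
"cphaprob state" on one of them, then feed the text to these functions.
The key name "CoreXL_instances" is assumed here; the comparison matches
any line whose key mentions CoreXL, so it works whatever the release calls it.
"""
import re

# Constructed sample: boot.conf from each member, differing only in cores.
BOOT_CONF_CPSG101 = """\
ipv6_mode 0
CoreXL_instances 4
"""
BOOT_CONF_CPSG102 = """\
ipv6_mode 0
CoreXL_instances 2
"""

# Constructed sample of "cphaprob state" output after the fix.
CPHAPROB_STATE = """\
ID         Unique Address  Assigned Load   State          Name

1 (local)  10.1.20.5       100%            ACTIVE          cpsg101
2          10.1.20.6       0%              STANDBY         cpsg102
"""


def corexl_settings(boot_conf):
    """Return {key: value} for every CoreXL-related line of a boot.conf body."""
    settings = {}
    for line in boot_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and "corexl" in parts[0].lower():
            settings[parts[0]] = " ".join(parts[1:])
    return settings


def corexl_mismatch(conf_a, conf_b):
    """Return {key: (value_a, value_b)} for keys that differ; empty = agree."""
    a, b = corexl_settings(conf_a), corexl_settings(conf_b)
    return {k: (a.get(k), b.get(k)) for k in a.keys() | b.keys()
            if a.get(k) != b.get(k)}


# One member row: "1 (local)  10.1.20.5   100%   ACTIVE   cpsg101"
_MEMBER_RE = re.compile(
    r"^(?P<id>\d+)(?: \(local\))?\s+(?P<addr>\S+)\s+(?P<load>\d+)%\s+"
    r"(?P<state>\S+)\s+(?P<name>\S+)\s*$")


def parse_cphaprob_state(output):
    """Parse the member table of 'cphaprob state' into a list of dicts."""
    members = []
    for line in output.splitlines():
        m = _MEMBER_RE.match(line)
        if m:
            members.append({"id": int(m["id"]), "addr": m["addr"],
                            "load": int(m["load"]), "state": m["state"],
                            "name": m["name"]})
    return members


def ha_healthy(members):
    """True when exactly one member is ACTIVE and every other one is STANDBY."""
    states = [m["state"] for m in members]
    return (len(members) >= 2 and states.count("ACTIVE") == 1
            and all(s in ("ACTIVE", "STANDBY") for s in states))


if __name__ == "__main__":
    diff = corexl_mismatch(BOOT_CONF_CPSG101, BOOT_CONF_CPSG102)
    for key, (a, b) in diff.items():
        print(f"{key}: cpsg101={a} cpsg102={b}  <- fix the odd member, then reboot it")
    members = parse_cphaprob_state(CPHAPROB_STATE)
    print("HA healthy" if ha_healthy(members) else "HA NOT healthy", members)
```

Any key reported by corexl_mismatch is the line to edit on the member that is wrong; after the reboot, feed the fresh cphaprob output to parse_cphaprob_state and expect ha_healthy to be true.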





Ken Felix 
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o

        /  \

Friday, June 19, 2020

HOWTO: build discard routes to drop traffic by country for junos


In this post, we will use a very simple python script to write discard routes for Junos. You can create a "set" configuration from its output and load that into your Junos device. Keep in mind what a discard route does: it silently drops traffic routed to those prefixes, so it blocks outbound connections and the replies to inbound ones (which breaks TCP sessions with those sources), but it does not stop the inbound packets themselves from arriving. To drop inbound packets by source address, use a firewall filter with a prefix-list instead.

The GeoIP source used in this example is ipdeny, which keeps an up-to-date list. You can also use other geodata, such as https://www.ip2location.com/free/visitor-blocker, and request the country's blocks in CIDR format.

I like ipdeny since the data is clear and simply formatted. Just make sure to change the two-letter country code to the country that you want.

      https://www.ipdeny.com/ipblocks/data/countries/cn.zone


ipdeny is also working on a firewall configuration tool that I hope will be ready soon.








Just set the two-letter country code in the URL when pulling down the CIDR blocks, and save the result as file.txt.

Next, run the python script, which reads the text file back in and generates the Junos set commands.


file.txt is the prefix list in CIDR format, one prefix per line:

#!/usr/bin/env python3
#
#  junos discard route creator version 1.0
#   socpuppets
#
#  set the two-letter country code to whatever country of interest;
#  cn = China in this example (note: ch is Switzerland, not China)
#
#  https://www.ipdeny.com/ipblocks/data/countries/cn.zone

with open("file.txt") as f:
    next(f)  # skip the first line (a header); remove this if the file has none

    for prefix in f:
        print("set routing-options static route", prefix.rstrip(), "discard")


This produces discard routes in the following format:

set routing-options static route 1.0.8.0/21 discard
set routing-options static route 1.0.32.0/19 discard
set routing-options static route 1.1.0.0/24 discard
set routing-options static route 1.1.2.0/23 discard
set routing-options static route 1.1.4.0/22 discard
set routing-options static route 1.1.8.0/24 discard
set routing-options static route 1.1.9.0/24 discard
set routing-options static route 1.1.10.0/23 discard
set routing-options static route 1.1.12.0/22 discard
set routing-options static route 1.1.16.0/20 discard
set routing-options static route 1.1.32.0/19 discard
set routing-options static route 1.2.0.0/23 discard
set routing-options static route 1.2.2.0/24 discard
set routing-options static route 1.2.4.0/24 discard
set routing-options static route 1.2.5.0/24 discard

Just save the above output into a file, then load it into the Juniper device and commit the changes. Use the same file name on both ends of the copy:


./china_blocks.py  > junos_china_netblocks.set

scp ./junos_china_netblocks.set    kfelix@juniper.example.com:

and then log in and commit the changes on the Juniper device (load the set file first, then run commit check before committing):


ssh  kfelix@juniper.example.com

 configure
   load set junos_china_netblocks.set
   commit check
 commit and-quit


I hope this demo shows you a quick means of blocking addresses from a particular country. Great if you need to quickly block a country due to unwarranted activity.
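As an added example that goes beyond the script above (this is not the original post's code), here is a version of the generator that validates every line with the ipaddress module, skips comments, blank lines and duplicates, collapses adjacent and nested blocks into the fewest covering prefixes so fewer static routes have to be loaded, and emits any IPv6 blocks into the inet6.0 RIB. The zone text and the script name junos_discard.py are constructed assumptions, not a real download.

```python
#!/usr/bin/env python3
"""Generate Junos discard routes from an ipdeny-style country zone file.

Added example, not the original post's script. It reads the same
one-CIDR-per-line format but validates each prefix with the ipaddress
module, drops blank/comment lines and duplicates, optionally collapses
adjacent and nested blocks into the fewest covering prefixes (fewer static
routes to load), and emits IPv6 blocks into the inet6.0 RIB.
"""
import ipaddress
import sys

# Constructed sample in ipdeny .zone format (not a real download): includes
# a comment, a blank line, a duplicate, two adjacent /24s that collapse into
# one /23, a /24 nested inside a /22, a prefix with host bits set and an
# IPv6 block.
SAMPLE_ZONE = """\
# constructed sample, not the real cn.zone
1.0.8.0/21
1.0.32.0/19

1.1.8.0/24
1.1.9.0/24
1.1.8.0/24
1.1.12.0/22
1.1.13.0/24
1.1.16.5/20
2001:db8::/32
"""


def parse_zone(text):
    """Return the valid networks in a zone file body, in file order.

    Lines that do not parse as a prefix are skipped with a note on stderr
    rather than aborting, so one bad line cannot poison the whole config.
    """
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=False normalises host bits (1.1.16.5/20 -> 1.1.16.0/20).
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError as exc:
            print(f"line {lineno}: skipping {raw!r}: {exc}", file=sys.stderr)
    return nets


def discard_routes(nets, aggregate=True):
    """Build Junos 'set' commands that discard traffic to every network."""
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    if aggregate:
        # collapse_addresses merges adjacent blocks and removes nested ones.
        v4 = list(ipaddress.collapse_addresses(v4))
        v6 = list(ipaddress.collapse_addresses(v6))
    else:
        v4 = sorted(set(v4))
        v6 = sorted(set(v6))
    cmds = [f"set routing-options static route {n} discard" for n in v4]
    cmds += [f"set routing-options rib inet6.0 static route {n} discard"
             for n in v6]
    return cmds


def main(argv):
    # With a file argument read that zone file; otherwise show the sample.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_ZONE
    for cmd in discard_routes(parse_zone(text)):
        print(cmd)


if __name__ == "__main__":
    main(sys.argv)
```

Run it as ./junos_discard.py cn.zone > junos_cn.set (or with no argument to see the sample) and load the result with load set as shown above. On the sample, 1.1.8.0/24 and 1.1.9.0/24 come out as a single 1.1.8.0/23 route and 1.1.13.0/24 disappears into 1.1.12.0/22; pass aggregate=False if you want one route per line of the zone file exactly as published.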







Monday, June 8, 2020

Decrypting FortiOS passwords with fpr (FortiOS password recovery)

Here's a simple example of how to decode passwords on FortiOS. This does NOT work with the latest FortiOS version, 6.4.1.

The utility is called "fpr" (FortiOS password recovery): https://github.com/inm7ripe/Fortigate-password-recovery

Grab the ENC password field from the configuration; here's the guest user:



Now echo the string and pipe it into fpr:




And boom shaka laka, "guest" is the password for guest. This utility works for local user accounts and VPN PSKs, but the system admin password seems to make it core dump. YMMV.


 







Tuesday, June 2, 2020

HOWTO: verify Geo Protection blocks on a Check Point Security Gateway

If you ever deploy Geo Protection policies that block specific countries, you can witness the blocks by logging into the Check Point gateway and running the following command (zdebug prints kernel debug output and adds load to the gateway, so run it only briefly and stop it with Ctrl-C):

   fw ctl zdebug drop | grep -i geo 


The geo database is the file IpToCountry.csv; you can verify that it has been updated by looking at its timestamp.



The above displays traffic that is blocked by Geo Protection. Keep in mind that Geo Protection rules are evaluated before the Access Control rulebase.

You can use MaxMind to verify the country of origin of a source address.




So if you block, let's say, Russia via Geo Protection and then write an access rule to allow a specific Russian host in, that will not work unless you also add a Geo Protection exception for that IPv4 source.


 





