Check Point Certified Security Master – Topic 1 – Troubleshooting security problems
Hey!
In this article, I will work through the first topic of the CCSM certification: Troubleshooting security problems.
These questions are available in the CCSM Study Guide.
Let's go!
What command would you use for a packet capture on an absolute position for TCP streaming (out), 1ffffe0?
As seen in sk30583, you can use `fw monitor -po <position>` or `fw monitor -pO <position>`:
fw monitor -po -0x1ffffe0
or fw monitor -pO -0x1ffffe0
Source: sk30583 – What is FW Monitor?
What type of information does the command fw monitor -p all display?
`fw monitor -p all` captures network packets at all positions of the Check Point kernel chains.
Very special thanks to Valeri Loukine from CCMA's blog.
Example: capture everything between hosts X,Z and hosts Y,Z on all Check Point kernel chains:
[Expert@HostName]# fw monitor -p all -e "((src=x.x.x.x or dst=z.z.z.z) and (src=y.y.y.y or dst=z.z.z.z)), accept ;" -o /var/log/fw_mon.cap
Source: sk30583 – What is FW Monitor?
What command lists the firewall kernel modules on a Security Gateway?
The command `fw ctl debug -m` shows a large output with all modules available in the installed version and, most importantly, all debugging options available per module.
To see all currently enabled options per module, use the `fw ctl debug` command. To see the enabled options for a particular module only, use `fw ctl debug -m <module name>`.
Very special thanks to Valeri Loukine from CCMA's blog.
Here's a printscreen of an example:
So, the basic command is `fw ctl debug -m <module> all`. It raises all debugging options for the module in question.
Examples:
Further reading: Checkpoint firewall debugging basics
Source: Kernel Debug Flags (R77)
What flag option(s) would you use to dump the complete table in a user-friendly format, assuming the connections in the table are more than 100?
`fw tab` can help us, as in sk65133. The usage of `fw tab` is:
The flag -f is explained above. The flag -u is for an unlimited number of entries; you can use -m to set the maximum number of entries.
So, the right answer to this question is:
fw tab -t connections -f -u
Source: sk65133 – Connections Table Format
What are the command functions of fw ctl kdebug <params>?
There are three common commands to start debugging:
fw ctl debug
fw ctl zdebug
fw ctl kdebug
`fw ctl debug` generates debug messages into a buffer.
`fw ctl kdebug` reads the buffer that you enabled with `fw ctl debug`. If there is no debug buffer, the command will fail.
`fw ctl zdebug` enables the debug mode and prints it. The buffer is auto-allocated with 1024.
Reference – sk100808 – How to use "fw ctl zdebug" command
Reference – Troubleshooting and Debugging Tools for Faster Resolution – Page 2
So, the command `fw ctl kdebug <params>` reads the kernel debug buffer and prints its messages.
Further reading: Check Point Kernel Debugging, In-Depth
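As an added example (not from the article or from Check Point), the following POSIX shell wrapper runs the three-step workflow described above: allocate a buffer with `fw ctl debug`, read it with `fw ctl kdebug`, and reset with `fw ctl debug 0`. It assumes the documented `fw ctl debug -buf`, `fw ctl debug -m fw + <flags>` and `fw ctl kdebug -T -f` syntax; since the `fw` binary only exists on a Security Gateway, `DRY_RUN=1` prints each command instead of executing it.

```shell
#!/bin/sh
# Added example, not from the article or from Check Point: wraps the
# fw ctl debug -> fw ctl kdebug -> fw ctl debug 0 sequence. With DRY_RUN=1
# every command is printed instead of executed (no gateway needed).

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# kernel_drop_debug OUTFILE SECONDS [FLAG ...]
# Collects timestamped debug messages from the fw module into OUTFILE for
# SECONDS seconds. FLAG defaults to "drop". Unlike "fw ctl zdebug", which
# auto-allocates a small buffer, this asks for a 32000 KB buffer, so a busy
# gateway is less likely to lose messages.
kernel_drop_debug() {
    outfile=$1
    seconds=$2
    shift 2
    [ $# -gt 0 ] || set -- drop

    run fw ctl debug 0                 # clear flags left by an earlier session
    run fw ctl debug -buf 32000        # allocate the kernel debug buffer
    run fw ctl debug -m fw + "$@"      # enable the requested flags on module fw
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'fw ctl kdebug -T -f > %s   # for %s seconds\n' "$outfile" "$seconds"
    else
        fw ctl kdebug -T -f > "$outfile" &   # -T timestamps, -f keeps reading
        reader=$!
        sleep "$seconds"
        kill "$reader" 2>/dev/null
    fi
    run fw ctl debug 0                 # always reset, or the gateway keeps debugging
}

# Stand-alone demo: print the commands a 30-second drop debug would run.
DRY_RUN=1 kernel_drop_debug /var/log/fw_drop_debug.txt 30
```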
Which command do you use to generate a detailed status of your Threat Emulation quota on a specific Security Gateway?
The command `tecli s c q` shows the quota for ThreatCloud emulation.
The command `tecli show cloud quota` shows data about the ThreatCloud monthly emulation quota.
So, both `tecli show cloud quota` and `tecli s c q` show the same output, answering the question.
What is the fastest way to troubleshoot silent drops, i.e. when you don't see any drops in the logs?
As seen in sk100808, you can use `fw ctl zdebug + <flags>`, and the most common flag is `drop`. This command has a small buffer, so you can debug with `fw ctl kdebug` and `fw ctl debug` to set a bigger buffer, as mentioned in the earlier question "The command functions of fw ctl kdebug".
Very special thanks to Valeri Loukine from CCMA's blog.
So, the full command to see the silent drops that you can't see in the logs is: fw ctl zdebug drop
This command is also "greppable", so you can search for a string with grep, like fw ctl zdebug + drop | grep "10.10.10.10" if you want to see only silent drops for the IP 10.10.10.10.
If you want to see the drops within IPv6, you use `fw6` instead of `fw`. So:
fw6 ctl zdebug drop | grep 2001:0db8::0001
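As an added example (not from the article or from Check Point), here are two POSIX shell helpers for triaging that output: one filters by host more strictly than a plain grep (which would also match 10.10.10.100 or a port number), the other collapses repeated drops into per-reason counts. The sample lines are constructed to resemble the shape of `fw ctl zdebug drop` output, not captured from a gateway.

```shell
#!/bin/sh
# Added example, not from the article or Check Point: triage helpers for the
# output of "fw ctl zdebug drop". SAMPLE is constructed to resemble the real
# output shape; on a gateway you would pipe the live command instead.

SAMPLE=$(cat <<'EOF'
;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=6 10.10.10.10:52110 -> 192.168.20.5:443 dropped by fw_handle_first_packet Reason: Rulebase drop - on layer "Network" rule 47;
;[cpu_0];[fw4_1];fw_log_drop_ex: Packet proto=6 10.10.10.10:52111 -> 192.168.20.5:443 dropped by fw_handle_first_packet Reason: Rulebase drop - on layer "Network" rule 47;
;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=6 172.16.3.7:61002 -> 192.168.20.9:22 dropped by fw_first_packet_state_checks Reason: first packet isn't SYN;
EOF
)

# drops_for_host ADDRESS: keep only lines where ADDRESS is the source or the
# destination. Dots are escaped so 10.10.10.1 does not match 10.10.10.10,
# and the port boundary keeps IPv6 literals (fw6 output) working too.
drops_for_host() {
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')
    grep -E " ${esc}:[0-9]+( ->| dropped)"
}

# drop_summary: one row per (source, destination, reason), most frequent
# first, so a burst of identical drops collapses into a single line.
drop_summary() {
    awk '
    /dropped by/ {
        for (i = 1; i <= NF; i++) if ($i == "->") { src = $(i-1); dst = $(i+1) }
        sub(/:[0-9]+$/, "", src); sub(/:[0-9]+$/, "", dst)   # strip ports
        reason = $0
        sub(/.*Reason: /, "", reason); sub(/;[ \t]*$/, "", reason)
        count[src " -> " dst " | " reason]++
    }
    END { for (k in count) printf "%d\t%s\n", count[k], k }' | sort -rn
}

# Stand-alone demo over the constructed sample; on a gateway replace the
# printf with "fw ctl zdebug drop" or "fw6 ctl zdebug drop".
printf '%s\n' "$SAMPLE" | drop_summary
```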
What behavior results from enabling the "Match for any" setting on more than one service with the same destination port?
In this article, Dreezman has done the full lab for this situation. You can check it yourself.
The results are:
- If there are conflicting ports in a rule, the first one found will be used. So if you have huge groups of services make sure there are not any conflicts OR make sure you know which one will be hit first.
- The “Match For Any” flag is used to put a service into the “Any” group. Note that the bigger this “Any” group is, the slower the rulebase will be, so use it judiciously. If there are conflicts in the “Any” group, then the INSPECT enabled service seems to be favored (but I can’t verify that).
- Services like H323 are weird because (IMHO) CP’s implementation is flawed (see my previous blog). So if you create new generic services make sure you call them out explicitly in the rule and don’t rely upon the “Any” rule to catch packets that drop from your rule because you will hit the INSPECT H323 rule and not the Generic rule.
Here we have a video of this lab! 🙂
Source: Duplicate Services – Which one gets used? – DreezSecurityBlog
What issue would cause connections to be dropped "because the connections table is full" on a firewall in VSX mode when the connections table is big enough?
In sk39555 – Capacity Optimization and Connections Table, the last paragraph quoted below says:
It is not recommended to change this setting to a high value for VSs that are not planned to process a large amount of connections in the near future, because a high value of "Maximum concurrent connections" consumes memory, even if no entries are recorded in the connections table.
So, the main cause is that "Maximum concurrent connections" is badly tuned.
Source: sk39555 – Capacity Optimization and Connections Table
Which gateway directory first receives the new policy files when pushing policy to a security gateway?
Source: How To Troubleshoot Policy Installation Issues – Page 2
Which debug produces the following output, and to which file?
The host is not allowed to connect to the Security Management Server (SMS), so this error occurs.
To start the debug, execute the following commands:
[Expert@Hostname]# fw debug fwm on TDERROR_DBG_OPT=time,host,prog,topic,pid,tid
[Expert@Hostname]# fw debug fwm on TDERROR_ALL_ALL=5
[Expert@Hostname]# fw debug fwm on OPSEC_DEBUG_LEVEL=3
After this, the debug output will be in the $FWDIR/log/fwm.elg file.
Source: sk86186 – How to debug FWM daemon
Which process should you suspect when a Policy installation fails with the error message "Failed to load Policy on Module"? Especially when you find that:
- You are able to push policy successfully to other gateways from the same management.
- The policy installation files are not getting updated on the gateway.
[sk84700 – Methodology for debugging "Load on Module Failed" error](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk84700&partition=Advanced&product=Security#Additional debug) explains how to troubleshoot this error.
The process to troubleshoot is CPD, because it's responsible for installing and fetching the policy:
Source 0: [sk84700 – Methodology for debugging "Load on Module Failed" error](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk84700&partition=Advanced&product=Security#Additional debug)
Source 1: sk86320 – How to debug CPD daemon
Source 2: sk97638 – Check Point Processes and Daemons
What is the MOST LIKELY root cause when Policy installation to a gateway fails with the following error message?
What does "dropped by net" indicate in the following output?
sk99979 – Getting Check Point Firewall general statistics – ‘fw ctl pstat’ command:
and
sk34476 – ClusterXL Sync Statistics – output of ‘fw ctl pstat’ command:
Which blade do you investigate when you see high CPU caused by the pdpd process?
`pdpd` is the Policy Decision Point daemon, used by Identity Awareness.
To start a debug, just use `pdp debug <parameter> <option>`.
Source 0: sk97638 – Check Point Processes and Daemons
Source 1: pdp debug – Identity Awareness R77 Versions Administration Guide
That’s all for today!
Thank you so much for reading!
See you in the second topic! 🙂
Vinny