Check Point Certified Security Master – Topic 1 – Troubleshooting security problems

Publicado por Vinícius Neves em março 15, 2017

Hey!

In this article, I will solve the first topic of CCSM certification: Troubleshoot security problems.

Those questions are available in CCSM Study Guide.

Lestgo!

What command you would use for a packet capture on an absolute position for TCP streaming (out)
1ffffe0?

As seen in sk30583, you can use fw monitor -po <position> or fw monitor -pO <position>.

fw monitor -po -0x1ffffe0 or fw monitor -pO -0x1ffffe0

Source: sk30583 – What is FW Monitor?

What type of information the command fw monitor -p all displays?

fw monitor -p all is used to capture a network packet in all positions of Check Point kernel chains

Very special thanks to Valeri Loukine from CCMA’s blog

Example:
Capture everything between hosts X,Z and hosts Y,Z on all Check Point kernel chains:

[Expert@HostName]# fw monitor -p all -e "((src=x.x.x.x or dst=z.z.z.z) and (src=y.y.y.y or dst=z.z.z.z)), accept ;" -o /var/log/fw_mon.cap

Source: sk30583 – What is FW Monitor?

What command lists the firewall kernel modules on a Security Gateway?

The command fw ctl debug -m will show a large output with all modules available in the installed version, and, the most importantly, all debugging options available per module

Also, to see all currently enabled options per module use fw ctl debug command. To see all enabled options for a particular module only, use fw ctl -m <module dame> command.

Very special thanks to Valeri Loukine from CCMA’s blog

Here’s a printscreen of an example:

So, the basic command is: fw ctl debug -m <module> all. It will raise all debugging options for the module in question.

Very special thanks to Valeri Loukine from CCMA’s blog

Examples:

Further reading: Checkpoint firewall debugging basics

Source: Kernel Debug Flags (R77)

What flag option(s) you would use to dump the complete table in a user-friendly format, assuming the
connections in the table are more than 100?

fw tab can help us, as in sk65133:

The usage of fw tab is:

The flag -f is explained above.
The flag -u is for unlimited numbers. You can use -m to set the maximum values.

So, the right answer to this question is:

fw tab -t connections -f -u

Source: sk65133 – Connections Table Format

The command functions of fw ctl kdebug <params> ?

There are three common commands to start debugging:

fw ctl debug
fw ctl zdebug
fw ctl kdebug

The fw ctl debug, will generate debug messages to a buffer. Reference

The fw ctl kdebug will read the buffer that you enabled with fw ctl debug. If there is no debug buffer, the command will fail. Reference

The fw ctl zdebug, will enable the debug mode and print it. The buffer will be auto-allocated with 1024.
Reference – sk100808 – How to use " fw ctl zdebug" command

Reference – Troubleshooting and Debugging Tools for Faster Resolution – Page 2

So, the command fw ctl kdebug <params> will read the kernel debug buffer and print them.

Further reading: Check Point Kernel Debugging, In-Depth

Which command to use to generate a detailed status of your Threat Emulation quota in a specific
Security Gateway?

The command tecli s c q shows the quota for ThreatCloud emulation

The command tecli show cloud quota shows data about ThreatCloud monthly emulation quota

So, both tecli show cloud quota or tecli s c q will show the same output answering the question.

Source 0

The fastest way to troubleshoot silent drops, i.e. don’t see any drops in the logs?

As seen in sk100808, you can use the fw ctl zdebug + <flags> and the most common flag is drop. In this command, we have a small buffer, so you can debug with kdebug and debug to set a bigger buffer. It is mentioned in past question The command functions of fw ctl kdebug ?

Very special thanks to Valeri Loukine from CCMA’s blog

So, the full command to see the silent drops that you can’t see in logs is: fw ctl zdebug drop

This command is also "greppable" so you can search for a string using grep like fw ctl zdebug + drop | grep "10.10.10.10" if you want to see only silent drops for the IP 10.10.10.10.

If you want to see the drops within IPv6, you use the fw6 instead fw. So:

fw6 ctl zdebug drop | grep 2001:0db8::0001

Source0

What behavior results from enabling the “Match for any” setting on more than one service with the
same destination port?

In this article, Dreezman have done the full lab with this situation. You can check it by yourself.

The results are:

If there are conflicting ports in a rule, the first one found will be used. So if you have huge groups of services make sure there are not any conflicts OR make sure you know which one will be hit first.

The “Match For Any” flag is used to put a services into the “Any” group. Note that the bigger this “Any” group is, the slower the rulebase will be so use it judiciously. If there are conflicts in the “Any” group, then the INSPECT enabled service seems to be favored (but I can’t verify that).

Services like H323 are weird because (IMHO) CP’s implementation is flawed (see my previous blog). So if you create new generic services make sure you call them out explicitly in the rule and don’t rely upon the “Any” rule to catch packets that drop from your rule because you will hit the INSPECT H323 rule and not the Generic rule.

Here we have a video of this lab! 🙂

Source: Duplicate Services – Which one gets used? – DreezSecurityBlog

The issue that would cause connections to be dropped “because the connections table is full” on a firewall under VSX mode when the connections table is big enough?

In sk39555 – Capacity Optimization and Connections Table, they say in the last paragraph of the image below:

It is not recommended to change this setting to a high value for VSs that are not planned to process a large amount of connections in the near future, because a high value of "Maximum concurrent connections" consumes memory, even if no entries are recorded in the connections table.

So, the main cause is that the "Maximum concurrent connections" is badly tuned.

Source: sk39555 – Capacity Optimization and Connections Table

Which gateway directory first receives the new policy files when pushing policy to a security
gateway?

Source: How To Troubleshoot Policy Installation Issues – Page 2

Which debug produces the following output and to which file?

The host is not allowed to connect to the Security Management Server(SMS), so this error occurs.
To start the debug execute the following commands:

[Expert@Hostname]# fw debug fwm on TDERROR_DBG_OPT=time,host,prog,topic,pid,tid [Expert@Hostname]# fw debug fwm on TDERROR_ALL_ALL=5 [Expert@Hostname]# fw debug fwm on OPSEC_DEBUG_LEVEL=3

After this, the debug will be in $FWDIR/log/fwm.elg file.

Source: sk86186 – How to debug FWM daemon

Which process you should suspect when a Policy installation fails with the following error message:
Failed to load Policy on Module? Especially when you find that –

You are able to push policy successfully to other gateways from the same management.
That the policy installation files are not getting updated to the gateway.

In [sk84700 – Methodology for debugging "Load on Module Failed" error](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk84700&partition=Advanced&product=Security#Additional debug), is explained how to troubleshoot this error.