Sunday, August 28, 2011

Firewall Log Summariser

fwlogsum is a Perl script to summarise FW1 logs, making it easier to see which services are being blocked or allowed through your firewall. It provides many sorting and filtering options and also handles address/port translation. In addition, it can handle logs from other firewalls by using a converter.

http://ginini.com/software/fwlogsum/
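To show what a summariser of this kind does, here is an added Python example; it is not the fwlogsum script and does not use its code. The log format is a constructed, simplified Check Point style export (one record per line, semicolon-separated "key: value" fields) and the field names action, src, dst, proto, service and xlatesrc are assumptions about that export, so parse_record() would need adapting to a real layout. It counts records per protocol/service for a given action, lists which sources were dropped on which services, and honours address translation by reporting the translated source where one is logged.

```python
"""Summarise firewall log records by action and service.

Added example, not the fwlogsum script. The input is a constructed,
simplified Check Point style export: one record per line, semicolon-separated
"key: value" fields. The field names (action, src, dst, proto, service,
xlatesrc) are assumptions about the export format; adapt parse_record() to
the real layout before use.
"""
from collections import Counter, defaultdict

# Constructed sample records (documentation address ranges, not real traffic).
SAMPLE_LOG = """\
action: accept; src: 10.1.1.20; dst: 192.0.2.10; proto: tcp; service: 443; xlatesrc: 203.0.113.5
action: drop; src: 10.1.1.33; dst: 192.0.2.10; proto: tcp; service: 23
action: accept; src: 10.1.1.20; dst: 192.0.2.25; proto: tcp; service: 443; xlatesrc: 203.0.113.5
action: drop; src: 198.51.100.7; dst: 203.0.113.5; proto: tcp; service: 445
action: drop; src: 198.51.100.7; dst: 203.0.113.5; proto: tcp; service: 445
action: accept; src: 10.1.1.40; dst: 192.0.2.53; proto: udp; service: 53
action: drop; src: 198.51.100.9; dst: 203.0.113.5; proto: tcp; service: 22
"""


def parse_record(line):
    """Turn 'key: value; key: value' into a dict, skipping malformed fields."""
    record = {}
    for field in line.split(";"):
        key, sep, value = field.partition(":")
        if not sep:
            continue
        record[key.strip()] = value.strip()
    return record


def parse_log(text):
    """Parse every non-empty line of a log export."""
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def effective_source(record):
    """Honour address translation: report the translated source when present."""
    return record.get("xlatesrc", record.get("src"))


def summarise(records, action=None, top=None):
    """Count records per (proto, service), optionally restricted to one action.

    Returns [((proto, service), count), ...] sorted by count (descending),
    then by protocol and service so ties come out in a stable order.
    """
    counts = Counter()
    for record in records:
        if action is not None and record.get("action") != action:
            continue
        counts[(record.get("proto", "?"), record.get("service", "?"))] += 1
    ranked = sorted(counts.items(), key=lambda item: (-item[1], item[0]))
    return ranked[:top] if top else ranked


def sources_by_service(records, action):
    """Distinct (post-translation) sources per service for one action, e.g. to
    see which hosts are being dropped on which ports."""
    sources = defaultdict(set)
    for record in records:
        if record.get("action") == action:
            sources[record.get("service", "?")].add(effective_source(record))
    return {service: sorted(hosts) for service, hosts in sources.items()}


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for action in ("drop", "accept"):
        print(f"== {action} by service ==")
        for (proto, service), count in summarise(records, action=action):
            print(f"{count:6d}  {proto}/{service}")
    print("== dropped sources by service ==")
    for service, hosts in sorted(sources_by_service(records, "drop").items()):
        print(f"{service:>6}  {', '.join(hosts)}")
```

Run it on an export saved to a file by replacing SAMPLE_LOG with the file's contents; the drop table is the quickest way to spot a service being probed from outside, and the accept table shows what the rulebase is actually letting through.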

Friday, August 26, 2011

Back to basics - Nokia-IPSO OS Installation

Below will show you how to install an IPSO image using the bootmgr. This can be useful if you have lost your password or cannot get into the IPSO CLI for whatever reason.



1   Bootmgr
2   IPSO
Default: 1
Starting bootmgr
Loading boot manager..
Install the image
Type any character to enter command mode
BOOTMGR[1]> install
################### IPSO Full Installation ####################
You will need to supply the following information:
        Client IP address/netmask, FTP server IP address and filename,
        system serial number, and other license information.
This process will DESTROY any existing files and data on your disk.
#################################################################
Continue? (y/n) [n] y
Motherboard serial number is ###########.

The chassis serial number can be found on a
sticker on the back of the unit with the letters
S/N in front of the serial number.
Please enter the serial number: [serial number]
Please answer the following licensing questions.
Will this node be using IGRP ? [y] n
Will this node be using BGP ? [y] n
1. Install from anonymous FTP server.
2. Install from FTP server with user and password.
Choose an installation method (1-2): 2
Enter IP address of this client (0.0.0.0/24): [IP]/[NetMask]
Enter IP address of FTP server (0.0.0.0): [FTP IP]
Enter IP address of the default gateway (0.0.0.0): [GW IP]
Choose an interface from the following list:
1) eth1
2) eth2
3) eth3
4) eth4
Enter a number [1-4]: 1

Choose interface speed from the following list:
1) 10 Mbit/sec
2) 100 Mbit/sec
Enter a number [1-2]: 2
Half or full duplex? [h/f] [h] f
Enter user name on FTP Server :  [username]
Enter password for "[username]": [password]
Enter path to ipso image  on FTP server [~]:  /
Enter ipso image filename on FTP server [ipso.tgz]:

1. Retrieve all valid packages, with no further prompting.
2. Retrieve packages one-by-one, prompting for each.
3. Retrieve no packages.
Enter choice [1-3] [1]:  2
Client IP address = [IP]/[Netmask]
Server IP address = [IP]
Default gateway IP address = [IP]
Network Interface = eth1, speed = 100M, full-duplex
Server download path = [/]
Package install type = prompting
Mirror set creation = no

Are these values correct? [y] y
Checking what packages are available on [FTP IP].
Hash mark printing on (1048576 bytes/hash mark).
Interactive mode off.
#
The following packages are available:

Building filesystems...
Making initial links...done.
Downloading compressed tarfile(s) from [IP].
Hash mark printing on (1048576 bytes/hash mark).
Interactive mode off.
100%  26157 KB    00:00 ETA
Checking validity of image...done.
No packages found in /, continuing.
Installing image...
Installing image...done.
Image version tag:  IPSO-4.1.
Checking if bootmgr upgrade is needed...
No need to upgrade bootmgr.
Do you want to upgrade bootmgr anyway? [n]
Installation completed.

Reset system or hit to reboot.

Starting reboot.
After the reboot you will need to configure some basic settings:
Please choose the host name for this system.  This name will be used
        in messages and usually corresponds with one of the network hostnames
        for the system.  Note that only letters, numbers, dashes, and dots (.)
        are permitted in a hostname.
Hostname? [enter hostname]
Hostname set to "ip350", OK? [y] y
Please enter password for user admin: [password]
Please re-enter password for confirmation: [password]
You can configure your system in two ways:
    1) configure an interface and use our Web-based Voyager via a remote
       browser
    2) VT100-based Lynx browser
Please enter a choice [ 1-2, q ]: 1
Select an interface from the following for configuration:
    1) eth1
    2) eth2
    3) eth3
    4) eth4
    5) quit this menu
Enter choice [1-5]: 1
Enter the IP address to be used for eth1: [IP]
Enter the masklength: [Netmask]
Do you wish to set the default route [ y ] ? y
Enter the default router to use with eth1: [IP]


This interface is configured as 10 mbs by default.
Do you wish to configure this interface for 100 mbs [ n ] ? y
This interface is configured as half duplex by default.
Do you wish to configure this interface as full duplex [ n ] ? y
You have entered the following parameters for the eth1 interface:
                IP address: [IP]
                masklength: [Netmask]
                Default route: [GW IP]
                Speed: 100M
                Duplex: full
Is this information correct [ y ] ? y
Do you want to configure Vlan for this interface[ n ] ? n
You may now configure your interfaces with the Web-based Voyager by
typing in the IP address "[IP]" at a remote browser.

Friday, August 19, 2011

Android / iPhone / Windows - L2TP VPN Setup FAQ (Checkpoint R70)

Checkpoint Configuration

Prerequisites
1. A functional remote access VPN
2. Office Mode (for all users)
3. Remote access user (using a checkpoint password scheme)

In other words, if you currently have a set of remote access workers connecting with SecureRemote/SecureClient in Office Mode, the following guide should work!

1. Enable "Gateway support IKE over TCP"
Global Properties > Remote Access > VPN Basic

2. Enable "L2TP Support"
Firewall Object > Remote Access


3. Choose "MD5-Challenge" authentication
Firewall Object > Remote Access

4. Shared Secret (The tricky part)

a. Create an empty file called "l2tp.conf"
b. Type the shared secret into the file as plain text. There are no config items or tags; the file should contain only a single line of plain text.
e.g. mysharedsecret1234

c. Copy l2tp.conf to your firewall "Gateway" (not the management station)

E.g. $FWDIR/conf/
On a Nokia gateway this resolves to the following:
/var/opt/CPsuite-R70/fw1/conf

5. Add UDP L2TP to your rulebase
You should have an existing "Any VPN" rule for your existing remote access users

Source > any
Destination > Firewall Object
VPN > any traffic
Service > L2TP (UDP)
Action > accept

6. Install the FW policy.


Android Configuration

1. Go to Settings -> Wireless & Networks -> VPN Settings
2. Tap Add VPN
3. Tap L2TP/IPSec PSK VPN
4. Set a VPN name (My Office VPN)
5. Set VPN Server to either DNS or IP of your firewall
6. Set IPSec pre-shared key (used in the l2tp.conf)
7. Tap the Menu Key, Tap Save

iPhone Configuration

1. From your iPhone home screen, go to Settings > General > Network > VPN > Settings
2. Server: Enter your VPN-1 server FQDN (DNS name) or IP address
3. Account: Enter your Check Point username and password
4. RSA Secure ID: Off
5. Password: Ask Every Time
6. Secret: Enter the IPSec pre-shared key (used in the l2tp.conf)
7. Send all Traffic: On


Windows XP Configuration

1. Select Start > Settings > Control Panel > Network Connections > New Connection Wizard
2. Select “Connect to the network at my workplace”, click next
3. Select “Virtual Private Network Connection”, click next
4. Enter a Company Name “My Company”, click next
5. Select “Do not dial the initial connection”, click next
6. This setting could be used to invoke a 3G connection before the VPN connection
7. Enter the Host name or IP Address “”, click next
8. Select “Do not use my smart card”, click next
9. Select “Anyone’s use” if this is to be used by anyone who logs onto the laptop
10. Select the option to “Add a shortcut to this connection to my desktop”, click Finish
11. A Pop-up Window is displayed. “Connect My Company” Select “Properties”
12. Select the “Networking” tab
13. Change “Type of VPN” to “L2TP IPSec VPN”
14. Select the “Security” tab
15. Select “Advanced (custom settings)” Default is set to “Typical (recommended settings)”
16. Click “Settings”
17. Leave “Data Encryption” set as default “Require Encryption (disconnect if server declines)”
18. Select “Use Extensible Authentication Protocol (EAP)” and Change the Dropdown Box to “MD5-Challenge”
19. Select “OK” to save changes
20. Select “IPSec Settings”
21. Tick “Use pre-shared key for authentication” Enter the pre shared key
22. Click “OK” to save settings


Checkpoint Logs
This is what you should see in a working setup.
Depending on the connecting client, the logs will look slightly different.

iPhone
1. UDP IKE > Accept
2. UDP IKE_NA_Transversal > Accept
3. Login (authenticated by pre-shared secret)
4. Key Install (IKE: Main Mode completion [NAT-T])
5. Key Install (IKE: Quick Mode Sent Notification: Responder Lifetime)
6. Key Install (IKE: Quick Mode completion IKE IDs: host: and host: )
7. Login (VPN internal Source connected to gateway)
8. UDP L2TP > Accept
9. Login (PPP: Connection succeeded auth_method: MD5-Challenge machine: om_method: IP pools assigned_IP: )
10. Key Install (IKE: Informational Exchange Received Delete IPSEC-SA from Peer: SPIs: *********)

Windows XP
1. UDP IKE > Accept
2. UDP IKE_NA_Transversal > Accept
3. Login (authenticated by pre-shared secret)
4. Key Install (IKE: Main Mode completion [NAT-T])
5. Key Install (IKE: Quick Mode Sent Notification: Responder Lifetime)
6. Key Install (IKE: Quick Mode completion IKE IDs: host: and host: )
7. Login (VPN internal Source connected to gateway)
8. UDP L2TP > Accept
9. Login (PPP: Connection succeeded auth_method: MD5-Challenge machine: om_method: IP pools assigned_IP: )

Android
1. UDP IKE > Accept
2. UDP IKE_NA_Transversal > Accept
3. Login (authenticated by pre-shared secret)
4. Key Install (IKE: Main Mode completion [NAT-T])
5. Key Install (IKE: Informational Exchange Received Notification from Peer: Initial Contact (phase1))
6. Key Install (IKE: Quick Mode Sent Notification: Responder Lifetime)
7. Key Install (IKE: Quick Mode completion IKE IDs: host: and host: )
8. Login (VPN internal Source connected to gateway)
9. UDP L2TP > Accept
10. Login (Session: PPP: Authenticated by FireWall-1 Password auth_method: Password Authentication Protocol (PAP) machine: om_method: IP pools assigned_IP: )
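The three sequences above are the same handshake seen from three clients, so they can be checked mechanically when a connection fails. The following Python is an added example, not Check Point tooling: it walks a list of log descriptions (the lists are constructed from the post; in practice the descriptions would first be pulled out of the log export) through the expected stages in order, treats the client-specific entries (NAT-T, Initial Contact, Responder Lifetime) as optional, reports the first mandatory stage that is missing, and extracts the PPP auth_method. The stage names and the hints that map a missing stage back to a configuration step in this post are this example's own labels, not Check Point terms.

```python
"""Check a sequence of Check Point log entries for the stages of a working
L2TP/IPSec connection, in the order the post above lists them.

Added example, not Check Point tooling. Input is a list of log descriptions
such as the ones listed above (constructed from the post). Stage names and
the hints in DIAGNOSIS are this example's own labels, not Check Point terms.
"""
import re

# (stage, regex over the log description, optional?) in expected order.
# Optional stages are legitimately absent for some clients, e.g. the
# "Initial Contact" notification only appears in the Android sequence.
STAGES = [
    ("ike_accept", r"^UDP IKE > Accept$", False),
    # Accept both the post's spelling and the usual "NAT_Traversal" form.
    ("nat_t_accept", r"^UDP IKE_NAT?_?Tra(ns)?versal > Accept$", True),
    ("psk_login", r"authenticated by pre-shared secret", False),
    ("main_mode", r"Main Mode completion", False),
    ("initial_contact", r"Initial Contact \(phase1\)", True),
    ("responder_lifetime", r"Responder Lifetime", True),
    ("quick_mode", r"Quick Mode completion", False),
    ("vpn_login", r"VPN internal Source connected to gateway", False),
    ("l2tp_accept", r"^UDP L2TP > Accept$", False),
    ("ppp_login", r"PPP: .*auth_method: (.+?) machine:", False),
]

# Which configuration step of the post to revisit when a stage is missing.
DIAGNOSIS = {
    "ike_accept": "IKE never reached the gateway: check the existing remote access rule",
    "psk_login": "pre-shared key rejected: compare the client key with l2tp.conf (step 4)",
    "quick_mode": "phase 2 failed: check Office Mode and the remote access setup",
    "l2tp_accept": "L2TP (UDP) dropped: add the L2TP rule and install the policy (steps 5 and 6)",
    "ppp_login": "PPP authentication failed: check MD5-Challenge (step 3) and the user",
}


def check_session(events):
    """Match STAGES against events in order; each stage must occur after the
    previously matched one. Returns the ok flag, the matched stages, the first
    missing mandatory stage with a hint, and the PPP auth_method if reached."""
    cursor, matched, auth_method = 0, [], None
    for name, pattern, optional in STAGES:
        regex = re.compile(pattern)
        hit = None
        for index in range(cursor, len(events)):
            match = regex.search(events[index])
            if match:
                hit = (index, match)
                break
        if hit is None:
            if optional:
                continue
            return {"ok": False, "missing": name, "matched": matched,
                    "hint": DIAGNOSIS.get(name, "see the log sequences above"),
                    "auth_method": None}
        cursor = hit[0] + 1
        matched.append(name)
        if name == "ppp_login":
            auth_method = hit[1].group(1).strip()
    return {"ok": True, "missing": None, "matched": matched, "hint": None,
            "auth_method": auth_method}


# Constructed from the post's iPhone list; Windows XP is the same minus the
# final Delete, and the failure case stops before the L2TP accept (step 5).
IPHONE_EVENTS = [
    "UDP IKE > Accept",
    "UDP IKE_NA_Transversal > Accept",
    "Login (authenticated by pre-shared secret)",
    "Key Install (IKE: Main Mode completion [NAT-T])",
    "Key Install (IKE: Quick Mode Sent Notification: Responder Lifetime)",
    "Key Install (IKE: Quick Mode completion IKE IDs: host: and host: )",
    "Login (VPN internal Source connected to gateway)",
    "UDP L2TP > Accept",
    "Login (PPP: Connection succeeded auth_method: MD5-Challenge machine: om_method: IP pools assigned_IP: )",
    "Key Install (IKE: Informational Exchange Received Delete IPSEC-SA from Peer: SPIs: *********)",
]
WINXP_EVENTS = IPHONE_EVENTS[:9]
MISSING_L2TP_RULE_EVENTS = IPHONE_EVENTS[:7]
# Constructed from the post's Android list.
ANDROID_EVENTS = IPHONE_EVENTS[:4] + [
    "Key Install (IKE: Informational Exchange Received Notification from Peer: Initial Contact (phase1))",
] + IPHONE_EVENTS[4:8] + [
    "Login (Session: PPP: Authenticated by FireWall-1 Password auth_method: Password Authentication Protocol (PAP) machine: om_method: IP pools assigned_IP: )",
]

if __name__ == "__main__":
    for label, events in [("iPhone", IPHONE_EVENTS), ("Windows XP", WINXP_EVENTS),
                          ("Android", ANDROID_EVENTS), ("no L2TP rule", MISSING_L2TP_RULE_EVENTS)]:
        print(label, check_session(events))
```

The auth_method field is worth reading as well as the ok flag: the Android sequence completes, but with PAP rather than the MD5-Challenge the gateway was configured for in step 3, which is only acceptable because the PPP exchange is carried inside the IPSec tunnel.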

Reference:
Checkpoint L2TP Supplement Release Notes
http://www.checkpoint.com/iphone/downloads/release-notes.pdf