CPUG: The Check Point User Group
Resources for the Check Point Community, by the Check Point Community.
Type: Posts; User: jflemingeds
That looks much better than a turducken.
gns3 .. on a BEOWULF Pi cluster!
Is GNS3 weird? It's all running out of there.
This is what happens when you get a terrible idea and want to see it through.
FortiGate-VM64-KVM # execute ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0...
At some point this is going to be a very round wheel. :)
I'm sorry, was it 30 security issues in this year alone and we're not done with this awesome year? How about that SAML issue? Don't worry, I'm sure that is going to be the last time there is a Uber...
Me thinks out of the 10-15 active users here there are maybe 2 that do programming stuff and 1 that is using the API right now.
That being said I'm all ears. :)
Bug report #1.
Creates invalid clean up rule. :D
J/K. What did you write it in?
I have nothing useful to add other than I'm wondering who across the pond plays (I'm in the US FYI).
I haven't ever played it but I can't get enough of the lore. It's so bad I think I'm about to...
Of course this is still active! There has to be more than 10 people that still post content on here.
BTW that being said.. the kernels all have KVM support built in if I recall.
Correct, you're just starting a new process under a chroot. It's basically an old-school container if you will.
FYI Devin@spikefishsolutions.com did a nice update on our kali howto. Technically you can use this method to install anything Debian based.
Customizing Check Point Gaia with Kali Linux
So I still have no idea if this should work or not... but the major problem we found was the ISP (We'll call them Aye Tee Tee) blocks inbound ESP, which is awesome.
Checkpoint can be forced to...
peer from and to the VIP for a cluster. Make sure graceful restart is enabled. On failover BGP will go down but if I recall graceful restart keeps the routes until the BGP session builds up again.
my...
Well.. this took a while to figure out.
High level
2 site to site VPN peers agree on phase 1 and 2 (using PSK and IKEv2).
peer 1 (EdgeRouter) says.. heck yeah Phase II is great. Let's do raw...
Do you have a /32 static route for the Checkpoint internet peer address out the external interface of the Cisco? My guess is once the default route says go down the tunnel that ends up including the peer...
Come to think of it, this doesn't even make sense. Who cares if it doesn't work? If the primary goes down all 3 will stop working. If the primary is working and the only one, who cares if the...
Any chance the NAT isn't happening because there is an active connection? I don't think you can modify an active flow. Drop the flow for the time your UDP timeout is set to, then make the NAT change...
sk106162 - Jumbo hotfix for R77.30 - "PMTR-35032, PRJ-99 VPN Important security update for IPSec Site-to-Site (S2S) VPN."
sk116380 - Jumbo hotfix for R80.10 - "PMTR-35032 VPN Important security...
so I understand, and please, don't take that as hope... :D
Users are in X.COM, but the groups (that you want tied to access roles) are in Y.COM?
cn=group_name,ou=group_name,DC=Y,DC=COM
...
Or just put it in GitHub and have the link be to the raw version. Cert issue resolved.
Really cool script BTW, major props.
Yes, they replaced wget with curl. I can't say for sure, but my guess is they did this just to spite PIX admins.
I thought that was a pretty good list of questions. I mean it's not like you explained anything in your configuration or asked any questions about the OP's setup, which is kind of critical since...
One other thought.. could that be only the public key and the sign key be the private?
Hmm. Did you run file or maybe binwalk against the binary to see what they think it is? Most likely you're correct but slim chance.. :)
I don't have a PKCS file handy to look at but what are you thinking? Like, is the hex string missing something or is it more how do you take hex input and convert it into a binary? From the very...
CPX, who is going? I was going to do Vienna, but couldn't get a schedule that worked for my team...
.. so Vegas it is! I know Eric and Max Power are going.
That's pretty damning. I wonder if PA got mad and sued the employer to make him take it down.
I just happened to log in to LinkedIn and noticed a post from Craig about hacking the Palo support forum. He had a link to a blog that has since 404ed. Did anyone get the details?
Back up everything, restore into VM, put evals on them.
In lab, delete primary cluster member from dashboard and then recreate it. If that works without issue do the same in production. Might not...
Reply with the output of the following from expert mode
df -h
du -sh /opt/*
du -sh /var/opt/*
Can you explain a little more what your issue is? The SK covers an upgraded mgmt server. Is that your case?
Hi all, John Ejaife of Spikefish Solutions wrote up a blog on how to hook Checkpoint into Cisco ISE to authenticate admins (via RADIUS) and assign different roles based on AD group membership....
ethtool Sync (assuming that is the interface name).
Reply with output from both. Might be interesting to plug a laptop into the Sync port on both firewalls to see if it runs at 1000/full when set...
It shouldn't, but if you want to be safe do this on the standby.
clusterXL_admin down
replace cable
clusterXL_admin up
I think you may want to replace that cable. Possibly double check both firewalls sync interface config to make sure they're auto/auto (think you did that already). That would be the correct setup for...
Can you? I'm sure it wouldn't be that hard to make a pgsql user and change some stuff up.
Should you? That's another question. :)
Route-based VPN (VTI in Checkpoint) uses an empty encryption domain with basically a 0.0.0.0/0 for src and dst tunnel. Anything routed to the interface would be sucked into the VPN. Are you mixing...
If that doesn't help, do a packet capture on the Checkpoint device and see what service AlgoSec is trying to use. From there it should be a little more clear on what to do.
something like..
...
Is it trying to log in via SSH or via CPMI? If SSH, maybe try changing the shell to bash. If CPMI, I would check the audit logs.
Oh.. or API, I forgot about that. I think by default the API is only...
Doesn't it show on that last line you pasted?
Also I think there is a command called
installed_jumbo_take
or something like that... that will show the take as well.
Well.. it hasn't gone well. Using raw SecurID it seems the best I can do is map all RSA users to a single group and then do something with that group in the firewall policy, which isn't good.
...
Hi all, I'm working on a project where I'm trying to support Active Directory based auth as well as SecurID based auth. I'm running into some RSA issues but I expect I'll have that addressed shortly....
From clish
show route all
Does it show up then, possibly as hidden? Please show output from both cluster members.
Could you hack it with NAT rules?
src: fw1 dst:DNS1, nat src: original, nat dst:magic_dns_1
src: fw2 dst:DNS1, nat src: original, nat dst:magic_dns_1
Each VS could have its own nat rule.
Yeah, I'm poking around and finding interesting things.
TYPE := { vlan | veth | vcan | dummy | ifb | macvlan | macvtap |
bridge | bond | ipoib | ip6tnl | ipip | sit | vxlan |
...
Anyone know if 4k sectors are just not supported on USB? I was trying to get R77.30 to talk to a 6TB USB drive. Even with a GPT table, the moment I try to write data I get a large amount of errors barfed...
Yeah, that or just edit and add a row.
Hmm, looks like network namespaces are now supported. I wonder if that means a big VSX update is on the way.
Technically init is still PID 1.
You sure about that version? :)
This is kind of a shot in the dark, but is anyone using L2TP on iOS? I'm using dhcp for officemode IP allocation and seeing that the MAC address unicasted to the dhcp server inside the dhcp request...
iotop.. nice. I helped a customer out with a large P1 install. Everyone was complaining about how slow policy installs were but no one noticed 100% iowait. Took a little troubleshooting to figure...
Oh sorry, I misread. I was thinking R77.30 on IPSO. You clearly have R65 on IPSO.
Could be CPD and / or FWD need to be restarted. Might be easier to just reboot. However if the system is diskless...
I'm pretty sure the release notes or something says R77.30 requires 2 gig of RAM. Maybe it's in the R77 notes. I don't remember if the IP390 has a real hard disk or not. If it's flash, your only hope is to maybe...
Is there any chance you have a service in the NAT policy and the original has UDP and the NATed has TCP or something like that?
I didn't know legacy client auth didn't support ssl on R80.10 but you should really be using captive portal. It should have the same functionality as client auth (well except for telnet auth.. well...
for x in $(seq 10 100) ; do echo clish -c "add arp proxy ipv4-address 10.31.0.$x interface eth3 real-ipv4-address 10.31.0.1" ; done
Make sure admin's shell is /bin/bash (log out and back in if you...
BTW I think the locks Eric was talking about are in sk108058.
rm -i /tmp/clish.*
Are you using tacacs or radius for logins? BTW you left off md5sum of /bin/bash
What does
md5sum /etc/cli.sh /bin/bash
Return?
What does
egrep admin /etc/passwd
Return?
Hmm maybe
Is there any chance the iSCSI traffic is fragmenting? Might explain high CPU usage as frags basically suck. Would need to packet capture to tell since the firewall is going to reassemble the frags...
Doesn't antispoofing require 2 interfaces? Not sure if sync counts in that list or not.
How does the routing look? Still just one default route?
netstat -anp | grep 257
should show something. 1 per gateway and should always be established. Granted, just because there is an established connection doesn't mean it's logging anything. Not super...
Man I am so disappointed in Tufin right now. They have no way to create a rules and objects usage report that digs into objects except via PDF or HTML. I've been told I can file an RFE or set up a PS...
I'm going to break protocol here and skip everything in the middle and go right for the head shot.
I double dog dare you to do it!
Not that I think anything will happen, but it would be nice...
Looks like clish has a prompt command. I'm assuming you could fix that and submit a patch. ;)
show clienv prompt
looks like the default is
%M>
Not sure what all the options are, but I'm...
Doesn't ethtool also have a way to identify a port? I lost multiple days trying to understand the Ethernet naming convention in Ubuntu at one point. I found sanity only after looking Cthulhu right in...
Challenge accepted!
I made a bogus vti interface, then added a pbr route. Next hop options are ip, interface, vti vpn.
If I choose a next hop of the remote VTI peer it takes it. Granted this is not...
Thanks for all the replies everyone. No smb firewall so no worries there.
Has anyone used Tufin to review global policy across many gateways before? My end goal is to see what global policy usage looks like across around 100 gateways. I played around with this through the...
But couldn’t you do that with pbr and a vti?
Completed testing this morning. Well... can never have too much testing...
Did not remove global policy first.
Kept hostname of CMA the same. Created a dummy VM firewall in pre-move lab...
Hi all, I'm starting a project where I'll be moving a CMA out of one MDS into a completely different MDS. The source CMA has global policy; the destination MDS has no global policy.
IP will change...
Have you looked at the cert it's using? Could you match that on an allow for in your HTTPS inspection policy?
# From MGMT server / CMA
cprid_util -server $IP -verbose rexec -rcmd bash -c 'reboot'
I don't remember if the reboot command will ask you if you're sure or not. This should work on SMB or normal...
Can you expand on that? Like the normal performance issues or something else?
What’s that? It’s slow? No everything is fine *cough coughnowcough cough*.
I haven't tried that before but the route table seems to support that. Are you really using a VTI or are you doing domain based VPN? Also, is this centrally managed by a SmartCenter?
sk98894 Maybe?
Oooh right. I forgot about that. Could very well be.
Yeah, looks like it might not be a supported path. I would export the mgmt server database, rebuild in VM, import and then build new firewalls and test out pushing policies and what not.
Looks...
I haven't heard of that. I would do a packet capture and see if you can verify it really looks like a SMTP server. Does anything show up in the logs of the secondary? What blades do you have enabled...
Ok first yes, no Gaia on IPSO appliance. 100% agree.
Is this a flash based IP560? Can you send the output of
df -k
If this only has CF and no hard drive then you can not install management...
It's not clear what part you're saying is failing. Are you trying to run a firewall + mgmt on a flash based firewall? If so that isn't supported.
If that isn't what you're getting at can you explain?...
Yes, it will. As Shadow indicated the ISP router would need to do the hide NAT function. The only thing he left out would be a static route on the ISP router saying how to get to the subnet behind the 1100. ...
oops my bad, you are correct.
1100 isn't the fastest firewall in the world. That being said it doesn't seem like it's overloaded based on netstat -in output. How does top look when you run the speed test?
Have you tried wiring...
I normally don't like throwing this option out there, but since this is an older version have you tried rebooting the mgmt server?
Never mind.. may not be worth trying. I didn't poke around the SK.
Or a bridge firewall with a dedicated mgmt interface that needs internet access, which would then route through the internal interface of the bridge, but there is some newer way to handle that. Some...
This might be a little exotic, but does the remote side support VTI or route based VPNs? It's the same thing, just a different name. They're interesting because the VPN doesn't use local and remote...
Yeah, that's what I ended up doing. Basically delete any ref of _30_JUMBO_HF. Now CPUSE will install.
Crossing fingers.
Is there a way to force the install of a jumbo hotfix via CPUSE? I have a replication setup that thinks JH $version is installed but it's not. Want to re-install $version then upgrade to 309.
That is a completely different beast. Interface spoofing can not be addressed with address spoofing.
Do you by chance have more than one cluster on the same VLAN? What about checking for IP...
My guess is rx_missed_errors and/or rx_no_buffer_count go up.
My guess based on a few searches is the PSK is stored in fwauth.NDB. I don't know what data store format that file is. Maybe something that Checkpoint cooked up? Was thinking maybe a Sleepycat (or...
ClusterXL can't sync members with different CoreXL configs like you've found. Should be all you need to do is run cpconfig and fix the number in the CoreXL configuration.
Did you try that already?
It fully tastes the rainbow.