Let's troubleshoot... We also deliver trainings. Check out our training page https://asame2.blogspot.com/p/we-also-deliver-trainings.html


Wednesday 27 February 2019

How to do packet capture in Juniper SRX? / How to use traceoptions in SRX?

I have always been an ASA guy. When I first started working on SRX, I kept comparing what I could do on the ASA with how to do the same thing on the SRX.

On the ASA a packet capture is a single command:

capture capin interface inside match ip host 1.1.1.1 host 2.2.2.2

That's all.

On the SRX the equivalent is flow traceoptions. It takes a few more commands and a commit, but the capability is there. So let's see how to do it.

Let's say I want to capture traffic between two IPs. Source: 192.168.1.5 Destination: 8.8.8.8

Go to configuration mode. (If you don't have time to understand it right now and just need the commands, jump to the "All commands at once" list further down.)

>configure

Give the trace file a name (this is the file under /var/log that you will read back later with show log):
set security flow traceoptions file capin

Set the maximum size of the trace file:

set security flow traceoptions file size 2m

Tell the flow module what to trace. The basic-datapath flag records each matching packet's path through the flow engine (zone and policy lookup, session match, NAT, route), which is exactly what you want for "is my traffic reaching and passing the firewall" questions:

set security flow traceoptions flag basic-datapath

Tell it who the source is (p1 is just a name you choose for the filter):

set security flow traceoptions packet-filter p1 source-prefix 192.168.1.5

Tell it who the destination is:

set security flow traceoptions packet-filter p1 destination-prefix 8.8.8.8

Always attach a packet-filter. Without one, basic-datapath traces every flow through the box, which on a busy SRX fills the file with noise and puts real load on the control plane.

Now if you also want to capture the return traffic, you have to create another packet filter for it. Just change the name of the filter and swap the source and destination IPs.

So for the return traffic, the source is:
set security flow traceoptions packet-filter p2 source-prefix 8.8.8.8

And the destination is:
set security flow traceoptions packet-filter p2 destination-prefix 192.168.1.5



On the SRX nothing happens until you commit. The traceoptions are part of the configuration and only become active after the commit.

First check what you are about to commit:

show | compare

This shows the candidate changes against the active configuration.

Then check for syntax errors without activating anything:

commit check

Once everything looks good, go ahead and commit:
commit

Now ask the user to initiate the traffic. To read the trace, use:

run show log capin (the run prefix is needed because you are still in configuration mode)
From operational mode you can use: show log capin

You can clear the trace file whenever you need to. In fact I recommend clearing it a couple of times before the real test, so the file contains only the traffic you asked the user to generate.

So the first thing I do after committing a traceoption is clear the file:
run clear log capin

Run it 3-4 times, then ask the user to initiate the traffic.

Once you are done, remove the traceoptions and commit again. The delete is not active until committed, and traceoptions left behind keep the flow daemon writing traces to disk and burning CPU for every matching (or, without a filter, every) flow:
delete security flow traceoptions

If you need to see whether any traceoptions are already applied (on the ASA you would use show capture to list the active captures), the equivalent here, from configuration mode, is:
show security flow traceoptions | display set






How to do packet capture in SRX? All commands at once.

If you want to understand these commands, see the walkthrough above.

>configure
set security flow traceoptions file capin
set security flow traceoptions file size 2m
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter p1 source-prefix 192.168.1.5
set security flow traceoptions packet-filter p1 destination-prefix 8.8.8.8

For return traffic:
set security flow traceoptions packet-filter p2 source-prefix 8.8.8.8
set security flow traceoptions packet-filter p2 destination-prefix 192.168.1.5

show | compare
commit check
commit

run clear log capin (3-4 times)

Ask the user to initiate the traffic, then check with:
run show log capin

When finished, remove the traceoptions and commit again so the trace stops:
delete security flow traceoptions
commit
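If you want to automate the "are any traceoptions still applied" check from the walkthrough above, here is an added example that is not from the original post. It parses the same "set security flow traceoptions ..." lines that "show security flow traceoptions | display set" prints, and reports a trace that was left configured, or one that has no packet-filter at all (the case that traces every flow). The function names are mine and the sample configuration text is constructed from this post's own commands.

```python
"""Audit a Junos 'display set' dump for flow traceoptions left behind.

Added example, not code from the original post. It reads the same
'set security flow traceoptions ...' lines committed above and reports
traceoptions that are still configured, or that have no packet-filter
(which traces every flow). Function names are mine; the sample config
text is constructed from this post's commands.
"""

PREFIX = "set security flow traceoptions "


def parse_traceoptions(config_text):
    """Return {'file', 'size', 'flags', 'filters'} describing the flow
    traceoptions in a 'display set' dump, or None if there are none."""
    found = {"file": None, "size": None, "flags": [], "filters": {}}
    seen = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line.startswith(PREFIX):
            continue
        seen = True
        words = line[len(PREFIX):].split()
        if words[:2] == ["file", "size"] and len(words) == 3:
            found["size"] = words[2]
        elif words[:1] == ["file"] and len(words) == 2:
            found["file"] = words[1]
        elif words[:1] == ["flag"] and len(words) == 2:
            found["flags"].append(words[1])
        elif words[:1] == ["packet-filter"] and len(words) == 4:
            name, key, value = words[1:4]
            found["filters"].setdefault(name, {})[key] = value
    return found if seen else None


def audit(config_text):
    """Return a list of findings; an empty list means nothing to clean up."""
    trace = parse_traceoptions(config_text)
    if trace is None:
        return []
    findings = ["flow traceoptions still configured (file %s)" % trace["file"]]
    if not trace["filters"]:
        findings.append("no packet-filter: every flow is being traced")
    for name, match in trace["filters"].items():
        if not ({"source-prefix", "destination-prefix"} & set(match)):
            findings.append("packet-filter %s has no prefix match" % name)
    return findings


# Constructed sample: the traceoptions this post commits, as 'display set'
# would list them.
WITH_FILTERS = """\
set security flow traceoptions file capin
set security flow traceoptions file size 2m
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter p1 source-prefix 192.168.1.5
set security flow traceoptions packet-filter p1 destination-prefix 8.8.8.8
set security flow traceoptions packet-filter p2 source-prefix 8.8.8.8
set security flow traceoptions packet-filter p2 destination-prefix 192.168.1.5
"""

# Same trace with the filters forgotten: the case that hurts a busy box.
NO_FILTER = """\
set security flow traceoptions file capin
set security flow traceoptions file size 2m
set security flow traceoptions flag basic-datapath
"""

# A config with no traceoptions at all (constructed).
CLEAN = "set system host-name srx-edge\n"

if __name__ == "__main__":
    for label, cfg in (("with filters", WITH_FILTERS), ("no filter", NO_FILTER), ("clean", CLEAN)):
        print(label, audit(cfg) or ["ok"])
```

Feed it the output of "show security flow traceoptions | display set" (or the whole configuration in display set form) and an empty result means the box is clean; anything else is a trace someone forgot to delete.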


Friday 15 February 2019

How to configure syslog on cisco ASA? / How to send logs to syslog server?


Hello,

A couple of engineers have asked me which commands are actually required to get the ASA sending logs to a syslog server, so I thought this might help someone else searching for it on the Internet.

The first thing you need is the syslog server's IP address. The syslog server can be internal or external. Let's say we have a syslog server that is reachable from the inside.


Syslog server IP: 192.168.1.5

==================================
 If you are just looking for the quick commands, here they are. If you want to understand them, continue reading.

conf t
logging enable
logging host inside 192.168.1.5
logging trap debugging
==================================

Now you need to tell the ASA about the syslog server. Let's introduce it:

conf t

logging host inside 192.168.1.5

! "inside" tells the ASA that the syslog server is reachable via the inside interface, so the ASA sources the messages from its inside interface IP. If your syslog server is reachable via the Internet/outside interface, you know what to change. With no port given, the ASA sends plain UDP syslog to port 514 in cleartext, so keep the path to the collector inside your trust boundary.

That alone is not enough for the ASA to start sending logs. Logging has to be switched on globally, and you need to tell the ASA which messages to send.

logging enable

! nothing is generated or sent until logging is enabled.

There are eight severity levels, 0 to 7. The lower the number, the more severe the message. Choosing a level sends that level plus everything more severe than it, so the higher you go, the more logs you send to the syslog server.

Emergency Messages, Severity 0
Alert Messages, Severity 1
Critical Messages, Severity 2
Error Messages, Severity 3
Warning Messages, Severity 4
Notification Messages, Severity 5
Informational Messages, Severity 6
Debugging Messages, Severity 7

With the "logging trap" command we tell the ASA to send logs to the syslog server and, at the same time, what level of logging to send.

The exact command will be:

logging trap debugging

Debugging (7) sends everything, including per-packet debug messages, and on a busy firewall that is a lot of volume and can flood the collector. For a SOC feed, informational (6) is the usual choice: it still includes the connection build/teardown messages (the 302xxx series) and the access-list denies that detection rules depend on, without the debug noise.

So the exact commands at once will be:
==================================
conf t
logging enable
logging host inside 192.168.1.5
logging trap debugging
==================================
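To make the severity rule concrete, here is an added example (not from the original post) that filters ASA syslog lines the way "logging trap <level>" does on the box: every ASA message carries its severity in the "%ASA-<severity>-<message-id>:" header, and a trap level keeps the messages whose severity number is less than or equal to it. The sample lines are constructed for this example; the message IDs follow ASA's numbering but the text is illustrative, and the function names are mine.

```python
"""Filter Cisco ASA syslog lines by severity, as 'logging trap <level>' does.

Added example, not from the original post. ASA messages carry their
severity in the header: %ASA-<severity>-<message-id>. A trap level sends
every message whose severity number is <= that level, so lower numbers are
more severe and 'debugging' (7) means everything. The sample lines below
are constructed for this example; the IDs follow ASA's numbering but the
message text is illustrative.
"""
import re

# Level names as typed after 'logging trap', mapped to their severity number.
LEVELS = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# ASA header: %ASA-<sev>-<6-digit id>: <text>. Collectors often prepend a
# timestamp or hostname, so search rather than anchor at the start.
HEADER = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)")


def parse_asa(line):
    """Return (severity, message_id, text) for an ASA message, else None."""
    m = HEADER.search(line)
    if not m:
        return None
    return int(m.group("sev")), m.group("msgid"), m.group("text")


def trap_filter(lines, level_name):
    """Return the message IDs an ASA configured with
    'logging trap <level_name>' would actually send to the syslog server."""
    limit = LEVELS[level_name]
    kept = []
    for line in lines:
        parsed = parse_asa(line)
        if parsed is not None and parsed[0] <= limit:
            kept.append(parsed[1])
    return kept


# Constructed sample feed, one message per severity band plus a non-ASA line.
SAMPLE = [
    '%ASA-4-106023: Deny tcp src outside:203.0.113.9/4444 dst inside:192.168.1.10/22 by access-group "outside_in"',
    "%ASA-5-111008: User 'admin' executed the 'logging trap debugging' command.",
    "%ASA-6-302013: Built outbound TCP connection 1234 for outside:203.0.113.5/443 to inside:192.168.1.10/51234",
    "%ASA-7-710005: UDP request discarded from 192.168.1.10/137 to inside:192.168.1.255/137",
    "Feb 15 2019 10:00:01 %ASA-3-313001: Denied ICMP type=8, code=0 from 203.0.113.9 on interface outside",
    "not a syslog line at all",
]

if __name__ == "__main__":
    for level in ("debugging", "informational", "warnings", "emergencies"):
        print("%-13s -> %s" % (level, trap_filter(SAMPLE, level)))
```

Running it shows why "logging trap warnings" is too quiet for detection work (the connection build at level 6 disappears) and why "debugging" keeps the level-7 chatter that a collector rarely needs.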

Monday 4 February 2019

How to take the capture as pcap/wireshark format in Checkpoint?

Let's say you need to view the capture in Wireshark. In that case the capture has to be exported, and to export it we first need to write it to a file.

Syntax:
tcpdump -nni interface_name host IP_address_here -w /location/name.pcap

[Expert@fw-checkpoint-raj:0]# tcpdump -nni eth2.2 host 10.197.112.5 -w/var/log/raj.pcap
tcpdump: listening on eth2.2, link-type EN10MB (Ethernet), capture size 96 bytes
2 packets captured
4 packets received by filter
0 packets dropped by kernel
[Expert@fw-checkpoint-raj:0]# pwd
/home/_locl
[Expert@fw-checkpoint-raj:0]# cd /var/log
[Expert@fw-checkpoint-raj:0]# pwd
/var/log

[Expert@fw-checkpoint-raj:0]# ls -lr | grep raj
-rw-rw----  1 admin users        248 Jan 14 09:21 raj.pcap 



By default this tcpdump version captures only the first 96 bytes of each packet (the snapshot length, or snaplen). That is enough for the Ethernet, IP and TCP headers but cuts off most of the payload, and Wireshark will mark those packets as truncated.

If you need more of each packet, set the snapshot length with "-s" (1024 here; "-s 0" captures full packets on this version):

 tcpdump -nni eth2.2 host 10.197.112.5 -w/var/log/raj.pcap -s 1024
tcpdump: listening on eth2.2, link-type EN10MB (Ethernet), capture size 1024 bytes
1 packets captured
2 packets received by filter
0 packets dropped by kernel



If you just need to save the capture in your current directory rather than under /var/log, drop the path:

tcpdump -nni eth2.2 host 10.97.112.161 -w raj2.pcap -s 1024

How to delete your saved capture file?
Go to the location where your capture is saved; verify your current location with the "pwd" command.

Then make sure your capture file is there:
ls -lr | grep raj2.pcap

If the file is listed, remove it with "rm raj2.pcap".

Do delete capture files when you are done with them. They hold raw packet payloads, which can include cleartext credentials and session data, and large captures under /var/log compete with the firewall's own logs for disk space.

 

How to apply packet capture in Checkpoint? / How to apply tcpdump in Checkpoint firewall?

For those of you who have been working on Cisco ASA, packet capture has been an awesome thing so far and you really wish it were available in every firewall.

Well, it gets much easier with Checkpoint!!

Really?

Let's see then.....

As on the ASA, the first thing we need to know is on which interface we need the packet capture.

How do you figure this out?

We will take the capture on either the "ingress" or the "egress" interface; the choice is yours and depends on your troubleshooting approach.

So let's say I want to see whether the packets are reaching my firewall at all. In that case I will take a capture/tcpdump on the "ingress" interface. To determine the ingress interface, check the routing table for the source address.

Example:

Source IP: 10.197.112.5
Destination IP: 18.197.74.74

Check the route for 10.197.112.5

fw-checkpoint-raj> show route destination 10.197.112.5
Codes: C - Connected, S - Static, R - RIP, B - BGP,
       O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA)
       A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed,
       U - Unreachable, i - Inactive

C         10.197.112.0/24      is directly connected, eth2.2
                                  Inside_Lan

Now we know that this network is behind eth2.2, so we can run tcpdump on eth2.2.

To run tcpdump you need to be in "Expert" mode. That is a root shell, so treat the expert password like a root password.

fw-checkpoint-raj>expert
Enter expert password: type your expert password here

[Expert@fw-checkpoint-raj:0]#

tcpdump -nni <interface name> host <source/destination ip>

-nn stops tcpdump resolving addresses and ports to names (faster, and no DNS lookups leaving the firewall while you troubleshoot), -i selects the interface, and "host X" matches packets where X is either the source or the destination.


[Expert@fw-checkpoint-raj:0]# tcpdump -nni eth2.2 host 10.197.112.5
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2.2, link-type EN10MB (Ethernet), capture size 96 bytes
04:46:55.227674 IP 10.197.112.5.59422 > 18.197.74.74.443: P 2148513804:2148514202(398) ack 708108218 win 254
04:46:55.260477 IP 18.197.74.74.443 > 10.197.112.5.59422: P 1:498(497) ack 398 win 979
04:46:55.474618 IP 10.197.112.5.59422 > 18.197.74.74.443: . ack 498 win 252

Once you hit Enter, tcpdump starts listening for matching traffic on that interface and prints each packet; Ctrl-C stops it. Keep in mind that tcpdump shows what is on the wire at that interface; it does not tell you whether the firewall accepted or dropped the packet.

If you know the exact source and destination IPs, you can apply a more specific capture/tcpdump:

Capture traffic between two exact IPs:
=========================================================
[Expert@fw-checkpoint-raj:0]# tcpdump -nni eth2.2 host 10.197.112.5 and host 18.197.74.74
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2.2, link-type EN10MB (Ethernet), capture size 96 bytes
04:56:39.575612 IP 10.197.112.5.59422 > 18.197.74.74.443: P 2148545757:2148546155(398) ack 708114785 win 252
04:56:39.609196 IP 18.197.74.74.443 > 10.197.112.5.59422: P 1:498(497) ack 398 win 979
04:56:39.822522 IP 10.197.112.5.59422 > 18.197.74.74.443: . ack 498 win 256

3 packets captured
6 packets received by filter
0 packets dropped by kernel
========================================================


You can also capture traffic between two IPs by specifying who is source and who is destination:
========================================================
[Expert@fw-checkpoint-raj:0]# tcpdump -nni eth2.2 src 10.197.112.5 and dst 18.197.74.74
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2.2, link-type EN10MB (Ethernet), capture size 96 bytes
04:58:26.653461 IP 10.197.112.5.59422 > 18.197.74.74.443: P 2148546553:2148546953(400) ack 708115779 win 254
04:58:26.900437 IP 10.197.112.5.59422 > 18.197.74.74.443: . ack 498 win 252

2 packets captured
4 packets received by filter
0 packets dropped by kernel


Reversing the source and destination, just to show you the difference:

[Expert@fw-checkpoint-raj:0]# tcpdump -nni eth2.2 src 18.197.74.74 and dst 10.197.112.5
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2.2, link-type EN10MB (Ethernet), capture size 96 bytes
04:59:18.728787 IP 18.197.74.74.443 > 10.197.112.5.59422: P 708116276:708116773(497) ack 2148547353 win 979
05:00:12.766360 IP 18.197.74.74.443 > 10.197.112.5.59422: P 497:994(497) ack 401 win 979
05:01:07.810321 IP 18.197.74.74.443 > 10.197.112.5.59422: P 994:1491(497) ack 801 win 979
05:01:16.766112 IP 18.197.74.74.443 > 10.197.112.5.59422: P 1491:1750(259) ack 1065 win 979


How to retrieve expert password on checkpoint via CLI? Forgot my checkpoint expert password.


This happened to me and I want to share it so that you can fix it yourself.

I forgot my "expert" password and needed to reset it.

What you need to do is:
Log in to the device with the admin credentials and run "show configuration":
checkpoint-fw-raj> show configuration

Look at the very bottom of the output for this line:

set user admin password-hash $1$6LgE8X45fg23987hgjsi34/234sak

Now set your expert password hash to the same value as admin's:

set expert-password-hash $1$6LgE8X45fg23987hgjsi34/234sak

Two things to note. This works because Gaia accepts a password hash directly, so anyone who can read the configuration (any admin, or anyone holding a configuration backup) can copy a hash without knowing the password; treat configuration dumps and backups as secrets. And the "$1$" prefix marks an MD5-crypt hash, which is cheap to brute-force offline, another reason not to let those dumps leak.

Now duplicate your PuTTY session and log in again as admin. Try to go to expert mode now, but use your "admin" user password.

You should be in. Its time to change your expert password now:
set expert-password ---- hit Enter
Current password:
New password:
New password (Again):


checkpoint-fw-raj> save config

Enjoy!

How to obtain config lock on checkpoint?


Hello,

I logged into my Checkpoint firewall via CLI and saw that it could not acquire the config lock because the lock was owned by another client:

checkpoint-fw-raj>
CLINFR0509  Could not re-acquire the config lock because the lock is now owned by some other client.
CLINFR0509  Failed to maintain the lock. Command not executed.

To take the lock, enter this command:

checkpoint-fw-raj>lock database override

Be aware that this forcibly takes the lock away from the other session (often another admin, or a stale session of your own), so check that nobody is in the middle of a change before overriding it.