|
|
|
|||
|
|
||||
If you can't find what you need here, try a different FW-1 Version
Questions:
GENERAL
1) My third burb web server only gives me its base page. All other
links hang.
2) Why can't I get to some sites (I'm using token ring)?
3) CPU goes to 100%
4) How can I monitor the
memory usage of Firewall-1?
INSTALL
1) IBM token ring cards won't work.
2) Do you recommend modifying the NT environment?
3) How do I quickly install FW-1 on NT?
4) How do I totally remove FW-1 from my system?
5) Upgrades overwrite state/local.arp files.
6) How does licensing work?
7) What are best network cards to use in Compaq NT setups?
8) Does FW-1 support multi-processors?
9) How do I load FW-1 for HP-UX?
LOGGING
1) I can't pass logging to a central log server.
2) Cannot de-install logging.
3) I can't switch logs because I run out of memory (NT).
4) In the Firewall-1 Log Viewer program, I get no information in the
columns after "Action".
DISTRIBUTED MANAGEMENT
1) How do I manage a non-VPN fw module from a VPN management station?
2)I have multiple firewalls being controlled by a single management sever.
How do I make sure each firewall will load the correct policy on reboot?
NAT
1) How does NAT on network ranges work?
2) I STILL can't get NAT to work!
3) External to Internal static NAT doesn't work and log shows 2 entries, 1
succeed and 1 reject
4) Can I do Hide xlation in reverse (from outside in)?
PROXIES/CVP/AUTHENTICATION
1) The SMTP proxy announces that its host is a FW-1 firewall. Is
this a problem?
2) SMTP proxy makes CPU go to 100%.
3) I get random results when proxying HTTP traffic on FW-1.
4) Why do I have to log into multiple sites when using HTTP
authentication?
5) The firewall is not filtering all HTTP Java pages.
6) How do the HTTP Java filtering options work together?
7) I can't authenticate to the HTTP proxy.
8) I can't authenticate HTTPS/FTP users through HTTP.
9) How do User Authentication modes work again?
10) FW-1 won't deliver mail to sites that don't accept the
"<>" in the envelope
11) How do I do SecurID authentication?
12)
When using client authentication, do active sessions get terminated when the authorization
times out?
RULE BASE
1) FW-1 Policy takes a long time to install.
2) Rules compile but won't install and I am disconnected.
3) NT won't route packets after install.
4) Can I filter on source port?
5) I am having a problem with time-based rules.
6) How do I backup my rules and objects?
7) I define an object, but it doesn't work (acts like "ANY").
8) I get weird rejects via rule 0.
9) How can I view my policy without connecting to a management station?
SECURE REMOTE
1) Secure Remote won't work.
2) Secure Remote won't work with Network Address Translation (NAT).
Answers:
1) My third burb web server only gives me its base page. All other links hang.
Unknown cause, but there is a work-around. On the rule that the connection hangs, change the service from http to "http with resource." You will have to build an empty HTTP filter that basically does nothing but proxy.
2) Why can't I get to some sites (I'm using token ring)
This isn't scientific but #1, get rid of token ring cards. There is some funky thing with fragmenting packets and token cards that prevent you from accessing certain sites. Like www.ibm.com is funky.
If you are not experiencing any mail problems, you might be trying to do things on the system that you already disabled in Services. Turn on the necessary service in Services.
4) How can I monitor the memory usage of Firewall-1?
On your firewall, run 'fw ctl pstat'. You will see output similar to:
# fw ctl pstat Memory: 3145728 bytes, 3145104 avail, Requests: 122 alloc, 105 free, 0 reject Inspct: 3097 packets, 620813 operations, 18315 lookups, 435 record, 225817 extract Cookies: 9794 total, 0 alloc, 0 free, 0 dup, 5861 get, 0 put, 6194 len Fragments: 0 fragments, 0 expired, 0 packets Encryption: 0 encryption, 0 decryption, 0 short, 0 failures Translation: 0/0 forw, 0/0 bckw, 0 tcpudp, 0 icmp, 0-0 alloc
The interesting line is "Memory".
The first number is the number of bytes Firewall-1 has available to it in kernel memory. This number is fixed, it does not change.
The second number is the number of free bytes available in the region specified by the first number. If this number is below 1,000,000, then you should keep an eye on it and look into increasing the memory allocation for Firewall-1 (note, this does not mean adding RAM).
The Third interesting number is the number of memory requests rejected. If this number is non-zero, then you have run out of memory at some point, and you will probably see a message similar to "fw: halloc 64 bytes: memory exhausted" somewhere in your system logs (not the Firewall-1 log viewer).
Running out of memory is a Bad Thing.
The procedure for Increasing the amount of Firewall-1 memory is specific to the version of the OS you are running the Firewall-1 module on. See the Phoneboy FAQ for instructions on how to do this.
1) IBM token ring cards won't work.
We recommend using 3com PCI token ring cards. Certain IBM cards do not work well with NT. IBM's web site has NT driver patches for certain afflicted token ring cards. Symptoms include: firewall lockup, can't install policy (invalid handle).
Also, FW-1 does not support proxyarps on token ring cards as of version 3.0b. NAT will not work unless you add explicit routes to the desired addresses on the upstream router.
2) Do you recommend modifying the NT environment?
Why, yes, we do. I'm glad you asked. You should set FWDIR to your install directory and add to PATH %FWDIR%\bin.
3) How do I quickly install FW-1 on NT?
Follow these easy steps. If re-install make sure you save NT drivers and Check Point licenses!!!:
- When installing NT, make sure you add SNMP service, and then the latest Service Pack. SP4 allows read-only SNMP communities.
- TCP/IP should be the only networking protocol.
- Disable all bindings on the external interface besides TCP/IP.
- The firewall should be a stand-alone server in its own domain (unless using LDAP services)
- Disable unnecessary services
- Leave Event Logging (to report events)
- Leave RPC Service (used by explorer to open windows on GUI)
- Leave Protected Storage (if you are using MS Crypto API to protect/access encryption keys)
- Leave FW-1/Raptor/RealSecure/etc security software
- Leave Plug n' Play if you are going to be adding/remove hardware otherwise turn it off- DO NOT install DNS, IIS, or any other network services besides the firewall!
- Modify the following variables in the NT environment: FWDIR=<install directory>, PATH=%PATH%;%FWDIR%\bin
- Make sure TCP/IP forwarding is enabled in Networking.
- In \winnt\system32\drivers\etc\hosts, add hostnames for all machines the firewall will talk to. The most important of these is the firewall itself.
- Install both FW-1 and the GUI client with the install wizard. If you wish to use the real license, you will have to go to license.checkpoint.com and register for the license (for host, use the IP of the firewall).
- Make sure the firewall object you install rules on has inside interface as IP address
- Turn off all services in the NT control panel services list except FW1, Event Log and RPC Service.
- To get NAT working, create FWDIR\state\local.arp, and add entries of the form <IP> <MAC>, eg:
10.1.1.1 0a:00:00:09:24:15 (you can get the MAC address of your interface by typing: nbtstat -a <IP>)
Next, modify your routing tables so that the proxyarped data will flow through the firewall: eg,
route add -p <valid proxyarped IP address> <invalid IP of internal host>- Install ghost rule as rule #1: anysource destfwobject anyservice drop longaudit
4) How do I totally remove FW-1 from my system?
5) Upgrades overwrite state/local.arp files.
Well, this could change at any time, but as of version 3.0b, you need to go to Check Point's licensing site. Follow the (easy?) forms for Firewall-1. The critical things you need to know are host ID and your key. Host ID is your IP address (preferably internal IP). You may have two or more of these if you have the enterprise edition (one for management station and one+ for firewall modules). Your key is your serial # found on the inside of the CD cover or supplied to you by your vendor. Your key should already be registered with Check Point when your vendor bought the software, so your license should be generated on screen.
Cut and paste your license to a text file and make backups!!! Use the text file to fill in info during firewall install. Note: a management station license can be used on all of its managed firewalls (you only need one license).
7) What are best network cards to use in Compaq NT setups?
Got the plug 'n play blues huh? Use the Compaq 10/100's. Stay away from those 3com 3c905, man they suck.
8) Does FW-1 support multi-processors?
No. In fact, the GUI hangs on multiprocessor systems. Best thing to do is disable or remove the second processor.
9) How do I load FW-1 for HP-UX?
a) Copy all files and unzip to separate directories
b) In the firewall directory, type: ./fwinstall and follow prompts.
c) Copy new kernel from /stand/build/vmunix_fw to /stand/vmunix (backup old kernel).
d) Add /etc/fw/bin to PATH, and /etc/fw/man to MANPATH. Set FWDIR to /etc/fw either in .cshrc or .profile
e) Reboot, and patch accordingly.
1) I can't pass logging to a central log server.
An Event Log message "cannot send" means that firewall cannot contact the management station for logging. When using fw modules logging to central server, make sure the rule0 properties rule permits outgoing packets from the firewall to be sent to central server.
A second possibility: when using fw modules on separate machines from control modules, make sure you use the encryption license or else logging won't work (see Distributed Management). The firewall will only log locally.
Be carefull under logging remote firewalls from central server. If you delete or modify logging of the firewall it won't go away. Once installed, logging of remote modules cannot change. Solution: reinstall the firewall (v2.1).
3) I can't switch logs because I run out of memory (NT).
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FW1\Parameters
Add a new key named Memory of class REG_DWORD. Our data is set to 0x200000 for 2MB.
4) In the Firewall-1 Log Viewer program, I get no information in the columns after "Action".
This is a FW-1 bug (known to 3064). Check Point gives several things to try:
1) speed up logging by disabling name resolution in the log viewer or by disabling "active connections" in Properties window of the policy editor.
2) restart the firewall service
3) Point the log viewer at an old log file that is ok, then point back to original log file
4) Most radical: stop the firewall, delete the log files in winnt\fw\log:
*.*vlog*
*.*alog*
*.log*
then start the firewall. (might want to backup working logs to tape or another directory...)
1) How do I manage a non-VPN fw module from a VPN management station?
By default, the management station will encrypt the communication with the fw module, which cannot decrypt it. To fix this:
1.Edit the file $FWDIR/lib/control.map
2.Consider the following paragraph, for example:
MASTERS :stat,getkey,gettopo/none opsec/fwn1 */fwa1
CLIENT :load,db_download,fetch,log/fwa1 opsec/fwn1 */none
* :stat,getkey,gettopo/none unload,ioctl,load,db_download/deny opsec/fwn1
*/fwa1
3.Replace the bolded-word 'CLIENT' with the non-VPN's IP address.
4.Replace the bolded-word 'fwa1' with 'skey'.
The line should look, for instance, like:
123.122.133.3 :load,db_download,fetch,log/skey opsec/fwn1 */none
You can set a firewall to load the local copy of its policy instead of trying to fetch a copy from the management server. Edit the fwstart script: change:
set masters = ( $masters localhost )
to:
set masters = ( localhost )
1) How does NAT on network ranges work?
On static for a range of numbers associated with a network, external IP addresses don't start with specified IP address. The reason: IP addresses are generated from a combination of start range+ip address of client (where the netmask of the client is used to determine what is the host IP address to add).
For example: if registered external start address is 192.1.1.1 and internal client is 10.1.1.1, netmask 255.255.0.0, then the real start address is 192.1.1.1 + 0.0.1.1 = 192.1.2.2. If internal client is 10.1.1.10, netmask 255.255.0.0, then the real start address is 192.1.1.1+ 0.0.1.10 = 192.1.2.11.
Use IP address of firewall only on hide option (not static) or else proxy problems occur on unknown IP address.
2) I STILL can't get NAT to work!
Three things:
a) Define local.arp file (for static translation) on an NT box to define proxyarps (UNIX is usually an ifconfig alias). Make sure that %FWDIR%\state\local.arp file has these properties:
- filename is in lower case
- local.arp format consists of two columns: <ip address> <mac address>
- mac address format - aa:bb:cc:dd
b) Define address translation rules on objects to be translated.
c) Add appropriate routing info (static xlate). The destination (valid address) should be gatewayed behind the invalid address (usually internal).Things to check:
- For NAT groups, it might not use the starting IP address on static number (see question about how NAT ranges work). If you specify a starting group too high (i.e. 254) it might start using .255, an illegal IP.
- For the enterprise edition, the firewall does not tell you what is the internal interface and/or external interface. So when debugging, you are not sure if this is a NAT factor or not. For example, is network address translation sensitive to the network interfaces where the packets arrive in order to be in sync with SRC and DST rules?
- Make sure that NAT addresses are in correct entries, not backwards. Make sure internal IP labels object and translated registered (valid) IP goes into NAT address field.
3) External to Internal static NAT doesn't work and log shows 2 entries, 1 succeed and 1 reject
On Windows NT, with FW-1 version 2.1x through 4.0x, if a network card's name has any letter after a numeric value, then the name of this interface will be incorrect (all the letters after the digit will be ignored) and the anti-spoofing rules will not apply. Change the interface's name in the network object manager to be like "eth1", "eth2", etc. and add
On Windows NT, with FW-1 version 2.1x through 4.0x, if a network card's name has any letter after a numeric value, then the name of this interface will be incorrect (all the letters after the digit will be ignored) and the anti-spoofing rules will not apply. Change the interface's name in the network object manager to be like "eth1", "eth2", etc. and add#define eth1 <real name of eth1> #define eth2 <real name of eth2>etc. on the first line of the fwui_head.def file located in the lib directory.
If you must define alternate names, use simple, unique (within the first 3-5 chars) names. Do not use spaces, and try to keep it under 9 characters.
4) Can I do Hide xlation in reverse (from outside in)?
Yes.
1) The SMTP proxy announces that its host is a FW-1 firewall. Is this a problem?
The banner message during an SMTP session with a FW-1 proxy announces it is running on a Check Point FW-1. The world knows to use FW-1 based attacks.
2) SMTP proxy makes CPU go to 100%.
Make sure mail spool directory exists before you install it or else CPU goes to 100%. Customer support email bounces, because there is no mail server with that name on internet.
3) I get random results when proxying HTTP traffic on FW-1.
It is not a proxy. It cannot disk cache or authenticate FTP/HTTPS. Make sure client browser is not caching for testing OR use refresh button to ensure you are not seeing data in cache.
4) Why do I have to log into multiple sites when using HTTP authentication?
If FW-1 is requiring you to authenticate for each site you visit, that means that you have NOT specified FW-1 as the proxy server. You must go into your browser's options->connections->proxies and specify your firewall as the http proxy server. No port number is required. This will allow FW-1 to remember your password across sites.
5) The firewall is not filtering all HTTP Java pages.
Filtering: make sure you filter EVERY HTTP and not the ones specified in the match page. the match page should match ALL HTTP pages. Sometimes people match only certain file names.
Make sure you set the proxy in the browser to proxy HTTP. Then install a Java HTTP resource.
6) How do the HTTP Java filtering options work together?
COMBINATION RESULT Block only blank page Block and Strip "Sorry, this browser does not support Java. I recommend Netscape 3.0 or higher." message Strip only "Sorry, this browser does not support Java. I recommend Netscape 3.0 or higher." message
7) I can't authenticate to the HTTP proxy.
HTTP authentication returns reasons like "Internal not supported" when users try to authenticate.
If you fail the password check, kill your browser and start over again. A bug in FW-1 does not let you type in the correct password and it continues to reuse the old password (v3.0).
8) I can't authenticate HTTPS/FTP users through HTTP.
FW-1 authentication does not work with HTTPS. it is a separate service and cannot be authenticated by FW-1. Check Point avows this will change with the release of 4.0.
FTP through HTTP and authentication: if you have FTP authentication on and try to do an FTP transfer from within HTTP, it won't let you because you haven't authenticated. FW-1 does not support authenticated FTP like it authenticates HTTP. In order to authenticate FTP you must install ANOTHER FTP proxy server and it is responsible for authentication (if you don't mind having yet another user/passwd database).
9) How do User Authentication modes work again?
1) transparent means you have to configure the firewall to be in Version 3.0 mode and not backward compatibility mode. Note that for FTP, this mode is not really transparent but only less ugly. if your FW-1 username is different than your destination username, then you have to revert back to the Version 2.1c syntax:
destusername@fw1username@finaldest.domain.com, and password is <final password>@<fw-1 password>:# ftp ftp.citilink.com Connected to ftp.citilink.com. 220 Check Point FireWall-1 Secure FTP server running on testadura User (ftp.citilink.com:(none)): <dest username>@<fw-1 username>@ftp.citilink.com 331 aftpd: FireWall-1 password: you can use password@FW-1-password Password: <my destination password>@<fw-1 password> 230-aftpd: User <username> authenticated by FireWall-1 authentication 230-aftpd: Connected to 206.11.208.3. Logging in... 230-aftpd: 220 homebase FTP server (Version wu-2.4(3) Thu Aug 1 16:38:57 CDT 1996) ready. 230-aftpd: 331 Password required for <username>. 230 aftpd: 230 User <username> logged in.2) Here is the transparent session for telnet.
telnet ns.machine.com Check Point FireWall-1 authenticated Telnet server running on testadura User: <my login> FireWall-1 password: ********** User mend authenticated by FireWall-1 authentication Connected to 205.164.72.2 BSDI BSD/OS 2.0 (ivan.ivy-ops.orbis.net) (ttyp0) login:When setting up user authentication, not only do you set authentication scheme up for specific user BUT also have to set the firewall gateway up to support that authentication scheme (network objects->gateway->authentication).
10) FW-1 won't deliver mail to sites that don't accept the "<>" in the envelope
For example: mail from: mje@company.com won't work but <mje@company.com> will work.
11) How do I do SecurID authentication?
Troubleshooting:
Active sessions will not get terminated when the authorization times out. See Firewall-1 Architecture and Administration User Guide version 3.0, pg. 60.
1) FW-1 Policy takes a long time to install.
Make sure that all Firewall-1 machines (control modules and firewall modules) have DNS entries or host entries otherwise lots of hanging occurs during installation of policies. If DNS is not working, add any machines you are working with to the hosts file, in: "WINNT install directory\system32\drivers\etc\hosts"
2) Rules compile but won't install and I am disconnected.
- Might be a DNS issue as in question 1. Check this first.
- Another possibility: if you can install the policy from the directly connected network and the firewall itself, but not nets a router hop away, you probably have a NAT issue. There are a number of possible solutions:
a) Instead of defining Hide translation for multiple network objects, try defining translation with Address Range objects. Eg, you have 10.1.x.x, 10.2.x.x, etc, (Class B), define a range of 10.0.0.1-10.255.255.254 and hide it.
b) Try connecting to the EXTERNAL IP of the firewall.
c) Turn of xlation to any networks BETWEEN you and the firewall.
3) NT won't route packets after install.
Make sure you turn on IP Forwarding in ControlPanel/Network/Routing on an NT server. If you are doing address translation, check the NAT questions.
4) Can I filter on source port?
Yes, you can. Edit the service (Manage/Services) you are trying to pass. Near the bottom of the panel is a range of source ports you can enter.
5) I am having a problem with time-based rules.
This is a weird one (noted in version 3.0a). You may notice that the rule is not being checked or logged, or that the rule never expires. Make sure you are using 24-hour notation (eg, 23:00, 08:00). If your configuration is correct and you are still having problems, upgrade to 3.0b.
6) How do I backup my rules and objects?
In the FW-1 install directory, backup the following subdirectories:
- conf
- lib
- database
- and the local.arp file in the state subdirectory
After a fresh reinstall, stop the firewall, replace the new directories with these old ones, and start the firewall again. You MUST back up ALL THREE directories, or else your objects will not be recreated.
7) I define an object, but it doesn't work (acts like "ANY").
Check Point is aware of a bug in version 3.0b 3064 and earlier where you cannot define objects with the following names:
Short, Long, Account, Alert, SnmpTrap, Mail, UserDefined, spoof, spoofalert, Auth, AuthAlert, Duplicate, basewin, serviceswin, netobjwin, viewwin, users, resources, time, true, false, last, first, status_alert, fwalert
These objects will be undefined, and will not be implemented.
8) I get weird rejects via rule 0.
Make sure your interfaces are unique as defined in question 34. This applies to all interfaces that you are managing across firewalled objects! This means no 2 interfaces can be the same, even on different firewalls. You might see something like "fw_xlate_forw: failed to initialize the connection" error messages in the event viewer.
9) How can I view my policy without connecting to a management station?
Have customer send these files from the management: $FWDIR/conf/objects.C, $FWDIR/conf/rulebases.fws. Find where the GUI is installed on your workstation, and in that directory copy:
objects.C -> objects.fws
rulebases.fws -> rules.fwsThen log into the GUI with any user name and password but for server say "*local*".
-Versions up to ~3.0: It is difficult to uninstall and does not work with RAS. Does not work with NT.
-Versions 3.0+: Works better (& on NT), however, as of FW-1 4.0, you need a separate SR license to run the client.
2) Secure Remote won't work with Network Address Translation (NAT).
Secure Remote may not work with NAT. Incidentally, H323 streaming (eg., Netmeeting) will not work with NAT. Version 4.0 will supposedly fix H323.
Home | Services | Training | Support | Contact Us | Search
Copyright 2006, Security Evolution, Inc.