ACE - Probe suggestion for CheckPoint Firewall ?

Hi to all,
Assume that inbound interface of FW1 side cable unplugged. In this scenario the probes are still up. Probes cannot detect this situation and failover doesn't take place. As you can see, it is impossible to detect cable tear down unless we have an IP address from a different vlan. I have an idea about how to solve this issue: I need to create a new vlan (for instance vlan 200) on the ACE_INSIDE. We will insert a static route on ACE_OUTSIDE. That static route will try to access vlan 200 via the FW1 outside interface. Then we will be sure when the FW1 fails. Of course vice versa will be valid. We can use a similar configuration for the FW0 too. According to the configuration that I have attached and my solution, can you give me a configuration example, or do you have a better way to accomplish this task? I will be waiting for your suggestion or solution as soon as possible. I have little time to solve this. Thanks in advance.
Best Regards.
Note: Topology and all necessary configs are attached.

First of all, this is the FIRST time I've heard
someone is running Secureplatform NGx R65
in Active/Active WITHOUT ClusterXL. I could
be wrong, though unlikely, but that is not
possible. Take a look at the pair of Checkpoint
firewall NGx R65 Secureplatform in Active/Active
Unicast mode:
[Expert@NGx-lab2]# cphaprob state
Cluster Mode: Load Sharing (Unicast/SDF)
Number     Unique Address  Assigned Load   State
1          10.0.0.1        30%             Active (pivot)
2 (local)  10.0.0.2        70%             Active
[Expert@NGx-lab2]# cphaprob -a if
Required interfaces: 4
Required secured interfaces: 1
eth0 UP non sync(non secured), broadcast
eth1 UP non sync(non secured), broadcast
eth7 UP non sync(non secured), broadcast
eth13 UP sync(secured), broadcast
Virtual cluster interfaces: 3
eth0 65.129.75.1
eth1 129.174.1.1
eth7 192.168.128.1
[Expert@NGx-lab2]#
Again, I think it is NOT possible to run
Checkpoint in Active/Active mode without
ClusterXL. You may want to check the
configuration again. You can NOT have
active/active without VIP IPs.

Similar Messages

  • SCOM Management pack for Checkpoint Firewall & Fortigate UTM

    Hi,
    Does anybody know if there is a Management pack for Checkpoint ( www.checkpoint.com ) and
    Fortigate Appliance ( http://www.fortinet.com/products/fortigate/index.html )?
    Please advise me.
    Regards, COMDINI

    Hi,
    If you cannot find them in system center marketplace:
    http://systemcenter.pinpoint.microsoft.com/en-US/home
    you can contact the vendors for management pack.
    Alex Zhao
    TechNet Community Support

  • ACE Probe Config for Blue Coat Proxy TCP Port 74 NETRJS-4

    We are running 4710's with A5(2.2). We use Blue Coat proxies for our internet connections, specifically TCP port 74. So when we open up a browser connection to www.cisco.com, the HTTP GET is actually encapsulated in TCP port 74 netrjs-4. We want to load-balance these proxies with ACE and I'm trying to set up health probes, but the only ones that work are the tcp probes PROXY_BCC_PROBE and PROXY_PROBE. I'd like to have health probes that hit external websites, but I'm confused whether the "ip address" Probe sub command is all I need, and netrjs is simple encapsulation of the HTTP request (which is what it looks like on a sniffer). Does anyone have Blue Coat proxies/ACE working? If so, how are your probes configured?
    Thanks,
    probe tcp PROXY_BCC_PROBE
      port 8084
      interval 3
      passdetect interval 3
    probe http PROXY_HTTP1_PROBE
      ip address 198.133.219.25
      port 74
      interval 3
      passdetect interval 3
      request method head url /index.html
      expect status 200 299
    probe http PROXY_HTTP2_PROBE
      ip address 198.133.219.25
      port 74
      interval 3
      request method get url /
      expect status 200 299
    probe tcp PROXY_PROBE
      port 74
      interval 3
      passdetect interval 3

    Hi,
    I have seen this working for one of the customer.
    probe http HTTPGET
      description Tests that www.gmail.com returns 302 redirect
      interval 10
      request method get url http://www.gmail.com
      expect status 302 302
    If I modify your probe :
    probe http PROXY_HTTP1_PROBE
      ip address 198.133.219.25
      port 74
      interval 3
      passdetect interval 3
      request method get url http://www.gmail.com
      expect status 302 302
    Give it a try and see if that helps.
    regards,
    Ajay Kumar

  • NMAS based token for radius authentication towards checkpoint firewall

    hi,
    i'm looking for token based access towards a checkpoint firewall. i found
    out about radius, and think that's the way to go.
    our user administration is NW65SP2 & Edir 8.7.3 based.
    has anyone a success story about a token based radius server based on this
    configuration ?
    which token ?
    additional software ?
    anyone ?

    Hi Peter,
    have a look at the RADIUS implementation CookBook (www.vasco.com/novell)
    chris
    > We use Vasco tokens for two things: Checkpoint Firewall-1 VPN
    > authentication, and iChain 2.2 RADIUS authentication. The current
    > RADIUS.NLM that we use is from the iChain authentication CD.
    >
    > The only problem I can think of to mention is the "Unknown RADIUS client"
    > error that we got after NW6 SP5. That was solved by the latest NMAS patches
    > and an upgrade from eDir 8.6.2 to 8.7.3.
    >
    > "Peter van de Meerendonk" <[email protected]> wrote in
    > message news:JNiQd.595$[email protected]..
    > > > Well, just let me cover my hiney a little. We did have extremely bad
    > > > results with Activcard ACO000 tokens, but that is an old product from
    > > > about 3-4 years ago. I have no knowledge of the current Activcard tokens.
    > > >
    > > OK, but the licensing policy makes activcard a costly alternative. we've got
    > > a good deal on RSA, and are negotiating a deal on Vasco. eventually we might
    > > need 250+ tokens.
    > >
    > > I am very interested in configuration details of your setup. do you use the
    > > tokens only for checkpoint authentication, or for novell authentication as
    > > well?

  • ACE IP source for probe

    Hello,
    Can we select which IP source the ACE will used for any kind of probe (ICMP, TCP, ...)
    or it just used the nearest interface?
    Maurice

    Hi Maurice,
    I do not believe that the IP can be changed. By default the source IP will be the physical interface of the module/appliance. On a bridged deployment, it will use the BVI IP.
    Any specific reason why you wanted to change this ?
    regards,
    Chris

  • GUI for monitoring ACE probes

    Hello,
    Can Cisco LMS monitor and report on ACE module probes.
    Thanks.

    yes, as imported MIBs.
    ACE appliance 3.x currently supports more SNMP OIDs for the probes than does the ACE module 2.x, but with ACE module 2.3 due by Q4CY09, they will both have same capabilities for probes monitoring.
    See:
    TableName:cslbxProbeCfgTable
    cslbxProbeState
    INDEX: slbEntity, cslbxProbeName
    For Probe State per Probe Name.
    cslbxProbeState can have two values ACTIVE and INACTIVE
    As part of reporting probe statistics per RServer the following OIDs will be added in the cesRServerProbeTable in CISCO-ENHANCED-SLB-MIB
    Table Name:cesRserverProbeTable
    cesRserverProbesPassed
    cesRserverProbesFailed
    cesRserverProbeHealthMonState
    INDEX: Probe Name, RServerProbe Statistics per RServer (configured probe).
    This will display stats based on Probe Name per Rserver (Rservers are physical devices not associated with any server farm). Stats generated when probe is associated to a rserver.
    Table Name: cesRealServerProbeTable
    cesRealServerProbeName
    cesRealServerProbeStorageType
    cesRealServerProbeRowStatus
    INDEX: Probe Name, Server Farm Name,Real Server Name, Real Server Port
    Represents a probe associated with a real server directly. For example the following configuration adds an entry to the table.
    As part of reporting probe statistics for probes that are assigned to real server/server farm the following table with the OIDs will be added in CISCO-SLB-HEALTH-MON-MIB
    cshMonServerfarmRealProbeStatsTable: (New Table)
    cshMonServerfarmRealPassedProbes
    cshMonServerfarmRealFailedProbes
    cshMonServerfarmRealProbeHealthMonState
    INDEX:Probe Name, Server Farm Name,Real Server Name, Real Server Port ,Inherited Port
    Statistics for probes assigned to real server/serverfarm

  • Suggestions for setting up external storage for video editing please?

    I am just starting up as a one-man video-editing business, using a 24 inch iMac running Snow Leopard, with Final Cut Studio. I have realised I'll need an external hard drive for HD footage, and I also need to get some back-up solution in place. Looking for speedy i/o, I would like to connect via the ethernet port (if only eSata was included in the iMac, eh!)
    I've been planning to get a Drobo, but looking around the forums I see that people say it's too slow for using as a working drive to keep all my source footage, so I've been looking at the G-tech 4 Tb, as it says it is designed for media-content production. Does anyone know if I could use two of the drives for working from and two as back up? Or would it be better to keep back-up entirely separate, and get a Drobo for that for the G-tech to back up to?
    But I am also wondering whether a Mac Mini could be a worthwhile addition to this set up? I find myself sitting around waiting for rendering to complete on clips in my timeline (not to mention exporting to Quicktime conversion!), and I wondered if I put a Mac mini with Xserve installed (Apple store offers this with two 500gb hard drives inside), maybe I could farm the rendering out to the mini while I get on with editing on my iMac? That would require two installations of FCP, which I thought was allowed, but just today in a forum I saw that one would have to be a laptop... anyone have any suggestions for getting rendering done without stopping FCP from doing other things simultaneously?
    Also I don't know if that arrangement is even feasible... I see all these things like Xsan and Artbox... as a one workstation editing suite, does FCP handle all the dataflows for external working drive and external back ups okay without having to introduce more controllers?
    And can anyone explain to me how I could set up an ethernet connection to an external hard drive, or does that require the extra controllers mentioned above? I've seen it said that you can do it via ethernet, but haven't seen how you can actually go about doing it.
    Thanks for overlooking my newbie quality, any answers received with humble gratitude!
    Cheers, Syd

    Hi there,
    as NLEdit said, there will be loads of answers to this.
    IMO i'd avoid drobo like the plague. G tech drives have served me incredibly well working on a huge variety of broadcast projects (just over the water from you in Bristol), I've had no probs with FW800 when using DVCproHD, pro res is ok, sometimes a little slow with multiple layers and of course it eats up storage space. so I'd go for 2 4tb drives, keep the backup one in a different location.
    one tip that has saved me countless times is to format them as follows:-
    mac os extended (not journalled)
    create 2 partitions
    partition 1 - make this small (1gig) and call it "drive a - do not use"
    partition 2 - the rest of available storage and call "drive a"
    this is because the boot sector of the drive is within the first partition and with this method if it goes down it can be re erased without losing all your footage.
    If you call your backup drive the exact same name and have the exact same folder structure, you will not have to relink if you get a problem.
    Ignore getting a mac mini for rendering, won't help at all in FCP. instead I would make every attempt you can at buying a mac pro rather than an imac. much more expansion/speed possibilities and a more robust solution.
    best of luck
    Andy

  • Is Airport a substitute for software firewall?

    I have a Windows PC behind my Airport network. Is my Airport's NAT (or the NAT of any router for that matter) a substitute for software firewall?
    As I understand it, the only thing software firewalls do is block un-used ports, which Airport's NAT already does (since by default it doesn't forward any port except 80 and few other necessary ports to the IPs behind its NAT), and therefore there's no way for hackers to get to them. Please correct me if I'm wrong.
    It'd also be nice to know what ports Airport permit traffics... and how it knows which IP to forward the traffic too (does it act kind of like a proxy?).
    Thanks

    Yi,
    Below is an article that discusses hardware and software firewalls. I hope it helps. The original article can be found here.
    Firewall Debate: Hardware vs. Software
    By Ronald Pacchiano
    November 4, 2003
    I'm about to get my first broadband connection, and I know I need to get a firewall. However, I've been getting some conflicting advice as to what type of firewall I need. Some people tell me I should get a hardware firewall, while others tell me a software firewall is preferred. What's the difference, and more importantly, which is better?
    Good question. The truth is that in a typical home office environment, one type of firewall isn't necessarily better than the other. There are some differences, though, and they can be used together to give you an even greater degree of protection.
    Hardware firewalls are important because they provide a strong degree of protection from most forms of attack coming from the outside world. Additionally, in most cases, they can be effective with little or no configuration, and they can protect every machine on a local network.
    A hardware firewall in a typical broadband router employs a technique called packet filtering, which examines the header of a packet to determine its source and destination addresses. This information is compared to a set of predefined and/or user-created rules that determine whether the packet is to be forwarded or dropped. A more advanced technique called Stateful Packet Inspection (SPI), looks at additional characteristics such as a packet's actual origin (i.e. did it come from the Internet or from the local network) and whether incoming traffic is a response to existing outgoing connections, like a request for a Web page.
    But most hardware residential firewalls have an Achilles' heel in that they typically treat any kind of traffic traveling from the local network out to the Internet as safe, which can sometimes be a problem.
    Consider this scenario: What would happen if you received an e-mail message or visited a website that contained a concealed program? Let's say this program was designed to install itself on your machine and then surreptitiously communicate with someone via the Internet — a distributed denial of service (DDoS) attack zombie or a keystroke logger, for example? And trust me, this is by no means an unlikely scenario.
    To most broadband hardware firewalls, the traffic generated by such programs would appear legitimate since it originated inside your network and would most likely be let through. This malevolent traffic might be blocked if the hardware firewall was configured to block outgoing traffic on the specific Transmission Control Protocol/Internet Protocol (TCP/IP) port(s) the program was using, but given that there are over 65,000 possible ports and there's no way to know which ports a program of this nature might use, the odds of the right ones being blocked are slim.
    Moreover, blocking too many ports would almost certainly adversely affect your ability to use some programs (many games, for instance). Also, some broadband router firewalls don't even provide the ability to restrict outgoing traffic, only incoming traffic.
    Advantages of Software Firewalls
    Now consider what a software firewall might do in the aforementioned scenario. When you first set up a software firewall, you can specify which applications are allowed to communicate over the Internet from that PC. Programs that aren't explicitly allowed to do so are either blocked or else the user is prompted for confirmation before the traffic is allowed to pass. Therefore, it would likely intercept this kind of traffic before it left your computer.
    Another potential scenario where a software firewall would be useful is in the case of an e-mail worm with its own e-mail server, like the recent "SoBig" worm. Its built-in mail server could attempt to send mail on the valid Simple Mail Transfer Protocol (SMTP) port (25), which would probably pass through the router because of its trusted origin.
    On the other hand, a software firewall could be configured to only allow Microsoft Outlook to use port 25 (assuming Outlook is your e-mail client). Any attempt by another application to use the port would be dropped, or blocked pending user confirmation. For that matter, the application's attempt to use any port would be blocked if the firewall was configured that way.
    By comparison, a hardware firewall that had the ability to filter outgoing traffic might allow you to block most kinds of traffic from a particular PC, but it wouldn't be able to flag you and alert you to repeated attempts to infiltrate your computer.
    One obvious downside to software firewalls is that they can only protect the machine they're installed on, so if you have multiple computers (which many small offices do), you need to buy, install, and configure a software firewall separately on each machine. This can get expensive and can be difficult to manage if you have a lot of computers.
    But the fact of the matter is that software firewalls generally offer the best measure of protection against certain types of situations like Trojan programs or e-mail worms. Speaking of which, a firewall isn't the only protection method available to you. Whether you end up using a software firewall or a hardware firewall, you should always supplement it with anti-virus software.
    A good anti-virus package is just as important as a firewall, and I would seriously suggest that you invest in a good one (I'm partial to both Norton and McAfee myself). However, keeping your virus definitions updated is far more important than which program you use. I cannot stress the importance of this enough. Making sure your definitions are current is absolutely critical to maintaining your protection. Many Anti-virus programs today can be configured to automatically update themselves, so you have no excuse for not maintaining them.
    The bottom line is that with any home-office broadband connection, a hardware firewall should be considered a bare minimum, and supplementing it with a software firewall on one or more computers (and don't forget anti-virus software) is almost always a good idea.

  • Oracle server and Checkpoint firewall

    When setting block Findricset SQL Injection
    on Checkpoint firewall and try to login by sqlplus
    to the db server (8.1.7) behind that firewall
    the following error messages occur:
    ORA-24323: value not allowed
    ERROR:
    ORA-03114: not connected to ORACLE
    Error accessing PRODUCT_USER_PROFILE
    Warning: Product user profile information not loaded!
    You may need to run PUPBLD.SQL as SYSTEM
    ORA-24323: value not allowed
    ORA-24323: value not allowed
    Error accessing package DBMS_APPLICATION_INFO
    ERROR:
    ORA-03114: not connected to ORACLE
    SP2-0575: Use of Oracle SQL feature not in SQL92 Entry Level
    ORA-24323: value not allowed
    Can anyone tell me where's the problem?

    It appears that the firewall is blocking the connection to the database. Since this appears to be something more than a basic firewall product (i.e. it is doing more than allowing and denying requests on particular ports for particular IP addresses), you would need to talk to your firewall vendor to determine why it thinks a SQL*Plus connection is a SQL injection risk and how to get around the problem.
    Of course, you could set up something like Oracle Connection Manager to proxy the connection through the firewall, but that may well defeat the point of an active firewall product.
    Justin

  • No Ping-Answer in Site-To-Site-Connection between Cisco 876 and CheckPoint-Firewall

    Hello!
    We try to establish a Site-To-Site-IPSec-connection between a Cisco 876 (local site) and a CheckPoint-firewall (remote site). The Cisco 876 is not directly connected to the internet, but is behind a DSL-Router with port-forwarding, forwarding ports 500 and 4500. The running config of the Cisco 876 is appended to this discussion thread. Unfortunately I get no output when debugging the connection with commands "debug crypto isakmp" and "debug crypto ipsec".
    From the Checkpoint-firewall point of view the connection seems to establish, but there is no ping answer.
    The server on the local site that should be reached from the network behind the Checkpoint-firewall has a routing entry "route -P add [inside ip-net remote] 255.255.255.0 [inside ip local]" (see also appended running config for naming of ip-addresses).
    Establishing a Cisco VPN-Client connection to the same Cisco 876 router works fine.
    Any help would be very much appreciated!
    Jakob J. Blaette

    Hi Jakob,
    Adding my two cents here.
    You always need to confirm that the following ports and protocol are opened:
    1- UDP port 500 --> ISAKMP
    2- UDP port 4500 --> NAT-T
    3- Protocol 50 ---> ESP
    A LAN-to-LAN tunnel will never establish a session over TCP, but it could use NAT-T (if behind NAT). Remember that a one-to-one translation is not a port-forwarding, a LAN-to-LAN tunnel does not work well unless you have a one-to-one translation for the NATted device, which I think, in your case is the Router.
    HTH.
    Portu.
    Please rate any helpful posts and mark this post as answered.

  • Checkpoint Firewall Management Server Lost Identity in MARS

    About a month ago, we added our Checkpoint firewall to MARS as well as the 2 Firewall agents who reported to the device. The devices were recognized and running properly.
    At some point in the last week, the Checkpoint management server lost its identity within MARS. Instead of being recognized as a Checkpoint device, the server is now considered a "Generic Router Version Unknown" via the Device Type.
    The agent firewalls beneath this device still exist as desired, but MARS is no longer recording logs for the primary device.
    I'm ready to remove and recreate the device, but I'm interested to figure out how this could have happened. Nothing in the Audit Trail points to any weird configuration changes.
    I've posted a picture here: http://pixpin.com/viewer.php?file=mars-checkpoint-j1zc.jpg

    It might have to do with bug CSCse03097 - CheckPoint LEA record comes to MARS later and later for better understanding

  • NAC and Checkpoint firewall

    Hi to all,
    Does anyone know if it is possible to configure SSO using NAC and a checkpoint firewall VPN client software on an user machine??
    Thanks in advance for your help

    Mark,
    If the checkpoint device can do standard radius accounting, it can work with CCA. When doing VPN SSO with CCA, it only cares about the accounting packets from the VPN head-end.
    HTH,
    Faisal

  • ACE : PROBE-FAILED and Syslog messages

    Hi,
    When a real server is in PROBE-FAILED status, I observe a syslog message at each trial of the probe. This fills our syslog server. Is there a means to configure the ACE in such a way that a syslog message would be generated only when a transition occurs in the probe status?
    Thank you for any hints,
    Yves

    Hello,
    You can utilize "logging trap " command and
    "logging message level " command
    in order to achieve what you are seeking.
    The "logging trap " command limits the logging messages sent to a syslog server based on severity.
    If it is set to "5 - notification", all messages that have security level of 5 or lower number are sent to the syslog server.
    You can disable the display of a specific syslog
    message or change the severity level of a specific system log message using
    "logging message level " command.
    Not sure what kind of probe you are using but If it is ICMP probe and
    the reason of probe failure is arp, it generates a message for every try
    as below with severity level of 3, by default.
    %ACE-3-251009: ICMP health probe failed for server 192.168.0.1, connectivity error: ARP not resolved for destination ip address
    %ACE-3-251009: ICMP health probe failed for server 192.168.0.1, connectivity error: ARP not resolved for destination ip address
    %ACE-3-251009: ICMP health probe failed for server 192.168.0.1, connectivity error: ARP not resolved for destination ip address
    %ACE-3-251009: ICMP health probe failed for server 192.168.0.1, connectivity error: ARP not resolved for destination ip address
    %ACE-3-251009: ICMP health probe failed for server 192.168.0.1, connectivity error: ARP not resolved for destination ip address
    %ACE-5-441002: Serverfarm (SF) is now back in service in policy_map (fs) -->
    class_map (#class_default_slb). Number of failovers = 0, number of times back in service = 0
    %ACE-4-442007: VIP in class: 'VIP' changed state from OUTOFSERVICE to INSERVICE
    %ACE-5-441002: Serverfarm (SF) is now back in service in policy_map (fs) -->
    class_map (#class_default_slb). Number of failovers = 0, number of times back in service = 0
    %ACE-4-442004: Health probe ICMP detected rserver r1 (interface vlan31) changed state to UP
    %ACE-4-442001: Health probe ICMP detected r1 (interface vlan31) in serverfarm SF changed state to UP
    If your "logging trap " is set to "5 - notification" and you do not want
    the message "%ACE-3-251009:xxx" to be sent to syslog server,
    you can change its security level like below.
    switch/Admin(config)# logging message 251009 level 6
    switch/Admin(config)# do show logging message 251009
    Message logging:
                    message 251009: current-level 6  default-level 3 (enabled)
    You can check the message id that is filling the syslog server
    and change its security level to higher number than "logging trap ".
    Regards,
    Kimihito.
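
The effect of the two commands in the reply above, modelled offline as an added example (not part of the original thread and not Cisco code). The log lines are the ones quoted in the reply; the function names and the collector-side repeat collapsing are assumptions introduced here.

```python
import re
from itertools import groupby

# "%ACE-<severity>-<message id>: text", as in the lines quoted in the reply.
ACE_MSG = re.compile(r"^%ACE-(\d)-(\d+): ")

FAIL = ("%ACE-3-251009: ICMP health probe failed for server 192.168.0.1, "
        "connectivity error: ARP not resolved for destination ip address")

# Log lines taken from the reply (wrapped lines joined).
SAMPLE = [FAIL] * 5 + [
    "%ACE-5-441002: Serverfarm (SF) is now back in service in policy_map (fs) --> "
    "class_map (#class_default_slb). Number of failovers = 0, "
    "number of times back in service = 0",
    "%ACE-4-442007: VIP in class: 'VIP' changed state from OUTOFSERVICE to INSERVICE",
    "%ACE-5-441002: Serverfarm (SF) is now back in service in policy_map (fs) --> "
    "class_map (#class_default_slb). Number of failovers = 0, "
    "number of times back in service = 0",
    "%ACE-4-442004: Health probe ICMP detected rserver r1 (interface vlan31) "
    "changed state to UP",
    "%ACE-4-442001: Health probe ICMP detected r1 (interface vlan31) "
    "in serverfarm SF changed state to UP",
]


def parse(line):
    """Return (default_level, message_id) or None if the line is not an ACE message."""
    m = ACE_MSG.match(line)
    return (int(m.group(1)), m.group(2)) if m else None


def sent_to_syslog(lines, trap_level, level_overrides=None):
    """Model 'logging trap <trap_level>' plus 'logging message <id> level <n>'.

    A message is sent when its effective level is numerically <= trap_level.
    level_overrides maps message id -> level, like 'logging message 251009 level 6'.
    """
    overrides = level_overrides or {}
    kept = []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            kept.append(line)  # keep unparsed lines so nothing is dropped silently
            continue
        default_level, msg_id = parsed
        if overrides.get(msg_id, default_level) <= trap_level:
            kept.append(line)
    return kept


def collapse_repeats(lines):
    """Collector-side alternative (assumption, not an ACE feature):
    keep the first of each run of identical lines together with a repeat count,
    so the first probe failure stays visible without one line per try."""
    return [(line, sum(1 for _ in run)) for line, run in groupby(lines)]


if __name__ == "__main__":
    for line in sent_to_syslog(SAMPLE, 5, {"251009": 6}):
        print(line)
    for line, count in collapse_repeats(SAMPLE):
        print(f"x{count} {line[:60]}")
```

With the override in place the per-try 251009 line is no longer sent at all, so the syslog server sees only the state-change messages; collapsing repeats at the collector keeps the first failure and its count instead.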

  • ACE Syslog message for State change

    Hi,
    Is there a syslog message for a state-change for rservers, if so how could we enable this?
    e.g. when probe fails state changes to 'probe-failed'
    when all probes are successful state is 'operational'
    Thank you
    Bilal

    Hi,
    There is a syslog message something like below:
    %ACE-3-251006: Health probe failed for server 10.80.10.10 on port 80 internal error: failed to setup a socket.
    First enable logging on ACE.
    ACE/Admin(config)# logging enable
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/configuration/system/message/guide/config.html#wp1063750
    read the section:  Specifying Syslog Output Locations
    logging buffered 3 should generate syslog in event of probe failure.
    You can also set snmp to monitor it.
    cesRealServerStateChange
    CISCO-ENHANCED-SLB-MIB
    State of a real server configured in a server farm changed to a new state as a result of something other than a user intervention. This notification is sent for situations such as ARP failures, probe failures, and so on.
    Hope that helps.
    regards,
    Ajay Kumar

  • ACE: probe timers

    Hi,
    I've general question about ACE probe timers. I've following probe setup:
    probe https probe:1061
      port 1061
      interval 34
      passdetect interval 17
      open 1
    ACE# sh probe probe:1061 detail
    probe       : probe:1061
    type        : HTTPS
    state       : ACTIVE
    description :
       port      : 1061   address     : 0.0.0.0         addr type  : -
       interval  : 34      pass intvl  : 17              pass count : 3
       fail count: 3       recv timeout: 10
    ===
    for above probe: when ACE will declare the server as down? will it declare it down after (17*3+34) 85 seconds or it will declare it down after 115 seconds (added recv timeout=secs 3 times = 30 seconds).
    please help.
    ========
    We did a test and brought down the server manually. ACE declared the server down after 91 seconds (from the time when server was brought down).

    Hi Gavin, Krishna,
    The explanation for all these parameters can be found in the health monitoring section of the configuration guide (
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/slb/guide/probe.html#wp1031040)
    Below are the definitions quoted from the guide:
    Interval:
    The time interval between probes is the frequency  that the ACE sends probes to a server marked as passed. You can change  the time interval between probes by using the interval command
    Faildetect:
    Before the ACE marks a server as failed, it must  detect that probes have failed a consecutive number of times. By  default, when three consecutive probes have failed, the ACE marks the  server as failed. You can configure this number of failed probes by  using the faildetect command
    Passdetect interval/count:
    To configure the time interval after which the ACE  sends a probe to a failed server and the number of consecutive  successful probes required to mark the server as passed, use the passdetect command.
    So, to summarize, taking Gavin's configuration as example. A server failure would be detected in a time between 78 seconds (2x34 +10) and 112 (3x34 +10). Once it's down, it will become operational between 34 (2x17) and 51 (3x17) seconds after it comes back up.
    I hope this helps
    Daniel
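
The timing window from the reply above, reproduced by stepping through the probe schedule. This is an added example, not part of the original thread and not Cisco code. It assumes the model behind the reply's arithmetic: probes leave on a fixed interval, a probe fails if the server is already down when it is sent, a failed probe is counted when recv timeout expires, and a passing probe is counted when it is sent. All names are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ProbeTimers:
    # Values from the 'sh probe ... detail' output in the question.
    interval: int = 34             # seconds between probes to a passed server
    passdetect_interval: int = 17  # seconds between probes to a failed server
    fail_count: int = 3            # consecutive failures before marking failed
    pass_count: int = 3            # consecutive passes before marking passed
    recv_timeout: int = 10         # seconds to wait for a probe response


def time_to_mark_failed(t, since_last_probe):
    """Seconds from the server going down until it is marked failed.

    since_last_probe: seconds between the last good probe being sent and the
    server going down (0 = right after a probe, t.interval = right before one).
    """
    if not 0 <= since_last_probe <= t.interval:
        raise ValueError("since_last_probe must be within one probe interval")
    down_at = since_last_probe      # the last good probe was sent at time 0
    send, failures = t.interval, 0
    while True:
        if send >= down_at:         # server already down when this probe leaves
            failures += 1
            if failures == t.fail_count:
                return send + t.recv_timeout - down_at
        else:
            failures = 0
        send += t.interval


def time_to_mark_passed(t, since_last_probe):
    """Seconds from the server coming back until it is marked passed again."""
    if not 0 <= since_last_probe <= t.passdetect_interval:
        raise ValueError("since_last_probe must be within one passdetect interval")
    up_at = since_last_probe        # the last failed probe was sent at time 0
    send, passes = t.passdetect_interval, 0
    while True:
        if send >= up_at:
            passes += 1
            if passes == t.pass_count:
                return send - up_at
        else:
            passes = 0
        send += t.passdetect_interval


def detection_window(t):
    """(best case, worst case) seconds to detect a failure."""
    return time_to_mark_failed(t, t.interval), time_to_mark_failed(t, 0)


def recovery_window(t):
    """(best case, worst case) seconds to return a server to service."""
    return (time_to_mark_passed(t, t.passdetect_interval),
            time_to_mark_passed(t, 0))


def offset_for_observed(t, observed):
    """Whole-second offset into the probe interval that explains a measured
    detection time, or None if the measurement is outside the window."""
    for offset in range(t.interval + 1):
        if time_to_mark_failed(t, offset) == observed:
            return offset
    return None


if __name__ == "__main__":
    timers = ProbeTimers()
    print("detection window:", detection_window(timers))
    print("recovery window:", recovery_window(timers))
    print("offset for the observed 91 s:", offset_for_observed(timers, 91))
```

Under this model the 91 seconds measured in the question corresponds to the server going down 21 seconds after the last successful probe was sent, which is inside the window given in the reply.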
