Category: Check Point

In R77 getting the whole connections table in human readable format

When you need to dump the connections table of a Check Point R7x firewall in human-readable form and get a rough picture of how many connections exist between given hosts, and which hosts have the most, this one-liner helps. The cut field numbers assume the layout of the formatted (-f) output on R77; check a few raw lines of it first if the counts look wrong.

fw tab -t connections -u -f|grep Direction|cut -d';' -f3,5-7|sort -n|uniq -c|sort -rn > connections`date +"%Y-%m-%dT%H-%M"`.txt

Depending on the size of the connections table this can take quite a while, so run it on the standby cluster member rather than spending the active member's CPU time on it.

CheckPoint R77 remove stale connections from connections table

An operating system may reuse a source port for a new connection while the firewall still holds the previous connection with the same source/destination IP:port combination in its connections table. The firewall then drops the new SYN with the reason that it is a SYN packet in an already established connection.

Instead of waiting for the old connection to time out you can remove it from the connections table. To do that, log in to the firewall CLI, dump the whole connections table to a file, and generate the delete commands from it. I wish it were easier, but Check Point keeps its connection table in HEX and the delete command also needs the connection details in HEX.

The procedure has to be done in Expert mode and goes as follows:
1) Dump the connections table to a file

[Expert@cplab]# fw tab -t connections -u > connections.txt

2) Generate delete commands for all connections between the two IP addresses. Note that the two greps match the hex strings anywhere in the line, so a port or other field that happens to contain the same hex digits can pull in an unrelated entry; review delete_connections.sh before running it:

[Expert@cplab]# IPA="192.168.1.55"; IPB="192.168.2.27"; IPAHEX=`printf '%02x' ${IPA//./ }`; IPBHEX=`printf '%02x' ${IPB//./ }`; grep "$IPAHEX" connections.txt | grep "$IPBHEX" | grep "^<0000000" | awk  '{print $1" "$2" "$3" "$4" "$5" "$6}'|sed 's/ //g'|sed 's/</fw tab -t connections -x -e /g'|sed 's/>//g'|sed 's/;//g' > delete_connections.sh

3) Run the generated script (I prefer running it with -x so the actual commands are shown):

[Expert@cplab]# sh -x delete_connections.sh
+ fw tab -t connections -x -e 00000000,c0a80137,000002c8,c0a8021b,0000037c,00000011
Entry <00000000, c0a80137, 000002c8, c0a8021b, 0000037c, 00000011>
deleted from table connections

After that all connections between the two hosts should be gone. If you want to be more specific you can also add the port numbers (in HEX) to the greps.
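The two posts above do the same two things by hand: turn the HEX tuples of the connections table into something readable and turn them back into delete commands. The script below is an added example, not code from either post, that does both from the raw fw tab -t connections -u output: it decodes the leading <dir, src, sport, dst, dport, proto> tuple of each entry, counts connections per source/destination pair (the "who talks the most" question of the first post), and generates fw tab -t connections -x -e lines for a host pair by comparing the IPs against the src and dst columns instead of grepping the hex anywhere in the line. The sample table is constructed to mimic the tuple layout visible in the post's own output; the trailing fields of each entry are made up, and the rule that only direction-0 entries are counted is an assumption about the table layout, not something the posts state.

```shell
#!/bin/bash
# Added example, not code from the original posts: decode raw "fw tab -t connections -u"
# entries into a human-readable who-talks-to-whom summary and build the HEX delete
# commands for one host pair.
# SAMPLE_TABLE is CONSTRUCTED to mimic the "<dir, src, sport, dst, dport, proto; ...>"
# tuple layout visible in the post's own output; the trailing fields are made up.
# On a gateway the input comes from: fw tab -t connections -u > connections.txt
SAMPLE_TABLE='<00000000, c0a80137, 000002c8, c0a8021b, 0000037c, 00000011; 00000001, 00000000, 00000000; 40/40>
<00000001, c0a8021b, 0000037c, c0a80137, 000002c8, 00000011; 00000001, 00000000, 00000000; 40/40>
<00000000, c0a80137, 0000c350, c0a8021b, 00000035, 00000011; 00000001, 00000000, 00000000; 40/40>
<00000000, 0a000005, 0000d431, c0a8021b, 00000050, 00000006; 00000001, 00000000, 00000000; 3600/3600>'

# Dotted quad -> 8 hex digits, the same printf trick the post uses: 192.168.1.55 -> c0a80137
ip2hex() {
  printf '%02x' $(printf '%s' "$1" | tr '.' ' ')
}

# 8 hex digits -> dotted quad: c0a80137 -> 192.168.1.55
hex2ip() {
  printf '%d.%d.%d.%d' \
    "0x$(printf '%s' "$1" | cut -c1-2)" "0x$(printf '%s' "$1" | cut -c3-4)" \
    "0x$(printf '%s' "$1" | cut -c5-6)" "0x$(printf '%s' "$1" | cut -c7-8)"
}

# Reduce each table entry on stdin to its leading 6-tuple, comma separated:
# 00000000,c0a80137,000002c8,c0a8021b,0000037c,00000011
tuples() {
  sed -n 's/^<\([0-9a-f]*\), \([0-9a-f]*\), \([0-9a-f]*\), \([0-9a-f]*\), \([0-9a-f]*\), \([0-9a-f]*\);.*/\1,\2,\3,\4,\5,\6/p'
}

# Human-readable summary: "count  src -> dst proto N", busiest pair first.
# Assumption: only direction-0 entries are counted, so the direction-1 record of the
# same connection (the reverse lookup key) does not double the count.
summarize_pairs() {
  tuples | while IFS=, read -r dir src sport dst dport proto; do
    [ "$dir" = "00000000" ] || continue
    printf '%s -> %s proto %d\n' "$(hex2ip "$src")" "$(hex2ip "$dst")" "0x$proto"
  done | sort | uniq -c | sort -rn
}

# Delete commands for every entry between two hosts (either direction).
# The IPs are compared against the src and dst columns, not grepped anywhere in the
# line, so a port or timeout that happens to contain the same hex digits cannot select
# an unrelated connection. The direction filter mirrors the post's grep "^<0000000".
gen_delete_cmds() {
  local a b
  a=$(ip2hex "$1")
  b=$(ip2hex "$2")
  tuples | awk -F, -v a="$a" -v b="$b" \
    '$1 ~ /^0000000/ && (($2 == a && $4 == b) || ($2 == b && $4 == a)) {
       print "fw tab -t connections -x -e " $0 }'
}

# Demo on the constructed sample. On a real gateway:
#   summarize_pairs < connections.txt
#   gen_delete_cmds 192.168.1.55 192.168.2.27 < connections.txt > delete_connections.sh
printf '%s\n' "$SAMPLE_TABLE" | summarize_pairs
printf '%s\n' "$SAMPLE_TABLE" | gen_delete_cmds 192.168.1.55 192.168.2.27
```

Review the generated file before running it with sh -x, exactly as the post does; the anchored column match only removes the false-positive class that a bare grep on the hex string allows, it does not check that the connections you are about to delete are really the stale ones.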

This post is based on the article found at https://community.checkpoint.com/thread/6193-how-to-manually-delete-an-entry-from-the-connections-table and is just a reminder for myself so I would not have to search the community and support sites for it again.

CheckPoint SmartCenter log backup

One way to back up Check Point firewall logs to an external host is a small script that runs nightly on the SmartCenter and pushes the previous day's log files over SFTP. It uses only utilities already included in the Gaia installation. You need an SSH key pair on the SmartCenter and the public key in the authorized_keys of the backup account on the backup host; since that private key sits on the management server, restrict the key on the backup side (on a recent OpenSSH, the restrict and command="internal-sftp" authorized_keys options plus a from= list) so it can only be used for SFTP from the SmartCenter. It should also work on R80 with minor changes to the paths used in the script and the cron command. (At least that is what a CP engineer at CPX said; I have not had the time to test it yet.)

The script itself:

#!/bin/bash
# Nightly SmartCenter log backup over SFTP (R77 paths); uses only tools shipped with Gaia.
# Placeholders: *username* is the local account owning the key, *user*@backup.host the target.
echo "Starting SmartCenter Firewall log backup script"
# -b - reads the commands below as a batch, so a failed put aborts the transfer and sftp
# exits non-zero instead of silently continuing; stderr goes into the log as well.
/usr/bin/sftp -b - -o IdentityFile=/home/*username*/.ssh/id_rsa *user*@backup.host >/tmp/backup.log 2>&1 <<end
lcd /opt/CPsuite-R77/fw1/log
cd logs
put $(date --date='yesterday' +%Y-%m-%d)*
quit
end
# Everything sftp printed ends up in the mail sent by the cron job
cat /tmp/backup.log
echo "Backup script finished"

The cron command to run the backup script nightly:

5 0 * * * . /opt/CPshrd-R77/tmp/.CPprofile.sh && bash /home/*username*/log_backup.sh|/opt/CPsuite-R77/fw1/bin/sendmail -s "SmartCenter log backup output" -t your.mail.server -f username@yoursmartcenter.host youraddress@domain.host

The script picks up the files named after yesterday's date, so nightly log switching must be enabled in the SmartCenter properties. If you do not want an e-mail with the status of the backup, comment the echo lines out of the script and replace everything after the | in the cron command with the usual > /dev/null 2>&1.

Reset a VPN tunnel in CheckPoint R77.30 or earlier

Sometimes a VPN tunnel needs to be reset. On a Check Point firewall that is done by deleting the IPsec and IKE SAs belonging to that tunnel with the vpn tu utility.
To reset a VPN tunnel do the following:

  1. Log in to the firewall CLI and open the VPN tunnel utility:
    cp> vpn tu
    
    **********     Select Option     **********
    
    (1) List all IKE SAs
    
    (2) List all IPsec SAs
    
    (3) List all IKE SAs for a given peer (GW) or user (Client)
    
    (4) List all IPsec SAs for a given peer (GW) or user (Client)
    
    (5) Delete all IPsec SAs for a given peer (GW)
    
    (6) Delete all IPsec SAs for a given User (Client)
    
    (7) Delete all IPsec+IKE SAs for a given peer (GW)
    
    (8) Delete all IPsec+IKE SAs for a given User (Client)
    
    (9) Delete all IPsec SAs for ALL peers and users
    
    (0) Delete all IPsec+IKE SAs for ALL peers and users
    
    (Q) Quit
  2. Press 7, enter the peer gateway IP address and press Enter twice:
    *******************************************
    
    7
    
    Enter IP of peer (format: xxx.xxx.xxx.xxx): 123.123.123.123
    
    Hit <Enter> key to continue ...
  3. List the IPsec and IKE SAs (options 1 to 4) to check whether they have reappeared for your peer. In some setups traffic has to be sent across the VPN before the tunnel is actually renegotiated.