Category: Networking

CheckPoint R77 remove stale connections from connections table

In some cases operating systems while creating new connection might reuse the source port. That might cause problems in cases where the previous connection in the firewall hasn’t been closed yet. In other words you still have the same source/destination IP address:Port combination already in connection table and the firewall will drop it with the reason that it’s a SYN packet in a already existing connection.

To resolve that issue instead of just waiting for the connection to time out you can remove the connection from the connections table.  To do that you must log in to the firewall CLI and get the whole connections table in to a file, then generate the relevant delete commands. I wish it was easier, but CheckPoint keeps it’s connection table info in HEX and requires the delete command also to have the connection info in HEX.

So the procedure it self needs to be done in the “Expert Mode” and it goes as follows:
1) Get the connections table in to a file

[Expert@cplab]# fw tab -t connections -u > connections.txt

2) Generate delete commands for all the connections between the source and destination IP addresses:

[Expert@cplab]# IPA="192.168.1.55"; IPB="192.168.2.27"; IPAHEX=`printf '%02x' ${IPA//./ }`; IPBHEX=`printf '%02x' ${IPB//./ }`; grep "$IPAHEX" connections.txt | grep "$IPBHEX" | grep "^<0000000" | awk  '{print $1" "$2" "$3" "$4" "$5" "$6}'|sed 's/ //g'|sed 's/</fw tab -t connections -x -e /g'|sed 's/>//g'|sed 's/;//g' > delete_connections.sh

3) Run the script generated in the previous command. (I prefer using the -x flag to see the actual commands being run)

[Expert@cplab]# sh -x delete_connections.sh
+ fw tab -t connections -x -e 00000000,c0a80137,000002c8,c0a8021b,0000037c,00000011
Entry <00000000, c0a80137, 000002c8, c0a8021b, 0000037c, 00000011>
deleted from table connections

And after that all the connections between the selected 2 hosts should have been deleted. I you want to be more specific you can actually add also port numbers to the mix.

This post is based on the article found I at https://community.checkpoint.com/thread/6193-how-to-manually-delete-an-entry-from-the-connections-table and is just a reminder for my self so I wouldn’t have to go through the community and support sites looking for it.

CheckPoint SmartCenter log backup

One way to back up your CheckPoint firewall logs to an external host is to run a little script nightly in your SmartCenter using SFTP. The script uses all utilities already included in the CheckPoint Gaia installation.  To use it you need to generate a ssh key pair, have the public key on the authorized keys list on your backup host. It should also work similarly on R80 with minor changes to the path’s used in the script and cron command. (At least thats what a CP engineer at CPX said, haven’t had the time to test it out yet.)

The script it self:

 #!/bin/bash
 echo "Starting SmartCenter Firewall log backup script"
 /usr/bin/sftp -o identityfile=/home/*username*/.ssh/id_rsa *user*@backup.host >/tmp/backup.log<<end
 lcd /opt/CPsuite-R77/fw1/log
 cd logs
 put $(date --date='yesterday' +%Y-%m-%d)*
 quit
 end
 cat "/tmp/backup.log"
 echo "Backup script finished"

The cron command to run the backup script nightly:

5 0 * * * . /opt/CPshrd-R77/tmp/.CPprofile.sh && bash /home/*username*/log_backup.sh|/opt/CPsuite-R77/fw1/bin/sendmail -s "SmartCenter log backup output" -t your.mail.server -f username@yoursmartcenter.host youraddress@domain.host

As the above cron command suggests you need to have nightly log rotation turned on in your SmartCenter properties. Oh yea and if you don’t want an e-mail about the status of the backup. Well you can just comment the echo commands out of the script and replace the parts after | in the cron command with the regular send to /dev/null.

Reset a VPN tunnel in CheckPoint R77.30 or earlier

Some times VPN tunnels may require resetting, in CheckPoint firewalls that can be done by removing the IPSEC/IKE SA’s relating to that tunnel using the “vpn tu” command.
Basically to reset the VPN tunnel do the following:

  1. Log in to the firewall cli and open the vpn tunnel utility:
    cp> vpn tu
    
    **********     Select Option     **********
    
    (1) List all IKE SAs
    
    (2) List all IPsec SAs
    
    (3) List all IKE SAs for a given peer (GW) or user (Client)
    
    (4) List all IPsec SAs for a given peer (GW) or user (Client)
    
    (5) Delete all IPsec SAs for a given peer (GW)
    
    (6) Delete all IPsec SAs for a given User (Client)
    
    (7) Delete all IPsec+IKE SAs for a given peer (GW)
    
    (8) Delete all IPsec+IKE SAs for a given User (Client)
    
    (9) Delete all IPsec SAs for ALL peers and users
    
    (0) Delete all IPsec+IKE SAs for ALL peers and users
    
    (Q) Quit
  2. Press nr 7 on your keyboard,  insert peer GW IP address and press enter twice:
    *******************************************
    
    7
    
    Enter IP of peer (format: xxx.xxx.xxx.xxx): 123.123.123.123
    
    Hit <Enter> key to continue ...
  3. List the IPsec and IKE SAs to see if they have re-appeared for your GW (in some setups it may be required to try and access the VPN connection for the tunnel to be actually renegotiated)


		

Removing stubborn client connections on F5 BigIP

In F5 BigIP LTM devices to see the connections table there is the “tmsh show sys connection”  command which would print out the entire connection table. To get more specific results it has the following parameters available for filtering:

age connection-id cs-client-addr cs-client-port cs-server-addr cs-server-port protocol ss-client-addr ss-client-port ss-server-addr ss-server-port type

cs-* parameters are relating to the connections on the external side of your load balancer in F5 terms the client-side. To see a single clients connections to your device you could issue the following command:

tmsh show sys connection cs-client-addr 172.16.1.100

Which would produce the following output in my case:

Sys::Connections

172.16.1.100:12727  192.168.32.20:443  192.168.1.254:12727  192.168.1.10:443  tcp  213  (tmm: 0)  none

Total records returned: 1

The out put show’s that the client with the IP address 172.16.1.100 is connected to the Virtual Server running on the IP address 192.168.32.20 and port 443 and the connection it self has been sent’t to the back end server with the IP address 192.168.1.10.

Lets say you have disabled that node in your LB but the client is still connected to that server and want to remove the client’s connection so it would be sent to a new resource pool member you can remove the connection with the following command:

tmsh delete sys connection cs-client-addr 172.16.1.100 cs-server-addr 192.168.32.20 cs-server-port 443

You could get even more specific on the connection you want to delete based on the other parameters available like cs-client-port,etc that were mentioned in the beginning.