Difference between revisions of "VPN Form"

From Tech-Wiki
 
(16 intermediate revisions by the same user not shown)
Line 2: Line 2:
 
'''[[Cisco Systems#Firewalls|Back to Firewalls]]'''
 
'''[[Cisco Systems#Firewalls|Back to Firewalls]]'''
  
Useful Check Point commands. Check Point commands generally come under '''cp''' (general) and '''fw''' (firewall)
+
Use this form to exchange VPN information
  
 +
One firewall (peer) will talk to the remote peer using their public IP, and exchange encrypted data (IPSec) in order to stablish the tunnel.<br>
 +
Once the tunnel is Up, the traffic will flow using their internal private address range.
  
'''Useful CP Commands'''
 
  
{|border="1" cellpadding="5" cellspacing="0"
+
Example:
|+ align="bottom" |''Table 1. Useful CP Commands''
+
10.1.50.x – 200.2.2.20 ------ (net) ----- 201.1.1.10 – 192.168.1.x:80
|-
+
!scope="col" style="background:#97CAFF;" |Command
+
!scope="col" style="background:#97CAFF;" |Description
+
|-
+
|cpconfig
+
|change SIC, licenses and more
+
|-
+
|cpview -t
+
|show top style performance counters
+
|-
+
|cphaprob stat
+
|list the state of the high availability cluster members. Should show active and standby devices.
+
|-
+
|cphaprob -a if
+
|display status of monitored interfaces in a cluster
+
|-
+
|cphaprob -l list
+
|display registered cluster devices and status
+
|-
+
|cphaprob syncstat
+
|display sync transport layer statistics
+
|-
+
|cphaprob ldstat
+
|display sync serialization statistics
+
|-
+
|cphastop
+
|stop a cluster member from passing traffic. Stops synchronization. (emergency only)
+
|-
+
|clusterXL_admin down –p
+
|disable this node from cluster membership
+
|-
+
|cphaconf cluster_id get
+
|get cluster Global ID membership
+
|-
+
|cplic print
+
|license information
+
|-
+
|cpstart
+
|start all checkpoint services
+
|-
+
|cpstat fw
+
|show policy name, policy install time and interface table
+
|-
+
|cpstat ha
+
|high availability state
+
|-
+
|cpstat blades
+
|top rule hits and amount of connections
+
|-
+
|cpstat os -f all
+
|checkpoint interface table, routing table, version, memory status, cpu load, disk space
+
|-
+
|cpstat os -f cpu
+
|checkpoint cpu status
+
|-
+
|cpstat os -f multi_cpu
+
|checkpoint cpu load distribution
+
|-
+
|cpstat os -f sensors
+
|hardware environment (temperature/fan/voltage)
+
|-
+
|cpstat os -f routing
+
|checkpoint routing table
+
|-
+
|cpstop
+
|stop all checkpoint services
+
|-
+
|cpwd_admin monitor_list
+
|list processes actively monitored. Firewall should contain cpd and vpnd.
+
|-
+
|show asset all
+
|show serial numbers and hardware info
+
|-
+
|show route destination xx.xx.xx.xx
+
|show routing for specific host
+
|-
+
|ip route get xx.xx.xx.xx
+
|show routing for specific host
+
|-
+
|iclid / show cluster state
+
|show cluster fail over history
+
|}
+
  
  
  
'''Useful FW Commands'''
+
'''VPN Form'''
 +
 
 
{|border="1" cellpadding="5" cellspacing="0"
 
{|border="1" cellpadding="5" cellspacing="0"
|+ align="bottom" |''Table 2Useful FW Commands''
+
|+ align="bottom" |''Table 1VPN Form''
|-
+
!scope="col" style="background:#97CAFF;" |Command
+
!scope="col" style="background:#97CAFF;" |Description
+
 
|-
 
|-
|fw ver
+
!scope="col" style="background:#97CAFF;" |Parameter
|firewall version
+
!scope="col" style="background:#97CAFF;" |Value
 
|-
 
|-
|fw ctl iflist
+
|colspan="2" align="center"|'''Tunnel Termination - Public Internet IP addresses'''
|show interface names
+
 
|-
 
|-
|fw ctl pstat
+
|Internet IP address (peer) at ACME
|show control kernel memory and connections
+
|200.2.2.20
 
|-
 
|-
|fwaccel stat
+
|Internal Network
|show SecureXL status
+
|10.1.50.0/24
 
|-
 
|-
|fw fetch <manager IP>
+
|Internet IP Address (remote peer) at BRANCH
|get the policy from the firewall manager
+
|''please fill''
 
|-
 
|-
|fwm load <policy name> <gateway name>
+
|Partner Internal Network
|compile and install a policy on the target's gateways.
+
|''please fill'' (if internal network overlaps the other one, it should be nat'ed)
 
|-
 
|-
|fw getifs
+
|colspan="2" align="center"|'''IKE Policy (Phase 1)'''
|list interfaces and IP addresses
+
 
|-
 
|-
|fw log
+
|IKE Version
|show the content of the connections log
+
|( ) IKEv1  (x) IKEv2
 
|-
 
|-
|fw log -b "MMM DD, YYYY HH:MM:SS" "MMM DD, YYYY HH:MM:SS"
+
|IKE Encryption Policy
|search the current log for activity between specific times
+
|(x) AES 256  ( ) 3DES (156-bit)
 
|-
 
|-
|fw log -c drop
+
|IKE Authentication Policy
|search for dropped packets in the active log; also can use accept or reject to search
+
|(x) SHA1  ( ) MD5
 
|-
 
|-
|fw log -f
+
|IKE Lifetime (default 86400s = 1day)
|tail the current log
+
|86400 sec
 
|-
 
|-
|fwm logexport -i <log name> -o <output name> -n -p
+
|Diffie-Hellman Group
|export an old log file on the firewall manager
+
|( ) Group 1  (x) Group 2  ( ) Group 5  ( ) Group 14
 
|-
 
|-
|fw logswitch
+
|Identity (IP address or hostname)
|rotate logs
+
|N/A
 
|-
 
|-
|fw lslogs
+
|Authentication
|list firewall logs
+
|(x) Pre-shared Key  ( ) PKI
 
|-
 
|-
|fw stat
+
|Mode (Main recommended)
|firewall status, should contain the name of the policy and the relevant interfaces.
+
|(x) Main  ( ) Aggressive
 
|-
 
|-
|fw stat -l
+
|Pre-Shared Key
|show which policy is associated with which interface and package drop, accept and reject
+
|Note: do not use unencrypted email to exchange pre-shared keys
 
|-
 
|-
|fw tab
+
|Pre-shared Key exchange
|displays firewall tables
+
|( ) PGP  ( ) Phone call  (x) TXT/SMS ____________
 
|-
 
|-
|fw tab -s -t connections
+
|colspan="2" align="center"|'''IPSEC Policy (Phase 2)'''
|number of connections in state table
+
 
|-
 
|-
|fw tab -s -t userc_users
+
|IPSEC Encryption Algorithm
|number of remote users connected (VPN)
+
|( ) ESP-3DES  (x) ESP-AES128  ( ) ESP-AES256
 
|-
 
|-
|fw tab -t xlate -x
+
|IPSEC Data Integrity
|clear all translated entries
+
|(x) SHA ( ) MD5
 
|-
 
|-
|fw unloadlocal
+
|Perfect Forward Secrecy (PFS)
|clear local firewall policy
+
|( ) Off  ( ) Group 1  (x) Group 2  ( ) Group 5
 
|-
 
|-
|fw monitor -e "accept host(10.1.1.10);"
+
|IPSEC SA Lifetime - Seconds
|trace the packet flow to/from the specified host
+
|3600 seconds
 
|-
 
|-
|fw ctl zdebug + drop <nowiki>|</nowiki> grep 'x.x.x.x\<nowiki>|</nowiki>y.y.y.y'
+
|IPSEC SA Lifetime - Kilobytes
|Check reason of your packet being dropped
+
|_____KB  (x) Disabled
 
|}
 
|}
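Review bot: the pre-ticked defaults in the new Phase 1 and Phase 2 rows select weak key-exchange groups. The "Diffie-Hellman Group" row ticks Group 2 although Group 14 is offered on the same row, and the "Perfect Forward Secrecy (PFS)" row stops at Group 5, so Group 14 cannot be chosen there at all. Suggest ticking Group 14 in Phase 1 and adding a Group 14 option to the PFS row. In the "IKE Encryption Policy" row, "3DES (156-bit)" should read 168-bit. The "Pre-shared Key exchange" row ticks TXT/SMS directly below the note against unencrypted email; SMS is not an encrypted channel either, so PGP would be the consistent default.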

Latest revision as of 18:51, 26 July 2018


Use this form to exchange VPN information

One firewall (peer) talks to the remote peer using their public IP addresses, and they exchange encrypted data (IPsec) in order to establish the tunnel.
Once the tunnel is up, traffic flows using their internal private address ranges.


Example: 10.1.50.x – 200.2.2.20 ------ (net) ----- 201.1.1.10 – 192.168.1.x:80


VPN Form

{|border="1" cellpadding="5" cellspacing="0"
|+ align="bottom" |''Table 1. VPN Form''
|-
!scope="col" style="background:#97CAFF;" |Parameter
!scope="col" style="background:#97CAFF;" |Value
|-
|colspan="2" align="center"|'''Tunnel Termination - Public Internet IP addresses'''
|-
|Internet IP address (peer) at ACME
|200.2.2.20
|-
|Internal Network
|10.1.50.0/24
|-
|Internet IP Address (remote peer) at BRANCH
|''please fill''
|-
|Partner Internal Network
|''please fill'' (if internal network overlaps the other one, it should be nat'ed)
|-
|colspan="2" align="center"|'''IKE Policy (Phase 1)'''
|-
|IKE Version
|( ) IKEv1  (x) IKEv2
|-
|IKE Encryption Policy
|(x) AES 256  ( ) 3DES (156-bit)
|-
|IKE Authentication Policy
|(x) SHA1  ( ) MD5
|-
|IKE Lifetime (default 86400s = 1day)
|86400 sec
|-
|Diffie-Hellman Group
|( ) Group 1  (x) Group 2  ( ) Group 5  ( ) Group 14
|-
|Identity (IP address or hostname)
|N/A
|-
|Authentication
|(x) Pre-shared Key  ( ) PKI
|-
|Mode (Main recommended)
|(x) Main  ( ) Aggressive
|-
|Pre-Shared Key
|Note: do not use unencrypted email to exchange pre-shared keys
|-
|Pre-shared Key exchange
|( ) PGP  ( ) Phone call  (x) TXT/SMS ____________
|-
|colspan="2" align="center"|'''IPSEC Policy (Phase 2)'''
|-
|IPSEC Encryption Algorithm
|( ) ESP-3DES  (x) ESP-AES128  ( ) ESP-AES256
|-
|IPSEC Data Integrity
|(x) SHA ( ) MD5
|-
|Perfect Forward Secrecy (PFS)
|( ) Off  ( ) Group 1  (x) Group 2  ( ) Group 5
|-
|IPSEC SA Lifetime - Seconds
|3600 seconds
|-
|IPSEC SA Lifetime - Kilobytes
|_____KB  (x) Disabled
|}
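
The tunnel only comes up when both peers configure identical proposals, and the form's note on overlapping internal networks decides whether NAT is needed. The Python check below is an added example, not part of the original wiki page: it compares two filled-in copies of the form. The dictionary keys and `check_forms` are hypothetical names, and the BRANCH values are taken from the page's example line in place of the "please fill" fields.

```python
import ipaddress

# ACME values are the ones ticked on the form; BRANCH peer and network come
# from the page's example line and stand in for the "please fill" fields.
ACME = {
    "peer_ip": "200.2.2.20", "internal_net": "10.1.50.0/24",
    "ike_version": "IKEv2", "ike_encryption": "AES 256", "ike_hash": "SHA1",
    "dh_group": 2, "ipsec_encryption": "ESP-AES128", "ipsec_hash": "SHA",
    "pfs_group": 2,
}
BRANCH = dict(ACME, peer_ip="201.1.1.10", internal_net="192.168.1.0/24")

# Proposal fields that both peers have to configure identically.
MUST_MATCH = ("ike_version", "ike_encryption", "ike_hash", "dh_group",
              "ipsec_encryption", "ipsec_hash", "pfs_group")
# RFC 8247 rates MODP groups 1, 2 and 5 as MUST NOT / SHOULD NOT for IKEv2.
WEAK_DH_GROUPS = {1, 2, 5}


def check_forms(local, remote):
    """Compare two filled-in copies of the form; return a list of findings."""
    findings = []
    for field in MUST_MATCH:
        if local[field] != remote[field]:
            findings.append(
                f"mismatch: {field} is {local[field]!r} vs {remote[field]!r}")
    for side, form in (("local", local), ("remote", remote)):
        if not ipaddress.ip_address(form["peer_ip"]).is_global:
            findings.append(f"peer: {side} peer IP {form['peer_ip']} is not public")
        for field in ("dh_group", "pfs_group"):
            if form[field] in WEAK_DH_GROUPS:
                findings.append(f"weak: {side} {field} uses group {form[field]}")
    local_net = ipaddress.ip_network(local["internal_net"])
    remote_net = ipaddress.ip_network(remote["internal_net"])
    if local_net.overlaps(remote_net):
        findings.append(
            f"overlap: {local_net} and {remote_net} overlap, NAT one side")
    return findings


if __name__ == "__main__":
    for finding in check_forms(ACME, BRANCH):
        print(finding)
```

With the values as ticked on the form, the only findings are the Group 2 selections for Phase 1 and PFS on both sides.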