Difference between revisions of "VPN Form"

From Tech-Wiki
Jump to: navigation, search
Line 2: Line 2:
 
'''[[Cisco Systems#Firewalls|Back to Firewalls]]'''
 
'''[[Cisco Systems#Firewalls|Back to Firewalls]]'''
  
Useful Check Point commands. Check Point commands generally come under '''cp''' (general) and '''fw''' (firewall)
+
Use this form to exchange VPN information
  
  
'''Useful CP Commands'''
+
'''VPN Form'''
  
 
{|border="1" cellpadding="5" cellspacing="0"
 
{|border="1" cellpadding="5" cellspacing="0"
|+ align="bottom" |''Table 1.  Useful CP Commands''
+
|+ align="bottom" |''Table 1.  VPN Form''
 
|-
 
|-
!scope="col" style="background:#97CAFF;" |Command
+
!scope="col" style="background:#97CAFF;" |Parameter
!scope="col" style="background:#97CAFF;" |Description
+
!scope="col" style="background:#97CAFF;" |Value
 
|-
 
|-
|cpconfig
+
|Internet IP address (peer) at XXX
|change SIC, licenses and more
+
|200.2.2.20
 
|-
 
|-
|cpview -t
+
|Internal Network
|show top style performance counters
+
|10.1.50.0/24
 
|-
 
|-
|cphaprob stat
+
|Internet IP Address (remote peer) at YYY
|list the state of the high availability cluster members. Should show active and standby devices.
+
|''please fill''
 
|-
 
|-
|cphaprob -a if
+
|Partner Internal Network
|display status of monitored interfaces in a cluster
+
|''please fill'' (if your network overlaps the network above, it will clash)
 
|-
 
|-
|cphaprob -l list
+
|IKE Version
|display registered cluster devices and status
+
|()IKEv1 (x)IKEv2
 
|-
 
|-
|cphaprob syncstat
+
|IKE Encryption Policy
|display sync transport layer statistics
+
|(x) AES 256 ()3DES (156-bit)
 
|-
 
|-
|cphaprob ldstat
+
|IKE Authentication Policy
|display sync serialization statistics
+
|(x) SHA1  ()MD5
 
|-
 
|-
|cphastop
+
|IKE Lifetime (default 86400s = 1day)
|stop a cluster member from passing traffic. Stops synchronization. (emergency only)
+
|86400 sec
 
|-
 
|-
|clusterXL_admin down –p
+
|Diffie-Hellman Group
|disable this node from cluster membership
+
|()Group 1 (x)Group 2 ()Group 5 ()Group 14
 
|-
 
|-
|cphaconf cluster_id get
+
|Identity (IP address or hostname)
|get cluster Global ID membership
+
|N/A
 
|-
 
|-
|cplic print
+
|Authentication
|license information
+
|(x)Pre-shared Key () PKI
 
|-
 
|-
|cpstart
+
|Mode (Main recommended)
|start all checkpoint services
+
|(x) Main ()Aggressive
 
|-
 
|-
|cpstat fw
+
|Pre-Shared Key
|show policy name, policy install time and interface table
+
|Note: do not use unencrypted emamil to exchange pre-shared keys
 
|-
 
|-
|cpstat ha
+
|Pre-shared Key exchange
|high availability state
+
|()PGP ()Phone call (x) TXT/SMS:___________
 
|-
 
|-
|cpstat blades
+
|IPSEC Encryption Algorithm
|top rule hits and amount of connections
+
|()ESP-3DES (x)ESP-AES128 ()ESP-AES256
 
|-
 
|-
|cpstat os -f all
+
|IPSEC Data Integrity
|checkpoint interface table, routing table, version, memory status, cpu load, disk space
+
|(x)SHA ()MD5
 
|-
 
|-
|cpstat os -f cpu
+
|Perfect Forward Secrecy (PFS)
|checkpoint cpu status
+
|()Off ()Group 1 (x)Group 2 ()Group 5
 
|-
 
|-
|cpstat os -f multi_cpu
+
|IPSEC SA Lifetime - Seconds
|checkpoint cpu load distribution
+
|3600 seconds
 
|-
 
|-
|cpstat os -f sensors
+
|IPSEC SA Lifetime - Kilobytes
|hardware environment (temperature/fan/voltage)
+
|___KB (x) Disabled
|-
+
|cpstat os -f routing
+
|checkpoint routing table
+
|-
+
|cpstop
+
|stop all checkpoint services
+
|-
+
|cpwd_admin monitor_list
+
|list processes actively monitored. Firewall should contain cpd and vpnd.
+
|-
+
|show asset all
+
|show serial numbers and hardware info
+
|-
+
|show route destination xx.xx.xx.xx
+
|show routing for specific host
+
|-
+
|ip route get xx.xx.xx.xx
+
|show routing for specific host
+
|-
+
|iclid / show cluster state
+
|show cluster fail over history
+
|}
+
 
+
 
+
 
+
'''Useful FW Commands'''
+
{|border="1" cellpadding="5" cellspacing="0"
+
|+ align="bottom" |''Table 2.  Useful FW Commands''
+
|-
+
!scope="col" style="background:#97CAFF;" |Command
+
!scope="col" style="background:#97CAFF;" |Description
+
|-
+
|fw ver
+
|firewall version
+
|-
+
|fw ctl iflist
+
|show interface names
+
|-
+
|fw ctl pstat
+
|show control kernel memory and connections
+
|-
+
|fwaccel stat
+
|show SecureXL status
+
|-
+
|fw fetch <manager IP>
+
|get the policy from the firewall manager
+
|-
+
|fwm load <policy name> <gateway name>
+
|compile and install a policy on the target's gateways.
+
|-
+
|fw getifs
+
|list interfaces and IP addresses
+
|-
+
|fw log
+
|show the content of the connections log
+
|-
+
|fw log -b "MMM DD, YYYY HH:MM:SS" "MMM DD, YYYY HH:MM:SS"
+
|search the current log for activity between specific times
+
|-
+
|fw log -c drop
+
|search for dropped packets in the active log; also can use accept or reject to search
+
|-
+
|fw log -f
+
|tail the current log
+
|-
+
|fwm logexport -i <log name> -o <output name> -n -p
+
|export an old log file on the firewall manager
+
|-
+
|fw logswitch
+
|rotate logs
+
|-
+
|fw lslogs
+
|list firewall logs
+
|-
+
|fw stat
+
|firewall status, should contain the name of the policy and the relevant interfaces.
+
|-
+
|fw stat -l
+
|show which policy is associated with which interface and package drop, accept and reject
+
|-
+
|fw tab
+
|displays firewall tables
+
|-
+
|fw tab -s -t connections
+
|number of connections in state table
+
|-
+
|fw tab -s -t userc_users
+
|number of remote users connected (VPN)
+
|-
+
|fw tab -t xlate -x
+
|clear all translated entries
+
|-
+
|fw unloadlocal
+
|clear local firewall policy
+
|-
+
|fw monitor -e "accept host(10.1.1.10);"
+
|trace the packet flow to/from the specified host
+
|-
+
|fw ctl zdebug + drop <nowiki>|</nowiki> grep 'x.x.x.x\<nowiki>|</nowiki>y.y.y.y'
+
|Check reason of your packet being dropped
+
 
|}
 
|}

Revision as of 20:01, 5 June 2018

Back to Firewalls

Use this form to exchange VPN information


VPN Form

Table 1. VPN Form
Parameter Value
Internet IP address (peer) at XXX 200.2.2.20
Internal Network 10.1.50.0/24
Internet IP Address (remote peer) at YYY please fill
Partner Internal Network please fill (if your network overlaps the network above, it will clash)
IKE Version ()IKEv1 (x)IKEv2
IKE Encryption Policy (x) AES 256 ()3DES (156-bit)
IKE Authentication Policy (x) SHA1 ()MD5
IKE Lifetime (default 86400s = 1day) 86400 sec
Diffie-Hellman Group ()Group 1 (x)Group 2 ()Group 5 ()Group 14
Identity (IP address or hostname) N/A
Authentication (x)Pre-shared Key () PKI
Mode (Main recommended) (x) Main ()Aggressive
Pre-Shared Key Note: do not use unencrypted emamil to exchange pre-shared keys
Pre-shared Key exchange ()PGP ()Phone call (x) TXT/SMS:___________
IPSEC Encryption Algorithm ()ESP-3DES (x)ESP-AES128 ()ESP-AES256
IPSEC Data Integrity (x)SHA ()MD5
Perfect Forward Secrecy (PFS) ()Off ()Group 1 (x)Group 2 ()Group 5
IPSEC SA Lifetime - Seconds 3600 seconds
IPSEC SA Lifetime - Kilobytes ___KB (x) Disabled
Retrieved from ‘http://tech-wiki.net/index.php?title=VPN_Form&oldid=1168