How to use command line for first time wizard in Check Point

Many people have asked me how to use the command line to get a system configured. My earlier post (see: How to install Check Point without getting on a plane) covers getting the code you want onto the box with nothing more than a serial cable and Ethernet. Now, over that same serial connection, we can configure the box using a template and the command ‘config_system‘.

Procedure:
1) Create the template file:
[Expert@HostName:0]# config_system --create-template /path_to/name_of_template_file
2) Edit the template file you created and assign the desired values in the relevant fields (see the example file below).
   Note: to enable or disable IPv4 and IPv6, define the following fields:
      ipstat_v4 (manually / off)
      ipstat_v6 (manually / off)
   Starting from R80.10 these parameters have default values, but in older versions you must configure them (manually or off).
3) Save the file.
4) Test to see if your file is good:
[Expert@HostName:0]# config_system --dry-run --config-file /path_to/name_of_template_file
5) Run the file:
[Expert@HostName:0]# config_system -f /path_to/name_of_template_file
6) Reboot the machine to complete the configuration.

Here are all the flags that you can use and what they do.


Example of how you edit the file using “True or False” answers:

# Mandatory parameters - change the values specific to your setup
hostname=NEW_GW
ftw_sic_key=

# Mandatory parameters - do not change
install_security_managment=false
install_security_gw=true
gateway_daip=false
install_ppak=true
gateway_cluster_member=false

Here is an example of a gateway configuration template for a cluster member ready to be connected to management. (For a single box ready for management, change the line gateway_cluster_member=true to gateway_cluster_member=false.)

After you use the config_system command to create a template, you will have a file that looks like the one below. Notice the values I have filled in. If a cluster member is what you want, make yours look like mine and just change the fields appropriately (hostname, IPs, etc.). Remember to practice this first!

(To make the template see above)
#########################################################################
#                                                                       #
#                        Products configuration                         #
#                                                                       #
#   For keys below set "true"/"false" after '=' within the quotes       #
#########################################################################

# Install Security Gateway.
install_security_gw=true

# Install Acceleration Blade (aka Performance Pack).
install_ppak=true

# Enable DAIP (dynamic ip) gateway.
# Should be "false" if CXL or Security Management enabled
gateway_daip="false"

# Enable/Disable CXL.
gateway_cluster_member=true

# Install Security Management.
install_security_managment=false

# Optional parameters, only one of the parameters below can be "true".
# If no primary or secondary specified, log server will be installed.
# Requires Security Management to be installed.
install_mgmt_primary=false
install_mgmt_secondary=false

# Provider-1 parameters
# e.g: install_mds_primary=true
#      install_mds_secondary=false
#      install_mlm=false
#      install_mds_interface=eth0
install_mds_primary=
install_mds_secondary=
install_mlm=
install_mds_interface=

# In case of Smart1 SmartEvent appliance, choose
# Security Management only, log server will be installed automatically

#########################################################################
#                                                                       #
#                          Products Parameters                          #
#                                                                       #
#   For keys below set value after '='                                  #
#########################################################################

# Management administrator name
# Must be provided, if Security Management installed
mgmt_admin_name=

# Management administrator password
# Must be provided, if Security Management installed
mgmt_admin_passwd=

# Management GUI client allowed e.g. any, 1.2.3.4, 192.168.0.0/24
# Set to "any" if any host allowed to connect to management
# Set to "range" if range of IPs allowed to connect to management
# Set to "network" if IPs from specific network allowed to connect
# to management
# Set to "this" if it's a single IP
# Must be provided if Security Management installed
mgmt_gui_clients_radio=
#
# In case of "range", provide the first and last IPs in dotted format
mgmt_gui_clients_first_ip_field=
mgmt_gui_clients_last_ip_field=
#
# In case of "network", provide IP in dotted format and netmask length
# in range 0-32
mgmt_gui_clients_ip_field=
mgmt_gui_clients_subnet_field=
#
# In case of a single IP
mgmt_gui_clients_hostname=

# Secure Internal Communication key, e.g. "aaaa"
# Must be provided, if primary Security Management not installed
ftw_sic_key=sweet

#########################################################################
#                                                                       #
#           Operating System configuration - optional section           #
#                                                                       #
#   For keys below set value after '='                                  #
#########################################################################

# Password (hash) of user admin.
# To get hash of admin password from configured system:
# dbget passwd:admin:passwd
# OR
# grep admin /etc/shadow | cut -d: -f2
#
# IMPORTANT! In order to preserve the literal value of each character
# in hash, enclose hash string within the quotes.
# e.g admin_hash='put_here_your_hash_string'
#
# Optional parameter
admin_hash=''

# Interface name, optional parameter
iface=eth0

# Management interface IP in dotted format (e.g. 1.2.3.4),
# management interface mask length (in range 0-32, e.g. 24) and
# default gateway.
# Pay attention, that if you run first time configuration remotely
# and you change IP, in order to maintain the connection,
# an old IP address will be retained as a secondary IP address.
# This secondary IP address can be deleted later.
# Your session will be disconnected after first time configuration
# process.
# Optional parameter, requires "iface" to be specified
# IPv6 address format: 0000:1111:2222:3333:4444:5555:6666:7777
# ipstat_v4 manually/off
ipstat_v4=manually
ipaddr_v4=192.168.10.10
masklen_v4=24
default_gw_v4=192.168.10.1

ipstat_v6=off
ipaddr_v6=
masklen_v6=
default_gw_v6=

# Host Name e.g host123, optional parameter
hostname=pocgw

# Domain Name e.g. checkpoint.com, optional parameter
domainname=

# Time Zone in format Area/Region (e.g America/New_York or Etc/GMT-5)
# Pay attention that GMT offset should be in classic UTC notation:
# GMT-5 is 5 hours behind UTC (i.e. west of Greenwich)
# Enclose time zone string within the quotes.
# Optional parameter
timezone='Americas/Arizona'

# NTP servers
# NTP parameters are optional
ntp_primary=192.168.10.5
ntp_primary_version=
ntp_secondary=
ntp_secondary_version=

# DNS - IP address of primary, secondary, tertiary DNS servers
# DNS parameters are optional.
primary=198.6.1.2
secondary=
tertiary=

See sk69701 for more information.
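Before you get to the dry run in step 4, it pays to catch the mistakes this template is prone to on the workstation where you edit it: curly quotes pasted in from a web page, a mandatory key left empty, an ipstat field that is neither manually nor off, a mask length outside 0-32, or gateway_daip left true on a cluster member. The linter below is an added example written for this post, not part of config_system or any Check Point tool; its rules come from the template comments above, the two sample templates it checks are constructed here, and the SIC key value in them is a placeholder.

```bash
#!/bin/bash
# Pre-flight linter for a config_system template (added example; not Check Point code).
# Reads the key=value lines, skips comments, and reports the usual mistakes before --dry-run.

# get_val FILE KEY -> prints KEY's value with one layer of surrounding quotes removed
get_val() {
    local v
    v=$(sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1)
    v=${v#\"}; v=${v%\"}; v=${v#\'}; v=${v%\'}
    printf '%s' "$v"
}

# lint_template FILE -> prints one line per problem, returns the number of problems (0 = clean)
lint_template() {
    local f="$1" errors=0 key v

    # 1. Curly quotes, CRLF endings or other non-ASCII bytes on value lines are not stripped by
    #    the parser, so gateway_daip=“false” would carry the quote characters inside the value.
    if ! LC_ALL=C awk 'BEGIN {bad = 0} /^[[:space:]]*#/ {next}
            /[^[:print:][:blank:]]/ {print "  line " NR ": non-ASCII or control character (curly quote? CRLF?)"; bad = 1}
            END {exit bad}' "$f"; then
        errors=$((errors + 1))
    fi

    # 2. Keys the post lists as mandatory must be present and non-empty.
    for key in hostname install_security_gw install_security_managment gateway_daip install_ppak gateway_cluster_member; do
        v=$(get_val "$f" "$key")
        [ -n "$v" ] || { echo "  $key is mandatory but missing or empty"; errors=$((errors + 1)); }
    done

    # 3. ipstat_v4 / ipstat_v6 accept only "manually" or "off" (pre-R80.10 there is no default).
    for key in ipstat_v4 ipstat_v6; do
        v=$(get_val "$f" "$key")
        case "$v" in
            manually|off) ;;
            *) echo "  $key must be 'manually' or 'off' (got '$v')"; errors=$((errors + 1)) ;;
        esac
    done

    # 4. A manual IPv4 setup needs the interface, address, mask length (0-32) and gateway.
    if [ "$(get_val "$f" ipstat_v4)" = manually ]; then
        for key in iface ipaddr_v4 masklen_v4 default_gw_v4; do
            [ -n "$(get_val "$f" "$key")" ] || { echo "  $key is required when ipstat_v4=manually"; errors=$((errors + 1)); }
        done
        v=$(get_val "$f" masklen_v4)
        case "$v" in
            ''|[0-9]|[12][0-9]|3[0-2]) ;;   # empty was reported above; 0-32 is fine
            *) echo "  masklen_v4 must be 0-32 (got '$v')"; errors=$((errors + 1)) ;;
        esac
    fi

    # 5. Cross-field rules stated in the template comments.
    if [ "$(get_val "$f" gateway_daip)" = true ] &&
       { [ "$(get_val "$f" gateway_cluster_member)" = true ] || [ "$(get_val "$f" install_security_managment)" = true ]; }; then
        echo "  gateway_daip must be false on a cluster member or a Security Management box"; errors=$((errors + 1))
    fi
    if [ "$(get_val "$f" install_mgmt_primary)" = true ] && [ "$(get_val "$f" install_mgmt_secondary)" = true ]; then
        echo "  install_mgmt_primary and install_mgmt_secondary cannot both be true"; errors=$((errors + 1))
    fi
    if [ "$(get_val "$f" install_mgmt_primary)" != true ] && [ -z "$(get_val "$f" ftw_sic_key)" ]; then
        echo "  ftw_sic_key is required unless this box is the primary Security Management"; errors=$((errors + 1))
    fi
    return "$errors"
}

# Constructed sample templates for the demonstration (written here, not produced by config_system).
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
GOOD_CFG="$WORK/cluster_member.cfg"; BAD_CFG="$WORK/broken.cfg"
cat > "$GOOD_CFG" <<'EOF'
# cluster member ready to be connected to management
install_security_gw=true
install_ppak=true
gateway_daip="false"
gateway_cluster_member=true
install_security_managment=false
install_mgmt_primary=false
ftw_sic_key=REPLACE_WITH_YOUR_SIC_KEY
iface=eth0
ipstat_v4=manually
ipaddr_v4=192.168.10.10
masklen_v4=24
default_gw_v4=192.168.10.1
ipstat_v6=off
hostname=pocgw
EOF
cat > "$BAD_CFG" <<'EOF'
hostname=
install_security_gw=true
install_ppak=true
gateway_daip=true
gateway_cluster_member=true
install_security_managment=false
ftw_sic_key=
iface=eth0
ipstat_v4=manually
ipaddr_v4=192.168.10.10
masklen_v4=33
default_gw_v4=192.168.10.1
ipstat_v6=
timezone=“Etc/GMT-5”
EOF

echo "== $GOOD_CFG"; lint_template "$GOOD_CFG" && echo "  clean, go ahead with --dry-run"
echo "== $BAD_CFG";  lint_template "$BAD_CFG"  || echo "  $? problem(s) found, fix them first"
```

Run it against your own file with lint_template /path_to/name_of_template_file; the exit status is the number of problems, so it drops into a script ahead of the dry run without any output parsing.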

Flaw in Facebook Messenger found !

Check Point Software disclosed details about a vulnerability found in Facebook Messenger, both in the online and mobile applications. Following Check Point’s responsible disclosure, Facebook promptly fixed the vulnerability.

Check Point security researcher Roman Zaikin discovered that the vulnerability allows an attacker to control a Facebook chat and adjust its messages as they see fit, including deleting them and replacing text, links, and files.

There are a few potential attack vectors abusing this vulnerability. Given Facebook’s vital role in everyday activities worldwide, these schemes could have a severe impact on users; one of them could be used to distribute malware.

Check out a video demo of it here:

You can also read the specifics here:  http://blog.checkpoint.com/2016/06/07/facebook-maliciouschat/


Hacking WhatsApp

This was a great blog post by Vijay Prabhu from Techworm that explained, both in his post and with videos, how easy it is to take advantage of an SS7 telecom flaw that has been known since 2008! Check it out here:

How To Hack WhatsApp Using SS7 Flaw

How does Amazon Web Services Work?

I wanted to tell everyone about a blog post written by Nick Matthews that describes in depth how all the connectivity works in AWS. Nick defines the terms used by Amazon, and what they mean. In his blog he uses some great network diagrams to help explain how it all fits together.

Check it out here:

https://aws.amazon.com/blogs/apn/amazon-vpc-for-on-premises-network-engineers-part-one/

https://aws.amazon.com/blogs/apn/amazon-vpc-for-on-premises-network-engineers-part-two/

There is also a 45 minute video on YouTube that walks through the AWS network presentation:

Did you know? Check Point vSEC is a family of products that delivers advanced threat prevention security to public, private and hybrid cloud and software-defined data center environments. Easily and affordably extend security to your Amazon cloud using rapid one-click deployment of the vSEC gateway, which is available in the AWS Marketplace. Policy management is simplified with centralized configuration and monitoring of cloud and on-premises security from a single console.

You can read more about vSEC here: http://www.checkpoint.com/products-solutions/private-public-cloud/index.html


PAN- Setting The Record Straight

This video, titled 50 Shades of PAN, was posted on YouTube. It really sets the record straight on what Palo Alto has been claiming. The video shows a sales pitch by Mark McLaughlin, CEO of Palo Alto.

See the video here:

“You can fool all the people some of the time, and some of the people all the time, but you cannot fool all the people all the time.” – Abraham Lincoln

Samsung Research America uses Check Point to secure their Mobile Devices.

Check Point recently deployed their Mobile Threat Prevention on Samsung’s mobile devices. The challenge was to completely secure the mobile environment. Like all companies, Samsung has employees who increasingly work on smartphones, tablets, and their own devices.

“Mobile devices don’t operate behind a security infrastructure like corporate PCs, laptops, and servers do…” “Mobile devices are out in the wild, creating potential security issues and enabling malware to enter the Samsung network. There’s no mobile firewall to prevent cyber threats from getting in through emails and apps.” - Steven Lentz, CISSP, CIPP/US, Director Information Security at Samsung Research America

“Check Point had more up-to-date information and automated delivery of the latest malware-related intelligence,” said Lentz. “Check Point Mobile Threat Prevention offers the closest thing to zero-day detection on mobile devices. I like it when a product does what it is supposed to do—and more. Check Point did exactly that.” Check Point Mobile Threat Prevention also integrated seamlessly with AirWatch by VMware MDM and SIEM platforms. Now, Samsung has gained comprehensive visibility into mobile threats and automated enterprise-wide security policy enforcement.

See the testimonial: http://www.checkpoint.com/testimonial/samsung-research-america/index.html
Read the full article: http://www.checkpoint.com/downloads/testimonial-related/ccs-samsung-research-america.pdf

“Check Point Mobile Threat Prevention is the best zero-day malware protection possible for mobile devices. There’s nothing else out there with multiple layers of protection. Our IP is secure, and that’s peace of mind.”
Steven Lentz, CISSP, CIPP/US
Director Information Security at Samsung Research America

How Forensics is Better Than Detection

A friend and fellow colleague of mine, Elijah Bagdonas, recently sent me an awesome explanation of Check Point’s Forensics software. This software is a must-have for any enterprise today. I wanted to share his writing with you.

In the world of anti-malware most people are satisfied with good detection capabilities. But when we really stop to think about what detection gives us, it’s rather disappointing. It’s little more than a big red flashing light that says “ALERT: SOMETHING HAPPENED!” The question then becomes, what is that something that happened and what should I do about it? Here’s where the headache begins.

In most cases of virus detection the administrator has three realistic options:

  • Rely on Anti-Malware quarantine to clean up the mess
  • Re-Image the computer
  • Traditional forensic analysis

In the case of Anti-Malware quarantine we first have to “know” about the malware. We must be able to identify a signature or behavior and be able to stop the infection before it starts. Sometimes malware can occur in a series of processes and we are only able to detect the last element in the chain. If we eliminate the known elements, the unknown elements can propagate again, putting us into an infection loop. We also can’t identify the damage done during the infection. Even though we detect the malware, it may have already accomplished its goal and we have no way of knowing.

Our second option has its own set of headaches. Re-imaging a computer is often the easy way out but it can be of great inconvenience to the user-base. This invasive process can often leave you with lost data and disruptive downtime to the end user resulting in lost productivity. This will also not protect you from future attacks of the same malware.

The final approach is traditional analysis of the machine to see what happened and how it can be reversed. Having this kind of skill with the advanced malware we see today is very scarce and requires specialized training. Traditional analysis is also very time consuming and costly to perform and with advanced malware, it can often clean up its own tracks before you get a chance to discover it.

There’s a better way

With the introduction of Check Point’s Endpoint Forensics we now have a way to see the whole picture. By keeping tabs on any and all changes that occur on the system, we can develop a comprehensive image of EXACTLY what happened when the infection hit in an easy to digest roadmap.


In this example, the oem7ec2.exe process triggered a malware event. Since we’ve been keeping tabs on the changes, we can backtrack and find out exactly what happened (even across system boots). Let’s look at the steps that brought us to this point.

  • Chrome process launched
  • Chrome exploit is used while browsing to launch handle.tmp process
  • tmp process schedules a shellcode download to occur on next boot
  • exe payload is downloaded and run on startup
  • Malicious code runs and sends personal data to C&C center

Since we know the whole story and all of the processes involved, we can also see that companysecret.doc was sent outbound resulting in a loss of data.

With this roadmap, not only do we have the complete picture of the steps involved, but a means to clean it up. Knowing all the steps means we can dynamically generate a script to clean up the mess that was left behind for easy remediation.

Armed with knowledge of everything involved it’s easy to see why Endpoint Forensics is clearly better than detection.

US-CERT to Windows Users: Apple Ends Support for QuickTime for Windows

I wanted to share this with everyone, as this is something that is very important for folks to do. Krebsonsecurity.com recently reported that Windows users are being told to remove Apple QuickTime because of security concerns. Krebs reports:

“Microsoft Windows users who still have Apple Quicktime installed should ditch the program now that Apple has stopped shipping security updates for it, warns the Department of Homeland Security‘s U.S. Computer Emergency Readiness Team (US-CERT).

Computers running QuickTime for Windows will continue to work after support ends. However, using unsupported software may increase the risks from viruses and other security threats. Potential negative consequences include loss of confidentiality, integrity, or availability of data, as well as damage to system resources or business assets. The only mitigation available is to uninstall QuickTime for Windows.”

See the post from Apple “QuickTime 7 for Windows is no longer supported by Apple”  https://support.apple.com/kb/DL837?locale=en_US

US-CERT Post: https://www.us-cert.gov/ncas/alerts/TA16-105A

Thanks to Brian Krebs at krebsonsecurity.com for alerting us to this.

Security Policy Management Made Easy

Check Point’s security management architecture (SMART) has always been the best in the market. Upon release of the new R80 security management the best got even better.

In earlier versions you had to install the SmartConsole applications (SmartDashboard) in order to manage security policies. This is a tool which enables centralized management of different products and versions. However, it always required installing the application on a computer that was defined as a GUI client in the security management server. It was also possible to manage policies using the command line tool DBEDIT, but that is quite a complicated tool that cannot be recommended for normal policy manipulation; it was usually used in migrations and other more complex activities. Also, only one administrator at a time could be connected to the security management server in write mode.

All the above limitations are gone in R80. It contains a lot of new features, with even more to come in future versions. However, in this post I focus on the different ways to manipulate security policies.

  1. Unified SmartConsole
    This is the traditional way of creating rules. What is awesome is that you can do everything from the same console. SmartView Tracker is gone as a log viewer and has been replaced by SmartLog, which is shown in the same SmartConsole window.
  2. SmartConsole CLI
    This is a command line interface that can be opened directly from the SmartConsole. By giving simple commands like “add host…” you can create objects and policies. It’s also possible to put the commands into a file and upload that file directly to the CLI, where all the commands are executed. Think about the case where you need to quickly spin up several security policies or create 5000 objects. All you need to do is create a command file and run it.
    Ok, ok… This has been possible with DBEDIT as well in earlier versions, but let’s have a quick look at why the new way is better. In the following example we create the same network object with DBEDIT and with the R80 CLI. Let’s see the difference (I omit the login and update/publish commands as they are only done once for all commands):

    DBEDIT:
    create network Net_10.10.57.0
    modify network_objects Net_10.10.57.0 ipaddr 10.10.57.0
    modify network_objects Net_10.10.57.0 netmask 255.255.255.0

    R80 CLI:
    mgmt_cli add network name Net_10.10.57.0 subnet 10.10.57.0 mask-length 24 -s id.txt

    Instead of three commands in DBEDIT, with R80 you give only one. As I said, this is a bit of a simplified statement as the login and publish are missing, but I’m sure you get the point.
  3. GAIA CLI
    From the Gaia command line you can log in to the management console (see the example below). The Gaia management console is similar to the one in SmartConsole. Each command starts with the keyword “mgmt”, like “mgmt add host…”.

    R80Mgmt> mgmt login user admin
    Enter password:
    R80Mgmt>
    R80Mgmt> mgmt show networks
    objects:
    - uid: "0baad4de-7221-4578-b2b9-c3b78a759124"
      name: "CP_default_Office_Mode_addresses_pool"
      type: "network"
      domain:
        name: "SMC User"
  4. mgmt_cli
    This small tool is available on all R80 management servers and SmartConsole installations and allows you to access the management server from any Linux or Windows machine (in Windows the tool is called mgmt_cli.exe). You don’t have to install SmartConsole on the computer; it’s enough to copy the mgmt_cli tool (it doesn’t require any installation) from an existing installation to the computer you would like to use for accessing the management server. The only thing you need to do is enable the API in the Management API Settings of the R80 SmartConsole.
    The only difference between mgmt_cli and SmartConsole or the Gaia CLI is that authentication needs to be carried out every time. When you log into SmartConsole you give the user name and password once, but with mgmt_cli you either give this information on every command or run a login command which creates a session for you. See the example below.
    Example:
    The following mgmt_cli session logs into the system, creating a session (the same session id is used for every command), then creates some host and network objects and a policy package with one rule (a cleanup rule is there by default but without logging; this example enables logging for the cleanup rule as well). Finally the configuration changes are published, making them available to other admins too, and the session is ended with the logout command.

    mgmt_cli login user admin password vpn123 -m 192.168.80.254 > id.txt
    mgmt_cli add host name h_12 ip-address 10.1.2.10 -s id.txt
    mgmt_cli add host name h_13 ip-address 10.1.2.11 -s id.txt
    mgmt_cli add host name h_14 ip-address 10.1.2.12 -s id.txt
    mgmt_cli add host name h_15 ip-address 10.1.2.13 -s id.txt
    mgmt_cli add host name h_16 ip-address 10.1.2.14 -s id.txt
    mgmt_cli add host name h_17 ip-address 10.1.2.15 -s id.txt
    mgmt_cli add host name h_18 ip-address 10.1.2.16 -s id.txt
    mgmt_cli add host name h_19 ip-address 10.1.2.17 -s id.txt
    mgmt_cli add host name h_20 ip-address 10.1.2.18 -s id.txt
    mgmt_cli add network name n_test_net1 subnet 10.10.10.0 mask-length 24 -s id.txt
    mgmt_cli add network name n_test_net2 subnet 192.168.192.0 mask-length 24 -s id.txt
    mgmt_cli add network name n_test_net3 subnet 172.16.172.0 mask-length 24 -s id.txt
    mgmt_cli add package access True threat-prevention True name Policy_Lari -s id.txt
    mgmt_cli set access-rule layer "Policy_Lari Network" name "Cleanup rule" track "Log" -s id.txt
    mgmt_cli add access-rule layer "Policy_Lari Network" position 1 name "Test Rule" source n_test_net1 destination h_12 service "ssh" action "Accept" track "Full Log" -s id.txt
    mgmt_cli publish -s id.txt
    mgmt_cli logout -s id.txt

  5. Web Services
    You can create your own web app that simply uses HTTPS POST requests to manipulate your security policies. This way you can integrate the security management with almost any web-based ticketing system or similar. For more detailed information about the web services and usage examples, visit the developers forum at R80 Exchange Point.
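The mgmt_cli session in item 4 hand-writes every add host line and puts the admin password on the command line. The script below is an added example, not Check Point code or the post's own: it generates that same kind of batch from a list of “name ip” records, validates every address before anything is sent, and wraps the adds in a session that is discarded rather than published if one of them fails. The host records and the management address 192.168.80.254 are constructed for the demonstration, and it assumes mgmt_cli prompts for the password when the login command omits it, as the Gaia “mgmt login” in item 3 does.

```bash
#!/bin/bash
# Build a mgmt_cli batch script from a list of hosts (added example; not Check Point code).
# Input records are "<object name> <IPv4 address>", one per line. Every record is validated
# first, so a typo cannot leave a session half-filled, and the generated script wraps the
# adds in login / publish / logout with a discard if any add fails.

# is_ipv4 ADDR -> succeeds only for a dotted quad with every octet in 0-255
is_ipv4() {
    local IFS=. octet n=0
    case "$1" in .*|*.|*..*|*[!0-9.]*) return 1 ;; esac
    for octet in $1; do
        [ "$octet" -le 255 ] || return 1
        n=$((n + 1))
    done
    [ "$n" -eq 4 ]
}

# emit_host_cmds SESSION_FILE < records -> one "mgmt_cli add host" line per valid record;
# returns 1 (after printing the reasons to stderr) if any record had to be rejected
emit_host_cmds() {
    local sid="$1" name ip rest bad=0
    while read -r name ip rest; do
        case "$name" in ''|\#*) continue ;; esac      # blank line or comment
        if [ -n "$rest" ] || [ -z "$ip" ]; then
            echo "rejected: expected '<name> <ip>', got '$name $ip $rest'" >&2; bad=1; continue
        fi
        case "$name" in *[!A-Za-z0-9_.-]*) echo "rejected: bad object name '$name'" >&2; bad=1; continue ;; esac
        is_ipv4 "$ip" || { echo "rejected: bad address '$ip' for $name" >&2; bad=1; continue; }
        printf 'mgmt_cli add host name "%s" ip-address %s -s %s\n' "$name" "$ip" "$sid"
    done
    return "$bad"
}

# build_session_script MGMT_HOST RECORD_FILE OUT_FILE -> writes the complete session script;
# writes nothing and returns 1 if any record is invalid
build_session_script() {
    local mgmt="$1" records="$2" out="$3" cmds
    cmds=$(emit_host_cmds id.txt < "$records") || return 1
    {
        printf '%s\n' '#!/bin/bash' 'set -e'
        # The password is left off the login line on purpose: mgmt_cli prompts for it,
        # which keeps it out of shell history and the process list.
        printf 'mgmt_cli login user admin -m %s > id.txt\n' "$mgmt"
        # If any add fails, throw the session away instead of publishing part of it.
        printf '%s\n' "trap 'mgmt_cli discard -s id.txt; mgmt_cli logout -s id.txt' ERR"
        printf '%s\n' "$cmds"
        printf '%s\n' 'mgmt_cli publish -s id.txt' 'mgmt_cli logout -s id.txt'
    } > "$out"
}

# Constructed sample records for the demonstration (not real hosts).
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/hosts.txt" <<'EOF'
# name  ip-address
h_12 10.1.2.10
h_13 10.1.2.11
h_14 10.1.2.12
EOF
cat > "$WORK/bad_hosts.txt" <<'EOF'
h_20 10.1.2.18
h_21 10.1.2.256
h 22 10.1.2.19
EOF

build_session_script 192.168.80.254 "$WORK/hosts.txt" "$WORK/create_hosts.sh" && cat "$WORK/create_hosts.sh"
build_session_script 192.168.80.254 "$WORK/bad_hosts.txt" "$WORK/never_written.sh" || echo "bad_hosts.txt: nothing generated"
```

The generated create_hosts.sh is what you would then run on a machine holding the mgmt_cli tool. For very large lists mgmt_cli can also take a CSV through its --batch option; the validation and the discard-on-failure wrapper shown here apply just the same.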

Adobe Critical Vulnerability and Patch

Brian Krebs wrote an article at Krebs on Security about Adobe. Seems they had to rush an emergency patch out because the security hole was already being exploited in active attacks.

Adobe said a “critical” bug exists in all versions of Flash including Flash versions 21.0.0.197 and lower (older) across a broad range of systems, including Windows, Mac, Linux and Chrome OS.

Check out the full article here:

http://krebsonsecurity.com/2016/04/adobe-patches-flash-player-zero-day-threat/#more-34432
