Saturday, December 28, 2013

Myrtle Beach Homes/Condos

InfoSec friends, I have a new site - I look forward to helping you buy your dream ocean front home or condo in Myrtle Beach, South Carolina! If you've never been to Myrtle Beach, it's an awesome place to vacation, or to live! 

Scroll down for my posts on InfoSec, Security, Linux, Firewalls, and IDS/IPS.

Wednesday, November 17, 2010

Helpful Bookmarks & Links

CheckPoint - CheckPoint Support Site - CheckPoint User Group / Forums - CheckPoint FAQ (old but good)

Cisco - Cisco Support Forums - Official Cisco Security Blog

Juniper - Juniper Knowledgebase - Juniper How-to Site

Sourcefire - Sourcefire Blog (old but good) - Sourcefire Support

TippingPoint - TippingPoint Knowledgebase and Threat Mgmt Center

Monday, November 8, 2010

Troubleshooting High CPU on Cisco ASA

show cpu
show processes cpu-usage

**This will tell us which process is consuming the most CPU.

**Dispatch Unit is the "packet processing" process of the ASA. If the Dispatch Unit is showing high utilization, take a packet capture (pcap) from the ASA and view it in Wireshark to see what traffic is causing the most load on the ASA.

Enable CPU Profiling (to provide to Cisco TAC)
cpu profile activate 5000

Cisco ASA 8.2+:
show cpu profile dump

Pre 8.2:
show cpu profile

Saturday, November 6, 2010

Wednesday, November 3, 2010

Fortinet - Free self-paced training online

Fortinet recorded webinar sessions (under Self-paced Online Training):

Customizing SSL VPN Portals
Directory Services Integration using FSAE

Free Fortinet endpoint firewall with IPS and AV (FortiClient)

Free endpoint firewall with IPS and AV

Packet Sniffing on a Fortinet/FortiGate Firewall

Tips for troubleshooting Imperva WAF

Tips for troubleshooting Imperva WAF:

  • statistics.csv from Setup->Gateways->the relevant GW -> the rightmost panel. 
  • get-tech-info
  • cat /opt/SecureSphere/etc/patch_level
  • download "imperva-stats-script" from Imperva site, and run script for 24 hours.

WAF - Relevant Questions to Ask

Relevant Questions to Ask for Implementing a new WAF (Imperva, Breach, etc.)

Web Server Information
Application Name - IP Address & Port
SSL? (yes/no)
IP Type (Legal/NAT/Load Balanced)
Number of Physical Machines
Network Throughput
Web Server Vendor
Web Server Operating System
Web site type (static/dynamic)
Application Server
Web Application Vendor (custom, peoplesoft, etc..)
Web Application Language (.net, java, etc)
Web Application Transactions per second

Database Information
Database Name
Machine Name or IP Address
Number of Database Servers (physical Database boxes)
Network Throughput
Database Vendor
Database Operating System type
Database Transactions per second

Imperva WAF - Export Full Config from CLI

Export the full config from the CLI of an Imperva WAF:

1) cd /tmp

IPSO CLISH Interface Examples

clish - interface command examples:
set interface eth1 speed 100M duplex full auto-advertise on
add interface eth1c0 address <ip-address/mask> enable
delete interface eth-s1p2c0 address <ip-address>
delete interface eth4c0 address <ip-address>
set static-route default nexthop gateway address <gateway-ip> priority 1 on

Tuesday, September 21, 2010

Nokia IPSO Status LEDs

  • Solid blue - Power on
  • Solid yellow - Appliance is experiencing an internal voltage problem.
  • Blinking yellow - Appliance is experiencing a temperature problem.
  • Solid red - One or more fans are not operating properly.
  • Blinking green - System activity indicator

Peer-to-Peer (P2P) Ports

Kazaa, Grokster, Morpheus
TCP 1214
UDP 1214

TCP 4661-4672
UDP 4661-4672

WinMX & Napster
TCP 6257
UDP 6257
TCP 6699
UDP 6699

TCP 6881-6889
TCP 6969
UDP 6881-6889

Gnutella (Bearshare, Limewire)
TCP 6346, 6347, 6348
UDP 6346, 6347, 6348

TCP 4444, 5555, 6666, 7777, 8888
UDP 4444, 5555, 6666, 7777, 8888

tcpdump for ARP packets

tcpdump -lnni eth2 ether proto 0x0806
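As an added example (not from the original post) that serves both the Dispatch Unit note in the ASA high-CPU post above and this ARP filter: a small classic-pcap reader that counts ARP requests and replies by EtherType 0x0806 and ranks IPv4 source addresses by frame count, so the capture you pull off the ASA can be triaged before opening it in Wireshark. The pcap bytes, MAC addresses and 10.0.0.x hosts are constructed for the demonstration.

```python
import struct
from collections import Counter

# Classic pcap global header: magic, v2.4, tz 0, sigfigs 0, snaplen 65535, linktype 1 (Ethernet)
PCAP_GLOBAL_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
BCAST = b"\xff" * 6
MAC_A, MAC_B, MAC_C = (bytes([0xAA] * 5 + [i]) for i in (1, 2, 9))  # constructed hosts
IP_A, IP_B, IP_C = (bytes([10, 0, 0, i]) for i in (1, 2, 9))

def eth(dst, src, ethertype, payload):
    return dst + src + struct.pack("!H", ethertype) + payload

def arp(op, sha, spa, tha, tpa):
    # htype 1 (Ethernet), ptype 0x0800, hlen 6, plen 4, opcode 1=request / 2=reply
    return struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + sha + spa + tha + tpa

def ipv4(src, dst, proto=6):
    # Minimal 20-byte IPv4 header, no options, checksum left at zero (enough to parse)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0, src, dst)

def pcap_file(frames):
    # Each record: ts_sec, ts_usec, incl_len, orig_len, then the frame bytes
    return PCAP_GLOBAL_HDR + b"".join(
        struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames))

def records(pcap):
    # Yield (ethertype, frame) for every record in a little-endian classic pcap
    off = 24
    while off + 16 <= len(pcap):
        incl = struct.unpack("<IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        yield struct.unpack("!H", frame[12:14])[0], frame

def summarize(pcap):
    # ARP request/reply counts (what 'ether proto 0x0806' matches) and IPv4 sources by frame count
    arps, talkers = Counter(), Counter()
    for ethertype, frame in records(pcap):
        if ethertype == 0x0806:
            arps["request" if struct.unpack("!H", frame[20:22])[0] == 1 else "reply"] += 1
        elif ethertype == 0x0800:
            talkers[".".join(map(str, frame[26:30]))] += 1
    return dict(arps), talkers.most_common()

# Constructed capture: one ARP exchange, then 10.0.0.9 out-talking the other two hosts
SAMPLE = pcap_file(
    [eth(BCAST, MAC_A, 0x0806, arp(1, MAC_A, IP_A, b"\0" * 6, IP_B)),
     eth(MAC_A, MAC_B, 0x0806, arp(2, MAC_B, IP_B, MAC_A, IP_A))]
    + [eth(MAC_B, MAC_A, 0x0800, ipv4(IP_A, IP_B))] * 3
    + [eth(MAC_A, MAC_B, 0x0800, ipv4(IP_B, IP_A))]
    + [eth(MAC_B, MAC_C, 0x0800, ipv4(IP_C, IP_B))] * 5)
```

To run it against a real capture, replace SAMPLE with the bytes of the file (`open(path, "rb").read()`); only little-endian classic pcap with Ethernet link type is handled, not pcapng.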

Tuesday, September 7, 2010

Enable AIP-SSM IPS Inspection on ASA

policy-map global_policy
class ips_class_map
ips inline fail-open

Or for passive:
ips promiscuous fail-open

Clear ACL Hit Counters

clear access-list <access-list name> counters

Enable VPN Keep Alive on Cisco ASA VPN Tunnel

Cisco PIX/ASA 7.x and later, for the tunnel group named <tunnel-group-name>:
asa(config)#tunnel-group <tunnel-group-name> ipsec-attributes
asa(config-tunnel-ipsec)#isakmp keepalive threshold 15 retry 10

Copy many routes from one Linux box to another

netstat -rn | grep '^[0-9]' | awk '{printf "route add -net %-15s gw %-15s netmask %s\n", $1, $2, $3}' | sort > routing_table

CheckPoint Log Buffer Full

1. Create or modify (if the file exists) the $FWDIR/boot/modules/fwkern.conf file on the Security gateway.
2. Add the entry fw_log_bufsize=xxxxx, where xxxxx is the desired size in bytes (default = 81920) - try to set it to 163840.
3. Reboot the Security gateway

Add the following to fwstart.conf:
$FWDIR/bin/fw ctl debug -buf 8192
fw ctl kdebug -f > /var/log/console.log &
echo "fw debug messages go to /var/log/console.log"

Commands to Troubleshoot CheckPoint HA Interface Issues

fw ctl iflist
cat $FWDIR/conf/discntd.if (interfaces commented out for HA monitoring)

cphaprob state
cphaprob -a if
cphaprob list

Clear CheckPoint NAT and State Table

fw tab -t sam_blocked_ips -x
fw tab -t fwx_alloc -x
fw tab -t connections -x

Troubleshoot traffic to an IP thru a CheckPoint Firewall

fw monitor -e "accept src=<ip> or dst=<ip>;" > /tmp/fwmon-<ip> &
tcpdump -w /tmp/traffic.cap -lnni any host <ip> &
fw ctl zdebug drop > /tmp/conn.dbg &
fw log -ftn | egrep <ip> >> /tmp/fw-log-<ip> &

List the Top Connections on a CheckPoint Firewall

fw tab -t connections -u -f >> conns.txt
sort conn-ips.txt | uniq -c | sort -n

How to run a CheckPoint Debug

fw ctl debug 0
fw ctl debug -buf 10000
fw ctl debug -m drop conn packet
fwaccel dbg -m general all 
fw ctl kdebug -f >& fwconnchain.elg

Ctrl+C to stop the debug
fw ctl debug 0

fw ctl debug 0
fw ctl debug -buf 8192
fw ctl debug + conn link drop
fw ctl kdebug -f >& fwconnchain.elg
fw ctl debug 0

Command to list CheckPoint Installed Products

cpprod_util CPPROD_GetKeyValues products 0

CheckPoint Failover Commands

Fail to FAILED:
cphaprob -d faildevice -s problem report

Fail to OK:
cphaprob -d faildevice -s ok report

Check sync stat:
cphaprob syncstat
cphaprob -reset syncstat

fw ctl pstat
cphaprob -i list

Easier method to fail over:
cphastop (primary)
then cphaprob state (secondary)
then cphastart (primary)
should come back as primary standby.

Modify Failover Timeouts:
cphaprob -i list
cphaprob -d fwd -t 45 -s ok -p register
cphaprob -d cphad -t 15 -s ok -p register