Check Point NG VPN-1/FireWall-1 Advanced Configuration and Troubleshooting, part 10 (docx)


Document information

UserAuthority • Chapter 14 545

Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the “Ask the Author” form.

Q: Where can I install UserAuthority Server?
A: UserAuthority Server can be installed on Check Point FireWall-1 enforcement modules and/or it can be installed on Windows domain controllers (Windows 2000 or NT 4).

Q: Where can I install the WebAccess module?
A: The WebAccess module can be installed on multiple Microsoft IIS version 4 or version 5 Web servers. There is a beta version of the WebAccess module for the Apache Web server on Linux.

Q: Where can I install the UserAuthority SecureAgent?
A: The UserAuthority SecureAgent can be installed on the desktop PC of your users who authenticate to your Windows domain (where the domain controller has the UserAuthority Server installed).

Q: Why can’t I see the WebAccess tab in the SmartDashboard GUI?
A: This is not enabled by default. You need to click Policy | Global Properties | SmartDashboard Customization. At the bottom of the window is a check box for Display Web Access view, which needs to be checked.

Q: How do I install a policy to the WebAccess module? It does not show up when I attempt to install the FireWall-1 Security policy or if I try to install the User Database.
A: You can only install the WebAccess policy from the WebAccess tab screen in the SmartDashboard GUI. Right-click the WebSites icon and then select Install. You can install to a specific WebAccess module only if you right-click the specific object and click Install.

Q: When I configure SSO to a WebAccess module and log in using the SecureAgent on a desktop host and authenticate against the PDC, then use a browser to access the WebAccess server, the WebAccess server fails to identify my user ID. Why? My WebAccess server does not identify my user ID, although I’m sure I have UserAuthority working correctly on my domain controller and firewall. What could be the problem?
A: A common cause of this problem is that the connection to the WebAccess server is being address-translated—either by the firewall module or by another host between yourself and the WebAccess server. Using a proxy to access the Web server will have a similar effect. You need to avoid NAT and proxying on the connections to the WebAccess server. If you must use a proxy, WAM can interpret an HTTP header that identifies the original source IP address of the client, if your proxy supports that.

Q: Can I use SecureClient as a remote user and achieve SSO?
A: Yes. When you authenticate using SecureClient, you will register with the UAS on the firewall enforcement module that your SecureClient module authenticated against, and then the WebAccess server can query the module to see if you have authenticated (or if not, the firewall module you authenticated against can use chaining to query other firewall modules).

Q: We have personal firewalls on our internal PCs. Will this cause a problem for UA SecureAgent?
A: Yes. SecureAgent must be able to receive queries from the domain controller UAS on UDP port 19194. Your personal firewall must be configurable to allow this traffic. Note that Check Point SecureClient version 4.1 cannot be configured to this level of granularity, so it is not suitable for use with SecureAgent if the SecureClient policy is blocking incoming connections to the client. SecureClient NG allows finely granular policies, so it is fully compatible.

Q: We are running a gateway cluster. Can we run UAS on the cluster members?
A: Yes, UAS can be run on a cluster. However, the cluster mechanism will not synchronize the UACM databases between the members. Check Point supplies a utility called db_sync that will update cluster members. The synchronization must be scheduled manually by the administrator.

www.syngress.com 259_Chkpt_VPN_14.qxd 4/3/03 1:39 PM Page 545

Chapter 15
Firewall Troubleshooting

Solutions in this chapter:
■ SmartView Tracker
■ SmartView Monitor
■ Using fw monitor
■ Other Tools
■ Summary
■ Solutions Fast Track
■ Frequently Asked Questions

259_ChkPt_VPN_15.qxd 4/3/03 1:41 PM Page 547

Introduction

Traffic is not flowing, the phone is ringing, and you are scrambling to figure out why. As the administrator of your firewall, you have a large selection of tools at your disposal. There are also a number of tools that you should have close at hand in the event of trouble. SmartView Monitor, SmartView Tracker, a local network sniffer—you should know how to use all of the tools possible to ensure you can troubleshoot the problems that you will no doubt face. We review the Check Point tools and some third-party tools that we recommend that you have in your arsenal.

Check Point has provided the SmartView Tracker so that you can view the traffic as it flows through the firewall. This should be the first line of troubleshooting your firewall. SmartView Monitor allows you to view interfaces and links in real time. Immediate traffic flow analysis is available to determine how the system is functioning. Along with these tools, Check Point provides command-line utilities that expose the FireWall-1 kernel statistics, VPN and encryption, and other performance metrics.

Check Point also has other tools that will allow the more technical personnel to perform fw monitor functions. fw monitor is a command-line facility that allows you to analyze the traffic flowing through your firewall on a systematic basis. We review the best methods of using this utility, and how it can provide insight as to where your firewall may not be functioning as you expect.

SmartView Tracker

Typically the first thing you’ll want to do when analyzing firewall behavior is to log in to the SmartView Tracker and watch the traffic as it flows through your firewall. This tool is installed along with the other Check Point SMART Clients on an NG FP3 Windows workstation or server by default. If you are running a pre-FP3 management module, this same tool will be named Log Viewer.

The FP3 SmartView Tracker provides a new view into the FireWall-1 logs, with three modes accessible via tabs (Log, Active, and Audit). As shown in Figure 15.1, you also have several options in a drop-down menu format within each view for customizing and searching the log records that are displayed. The nicest feature about the FP3 interface is the modular views, where you can have multiple instances of the logs open within the Tracker frame by selecting File | Open In New Window and selecting the filename you wish to open.

Filtering Traffic

You can make certain selections within the SmartView Tracker to limit the log records viewable, which can help you to isolate certain traffic and more effectively troubleshoot your firewall. There are a number of predefined selection criteria that you can choose from in the menu display on the left. The default is to show All Records, but you can also choose to view only FireWall-1, VPN-1, or FloodGate-1 traffic, for instance, by simply right-clicking on the name and choosing Open. You can determine exactly what is being filtered by looking for a green icon next to the column where the filter is applied. For example, the FireWall-1 predefined filter sets the Product column to SmartDefense and VPN-1 & FireWall-1 only; the VPN-1 filter sets the Encryption Scheme column to IKE and FWZ; and the FloodGate-1 filter sets the Product column to FloodGate-1 only.

If you would prefer to create your own filters, each of the columns in the frame that displays the logs has a filter option, which you can activate by simply right-clicking on the column and selecting Edit Filter. See Figure 15.2 for an example of the service filter window in which we have selected SMTP as the protocol we hope to scan for in the logs. To do this, follow these steps:

1. Log in to SmartView Tracker.
2. Ensure that All Records are displayed.
3. Right-click on the column labeled Service and choose Edit Filter.
4. Type smtp in the selection window on the right-hand side, or scroll down to the service you wish to choose in the list.
5. Click Add. You can add as many services as you want to see in the logs to this window.
6. Click OK.

Figure 15.1 SmartView Tracker Log View

To remove a filter, simply right-click on the column and choose Clear Filter. You can also configure multiple filters and search, for example, for all SMTP traffic from a specific source address that was dropped. You can then save the filters you have created as a “Custom” filter and load them again anytime. Use the Query menu to save custom filters and to perform other filter operations.

Active and Audit Logs

The other tabs available to you in the SmartView Tracker are the Active and Audit logs. The Active view shows you any active connections in your firewall(s) in real time. The Audit view shows you what the firewall administrators are doing, such as who logs into the various Smart Clients and when, as well as any changes they may make while logged in with write permission. If something suddenly stops working one day, and you have others administering the policy, it might be a good idea to see if any changes were made that correspond to the outage in service. The Audit view will give you such detail as the color of an object that was changed, new objects that were created, a policy that was installed, and so on. You can set up filters in both the Active and Audit logs the same way you did in the Log view.

Figure 15.2 SmartView Tracker Service Filter

Tools & Traps…

GUI Administrators

It is best to use individual admin usernames instead of a generic username like fwadmin. The problem with using a generic login ID is that you cannot properly audit the activities of the firewall administrators. It may be important for you to know who installed the last security policy when you are troubleshooting a problem. This becomes more and more important when there are several people administering a firewall system. It is also important to limit the activities of your administrators to only those functions that they will need. You may not want to give an entry-level sys admin write access to the security policy if he will only need to manage network objects and users. FireWall-1 is very flexible in the permissions you can customize for each administrator, so take advantage of it.

SmartView Monitor

SmartView Monitor is included free with all SmartCenter Pro licenses. With this product you can receive up-to-the-minute information about your firewalls and networks due to status alerts, security threat alerts, and defense capabilities monitored and reported in SmartView. In addition, SmartView Monitor can assist in long-term decision making and policy planning due to data mining, trending, and detailed analytical tools included in SmartView.

In order to view real-time monitor data from your FP3 SmartCenter, you will need to install the SmartView Monitor on your firewall modules, check the box labeled SmartView Monitor in the Check Point products list for the relevant Check Point objects defined through SmartDashboard, and then install the security policy. You will also require an additional license for monitoring and reporting per module if you are not running a SmartCenter Pro. SmartView Monitor (a.k.a. Real-Time Monitoring) is very useful for environments where troubleshooting through the firewall is common, and SmartView Monitor can be used in lieu of other monitoring software, thereby saving money.

Log in to the SmartView Monitor from the SMART Clients menu, and you will be presented with a screen similar to the one shown in Figure 15.3. In this screen, you will need to select the type of session you wish to start. You can select only one firewall or interface to monitor at a time. You are also able to record a session and play it back later.

Figure 15.3 Session Type

The other tabs listed will depend on your selections on the Session Type tab. If you choose Real-Time for the Session Mode, you will be able to monitor Check Point System Counters, Traffic, or a Virtual Link. From the Settings tab, you can control the monitor rate, which is set to 2 seconds by default, and you can choose between a line or bar graph. You may also have the options to choose the type of measurement by Data Transfer Rate, Packets per Second, Line Utilization (%), Percent, or Milliseconds, and to set the scale for the graphs that you are viewing. These choices are shown in Figure 15.4.

Figure 15.4 Session Properties Settings

Monitoring Check Point System Counters

Check Point System Counters allow you to monitor and report on system resources and other statistics for your enforcement points. Figure 15.5 shows a monitoring session on a cluster that measures the size of the connection table in FireWall-1. This data can be very valuable for analyzing the traffic at your site. You could possibly identify a problem if you see the connections reaching the maximum of 25,000 at any time, which will give you the opportunity to increase that value to better fit the needs of your connection.

There are a number of counter categories for you to choose from in the Counters tab in your SmartView Monitor properties window. Choose Basic: FireWall-1 from the pull-down menu to monitor the number of active connections as shown in Figure 15.5. You could also choose to monitor dropped, rejected, and/or accepted packets, memory and CPU, encryption parameters, security servers, and FloodGate-1 traffic. You don’t have to choose just one setting to monitor either; you can select as many counters as you wish and each one will be displayed on the same graph with a different line color. Don’t get too carried away though, or you won’t be able to read the output.

Figure 15.5 Monitoring FireWall-1 Active Connections

Monitoring Traffic

Using the SmartView Monitor to monitor traffic is another way to view the statistics on your firewall. When choosing Session Type, select Traffic by: and then select from Services, Network Objects (IPs), QoS Rules, or Top Firewall Rules. If you take the default, Services, the Monitor by Services tab will be available in the SmartView Monitor properties window, and you can select the method that you would like to view services. You could again take the default of Top 10 Services, as shown in Figure 15.6, or you can narrow it down to a particular service that you may wish to monitor.

Monitoring by network objects is similar to monitoring by service: the default is to display the Top 10 Network Objects, or you can select specific objects that you wish to display instead. You can also choose whether you want the object monitored in the source, destination, or both. Top Firewall Rules allows you to choose how many (10 is the default) firewall rules you wish to monitor. This feature may help you to better order your rules, since you should attempt to write your policy such that the most frequently used rules are placed closest to the top of the policy for better performance. If you are running FloodGate-1, you can also monitor QoS Rules through the SmartView Monitor. The Monitor by QoS Rules tab in the Session Properties window allows you to choose the rules that you wish to display, and then you can watch how they are utilized.

Monitoring a Virtual Link

To monitor a Virtual Link, you must first define one or more Virtual Links through the SmartDashboard from the Virtual Links tab in the Objects Tree. You will need to give the link a name and specify two firewall modules as end points. End point A must be an internal FireWall-1 module, and end point B may be either internal or external. If you wish to monitor the link between these modules, you must check the box to Activate Virtual Link. You can also define SLA parameters from the Virtual Link Properties window in the SmartDashboard to ensure that the SLA is being met.

NOTE
Check Point uses the Check Point End-to-End Control Protocol (E2ECP) service to monitor the link between gateways in a Virtual Link configuration. You may need a rule to allow the communication for this protocol on both end points. E2ECP uses UDP port 18241.
Once you have selected the Virtual Link you wish to monitor in the Session Properties window in SmartView Monitor, select the Virtual Link Monitoring tab to choose the type of graph you wish to have displayed. You can choose to view Bandwidth or Bandwidth Loss from point A to B, B to A, or both directions (as shown in Figure 15.7), or you can choose Round Trip Time to monitor the total time it takes for a packet to travel round trip between the gateways.

Figure 15.6 Monitoring Top 10 Services

[...] are ICMP, TCP, and UDP, which are represented by numbers 1, 6, and 17 respectively.

Figure 15.10 IP Packet Header (byte offsets 0 to 19: IP Version, Header Length (4 bits), Type of Service (TOS), Total Packet Length (in Bytes), 16-bit Identification, Flags, 13-bit Fragment Offset, Time to Live (TTL), Protocol (Transport Layer Protocol), Header Checksum, 32-bit Source IP Address, 32-bit Destination IP Address)

If you are interested in capturing data to or from a specific IP address, you might use the following syntax:

fw monitor -e “accept [12,b]=10.10.10.1 or [16,b]=10.10.10.1;” –o monitor.out

In this example, [12,b] represents the source IP address, which starts in the twelfth byte of an IP packet header (starting from 0, as shown in Figure 15.10). In this case, you do not ...

[...] Physical interface = eth1

Table 15.2 Interface Direction Inspection in fw monitor
Inspection Point | Description
i | Before VPN-1/FireWall-1 kernel inspection in the inbound direction
I | After VPN-1/FireWall-1 kernel inspection in the inbound direction
o | Before VPN-1/FireWall-1 kernel inspection in the ...
O | ...

[...] 1. Run fw monitor -e “accept [12,b]=192.168.0.8 or [16,b]=192.168.0.8;”.
2. Start the FTP ...

[...] 6291456 bytes in 1535 4KB blocks using 1 pool
Total memory bytes used: 369748 unused: 5921708 (94.12%) peak: 871940
Total memory blocks used: 122 unused: 1413 (92%) peak: 243
Allocations: 12101262 alloc, 0 failed alloc, 12095655 free
System kernel memory (smem) statistics: ...

[...] fw monitor -e "accept [12,b]=IP_A or [12,b]=IP_B;"

If that produces too much data, and you want to further filter based on port number, try the following:

fw monitor -e "accept [12,b]=IP_A or [12,b]=IP_B and [20:2,b]=80 or [22:2,b]=80;"

Example output:

eth-s4p1c0:i[40]: 192.168.1.3 -> 207.171.185.16 (TCP) len=40 ... seq=12f51366 ack=0000fb02
eth-s4p1c0:I[40]: 192.168.1.3 -> 207.171.185.16 (TCP) len=40 id=39382 TCP: 3273 -> 80 F A seq=12f51366 ack=0000fb02
eth-s3p1c0:o[40]: 192.168.1.3 -> 207.171.185.16 (TCP) len=40 id=39382 TCP: 3273 -> 80 F A seq=12f51366 ack=0000fb02
eth-s3p1c0:O[40]: 172.16.1.3 -> 207.171.185.16 (TCP) len=40 id=39382 TCP: 12551 -> 80 F A seq=12f51366 ack=0000fb02
eth-s3p1c0:i[40]: 207.171.185.16 -> 172.16.1.3 (TCP) len=40 id=0 TCP: 80 -> 12551 A seq=0000fb02 ack=12f51367
eth-s3p1c0:I[40]: 207.171.185.16 -> 192.168.1.3 (TCP) len=40 id=0 TCP: 80 -> 3273 A seq=0000fb02 ack=12f51367
eth-s4p1c0:o[40]: 207.171.185.16 -> 192.168.1.3 (TCP) len=40 id=0 TCP: 80 -> 3273 A seq=0000fb02 ack=12f51367
eth-s4p1c0:O[40]: 207.171.185.16 -> 192.168.1.3 (TCP) len=40 id=0 TCP: 80 -> 3273 A seq=0000fb02 ack=12f51367

[...] following by monitoring the sync interface via tcpdump. Notice the second column in the output contains both I and O packets, indicating that there is sync traffic both inbound and outbound on this interface.

00:42:23.630410 O 0.0.0.0.8116 > 192.168.254.0.8116: udp 28
00:42:23.720021 O 0.0.0.0.8116 > 192.168.254.0.8116: udp 24
00:42:23.720109 I 0.0.0.0.8116 > 192.168.254.0.8116: udp 36
00:42:23.831756 I 0.0.0.0.8116 > 192.168.254.0.8116: udp 28
00:42:23.832244 I 0.0.0.0.8116 > 192.168.254.0.8116: udp 1292
00:42:23.850223 O 0.0.0.0.8116 > 192.168.254.0.8116: udp 28

Q: How do I use the fw tab command to see how many hosts my firewall has counted?
A: Use the command fw tab –t host_table –s. The output will look something like the following output. The number under #VALS is the ...
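As an added example (not code from the book), the following Python models how the fw monitor expressions quoted in this chapter address packet fields: [12,b] and [16,b] are the 4-byte source and destination addresses at IP header offsets 12 and 16, [20:2,b] is 2 bytes at offset 20, and the same trick shows why the FAQ filters on both the pre- and post-NAT address. The packet builder, the evaluator and the 'and'-over-'or' grouping are this example's own assumptions, not Check Point's implementation.

```python
"""Evaluate simplified fw monitor byte-offset filters against raw IPv4 packets.

Added example, not code from the book. It models the [offset,b] and
[offset:length,b] syntax of the chapter's fw monitor expressions; offsets
count from byte 0 of the IP header as in Figure 15.10.
"""
import ipaddress
import re
import struct

# One condition: [offset,b]=value or [offset:length,b]=value (IP or integer).
FIELD_RE = re.compile(r"\[(\d+)(?::(\d+))?,b\]\s*=\s*([0-9.]+)")

def field(pkt: bytes, offset: int, length: int) -> int:
    """Read `length` bytes at `offset` as a big-endian ('b') integer."""
    if offset + length > len(pkt):
        raise ValueError(f"packet too short for [{offset}:{length},b]")
    return int.from_bytes(pkt[offset:offset + length], "big")

def condition(text: str, pkt: bytes) -> bool:
    """Evaluate a single [..,b]=value comparison against the packet."""
    m = FIELD_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unsupported condition: {text!r}")
    offset, length = int(m.group(1)), int(m.group(2) or 4)  # [n,b] = 4-byte word
    raw = m.group(3)
    value = int(ipaddress.IPv4Address(raw)) if "." in raw else int(raw)
    return field(pkt, offset, length) == value

def evaluate(expr: str, pkt: bytes) -> bool:
    """Evaluate 'accept <cond> [and|or <cond>]...;' for one packet. 'and'
    binds tighter than 'or' (C-style grouping, an assumption here; the
    chapter does not say how INSPECT groups its mixed expression)."""
    body = re.sub(r"^accept\s+", "", expr.strip()).rstrip(";")
    return any(all(condition(c, pkt) for c in re.split(r"\s+and\s+", clause))
               for clause in re.split(r"\s+or\s+", body))

def ipv4_tcp_packet(src: str, dst: str, sport: int, dport: int,
                    options: bytes = b"") -> bytes:
    """Constructed sample packet: IPv4 header (+options) and a bare TCP
    header. Checksums stay zero; the filters above never read them."""
    if len(options) % 4:
        raise ValueError("IP options must be padded to a 4-byte boundary")
    ihl = 5 + len(options) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(tcp),
                     39382, 0x4000, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return ip + options + tcp

# Constructed packets modelled on the chapter's output: one segment as seen
# before NAT (192.168.1.3:3273) and after hide NAT (172.16.1.3:12551).
PRE_NAT = ipv4_tcp_packet("192.168.1.3", "207.171.185.16", 3273, 80)
POST_NAT = ipv4_tcp_packet("172.16.1.3", "207.171.185.16", 12551, 80)
# The pre-NAT packet with four NOP option bytes: TCP now starts at byte 24.
WITH_OPTIONS = ipv4_tcp_packet("192.168.1.3", "207.171.185.16", 3273, 80,
                               options=b"\x01\x01\x01\x01")

if __name__ == "__main__":
    f = "accept [12,b]=192.168.1.3 or [16,b]=192.168.1.3;"
    print(evaluate(f, PRE_NAT), evaluate(f, POST_NAT))      # True False
    print(evaluate("accept [9:1,b]=6;", PRE_NAT))            # True: 6 = TCP
    p = "accept [12,b]=192.168.1.3 and [20:2,b]=3273;"
    print(evaluate(p, PRE_NAT), evaluate(p, WITH_OPTIONS))  # True False
```

The last comparison is the caveat: a fixed offset such as [20:2,b] reads the TCP port only while the IP header is exactly 20 bytes, so a packet carrying IP options silently fails the filter.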

Date posted: 14/08/2014, 18:20

Table of contents

  • Firewall Troubleshooting

  • Index

  • Related Titles
