
Tcpdump or fw monitor, which is better?


FW MONITOR: It is said that it captures at four important points in the firewall, namely i, I, o and O. You would see them in the capture in that same sequence. i – Preinbound, just where the packet is received on the interface. If you see only this, then the packet is dropped by address spoofing or the access rule. I – Postinbound, where…

IEEE STANDARD 802.3AD – JunOS Configuration


The 802.3ad standard supports aggregation on full-duplex, point-to-point links to form a Link Aggregation Group (LAG), so that a Media Access Control (MAC) Client can treat the LAG as if it were a single link. The sublayer defines multiple functions, such as Link Aggregation Control (LAC) and the Link Aggregation Control Protocol (LACP). LAC manages the Link Aggregation sublayer…

SecureXL Process Details


SecureXL is a patented technology consisting of a software package with an API for the acceleration of multiple, intensive security operations. In addition to the IPS, SecureXL also accelerates operations carried out by a Stateful Inspection firewall from Check Point. Through the SecureXL API, this firewall can offload the handling of those operations to a special module, the “SecureXL device,”…

WebUI port change doesn’t survive a firewall policy push or reboot


Change the WebUI port to 4434 from the command line: webui disable, then webui enable 4434. Unfortunately, after a cpstop/cpstart or a reboot, port 4434 does not survive; it rolls back to 443 again. Solution: Firewall -> Properties -> SecurePlatform -> change the main URL to http://x.x.x.x:4434, then go to the command line, make the webui changes, and push policy.

Route-based VPN between Juniper and Cisco


Another useful post for route-based VPN from  Cisco router configuration:
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
crypto isakmp key 0 keyforlab123 address 
crypto ipsec transform-set ESP_AES_256 esp-aes 256 esp-sha-hmac
crypto ipsec profile CIPHER-AES-256
 set transform-set ESP_AES_256
Tunnel interface configuration:
interface Tunnel18
 description tunnel_to_srx
 ip address 
 tunnel source GigabitEthernet0/0
 tunnel…

Policy NAT-ing with overlap message – Order is important


Existing rule: static (dmz,outside)  netmask . A special situation came up today: when accessing another site, the host has to be NAT-ed to a different IP address. So what I did: 1. Add a new access-list PNAT-T: access-list PNAT-T extended permit ip host  host . 2. Add a new access-list: FW1/act/pri(config)#…

Checkpoint Domain Object


I was thinking of using a Domain Object as a source in our firewall rule. After consulting with Check Point support, it seems impossible if your domain object represents multiple IP addresses. SK42128 Symptoms: Rules containing a Domain object will only resolve to one of the associated IP addresses, causing a request for a site not to return a web page. Cause…

Add static route in Smoothwall


Firstly, edit the file /etc/rc.d/rc.netaddress.up. Above the line 'echo "setting up firewall ……."', add:
/sbin/route add -net destination netmask subnetmask gw gateway dev deviceinterface
Then edit /etc/rc.d/rc.firewall.up. After the section on "# Allow packets that we know about through …", add:
# Allow packets from green to green
/sbin/iptables -A FORWARD -i $GREEN_DEV -o $GREEN_DEV -j ACCEPT

No response when pinging the MS Cluster’s IP address – Solution


There is a Citrix cluster deployed in our environment, but the cluster IP is not working from an outside network, although it works fine within the same network. I checked the MS doc on troubleshooting NLB and found the following cause: There is no response when you use ping to access the cluster's IP address from an outside network. Verify that you can use ping to access the dedicated IP addresses…