Press "Enter" to skip to content

Tcpdump or Fw Monitor, which is better ?

0

FW MONITOR————It is said that it captures at 4 important points in the firewall namely i,I,o & O. You would see them in the capture in the same sequence.i – Preinbound, just where the packet is received on the interface. If you see only this then the packet is dropped by address spoofing or the access rule.I – Postinbound, where the packet has gone across the incoming interface. If you don’t see the the capture…

IEEE STANDARD 802.3AD – JunOS Configuration

0

The  802.3ad standard supports aggregation on full duplex, point to point  links,  to form a Link Aggregation Group (LAG), so that a Media Access Control (MAC) Client can treat the LAG as if it was a single link.  The sublayer defines multiple functions like Link Aggregation Control (LAC), Link Aggregation Control Protocol (LACP). LAC manages the Link Aggregation sub layer by static information local to the LAG groups, and dynamic information that is exchanged as…

SecureXL Process Details

0

SecureXL is a patented technology consisting of a software package with an API for the acceleration for multiple, intensive security operations. In addition to the IPS, SecureXL also accelerates operations carried out by a Stateful Inspection firewall from Check Point. Through the SecureXL API, this firewall can offload the handling of those operations to a special module, the “SecureXL device,” which is a performance-optimized software module. In a SecureXL-enabled gateway, the firewall first uses the…

WebUI port change doesn’t survive a firewall policy push or reboot

2

Change WebUI port to 4434 from Command line: webui disable webui enable 4434 Unfortunately after a cpstop/cpstart or reboot, the 4434 port will not survive. It rolled back to 443 again.  Solution: Firewall ->Properties -> SecurePlatform -> change main url to :http://x.x.x.x:4434 goto command line do webui changes push policy. 

Route-based VPN between Juniper and Cisco

1

Another useful post for route-based vpn from http://x443.wordpress.com/page/5/  Cisco router configuration: crypto isakmp policy 1 encr aes 256 authentication pre-share group 5crypto isakmp invalid-spi-recoverycrypto isakmp keepalive 10crypto isakmp key 0 keyforlab123 address 2.2.2.2crypto ipsec transform-set ESP_AES_256 esp-aes 256 esp-sha-hmaccrypto ipsec profile CIPHER-AES-256 set transform-set ESP_AES_256 Tunnel interface configuration: interface Tunnel18 description tunnel_to_srx ip address 192.168.100.1 255.255.255.252 tunnel source GigabitEthernet0/0 tunnel destination 2.2.2.2 tunnel mode ipsec ipv4 tunnel protection ipsec profile CIPHER-AES-256end Juniper SRX configuration: interfaces…

Policy NAT-ing with overlap message – Order is important

0

Existing rule : static (dmz,outside) 200.147.90.89 172.17.1.3 netmask 255.255.255.255 There is a special situation come up today. When 172.17.1.3 access to another site 200.200.200.200 , it has to be nat-ed to different ip address 200.147.90.83 So what I did : 1. Add a new access-list PNAT-T: access-list PNAT-T extended permit ip host 172.17.1.3 host 200.200.200.200  2. Add a new access-list FW1/act/pri(config)# static (dmz,outside) 200.147.90.83 access-list PNAT-T INFO: overlap with existing static   Alphadmz:172.17.1.3 to outside:200.147.90.89 netmask 255.255.255.255…

Checkpoint Domain Object

14

Was thinking to use Domain Object as a source in our firewall rule. After consulted with checkpoint support, it seems impossible if your domain object represented multiple ip addresses. SK42128 Symptoms     Rules containing a Domain object will only resolve to one of the associated IP addresses, causing request for a site not to return a web page.  Cause A Domain object resolves a domain name by the first IP Address that appears when…