Press "Enter" to skip to content

Tcpdump or Fw Monitor, which is better ?


FW MONITOR————It is said that it captures at 4 important points in the firewall namely i,I,o & O. You would see them in the capture in the same sequence.i – Preinbound, just where the packet is received on the interface. If you see only this then the packet is dropped by address spoofing or the access rule.I – Postinbound, where the packet has gone across the incoming interface. If you don’t see the the capture…

IEEE STANDARD 802.3AD – JunOS Configuration


The  802.3ad standard supports aggregation on full duplex, point to point  links,  to form a Link Aggregation Group (LAG), so that a Media Access Control (MAC) Client can treat the LAG as if it was a single link.  The sublayer defines multiple functions like Link Aggregation Control (LAC), Link Aggregation Control Protocol (LACP). LAC manages the Link Aggregation sub layer by static information local to the LAG groups, and dynamic information that is exchanged as…

SecureXL Process Details


SecureXL is a patented technology consisting of a software package with an API for the acceleration for multiple, intensive security operations. In addition to the IPS, SecureXL also accelerates operations carried out by a Stateful Inspection firewall from Check Point. Through the SecureXL API, this firewall can offload the handling of those operations to a special module, the “SecureXL device,” which is a performance-optimized software module. In a SecureXL-enabled gateway, the firewall first uses the…

WebUI port change doesn’t survive a firewall policy push or reboot


Change WebUI port to 4434 from Command line: webui disable webui enable 4434 Unfortunately after a cpstop/cpstart or reboot, the 4434 port will not survive. It rolled back to 443 again.  Solution: Firewall ->Properties -> SecurePlatform -> change main url to :http://x.x.x.x:4434 goto command line do webui changes push policy. 

Route-based VPN between Juniper and Cisco


Another useful post for route-based vpn from  Cisco router configuration: crypto isakmp policy 1 encr aes 256 authentication pre-share group 5crypto isakmp invalid-spi-recoverycrypto isakmp keepalive 10crypto isakmp key 0 keyforlab123 address ipsec transform-set ESP_AES_256 esp-aes 256 esp-sha-hmaccrypto ipsec profile CIPHER-AES-256 set transform-set ESP_AES_256 Tunnel interface configuration: interface Tunnel18 description tunnel_to_srx ip address tunnel source GigabitEthernet0/0 tunnel destination tunnel mode ipsec ipv4 tunnel protection ipsec profile CIPHER-AES-256end Juniper SRX configuration: interfaces…

Policy NAT-ing with overlap message – Order is important


Existing rule : static (dmz,outside) netmask There is a special situation come up today. When access to another site , it has to be nat-ed to different ip address So what I did : 1. Add a new access-list PNAT-T: access-list PNAT-T extended permit ip host host  2. Add a new access-list FW1/act/pri(config)# static (dmz,outside) access-list PNAT-T INFO: overlap with existing static   Alphadmz: to outside: netmask…

Checkpoint Domain Object


Was thinking to use Domain Object as a source in our firewall rule. After consulted with checkpoint support, it seems impossible if your domain object represented multiple ip addresses. SK42128 Symptoms     Rules containing a Domain object will only resolve to one of the associated IP addresses, causing request for a site not to return a web page.  Cause A Domain object resolves a domain name by the first IP Address that appears when…