Friday, 28 August 2015

Adding jobs to the CheckPoint cron

  • On Gaia OS:
    1. Cron job #1 - for IPv4:
      [Expert@HostName:0]# dbset cron:admin:job:cp_online_services t
      [Expert@HostName:0]# dbset cron:admin:job:cp_online_services:startup 0
      [Expert@HostName:0]# dbset cron:admin:job:cp_online_services:daysinweek all
      [Expert@HostName:0]# dbset cron:admin:job:cp_online_services:months all
      [Expert@HostName:0]# dbset cron:admin:job:cp_online_services:daysinmonth all
      [Expert@HostName:0]# dbset cron:admin:job:cp_online_services:hours all
      [Expert@HostName:0]# dbset cron:admin:job:cp_online_services:minutes */10
      [Expert@HostName:0]# dbset cron:admin:job:cp_online_services:command "$FWDIR/scripts/cp_servers_dynobj_ipv4.sh > /dev/null 2>&1"
      [Expert@HostName:0]# dbset :save
      [Expert@HostName:0]# /bin/cron_xlate cron < /config/active
    2. Cron job #2 - for IPv6 (Optional: only if IPv6 is enabled and DNSv6 server is used):
      [Expert@HostName:0]# dbset cron:admin:job:cp_online_services_ipv6 t
      [Expert@HostName:0]# dbset cron:admin:job:cp_online_services_ipv6:startup 0
      [Expert@HostName:0]# dbset cron:admin:job:cp_online_services_ipv6:daysinweek all
      [Expert@HostName:0]# dbset cron:admin:job:cp_online_services_ipv6:months all
      [Expert@HostName:0]# dbset cron:admin:job:cp_online_services_ipv6:daysinmonth all
      [Expert@HostName:0]# dbset cron:admin:job:cp_online_services_ipv6:hours all
      [Expert@HostName:0]# dbset cron:admin:job:cp_online_services_ipv6:minutes */10
      [Expert@HostName:0]# dbset cron:admin:job:cp_online_services_ipv6:command "$FWDIR/scripts/cp_servers_dynobj_ipv6.sh > /dev/null 2>&1"
      [Expert@HostName:0]# dbset :save
      [Expert@HostName:0]# /bin/cron_xlate cron < /config/active

  • On SecurePlatform OS (note that the entire command ends with minus "-"):
    Note: IPv6 is not supported on SecurePlatform OS. Therefore, only the cron job for IPv4 is required.
    [Expert@HostName]# crontab -l | { cat ; echo "*/10 * * * * $FWDIR/scripts/cp_servers_dynobj_ipv4.sh > /dev/null 2>&1"; } | crontab -
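The one-liner above appends the job on every run (a second run leaves a duplicate entry), and because `$FWDIR` is expanded by the shell when the line is built, an unset FWDIR silently produces a job pointing at `/scripts/...`; the same expansion happens in the Gaia `dbset ...:command` line. The following is an added example, not part of the original post: an idempotent variant that handles both cases (the `/opt/CPsuite/fw1` value used in its checks is a constructed path, not a real Check Point install location).

```shell
#!/bin/sh
# Added example (not from the original post): safe replacement for
#   crontab -l | { cat ; echo "..."; } | crontab -
# on SecurePlatform. The cron line is only appended when it is not already
# present, and the build step refuses to run when FWDIR is empty.

# build_dynobj_entry: print the cron line for the IPv4 dynamic-objects job.
# Returns 1 when FWDIR is not set in the current shell.
build_dynobj_entry() {
    if [ -z "${FWDIR:-}" ]; then
        echo "FWDIR is not set; run from an Expert shell with the Check Point environment loaded" >&2
        return 1
    fi
    printf '%s\n' "*/10 * * * * $FWDIR/scripts/cp_servers_dynobj_ipv4.sh > /dev/null 2>&1"
}

# merge_cron_entry CURRENT NEW_LINE: print CURRENT with NEW_LINE appended,
# unless an identical line (exact, whole-line match) is already present.
merge_cron_entry() {
    current=$1
    new_line=$2
    if printf '%s\n' "$current" | grep -Fxq -- "$new_line"; then
        printf '%s\n' "$current"
    else
        if [ -n "$current" ]; then
            printf '%s\n' "$current"
        fi
        printf '%s\n' "$new_line"
    fi
}

# install_dynobj_job: read the live crontab, merge, write it back.
# Interactive use only; the two functions above are the testable parts.
install_dynobj_job() {
    entry=$(build_dynobj_entry) || return 1
    existing=$(crontab -l 2>/dev/null || true)
    merge_cron_entry "$existing" "$entry" | crontab -
}
```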

Wednesday, 23 October 2013

Linux shell access on a Symantec Messaging Gateway

Sometimes you need a full Linux shell to run commands and troubleshoot. On Symantec Brightmail Gateway this is possible.

Before explaining how, note that this must be done with great care, since any action can affect the platform.

To reach the Linux console, run the following steps:

1.- Log in to the Symantec BrightMail Gateway via ssh as the admin user.
2.- Run the set-support command. It lets you enter a password for the support user. This password is valid for two days.
3.- Disconnect the ssh session and reconnect as the support user.

From this point on, you are connected to a Linux terminal.

Thursday, 3 October 2013

Changing certificates on the ProxySG for SSL authentication against AD

BlueCoat ProxySG appliances are configured so that user authentication against the BCAAA is encrypted with SSL. To encrypt this traffic, the appliances use a certificate generated during the BCAAA installation on the Domain Controller itself. These certificates are issued with a validity of 1 year.

To make the change without affecting traffic, it is recommended to disable SSL communication in the IWA configuration first. To do so, go to Management Console -> Authentication -> IWA and clear the Enable SSL checkbox. APPLY.

Install/Reinstall the BCAAA

Go to
Section B: BCAAA Installation
1) Install BCAAA and set the parameter to 'Allow only SSL connections.'
2) Configure the CN as the hostname (for example ford.kllab.bluecoat.com; do not use an IP, and make sure DNS can resolve that hostname).
3) Set "Save the automatically generated certificate in the certificate store" to YES.
4) Set "Require the ProxySG to provide a valid certificate in order to connect" to NO.
5) Click 'Install' to run the installation process.
6) Once the BCAAA installation is complete, verify bcaaa.ini and make sure the configuration is as below. If it differs, modify bcaaa.ini and restart the BCAAA service.
UseSSL=1
CertificateSubject=ford.testlab.bluecoat.com
SaveGeneratedCertificate=1
VerifySG=0
7) From the BCAAA console, click START, RUN, type MMC and click OK. When the console comes up, click File, Add/Remove Snap-in (or press CTRL + M), click ADD, select CERTIFICATES, click ADD, select SERVICE ACCOUNT, click NEXT twice, select BCAAA, click FINISH, then click CLOSE and OK.
8) Make sure the certificate appears under BCAAA\Personal, Certificates. If there is no certificate for the hostname chosen in step 2, you may need to perform the additional steps documented in Appendix A.
9) Double-click that certificate; you should see that it is currently not trusted.
10) To make the certificate trusted, press CTRL + M (or click File, Add/Remove Snap-in), click ADD, select CERTIFICATES, click ADD, select Computer Account, click NEXT and click FINISH. Click CLOSE and OK.
11) Then, under Certificates - Service (BCAAA) on Local Computer, BCAAA\Personal, Certificates, select the ford.testlab.bluecoat.com certificate, right-click and COPY. Go to Certificates (LOCAL COMPUTER), Trusted Root Certification Authorities, Certificates, right-click and PASTE. The certificate is placed at the bottom of the list. Then double-click the certificate (ford.testlab.bluecoat.com) and you will find that the certificate is not currently trusted.
12) On the same certificate screen, click DETAILS, select COPY TO FILE; the wizard pops up. Click NEXT, click NEXT (leaving "No, do not export the private key" selected), select Base-64 encoded X.509 (.CER), click NEXT, save the file to a path (for example c:\bcaaa) and click FINISH.
13) Close the MMC console and open the bcaaa.cer you created in Notepad, then copy the entire string from BEGIN CERTIFICATE to END CERTIFICATE. Then connect to the ProxySG Management Console via https.
14) Restart the BCAAA service.
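Step 6 asks you to verify bcaaa.ini by eye. The following is an added example, not part of the BlueCoat article: a small shell checker for the settings the article requires (UseSSL=1, SaveGeneratedCertificate=1, a DNS hostname rather than an IP as CertificateSubject, per step 2), which also reports VerifySG=0 because that setting means the BCAAA side does not authenticate the ProxySG. The sample ini content is constructed for the example; the hostname is the article's own.

```shell
#!/bin/sh
# Added example, not from the BlueCoat article: audit a bcaaa.ini against the
# SSL settings required in Section B, step 6. Constructed sample content below.

SAMPLE_INI='UseSSL=1
CertificateSubject=ford.testlab.bluecoat.com
SaveGeneratedCertificate=1
VerifySG=0'

# ini_get CONTENT KEY: print the value of KEY (last occurrence wins; tolerates
# CRLF line endings, which a Windows-edited bcaaa.ini will have).
ini_get() {
    printf '%s\n' "$1" | tr -d '\r' |
        sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" | tail -n 1
}

# check_bcaaa_ini CONTENT: print one line per finding; return 1 if any
# setting contradicts the article, 0 otherwise.
check_bcaaa_ini() {
    rc=0
    [ "$(ini_get "$1" UseSSL)" = 1 ] ||
        { echo "UseSSL must be 1 (the IWA realm talks to BCAAA over SSL)"; rc=1; }
    [ "$(ini_get "$1" SaveGeneratedCertificate)" = 1 ] ||
        { echo "SaveGeneratedCertificate must be 1, or the cert never reaches the store"; rc=1; }
    subject=$(ini_get "$1" CertificateSubject)
    case $subject in
        '')        echo "CertificateSubject is missing"; rc=1 ;;
        *[!0-9.]*) ;;   # contains letters: a hostname, as step 2 requires
        *)         echo "CertificateSubject '$subject' is an IP; use the DNS hostname"; rc=1 ;;
    esac
    # VerifySG=0 is what the article sets: BCAAA does not require a client
    # certificate from the ProxySG, so the TLS trust is one-way. Reported only.
    [ "$(ini_get "$1" VerifySG)" = 0 ] && echo "note: VerifySG=0, one-way TLS only"
    return $rc
}
```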
Section C: ProxySG Configuration and Settings
1) In Management Console -> SSL -> CA Certificates, click IMPORT, enter the hostname as the CA Cert name (e.g. ford.testlab.bluecoat.com), and paste the string copied from bcaaa.cer into the CA Cert section.
2) Click OK; the certificate is placed at the bottom of the CA certificates list. Click APPLY. Then go to Management Console -> Policy -> Visual Policy Manager and click LAUNCH.
3) Ensure the device profile includes your BCAAA server's certificate: go to Configuration -> SSL -> Device Profiles, highlight the profile name above, and click 'Edit'. Change 'CCL' to '<All CA Certificates>'. Click 'Apply'. This should get BCAAA over SSL working. Note that this makes the profile trust all CA certificates; if you do not want that, create a new profile with a new CA Certificate List instead.
4) In Visual Policy Manager, click Policy, select Add Web Authentication Layer, provide a name and click OK. In the Action column, right-click and select SET, click NEW, select Authenticate, choose the REALM you created and click OK twice. Click Install Policy and close the Visual Policy Manager.
5) Go back to the BCAAA console, open Event Viewer (Application log) and watch for errors during testing. Then test authentication from your PC by pointing it explicitly at the ProxySG and browsing to a website.
Appendix A
============
To generate the certificate for the BCAAA server (when the certificate does not appear after installation), you must make the ProxySG send an NTLM request to BCAAA. Once the request reaches BCAAA, the certificate is generated automatically.
The simplest way to trigger an NTLM request from the ProxySG to BCAAA is to configure a client browser to point explicitly at the ProxySG; the ProxySG then forwards the authentication request to BCAAA.

Monday, 26 August 2013

How to password-protect the configuration of a FortiClient v5

To stop users from changing the FortiClient configuration, it is recommended to protect it with a password.
If this is done on the client itself, the protection is lost every time the FortiClient synchronizes with the FortiGate that manages its configuration.

To do it centrally, so that this does not happen, run the following steps on the FortiGate:

config endpoint-control profile
edit "default" (where default is the name of the EndPoint profile)
config forticlient-winmac-settings
set forticlient-settings-lock enable
set forticlient-settings-lock-passwd password
end

From this point on, all FortiClients managed through the configured EndPoint profile have their configuration protected.

Enjoy FortiClient.

Wednesday, 31 July 2013

Managing FortiClients 5.0 from a Fortigate 5.0

To manage FortiClients remotely, the following must be enabled on the Fortigate:

- The Endpoint Protection "feature".

This makes the FCT-Access option appear on the network interface that receives the client traffic. This option must also be enabled.

Clients communicate with port 8010 on the Fortigate.

Enjoy your managed FortiClients!

Wednesday, 24 July 2013

Recovering a Fortigate

Please try the following; this method has worked in the past, although I am not sure it has a 100% success rate!

From the console port:

FWF50B (11:04-02.28.2007)
Ver:04000007
Serial number:FWF50B3G07524828
RAM activation
Total RAM: 256MB
Enabling cache...Done.
Scanning PCI bus...Done.
Allocating PCI resources...Done.
Enabling PCI resources...Done.
Zeroing IRQ settings...Done.
Verifying PIRQ tables...Done.
Enabling Interrupts...Done.
Boot up, boot device capacity: 64MB.
Press any key to display configuration menu...
..
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[I]: Configuration and information.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.

Enter Selection [G]:

Enter G,F,I,Q,or H:

Select option d (hidden)

dr: Disable onboard RAM.
rt: Start RAM test.
offc: Turn off cache.
onc: Turn on cache.
lpci: List all PCI devices.
spci: Set PCI configuration registers.
clk: Display real time clock.
q: Quit debug mode.
h: Display this command list.

Select option k (hidden) to scan the flash and check/correct for bad blocks

:k
Flash CS0 is configured as a I/O based NAND controller at address=FF80h
Flash I/O not enabled in MSR_DIVIL_BALL_OPTS
ID NAND device returned ... AD 76 AD 76 AD 76 AD 76
ROM manufacturer=AD device=76
The ROM is a 64 MB Hynix HY27US08121M device
Scan and verify Nand flash's block(Blocks=0X1000)-->
List existing bad block(s):
------------------------------
------------------------------
start_block-->0x000
end_block-->0xfff

Testing block: 0X0000~0X0FFF of 0X0043

If bad blocks are found they should be marked.

When complete, it will require a format and TFTP of a new image; you must use the MR5 patch 1 release.

How to access the BlueCoat Eventlog

To access the Event Log of a BlueCoat ProxySG, use the following URL:

https://XX.XX.XX.XX:8082/Eventlog/Statistics