Analyzing FW Monitor Output in CLI

If you understand the inspection points in Check Point and can use FW Monitor to get the required logs/captures, then you can read further on how to analyze those logs.


So to start off with, let's see what the different fields are in the above picture of a sample log from the console:


Debug F5 monitor response from the server

It is quite simple to see if a pool member failed its health check by checking the pool status via GUI/CLI, and the ltm logs also give you more information on the timeline of when the pool went down/up:

cd /var/log
cat ltm | grep

But what if you've configured a custom health monitor for a particular pool, that pool is now down, and you know it's the monitor that is failing it? You've verified that the F5 is indeed sending the monitor traffic to the nodes. You run some captures on the interface or on an intermediary firewall and see that the node is sending replies as well. Now, what if you want to check the contents of the server's response during that time from the F5 itself?

So here are the step-by-step instructions you need to follow to get that information:


OSPF neighbor relationship process

1. Determine the Router ID

  • It is the router's name in the OSPF process. It's always advisable to hard-code the router-id.
  • Selection order: configured router-id > Loopbacks > Active physical interface IP

2. Add interfaces to the link state database, done by the network command

3. Send a Hello message on chosen interfaces

  • Hello message timer:
    • Broadcast/P-2-P networks: every 10 seconds
    • Non-Broadcast Multi-Access (NBMA) networks: every 30 seconds


Transferring licenses after RMA (Cisco)

Our ASR 1001 had a hardware failure with the SPA Interface Processor and we had to file an RMA for it. Once we got the device to the data center and started loading up the config, we realized it required the 'advipservices' and 'ipsecurity' licenses which were being used on the old router. After speaking to the licensing support team, they explained to us that we can get a license transfer in this case as this is a replacement device. We gave the serial number of the old router and the new router with the RMA and SR number that was raised with them, and she sent us a .lic file that can be loaded on the new ASR router.

If you have been looking for this, here's another way to get this done (a phone call to Cisco is definitely a better option with the below information handy):


Using FW Monitor to Capture Traffic Flows in Check Point (Cheat Sheet)

I'm in no way a Check Point junkie. I got these FW Monitor templates from my tech lead at work, and he has been using them for over 10 years now. I find these templates just about enough to get me the captures that I need. If you need a more sophisticated FW Monitor, then I'd recommend you go through this document. In the next post after this I plan to write on how to analyze those logs/captures on your console and in Wireshark (this can get lengthy). In FW Monitor there are a few switches you can use to customize your captures, but I've only posted some basic templates where you can just replace the IPs and run it.

If you're not aware of the inspection points in Check Point, you can check out my previous post, which will help you understand the FW Monitor logs in a better way and possibly help in troubleshooting.
