Creating Pre-Configured VPN Client – Checkpoint

December 23, 2009 by admin

How to configure a custom install package for your secure vpn clients.

There are many options here but I want to do a simple one and then elaborate on it further in another post.

  1. Download the latest client build from Checkpoint
  2. Obtain the MSI packaging tool provided by Checkpoint.  If you have the smart dashboard installed you can find this program in c:\program files\Checkpoint\Smartconsole\R65\program\util
  3. With cpmsi_tool.exe we will extract the MSI downloaded in step 1
  • Create a directory x:\secureclient
  • Place the latest secureclient and the cpmsi_tool.exe in this directory
  • Rename the downloaded msi package to Base.msi
  • Open a command line prompt and change to the new directory secureclient
  • Type:  cpmsi_tool.exe Base.msi out all (this will extract the files from the msi file).

Once these files are extracted you can edit them in Notepad.  The product.ini file has many options that you can research to make changes.
Examples: show welcome screen, force options, etc.

After you have made any option changes to these files you need to re-package the files back into the msi file.

At command prompt again Type:  cpmsi_tool Base.msi in all

Now install the Base package on a laptop.

Configure the settings to connect to your firewall.  Connect to the firewall and make sure the connection works.  This updates the topology etc.

Disconnect the VPN client, then go to Control Panel, Services and stop the Checkpoint services.  Now go and get this file:  c:\program files\checkpoint\secuRemote\database\userc.C

Now we have the basic configuration file.  So let's re-assemble the msi file with the updated userc file.

Note here:  you can edit this userc.C file to make many changes.  For this example we are just going to leave it alone.

Copy the userc.C file back to the directory on the computer that we were working on originally (not the test laptop).

Let's make sure we have all this separate:

Make a new directory called finished and copy the base.msi file to this directory. Rename it to (whateveryouwant.msi).  Extract it by typing:  cpmsi_tool.exe whateveryouwant.msi out all.  Then copy the userc.C file that you copied from your laptop to this directory and allow it to overwrite the file.  This contains all the changes you made.

Repackage the file by typing:  cpmsi_tool.exe whateveryouwant.msi in all

Now you have a pre-configured package to test.

There are many variables to change in there but this is a quick and dirty way to create this.  Please check Checkpoint’s secure knowledge for more definitive ways to customize this file.

Howto check RAM on Linux

December 6, 2008 by admin

Sometimes you want to know how much memory you have on a Linux box.  There are several ways to do this but I have found the best and easiest way is to use top.

At the command line, type top or vmstat.

Example:

[root@ftp ~]#top

top - 15:49:46 up 53 days, 11:54,  1 user,  load average: 0.00, 0.00, 0.00
Tasks:  71 total,   1 running,  70 sleeping,   0 stopped,   0 zombie
Cpu(s):  0.3%us,  0.0%sy,  0.0%ni, 99.7%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st
Mem:   1034796k total,   985256k used,    49540k free,   144156k buffers
Swap:  2031608k total,        0k used,  2031608k free,   778420k cached

PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
1 root      15   0  2060  620  532 S  0.0  0.1   0:00.61 init
2 root      RT  -5     0    0    0 S  0.0  0.0   0:00.00 migration/0
3 root      34  19     0    0    0 S  0.0  0.0   0:00.00 ksoftirqd/0
4 root      RT  -5     0    0    0 S  0.0  0.0   0:00.00 watchdog/0
5 root      10  -5     0    0    0 S  0.0  0.0   0:00.00 events/0
6 root      10  -5     0    0    0 S  0.0  0.0   0:00.00 khelper
7 root      10  -5     0    0    0 S  0.0  0.0   0:00.00 kthread
10 root      20  -5     0    0    0 S  0.0  0.0   0:00.22 kblockd/0
11 root      20  -5     0    0    0 S  0.0  0.0   0:00.00 kacpid
73 root      20  -5     0    0    0 S  0.0  0.0   0:00.00 cqueue/0
76 root      10  -5     0    0    0 S  0.0  0.0   0:00.00 khubd
78 root      10  -5     0    0    0 S  0.0  0.0   0:00.00 kseriod
138 root      25   0     0    0    0 S  0.0  0.0   0:00.00 pdflush
139 root      15   0     0    0    0 S  0.0  0.0   0:01.69 pdflush
140 root      10  -5     0    0    0 S  0.0  0.0   0:00.05 kswapd0
141 root      20  -5     0    0    0 S  0.0  0.0   0:00.00 aio/0
299 root      11  -5     0    0    0 S  0.0  0.0   0:00.00 kpsmoused

Sniffing with TCPDump

October 22, 2008 by admin

How to sniff a network with TCPDump. TCPDump comes installed on Linux by default. You will have to install the package on Solaris. This is just a simple sniff.

To sniff all traffic across an interface (port-mon is your friend)

tcpdump -w testsniff -c 6000
-this sniffs everything and stops when it reaches a 6000 packet count. Good idea if you have a lot of traffic. It puts this sniff into a file named testsniff. Most packet analyzers can read the tcpdump file format.

tcpdump host x.x.x.x -c 1000
-this sniffs a specific host with a count of 1000 packets.

tcpdump -i eth0 host x.x.x.x -c 1000
-this sniffs on eth0 for those multiple interface boxes. This is nice for sniffing firewall interfaces with DMZs etc.

This is just a small simple description. Read man tcpdump and you will see how powerful TCPDump can be.

Bridged Firewall with Centos

October 6, 2008 by admin

A quick guide on how to install a bridged firewall.  A bridged firewall is a firewall that operates at layer 2. It works at the MAC layer and does not use IP addressing at layer 3.  This is a great way to integrate a firewall into a network without having to make major network changes.  (Only one IP is assigned, and it is for management.)

You will need a server with at least 2 network interfaces for your uplink and downlink.

We will be utilizing network bridging and we will bridge both physical interfaces into one virtual bridge.

This example is using Centos 5.0.

Install bridge-utils: yum install bridge-utils

Create and modify network scripts

Create this config file:
/etc/sysconfig/network-scripts/ifcfg-br0

Sample:
DEVICE=br0
TYPE=Bridge
IPADDR=65.205.64.2
GATEWAY=65.205.64.1
NETMASK=255.255.255.0
ONBOOT=yes

Modify this config file:
/etc/sysconfig/network-scripts/ifcfg-eth0

Sample:
DEVICE=eth0
TYPE=ETHER
BRIDGE=br0
ONBOOT=yes

Modify this config file:
/etc/sysconfig/network-scripts/ifcfg-eth1

Sample:
DEVICE=eth1
TYPE=ETHER
BRIDGE=br0
ONBOOT=yes

Restart your network

service network restart

Install and configure iptables

yum install iptables or yum update iptables

Example iptables commands:

# Flush firewall (flush the rules first; -X can only delete chains that are
# empty and unreferenced, and with no argument it deletes every user chain)
iptables -F
iptables -X
iptables -Z

# Setup firewall chain (all that's being blocked goes to this chain)
iptables -N firewall
iptables -A firewall -j LOG --log-level info --log-prefix "Firewall:"
iptables -A firewall -j DROP

# Setup rules INT->EXT
iptables -A FORWARD -s 65.205.64.5 -p tcp --dport 20:21 -j ACCEPT
iptables -A FORWARD -s 65.205.64.5 -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -s 65.205.64.5 -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -s 65.205.64.5 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -s 65.205.64.5 -p icmp -j ACCEPT

# Block anything else INT->EXT (send it to firewall chain)
# Note: ICMP from this host is already accepted above, so the icmp rule here never matches.
iptables -A FORWARD -s 65.205.64.5 -p icmp -j firewall
iptables -A FORWARD -s 65.205.64.5 -p tcp --syn -j firewall
iptables -A FORWARD -s 65.205.64.5 -p udp -j firewall

# Setup rules EXT->INT
iptables -A FORWARD -d 65.205.64.5 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -d 65.205.64.5 -p icmp -j ACCEPT
iptables -A FORWARD -d 65.205.64.21 -p udp --sport 53 -j ACCEPT
iptables -A FORWARD -d 65.205.64.21 -p tcp --sport 53 -j ACCEPT

# Block anything else EXT->INT (send it to firewall chain)
# Note: ICMP to this host is already accepted above, so the icmp rule here never matches.
iptables -A FORWARD -d 65.205.64.5 -p icmp -j firewall
iptables -A FORWARD -d 65.205.64.5 -p tcp --syn -j firewall
iptables -A FORWARD -d 65.205.64.5 -p udp -j firewall

Save iptables config

iptables-save > /etc/sysconfig/iptables

Show iptables config

iptables -L
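
An added example, not part of the original post: a small shell/awk filter that summarizes what the firewall chain's LOG rule (prefix "Firewall:") has been dropping, grouped by source, destination, protocol and destination port. The function names summarize_fw_log and sample_log and the sample syslog lines are constructed for illustration; it assumes kernel messages are written to /var/log/messages, the CentOS default.

```shell
#!/bin/sh
# Summarize packets logged by:
#   iptables -A firewall -j LOG --log-level info --log-prefix "Firewall:"
# Reads syslog lines on stdin, prints "<count> <src> <dst> <proto> <dport>",
# highest count first. Protocols without ports (ICMP) show "-" as the port.
summarize_fw_log() {
    awk '
    /Firewall:/ {
        src = dst = proto = dpt = "-"
        for (i = 1; i <= NF; i++) {
            # The prefix has no trailing space, so the first key is glued
            # to it ("Firewall:IN=br0"); strip it before matching.
            f = $i; sub(/^Firewall:/, "", f)
            if (f ~ /^SRC=/)   src   = substr(f, 5)
            if (f ~ /^DST=/)   dst   = substr(f, 5)
            if (f ~ /^PROTO=/) proto = substr(f, 7)
            if (f ~ /^DPT=/)   dpt   = substr(f, 5)
        }
        seen[src " " dst " " proto " " dpt]++
    }
    END { for (k in seen) print seen[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# Constructed sample lines (not real traffic); 65.205.64.5 is the host
# protected by the rules above, the other addresses are documentation ranges.
sample_log() {
cat <<'EOF'
Oct  6 10:01:02 fw kernel: Firewall:IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=eth1 SRC=192.0.2.10 DST=65.205.64.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Oct  6 10:01:05 fw kernel: Firewall:IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=eth1 SRC=192.0.2.10 DST=65.205.64.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Oct  6 10:02:11 fw kernel: eth0: link up
Oct  6 10:03:40 fw kernel: Firewall:IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=eth1 SRC=198.51.100.7 DST=65.205.64.5 LEN=78 TOS=0x00 PREC=0x00 TTL=49 ID=3 PROTO=UDP SPT=5353 DPT=161 LEN=58
Oct  6 10:04:19 fw kernel: Firewall:IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=65.205.64.5 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=51000 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
EOF
}

sample_log | summarize_fw_log
```

On the firewall itself, run it against the live log with: summarize_fw_log < /var/log/messages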