Thursday, July 26, 2012

DDoS Tuning for the Check Point IPS Blade

These are the main IPS protections to check against DDoS-related attacks on Check Point,
but they are not enough against sophisticated layer 7 attack techniques; for those, check out the new Radware-based Check Point DDoS appliance, DDoS Protector.

Aggressive Aging: protection against connection-consuming attacks; connection timeouts are shortened once the state table gets close to full
Lower Stateful Inspection timers: defense against slow attacks that hold half-open or idle connections for a long time
Geo Protection: rules to block by country and by direction of traffic
Network Quota: limits the number of concurrent connections per source IP
Worm Catcher signatures: block known worms (HTTP and CIFS)
TCP window size enforcement: blocks floods of connections that advertise a tiny TCP window to tie up server resources with little traffic
SYN flood protection: SYN-cookie-based validation of new connections before a state table entry is created
HTTP Flooding / UDP Flooding: rate-based blocking
Non-TCP Flooding: restricts non-TCP traffic from occupying more than a given percentage of an enforcement point's state table

Wednesday, July 18, 2012

Check Point Port-Based Routing in ISP Redundancy

In ISP Redundancy Load Sharing mode it is possible to force particular outgoing services through the first ISP link only.
On the management server, edit $FWDIR/lib/table.def and locate the no_misp_services_ports definition. Each entry is a <port, IP protocol> pair; keep the pairs already there (in the example below, <500, 17> for IKE and <259, 17> for Check Point RDP) and append the service you want pinned.
By changing it to: no_misp_services_ports = { <500, 17>, <259, 17>, <25, 6> }; (where <25, 6> stands for SMTP (port 25) over TCP (IP protocol 6)), all outgoing SMTP traffic goes through the first ISP link. Install the policy afterwards for the change to take effect, and keep a note of the edit, since table.def is replaced on upgrade.
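Hand-editing table.def is easy to get wrong (a missing comma or a duplicated pair). The following is an added example, not Check Point tooling, that appends a <port, protocol> pair to the no_misp_services_ports definition in a copy of the file, leaves the file alone if the pair is already present, and refuses anything that is not a real port over TCP (6) or UDP (17). The sample contents are constructed; run it against a copy of $FWDIR/lib/table.def on the management server and install the policy afterwards.

```python
"""Added example, not Check Point tooling: add a <port, protocol> pair to the
no_misp_services_ports definition in table.def text, idempotently, and reject
malformed input. The sample contents below are constructed; on a real
deployment the file is $FWDIR/lib/table.def on the management server and the
policy must be installed afterwards for the change to take effect."""

import re
from pathlib import Path

# The definition sits on one line: no_misp_services_ports = { <port, proto>, ... };
LINE_RE = re.compile(r"^(no_misp_services_ports\s*=\s*\{)(.*?)(\}\s*;)", re.M)
PAIR_RE = re.compile(r"<\s*(\d+)\s*,\s*(\d+)\s*>")

# Constructed stand-in for the relevant part of table.def.
SAMPLE_TABLE_DEF = """\
// constructed sample, not the real file
no_misp_services_ports = { <500, 17>, <259, 17>};
some_other_table = 1;
"""


def is_valid_pair(port: int, proto: int) -> bool:
    """Accept a real port number and only TCP (6) or UDP (17)."""
    return 0 < port <= 65535 and proto in (6, 17)


def pinned_services(text: str) -> list[tuple[int, int]]:
    """Return the (port, protocol) pairs already in the definition."""
    m = LINE_RE.search(text)
    if m is None:
        raise ValueError("no_misp_services_ports definition not found")
    return [(int(p), int(pr)) for p, pr in PAIR_RE.findall(m.group(2))]


def add_pinned_service(text: str, port: int, proto: int) -> str:
    """Return text with <port, proto> appended to the definition.
    The text is returned unchanged if the pair is already present."""
    if not is_valid_pair(port, proto):
        raise ValueError(f"refusing <{port}, {proto}>: port 1-65535, proto 6 or 17")
    current = pinned_services(text)
    if (port, proto) in current:
        return text
    m = LINE_RE.search(text)
    sep = ", " if current else " "
    new_body = m.group(2).rstrip() + sep + f"<{port}, {proto}>"
    return text[:m.start()] + f"{m.group(1)}{new_body} {m.group(3)}" + text[m.end():]


def pin_service_in_file(path: str, port: int, proto: int) -> bool:
    """Edit a table.def copy in place; True if the file changed."""
    p = Path(path)
    before = p.read_text()
    after = add_pinned_service(before, port, proto)
    if after != before:
        p.write_text(after)
        return True
    return False


if __name__ == "__main__":
    # Pin SMTP (TCP 25) to the first ISP link in the constructed sample.
    print(add_pinned_service(SAMPLE_TABLE_DEF, 25, 6), end="")
```

Back up the file before writing to it; pin_service_in_file overwrites in place.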

Also some tips:
Show the currently defined ISP links:
# cpstat fw
Test ISP Redundancy by administratively bringing a link down and back up:
# fw isp_link ISP-1 down
# fw isp_link ISP-1 up

More advanced commands will be in the next release of SmartSPLAT.

Wednesday, July 4, 2012

Can't access the Mobile Access Portal; the browser keeps loading without giving an error

Look in /opt/CPcvpn-R75.20/log/cvpnd.elg for the reason.
In my case it was showing:
Exception: open("/opt/CPcvpn-R75.20/conf/includes/CustomRulesAfter.conf") failed - No such file or directory - CVPND aborting
Manually create the missing file or files:
touch /opt/CPcvpn-R75.20/conf/includes/CustomRulesAfter.conf
touch /opt/CPcvpn-R75.20/conf/includes/CustomRulesBefore.conf
and run cvpnrestart.
Also check the licenses on both cluster members...
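When cvpnd aborts on more than one missing include, reading the paths out of cvpnd.elg by hand gets tedious. The following added example (not Check Point tooling) extracts every path that cvpnd.elg reports as "open(...) failed - No such file or directory", creates the ones that belong in the CVPN conf/includes directory as empty files, and refuses anything else, so a stray or tampered log line cannot make you create files elsewhere on the gateway. The log lines are constructed, and the install directory is a parameter (use whatever your CPcvpn package directory is, for example /opt/CPcvpn-R75.20). Run cvpnrestart afterwards, as above.

```python
"""Added example, not Check Point tooling: pull the file names that cvpnd
reports as missing out of cvpnd.elg and create the empty include files it
expects, but only inside <cvpn_dir>/conf/includes. The log lines below are
constructed; the install directory is whatever your CPcvpn package uses."""

import re
import tempfile
from pathlib import Path

MISSING_RE = re.compile(r'Exception: open\("([^"]+)"\) failed - No such file or directory')


def sample_log(cvpn_dir: str) -> str:
    """Constructed cvpnd.elg excerpt: two genuine missing includes plus two
    lines that point outside the includes directory and must be refused."""
    return (
        "[cvpnd 1234] constructed sample line, not a real log\n"
        f'Exception: open("{cvpn_dir}/conf/includes/CustomRulesAfter.conf") failed - No such file or directory - CVPND aborting\n'
        f'Exception: open("{cvpn_dir}/conf/includes/CustomRulesBefore.conf") failed - No such file or directory - CVPND aborting\n'
        f'Exception: open("{cvpn_dir}/conf/includes/../../../etc/evil.conf") failed - No such file or directory - CVPND aborting\n'
        f'Exception: open("{cvpn_dir}/log/evil.conf") failed - No such file or directory - CVPND aborting\n'
    )


def missing_files(log_text: str) -> list[str]:
    """Unique paths reported as missing, in the order they appear."""
    seen: list[str] = []
    for m in MISSING_RE.finditer(log_text):
        if m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def safe_include_paths(paths, cvpn_dir: str) -> tuple[list[Path], list[str]]:
    """Split reported paths into those directly inside <cvpn_dir>/conf/includes
    and those to reject (relative, containing '..', or elsewhere)."""
    inc = Path(cvpn_dir) / "conf" / "includes"
    accepted, rejected = [], []
    for p in paths:
        cand = Path(p)
        if cand.is_absolute() and ".." not in cand.parts and cand.parent == inc:
            accepted.append(cand)
        else:
            rejected.append(p)
    return accepted, rejected


def create_missing_includes(log_text: str, cvpn_dir: str) -> dict:
    """Create the accepted include files as empty files; report what happened."""
    accepted, rejected = safe_include_paths(missing_files(log_text), cvpn_dir)
    created = []
    for path in accepted:
        if not path.exists():
            path.parent.mkdir(parents=True, exist_ok=True)
            path.touch()
            created.append(path.name)
    return {"created": created, "rejected": rejected}


def demo() -> dict:
    """Run the procedure against the constructed log in a throwaway directory."""
    with tempfile.TemporaryDirectory() as d:
        first = create_missing_includes(sample_log(d), d)
        second = create_missing_includes(sample_log(d), d)  # idempotent: nothing new
        present = sorted(p.name for p in (Path(d) / "conf" / "includes").iterdir())
        return {
            "created": first["created"],
            "rejected": first["rejected"],
            "second_run_created": second["created"],
            "present": present,
            "escaped": (Path(d) / "log" / "evil.conf").exists(),
        }


if __name__ == "__main__":
    print(demo())
```

On a real gateway, point create_missing_includes at the cvpnd.elg text and the CPcvpn directory, then run cvpnrestart and check the log again.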