Friday, January 17, 2020

Check Point standby cluster member cannot access the Internet

The title is pretty self-explanatory, and it's behaviour I'm seeing on every recent cluster build that I do (R80.10 and up).  A fair question would be "Why are you concerned with Internet access on your standby member?".  Well, my biggest reason is cosmetic, as occasionally the gateway might throw up alerts in SmartConsole due to it being unable to do entitlement checks and such.

More importantly, your cluster might also be configured to have the gateways pull IPS / AV / etc. updates (as opposed to having your SMS distribute it) and this means that if your cluster fails over, there might be a small window where you are running outdated protections.

Having said all that, how do we fix this?  Well, Check Point lists 4 steps in sk43807, namely:
  • Verify that routing tables are identical on all nodes
  • Synchronise HTTP, HTTPS, DNS between cluster members
  • Set the 'fwha_forw_packet_to_not_active' kernel parameter to 1
  • Edit your 'table.def' file on the SMS

Of those, the only one that has ever worked for me is the 'table.def' edit; the issue with that is that it will get overwritten after every upgrade you do, so in my view it is not a long-term solution.

Because this issue is caused by the gateway's own traffic being hidden behind the cluster IP, we can fix it with a NAT rule.  This also has the advantage of being a permanent fix.  You'll have to create a rule for each gateway in your cluster which states that for any traffic originating from the gateway (create objects with your external IPs) to any, use original.  It needs to look something like this:

Once done, push policy and you should immediately restore access.
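The same per-gateway "keep original source" rules can be created through the Check Point Management API instead of clicking them into SmartConsole, which is handy when you have several clusters to fix. The block below is an added example and not code from the post or from Check Point; it assumes the 'add-nat-rule' web API command accepts the fields used here (package, position, original-source/destination/service, translated-source/destination/service, enabled), that the built-in objects are named "Any" and "Original", that the gateway host objects (one per member external IP, as described above) already exist, and that the SMS address, CA bundle path and credentials are placeholders you replace.

```python
"""Create per-member 'use original' NAT rules via the Check Point Management API.

Added example, not from the original post.  Assumptions (see lead-in): field
names of 'add-nat-rule' as in the R80.x API reference, built-in object names
'Any' and 'Original', placeholder SMS URL / CA bundle / credentials.
"""
import json
import ssl
import urllib.request

MGMT_URL = "https://sms.example.invalid/web_api/"   # placeholder SMS address
CA_BUNDLE = "/path/to/sms-ca.pem"                   # placeholder: pin the SMS certificate


def build_no_nat_rules(gateway_objects, package="Standard", position="top"):
    """Return one 'add-nat-rule' body per cluster member.

    Each rule: original source = the member's external-IP host object,
    destination Any, service Any, and every translated column left as
    'Original', so the member's own traffic is no longer hidden behind the
    cluster IP.  Position 'top' places them ahead of the other NAT rules.
    """
    rules = []
    for obj in gateway_objects:
        rules.append({
            "package": package,
            "position": position,
            "name": f"no-nat-{obj}",
            "comments": "Standby member Internet access (sk43807 issue)",
            "enabled": True,
            "original-source": obj,
            "original-destination": "Any",
            "original-service": "Any",
            "translated-source": "Original",
            "translated-destination": "Original",
            "translated-service": "Original",
        })
    return rules


def api_call(command, body, sid=None):
    """POST one command to the web API; 'sid' is the session id from 'login'."""
    data = json.dumps(body).encode()
    req = urllib.request.Request(MGMT_URL + command, data=data, method="POST")
    req.add_header("Content-Type", "application/json")
    if sid:
        req.add_header("X-chkp-sid", sid)
    # Verify the SMS certificate against a pinned CA bundle rather than
    # disabling TLS validation, which is the usual shortcut with self-signed SMS certs.
    ctx = ssl.create_default_context(cafile=CA_BUNDLE)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


def push_no_nat_rules(gateway_objects, user, password, package="Standard"):
    """Login, add the rules, publish, logout.

    Policy installation is deliberately left to the operator: review the
    rule base in SmartConsole first, then push policy as the post describes.
    """
    sid = api_call("login", {"user": user, "password": password})["sid"]
    try:
        for rule in build_no_nat_rules(gateway_objects, package):
            api_call("add-nat-rule", rule, sid)
        api_call("publish", {}, sid)
    finally:
        api_call("logout", {}, sid)


if __name__ == "__main__":
    # Dry run: print the rule bodies for two constructed member objects.
    for rule in build_no_nat_rules(["gw1-external", "gw2-external"]):
        print(json.dumps(rule, indent=2))
```

Running the block as-is only prints the rule bodies; call push_no_nat_rules() with an API-enabled administrator account to create them, then publish and install policy in SmartConsole as above.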

Monday, January 6, 2020

Checkpoint and QRadar integration via Checkpoint Log Exporter

I recently had to integrate a new client's Checkpoint environment into their QRadar SIEM solution due to the need for a single point of alerting and monitoring.

Despite the information available on both Checkpoint and IBM's support site, I still found the process a tad convoluted.  Below is a short and sweet summary of how I got the Checkpoint to ship logs to QRadar in a way that made sense to QRadar.

Configure the Checkpoint Log Exporter

Execute the below command on your Checkpoint SMS:

cp_log_export add name qradar target-server target-port 514 protocol tcp format leef read-mode semi-unified

Verify LeefFieldMapping.xml

Navigate to /opt/CPrt-R80/log_exporter/targets/qradar

Verify that the LeefFieldMapping.xml file is as per QRadar requirements defined here:

Verify LeefFormatDefinition.xml

Navigate to $EXPORTERDIR/conf

Verify that the LeefFormatDefinition.xml is as per QRadar requirements defined here:

Once done, restart the Log Exporter instance: cp_log_export restart name qradar
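Before touching the QRadar side it is worth confirming that what the Log Exporter emits is well-formed LEEF, since a bad delimiter or a malformed key=value pair is the usual reason QRadar parses events as "unknown". The block below is an added example, not code from the post, Check Point or IBM: a small LEEF 1.0/2.0 parser that splits the header, decodes the LEEF 2.0 delimiter field (a literal character or an xNN hex code) and reports which caller-specified attributes are missing. The two sample lines are constructed for illustration; the field names used in them are assumptions, not a statement of what the mapping files must contain.

```python
"""Parse and sanity-check LEEF lines as shipped by a Log Exporter target.

Added example, not from the original post.  Sample lines are constructed;
attribute names in them are illustrative assumptions.
"""

# Constructed LEEF 2.0 line with a syslog prefix and an 'x09' (tab) delimiter.
SAMPLE_LEEF_20 = (
    "<134>Jan  6 10:00:00 sms "
    "LEEF:2.0|Check Point|VPN-1 & FireWall-1|1.0|Accept|x09|"
    "devTime=1578304800000\tsrc=10.0.0.5\tdst=198.51.100.20\tproto=6\t"
    "srcPort=51514\tdstPort=443\taction=Accept\tusrName=jdoe"
)
# Constructed LEEF 1.0 line (no delimiter field; attributes are tab-separated).
SAMPLE_LEEF_10 = (
    "LEEF:1.0|Check Point|VPN-1 & FireWall-1|1.0|Drop|"
    "devTime=1578304801000\tsrc=10.0.0.9\tdst=203.0.113.7\taction=Drop"
)


def _decode_delimiter(field: str) -> str:
    """LEEF 2.0 delimiter field: empty means tab, 'xNN' is a hex code, else literal."""
    if field == "":
        return "\t"
    if len(field) > 1 and field[0] in "xX":
        return chr(int(field[1:], 16))
    return field


def parse_leef(line: str) -> dict:
    """Return header fields and the attribute dict of one LEEF line.

    Anything before 'LEEF:' (syslog priority, timestamp, host) is ignored.
    Raises ValueError on a truncated header or a pair without '='.
    """
    start = line.find("LEEF:")
    if start < 0:
        raise ValueError("no LEEF header found")
    body = line[start:]
    version = body[5:body.index("|")]
    if version == "2.0":
        parts = body.split("|", 6)          # 6 header fields, then attributes
        if len(parts) != 7:
            raise ValueError("truncated LEEF 2.0 header")
        _, vendor, product, product_version, event_id, delim_field, attr_text = parts
        delim = _decode_delimiter(delim_field)
    elif version == "1.0":
        parts = body.split("|", 5)          # 5 header fields, then attributes
        if len(parts) != 6:
            raise ValueError("truncated LEEF 1.0 header")
        _, vendor, product, product_version, event_id, attr_text = parts
        delim = "\t"
    else:
        raise ValueError(f"unsupported LEEF version {version!r}")

    attrs = {}
    for pair in attr_text.split(delim):
        if not pair:
            continue
        key, sep, value = pair.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed attribute {pair!r}")
        attrs[key] = value
    return {
        "version": version,
        "vendor": vendor,
        "product": product,
        "product_version": product_version,
        "event_id": event_id,
        "attrs": attrs,
    }


def missing_fields(event: dict, required) -> list:
    """Names from 'required' that the parsed event does not carry, sorted."""
    return sorted(name for name in required if name not in event["attrs"])


if __name__ == "__main__":
    for sample in (SAMPLE_LEEF_20, SAMPLE_LEEF_10):
        ev = parse_leef(sample)
        print(ev["version"], ev["event_id"], ev["attrs"])
        print("missing:", missing_fields(ev, ["devTime", "src", "dst", "action"]))
```

Point the script at a capture of the Log Exporter's actual output (for example a few lines saved on the QRadar side) and adjust the required-field list to whatever the LEEF mapping you verified above is supposed to produce.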

QRadar Configuration

My testing revealed that there are two prerequisites:
  1. Ensure you have the latest QRadar Checkpoint DSM (Device Support Module)
  2. Install IBM QRadar Custom Properties for Checkpoint from the QRadar App Exchange

Lastly, configure a new Checkpoint Log source (Admin -> Log Sources) which matches the settings you defined in your Checkpoint Log Exporter.

QRadar also supports Checkpoint integration via Opsec, but it seems that the Log Exporter is the preferred way for Checkpoint going forward.

Detailed troubleshooting can be found on the IBM Support site.

Thursday, November 8, 2018

Migrating policies from a standalone Checkpoint gateway to a new management server

I was recently faced with an interesting scenario.  A customer had a standalone Checkpoint gateway running R80.10 and wanted to migrate to a distributed configuration, with separate management.  I researched how to do this and was surprised with the lack of clear answers.

A lot of the online solutions either refer to KBs which explicitly state that they do not apply to R80.10, or claim that a migrate export should suffice.  In my experience it doesn't; it errors out explicitly stating that: "Database migration between Standalone and Management only machines is not supported".

Below is then the process I used to migrate my policies (firewall, NAT and Threat Prevention).


We'll need the CheckPoint API Python Development Kit:
And the CheckPoint Policy Import and Export tool

Lastly, make sure that your gateway and management servers are on the latest GA Jumbo Hotfix Accumulator.  This will ensure that there are no Python compatibility issues.

Download and Extract both on your Computer, using the d:\CP_Python folder for this example I then end up with this structure:
│ ├───examples_python2
│ ├───examples_python3

Now we need to move all files and folders under the d:\CP_PYTHON\cp_mgmt_api_python_sdk-master folder to the d:\CP_PYTHON\cp_mgmt_api_python_sdk folder.

Our folder structure then looks like this:
│ ├───examples_python2
│ ├───examples_p
│ └───lib
│ └───lib

The next step is to transfer the ExportImportPolicyPackage-master folder to both our source and destination CheckPoints. In this case I've transferred to the /tmp folder on each.

[Expert@source1:0]# pwd

Now we execute the actual script, like so:

[Expert@source1:0]#/opt/CPsuite-R80/fw1/Python/bin/python2.7 /tmp/ExportImportPolicyPackage-master/

An interactive menu will appear; from here make sure to specify:
- Output filename
- Layer to be exported
- Whether you want to export Threat-Prevention Layers

If you just specified a filename, your export can be found under the /tmp/ExportImportPolicyPackage-master/ folder. Now transfer this file to your destination management server.

In this instance I've transferred it to my /tmp folder.  If this is a new management server, I always delete the built-in Standard Layer, as I've found that the NAT rules import is a bit all over the show otherwise.

You do this under Security Policies -> Manage Policies -> Manage policies and Layers. Delete and publish your changes.

On the destination gateway we now execute the script, just like we did on the source:

[Expert@dest1:0]#/opt/CPsuite-R80/fw1/Python/bin/python2.7 /tmp/ExportImportPolicyPackage-master/

Once again, an interactive menu will appear; from here make sure to specify:
- Import a Package
- Enter user credentials manually
- Specify custom name for imported package (I use Standard, remember to delete the built-in as per above)
- Run

The script will now:
- Create a Policy Package
- Import services
- Import objects
- Import access-layers
- Import access-rules
- Import NAT rules
- Import threat-layers
- Import network
- Import hosts
- Import threat-profiles
- Import groups

If you connect to the management server with SmartConsole, you should see all the above reflected.

Tuesday, May 16, 2017

Protecting against a ransomware attack


Wikipedia describes ransomware as “a type of malicious software that carries out the cryptoviral extortion attack from cryptovirology that blocks access to data until a ransom is paid and displays a message requesting payment to unlock it.” 

In layman's terms, it denies you access to your own files until you pay the ransomware creators to unlock your files. This extortion method has proven to be very profitable, with CryptoLocker and CryptoWall netting their creators US$3 million and US$17 million respectively.

Ransomware attacks are typically carried out by a Trojan, where the user is tricked into opening a seemingly legitimate attachment or document. Once activated, the ransomware will spread by exploiting vulnerabilities on the target systems. Once a system has been compromised and the files encrypted, the victim will be issued with instructions on how to unlock the files - unlocking methods invariably involve paying the ransomware creators via hard-to-trace channels such as Bitcoin.

Whilst the result of a ransomware attack may be devastating, there are many measures you can take to protect your organisation. I will give a brief overview of these methods below. Do note that attacks, and indeed defense mechanisms, are constantly evolving. Thus the measures below are in no way exhaustive, but should be seen as a very strong baseline to work from.


Secure your perimeter

Your first line of defense is crucial. As such you need to make sure that a Unified Threat Management (UTM) firewall is part of your perimeter security solution. This will allow you to activate measures such as Anti-Virus and Malware scanning as well as Intrusion Detection and Prevention Systems (IDS / IPS). A UTM firewall will also allow you to configure outbound filtering, which will prevent any "phone-home" communication between a compromised system and its command-and-control servers.


Secure your E-Mail

E-Mail is one of the most prevalent attack vectors, so it just makes sense to invest significant effort to secure it. Start off by enabling strong spam filters to prevent phishing and other similar forms of attack from reaching your users. You should furthermore look at implementing methods to authenticate inbound mail; these include technologies such as Domain-based Message Authentication, Reporting and Conformance (DMARC), DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF). All these technologies complement each other and work together to detect and prevent mail spoofing. Of course you also need to make sure you are scanning all mails for viruses and, last but not least, filter all executable and "bad" file types.


Patch Management

Most ransomware propagates by exploiting operating system vulnerabilities. Case in point is the WannaCry variant, which utilizes the EternalBlue exploit, which was actually patched by Microsoft two months before the first attacks hit. This clearly demonstrates the value of patching. Ensure you have a proper patch management strategy in place and that systems are patched timeously.


Endpoint Anti-Virus

This goes without saying - always ensure that your anti-virus (AV) solution is up to date and that real-time scanning is enabled. Apart from that you'll also need to configure it to perform regular scheduled scans. Most AV solutions now also include heuristic technologies, which allow them to detect and remove threats for which there are no signatures yet; make sure you utilize this. Lastly, ensure that the endpoint's firewall is activated if provided as part of your AV solution.


Implement Least Privilege

Limit the use of administrative privileges to a minimum and also make sure that User Account Control (UAC) is activated. The principle of Least Privilege should also be applied when granting users access to network resources. Only give write permissions to users that absolutely need those permissions. Default to read-only permissions when possible. You should also regularly audit your file shares and review the needed permissions for each share. Ransomware will typically enumerate all network resources an infected system has access to and then encrypt those resources. You can significantly reduce the impact of ransomware by limiting user access to network resources and just granting them access to what they actually need.


Block file execution from certain paths

Ransomware generally executes from temporary folders located in Windows AppData folders. To protect against this you should configure a Software Restriction Policy to prevent executable files from running out of the %APPDATA% location. A much more exhaustive list can be obtained here.


Implement Geo-Blocking and blocking of known bad IP addresses

If possible for your organisation you should configure your perimeter firewall to block traffic to "at-risk" countries if you do not do business in these countries. For example a large percentage of Ransomware variants rely on communication with Russian IP blocks to function and spread. Protection mechanisms such as these are admittedly crude, but can be surprisingly effective. Furthermore if your perimeter solution allows you to do so, you should explicitly block all traffic to known bad IP addresses.


Application Whitelisting

Application whitelisting is perhaps the most effective method of protecting against ransomware attacks. The flip side is that it also typically takes the most effort and resources in terms of testing, implementing and maintaining.  There are various solutions available to implement application whitelisting, but as a start you should consider the AppLocker and Software Restriction Policies native to Windows.


Disable MS Office Macros

Many variants of Ransomware leverage Macros to propagate. If possible you should disable this functionality within Office documents, or at the very minimum for documents received via mail and downloaded from the Internet. Alternatively you can make use of the Office File Viewer to view these untrusted documents.


Enable Filescreen

Windows FileScreen was a popular method to detect ransomware infections, however its functionality has been greatly reduced because of new ransomware variants randomizing file extensions. It might still add value in your organisation and assist with alerting and tracing the origin of a ransomware outbreak. A fairly comprehensive list of file extensions can be found here.
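Because extension-based FileScreen rules are defeated by variants that randomise the extension, a complementary check is to look at file content: encrypted output is close to perfectly random, so a file on a share whose bytes have near-maximal Shannon entropy and that is not a known compressed or container format is worth alerting on regardless of its name. The block below is an added example, not from the post or from Microsoft's FileScreen tooling; it generalises the extension check to a content check, builds a constructed sample share in a temporary directory, and uses an illustrative extension subset in place of the fuller list the post refers to.

```python
"""Flag encrypted-looking files on a share by content as well as by extension.

Added example, not from the original post.  The sample share is constructed
in a temp directory; SUSPECT_EXTENSIONS is an illustrative subset only.
"""
import math
import os
import pathlib
import tempfile

SUSPECT_EXTENSIONS = {".wncry", ".locky", ".crypt"}   # illustrative subset
ENTROPY_THRESHOLD = 7.5    # bits/byte; documents and source sit well below this
MIN_SIZE = 4096            # too few bytes gives a noisy entropy estimate
# Legitimately high-entropy formats, recognised by their leading bytes:
# PNG, JPEG, ZIP/OOXML, gzip, PDF.  These are skipped to limit false positives.
COMPRESSED_MAGIC = (b"\x89PNG", b"\xff\xd8\xff", b"PK\x03\x04", b"\x1f\x8b", b"%PDF")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a single repeated value, 8.0 for uniform random."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify(path: pathlib.Path):
    """Return a reason string if the file looks like ransomware output, else None."""
    if path.suffix.lower() in SUSPECT_EXTENSIONS:
        return f"known ransomware extension {path.suffix}"
    if path.stat().st_size < MIN_SIZE:
        return None
    with path.open("rb") as fh:
        head = fh.read(65536)               # first 64 KiB is enough for the estimate
    if head.startswith(COMPRESSED_MAGIC):   # container formats are random-looking by design
        return None
    entropy = shannon_entropy(head)
    if entropy >= ENTROPY_THRESHOLD:
        return f"high entropy {entropy:.2f} bits/byte"
    return None


def scan_tree(root):
    """Walk 'root' and return [(path, reason)] for every suspicious file."""
    findings = []
    for p in pathlib.Path(root).rglob("*"):
        if p.is_file():
            reason = classify(p)
            if reason:
                findings.append((str(p), reason))
    return findings


def make_sample_tree():
    """Constructed sample share: a clean text file, a PNG-looking file, a
    random-named encrypted-looking file and one with a known extension."""
    root = pathlib.Path(tempfile.mkdtemp(prefix="share-"))
    (root / "readme.txt").write_bytes(b"Quarterly figures, see sheet 2.\n" * 300)
    (root / "photo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + os.urandom(20000))
    (root / "report.docx.k8f2").write_bytes(os.urandom(65536))   # randomised extension
    (root / "notes.wncry").write_bytes(b"x" * 10)
    return root


if __name__ == "__main__":
    for path, why in scan_tree(make_sample_tree()):
        print(f"{why:40} {path}")
```

Run it periodically against the shares you already audit for permissions, and feed the findings into the SIEM discussed in the next section; the entropy threshold and magic list are the two knobs to tune against your own data before alerting on it.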


Enable Logging (SIEM)

A proper logging solution will be invaluable in tracing the origin of a ransomware outbreak. The value in a SIEM solution is that you will be able to correlate the logs of a multitude of different devices to find out how the attack happened. This in turn will allow you to take measures to prevent a recurrence. A properly configured SIEM solution will also act as an efficient early-warning system, which will allow you to limit the spread and fallout of a ransomware infection should you be compromised.



If all else fails your backups will be what stands between you and disaster. Back up your data regularly, as per your organisation's Recovery Point Objective's (RPO). Verify the integrity of those backups and test the restoration process regularly to ensure it is working. You also need to secure your backups, or at the very least take them offline so that it cannot be affected by the same ransomware you are trying to protect against.

Configuring FortiGate IPS to block WannaCry ransomware

I’ll split this up into two scenarios – the first being where there is no IPS being done yet and you just want to block WannaCry, and the second being where you already have IPS measures in place protecting your clients.

No IPS in place yet

  1. Create an IPS protection profile containing the MS.SMB.Server.SMB1.Trans2.Secondary.Handling.Code.Execution signature
  2. Ensure that the protection profile is set to Block
  3. Apply the IPS signature to all policies governing your intra-VLAN traffic

Adding the WannaCry signature to your existing client targeting IPS profile

Unfortunately this signature has the target type Server, even though client OS’s are also being targeted.  This means you’ll have to manually add it to your client-targeting IPS profile.

Another point to note is that it is listed as a Rate-based signature, so ensure that your signature has a threshold of zero.

Here is more information about the relevant signature from Fortinet:

Monday, January 9, 2017

Configuring password expiration for FortiGate users


A FortiGate device allows you to create a password policy for administrative accounts via the web interface.  Unfortunately this functionality is not exposed for normal, local user accounts.  Typically this isn't a big pain point, as I would imagine that most customers make use of external authentication (FSSO / LDAP / RADIUS etc.).  That said, I recently had a situation where a client had a bunch of local users configured and they wanted to implement password expiry, with users being prompted to change passwords upon expiry.  Authentication was done via Captive Portal.

The FortiOS handbook came up blank, but a chat with my Fortinet SE provided me with a solution.  First we need to configure the actual policy, then apply it to a user account. 

The password policy is configured like so:

config user password-policy
    edit "pwpol01"
        set expire-days 2
        set warn-days 1
    next
end

We then apply it to a user:

config user local
    edit "user01"
        set type password
        set passwd-policy "pwpol01"
    next
end

Unfortunately password policies can only be applied to users, and not to groups, so it is a bit of a pain if you have lots of users, although in that use case you will be better off using external authentication or FortiAuthenticator.  When the configurable number of days has been reached, the user will be prompted via their captive portal to renew their password before the expiration day is reached.

Friday, November 18, 2016

Becoming a Payment Card Industry Professional (PCIP)


I am very proud to say that I now hold the Payment Card Industry Professional (PCIP) certification. This is a journey that took me about 6 months to complete, and I'll share some tips and experience I've picked up on my way to becoming certified.

The registration process starts by submitting your application as well as supporting documentation to the PCI Council via their website. The approval typically takes about two weeks and it might be that they ask you for proof of work experience and additional security certifications. In my case I've been fortunate to have about a decade of experience in the InfoSec field in general, and 3 years working for clients who need to be PCI-DSS compliant.

What do you need to do?

Once your application is approved you need to attend the PCIP course. This can be either on-line or classroom based. If you are new to the PCI-DSS field I would strongly suggest attending the classroom training, as access to the instructor as well as conversing with peers in the industry can be invaluable. If you have PCI-DSS experience then the on-line course will suffice.

Once you have completed the course, the PCI Council will register a user ID for you on the Pearson Vue website and provide you with a voucher to take the exam. It is up to you to do the booking on the Vue website. It is important to note that you have to use this voucher within 30 days of your training. If you fail the exam you can book to take it again at your own cost. If, heavens forbid, you fail it a second time you will have to attend the PCIP course again.

Preparing for the exam

First and foremost, know the PCI-DSS 3.2 Standard inside out. You do not have to know things like what requirement 3.2.1 states word for word. You will however need to know how to successfully meet every requirement. In my case there was also a strong focus on the various Self-Assessment Questionnaires (SAQs) and in which cases they would be applicable. I was not tested on Reports on Compliance (ROC) or Attestations of Compliance (AOC) at all.

You should also know when encryption, strong cryptography, hashing, tokenization and masking should be used, as well as the difference between all of these. Make sure you know exactly when Compensating Controls are allowed, as well as what the requirements for acceptance of those are. I got maybe one or two questions from the supplemental documents (Virtualization and TLS specifically). You don't have to study them in depth, but do read through them and understand the intent.

Next Steps

I find assisting our clients on their path towards PCI-DSS compliance to be an extremely challenging and rewarding endeavour. As such, the next step on my journey is to become a PCI Internal Security Assessor. I believe this will add tremendous value over and above that which we already provide to our clients in the financial services sector.