Monday, November 27, 2017

Check Point Firewall: Adding A User In CLI

Here is a quick "how to" on adding a user in Check Point via the command line (CLI). It's just as easy to do this in the GUI, but when I'm already in the CLI and need to do this, this is a quick template for me.

add user NewUserName uid 0 homedir /home/NewUserName
set user NewUserName gid 100 shell /etc/cli.sh
set user NewUserName password
(then you will verify the password you just typed in)
add rba user NewUserName roles adminRole (for adding an administrator)
save config

Friday, November 24, 2017

Been In NYC...

There are a lot of cool things about NYC. It's a place my family and I really enjoy coming to. From the Top of the Rock, you can see Trump Tower. It's the red, white and blue building. No matter which side of the fence you reside on politically, that's pretty cool.

Saturday, November 11, 2017

Small Update

Sorry for the lack of posts. It's been busy. I have some technical things to post about, and will try to get them up soon. Just wanted to update. I hope you all are doing well.

Monday, November 6, 2017

Do The Right Thing

My wife and I went to Nashville not long ago to see a musician named Ron Pope. One of his openers was a group called Ages and Ages. They were really cool, and they had this song called Do The Right Thing.  Click on that link and give it a listen.

Saturday, November 4, 2017

Home Projects: Security Light

I just realized that in that Cisco IP SLA Catalyst config post, I didn't post the ASA config for it. I'll do that this coming week.
Until then, I'm getting tired of people coming around and lifting door handles in my neighborhood. Maybe a new security light will deter them. My driveway light just didn't work, so I replaced it today.

Friday, November 3, 2017

Home Projects: Pictures On The Wall

Well, getting the frames straight on the wall isn't easy. But with a little effort, you can do it.

Tuesday, October 24, 2017

Cisco IP SLA

I did an IP SLA configuration on two Cisco 4500s the other day. It's really a great solution for multi-path or dual-ISP setups if you don't run a routing protocol. See the config and some notes below.

Topology: (diagram image not reproduced here; the addresses it shows are listed in the notes below)

Config for Site 1:
ip sla 1
icmp-echo 10.15.0.2 source-ip 10.15.0.1
threshold 2
timeout 1000
frequency 3
ip sla schedule 1 life forever start-time now

track 1 ip sla 1 reachability

ip route 10.2.3.0 255.255.255.0 10.15.0.2 track 1
ip route 10.2.3.0 255.255.255.0 10.0.10.5 10

Config for Site 2:
ip sla 1
icmp-echo 10.15.0.1 source-ip 10.15.0.2
threshold 2
timeout 1000
frequency 3
ip sla schedule 1 life forever start-time now

track 1 ip sla 1 reachability

ip route 10.20.15.0 255.255.255.0 10.15.0.1 track 1
ip route 10.20.15.0 255.255.255.0 10.20.3.253 10


Notes:
10.15.0.2 is the IP address on Site 2 fiber port.
10.15.0.1 is the IP address on Site 1 fiber port.
10.0.10.5 is the IP address on Site 1 LAN Firewall port.
10.20.3.253 is the IP address on Site 2 LAN Firewall port.
The idea here is that if the fiber goes down, the routing table changes so traffic goes across the VPN to the remote site instead.

Site 1 4500:
Switch#sh track
Track 1
  IP SLA 1 reachability
  Reachability is Up
    1 change, last change 00:02:09
  Latest operation return code: Over threshold
  Latest RTT (millisecs) 4
  Tracked by:
    Static IP Routing 0
Admin_Switch#sh ip route
...
S        10.20.3.0/24 [1/0] via 10.15.0.2

Switch# config t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#int vlan 99
Switch(config-if)#shut
Switch(config-if)#exit
Switch(config)#exit
Switch#sh track
Track 1
  IP SLA 1 reachability
  Reachability is Down
    2 changes, last change 00:00:02
  Latest operation return code: Timeout
  Tracked by:
    Static IP Routing 0
Switch#sh ip route
...
S        10.20.3.0/24 [10/0] via 10.0.10.5

Switch(config)#int vlan 99
Switch(config-if)#no shut
Switch(config-if)#exit
Switch(config)#exit
Switch#sh track
Track 1
  IP SLA 1 reachability
  Reachability is Up
    3 changes, last change 00:00:03
  Latest operation return code: Over threshold
  Latest RTT (millisecs) 4
  Tracked by:
    Static IP Routing 0

Switch#sh ip route
...
S        10.20.3.0/24 [1/0] via 10.15.0.2
Switch#
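As an added example that is not part of the original post, the following Python models the tracking behavior shown in the transcript above with the post's own values (threshold 2, timeout 1000) and the two Site 1 static routes, and parses "show track" output to decide which route is installed. The point worth noticing is that with an RTT of 4 ms the return code is "Over threshold" yet reachability stays Up, because a reachability track only goes Down on Timeout; the sample "show track" text is constructed from the post's transcript.

```python
import re

# Values from the post's 'ip sla 1' block
THRESHOLD_MS = 2     # threshold 2
TIMEOUT_MS = 1000    # timeout 1000

# Site 1 static routes from the post: (prefix, next hop, admin distance, tracked by track 1)
SITE1_ROUTES = [
    ("10.2.3.0/24", "10.15.0.2", 1, True),    # across the fiber, 'track 1'
    ("10.2.3.0/24", "10.0.10.5", 10, False),  # floating static via the LAN firewall / VPN
]

def sla_return_code(rtt_ms):
    """Return code of one icmp-echo probe; rtt_ms=None means no reply at all."""
    if rtt_ms is None or rtt_ms > TIMEOUT_MS:
        return "Timeout"
    if rtt_ms > THRESHOLD_MS:
        return "Over threshold"
    return "OK"

def reachability(return_code):
    """A 'reachability' track is Up for OK and Over threshold; only Timeout takes it Down."""
    return "Down" if return_code == "Timeout" else "Up"

def active_route(routes, track_up):
    """Tracked routes are candidates only while the track is Up; lowest distance wins."""
    candidates = [r for r in routes if track_up or not r[3]]
    return min(candidates, key=lambda r: r[2])

_REACH_RE = re.compile(r"^\s*Reachability is (Up|Down)\s*$", re.MULTILINE)

def track_is_up(show_track_output):
    """Parse 'show track' text and return True when reachability is Up."""
    m = _REACH_RE.search(show_track_output)
    if m is None:
        raise ValueError("no 'Reachability is' line in show track output")
    return m.group(1) == "Up"

# Constructed sample, shaped like the post's transcript after 'int vlan 99' / 'shut'
SHOW_TRACK_DOWN = """Track 1
  IP SLA 1 reachability
  Reachability is Down
    2 changes, last change 00:00:02
  Latest operation return code: Timeout
"""

if __name__ == "__main__":
    up = track_is_up(SHOW_TRACK_DOWN)
    print("track up:", up, "installed route:", active_route(SITE1_ROUTES, up))
```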


Friday, October 20, 2017

VPN: IKEv1 And IKEv2

While configuring some VPNs today, the question came up about using IKEv1 vs IKEv2. I don't want to get into the technical details about the differences between the two (I'll do that in the next post), but I do want you to know that the two are not compatible with each other. So if you use IKEv2 on one side, you have to use it on the other side as well.

Thursday, October 12, 2017

Cisco ASR920 Problem

This was an interesting evening. I went onsite to a customer and put in one of those SonicWall TZ600 firewalls I just configured. Once I got it in place, I noticed the usual ARP issue you get on the next-hop router, so I rebooted the ISP router. As it turns out, there is a firmware issue on these Cisco ASR920 routers: when you reboot the system with fiber modules in the ASR, it can cause a problem forwarding traffic even though the interfaces are up. The fix? Literally, pull out the GBIC modules and re-seat them. All OK after that.

Monday, October 9, 2017

Two SonicWall TZ600s

This week, I have two SonicWall TZ600 firewalls to get set up for a company. They will have a site-to-site VPN and will provide these small offices with some security. It's certainly not an enterprise solution, but OK for small offices like these.

Sunday, October 8, 2017

Saturday, September 30, 2017

It's Never Ending...

Just keep in mind, when it comes to security of company data, everyone is a target. You have to protect yourself with appropriate cyber security. Sonic was the latest we have heard of. Who is next?

Wednesday, September 27, 2017

Check Point Firewall: CPView In CLI

Just real quick: if you go into the CLI of Check Point, there is a command called cpview. It's a good, quick look at some statistics that might be helpful to you. Try it out and get a feel for it.