CheckPoint Gaia SNMP configuration

Here is an example of an SNMPv3 configuration on a CheckPoint Gaia appliance:

[code]
set snmp agent on
set snmp contact "zzzz@domain.com"
set snmp location "Middle of nowhere"
add snmp address 123.34.56.78
set snmp agent-version v3-Only
add snmp usm user snmpv3user security-level authPriv auth-pass-phrase 111222333 privacy-pass-phrase 555666777
[/code]

To use the less secure SNMP v1/v2c versions, use the following commands:

[code]
set snmp agent on
set snmp contact "zzzz@domain.com"
set snmp location "Middle of nowhere"
add snmp address 123.34.56.78
set snmp agent-version any
set snmp community snmpv2community read-only
[/code]

Replace 123.34.56.78 with the IP address of the firewall interface that should answer SNMP requests. The "add snmp address" command may be omitted; SNMP then listens on all interfaces.

If you want to enable SNMPv3 only, you will probably also want to remove the default "public" community from the configuration. However, once the agent-version has been changed to v3-Only, the firewall rejects the command:

[code]
delete snmp community public read-only
NMSSNM0075 SNMP v3-Only does not accept community strings.
[/code]

To work around this issue, just execute:

[code]
set snmp agent-version any
delete snmp community public read-only
set snmp agent-version v3-Only
[/code]
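The configuration above gives you the secure and the less secure variants side by side, but nothing on the appliance tells you which one you actually ended up with after the v3-Only workaround. The following POSIX shell script is an added example, not part of the original post and not a CheckPoint tool: it reads configuration text in the same "set snmp ..." / "add snmp ..." form as the commands above and prints one finding per weak setting (an agent-version other than v3-Only, any community string including the default "public", and any USM user below authPriv). The two sample configurations are constructed from the page's own commands; the assumption that a Gaia configuration dump uses this same command form is mine.

```shell
#!/bin/sh
# Added example: audit an SNMP configuration dump for settings that keep
# SNMPv1/v2c reachable. Input lines use the "set snmp ..." / "add snmp ..."
# form shown in the post; assuming the appliance's own config dump looks
# the same is an assumption of this example.

# Constructed sample: the v1/v2c configuration from the post plus the default
# "public" community that is still present until it is deleted.
WEAK_CFG=$(cat <<'EOF'
set snmp agent on
set snmp contact "zzzz@domain.com"
set snmp location "Middle of nowhere"
add snmp address 123.34.56.78
set snmp agent-version any
set snmp community snmpv2community read-only
set snmp community public read-only
EOF
)

# Constructed sample: the SNMPv3-only configuration from the post after the
# workaround (no community strings left).
STRONG_CFG=$(cat <<'EOF'
set snmp agent on
add snmp address 123.34.56.78
set snmp agent-version v3-Only
add snmp usm user snmpv3user security-level authPriv auth-pass-phrase 111222333 privacy-pass-phrase 555666777
EOF
)

# audit_snmp_config: read configuration lines on stdin, print one
# "WEAK: ..." line per finding. Lines that do not matter are ignored.
audit_snmp_config() {
    while IFS= read -r line; do
        case "$line" in
            "set snmp agent-version "*)
                # Last word is the version; anything but v3-Only still
                # answers v1/v2c requests.
                ver=${line##* }
                [ "$ver" = "v3-Only" ] || echo "WEAK: agent-version '$ver' still answers SNMPv1/v2c requests" ;;
            "set snmp community "*)
                # Words: set snmp community NAME MODE
                set -- $line
                echo "WEAK: community string '$4' ($5) is configured" ;;
            "add snmp usm user "*)
                # Words: add snmp usm user NAME security-level LEVEL ...
                set -- $line
                [ "$7" = "authPriv" ] || echo "WEAK: USM user '$5' configured without privacy ($7)" ;;
        esac
    done
}

# count_findings CONFIG_TEXT: number of findings for the given configuration.
count_findings() {
    printf '%s\n' "$1" | audit_snmp_config | wc -l | tr -d ' '
}

# Stand-alone run: show the findings for both samples.
printf 'Weak configuration findings:\n'
printf '%s\n' "$WEAK_CFG" | audit_snmp_config
printf 'Strong configuration findings: %s\n' "$(count_findings "$STRONG_CFG")"
```

Run it against the output of a configuration dump to confirm that the "public" community really is gone after the agent-version workaround; the weak sample above produces three findings, the v3-Only sample none.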

CheckPoint NTP time sync configuration

To set up NTP on a CheckPoint SecurePlatform (SPLAT) system, run the following command:

[code]
ntp -n 1800 time.nist.gov ntp.eenet.ee ntp.estpak.ee
[/code]

You may also use IP addresses:

[code]
ntp -n 1800 64.236.96.53 193.40.133.142 192.98.49.10
[/code]

This command will create a config file in /etc/sysconfig/ntp and enable ntpd on boot.

The following file was produced by the example command:
[code]
SERVER1=64.236.96.53
SERVER2=193.40.133.142
SERVER3=192.98.49.10
INTERVAL=1800
MD5_SECRET=
USE_NTP=true
[/code]

You may want to confirm that ntpd will be started at boot by running:
[code]
chkconfig --list ntp
[/code]

The command should display:
[code]
ntp 0:off 1:off 2:off 3:on 4:off 5:on 6:off
[/code]

CheckPoint VPN – Wrong value for: Group Description

While debugging a VPN, you may see an error in the log that says:

IKE Main Mode Failed to match proposal: Transform 3DES / AES, SHA1 / MD5, Pre-shared secret, Group 1 (1024 bit)

This error means that the Phase 1 settings do not match those on the other side of the VPN.
Do not let "Group Description" confuse you: the mismatch is not necessarily in the Diffie-Hellman group value.

If you have access to the remote device, check the settings yourself, or contact its maintainer.

Block Skype connections

There is a popular belief that the Skype client is very hard to block on the network layer, due to its peer-to-peer behavior and its use of the HTTP/S ports.

Block Skype client

However, at present (December 2012) Skype client connections can be blocked quite simply with a few firewall rules.
After startup, the Skype client receives a list of its master (login?) servers, dsnX.d.skype.net. Currently there are 16 DNS entries, from dsn0.d.skype.net to dsn16.dsn.skype.net.

Using a simple bash one-liner (which relies on the Linux DNS utility dig), we can get most of these servers' IP addresses:

[code]
for i in {0..20} ; do dig +short dsn$i.d.skype.net; done | sort | uniq
[/code]

Just block all access to the following networks and the Skype client will not be able to authenticate and connect.

111.221.74.0/24
111.221.77.0/24
157.55.130.0/24
157.55.235.0/24
157.55.56.0/24
157.56.52.0/24
213.199.179.0/24
64.4.23.0/24
65.55.223.0/24

On a Linux router with an iptables firewall, you may use the following command:

[code]
for ip in 111.221.74.0/24 111.221.77.0/24 157.55.130.0/24 157.55.235.0/24 157.55.56.0/24 157.56.52.0/24 213.199.179.0/24 64.4.23.0/24 65.55.223.0/24; do iptables -A OUTPUT -d $ip -j DROP; done
[/code]
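The post resolves the dsnN names with dig, collapses the results by hand into the /24 list, and then loops over that list with iptables. The POSIX shell script below is an added example, not part of the original post, that does the middle and last steps for you: it turns a list of resolved addresses into the de-duplicated /24 networks and prints the corresponding iptables rules rather than applying them, so the result can be reviewed first. It also generalizes the chain choice: on a router, traffic from the clients behind it passes through the FORWARD chain, while the OUTPUT rule in the post only matches traffic the router itself originates. The address list is constructed for the example; it is not a fresh resolution of the Skype names.

```shell
#!/bin/sh
# Added example: build the /24 block list from resolved addresses and emit
# iptables rules for review. Not from the original post.

# Constructed sample of what "dig +short dsnN.d.skype.net" might have
# returned; real answers change over time.
RESOLVED_IPS="111.221.74.12
111.221.74.200
157.55.130.145
64.4.23.140
64.4.23.142
157.55.130.165"

# to_slash24: read IPv4 addresses on stdin, print each address's /24 network
# once, in numeric order.
to_slash24() {
    awk -F. 'NF == 4 { print $1"."$2"."$3".0/24" }' \
        | sort -t. -k1,1n -k2,2n -k3,3n | uniq
}

# make_drop_rules [CHAIN]: read networks on stdin, print one iptables DROP
# rule per network. FORWARD is the default because routed client traffic
# traverses it; pass OUTPUT to match only traffic the router itself sends.
make_drop_rules() {
    chain=${1:-FORWARD}
    while IFS= read -r net; do
        printf 'iptables -A %s -d %s -j DROP\n' "$chain" "$net"
    done
}

# block_list_for ADDRESS_LIST: the /24 networks covering the given addresses.
block_list_for() {
    printf '%s\n' "$1" | to_slash24
}

# Stand-alone run: print the rules instead of executing them.
block_list_for "$RESOLVED_IPS" | make_drop_rules FORWARD
```

To use it with live data, replace RESOLVED_IPS with the output of the dig loop from the post and pipe the printed rules into a shell only after checking that no network you rely on was swept into a /24.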