The Moose and Squirrel Files

August 27, 2009

Viewing Checkpoint fw monitor files in Wireshark

Filed under: checkpoint — Tags: , — networknerd @ 11:48 am

Checkpoint's fw monitor utility performs packet captures similar to tcpdump and Wireshark. Unlike those utilities it operates above layer 2, so the capture contains no MAC address information. It does contain additional information from the firewall on the interface and direction of each packet.

To view this additional information in Wireshark some extra configuration is required.

  1. Select edit/preferences/protocols/ethernet
  2. Check the box labelled “Attempt to interpret as Firewall-1 monitor file” and press ok
  3. Select edit/preferences/User Interface/columns
  4. Click add to add a new column and name it interface.
  5. From the format dropdown listbox select FW-1 monitor if/direction and press ok

Save the text below to a file named colorise.txt

# DO NOT EDIT THIS FILE!  It was created by Wireshark
@FW-Mon-i@fw1.direction contains "i"@[65535,65535,0][0,0,0]
@FW-Mon-I@fw1.direction contains "I"@[37008,61166,37008][0,0,0]
@FW-Mon-o@fw1.direction contains "o"@[44461,55512,59110][0,0,0]
@FW-Mon-O@fw1.direction contains "O"@[31161,49051,54875][0,0,0]

  1. Select View/coloring rules
  2. Click import and open the saved file from above
  3. Select the last 4 rules and move them to the top of the list by clicking the up button
  4. Press ok

You're now ready to view fw monitor files in Wireshark.

References

Wireshark modification for FW Monitor files

August 26, 2009

Making Checkpoint’s FW Monitor more like Tcpdump

Filed under: checkpoint — Tags: — networknerd @ 10:51 pm

Every Checkpoint firewall, regardless of platform, includes the packet capture utility fw monitor. The problem with fw monitor is the cryptic INSPECT syntax that you need to learn to create a capture filter. Unfortunately, if you're looking for support from Checkpoint then you're stuck with fw monitor. To simplify the process I have created a couple of macros that help bridge the gap between the two syntaxes.

When capturing with tcpdump I generally use the host and port primitives to reduce the traffic to a particular set of conversations between hosts. An example expression, in tcpdump syntax, to capture all DNS traffic, either UDP or TCP, between 192.168.1.1 and 192.168.1.12 is shown below.

"host 192.168.1.1 and 192.168.1.12 and port 53"

After creating a few simple INSPECT macros we can do the equivalent using fw monitor with

accept host(192.168.1.1) and host(192.168.1.12) and port(53);

This is not a bad approximation. The only differences are the parentheses needed to pass the parameters to the macros, and the host macro being repeated for each address.

The savings are obvious compared to the complete INSPECT script syntax shown below.

accept (
(ip_src=192.168.1.1 or ip_src=192.168.1.12) and \
(ip_dst=192.168.1.1 or ip_dst=192.168.1.12) \
) and \
(
(ip_p=PROTO_tcp and (th_sport=53 or th_dport=53)) or \
(ip_p=PROTO_udp and (uh_sport=53 or uh_dport=53)) \
);

The macros can be saved in a separate library file and included in a filter file, or you can just include all the macros in one large command file with the filter expression, as shown below.


#include "tcpip.def"
#define src ip_src
#define dst ip_dst
#define sport th_sport
#define dport th_dport
#define port(portnum) ((ip_p=PROTO_tcp and (sport=portnum or dport=portnum)) or \
(ip_p=PROTO_udp and (uh_sport=portnum or uh_dport=portnum)))
#define srcport(portnum) ((ip_p=PROTO_tcp and sport=portnum) or \
(ip_p=PROTO_udp and uh_sport=portnum))
#define dstport(portnum) ((ip_p=PROTO_tcp and dport=portnum) or \
(ip_p=PROTO_udp and uh_dport=portnum))
#define host(hostip) ((src=hostip) or (dst=hostip))

/* dns traffic between hosts */
accept host(192.168.1.1) and host(192.168.1.12) and port(53);

Once saved to a file, say myfilter.def, it is a simple matter of running

fw monitor -i -f myfilter.def

and generating, or waiting for, the traffic you need to capture.
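The procedure above still means hand-writing the accept line for every capture. The script below is an added example, not code from the original post: it takes tcpdump-style host/port keywords, validates them, and writes a complete filter file (the post's macro library plus the generated accept statement) that can be handed to fw monitor -i -f. The macro text is copied from the post; the function names (inspect_macros, valid_host, valid_port, inspect_filter, write_filter_file) and the keyword syntax are this example's own choices.

```shell
#!/bin/sh
# Added example, not code from the original post: generate an fw monitor
# filter file from tcpdump-style "host"/"port" keywords, reusing the post's
# macro library. The function names and keyword syntax are assumptions made
# for this example.

# The macro library exactly as given in the post.
inspect_macros() {
    cat <<'EOF'
#include "tcpip.def"
#define src ip_src
#define dst ip_dst
#define sport th_sport
#define dport th_dport
#define port(portnum) ((ip_p=PROTO_tcp and (sport=portnum or dport=portnum)) or \
(ip_p=PROTO_udp and (uh_sport=portnum or uh_dport=portnum)))
#define srcport(portnum) ((ip_p=PROTO_tcp and sport=portnum) or \
(ip_p=PROTO_udp and uh_sport=portnum))
#define dstport(portnum) ((ip_p=PROTO_tcp and dport=portnum) or \
(ip_p=PROTO_udp and uh_dport=portnum))
#define host(hostip) ((src=hostip) or (dst=hostip))
EOF
}

# Reject anything that is not a dotted-quad address, so a typo cannot turn
# into an INSPECT syntax error deep inside the macro expansion.
valid_host() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Reject anything that is not a port number in 1-65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Usage: inspect_filter host A [host B ...] [port N | srcport N | dstport N ...]
# Each keyword/value pair becomes one macro call and the pairs are joined
# with "and", so "host A host B port N" yields the post's
# "accept host(A) and host(B) and port(N);"
inspect_filter() {
    filter=""
    while [ $# -ge 2 ]; do
        case "$1" in
            host) valid_host "$2" || { echo "bad host: $2" >&2; return 1; } ;;
            port|srcport|dstport) valid_port "$2" || { echo "bad port: $2" >&2; return 1; } ;;
            *) echo "unknown keyword: $1" >&2; return 1 ;;
        esac
        filter="${filter:+$filter and }$1($2)"
        shift 2
    done
    [ $# -eq 0 ] || { echo "keyword without a value: $1" >&2; return 1; }
    [ -n "$filter" ] || { echo "no filter terms given" >&2; return 1; }
    printf 'accept %s;\n' "$filter"
}

# Write a complete filter file (macro library plus accept statement) that can
# be passed to "fw monitor -i -f <file>". Validates the arguments before the
# output file is touched.
write_filter_file() {
    out=$1
    shift
    inspect_filter "$@" >/dev/null || return 1
    {
        inspect_macros
        echo
        echo "/* generated from: $* */"
        inspect_filter "$@"
    } >"$out"
}

# Example: write_filter_file myfilter.def host 192.168.1.1 host 192.168.1.12 port 53
```

The validation is deliberately strict: fw monitor reports a bad filter as a compile error with little context, so refusing a malformed address or port before the file is written saves a round trip on the firewall.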

August 28, 2008

Checkpoint Secureplatform Wisdom

Filed under: checkpoint — Tags: , — networknerd @ 8:22 pm

Enable SCP – sk26258

  • Go into expert mode and add users to the /etc/scpusers file. Create the file if necessary.
  • Restart sshd using the command service sshd restart

Enable IP Forwarding – sk25818

  • Go into expert mode and type the command echo 1 > /proc/sys/net/ipv4/ip_forward

Enable SSH Public key Authentication – sk30366

  • Go into expert mode
  • mkdir $HOME/.ssh
  • chmod 0700 $HOME/.ssh
  • touch $HOME/.ssh/authorized_keys
  • chmod 0600 $HOME/.ssh/authorized_keys
  • vi $HOME/.ssh/authorized_keys
  • :$ (goes to the last line of the file)
  • A (appends to the end of the line)
  • paste in the key that you have copied from the client
  • Esc (get out of insert mode)
  • :x (save the file and exit)

To be able to match a login to a user's key, perform the following steps.

  • vi /etc/ssh/sshd_config
  • find the Logging section and add an entry LogLevel VERBOSE
  • Restart sshd using the command service sshd restart
  • The fingerprint of the key used is then recorded in /var/log/secure
  • To check the fingerprints you can use the getfingerprints.sh script below

#!/bin/bash

# Generate fingerprints for ssh public keys so we can match logons to users
# Usage: getfingerprints.sh [authorized_keys file]

# Create a temp file and bail out if we can't
TMPFILE=$(mktemp /tmp/fingerprint.XXXXXX) || exit 1
FPFILE=/home/admin/fingerprints.txt

# Use the key file given on the command line if it is readable,
# otherwise fall back to admin's authorized_keys
if [ -r "$1" ]; then
  KEYFILE=$1
else
  KEYFILE=/home/admin/.ssh/authorized_keys
fi

# Clean up the temp file on exit
trap 'rm -f "${TMPFILE}"' 0

# Truncate the output file
cat /dev/null >"${FPFILE}"

# Hook up the authorized_keys file to file descriptor 3
exec 3<"${KEYFILE}"

# Loop through each line in the file
while read -r <&3
do
        # Skip comments and blank lines
        case "${REPLY}" in
                ''|'#'*) continue ;;
        esac
        # Otherwise save the key on its own and generate a fingerprint for it
        echo "${REPLY}" >"${TMPFILE}"
        /usr/bin/ssh-keygen -l -f "${TMPFILE}" >> "${FPFILE}"
done

# Close FD 3
exec 3<&-
/bin/echo "The fingerprints for ${KEYFILE} have been saved in ${FPFILE}."
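The script above produces the fingerprint list; the step the post leaves to the reader is joining that list to /var/log/secure. The script below is an added example, not part of the original post: with LogLevel VERBOSE, sshd records "Found matching <type> key: <fingerprint>" and then the "Accepted publickey" line for the same sshd process, so the two can be joined on the pid and the fingerprint looked up in fingerprints.txt. The log excerpt and fingerprints are constructed sample data, the function names (correlate_logins, run_demo) and the output format are this example's own choices, and a key that is not in the fingerprint file is flagged as UNKNOWN-KEY, which is the case worth alerting on.

```shell
#!/bin/sh
# Added example, not part of the original post: tie each public-key login in
# /var/log/secure back to a key comment using the fingerprints.txt produced
# by getfingerprints.sh. Sample data below is constructed; function names
# and output format are assumptions made for this example.

# Constructed fingerprints.txt in the format ssh-keygen -l printed at the
# time: "<bits> <md5 fingerprint> <comment> (<type>)". Fingerprints are made up.
SAMPLE_FINGERPRINTS='2048 3a:9f:2c:10:77:4e:b1:d0:66:35:f8:a2:0c:19:5d:01 alice@laptop (RSA)
2048 c4:11:8e:52:9b:03:aa:6f:21:d7:44:e8:90:3c:b5:7e bob@desktop (RSA)
1024 77:e0:1b:c9:58:2d:f3:06:94:ab:15:60:dc:27:83:b9 shutdown-only@ops (DSA)'

# Constructed /var/log/secure excerpt. The last publickey login uses a key
# that is not in fingerprints.txt and should be flagged.
SAMPLE_SECURE_LOG='Aug 28 20:10:01 fw1 sshd[4211]: Found matching RSA key: 3a:9f:2c:10:77:4e:b1:d0:66:35:f8:a2:0c:19:5d:01
Aug 28 20:10:01 fw1 sshd[4211]: Accepted publickey for admin from 10.1.1.20 port 51022 ssh2
Aug 28 20:12:45 fw1 sshd[4302]: Found matching DSA key: 77:e0:1b:c9:58:2d:f3:06:94:ab:15:60:dc:27:83:b9
Aug 28 20:12:45 fw1 sshd[4302]: Accepted publickey for admin from 10.1.1.30 port 51100 ssh2
Aug 28 20:15:03 fw1 sshd[4390]: Accepted password for admin from 10.1.1.40 port 51200 ssh2
Aug 28 20:16:30 fw1 sshd[4455]: Found matching RSA key: de:ad:be:ef:00:11:22:33:44:55:66:77:88:99:aa:bb
Aug 28 20:16:30 fw1 sshd[4455]: Accepted publickey for admin from 10.1.1.50 port 51300 ssh2'

# correlate_logins <fingerprints file> <secure log file>
# Prints one line per accepted login: timestamp, method, user, source and
# the key comment (UNKNOWN-KEY if the fingerprint is not in the file).
correlate_logins() {
    awk '
        # First file: fingerprint -> key comment
        NR == FNR { comment[$2] = $3; next }
        # Second file: pick the sshd pid out of "sshd[1234]:"
        $5 ~ /^sshd\[[0-9]+]:$/ {
            pid = $5
            sub(/^sshd\[/, "", pid)
            sub(/]:$/, "", pid)
        }
        # Remember the fingerprint sshd matched for this pid
        /Found matching [A-Z0-9]+ key:/ { fp[pid] = $NF }
        # Join the Accepted line to the fingerprint seen for the same pid
        /Accepted publickey for/ {
            key = (pid in fp) ? fp[pid] : "none"
            tag = (key in comment) ? comment[key] : "UNKNOWN-KEY"
            printf "%s %s %s publickey %s from %s key=%s (%s)\n", $1, $2, $3, $9, $11, tag, key
            delete fp[pid]
        }
        /Accepted password for/ {
            printf "%s %s %s password %s from %s key=none\n", $1, $2, $3, $9, $11
        }
    ' "$1" "$2"
}

# Run the correlation over the constructed data and print the result.
run_demo() {
    fpfile=$(mktemp) || return 1
    logfile=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_FINGERPRINTS" >"$fpfile"
    printf '%s\n' "$SAMPLE_SECURE_LOG" >"$logfile"
    correlate_logins "$fpfile" "$logfile"
    rm -f "$fpfile" "$logfile"
}

# On the firewall: correlate_logins /home/admin/fingerprints.txt /var/log/secure
```

The lookup keys on the third field of fingerprints.txt, so it assumes the key comment in authorized_keys contains no spaces; an UNKNOWN-KEY result means a key is accepted by sshd but absent from the fingerprint list, which is exactly the discrepancy this procedure exists to surface.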

Convert a SecureCRT SSH public key for use with SecurePlatform.

This recipe converts the IETF multi-line key format to the single-line format used by OpenSSH on SecurePlatform.

  • Go into expert mode
  • Create a new file on the firewall with vi, for example vi mypubkey.txt
  • Paste in the new key, save the file and exit.
  • Type ssh-keygen -i -f mypubkey.txt >> /home/admin/.ssh/authorized_keys

Restrict a public key authentication to a single command

This recipe is useful if you want to restrict users to a particular operation such as shutdown or reboot.

  • Go into expert mode
  • Edit /home/admin/.ssh/authorized_keys
  • Paste in the new key or modify the old key
  • At the beginning of the line containing the key insert command="/sbin/shutdown -h now"
  • Save and exit
  • Change the shell for admin using the command usermod -s /bin/bash -U admin
  • If you prefer to go into the cpshell when logging in interactively then execute the command echo exec /bin/cpshell > /etc/profile.d/zchngshell.sh
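The recipe above shows only the command= option. The script below is an added example, not part of the original post: restrict_key builds the full authorized_keys line, adding the options that stop a forced-command key from being used for port or agent forwarding, and audit_keys reads an authorized_keys file and reports which keys still grant a full login. The key strings are constructed placeholders rather than real keys, and the function names and output format are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the original post: build a forced-command
# authorized_keys line and audit an authorized_keys file for keys with no
# such restriction. Key strings below are constructed placeholders; the
# function names and output format are assumptions made for this example.

# restrict_key <command> <public key line>
# Prefixes the key with a forced command plus the options that stop the key
# being used for anything else. command= alone does not prevent the client
# from requesting port, X11 or agent forwarding, so those are refused too.
restrict_key() {
    printf 'command="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' "$1" "$2"
}

# audit_keys <authorized_keys file>
# Prints "restricted <comment>" for keys with a forced command and
# "UNRESTRICTED <comment>" for keys that give a full login.
audit_keys() {
    awk '
        /^[ \t]*(#|$)/ { next }     # skip comments and blank lines
        {
            # position of the key type token; options, if any, precede it
            keypos = match($0, /(^| )(ssh-[a-z0-9]+|ecdsa-sha2-[a-z0-9-]+) /)
            cmdpos = index($0, "command=\"")
            if (keypos == 0)
                print "MALFORMED line " NR
            else if (cmdpos > 0 && cmdpos < keypos)
                print "restricted " $NF
            else
                print "UNRESTRICTED " $NF
        }
    ' "$1"
}

# Build a constructed authorized_keys with one open key and one restricted
# key, audit it, and print the result.
run_demo() {
    akfile=$(mktemp) || return 1
    {
        echo '# constructed authorized_keys for the demo'
        echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0CONSTRUCTED0KEY0DATA0NOT0A0REAL0KEY= alice@laptop'
        restrict_key '/sbin/shutdown -h now' \
            'ssh-dss AAAAB3NzaC1kc3MAAACBAN0CONSTRUCTED0KEY0DATA0NOT0A0REAL0KEY= shutdown-only@ops'
    } >"$akfile"
    audit_keys "$akfile"
    rm -f "$akfile"
}

# On the firewall: audit_keys /home/admin/.ssh/authorized_keys
```

Running audit_keys against the admin account's file after the recipe is a quick check that the shutdown-only key really is the restricted one and that no unrestricted key was pasted in alongside it.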

Increase OSPF adjacency memberships on SecurePlatform Pro – sk32568

  • Go into expert mode
  • vi /etc/rc.d/rc.local
  • add the line echo 50 > /proc/sys/net/ipv4/igmp_max_memberships
  • save and exit (:x)

Note the knowledgebase article suggests you add the command to /etc/rc.d/init.d/cpboot. You could also add an entry directly to /etc/sysctl.conf: net.ipv4.igmp_max_memberships = 50

Identify network adapters on SecurePlatform/Linux

This recipe helps you identify which physical NIC is mapped to an alias such as eth1 by flashing each adapter's LED in turn for 15 seconds. Adjust the time to suit yourself.

  • Go into expert mode
  • Type the following command all on one line
  • for i in `egrep "eth[0-9]+" /etc/modules.conf | cut -f2 -d" "`; do echo $i; ethtool -p $i 15; done
