The Moose and Squirrel Files

September 26, 2011

A bash Telnet Client for Checkpoint Secureplatform

Filed under: checkpoint, linux — networknerd @ 9:27 pm

UPDATED: As Dreezman pointed out in the comments there is a telnet client on the distribution media.  I’ll leave this post up though so I can refer back to it for hints on Linux IO redirection.

Checkpoints secureplatform doesn’t come with a telnet client pre-installed.  While this generally isn’t a major problem there are times where life would be simpler if you had telnet to connect to an adjacent router, or even to check connectivity with an SMTP relay.

The bash shell script below is simple yet still capable enough to meet these occasional demands.  Without all the niceties the script amounts to just three lines.

  1. The exec statement to connect file handle 3 to our socket.
  2. Reading the input of the file handle and using cat to send it to the screen.
  3. Reading STDIN  (keyboard) and writing it to our file handle.

A great example of how powerful  linux IO redirection can be.

#! /bin/bash
# Workaround for lack of telnet client on Secureplatform
# Uses Bash IO redirection to tcp sockets
     echo "USAGE: $0 host port" >&2
#Check we have the right number of args on the command line
if [ -z "$1" -o -z "$2" ]; then
#Check if the script is sourced.
#We use return if it is to avoid exiting the parent shell
    if [ "$0" == "bash" ]; then
        return -1
       exit -1
#Redirect input and output from the socket to filehandle
exec 3<>/dev/tcp/$1/$2
#Output from the file handle goes to the screen,we run this process in background
cat <&3 &
#Input from the keyboard goes to our file handle. CTRL-C to exit.
cat >&3
#Close Output then input
exec 3>&-
exec 3<&-

August 27, 2009

Viewing Checkpoint fw monitor files in Wireshark

Filed under: checkpoint — Tags: , — networknerd @ 11:48 am

Checkpoints fw monitor utility performs packet captures similar to tcpdump and wireshark. Unlike these utilities it operates above layer 2 and contains no mac address information.  It does contain additional information from the firewall on interface and direction.

To view this additional information in wireshark some extra configuration is required.

  1. Select edit/preferences/protocols/ethernet
  2. Check the box labelled “Attempt to interpret as Firewall-1 monitor file” and press ok
  3. Select edit/preferences/User Interface/columns
  4. Click add to add a new column and name it interface.
  5. From the format dropdown listbox select FW-1 monitor if/direction and press ok

Save the text below to a file colorise.txt

# DO NOT EDIT THIS FILE!  It was created by Wireshark
@FW-Mon-i @ fw1.direction contains "i"@[65535,65535,0][0,0,0]
@FW-Mon-I @fw1.direction contains "I"@[37008,61166,37008][0,0,0]
@FW-Mon-o@fw1.direction contains "o"@[44461,55512,59110][0,0,0]
@FW-Mon-O@ fw1.direction contains "O"@[31161,49051,54875][0,0,0]

  1. Select View/coloring rules
  2. Click import and open the saved file from above
  3. Select the last 4 rules and move them to the top of the list by clicking the up button
  4. Press ok

Your now ready to view the fw monitor files in wireshark.


Wireshark modification for FW Monitor files

August 26, 2009

Making Checkpoint’s FW Monitor more like Tcpdump

Filed under: checkpoint — Tags: — networknerd @ 10:51 pm

Every checkpoint firewall, regardless of platform, includes the packet capture utility fw monitor. The problem with fw monitor is the cryptic inspect syntax that you need to learn to create a capture filter. Unfortunately, if your looking for support from checkpoint then your stuck with fw monitor. To simplify the process I have created a couple of macros that help bridge the gap between the two syntaxes.

When capturing with tcpdump I generally use the host and port commands to reduce the traffic to a particular set of conversations between hosts. An example expression, in tcp dump syntax, to capture all dns traffic either udp or tcp between and is shown below.

"host and and port 53"

After creating a few simple inspect macros we can do the equivalent  using fw monitor with

accept host( and host( and port(53);

This is not a bad approximation. The only differences are  brackets needed to pass the parameters to the macro, and a repeat of the host command.

The savings are obvious compared to the complete  inspect script syntax shown below.

accept (
(ip_src= or ip_src= and \
(ip_dst= or ip_dst= \
) and \
(ip_p=PROTO_tcp and (th_sport=53 or th_dport=53)) or \
(ip_p=PROTO_udp and (uh_sport=53 or uh_dport=53)) \

 The macros can be saved in a separate library file and included in a filter file or you can just include all the macros in one large command file with the filter expression as shown below.

#include "tcpip.def"
#define src ip_src
#define dst ip_dst
#define sport th_sport
#define dport th_dport
#define port(portnum) ((ip_p=PROTO_tcp and (sport=portnum or dport=portnum)) or \
(ip_p=PROTO_udp and (uh_sport=portnum or uh_dport=portnum)))
#define srcport(portnum) ((ip_p=PROTO_tcp and sport=portnum) or \
(ip_p=PROTO_udp and uh_sport=portnum))
#define dstport(portnum) ((ip_p=PROTO_tcp and dport=portnum) or \
(ip_p=PROTO_udp and uh_dport=portnum))
#define host(hostip) ((src=hostip) or (dst=hostip))

/* dns traffic between hosts */
accept host( and host( and port(53);

Once saved to a file, say myfilter.def,  it is a simple matter of running

fw monitor -i -f myfilter.def

and generating, or waiting for the traffic you need to capture.

August 28, 2008

Checkpoint Secureplatform Wisdom

Filed under: checkpoint — Tags: , — networknerd @ 8:22 pm

Enable SCP – sk26258

  • Go into expert mode and add users to the /etc/scpusers file.  Create the file if necessary.
  • Restart sshd using the command service sshd restart

Enable IP Forwarding – sk25818

  • Go into expert mode and type the command “echo 1 > /proc/sys/net/ipv4/ip_forward”

Enable SSH Public key Authentication – sk30366

  • Go into expert mode
  • mkdir  $HOME/.ssh
  • chmod 0700 $HOME/.ssh
  • touch $HOME/.ssh/authorized_keys
  • chmod 0600 $HOME/.ssh/authorized_keys
  • vi $HOME/.ssh/authorized_keys
  • :$ (goes to the last line of the file)
  • A (appends to the end of the line)
  • paste in the key that you have copied from the client
  • esc (get out of insert mode)
  • : x (save the file and exit)

To be able to match a login to a users key perform the following steps.

  • vi /etc/ssh/sshd_config
  • find the Logging section and add en entry LogLevel VERBOSE
  • Restart sshd using the command service sshd restart
  • The fingerprint of  the key used is then recorded in /var/log/secure
  • To check the fingerprints you can use the script below
#! /bin/bash

#Generate fingerprints for ssh public keys so we can match logons to users

#Create a temp file and bail out if we can't
TMPFILE=`mktemp /tmp/fingerprint.XXXXXX` || exit 1

#Check to see if a keyfile is specified
if [ -r "$1" ]; then

#Cleanup temp files on exit
trap "rm -f ${TMPFILE}" 0

#Truncate the output file
cat /dev/null >${FPFILE}

#Hook up the authorized_keys file to File descriptor 3
exec 3< ${KEYFILE}

#loop through each key in the file
while read <&3
        if (!(echo ${REPLY} | egrep "^\#"i)); then
                # If not a comment then save the key and generate a fingerprint
                echo "${REPLY}" >${TMPFILE}
                /usr/bin/ssh-keygen -l -f ${TMPFILE} >> ${FPFILE}

#Close FD 3
exec 3<&-
/bin/echo "The fingerprints for ${KEYFILE} have been saved in ${FPFILE}."

Convert a securecrt ssh public key for use with secureplatform.

This recipe converts IETF multiline key format to the single line format used by openssh on secureplatform.

  • Go into expert mode
  • create a new file on the firewall with vi.  For example vi mypubkey.txt
  • Paste in the new key, save the file and exit.
  • type “ssh-keygen -i -f mypubkey.txt >>/home/admin/.ssh/authorized_keys

Restrict a public key authentication to a single command

This recipe is useful if you want to restrict users to a particular operation such as shutdown or reboot.

  • Go into expert mode
  • edit /home/admin/.ssh/authorized_keys
  • Paste in the new key or modify the old key
  • At the beginning of the line containing the key insert command=”/sbin/shutdown -h now”
  • Save and exit
  • Change the shell for admin  using the command usermod -s /bin/bash -U admin
  • If you prefer to go into the cpshell when logging in interactively then execute the command “echo exec /bin/cpshell > /etc/profile.d/

Increase OSPF adjacency memberships on SecurePlatform Pro – sk32568

  • Go into expert mode
  • vi /etc/rc.d/rc.local
  • add the line ” echo 50 > /proc/sys/net/ipv4/igmp_max_memberships"
  • save and exit (: x)

Note the knowledgebase article suggest you add the command to /etc/rc.d/init.d/cpboot.  You could also add an entry directly to /etc/sysctl.conf net.ipv4.igmp_max_memberships= 50

Identify network adapters on Secureplatform/Linux

The recipe helps you identify which physical nic is mapped to an alias such as eth1 by flashing them in turn for 15 seconds.  Adjust the time to suit yourself

  • Go into expert mode
  • type the following command all on one line
  • for i in `egrep "eth[0-9]+" /etc/modules.conf | cut -f2 -d" "`; do echo $i;ethtool -p $i 15; done

Blog at