
Best Practice 3D Security Report

Version 4.0 15.05.2013

Changelog
Date       | Name                                      | Changes
2012       | Matthias Schungel (Master of 3D Report)   | Initial document
17.05.2013 | Thomas Werner                             | Added Performance and troubleshooting section
17.05.2013 | Matthias Schungel (Master of 3D Report)   | Bugfixes
27.05.2013 | Henning Ermert                            | Updated to reflect v.1.16

Please send any comments or questions to DE_PRESALES@checkpoint.com.

Contents

Best Practice 3D Security Report (page 1)
1. Install from Image (page 2)
2. Mirror Port configuration (page 2)
   a. Configure Mirror Ports (page 2)
   b. Enable DLP for Mirror Port Setup (page 3)
   c. Configure Mirror Port Topology (page 3)
   d. Install policy (page 3)
3. Configure the Gateway (page 4)
   a. Active software blades (page 4)
   b. Configure -> Global properties (page 4)
   c. Configure -> Firewall Blade (page 4)
   d. Configure -> IPS Blade (page 5)
   e. Configure -> Application Control & URL Filtering blade (page 7)
   f. Configure -> DLP blade (page 7)
   g. Configure -> Anti-Bot and Anti-Virus Blade (page 8)
   h. Install Policy (page 9)
4. Configure the Management (page 10)
   a. Configure -> SmartEvent (page 10)
5. Sample Switch Configurations for Mirror Port (page 11)
6. Example setup & how to start at customer side (page 13)
   a. Appliance (page 13)
   b. Checks (page 13)
   c. Connecting the mirror port interface (page 13)
7. Observing and troubleshooting performance (page 15)
   a. CPU (page 15)
   b. Memory (page 15)
   c. Network (page 15)
   d. Cores (page 15)
8. Fine tuning performance (page 16)
   a. Reducing CPU Utilization (page 16)
   b. Reducing Logs (Relevant for R75.40 and above) (page 17)
   c. Reducing Memory Consumption (page 17)

[Protected] For public distribution

1. Install from Image


R76 GAiA
- R76 Gaia Fresh Install/Upgrade Package for Open Servers/Power-1/UTM-1/2012 Models/IP/Smart-1 5,25,50,150
- Install & First-time configuration of R76 GAiA
- Install 30 Days Eval License + Contract

Download R76 3D REPORT TOOL Ver1.16

a. Install Smart Event Supplement


1. The SmartEvent supplement file is located in the tools package and is named R75.45_REPORT_TOOL-SME-PACK-<ver>.tgz
2. Make a new directory on the SmartEvent Server, under /var, named install.
3. Copy the .tgz file to the server's /var/install directory (copy the file in binary mode).
4. Verify that the file transferred correctly by comparing the file's MD5:
   a. Verify the MD5 by running the md5sum *.* command
   b. In the install directory on the server, run:
      > tar xvzf R76_REPORT_TOOL-SME-PACK-<ver>.tgz
      > chmod 777 se_script
      > ./se_script

b. Install 3D Report Ver.1.16 Smart Console Version


Install the 3D Security Analysis Report Tool SmartConsole on a Windows computer with MS Office 2003 or 2010. Although it is a special R76 SmartConsole, it works with any R76 Security Management Server. To install the GUI of this tool:
1. Copy the SmartConsole file to the Windows computer.
2. Double-click the executable and follow the wizard.

2. Mirror Port configuration


a. Configure Mirror Ports
(If needed, you can define more than one.)
- Create Monitor Interface
  Via Clish: clish> set interface eth0 monitor-mode on (eth0 is an example)
  OR via the WebUI: Go to the "Network Interfaces" tab. Select the required interface and click "Edit". Go to the "Ethernet" tab. Check the "Monitor Mode" checkbox and click "OK".

2012 Check Point Software Technologies Ltd. All rights reserved. [Protected] For public distribution

b. Enable DLP for Mirror Port Setup


If needed, enable DLP for SMTP monitoring via the CLI:
expert> dlp_smtp_mirror_port enable

c. Configure Mirror Port Topology


After the initial GW setup, open the Security Gateway object in SmartDashboard > Topology > Get > Interfaces with Topology > Yes > Accept. Configure the Mirror Port interface's Network Type as Internal and its Topology as Not Defined. Remove the Anti-Spoofing configuration from all other interfaces. In the example below, eth1 is the Mirror Port.

d. Install policy
Ignore the topology warning regarding missing Anti-Spoofing.


3. Configure the Gateway


a. Active software blades

b. Configure -> Global properties


i. In Policy > Global Properties > SmartDashboard Customization -> Advanced Configuration -> Configure, click on the Configure button: In FireWall-1 > Stateful Inspection, uncheck "reject_x11_in_any"
ii. In Policy > Global Properties > Stateful Inspection:
   Change the TCP Session Timeout to 60 Seconds
   Change the TCP End Timeout to 5 Seconds

c. Configure -> Firewall Blade

Activate logging only if needed for troubleshooting


d. Configure -> IPS Blade


Edit the Gateway properties and change Protect Scope to "Perform IPS inspection on all traffic" with the Recommended_Protection IPS Profile.

Also, in the IPS tab, edit the Aggressive Aging protection (IPS signature) so that it is enabled with the following settings:
   TCP Start Timeout: 5
   TCP Session Timeout: 55
   TCP End Timeout: 3
Set tracking for the protection to None.


Eliminating some IPS False Positives

Enabling PSL Tap Mode
Edit $FWDIR/modules/fwkern.conf (create it if it doesn't exist) and add the following lines:
   psl_tap_enable=1
   fw_tap_enable=1
Reboot the Security Gateway.

Do not forget to update the IPS protection signatures:


e. Configure -> Application Control & URL Filtering blade

Ensure the destination is Any (and not Internet, as defined by default). If you have a 3D Report with huge bandwidth and you are monitoring several days or weeks, it is recommended to use only Log and not Extended Log in the Track field; this decreases the time needed to generate the 3D Report Word document. Go to the Engine's settings and enable the following options.

f. Configure -> DLP blade


i. Define the E-Mail domains
ii. Do NOT enable DLP on FTP (it is off by default)
iii. Enable SMTP only if you are using R75.40 and have applied the patch (see above).
iv. Proxy - Use this procedure if a proxy or proxies for HTTP traffic are used at the customer:
   1. In SmartDashboard, go to the Objects Tree and select the Services tab.
   2. Edit the TCP service: HTTP_and_HTTPS_proxy.
   3. Click Advanced.
   4. Select Protocol Type, and choose HTTP.
   5. Enable Match for Any
   6. Click OK
v. Define customer rules


g. Configure -> Anti-Bot and Anti-Virus Blade


Define the Protected Scope (internal networks)

Ensure you are using a detect-only policy similar to:

And make sure the profile specifies that all file types/directions are scanned:


h. Install Policy
Install the new policy.
Note: For testing with the EICAR test virus, see SK44781.


4. Configure the Management


a. Configure -> SmartEvent

i. Define the internal network (same object used in the AntiBot policy)
ii. Install SmartEvent policy


5. Sample Switch Configurations for Mirror Port


Switch type: Extreme Summit 200-24

CLI commands:
   enable mirroring to port 23 untagged
   configure mirror add port 1
   configure mirror add port 2
   configure mirror add port 3
   configure mirror add port 16
   configure mirror add port 14

Comments: Make sure the relevant port (23 in this example) is not tagged

Switch type: Cisco Catalyst 2850, 2940, 2950, 2955, 2960, 2970, 3550, 3560, 3560-E, 3750, 3750-E, 4500/4000 and C6500/6000 Series Switches That Run Cisco IOS System Software, and Cisco Nexus Series Switches That Run NX-OS Software

CLI commands:
   conf t
   monitor session 1 source interface gigabitEthernet 0/17 both
   monitor session 1 destination interface gigabitEthernet 0/15
   exit
   write mem

Syntax:
   monitor session session_number source interface interface-id [, | -] [both | rx | tx]
   monitor session session_number destination interface interface-id

Comments: The source interface is the interface connected to the router leading to the internet, and the destination interface is the mirror port.
   both - Monitor both received and sent traffic.
   rx - Monitor received traffic.
   tx - Monitor sent traffic.

Switch type: Cisco Catalyst 2900, 4500/4000, 5500/5000, and 6500/6000 Series Switches That Run CatOS

Syntax:
   set span source_port destination_port [rx | tx | both]

Switch type: Juniper EX-2200

CLI commands:
   root@switch# edit
   root@switch# set ethernet-switching-options analyzer mirror-3d input ingress interface ge-0/0/6.0
   root@switch# set ethernet-switching-options analyzer mirror-3d input egress interface ge-0/0/6.0
   root@switch# set ethernet-switching-options analyzer mirror-3d output interface ge-0/0/13.0
   root@switch# commit

Comments: The input port is ge-0/0/6.0 and the output / mirrored port is ge-0/0/13.0. The input needs both ingress and egress in order to see the entire connection setup. mirror-3d is the name given to the "analyzer" instance.

Switch type: HP Procurve Switches

Comments: Some HP Procurve switch models only provide ingress traffic when configured in monitor mode. See the following HP knowledge base article (a bit outdated).


RouterBoard 250GS

A great, cheap switch to use in situations where the customer is unable to provide a mirror port!

Important! Check the switch statistics: if the port you want to monitor has a utilization of more than 50% in peaks (1Gbps ports can carry 2Gbps: 1Gbps TX and 1Gbps RX), split the monitor port and send TX packets to one port and RX packets to another port (this is what TAPs do). This avoids oversubscription of the switch monitor/SPAN port and makes sure all packets reach the PoC device. The PoC device must then be configured in bridge mode, with the TX and RX monitor/SPAN ports connected to each side of the bridge. In most cases a setup with separate TX and RX SPAN ports in bridge mode gives better performance on the device, since you can configure a topology. This lets the inspection engine better understand which traffic is outbound and which is inbound, and be more efficient.


6. Example setup & how to start at customer side


a. Appliance
- Management interface (can be used for updates) OR a separate interface for updates
- A proxy could be used, but the GW is not able to authenticate with username & password

Monitor Interfaces

b. Checks
- Check the settings with the customer (IP addresses & GW configuration)
- Check DNS & routing (for the update interface)
- Check updates & contract enforcement (IPS, APPC, AntiBot & Antivirus)

c. Connecting the mirror port interface


- Check that the monitor interface is only receiving packets (tcpdump & show interface)
- Check system health (CPUs, interface queue etc.)
- Check SmartViewTracker and SmartEvent
! Important ! From any client that is seen via the Mirror port interface, open http://www.google.co.il one time (this is needed to determine the traffic flow).


After collecting the logs, enable the 3D Report in Smart Event.

And generate the Report.

Good luck!


7. Observing and troubleshooting performance


a. CPU
i. cpstat -f cpu os
ii. cpstat -f multi_cpu os
iii. top (press 1 to see all cores)
iv. cat /proc/interrupts

b. Memory
i. cpstat -f memory os
ii. fw ctl pstat
iii. cat /proc/meminfo

c. Network
i. netstat -ni
ii. ifconfig eth1 (=> look for dropped packets on the mirror port)
iii. netstat -s
iv. ethtool -S eth1
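Section 6c asks you to confirm that the monitor interface only receives packets, and the network checks above point at the dropped-packet counters of the mirror port. The shell functions below are an added example (not from the Check Point document) that scripts both checks from the kernel counters in /proc/net/dev, which is the same data ifconfig and netstat -ni display: a monitor-mode interface is reported unhealthy if it has transmitted anything, has received nothing, or shows RX drops. A saved copy of /proc/net/dev can be passed as the second argument for offline analysis; the interface name eth1 and the counter values in the comments are assumptions.

```shell
#!/bin/sh
# Added example (not from the Check Point document): health check of a
# monitor-mode interface from /proc/net/dev counters.

# iface_counters IFACE [FILE]: print "rx_packets rx_dropped tx_packets" for IFACE.
# FILE defaults to /proc/net/dev; a saved copy can be passed for offline analysis.
iface_counters() {
    iface=$1
    src=${2:-/proc/net/dev}
    # Lines look like "  eth1: rx_bytes rx_packets rx_errs rx_drop ... tx_bytes tx_packets ..."
    # and the colon may be glued to the first counter, so turn it into a separator.
    sed 's/:/ /' "$src" | awk -v i="$iface" '$1 == i { print $3, $5, $11 }'
}

# check_monitor_iface IFACE [FILE]: return 0 when the interface looks like a
# healthy monitor port (receiving, not transmitting, no RX drops), 1 when it
# transmits, receives nothing or drops packets, 2 when it is not present.
check_monitor_iface() {
    iface=$1
    src=${2:-/proc/net/dev}
    counters=$(iface_counters "$iface" "$src")
    if [ -z "$counters" ]; then
        echo "$iface: not found in $src" >&2
        return 2
    fi
    set -- $counters
    rx_pkts=$1; rx_drop=$2; tx_pkts=$3
    status=0
    # share of received frames that the kernel dropped (e.g. eth1 with 1234567 rx / 42 dropped -> 0.00%)
    drop_pct=$(awk -v d="$rx_drop" -v p="$rx_pkts" \
        'BEGIN { t = d + p; pct = 0; if (t > 0) pct = 100 * d / t; printf "%.2f", pct }')
    echo "$iface: rx_packets=$rx_pkts rx_dropped=$rx_drop (${drop_pct}%) tx_packets=$tx_pkts"
    if [ "$rx_pkts" -eq 0 ]; then
        echo "$iface: no traffic received; check the SPAN/mirror session on the switch" >&2
        status=1
    fi
    if [ "$tx_pkts" -gt 0 ]; then
        echo "$iface: interface is transmitting; a monitor-mode interface should only receive" >&2
        status=1
    fi
    if [ "$rx_drop" -gt 0 ]; then
        echo "$iface: RX drops present; the mirror port or the gateway may be oversubscribed" >&2
        status=1
    fi
    return $status
}

# Run directly as: sh check_monitor_iface.sh eth1 [/path/to/saved/proc-net-dev]
if [ "$#" -ge 1 ]; then
    check_monitor_iface "$@"
fi
```

Run it twice a minute apart while the customer's traffic is flowing: counters that keep growing on rx_dropped point at oversubscription of the SPAN port (see the TX/RX split in section 5), while a non-zero tx_packets on an interface that should be in monitor mode usually means the interface was never switched to monitor mode or is still carrying management traffic.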

d. Cores
i. fw ctl multik stat


8. Fine tuning performance


a. Reducing CPU Utilization
1. Tweak some settings in GuiDBedit (<SmartConsole installation directory>\PROGRAM\GuiDBedit.exe). For each of the following attributes, search for all occurrences of the attribute in the DB (there might be more than one; use the Find Next option) and change them to the specified value:

   Attribute                                          Value
   fw_trust_suspicious_rst                            true
   fw_trust_suspicious_estab                          true
   fw_rst_expired_conn                                false
   log_local_inf_addr_spoofing (Relevant in R75.40)   none

   Save and close GuiDBedit.

2. Turn off Sequence Verifier in IPS: In SmartDashboard: IPS > Protections > By Protocol > IPS Software Blade > Network Security > TCP > Sequence Verifier. Make the protection inactive for all profiles.
3. Disable Out of State Protections:
   1. In SmartDashboard: Policy > Global Properties > Stateful Inspection
   2. Uncheck Drop out of state TCP packets
   3. Uncheck Drop out of state ICMP packets

4. Install Policy


b. Reducing Logs (Relevant for R75.40 and above)


Reducing excessive streaming engine logs
1. Edit $FWDIR/modules/fwkern.conf (create it if it doesn't exist) and add the following line:
   fwpslglue_seg_limit_enforce=0
2. Reboot the Security Gateway

Eliminating Local Interface Address Spoofing messages
In GuiDBedit, set log_local_inf_addr_spoofing to none, then push policy.

c. Reducing Memory Consumption


To be used only in case of high memory consumption.

Reducing streaming engine windows to 256 KB
1. Edit $FWDIR/modules/fwkern.conf (create it if it doesn't exist) and add the following line:
   psl_max_dynamic_window=262144
2. Reboot the Security Gateway
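Sections 3d, 8b and 8c each add a line to $FWDIR/modules/fwkern.conf. Doing that by hand on a gateway that has been tuned before easily leaves the same key twice with different values, so the following shell helpers are an added example (not from the Check Point document) that create the file if needed and replace an existing KEY= line instead of appending a duplicate. apply_3d_report_tuning groups the four settings the document names; the 256 KB streaming window is only written when "reduce_memory" is passed, because the document reserves it for gateways with high memory consumption. The file path argument is an assumption used for testing outside a gateway; on the gateway itself FWDIR is set in the expert shell, and as the document says, the values take effect after a reboot.

```shell
#!/bin/sh
# Added example (not from the Check Point document): idempotent editing of
# key=value settings in $FWDIR/modules/fwkern.conf.

# set_kern_param FILE KEY VALUE: create FILE if needed, then add or update KEY=VALUE
set_kern_param() {
    file=$1; key=$2; value=$3
    [ -f "$file" ] || : > "$file"
    if grep -q "^${key}=" "$file"; then
        # rewrite through a temp file so a half-written config never replaces the original
        tmp="${file}.tmp.$$"
        sed "s|^${key}=.*|${key}=${value}|" "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_kern_param FILE KEY: print the current value of KEY, or nothing if unset
get_kern_param() {
    [ -f "$1" ] || return 0
    sed -n "s|^${2}=||p" "$1" | tail -n 1
}

# apply_3d_report_tuning [FILE] [reduce_memory]: the fwkern.conf settings from
# the document (sections 3d, 8b and, only on request, 8c)
apply_3d_report_tuning() {
    conf=$1
    if [ -z "$conf" ]; then
        conf="${FWDIR:?FWDIR is not set; run this from the expert shell}/modules/fwkern.conf"
    fi
    set_kern_param "$conf" psl_tap_enable 1               # PSL tap mode (section 3d)
    set_kern_param "$conf" fw_tap_enable 1
    set_kern_param "$conf" fwpslglue_seg_limit_enforce 0  # fewer streaming engine logs (8b)
    if [ "${2:-}" = "reduce_memory" ]; then
        set_kern_param "$conf" psl_max_dynamic_window 262144  # 256 KB window (8c)
    fi
    echo "updated $conf; the settings take effect after the Security Gateway is rebooted"
}

# Run directly as: sh fwkern_tuning.sh [/path/to/fwkern.conf] [reduce_memory]
if [ "$#" -ge 1 ]; then
    apply_3d_report_tuning "$@"
fi
```

After a reboot, get_kern_param on each key is a quick way to document which tuning a PoC gateway is running when the report is handed over.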

