This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
LazarusG
Contributor
Contributor
‎2023-10-04 07:29 AM
Jump to solution

methodology for troubleshooting vsx on maestro traffic flows

Hi

We have customers that have had VSX on Maestro deployed by CP PS and they are starting to come to us to assist with troubleshooting traffic flows.

Im trying to come up with a methodology for this because some of the gclish comands dont seem to take vsx into account.

Ideally I would run tcpdump/fw monitor or cppcap to a file and then take it offline to analyze in wireshark, but its proving problematic.

Im struggling to understand what commands work and in which shell.

At the moment my approach is;

1) 'asg search srcip dstip' to find connection owner, I can run this inside VS shell

2) m x_y to move to the owning member SGM - I can run this inside VS shell but it dumps me to GCLISH

3) expert mode then VSENV X to move to the desired VS

Then I can run cppcap or tcpdump as needed on console output.

I can write to a file in /tmp but the tcpdump -read -r doesnt seem to work

The tcpdump -mcap doesnt seem to work inside VSX shell, and outside of it it doesnt take VSX shell into account

Also, I note from this thread that getting the files off the SGMs with WINSCP is more painful for maestro;

https://community.checkpoint.com/t5/Maestro/WinSCP-access-to-individual-members-of-security-group/m-...

So is there a suggested workflow for approaching this type of activity?

How do the VS shell and clish shells interoperate?

What is the value of running global captures on all SGMS - is this only to look at the correction layer?

Is there a problem with focussing on the connection owner only?

And finally, cppcap doesnt seem to work with the g_all prefix or global clish shell, is it not an appropriate tool for Maestro?

Thanks

 

 

0 Kudos
1 Solution

Accepted Solutions
Lari_Luoma
Ambassador Ambassador
Ambassador
‎2023-10-06 07:34 PM
Jump to solution

Your approach of using asg search and then going to the owner of the connection is fine. You can also use g_tcpdump, but that's more performance intensive and like you mentioned there is not much benefit of using it other than troubleshooting possible correction.

cppcap does not work in global mode (with g_ commands). That's a known limitation.

Remember that each virtual system is active on every SGM. In order to capture traffic on a specific VS you will need to switch to VS context either with vsenv (in expert mode) or set virtual system in gclish. Most commands are vs aware and work in VS context.

You also referred to another thread about accessing each SGM individually. This is not possible in current software versions. However, in dual site you can access each site by using UIPC (Unique IP-address per chassis). Limitation with this technique is that the IPs you use must be from the same management IP-space as the management address.

Are you familiar with asg_cp2blades-command? You can use it to copy files to all SGMs, so even Winscp copies the files to the SMO only, you can still copy them quickly to all other SGMs (or only to the SGMs you want) by using asg_cp2blades.

View solution in original post

(1)
2 Replies
Lari_Luoma
Ambassador Ambassador
Ambassador
‎2023-10-06 07:34 PM
Jump to solution

Your approach of using asg search and then going to the owner of the connection is fine. You can also use g_tcpdump, but that's more performance intensive and like you mentioned there is not much benefit of using it other than troubleshooting possible correction.

cppcap does not work in global mode (with g_ commands). That's a known limitation.

Remember that each virtual system is active on every SGM. In order to capture traffic on a specific VS you will need to switch to VS context either with vsenv (in expert mode) or set virtual system in gclish. Most commands are vs aware and work in VS context.

You also referred to another thread about accessing each SGM individually. This is not possible in current software versions. However, in dual site you can access each site by using UIPC (Unique IP-address per chassis). Limitation with this technique is that the IPs you use must be from the same management IP-space as the management address.

Are you familiar with asg_cp2blades-command? You can use it to copy files to all SGMs, so even Winscp copies the files to the SMO only, you can still copy them quickly to all other SGMs (or only to the SGMs you want) by using asg_cp2blades.

(1)
LazarusG
Contributor
Contributor
‎2023-10-09 01:28 AM
In response to Lari_Luoma
Jump to solution

Thank you so much for the response, It is greatly appreciated.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
 
Upcoming Maestro Events

    CheckMates Events