TechTalk:
New MITRE ATT&CK Extension
May The Fourth
CloudMates Live Show
CheckMates Go
Cyber Security Podcast
Check Point Named in Gartner Market
Guide for Mobile Threat Defense 2021
End of Support Policy Update
For R80.10 Release
Eu gostaria de compartilhar com todos uma melhoria no script para apagar um conexão na tabela automaticamente.
A ideia do ajuste veio a partir do post abaixo.
Créditos para o post Original:https://community.checkpoint.com/t5/Enterprise-Appliances-and-Gaia/How-to-manually-delete-an-entry-f...
O script coleta e converte os ips específicos e faz a limpeza na tabela de conexão, pode ser utilizado em todas as versões R80.X
(esse post foi criado também no CheckMates em Inglês)
- Crie um arquivo com o conteúdo abaixo (ex:del_conn.sh)
#!/bin/bash
logfile="$0.log"
help() {
echo -e "Drop connection from table\n"
echo -e "Usage: "
echo -e "\t $0 <Source> <Destination>"
echo -e "e.g."
echo -e "\t $0 10.10.10.10 20.20.20.20"
echo -e ""
}
main() {
if [[ $# -ne 2 ]]; then
help
exit
fi
IPA=$1
IPB=$2
echo "Are you sure to delete connections on IP $1 and $2? [y/N]"
read confirm2
if [ "$confirm2" != "y" -a "$confirm2" != "Y" ]
then
echo "Aborted by user!!!!"
exit
fi
IPAHEX=`printf '%02x' ${IPA//./ }`;
IPBHEX=`printf '%02x' ${IPB//./ }`;
echo "Parameters: Source: $IPA ($IPAHEX) | Destination: $IPB ($IPBHEX)"
OIFS=IFS
IFS=$'\n'
count=0
echo "Querying table connection"
for li in `fw tab -t connections -u | grep "$IPAHEX" | grep "$IPBHEX" | grep "^<0000000"`; do
count=$((count+1))
echo "Record match: $li"
for cmd in `echo "$li" | awk '{print $1" "$2" "$3" "$4" "$5" "$6}' |sed 's/ //g' |sed 's/<//g' |sed 's/>//g' |sed 's/;//g'`; do
echo "Running: fw tab -t connections -x -e $cmd"
eval "fw tab -t connections -x -e $cmd"
echo "Result: $?"
done
done
IFS=OIFS
echo "Founded: $count record(s)"
}
main $1 $2 | tee -a $logfile
-------------------
Ajuste o arquivo para execução:
- dos2unix del_conn.sh
- chmod +x del_conn.sh
- Teste script conforme o exemplo abaixo:
Usage:
./del_conn.sh <Source> <Destination>
e.g.
./del_conn.sh 10.10.10.10 20.20.20.20
[Expert@FW2_R8040:0]# ./del_conn.sh 10.10.10.125 8.8.8.8
Are you sure to delete connections on IP 10.10.10.125 and 8.8.8.8? [y/N]
y
Parameters: Source: 10.10.10.125 (0a0a0a7d) | Destination: 8.8.8.8 (08080808)
Querying table connection
Record match: <00000001, 08080808, 00000000, 0a0a0a7d, 00005871, 00000001> -> <00000000, 0a0a0a7d, 00005871, 08080808, 00000000, 00000001> (00000805)
Running: fw tab -t connections -x -e 00000001,08080808,00000000,0a0a0a7d,00005871,00000001
Entry <00000001, 08080808, 00000000, 0a0a0a7d, 00005871, 00000001>
deleted from table connections
Result: 0
Record match: <00000001, 0a0a0a7d, 00005871, 08080808, 00000000, 00000001> -> <00000000, 0a0a0a7d, 00005871, 08080808, 00000000, 00000001> (00000802)
Running: fw tab -t connections -x -e 00000001,0a0a0a7d,00005871,08080808,00000000,00000001
<00000001, 0a0a0a7d, 00005871, 08080808, 00000000, 00000001> not found in table connections
Result: 0
Record match: <00000000, 0a0a0a7d, 00005871, 08080808, 00000000, 00000001; 00010001, 40006080, 00000000, 00000176, 00000000, 5f7f12a1, 00000000, c9b5574b, e911ea8e, 00000002, 00000002, 00000001, 00000001, 00000000, 00000000, 80000080, 00000000, 00000000, 956bc748, 00007f91, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, df1f9800, 00000000, 00000000, 00000000, 00000000, 00000000; 7/30>
Running: fw tab -t connections -x -e 00000000,0a0a0a7d,00005871,08080808,00000000,00000001
<00000000, 0a0a0a7d, 00005871, 08080808, 00000000, 00000001> not found in table connections
Result: 0
Record match: <00000000, 08080808, 00000000, c0a80284, 0000a989, 00000001> -> <00000000, 0a0a0a7d, 00005871, 08080808, 00000000, 00000001> (00000806)
Running: fw tab -t connections -x -e 00000000,08080808,00000000,c0a80284,0000a989,00000001
<00000000, 08080808, 00000000, c0a80284, 0000a989, 00000001> not found in table connections
Result: 0
Founded: 4 record(s)
[Expert@FW2_R8040:0]#
About CheckMates
Learn Check Point
Advanced Learning
WELCOME TO THE FUTURE OF CYBER SECURITY