Re: One-liner for Address Spoofing Troubleshooting - Page 2

Danny · ‎2018-06-21

🏆 Code Hub Contribution of the Year 2019!
📌 Available as SmartConsole Extension.
👍 Endorsed by Check Point Support!

One-liner (Bash) to show a summary about each gateway interfaces' calculated topology and address spoofing setting.
In expert mode run:

echo; tput bold; if [[ `$CPDIR/bin/cpprod_util FwIsFirewallModule 2>/dev/null` != *'1'* ]]; then echo ' Not a firewall gateway!'; tput sgr0; echo; elif [[ `grep $(grep $(hostname) /etc/hosts | cut -f1 -d' ') $FWDIR/state/local/FW1/local.set | wc -l` == "0" ]] && [[ $INSTANCE_VSID == '0' ]]; then echo ' Main IP of '$(hostname)' doesn`t match it`s management interface IP!'; tput sgr0; echo; else echo -n ' Interface Topology '; tput sgr0; echo -n '> '; tput bold; tput setaf 1; if [[ -n "$vsname" ]] && [[ $vsname != *'unavail'* ]]; then echo $vsname' (ID: '$INSTANCE_VSID')'; else hostname; fi; tput sgr0; echo -n ' '; printf '%.s-' {1..80}; echo; egrep -B1 $'ifindex|:ipaddr|\(\x22<[0-9]|objtype|has_addr_info|:monitor_only|:external' $FWDIR/state/local/FW1/local.set | sed -n "/$(if [[ -n "$vsname" ]] && [[ $vsname != *'unavail'* ]] && [[ $INSTANCE_VSID != '0' ]]; then echo $vsname; else grep `hostname` /etc/hosts | cut -f1 -d' '; fi)*$/,\$ p" | tail -n +3 | sed 's/[\x22\t()<>]//g' | sed 's/--//g' | sed '$!N;s/\n:ipaddr6/ IPv6/;P;D' | sed '/IPv6/!s/://g' | sed 's/interface_topology/\tCalculated Interface Topology/g' | sed '0,/ifindex 0/{/ifindex 0/d;}' | sed '/ifindex 0/q' | sed '/spoof\|scan/d' | sed 's/has_addr_info true/\tAddress Spoofing Protection: Enabled/g' | sed 's/has_addr_info false/\tAddress Spoofing Protection: Disabled/g' | sed -e '/Prot/{n;d}' | sed '$!N;s/\nmonitor_only true/ (Detect Mode)/;P;D' | sed '$!N;s/\nmonitor_only false/ (Prevent Mode)/;P;D' | sed '$!N;s/\nexternal false/ - Internal Interface/;P;D' | sed '$!N;s/\nexternal true/ - External Interface/;P;D' | sed '/objtype/q' | tac | sed '/ifindex 0/I,+2 d' | sed '/Address/,$!d' | tac | sed '/ifindex/d' | sed 's/,/ -/g' | sed '$!N;s/\nipaddr/ >/;P;D' | sed '/ - /s/^ /\t/' | egrep -C 9999 --color=auto $'>|IPv6|External|Disabled|Detect'; echo; fi

The One-liner is IPv4 and IPv6 compatible, works on clustered and single gateway environments also within VSX, shows all interface types configured in your firewall object within SmartDashboad, colors specific words of the output for easier identification of important settings, adds additional information regarding Address Spoofing setting and mode as well as the topology type of each interface and is of course completely integrated within our ccc script.

Thanks to Tim Hall's preliminary work in this thread.
Thanks to Norbert Bohusch for IPv6 support and testing.
Thanks to Kaspars Zibarts, Bob Zimmerman, Jan Kleinhans for VSX support and testing.
Thanks to Anthony Joubaire for support and testing multiple installation targets.

-- More one-liners --

One-liner to show VPN topology on gateways
One-liner for Remote Access VPN Statistics
One-liner to show Geo Policy on gateways
FW Monitor SuperTool

Danny · ‎2019-08-09

I see. I added the quotes your mentioned plus a check to verify that $vsname is not empty.

[[ ! -z '$vsname' ]]

Bob_Zimmerman · ‎2019-08-09

These are both actually the same test:

[[ -n '$vsname' ]] && [[ ! -z '$vsname' ]]

Only one should be needed. Either should be true in case of VSX with $vsname set.

Either should also be false in case of non-VSX or my apparently-weird VSX boxes. I will have to dig into bash startup some time to figure out what my system is doing differently.

Deeper in the script, there appears to be another problem which I don't yet have a good idea how to solve. After the modifications to the tests, I'm able to get the expected output on one cluster member, but the other outputs the data for both members. That seems suboptimal, and it's what I was researching just before I posted to the other thread and had to work on other tasks.

The problem is the schema for the local.set file is private, so Check Point could change the ordering of the key(value) pairs within a given nesting level at any time. Or the process which generates the file could just spit them out differently due to a race. The obvious solution would be to work based on the nesting level, but like I said in the other thread, my awk-fu is weak. I'm not sure how to end the pattern space after the second closing parenthesis alone on a line.

Danny · ‎2019-08-10

Thanks for testing. I remove the obsolete check and I'm glad that it works now for you.

As for the output of both cluster members on your other cluster node, the One-liner already tries to avoid that by deleting all ifindex entries from local.set except the one of the current system. To further optimize the check please send me the relevant local.set privately, so I can have a look.

Bob_Zimmerman · ‎2019-08-12

More weirdness. Turns out $vsname needs to be in quotes in the test. Apostrophes aren't enough:

if [[ -n "$vsname" ]] && [[ $vsname != *'unavail'* ]]

Not sure if the second test should also be quotes.

I should be able to send the relevant chunks of the local.set soon.

Danny · ‎2019-08-14

Thanks, code was improved.

Bob_Zimmerman · ‎2019-08-14

I can confirm the current version definitely works on my all-the-edge-cases R77.30 firewall. It also works for the current VS on my VSX R77.30 and VSX R80.10 firewalls.

Sven_Glock · ‎2019-08-21

Thanks for this cool one-liner, Danny!

I found one gateway where the script is not running:

It is a non-vsx gateway running R80.10 JHF 203.

All the output I get is:

Interface Topology > firewall
--------------------------------------------------------------------------------

I hope I will find some time for investigation...

Cheers

Sven

Hadi · ‎2019-08-14

Thanks Danny, Could you please post final revision?

Danny · ‎2019-08-21

@Hadi , you can always find the latest revision of my one-liner in my initial post of this thread.

Bob_Zimmerman · ‎2019-08-26

Ran into a bizarre issue. It seems in some environments, the main IP in the firewall object and the IP listed in the hosts file can be different. The IP in the hosts file aligns with the IP on the interface fed to

set management interface <interfaceName>

Meanwhile, the main IP can be any address. Technically, it doesn't even have to be an address the firewall has on an interface (though it's a really bad idea to use a main IP it doesn't own).

The script gets the anti spoofing configuration from the file local.set, which lists it under the main IP of the firewall object. Thus, the script as it is will fail in such environments. This is probably expected behavior. If you have this situation on your firewalls, you can work around it by replacing

$(if [[ -n "$vsname" ]] && [[ $vsname != *'unavail'* ]] && [[ $INSTANCE_VSID != '0' ]]; then echo $vsname; else grep `hostname` /etc/hosts | cut -f1 -d' '; fi)

with what you have set as the firewall's main IP. It will then work only on that firewall.

This is a workaround for administrative misconfiguration.

Sven_Glock · ‎2019-08-29

I have trouble with the same part of the oneliner, but your solution is not working for me. I will try to investigate...

Danny · ‎2019-08-31

Thanks @Bob_Zimmerman ,

I just added an error message for these situations to the one-liner.

David_Kozinn · ‎2019-10-10

Congratulations to @Danny on winning the award for this. I saw this mentioned in the Checkpoints email and tried it out. On the couple of VSX boxes I've used this on, I get "Main IP of myboxname-ch01-01 doesn`t match it`s management interface IP!". I spent a couple of minutes looking at the script to see what it's trying to check for but it wasn't obvious (to me). Could some kind soul let me know what the likely issue is so that I can investigate? Thanks.

Danny · ‎2019-10-10

HI @David_Kozinn ,

the main IP of your VS gateways is shown in SmartConsole under Gateways and Servers.

This should be the same IP that is configured within /etc/hosts for the specific VS. In your case this doesn't seem to match.

Paul_Warnagiris · ‎2020-04-21

Danny, I ran the one-liner for anti-spoofing and the only output that came back was

Interface Topology > Xxx-FW01

Any thoughts on why this may be? This was on a small client, maybe 100 users, 200 servers and 10 interfaces. I do have a much bigger client that is a mess and this script would come in handy.

Thanks,
Paul

Danny · ‎2020-04-21

My guess is you are using R80.40.

Paul_Warnagiris · ‎2020-04-21

Should have put that in my post. Sorry. Not 80.40. 80.10 JHF272.

Danny · ‎2020-04-21

PM me the hostname and $FWDIR/state/local/FW1/local.set file and I‘ll have a look.

Paul_Warnagiris · ‎2020-04-21

Amazingly good stuff. Thank you Danny! As we discussed on our PM I did not have the host name setup correctly in the "hosts and dns" tree branch of the Gaia OS. I used to do that religiously, but as the years went by it didn't seem to matter. I guess with everything getting back to scripting it matters again. Thank you for your help.

Paul