Info Security Memo
Info Security Notes

Troubleshooting Java HTTPS Security Warning Message

3/27/2015

One of our internal websites always shows a security warning when accessed over HTTPS with Internet Explorer, but the same message does not appear in Google Chrome.

Symptoms:

As the following screenshot shows, a pop-up window asks "Do you want to Continue? The connection to this website is untrusted".
Click the More Information link:
The warning message describes the risk:
"This application will run with unrestricted access which may put your computer and personal information at risk. The information provided is unreliable or unknown so it is recommended not to run this application unless you are familiar with its source.
Unable to ensure the certificate used to identify this application has not been revoked.
The digital signature for this application was generated with a certificate from a trusted certificate authority, but we are unable to ensure that it was not revoked by that authority."
Let's drill down again to view the certificate details:
From the certificate chain, we can see the local certificate was issued by Verisign G4, and the Verisign G4 certificate was issued by Verisign G5 (expiry date Jul 16 2036).

I was able to find this G5 certificate via the Certificates button on IE's Content tab:


Interestingly, when I use Google Chrome there is no warning at all. I did, however, notice one interesting thing about the Google Chrome connection:

The connection to this website uses TLS 1.0, which Chrome flags as obsolete cryptography.


Solutions:

From the More Information screenshot of the warning message, we can tell it comes from Java, since at the bottom it suggests visiting Java.com for more details. It also says that the certificate could not be checked for revocation. So this warning message must relate to Java's TLS certificate revocation settings.


I went back to the Java Control Panel and found a setting for "TLS Certificate Revocation". After changing it to "Do not check", the warning message went away.

Another solution is to change the server side to use SSL only. I will keep posting once I get more information regarding this Java security warning message issue. If you have any better idea why Google Chrome was always fine before any change, please let me know. Appreciated.

Vulnerability Mitigation - Plaintext Management Interfaces Accessible On Cisco Device

3/23/2015

Recently, during a Qualys external scan, a couple of vulnerabilities were found relating to plaintext management interfaces. That is because Telnet ports 2002 and 9002 were open to the Internet.

This was mentioned in my previous post. This post just adds more information about the vulnerability details and how external scanning tools report this vulnerability.

Issues:

In the Qualys PCI scanning report, the vulnerability details are listed as follows:
Plaintext Management Interfaces Accessible On Cisco Device port 2002/tcp
PCI COMPLIANCE STATUS
PCI Severity: MED
FAIL
VULNERABILITY DETAILS
CVSS Base Score: 4 AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSS Temporal Score: 3.6 E:F/RL:W/RC:C
Severity: 3
QID: 38250
Category: General remote services
CVE ID: -
Vendor Reference: -
Bugtraq ID: -
Last Update: 10/31/2012
THREAT:
The target is determined to be a Cisco device, which uses protocols such as HTTP, TELNET, rlogin, FTP, and SNMP for configuration management.
These services can be accessed and are an invitation for malicious users to break in.
The port string mentioned with this vulnerability should identify the service in question.
IMPACT:
Malicious users can exploit this vulnerability to deploy a range of known attacks against accessible services. Brute force attacks such as password
guessing and Denial Of Service are also possible.
SOLUTION:
Consider taking the following precautionary measures:
Disable services that are not needed.
Consider putting access controls on these services. Access controls can be put together using the features in the device (if available) or using an
external firewall.
Do not use default passwords and replace them with hard to guess passwords. Change passwords frequently.
RESULT:
Service name: TELNET(Cisco) on TCP port 2002.

Plaintext Management Interfaces Accessible On Cisco Device port 9002/tcp
PCI COMPLIANCE STATUS
PCI Severity: MED
FAIL
VULNERABILITY DETAILS
CVSS Base Score: 4 AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSS Temporal Score: 3.6 E:F/RL:W/RC:C
Severity: 3
QID: 38250
Category: General remote services
CVE ID: -
Vendor Reference: -
Bugtraq ID: -
Last Update: 10/31/2012
THREAT:
The target is determined to be a Cisco device, which uses protocols such as HTTP, TELNET, rlogin, FTP, and SNMP for configuration management.
These services can be accessed and are an invitation for malicious users to break in.
The port string mentioned with this vulnerability should identify the service in question.
IMPACT:
Malicious users can exploit this vulnerability to deploy a range of known attacks against accessible services. Brute force attacks such as password
guessing and Denial Of Service are also possible.
SOLUTION:
Consider taking the following precautionary measures:
Disable services that are not needed.
Consider putting access controls on these services. Access controls can be put together using the features in the device (if available) or using an
external firewall.
Do not use default passwords and replace them with hard to guess passwords. Change passwords frequently.
RESULT:
Service name: TELNET(Cisco) on TCP port 9002.

Screenshots:




R1#show control-plane host open-ports
Active internet connections (servers and established)
Prot               Local Address             Foreign Address                  Service    State
 tcp                        *:22                         *:0               SSH-Server   LISTEN
 tcp                        *:23                         *:0                   Telnet   LISTEN
 tcp                      *:2002          88.198.46.51:58719            TCP Protocols ESTABLIS
 udp                       *:123                         *:0                      NTP   LISTEN
 udp                      *:4500                         *:0                   ISAKMP   LISTEN
 udp                       *:161                         *:0                  IP SNMP   LISTEN
 udp                       *:162                         *:0                  IP SNMP   LISTEN
 udp                      *:1975                         *:0                      IPC   LISTEN
 udp                     *:57430                         *:0                  IP SNMP   LISTEN
 udp                       *:500                         *:0                   ISAKMP   LISTEN

Root Cause: 

Based on my search, line 2 is used for communication between the router and the Embedded Service Engine on Cisco ISR G2 routers.
The article from itcertnotes provides two solutions:
  1. Completely disable line 2 access
  2. Put an access list on line 2 for IPv4 and IPv6.


Solution: 

Since the Embedded Service Engine is not used much, there is no need to configure an IP address and an access-list to restrict access. The simplest solution is to completely disable access to line 2:
line 2 
transport input none
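
As an added example (not from the post, the scanner, or Cisco), the Python below parses the `show control-plane host open-ports` output above, flags the sockets an external scanner reports as plaintext management interfaces, and maps each finding to the IOS fix. The sample output is constructed from the router output above, with 192.0.2.10 standing in for the real outside address; the VTY fix for port 23 is an assumed standard IOS setting, not one the post applied.

```python
import re

# Constructed sample of `show control-plane host open-ports` output, modelled on the
# router output above. 192.0.2.10 is a documentation address standing in for the
# real outside host that had the Telnet session open.
SAMPLE_OPEN_PORTS = """\
Active internet connections (servers and established)
Prot               Local Address             Foreign Address                  Service    State
 tcp                        *:22                         *:0               SSH-Server   LISTEN
 tcp                        *:23                         *:0                   Telnet   LISTEN
 tcp                      *:2002          192.0.2.10:58719            TCP Protocols ESTABLIS
 udp                       *:123                         *:0                      NTP   LISTEN
 udp                       *:161                         *:0                  IP SNMP   LISTEN
"""

# TCP ports Qualys QID 38250 reported here (2002, 9002) plus the other ports named in
# the reference at the end of this post; 23 is the ordinary VTY Telnet listener.
PLAINTEXT_MGMT_TCP_PORTS = {23, 2002, 4002, 6002, 9002}

ROW_RE = re.compile(
    r"^\s*(?P<proto>tcp|udp)\s+(?P<local>\S+)\s+(?P<foreign>\S+)\s+"
    r"(?P<service>.+?)\s+(?P<state>LISTEN|ESTABLIS\S*)\s*$"
)


def parse_open_ports(output: str) -> list:
    """Turn the table rows of `show control-plane host open-ports` into dicts."""
    rows = []
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # title and header lines
        _, _, port = m.group("local").rpartition(":")
        rows.append({
            "proto": m.group("proto"),
            "local_port": int(port),
            "foreign": m.group("foreign"),
            "service": m.group("service").strip(),
            "established": m.group("state").startswith("ESTABLIS"),
        })
    return rows


def find_plaintext_mgmt(rows: list) -> list:
    """Return the rows an external scanner would flag as plaintext management
    interfaces: TCP sockets on the ports above. An ESTABLISHED row means a host
    outside is already connected, which is the situation in the router output above."""
    return [r for r in rows
            if r["proto"] == "tcp" and r["local_port"] in PLAINTEXT_MGMT_TCP_PORTS]


def remediation(port: int) -> str:
    """IOS commands that close a finding. Port 2002 is the fix used in this post
    (async line 2, the Embedded Service Engine); the VTY fix for port 23 is the
    standard IOS 'ssh only' setting and is an assumption here, not from the post."""
    if port == 2002:
        return "line 2\n transport input none"
    if port == 23:
        return "line vty 0 4\n transport input ssh"
    return "! port %d: find the owning line with 'show line' and set transport input none" % port


if __name__ == "__main__":
    for finding in find_plaintext_mgmt(parse_open_ports(SAMPLE_OPEN_PORTS)):
        state = "ESTABLISHED from %s" % finding["foreign"] if finding["established"] else "LISTEN"
        print("tcp/%d %s (%s)" % (finding["local_port"], finding["service"], state))
        print(remediation(finding["local_port"]))
```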

Reference:


  • Close Cisco IOS TCP Ports 23, 2002, 4002, 6002, and 9002 from Network Ports Scanning  


Free Forticloud Service for FortiGate and FortiWiFi

3/20/2015

FortiCloud is a cloud-based service for FortiGate and FortiWiFi products from Fortinet. It is free of charge for up to 1GB of data storage. I found it quite interesting, especially the remote access feature, when I tried it. As long as your FortiCloud-managed products have Internet access, you can remotely access them.

Here are some FortiCloud highlights from its web page:
  1. Low touch device provisioning - Get your security and wireless infrastructure up and running quickly by centrally bootstrapping devices
  2. Centralized configuration management - Change device settings across multiple devices instantly with profile-based templates
  3. Traffic and application visibility - Oversee network utilization by leveraging built-in dashboards and FortiView's drill-down capabilities
  4. Secure, hosted log retention - Minimize IT costs by storing log data in the cloud
  5. Cloud-based APT sandboxing - Leverage threat research from FortiGuard to prevent the latest zero-day attacks from affecting your network
  6. Rogue AP detection - Prevent attackers from circumventing your wireless network with the introduction of rogue APs
  7. Custom and preconfigured reporting - Proactively optimize and secure your network by leveraging reporting insights to maintain an optimized security posture

This is the FortiCloud main page:
It is completely free to use; you can register an account even without owning a Fortinet product. To register your products with FortiCloud, activate the FortiCloud service from your device's management page.

After activation, you can see the products on the FortiCloud page, as in the screenshot below. There are two FortiGate 30D products managed by this FortiCloud account, both running FortiOS 5.2.2, with 1GB of free storage space. If your business needs more for your devices, you can subscribe from the home page.

There are Dashboard, FortiView, Drilldown, Reports and Management tabs in the FortiCloud.
  • Dashboard tab page:


  • FortiView tab page:


  • Drilldown tab page:


The most useful one is the Remote Access feature under the Management tab. You can log into your device's HTTPS web management page remotely through FortiCloud. It does not require any special configuration on your upstream router / firewall; as long as your device has Internet access, it can be reached through FortiCloud.
The screenshot below is the FortiGate 30D HTTPS management page. It pops up after you click the Remote Access link under the Management tab.
After logging in you will see the FortiGate 30D management page, just as you would from the internal network. Your upstream router / firewall does not need to open HTTPS/HTTP/SSH access to your device's public WAN IP address.


There is a small trick here. After upgrading FortiOS to version 5.2.2, this function breaks: the device's management login page does not show up, only a blank page in a pop-up window. To make it work, the following configuration has to be applied on your device first. Basically, FortiCloud does not handle the newer HTTPS SSL/TLS version settings well, while FortiOS 5.2.2 has by default already been locked down in response to the POODLE / Heartbleed vulnerabilities. The solution is simple: add support for TLS v1.0, 1.1 and 1.2 back to the FortiGate device, and everything should work as expected.

config system global
set admin-https-ssl-versions tlsv1-0 tlsv1-1 tlsv1-2
end

FGT30D (global) # show
config system global
    set admin-https-ssl-versions tlsv1-0 tlsv1-1 tlsv1-2
    set fgd-alert-subscription advisory latest-threat
    set gui-dlp enable
    set gui-ips enable
    set gui-spamfilter enable
    set hostname "FGT30D"
    set timezone 12
end
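
The workaround above re-enables TLS 1.0 and 1.1 on the admin GUI, so it is worth being able to spot that setting later. As an added example (not from the post or from Fortinet), the Python below parses a `config system global` block like the one above, lists the weak versions enabled for admin HTTPS, and produces the `set` line with only the strong versions for when FortiCloud no longer needs the old ones. The sample config is constructed from the FGT30D output above; the weak-version baseline is an assumption of the check.

```python
# Constructed excerpt of the `show` output under `config system global`, modelled on
# the FGT30D output above, with only the keys relevant to this check kept.
SAMPLE_GLOBAL = """\
config system global
    set admin-https-ssl-versions tlsv1-0 tlsv1-1 tlsv1-2
    set hostname "FGT30D"
    set timezone 12
end
"""

# Versions treated as weak on the admin GUI. This is an assumed baseline for the
# check, not a Fortinet recommendation taken from the post.
WEAK_VERSIONS = {"sslv3", "tlsv1-0", "tlsv1-1"}


def parse_system_global(config: str) -> dict:
    """Map each `set` key inside `config system global` to its list of values."""
    settings, in_block = {}, False
    for raw in config.splitlines():
        line = raw.strip()
        if line == "config system global":
            in_block = True
        elif line == "end":
            in_block = False
        elif in_block and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            settings[key] = [v.strip('"') for v in value.split()]
    return settings


def weak_admin_tls(config: str) -> list:
    """Weak protocol versions currently enabled for admin HTTPS (empty = TLS 1.2 only)."""
    versions = parse_system_global(config).get("admin-https-ssl-versions", [])
    return [v for v in versions if v in WEAK_VERSIONS]


def hardened_admin_tls_line(config: str) -> str:
    """The same `set` line with the weak versions dropped, to put back once FortiCloud
    remote access no longer needs TLS 1.0/1.1."""
    versions = parse_system_global(config).get("admin-https-ssl-versions", [])
    return "set admin-https-ssl-versions " + " ".join(v for v in versions if v not in WEAK_VERSIONS)


if __name__ == "__main__":
    print("weak versions enabled:", weak_admin_tls(SAMPLE_GLOBAL))
    print("hardened line:", hardened_admin_tls_line(SAMPLE_GLOBAL))
```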

References:

  • FortiCloud v2.0 Frequently Asked Questions



Linux Service Configuration - NTP

3/16/2015

As a network engineer, you will work with NTP (Network Time Protocol) a lot for your network devices.

Wikipedia describes NTP as follows:
"The protocol is usually described in terms of a client-server model, but can as easily be used in peer-to-peer relationships where both peers consider the other to be a potential time source. Implementations send and receive timestamps using the User Datagram Protocol (UDP) on port number 123. They can also use broadcasting or multicasting, where clients passively listen to time updates after an initial round-trip calibrating exchange. NTP supplies a warning of any impending leap second adjustment, but no information about local time zones or daylight saving time is transmitted."
A local Linux NTP server on the network can be synchronized with a trusted time source to keep all of your internal NTP clients in sync with accurate time. For a Windows NTP server, please check my previous post: Build NTP Windows Server for Network Devices (not Win32Time)

1. Install NTP Server

a. Check your Linux release

[root@syslov1p ~]# cat /etc/redhat-release
CentOS release 6.6 (Final)

b. Install the ntp package

[root@syslov1p ~]# yum install ntp

Loaded plugins: fastestmirror
Setting up Install Process
Loading mirror speeds from cached hostfile
Package ntp-4.2.6p5-2.el6.centos.x86_64 already installed and latest version
Nothing to do

2. Modify /etc/ntp.conf

a. Add the trusted time server; in my case it is 10.9.1.1. The rest of the configuration can stay at its defaults.


b. Restart ntpd service

[root@syslov1p ~]# service ntpd restart
Shutting down ntpd: [  OK  ]
Starting ntpd: [  OK  ]
[root@syslov1p ~]# service ntpd stop
Shutting down ntpd: [  OK  ]
[root@syslov1p ~]# service ntpd start
Starting ntpd: [  OK  ]

c. You can also restrict the server to specific clients:

restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

d. Add the local clock as a backup:

server 127.127.1.0 # local clock
fudge 127.127.1.0 stratum 10

3. Verify NTP Status

a. Using the command ntpq -p:
[root@syslov1p ~]# ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*10.9.1.1     193.108.184.92   3 u   25   64  377    2.173    4.430   3.906

b. Manually synchronize the time:

[root@syslov1p ~]# ntpdate -u 10.9.1.1
16 Mar 20:38:58 ntpdate[2671]: adjust time server 10.9.1.1 offset -0.005387 sec

c. On your Linux NTP client, start the ntp client daemon and check the client status:

[root@syslov1p ~]# /etc/init.d/ntpd start
Starting ntpd:  
[root@syslov1p ~]# ntpdc -c sysinfo
system peer:          r-1-hsrp.mgmt.intern
system peer mode:     client
leap indicator:       00
stratum:              4
precision:            -19
root distance:        0.18851 s
root dispersion:      1.09599 s
reference ID:         [10.9.1.1]
reference time:       d8b1b105.8e2ff185  Mon, Mar 16 2015 20:44:05.555
system flags:         auth monitor ntp kernel stats
jitter:               0.000000 s
stability:            0.000 ppm
broadcastdelay:       0.000000 s
authdelay:            0.000000 s
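
The `ntpq -p` output in step 3a is the quickest way to tell whether this server is actually synchronised before pointing clients at it. As an added example (not from the post or from the ntp project), the Python below parses that output and summarises the sync state: it looks for the `*` system peer, decodes the octal `reach` register into missed polls, and checks stratum and offset. The sample output is constructed from the server output above with a second, unreachable peer (10.9.1.2, a made-up address) added to show the failure case; the offset threshold is an assumption.

```python
import re

# Constructed `ntpq -p` output modelled on the server output above, with an unreachable
# peer (10.9.1.2, made up) and the local clock from step 2d added.
SAMPLE_NTPQ = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*10.9.1.1     193.108.184.92   3 u   25   64  377    2.173    4.430   3.906
 10.9.1.2     .INIT.          16 u    -   64    0    0.000    0.000   0.000
 LOCAL(0)     .LOCL.          10 l   12   64  377    0.000    0.000   0.001
"""

# Meaning of the tally character in column one of ntpq -p.
TALLY = {"*": "system peer", "+": "candidate", "-": "outlier", "x": "falseticker",
         "#": "backup", ".": "excess", "o": "pps peer", " ": "rejected"}

PEER_RE = re.compile(
    r"^(?P<tally>[ *+\-x#.o])(?P<remote>\S+)\s+(?P<refid>\S+)\s+(?P<st>\d+)\s+(?P<t>\S)\s+"
    r"(?P<when>\S+)\s+(?P<poll>\d+)\s+(?P<reach>\d+)\s+(?P<delay>[-\d.]+)\s+"
    r"(?P<offset>[-\d.]+)\s+(?P<jitter>[-\d.]+)\s*$"
)


def parse_ntpq(output: str) -> list:
    """Parse the peer rows of `ntpq -p`. `reach` is an octal shift register of the
    last eight polls, so 377 means all eight answered and 0 means none did."""
    peers = []
    for line in output.splitlines():
        m = PEER_RE.match(line)
        if not m:
            continue  # header and separator lines
        d = m.groupdict()
        reach = int(d["reach"], 8)
        peers.append({
            "remote": d["remote"], "refid": d["refid"], "stratum": int(d["st"]),
            "status": TALLY.get(d["tally"], "unknown"),
            "reach_bits": reach, "missed_polls": 8 - bin(reach).count("1"),
            "offset_ms": float(d["offset"]), "jitter_ms": float(d["jitter"]),
        })
    return peers


def sync_health(output: str, max_offset_ms: float = 100.0) -> dict:
    """Decide whether this server is usable as a time source for internal clients.
    Healthy means a '*' system peer exists, it answered all of its last 8 polls,
    its stratum is below 16, and its offset is within max_offset_ms (assumed limit)."""
    peers = parse_ntpq(output)
    system = [p for p in peers if p["status"] == "system peer"]
    problems = []
    if not system:
        problems.append("no system peer selected (no '*' row)")
    else:
        sp = system[0]
        if sp["stratum"] >= 16:
            problems.append("system peer is unsynchronised (stratum 16)")
        if sp["missed_polls"]:
            problems.append("system peer missed %d of the last 8 polls" % sp["missed_polls"])
        if abs(sp["offset_ms"]) > max_offset_ms:
            problems.append("offset %.3f ms exceeds %.1f ms" % (sp["offset_ms"], max_offset_ms))
    return {
        "healthy": not problems,
        "system_peer": system[0]["remote"] if system else None,
        "problems": problems,
        "unreachable_peers": [p["remote"] for p in peers if p["reach_bits"] == 0],
    }


if __name__ == "__main__":
    print(sync_health(SAMPLE_NTPQ))
```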






March 15th, 2015

3/15/2015

There are always bad days. The only thing we can do is face them and find a solution. Today was supposed to be a quiet weekend after a quick patch, but things quickly went bad: a Check Point firewall did not come back after a hotfix was installed. The system crashed and kept rebooting while loading the policy from the local host. (The root cause of that crash is another story.)

Since the system had crashed and there was no way for an administrator to log in, what we could do was log in to maintenance mode and either restore from a previous backup / image (hopefully you have one) or uninstall the hotfix.

Usually the uninstallation script will save you a huge amount of time in this awkward situation; the worst case is to get into maintenance mode and restore an image you took before. Let me list all the steps I went through today:

1. System crashed during reboot after applying a hotfix from Check Point

INIT: Entering runlevel: 3
Applying Intel CPU microcode update: [  OK  ]
Starting sysstat:  Calling the system activity data collector (sadc):
[  OK  ]
Running UP accel driver check.
IP series driver not present
Starting background readahead: [  OK  ]
Checking for hardware changes [  OK  ]
Configuring ipv6 kernel support:  [  OK  ]
Starting kdump:[  OK  ]
Inserting ipsctlmod.2.6.18.cp.i686: [  OK  ]
CKP: Loading SecureXL:  [  OK  ]
CKP: Loading FW-1 IPv4 Instance 0:  [  OK  ]
CKP: Loading VPN-1     Instance 0:  [  OK  ]
CKP: Loading FW-1 IPv4 Instance 1:  [  OK  ]
CKP: Loading VPN-1     Instance 1:  [  OK  ]
FW1: Starting cpWatchDog
Starting wrp: 
[  OK  ]
Starting auditd: [  OK  ]
Starting system logger: [  OK  ]
Starting kernel logger: [  OK  ]
Fulcrum switch not installed
Update Interfaces in Database:  0 bindings were imported
[  OK  ]
Generating vrfs:  [  OK  ]
Configuring NetAccess:  [  OK  ]
Generating NTP configuration:  [  OK  ]
Generating Time Zone configuration:  [  OK  ]
Generating domain name configuration:  [  OK  ]
Generating keyboard mapping configuration:  [  OK  ]
Generating hostname configuration:  [  OK  ]
Configuring Interfaces:  [  OK  ]
Generating /etc/monitor_mode:  [  OK  ]
Generating /etc/fonic_pairs:  [  OK  ]
Configuring NDP:  [  OK  ]
Generating hosts.conf:  [  OK  ]
Generating resolv.conf:  [  OK  ]
Generating dhclient.conf:  [  OK  ]
Generating pwcontrol.conf [  OK  ]
Generating passwd + shadow [  OK  ]
Generating group + gshadow [  OK  ]
Generating routed.conf [  OK  ]
Generating routed0.conf [  OK  ]
Generating extended commands:  [  OK  ]
Generating MOTD:  [  OK  ]
Generating banner message:  [  OK  ]
Generating /etc/raddb/server:  [  OK  ]
Generating TACACS+ configuration:  [  OK  ]
Generating /etc/msmtp.conf:  [  OK  ]
Generating /etc/pam.d/system-auth:  [  OK  ]
Generating /etc/sysconfig/external.if:  [  OK  ]
Generating /etc/lldpd.conf:  [  OK  ]
Generating DHCP server configuration:  Write DSTATE called
ServerConfigured = 1
DdnsConfigured = 0
[  OK  ]
Generating /etc/adjust_radius:  [  OK  ]
Running /bin/arp_xlate:  [  OK  ]
Generating SNMP configuration:  [  OK  ]
Generating Job Scheduler configuration:  [  OK  ]
Updating general configuraion file:  [  OK  ]
Updating syslogd configuration:  Reloading syslogd...[  OK  ]
Reloading klogd...[  OK  ]
[  OK  ]
Updating httpd2 configuration:  [  OK  ]
 Updating httpd-ssl configuration:  [  OK  ]
Applying NetFlow configuration [  OK  ]
Configuring PPPoE:  [  OK  ]
CPshell initialization:  [  OK  ]
Initializing CP Process Manager..
Starting cp_pm_rl2:  [  OK  ]
Starting cp_pm_rl3:  [  OK  ]
Starting cp_pm_rl4:  [  OK  ]
Starting acpi daemon: [  OK  ]
Starting sshd: [  OK  ]
Starting arp: <not configured>
Starting xinetd: [  OK  ]
Starting bp_init:  [  OK  ]
Starting bypass_off:  [  OK  ]
Starting crond: [  OK  ]
Starting cpri_d:  cpridstart: Starting cprid
[1] 7382
[  OK  ]
Starting cpboot:  cpstart: Power-Up self tests passed successfully

cpstart: Starting product - SVN Foundation

SVN Foundation: cpWatchDog already running
SVN Foundation: Starting cpd
Multiportal daemon: starting mpdaemon
SVN Foundation started

cpstart: Starting product - VPN-1

FireWall-1: starting external VPN module -- OK
cpwd_admin:
Process CPHAMCSET started successfully (pid=8208)
FireWall-1: Starting fwd

SecureXL disabled, cannot use affinity commands
SecureXL will be started after a policy is loaded.
FireWall-1: Fetching policy

Installing Security Policy Internet-CP-Cluster on all.all@Pub-cp2
wdt stop function not defined

Oops: 0000 [#1]
SMP
last sysfs file: /devices/pci0000:00/0000:00:00.0/class
Modules linked in: w83627ehf(U) hwmon_vid(U) hwmon(U) button(U) xfrm_nalgo(U) crypto_api(U) 8021q(U) wrpmodmod(PU) vpn_1(PU) fw_1(PU) vpn_0(PU) fw_0(PU) simmod(PU) bridge(U) llc(U) ipsctlmod(PU) parport_pc(U) lp(U) parport(U) sg(U) pcspkr(U) bypass_sb_gpio(U) i2c_i801(U) bypass_class(U) igb(U) i2c_core(U) e1000e(U) serio_raw(U) ip_srs_apic(U) dm_snapshot(U) dm_zero(U) dm_mirror(U) dm_mod(U) ata_piix(U) libata(U) sd_mod(U) scsi_mod(U) ext3(U) jbd(U) ehci_hcd(U) ohci_hcd(U) uhci_hcd(U)
CPU:    1
EIP:    0060:[<f13bf15b>]    Tainted: P      VLI
EFLAGS: 00010202   (2.6.18-92cp #1)
EIP is at cphwd_api_init+0x82b/0xe90 [simmod]
eax: 5505b527   ebx: 00000005   ecx: 00000000   edx: 00000080
esi: 00000001   edi: f1685580   ebp: f1683120   esp: e2e5b984
ds: 007b   es: 007b   ss: 0068
Process fw_full (pid: 8553, ti=e2e58000 task=ef452c70 task.ti=e2e58000)
Stack: f1441ac0 00000002 00000000 80405d5a f40e3c74 00000000 f40e3e80 00000000
       f13be930 e2e5b9cc f40e3c74 00000000 f2d2eb97 e2e5b9cc f338ae30 00000060
       00000202 f40e3e80 00000000 00000000 00000000 00000001 00000002 00000000
Call Trace:
[<e2e5b990>] <0> [<80405d5a>] common_interrupt+0x1a/0x20
[<e2e5b9a4>] <0> [<f13be930>] cphwd_api_init+0x0/0xe90 [simmod]
[<e2e5b9b4>] <0> [<f2d2eb97>] cphwd_api_init_+0x97/0x100 [fw_0]
[<e2e5b9bc>] <0> [<f338ae30>] fwhamultik_validate_not_locked+0x0/0x90 [fw_0]
[<e2e5b9e8>] <0> [<f2d1b0c4>] cphwd_start+0x2174/0x2cc0 [fw_0]
[<e2e5ba64>] <0> [<804388a9>] update_process_times+0x59/0x90
[<e2e5ba74>] <0> [<f2eaa135>] hmem_global_receive_returned_blocks+0x65/0xd0 [fw_0]
[<e2e5ba78>] <0> [<8041e50a>] smp_apic_timer_interrupt+0x7a/0x80
[<e2e5ba84>] <0> [<80405deb>] apic_timer_interrupt+0x1f/0x24

2. Enter into Maintenance Mode

The following steps bring your Check Point appliance into maintenance mode:
  • Connect to the machine over console (serial).
  • Reboot the machine (power cycle). 
  • During the boot, press a key on the "Press any key to see the boot menu" screen. This opens the Check Point Boot Menu. By default, the user has only 5 seconds to press a key.
  • Choose the "Start in maintenance mode" and press Enter.
  • Enter the Admin credentials and press Enter.


3. Uninstall the hotfix from the /opt/CPsuite-R77 folder

sh-3.1# fw ver
This is Check Point's software version R77.10 - Build 243
List all installed hotfixes. The problematic one is marked in red:
sh-3.1# cpinfo -y
Error: 'Couldn't connect to /tmp/xgets:  Connection refused
'.
------------------------
Hotfix versions
------------------------
[FW1]
  HOTFIX_R77_10
  HOTFIX_R77_HF_HA10_005
  HOTFIX_GYPSY_LTE_HF_001 
[PPACK]
  HOTFIX_R77_10
[SecurePlatform]
  HOTFIX_R77_10_GAIA_GHOST_833
[CVPN]
  HOTFIX_R77_10
[CPinfo]
  No hotfixes..
[SmartLog]
  HOTFIX_R77_10 


Go to the /opt/CPsuite-R77 folder:
Note: Usually this is the parent folder of $FWDIR. The actual directory depends on the version running on your Check Point device. In this case it is Gaia R77.10, and the folder is /opt/CPsuite-R77.


sh-3.1# cd CPsuite-R77
sh-3.1# ls
CPinstall    fw1_wrapper_HOTFIX_GYPSY_LTE_HF_001_bcp.tgz
LICENSE.TXT  fw1_wrapper_HOTFIX_GYPSY_LTE_HF_001_bcp.tgz.new.txt
conf         fw1_wrapper_HOTFIX_R77_HF_HA10_005_bcp.tgz
fg1          fw1_wrapper_HOTFIX_R77_HF_HA10_005_bcp.tgz.new.txt
fw1          uninstall_fw1_wrapper_HOTFIX_GYPSY_LTE_HF_001
fw1_wrapper  uninstall_fw1_wrapper_HOTFIX_R77_HF_HA10_005


sh-3.1# ls -ali
total 122712
328062 drwxrwx--x  7 admin bin      4096 Mar 15 10:26 .
 65537 drwxr-xr-x 19 admin root     4096 Aug  6  2014 ..
328064 drwxrwx---  2 admin bin      4096 Aug  6  2014 CPinstall
328066 -rwxrwx---  1 admin bin     38604 Jan 16  2014 LICENSE.TXT
328067 drwxrwx---  2 admin bin      4096 Aug  6  2014 conf
328069 drwxrwx---  9 admin bin      4096 Nov  9 01:37 fg1
328095 drwxrwx--x 30 admin bin      4096 Mar 15 12:35 fw1
852062 drwxr-x---  3 admin bin      4096 Apr  7  2014 fw1_wrapper
327694 -rw-rw----  1 admin root 72317473 Mar 15 10:25 fw1_wrapper_HOTFIX_GYPSY_LTE_HF_001_bcp.tgz
327692 -rw-rw----  1 admin root      763 Mar 15 10:24 fw1_wrapper_HOTFIX_GYPSY_LTE_HF_001_bcp.tgz.new.txt
329068 -rw-rw----  1 admin root 53080782 Aug  6  2014 fw1_wrapper_HOTFIX_R77_HF_HA10_005_bcp.tgz
329067 -rw-rw----  1 admin root      187 Aug  6  2014 fw1_wrapper_HOTFIX_R77_HF_HA10_005_bcp.tgz.new.txt
327700 -rwxr-x---  1 admin bin     18224 Nov  9 01:37 uninstall_fw1_wrapper_HOTFIX_GYPSY_LTE_HF_001
329069 -rwxr-x---  1 admin bin     18218 Apr  7  2014 uninstall_fw1_wrapper_HOTFIX_R77_HF_HA10_005

sh-3.1# ./uninstall_fw1_wrapper_HOTFIX_GYPSY_LTE_HF_001 
Validating uninstall archive...
Do you want to proceed with uninstallation of
Security Gateway Power/UTM R77.10 GYPSY_LTE_HF_001 on this computer?
If you choose to proceed, uninstall will perform CPSTOP.
To proceed type y to cancel type n :
y
 cpwd_admin: Failed to submit request to cpWatchDog
cvpnd: no process killed
dbwriter: no process killed
cvpnproc: no process killed
MoveFileServer: no process killed
CvpnUMD: no process killed
Mobile Access: Stopping MoveFileDemuxer service (if needed)
 cpwd_admin: Failed to submit request to cpWatchDog
Mobile Access: MoveFileDemuxer is not running
Exception: connect() failed - Network is unreachable
Multiportal daemon is not running
Pinger: no process killed
Mobile Access: Successfully stopped Mobile Access services
 cpwd_admin: Failed to submit request to cpWatchDog
SmartView Monitor: Unable to find CpWatchDog - run cpstart
FloodGate-1 is already stopped.
 Unable to open '/dev/fw0': No such file or directory
 fw_syncn_set: failed to set off synchronization
 cpwd_admin: Failed to submit request to cpWatchDog
 Unable to open '/dev/fw0': No such file or directory
 Failed to notify kernel: No such file or directory
 HA not stopped.
VPN-1/FW-1 stopped
Multi portal stopped
fw: Unable to open '/dev/fw0': Unknown error 4294967295
fw: Set operation failed: failed to get parameter
fw: set: Operation failed: Unknown error 4294967295
SVN Foundation: cpd is not running
Multiportal daemon: mpdaemon is not running
 cpwd_admin: Failed to submit request to cpWatchDog
SVN Foundation: cpWatchDog is not running
SVN Foundation stopped
Launching pre-uninstall utility
Removing gx.lf file from registry...
****************
Security Gateway Power/UTM R77.10
Security Gateway Power/UTM R77.10 GYPSY_LTE_HF_001
Uninstall completed successfully.
****************

***********************************************************

Don't forget to reboot the machine!!

***********************************************************

sh-3.1# reboot
Preforming soft reboot
INIT: Sending processes the TERM signal
INIT: Starting killall:  [  OK  ]
Starting bypass_on:  [  OK  ]
Sending all processes the TERM signal...
Sending all processes the KILL signal...
Saving random seed:
Syncing hardware clock to system time
Turning off swap:
Unmounting file systems:
mount: /proc is busy
Please stand by while rebooting the system...
Restarting system.

4. Verify Hotfix uninstalled

You will find that HOTFIX_GYPSY_LTE_HF_001 is gone from the list.
[Expert@Pub-CP1:0]# cpinfo -y
------------------------
Hotfix versions
------------------------
[FW1]
  HOTFIX_R77_10
  HOTFIX_R77_HF_HA10_005
[SecurePlatform]
  HOTFIX_R77_10_GAIA_GHOST_833
[PPACK]
  HOTFIX_R77_10
[CVPN]
  HOTFIX_R77_10
[CPinfo]
  No hotfixes..
[SmartLog]
  HOTFIX_R77_10
[rtm]
  No hotfixes..


Troubleshooting Verisign SSL Certificates Issue on PKI VPN Tunnel between Juniper SRX Firewalls (Cont.)

3/13/2015

PKI-based IPsec site-to-site VPN is becoming more and more popular. My previous post "Set up PKI IPSec VPN with Verisign SSL Certificates between Juniper SRX Firewalls" records all the steps to set up this kind of IPsec VPN.

This post covers some troubleshooting procedures for a strange certificate issue encountered while configuring a PKI-based IPsec VPN between Juniper SRX firewalls.

Symptoms: 

The VPN tunnel could not be built although all procedures had been followed: generated the RSA key pair, generated CSRs on both SRX firewalls, submitted the CSRs to the SSL certificate provider, received certificates for both devices, received the CA certificates, and imported all certificates into the devices.

Debugging IKE did not give much information. But when verifying the certificates, I found this strange output:

@SRX1:
root@fw-SRX1-2> show security pki ca-certificate detail
node1:
--------------------------------------------------------------------------
Certificate identifier: G5
  Certificate version: 3
  Serial number: 250ce8e030612e9f2b89f7054d7cf8fd
  Issuer:
    Organization: "VeriSign, Organizational unit: Class 3 Public Primary Certification Authority, Country: US
  Subject:
    Organization: "VeriSign, Organizational unit: VeriSign Trust Network, Organizational unit: "(c) 2006 VeriSign, Country: US, Common name: VeriSign Class 3 Public Primary Certification Authority - G5
  Subject string:
    C=US, O="VeriSign, Inc.", OU=VeriSign Trust Network, OU="(c) 2006 VeriSign, Inc. - For authorized use only", CN=VeriSign Class 3 Public Primary Certification Authority - G5
  Validity:
    Not before: 11- 8-2006 00:00 UTC
    Not after: 11- 7-2021 23:59 UTC
  Public key algorithm: rsaEncryption(2048 bits)
    30:82:01:0a:02:82:01:01:00:af:24:08:08:29:7a:35:9e:60:0c:aa
    e7:4b:3b:4e:dc:7c:bc:3c:45:1c:bb:2b:e0:fe:29:02:f9:57:08:a3
    64:85:15:27:f5:f1:ad:c8:31:89:5d:22:e8:2a:aa:a6:42:b3:8f:f8
    b9:55:b7:b1:b7:4b:b3:fe:8f:7e:07:57:ec:ef:43:db:66:62:15:61
    cf:60:0d:a4:d8:de:f8:e0:c3:62:08:3d:54:13:eb:49:ca:59:54:85
    26:e5:2b:8f:1b:9f:eb:f5:a1:91:c2:33:49:d8:43:63:6a:52:4b:d2
    8f:e8:70:51:4d:d1:89:69:7b:c7:70:f6:b3:dc:12:74:db:7b:5d:4b
    56:d3:96:bf:15:77:a1:b0:f4:a2:25:f2:af:1c:92:67:18:e5:f4:06
    04:ef:90:b9:e4:00:e4:dd:3a:b5:19:ff:02:ba:f4:3c:ee:e0:8b:eb
    37:8b:ec:f4:d7:ac:f2:f6:f0:3d:af:dd:75:91:33:19:1d:1c:40:cb
    74:24:19:21:93:d9:14:fe:ac:2a:52:c7:8f:d5:04:49:e4:8d:63:47
    88:3c:69:83:cb:fe:47:bd:2b:7e:4f:c5:95:ae:0e:9d:d4:d1:43:c0
    67:73:e3:14:08:7e:e5:3f:9f:73:b8:33:0a:cf:5d:3f:34:87:96:8a
    ee:53:e8:25:15:02:03:01:00:01
  Signature algorithm: sha1WithRSAEncryption
  Distribution CRL:
    http://crl.verisign.com/pca3.crl
  Authority Information Access OCSP:
    http://ocsp.verisign.com
  Use for key: CRL signing, Certificate signing, TLS Web Server Authentication, 1.3.6.1.5.5.7.3.1, TLS Web Client Authentication, 1.3.6.1.5.5.7.3.2, Code Signing, 1.3.6.1.5.5.7.3.3, Netscape Server Gated Crypto, 2.16.840.1.113730.4.1, 2.16.840.1.113733.1.8.1, 2.16.840.1.113733.1.8.1
  Fingerprint:
    32:f3:08:82:62:2b:87:cf:88:56:c6:3d:b8:73:df:08:53:b4:dd:27 (sha1)
    f9:1f:fe:e6:a3:6b:99:88:41:d4:67:dd:e5:f8:97:7a (md5)
Certificate identifier: G4
  Certificate version: 3
  Serial number: 513fb9743870b73440418d30930699ff
  Issuer:
    Organization: "VeriSign, Organizational unit: VeriSign Trust Network, Organizational unit: "(c) 2006 VeriSign, Country: US, Common name: VeriSign Class 3 Public Primary Certification Authority - G5
  Subject:
    Organization: Symantec Corporation, Organizational unit: Symantec Trust Network, Country: US, Common name: Symantec Class 3 Secure Server CA - G4
  Subject string:
    C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4
  Validity:
    Not before: 10-31-2013 00:00 UTC
    Not after: 10-30-2023 23:59 UTC
  Public key algorithm: rsaEncryption(2048 bits)
    30:82:01:0a:02:82:01:01:00:b2:d8:05:ca:1c:74:2d:b5:17:56:39
    c5:4a:52:09:96:e8:4b:d8:0c:f1:68:9f:9a:42:28:62:c3:a5:30:53
    7e:55:11:82:5b:03:7a:0d:2f:e1:79:04:c9:b4:96:77:19:81:01:94
    59:f9:bc:f7:7a:99:27:82:2d:b7:83:dd:5a:27:7f:b2:03:7a:9c:53
    25:e9:48:1f:46:4f:c8:9d:29:f8:be:79:56:f6:f7:fd:d9:3a:68:da
    8b:4b:82:33:41:12:c3:c8:3c:cc:d6:96:7a:84:21:1a:22:04:03:27
    17:8b:1c:68:61:93:0f:0e:51:80:33:1d:b4:b5:ce:eb:7e:d0:62:ac
    ee:b3:7b:01:74:ef:69:35:eb:ca:d5:3d:a9:ee:97:98:ca:8d:aa:44
    0e:25:99:4a:15:96:a4:ce:6d:02:54:1f:2a:6a:26:e2:06:3a:63:48
    ac:b4:4c:d1:75:93:50:ff:13:2f:d6:da:e1:c6:18:f5:9f:c9:25:5d
    f3:00:3a:de:26:4d:b4:29:09:cd:0f:3d:23:6f:16:4a:81:16:fb:f2
    83:10:c3:b8:d6:d8:55:32:3d:f1:bd:0f:bd:8c:52:95:4a:16:97:7a
    52:21:63:75:2f:16:f9:c4:66:be:f5:b5:09:d8:ff:27:00:cd:44:7c
    6f:4b:3f:b0:f7:02:03:01:00:01
  Signature algorithm: sha256WithRSAEncryption
  Distribution CRL:
    http://s1.symcb.com/pca3-g5.crl
  Authority Information Access OCSP:
    http://s2.symcb.com
  Use for key: CRL signing, Certificate signing
  Fingerprint:
    ff:67:36:7c:5c:d4:de:4a:e1:8b:cc:e1:d7:0f:da:bd:7c:86:61:35 (sha1)
    23:d5:85:8e:bc:89:86:10:7c:b7:ac:1e:17:f7:26:c5 (md5)
From the output of the show command, both certificates G4 and G5 at firewall fw-SRX1-1 look fine. But they won't pass verification:
root@fw-srx1-2> request security pki ca-certificate verify ca-profile G4
node1:
--------------------------------------------------------------------------
Error: Certificate Authority not found for certificate </C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5>
{primary:node1}
root@fw-srx1-2> request security pki ca-certificate verify ca-profile G5  
node1:
--------------------------------------------------------------------------
Error: Certificate Authority not found for certificate </C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5>

On SRX2, the same thing happened:

root@fw-SRX2-1> show security pki ca-certificate detail 
node0:
--------------------------------------------------------------------------
Certificate identifier: G5
  Certificate version: 3
  Serial number: 250ce8e030612e9f2b89f7054d7cf8fd
  Issuer:
    Organization: "VeriSign, Organizational unit: Class 3 Public Primary Certification Authority, Country: US
  Subject:
    Organization: "VeriSign, Organizational unit: VeriSign Trust Network, Organizational unit: "(c) 2006 VeriSign, Country: US, Common name: VeriSign Class 3 Public Primary Certification Authority - G5
  Subject string:
    C=US, O="VeriSign, Inc.", OU=VeriSign Trust Network, OU="(c) 2006 VeriSign, Inc. - For authorized use only", CN=VeriSign Class 3 Public Primary Certification Authority - G5
  Validity:
    Not before: 11- 8-2006 00:00 UTC
    Not after: 11- 7-2021 23:59 UTC
  Public key algorithm: rsaEncryption(2048 bits)
    30:82:01:0a:02:82:01:01:00:af:24:08:08:29:7a:35:9e:60:0c:aa
    e7:4b:3b:4e:dc:7c:bc:3c:45:1c:bb:2b:e0:fe:29:02:f9:57:08:a3
    64:85:15:27:f5:f1:ad:c8:31:89:5d:22:e8:2a:aa:a6:42:b3:8f:f8
    b9:55:b7:b1:b7:4b:b3:fe:8f:7e:07:57:ec:ef:43:db:66:62:15:61
    cf:60:0d:a4:d8:de:f8:e0:c3:62:08:3d:54:13:eb:49:ca:59:54:85
    26:e5:2b:8f:1b:9f:eb:f5:a1:91:c2:33:49:d8:43:63:6a:52:4b:d2
    8f:e8:70:51:4d:d1:89:69:7b:c7:70:f6:b3:dc:12:74:db:7b:5d:4b
    56:d3:96:bf:15:77:a1:b0:f4:a2:25:f2:af:1c:92:67:18:e5:f4:06
    04:ef:90:b9:e4:00:e4:dd:3a:b5:19:ff:02:ba:f4:3c:ee:e0:8b:eb
    37:8b:ec:f4:d7:ac:f2:f6:f0:3d:af:dd:75:91:33:19:1d:1c:40:cb
    74:24:19:21:93:d9:14:fe:ac:2a:52:c7:8f:d5:04:49:e4:8d:63:47
    88:3c:69:83:cb:fe:47:bd:2b:7e:4f:c5:95:ae:0e:9d:d4:d1:43:c0
    67:73:e3:14:08:7e:e5:3f:9f:73:b8:33:0a:cf:5d:3f:34:87:96:8a
    ee:53:e8:25:15:02:03:01:00:01
  Signature algorithm: sha1WithRSAEncryption
  Distribution CRL:
    http://crl.verisign.com/pca3.crl
  Use for key: CRL signing, Certificate signing, TLS Web Server Authentication, 1.3.6.1.5.5.7.3.1, TLS Web Client Authentication, 1.3.6.1.5.5.7.3.2, Code Signing, 1.3.6.1.5.5.7.3.3, Netscape Server Gated Crypto,
  2.16.840.1.113730.4.1, 2.16.840.1.113733.1.8.1, 2.16.840.1.113733.1.8.1
  Fingerprint:
    32:f3:08:82:62:2b:87:cf:88:56:c6:3d:b8:73:df:08:53:b4:dd:27 (sha1)
    f9:1f:fe:e6:a3:6b:99:88:41:d4:67:dd:e5:f8:97:7a (md5)
  Auto-re-enrollment:
    Status: Disabled
    Next trigger time: Timer not started
Certificate identifier: G4
  Certificate version: 3
  Serial number: 513fb9743870b73440418d30930699ff
  Issuer:
    Organization: "VeriSign, Organizational unit: VeriSign Trust Network, Organizational unit: "(c) 2006 VeriSign, Country: US, Common name: VeriSign Class 3 Public Primary Certification Authority - G5
  Subject:
    Organization: Symantec Corporation, Organizational unit: Symantec Trust Network, Country: US, Common name: Symantec Class 3 Secure Server CA - G4
  Subject string:
    C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4
  Validity:
    Not before: 10-31-2013 00:00 UTC
    Not after: 10-30-2023 23:59 UTC
  Public key algorithm: rsaEncryption(2048 bits)
    30:82:01:0a:02:82:01:01:00:b2:d8:05:ca:1c:74:2d:b5:17:56:39
    c5:4a:52:09:96:e8:4b:d8:0c:f1:68:9f:9a:42:28:62:c3:a5:30:53
    7e:55:11:82:5b:03:7a:0d:2f:e1:79:04:c9:b4:96:77:19:81:01:94
    59:f9:bc:f7:7a:99:27:82:2d:b7:83:dd:5a:27:7f:b2:03:7a:9c:53
    25:e9:48:1f:46:4f:c8:9d:29:f8:be:79:56:f6:f7:fd:d9:3a:68:da
    8b:4b:82:33:41:12:c3:c8:3c:cc:d6:96:7a:84:21:1a:22:04:03:27
    17:8b:1c:68:61:93:0f:0e:51:80:33:1d:b4:b5:ce:eb:7e:d0:62:ac
    ee:b3:7b:01:74:ef:69:35:eb:ca:d5:3d:a9:ee:97:98:ca:8d:aa:44
    0e:25:99:4a:15:96:a4:ce:6d:02:54:1f:2a:6a:26:e2:06:3a:63:48
    ac:b4:4c:d1:75:93:50:ff:13:2f:d6:da:e1:c6:18:f5:9f:c9:25:5d
    f3:00:3a:de:26:4d:b4:29:09:cd:0f:3d:23:6f:16:4a:81:16:fb:f2
    83:10:c3:b8:d6:d8:55:32:3d:f1:bd:0f:bd:8c:52:95:4a:16:97:7a
    52:21:63:75:2f:16:f9:c4:66:be:f5:b5:09:d8:ff:27:00:cd:44:7c
    6f:4b:3f:b0:f7:02:03:01:00:01
  Signature algorithm: sha256WithRSAEncryption
  Distribution CRL:
    http://s1.symcb.com/pca3-g5.crl
  Use for key: CRL signing, Certificate signing
  Fingerprint:                        
    ff:67:36:7c:5c:d4:de:4a:e1:8b:cc:e1:d7:0f:da:bd:7c:86:61:35 (sha1)
    23:d5:85:8e:bc:89:86:10:7c:b7:ac:1e:17:f7:26:c5 (md5)
  Auto-re-enrollment:
    Status: Disabled
    Next trigger time: Timer not started
Also, the certificate chain did not pass the verify procedure. The error is the same as on the SRX1 device. It seems the G5 CA certificate is having an issue.
root@fw-SRX2-1> request security pki ca-certificate verify ca-profile G4  
node0:
--------------------------------------------------------------------------
CA certificate G4 verified successfully
{primary:node0}
root@fw-SRX2-1> request security pki ca-certificate verify ca-profile G5  
node0:
--------------------------------------------------------------------------
Error: Certificate Authority not found for certificate </C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5>
On both devices the CA certificate chain did not pass the verify. On SRX1, both the G4 and G5 CA certificates failed verification, and on SRX2 only G5 failed, although I imported the same certificates on both devices.

Troubleshooting:

Let's have a look at the files we got from Symantec/VeriSign:
1. ssl_certificate.crt is the firewall's certificate, which is signed by the VeriSign CA certificate.
2. IntermediateCA.crt is the CA certificate chain file, which includes two certificates.
After saving each part of the certificate chain into its own file, I checked the certificate properties of each certificate.

From the certificate properties, we can tell that "Symantec Class 3 Secure Server CA - G4" is signed by "VeriSign Class 3 Public Primary Certification Authority - G5", and "VeriSign Class 3 Public Primary Certification Authority - G5" is signed by "Class 3 Public Primary Certification Authority".

From the output below, the local certificate SRX1 is signed by "Symantec Class 3 Secure Server CA - G4":

root@fw-SRX1-1> show security pki local-certificate detail
node0:
--------------------------------------------------------------------------
Certificate identifier: SRX1
  Certificate version: 3
  Serial number: 2d6f03041e93e1e97acd758ae940e6db
  Issuer:
    Organization: Symantec Corporation, Organizational unit: Symantec Trust Network, Country: US, Common name: Symantec Class 3 Secure Server CA - G4
  Subject:
    Organization: GG, Organizational unit: IT, Country: CA, State: Ontario, Locality: srx1, Common name: srx1.gg.com
  Subject string:
    C=CA, ST=Ontario, L=srx1, O=gg, OU=IT, CN=srx1.gg.com
  Alternate subject: email empty, srx1.gg.com, ip empty
  Validity:
    Not before: 01- 9-2015 00:00 UTC
    Not after: 04- 5-2018 23:59 UTC
  Public key algorithm: rsaEncryption(2048 bits)
    30:82:01:0a:02:82:01:01:00:9d:96:c7:76:c3:66:25:c3:ec:58:61
    ee:c9:9d:82:ae:d6:de:26:ff:50:e8:b1:a0:ce:cd:0f:1a:f2:59:56
    9f:7f:49:aa:de:88:a8:5d:4c:69:0a:5b:f0:91:a7:49:e4:9b:3b:df
    e4:0e:24:7d:23:fe:32:4b:c0:9e:a6:37:ff:0c:7b:ae:02:6b:1c:b7
    7c:79:29:e3:73:4d:4f:3d:5a:38:4a:f6:43:03:8b:b9:8e:19:ea:bb
    cd:52:00:5d:a8:b5:a8:3a:92:3c:38:06:13:32:50:56:31:3f:be:68
    a2:b7:e4:f0:2d:0c:a2:f1:0b:22:b3:ea:2a:9e:47:7b:5b:aa:cc:43
    9d:f2:4e:e5:86:9f:c8:37:fc:02:d4:66:34:93:e0:d6:6b:35:c9:5d
    25:29:90:6d:ab:8c:1e:00:a1:cb:79:27:b4:f9:26:2e:e4:22:20:28
    70:e1:51:b6:7d:4a:34:07:c9:a3:69:49:26:34:6a:0b:66:ee:0c:29
    a5:c6:14:04:fb:64:49:31:72:cb:10:15:c4:c4:2b:66:b3:8c:3d:21
    76:34:3d:6a:83:0b:50:92:fe:32:a4:0c:7b:d2:82:d2:3f:61:63:59
    8c:57:4b:c7:99:09:a0:57:45:6c:e9:fb:64:34:80:46:dc:43:ce:4d
    1b:d0:d9:0a:e3:02:03:01:00:01
  Signature algorithm: sha256WithRSAEncryption
  Distribution CRL:
    http://ss.symcb.com/ss.crl
  Use for key: Key encipherment, Digital signature, TLS Web Server Authentication, 1.3.6.1.5.5.7.3.1, TLS Web Client Authentication, 1.3.6.1.5.5.7.3.2
  Fingerprint:
    8a:ea:0d:e2:a9:28:65:d1:d4:e0:6d:77:7e:aa:75:7d:69:7d:1f:ab (sha1)
    c7:b2:a1:ad:36:aa:8e:40:3d:5e:c9:cb:ad:9b:3f:10 (md5)
  Auto-re-enrollment:
    Status: Disabled
    Next trigger time: Timer not started

I checked the Symantec page "Licensing and Use of Root Certificates", and found there is another G5 certificate.

I downloaded it and checked its properties from Windows:
This new G5 certificate will expire in 2036 and has the same Issued to and Issued by, which means it is a root CA certificate. The old G5 will expire in 2021 and has different Issued to and Issued by, which means it is signed by another root CA certificate. Now I kind of understand the Symantec certificate chain after drawing the following diagram:

Solutions:

Now it is quite clear: with the original certificates sent from Symantec, I only have G5(2021) and G4 in the CA certificate chain. I am missing one root certificate, "VeriSign Class 3 Public Primary CA".

I can either import another CA certificate to complete this chain, or replace G5(2021) with the new G5(2036). I chose the replace option.

All steps are listed in the following:

root@fw-SRX1-2> request security pki ca-certificate load ca-profile G5 filename /var/tmp/G5.pem  
node1:
--------------------------------------------------------------------------
error: Command aborted as CA certificate already exists. Retry after clearing the existing CA certificate

root@fw-SRX1-2> clear security pki ca-certificate ca-profile G5                                  

root@fw-SRX1-2> request security pki ca-certificate load ca-profile G5 filename /var/tmp/G5.pem  
node1:
--------------------------------------------------------------------------
Fingerprint:
  4e:b6:d5:78:49:9b:1c:cf:5f:58:1e:ad:56:be:3d:9b:67:44:a5:e5 (sha1)
  cb:17:e4:31:67:3e:e2:09:fe:45:57:93:f3:0a:fa:1c (md5)
CA certificate for profile G5 loaded successfully
root@fw-SRX1-2> request security pki ca-certificate verify ca-profile G4
node1:
--------------------------------------------------------------------------
CA certificate G4 verified successfully

root@fw-SRX1-2> request security pki ca-certificate verify ca-profile G5  
node1:
--------------------------------------------------------------------------
CA certificate G5 verified successfully
root@fw-SRX1-2> show security pki ca-certificate
node0:
--------------------------------------------------------------------------
Certificate identifier: G5
  Issued to: VeriSign Class 3 Public Primary Certification Authority - G5, Issued by: C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
  Validity:
    Not before: 11- 8-2006 00:00 UTC
    Not after: 07-16-2036 23:59 UTC
  Public key algorithm: rsaEncryption(2048 bits)
Certificate identifier: G4
  Issued to: Symantec Class 3 Secure Server CA - G4, Issued by: C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
  Validity:
    Not before: 10-31-2013 00:00 UTC
    Not after: 10-30-2023 23:59 UTC
  Public key algorithm: rsaEncryption(2048 bits)
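The chain diagnosis above, done by hand from the show output, can be reproduced as a short script. This is an added example, not part of the original post or the Junos software: certificates are modelled only by the fields visible in the SRX output (subject, issuer, not-after), names are shortened to the CN, and no signatures are checked, so it only reproduces the "Certificate Authority not found" walk up the issuer links, plus the split of a bundle like IntermediateCA.crt into its individual PEM blocks.

```python
"""Walk a certificate chain by issuer links the way the SRX verify did.
Added example; certificate data is constructed from the post's output."""
from dataclasses import dataclass
from datetime import datetime, timezone
import re
from typing import Dict, List, Optional


@dataclass(frozen=True)
class CertInfo:
    subject: str
    issuer: str
    not_after: datetime

    @property
    def self_signed(self) -> bool:
        # The post's rule of thumb: same "Issued to" and "Issued by" means a root CA.
        return self.subject == self.issuer


def _utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, 23, 59, tzinfo=timezone.utc)


# Constructed from the post's output, CN only.
LEAF = CertInfo("srx1.gg.com", "Symantec Class 3 Secure Server CA - G4", _utc(2018, 4, 5))
G4 = CertInfo("Symantec Class 3 Secure Server CA - G4",
              "VeriSign Class 3 Public Primary Certification Authority - G5", _utc(2023, 10, 30))
# The cross-signed G5 shipped in IntermediateCA.crt: issued by the old Class 3 root.
G5_2021 = CertInfo("VeriSign Class 3 Public Primary Certification Authority - G5",
                   "Class 3 Public Primary Certification Authority", _utc(2021, 11, 7))
# The self-signed G5 root downloaded from Symantec's root certificate page.
G5_2036 = CertInfo("VeriSign Class 3 Public Primary Certification Authority - G5",
                   "VeriSign Class 3 Public Primary Certification Authority - G5", _utc(2036, 7, 16))


def build_chain(leaf: CertInfo, ca_store: List[CertInfo]) -> dict:
    """Follow issuer links from the leaf through the loaded CA profiles.
    Stops with complete=True at a self-signed root, or with the issuer name
    that could not be found, which is what the SRX error reports."""
    by_subject: Dict[str, List[CertInfo]] = {}
    for c in ca_store:
        by_subject.setdefault(c.subject, []).append(c)
    chain = [leaf]
    cur = leaf
    while not cur.self_signed:
        candidates = by_subject.get(cur.issuer, [])
        if not candidates or len(chain) > 10:  # missing issuer, or a malformed loop
            return {"chain": chain, "complete": False, "missing_issuer": cur.issuer}
        # When the same CA name is loaded twice (old G5 and new G5), prefer the
        # self-signed copy so the chain terminates at a root.
        cur = next((c for c in candidates if c.self_signed), candidates[0])
        chain.append(cur)
    return {"chain": chain, "complete": True, "missing_issuer": None}


def earliest_expiry(chain: List[CertInfo]) -> datetime:
    """The chain is only usable until its earliest not-after date."""
    return min(c.not_after for c in chain)


PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def split_pem_bundle(text: str) -> List[str]:
    """Split a bundle such as IntermediateCA.crt into one PEM block per certificate."""
    return PEM_RE.findall(text)


# Constructed stand-in for IntermediateCA.crt (placeholder bodies, not real certificates).
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\nPLACEHOLDER-G4\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nPLACEHOLDER-G5\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    for store_name, store in (("original bundle", [G4, G5_2021]), ("with G5(2036)", [G4, G5_2036])):
        result = build_chain(LEAF, store)
        print(store_name, "complete" if result["complete"] else f"missing issuer: {result['missing_issuer']}")
```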



Bridge Your Home Routers to Extend Your Wireless Network

3/1/2015

Not sure how many home users are experiencing wireless router coverage issues. Your wireless home router sits in the living room, but at certain locations in your home the wireless signal is quite weak. It is painful especially when you discover this in bed with your tablet. Upgrade to a more powerful wireless router, or buy another router as a repeater? Actually, router vendors have implemented a "bridge" technology which enables a wireless connection between routers from different vendors. Here is Wikipedia's explanation of Bridging (networking):
"Network bridging is the action taken by network equipment to create an aggregate network from either two or more communication networks, or two or more network segments. If one or more segments of the bridged network are wireless, it is known as wireless bridging. Bridging is distinct from routing, which allows multiple different networks to communicate independently while remaining separate."
This post is my weekend task to get my living room's wireless signal to cover the far corner of my bedroom better. At the end of the bedroom farthest from the wireless router, the signal is never strong enough to keep my iPad/cell phone persistently connected. To stop my family's complaints, I decided to set up a secondary router as a bridged access point on the second floor, which will provide a strong signal to the upper floors.

Topology:



1. Main Router's Configuration

The main router is from the ISP, and this ADSL device model is HG-A800. This router's configuration is nothing special. You just need to enable wireless security, the LAN network and DHCP.

Wireless basic configuration:

 Wireless Security:

 LAN and DHCP Setup (LAN IP is 192.168.2.1):


2. Secondary Router's Configuration:

TP-LINK WR941ND is used as secondary router for bridge Access Point purpose. 

There is no connection on the WAN port, since it is a secondary router which does not connect directly to the Internet. The LAN ports can be used to connect local network devices such as a media player, game console or desktop. The WAN configuration type for this secondary router will be Dynamic IP. The LAN IP will be 192.168.2.2. The DHCP scope is from 192.168.2.151 to 192.168.2.199. As you can tell, the DHCP scopes of the primary and secondary routers do not overlap, which makes it easier to identify later which router your device has connected to over wireless.

The most important part is the Wireless Settings of the secondary router. You had better set up the same wireless SSID and password as the primary router, especially in the SSID (to be bridged) section.



3. Test Result

My ISP provides 15 Mbps download speed and 1 Mbps upload speed. The speedtest.net result through the secondary router is pretty good, with almost no loss from this setup.



Using SNMPv3 to Monitor Juniper SRX 240H Alarm and Temperature

3/1/2015

One of our SRX240H units is having a temperature problem. Whenever the temperature reaches 50 degrees Celsius, the system alarm comes on. An alarm email should be sent out when the temperature reaches the threshold of 50. The SRX itself seems unable to send alarm email, based on this discussion. NSM or other SNMP tools may help in this situation.

PRTG is used to monitor our network devices and it works great with SNMPv3. My previous post described how to monitor the SRX's CPU, memory, flow sessions etc. Alarm status and temperature are the next sensors I want to monitor. There are a couple of ways to do it. You can use NSM to send alarm email, have the firewall itself send SNMP traps to your SNMP server, or have a network monitoring tool poll the SNMP OID values and then send email. In my case, PRTG is the preferred way to monitor system status and send alarm email based on the requirement.

Step 1: SNMPv3 on SRX


set snmp v3 usm local-engine user SRXAES authentication-md5 authentication-password Test1234
set snmp v3 usm local-engine user SRXAES privacy-aes128 privacy-password Test12345
set snmp engine-id local 4716
set snmp view view_all oid 1 include
set snmp filter-duplicates
set snmp health-monitor

set snmp location "<location>"
set snmp contact "<contact name>"
set snmp community <community-name> authorization read-only
set snmp community <community-name> clients <snmp-host>
set snmp community <community-name> clients 0.0.0.0/0 restrict

Note: A generic local engine-id must be configured. Otherwise (e.g. when the MAC address is used) SNMPv3 will not work in cluster configurations. After configuring the engine-id, committing the configuration might be required, because the engine-id is involved in generating the keys below.

To make NSM work with the SRX, location and contact should not be set. Otherwise, after the configuration is imported into NSM, when you push policy from NSM to the SRX, the SNMPv3 authentication password and privacy password will be changed.

In my working configuration for NSM and an SRX 240H / 1400 cluster, the configuration looks like the following:
root@fw-srx-1> show configuration snmp
v3 {
    usm {
        local-engine {
            user SRXAES {
                authentication-md5 {
                    authentication-key "$9$cOJSKMWLxNbs8LUjq.zF9ApuIEM8Xx-VvM4aJGq.Tz390BhSrlM836evW8dVP5TCuO1EhrOB-VYgJZ69CApBlKM-bsKv4aZUHkBIRcevdbsY4aSr8boa/CAtu1SyKW87vMX-bs4oJGDk5Q9ApREyk.hSreXxk5Qn/9pOBE3nA0O1hcYg4oDi"; ## SECRET-DATA
                }
                privacy-aes128 {
                    privacy-key "$9$4yaZjq.53/CmPF/CtIRNdVsoJDik.mTZGp01IcSM8XNds4oGDHqvWUjqmTQevM8dbYgojk.4oz369OBX7N-s2JZjPfz.muOBIrlLxNdVYgoDkY2QF6/tpM8Lx7VY2aGjHaJUH.PQzEcSl8XVwYaGDsYoGiH5T369pIErev7dbuONdbYoan/9AtO"; ## SECRET-DATA
                }
            }
        }
    }
    vacm {
        security-to-group {
            security-model usm {
                security-name SRXAES {
                    group readonly;
                }
            }
        }
        access {
            group readonly {
                default-context-prefix {
                    security-model usm {
                        security-level privacy {
                            read-view view_all;
                        }
                    }
                }
            }
        }
    }
}
engine-id {
    local 109849;
}
view view_all {
    oid 1 include;
}
client-list snmpclient {
    10.1.1.11/31;
    0.0.0.0/0 {
        restrict;
    }
}

Step 2: PRTG Configuration


PRTG can be easily integrated into your network monitoring system and execute comprehensive monitoring tasks. Also, the alerting feature is quite flexible to meet your organization's needs. Even one ordinary Windows server can monitor thousands of sensors without problems.

For the SNMPv3 configuration in PRTG, right-click the root of the Devices tab, choose Edit from the pop-up menu, and enter the SNMPv3 information in the root properties:

Then you can add your network devices with inherited settings. All new devices will get the same SNMPv3 configuration.

Step 3: Add SNMP Custom Sensor

Follow the instructions on the screen to add a sensor for your network device; you will need to pick the SNMP Custom sensor type from the SNMP category.

In the basic sensor settings, the most important thing is the OID value. You will need to know the exact OID number to build your own monitoring sensor in PRTG.

Let's go back to our SRX firewall to find out what the temperature SNMP MIB OID is:

show snmp mib walk 1.3.6.1.4.1 | match temp

We are able to find a couple of values for temperature:
jnxOperatingTemp.9.1.0.0 = 50
jnxOperatingTemp.9.2.0.0 = 49
jnxFruTemp.9.1.0.0 = 50
jnxFruTemp.9.1.1.0 = 50
jnxFruTemp.9.2.0.0 = 48
jnxFruTemp.9.2.1.0 = 48
From show chassis routing-engine, there are different types of temperature for the CPU and the chassis, and also for each node in a cluster configuration.
root@fw-srx-1> show chassis routing-engine
node0:
--------------------------------------------------------------------------
Routing Engine status:
    Temperature                 50 degrees C / 122 degrees F
    CPU temperature             49 degrees C / 120 degrees F

    Total memory              1024 MB Max   850 MB used ( 83 percent)
      Control plane memory     560 MB Max   493 MB used ( 88 percent)
      Data plane memory        464 MB Max   362 MB used ( 78 percent)
    CPU utilization:
      User                       7 percent
      Background                 0 percent
      Kernel                     5 percent
      Interrupt                  0 percent
      Idle                      87 percent
    Model                          RE-SRX240H
    Serial ID                      AAEP4868
    Start time                     2015-01-18 13:24:42 UTC
    Uptime                         38 days, 8 hours, 29 minutes, 47 seconds
    Last reboot reason             0x200:normal shutdown
    Load averages:                 1 minute   5 minute  15 minute
                                       0.16       0.44       0.46
node1:
--------------------------------------------------------------------------
Routing Engine status:
    Temperature                 48 degrees C / 118 degrees F
    CPU temperature             50 degrees C / 122 degrees F

    Total memory              1024 MB Max   696 MB used ( 68 percent)
      Control plane memory     560 MB Max   336 MB used ( 60 percent)
      Data plane memory        464 MB Max   357 MB used ( 77 percent)
    CPU utilization:
      User                       5 percent
      Background                 0 percent
      Kernel                     3 percent
      Interrupt                  0 percent
      Idle                      92 percent
    Model                          RE-SRX240H
    Serial ID                      AAEK3334
    Start time                     2015-02-15 16:05:14 UTC
    Uptime                         10 days, 5 hours, 49 minutes, 24 seconds
    Last reboot reason             0x200:normal shutdown
    Load averages:                 1 minute   5 minute  15 minute
                                       0.06       0.08       0.08
The next step is to find the numeric OID from an online OID database, such as http://oid-info.com/ or Solarwinds SNMP Center:
From the database search result, jnxOperatingTemp = 1.3.6.1.4.1.2636.3.1.13.1.7.
In this case, jnxOperatingTemp.9.2.0.0 is 1.3.6.1.4.1.2636.3.1.13.1.7.9.2.0.0. That is exactly the OID we need for this monitoring.

Step 4. Create email alarm

After checking the temperature thresholds as shown below, we will build an alarm email.
root@fw-srx-1> show chassis temperature-thresholds
node0:
--------------------------------------------------------------------------
                           Fan speed      Yellow alarm      Red alarm      Fire Shutdown
                          (degrees C)      (degrees C)     (degrees C)      (degrees C)
Item                     Normal  High   Normal  Bad fan   Normal  Bad fan     Normal
Chassis default              35    45       50       40       75       65      100
Routing Engine               35    45       50       40       75       65      100
node1:
--------------------------------------------------------------------------
                           Fan speed      Yellow alarm      Red alarm      Fire Shutdown
                          (degrees C)      (degrees C)     (degrees C)      (degrees C)
Item                     Normal  High   Normal  Bad fan   Normal  Bad fan     Normal
Chassis default              35    45       50       40       75       65      100
Routing Engine               35    45       50       40       75       65      100
Based on this Object Triggers setup, once the jnxOperatingTemp sensor's value is above 51 for 60 seconds, an email will be sent to the admin.
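The four steps above (walk the MIB, map the symbolic instance to a numeric OID, compare against the chassis thresholds, and alert when the value stays high) can be checked offline with a small script. This is an added example, not from the original post or from PRTG: the walk lines are a constructed sample copied from the post's output, the base OID is the jnxOperatingTemp value the post looked up, and the thresholds are the Routing Engine normal-fan column from show chassis temperature-thresholds.

```python
"""Turn SRX 'show snmp mib walk' output into PRTG OIDs and evaluate the
temperature alarm logic. Added example; sample data is constructed from the post."""
import re
from typing import Dict, List, Optional, Tuple

# jnxOperatingTemp base OID as found in the post's OID database lookup.
JNX_OPERATING_TEMP = "1.3.6.1.4.1.2636.3.1.13.1.7"

# Routing Engine thresholds (normal-fan columns) from 'show chassis temperature-thresholds'.
YELLOW_C, RED_C, SHUTDOWN_C = 50, 75, 100

# Constructed sample: the 'show snmp mib walk 1.3.6.1.4.1 | match temp' lines from the post.
SAMPLE_WALK = """\
jnxOperatingTemp.9.1.0.0 = 50
jnxOperatingTemp.9.2.0.0 = 49
jnxFruTemp.9.1.0.0 = 50
jnxFruTemp.9.2.0.0 = 48
"""

WALK_RE = re.compile(r"^(?P<name>\w+)\.(?P<index>[\d.]+)\s*=\s*(?P<value>-?\d+)$")


def parse_walk(text: str) -> Dict[str, int]:
    """Parse 'name.index = value' lines into {symbolic instance: integer value}."""
    readings: Dict[str, int] = {}
    for line in text.splitlines():
        m = WALK_RE.match(line.strip())
        if m:
            readings[f"{m['name']}.{m['index']}"] = int(m["value"])
    return readings


def numeric_oid(symbolic: str, bases: Optional[Dict[str, str]] = None) -> str:
    """Map a symbolic instance such as 'jnxOperatingTemp.9.2.0.0' to the dotted
    numeric OID that the PRTG SNMP Custom sensor expects."""
    bases = bases if bases is not None else {"jnxOperatingTemp": JNX_OPERATING_TEMP}
    name, index = symbolic.split(".", 1)
    if name not in bases:
        raise KeyError(f"no base OID known for {name}")
    return f"{bases[name]}.{index}"


def classify(temp_c: int) -> str:
    """Chassis alarm level for one reading, using the normal-fan thresholds."""
    if temp_c >= SHUTDOWN_C:
        return "fire-shutdown"
    if temp_c >= RED_C:
        return "red"
    if temp_c >= YELLOW_C:
        return "yellow"
    return "normal"


def sustained_breach(samples: List[Tuple[int, int]], limit_c: int = 51, hold_s: int = 60) -> bool:
    """PRTG-style object trigger: fire once the value has stayed above limit_c
    for at least hold_s seconds without dropping back. samples are
    (timestamp_seconds, temp_c) pairs in time order."""
    breach_start: Optional[int] = None
    for ts, temp in samples:
        if temp > limit_c:
            if breach_start is None:
                breach_start = ts
            if ts - breach_start >= hold_s:
                return True
        else:
            breach_start = None  # a single reading at or below the limit resets the timer
    return False


if __name__ == "__main__":
    for sym, val in parse_walk(SAMPLE_WALK).items():
        if sym.startswith("jnxOperatingTemp"):
            print(numeric_oid(sym), val, classify(val))
```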

Reference:

  • Junos temperature thresholds in SRX devices and the actions taken when it exceeds the threshold
  • Monitoring Juniper SRX Firewall CPU, Memory and Flow Session Information from PRTG



Basic Fortigate CLI Commands (Fortinet Firewalls Tips and Tricks)

3/1/2015


1. FGT30D # config system interface 

FGT30D (interface) # show
config system interface
    edit "wan"
        set ip 10.99.142.1 255.255.255.0
        set allowaccess ping https ssh snmp http fgfm
        set type physical
        set snmp-index 2
    next
.....
    edit "lan"
        set ip 192.168.100.1 255.255.255.0
        set allowaccess ping https ssh http fgfm capwap
        set type physical
        set snmp-index 1
    next
end

2. Change System Hostname

FGT30D # config system global 
FGT30D (global) # set hostname FGT30D
FGT30D (global) # end


3. Configure System DHCP Server on Interface "lan"

FGT30D # config system dhcp server 
config system dhcp server
    edit 1
        set default-gateway 192.168.100.1
        set dns-service default
        set interface "lan"
            config ip-range
                edit 1
                    set end-ip 192.168.100.200
                    set start-ip 192.168.100.80
                next
            end
        set netmask 255.255.255.0
    next
end

4. FGT30D # config firewall policy 

config firewall policy 
    edit 1
        set srcintf "lan"
        set dstintf "wan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

5. FGT30D # config router static 

config router static
    edit 1
        set device "wan"
        set gateway 10.99.142.6
    next
end

6. Configure system DNS host

FGT30D # config system dns 
config system dns
    set primary 208.91.112.53
    set secondary 208.91.112.52
end

7. Set System Users

FGT30D # config system admin
config system admin
edit admin
set password <psswrd>
config system admin
    edit "admin"
        set accprofile "super_admin"
 ....
        set password ENC AK1TDEt3tvzlnXWgK7ZjkFDgEisgltyWyK2/lnOYtvcl28=
    next
    edit "superadmin1"
        set accprofile "super_admin"
....
        set password ENC AK1eDVLPbT+qARqmQ5r0ituEhnmu9xVwdAbo2puf9TZofo=
    next
    edit "testadmin"
        set accprofile "prof_admin"
        set password ENC AK1JB0gM4GKvhld20nMmfFbhnictGo/+oUIqAaGTGlb+vg=
    next
end

8. Configure Syslog Settings

config log syslogd(2|3) setting
set status enable
set server 10.99.1.1
set port 514
set facility user
end
diagnose log test // Test logging

9. Execute Command - Ping

FGT30D # execute ping www.google.ca
PING www.google.ca (173.194.46.111): 56 data bytes
64 bytes from 173.194.46.111: icmp_seq=0 ttl=57 time=20.7 ms
64 bytes from 173.194.46.111: icmp_seq=1 ttl=57 time=22.7 ms
64 bytes from 173.194.46.111: icmp_seq=2 ttl=57 time=20.6 ms
--- www.google.ca ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 20.6/21.3/22.7 ms

10. Set Ping Source

FGT30D # execute ping-options source 192.168.1.1
FGT30D # execute ping-options view
Ping Options:
        Repeat Count: 5
        Data Size: 56
        Timeout: 2
        Interval: 1
        TTL: 64
        TOS: 0
        DF bit: unset
        Source Address: 192.168.1.1
        Pattern:
        Pattern Size in Bytes: 0
        Validate Reply: no
Note: ping-options will reset when session closed

11. Debugging 

diag debug enable
diag debug console timestamp enable
diag sniffer packet wan 'host 8.8.8.8' 1
diag debug disable
diag debug reset

12. Backup Configuration to Flash

FGT30D # execute backup config flash 
Please wait...
Config backed up to flash disk done.
Setting timestamp
FGT30D # execute revision list config
Last Firmware Version: V0.0.0-build000-REL0
ID TIME                   ADMIN                 FIRMWARE VERSION        COMMENT
 1 2015-02-10 13:39:29    jn                  V5.0.0-build292-REL0
 2 2015-02-10 13:42:15    jn                  V5.0.0-build292-REL0    20140210

13. Restore Configuration from Flash

FGT30D # execute restore config flash 2
This operation will overwrite the current settings!
Do you want to continue? (y/n)y
Please wait...
Get config from local disk OK.
File check OK.

14. Get system configuration

get system arp          // ARP Table
get system dns // DNS Configuration
get system dhcp server // DHCP server configuration

FGT30D # get system setting
opmode              : nat
firewall-session-dirty: check-all
bfd                 : disable
utf8-spam-tagging   : enable
wccp-cache-engine   : disable
vpn-stats-log       :
vpn-stats-period    : 0
v4-ecmp-mode        : source-ip-based
gui-default-policy-columns:
asymroute           : disable
ses-denied-traffic  : disable
strict-src-check    : disable
asymroute6          : disable
per-ip-bandwidth    : disable
sip-helper          : enable
sip-nat-trace       : enable
status              : enable
sip-tcp-port        : 5060
sip-udp-port        : 5060
sccp-port           : 2000
multicast-forward   : enable
multicast-ttl-notchange: disable
allow-subnet-overlap: disable
deny-tcp-with-icmp  : disable
ecmp-max-paths      : 10
discovered-device-timeout: 28
email-portal-check-dns: enable 
show system interface wan1 | grep -A2 ip // Show WAN and interface information.
get system info admin status // Show logged in users
get system status // Show system hardware/software update versions
get hardware status // Detailed hardware model information
get system performance status
get system performance top
show system interface 
diagnose hardware deviceinfo nic // Interface Statistics/Settings
diagnose hardware sysinfo memory
diag debug crashlog read
diag hardware sysinfo shm // Device should be in 0, if (>0) then conservemode
get system global | grep -i timer // Show tcp and udp timers for halfopen and idle
get system session-ttl // System default tcp-idle session timeout
get hardware nic
get system interface physical
diagnose ip address list
diagnose ip arp list
diagnose sys session list
diagnose sys session clear
diagnose sys kill 9 <id>

15. Online Demo Read Access for Fortinet Products

  • Fortigate:
user: demo
password: demo
fortigate.com
  • FortiAnalyzer:
user: demo
password: demo
fortianalyzer.com
  • FortiManager:
user: demo
password: demo
fortimanager.com
  • FortiMail:
user: demo
password: demo
https://209.87.230.132/admin
  • FortiWeb:
user: demo
password: demo
http://fortiweb.fortinet.com/
  • FortiDB:
user: demo
password: demo
http://www.fortidb.com/

Reference:

  • CLI Reference for FortiOS 5.0




A Quick Test to Check Point Capsule Cloud Service

3/1/2015

Not sure how many Check Point customers are using this service, but it sounded quite attractive when I heard about it. It helps your remote users connect to your global offices and the Internet seamlessly.

Roaming users use a VPN tunnel to connect to Check Point's cloud network, and from there they can access their company's internal network through another pre-built VPN tunnel. Also, from the Check Point cloud, roaming users are able to browse the Internet safely with Check Point's cloud services:
  • URL Filtering
  • Anti-Virus
  • Anti-Bot
  • Threat Emulation
  • IPS
  • HTTPS Inspection

Let's start by trying it out:

Step 1: Register an account at https://cloud.checkpoint.com/ with your email account

After registration, you will receive an email with the subject "Your Capsule Connect registration code". Inside the email are the links to download the client for Windows, Macintosh, Android and iOS.

Step 2: Download and Install the Client:

From the "Your Capsule Connect registration code" email, download the Windows client to your PC. Double-click it and follow the on-screen instructions to complete the software installation. You will find a cloud icon in the bottom right of your screen. Basically, the client installs a new Local Area Connection network driver, "Check Point Virtual Network Adapter For Cloud Connect", on your system.
Right-click the cloud icon:
Select the 'Show Client' menu item to open the main window. Click the Connect button to make a connection to Check Point's cloud network.
After the system has connected to the cloud, you will find it got a new IP address (172.16.9.28/22) from DHCP server 172.16.9.27, with DNS server 8.8.8.8.

Speedtest.net also shows that the system now has a US IP address, 208.43.242.98. The download and upload speeds are not bad.

My PC has almost 100 Mbps download/upload speed without connecting to the Check Point cloud.

Step 3: Log into https://cloud.checkpoint.com/ to review the configuration and policies

Check Point Capsule Cloud Policy tab.
Under Security Policy, three features are enabled:

  • URL Filtering
  • Threat Prevention
  • HTTPS Inspection


Step 4: Troubleshooting HTTPS website issues

By default, there is a problem browsing HTTPS websites such as Gmail: the browser shows "This Connection is Untrusted" and the connection is blocked.
The "Logs & Reports" tab shows that the Check Point Cloud Service Application Cloud blade blocked those connections.
Double-click a log entry to see the details for that record.

After HTTPS Inspection is turned off on the Policy tab, those HTTPS websites become reachable again.

Note that this is a workaround rather than a fix. HTTPS Inspection works by terminating the TLS session in the cloud and re-signing the site's certificate with the inspection CA, so the "untrusted" warning is the expected result until the client trusts that CA. Turning inspection off removes the warning, but it also means URL Filtering and Threat Prevention no longer see inside HTTPS traffic.
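As an added check (example code, not from the original post or from Check Point), the script below tells whether an HTTPS session has been re-signed by an inspection proxy. It compares the issuer of the leaf certificate, and optionally its SHA-256 fingerprint, against what the site normally presents, and a live probe reproduces the browser warning by attempting a verified handshake first. The sample certificates are constructed in the layout Python's getpeercert() returns, the inspection CA name "Capsule Cloud HTTPS Inspection CA" is hypothetical, and mail.google.com is only used as the example host.

```python
"""Check whether an HTTPS session is being intercepted (re-signed) by an
inspection proxy such as a cloud HTTPS Inspection blade.

Added example, not code from the original post or from Check Point. The
sample certificates, issuer names and fingerprints below are constructed
for illustration; the inspection CA name is hypothetical.
"""
import hashlib
import socket
import ssl


def name_to_dict(name):
    """Flatten the RDN tuple-of-tuples layout that ssl.getpeercert() uses,
    e.g. ((('commonName', 'x'),),) -> {'commonName': 'x'}."""
    out = {}
    for rdn in name:
        for attr, value in rdn:
            out[attr] = value
    return out


def sha256_hex(der):
    """SHA-256 fingerprint of a DER-encoded certificate, as hex."""
    return hashlib.sha256(der).hexdigest()


def classify_cert(cert, expected_issuer_cn, expected_sha256=None, der=None):
    """Return 'ok', 'intercepted' or 'unknown' for one leaf certificate.

    cert:                dict in the shape returned by getpeercert()
    expected_issuer_cn:  CN of the CA that normally signs this site's cert
    expected_sha256/der: optional pin on the raw DER bytes; this catches a
                         re-signed cert even if the proxy copies the issuer CN
    """
    issuer_cn = name_to_dict(cert.get("issuer", ())).get("commonName")
    if issuer_cn is None:
        return "unknown"
    if issuer_cn != expected_issuer_cn:
        return "intercepted"
    if expected_sha256 is not None and der is not None:
        if sha256_hex(der) != expected_sha256:
            return "intercepted"
    return "ok"


def probe(host, port=443, timeout=5):
    """Live check (needs network). A verified handshake is tried first,
    because an inspection CA the OS does not trust fails here exactly the
    way the browser's 'This Connection is Untrusted' warning does. On
    failure the leaf cert is fetched again without verification so the
    fingerprint can still be reported and compared with the one seen
    outside the tunnel."""
    result = {"host": host, "verified": False, "error": None}
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                result["verified"] = True
                result["issuer"] = name_to_dict(tls.getpeercert()["issuer"])
                result["sha256"] = sha256_hex(tls.getpeercert(binary_form=True))
                return result
    except ssl.SSLCertVerificationError as exc:
        result["error"] = exc.verify_message
    # Fallback: no verification, so only the raw DER (and thus the
    # fingerprint) is available; getpeercert() returns {} in this mode.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            result["sha256"] = sha256_hex(tls.getpeercert(binary_form=True))
    return result


# Constructed samples in getpeercert() layout (not real certificates).
DIRECT_CERT = {
    "subject": ((("commonName", "mail.google.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Google Inc"),),
               (("commonName", "Google Internet Authority G2"),)),
}
# Same site seen through the tunnel: re-signed by a hypothetical
# inspection CA that the browser does not trust.
INSPECTED_CERT = {
    "subject": ((("commonName", "mail.google.com"),),),
    "issuer": ((("organizationName", "Check Point"),),
               (("commonName", "Capsule Cloud HTTPS Inspection CA"),)),
}

if __name__ == "__main__":
    for label, cert in (("direct", DIRECT_CERT), ("via tunnel", INSPECTED_CERT)):
        print(label, classify_cert(cert, "Google Internet Authority G2"))
    # Uncomment to compare a live host from inside and outside the tunnel:
    # print(probe("mail.google.com"))
```

Run probe() once outside the tunnel to record the issuer and fingerprint, then again with the Capsule client connected: a verify error of the "unable to get local issuer certificate" kind plus a different fingerprint is interception by a CA the machine does not trust. The fingerprint pin is deliberately optional, since sites rotate certificates and a stale pin would report "intercepted" on its own.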

Reference:

  • Check Point Capsule Cloud sk102501
  • Check Point Capsule Cloud Administration Guide





