I have tried here to share my knowledge and resources what i had with me i hope these blogs will give you a lot of help in your real senario implementation work. From these blogs i am not getting any commercial profit.
If someone like it please post your comments and suggestions i will try to go with that.
OSPF is a link-state protocol and uses link-state advertisements (LSAs) to describe the network topology. Each OSPF router generates LSAs that describe the topology it sees and floods the LSAs throughout the domain .
OSPF runs directly over IP, using IP protocol 89. It does not use a transport layer protocol such as TCP or UDP.
OSPF defines several different types of areas. The core of an OSPF network is the backbone area, which is the area 0 (written as the 32-bit 0.0.0.0).
Configuring OSPF We enable OSPF by defining the interfaces on which it will run and the area to which the interfaces will be attached: [edit protocols] a@RouterG# set ospf area 0.0.0.0 interface fe-0/0/1.0 a@RouterG# set ospf area 0.0.0.0 interface fe-1/0/1.0
[edit routing-options] a@RouterG# set router-id 192.168.19.1
To check that OSPF is running on the router interfaces, use the show ospf interface command: a@RouterG> show ospf interface Interface State Area DR ID BDR ID Nbrs fe-0/0/1.0 DR 0.0.0.0 192.168.19.1 192.168.18.1 1 fe-1/0/1.0 BDR 0.0.0.0 192.168.17.1 192.168.19.1 1
If the router has not yet determined which router is the DR, the state is Waiting:
a@RouterG> show ospf neighbor Address Interface State ID Pri Dead 10.0.1.1 fe-0/0/1.0 Full 192.168.18.1 128 34 10.0.0.2 fe-1/0/1.0 Full 192.168.17.1 128 34
You see from this output that both neighbors have a router priority of 128, which is the default OSPF priority .If OSPF connectivity is establishing, you may see Attempt, Init, or 2way in State field.
In addition to showing that the neighbor is up (State is Full), the detail version of the show ospf neighbor command shows how long the interface and adjacency have been up, as well as the area number and the router IDs of the DR and BDR for the area. a@RouterG> show ospf neighbor detail
a@RouterG> show ospf route Prefix Path Route NH Metric NextHop Nexthop Interface ddr/label 192.168.17.1 Intra Router IP 1 fe-1/0/1.0 10.0.0.2 192.168.18.1 Intra Router IP 1 fe-0/0/1.0 10.0.1.1
You can find out which routes the router has learned from OSPF by checking the unicast routing table: aviva@RouterG> show route table inet.0 You can also see just the routes learned by OSPF: a@RouterG> show route protocol ospf table inet.0
Viewing the OSPF Link-State Database a@RouterG> show ospf database OSPF link state database, area 0.0.0.0 Type ID Adv Rtr Seq Age Opt Cksum Len Router 192.168.17.1 192.168.17.1 0x800000d0 986 0x2 0xebd2 60
Use the following version of the show ospf database command to get a quick summary of the entries LSA database:
a@RouterG> show ospf database summary Area 0.0.0.0: 3 Router LSAs 3 Network LSAs Externals: Interface fe-0/0/1.0: Interface fe-1/0/0.0:
Configuring a Multiarea OSPF Network [edit protocols] aviva@RouterG# set ospf area 0.0.0.1 interface fe-1/0/0.0
[edit protocols ospf] a@RouterE# set area 0.0.0.3 interface t1-0/0/3.0 a@RouterE# set area 0.0.0.3 stub
You can further reduce the number of LSA packets flooded through the stub area by configuring the ABR so that it does not flood Type 3 (Network Summary) LSAs to the routers in the stub area:
[edit protocols ospf] a@RouterJ# set area 0.0.0.3 stub no-summaries
The routers in the stub area no longer receive the Type 3 LSAs:
[edit protocols ospf] a@RouterJ# set area 0.0.0.3 nssa
For Viewing Ospf database for a particular area use the command: a@RouterJ> show ospf database area 0.0.0.3
Summarizing Routes in OSPF
[edit protocols ospf] a@RouterJ# set area 0.0.0.3 area-range 10.0.0.0/16
[edit protocols ospf area 0.0.0.0 ] a@RouterG# set authentication-type md5 a@RouterG# set interface fe-0/0/1 authentication md5 1 key $1991poPPi a@RouterG# set interface fe-1/0/1 authentication md5 1 key $1991poPPi
Redistributing Static Routes into OSPF Create a routing policy to redistribute static routes into OSPF: [edit policy-options] a@RouterG# set policy-statement export-statics term 1 from protocol static a@RouterG# set policy-statement export-statics term 1 then accept Then apply the policy to OSPF: [edit protocols ospf] a@RouterG# set export export-statics
Increase the cost on one interface to have OSPF use a different interface: [edit protocols ospf area 0.0.0.0 ] a@RouterJ# set interface fe-1/0/0.0 metric 3
Improving OSPF Convergence Times
Reduce the interval at which OSPF exchanges Hello messages and, in parallel, decrease the dead interval: [edit protocols ospf area 0.0.0.0 ] a@RouterG# set interface fe-0/0/1 hello-interval 2 a@RouterG# set interface fe-0/0/1 dead-interval 8 a@RouterG# set interface fe-1/0/1 hello-interval 2 a@RouterG# set interface fe-1/0/1 dead-interval 8
You are getting ready to perform router maintenance and you want to move all OSPF traffic off the router. Configure the router so that it appears to be overloaded with OSPF traffic:
[edit protocols ospf] a@RouterG# set overload
As you are preparing to perform maintenance on a router in a production network, you want to move traffic off that router so that network services are not interrupted during your maintenance window. The set overload command tricks the router into believing that it is overloaded and can't handle any more OSPF transit traffic, and the result is that OSPF transit traffic is sent to other routers. OSPF traffic destined to interfaces directly attached to the local router continues to reach the router.
Disable OSPF on the interface: [edit protocols ospf] a@RouterG# set area 0.0.0.0 interface fe-0/0/1.0 disable
To start OSPF again, remove the disable statement from the configuration:
[edit protocols ospf] a@RouterG# delete area 0.0.0.0 interface fe-0/0/1.0 disable a@RouterG# commit show ospf log The show ospf log command displays how often the SPF algorithm is being Initiated and how long each operation takes to finish. user@ab> show ospf log Last instance of each event type When Type Elapsed 00:17:29 SPF 0.000073 00:17:29 Stub 0.000067 00:17:29 Interarea 0.000025 00:17:29 External 0.000003 Maximum length of each event type When Type Elapsed 01:17:57 SPF 0.000116 00:22:41 Stub 0.000365 20:00:18 Interarea 0.000132 01:19:43 External 0.000042
The actual commands are in BOLD text so that they stand out from the comment blocks. ! Our ASN is 111 router bgp 111 ! ! Don't wait for the IGP to catch up. no synchronization ! ! Be a little more forgiving of an occasional missed keepalive. no bgp fast-external-fallover ! ! Track and punt, via syslog, all interesting observations about our ! neighbors. bgp log-neighbor-changes ! ! Announce our netblock(s) in a manner that does not increase CPU ! utilization. Redistributing from an IGP is dangerous as it increases ! the likelihood of flapping and instability. Redistributing static is ! more stable, but requires the CPU to peruse the routing table at a set ! interval to capture any changes. The network statement, combined with ! a null route, is the least expensive (in terms of CPU utilization) and ! most reliable (in terms of stability) option. network 1.88.0.0 mask 255.255.224.0 ! ! Our first neighbor, 10.10.5.1, is an eBGP peer with the ASN of 333. neighbor 10.10.5.1 remote-as 333 ! ! Set for soft reconfiguration, thus preventing a complete withdrawal ! of all announced prefixes when clear ip bgp x.x.x.x is typed. neighbor 10.10.5.1 soft-reconfiguration inbound ! ! Type in a description for future reference. Not everyone memorizes ! ASNs. :-) neighbor 10.10.5.1 description eBGP with ISP333 ! ! Set up a password for authentication. neighbor 10.10.5.1 password bgpwith333 ! ! Hard-set for version 4. Disabled BGP version negotiation, thus ! bringing the peering session on-line more quickly. neighbor 10.10.5.1 version 4 ! ! Block any inbound announcments that include bogon networks. A prefix ! list is used because it is: ! 1) Easier on the CPU than ACLs, and ! 2) Easier to modify. ! See the actual bogons prefix-list below. neighbor 10.10.5.1 prefix-list bogons in ! ! Announce only those networks we specifically list. This also prevents ! the network from becoming a transit provider. An added bit of protection ! and good netizenship. See the announce prefix-list below. neighbor 10.10.5.1 prefix-list announce out ! ! Prevent a mistake or mishap by our peer (or someone with whom our peer ! has a peering agreement) from causing router meltdown by filling the ! routing and BGP tables. This is a hard limit. At 75% of this limit, ! the IOS will issue log messages warning that the neighbor is approaching ! the limit. All log messages should be sent to a remote syslog host. ! The warning water mark can be modified by placing a value after the ! maximum prefix value, e.g. maximum-prefix 250000 50. This will set the ! IOS to issue warning messages when the neighbor reaches 50% of the limit. ! Note that this number may need to be adjusted upward in the future to ! account for growth in the Internet routing table. neighbor 10.10.5.1 maximum-prefix 250000 ! ! Our next neighbor is 10.10.10.1, an eBGP peer with the ASN of 222. neighbor 10.10.10.1 remote-as 222 neighbor 10.10.10.1 soft-reconfiguration inbound neighbor 10.10.10.1 description eBGP with ISP222 neighbor 10.10.10.1 password bgpwith222 neighbor 10.10.10.1 version 4 neighbor 10.10.10.1 prefix-list bogons in neighbor 10.10.10.1 prefix-list announce out neighbor 10.10.10.1 maximum-prefix 250000 ! ! This is our iBGP peer, 172.17.70.2. neighbor 172.17.70.2 remote-as 111 ! neighbor 172.17.70.2 soft-reconfiguration inbound ! ! Again, a handy description. neighbor 172.17.70.2 description iBGP with our other router ! neighbor 172.17.70.2 password bgpwith111 ! Use the loopback interface for iBGP announcements. This increases the ! stability of iBGP. neighbor 172.17.70.2 update-source Loopback0 neighbor 172.17.70.2 version 4 neighbor 172.17.70.2 next-hop-self neighbor 172.17.70.2 prefix-list bogons in neighbor 172.17.70.2 maximum-prefix 250000 ! ! Do not automatically summarize our announcements. no auto-summary ! If we have multiple links on the same router to the same AS, we like to ! put them to good use. Load balance, per destination, with maximum-paths. ! The limit is six. For our example, we will assume two equal size pipes ! to the same AS. maximum-paths 2 ! ! Now add our null route and the loopback/iBGP route. Remember to add ! more specific non-null routes so that the packets travel to their ! intended destination! ip route 1.88.0.0 255.255.224.0 Null0 ip route 1.88.50.0 255.255.255.0 192.168.50.5 ip route 1.88.55.0 255.255.255.0 192.168.50.8 ip route 1.88.75.128 255.255.255.128 192.168.50.10 ip route 172.17.70.2 255.255.255.255 192.168.50.2 ! ! We protect TCP port 179 (BGP port) from miscreants by limiting ! access. Allow our peers to connect and log all other attempts. ! Remember to apply this ACL to the interfaces of the router or ! add it to existing ACLs. ! Please note that ACL 185 would block ALL traffic as written. This ! is designed to focus only on protecting BGP. You MUST modify ACL ! 185 to fit your environment and approved traffic patterns. access-list 185 permit tcp host 10.10.5.1 host 10.10.5.2 eq 179 access-list 185 permit tcp host 10.10.5.1 eq bgp host 10.10.5.2 access-list 185 permit tcp host 10.10.10.1 host 10.10.10.2 eq 179 access-list 185 permit tcp host 10.10.10.1 eq bgp host 10.10.10.2 access-list 185 permit tcp host 172.17.70.2 host 172.17.70.1 eq 179 access-list 185 permit tcp host 172.17.70.2 eq bgp host 172.17.70.1 access-list 185 deny tcp any any eq 179 log-input ! ! The announce prefix list prevents us from announcing anything beyond ! our aggregated netblock(s). ip prefix-list announce description Our allowed routing announcements ip prefix-list announce seq 5 permit 1.88.0.0/19 ip prefix-list announce seq 10 deny 0.0.0.0/0 le 32 ! ! The bogons prefix list prevents the acceptance of obviously bogus ! routing updates. This can be modified to fit local requirements. ! While aggregation is possible - certainly desirable - IANA tends ! to allocate netblocks on a /8 boundary. For this reason, I have ! listed the bogons largely as /8 netblocks. This will make changes ! to the bogons prefix-list easier to accomplish and less intrusive. ! I have listed more specific netblocks when documentation, such as ! RFC1918, is more granular. ! Please see the IANA IPv4 netblock assignment document at the ! following URL: ! http://www.iana.org/assignments/ipv4-address-space ip prefix-list bogons description Bogon networks we won't accept. ip prefix-list bogons seq 5 deny 0.0.0.0/8 le 32 ip prefix-list bogons seq 10 deny 1.0.0.0/8 le 32 ip prefix-list bogons seq 15 deny 2.0.0.0/8 le 32 ip prefix-list bogons seq 20 deny 5.0.0.0/8 le 32 ip prefix-list bogons seq 30 deny 10.0.0.0/8 le 32 ip prefix-list bogons seq 35 deny 23.0.0.0/8 le 32 ip prefix-list bogons seq 40 deny 27.0.0.0/8 le 32 ip prefix-list bogons seq 45 deny 31.0.0.0/8 le 32 ip prefix-list bogons seq 50 deny 36.0.0.0/8 le 32 ip prefix-list bogons seq 55 deny 37.0.0.0/8 le 32 ip prefix-list bogons seq 60 deny 39.0.0.0/8 le 32 ip prefix-list bogons seq 70 deny 42.0.0.0/8 le 32 ip prefix-list bogons seq 75 deny 46.0.0.0/8 le 32 ip prefix-list bogons seq 80 deny 49.0.0.0/8 le 32 ip prefix-list bogons seq 85 deny 50.0.0.0/8 le 32 ip prefix-list bogons seq 255 deny 100.0.0.0/8 le 32 ip prefix-list bogons seq 260 deny 101.0.0.0/8 le 32 ip prefix-list bogons seq 265 deny 102.0.0.0/8 le 32 ip prefix-list bogons seq 270 deny 103.0.0.0/8 le 32 ip prefix-list bogons seq 275 deny 104.0.0.0/8 le 32 ip prefix-list bogons seq 280 deny 105.0.0.0/8 le 32 ip prefix-list bogons seq 285 deny 106.0.0.0/8 le 32 ip prefix-list bogons seq 290 deny 107.0.0.0/8 le 32 ip prefix-list bogons seq 295 deny 108.0.0.0/8 le 32 ip prefix-list bogons seq 300 deny 109.0.0.0/8 le 32 ip prefix-list bogons seq 305 deny 110.0.0.0/8 le 32 ip prefix-list bogons seq 310 deny 111.0.0.0/8 le 32 ip prefix-list bogons seq 315 deny 112.0.0.0/8 le 32 ip prefix-list bogons seq 320 deny 113.0.0.0/8 le 32 ip prefix-list bogons seq 325 deny 114.0.0.0/8 le 32 ip prefix-list bogons seq 330 deny 115.0.0.0/8 le 32 ip prefix-list bogons seq 390 deny 127.0.0.0/8 le 32 ip prefix-list bogons seq 395 deny 169.254.0.0/16 le 32 ip prefix-list bogons seq 400 deny 172.16.0.0/12 le 32 ip prefix-list bogons seq 405 deny 173.0.0.0/8 le 32 ip prefix-list bogons seq 410 deny 174.0.0.0/8 le 32 ip prefix-list bogons seq 415 deny 175.0.0.0/8 le 32 ip prefix-list bogons seq 420 deny 176.0.0.0/8 le 32 ip prefix-list bogons seq 425 deny 177.0.0.0/8 le 32 ip prefix-list bogons seq 430 deny 178.0.0.0/8 le 32 ip prefix-list bogons seq 435 deny 179.0.0.0/8 le 32 ip prefix-list bogons seq 440 deny 180.0.0.0/8 le 32 ip prefix-list bogons seq 445 deny 181.0.0.0/8 le 32 ip prefix-list bogons seq 450 deny 182.0.0.0/8 le 32 ip prefix-list bogons seq 455 deny 183.0.0.0/8 le 32 ip prefix-list bogons seq 460 deny 184.0.0.0/8 le 32 ip prefix-list bogons seq 465 deny 185.0.0.0/8 le 32 ip prefix-list bogons seq 470 deny 186.0.0.0/8 le 32 ip prefix-list bogons seq 475 deny 187.0.0.0/8 le 32 ip prefix-list bogons seq 490 deny 192.0.2.0/24 le 32 ip prefix-list bogons seq 500 deny 192.168.0.0/16 le 32 ip prefix-list bogons seq 510 deny 197.0.0.0/8 le 32 ip prefix-list bogons seq 512 deny 198.18.0.0/15 le 32 ip prefix-list bogons seq 515 deny 223.0.0.0/8 le 32 ip prefix-list bogons seq 520 deny 224.0.0.0/3 le 32 ! Allow all prefixes up to /27. Your mileage may vary, ! so adjust this to fit your specific requirements. ip prefix-list bogons seq 525 permit 0.0.0.0/0 le 27
The information presented here allows a user to run debug before opening his case with Check Point, to understand what is contained in every debug log that is needed, and to check if the debug generated is complete, or if another debug session will be required. This can save valuable time for the end-user, by shortening the duration of Service Requests.
Scenarios
There are two common, yet different, scenarios that should be considered when planning a debug session: • VPN tunnel was not established. • VPN tunnel has been established, but some or all traffic is not passing.
You can check if the tunnel has been established via the Smart View Tracker or Smart View Monitor tools.
Debug required per scenario
1. If the VPN tunnel was not established. • Capture files (fwmonitor) from both Security Gateways. • Turn on vpn debug (writes a log to the vpnd.elg and ike.elg log files). • Print Screen of the relevant error from SmartView Tracker. • Cpinfo from the SmartCenter server.
2. If the VPN tunnel has been established, but some, or all traffic is not passing. • Capture files (fwmonitor) from both Security Gateways. • Kernel debug from both Security Gateways. • Turn on ike and vpn debug. • Cpinfo from the SmartCenter server.
What each debug file shows fwmonitor: Monitor file for packets going through the Security Gateway. It divides the packet's path into four stages: • As it enters a given interface (i). • As it passes the first chain (I). • As it passes the kernel (o). • As it passes the second chain and leaves a given interface (O).
From the capture file, you can check if the packet is dropped and if the routing is correct. • ike.elg: Shows the packets and the data that they are carrying in the tunnel initiation stage: • Six main mode packets • Config mode packets • Three quick mode packets • Informative packets • Keep-alive packets
From this log file, you can see the packet that has failed and the generated error message.
• vpnd.elg: Log file for the tunnel establishment stage located on the Security Gateway. When debug is turned on, all of the processes that participate in the tunnel initiation stage write the results of there actions to this file. • cpinfo: Allows you to see the configuration and log files of the SmartCenter server. Syntax • Turning on vpn debug on the Security Gateway:
# vpn debug trunc # vpn debug on TDERROR_ALL_ALL=5 • Initiate kernel debug on the Security Gateway: # fw ctl debug 0 # fw ctl debug -buf 32000 # fw ctl debug -m fw VPN all # fw ctl debug -m fw + conn drop ld xlate xltrc nat # fw ctl kdebug -T -f > kernel.dbg • Initiate packet capture on the Security Gateway: # fw monitor -e "accept;" -o monitor.out • Stop vpn debug on the Security Gateway: # vpn debug off # vpn debug ikeoff • Stop kernel debug on the Security Gateway: # fw ctl debug 0 • Stop packet capture by CTRL+C.
Location of the files
The ike.elg and vpnd.elg files are located in $FWDIR/log. The kernel and packet capture are located in the path location that you specified.
For information on how to generate the cpinfo file, refer to sk30567: The CPinfo utility.
Note: When you send Check Point Support the files, do not forget to mention the relevant IP addresses.
Checking if the debug session was successful
• vpnd.elg and ike.elg files can be opened with a strong text editor. You can check if the files were created successfully by checking that the relevant connections have been captured. • ike.elg: Look for the following headers in the text and see if the connection with the peer was captured: • Packet Number in each stage • Peers IP address (in hex) • Time frame to be compared with value in vpnd.elg
• vpnd.elg: Look in the file and verify that the time interval of the relevant packets, captured in ike.elg, is also the time interval captured in vpnd.elg. • fwmonitor: Can be opened by downloading the Wireshark program from the Internet, and verifying that the relevant IP addresses and connection protocols appear in the capture files. • Kernel debug: Look in the file and verify that the time interval of the relevant packets, captured in fwmonitor, is also the time interval captured at the kernel.
DESCRIPTION OF CHANGE: The cluster of non-accelerated platform consists of 2-directors running in active-standby mode. Due to one of the Physical Box Failure in the cluster, needs to be replaced with good one.
IMPLEMENTATION PLAN:
1. Currently Only One Firewall-A is running in Stand alone mode and Firewall-B is in spare.
2. Build the Spare Firewall-B with cluster configuration where VRRP, Sync should be disabled.
3. Test it in an isolated setup for routes update status verification.
4. When the downtime starts, re-image Firewall-A which is in production and join to the cluster with Firewall -B.
5. Enable VRRP & Sync then apply. Both firewalls should reboot at a time.
6. One of the firewall should be reachable, test the SIC for that and get topologies then install the policy.
7. Both the firewalls should be reachable after the policy installation.
8. Test SIC with other Firewall and get all member topologies. Install policy on the cluster.
As we faced Route map missing at OS Level in our earlier Activity, which required Re-Imaging of individual firewalls and for that will take minimum of 30 to 45 minutes, hence for the complete activity we need at-least 4 hours partial downtime.
REVERT BACK
In case of any issue with proposed replacement, reverting back to the existing setup.
FW-Joining to Cluster in Non-accelerated firewalls 5111 or 5109
Any Non Accelerated Firewall which needs to be joined to the cluster the below steps needs to be performed…
In the existing firewall first do the below 3 steps… 1. Disable Sync /cfg/fw/sync/dis
2. Disable VRRP /cfg/net/vrrp/ha/n
3. Delete Host from Cluster objects /cfg/sys/clu/host 1 or 2
Host 1 stands for the first IP address of the firewall (1.1.1.2) and Host 2 is for second (1.1.1.3)
4. Install the same Image version running in existing firewall.
5. Connect the secondary firewall to the Network.
6. Management and Sync will be connected back to back.
7. Execute Join command from Main menu
8. Give the Port number for the Management, Physical IP to that firewall.
9. Management IP and it will ask for admin password and sic password.
10. Once joined, it will show successfully joined to the cluster if not failed
11. Mostly there will not be any issues but some times we may have to delete from the cluster and perform all the above steps again to rejoin…
12. Once successfully joined, enable VRRP –HA and Sync on this firewall.
13. Both the firewalls will reboot at a time.
If both of them not rebooted there might be some kind of issue in the cluster and after the reboot execute the command /info/net/if to check the interface status on both the firewalls where it should show the VRRP IP Addresses.
1. Login to firewall via SSH, using the management IP 2. Type “cfg” to login to the configuration menu. The configuration menu is used for making configuration changes in the firewall. 3. While in the Configuration menu, type, “dump” to take a screen dump of the firewall configuration. 4. Save the putty session to any text file. This is the configuration backup of the firewall. 5. Type, “exit” to exit from the firewall.
1.log-in to smart view reporter(10.10.1.1) through Unicenter with the password@123 2.go to cmd give command rmdstop. 3.log-in to provider(10.10.1.2) through putty ensure that GUI is ot connected.user id:user password:abcd* 4.#expert,password:admin123* 5.#cd /opt or cd /var 6.#mkdir 7.#cd 8.#mds_backup(it will prompt for destination directory[opt/CPM..] press enter and it'll creat a file upto 200mb) 9.again goto smart view reporter ,go to cmd and give command rmdstart.
To take the configuration backup on Nokia IP390 follow the below step by step procedure…
1. Login to the firewall through http access 2. Go to “Configuration > System Configuration > Backup and Restore” 3. Give the File Name for the back up of the configuration at Manual Backup 4. Apply the configuration to start its process. 5. After completion of this process, the backup file will be created with .tgz extension. 6. It can be downloaded from “Download Archive File > Manual backup file”
The same will be stored in the Firewall and any time if we want to restore it, we have to choose the file name at “Restore from Local > Manual backup file” …
TROUBLESHOOTING DOC FOR NSF_ ACCELERATED_ FIREWALL.
INTRODUCTION: The commands useful for monitoring the NSF are presented in this document. These commands are for system level monitoring. DESCRIPTION: It is recommended to monitor the NSF cluster on a regular basic. User can monitor the operation and performance of different hardware as well as software components of the NSF. Hardware components include: Director & Accelerator Software components include: Different Daemon & modules MONITORING HARDWARE COMPONENTS: The runtime status of different hardware components (directors, accelerators, and ports) in the NSF cluster can be monitored using either CLI or root commands. The communication status and the health status of some applications are also monitored by these commands.
Hardware Component Command(CLI/root) Comments Directors /info/clu (CLI) Displays runtime information and application status for all SFDs in the cluster. Accelerators /info/det (CLI) Displays all detected Accelerator(s). Look for “Effective VRRP state”, “Actual VRRP state” and “SFD state” in the output. Port Status /info/net/port (CLI) portstate (root) Displays current port status.
Decoding /info/clu output: This command shows the status of the directors and various software components on the directors. A sample output of the “/info/clu” command is given below. Please make sure to take note of the following:
• Status of all the directors should be displayed in the output. • The “Health Report as of” field should be within the last 2 minutes. • Acceleration status should be “ACCELERATING”. • Synchronization status should be “Working”. • CPU load should be below 50%, so that even if one director fails, the other director can handle the extra load. • Hard disk and memory usage vary widely between various configurations but it should be stable. • The uptime reported for various daemons should not be very small when compared to the uptime of the system. A small value indicates that the daemon had to be restarted after it quit.
>> Main# info/clu IP Address :172.17.13.1 [Up] Sync Network Address : 10.10.1.1 Health Report as of Wed Jun 11 09:53:12 2008
Runtime Information... Firewall Acceleration Status: ACCELERATING Firewall Synchronization Status: Working Hard disk usage: 20 % Memory usage: 52% CPU Load: 15%
Check Point Firewall-1 Running for 5 weeks, 5 days, 10 hours, 19 minutes
Inet server Running for 5 weeks, 5 days, 10 hours, 19 minutes Decoding “/info/det” output The “/info/det” command displays the status of the available accelerators. A sample output of “/info/det” follows: >> Main# info/det Detected Accelerators:
CHEETAH ASF 6600 Accelerator #1 00:14:c7:c8:64:00 Acclerator is configured and unicast/igmp/pim routes are uptodate IP Address = 172.17.13.5 Effective VRRP state: Backup Switch support for L2L3: Yes Actual VRRP state: BACKUP SFD state: Firewall up and accelerating Port link states: Port 1: Link DOWN Port 2: Link up, 1Gb/s, full duplex, RX flow control, TX flow control Port 3: Link up, 1Gb/s, full duplex Port 4: Link DOWN Port 5: Link up, 1Gb/s, full duplex Port 6: Link DOWN Ports 7-9: Link up, 1Gb/s, full duplex, RX flow control, TX flow control Port 10: Link DOWN Ports 11-12: Link up, 1Gb/s, full duplex, RX flow control, TX flow control Port 13: Link DOWN Gateway states: 1 In use, 2 Disabled, 3 Disabled, 4 Disabled
CHEETAH ASF 6600 Accelerator #2 00:15:e8:c8:9e:00 Acclerator is configured and unicast/igmp/pim routes are uptodate IP Address = 172.17.13.4 Effective VRRP state: Master Switch support for L2L3: Yes Actual VRRP state: MASTER SFD state: Firewall up and accelerating Port link states: Port 1: Link DOWN Port 2: Link up, 1Gb/s, full duplex, RX flow control, TX flow control Port 3: Link up, 1Gb/s, full duplex Port 4: Link DOWN Port 5: Link up, 1Gb/s, full duplex, RX flow control, TX flow control Port 6: Link DOWN Ports 7-9: Link up, 1Gb/s, full duplex, RX flow control, TX flow control Port 10: Link DOWN Port 11: Link up, 1Gb/s, full duplex Port 12: Link up, 1Gb/s, full duplex, RX flow control, TX flow control Port 13: Link DOWN Gateway states: 1 In use, 2 Disabled, 3 Disabled, 4 Disabled
Please check for the following in the output: • All your accelerators should be listed (1 in non-HA setup and 2 in HA setup). • The accelerator state should be “configured”. • The “Effective VRRP state” and “Actual VRRP state” should match. • One accelerator should be master and other should be backup in an HA setup.
Decoding “info/net/port” output (Accelerator): The “/info/net/port” command displays the configuration status of the physical port of an accelerator. A sample output of “/info/net/port” follows:
>> Main# info/net/port Port Information Num Name Link Type Interface(s) Vlan(s) Tag GWP Bounce Trunk Filters === ==== ================= ==== ============ ======= === === ====== ===== ======= 1 disabled 2 up 1Gb/s rx+tx FC ENFC 2 auto No No No - - 3 up 1Gb/s ENFC 3 auto No No No - - 4 disabled 5 up 1Gb/s rx+tx FC ENFC 5 auto No No No - - 6 disabled 7 up 1Gb/s rx+tx FC NAAP - - - - - - - 8 up 1Gb/s rx+tx FC NAAP - - - - - - - 9 up 1Gb/s rx+tx FC ENFC 9 auto No No No - - 10 disabled 11 up 1Gb/s ENFC 11 auto No No No - - 12 up 1Gb/s rx+tx FC NAAP - - - - - - - 13 disabled
Please check for the following in the output: • The Physical link status to be configured to auto. • The port which are not used to be configured to disable mode.
Decoding “portstate”root output (Director): The “portstate (root)” command displays the physical port status of a director. A sample output of “portstate” follows:
root@a172-17-13-2 root]# portstate Port 1: link = unknown, autoneg = on Port 2: link = down, autoneg = off Port 3: link = down, autoneg = on Port 4: link = up, autoneg = on, speed = 1000, mode = full
Please check for the following in the output: • The Physical link status to be configured to auto.
MONITORING SOFTWARE MODULES AND PERFORMANCE: Commands to monitor NSF performance are presented in this section. These daemons are essential for proper functioning of NSF. All the commands presented here are to be run at the root prompt and will display information for the current director.
Performance Parameter or Daemon Root Command Comments Director CPU # vmstat 1 This will display SFD CPU usage once in every second. Use CTRL-C to stop running this command. Director CPU and memory usage # top “top” command shows the list of processes with any CPU or memory intensive ones at the top of the list Acceleration status # fwaccel stat This command shows the acceleration status (on or off) from Check Point’s viewpoint. Concurrent connections and connection rate # cat /proc/aim/acp/conns This command displays the connections/second and concurrent connections for the local director. Configuration Daemon (cfgd) # ps –A |grep cfgd Checks whether the configuration daemon (cfgd) is running or not. Health Check Daemon (hcd) # ps –A |grep hc Checks whether health check daemon is running or not. CLI Callback Daemon (clicbd) # ps –A |grep clicbd Checks whether CLI callback daemon is running or not.
MONITORING LOG MESSAGES: The director in NSF generates several log files to record real time logs from different daemons and modules in the SFD. Some important logs from the accelerators are also sent to the directors and are recorded in these log files.
From user point of view, the most important log file to monitor is the syslog (that is, /var/log/messages) file. This file contains information on important system status and error logs from different modules (for example, cfgd, hcd,).
NSF can be configured to send syslog messages to a remote syslog server (/cfg/sys/log/syslog) or to the Check Point Log Viewer using ELA (/cfg/sys/log/ela). You can also view recent syslog messages from the CLI using “/info/syslog” command or from the WebUI.
You may also log in as root and run “grep ERROR /var/log/messages” and “grep CRITICAL /var/log/messages” to scan the syslog for errors. The log messages with “ERROR” is self explanatory and will help in understanding the any unexpected condition that might have been found while checking CLI or root commands.
Starting from ASF 3.5.5 release, the ERROR and CRITICAL messages will have a message identifier (for example, CFGD_064 or CFGD_66). A detailed explanation about the error message and a possible work around (if available) can be found by entering the message ID in “/maint/logdetail” CLI.
TYPICAL SYSLOG MESSAGES: Some of the typical error and critical messages are presented in this Appendix. It is not intended to provide a complete list of all the error and critical messages. The user may see different messages in the syslog file. • CRITICAL: Failed to configure accelerator … • CRITICAL: Unable to operate with accelerator : current configuration is incompatible: … • CRITICAL: This SFD's hardware type is not properly set. Please log in as administrator to correct this. • CRITICAL: Firewall License Settings could not be completely applied. This may be because of invalid license or because you have not restarted the firewall after you changed a license. You can check that your licenses are correctly installed by doing a 'cplic print -x' as root. • CRITICAL: CPU Load [90] moved from Normal (<75) to Major alarm (>=90) on iSD 10.10.1.1 • CRITICAL: Memory usage [90] moved from Normal (<75) to Major alarm (>=90) on iSD 10.10.1.1 • CRITICAL: Acceleration Status changed from ACCELERATING to NOT ACCELERATING at host • ERROR: Accelerator has not been configured with an IP address; unable to upgrade • ERROR: Error while refreshing routes on switch. could not build naap socket for • ERROR: Accelerator is not set to accelerate. Please run 'fw stat' from root prompt, Create trust and push Check Point policy. • ERROR: Accelerator cannot be used, its CLI is jammed. • CRITICAL: Failed to upgrade accelerator • CRITICAL: Port on accelerator is down
Dear Quality Team, Please Use as KB article for below Keyboard shortcuts for our engineers. Use shortcut keys as an alternative to the mouse when working in Windows.
You can open, close, and navigate the Start menu, desktop, menus, dialog boxes, and Web pages using keyboard shortcuts.
Keyboard shortcuts may also make it easier for you to interact with your computer. Click a heading, or press TAB to highlight a heading, and then press ENTER.
Press To CTRL+C Copy. CTRL+X Cut. CTRL+V Paste. CTRL+Z Undo. DELETE Delete. SHIFT+DELETE Delete selected item permanently without placing the item in the Recycle Bin. CTRL while dragging an item Copy selected item. CTRL+SHIFT while dragging an item Create shortcut to selected item. F2 Rename selected item. CTRL+RIGHT ARROW Move the insertion point to the beginning of the next word. CTRL+LEFT ARROW Move the insertion point to the beginning of the previous word. CTRL+DOWN ARROW Move the insertion point to the beginning of the next paragraph. CTRL+UP ARROW Move the insertion point to the beginning of the previous paragraph. CTRL+SHIFT with any of the arrow keys Highlight a block of text. SHIFT with any of the arrow keys Select more than one item in a window or on the desktop, or select text within a document. CTRL+A Select all. F3 Search for a file or folder. ALT+ENTER View properties for the selected item. ALT+F4 Close the active item, or quit the active program. ALT+Enter Displays the properties of the selected object. ALT+SPACEBAR Opens the shortcut menu for the active window. CTRL+F4 Close the active document in programs that allow you to have multiple documents open simultaneously. ALT+TAB Switch between open items. ALT+ESC Cycle through items in the order they were opened. F6 Cycle through screen elements in a window or on the desktop. F4 Display the Address bar list in My Computer or Windows Explorer. SHIFT+F10 Display the shortcut menu for the selected item. ALT+SPACEBAR Display the System menu for the active window. CTRL+ESC Display the Start menu. ALT+Underlined letter in a menu name Display the corresponding menu. Underlined letter in a command name on an open menu Carry out the corresponding command. F10 Activate the menu bar in the active program. RIGHT ARROW Open the next menu to the right, or open a submenu. LEFT ARROW Open the next menu to the left, or close a submenu. F5 Refresh the active window. BACKSPACE View the folder one level up in My Computer or Windows Explorer. ESC Cancel the current task. SHIFT when you insert a CD into the CD-ROM drive Prevent the CD from automatically playing. Dialog box keyboard shortcuts Press To CTRL+TAB Move forward through tabs. CTRL+SHIFT+TAB Move backward through tabs. TAB Move forward through options. SHIFT+TAB Move backward through options. ALT+Underlined letter Carry out the corresponding command or select the corresponding option. ENTER Carry out the command for the active option or button. SPACEBAR Select or clear the check box if the active option is a check box. Arrow keys Select a button if the active option is a group of option buttons. F1 Display Help. F4 Display the items in the active list. BACKSPACE Open a folder one level up if a folder is selected in the Save As or Open dialog box. Natural keyboard shortcuts You can use the following keyboard shortcuts with a Microsoft Natural Keyboard or any other compatible keyboard that includes the Windows logo key ( ) and the Application key ( ).
+ E = A new Windows Explorer window + L = Lock your computer + D = Hide all windows and show the desktop. Press it again to bring everything back. + F = Computer and files search box + M = Minimize all open windows + R = Quick access to the Run program box
+BREAK Display the System Properties dialog box. +D Show the desktop. +M Minimize all windows. +Shift+M Restores minimized windows. +E Open My Computer. +F Search for a file or folder. CTRL+ +F Search for computers. +F1 Display Windows Help. + L Lock your computer if you are connected to a network domain, or switch users if you are not connected to a network domain. +R Open the Run dialog box.
Display the shortcut menu for the selected item. +U Open Utility Manager. Accessibility keyboard shortcuts Press To Right SHIFT for eight seconds Switch FilterKeys on and off. Left ALT +left SHIFT +PRINT SCREEN Switch High Contrast on and off. Left ALT +left SHIFT +NUM LOCK Switch MouseKeys on and off. SHIFT five times Switch StickyKeys on and off. NUM LOCK for five seconds Switch ToggleKeys on and off. +U Open Utility Manager.
General keyboard shortcuts • CTRL+C (Copy) • CTRL+X (Cut) • CTRL+V (Paste) • CTRL+Z (Undo) • DELETE (Delete) • SHIFT+DELETE (Delete the selected item permanently without placing the item in the Recycle Bin) • CTRL while dragging an item (Copy the selected item) • CTRL+SHIFT while dragging an item (Create a shortcut to the selected item) • F2 key (Rename the selected item) • CTRL+RIGHT ARROW (Move the insertion point to the beginning of the next word) • CTRL+LEFT ARROW (Move the insertion point to the beginning of the previous word) • CTRL+DOWN ARROW (Move the insertion point to the beginning of the next paragraph) • CTRL+UP ARROW (Move the insertion point to the beginning of the previous paragraph) • CTRL+SHIFT with any of the arrow keys (Highlight a block of text) • SHIFT with any of the arrow keys (Select more than one item in a window or on the desktop, or select text in a document) • CTRL+A (Select all) • F3 key (Search for a file or a folder) • ALT+ENTER (View the properties for the selected item) • ALT+F4 (Close the active item, or quit the active program) • ALT+ENTER (Display the properties of the selected object) • ALT+SPACEBAR (Open the shortcut menu for the active window) • CTRL+F4 (Close the active document in programs that enable you to have multiple documents open simultaneously) • ALT+TAB (Switch between the open items) • ALT+ESC (Cycle through items in the order that they had been opened) • F6 key (Cycle through the screen elements in a window or on the desktop) • F4 key (Display the Address bar list in My Computer or Windows Explorer) • SHIFT+F10 (Display the shortcut menu for the selected item) • ALT+SPACEBAR (Display the System menu for the active window) • CTRL+ESC (Display the Start menu) • ALT+Underlined letter in a menu name (Display the corresponding menu) • Underlined letter in a command name on an open menu (Perform the corresponding command) • F10 key (Activate the menu bar in the active program) • RIGHT ARROW (Open the next menu to the right, or open a submenu) • LEFT ARROW (Open the next menu to the left, or close a submenu) • F5 key (Update the active window) • BACKSPACE (View the folder one level up in My Computer or Windows Explorer) • ESC (Cancel the current task) • SHIFT when you insert a CD-ROM into the CD-ROM drive (Prevent the CD-ROM from automatically playing) • CTRL+SHIFT+ESC (Open Task Manager) Dialog box keyboard shortcuts If you press SHIFT+F8 in extended selection list boxes, you enable extended selection mode. In this mode, you can use an arrow key to move a cursor without changing the selection. You can press CTRL+SPACEBAR or SHIFT+SPACEBAR to adjust the selection. To cancel extended selection mode, press SHIFT+F8 again. Extended selection mode cancels itself when you move the focus to another control. • CTRL+TAB (Move forward through the tabs) • CTRL+SHIFT+TAB (Move backward through the tabs) • TAB (Move forward through the options) • SHIFT+TAB (Move backward through the options) • ALT+Underlined letter (Perform the corresponding command or select the corresponding option) • ENTER (Perform the command for the active option or button) • SPACEBAR (Select or clear the check box if the active option is a check box) • Arrow keys (Select a button if the active option is a group of option buttons) • F1 key (Display Help) • F4 key (Display the items in the active list) • BACKSPACE (Open a folder one level up if a folder is selected in the Save As or Open dialog box) Microsoft natural keyboard shortcuts • Windows Logo (Display or hide the Start menu) • Windows Logo+BREAK (Display the System Properties dialog box) • Windows Logo+D (Display the desktop) • Windows Logo+M (Minimize all of the windows) • Windows Logo+SHIFT+M (Restore the minimized windows) • Windows Logo+E (Open My Computer) • Windows Logo+F (Search for a file or a folder) • CTRL+Windows Logo+F (Search for computers) • Windows Logo+F1 (Display Windows Help) • Windows Logo+ L (Lock the keyboard) • Windows Logo+R (Open the Run dialog box) • Windows Logo+U (Open Utility Manager) Accessibility keyboard shortcuts • Right SHIFT for eight seconds (Switch FilterKeys either on or off) • Left ALT+left SHIFT+PRINT SCREEN (Switch High Contrast either on or off) • Left ALT+left SHIFT+NUM LOCK (Switch the MouseKeys either on or off) • SHIFT five times (Switch the StickyKeys either on or off) • NUM LOCK for five seconds (Switch the ToggleKeys either on or off) • Windows Logo +U (Open Utility Manager) Windows Explorer keyboard shortcuts • END (Display the bottom of the active window) • HOME (Display the top of the active window) • NUM LOCK+Asterisk sign (*) (Display all of the subfolders that are under the selected folder) • NUM LOCK+Plus sign (+) (Display the contents of the selected folder) • NUM LOCK+Minus sign (-) (Collapse the selected folder) • LEFT ARROW (Collapse the current selection if it is expanded, or select the parent folder) • RIGHT ARROW (Display the current selection if it is collapsed, or select the first subfolder) Shortcut keys for Character Map After you double-click a character on the grid of characters, you can move through the grid by using the keyboard shortcuts: • RIGHT ARROW (Move to the right or to the beginning of the next line) • LEFT ARROW (Move to the left or to the end of the previous line) • UP ARROW (Move up one row) • DOWN ARROW (Move down one row) • PAGE UP (Move up one screen at a time) • PAGE DOWN (Move down one screen at a time) • HOME (Move to the beginning of the line) • END (Move to the end of the line) • CTRL+HOME (Move to the first character) • CTRL+END (Move to the last character) • SPACEBAR (Switch between Enlarged and Normal mode when a character is selected) Microsoft Management Console (MMC) main window keyboard shortcuts • CTRL+O (Open a saved console) • CTRL+N (Open a new console) • CTRL+S (Save the open console) • CTRL+M (Add or remove a console item) • CTRL+W (Open a new window) • F5 key (Update the content of all console windows) • ALT+SPACEBAR (Display the MMC window menu) • ALT+F4 (Close the console) • ALT+A (Display the Action menu) • ALT+V (Display the View menu) • ALT+F (Display the File menu) • ALT+O (Display the Favorites menu) MMC console window keyboard shortcuts • CTRL+P (Print the current page or active pane) • ALT+Minus sign (-) (Display the window menu for the active console window) • SHIFT+F10 (Display the Action shortcut menu for the selected item) • F1 key (Open the Help topic, if any, for the selected item) • F5 key (Update the content of all console windows) • CTRL+F10 (Maximize the active console window) • CTRL+F5 (Restore the active console window) • ALT+ENTER (Display the Properties dialog box, if any, for the selected item) • F2 key (Rename the selected item) • CTRL+F4 (Close the active console window. When a console has only one console window, this shortcut closes the console) Remote desktop connection navigation • CTRL+ALT+END (Open the Microsoft Windows NT Security dialog box) • ALT+PAGE UP (Switch between programs from left to right) • ALT+PAGE DOWN (Switch between programs from right to left) • ALT+INSERT (Cycle through the programs in most recently used order) • ALT+HOME (Display the Start menu) • CTRL+ALT+BREAK (Switch the client computer between a window and a full screen) • ALT+DELETE (Display the Windows menu) • CTRL+ALT+Minus sign (-) (Place a snapshot of the entire client window area on the Terminal server clipboard and provide the same functionality as pressing ALT+PRINT SCREEN on a local computer.) • CTRL+ALT+Plus sign (+) (Place a snapshot of the active window in the client on the Terminal server clipboard and provide the same functionality as pressing PRINT SCREEN on a local computer.) Microsoft Internet Explorer navigation • CTRL+B (Open the Organize Favorites dialog box) • CTRL+E (Open the Search bar) • CTRL+F (Start the Find utility) • CTRL+H (Open the History bar) • CTRL+I (Open the Favorites bar) • CTRL+L (Open the Open dialog box) • CTRL+N (Start another instance of the browser with the same Web address) • CTRL+O (Open the Open dialog box, the same as CTRL+L) • CTRL+P (Open the Print dialog box) • CTRL+R (Update the current Web page) • CTRL+W (Close the current window)
Navigating Between Panes To switch between panes in Help, press the F6 key.
NOTE: Because no highlighting appears to help you understand where you are, it is sometimes difficult to determine which pane you are in. Pressing F6 will switch you between the left and right panes. Navigating in the Left Pane While you are in the left pane, use UP ARROW and DOWN ARROW to scroll through topics. You can also type in a new keyword while you are in the left pane. The F6 key considers both sections of the left pane, the keyword listing box and the text box for typing in keywords, as one unit, so you do not need to press any keys to switch between the two. Navigating in the Right Pane While you are in the right pane, you can use UP ARROW and DOWN ARROW to scroll. Use the TAB key to move from one hyperlink to another.
For more information about using keyboard shortcuts to view Help files, type keyboard shortcuts on the Index tab, and select In Help Viewer from the list. General Help Viewer Keyboard Shortcuts ALT+SPACEBAR: Displays system menu.
SHIFT+F10: Displays the Help Viewer shortcut menu.
ALT+TAB: Switches between Help Viewer and other open windows.
ALT+O: Displays the Options menu.
ALT+O, T: Hides or shows the navigation pane.
CTRL+TAB: Switches to the next tab stop in the navigation pane.
CTRL+SHIFT+TAB: Switches to the previous tab stop in the navigation pane.
UP ARROW: Moves up one topic in the table of contents, index, or search results list.
DOWN ARROW: Moves down one topic in the table of contents, index, or search results list.
PAGE UP: Moves up one page in the table of contents, index, or search results list.
PAGE DOWN: Moves down one page in the table of contents, index, or search results list.
F6: Switches focus between the navigation pane and the topic pane.
ALT+O, R: Refreshes the topic that appears in the topic pane.
UP ARROW or DOWN ARROW: Scrolls through a topic.
CTRL+HOME: Moves to the beginning of a topic.
CTRL+END: Moves to the end of a topic.
CTRL+A: Highlights all text in the topic pane.
ALT+O, P: Prints a topic.
ALT+O, B: Moves back to the previously viewed topic.
ALT+O, F: Moves forward to the next (previously viewed) topic.
ALT+F4: Closes the Help Viewer. Keyboard Shortcuts Specific to the Contents Tab ALT+C: Displays the Contents tab
RIGHT ARROW: Opens a book.
LEFT ARROW: Closes a book.
BACKSPACE: Returns to the previous open book.
UP ARROW or DOWN ARROW: Selects a topic.
ENTER: Displays the selected topic. Keyboard Shortcuts Specific to the Index Tab ALT+N: Displays the Index tab.
UP ARROW or DOWN ARROW: Selects a keyword in the list.
ALT+D or ENTER: Displays the associated topic. Keyboard Shortcuts Specific to the Search Tab ALT+S: Displays the Search tab.
ALT+L: Starts a search.
ALT+D or ENTER: Displays the selected topic. Keyboard Shortcuts Specific to the Favorites Tab ALT+I: Displays the Favorites tab.
# Show cdp neighbors: - Displays the neighboring devices which are connected to the switch.
# Show cdp neighbors *:- Displays the detailed information of the devices which are connected to the switch.
# Show interface status: - Displays the information about the ports on the switch whether they are connected or disabled.
# Show Vlan: - Gives the information about the vlans and also gives the information which port is in which vlan.
# Show mac-address –table address :- Gives the information about the port where the particular system is connected on the switch.
# Show running-config: - Displays the running config of the switch.
# Show running-config :- Displays the running config of the specified interface.
# Show Clock: - Displays the system clock.
# Show bootflash:: - Displays information about bootflash: file system.
# Show ip arp: - Displays the ARP table.
# Show ip arp | include :- Gives information about a specified ip address only (Information like mac-address of the machine assigned with this ip and in which vlan is this machine).
# Show logging: - Shows the contents of the logging buffers i.e. shows the logs of the switch.
# Show tech-support: - Show system information for tech-support.
# Show version: - Displays system hardware and software status.
# Configure-terminal: - By issuing this command we can enter into the configuration mode.
#Show ip interface brief: - This Command will display the brief summary of the IP status and configuration.
(Config)#interface :- By issuing this command we can enter into the interface configuration mode and can configure the specified interface.
(Config-if)#switchport access vlan :- We can use this command to move a specified port into a particular vlan.
(Config-if)#description :- By entering this command we can add the description on the interface.
(Config-if)#switchport mode (Config-if)#spanning-tree portfast: - This will enable an interface to move directly to the forwarding on link up.
(Config-if)#switchport trunk encapsulation :- This command will set the trunk encapsulation when interface is in trunking mode.
(Config-if)#shutdown: - This command will shut the selected interface.
(Config-if)#no shutdown: - This command will un shut the selected interface.
(Config-if)#ip address :- We can assign an ip address to the specified interface/vlan from this command.
(Config-if)#ip helper-address :- This command specifies the destination address for UDP broadcast.
(Config)#banner motd :- This command sets the message we want to display while login into the device.
(Config)#interface vlan :- By issuing this command we can create the vlan.
(Config-if)#standby ip :- By this command we can enable HSRP and set the virtual IP address.
(Config-if)#standby priority :- This command sets the standby priority level.
(Config)#vlan :- To configure the layer 2 vlan corresponding to layer 3 vlan.
(Config)#name :- By this command we can specific the name for layer 2 vlan.
(Config)#ip route :- By this command we can add a static route.
(Config)#hostname :- We can set the host name of the switch.
(Config-if)#speed :- We can set the speed for the port by this command.
(Config-if)#duplex :- From this command we can set the port duplex either to full or half.
(Config)#snmp-server community :- This command enables the SNMP; sets SNMP community string and access privilege.
How to find port of a switch when a mac –address has been given
1. show mac-address-table address 0002.e340.24c4
2. show run int portchannel30(optional if it configured in a portchannel)
3. show cdp neighbor
4. sh cdp neighbor detail
5. show mac-address-table address 0002.e340.24c4
6. show mac-address int fa2/0/19
show running-config : View current configuration (DRAM) show startup-config : View startup configuration (NVRAM) copy running-config startup-config or Write : Save the current configuration from DRAM to NVRAM
copy runing-config tftp : Copy DRAM configuration to a TFTP server (To take backup) (need to give TFTP server IP address)
show logging : Shows all logs that the router has in its memory
show version : View version information & uptime …
# Configure-terminal: - By issuing this command we can enter into the configuration mode. Show process cpu: displays the Cpu utilization of the router
Interface.
(Config)#interface :- By issuing this command we can enter into the interface configuration mode and can configure the specified interface.
(Config-if)#ip address :- We can assign an ip address to the specified interface from this command. (Config-if)#description :- By entering this command we can add the description on the interface. (Config-if)#shutdown: - This command will shut the selected interface. (Config-if)#no shutdown: - This command will un shut the selected interface.
show ip interfaces brief : Overview all interfaces on the router
show interface e0 : View the interface status of interface e0
Routing
(Config)#ip route :- By this command we can add a static route
show ip route : Display IP routing table
Ex: show ip route 1.1.1.1(IP): Display route from IP routing table for 1.1.1.1
traceroute ip : show the all hops(routing) between source 7 destination IP
Multilink
show ppp multilink : displays all the multilinks in the router & participating interfaces
show interface multilink 1(multilink no.): displays the multilink traffic & counters
Extended ping
ping ip source repeat
Ex: ping ip 202.144.8.11 source 192.192.16.5 repeat 100
Access lists
show access-lists : Display access lists, this includes the number of displayed matches
EX:show ip access-lists 100 : Display access list 100 including the number of displayed matches
IP Accouting
router(config-if)# ip accounting output-packets : enables IP Accounting (Layer 3) for output traffic on the interface. show ip accounting [checkpoint] output-packets : displays the active accounting or checkpoint database
router# clear ip accounting : copies the content of the active database to the checkpoint database and clears the active database afterward.
VRRP means Virtual router redudancy protocol. I am telling you in very general language not in too technical. Assume that you have a two firewall in HA mode . 1 - Firewall ip is - 192.168.6.1 (primary)2 - Firewall ip is - 192.168.6.2 (Secondary) Now the firewall which is in standby that will look contineously ARP from the primary one and if the arp will not getting by the secondary firewall in given threashold time secondary firewall will become up and automatically primary will go to in standby mode. The same thing will go on , now when the again arp will getting by primary firewall then automatically secondary will come as primary and primary will come as secondary.
Port No. Name in Service Manager Short description 256 /tcp FW1 Check Point VPN-1 & FireWall-1 Service- Download of rulebase from MM to FWM (4.x)- Fetching rulebase from FWM to MM when starting (4.x)- Get topology information from MM or CMA to FWM (also for NG)- Full synchronisation for HA configuration (also for NG) 257 /tcp FW1_log Check Point VPN-1 & FireWall-1 Logs- Protocol used for delivering logs from FWM to MM- Protocol used for delivering logs from FWM to CMA or CLM 258 /tcp FW1_mgmt Check Point VPN-1 & FireWall-1 Management (Version 4.x, obsolete)- Protocol for communication between GUI and MM 4.x 259 /tcp FW1_clntauthFW1_clntauth_telnet Check Point VPN-1 & FireWall-1 Client Authentication (Telnet)- Protocol for performing Client-Authentication at FWM using telnet 259 /udp RDP Check Point VPN-1 FWZ Key Negotiations - Reliable Datagram Protocol- Protocol used for FWZ VPN (supported up to NG FP1 only)- Protocol used by SR/SCl for checking the availability of the FWM/PS 260 /udp FW1_snmp Check Point VPN-1 & FireWall-1 SNMP Agent- Check Point's SNMP, used additionally to 161/udp (snmp) 261 /tcp FW1_snauth Check Point VPN-1 & FireWall-1 Session Authentication- Protocol for Session Authentication between FWM and SAA 262 /tcp - not predefined - only internally used by Mail Dequerer (process: mdq) 264 /tcp FW1_topo Check Point VPN-1 SecuRemote Topology Requests- Topology Download for SR (build 4100 and higher) and SCl 265 /tcp FW1_key Check Point VPN-1 Public Key Transfer Protocol- Protocol for exchanging CA- and DH-keys between MM's (SKIP, FWZ (4.x))- Public Key download for SR/SCl 900 /tcp FW1_clntauthFW1_clntauth_http Check Point VPN-1 & FireWall-1 Client Authentication (HTTP)- Protocol for performing Client-Authentication at FWM using HTTP 981 /tcp - not predefined - Check Point VPN-1 Edge remote administration from external using HTTPS 2746 /udp VPN1_IPSEC_encapsulation Check Point VPN-1 SecuRemote IPSEC Transport Encapsulation Protocol- Default-Protocol used for UDP encapsulation 4532 / tcp - not predefined - only internally used by Session Authentication (in.asessiond) 5004 /udp MetaIP-UAT Check Point Meta IP UAM Client-Server Communication 8116 /udp - not predefined - Check Point Cluster Control Protocol- Protocol for internal communication between High Availability Cluster Members. Used for e.g. report/query state, probing, load balancing 8989 / tcp - not predefined - only internally used by CMA for Messaging (process: cpd) 9281 /udp SWTP_Gateway VPN-1 Embedded / SofaWare commands- Encrypted Protocol for communication between MM and Check Point Appliance (e.g. VPN-1 Edge) 9282 /udp SWTP_SMS VPN-1 Embedded / SofaWare Management Server (SMS)- Encrypted Protocol for communication between MM and Check Point Appliance (e.g. VPN-1 Edge) 18181 /tcp FW1_cvp Check Point OPSEC Content Vectoring Protocol- Protocol used for communication between FWM and AntiVirus Server 18182 /tcp FW1_ufp Check Point OPSEC URL Filtering Protocol- Protocol used for communication between FWM and Server for Content Control (e.g. Web Content) 18183 /tcp FW1_sam Check Point OPSEC Suspicious Activity Monitor API- Protocol e.g. for Block Intruder between MM (or CMA) and FWM 18184 /tcp FW1_lea Check Point OPSEC Log Export API- Protocol for exporting logs from MM 18185 /tcp FW1_omi Check Point OPSEC Objects Management Interface- Protocol used by applications having access to the ruleset saved at MM 18186 /tcp FW1_omi-sic Check Point OPSEC Objects Management Interface with SIC- Protocol used by applications having access to the ruleset saved at MM 18187 /tcp FW1_ela Check Point OPSEC Event Logging API- Protocol for applications logging to the Firewall log at MM 18190 /tcp CPMI Check Point Management Interface- Protocol for communication between GUI and MM- Protocol for connections from MDG to MDS and CMA 18191 /tcp CPD Check Point Daemon Protocol- Download of rulebase from MM to FWM- Fetching rulebase, from FWM to MM when starting FWM- Download of rulebase from MDS/CMA to FWM- Fetching rulebase, from FWM to CMA when starting FWM 18192 /tcp CPD_amon Check Point Internal Application Monitoring- Protocol for getting System Status, from MM or MDS/CMA to FWM 18193 /tcp FW1_amon Check Point OPSEC Application Monitoring- Protocol for monitoring apps, e.g. from MM to CVP server 18202 /tcp CP_rtm Check Point RTM Log- Protocol used by Real Time Monitor (SmartView Monitor) 18205 /tcp CP_reporting Check Point Reporting client- Protocol used by Reporting client when connecting to Reporting Server (MM) 18207 /tcp FW1_pslogon Check Point Policy Server Logon protocol- Protocol used for download of Desktop Security from PS to SCl (4.x) 18208 /tcp FW1_CPRID Check Point Remote Installation Protocol- Protocol used from MM to FWM when installing Secure Updates. 18209 /tcp - not predefined - Protocol used in SIC for communication between FWM and ICA (status, issue, revoke) 18210 /tcp FW1_ica_pull Check Point Internal CA Pull Certificate Service- Protocol used by SIC for e.g. FWM pulling CA's from MM 18211 /tcp FW1_ica_push Check Point Internal CA Push Certificate Service- Protocol used by SIC for pushing CA's from MM or CMA/MDS to FWM 18212 /udp FW1_load_agent Check Point ConnectControl Load Agent- Default-Port for Load Agent running on load-balanced Servers (e.g. WWW, FTP) 18221 /tcp CP_redundant Check Point Redundant Management Protocol- Protocol used for synchronizing primary and secondary MM- Protocol used for synchronizing CMA between primary and secondary MDS 18231 /tcp FW1_pslogon_NG Check Point NG Policy Server Logon protocol (NG)- Protocol used for download of Desktop Security from PS to SCl 18232 /tcp FW1_sds_logon Check Point SecuRemote Distribution Server Protocol- Protocol for software distribution of Check Point components 18233 /udp FW1_scv_keep_alive Check Point SecureClient Verification KeepAlive Protocol- Protocol for Secure Configuration Verification on SecureClient 18234 /udp tunnel_test Check Point tunnel testing application- Protocol for testing applications through a VPN, used by SR/SCl 18241 /udp E2ECP Check Point End to End Control Protocol- Protocol to check SLA's defined in Virtual Links by SmartView Monitor 18262 /tcp CP_Exnet_PK Check Point Extrnet public key advertisement- Protocol for exchange of public keys when configuring Extranetno more supported since NG AI R55 18263 /tcp CP_Exnet_resolve Check Point Extranet remote objects resolution- Protocol for importing exported objects from partner in Extranetno more supported since NG AI R55 18264 /tcp FW1_ica_services Check Point Internal CA Fetch CRL and User Registration Services- Protocol for Certificate Revocation Lists and registering users when using the Policy Server- needed when e.g. FWM is starting 18265/tcp FW1_ica_mgmt_tools Check Point Internal CA Management Tools- Protocol for managing the ICA, established with NG AI, also used for central administration of certificates on MM.- needs to be started separately with the command cpca_client 19190 /tcp FW1_netso Check Point User Authority simple protocol- Protocol used in UA for connecting from UA Server to Web Plugin when authenticating users here 19191 /tcp FW1_uaa Check Point OPSEC User Authority API- Protocol for connections to the UA Server 19194 /udp CP_SecureAgent-udp SecureAgent Authentication service 19195 /udp CP_SecureAgent-udp SecureAgent Authentication service 60709 / tcp - not predefined - Internally used by SecurePlatform for web based system administration (process: cpwmd). It's bound to localhost, so no remote connect is possible. 65524 /tcp FW1_sds_logon_NG Check Point SecuRemote Distribution Server Protocol- Protocol for software distribution of Check Point components in Next Generation Additionally defined:Internet Protocol 17 (tunnel_test_mapped), tunnel testing for a module performing the tunnel testInternet Protocol 94 (FW1_Encapsulation), Check Point VPN-1 SecuRemote FWZ Encapsulation ProtocolInternet Protocol 112 (Virtual Router Redundancy Protocol), HA for Nokia's IPSO - since NG AI Shortcuts new name since FP3 FWM Firewall Module, Inspection Module, Enforcement Point, also SecuRemote Server
GUI Rulebase Editor, Graphical User Interface, Management Client, Policy Editor SmartDashboard, SmartConsole ICA Internal CA, mostly primary MM
MM Management Module, Management Server SmartCenter / SmartCenter Pro PS Policy Server
SAA Session Authentication Agent
SIC Secure Internal Communication
SR SecuRemote Client
SCl SecureClient
MDG Multi Domain GUI (Provider-1)
MDS Multi Domain Server, Manager or Container (Provider-1)
Q1 What a re the two basics responsibilities of routing? Q2 hat does the term Hop stand for? Q3 What is the default boot sequence of new Cisco router? Q4 Routers update each other about the metrics by communicating with ont another and maintaining their routing tables through the transmission of a variety of messages. (T/F) Q5 what is the meaning of convergence in term of routing? Q6 What are the generic parts of Layer 3 Address? Q7 what is routed and routing protocols? Q8 List the name of Routed and routing protocols? Q9 Give the example of Routed and non routed protocols? Q10 what metric does RIP use to update its routing table? Q11 In which Cisco router modes would an ICMP ping be used for troubleshooting a network? Q12 what is the command to encrypt all passwords stored in a Cisco router? Q13 In cisco routers IP addresses are configured in the ------ mode Q14 What are the design goals for routing algorithms? Q15 some of the routing protocols combile the metrics to get the best path and faster convergence (T/F) Q16 List the name of commonly used routed protocols? Q17 Configuration files of Cisco routers stores in---- Q18 When the router is online the configurations are read from---- Q19 In Cisco routers, Is it possible to protect the user Exec mode by a password (T/F) Q20 What a re the commands to configure a Telnet Password in Cisco Router? Q21 Which one is the most important command to check LAN/WAN connectivity problems in a routers? Q22 Which command would you execute to view the current configuration of a router? Q23 You need to issue the command Show Startup-config from privileged mode. Ho can you tell you are in the privileged mode? Q24 Users on your network 10.1.0.0/16 are complaining that they cannot access the company's internet server using the FQDN "www.company.com". Your are able to ping the IP address of the internet server, but cannot ping "www.company.com". why? Q25 Auxiliary port in Cisco router is used for ---- Q26 You have been assigned the task to secure the router. What will be your first step towards securing the routers passwords? Q27 In a distance vector routing protocol, a failed route is advertised for a time with a metric that implies the network is of "infinite" distance. (T/F)
Q28 In a distance vector routing protocol, a failed route is advertised for a time with a metric that implies the network is of "Zero" distance. (T/F)
Q29 When installing the IGRP routing protocol, what information you needed to configure IGRP? Q30 Where does a router stores routing tables, ARP Cache, and packet buffers?
ACL
Q1 You have just created an IP extended ACL and now wish to apply this to an interface. Which command will allow you to apply the list to an interface? Q2 Write the number ranges for Standard and Extended ACL? Q3 Write an example of Standard and Extend ACL. Q4 Which statement should you uses to deny telnet access only from Network 2.0 to Network 3.0? Q5 A Standard ACL is based upon Source IP Address. (T/F) Q6 A Extended ACL is based upon Destination IP address. (T/F) Q7 What is the wildcard mask for a standard ACL for the Network of IP address 192.168.1.1? Q8 In terms of an ACL , what does "1" signify in a WCM? Q9 In terms of an ACL , what does "0" signify in a WCM? Q10 What commands may be used to view your ACL? Q11 If you issued the command show access-list 10 , what would be displayed? Q12 you have been called in to fix a router that is having security issues. The router has an ACL configured on it but the list does not seem to be working. What command can you use to see if the ACL has been applied to an interface?
What are the two basic responsibilities of Router? Ans: Configuring a Software Router or Implementing the CIDR concept. What dose the term of Hub? What is boot sequence of a new Router to locate the IOS Software? Ans: Post (Power on self test the Hardware) Ã ROM (Loads the bootstrap program & search when IPS is located) Ã Flash (IOS found in flash loading IOS) Ã NVRA< (Flash contact the NVRAM for configuration file) Ã RAM (NVRAM configuration copied into RAM) What are the generic parts of Layer 3 Address? Deference between Routing and Routed Protocols? What does metric RIP using to update its routing table? In which Cisco router modes would on ICMP ping be used for troubleshooting a network? What is the command to encrypt all passwords storing Cisco Router? In Cisco Router IP address are configured the ____________ mode. What are the designed goals for Routing Algorithms? Some of the Routing combine the metrics to get the best path and fasters conversion is (T/F) List the commonly used Routed Protocols? Routed and Routing Protocols? Configure file for the Cisco Router as _______________. When the Router is online the configuration of read from __________________. In Cisco Routers, is it possible to protect the user Exec mode by a password (T/F). What are the commands configure of telnet password in Cisco Router? Which one is most important command to check LAN & WAN connectivity problems in a Router? Which command would execute to view the current configuration of a Router? We need to issue the command show startup configuration for Prevails mode, how can you tell your are in the preevelige mode? Users on you network 10.1.0.0/16 are compiling the they can’t access the computer’s internet server using the FQDN www.company.com your able to ping the IP address of the Internet server, but can’t ping www.company.com . Why? Auxiliary port in Cisco Router using for ________________. You have been assign the task to secure the Router, what will be the first step towards securing the Router password? In a distance vectore Routing protocol, a failed route is advertised for a time with a metric that implies the network is of “infinite” distance. (T/F) In a distance vectore Routing protocol, a failed route is advertised for a time with a metric that implies the network is of “0” distance. (T/F) When installing IGRP routing protocol, what information you need to configure IGRP? Where does a Router stores routing tables, ARP Cache, and packet buffers? Router updates each other about the metrics by communicating with one another and maintaining their routing tables through the transmission of a verity of messages. (T/F) What is the meaning of convergence in term of routing? Give the example of Routed and non-routed protocols? What do you mean by network topology? Give an example? Write down (10) commonly used service and port numbers? Explain and define difference between Hub & Switch, Router & Bridge? Deference between Desktop Operating System and Server Operating System? Define and range of IP address of Class A, B, C, D & E? What do you mean by Sub-net mask? What is the port number of TCP/IP, ICNP? Explain a brief connection less and connection oriented with example? Draw a diagram of cross cable, straight cable and roller cable? What is the data communication Range in Cat V, Cat Ve, Cat VI? Explain various range of Radio or Wireless communication? What is the technology used to communication in wireless LAN & WAN network equipment? What do you mean by DCE & DTE devices give an example? What is the difference between Broadcast, Multicast and Unicast?
ACL
1. You have just created an IP extended ACL and now wish to apply this to an interface. Which command will allow you to apply the list to an interface? Ans: Interface Ethernet 0. 2 Write the number ranges for Standard and Extended ACL? Ans: 1 – 99 for Standard, 100 – 199 for Extended AEL. 3 Write an example of Standard and Extend ACL. Ans: 4 Which statement should you uses to deny telnet access only from Network 2.0 to Network 3.0? Ans: Access-list deny tcp 192.168.2.0 0.0.0.255 192.168.3.1 0.0.0.0 eg 80. 5 A Standard ACL is based upon Source IP Address. (T/F) Ans: True 6 A Extended ACL is based upon Destination IP address. (T/F) Ans: True. 7 What is the Wild Card Mask for a standard ACL for the Network of IP address 192.168.1.1? Ans: 0.0.0.0 8 In terms of an ACL , what does "1" signify in a WCM? Ans: IGNORE 9 In terms of an ACL , what does "0" signify in a WCM? Ans: MUST MATCH 10 What commands may be used to view your ACL? Ans: show ip access-list 11 If you issued the command show access-list 10 , what would be displayed? Ans: 12 you have been called in to fix a router that is having security issues. The router has an ACL configured on it but the list does not seem to be working. What command can you use to see if the ACL has been applied to an interface? Ans:
You have been assigned an RSA SecurID token to use when logging in. To gain access to the protected system, you must enter a valid RSA SecurID passcode, which is made up of two factors: · Your Personal Identification Number (PIN). · The tokencode currently displaying on the front of your RSA SecurID token. The tokencode changes at a specified time interval, typically every 60 seconds. Before You Begin Your administrator will tell you: · Whether you are to receive a system-generated PIN or create your own · The required length of your PIN Completing New PIN Mode The first time you authenticate with an RSA SecurID token, you are in New PIN mode. This is because your token is not yet associated with a PIN, which is required for two-factor authentication. To complete New PIN mode: 1. When you are prompted for your passcode, type the tokencode currently displaying on your RSA SecurID token. 2. Do one of the following: · Receive a system-generated PIN. When prompted, indicate that you want to receive a system-generated PIN. When the system-generated PIN displays, memorize it. Do not write it down. · Create your own PIN. – Indicate that you want to create your own PIN. – When prompted, enter a PIN. – When prompted again, confirm the PIN. 3. Wait for the next tokencode. Depending on the type of token you have, follow the instructions in “Performing RSA SecurID Authentication with a Standard Card or Key Fob” on page 2 or “Performing RSA SecurID Authentication with a PINPad” on page 2. Performing RSA SecurID Authentication with a Standard Card or Key Fob To authenticate with an RSA SecurID Standard Card or Key Fob: 1. When prompted for the passcode, enter your PIN followed by the tokencode currently displaying on your card or key fob. For example, if your PIN is 1234, and the current tokencode is 800261, enter 1234800261. 2. If your administrator has enabled Windows password integration, you are prompted to enter your password the first time you authenticate. The next time you log on, you will only have to enter your RSA SecurID passcode. If Windows password integration is disabled, you will have to enter your password each time that you log on. Note: Once they are accepted, RSA SecurID passcodes and tokencodes cannot be used again. To log on again, you must wait for a new tokencode to appear. The new tokencode appears after the last of the countdown indicators disappears from the left of your token’s LCD. Performing RSA SecurID Authentication with a PINPad To authenticate with an RSA SecurID PINPad: 1. Enter your PIN into the PINPad, and press the diamond (¨) near the bottom of the PINPad. A new passcode appears on the token. 2. When prompted, enter your passcode. 3. As soon as your passcode has been accepted, press the P on your PINPad to clear the PIN from your card’s memory. 4. If your administrator has enabled Windows password integration, you are prompted to enter your password the first time you authenticate. The next time you log on, you will only have to enter your RSA SecurID passcode. If Windows password integration is disabled, you will have to enter your password each time that you log on. The Next Tokencode Prompt Sometimes, even after you type your passcode or tokencode correctly, the system prompts you to enter the next tokencode that appears on your RSA SecurID token to confirm your possession of the token. To authenticate in Next Tokencode mode with a standard card or key fob: Wait until the tokencode changes, and then type the new one. Enter only the tokencode. Do not enter your PIN. If you are not granted access after correctly entering the next tokencode, call your system administrator. To authenticate in Next Tokencode mode with a PINPad: 1. Press the P on the PINPad to clear the PIN from your card’s memory. 2. Wait until the tokencode changes, and then type the new one. Enter only the tokencode. Do not enter your PIN. Authenticating When Offline If your administrator has enabled offline authentication, you will need to perform RSA SecurID authentication when your computer is disconnected from the network. Before you can authenticate offline, however, you must authenticate while connected to the network. After you have authenticated once while connected, you can authenticate while offline, provided offline authentication is supported for your token type as specified by your administrator. Authenticating When Locked Out of Your Computer Several scenarios can prevent you from accessing your computer: · You go for a period of time without logging in, and exceed the number of days of authentication allowed by your administrator · You exceed the number of incorrectly-typed passcodes permitted by your administrator · You forget your PIN · You lose your token If you encounter any of these scenarios, contact your RSA ACE/Server administrator, who can supply the correct type of emergency code for your situation. Security Precautions If an unauthorized person learns your PIN or obtains your RSA SecurID token, this person can assume your identity. Any action this intruder takes is attributed to you in the system security log. For your own protection and for that of the system, always take the following precautions: · Never reveal your PIN to anyone. · If you think someone has learned your PIN or your token is missing, notify the security administrator immediately. · Follow your system’s standard logoff procedures. Failure to log off properly can create a route into the unprotected system.
1 Insert the SecurePlatform NG with Application Intelligence (R55) CD into the drive. 2 Enter the expert mode: # expert 3 Mount the CD using the command: # mount /mnt/cdrom 4 If you are upgrading from SecurePlatform NG FP2, FP3 or FP# Edition 2, update the patch program by installing the CPpatch_command package from the CD: # patch add /mnt/cdrom/SecurePlatform/patch/CPpatch_command_*.tgz 5 Apply the SecurePlatform NG with Application Intelligence (R55) upgrade package: # patch add cd 6 Choose the NG_AI R55 upgrade package from the list. First Time Setup Using the Web Interface After the installation from the CD has been completed, and the computer has been rebooted, a first time setup is required in order to: • Select which products will be installed • Configure the network settings • Perform the Smart Center initial setup, if selected • Apply the license Perform the first time setup proceed as follows: 1 Set your browser to work with the IP address you have specified while setting up your network. (e.g. https://172.16.1.1). Since it is a first time installation, the End User’s License Agreement window will be displayed. If you accept the terms of the license agreement, the Login window is displayed. Alternatively, you can run the sysconfig command from the console to configure SecurePlatform using a text interface. 2 In the Login window, login using user name admin and password admin. Since this is an initial user name and password, the Change password window is displayed. 3 In the Change Password window, proceed as follows: • Set the User name and Password for the administrator. Select Apply when done. • Select Token, this saves a token that can be used in case you forget your password. • Select Login for login.
4 The setup wizard begins, and guides you through the first-time configuration. Select Next to proceed to the next window, or Prev to get back to the previous window. Next, the Welcome window is displayed. 5 Select Next to proceed to the Network Configuration window. 6 Configure the following: • the computer’s network interfaces • the default gateway • the computer’s name • the domain name and up to three DNS servers 7 In the Installation Type window, select the type of the installation. Your choices determine which other windows will be displayed by the wizard. 8 In the Products window, choose the installation type. The products available for your choice depend on what you previously selected in the Installation Type window. 9 In the SIC setup window, enter the SIC activation key. This key will also be used later in the SmartDashboard to communicate with this module.
10 In the Web Clients window, add the IP addresses or resolvable names of the Web client machines.
11 In the SmartCenter Administrator window, you have two options: • Set the SmartCenter Administrator to be the same Administrator as the SecurePlatform's Administrator, or • Set another user as the administrator, in which case, you must set the user and Password for the administrator.
12 In the Smart Clients window, define the machines (by host name or IP address) that will be allowed to administer the SecurePlatform SmartCenter server.
13 In the Date and Time setup window you can enter the current date and time as well as setting the time zone. Select Apply to apply the date and time.
14 The Summary window is the last window in the wizard, and displays all the products you selected to install.
Firewall technology ranges from packet filtering to application-layer proxies, to Stateful inspection; each technique gleaning the benefits from its predecessor.
Stateful inspection works at the network layer and does not require a separate proxy for each application. This technology does not suffer from the same degradation in performance as application-level technology (proxies), which involves the extra overhead of transporting data up to the application layer. And on the contrary of packet filters it has the ability to maintain session state and therefore increase the security level of a network transaction.
Checkpoint Firewall-1
Checkpoint FW-1 has been the firewall market leader since shortly after its introduction in 1994/95. Its well-designed GUI interface was, and still is, the best visual interface to any firewall product. This intuitive interface makes FW-1 easy to work with even for those new to firewalls.
FireWall-1 is based upon Stateful Inspection technology, the de facto standard for firewalls. Invented by Check Point, Stateful Inspection provides the highest level of security. FireWall-1’s scalable, modular architecture enables an organization to define and implement a single, centrally managed Security Policy. The enterprise Security Policy is defined on a central management server trough a GUI and downloaded to multiple enforcement points (Inspection Modules) throughout the network. The FireWall-1 Inspection Module is located in the operating system (NT or UNIX operating systems) kernel at the lowest software level. The Inspection Module analyzes all packets before they reach the gateway operating systems. Packets are not processed by any of the higher protocol layers unless FireWall-1 verifies that they comply with the Inspection Module security policy (it examines communications from any IP protocol or application, including stateless protocols, such as UDP and RPC)
PIX Firewall
Originally designed to be a network address translator, Cisco introduced the Private Internet Exchange (PIX) Firewall series in 1994. The PIX Firewall is a high-performance firewall that uses Stateful packet filtering. The PIX Firewall is essentially a firewall appliance"--it has its own integrated hardware/software solution (Intel hardware / proprietary OS). The PIX Firewall is not UNIX or NT-based, but is based on a secure, real-time embedded system, known as the Adaptive Security Algorithm (ASA), which offers Stateful inspection technology. ASA tracks the source and destination address, TCP sequence numbers, port numbers, and additional TCP flags. All inbound and outbound traffic is controlled by applying the security policy to connection table entries, which house the information. Access is permitted through the PIX Firewall only if a connection has been validated or if it has been explicitly configured.
Comparison
PIX and checkpoint FW-1 are using similar technologies in that both use smart packet filtering technologies (Stateful technology).
There are several key differences: one is that FW1 uses a general-purpose operating system while Cisco's PIX uses an embedded operating system. Another is that the PIX are essentially a "diode": you define a security level for an interface, and anything from a higher (internal=100) to a lower (external=0) is allowed while lower (external) to higher (internal) is blocked (with coding for exception); with FW1 there are no native directions, and everything must be coded. (For this reason, FW1 can be found much more flexible) The license structure on the PIX is per-connection; the license structure on FW1 is per protected host. All other things being equal, maintenance is much easier on the PIX, and performance is higher on the PIX. Cisco has recently released a host-to-LAN encryption solution; FW1 has such a solution for a long time now (SecuRemote for windows boxes). FW1 has extra features such as bandwidth management (floodgate) or content vectoring servers and others (see OPSEC products).
Note that FW1 is developed in a UNIX environment. The UNIX implementation is more efficient, more mature, and more stable. It is wrong to go with NT unless the client swears he can support NT and is afraid of UNIX. Also, comparing FW1 on a switch or on a NOKIA box versus the PIX could be kind of an interesting comparison.
PIX Pros:
1) Minimal configuration if you have few or zero internal devices that needs to be accessed directly from the Internet (i.e. web servers on a protected DMZ) and want to allow everything outbound.
2) Complete hardware/software solution, no additional OS vulnerabilities or boot-time errors to worry about.
3) Cisco support, which is generally very good.
4) Performance, probably the best in the business.
5) No special client side software other than telnet, tftp or serial port terminal software.
6) Lots of detailed documentation.
7) Free upgrades
PIX Cons:
1) Difficult to manage if you have many servers on a protected DMZ (lots and lots of conduit statements) or many firewalls to manage.
2) Routing limitation in complex network architectures (Need to add a router for EACH segment).
3) Command line (IOS style) based. Cisco GUI manager (PIX Firewall Manager) is currently in its early releases and not as functional as FW-1's.
4) No ability to off-load layer 7 services like: virus scanning, URL filtering, etc. You can filter on outgoing traffic, but the process is not dynamic.
5) Requires a separate syslog server for logging.
6) No source port filtering.
8) No clear documentation (Cisco's documentation is often conflicting, fails to explain which version of the PIX OS a certain configuration will or will not work under, and seems to be constantly changing). FW-1 Pros:
1) Very functional GUI interface.
2) Based on Stateful inspection like PIX, but can off-load layer 7 inspection to other servers if required.
3) Lots of features for complex environments like: large protected DMZ, Windows VPN support, firewall synchronization, bi-directional NAT, etc.
4) Can be used to control bi-directional traffic.
5) Complex logging provided on management station.
FW-1 Cons:
1) Must account for OS vulnerabilities as well as FW-1 vulnerabilities.
2) Performance on NT not as good as on UNIX or the PIX.
3) Support is only through re-sellers, very expensive (Contracts start at 50% of the price of the original software per year) and needed for products upgrades.
4) OS boot-time errors possibilities.
NB: PIX can filter java but no ActiveX or JavaScript filtering yet. (Although FW-1 can)
Conclusion
In the simplest terms, FW-1 can be considered much more functional than the PIX, while the PIX have better performance and support. If your particular environment requires a lot of functionality, the best choice is the FW-1 solution, although you might want to consider running it on a UNIX platform rather than a NT platform. If your environment is pretty simple, PIX is a solid solution with very good performance.
Basic IT security check list Developing a Computer Security Incident Response �� Define your organization’s overall incident response structure. �� Develop and implement alert mechanisms that permit quick action. �� Establish a centralized reporting structure. �� Appoint and train incident response personnel. Recognizing Signs of an Intrusion �� Observe your systems for unexpected behavior or anything suspicious. �� Investigate anything you consider to be unusual. �� If your investigation finds something that isn't explained by authorized activity, immediately initiate your intrusion response procedures Monitoring Systems for Intrusion in a Windows Environment �� Look for unusual or unauthorized user accounts or groups. �� Using the computer management tool, check all groups for invalid user membership �� Check log files for connections from unusual locations or for any unusual activity. �� Search for invalid user rights. �� Check to see if unauthorized applications are running. �� Examine the Windows Registry. �� Look for invalid services. �� Monitor system startup folders. NIPC Recommendations for Incident Victims �� Respond quickly. Contact law enforcement officials. �� If unsure of what actions to take, do not stop systems processes or tamper with files. This may destroy traces of an intrusion. �� Follow organizational policies/procedures. (Your organization should have a computer incident response capability/plan.) �� Use the telephone to communicate. Attacker(s) may be capable of monitoring e-mail traffic. �� Contact the incident response team for your organization. Quick technical expertise is crucial in preventing further damage and protecting potential evidence. �� Consider activating Caller Identification on incoming lines. This information may help in leading to the identification of the source/route of intrusion. �� Establish points of contact with general counsel, emergency response staff, and law enforcement officials. Pre-established contacts will help in a quick response effort. �� Make copies of files an intruder may have altered or left behind. If you have the technical expertise to copy files, this action will assist investigators in determining when and how the intrusion may have occurred. �� Identify a primary point of contact to handle potential evidence. �� Establish a chain-of-custody procedure that tracks who has been involved in handling the evidence and where it has been stored. Potential hardware/software evidence that is not properly controlled may lose its value. �� Do not contact the suspected perpetrator. Incident Reporting Assessment Low-level incidents are the least severe and should be resolved within one working day after the event occurs. These include �� Loss of passwords �� Suspected unauthorized sharing of accounts �� Misuse of computer hardware �� Unintentional computer actions �� Unsuccessful scans or probes Mid-level incidents are more serious and should be handled the same day the event occurs (normally within two to four hours of the event). These include �� Property destruction related to a computer incident �� Illegal download of copyrighted music/unauthorized software �� Violation of special access �� Unauthorized use of a system for processing or storing personal data �� An act resulting from unfriendly employee termination �� Illegal building access �� Personal theft (moderate in value) related to a computer incident High-level incidents are the most serious. Because of the gravity of these situations and the likelihood of damage resulting to the organization’s bottom line, these types of incidents should be handled immediately. They include �� Property destruction related to a computer incident �� Child pornography �� Pornography �� Personal theft (higher in value than a mid-level incident) related to a computer incident �� Suspected computer break-in �� Denial of Service (DoS) attacks �� Illegal software download �� Malicious code (for example, viruses, worms, Trojan horses, and malicious scripts) �� Unauthorized use of a system for processing or storing of prohibited data �� Changes to system hardware, firmware (for example, BIOS), or software without the system owner’s authorization �� Any violation of the law Preparing Systems for Data Collection �� Enable logging and auditing on all workstations and servers. �� Make all workstations and servers time-synchronized with a reliable and accurate Internet timeserver, such as www.time.nist.gov. �� Use time-stamping and ensure that the verification of time stamps within your system cannot be modified or distorted. �� Identify network devices by creating a network map to serve as a baseline and graphical representation of the devices on your network for future reference. IT Contingency-Planning Process �� Develop the contingency-planning policy statement. �� Conduct the business impact analysis (BIA). �� Identify preventive controls. �� Develop recovery strategies. �� Develop an IT contingency plan. �� Plan testing, training, and exercises. �� Plan maintenance. NIST Forensic Tool Requirements �� The tool shall not alter the original disk. �� The tool shall be able to access both IDE and SCSI disks. �� The tool shall be able to verify the integrity of a disk image file. �� If there are no errors accessing the source media, then the tool shall create a bit-stream duplicate of the original disk or a disk partition on fixed or removable media. �� If there are I/O errors accessing the source media, then the tool shall create a qualified bit-stream duplicate. (A qualified bit-stream duplicate is defined to be a duplicate except in identified areas of the bit-stream.) The identified areas are replaced by values specified by the tool’s documentation. �� The tool shall log input/output (I/O) errors, including the type of error and location of the error. �� The tool shall be able to access disk drives through one or more of the following interfaces: direct access to the disk controller, Interrupt 13 BIOS interface, Interrupt 13 BIOS extended interface, ASPI SCSI interface, or Linux interface. �� Documentation shall be correct insofar as the mandatory and any implemented optional requirements are concerned. For example, if a user following the tool’s documented procedures produces the expected result, then the documentation is deemed correct. �� The tool shall copy a source to a destination that is larger than or equal to the size of the source, and shall document the contents of the areas on the destination that are not part of the copy. �� The tool shall notify the user if the source is larger than the destination Dealing with Digital Evidence Obtained from a Memory Dump �� All of the standard forensic and procedural principles must be applied. �� Upon seizing memory-related evidence, actions taken should not change that evidence. �� People who access original digital evidence should be trained for that purpose. �� All activity relating to the seizure, access, storage, or transfer of digital evidence must be fully documented, preserved, and available for review. �� Individuals are responsible for all actions taken with respect to digital evidence while such evidence is in their possession. �� Any individual or group that is responsible for seizing, accessing, storing, or transferring digital evidence is responsible for complying with these principles. �� No potential evidence is damaged, destroyed, or compromised in any way by the procedures used to investigate the computer. �� Extracted and possibly relevant evidence is properly handled and protected from later physical or magnetic damage. �� A continuing chain-of-custody is established and maintained. �� Business operations are affected for a limited amount of time, if at all. �� Any client-attorney information that is inadvertently acquired during a forensic exploration is ethically and legally respected and not divulged. Detecting Malicious Code and Intruders �� Analyze any abnormal system processes using the Windows Task Manager or third-party tools like Process Explorer. �� Detect unusual or hidden files by modifying Windows to display certain hidden file types. �� Locate rootkits and backdoors in Unix and Linux by using third-party programs like Intact by Pedestal Software or via manual inspection. �� Scan for backdoors and network sniffers using the netstat –n and ifconfig –a commands. Collecting Log File Data �� The process names and startup times �� The status of the process �� Which user executed the process �� The amount of system resources used by specific processes over time �� System and user processes and services executing at any given time �� The method by which each process is normally started and what authorization and privileges have been assigned to those processes �� Hardware devices used by specific processes �� Files currently opened by specific processes Reviewing Operating System and Network Logs Look for the following: �� Processes consuming excessive resources �� Processes starting or running at unexpected times �� Unusual processes not the result of normal authorized activities �� Processes that prematurely terminate �� Previously inactive user accounts that suddenly begin to spawn processes and consume computer or network resources �� Unexpected or previously disabled processes, which may indicate that a hacker or intruder has installed his own version of a process or service �� A workstation or terminal that starts exhibiting abnormal input/output behavior �� Multiple processes with similar names �� An unusually large number of running processes Retrieving and Analyzing Clues �� Perform keyword searches using third-party tools like Disk Investigator or BinTex. �� Locate and examine the Windows swap file for evidence. Under Windows 95/98/ME, the swap file is called win386.swp, and in Windows NT/2000/XP, it is called pagefile.sys. �� Locate and retrieve e-mail evidence. E-mail messages can be found in a number of different places, such as the sender’s e-mail inbox/outbox, a network server’s mailbox, or backup media. �� Recover evidence from Web browser cache and history. Web caches reveal a lot about which Web sites a user has visited. Most contemporary Web browsers (for example, Internet Explorer and Netscape Navigator) perform Web caching and maintain browsing history. �� Gather evidence from the Windows print spooler (EMF) files. Even if a user never saved a word-processing document, temporary versions of word-processing documents sometimes remain on the hard drive. �� Locate data in hidden or masked file extensions. Be sure to scan for evidence hidden in steganographic images and password-protected compressed files. Basic Procedures for Collecting and Preserving Evidence �� Understand volatility of evidence. Some evidence, such as data in the computer’s RAM, only exists while the computer is powered on. �� Create a real-mode boot disk, because the simple act of turning on the computer can destroy potential evidence. By using a special real-mode boot disk, a forensic investigation can be conducted without booting the computer via the hard drive. �� Use packet sniffers to gather evidence. Computer investigations sometimes warrant the capture of "live" data as it travels in real time across an organization’s computer network. �� Build a forensic toolkit. Essential to any computer investigation, toolkits come in two types; those you assemble yourself and pre-fabricated ones that you download or purchase as a suite from any one of many forensic software vendors. �� Follow a chain-of-custody. The chain-of-custody is a record of evidence handling from the time of seizure to the time evidence is presented in a court of law. �� Ensure the admissibility of evidence collected via authentication. Before a computer record can be used as evidence, it must first be proven to be authentic. Computer Evidence Guidelines �� Admissible. The evidence must conform to certain legal rules before it can be put before a court. �� Authentic. It must be possible to positively tie the evidentiary material to the incident by showing that the evidence relates to the incident in a relevant way. �� Complete. It must tell the whole story and not just one particular perspective. Not only should you collect evidence that can prove the attacker’s actions, but also evidence that could prove his or her innocence. �� Reliable. There must be nothing about how the evidence was collected and subsequently handled that casts doubt about its authenticity and veracity. �� Believable and understandable. The evidence must be readily believable and understandable by a court of law. The Order of Evidence Collection �� Find the evidence. Figure out where the evidence you are seeking is being stored on the system. �� Determine data relevance. Decide what parts of the data you collect are relevant to the case at hand. �� Rank volatility. Items that are most likely to degrade or become unusable should be collected first. �� Eliminate outside interference. As only unaltered data may be entered as evidence, utmost care must be taken to thwart any possible outside contamination. �� Collect the evidence. As you gather evidence, continue to examine the items you’ve already collected, as new pieces you collect may influence what you consider worthy information. �� Document everything. Your method of collecting the evidence you present may be called into question later, so be sure to maintain a record of everything that you’ve done in the collection process. Collecting Volatile Evidence �� Do not power down the system until you have completed all the evidence collection procedures for volatile evidence. �� Don't trust the programs on the system. Intruders have been known to replace system commands. �� Don't run programs that modify the access time of all files on the system. �� When removing outside interference, keep in mind that simply disconnecting from the network may trigger a dead-man switch that can detect when the computer is disconnected from the network and quickly delete evidence. Building an Incident Response/Forensic Toolkit A properly outfitted toolkit enables its owner to efficiently collect evidence for later analysis and should contain the following elements: �� A tool to capture network traffic for analysis (for example, a network sniffer) �� A utility to create disk images or clones at the bit level �� A tool to crack passwords �� A tool that reports open TCP/IP ports and then maps them back to their owning process �� A tool to recover deleted (erased) data �� A data collection tool to capture file slack and unallocated (erased file) data �� A tool to discover hidden files, such as NTFS Alternate Data Streams �� A monitoring tool that displays all Registry activity in real time �� A utility to back up and edit the Windows Registry �� A tool that displays open files, object processes, Registry keys, DLLs, and owners of object processes �� A utility to display all file system activity in real time �� A tool to analyze file properties �� A program used to document the CMOS System Time and Date on a computer seized as evidence �� A text-search utility that can scan DOS and Windows systems and locate targeted keywords and/or strings of text in computer-related investigations and computer security reviews �� A forensic binary data search tool that is used to identify targeted graphics file content and/or foreign language words and phrases stored in the form of computer data �� A utility that displays any network shares including local and remote �� A monitoring tool that displays logons, logoffs, and privilege usage Selecting Incident Response/Forensic Tools �� Command-line tools are best; avoid tools that use a Windows (GUI) interface. �� Create several floppy disks containing your most important data collection tools. �� Use tested tools that you know work. Incident Containment and Eradication of Vulnerabilities �� Contain the incident. The goal is to limit the scope and magnitude of an incident to prevent the incident from causing more damage. �� Determine the risk of continuing operations. If the system contains classified or sensitive information or if critical programs risk becoming corrupted, it is generally advised that the system be shut down or at least temporarily disconnected from the network. �� Sever network and Internet connections. For example, if a serious virus is suspected, such as a fast-spreading worm or dangerous Trojan horse, you should immediately disconnect the infected computer from the network. �� Understand the risks of using network and file shares. Many viruses and worms will use network file shares as a means to propagate across a network. �� Establish a trust model. A trust model is a means for helping to recognize and visualize varying degrees of confidence, intentionally or unintentionally granted to individuals, based upon the risks associated with granting confidence. �� Periodically change passwords. Passwords are one of the first lines of defense that users have to protect their systems. Changing them frequently or after a system compromise is mandatory. �� Promote security awareness by using multimedia documentation strategies that can be easily or periodically distributed to all organizational members. Maintaining Chain-of-Custody Notes �� Use a notebook that does not permit any pages to be removed. �� Keep notes on the evidence found, which will go into your final report in more detail. These would essentially be notes that anyone could pick up and, at a glance, know exactly where you left off in your assessment of the seized computer and media. �� List the names of all personnel involved in the investigation including administrators responsible for the routine maintenance of systems. �� Include the current date and time (as well as appropriate time zone) for everything documented. �� Document broken hardware or any significant problems. �� Document special techniques (for example, sniffers, password crackers, and so on) used above and beyond normal processes. �� List outside sources used (for example, third-party companies or products that helped to provide assistance and information). �� Maintain a record of all applications running on the suspect’s computer. �� Include a list of who had access to the collected evidence including date and time of access, as well as the date and time of any actions taken by those with access. �� Document the details of the initial assessment leading to the formal investigation. �� Specify the circumstances surrounding the suspected incident including who initially reported the suspected incident along with date and time. �� Maintain a complete list of all computer systems included in the investigation along with system specifications. �� Include a printed copy of any organizational policies and logon banners that relate to accessing and using computer systems. �� Keep a comprehensive list of steps used to collect and analyze evidence. Disaster Recovery and Follow-Up �� Develop a Disaster Recovery Plan. Knowing how to react properly in an emergency is critical to making decisions that will minimize resultant damage and quickly restore operations. �� Develop incident recordkeeping procedures. The methods used to create your records are to be documented to ensure the ability to retrieve, read, and use those records in the future. �� Utilize an Uninterruptible Power Supply (UPS). In the event of a power failure, a generator may not supply the uninterrupted power required to maintain your computer system operation or to perform an orderly shutdown of a workstation or server. �� Perform regular backups. When disaster strikes, a backup may be the only hope of retrieving original data. �� After an incident, monitor systems for unusual or suspicious activity. In addition, a post-mortem examination should be conducted so that the organization can learn from the experience and, if necessary, update its procedures. �� Anticipate and plan for future attacks. Properly anticipating and planning for unforeseen disruptions to business operations is important for remaining competitive. The Goals of a Disaster Recovery Plan �� Identify flaws and vulnerabilities and implement a disaster prevention program. �� Minimize disruptions to business operations. �� Facilitate recovery tasks. �� Reduce the complexity of the recovery effort. Developing a Disaster Recovery Plan �� Provide management with an understanding of all the resources needed to develop and maintain an effective disaster recovery plan. In addition, the organization should have the committed support from all group members (for example, management or IT personnel) to help support and participate in the effort. �� Assemble an incident response team that includes representatives from every key division of the organization. �� Define recovery requirements from the perspective of business functions. �� Identify the risks. Every risk must be identified along with what steps would be necessary to thwart it happening in the first place. �� Document the impact of an extended loss to operations and key business functions. It is impossible for a disaster recovery plan to justify each expense included in every business process and application in the recovery process. The organization should therefore inventory and prioritize critical business processes. �� Select recovery teams to oversee the disaster recovery process and ensure that the required proper balance is maintained for disaster recovery plan development. �� Develop a contingency plan that is understandable, easy to use, and easy to maintain by all organization members. �� Define how contingency planning considerations are to be incorporated in your ongoing business planning. System development procedures must also be defined in order for the plans to remain viable. Restoring the System �� Restore the system after compromise. Once a compromise has been eradicated, the next logical step is to restore the system to its fully operational state. �� Validate the system. Once the system has been restored, verify that the operation was successful and the system is back to its normal operating condition. �� Decide when to restore operations. Management may decide to leave the system offline while operating system upgrades and patches are installed. �� Monitor the systems. Once the system is back online, continue to monitor for backdoors that may have eluded detection. Disaster Recovery Plan Training Goals for Employees �� Make employees aware of the need for a disaster recovery/business resumption plan. �� Inform all employees of the existence of the plan and provide procedures to follow in the event of an emergency. �� Train all personnel with responsibilities identified in the plan to perform the disaster recovery and business continuity procedures. �� Provide the opportunity for recovery teams to practice their disaster recovery and business continuity skills. Implementing and Maintaining an Effective Records Security Program �� Ensure that only authorized personnel have access to electronic records. �� Provide for backup and recovery of records to protect against information loss. �� Ensure that appropriate personnel are trained to protect sensitive or classified electronic records. �� Minimize the risk of unauthorized alteration or erasure of electronic records. �� Ensure that electronic records security is included in your organization’s overall information security plans. Authentication Methods for Electronic Records �� A hard copy of a document accompanies the electronic media containing information about the electronic record that can be used for identifying, retrieving, or indexing. �� Attach an authentication label to the media. �� Link a digital signature to the electronic file or document. Procedures to Improve the Legal Admissibility of Electronic Records as Evidence �� Document that similar kinds of records generated and stored electronically are created by the same processes each time and have a standardized retrieval approach. �� Substantiate that security procedures prevent unauthorized addition, modification, or deletion of a record and ensure system protection against such problems as power interruptions. �� Identify the electronic media on which records are stored throughout their life cycle, and the maximum time that records remain on each type of storage medium. �� Coordinate all of the foregoing with appropriate senior management staff and legal counsel. Creating a Backup Plan �� Designate one person as coordinator and record keeper of all backups. �� Put the plan in writing and keep it with the organization's security policies and procedures documentation. �� Include the name of the backup coordinator and/or record keeper in the plan. �� Include the type of data requiring backup in the plan. �� State the frequency of data backups in the plan. �� Cite the location of on-site data storage in the plan. �� Cite the location of offsite data storage in the plan. �� State the method used for backing up data along with a checklist of procedures in the plan. Post-Incident Monitoring and Analysis �� Validate that the attack has subsided. �� Examine files and logs for details of the attack. �� Determine if legal action is warranted or possible. �� Reevaluate or modify overall computer network security. Incident Postmortem Questions �� How did the incident start? �� Which vulnerabilities or flaws were exploited? �� How was access gained? �� How did the organization become aware of the incident? �� How was the incident eventually resolved? �� Were existing incident response procedures adequate or did they require updating? Removing a Hacker from the System �� Kill all active or running processes that the hacker is using and remove any files or programs that he or she may have left on the system. �� Change passwords on any accounts accessed by the hacker/cracker and be sure to keep a log of all actions taken. �� Restore the system to a normal state, and restore any data or files that the hacker/cracker may have modified. �� Install patches or fixes to close any security vulnerabilities that the hacker/cracker may have exploited. Also, install patches for other vulnerabilities of which the hacker may not have taken advantage, and inform the appropriate people. �� All actions taken to restore the system to a normal state should be documented in the logbook for this incident. �� Once the incident has been contained and the hacker removed from the system, the next step is to contact the appropriate authorities. �� After the investigation is complete, a report describing the incident should be written and distributed to all incident response and security personnel. Network Security Audit Elements �� Assessment of current security policies, procedures, and practices �� A vulnerability assessment �� Penetration testing �� Visual inspection of the network’s physical security Computer Security Policy Goals �� Establish policies to protect your organization’s networks and computer systems from abuse and inappropriate use. �� Establish methods that will aid in the identification and prevention of abuse of the organization’s networks and computer systems. �� Provide an effective method for responding to questions and complaints regarding abuses—real or unconfirmed—of the organization’s networks and computer system. �� Establish procedures that will protect your professional reputation while allowing you to meet the organization’s responsibilities (legal and ethical) regarding the computer system’s Internet connection. Security Policy Assessment Elements �� An explanation of the reason for the policy �� The effective date of the policy as well as the date it expires �� A listing of those who: (a) authorized the policy, (b) constructed the policy, (c) approved the policy, (d) will maintain the policy, and (e) will enforce the policy �� A listing of the personnel and staff that will be affected by the policy �� An outline of the actions the organization expects of its users �� The methods that will be used to enforce the policy �� The regulations and laws upon which the policy is based (including the in-house regulations of your organization) �� Which information assets must be protected �� The methods and procedures that personnel are to follow for reporting security violations (whether real or unsubstantiated) The Basic Six-Step Computer Security Audit Process �� Analysis of vulnerabilities. Determine the adequacy of your organization’s security measures, identify security deficiencies, and evaluate the effectiveness of your existing security measures. The analysis should include the risk and likelihood of malicious coders, hackers, and insiders exploiting these flaws. �� Network assessment and infrastructure analysis. Examine hardware devices, intrusion detection systems, routers, and firewalls for vulnerabilities that could leave you open to intrusions. �� Risk assessment. List the safeguards you already have in place for protecting against potential threats by assessing their relative significance in terms of potential loss for all areas of your system. The results from this assessment can be used to determine which areas need the most attention first. �� Access and policy assessment. Examine each user’s availability and access to computer system resources. Be sure to include a review of password policies, backup policies, Internet access policy, network security policy, remote access policy, desktop policy, server platform policy, application security policy, personal Internet-based accounts, and in general, the guidelines for the development and implementation of policy standards throughout your organization. �� Physical security. Examine physical computer assets for protection from vandalism, unauthorized access, and tampering. Include a review of all the organization’s computer hardware and associated equipment, such as workstations, servers, terminals, routers, switches, removable storage media, hard copies of documentation, and support facilities. �� Findings and recommendations report. Include all of the findings resulting from the analysis and assessments performed as well as recommendations for implementing countermeasures to any of the vulnerabilities discovered during the security audit. Analyzing Workstations When conducting your organization’s computer network assessment, be sure to examine individual workstations for the following: �� Has the user enabled a workstation screen lock? �� Has a BIOS password been implemented? �� Is sensitive data stored on a workstation in a secure manner? �� Have all unused or unnecessary networking protocols been removed? �� Are unnecessary services, such as IIS (Microsoft’s Internet Information Server), prevented from running on the workstation? �� Is virus protection installed, updated, and running? �� Are any unnecessary files and folders precluded from being shared on the workstation? �� Has the operating system been updated and patched against known vulnerabilities? �� Is there a procedure to automate the frequent backup of data? Security Policy Audit Checklist Questions �� Have a broad range of employees within the organization—representative of a variety of positions and job levels—been involved in developing the security policy? �� Has the policy been drafted in a manner that can be understood and followed by all staff members? �� Has staff been informed of their security roles and responsibilities in writing? �� Have the needs and expectations of your organization been communicated to your personnel both initially and in an ongoing manner? �� Have your personnel received security training specifically tailored to the needs of their position? �� Are all new employees sufficiently trained regarding their security roles, responsibilities, and expectations? �� Are appropriate opportunities provided for personnel to voice security concerns and ask questions about security policies and procedures? �� Is adequate time provided for reading and reviewing security agreements before employees and outsiders are required to sign and submit them? �� Have your policy developers reviewed the policies (security-related practices) of other organizations in the same line of work or those with whom you will conduct business? Cooperation at this juncture ensures that all the engaged parties will be satisfied with future transactions. �� Has news of your organization's commitment to security been shared with the public? �� Have policy goals and objectives been translated into organizational security rules that are designed to modify staff behavior? �� Has an administrator been specifically appointed to be responsible for your organization’s security? �� Are these security regulations enforced equally at all levels of your organization? �� Have security issues been included as a part of employee performance reviews? �� Are outsiders (for example, repair technicians and outside organizations) required to sign a contract acknowledging that they are aware of their responsibilities and that they will abide by your organization's security rules and regulations? �� Are security policies reviewed—and if need be, revised—at least on an annual basis? Analyzing Network Severs Be sure to also examine network servers for the following: �� Have the servers been located in a secure area that prevents unauthorized access? �� Has a BIOS password been implemented? �� Has all sensitive data been stored on an NTFS partition? �� Have all default accounts been disabled? �� Has the system administrator unbound unnecessary or unused protocols, such as IPX/SPX, NetBIOS, and so on? �� Have unnecessary services—such as SMTP, NTP, and FTP—been removed or disabled? �� Is virus protection software installed and regularly updated? �� Have any shared folders been given unique permissions for any individual users? �� Have service packs and security patches been installed when available? �� Is your network administrator on the organization’s security mailing list (so as to be reminded to apply fixes and upgrades in a timely manner)? �� Are full backups made on a frequent, regular basis? �� Has your network administrator created and securely stored emergency repair disks? �� Has auditing and account logging been turned on? �� Are security event logs reviewed on a regular basis? �� Has the auto-run feature been disabled for CD-ROM use? �� Are audit logs being monitored? �� Has the server’s real-time clock been synchronized to a central timeserver? �� Have password-cracking tools been used to detect weak or easily guessed passwords? �� Has a host-based intrusion detection system (IDS) been employed? �� Have floppy disk drives been disabled? �� Has auditing been enabled for the backup and restoration of data? �� Has anonymous logon been disabled or restricted? �� Have NetBIOS null sessions been disabled? �� Has the administrator account been renamed? �� If appropriate, has the SAM password database been encrypted with 128-bit encryption? (Use syskey.exe for NT4.0.) �� Have procedures and guidelines been established for responding to incidents? Security Policy Mistakes to Avoid �� Installing unnecessary programs and services �� Opening e-mail message attachments from unknown people �� Not keeping current on software patches, especially security-related ones �� Not installing antivirus software and keeping its virus patterns current �� Lack of adequate training to administer the system �� Not deploying encryption or intrusion detection systems �� Inadequate handling of sensitive data �� Sharing passwords or using weak passwords �� Propagating chain mail and virus hoaxes Information Security Precautions �� Protect your computer equipment. Keep it in a secure environment. Be sure to keep food, drink, and cigarette smoke away from it at all times. In addition, know where fire suppression equipment is located, and learn how to use it. �� Protect your area. Keep unauthorized people away from sensitive computer equipment and information and remember to question any strangers in your area. �� Protect your password. Never write it down or give it to anyone. In addition, do not use names, numbers, or dates that can be personally identified with you. Remember not only to change it often, but also to change it immediately if you think it has been compromised. �� Protect your files. Don’t allow unauthorized access to your files and data, and remember to never leave your equipment unattended with your password activated; always sign off! �� Protect against malicious code. Don’t use unauthorized software, and back up your critical files before implementing any new software. �� Lock up storage media that contains sensitive data. If the data or information is sensitive or critical to your organization, always be sure to lock it up in a secure location. �� Back up your data. Keep duplicates of your sensitive data in a safe place, out of your immediate area, and remember to back up data as often as necessary. �� Report security violations. Tell your system administrator or network security manager if you see any unauthorized changes to your data. Immediately report any loss of data or programs, whether automated or hard copy.
JBOSS Installing JBoss METHOD I ) USING COMMAND LINE:: Installing JBoss is simple. 1. Obtain a JDK version 1.3.1 or later for your platform (>1.4.2 recommended, and 1.5.0_x for latter jboss versions, see JBoss vs JDK) and install it. 1. It is important to make sure it is the JDK and not the JRE as the compiler is required for JSPs and other functions. 2. JBoss 3.2.6 appears to require JDK 1.4.2 or better. Main.boot():98 calls java.net.URLDecoder.decode(String s, String enc), which is present in 1.4.2 but not in 1.3.1 . This was corrected for the 3.2.7 release which compiles and runs under jdk 1.3 2. Obtain the latest production or development release 3. Unzip the sources into a directory that does not contain spaces anywhere in the path. (Meaning do not put it in C:\Program Files\bla) 4. Examine the JBossDirectoryStructure. Running 1. make sure JAVA_HOME is set 1. on Linux: export JAVA_HOME=/path/to/j2sdk-1.4.2_0x 2. on Windows (NT based): right click on My Computer, click on Advanced, click on set Environment Variables. Set JAVA_HOME. Example: JAVA_HOME = C:\progra~1\j2sdk1.4.2_03 remember no spaces. 2. change directory to the location that you installed JBoss 3. change directory to the bin directory 4. execute either the run.sh or run.bat 5. congratulations, you are running the default configuration! Configurations JBoss comes with 3 different configurations which you specify by passing a -c variable: default - run with no parameters or with "-c default" basic J2EE/EJB support with integrated Tomcat minimal - run with "-c minimal" minimal jmx kernel support (with a JNDI server - CAUTION: EJBs will not deploy in this config !) all - run with "-c all" includes everyting from default plus JBoss.NET for web services, and larger scale services such as clustering and IIOP. The configurations are under server/xxx and have their own tree with conf, deploy, and lib. To deploy your applications you need to take note of which configuration you are running and put them in the appropriate deploy directory. Shutting Down To shut down JBoss, run bin/shutdown(.sh/.bat) or press ctrl-c in the running terminal window. Alternatively, there are methods to shut down JBoss in the JMXConsole. Notes on Running JBoss with JDK 1.3.x JBoss distributions downloadable from the website may be compiled using newer JDK 1.4.x versions. This has caused problems trying to run the binaries at least with some older JDK 1.3.x versions. Most often these problems manifest themselves at JVM level AbstractMethodErrors or similar. To workaround these possible bytecode incompatibilities you will have to rebuild the server from a source checkout using JDK 1.3.x. JBoss 3.2.x series is compatible with JDK 1.3.x and can be compiled with its Java compiler (JBoss 4.x will require JDK 1.4). If you find that you get errors (not warnings!) from the compiler trying to create the 3.x server binaries using JDK 1.3.x, please report it as a bug. Notes on default ports for JBoss 4.0.3 (applies to others) The default port used for the naming service (1098) is often used by Yahoo Instant messenger. This problem shows up as a JVM Bind error early on in startup, and the server will not operate properly. The easiest solution is to stop all your instant messengers, start JBoss AS, and then start up your instant messenger clients (they will happily work out another port to use). If you suffer for other port collisions, especially on Windows, you can use any of the free tools to tell you what application is using that port (Active Ports worked fine for me). Installing jboss 3.2.3 as a windows service See: RunJBossAsAServiceOnWindows note: Invoking startdatabasemanager via jmx-console doesn't work in this configuration (for Hypersonic) It doesn't work either in the configuration of RunJBossAsAServiceOnWindows which is almost the same. It runs with run.bat with the same system, config etc. though. Make sure the database manager MBean is uncommented in your deploy/hsqldb-ds.xml, it is disabled in the current distribution versions of JBoss
METHOD II ) USING GUI Chapter 1. Installing and running JBoss JBoss, a free J2EE 1.4 certified application server, is the most widely used open source application server on the market. The highly flexible and easy-to-use server architecture has made JBoss the ideal choice for users just starting out with J2EE, as well as senior architects looking for a customizable middleware platform. The server binary and source code distributions are available from the SourceForge repository. (http://sourceforge.net/projects/jboss). The ready availability of the source code allows you to debug the server, learn its inner workings and create customized versions for your personal or business use. This chapter will show you how to download and install JBoss 4.0. You will learn about the directory structure and understand what the key services and configuration files are. Before installing and running the server, you need to check your system to make sure you have a working Java 1.4 or 1.5 installation. Java 1.5 is required to use the new simplified EJB3 technologies. The simplest way to check on your Java environment is to execute the java -version command to ensure that the java executable is in your path and that you are using an appropriate version:[tmp]$ java -versionJava(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_02-56)Java HotSpot(TM) Client VM (build 1.5.0_02-36, mixed mode, sharing) 1.1. Installing JBoss The most recent release of JBoss is available from the JBoss downloads page, http://www.jboss.org/products/jbossas/downloads. After you have downloaded the version you want to install, use the JDK jar tool (or any other ZIP extraction tool) to extract the jboss-4.0.4.zip archive contents into a location of your choice. It does not matter where on your system you install JBoss. Note, however, that installing JBoss into a directory that has a name that contains spaces causes problems in some situations with Sun-based VMs. This is caused by bugs with file URLs not correctly escaping the spaces in the resulting URL. The jboss-4.0.4.tgz archive is a gzipped tar file that requires a gnutar-compatible tar program that can handle the long pathnames in the archive. The default tar binaries on Solaris and OS X do not currently support the long pathnames. JBoss also provides a GUI installer that can simplify the installation process. In addition to the basic installation, the installer allows you to select the which services are installed secure the JBoss management applications. Using a custom JBoss install created by the installer can greatly simplify the installation and configuration of JBoss. The installer can be run directly from a web browser using Java Web Start or can be downloaded as an executable JAR file named jboss-4.0.4-installer.jar. On many operating system, you can run executable JARs by double-clicking them. If your system doesn't support that, you can run the installer directly from the command line: [tmp]$ java -jar jboss-4.0.4-installer.jar When you launch the installer, you will be able to select the starting server configuration set, as shown in Figure 1.1, “The JBoss AS installer configuration set selection screen”. Figure 1.1. The JBoss AS installer configuration set selection screen The starting configuration determine which sets of packages are available for installation. The following table describes each of the configuration sets. Table 1.1. The JBoss AS installer configuration sets Name Description Notes default A base J2EE 1.4 server profile.
all A full J2EE 1.4 server profile with enterprise extensions such as clustering and IIOP.
minimal A minimal JMX microkernel This is not a J2EE 1.4 compatible configuration. ejb3 An EJB3 profile supporting the full EJB3 specification with Tomcat This requires a Java 5 runtime and is not a J2EE 1.4 compatible configuration. ejb3-clustered An EJB3 profile supporting the full EJB3 specification with Tomcat and clustering. This requires a Java 5 runtime and is not a J2EE 1.4 compatible configuration. jms A JMS 1.1 server profile This is not a J2EE 1.4 compatible configuration. tomcat A Servlet 2.4 container profile This is not a J2EE 1.4 compatible configuration. After selecting the configuration set, you have the option to further customize the services installed, eliminating unneeded options. When choosing configuration sets, be aware that you can not add packages not in the configuration set. If you you wanted a simple web container (the tomcat configuration) that also had JMS support (the jms configuration), it would be necessary to go to a larger configuration, such as the default configuration, and remove the unwanted packages. Figure 1.2, “The JBoss installer package selection screen” shows the package selection screen. Figure 1.2. The JBoss installer package selection screen The following screen (Figure 1.3, “The JBoss installer configuration name screen”) allows for the customization of the server configuration name. Unless you need to create multiple configurations, you should use a configuration name of default. Use of any other configuration requires you to start JBoss with the -c option to specify the configuration JBoss should use. Figure 1.3. The JBoss installer configuration name screen The installer will then guide you through a few install customization screens. The first screen allows you to enable applications isolation, completely separating the classloading space of all applications. Application isolation can be helpful in some instances, but it comes with the cost of requiring slow pass-by-value semantics for passing data between applications. In most cases, it is preferable to use loader repositories to control the sharing of classes on an application-by-application basis rather than enabling isolation for the entire server. When installed from the tar/zip archive, all JBoss services are left in a developer-friendly state requiring no authentication to access most JBoss services, including administrative services. The installer gives you a chance to secure those services on the security screen, shown in Figure 1.4, “The JBoss installer security configuration screen”. It is recommended that you click to enable security for all services and change the password from the default admin/admin values. Figure 1.4. The JBoss installer security configuration screen When you install from the installer, you get a smaller install image that is more tuned for your environment. However, the directory structure will be slightly different than when using the tar/zip archive. The examples in the book need to make use of many different configurations and will assume the complete install. Although use of the installer is recommended for normal JBoss use, you'll need to download the complete image to work through all the examples. 1.2. Directory Structure Installing the JBoss distribution creates a jboss-4.0.4 directory that contains server start scripts, JARs, server configuration sets and working directories. You need to know your way around the distribution layout to locate JARs for compiling code, updating configurations, deploying your code, etc. Figure 1.5, “The JBoss AS directroy structure” illustrates the installation directory of the JBoss server. Figure 1.5. The JBoss AS directroy structure Throughout this book we refer to the top-level jboss-4.0.4 directory as the JBOSS_DIST directory. In Figure 1.5, “The JBoss AS directroy structure”, the default server configuration file set is shown expanded. It contains a number of subdirectories: conf, data, deploy, lib, log, and tmp. In a clean installation, only the conf, deploy, and lib directories will exist. Several of the locations may be overridden. For these locations, the org.jboss.system.server.ServerConfig interface constant and its corresponding system property string are shown. The names ending in URL correspond to locations that can be specified using a URL to access remote locations, for example, HTTP URLs against a web server. Table 1.2, “The JBoss top-level directory structure” shows the the top-level directories and their function. Table 1.2. The JBoss top-level directory structure Directory Description bin All the entry point JARs and start scripts included with the JBoss distribution are located in the bin directory. client The JARs that are required for clients that run outside of JBoss are located in the client directory. server The JBoss server configuration sets are located under the server directory. The default server configuration set is the server/default set. JBoss ships with minimal, default and all configuration sets. The subdirectories and key configuration files contained default configuration set are discussed in more detail in Section 1.3, “The Default Server Configuration File Set” lib The lib directory contains startup JARs used by JBoss. Do not place your own libraries in this directory. Table 1.3, “The JBoss server configuration directory structure” shows the the directories inside of the server configuration directory and their function. Table 1.3. The JBoss server configuration directory structure Directory Description conf The conf directory contains the jboss-service.xml bootstrap descriptor file for a given server configuration. This defines the core services that are fixed for the lifetime of the server. data The data directory is available for use by services that want to store content in the file system. deploy The deploy directory is the default location the hot deployment service looks to for dynamic deployment content. This may be overridden through the URLDeploymentScanner URLs attribute. lib The lib directory is the default location for static Java libraries that should not be hot deployed. All JARs in this directory are loaded into the shared classpath at startup. log The log directory is the directory log files are written to. This may be overridden through the conf/log4j.xml configuration file. tmp The tmp directory is used by JBoss to store temporarily files such as unpacked deployments. The contents of the conf and deploy directories will be shown in the following section.
DEPLOYMENT:: JBoss is a popular J2EE application server. Several recent surveys put its market share at above 30 percent and single it out as the only application server whose market share is on the rise. JBoss is standards-compliant and a free download, making it an attractive choice whether you are running a production-quality site or looking for a learning tool. The title of this article series, "JBoss At Work: A Practical Guide," is inspired by the authors' experience as back-to-back presidents of the Denver Java Users Group. In our time running the group, the most common refrain we heard was, "I don't want to be an expert in it--I just want to make it work." It didn't matter what technology or API we were talking about at the time; the comment was always the same. This sentiment reflects the busy schedules and tight deadlines that most working professionals face. Digging through a 1,000-page book on each new technology that comes down the pike is, quite simply, a luxury that few of us can afford. Our goal is to get you up and running in JBoss as quickly as possible. In this, the first of three articles, we show you how to download and install JBoss. We explore the directory structure and show you how to add and remove services. Finally, we show you how to deploy an application to JBoss. The second article in the series introduces the different parts of a J2EE application. We show you how JSPs and servlets fit into the application. We show you how they interact with EJBs. We show you how to use XDoclet and Ant to generate key configuration files and create an EAR (Enterprise ARchive) suitable for deployment. The third article focuses on web services. We take the application from the second article and wrap the existing functionality in web services. XDoclet once again comes into play, making it almost trivial to expose your application's functions as web services. We create SOAP (Simple Object Access Protocol) clients to consume the web services from both a servlet and the command line. But before we can get to any of those advanced topics, we need to start at the very beginning. What is an Application Server? As you well know, compiled Java code cannot run on its own--it must be run inside of a JVM. J2EE classes require an additional step: they must be run inside of a J2EE container (which in turn runs inside of a JVM). The container provides an infrastructure and a framework in which your code runs. It handles the mundane low-level "plumbing" aspects of the application, freeing you to focus on the higher-level business development. An application server is nothing more than a loosely coupled collection of containers (or "services") that correspond to the various parts of the J2EE API. The beauty of the J2EE is that it is a specification, not an implementation. In other words, Sun provides the technical guidelines for how each service should behave, but leaves it open for anyone to write a server that can host a J2EE application. This gives you, the developer, a wide variety of choices when it comes to selecting an application server. While the details of how to deploy a J2EE application may vary from server to server, you can rest assured that your compiled code will behave the same way regardless of the application server it is running in. JBoss is an open source J2EE application server. It is J2EE 1.4 spec-compliant, which means that it offers the same level of functionality as its more expensive commercial counterparts. What this means to you is that the lessons learned here will be largely useful, regardless of the application server you are currently using. The most important thing to keep in mind is that cost does not equal value or reliability. The open source Apache web server runs more than two-thirds of all web sites today. JBoss isn't quite at that level of pervasiveness, but it shouldn't be ignored when considering enterprise-quality application servers just because it is free. Installing JBoss The latest JBoss release, 4.0.1, requires Java 1.4 or higher. Be sure that you have the 1.4 SDK (Software Development Kit) installed and not just the JRE (Java Runtime Environment). JBoss uses the compiler in the SDK to compile your JSP pages on the fly, among other things. To verify the version of Java you have installed, type java -version at a command prompt. Make sure that you have the SDK installed by typing javac at a command prompt. If necessary, go to Sun's web site for the latest JDK and installation instructions. Once your Java environment is in place, you can go to the JBoss web site to download the application server. As you can see, there are a number of projects hosted at this site. Our focus is on the first one in the list, JBoss AS. Since JBoss is written in Java, it can be run on any platform that has a working JVM. The download page has a long list of files archived in a variety of formats (.zip, .tar.gz, .bz2). The only difference between them is the utility used to bundle them up--there isn't a platform-specific JBoss distribution. Whichever one you download will work on Windows, Linux, Mac OS X, or any of the various flavors of Unix. The current release is about 65MB, so make sure that you have a fast Internet connection or a lot of time on your hands. Don't download the source ("src") or the release candidate ("RC") bundles--look for the ones named jboss-4.0.1.*. Download one of them and unzip it to the directory of your choice. (For best results, avoid directory names with spaces in them like Program Files.) Create an environment variable called JBOSS_HOME that points to the directory. There are no installation scripts to run. At this point, you are ready to fire up JBoss and take a look around. Running JBoss To start JBoss, change to the JBOSS_HOME/bin/ directory and type run (run.bat on Windows, run.sh on Linux/Mac OS X/Unix). You should see a long stream of output similar to the abbreviated version shown in Figure 1. Figure 1. JBoss initialization output Not surprisingly, the output shows the step-by-step process JBoss goes through when starting up. The first thing JBoss does is look for key environment variables such as JBOSS_HOME. It then begins booting the microkernel, the core JBoss process. Once the core is in place, it begins loading the individual J2EE services. After the services are loaded, JBoss deploys all WAR (Web ARchive) and EAR files it finds in the deploy/ directory. (More on this in just a moment.) JBoss is fully up and running when it reports Started in XXs:YYms. Any service that can't be started will throw an exception during this process. One of the most common problems is trying to use default port assignments that conflict with applications already running on the system. For example, Tomcat comes bundled with JBoss. If you already have a running instance of Tomcat using the default ports (8005 and 8080), you will see a stream of errors in the console output from the embedded Tomcat instance, and it will fail to start. You'll learn how to change those ports after we get to know the directory structure. Exploring the Directory Structure There are a number of subdirectories under JBOSS_HOME (see Figure 2), but the two most important to the typical J2EE developer are the bin/ and server/ directories. The bin/ directory contains the startup and shutdown scripts for JBoss, and server/ contains the directories where we will eventually deploy our applications. The others are of secondary importance to us. Figure 2. The JBoss directory structure The client/ directory contains JARs used by remote clients. (We discuss remote clients in the third article of this series.) The docs/ directory contains various license and example files. The lib/ directory contains the core JBoss JARs. You've already had a chance to look around the bin/ directory. The rest of this article focuses on the contents of the server/ directory. Server Configurations We said earlier that an application server is a collection of J2EE services. JBoss makes it easy to mix and match these services by grouping them in a directory structure called a Server Configuration. If you look in the JBOSS_HOME/server/ directory, you should see three named Server Configurations: all, default, and minimal. If you don't specify a configuration on boot, JBoss uses the default configuration. The default configuration is the one that fulfills the J2EE 1.4 spec, so it is a reasonable place for most developers to start. The minimal configuration is bare dirt--nothing but a JNDI and a Log4j service. All is at the opposite end of the spectrum--everything in the minimal and default configurations, plus advanced services like clustering. Let's shut down JBoss and start it with a different configuration. Press Ctrl-C in the JBoss console window to shut it down. Now type run -c minimal. You should see far fewer services launch and a dramatically shorter startup time. It is easy to create your own Server Configuration. Simply copy one of the existing directory trees and give it a new name. For example, copy the default/ directory to a new one named myapp/. Now start JBoss using the new configuration--press Ctrl-C to stop the currently running configuration, and then type run -c myapp. Configuring JBoss Services A server configuration has three main subdirectories: conf/, deploy/, and lib/. The conf/ directory, as you might guess, contains configuration files. The main config file is jboss-service.xml. This is one place (but not the only place) where settings like port numbers can be found. The lib/ directory contains the JAR files that make up the JBoss services. The deploy/ directory contains the J2EE services, as well as any WAR and EAR files that should be deployed. Services can be added and removed from a running JBoss instance through the magic of JMX (Java Management eXtensions). JMX is a framework that allows you to interact with live, running code. You can start and stop services, gather metrics, and even change parameters on the fly. Services that implement the JMX interface are called "managed beans," or MBeans. Each of the J2EE services that run inside of JBoss is an MBean. (For more details on JMX, see this tutorial.) To see JMX in action, open a new terminal window next to the JBoss console, change to JBOSS_HOME/server/myapp/deploy, and create an undeploy/ directory. (It can be named anything you'd like, but undeploy/ is a common choice.) Move hsqldb-ds.xml to the undeploy/ directory and watch the JBoss console. You should see the Hypersonic database service shut down and all of the related services reconfigure themselves. Now move the file back from the undeploy/ directory to the deploy/ directory. Once again, JBoss recognizes the change in configuration and adjusts itself accordingly. The XML file defining the MBean is another good place to look for port numbers. For instance, if you look at hsqldb-ds.xml, line 16 shows the port number that Hypersonic is configured to use. Complex MBeans that require more than a simple XML file and a JAR in the lib/ directory can be deployed as a SAR (Service ARchive). Tomcat is a good example of this. Change to the jbossweb-tomcat50.sar/ directory, and you'll find the traditional server.xml file used to configure Tomcat, along with all of its dependent libraries. (Tomcat ports can be changed here.) Deploying Applications to JBoss Your applications are deployed to the same directory as the MBeans. JBoss treats them as equals. J2EE applications are generally bundled up as EARs or WARs. While each of these is technically nothing more than a simple JAR file, they have special internal directory structures and configuration files that must be present for the sake of the application server. (We discuss EARs and WARs in the next article in this series.) Download test.war from here and copy it to the deploy/ directory. In the JBoss console window, you should see the test application being deployed. Open a web browser and go to http://localhost:8080/test (see Figure 3). Figure 3. A custom application deployed to JBoss If you move test.war to the undeploy/ directory, JBoss will dynamically unload it, just as it did Hypersonic earlier. You don't have to do anything special to your application to gain this level of functionality--JBoss does it for you automagically. Summary This was a whirlwind introduction to J2EE and JBoss. We downloaded and installed JBoss. We described the JBoss directory structure and how to start and stop the server. Finally, we deployed and undeployed both JBoss services and custom applications. Next time, we'll introduce you to the basic pieces of a J2EE application and show you how to stick it in your EAR. (EAR file, that is.) Until then, have a great time using JBoss at work or on your open source project. Tom Marrs is the principal and senior software architect at Vertical Slice, a consulting firm that designs and implements mission-critical business applications using the latest J2EE and open source technologies, along with providing architecture evaluation and developer training and mentoring services.
Before Upgrading the Image of the Contivity VPN router Backup of current configuration and internal LDAP server has to be taken.
Acquire the image vxworks-3-for5_05.244(fix) in the optimized format (.tar extension).
Connect your laptop or PC to Contivity via a cross cable to contivity’s private LAN interface.
Make sure that your Laptop’s or PC’s IP address is in the same range as that of Contivity’s Management IP address.
Then open the Internet Explorer (Version 6) and using the Mgmt. IP of the Contivity open the web based mgmt. of Contivity.
Start the FTP server in your Laptop or PC and configure a user and its password.
Give the path of the image file in the FTP server to the folder in which you have stored the optimized (.tar file) image file.
Please note that the Optimized image file with .tar extension has one more extension .gz, which is hidden.
Now in web based mgmt. of Contivity go to Admin à upgrades.
In this screen you need to enter the following info:
Host IP à IP address of your Laptop or PC running FTP server. Path à Just give the image file name with. Tar.gz extension. Version à name of the image but without the. Tar.gz extension. User name and password of the FTP
Make sure that in the Internet Explorer POP Up’s are allowed
After entering all the info. Correctly and after making sure that the FTP server is running, click on the Retrieve button on that page.
A small window will open showing the status of the image copied to the Contivity.
When in this window there is a display that the transfer completed successfully, you can close this small window.
Now that you have dumped the image to the Contivity hard disk, you need to apply this image.
In the same path (Admin à Upgrades) there will be a drop down box where you can see the new image that you just transferred to the Contivity.
Select that new image version and click Apply.
Wait for some time, the new image will be applied and the Contivity will reboot automatically.
After the Contivity is booted again access the Contivity via web based and goes to Status à System and verify the new image version.
Roll Back Procedure:
If there are any discrepancies in the work condition of the upgraded Contivity VPN router, the following procedure will help in reverting back to the old version.
1.In the GUI screen, go to Admin->Upgrades , In the Apply New version window select the older version 5_05.220 and click on Apply. Contivity will reboot with new image version.
1. Acquire the image v5_05.241 (128 bit) in the optimized format (.tar extension).
2. Connect your laptop or PC to Contivity via a cross cable to contivity’s private LAN interface.
3. Make sure that your Laptop’s or PC’s IP address is in the same range as that of Contivity’s Management IP address.
4. Then open the Internet Explorer (Version 6) and using the Mgmt. IP of the Contivity open the web based mgmt. of Contivity.
5. Start the FTP server in your Laptop or PC and configure a user and its password.
6. Give the path of the image file in the FTP server to the folder in which you have stored the optimized (.tar file) image file.
7. Please note that the Optimized image file with .tar extension has one more extension .gz which is hidden.
8. Now in web based mgmt. of Contivity go to Admin à upgrades.
9. In this screen you need to enter the following info:
Host IP à IP address of your Laptop or PC running FTP server. Path à Just give the image file name with .tar.gz extension. Version à name of the image but without the .tar.gz extension. User name and password of the FTP server.
Make sure that in the Internet Explorer POP Up’s are allowed
10. After entering all the info. correctly and after making sure that the FTP server is running, click on the Retrieve button on that page.
11. A small window will open showing the status of the image copied to the Contivity.
12. When in this window there is a display that the transfer completed successfully, you can close this small window.
13. Now that you have dumped the image to the Contivity hard disk, you need to apply this image.
14. In the same path (Admin à Upgrades) there will be a drop down box where you can see the new image that you just transferred to the Contivity.
15. Select that new image version and click Apply.
16. Wait for some time, the new image will be applied and the Contivity will reboot automatically.
17. After the Contivity is booted again access the Contivity via web based and go to Status à System and verify the new image version.
These commands are used on all Cisco devices running the Cisco IOS. ROUTER COMMANDS TERMINAL CONTROLS: · Config# terminal editing - allows for enhanced editing commands · Config# terminal monitor - shows output on telnet session · Config# terminal ip netmask-format hexadecimalbit-countdecimal - changes the format of subnet masks HOST NAME: · Config# hostname ROUTER_NAME BANNER: · Config# banner motd # TYPE MESSAGE HERE # - # can be substituted for any character, must start and finish the message DESCRIPTIONS: · Config# description THIS IS THE SOUTH ROUTER - can be entered at the Config-if level CLOCK: · Config# clock timezone Central -6# clock set hh:mm:ss dd month yyyy - Example: clock set 14:35:00 25 August 2003 CHANGING THE REGISTER: · Config# config-register 0x2100 - ROM Monitor Mode · Config# config-register 0x2101 - ROM boot · Config# config-register 0x2102 - Boot from NVRAM BOOT SYSTEM: · Config# boot system tftp FILENAME SERVER_IP - Example: boot system tftp 2600_ios.bin 192.168.14.2 · Config# boot system ROM · Config# boot system flash - Then - Config# reload CDP: · Config# cdp run - Turns CDP on · Config# cdp holdtime 180 - Sets the time that a device remains. Default is 180 · Config# cdp timer 30 - Sets the update timer.The default is 60 · Config# int Ethernet 0 · Config-if# cdp enable - Enables cdp on the interface · Config-if# no cdp enable - Disables CDP on the interface · Config# no cdp run - Turns CDP off HOST TABLE: · Config# ip host ROUTER_NAME INT_Address - Example: ip host lab-a 192.168.5.1-or- · Config# ip host RTR_NAME INT_ADD1 INT_ADD2 INT_ADD3 - Example: ip host lab-a 192.168.5.1 205.23.4.2 199.2.3.2 - (for e0, s0, s1) DOMAIN NAME SERVICES: · Config# ip domain-lookup - Tell router to lookup domain names · Config# ip name-server 122.22.2.2 - Location of DNS server · Config# ip domain-name cisco.com - Domain to append to end of names CLEARING COUNTERS: · # clear interface Ethernet 0 - Clears counters on the specified interface · # clear counters - Clears all interface counters · # clear cdp counters - Clears CDP counters STATIC ROUTES: · Config# ip route Net_Add SN_Mask Next_Hop_Add - Example: ip route 192.168.15.0 255.255.255.0 205.5.5.2 · Config# ip route 0.0.0.0 0.0.0.0 Next_Hop_Add - Default route-or- · Config# ip default-network Net_Add - Gateway LAN network IP ROUTING: · Config# ip routing - Enabled by default · Config# router rip-or- · Config# router igrp 100 · Config# interface Ethernet 0 · Config-if# ip address 122.2.3.2 255.255.255.0 · Config-if# no shutdown IPX ROUTING: · Config# ipx routing · Config# interface Ethernet 0 · Config# ipx maximum-paths 2 - Maximum equal metric paths used · Config-if# ipx network 222 encapsulation sap - Also Novell-Ether, SNAP, ARPA on Ethernet. Encapsulation HDLC on serial · Config-if# no shutdown ACCESS LISTS: IP Standard 1-99 IP Extended 100-199 IPX Standard 800-899 IPX Extended 900-999 IPX SAP Filters 1000-1099 IP STANDARD: · Config# access-list 10 permit 133.2.2.0 0.0.0.255 - allow all src ip’s on network 133.2.2.0-or- · Config# access-list 10 permit host 133.2.2.2 - specifies a specific host-or- · Config# access-list 10 permit any - allows any address · Config# int Ethernet 0 · Config-if# ip access-group 10 in - also available: out IP EXTENDED: · Config# access-list 101 permit tcp 133.12.0.0 0.0.255.255 122.3.2.0 0.0.0.255 eq telnet -protocols: tcp, udp, icmp, ip (no sockets then), among others -source then destination address -eq, gt, lt for comparison -sockets can be numeric or name (23 or telnet, 21 or ftp, etc)-or- · Config# access-list 101 deny tcp any host 133.2.23.3 eq www-or- · Config# access-list 101 permit ip any any · Config# interface Ethernet 0 · Config-if# ip access-group 101 out IPX STANDARD: · Config# access-list 801 permit 233 AA3 - source network/host then destination network/host-or- · Config# access-list 801 permit -1 -1 - “-1” is the same as “any” with network/host addresses · Config# interface Ethernet 0 · Config-if# ipx access-group 801 out IPX EXTENDED: · Config# access-list 901 permit sap 4AA all 4BB all - Permit protocol src_add socket dest_add socket -“all” includes all sockets, or can use socket numbers-or- · Config# access-list 901 permit any any all any all -Permits any protocol with any address on any socket to go anywhere · Config# interface Ethernet 0 · Config-if# ipx access-group 901 in IPX SAP FILTER: · Config# access-list 1000 permit 4aa 3 - “3” is the service type-or- · Config# access-list 1000 permit 4aa 0 - service type of “0” matches all services · Config# interface Ethernet 0 · Config-if# ipx input-sap-filter 1000 - filter applied to incoming packets-or- · Config-if# ipx output-sap-filter 1000 - filter applied to outgoing packets NAMED ACCESS LISTS: · Config# ip access-list standard LISTNAME -can be ip or ipx, standard or extended -followed by the permit or deny list · Config# permit any · Config-if# ip access-group LISTNAME in -use the list name instead of a list number -allows for a larger amount of access-lists PPP SETUP: · Config-if# encapsulation ppp · Config-if# ppp authentication chap pap -order in which they will be used -only attempted with the authentification listed -if one fails, then connection is terminated · Config-if# exit · Config# username Lab-b password 123456 -username is the router that will be connecting to this one -only specified routers can connect-or- · Config-if# ppp chap hostname ROUTER · Config-if# ppp chap password 123456 -if this is set on all routers, then any of them can connect to any other -set same on all for easy configuration ISDN SETUP: · Config# isdn switch-type basic-5ess - determined by telecom · Config# interface serial 0 · Config-if# isdn spid1 2705554564 - isdn “phonenumber” of line 1 · Config-if# isdn spid2 2705554565 - isdn “phonenumber” of line 2 · Config-if# encapsulation PPP - or HDLC, LAPD DDR - 4 Steps to setting up ISDN with DDR 1. Configure switch typeConfig# isdn switch-type basic-5ess - can be done at interface config 2. Configure static routesConfig# ip route 123.4.35.0 255.255.255.0 192.3.5.5 - sends traffic destined for 123.4.35.0 to 192.3.5.5Config# ip route 192.3.5.5 255.255.255.255 bri0 - specifies how to get to network 192.3.5.5 (through bri0) 3. Configure InterfaceConfig-if# ip address 192.3.5.5 255.255.255.0Config-if# no shutdownConfig-if# encapsulation pppConfig-if# dialer-group 1 - applies dialer-list to this interfaceConfig-if# dialer map ip 192.3.5.6 name Lab-b 5551212 connect to lab-b at 5551212 with ip 192.3.5.6 if there is interesting traffic can also use “dialer string 5551212” instead if there is only one router to connect to 4. Specify interesting trafficConfig# dialer-list 1 ip permit any-or-Config# dialer-list 1 ip list 101 - use the access-list 101 as the dialer list 5. Other OptionsConfig-if# hold-queue 75 - queue 75 packets before dialingConfig-if# dialer load-threshold 125 either -load needed before second line is brought up -“125” is any number 1-255, where % load is x/255 (ie 125/255 is about 50%) -can check by in, out, or either Config-if# dialer idle-timeout 180 -determines how long to stay idle before terminating the session -default is 120 FRAME RELAY SETUP: · Config# interface serial 0 · Config-if# encapsulation frame-relay - cisco by default, can change to ietf · Config-if# frame-relay lmi-type cisco - cisco by default, also ansi, q933a · Config-if# bandwidth 56 · Config-if# interface serial 0.100 point-to-point - subinterface · Config-if# ip address 122.1.1.1 255.255.255.0 · Config-if# frame-relay interface-dlci 100 -maps the dlci to the interface -can add BROADCAST and/or IETF at the end · Config-if# interface serial 1.100 multipoint · Config-if# no inverse-arp - turns IARP off; good to do · Config-if# frame-relay map ip 122.1.1.2 48 ietf broadcast -maps an IP to a dlci (48 in this case) -required if IARP is turned off -ietf and broadcast are optional · Config-if# frame-relay map ip 122.1.1.3 54 broadcast SHOW COMMANDS
· Show access-lists - all access lists on the router · Show cdp - cdp timer and holdtime frequency · Show cdp entry * - same as next · Show cdp neighbors detail - details of neighbor with ip add and ios version · Show cdp neighbors - id, local interface, holdtime, capability, platform portid · Show cdp interface - int’s running cdp and their encapsulation · Show cdp traffic - cdp packets sent and received · Show controllers serial 0 - DTE or DCE status · Show dialer - number of times dialer string has been reached, other stats · Show flash - files in flash · Show frame-relay lmi - lmi stats · Show frame-relay map - static and dynamic maps for PVC’s · Show frame-relay pvc - pvc’s and dlci’s · Show history - commands entered · Show hosts - contents of host table · Show int f0/26 - stats of f0/26 · Show interface Ethernet 0 - show stats of Ethernet 0 · Show ip - ip config of switch · Show ip access-lists - ip access-lists on switch · Show ip interface - ip config of interface · Show ip protocols - routing protocols and timers · Show ip route - Displays IP routing table · Show ipx access-lists - same, only ipx · Show ipx interfaces - RIP and SAP info being sent and received, IPX addresses · Show ipx route - ipx routes in the table · Show ipx servers - SAP table · Show ipx traffic - RIP and SAP info · Show isdn active - number with active status · Show isdn status - shows if SPIDs are valid, if connected · Show mac-address-table - contents of the dynamic table · Show protocols - routed protocols and net_addresses of interfaces · Show running-config - dram config file · Show sessions - connections via telnet to remote device · Show startup-config - nvram config file · Show terminal - shows history size · Show trunk a/b - trunk stat of port 26/27 · Show version - ios info, uptime, address of switch · Show vlan - all configured vlan’s · Show vlan-membership - vlan assignments · Show vtp - vtp configs CATALYST COMMANDSFor Native IOS - Not CatOS SWITCH ADDRESS: · Config# ip address 192.168.10.2 255.255.255.0 · Config# ip default-gateway 192.168.10.1 DUPLEX MODE: · Config# interface Ethernet 0/5 - “fastethernet” for 100 Mbps ports · Config-if# duplex full - also, half auto full-flow-control SWITCHING MODE: · Config# switching-mode store-and-forward - also, fragment-free MAC ADDRESS CONFIGS: · Config# mac-address-table permanent aaab.000f.ffef e0/2 - only this mac will work on this port · Config# mac-address-table restricted static aaab.000f.ffef e0/2 e0/3 -port 3 can only send data out port 2 with that mac -very restrictive security · Config-if# port secure max-mac-count 5 - allows only 5 mac addresses mapped to this port VLANS: · Config# vlan 10 name FINANCE · Config# interface Ethernet 0/3 · Config-if# vlan-membership static 10 TRUNK LINKS: · Config-if# trunk on - also, off auto desirable nonegotiate · Config-if# no trunk-vlan 2 -removes vlan 2 from the trunk port -by default, all vlans are set on a trunk port CONFIGURING VTP: · Config# delete vtp - should be done prior to adding to a network · Config# vtp server - the default is server, also client and transparent · Config# vtp domain Camp - name doesn’t matter, just so all switches use the same · Config# vtp password 1234 - limited security · Config# vtp pruning enable - limits vtp broadcasts to only switches affected · Config# vtp pruning disable FLASH UPGRADE: · Config# copy tftp://192.5.5.5/configname.ios opcode - “opcode” for ios upgrade, “nvram” for startup config DELETE STARTUP CONFIG: · Config# delete nvram
