Tuesday, May 16, 2017

VSX and local.arp - correction and follow up

Hi, in one of my previous posts I mentioned that with Jumbo HFA 210 and up local.arp files are purged.

The issue was reported to me by a customer, and I was not personally involved in troubleshooting it. That was my oversight, which led to some erroneous statements in the original post.

Since then, several Check Point developers and R&D managers have reached out to me to investigate the details. After thorough analysis it was found that the information reported is not 100% accurate.

Here are the results:

1. Check Point admits that after a Jumbo installation only the local.arp file on VS0 will be purged. This issue will be corrected in the next HFA package.

2. Any VS other than VS0 keeps its local.arp intact. That also means the original warning about installing Jumbo package 216 was incorrect. With the usual precautions, such as backups and local modifications saved aside, there is no showstopper for VSX, unless you filter your production traffic on VS0.

3. The actual customer issue occurred on a physical FW and not on VSX. Here I have to remind everyone that the only supported way to configure proxy ARP settings on physical Gaia-based devices is through clish.

More info to follow.

I thank Gera Dorfman, Yigal Alexander and Sergei Shir for their time and efforts spent to investigate the issue.

Monday, May 15, 2017

Wcry lesson - we learn that we do not learn

WannaCry ransomware wreaked havoc around the globe, infecting and putting out of commission more than two hundred thousand computers. One could consider this a brutal and effective crash test for common security practices. A test that we failed, miserably. Just look at the map of affected countries...

The situation could have been completely different if IT security had adhered to a small set of very basic security practices, such as the following.

Educate end users

One of the Wcry vectors is a phishing email. We all know that it is not wise to click on email links, right? Wrong, apparently. People are still doing it. Teaching users simple security awareness practices is vital to avoiding such incidents.

Scan incoming emails and downloads

One of the classic cases of Threat Emulation is scanning and detonating file attachments and downloads. Every decent security vendor has an appropriate offering in this field. 

Anti-phishing tools are also widely available, both onsite and cloud based.

Patch your systems timely

The SMB vulnerability used by Wcry to propagate was patched by Microsoft in March 2017, two months before the event. Two months!

Use IPS for virtual patching

Okay, you say, we could patch all supported Windows machines, but what about XP, 8 and 2003? Even if there were no patches for unsupported Windows flavors, simple IPS virtual patching would do. How hard can it be, really?

Filter incoming traffic, segment your networks

To prevent the initial infection coming from the Internet through SMB, one only needed to filter out incoming SMB traffic. The same goes for preventing lateral movement of the worm in segmented networks. Simple FW rules denying such traffic would do.
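As an added illustration of the two filtering points above (not code from the original post), the check below runs over constructed connection log lines and flags accepted SMB connections that such rules should have denied: SMB arriving from outside the internal segments, and SMB crossing from one internal segment into another. The log format and the segment layout are assumptions made for the example.

```python
import ipaddress
import re

SMB_PORTS = {139, 445}
# Constructed internal segments; any address outside them counts as the Internet.
SEGMENTS = {
    "users": ipaddress.ip_network("10.10.0.0/16"),
    "servers": ipaddress.ip_network("10.20.0.0/16"),
}
# Constructed log layout for this example, not a real firewall log format.
LOG_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\S+) dport=(\d+) action=(\S+)")

def segment_of(ip):
    """Name of the internal segment holding ip, or None when it is external."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None

def classify(line):
    """Return a finding for an accepted SMB connection the rulebase should have blocked."""
    m = LOG_RE.search(line)
    if not m:
        return None
    src, dst, proto, dport, action = m.groups()
    if proto.lower() != "tcp" or int(dport) not in SMB_PORTS or action != "accept":
        return None
    s, d = segment_of(src), segment_of(dst)
    if s is None and d is not None:
        return "inbound-smb-from-internet"   # initial infection path
    if s is not None and d is not None and s != d:
        return "lateral-smb-across-segments"  # worm spreading between segments
    return None  # same segment, outbound, dropped, or not SMB

def find_smb_exposure(lines):
    """List (line, finding) pairs for every log line that represents an exposure."""
    findings = []
    for line in lines:
        verdict = classify(line)
        if verdict is not None:
            findings.append((line, verdict))
    return findings

# Constructed sample log lines.
SAMPLE_LOG = [
    "src=198.51.100.7 dst=10.20.1.5 proto=tcp dport=445 action=accept",
    "src=10.10.4.20 dst=10.20.1.5 proto=tcp dport=445 action=accept",
    "src=10.10.4.20 dst=10.10.4.21 proto=tcp dport=445 action=accept",
    "src=198.51.100.7 dst=10.20.1.5 proto=tcp dport=445 action=drop",
    "src=10.10.4.20 dst=10.20.1.9 proto=tcp dport=443 action=accept",
]
```

Only the first two sample lines are reported; SMB inside one segment, a dropped attempt and non-SMB traffic are left alone.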

Backups, backups, backups

In case of infection, there is always a plan B: restoring systems from backups. If you have any. If you keep them safe. Safe in this context means offline.

Simple and widely known security best practices could have saved the day. Yes, we have all seen recently that our networks are out there for anyone who wants to take them over. How sad is that?

To support this blog send your donations to https://www.paypal.me/cpvideonuggets

CPET feedback

Hi all,

Nobody showed up to the planned CPET session about the pros and cons of Check Point Stateful Inspection, and I would like to understand what went wrong here.

Please take the time to fill in a short questionnaire that would help me plan better next time.

Thanks a lot

CPET project relies on your support. Participate in the talks and help us with your donations to https://www.paypal.me/cpvideonuggets

Follow us on Facebook and Twitter. 

Monday, May 8, 2017

Urgent! Your VSX proxy ARP settings might be broken with latest R77.30 Jumbo HFA

In 2014 I wrote an article about setting proxy ARP on a VSX bond interface.

IMPORTANT: The information below is not 100% accurate. Please jump to the new post for more details

The problem occurred for the first time during a sophisticated VSX setup with one of my customers. Although CP official documentation insisted on doing it from Gaia clish, it was failing, and a manual local.arp file was required.

Since then, Check Point has corrected its recommendation, and in sk30197 local.arp is mentioned as the appropriate configuration.

Guess what? With R77.30 Jumbo HFA package 210 and above this is now broken.

Last week another VSX customer of mine reported that installing Jumbo 216 caused a four-hour outage on their business-critical system, and the reason was failing proxy ARP settings. They had used local.arp files, but after installing the 216 Jumbo HFA package those files were purged. They also needed to use Gaia clish to configure it again.

After some research, we are now convinced that this is the result of fixing the bonding issue mentioned in sk111675. The fix is included in Jumbo packages version 201 and up.

The ugly part of the issue is that it was not expected and apparently not tested on a system with a pre-existing local.arp.

If you happen to have local.arp files in place and plan to install the latest R77.30 Jumbo HFA, take extra care.
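The precaution this post and the follow-up at the top of the page both come down to is saving local.arp aside before the Jumbo install and comparing afterwards. The script below is an added example, not Check Point's tooling or code from the original posts: it parses a saved copy and the live file and reports whether the file was purged outright (the VS0 case described in the correction) or only lost or changed individual entries. It assumes the local.arp format is one "IP MAC" entry per line with optional '#' comments, and assumes a per-VS path layout of $FWDIR/conf for VS0 and $FWDIR/CTX/CTX0000n/conf for other VSs; verify both against your own system.

```python
import re
from pathlib import Path

# Assumed local.arp format: one "<IPv4> <MAC>" entry per line, '#' comments ignored.
ENTRY_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})$")

def parse_local_arp(text):
    """Return {ip: mac} from local.arp contents; a malformed line raises ValueError."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"local.arp line {lineno}: malformed entry {raw!r}")
        entries[m.group(1)] = m.group(2).lower()
    return entries

def compare_local_arp(saved_text, current_text):
    """Diff the pre-upgrade copy against the live file; current_text is None when the file is gone."""
    saved = parse_local_arp(saved_text)
    current = {} if current_text is None else parse_local_arp(current_text)
    return {
        "purged": current_text is None,
        "missing": sorted(ip for ip in saved if ip not in current),
        "changed": sorted(ip for ip in saved if ip in current and current[ip] != saved[ip]),
        "added": sorted(ip for ip in current if ip not in saved),
    }

def vs_local_arp_path(fwdir, vs_id):
    """Assumed per-VS location: VS0 under $FWDIR/conf, other VSs under
    $FWDIR/CTX/CTX0000<n>/conf. Check this layout on your own gateway."""
    if vs_id == 0:
        return Path(fwdir) / "conf" / "local.arp"
    return Path(fwdir) / "CTX" / f"CTX{vs_id:05d}" / "conf" / "local.arp"

def audit_vs(fwdir, backup_dir, vs_ids):
    """Compare each VS's live local.arp with its saved copy <backup_dir>/vs<n>.local.arp."""
    report = {}
    for vs_id in vs_ids:
        saved = (Path(backup_dir) / f"vs{vs_id}.local.arp").read_text()
        live = vs_local_arp_path(fwdir, vs_id)
        report[vs_id] = compare_local_arp(saved, live.read_text() if live.exists() else None)
    return report

# Constructed sample: two proxy-ARP entries for VIPs on a bond interface.
SAVED = "# bond1 VIPs\n192.0.2.10 00:1C:7F:AA:BB:01\n192.0.2.11 00:1C:7F:AA:BB:01\n"
```

Run audit_vs() with the saved copies taken before the Jumbo install; a "purged": True entry for a VS is exactly the condition that caused the outage described above.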

The documentation is not fixed yet, and I have not managed to find any new SK on the matter just yet.

Support this blog with your donations to https://www.paypal.me/cpvideonuggets

Session 2 - meeting details

As previously announced, we are having the second session of CPET this weekend.

It will happen on Sunday, 14th of May, at 3PM CET.

The Zoom meeting will be available via this link. The calendar invitation for it is here.

As before, only 50 participants will be able to join. Mark your calendars and be on time.