To install NGX R65 HFA 60 on IPSO Flash-based:

1. If using 1GB RAM systems, run the following command to extend the /opt RAM disk partition: /sbin/mount -u -o extend_partition /dev/null /opt
   To verify that the /opt partition was extended to at least 500000 KB, run the df command.
2. Verify that there is enough free disk space for the installation of the HFA packages:
   * For /preserve, you need at least 455000 KB free.
   (To find absolute free space: run the df -k /preserve command and subtract the 3rd column Used from the 2nd column 1K-blocks).
   * For /opt and /var, you need at least 382000 KB free.
3. Create a temporary directory on /opt: mkdir /opt/hfa
4. Navigate to the new directory: cd /opt/hfa
5. Download Check_Point_NGX_R65_HFA_60.ipso.tgz (http://supportcontent.checkpoint.com/file_download?id=10349) to /opt/hfa and extract the contents.
6. Delete the *.tgz file to save disk space.
7. Execute: ./UnixInstallScript
8. Reboot the machine.

Unfortunately, I had a lot if problems:

1. After make a copy of hfa file, I didn’t extract it, because of lack of disk space.
2. Looking for log files, I deleted some audit log from Nokia Voyager that allow me to extract all content from hfa file.
3. When I tried to execute: ./UnixInstallScript , I got the error: “Can’t open /opt/CPshared/5.0/tmp/.CPprofile.sh”. I searched for this error on User Center and Google, and I didn’t find anything related with my problem.
4. Looking for the Check Point packages, I found the CPInfo package, that I immediately deleted. Reboot. I tried again, getting the same error.
5. I decided then to remove CPsuite-R65 (maybe this procedure will clean all temp files and directories). I rebooted and try to install the CPsuite-R65 again, using IPSO_wrapper_R65.tgz (according Check Point site: NGX R65 Package for Flash Based Platforms with 1GB of RAM or Disk Based Platforms on IPSO 4.1 and 4.2) with 186MB. I did the upload, extract and install. Didn’t install.
6. After a few hours, I found the package fw1_R65_IPSO.tgz (NGX R65 Package for Flash Based Platforms with 512 MB of RAM on IPSO 4.1 and 4.2) with 77MB. So, I uploaded, extracted and installed, rebooted, and in the end, everything works.
7. Immediately I applied the HFA60, following the procedures above, with success.
8. I lost almost 4 hours with this little problem.

Conclusion

The Check Point site shows some confusing information about packages, ipso, and missing for Release Notes files.

In my case, I’m using Nokia (IPSO) with Check Point NGX R65. Basically I have 5 networks: 4 for Users and 1 for servers. My DHCP Server (Microsoft) is in Servers Network. My Check Point is the default gateway for all these VLAN’s.

1) In Nokia Voyager (IPSO 4.2) –> Router Service –> BootP/DHCP Relay add the IP for your DHCP Server in all Clients Networks. Set “Wait Time” to 0.

2) If you are using VRRP, you need to change one file in your Smart Center Server. Edit this file $FWDIR/lib/table.def and add UDP port 67 and 68 to the no_hide_services_ports section of table.def.

Modified line should appear like the following (post changes made):

no_hide_services_ports = { <500, 17>, <259, 17>, <1701, 17>, <67, 17>, <68, 17> };

3) Create 3 rules

I leave Services field in Any, because I had some problems using only dhcp-req-localmodule.

More information:

• sk41515
• sk41237

When I installed the Enforcer on my MS-DHCP Server, my first problem happened: "Enforcer Cannot Bind To The Agent Authentication Port", but I can fix it just disable the SNAC Agent (I found a solution here).

My second problem was the “Encryption Password” (password defined during SEP Manager installation and necessary to start a communications between Enforcer and SEP Manager), because I didn’t know the password. I asked some people here (nobody knew), and we started to try a “lot of possible” passwords.

After a few hours we found this password and the communications were started successfully (the I-DHCP group appeared in SEP Manager), and the quarantine scope options were added on all my DHCP scopes.

All configurations were “default”, I just added the IP for my SEP Manager Server in “Automatic Quarantine” options.

After a few minutes, some users began to complain about a “network problems”. For all cases I found that users got Quarantine IP (without Default Gateway and mask 255.255.255.255). I tried to using “ipconfig /release” and “ipconfig /renew” many times without success. I checked the antivirus status and everything was Ok.

The Enforcer log showed me the message “Symantec is not running or running an incompatible version”.

So, I decided to stop the Enforcer and delete the quarantine scope options.

I opened a case in Symantec to investigate this issue, and after some questions, they found the problem:

I needed to add the IP of my Enforcer/DHCP in “Automatic Quarantine” section in Enforcer plug-in configuration. Works.

I would never realize that this kind of configuration was really necessary, because for me is so obvious. Anyway my problem was solved.

My first goal: Install SNAC in my existing console. With my Serial Number, I downloaded SNAC software from https://fileconnect.symantec.com/licenselogin.jsp?localeStr=en_US.

After, I read the PDF documentation and for my surprise, there wasn’t installation procedure for my case (an existing SEP console). So, I tried install SNAC by myself, just executing setup.exe. The installation works fine (my console was updated from 11.0.4xxx to 11.0.5002 version) and show the “Host Integrity” option in Policies tab.

After almost a full day of testing, I discovered that Host Integrity only really blocks non-compliance computers with a Firewall Policy enabled and with Peer-to-Peer authentication (I didn’t find this in any PDF documentation).

The block tests works very well, so I missed an option to “Monitor Only” (without blocks) in Peer-to-Peer Authentication. I afraid to implement SNAC and block any valid traffic (in my production servers), causing problems.

The second step in my plan was install the DHCP plug-in (Microsoft DHCP). All my DHCP servers are in MS-Cluster and I didn’t find a documentation for installation in clustered environments. I asked Symantec about this, and Symantec wrote me: “… the DHCP plug-in has not been tested with clustered environments and is therefore not supported …”

Conclusion

I hope Symantec test DHCP plug-in with clustered environments and make a documentation review about SNAC (I still think that is a good product).

So, what the procedure to send this threat (file) to Symantec build a new set of definitions?

1. Send the suspicious file to Symantec: https://submit.symantec.com/websubmit/essential.cgi
2. Wait for an answer from Symantec, and download the new definitions files (Symantec will send you a ftp site link to do this):
   symrapidreleasedefsi32.exe or/and symrapidreleasedefsi64.exe
   vd2fxxxx.jdb

   The exe (x86 or x64) file is a Intelligent Updater, for manual updates.
   The .JDB file is a package to apply in your SEPM
   You can get more information about these files here.

3. Test using EXE file if this (new) definition detects the threat
4. If yes, apply it (.JDB file) into your SEPM following these instructions.

I hope this will be useful.

When I tried to push a policy, the following error message appears:

Reason: Load on Module failed – failed to load Security Policy.   ( message from member <firewall-name> )

I tried everything to see an error message that told me something else, like:

• fw –d fetch <smart-center-ip> from Security Gateways
• fwm load -d <PolicyName> <security-gw> from SmartCenter
• Looking for all log files

But nothing, help me. Although I had already seen this sk33893 before, I did not give due attention to it. My problem was exactly described in this kb article.

I had an interface in one of my Cluster members, duplicated with the other node, but, the Nokia (Voyager) configuration was right. I just correct the ip of this interface in the Firewall object and push a policy. Works.

Conclusion

I lost almost 3 days trying to analyze this problem, building a lab to try reproduce this, while the solution was very quickly and simple.

Using cp_merge it’s possible to do merge, export and import policies.

I used it, to do a merge between 2 Smart Centers Server and import a new policy. Works very well.

More information about it, see here: sk33751.

Xlight has a version that not require installation, it’s only a executable file (you can put it on USB drive).

More information about it, you can see here.

• Almost all products and technologies documentations are written in English. It’s so familiar for me and other IT professionals (to read);
• I’m still learning English, and for that, I need to training more.

Some Considerations

I know I made grammar mistakes and it doesn’t worry me,  after all, it just happens when you try.

If you find a mistake, feel comfortable to correct me. I’ll be grateful.

Enjoy.

Infelizmente não achei nenhum template de report nestes moldes, então resolvi fazer eu mesmo  uma query SQL. Segue abaixo:

use sem7
select sc.computer_name, sc.current_login_user, sc.operation_system,
sc.processor_type, sc.memory, sc.bios_version, sc.ip_addr1_text, sa.agent_version,
dateadd(s,convert(bigint,sa.last_scan_time)/1000,'01-01-1970 00:00:00') as last_scan_time,
p.version as v_definitions, im.name
from sem_agent as sa
inner join
v_sem_computer as sc on sc.computer_id = sa.computer_id
inner join
pattern as p on sa.pattern_idx = p.pattern_idx
inner join
identity_map as im on sa.group_id = im.id
where
sa.group_id in (SELECT id FROM IDENTITY_MAP
where name like '%My Company%')
and sa.deleted=0