Monday 21 January 2013

Removing old Check Point packages and files after an upgrade


Check Point releases a great script which erases old CP packages and files causing disc issues later on. Here it is;
Solution ID:sk91060
Product:Security Gateway, Security Management, 2012 Models Security Appliances, UTM-1, Power-1, Smart-1
Version:R70, R71, R75, R75.10, R75.20, R75.30, R75.40, R75.40VS
OS:SecurePlatform 2.6, Gaia
Platform / Model:All
Date Created:08-Jan-2013
Last Modified:20-Jan-2013
Rate this document
[Click on the stars to rate]
SYMPTOMS
  • After an upgrade, the packages of the old version are not deleted automatically.

    For example, when upgrading from R71 to R75, the old R71 packages and files remain on the system. This could lead to a disk space issue, especially after several upgrades.



SOLUTION
A new script was developed in order to remove all old packages and files from the upgraded machine.
Important Note: The script can be used only on SecurePlatform OS and on Gaia OS running Check Point R70 and higher versions.

Follow these steps to remove all old packages and files:
  1. Download the shell script from here.
  2. Log in to Expert mode by running the expert command.
  3. Copy the RemoveOldVersion.sh script to the relevant machine (for example, /var/log/ directory).
  4. Assign the execute permissions to the script:

    [Expert@HostName]# chmod u+x /var/log/RemoveOldVersion.sh
  5. Run the script:

    [Expert@HostName]# cd /var/log/
    [Expert@HostName]# ./RemoveOldVersion.sh
  6. The script performs the following operations:

    1. Creates a detailed log file:
      /var/log/RemoveOldVersion.elg
    2. Uninstalls all old RPM packages, except these:
      • CPrt (Eventia products)
      • CPinfo (CPinfo utility)
      • CPuepm (Endpoint Security Server)
      • CPda (Deployment Agent)
    3. Deletes all directories and files that were installed by old RPM packages (except those mentioned above):
      • /opt/<package>
      • /var/opt/<package>
      • /var/OPT/<package>
      • /opt/CPshrd-*
      • /var/log/CPsuite-*
  7. Once the script completes its job, the user will get the prompt back.
  8. To verify that the script has finished successfully, run the following commands:

    [Expert@HostName]# rpm -qa | grep CP
    [Expert@HostName]# ls -l /opt/CP*
    [Expert@HostName]# ls -l /var/opt/CP*
    [Expert@HostName]# ls -l /var/log/CPsuite-*

    Notes:
    • The outputs should show only the latest version (to which the system was upgraded).
    • These directories are not deleted:
      • CPrt (Eventia products)
      • CPinfo (CPinfo utility)
      • CPuepm (Endpoint Security Server)
      • CPda (Deployment Agent)
Posted by at No comments:
Labels:

Tuesday 8 January 2013

Checkpoint IPSec VPN with Non-Checkpoint Products (Such as, PFsense, DrayTek etc.)



Non-Check Point products does not have "ike_use_largest_possible_subnets (supernetting)" feature, this is the reason why we need to disable that feature on Check Point.
(Exchanging keys with another vendor gateway uses largest possible subnet –Check Point uses the best possible subnet to increase the performance while doing IKE key exchanges by default)

DNS packets should not be allowed firstly, otherwise that results DNS resolution problems for VPN domains.

------------------------------------------------------------------------------------
# dbedit

Enter Server name (ENTER for 'localhost'): 



Enter User Name: fwadmin

Enter User Password: abc123



Please enter a command, -h for help or -q to quit: 

dbedit> modify properties firewall_properties ike_use_largest_possible_subnets false



dbedit> update properties firewall_properties

firewall_properties updated successfully.



dbedit> quit

#
-----------------------------------------------------------
 
and You can configure the "max_subnet_for_range" table in "user.def" file on the Security Management Server / Domain Server. This table is designed to force VPN-1/FireWall-1 to negotiate IPSEC SAs using a specific subnet mask for a given IP address range;
max_subnet_for_range = {<first_IP_in_range, last_IP_in_the_range; subnet_mask>, <first_IP_in_range, last_IP_in_the_range; subnet_mask>, <first_IP_in_range, last_IP_in_the_range; subnet_mask>};

Example;
#ifndef __user_def__ 
#define __user_def__ 
// // User defined INSPECT code//
max_subnet_for_range = {<0.0.0.0, 10.29.39.255; 255.255.255.0>,<10.29.40.0, 10.29.50.255; 255.255.255.255>,<10.29.51.0, 255.255.255.255; 255.255.0.0>};#endif /* __user_def__ */














Posted by



at





No comments:
  


















Labels:

















        

      









Subscribe to:
Posts (Atom)