After installing the FireEye app for Splunk and having some issues with it, the app was uninstalled, which left a gap that needed to be filled. So off I went into Splunk land to see if I could scrounge together some decent "dashboard" worthy search queries that could help display important information. Below is a collection of the search queries I have built thus far. It is by no means an exhaustive list, because anyone who knows Splunk knows that there are soooo many more ways to show … [Read more...]
FireEye Role Based Access Control (RBAC)
Regarding role-based access control and Active Directory integration with FireEye back in FEOS versions 7.0.x (webmps), 6.3.2 (emailmps) and 6.4.1 (CMS), we only had the ability to map a single Active Directory group to a single FireEye "role". And most enterprises would probably have mapped that single group to the Admin role. Well..... Fast >> Forward >> to FEOS 7.1 "Shasta", where FireEye has merged the various code revisions for web/email/CMS into one single version, and we are … [Read more...]
BlueCoat Proxy – Web URL Category Review / Best Practices
This page will attempt to assist you in building a Web URL Category review process, as well as provide best practice recommendations from BlueCoat and my own personal experience with BlueCoat. BlueCoat does not update their Web URL Categories very often, but it does happen about once every 12-18 months. In earlier times, they were not very helpful about this and normally only included a single email to subscribed users (a very manual process - it is not created for you when you purchase a … [Read more...]
BlueCoat Proxy – Log Injection For Rule Tracking
Unfortunately BlueCoat doesn't have a nice and fancy log tracker type utility like CheckPoint has in SmartView Tracker, so the rules do not have numbers. However, you can work around this by using some log injection smoke-and-mirrors tricks. There are a few unused (or not very often used) log variables that can be used in conjunction with a specific action on a rule, which, when matched, will create a log line with a piece of text of your choosing. … [Read more...]
FireEye Integration With BlueCoat Proxy
This tutorial will assist you in setting up FireEye integration with BlueCoat Proxy, by using a URL list populated by FireEye as another web filter on the BlueCoat. This filter can then be used in BlueCoat policy just like the BCWF, McAfee Smartfilter, etc... … [Read more...]
Blue Coat ProxySG – Splash Page Updates
In my previous blatherings about BlueCoat splash pages, I had always used the variable $(cs-categories) to identify which BlueCoat WebFilter (BCWF) category the requested URL was a child of. But this displays ALL the categories that a specific URL/site is a member of, not just the one that is the criteria for the block. In your day to day administration and troubleshooting of BlueCoat proxy, you have no doubt seen URLs/sites with multiple categorizations. You are probably also familiar with trying … [Read more...]
Blue Coat ProxySG – Issues Upgrading SGOS From 5.5.x.x to 6.2.x.x
Following an upgrade on a Blue Coat ProxySG 600-10, from 5.5.3.31 to 6.2.9.1, I encountered the errors below, and was unable to pass traffic through the proxy using the BlueCoat WebFilter categories for "Allow"/"Deny". As this specific ProxySG is a non-production device, there are very minimal users working with it, and the first I noticed of the issue was an email from the ProxySG itself. From: ProxySG@Company-X.com [mailto: ProxySG@Company-X.com] Sent: Thursday, June 14, 2012 1:51 … [Read more...]
Checkpoint VSX Commands
This is a short list of Checkpoint VSX Commands that I am compiling as I continue to work with CheckPoint VSX systems. The list is not comprehensive and may not work for everyone, so if you see errors, please contact me so I may correct them. Thanks! /ryan
Check Point CLI "CP" Commands
CLI Command        Command Description
vsx get            View current shell context.
vsx set            Set context to VS with the ID .
[Expert@FW-VSX-Gateway:0]# vsx set 3
Context is set to Virtual Device … [Read more...]
Check Point Quick Reference – Tcpdump
NOTE: fw monitor operates above layer 2 and does not include MAC address information - can't see ARP messages. tcpdump can see layer 2 ARP messages.
This is one of the most common tcpdump commands (looks for packets from a src to dst; need to specify interface):
tcpdump -nni eth2 host 11.11.11.11 and host 22.22.22.22
08:02:15.043273 11.11.11.11.62044 > 22.22.22.22.https: S 1943270491:1943270491(0) win 65535
tcpdump -nni eth0
tcpdump -nni eth0 host 111.111.111.111
tcpdump -nni eth0 … [Read more...]
CheckPoint SmartDashboard – Missing Menu
Hello All. I was bouncing around in the Checkpoint SmartDashboard, updating rules in some firewalls, and noticed that the menu bar at the top of the window was missing... After some searching, I found that a registry setting needed to be modified to restore the SmartDashboard menu bar. Here is the registry path that needed to be modified: HKEY_CURRENT_USER\Software\CheckPoint\Management Clients\6.2.01\R75.10\Check Point SmartDashboard\Check Point SmartDashboard\Toolbar … [Read more...]