After installing the FireEye app for Splunk and having some issues with it, the app was uninstalled, which left a gap that needed to be filled. So off I went into Splunk land to see if I could scrounge together some decent dashboard-worthy search queries that could help display important information. Below is a collection of the search queries I have built thus far. It is by no means an exhaustive list, because anyone who knows Splunk knows that there are so many more ways to show … [Read more...]
FireEye Role Based Access Control (RBAC)
Regarding role-based access control and Active Directory integration with FireEye: back in FEOS versions 7.0.x (webmps), 6.3.2 (emailmps) and 6.4.1 (CMS), we only had the ability to map a single Active Directory group to a single FireEye "role", and most enterprises would probably have mapped that single group to the Admin role. Well..... Fast >> Forward >> to FEOS 7.1 "Shasta", where FireEye has merged the various code revisions for web/email/CMS into one single version, and we are … [Read more...]
FireEye Integration With BlueCoat Proxy
This tutorial will assist you in setting up FireEye integration with BlueCoat Proxy by using a URL list populated by FireEye as another web filter in the BlueCoat. This filter can then be used in BlueCoat policy just like the BCWF, McAfee SmartFilter, etc. … [Read more...]
Blue Coat ProxySG – Issues Upgrading SGOS From 5.5.x.x to 6.2.x.x
Following an upgrade of a Blue Coat ProxySG 600-10 from 5.5.3.31 to 6.2.9.1, I encountered the errors below and was unable to pass traffic through the proxy using the BlueCoat WebFilter categories for "Allow"/"Deny". As this specific ProxySG is a non-production device, very few users work with it, and the first I noticed of the issue was an email from the ProxySG itself. From: ProxySG@Company-X.com [mailto: ProxySG@Company-X.com] Sent: Thursday, June 14, 2012 1:51 … [Read more...]
Check Point Quick Reference – FW Monitor
Overview: FW Monitor is a built-in firewall tool which needs no separate install on the device where you wish to capture packets and interrogate connections. It is functionality provided with the installation of the FW-1 package, and the syntax is identical across all FW-1 installations. FW Monitor allows sampling the connection from 4 different points in the firewall, and can show NAT assignments or whether routing is working correctly. FW Monitor operates at the kernel level, but is not a packet … [Read more...]
Firewall Commands For Identifying Specific Routes
The Question: Using firewall commands, identify the route to a specific destination/target without using the routing table (more specific). I was asked the question today and blanked out... I have run the Cisco and Check Point IPSO versions, but not Splat, and still couldn't pull it from memory. Once I looked it up I felt silly, but knew it would be a good addition to my little knowledge repository. Check Point - IPSO: show route destination xx.xx.xx.xx Check Point - Splat: ip route get … [Read more...]
Blue Coat – HowTo Set Up A Policy Trace To Debug Access Issues
Problem Description: Policy tracing is primarily used when debugging access to web sites. When something is allowed that should be denied, or vice versa, using the policy trace feature is the best way to diagnose the issue. Resolution: Enabling a policy trace: Open the "Configuration" tab and expand the "Policy" radio button. Launch the Visual Policy Manager (VPM). Click the "Web Access Layer (trace)" tab in the VPM. Right-click the source of an existing rule and click on … [Read more...]
Useful Stuff
This post is a quasi-holding place for uncategorized things at the moment, with no rhyme or reason as to why it's here or somewhere else. SCP files from a Linux box or firewall to another Linux box: SYNTAX = scp /path/to/local/file user@remote_host:/path/to/file/on/remote/host EXAMPLE = scp /var/tmp/todays-date-kernel-debug.tgz user@firewall-hostname:/var/tmp/todays-date-kernel-debug.tgz … [Read more...]
Check Point Firewall – Nokia IPSO CST Hanging or Taking Forever?
Is your Nokia IPSO CST not finishing? Trying to run a CST on your Nokia, but it seems to be taking forever? I have had the same issue on various Nokia security appliances running IPSO 4.2 and older. The problem ended up being a hung process that was spawned by the CST program. It seems that CST calls "fw tab -u -t", and sometimes it just gets hung up, but to the user it looks like the whole CST process is hung. Here is a sample so you can get a visual: FIREWALL123[admin]# cst IPSO … [Read more...]
Check Point Firewall – Interfaces Reordered Upon Upgrade
A few days ago, one of our Check Point IAS M6 (Firefly-equipped) R70.20 Splat clusters had a member fail due to "PLANAR VOLTAGE FAILURE", so says the IBM iLO event log. Since this is not solved by a simple power supply replacement, an RMA replacement unit from Check Point was obtained. The new device came pre-loaded with R65 and no HFAs or hotfixes. So we distributed R70 Splat to the box via Provider-1, upgraded, and everything was happy, with us seemingly cruising along on a smooth … [Read more...]