Nov 12

Ticket SSO: what a splendid idea!

SSL VPN, Tech dives -

This is exactly the comment I heard from a prospect when I explained to him a possible use case for Ticket Single Sign On, IMHO one of the most interesting features of StoneGate SSL VPN technology… included at no additional charge ;)

To give him a realistic example, I asked him:
“Do you happen to use SalesForce in your company?”
I already knew the answer was yes :) but such small sales “segreti di Pulcinella” (open secrets) are useful to get immediate attention, therefore I use them quite often…

Of course he replied yes, so I began my story…

Continue reading »

written by RoarinPenguin - 1,884 views

Aug 31

Log server fails after start

Hints and Tips, IPS, SMC, Tech dives -

I bet you have heard that Linux is the best OS in the world. And the most user-friendly. And the most secure as well… Yes, this is true. And this can be demonstrated by some abnormal program behavior under some “hardened” Linux distributions :)

Continue reading »

written by DR - 1,717 views

Jul 16

I found a very interesting article on Cisco about their load-balancing algorithms within 65xx Catalysts. It describes the basic principles of the underlying technology within the routing brains of MSFC engines (http://www.cisco.com/en/US/tech/tk827/tk831/technologies_tech_note09186a0080094806.shtml).
The article is about equal-cost load-balancing with dynamic routing, but it is tightly related to Cisco Express Forwarding (CEF) operation, which is used for almost everything. It is CEF that actually selects the direction for packet forwarding based on the contents of the routing table, and this article reveals the in-depth operation of this mechanism.
So any time we activate something on a Cisco router it will use CEF for this operation, be it MLS (MultiLayer Switching) with traffic distribution or simple routing.
Besides, Cisco is crazy about saying they are great at load-balancing things, especially when they propose that their customers “cluster” IPSes or Firewalls by simply installing several boxes and then doing LB either with EtherChannel or this equal-cost routing. So when it comes to packet distribution with a Catalyst switch, when a customer says “I can do all the things you sell for extra money with my lovely 6500”, it is no better and sometimes even worse than what StoneGate can do with its packet dispatch mechanism within a cluster. This should be taken into consideration not just when dealing with load-balancing scenarios but also when justifying clustering efficiency for a complex network with few hosts communicating with each other.
Just a short summary (Cisco – StoneGate):
1) 16 buckets for distribution – StoneGate uses 256.
2) Only per-destination is possible with 65xx (with a side note that CEF uses a source+destination flow mask), so no per-packet distribution – StoneGate’s built-in load balancer uses source+destination and is also able to use a full flow mask (taking ports into consideration).
3) Packets may be lost when routes change – StoneGate in most cases uses packet dispatch for clustering and is thus dependent on the speed of CAM table revalidation on nearby switches if the master dispatcher for a segment fails, so some packets may also be lost during failover. Still, if a subordinate node rather than the master dispatcher fails, or if a multicast- or unicast-based clustering algorithm is used, no packet loss should be expected at all!

Hope someone will find it helpful in future or current implementations.

written by DR - 2,275 views

Jul 07

SMC Batch Interaction – Checking Element Status

Hints and Tips, Scripts, SMC -

This post adds another bit to the series of articles about SMC interaction through batch scripts.

Today's scenario is the following.
Suppose you have an installed base composed of several StoneGate Engines (IPS, Firewalls) plus a few 3rd-party devices that you monitor thanks to a new feature of SMC 5.0.

You would like to monitor such devices from a batch script, so that data from SMC can populate other processes or software you might use.

Continue reading »

written by RoarinPenguin - 1,655 views

Jul 02

Following the SMC scripting galore trend ;) here’s another tool for you, hoping you find it useful.

The scenario is when you need to verify/validate from the command line whether a given policy would have issues if installed on a particular engine (but naturally without installing it).

The command sgPolicyCheck.[bat|sh] can be issued with the following parameters and options.

Parameters:
host=<Mgtserver address> (default: 127.0.0.1)
login=<loginname> (default: root)
pass=<password> (default: password)
cluster=<cluster name> (default: "")
policy=<policy name> (default: "")
all_clusters=<use all clusters> (default: false)

Options:
-help (Show help)

An example could be:

C:\Stonesoft\StoneGate\bin>sgPolicyCheck.bat host=192.168.1.101 login=root pass=mypass cluster=FW-5000 policy="verify-this-policy"
…and the output is similar to the one reported below:

Connect to Management Server: root@191.168.1.101
Validation of Firewall Policy verify-this-policy on Single Firewall FW-5000:

6 issues found.
  6 warnings found:
    2 Missing Definitions found.
      Rule @2.0
      Rule @3.0
    2 Unreachable Rules found.
      Rule @1006.0
      Rule @981.0
    2 NAT and Routing Definitions found.
      Rule @1274.5
      Rule @1157.0

As usual, Files area of StoneBlog Community contains the script for Windows and for Linux.

written by RoarinPenguin - 1,307 views

Jun 30

Here we go with a second article to enable batch interaction with a StoneGate Management Center: this one is about publishing a ready-made policy to a StoneGate Firewall/VPN Engine.

A scenario could be, for instance, that you receive an alert raising the DefCon level and you want to react by activating a more restrictive policy.

The script for you today is called sgUploadFw.[sh|bat] and the syntax is:

sgUploadFw.[bat|sh] [host=hostname] [login=loginname] [pass=password] cluster=clustername [cluster=otherclustername] policy=policyname

host ==> SMC host where you want this script to be executed.
login ==> login of an Administrator Profile, who has rights to operate on given elements
pass ==> password (yes, in cleartext. It’s up to you to decide about security level you want to implement ;) )
cluster ==> could be a single node or a cluster of engines
policy ==> the name of the policy you want to upload

Example and output:

C:\Stonesoft\StoneGate\bin>sgUploadFw.bat host=192.168.1.101 login=root pass=mypassword cluster="FW-5000" policy="DefCon 1"
Finding cluster(s)
Found FW-5000
Found policy: DefCon 1
Accepted a compatible cluster: FW-5000
Starting upload
Waiting 900 seconds…

Contacting nodes of FW-5000
Connection ok on firewall FW-5000
Preparing configuration for FW-5000
Policy snapshot started
Policy snapshot created.
Uploading configuration on FW-5000
New configuration generated for firewall FW-5000
New configuration uploaded to firewall FW-5000
Rule @1279.6 has Source NAT translated to ipaddresses that corresponds to an interface address
Applying configuration on FW-5000
New configuration activated on firewall FW-5000
Checking connectivity on FW-5000
Contact with firewall FW-5000 confirmed
Policy installation successful for FW-5000

upload finished

To download the script for Windows click here, while the version for Linux is available here.

Both scripts will remain available in StoneBlog Community, Files area.
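The sgPolicyCheck post above and this one chain naturally: validate first, and upload only when the validation report is clean. The POSIX shell wrapper below is an added example, not one of the StoneBlog scripts; it assumes both scripts live under $SG_BIN (a hypothetical path), parses the report and upload-log formats shown in the two posts, and reads the Management Server password from a mode-0600 file instead of taking it on the command line.

```shell
#!/bin/sh
# Added example (not a StoneBlog script): validate a policy with sgPolicyCheck
# and call sgUploadFw only when the report contains nothing but warnings.
# Assumes both scripts are under $SG_BIN (hypothetical default path below).
SG_BIN="${SG_BIN:-/usr/local/stonegate/bin}"
# Constructed sample report, in the shape shown in the sgPolicyCheck post.
SAMPLE_REPORT='Validation of Firewall Policy verify-this-policy on Single Firewall FW-5000:
4 issues found.
  4 warnings found:
    2 Missing Definitions found.
      Rule @2.0
      Rule @3.0
    2 Unreachable Rules found.
      Rule @1006.0
      Rule @981.0'

# Sum the <n> of every "<n> <kind> found" line; kind is "issues" or "warnings".
count_found() {  # $1 = report text, $2 = kind
    printf '%s\n' "$1" | sed -n "s/^ *\([0-9][0-9]*\) $2 found.*/\1/p" \
        | awk '{ s += $1 } END { print s + 0 }'
}

# Rule tags the validator flagged, one per line ("2.0", "1006.0", ...).
flagged_rules() {  # $1 = report text
    printf '%s\n' "$1" | sed -n 's/^ *Rule @\(.*\)$/\1/p'
}

# Clean enough to install: total issue count equals warning count, so no other category is present.
only_warnings() {  # $1 = report text
    [ "$(count_found "$1" issues)" -eq "$(count_found "$1" warnings)" ]
}

# True when the upload log carries the success line for this cluster.
upload_succeeded() {  # $1 = upload log, $2 = cluster name
    printf '%s\n' "$1" | grep -q "^Policy installation successful for $2\$"
}

# Validate, then upload. The password is read from a mode-0600 file (GNU stat) instead
# of being typed on the command line; it is still handed to the scripts as pass=.
activate_policy() {  # $1 = SMC host, $2 = cluster, $3 = policy, $4 = password file
    [ "$(stat -c %a "$4")" = "600" ] || { echo "refusing: $4 is not mode 0600" >&2; return 2; }
    pass=$(cat "$4")
    report=$("$SG_BIN/sgPolicyCheck.sh" host="$1" login=root pass="$pass" cluster="$2" policy="$3")
    only_warnings "$report" || { echo "non-warning issues in $3 on $2:" >&2; flagged_rules "$report" >&2; return 1; }
    log=$("$SG_BIN/sgUploadFw.sh" host="$1" login=root pass="$pass" cluster="$2" policy="$3")
    upload_succeeded "$log" "$2"
}
```

Call it as `activate_policy 192.168.1.101 FW-5000 "DefCon 1" /etc/stonegate/smc.pass`; the exit status is 0 only when the policy validated with warnings at most and the upload log reported success.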

written by RoarinPenguin - 1,328 views

Jun 19

Thinking of an oxymoron? Nope… this is the first of a series of posts showing how it is possible to interact with SMC from a batch script, to automate tasks.

Scripts linked to these posts will remain available in StoneBlog Community under the StoneFiles repository for free download.

Needless to say, these are unsupported scripts, although I’ve tested them up to the latest release and they work nicely ;)

The first script I’d like to share is about automating some commands to a StoneGate Firewall/VPN or IPS Engine.

Continue reading »

written by RoarinPenguin - 1,513 views

Jun 11

My firewall sees this info, I want it in logs

Hints and Tips, Scripts -

It is common for distributed organizations to have multiple engines in different locations as the main gateways protecting the perimeter of the local network.

Sometimes the firewall sees information that is not specifically related to network security; still, this information could be very useful to collect centrally.

This post shows how it is possible to use StoneGate Central Log Processing to collect this information centrally.

Continue reading »

written by RoarinPenguin - 3,107 views

Jun 09

This article refers to a previous post in which I illustrated how to create a logging profile that allows a 3rd-party device's syslog stream to be received by StoneGate Log Server.

I’ll deepen this information in this post by showing how to go from log collection to centralized log processing and reporting, using an Apache Web Server as the log-sending device. The ultimate goal is to use some parsed data from the Web Server to create a basic report using the StoneGate Reporting functionality included in StoneGate Management Center.

Continue reading »

written by RoarinPenguin - 3,174 views

Jun 04

Generally we want, or it is mandatory, to use the Virtual IP feature with the StoneGate VPN client. But Virtual IP requires configuring DHCP relay to give an IP to the remote VPN client.

To clarify the situation on this topic: the way a virtual address is granted to the client changed in version 4.2.0, and further changes were introduced in FW 4.2.6.

Below you will find a description to help you configure and understand this DHCP part.

Continue reading »

written by Hokkyokuguma - 2,590 views