Wednesday, January 25, 2023

How to Monitor Checkpoint VPN Concurrent Users

Here are the steps to monitor Checkpoint VPN concurrent users using SNMP (Cacti).

1. I'm using Cacti version 1.2.15

2. Here is the screenshot



3. The Cacti template is attached below; import this template into your Cacti.

-------------------

<cacti>

<hash_000102076d1b2d114314e9557b44e14cf090dd>

<name>VPN - Connected Users</name>

<graph>

<t_title></t_title>

<title>|host_description| - Connected Users</title>

<t_vertical_label></t_vertical_label>

<vertical_label>No of Users</vertical_label>

<t_image_format_id></t_image_format_id>

<image_format_id>1</image_format_id>

<t_height></t_height>

<height>120</height>

<t_width></t_width>

<width>800</width>

<t_base_value></t_base_value>

<base_value>1</base_value>

<t_slope_mode></t_slope_mode>

<slope_mode>on</slope_mode>

<t_auto_scale></t_auto_scale>

<auto_scale>on</auto_scale>

<t_auto_scale_opts></t_auto_scale_opts>

<auto_scale_opts>2</auto_scale_opts>

<t_auto_scale_log></t_auto_scale_log>

<auto_scale_log></auto_scale_log>

<t_scale_log_units></t_scale_log_units>

<scale_log_units></scale_log_units>

<t_auto_scale_rigid></t_auto_scale_rigid>

<auto_scale_rigid></auto_scale_rigid>

<t_upper_limit></t_upper_limit>

<upper_limit>10000</upper_limit>

<t_lower_limit></t_lower_limit>

<lower_limit>0</lower_limit>

<t_unit_value></t_unit_value>

<unit_value></unit_value>

<t_unit_exponent_value></t_unit_exponent_value>

<unit_exponent_value></unit_exponent_value>

<t_unit_length></t_unit_length>

<unit_length></unit_length>

<t_no_gridfit></t_no_gridfit>

<no_gridfit></no_gridfit>

<t_alt_y_grid></t_alt_y_grid>

<alt_y_grid></alt_y_grid>

<t_right_axis></t_right_axis>

<right_axis></right_axis>

<t_right_axis_label></t_right_axis_label>

<right_axis_label></right_axis_label>

<t_right_axis_format></t_right_axis_format>

<right_axis_format>0</right_axis_format>

<t_right_axis_formatter></t_right_axis_formatter>

<right_axis_formatter>0</right_axis_formatter>

<t_left_axis_formatter></t_left_axis_formatter>

<left_axis_formatter>0</left_axis_formatter>

<t_auto_padding></t_auto_padding>

<auto_padding>on</auto_padding>

<t_dynamic_labels></t_dynamic_labels>

<dynamic_labels></dynamic_labels>

<t_force_rules_legend></t_force_rules_legend>

<force_rules_legend></force_rules_legend>

<t_tab_width></t_tab_width>

<tab_width>30</tab_width>

<t_legend_position></t_legend_position>

<legend_position>0</legend_position>

<t_legend_direction></t_legend_direction>

<legend_direction>0</legend_direction>

</graph>

<items>

<hash_100102f9087bbc3a33e6001a146f27a1b8fb94>

<graph_type_id>7</graph_type_id>

<task_item_id>hash_0801028be0de000ffa5df12bf6e211194d90fb</task_item_id>

<color_id>FFFF00</color_id>

<alpha>FF</alpha>

<consolidation_function_id>1</consolidation_function_id>

<cdef_id>0</cdef_id>

<vdef_id>0</vdef_id>

<shift></shift>

<value></value>

<gprint_id>hash_060102e9c43831e54eca8069317a2ce8c6f751</gprint_id>

<textalign></textalign>

<text_format>Connections</text_format>

<hard_return></hard_return>

<line_width>0.00</line_width>

<dashes></dashes>

<dash_offset>0</dash_offset>

<sequence>1</sequence>

</hash_100102f9087bbc3a33e6001a146f27a1b8fb94>

<hash_1001022daad84124129e57ebdc72c8a3fcfb42>

<graph_type_id>9</graph_type_id>

<task_item_id>hash_0801028be0de000ffa5df12bf6e211194d90fb</task_item_id>

<color_id>0</color_id>

<alpha>FF</alpha>

<consolidation_function_id>4</consolidation_function_id>

<cdef_id>0</cdef_id>

<vdef_id>0</vdef_id>

<shift></shift>

<value></value>

<gprint_id>hash_060102e9c43831e54eca8069317a2ce8c6f751</gprint_id>

<textalign></textalign>

<text_format>Current:</text_format>

<hard_return></hard_return>

<line_width>0.00</line_width>

<dashes></dashes>

<dash_offset>0</dash_offset>

<sequence>2</sequence>

</hash_1001022daad84124129e57ebdc72c8a3fcfb42>

<hash_100102799aba36e955f6222ed82846bd9e1c80>

<graph_type_id>9</graph_type_id>

<task_item_id>hash_0801028be0de000ffa5df12bf6e211194d90fb</task_item_id>

<color_id>0</color_id>

<alpha>FF</alpha>

<consolidation_function_id>1</consolidation_function_id>

<cdef_id>0</cdef_id>

<vdef_id>0</vdef_id>

<shift></shift>

<value></value>

<gprint_id>hash_060102e9c43831e54eca8069317a2ce8c6f751</gprint_id>

<textalign></textalign>

<text_format>Average:</text_format>

<hard_return></hard_return>

<line_width>0.00</line_width>

<dashes></dashes>

<dash_offset>0</dash_offset>

<sequence>3</sequence>

</hash_100102799aba36e955f6222ed82846bd9e1c80>

<hash_100102e4d2259dc46e9b3c3f55cbef6096ca73>

<graph_type_id>9</graph_type_id>

<task_item_id>hash_0801028be0de000ffa5df12bf6e211194d90fb</task_item_id>

<color_id>0</color_id>

<alpha>FF</alpha>

<consolidation_function_id>3</consolidation_function_id>

<cdef_id>0</cdef_id>

<vdef_id>0</vdef_id>

<shift></shift>

<value></value>

<gprint_id>hash_060102e9c43831e54eca8069317a2ce8c6f751</gprint_id>

<textalign></textalign>

<text_format>Max:</text_format>

<hard_return></hard_return>

<line_width>0.00</line_width>

<dashes></dashes>

<dash_offset>0</dash_offset>

<sequence>4</sequence>

</hash_100102e4d2259dc46e9b3c3f55cbef6096ca73>

<hash_10010278bb2e3bf1ef536dfd3d118f9c5b5809>

<graph_type_id>4</graph_type_id>

<task_item_id>hash_0801028be0de000ffa5df12bf6e211194d90fb</task_item_id>

<color_id>000000</color_id>

<alpha>FF</alpha>

<consolidation_function_id>3</consolidation_function_id>

<cdef_id>0</cdef_id>

<vdef_id>0</vdef_id>

<shift></shift>

<value></value>

<gprint_id>hash_060102e9c43831e54eca8069317a2ce8c6f751</gprint_id>

<textalign></textalign>

<text_format>Max</text_format>

<hard_return>on</hard_return>

<line_width>0.00</line_width>

<dashes></dashes>

<dash_offset>0</dash_offset>

<sequence>5</sequence>

</hash_10010278bb2e3bf1ef536dfd3d118f9c5b5809>

</items>

<inputs>

<hash_090102d7d6f3b9cfb6bfd0c5ff8326e37f671c>

<name>Data Source [vpnusers]</name>

<description></description>

<column_name>task_item_id</column_name>

<items>hash_000102f9087bbc3a33e6001a146f27a1b8fb94|hash_0001022daad84124129e57ebdc72c8a3fcfb42|hash_000102799aba36e955f6222ed82846bd9e1c80|hash_000102e4d2259dc46e9b3c3f55cbef6096ca73|hash_00010278bb2e3bf1ef536dfd3d118f9c5b5809</items>

</hash_090102d7d6f3b9cfb6bfd0c5ff8326e37f671c>

</inputs>

</hash_000102076d1b2d114314e9557b44e14cf090dd>

<hash_010102144d4166ef64cc27c40c3c836eb8f316>

<name>VPN - Concurrent Users</name>

<ds>

<t_name></t_name>

<name>|host_description| - Concurrent Users</name>

<data_source_path></data_source_path>

<data_input_id>hash_0301023eb92bb845b9660a7445cf9740726522</data_input_id>

<t_data_source_profile_id></t_data_source_profile_id>

<data_source_profile_id>hash_200102d62c52891f4f9688729a5bc9fad91b18</data_source_profile_id>

<t_rrd_step></t_rrd_step>

<rrd_step>300</rrd_step>

<t_active></t_active>

<active>on</active>

</ds>

<items>

<hash_0801028be0de000ffa5df12bf6e211194d90fb>

<t_data_source_name></t_data_source_name>

<data_source_name>vpnusers</data_source_name>

<t_rrd_minimum></t_rrd_minimum>

<rrd_minimum>0</rrd_minimum>

<t_rrd_maximum></t_rrd_maximum>

<rrd_maximum>U</rrd_maximum>

<t_data_source_type_id></t_data_source_type_id>

<data_source_type_id>1</data_source_type_id>

<t_rrd_heartbeat></t_rrd_heartbeat>

<rrd_heartbeat>600</rrd_heartbeat>

<t_data_input_field_id></t_data_input_field_id>

<data_input_field_id>0</data_input_field_id>

</hash_0801028be0de000ffa5df12bf6e211194d90fb>

</items>

<data>

<item_000>

<data_input_field_id>hash_07010292f5906c8dc0f964b41f4253df582c38</data_input_field_id>

<t_value></t_value>

<value></value>

</item_000>

<item_001>

<data_input_field_id>hash_07010232285d5bf16e56c478f5e83f32cda9ef</data_input_field_id>

<t_value></t_value>

<value></value>

</item_001>

<item_002>

<data_input_field_id>hash_070102ad14ac90641aed388139f6ba86a2e48b</data_input_field_id>

<t_value></t_value>

<value></value>

</item_002>

<item_003>

<data_input_field_id>hash_0701029c55a74bd571b4f00a96fd4b793278c6</data_input_field_id>

<t_value></t_value>

<value></value>

</item_003>

<item_004>

<data_input_field_id>hash_070102012ccb1d3687d3edb29c002ea66e72da</data_input_field_id>

<t_value></t_value>

<value></value>

</item_004>

<item_005>

<data_input_field_id>hash_0701024276a5ec6e3fe33995129041b1909762</data_input_field_id>

<t_value></t_value>

<value>.1.3.6.1.4.1.2620.1.2.5.2.3.0</value>

</item_005>

<item_006>

<data_input_field_id>hash_070102fc64b99742ec417cc424dbf8c7692d36</data_input_field_id>

<t_value></t_value>

<value></value>

</item_006>

<item_007>

<data_input_field_id>hash_07010220832ce12f099c8e54140793a091af90</data_input_field_id>

<t_value></t_value>

<value></value>

</item_007>

<item_008>

<data_input_field_id>hash_070102c60c9aac1e1b3555ea0620b8bbfd82cb</data_input_field_id>

<t_value></t_value>

<value></value>

</item_008>

<item_009>

<data_input_field_id>hash_070102feda162701240101bc74148415ef415a</data_input_field_id>

<t_value></t_value>

<value></value>

</item_009>

</data>

</hash_010102144d4166ef64cc27c40c3c836eb8f316>

<hash_0301023eb92bb845b9660a7445cf9740726522>

<name>Get SNMP Data</name>

<type_id>2</type_id>

<input_string></input_string>

<fields>

<hash_07010292f5906c8dc0f964b41f4253df582c38>

<name>SNMP IP Address</name>

<update_rra></update_rra>

<regexp_match></regexp_match>

<allow_nulls></allow_nulls>

<type_code>hostname</type_code>

<input_output>in</input_output>

<data_name>management_ip</data_name>

</hash_07010292f5906c8dc0f964b41f4253df582c38>

<hash_07010232285d5bf16e56c478f5e83f32cda9ef>

<name>SNMP Community</name>

<update_rra></update_rra>

<regexp_match></regexp_match>

<allow_nulls></allow_nulls>

<type_code>snmp_community</type_code>

<input_output>in</input_output>

<data_name>snmp_community</data_name>

</hash_07010232285d5bf16e56c478f5e83f32cda9ef>

<hash_070102ad14ac90641aed388139f6ba86a2e48b>

<name>SNMP Username</name>

<update_rra></update_rra>

<regexp_match></regexp_match>

<allow_nulls>on</allow_nulls>

<type_code>snmp_username</type_code>

<input_output>in</input_output>

<data_name>snmp_username</data_name>

</hash_070102ad14ac90641aed388139f6ba86a2e48b>

<hash_0701029c55a74bd571b4f00a96fd4b793278c6>

<name>SNMP Password</name>

<update_rra></update_rra>

<regexp_match></regexp_match>

<allow_nulls>on</allow_nulls>

<type_code>snmp_password</type_code>

<input_output>in</input_output>

<data_name>snmp_password</data_name>

</hash_0701029c55a74bd571b4f00a96fd4b793278c6>

<hash_070102012ccb1d3687d3edb29c002ea66e72da>

<name>SNMP Version (1, 2, or 3)</name>

<update_rra></update_rra>

<regexp_match></regexp_match>

<allow_nulls>on</allow_nulls>

<type_code>snmp_version</type_code>

<input_output>in</input_output>

<data_name>snmp_version</data_name>

</hash_070102012ccb1d3687d3edb29c002ea66e72da>

<hash_0701024276a5ec6e3fe33995129041b1909762>

<name>OID</name>

<update_rra></update_rra>

<regexp_match></regexp_match>

<allow_nulls></allow_nulls>

<type_code>snmp_oid</type_code>

<input_output>in</input_output>

<data_name>oid</data_name>

</hash_0701024276a5ec6e3fe33995129041b1909762>

<hash_070102fc64b99742ec417cc424dbf8c7692d36>

<name>SNMP Port</name>

<update_rra></update_rra>

<regexp_match></regexp_match>

<allow_nulls></allow_nulls>

<type_code>snmp_port</type_code>

<input_output>in</input_output>

<data_name>snmp_port</data_name>

</hash_070102fc64b99742ec417cc424dbf8c7692d36>

<hash_07010220832ce12f099c8e54140793a091af90>

<name>SNMP Authenticaion Protocol (v3)</name>

<update_rra></update_rra>

<regexp_match></regexp_match>

<allow_nulls></allow_nulls>

<type_code>snmp_auth_protocol</type_code>

<input_output>in</input_output>

<data_name>snmp_auth_protocol</data_name>

</hash_07010220832ce12f099c8e54140793a091af90>

<hash_070102c60c9aac1e1b3555ea0620b8bbfd82cb>

<name>SNMP Privacy Passphrase (v3)</name>

<update_rra></update_rra>

<regexp_match></regexp_match>

<allow_nulls></allow_nulls>

<type_code>snmp_priv_passphrase</type_code>

<input_output>in</input_output>

<data_name>snmp_priv_passphrase</data_name>

</hash_070102c60c9aac1e1b3555ea0620b8bbfd82cb>

<hash_070102feda162701240101bc74148415ef415a>

<name>SNMP Privacy Protocol (v3)</name>

<update_rra></update_rra>

<regexp_match></regexp_match>

<allow_nulls></allow_nulls>

<type_code>snmp_priv_protocol</type_code>

<input_output>in</input_output>

<data_name>snmp_priv_protocol</data_name>

</hash_070102feda162701240101bc74148415ef415a>

</fields>

</hash_0301023eb92bb845b9660a7445cf9740726522>

<hash_200102d62c52891f4f9688729a5bc9fad91b18>

<name>5 Minute Collection</name>

<step>300</step>

<heartbeat>600</heartbeat>

<x_files_factor>0.5</x_files_factor>

<default>on</default>

<cf_items>1|2|3|4</cf_items>

<items>

<item_000>

<name>Daily (5 Minute Average)</name>

<steps>1</steps>

<rows>600</rows>

<timespan>86400</timespan>

</item_000>

<item_001>

<name>Weekly (30 Minute Average)</name>

<steps>6</steps>

<rows>700</rows>

<timespan>604800</timespan>

</item_001>

<item_002>

<name>Monthly (2 Hour Average)</name>

<steps>24</steps>

<rows>775</rows>

<timespan>2618784</timespan>

</item_002>

<item_003>

<name>Yearly (1 Day Average)</name>

<steps>288</steps>

<rows>797</rows>

<timespan>31536000</timespan>

</item_003>

</items>

</hash_200102d62c52891f4f9688729a5bc9fad91b18>

<hash_060102e9c43831e54eca8069317a2ce8c6f751>

<name>Normal</name>

<gprint_text>%8.2lf%s</gprint_text>

</hash_060102e9c43831e54eca8069317a2ce8c6f751>

</cacti>

-------------------


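4. Enable SNMP on your Checkpoint VPN gateway (make sure the interface is the correct one). With agent-version any the gateway also answers SNMP v1/v2c, where the community string crosses the network in cleartext, so replace the community string below with your own.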

set snmp mode default

set snmp agent on

set snmp agent-version any

set snmp community PbCsNE01 read-only

add snmp interface eth1-01

5. Add a firewall rule allowing connections from your Cacti server to the VPN gateway.



Thursday, January 19, 2023

SSL Certificate Management

1. Convert between certificate formats

a. From PEM (Apache) format to PFX (IIS) – if we have the intermediate and root CA certificates (openssl pkcs12 reads only one -in file, so the CA certificates are bundled and passed with -certfile)

cat INTERMEDIATE-CA.crt ROOT-CA.crt > CA-CHAIN.crt

openssl pkcs12 -export -out NEW-CERTIFICATE.pfx -inkey PRIVATE-KEY.key -in NEW-CERTIFICATE.crt -certfile CA-CHAIN.crt

b. From PEM (Apache) format to PFX (IIS) – if we don’t have the intermediate and root CA certificates

openssl pkcs12 -export -out NEW-CERTIFICATE.pfx -inkey PRIVATE-KEY.key -in NEW-CERTIFICATE.crt

c. From PFX (IIS) to PEM (Apache). The -nodes option writes the private key unencrypted, so restrict access to the output file.

openssl pkcs12 -in NEW-CERTIFICATE.pfx -nodes -out NEW-CERTIFICATE.pem


2. Compare the public keys of two certificates to ensure they are the same (useful when using certificate pinning). Run the commands below in a Linux environment.

openssl x509 -noout -modulus -in OLD-CERTIFICATE.crt | openssl md5

openssl x509 -noout -modulus -in NEW-CERTIFICATE.crt | openssl md5
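
The modulus comparison above applies to RSA keys only. As an added example (not part of the original post), the script below compares the SHA-256 hash of each certificate's SubjectPublicKeyInfo, the value commonly used for pinning, which also covers EC keys. The file names, the example.test subject and the throwaway certificates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: compare two certificates by the SHA-256 hash of their
# SubjectPublicKeyInfo (SPKI). Works for RSA and EC keys alike.

# spki_pin CERT -> base64(SHA-256(DER-encoded SPKI)) on stdout
spki_pin() {
    pin_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    printf '%s\n' "$pin_pub" \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 -binary \
        | openssl base64
}

# same_public_key OLD NEW -> 0 same key, 1 different key, 2 unreadable input
same_public_key() {
    pin_old=$(spki_pin "$1") || return 2
    pin_new=$(spki_pin "$2") || return 2
    [ "$pin_old" = "$pin_new" ]
}

# make_demo_certs DIR: constructed sample input. OLD.crt and RENEWED.crt
# share one EC key; OTHER.crt is issued for a freshly generated key.
make_demo_certs() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$1/site.key" -out "$1/OLD.crt" -subj "/CN=example.test" \
        -days 1 2>/dev/null &&
    openssl req -x509 -key "$1/site.key" -out "$1/RENEWED.crt" \
        -subj "/CN=example.test" -days 2 2>/dev/null &&
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$1/other.key" -out "$1/OTHER.crt" -subj "/CN=example.test" \
        -days 1 2>/dev/null
}

demo_dir=$(mktemp -d)
if make_demo_certs "$demo_dir"; then
    same_public_key "$demo_dir/OLD.crt" "$demo_dir/RENEWED.crt" \
        && echo "RENEWED.crt: same key, existing pin stays valid"
    same_public_key "$demo_dir/OLD.crt" "$demo_dir/OTHER.crt" \
        || echo "OTHER.crt: key changed, pin must be updated"
fi
rm -rf "$demo_dir"
```
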

Nginx tuning to be able to handle 50000 requests

1. Set the following kernel parameters (vi /etc/sysctl.conf)

fs.file-max = 50000

net.ipv4.tcp_fin_timeout = 15

2. Set the soft and hard limits for the nginx user (vi /etc/security/limits.conf)

nginx       soft    nofile   10000

nginx       hard    nofile   50000

3. Set the worker processes to 10 and the worker rlimit to 50000 (vim /etc/nginx/nginx.conf)




Palo Alto Disk Usage Management

These are some useful commands to manage Palo Alto Firewall disk usage:

1. Enable aggressive Aging
debug software disk-usage aggressive-cleaning enable
2. Delete based on threshold
debug software disk-usage cleanup deep threshold 90
3. Set Threshold via Web
Device > Setup > scroll down to Logging and Reporting Settings