Friday, October 25, 2024

Monitoring maximum NAT usage on Checkpoint Firewall

In some cases on an internet-facing firewall, we found that connections failed because NAT was exhausted. By default on R81.0, Checkpoint assigns 50,000 NAT ports to be used by each IP.

Here is a sample graph for NAT monitoring:



On a Checkpoint firewall, NAT usage can be monitored via SNMP. Here are the OIDs:

Number of NAT ports used   : .1.3.6.1.4.1.2620.1.56.1301.3.1.7.1.0

Percentage of NAT usage    : .1.3.6.1.4.1.2620.1.56.1301.3.1.9.1.0

You can use any tool to graph the OIDs above.

Please note that those OIDs refer to the connections that are using the most NAT ports, i.e. the single busiest consumer rather than a total across all NAT IPs.
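As an added example (not code from the original post), the following POSIX shell check reads the two OIDs above from snmpget -On output and returns Nagios-style exit codes. The sample output, the 80/90 thresholds and the cross-check against the 50,000-port default are the example's own assumptions.

```shell
# Added example (not from the post): threshold check over the two NAT OIDs.
OID_NAT_USED=".1.3.6.1.4.1.2620.1.56.1301.3.1.7.1.0"   # number of NAT ports used
OID_NAT_PCT=".1.3.6.1.4.1.2620.1.56.1301.3.1.9.1.0"    # percentage of NAT usage
POOL_PER_IP=50000   # default hide-NAT ports per IP on R81.0, as stated in the post

# Constructed snmpget -On output (not a real capture) for the stand-alone run.
SAMPLE_SNMPGET='.1.3.6.1.4.1.2620.1.56.1301.3.1.7.1.0 = Gauge32: 46000
.1.3.6.1.4.1.2620.1.56.1301.3.1.9.1.0 = Gauge32: 92'

# Print the integer value of one OID from snmpget -On output on stdin.
# "No Such Object" lines end in a non-numeric field and so print nothing.
oid_value() {
    awk -v oid="$1" '$1 == oid && $NF ~ /^[0-9]+$/ { print $NF }'
}

# Nagios-style check: prints "STATUS - detail"; exit 0/1/2/3 = OK/WARNING/CRITICAL/UNKNOWN.
# The percentage OID is authoritative; the port count is cross-checked against
# POOL_PER_IP so a gateway with a non-default pool size is called out.
nat_status() {
    warn=${1:-80}; crit=${2:-90}
    out=$(cat)
    used=$(printf '%s\n' "$out" | oid_value "$OID_NAT_USED")
    pct=$(printf '%s\n' "$out" | oid_value "$OID_NAT_PCT")
    if [ -z "$used" ] && [ -z "$pct" ]; then
        echo "UNKNOWN - NAT OIDs not returned (check SNMP version, ACL and gateway release)"
        return 3
    fi
    note=""
    if [ -n "$used" ]; then
        derived=$((used * 100 / POOL_PER_IP))
        if [ -z "$pct" ]; then
            pct=$derived
        elif [ $((pct - derived)) -gt 5 ] || [ $((derived - pct)) -gt 5 ]; then
            note=" (note: $used/$POOL_PER_IP ports = $derived%, pool size may differ from default)"
        fi
        detail="$pct% of pool, $used ports used by the top NAT consumer$note"
    else
        detail="$pct% of pool used by the top NAT consumer"
    fi
    if [ "$pct" -ge "$crit" ]; then echo "CRITICAL - $detail"; return 2; fi
    if [ "$pct" -ge "$warn" ]; then echo "WARNING - $detail"; return 1; fi
    echo "OK - $detail"
    return 0
}

# Stand-alone run on the sample. Against a real gateway, pipe snmpget in instead, e.g.
#   snmpget -v3 -l authPriv -u "$USER" -a SHA -A "$AUTHPASS" -x AES -X "$PRIVPASS" \
#       -On "$GATEWAY" "$OID_NAT_USED" "$OID_NAT_PCT" | nat_status 80 90
status=0
printf '%s\n' "$SAMPLE_SNMPGET" | nat_status 80 90 || status=$?
echo "exit status: $status"
```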

For Cacti, here is the graph template that can be used:

<cacti>
  <hash_000102b7faeb81cf164d3c638b4064b9666805>
    <name>Checkpoint - NAT Port Usage</name>
    <graph>
      <t_title></t_title>
      <title>|host_description| - Checkpoint NAT Port Usage</title>
      <t_vertical_label></t_vertical_label>
      <vertical_label>NAT ports / percent</vertical_label>
      <t_image_format_id></t_image_format_id>
      <image_format_id>1</image_format_id>
      <t_height></t_height>
      <height>120</height>
      <t_width></t_width>
      <width>800</width>
      <t_base_value></t_base_value>
      <base_value>1</base_value>
      <t_slope_mode></t_slope_mode>
      <slope_mode>on</slope_mode>
      <t_auto_scale></t_auto_scale>
      <auto_scale>on</auto_scale>
      <t_auto_scale_opts></t_auto_scale_opts>
      <auto_scale_opts>2</auto_scale_opts>
      <t_auto_scale_log></t_auto_scale_log>
      <auto_scale_log></auto_scale_log>
      <t_scale_log_units></t_scale_log_units>
      <scale_log_units></scale_log_units>
      <t_auto_scale_rigid></t_auto_scale_rigid>
      <auto_scale_rigid></auto_scale_rigid>
      <t_upper_limit></t_upper_limit>
      <upper_limit>10000</upper_limit>
      <t_lower_limit></t_lower_limit>
      <lower_limit>0</lower_limit>
      <t_unit_value></t_unit_value>
      <unit_value></unit_value>
      <t_unit_exponent_value></t_unit_exponent_value>
      <unit_exponent_value></unit_exponent_value>
      <t_unit_length></t_unit_length>
      <unit_length></unit_length>
      <t_no_gridfit></t_no_gridfit>
      <no_gridfit></no_gridfit>
      <t_alt_y_grid></t_alt_y_grid>
      <alt_y_grid></alt_y_grid>
      <t_right_axis></t_right_axis>
      <right_axis></right_axis>
      <t_right_axis_label></t_right_axis_label>
      <right_axis_label></right_axis_label>
      <t_right_axis_format></t_right_axis_format>
      <right_axis_format>0</right_axis_format>
      <t_right_axis_formatter></t_right_axis_formatter>
      <right_axis_formatter>0</right_axis_formatter>
      <t_left_axis_formatter></t_left_axis_formatter>
      <left_axis_formatter>0</left_axis_formatter>
      <t_auto_padding></t_auto_padding>
      <auto_padding>on</auto_padding>
      <t_dynamic_labels></t_dynamic_labels>
      <dynamic_labels></dynamic_labels>
      <t_force_rules_legend></t_force_rules_legend>
      <force_rules_legend></force_rules_legend>
      <t_tab_width></t_tab_width>
      <tab_width>30</tab_width>
      <t_legend_position></t_legend_position>
      <legend_position>0</legend_position>
      <t_legend_direction></t_legend_direction>
      <legend_direction>0</legend_direction>
    </graph>
    <items>
      <hash_100102dbf95855760e38870c660f958dff393c>
        <graph_type_id>4</graph_type_id>
        <task_item_id>hash_080102016a584d0faa5554e624a627ca036a76</task_item_id>
        <color_id>00A348</color_id>
        <alpha>FF</alpha>
        <consolidation_function_id>4</consolidation_function_id>
        <cdef_id>0</cdef_id>
        <vdef_id>0</vdef_id>
        <shift></shift>
        <value></value>
        <gprint_id>hash_060102e9c43831e54eca8069317a2ce8c6f751</gprint_id>
        <textalign></textalign>
        <text_format>Highest Number of NAT Port Used</text_format>
        <hard_return></hard_return>
        <line_width>0.00</line_width>
        <dashes></dashes>
        <dash_offset>0</dash_offset>
        <sequence>1</sequence>
      </hash_100102dbf95855760e38870c660f958dff393c>
      <hash_100102d01ed451d582f491958658889bfd7f16>
        <graph_type_id>9</graph_type_id>
        <task_item_id>hash_080102016a584d0faa5554e624a627ca036a76</task_item_id>
        <color_id>0</color_id>
        <alpha>FF</alpha>
        <consolidation_function_id>4</consolidation_function_id>
        <cdef_id>0</cdef_id>
        <vdef_id>0</vdef_id>
        <shift></shift>
        <value></value>
        <gprint_id>hash_060102e9c43831e54eca8069317a2ce8c6f751</gprint_id>
        <textalign></textalign>
        <text_format>Current:</text_format>
        <hard_return></hard_return>
        <line_width>1.00</line_width>
        <dashes></dashes>
        <dash_offset>0</dash_offset>
        <sequence>2</sequence>
      </hash_100102d01ed451d582f491958658889bfd7f16>
      <hash_100102d1b24e91115e0e33f0d159876e2ab123>
        <graph_type_id>9</graph_type_id>
        <task_item_id>hash_080102016a584d0faa5554e624a627ca036a76</task_item_id>
        <color_id>000000</color_id>
        <alpha>FF</alpha>
        <consolidation_function_id>3</consolidation_function_id>
        <cdef_id>0</cdef_id>
        <vdef_id>0</vdef_id>
        <shift></shift>
        <value></value>
        <gprint_id>hash_060102e9c43831e54eca8069317a2ce8c6f751</gprint_id>
        <textalign></textalign>
        <text_format>Max:</text_format>
        <hard_return>on</hard_return>
        <line_width>1.00</line_width>
        <dashes></dashes>
        <dash_offset>0</dash_offset>
        <sequence>3</sequence>
      </hash_100102d1b24e91115e0e33f0d159876e2ab123>
      <hash_100102406a8e435792be8a787f6abc2d096d64>
        <graph_type_id>4</graph_type_id>
        <task_item_id>hash_080102d932f127aad060310c6c50a567cad4b9</task_item_id>
        <color_id>F70D1A</color_id>
        <alpha>FF</alpha>
        <consolidation_function_id>4</consolidation_function_id>
        <cdef_id>0</cdef_id>
        <vdef_id>0</vdef_id>
        <shift></shift>
        <value></value>
        <gprint_id>hash_060102e9c43831e54eca8069317a2ce8c6f751</gprint_id>
        <textalign></textalign>
        <text_format>NAT Usage Percentage</text_format>
        <hard_return></hard_return>
        <line_width>0.00</line_width>
        <dashes></dashes>
        <dash_offset>0</dash_offset>
        <sequence>4</sequence>
      </hash_100102406a8e435792be8a787f6abc2d096d64>
      <hash_100102adf4c8fa70cde57415d8e386cb24f989>
        <graph_type_id>9</graph_type_id>
        <task_item_id>hash_080102d932f127aad060310c6c50a567cad4b9</task_item_id>
        <color_id>0</color_id>
        <alpha>FF</alpha>
        <consolidation_function_id>4</consolidation_function_id>
        <cdef_id>0</cdef_id>
        <vdef_id>0</vdef_id>
        <shift></shift>
        <value></value>
        <gprint_id>hash_060102e9c43831e54eca8069317a2ce8c6f751</gprint_id>
        <textalign></textalign>
        <text_format>Current:</text_format>
        <hard_return></hard_return>
        <line_width>1.00</line_width>
        <dashes></dashes>
        <dash_offset>0</dash_offset>
        <sequence>5</sequence>
      </hash_100102adf4c8fa70cde57415d8e386cb24f989>
      <hash_100102b8a9df7442af68f4f741287a280fb2a7>
        <graph_type_id>9</graph_type_id>
        <task_item_id>hash_080102d932f127aad060310c6c50a567cad4b9</task_item_id>
        <color_id>0</color_id>
        <alpha>FF</alpha>
        <consolidation_function_id>3</consolidation_function_id>
        <cdef_id>0</cdef_id>
        <vdef_id>0</vdef_id>
        <shift></shift>
        <value></value>
        <gprint_id>hash_060102e9c43831e54eca8069317a2ce8c6f751</gprint_id>
        <textalign></textalign>
        <text_format>Max:</text_format>
        <hard_return>on</hard_return>
        <line_width>1.00</line_width>
        <dashes></dashes>
        <dash_offset>0</dash_offset>
        <sequence>6</sequence>
      </hash_100102b8a9df7442af68f4f741287a280fb2a7>
    </items>
    <inputs>
      <hash_0901026a3e7759f28ea124c093203bee23a19c>
        <name>Data Source [cpnatused]</name>
        <description></description>
        <column_name>task_item_id</column_name>
        <items>hash_000102dbf95855760e38870c660f958dff393c|hash_000102d01ed451d582f491958658889bfd7f16|hash_000102d1b24e91115e0e33f0d159876e2ab123</items>
      </hash_0901026a3e7759f28ea124c093203bee23a19c>
      <hash_090102d6073cd9799f8c752e94c8921e772ea9>
        <name>Data Source [cpnatpercentage]</name>
        <description></description>
        <column_name>task_item_id</column_name>
        <items>hash_000102406a8e435792be8a787f6abc2d096d64|hash_000102adf4c8fa70cde57415d8e386cb24f989|hash_000102b8a9df7442af68f4f741287a280fb2a7</items>
      </hash_090102d6073cd9799f8c752e94c8921e772ea9>
    </inputs>
  </hash_000102b7faeb81cf164d3c638b4064b9666805>
  <hash_01010284e90a9963452154952e108c85b74b0d>
    <name>Checkpoint - Number of NAT Usage</name>
    <ds>
      <t_name></t_name>
      <name>|host_description| - Number of NAT Port Used</name>
      <data_source_path></data_source_path>
      <data_input_id>hash_0301023eb92bb845b9660a7445cf9740726522</data_input_id>
      <t_data_source_profile_id></t_data_source_profile_id>
      <data_source_profile_id>hash_200102d62c52891f4f9688729a5bc9fad91b18</data_source_profile_id>
      <t_rrd_step></t_rrd_step>
      <rrd_step>300</rrd_step>
      <t_active></t_active>
      <active>on</active>
    </ds>
    <items>
      <hash_080102016a584d0faa5554e624a627ca036a76>
        <t_data_source_name></t_data_source_name>
        <data_source_name>cpnatused</data_source_name>
        <t_rrd_minimum></t_rrd_minimum>
        <rrd_minimum>0</rrd_minimum>
        <t_rrd_maximum></t_rrd_maximum>
        <rrd_maximum>U</rrd_maximum>
        <t_data_source_type_id></t_data_source_type_id>
        <data_source_type_id>1</data_source_type_id>
        <t_rrd_heartbeat></t_rrd_heartbeat>
        <rrd_heartbeat>600</rrd_heartbeat>
        <t_data_input_field_id></t_data_input_field_id>
        <data_input_field_id>0</data_input_field_id>
      </hash_080102016a584d0faa5554e624a627ca036a76>
    </items>
    <data>
      <item_000>
        <data_input_field_id>hash_07010292f5906c8dc0f964b41f4253df582c38</data_input_field_id>
        <t_value></t_value>
        <value></value>
      </item_000>
      <item_001>
        <data_input_field_id>hash_07010232285d5bf16e56c478f5e83f32cda9ef</data_input_field_id>
        <t_value></t_value>
        <value></value>
      </item_001>
      <item_002>
        <data_input_field_id>hash_070102ad14ac90641aed388139f6ba86a2e48b</data_input_field_id>
        <t_value></t_value>
        <value></value>
      </item_002>
      <item_003>
        <data_input_field_id>hash_0701029c55a74bd571b4f00a96fd4b793278c6</data_input_field_id>
        <t_value></t_value>
        <value></value>
      </item_003>
      <item_004>
        <data_input_field_id>hash_070102012ccb1d3687d3edb29c002ea66e72da</data_input_field_id>
        <t_value></t_value>
        <value>2</value>
      </item_004>
      <item_005>
        <data_input_field_id>hash_0701024276a5ec6e3fe33995129041b1909762</data_input_field_id>
        <t_value></t_value>
        <value>.1.3.6.1.4.1.2620.1.56.1301.3.1.7.1.0</value>
      </item_005>
      <item_006>
        <data_input_field_id>hash_070102fc64b99742ec417cc424dbf8c7692d36</data_input_field_id>
        <t_value></t_value>
        <value></value>
      </item_006>
      <item_007>
        <data_input_field_id>hash_07010220832ce12f099c8e54140793a091af90</data_input_field_id>
        <t_value></t_value>
        <value></value>
      </item_007>
      <item_008>
        <data_input_field_id>hash_070102c60c9aac1e1b3555ea0620b8bbfd82cb</data_input_field_id>
        <t_value></t_value>
        <value></value>
      </item_008>
      <item_009>
        <data_input_field_id>hash_070102feda162701240101bc74148415ef415a</data_input_field_id>
        <t_value></t_value>
        <value></value>
      </item_009>
    </data>
  </hash_01010284e90a9963452154952e108c85b74b0d>
  <hash_0101026c7c3ccd579778b4e0cd13bb8e9e1001>
    <name>Checkpoint - NAT Usage Percentage</name>
    <ds>
      <t_name></t_name>
      <name>|host_description| - Percentage of NAT Port Used</name>
      <data_source_path></data_source_path>
      <data_input_id>hash_0301023eb92bb845b9660a7445cf9740726522</data_input_id>
      <t_data_source_profile_id></t_data_source_profile_id>
      <data_source_profile_id>hash_200102d62c52891f4f9688729a5bc9fad91b18</data_source_profile_id>
      <t_rrd_step></t_rrd_step>
      <rrd_step>300</rrd_step>
      <t_active></t_active>
      <active>on</active>
    </ds>
    <items>
      <hash_080102d932f127aad060310c6c50a567cad4b9>
        <t_data_source_name></t_data_source_name>
        <data_source_name>cpnatpercentage</data_source_name>
        <t_rrd_minimum></t_rrd_minimum>
        <rrd_minimum>0</rrd_minimum>
        <t_rrd_maximum></t_rrd_maximum>
        <rrd_maximum>U</rrd_maximum>
        <t_data_source_type_id></t_data_source_type_id>
        <data_source_type_id>1</data_source_type_id>
        <t_rrd_heartbeat></t_rrd_heartbeat>
        <rrd_heartbeat>600</rrd_heartbeat>
        <t_data_input_field_id></t_data_input_field_id>
        <data_input_field_id>0</data_input_field_id>
      </hash_080102d932f127aad060310c6c50a567cad4b9>
    </items>
    <data>
      <item_000>
        <data_input_field_id>hash_07010292f5906c8dc0f964b41f4253df582c38</data_input_field_id>
        <t_value></t_value>
        <value></value>
      </item_000>
      <item_001>
        <data_input_field_id>hash_07010232285d5bf16e56c478f5e83f32cda9ef</data_input_field_id>
        <t_value></t_value>
        <value></value>
      </item_001>
      <item_002>
        <data_input_field_id>hash_070102ad14ac90641aed388139f6ba86a2e48b</data_input_field_id>
        <t_value></t_value>
        <value></value>
      </item_002>
      <item_003>
        <data_input_field_id>hash_0701029c55a74bd571b4f00a96fd4b793278c6</data_input_field_id>
        <t_value></t_value>
        <value></value>
      </item_003>
      <item_004>
        <data_input_field_id>hash_070102012ccb1d3687d3edb29c002ea66e72da</data_input_field_id>
        <t_value></t_value>
        <value></value>
      </item_004>
      <item_005>
        <data_input_field_id>hash_0701024276a5ec6e3fe33995129041b1909762</data_input_field_id>
        <t_value></t_value>
        <value>.1.3.6.1.4.1.2620.1.56.1301.3.1.9.1.0</value>
      </item_005>
      <item_006>
        <data_input_field_id>hash_070102fc64b99742ec417cc424dbf8c7692d36</data_input_field_id>
        <t_value></t_value>
        <value></value>
      </item_006>
      <item_007>
        <data_input_field_id>hash_07010220832ce12f099c8e54140793a091af90</data_input_field_id>
        <t_value></t_value>
        <value></value>
      </item_007>
      <item_008>
        <data_input_field_id>hash_070102c60c9aac1e1b3555ea0620b8bbfd82cb</data_input_field_id>
        <t_value></t_value>
        <value></value>
      </item_008>
      <item_009>
        <data_input_field_id>hash_070102feda162701240101bc74148415ef415a</data_input_field_id>
        <t_value></t_value>
        <value></value>
      </item_009>
    </data>
  </hash_0101026c7c3ccd579778b4e0cd13bb8e9e1001>
  <hash_0301023eb92bb845b9660a7445cf9740726522>
    <name>Get SNMP Data</name>
    <type_id>2</type_id>
    <input_string></input_string>
    <fields>
      <hash_07010292f5906c8dc0f964b41f4253df582c38>
        <name>SNMP IP Address</name>
        <update_rra></update_rra>
        <regexp_match></regexp_match>
        <allow_nulls></allow_nulls>
        <type_code>hostname</type_code>
        <input_output>in</input_output>
        <data_name>management_ip</data_name>
      </hash_07010292f5906c8dc0f964b41f4253df582c38>
      <hash_07010232285d5bf16e56c478f5e83f32cda9ef>
        <name>SNMP Community</name>
        <update_rra></update_rra>
        <regexp_match></regexp_match>
        <allow_nulls></allow_nulls>
        <type_code>snmp_community</type_code>
        <input_output>in</input_output>
        <data_name>snmp_community</data_name>
      </hash_07010232285d5bf16e56c478f5e83f32cda9ef>
      <hash_070102ad14ac90641aed388139f6ba86a2e48b>
        <name>SNMP Username</name>
        <update_rra></update_rra>
        <regexp_match></regexp_match>
        <allow_nulls>on</allow_nulls>
        <type_code>snmp_username</type_code>
        <input_output>in</input_output>
        <data_name>snmp_username</data_name>
      </hash_070102ad14ac90641aed388139f6ba86a2e48b>
      <hash_0701029c55a74bd571b4f00a96fd4b793278c6>
        <name>SNMP Password</name>
        <update_rra></update_rra>
        <regexp_match></regexp_match>
        <allow_nulls>on</allow_nulls>
        <type_code>snmp_password</type_code>
        <input_output>in</input_output>
        <data_name>snmp_password</data_name>
      </hash_0701029c55a74bd571b4f00a96fd4b793278c6>
      <hash_070102012ccb1d3687d3edb29c002ea66e72da>
        <name>SNMP Version (1, 2, or 3)</name>
        <update_rra></update_rra>
        <regexp_match></regexp_match>
        <allow_nulls>on</allow_nulls>
        <type_code>snmp_version</type_code>
        <input_output>in</input_output>
        <data_name>snmp_version</data_name>
      </hash_070102012ccb1d3687d3edb29c002ea66e72da>
      <hash_0701024276a5ec6e3fe33995129041b1909762>
        <name>OID</name>
        <update_rra></update_rra>
        <regexp_match></regexp_match>
        <allow_nulls></allow_nulls>
        <type_code>snmp_oid</type_code>
        <input_output>in</input_output>
        <data_name>oid</data_name>
      </hash_0701024276a5ec6e3fe33995129041b1909762>
      <hash_070102fc64b99742ec417cc424dbf8c7692d36>
        <name>SNMP Port</name>
        <update_rra></update_rra>
        <regexp_match></regexp_match>
        <allow_nulls></allow_nulls>
        <type_code>snmp_port</type_code>
        <input_output>in</input_output>
        <data_name>snmp_port</data_name>
      </hash_070102fc64b99742ec417cc424dbf8c7692d36>
      <hash_07010220832ce12f099c8e54140793a091af90>
        <name>SNMP Authenticaion Protocol (v3)</name>
        <update_rra></update_rra>
        <regexp_match></regexp_match>
        <allow_nulls></allow_nulls>
        <type_code>snmp_auth_protocol</type_code>
        <input_output>in</input_output>
        <data_name>snmp_auth_protocol</data_name>
      </hash_07010220832ce12f099c8e54140793a091af90>
      <hash_070102c60c9aac1e1b3555ea0620b8bbfd82cb>
        <name>SNMP Privacy Passphrase (v3)</name>
        <update_rra></update_rra>
        <regexp_match></regexp_match>
        <allow_nulls></allow_nulls>
        <type_code>snmp_priv_passphrase</type_code>
        <input_output>in</input_output>
        <data_name>snmp_priv_passphrase</data_name>
      </hash_070102c60c9aac1e1b3555ea0620b8bbfd82cb>
      <hash_070102feda162701240101bc74148415ef415a>
        <name>SNMP Privacy Protocol (v3)</name>
        <update_rra></update_rra>
        <regexp_match></regexp_match>
        <allow_nulls></allow_nulls>
        <type_code>snmp_priv_protocol</type_code>
        <input_output>in</input_output>
        <data_name>snmp_priv_protocol</data_name>
      </hash_070102feda162701240101bc74148415ef415a>
    </fields>
  </hash_0301023eb92bb845b9660a7445cf9740726522>
  <hash_200102d62c52891f4f9688729a5bc9fad91b18>
    <name>5 Minute Collection</name>
    <step>300</step>
    <heartbeat>600</heartbeat>
    <x_files_factor>0.5</x_files_factor>
    <default>on</default>
    <cf_items>1|2|3|4</cf_items>
    <items>
      <item_000>
        <name>Daily (5 Minute Average)</name>
        <steps>1</steps>
        <rows>600</rows>
        <timespan>86400</timespan>
      </item_000>
      <item_001>
        <name>Weekly (30 Minute Average)</name>
        <steps>6</steps>
        <rows>700</rows>
        <timespan>604800</timespan>
      </item_001>
      <item_002>
        <name>Monthly (2 Hour Average)</name>
        <steps>24</steps>
        <rows>775</rows>
        <timespan>2618784</timespan>
      </item_002>
      <item_003>
        <name>Yearly (1 Day Average)</name>
        <steps>288</steps>
        <rows>797</rows>
        <timespan>31536000</timespan>
      </item_003>
    </items>
  </hash_200102d62c52891f4f9688729a5bc9fad91b18>
  <hash_060102e9c43831e54eca8069317a2ce8c6f751>
    <name>Normal</name>
    <gprint_text>%8.2lf %s</gprint_text>
  </hash_060102e9c43831e54eca8069317a2ce8c6f751>
</cacti>



Sunday, July 14, 2024

Analyzing BIND Logs using CLI

To improve the DNS server, we need to analyze the logs we collected. In my case, there were lots of queries for non-existent domains according to my monitoring.


Checking the logs further with this CLI command, it was found that some of these domains were non-existent domains that were still being queried by many endpoint clients:

grep "query" /var/named/log/query-errors.2 | cut -d ' ' -f 8 | sort | uniq -c | sort -nr | head



Those domains can be handled using a sinkhole DNS implementation in BIND.




Handling Non Existent Domain (NXDOMAIN) Queries

In a large organization with many endpoint clients, there is a huge number of DNS queries. Many of those queries are for non-existent domains, and they sometimes cause resource exhaustion either on the DNS server or at the network level.

Here are the steps to set up sinkhole domains in BIND:


1. Create a file /etc/blacklisted.domains and put one line like this per domain to be sinkholed, replacing blacklisted.domain with the actual name:

zone "blacklisted.domain" {type master; file "/etc/blockeddomains.db";};

2. Create the zone file /etc/blockeddomains.db:

$TTL 1D
@   IN SOA localdomain. root.localdomain. (
        2024041801 ; Serial
        3600       ; Refresh
        600        ; Retry
        86400      ; Expire
        3600 )     ; Minimum TTL
@   IN NS localdomain.
localdomain. IN A 127.0.0.1 ; Replace with actual IP if needed

3. Add this line to your BIND configuration (/etc/named.conf) so the zone statements from step 1 are loaded:

include "/etc/blacklisted.domains";
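The log analysis from the previous post and the three sinkhole steps above, as one added example that is not part of the original posts: a POSIX shell script that runs the same grep/cut/sort pipeline over a constructed query-errors sample, validates the names before they go into named.conf, and emits the zone statements from step 1. It assumes the BIND 9.16-style log line in which the eighth space-separated field is the queried name in parentheses; the sample log lines and the hostname regex are the example's own.

```shell
# Added example (not from the posts): from query-errors log to sinkhole zone statements.

# Constructed sample (not a real capture) in the BIND 9.16 query-errors format,
# where the 8th space-separated field is "(name):", the field the post's cut -f 8 selects.
make_sample_log() {
    cat > "$1" <<'EOF'
14-Jul-2024 10:00:01.101 query-errors: info: client @0x7f3c 10.0.0.5#53412 (wpad.corp.invalid): query failed (SERVFAIL) for wpad.corp.invalid/IN/A at query.c:7220
14-Jul-2024 10:00:02.102 query-errors: info: client @0x7f3c 10.0.0.6#40210 (wpad.corp.invalid): query failed (SERVFAIL) for wpad.corp.invalid/IN/A at query.c:7220
14-Jul-2024 10:00:03.103 query-errors: info: client @0x7f3c 10.0.0.7#51000 (wpad.corp.invalid): query failed (SERVFAIL) for wpad.corp.invalid/IN/A at query.c:7220
14-Jul-2024 10:00:04.104 query-errors: info: client @0x7f3c 10.0.0.8#60001 (update.oldagent.test): query failed (SERVFAIL) for update.oldagent.test/IN/A at query.c:7220
14-Jul-2024 10:00:05.105 query-errors: info: client @0x7f3c 10.0.0.9#60002 (update.oldagent.test): query failed (SERVFAIL) for update.oldagent.test/IN/A at query.c:7220
14-Jul-2024 10:00:06.106 query-errors: info: client @0x7f3c 10.0.0.5#53413 (_ldap._tcp.corp.test): query failed (SERVFAIL) for _ldap._tcp.corp.test/IN/SRV at query.c:7220
EOF
}

# The post's pipeline, generalised: the N most-queried names, most frequent first,
# with the wrapping "(" and "):" stripped and the name lower-cased.
top_failed_domains() {
    grep "query" "$1" | cut -d ' ' -f 8 | sort | uniq -c | sort -nr | head -n "${2:-10}" |
        awk '{print $2}' | sed -e 's/^(//' -e 's/):\{0,1\}$//' | tr 'A-Z' 'a-z'
}

# Log content is client-influenced input: only plain hostnames (letters, digits,
# hyphens) may be written into named.conf. Underscore labels such as _ldap._tcp
# are rejected on purpose so service-discovery names get a manual look first.
valid_domain() {
    printf '%s\n' "$1" | grep -Eq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$'
}

# One zone statement per accepted name, in the form used in step 1 of the post.
gen_sinkhole_zones() {
    top_failed_domains "$1" "${2:-10}" | while IFS= read -r d; do
        if valid_domain "$d"; then
            printf 'zone "%s" {type master; file "/etc/blockeddomains.db";};\n' "$d"
        else
            printf '# skipped for manual review: %s\n' "$d" >&2
        fi
    done
}

# Stand-alone run on the sample; redirect stdout to /etc/blacklisted.domains for real use.
tmp=$(mktemp)
make_sample_log "$tmp"
gen_sinkhole_zones "$tmp" 5
rm -f "$tmp"
```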


Sunday, June 9, 2024

How to Extend Certificate Validity Period on Windows Certificate Authority

1. Open regedit on your enterprise CA server and navigate to:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration\<CAName>

2. In the right pane, double-click ValidityPeriod

3. In the Value data box, type one of the following, and then click OK:

  • Days
  • Weeks
  • Months
  • Years

4. In the right pane, double-click ValidityPeriodUnits and fill in the length you require (e.g. 2 for 2 years)

5. Stop and start the service from cmd:

net stop certsvc
net start certsvc