1100 Appliance SIP Calls Drop After 15 Minutes

SIP Calls Drop After 15 Minutes –

CheckPoint 1100 Appliance

There are many different reasons why SIP calls drop – if they regularly drop after a consistent period it’s very often a faulty SIP session timer or failure to send keep-alive packets. There are others however and this article highlights a parameter, which if set to false,  will make Checkpoint 1100 appliance SIP calls drop after 15 minutes or another fixed period of time.

The reason is down to the fact that the CheckPoint periodically changes the port which the SIP messaging system communicates over. This means that the SIP re-invites and are not received by the phone system behind the firewall and the call will end after the remote side has not received a reply to any of the INVITEs sent after the specified time-out period (15 minutes in this case).

There is a boolean parameter in the 1100 under Device -> Advanced -> Advanced Settings named “Sip Service – Accept connections to registered ports” which is set to false by default:

Accept connections to registered ports
Click to view full settings page

Set this parameter to true and all should be well!

Notes: This is an issue across many firewall vendors. For example the SonicWall equivalent parameter is named “Enable Consistent NAT.”

How To Repair A Corrupt Smartcenter Installation

Repair A Corrupt Smartcenter Installation

This article details how to repair a corrupt smartcenter step-by-step. This process is valid for both Windows and *nix-based installations and platform-specific instructions are pointed out where necessary.

In fact, the word “repair” is somewhat misleading as what we really do is create a new smartcenter and use configuration files from the old install to effectively make a clone – all certificates, ICA, VPN etc will remain as they were so no re-SIC will be required with the gateway modules once you are up and running.

There are two ways to restore – minimal and complete. “Minimal” will make sure that all objects, rules, certificates and the user database are restored which is all that is needed a lot of the time. If however you would like to do a “complete” restore including licensing, database versions then the files are specified as well.

In addition, at the end of the article are two simple commands which can be used to gather up all of the files and place them in an archive for easy retrieval!

 

Minimal Restore Requirements

Objects and Rulebase

The following files are required to restore a smartcenter’s rulebase, objects and user database. The first two files are absolutely necessary and there is no point proceeding without them, fwauth.NDB is necessary to restore the user database:

  • $FWDIR/conf/objects_5_0.C
  • $FWDIR/conf/rulebases_5_0.fws
  • $FWDIR/conf/slprulebases_5_0.fws
  • $FWDIR/conf/fgrules.fws
  • $FWDIR/conf/fwauth.NDB

Notes:

  1. Check Point stores all the rulebases in one file, called ‘rulebases_5_0.fws’. This is the only rulebase file needed.
  2. Check Point stores the desktop security rulebase in a database file called ‘slprulebases_5_0.fws’ (Secure LAN Policy).
  3. Check Point stores all the objects, services, etc in one database file called ‘objects_5_0.C’.
  4. Check Point users are stored in the file ‘fwauth.NDB’.
  5. On Windows machines, %FWDIR%\conf\fwauth.NDB is only the pointer to the real user database file, for example, %FWDIR%\conf\fwauth.NDB522. In this case, rename the real database file %FWDIR%\conf\fwauth.NDB522 with the name %FWDIR%\conf\fwauth.NDB
Internal Certificate Authority Files

The ICA is what all other certificates are based on – SIC, VPN etc. restoreing these is necessary to avoid having to re-setup certificate-based VPNs, remote-worker certificates and re-establishing SICwith all managed gateways.

  • $FWDIR/conf/InternalCA.*
  • $FWDIR/conf/ICA*.*
  • $CPDIR/conf/sic_cert.p12
  • $FWDIR/conf/crls/*
Registry Data – SecurePlatform & Gaia

/opt/CPshared/registry/HKLM_registry.data

– copy everything under ‘SIC’

Registry Data – Windows OS

HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\SIC

(export this key and then import it on the target machine)


 

Full Restore Requirements

The following represents the complete set of files essential for a database restore:
• $CPDIR/conf/cp.license
• $CPDIR/conf/sic_cert.p12
• $CPDIR/database/*.C
• $CPDIR/registry/*
• $FWDIR/conf/lists/*
• $FWDIR/conf/*.fws
• $FWDIR/conf/*.conf (except for ‘components_reg.conf’, ‘fwrl.conf’, ‘cpmad_rulebase.conf’)
• $FWDIR/conf/masters
• $FWDIR/conf/fwmusers
• $FWDIR/conf/gui-clients
• $FWDIR/conf/*.C (except for ‘mv_doc.C’, ‘classes.C’, ‘scheme.C’, ‘fields.C’, ‘tables.C’, ‘rtmclasses.C’, ‘default_objects.C’)
• $FWDIR/conf/db_versions/Database/versioning_db.fws
• $FWDIR/conf/vpe/*
• $FWDIR/conf/XML/*
• $FWDIR/conf/cpsc/*
• $FWDIR/conf/I*
• $FWDIR/conf/crls/*
• $FWDIR/conf/db_versions/repository/*
• $FWDIR/conf/fwauth.NDB
• $FWDIR/conf/DiapCpdList.NDB
• $FWDIR/conf/DiapFwmList.NDB
• $FWDIR/conf/DAIP_RS_Database.NDB
• $FWDIR/conf/robo-gateways.NDB
• $FWDIR/conf/robo-control.NDB
• $FWDIR/conf/robo-ike.NDB

Note: If logs are required then the contents of $FWDIR/log/ should also be included (note that $FWDIR/log/ is a symbolic link to another partition on the hard disk and files should be retrieved from there).

Restore Process

  1. Back up the files noted herein, offloading to a secure location.
  2. Install the same version and feature set onto the replacement Security Management Server, ensuring that the same hostname and leading IP address are used.
  3. Perform the installation as though this was a clean (new) Security Management Server installation.
  4. If the new Security Management Server is rebooted at the conclusion of the installation, run ‘cpstop’ before restoring the files.
  5. Copy the backups from Step 1 to the fresh installation.
  6. Extract the backups to their appropriate locations.
  7.   Before executing ‘cpstart’, delete the $FWDIR/conf/applications.C and $FWDIR/conf/CPMILink*

Automate File Retrieval

Use the below commands to automate retrieval of the files specified above. The files will be bundled into two files named backup1.tgz and backup2.tgz

Note: This does assume that the Check Point path variables $CPDIR and $FWDIR are available:
[Expert@mgmt]# tar -czvf backup1.tgz $FWDIR/conf/objects_5_0.C $FWDIR/conf/gui-clients $FWDIR/conf/fwmusers $FWDIR/conf/rulebases_5_0.fws $FWDIR/conf/slprulebases_5_0.fws $FWDIR/conf/fgrules.fws $FWDIR/conf/fwauth.NDB $FWDIR/conf/InternalCA.* $FWDIR/conf/ICA*.* $CPDIR/conf/sic_cert.p12 $CPDIR/conf/cp.license $CPDIR/registry/HKLM_registry.data $FWDIR/conf/crls

 

[Expert@mgmt]# tar -czvf backup2.tgz $CPDIR/conf/cp.license $CPDIR/conf/sic_cert.p12 $CPDIR/database/*.C $CPDIR/registry $FWDIR/conf/lists/* $FWDIR/conf/*.fws $FWDIR/conf/*.conf $FWDIR/conf/fwmusers $FWDIR/conf/masters $FWDIR/conf/*.C $FWDIR/conf/db_versions/Database/versioning_db.fws $FWDIR/conf/gui-clients $FWDIR/conf/vpe/* $FWDIR/conf/XML/* $FWDIR/conf/cpsc/* $FWDIR/conf/I* $FWDIR/conf/crls/* $FWDIR/conf/*.NDB

PrivateInternetAccess SOCKS Proxy Tutorial

PrivateInternetAccess SOCKS Proxy Tutorial – Software Installation

In this article we are going to run through the Debian, OpenVPN and Squid proxy software installation. In this tutorial we are installing it on a virtual machine in an ESXi environment but it can obviously be installed on any PC, virtual or otherwise. We are using a dual-core CPU with 2GB of RAM which is more than enough for a light-user proxy.

Let’s get started!

1. Download the netinstall iso, burn it to CD/DVD if necessary and boot. Run through the install and make sure to specify your static IP. You only need a minimal installation, no desktop manager so select the options as shown:

OpenVPN and Squid Proxy - Software Installation

2. Once installed and logged in, update the apt repositories with apt-get update:

dante apt-get update

3. Install the OpenVPN software:

  • apt-get install openvpn

4. Install the dante software software:

  • apt-get install dante-server

Now we’re all installed, it’s time for the configuration.