Friday 30 September 2011

UTM-1: How to bypass the WebGUI during the initial install

Before I begin I should note that this does not 'always' work, and is not supported by TAC.

However, if you are successful with it, you can run sysconfig/cpconfig immediately instead of having to go through the initial install procedure via the WebGUI.

I know anyone who is stuck doing remote deployments/wipes with UTM-1's knows the pain this requirement can cause :)

To 'get out of jail', simply run the following from expert mode:

touch /opt/spwm/conf/wizard_accepted


Once completed, sysconfig/cpconfig will now work.

Enjoy!

SPLAT: How to automatically enter "Expert Mode" when logging in

I suppose it's pretty fitting that I include this.

Make sure you're in expert mode when you run this:

Verify your current shell (substitute 'admin' for your user):
cat /etc/passwd |grep admin
admin:x:0:0::/home/admin:/bin/cpshell

Change your shell to bash:
chsh -s /bin/bash admin
Changing shell for admin.
Shell changed.

Verify the change has taken place:
cat /etc/passwd |grep admin
admin:x:0:0::/home/admin:/bin/bash

Now, when you exit/login again, you'll immediately get dropped into expert mode:

login as: admin
admin@192.168.0.50's password:
Last login: Fri Sep 30 14:28:08 2011 from 192.168.0.10
[Expert@R75-A]#

Keep in mind this does have security implications - it's just nice to have in a lab environment :)

Friday 16 September 2011

IPSO: How to Backup and Restore via CLISH?

This will back up all of the OS information and configuration, such as routes, proxy ARPs and interface configuration:

The following will create a new backup in /var/backup/

clish -c "set backup manual filename your_desired_filename"
clish -c "set backup manual on"

To Restore:
clish -c "set restore manual /path_to_backup_file.tgz"

Tuesday 6 September 2011

TCPDUMP: How to capture a full packet

This request generally comes around when one of the IDS sensors has flagged some suspicious network activity and the engineer wants to see the entire packet:

tcpdump -nnvvXSs 1514 -i eth0

FWMonitor: How to filter by network range

Pretty simple idea; unfortunately, wildcards don't work in the generic 'src/dst' statements.

Let's say I want to capture all traffic sourced from 192.168.0.0/24 destined to 10.15.15.0/24 over port 80. I'd use the following syntax:

fw monitor -e "firstblock={<192.168.0.0,192.168.0.255>};secondblock={<10.15.15.0,10.15.15.255>}; accept (src in firstblock, dst in secondblock, sport=80);"

The first IP in each block is the starting IP of the network, and the second is the last IP in the block. You can define as many 'groups' as you'd like. Just make sure that the rest of the 'accept' statement ends up between the two outer parentheses.
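Working out the first and last address of every block by hand gets old quickly, so here is an added helper (my own example, not part of the original post or a Check Point tool) that converts CIDR notation into the <first,last> ranges fw monitor wants and assembles the -e expression using the same block names as above. It goes a little beyond the post: a bare address is treated as /32 and a host address inside a block is masked down to the network.

```shell
#!/bin/sh
# Added example: turn CIDR blocks into the <first,last> ranges fw monitor's
# INSPECT filter expects, then assemble the full -e expression. Pure POSIX
# sh arithmetic, so it runs in the SPLAT expert shell or on a workstation.

# Dotted quad -> 32-bit integer.
ip2int() {
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Print "first,last" for a CIDR block. A bare address is treated as /32, and
# host bits set inside the block (10.15.15.77/24) are masked off, so the range
# is always the whole network. Returns 1 on a prefix length outside 0..32.
cidr_range() {
    case $1 in
        */*) net=${1%/*}; bits=${1#*/} ;;
        *)   net=$1;      bits=32 ;;
    esac
    [ "$bits" -ge 0 ] 2>/dev/null && [ "$bits" -le 32 ] || return 1
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    first=$(( $(ip2int "$net") & mask ))
    last=$(( first | (~mask & 4294967295) ))
    echo "$(int2ip "$first"),$(int2ip "$last")"
}

# Build the fw monitor -e expression from a source block, a destination block
# and a port clause such as "sport=80" or "dport=80" (block names as in the post).
fwmon_filter() {
    src=$(cidr_range "$1") || return 1
    dst=$(cidr_range "$2") || return 1
    echo "firstblock={<$src>};secondblock={<$dst>}; accept (src in firstblock, dst in secondblock, $3);"
}

# Print the resulting command rather than running it; fw monitor itself has
# to be run in expert mode on the gateway.
printf 'fw monitor -e "%s"\n' "$(fwmon_filter 192.168.0.0/24 10.15.15.0/24 sport=80)"
```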

Thursday 1 September 2011

How to remove a static route in SPLAT without using SYSCONFIG

It's pretty simple:

Consult the routing table to verify the details of the route you want to delete, using one of the following two commands:
route | grep ip_of_your_route
or
netstat -nr | grep ip_of_your_route

An example is below:
netstat -nr |grep 192.168.72.75
192.168.72.75 172.16.25.45 255.255.255.255 UGH    0 0        0 eth5

Delete the route (help for the command can be found with 'route --help'):
route del -net 192.168.72.75 netmask 255.255.255.255 gw 172.16.25.45

Verify the route has been deleted (you should not see the original route anymore):
netstat -nr |grep 192.168.72.75

Save the changes (in case the route was pulled from sysconfig/netconf.C):
route --save