about Networks!

Check Point CCSE Notes

Following my post on Check Point CCSA Exam notes, in this post I’m gonna write notes on CCSE exam. Though this time I won’t fall into configuration and try to only point out the more important and real-world-applicable things.

Management Server HA

When adding a new Check Point host as a Secondary Management Server, do not Initialize SIC before selecting Network Policy Management feature!
After adding the host, save and Install the policy; synchronization will then work.

As a reminder, whenever you reset the SIC for a Gateway from Management Server, it should be re-initialized from the Gateway by cpconfig; don’t forget to exit cpconfig!

ClusterXL

Check Point calls its clustering solution ClusterXL which supports up to 8 Cluster members and can be implemented in two main flavors:

Load-sharing

Multicast mode: 50/50, very efficient and excellent performance

Unicast mode: 70/30, to be used in environments where an intermediate device has issues with multicast MAC address (IGMP Snooping)

Expert@GAiA-2:0]# cphaprob state
Cluster Mode:   Load Sharing (Unicast) with IGMP Membership

Number     Unique Address  Assigned Load   State
1          192.168.0.101   30%             Active       (pivot)
2 (local)  192.168.0.102   70%             Active

High Availability (HA)
- New Mode: Each member has its own physical IP address
- Legacy Mode: Both members have the same physical IP address

To make kernel changes permanent, they should be written in $FWDIR/modules/fwkern.conf

Continue reading “Check Point CCSE Notes”

Share this!

Some basic EEM applets

Below you will find some very basic Cisco IOS EEM applets which can be used as a module in more complex applets, such as configuration wizards.

Obviously, EEM applets are able to be implemented for many automation use cases; i.e. monitoring SLA/tracks, making actions based on syslog patterns, re-configuring route-maps, ACLs, BGP configuration and whatever you can imagine…

Have in mind that in the first applet, I’ve used different values for each result, just to have it more clear and understandable; though as a matter of fact, from a Programming/Performance point of view, the less variables we use, the better it is. Also, these can be better tuned and get shortened based on specific scenarios and requirements, which I leave to the reader.

event manager applet PING_TEST
event none sync yes default 100 maxrun 150
action 1  cli command "enable"
action 10 puts nonewline "\rPLEASE ENTER DESTINATION IP ADDRESS: "
action 11 gets IP
action 12 cli command "ping $IP"
action 13 set C_RESULT "$_cli_result"
action 14 string match "*100 percent*" "$C_RESULT"
action 15 set M_RESULT "$_string_result"
action 20 if $M_RESULT eq "0"
action 21  puts "\rFIRST PING FAILED with MATCH result of $M_RESULT !"
action 22  puts "HERE IS THE CLI RESULT FOR 1ST PING"
action 23  puts "$_cli_result"
action 24  puts "\rNOW I AM TRYING FOR 2ND PING"
action 25  cli command "ping $IP"
action 26  set C_RESULT "$_cli_result"
action 27  string match "*100 percent*" "$C_RESULT"
action 28  set M_RESULT_2 "$_string_result"
action 30  if $M_RESULT_2 eq "0"
action 31   puts "\r2ND STRING MATCH RESULT IS $M_RESULT_2"
action 32   puts "BOTH 1ST and 2ND PING FAILED!!!"
action 33   puts "\rHERE IS FAILED THE CLI RESULT FOR 2ND PING"
action 34   puts "$_cli_result"
action 35   puts "\r!!!!!! DESTINATION UNREACHABLE !!!!!!"
action 40  else
action 41   puts "2ND PING WORKED!"
action 42   puts "2ND STRING MATCH RESULT IS $M_RESULT_2"
action 43   puts "\rHERE IS THE SUCCESSFULL CLI RESULT FOR 2ND PING"
action 44   puts "$_cli_result"
action 45   puts "\r!!!!!! DESTINATION IS REACHABLE !!!!!!"
action 46  end
action 50 else
action 51  puts "\rFIRST STRING MATCH RESULT IS $M_RESULT"
action 52  puts "\rHERE IS THE SUCCESSFUL CLI RESULT FOR 1ST PING"
action 53  puts "$_cli_result"
action 54  puts "\r!!!!!! DESTINATION IS REACHABLE !!!!!!"
action 99 end

An updated version of the script without the additional variables follows:

Continue reading “Some basic EEM applets”

Share this!

Network Design Project Initial Questions

I have been always thinking of creating a set of questions-to-be-asked for Network design projects. Though, it’s really hard to have the same template for every project, but usually there some general questions applying to all.

Skimming through the web, I came to an interesting article on Cisco Learning Network : Unleashing CCDE. I am pasting the questions list here, but with my own text marking:

Listed are some of the initial questions to ask your customers at the onset of a new network design project:

1. Business objectives, pain points and perceived constraints

Who are the key stakeholders, sponsors, end users?
Why is there a project in the first place? What are the drivers for the redesign of your existing network?
What are the current pain points?
Which business outcomes the customer expects to achieve?
What is the business growth plan 3-5 years, capacity planning, scaling requirements?
Are there any regulatory constraints such as HIPAA, PCI, Fed, and Local Government that affect the organization and industry? Other known constraints?
Is there specific equipment, vendors, or protocols preferred or are absolutely out of the question?
What are the implementation timelines and milestones?
What are the key success factors? Are there known barriers to success?
What is the customer tolerance to risk? Conservative or bleeding edge?

2. Desired characteristics and capabilities

What is the current state of the network (baseline), to compare after the implementation of the new design?
Are there any documentation available, features in use, versions, is standardization consistent?
What is the financial investment (cost/budget, cost-benefit analysis) x desired business, operational, and innovation outcomes, followed by a technical translation of these needs/goals to a technology environment?
What are the desired characteristics of the new network: redundancy/resiliency/convergence, speed, security, cost, application performance, simplicity, manageability, capabilities? Load balancing, load sharing?
Public, private or hybrid cloud?

3. Footprint, policies, method of access and traffic patterns

What is the geographical distribution, connectivity options/capabilities on the branches?
Where do the servers reside in the network, their known vulnerabilities and how the services align with the security policies?
What are the current and future traffic patterns, north-south, east-west, or both?
What are the current and future applications’ requirements and tolerance to delay, packet drop, and jitter?
What is the company security, infrastructure policies? Do you have specific design/architecture principles to adhere to? Any project management methodology or tools? Network management?
What are the established SLA’s if any, and the level of success achieved for these SLA’s?
Does the network support the business, the network is the business, or both?
Are there best practices?
Will there be a test lab or group, a prototype, a development area?

Share this!

Check Point CCSA Notes

CheckPoint is the largest pure-play security vendor globally, and has a long history of being a respected security solutions provider and the company’s devices are one of the most deployed firewalls in use today.

Till now, for eighteen consecutive years Check Point has been positioned in the “Leaders” quadrant in the Magic Quadrant for Enterprise Network Firewalls. Check Point is also positioned in the “Leaders” for Unified Threat Management (UTM) for five years till now. Gartner evaluates each vendor’s Enterprise Network Firewall offerings on a scale of completeness of vision and ability to execute.

Traffic Control Methods:

Packet Filtering in OSI Layer 3 (Network) and Layer 4 (Transport)
Stateful control by Inspect Engine, again at L3 and L4 but with more focus on L4
Application Awareness

Check Point Operating system:

We talk here about both Management Server and the Gateways (firewalls) OS.

IPSO was the initial version, based on BSD (Nokia’s IPSO).
SecurePlatform (SPLAT), based on Redhat
GAiA is the latest version!

Deployment Notes

With small environments, it’s possible to have the Management Server and Gateway on the same hardware. This is called Standalone deployment.

Continue reading “Check Point CCSA Notes”

Share this!

DRBD with Cluster File System on Debian Jessie

Hi,

I’m Sina Moghaddas, and this my first post as a co-author to my brother ?

In this post, I am going to show you how to setup DRBD with OCFS2.

DRBD^® refers to block devices designed as a building block to form highly available (HA) clusters. This is done by mirroring a whole block device via an assigned network. DRBD can be understood as a network based raid-1.

OCFS2 is a general-purpose, shared-disk, clustered filesystem for Linux, which is capable of providing both high performance and high availability.

ok, here we go ?

Continue reading “DRBD with Cluster File System on Debian Jessie”

Share this!