Month: July 2018

Check Point unable to delete IKE/IPSEC SA on a SMB device cluster

On a Check Point SMB 1400 series appliance cluster with R77.20.75 installed I happened to run in to an issue where after changing the peer Gateway’s IP address the VPN did not want to come up again and VPN TU showed me a SA’s relating to the old peer IP address. VPN TU delete command did not remove them. Also disabling the VPN community/removing the gateways from it did nothing, still the stubborn SA’s remained, even waiting for the timeouts to occur did nothing.

What in the end actually removed the stuck SA was doing “cp stop” “cp start” on both of the devices with manual fail over in between. After that VPN TU didn’t show the stuck SA any more and the VPN started working again with the peer’s new IP address.

Windows 10 CPU speed not down clocking like it should / Intel speedstep issue and fix

On my Lenovo T480 I ran in to a nice issue where the fan was constantly blowing and CPU was always over 4 GHz never clocking it self down. In Windows power management, it was set to balanced as it should, changing between power plans had no effect, always CPU at max speed. When I started googling about the issue I ran into different forum threads describing the same issue with people saying that Windows Power Management setting sometimes get corrupted and that the only fix they found is a re-install of Windows which for me was an unacceptable solution…

What actually helped me get around the issue was when i changed the CPU minimum and maximum speeds in power management. Basically I changed the minimum to 1% instead of 5 and max to 90%, applied the settings noticed the CPU clocked down instantly to 0,89 GHz like it was supposed to be, then reset the “Balanced power plan” back to it’s default settings and now the CPU speeds are as they should be 0,89 GHz while idling and over 4 GHz when under load.

For those who need more exact directions here is the step by step:

  • Open up the “Start menu” by pressing the Windows key and type Edit Power Plan and press enter/or just double click it with the mouse.
  • Click on “Change advanced power settings
  • Go to the “Processor Power Management” subsection and from there on move to “Minimum Processor State” change the values for both “On battery” and “Plugged in” from their default value of 5% to 1%.
  • Next change the “Maximum Processor State” values for “On battery” and “Plugged in” from their default value of 100% to 90%.
  • Click “Apply” to apply the changed power plan.
  • After applying the altered power plan click on “Restore Plan Defaults” and “Yes” in the prompt that pops up warning you that the power plan settings will be reverted to their default values. And then click “Apply” as the final thing.

And that should be it,  now your computer should be changing its CPU speed based on real needs.

Windows 10 Media Creation Tool error 0x80004005 fix

When trying to create a Windows 10 USB installation disk you may get errors starting with code 0x80004005 and end up scratching your head, that why isn’t it working. When I happened to get that error, what helped me get around it was basically emptying the windows update cache by doing the following:

  • Open command prompt in administrator rights
    Click on the start menu button and type cmd. A best match of "Command Prompt" will appear, right click on it and select run as administrator.
  • Using the previously opened Command Prompt stop the “Windows Update service” by typing the following:
    net stop wuauser
  • If your computer is a part of a Windows Domain, it might not have “Windows Updare service” running but rather have “Update Orchestrator Service” instead running, then you need to stop that by typing the following:
    net stop "Update Orchestrator Service"
  • Next you need to stop the Cryptographic and Background Intelligent Transfer services, by typing the following commands:
    net stop bits
    net stop cryptsvc
  • Now lets just rename some of the folders used by Windows Update so, it would re-create them, by typing:
    ren %systemroot%\System32\Catroot2 Catroot2.old
    
    ren %systemroot%\SoftwareDistribution SoftwareDistribution.old
    
    
  • Now lets start the services back up again that we previously stopped by typing:
    net start wuauser
    
    net start bits
    
    net start cryptsvc
    
    # and if necessary also update orchestrator service
    
    net start "Update Orchestrator Service"
  • And thats it close the Command Prompt and retry creating your Windows 10 installation media.

If your are getting “Access is denied” on the “ren %systemroot%\SoftwareDistribution SoftwareDistribution.old” command and you haven’t stopped the “Update Orchestrator Service”, try stopping that.

 

Check Point R77.30 management interface crypto hardening (WebUI and SSH Cipher change)

By default the management interfaces (WebUI/SSH) of a Check Point firewall are using crypto settings that are not that great (MD5 and SSLv3, etc are enabled), but fortunately it is possible to change them.

SSH daemon is configured like in a normal Linux Distribution by just editing the /etc/ssh/sshd_config, Check Point in its support site also recommends you also modify the ssh client configuration located in /etc/ssh/ssh_config.  Basically in order to change the encryption algorithms available when connecting to the firewall using ssh add the following lines to the aforementioned configuration files using the vi command in Expert mode:

Ciphers aes256-ctr,aes256-cbc,aes128-ctr,aes192-ctr,aes128-cbc,aes192-cbc
MACs hmac-sha1

After modifying the config file restart the SSH server using the following command:

 service sshd restart

If everything is fine then your connection survives and if for some strange reason your ssh connectivity breaks and you can’t log back in you can undo the previous changes by using the terminal access that you can get in the WebUI.

Now that the SSHD settings have been changed, lets start changing the Cipher suites available for HTTPS used for WebUI. Just connect to command line using SSH and do the following in Expert mode.

  1. Backup the current file /web/templates/httpd-ssl.conf.templ:
    [Expert@HostName:0]# cp /web/templates/httpd-ssl.conf.templ /web/templates/httpd-ssl.conf.templ_ORIGINAL
  2. Edit the current /web/templates/httpd-ssl.conf.templ file:
    [Expert@HostName:0]# vi /web/templates/httpd-ssl.conf.templ
  3.  Find the line containing the SSLCipherSuite parameter and change the values behind it for example to ECDHE-RSA-AES256-SHA384:AES256-SHA256:!ADH:!EXP:RSA:+HIGH:+MEDIUM:!MD5:!LOW:!NULL:!SSLv2:!SSLv3:!eNULL:!aNULL:!RC4
  4. Close the editor by using :wq!  , the ‘!’ in the end will override the fact that the file has read only permissions.
  5. Update the current configuration of HTTPD daemon based on the modified configuration template:
    [Expert@HostName:0]# /bin/template_xlate : /web/templates/httpd-ssl.conf.templ /web/conf/extra/httpd-ssl.conf < /config/active
  6. To activate the configuration changes restart the HTTPD daemon by using the “tellpm” command:
    [Expert@HostName:0]# tellpm process:httpd2
    
    [Expert@HostName:0]# tellpm process:httpd2 t

To find out what you actually want to use as the SSLCipherSuite value you can use the cpopenssl to see what algorithms will be available with which value. Example:

[Expert@HostName:0]# cpopenssl ciphers -v 'ECDHE-RSA-AES256-SHA384:AES256-SHA256:!ADH:!EXP:RSA:+HIGH:+MEDIUM:!MD5:!LOW:!NULL:!SSLv2:!eNULL:!aNULL:!RC4' | sort -k1

Expected output:

AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1

Renewing F5 BigIP LTM expired device certificates

Every once in a while it is necessary to renew the device certificates on your BigIP devices which are used in the connection for the Web UI(XUI). It’s easy enough to do using the web interface. When the certificate hasn’t expired yet just log in to the Web UI using any web browser you like, but when the certificate has already expired Edge/Chrome/Firefox won’t let you in (no there is no “proceed” button, since the management interface is using strict settings), but Internet Explorer will still work. If you don’t have Internet Explorer available, it can also be done via the command line interface.

To renew the device certificate using the web interface just log in to the management interface and go to the page: System ›› Device Certificates : Device Certificate ›› Device Certificate and click on the Renew button. There you can choose whether you want to create a new self signed certificate or generate a certificate request to your company internal CA, or some external CA if you prefer.

In a clustered environment after you renew the certificate on one device, you need to sync the configurations between the devices before proceeding to update the others. If you don’t do config sync in between you may end up having to renew the previously already renewed certificates again, as config sync will push the old certificates back to active state on the other devices, since it doesn’t have info on the peer’s new certificates.

When renewing device certificates using the command line you will need to use openssl to generate the new rsa private key and certificate request and then use tmsh to activate the newly created key/certificate pair.

OpenSSL command example for generating a new RSA key and creating a certificate request:

openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key

OpenSSL command example for generating a new self signed certificate:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt

The newly created private key should be placed in the /config/http/confd/ssl.key/ directory and the newly created certificate should be placed in the /config/httpd/conf/ssl.crt/ directory. After you have placed them there, the command to activate new key/certificate pair using tmsh is:

tmsh modify /sys httpd ssl-certkeyfile /config/httpd/conf/ssl.key/new-private.key ssl-certfile /config/httpd/conf/ssl.crt/new-certificate.crt