Por Javier San Martín
malito: javier@sanmartin.net.ar
[Auditoría]
[BIND]
[Comunicaciones]
[DMZ]
[Electronica]
[Estándar]
[FW-1]
[IDS]
[IKE]
[IPSO]
[Links]
[Linux]
[Lista de Discusion]
[MRTG]
[MSX]
[NMS]
[Seguridad]
[SSH]
[Standard]
[Templates]
[Tunning]
[Tutorial]
[WEP]
[Windows]
Falta completar.
Palabras claves para búsqueda rápida:
TRADUCCIÓN Y PROCESAMIENTO DE
PALABRA
ACTUALIDAD EN REDES Y CONECTIVIDAD
Port Scan y test de vulnerabilidad
Updates (Actualizaciones), Tunning y Bastion Hosts
Comandos para HP-UX (pueden
funcionar en LINUX)
Seguridad, Tunning y Bastion Hosts
1-Cambio de cuenta de comunicaciones
de agentes en NT
2-Cambio en labels de symbols en el
mapa
3-Abrir mapas distintos que el
default
6-Limpiar la base de datos de Eventos de ITO utilizando Oracle.
7-Limitar el tamaño de la base SOLID
MRTG – Multi Router Traffic Grapher
2-Where does checkpoint put its putkey values?
4-Can't Replace Previously Installed Policy
5-How to change log directory at FW4.1, How to redirect logging.
6-How to redirect logging to an other master
7-Cómo auditar cambios en el Firewall-1?
8-In version 2000(4.1) what happened witn fwui.log?
12-Carga de política por línea de
comandos
13-Backup y restore de firewall
Backup De Management station para Linux:
Para hacer backup de la
configuración en IPSO
Para hacer un restore de la
configuración en IPSO desde archivos locales
15-Enabling Windows 2000 Logon through firewall
17-Single Rulebase for Multiple Firewalls
20-Verificar Firewall-1 Build Version
21-Como configurar un login banner en IPSO?
Cabletron Systems – Enterasys Networks
Password Recovery para ELS100-S24TX2M
Various SSR Software Upgrade Procedures
Realizar Password Recovery del SSR
Cómo cambiar BootFlash en las MSFC
Cómo hacer un FTP record en
Arrowpoint
Cómo hacer una copia de la config en
Arrowpoint
Cómo calcular uso de ancho de banda
mediante SNMP
Cómo generar tráfico entre 2 routers
********* FIN DEL APUNTE *********
http://www.uni-leipzig.de/~xlatio/xtools.htm
http://www.lacompu.com/noticias/vernoticia.php3?noticiasID=1514
Manual de
Telecomunicaciones
http://www.siemon.com/standards/
http://standards.ieee.org/getieee802/portfolio.html?agree=ACCEPT
http://www.inei.gob.pe/cpi/bancopub/libfree/lib620/cap0608.htm
Manual de BIND 9
http://www.csd.uwo.ca/staff/magi/doc/bind9/
http://www.pantherdig.com/snmpfaq/
http://www.uk.research.att.com/vnc/
http://www.netopia.com/software/products/tb2/2000/
http://www.remotelyanywhere.com/
[MRTG][Templates]
Para bajar
templates de MRTG, se recomienda el siguiente link:
http://www.somix.com/software/mrtg/#
[MRTG][Lista
de discusión]
Para
consultar la lista de discusión de MRTG y RDD, se recomienda el siguiente link:
En estos sitios se pueden encontrar herramientas para seguridad.
http://www.rtek2000.com/Tech/InternetSecureLinks.html
http://www.rtek2000.com/Tech/I-SecureLinks5.html
http://support.microsoft.com/support/kb/articles/Q286/1/32.ASP
http://www.sysinternals.com/ntw2k/freeware/tdimon.shtml
http://www.xploiter.com/tambu/totostat.shtml
http://www.analogx.com/contents/download/network/pblock.htm
IKE
Scanning Tool
http://www.nta-monitor.com/ike-scan/
Sin dudas, uno de los mejores sitios:
Cracker de
WEP [WEP]
http://sourceforge.net/projects/wepcrack/
http://www.wwdsi.com/saint
(satan based)
[SSH]
Java Based
http://www.mindbright.se/mindterm
[IDS]
Snort 1.7 -
Martin Roesch
SnortPlot.pl
- Angelos Karageorgiou, SnortPlot.pl is a Perl script that rework Snort logs to
graphically plot attack signatures in 3D.
Linux
Router Project
http://www.tarball.net/cish/cish.html
http://www.zelow.no/floppyfw (router+firewall)
Sentry
Firewall CD-ROM 1.0.5 - Sentry Network Security. Sentry Firewall CD-ROM is a
Linux-based bootable CD-ROM, suitable for use as an inexpensive and easy to
maintain firewall or IDS(Intrusion Detection System) node. The system is
designed to be immediately configurable for a variety of different operating
environments via a configuration file located on a floppy disk or a local hard
drive.
IP Chains – filtros de linux
http://oasis.dit.upm.es/~jantonio/documentos/revistas/ipchains/ipchains.html
Stress
test?
http://www.linux-sec.net/Audit/
[Windows][Tunning]
Windows
2000 Updates
http://www.microsoft.com/windows2000/downloads/default.asp
Microsoft
TechNet security site
http://www.microsoft.com/technet/security/
Microsoft
TechNet security site
http://www.microsoft.com/technet/security/
Windows
2000 Internet Server Security Configuration Tool for Internet Information
Server 5 (IIS5)
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=19889
Windows
2000 IIS 5.0 Hotfix Checking Tool
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24168
How it
works
http://www.microsoft.com/windows2000/library/howitworks/default.asp
Un buen
sitio para saber qué se puede eliminar de Windows. Incluye muy buenas
herramientas, tutorials, tips y discos booteables. Es un verdadero Help Desk
online.
http://www.answersthatwork.com/Tasklist_pages/tasklist_w.htm
Lecturas
para considerar sobre tunning de Windows
http://www.phoneboy.com/fom/fom.pl?_recurse=1&file=17#file_519
http://www.rtek2000.com/Tech/InternetSecureLinks.html#hard
http://www.systemexperts.com/tutors/HardenW2K101.pdf
Freeware
Syslog para windows
All release
notes
http://www.enterasys.com/support/relnotes/index601-650.html
Enterasys
White Papers
http://www.enterasys.com/products/whitepapers/
[MSX]
Un muy buen sitio FTP sobre MSX lleno de juegos es el siguiente:
Todos los comandos del vi se utilizan con la secuencia
ESC + la letra (o sea primero ESC y luego la letra)
|
comando |
significado |
|
i |
inserta antes del caracter donde esta el cursor |
|
I |
inserta al principio de la línea donde esta el cursor |
|
a |
hace un append después del cursor |
|
A |
hace un append al final de la línea |
|
o |
inserta una línea debajo de la línea donde esta el cursor |
|
O |
inserta una línea arriba de la línea donde esta el cursor |
|
x |
borra el caracter donde esta el cursor |
|
r |
hace un overstrike de un caracter |
|
R |
hace un overstrike recursivo |
|
/cadena |
busca la cadena tipeada |
|
n |
busca la siguiente cadena |
|
dd |
borra la línea donde esta el cursor |
|
cw |
cambia la palabra donde esta el cursor |
|
dw |
borra la palabra donde esta el cursor |
|
G |
va al final del archivo |
|
yy |
Copiar la linea actual al buffer |
|
p |
pega el buffer |
|
u |
deshace el ultimo cambio |
|
navegación |
significado |
|
h |
mover el cursor a la izquierda |
|
j |
mover el cursor abajo |
|
k |
mover el cursor arriba |
|
l |
mover el cursor a la derecha |
|
i |
modo
input |
|
esc |
modo de comando |
|
ZZ |
sale del vi y graba cambios solo si se hicieron |
|
:w |
graba los cambios sin salir |
|
:wq |
graba los cambios y sale |
|
:q! |
sale sin grabar los cambios |
Nota: el símbolo ! fuerza la escritura.
Para verificar si el cron está funcionando, el comando es
ps –ef |
grep cron
Para listar
el cron, el comando es:
crontab –l
Para editar
el cron, el comando es:
crontab -e
La entrada del cron está representada por 5 elementos y el comando, mas un comentario precedido por el caracter “#”
0 22 * * 6 /etc/bkroot
| | | | | |-> programa o scripts a ejecutar
| | | | |-> dia de la semana a ejecutar (sabado)
| | | |-> mes ( * no importa que mes es )
| | |-> Dia del mes ( * no importa que fecha es)
| |-> Hora de ejecucion
|-> Minuto
Fijate en el man de cron para mas detalle de los parametros.
Apagado de un equipo:
shutdown –h
now
shutdown –h
0
shutdown -r
reboot
Pasar a un
archivo el listado de productos instalados (ej.: de swlist):
swlist –l product > /tmp/listado.log
donde –l significa el nivel (product, subproduct, patch)
Se puede consultar el man
Pasar a un
archivo el output de algo:
echo TEST | tee -a /tmp/dump
Buscar la ubicación de un comando:
type comando
whereis comando
Exportar el tipo de terminal:
export TERM=xterm
Exportar el display:
export DISPLAY=direccion_ip:0.0
donde direccion_ip es la IP del equipo con X
instalado, y :0.0 es desde dónde muestro la ventana X
Buscar y listar archivos core:
find / -name core –exec ll \;
Buscar y eliminar archivos core:
find / -name core –exec rm \;
Mostrar espacio utilizado por archivos y directorios
desde el directorio de trabajo:
du –s *
Apagar o levantar el scheduler:
lpshut
lpsched
Definir una impresora local ncrprinter:
lpadmin -pncrprinter -v/dev/null/ -mrmodel -ob3
-ormncr -orplpncr2
Buscar un string en el syslog.log:
grep “Sep 15” syslog.log
Contar la cantidad de palabras:
| wc -l
Borrar el mailqueue:
rm * /var/spool/mqueue
Montar el CD-ROM:
mount /dev/dsk/c1t2d0 /cdrom
Antes
revisar el path /dev/dsk/ para ver donde esta el CD con "ioscan
/path"
Mostrar la
licencia de ITO:
/opt/OV/bin/OpC/install/opclic –list
Comando
para traps Galmonitor
echo
"$A $x $X 1C $1 $2 $3 $7 $8 0A" | /usr/bin/tee -a
/tmp/daniel/pruebaaee | /usr/bin/mailx -s "Interrupcion" gonzalo.pasquali@smtp02.bancogalicia.com.ar
1-HP-UX
General
UNIX hardening applies. Turning off services run from inetd, or as daemons, is
always a good idea (less is better). Restricting access via firewalling,
tcp_wrappers and internal controls is also recommended. Looking for setuid and
setgid files, and removing the setuid/setgid where possible (or the software
package entirely).
2-Windows
NT – 2000
NT
Passwords
Do you know
where does Windows NT 4.0 stores the user's passwords?
Is there
any program that help me change user's passwords on the server?
Answer:
NT stores
users' passwords in the Security Accounts Manager Database, commonly referred
to as the SAM. This is part of the registry, and is stored in %systemroot% --
typically c:\winnt\. To change a user's password on the server, simply use
Account Manager for Domains. You must, of course, be
using an
account in the administrator group or with otherwise sufficient privileges. To
change the password from an NT workstation, this workstation must be part of
the domain. For more information, see:
http://www.ciac.org/ciac/bulletins/h-45.shtml
Additionally,
backups of the SAM are commonly stored in c:\winnt\repair\sam._
..and on
the Emergency Repair Disk (ERD).
[Extranet]
[DMZ]
[Extranet]
http://www.nsa.gov/winsecurity/
defense_in_depth.pdf
group_policy_reference.pdf
guide_to_secure_configuration_of_isa_server.pdf
guide_to_securing_microsoft_windows_2000_act.pdf
guide_to_securing_microsoft_windows_2000_dns.pdf
guide_to_securing_microsoft_windows_2000_efs.pdf
guide_to_securing_microsoft_windows_2000_fil.pdf
guide_to_securing_microsoft_windows_2000_group_policy.pdf
guide_to_securing_microsoft_windows_2000_schema.pdf
guide_to_securing_microsoft_windows_2000_sct.pdf
guide_to_securing_windows_nt_9x_clients.pdf
microsoft_windows_2000_network_architecture_guide_1_0.pdf
microsoft_windows_2000_router_configuration_guide.pdf
office97_executable_content.pdf
secure_configuration_of_certificate_services.pdf
secure_configuration_of_certificate_services_checklist.pdf
secure_configuration_of_iis_5.pdf
secure_configuration_of_iplanet_web_server.pdf
using_dod_pki_certificates_in_outlook_2000.pdf
windows_2000_kerberos_settings.pdf
[DMZ]
In our
University we are planning a firewall configuration like this one:
|
| 35 Mbps
|
ISP Router
|
| 20 Mbps
|
-------
vlan 1
-------- |> | -----DMZ1 (external
servers www, ldap, dns, ...)
| fw1 |
vlan 2
---------|> |------DMZ2 (other
departmental external servers)
(2000) -------
|
| Internal Servers (dns,
www, ldap, nfs, ...)
|
-------
| |
vlan 3
---------|> fw2 | ------- BD servers
(500) | |
-------
Different
users are grouped in vlans depending on their profile. Each vlan has his own
dns server (secondary), dhcp server, and
a web proxy cache server.
Students
are in vlan1, professors in vlan2 and administrative staff in vlan3. This vlans
are isolated between themselves (at least for the moment, although we have to
plan for exceptions).
Access to
BD servers is performed only from people in vlan3 and from the internal web
server.
External
servers are relays to our internal servers.
Here is the
procedure to install the ITO agent software without using the HP ITO account.
Since NT
Agent Version A.05.37
The ITO
agent can now run as non 'HP ITO account' user. This also includes the SYSTEM' account.
Installation
instruction: Use the manual
installation. Before calling the
'opc_inst.bat' script, an dditional entry can be added to the 'opcsetup.inf' file to specify the run
user for the agent:
[Agent
User]
SYSTEM
Instead of
'SYSTEM', any other name could be specified. In this case the user account is created.
If 'SYSTEM'
is given, no user account is created (no
'opc_op' either).
NOTE: User
names may not contain space characters.
If a user name is specified in 'opcsetup.inf', the agent will be installed using this account name,
no matter if there was already an agent
installed using another account.
If a
different user is specified in 'opcsetup.inf', the account created by the existing agent is not removed but left on the system. It has to be removed
manually. If no user name is specified in 'opcsetup.inf', the installation will check if there is already
an agent installed. If it finds one,
the same user will be used. If a user
is specified or found to be used by an old
agent, and the password specified was not correct for this account, the user is removed and re-created.
It has the same name afterwards but a different
internal user ID.
Applications:
- All
applications configured to run as 'opc_op' or 'HP ITO account' have to be changed to specify a user that exists on the system.
- All
monitoring executables will be run as the specified account. This might restrict some of the access rights to monitored applications.
- The
'SYSTEM' account does not have any network access capabilities.
Remote
installation:
- On Domain
Controllers there is the Installation Server
service that executes the installation on remote systems in this domain. If this service is
modified to run as 'SYSTEM', the
remote installation is not possible at all
(the 'SYSTEM' account does not have any access rights for remote systems).
- If remote
execution is wanted, the Installation Server
service can be configured to run as a domain user that has Domain Admin user rights.
Para hacer que NNM tome los cambios realizados en el label de un dispositivo, debes setear una variable. Puedes encontrar esta opción en el capítulo 8 del manual "Managing your network", pág 237 y 238. A continuación adjunto parte del texto:
NOTE The
ipmap service automatically assigns a symbol type and label based upon
information it receives from the netmon service. This means that if you modify
the symbol label or symbol type of an object that is managed by NNM, your
changes will be replaced by the values assigned by NNM the next time
configuration polling runs.
You can
turn off this ipmap capability by setting the environment variable
IPMAP_NO_SYMBOL_CHANGES=TRUE. See the ipmap reference page in NNM's online help
(or the UNIX manpage) for information about the -u parameter.
Para que el usuario pueda abrir su mapa, siendo distinto al default, y en forma automatizada al hacer login en una sesión, en el profile de cada usuario se debe configurar ovw -map <nombre mapa> -ro
El comando ovw ejecuta la aplicación. la opción -map nos permite elegir el mapa y la opción -ro lo abre como sólo lectura.
El primer paso es crear la cuenta del usuario en el sistema operativo. Luego, se abre un mapa en NNM con ese usuario. También se debe crear el perfil de usuario en ITO. Por desgracia, el mapa se va a ver hecho un desastre.
Para grabar y/o copiar mapas de NNM e ITO se debe hacer de la siguiente forma
# ovwls (lista los mapas, anotar grupos owners y permisos)
map->delete->mapa a borrar
map->save as->grabar el mapa default como el mapa borrado
# ovwls
# ovwchown
<owner> <mapa>
# ovwchgrp <grupo> <mapa>
# ovwchmod
776 <mapa>
You can
obtain the Administrators Guide for the Solid database from
http://www.solidtech.com/developer/documentation.html
Esto se
hace truncando las tablas directamente desde la Base de Datos Oracle.
To be able to perform these steps the Oracle DB must be up and running.
Shutdown ITO managers (ovstop opc ovoacomm)
and leave all GUIs.
With ITO 5.0 you can decide whether you want
to clear the active messages or the history messages (or both).
How to clear the active message tables
#su -
oracle
$svrmgrl
>connect internal;
>truncate table opc_op.opc_act_messages;
>truncate table opc_op.opc_msg_text;
>truncate table opc_op.opc_orig_msg_text;
>truncate table opc_op.opc_annotation;
>truncate table opc_op.opc_anno_text;
>exit;
How to clear the history message tables
#su -
oracle
$svrmgrl
>connect internal;
>truncate table opc_op.opc_hist_messages;
>truncate table opc_op.opc_hist_msg_text;
>truncate table opc_op.opc_hist_orig_text;
>truncate table
opc_op.opc_hist_annotation;
>truncate table opc_op.opc_hist_anno_text;
>exit;
NOTE: If you clear all messages (active +
history) please truncate also the
following table:
>truncate table opc_op.opc_forward_msgs;
The Data
Warehouse database ($OV_DB/analysis/default/solid.db) has filled up the
disc. I need to reduce its size and
limit its future growth.CONFIGURATION NNM6.10 and 6.2 on Solaris or
HP-UXRESOLUTION Here is what you need to do to reduce the size of your solid.db.
Before you start it is recommended that you have a complete backup so that
should
there be any problems you can return to the status quo ante.
The steps
are the following:
(1)Delete
unnecessary data from the database.
(2)Unload
the data from the database into a flat file.
(3)Edit the
solid.ini file in order to limit the size to which the database will grow.
(4)Delete
the database.
(5)Recreate
the database.
(6)Reload
the data into it.
(1) To
delete unnecessary data from the database use the command
#ovdwevent
-trim.
You can
test to see what data you are about to delete using
#ovdwevent
-trimnodelete
before you
do it for real. For a full explanation
of the options see the ovdwevent (1) man page. However deleting data will not
reduce the size of the database file, it will simply free up space inside it.
(Once you have got your database under control you might consider setting up a
cron job to delete superfluous data on a regular basis, and thus prevent any
problems caused by the database filling up.)
(2) Now
unload the data from the database into a flat file with ovdwunloader.
Check the
man page for a full explanation of the options. You will need to export both the trend and event data, so you
will need to run the command twice:
#ovdwunloader
-file trend_output_file -trend -v
#ovdwunloader
-file event_output_file -event -v
Stop
OpenView
#ovstop -v
(3) The
default size of the database is a single two gigabytes file. You can control
the size by editing $OV_DB/analysis/default/solid.ini and setting the FileSpec
parameter in the Index File section.
The FileSpec parameter describes the location and the maximum size of
the database file and accepts the following three arguments:
database
file name max filesize device number (optional)
You can
also use the FileSpec parameter to divide the index file into multiple files
and onto multiple disks. To do this, specify another FileSpec parameter
identified by the number 2. The index file will be written to the second file
if it grows over the maximum value of the first FileSpec parameter. For example
the default value for this parameter is solid.db, 2147483647 (which equals 2 GB
expressed in bytes).
FileSpec_1=SOLID.DB
2147483647
In the
following example, the parameters divide the index file on the disks C:, D: and
E: to be split after growing larger than 1 GB (=1073741824 bytes).
FileSpec_1=c:\soldb\solid.1
1073741824 1
FileSpec_2=D:\soldb\solid.2
1073741824 2
FileSpec_3=G:\soldb\solid.3
1073741824 3
NOTE. The
index file locations entered must be valid path names in the server’s operating
system. For example, if the server runs on a UNIX operating system, path
separators must be slashes instead of backslashes. Although the database files reside in different directories, the
file names must be unique. In the above example, it is assumed that C:, D: and
E: partitions reside on separate physical disks. Splitting the index file on multiple disks will increase the
performance of the server because
multiple disk heads will access the data in your index file. There is no
limit to the number of index files you may use.
(4) Now
delete the database:
#cd
$OV_DB/analysis/default
#rm
solid.db
#rm
solmsg.*
#rm
./log/sol*.log
(5) Now
recreate an empty database
#cd
$OV_DB/analysis/default
For NNM
6.10:
#ovdbrun -x
exit -u ovdb -p ovdb
For NNM
6.2:
#ovdbrun -x
-U ovdb -P ovdb -C ovdb
#cd
$OV_CONF/analysis/sqlScripts
#ovdbcheck
-start
#ovdwquery
-file tables_common.solid
#ovdwquery
-file tables_event.solid
#ovdwquery
-file tables_trend.solid
#ovdwquery
-file tables_topo.solid
#ovdbcheck
-stop
#ovstart -v
(6) Now that
OpenView is running again we need to reload the data from the flat files into
the database.
#ovdwloader
-file trend_output_file -v
#ovdwloader
-file event_output_file -v
[MRTG][FW-1][Templates]
Template
para graficar en MRTG la cantidad de paquetes aceptados y rejectados de
Checkpoint Firewall-1 (Necesita estar habilitado SNMP en el firewall y una
regla que permita la transmisión)
<--Inicie
la copia desde aquí-->
Target[packets-cp1]:
1.3.6.1.4.1.2620.1.1.4.0&1.3.6.1.4.1.2620.1.1.5.0:public@xxxx-cp1
Directory[packets-cp1]:xxxxcp1
WithPeak[packets-cp1]:
wmy
YLegend[packets-cp1]:
packets
ShortLegend[packets-cp1]:
. :
MaxBytes[packets-cp1]:
10000
Options[packets-cp1]:
growright
Title[packets-cp1]:
packets: xxxx-cp1
Colours[packets-cp1]:
GREEN#00ee00,RED#ff0000,DARKGREEN#807711,VIOLET#ff00ff
Legend1[packets-cp1]:
Accepted packets
Legend2[packets-cp1]:
Rejected packets
Legend3[packets-cp1]:
5 min maximal accepted packets
Legend4[packets-cp1]:
5 min maximal rejected packets
LegendI[packets-cp1]:
accepted packets :
LegendO[packets-cp1]:
rejected packets :
PageTop[packets-cp1]:
<H1>xxxx-cp1: Packets (5 minute samples)
<BR></H1>
<TABLE>
<TR><TD>System:</TD><TD>xxxx-cp1</TD></TR>
<TR><TD>Maintainer: Network
Systems Team</TD></TR>
</TABLE>
###
<--Finalice
la copia aquí-->
I am trying
to understand how the state table works in checkpoint fw-1. What is the state
table. What happens to the state table when I stop and start the fw-1 service.
What happens to connections when the service stops and starts?
Say I was
doing a ftp file transfer or http file transfer and the service was restarted.
What happens to the state table or what happens to the tcp connection?
Answer:
I think a
good place for you to find some useful answers is the fwstart and fwstop
scripts. Also, please, read the portion of the Checkpoint manuals where the
Firewall-1 architecture is described.
As far as
your question is concerned, it really depends on the kernel
implementation
(i.e. exit sub-routines or functions) and not user logic.
It's very
much possible for the kernel not to reclaim the process' entire address space
immediately, albeir it could claim non-critical portions of it.
That may or
may not depend on the exit status of the process.
Anyway, I'm
sure you can research the particulars of the system you happened to be using.
And then:
On the
other hand, it depends on what you mean by stopping and starting the firewall.
Certainly if you begin killing fw processes and unloading fw kernel modules,
you will most definately kill your traffic and clear your state tables.
When I say
stop and start the firewall, I mean running fwstop and fwstart.
And finally
with a method of testing:
Do fwstop,
then type 1. fw tab -t connections -u and 2. modinfo | grep FW. You can try the
same after you do the fw unload localhost.
Let me know
what you see.
Also in the
thread were comments from Amin Tora (Amin@EPLUS.com)
The state
tables are CLEARED if you stop the firewall or unload your policies.
You can
prove this...
On a test
firewall module:
run
$FWDIR/bin/fw tab -t connections -u {displays contents of state table}
run
$FWDIR/bin/fwstop OR $FWDIR/bin/fw unload localhost
run
$FWDIR/bin/fw tab -t connections -u
http://securityportal.com/list-archive/fw1/2001/May/1005.html
Occasionally,
I see FireWall-1 refer to sys.conf in error messages. What is this file used
for?
Answer:
sys.conf
would exist for only one reason, for you to put into it the names of your
firewalls [either by hostname, IP address, or name of the network object represneting
the firewall]. This would then enable you, on the Management Server, to execute
a command like:
fw load
-all $FWDIR/conf/policy.W
and have
FW-1 push the policy to each firewall listed in sys.conf. Alternatively, you
could use
fw load
-conf $FWDIR/conf/newyork.conf $FWDIR/conff/policy.W
which would
have fw read the newyork.conf file to determine the firewalls (contained in
there) so it could push the policy to them.
As you can
see, you may have multiple system configuration files that would enable you to
have a little control from the command line. Any time a command accepts the
-all, you are accessing sys.conf, by defauult.
After
(reinstalling) a - busy - firewall1 (between 8-10Mbps over the external
interface), a problem which we were trying to get rid of reappeared -- customer
insists on "Account" logging for traffic to its DMZ - (motivation is
commercial/financial)
Problem is
that, when "Account" logging is activated, the firewall panics when reloading
the policy. My principal problem now is that after reboot, the firewall
automatically loads the policy with the "account" logging activated.
Our guess is that, since the latest policy - without account logging - did not
successfully load, the firewall somehow finds and loads the previous
version. Weird thing is that the GUI
and the real loaded policy do no longer match !
Answer:
This is
because FireWall-1 stores the last installed policy in $FWDIR/state. If you
haven't been able to install the policy since this problem started occurring,
then you've got the old policy there. You can clear $FWDIR/state on both your
management console and firewall module. This should prevent FireWall-1 from
loading a policy on startup. Then you can load the proper policy from your
management console.
FOR NT
FireWall-1
Versions 3.0b-4.0 support modifying (or adding) the following registry entry
(It is of type String):
HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\FW1\FWLOGDIR
Specify the
full path name to the log directory here. In 4.1, create the following registry
entry:
HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\FW1\4.1\FWLOGDIR
Note: this
directory must exist. You will need to restart the FireWall-1 service for this
to take effect.
On Unix
machines, you can symbolically link the $FWDIR/log directory to another drive.
For example:
fwstop
mv
$FWDIR/log $FWDIR/log.old
ln -s
/path/to/new/logdir $FWDIR/log
fwstart,
This
information can be found at http://www.phoneboy.com
FOR UNIX
To direct
Log File to directory different then the standard $FWDIR/log. On UNIX system
this can be achieved by adding
setenv
FWLOGDIR <log-dir>
to the
fwstart scripts before running the fwd and them fwm.
A Master is
a machine to which Firewall Modules direct Logging. the file
$FWDIR/conf/masters contains a list of IP addresses or network object names,
one per line. When the firewall Module starts, it reads this file to determine
where to direct logging.
If the file
does not exist, logging is local
If the file
exists logging is directed to the first IP address in the file.
If any
address is preceded by the sign + , then all logging are directed to all IP
with a + sign.
If the
connection to master goes down, it will scan the file and use the next IP
addresses. otherwise it will direct logging locally.
[FW-1][Auditoría]
Se deben
buscar los siguientes archivos y procesarlos con alguna herramienta
Archivos de
configuración:
-
rulebases.fws
- objects.c
- fwmusers
-
gui-clients
(si está el
archivo masters, también)
Archivos de
log:
-
cpmgmt.aud (en FW-1 4.1) o el fwui.log (en FW-1 4.0)
-
manage.lock (archivo que se genera cuando un gui client está activo)
fwui.log is
now called cpmgmt.aud
You can
create the file $FWDIR/conf/loggers through a text editor to direct log to a
centralized logging station. It contains a list of Ip addresses one per line.
The syntax is the same as for the master file.
a + sign,
logging will be directed to to all the IP addresses preceded by a + sign
IP
addresses preceded by an @ sign wil receive only alerts
This is the
best discussion I've seen on this topic:
http://www.isp-planet.com/technology/2001/ipsec_nat.html
Called
"Slipping IPSec Past NAT"
As a note,
in order for NAT'd encryption to work you need to use UDP
encapsulation.
That only applies to SR and the original post suggested a Site to Site
VPN.
The host
count is stored in a firewall table, you can use the fw tab command to view and
delete the host count. If you do delete
the count, keep in mind that you will have to delete the fwd.hosts and fwd.h
files form the $FWDIR/database directory as well.
To view the
table
fw tab -t
host_table -u
to delete
fw tab -t
host_table -x
(the -u is
for unlimited, that is it will display the whole table. -x is for delete)
The output
is in HEX. There are scripts and perl
programs out there to automatically convert hex ip addresses to decimal you may
want to look for one of these. :)
c:\winnt\fw1\4.1\bin\fw
load <politica.W> <interfaz.direccion@firewall>
Lo que realiza este comando es cargar una política almacenada en el directorio \winnt\fw1\4.1\ la cual figura con extensión.W sobre las interfases indicadas para el router (en nuestro caso sería all.all@firewall), previa compilación.
What files
to backup?
We want to
back Firewall-1 configuration. If Firewall crash, we want to be able to restore
it quickly. Which files do we have to backup ?
The
following files are considered important and should be backed up regularly. If
you have on the same system the management console and the firewall module,
backup all files of Management console column and also all additional files from
Firewall module column.
Under
Windows 2000/NT replace $FWDIR by %FWDIR%
|
Management
console |
Firewall
module |
Comment |
|
$FWDIR/conf/fw.license |
$FWDIR/conf/fw.license |
|
|
$FWDIR/conf/objects.C |
|
Object
databaseFWDIRdddFWDIR |
|
$FWDIR/conf/*.W |
|
Set of
policies |
|
$FWDIR/conf/rulebases.fws |
|
Combined
rule bases for GUI clients |
|
$FWDIR/conf/fwauth.NDB* |
|
User
database |
|
$FWDIR/conf/fwmusers |
|
Administrators
database |
|
$FWDIR/conf/gui-clients |
|
Wrapper
for the gui clients - Allow GUI Adminstrative hosts |
|
$FWDIR/conf/product.conf |
$FWDIR/conf/product.conf |
FireWall-1
product description file |
|
$FWDIR/conf/fwauth.keys |
$FWDIR/conf/fwauth.keys |
Control
authentication key file |
|
$FWDIR/conf/serverkeys.* |
$FWDIR/conf/serverkeys.* |
|
|
|
$FWDIR/conf/masters |
Master
address definition (of the management console) |
|
|
$FWDIR/conf/smtp.conf |
Configuration
of mail relay function |
|
|
$FWDIR/conf/fwauthd.conf |
Security
Server configuration file |
|
|
$FWDIR/conf/fwopsec.conf |
|
You should
also back up /var/etc/rc.local, if you created one. This is where you could
place ARP commands to support Address Translation, IPSO kernel control
commands, or automated backup scripts, for example. (only for IPSO)
Since you
might use CRON to automatically schedule this backup, consider adding
/var/cron/tabs/root to the backup list.
You should
also modify any file you may have modified in $FWDIR/lib. If you are going to
be upgrading, it is not wise to copy an older version of one of these files
over a newer version. If you are running Windows NT and doing static address translation,
also backup $FWDIR/state/local.arp.
If the
firewall goes completely south, you can re-install to the same patch level as
you were running before and copy in the existing configuration files with the
firewall stopped. You'll have to re-install your security policy, but it's
better than having to completely reset up your firewall rules and network
objects.
How do I
proceed for restoring Restoring?
Make sure
you stop the firewall before restoring any file. Make sure you restore all the
files you need
fwstop
restore by
copying back any file you need
fwstart
or for
Windows 2000/ NT stop the service
This can
also be used when you perform an update or when you have a second system run as
a spare.
What are
the meanings of the different files to backup?
Of largest
significance are your policy file, <policyname>.W, and objects.C -- from
these two you can regenerate the rulebases.fws file
(./fw m -g *.W).
The cp.license file may be useful, but if you know your certificate key, you
can request a copy of it from the checkpoint license site.
The fwauth.NDB (mgmt. module only) file keeps information about your users
& user-groups, so unless you're not doing any authentication or
securemote (minus LDAP stored users..), you'll want to grab this file too.
The fwauth.keys file contains all the putkeys you've set -- backing this up
probably isn't necessary since you'll have to redo the putkeys
anyways. This may not be existant if in single gateway mode with no opsec
add-ons tied into it.
The fwmusers (mgmt. station only) file contains all the usernames and passwords
(including permissions), for GUI-Client access.
The gui-clients (mgmt. station only) file tells which remote systems are
allowed to log into the management station via the GUI and manage it.
The masters file (fw module only) just has the address of the management server
in it.
The product.conf file tells which options you have purchased, want turned on,
and such.. restoring it will save some reconfiguring.
The seed file will allow you to utilize the parts that are stored encrypted --
user passwords and such. Without it, expect to change a lot of passwords.
The sync.conf (fw modules only) file is used when doing high-availability
state-synchronization.
The serverkeys file (or serverkeys.* on unix) are hashes of the putkeys
(fwauth.keys file).
[FW-1][Linux]
Para hacer
backup de una management Station corriendo en linux a otra de alta
disponibilidad:
#!/usr/bin/ksh
lastmod="fw.timestamp"
find /opt/CPfw1-41/lib
-newer $lastmod -type f -print
|
while read
file
do
rcp -p $file backup_system:$file
done
find
/var/opt/CPfw1-41/conf -newer $lastmod -type f
-print |
while read
file
do
rcp -p $file backup_system:$file
done
find
/var/opt/CPfw1-41/database -newer $lastmod -type
f -print |
while read
file
do
rcp -p $file backup_system:$file
done
touch
$lastmod
[FW-1][IPSO]
Method of
Backing up the files
It may be
possible to use a floppy diskette to backup the files. If the files are too
large, then FTP can be used to transfer the files across the network.
One idea is
to create a file that lists the files to backup. Included in the example below
is the path to the IPSO configuration files, the first entry below. Also note that
this will backup your backup scripts. Don't forget them!
# cat /var/admin/ipsobackuplist
/config/db/*
/var/admin/ipsobackup
/var/admin/ipsobackuplist
/var/cron/tabs/root
/var/etc/rc.local
$FWDIR/conf/fw.license
$FWDIR/conf/objects.C
$FWDIR/conf/*.W
$FWDIR/conf/rulebases.fws
$FWDIR/conf/fwauth.keys
$FWDIR/conf/fwauthd.conf
$FWDIR/conf/masters
$FWDIR/conf/serverkeys.db
$FWDIR/conf/sync.conf
$FWDIR/conf/fwopsec.conf
$FWDIR/conf/omi.conf
$FWDIR/conf/slapd.conf
$FWDIR/conf/fwauth.NDB
$FWDIR/conf/fwmusers
$FWDIR/conf/gui-clients
$FWDIR/conf/smtp.conf
$FWDIR/conf/product.conf
$FWDIR/database/*
$FWDIR/state/*
$FWDIR/log/*
Create a
file in the admin's home directory called ipsobackuplist to contain the file
paths listed above.
Create an
executable script in the admin's home directory called ipsobackup
that executes the following commands:
#! /bin/csh
# The following line will define $FWDIR
source /var/admin/.rcm_cshrc
cd /
eval tar cf /var/admin/`uname -n`.`date
+%m%d%y-%H%M`.bkup.tar `cat
/var/admin/ipsobackuplist`
(WARNING:
The tar command above should be one line)
(NOTE: If you wish to retain the leading '/' character, use `tar cPf`)
( see `tar --help` for more command line options)
(This
command creates hostname.062298-0600.bkup.tar if the fwbackup script was
executed at 6:00am on June 22, 1998).
Execute
chmod 755 ipsobackup to make this script executable.
Backing up
the files to a floppy diskette:
cd /
tar cvf /dev/fd0 `cat $HOME/ipsobackuplist`
You might
want to use a DOS formatted floppy diskette. Such a diskette
is mountable across OS platforms:
mkdir /var/floppy
/sbin/mount_msdos /dev/fd0 /var/floppy
cd /var/admin
./ipsobackup
cp *bkup.tar /var/floppy
<or>
cp `cat ipsobackuplist` /var/floppy
umount /var/floppy
Using CRON
to automatically archive these files onto the IPSO filesystem
Use crontab
-e to modify the existing cron file. Add tthe following line to this file:
0 6 * * 0 /var/admin/ipsobackup
This will
create a backup file Sunday morning at 6am
*****Notes
for NT to IP400*****
Note that
there are some issues with moving from a NT machine to an IP400.
Do not copy
the fwauthd.conf file. This is not compatible with the IP400 (See resolution #
858 for further information
When FTP
from Windows NT to an IP400 All of the *.NDB files must be transferred in
binary mode and everything else must be transferred ASCII mode.
echo
"starting FTP"
# FTP
transfer part to $BACKUP <Directory>
cd $BACKUP
ftp -i $HOST <<!
cd $SAVE
bin
mput *
bye
!
1. Click
CONFIG on the home page.
2. Click
the Configuration Backup and Restore link in the System Configuration section.
3. In the
MANUAL BACKUP field, enter a file name for your backup file in the BACKUP FILE
NAME edit box.
NOTE: If
you do not enter a name, the backup file is not created.
4.
(Optional) Click the YES button in the BACKUP HOME DIRECTORIES field to include
home directories in the backup file.
5.
(Optional) Click the YES button in the BACKUP LOG FILES field to include your
log files in the backup file.
6.
(Optional) To include package files in your backup file, Click the Yes button
next to the name of each package you want to back up in the BACKUP /OPT fields.
7. Click
APPLY.
8. To make
your changes permanent, click SAVE.
This
procedure describes how to restore your files to the system from locally stored
backup files. You must first create backup files. See Creating a Backup File
Manually or Creating a Regularly Scheduled Backup File.
1. Click
CONFIG on the home page.
2. Click
the Backup and Restore Configuration link in the System Configuration section.
WARNING:
Restoring from a backup file overwrites your existing files.
NOTE: The
system must be running the same version of the operating system and the same
packages as those of the backup file(s) from which you restore file(s).
WARNING:
Make sure that you have enough disk space available on your Nokia appliance
before restoring files. If you try to restore files and you do not have enough
disk space, you risk damaging the operating system.
3. In the
RESTORE FROM LOCAL field, click either the Manual backup file drop-down window
or the Scheduled backup file window to select the name of the backup file from
which to restore. Manually backed-up files are in the /var/backup directory,
and scheduled backup files are in the /var/backup/sched directory. The
drop-down windows contain lists of all the files in the var/backup or
/bar/backup/sched directory but some of the files might not be backup files.
4. Click
APPLY.
Repeat the
previous two steps for each file you want to restore.
5. To make
your changes permanent, click SAVE.
6. Click
the Reboot link near the bottom of the page and wait for the system to reboot.
NOTE: You
must reboot your system after restoring from backup files.
To enable a
Windows 2000 Server-based computer to log on to a Windows 2000 domain through a
firewall you need to open the following ports for inbound traffic. In most
cases this would be done to allow a Windows 2000 server hosting Exchange 2000
to be placed on a DMZ.
53 (User Datagram Protocol [UDP]) - Domain Name System (DNS).
88 (Transmission Control Protocol [TCP], UDP) - Kerberos authentication.
123 (TCP) - Windows Time Synchronization
Protocol (NTP).
Note that this is not necessary for Windows 2000 logon capability, but may be
configured or required by the network administrator.
135 (TCP) - EndPointMapper.
389 (TCP, UDP) - Lightweight Directory Access Protocol
(LDAP).
445 (TCP)- Server message block (SMB) for Netlogon, LDAP
conversion and distributed file system (Dfs) discovery.
3268 (TCP)- LDAP to global catalog servers.
One port
for the Active Directory logon and directory replication interface (universally
unique identifiers [UUIDs] 12345678-1234-abcd-ef00-01234567cffb and
e3514235-4b06-11d1-ab04-00c04fc2dcd2), which is typically assigned port 1025 or
1026 during startup. This value is not set in the DSProxy or System attendant
(MAD) source code, so you need to map the port in the registry and then open
the port on the firewall. To assign a static port mapping enter the following
registry key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
Value Name: TCP/IP Port
Data Type: REG_DWORD
Radix: Decimal
Value: greater than 1024
For the
servers inside the firewall to communicate back through the firewall to the
external server on the DMZ, you also need to have ports 1024 through 65535
configured for outbound communications. Computers that initiate the
communication through the firewall use a client-side port that is dynamically
assigned and cannot be configured.
Do You Really Need to Stop (fwstop) Firewalls for Putkeys to Work?
The
firewalls have to be stopped and started, but there is a possible workaround.
Contrary to all Check Point documentation, Bill Husler found that it isn't
always necessary - the reason for the stop/start is simply so that you can
exchange keys, prior to the next authentication request. Since this is the
case, there exists a small window of time which would allow for successful key
exchange, while both firewall processes continue to run. To take advantage of
this, Bill found that if he opened two separate administrative windows into the
two separate systems, issued the putkey commands, then hit Enter on the
management window and Enter on the firewall module window, the exchange
happened quick enough to prevent the need for a fwstop.
Is the session between the GUI client and the Management console
encrypted?
I may be
wrong, but I was under the impression that the session between the GUI client
and the Management server is encrypted if you are using a version of FW-1 with
encryption and clear text if you are using a non-encryption version. The method
by which your firewall and management station communicate is defined in the
control.map. Within it are certain variables that mitigate how your firewall
will talk to your management, fwz, ssl, or none (no encryption). By default the
communication that exists between the two is encrypted so long as you have an
encryption module loaded.
How can I secure the session between the Management client and a firewall or a Management console?
If you are
running fw-1 on solaris it's no problem install ssh and download the secure crt
client on your management client. Configure scrt so it's tunnels all packets
that comes from port 258 to your solaris. (it's possible in scrt version 2.3x
and above i think) Then in the gui client just enter 127.0.0.1 (localhost) as
management sever.
Then all fw-1 management communication is encrypted.
When I have a separated Management from a
remote firewall module what are secret shared passwords?
When you
separate the Firewall Management Console functions from the Inspect module,
firewall-1 needs to exchange secret keys. To do this, you need to use the
"fw putkey"
utility on both boxes. On the Firewall Management Console, login as root or
administrator and enter the following -
fw putkey -p
<Shared Secret> <Resolvable Name or IP Address of Firewall>
On the firewall that's running the Inspect module, login as root, or
administrator and enter the following -
fw putkey -p
<Shared Secret> <Resolvable Name or IP Address of Firewall Management
Console>
Also, if you haven't purchased/installed any License Encryption Keys for both
the Firewall Management console and the Firewall, you will need to edit the
$FWDIR/lib/control.map file. By default, Checkpoint attempts to use FWZ to
communicate between boxes. If there is no encyption license installed, you will
never get them to successfully communicate. To enable the boxes to communicate,
you will need to change your control.map file to resemble
something like the following -
The keys
are generated using the random number generator, I guess, or some other similar
process. The password you enter is only a way to securely exchange those keys
over the network, and for initial authentication to the management. No two keys
are the same.
I can't get my putkeys to work. What am I doing
wrong?
Make sure
all IPs on both the management and firewall are resolvable to a hostname within
the system's local host file and that the systems are configured to look at the
local hosts file before looking to DNS.
fw putkey -n local-ip remote-ip
The "local ip" here depends on which interface you will need to talk
out to see the remote system.
The "remote ip" will be the IP address that is closest to you.
To prove /
disprove / workaround the problem, do the following on both hosts.
Take a
backup of control.map (in Solaris, this is at $FWDIR/lib/control.map)
edit
control.map and replace occurances of 'skey' with 'none'
re-start
the firewall daemons
If this works then it is definitely an encryption / fw putkey problem.
Procedure provided by Lance Spitzner
I have
developed and implemented a solution for Management Module to Firewall Module
Authentication
problems. This is one of last resort :)
PROBLEM:
I had 10 FW Modules (4.0 SP2 on AIX) that could neither fetch the FW rule base
NOR log to the Management Module. I received an authentication error for both.
However, the Management Module (4.0 SP2 on Solaris 2.6) CAN push the rule base
onto the Firewall Modules. Authentication was working one way, but not the
other.
SOLUTION
The standard "putkey with -n" trick did not help here. We needed a
more radical approach as the entire authentication database was corrupted.
Basically, I blew away the entire authentication database on the Management
Module and all Remote Modules, and then rebuilt everything from scratch. Bill
Burns pointed me in the right direction, I just had to be a little more
"draconian" in the files I nulled out :)
PROCEDURE
When all else fails, this is the procedure to follow on 4.0 when you are having
authentication problems. I recommend you follow the steps exactly as listed.
On the Management Module
- fwstop
- Backup the following files by copying thhem to <filename>.old
- $FWDIR/database/authkeys.C
- $FWDIR/database/opsec_authkeys.C
- $FWDIR/conf/fwauth.keys
- $FWDIR/serverkeys.pag
- Null out these files with the following command
- cp /dev/null <filename>
- Confirm that $FWDIR/lib/control.map is uusing the same authentication as the
remote modules (fwa1 or skey).
- Make sure /etc/hosts has an entry for thhe remote module(s).
On the Remote Module
- fwstop
- Backup the following files by copying thhem to <filename>.old
- $FWDIR/database/autkeys.C
- $FWDIR/database/opsec_authkeys.C
- $FWDIR/conf/fwauth.keys
- $FWDIR/conf/serverkeys.pag
- Null out these files with the following command
- cp /dev/null <filename>
- Confirm that $FWDIR/lib/control.map is uusing the same authentication as the
management module (fwa1 or skey).
- Make sure /etc/hosts has an entry for thhe management module.
On the Management Module
- fw putkey -p <password> -n <loccal IP> <remote IP>
On the Remote Module
- fw putkey -p <password> -n <loccal IP> <remote IP>
On the Mangement Module
- fwstart
On the Remote Module
- fwstart
That's it! If that did not do the trick, follow these two steps.
STEP 1
Ensure all Network Objects in Rule Base match /etc/hosts file and fw putkey IP
addresses. Repeat steps above.
If this fails,
STEP 2
Post resume on Internet :)
If I want
to manage multiple Remote Firewall modules with a single management station, is
it possible with a single rulebase, instead of having 10 different rule bases,
one for each individual remote module, we want a single rule base that is
installed on all 10 remote modules. We specify in the rule base what rules
apply to what remote modules under the "Install On" column. Usually,
we create separate rule base for every remote module.
Is this a
good practice or is it bad because it creates a huge single rulebase that is
installed on every Firewall. Also, wouldn't this also create allot of CPU
overhead, as now every Firewall has to process a rulebase where 80%
of the
rules do not apply to it.
Is there an
advantage to having a single rulebase for many remote modules?
Either way is correct. Both ways have their plusses and minuses.
If each
firewall has a different rulebase file, it is fairly easy to see what security
policy is on an individual firewall. Also, it is far easier to specify whether
or not a rule is enforced inbound, outbound, or eitherbound. On the other hand,
it is possible to install the wrong rulebase on the wrong firewall, thus
causing an outage on an individual firewall. Also, if you have to make global
changes, you have to change each individual security policy file. If you do not feel to comfortable with
firewall policies, go that way, it is much clearer and easier to understand.
A single
rulebase is slightly more difficult to maintain.
On the
other hand, you can see your entire site's security policy at a glance and it
does prevent snafus that occur from installing the wrong rulebase on the wrong
firewall. Only the rules that apply to a specific gateway will be installed
there. On the downside, when you list specific gateways in the Install-On
field, rules are enforced in the eitherbound direction (i.e. they must pass
through the rulebase twice). This is only usually noticable with large
rulebases on heavily-loaded systems.
If you are
going to go with a single security policy file for multiple firewalls, here are
my hints:
Rules that
apply to "all" firewalls should have the install-on be listed as
gateways (e.g. any any any drop)
Potentially
busy rules on all firewalls should be installed on gateways to increase
performance (even if a particular firewall can't enforce the rule).
Name: fwModuleState
Oid: 1.3.6.1.4.1.2620.1.1.1 Description: The state of the fw module.
Name:
fwFilterName Oid: 1.3.6.1.4.1.2620.1.1.2 Description: The name of the loaded
filter.
Name:
fwFilterDate Oid: 1.3.6.1.4.1.2620.1.1.3 Description: When was the filter installed
(STRING!)
Name:
fwAccepted Oid: 1.3.6.1.4.1.2620.1.1.4 Description: The number of accepted
packets.
Name:
fwRejected Oid: 1.3.6.1.4.1.2620.1.1.5 Description: The number of rejected
packets.
Name:
fwDropped Oid: 1.3.6.1.4.1.2620.1.1.6 Description: The number of dropped
packets.
Name:
fwLogged Oid: 1.3.6.1.4.1.2620.1.1.7 Description: The number of logged packets.
Name:
fwMajor Oid: 1.3.6.1.4.1.2620.1.1.8 Description: FireWall-1 Major Version.
Name:
fwMinor Oid: 1.3.6.1.4.1.2620.1.1.9 Description: FireWall-1 Minor Version.
Name:
fwProduct Oid: 1.3.6.1.4.1.2620.1.1.10 Description: FireWall-1 Product.
Name:
fwEvent Oid: 1.3.6.1.4.1.2620.1.1.11 Description: A string containing the last
snmp trap sent via fw
Automatic
NAT
1. create a
workstation object.
2. use the
actual ip under the first tab.
3. click on
NAT tab
4. put
checkmark in "create automatic translation"
5. select
STATIC
6. put
external IP address (the one not actually on the box).
7. add a
PROXY ARP MAC address using the external MAC for the external ip
address.
Manual NAT
1. create a
workstation object with the external ip address.
2. create a
workstation object with the internal ip address
3. click on
"network address translation tab"
4. add two
rules (if there are other rules already there, make sure there is
not logic
conflict).
5. for rule
one, put external ip workstation object in original destination.
6. for rule
one, put internal ip workstation object in translated
destination.
7. for rule
two, put internal ip workstation object in original source.
8. for rule
two, put external ip workstation object in translated source.
9. add a
PROXY ARP MAC address using the external MAC for the external ip
address.
route add
-p <external-IP-address> mask 255.2555.255.255 <internal-ip-address>
where <external-ip-address> is
the published external IP address
where <internal-ip-address> is
either the Internal IP address of the server
or the IP address of the
router sitting between the Firewall and the
Internal server
Para
verificar la versión de Firewall-1 y nivel de parches, el comando a ejecutar es
"fw ver" que se debe chequear contra:
http://fixmyfirewall.com/fw1/fw-1.0003.html
[FW-1][Auditoría][IPSO]
The telnet
banner is set in /etc/gettytab by using the "im" (initial message)
capability. All IPSO terminals use the default entry, which looks like this:
default:\
:cb:ce:ck:lc:fd#1000:im=\r\n
IPSO (%h) (%t)\r\n\r\n:sp#1200:
This
produces the following initial banner.
IPSO
(hostname) (ttyp0)
login:
You may
change this by editing /etc/gettytab. To do so, first remount the hard disk read-write
(# mount -uw /) and edit gettytab. If you wished for the initial banner to say
something else, you could edit the im capability, such as in the following
example:
default:\
:cb:ce:ck:lc:fd#1000:im=\r\n
Unauthorized access
prohibited\r\n\r\n:sp#1200:
Cómo hago
para que el daemon del firewall me envíe un mail ante un problema? (no me
refiero al alert que se pone en el campo "track" de la política)
You need to
go into the global properties, LOG AND ALERT, Alert Commands and activate
"Run mail Alert Script" and plug the following information:
Internal_sendmail
(IP of your mail server) -s alert (Replace alert with a personal Warning; ex.
"From Firewall
>
abc123" -t mailer (Replace root with name of Sender)
Then you
need to change the rule, you want the alert for from LOG to MAIL If you want to
activate mail for popup alerts from the System status then activate "Run
popup Alert Script" and use what I have mentionned above;
1.1.1.1 -s
"From Firewall abc123" -t mailer "THE STATUS-VIEWER"
"-t
mailer" should be replaced by "-t mail.server.com"
Descargar las imágenes de firmware de la web y seguir estos pasos:
1. Download
the TFTP/Bootp Services from the Cabletron Download Library, http://www.cabletron.com/download/.
Make sure you save this as a Zip file to your hard drive.
2. Unzip
the file and run the setup program. This will install the TFTP/Bootp Services
on your computer. After the install, start the services.
3. If you
have another TFTP program running, close that down as only one service should
be running.
4. Place the .dnl file close to root. Copy down the path. (Ex. C:\images\10002.dnl)
5. Telnet
or locally go to the ELS100-24 and go into the Download Software Menu, selection
F.
6. Select A
and enter the IP address of the PC that you have the TFTP/Bootp Services
running on and then hit return.
7. Select B and enter the path to the image file. Ex. C:\images\10002.dnl
8. Select C
to start the download.
NOTE: This
will take the ELS100 off line, similar to doing a .HEX download to other
Cabletron devices.
If you have
the same image on the ELS as you are trying to download, the ELS will not
download and will reset.
The menu
screen asks for a .bin file. The .dnl file is the same thing and will work
fine.
Spectrum
Element Manager, ver. 2.0 and 2.1 Remote Administration Tools will not
recognize the .dnl file and you will not be able to do a download to the
ELS100-24 family. The Standalone TFTP/Bootp server is from the ver. 1.x family
of Spectrum Element Manager and will also not recognize the .dnl file
Do not
reset the ELS100-24 while a download is in progress. If the download fails and
the ELS is reset then it may need to be replaced.
Runtime
firmware downloads will not work if the TFTP server is using one of the
following RFC1819 reserved addresses:
10.0.0.0 172.16.0.0 192.168.0.0
Non-Runtime
downloads operate properly with all IP addresses.
The
download may also not work if there is a 0 (zero) in the second or third octet
of the IP address of the server. Examples of this are 134.141.0.3 or
126.0.141.3.
Firmware
version 2.01.04 and later allows you to clear the password. Reset the box and
hit enter any time to set the Baud rate of the Local Management connection.
When you see Topology discovery completed, hit the CTL and P keys 3 times. The
unit will continue to boot up and when you see >>>>>> System
Port Loopback Test.......--> Pass and then you will see, "Are you sure
(y/n)" show up on the screen. The default is No. Hit y for yes and the
unit will continue to boot up and clear the password. Admin and enter will
allow you to log into the unit and reconfigure a new password.
Version 2.00.07 and below do not have this option. Contact Tier 3 to get a
Webview session setup with the customer. This requires the customer to have a
LM/telnet session with the device and an internet connection.
If not possible, the unit will have to be RMA'd.
Solution
ID: tk0722-9
Creation
Date: 04/18/2001
Revised
Date: 05/13/2002
Technology:
Routing
Environment:
X-Pedition, SSR-2, SSR-8, SSR-16, ER16, Upgrade
Goals:
SSR
Software Upgrade Procedures
upgrading
from boot 1.1.0.7 to 1.1.0.8; and from vfs1 to vfs2
upgrading
to a new boot prom and software image, while on vfs2
upgrading
to a new software image
recovering
a corrupted external pcmcia flash
Solution:
This
document contains procedures for the following upgrade-related tasks:
Upgrading
from boot 1.1.0.7- to 1.1.0.8+, software image, and from VFS1 to VFS2
Use steps
1-18
Upgrading
to a new boot prom and software image, while already on VFS2
Use steps
1-9, 15-18
Upgrading
to a new software image
Use steps
1-7, 17-18
Recovering
a corrupted External (PCMCIA) Flash
Use steps
1-3, 9-16, 6-7, 17-18 (omit pcmakeversion2 in step 11)
While
upgrading an SSR8000/8600 with two control modules, differing software/boot
images on the two CMs are incompatible. So, depending upon what you are doing
and how carefully you do it, you either should or must remove the CMs one at a
time and upgrade them separately. It is best to err on the side of safety, and
seek downtime to do the parallel upgrades. Even with only a single CM, one or
more system reboots will likely be necessary, so expect at least some level of
disruption.
Before you
begin:
Review the
SSR memory organization, in TK0550-9, but do not use any of the commands
described there.
Back up
your startup config to a TFTP server, as explained in TK0660-9. This would also
be a good time to ask yourself whether the active config is the same as the
startup config. If not, you may choose to do a config-mode save startup command
before performing the backup operation.
Each time
you save startup (with f/w 3.x+), a copy of the merged scratchpad/active config
will not only be saved to the Internal Flash startup file, but will also be
saved to the External (PCMCIA) Flash startup file. The TFTP-offload suggestion
is precautionary, in the unlikely event of Internal Flash corruption. Recovery
from this problem is described in TK0553-9 and TK0660-9.
Items
needed:
PC/Laptop
with software (aka firmware) and bootprom images.
TFTP/BootP
server application, for the PC. Don't have one? Try our FTP Site.
Pair of
identical DB9<=>RJ45 adapters, usually Enterasys' "PC"
Adapters, for attachment to the SSR's DB9 console port and the PC's DB9 COM
port; and straight-through RJ45 cable to connect the adapters.
Crossover
cable to connect PC/Laptop to the RJ45 10 or 10/100 Mgmt port en0, on the SSR.
Steps:
1. Assemble
the adapters and cable, and open up a terminal session via the console port on
the SSR.
2. Connect
the PC's Network Interface to the SSR's en0 port, using the RJ45 crossover
cable. Though enable-mode upgrade commands can use either management interface
en0 or any user port, a portion of this document uses boot prom-mode, which can
use only en0. For consistency, all instructions assume en0.
3. Start
the TFTP/BootP Server application on the PC, and then minimize it.
4. Need to
confirm the SSR's currently running boot/software image revs? Simplest way is
to monitor the bootup process. Alternately, use enable-mode's system show
version command.
5. When the
SSR boots to user mode, enter enable mode.
enable
(toggle from user mode to enable mode)
6. The PC
and SSR must share a common IP subnet. To add an enable-mode IP address to en0:
config
(toggle from enable mode to config mode)
interface
add ip en0 address-netmask [IP address/maskbits]
save active
(save from scratchpad to active config)
save
startup (save from scratchpad to startup config)
[CTRL Z]
(exit to enable mode)
7. Ping
from the SSR to the TFTP Server (PC), to confirm IP connectivity.
ping [TFTP
server's IP address]
8. Download
the boot image from the TFTP Server to the SSR's nonvolatile boot area, located
on Internal Flash memory. File name must be no greater than 8 DOS-valid
characters, and must have no extension:
system
promimage upgrade [TFTP Server's IP address] [bootprom file name]
9. Once the
upgrade is done, reboot onto the new prom image:
reboot
10. While
rebooting, press the "Esc" key until you see a
"ssr-boot>" prompt, representing boot prom mode.
11. Totally
initialize the PCMCIA; a repository of one or more software images, plus
possibly a backup copy of the startup configuration set. Consider the first
command to be a bit of paranoia, since the subsequent set of commands should do
the same thing:
pcmakeversion2
(reformat the PCMCIA from VFS1 to VFS2 - retaining data)
pcumount
(unmount the PCMCIA)
erasepcvfs
(reformat the PCMCIA - using 1.1.0.8's VFS2 - and wipe all data)
pcmount -i
(remount the PCMCIA)
Note:
Though boot images above 1.1.0.8 (such as 1.1.0.9, 2.0.0.0, E3.0.0.0, and any
future releases) also contain the pcmakeversion1 and pcmakeversion2 commands,
making them in theory compatible with both VFS1 and VFS2 and capable of
converting between them, actual practice has more often than not shown them to
be intolerant of VFS1. Since there is no reason not to go to the more efficient
and much faster VFS2, the recommendation is to do that as of the 1.1.0.8 boot
prom level, and don't look back. TB1083-9, TK0706-9, and ENT949 contain some
additional background about boot and software revs, and VFS.
12. Confirm
the resulting PCMCIA Virtual File System rev:
pcshowversion
(response should be "PC Flash File System is version 2")
13.
Download the new image from the TFTP server to the SSR's volatile DRAM:
set netaddr
[SSR's boot prom-mode en0 IP address]
set netmask
[SSR's boot prom-mode en0 subnet mask]
set
bootaddr [TFTP Server's IP address] (must be local subnet)
ping [TFTP
Server's IP address] (ensures connectivity)
boot [TFTP
Server's path/filename] (example: boot c:/images/ssr3011)
14. At this
point the SSR should reset, and boot off of the TFTP Server.
15. Use the
enable command, to toggle from user mode to enable mode.
16. Confirm
that the downloaded boot and software images are properly identified:
system show
version
17.
Download/confirm/select the image, this time storing to the non-volatile
PCMCIA, for use during the next system reboot. These commands represent a
typical software upgrade, explained in somewhat more detail in TK0547-9:
system
image add [TFTP server's IP address] [path/filename]
(Need to
add an enable-mode IP address for en0? See step 6.)
(Insufficient
room on the PCMCIA for another image? See TK0698-9.)
system
image list (find the image you want, for use in the next command)
system
image choose [software file name] (example: ssr3011)
18.
Cold-boot (power cycle) the SSR. Per TB0806-9, this is strongly recommended as
the final step in any upgrade operation, including E8 software and beyond.
Environment:
SmartSwitch Router 2000, SmartSwitch Router 8000, SmartSwitch Router 8600,
memory
Goals: SSR Control Module (CM) memory and deletion processes
Solution: Where appropriate, commands will be given to allow the user to erase
sensitive data that they may have entered into the system to make the SSR
operational for their environment. All of these special commands to erase data
should be issued from the boot prom mode command line.
The different memories are:
NVRAM: holds the boot variables (ipaddr, bootsource, etc). This is stored as a
compacted sequence of strings. When a variable is deleted, the list is compacted
by copying the strings downwards. The leftover data is not erased in any way.
To make sure any variables that were set are unreadable, do the following
commands:
1.delete the sensitive variables
ssr-boot> unset netaddr
2.create a few new large variables
ssr-boot> set foo aaaaaaaaaaaaaaa
(Creating 4 variables, each with 80 "a"s in them, will overwrite
about 320 bytes of NVRAM memory destroying any previous entries in that space.)
3.delete the newly created large variables
ssr-boot> unset foo
IDPROM: a small (32-byte) memory that holds the OEM ID and the base MAC
address. This memory is sequential information assigned by Cabletron during the
manufacturing process and is not accessible to the customer.
BOOT PROM: 512kb of flash, holds the boot prom. This memory is only updated
when you issue a system promimage upgrade command from the CLI. The system only
allows write access to this area with an approved version of prom code.
DRAM: This is volatile memory used when the system is in operation. Nothing
written to DRAM is stored permanently. A few seconds of power loss is enough to
completely lose DRAM contents.
INTFLASH: 512kb of flash, holds the config file (and any copies of the config
file saved via the CLI from enable mode) in a special file system. Files are
deleted in the standard file system manner: a pointer is zeroed out and the
blocks freed for other use, but unless a file actually needs them, these free
blocks are not erased. The INTFLASH can be completely erased with the erasevfs
command. The process will erase all memory by writing all "1"s to
every bit
in every byte on all blocks. This is a proper hard erase: every bit is wiped.
Use the following commands to ensure complete destruction of all data on the
INTFLASH:
ssr-boot> umount
ssr-boot> erasevfs
ssr-boot> mount -i
PCFLASH: 8MB of flash in a PCMCIA card (CM and CM2) holds the boot image and a
copy of the config file in certain software revisions. This PCFLASH uses the
same file system structure as INTFLASH. It is subject to the same deletion
issues and the same secure deletion procedure. Use the following commands to
ensure complete destruction of data on the PCFLASH:
ssr-boot> pcumount
ssr-boot> erasepcvfs
ssr-boot> pcmount -i
The same process (outlined above for PCFLASH) is necessary to wipe the PCFLASH
on an SSR2000 or SSR2100 product. The 8MB Flash is not a removable PCMCIA card
on these platforms, but it is identified by the system and handled in an
identical manner using the same commands.
Based on the above information, there are three areas that need to be
considered for security reasons:
-NVRAM may have IP addresses of actual serrvices on the network that were used
during tfpt uploads while in boot prom mode.
-INTFLASH contains configuration files thaat were saved to startup or copied to
other backup file names.
-PCFLASH may contain a copy of the startupp file depending on the version of
code that was in operation at any time while changes to the config were being
made and saved.
Those who are security conscious will want to ensure that they have issued the
appropriate commands to the INTFLASH, the PCFLASH, and the NVRAM to ensure that
those memory locations contain no information related to their locations.
ssr-boot>
cp /int-flash/cfg/startup int-flash/cfg/startup.sav (copies startup to
startup.sav)
ssr-boot>
ls /int-flash/cfg/ (makes sure the new file is there)
ssr-boot>
rm /int-flash/cfg/startup (deletes the original startup file)
ssr-boot>
reboot
After
rebooting:
ssr# copy
startup.sav to scratchpad
ssr# config
ssr# show
(Note line # of password set command(s))
ssr(config)#
negate <line number(s)> scratchpad
ssr(config)#
^z
ssr# copy
scratchpad to startup (Configuration -- without passwords -- made Active)
SSR-8600
VER3.0.0.2 TACACS PLUS COMMANDS
tacacs-plus
enable
tacacs-plus
set server <IPaddr>
tacacs-plus
set [timeout <number>] [key <string>] [last-resort
password|succeed]
tacacs-plus
authentication login|enable
login: permite autenticar en el login
enable: permite autenticar en el
enable
tacacs-plus
show stats|all
muestra las stats de tacacs
tacacs-plus
accounting command level <level>
5 Log Configure commands.
10 Log all Configure and Enable
commands.
15 Log all Configure, Enable, and
User commands.
tacacs-plus
accounting shell start|stop|all
en nuestro caso seria all
tacacs-plus
accounting snmp active|startup
loguea cambios hechos a la config a traves de
snmp
tacacs-plus
accounting system fatal|error|warning|info
nosotros lo tenemos por syslog, pero se puede
hacer por tacacs.
nivel a utilizar: error
Entonces,
el script seria una cosa asi:
tacacs-plus
enable
tacacs-plus
set server 10.0.3.2
tacacs-plus
set server 10.0.3.4
#
tacacs-plus set timeout 5
tacacs-plus
set key jk23
tacacs-plus
set last-resort password
tacacs-plus authentication login
tacacs-plus authentication enable
tacacs-plus
accounting command level 15
tacacs-plus
accounting shell all
tacacs-plus accounting snmp active
tacacs-plus accounting snmp startup
tacacs-plus
accounting system error
fin del
script
ena
sess 15
ena
conf
int vlan1
ip add
1.1.1.1 255.255.255.0
no shut
sh bootf
copy tftp
bootflash:
1.1.1.2
<name>
<destinaton>
delete
bootflash
<el archivo viejo>
squeeze bootf
cop tftp:
bootflash:
boot
bootldr bootflash:c6msfc2-boot-mz.121-4.E1
boot system
bootflash:c6msfc2-jsv-mz.121-4.E1
ftp-record
<nombre> <ip> anonymous "adrian@" ctrl-z
copy ftp
adrian
copy
running-conf tftp <ip> <nombre>
copy config flash
# te pide el nombre, y despues
copy config
tftp
copy flash
tftp
levantar la config en word
courrier
new plain text 10
Introduction
This
document describes how to calculate bandwidth utilization using Simple Network
Management Protocol (SNMP).
Solution
Calculating
utilization depends on how data is presented for the particular thing you want
to measure. Interface utilization is the primary measure used for network
utilization. The following formulas should be used, based on whether the
connection you measure is half-duplex or full-duplex. Shared LAN connections
tend to be half-duplex, mainly because contention detection requires that a
device listen before transmitting. WAN connections typically are full-duplex
because the connection is point-to-point; both devices can transmit and receive
at the same time because they know there is only one other device sharing the
connection. Because MIB-II variables are stored as counters, you must take two
poll cycles and figure the difference between the two (hence, the delta used in
the equation).
The
following explains the variables used in the formulas:
|
Formula:
DeltaIfInOctets: The difference between two poll cycles of the collecting the
SNMP ifInOctets object, which represents the count of inbound octets of
traffic. |
|
Formula:
DeltaIfOutOctets: The difference between two poll cycles of the collecting
the SNMP ifOutOctets object, which represents the count of outbound octets of
traffic. |
|
IfSpeed:
the speed of the interface, as reported in the snmpifSpeed object |
Note:
ifSpeed may not accurately reflect the speed of a WAN interface.
For
half-duplex media, use the following formula for interface utilization:
|
(
(DeltaIfInOctets + DeltaIfOutOctets) * 8 * 100 ) / ( seconds in Delta *
ifSpeed ) |
For
full-duplex media, calculating the utilization is trickier. For example, with a
full T-1 serial connection, the line speed is 1.544 Mbps. What this means is
that a T-1 interface can both receive and transmit 1.544 Mbps for a combined
possible bandwidth of 3.088 Mbps!
When
calculating interface bandwidth for full-duplex connections, you could use the
following formula, in which you take the larger of the in and out values and
generate a utilization percentage:
|
( (max(DeltaIfInOctets
+ DeltaIfOutOctets)) * 8 * 100 ) / ( seconds in Delta * ifSpeed ) |
However,
this method hides the utilization of the direction that has the lesser value
and provides less accurate results. A more accurate method is to measure the
input utilization and output utilization separately, using the following
formulae:
|
Input
Utilization= ( DeltaIfInOctets * 8 * 100 ) / (seconds in Delta * ifSpeed ) |
|
Output
Utilization= ( DeltaIfOutOctets * 8 * 100 ) / (seconds in Delta * ifSpeed ) |
These
formulas are somewhat simplified because they do not take into consideration
any overhead associated with the particular protocol. As an example, refer to
RFC 1757 Ethernet-utilization formulas that take into consideration packet
overhead.
All of the
MIB attributes listed above are found in RFC1213 MIB.
Details of
the MIB variables used in these formulas are as follows:
.1.3.6.1.2.1.2.2.1.10
ifInOctets OBJECT-TYPE
-- FROM RFC1213-MIB, IF-MIB
SYNTAX Counter
MAX-ACCESS read-only
STATUS Mandatory
DESCRIPTION "The total number of octets received on the interface,
including framing characters."
::= { iso(1) org(3) dod(6) internet(1) mgmt(2) mib-2(1) interfaces(2)
ifTable(2) ifEntry(1) 10 }
.1.3.6.1.2.1.2.2.1.16
ifOutOctets OBJECT-TYPE
-- FROM RFC1213-MIB, IF-MIB
SYNTAX Counter
MAX-ACCESS read-only
STATUS Mandatory
DESCRIPTION "The total number of octets transmitted out of the interface,
including framing characters."
::= { ISO(1) org(3) DOD(6) Internet(1) mgmt(2) mib-2(1) interfaces(2)
ifTable(2) ifEntry(1) 16 }
.1.3.6.1.2.1.2.2.1.5
ifSpeed OBJECT-TYPE
-- FROM RFC1213-MIB, IF-MIB
SYNTAX Gauge
MAX-ACCESS read-only
STATUS Mandatory
DESCRIPTION "An estimate of the interface's current bandwidth in bits per
second. For interfaces which do not vary in bandwidth or for those where no
accurate estimation can be made, this object should contain the nominal
bandwidth."
::= { ISO(1) org(3) DOD(6) Internet(1) mgmt(2) mib-2(1) interfaces(2)
ifTable(2) ifEntry(1) 5 }
Para generar trafico (entre dos routers por ejemplo):
A) =>
1) telnet xxx.xxx.xxx.xxA
2) autenticarse.
3) ya en la linea de comando: si el otro router es xxx.xxx.xxx.xxB hacer "telnet xxx.xxx.xxx.xxB chargen"
4) dejar el telnet andando.
B) <=
1) telnet xxx.xxx.xxx.xxB
2) autenticarse.
3) ya en la linea de comando: si el otro router es xxx.xxx.xxx.xxA hacer "telnet xxx.xxx.xxx.xxA chargen"
4) dejar el telnet andando.
Se debe
partir del siguiente OID para obtener las MIBs de Temperatura para Cisco
.1.3.6.1.4.1.9.9.13.1.3.1
.iso.org.dod.internet.private.enterprises.cisco.ciscoMgmt.ciscoEnvMonMIB.ciscoEnvMonTemperatureStatusTable.ciscoEnvMonTemperatureStatusEntry.1
Entries:
CiscoEnvMonTemperatureStatusIndex:
.1.3.6.1.4.1.9.9.13.1.3.1.1
Se usa para
el snmpwalk
CiscoEnvMonTemperatureStatusDescr:
.1.3.6.1.4.1.9.9.13.1.3.1.2.instancia
Los puntos
donde se mide la temperatura:
Instancias:
Inlet
(entrada)=1
Hotpoint
(puntos criticos)=2
Eshaust
(salida)=3
CiscoEnvMonTemperatureStatusValue:
.1.3.6.1.4.1.9.9.13.1.3.1.3.instancia
Mide los 3
valores (en grados C) de los puntos anteriores
CiscoEnvMonTemperatureTreshold:
.1.3.6.1.4.1.9.9.13.1.3.1.4.instancia
Tiene como
parametro el umbral al cual puede llegar antes de un shutdown de emergencia
Inlet
(entrada)=50
Hotpoint
(puntos criticos)=60
Eshaust
(salida)=101
CiscoEnvMonTemperatureLastShutdown:
.1.3.6.1.4.1.9.9.13.1.3.1.5.instancia
Guarda
(contrariamente a lo que dice el manual) las temperaturas registradas en los
puntos medidos durante un shutdown (sea o no de emergencia)
CiscoEnvMonTemperatureState:
.1.3.6.1.4.1.9.9.13.1.3.1.6.instancia
Para este
ultimo, tenemos los estados:
Normal=1
Warning=2
Critical=3
Shutdown=4
Not
present=5