Checkpoint Log Exporter and MCAS

A customer wanted to start using Microsoft Defender for Cloud Apps (previously known as Microsoft Cloud App Security) and for this they had to ensure that the log files are sent to Microsoft. After a lot of reading and a lot of trial-and-error I finally got it working.

We initially assumed that we could send this in the Syslog format, but this didn't work for us.

This step-by-step plan is for the most part about the configuration of the Checkpoint firewall and not about the Microsoft Defender for Cloud Apps part. I don't have access to the customer's Azure environment, so I can't visually support this or explain it in detail. In any case, I will also put links for more detailed information.

Step 1.

First I created a firewall rule, so that the log files are actually allowed to go out.
Syslog is still included, but in principle this is not necessary because the files are sent over https.

Step 2.

Creating a Log Exporter rule on the Checkpoint Management Server is especially important, because here you indicate in which format you want to send the logs to the Microsoft Log Collector. In this link there is very extensive information about what you can set; we chose to send everything to the Log Collector. For this we used the following command:
cp_log_export add name FW3-LOG target-server 20.71.xx.xx target-port 443 protocol tcp format cef

With the command cp_log_export show you can check your settings.

This makes the log export active immediately and the log files are sent over https to the specified IP address.
I used to have Syslog as the format here, and it didn't work well with the Log Collector and MDCA together. After we changed this to the CEF format, also changed the settings on the Azure side to CEF and changed the docker instance of the Log Collector, we saw all relevant information come in, such as which cloud apps and (source) IP addresses are used. This is the information my customer wants to see and they are happy.
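A quick way to confirm that what arrives at the collector really is CEF rather than plain Syslog, as an added example (not part of the original post, and not Check Point or Microsoft code): it parses received lines and counts non-CEF records and CEF records without source, destination or action. The sample lines are constructed and the REQUIRED field list is an assumption.

```python
import re

# Constructed sample lines (not captured from a real firewall), shaped like
# records a collector would receive on its TCP listener.
SAMPLE_LINES = [
    "<134>Jan 10 10:00:01 fw3 CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|https|Unknown|"
    "act=Accept src=192.0.2.10 dst=198.51.100.7 dpt=443 proto=6 app=Example Cloud Drive",
    "CEF:0|Check Point|VPN-1 & FireWall-1|Check Point|Log|pipe\\|name|Unknown|"
    "act=Drop src=192.0.2.11 dst=198.51.100.8 msg=a\\=b test",
    "<134>Jan 10 10:00:02 fw3 Action=\"accept\" src=\"192.0.2.10\"",  # plain Syslog
]

HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "class_id", "name", "severity")
# Assumption: the extension keys needed to tie a cloud app to a source address.
REQUIRED = ("src", "dst", "act")

def parse_cef(line):
    """Return a dict for a CEF record, or None if the line is not CEF."""
    start = line.find("CEF:")
    if start < 0:
        return None
    # Split on unescaped pipes: 7 header fields, then the extension.
    # (A literal backslash directly before a pipe is not handled here.)
    parts = re.split(r"(?<!\\)\|", line[start + 4:], maxsplit=7)
    if len(parts) < 8:
        return None
    record = {k: v.replace("\\|", "|").replace("\\\\", "\\")
              for k, v in zip(HEADER_FIELDS, parts)}
    # Extension: key=value pairs; a value runs until the next " key=" or the end.
    pairs = re.findall(r"(\w+)=((?:\\=|[^=])*?)(?=\s+\w+=|\s*$)", parts[7])
    record["extension"] = {k: v.replace("\\=", "=").replace("\\\\", "\\")
                           for k, v in pairs}
    return record

def audit(lines):
    """Count non-CEF lines and CEF records missing a required field."""
    result = {"cef": 0, "not_cef": 0, "missing_fields": 0}
    for line in lines:
        rec = parse_cef(line)
        if rec is None:
            result["not_cef"] += 1
            continue
        result["cef"] += 1
        if any(field not in rec["extension"] for field in REQUIRED):
            result["missing_fields"] += 1
    return result
```

A non-zero not_cef count after the format change means some exporter is still sending the old Syslog format.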

Step 3.

In Azure you also have to specify a configuration. Unfortunately I don't have access to the customer environment in Azure, so I can only say that you can learn more here (Microsoft) about provisioning from the Azure side.
What you definitely need is a Log Collector. That is where you send the information that comes from the Checkpoint, and it forwards it to the Microsoft Defender for Cloud Apps environment of your company or customer.

Unlock VM in Proxmox

Today I created a new VM in Proxmox, but I made a mistake, so I wanted to power it down and then delete it. So I typed the following command in the console of the VM: sudo halt
The server indicated that it was going to the halt state. I then wanted to shut down the server completely in the GUI via the Stop command and then remove it, but no matter what I tried, nothing worked. In the logging I suddenly saw the message below.

trying to acquire lock...
TASK ERROR: can't lock file '/var/lock/qemu-server/lock-103.conf' - got timeout

So I went looking for where this was coming from. One reason is that, for example, a backup process is running right at that moment, which prevents the task from getting a lock and powering down the VM. You can solve this in the following way.

Log into the host server's CLI and then enter the following command to get the ID (VMID) of the correct VM. You can also see this via the GUI.

cat /etc/pve/.vmlist

Once you have the correct VMID, run the command below and the lock is removed.

qm unlock <VMID>

Firmware upload on Cisco Nexus

When I was trying to figure out how to upgrade the Cisco Nexus switch for a customer, I ran into the problem that I also had to upload the firmware to the relevant switch(es). The firmware to be uploaded was too large for tftp. At the time I thought of WinSCP, but that doesn't work out-of-the-box. So below is an explanation of how I got it to work.

  1. First of all you want to make a backup of the current firmware and configuration, and for that you have to enable the two features below on the Cisco Nexus switch. The first command checks which features are already enabled:
    show feature | sec enabled
    feature bash-shell
    feature scp-server

  2. Once these features are enabled, you can log in to the Nexus switch with WinSCP. Make sure you select SCP as the protocol. Then fill in the rest and save, or log in right away.


To route broadcast traffic from the SCCM server over different vlans, an access list must be set on the core switch (where the routing takes place). You can do this with the extended access list below. Give the access list a recognizable name and then set an entry per SCCM server. 

  1. Configure Access-list
    With the access list you indicate that the SCCM servers are allowed to send a broadcast.
    In place of the xx you enter the IP address of your own SCCM server.
    ip access-list extended "<acl name>"
         10 permit ip xx.xx.xx.xx

    ip directed-broadcast access-group "<acl name>"

If the customer uses 802.1x, the switch port must also be configured to allow WOL traffic on 802.1x ports. This is closed by default.
With the command below you allow it:

aaa port-access <port-list> controlled-direction in

Finally, you also have to set the firewall to allow broadcast traffic. This is blocked by default on a CheckPoint firewall. But you can configure it through the Gaia interface or via clish. You can do this for

3. Configure ip-broadcast helper on the firewall

Via the Gaia WebGui you can set this up by choosing the interface that your customer VLANs are behind. For UDP Port you choose 9, and as relay the IP address of the VLAN interface.

Configuring IPv6 on Fortigate

Since 1 December it has been possible with Ziggo to get IPv6 on your own router when your Ziggo modem is in bridge mode. Ziggo only gives you a few pointers about what you have to configure on your router to get this working, and this of course differs between routers. There are also differences between firmware versions, for example between FortiOS 6.x and 7.x. Below I explain how I set this up for my Fortigate 60E, including for multiple subnets/VLANs.

  • Restart your Ziggo modem, so you can be sure that everything is trained again, even if you already see an IPv6 address on your Fortigate.
  • First configure the WAN interface on your Fortigate. It may be called just WAN or, as in my case, WAN1 or WAN2. With <show system interface> you see how the interface is currently configured; for readability I only show the IPv6 configuration here. Remember the number under <config dhcp6-iapd-list>. You will have to enter this number later in the configuration of your LAN interface(s).
config system interface
    edit "wan1"
        config ipv6
            set ip6-mode dhcp
            set ip6-allowaccess fabric
            set dhcp6-prefix-delegation enable
            config dhcp6-iapd-list
                edit 5
                    set prefix-hint ::/56
                next
            end
        end
    next
end
  • After this configuration, restart your Fortigate, so you can be sure that the changes between your Ziggo modem and Fortigate are applied correctly.
  • After the restart we continue with the configuration of the LAN interface(s).
  • Note that with <set ip6-delegated-prefix-iaid> you refer to the number you saw on the WAN interface under <config dhcp6-iapd-list>.
  • Also note that under <config ip6-prefix-list> the IPv6 subnet shown here is different for everyone. Look in the GUI at the interface and you will see your assigned subnet there. Enter that one here.
config system interface
    edit "internal"
        config ipv6
            set ip6-mode delegated
            set ip6-allowaccess ping https ssh snmp
            set ip6-delegated-prefix-iaid 5
            set ip6-send-adv enable
            set ip6-other-flag enable
            set ip6-upstream-interface "wan1"
            set ip6-subnet ::1/64
            config ip6-prefix-list
                edit 2001:1c03:xxxx:xxxx::/64
                next
            end
            config ip6-delegated-prefix-list
                edit 1
                    set upstream-interface "wan1"
                    set subnet ::/64
                next
            end
        end
    next
end