Watchguard tcp dump options

About TCP Dump Arguments

When you run the TCP dump task, you must specify the interface on which to run the task. You can also include expressions in the task arguments to filter for specific traffic.

To specify the interface, you include the -i argument and the interface name and number.

For example:

-i eth1 — Physical interface #1

-i ath1 — Wireless interface #1

-i br1 — Bridge interface #1

-i la1 — Link aggregation interface #1

To build an expression to filter the traffic from the interface you specify, you can use any of the standard TCP dump keywords and operators. Some of the common keywords and operators are:

host — Only include traffic to or from the specified host IP address.

net — Only show traffic to or from the IP addresses in the specified subnet. For example, for 10.0.1.0/24, type 10.0.1.

port — Only show traffic with either a source or destination of the specified port.

portrange — Only show traffic with either a source or destination port in the specified range.

ip proto — Only show traffic of the specified IP protocol number. For example, for ESP packets, type 50.

src or dst — Use with the keywords host or port to specify the source or destination.

tcp or udp — Use with the keywords port or portrange to specify the protocol.

and / or — Use to combine expressions.

For a complete list of the available keywords, see the PCAP-Filter manpage at http://www.tcpdump.org/manpages/pcap-filter.7.html.

Examples of TCP dump arguments:

-i eth1 host 10.0.1.25 and dst port 80
Show only traffic on interface eth1, to or from 10.0.1.25 with destination port 80.

-i eth0 tcp port 25
Show only traffic on interface eth0, to or from TCP port 25.

-i vlan1024
Show only traffic tagged with VLAN 1024.

-i eth0 udp port 500 or ip proto 50
Show all UDP port 500 or ESP packets for the eth0 interface.

-i eth2 src 10.0.1.100 and dst 10.0.2.25
Show all traffic from 10.0.1.100 to 10.0.2.25 on the eth2 interface.


HP A-Series Comware CLI

enter config mode:
system-view

show running-config:
disp cur

set ntp:
ntp-service enable
ntp-service unicast-peer 172.16.254.1

check ntp:
disp ntp-service stat

Clock status: synchronized
Clock stratum: 5
System peer: 172.16.254.1
Local mode: sym_active
Reference clock ID: 172.16.254.1
Leap indicator: 00
Clock jitter: 0.000198 s
Stability: 0.000 pps
Clock precision: 2^-17
Root delay: 6.37817 ms
Root dispersion: 6.54602 ms
Reference time: db84e749.fba8a28a Thu, Sep 15 2016 9:24:25.983
[L-core]
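The status output above is what a monitoring job would scrape from the switch. As an added example, not from the original post, the following Python parses that output into label/value pairs and flags the conditions that matter when you rely on switch logs for incident timelines: a clock that is not synchronized, a stratum that is too high (16 means unsynchronized in NTP), or a system peer other than the server you configured. NTP_STATUS_SAMPLE is a constructed copy of the output shown; the function names and the default stratum limit are my own choices.

```python
"""Parse Comware 'display ntp-service status' output and report an unhealthy time source."""

# Constructed sample in the shape shown above (not captured from a live switch).
NTP_STATUS_SAMPLE = """\
Clock status: synchronized
Clock stratum: 5
System peer: 172.16.254.1
Local mode: sym_active
Reference clock ID: 172.16.254.1
Leap indicator: 00
Clock jitter: 0.000198 s
Stability: 0.000 pps
Clock precision: 2^-17
Root delay: 6.37817 ms
Root dispersion: 6.54602 ms
Reference time: db84e749.fba8a28a Thu, Sep 15 2016 9:24:25.983
[L-core]
"""


def parse_ntp_status(text):
    """Turn 'Label: value' lines into a dict keyed by the lower-cased label.
    Prompt lines such as '[L-core]' and blank lines are ignored; only the first
    colon splits, so 'Reference time: ... 9:24:25.983' keeps its value intact."""
    status = {}
    for line in text.splitlines():
        if ":" not in line or line.startswith("["):
            continue
        label, value = line.split(":", 1)
        status[label.strip().lower()] = value.strip()
    return status


def ntp_findings(status, expected_peer, max_stratum=15):
    """Return a list of problems; an empty list means the clock is good enough for
    log correlation: synchronized, acceptable stratum, peered with the server we set."""
    problems = []
    clock_status = status.get("clock status", "missing")
    if clock_status != "synchronized":
        problems.append(f"clock not synchronized (status: {clock_status})")
    try:
        stratum = int(status.get("clock stratum", ""))
    except ValueError:
        stratum = None
    if stratum is None or stratum > max_stratum:
        problems.append(f"stratum {status.get('clock stratum', 'missing')} exceeds {max_stratum}")
    peer = status.get("system peer", "missing")
    if peer != expected_peer:
        problems.append(f"system peer {peer} is not {expected_peer}")
    return problems


if __name__ == "__main__":
    parsed = parse_ntp_status(NTP_STATUS_SAMPLE)
    print(ntp_findings(parsed, "172.16.254.1") or "NTP healthy")
```

Run the same check after `ntp-service unicast-peer` changes, and alert on any non-empty result: a switch that silently drifts produces logs that cannot be lined up with the firewall's.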

save config:
s s f (save safely force)

show saved-config:
disp sav

exit terminal:
quit
quit

more examples here


Factory Reset M-series

To reset a Firebox M200 or M300 to factory-default settings: Open


Recommended Watchguard Firecluster IP addresses

Select IP Addresses for Cluster Interfaces

We recommend you make a table with the network addresses you plan to use for the cluster interfaces and for the interface that carries the management IP address. To avoid conflicts with routable IP addresses, we recommend you allocate a dedicated private subnet to each cluster interface, or use link-local IP addresses that begin with 169.254. If you use link-local IP addresses, you might find it useful to define your cluster interface IP addresses like this:

169.254.<interface number>.<member number>/24 

The FireCluster setup wizard asks you to configure these settings individually for each cluster member. If you plan the interfaces and IP addresses in advance, it is easier to configure these interfaces with the wizard. For example, your table could look something like this:

Interface # and IP addresses for a FireCluster

Role                        Interface #   IP address for Member 1   IP address for Member 2
Primary cluster interface   5             169.254.5.1/24            169.254.5.2/24
Backup cluster interface    6             169.254.6.1/24            169.254.6.2/24
Management interface        1             10.0.10.100/24            10.0.10.102/24
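To turn the 169.254.&lt;interface number&gt;.&lt;member number&gt;/24 scheme into a plan and check it against the advice above (link-local addresses, one subnet per cluster interface, no overlap with the routable management network), here is an added Python example; it is not from the WatchGuard documentation. The function names are mine, the `base` parameter exists only so a bad plan can be tried, and the table it renders is the one shown above.

```python
"""Plan FireCluster interface addresses and check them against the guidance in the text."""
import ipaddress


def cluster_interface_plan(interface_numbers, member_count, base="169.254"):
    """Return {interface_number: {member_number: IPv4Interface}} using base.<interface>.<member>/24.
    The interface number becomes the third octet, so it must fit in 0..255."""
    plan = {}
    for iface in interface_numbers:
        if not 0 <= iface <= 255:
            raise ValueError(f"interface number {iface} does not fit in the third octet")
        plan[iface] = {
            member: ipaddress.ip_interface(f"{base}.{iface}.{member}/24")
            for member in range(1, member_count + 1)
        }
    return plan


def plan_problems(plan, management_network):
    """Check the recommendations: every cluster subnet link-local (169.254.0.0/16),
    each cluster interface on its own /24, and none overlapping the management subnet."""
    problems = []
    mgmt = ipaddress.ip_network(management_network, strict=False)
    used = {}
    for iface, members in plan.items():
        nets = {addr.network for addr in members.values()}
        if len(nets) != 1:
            problems.append(f"interface {iface}: members are not on one subnet")
            continue
        net = nets.pop()
        if not net.is_link_local:
            problems.append(f"interface {iface}: {net} is routable, not link-local")
        if net.overlaps(mgmt):
            problems.append(f"interface {iface}: {net} overlaps management subnet {mgmt}")
        if net in used:
            problems.append(f"interface {iface}: {net} is already used by interface {used[net]}")
        used[net] = iface
    return problems


def plan_table(plan):
    """Render the planning table the text recommends drawing up before running the wizard."""
    member_count = max(len(members) for members in plan.values())
    header = "Interface #  " + "  ".join(f"Member {m}".ljust(16) for m in range(1, member_count + 1))
    lines = [header]
    for iface, members in sorted(plan.items()):
        cells = [str(members[m]).ljust(16) for m in sorted(members)]
        lines.append(f"{iface:<11}  " + "  ".join(cells))
    return "\n".join(lines)


if __name__ == "__main__":
    plan = cluster_interface_plan([5, 6], 2)   # primary = 5, backup = 6, as in the table
    print(plan_table(plan))
    print(plan_problems(plan, "10.0.10.0/24") or "plan follows the recommendations")
```

The overlap check is the one that catches the usual mistake: picking a cluster subnet out of the same RFC 1918 range that already carries production traffic, which is exactly the conflict the link-local recommendation avoids.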


Watchguard XTM HTTPS Deep Inspection with Active Directory

On the XTM:

Create the FW CSR via Firebox System Manager, using type Proxy Authority

On the Domain Controller:

– Upgrade the DC certificate authority so it can issue SHA-256 certificates

– Export the root and intermediate certificates in Base64 format

– Submit the FW CSR via http://DC-ip/certsrv, using type subordinate CA

– Export the FW certificate in Base64 format

On the XTM:

– First import the root certificate, then the intermediate certificates, with type IPSec, Web Server, Other

– Then import the FW certificate with type Proxy Authority




Create an HTTPS proxy policy in Policy Manager

Content Inspection: Enable deep inspection, do not allow SSLv3, action Inspect

Domain Names: None matched: Inspect

Test in your browser that the firewall now issues the right certificates for inspected sites.


Dig

DNS Lookup using DIG

Here is how you do DNS lookups from your *nix host…

Host record:

$ dig www.lexhw.nl +noall +answer

; <<>> DiG 9.8.3-P1 <<>> www.lexhw.nl +noall +answer

;; global options: +cmd

www.lexhw.nl. 1315 IN A 185.56.145.31

Reverse lookup:

$ dig -x 185.56.145.31 +noall +answer

; <<>> DiG 9.8.3-P1 <<>> -x 185.56.145.31 +noall +answer

;; global options: +cmd

31.145.56.185.in-addr.arpa. 3599 IN PTR www76.totaalholding.nl.

31.145.56.185.in-addr.arpa. 3599 IN PTR filter02-out9.totaalholding.nl.

All records:

$ dig -t ANY lexhw.nl +noall +answer

;; Truncated, retrying in TCP mode.

; <<>> DiG 9.8.3-P1 <<>> -t ANY lexhw.nl +noall +answer

;; global options: +cmd

lexhw.nl. 3599 IN A 185.56.145.31

lexhw.nl. 3599 IN NS sandra.neostrada.nl.

lexhw.nl. 3599 IN NS christina.neostrada.nl.

lexhw.nl. 3599 IN NS lisa.neostrada.nl.

lexhw.nl. 3599 IN SOA sandra.neostrada.nl. hostmaster.neostrada.nl. 2016102504 10800 3600 604800 3600

lexhw.nl. 3599 IN MX 10 mail.lexhw.nl.

lexhw.nl. 3599 IN TXT "v=spf1 a mx include:spf.totaalholding.nl ip4:185.56.145.31 ?all"

Mail records only:

$ dig -t MX lexhw.nl +noall +answer

; <<>> DiG 9.8.3-P1 <<>> -t MX lexhw.nl +noall +answer

;; global options: +cmd

lexhw.nl. 3599 IN MX 10 mail.lexhw.nl.

Use specific nameserver:

$ dig @8.8.8.8 www.lexhw.nl +noall +answer

; <<>> DiG 9.8.3-P1 <<>> @8.8.8.8 www.lexhw.nl +noall +answer

; (1 server found)

;; global options: +cmd

www.lexhw.nl. 3599 IN A 185.56.145.31
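The lookups above are usually the raw material for two checks a defender actually wants: does the PTR that `dig -x` returns match the forward record, and does the SPF record published in TXT authorize a given sender address. As an added example, not from the original post, the Python below parses `+noall +answer` output into records, derives the in-addr.arpa name `dig -x` queries, and evaluates the `a`, `mx`, `ip4`, `ip6` and `all` mechanisms of the SPF record against an IP using only the parsed records. DIG_ANSWER is a constructed sample built from the records shown on this page (not a live query), and the function names are mine; `include` and `redirect` need further queries, so they are skipped here.

```python
"""Parse dig '+noall +answer' output and run reverse-lookup and SPF checks over it."""
import ipaddress
from dataclasses import dataclass

# Constructed sample in the shape dig prints above; records copied from the page, not a live query.
DIG_ANSWER = """\
;; Truncated, retrying in TCP mode.
lexhw.nl. 3599 IN A 185.56.145.31
lexhw.nl. 3599 IN NS sandra.neostrada.nl.
lexhw.nl. 3599 IN MX 10 mail.lexhw.nl.
lexhw.nl. 3599 IN TXT "v=spf1 a mx include:spf.totaalholding.nl ip4:185.56.145.31 ?all"
31.145.56.185.in-addr.arpa. 3599 IN PTR www76.totaalholding.nl.
"""


@dataclass(frozen=True)
class Record:
    name: str    # owner name without the trailing dot
    ttl: int
    rtype: str   # A, NS, MX, TXT, PTR, ...
    rdata: str   # rest of the line, with surrounding quotes removed


def parse_dig_answer(text):
    """One Record per answer line; dig's ';'-prefixed comment and status lines are skipped.
    Handles the single-string TXT form shown above (long TXT records are printed as
    several quoted chunks, which this parser does not join)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split(None, 4)            # name  ttl  class  type  rdata
        if len(fields) < 5 or fields[2] != "IN":
            continue
        name, ttl, _cls, rtype, rdata = fields
        records.append(Record(name.rstrip("."), int(ttl), rtype, rdata.strip('"')))
    return records


def lookup(records, name, rtype):
    """All rdata values of the given type for a name (trailing dot optional)."""
    name = name.rstrip(".")
    return [r.rdata for r in records if r.name == name and r.rtype == rtype]


def reverse_name(ip):
    """The in-addr.arpa (or ip6.arpa) name that 'dig -x' queries for this address."""
    return ipaddress.ip_address(ip).reverse_pointer


def ptr_names(records, ip):
    return [p.rstrip(".") for p in lookup(records, reverse_name(ip), "PTR")]


SPF_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(records, domain, sender_ip):
    """Evaluate the SPF record of domain against sender_ip using only parsed records.
    Mechanisms are tested left to right; the first match decides. include, redirect and
    exists require extra queries and are skipped, so treat the result as a partial check."""
    spf = [t for t in lookup(records, domain, "TXT") if t.startswith("v=spf1")]
    if len(spf) != 1:
        return "permerror" if spf else "none"   # more than one SPF record is an error
    ip = ipaddress.ip_address(sender_ip)
    for term in spf[0].split()[1:]:
        qualifier = "+"
        if term[0] in SPF_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        target = arg or domain
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # a bare address becomes a /32 or /128; mismatched IP versions never match
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(ip) in lookup(records, target, "A") + lookup(records, target, "AAAA")
        elif mech == "mx":
            hosts = [m.split()[1] for m in lookup(records, target, "MX")]
            matched = any(str(ip) in lookup(records, h, "A") for h in hosts)
        else:
            continue
        if matched:
            return SPF_RESULT[qualifier]
    return "neutral"   # nothing matched and no 'all' term present


if __name__ == "__main__":
    recs = parse_dig_answer(DIG_ANSWER)
    print(reverse_name("185.56.145.31"), "->", ptr_names(recs, "185.56.145.31"))
    print("SPF for 185.56.145.31:", spf_check(recs, "lexhw.nl", "185.56.145.31"))
    print("SPF for 203.0.113.9:", spf_check(recs, "lexhw.nl", "203.0.113.9"))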

Let's use bash shortcuts

Command Editing Shortcuts

  • Ctrl + a – go to the start of the command line
  • Ctrl + e – go to the end of the command line
  • Ctrl + k – delete from cursor to the end of the command line
  • Ctrl + u – delete from cursor to the start of the command line
  • Ctrl + w – delete from cursor to start of word (i.e. delete backwards one word)
  • Ctrl + y – paste word or text that was cut using one of the deletion shortcuts (such as the one above) after the cursor
  • Ctrl + xx – move between start of command line and current cursor position (and back again)
  • Alt + b – move backward one word (or go to start of word the cursor is currently on)
  • Alt + f – move forward one word (or go to end of word the cursor is currently on)
  • Alt + d – delete to end of word starting at cursor (whole word if cursor is at the beginning of word)
  • Alt + c – capitalize to end of word starting at cursor (whole word if cursor is at the beginning of word)
  • Alt + u – make uppercase from cursor to end of word
  • Alt + l – make lowercase from cursor to end of word
  • Alt + t – swap current word with previous
  • Ctrl + f – move forward one character
  • Ctrl + b – move backward one character
  • Ctrl + d – delete character under the cursor
  • Ctrl + h – delete character before the cursor
  • Ctrl + t – swap character under cursor with the previous one
