All_about_network

Routing on Nokia IPSO and Secure Platform (SPLAT)

by tnk on Oct.01, 2009, under Checkpoint, Networking, R65, Security Links, nokia, routing, secure platform, splat


As I am involved with security appliances lately, I thought it would be beneficial to write down some notes about them. This time it is a “howto” on routing on the Nokia IP390 appliance with IPSO 4.2 and on SPLAT supplied with Check Point R65. This article describes some basics of routing on these two platforms. Hopefully a more advanced guide will follow.

After logging in to Nokia’s IPSO you will probably want to use the special command-line interface called “clish”, invoked by the command of the same name. Once you are in clish you can print the list of routes with the “show route” command. The output should look something like this:

test[admin]# clish
NokiaIP390:48> show route
Codes:  C - Connected, S - Static, I - IGRP, R - RIP, B - BGP,
        O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA)
        A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed

S    0.0.0.0/0            via 82.13.116.160, eth1c0, cost 0, age 18416
C    10/14                is directly connected, eth4c0
C    82.13.116.160/27     is directly connected, eth1c0
C    127.0.0.1/32         is directly connected, loop0c0
S    192.168/16           via 10.1.1.254, eth4c0, cost 0, age 18847
NokiaIP390:49>

You can see my static routes marked by the letter S. The default route should be set by the initial device configuration. The second one was added later with the following command.

NokiaIP390:49> set static-route 192.168.0.0/16 nexthop gateway address 10.1.1.254 on

In my case I had to change the default route, as the original was unsuitable for my purposes. Adding a default route has a slightly different syntax: instead of the destination 0.0.0.0/0, the “default” keyword is used.

NokiaIP390:49> set static-route default nexthop gateway address 82.13.116.160 on

If you want to delete these routes, issue the same commands with the last keyword changed to “off”. All of this can also be done in the web interface called Voyager, but I found it rather confusing.

On Secure Platform the same can be done in three ways. As SPLAT is basically Linux (a flavor of Red Hat), you can use the Linux “ip” command, which will work but is against best practices. The second way is through SPLAT’s web interface, which is easy and just about everybody should be able to use. The proper way from the CLI is to use the “sysconfig” utility. But first it is useful to see the routes as the system sees them.

You can do that with the Linux netstat utility in expert mode.

[cpmodule]# expert
Enter expert password:

You are in expert mode now.

[Expert@cpmodule]# netstat -nvr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
224.0.0.2       0.0.0.0         255.255.255.255 UHD       0 0          0 lo
127.0.0.1       0.0.0.0         255.255.255.255 UH        0 0          0 lo
10.1.1.0        0.0.0.0         255.255.255.0   U         0 0          0 eth0
192.168.0.0     10.1.1.254      255.255.0.0     UG        0 0          0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
0.0.0.0         10.1.1.188      0.0.0.0         UG        0 0          0 eth0
[Expert@cpmodule]#
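
The table printed by netstat can also be kept as a baseline and compared against later output, to spot routes that were added outside the managed configuration (for example with the “ip” command). The script below is an added example, not part of the original post; the function names, the normalised "dest/prefix gateway iface" format and the 172.16.0.0 route are assumptions made for illustration, and it assumes awk, grep, sed, sort and mktemp are available in the shell.

```shell
#!/bin/sh
# Added example (not from the original post): detect routing-table drift.

# Turn `netstat -nr` text on stdin into sorted "dest/prefix gateway iface" lines.
routes_from_netstat() {
    awk '
    # Prefix length = number of set bits (assumes a contiguous netmask).
    function masklen(mask,   o, i, b, bits) {
        split(mask, o, ".")
        for (i = 1; i <= 4; i++)
            for (b = o[i] + 0; b > 0; b = int(b / 2)) bits += b % 2
        return bits + 0
    }
    # Route rows start with a dotted-quad destination; headers are skipped.
    $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && NF >= 8 {
        printf "%s/%d %s %s\n", $1, masklen($3), $2, $NF
    }' | LC_ALL=C sort
}

# Compare two normalised lists: "+" = only in current, "-" = only in baseline.
route_drift() {   # $1 = baseline file, $2 = current file
    grep -vxFf "$1" "$2" | sed 's/^/+ /'
    grep -vxFf "$2" "$1" | sed 's/^/- /'
}

# Constructed sample: routes from the article; sample_current adds 172.16.0.0.
sample_baseline() { cat <<'EOF'
Kernel IP routing table
Destination  Gateway     Genmask          Flags MSS Window irtt Iface
10.1.1.0     0.0.0.0     255.255.255.0    U     0   0      0    eth0
192.168.0.0  10.1.1.254  255.255.0.0      UG    0   0      0    eth0
0.0.0.0      10.1.1.188  0.0.0.0          UG    0   0      0    eth0
EOF
}
sample_current() {
    sample_baseline
    echo "172.16.0.0   10.1.1.77   255.240.0.0      UG    0   0      0    eth0"
}

demo() {
    tmp=$(mktemp -d) || return 1
    sample_baseline | routes_from_netstat > "$tmp/base"
    sample_current  | routes_from_netstat > "$tmp/cur"
    route_drift "$tmp/base" "$tmp/cur"
    rm -rf "$tmp"
}
demo   # prints: + 172.16.0.0/12 10.1.1.77 eth0
```

On a live system the current list would come from piping `netstat -nr` into routes_from_netstat instead of the embedded sample.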
