Automatically backup config to scp or tftp when “write mem”

In Cisco, I can automatically backup config using scp or tftp to other location every time I issue “wr me”

How to achieve the same in other brand?

CISCO:
archive
path scp://root:eve@10.0.10.70/$h
write-memory

 

FORTIGATE:

 

HP:

 

JUNIPER:
https://forum.ivorde.com/junos-system-configuration-archival-is-not-working-over-scp-t19351.html

 

RUCKUS:

 

Killing stuck process

Arista:
# bash
$ ps –ef | grep -i Stp
$ sudo kill PID

CheckPoint:
ps -auxww  Report all active processes in the kernel we can see zombi process with this command  (z)
You must first identify the parent process of these zombies;
ps -l -p <pid of zombie>
pidof fwd (splat)
pgrep -l sshd   Find the PIDs of processes by (part of) name
ps axjf              See in tree format also i can see parent pid )
pmap PID       Memory map of process (good for hunting memory leaks)

Displaying the top 10 CPU-consuming processes (% of total usage)
ps aux | head -1; ps aux | sort -rn +2 | head -10
Displaying the processes in order of real memory use
ps vx | head -1 ; ps vx | grep -v PID | sort -rn +6 | head -10

Displaying the processes using whatchdog (CPWD) for  (CDP,FWM,FWD)
cpwd_admin list
more explanation on  this post
******************************************************
Kill a Firewall process
kill -9 (pid of process)
fw kill [-t sig] proc_name
Example:
fw kill -t 9 fwm
Also process can be kill with top command and just press -k follow by process PID

Cisco:
# show processes cpu sorted
# clear sockets PID

F5
# ps ax | grep -i sshd
# kill -9 PID

Fortinet:
-check version
# fnsysctl cat /proc/version
Linux version 2.4.37 (root@build) #1 Mon Dec  4 20:51:05 UTC 2017
-check running daemon
# fnsysctl ls /var/run
alertmail.pid       authd.pid           bgpd.pid
cmdbsvr.pid         cw_acd.pid          daemon.pid
dhcpd.pid           dnsproxy.pid        eap_proxy.pid
fclicense.pid       fcnacd.pid          fgfmd.pid
fnbamd.pid          foauthd.pid         forticldd.pid
forticron.pid       fsvrd.pid           httpclid.pid
httpd.pid           iked.pid            imi.pid
init.pid            ipsengine.pid       ipsmonitor.pid
isisd.pid           kmiglogd.pid        merged_daemons.pid
miglogd000.pid      miglogd001.pid      nsm.pid
ntpd.pid            ospf6d.pid          ospfd.pid
pdmd.pid            pim6d.pid           pimd.pid
pyfcgid.pid         ripd.pid            ripngd.pid
snmpd.pid           sshd.pid            stpd.pid
telnetd.pid         updated.pid         uploadd.pid
wpad.pid            zebos_launcher.pid
-check running PID
# fnsysctl ps
PID       UID     GID     STATE   CMD
1         0       0       S       /bin/initXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
2         0       0       S       [keventd]
3         0       0       S       [ksoftirqd_CPU0]
4         0       0       S       [kswapd]
5         0       0       S       [bdflush]
6         0       0       S       [kupdated]
7         0       0       S       [memoryd]
8         0       0       S       [khubd]
12        0       0       S       [usb-storage-0]
13        0       0       S       [scsi_eh_0]
31        0       0       S       [mvl_link]
32        0       0       S       /bin/cmdbsvr
38        0       0       S       /bin/zebos_launcher
39        0       0       S       /bin/nsm -L 2
40        0       0       S       /bin/ripd -L 2
41        0       0       S       /bin/ripngd -L 2
42        0       0       S       /bin/ospfd -L 3
43        0       0       S       /bin/ospf6d -L 2
44        0       0       S       /bin/bgpd -L 3
45        0       0       S       /bin/isisd -L 2
46        0       0       S       /bin/pimd -L 2
47        0       0       S       /bin/pim6d -L 2
48        0       0       S       /bin/pdmd -L 2
49        0       0       S       /bin/imi -L 2
50        0       0       S       /bin/uploadd
51        0       0       S       /bin/miglogd
52        0       0       S       /bin/kmiglogd
53        0       0       S       /bin/httpsd
55        0       0       S       /bin/getty
56        0       0       S       /bin/ipsmonitor
59        0       0       S       /bin/merged_daemons
60        0       0       S       /bin/fnbamd
61        0       0       S       /bin/fclicense
62        0       0       S       /bin/ipshelper
63        0       0       S       /bin/forticron
64        0       0       S       /bin/forticldd
65        0       0       S       /bin/authd
66        0       0       S       /bin/foauthd
67        0       0       S       /bin/httpclid
68        0       0       S       /bin/iked
69        0       0       S       /bin/updated
70        0       0       S       /bin/snmpd
71        0       0       S       /bin/dhcpd
72        0       0       S       /bin/miglogd 1
73        0       0       S       /bin/ntpd
74        0       0       S       /bin/sshd
75        0       0       S       /bin/telnetd
78        0       0       S       /bin/alertmail
79        0       0       S       /bin/dnsproxy
80        0       0       S       /bin/eap_proxy
81        0       0       S       /bin/fgfmd
82        0       0       S       /bin/cw_acd
83        0       0       S       /bin/wpad_ac
84        0       0       S       /bin/stpd
85        0       0       S       /bin/fsvrd
87        0       0       S       /bin/fcnacd
92        0       0       S       /bin/httpsd
93        0       0       S       /bin/httpsd
94        0       0       S       /bin/httpsd
510       0       0       S       /bin/pyfcgid
512       0       0       S       /bin/pyfcgid
513       0       0       S       /bin/pyfcgid
514       0       0       S       /bin/pyfcgid
553       0       0       S       /bin/sshd
554       0       0       S       /bin/newcli
556       0       0       R       ps

-you can use diag to check 100 the most 100 top resources with 25s delay, but the list not as comprehensive as “fnsysctl ps” above
# diag sys top 25 100
Run Time:  0 days, 8 hours and 15 minutes
0U, 0N, 0S, 100I; 499T, 253F
         pyfcgid      510      S       0.0     5.1
         pyfcgid      512      S       0.0     5.0
         pyfcgid      513      S       0.0     5.0
         pyfcgid      514      S       0.0     5.0
         cmdbsvr       32      S       0.0     5.0
          httpsd       94      S       0.0     4.7
          httpsd       93      S       0.0     4.7
          httpsd       53      S       0.0     4.1
          cw_acd       82      S       0.0     4.0
          httpsd       92      S       0.0     3.9
       forticron       63      S       0.0     3.3
         miglogd       51      S       0.0     3.3
          newcli      560      R       0.0     3.1
          newcli      554      S       0.0     3.1
           fgfmd       81      S       0.0     3.0
       ipshelper       62      S <     0.0     2.5
          fcnacd       87      S       0.0     2.4
           authd       65      S       0.0     2.3
            iked       68      S       0.0     2.2
       eap_proxy       80      S       0.0     2.2

-for example we want to check dhcp PID
# fnsysctl more /var/run/dhcpd.pid
71
-to kill dhcpd
# diag sys kill 9 71
or
# fnsysctl kill -9 71
-to disable dhcpd service
# config sys dhcp server
# edit 1
# set status dis
-to enable back
# set status ena

HP:

Juniper:
> show system processes extensive
last pid: 16727; load averages: 22.24, 22.19, 22.15 up 0+17:39:34 01:26:10
265 processes: 28 running, 215 sleeping, 1 zombie, 21 waiting
Mem: 970M Active, 128M Inact, 147M Wired, 230M Cache, 112M Buf, 386M Free
> start shell
% top
   last pid: 37244; load averages: 0.04, 0.03, 0.00 up 16+16:18:49 09:19:44 52 processes:    1 running, 51 sleeping, , 1 zombie, 21 waiting
   CPU states: 2.5% user, 0.0% nice, 0.6% system, 0.3% interrupt, 96.6% idle Mem: 429M     Active, 69M Inact, 59M Wired, 165M Cache, 110M Buf, 258M Free
If the PID is identified from CLI, or the top command
% ps aux | grep –Wz
Pid=16396
Pid=13256
-to kill target PID
# kill -9 16396

Mikrotik:

PaloAlto:
Sangfor:

SonicWall:

Sophos:

Firewall/Router Attack – BlackNurse

SOURCE: blacknurse.dk

This BlackNurse attack will causing high CPU on target device

REQUIREMENT:

-Kali linux

Attack (flood better)
# hping3 -1 -C 3 -K 3 -i u20

# hping3 -1 -C 3 -K 3 –flood

RESULTS:
-Mikrotik v6.37.1 CPU utilization before attack 4%, after attack 44%
-Fortigate 5.2 CPU utilization before attack idle 99%, after attack idle 70%

This attack only from 1 source. Could be more damage if I am using more attack sources

LIST OF REPORTED AFFECTED PRODUCTS :
-Cisco ASA 5505, 5506, 5515, 5525 , 5540 (default settings)
-Cisco 6500 routers with SUP2T and Netflow v9 on the inbound interface – 100% CPU load
-Cisco ASA 5550 (Legacy) and 5515-X (latest generation)
-Cisco Router 897 – Can be mitigated – The current code from https://www.cymru.com/Documents/secure-ios-template.html will make evil worse.
-Fortinet v5.4.1 – One CPU consumed
-Fortigate units 60c and 100D (even with drop ICMP on) – RESPONSE FROM FORTINET
-Some unverified Palo Alto – SEE ANSWER FROM PALO ALTO
-Palo Alto 5050 Firewalls with firmware 7.1.4-h2
-SonicWall – Misconfiguration can be changed and mitigated (Enable Anti-DDOS)
-Zyxel NWA3560-N (Wireless attack from LAN Side)

-Zyxel Zywall USG50

NOT AFFECTED:
-AVM Fritz!Box 7360 (common ADSl router in Germany)
-Check Point Security Gateways – Checkpoint response!
-Cisco ISR4321 Router IOS XE – Version 15.5(3)S2, RELEASE SOFTWARE (fc2)
-GigaVUE HC-Serie (Gigamon)
-Iptables
-Juniper SRX
-Mikrotik CCR1036-12G-4S firmware: 3.27 (250 Mbit/sek) and no problem && RouterOS 5.4 on Mikrotik RB750
-OpenBSD 6.0 and current
-pfSense
-Ubiquiti Networks – EdgeRouter Lite CPU 60-70% load but still going
-Windows Firewalls

Fortigate OS 4.x < 5.0.7 – SSH Backdoor

SOURCE: https://www.exploit-db.com/exploits/39224/

This remote exploit which allows remote attackers to obtain administrative access via an SSH session

Affected device:
-FortiAnalyzer before 5.0.12 and 5.2.x before 5.2.5
-FortiSwitch 3.3.x before 3.3.3; FortiCache 3.0.x before 3.0.8
-FortiOS 4.1.x before 4.1.11, 4.2.x before 4.2.16, 4.3.x before 4.3.17 and 5.0.x before 5.0.8

# mv 39224.py fgt_ssh_backdoor.py
# chmod 744 fgt_ssh_backdoor.py
# ./fgt_ssh_backdoor.py targetip

How to disable SIP ALG

SOURCE:
http://www.voip-info.org/wiki/view/Routers+SIP+ALG

Many of today’s commercial routers implement SIP ALG (Application-level gateway), coming with this feature enabled by default. While ALG could help in solving NAT related problems, the fact is that many routers’ ALG implementations are wrong and break SIP.

CheckPoint
login to Smart Dashboard
click Smart Defence tab
expand Application Intelligence
expand VoIP
disable all features on H.323

Cisco
(config)# no ip nat service sip tcp port 5060
(config)# no ip nat service sip udp port 5060

ASA
(config)# policy-map global_policy
(config)# no inspect sip

Cyberoam
> cyberoam system_modules sip unload

D-Link
Open a browser and enter the router’s IP address in the address bar. Go to “Firewall Settings” under the “Advanced” item.
Uncheck the box to disable SPI – usually, directly below this item are options for “NAT Endpoint Filtering” that must be changed to “Endpoint Independent” for both TCP and UDP.
Next, find the “Application Level Gateway (ALG) Configuration” area and uncheck the box for SIP.
Save these settings and reboot the device if requested

FortiGate
disable SIP ALG
# config system settings
# set sip-helper disable
# set sip-nat-trace disable
# end
verify
# show full-configuration system settings
delete sip
# config system session-helper
(session-helper) # show
config system session-helper
edit 1
set name pptp
set protocol 6
set port 1723
next
edit 2
set name h323
set protocol 6
set port 1720
next
edit 3
set name ras
set protocol 17
set port 1719
next
edit 4
set name tns
set protocol 6
set port 1521
next
edit 5
set name tftp
set protocol 17
set port 69
next
edit 6
set name rtsp
set protocol 6
set port 554
next
edit 7
set name rtsp
set protocol 6
set port 7070
next
edit 8
set name rtsp
set protocol 6
set port 8554
next
edit 9
set name ftp
set protocol 6
set port 21
next
edit 10
set name mms
set protocol 6
set port 1863
next
edit 11
set name pmap
set protocol 6
set port 111
next
edit 12
set name pmap
set protocol 17
set port 111
next
edit 13
set name sip
set protocol 17
set port 5060
next
edit 14
set name dns-udp
set protocol 17
set port 53
next
edit 15
set name rsh
set protocol 6
set port 514
next
edit 16
set name rsh
set protocol 6
set port 512
next
edit 17
set name dcerpc
set protocol 6
set port 135
next
edit 18
set name dcerpc
set protocol 17
set port 135
next
edit 19
set name mgcp
set protocol 17
set port 2427
next
edit 20
set name mgcp
set protocol 17
set port 2727
next
end
(session-helper) # delete 13
(session-helper) # end

Juniper
https://kb.juniper.net/InfoCenter/index?page=content&id=KB7078&actp=search
# set security alg sip disable
# commit and quit

Mikrotik
> ip firewall service-port set sip disabled=yes

Netgear
From Wan Setup Menu, NAT Filtering, uncheck the box next to “Disable SIP ALG”

PaloAlto
https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Disable-SIP-ALG/ta-p/60637
# set shared alg-override application sip alg-disabled yes

Peplink
go to http://<router.LAN.IP>/cgi-bin/MANGA/support.cgi
Click the “Disable” button under “SIP ALG Support”

SonicWall
in GUI, go to VOIP>Settings>General Settings
tick Enable consistent NAT
untick Enable SIP Transformations

SpeedTouch
telnet router
> connection unbind application=SIP port=5060
> saveall

Zyxel
telnet router
Menu option “24. System Maintenance”.
Menu option “8. Command Interpreter Mode”.
ip nat service sip active 0

Blocking Browsec Chrome Extension

Browsec is VPN extension similar to ZenMate

CheckPoint:
Image.png

Cisco ASA:

Cyberoam:

Fortigate:

Juniper:

Mikrotik:

/ip firewall address-list
add address=12.12.12.0/24 list=LAN
/ip firewall layer7-protocol
add name=browsec regexp=”^.+(postls.com).*\$”
/ip firewall filter

add action=drop chain=forward layer7-protocol=browsec src-address-list=LAN

PaloAlto:

SonicWall: