Wednesday, January 20, 2016

Checkpoint Special Config Files


1. fwkern.conf - $FWDIR/boot/modules/fwkern.conf Magic Mac
2. local.arp   - $FWDIR/conf/local.arp   GAiA manual ARP
3. sdconf.rec  -  /var/ace  RSA authentication
4. rc.local    -  /etc/rc.d/rc.local

----------------------------------------------
Checkpoint scripts:
----------------------------------------------
1. checkup.sh
2. cpsizeme
3. nohup mpstat -P ALL 1 86400 > mpstat.out &

----------------------------------------------
Checkpoint Health Checks - Commands
----------------------------------------------
uptime
ver
fw ver
cpinfo -y all
cplic print
expert
df -h
reboot
shutdown
fwunload local

----------------------------------------------
Firewall Performance
----------------------------------------------
top
ps auxwww
fw tab -t connections -s
fw ctl pstat
fwaccel stats
tcpdump -i eth0 src 10.25.240.57 and dst 216.231.64.82


----------------------------------------------
Verification:
----------------------------------------------
cat /etc/sysconfig/ntp
vmstat 1 10
cat /proc/meminfo
cpstat os -f cpu
cpstat os -f memory

Interface Configurations
------------------------
netstat -i
ifconfig -a
netstat -rn
ethtool -i eth0
ethtool -S eth1-01
ethtool -S eth1-02


cpview
fw tab -t userc_key -s
fw tab -t userc_users -s
fw tab -t om_assigned_ips -s  (verify # of seat licenses)

Cluster XL (High Availability)
------------------------------
cpstop
cpstart
cphastop
cphastart
clusterXL_admin up/down
cphaprob -a if
cphaprob list
cphaprob stat
cpstat ha -f all
cphaprob syncstat

cpconfig

--------------------------------------------------------------------------------
Performance - cpconfig utility to enable/disable Checkpoint SecureXL
--------------------------------------------------------------------------------
fwaccel stats  (Usage: fwaccel on | off | ver | stat | conns | dbg <...> | help)
fwaccel conns
fwaccel conns -s
fw ctl multik stat
fw ctl affinity -l -a -v
gaia> fwaccel conns -s  (checks SecureXL Connections)
gaia> fw ctl get int fwx_max_conns  (checks maximum connections; 0 means it is set to auto/unlimited)

[Expert@myfwe-int02:0]# fw ctl multik stat  (connection-to-core distribution)
ID | Active  | CPU    | Connections | Peak
----------------------------------------------
 0 | Yes     | 11     |         178 |      303
 1 | Yes     | 10     |         203 |      380
 2 | Yes     | 9      |         168 |      262
 3 | Yes     | 8      |         179 |      188
 4 | Yes     | 7      |         149 |      278
 5 | Yes     | 6      |         113 |      194
 6 | Yes     | 5      |         128 |      221
 7 | Yes     | 4      |         282 |      387
 8 | Yes     | 3      |         186 |      292
 9 | Yes     | 2      |         296 |      439
[Expert@hinfwe-int02:0]#


[Expert@myfwe-int02:0]# fw ctl affinity -l -a -v    (check CPU core to NIC mapping; can be changed in $FWDIR/conf/fwaffinity.conf)
Interface eth1-05 (irq 218): CPU 1
Interface Sync (irq 124): CPU 1
Interface eth1-01 (irq 107): CPU 1
Interface eth1-02 (irq 123): CPU 0
Interface eth3-01 (irq 171): CPU 0
Kernel fw_0: CPU 11
Kernel fw_1: CPU 10
Kernel fw_2: CPU 9
Kernel fw_3: CPU 8
Kernel fw_4: CPU 7
Kernel fw_5: CPU 6
Kernel fw_6: CPU 5
Kernel fw_7: CPU 4
Kernel fw_8: CPU 3
Kernel fw_9: CPU 2
Daemon in.geod: CPU all
Daemon vpnd: CPU all
Daemon in.acapd: CPU all
Daemon in.asessiond: CPU all
Daemon in.msd: CPU all
Daemon rad: CPU all
Daemon rtmd: CPU all
Daemon fwd: CPU all
Daemon mpdaemon: CPU all
Daemon usrchkd: CPU all
Daemon cpd: CPU all
Daemon cprid: CPU all
[Expert@hinfwe-int02:0]#

[Expert@hinfwe-int02:0]# fwaccel stat
Accelerator Status : on
Accept Templates   : disabled by Firewall
                     disabled from rule #35
Drop Templates     : disabled
NAT Templates      : disabled by user

Accelerator Features : Accounting, NAT, Cryptography, Routing,
                       HasClock, Templates, Synchronous, IdleDetection,
                       Sequencing, TcpStateDetect, AutoExpire,
                       DelayedNotif, TcpStateDetectV2, CPLS, McastRouting,
                       WireMode, DropTemplates, NatTemplates,
                       Streaming, MultiFW, AntiSpoofing, ViolationStats,
                       Nac, AsychronicNotif, ERDOS, McastRoutingV2
Cryptography Features : Tunnel, UDPEncapsulation, MD5, SHA1, NULL,
                        3DES, DES, CAST, CAST-40, AES-128, AES-256,
                        ESP, LinkSelection, DynamicVPN, NatTraversal,
                        EncRouting, AES-XCBC, SHA256
[Expert@hinfwe-int02:0]#



[Expert@myfwe-int02:0]# fwaccel conns  |grep  216.231.83.228 | more
Source          SPort Destination     DPort PR Flags       C2S i/f S2C i/f Inst Identity
--------------- ----- --------------- ----- -- ----------- ------- ------- ---- --------
 216.231.83.228    53   74.94.152.161  1580 17 F..A...S... 7/8     8/7      7        0
   66.189.0.104 21318  216.231.83.228    53 17 ...A...S... 7/8     8/7      7        0
 216.231.83.228    53    50.204.98.98 39412 17 F..A...S... 7/8     8/7      9        0
 216.231.83.228    53    68.87.71.237 22618 17 F..A...S... 7/8     8/7      2        0
   71.243.0.148 21446  216.231.83.228    53 17 ...A...S... 7/8     8/7      5        0
  74.125.19.215 36506  216.231.83.228    53 17 F..A...S... 7/8     8/7      4        0
 216.231.83.228    53   216.19.226.66 18445 17 ...A...S... 7/8     8/7      8        0
 216.231.83.228    53    65.55.238.47 62154 17 F..A...S... 7/8     8/7      5        0
  216.231.65.79   467  216.231.83.228     0  1 F.......... 10/8    8/10     4        0

Usage: fwaccel on | off | ver | stat | cfg <...> | conns | dbg <...> | help
Options:
on-turns acceleration on
off-turns acceleration off
ver-show acceleration/FW version
stat-show acceleration status
cfg-configure acceleration parameters
stats-print the acceleration statistics
conns-print the accelerator's connection table
templates-print the accelerator's templates table
dbg-set debug flags
help-this help messages
diag-policy diagnostics


----------------------------------------------
Troubleshooting
----------------------------------------------
fw monitor | grep 100.210.7.250
fw ctl zdebug + drop > text.drops
fw ctl zdebug + drop | grep 200.105.57.69
tcpdump -ni eth8 src 172.60.25.132
tcpdump -i eth1 port 1089 and dst 215.118.184.254
netstat -rn |grep 204.105

RE: Traffic failing between internet Clusters
Run a packet capture and a kernel debug on the firewall so I can get a packet-level look at what is happening to the traffic.
From expert mode on the Active Firewall:
1. # fwaccel off  (Turn off SecureXL, if enabled)
2. # df -h (Check your disk space to make sure you have sufficient space to run a capture and debug)
3. # fw monitor -o /var/log/fwmon.cap   (In one session: Run the capture.)
4. # fw ctl zdebug drop > /var/log/drop.txt  (In another session: Run the kernel debug for drops.)
5. # tcpdump -nnei any -w /var/log/tcp.cap (In a third session: Run a tcpdump capture.)
6. Re-create the problem.
7. Control-C   (End the fw monitor, tcpdump and the kernel debug with Control-C.)
8. # fwaccel on  (Turn on SecureXL, if you disabled it)
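The eight-step procedure above wrapped in one script, as an added example (not from the original post or from Check Point): it refuses to start without enough free space, remembers whether SecureXL was on so it re-enables it only if it turned it off, runs the three captures in the background, and stops them when the operator presses Enter. CAPDIR, MIN_FREE_MB, the use of SIGTERM and the closing fw ctl debug 0 reset are assumptions.

```shell
#!/bin/bash
# Assumed settings (not from the original post): capture directory and the
# minimum free space required before any capture is started.
CAPDIR=${CAPDIR:-/var/log}
MIN_FREE_MB=${MIN_FREE_MB:-1024}

# Parse "fwaccel stat" output read from stdin; prints "on" or "off".
accel_status() {
    awk -F': *' '/^Accelerator Status/ { print $2; exit }'
}

# Parse POSIX "df -P -m <dir>" output read from stdin; prints free MB.
df_free_mb() {
    awk 'NR > 1 { free = $4 } END { print free + 0 }'
}

# Steps 1-5: remember the SecureXL state, turn it off only if it was on, then
# start fw monitor, the drop debug and tcpdump in the background.
start_captures() {
    free_mb=$(df -P -m "$CAPDIR" | df_free_mb)
    if [ "$free_mb" -lt "$MIN_FREE_MB" ]; then
        echo "only ${free_mb} MB free in $CAPDIR, refusing to capture" >&2
        return 1
    fi
    ACCEL_BEFORE=$(fwaccel stat | accel_status)
    if [ "$ACCEL_BEFORE" = on ]; then fwaccel off; fi
    fw monitor -o "$CAPDIR/fwmon.cap" >/dev/null 2>&1 & FWMON_PID=$!
    fw ctl zdebug drop > "$CAPDIR/drop.txt" 2>&1 & ZDEBUG_PID=$!
    tcpdump -nnei any -w "$CAPDIR/tcp.cap" >/dev/null 2>&1 & TCPDUMP_PID=$!
}

# Steps 7-8: stop the three captures (background jobs ignore SIGINT, so SIGTERM
# is used), clear kernel debug flags (assumed safeguard), and restore SecureXL
# only if this script turned it off.
stop_captures() {
    kill -TERM "$FWMON_PID" "$ZDEBUG_PID" "$TCPDUMP_PID" 2>/dev/null
    wait 2>/dev/null
    fw ctl debug 0
    if [ "$ACCEL_BEFORE" = on ]; then fwaccel on; fi
    ls -l "$CAPDIR/fwmon.cap" "$CAPDIR/drop.txt" "$CAPDIR/tcp.cap"
}

# Step 6 happens between start and stop: the operator re-creates the problem.
run_session() {
    start_captures || return 1
    printf 'Captures running; re-create the problem, then press Enter to stop... '
    read -r _
    stop_captures
}
if [ "${1:-}" = run ]; then run_session; fi
```

Run it from expert mode on the active member as `./capture_session.sh run`; the parsers are separated out so they can be checked against saved output before touching a production gateway.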


----------------------------------------------
log files
----------------------------------------------
$FWDIR/log/vpnd.elg
/var/log/messages
dmesg




----------------------------------------------
How to Set Specific
----------------------------------------------
clusterXL_admin down/up
ethtool -s eth1  autoneg on


--------------------------------------
/etc/resolv.conf    # What's the name resolution config -- sometimes performance is adversely influenced by bad DNS settings
/etc/ntpd.conf      # Time config
/etc/ntp.conf
/etc/modprobe.conf  # Any NIC or kernel tweaks?
/etc/sysctl.conf    # Any kernel tweaks?
/etc/ssh/sshd_config # Any hacks to sshd?
/etc/issue           # console banner file
/etc/issue.net       # network banner file
/etc/motd            # message of the day file
/etc/grub.conf       # Grub config -- important to see vmalloc
/etc/gated.ami       # gated config file
/etc/gated_xl.ami    # gated config file
/etc/rc.d/rc.local   # local RC files -- any changes here (such as kernel tweaks)?
$FWDIR/boot/boot.conf              # Firewall boot params
$FWDIR/boot/modules/fwkern.conf    # Any firewall kernel tweaks?
$PPKDIR/boot/modules/simkern.conf  # Any SIM tweaks?
$FWDIR/conf/discntd.if             # ClusterXL Disconnected Interfaces
$FWDIR/conf/local.arp              # SPLAT / GAiA manual ARP
$FWDIR/conf/vsaffinity_exception.conf      # Relevant to R75.40VS and later Virtual systems only
$MDSDIR/conf/external.if                   # Relevant to P1 / MDSM only