Creating 802.Q Trunks on VLANS

NOTES:

When creating VLAN interfaces via Clish, the following commands should be used:

Bringing on the Physical interface, on which the VLAN interfaces will be created:

Note: This command may be skipped, if the interface's state is already on.

HostName> set interface <Name_of_Physical_Interface> state on

Adding a VLAN interface:

HostName> add interface <Name_of_Physical_Interface> vlan <VLAN_ID>

Assigning an IP address to newly created VLAN interface:

HostName> set interface <Name_of_VLAN_Interface> ipv4-address <IP_Address> mask-length <Subnet_Mask_Length>

Saving the configuration (so it survives reboot):

HostName> save config



Physical interface - eth1
VLAN interface - eth1.100
VLAN IP address - 192.168.1.1 / 24


HostName> set interface eth1 state on
HostName> add interface eth1 vlan 100
HostName> set interface eth1.100 ipv4-address 192.168.1.1 mask-length 24
HostName> save config

Generate a CSR on Checkpoint FWM

Next steps

Generate a new CSR with a subject alternate name of the IP Address (or hostname or wildcard) that is defined in User Check. We recommend to sign the webserver certificate with the same Microsoft root CA we used to sign the HTTPS inspection cert. Because now both certs are signed be the same root CA and the root CA has already been imported into the certificate store BCBSMA will not have to push out another certificate.

To complete this following the following steps:

1.       Backup and edit the file $CPDIR/conf/openssl.cnf on the machine.

cp $CPDIR/conf/openssl.cnf $CPDIR/conf/openssl.cnf.orig

2.       In the [ req ] section, uncomment the line:

Change: #req_extensions = v3_req

To: req_extensions = v3_req

3.       In the [ v3_req ] section, add the following line:

subjectAltName=DNS:<FQDN>,DNS:*.<FQDN>

Example: subjectAltName=DNS:sslvpn.example.com,DNS:*.sslvpn.example.com

Save the file, run csr_gen and create the CSR. When asked for CommonName (CN), enter "*.sslvpn.example.com".

[Expert@GW]# cpopenssl req -new -out <CERT.CSR> -keyout <KEYFILE.KEY> -config $CPDIR/conf/openssl.cnf

Notes:

                                 i.            This command generates a private key.

                               ii.            Enter a password and confirm.

                              iii.            Fill in the required data:

                       o     The Common Name field is mandatory. This field must have the Fully Qualified Domain Name (FQDN). This is the site that users access. For example: portal.example.com.

                       o     All other fields are optional.

To verify that the CSR was generated properly, run: cpopenssl req -in requestFile.csr -text

4.       After generating the CSR, use the backup to restore the openssl.cnf file to its previous state.

cp $CPDIR/conf/openssl.cnf. orig $CPDIR/conf/openssl.cnf

5.       Submit the CSR file to your 3rd-party CA vendor in order to receive the signed server certificate.

Note: There is not a standard submission procedure. Some CAs have a Web form for submitting the CSR file. Others have a Web form with individual certificate fields. Those cannot be used with the above procedure since our gateway generates a CSR file. Some CAs receive the CSR file by email.

6.       Open Security Gateway properties. 

Go to UserCheck

In the Certificate section, click on "Import" button, or "Replace" button - import the new certificate. 

Click on 'OK' to save the changes. 

Install the policy on the Security Gateway.

Troubleshooting Command Line for Checkpoint R80.10

Checkpoint Firewalls Troubleshooting Command Line

Check Point Environment variables (most common ones)

$FWDIR FW-1 ---installation directory, with f.i. the conf, log, lib, bin and spool directories. You will mostly

work in this tree.

$CPDIR ---SVN Foundation / cpshared tree.

$CPMDIR ---Management server installation directory.

$FGDIR ---FloodGate-1 installation directory.

$MDSDIR ---MDS installation directory. Same as $FWDIR on MDS level.

$FW_BOOT_DIR ---Directory with files needed at boot time.

-------------------------------------------------------------------------------------------------------------------------------------------------

Basic Starting and Stopping

cpstop ---Stop all Check Point services except cprid. You can also stop specific services by issuing an

option with cpstop.

cpstart ---Start all Check Point services except cprid. cpstart works with the same options as cpstop.

cprestart ---Combined cpstop and cpstart. Complete restart.

cpridstop ---Stop cprid, the Check Point Remote installation Daemon.

cpridstart ---Start cprid, the Check Point Remote installation Daemon.

cpridrestart ---Combined cpridstop and cpridstart.

fw kill [-t sig] proc_name ---Kill a Firewall process. PID file in $FWDIR/tmp/ must be present. Per default sends

signal 15 (SIGTERM).

Example: fw kill -t 9 fwm

fw unloadlocal ---Uninstall local security policy and disables forwarding.

-------------------------------------------------------------------------------------------------------------------------------------------------

View and Manage Logfiles

fw lslogs ---View a list of available fw logfiles and their size.

fwm logexport ---Export/display current fw.log to stdout.

fw logswitch [-audit] ---Write the current (audit) logfile to YY-MM-DDHHMMSS. log and start a

new fw.log.

fw log -c <action> ---Show only records with action <action>, e.g. accept, drop, reject etc. Starts

from the top of the log, use -t to start a tail at the end.

fw log -f -t ---Tail the actual log file from the end of the log. Without the -t switch it starts

from the beginning.

fw log -b <starttime> <endtime> ---View today's log entries between <starttime> and <endtime>.

Example:

fw log -b 09:00:00 09:15:00.

fw fetchlogs -f <file> module ---Fetch a logfile from a remote CP module. NOTICE: The log will be

moved, hence deleted from the remote module. Does not work with current fw.log.

fwm logexport -i in.log -o out.csv -d ',' -p -n ---Export logfile in.log to file out.csv, use , (comma) as delimiter

(CSV) and do not resolve services or hostnames.

-------------------------------------------------------------------------------------------------------------------------------------------------

Display and Manage Licenses

cp_conf lic get ---View licenses.

cplic print ---Display more detailed license information.

fw lichosts ---List protected hosts with limited hosts licenses. dtps lic SecureClient Policy Server license

summary.

cplic del <sig> <obj> ---Delete CP license with signature sig from object obj.

cplic get <ip host|-all> ---Retrieve all licenses from a certain gateway or all gateways in order to synchronize

license repository on the SmartCenter server with the gateway(s).

cplic put <-l file> ---Install local license from file to an local machine.

cplic put <obj> <-l file> ---Attach one or more central or local licenses from file remotely to obj.

cprlic ---Remote license management tool.

-------------------------------------------------------------------------------------------------------------------------------------------------

ClusterXL

ATRG -- sk93306

cp_conf ha enable|disable [norestart] ---Enable or disable HA.

cphastop ---Disable ClusterXL on the cluster member. Issued on a cluster member running in HA

Legacy Mode cphastop might stop the entire cluster.

cphastart ---Activate ClusterXL on this cluster member.

fw hastat ---View HA state of local machine.

cphaprob state ---View HA state of all cluster members.

cphaprob -a if ---View interface status.

cphaprob -ia list ---View list and state of critical cluster devices.

cphaprob syncstat ---View sync transport layer statistics. Reset with -reset.

cphaconf set_ccp <broadcast|multicast> ---Configure Cluster Control Protocol (CCP) to use unicast or multicast

messages. By default set to multicast. Setting survives reboot.

clusterXL_admin <up|down> ---Perform a graceful manual failover by registering a faildevice.

Note: DO NOT run any cphaconf commands other than set_ccp

-------------------------------------------------------------------------------------------------------------------------------------------------

SecureXL

ATRG --sk98722

fwaccel on

fwaccel off ---"-q" flag suppresses the output

fwaccel ver

fwaccel stat

fwaccel stats -s Prints the acceleration statistics for Network Access Control (NAC)

fwaccel stats -d Prints the acceleration statistics for dropped packets

fwaccel stats –n

fwaccel stats -p Prints the acceleration statistics for SecureXL violations (F2F packets)

fwaccel stats -l Prints all acceleration statistics in Legacy mode (output is not divided into sections)

file:///C|/Users/kwinfiel/Desktop/CCSE%20ADV%20TS/CLI%20Command%20line%20cheat%20sheet.txt[5/11/2015 9:26:32 AM]

fwaccel stats -m Prints the acceleration statistics for multicast traffic

fwaccel stats -r Resets all acceleration statistics

fwaccel conns Prints the SecureXL Connections Table ('cphwd_db')

-------------------------------------------------------------------------------------------------------------------------------------------------

CoreXL

ATRG: CoreXL --sk98737

fw ctl multik --Controls CoreXL FW instances

fw ctl multik ---Prints the general help message with available parameters

fw ctl multik stat ---Prints the summary table for CPU cores and CoreXL FW instances

fw ctl multik start ---Starts CoreXL

fw -i Instance_ID ctl multik start ----Starts specific CoreXL FW instance

fw ctl multik stop ---Stops CoreXL

fw -i Instance_ID ctl multik stop ---Stops specific CoreXL FW instance

fw ctl affinity <options> ---Controls CoreXL affinities of interfaces / processes / CoreXL FW instances to CPU core

fw ctl affinity ---Prints the help message with available options

fw -d ctl affinity -corelicnum ---Prints the number of system CPU cores allowed by CoreXL license

fw ctl affinity -l ---Prints the current CoreXL affinities - output shows affinities of interfaces/processes/CoreXL FW

instances to CPU cores

fw ctl affinity -l -r ---Prints the current CoreXL affinities in reverse order - output shows CPU cores and which

interface/process/CoreXL FW instance is affined to each CPU core

fw ctl affinity -l -a ---Prints all current CoreXL affinities - output shows affinities of interfaces/processes/CoreXL

FW instances to CPU cores, and also shows targets without specific affinity

fw ctl affinity -l -v ---Prints the current CoreXL affinities - verbose output shows affinities of

interfaces/processes/CoreXL FW instances to CPU cores (targets are shown as 'Interface' (with IRQ), 'Kernel', 'Process'

fw ctl affinity -l -q ---Prints the current CoreXL affinities - output shows affinities of interfaces/processes/CoreXL

FW instances to CPU cores, and suppresses errors

fw ctl affinity -l -r -a -v ---Prints the current CoreXL affinities - verbose output that combines all possible outputs

(shows all targets in reverse order) fw ctl affinity -l -p PID [-r] [-a] [-v] Prints the current CoreXL affinity of the

specified process (by PID) to CPU cores

fw ctl affinity -l -n Daemon_Name [-r] [-a] [-v] ---Prints the current CoreXL affinity of the specified process (by

name [maximal length = 255 characters]) to CPU cores

fw ctl affinity -l -k Instance_ID [-r] [-a] [-v] ---Prints the current CoreXL affinity of the specified CoreXL FW

instance to CPU cores

fw ctl affinity -l -i Interface_Name [-r] [-a] [-v] ---Prints the current CoreXL affinity of the specified interface to cpu cores

fw ctl affinity -s <target> { CPU_ID [ CPU_ID ... ] | all } ---Sets CoreXL Affinity

fw ctl affinity -s -p PID { CPU_ID [ CPU_ID ... ] | all } ---Sets CoreXL affinity of the specified process (by PID)

to CPU cores

fw ctl affinity -s -n Daemon_Name { CPU_ID [ CPU_ID ... ] | all } ---Sets CoreXL affinity of the specified

process (by name [maximal length = 255 characters]) to CPU cores

fw ctl affinity -s -k Instance_ID { CPU_ID [ CPU_ID ... ] | all } ---Sets CoreXL affinity of the specified CoreXL

FW instance to CPU cores

fw ctl affinity -s -i Interface_Name { CPU_ID [ CPU_ID ... ] | all } ---Sets CoreXL affinity of the specified interface

to CPU cores

-------------------------------------------------------------------------------------------------------------------------------------------------

Traffic Gathering /Monitoring

TCPdump

ATRG -sk40072

tcpdump -i <int name> host <ip> -w filename

tcpdump -i <int name> tcp port <port number>

tcpdump -i <int name> udp port <port number>

tcpdump -i <int name> proto ospf

FW Monitor

ATRG – 41045

Functionality

There are four inspection points when a packet passes through a Security Gateway:

Pre-Inbound - marked as 'i'

Post-Inbound - marked as 'I'

Pre-Outbound - marked as 'o'

Post-Outbound - marked as 'O'

Note:

The direction (inbound/outbound) relates to each specific packet, and not to the connection.

fw monitor -e 'accept src=x.x.x.x or dst=v.v.v.v;' -o filename.cap

fw monitor -e "accept;" -o /var/log/fw_mon.cap

fw monitor -e "((src=x.x.x.x , dst=y.y.y.y) or (src=y.y.y.y , dst=x.x.x.x)), accept;" -o /var/log/fw_mon.cap

fw monitor Examples:

# packets with IP 192.168.1.12 as SRC or DST

fw monitor -e 'accept host(192.168.1.12);'

# all packets from 192.168.1.12 to 192.168.3.3

fw monitor -e 'accept src=192.168.1.12 and dst=192.168.3.3;'

# UDP port 53 (DNS) packets, pre-in position is before 'ippot_strip'

fw monitor -pi ipopt_strip -e 'accept udpport(53);'

# UPD traffic from or to unprivileged ports, only show post-out

fw monitor -m O -e 'accept udp and (sport>1023 or dport>1023);'

# Windows traceroute (ICMP, TTL<30) from and to 192.168.1.12

fw monitor -e 'accept host(192.168.1.12) and tracert;'

# Capture web traffic for VSX virtual system ID 23

fw monitor -v 23 -e 'accept tcpport(80);'

# Capture traffic on a SecuRemote/SecureClient client into a file.

# srfw.exe in $SRDIR/bin (C:\Program Files\CheckPoint\SecuRemote\bin)

srfw monitor -o output_file.cap

-------------------------------------------------------------------------------------------------------------------------------------------------

Kernel debug 'fw ctl debug'

Usage:

fw ctl debug -h ---Default (clear) all current kernel debugging options:

fw ctl debug 0 ---Disable all kernel debugging options (de-allocates the buffer automatically kills "fw ctl debug"

process):

fw ctl debug -x ---Allocate the debugging buffer (to catch debug messages):

fw ctl debug -buf 32000 ---Enable desired debug flags (in addition to the default flags):

fw ctl debug -m MODULE_NAME + FLAG1 FLAG2 FLAG3 ---Enable only the specified debug flags (all other

flags will be overwritten):

fw ctl debug -m MODULE_NAME - FLAG6 FLAG7 ---Disable undesired debug flags:

fw ctl debug ---Display all kernel modules and their flags that Security Gateway "understands":

fw ctl debug -m ---Display the flags for specific module that were turned on:

fw ctl debug -m MODULE_NAME ---Print the timestamp in debug output (t = seconds ; T = microseconds):

fw ctl kdebug -t or fw ctl kdebug -T

fw ctl kdebug -T -f > /var/log/debug.txt ---Save the debug messages from debugging buffer into a file:

To stop the debug - press CTRL+C

-------------------------------------------------------------------------------------------------------------------------------------------------

Zdebug drop

Fw ctl Zdebug drop > filename.out

-------------------------------------------------------------------------------------------------------------------------------------------------

61000/41000 CLI commands

Information

asg stat [-v] ---Blade and policy status for all chassis

asg monitor ---Monitor blade and policy status

asg resource [-v] ---SGM resource use

asg if ---Chassis interface information

asg_route ---Routing tables for all SGMs

asg perf [-v -a -p -k] ---Continously monitor performance

asg conns [-b <blade>] ---Show connections per blade

asg config show ---Show gclish configuration for all blades

asg cores_stat ---CoreXL information for all blades

asg_info -w ---Asg Info Diagnostic File

asg_auditlog ---Chassis audit log

asg_blade_config is_in_security_group ---Check if SMG is in security group

asg_blade_config get_smo_ip ---Get SMO ip address

asg dxl stat ---Blade Distribution Stats

asg dxl dist_mode verify [-v] ---Blade Distribution Mode

g_all mpstat ---CPU use for all blades

asg if -p ---Interface Performance Information

Navigation

blade 1_02 ---to change to chassis 1 blade 2

Security Switch Module (SSM)

asg_chassis_ctrl start_ssm <SSM> ---Start SSM

asg_chassis_ctrl shutdown_ssm <SSM> ---Stop SSM

asg_chassis_ctrl restart_ssm <SSM> ---Restart SSM

asg_chassis_ctrl active_ssm ---Get active SSMs

asg_chassis_ctrl get_ssm_firmware <SSM> ---SSM Firmware version

asg_chassis_ctrl get_ssm_type <SSM> ---SSM Hardware version

asg_chassis_ctrl get_bmac <SSM> ---MAC Addresses on SSM

show chassis id 1 module <SSM1|SSM2> ip ---Show SSM's CIN Address

-------------------------------------------------------------------------------------------------------------------------------------------------

Configuration and Policy

asg_ntp_sync_config ---Configure NTP on all blades

asg security_group ---Configure SGM security group

asg_blade_config pull_config all <bladeIP> ---Pull config from another blade

asg_blade_config fetch_smc ---Fetch policy for all blades from smc

asg_policy fetch ---Fetch the policy for all SGMs

asg_policy unload ---Unload policy for all SGMs

asg policy verify ---View installed policy for each SGM

g_all <command> ---Return command from all blades

gexec -a -c <Command> ---Execute command on blades

asg_cp2blades <SrcFile> [<DstFile>] ---Copy file to all blades

asg alert Configure ---Chassis Alerts (SNMP/SMS)

asg_sync_manager ---Chassis Syncronization Wizard

fwaccel <on|off|stat> ---SecureXL control

g_update_conf_file fwkern.conf <Kernel Parameter> ---Set kernel parameter for all blades

View available kernel parameters by ruinning modinfo against the kernel file

modinfo $FWDIR/boot/modules/fwmod.2.6.18.cp.i686.o

Chassis

asg_sgm_serial ---SGM Serial Numbers

asg_serial_info ---CMM,SSM and Chassis Serial Numbers

asg diag verify ---Chassis diagnostic and results

asg_version ---Version information for all blades

asg stat -i tasks ---Used to identify the SMO blade

asg chassis_admin -c <chassis> [down|up] ---Administratively down/up a chassis

asg sgm_admin -b <blade> <up|down> ---Administratively down/up a blade

asg_reboot -b <Blade> ---Reboot blade(s) or Chassis

asg_reboot -b chassis1

asg_reboot -b 1_01

asg_reboot -b 1_01,1_03

asg_chassis_ctrl get_psu_status ---Chassis PUS status

asg_chassis_ctrl get_cpus_temp <Blade> ---SGM CPU Temeperature

asg_chassis_ctrl get_power_type ---Returns AC/DC

asg hw_monitor ---Chassis Hardware Stats

set chassis high-availability primary-chassis <0-2> ---Set chassis priority

set chassis high-availability factors <x> ---Change chassis component score(s)

See cli guide for additional syntax

Chassis Control Module (CMM)

asg_chassis_ctrl restart_cmm <CMM#> Restart CMM

asg_chassis_ctrl get_cmm_status Get CMM status and firmware version

Active CMM CIN address 198.51.100.33

Standby CMM CIN address 198.51.100.233

-------------------------------------------------------------------------------------------------------------------------------------------------

GCLISH Commands

gclish ---enter global clish shell

show configuration ---List gclish text configuration

set bonding group <ID> lacp_rate slow ---Configure bonding rate

verify bonding rate by running: cat /proc/net/bonding/bond<ID>

asg_config save -t <File> ---Save Gclish config to a text file

save config ---Save Gclish configuration

Packet Captures and Troubleshooting

tcpdump -mcap -w <outfile> -nnei <IF> ---Packet capture from all blades

asg search ---Search blades for specific connection

g_fw ctl zdebug drop ---Dropped packet debug across all blades

g_fw ctl zdebug -m cluster + correction ---Kernel debug across all blades

dxl calc <> ---Determine the blade a connection will use. Based on the src and dst pair

asg log <audit|smd|ports> {-b <blade string>} ---View messages from blade(s) or chassis

Image Management

show snapshots ---List current snapshots (gclish)

add snapshot <name> ---Create new snapshot (gclish)

delete snapshot <name> ---Delete snapshot from respoitory (gclish)

set snapshot import <name> path <path to snapshot> ---Add snapshot to respoitory (gclish)

set global-mode off/on ---Disable global mode for gclish

set snapshot export <name> path <path to export to> ---Export snapshot from repository (shell)

Note: The snapshot cannot contain .tgz in the name

g_snapshot -b <blade string> revert <snapshot name> ---Revert snapshot on blade(s) (shell)

backup_system backup <name> ---Create backup package

Note this creates 4 separate files

watch -d "g_all dbget snap:show:progress" ---View snapshot revert progress

Gaia Interface and Routes

set interface <IF Name> ipv4-address <IP Address> mask-length <Bit Length> ---Configure Address on

Interface (Physical/VLAN/Bond)

set interface <IF Name> state on/off ---Enable/Disable Interface

(Physical/VLAN/Bond)

add interface <IF NAME> vlan <VLAN ID> ---Add VLAN Interface

add bonding group <Bond ID> interface <IF Name> ---Create and Enslave Bonded

Interface(s)

add interface <IF Name> alias <Address>/<Mask Length> ---Create Interface Alias

set static-route <Network>/<Netmask> nexthop gateway address <Gateway> on ---Configure Static

Route

set static-route default nexthop gateway address <Gateway> on ---Configure Default Route

-------------------------------------------------------------------------------------------------------------------------------------------------

VSX

vsx stat [-v] [-l] [id] ---Display VSX status. Verbose output with -v, interface list with -l or status of single

system with VS ID <id>.

vsx get ---View current shell context.

vsx set <id> ---Set context to VS with the ID <id>.

vsx sic reset <id> ---Reset SIC for VS ID <id>.

file:///C|/Users/kwinfiel/Desktop/CCSE%20ADV%20TS/CLI%20Command%20line%20cheat%20sheet.txt[5/11/2015 9:26:32 AM]

cpinfo -x <vs> ---Start cpinfo collecting data for VS ID <vs>.

fw -vs <id> getifs ---View driver interface list for a VS. You can also use the VS name instead of -vs <id>.

fw tab -vs <id> -t <table> ---View state tables for virtual system <id>.

fw monitor -v <id> -e 'accept;' ---View traffic for virtual system with ID <id>.

Attn: with fw monitor use -v instead of –vs

In general, a lot of Check Point's commands do understand the -vs <id> switch.

-------------------------------------------------------------------------------------------------------------------------------------------------

Provider-1

mdsenv [cma_name] ---Set the environment variables for MDS oder CMA level.

mdsstart [-m|-s] Starts the MDS and all CMAs (10 at a time). ---Start only the MDS with -m or the CMAs

subsequently with -s.

mdsstop [-m] ---Stop MDS and all CMAs or with -m just the MDS.

mdsstat [cma_name]|[-m] ---Show status of the MDS and all CMAs or a certain customer's

CMA. Use -m for only MDS status.

cpinfo -c <cma> (Remember to run mdsenv <cma> in advance.) ---Create a cpinfo for the customer cma <cma>.

mcd <directory> ---Quick cd to $FWDIR/<directory> of the current CMA.

mdsstop_customer <cma> Stop CMA. ---Run mdsenv <cma> in advance.

mdsstart_customer <cma> Start CMA. ---Run mdsenv <cma> in advance

mdsconfig MDS replacement for cpconfig. ---mds_backup Backup binaries and data to current directory.

You can exclude files by specifying them in $MDSDIR/conf/mds_exclude.dat.

mds_restore <file> ---Restore MDS backup from file. Notice: you may need to copy

mds_backup from $MDSDIR/scripts/ as well as gtar and gzip from $MDS_SYSTEM/shared/ to the

directory with the backup file. Normally, mds_backup does this during backup

-------------------------------------------------------------------------------------------------------------------------------------------------

VPN & VPN Debugging

vpn ver [-k] ---Check VPN-1 major and minor version as well as build number and latest hotfix. Use -k for

kernel version.

vpn tu ---Start a menu based VPN TunnelUtil program where you can list and delete Security

Associations (SAs) for peers. vpn shell Start the VPN shell.

vpn debug ikeon|ikeoff ---Debug IKE into $FWDIR/log/ike.elg.

vpn debug on|off ---Debug VPN into $FWDIR/log/vpnd.elg.

vpn debug trunc ---Truncate and stamp logs, enable IKE & VPN debug.

vpn drv stat ---Show status of VPN-1 kernel module.

vpn overlap_encdom ---Show, if any, overlapping VPN domains.

vpn macutil <user> ---Show MAC for Secure Remote user <user>.

-------------------------------------------------------------------------------------------------------------------------------------------------

Site to site VPN troubleshooting

1. Turn on debugs

vpn debug trunc

vpn debug on TDERROR_ALL_ALL=5

2. Run the following command to reset the tunnel

(not needed if you are testing a Remote Access VPN):

vpn tu

Then select the option that reads,

Delete all IPsec+IKE SAs for a given peer (GW)

enter your remote GW ip address

exit the utility

3. Try to build the tunnel back up again, in both directions,

attempt to connect from YOUR NETWORK to a device in

the remote encryption domain and then attempt to connect

from THE REMOTE NETWORK to a device in the local

encryption domain.

4. Turn off debugs

vpn debug ikeoff

vpn debug off

debug file location:

SecurePlatform - $FWDIR/log/ike.elg*

$FWDIR/log/vpnd.elg*

Windows - %FWDIR%\log\ike.elg*

%FWDIR%\log\vpnd.elg*

-------------------------------------------------------------------------------------------------------------------------------------------------

FWD -- Logging/Policy debug

1. Turn on debug

fw debug fwd on TDERROR_ALL_ALL=5

2. Recreate issue

3. Turn off debug

fw debug fwd off TDERROR_ALL_ALL=0

debug file location:

SecurePlatform - $FWDIR/log/fwd.elg

Windows - %FWDIR%\log\fwd.elg

-------------------------------------------------------------------------------------------------------------------------------------------------

FWM -- policy/Dashboard/Mgt HA Sync debug

Debug it!

1. Turn on debug

fw debug fwm on TDERROR_ALL_ALL=5

2. Recreate issue

3. Turn off debug

fw debug fwm off TDERROR_ALL_ALL=0

debug file location:

SecurePlatform - $FWDIR/log/fwm.elg

Windows - %FWDIR%\log\fwm.elg

-------------------------------------------------------------------------------------------------------------------------------------------------

CPD --- SIC debug

Debug it!

1. Turn on debug

cpd_admin debug on TDERROR_ALL_ALL=5

2. Recreate issue

3. Turn off debug

cpd_admin debug off TDERROR_ALL_ALL=0

debug file location:

SecurePlatform - $CPDIR/log/cpd.elg

Windows - %CPDIR%\log\cpd.elg

------------------------------------------------