Engineering Notebook -

DISCLAIMER: This is my private professional blog - for Certified Checkpoint Master Architect -CCMA -my engineering notebook with  raw notes on supporting Checkpoint R81.20 Environment.  All IP addresses and names are fictitious.  I've been working with Checkpoint products for more than 30 years. Everything expressed in this blog is my very own opinion and does not express any official opinion of Checkpoint. I've fun working with these products for the last three decades and hopefully will continue to do so in the future. I'll NOT reveal any information given to me under NDA and given to me in private by Check Point employees. I'll not reveal any internal documentation or training documents. For resolution of your technical issues related to Checkpoint products and systems always follow standard support procedures. 

I hope this blog serves you well May God Bless You, Keep you safe and bring you peace! JaiSaiRam

Checkpoint Gaia R81.20 with Software Blades

Firewall                                            Application Control
IPSec VPN                                       Application URL Filtering
Mobile Access                                 QOS - rate limiting
IPS                                                   Data Loss Prevention DLP
Anti Bot                                           Threat Emulation
Anti Virus                                        ClusterXL
Anti Spam/Email Security               Monitoring
Identity Awareness
Firewall Security Book                    SandBlast -Threat-Emulation

Checkpoint Stateful Inspection Patent No 5,606,668 so who invented Checkpoint's  Stateful Inspection Nir Zuk or Gil Shwed?  Inventor: Gil Shwed, Jerusalem, Israel

How to  -Configuration	Checkpoint Command
Revert back to Factory default	set fcd revert Gaia_R77.30
How to load configuration from file	load configuration config
How to add static route	set static-route 10.0.0.0/8 nexthop gateway address 10.15.29.13 on
How to set Management interface	set management interface eth3-04
How to set Hostname	set hostname myvpn-fwa
How to set Domain Name	set domainname mydomain.com
How to set DNS	set dns suffix mydomain.com
	set dns primary 216.188.176.160
	set dns secondary 100.250.210.160
How to set NTP	set ntp active on
	set ntp server primary 216.188.176.160 version 1
	set ntp server secondary 100.250.210.16 version 1
How to turn on an Interface	set interface eth3-01 state on
	set interface eth3-01 auto-negotiation on
	set interface eth3-01 mtu 1500
	set interface eth3-01 ipv4-address 16.11.190.78 mask-length 25
	set interface eth3-01 comments "internet"
How to shutdown interface	set interface eth3-02 state off
How to set default route	set static-route default nexthop gateway address 16.11.19.2 on
How to turn off a default route	set static-route default nexthop gateway address 192.168.1.254 off
How to add a static route	set static-route 148.91.83.0/24 nexthop gateway address 10.150.249.113 on
How to config OSPF	set ospf area backbone off
	set ospf area 25.10.10.3 on
	set ospf interface eth1-01 area 25.10.10.3 on
	set ospf interface eth1-01 cost 1
	set ospf interface eth1-01 priority 0
Add User	add user scp uid 0 homedir /home/scp
	set user scp gid 100 shell /bin/bash
	set user scp password-hash $1$iAGC7iEO$PtD4i6lb)7/KpeJ8iSfdGE1
How to Print Static-Routes	netstat -nr | grep -v D
	netstat -rn |grep eth1 | awk -F' ' ' {print $1, $2, $3}' | sort >routes.txt
	netstat -rn |grep eth1 | awk -F' ' ' {print $1, $2, $3}' | sort | wc -l
Unload Local Firewall Policy   fwnload local Ace directory is created when the VPN firewall is first pushed. sdconf.rec - Seed File from RSA for testvpn-fwb sdopts.rec - file contains the gateway IP address for RSA  CLIENT_IP=100.105.249.61 sdstatus.12 - Created automatically with gateway first contacted RSA for authentication [Expert@mytestvpn-fwb:0]# cd /var/ace [Expert@mytestvpn-fwb:0]# ls -lt total 12 -rw-rw-r-- 1 admin root 2418 Mar 10 23:22 sdstatus.12 -rw-r----- 1 admin root   22 Mar 10 22:07 sdopts.rec -rw-r----- 1 admin root 2757 Mar  8 13:58 sdconf.rec [Expert@[Expert@mytestvpn-fwb:0]# cat  sdopts.rec CLIENT_IP=10.15.249.61 [Expert@mytestvpn-fwb:0]# :0]# [Expert@mytestvpn-fwb:0]# cat  sdopts.rec CLIENT_IP=100.105.249.61 Expert@mytestvpn-fwb:0]# Update default settings in trac_client_1.ttm on both member cluster :client_decide (client_decide)  to  :client_decide (false) :default (true)  to  :default (false) mytestvpn-fwa:# mytestvpn-fwa:# cd /var/opt/CPsuite-R77/fw1/conf more trac_client_1.ttm mytestvpn-fw                 :automatic_mep_topology (                         :gateway (                                 :map (                                         :false (false)                                         :true (true)                                         :client_decide (client_decide)                                 )                                 :default (true) bostestvpn-fw                 :automatic_mep_topology (                         :gateway (                                 :map (                                         :false (false)                                         :true (true)                                         :client_decide (false)                                 )                                 :default (false) License Seats [Expert@MY-VPN]# grep --binary-files=text sc_users $FWDIR/database/fwauth.NDB         :sc_users (25500) [Expert@MY-VPN]#