Quick Reference: Check Point
Check Point Software
Check Point Firewall-1
Useful Firewall-1 command line utilities:
Unload current security policy
fw unloadlocal
VPN Tunnel command line access (e.g. delete SAs)
vpn tu
Display overlapping VPN Encryption Domains
vpn overlap_encdom [communities|traditional]
List current Firewall interfaces
fw ctl iflist
Show HA / ClusterXL state
cpstat ha
cphaprob state
Stop/Start Checkpoint HA/ClusterXL
cphastop / cphastart
Display State of Checkpoint HA Interfaces
cphaprob -a if
Manually failover
cphaprob -d STOP -s problem -t 0 register
cphaprob list
cphaprob -d STOP unregister
Display State of ClusterXL IGMP
cphaprob stat (Notify if IGMP membership is supported)
cphaprob igmp (Display the current IGMP membership settings)
SmartCenter
Backup and Restore SmartCenter
upgrade_export
$FWDIR/bin/upgrade_tools/upgrade_import
Check whether licensed for management high availability (Management HA)
cplic check mgmtha
SecurePlatform
SecurePlatform configuration commands:
Configure Interfaces, Routes etc
sysconfig
Add static routes
Configure Network Interfaces
config conn help
config conn set name eth1 type eth onboot on iff-up on local 192.168.1.2/24 broadcast 192.168.1.255 s-persistant on s-code up mtu 1500
Configure Bonded Network Interfaces (NIC Team, 2 physical, 1 logical interface)
config conn add name bond0 type bond onboot on iff-up on mtu 1500 bond-mode active-backup bond-miimon 100 bond-downdelay 200 bond-updelay 200 bond-primary eth1 local 192.168.1.2/24
config conn add name eth1 type eth onboot on iff-up on mtu 1500 master-bond bond0
config conn add name eth4 type eth onboot on iff-up on mtu 1500 master-bond bond0
Useful SecurePlatform command line utilities:
Enter OS commands
expert
Assign interfaces to correct physical NICs
(Edit /etc/sysconfig/ethtab)
[Expert@FIREWALL]# cat ethtab
eth0 00:21:5A:27:DC:E6
eth1 00:21:5A:27:DC:E4
eth2 00:1F:29:5C:82:F5
Set Kernel parameters
(Edit $FWDIR/boot/modules/fwkern.conf)
fwha_mac_magic=0x11
fwha_mac_forward_magic=0x10
fwha_monitor_if_link_state=1
fwha_enable_igmp_snooping=1
fwha_igmp_version=2
Flag disconnected NICs
echo eth6 >> $FWDIR/conf/discntd.if
Show status of Bonded Network Interfaces
cphaconf show_bond -a
Display Versions
SPLAT: ver
Firewall: fw ver
Performance Pack: sim ver -k
Linux: uname -a
Change shell to permit WinSCP connection
usermod -s /bin/bash fwadmin
Change shell timeout (cpshell)
idle mm where mm = timeout in minutes (permanent change, updates /etc/cpshell/cpshell.state and is passed on to the expert shell)
Change shell timeout (bash)
TMOUT=ss where ss = timeout in seconds (no spaces around the "=")
export TMOUT
Display the number of CPUs presented to SecurePlatform OS
grep 'physical id' /proc/cpuinfo | wc -l
Display the CoreXL CPU Affinity
fw ctl affinity -l
Advanced Routing (gated) Commands
ps -eaf | grep gated
cpwd_admin list
Check Point Troubleshooting & Debugging Tools:
Useful Checkpoint commands
Posted on November 25, 2010
Checkpoint is not a CLI-based firewall; in daily life the CLI is generally not used, since whatever the admin wants can be done through the GUI. For troubleshooting purposes, or just to query something, there are some useful commands. In this list I tried to collect what I already had to use (or wanted to try out).
Table 1.
| General Checkpoint and IPSO commands | Description |
|---|---|
| ipsctl hw:eeprom:product_id | Show product ID on IPSO |
| ipsctl hw:eeprom:serial_number | Show serial number on IPSO |
| uname -a | Show IPSO version |
| ipsofwd list | Show forwarding options on IPSO |
| ipsofwd on username | Set forwarding on if the firewall is stopped |
| ipsctl -w net:log:partner:status:debug 1 | Enable interface debugging (sk41089) |
| ipsctl -w net:log:sink:console 0 | Disable debugging |

Example output of ipsofwd list (forwarding options):
[admin]# ipsofwd list
net:ip:forward:noforwarding = 0
net:ip:forward:noforwarding_author = fwstart
net:ip:forward:switch_mode = flowpath
net:ip:forwarding = 1
Table 2.
| Firewall commands | Description |
|---|---|
| fw ver | Show firewall version |
| vpn macutil | Generate a MAC address for users. This can be used to fix an IP in the DHCP server. |
| cpstat polsrv -f all | Show the connected and the licensed users |
| cpstat fw -f http, ftp, telnet, rlogin, smtp, pop3 | Check protocol states |
| fw stat | Show policy name and the interfaces that have already seen any traffic |
| fw stat -long | Show the policy and the stats for the policy |
| cpstat os -f cpu -o 3 | Monitor CPU state every 3 seconds |
| cpstat -o <interval> -c <count> | Useful cpstat parameters: -o is the polling interval in seconds and sets the pace of the results (default 0, meaning the results are shown only once); -c is how many times the results are shown (default 0, meaning the results are shown repeatedly) |
| cpstat os | Show SVN Foundation and OS version |
| cpstat fw -f all | Product, policy and status information |
| cpstat fw -f policy | Show installed policy name |
| fw tab -t connections -s | Show active connections |
| fw fetch | Install policy from the management server |
| cplic print | Print licenses |
| fwha_mac_magic | Connecting multiple clusters to the same network segment (same VLAN, same switch), see sk25977 |
| cp_conf sic state | SIC test on the firewall |
| cp_conf sic init <Activation Key> [norestart] | SIC reset on the firewall |
| fw ctl zdebug drop \| grep 1.1.1.1 | Check dropped packets on the firewall for host 1.1.1.1 |
Table 3.
| Sniffer on the firewall | Description |
|---|---|
| fw monitor -m iIoO -e "accept (src=IP_S and dst=IP_D) or (src=IP_D and dst=IP_S);" | Monitor traffic between the host with IP IP_S and the host with IP IP_D |
| fw monitor -m iIoO -e "accept (src=IP_S and dst=IP_D) or (src=IP_D and dst=IP_S);" -o monitor_cat.cap | Not just monitor, but save the capture to a file |
| fw monitor -m iIoO -e "accept (src=IP_S and dst=IP_D) or (src=IP_D and dst=IP_S);" -p all -a -o Datei.cap | Not just monitor, but save the capture to a file with deeper debug |
| fw monitor -m iIoO -e "accept (sport=5200 or sport=5100 or sport=5000);" | Monitor traffic with source port 5200, 5100 or 5000 |
Table 4.
| Remote access and S2S VPN commands | Description |
|---|---|
| vpn tu | VPN tunnel utility, for VPN checking and deleting SAs |
| fw tab -t inbound_SPI -f | List SPIs and users (external IP, Office Mode IP, username, DN of the user in case of certificate auth) |
| fw tab -t om_assigned_ips -f | List users and assigned Office Mode IPs |
| fw tab -t marcipan_ippool_users -f | List used Office Mode IPs |
| fw tab -t om_assigned_ips -f -m 2000 \| awk '{print $7,$11}' \| grep -v '^ ' | List Office Mode IPs for 2000 users (use -u for an unlimited number) |
| fw tab -t marcipan_ippool_users -x | Manually clear the Office Mode connections table on the gateway |
| vpn debug trunc | Initiates both vpn debug and ike debug |
| vpn debug on TDERROR_ALL_ALL=5 | Initiates vpn debug at the level of detail given by TDERROR_ALL_ALL=5. Output file is $FWDIR/log/vpnd.elg |
| vpn debug ikeon | Initiates vpn ike debug. Output file is $FWDIR/log/ike.elg |
| vpn debug mon | Writes IKE traffic unencrypted to a file. The output file is ikemonitor.snoop; in this file all IKE payloads are in clear |
| vpn debug ikeoff | Stops ike debug. Use IKEView to check the IKE traffic and log |
| vpn debug off | Stops vpn debug |
| vpn debug moff | Stops the IKE sniffer |
| vpn export_p12 -obj <objectname> -cert <certificatename> -file <filename> -passwd <passw> | Export a certificate using the Security Management server. The certificate object is the certificate nickname from the GUI |

Example:
vpn export_p12 -obj Office_GW -cert defaultCert -file office_cert.p12 -passwd mypassword
Table 5.
| Clustering commands | Description |
|---|---|
| cphaprob list | Show processes monitored by HA |
| cpstat fw -f sync | Show counters for sync traffic |
| cphaprob state | Show cluster mode and status |
| cpstat ha -f all | Show HA process and HA IP status |
| fw ctl pstat | Show memory, kernel stacks, connections, fragments, ..., SYNC status |
| cphaprob -a if | Show sync interface(s) and HA IP(s) |
| cphaprob syncstat | Show sync statistics |
| fw hastat | Show HA stat, ONLY with ClusterXL, not with VRRP |
Table 6.
| General commands | Description |
|---|---|
| ps -aux | Report all active processes (IPSO) |
| kill -9 <processid> | Stop a process |
| dmesg | Show boot logs |
| vmstat 5 5 | Show memory and CPU usage |
| ifconfig bge1:xx down | Set a virtual interface on Provider-1 down |
| fsck | File system check |
Table 7.
| Administrate CMA/MDS processes | Description |
|---|---|
| mdsstop_customer | Stop a CMA |
| mdsstart_customer | Start a CMA |
| mdsstat | Show MDS and CMA status |
| mdsstop | Stop all CMAs and server processes |
| mdsstart | Start all CMAs and server processes |
| mdsenv CMANAME | Change the environment to the selected CMA |
| echo $FWDIR | Display the correct path for the CMA |
| cpstat mg | Check the connected clients (with Provider-1 at CMA level: mdsenv <CMA-IP>) |
| fwm -a | Change admin password (or in cpconfig: delete admin and add admin) |
| fwm dbload | Install database |
| watch -d "cpstat os -f cpu" | Monitor CPU state with watch |
Table 8.
| Searching for objects | What you cannot find with cross-CMA search |
|---|---|
| cd $FWDIR/conf; grep subdomain objects.C \| grep -v Name \| awk '{print $2}' \| grep "^(" \| sed -e 's/(//' | Search all objects with 'subdomain' in their name |
| cd $FWDIR/conf; grep subdomain /opt/CPmds-R65/customers/*/CPsuite-R65/fw1/conf/objects.C \| grep -v Name \| awk '{print $1, $3}' \| grep "(" \| sed -e 's/(//' | Search all objects in all firewalls (in the MDS) with 'subdomain' in their name |
| grep -e 2.2.2.2 -e 3.3.3.3 /opt/CPmds-R65/customers/*/CPsuite-R65/fw1/conf/objects_5_0.C | Find the two IP addresses in the firewall configs |
| grep hostimiss.com /opt/CPmds-R65/customers/*/CPsuite-R65/fw1/conf/rulebases_5_0.fws | Find the hostname in the firewall rulebase configs |
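A plain grep for an IP in objects_5_0.C finds the line but not the object that owns it. The following helper, added here as an example and not part of the original post, walks the ": (name" / ":ipaddr (x.x.x.x)" nesting and prints the owning object for each IP; the sample file is constructed in the shape of objects_5_0.C and is not a real configuration.

```shell
#!/bin/sh
# find_objects_by_ip FILE IP...: print "<object name> <ip>" for every object in an
# objects.C-style file whose :ipaddr attribute matches one of the given IPs.
# objects.C nests each object as a ": (name" header followed by ":key (value)" lines.
find_objects_by_ip() {
    file=$1
    shift
    awk -v want="$*" '
        BEGIN { n = split(want, list, " "); for (i = 1; i <= n; i++) wanted[list[i]] = 1 }
        # object header line, e.g. ": (web-dmz": remember the current object name
        /^[ \t]*: \(/ { name = $2; sub(/^\(/, "", name) }
        # attribute line, e.g. ":ipaddr (2.2.2.2)": report it if the IP is wanted
        /^[ \t]*:ipaddr \(/ {
            ip = $2; gsub(/[()]/, "", ip)
            if (ip in wanted) print name, ip
        }
    ' "$file"
}

# Constructed sample in the shape of objects_5_0.C (hypothetical object names).
SAMPLE_OBJECTS=$(mktemp)
cat > "$SAMPLE_OBJECTS" <<'EOF'
(
	:network_objects (
		: (web-dmz
			:type (host)
			:ipaddr (2.2.2.2)
		)
		: (db-internal
			:type (host)
			:ipaddr (3.3.3.3)
		)
		: (net-lan
			:type (network)
			:ipaddr (10.0.0.0)
			:netmask (255.255.255.0)
		)
	)
)
EOF

# On a real MDS the file argument would be one of the per-CMA objects_5_0.C paths above.
find_objects_by_ip "$SAMPLE_OBJECTS" 2.2.2.2 3.3.3.3
```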
Table 9.
| Archive commands | Description |
|---|---|
| tar tfv [ARCHIVNAME].tar | Show the contents of an archive |
| tar cfvz [ARCHIVNAME].tar.gz [VERZEICHNIS1] [DATEI1] | Archive files |
| tar xfvz [ARCHIVNAME].tar.gz | Extract an archive |

| SCP command | Description |
|---|---|
| scp root@provider1:/opt/CPmds-R65/customers/cma1/CPsuite-R65/fw1/conf/objects_5_0.C . | Copy the objects_5_0.C file to the local folder from where the command was issued |
Collect info for Checkpoint TAC:
cpinfo [-v] [-l] [-n] [-o output_file] [-r | -t [tablename]] [-c cma ... | -x vs]
-z: Output gzipped (effective with the -o option)
-r: Includes the registry (Windows, very large output)
-v: Prints version information
-l: Embeds log records (very large output)
-n: Does not resolve network addresses (faster)
-t: Output consists of tables only (SR only)
-c: Get information about the specified CMA (Provider-1)
-x: Get information about the specified VS (VSX)
And some examples for cpinfo.
CPinfo options: cpinfo [-v] [-l] [-n] [-o output_file] [-r | -t [tablename]] [-c cma/ctx]
-o output_file: redirect output into the file output_file
-r: include the registry in the output
-v: print version information
-l: embed log records
-n: do not resolve network addresses
-t: output consists of tables only (SR only)
-c: get information about the specified cma/ctx
(No parameters): redirects output to the standard output (the command window)
Required steps to get the cpinfo from the MDS:
1. Back to the MDS: # mdsenv
2. Verify the correct environment: # echo $FWDIR (expected: /opt/CPmds-R65/)
3. Run cpinfo: # cpinfo -z -n -o /var/mds.cpinfo
Required steps for cpinfo from the relevant CMA (sk10176):
1. List all customers (CMAs): # mdsstat
2. Set the environment for the customer: # mdsenv CMANAME
3. Verify the correct environment: # echo $FWDIR (expected: /opt/CPmds-R65/customers//CPsuite-R65/fw1/)
4. Run cpinfo: # cpinfo -c CMANAME -z -n -o FILENAME
Checkpoint logging in short.
VPN-1/FireWall-1 NG includes the following log type files:
- $FWDIR/log/xx.log: stores the log records.
- $FWDIR/log/xx.logptr: provides pointers to the beginning of each log record.
- $FWDIR/log/xx.loginitial_ptr: provides pointers to the beginning of each log chain (logs that share the same connection ID, LUUID).
- $FWDIR/log/xx.logaccount_ptr: provides pointers to the beginning of each accounting record.
Note: the NG log directory also includes an additional temporary pointer file, named xx.logLuuidDB.
To purge/delete the current log files without saving them to a backup file, run: # fw logswitch ""
The VPN-1/FireWall-1 NG audit log type files are:
- xx.adtlog: stores the audit log records.
- xx.adtlogptr: provides pointers to the beginning of each log record.
- xx.adtloginitial_ptr: provides pointers to the beginning of each log chain (logs that share the same connection ID, LUUID).
- xx.adtlogaccount_ptr: provides pointers to the beginning of each accounting record.
To purge/delete the current audit log files without saving them to a backup file, run: # fw logswitch -audit ""
This is an example of how to collect the same info (the fw version here) from all of our firewalls with a script.
We need to collect the firewalls with their IPs or their hostnames in a file I call iplist and run the script with 'sh ./get_fwversion.sh'
root@myserver # cat get_fwversion.sh
#!/bin/bash
# Read the host list, skipping comment lines (such as the "#R55" section headers) and blank lines
for HOST in $(grep -v "^#" iplist | grep -v "^$")
do
echo "$HOST"
ssh admin@"$HOST" 'fw ver'
# Some examples. Just delete the # for the required command
# ssh admin@"$HOST" 'ipsctl hw:eeprom:product_id'
# ssh admin@"$HOST" 'fwaccel stat'
# ssh admin@"$HOST" 'clish -c "show vrrp"'
# ssh admin@"$HOST" 'grep buffer /var/log/messages' | tail -n 2
# ssh admin@"$HOST" 'grep "Log buffer is full\|log/trap messages" /var/log/messages'
# ssh admin@"$HOST" 'cpstat os -f cpu'
done
root@myserver # cat iplist
#R55
myfirewall1
myfirewall2
myfirewall3
myfirewall4
myfirewallcluster1_A
myfirewallcluster1_B
#R60
myfirewall5
myfirewall6
#R65
myfirewall7
myfirewall8
myfirewallcluster2_A
myfirewallcluster2_B
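A variant of the collection loop above, added here as an example and not part of the original post: the "#Rxx" section headers of the iplist are kept as a release tag for each host, and ssh is run non-interactively with a connect timeout so one unreachable firewall cannot hang the whole run. The sample iplist is constructed; the admin user and the output directory name are assumptions.

```shell
#!/bin/sh
# parse_iplist FILE: print "<release> <host>" for every host in an iplist file,
# tagging each host with the most recent "#Rxx" section header above it.
# Blank lines and other comment lines are skipped, as in the original loop.
parse_iplist() {
    awk '
        /^#R[0-9]+/        { rel = substr($1, 2); next }   # section header, e.g. "#R65"
        /^#/ || /^[ \t]*$/ { next }                        # other comments and blank lines
        { print (rel == "" ? "unknown" : rel), $1 }
    ' "$1"
}

# collect_fleet FILE CMD OUTDIR: run CMD on every host over ssh, one output file per
# host. BatchMode refuses password prompts (key auth only), ConnectTimeout bounds the
# connect, and -n keeps ssh from swallowing the rest of the host list from stdin.
collect_fleet() {
    list=$1; cmd=$2; outdir=$3
    mkdir -p "$outdir"
    parse_iplist "$list" | while read -r rel host; do
        out="$outdir/${rel}_${host}.txt"
        if ssh -n -o BatchMode=yes -o ConnectTimeout=5 "admin@$host" "$cmd" > "$out" 2>&1; then
            echo "$host ($rel): ok"
        else
            echo "$host ($rel): FAILED, see $out"
        fi
    done
}

# Constructed sample iplist in the same layout as the one shown above.
SAMPLE_IPLIST=$(mktemp)
cat > "$SAMPLE_IPLIST" <<'EOF'
#R55
myfirewall1
myfirewallcluster1_A

#R65
myfirewall7
EOF

parse_iplist "$SAMPLE_IPLIST"
# Real run (needs ssh keys on the firewalls): collect_fleet iplist 'fw ver' ./fwver_out
```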
Important Files:
On the Management Server:
$FWDIR/conf/classes.C – scheme file. Each object in objects.C, rulebases.fws, fwauth.NDB or any other database file must match one of the classes listed in it.
$FWDIR/conf/objects_5_0.C – object file.
$FWDIR/conf/rulebases_5_0.fws – Rulebase file.
$FWDIR/conf/fwauth.NDB – user database
$FWDIR/conf/.W – The policy file
$FWDIR/conf/user.def.NGX_FLO – User defined inspect code (sk30919)
On the Firewall:
$FWDIR/conf/masters – On the firewalls shows who is the management server
$FWDIR/conf/initial_module.pf – Initial Policy of the firewall
$FWDIR/conf/discntd.if – Add the interface-name in this file to disable monitoring in Secureplatform