Checkpoint Special Config Files
----------------------------------------------
1. fwkern.conf - $FWDIR/boot/modules/fwkern.conf Magic Mac
2. local.arp - $FWDIR/conf/local.arp GAiA manual ARP
3. sdconf.rec - /var/ace RAS authentication
4. rc.local - /etc/rc.d/rc.local
5. netconf.C (/etc/sysconfig) Network interfaces/Routes
6. external.if (/etc/sysconfig)
7. ifcfg-eth1 (/etc/sysconfig/network-scripts/)
----------------------------------------------
checkpoint scripts:
----------------------------------------------
1. checkup.sh
2. cpsizeme
3. nohup mpstat -P ALL 1 86400 > mpstat.out &
----------------------------------------------
Checkpoint Health Checks - Commands
----------------------------------------------
uptime
ver
fw ver
cpinfo -y all
cplic print
expert
df -h
reboot
shutdown
fwunload local
----------------------------------------------
Firewall Performance
----------------------------------------------
top
ps auxwww
fw tab -t connections -s
fw ctl pstat
fwaccel stats
tcpdump -i eth0 src 100.25.240.57 and dst 216.230.64.82
----------------------------------------------
Verification:
----------------------------------------------
cat /etc/sysconfig/ntp
vmstat 1 10
cat /proc/meminfo
cpstat os -f cpu
cpstat os -f memory
Interface Configurations
------------------------
netstat -i
ifconfig -a
netstat -rn
ethtool -i eth0
ethtool -S eth1-01
ethtool -S eth1-02
cpview
fw tab -t userc_key -s
fw tab -t userc_users -s
fw tab -t om_assigned_ips -s (verify # of Seed license)
ClusterXL (High Availability)
------------------------------
cpstop
cpstart
cphastop
cphastart
clusterXL_admin up/down
cphaprob -a if
cphaprob list
cphaprob stat
cpstat ha -f all
cphaprob syncstat
cpconfig
--------------------------------------------------------------------------------
Performance - cpconfig utility to enable/disable Checkpoint SecureXL
--------------------------------------------------------------------------------
fwaccel stats (Usage: fwaccel on | off | ver | stat | conns | dbg <...> | help)
fwaccel conns
fwaccel conns -s
fw ctl multik stat
fw ctl affinity -l -a -v
gaia> fwaccel conns -s (checks SecureXL Connections)
gaia> fw ctl get int fwx_max_conns (checks the maximum number of connections; 0 means it is set to auto/unlimited)
[Expert@myfwe-int02:0]# fw ctl multik stat (connection distribution across CoreXL instances/cores)
ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 11 | 178 | 303
1 | Yes | 10 | 203 | 380
2 | Yes | 9 | 168 | 262
3 | Yes | 8 | 179 | 188
4 | Yes | 7 | 149 | 278
5 | Yes | 6 | 113 | 194
6 | Yes | 5 | 128 | 221
7 | Yes | 4 | 282 | 387
8 | Yes | 3 | 186 | 292
9 | Yes | 2 | 296 | 439
[Expert@myfwe-int02:0]#
[Expert@myfwe-int02:0]# fw ctl affinity -l -a -v (check CPU core to NIC mapping; can be changed in $FWDIR/conf/fwaffinity.conf)
Interface eth1-05 (irq 218): CPU 1
Interface Sync (irq 124): CPU 1
Interface eth1-01 (irq 107): CPU 1
Interface eth1-02 (irq 123): CPU 0
Interface eth3-01 (irq 171): CPU 0
Kernel fw_0: CPU 11
Kernel fw_1: CPU 10
Kernel fw_2: CPU 9
Kernel fw_3: CPU 8
Kernel fw_4: CPU 7
Kernel fw_5: CPU 6
Kernel fw_6: CPU 5
Kernel fw_7: CPU 4
Kernel fw_8: CPU 3
Kernel fw_9: CPU 2
Daemon in.geod: CPU all
Daemon vpnd: CPU all
Daemon in.acapd: CPU all
Daemon in.asessiond: CPU all
Daemon in.msd: CPU all
Daemon rad: CPU all
Daemon rtmd: CPU all
Daemon fwd: CPU all
Daemon mpdaemon: CPU all
Daemon usrchkd: CPU all
Daemon cpd: CPU all
Daemon cprid: CPU all
[Expert@hinfwe-int02:0]#
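As an added example (not from this page or Check Point), a small Python checker that parses the two outputs above and flags an SND core (one serving interface IRQs) that also hosts a firewall kernel instance, plus instances holding far more connections than their peers. The sample text is constructed in the same format as the listings; on a gateway the real command output would be fed in instead.

```python
"""Flag two CoreXL tuning issues from 'fw ctl affinity -l -a -v' and
'fw ctl multik stat' output. Added example, not Check Point code."""
import re

# Constructed samples in the format of the listings above; fw_2 is deliberately pinned to CPU 1, which also serves IRQs.
AFFINITY_OUT = """\
Interface eth1-05 (irq 218): CPU 1
Interface Sync (irq 124): CPU 1
Interface eth1-02 (irq 123): CPU 0
Kernel fw_0: CPU 11
Kernel fw_1: CPU 10
Kernel fw_2: CPU 1
"""
MULTIK_OUT = """\
ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 11 | 178 | 303
1 | Yes | 10 | 203 | 380
2 | Yes | 1 | 900 | 1200
"""

def parse_affinity(text):
    """Return ({interface: cpu}, {fw_instance: cpu}); Daemon lines are ignored."""
    ifaces, kernels = {}, {}
    for line in text.splitlines():
        m = re.match(r"Interface (\S+) \(irq \d+\): CPU (\d+)", line)
        if m:
            ifaces[m.group(1)] = int(m.group(2))
        m = re.match(r"Kernel (fw_\d+): CPU (\d+)", line)
        if m:
            kernels[m.group(1)] = int(m.group(2))
    return ifaces, kernels

def parse_multik(text):
    """Return {instance_id: (cpu, connections, peak)} from the table rows."""
    rows = {}
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("|")]
        if len(cols) == 5 and cols[0].isdigit():
            rows[int(cols[0])] = (int(cols[2]), int(cols[3]), int(cols[4]))
    return rows

def shared_cores(ifaces, kernels):
    """CPUs that serve interface IRQs and also host a kernel instance."""
    return sorted(set(ifaces.values()) & set(kernels.values()))

def skewed_instances(rows, factor=2.0):
    """Instance IDs holding more than `factor` x the mean connection count."""
    mean = sum(conns for _, conns, _ in rows.values()) / len(rows)
    return sorted(i for i, (_, conns, _) in rows.items() if conns > factor * mean)
```

A non-empty result from shared_cores is the usual reason to adjust the mapping in the affinity configuration; a non-empty skewed_instances result points at uneven dispatching rather than at the NICs.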
[Expert@myfwe-int02:0]# fwaccel stat
Accelerator Status : on
Accept Templates : disabled by Firewall
disabled from rule #35
Drop Templates : disabled
NAT Templates : disabled by user
Accelerator Features : Accounting, NAT, Cryptography, Routing,
HasClock, Templates, Synchronous, IdleDetection,
Sequencing, TcpStateDetect, AutoExpire,
DelayedNotif, TcpStateDetectV2, CPLS, McastRouting,
WireMode, DropTemplates, NatTemplates,
Streaming, MultiFW, AntiSpoofing, ViolationStats,
Nac, AsychronicNotif, ERDOS, McastRoutingV2
Cryptography Features : Tunnel, UDPEncapsulation, MD5, SHA1, NULL,
3DES, DES, CAST, CAST-40, AES-128, AES-256,
ESP, LinkSelection, DynamicVPN, NatTraversal,
EncRouting, AES-XCBC, SHA256
[Expert@hinfwe-int02:0]#
[Expert@myfwe-int02:0]# fwaccel conns |grep 216.231.83.228 | more
Source SPort Destination DPort PR Flags C2S i/f S2C i/f Inst Identity
--------------- ----- --------------- ----- -- ----------- ------- ------- ---- --------
216.231.83.228 53 74.94.152.161 1580 17 F..A...S... 7/8 8/7 7 0
66.189.0.104 21318 216.231.83.228 53 17 ...A...S... 7/8 8/7 7 0
216.231.83.228 53 50.204.98.98 39412 17 F..A...S... 7/8 8/7 9 0
216.231.83.228 53 68.87.71.237 22618 17 F..A...S... 7/8 8/7 2 0
71.243.0.148 21446 216.231.83.228 53 17 ...A...S... 7/8 8/7 5 0
74.125.19.215 36506 216.231.83.228 53 17 F..A...S... 7/8 8/7 4 0
216.231.83.228 53 216.19.226.66 18445 17 ...A...S... 7/8 8/7 8 0
216.231.83.228 53 65.55.238.47 62154 17 F..A...S... 7/8 8/7 5 0
216.231.65.79 467 216.231.83.228 0 1 F.......... 10/8 8/10 4 0
Usage: fwaccel on | off | ver | stat | cfg <...> | conns | dbg <...> | help
Options:
on - turns acceleration on
off - turns acceleration off
ver - show acceleration/FW version
stat - show acceleration status
cfg - configure acceleration parameters
stats - print the acceleration statistics
conns - print the accelerator's connection table
templates - print the accelerator's templates table
dbg - set debug flags
help - this help messages
diag - policy diagnostics
----------------------------------------------
Troubleshooting
----------------------------------------------
fw monitor | grep 10.210.7.250
fw ctl zdebug + drop > text.drops
fw ctl zdebug + drop | grep 204.105.57.69
tcpdump -ni eth8 src 172.30.25.132
tcpdump -i eth1 port 1089 and dst 216.118.184.254
netstat -rn |grep 204.105
RE: Traffic failing between internet Clusters
Run a packet capture and a kernel debug on the firewall so I can get a packet-level look at what is happening to the traffic.
From expert mode on the Active Firewall:
1. # fwaccel off (Turn off SecureXL, if enabled)
2. # df -h (Check your disk space to make sure you have sufficient space to run a capture and debug)
3. # fw monitor -o /var/log/fwmon.cap (In one session: Run the capture.)
4. # fw ctl zdebug drop > /var/log/drop.txt (In another session: Run the kernel debug for drops.)
5. # tcpdump -nnei any -w /var/log/tcp.cap (In a third session: Run a tcpdump capture.)
6. Re-create the problem.
7. Control-C (End the fw monitor, tcpdump and the kernel debug with Control-C.)
8. # fwaccel on (Turn on SecureXL, if you disabled it)
----------------------------------------------
log files
----------------------------------------------
$FWDIR/log/vpnd.elg
/var/log/messages
dmesg
/var/log/routed.log
----------------------------------------------
How to Set Specific
----------------------------------------------
clusterXL_admin down/up
ethtool -s eth1 autoneg on
--------------------------------------
/etc/resolv.conf # What's the name resolution config -- sometimes performance is adversely influenced by bad DNS settings
/etc/ntpd.conf # Time config
/etc/ntp.conf
/etc/modprobe.conf # Any NIC or kernel tweaks?
/etc/sysctl.conf # Any kernel tweaks?
/etc/ssh/sshd_config # Any hacks to sshd?
/etc/issue # console banner file
/etc/issue.net # network banner file
/etc/motd # message of the day file
/etc/grub.conf # Grub config -- important to see vmalloc
/etc/gated.ami # gated config file
/etc/gated_xl.ami # gated config file
/etc/rc.d/rc.local # local RC files -- any changes here (such as kernel tweaks)?
$FWDIR/boot/boot.conf # Firewall boot params
$FWDIR/boot/modules/fwkern.conf # Any firewall kernel tweaks?
$PPKDIR/boot/modules/simkern.conf # Any SIM tweaks?
$FWDIR/conf/discntd.if # ClusterXL Disconnected Interfaces
$FWDIR/conf/local.arp # SPLAT / GAiA manual ARP
$FWDIR/conf/vsaffinity_exception.conf # Relevant to R75.40VS and later Virtual systems only
$MDSDIR/conf/external.if # Relevant to P1 / MDSM only
----------------------------------------------------------------------------------------------
ARPING
-----------------------------------------------------------------------------------------------
[myinet-fwa]# fw ctl arp
(26.18.190.123) at 00-1c-7f-3f-6c-fd
(26.18.190.100) at 00-1c-7f-3f-6c-fd
[myinet-fwa]# arping -I eth3-04 216.118.190.88 (send ARP probes for an IP out of a specific interface)
ARPING 216.118.190.88 from 216.118.190.7 eth3-04
Sent 7 probes (7 broadcast(s))
Received 0 response(s)
[myinet-fwa]# arping -I eth3-04 26.18.190.87
ARPING 216.118.190.87 from 26.18.190.7 eth3-04
Sent 9 probes (9 broadcast(s))
Received 0 response(s)
[myinet-fwa]# arping -I eth3-04 26.18.190.89
ARPING 216.118.190.89 from 26.18.190.7 eth3-04
Sent 14 probes (14 broadcast(s))
Received 0 response(s)
[myinet-fwa]#
-------------------------------------------------------------------------------------------
ClusterXL Troubleshooting
-------------------------------------------------------------------------------------------
ClusterXL (High Availability)
cpstop
cpstart
cphastop
cphastart
clusterXL_admin up/down
cphaprob -a if
cphaprob list
cphaprob stat
cpwd_admin list
[Expert@mydev-fwa]# cphaprob stat
Cluster Mode: New High Availability (Active Up)
Number Unique Address Assigned Load State
1 (local) 192.168.42.1 100% Active
2 192.168.42.2 0% Standby
[Expert@mydev-fwa]#
[Expert@mydev-fwa]# cphaprob -a if
Required interfaces: 6
Required secured interfaces: 1
eth0 UP non sync(non secured), multicast
eth1 UP non sync(non secured), multicast
eth2 UP non sync(non secured), multicast
eth3 UP non sync(non secured), multicast
eth4 UP non sync(non secured), multicast
eth5 UP sync(secured), multicast
Virtual cluster interfaces: 5
eth0 172.30.25.54
eth1 10.125.240.4
eth2 10.125.242.4
eth3 10.125.244.4
eth4 10.125.246.4
[Expert@mydev-fwa]#
[Expert@mydev-fwa]# cphaprob list
Built-in Devices:
Device Name: Interface Active Check
Current state: OK
Registered Devices:
Device Name: Synchronization
Registration number: 0
Timeout: none
Current state: OK
Time since last report: 388872 sec
Device Name: Filter
Registration number: 1
Timeout: none
Current state: OK
Time since last report: 388866 sec
Device Name: cphad
Registration number: 2
Timeout: 2 sec
Current state: OK
Time since last report: 0.9 sec
Device Name: fwd
Registration number: 3
Timeout: 2 sec
Current state: OK
Time since last report: 0.9 sec
[Expert@mydev-fwa]#
[Expert@mydev-fwa]# cpwd_admin list
cpwd_admin:
APP PID STAT #START START_TIME COMMAND MON
CPD 3449 E 1 [20:24:21] 7/6/2013 cpd Y
CI_CLEANUP 3534 E 1 [20:24:35] 7/6/2013 avi_del_tmp_files N
CIHS 3546 E 1 [20:24:35] 7/6/2013 ci_http_server -j -f /opt/CPsuite-R71/fw1/conf/cihs.conf N
FWD 3548 E 1 [20:24:36] 7/6/2013 fwd N
RTMD 4051 E 1 [20:24:59] 7/6/2013 rtmd N
[Expert@mydev-fwa]#
cphaprob list reported issues with fib in problem state. Next ran cpwd_admin list and noticed that FIBMGR and DROUTER had restarted 2x.
[Expert@myvpn-fwb]# clusterXL_admin down
Setting member to administratively down state ...
Member current state is Down
[Expert@myvpn-fwb]# cphaprob stat
Cluster Mode: New High Availability (Active Up)
Number Unique Address Assigned Load State
1 192.168.25.241 100% Active
2 (local) 192.168.25.242 0% Down
[Expert@myvpn-fwb]# clusterXL_admin up
Setting member to normal operation ...
Member current state is Standby
[Expert@myvpn-fwb]#
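As an added example (not the page's or Check Point's code), a Python checker for cphaprob list output that names every device that is not in state OK or that has gone silent for longer than its registered timeout, which is the kind of problem state noted for fib above. The sample is constructed in the same format as the listing, with one device deliberately failing.

```python
"""Report unhealthy ClusterXL devices from 'cphaprob list' output.
Added example, not Check Point code; the sample below is constructed."""
import re

# Same format as the listing above; fib is in problem state and has not reported within its 2 sec timeout.
CPHAPROB_LIST = """\
Built-in Devices:
Device Name: Interface Active Check
Current state: OK
Registered Devices:
Device Name: Synchronization
Registration number: 0
Timeout: none
Current state: OK
Time since last report: 388872 sec
Device Name: fib
Registration number: 4
Timeout: 2 sec
Current state: problem
Time since last report: 5.3 sec
"""

def parse_devices(text):
    """One dict per 'Device Name:' block, keyed by the printed field names."""
    devices = []
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Device Name":
            devices.append({"name": value})
        elif devices and value:  # section headers like 'Registered Devices:' carry no value
            devices[-1][key] = value
    return devices

def seconds(value):
    """'5.3 sec' -> 5.3; 'none' or a missing field -> None."""
    m = re.match(r"([\d.]+)\s*sec", value or "")
    return float(m.group(1)) if m else None

def unhealthy_devices(devices):
    """Names of devices not in state OK, or silent for longer than their timeout."""
    bad = []
    for d in devices:
        timeout = seconds(d.get("Timeout"))
        last = seconds(d.get("Time since last report"))
        stale = timeout is not None and last is not None and last > timeout
        if d.get("Current state") != "OK" or stale:
            bad.append(d["name"])
    return bad
```

Devices with 'Timeout: none' (Synchronization, Filter) are judged on state only, since their large 'Time since last report' values are normal.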