Friday, February 23, 2018

Checkpoint Health Checks

----------------------------------------------
Checkpoint Special Config Files
----------------------------------------------
1. fwkern.conf - $FWDIR/boot/modules/fwkern.conf   firewall kernel parameters (e.g. the ClusterXL magic MAC)
2. local.arp   - $FWDIR/conf/local.arp             GAiA manual (proxy) ARP entries
3. sdconf.rec  - /var/ace                          RSA SecurID (ACE) authentication
4. rc.local    - /etc/rc.d/rc.local                commands run at boot
5. netconf.C   - /etc/sysconfig                    network interfaces/routes
6. external.if - /etc/sysconfig
7. ifcfg-eth1  - /etc/sysconfig/network-scripts/   per-interface config
----------------------------------------------
checkpoint scripts:
----------------------------------------------
1. checkup.sh
2. cpsizeme
3. nohup mpstat -P ALL 1 86400 > mpstat.out &
----------------------------------------------
Checkpoint Health Checks -Commands
----------------------------------------------
uptime
ver
fw ver
cpinfo -y all
cplic print
expert
df -h
reboot          (disruptive)
shutdown        (disruptive)
fw unloadlocal  (disruptive: unloads the local policy, leaving the gateway without enforcement; reinstall the policy afterwards)

----------------------------------------------
Firewall Performance
----------------------------------------------
top
ps auxwww
fw tab -t connections -s
fw ctl pstat
fwaccel stats
tcpdump -i eth0 src 100.25.240.57 and dst 216.230.64.82


----------------------------------------------
Verification:
----------------------------------------------
cat /etc/sysconfig/ntp
vmstat 1 10
cat /proc/meminfo
cpstat os -f cpu
cpstat os -f memory

Interface Configurations
------------------------
netstat -i
ifconfig -a
netstat -rn
ethtool -i eth0
ethtool -S eth1-01
ethtool -S eth1-02


cpview
fw tab -t userc_key -s
fw tab -t userc_users -s
fw tab -t om_assigned_ips -s  (Office Mode assigned IPs; verify the count against the remote-access license)

Cluster XL (High Availability)
------------------------------
cpstop
cpstart
cphastop
cphastart
clusterXL_admin up/down
cphaprob -a if
cphaprob list
cphaprob stat
cpstat ha -f all
cphaprob syncstat

cpconfig

--------------------------------------------------------------------------------
Performance - the cpconfig utility enables/disables Checkpoint SecureXL
--------------------------------------------------------------------------------
fwaccel stats  (Usage: fwaccel on | off | ver | stat | conns | dbg <...> | help)
fwaccel conns
fwaccel conns -s
fw ctl multik stat
fw ctl affinity -l -a -v
gaia> fwaccel conns -s  (counts SecureXL connections)
gaia> fw ctl get int fwx_max_conns  (maximum number of connections; 0 means automatic/unlimited)

[Expert@myfwe-int02:0]# fw ctl multik stat  (connection distribution across the CoreXL firewall instances)
ID | Active  | CPU    | Connections | Peak
----------------------------------------------
 0 | Yes     | 11     |         178 |      303
 1 | Yes     | 10     |         203 |      380
 2 | Yes     | 9      |         168 |      262
 3 | Yes     | 8      |         179 |      188
 4 | Yes     | 7      |         149 |      278
 5 | Yes     | 6      |         113 |      194
 6 | Yes     | 5      |         128 |      221
 7 | Yes     | 4      |         282 |      387
 8 | Yes     | 3      |         186 |      292
 9 | Yes     | 2      |         296 |      439
[Expert@myfwe-int02:0]#


[Expert@myfwe-int02:0]# fw ctl affinity -l -a -v    (CPU core to NIC/instance mapping - can be changed in $FWDIR/conf/fwaffinity.conf)
Interface eth1-05 (irq 218): CPU 1
Interface Sync (irq 124): CPU 1
Interface eth1-01 (irq 107): CPU 1
Interface eth1-02 (irq 123): CPU 0
Interface eth3-01 (irq 171): CPU 0
Kernel fw_0: CPU 11
Kernel fw_1: CPU 10
Kernel fw_2: CPU 9
Kernel fw_3: CPU 8
Kernel fw_4: CPU 7
Kernel fw_5: CPU 6
Kernel fw_6: CPU 5
Kernel fw_7: CPU 4
Kernel fw_8: CPU 3
Kernel fw_9: CPU 2
Daemon in.geod: CPU all
Daemon vpnd: CPU all
Daemon in.acapd: CPU all
Daemon in.asessiond: CPU all
Daemon in.msd: CPU all
Daemon rad: CPU all
Daemon rtmd: CPU all
Daemon fwd: CPU all
Daemon mpdaemon: CPU all
Daemon usrchkd: CPU all
Daemon cpd: CPU all
Daemon cprid: CPU all
[Expert@myfwe-int02:0]#

[Expert@myfwe-int02:0]# fwaccel stat
Accelerator Status : on
Accept Templates   : disabled by Firewall
                     disabled from rule #35
Drop Templates     : disabled
NAT Templates      : disabled by user

Accelerator Features : Accounting, NAT, Cryptography, Routing,
                       HasClock, Templates, Synchronous, IdleDetection,
                       Sequencing, TcpStateDetect, AutoExpire,
                       DelayedNotif, TcpStateDetectV2, CPLS, McastRouting,
                       WireMode, DropTemplates, NatTemplates,
                       Streaming, MultiFW, AntiSpoofing, ViolationStats,
                       Nac, AsychronicNotif, ERDOS, McastRoutingV2
Cryptography Features : Tunnel, UDPEncapsulation, MD5, SHA1, NULL,
                        3DES, DES, CAST, CAST-40, AES-128, AES-256,
                        ESP, LinkSelection, DynamicVPN, NatTraversal,
                        EncRouting, AES-XCBC, SHA256
[Expert@myfwe-int02:0]#



[Expert@myfwe-int02:0]# fwaccel conns | grep 216.231.83.228 | more
Source          SPort Destination     DPort PR Flags       C2S i/f S2C i/f Inst Identity
--------------- ----- --------------- ----- -- ----------- ------- ------- ---- --------
 216.231.83.228    53   74.94.152.161  1580 17 F..A...S... 7/8     8/7      7        0
   66.189.0.104 21318  216.231.83.228    53 17 ...A...S... 7/8     8/7      7        0
 216.231.83.228    53    50.204.98.98 39412 17 F..A...S... 7/8     8/7      9        0
 216.231.83.228    53    68.87.71.237 22618 17 F..A...S... 7/8     8/7      2        0
   71.243.0.148 21446  216.231.83.228    53 17 ...A...S... 7/8     8/7      5        0
  74.125.19.215 36506  216.231.83.228    53 17 F..A...S... 7/8     8/7      4        0
 216.231.83.228    53   216.19.226.66 18445 17 ...A...S... 7/8     8/7      8        0
 216.231.83.228    53    65.55.238.47 62154 17 F..A...S... 7/8     8/7      5        0
  216.231.65.79   467  216.231.83.228     0  1 F.......... 10/8    8/10     4        0

Usage: fwaccel on | off | ver | stat | cfg <...> | conns | dbg <...> | help
Options:
on-turns acceleration on
off-turns acceleration off
ver-show acceleration/FW version
stat-show acceleration status
cfg-configure acceleration parameters
stats-print the acceleration statistics
conns-print the accelerator's connection table
templates-print the accelerator's templates table
dbg-set debug flags
help-this help messages
diag-policy diagnostics


----------------------------------------------
Troubleshooting
----------------------------------------------
fw monitor | grep 10.210.7.250
fw ctl zdebug + drop > text.drops
fw ctl zdebug + drop | grep 204.105.57.69
tcpdump -ni eth8 src 172.30.25.132
tcpdump -i eth1 port 1089 and dst 216.118.184.254
netstat -rn |grep 204.105

RE: Traffic failing between internet clusters
Run a packet capture and a kernel debug on the firewall so I can get a packet-level look at what is happening to the traffic.
From expert mode on the Active firewall:
1. # fwaccel off  (Turn off SecureXL, if enabled. All traffic then takes the firewall path and CPU load rises, so keep the window short.)
2. # df -h  (Check disk space to make sure there is room for the capture and debug output.)
3. # fw monitor -o /var/log/fwmon.cap  (In one session: run the capture.)
4. # fw ctl zdebug drop > /var/log/drop.txt  (In another session: run the kernel debug for drops.)
5. # tcpdump -nnei any -w /var/log/tcp.cap  (In a third session: run a tcpdump capture.)
6. Re-create the problem.
7. Control-C in each session  (Ends fw monitor, tcpdump and the kernel debug.)
8. # fwaccel on  (Turn SecureXL back on, if you disabled it. Do not leave it off after the capture.)
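The procedure above is easy to get wrong under pressure: three sessions to stop, and SecureXL left off if the SSH session drops. The script below is an added example, not Check Point code, that runs the same eight steps from one shell with a trap so the collectors are stopped and SecureXL is restored on normal exit, Ctrl-C or SIGTERM. It assumes expert mode on the active member with fwaccel, fw and tcpdump on PATH; OUTDIR, MIN_FREE_KB, disk_ok, accel_state and collect are this example's own names.

```shell
#!/bin/sh
# Added example (not Check Point code): the capture/debug procedure as one
# script that always re-enables SecureXL and stops the collectors.
# Assumes expert mode on the active member; fwaccel, fw and tcpdump on PATH.

OUTDIR=${OUTDIR:-/var/log}
MIN_FREE_KB=${MIN_FREE_KB:-1048576}   # refuse to start with less than 1 GiB free

# disk_ok DIR KB: the "df -h" step as a check that can fail the run.
disk_ok() {
    free_kb=$(df -Pk "$1" | awk 'NR == 2 { print $4 }')
    [ -n "$free_kb" ] && [ "$free_kb" -ge "$2" ]
}

# accel_state: reads "fwaccel stat" output on stdin and prints on/off, so
# SecureXL is only re-enabled at the end if it was on to begin with.
accel_state() {
    awk -F: '/Accelerator Status/ { gsub(/ /, "", $2); print $2 }'
}

collect() {
    if ! disk_ok "$OUTDIR" "$MIN_FREE_KB"; then
        echo "less than $MIN_FREE_KB KB free in $OUTDIR, refusing to capture" >&2
        return 1
    fi
    was_on=$(fwaccel stat | accel_state)
    pids=""

    # Runs on normal exit, Ctrl-C and SIGTERM. Background jobs of a
    # non-interactive shell ignore SIGINT, so stop them with SIGTERM
    # (tcpdump and fw monitor both close their files on it), then restore SecureXL.
    cleanup() {
        trap - EXIT INT TERM
        [ -n "$pids" ] && kill $pids 2>/dev/null   # word splitting of $pids intended
        wait
        [ "$was_on" = "on" ] && fwaccel on
    }
    trap cleanup EXIT INT TERM

    [ "$was_on" = "on" ] && fwaccel off          # step 1: everything takes the firewall path
    fw monitor -o "$OUTDIR/fwmon.cap" &        pids="$pids $!"   # step 3
    fw ctl zdebug drop > "$OUTDIR/drop.txt" &  pids="$pids $!"   # step 4
    tcpdump -nnei any -w "$OUTDIR/tcp.cap" &   pids="$pids $!"   # step 5
    echo "Collectors running (pids:$pids). Reproduce the problem, then press Enter."
    read _ignored                               # step 6; Ctrl-C or EOF also ends it
}

# Only start capturing when explicitly asked:  sh capture.sh run
case "${1:-}" in run) collect ;; esac
```

Run it as `sh capture.sh run`, reproduce the problem, press Enter; the output files are the same three paths the procedure uses. Because `fwaccel off` pushes every connection into the slow path, the free-space check and the guaranteed `fwaccel on` are the two parts worth keeping even if you type the rest by hand.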


----------------------------------------------
log files
----------------------------------------------
$FWDIR/log/vpnd.elg
/var/log/messages
dmesg
/var/log/routed.log


----------------------------------------------
How to set specific states (cluster member, NIC autonegotiation)
----------------------------------------------
clusterXL_admin down/up
ethtool -s eth1  autoneg on


--------------------------------------
/etc/resolv.conf    # What's the name resolution config -- sometimes performance is adversely influenced by bad DNS settings
/etc/ntpd.conf      # Time config
/etc/ntp.conf
/etc/modprobe.conf  # Any NIC or kernel tweaks?
/etc/sysctl.conf    # Any kernel tweaks?
/etc/ssh/sshd_config # Any hacks to sshd?
/etc/issue           # console banner file
/etc/issue.net       # network banner file
/etc/motd            # message of the day file
/etc/grub.conf       # Grub config -- important to see vmalloc
/etc/gated.ami       # gated config file
/etc/gated_xl.ami    # gated config file
/etc/rc.d/rc.local   # local RC files -- any changes here (such as kernel tweaks)?
$FWDIR/boot/boot.conf              # Firewall boot params
$FWDIR/boot/modules/fwkern.conf    # Any firewall kernel tweaks?
$PPKDIR/boot/modules/simkern.conf  # Any SIM tweaks?
$FWDIR/conf/discntd.if             # ClusterXL Disconnected Interfaces
$FWDIR/conf/local.arp              # SPLAT / GAiA manual ARP
$FWDIR/conf/vsaffinity_exception.conf      # Relevant to R75.40VS and later Virtual systems only
$MDSDIR/conf/external.if                   # Relevant to P1 / MDSM only


----------------------------------------------------------------------------------------------
ARPING
-----------------------------------------------------------------------------------------------
[myinet-fwa]# fw ctl arp
 (26.18.190.123) at 00-1c-7f-3f-6c-fd
 (26.18.190.100) at 00-1c-7f-3f-6c-fd


[myinet-fwa]# arping -I eth3-04 216.118.190.88 (ARP-probe an IP from a specific interface; 0 responses means nothing on that segment answers for the address)
ARPING 216.118.190.88 from 216.118.190.7 eth3-04
Sent 7 probes (7 broadcast(s))
Received 0 response(s)

[myinet-fwa]# arping -I eth3-04 26.18.190.87
ARPING 26.18.190.87 from 26.18.190.7 eth3-04
Sent 9 probes (9 broadcast(s))
Received 0 response(s)

[myinet-fwa]# arping -I eth3-04 26.18.190.89
ARPING 26.18.190.89 from 26.18.190.7 eth3-04
Sent 14 probes (14 broadcast(s))
Received 0 response(s)
[myinet-fwa]#


-------------------------------------------------------------------------------------------
ClusterXL Troubleshooting
-------------------------------------------------------------------------------------------
Cluster XL (High Availability)
cpstop
cpstart
cphastop
cphastart
clusterXL_admin up/down
cphaprob -a if
cphaprob list
cphaprob stat
cpwd_admin list

[Expert@mydev-fwa]# cphaprob stat

Cluster Mode:   New High Availability (Active Up)

Number     Unique Address  Assigned Load   State

1 (local)  192.168.42.1    100%            Active
2          192.168.42.2    0%              Standby

[Expert@mydev-fwa]#


[Expert@mydev-fwa]# cphaprob -a if

Required interfaces: 6
Required secured interfaces: 1

eth0       UP                    non sync(non secured), multicast
eth1       UP                    non sync(non secured), multicast
eth2       UP                    non sync(non secured), multicast
eth3       UP                    non sync(non secured), multicast
eth4       UP                    non sync(non secured), multicast
eth5       UP                    sync(secured), multicast

Virtual cluster interfaces: 5

eth0            172.30.25.54
eth1            10.125.240.4
eth2            10.125.242.4
eth3            10.125.244.4
eth4            10.125.246.4

[Expert@mydev-fwa]#


[Expert@mydev-fwa]# cphaprob list

Built-in Devices:

Device Name: Interface Active Check
Current state: OK

Registered Devices:

Device Name: Synchronization
Registration number: 0
Timeout: none
Current state: OK
Time since last report: 388872 sec

Device Name: Filter
Registration number: 1
Timeout: none
Current state: OK
Time since last report: 388866 sec

Device Name: cphad
Registration number: 2
Timeout: 2 sec
Current state: OK
Time since last report: 0.9 sec

Device Name: fwd
Registration number: 3
Timeout: 2 sec
Current state: OK
Time since last report: 0.9 sec

[Expert@mydev-fwa]#

[Expert@mydev-fwa]# cpwd_admin list
cpwd_admin:
APP        PID    STAT  #START  START_TIME             COMMAND              MON
CPD        3449   E     1       [20:24:21] 7/6/2013    cpd                  Y
CI_CLEANUP 3534   E     1       [20:24:35] 7/6/2013    avi_del_tmp_files    N
CIHS       3546   E     1       [20:24:35] 7/6/2013    ci_http_server -j -f /opt/CPsuite-R71/fw1/conf/cihs.conf N
FWD        3548   E     1       [20:24:36] 7/6/2013    fwd                  N
RTMD       4051   E     1       [20:24:59] 7/6/2013    rtmd                 N
[Expert@mydev-fwa]#

cphaprob list reported the fib device in problem state. Next I ran cpwd_admin list and noticed that FIBMGR and DROUTER had restarted twice.


[Expert@myvpn-fwb]# clusterXL_admin down
Setting member to administratively down state ...
Member current state is Down
[Expert@myvpn-fwb]# cphaprob stat

Cluster Mode:   New High Availability (Active Up)


Number     Unique Address  Assigned Load   State

1          192.168.25.241  100%            Active
2 (local)  192.168.25.242  0%              Down

[Expert@myvpn-fwb]# clusterXL_admin up
Setting member to normal operation ...
Member current state is Standby
[Expert@myvpn-fwb]#
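Both the SecureXL/CoreXL section (fw ctl multik stat, fwaccel stat) and this ClusterXL section read the same way: eyeball the output for an instance that is not active, templates disabled by a rule, a member that is neither Active nor Standby, or a device not in state OK. The functions below are an added example, not Check Point code, that turn those outputs into pass/fail checks with awk so they can be run on a schedule or after a change window. They assume expert mode on GAiA (POSIX sh and awk) and the output layouts exactly as printed above; the 3:1 connection-spread threshold and the function names multik_check, fwaccel_check and cluster_check are this example's assumptions.

```shell
#!/bin/sh
# Added example (not Check Point code): pass/fail checks over the CoreXL,
# SecureXL and ClusterXL outputs shown on this page. Assumes POSIX sh + awk.

# fw ctl multik stat | multik_check [max_ratio]
# Flags instances that are not Active and a max/min connection spread
# above max_ratio (default 3, an assumed threshold). Exit 1 on any finding.
multik_check() {
    awk -F'|' -v maxratio="${1:-3}" '
        # data rows look like " 0 | Yes     | 11     |         178 |      303"
        $1 ~ /^ *[0-9]+ *$/ {
            n++
            gsub(/ /, "", $2); conns = $4 + 0
            if ($2 != "Yes") { printf "instance %d not active\n", $1 + 0; bad = 1; next }
            act++
            if (act == 1 || conns < min) min = conns
            if (act == 1 || conns > max) max = conns
        }
        END {
            if (n == 0) { print "no CoreXL instances parsed"; exit 1 }
            printf "instances=%d active=%d min=%d max=%d\n", n, act, min, max
            if (min > 0 && max / min > maxratio) {
                printf "uneven distribution (%d vs %d connections)\n", max, min; bad = 1
            }
            exit bad + 0
        }'
}

# fwaccel stat | fwaccel_check
# Exit 1 if SecureXL is not on; also reports Accept Templates being
# disabled and the rule that disabled them (the "rule #35" case above).
fwaccel_check() {
    awk '
        BEGIN { bad = 0 }
        /Accelerator Status/ { status = $NF }
        /Accept Templates/   { accept = $0; sub(/.*: */, "", accept) }
        /disabled from rule/ { rule = $NF }
        END {
            if (status != "on") { printf "SecureXL status is \"%s\"\n", status; bad = 1 }
            if (accept != "" && accept != "enabled") {
                printf "accept templates %s", accept
                if (rule != "") printf " (rule %s)", rule
                print ""
            }
            exit bad
        }'
}

# { cphaprob stat; cphaprob list; } | cluster_check
# Flags members that are neither Active nor Standby, registered devices whose
# state is not OK, and (HA mode, as in the outputs above; Load Sharing would
# legitimately show several Active members) an Active count other than one.
cluster_check() {
    awk '
        BEGIN { bad = 0; active = 0 }
        # member rows: "1 (local)  192.168.42.1    100%            Active"
        /^[0-9]+ / {
            if ($NF == "Active") active++
            else if ($NF != "Standby") { printf "member %d is %s\n", $1, $NF; bad = 1 }
        }
        /^Device Name:/   { dev = $0; sub(/^Device Name: */, "", dev) }
        /^Current state:/ { if ($NF != "OK") { printf "device \"%s\" is %s\n", dev, $NF; bad = 1 } }
        END {
            if (active != 1) { printf "%d Active members (expected 1 in HA mode)\n", active; bad = 1 }
            exit bad
        }'
}
```

Chain them on the gateway, e.g. `fw ctl multik stat | multik_check && fwaccel stat | fwaccel_check && { cphaprob stat; cphaprob list; } | cluster_check`, and a non-zero exit is the signal to go back to the full outputs above. Note that fwaccel_check treats templates disabled by a rule as a report, not a failure: that is a policy-ordering finding to raise with whoever owns rule #35, not an outage.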