Sunday, December 22, 2019

CLI for firewall debug, processes and daemon

The following terms are used on the CLI for firewall debug, processes and daemons:
accel                     SecureXL
acct                      Application Control accounting
advp                      advanced patterns (signatures over port ranges)
APPI                      Application Control
aspii                     Accelerated Stateful Protocol Inspection Infrastructure (INSPECT streaming)
async                     IA checking known network
av                        Anti-Virus inspection
avi_del_tmp_files         Shell script that periodically deletes various old temporary Anti-Virus files
balance                   ConnectControl - logical servers in kernel, load balancing
btime                     browse time
cache_tab                 cache table infrastructure
ccp                       Cluster Control Protocol (CCP)
cgnat                     Carrier Grade NAT (CGN/CGNAT)
chain                     chain modules
chainfwd                  chain forwarding - cluster
chainq                    QoS holding and releasing packets during critical actions (policy install / uninstall)
CI                        Content Inspection
ci_http_server            HTTP Server for Content Inspection
clishd                    Gaia Clish CLI interface process - general information for all Clish sessions
clish                     Gaia Clish CLI interface
clob                      data classification - Classification Object (CLOB)
cloningd                  Cloning Groups daemon
cluster                   ClusterXL
cmi                       Context Management Infrastructure
cmi_inspect               cmi_loader - INSPECT code
cmi_loader                CMI loader
cmi_module                cmi_loader module operations - initialization, module loading, calls to module, contexts, etc.
confd                     Database and configuration
conn                      Connections Table issues
connstats                 connections statistics for Evaluation of Heavy Connections in CPView (refer to sk105762)
context                   operations on Memory context and CPU context
CPAS                      CPAS (Check Point Active Streaming)
cpca                      Check Point Internal Certificate Authority (ICA)
cpcode                    Data Loss Prevention (DLP) CPcode
cpd                       Check Point processes / daemon
cpdiag                    CPDiag operations
cp_file_convert           Used to convert various file formats to simple textual format for scanning by the DLP engine
cphaconf                  installs cluster configuration, or CLI command
cphamcset                 Clustering daemon
cphaprob                  Process that lists the state of cluster members, or CLI command
cphastart                 Starts the cluster and state synchronization
cphastop                  Stops the cluster and state synchronization
cp_http_server            HTTP Server for Management Portal (SmartPortal) and for OS WebUI
cplmd                     gets the data that should be presented in SmartView Tracker
cpm                       Check Point management daemon (PostgreSQL and SOLR databases)
cposd                     SMB-specific daemon responsible for OS Networking operations
cprid                     Check Point Remote Installation Daemon
cprid_wd                  WatchDog for Check Point Remote Installation Daemon
cpsead                    Responsible for Correlation Unit functionality
cpsemd                    Responsible for logging into the SmartEvent GUI
cpsnmpd                   SNMP queries for Check Point OIDs
cpstat_monitor            Process responsible for collecting and sending information to SmartView Monitor
cptls                     CRYPTO-PRO Transport Layer Security (HTTPS inspection)
cpviewd                   CPView Utility daemon (sk101878)
cpview_historyd           CPView Utility History daemon (sk101878)
cpwd                      WatchDog - monitors critical processes such as Check Point daemons
cpwmd                     Check Point Web Management daemon
crypto                    basic information about encryption and decryption
cserver                   Check Server that either stops or processes the e-mail
ctasd                     Commtouch Anti-Spam daemon
ctipd                     Commtouch IP Reputation daemon
cu                        Connectivity Upgrade (sk107042)
cvpnd                     Back-end daemon of the Mobile Access Software Blade; processing of connections handled by the Mobile Access daemon
cvpnproc                  Offloads blocking commands from cvpnd
CvpnUMD                   Reports SNMP connected users to AMON
DAService                 Check Point Upgrade Service Engine (CPUSE) - (sk92449)
dbsync                    DBsync enables SmartReporter to synchronize data stored in different parts of the network
dbwriter                  Offloads database commands from cvpnd and synchronizes with other members
dfa                       Pattern Matcher (Deterministic Finite Automaton) compilation and execution
df                        Decision Function - decides which member will handle each packet in Load Sharing mode
dfilter                   debug filter operations
dhcpd                     DHCP server daemon
dlpda                     Data Loss Prevention (DLP) Download Agent
dlp                       Data Loss Prevention
dlp_fingerprint           Used to identify the data according to a unique signature
dlpk                      Data Loss Prevention (DLP) Kernel Module
dlpu                      DLP process - receives data from Check Point kernel
dlpuk                     Data Loss Prevention (DLP) User Module
dnstun                    DNS tunnels
domain                    DNS queries
dos                       DDoS attack mitigation (part of IPS)
dropbear                  Lightweight SSH server on SMB appliance
dynlog                    dynamic log enhancement (INSPECT logs)
fg                        FloodGate-1 (QoS)
FILEAPP                   File Application
filecache                 Content Awareness file caching
flofiler                  Flow profiler
fwapp                     information about policy installation for FireWall application
fwd                       Firewall processes / daemon
fwdlp                     DLP core engine that performs the scanning / inspection
fw                        Firewall
fwm                       Communication between SmartConsole applications and Security Management Server
fwpushd                   Mobile Access Push Notifications daemon
fwstats                   FW-1 statistics
fwucd                     DLP UserCheck back-end daemon that sends approval / disapproval requests to user
ghtab                     multi-threaded safe global hash tables
glue                      glue layer messages
gtp                       GPRS Tunneling Protocol (GTP)
h323                      VoIP H.323
htab                      multi-threaded safe hash table
httpd2                    Web server daemon (Gaia Portal)
httpd                     Endpoint Policy Management Server
httpd                     Front-end daemon of the Mobile Access Software Blade (multi-process)
IA_htab                   IA checking for network IP address, working with kernel tables
ICAP_CLIENT               Internet Content Adaptation Protocol client
IDAPI                     Identity Awareness
ifnotify                  notification of changes in interface status - up or down (received from OS)
in.acapd                  Packet capturing daemon for SmartView Tracker logs
in.emaild.mta             E-Mail Security Server
in.emaild.pop3            POP3 Security Server that receives e-mails sent by user
in.emaild.smtp            SMTP Security Server that receives e-mails sent by user and sends them to their destinations
in.geod                   Updates the IPS Geo Protection Database
in.msd                    Mail Security Daemon that queries the Commtouch engine for reputation
interpreter               Process responsible for Compliance Blade database scan
ioctl / IOCTL             control messages - communication between kernel and daemon
ipopt                     IP options enforcement
java_solr                 Events are stored in the SOLR database (Jetty Server), part of cpm
kbuf                      kernel buffer
kissd                     KISS - used for kernel memory management
kissflow                  Kernel Infrastructure Flow
kiss                      Kernel Infrastructure
kisspm                    Kernel Infrastructure Pattern Matcher
kqstats                   Kernel Worker thread statistics mechanism
kw                        Kernel Worker state and Pattern Matcher inspection
ld                        kernel dynamic tables infrastructure - reads from / writes to the tables
lea_session               LEA OPSEC session
lea                       LEA OPSEC - logs
llq                       QoS low latency queuing
log_consolidator          Log Consolidator for the SmartReporter product
log_indexer               R80 Log indexer
lpd                       Log Parser Daemon - searches predefined patterns in log files
mab                       Mobile Access handler
machine                   INSPECT Virtual Machine
MALWARE                   Malware (Threat Prevention)
mem_pool                  memory pool
mgcp                      Media Gateway Control Protocol
mgr                       policy installation manager
misc                      miscellaneous helpful information
misp                      ISP Redundancy
mmagic                    MAC magic - operations (getting, setting, updating, initializing, dropping, etc.)
monitorall                debug -> fw monitor -p all
monitord                  Hardware monitoring daemon
monitor                   debug -> fw monitor
MoveFileDemuxer           Related to MoveFileServer process (moving files between cluster members)
MoveFileServer            Moves files between cluster members in order to perform database synchronization
mpdaemon                  Apache server (which can have multiple processes) for starting these web servers
mrtsync                   synchronization (in kernel) between cluster members of Multicast Routes
msnms                     MSN over MSMS (MSN Messenger protocol)
mspi                      information related to creation and destruction of MSA / MSPI
mtctx                     multi-threaded context - memory allocation, reference count
multik                    CoreXL -> Multi-Kernel Inspection
mutex                     Unified Policy internal mutex operations
nac                       Network Access Control (NAC)
NRB                       Next Rule Base
ntup                      Non-TCP / Non-UDP traffic policy (traffic parser)
om_alloc                  allocation of Office Mode IP addresses
osu                       cluster Optimal Service Upgrade (sk107042)
packet_err                invalid packets, for which a dispatching decision can't be made
packval                   stateless verifications - sequences, fragments, translations and other header verifications
parser                    file parsing or CMI parser
parsers_is                cmi_loader parsers infrastructure
pcktdmp                   dumps the encrypted packets before encryption / decrypted packets after decryption
pcre                      Perl Compatible Regular Expressions
pdpd                      IA Policy Decision Point daemon
pepd                      IA Policy Enforcement Point daemon
per_conn                  messages per connection (when a new connection is handled by RTM)
per_pckt                  messages per packet (when a new packet arrives and is handled by RTM) or "con_conn"
Pinger                    Reduces the number of httpd processes performing ActiveSync
pkt_dump                  traffic packet dump
pkxld                     Performs asymmetric key operations for HTTPS Inspection
PM_compile                Pattern Matcher - pattern compilation
pmdump                    Pattern Matcher - DFA (dumping XMLs)
pm                        Gaia OS Process Manager
pmint                     Pattern Matcher compilation
pm                        Pattern Matcher - compilation and execution
pnote                     registering and monitoring of critical ClusterXL Devices
portscan                  port scanning prevention mechanics
postgres                  PostgreSQL server
prof                      Firewall Priority Queues - connection profiler (refer to sk105762)
q                         driver queue
qosaccel                  QoS acceleration
qos                       QoS (FloodGate-1)
queue                     Kernel Worker thread queues
quota                     cross-instance quota table
RAD_KERNEL                Resource Advisor Kernel
rad                       Resource Advisor
rconfd                    Provisioning daemon
rem                       Regular Expression Matcher - Pattern Matcher 2nd tier (slow path)
report_mgr                report manager
routed                    Routing daemon
rtdbd                     Real Time database daemon
rtmd                      Real Time traffic statistics
RTM                       Real-Time Monitoring
salloc                    System Memory allocation
sam                       Suspicious Activity Monitoring
scanengine_b              Third party engine
scanengine_k              Third party engine
scanengine_s              Third party engine
scrub_cp_file_convertd    Used to convert various file formats to simple textual format
scrubd                    Main Threat Extraction daemon
scrub                     Main CLI process for Threat Extraction
sctp                      Stream Control Transmission Protocol (SCTP)
scv                       SecureClient Verification
searchd                   Search indexing daemon
sec_rb                    secondary NRB rulebase operations
SFT                       Stream File Type
sfwd                      SMB fwd
SGEN                      Struct Generator
shmem                     shared memory allocation
sigload                   signatures loader, patterns, ranges
skinny                    Skinny Client Control Protocol - Cisco proprietary VoIP protocol
smartlog_server           SmartLog product service
SmartView                 SmartEvent Web Application
sms                       Manages communication with UTM-1 Edge Security Gateways
sm                        String Matcher - Pattern Matcher 1st tier (fast path)
sna                       SnA objects ("Services and Applications")
snmpd                     SNMP (Linux) daemon
SOLR                      CPM databases communication
span                      mirror port (duplicates the network traffic)
spii                      Stateful Protocol Inspection Infrastructure and INSPECT Streaming Infrastructure
sshd                      SSH daemon
ssl_insp                  HTTPS SSL Inspection
sslt                      SSL TLS library
status_proxy              Status collection of ROBO Gateways - SmartLSM / SmartProvisioning status proxy
subs                      Subscriber module - set of APIs which enable user space processes (by using a DLL)
SVRServer                 Controller for the SmartReporter product; traffic is sent via SSL
swblade                   registration of Software Blades
sxl_statd                 Allows acquiring statistics information from Host ppak and Falcon cards
synatk                    'SYN Attack' (SYNDefender) IPS protection
sync                      synchronization operations in ClusterXL
syslogd                   Syslog (Linux) daemon
tcpinfo                   TCP processing messages
tcpstr                    TCP streaming mechanism
tcpt                      TCP Tunnel (Visitor Mode) related information (FW traversal on port 443)
ted                       Threat Emulation daemon engine
temp_conns                temporary connections
te                        Threat Emulation
tnlmon                    tunnel monitoring
topo                      information about topology and Anti-Spoofing of interfaces
ua                        Universal Alcatel "UA" Protocol
ucd                       UserCheck connections to other cluster members
UC                        UserCheck
uepm                      Endpoint Management Server
uf                        URL filters and URL cache
uid                       Cross-instance Unique IDs
upapp                     information about policy installation for Unified Policy application
upconv                    Unified Policy conversion
UPIS                      Unified Policy Infrastructure
UP                        Unified Policy
urlf_ssl                  Application Control / URL Filtering for SSL
usrchkd                   Main UserCheck daemon, which deals with UserCheck requests
usrchk                    The CLI client for the UserCheck daemon USRCHKD
usrmem                    User Space platform memory usage
utf7                      conversion of UTF-7 characters to Unicode characters
utf8                      conversion of UTF-8 characters to Unicode characters
uuid                      session UUID
vbuf                      virtual buffer
vm                        Virtual Machine chain decisions on traffic going through fw_filter_chain
VPN_cookie                virtual de-fragmentation cookie
vpnd                      VPN processes / daemon
vpn_multik                MultiCore VPN (refer to sk118097)
vpn_tagging               sets the VPN policy of a connection according to VPN communities; VPN Policy related info
VPN                       VPN
vs                        Virtual System (VSX)
wap                       Multimedia Messaging Service (Wireless Application Protocol)
wd                        WebDefense
wire                      wire-mode Virtual Machine chain module
worker                    Kernel Worker - queuing and dequeuing
wsdnsd                    DNS Resolver - activated when Security Gateway is configured as HTTP/HTTPS Proxy
WSIS                      Web Intelligence Infrastructure
WS_parser                 Web Intelligence HTTP header parser layer
WS_pfinder                Web Intelligence pattern finder
WS_regexp                 Web Intelligence regular expression library
WS_SIP                    Web Intelligence SIP Parser
wstlsd                    Handles SSL handshake for HTTPS Inspected connections
WS                        Web Intelligence
xl                        Accelerator cards interaction
xlate                     NAT - basic information
xltrc                     NAT - additional information - going through NAT rulebase
xpand                     Configuration daemon that processes and validates all user configuration requests,...
zeco                      Zero-Copy kernel module memory allocations

Identity Awareness - IDC Problems

Check where the issue resides and provide this extra info to TAC.
Type the following commands on both PDP and PEP to see where the identity is known:
# pdp m u <PROBLEMATIC USERNAME>
or alternatively:
# pdp m ip <PROBLEMATIC IP>

and on the PEP side:
# pep sh u q cid <PROBLEMATIC IP>
or alternatively:
# pep sh u q usr <PROBLEMATIC USERNAME>

In addition to the above outputs, please provide TAC:
1. cpinfo from both PDP and PEP (if these are different machines)
2. log files:
$FWDIR/log/pdpd.elg*
$FWDIR/log/pepd.elg*

R80.20 - new ClusterXL commands

cphaprob stat                     > shows more ClusterXL information
fwaccel ranges                    > shows Anti-Spoofing ranges
fw ctl multik utilize             > shows the CoreXL queue utilization for each CoreXL FW instance
fw ctl multik print_heavy_conn    > shows the table with heavy connections

New ClusterXL clish commands are available.

show cluster


Show cluster MAC Magic and MAC Forward Magic parameters.

show cluster mmagic

Show cluster failover information.

show cluster failover

Reset history:
> show cluster failover reset history

Show cluster states of all members.

show cluster stats

Show the roles of the RouteD daemon.

show cluster roles

Show cluster statistics transport

show cluster statistics transport

Show cluster statistics sync

show cluster statistics sync

Show all cluster interfaces (cphaprob -a if)

> show cluster members interfaces all

Show pnotes (cphaprob -l list)

> show cluster members pnotes all

Check Point Certified Security Master


Main Topics
https://www.ankenbrand24.de/index.php/articles/articles-check-point/
https://community.checkpoint.com/t5/General-Topics/R80-x-Architecture-and-Performance-Tuning-Link-Collection/m-p/47883#M9336

1. Advanced Database Management
2. Kernel Mode and User Mode Troubleshooting
3. SmartConsole and Policy Management
4. Advanced Network Address Translation
5. VPN Troubleshooting
6. Troubleshooting Access Control Policies
7. Troubleshooting Threat Prevention Policies
8. Troubleshooting IPS
9. Optimization and Tuning
10. Advanced Clustering
11. Acceleration Debugging
12. IPv6
Appendix A - Questions and Answers
Appendix B - Critical Devices, Failovers and Solutions

Subject
ClusterXL
CoreXL
SecureXL
IPS ATGR

80 questions
80% of the questions are from the training

SecureXL accelerates packets from interface to interface for known traffic, thus saving CPU usage. CoreXL adds the ability to run multiple inspection cores concurrently.



Check Point Processes and Daemons sk97638
How to modify URL Filtering cache size sk90422
Debug Policy Verification sk33438
IPS sk60395

1. Advanced Database Management

PostgreSQL
 - 2 different segments
 - CPM and Monitoring

CPM
- Central database
- Contains all objects in database

Monitoring Segment
 - contains views (status written from queries)

The PostgreSQL interactive shell is psql_client.

When typing a command, cpm is the name of the database and postgres is the connection username.

To view the postgres database:
1. psql_client cpm postgres
2. at the prompt enter:  \d   [a list of relations (database objects) is displayed]
3. to close the psql session type \q


To view the monitoring database segment:
1. psql_client monitoring postgres


Postgres Tables

Tables are the primary storage objects for data in a PostgreSQL database.
Tables consist of rows and columns which hold the data.
Each table in the relation listing is described by the following columns or fields:
- Schema (collection of database objects (tables) associated with a particular database name)
- Name (the name assigned to the database object)
- Type (the type of database object used to store or reference the data)
- Owner (schema owner, or owner of the related group of objects)
Objects in the database are represented in 2 different tables:
dleobjectderef_data
CpNetworkObject_data
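The relation listing that \d prints shows most object types twice: a <name>_data table that stores the rows and a view of the same base name that exposes them. As an added example (my own code, not from these notes and not Check Point's), the following Python parses that psql listing and reports which views have a backing _data table and which tables stand alone. The sample rows are copied from the \d output shown further down in these notes; the regular expression and the helper names (parse_relations, pair_views_with_data_tables, standalone_tables) are my own.

```python
"""Parse the relation listing printed by `\\d` in psql_client and pair each
object view with its backing `_data` table.

Added example; not part of the original notes and not Check Point's code.
"""
import re
from collections import namedtuple

Relation = namedtuple("Relation", "schema name type owner")

# Constructed sample: an excerpt of the `\d` listing from the cpm database
# (rows copied from the listing shown in these notes).
SAMPLE_LISTING = """\
                                       List of relations
 Schema |                              Name                              |   Type   |  Owner
--------+----------------------------------------------------------------+----------+----------
 public | abstractauditlogbase                                           | table    | postgres
 public | accessctrlrule                                                 | view     | postgres
 public | accessctrlrule_data                                            | table    | postgres
 public | wildcardobject                                                 | view     | postgres
 public | wildcardobject_data                                            | table    | postgres
 public | worksession                                                    | table    | postgres
(6 rows)
"""

# One data row: four pipe-separated cells; the separator and "(N rows)"
# lines do not match because they contain no word characters / no pipes.
ROW_RE = re.compile(r"^\s*(\w+)\s*\|\s*(\S+)\s*\|\s*(\w+)\s*\|\s*(\w+)\s*$")


def parse_relations(listing):
    """Return a list of Relation tuples from psql's `\\d` output."""
    rows = []
    for line in listing.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        schema, name, rtype, owner = m.groups()
        if schema.lower() == "schema":  # the column-header row also matches
            continue
        rows.append(Relation(schema, name, rtype, owner))
    return rows


def pair_views_with_data_tables(relations):
    """Map each view to its `<view>_data` table (None if no such table exists).

    cpm stores every object type twice: a `_data` table holds the rows and a
    view of the same base name exposes them, which is why the listing shows
    them in adjacent pairs.
    """
    tables = {r.name for r in relations if r.type == "table"}
    pairs = {}
    for r in relations:
        if r.type == "view":
            data_name = r.name + "_data"
            pairs[r.name] = data_name if data_name in tables else None
    return pairs


def standalone_tables(relations):
    """Tables that are not the backing store of a view (audit/session tables)."""
    views = {r.name for r in relations if r.type == "view"}
    return sorted(
        r.name for r in relations
        if r.type == "table"
        and not (r.name.endswith("_data") and r.name[:-5] in views)
    )


if __name__ == "__main__":
    rels = parse_relations(SAMPLE_LISTING)
    print(f"{len(rels)} relations parsed")
    for view, data in pair_views_with_data_tables(rels).items():
        print(f"{view:30} -> {data}")
    print("standalone tables:", standalone_tables(rels))
```

To run it against a real listing, capture the output of \d to a file (for example with \o inside psql) and pass the file contents to parse_relations instead of SAMPLE_LISTING; the "(964 rows)" footer and the --More-- pager line are skipped by the same rule as the sample's footer.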


Database Queries
Syntax
select <column name1, column name2 ...> from <tablename> where <condition>;

select name from dleobjectderef_data where name = 'Your-FW';


Database Domains
The management database configuration stored in PostgreSQL is partitioned into several relational database domains:

1. Global Domain
   - exists in the Security Management deployment
   - It is
2. User Domain
   - Stores user-modified configuration such as network objects and security policies
   - In a Multi-Domain environment, each domain contains a separate user domain type
3. System Domain
  - contains administrator data,
  - Folders
  - Domains
  - Trusted GUI Clients, permission profiles
  - Management settings
4. Log Domain
  - contains configuration data of log servers and saved queries for the application

Data Domains
- Default data
- Threat Prevention data domains
- Application Control


[Expert@mytestMGMT:0]# fw ver
This is Check Point's software version R80.30 - Build 078
[Expert@mytestMGMT1:0]# psql_client cpm postgres
psql.bin (9.2.4)
Type "help" for help.

cpm=#
cpm=# \d
                                       List of relations
 Schema |                              Name                              |   Type   |  Owner 
--------+----------------------------------------------------------------+----------+----------
 public | abstractauditlogbase                                           | table    | postgres
 public | accessctrlaccessrole                                           | view     | postgres
 public | accessctrlaccessrole_data                                      | table    | postgres
 public | accessctrlaccessrole_machines                                  | view     | postgres
 public | accessctrlaccessrole_machines_data                             | table    | postgres
 public | accessctrlaccessrole_networks                                  | view     | postgres
 public | accessctrlaccessrole_networks_data                             | table    | postgres
 public | accessctrlaccessrole_users                                     | view     | postgres
 public | accessctrlaccessrole_users_data                                | table    | postgres
 public | accessctrlautoupdateappsettings                                | view     | postgres
 public | accessctrlautoupdateappsettings_data                           | table    | postgres
 public | accessctrlrule                                                 | view     | postgres
 public | accessctrlrule_data                                            | table    | postgres
 public | accessctrlrulebase                                             | view     | postgres
 public | accessctrlrulebase_data                                        | table    | postgres
 public | accessctrlsection                                              | view     | postgres
 public | accessctrlsection_data                                         | table    | postgres
 public | accessctrlsharedsection                                        | view     | postgres
 public | accessctrlsharedsection_data                                   | table    | postgres
 public | accessinlinerulebaseentity                                     | view     | postgres
 public | accessinlinerulebaseentity_data                                | table    | postgres
 public | accesspolicy                                                   | view     | postgres
 public | accesspolicy_data                                              | table    | postgres
 public | accesspolicycontainer                                          | view     | postgres
 public | accesspolicycontainer_data                                     | table    | postgres
 public | accesspolicycontainermirror                                    | view     | postgres
 public | accesspolicycontainermirror_data                               | table    | postgres
 public | accesspolicymirror                                             | view     | postgres
 public | accesspolicymirror_data                                        | table    | postgres
 public | activedirectorysettings                                        | view     | postgres
 public | activedirectorysettings_data                                   | table    | postgres
 public | addindicatornotificationdetails                                | view     | postgres
 public | addindicatornotificationdetails_data                           | table    | postgres
 public | addressrange                                                   | view     | postgres
 public | addressrange_data                                              | table    | postgres
 public | adminsettings                                                  | view     | postgres
 public | adminsettings_data                                             | table    | postgres
 public | aduifetchprofile                                               | view     | postgres
 public | aduifetchprofile_data                                          | table    | postgres
 public | allowedclients                                                 | view     | postgres
 public | allowedclients_data                                            | table    | postgres
--More--
 public | vpnglobal_data                                                 | table    | postgres
 public | vseclicense                                                    | view     | postgres
 public | vseclicense_data                                               | table    | postgres
 public | wildcardobject                                                 | view     | postgres
 public | wildcardobject_data                                            | table    | postgres
 public | worksession                                                    | table    | postgres
 public | worksessionaudit                                               | table    | postgres
(964 rows)

cpm=# 


cpm-# \d vpncommunity
                      View "public.vpncommunity"
           Column            |            Type             | Modifiers
-----------------------------+-----------------------------+-----------
 objid                       | uuid                        |
 checkpointobjid             | uuid                        |
 color                       | character varying(255)      |
 comments                    | text                        |
 customfields                | text                        |
 displayname                 | character varying(255)      |
 dlesession                  | smallint                    |
 domainid                    | uuid                        |
 featurespreset              | uuid                        |
 folder                      | uuid                        |
 icon                        | character varying(255)      |
 name                        | text                        |
 permissionprimitivepresetid | uuid                        |
 readprimitiveid             | uuid                        |
 tags                        | text                        |
 creationtime                | timestamp without time zone |
 creator                     | character varying(255)      |
 deletable                   | boolean                     |
 lastmodifier                | character varying(255)      |
 lastmodifytime              | timestamp without time zone |
 newobject                   | boolean                     |
 renameable                  | boolean                     |
 validationstate             | integer                     |
 opid                        | bigint                      |
 editingsession              | smallint                    |
 deleted                     | boolean                     |

cpm-#


cpm=# select name, objid from domainbase_data;
       name       |                objid               
------------------+--------------------------------------
 Check Point Data | a0bbbc99-adef-4ef8-bb6d-defdefdefdef
 System Data      | a0eebc99-afed-4ef8-bb6d-fedfedfedfed
 IPS Data         | a0bbbc99-adef-4ef8-bb6d-cebcebcebceb
 APPI Data        | 8bf4ac51-2df7-40e1-9bce-bedbedbedbed
 LOG Data         | 31ab94da-4ab1-5da9-a03d-ddddddaaaaaa
 Global           | 1e294ce0-367a-11e3-aa6e-0800200c9a66
 SMC User         | 41e821a0-3720-11e3-aa6e-0800200c9fde
(7 rows)

cpm=#

cpm=# \d dleobjectderef_data
                                     Table "public.dleobjectderef_data"
           Column            |          Type          |                      Modifiers                   
-----------------------------+------------------------+-----------------------------------------------------
 objid                       | uuid                   | not null
 blobonlyinfo                | text                   |
 checkpointobjid             | uuid                   |
 cpmitable                   | character varying(255) |
 cpmitype                    | character varying(255) |
 deletewhenorphan            | boolean                |
 dlesession                  | smallint               | default mysessionid()
 domainid                    | uuid                   |
 excludefromsync             | boolean                | default false
 featurespreset              | uuid                   |
 folder                      | uuid                   |
 fwset                       | text                   |
 ipaddresses                 | text                   |
 name                        | text                   |
 nameuniquenessscope         | character varying(255) |
 objclass                    | character varying(255) |
 objectoverview              | text                   |
 permissionprimitivepresetid | uuid                   |
 readprimitiveid             | uuid                   |
 tabletype                   | integer                |
 validname                   | boolean                |
 opid                        | bigint                 | not null default nextval('opid_sequence'::regclass)
 fromversion                 | integer                |
 toversion                   | integer                |
 editingsession              | smallint               | default (-1)
 deleted                     | boolean                | default false
 domainspreset               | uuid                   |
Indexes:
    "dleobjectderef_data_pkey" PRIMARY KEY, btree (opid)
    "dleobjectderef_data_chkid_dom_idx" btree (checkpointobjid, domainid) WHERE checkpointobjid IS NOT NULL
    "dleobjectderef_data_cpmitable_index" btree (cpmitable)
    "dleobjectderef_data_cpmitype_index" btree (cpmitype)
    "dleobjectderef_data_dlesession_excludefromsync_objclass_index" btree (objclass, dlesession, excludefromsync) WHERE objclass IS NOT NULL
    "dleobjectderef_data_dlesession_index" btree (dlesession)
    "dleobjectderef_data_domainspreset_idx" btree (domainspreset) WHERE domainspreset IS NULL
    "dleobjectderef_data_folder_index" btree (folder)
    "dleobjectderef_data_name_index" btree (name) WHERE name IS NOT NULL
    "dleobjectderef_data_name_lower_index" btree (lower(name))
    "dleobjectderef_data_objid_index" btree (objid)
    "dleobjectderef_data_table_and_name_idx" btree (cpmitable, name) WHERE cpmitable IS NOT NULL AND name IS NOT NULL
    "dleobjectderef_data_validname_index" btree (validname) WHERE validname = false
    "dleobjectderef_editing_session_index" btree (editingsession) WHERE editingsession <> (-1)
Check constraints:
    "rev_constraint" CHECK (dlesession > 0 AND fromversion IS NULL AND toversion IS NULL OR (dlesession = 0 OR dlesession = (-1)) AND fromversion IS NOT NULL AND toversion IS NOT NULL)
Triggers:
    object_create BEFORE INSERT ON dleobjectderef_data FOR EACH ROW EXECUTE PROCEDURE create_object_dleobjectderef_data()
    object_update BEFORE DELETE OR UPDATE ON dleobjectderef_data FOR EACH ROW EXECUTE PROCEDURE update_object_dleobjectderef_data()

cpm=#

cpm=# select name, objid, domainid from dleobjectderef_data  where domainid ='a0bbbc99-adef-4ef8-bb6d-defdefdefdef' and name like '%tcp%'; 
                    name                     |                objid                 |               domainid             
---------------------------------------------+--------------------------------------+--------------------------------------
 unknown_tcp_protocol                        | b789287b-396d-47e2-b710-c6f1f6b4a35a | a0bbbc99-adef-4ef8-bb6d-defdefdefdef
 unknown_protocol_tcp                        | 8e3e95ae-42f0-405f-9a15-658656e4b77e | a0bbbc99-adef-4ef8-bb6d-defdefdefdef
 IKE_tcp                                     | 97aeb3af-9aea-11d5-bd16-0090272ccb30 | a0bbbc99-adef-4ef8-bb6d-defdefdefdef
 snmp-tcp                                    | 7af4639a-f103-47fe-96f7-b652f7b34ad9 | a0bbbc99-adef-4ef8-bb6d-defdefdefdef
 nfsd-tcp                                    | 97aeb3b9-9aea-11d5-bd16-0090272ccb30 | a0bbbc99-adef-4ef8-bb6d-defdefdefdef
 tcp-high-ports                              | 97aeb3dd-9aea-11d5-bd16-0090272ccb30 | a0bbbc99-adef-4ef8-bb6d-defdefdefdef
 cp_tcp_A936BBAC_EBC3_4F18_B3CC_A63365F07477 | a936bbac-ebc3-4f18-b3cc-a63365f07477 | a0bbbc99-adef-4ef8-bb6d-defdefdefdef
 echo-tcp                                    | 97aeb3f7-9aea-11d5-bd16-0090272ccb30 | a0bbbc99-adef-4ef8-bb6d-defdefdefdef
 domain-tcp                                  | 97aeb3f9-9aea-11d5-bd16-0090272ccb30 | a0bbbc99-adef-4ef8-bb6d-defdefdefdef
 discard-tcp                                 | 97aeb3fd-9aea-11d5-bd16-0090272ccb30 | a0bbbc99-adef-4ef8-bb6d-defdefdefdef
 time-tcp                                    | 97aeb3ff-9aea-11d5-bd16-0090272ccb30 | a0bbbc99-adef-4ef8-bb6d-defdefdefdef
 daytime-tcp                                 | 97aeb401-9aea-11d5-bd16-0090272ccb30 | a0bbbc99-adef-4ef8-bb6d-defdefdefdef
 ntp-tcp                                     | 97aeb403-9aea-11d5-bd16-0090272ccb30 | a0bbbc99-adef-4ef8-bb6d-defdefdefdef
 pptp-tcp                                    | 97aeb425-9aea-11d5-bd16-0090272ccb30 | a0bbbc99-adef-4ef8-bb6d-defdefdefdef
 sip-tcp                                     | b11890a6-2700-495a-8c99-914d31714f3a | a0bbbc99-adef-4ef8-bb6d-defdefdefdef
 sip_any-tcp                                 | 5aa6d21c-0cc8-4478-b3a3-2206c2da6d66 | a0bbbc99-adef-4ef8-bb6d-defdefdefdef
(16 rows)

cpm=#

cpm=# select objid, objclass, domainid, dlesession from dleobjectderef_data  where name='MGMT';   
 objid | objclass | domainid | dlesession
-------+----------+----------+------------
(0 rows)

cpm=#

cpm=# select objid, objclass, domainid, dlesession from dleobjectderef_data  where name='IKE_tcp';     
                objid                 |                      objclass                       |               domainid               | dlesession
--------------------------------------+-----------------------------------------------------+--------------------------------------+------------
 97aeb3af-9aea-11d5-bd16-0090272ccb30 | com.checkpoint.objects.classes.dummy.CpmiTcpService | a0bbbc99-adef-4ef8-bb6d-defdefdefdef |          0
(1 row)

cpm=#


cpm=# select objid, objclass, domainid, dlesession from dleobjectderef_data  where name='Mgmt';
                objid                 |                              objclass                              |               domainid               | dlesession
--------------------------------------+--------------------------------------------------------------------+--------------------------------------+------------
 40c772e6-2201-433e-9239-61473f065793 | com.checkpoint.management.cdm.objects.network.GatewayNetwork       | 41e821a0-3720-11e3-aa6e-0800200c9fde |          0
 40c772e6-2201-433e-9239-61473f065793 | com.checkpoint.management.cdm.objects.network.GatewayNetwork       | 41e821a0-3720-11e3-aa6e-0800200c9fde |         -1
 f6a96fdd-55da-4987-9642-a45647cc00fb | com.checkpoint.management.cdm.objects.interfaces.EthernetInterface | 41e821a0-3720-11e3-aa6e-0800200c9fde |          0
 f6a96fdd-55da-4987-9642-a45647cc00fb | com.checkpoint.management.cdm.objects.interfaces.EthernetInterface | 41e821a0-3720-11e3-aa6e-0800200c9fde |         -1
 40c772e6-2201-433e-9239-61473f065793 | com.checkpoint.management.cdm.objects.network.GatewayNetwork       | 41e821a0-3720-11e3-aa6e-0800200c9fde |         -1
 53be0b02-e0cf-433d-9f52-4127c09ba1d4 | com.checkpoint.management.cdm.objects.interfaces.EthernetInterface | 41e821a0-3720-11e3-aa6e-0800200c9fde |          0
 a5429dfa-8b0c-4a60-a6be-f05d13d21e1c | com.checkpoint.management.cdm.objects.interfaces.EthernetInterface | 41e821a0-3720-11e3-aa6e-0800200c9fde |          0
 60ad6c84-460d-401b-a156-d5c22c8ffeb0 | com.checkpoint.management.cdm.objects.network.GatewayNetwork       | 41e821a0-3720-11e3-aa6e-0800200c9fde |          0
 156afc18-54c0-4738-98c7-e1b973d13d21 | com.checkpoint.management.cdm.objects.interfaces.EthernetInterface | 41e821a0-3720-11e3-aa6e-0800200c9fde |          0
 156afc18-54c0-4738-98c7-e1b973d13d21 | com.checkpoint.management.cdm.objects.interfaces.EthernetInterface | 41e821a0-3720-11e3-aa6e-0800200c9fde |         -1
 36c61429-2cbd-4d42-a7a4-0d59f6c03cfe | com.checkpoint.management.cdm.objects.interfaces.EthernetInterface | 41e821a0-3720-11e3-aa6e-0800200c9fde |          0
 36c61429-2cbd-4d42-a7a4-0d59f6c03cfe | com.checkpoint.management.cdm.objects.interfaces.EthernetInterface | 41e821a0-3720-11e3-aa6e-0800200c9fde |         -1
 60ad6c84-460d-401b-a156-d5c22c8ffeb0 | com.checkpoint.management.cdm.objects.network.GatewayNetwork       | 41e821a0-3720-11e3-aa6e-0800200c9fde |         -1
 f90f5aad-0ebd-4f0d-b71e-242253e8e434 | com.checkpoint.management.cdm.objects.interfaces.EthernetInterface | 41e821a0-3720-11e3-aa6e-0800200c9fde |          0
 f90f5aad-0ebd-4f0d-b71e-242253e8e434 | com.checkpoint.management.cdm.objects.interfaces.EthernetInterface | 41e821a0-3720-11e3-aa6e-0800200c9fde |         -1
 60ad6c84-460d-401b-a156-d5c22c8ffeb0 | com.checkpoint.management.cdm.objects.network.GatewayNetwork       | 41e821a0-3720-11e3-aa6e-0800200c9fde |         -1
 156afc18-54c0-4738-98c7-e1b973d13d21 | com.checkpoint.management.cdm.objects.interfaces.EthernetInterface | 41e821a0-3720-11e3-aa6e-0800200c9fde |         -1
 44747ccb-6f2e-48b6-82ef-400a7df57929 | com.checkpoint.management.cdm.objects.network.GatewayNetwork       | 41e821a0-3720-11e3-aa6e-0800200c9fde |          0
 2a841864-d42e-4620-9995-e41021096a4f | com.checkpoint.management.cdm.objects.interfaces.EthernetInterface | 41e821a0-3720-11e3-aa6e-0800200c9fde |          0
 f03029f5-f23c-46ae-8cfe-6c5cf1d230ff | com.checkpoint.management.cdm.objects.interfaces.EthernetInterface | 41e821a0-3720-11e3-aa6e-0800200c9fde |          0
 24504319-8b51-45a0-8d56-27ce39ccaa65 | com.checkpoint.management.cdm.objects.network.GatewayNetwork       | 41e821a0-3720-11e3-aa6e-0800200c9fde |          0
 308c0e17-a074-40b3-a62d-f3d034b77e52 | com.checkpoint.management.cdm.objects.interfaces.EthernetInterface | 41e821a0-3720-11e3-aa6e-0800200c9fde |          0
 d722337f-ee8c-47ab-b36c-e582d3bea88e | com.checkpoint.management.cdm.objects.interfaces.EthernetInterface | 41e821a0-3720-11e3-aa6e-0800200c9fde |          0
 b16a8c5d-596c-4d6a-b9dc-2e0e6f6ce9b6 | com.checkpoint.management.cdm.objects.interfaces.EthernetInterface | 41e821a0-3720-11e3-aa6e-0800200c9fde |          0
 1e08d97c-dd2e-4eb9-b60f-8e39f9bdd49b | com.checkpoint.management.cdm.objects.interfaces.EthernetInterface | 41e821a0-3720-11e3-aa6e-0800200c9fde |          0
 a59524fb-8237-49db-805b-91ab353f5d03 | com.checkpoint.management.cdm.objects.network.GatewayNetwork       | 41e821a0-3720-11e3-aa6e-0800200c9fde |          0
(26 rows)
cpm=#

                 
cpm-# \q
[Expert@mytestMGMT:0]#
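The queries above return one row per stored revision, which is why the same objid for "Mgmt" shows up several times with dlesession 0 and -1. The read-only query below is an added example, not part of the original session: it joins the object index to domainbase_data so the domain is printed by name instead of UUID, and collapses the revision rows to one line per object. The column semantics it relies on are inferred from the \d output and are an assumption: rows with dlesession 0 or -1 carry fromversion/toversion (revisions, per rev_constraint), while rows with dlesession > 0 belong to a private editing session (default mysessionid()). Run it from psql_client cpm postgres and keep it read-only; changes to the cpm database belong in SmartConsole or mgmt_cli, not in psql.

```sql
-- Added example (not from the original session). Assumption: dlesession 0/-1 rows are
-- versioned copies (fromversion/toversion NOT NULL per rev_constraint); dlesession > 0 rows
-- are private-session drafts (default mysessionid()).
SELECT o.objid,
       o.objclass,
       d.name                     AS domain,
       count(*)                   AS revision_rows,
       min(o.fromversion)         AS first_version,
       max(o.toversion)           AS last_version,
       bool_or(o.dlesession > 0)  AS has_private_session_copy,
       bool_or(o.deleted)         AS has_deleted_row
FROM   dleobjectderef_data o
JOIN   domainbase_data     d ON d.objid = o.domainid
WHERE  o.name = 'Mgmt'
GROUP  BY o.objid, o.objclass, d.name
ORDER  BY o.objclass, o.objid;

-- Same join applied to the '%tcp%' search above: filter by domain name instead of
-- hard-coding the domain UUID, and skip rows flagged as deleted.
SELECT o.name, o.objid, o.objclass
FROM   dleobjectderef_data o
JOIN   domainbase_data     d ON d.objid = o.domainid
WHERE  d.name   = 'Check Point Data'
  AND  o.name   ILIKE '%tcp%'
  AND  o.deleted = false
ORDER  BY o.name;
```

Both statements only read; they use no table or column that is not visible in the \d and select output above. The ILIKE makes the second search case-insensitive, which matches the lower(name) index the table already carries.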


To view the monitoring database:
------------------
1. psql_client monitoring postgres

[Expert@myfwMGMT:0]# psql_client monitoring postgres
psql.bin (9.2.4)
Type "help" for help.

monitoring=# help
You are using psql, the command-line interface to PostgreSQL.
Type:  \copyright for distribution terms
       \h for help with SQL commands
       \? for help with psql commands
       \q to quit
monitoring=#


Solr

  1. Solr is a search engine and indexer written in Java.
  2. Real-time indexing and full-text search capability.
  3. Contains a full clone of all PostgreSQL data.
  4. It generates indexes of the data for quick and easy search queries.
  5. Object information from both the management database and log servers is stored in Solr.
  6. The management server runs an instance of Solr via CPM. An additional instance runs for indexing on the log server.



[Expert@myfwMGMT]# ps -efww | grep SOLR
admin     2286 24466  0 12:35 pts/2    00:00:00 grep --color=auto SOLR
admin    13557  7861  0 Dec09 ?        00:34:30 /opt/CPshrd-R80.30/jre_64/bin/java -D_CPM_SOLR=TRUE -Xmx512m -Xms64m -Xgcpolicy:optavgpause -Djava.io.tmpdir=/opt/CPsuite-R80.30/fw1/tmp -Xaggressive -Xshareclasses:none -Xdump:heap:events=gpf+user -Xdump:directory=/var/log/dump/usermode -Xdump:tool:none -Xdump:tool:events=gpf+abort+traceassert+corruptcache,priority=1,range=1..0,exec=javaCompress.sh CPM_SOLR %pid -Xdump:tool:events=systhrow,filter=java/lang/OutOfMemoryError,priority=1,range=1..0,exec=javaCompress.sh CPM_SOLR %pid -Xdump:tool:events=throw,filter=java/lang/OutOfMemoryError,priority=1,exec=kill -9 %pid -Dsolr.solr.home=/opt/CPsuite-R80.30/fw1/Solr/solr/ -DNGM.SOLR.LOG.DIR=/opt/CPsuite-R80.30/fw1/log -Djava.util.logging.config.file=/opt/CPsuite-R80.30/fw1/Solr/etc/logging.properties -DSTART=/opt/CPsuite-R80.30/fw1/Solr/start.config -Djetty.home=/opt/CPsuite-R80.30/fw1/Solr/ -DSTOP.KEY=checkpointkey -DSTOP.PORT=8982 -Dpath=/opt/CPsuite-R80.30/fw1/cpm-server/java_is.jar:/opt/CPsuite-R80.30/fw1/cpm-server/java_sic.jar:/opt/CPshrd-R80.30/jars/jetty_assist.jar -jar /opt/CPsuite-R80.30/fw1/Solr/start.jar
[Expert@myfwMGMT]# 

Note that the full JVM command line, including the Jetty -DSTOP.KEY and -DSTOP.PORT values, is readable by any local user through ps; Expert-mode access on a management server should be restricted accordingly.

Core Partitions
Solr has 7 cores; each is considered a data unit.

  1. CPM_0_Active - Contains SMC User domain and System domain information, from both public data and private sessions
  2. CPM_0_Revision - Contains revision and public data
  3. CPM_Global_A - Contains Check Point Data, LOG, APPI, IPS and Global domain information, for both public data and private sessions
  4. CPM_Global_R - Contains Global revision and public data
  5. CPM_0_Log - Contains log data (Solr has 2 of these cores)
  6. CPM_Global_M - Contains statuses for SmartView

New revisions are transferred from the active cores to the revision cores once a day at midnight.


[Expert@myfwmgmt:0]# cpwd_admin list
APP        PID    STAT  #START  START_TIME             MON  COMMAND             
CPVIEWD    7408   E     1       [12:50:56] 9/12/2019   N    cpviewd             
CPVIEWS    7411   E     1       [12:50:56] 9/12/2019   N    cpview_services     
CPD        7424   E     1       [12:50:56] 9/12/2019   Y    cpd                 
FWD        7533   E     1       [12:51:01] 9/12/2019   N    fwd -n              
FWM        7536   E     1       [12:51:01] 9/12/2019   N    fwm                 
STPR       7544   E     1       [12:51:01] 9/12/2019   N    status_proxy        
CLOUDGUARD 7569   E     1       [12:51:02] 9/12/2019   N    vsec_controller_start
SOLR       7761   E     1       [12:51:05] 9/12/2019   N    java_solr /opt/CPrt-R80.30/conf/jetty.xml
RFL        7801   E     1       [12:51:05] 9/12/2019   N    LogCore             
SMARTVIEW  7837   E     1       [12:51:06] 9/12/2019   N    SmartView           
CPM        7861   E     1       [12:51:06] 9/12/2019   N    /opt/CPsuite-R80.30/fw1/scripts/cpm.sh -s
INDEXER    7938   E     1       [12:51:07] 9/12/2019   N    /opt/CPrt-R80.30/log_indexer/log_indexer
SMARTLOG_SERVER 8009   E     1       [12:51:08] 9/12/2019   N    /opt/CPSmartLog-R80.30/smartlog_server
DASERVICE  25955  E     1       [06:54:42] 10/12/2019  N    DAService_script    
LPD        29083  E     1       [12:53:30] 9/12/2019   N    lpd                 
CPSM       29472  E     1       [12:53:45] 9/12/2019   N    cpstat_monitor      
AUTOUPDATER 29477  E     1       [12:53:46] 9/12/2019   N    AutoUpdaterService.sh
[Expert@myfwmgmt:0]#


cpm=# select name, color, ipaddress4 from CpNetworkObject_data where name='MY-FW102';



cpm=# \d CpNetworkObject_data
                                            Table "public.cpnetworkobject_data"
                Column                 |            Type             |                      Modifiers
---------------------------------------+-----------------------------+-----------------------------------------------------
 objid                                 | uuid                        | not null
 active                                | boolean                     | 
 checkpointobjid                       | uuid                        | 
 color                                 | character varying(255)      | 
 comments                              | text                        | 
 cpversion                             | uuid                        | 
 customfields                          | text                        | 
 displayname                           | character varying(255)      | 
 dlesession                            | smallint                    | default mysessionid()
 domainid                              | uuid                        | 
 featurespreset                        | uuid                        | 
 folder                                | uuid                        | 
 hardware                              | uuid                        | 
 icon                                  | character varying(255)      | 
 ipaddress4                            | character varying(255)      | 
 ipaddress6                            | character varying(255)      | 
 legacyobject                          | uuid                        | 
 mds                                   | boolean                     | 
 name                                  | character varying(255)      | 
 objecttype                            | uuid                        | 
 os                                    | uuid                        | 
 permissionprimitivepresetid           | uuid                        | 
 platform                              | uuid                        | 
 readprimitiveid                       | uuid                        | 
 sicname                               | character varying(255)      | 
 tags                                  | text                        | 
 truststate                            | integer                     | 
 acceptsyslogmessages                  | boolean                     | 
 acctupdateinterval                    | integer                     | 
 alertonlowspace                       | boolean                     | 
 alertthreshold                        | integer                     | 
 alertunits                            | integer                     | 
 citrixicaapplicationdetection         | boolean                     | 
 cleanuponlowspace                     | boolean                     | 
 cleanupthreshold                      | integer                     | 
 cleanupunits                          | integer                     | 
 daily_maintenance_at_least_script     | character varying(255)      | 
 daily_maintenance_script              | character varying(255)      | 
 dlpblobdeleteabovevaluepercentage     | integer                     | 
 dlpblobdeleteonabove                  | boolean                     | 
 dlpblobdeleteonrunscript              | boolean                     | 
 dlpblobfetchbulksize                  | integer                     | 
 dlpblobfetchinterval                  | integer                     | 
 dlpblobretryinterval                  | integer                     | 
 emergency_script                      | character varying(255)      | 
 etmlogging                            | boolean                     | 
 forwardevent                          | boolean                     | 
 forwardlogwithoutdelete               | boolean                     | 
 forwardlogs                           | boolean                     | 
 logforwardschedule                    | uuid                        | 
 logforwardtarget                      | uuid                        | 
 logkeepdaysvalue                      | integer                     | 
 logmaintenanceprofile                 | uuid                        | 
 logswitchbeforeforwarding             | boolean                     | 
 maintenance_type                      | character varying(255)      | 
 newlogfileonschedule                  | uuid                        | 
 newlogfileonsizeabove                 | boolean                     | 
 newlogfilethreshold                   | integer                     | 
 packetscapturereserveddiskmetrics     | integer                     | 
 packetscapturereserveddisksizemb      | integer                     | 
 packetscapturereserveddisksizepercent | integer                     | 
 rejectconnections                     | boolean                     | 
 scripttexttorunbeforecleanup          | character varying(255)      | 
 stoploggingonlowspace                 | boolean                     | 
 stoploggingthreshold                  | integer                     | 
 stoploggingunits                      | integer                     | 
 servertype                            | integer                     | 
 first                                 | character varying(255)      | 
 last                                  | character varying(255)      | 
 creationtime                          | timestamp without time zone | 
 creator                               | character varying(255)      | 
 deletable                             | boolean                     | 
 lastmodifier                          | character varying(255)      | 
 lastmodifytime                        | timestamp without time zone | 
 newobject                             | boolean                     | 
 renameable                            | boolean                     | 
 validationstate                       | integer                     | 
 opid                                  | bigint                      | not null default nextval('opid_sequence'::regclass)
 fromversion                           | integer                     | 
 toversion                             | integer                     | 
 editingsession                        | smallint                    | default (-1)
 deleted                               | boolean                     | default false
Indexes:
    "cpnetworkobject_data_pkey" PRIMARY KEY, btree (opid)
    "cpnetworkobject_data_objid_index" btree (objid)
    "cpnetworkobject_editing_session_index" btree (editingsession) WHERE editingsession <> (-1)
Check constraints:
    "rev_constraint" CHECK (dlesession > 0 AND fromversion IS NULL AND toversion IS NULL OR (dlesession = 0 OR dlesession = (-1)) AND fromversion IS NOT NULL AND toversion IS NOT NULL)
Triggers:
    object_create BEFORE INSERT ON cpnetworkobject_data FOR EACH ROW EXECUTE PROCEDURE create_object_cpnetworkobject_data()
    object_update BEFORE DELETE OR UPDATE ON cpnetworkobject_data FOR EACH ROW EXECUTE PROCEDURE update_object_cpnetworkobject_data()

cpm=# 
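cpnetworkobject_data holds the gateway and server objects together with their SIC name, trust state, creator and last modifier, which is the data an incident responder wants when asking who changed which gateway object and when. The query below is an added example, not part of the original page: it lists one row per object with its most recent stored copy and filters to changes in the last 30 days. Two assumptions are labelled in the comments: editingsession = -1 (the column default) is taken to mean the row is not a private-session draft, and opid, which is assigned from opid_sequence, is taken as monotonically increasing so the highest opid per objid is the latest row. truststate is printed as stored; its integer encoding is not decoded here.

```sql
-- Added example (not from the original page): recent changes to gateway/server objects.
-- Assumptions: editingsession = -1 excludes private-session drafts (column default is -1);
-- opid comes from opid_sequence, so the highest opid per objid is the most recent row.
SELECT latest.*
FROM (
  SELECT DISTINCT ON (n.objid)
         n.objid,
         n.name,
         n.ipaddress4,
         n.sicname,
         n.truststate,            -- SIC trust state as stored (integer, not decoded here)
         n.creator,
         n.creationtime,
         n.lastmodifier,
         n.lastmodifytime,
         d.name AS domain
  FROM   cpnetworkobject_data n
  LEFT JOIN domainbase_data d ON d.objid = n.domainid
  WHERE  n.deleted = false
    AND  n.editingsession = -1
  ORDER  BY n.objid, n.opid DESC   -- keep the latest row per object
) AS latest
WHERE latest.lastmodifytime >= now() - interval '30 days'
ORDER BY latest.lastmodifytime DESC;
```

Because the subquery resolves to the latest row per object before the date filter is applied, an object whose latest copy is older than 30 days is dropped rather than reported from a stale revision. Objects with a NULL lastmodifytime never satisfy the comparison and are therefore not listed; drop the WHERE clause on the outer query to see every object.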



NAT
-----
Port Address Translation

5000 ports for a single IP (after that, port exhaustion)
table limit of 10K entries (the firewall flushes the table)


Automatic

Manual


Destination NAT on the client side


fwx cache