Tuesday, December 10, 2019

Checkpoint Firewall on IPSO/SPLAT/Crossbeam

ps -aef | grep fw


Common commands for Checkpoint Firewall on IPSO/SPLAT/Crossbeam



// VARIOUS HEALTH RELATED COMMANDS
swapinfo                                    ** Swap usage **
cpstat os -f cpu                            ** CPU Usage **
cpstat os -f memory                         ** Memory Usage **
clish
show useful-stats                           ** Memory Usage % **
vmstat 2                                    ** free mem and cpu **
fw tab -s -t connections                    ** Checks current/peak connections **
fw tab -t fwx_alloc -s                      ** Shows NAT (translation) table entries **
netstat -i                                  ** Check for interface errors/collisions **
ipsctl -a | grep eth-s3p1:errors            ** detailed interface errors **
ps -aux                                     ** Show processes **
cp_conf sic state                           ** Check SIC **
ckp_regedit -p 'SOFTWARE/CHECKPOINT/SIC'    ** SIC settings from the Check Point registry **
grep -i icaip $CPDIR/registry/HKLM_*        ** find CMA IP **
ipsctl -a | grep capabilities               ** Check interface capabilities **
ipsctl -i                                   ** Menu with all hardware **
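As an added example (not code from the original page), the following turns the `fw tab -s -t connections` check above into a threshold test that can run from cron or as a pre-change check. It assumes the usual `fw tab -s` column layout (HOST NAME ID #VALS #PEAK #SLINKS) and takes the connection-table limit from the caller, since the limit lives in the gateway object, not in the command output; the sample output and the function names are constructed for the example.

```shell
# Added example: parse "fw tab -s -t connections" and warn when current or
# peak usage approaches the connection-table limit. Column layout is assumed
# from the usual "fw tab -s" output; the limit is supplied by the caller.

# Constructed sample output, as "fw tab -s -t connections" would print it.
SAMPLE_FWTAB='HOST                  NAME                               ID #VALS     #PEAK     #SLINKS
localhost             connections                      8158  18450     23980     36000'

# conn_stats <fwtab-output> -> prints "<current> <peak>" for the connections table
conn_stats() {
    printf '%s\n' "$1" | awk '$2 == "connections" { print $4, $5 }'
}

# conn_pct <value> <limit> -> integer percentage of the limit
conn_pct() {
    echo $(( $1 * 100 / $2 ))
}

# conn_check <fwtab-output> <limit> <threshold-percent>
# Prints an OK/WARN line; returns 1 when current or peak usage is at or above
# the threshold (or when no connections table is found in the input).
conn_check() {
    out=$1; limit=$2; thresh=$3
    set -- $(conn_stats "$out")
    cur=$1; peak=$2
    [ -n "$cur" ] || { echo "WARN no connections table in input"; return 1; }
    cur_pct=$(conn_pct "$cur" "$limit")
    peak_pct=$(conn_pct "$peak" "$limit")
    if [ "$cur_pct" -ge "$thresh" ] || [ "$peak_pct" -ge "$thresh" ]; then
        printf 'WARN current=%s (%s%%) peak=%s (%s%%) limit=%s\n' \
            "$cur" "$cur_pct" "$peak" "$peak_pct" "$limit"
        return 1
    fi
    printf 'OK current=%s (%s%%) peak=%s (%s%%) limit=%s\n' \
        "$cur" "$cur_pct" "$peak" "$peak_pct" "$limit"
}

# On a live gateway (not run here), with the limit configured in the gateway object:
#   conn_check "$(fw tab -s -t connections)" 25000 80
```

Peak (`#PEAK`) is worth alerting on as well as current: a box that hit 95% overnight will drop connections again at the next traffic spike even if it looks idle when you check it.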

// CHECK SERIAL NUMBER
cat /var/etc/.nvram

// SHOW DROPPED PACKETS (kernel debug, filter on the IP or port of interest; CPU-heavy on a busy box, so keep it short)
fw ctl zdebug drop | grep 1414

// CHECK IF DISKLESS
dmesg | grep flash
(a diskless box prints: system is flash-based, running in diskless mode)

// REBOOT
sync;sync;reboot

// RESTART FWD
#precheck
date; grep "ipsrd:instance:default:vrrp:nomonitorfw t" /config/active; echo sh vrrp | iclid; netstat -an | grep 257; ps aux | grep fwd; swapinfo;
#restart
$CPDIR/bin/cpwd_admin stop -name FWD -path "$FWDIR/bin/fw" -command "fw kill fwd"; sleep 1; ps aux | grep fwd; $CPDIR/bin/cpwd_admin start -name FWD -path "$FWDIR/bin/fw" -command "fwd"
#post-check
echo sh vrrp | iclid; date; ps aux | grep fwd; netstat -an | grep 257; swapinfo;
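The pre-check and post-check above are eyeballed by hand. As an added example (not from the original page), the functions below compare the two `ps aux | grep fwd` snapshots and count the tcp/257 log sessions in `netstat -an`, so a script can tell whether the restart really produced a fresh fwd and whether logging reconnected. The ps and netstat lines are constructed samples, and the column positions assume the standard `ps aux` and `netstat -an` layouts.

```shell
# Added example: verify an fwd restart from before/after "ps aux" snapshots and
# confirm the tcp/257 log session is back. Sample lines below are constructed.

SAMPLE_PS_BEFORE='admin     4711  0.3  2.1  81232 43120 ?    Ss   Dec09  12:33 fwd
admin     9001  0.0  0.0   1720   580 ?    S    14:40   0:00 grep fwd'
SAMPLE_PS_AFTER='admin     5230  0.1  1.9  80120 41800 ?    Ss   14:41   0:00 fwd
admin     9020  0.0  0.0   1720   580 ?    S    14:41   0:00 grep fwd'
SAMPLE_NETSTAT='tcp        0      0 10.1.1.5:18211          10.1.1.100:41870        ESTABLISHED
tcp        0      0 10.1.1.5:34523          10.1.1.100:257          ESTABLISHED
tcp        0      0 0.0.0.0:257             0.0.0.0:*               LISTEN'

# fwd_pid <ps-output> -> PIDs of real fwd processes (the grep itself is ignored)
fwd_pid() {
    printf '%s\n' "$1" | awk '$11 ~ /(^|\/)fwd$/ { print $2 }'
}

# fwd_restarted <ps-before> <ps-after> -> 0 only if exactly one fwd is running
# afterwards and its PID differs from the one seen before the restart
fwd_restarted() {
    old=$(fwd_pid "$1"); new=$(fwd_pid "$2")
    [ -n "$new" ] || { echo "FAIL: fwd not running after restart"; return 1; }
    [ "$(printf '%s\n' "$new" | wc -l | tr -d ' ')" = 1 ] \
        || { echo "FAIL: more than one fwd running: $new"; return 1; }
    [ "$old" != "$new" ] \
        || { echo "FAIL: fwd PID unchanged ($old), restart did not happen"; return 1; }
    echo "OK: fwd restarted, pid $old -> $new"
}

# log_sessions <netstat-output> -> number of ESTABLISHED sessions to tcp/257
# (the log connection to the management station / log server)
log_sessions() {
    printf '%s\n' "$1" | awk '$5 ~ /:257$/ && $6 == "ESTABLISHED" { n++ } END { print n+0 }'
}

# Live use (not run here): take the snapshots around the cpwd_admin stop/start.
#   before=$(ps aux | grep fwd)   ... restart ...   after=$(ps aux | grep fwd)
#   fwd_restarted "$before" "$after" && [ "$(log_sessions "$(netstat -an)")" -ge 1 ]
```

An unchanged PID after `cpwd_admin stop` usually means cpwd did not own the process it was asked to stop, which is exactly the case the manual `ps aux | grep fwd` between stop and start is there to catch.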

//SAVE VOYAGER
clish
save config
exit
dbset :save



// ROUTES AND ARPPROXY
echo sh route | iclid
clish -s -c "set static-route [route]/[mask] nexthop gateway address [gateway] on"

clish -s -c "add arpproxy address [address] macaddress [mac]"
A proxy ARP entry is needed when the address (typically a static NAT address) belongs to a directly connected network, so that the firewall answers ARP requests for it; use the physical MAC of the interface on that network.

// clear arp table
clish
delete arpdynamic all        (doesn't delete proxy ARP entries)

// ENABLING INTERFACE & VRRP (Simplified mode)
clish -s -c "set interface eth-s4p1 active on"
clish -s -c "set interface eth-s4p1 link_trap on"
clish -s -c "set interface eth-s4p1 auto-advertise off"
clish -s -c "set interface eth-s4p1c0 enable"
clish -s -c "add interface eth-s4p1c0 address x.x.x.x/xx"
clish -s -c "set interface eth-s4p1 speed 100M duplex full"
clish -s -c "add mcvr vrid <1-255> backup-address <vip>"
save config
exit





//BOUNCE INTERFACE (SPLAT)
ifconfig eth-s4p3c0 down
ifconfig eth-s4p3c0 up

//BOUNCE INTERFACE (IPSO)
ifdown eth-s4p3c0
ifup eth-s4p3c0

//VPN Troubleshooting
//Local enc domain
fw tab -t vpn_enc_domain_valid -f -u
//Remote enc domain (grep for the remote network or peer you are interested in)
fw tab -t vpn_routing -f -u | grep [remote-network]

//SPLAT
Add Route:
route add -net 123.45.44.0 netmask 255.255.255.0 gw 123.45.56.1
route --save

The preferred method is to add the route through cos_config, as the --save parameter for route may not exist on some systems.

Check Route (SPLAT):
ip route get xx.xx.xx.xx

//Proxy Arp on SPLAT
arp -s <Static_NAT_ip_addr> <interface mac address> pub
**NOTE: This should also be added to the startup script "/etc/rc.local" on both firewalls if this is an HA cluster
(remember to use the physical MAC address of the interface you are proxy ARPing on, not the cluster MAC)
Alternatively, list the entries in $FWDIR/conf/local.arp (one "<ip> <mac>" per line), which is read at policy install.
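The "physical MAC, not the cluster MAC" caveat above is easy to get wrong when copying entries between cluster members. As an added example (not from the original page), the script below generates the `arp -s ... pub` lines for /etc/rc.local from a local.arp-style list and refuses any MAC that is a VRRP virtual MAC (00:00:5E:00:01:<vrid>) or has the multicast bit set (such as the ClusterXL 01:00:5E:... MACs). The input list and the MACs in it are constructed; the function names are mine.

```shell
# Added example: build "arp -s <ip> <mac> pub" lines for rc.local from a
# "<ip> <mac>" list (local.arp format), rejecting cluster/virtual MACs.

# Constructed sample in local.arp format; MACs are made up.
SAMPLE_LOCAL_ARP='# NAT address        physical MAC of the interface answering ARP
203.0.113.10        00:0c:29:ab:cd:ef
203.0.113.11        00:00:5e:00:01:05
203.0.113.12        00:0c:29:ab:cd:ef'

# is_physical_mac <mac> -> 0 if it is a well-formed unicast MAC that is not a
# VRRP virtual MAC; 1 otherwise
is_physical_mac() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$mac" in
        00:00:5e:00:01:*) return 1 ;;   # VRRP virtual MAC (00:00:5e:00:01:<vrid>)
    esac
    case "${mac%%:*}" in
        ?[13579bdf]) return 1 ;;        # group bit set: multicast, e.g. ClusterXL 01:00:5e:...
    esac
    printf '%s\n' "$mac" | grep -Eq '^([0-9a-f]{1,2}:){5}[0-9a-f]{1,2}$'
}

# proxy_arp_cmds <local.arp text> -> prints one "arp -s ... pub" line per good
# entry, reports rejected entries on stderr, returns the number rejected
proxy_arp_cmds() {
    rejected=0
    while read -r ip mac rest; do
        case "$ip" in ''|\#*) continue ;; esac      # skip blank and comment lines
        if is_physical_mac "$mac"; then
            printf 'arp -s %s %s pub\n' "$ip" "$mac"
        else
            printf 'SKIP %s %s (not a physical unicast MAC)\n' "$ip" "$mac" >&2
            rejected=$((rejected + 1))
        fi
    done <<EOF
$1
EOF
    return "$rejected"
}

# Live use (not run here), appending to rc.local only when nothing was rejected:
#   proxy_arp_cmds "$(cat $FWDIR/conf/local.arp)" > /tmp/proxyarp.sh && cat /tmp/proxyarp.sh >> /etc/rc.local
```

The here-document rather than a pipe keeps the `while` loop in the current shell, so the rejected count survives the loop and the non-zero return stops the `&&` chain from touching rc.local.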

// Check to see if device is diskless
ipsctl kern:diskless

// Fix IP265 if stuck at # (root prompt, admin's home missing): fsck with alternate superblock 32, then recreate admin's home directory
fsck -fyb 32
mkdir /var/emhome/admin
cp /etc/skel/* /var/emhome/admin

//Identify switch (captures one CDP frame, destination MAC 01:00:0c:cc:cc:cc, and prints the switch name/port strings from it)
tcpdump -n -i eth-s4p4c2 -s 1500 -w - -c 1 ether dst 1:0:c:cc:cc:cc and greater 75 | strings -3a



Various:

Command                                   Reference   Result

H/A Troubleshooting
cphaprob syncstat                         sk34475     Sync statistics
fw ctl pstat                              sk34476     Sync statistics
mdsstat                                               MDS statistics
echo 'show vrrp' | iclid                  sk41089     VRRP data (Master/Backup)
clish -c "show interfacemonitor"          sk41089     VRRP interfaces (Up/Down)
clish -c "show vrrp interfaces"           sk41089     VRRP interfaces (detailed)
tcpdump -vv -i ethX proto vrrp            sk41089     tcpdump for VRRPv2 advertisements/packets
fw monitor -e 'accept dport=8116;'                    Capture ClusterXL CCP traffic (UDP 8116)
cphaprob state                                        Cluster member state
cphaprob -i list                          sk41089     Critical devices / Check Point processes (FWD/CPHAD)
cphaprob -a if                                        Show SYNC interfaces
$FWDIR/log/fwd.elg                                    FWD log

Log Connections
netstat -an | grep 257                    sk38848     Show connections via tcp/257 to the CLM
cd $FWDIR/log; ls -la fw.log              sk38848     Check FW log size on disk
cat $FWDIR/conf/masters                   sk38848     Masters file: management station / log server
ipsctl -a | grep -i err | grep -v '= 0$'  sk39462     Non-zero error counters via ipsctl

SIC
Port 18209 (Control), 18210 (CA), 18211 (CPD, Receive Cert)   sk30579

Misc
Check Point port assignments              sk52421     Predefined ports used by Check Point
grep SIC $CPDIR/log/cpd.elg | tail                    SIC log






checkpoint - useful files
Below are some of the various files and commands which you may find useful on a Check Point.

SmartCenter Server

$CPDIR/conf - Contains parts of the CPShared system
* cp.license - license of machine
* sic_cert.p12 - SIC certificate
$FWDIR/lib - .def files which are used when the rulebase is compiled into inspection code for enforcement points.
$FWDIR/conf - the rule base and the rest of the security policy can be found here.
* rulebases_5_0.fws - Contains the rulebases, duplicated in the *.W files
* objects_5_0.C - Contains all the objects. objects.C is created from it when the policy is sent to the enforcement points
$FWDIR/conf/fwauth.* - User database, main file being fwauth.NDB
$FWDIR/conf/masters - Lists the management station(s) and log server(s) this host talks to
$FWDIR/database/fwauth.* - User database, main file being fwauth.NDB
$FWDIR/log - Logs

Enforcement Point

$CPDIR/conf - Contains parts of the CPShared system
* cp.license - license of machine
* sic_cert.p12 - SIC certificate
$FWDIR/conf/discntd.if - Add interfaces you want to show as disconnected for ClusterXL.

Misc

/etc/sysconfig/netconf.C - Used to configure an interface as down; useful for ClusterXL when interfaces have no link.






checkpoint secureclient ports
  * protocol 50 for ESP
  * UDP 2746 for UDP encapsulation
  * TCP 18231 for Policy Server logon (FW1_pslogon_NG)
  * UDP 18233 for keepalive protocol (FW1_scv_keep_alive)
  * TCP 18232 for Distribution Server (FW1_sds_logon)
  * UDP 259 for MEP configuration (RDP)
  * UDP 18234 for performing the tunnel test when the client is inside the network
  * TCP 18264 for ICA certificate registration (FW1_ica_services)
  * UDP 500 for IKE
  * TCP 500 for IKE over TCP
  * UDP 4500 for IKE and IPsec (NAT-T)
  * TCP 264 for topology download