Monday, September 19, 2022

Checkpoint Command Line

fw ver
cpinfo -y all
fw ctl pstat
fw tab -t connections -s
vmstat 1 10
free
ps auxwww
uptime
df -h
cplic print
fwunload local 
cpview 


Verification:
cat /etc/sysconfig/ntp
fwaccel stats
netstat -i


Checkpoint Serial Number
show asset all
dmidecode
dmiparse


INTERFACE
ifconfig -a
netstat -i
ethtool -i eth0
netstat -rn


TCPDUMP
tcpdump -nnei any -w /var/log/M-Z_2tcp.cap
tcpdump -ni eth0 -s0 -w /var/tmp/asscapture.pcap
tcpdump -nnei any -w /var/log/tcp.pcap

tcpdump -i eth0 port 1089 and src 205.105.57.69
tcpdump -i eth1 port 1089 and dst 216.118.184.254
tcpdump -ni eth10 src 172.30.25.132
tcpdump -i eth0 src 10.1.1.1 and dst 10.2.1.1

tcpdump -i eth0 src 10.25.240.57 and dst 216.231.64.82
tcpdump -ni eth8 src 172.30.25.132
tcpdump -i any -nn -X -vv -s 1514 -c 1000 -w packetcap.cap
tcpdump -i eth0 -s 0 -vvv -w ./dump.pcap

tcpdump -i eth3 -nn -X -S -c 100 -w packetcap.cap
tcpdump -nr packetcap.cap | awk '{print }' | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | sort | uniq -c | sort -n

tcpdump -nnei any -w /var/log/dk.pcap
tcpdump -nr /var/log/dk.pcap | awk '{print }' | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | sort | uniq -c | sort -n


FW MONITOR
fw monitor | grep 10.210.7.250
fw monitor -ci 10 | grep 172.30.25.132
tcpdump -ni eth8 src 172.30.25.132
fw monitor | grep 10.210.7.250
fw monitor -ci 10 | grep 172.30.25.132

fw monitor | grep 10.210.7.250
fw monitor -e "((src=10.20.59.230 , dst=10.25.240.44) or (src=10.25.240.44 , dst=10.20.59.230)), accept;"
fw monitor -e "accept;" -o connections.cap  (creates a pcap file; open it with Wireshark)
fw monitor -e "accept (src=10.20.59.230 , dst=10.25.240.44);"
fw monitor -ci 10 | grep 172.30.25.132
fw monitor -o /var/log/fwmon.cap

netstat -nr | grep eth3-02 | awk -F' ' '{print $1,$2,$3}' | sort > test2


fw ctl zdebug
fw ctl zdebug + drop | grep 204.105.57.69
fw ctl zdebug + drop | grep 10.1.1.1
fw ctl zdebug + drop > text.drops
cat text.drops |grep 10.210.7.250
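Grepping a saved `fw ctl zdebug + drop` file for one IP, as above, answers "was this host dropped?" but not "why, and how often?". The parser below is an added example (not from the original post): it turns each drop line into a record, filters by host, and counts drops per (kernel function, reason). The sample lines are constructed to match the usual drop-line shape; adjust the regex if your version prints a different layout.

```python
import re
from collections import Counter

# Constructed sample of "fw ctl zdebug + drop" output (not captured from a real gateway).
# The line shape is an assumption; older builds print fw_log_drop instead of fw_log_drop_ex.
SAMPLE_DROPS = """\
;[cpu_2];[fw4_1];fw_log_drop_ex: Packet proto=6 10.1.1.1:51234 -> 10.2.1.1:443 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 12;
;[cpu_0];[fw4_0];fw_log_drop_ex: Packet proto=17 10.1.1.5:5353 -> 224.0.0.251:5353 dropped by fw_send_log_drop Reason: Rulebase drop - rule 0;
;[cpu_1];[fw4_2];fw_log_drop_ex: Packet proto=6 10.1.1.1:51235 -> 10.2.1.1:443 dropped by fwconn_lookup Reason: No valid SYN - TCP packet out of state;
;[cpu_3];[fw4_1];fw_log_drop: Packet proto=1 10.1.1.9 -> 10.2.1.1 dropped by fw_antispoof_log Reason: Address spoofing;
"""

# Ports are optional so ICMP lines (proto=1, no ports) parse as well.
DROP_RE = re.compile(
    r"Packet proto=(?P<proto>\d+) (?P<src>\S+?)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>\S+?)(?::(?P<dport>\d+))? dropped by (?P<func>\S+) "
    r"Reason: (?P<reason>.+?);?\s*$"
)

def parse_drop_line(line):
    """Return a dict for one drop line, or None if the line is not a drop record."""
    m = DROP_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["proto"] = int(rec["proto"])
    for key in ("sport", "dport"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec

def parse_drops(text):
    return [r for r in (parse_drop_line(l) for l in text.splitlines()) if r]

def drops_for_host(records, ip):
    """Structured equivalent of 'cat text.drops | grep <ip>': drops where ip is src or dst."""
    return [r for r in records if ip in (r["src"], r["dst"])]

def summarize_reasons(records):
    """Count drops per (function, reason) so the dominant cause is visible at a glance."""
    return Counter((r["func"], r["reason"]) for r in records)

if __name__ == "__main__":
    recs = parse_drops(SAMPLE_DROPS)
    for (func, reason), n in summarize_reasons(recs).most_common():
        print(f"{n:5d}  {func:26s} {reason}")
    for r in drops_for_host(recs, "10.1.1.1"):
        print(r["src"], "->", r["dst"], r["dport"], "|", r["reason"])
```

Feed it a real file with `parse_drops(open("/var/log/drop.txt").read())`; a large share of "out of state" drops usually points at asymmetric routing rather than at the rulebase.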


How to Print Static-Routes
netstat -nr | grep -v D
netstat -rn |grep eth1 | awk -F' ' ' {print $1, $2, $3}' | sort >routes.txt
netstat -rn |grep eth1 | awk -F' ' ' {print $1, $2, $3}' | sort | wc -l
tcpdump -nnei any -w /var/log/M-Z_10tcp.cap


Firewall Performance
top
fw tab -t connections -s
fw ctl pstat
fwaccel stats


Acceleration 
fwaccel off/on
fwaccel stats -s 
fwaccel stats  (Usage: fwaccel on | off | ver | stat | conns | dbg <...> | help)
fw ctl multik stat
fw ctl affinity -l -a -v
fw tab -t connections -s

fwaccel conns
fwaccel conns -s
fwaccel conns  |grep  216.231.83.228 | more


gaia> fwaccel conns -s  (checks SecureXL connections)
gaia> fw ctl get int fwx_max_conns  (checks the maximum connections; 0 means it is set to auto/unlimited)


Affinity 
fw ctl affinity -l -r -v -a 
fw ctl affinity -l -a -v
sim affinity -s 

CoreXL
Monitoring CoreXL load distribution
fw ctl affinity -l -a -v
fw ctl affinity -l -r

Kernel
multi-kernel statistics (multik)
fw ctl multik stat
fw ctl multik get_mode
fw ctl multik dynamic_dispatching get_mode

 
cat /opt/CPsuite-R80.20/fw1/boot/modules/fwkern.conf


Interface Configurations
netstat -i
ifconfig -a
netstat -rn
ethtool -i eth0

 
ROUTE
netstat -rn |grep 204.105
route del -host 172.30.25.133/32 gw 10.210.0.193
route add -host 172.30.25.133/32 gw 10.210.0.193
ip route show match 167.211.210
netstat -rn | wc -l
netstat -rn | grep -v D
netstat -rn | grep eth1 | awk -F' ' ' {print $1, $2, $3}' | sort > routes.txt
netstat -rn | grep eth1 | awk -F' ' ' {print $1, $2, $3}' | sort | wc -l


cpstat os -f routing  | grep 200.231.64

|   200.231.64.0|  255.255.255.0|    10.15.249.2|eth3-01  |

|   200.231.64.0|  255.255.255.0|    10.15.249.3|eth3-01  |


[Expert@myfw-fwa]# ip route show match 167.211.210.

167.211.210.0/24 via 10.25.0.102 dev eth3

default via 216.231.83.11 dev eth1


Cluster XL (High Availability)
cpstop
cpstart
cphastop
cphastart
clusterXL_admin up/down
cphaprob -a if
cphaprob list
cphaprob stat


Advanced Troubleshooting Techniques

Crash Dump

 /var/log/crash

 /var/log/dump/usermode/


1. Was this connection working before? Yes / No

2. Is the application up and running?

    - validated on the destination server?

    - netstat -an | grep <listening port>

    - do a local telnet to the listening port

    - can the destination server ping its default gateway?

3. When did the connection last work? Validate the date, or check via SmartView Tracker.

4. What are the Source and Destination of the connection?

5. What changed in the environment?

6. Is traffic flowing through the firewalls? Check SmartView Tracker.

7. Validate whether a policy was updated on the firewalls: fw stat or cpstat fw

8. Do some basic layer 2 and 3 traffic flow checks:

   - traceroute or tracert to the destination IP from the source (determines the path of the traffic flow)

   - ping the destination address (validate whether you are seeing the traffic in Tracker)

   - telnet to the destination address on the port the application is listening on

9. Are you routing the traffic to the correct interface of the firewalls?

   - netstat -rn | grep <destination IP address>

10. Is the traffic hitting the firewall interface?

   - tcpdump -i eth0 port 1089 and src 11.11.11.11

11. Is the traffic leaving the firewall?

  - tcpdump -i eth1 port 1089 and dst 10.10.10.10


Please run a packet capture and a kernel debug on the firewall so I can get a packet-level look at what is happening to the traffic.


From expert mode on the Active Firewall:


1. Turn off SecureXL, if enabled.

# fwaccel off


2. Check your disk space to make sure you have sufficient space to run a capture and debug.

# df -h


3. In one session: Run the capture.

# fw monitor -o /var/log/fwmon.cap


4. In another session: Run the kernel debug for drops.

# fw ctl zdebug drop > /var/log/drop.txt


5. In a third session: Run a tcpdump capture.

# tcpdump -nnei any -w /var/log/tcp.cap


6. Re-create the problem.


7. End the fw monitor, tcpdump and the kernel debug with the following:

Control-C


8. Turn on SecureXL, if you disabled it.

# fwaccel on


9. Upload the packet captures and zdebug drop output using the Check Point Uploader Utility.

# cp_uploader -s 5-1100876571 -u  youremail@yourdomain.com /var/log/drop.txt /var/log/tcp.cap /var/log/fwmon.cap


10. Please provide me with the Source IP, Destination IP, External IP of Active Gateway, and if Gateway is set up in a cluster, the VIP of the cluster as well so I can thoroughly review the debugs.


[Expert@laneds-fwa]# ssh -v -p 1089 10.25.227.13

OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090701f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: Connecting to 10.25.227.13 [10.25.227.13] port 1089.
debug1: Connection established.
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type -1



How to Export the existing SmartCenter

1. Login to the Manager via ssh
2. Enter expert mode
3. [Expert@MGMT]# cd $FWDIR/bin/upgrade_tools
4. [Expert@MGMT]# yes | nohup ./migrate export /<Full Path to export to>/<Name of Exported File>
5. Also provide the SMS Management IP