Tuesday, December 10, 2019

Checkpoint Firewall on IPSO/SPLAT/Crossbeam

ps -aef | grep fw


Common commands for Checkpoint Firewall on IPSO/SPLAT/Crossbeam



// VARIOUS HEALTH RELATED COMMANDS
swapinfo
cpstat os -f cpu                            ** CPU Usage **
cpstat os -f memory                         ** Memory Usage **
clish
show useful-stats                           ** Memory Usage % **
vmstat 2                                    ** free mem and cpu **
fw tab -s -t connections                    ** Checks current/max connections **
fw tab -t fwx_alloc -s                      ** Shows Translation Table Connections **
netstat -i                                  ** Check for interface errors/collisions **
ipsctl -a | grep eth-s3p1:errors            ** detailed interface errors **
ps -aux                                     ** Show processes **
cp_conf sic state                           ** Check SIC **
ckp_regedit -p 'SOFTWARE/CHECKPOINT/SIC'    ** !ckp **
grep -i icaip $CPDIR/registry/HKLM_*        ** find CMA IP **
ipsctl -a | grep capabilities               ** Check Int Capabilities **
ipsctl -i                                   ** Menu with all hardware **

//CHECK SERIAL NUMBER
cat /var/etc/.nvram
fw ctl zdebug drop | grep 1414

// CHECK IF DISKLESS
dmesg | grep flash
system is flash-based, running in diskless mode

// REBOOT
sync;sync;reboot

// RESTART FWD
#precheck
date; grep "ipsrd:instance:default:vrrp:nomonitorfw t" /config/active; echo sh vrrp | iclid; netstat -an | grep 257; ps aux | grep fwd; swapinfo;
#restart
$CPDIR/bin/cpwd_admin stop -name FWD -path "$FWDIR/bin/fw" -command "fw kill fwd"; sleep 1; ps aux | grep fwd; $CPDIR/bin/cpwd_admin start -name FWD -path $FWDIR/bin/fw -command "fwd"
#post-check
echo sh vrrp | iclid; date; ps aux | grep fwd; netstat -an | grep 257; swapinfo;

//SAVE VOYAGER
clish
save config
exit
dbset :save



// ROUTES AND ARPPROXY
echo sh route | iclid
clish -s -c "set static-route [route]/[mask] nexthop gateway address [gateway] on"

clish -s -c "add arpproxy address [address] macaddress 0:0:0:0:0:0"
arpproxy is needed when the address is part of a directly connected network

// clear arp table
clish
delete arpdynamic all        (does not delete proxy ARP entries)

// ENABLING INTERFACE & VRRP (Simplified mode)
clish -s -c "set interface eth-s4p1 active on"
clish -s -c "set interface eth-s4p1 link_trap on"
clish -s -c "set interface eth-s4p1 auto-advertise off"
clish -s -c "set interface eth-s4p1c0 enable"
clish -s -c "add interface eth-s4p1c0 address x.x.x.x/xx"
clish -s -c "set interface eth-s4p1 speed 100M duplex full"
clish -s -c "add mcvr vrid <1-255> backup-address <vip>"
save config
exit





//BOUNCE INTERFACE (SPLAT)
ifconfig eth-s4p3c0 down
ifconfig eth-s4p3c0 up

//BOUNCE INTERFACE (IPSO)
ifdown eth-s4p3c0
ifup eth-s4p3c0

//VPN Troubleshooting
//Local enc domain
fw tab -t vpn_enc_domain_valid -f -u
//Remote enc domain
fw tab -t vpn_routing -f -u | grep 10.1.6014:43

//SPLAT
Add Route:
route add -net 123.45.44.0 netmask 255.255.255.0 gw 123.45.56.1
route --save

The preferred method is cos_config, as the --save parameter for route may not exist on some systems.

Check Route (SPLAT):
ip route get xx.xx.xx.xx

//Proxy Arp on SPLAT
arp -s <Static_NAT_ip_addr> <interface mac address> pub
**NOTE: This should also be added to the startup script "/etc/rc.local" on both firewalls if this is an HA cluster
(remember to use the physical MAC address of the interface you are proxy ARPing on, not the cluster MAC)
$FWDIR/conf/local.arp

// Check to see if device is diskless
ipsctl kern:diskless

// Fix IP265 if stuck at #
fsck -fyb 32
mkdir /var/emhome/admin
cp /etc/skel/* /var/emhome/admin

//Identify switch
tcpdump -n -i eth-s4p4c2 -s 1500 -w - -c 1 ether dst 1:0:c:cc:cc:cc and greater 75 | strings -3a



Various:

Command                                          Reference   Result
H/A Troubleshooting
cphaprob syncstat                                sk34475     Sync Statistics
fw ctl pstat                                     sk34476     Sync Statistics
mdsstat                                                      MDS Statistics
echo 'show vrrp' | iclid                         sk41089     VRRP Data (Master/Backup)
clish -c "show interfacemonitor"                 sk41089     VRRP Interfaces (Up/Down)
clish -c "show vrrp interfaces"                  sk41089     VRRP Interfaces (Detailed)
tcpdump -vv -i ethX proto vrrp                   sk41089     TCPDUMP for VRRPv2 advertisements/packets.
fw monitor -e 'accept dport=8116;'
cphaprob state
cphaprob -i list                                 sk41089     Checkpoint Processes (FWD/CPHAD)
cphaprob -a if                                               Show SYNC Interfaces
$FWDIR/log/fwd.elg
Log Connections
netstat -an | grep 257                           sk38848     Show connections via tcp/257 to CLM.
cd $FWDIR/log                                    sk38848     Check FW log size on disk.
ls -la fw.log                                    sk38848     Check FW log size on disk.
cat $FWDIR/conf/masters                          sk38848     Masters file (management station/log server).
ipsctl -a | grep -i err | grep -v '= 0$'         sk39462     Errors via IPSCTL.
SIC
Port 18209 (Control), 18210 (CA), 18211 (CPD, Receive Cert)   sk30579
Misc
Checkpoint Port Assignments.                     sk52421     Predefined ports used by Check Point
grep SIC $CPDIR/log/cpd.elg | tail                           SIC Log






checkpoint - useful files
Below are some of the various files and commands which you may find useful on a Checkpoint.

Smart Centre Server

$CPDIR/conf - Contains parts of the CPShared system
* cp.license - license of machine
* sic_cert.p12 - SIC certificate
$FWDIR/lib - .def files which are used when the rulebase is compiled into inspection code for Enforcement points.
$FWDIR/conf - the rule base and the rest of the security policy can be found here.
* rulebases_5_0.fws - Contains rulebases and duplicate in *.w files
* objects_5_0.C - Contains all the objects. objects.C is created when sent to the Enforcement Points
$FWDIR/conf/fwauth.* - User Database, main file being fwauth.NDB
$FWDIR/conf/masters - Defines the local log definition in Dashboard
$FWDIR/database/fwauth.* - User Database, main file being fwauth.NDB
$FWDIR/log - Logs

Enforcement Point

$CPDIR/conf - Contains parts of the CPShared system
* cp.license - license of machine
* sic_cert.p12 - SIC certificate
$FWDIR/conf/discntd.if - Add interfaces you want to show as disconnected for ClusterXL.
Misc

/etc/sysconfig/netconf.C - Used to configure interface as down, this is useful for ClusterXL when interfaces have no link.






checkpoint secureclient ports
  * protocol 50 for ESP
  * UDP 2746 for UDP Encapsulation
  * TCP 18231 for Policy Server logon/FW1_pslogon_NG
  * UDP 18233 for Keepalive protocol/FW1_scv_keep_alive
  * TCP 18232 for Distribution Server/FW1_sds_logon
  * UDP 259 for MEP configuration-RDP
  * UDP 18234 for performing tunnel test when the client is inside the network
  * TCP 18264 for ICA certificate registration-FW1_ica_services
  * UDP 500 for IKE
  * TCP 500 for IKE over TCP
  * UDP 4500 for IKE and IPSEC (NAT-T)
  * TCP 264 for topology download

TCPDUMP -

Debug


fw ctl zdebug + drop | grep 204.105.57.69
fw ctl zdebug drop > /var/log/drop.txt


TCPDUMP

tcpdump -i eth3 -nn -X -S -c 100 -w packetcap.cap

tcpdump -nr packetcap.cap | awk '{print }' | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | sort | uniq -c | sort -n


tcpdump -i eth0 src 10.25.240.57 and dst 216.231.64.82
tcpdump -i eth1 port 1089 and dst 216.118.184.254
tcpdump -ni eth8 src 172.30.25.132


tcpdump -nnei any -w /var/log/tcp.cap

tcpdump -i any -nn -X -vv -s 1514 -c 1000 -w packetcap.cap

tcpdump -i eth0 -s 0 -vvv -w ./dump.pcap

tcpdump -ni eth0 -s0 -w /var/tmp/asscapture.pcap




FW Monitor

fw monitor | grep 10.210.7.250

fw monitor -e "((src=10.20.59.230 , dst=10.25.240.44) or (src=10.25.240.44 , dst=10.20.59.230)), accept;"

fw monitor -e "accept;" -o connections.cap  (create a pcap file open with wireshark)

fw monitor -e "accept (src=10.20.59.230 , dst=10.25.240.44);"

fw monitor -ci 10 | grep 172.30.25.132

fw monitor -o /var/log/fwmon.cap


netstat -nr | grep eth3-02 | awk -F' ' '{print $1,$2,$3}' | sort > test2


Acceleration

fwaccel off/on

fwaccel stat

fw ctl multik stat

fw ctl affinity -l -a -v

fwaccel conns  |grep  216.231.83.228 | more

fw tab -t connections -s

CoreXL -Enabling and Monitoring

cpview -t Jan02, 2019 10:30:00


SK105261  - CoreXL

CoreXL Dynamic Dispatcher
-------------------------

my-vpn:TACP-0>  fw ctl multik dynamic_dispatching get_mode
Current mode is On
my-vpn:TACP-0>


[Expert@R80.10:0]# fw ctl multik dynamic_dispatching on
New mode is: On
Please reboot the system
[Expert@R80.10:0]#


[Expert@HostName]# fw ctl multik dynamic_dispatching off

Example output:

[Expert@R80.10:0]# fw ctl multik dynamic_dispatching off
New mode is: Off
Please reboot the system
[Expert@R80.10:0]#



Monitoring CoreXL load distribution
-----------------------------------

[Expert@HostName]# fw ctl affinity -l -r
CPU 0:  eth0 eth1 eth2
CPU 1:  fw_2
CPU 2:  fw_1
CPU 3:  fw_0
All:    cpca status_proxy in.geod fwm cpstat_monitor fwd mpdaemon cpsead cpd cprid
[Expert@HostName]#



Check the current CPU utilization by each CoreXL FW instance with the top command.

Note: If the output does not show all CPU cores (if 3rd line shows "Cpu(s):"), then press "1" and then "Shift+W".

Example (Load on CPU 3 is 24% by SoftIRQ; CoreXL FW instance 0 is consuming 18%; other CoreXL FW instances (fw_worker threads) are idle):

Tasks: 118 total,   3 running, 115 sleeping,   0 stopped,   0 zombie
Cpu0  :  0.0%us,  0.0%sy,  0.0%ni, 94.0%id,  0.0%wa,  1.2%hi,  4.8%si,  0.0%st
Cpu1  :  0.0%us,  1.2%sy,  0.0%ni, 98.8%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st
Cpu2  : 40.2%us,  9.2%sy,  0.0%ni, 49.4%id,  0.0%wa,  0.0%hi,  1.1%si,  0.0%st
Cpu3  :  1.3%us,  1.3%sy,  0.0%ni, 73.3%id,  0.0%wa,  0.0%hi, 24.0%si,  0.0%st
Mem:   4078484k total,  4021144k used,    57340k free,   241380k buffers
Swap:  3140696k total,       64k used,  3140632k free,   414744k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
15964 admin     18   0  1644  436  368 R   41  0.0   0:00.42 cp_logrotate
 4129 admin     15   0     0    0    0 R   18  0.0   8:23.67 fw_worker_0
15954 admin     15   0  2176 1112  840 R    2  0.0   0:00.09 top
   14 admin     10  -5     0    0    0 S    0  0.0  47:01.09 events/0
 4995 admin     15   0  207m  66m  24m S    1  1.7  79:04.08 cpd
    1 admin     15   0  2044  724  624 S    0  0.0   0:00.43 init
    2 admin     RT  -5     0    0    0 S    0  0.0   3:08.83 migration/0
    3 admin     15   0     0    0    0 S    0  0.0   0:02.15 ksoftirqd/0
    4 admin     RT  -5     0    0    0 S    0  0.0   0:00.05 watchdog/0
    5 admin     RT  -5     0    0    0 S    0  0.0   2:46.42 migration/1
    6 admin     15   0     0    0    0 S    0  0.0   0:00.01 ksoftirqd/1
    7 admin     RT  -5     0    0    0 S    0  0.0   0:00.36 watchdog/1
    8 admin     RT  -5     0    0    0 S    0  0.0   2:36.56 migration/2
    9 admin     17   0     0    0    0 S    0  0.0   0:00.24 ksoftirqd/2


Check the distribution of connections across all CoreXL FW instances with the fw ctl multik stat command.

my-vpn:TACP-0>  fw ctl multik stat
ID | Active  | CPU    | Connections | Peak   
----------------------------------------------
 0 | Yes     | 31     |        1604 |     4327
 1 | Yes     | 15     |         690 |     2809
 2 | Yes     | 30     |         670 |     2592
 3 | Yes     | 14     |         732 |     2596
 4 | Yes     | 29     |         716 |     2856
 5 | Yes     | 13     |         774 |     2968
 6 | Yes     | 28     |         811 |     3188
 7 | Yes     | 12     |         687 |     2758
 8 | Yes     | 27     |         754 |     2912
 9 | Yes     | 11     |         795 |     2808
10 | Yes     | 26     |         812 |     2776
11 | Yes     | 10     |         779 |     2650
12 | Yes     | 25     |         726 |     3319
13 | Yes     | 9      |         793 |     3178
14 | Yes     | 24     |         668 |     2579
15 | Yes     | 8      |         744 |     2891
16 | Yes     | 23     |         679 |     2951
17 | Yes     | 7      |         716 |     3083
18 | Yes     | 22     |         840 |     2934
19 | Yes     | 6      |         780 |     3015
20 | Yes     | 21     |         816 |     3198
21 | Yes     | 5      |         766 |     2471
22 | Yes     | 20     |         734 |     2837
23 | Yes     | 4      |         775 |     2930
24 | Yes     | 19     |         779 |     3182
25 | Yes     | 3      |         784 |     3078
26 | Yes     | 18     |         815 |     2873
27 | Yes     | 2      |         760 |     3277
my-vpn:TACP-0>
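
Added example (my own Python, not Check Point code and not part of the original notes): a parser for the `fw ctl multik stat` and `fw ctl affinity -l -r` outputs shown above, used to flag instances carrying a disproportionate share of connections and CPUs where a NIC and an FW instance are pinned together. The sample outputs are constructed from the ones above (abridged); the 1.5x skew factor is an assumed threshold.

```python
"""Summarise CoreXL load from the text output of `fw ctl multik stat` and
`fw ctl affinity -l -r`. Added example, not Check Point code; the samples
below are constructed from the outputs shown in the notes."""
import re
from statistics import mean

# Constructed sample, abridged from the `fw ctl multik stat` output above.
MULTIK_STAT = """\
ID | Active  | CPU    | Connections | Peak
----------------------------------------------
 0 | Yes     | 31     |        1604 |     4327
 1 | Yes     | 15     |         690 |     2809
 2 | Yes     | 30     |         670 |     2592
 3 | Yes     | 14     |         732 |     2596
"""

# Constructed sample in the format of the `fw ctl affinity -l -r` output above.
AFFINITY = """\
CPU 0:  eth0 eth1 eth2
CPU 1:  fw_2
CPU 2:  fw_1
CPU 3:  fw_0
All:    cpca status_proxy in.geod fwm cpstat_monitor fwd mpdaemon cpsead cpd cprid
"""

ROW_RE = re.compile(r"^\s*(\d+)\s*\|\s*(Yes|No)\s*\|\s*(\d+)\s*\|\s*(\d+)\s*\|\s*(\d+)\s*$")
CPU_RE = re.compile(r"^CPU (\d+):\s*(.*)$")


def parse_multik_stat(text):
    """One dict per CoreXL FW instance: id, active, cpu, conns, peak."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append({"id": int(m.group(1)), "active": m.group(2) == "Yes",
                         "cpu": int(m.group(3)), "conns": int(m.group(4)),
                         "peak": int(m.group(5))})
    return rows


def parse_affinity(text):
    """Map CPU number -> list of interfaces/instances pinned to it
    (the 'All:' line, processes free to run anywhere, is ignored)."""
    cpus = {}
    for line in text.splitlines():
        m = CPU_RE.match(line)
        if m:
            cpus[int(m.group(1))] = m.group(2).split()
    return cpus


def skewed_instances(rows, factor=1.5):
    """IDs of active instances holding more than `factor` x the mean
    connection count; a persistent outlier means connections are not
    being spread evenly (compare with the Dynamic Dispatcher mode above).
    `factor` is an assumed threshold, not a Check Point value."""
    active = [r for r in rows if r["active"]]
    if not active:
        return []
    avg = mean(r["conns"] for r in active)
    return [r["id"] for r in active if r["conns"] > factor * avg]


def shared_cpus(affinity):
    """CPUs where a NIC (eth*) and an FW instance (fw_*) are pinned together,
    so the NIC's SoftIRQ (%si in top) competes with that fw_worker."""
    return sorted(cpu for cpu, items in affinity.items()
                  if any(i.startswith("eth") for i in items)
                  and any(i.startswith("fw_") for i in items))


def instance_cpu_map(affinity):
    """Instance name -> CPU, e.g. {'fw_0': 3}, for matching the CPU column of
    `fw ctl multik stat` against the per-core lines top shows."""
    return {i: cpu for cpu, items in affinity.items()
            for i in items if i.startswith("fw_")}


if __name__ == "__main__":
    print("skewed instances:", skewed_instances(parse_multik_stat(MULTIK_STAT)))
    print("fw instance -> cpu:", instance_cpu_map(parse_affinity(AFFINITY)))
```

On a live box, feed the real command output in instead of the constructed strings (for example via subprocess) and run it from cron to catch a drifting distribution before it shows up as latency.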

Wednesday, September 18, 2019

Dig Command

Dig Command

Make that DNS talk !

Display only the ANSWER section
dig opensuse.org +noall +answer
Activate the short output
dig perdu.com +short
Reverse DNS (get name from IP)
dig -x 208.97.177.124
Use a specific DNS server
dig @8.8.4.4 redhat.com
Display the name resolution path
dig google.com +trace
Request a zone transfer
dig microsoft.com AXFR

List specific types of RRs (Resource Records)

List address records
dig -t A tme520.net
List aliases
dig -t CNAME tme520.net
Find who manages a domain
dig -t SOA tme520.net
List mail servers
dig tme520.net MX
List name servers
dig tme520.net NS
List any type of Resource Record

There are about 40 DNS Resources Records types, but you only have to know 5 of them:

A : Address record (IPv4); AAAA for IPv6,
CNAME : Canonical Name. Aliases to A or AAAA records,
SOA : Start Of Authority: primary name server, email of the domain admin, domain serial number, and timers relating to refreshing the zone,
MX : Mail eXchange. Points to a mail server,
NS : Name Server (a DNS).


Dig stands for Domain Information Groper. Dig is a network administration command-line tool for querying Domain Name System (DNS) name servers. It is useful for verifying and troubleshooting DNS problems; it performs DNS lookups and displays the answers returned by the name servers that were queried. dig is part of the BIND domain name server software suite and replaces older tools such as nslookup and host. dig is available in all major Linux distributions.

Query Domain “A” Record

# dig yahoo.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.2 <<>> yahoo.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<
The above command causes dig to look up the "A" record for the domain name yahoo.com. dig reads the /etc/resolv.conf file and queries the DNS servers listed there. The response from the DNS server is what dig displays.
UNDERSTAND THE OUTPUT:
  1. Lines beginning with ; are comments, not part of the information.
  2. The first line tells us the version of dig (9.8.2).
  3. Next, dig shows the header of the response it received from the DNS server.
  4. Next comes the question section, which simply tells us the query, which in this case is a query for the "A" record of yahoo.com. The IN means this is an Internet lookup (in the Internet class).
  5. The answer section tells us that yahoo.com has the IP address 72.30.38.140.
  6. Lastly there are some stats about the query. You can turn off these stats using the +nostats option.

Query Domain “A” Record with +short

By default dig is quite verbose. One way to cut down the output is to use the +short option, which drastically reduces the output, as shown below.
# dig yahoo.com +short

98.139.183.24
72.30.38.140
98.138.253.109
Note: By default dig looks for the "A" record of the domain specified, but you can specify other records as well. The MX or Mail eXchange record tells mail servers how to route the email for the domain. Likewise TTL, SOA, etc.

Query MX Record

Querying different types of DNS resource records only.
# dig yahoo.com MX

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.2 <<>> yahoo.com MX
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31450
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 24

;; QUESTION SECTION:
;yahoo.com.                     IN      MX

;; ANSWER SECTION:
yahoo.com.              33      IN      MX      1 mta6.am0.yahoodns.net.
yahoo.com.              33      IN      MX      1 mta7.am0.yahoodns.net.
yahoo.com.              33      IN      MX      1 mta5.am0.yahoodns.net.

Query SOA Record

# dig yahoo.com SOA

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.2 <<>> yahoo.com SOA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2197
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 7, ADDITIONAL: 7

;; QUESTION SECTION:
;yahoo.com.                     IN      SOA

;; ANSWER SECTION:
yahoo.com.              1800    IN      SOA     ns1.yahoo.com. hostmaster.yahoo-inc.com. 2012081409 3600 300 1814400 600

Query TTL Record

# dig yahoo.com TTL

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.2 <<>> yahoo.com TTL
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56156
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;yahoo.com.                     IN      A

;; ANSWER SECTION:
yahoo.com.              3589    IN      A       98.138.253.109
yahoo.com.              3589    IN      A       98.139.183.24
yahoo.com.              3589    IN      A       72.30.38.140

Query only answer section

# dig yahoo.com +nocomments +noquestion +noauthority +noadditional +nostats

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6 <<>> yahoo.com +nocomments +noquestion +noauthority +noadditional +nostats
;; global options: +cmd
yahoo.com.              3442    IN      A       72.30.38.140
yahoo.com.              3442    IN      A       98.138.253.109
yahoo.com.              3442    IN      A       98.139.183.24

Query ALL DNS Records

# dig yahoo.com ANY +noall +answer

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6 <<>> yahoo.com ANY +noall +answer
;; global options: +cmd
yahoo.com.              3509    IN      A       72.30.38.140
yahoo.com.              3509    IN      A       98.138.253.109
yahoo.com.              3509    IN      A       98.139.183.24
yahoo.com.              1709    IN      MX      1 mta5.am0.yahoodns.net.
yahoo.com.              1709    IN      MX      1 mta6.am0.yahoodns.net.
yahoo.com.              1709    IN      MX      1 mta7.am0.yahoodns.net.
yahoo.com.              43109   IN      NS      ns2.yahoo.com.
yahoo.com.              43109   IN      NS      ns8.yahoo.com.
yahoo.com.              43109   IN      NS      ns3.yahoo.com.
yahoo.com.              43109   IN      NS      ns1.yahoo.com.
yahoo.com.              43109   IN      NS      ns4.yahoo.com.
yahoo.com.              43109   IN      NS      ns5.yahoo.com.
yahoo.com.              43109   IN      NS      ns6.yahoo.com.
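
Added example (my own Python, not from the original post and not BIND code) for the "UNDERSTAND THE OUTPUT" notes above and the sectioned outputs that follow them: it parses dig's header, flags, counts and resource-record sections into structured records, reproduces what +short prints, and splits SOA rdata into its named fields. The sample text is constructed from the yahoo.com outputs above (header from the SOA query, answers from the ANY and SOA queries).

```python
"""Parse dig's sectioned output (header, flags/counts, QUESTION/ANSWER/...
sections) into records. Added example, not from the page or from BIND;
the sample below is constructed from the page's yahoo.com outputs."""
import re

# Constructed sample: header/question lines modelled on the SOA query above,
# answer lines taken from the ANY and SOA examples above.
SAMPLE = """\
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.2 <<>> yahoo.com ANY
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2197
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;yahoo.com.                     IN      ANY

;; ANSWER SECTION:
yahoo.com.              3509    IN      A       72.30.38.140
yahoo.com.              3509    IN      A       98.138.253.109
yahoo.com.              1709    IN      MX      1 mta5.am0.yahoodns.net.
yahoo.com.              43109   IN      NS      ns1.yahoo.com.
yahoo.com.              1800    IN      SOA     ns1.yahoo.com. hostmaster.yahoo-inc.com. 2012081409 3600 300 1814400 600

;; Query time: 12 msec
"""

HEADER_RE = re.compile(r"^;; ->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)")
FLAGS_RE = re.compile(r"^;; flags: ([^;]*);(.*)$")
SECTION_RE = re.compile(r"^;; (\w+) SECTION:")
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+(IN|CH|HS)\s+(\S+)\s+(.*)$")


def parse_dig(text):
    """Return {'opcode', 'status', 'id', 'flags', 'counts', 'sections'}."""
    out = {"opcode": None, "status": None, "id": None,
           "flags": [], "counts": {}, "sections": {}}
    section = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            out["opcode"], out["status"] = m.group(1), m.group(2)
            out["id"] = int(m.group(3))
            continue
        m = FLAGS_RE.match(line)
        if m:
            out["flags"] = m.group(1).split()          # e.g. ['qr', 'rd', 'ra']
            for part in m.group(2).split(","):          # QUERY: 1, ANSWER: 5, ...
                key, val = part.strip().split(": ")
                out["counts"][key] = int(val)
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            out["sections"][section] = []
            continue
        # Lines beginning with ';' are comments (the question line included);
        # blank lines and anything before the first section are skipped.
        if section is None or not line.strip() or line.startswith(";"):
            continue
        m = RR_RE.match(line)
        if m:
            name, ttl, cls, rtype, rdata = m.groups()
            out["sections"][section].append(
                {"name": name, "ttl": int(ttl), "class": cls,
                 "type": rtype, "rdata": rdata.strip()})
    return out


def short(parsed, rtype=None):
    """What +short prints: the rdata of each ANSWER record, optionally
    restricted to one record type."""
    return [r["rdata"] for r in parsed["sections"].get("ANSWER", [])
            if rtype is None or r["type"] == rtype]


def soa_fields(rdata):
    """Split SOA rdata into its named fields (serial and the zone timers)."""
    mname, rname, serial, refresh, retry, expire, minimum = rdata.split()
    return {"mname": mname, "rname": rname, "serial": int(serial),
            "refresh": int(refresh), "retry": int(retry),
            "expire": int(expire), "minimum": int(minimum)}


def header_counts_match(parsed):
    """Sanity check: the ANSWER count in the header equals the number of
    answer records actually parsed (a truncated or mangled paste fails this)."""
    return parsed["counts"].get("ANSWER") == len(parsed["sections"].get("ANSWER", []))
```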

DNS Reverse Look-up

Querying DNS Reverse Look-up. Only display answer section with using +short.
# dig -x 72.30.38.140 +short

ir1.fp.vip.sp2.yahoo.com.

Query Multiple DNS Records

Query several domains for specific record types (MX, NS, etc.) in one command.
# dig yahoo.com mx +noall +answer redhat.com ns +noall +answer

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6 <<>> yahoo.com mx +noall +answer redhat.com ns +noall +answer
;; global options: +cmd
yahoo.com.              1740    IN      MX      1 mta6.am0.yahoodns.net.
yahoo.com.              1740    IN      MX      1 mta7.am0.yahoodns.net.
yahoo.com.              1740    IN      MX      1 mta5.am0.yahoodns.net.
redhat.com.             132     IN      NS      ns1.redhat.com.
redhat.com.             132     IN      NS      ns4.redhat.com.
redhat.com.             132     IN      NS      ns3.redhat.com.
redhat.com.             132     IN      NS      ns2.redhat.com.

Create .digrc file

Create .digrc file under $HOME/.digrc to store default dig options.
# dig yahoo.com
yahoo.com.              3427    IN      A       72.30.38.140
yahoo.com.              3427    IN      A       98.138.253.109
yahoo.com.              3427    IN      A       98.139.183.24
We have stored the +noall +answer options permanently in the .digrc file under the user's home directory. Now, whenever the dig command runs, it shows only the answer section of the output. There is no need to type options like +noall +answer every time.


Once installed, check the version, to make sure the setup was completed successfully:
dig -v

Dig Syntax

In its simplest form, the syntax of the dig utility will look like this:
dig [server] [name] [type]
[server]: the IP address or hostname of the name server to query.
If the server argument is a hostname, dig resolves it before querying that name server.
It is optional; if you don't provide a server argument, dig uses the name servers listed in /etc/resolv.conf.
[name]: the name of the resource record that is to be looked up.
[type]: the type of query requested by dig. For example, it can be an A record, MX record, SOA record or any other type. By default dig performs a lookup for an A record if no type argument is specified.

How to Use the Dig Command

Let's get into the basic uses of the command:

Dig a Domain Name

To perform a DNS lookup for a domain name, just pass the name along with the dig command:
dig hostinger.com
By default, the dig command will display the A record when no other options are specified. The output will also contain other information, such as the installed dig version, technical details about the answers, statistics about the query and a question section, along with a few other items.

Short Answers

The above dig command includes a lot of useful information in different sections, but there may be times when you want only the result of the query. You can do that by using the +short option, which displays only the IP address (A record) of the domain name:
dig hostinger.com +short

Detailed Answers

Sometimes you want to view only the answer section. To do that, suppress every section with the +noall option and then re-enable the answer section with the +answer option:
dig hostinger.com +noall +answer

Specifying Nameservers

By default, dig queries the name servers listed in /etc/resolv.conf to perform a DNS lookup for you. You can change this default behavior by using the @ symbol followed by the hostname or IP address of the name server.
The following dig command sends the DNS query to Google's name server (8.8.8.8) by using the @8.8.8.8 option.
dig @8.8.8.8 hostinger.com

Query All DNS Record Types

To query all the available DNS record types associated with a domain use the ANY option. The ANY option will include all the available record types in the output:
dig hostinger.com ANY

Search For Record Type

If you want to look up a specific record, just add the type to the end of the command.
For example, to get only the mail exchange (MX) answer section associated with a domain, you can use the following dig command:
dig hostinger.in MX
Similarly, to view the other records associated with a domain, specify the record type at the end of dig command:
dig hostinger.com txt (Query TXT record)
dig hostinger.com cname (Query CNAME record)
dig hostinger.com ns (Query NS record)
dig hostinger.com A (Query A record)

Trace DNS Path

Dig allows tracing the DNS lookup path by using the +trace option. The option makes iterative queries to resolve the name lookup. It will query the name servers starting from the root and subsequently traverses down the namespace tree using iterative queries following referrals along the way:
dig hostinger.com +trace

Reverse DNS Lookup

Reverse DNS lookup lets you look up the domain and hostname associated with an IP address. To perform a reverse DNS lookup using the dig command, use the -x option followed by your chosen IP address. In the following example, dig will perform a reverse DNS lookup for the IP address associated with google.com:
dig +answer -x 172.217.166.46
Remember that if a PTR record is not defined for an IP address, then it is not possible to do a reverse DNS lookup, since it is the PTR record that points to the domain or hostname.

Batch Queries

With the dig utility, you can perform a DNS lookup for a list of domains instead of doing the same for each one individually. To do that, you need to provide dig with a list of domain names, one per line, in a file. Once the file is ready, specify its name with the -f option:
vi domain_name.txt
hostinger.com
google.com
ubuntu.com
dig -f domain_name.txt +short

Control Dig Behavior

The output of the command can be customized permanently by setting up options in the ~/.digrc file that will run automatically with the command.
Suppose you want to view the answer section only – specify the required options in the ~/.digrc file, so you don’t have to type them in while executing the query.
echo "+noall +answer" > ~/.digrc
Now perform a DNS server lookup for a domain. The output confirms that dig runs with the options set in the ~/.digrc file.

Conclusion

That's all the basics you need to start using dig in Linux. Now you can perform DNS lookups for domains using various options. Want to learn more? Check the manual page by using the man dig command to find out all the possible uses and options.




Sunday, August 25, 2019

Checkpoint Troubleshooting Files -


1. Cpinfo (from both Cluster members, sk92739).
2. /var/log/messages* (from both Cluster members, all 5 files).
   - Running the following command in expert mode creates a tgz file with all of the messages files in the present working directory:
     # tar zcvf messages.tgz /var/log/messages*
3. Export the cpview history database file (from both cluster members, sk101878) using the following command (from expert):
   # cpview history export
   Upload the file generated (it should be in /var/log/CPView_history/).
4. From CLISH: > show routed cluster-state detailed (from both Cluster members)
5. ClusterXL messages from SmartConsole logs, according to the following procedure:
   a. Go to the Logs & Monitor tab.
   b. Open the relevant log files.
   c. After you have the correct file open, use the following filter:
   d. origin:(FW01 OR FW02) AND type:Control AND (ClusterXL)
   e. On the search bar, there is an option to export the logs.
   f. Please send us that resulting file.