topic Re: My Top 3 Check Point CLI commands in General Topics

My Top 3 Check Point CLI commands

Moti — Wed, 19 Jul 2017 07:07:20 GMT

Just had a fun geeky conversation with Dameon Welch Abernathy (AKA Phoneboy) Jony Fischbein , Jeff Schwartz and Michael Poublon (over 100 accumulated years of experience in Check Point products) , on what are our favorite & most useful commands in a Check Point environment.

Below are my 3 , plz add yours in the comments (we will do a poll for the top 5 after getting your feedback ... ).

1) fw ctl zdebug drop

used to quickly see all dropped connections and more importantly the reason (e.g. anti-spoofing, IPS , FW rule , ....)

2) cpstat fw

quickly see stats of number of connections (accepted,denied,logged) with a breakdown

if the FW was under a high load i would usually run " watch --interval=1 'cpstat fw' " (would see a real-time to see the interface that is causing this)

3) fw tab -s -t connections

allowed me to quickly see how much load is (and was i.e "peak" ) on the FW

that's it (i have more , but i want to hear yours ...)

plz add yours in the comments (we will do a poll for the top 5 after getting your feedback ... )

Re: My Top 3 Check Point CLI commands

Jony_Fischbein — Wed, 19 Jul 2017 07:26:34 GMT

Some useful ones:

1. fw ctl pstat

2. cphaprob stat

Re: My Top 3 Check Point CLI commands

Daniel_Niazov — Wed, 19 Jul 2017 07:32:33 GMT

Here some:

fwaccel stats -s
why? to check acceleration status on FW
cphaprob -a if
why? when troubleshooting cluster, i verify all interfaces are UP and the Virtual IP address for the cluster interfaces.
cpwd_admin list
why? great way to explain the CP watchdog- run the command with watch -d, and from another terminal terminate one of the PID, and observe how the watchdog bring it back.
and its also a great way to see that everything is up

Re: My Top 3 Check Point CLI commands

aner_sagi — Wed, 19 Jul 2017 10:07:22 GMT

cphaprob stat

Cpview

Top

Re: My Top 3 Check Point CLI commands

PhoneBoy — Wed, 19 Jul 2017 15:06:57 GMT

Over 20 years, I've probably forgotten more CLI commands than I remember at this point

But here are a few of the ones I still use from time to time:

fw stat

Shows what policy is loaded on the current gateway and what interfaces it has seen traffic on.

If it's DefaultFilter, then your gateway isn't running a real policy and is probably blocking all traffic

Example:

[Expert@oscar:0]# fw stat

HOST POLICY DATE

localhost IntFW 18Jul2017 19:11:16 : [>eth0] [<eth0] [>eth1] [<eth1] [>eth2] [<eth2]

fw fetch mastername

Fetches the policy from the management station named mastername. You can also use localhost as a way to reload the previously installed policy on the gateway. Note this is not to be confused with fw fetchlocal -d directory which is used in troubleshooting policy installation issues.

push_cert –s Cust_CMA –u admin –p adminpw –o examplegw –k test123

This is probably a command you haven't seen before and there's not even a public SK on it

It is used on the management to establish SIC with a newly installed security gateway without using SmartConsole or SmartDashboard, making it extremely useful in automation scenarios.

Arguments are as follows:

Switch	Description
–s Cust_CMA	Management or CMA IP/hostname (can be localhost)
–u admin	Username of admin user in SmartConsole/SmartDashboard
–p adminpw	Password of admin user specified above
–o examplegw	Name (in SmartConsole/SmartDashboard) of gateway to establish SIC with
–k test123	SIC one-time-password (should match what was specified on the gateway during first-time wizard)

Looking forward to see what everyone else comes up with.

Re: My Top 3 Check Point CLI commands

Hugh_McGauran — Wed, 19 Jul 2017 15:41:56 GMT

config_system - never having to use the FTW via web browser

any clish command - ability to completely script the configuration of an appliance

upgrade_export/ migrate export - best backup method - easiest to recover when you have it!

Re: My Top 3 Check Point CLI commands

Nader_Assi__Old — Wed, 19 Jul 2017 19:00:29 GMT

1) cphaprob state / cphaprob -a if / cphaprob -l list

To view Cluster health status

2) cpview (with top)

To troubleshoot gateway performance (cpu, memory, connections,...)

3) cpwd_admin list

To check the CP process status

4) fw ctl zdebug drop

To search for any "silent" drop (such as IPS)

5) fw monitor

To do a live packet capture

Re: My Top 3 Check Point CLI commands

Tomer_Sole — Thu, 20 Jul 2017 05:30:54 GMT

1. mgmt_cli show groups Check Point - Management API reference

2. mgmt_cli add access-rule Check Point - Management API reference

3. mgmt_cli install-policy Check Point - Management API reference

Re: My Top 3 Check Point CLI commands

PhoneBoy — Thu, 20 Jul 2017 05:51:29 GMT

I would expect you to pick management commands

Re: My Top 3 Check Point CLI commands

Moti — Thu, 20 Jul 2017 07:36:28 GMT

Surprised no one picked 'cp_merge'

And also though not a part of Gaia/splat

ofiller /odumper by Martin Hoz saved me precious hours in long nights

Valeri Loukine curious , what's yours ?

Re: My Top 3 Check Point CLI commands

Peter_Sandkuijl — Thu, 20 Jul 2017 08:22:50 GMT

fw ctl affinity -l -v -r

multik stat + cphaprob stat

cplic print

cpview

fw ctl zdebug drop

Re: My Top 3 Check Point CLI commands

Moti — Thu, 20 Jul 2017 08:23:47 GMT

Peter Sandkuijl what does the first one achieve?

Re: My Top 3 Check Point CLI commands

Peter_Sandkuijl — Thu, 20 Jul 2017 08:28:39 GMT

fw ctl affinity -l -v -r is a useful command when you're attempting to finetune the affinity of an IRQ to an interface. This is especially useful when looking at the amount of traffic received by an interface that deserves more "horsepower" and should not be sharing CPU time with other interfaces. This command will list what interface is connected to what IRQ to what core. "fw ctl affinity -s" will subsequently allow you to set the values.

Note that Multi Queue enabled interfaces will not show up as they are assigned "automagically"

Re: My Top 3 Check Point CLI commands

Andrejs__Андрей — Thu, 20 Jul 2017 11:34:41 GMT

plus

netstat -ni - check drop on interfaces;

and

ps axwf -o pid,cpuid,pcpu,pmem,time,comm - processes and daemons utilization by cpu-core, mem;

it's all for multicore performance tuning.

regards,

ak.

Re: My Top 3 Check Point CLI commands

Gaurav_Pandya — Thu, 20 Jul 2017 14:08:07 GMT

I will prefer below commands.

fw ctl zdebug drop

cpview

fw tab -s -t connections

fw ctl pstat

Re: My Top 3 Check Point CLI commands

Mark_Sowell — Thu, 20 Jul 2017 16:14:43 GMT

1. cpstat mg - (SMS/CMA) Shows connected clients and status.
2. cpstat ha -f all - (GW) Shows sync details.
3. cpstat blades - (GW) Shows packets accepted, dropped, peak connections, and top rule hits.

Re: My Top 3 Check Point CLI commands

Kirsten_Turnbul — Thu, 20 Jul 2017 16:32:52 GMT

I would have to say:

fwmon

tcpdump

cpview

Re: My Top 3 Check Point CLI commands

Lon_Kaut — Thu, 20 Jul 2017 18:48:48 GMT

This command allowed me to execute commands, transfer files etc with a remote gateway without needing credentials. I was able to use it to copy a new shadow file to the remote gateway when password was lost/corrupted.

cprid_util (--help)

Re: My Top 3 Check Point CLI commands

Eduardo_Pereira — Thu, 20 Jul 2017 19:05:08 GMT

1) I created a "watch" command with many tecli commands to monitor TE (deployed on Cloud) live emulations:

watch -d -n 1 "echo \_______________________;echo TE Engine Status:;echo \_______________________;tecli control status;tecli show statistics | grep -E '(engine version is)';echo;echo \_______________________;echo VM Cloud Images;echo \_______________________;tecli ca du al | grep -E '(Image UID)';echo;echo \_______________________;echo Live Cloud Queue:;echo \_______________________;tecli show cloud queue;echo;echo \_______________________;echo History Malicious:;echo \_______________________;echo;tecli ca du al | grep -E '(-----|sha1|malicious)';echo;echo \_______________________;echo TE Cloud Quota Stats:;echo \_______________________;tecli show statistics | grep -E '(day)';echo .......................................................................................................;tecli show statistics | grep -E '(Scanned files:|static analysis|local cache|cloud cache|cloud process time)';echo .......................................................................................................;echo;tecli show cloud quota| grep -E '(Quota identifier|Quota subscription:|Usage for gw:|Remain:|Exceeded:)'"

The outcome would be something like this:

2) cpview

Definitely, the most complete clish command.

3) fw monitor

Very helpful debugging tool.

Re: My Top 3 Check Point CLI commands

Timothy_Hall — Fri, 21 Jun 2019 08:56:16 GMT

Lots of good ones so far, but just to be different the following commands are somewhat obscure but certainly come in handy occasionally (yes I'm well aware of the -f option for #1 and #2 but using it makes the commands take forever to execute):

1) fw tab -u -t connections | awk '{ print $2 }' | sort -n | uniq -c | sort -nr | head -10

This will show the top ten source IPs hogging slots in the connection table in descending order, however you will need to manually convert the IP addresses displayed from hex to decimal like so: 0a1e0b53 = 10.30.11.83. For the top 10 destinations, substitute $4 for $2 in the awk command above.

2) How many concurrent connections are currently using a particular Hide NAT address and how close are we to the 50k concurrent connection limit? Going over the 50k limit causes the new traffic to be dropped and the infamous "NAT Hide failure - there are currently no available ports for hide operation" message. Edit: The 50k limit can be surpassed by setting up what I call a "many to fewer" NAT, see my post in the following thread:

https://community.checkpoint.com/message/6516-r8010-hide-behind-many-question

Assume the Hide NAT address in question is 203.0.113.1:

fw tab -u -t connections | grep -ci cb007101

Divide the number reported by 2, and you have your answer. The result must be divided by 2 because each post-NATted connection is represented by 2 flows, one outbound (c2s) and one inbound (s2c). Also the NAT IP address must be converted from the dotted quad format to hexadecimal as shown.

3) show routed cluster-state detailed

An undocumented clish command introduced in R77.30 that shows a concise timeline of ClusterXL failover events in a single display. Very handy when trying to correlate unexpected ClusterXL failovers to external network events, or trying to determine if unexplained failovers occur with any suspicious regularity that may point to the real culprit. Definitely beats trying to pore through a sea of Control events (grey wrench icon) in the firewall logs!

--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.