Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 

ccc - Common Check Point Commands

Danny
Champion Champion
Champion

🏆 Code Hub Contribution of the Year 2018!
🎓 Featured in official Maestro courseware!
👍 Endorsed by Check Point Support!
📕 Books: Max Power, FW Admin
▶️ YouTube: Intro

ccc script to run CLI tasks & show system info.

Installation


    curl_cli $(if [[ `grep proxy:ip /config/active` ]];then echo -n '--proxy ';grep proxy:ip /config/active|cut -f2 -d' '|tr -d '\n';echo -n :;grep proxy:port /config/active|cut -f2 -d' ';fi) -k https://dannyjung.de/ccc|zc
...;
TO ACCESS CHECKMATES TOOLBOX it's simple and free

Disclaimer: Check Point does not provide maintenance services or technical or customer support for third party content provided on this Site, including in CheckMates Toolbox. See also our Third Party Software Disclaimer.




(2)
244 Replies

Jay_Jeffcoat
Participant

Hi there, I don't see an actual download for the script, can I just save the text in notepad and save it as ccc.sh, move it to my gateway and execute it by ./ccc.sh?

Thanks in advance and excellent job on the script and great collaboration between everyone!

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

Hugo_vd_Kooij
Advisor

On R80.30 I see some problems.

1.  last -20 -w Show last 20 logins by name

[Executing:]# last -20 -w
last: invalid option -- w
Usage: last [-num | -n num] [-f file] [-t YYYYMMDDHHMMSS] [-R] [-x] [-o] [username..] [tty..]

Done.

2. tail $FGDIR/log/fgd.elg Show last 10 entries in QoS log

[Executing:]# tail /opt/CPsuite-R80.30/fg1/log/fgd.elg
tail: cannot open `/opt/CPsuite-R80.30/fg1/log/fgd.elg' for reading: No such file or directory

Done.

 

 

 

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

Danny
Champion Champion
Champion

Fixed in version 4.6

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

Maarten_Sjouw
Champion
Champion

Maybe you can also add treesize, a script I have on all the MDS servers I manage. It looks like this (I picked this one up a while back):

-----------

du -k --max-depth=1 | sort -nr | awk '
   BEGIN {
        split("KB,MB,GB,TB", Units, ",");
   }
   {
        u = 1;
        while ($1 >= 1024) {
             $1 = $1 / 1024;
             u += 1
        }
        $1 = sprintf("%.1f %s", $1, Units[u]);
        print $0;
    }
   '

---------

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

Jay_Jeffcoat
Participant

Please disregard my question, I was able to figure it out, thanks again everyone for the great teamwork!

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


Sven_Glock
Advisor

I will share this later, atm I can not access my testlab...

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


Sven_Glock
Advisor

I love the new colors - great job!

At the moment the script shows all commands an all devices even if there are no relevant blades active on the device where you are executing the script.

For example: with "enabled_blades" you can check if vpn is active or not. If not you do not need th offer vpn relevant commands.

The same I can imagine with ips, threatemulation etc...

BTW: I am missing threatemulation commands. Do you need some?

Further it would be helpful to identif

...;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


AlekseiShelepov
Advisor

As we are stepping into color era now, I would suggest to mark "dangerous" commands in red or orange color.

25 - fwaccel off - Disable SecureXL acceleration"
30 - fw unloadlocal; fw stat - Unload security policy on localhost"
36 - fw amw unload; fw stat -b AMW - Disable Threat Prevention"
47 - clusterXL_admin down - Create ClusterXL faildevice"
70 - mdsstop - Stop Multi-Domain Server"
72 - mdsstop_customer <DMS_ID or DMS_IP or DMS_Name> - Stop specific DMS
74 - cpwd_admin stop -name FWM -

...;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


Danny
Champion Champion
Champion

System info, Threat Emulation & Extraction commands were implemented in version 1.1

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


Danny
Champion Champion
Champion

Attachments implemented in version 1.1

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


Danny
Champion Champion
Champion

Implemented in version 1.1

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


Ivan_Moore
Contributor

echo " ${BOLD}76${NORM} - ${WARN}cpwd_admin stop -name FWM -path "$FWDIR/bin/fw" -command "fw kill fwm"${NORM} - Stop Firewall Management only"

you have "$FWDIR/bin/fw"    ...missing the "m" on the end?

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


Danny
Champion Champion
Champion

The command is correct. There is no "m" missing on the end. Read here and there.

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


Martin_Heim
Participant

I like the system information when you start the script and added a litte improvement:

# Variables

...

MGMTIP=$(cat $CPDIR/registry/HKLM_registry.data | grep ICAip | awk '{print $2}')

...

and in the system output section:

          echo "-------------------------------------------------"
          echo "  ${BOLD}Common Check Point Commands (ccc) v1.1${NORM}"
          echo "-------------------------------------------------"
          echo "  System: ${BOLD}${SYSTEM}${NORM}"
   

...;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


Danny
Champion Champion
Champion

Implemented in version 1.2

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


G_W_Albrecht
Legend
Legend

Hmmm - tried it on my SMS:

----------

[Expert@SMS8010:0]# ccc
cat: /opt/CPsuite-R80/fw1/conf/masters: No such file or directory
grep: /opt/CPsuite-R80/fw1/state/local/AMW/local.IPS.set: No such file or directory
date: invalid date `@'
--------------------------------------------------v1.2--
  ccc > SMS8010
--------------------------------------------------------
  System: SmartEvent Server
  Appliance / Server: VMware Virtual Platform
  Version: Check Point Gaia R80.10
  Uptime: 1 day
----------

...;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


Danny
Champion Champion
Champion

Implemented in version 1.3

Note: Even Check Point's cpview and healthcheck script v4.08 and cpconfig's 'Automatic start of Check Point Products' detect SmartCenter/SmartEvent Servers wrong. I fixed that by checking for the CPSEMD SmartEvent process instead.

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


Maarten_Sjouw
Champion
Champion

In the MDS part I did see mdsstart and mdsstart_customer, but I did not see the mdsstart -m and mdsstop -m to only stop the MDS itself, but not the domains.

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


Ralf_Naegele
Participant

Just one suggestion: In case you have enabled sandblast on your firewall, it could be useful to watch stuck files in the local Check Point postfix mail queue. I implemented this on those firewalls with a bash alias: mailq='/opt/postfix/usr/sbin/postqueue -p -c /opt/postfix/etc/postfix/' Maybe this is useful for adding to the ccc script?

Maybe a funny fact about the name of the script ccc: CCC is in Germany the acronym for the Chaos Computer Club  🙂

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


Sven_Glock
Advisor

Hi Danny,

thanks for adding TE support.

Nummer 82 would look much nicer in this way:

echo "Global file throughput (TE+AV): $(tecli sh th m) | $(tecli sh th h) | $(tecli sh th d)"

An other nice command I like is

tecli s e e

It shows the running emulations and their states.

Additionally I would be helpful to have a command that is monitoring the mailqueune. I do not have access to my testlab, so I can not provide the relevant command, sorry...

Thanks Sven

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

Arthur_DENIS1
Advisor
Advisor

First of all, I love this script ! Thanks a lot Smiley Happy

Can we add another command here:

          echo "  ${BOLD}76${NORM} - ${WARN}cpwd_admin stop -name FWM -path "$FWDIR/bin/fw" -command "fw kill fwm"${NORM} - Stop Firewall Management only"
          echo "  ${BOLD}77${NORM} - ${ENAB}cpwd_admin start -name FWM -path "$FWDIR/bin/fwm" -command "fwm"${NORM} - Start Firewall Management only"

NEW echo "  ${BOLD}XX${NORM} - ${WARN}cpwd_admin stop -name FWM -path "$FWDIR/bin/fw" -command "fw

...;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

Han_Kang
Participant

nice shared ,thanks a lot!!!

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

Ilya_Yusupov
Employee
Employee

can we add IPv6 command as well?

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

Danny
Champion Champion
Champion

Implemented in version 1.4

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


Danny
Champion Champion
Champion

Implemented in version 1.4

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


Danny
Champion Champion
Champion

Implemented in version 1.4

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


Danny
Champion Champion
Champion

Thanks for the suggestion! As you just want to run two commands after another, simply enter the relevant numbers after another. From my experience two seconds might not be enough to re-initiate the starting process after stopping it. This needs to be monitored by the admin in charge while executing such commands.

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


Danny
Champion Champion
Champion

Of course! We are looking forward to your additions

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


Arthur_DENIS1
Advisor
Advisor

Indeed we can do that, but the impact is lower if we run "all in one" command.
But I understand the point.

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

Sven_Glock
Advisor

Hi Danny,

I checked the new Identity Awareness commands.

On dayly basis I use more often specifiy searches instead of "pep show user all" or "pdp monitor all".

What about adding some functions for more user interaction?

54 # Functions
55
56 pep_user_query () {
57 echo "Query Identity Awareness for specific"
58 echo "1) Match entries with <username>"
59 echo "2) Match entries with machine <machine name>"
60 echo "3) Match entries that were updated by the given PDP"
61

...;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos