Pearl

Common Check Point Commands (ccc)

🏆 Code Hub Contribution of the Year 2018!
👍 Endorsed by Check Point Support!
📕 Max Power 2020 advice!

ccc is a menu-driven script to run Check Point CLI tasks and show advanced system summary information.
License: GPL

Installation (expert mode) or download:
curl_cli -k https://dannyjung.de/ccc | zcat > /usr/bin/ccc && chmod +x /usr/bin/ccc

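A staged alternative to piping the download straight into /usr/bin, as an added example that is not part of the original post or of ccc: fetch the archive to a file first, then install it only if it matches a known digest, is a valid gzip stream and parses as a shell script. The function name and the expected digest are assumptions; the page publishes no checksum, so the digest has to come from a copy you have already reviewed.

```shell
# verify_and_install GZ_FILE EXPECTED_SHA256 DEST   (hypothetical helper)
# EXPECTED_SHA256 is an assumption: a digest recorded from a reviewed copy.
# Returns 0 on success, 1 digest mismatch, 2 not gzip, 3 not a script, 4 no temp file.
verify_and_install() {
    vi_src=$1 vi_want=$2 vi_dest=$3

    # 1. The downloaded bytes must be exactly the bytes that were reviewed.
    vi_got=$(sha256sum "$vi_src" | awk '{print $1}')
    [ "$vi_got" = "$vi_want" ] || { echo "digest mismatch: $vi_got" >&2; return 1; }

    # 2. The archive must be an intact gzip stream (an HTML error page is not).
    gzip -t "$vi_src" 2>/dev/null || { echo "not a valid gzip stream" >&2; return 2; }

    vi_tmp=$(mktemp) || return 4
    gzip -dc "$vi_src" > "$vi_tmp"

    # 3. The payload must start with a shebang and parse as shell code.
    if ! head -n 1 "$vi_tmp" | grep -q '^#!' || ! bash -n "$vi_tmp" 2>/dev/null; then
        rm -f "$vi_tmp"
        echo "payload is not a parseable script" >&2
        return 3
    fi

    # 4. Write next to DEST and rename, so DEST is never left half-written.
    cp "$vi_tmp" "$vi_dest.new" && chmod 755 "$vi_dest.new" && mv "$vi_dest.new" "$vi_dest"
    vi_rc=$?
    rm -f "$vi_tmp"
    return $vi_rc
}
```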

218 Replies
Highlighted

Hi there, I don't see an actual download for the script, can I just save the text in notepad and save it as ccc.sh, move it to my gateway and execute it by ./ccc.sh?

Thanks in advance and excellent job on the script and great collaboration between everyone!

0 Kudos
Highlighted

On R80.30 I see some problems.

1.  last -20 -w Show last 20 logins by name

[Executing:]# last -20 -w
last: invalid option -- w
Usage: last [-num | -n num] [-f file] [-t YYYYMMDDHHMMSS] [-R] [-x] [-o] [username..] [tty..]

Done.

2. tail $FGDIR/log/fgd.elg Show last 10 entries in QoS log

[Executing:]# tail /opt/CPsuite-R80.30/fg1/log/fgd.elg
tail: cannot open `/opt/CPsuite-R80.30/fg1/log/fgd.elg' for reading: No such file or directory

Done.

0 Kudos
Highlighted
Pearl

Fixed in version 4.6

0 Kudos
Highlighted

Maybe you can also add treesize, a script I have on all the MDS servers I manage. It looks like this (I picked this one up a while back):

-----------

du -k --max-depth=1 | sort -nr | awk '
   BEGIN {
        split("KB,MB,GB,TB", Units, ",");
   }
   {
        u = 1;
        while ($1 >= 1024) {
             $1 = $1 / 1024;
             u += 1
        }
        $1 = sprintf("%.1f %s", $1, Units[u]);
        print $0;
    }
   '

---------

Regards, Maarten
0 Kudos
Highlighted

Please disregard my question, I was able to figure it out, thanks again everyone for the great teamwork!

Highlighted
Silver

I will share this later, atm I can not access my testlab...

Highlighted
Silver

I love the new colors - great job!

At the moment the script shows all commands on all devices even if there are no relevant blades active on the device where you are executing the script.

For example: with "enabled_blades" you can check if vpn is active or not. If not you do not need to offer vpn relevant commands.

The same I can imagine with ips, threatemulation etc...

BTW: I am missing threatemulation commands. Do you need some?

Further it would be helpful to identify when the script starts if the system where the script is running on is a management, a log server or a gateway. 

If it is a gateway: is it a cluster, is it vsx and which blades are active?

With this set of information you can choose which commands you will show in the menu.

Maybe I can build some code on the weekend.

Cheers

Sven

Highlighted

As we are stepping into color era now, I would suggest to mark "dangerous" commands in red or orange color.

25 - fwaccel off - Disable SecureXL acceleration"
30 - fw unloadlocal; fw stat - Unload security policy on localhost"
36 - fw amw unload; fw stat -b AMW - Disable Threat Prevention"
47 - clusterXL_admin down - Create ClusterXL faildevice"
70 - mdsstop - Stop Multi-Domain Server"
72 - mdsstop_customer <DMS_ID or DMS_IP or DMS_Name> - Stop specific DMS
74 - cpwd_admin stop -name FWM -path "FWDIR/bin/fw" -command "fw kill fwm" - Stop Firewall Management only"

Another possibility is to use green color for commands that enable/turn on something. So, there could be several types of commands - informational (cyan), turn off / stop (red), and turn on / start (green).

Highlighted
Pearl

System info, Threat Emulation & Extraction commands were implemented in version 1.1

Highlighted
Pearl

Attachments implemented in version 1.1

Highlighted
Pearl

Implemented in version 1.1

Highlighted
Nickel

echo " ${BOLD}76${NORM} - ${WARN}cpwd_admin stop -name FWM -path "$FWDIR/bin/fw" -command "fw kill fwm"${NORM} - Stop Firewall Management only"

you have "$FWDIR/bin/fw"    ...missing the "m" on the end?

Highlighted
Pearl

The command is correct. There is no "m" missing on the end. Read here and there.

Highlighted

I like the system information when you start the script and added a little improvement:

# Variables

...

MGMTIP=$(cat $CPDIR/registry/HKLM_registry.data | grep ICAip | awk '{print $2}')

...

and in the system output section:

          echo "-------------------------------------------------"
          echo "  ${BOLD}Common Check Point Commands (ccc) v1.1${NORM}"
          echo "-------------------------------------------------"
          echo "  System: ${BOLD}${SYSTEM}${NORM}"
          echo "  Appliance / Server: ${BOLD}${TYPE}${NORM}"
          echo "  Version: ${BOLD}${VERSION}${NORM}"
          echo "  Uptime: ${BOLD}${UPTIME}${NORM}"
          if [[ $($CPDIR/bin/cpprod_util FwIsFirewallModule 2> /dev/null) == *"1"*  ]]; then echo "  Gateway managed by: $MGMT (IP: ${MGMTIP:1:${#MGMTIP}-2})"
          elif [[ $($CPDIR/bin/cpprod_util FwIsVSX 2> /dev/null) == *"1"* ]]; then echo "  Gateway managed by: $MGMT (IP: ${MGMTIP:1:${#MGMTIP}-2})"
          fi
          echo "-------------------------------------------------"
  

The command above shows you the management name and IP address of a gateway/VSX.

Highlighted
Pearl

Implemented in version 1.2

Highlighted
Sapphire

Hmmm - tried it on my SMS:

----------

[Expert@SMS8010:0]# ccc
cat: /opt/CPsuite-R80/fw1/conf/masters: No such file or directory
grep: /opt/CPsuite-R80/fw1/state/local/AMW/local.IPS.set: No such file or directory
date: invalid date `@'
--------------------------------------------------v1.2--
  ccc > SMS8010
--------------------------------------------------------
  System: SmartEvent Server
  Appliance / Server: VMware Virtual Platform
  Version: Check Point Gaia R80.10
  Uptime: 1 day
--------------------------------------------------------

[ MAIN MENU ]

---------

I find the error message on start rather confusing - but strangest phenomenon is

System: SmartEvent Server

In SMS object, SmartEvent Server and Correlation Unit are disabled, evconfig also shows everything disabled... Still, $CPDIR/bin/cpprod_util RtIsRt gives 1, same as $CPDIR/bin/cpprod_util FwIsFirewallMgmt.

Highlighted
Pearl

Implemented in version 1.3

Note: Even Check Point's cpview and healthcheck script v4.08 and cpconfig's 'Automatic start of Check Point Products' detect SmartCenter/SmartEvent Servers incorrectly. I fixed that by checking for the CPSEMD SmartEvent process instead.

Highlighted

In the MDS part I did see mdsstart and mdsstart_customer, but I did not see the mdsstart -m and mdsstop -m to only stop the MDS itself, but not the domains.

Regards, Maarten
Highlighted

Just one suggestion: In case you have enabled sandblast on your firewall, it could be useful to watch stuck files in the local Check Point postfix mail queue. I implemented this on those firewalls with a bash alias: mailq='/opt/postfix/usr/sbin/postqueue -p -c /opt/postfix/etc/postfix/' Maybe this is useful for adding to the ccc script?

Maybe a funny fact about the name of the script ccc: CCC is in Germany the acronym for the Chaos Computer Club  🙂

Highlighted
Silver

Hi Danny,

thanks for adding TE support.

Number 82 would look much nicer in this way:

echo "Global file throughput (TE+AV): $(tecli sh th m) | $(tecli sh th h) | $(tecli sh th d)"

Another nice command I like is

tecli s e e

It shows the running emulations and their states.

Additionally it would be helpful to have a command that monitors the mail queue. I do not have access to my testlab, so I can not provide the relevant command, sorry...

Thanks Sven

0 Kudos
Highlighted

First of all, I love this script! Thanks a lot.

Can we add another command here:

          echo "  ${BOLD}76${NORM} - ${WARN}cpwd_admin stop -name FWM -path "$FWDIR/bin/fw" -command "fw kill fwm"${NORM} - Stop Firewall Management only"
          echo "  ${BOLD}77${NORM} - ${ENAB}cpwd_admin start -name FWM -path "$FWDIR/bin/fwm" -command "fwm"${NORM} - Start Firewall Management only"

NEW echo "  ${BOLD}XX${NORM} - ${WARN}cpwd_admin stop -name FWM -path "$FWDIR/bin/fw" -command "fw kill fwm"; sleep 2;cpwd_admin start -name FWM -path "$FWDIR/bin/fwm" -command "fwm"${NORM} - Restart Firewall Management only"

Thanks

0 Kudos
Highlighted
Iron

Nice share, thanks a lot!!!

0 Kudos
Highlighted
Employee+

can we add IPv6 command as well?

0 Kudos
Highlighted
Pearl

Implemented in version 1.4

Highlighted
Pearl

Implemented in version 1.4

Highlighted
Pearl

Implemented in version 1.4

Highlighted
Pearl

Thanks for the suggestion! As you just want to run two commands after another, simply enter the relevant numbers after another. From my experience two seconds might not be enough to re-initiate the starting process after stopping it. This needs to be monitored by the admin in charge while executing such commands.

Highlighted
Pearl

Of course! We are looking forward to your additions

Highlighted

Indeed we can do that, but the impact is lower if we run "all in one" command.
But I understand the point.

0 Kudos
Highlighted
Silver

Hi Danny,

I checked the new Identity Awareness commands.

On a daily basis I more often use specific searches instead of "pep show user all" or "pdp monitor all".

What about adding some functions for more user interaction?

# Functions

pep_user_query () {
    echo "Query Identity Awareness for specific"
    echo "1) Match entries with <username>"
    echo "2) Match entries with machine <machine name>"
    echo "3) Match entries that were updated by the given PDP"
    echo "4) Match entries of clients with specific Client ID"
    echo "5) Match entries that match full or partially the given uid"
    echo "6) Match entries with given group"
    echo "7) Match entries with machine group"
    echo "8) Match entries with given compliance"
    echo "9) Match entries with given identity role"

    echo
    # read -r keeps backslashes literal; the variables are quoted below so the
    # search string is passed as one argument, without word splitting or globbing
    echo -en "Your choice: "; read -r ia
    echo -en "Searchstring: "; read -r search

    case "$ia" in
        1) pep show u q usr "$search"
        ;;
        2) pep show u q mchn "$search"
        ;;
        3) pep show u q pdp "$search"
        ;;
        4) pep show u q cid "$search"
        ;;
        5) pep show u q uid "$search"
        ;;
        6) pep show u q ugrp "$search"
        ;;
        7) pep show u q mgrp "$search"
        ;;
        8) pep show u q cmp "$search"
        ;;
        9) pep show u q role "$search"
        ;;
    esac

}

pdp_monitor_query () {
    echo "Query PDP Monitor for specific"
    echo "1) user - print sessions filtered by user name"
    echo "2) ip - print sessions filtered by ip"
    echo "3) s_port - print sessions filtered by assigned source port (MUH sessions only)"
    echo "4) machine - print sessions filtered by machine name"
    echo "5) mad - print sessions that are from managed asset machines"
    echo "6) client_type - print sessions filtered by client type"
    echo "7) groups - print sessions filtered by groups (user/machine)"
    echo "8) cv_ge - print sessions that the client version is greater (or equal) from given version"
    echo "9) cv_le - print sessions that the client version is less (or equal) from given version"

    echo
    echo -en "Your choice: "; read -r ia
    echo -en "Searchstring: "; read -r search

    case "$ia" in
        1) pdp monitor user "$search"
        ;;
        2) pdp monitor ip "$search"
        ;;
        3) pdp monitor s_port "$search"
        ;;
        4) pdp monitor machine "$search"
        ;;
        5) pdp monitor mad "$search"
        ;;
        6) pdp monitor client_type "$search"
        ;;
        7) pdp monitor groups "$search"
        ;;
        8) pdp monitor cv_ge "$search"
        ;;
        9) pdp monitor cv_le "$search"
        ;;
    esac
}

[...]

echo " ${BOLD}98${NORM} - ${CYAN}pep show user QUERY${NORM} - Identity Awareness > Show specific sessions"
echo " ${BOLD}99${NORM} - ${CYAN}pdp monitor QUERY${NORM} - Identity Awareness > Show specific sessions"

[...]

98) pep_user_query
;;
99) pdp_monitor_query
;;

[...]

0 Kudos
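An added example, not part of the post above or of ccc itself: one way to harden the interactive query so that the menu choice only ever selects a fixed filter keyword and the search string is checked before it reaches the pep command line. The function names, the allowed character set and the PEP_CMD override (used to exercise the logic without a gateway) are assumptions; the same pattern applies to the pdp monitor menu.

```shell
# pep_filter_for CHOICE -> prints the pep filter keyword for a menu number,
# returns 1 for anything that is not one of the nine offered choices.
pep_filter_for() {
    case "$1" in
        1) echo usr ;;
        2) echo mchn ;;
        3) echo pdp ;;
        4) echo cid ;;
        5) echo uid ;;
        6) echo ugrp ;;
        7) echo mgrp ;;
        8) echo cmp ;;
        9) echo role ;;
        *) return 1 ;;
    esac
}

# valid_search STRING -> 0 if the string is non-empty, does not look like an
# option and uses only a conservative character set (assumed; widen as needed).
valid_search() {
    case "$1" in
        ''|-*) return 1 ;;                   # empty, or would be parsed as a flag
        *[!A-Za-z0-9._@:-]*) return 1 ;;     # whitespace, globs, shell metacharacters
    esac
    return 0
}

# safe_pep_query CHOICE SEARCH -> runs the query; returns 2 on rejected input.
# PEP_CMD is a hypothetical override so the function can be tested off-box.
safe_pep_query() {
    spq_filter=$(pep_filter_for "$1") || { echo "unknown choice: $1" >&2; return 2; }
    valid_search "$2" || { echo "rejected search string" >&2; return 2; }
    ${PEP_CMD:-pep} show u q "$spq_filter" "$2"
}
```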