ccc - Common Check Point Commands

Danny
Champion

ccc script to run CLI tasks & show system info.

Installation


    curl_cli $(if [[ `grep proxy:ip /config/active` ]];then echo -n '--proxy ';grep proxy:ip /config/active|cut -f2 -d' '|tr -d '\n';echo -n :;grep proxy:port /config/active|cut -f2 -d' ';fi) -k https://dannyjung.de/ccc|zc
...




244 Replies

Ty_King
Explorer

Version 1.7 seems to have a typo in the main menu:  Two entries for Cluster XL Troubleshooting, although second entry goes to VPN troubleshooting as expected.  Otherwise, great tool.  Thanks to all the contributors.

[ MAIN MENU ]

Firewall-Management & Gateway >
Firewall-Management >
Firewall Gateway >
ClusterXL Troubleshooting >
ClusterXL Troubleshooting >
Multi-Core Performance Tuning >
VSX Troubleshooting >
MDS Troubleshooting >
Standalone Firewall & Management >
Threat

...

Danny
Champion

Fixed in version 1.8



Robert_Stewart
Participant

Not entirely sure what you mean by disabled interfaces, but it seems to include interfaces clish believes are off.

MyFW2> show configuration

...

set interface eth1-08 state off

set interface eth2-01 state off

set interface eth2-02 state on

add bonding group 1 interface eth2-02

...

[me@MyFW2 Standby]# ifconfig -a | egrep "^[^ ]"

...

eth1-08     Link encap:Ethernet  HWaddr 00:1C:7F:__:__:__

eth2-01     Link encap:Ethernet  HWaddr 00:1C:7F:__:__:__

eth2-02     Link

...

Danny
Champion

Thanks for your input. It is much appreciated. I tried your commands, which are leading to different results. I've seen various situations where ifconfig shows different results when interfaces had no link, were not configured or were simply shut down (state: off). The current solution via cpstat os -f ifconfig accompanied by our one-liner can of course be much more optimized. Personally I'd prefer one sorted result instead of two resulting tables in different layouts. Maybe you'd like to com

...


Robert_Stewart
Participant

I just tested results with this:

ifconfig -a | egrep "^[^ ]" | awk '{print $1}' | sort > ifconfigA.txt
ip link show | egrep "^[^ ]" | awk '{print $2}' | sed -r 's#^([^@:]+)[@:].*#\1#' | sort > ipLinkShow.txt
netstat -i | tail -n +3 | awk '{print $1}' | sort > netstatI.txt

I then used 'diff' to compare the outputs. ifconfigA.txt and ipLinkShow.txt were exactly the same. netstatI.txt was missing interfaces with clish state off. The interfaces on this system in state off are not phys

...
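As an added example (not code from the ccc script or from Robert's post), the comparison described above worked through on constructed sample output: the `ip link show` and `netstat -i` text processing is wrapped in shell functions, and `comm` reports the names that netstat omits (here the interface in clish state off).

```shell
# Parse "ip link show" and "netstat -i" output into sorted interface-name lists
# and report which names the netstat list lacks. The sample text below is
# constructed to resemble real output; it was not captured from a gateway.

# Names from "ip link show": field 2 of each unindented line, with the trailing
# ':' and any '@parent' suffix (VLAN/veth entries) stripped off.
iplink_names() {
    grep -E '^[^ ]' | awk '{print $2}' | sed -E 's#^([^@:]+)[@:].*#\1#' | sort
}

# Names from "netstat -i": skip the two header lines, keep field 1.
netstat_names() {
    tail -n +3 | awk '{print $1}' | sort
}

# Lines present in the first sorted file but absent from the second.
missing_from_second() {
    comm -23 "$1" "$2"
}

SAMPLE_IPLINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth1-08: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN
    link/ether 00:1c:7f:00:00:08 brd ff:ff:ff:ff:ff:ff
3: eth2-02: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 master bond1 state UP
    link/ether 00:1c:7f:00:00:22 brd ff:ff:ff:ff:ff:ff
4: bond1: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    link/ether 00:1c:7f:00:00:22 brd ff:ff:ff:ff:ff:ff
5: bond1.100@bond1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    link/ether 00:1c:7f:00:00:22 brd ff:ff:ff:ff:ff:ff'

# netstat -i lists only interfaces the kernel considers active: eth1-08 is absent.
SAMPLE_NETSTAT='Kernel Interface table
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
lo    65536   0      10      0      0 0            10      0      0      0 LRU
eth2-02 1500   0    1000      0      0 0           900      0      0      0 BMsRU
bond1   1500   0    1000      0      0 0           900      0      0      0 BMmRU
bond1.100 1500 0     500      0      0 0           400      0      0      0 BMRU'

# Run the whole comparison on the samples; prints the names netstat is missing.
compare_samples() {
    tmp=$(mktemp -d)
    printf '%s\n' "$SAMPLE_IPLINK" | iplink_names > "$tmp/iplink.txt"
    printf '%s\n' "$SAMPLE_NETSTAT" | netstat_names > "$tmp/netstat.txt"
    missing_from_second "$tmp/iplink.txt" "$tmp/netstat.txt"
    rm -rf "$tmp"
}
```

On a real box, replace the sample variables with `ip link show` and `netstat -i` output piped into the same functions.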

Danny
Champion

This would cause a huge latency increase on script start while I'm looking to decrease the current delay. Instead of calling external applications I'd prefer grepping some files' content instead, because it's much faster.



Danny
Champion

Thanks, I'll check tomorrow if this is a valid replacement for the current commands.



Kumar_Gollapudi
Participant

How do I check the access list in Check Point through the CLI (like Cisco's show access-list)?

any help is much appreciated.


AlekseiShelepov
Advisor

It is not possible.


Danny
Champion

It is. See here.



AlekseiShelepov
Advisor

As I understand it, mgmt_cli and the API work only on the Management server and only in R80.10. I thought that the question was how to check that on a gateway itself, like what rules are used on it. Maybe I misinterpreted it.

But anyway, there is a separate thread for this question.


Danny
Champion

Even on the gateway it is possible by looking into the $FWDIR/state/local/FW1 directory as described several times in this community.



Danny
Champion

System info was extended in version 2.1



Robert_Stewart
Participant

Here is a linear-log plot of the execution time of commands to find the interface names. In green, we have 'ip link show', in orange, we have 'ifconfig -a', and in blue, 'cpstat os -f ifconfig'. All include the necessary text processing to get down to just a list of interface names with no additional information. I ran them each 1000 times to collect the data. The X axis is the time taken, and the Y axis is the number of times the command took that long. 'ip link show' took 0.004 seconds

...


G_W_Albrecht
Legend
Legend

It is 2.1 now already - great work! This by now is a really lovely tool.

Besides, I noticed a bug: on the FIREWALL-MANAGEMENT page, the last command (cpca_client set_mgmt_tool off) is also used for the "on" command before it, and then all the entries above trigger the next command instead of the displayed one. The line for migrate export issues the vpn overlap_encdom command, and then the first command is correct again. So migrate export is currently left out.

Also a slight feeling of insecurity: When started, the scrip

...

Danny
Champion

Thanks for providing these interesting results. Let's create a one-liner based on 'ip link show' that provides similar output to what 'cpstat os -f ifconfig' provides.



Danny
Champion

Fixed in version 2.2. If you don't want the self-update as requested by other users, just comment out the two lines in the script.



G_W_Albrecht
Legend
Legend

Yes, that is an easy task 😉


Maciej_Maczka
Contributor

Hi,

Great tool!

Some commands for MTA (maybe new branch?):

cpstat fw -f smtp
tail -f  /var/log/maillog
/opt/postfix/usr/sbin/postqueue -c /opt/postfix/etc/postfix/ -p
tail  $FWDIR/log/emaild.mta.elg

Bug:

When trying to select:  Threat Emulation -> /opt/postfix/usr/sbin/postqueue -c /opt/postfix/etc/postfix/ -p this option disappears and I am unable to use arrows anymore.

Best Regards

Maciej


Danny
Champion

Commands and code optimization implemented in version 2.3

Changed tail -f to tail because it's non-interactive and SIGINT (Ctrl-C) needs to be pressed in order to quit the routine, which quits ccc as well.

Thanks!



Sven_Glock
Advisor

Hi Danny,

in [ < MAIN - MULTI-CORE PERFORMANCE TUNING ] you have 

netstat -ni Check for drop on interfaces

Beat me when I am wrong, but I think this is not multicore relevant 

in [ < MAIN - FIREWALL-MANAGEMENT & GATEWAY ] you already have 
cpstat os -f ifconfig Show advanced interface summary

Both commands have pretty much the same output.

Maybe you can remove one of them.

Regards

Sven


Tom_Cripps
Advisor

How easy would it be to implement the watch command into the commands? I think that's a really good feature to see the increase or decrease of values when running a command? I sometimes come out of the script to then run the command separately?



Kevin_Orrison
Collaborator

Wow, this is really cool!



HeikoAnkenbrand
Champion

Hello Danny,
Thanks for the 2500 points. It's a little too much for a one-liner (One-liner for Address Spoofing Troubleshooting).
I think it's a great community and we should all help each other without rewards.

I gave you back 2500 points for your great work in this article, Common Check Point Commands (ccc).

And thanks to everyone who helped to find the great commands for ccc.

For more info see this article with revisions:

Show Address Spoofing Networks via CLI

...


Niels_van_Sluis
Contributor

Cool tool! Another suggestion to add to the Threat Extraction menu:

scrub bypass on|off|state

Bypasses all files. Use this command to debug issues with the scrub (Threat Extraction) daemon. When you set bypass to active, requests from the mail transfer agent (MTA) to the scrub daemon are not handled. Threat Extraction is suspended. No files are cleaned.

[Expert@te250x:0]# scrub bypass
Available options: 
scrub bypass on - activate bypass 
scrub bypass off - deacti
...

Gomboragchaa
Advisor

+1


Danny
Champion

Added in version 2.4



Norbert_Bohusch
Advisor

The System info is wrong on a Server running FW Management & SmartEvent, because it only says SmartEvent server, even though it is both.



Danny
Champion

I ended up dropping your one-liner as it still relies on ifconfig and not the actual configuration from $FWDIR/state/local/FW1/local.set which can differ from what is configured in GAiA. This makes troubleshooting address spoofing issues worse while the intention is to make it easier. Also your one-liner doesn't work correctly on single firewall gateways that are not part of a cluster. Sorry.

I created a new one-liner that is implemented in ccc starting from version 2.4.



Norbert_Bohusch
Advisor

I tested this new version and IPv6 on the is not correctly displayed (btw. they were missing completely in the original one of Heiko), because colons are missing.

And this reminds me that the topology information for IPv6 on both one-liners is missing.

Also adding again the anti-spoofing mode/setting per interface would be great

[Executing:]# echo; egrep -B1 $'ifindex|:ipaddr|\(\x22<[0-9]' /opt/CPsuite-R80/fw1/state/local/FW1/local.set | sed 's/[\x22\t:()<>-]//g' | sed 's/int
...