cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post

Re: Common Check Point Commands (ccc)

zcat: unexpected end of file

Below is the process  that I did 

STEP 01 : Download the script  (ccc.gz)

STEP 02: Transfer the file to /usr/bin/   (Using WinScp)

STEP 04: Now decompress the file (zcat /usr/bin/ccc.gz > /usr/bin/ccc)

STEP 04: Now make it executable (chmod +x ccc) (chmod +x /usr/bin/ccc)

STEP 05: Now type ccc

NOTE : I am able to execute all the command but why i am getting  "zcat: unexpected end of file" error while executing (ccc). 

#Chinmaya Naik

Danny
Pearl

Re: Common Check Point Commands (ccc)

Added in version 2.6

Danny
Pearl

Re: Common Check Point Commands (ccc)

Included your adjustment in version 2.6. Thanks!

Re: Common Check Point Commands (ccc)

How about adding "pdp connections pep" next to the other IA-commands?

Thanks,

Hans

0 Kudos

Re: Common Check Point Commands (ccc)

Nice tool.

Unfortunately now we have two different Tools (sk121447) to check health state and troubleshoot the System.

I would suggest to add "fwaccel off" and "fwaccel on" when doing "ips off"

Further I would add the same for QoS:
fgate stat

fgate off

fgate on

same with fwaccel off/on

a command to show "fwkern.con" and "simkern.conf" could help, too.

I would be interested in what "PANIC MODE" and "NORMALE MODE" are doing. so perhaps add here and there some Information about the commands you use.

And - I did not test it - but perhaps add a user check before performing such Actions to make sure noone unexpectedly uses these commands.

When performing one Task of your script the Cursor is at the end of the Output but simetime you do not know if it has finished or not. so add a line "Task finished" or something similar at the end of every Task execution.

So really nice and helpful script. Go on with this good work!

Regards

Danny
Pearl

Re: Common Check Point Commands (ccc)

Added in version 2.7

Danny
Pearl

Re: Common Check Point Commands (ccc)

Added in version 2.7

Petr_Hantak
Silver

Re: Common Check Point Commands (ccc)

If you like, then you can include Show bgp peers across VSX in CLI‌ as well.

0 Kudos

Re: Common Check Point Commands (ccc)

Hi Danny,

Wonderful tool !

May I sugguest the command "cpqshape" ? Quite helpful when debugging MTA

Regards

Benoit

0 Kudos
Danny
Pearl

Re: Common Check Point Commands (ccc)

Added "cpqshape" commands as described in ATRG: Mail Transfer Agent (MTA) in version 2.9

Re: Common Check Point Commands (ccc)

Can i use it on R77.30?

0 Kudos
Danny
Pearl

Re: Common Check Point Commands (ccc)

Yes.

Juan_Lobera
Nickel

Re: Common Check Point Commands (ccc)

This should be natively included

0 Kudos
Danny
Pearl

Re: Common Check Point Commands (ccc)

I agree. You could send Check Point a Request for Enhancement (RFE) asking for this. Maybe someday Check Point will have the best Community scripts included by default.

Re: Common Check Point Commands (ccc)

Hmmm - R80.20 B10:
[Expert@SMS8010:0]# ccc
Starting/bin/ccc: line 21: bind: warning: line editing not enabled
.........free: invalid option -- 'o'

Usage:
 free [options]

Options:
 -b, --bytes         show output in bytes
 -k, --kilo          show output in kilobytes
 -m, --mega          show output in megabytes
 -g, --giga          show output in gigabytes
     --tera          show output in terabytes
 -h, --human         show human-readable output
     --si            use powers of 1000 not 1024
 -l, --lohi          show detailed low and high memory statistics
 -t, --total         show total for RAM + swap
 -s N, --seconds N   repeat printing every N seconds
 -c N, --count N     repeat printing N times, then exit
 -w, --wide          wide output

     --help     display this help and exit
 -V, --version  output version information and exit

For more details see free(1).
..
--------------------------------------------- ccc v3.0 -

On the GW of the same version all is good:


[Expert@GW_80.10:0]# ccc
Starting................
--------------------------------------------- ccc v3.0 -

0 Kudos
Danny
Pearl

Re: Common Check Point Commands (ccc)

Fixed in version 3.1

Re: Common Check Point Commands (ccc)

Yes:
[Expert@SMS8010:0]# ccc
Starting/usr/bin/ccc: line 21: bind: warning: line editing not enabled
...........
------------------------------------------------ ccc v3.1 -

0 Kudos

Re: Common Check Point Commands (ccc)

Great work Danny Jung !

@Checkpoint - give this man a medal !

Whilst deploying the script to our devices and executing on version R77.30 , we had to change the script a little to get the correct Hotfix.

For some devices the 77.30 hotfix output is not correct when for example the CPUSE wasn't updated before installation of HFA - there is no installed_jumbo_take command. ( sk115719)

Have an extra request -> is it possible to build in a fool proof protection for critical commands like "CPSTOP" ?

Just to be sure ... - asking confirmation when running a critical command is not going to hurt anybody .

Then some additional info (bold text ) i added to the startup screen, to get a complete overview on the first screen - so administration is made a little easier .

And that gives me this output atm :

--------------------------------------------- ccc v3.0 -
Hostname
--------------------------------------------------------
System Firewall Gateway
Type Check Point 2200
Serial Number 1111B1111
Version Check Point Gaia R77.30 JHF (Take 185)
CPUSE Build 1130
CPU 2 Cores | SMT: - | Load: 0.25%
RAM 2 GB (Free: 0 GB) | Swapping: 0 GB
SecureXL On | Multi-Queue Interfaces: -
CoreXL On (2 Cores) | Dynamic Dispatcher: Off
Uptime 80 days
--------------------------------------------------------
Managed by Some_Management (IP: 192.169.1.1)
--------------------------------------------------------
Policy Some_Policy_Name
Installed   Aug 21 2018 - 09:48:02
--------------------------------------------------------
Blades FW, VPN
--------------------------------------------------------

Mac Address 00:11:FF:FF:FF:FF
--------------------------------------------------------

I used following commands to collect the data :

  • Added Serial number info
    SERIAL=`clish -c "show asset system" | grep "Serial Number:" | head -1 | cut -d ":" -f2 | sed 's/ //g'`;

  • Changed JHF command
    JUMBO=`cat $CPDIR/registry/HKLM_registry.data | grep Check_Point | grep -o -E '[0-9]+' | tail -1`; [ "$JUMBO" == '' ] && JUMBO="-"

        (Command not tested yet for R80 , maybe we need to use the buildin OS verifier to check what command to use , but need more time ... )

  • Added CPUSE build info - easy to verify builds on all gateways
    CPUSE=`cpvinfo $DADIR/bin/DAService | grep -iE "Build|Minor" | grep -o -E '[0-9]+' | head -1`;

  • Changed RAM info - gives now the correct number of Memory installed in GB
    RAM=`dmidecode -t memory | grep  Size: | grep -v "No Module Installed" | awk '{sum+=$2/1024}END{print sum}'`;

  • Added Policy installation date -  
    PINST=`cpstat fw | grep "Install time" | awk '{print $4" "$5" "$7" - "$6}'`; echo -n .

  • Added Mgmt Mac Address 
    MAC=`clish -c "show interface Mgmt" | grep "mac-addr" | awk '{print $2}'`;

Still need more more info when it's a VSX, come back on this later .

Regards,

Rolf

JozkoMrkvicka
Platinum

Re: Common Check Point Commands (ccc)

Idea to add check for PSU status and RAID status ?

Kind regards,
Jozko Mrkvicka
0 Kudos
Danny
Pearl

Re: Common Check Point Commands (ccc)

Added and improved in version 3.2, though I moved the CPUSE build info to the Firewall Management & Gateway submenu.

Danny
Pearl

Re: Common Check Point Commands (ccc)

Added in version 3.2

Siva_R
Ivory

Re: Common Check Point Commands (ccc)

Any command to disable App/URL filter blade(like ips off) in Gateway..

0 Kudos
Danny
Pearl

Re: Common Check Point Commands (ccc)

I'm not aware of any command to control Application Control / URL Filtering at the CLI. It should however be possible to change the setting for this Software Blade via dbedit and have the security policy reinstalled to the specific gateway afterwards.

Siva_R
Ivory

Re: Common Check Point Commands (ccc)

Thanks for the reply.. Its required many times during troubleshooting... Hopefully someone will share the command...

0 Kudos

Re: Common Check Point Commands (ccc)

I looked into this when researching the second edition of my book, and there is simply no way to disable APCL/URLF "on the fly" for a security gateway without unchecking those features on the firewall object and reinstalling policy.  As to why, my guess is that APCL/URLF policy enforcement is a bit too tightly intertwined with Stateful Inspection and the other key firewall operations.  IPS/TP is more separated though, and can be disabled on the fly with the ips off and fw amw unload commands as detailed in my CPX360 presentation here:

Best of CheckMates CLI 

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com
0 Kudos

Re: Common Check Point Commands (ccc)

Hi and thank you for all the effort Smiley Happy Nicely done! 

I've found a syntax error in FIREWALL TROUBLESHOOTING -> CheckPoint Appliance -> show sysenv all 

Command is:  clish -c "show sysenv all | more" and ends with error: Invalid command:'show sysenv all | more'.

I think command should be: clish -c "show sysenv all" | more

Best regards Smiley Happy 

Danny
Pearl

Re: Common Check Point Commands (ccc)

Fixed in version 3.5

Re: Common Check Point Commands (ccc)

Hi Danny

There is a non ASCII Character in the ccc Skript. line 58:

TIME=`cpstat fw | grep "Install time" | awk '{print $4" "$5" "$7" ´"$6}' | cut -d':' -f1,2`; echo -n .

Between the $7 and the $6. Can you please remove it?

Thanks and best regards
Martin

Danny
Pearl

Re: Common Check Point Commands (ccc)

Fixed in version 3.6

Highlighted

Re: Common Check Point Commands (ccc)

How about adding (as per sk62873)

cpca_client lscert -kind SIC

... to view all SIC certificates?

Maybe even limited to list those with expiration e.g. +/- 90 days.

0 Kudos