My Top 3 Check Point CLI commands

Moti · ‎2017-07-19

Just had a fun geeky conversation with Dameon Welch Abernathy (AKA Phoneboy) Jony Fischbein , Jeff Schwartz and Michael Poublon (over 100 accumulated years of experience in Check Point products) , on what are our favorite & most useful commands in a Check Point environment.

Below are my 3 , plz add yours in the comments (we will do a poll for the top 5 after getting your feedback ... ).

1) fw ctl zdebug drop

used to quickly see all dropped connections and more importantly the reason (e.g. anti-spoofing, IPS , FW rule , ....)

2) cpstat fw

quickly see stats of number of connections (accepted,denied,logged) with a breakdown

if the FW was under a high load i would usually run " watch --interval=1 'cpstat fw' " (would see a real-time to see the interface that is causing this)

3) fw tab -s -t connections

allowed me to quickly see how much load is (and was i.e "peak" ) on the FW

that's it (i have more , but i want to hear yours ...)

plz add yours in the comments (we will do a poll for the top 5 after getting your feedback ... )

Jony_Fischbein · ‎2017-07-19

Some useful ones:

1. fw ctl pstat

2. cphaprob stat

Etheldra_Freder · ‎2018-09-13

cphparob stat is my favorite and fw ctl -d setsync start (this is a life savor when you try to bring up a fw and it keeps saying "down"

Daniel_Niazov · ‎2017-07-19

Here some:

fwaccel stats -s
why? to check acceleration status on FW
cphaprob -a if
why? when troubleshooting cluster, i verify all interfaces are UP and the Virtual IP address for the cluster interfaces.
cpwd_admin list
why? great way to explain the CP watchdog- run the command with watch -d, and from another terminal terminate one of the PID, and observe how the watchdog bring it back.
and its also a great way to see that everything is up

aner_sagi · ‎2017-07-19

cphaprob stat

Cpview

Top

Eric_Ferland · ‎2017-10-04

cpview -t

I use this often to review mem, core usage at any snapshot in time. When getting a checkup device back or reviewing a DAT file.

example: cpview -t Oct 2 14:02:00

use + / - keys to advance forward or backwards in 1 minute increments.

PhoneBoy · ‎2017-07-19

Over 20 years, I've probably forgotten more CLI commands than I remember at this point

But here are a few of the ones I still use from time to time:

fw stat

Shows what policy is loaded on the current gateway and what interfaces it has seen traffic on.

If it's DefaultFilter, then your gateway isn't running a real policy and is probably blocking all traffic

Example:

[Expert@oscar:0]# fw stat

HOST POLICY DATE

localhost IntFW 18Jul2017 19:11:16 : [>eth0] [<eth0] [>eth1] [<eth1] [>eth2] [<eth2]

fw fetch mastername

Fetches the policy from the management station named mastername. You can also use localhost as a way to reload the previously installed policy on the gateway. Note this is not to be confused with fw fetchlocal -d directory which is used in troubleshooting policy installation issues.

push_cert –s Cust_CMA –u admin –p adminpw –o examplegw –k test123

This is probably a command you haven't seen before and there's not even a public SK on it

It is used on the management to establish SIC with a newly installed security gateway without using SmartConsole or SmartDashboard, making it extremely useful in automation scenarios.

Arguments are as follows:

Switch	Description
–s Cust_CMA	Management or CMA IP/hostname (can be localhost)
–u admin	Username of admin user in SmartConsole/SmartDashboard
–p adminpw	Password of admin user specified above
–o examplegw	Name (in SmartConsole/SmartDashboard) of gateway to establish SIC with
–k test123	SIC one-time-password (should match what was specified on the gateway during first-time wizard)

Looking forward to see what everyone else comes up with.

Hugh_McGauran · ‎2017-07-19

config_system - never having to use the FTW via web browser

any clish command - ability to completely script the configuration of an appliance

upgrade_export/ migrate export - best backup method - easiest to recover when you have it!

Nader_Assi__Old · ‎2017-07-19

1) cphaprob state / cphaprob -a if / cphaprob -l list

To view Cluster health status

2) cpview (with top)

To troubleshoot gateway performance (cpu, memory, connections,...)

3) cpwd_admin list

To check the CP process status

4) fw ctl zdebug drop

To search for any "silent" drop (such as IPS)

5) fw monitor

To do a live packet capture

Tomer_Sole · ‎2017-07-19

1. mgmt_cli show groups Check Point - Management API reference

2. mgmt_cli add access-rule Check Point - Management API reference

3. mgmt_cli install-policy Check Point - Management API reference

PhoneBoy · ‎2017-07-19

I would expect you to pick management commands

Ofir_Shikolski · ‎2017-07-20

Tomer Sole‌ Dameon Welch Abernathy‌

show diff between dates:

mgmt_cli show changes from-date "2017-02-01T08:20:50" to-date "2017-02-21" --format json
show unused objects:
mgmt_cli show unused-objects offset 0 limit 50 details-level "standard" --format json
run script:
mgmt_cli run-script script-name "ifconfig" script "ifconfig" targets.1 "corporate-gateway" --format json

Moti · ‎2017-07-20

Surprised no one picked 'cp_merge'

And also though not a part of Gaia/splat

ofiller /odumper by Martin Hoz saved me precious hours in long nights

Valeri Loukine curious , what's yours ?

Tomer_Sole · ‎2017-07-20

Did you know? cp_merge was dropped in R80 and above and replaced with the much more capable:

- import_export_package Python tool for exporting/importing a policy package or parts of it

- import_export_objects Python tool for exporting types of objects from the management server

- command-line support for gradually upgrading globally assigned domains is there an easy way to upgrade large-scale environments to R80.10?

_Val_ · ‎2017-07-28

Hard to pick just 3, I am afraid.

Lately using mostly those:

1. watch cphaprob stat

2. vsx stat - l

3. cphaprob -a list

Peter_Sandkuijl · ‎2017-07-20

fw ctl affinity -l -v -r

multik stat + cphaprob stat

cplic print

cpview

fw ctl zdebug drop

Moti · ‎2017-07-20

Peter Sandkuijl what does the first one achieve?

Peter_Sandkuijl · ‎2017-07-20

fw ctl affinity -l -v -r is a useful command when you're attempting to finetune the affinity of an IRQ to an interface. This is especially useful when looking at the amount of traffic received by an interface that deserves more "horsepower" and should not be sharing CPU time with other interfaces. This command will list what interface is connected to what IRQ to what core. "fw ctl affinity -s" will subsequently allow you to set the values.

Note that Multi Queue enabled interfaces will not show up as they are assigned "automagically"

Andrejs__Андрей · ‎2017-07-20

plus

netstat -ni - check drop on interfaces;

and

ps axwf -o pid,cpuid,pcpu,pmem,time,comm - processes and daemons utilization by cpu-core, mem;

it's all for multicore performance tuning.

regards,

--

ak.

Gaurav_Pandya · ‎2017-07-20

I will prefer below commands.

fw ctl zdebug drop

cpview

fw tab -s -t connections

fw ctl pstat

Mark_Sowell · ‎2017-07-20

1. cpstat mg - (SMS/CMA) Shows connected clients and status.
2. cpstat ha -f all - (GW) Shows sync details.
3. cpstat blades - (GW) Shows packets accepted, dropped, peak connections, and top rule hits.

Kirsten_Turnbul · ‎2017-07-20

I would have to say:

fwmon

tcpdump

cpview

Lon_Kaut · ‎2017-07-20

This command allowed me to execute commands, transfer files etc with a remote gateway without needing credentials. I was able to use it to copy a new shadow file to the remote gateway when password was lost/corrupted.

cprid_util (--help)

Eduardo_Pereira · ‎2017-07-20

1) I created a "watch" command with many tecli commands to monitor TE (deployed on Cloud) live emulations:

watch -d -n 1 "echo \_______________________;echo TE Engine Status:;echo \_______________________;tecli control status;tecli show statistics | grep -E '(engine version is)';echo;echo \_______________________;echo VM Cloud Images;echo \_______________________;tecli ca du al | grep -E '(Image UID)';echo;echo \_______________________;echo Live Cloud Queue:;echo \_______________________;tecli show cloud queue;echo;echo \_______________________;echo History Malicious:;echo \_______________________;echo;tecli ca du al | grep -E '(-----|sha1|malicious)';echo;echo \_______________________;echo TE Cloud Quota Stats:;echo \_______________________;tecli show statistics | grep -E '(day)';echo .......................................................................................................;tecli show statistics | grep -E '(Scanned files:|static analysis|local cache|cloud cache|cloud process time)';echo .......................................................................................................;echo;tecli show cloud quota| grep -E '(Quota identifier|Quota subscription:|Usage for gw:|Remain:|Exceeded:)'"

The outcome would be something like this:

2) cpview

Definitely, the most complete clish command.

3) fw monitor

Very helpful debugging tool.

Timothy_Hall · ‎2017-07-20

Lots of good ones so far, but just to be different the following commands are somewhat obscure but certainly come in handy occasionally (yes I'm well aware of the -f option for #1 and #2 but using it makes the commands take forever to execute):

1) fw tab -u -t connections | awk '{ print $2 }' | sort -n | uniq -c | sort -nr | head -10

This will show the top ten source IPs hogging slots in the connection table in descending order, however you will need to manually convert the IP addresses displayed from hex to decimal like so: 0a1e0b53 = 10.30.11.83. For the top 10 destinations, substitute $4 for $2 in the awk command above.

2) How many concurrent connections are currently using a particular Hide NAT address and how close are we to the 50k concurrent connection limit? Going over the 50k limit causes the new traffic to be dropped and the infamous "NAT Hide failure - there are currently no available ports for hide operation" message. Edit: The 50k limit can be surpassed by setting up what I call a "many to fewer" NAT, see my post in the following thread:

https://community.checkpoint.com/message/6516-r8010-hide-behind-many-question

Assume the Hide NAT address in question is 203.0.113.1:

fw tab -u -t connections | grep -ci cb007101

Divide the number reported by 2, and you have your answer. The result must be divided by 2 because each post-NATted connection is represented by 2 flows, one outbound (c2s) and one inbound (s2c). Also the NAT IP address must be converted from the dotted quad format to hexadecimal as shown.

3) show routed cluster-state detailed

An undocumented clish command introduced in R77.30 that shows a concise timeline of ClusterXL failover events in a single display. Very handy when trying to correlate unexpected ClusterXL failovers to external network events, or trying to determine if unexplained failovers occur with any suspicious regularity that may point to the real culprit. Definitely beats trying to pore through a sea of Control events (grey wrench icon) in the firewall logs!

--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.

R80.40 addendum for book "Max Power 2020" now available
for free download at http://www.maxpowerfirewalls.com

Moti · ‎2017-07-20

Nice !

Eduardo_Pereira · ‎2017-07-20

Nice indeed!

PhoneBoy · ‎2017-07-20

Gold as always. Tim!

Sven_Glock · ‎2017-07-21

I love that hidden command! Why is it hidden? It is very helpful!

Kelly_Mccubbin · ‎2017-07-27

show routed cluster-state detailed is super useful! What do the columns "Cluster State SIGQUIT History " indicate? Because I've got a lot of entries!