fw sam -v -l long_noalert -J any 123.234.111.222
installed_jumbo_take

mdsstop_customer 192.168.2.1;mdsstart_customer 192.168.2.1

1)    Clear ARP cache via CLI

In case you need to clear 1 arp entry the following command can be used:

arp -d [ip address]

In case the complete arp cache needs to be cleared the following single line script can be used:

for i in `awk -F ' ' '{ if ( $1 ~ /[0-9{1,3}].[0-9{1,3}].[0-9{1,3}].[0-9{1,3}]/ ) print $1 }' /proc/net/arp` ; do arp -d $i ; done

2)    Flash Network Interface LED

To flash/blink a LED on an interface in order to physically identify the interface in question on a machine.
*Note this does not work on all type of interface cards.

ethtool -p <interface_name>

3)    Analyze network traffic via CLI

A script created by a former CP employee, as alternative for SmartView Monitor, cpview or tcpdump you can use the following script in order to analyze traffic patterns. * Note there are some caveats to keep in mind.

http://expert-mode.blogspot.nl/2013/05/checkpoint-top-talkers-script-display.html
https://raw.githubusercontent.com/craigdods/scripts/master/top_talkers.sh

I've got one more to add to this: cplic print -p

This will show you not only the license you have installed but what features your license breaks down to.

I'm curious how many old-timers remember what sr5000 refers to?

[Expert@oscar:0]# cplic print -p

Host             Expiration  Primitive-Features 

xx.xx.xx.x       22Aug2017   ::CK-xxxxxxxxxxxx fw1:6.0:swb fw1:6.0:ctnt fw1:6.0:swb fw1:6.0:abot fw1:6.0:swb fw1:6.0:appi fw1:6.0:swb fw1:6.0:aspm fw1:6.0:av1000 fw1:6.0:swb fw1:6.0:urlf fw1:6.0:av1000 fw1:6.0:swb fw1:6.0:av fw1:6.0:av1000 fw1:6.0:swb fw1:6.0:ips fw1:6.0:swb fw1:6.0:vsx5 fw1:6.0:vsx5 fw1:6.0:vsx5 fw1:6.0:vsx5 fw1:6.0:vsx5 fw1:6.0:swb fw1:6.0:cluster-1 fw1:6.0:cpls fw1:6.0:cluster-u fw1:6.0:mpu fw1:6.0:sxl_vpn fw1:6.0:sxl_fw fw1:6.0:sxl_ppk fw1:6.0:swb fw1:6.0:connect fw1:6.0:pam etm:6.0:fgcountunl etm:6.0:fg etm:6.0:tclog etm:6.0:fgvpn fw1:6.0:swb fw1:6.0:identity fw1:6.0:swb cvpn:6.0:ccvunl cvpn:6.0:cvpnunlimited fw1:6.0:des fw1:6.0:strong fw1:6.0:encryption cvpn:6.0:cvpn fw1:6.0:swb fw1:6.0:dlp fw1:6.0:swb evnt:6.0:smrt_evnt fw1:6.0:ipsa fw1:6.0:swb fw1:6.0:spcps fw1:6.0:pam fw1:6.0:enchostsunlimit fw1:6.0:encryption fw1:6.0:aes fw1:6.0:strong fw1:6.0:rdp fw1:6.0:des fw1:6.0:isakmp fw1:6.0:swb fw1:6.0:xlate fw1:6.0:auth fw1:6.0:content fw1:6.0:sync fw1:6.0:fm fw1:6.0:blades fw1:6.0:sxl_vpn fw1:6.0:sxl_fw fw1:6.0:sr5000 fw1:6.0:hostsunlimit fw1:6.0:sxl_vpn fw1:6.0:sxl_fw fw1:6.0:sync fw1:6.0:fm fw1:6.0:mc_all_8 fw1:6.0:multicore

Contract Coverage:

#   ID          Expiration   SKU                 

===+===========+============+====================

1  | PSE6H1R   | 20Sep2017  | CPSB-TEX-EVAL

   +-----------+------------+--------------------

   |Covers:     CPSG-C-8-U CPSB-FW CPSB-VPN CPSB-IPSA CPSB-DLP CPSB-SSLVPN-U CPSB-IA CPSB-ADNC CPSG-VSX-25S CPSB-SWB CPSB-IPS CPSB-AV CPSB-URLF CPSB-ASPM CPSB-APCL CPSB-ABOT CPSB-CTNT CK-xxxxxxxxxxxx

===+===========+============+====================

2  | F7PG258   | 20Sep2017  | CPSB-TE-EVAL

   +-----------+------------+--------------------

   |Covers:     CPSG-C-8-U CPSB-FW CPSB-VPN CPSB-IPSA CPSB-DLP CPSB-SSLVPN-U CPSB-IA CPSB-ADNC CPSG-VSX-25S CPSB-SWB CPSB-IPS CPSB-AV CPSB-URLF CPSB-ASPM CPSB-APCL CPSB-ABOT CPSB-CTNT CK-xxxxxxxxxxxx

===+===========+============+====================

3  | G177T42   | 20Sep2017  | CPSB-CTNT-EVAL

   +-----------+------------+--------------------

   |Covers:     CPSG-C-8-U CPSB-FW CPSB-VPN CPSB-IPSA CPSB-DLP CPSB-SSLVPN-U CPSB-IA CPSB-ADNC CPSG-VSX-25S CPSB-SWB CPSB-IPS CPSB-AV CPSB-URLF CPSB-ASPM CPSB-APCL CPSB-ABOT CPSB-CTNT CK-xxxxxxxxxxxx

===+===========+============+====================

4  | D31EF56   | 20Sep2017  | CPSB-IPS-EVAL

   +-----------+------------+--------------------

   |Covers:     CPSG-C-8-U CPSB-FW CPSB-VPN CPSB-IPSA CPSB-DLP CPSB-SSLVPN-U CPSB-IA CPSB-ADNC CPSG-VSX-25S CPSB-SWB CPSB-IPS CPSB-AV CPSB-URLF CPSB-ASPM CPSB-APCL CPSB-ABOT CPSB-CTNT CK-xxxxxxxxxxxx

===+===========+============+====================

Securemote 5000 I guess 🙂

1) Analyze top talkers via CLI using "fw tab"
As an alternative for SmartView Monitor, cpview, you can use the below script in order to analyze the top 10 source and destinations on a  Security Gateway.

Top 10 Source Connections:

fw tab -t connections -u -f | awk -F';' '/Rule/ {source[$3] } ; END { for (name in source) print source[name], name }' | sort -nr | head -10

Top 10 Destination Connections:

fw tab -t connections -u -f | awk -F';' '/Rule/ {dest[$5] } ; END { for (name in dest) print dest[name], name }' | sort -nr | head -10

2) Monitoring concurrent connections via CLI and redirecting output to a file
There are various ways to monitor concurrent connections. You can use the following command in case you need to monitor this and store the output into a file for further analyzes.

The commands are derived from:  fw tab -t connections –s and fw ctl pstat | grep Concurrent
The output will be stored in a file named e.g. “connections”.

while [ 1 ];do uptime | awk '{ split($1,DATE," "); printf "%s,", DATE[1]}' >>connections ; fw ctl pstat | grep Concurrent >>connections ;sleep 0.5;done

or

while [ 1 ];do uptime | awk '{ split($1,DATE," "); printf "%s,", DATE[1]}' >>connections ; fw tab -t connections -s | awk '{ i=i+1;split($4,VALS," "); if (i==2) print VALS[1] }' >>connections ;sleep 0.5;done

3) Clearing Connection Tables

The below command clears the entire connection table on a Security Gateway.

[Expert@FW-1:0]# fw tab -t connections -x
This will clear all the entries in table connections !!!
Are you sure (yes/no)? [n]

+ 4) List all cronjob tasks

The below script will allow you to quick list all cronjob tasks configured on a device for all accounts.

[Expert@FW-1:0]# more cron.sh
#!/bin/bash
#List all cron jobs for all users
for user in `cat /etc/passwd | cut -d":" -f1`;
do
crontab -l -u $user;
done

Hi all!

Most of my favourite commands were already mentioned, to add something else to the mix:

Check routes (even if they are not active)

dbget -rv routed (Add | grep if needed)

I remember a strange case where certain routes didn't work, when using ip route, route, netstat we couldn't see thos routes because they were not active.

This command helped me to confirm that the routes were properly configured in the gateway and together with tcpdump and fw monitor the customer was convinced that the issues were in their side 🙂

Example

Interface associated with static route 3 is down

[Expert@BTMOB03:0]# ip route
192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.201
default via 192.168.0.1 dev eth0  proto routed

No route even if its on the WebUI

[Expert@BTMOB03:0]# dbget -rv routed | grep 200.2.1
routed:instance:default:static:network:200.2.1.0 t
routed:instance:default:static:network:200.2.1.0:masklen:24 t
routed:instance:default:static:network:200.2.1.0:masklen:24:gateway t
routed:instance:default:static:network:200.2.1.0:masklen:24:gateway:address:75.4.2.1 t

Here we can see that its properly configured

Regards,

1) fw ctl zdebug drop | grep 8.8.8.8
2) ping -S src_addr dst_addr
3) ip route get 8.8.8.8 (or) Show route destination 8.8.8.8

Umm difficult thing to just name 3 ... mine i think would be

fw monitor

mdsstat

cphaprob state

WOW, what an amazing engagment and useful crwodsourcing  

So who's volunteering to do a "cheat sheet" out of this ? https://community.checkpoint.com/people/dwelccfe6e688-522c-305c-adaa-194bd7a7becc‌ ?

I like cprid_util command to remotely execute command on a gateway:

cprid_util -server x.x.x.x -verbose rexec -rcmd "arp"

I'm using it on my hosts discovery/creation script available here:

R80.10: Hosts Discovery and creation 

1)
CPMonitor tool (sk103212) - useful traffic analysis

2)
fw stat -l
HOST      IF    POLICY   DATE             TOTAL REJECT DROP ACCEPT LOG
localhost >Mgmt Standard 3Aug2017 6:04:09 394282 0     0    394282 0
localhost <Mgmt Standard 3Aug2017 6:04:09 583248 0     683  582565 519

3)
fw ctl set int print_conns_states 1   (output to dmesg or to kernel debug out-file is defined)

4)
cpstat fw, cpstat mg -f indexer

5)
sar -n DEV

My 2 cents/agorot:

1. df -h    I always start SmartCenter (old habits die slow) Management Server debug with it. Especially back with the first line of UTMs 130/270/etc with their small root partition sizes, some 30% of SC 'failures' were caused by not enough disk space (Can't install policy / logs are empty/can't connect to the SmartCenter make sure it is running ...) 
2.     cpwd_admin stop -name FWM -path "$FWDIR/bin/fw" -command " fw kill fwm"   Followed by 
       cpwd_admin start -name FWM -path "$FWDIR/bin/fwm" -command "fwm"
   You can't imagine how many downtime I prevented by teaching people to restart SmartCenter this way and not via reboot in Standalone installations. 
3. lvresize -L 20GB vg_splat/lv_current
   resize2fs /dev/mapper/vg_splat-lv_current
   Again, harking back to the 1st series of UTMs, it became a lifesaver when root partition run out of space and you deleted all you could - SmartConsole.exe etc and the last solution left was to resize root partition. I did it quite a number of times remotely and no glitches . Big thanks to Tobias Lachmann for this command and courage to try it on a live system first.
4. awk -F\; ' {match($0,/{([[:print:]]+)}/,rules);rule_count[rules[1]]++} END {for (rule_number in rule_count) print " Rule number: " rule_number " Hits: " rule_count[rule_number]}' ./fw.log.txt | sort -n -k5
   

   Rule number: FE40E076-BAEB-4979-8E41-5EF1333315e6 Hits: 440101  Rule number: BB3F6772-4D38-4D5A-952A-301333315de8 Hits: 1354341 Running time for a file of 900 Mb with 4.7 million records real    5m50.287s user    4m22.890s sys     0m3.190s

   No, not my favorite command (while still valid after exporting logs via fw log) , but had to show you what a pain in the neck was to get Rule Hit statistics before they were introduced to the SmartConsole.
5. fw ctl zdebug drop While may be not the best as  Valeri Loukine  mentioned and not the prettiest, but who said life is pretty? So definitely most used in real life to quickly asses the reason of drops.
6. fw monitor Last but not least, my real favorite of all versions and times (Hey, search Google for "fw monitor  reference" and my blog post from 2009 comes before Checkpoint SK !  ) . You can't debug traffic issues without it, if it wasn't fw monitor - I wouldn't be such a fan of the Checkpoint firewalls. 

NB. Moti Sagey  I guess the logical follow up would be - List Top Checkpoint Administrators' Errors You Have Seen ?

I actually wrote once an article on Most Frequent Errors by Checkpoint Administrators (in Hebrew but easy to translate) which could be a start:

http://www.digitalwhisper.co.il/files/Zines/0x4C/DW76-1-Firewall.pdf