Well looks like this has turned into the most epic Checkmates thread ever and my last 3 commands were well-received, so here are some more that have not been mentioned yet. The focus for these is recovering from mistakes that normally would require a firewall outage:
1) Disable anti-spoofing on the fly from the gateway. Should you make a mistake in the anti-spoofing config the results can be dire: lots of traffic suddenly being dropped by the gateway. Once the specific interface with the problem has been identified, best practice dictates setting the antispoofing setting for that interface to "Detect" and reinstalling policy. On R80+ Management, quickly reverting the gateway to a known-good policy via the "Installation History" screen is a good choice as well. At that point you can figure out what went wrong at your leisure.
But what if antispoofing is now dropping all management traffic to/from the SMS itself? A corrected policy can't be pushed, and new logs can no longer be received from the firewall either to figure out what is going on. The usual way of breaking this catch-22 that involves taking a full outage on the firewall is:
1) Log into firewall (probably on console)
2) Unplug/disable externally-facing interface to protect firewall
3) Run fw unloadlocal (full outage begins)
4) Race back to SmartConsole and push policy with corrected antispoofing
5) Restore external-facing interface (full outage ends)
But there is a better way that does not involve taking a full outage, and these expert mode gateway commands can also be used as a bit of a "panic button" in regards to an antispoofing problem:
fw ctl set int fw_antispoofing_enabled 0
sim feature anti_spoofing off ; fwaccel off ; fwaccel on
All antispoofing enforcement on the gateway is immediately disabled. While these settings will not survive a gateway reboot, they will survive a policy re-installation and cprestart, so once the issue is corrected make sure to turn anti-spoofing back on like this:
fw ctl set int fw_antispoofing_enabled 1
sim feature anti_spoofing on ; fwaccel off ; fwaccel on
Edit: The above commands work for R80.10 and earlier, for R80.20+ use these commands instead:
fw ctl set int fw_antispoofing_enabled 0
fw ctl set int sim_anti_spoofing_enabled 0 -a
2) Recover from SIC issues between SMS and gateway without an outage. If SIC somehow gets broken between a single gateway and the SMS and must be reset, the traditional way of dealing with it is to run "cpconfig" on the gateway, reset SIC and enter a new activation key. Unfortunately doing it this way causes the gateway to not only discard its current SIC certificate, but also discard its current installed security policy and load up the default "InitialPolicy", which blocks almost all traffic and causes a full outage until policy is reinstalled/fetched from the SMS.
A far more problematic situation though is when the certificate of the SMS itself gets corrupted/changed (or the ICA somehow gets reset brutally) and SIC trust gets instantly broken between all managed gateways and the SMS. Now you're staring down the barrel of outages on all non-clustered gateways to recover control. But there is a way to have the gateway discard its SIC certificate and set a new activation key, but without discarding its installed security policy taken from sk86521: Reset SIC without restarting the firewall process:
On the gateway run:
cp_conf sic init ACTIVATIONKEY norestart
cpwd_admin stop -name CPD -path "$CPDIR/bin/cpd_admin" -command "cpd_admin stop"
cpwd_admin start -name CPD -path "$CPDIR/bin/cpd" -command "cpd"
Trust can now be reestablished to to the gateway and policy reinstalled, all without an outage!
3) Regain gateway CLI access via SIC if admin and/or expert passwords are unknown/corrupt. The typical outage-inducing way to recover from this situation: Factory reset a gateway appliance (and pray you have a good backup to restore containing passwords that you know) or on open hardware boot from a live Linux distribution DVD/USB media like Knoppix and try to hack the password that way.
The cprid_util command has been mentioned a few times in this thread, but bears repeating for this situation. If for some reason you cannot log into the gateway CLI, assuming SIC is still established between the gateway and the SMS (and SIC traffic is not being impeded by firewall policy), you can execute commands on the gateway from the SMS via the SIC trust without a password.
Here is a sample command to reset the gateway's admin password, taken from sk106490: How to remotely reset Admin / Expert password on a Security Gateway from a Security Manage...:
$CPDIR/bin/cprid_util -server <IP_address_of_Security_Gateway> -verbose rexec -rcmd /bin/clish -s -c 'set user admin password-hash <password hash generated by grub-md5-crypt command>'
--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.
New 2-day Live "Max Power" Series Course Now Available:
"Gateway Performance Optimization R81.20" at maxpowerfirewalls.com
