Re: My Top 3 Check Point CLI commands

These two come in handy when you are doing an onsite engagement and you ask the customer to get out of the management because you need to start working.... The first one is actually a Linux command but still helpful.

#w or w -l

w

Also #cpstat mg 

cpstat mg

 

One more command that I find useful is #cpwd_admin list - this command alone can help you catch when processes are crashing and how many times they have crashed or if there is any of the processes down.

cpwd_admin list

Re: My Top 3 Check Point CLI commands

Hi Everyone,

I am following this discussion since the beginning and i must say that really like all the reactions so far.

A lot of useful commands and a lot of learning here!

Here is my list, maybe not my favorite commands but i didn't see them posted so far:

On the SMS

1)  cpprod_util FwIsActiveManagement To find out the current status of the active SMS (HA). 1= Active 0= Standby

On the SG

2)  cp_conf sic state - shows trust state of SIC

All CP Products

3) cpstat os -f ifconfig - really nice summary of interface stats

Greetings,

Jelle

Al_Kennon

Re: My Top 3 Check Point CLI commands

I left out the basic stuff and I'm listing the commands I find myself using when looking at odd issues.

clish -c "show route summary" = This gives you a quick snapshot of your routing table

cphaprob -a if = This will give you a quick peek at your Interfaces/IP Address/VMAC

fw ctl multik stat = This will tell you how hard your procs are getting hit with connections

Re: My Top 3 Check Point CLI commands

Haven't tested if this one works on R80, but it has been a very useful command to restart fwd. In a cluster this will not trigger a failover:

cpwd_admin stop -name FWD -path "$FWDIR/bin/fw" -command "fw kill fwd" ; cpwd_admin start -name FWD -path "$FWDIR/bin/fw" -command "fwd"

Re: My Top 3 Check Point CLI commands

An earlier post noted the command cpstat mg, which reminded me of a pre-R80.x command I used to use to check if anyone is logged into Dashboard:

#send_command

Enter Server name (ENTER for 'localhost'):

#send_command> connected_clients

--------------------------------------------------------------------------------------------------------------------
| # |Session Id |Client type |Administrator |Database Mode |Database Lock |Login Time |
| 1 |d42f3f50 |Command Sender |localhost |read-write |false |Mon Oct 16 08:45:09 2017|
--------------------------------------------------------------------------------------------------------------------

This is particularly useful in scenarios where I know the customer has lots of potential users logged into read only mode, usually checking logging and monitoring etc.

This always used to cause issues with automated weekly migrate exports.

At least this way each user can be politely requested to log out.

This command also provides a number of other options:

end_command> connected_clinets
Commands:

connected_clients
kill_clients [-n] <session id> .... <session id>
shared_secret <community> <external-device> <password>
gen_cert <object-name>
change_to_active
change_to_standby
manual_synchronize
manual_synchronize_me
db_change_since_last_revision
db_change_since_last_save
delete_policies
fwm_dump_log <start|stop|print>
quit

USE AT YOUR DISCRETION. There may be other ways to achieve the same functionality.

John Tammaro

CCMA

Re: My Top 3 Check Point CLI commands

I'm not sure but I'd be careful not to place much confidence in fw tab -s -t connections 

Especially the "peak" output.

I believe that is the peak since the firewall was first started. Not a current state.


Re: My Top 3 Check Point CLI commands

Yeah, I know ...

This is why I wrote "allowed me to quickly see how much load is (and was, i.e. "peak") on the FW".

Usually, back in the days when I was doing PS at a partner (worked at NetVision (CCMA #9 baby)),

I would get called to see a FW that is "acting up". Some of the time, by the time I got there it was working smoothly,

so this (with 'fw ctl pstat | grep "fail"') allowed me to see if it had been experiencing heavy load and then dig further.


Re: My Top 3 Check Point CLI commands

Great article!

Iain_King

Re: My Top 3 Check Point CLI commands

cpwd_admin (list) etc

cpmiquerybin or queryDB_util

cprid_util -server 1.2.3.4 rexec -rcmd /bin/bash -c "....."

xargs for everything! :)


Re: My Top 3 Check Point CLI commands

cpmiquerybin or queryDB_util

What’s the expected output?

EdesLC

Re: My Top 3 Check Point CLI commands

#General commands

tcpdump

cpwd_admin list

ps -aufxxx

fw tab -s -t connections

cpstat -f cpu os
cpstat -f memory os

fw ctl zdebug drop

curl_cli

arp -na

tecli

top

#CoreXL

fw ctl multik stat
fw ctl affinity -l -r -a -v

#Clustering commands - ClusterXL

cphaprob 

cphaprob -a if

cphaprob list

clusterXL_admin down / up

#Better do not forget.

save config ( kkkkkkk )

Re: My Top 3 Check Point CLI commands

Some useful ones

tcptraceroute -T -p 443 10.0.0.1

-T for TCP, -U for UDP and -I for ICMP; -p for the port, then the IP address. This allows you to see if there is latency or an access list / firewall blocking the traffic.

(in R80.10 onwards)

iketool -f filename (command line tool for looking at ike debugs on the gateway!)

tcpdump -nepi Sync -x -s 0 port 8116 2> /dev/null | ccp_analyzer -g -c

Useful tool shows you the ccp messages in readable format from members so you can quickly understand why the cluster has issues.

Iain_King

Re: My Top 3 Check Point CLI commands

what is this ccp_analyzer of which you speak?

Re: My Top 3 Check Point CLI commands

Hi Iain,

ccp_analyzer is a tool located within the scripts directory (I forget the exact location, but you can find it easily with find / -name ccp_analyzer) on a Check Point installation; it is an undocumented tool as far as I am aware.

It presents you the details from the CCP packets in a human readable format. (CCP = Check Point Clustering Protocol - this document is very old yet still very relevant http://downloads.checkpoint.com/dc/download.htm?ID=10336)

You can find more information on ClusterXL here https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk93306.

Best Regards

Jason

Re: My Top 3 Check Point CLI commands

Hi Jason,

I didn't know ccp_analyzer, but I hope it doesn't work correctly, because I get a lot of errors and all other checks show me that the cluster is running fine.

Check Point High Availability Protocol
        Magic Number: 0x1a90
        Protocol Version: Unknown(2921)
        Cluster Number: 8661
        HA OpCode: 11 (FWHAP_CHASSIS_STATE)
        Source Interface: 2
        Random ID: 25309
        Source Machine ID: 1
        Destination Machine ID: 65534
        Policy ID: 9228
        Filler: 0
        Total number of cores: 6
        Handling core id: 1
        FWHAP_CHASSIS_STATE
                Reporting Member ID: 0
                Local:
                        Chassis State: Unknown
                        Standard Ports Up/Total: 0/0
                        Critical Ports Up/Total: 0/0
                        Chassis Grade: 0
                        Attached Blades Mask: 0
                Other:
                        Chassis State: STANDBY
                        Standard Ports Up/Total: 0/0
                        Critical Ports Up/Total: 0/0
                        Chassis Grade: 0
                        Attached Blades Mask: 0
                Active Blades: 0
                In Maintenance Mode: NO
                Standard Priority Port Factor: 0
                High Priority Port Factor: 0
                Blade Factor: 0
                Failover value: 0
                Are Factors Equal: NO
                Sync1 link state: DOWN
                Sync2 link state: DOWN

Check Point High Availability Protocol
        Magic Number: 0x1a90
        Protocol Version: Unknown(2921)
        Cluster Number: 8661
        HA OpCode: 1 (FWHA_MY_STATE)
        Source Interface: 2
        Random ID: 25309
        Source Machine ID: 1
        Destination Machine ID: 65534
        Policy ID: 9228
        Filler: 0
        Total number of cores: 6
        Handling core id: 1
        FWHA_MY_STATE
                Number of IDs reported: 0
                Report Code: 80a, Machine information NOT present
                HA mode: 2 (FWHA_BALANCE_MODE - More than one machine active)
                Has Problem: YES
                Chassis ID: 4
                Blade State: -
                Proc State: Unknown (0x402)       ITERATION_FINISHED
                CPU Load Average: 10752%
                Pnote admin_down state: 0
                Pnote Core Number state: 0
                Policy time: 16777216
                Interface states
                        Interfaces up in the Inbound: 0
                        Interfaces assumed up in the Inbound: 0
                        Interfaces up in the Outbound: 0
                        Interfaces assumed up in the Outbound: 0

Maybe it works fine if I have a real error ;-)

Bye

Re: My Top 3 Check Point CLI commands

Hi Daniel,

From the output I see you are running R77.30 in 64 bit mode (Protocol version 2921) and member 1 is reporting it has an issue. I would check the status using "cphaprob list".
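A small triage script for ccp_analyzer-style output, added here as an example (it is not Check Point's tool or any poster's code); it assumes the indented "Field: value" layout shown above and flags the values the two posts above were looking at, with a constructed sample embedded.

```python
"""Parse ccp_analyzer-style CCP dissections and flag fields worth a second look."""
import re
from typing import Dict, List, Tuple

# Constructed sample: two abridged messages in the layout ccp_analyzer printed above.
SAMPLE = """\
Check Point High Availability Protocol
        Magic Number: 0x1a90
        Protocol Version: Unknown(2921)
        HA OpCode: 11 (FWHAP_CHASSIS_STATE)
        Source Machine ID: 1
        FWHAP_CHASSIS_STATE
                Sync1 link state: DOWN
                Sync2 link state: DOWN

Check Point High Availability Protocol
        Magic Number: 0x1a90
        Protocol Version: Unknown(2921)
        HA OpCode: 1 (FWHA_MY_STATE)
        Source Machine ID: 1
        FWHA_MY_STATE
                Has Problem: YES
                CPU Load Average: 10752%
"""

HEADER = "Check Point High Availability Protocol"
KV = re.compile(r"^\s*([^:]+?):\s*(.*)$")   # 'Field: value', any indentation

def parse_ccp(text: str) -> List[Dict[str, str]]:
    """Split the dump at each header; each message becomes a flat field dict."""
    messages: List[Dict[str, str]] = []
    for chunk in text.split(HEADER)[1:]:
        fields: Dict[str, str] = {}
        for line in chunk.splitlines():
            m = KV.match(line)
            if m:                      # lines without a colon are section labels
                fields[m.group(1).strip()] = m.group(2).strip()
        messages.append(fields)
    return messages

def triage(msg: Dict[str, str]) -> List[str]:
    """Return human-readable findings; thresholds are assumptions, not vendor limits."""
    findings: List[str] = []
    if msg.get("Protocol Version", "").startswith("Unknown"):
        findings.append("decoder does not recognise this protocol version")
    if msg.get("Has Problem") == "YES":
        findings.append("member reports a problem")
    for key in ("Sync1 link state", "Sync2 link state"):
        if msg.get(key) == "DOWN":
            findings.append(f"{key} DOWN")
    load = msg.get("CPU Load Average", "").rstrip("%")
    if load.isdigit() and int(load) > 100:
        findings.append("implausible CPU load; field may be mis-decoded")
    return findings

def triage_dump(text: str) -> List[Tuple[str, List[str]]]:
    """Run triage over every message: [(opcode, findings), ...]."""
    return [(m.get("HA OpCode", "?"), triage(m)) for m in parse_ccp(text)]
```

Feed it the saved output of the tcpdump | ccp_analyzer pipeline from the earlier post to get one line of findings per CCP message instead of scrolling through the raw dump.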

Re: My Top 3 Check Point CLI commands

Hi Jason,

77.30 64 bit is correct.

cphaprob -l list shows nothing special

# cphaprob -l list

Built-in Devices:

Device Name: Interface Active Check
Current state: OK

Device Name: Recovery Delay
Current state: OK

Registered Devices:

Device Name: Synchronization
Registration number: 0
Timeout: none
Current state: OK
Time since last report: 256189 sec

Device Name: Filter
Registration number: 1
Timeout: none
Current state: OK
Time since last report: 256184 sec

Device Name: routed
Registration number: 2
Timeout: none
Current state: OK
Time since last report: 130950 sec

Device Name: cphad
Registration number: 3
Timeout: 30 sec
Current state: OK
Time since last report: 2.23278e+06 sec
Process Status: UP

Device Name: fwd
Registration number: 4
Timeout: 30 sec
Current state: OK
Time since last report: 320680 sec
Process Status: UP

And cpstat also shows nothing special

# cpstat ha -f all |grep -v eth

Product name: High Availability
Major version: 6
Minor version: 0
Service pack: 4
Version string: N/A
Status code: 0
Status short: OK
Status long: Refer to the Notification and Interfaces tables for information about the problem
HA installed: 1
Working mode: High Availability (Active Up)
HA protocol version: 2
HA started: yes
HA state: active
HA identifier: 1


Interface table
-----------------------------------------------------------------------
|Name |IP |Status|Verified|Trusted|Shared|Netmask |
-----------------------------------------------------------------------
-----------------------------------------------------------------------

Problem Notification table
------------------------------------------------
|Name |Status|Priority|Verified|Descr|
------------------------------------------------
|Synchronization|OK | 0| 256489| |
|Filter |OK | 0| 256484| |
|routed |OK | 0| 131249| |
|cphad |OK | 0| 2233077| |
|fwd |OK | 0| 320980| |
------------------------------------------------

Cluster IPs table
-----------------------------------------------------------------------
|Name |IP |Netmask |Member Network|Member Netmask |
-----------------------------------------------------------------------
-----------------------------------------------------------------------

Sync table
------------------------------------
|Name|IP |Netmask |
------------------------------------
------------------------------------

(I had to remove interfaces with IP-addresses)


Re: My Top 3 Check Point CLI commands

fw ctl zdebug drop

fw monitor

tcpdump

Re: My Top 3 Check Point CLI commands

fw stat

It shows which policy is installed. Sometimes it helps me to identify that the firewall is stuck with the default filter or initial policy.

fw monitor -e "accept expression;"

- it helps me to understand what happens with packets. Do they return?

fw ctl zdebug drop | grep expression

- it helps to understand the reason of drop even if there is no log in SmartLog

cpview - it shows current throughput, packet rate and so on. Very useful.


Re: My Top 3 Check Point CLI commands

Thanks mate - brilliant 

Re: My Top 3 Check Point CLI commands

Below are some useful VSX Commands. Number after colon represents current virtual system (context) you are in.

FW-XXXX-01:0> show virtual-system all
Virtual systems list
VS ID       VS NAME
0           0
1           FW-XXXX-01_VF-ABC-01
2           FW-XXXX-01_VF-XYZ-01

FW-XXXX-01:1> set virtual-system 2
Context is set to vsid 2

[Expert@FW-XXXX-01:0]# vsx stat
VSX Gateway Status
==================
Name:            FW-XXX-01
Security Policy: FW-XYZ_VSX
Installed at:    18Oct2017 19:21:24
SIC Status:      Trust

Number of Virtual Systems allowed by license:          10
Virtual Systems [active / configured]:                  2 / 2
Virtual Routers and Switches [active / configured]:     0 / 0
Total connections [current / limit]:                24155 / 189700

[Expert@FW-XXXX-01:0]# vsenv 1
Context is set to Virtual Device FW-XXX-01_VF-XX-01 (ID 1).

vsx_util (from management box)

Re: My Top 3 Check Point CLI commands

What is the Check Point equivalent command for "show environment"?


Re: My Top 3 Check Point CLI commands

Rough equivalent to Cisco's show environment command is:

cpstat -f sensors os

cpstat -f power_supply os

--
My Book "Max Power: Check Point Firewall Performance Optimization"
Second Edition Coming Soon

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com

Re: My Top 3 Check Point CLI commands

Hi Tim,

Thanx for the reply,

When I issue "cpstat -f sensors os", it shows "STATUS 0". What is meant by STATUS 0?

Re: My Top 3 Check Point CLI commands

Zero being reported by "cpstat -f sensors os" is good and means the voltage/temperature is within specifications.  Anything other than zero (like 1) is bad and means something is out of spec.

Maarten_Sjouw

Re: My Top 3 Check Point CLI commands

One that I have not seen but is used mostly together with:

cplic print is the command:

contract_util mgmt 

What it does is force the collection of the contract information from the management server.

Another that is very useful is indeed pinj 

Next to that a very useful way to add pinj as a clish command is:

add command pinj path /opt/CPPinj-R77/pinj description "Packet Injector"

Regards, Maarten

Re: My Top 3 Check Point CLI commands

pinj is a great tool to be sure, but does not currently work with R80.10 gateway.  But hey sk110865: Check Point Packet Injector says that pinj will be available for R80.10 in 2017, so we should definitely have it here in the next 20 days or so.  :-) 

tcptraceroute can be used in the meantime, but traffic created by that tool on the firewall only goes through oO, while pinj traffic goes through iIoO.


Re: My Top 3 Check Point CLI commands

My list is super simple, but these are the good old tried and true commands I've used more times than I can count over the years.

fw stat.  Number one go to just to see what the heck is going on.  Is a policy loaded?  When?  Yeah, I just pushed, but did the firewall actually get it?  And yes, I've seen a policy push and the firewall report an older version in state.  Is it loaded on all the interfaces?  Over the years, this has been the most consistent starting place when shooting a problem.  Many interesting roads began with fw stat. 

fw unloadlocal.  Absolute life saver.  This one has pulled my chestnuts from the fire on many occasions.  Mostly to clear 18000 series port errors between management server and firewall, but highly useful on other occasions.  And thank goodness for persistent ssh connections after a bad policy push!  (Yeah, I know, it's not good to have a firewall sitting there without a policy, but when it's 2:00 a.m., "now" was five hours ago and there is nobody in the DC to kick the box if it doesn't come back... fw unloadlocal and move forward.)

cpstart/stop/restart.  Another handy deal that didn't kill ssh sessions.  I've been amazed how many times a simple boot has cleared things up.  Often needed after doing heart surgery on various files, as well.  Great for looking at which daemons and processes are coming up and then throwing a flag on the field. Clear elg files, cprestart and start fresh.  Great way to see what's going wrong right now.  Honestly, a pretty critical tool just for figuring out whether to continue shooting, back off a version or rebuild a gateway. 

Honorable mentions:

I cannot walk away without mentioning fwm ike_reset - the mother of all VPN shooting bombs and fwm load [target - by freaking IP address!].  Yeah, yeah, API.  But I miss fwm.  It had certain powers that the API will never understand. And didn't always need objects to work.  Nice sledge hammer.  But, no more. Sad panda.

Re: My Top 3 Check Point CLI commands

Tcpdump

fw ctl zdebug drop

cpview

fw ctl pstat

cphaprob stat / -a if/ -l list

RickHoppe

Re: My Top 3 Check Point CLI commands

We experienced long waiting times when taking snapshots on VSX systems, and also during CPUSE. The cause of all this was the existence of millions of zero-byte temporary files. CPUSE ran into a time-out since these files needed to be backed up first before installation of a Jumbo Hotfix continued.

Deleting these files manually with a variation of 'rm *' results in an "argument list too long" error message.

So specific for this issue, here are my top 3 CLI commands :-)

To find zero-byte files and print to screen:

find / -size 0 -print

You'll soon see the directory containing a lot of (perhaps millions of) zero-byte files. In this example we found a lot of zero-byte files starting with fileAxxxx, fileBxxxx etc. in a tmp directory of a Virtual System. So the following commands are based on these filenames and VS 3.

To find zero-byte files in a specific directory and count them:

find /opt/CPshrd-R77/CTX/CTX00003/tmp/ -size 0 -type f -name "file*" -print | wc -l

To find and delete zero-byte files named file* in a specific directory:

find /opt/CPshrd-R77/CTX/CTX00003/tmp/ -size 0 -type f -name "file*" -delete

Last year I posted this on my blog. CPUSE timeout during ‘Saving File Permissions’ – checkpointengineer 

Unfortunately we never received an answer on the questions we had back then. Perhaps I will contact TAC again as this issue still exists.

[UPDATE]

Found sk116679. It seems there is a hotfix available but unfortunately it's not included in a Jumbo Hotfix.

The SK is mentioning $CPDIR/tmp/ which is the exact same directory as in my example above.

Snapshot creation on Gaia OS is stuck at 1-2% 

[UPDATE 2]

Currently available hotfix is only compatible with versions up to Take 225 on R77.30. Filed an SR for a portfix to install on top of the current GA and also requested to include this permanently in a future Jumbo Hotfix Take.

Blog: https://checkpoint.engineer