
Re: My Top 3 Check Point CLI commands

1)    Clear ARP cache via CLI

In case you need to clear 1 arp entry the following command can be used:

arp -d [ip address]

In case the complete arp cache needs to be cleared the following single line script can be used:

for i in $(awk '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $1 }' /proc/net/arp); do arp -d "$i"; done

2)    Flash Network Interface LED

To flash/blink an LED on an interface in order to physically identify the interface in question on a machine.
*Note: this does not work on all types of interface cards.

ethtool -p <interface_name>


3)    Analyze network traffic via CLI

A script created by a former CP employee. As an alternative to SmartView Monitor, cpview or tcpdump, you can use the following script to analyze traffic patterns. *Note: there are some caveats to keep in mind.

http://expert-mode.blogspot.nl/2013/05/checkpoint-top-talkers-script-display.html
https://raw.githubusercontent.com/craigdods/scripts/master/top_talkers.sh
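The ARP-clearing loop above hinges on the awk filter selecting only real IPv4 entries from /proc/net/arp (the header line must not reach arp -d). The following is an added example, not code from the post: it isolates that filter into functions that run against a constructed /proc/net/arp-style sample, adds a per-interface variant matching the scope of ip neighbor flush dev, and prints the arp -d commands as a dry run instead of executing them. The sample table and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): pick the IPv4 addresses out of an
# /proc/net/arp-style table with a regex that only accepts dotted quads, so the
# header line is never handed to "arp -d". The file path is a parameter so the
# functions can be exercised against a constructed sample rather than the
# live kernel table.

# Constructed sample in the /proc/net/arp layout (header + three entries).
SAMPLE_ARP='IP address       HW type     Flags       HW address            Mask     Device
192.168.0.1      0x1         0x2         00:11:22:33:44:55     *        eth0
10.0.0.7         0x1         0x0         00:00:00:00:00:00     *        eth1
10.0.0.254       0x1         0x2         66:77:88:99:aa:bb     *        eth1'

# arp_ips FILE : print one IP per line; only lines whose first field is a
# dotted quad qualify. Incomplete entries (flags 0x0) are kept on purpose,
# since deleting them is harmless and they are part of the cache too.
arp_ips() {
    awk '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $1 }' "$1"
}

# arp_ips_on_dev FILE DEV : same, restricted to one interface (field 6),
# which is what "ip neighbor flush dev DEV" scopes the flush to.
arp_ips_on_dev() {
    awk -v dev="$2" \
        '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && $6 == dev { print $1 }' "$1"
}

# clear_arp_dry_run FILE : show the arp -d commands that would be issued.
# Drop the leading "echo" to really clear the entries (requires root).
clear_arp_dry_run() {
    for ip in $(arp_ips "$1"); do
        echo arp -d "$ip"
    done
}

# Stand-alone demo against the constructed sample.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_ARP" > "$tmp"
clear_arp_dry_run "$tmp"
rm -f "$tmp"
```

Point the functions at /proc/net/arp on a gateway to list the live cache; keeping the dry run as the default means a copy-paste mistake cannot wipe the neighbour table on a production box.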

Re: My Top 3 Check Point CLI commands

A bit shorter to type version of clear arp: for ip in $(awk '/([[:digit:]]\.)+/ {print $1}' /proc/net/arp) ; do  arp -d $ip ; done

Or even shorter way to do so per interface:

ip neighbor flush dev eth3

Admin

Re: My Top 3 Check Point CLI commands

I've got one more to add to this: cplic print -p

This will show you not only the license you have installed but what features your license breaks down to.

I'm curious how many old-timers remember what sr5000 refers to? 🙂

[Expert@oscar:0]# cplic print -p
Host             Expiration  Primitive-Features
xx.xx.xx.x       22Aug2017   ::CK-xxxxxxxxxxxx fw1:6.0:swb fw1:6.0:ctnt fw1:6.0:swb fw1:6.0:abot fw1:6.0:swb fw1:6.0:appi fw1:6.0:swb fw1:6.0:aspm fw1:6.0:av1000 fw1:6.0:swb fw1:6.0:urlf fw1:6.0:av1000 fw1:6.0:swb fw1:6.0:av fw1:6.0:av1000 fw1:6.0:swb fw1:6.0:ips fw1:6.0:swb fw1:6.0:vsx5 fw1:6.0:vsx5 fw1:6.0:vsx5 fw1:6.0:vsx5 fw1:6.0:vsx5 fw1:6.0:swb fw1:6.0:cluster-1 fw1:6.0:cpls fw1:6.0:cluster-u fw1:6.0:mpu fw1:6.0:sxl_vpn fw1:6.0:sxl_fw fw1:6.0:sxl_ppk fw1:6.0:swb fw1:6.0:connect fw1:6.0:pam etm:6.0:fgcountunl etm:6.0:fg etm:6.0:tclog etm:6.0:fgvpn fw1:6.0:swb fw1:6.0:identity fw1:6.0:swb cvpn:6.0:ccvunl cvpn:6.0:cvpnunlimited fw1:6.0:des fw1:6.0:strong fw1:6.0:encryption cvpn:6.0:cvpn fw1:6.0:swb fw1:6.0:dlp fw1:6.0:swb evnt:6.0:smrt_evnt fw1:6.0:ipsa fw1:6.0:swb fw1:6.0:spcps fw1:6.0:pam fw1:6.0:enchostsunlimit fw1:6.0:encryption fw1:6.0:aes fw1:6.0:strong fw1:6.0:rdp fw1:6.0:des fw1:6.0:isakmp fw1:6.0:swb fw1:6.0:xlate fw1:6.0:auth fw1:6.0:content fw1:6.0:sync fw1:6.0:fm fw1:6.0:blades fw1:6.0:sxl_vpn fw1:6.0:sxl_fw fw1:6.0:sr5000 fw1:6.0:hostsunlimit fw1:6.0:sxl_vpn fw1:6.0:sxl_fw fw1:6.0:sync fw1:6.0:fm fw1:6.0:mc_all_8 fw1:6.0:multicore

Contract Coverage:
#   ID          Expiration   SKU
===+===========+============+====================
1  | PSE6H1R   | 20Sep2017  | CPSB-TEX-EVAL
   +-----------+------------+--------------------
   |Covers:     CPSG-C-8-U CPSB-FW CPSB-VPN CPSB-IPSA CPSB-DLP CPSB-SSLVPN-U CPSB-IA CPSB-ADNC CPSG-VSX-25S CPSB-SWB CPSB-IPS CPSB-AV CPSB-URLF CPSB-ASPM CPSB-APCL CPSB-ABOT CPSB-CTNT CK-xxxxxxxxxxxx
===+===========+============+====================
2  | F7PG258   | 20Sep2017  | CPSB-TE-EVAL
   +-----------+------------+--------------------
   |Covers:     CPSG-C-8-U CPSB-FW CPSB-VPN CPSB-IPSA CPSB-DLP CPSB-SSLVPN-U CPSB-IA CPSB-ADNC CPSG-VSX-25S CPSB-SWB CPSB-IPS CPSB-AV CPSB-URLF CPSB-ASPM CPSB-APCL CPSB-ABOT CPSB-CTNT CK-xxxxxxxxxxxx
===+===========+============+====================
3  | G177T42   | 20Sep2017  | CPSB-CTNT-EVAL
   +-----------+------------+--------------------
   |Covers:     CPSG-C-8-U CPSB-FW CPSB-VPN CPSB-IPSA CPSB-DLP CPSB-SSLVPN-U CPSB-IA CPSB-ADNC CPSG-VSX-25S CPSB-SWB CPSB-IPS CPSB-AV CPSB-URLF CPSB-ASPM CPSB-APCL CPSB-ABOT CPSB-CTNT CK-xxxxxxxxxxxx
===+===========+============+====================
4  | D31EF56   | 20Sep2017  | CPSB-IPS-EVAL
   +-----------+------------+--------------------
   |Covers:     CPSG-C-8-U CPSB-FW CPSB-VPN CPSB-IPSA CPSB-DLP CPSB-SSLVPN-U CPSB-IA CPSB-ADNC CPSG-VSX-25S CPSB-SWB CPSB-IPS CPSB-AV CPSB-URLF CPSB-ASPM CPSB-APCL CPSB-ABOT CPSB-CTNT CK-xxxxxxxxxxxx
===+===========+============+====================

Employee+

Re: My Top 3 Check Point CLI commands

Securemote 5000 I guess 🙂

Admin

Re: My Top 3 Check Point CLI commands

Nice one 🙂

Employee+

Re: My Top 3 Check Point CLI commands

1) Analyze top talkers via CLI using "fw tab"
As an alternative to SmartView Monitor or cpview, you can use the script below to analyze the top 10 sources and destinations on a Security Gateway.

Top 10 Source Connections:

fw tab -t connections -u -f | awk -F';' '/Rule/ {source[$3]++} END { for (name in source) print source[name], name }' | sort -nr | head -10

Top 10 Destination Connections:

fw tab -t connections -u -f | awk -F';' '/Rule/ {dest[$5]++} END { for (name in dest) print dest[name], name }' | sort -nr | head -10

2) Monitoring concurrent connections via CLI and redirecting output to a file
There are various ways to monitor concurrent connections. You can use the following command in case you need to monitor this and store the output in a file for further analysis.

The commands are derived from: fw tab -t connections -s and fw ctl pstat | grep Concurrent
The output will be stored in a file named e.g. "connections".

while [ 1 ];do uptime | awk '{ split($1,DATE," "); printf "%s,", DATE[1]}' >>connections ; fw ctl pstat | grep Concurrent >>connections ;sleep 0.5;done

or

while [ 1 ];do uptime | awk '{ split($1,DATE," "); printf "%s,", DATE[1]}' >>connections ; fw tab -t connections -s | awk '{ i=i+1;split($4,VALS," "); if (i==2) print VALS[1] }' >>connections ;sleep 0.5;done

3) Clearing Connection Tables

The below command clears the entire connection table on a Security Gateway.

[Expert@FW-1:0]# fw tab -t connections -x
This will clear all the entries in table connections !!!
Are you sure (yes/no)? [n]

+ 4) List all cronjob tasks

The below script will allow you to quickly list all cronjob tasks configured on a device for all accounts.

[Expert@FW-1:0]# more cron.sh
#!/bin/bash
# List all cron jobs for all users; each line is prefixed with the owning user,
# and users without a crontab are skipped quietly instead of printing an error
for user in $(cut -d: -f1 /etc/passwd); do
    crontab -l -u "$user" 2>/dev/null | sed "s/^/$user: /"
done
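The two "top 10" one-liners above are the same tally (count occurrences of one field, sort, head) applied to field 3 and field 5. The following is an added example, not code from the post: it factors that tally into a function that takes the field number and N, and runs it over a constructed dump that only mimics the semicolon-separated layout the post's awk assumes (lines containing "Rule", source in field 3, destination in field 5). The field positions in a real `fw tab -t connections -u -f` dump are an assumption here and should be confirmed on the gateway before relying on the numbers.

```shell
#!/bin/sh
# Added example (not from the thread): generalised "top N talkers" tally over a
# ';'-separated connection dump. The sample below is constructed for this
# example and only approximates the layout the post's one-liners assume.

SAMPLE_CONNS='<00000001>; Rule 5; 10.0.0.5; 40001; 203.0.113.10; 443; tcp
<00000002>; Rule 5; 10.0.0.5; 40002; 203.0.113.10; 443; tcp
<00000003>; Rule 7; 10.0.0.9; 53000; 198.51.100.1; 53; udp
<00000004>; Rule 5; 10.0.0.5; 40003; 203.0.113.20; 443; tcp
<00000005>; Rule 7; 10.0.0.9; 53001; 198.51.100.1; 53; udp
<00000006>; Rule 2; 10.0.0.3; 22000; 203.0.113.10; 22; tcp
header line without the keyword; should be ignored; x; y; z'

# top_field FIELD N : print "count value" for the N most frequent values of
# FIELD (1-based, ';'-separated, padding trimmed) on lines containing "Rule".
# Reads the dump on stdin. Ties are broken by the value itself so the output
# is deterministic across runs.
top_field() {
    awk -F';' -v f="$1" '
        /Rule/ {
            v = $f
            gsub(/^[ \t]+|[ \t]+$/, "", v)   # trim the padding around the field
            count[v]++                        # the increment the one-liners need
        }
        END { for (v in count) print count[v], v }
    ' | sort -k1,1nr -k2,2 | head -n "$2"
}

# Convenience wrappers matching the two one-liners in the post.
top_sources()      { top_field 3 "$1"; }
top_destinations() { top_field 5 "$1"; }

# Stand-alone demo against the constructed sample.
echo "Top sources:";      printf '%s\n' "$SAMPLE_CONNS" | top_sources 10
echo "Top destinations:"; printf '%s\n' "$SAMPLE_CONNS" | top_destinations 10
```

On a gateway the sample is replaced by the live dump (`fw tab -t connections -u -f | top_sources 10`); the same function works for any other field once you have checked which column carries it in your version's output.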

Re: My Top 3 Check Point CLI commands

Hi all!

Most of my favourite commands were already mentioned, to add something else to the mix:

Check routes (even if they are not active)

dbget -rv routed (Add | grep if needed)

I remember a strange case where certain routes didn't work; when using ip route, route or netstat we couldn't see those routes because they were not active.

This command helped me to confirm that the routes were properly configured on the gateway, and together with tcpdump and fw monitor the customer was convinced that the issues were on their side 🙂

Example

Interface associated with static route 3 is down

[Expert@BTMOB03:0]# ip route
192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.201
default via 192.168.0.1 dev eth0  proto routed

No route, even though it's in the WebUI

[Expert@BTMOB03:0]# dbget -rv routed | grep 200.2.1
routed:instance:default:static:network:200.2.1.0 t
routed:instance:default:static:network:200.2.1.0:masklen:24 t
routed:instance:default:static:network:200.2.1.0:masklen:24:gateway t
routed:instance:default:static:network:200.2.1.0:masklen:24:gateway:address:75.4.2.1 t

Here we can see that it's properly configured

Regards,


Re: My Top 3 Check Point CLI commands

Or you could run "show configuration static-route" from clish mode to see all the routes that are configured 🙂


Re: My Top 3 Check Point CLI commands

1) fw ctl zdebug drop | grep 8.8.8.8
2) ping -S src_addr dst_addr
3) ip route get 8.8.8.8 (or) Show route destination 8.8.8.8

Re: My Top 3 Check Point CLI commands

I would add ping -I interface dst_addr or ping -I src_addr dst_addr. Found this really useful to send traffic from CMAs to destinations. Basically we now have Cisco extended ping capability in expert mode. 🙂


Re: My Top 3 Check Point CLI commands

Umm, difficult thing to just name 3 ... mine, I think, would be

fw monitor

mdsstat

cphaprob state

Admin

Re: My Top 3 Check Point CLI commands

WOW, what an amazing engagement and useful crowdsourcing

So who's volunteering to do a "cheat sheet" out of this? https://community.checkpoint.com/people/dwelccfe6e688-522c-305c-adaa-194bd7a7becc ?

Admin

Re: My Top 3 Check Point CLI commands

There's a document to be made from this list...as well as a poll.

Employee+

Re: My Top 3 Check Point CLI commands

I like cprid_util command to remotely execute command on a gateway:

cprid_util -server x.x.x.x -verbose rexec -rcmd "arp"

I'm using it on my hosts discovery/creation script available here:

R80.10: Hosts Discovery and creation 

Employee

Re: My Top 3 Check Point CLI commands

1)
CPMonitor tool (sk103212) - useful traffic analysis

2)
fw stat -l
HOST      IF    POLICY   DATE             TOTAL REJECT DROP ACCEPT LOG
localhost >Mgmt Standard 3Aug2017 6:04:09 394282 0     0    394282 0
localhost <Mgmt Standard 3Aug2017 6:04:09 583248 0     683  582565 519

3)
fw ctl set int print_conns_states 1   (output goes to dmesg, or to the kernel debug output file if one is defined)

4)
cpstat fw, cpstat mg -f indexer

5)
sar -n DEV

Admin

Re: My Top 3 Check Point CLI commands

Thx

Can u explain what 4,5 does ?


Re: My Top 3 Check Point CLI commands

Mostly statistics per interface. Cannot figure out the -mg part though. A typo?


Re: My Top 3 Check Point CLI commands

"mg" stands for management server.

Re: My Top 3 Check Point CLI commands

My 2 cents/agorot:

  1. df -h    I always start SmartCenter (old habits die slow) Management Server debugging with it. Especially back with the first line of UTMs 130/270/etc. with their small root partition sizes, some 30% of SC 'failures' were caused by not enough disk space (Can't install policy / logs are empty / can't connect to the SmartCenter, make sure it is running ...)
  2. cpwd_admin stop -name FWM -path "$FWDIR/bin/fw" -command " fw kill fwm"
     followed by
     cpwd_admin start -name FWM -path "$FWDIR/bin/fwm" -command "fwm"
     You can't imagine how much downtime I prevented by teaching people to restart SmartCenter this way and not via reboot in Standalone installations.
  3. lvresize -L 20GB vg_splat/lv_current
     resize2fs /dev/mapper/vg_splat-lv_current
     Again, harking back to the 1st series of UTMs, it became a lifesaver when the root partition ran out of space and you had deleted all you could (SmartConsole.exe etc.) and the last solution left was to resize the root partition. I did it quite a number of times remotely with no glitches 🙂. Big thanks to Tobias Lachmann for this command and the courage to try it on a live system first.
  4. awk -F\; ' {match($0,/{([[:print:]]+)}/,rules);rule_count[rules[1]]++} END {for (rule_number in rule_count) print " Rule number: " rule_number " Hits: " rule_count[rule_number]}' ./fw.log.txt | sort -n -k5
     Rule number: FE40E076-BAEB-4979-8E41-5EF1333315e6 Hits: 440101
     Rule number: BB3F6772-4D38-4D5A-952A-301333315de8 Hits: 1354341
     Running time for a file of 900 Mb with 4.7 million records:
     real    5m50.287s
     user    4m22.890s
     sys     0m3.190s
     No, not my favorite command (while still valid after exporting logs via fw log), but I had to show you what a pain in the neck it was to get Rule Hit statistics before they were introduced to SmartConsole.
  5. fw ctl zdebug drop    Maybe not the best, as Valeri Loukine mentioned, and not the prettiest, but who said life is pretty? So definitely the most used in real life to quickly assess the reason for drops.
  6. fw monitor    Last but not least, my real favorite of all versions and times (hey, search Google for "fw monitor reference" and my blog post from 2009 comes before the Checkpoint SK!). You can't debug traffic issues without it; if it wasn't for fw monitor I wouldn't be such a fan of Checkpoint firewalls.

NB. Moti Sagey  I guess the logical follow up would be - List Top Checkpoint Administrators' Errors You Have Seen ?

I actually wrote once an article on Most Frequent Errors by Checkpoint Administrators (in Hebrew but easy to translate) which could be a start:

http://www.digitalwhisper.co.il/files/Zines/0x4C/DW76-1-Firewall.pdf

Admin

Re: My Top 3 Check Point CLI commands

The primary reason I had a chapter on INSPECT in my books was for fw monitor.

I, of course, also had an FAQ on it back in the day, which you can read here: https://phoneboy.com/fw1/faq/0410.html 

Just to clarify your suggestion, are you talking about configuration errors that Check Point admins commonly make?


Re: My Top 3 Check Point CLI commands

Yep, I remember, I had it as well but can't find it anymore, probably someone 'borrowed' it. I still have the follow-up Check Point NGX book by Barry (R.I.P.).

Pity no one dares to write a book anymore (correction: How could I forget that Tim Hall did write a book about Checkpoint...).

Yes, that is what I meant. In the article I linked to I give my list with the real life examples of (working 10 years for CSP provided me with lots of examples of 'not smart things people do with firewalls'):

  • Removing object that is being used in Security Rules, ignoring the warning
  • Using Dynamic Object as URL filter to block access to some website(s)
  • Not checking available disk space before doing any debug
  • Using easy to brute-force OS/ssh passwords (especially given the capability of changing default admin OS username during install appearing and disappearing intermittently, depending on the version of the firewall)
  • Forgetting to disable SecureXL before doing debug 
  • Not using so easy to use Database Revision Control as 'insurance' against disaster
  • Installing the wrong Security Policy on the wrong firewall (usually ending up in black-out/downtime)
  • Using Reject instead of Drop in Security Rules
  • Restarting the whole Standalone firewall when needed to restart only the SmartCenter 
  • Not using NTP for clock synchronization (and as a consequence lessened value or complete uselessness of logs)
  • Not verifying saved back ups

Re: My Top 3 Check Point CLI commands

In regard to your statement "Pity no one dares to write a book anymore" I can be the first to tell you that writing a book is hard.  Your picture though did remind me of some old Check Point books I bought while writing Max Power for pennies on the dollar because they were so outdated.  I wasn't looking for content really, just wanted to see how concepts were presented and what content structures worked and which didn't.  Dameon's book was by far the most helpful in that regard, and part of the reason I asked him to write the foreword for Max Power.  I have attached a picture of all those old Check Point books I was able to find and buy for research purposes:

Old Check Point Books

--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.

Book "Max Power 2020: Check Point Firewall Performance Optimization" Third Edition
Now Available at www.maxpowerfirewalls.com

Re: My Top 3 Check Point CLI commands

First - my bad, I corrected my post about no one writing books anymore 🙂.

Second, I dug a bit into technical book writing and indeed the picture in general is not rosy (as taken from the Internet):

- For a technical book 30000-35000 sold copies is considered a sound success (we are talking about general technical writing, not insanely priced franchises for Universities / exclusive access to technology books a la C# 8 preview)
- Most books never reach such sales
- As a consequence of the above, the simplistic ROI calculation doesn't justify writing books for money (a year/two of work on a book), as professional hire-for-money employment will bring much more money
- Main driving reasons for writing a book are establishing the author's expert status / generating consulting/training work / possible public speaking engagements
- Prolonged editing/traditional publishing process makes fast-changing technology books outdated before the release
- In many publishing houses the author is supposed to do the bulk of promotion by her/himself
- My personal observation: some previously published authors of technical books re-purpose their work into video/streaming courses, online training labs.


Re: My Top 3 Check Point CLI commands

All the above is quite accurate.   Another dirty little secret is that by signing on with a publisher, you'll MAYBE get 10-15% in royalties and that is only after any cash advance has been extinguished. Also that publisher can re-use elements from your work for practically nothing, and also owns a stake on any of the author's future works on that topic. 

Admin

Re: My Top 3 Check Point CLI commands

Sounds fun 😉


Re: My Top 3 Check Point CLI commands

Yep, that's why Max Power was self-published through CreateSpace and Amazon.  🙂  I did get approached by a "real" publisher after the book was released.  Reading their proposed contract was quite the eye-opener, but at least I got to find out about all these onerous details the easy way (by just reading about them) and not the hard way.

Admin

Re: My Top 3 Check Point CLI commands

Two comments on writing a book:

1. It's a lot of work (first one took me two years).

2. Keeping it up to date is also a constant challenge, especially today, as things evolve at a much more rapid pace than they did in the early 2000s.

Re: My Top 3 Check Point CLI commands

Yuri Slobodyanyuk wrote:

Yes, that is what I meant. In the article I linked to I give my list with the real life examples of (working 10 years for CSP provided me with lots of examples of 'not smart things people do with firewalls'):

  • Using Dynamic Object as URL filter to block access to some website(s)
  • Using easy to brute-force OS/ssh passwords (especially given the capability of changing default admin OS username during install appearing and disappearing intermittently, depending on the version of the firewall)
  • Using Reject instead of Drop in Security Rules
  • Not using NTP for clock synchronization (and as a consequence lessened value or complete uselessness of logs)
  • Not verifying saved back ups

stay tuned 

Yuri Slobodyanyuk wrote:

  • Removing object that is being used in Security Rules, ignoring the warning
  • Not using so easy to use Database Revision Control as 'insurance' against disaster

With R80.10 automatic revisions and session live validations (even when going command-line), these things can no longer happen.

Yuri Slobodyanyuk wrote:

  • Installing the wrong Security Policy on the wrong firewall (usually ending up in black-out/downtime)

Tip: Open SmartConsole.exe.config and change <add key="OverridePolicyWarningEnable" value="false"/> from false to true 🙂

Am I diverging?

Re: My Top 3 Check Point CLI commands

Yes and no 🙂. Your solutions are perfectly correct, true, but ... don't forget that I called it 'List of Administrator's errors...', not Checkpoint product errors. So technical solutions existed long before R80.10,

e.g. wrong Policy install ? ... can't be easier than that - just check relevant gateways in "Policy Targets" menu for this policy and this will never happen. 

Removing object in use ? Well, just read the warning and click on the button "Where used" .

And while my list is compiled based on R55 - R77.30 versions, after speaking with thousands of IT guys/gals managing firewalls, I can assure you - they will 'outsmart' any technical safety measures put by bright R&D folks at Checkpoint, no one can beat the 8th layer of OSI, doesn't mean you should never try but  ...  


Re: My Top 3 Check Point CLI commands

Yuri Slobodyanyuk wrote:

Yes and no. Your solutions are perfectly correct, true, but ... don't forget that I called it 'List of Administrator's errors...', not Checkpoint product errors. So technical solutions existed long before R80.10,

e.g. wrong Policy install ? ... can't be easier than that - just check relevant gateways in "Policy Targets" menu for this policy and this will never happen. 

Removing object in use ? Well, just read the warning and click on the button "Where used" .

And while my list is compiled based on R55 - R77.30 versions, after speaking with thousands of IT guys/gals managing firewalls, I can assure you - they will 'outsmart' any technical safety measures put by bright R&D folks at Checkpoint, no one can beat the 8th layer of OSI, doesn't mean you should never try but  ...  

I encourage you to try to remove a used object from the objects bar in R80.10. Let me know if you found a way to do that.

In general, at Check Point we try to have our admins do the most by clicking the least. Some errors can be fully prevented with a smart backend platform (R80). Others are user best practices which aren't always a problem and are different between organizations - which I mentioned as stay tuned.

Of course there will always be the market for educational programs and partner sessions in which they help their customers make the most out of their Check Point products. We definitely learn from our partners' experience when shaping the future of our product line.
