
Re: My Top 3 Check Point CLI commands

1. top

2. cphaprob stat

3. show bgp peers

Re: My Top 3 Check Point CLI commands

View connections sorted by rule.

R77.30:
fw tab -u -t connections -f | awk -F ';' '{print $11,"\t", $7,"\t", $3,"\t",  $5,"\t", $6}' |grep Rule | sort -ng

R80.10:
fw tab -u -t connections -f | awk -F ';' '{print $16,"\t", $8,"\t", $10,"\t",  $11,"\t", $12}' |grep Rule | sort -ng

Ilan_Yale
Ivory

Re: My Top 3 Check Point CLI commands

nice command

0 Kudos

Re: My Top 3 Check Point CLI commands

cpstat -f log_server mg

cpstat -f indexer mg

cpwd_admin list

cpview

top or ps auxwf

fw stat

show ip arp dynamic all | grep x.x.x.x

fw ver

installed_jumbo_take or cpinfo -y all

Re: My Top 3 Check Point CLI commands

"fw ctl zdebug" is a powertool that is not exhausted from being used with "fw ctl zdebug drop". There is not much to be found in Check Point KB or in the documentation.


Here are some good examples for debugging:

fw ctl zdebug + packet
fw ctl zdebug + packet | grep -B 1 TCP |grep -B 1 "(SYN)"    <<< change SYN-ACK,ACK,FIN,... and/or UDP,TCP...
fw ctl zdebug + all |grep -A 1 "Monitor" | grep "1.1.1.1"            <<< change IP address
fw ctl zdebug + all |grep -A 2 "Monitor"
fw ctl zdebug + sync                     
fw ctl zdebug + conn |grep "After  VM:" |grep "(SYN)"
fw ctl zdebug + xlate
fw ctl zdebug + monitorall                                                         <<< use with host IP "| grep 1.1.1.1" or network range "| grep 1.1."
fw ctl zdebug + monitor                                                            <<< use with host IP "| grep 1.1.1.1" or network range "| grep 1.1."
fw ctl zdebug + filter conn | grep -A 8 "rule 1"                          <<< change rule number
fw ctl zdebug + filter monitor  | grep -A 8 "rule 2"                     <<< change rule number - show connections to rule xyz

   
Attention, if you turn on debugging, this will affect the performance of the firewall.

Re: My Top 3 Check Point CLI commands

I've just read through the entire thread - amazing content, full of experience and knowledge.

Thanks!

Employee

Re: My Top 3 Check Point CLI commands

Does anyone know a way or a CLI command to monitor performance of VPN cores? I know of 'vpn tu mstat' and 'vpn multik ipsec stat'

Re: My Top 3 Check Point CLI commands

First off, there are SmartView Monitor reports called Traffic..."Top Tunnels", System Counters..."VPN", and System Counters..."VPN History" that might prove helpful for measuring VPN throughput.  I'm pretty sure these numbers only show IPSec traffic that was not fully accelerated by SecureXL in the SXL path (see below).  These reports also show how much CPU is actually being used by IPSec VPN processing, not sure how to get these numbers from the CLI.

However the cores that handle IPSec VPN traffic will vary depending on the version of your gateway.

For R77.30 gateway and earlier, all non-accelerated IPSec VPN traffic will be handled by firewall kernel instance (worker) #0, which is usually assigned to the highest numbered CPU core.  As far as CPU usage you can use top..1 to monitor that single highest-numbered core or alternatively cpstat os -f multi_cpu -o 1.  To measure current VPN throughput use cpstat -f statistics vpn like this:

IKE Successes (per sec):                  ?
IKE Failures (per sec):                   ?
Encryption Throughput (bytes per sec):    ?
Decryption Throughput (bytes per sec):    ?
Encrypted Packets (per sec):              ?
Decrypted Packets (per sec):              ?
Encryption Errors (per sec):              ?
Decryption Errors (per sec):              ?
VPN Accel Enc Throughput (bytes per sec): ?
VPN Accel Dec Throughput (bytes per sec): ?
VPN Accel Encryption Errors (per sec):    ?
VPN Accel Decryption Errors (per sec):    ?
Compressed Packets (per sec):             ?
Decompressed Packets (per sec):           ?
Compression Errors (per sec):             ?
Decompression Errors (per sec):           ?

To see if IPSec VPN traffic is being accelerated, use fwaccel stats and look in the Accelerated VPN Path section.  This will just show you raw counters, and I don't think there is a way to show current throughput numbers for accelerated VPN traffic.  Not much VPN traffic tends to be eligible for acceleration like this anyway due to most traffic on firewalls today taking the Medium (PXL) Path.

For R80.10 and later IPSec VPN traffic is spread across all Firewall Worker cores by default, and the distribution can be observed with vpn tu mstats and vpn tu tlist.  So in that case you'd need to examine the CPU utilization of all Firewall Workers using the various tools above.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com

Re: My Top 3 Check Point CLI commands

My top 3 commands.

#asg monitor vs all

#asg perf -vs all -v -p

#g_tcpdump 

Best regards

Re: My Top 3 Check Point CLI commands

My top 3 commands.

# watch tecli s s

# tail -f /var/log/messages
# cphacu start <IP> 1

Re: My Top 3 Check Point CLI commands

Hi team,

With which command can we check if a policy is already allowed?

My top 3 commands are:

cphaprob stat

tcpdump

fw monitor

Regards,


Re: My Top 3 Check Point CLI commands

Hi, I want to suggest a new way for this: "show access-rulebase name MyPolicy filter 'src:2.2.2.2 AND dst:4.5.6.7'"

 

Re: My Top 3 Check Point CLI commands

My top 3 commands:

reboot :)

netstat -ni

cplic print

Re: My Top 3 Check Point CLI commands

When I have devices around me, taking a dump -connectivity wise... and I have to prove the Gateway's innocence:

ip -s -s neigh flush all

...after running netstat and arp'ing and checking my interfaces.

Alan Stanwyck: "If you reject the proposition, you keep the thousand – and your mouth shut."
Fletch: "Does this proposition entail my dressing up as Little Bo Peep?"
Alan Stanwyck: "It’s nothing of a sexual nature, I assure you."
Fletch: "Yeah, I assure you."
Alan Stanwyck: "One thousand just to listen. I don’t see how you can pass that up, Mister…?"
Fletch: "Nugent. Ted Nugent."
Shinn_Ho
Iron

Re: My Top 3 Check Point CLI commands

Hahahaha....

1. top

2. cpstop/cpstart

3. reboot

Re: My Top 3 Check Point CLI commands

My top 3:

vsx_util vsls

fw vsx rssctrl monitor enable

fw vsx stat -l

Re: My Top 3 Check Point CLI commands

My Top 3:

Install Policy

# mgmt_cli install-policy

Show unused objects:

# mgmt_cli show unused-objects offset 0 limit 50 details-level "standard" --format json

R80.10+ debug VPN

# iketool

Shows cluster information

> show routed cluster-state detailed

Oded_Y
Ivory

Re: My Top 3 Check Point CLI commands

1. Ping

2. ifconfig

3. cd

:)

R89_99
Nickel

Re: My Top 3 Check Point CLI commands

Shows the health stat of various blades.

# ./healthcheck.sh    (sk121447)

Displays a lot of information about ClusterXL:
- Time of the last cluster switch (Master<>Slave)

 

# clish -c "show routed cluster-state detailed"


R89_99
Nickel

Re: My Top 3 Check Point CLI commands

Interface status of physical interfaces (speed, duplex, driver type) in one line:

# ifconfig -a | grep encap | awk '{print $1}' | grep -v lo | grep -v bond | grep -v ":" | grep -v ^lo | xargs -I % sh -c 'ethtool %; ethtool -i %' | grep '^driver\|Speed\|Duplex\|Setting' | sed "s/^/ /g" | tr -d "\t" | tr -d "\n" | sed "s/Settings for/\nSettings for/g" | awk '{print $5 " "$7 "\t " $9 "\t" $3}' | grep -v "Unknown" | grep -v "\."

 

Re: My Top 3 Check Point CLI commands

Awesome command mate, I have added a small modification to show the link status, so we can check the state of all the interfaces quickly

ifconfig -a | grep encap | awk '{print $1}' | grep -v lo | grep -v bond | grep -v ":" | grep -v ^lo | xargs -I % sh -c 'ethtool %; ethtool -i %' | grep '^driver\|Speed\|Link\|Setting' | sed "s/^/ /g" | tr -d "\t" | tr -d "\n" | sed "s/Settings for/\nSettings for/g" | awk '{print $3 " \t" $5 "\t " $10  "\t" $8}' |  grep -v "\."
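
The two one-liners above pick columns by position after flattening the ethtool output, so a missing or "Unknown!" value shifts the fields. The following is an added example, not part of the original posts: it matches the ethtool labels by name instead. The function names and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise `ethtool IF; ethtool -i IF` output as
# name, link, speed, duplex, driver (tab-separated, one line per interface).
# Values are looked up by label, so a down link reporting "Unknown!"
# cannot shift columns the way positional awk fields can.
iface_summary() {
    awk '
        function val(v) { return (v ~ /^Unknown/) ? "-" : v }
        function emit() {
            if (name != "")
                printf "%s\t%s\t%s\t%s\t%s\n", name, link, speed, duplex, driver
        }
        /^Settings for / {
            emit()                          # previous interface is complete
            name = $3; sub(/:$/, "", name)
            link = "-"; speed = "-"; duplex = "-"; driver = "-"
            next
        }
        /^[ \t]*Speed:/         { speed  = val($2) }
        /^[ \t]*Duplex:/        { duplex = val($2) }
        /^[ \t]*Link detected:/ { link   = ($3 == "yes") ? "up" : "down" }
        /^driver:/              { driver = $2 }
        END { emit() }
    '
}

# Live use: pass interface names, e.g. iface_live eth0 eth1
iface_live() {
    for i in "$@"; do ethtool "$i"; ethtool -i "$i"; done 2>/dev/null | iface_summary
}

# Constructed sample input (not captured from a real gateway).
sample_ethtool_output() {
cat <<'EOF'
Settings for eth0:
    Supported ports: [ TP ]
    Speed: 1000Mb/s
    Duplex: Full
    Link detected: yes
driver: e1000
version: 7.3.21-k8-NAPI
Settings for eth1:
    Speed: Unknown!
    Duplex: Unknown! (255)
    Link detected: no
driver: igb
EOF
}

sample_ethtool_output | iface_summary
```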

Re: My Top 3 Check Point CLI commands

In R80.20, cphaprob stat shows info about last failover and a bit more as well.

and now to something completely different
0 Kudos

Re: My Top 3 Check Point CLI commands

Here are some of my popular ones ..  

Acceleration 
fwaccel off/on
fwaccel stat
fw ctl multik stat
fw ctl affinity -l -a -v
fwaccel conns  |grep  10.20.32.12 | more
fw tab -t connections -s

Re: My Top 3 Check Point CLI commands

My top 3 are:

1) fw ctl zdebug + drop | grep <ip_address>   //to quickly know what is the reason a connection is being dropped//

2) fw tab -t connections -s //to know what is the number of concurrent connections that the FW is handling//

3) cphaprob stat  //to know the status of the cluster members//

Regards

Danny
Pearl

Re: My Top 3 Check Point CLI commands

I've put all your commands into this script:

Common Check Point Commands (ccc)

Re: My Top 3 Check Point CLI commands

I think the most important commands have been mentioned. And didn't know there was a 'pinj of test' (pun intended). Here are some more tips:

Really recommend the book for Firewall Performance Optimization where we can learn a lot of great commands for that purpose http://www.maxpowerfirewalls.com/

Also recommend this blog with a lot of interesting information, especially on troubleshooting http://todorovicmarko.blogspot.sk/p/blog-page.html

WVT - Web Visualisation Tool I didn't see mentioned and has been Beta all the time but for me has been an amazing tool for documentation


Attached a compilation of commands and how-to I've done along the many years working with Check Point products and also other good tips I've learned.

My "all time" favorite command is below - applies to Check Point but also in general to other platforms where tcpdump can be run. The purpose is to connect remotely to a device, run tcpdump with specific filters if needed and then through a SSH tunnel have a live view of the capture on Wireshark running on the local computer.

plink.exe -l <u> -pw <p> <IP> "tcpdump -s0 -npi any -w - '(host 1.1.1.1)'"|"c:\Wireshark\wireshark.exe" -k -i -

Re: My Top 3 Check Point CLI commands

fwaccel stats > 

  • Displays SecureXL acceleration statistics

cpview >

  • Shows statistical data that contain general system information (cpu, memory, disk, interfaces , connections...) and information for different blades.

cphaprob state / -a if / -l list > 

  • Cluster member status / Cluster interfaces / critical devices (sync, filter, cphad, fwd) status.
0 Kudos

Re: My Top 3 Check Point CLI commands

cpview

Because it's just awesome.

cphaprob state (with all its different options)

 fw ctl zdebug drop 

0 Kudos

Re: My Top 3 Check Point CLI commands

tcpdump - just a versatile tool

fw ctl debug drop | grep 

cphaprob -a if

0 Kudos
Jerry
Gold

Re: My Top 3 Check Point CLI commands

Oh, seems I've missed that topic a year ago ... :(

every day usage of following:

watch --interval=1 'cpstat fw'
watch cphaprob stat

clusterXL_admin down -p
vsx stat -l
cphaprob -a if

clish> show routed cluster-state detailed
fw ctl affinity -l -v -r
fw ctl zdebug drop
fwaccel stats -s
fw tab -s -t connections
watch fw tab -s -t connections

curl_cli -v -k https://updates.checkpoint.com/

fw monitor -e "host(x.y.z.w) and host(a.b.c.d), accept;"

tcptraceroute -4 -T -p 80 a.b.c.d

and obviously ntpq -pn :) when we know time is precious

Yours

Jerry