Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Moti
Admin
Admin

My Top 3 Check Point CLI commands

Just had a fun geeky conversation with Dameon Welch Abernathy (AKA Phoneboy) Jony Fischbein , Jeff Schwartz and Michael Poublon (over 100 accumulated years of experience in Check Point products) , on what are our favorite & most useful commands in a Check Point environment.

Below are my 3 , plz add yours in the comments (we will do a poll for the top 5 after getting your feedback ... ).

 

1) fw ctl zdebug drop 

used to quickly see all dropped connections and more importantly the reason (e.g. anti-spoofing, IPS , FW rule , ....)

 

2) cpstat fw

quickly see stats of number of connections (accepted,denied,logged) with a breakdown

if the FW was under a high load i would usually run " watch --interval=1 'cpstat fw' " (would see a real-time to see the interface that is causing this)

 

3) fw tab -s -t connections 

allowed me to quickly see how much load is (and was i.e "peak" ) on the FW 

 

that's it (i have more , but i want to hear yours ...)

plz add yours in the comments (we will do a poll for the top 5 after getting your feedback ... )

 

194 Replies
Kim_Jakobsen
Explorer

cpview

Because its just awsome.

cphaprob state (with all its different options)

 fw ctl zdebug drop 

0 Kudos
Nigel_Beaumont
Explorer

tcpdump - just a versatile tool

fw ctl debug drop | grep 

cphaprob -a if

0 Kudos
Jerry
Mentor
Mentor

oh, seems I've missed that topic year ago ... Smiley Sad

every day usage of following:

watch --interval=1 'cpstat fw'
watch cphaprob stat

clusterXL_admin down -p
vsx stat - l
cphaprob -a if

clish> show routed cluster-state detailed
fw ctl affinity -l -v -r
fw ctl zdebug drop
fwaccel stats -s
fw tab -s -t connections
watch fw tab -s -t connections

curl_cli -v -k https://updates.checkpoint.com/

fw monitor -e "host(x.y.z.w) and host(a.b.c.d), accept;"

tcptraceroute -4 -T -p 80 a.b.c.d

and obviously ntpq -pn Smiley Happy when we know time is precious  

Yours

Jerry
PhoneBoy
Admin
Admin

Despite having been started more than a year ago, this thread by far garners the most views of any thread on CheckMates to date.

It shows no signs of slowing down Smiley Happy

Jerry
Mentor
Mentor

yes mate, indeed it looks awesome also viewing your recent CPX '18 Youtube 25min. video Smiley Happy 

well done Dameon! keep it going same way and well done to all of YOU (US) contributors!  

cheerio

Jerry
Jerry
Mentor
Mentor

... and OBVIOUSLY in notorious way - awesome and only CPVIEW Smiley Happy

Jerry
0 Kudos
Matthew_Do
Contributor

Check SIC & license status at GWY

  • cp_conf sic state
  • cplic check identity

Check identity awareness at GWY (in expert mode)

  • pdp monitor client_type portal      (show everyone who is authenticated via captive portal)
  • pdp monitor ip 10.1.1.50              (same as above but for a specific IP/user)
  • pdp control revoke_ip 10.1.1.50 

AndreasNileborn
Explorer

tcpdump

cphaprob -a if

show cluster stats - a nice new one

Better late then never

0 Kudos
Etheldra_Freder
Collaborator

LOL.

0 Kudos
Michiel_Buhrs
Explorer

Also to see which traffic is matched on what rule(s) you can use (in R80):

Example:

fw up_execute src=x.x.x.x dst=y.y.y.y ipp=17 dport=53 (run in expert mode)

Rulebase execution ended successfully.

Overall status:

----------------

Active clob mask: 0

Required clob mask: 0

Match status: MATCH

Match action: Accept

 

Per Layer:

------------

Layer name: NAME

Layer id: 0

Match status: MATCH

Match action: Accept

Matched rule: 14

Possible rules:  14 18 19 16777215

Have fun!

Etheldra_Freder
Collaborator

I like this command.

0 Kudos
Matt_Killeen
Contributor

Thanks Timothy,

Yes, I agree that it indicates that I'm are running out of Hide NAT ports somewhere but I can't find any evidence that it's reaching the 50k limit or that it's for ports in the 60,001 to 65536 range. Traffic analysis on the external interface shows most connections are from source ports in the 30,000 to 39,999 range and the 40,000 to 49,999 range with peaks counts  of 500 to 600 unique ports in each of those two ranges. I record no connections from source ports in the 20,000 to 29,999 range and only the odd one connection in the 50,000 -59,999 range which is always port 50,001. However, there does seem to be a correlation between the NAT hide logs and a flurry of connections in the 10,000 to 19,000 range. Ports in this range are only seen when the issue occurs.

The traffic analysis shows that large ranges of ports are never used which would suggest that the 50k limit is never reached and, as said earlier, each time I've run the fw tab -u -t connections | grep -ci command, the result stays under 10,000 connections.  I don't think setting up a "many to fewer" hide NAT will do anything as the source is a single proxy IP and that NAT IP is dedicated to the Proxy IP and used only for one internet target IP.

Thanks again for your input - I didn't mean to hi-jack this thread/discussion with my issue. I'm going to try and escalate again through CheckPoint.

Matt.

Matt_Foreman
Participant

fw ctl zdebug drop > drops.txt

cphaprob -a if

fw unloadlocal
0 Kudos
yakup
Explorer

cphaprob -a if

cpview

fw ctl zdebug + drop

0 Kudos
rogfleming
Explorer

My top CLI commands


Who using the most cpu

ps -eo pcpu,pid,user,args | sort -r -k1 | less


To remove a connection from the connection table


fw tab -t connections -u > table


IPA="1024"; IPB="1024"; IPAHEX=`printf '%02x' ${IPA//./ }`; IPBHEX=`printf '%02x' ${IPB//./ }`; grep "$IPAHEX" table | grep "$IPBHEX" | grep "^<0000000" | awk '{print $1" "$2" "$3" "$4" "$5" "$6}'|sed 's/ //g'|sed 's/</fw tab -t connections -x -e /g'|sed 's/>//g'|sed 's/;//g' > listall

cat listofall

fw tab -t connections -x -e 00000001,50a99963,000001f4,81231bc4,000001f4,00000011

fw tab -t connections -x -e 00000001,81231bc4,000001f4,50a99963,000001f4,00000011

fw tab -t connections -x -e 00000000,81231bc4,000001f4,50a99963,000001f4,00000011

fw tab -t connections -x -e 00000000,50a99963,000001f4,81231bc4,000001f4,00000011


Remote commands from CMA


`$CPDIR/bin/cprid_util -server $Firewall_IP -verbose rexec -rcmd /bin/clish -c

 

Identity Awareness


pdp monitor summary all

netstat -anp | grep wmic


pdp d rotate

adlog a d on

adlog a d extended

pdp debug on

pdp d s all all


adlog a control reconf;sleep 5;watch -n 1 -d "adlog a dc"


adlog a d off

pdp d unset all all

pdp d off


cat $FWDIR/log/pdpd.elg | grep -i


fw tab -t pdp_sessions -t pdp_super_sessions -t pdp_encryption_keys -t pdp_whitelist -t pdp_timers -t pdp_expired_timers -t pdp_ip -t pdp_net_reg -t pdp_net_db -t pdp_cluster_stat -t pep_pdp_db -t pep_networks_to_pdp_db -t pep_net_reg -t pep_reported_network_masks_db -t pep_port_range_db -t pep_async_id_calls -t pep_client_db -t pep_identity_index -t pep_revoked_key_clients -t pep_src_mapping_db -t pep_log_completion -x -y


fw kill pdpd

fw kill pepd

 

killing Zombies


To find a zombie process


ps aux | awk '"[Zz]" ~ $8 { printf("%s, PID = %d\n", $8, $2); }'


Kill a Zombie process run


kill -9 $(ps -A -ostat,ppid | grep -e '[zZ]'| awk '{ print $2 }')


running top again the counter for zombie should now be 0

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events