This website uses cookies. By browsing this website, you consent to the use of cookies. Learn more.
OK
ABOUT CHECKMATES & FAQ
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Create a Post
Help
HeikoAnkenbrand
HeikoAnkenbrand
Pearl
‎2018-09-28 07:40 AM

R80.20 - new interesting commands

I've been testing R80.20 very intensively in the lab over the last few days. Here I have discovered some interesting new commands on CLI. What did you discover that didn't exist before?

# cphaprob stat     > with more clusterxl informations

# fwaccel ranges   > show's anti spoofing ranges

# fw ctl multik utilize   > shows the CoreXL queue utilization for each CoreXL FW instance

# fw ctl multik print_heavy_conn   > shows the table with heavy connections

 

More see:

Command Line Interface R80.20 Reference Guide 

 

Reply
41 Replies
HeikoAnkenbrand
HeikoAnkenbrand
Pearl
‎2018-09-28 07:42 AM

Re: R80.20 - new interesting commands

See more: R80.20 - more ClusterXL state informations

# cphaprob stat

Regards,

Heiko

Reply
HeikoAnkenbrand
HeikoAnkenbrand
Pearl
‎2018-09-28 07:48 AM

Re: R80.20 - new interesting commands

Exciting command show's anti spoofing ranges:-)

You have to take a closer look.

# fwaccel ranges

Regards,

Heiko

Reply
HeikoAnkenbrand
HeikoAnkenbrand
Pearl
‎2018-09-29 12:50 PM

Re: R80.20 - new interesting commands

Shows the CoreXL queue utilization for each CoreXL FW instance

# fw ctl multik utilize

Reply
Yoni-Indeni
Yoni-Indeni
Ivory
‎2018-11-13 07:27 AM

Re: R80.20 - new interesting commands

Have you ever seen the queue fill up? Is this something worth tracking and adding a script to Indeni for?

CEO & Founder, Indeni
Reply
HeikoAnkenbrand
HeikoAnkenbrand
Pearl
‎2018-09-29 01:04 PM

Re: R80.20 - new interesting commands

Shows the table with Heavy Connections (that consume the most CPU resources) in the CoreXL
Dynamic Dispatcher.
# fw ctl multik print_heavy_conn
Reply
Ofir_Shikolski
Employee+
Employee+
‎2018-09-30 06:05 AM

Re: R80.20 - new interesting commands

fw ctl multik stop / start 

Reply
HeikoAnkenbrand
HeikoAnkenbrand
Pearl
‎2019-03-09 10:59 AM

Re: R80.20 - new interesting commands

nice info

thx,

heiko

0 Kudos
Reply
HeikoAnkenbrand
HeikoAnkenbrand
Pearl
‎2019-03-09 01:42 PM

Re: R80.20 - new interesting commands

More  see  here:

https://community.checkpoint.com/thread/11958-enable-and-disable-corexl-instances-on-the-fly 

0 Kudos
Reply
HeikoAnkenbrand
HeikoAnkenbrand
Pearl
‎2018-10-01 07:39 AM

Re: R80.20 - new interesting commands

The blacklist blocks all traffic to and from the specified IP addresses.

The blacklist drops occur in SecureXL, which is more efficient than an Access Control Policy to drop the packets.

This can be very helpful e.g. with DoS attacks to block an IP on SecureXL level.

# fwaccel dos blacklist -a <ip>

# fwaccel dos blacklist -s

# fwaccel dos blacklist -d <ip>

More see here:

R80.20 - IP blacklist in SecureXL 

Regards,

Heiko

Reply
Jelle_Hazenberg
Jelle_Hazenberg
Nickel
‎2018-10-24 07:56 AM

Re: R80.20 - new interesting commands

This looks a lot like #sim dropcfg which has the same functionality.

edit:

Off course its handy to have a link to more information of this useful feature

See Accelerated Drops which is supported since 75.40

Reply
HeikoAnkenbrand
HeikoAnkenbrand
Pearl
‎2019-03-09 11:00 AM

Re: R80.20 - new interesting commands

nice info

 

thx,

heiko

0 Kudos
Reply
HeikoAnkenbrand
HeikoAnkenbrand
Pearl
‎2018-10-15 01:53 PM

Re: R80.20 - new interesting commands

# fw ctl chain

The new fw monitor chain modules (SecureXL) do not run in the virtual machine (vm):

SecureXL inbound (sxl_in)                    > Packet received in SecureXL from network

SecureXL inbound CT (sxl_ct)              > Accelerated packets moved from inbound to outbound processing (post routing)

SecureXL outbound (sxl_out)               > Accelerated packet starts outbound processing

SecureXL deliver (sxl_deliver)             > SecureXL transmits accelerated packet

Reply
HeikoAnkenbrand
HeikoAnkenbrand
Pearl
‎2019-03-09 11:01 AM

Re: R80.20 - new interesting commands

There are more new chain modules in R80.20:

vpn before offload (vpn_in)                  > FW inbound preparing the tunnel for offloading the packet (along with the connection)

fw offload inbound (offload_in)            > FW inbound that perform the offload

fw post VM inbound  (post_vm)            > Packet was not offloaded (slow path) - continue processing in FW inbound

Reply
Highlighted
HeikoAnkenbrand
HeikoAnkenbrand
Pearl
‎2019-03-09 11:02 AM

Re: R80.20 - new interesting commands

More see here:

R80.20 SecureXL + new chain modules + fw monitor 

0 Kudos
Reply
HeikoAnkenbrand
HeikoAnkenbrand
Pearl
‎2018-10-15 01:57 PM

Re: R80.20 - new interesting commands

In firewall kernel (now also SecureXL), each kernel is associated with a key (blue) witch specifies the type of traffic applicable to the chain modul.

 

# fw ctl chain

# fw monitor -e ...

 

KeyFunction
ffffffffIP Option Stip/Restore
00000001new processed flows
00000002wire mode
00000003will applied to all ciphered traffic (VPN)
00000000SecureXL offloading (new in R80.20+)
Reply
HeikoAnkenbrand
HeikoAnkenbrand
Pearl
‎2019-03-09 11:03 AM

Re: R80.20 - new interesting commands

More see here:

R80.20 SecureXL + new chain modules + fw monitor 

0 Kudos
Reply
HeikoAnkenbrand
HeikoAnkenbrand
Pearl
‎2018-10-16 12:55 AM

Re: R80.20 - new interesting commands

New ClusterXL clish commands:

> show cluster

> show cluster mmagic

More see here:

R80.20 - new ClusterXL commands 

Regards,

Heiko

.

Reply
HeikoAnkenbrand
HeikoAnkenbrand
Pearl
‎2019-03-09 11:07 AM

Re: R80.20 - new interesting commands

> show cluster stats

0 Kudos
Reply
HeikoAnkenbrand
HeikoAnkenbrand
Pearl
‎2019-03-09 11:08 AM

Re: R80.20 - new interesting commands

> show cluster failover

 

Reset history:

> show cluster failover reset history

Reply
HeikoAnkenbrand
HeikoAnkenbrand
Pearl
‎2019-03-09 11:09 AM

Re: R80.20 - new interesting commands

> show cluster roles

0 Kudos
Reply
HeikoAnkenbrand
HeikoAnkenbrand
Pearl
‎2019-03-09 11:10 AM

Re: R80.20 - new interesting commands

> show cluster statistics transport

0 Kudos
Reply
HeikoAnkenbrand
HeikoAnkenbrand
Pearl
‎2019-03-09 11:11 AM

Re: R80.20 - new interesting commands

> show cluster statistics sync

Reply
HeikoAnkenbrand
HeikoAnkenbrand
Pearl
‎2019-03-09 11:12 AM

Re: R80.20 - new interesting commands

> show cluster members interfaces all

0 Kudos
Reply
HeikoAnkenbrand
HeikoAnkenbrand
Pearl
‎2019-03-09 11:14 AM

Re: R80.20 - new interesting commands

> show cluster members pnotes all

0 Kudos
Reply
Sandro_Gerdel
Sandro_Gerdel
Iron
‎2018-10-21 12:27 AM

Re: R80.20 - new interesting commands

Nice new commands.

Cheers,

Sandro

Reply
HeikoAnkenbrand
HeikoAnkenbrand
Pearl
‎2018-11-05 10:03 AM

Re: R80.20 - new interesting commands

Fetches and unloads Threat Prevention policy.

Threat Prevention policy applies to these Software Blades:

  • Anti-Bot
  • Anti-Virus
  • Anti-Spam
  • Threat Emulation
  • Threat Extraction
  • IPS

# fw amw unload                    -> To unload the current Threat Prevention policy.

# fw amw fetch localhost      -> To fetch the Threat Prevention policy stored locally on the Security Gateway.

More see:

Command Line Interface R80.20 Reference Guide 

Reply
Val_Loukine
Admin
Admin
‎2018-11-06 01:41 AM

Re: R80.20 - new interesting commands

it would help to put a link to CLI reference guide in the original post

Reply
HeikoAnkenbrand
HeikoAnkenbrand
Pearl
‎2018-12-06 01:43 PM

Re: R80.20 - new interesting commands

"iotop" watches I/O usage information output by the Linux kernel  and displays a table of current I/O usage by processes or threads on the system. Only available on gateway with R80.20 3.10 kernel (see Check Point R80.20 with Gaia 3.10 for Security Gateways).

# iotop -b -n 1

Reply
Patricia_OSulli
Patricia_OSulli
Iron
‎2018-12-08 07:33 AM

Re: R80.20 - new interesting commands

great job

Reply