- Products
- Learn
- Local User Groups
- Partners
-
More
It's Here!
CPX 360 2021 Content
Check Point Harmony
Highest Level of Security for Remote Users
Important certificate update to CloudGuard Controller, CME,
and Azure HA Security Gateways
Advanced Protection for
Small and Medium Business
Secure Endpoints from
the Sunburst Attack
Important! R80 and R80.10
End Of Support around the corner (May 2021)
I've been testing R80.20 very intensively in the lab over the last few days. Here I have discovered some interesting new commands on CLI. What did you discover that didn't exist before?
# cphaprob stat > with more clusterxl informations
# fwaccel ranges > show's anti spoofing ranges
# fw ctl multik utilize > shows the CoreXL queue utilization for each CoreXL FW instance
# fw ctl multik print_heavy_conn > shows the table with heavy connections
More see:
Command Line Interface R80.20 Reference Guide
Have you ever seen the queue fill up? Is this something worth tracking and adding a script to Indeni for?
fw ctl multik stop / start
The blacklist blocks all traffic to and from the specified IP addresses.
The blacklist drops occur in SecureXL, which is more efficient than an Access Control Policy to drop the packets.
This can be very helpful e.g. with DoS attacks to block an IP on SecureXL level.
# fwaccel dos blacklist -a <ip>
# fwaccel dos blacklist -s
# fwaccel dos blacklist -d <ip>
More see here:
R80.20 - IP blacklist in SecureXL
Regards,
Heiko
This looks a lot like #sim dropcfg which has the same functionality.
edit:
Off course its handy to have a link to more information of this useful feature
See Accelerated Drops which is supported since 75.40
# fw ctl chain
The new fw monitor chain modules (SecureXL) do not run in the virtual machine (vm):
SecureXL inbound (sxl_in) > Packet received in SecureXL from network
SecureXL inbound CT (sxl_ct) > Accelerated packets moved from inbound to outbound processing (post routing)
SecureXL outbound (sxl_out) > Accelerated packet starts outbound processing
SecureXL deliver (sxl_deliver) > SecureXL transmits accelerated packet
There are more new chain modules in R80.20:
vpn before offload (vpn_in) > FW inbound preparing the tunnel for offloading the packet (along with the connection)
fw offload inbound (offload_in) > FW inbound that perform the offload
fw post VM inbound (post_vm) > Packet was not offloaded (slow path) - continue processing in FW inbound
In firewall kernel (now also SecureXL), each kernel is associated with a key (blue) witch specifies the type of traffic applicable to the chain modul.
# fw ctl chain
# fw monitor -e ...
Key | Function |
---|---|
ffffffff | IP Option Stip/Restore |
00000001 | new processed flows |
00000002 | wire mode |
00000003 | will applied to all ciphered traffic (VPN) |
00000000 | SecureXL offloading (new in R80.20+) |
New ClusterXL clish commands:
> show cluster
> show cluster mmagic
More see here:
R80.20 - new ClusterXL commands
Regards,
.
Nice new commands.
Cheers,
Sandro
Fetches and unloads Threat Prevention policy.
Threat Prevention policy applies to these Software Blades:
# fw amw unload -> To unload the current Threat Prevention policy.
# fw amw fetch localhost -> To fetch the Threat Prevention policy stored locally on the Security Gateway.
More see:
it would help to put a link to CLI reference guide in the original post
"iotop" watches I/O usage information output by the Linux kernel and displays a table of current I/O usage by processes or threads on the system. Only available on gateway with R80.20 3.10 kernel (see Check Point R80.20 with Gaia 3.10 for Security Gateways).
# iotop -b -n 1
great job
About CheckMates
Learn Check Point
Advanced Learning
WELCOME TO THE FUTURE OF CYBER SECURITY