Srinivasan_N
Contributor

Need Command to Trace CMA IP Using Gateway CLI

Hi Experts

I have a query about getting the management server IP from the Check Point gateway CLI. I'm currently working in a setup which is very big, and every time we used to trace the network path for the firewall from the user IP address or by using Splunk.

As I don't have permission to access the database which contains the mapping of each firewall to its management server IP address, I have to rely on my seniors to check the database for the relevant management server IP address.

Is there any command in the gateway/firewall CLI to check the management server IP address that it is associated with? fw stat shows the policy name, not the CMA IP.

Thanks in advance.

Regards

Srinivasan

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin

There are a few possibilities:

1. cplic print, which will show what licenses are installed on the gateway. In many cases, the IP listed is the management IP.

2. Look at $CPDIR/log/cpd.elg.* and see if there are any messages.

3. Check netstat -an | grep 18192 and see what IP is connected to the gateway.

6 Replies
Ni_c
Contributor

Try cat $FWDIR/conf/masters if you have access to expert mode on the firewall. It will give you info on the management center and log server.

0 Kudos
Srinivasan_N
Contributor

Hi, I'm not getting the management server IP. Please advise.

[Expert@Hostname]# cat $FWDIR/conf/masters
[Policy]
usaaucx01-EMEA
usamesx01-EMEA
[Log]
usamesx01-EMEA
[Alert]
usamesx01-EMEA
[Backup]
usamesx01-EMEA

0 Kudos

Hugo_vd_Kooij
Advisor

cplic print will most likely point to the Multi Domain Server and not the individual CMA.

0 Kudos
Srinivasan_N
Contributor

Hi Mate

Thanks. I got the CMA IP by implementing the netstat command.

[Expert@Hostname]# netstat -an | grep 18192
tcp 0 0 0.0.0.0:18192 0.0.0.0:* LISTEN
tcp 0 0 172.16.10.1:18192  172.31.24.16:60243 ESTABLISHED

0 Kudos
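
Added example, not part of any post in this thread: a small script that pulls the two pieces of information the thread ends up with, the names listed in $FWDIR/conf/masters and the remote IPs holding an ESTABLISHED session to the gateway's local port 18192. The function names and the non-thread sample lines are assumptions made for illustration; a peer found this way is a candidate to confirm, not proof that it is the CMA.

```shell
#!/bin/sh
# Added example, not from the thread. Reads `netstat -an` text on stdin and
# prints each unique remote IP with an ESTABLISHED TCP session to the given
# local port (default 18192, the port used in the thread).
mgmt_peers() {
  awk -v port="${1:-18192}" '
    $1 ~ /^tcp/ && $NF == "ESTABLISHED" {
      n = split($4, loc, ":")          # last ":"-separated piece is the port
      if (loc[n] != port) next         # skip sessions the gateway opened outbound
      peer = $5; sub(/:[0-9]+$/, "", peer)
      if (!seen[peer]++) print peer
    }'
}

# Reads a masters-style file on stdin and prints the entries under one
# [Section] header (default Policy). These are names, not IP addresses.
masters_names() {
  awk -v want="[${1:-Policy}]" '
    { sub(/[ \t\r]+$/, "") }           # tolerate trailing blanks / CR
    /^\[.*\]$/ { in_sec = ($0 == want); next }
    in_sec && NF { print $1 }'
}

# Sample input: the first two netstat lines and the masters entries are the
# ones posted in the thread; the last two netstat lines are constructed to
# show what the filter rejects (outbound session, non-established state).
sample_netstat() {
  cat <<'EOF'
tcp 0 0 0.0.0.0:18192 0.0.0.0:* LISTEN
tcp 0 0 172.16.10.1:18192  172.31.24.16:60243 ESTABLISHED
tcp 0 0 172.16.10.1:41822 192.0.2.50:18192 ESTABLISHED
tcp 0 0 172.16.10.1:18192 198.51.100.7:51000 TIME_WAIT
EOF
}
sample_masters() {
  printf '%s\n' '[Policy]' 'usaaucx01-EMEA' 'usamesx01-EMEA' '[Log]' 'usamesx01-EMEA'
}

# Runs on the samples; on a gateway, feed the functions from
# `netstat -an` and `cat "$FWDIR/conf/masters"` instead.
report() {
  echo "Policy masters (names): $(sample_masters | masters_names Policy | tr '\n' ' ')"
  echo "Peers on local 18192:   $(sample_netstat | mgmt_peers 18192 | tr '\n' ' ')"
}
report
```

Filtering on the local port rather than grepping for the string 18192 keeps outbound sessions from the gateway to another host's port 18192 out of the result.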
Hugo_vd_Kooij
Advisor

On a more generic level I find it ... disturbing that there seems to be no design available for the Check Point Management Infrastructure.

If a customer would ask me this I would recommend they fix the organisational problem, as the technical answer is merely a workaround for an organisational problem.

0 Kudos