Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 

ccc - Common Check Point Commands

Danny
Champion Champion
Champion

🏆 Code Hub Contribution of the Year 2018!
🎓 Featured in official Maestro courseware!
👍 Endorsed by Check Point Support!
📕 Books: Max Power, FW Admin
▶️ YouTube: Intro

ccc script to run CLI tasks & show system info.

Installation


    curl_cli $(if [[ `grep proxy:ip /config/active` ]];then echo -n '--proxy ';grep proxy:ip /config/active|cut -f2 -d' '|tr -d '\n';echo -n :;grep proxy:port /config/active|cut -f2 -d' ';fi) -k https://dannyjung.de/ccc|zc
...;
TO ACCESS CHECKMATES TOOLBOX it's simple and free

Disclaimer: Check Point does not provide maintenance services or technical or customer support for third party content provided on this Site, including in CheckMates Toolbox. See also our Third Party Software Disclaimer.




(2)
244 Replies

Danny
Champion Champion
Champion

Smiley Happy Thanks for this valuable feedback.

       -> Please send me your local.set and I'll fix it asap.

The anti-spoofing mode/setting is almost finished. Expect it to be released latest by tomorrow.

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


Jan_Kleinhans
Advisor

Hello Danny,

thank you for this great tool.

I have got a problem with ccc in a VSX environment.

I try to get the Topology from a Virtual System but always get the error " Main IP of name doesn`t match it`s management interface IP!".

The script is looking for the management IP of the VS0 in the "$FWDIR/state/local/FW1/local.set" of the VS2 in my case. There will be no positive match so that the script ends with this error.

If I comment out the check of the local.set it works with

...;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

Danny
Champion Champion
Champion

Hello Jan,

thank you for your feedback. You are referencing to my One-liner for address spoofing troubleshooting. Does the One-liner work when executed directly on VS2? Or does the error only occur when the One-liner is executed from within ccc?

Regards,
Danny

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

Jan_Kleinhans
Advisor
Hi Danny,
it doesn't work either because of the following part which will always be 0 as $FWDIR directs to the fwdir of the virtual system which has no management IP

elif [[ `grep $(grep $(hostname) /etc/hosts | cut -f1 -d' ') $FWDIR/state/local/FW1/local.set | wc -l` == "0" ]]; then echo ' Main IP of '$(hostname)' doesn`t match it`s management interface IP!';

Regards,

Jan ;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

Danny
Champion Champion
Champion

Fixed in version 4.8

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

HeikoAnkenbrand
Champion Champion
Champion

Hi Danny,

I created a one-liner that shows the VPN routing.


If you like, you can include this command in your script.

Show VPN Routing on CLI 

Regards,

Heiko

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


masher
Employee
Employee

I'm running R80.20EA in my lab and noticed the same thing. I made the following adjustment to the ccc script.

Updated:

# System info

  TYPE=`cpstat os | grep "Appliance Name" | tr -s ' ' | cut -c 17-`
  if     [[ `echo $MDSDIR | grep mds` ]]; then SYSTEM="Multi-Domain Server (MDS)"
    elif [[ `$CPDIR/bin/cpprod_util FwIsVSX 2> /dev/null` == *"1"* ]]; then SYSTEM="Virtual System Extension (VSX)"
    elif [[ `$CPDIR/bin/cpprod_util FwIsStandAlone 2> /dev/null` == *"1"* ]]; t

...;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

Chinmaya_Naik
Advisor

zcat: unexpected end of file

Below is the process  that I did 

STEP 01 : Download the script  (ccc.gz)

STEP 02: Transfer the file to /usr/bin/   (Using WinScp)

STEP 04: Now decompress the file (zcat /usr/bin/ccc.gz > /usr/bin/ccc)

STEP 04: Now make it executable (chmod +x ccc) (chmod +x /usr/bin/ccc)

STEP 05: Now type ccc

NOTE : I am able to execute all the command but why i am getting  "zcat: unexpected end of file" error while executing (ccc). 

#Chinmaya Naik

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


Danny
Champion Champion
Champion

Added in version 2.6

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


Danny
Champion Champion
Champion

Included your adjustment in version 2.6. Thanks!

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


Hans_Hartung
Participant
Participant

How about adding "pdp connections pep" next to the other IA-commands?

Thanks,

Hans

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

Alexander_Wilke
Advisor

Nice tool.

Unfortunately now we have two different Tools (sk121447) to check health state and troubleshoot the System.

I would suggest to add "fwaccel off" and "fwaccel on" when doing "ips off"

Further I would add the same for QoS:
fgate stat

fgate off

fgate on

same with fwaccel off/on

a command to show "fwkern.con" and "simkern.conf" could help, too.

I would be interested in what "PANIC MODE" and "NORMALE MODE" are doing. so perhaps add here and there som

...;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


Danny
Champion Champion
Champion

Added in version 2.7

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


Danny
Champion Champion
Champion

Added in version 2.7

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


Petr_Hantak
Advisor
Advisor

If you like, then you can include Show bgp peers across VSX in CLI‌ as well.

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

Benoit_Verove
Contributor

Hi Danny,

Wonderful tool !

May I sugguest the command "cpqshape" ? Quite helpful when debugging MTA

Regards

Benoit

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

Danny
Champion Champion
Champion

Added "cpqshape" commands as described in ATRG: Mail Transfer Agent (MTA) in version 2.9

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


Gomboragchaa
Advisor

Can i use it on R77.30?

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

Danny
Champion Champion
Champion

Yes.

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


Juan_Lobera
Contributor

This should be natively included

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

Danny
Champion Champion
Champion

I agree. You could send Check Point a Request for Enhancement (RFE) asking for this. Maybe someday Check Point will have the best Community scripts included by default.

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


G_W_Albrecht
Legend Legend
Legend

Hmmm - R80.20 B10:
[Expert@SMS8010:0]# ccc
Starting/bin/ccc: line 21: bind: warning: line editing not enabled
.........free: invalid option -- 'o'

Usage:
 free [options]

Options:
 -b, --bytes         show output in bytes
 -k, --kilo          show output in kilobytes
 -m, --mega          show output in megabytes
 -g, --giga          show output in gigabytes
     --tera          show output in terabytes
 -h, --human         show human-readable output
     --si            use powers of 1000 not 102

...;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

Danny
Champion Champion
Champion

Fixed in version 3.1

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


G_W_Albrecht
Legend Legend
Legend

Yes:
[Expert@SMS8010:0]# ccc
Starting/usr/bin/ccc: line 21: bind: warning: line editing not enabled
...........
------------------------------------------------ ccc v3.1 -

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

Rolf_Peeters
Explorer

Great work Danny Jung !

@Checkpoint - give this man a medal !

Whilst deploying the script to our devices and executing on version R77.30 , we had to change the script a little to get the correct Hotfix.

For some devices the 77.30 hotfix output is not correct when for example the CPUSE wasn't updated before installation of HFA - there is no installed_jumbo_take command. ( sk115719)

Have an extra request -> is it possible to build in a fool proof protection for critical comma

...;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


JozkoMrkvicka
Authority
Authority

Idea to add check for PSU status and RAID status ?

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

Danny
Champion Champion
Champion

Added and improved in version 3.2, though I moved the CPUSE build info to the Firewall Management & Gateway submenu.

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


Danny
Champion Champion
Champion

Added in version 3.2

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


Siva_R
Explorer

Any command to disable App/URL filter blade(like ips off) in Gateway..

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

Danny
Champion Champion
Champion

I'm not aware of any command to control Application Control / URL Filtering at the CLI. It should however be possible to change the setting for this Software Blade via dbedit and have the security policy reinstalled to the specific gateway afterwards.

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free