Firewalls - Home - Check Point CheckMates


How-To and Quick-Ref Compilation Author: Miguel Rosa

Please consider the environment

Contents

Firewalls (page 2)
  Check Point - Excel PivotTable and PivotChart to analyse firewall logs (page 2)
  Check Point - Performance analysis (page 5)
  Check Point - Firewall Performance - SecureXL, CoreXL, CPU affinity and Dynamic Dispatcher (page 7)
  Check Point - System Activity Report (page 12)
  Check Point - Web Visualization Tool (sk64501) (page 13)
  Check Point - Firewall Policy migration with cp_merge (page 15)
  Check Point - Sending cp_info with Proxy (page 16)
  Check Point - Workaround when not being able to SmartDashboard to a SmartCenter server (page 17)
  Check Point - reset SIC without restarting the firewall process (page 18)
  Check Point - Download file with WinSCP fails on SPLAT (page 20)
Utilities (page 21)
  Visual Subnet Calculator (page 21)
  Wireshark capture with tcpdump through SSH (page 21)
  Rubular - regular expression editor (page 21)
  Transfer files when everything fails (page 22)
  Linux LVM - reconfigure disk space (page 23)
LanMngmtXL (page 29)
Best Practices - for Network Robustness (proactive) or Deep Dive (reactive) plans (page 29)
Check Point IPSO/SPLAT/GAIA Quick reference notes and commands (page 30)

Disclaimer: this document surely contains errors and omissions. It is provided as is. Use at your own risk, etc., etc.


Firewalls

Check Point - Excel PivotTable and PivotChart to analyse firewall logs

Below are some quick graphs I made to try to support an incident: the customer had some slowness on Tuesday from 8h55 to 9h25 and showed a PingPlotter graph where we could see our F5 LB with some delay and some packet loss in that period. The F5 sits behind an old Check Point firewall. Not going much into details on this, but basically we checked CPU/memory/connections/interface bandwidth for both the FW and the F5 and found nothing unusual. So I went a bit further and downloaded the firewall logs to see if I could find any atypical flow in that period. I didn't find anything here either, but I still think this troubleshooting approach could be a good method for other cases:

1) Using SmartView Tracker I have a custom view where I put the columns I want, without name or service resolution. I use this custom view all the time, but it is also good to have for this particular export.

2) Then, also for this particular export, I filtered by time period, and by Origin (firewall) because it is a shared SmartCenter.

3) You might need to check how many records will be exported; note that Excel has a limit of about 1 million rows (1,048,576) per sheet. As a reference, I exported 774K records = 139MB CSV file = 59MB XLSX (with pivot data already).

4) In Excel, open the TXT/CSV file using "Space" as the delimiter, then select all fields and set them to "Text". This is important because values such as IP addresses are otherwise mangled when imported as "General" (Excel tries to interpret them as numbers or dates).


5) Then, with all the data in Excel, convert only the first column "Time" to the "Time" type; this is important so that the graphs treat the X axis as time instead of text. I also create a new column "NTime" that groups the time into chunks of 15 seconds (8:45:00 to 8:45:14 are all considered 8:45:00, and so on). The reason is that in my case I was analysing a 45-minute period, 2700 seconds, and the graphs were too detailed; by using 15-second chunks I go from 2700 X values to 180. The formula is shown below.

6) Now the fun starts: create a PivotChart and PivotTable; the area will be automatically selected for the whole table. On the table or on the chart you can play with many options: select what to count, how to categorize and what to filter, and the charts are created on the fly. The images below show several examples.

This is a compound of Source / Destination / Service, each one filtered to its TOP 10. You can also do TOP 20 or TOP 100, but note that chart series are limited to 255.

The option for Top X is available in the filter section (left), and in the table you can sort by Grand Total (right).


Top20 rules most hit (left) and Action accepted/dropped (right):

Top20 Services (left) and Top20 Destination (right):


Top 20 sources
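The same 15-second bucketing and Top-N counting that the PivotTable does above, as an added command-line example (not part of the original document) so it also works on exports that exceed Excel's row limit. The log lines are constructed to look like a space-delimited SmartView Tracker export with name/service resolution disabled; the column order (Time Origin Action Source Destination Service Rule) is an assumption taken from the custom view described in step 1, not real log data.

```shell
#!/bin/sh
# Added example, not from the original document: replicate the Excel
# PivotTable analysis with awk.  SAMPLE_LOG is constructed test data in an
# assumed column order: Time Origin Action Source Destination Service Rule.

SAMPLE_LOG='8:45:03 10.0.0.1 accept 10.1.1.10 192.0.2.10 443 12
8:45:09 10.0.0.1 accept 10.1.1.11 192.0.2.10 443 12
8:45:14 10.0.0.1 drop 10.1.1.12 192.0.2.20 445 159
8:45:15 10.0.0.1 accept 10.1.1.10 192.0.2.10 443 12
8:45:29 10.0.0.1 accept 10.1.1.10 192.0.2.30 80 15
8:45:31 10.0.0.1 drop 10.1.1.12 192.0.2.20 445 159'

# bucket15 H:MM:SS -> the same time floored to a 15-second boundary, i.e. the
# "NTime" column from step 5 (8:45:00..8:45:14 all become 8:45:00).
bucket15() {
    echo "$1" | awk -F: '{ printf "%d:%02d:%02d\n", $1, $2, int($3 / 15) * 15 }'
}

# events_per_bucket: number of log lines per 15-second bucket, the X axis of
# the time chart.  Reads the export on stdin, prints "<bucket> <count>" in
# time order.
events_per_bucket() {
    awk '{ split($1, t, ":")
           b = sprintf("%d:%02d:%02d", t[1], t[2], int(t[3] / 15) * 15)
           n[b]++ }
         END { for (b in n) print b, n[b] }' | sort
}

# top_n FIELD N: the N most frequent values of column FIELD (3 = action,
# 4 = source, 5 = destination, 6 = service, 7 = rule), like the pivot
# "Top 10" filter.  Reads the export on stdin, prints "<count> <value>".
top_n() {
    awk -v f="$1" '{ n[$f]++ } END { for (v in n) print n[v], v }' | sort -rn | head -n "$2"
}

# top_source: the single busiest source address in SAMPLE_LOG
top_source() {
    printf '%s\n' "$SAMPLE_LOG" | top_n 4 1 | awk '{ print $2 }'
}

# Sample run on the constructed data: events per bucket, then the three
# most-hit rules (the "Top20 rules most hit" chart in the text).
printf '%s\n' "$SAMPLE_LOG" | events_per_bucket
printf '%s\n' "$SAMPLE_LOG" | top_n 7 3
```

On a real export, replace `printf '%s\n' "$SAMPLE_LOG"` with `cat export.txt` (after stripping the header line) and keep the Origin filter from step 2 by adding `awk '$2 == "10.0.0.1"'` in front of the pipeline; `top_n 4 20` and `top_n 5 20` give the Top 20 sources and destinations shown in the charts.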

Check Point - Performance analysis

Useful commands to analyse performance:


uptime
cat /proc/cpuinfo
top (press 1 for per-CPU info; to make it permanent press shift+W to save)
cphaprob state
fw tab -s -t connections
fw ctl pstat
cpstat os -f perf
fw ctl multik stat
fw ctl affinity -l -r -v
cat /proc/interrupts
fwaccel stat
fwaccel stats
fwaccel stats -s
netstat -i
ethtool -S eth3 | egrep 'errors|no_buffer'

cpview: example of one menu; many other options are available:

SecureCRT highlight keywords:


Check Point - Firewall Performance- SecureXL, CoreXL, CPU affinity and Dynamic Dispatcher

Purpose: to show some good practices for the SecureXL and CoreXL features, which can improve firewall performance. These features require proper licenses (Performance Pack / Acceleration).

SecureXL

This is an acceleration feature where 'acceleration' means that packets are handled by the SecureXL device (the fast path) without going through the full inspection of the firewall kernel (the slow path, F2F); rule base matching only happens for the first packet of a connection, or not at all when a template matches. We can consider the following types of acceleration:

1) Accelerating packets: after a new connection has been accepted by the firewall (its first packet went through the rule base), SecureXL takes care of accelerating the rest of the packets. This only needs SecureXL to be enabled. Still, some packets cannot be accelerated, such as ICMP, GRE, ESP, or traffic subject to IPS, Anti-Virus, URL Filtering, etc. More details in sk32578.

2) Accelerating new connections, by use of Accept Templates: new connections can also be accelerated as long as they match an existing template. Acceleration of new connections can be important on firewalls with many short-lived connections (for example HTTPS). sk32578 lists the conditions under which new connections cannot be accelerated; examples are rules with services like traceroute, RPC or FTP, or the use of Time objects. As can be seen below, "Accept Templates" are disabled from rule #159 downwards, in this case because that rule has an RPC service; the rules above it still get templates. One way to optimize this type of acceleration is to isolate the non-accelerated rules and move them down in the rule base, as long as they are not top-hit rules, in which case it is sometimes better to keep the rule nearer the top.

3) Accelerating dropped connections (Drop Templates): details in sk90861. This feature matters more on firewalls where the drop rate is high. The option is enabled on the Firewall / Cluster object but only kicks in dynamically when the firewall detects a high drop rate.

4) There are also other types of acceleration: NAT acceleration with templates, multicast acceleration, etc.

To enable or disable SecureXL, use:

fwaccel on
fwaccel off

When doing a packet capture with 'fw monitor', accelerated packets are not shown, so it might be useful to disable SecureXL for the capture and enable it again afterwards, but note that this can have a high impact on firewall performance because all traffic then goes through the slow path. A less intrusive method is to use tcpdump instead, although the detail differs (tcpdump captures at the interface, not at the firewall inspection points).

Status: the information about which rule disables the use of "Accept Templates" is important so we can improve the policy to make better use of new-connection acceleration:

fwaccel stat

Statistics: some terminology. SXL stands for SecureXL, the fast path (accelerated); PXL is the medium path, where SecureXL hands packets to the Passive Streaming Library for the IPS and other streaming blades; QXL is for packets sent to the QoS blade; and F2F stands for Forwarded to Firewall, the slow path (no acceleration). The value "conns from templates" relates to the acceleration of new connections.

fwaccel stats


Statistics summary: a good summary of the ratio of accelerated connections and packets:

fwaccel stats -s

List connections: 'fwaccel conns' shows the list of accelerated connections; this can be a very big output. For statistics, the command below shows the top 20 source / destination IP pairs. Note that the list of accelerated connections shows two lines per connection (one per direction), so it is in fact a top 10 of flows.

fwaccel conns | tail -n +3 | sed -e '/^$/,$d' | awk '{printf "%-16s %-15s\n", $1,$3}' | sort | uniq -c | sort -n -r | head -n 20

CoreXL

CoreXL is a feature that runs several instances of the firewall kernel, one per CPU core, and lets you control the mapping of interfaces (their interrupts) and processes to cores. It is only available on multi-core devices and is enabled in cpconfig. Usually there is no need to customise the configuration; enabling it is enough to take advantage of the multiple cores with the default settings below:


https://sc1.checkpoint.com/documents/R76/CP_R76_PerformanceTuning_WebAdmin/6731.htm

To verify the number of CPU cores available:

cat /proc/cpuinfo

And CPU usage:

top

and then press 1 if only one "Cpu(s)" line is shown. Press W (capital W) to save the preferred view. In this example there are two CPU cores. The 'id' value means idle; it is visible that CPU0 is doing more processing than CPU1. When there is a lot of traffic there is a lot of software interrupt (softirq) work on the CPU, which is the 'si' value, so it is visible that CPU0 is taking care of a great amount of traffic.

CoreXL statistics can be seen with:

fw ctl multik stat

fw ctl affinity -l -r -v

Above, one firewall kernel instance per CPU is visible, one interface (Mgmt) on CPU0 and everything else using both CPUs (automatic selection). The connection distribution is more or less equal between CPUs.

Using the command below it is possible to see interrupt usage per CPU. Below it is visible why CPU0 has much more load: in practice it is handling the interrupts of all the interfaces.

cat /proc/interrupts


To check interface status and errors:

netstat -i

In more detail:

netstat -ni; ethtool -S eth3 | egrep 'errors|no_buffer'

RX drops are seen on eth3, and a method to reduce them is to increase the RX ring buffer size. By default it is 256 descriptors but it can be increased up to 4096; this should be done carefully, in successive increments, checking the results after each change. A bigger ring only helps with drops caused by short bursts that the driver cannot drain in time; if the core handling that interface's interrupts is saturated, the fix is CPU affinity (next section) rather than a bigger ring. Also note that changing the ring size briefly resets the interface, so do it in a maintenance window or on the standby cluster member first. On Gaia it can be applied with:

set interface eth3 rx-ringsize 512

In general (SPLAT) it can also be done with:

ethtool -G ethX rx 1024 tx 512

Note that RX drops are considered normal as long as they stay below 0.5% of the packet RX rate, and that the counters shown are cumulative since boot. So if RX drops are seen, it is better to do some statistics over a known interval to understand whether optimization is really required.
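Applying the 0.5% rule of thumb properly, as an added example (not part of the original document): the RX-OK and RX-DRP columns of netstat -i are cumulative since boot, so one snapshot mixes old history into the ratio; the script compares two snapshots taken a known interval apart instead. The two snapshots are constructed samples in the Linux/SPLAT column layout (Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK ...), not output from a real gateway.

```shell
#!/bin/sh
# Added example, not from the original document: RX drop ratio per interface
# from the delta between two `netstat -i` snapshots.  On a real box:
#   netstat -i > /tmp/n1; sleep 60; netstat -i > /tmp/n2
# and feed "$(cat /tmp/n1)" / "$(cat /tmp/n2)" to rx_drop_pct.
# The snapshots below are constructed test data.

SNAP_BEFORE='Kernel Interface table
Iface       MTU Met    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0       1500   0  8213456      0      0      0  7223091      0      0      0 BMRU
eth3       1500   0 59012345      0 412000      0 61230011      0      0      0 BMRU
lo        16436   0    12345      0      0      0    12345      0      0      0 LRU'

SNAP_AFTER='Kernel Interface table
Iface       MTU Met    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0       1500   0  8313456      0      0      0  7303091      0      0      0 BMRU
eth3       1500   0 59512345      0 415500      0 61730011      0      0      0 BMRU
lo        16436   0    12445      0      0      0    12445      0      0      0 LRU'

# rx_counters IFACE SNAPSHOT -> "<rx-ok> <rx-drp>" for that interface
# (column 4 = RX-OK, column 6 = RX-DRP; header lines never match an iface name)
rx_counters() {
    printf '%s\n' "$2" | awk -v i="$1" '$1 == i { print $4, $6 }'
}

# rx_drop_pct IFACE SNAP_BEFORE SNAP_AFTER -> percentage of the packets
# received during the interval that were dropped, from the counter deltas
rx_drop_pct() {
    b=$(rx_counters "$1" "$2"); a=$(rx_counters "$1" "$3")
    echo "$b $a" | awk '{ dok = $3 - $1; ddrp = $4 - $2
        printf "%.3f\n", (dok > 0) ? ddrp * 100 / dok : 0 }'
}

# rx_verdict IFACE [THRESHOLD_PCT] -> "ok" or "INVESTIGATE"; the default
# threshold is the 0.5% rule of thumb from the text
rx_verdict() {
    pct=$(rx_drop_pct "$1" "$SNAP_BEFORE" "$SNAP_AFTER")
    awk -v p="$pct" -v t="${2:-0.5}" 'BEGIN { print (p + 0 > t + 0) ? "INVESTIGATE" : "ok" }'
}

# rx_report: one line per interface found in the snapshot (header skipped)
rx_report() {
    printf '%s\n' "$SNAP_AFTER" | awk 'NR > 2 { print $1 }' | while read -r ifc; do
        printf '%-6s %6s%% %s\n' "$ifc" \
            "$(rx_drop_pct "$ifc" "$SNAP_BEFORE" "$SNAP_AFTER")" "$(rx_verdict "$ifc")"
    done
}
rx_report
```

In the sample, eth3 dropped 3500 of the 500000 packets it received in the interval (0.700%), above the threshold, while eth0 and lo are clean; that is the interface to look at with ethtool -S and, if its softirq core is busy, the affinity change in the next section.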

CPU affinity

In the example seen above, moving some interfaces to CPU1 can be a good solution to reduce the imbalance between CPUs. This is done by editing the affinity file:

$FWDIR/conf/fwaffinity.conf


Then applying:

sh $FWDIR/scripts/fwaffinity_apply -f

Verification:

sim affinity -l

And also:

fw ctl affinity -l -r -v

This method is also possible but doesn't survive a reboot:

fw ctl affinity -s -k 1 4      !! kernel instance #1 to run on core #4
fw ctl affinity -s -n vpnd 3   !! vpnd process to run on core #3
fw ctl affinity -s -i eth3 1   !! interface eth3 to run on core #1

CoreXL Dynamic Dispatcher

On R77.30 it is possible to use the CoreXL Dynamic Dispatcher (sk105261). This feature is disabled by default and should only be used on firewalls / clusters with many connections (>90,000). Instead of the default static assignment of new connections to firewall instances, it distributes new connections dynamically based on the current CPU load of each instance.

Command to enable the feature (requires a reboot):

fw ctl multik set_mode 9

Command to verify:

fw ctl multik get_mode

The red arrow below shows the moment when CPU affinity and the CoreXL Dynamic Dispatcher were enabled. On a 2-core firewall it is best to keep the load average at 2 or below. Before the optimization the load peaked at 3, afterwards at 1.

The CPU 'id' and 'si' values are now more even.


The connection distribution shows that CPU1 (not to be confused with the instance ID) can handle more connections, probably because it only manages eth3, while CPU0 manages the interrupts from all the other interfaces.

Check Point - System Activity Report

On the newer Check Point Gaia (not sure from which version) there is a "System Activity Report", sar, which is not Check Point specific but a generic Linux (sysstat) feature. Check Point generates one report daily and keeps them for one week in /var/log/sa/

In this directory you have two types of file:

- saXX are binary files and can only be read with the 'sar' command. One advantage is that you get info about the current day (example below), or you can generate reports different from the one Check Point generates (which is already very complete).

- sarXX are text files; you can copy them to your local computer and there is a Java tool called kSAR that creates graphs from them instantly (one snapshot below).

XX is the day of the month, so sa20 below is the data collected on the 20th.

Note that this tool only reports OS-level information (CPU, RAM, disk, interfaces, ...) and no Check Point specific info (concurrent connections, for example).

sar -P ALL -f /var/log/sa/sa20


Check Point - Web Visualization Tool (sk64501)

Allows producing a web page of the policies and is useful for presenting policies to customers. It requires the same connectivity as the SmartConsole tools, so the application can be installed on the local workstation that is used to connect with SmartDashboard / SmartView Monitor / etc.

These are the installation instructions I use:

1) Use a copy, not the original folder, to avoid affecting the SmartConsole installation. Copy the folder C:\Progra~1\CheckP~1\SmartC~1\R<ver>\PROGRAM\ to C:\WVT\PROGRAM\

2) Download and unpack the tgz file into C:\WVT\PROGRAM\ and choose to overwrite files. If it doesn't exist, create the folder C:\WVT\PROGRAM\xsl\xml\

3) Apply a minor patch to allow the "VPN communities" to be seen. Edit xsl\security_policy.xsl and replace line 157 from
<xsl:for-each select="./through/through">
to
<xsl:for-each select="./through/members/reference">

To export the policies:

C:\WVT\PROGRAM\cpdb2web -s <SCSserver> -u <user> -p <pass> -o C:\WVT\PROGRAM\xsl\XML\

Then open C:\WVT\PROGRAM\xsl\index.xml

Note: you might have trouble if you use % in the password, because cmd.exe treats %...% as a variable reference. Also keep in mind that the password is passed on the command line, so it ends up in the console history and is visible to anyone who can list the running processes.

Example of use:


The XML files can also be opened in Excel or used as input for the LanMngmtXL tool to create policy documentation in Excel and do advanced analysis like expanding rules and groups, detecting duplicate network objects and services, overlapping rules, etc.

To export only one policy, for example when using a shared SmartCenter and you only want to send a specific policy to a customer, the command is:

c:\wvt\program\cpdb2html.bat C:\WVT\PROGRAM\ C:\ <SCSserver> <user> <pass> -o export.html -m <cluster_gateway_name>

Example:


Each time you run WVT, temp directories are created (c:\temp1, c:\temp11, c:\temp111, ...). You can delete them after the command has finished.

Check Point - Firewall Policy migration with cp_merge

Goal: a new SmartCenter (EMC04/EMC05) was created in an emergency and the policies of several customers were migrated, but only one customer was in fact put into production. All the others remained in production on the old SmartCenter (EMC01/EMC02). Months later a project was created to migrate all the remaining customers.

Problem: we needed to avoid affecting the already migrated customer while migrating the rest. Policies are independent, but the objects file is shared among all of them.

Solution: update the objects file manually and then migrate only the policies.

With this solution it was also possible to plan different maintenance windows per customer:

Details of the steps taken:

Note that all this work was prepared in a LAB environment with virtual machines where I imported both EMC01 and EMC04 and could simulate the migrations. Then I was able to build the steps to apply in production.

# on old SmartCenter
!! Push policy on EMC01 with the EMC04/EMC05 objects added to the rules where EMC01/EMC02 are used
!! Export policies. GUI users need to be out; check with "cpstat mg" (or SmartView Monitor)
cd /var/tmp/export; cp_merge export_policy -s localhost;

# copy policies from old to new SmartCenter
chsh -s /bin/bash admin
!! SCP/SFTP the .pol files
chsh -s /bin/cpshell admin

# on new SmartCenter
!! Merge the objects file into the existing objects; make a backup first. GUI users need to be out (cpstat mg)
cd /var/tmp/import; cp $FWDIR/conf/objects_5_0.C /var/tmp/objects_5_0.C_ORIGINAL; cp_merge merge_objects
!! If you receive warnings, check the details and try to solve them. For example, create the firewall cluster and member objects with the same settings after the merge if they cannot be imported.


!! If a merge has been done before or many duplicate objects exist, do not import the objects file. Check for existing but changed objects. More details at the end.

!! If importing from an older version, a trick that usually works is to edit the imported objects_5_0.C file and set the same version as the original file on the new SmartCenter.

!! Import policy. GUI users need to be out (cpstat mg)
cd /var/tmp/importEMC01; cp_merge import_policy -s localhost -u <user> -f <policy>.pol -n <policy-name>

!! Verify policy
!! Reset SIC on the firewall (when exiting cpconfig the services are restarted; impact on standalone deployments)
!! Initialize SIC between EMC04 and the firewall
!! SmartUpdate: attach licenses. During preparation the license should be updated in the UserCenter with the IP of the new SmartCenter and imported into SmartUpdate; it can only be attached after SIC.
!! Push policy
!! Verify status in SmartView Monitor. Check logs in SmartView Tracker
!! Some cleanup (some of it can be done in a later change): remove EMC01/EMC02 from the rules and push policy again. On EMC01/EMC02 rename the policy (save as new, delete the old one afterwards) with "NowOnEMC04". Remove the license associated with the old server (if there is an error, close and reopen SmartUpdate). To see the old license, use "get licenses" on the firewall object.

Manual update of objects file

All the steps above are more or less straightforward; the one complex point is how to know which objects have been created/changed in the objects file. Note that the objects file was migrated with the first customer, and changes were made in the months that followed until the others were migrated too.

Be aware that we get an error if an object used in the imported policy is missing. That is good to know, but it is still not a good method: not only is it slow (it only warns about one missing object at a time, so the cycle is migrate, error, log in to Dashboard, create object, save, exit, migrate, error, ...), it also doesn't detect objects that exist but were edited.

Another method is to check the "last modification date" of the objects:

A more advanced check I used is LanMngmtXL, which helped me detect the added/changed objects.

Check Point - Sending cp_info with Proxy

It's not easy to upload a cp_info to Check Point when you have to use a proxy. The limit for attachments in their UserCenter for Service Request tickets is 25MB; for anything bigger you have to use cp_uploader:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk84000

C:\>set http_proxy=http://proxy.corp.com:8000
C:\>echo %http_proxy%
http://proxy.corp.com:8000

C:\>cp_uploader.exe -u <UserCenter e-mail> -s 5-1111222233 FW-CPSM01_01_1_2000_00_00.info.gz
Password:
Initiating connection to User Center: Done.
Generating list of files to be uploaded: Done.
Sending list of files to server: Done.
Uploading FW-CPSM01_01_1_2000_00_00.info.gz: 100% (31376512/31376512), Done.


Check Point - Workaround when not being able to SmartDashboard to a SmartCenter server

SSH tunnel on SecureCRT: create with name “18190”, redirects my local port 18190 to remote port 18190. This means that after connecting with this new SSH session to remote server, a tunnel is open that will allow a connection to my localhost (127.0.0.1) be tunneled to remote host and sent to its remote port 18190.

Some notes:
- On the remote server change the shell to bash: chsh -s /bin/bash admin
- Check that the local connection (127.0.0.1) is allowed in the Check Point GUI clients file: more $FWDIR/conf/gui-clients (or check with cpconfig)
- Check the SSH logs for errors. In this case the SSH tunnel was being denied:

tail -f /var/log/{messages,secure}

You need “AllowTcpForwarding yes” in the /etc/ssh/sshd_config file and then “service sshd reload” to re-read the config file. After this reload you need to exit your current SSH session and log in again, because only new sessions will allow the SSH tunnel.

“localhost” is not always 127.0.0.1; it may resolve to IPv6 ::1. So in SmartDashboard use 127.0.0.1, not localhost. Check with an application like tcpview.exe that the connections are made correctly.

Be careful when connected with SmartDashboard through the SSH tunnel: SSH has an inactivity timeout, and when it expires the tunnel is closed and you lose your work. Try to keep SSH active by pressing Enter from time to time, or better, in expert mode change the default timeout value (10 minutes) this way:

echo $TMOUT
600
TMOUT=1800
echo $TMOUT
1800
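An added pre-flight check for this workaround, written for these notes and not part of the original page: it reads a copy of sshd_config and of $FWDIR/conf/gui-clients and reports whether TCP forwarding is effectively on and whether 127.0.0.1 is an allowed GUI client. The sample files are constructed, and the gui-clients format (one entry per line) is assumed from how the file is displayed above.

```shell
#!/bin/sh
# Added example (not from the original notes): pre-flight check for the
# SmartDashboard-over-SSH-tunnel workaround. Paths are parameters so copies
# of the files can be checked offline; the sample files below are constructed.

# Effective global AllowTcpForwarding. sshd keeps the FIRST value it sees for
# a keyword, ignores comments, and defaults to "yes" when the keyword is
# absent. Match blocks are skipped (they override per user/address and need a
# manual look), so this reports the global setting only.
sshd_tcp_forwarding() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }     # comment or blank line
        tolower($1) == "match"               { in_match = 1 }
        in_match                             { next }     # everything after Match
        tolower($1) == "allowtcpforwarding" && !found {
            value = tolower($2); found = 1
        }
        END { print (found ? value : "yes") }
    ' "$1"
}

# Exit 0 when the gui-clients file lists the given address verbatim, one
# entry per line (assumption). "localhost" is deliberately NOT accepted as
# 127.0.0.1, because SmartDashboard may resolve it to ::1, as noted above.
gui_client_allowed() {
    grep -qx "[[:space:]]*$2[[:space:]]*" "$1"
}

# Combined verdict: prints findings, returns 0 only when both are satisfied.
tunnel_prereqs_ok() {
    ok=0
    fwd=$(sshd_tcp_forwarding "$1")
    if [ "$fwd" = "yes" ]; then
        echo "AllowTcpForwarding: yes"
    else
        echo "AllowTcpForwarding: $fwd -> set 'AllowTcpForwarding yes' then 'service sshd reload'"
        ok=1
    fi
    if gui_client_allowed "$2" 127.0.0.1; then
        echo "GUI client 127.0.0.1: allowed"
    else
        echo "GUI client 127.0.0.1: missing -> add it with cpconfig"
        ok=1
    fi
    return $ok
}

# Constructed sample files (not real configs). The sshd_config shows the
# classic mistake: "AllowTcpForwarding yes" appended at the end is ignored
# because sshd takes the first value, which is "no".
DEMO=$(mktemp -d)
cat > "$DEMO/sshd_config" <<'EOF'
Port 22
# AllowTcpForwarding yes
AllowTcpForwarding no
AllowTcpForwarding yes
Match Address 192.0.2.0/24
    AllowTcpForwarding yes
EOF
printf '10.1.1.50\nlocalhost\n' > "$DEMO/gui-clients"

tunnel_prereqs_ok "$DEMO/sshd_config" "$DEMO/gui-clients" || echo "tunnel will not work as-is"
```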

Check Point - reset SIC without restarting the firewall process


Purpose: sometimes a SIC reset is needed but impact must be avoided. Two recent examples were:
- Renaming a firewall object that is not part of a cluster
- Migrating a firewall to another SmartCenter while keeping the policy loaded so that NAT keeps working

Below is an example of the first case: rename firewall “firewall-02” to “firewall-01”. This example is based on Check Point solution sk86521.

Initial status:

Rename on OS level: simple and doesn’t affect anything

Monitor is still ok and showing the original name

And SIC still established:

Applying a new SIC key without restart:


Still nothing changes:

Restarting the CPD process only - FWD process continues to work so policy keeps loaded:

Communication with SmartCenter is affected as expected:

But as can be seen from “Start_time”, no other process was affected (cpwd_admin list):

Policy is still loaded (cpstat fw -f all):


Then add a new Firewall object with the correct name and the same IP; there is only a warning about another object having the same IP. SIC trust is established, and from Monitor it is also visible that the policy is still loaded from before the SIC reset:

Check that both objects (old name and new name) are exactly the same. One way is to use two windows (SmartDashboard in Read-Write and another in Read-Only) to compare all Firewall object interfaces and menus.

Update the “installation targets” for the policy and install:

Delete the old firewall object.

Check Point - Download file with WinSCP fails on SPLAT

I had this issue before and now struggled to find the solution again; it is useful for saving backups/upgrade_export. You need to disable the option “Optimize connection buffer size” in the WinSCP Connection settings.


Besides this I only needed to change the shell to /bin/bash, although Check Point also recommends creating /etc/scpusers containing the list of users allowed to SCP and doing ‘chmod o+r’ on that file.

chsh -s /bin/bash admin !!change to bash
chsh -s /bin/cpshell admin !!return to more secure shell (ignore warning)

Utilities

Visual Subnet Calculator

You can divide and join networks and copy & paste the table to Excel.
http://www.davidc.net/sites/default/subnets/subnets.html

Offline version (works best on Firefox):

Example:

Wireshark capture with tcpdump through SSH

C:\Putty\plink.exe -l <user> -pw <pass> <serverIP> "tcpdump -s0 -ni any -w - '(host 1.1.1.1)'" | "c:\Program Files\Wireshark\wireshark.exe" -k -i -

Update: I’ve tried this on Check Point GAIA firewalls and it works fine. Just a few notes:
1) The user ‘admin’ has to be used and its shell needs to be changed (chsh -s /bin/bash admin)
2) Using option ‘-i any’ allows listening on all interfaces, but it is not good practice because we’ll see many duplicate packets. It is better to run two separate tcpdump captures to analyse specific flows ‘through’ the firewall.

Example

Rubular - regular expression editor

This site shows a quick reference guide for regular expressions and allows you to test one. In this case I wanted to capture the services in conflict in order to cross-match them with a list of unused services.

http://rubular.com/


Transfer files when everything fails

Purpose: transfer a 2.7GB ISO file obtained from the Internet (Check Point website) to a VM server in a shared environment.

First I downloaded the file to my local workstation, which took around 1 hour. Then I transferred it with WinSCP directly to the VM. The problem is that the transfer takes 1h30 and the connection was aborted twice. There is no possibility to resume, so about 2 hours were lost. So I transferred it to the jump server instead, where it is possible to resume if the connection breaks; this took 2 hours.

Then SCP from the Jump Server to the VM didn’t work in either direction, because some ciphers are no longer supported on this Jump server:

[Expert@VM]# scp [email protected]:/tftproot/Check_Point_R77.30_Install_and_Upgrade.Gaia.iso .
no matching cipher found: client aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,[email protected] server aes128-ctr,aes192-ctr,aes256-ctr

Then I tried TFTP: I can transfer a small file but I can’t transfer the ISO file:

[Expert@VM]# tftp 1.1.1.1
tftp> binary
tftp> get /tftproot/Check_Point_R77.30_Install_and_Upgrade.Gaia.iso
Error code 1: File not found
tftp> get /tftproot/test2.txt
Received 12 bytes in 0.0 seconds

Permissions are OK:
24944 2821480 -rwxrwxrwx 1 xxxxxxxx xxxxxxxx 2889187328 Jan 12 16:59 /tftproot/Check_Point_R77.30_Install_and_Upgrade.Gaia.iso
34065       4 -rwxrwxr-x 1 xxxxxxxx xxxxxxxx         12 Jan 13 08:47 /tftproot/test2.txt

So, now what? I can’t transfer with SCP or TFTP. It is a Linux VM, so it is not possible to ask someone onsite to plug in a USB pen, or the ESX admins to map a network drive or use Remote Desktop for the transfer …


Knowing that the TFTP issue might be the size of the file, I break the file into parts at the source and then join them at the destination. MD5 verification is important to be sure that in the end it is the same file. The main problem with this solution is that it temporarily requires double the space on both source and destination (around 6GB).

Process:
Break the file, in this case into 1GB chunks:
[xxxxxxxx:xxxxxxxx:/tftproot:] split -b 1000000000 Check_Point_R77.30_Install_and_Upgrade.Gaia.iso

[xxxxxxxx:xxxxxxxx:/tftproot:] ls -lisa x*
24956 976568 -rw-r--r-- 1 xxxx xxxxxx 1000000000 Jan 13 08:49 xaa
24957 976568 -rw-r--r-- 1 xxxx xxxxxx 1000000000 Jan 13 08:49 xab
24958 868352 -rw-r--r-- 1 xxxx xxxxxx  889187328 Jan 13 08:49 xac

Transfer:
tftp> get /tftproot/xaa
Received 1000000000 bytes in 854.0 seconds
tftp> get /tftproot/xab
Received 1000000000 bytes in 847.0 seconds
tftp> get /tftproot/xac
Received 889187328 bytes in 831.9 seconds
tftp> quit

Merge the file:
[Expert@VM]# cat xaa xab xac > Check_Point_R77.30_Install_and_Upgrade.Gaia.iso

Verify:
[Expert@VM]# ls -lisa Check_Point_R77.30_Install_and_Upgrade.Gaia.iso
917530 2824232 -rw-r----- 1 root root 2889187328 Jan 13 09:15 Check_Point_R77.30_Install_and_Upgrade.Gaia.iso

[Expert@VM]# md5sum Check_Point_R77.30_Install_and_Upgrade.Gaia.iso
a95a567defeaec495fe7764bf074845f  Check_Point_R77.30_Install_and_Upgrade.Gaia.iso

Clean up (also on the Jump server):
[Expert@VM]# rm xaa xab xac
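The split / transfer / cat / md5sum procedure above as an added, runnable example that is not from the original notes. It extends the procedure with a per-chunk checksum manifest, so the receiving side can name the one chunk to re-send instead of re-transferring everything; file names and sizes are constructed.

```shell
#!/bin/sh
# Added example (not from the original notes): chunked transfer with
# integrity checks. The notes verify only the final md5sum, so one bad chunk
# means re-transferring ~3GB; a manifest with the md5 of every chunk lets the
# receiver identify exactly which chunk to fetch again.

# Source side: split FILE into CHUNK_BYTES pieces named xaa, xab, ... (as in
# the notes) and write MANIFEST.md5 with each chunk's md5 plus the whole file's.
prepare_chunks() {          # prepare_chunks <file> <chunk_bytes> <outdir>
    mkdir -p "$3"
    split -b "$2" "$1" "$3/x"
    ( cd "$3" && md5sum x?? ) > "$3/MANIFEST.md5"
    ( cd "$(dirname "$1")" && md5sum "$(basename "$1")" ) >> "$3/MANIFEST.md5"
}

# Destination side: check every chunk against the manifest, report the ones
# that are missing or corrupt (return 1), otherwise reassemble in name order
# and verify the whole file against the manifest's last line.
reassemble() {              # reassemble <chunkdir> <outfile>
    bad=""
    while read -r sum name; do
        case "$name" in x??) ;; *) continue ;; esac      # chunk lines only
        if [ ! -f "$1/$name" ] ||
           [ "$(md5sum < "$1/$name" | cut -d' ' -f1)" != "$sum" ]; then
            bad="$bad $name"
        fi
    done < "$1/MANIFEST.md5"
    if [ -n "$bad" ]; then
        echo "re-transfer:$bad" >&2
        return 1
    fi
    cat "$1"/x?? > "$2"                                  # glob order = split order
    want=$(awk '$2 !~ /^x..$/ { print $1 }' "$1/MANIFEST.md5")
    have=$(md5sum < "$2" | cut -d' ' -f1)
    [ "$want" = "$have" ]
}

# Constructed demo: a 2.5 MB pseudo-ISO split into 1 MB chunks, one chunk
# damaged in "transit", then only that chunk re-sent and the file rebuilt.
WORK=$(mktemp -d)
head -c 2500000 /dev/urandom > "$WORK/demo.iso"
prepare_chunks "$WORK/demo.iso" 1000000 "$WORK/src"
cp -r "$WORK/src" "$WORK/dst"                            # the "transfer"
printf 'X' >> "$WORK/dst/xab"                            # damage one chunk
if reassemble "$WORK/dst" "$WORK/rebuilt.iso"; then
    echo "unexpected: damaged chunk was accepted"
fi
cp "$WORK/src/xab" "$WORK/dst/xab"                       # re-send only xab
reassemble "$WORK/dst" "$WORK/rebuilt.iso" && echo "rebuilt.iso verified"
```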

Linux LVM - reconfigure disk space

This How-To is not specific to Check Point: it describes a general solution for Red Hat / Fedora / CentOS Linux, on which Check Point GAIA is based.

The purpose is to provide insight into LVM (Logical Volume Manager). Although LVM allows partitioning to be changed easily, note that these are very critical operations and, as shown at the end of this How-To, things can go wrong. So it is important to have external backups and to perform as many lab simulations as possible.

There are 3 important concepts to understand how LVM works: PV (Physical Volume) is the physical data storage, VG (Volume Group) is a virtual grouping of that physical storage, and LV (Logical Volume) is the final logical partition we see at OS level.


1) In this example there is not much space left on the root partition (/), but checking fdisk there is unused space in one of the partitions: 24GB available but only 5+2 = 7GB used on the LVM.

2) This can also be verified in lvm_manager (an application specific to Check Point): lv_current is / and lv_log is /var/log. There are 2GB used for swap too. The root can be extended to 9GB, which is only 3GB more because another 3GB is kept reserved for ‘upgrade’. This operation requires stopping services and a reboot.


3) After reboot, the root partition is now 9GB:


4) These are some of the useful commands to check LVM:

5) Other useful commands to check detected storage devices and mounted partitions:


6) What if there is no free physical disk space, but a new disk can be added? Example on VirtualBox:

7) First a new partition needs to be created with fdisk. The command can be run manually with the options shown below; the script below shows how to do it automatically. In the end the new /dev/hdb1 partition exists.


8) Then the new partition is added to LVM as PV and extended to existing VG:

9) On the LVM Manager the total size changed from 24GB to 32GB. And free size from 1GB to 9GB.

10) In this example, the LV /var/log is extended to 11GB:


When I did this lab the first time I got a kernel panic after reboot! Just proof that this is a critical operation that should only be done when strictly required and with good preparation in a lab. There was no chance of recovery, so I did a fresh install. This time, instead of a new 4GB disk I created an 8GB one, which is what the example in this message is based on: the boot finished and I had a new 11GB capacity on /var/log:

With new 8GB disk:

LanMngmtXL

At https://goo.gl/UAxMrx

Best Practices - for Network Robustness (proactive) or Deep Dive (reactive) plans
1. Configure a login banner with unauthorised access notice.
2. Use AAA (TACACS+ / RADIUS) and have minimal local users. Enforce use of strong passwords. Use Two-Factor Authentication when required.
3. Configure NTP. Use NTP authentication when required. Set up the correct timezone;
4. Set up ICMP monitoring and SNMP v2c (v3 if mandatory) polling for interface status and traffic statistics. Set SNMP contact (support email) and location (rack location/position);
5. Configure Syslog and SNMP traps;
6. Use a dedicated management Vlan (per security perimeter). Opt for SSH/HTTPS instead of telnet/HTTP for admin access. Limit source networks with VTY ACL. Have a session timeout;
7. Have Passwords of Last Resort (POLR), service passwords (ex. TACACS secret, SNMP communities, NTP key, ...), VPN PreSharedKey and private keys saved securely and renewed regularly;
8. Encrypt passwords in configuration. Scrub sensitive data on configuration extraction to auditors and other 3rd parties;
9. Disable unused services including tcp|udp-small-server, HTTP and NTP server. Disable unnecessary services, especially on firewalls;
10. Control physical access to devices. Have a procedure for cleaning configuration when disposing of devices;
11. Have regular backups saved remotely. Have tools to verify execution and quality of backups. Test backup restoration periodically;
12. Set auto/auto speed/duplex for 1/10Gbps ports (for master/slave and error detection). For old NICs and 10/100Mbps use static speed/duplex (no negotiation, as it can be unstable and insecure);
13. Use intra-site and inter-site redundancy solutions. Example: dual power sources, port aggregation, stacked switches, redundant FEX, routers, firewall clusters, etc.;
14. Use health-check tools to verify redundant devices have the same config: static routes, NAT rules, Vlan ACLs, …;
15. Have backend and frontend firewalls from different vendors. Implement preferably dedicated IPS;
16. Use IPS on Internet connection, WAN and other external connections and as much as possible in between security zones;
17. Have an explicit "Cleanup Rule" (drop all and log) at the end of Security Policies;
18. Have a "Stealth Rule" (drop and log from any source to Firewall on any service) at the beginning, after the rules that allow required flows to the Firewalls;


19. Have a "Noise Traffic Rule" (broadcasts, multicasts, ident, bootp, ospf, hsrp, ...) at the beginning to avoid excessive logging;
20. Verify "Implied Rules" that control outgoing flows from Firewalls. Preferably opt for explicit rules (RIP, DNS, ICMP, CPRID, DHCP, SSH, VRRP, ...);
21. Prefer "Drop" instead of "Reject" in general;
22. Drop out-of-state packets;
23. Intermediate Drop rules should be moved as close to the top of the Security Policy as possible (after Stealth);
24. Put the most commonly hit rules on top. Put the most complex rules (many objects) at the end;
25. Per VPN section, create a last drop rule for the remote encryption domain. Check Point: disable "Decrypt" on the accept property if not using VPN;
26. Do not allow delinquent rules: no “any” src/dst/service, no big port range (>1.000). When having a DMZ do not allow inside to Internet or Internet to inside - proxy through the DMZ;
27. Have the default route to backend WAN in backend LAN and the default route to Internet in the DMZ. For higher security, route only the necessary Internet addresses and have no default route to Internet;
28. From Internet drop sources from 10/8, 172.16/12, 192.168/16, 0/8, 127/8, 169.254/16, mcast, bcast and other Bogons (sources not expected from the Internet);
29. Set antispoofing on all interfaces and match Antispoofing Settings with Configured Routes. On ASA enable "ip verify reverse-path”. Avoid long lists of routes/antispoof groups when possible;
30. Avoid complex rules: long lists of objects, big groups. Use Networks instead of big host lists when acceptable;
31. Avoid creating duplicate objects (hosts/networks/services);
32. Enforce naming conventions on rules/objects/sections. Example: Section "From ZoneA to ZoneB", host "ServerA_1.1.1.1_vl120", network "vlan120_10.10.10.0_24", service "http_8080", …;
33. Rule comments should include Requester, Purpose, Date, Change number, Implementer. Don't use non-ASCII chars, even in comments;
34. On VPN use a stronger cipher/hash for Phase 1 and a more efficient one for Phase 2. Use PFS for improved security. Use AES instead of 3DES. Check Point: IPsec/SSL algorithm speed sk73980;
35. Use IKEv2 when possible, which includes PMTUD. Check Point: if both VPN endpoints are Check Point, use Permanent tunnels, which use PMTUD and can track tunnel down/up;
36. Backend Firewall: in more controlled environments try to keep the last drop rule with a low hit count by stopping unintended flows at the source;
37. Avoid having several networks in the same vlan. On Check Point, multiple networks in the same vlan are not supported on ClusterXL (use VRRP instead);
38. Check the necessity of IPS protections that have High Performance Impact. On Check Point use "Protect Internal Host Only" if needed. Try to avoid using "Bypass Under Load";
39. Check for rules that are covered (shadowed) by later rules and remove them if not needed (they could still be useful for logging or hit-count granularity);
40. Redundant pairs: use a primary dedicated sync interface and, when possible, set a secondary sync interface through different switches and use bonding;
41. Check Point: use 64 bit instead of 32 bit when RAM > 6GB;
42. Check Point: use a dedicated SmartCenter for management and logging (HA if possible);
43. Check Point: SecureXL (sk32578): unless top hit, move non-accelerated rules (ex. time restriction, VPN, RPC/DCE) to the end of the Policy to allow SXL New connection templates on most rules;
44. Check Point: use accelerated SecureXL drop template optimization (sk90861, sk90941);
45. Check Point: with ClusterXL all vlans should be tagged on trunks (no native vlan) - sk101428;
46. Check Point: check CoreXL stats (CPU, interrupts) and optimize interface affinity and process distribution per CPU core. Apply the same purpose per core pair to better use the L1/L2/L3 CPU cache;
47. Check Point: if RX-DROP, use Dynamic Dispatcher and increase the RX ring buffer size only if needed;
48. Check Point: avoid using negations in Source/Destination/Service fields; also avoid using Domain objects or Groups with Exceptions;
49. Check Point: optimize timeouts: TCP start 5-25s, TCP session 1800-3600s, TCP end 2-20s, UDP virtual 10-40s, ICMP virtual 10-30s (bold=recommended, underscore=default);
50. Check Point: for short-duration services like HTTP(S) enable “start sync 30sec after connection initiation” (works only for SecureXL matched Templates). Uncheck "Sync on cluster" for DNS;
51. Use a domain-name, DNS and DNSSEC when appropriate. Integrate with DHCP when possible;
52. Deploy IPv6 capable HW and SW;

Check Point IPSO/SPLAT/GAIA Quick reference notes and commands

EOS/EOL: http://www.checkpoint.com/support-services/support-life-cycle-policy/
!!Rule order: 1)Implied-First 2)Stealth 3)All explicit except last 4)Implied-Before Last 5)Cleanup 6)Implied-Last 7)Implicit drop 8)Anti-spoofing 9)NAT
!!Allowing Any Any Any still drops service X11 (sk24600). snmp-read has implicit drop of snmpset even when udp/161 is allowed too (sk103405)
!!Check also a good site by Marko Todorovic: http://todorovicmarko.blogspot.sk/p/blog-page.html
!!Best practices: sk98348, sk106597 and sk111303. SecureXL (sk32578) and SXL NAT templates: sk71200.
!!ASA to Check Point migration tool: https://github.com/GoSecure/Cisco2Checkpoint
!!Upgrade: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doShowupgradewizard
!!Compatibility Matrix: www.checkpoint.com/support-services/hcl/
!!MIBs: sk90470. https://articles.sourcecom.se/checkpoint-in-depth-snmp-monitoring/
!!Max Power: Firewall Performance Optimization http://www.maxpowerfirewalls.com/
snmpget -c public 1.1.1.1 .1.3.6.1.4.1.2620.1.1.25.3.0 !!Check Point fwNumConn.0
!!Web Visualization Tool (WVT)
cpdb2web -s <server> -u <user> -p <password> -o C:\WVT\PROGRAM\xsl\XML\
cpdb2html.bat C:\WVT\PROGRAM\ C:\ <server> <user> <password> -o policy.html -m <firewall>
!!TCP/18190 GUI (CPMI), TCP/256 MMtoFWM, TCP/257 Logs, TCP/443 WebUI, TCP/259+900 ClientAuth (telnet, HTTP),
!!TCP/261 Session Agent, TCP/18182 OPSEC UFP, UDP/8116 ClusterXL, TCP/4433 ManagementPortal, TCP/18181 CVP
!!TCP/18234 VPN Tunnel Test, TCP/18264 Certificate (http://169.254.100.100:18264/ Install Certs, /ICA_CRL0.crl CRL), UDP/259 MEP VPN RDP Probing
!!“Match for Any”: which protocol type (under service advanced properties) will be enforced when a rule matches on port number and Service is Any. Be careful to uncheck it on services like SIP or H323. Avoid having duplicate services.
!!Frame Stages: 1)Rcv if MAC is NIC/bcast/mcast|promiscuous mode 2)HW Interrupt to retrieve from NIC RAM 3)Frame check. “receive socket buffer” 4)RX ring buffer w/ descriptor 5)SW interrupt from main CPU 6)send to registered receivers (SecureXL|INSPECT, tcpdump) 7)SXL (accl path) 8)F2F (FW/Medium path) 9)Policy+NAT 10)Routing on GAIA 11)INSPECT (o->O) 12)SXL out 13)“send socket buffer” 14)TX ring buffer w/ descriptor 15)NIC RAM HW int. 16)Transmit
!!Force clean of all Check Point products from Windows (sk92884): stop Check Point and SNMP services; backup and delete all Check Point folders (Windows\FW1, Program Files, Program Files (x86), Common Files); backup and delete all registry entries HKLM\Software\Wow6432Node\Check Point and search for Check Point
!!IPSO to GAIA: sk94445. First-time Wizard from CLI: sk69701. Jumbo Hotfixes: sk104859, sk106389 (R77.30).
!!Sub-interfaces/Alias IP address/Secondary IP address on Gaia OS with ClusterXL: sk89980, sk31821
!!cpsizeme tool (sk88160) to analyse performance sizing
!!TCP MSS clamping: sk61221, sk101219
clish -c "<command>" !!enter cli cmd from expert mode
>>(lock database override)|(unlock database) !!Acquire|Release config lock [force]
>>show asset all !!HW info


>>show sysenv all !!Temperature and other values
>>show configuration !!list configuration
>>save config !!save configuration. WebUI saves config automatically but CLI doesn’t
>>show uptime|(version all) !!Show uptime|system information
>>set selfpasswd
>>set expert-password plain !!Set expert password
>>expert !!enter expert mode
>>tacacs_enable TACP-15 !!Remote user higher privilege
>>set user admin shell /bin/bash|/etc/cli.sh !!change shell (ex. to allow SCP)
>>ver !!show version
>>cpconfig !!config licenses/admin/…
>>cpinfo|cpconfig|cplic !!Information, config, license
>>cpstart|cpstop|cprestart !!start/stop Check Point services
>>fw !!Gateway control commands
>>fw log -f -n -s <starttime> -e <endtime> -c drop …
>>fw logswitch !!Rotate logs
>>fwm !!Management control commands
>>vpn !!VPN control commands
>>cphaprob|cphastart|cphastop !!High Availability control commands
>>netstat|ping|ping6|traceroute !!Network config/debug
>>top !!Processes running
>>cpstat !!Statistics
>>reboot|halt !!reboot|shutdown
>>start|commit|rollback !!start|commit|cancel transaction
>>set edition [default] [32-bit|64-bit] !!Change system to 32|64 bit (if >4GB RAM, need support 64-bit)
>>set ipv6-state on|off !!Enable/Disable IPv6
>>add command fw6 path /opt/CPsuite-R75.40/fw1/bin/fw6 description "Security gateway IPv6 commands"
>>add command sim6 path /opt/CPppak-R75.40/bin/sim6 description "SecureXL Implementation Module IPv6 commands"
>>set arp table cache-size 1024
>>set arp table validity-timeout 60
>>set web session-timeout 10
>>set web ssl-port 443
>>set web daemon-enable on
>>set date|time
>>show clock|date|time
>>set timezone <timezone>
>>set ntp active on|off
>>set ntp server primary|secondary <ip> version <v>
>>show ntp servers
>>set dns suffix <domain>
>>set domainname <domain>
>>set hostname <name>
>>set|show net-access telnet on|off !!Enable telnet
>>set snmp agent on|off
>>set snmp agent-version any
>>set snmp community public read-only
>>set snmp traps trap <trap> enable|disable
>>set clienv rows <0-70> !!Set terminal paging limit
>>set clienv debug 0
>>set clienv echo-cmd off
>>set clienv output pretty|structured|xml !!Set output format
>>set clienv prompt "%M> "
>>set clienv syntax-check off
>>add|show allowed-client host|network <any-host|ipv4-address …> !!Allowed GUI clients
>>set interface <if> link-speed <speed>
>>set interface <if> state on|off
>>set interface <if> auto-negotiation off
>>set interface <if> ipv4|ipv6-address <ip> mask-length <prefix>
>>set interface eth1 rx-ringsize 1024 !!change RX ring-size (sk42181)
>>add interface Mgmt alias 192.168.1.1/24
>>show interface <if>
>>show configuration interface
>>delete interface Mgmt alias Mgmt:1 !!Adding or removing an interface in ClusterXL HA might cause fail-over: sk57100
/sbin/ip -4 -o addr list dev <if>
>>add arp static ipv4-address <ip> macaddress <mac>
>>delete arp (static ipv4-address <ip>)|(dynamic all)
>>show arp static|dynamic all
>>add arp proxy ipv4-address <publishIP> interface <publishIF> real-ipv4-address <realIP> !!Proxy ARP (sk30197)
>>add arp proxy ipv4-address <publishIP> macaddress <VMAC=00:1c:7f:00:00:fe> real-ipv4-address <realIP> !!When using ClusterXL VMAC
>>delete arp proxy ipv4-address
>>show arp proxy all
>>set static-route (default|<ip/prefix>) nexthop gateway (address <ip>|logical <if>) on|off !!set routes
>>set static-route (default|<ip/prefix>) blackhole|reject !!drop|reject routes


>>set static-route (default|<ip/prefix>) ping on|off
>>show route all
>>set rip update|expire-interval default
>>set rip auto-summary on
>>set password-controls min-password-length 6
>>set password-controls complexity 2
>>set password-controls palindrome-check true
>>set password-controls history-checking true
>>set password-controls history-length 10
>>set password-controls password-expiration never
>>set user <user> shell /etc/cli.sh
>>set user <user> password-plain|hash <pass>
>>set router-id <ip>
>>set inactivity-timeout 10
>>set format date dd-mmm-yyyy
>>set format time 24-hour
>>set format netmask Dotted
>>show sysenv all|fans|ps|temp|volt
>>show volume logs
>>show routed cluster-state detailed !!ClusterXL details incl. Slave to Master transition date
./ccc.sh !!Common Check Point Commands https://community.checkpoint.com/docs/DOC-2214-common-check-point-commands-ccc http://dannyjung.de/ccc_v2.3.gz
./healthcheck.sh !!Health Check on GAIA (sk121447)
!!emergendisk: USB flash to reset the Gaia Admin and Expert passwords. If error “invalid token: primary”, use parted to change the pen from ‘loop’ to ‘msdos’
emergendisk !!sk92663. Check /var/log/emergendisk.log
enabled_blades !!Check enabled Software Blades
lvm_manager !!LVM management
cphaconf cluster_id set 150 !!Change cluster ID on GAIA (magic number before - check when upgrading)
cphaconf cluster_id get !!Get value. Also $FW_BOOT_DIR/ha_boot.conf
dbget sysEnv:temp !!Get temperature sensors status
dbget sysEnv:fans
add snmp custom-trap temperatureSensorValue_Any oid .1.3.6.1.4.1.2620.1.6.7.8.1.1.3 operator Greater_Than threshold 86 frequency 2 message "Sensor is over temperature!" !!SNMP trap
cat /web/templates/httpd-ssl.conf.templ !!Check SSLCipherSuite (sk93395)
cpopenssl ciphers -v 'HIGH:!RC4:!LOW:!EXP:!aNULL:!SSLv2:!MD5' !!Test allowed cipher suite for WebUI
cpopenssl pkcs12 -in /tmp/servcert.p12 -passin pass: -nokeys !!Check certificate
cpopenssl pkcs12 -in /tmp/servcert.p12 -nokeys -clcerts -passin pass: 2>/dev/null | cpopenssl x509 -text -noout 2>/dev/null | grep "Public-Key"
tellpm process:httpd2; tellpm process:httpd2 t !!Restart HTTPd daemon
pro enable|disable !!SPLAT PRO features (dynamic route, radius, ...). Then reboot. Needs license
cpconfig !!Licenses, GUI clients, CA, SecureXL, …
clish !!go to CLI mode
clish> shell !!go to shell mode
more $FWDIR/conf/masters !!Which Smartcenter (SCS) allowed
more $FWDIR/gui !!GUI clients
$FWDIR/conf/initial_module.pf !!Initial Policy of the firewall
HKLM\Software\Check Point\Management Clients\5.3\Connection\Known Servers !!Windows: list of SCS allowed
more $FWDIR/conf/gui-clients !!Which GUI clients allowed
/config/db/initial !!IPSO config
cat /var/etc/.nvram | dmidecode | egrep -i "serial|product" !!Serial Number, IPSO/SPLAT/GAIA
dmidecode -t processor | grep -i "speed" !!Check CPU speed
dmidecode -t cache !!L1/L2/L3 cache info
dmiparse [System Product] !!sk37692
uname -a
clish show asset hardware !!IPSO HW information
clish show fru
ipsctl hw:eeprom:serial_number | hw:eeprom:product_id !!product ID, IPSO version
ipsctl -a !!IPSO kernel information
ipsctl -a kern:diskless !!also if /preserve dir exists
ipsctl -a | grep CF !!Boot Manager location: hw:disk:ad:0 (ad0)
ipsctl -a | grep serial
ipsctl -a ifphys
ipsctl -a ifphys | grep error | grep -v '= 0' !!Show errors (combine with 'watch' if needed)
ipsctl -a ifphys:eth-s4p1:errors | more
ipsctl -a ifphys:eth-s1p1 | grep error
ipsctl -a | grep speed
/etc/sysconfig/netconf.C !!Network config
/etc/sysconfig/network.C
/etc/sysconfig/ethtab
sysconfig !!Network, DHCP, DNS, Date config
echo <user> > /etc/scpusers !!Allow file transfer. WinSCP: disable Connection>Optimize buffer size
chsh -s /bin/bash admin !!change to bash. Useful for file transfer
chsh -s /bin/cpshell admin !!return to more secure shell
chsh -s /etc/cli.sh admin !!on GAIA


cplic print -x|-p|check|get|put|del|… !!License management
cplic check MGMTHA !!Check HA license validity
threshold_config !!advanced SNMP config
!!ICA Tshoot: backup and retrieve defaultDatabase/log_actions.C, log_fields.C, log_filed_server_types.C
cpca_client lscert [-kind SIC|IKE|…]
cpca_client set_mgmt_tool print !!List ICA settings
cpca_client set_mgmt_tool off | on [-no_ssl] [-a "adminDN"|-u "userDN"] !!Disable|Enable ICA mgmt (TCP/18265)
cp $CPDIR/conf/sic_cert.p12 $CPDIR/conf/sic_cert.p12_BACKUP; cd $CPDIR; sicRenew -d; cpstop; mv $CPDIR/conf/new_sic_cert.p12 $CPDIR/conf/sic_cert.p12; cpstart !!Renew SIC certificate
!!Example: CN=ICA_Tool_User,OU=users,O=MGMT..ecuekf. Certificates at /var/opt/CPsuite-Rxx/fw1/conf/crls/
cpca_client revoke_cert -n "CN=Security_Gateway_Object_Name" !!Use when SIC error “A certificate with this name already exists” (sk41962)
cpstart|cpstop|cprestart !!start|stop|restart CHK processes excl. cprid
fw unloadlocal; echo 1 > /proc/sys/net/ipv4/ip_forward !!Unload Security Policy and keep forwarding
$CPDIR/bin/cprid_util -server <FW> -verbose rexec -rcmd /bin/clish -s -c 'set user admin password-hash <hash from grub-md5-crypt>' !!sk106490
ipsofwd on admin !!Allow routing
ipsofwd list !!check IP forward status
fwstart|fwstop !!start|stop fwd, fwm, snmpd, in.httpd, …
drouter stop|start !!routing process
tellpm process:routed t !!starts routing process. Survives reboot
tellpm process:routed !!stops routing process. Survives reboot
vpn drv off|on !!VPN driver
ntpstop|ntpstart
cppkg [add|delete|get|…] !!Product repository
cprinstall [install|stop|boot|cpstart|cpstop|upgrade|verify|…] !!Remote installation
cpstat fw -o 1 !!FW stats
cpstat mg !!Smartcenter status and connected clients
cpstat blades !!Gateway Top Rule Hits and other
cpstat -f [cpu|multi_cpu] os -o <s> -c <count> !!CPU stats every s sec
cpstat -f perf os
cpstat -f memory os
cpstat -f all fw !!Product, policy and status info
cpstat -f all ha !!HA stat
cpstat -f ifconfig os !!ip/mac/mtu/description
cpstat -f routing os
cpstat -f sensors os
cpstat -f power_supply
nmon
ps auxwf
vmstat 2 5 | awk '{now=strftime("%Y-%m-%d %T "); print now $0}'
/opt/CPsuite-R75.40/fw1/bin/disconnect_client !!Disconnect clients (extra app, avoid use)
cpinfo !!CHK applications status
set http_proxy=http://<proxy>:8000 && cp_uploader.exe -u <usercenterMail> -s <SR> <cpinfo>.gz <otherfile> …
cp_conf snmp get !!Check snmp extensions status
cp_conf [sic|admin|ca|lic|client|ca|auto|…] !!Reconfigure CHK
cp_conf sic init <activation key> [no restart] | state !!SIC reset|verify. sk65764
cp_conf sic init <new SIC key> norestart !!Reset SIC without restarting Firewall services. sk86521
cpwd_admin stop -name CPD -path "$CPDIR/bin/cpd_admin" -command "cpd_admin stop" !!After new SIC key
cpwd_admin start -name CPD -path "$CPDIR/bin/cpd" -command "cpd" !!restart CPD and reset key on SmartCenter Firewall object
cpwd_admin list|monitor_list|exist|kill|config !!Watchdog process
cpwd_admin stop -name STPR !!Example stop
cpwd_admin start -name STPR -path "$FWDIR/bin/status_proxy" -command "status_proxy" !!Example start
cp_admin_convert !!Export admin definitions
dbedit -s <ip>|-local -u <admin> -p <pass> -f script.txt !!edit objects file (close GUI before)
dbedit> modify properties firewall_properties undo_msg true !!remove Security Servers banners
dbedit> update properties firewall_properties !!apply change
dbedit> update_all | quit -no_update !!save changes (|don’t)
dbver create|export|import|print|print_all !!export|import different revisions of DB
patch add cd !!upgrade Check Point version (also ./UnixInstallScript)
newimage | newpkg !!upgrade IPSO OS | Check Point packages
dbget -v dynamic:pkgadd
rtmstart|rtmstop|(rtm debug|monitor|stat|ver) !!SmartView Monitor set of cmds
scc (dis)connect|(re)startsc|stopsc|status|listprofiles|numprofiles|… !!SecureClient set of cmds
!!http://todorovicmarko.blogspot.sk/2013/12/troubleshootclasterxlcp.html
clusterXL_admin down|up !!Manage cluster: use when changing interfaces sk57100
$FWDIR/conf/discntd.if !!Disconnected interfaces. Not needed on R77.20 and above
cp_conf ha enable/disable [norestart] !!Enable/Disable HA
cphaconf|cphastart|cphastop !!ClusterXL cmds
cphaconf set_ccp multicast|broadcast !!Use on Zero Downtime upgrade. Use with Nexus switches (sk109842)
$FW_BOOT_DIR/ha_boot.conf !!Verify CCP setting
fw ctl set fwha_enable_igmp_snooping 1 !!Enable IGMP snooping
cphaprob state|tablestat|syncstat|fcustat|ldstat !!HA states
cphaprob -a if !!shows also CCP status (multicast/broadcast) and VMAC (sk50840)
cphaprob -ia list


cphaprob -d forcefail -t 0 -s ok register|unregister !!Failover (dummy device). Alternative to priority change
cphaprob -d forcefail -s problem report !!Failover enabled (by reporting problem)
cphacu start <Sync IP of Active_GW> <Member ID of Active_GW> !!Manual sync from secondary GW (fwaccel off before)
tcpdump -nepi <sync-if> -x -s 0 port 8116 2> /dev/null | ccp_analyzer -g -c !!Read sync information between cluster members
fw ctl set int fwha_vmac_global_param_enabled 1 !!VMAC on FW (also enable on cluster object)
$FWDIR/boot/modules/fwkern.conf: fwha_vmac_global_param_enabled=1 !!VMAC permanent change
patch|reboot|shutdown|ver|diag|log|top|… !!System cmds
!!Backups (sk105385, sk54100). Compare: snapshot (~3GB), backup (~400MB), upgrade_export (~100MB), cp_merge+objects (~10MB), DBrev (~25KB). GAIA: sk91400, sk108902
snapshot|revert !!Snapshot at /var/CPsnapshot/snapshots. 20min, stops services
(backup|restore) -f <filename> !!Backup at /var/CPbackup/backups. 10min, might stop services
cd $FWDIR/bin/upgrade_tools; upgrade_export|upgrade_import </var/tmp/file> !!on SCS - need GUI closed (cpstat mg)
cp_merge [(list|export|import|delete)_policy|…] !!Export/import policy packages
cd <dstdir>; cp_merge export_policy -s localhost; cp $FWDIR/conf/objects*.C <dstdir> !!Export policy and objects
cp_merge merge_objects !!Merges (imports) objects_5_0.C to SmartCenter. Doesn't overwrite existing
cp_merge import_policy -s localhost -u <user> -p <pass> -f policy.pol -n policy_name !!Imports policy
!!Manual NAT ARP (proxy arp): Voyager/GAIA WebUI with "IP MAC" + "Merge manual proxy ARP configuration" + Policy Push (check local.arp)
!!Static NAT has priority over Hide NAT and node NAT over net/range NAT. Default inspection at inbound
arping -c 4 -A -I eth1 10.1.1.1 !!arping (send gratuitous ARP) sk92483
arping <ip> !!test arp in local LAN
arping -I eth0 10.1.1.1
arping -s <srcIP> 10.1.1.1
addarp|delarp <ip> <MAC> !!Add/Remove static ARP (survives a reboot)
arp -an !!list ARP entries
dbget ip:arp:cache_size !!Check ARP cache (sk43772 - kernel: neighbour table overflow)
cat /proc/sys/net/ipv4/neigh/default/gc_thresh[1|2|3] !!Verify ARP cache garbage collector thresholds
sysctl -w net.ipv4.neigh.default.gc_thresh1=256 !!Example to change threshold
ping|traceroute !!Network diag cmds
tcptraceroute [-T -U -I] -p <port> <ip>
/opt/CPPinj-R77/pinj --sport 59999 --dport 80 --protocol udp 10.3.2.1 10.1.2.3 !!Packet Injector Test tool (sk110865)
config conn add type vlan local <ip/p> vlan-tag <vlan> dev <phy-int> !!Create sub-interface with vlan
cat
route (add|del) (-net|-host) 10.10.10.0 netmask 255.255.255.0 gw 10.11.12.13
dbget -rv routed !!List routes even if not active
arp|hosts|ifconfig|vconfig|route|hostname|domainname|dns|webui|router|… !!Network config cmds
adduser|deluser|showusers|(lockout enable|disable|show)|unlockuser|checkuserlock !!User config cmds
router|cligated !!Router shell
/bin/expert_passwd !!Expert (use passwd for users)
fw fetch <SCS-server> !!Get (pull) Security Policy
set config-lock on override !!get config lock from clish
set config-lock off !!release config-lock
fw ctl conn -a !!Full Connectivity Upgrade - check products installed
fw ctl (un)install !!(stop)start intercepting packets
!!http://todorovicmarko.blogspot.sk/2013/11/troubleshootmemmorycp.html
fw ctl pstat -h|-s|-k|-c !!System resource/capacity stats, incl. aggressive aging
fw ctl chain !!show in/out chain order
fw ctl arp -n !!Shows arp table (proxy arp)
fw ctl ip_forwarding !!Control IP forwarding
fw ctl iflist !!List interfaces
fw ctl setsync start/off !!Enable/Disable cluster sync
fw ctl|expdate|kill|log|lslogs|sam|stat|ver !!controls several aspects of FW
fw ctl zdebug drop | grep <ip> !!TSHOOT Show dropped packets in realtime
fw ctl zdebug log dynlog
top !!1 for per CPU, shift W to save
uptime; cat /proc/cpuinfo; cphaprob state; fw ctl pstat; cpstat os -f perf; fw ctl multik stat; fw ctl affinity -l -r -v; cat /proc/interrupts; fwaccel stat; fwaccel stats; fwaccel stats -s
!!Global checks before/after changes
netstat -ni; ethtool -S eth0 | egrep 'errors|no_buffer' !!Check interface errors
fwaccel off; fw ctl debug 0; fw ctl debug -buf 32000; fw ctl debug -m fw + drop conn vm !!Reset and start traffic debug+capture example
fw ctl kdebug -T -f > fw.ctl !!First shell
fw monitor -e "accept;" -o fwmon.out !!Second shell
tcpdump -vvveeennni any -s0 -w tcpdump.pcap !!Third shell. Replicate issue and then stop kernel debug, fw monitor, tcpdump
fw ctl debug 0; fwaccel on !!Traffic debug+capture end procedure
fw ctl debug 0 !!Reset debug config to default
fw ctl debug -buf 32768 !!Debug buffer size
fw ctl debug -m fw + conn vpn drop nat link !!Enable debug example (check $FWDIR/log/fwd.elg)
fw ctl debug -m fw + nat xlate xltrc conn drop vm !!NAT debug
fw ctl debug -m VPN all !!VPN debug (on kernel)
fw ctl debug -m cluster + pnote stat if !!Cluster debug
fw ctl kdebug -T -f > fw.ctl !!Debug configuration
fw -d ctl affinity -corelicnum !!Show licensed CPU cores (also cplic print CPSG-C-<n>-U)
fw ctl multik stat !!CoreXL CPU multicore affinity stat. Set cores on cpconfig
fw ctl multik set_mode 9 !!CoreXL Dynamic Dispatcher (sk105261) and reboot (fix sk105724)
fw ctl multik get_mode !!Use to check also CoreXL Dynamic Dispatcher


fw ctl set int fwmultik_hash_use_dport 1 !!Use src+dst+dport hash for CoreXL FW worker distribution (sk96068)
echo 1 > /proc/cpkstats/fw_worker_<n>_stats !!Enable worker stats (at /proc/cpkstats/fw_worker_<n>_stats)
cat /proc/interrupts !!Interface IRQs processing
!!SSL Multicore support (R77.20 and above): sk101223
cpmq get -a !!Check Multi Queue (only for igb/ixgbe interfaces)
ls -1 /sys/class/net | grep -v ^lo | xargs -i ethtool -i {} !!Check for igb/ixgbe interfaces (driver per interface)
fw ctl affinity -l -r -a -v !!sk33250
sh $FWDIR/scripts/fwaffinity_apply -f !!apply affinity after editing $FWDIR/conf/fwaffinity.conf. Put at /etc/rc.d/rc.local (sk105724)
sim affinity -l !!$FWDIR/conf/fwaffinity.conf: i default auto
sim affinity -s !!change settings manually for SecureXL (-a automatically)
fw ctl affinity -s -k 1 4 !!kernel instance #1 to run on core #4
fw ctl affinity -s -n vpnd 3 !!vpnd process to run on core #3
fw ctl affinity -s -i eth3 1 !!interface eth3 to run on core #1
fw ctl get|set int <flag> <value> !!Kernel params. Recommended values below:
fw ctl get int fwha_cul_mechanism_enable 1
fw ctl get int fwha_cul_member_cpu_load_limit 80
fw ctl get int fwha_cul_member_long_timeout 1800
fw ctl get int fwha_cul_cluster_short_timeout 100
fw ctl get int fwha_cul_cluster_log_delay_millisec 2000
fw ctl get int fwha_cul_policy_freeze_timeout_millisec 30000
fw ctl get int fwha_cul_policy_freeze_event_timeout_millisec 15000
fw ctl get int fwha_dead_timeout_multiplier 3
fw ctl get int fwha_freeze_state_machine_timeout 30
fw ctl get int fwha_monitor_if_link_state 1
fw ctl get int fwha_if_connectivity_tolerance 3
fw ctl get int fwha_recovery_delay_timeout !!Output of 'cphaprob -ia list' Critical Device 'Recovery Delay'
fw ctl get int cphwd_nat_templates_support !!set 1 to enable
fw ctl get int cphwd_nat_templates_enabled !!set 1 to enable
fw ctl get int fwha_forw_packet_to_not_active 0|1 !!change to allow ping to standby, for example
fw ctl get int fwha_mac_magic 254 !!Change magic number (ex 57) if more clusters in same vlan
fw ctl get int fwha_mac_forward_magic 253 !!Change magic number (ex 56) if more clusters in same vlan
fw ctl set int fwha_mac_forward_magic 56
fw ctl set int fwha_mac_magic 57
echo fwha_mac_forward_magic=56 >> $FWDIR/boot/modules/fwkern.conf !!Lost on upgrades
echo fwha_mac_magic=57 >> $FWDIR/boot/modules/fwkern.conf
!!sk31499 - Check ClusterXL multicast addresses: fw ctl zdebug -m cluster + conf > /var/log/data.txt & cphaconf debug_data; fg; <CTRL+C>; less /var/log/data.txt
fw ctl set int fw_rst_expired_conn 1 !!Enable sending TCP RST when TCP conn expires. For permanent: edit objects_5_0.C via GUIDbedit/dbedit
fw ctl set int fwconn_tcp_state_logging X !!TCP state logging (sk101221)
fw ctl set int fw_antispoofing_enabled 0; sim feature anti_spoofing off; fwaccel off; fwaccel on !!Disable Antispoofing on the fly
fw ctl set int fw_antispoofing_enabled 1; sim feature anti_spoofing on; fwaccel off; fwaccel on !!Re-enable
modinfo -p $PPKDIR/boot/modules/simmod.2.6.*.o | sort -u | grep _type | awk 'BEGIN {FS=":"} ; {print $1}' !!on IPSO
$FWDIR/boot/modules/fwkern.conf !!set permanent kernel values (SPLAT, GAIA)
dbset advanced:loader [t] !!enable/disable Configuration>Tools>Firewall Kernel Tuning (Voyager-IPSO)
dbsave !!save dbset
/opt/CPsuite-R77/fw1/lib/table.def !!Set services not hidden by VIP. Do on SCS. Push policy after (sk31832). Overwritten on upgrades
no_hide_services_ports = { <4500,17>, <500, 17>, <259, 17>, <1701, 17>, <5500, 17>, <68,17>, <67,17>, <49,6> };
$FWDIR/boot/modules/fwkern.conf !!Allow packets to be forwarded to standby unit
fwha_forw_packet_to_not_active=1
!!i (pre-inbound), I (post-inbound), o (pre-outbound), O (post-outbound).
!!ip_p, flag, icmp type (see packet diagrams). Macros: $FWDIR/lib/tcpip.def and $FWDIR/lib/fwmonitor.def
fw monitor -T -ci|-co <count> -l <len> -x <b-start>,<b-end> -pi|-po <chain-pos> -e "<name>={<net-start, net-end>}; accept not (ip_p=<prot> src|dst=<ip> or netof src=<net> or <net> in <name> and sport|dport <|>|= <port> and ip_len=<len> and th_flags=<flag> or icmp_type=<n>);" -o <capture.cap>
fw monitor -T -e "net1={<1.1.1.1,1.1.1.3>}; net2={<1.1.2.1,1.1.2.3>}; accept (src in net1 and dst in net2);"
fw monitor -T -m iIoO -e "accept from_net(1.1.0.0,16) or to_net(1.1.0.0,16);" -o capture.txt
fw monitor -T -e "bad_ports=static {22,25,443}; accept dport in bad_ports;"
fw monitor -T -e "accept ip_p=112;" !!capture VRRP protocol
fw monitor -T -e "accept port(500) or port(4500);" !!capture VPN IPsec
fw monitor -T -p [all|iIoO] -e "..." !!show chain position
!!Ginspect: http://decock.org/ginspect/
!!F=Fwd (not XL), U=Unidir (reverse is F2F), N=NAT, A=Account, C=Encrypt, W=Wire, P=Partial, S=Stream, D=Drop, L=Log drop
sim if !!check accelerated interfaces
sim nonaccel -s|-c ethX; fwaccel off; fwaccel on !!Disable|Enable acceleration on interface
cpview [-p] !!Performance + Statistical Data (sk101878). Disable SecureCRT "Highlight keywords"
cpview -b -t 299 -i 288 -j !!24 hour batch statistics (-s to stop). Log at /var/log/cpview
cpview history on | off | stat !!check if history enabled
!!SecureXL Templates: connections grouped by service. Disabled for FTP, SYN Defender, VPNs, ISN Spoofing, UDP w/src_port (sk32578)
fwaccel on | off | stat | conns (-s|-m <n>) | stats (-s) !!enable|disable|stats|connections SecureXL / Performance Pack
fwaccel templates [-s] !!list templates (-help for flag description)
watch -d -n1 fwaccel stats -p !!Check SXL F2F reasons and rates
fwaccel dbg -m <module> <flag> !!debug SecureXL (-help for modules list)
fw tab -t cphwd_db -s !!SecureXL number of connections
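The cheat sheet persists kernel parameters by appending `name=value` lines to `$FWDIR/boot/modules/fwkern.conf` (the `echo ... >>` lines above and the `fwha_forw_packet_to_not_active=1` entry), which leaves two conflicting definitions of the same parameter if the command is run twice, and the page itself notes the file is lost on upgrades. As an added example, not part of the original compilation, this POSIX shell helper sets a parameter idempotently, reads it back, and prints the matching `fw ctl set int` runtime command so the live value and the boot value stay in step. The demo writes to a temporary file; on a gateway the target would be `$FWDIR/boot/modules/fwkern.conf`. The one-`name=value`-per-line layout is an assumption, taken from what the page's own `echo` lines produce.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): idempotent editing of a
# fwkern.conf-style file that holds one "name=value" per line.
# Assumption: that layout is the only one present (comment lines starting with
# "#" are passed through untouched). On a gateway FILE would be
# $FWDIR/boot/modules/fwkern.conf; the demo below uses a temp file instead.

# set_kernel_param FILE NAME VALUE
# Replaces an existing NAME=... line in place or appends NAME=VALUE, so running
# it twice never leaves two conflicting definitions of the same parameter.
set_kernel_param() {
    file=$1; name=$2; value=$3
    [ -f "$file" ] || : > "$file"
    if grep -q "^${name}=" "$file"; then
        tmp="${file}.tmp.$$"
        awk -v n="$name" -v v="$value" -F= '$1 == n { $0 = n "=" v } { print }' \
            "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s=%s\n' "$name" "$value" >> "$file"
    fi
}

# get_kernel_param FILE NAME -> prints the persisted value (empty if unset)
get_kernel_param() {
    awk -v n="$2" -F= '$1 == n { print substr($0, length(n) + 2) }' "$1"
}

# count_param FILE NAME -> how many lines define NAME (1 means no duplicates)
count_param() {
    grep -c "^${2}=" "$1" || true
}

# runtime_cmds FILE -> prints, without executing, the "fw ctl set int" command
# that applies each persisted value to the running kernel (the cheat sheet pairs
# the two: "fw ctl set int" now, fwkern.conf for after a reboot or upgrade).
runtime_cmds() {
    awk -F= '/^[A-Za-z_][A-Za-z0-9_]*=/ {
        print "fw ctl set int " $1 " " substr($0, length($1) + 2) }' "$1"
}

# Demo on a temporary file: the cluster MAC magic values the cheat sheet
# recommends when several clusters share a VLAN, then a corrected value.
demo_file="${TMPDIR:-/tmp}/fwkern_demo.$$"
set_kernel_param "$demo_file" fwha_mac_magic 57
set_kernel_param "$demo_file" fwha_mac_forward_magic 56
set_kernel_param "$demo_file" fwha_mac_magic 58   # second call updates, no duplicate
runtime_cmds "$demo_file"
rm -f "$demo_file"
```

After an upgrade, re-running `set_kernel_param` for each value and then executing the lines `runtime_cmds` prints restores both the persisted and the live settings; `count_param` returning anything other than 1 is a quick check that the file has not accumulated duplicates.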


sim dropcfg -l !!List drop templates
sim nonaccel -s <if>; fwaccel stop; fwaccel start !!Disable SecureXL on specific interface. Add to /etc/rc.local to be permanent
sim vpn on|off !!Enables|Disables accelerating VPN traffic
ips off|on !!Disable|Enable IPS. Check SXL effect: watch -d -n1 fwaccel stats -s
sim dbg -m vpn all !!SecureXL VPN debug
sim dbg -f <src>,<sport=*>,<dst>,<dport=*>,<prot=6> !!SecureXL debug filter
sim dbg list !!Verify filter
sim dbg -m pkt + pxl + f2f; sleep 15; sim dbg resetall !!Start, debug for 15 seconds and stop
!!SecureXL NAT Template: cphwd_nat_templates_enabled=1 and cphwd_nat_templates_support=1 in $FWDIR/boot/modules/fwkern.conf
!!fwaccel shows 2 lines (each way) per connection. -help for flag description. Top 20 connections:
fwaccel conns | tail +3 | sed -e '/^$/,$d' | awk '{printf "%-16s %-15s\n", $1,$3}' | sort | uniq -c | sort -n -r | head -n 20
./top-talkers !!http://expert-mode.blogspot.com/2013/05/Check Point-top-talkers-script-display.html
sim erdos <options> !!SecureXL "Penalty Box" sk74520. Useful to drop DoS
!!fw samp (DoS mitigation) d|n|b|l = drop|notify|bypass|log. -l r = regular logging. Key = source|destination|service. rate per second
!!flush true (through Suspicious Activity Monitoring policy DB)
!!Service: 1 (ICMP), 50-51 (IPSec), 6/443 (TCP/HTTPS), 17/53 (UDP/DNS), …
fw samp add -a d|n|b [-l r] [-t TIMEOUT] [-n NAME] [-c COMMENT] quota <key value> … !!by default only enforced on external if
fw samp add -a b -l r -n LimitRate quota source range:1.1.1.1-1.1.1.3 destination cidr:2.2.2.2/32 service 1,50-51,6/443,17/53 new-conn-rate 100 track source flush true
sim_dos ctl -x 0 !!Enforce on all interfaces (not just external)
sim_dos -m 1|0 !!Enforce as monitor only|full
fw samp get !!Status of rule
cat /proc/ppk/dos !!Status of enforcement
!!CPMonitor (traffic analysis): sk103212. tcpdump -i {<if>|any} -w /var/log/capture.cap; ./cpmonitor [-f|-n] /var/log/capture.cap
fw tab -u > tables.txt !!Extract all the tables
fw tab [-t <table>] -s !!Summary of all (specific) tables
fw tab -f -u -t <table> !!Show formatted and all entries of a table
fw tab -t sam_blocked_ips !!Show IPs blocked via SmartTracker
fw tab -t connections -u > conn.txt !!Then connStat.exe -f conn.txt -a (sk85780) (also CPMonitor sk103212)
fw tab -t connections -f -m <n> !!Show <n> connections in readable format
fw tab -t connections -s !!Concurrent connections. Check capacity optimization
fw tab -t connections -s -i <core> !!Connections per core (CoreXL)
fw tab -t connections | head -n 3 | grep limit !!Check limit (also with fw ctl pstat)
fw tab -t connections -f -u | grep … !!Connection details
fw tab -t connections -u -f | awk -F";" '/Rule/ {source[$3]++} ; END { for (name in source) print source[name], name }' | sort -nr | head -20
fw tab -t connections -u -f | awk -F";" '/Rule/ {dest[$5]++} ; END { for (name in dest) print dest[name], name }' | sort -nr | head -20
fw tab -t connections -x !!Clears all connections (use with care)
fw tab -t fwx_alloc [-s -f] !!Show NAT allocations
fw tab -t fwx_cache -s !!Status of NAT cache (sk21834)
fw tab -s -t string_dictionary_table
fw tab -f -u -t peers_count !!VPN: shows active VPN peers
fw tab -f -u -t vpn_enc_domain_valid !!IPsec local encryption domain
fw tab -f -u -t sr_enc_domain_valid !!Remote encryption domain
fw tab -f -u -t inbound_SPI !!SPI database of established VPN tunnels
fw tab -f -u -t IKE_peers !!active VPN peers with IKE phase up
fw tab -f -u -t IKE_SA_table !!List table of Security Associations
fw tab -f -u -t natt_port !!NAT traversal port
!!Link Selection: probe availability of links, distribute VPN traffic (Load Sharing), use links based on services, set up links for Remote Access
!!VTIs: numbered - SPLAT Pro, assigned local IP, can share IPs, cannot use existing <if> IP, each member unique srcIP, unique <if> IP, Cluster IPs required, same VTI name for same remote peer. Unnumbered: GAIA, must be assigned to a proxy <if>, VTI local & remote not configured. Office mode: SecureClient, L2TP, SSL Network Extender
$FWDIR/conf/vpn_route.conf !!VPN routing
vpn ver|… !!VPN set of cmds
vpn tu|tunnelutil !!List and delete SA with peers
vpn compstat !!VPN compression statistics
vpn overlap_encdom communities !!Check overlapping encryption domains
vpn crl_zap !!Erase all CRLs
vpn shell /show/tunnels/ike/all|peer/<remote peer> !!Show VPN IKE SA
vpn shell /show/tunnels/ipsec/all|peer/<remote peer> !!Show VPN Phase 2 SA
vpn shell /tunnels/delete/ike/peer/<remote peer>|all !!Delete VPN IKE SA
vpn shell /tunnels/delete/ipsec/peer/<remote peer>|all !!Delete VPN Phase 2 SA
vpn shell show interface detailed <vti> !!VPN Tunnel Interface config. Use of VTI disables CoreXL
vpn shell interface add numbered 10.10.0.1 10.10.0.2 GW_A_to_B !!Route-based VPN. Domain-based takes precedence: need empty Domain group
vpn debug on TDERROR_ALL_ALL=5 !!vpn debug to $FWDIR/log/vpnd.elg
vpn debug ikeon !!vpn ike debug to $FWDIR/log/ike.elg. Open with IKEView
vpn debug trunc !!both vpnd.elg and ike.elg debug
vpn debug mon !!ike traffic unencrypted to ikemonitor.snoop
vpn debug off; vpn debug ikeoff; vpn debug moff; fw ctl debug 0 !!Other debug off
$FWDIR/lib/user.def !!To change "IKE_largest_possible_subnet" to "false" (avoid supernet)
!!http://pingtool.org/downloads/IKEView.exe Application to open ike.elg, or get it at sk30994
!!$FWDIR/log/fw.log and fw.vlog (current connections), fw.adtlog (audit admin)
fw log -pln fw.log | grep --line-buffered -v ^$ | logger -p local0.crit -t fw1log !!Typical Tracker format
fw log -f -t -n | grep <ip>
fw log -f -t -s <start> -e <end> -b <start> <end> !!Retrieve logs between times
!!Rule Use in $FWDIR/log
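The two `fw tab -t connections -u -f | awk ...` pipelines above rank connections by source (`$3`) and by destination (`$5`) with the same awk logic typed twice. As an added example, not part of the original compilation, this POSIX shell version parameterises the field number so any column of the dump can be ranked, and strips the `Label:` prefix so the counts group by the bare address. The sample dump is constructed, not real `fw tab` output: its semicolon-separated `Label: value` layout with the source in field 3 and the destination in field 5 is an assumption chosen to match the field numbers the cheat sheet's awk uses, and a real dump would be fed in as `fw tab -t connections -u -f | top_conn_field 3 20`.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): generalised top-talker
# ranking over a formatted "fw tab -t connections -u -f" dump.
# Assumption: entries are ";"-separated "Label: value" fields, source in field
# 3, destination in field 5, and real entries carry a "Rule" field (table
# headers do not). The sample below is constructed to that layout.

# top_conn_field FIELD N
# Reads the dump on stdin, keeps only lines with a Rule reference, strips the
# "Label: " prefix of field FIELD and prints the N busiest values as "count value".
top_conn_field() {
    awk -F';' -v f="$1" '
        /Rule/ {
            v = $f
            sub(/^ *[A-Za-z]+: */, "", v)   # " Source: 10.1.1.5" -> "10.1.1.5"
            c[v]++
        }
        END { for (k in c) print c[k], k }' |
    sort -nr | head -n "$2"
}

# Wrappers matching the two cheat-sheet pipelines (default top 20).
top_sources()      { top_conn_field 3 "${1:-20}"; }
top_destinations() { top_conn_field 5 "${1:-20}"; }

# Constructed sample dump (values are made up; first line mimics a header).
CONN_SAMPLE='localhost:
Date: Jan 10 10:00:01; Time: 10:00:01; Source: 10.1.1.5; SPort: 51000; Dest: 10.2.2.9; DPort: 443; Protocol: tcp; Rule: 7
Date: Jan 10 10:00:02; Time: 10:00:02; Source: 10.1.1.5; SPort: 51001; Dest: 10.2.2.9; DPort: 443; Protocol: tcp; Rule: 7
Date: Jan 10 10:00:03; Time: 10:00:03; Source: 10.1.1.7; SPort: 40000; Dest: 10.2.2.9; DPort: 53; Protocol: udp; Rule: 12
Date: Jan 10 10:00:04; Time: 10:00:04; Source: 10.1.1.5; SPort: 51002; Dest: 10.3.3.1; DPort: 80; Protocol: tcp; Rule: 9
Date: Jan 10 10:00:05; Time: 10:00:05; Source: 10.1.1.7; SPort: 40001; Dest: 10.2.2.9; DPort: 53; Protocol: udp; Rule: 12'

printf '%s\n' "$CONN_SAMPLE" | top_sources 20
printf '%s\n' "$CONN_SAMPLE" | top_destinations 20
printf '%s\n' "$CONN_SAMPLE" | top_conn_field 7 20   # by protocol
```

Ranking by field 7 (protocol) or by the destination port column is the quick way to see whether a connection-table spike is one talker or one service, which decides whether `fw samp` rate limiting or a rule change is the right response.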


nohup fw log -pln -m raw file.log | sed -r 's/.*rule_uid: (\S+);.*/\1/' | egrep -v -E '^$' > output.txt; grep { output.txt | sort | uniq -c >> list.txt
fw hastat !!Shows Cluster statistics
fw lichosts !!Display protected hosts
fw lslogs !!Display remote machine log-file list
fw printlic -p !!Print current Firewall modules
fw stat -l|-s !!Long|short info of Policy installed and interface that sees traffic
fw ver -k !!Returns version, patch info and kernel info
fw getifs !!summary of IP addresses per interface
fwm verify <policy> !!Verify Security Policy
fwm gen <policy> > output.txt !!Verify Security Policy
fwm load <options> <policy> <target> !!Install/Push Security Policy (fwm load -h for options)
fwm unload <target> !!Unload policy
fwm dbexport|dbimport|dbload|hastat|lock_admin|logexport|ver !!Manages Management GW
fwm -a !!Reset admin passwd
fwm logexport -n -p -i file.log | cut -d\; -f12,13 | egrep -v -E '^$' | sort -n | uniq -c | sort
$FWDIR/scripts/get_ips_statistics.sh <FW_IP> <sec> !!IPS statistics (ips stats)
ips stat
push_cert -s <SCSserver> -u admin -p pw -o <gw> -k <SICkey> !!establish SIC
!!Force Reset: remove InternalCA.* ICA.*. Remove objects_5_0.C sic_name and InternalCA.
cpstop; fwm sic_reset; rm applications.C* CPMILinksMgr.db*; cpconfig; cpstart !!ICA/ + SIC reset to all FW
!!Clear server cache sk100507:
cpstop; mkdir -v /var/log/GUI_cache_bkp; mv $FWDIR/conf/applications.C* $FWDIR/conf/CPMILinksMgr.db* /var/log/GUI_cache_bkp/; cpstart
C:\Program Files (x86)\Check Point\SmartConsole\R7x.xx\PROGRAM\data\CPMICache\<machine name> !!Clear client cache
cpstop; cd $FWDIR/conf; mv mgha/* /var/tmp/; cpstart !!Clear MGMT HA data
cpd_admin debug on TDERROR_ALL_ALL=5 !!CPD debug on, to $CPDIR/log/cpd.elg
cpd_admin debug off TDERROR_ALL_ALL=1 !!CPD debug off
fw debug fwm on TDERROR_ALL_ALL=5 !!FWM debug on, to $FWDIR/log/fwm.elg
fw debug fwm off TDERROR_ALL_ALL=1 !!FWM debug off
fw debug fwd on TDERROR_ALL_ALL=5 !!FWD debug on, to $FWDIR/log/fwd.elg
fw debug fwd off TDERROR_ALL_ALL=1 !!FWD debug off
fw debug fwm on OPSEC_DEBUG_LEVEL=9 !!OPSEC LEA debug
fw debug fwm off OPSEC_DEBUG_LEVEL=0 !!OPSEC LEA off
less -M $CPDIR/registry/HKLM_registry.data !!Check HotFixes installed (look up /HotFixes)
cpvinfo $DADIR/bin/DAService | grep -E "Build|Minor" !!CPUSE Deployment Agent version
>>installer import ftp|local|cloud... !!GAIA CPUSE Install Jumbo HotFix
>>show installer installed_packages|available_packages|available_local_packages|package_status
cpinfo -y all !!list Hotfixes
installed_jumbo_take !!Check Jumbo HF take (sk72800)
$CPDIR/bin/CRSValidator -l /opt/SecurePlatform/conf/crs.xml -remove <HotFix> !!Manually remove HotFix
idle <20m> !!Idle timeout in seconds. Expert mode use TMOUT=<1200s>
unset TMOUT !!Disable auto logoff in expert mode
/etc/cst [-small -nocpinfo -batch -o <dir>] !!IPSO diagnostic tool
!!Flags: F: to Fw, U: opposite flow to Fw, N: NAT performed, A: Accounting performed, C: Encryption done, W: wire mode
trap2sink <trapServer> <community> cp_monitor 1.3.6.1.2.1.2.2.1.8.<SNMP_Interface_Index>==2 <rateSec> <msg="Interface Down"> !!SNMP trap example
xntpdc -pn !!NTP query
>>shell !!go to shell mode. '>>' marks clish mode
>>save config !!save config permanently
>>load|save cfgfile <file> !!load|save config file to config set
>>show cfgfiles !!show config set
>>show uptime
>>show asset hardware|software|packages
>>show summary !!IPSO "show run" summary
>>show useful-stats !!Shows Disk, VRRP, RAM summary
>>show package all|active|inactive !!List all|active|inactive packages
>>add package media local name [opt/packages/IPSO-3.9.tgz] !!Add package
>>show disks|(disk <id> capacity)|diskmirrors
>>show images (current) !!Show installed|current images
>>delete image <name> !!Delete image
>>show iftrafficstats
>>show sysenv temperature all
>>add|delete interface <if> address ip <ip/p>
>>set interface ethX speed 100M duplex full active on
>>set interface ethXc0 enable
>>show interfaces
>>show tunnels
>>show interfacemonitor
>>set mcvr vrid <1-255> priority <1-254> !!Simplified VRRP
>>set vrrp interface <if> virtual-router backup-vrid <1-255> priority <1-254> !!Legacy VRRP
>>show vrrp !!VRRP, useful to check active/backup unit
>>show vrrp interfaces
>>show configuration ospf
>>show route [destination <ip>]
>>set static-route default nexthop gateway address 192.168.29.2 priority 1 on !!Set default gateway
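The `fw log -pln -m raw ... rule_uid` pipeline above (under "Rule Use") counts how often each rule UID appears in an exported log. As an added example, not part of the original compilation, this POSIX shell version does the same count and adds the step rule clean-up actually needs: comparing the hit list against the policy's UID list to report rules with zero hits. It assumes raw log lines are `key: value;` pairs containing `rule_uid: {GUID};` (the shape the cheat sheet's sed matches) and that the policy UIDs are available one `{GUID}` per line in a file; both sample files are constructed here, and the GUIDs are placeholders, not real rule UIDs.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): rule-usage accounting from
# "fw log -pln -m raw" output, plus a zero-hit (unused rule) report.
# Assumptions: raw log lines contain "rule_uid: {GUID};" once per entry; the
# policy UID list is one "{GUID}" per line. Sample data below is constructed
# and the GUIDs are placeholders.
export LC_ALL=C   # byte-order sort on both sides of comm, whatever the shell locale

# rule_hits < rawlog  ->  "count {GUID}" lines, busiest rule first.
# Entries without a rule_uid (e.g. implied rules in this sample) are skipped.
rule_hits() {
    sed -n 's/.*rule_uid: \({[^}]*}\);.*/\1/p' |
    sort | uniq -c | sort -nr | awk '{ print $1, $2 }'
}

# unused_rules POLICY_UIDS RAWLOG  ->  UIDs present in the policy, absent from the log
unused_rules() {
    seen="${TMPDIR:-/tmp}/seen_uids.$$"
    rule_hits < "$2" | awk '{ print $2 }' | sort > "$seen"
    sort "$1" | comm -23 - "$seen"
    rm -f "$seen"
}

# write_samples RAWLOG POLICY_UIDS -> writes the constructed sample files.
# A real RAWLOG would come from: fw log -pln -m raw fw.log > rawlog.txt
write_samples() {
    cat > "$1" <<'EOF'
time: 10:00:01; action: accept; src: 10.1.1.5; dst: 10.2.2.9; service: 443; rule: 7; rule_uid: {11111111-aaaa-4bbb-8ccc-000000000001}; proto: tcp;
time: 10:00:02; action: accept; src: 10.1.1.7; dst: 10.2.2.9; service: 53; rule: 12; rule_uid: {11111111-aaaa-4bbb-8ccc-000000000002}; proto: udp;
time: 10:00:03; action: accept; src: 10.1.1.5; dst: 10.2.2.9; service: 443; rule: 7; rule_uid: {11111111-aaaa-4bbb-8ccc-000000000001}; proto: tcp;
time: 10:00:04; action: drop; src: 10.9.9.9; dst: 10.2.2.9; service: 23; proto: tcp;
EOF
    cat > "$2" <<'EOF'
{11111111-aaaa-4bbb-8ccc-000000000001}
{11111111-aaaa-4bbb-8ccc-000000000002}
{11111111-aaaa-4bbb-8ccc-000000000003}
EOF
}

# Demo on temporary files.
raw_log="${TMPDIR:-/tmp}/rawlog_demo.$$"
policy_uids="${TMPDIR:-/tmp}/policy_uids_demo.$$"
write_samples "$raw_log" "$policy_uids"
echo "hits per rule:";   rule_hits < "$raw_log"
echo "rules never hit:"; unused_rules "$policy_uids" "$raw_log"
rm -f "$raw_log" "$policy_uids"
```

A rule that never appears over a log window spanning the policy's real traffic cycle (month-end jobs included) is a candidate for disabling, which shrinks the attack surface the policy exposes; the zero-hit list is where that review starts.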


>>set static-route <net>/<prefix> nexthop gateway address <gw> on|off !!Add|Remove static routes
>>set static-route <net>/<prefix> nexthop blackhole
>>set static-route <net>/<prefix> nexthop reject
>>add arpproxy address <ip> macaddress <mac> !!Add Proxy ARP
>>show configuration arp
>>show arp table cache-size !!Default: 1024, Range: 1024-16384
>>show arp static all
>>show arp dynamic all
>>show arp proxy all
>>set arp table cache-size <n>
>>delete arp dynamic all
>>set date timezone-city "Greenwich (GMT)" !!Set Timezone
>>add ntp server <ip> version 3 prefer yes !!Add an NTP server
>>show ntp servers
>>show ntp active
>>show arp|arpproxy all|keep-time !!ARP info
>>set hostname <name> !!Set Hostname
>>add host name <name> ipv4 <ip> !!Set hostname assignment
>>add user <user> uid <uid> homedir /var/emhome/<dir> !!Create user
>>set user <user> passwd !!Set user passwd
>>show users
HKCU\Software\Check Point\Management Clients\<ver>\<release>\Check Point SmartDashboard\Check Point SmartDashboard\Toolbar States\ToolBar-Bar0\Toolbar States=1 !!restore SmartDashboard Menu
mii-tool !!Bridge mode. Interface info
brctl show !!Bridge mode information
$CPDIR/bin/cpprod_util CPPROD_GetValue "Reporting Module" DefaultDatabase 1 !!Which DB SmartReporter uses
$CPDIR/database/postgresql/bin/psql -U cp_postgres -p 18272 rt_database !!check connection to DB
!!use external Syslog (needs R77.30 Add-on): http://www.51sec.org/2016/01/23/configuring-Check Point-gateway-forwarding-logs-to-external-syslog-server/
!!FS check (sk92442). Start in maintenance mode. umount -a; fsck -f -n -c -v; fsck -f -p -v; reboot
!!Hardware Diagnostic Tool: sk97251
!!SmartEvent Server: $RTDIR/distrib, $RTDIR/events_db
!!sk66575: evstop; $CPDIR/database/postgresql/bin/psql -U cp_postgres -p 18272 postgres -c 'DROP DATABASE events_db'; rm -r $RTDIR/distrib/*; evstart
!!SmartReporter DB settings: $RTDIR/Database/conf/my.cnf
!!Sticky Decision Function in Load Sharing ClusterXL: works for FTP, NAT, VPN, L2TP. Not for VPN routing, SecureXL
!!Search non-ASCII characters https://www.cpug.org/forums/showthread.php/22208-Eliminate-non-UTF-8-encoded-chars
grep --color='auto' -P -n '[^\x00-\x7F]' $FWDIR/conf/objects_5_0.C
grep --color='auto' -P 'rule-base|[^\x00-\x7F]' $FWDIR/conf/rulebases_5_0.fws | grep -P -B 1 '^\t\t\t'
grep --color='auto' -P 'rule-base|[^\x00-\x7F]' $FWDIR/conf/sem_rulebases_5_0.fws | grep -P -B 1 '^\t\t\t'
!!VSX (http://todorovicmarko.blogspot.sk/2014/11/troubleshootvsxgeneral_18.html)
!!VSX/VSID 0 = $FWDIR + $CPDIR. VSX/VSID n = $FWDIR/CTX00n + $CPDIR/CTXn
!!$CPDIR/conf/ctxdb.C, $CPDIR/registry/HKLM\SOFTWARE\Check Point\CCTX\CCTX0000<VSID>
!!$CPDIR/CTX/CTX00xxx/conf, $FWDIR/CTX/CTX00xxx/log|database
cpinfo -x <VSXID> -o <file_cpinfo> !!cpinfo for tech support
>show virtual-system all
>set virtual-system <vsxid>
fw -vs <vsxid> getifs
cphaprob -a -vs <vsxid> if
cphaconf show_bond bondXXX
set interface <if> state on|off
clish -c "show arp proxy all" | grep xxxx
grep arpproxy /config/db/initial
$FWDIR/conf/local.arp !!Proxy ARP config file
VSXID> add arp proxy ipv4-address <ip> interface
VSXID> delete arp proxy ipv4-address <ip>
fw vsx stat -l <vsxid>
mgmt_cli show changes from-date "2017-02-01T08:20:50" to-date "2017-02-21" --format json !!show diff between dates
mgmt_cli show unused-objects offset 0 limit 50 details-level "standard" --format json !!show unused objects
!!Convert policy to Check Point: SmartMove (on R80.10): sk115416. Cisco2Check Point: https://github.com/GoSecure/Cisco2Check Point