Wednesday, October 26, 2011

Checkpoint : Rules from Gateway

sed "/:rules-adtr/,/^$/d" rules.C | egrep ": |:action|:disabled|:global_location|:through|:time|:track|:dst|:install|:services|:src" | more

Checkpoint : Policy Load From Management Server / Provider-1 / Smartcentre Server

To Load Policy from Management Server

fwm load

And of course it is good practice to enable debug output when you are in trouble:

fwm load -d

Monday, October 24, 2011

Checkpoint Firewall Logs from CLI

fw log displays the content of log files. The full syntax of the fw log command is as follows:

fw log [-f [-t]] [-n] [-l] [-o] [-c action] [-h host] [-s starttime] [-e endtime] [-b starttime endtime] [-u unification_scheme_file] [-m unification_mode(initial|semi|raw)] [-a] [-k (alert_name|all)] [-g] [logfile]

Optional Switches
The optional switches for fw log are as follows:

-f [-t]
After reaching the end of the currently displayed file, do not exit (the default behavior), but continue to monitor the log file indefinitely, and display it while it is being written. The -t parameter indicates that the display is to begin at the end of the file. The display will initially be empty, and only new records added later will be displayed. -t is used with a -f flag. These flags are relevant only for active files.

-n
Do not perform DNS resolution of the IP addresses in the log file (the default behavior is to resolve them). This option significantly speeds up processing.

-l
Display both the date and the time for each log record. (The default is to show the date only once above the relevant records, and then specify the time per log record.)

-o
Show detailed log chains (all log segments a log record consists of).

-c action
Display only events whose action is action, i.e., accept, drop, reject, authorize, deauthorize, encrypt, and decrypt. Control actions are always displayed.

-h host
Display only the log whose origin is the specified IP address or name.

-s starttime
Display only events that were logged after the specified time. (See format below.) starttime may be a date, time, or both. If the date is omitted, today’s date is assumed.

-e endtime
Display only events that were logged before the specified time. (See format below.) endtime may be a date, a time, or both.

-b starttime endtime
Display only events that were logged between the specified start and end times (format below), each of which may be a date, time, or both. If date is omitted, today’s date is assumed. The start and end times are expected after the flag.

-u unification_scheme_file
Unification-scheme filename. (The unification scheme specifies the precise manner in which logs are processed, per selected unification mode.)

-m unification_mode
This flag specifies the unification mode.
* initial - the default mode, specifying complete unification of log records; i.e., output one unified record for each ID (default). When used together with -f, no updates, but only entries relating to the start of new connections will be displayed. To display updates, use the semi parameter.
* semi - step-by-step unification; for each log record, output a record that unifies this record with all previously-encountered records with the same ID.
* raw - outputs all records, with no unification.

-a
Output account-log records only.

-k alert_name
Display only events that match a specific alert type. The default is all, for any alert type.

-g
Do not use a delimited style. The default delimited style is:
* : after field name
* ; after field value

logfile
Use logfile instead of the default log file. The default log file is $FWDIR/log/fw.log.

The full date-and-time format is: MMM DD, YYYY HH:MM:SS (for example: May 26, 1999 14:20:00)

It is possible to specify the date only, in the format MMM DD, YYYY, or the time only, in the format HH:MM:SS. When only the time is specified, the current date is assumed.


fw log
fw log | more
fw log -c reject
fw log -s "May 26, 1999"
fw log -f -s 16:00:00
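As an added example (not from the original post), the following POSIX shell snippet parses records in the default delimited style described above (": " after the field name, ";" after the value) and lists the sources whose traffic was dropped or rejected, which is a quick triage view when reading fw log output. The field names and the log lines are constructed for illustration and are not a capture from a real gateway.

```shell
#!/bin/sh
# Constructed sample in fw log's default delimited style. The field
# names (Date, Time, Action, Orig, Src, Dst, Proto, Service, Rule) and
# all values are illustrative; this is not real gateway output.
SAMPLE_LOG='Date: 26Oct2011; Time: 14:20:01; Action: drop; Orig: 10.0.0.1; Src: 192.168.1.10; Dst: 10.1.1.5; Proto: tcp; Service: 23; Rule: 12;
Date: 26Oct2011; Time: 14:20:02; Action: accept; Orig: 10.0.0.1; Src: 192.168.1.11; Dst: 10.1.1.5; Proto: tcp; Service: 443; Rule: 3;
Date: 26Oct2011; Time: 14:20:03; Action: drop; Orig: 10.0.0.1; Src: 192.168.1.10; Dst: 10.1.1.6; Proto: tcp; Service: 22; Rule: 12;
Date: 26Oct2011; Time: 14:20:04; Action: reject; Orig: 10.0.0.1; Src: 192.168.1.12; Dst: 10.1.1.5; Proto: udp; Service: 53; Rule: 7;
Date: 26Oct2011; Time: 14:20:05; Action: drop; Orig: 10.0.0.1; Src: 192.168.1.10; Dst: 10.1.1.7; Proto: tcp; Service: 3389; Rule: 12;'

# field_value RECORD NAME: print the value of field NAME from one
# delimited record (fields split on ";", name and value split on ": ").
field_value() {
    printf '%s\n' "$1" | awk -v name="$2" -F';' '{
        for (i = 1; i <= NF; i++) {
            f = $i; sub(/^ +/, "", f)
            n = index(f, ": ")
            if (n > 0 && substr(f, 1, n - 1) == name) { print substr(f, n + 2); exit }
        }
    }'
}

# blocked_sources: read fw log records on stdin and print "count source"
# for every source whose traffic was dropped or rejected, busiest first.
blocked_sources() {
    awk -F';' '{
        act = ""; src = ""
        for (i = 1; i <= NF; i++) {
            f = $i; sub(/^ +/, "", f)
            if (f ~ /^Action: /) act = substr(f, 9)
            if (f ~ /^Src: /)    src = substr(f, 6)
        }
        if (act == "drop" || act == "reject") count[src]++
    }
    END { for (s in count) print count[s], s }' | sort -rn
}

# On a gateway this would be fed by:  fw log -n -l | blocked_sources
# Here the constructed sample stands in for the live output.
printf '%s\n' "$SAMPLE_LOG" | blocked_sources
```

Using -n (no DNS resolution) and -l (date and time on every record) keeps each line self-contained, which is what the per-record parsing above relies on.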

Friday, October 14, 2011

Checkpoint Debug - Very Much Useful

Usage :


Debugging CPD :

CPD is high in the hierarchical chain and helps to execute many services, such as Secure Internal Communication (SIC), licensing and status reporting.

For CPD debug, execute:

cpd_admin debug on TDERROR_ALL_ALL=5

The debug file is located under $CPDIR/log/cpd.elg

To stop the CPD debug, execute:

cpd_admin debug off TDERROR_ALL_ALL=1

Debugging FWM:

The FWM process is responsible for the execution of the database activities of the SmartCenter server. It is, therefore, responsible for Policy installation, Management High Availability (HA) synchronization, saving the Policy, database read/write actions, log display, etc.

For FWM debug, execute:

fw debug fwm on TDERROR_ALL_ALL=5
fw debug fwm on OPSEC_DEBUG_LEVEL=9

The debug file is located under $FWDIR/log/fwm.elg

To stop the FWM debug, execute:

fw debug fwm off TDERROR_ALL_ALL=1
fw debug fwm off OPSEC_DEBUG_LEVEL=1

Debugging FWD :

The FWD process is responsible for logging. It is involved in logging, Security Servers and communication with OPSEC applications.

For FWD debug, execute:

fw debug fwd on TDERROR_ALL_ALL=5

The debug file is located under $FWDIR/log/fwd.elg

To stop the FWD debug, execute:

fw debug fwd off TDERROR_ALL_ALL=1

TIP: echo $TDERROR_ALL_ALL will let you know the current debug level.

Monday, October 3, 2011

Checkpoint : Nokia : See Memory/CPU

In Voyager, under the Monitor option, select CPU and Memory Utilization. This gives you the Total Real Memory, Active Real Memory and the Free Memory available on the appliance.

For console access, use clish to display the Real Memory Used. This value is displayed as a percentage.

ipso[admin]# clish

clish:1> show useful-stats

Components          Total
Active Routes       4
Packets Forwarded   0
VRRP Masters        0
Real Memory Used    22%
Disk Capacity       11%

Note: The real physical memory output gathered from Voyager is taken from the kernel directly.