Wednesday, February 24, 2010

Checkpoint Commands

Check Point commands generally fall into three families:

cp  - general (cpstart, cpstop, cpconfig, cplic, cpstat ...)
fw  - firewall / enforcement module
fwm - management server

CP, FW & FWM Commands

cphaprob stat List cluster status

cphaprob -a if List status of interfaces

cphaprob syncstat shows the sync status

cphaprob list Shows a status in list form

cphastart / cphastop Starts / stops ClusterXL on this specific cluster member

cp_conf sic SIC (Secure Internal Communication) setup from the command line, e.g. resetting the trust state

cpconfig config util

cplic print prints the license

cprestart Restarts all Checkpoint Services

cpstart Starts all Checkpoint Services

cpstop Stops all Checkpoint Services

cpstop -fwflag -proc Stops all Check Point services but keeps the policy active in the kernel

cpwd_admin list List checkpoint processes

cpstat -f all polsrv Show VPN Policy Server Stats

cpstat fw Shows the status of the firewall (full cpstat usage and the other application flags are listed further down)

fw tab -t sam_blocked_ips Shows the IPs currently blocked by SAM (Suspicious Activity Monitoring), e.g. blocked from SmartView Tracker

fw tab -t connections -s Show connection stats

fw tab -t connections -f Show connections with IP instead of HEX

fw tab -t fwx_alloc -f Show fwx_alloc with IP instead of HEX

fw tab -t peers_count -s Shows VPN stats

fw tab -t userc_users -s Shows VPN stats

fw checklic Check license details

fw ctl get int [global kernel parameter] Shows the current value of a global kernel parameter

fw ctl set int [global kernel parameter] [value] Sets the current value of a global kernel parameter. Only temporary: cleared after reboot. To make the setting survive a reboot, add a "parameter=value" line to $FWDIR/boot/modules/fwkern.conf.

fw ctl arp Shows arp table

fw ctl install Install hosts internal interfaces

fw ctl ip_forwarding Control IP forwarding

fw ctl pstat System Resource stats

fw ctl uninstall Uninstall hosts internal interfaces

fw logexport -o [file] Export the current log file to an ASCII file

fw fetch Fetch security policy and install

fw fetch localhost Installs (on gateway) the last installed policy.

fw lichosts Display protected hosts

fw log -f Tail the current log file

fw log -s [start time] -e [end time] Retrieve log records between two times

fw logswitch Rotate current log file

fw lslogs Display remote machine log-file list

fw monitor Packet sniffer

fw printlic -p Print current Firewall modules

fw printlic Print current license details

fw putkey Install an authentication key onto a host (the pre-SIC authentication used by 4.x modules)

fw stat -l Long stat list, shows which policies are installed

fw stat -s Short stat list, shows which policies are installed

fw unloadlocal Unload policy

fw ver -k Returns version, patch and kernel module info

fwstart Starts the firewall

fwstop Stop the firewall

fwm lock_admin -v View locked admin accounts

fwm dbexport -f user.txt Exports users to a file; fwm dbimport does the reverse

fwm_start starts the management processes

fwm -p Print a list of admin users

fwm -a Add an administrator

fwm -r Remove an administrator
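
Most of the commands above are typed by hand, but the two you end up running most on a gateway are cphaprob stat and fw stat, so it is worth having a script turn their output into a yes/no answer. The script below is an added example, not from the original post or from Check Point: it parses a constructed imitation of cphaprob stat and fw stat output (the SAMPLE_* strings are made up to look like typical output, not captured from a real box) and flags cluster members that are neither Active nor Standby and gateways running without a real policy (InitialPolicy or defaultfilter). When cphaprob is on the path it uses the live output instead.

```shell
#!/bin/sh
# Added example (not from the original post): turn `cphaprob stat` and
# `fw stat` output into a health verdict. The SAMPLE_* strings are
# constructed to resemble typical output; they are not from a real gateway.

SAMPLE_CPHAPROB='Cluster Mode:   High Availability (Active Up) with IGMP Membership

Number     Unique Address  Assigned Load   State

1 (local)  192.168.100.1   100%            Active
2          192.168.100.2   0%              Down'

SAMPLE_FWSTAT='HOST      POLICY    DATE
localhost Standard  24Feb2010 10:15:02 :  [>eth0] [<eth0] [>eth1] [<eth1]'

# Print cluster members whose State column is neither Active nor Standby,
# one "<member-number> <state>" pair per line. Empty output means healthy.
cluster_unhealthy_members() {
    printf '%s\n' "$1" | awk '
        /^[0-9]+/ {                 # member rows start with the member number
            state = $NF             # State is always the last column
            if (state != "Active" && state != "Standby") print $1, state
        }'
}

# Print the name of the policy installed on the local gateway
# (second column of the "localhost" row, header skipped).
installed_policy() {
    printf '%s\n' "$1" | awk 'NR > 1 && $1 == "localhost" { print $2; exit }'
}

# Succeed only if a real policy is installed. "-", InitialPolicy and
# defaultfilter all mean the gateway is running without the site's rulebase.
policy_is_real() {
    case "$(installed_policy "$1")" in
        ""|-|InitialPolicy|defaultfilter) return 1 ;;
        *) return 0 ;;
    esac
}

# Use live command output when running on a gateway, otherwise the samples.
main() {
    if command -v cphaprob >/dev/null 2>&1; then
        ha=$(cphaprob stat); fwst=$(fw stat)
    else
        ha=$SAMPLE_CPHAPROB; fwst=$SAMPLE_FWSTAT
    fi
    bad=$(cluster_unhealthy_members "$ha")
    if [ -n "$bad" ]; then
        echo "cluster members not Active/Standby: $bad"
    fi
    if policy_is_real "$fwst"; then
        echo "policy installed: $(installed_policy "$fwst")"
    else
        echo "WARNING: no customer policy installed (fw stat shows '$(installed_policy "$fwst")')"
    fi
}

main
```

The parsing keys on column position (member number first, State last; policy name second on the localhost row) rather than on fixed offsets, so it tolerates the varying whitespace these commands emit.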

Provider 1

mdsenv [cma name] Sets the mds environment

mcd Changes your directory to that of the environment.

mds_setup Sets up MDS servers

mdsconfig Alternative to cpconfig for MDS servers

mdsstat To see the processes status

mdsstart_customer [cma name] To start cma

mdsstop_customer [cma name] To stop cma

cma_migrate Migrates a SmartCenter server into a CMA

cmamigrate_assist Helper for cma_migrate: enables FTP on the SmartCenter server so you don't have to go through the pain of tar/zip/ftp by hand


VPN

vpn tu VPN tunnel utility: lists and deletes IKE/IPsec SAs, which forces a rekey

vpn ipafile_check ipassignment.conf detail Verifies the ipassignment.conf file

dtps lic show desktop policy license status

cpstat -f all polsrv show status of the dtps

vpn shell /tunnels/delete/IKE/peer/[peer ip] delete IKE SA

vpn shell /tunnels/delete/IPsec/peer/[peer ip] delete Phase 2 SA

vpn shell /show/tunnels/ike/peer/[peer ip] show IKE SA

vpn shell /show/tunnels/ipsec/peer/[peer ip] show Phase 2 SA

SPLAT Only

router Enters router mode (SecurePlatform Pro only) for advanced routing options
patch add cd Upgrades your Check Point software from a mounted CD/ISO image (SPLAT only)

backup Performs an operating system and configuration backup
restore Restores a backup taken with backup
snapshot Performs a full system image backup, including all Check Point binaries. Note: this issues a cpstop, so run it in a maintenance window.


VSX

vsx get [vsys name/id] get the current context

vsx set [vsys name/id] set your context

fw -vs [vsys id] getifs show the interfaces for a virtual device

fw vsx stat -l shows a list of the virtual devices and installed policies

fw vsx stat -v shows a list of the virtual devices and installed policies (verbose)

reset_gw resets the gateway, clearing all previous virtual devices and settings.

Some more


>fwstop
Stops the FireWall-1 daemon, management server (fwm), SNMP (snmpd)
and authentication daemon (authd).
(To stop FireWall-1 NG and load the default filter: fwstop -default; to stop the processes but leave the current policy loaded in the kernel: fwstop -proc)
>fwstart
Loads the FireWall-1 and starts the processes killed by fwstop.
>cpstop
Stops all Check Point applications running, except cprid.
>cpstart
Starts all Check Point applications.
>cpconfig
In NT, opens Check Point Configuration Tool GUI. (licenses, admins …)
>cpstat options
Provides status of the target hosts.
Usage: cpstat [-h host][-p port][-f flavour][-o polling [-c count] [-e period]]
[-d] application_flag
-h A resolvable hostname, a dot-notation address, or a DAIP object name.
Default is localhost.
-p Port number of the AMON server.
Default is the standard AMON port (18192).
-f The flavour of the output (as appears in the configuration file).
Default is to use the first flavour found in the configuration file.
-o Polling interval (seconds) specifies the pace of the results.
Default is 0, meaning the results are shown only once.
-c Specifying how many times the results are shown.
Default is 0, meaning the results are repeatedly shown.
-e Period interval (seconds) specifies the interval over which "statistical" oids are computed.
Ignored for regular oids.
-d Debug mode
Available application_flags:
Flag Flavours
--------------------------------------------------------------------------------------------------
fw default, policy, perf, hmem, kmem, inspect, cookies, chains, fragments, totals,
ufp, http, ftp, telnet, rlogin, smtp, sync, all
--------------------------------------------------------------------------------------------------
ha default, all
--------------------------------------------------------------------------------------------------
ls default
--------------------------------------------------------------------------------------------------
mg default
--------------------------------------------------------------------------------------------------
os default, routing, memory, old_memory, cpu, disk, perf, all, average_cpu,
average_memory, statistics
--------------------------------------------------------------------------------------------------
persistency product, TableConfig, SourceConfig
--------------------------------------------------------------------------------------------------
polsrv default, all
--------------------------------------------------------------------------------------------------
vpn default, product, IKE, ipsec, traffic, compression, accelerator, nic, statistics,
watermarks, all
--------------------------------------------------------------------------------------------------
FireWall-1 Commands
>fw ver [-h] ..
Display version
This is Check Point VPN-1(TM) & FireWall-1(R) NG Feature Pack 3 Build 53920
>fw kill [-sig_no] procname
Send signal to a daemon
>fw putkey -n ip_address_host ip_address_of_closest_interface
Client/server keys; helpful if you are integrating an NG Management Server
with 4.x enforcement modules. Installs an authenticating password, the
pre-SIC mechanism that 4.x modules use to authenticate to the Management Server.
>fw sam (Suspicious Activities Monitoring)
Usage:
sam [-v] [-s sam-server] [-S server-sic-name] [-t timeout] [-l log] [-f fw-host]
[-C] -(n|i|I|j|J) criteria
sam [-v] [-s sam-server] [-S server-sic-name] [-f fw-host] -M -ijn criteria
sam [-v] [-s sam-server] [-S server-sic-name] [-f fw-host] -D
Actions: -n notify only, -i inhibit (drop), -I inhibit and close existing connections,
-j reject, -J reject and close existing connections, -M monitor, -D cancel all SAM rules.
Criteria may be one of:
src, dst, any, subsrc, subdst, subany, srv, subsrv, subsrvs, subsrvd, dstsrv,
subdstsrv, srcpr, dstpr, subsrcpr, subdstpr
>fw fetch ip_address_management_station
Used to fetch Inspection code from a specified host and install it to the
kernel of the current host.
>fw tab [-h] ...
Displays the contents of FireWall-1’s various tables
>fw tab -t connections -s tells how many connections are in the state table
>fw monitor [-h] ...
Monitor VPN-1/FW-1 traffic
>fw ctl [args] install, uninstall, pstat, iflist, arp, debug, kdebug, chain, conn
Control kernel
>fw ctl pstat shows the internal statistics (memory/connections)
>fw ctl arp shows the firewall's proxy-ARP table, i.e. the NAT addresses it answers ARP for
>fw lichosts
Display protected hosts
>fw log [-h] ...
Display logs
>fw logswitch [-h target] [+|-][oldlog]
Create a new log file; the old log is moved
>fw repairlog ...
Log index recreation
>fw mergefiles ...
log files merger
>fw lslogs ...
Remote machine log file list
>fw fetchlogs ...
Fetch logs from a remote host
FireWall Management Server Commands
>fwm ver [-h] ...
Display version
>fwm load [opts] [filter-file|rule-base] targets
Will convert the *.W file from the GUI to a *.pf file and compile into
Inspection code, installing a Security Policy on an enforcement module.
>fwm load Standard.W all.all@localgateway
>fwm unload [opts] targets
Uninstall Security Policy from the specified target(s).
>fwm dbload [targets]
Download the database
>fwm logexport [-h] ...
Export log to ascii file
>fwm logexport [-d delimiter] [-i filename] [-o filename] [-n] [-f] [-m mode] [-a]
Where:
-d - Set the output delimiter. Default is ;
-i - Input file name. Default is the active log file, fw.log
-o - Output file name. Default is printing to the screen
-n - No IP resolving. Default is to resolve all IPs
-f - In case of active file (fw.log), wait for new records and export them
-m - Unification mode. Default is initial order.
Initial - initial order mode
Raw - No unification
Semi - Semi-unified mode
-a - Take account records only. Default is export all records
Once your log files have been written to a backup file (fw logswitch), you can export them to
ASCII so you can analyse them. The command that does this is fwm logexport. For example:
C:\WINNT\FW1\NG\log>fwm logexport -d , -i 2003-03-19_235900_1.log -o fwlog2003-03-19.txt
The -d switch specifies the delimiter character, the default being the semicolon; pick one that
cannot appear inside a field if you plan to parse the output. The -i switch specifies the input
file and the -o switch the output file. The -n switch tells the program not to perform name
resolution on the IP addresses, which greatly speeds up the export. If you have the time and
want to see host names instead of IP addresses you may omit this switch. One word of caution:
the output files grow to an average of 2.5 times the size of the input file.
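
Once the log is in delimited ASCII, plain awk gets you a long way. The script below is an added example, not from the original post or from Check Point: it runs over a constructed sample of a semicolon-delimited logexport (the header and records are made up to resemble SmartView Tracker columns, not real log data) and reports the sources with the most drops and the sources that were dropped against many distinct destinations/services, a crude port-scan indicator. Columns are located by header name, so it keeps working if your export has extra or reordered fields.

```shell
#!/bin/sh
# Added example (not from the original post): first-pass analysis of a
# log exported with `fwm logexport -d ';' -n -i <log> -o <file>`.
# The header and records below are constructed to resemble such an export;
# they are not real logs.

SAMPLE_EXPORT='num;date;time;orig;type;action;i/f_name;i/f_dir;src;s_port;dst;service;proto;rule
1;24Feb2010;10:15:01;fw1;log;drop;eth0;inbound;10.200.1.55;40001;192.168.10.5;22;tcp;9
2;24Feb2010;10:15:01;fw1;log;drop;eth0;inbound;10.200.1.55;40002;192.168.10.5;23;tcp;9
3;24Feb2010;10:15:02;fw1;log;drop;eth0;inbound;10.200.1.55;40003;192.168.10.5;445;tcp;9
4;24Feb2010;10:15:02;fw1;log;accept;eth0;inbound;10.200.1.7;51234;192.168.10.5;80;tcp;3
5;24Feb2010;10:15:03;fw1;log;drop;eth0;inbound;10.200.1.9;3333;192.168.10.8;25;tcp;9
6;24Feb2010;10:15:03;fw1;log;accept;eth1;outbound;192.168.10.5;53001;8.8.8.8;53;udp;4'

# Usage: top_dropped_sources FILE [N]
# Count dropped records per source IP and print the N busiest (default 5)
# as "src count". Column indices are taken from the header line.
top_dropped_sources() {
    awk -F';' '
        NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
        $col["action"] == "drop" { n[$col["src"]]++ }
        END { for (s in n) print s, n[s] }' "$1" \
    | sort -k2,2nr -k1,1 | head -n "${2:-5}"
}

# Usage: port_scan_suspects FILE [THRESHOLD]
# Print sources dropped against at least THRESHOLD (default 10) distinct
# dst/service pairs: a crude scan detector, since a legitimate client
# rarely hits many different services and gets dropped on all of them.
port_scan_suspects() {
    awk -F';' -v th="${2:-10}" '
        NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
        $col["action"] == "drop" {
            key = $col["src"] SUBSEP $col["dst"] SUBSEP $col["service"]
            if (!(key in seen)) { seen[key] = 1; distinct[$col["src"]]++ }
        }
        END { for (s in distinct) if (distinct[s] >= th) print s, distinct[s] }' "$1" \
    | sort -k2,2nr -k1,1
}

# Write the constructed sample to a temp file and run both reports on it.
# On a management server, point the functions at the real logexport output.
demo() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_EXPORT" > "$f"
    echo "most-dropped sources:"; top_dropped_sources "$f" 3
    echo "possible scanners (>=3 distinct dst/service pairs):"; port_scan_suspects "$f" 3
    rm -f "$f"
}
demo
```

Export with -n when feeding this kind of script: resolved host names are slower to produce and make the src/dst fields ambiguous to match on.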
>fwm gen [-RouterType [-import]] rule-base
Generate an inspection script or a router access-list
>fwm dbexport [-h] ...
Export the database
>fwm ikecrypt
Encrypt a secret with a key (for use with dbexport/dbimport)
>fwm dbimport [-h] ...
Import to database
SmartUpdate commands (require a license)
>cppkg add
>cppkg del [vendor] [product] [version] [os] [sp]
>cppkg print
>cppkg setroot
>cppkg getroot


Checkpoint SPLAT Quick Command

Commonly Used Linux Command

Sometimes I have trouble remembering Linux commands when I'm on the console, so I will list the most common ones, plus those specific to a Checkpoint firewall running on SPLAT (SecurePlatform). It's a bit odd how they short form it to SPLAT :)

ls -l (lists the files)

ls -lrt (lists the files sorted by modification time; the last line is the newest file)

df -h (shows disk usage per partition in human-readable units; if a partition is 100% utilised you will have problems, especially on a management server whose log partition has filled up)

df -k (the same as above, but in kilobytes)

netstat -rn (to show the routing table of your device)

ifconfig ( to show the list of available interfaces)

If your Linux has tcpdump (most installs, including SPLAT, have it), the command to sniff packets on a specific interface is:

# tcpdump -i <interface> -s 1500 net 10.200.1.0/24 -w /var/tmp/xxw.pcap

*Replace <interface> with the interface name on your device (e.g. eth0). To filter on a network, use 'net' as above; to filter on a single host, change it to 'host 10.200.1.1'.

-s 1500 sets the snap length so that whole 1500-byte frames are captured. Without it, older tcpdump versions keep only the first 68 bytes of each packet, so the decoded payload looks incomplete.

-w saves the capture to a file. By giving the file a .pcap extension you can double-click it to open it in Ethereal (now Wireshark).

traceroute (the normal trace route function; in Windows you'd use tracert)

ping (to check whether the destination server responds)

ssh user@host (to ssh to a host with a given username)

grep can be appended to a normal command to pick out the lines containing a specific name. For example, to see only the routes via interface eth3 in your routing table, use:

netstat -rn | grep eth3

If you wish to display the routing table per page, use | more at the end of your command line. Example;

netstat -rn | more

ps -ef (lists the running processes and their process IDs; to see which ones consume the most memory use ps aux, sorted on the %MEM column, or top)

service snmpd status (checks the status of the snmpd daemon)

For specific Checkpoint command line, the most commonly used are;

cphaprob stat ( to check the Checkpoint High Availability status)

cpstart ( to start the checkpoint application)

cpstop (to stop the checkpoint application)

sysconfig (to enter the network setting on the SPLAT machine)

cpconfig ( to enter the checkpoint setting)

New ones for Checkpoint firewall

cplic print (print the license)

cpstat (to check cp stats)

cpstat -vs 3 fw -f policy (checks the policy status of virtual system ID 3 on a VSX gateway)

Other stats finding command lines

cpstat os -f all

cpstat os -f cpu

fw tab -s -t connections

fw ctl pstat
