Wednesday, May 25, 2011

Cannot Complete Reboot - Firewall Stuck in Reboot

Once Again realized that I need to learn much more to compete here...

It was always a mystery for me abt boot -s (Single User Mode of Nokia) to recover the firewall.

Troubleshooting: Cannot Complete Reboot
In certain configurations the Default Filter may prevent the Security Gateway computer from completing the reboot following installation.

First, examine the Default Filter and verify that the Default Filter allows traffic that the computer needs in order to boot.

If the boot process cannot complete successfully, remove the Default Filter as follows:

Reboot in single user mode (for UNIX) or Safe Mode With No Networking (for Windows 2000).

Ensure that the Default Filter does not load in future boots. Use the command

fwbootconf bootconf Set_def



$FWDIR/bin/fwboot bootconf [value]

options fwboot bootconf




Reports whether firewall controls IP Forwarding.

Returns 1 if IP Forwarding control is enabled on boot.
Returns 0 if IP Forwarding is not controlled on boot.

Set_ipf 0/1

Turns off/on control of IP forwarding for the next boot.

0 - Turns off

1 - Turns on


Returns the full path to the Default Filter that will be used on boot.


Loads as the Default Filter in the next boot. The only safe, and recommended, place to put the default.bin file is $FWDIR\boot. (The default.bin filename is a default name.)

Note - Do NOT move these files.

Checkpoint Commands - In depth - tHEY dONT liKE BUT I always like to ask the Qn WHY?

(excluding switch options)


cpconfig reconfigures an existing VPN-1/Firewall-1 installation

cpstart starts all Check Point applications running on a machine
(invokes fwstart, fgstart, uagstart, etc.)

cpstop stops all Check Point applications running on a machine

fwstart loads the VPN-1/Firewall-1 Module and starts:
VPN-1/Firewall-1 daemon (fwd)
The Management Server (fwm)
VPN-1/Firewall-1 SNMP daemon (snmpd)
The authentication daemons

fwstop kills the following processes:
VPN-1/Firewall-1 daemon (fwd)
The Management Server (fwm)
VPN-1/Firewall-1 SNMP daemon (snmpd)
The authentication daemons
It also unloads the VPN-1/Firewall-1 Module

cp_permission sets up the permissions for CPMI


fw load compiles and installs a Security Policy to the targets VPN-1/
Firewall-1 Modules. This is done in two ways:
1. fw load compiles and installs an Inspection Script (*.pf) file to
the designated VPN-1/Firewall-1 Modules.
2. fw load converts a Rule Base (*.W) file created by the GUI into an
Inspection Script (*.pf) file, then installs it to the
designated VPN-1/Firewall-1 Modules.

fw bload compiles and installs a Security Policy to the targets embedded
VPN-1/Firewall-1 Modules. This is done in one of two ways.
1. fw bload compiles and installs an Inspection Script (*.pf) file to the
Firewall-1 embedded system specified by
2. fw bload converts a Rule Base (*.W) file created by the GUI
into an Inspection Script (*.pf) file and then compiles and
installs it to the Firewall-1 embedded system specified by

fw unload uninstalls the currently loaded Inspection Code from selected

fw fetch fetches the Inspection Code from the specified host and installs
to the kernel

fw putkey installs a VPN-1/Firewall-1 authentication password on a host.
This password is used to authenticate internal communications
between VPN-1/Firewall-1 Modules and between a Check
Point Module and Management Server. That is, the password
is used to authenticate the control channel the first time
communication is established.

fw dbload downloads the user database and network object information
(for example, encryption keys) to selected targets


cpstat displays the status of target hosts in various formats
(replaces fwstat, fw fgstat, fgate state, etc.)

cpstat_monitor a utility that runs on the Check Point Management Station
which can trigger pre-defined actions when the system
changes its status or when an event has occurred.
This is done by defining limits (or thresholds) on status
Parameters, and actions to be taken.

fw lichosts prints a list of hosts protected by the VPN-1/Firewall-1/n
products. The list of hosts is in the file $FWDIR/database/

fw ver displays the VPN-1/Firewall-1 major version number, the build
number, and a copyright notice

fw sam inhibits (blocks) connections to and from specific IP addresses
without the need to change the Security Policy. The command is


fw ctl sends control information to the VPN-1/Firewall-1 Kernel Module
pstat displays VPN-1/Firewall-1 internal statistics
iflist displays the IP interfaces known to the kernel by name and
internal number
arp displays ARP proxy table

fw kill sends a signal to a VPN-1/Firewall-1 daemon

fwm the VPN-1/Firewall-1 Management Server in the Client/Server
implementation of the Management Server, and is used for commu-
nicating with the GUI and adding, updating, and removing admini-

fwell manages Access Lists for Wellfleet (Bay Networks) routers

fw tab displays the content of INSPECT tables on the target hosts in
various formats.

snmp_trap sends an SNMP trap to the specified host. The message may
appear in the command line, or as one in the program input

dynamic_objects specifies an IP address to which the dynamic object will
be resolved on this machine

dbedit edits the objects file on the Management Server

queryDB_util enables searching the object database according to search

Log File Management

fw log displays the content of Log Files

fw logswitch creates a new Log File. The current Log File is
closed and renamed $FWDIR/log/date.log and a new Log
File with the default name ($FWDIR/log/fw.log) is created

fw logexport exports the Log File to an ASCII file

fw repairlog rebuilds a Log files pointer files. The three files fw.logptr,
fw.loginitial_ptr and fw.logaccount_ptr are recreated from
data in the specified Log file


cphastart - enables the High Availability feature on the machine. In NT,
this is done when the VPN-1/Firewall-1 Module is started. In
Solaris, the cphastart command is part of the fwstart script

cphastop - disables the High Availability feature on the machine

cphaprob - defines critical processes. When a critical process fails, the
machine is considered to have failed.

cpha_export (Solaris only) writes MAC address information to stdout. If
the output is redirected to a file, it can be
input (stdin) to cpha_import on another

cpha_import (Solaris only) imports MAC address information from stdin
and updates the machines MAC address
accordingly. The normal procedure is to
redirect stdin to read a file created by
cpha_export on the primary machine

fw hastat displays information about High Availability machines and their


fw dbimport imports users into the VPN-1/Firewall-1 User Database from
an external file. You can create this file yourself, or use a file
generated by fw dbexport

fw dbexport - exports the VPN-1/Firewall-1 User Database to a file. The
file may be in one of the following formats:
1. the same Usage as the import file for fw dbimport
2. LDIF Usage, which can be imported into an LDAP
Server using ldapmodify

ldapmodify - imports users to an LDAP server. The input file must be in
the LDIF format

fw ldapsearch - queries an LDAP directory and returns the results

fw expdate - changes the expiration date of users (but not templates) in the
VPN-1/Firewall-1 User Database to the date specified by the
first parameter. This change can be optionally applied only to
selected users by specifying the second parameter


fw ca putkey distributes the Certificate Authority Key to a Check Point

fw ca genkey - is used to generate the Certificate Authority Key on a
Management Server

fw certify ssl is used to generate a Certificate Authority certificate on a
Check Point Module

fw internalca - enables hybrid authentication mode, which allows the
server to perform IKE key exchange with the clients using
authentication schemes non-interoperable with IKE.

Instructs the Management Server to initiate an Internal CA,
which involves creating an Internal CA database, gener-
ating public and private keys, issuing a certificate and
saving it.

fw ikecrypt - encrypts the password of a SecuRemote user using IKE.
The resulting string must then be stored in the LDAP

fw sic_reset - resets Secure Internal Communication (SIC) on the
Management Server. The user will be prompted before
the operation actually takes place.

This command deletes the internal Certificate Authority,
deletes the Management Server certificate, deletes the
Certificate Revocation List (CRL), and updates the objects


cplic put - is used to install one or more Local licenses. This command
installs a license on a local machine it cannot be performed

cplic print - prints details of Check Point licenses on the local machine.
On a Module, this command will print all licenses that are
installed on the local machine both Local and Central

cplic del - deletes a single Check Point license on a host. Use it to delete
unwanted evaluation, expired and other licenses. On a Module,
this command will work only for a Local license.

cplic check is used to check whether the license on the machine will allow
a given feature to be used. This command is used mainly for
Technical Support purposes.

cprlic put can be used only from the Management Server, to attach
(install) one or more:
- Central licenses on an NG Module
- Local licenses on the appropriate NG Module
- Version 4.1 licenses on the appropriate version 4.1 Module

cprlic add - is used to add one or more licenses to the license repository
the Management Server.

cprlic print - displays the details of Check Point licenses stored in the
license repository on the Management Server

cprlic del used to detach a Central license from an NG Module. This
command deletes the license from the Module. A Central
license remains in the repository an an unattached license.
The license is available for attachment to another Module.
This command can be executed only on a Management

cprlic rm - removes a license from the license repository on the
Management Server. It can be executed ONLY after the
license was detached using the cprlic del command.
Once the license has been removed from the repository,
it can no longer be used. To re-use it, use the cprlic add
Or cprlic put command.

cprlic get - retrieves all licenses from a Module into the license
repository on the Management Server. Do this to synchronize
the repository with the Module, if NG and version 4.1 Local
licenses were added (or deleted) locally, and hence do not yet
(or still) exist in the license repository. Retrieving licenses
will also delete from the repository Local licenses that do
not exist on the Module.


cppkg add is used to add an installation package file to the Product
Repository. The package file can be located on a CD or a
local or network drive. Cppkg does not overwrite existing
packages. Only SecureUpdate packages can be added to the
Product Repository.

cppkg delete is used to delete a product package from the repository.

cppkg search - is used to list the contents of the Product Repository. Use
this command to see the product and OS strings required
to install a product package using the cprinstall command,
or to delete a package using the cppkg delete command.

cppkg setroot - is used to create a new repository root directory location,
and to move existing product packages into the new
repository. The default Product Repository location is
created when the Management Server is installed.

cppkg getroot - is used to find out the location of the Product Repository

cprinstall get - is used to obtain details of the products and the Operating
System installed on the specified Module, and to update
the Product Repository database.

cprinstall test - is used to test whether the product can be installed on
remote Module. It verifies that the Operating System and
currently installed products are appropriate for the package,
and that there is enough disk space to install the product.

cprinstall install is used to install Check Point products on remote

cprinstall uninstall is used to uninstall products on remote Modules

cprinstall boot is used to boot the remote computer

cprinstall stop is used to stop the operation of other cprinstall commands.
In particular, this command stops the remote installation of
a product even during transfer of files, file extraction,
and pre-installation testing. The operation can be stopped
at any time up to the actual installation.


vpn accel - used for turning on (or off) the accelerator card. When it is
installed, it is enabled by default. You can also check its
status with the command vpn accel stat

lunadiag - a software diagnostics utility specific to the Luna accelerator
card in the Luna package. The utility is documented in the
file lunadiag.txt


vpn ver - displays the VPN-1 major version number, the build number, and
a copyright notice. Usage and options are the same as for fw ver

vpn debug - debug the VPN-1 daemon

vpn drv - installs the VPN-1 kernel (vpnk) and connects to the Firewall-1
kernel (fwk)

vpn intelrng - displays the status of the Intel RNG (random number
generator). This command is a Windows NT and Windows
2000 only command.


cpwd_admin - is used to show the status of processes, and to configure

cpridstop used to stop cprid

cpridstart - used to start cprid (cprid is independent of cpstart and


etmstart - loads the FloodGate Module and starts the FloodGate-1 daemon
(fgd). Also starts the Management Server, provided it is on the
same machine as the FloodGate Module.

etmstop - kills the FloodGate-1 daemon (fgd) and then unloads the
FloodGate Module. Also stops the Management Server,
Provided it is on the same machine as the FloodGate Module.

fgate load - installs a QoS Policy on the specified FloodGate Modules.
If targets is not specified, the QoS Policy is installed on
the local host.

fgate unload - uninstalls a QoS Policy from the specified FloodGate

fgate fetch - fetches the FloodGate QoS Policy that was last installed on
the local host. You must specify the machine where the
FloodGate QoS Policy is found. Use localhost in case
there is no Management Server or if the Management
Server is down.

fgate stat - displays the status of target hosts in various formats. The
default format displays the following information for each
host: host name, Rule Base (or FloodGate Module) file name,
date and time loaded, and the interface and direction loaded.

fgate ver - displays the FloodGate-1 version number. The version of the
GUI is displayed in the opening screen, and can be viewed
at any time from the Help menu.

fgate kill - sends a signal to a FloodGate-1 daemon


upgrade_fwopsec - upgrades OPSEC configuration information on the
Management Server from pre-NG to NG format, based
on the upgraded Module information. If you have not
changed any of the defaults, then there is no need to
run the upgrade_fwopsec command. However, if you
have changed the defaults, then you should run the
upgrade_fwopsec command.


fwstop-default - kills VPN-1/Firewall-1 processes and loads the Default

fwstop-proc - kills VPN-1/Firewall-1 processes but keeps the current
kernel policy. The Security Policy remains loaded in the
kernel, though user mode processes (cpd, fwd, fwm, vpnd,
fwssd) dont work. Logs, kernel traps, resources, all
security server connections will all stop working. The state
of the kernel remains unchanged. Whatever was loaded in
the kernel is kept. Therefore, rules with generic allow/
reject/drop rules, based only on service will continue

control_bootsec enables or disables Boot Security. The command turns
both the Default Filter and the initial policy off or on,
in the correct sequence.

fwboot bootconf use to change IP Forwarding or Default Filter settings.
This command is located in $FWDIR/boot

comp_init_policy u - removes the current initial policy, and ensures that
it wont be generated in the future when cpconfig
is run

comp_init_policy g - generates the initial policy and ensures that it will
be loaded the next time a policy is fetched (at
fwstart, or at next boot, or via the fw fetch localhost
command). After running this command, cpconfig
will add an initial policy when needed.

defaultfilter.boot - installed by default. It allows:
- all outgoing communications
- incoming communications on ports through which there were previous
outgoing communications
- ICMP packets
- broadcast packets

defaultfilter.drop - drops all communications in and out of the gateway
during the period of vulnerability. If the boot process
requires that the gateway communicate with other
hosts, then the drop default Security Policy should not
be used.

fw defaultgen - use to compile the default filter

Monday, May 23, 2011

Checkpoint : Unwanted Services : Save Memory

FW[admin]# cat $FWDIR/conf/fwauthd.conf
#21 fwssd in.aftpd wait 0
#80 fwssd in.ahttpd wait -2
#513 fwssd in.arlogind wait 0
#25 fwssd in.asmtpd wait 0
#2525 fwssd in.emaild.smtp wait 0
#110 fwssd in.emaild.pop3 wait 0
#23 fwssd in.atelnetd wait 0
#259 fwssd in.aclientd wait 259
10081 fwssd in.lhttpd wait 0
#900 fwssd in.ahclientd wait 900
0 fwssd in.pingd respawn 0
#0 fwssd in.asessiond respawn 0
#0 fwssd in.aufpd respawn 0
0 vpn vpnd respawn 0
#0 fwssd mdq respawn 0
0 stormd stormd respawn 0
0 sds sdsd respawn 0
0 dtps dtpsd respawn 0
0 dtls dtlsd respawn 0

Sunday, May 22, 2011


TCP Dump
How can I show ALL traffic on a specified interface?

tcpdump -i eth0

Will show ALL traffic on interface eth0.

How can I capture a specified number of packets?

tcpdump -c 20 -i eth0

The -c argument specifies the number of packets to capture. For example, this command will capture 20 packets on the specified interface eth0 and quit:

How do I show the MAC address in the capture?

tcpdump -e -i eth0

This filter will display the MAC address as well as the basic information.
How can I look for the Welchia Worm with TCPDUMP?

tcpdump -tnn -i eth0 "icmp[icmptype]==icmp-echo && icmp[8]==0xAA && icmp[9]==0xAA && icmp[10]==0xAA && icmp[11]==0xAA"

Sure can. Try this script. Keep in mind that your sniffer will need to be located where it can see all traffic on your network for this to be useful.

How can I use TCPDUMP to determine the top talker on my network?

tcpdump -tnn -c 20000 -i eth0 | awk -F "." '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort -nr | awk ' $1 > 100 '

Depending on how busy your network is, you might want to lower the `-c 20000' (packet count) to fit your needs. This script will capture 20,000 packets and sort by top talkers

Saturday, May 21, 2011

ASA Firewall Upgrade Procedure - Active/Standby


1. Login to the console for the standby firewall

2. Upload the ASA image and ADSM imgage to flash from tftpserver

copy tftp://x.x.x.x/asa822-k8.bin flash:/

copy tftp://x.x.x.x/asdm-625-53.bin flash:/


copy tftp: disk0:/

3. Change the boot system and asdm image

boot system disk0:/asa822-k8.bin

asdm image disk0:/asdm-625-53.bin

4. save the configs and reboot

wr mem

5. after reload make the standby fw to active

failover active

6. Confirm that all traffic going fine, if yes. Proceed with Upgrading other FW

7. Login to the console for the ASA FIREWALL(which was active before, now sandby)

8. Upload the ASA image and ADSM imgage to flash from tftp server

copy tftp://x.x.x.x/asa822-k8.bin flash:/

copy tftp://x.x.x.x/asdm-625-53.bin flash:/


copy tftp: disk0:/

9. Change the boot system and asdm image

boot system disk0:/asa822-k8.bin

asdm image disk0:/asdm-625-53.bin

10. save the configs and reboot

wr mem

11. after reload make the standby fw to active

failover active

12. Confimr that all working fine

13. Issue wr standby from Active firewall

Test Plan

Confirm all working fine. Try to login with ASDM as well

Backout plan

1. login to firewall

2. conf t

3. boot system disk0:/asa821-k8.bin

4. asdm image disk0:/asdm-621.bin

5. wr mem

6. reload

Wednesday, May 11, 2011

How to See Free Memory ?

Still I am confused with vmstat output, it may be a great help for me if someone could explain me the same...

For the time being I have found an alternative to check the free memory in checkpoint.. Not sure this will work even if checkpoint is not running (i mean cpstop)
Have to test it, cannot test at this point of time as I am playing with production env...:(
cpstat -f memory os

Saturday, May 7, 2011

Checkpoint Backup Methods


It doesn't backup any OS (i.e. SPLAT) settings, it only backups up Check Point settings
It will let you export on one OS and then import on a different OS (i.e. go from Windows to SPLAT)
You can upgrade_import on different hardware (i.e. go from IBM to HP)
You can restore an export from an older version to a newer version of CheckPoint. A SPLAT backup/restore requires that you have the exact same versions. Note that when upgrading from an older to newer version, you must use the newer version's upgrade_export utility to create the export file.
It restores the product list as well. The SPLAT restore command won't restore the Check Point settings if you don't have the exact same products (and product versions) installed.


A SPLAT backup will back up both the SPLAT OS settings as well as the CheckPoint settings
Basically it's an upgrade_export with OS settings added in
Restoring a backup file requires the exact same software installation. I.e. you can't restore a backup from R55 on to R60 (the HFA level must match as well). The installed product list must match as well. Note that you can
still restore the OS settings even if your installed Check Point product list doesn't match.
The SPLAT OS settings are hardware specific. If you restore the system settings you must restore on the same hardware. However, if you only restore the Check Point settings you can restore on different hardware. Restoring just the Check Point settings is essentially the same thing as doing an "upgrade_import" of an exported file.


A snapshot is even better than a backup since it contains binary files. I.e. you can revert from R60 to R55 with a snapshot. The downside to this is that a snapshot file is much larger than an upgrade_export or backup
A snapshot can also roll you forward for minor software changes. For example if I revert from R60 HFA05 to HFA01 I can later revert back to R60 HFA05 from R60 HFA01
A snapshot cannot revert to a newer major release of Check Point. I.e. you can't revert from R55 to R60.
If you're reinstalling SPLAT on the same hardware you don't have to install any HFA's or change any configuration. Simply reverting to your saved snapshot file will restore all configurations and HFAs. The only
stipulation is that the major software version must match. I.e. a R60 snapshot file will only work on a R60 install (regardless of HFA level).
You can only revert on the same hardware, since the snapshot file contains hardware specific SPLAT settings.