Saturday, May 7, 2011

Checkpoint Backup Methods

[upgrade_export]

It doesn't back up any OS (i.e. SPLAT) settings; it only backs up Check Point settings.
It lets you export on one OS and then import on a different OS (e.g. go from Windows to SPLAT).
You can upgrade_import on different hardware (e.g. go from IBM to HP).
You can restore an export from an older version to a newer version of Check Point. A SPLAT backup/restore requires that you have the exact same versions. Note that when upgrading from an older to a newer version, you must use the newer version's upgrade_export utility to create the export file.
It restores the product list as well. The SPLAT restore command won't restore the Check Point settings if you don't have the exact same products (and product versions) installed.

[backup]

A SPLAT backup backs up both the SPLAT OS settings and the Check Point settings.
Basically it's an upgrade_export with OS settings added in.
Restoring a backup file requires the exact same software installation, i.e. you can't restore a backup from R55 on to R60 (the HFA level must match as well). The installed product list must match as well. Note that you can still restore the OS settings even if your installed Check Point product list doesn't match.
The SPLAT OS settings are hardware specific. If you restore the system settings you must restore on the same hardware. However, if you only restore the Check Point settings you can restore on different hardware. Restoring just the Check Point settings is essentially the same thing as doing an "upgrade_import" of an exported file.

[snapshot]

A snapshot goes further than a backup because it also contains the binary files, so you can revert from R60 to R55 with a snapshot. The downside is that a snapshot file is much larger than an upgrade_export or backup file.
A snapshot can also roll you forward across minor software changes. For example, if I revert from R60 HFA05 to HFA01 I can later revert back to R60 HFA05 from R60 HFA01.
A snapshot cannot revert to a newer major release of Check Point, i.e. you can't revert from R55 to R60.
If you're reinstalling SPLAT on the same hardware you don't have to install any HFAs or change any configuration. Simply reverting to your saved snapshot file will restore all configuration and HFAs. The only stipulation is that the major software version must match, i.e. an R60 snapshot file will only work on an R60 install (regardless of HFA level).
You can only revert on the same hardware, since the snapshot file contains hardware-specific SPLAT settings.

Tuesday, April 26, 2011

IPSO : Total Physical Memory

"ipsctl -a | grep physical_memory" will let you know the total physical memory

Tuesday, April 19, 2011

Checkpoint - Critical error messages and logs

These messages may appear in one of the following locations:

* Console

* SmartView Tracker

* messages or dmesg file

If and when encountered, please contact Check Point Support.



"Out of Memory: Killed process ()"


This message appears in the dmesg file and in /var/log/messages files on SecurePlatform.

It means that no more memory is available to Linux in the user space. As a result, Linux starts to kill processes.

"FW-1: Capacity problem detected

Memory consumption has exceeded X%" (Console message)

"Capacity notification: Memory consumption has exceeded X%" (SmartView Tracker message)

These messages indicate that the memory consumption has increased beyond what was defined as the Aggressive Aging threshold (for more details about Aggressive Aging, refer to 'NGX R65 What's New' document, under 'Firewall & SmartDefense', page 2).


"FW-1: Capacity problem detected"

"Connections table capacity has exceeded X%" (Console message)

"Connections table capacity has exceeded X%" (SmartView Tracker message)

These messages indicate that the Connections table capacity has increased beyond what was defined as the Aggressive Aging threshold.

For more details about Aggressive Aging, refer to 'NGX R65 What's New' document, under 'Firewall & SmartDefense', page 2.

"Main database file <(database file name)> is missing - cannot start fwm. If you wish to reset the DB please run 'cpdb new'." (Console message)

The appearance of this error message might indicate a corruption in $FWDIR/conf/objects_5_0.C. As a result, fwm will not start.

"State synchronization is in risk. Please examine your synchronization network to avoid further problems" (in /var/log/messages file)

This message may indicate that the sync network is overloaded. Overloading the sync network can cause traffic loss, unsynchronized kernel tables, and connectivity problems. For more information, refer to sk23695.



"fwlddist_adjust_buf: record too big for sync" (in /var/log/messages file and on the Console)

This message may indicate problems with the sync network. It can cause traffic loss, unsynchronized kernel tables, and connectivity problems. For more information, refer to sk35466.

"Cluster_info: (ClusterXL) member is down" (in SmartView Tracker)

This log message may indicate that ClusterXL failed over. You can check the member's status and the failed device with the commands cphaprob stat, cphaprob list and cphaprob -a if. For more information on these commands, refer to the Check Point NGX ClusterXL User Guide.

If this failover was not initiated on purpose, please contact Check Point Technical Support (as described above).

"Dead loop on virtual device sync, fix it urgently" (in dmesg file)

This message is a SecureXL notification on the outbound connection that may cause the gateway to lose sync traffic. For more information, refer to sk32765.



"FW-1: bpush: push block size error..." (Console message)

For more information, refer to sk32753 , sk59124.


"FW-1: fw_runfilter: illegal kfunc" (Console message)

This message may indicate system instability and should not be ignored.



"FW-1: fw_runfilter: stack overflow" (Console message)


This message may indicate that the number of rules in the firewall has exceeded its limit. If more rules are required, please contact Check Point Technical Support (as described above).

"FW-1: fw_runfilter: stack underflow" (Console message)

This message may indicate memory corruption problems detected by the system. System stability may be impacted.

"FW-1: fw_runfilter: wrong number of arguments..." (Console message)

This message may occur after an unsuccessful upgrade and could precede a system panic.

"FWD Error: Log(s) discarded due to unification process failure" (in SmartView Tracker)

A single "unified" log record is produced by the FireWall-1 kernel driver from a number of "basic" log records. If for some reason the building process (unification process) fails, there is a log discard followed by this error message.

This means that logs are discarded from the system and therefore will be lost.



"Database space check failed. There may not be enough disk space or it may have failed to obtain database capacity information" (in Eventia Reporter's $RTDIR/opt/CPrt-R65/log_consolidator_engine/log/lc_rt.log file).

This message means that the process is not communicating with the mysql process or there might be a problem identifying the disk. The logs will be consolidated once the problem is solved. Please check the disk capacity. Check Point also recommends checking disk sanity (for example, by using the check disk utilities).

"FW-1: panic <(x)>: " (Console message)

<(x)> represents the level of panic induced; the text after the colon is the message associated in the code with this panic.

This error message indicates that fw_panic was called.

"FW-1: fw_kfree: memory already freed at 0x. caller is sz=" (Console message)

The hex value after "0x" is the pointer being freed; "caller" names the function where the error happened.
This error message indicates that memory which has already been released is being released again (a double free).

This is forbidden and might lead to a potential panic event.

"FW-1: fw_kfree: wrong magic number at tail end of 0x (0x) caller is sz=" (Console message)

"FW-1: fw_kfree: wrong magic number at 0x. caller is sz=" (Console message)

The hex value after "0x" is the pointer being freed; "caller" names the function where the error happened.
These error messages might indicate an error in the way memory was handled (a corrupted guard value at the tail of a block typically means something wrote past the end of the allocation), which might lead to a potential panic event.



"FW-1: hmem_init: unable to allocate the minimum <(x)>" (Console message)

<(x)> represents the minimum memory size that is needed.

This error message indicates that the firewall's memory management module could not be loaded.



"FW-1: b_create: fw_kmalloc(x) failed" (Console message)

(x) represents the pointer.

This message may indicate a critical error in allocating memory for a (binary) table. System stability may be impacted.

"ex_init_timer: Failed to initialize timer" (Console message)

This message might indicate an error in the timer mechanism initialization. This may impact system infrastructure and cause inconsistent behaviour.

"fwconn_get_bits: invalid bit category: (x)" (Console message)

This error may indicate a critical error in reading the connections table. It may have a serious impact on connectivity.

"fwconn_set_bits: failed to get bit value for bit category (x)" (Console message)

This error may indicate a critical error in writing to the connections table. It may have a serious impact on connectivity.

"fwconn_chain_fill_bits: invalid bit category: (x)" (Console message)

This error might indicate a memory corruption.



"FW-1: : data connection "FWCONN6_FMT" already exists in connections table" (Console message)

This error might indicate synchronization problems between clusters.



"FW-1: : failed to get info from %s table" (Console message)

This error might indicate memory management problems.

"FW-1: : fwconn_chain_lookup failed" (Console message)

This error might indicate an inconsistency within the connection table. This may lead to connectivity problems.

"FW-1: illegal access to connections table" (Console message)

This error might indicate connectivity problems.



"FW-1: : Cannot change aggressive timeout without setting the timeout (timeout=, aggr_timeout=)" (Console message)

This error might indicate a program error that might cause Aggressive Aging not to work properly.

"Failed to build the objects schema while initializing database manager with error 0x% ('')" (Console message)

The hex value represents an internal pointer value.

This message can indicate that there is a problem with the schema file that could prevent the fwm process from starting.

If fwm is not running, GUI clients cannot connect to the management server and policy cannot be installed.

"fwhandle_get(vpn_tag.c:1275): Table kbufs - Invalid handle f5139a5c (bad pool)" (Console message)

This error message might indicate an error in the way memory was handled. It may cause RemoteAccess Connectivity issues.

"Policy install commit function was unsuccessful due to timeout" (Console message)

This error message appears during security policy installation. It indicates that policy installation on the gateway takes too much time. There is no way to know whether policy was successfully installed or not.

"Failed to get password for connection RT_Database, reason: Could not find path to database socket" (Console message)

This error means that the location of the mysql.sock file is missing. It prevents Eventia Reporter from connecting to its database. To fix it:

1. Open the file $RTDIR/Database/conf/my.cnf and note the directory that "datadir" refers to.

2. Run rmdstop (make sure that the database processes are down).

3. Run cd $RTDIR/Database/ .

4. Start the database with the socket path given explicitly (substitute the datadir from step 1):

bin/mysqld_safe --basedir="$RTDIR/Database" \
    --ledir="$RTDIR/Database/bin" \
    --datadir="<datadir from my.cnf>" \
    --socket="$RTDIR/Database/mysql.sock" --user=root --log-error=$RTDIR/Database/err.log &

If mysql does not start, check $RTDIR/Database/err.log for errors.

Note that mysqld_safe and my_print_defaults are not part of the installation and have to be obtained separately.
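The list above is only useful if somebody actually looks for those strings. The script below is an added example, not part of the original post: it scans a SecurePlatform /var/log/messages (or dmesg) file for the literal message prefixes listed above and reports how often each occurs. The CRITICAL/WARNING labels are this script's own assumption about which messages need immediate escalation to Check Point Support; the sample log lines are constructed for the dry run and are not a real capture.

```shell
#!/bin/bash
# Added example, not part of the original post: scan a SecurePlatform
# /var/log/messages or dmesg file for the critical FW-1 strings listed above.
# The match strings are the literal message prefixes from the list; the
# CRITICAL/WARNING labels are this script's own assumption about which of
# them need immediate escalation to Check Point Support.

cp_scan_messages() {
    # $1 = path to a messages/dmesg-style log file.
    # Prints "<severity> <count> <message prefix>" for every prefix that occurs.
    # Returns 0 if the log is clean, 1 if any listed message was found, 2 on error.
    local log="$1" found=0 n
    [ -r "$log" ] || { echo "cannot read $log" >&2; return 2; }

    # One "prefix|severity" record per line, matched as fixed strings (grep -F)
    # so the colons, parentheses and dashes in the messages need no escaping.
    while IFS='|' read -r prefix severity; do
        [ -n "$prefix" ] || continue
        n=$(grep -c -F -- "$prefix" "$log" || true)   # grep -c exits 1 on zero hits
        if [ "$n" -gt 0 ]; then
            printf '%-8s %4d  %s\n' "$severity" "$n" "$prefix"
            found=1
        fi
    done <<'EOF'
Out of Memory: Killed process|CRITICAL
FW-1: Capacity problem detected|WARNING
State synchronization is in risk|WARNING
fwlddist_adjust_buf: record too big for sync|WARNING
Dead loop on virtual device sync|CRITICAL
FW-1: fw_runfilter: illegal kfunc|CRITICAL
FW-1: fw_runfilter: stack overflow|CRITICAL
FW-1: fw_runfilter: stack underflow|CRITICAL
FW-1: fw_runfilter: wrong number of arguments|CRITICAL
FW-1: panic|CRITICAL
FW-1: fw_kfree: memory already freed|CRITICAL
FW-1: fw_kfree: wrong magic number|CRITICAL
FW-1: hmem_init: unable to allocate the minimum|CRITICAL
FW-1: b_create: fw_kmalloc|CRITICAL
fwconn_get_bits: invalid bit category|CRITICAL
fwconn_set_bits: failed to get bit value|CRITICAL
fwconn_chain_fill_bits: invalid bit category|CRITICAL
FW-1: illegal access to connections table|CRITICAL
Policy install commit function was unsuccessful due to timeout|WARNING
EOF
    return "$found"
}

cp_sample_log() {
    # Constructed sample lines in /var/log/messages format (not a real capture),
    # so the scanner can be tried without access to a gateway.
    cat <<'EOF'
May  7 10:01:02 fw1 kernel: FW-1: Capacity problem detected
May  7 10:01:02 fw1 kernel: Memory consumption has exceeded 80%
May  7 10:03:14 fw1 kernel: Out of Memory: Killed process 12345 (fwd).
May  7 10:05:00 fw1 kernel: State synchronization is in risk. Please examine your synchronization network to avoid further problems
May  7 10:06:00 fw1 sshd[4321]: Accepted password for admin from 10.0.0.5
May  7 10:07:00 fw1 kernel: FW-1: fw_runfilter: stack overflow
EOF
}

# Usage: ./cp_scan_messages.sh /var/log/messages   (or --demo to run on the sample)
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    cp_sample_log > "$tmp"
    cp_scan_messages "$tmp"
    rc=$?
    rm -f "$tmp"
    exit "$rc"
elif [ -n "${1:-}" ]; then
    cp_scan_messages "$1"
fi
```

The exit status is deliberately grep-like inverted (0 means clean), so the function can sit directly in a cron job or monitoring check; a hit on the sample log prints four lines and returns 1. Fixed-string matching is used on purpose: several of the messages contain regex metacharacters, and a prefix match also tolerates the variable tail (PID, percentage, pointer) that the real messages carry.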

Wednesday, March 9, 2011

List of Check Point Ports

PORT   TYPE      SERVICE                    DESCRIPTION

21     TCP       ftp                        File Transfer Protocol (control)
22     Both      ssh                        SSH remote login
25     Both      SMTP                       Simple Mail Transfer Protocol
50     IP proto  esp                        IPSEC Encapsulating Security Payload
51     IP proto  ah                         IPSEC Authentication Header
53     Both      domain                     Domain Name Server
69     Both      TFTP                       Trivial File Transfer Protocol
94     TCP       fwz_encapsulation          FWZ encapsulation (FW1_Encapsulation)
137    Both      netbios-ns                 NETBIOS Name Service
138    Both      netbios-dgm                NETBIOS Datagram
139    Both      netbios-ssn                NETBIOS Session
256    TCP       FW1 (fwd)                  Policy install port (FWD_SVC_PORT)
257    TCP       FW1_log                    Log transfer (FWD_LOG_PORT)
258    TCP       FW1_mgmt                   Management (FWM_SVC_PORT)
259    TCP       FW1_clntauth_telnet        Client Authentication (Telnet)
259    UDP       RDP                        Reliable Datagram Protocol (Check Point's own, not Microsoft RDP)
260    TCP       sync                       State synchronization (old sync mode)
260    UDP       FW1_snmp                   FWD_SNMP_PORT
261    TCP       FW1_snauth                 Session Authentication Daemon
262    TCP       MDQ                        Mail dequeuer
263    TCP       dbs
264    TCP       FW1_topo                   SecureClient topology requests
265    TCP       FW1_key                    VPN-1 public key transfer protocol
389    Both      LDAP                       SecureClient connecting to LDAP without SSL
443    TCP       SNX                        SSL Network Extender (SNX) VPN can use 443 too
444    TCP       SNX                        SNX VPN tunnel (Connectra only)
500    UDP       IKE                        IKE (formerly ISAKMP/Oakley); ISAKMPD_SPORT and ISAKMPD_DPORT
500    TCP       IKE over TCP
514    UDP       syslog                     Syslog
636    Both      LDAP                       SecureClient connecting to LDAP with SSL
900    TCP       FW1_clntauth_http          Client Authentication Daemon (HTTP)
981    TCP       Management                 HTTPS management on the Edge
1247
1494   TCP       Winframe                   Citrix
1645   UDP       Radius                     RADIUS (legacy port; RADIUS is UDP)
1719   UDP       VOIP                       H.323 RAS
1720   TCP       VOIP                       H.323 call signalling
2040   TCP       MIP                        Meta IP admin server
2746   UDP       VPN1_IPSEC_encapsulation   UDP encapsulation for SecuRemote
2746   TCP       CPUDPENCap
4000             Policy Server              Policy Server port (Redmond)
4433   TCP       Connectra Admin            Connectra admin HTTPS
4500   UDP       NAT-T                      NAT Traversal
4532   TCP       SNDAEMON_PORT              sn_auth_trap: sn_auth daemon security-server communication
5001   TCP       Meta IP                    Web connection (MIP)
5002   TCP       Meta IP                    DHCP failover
5004   TCP       Meta IP                    UAM
5005   TCP       Meta IP                    SMC
6969   UDP       KP_PORT                    KeyProt
8116   UDP       CPHAP                      Check Point HA, SyncMode=CPHAP (new sync mode); connection table synchronization between cluster members
8989   TCP       CPIS Messaging             MSG_DEFAULT_PORT
8998   TCP       MDS_SERVER_PORT
9000             Command line               Command line port for SecureClient
10001  TCP       CPRSM                      Default CPRSM listener port for communication with the RealSecure Console
18181  TCP       FW1_cvp                    OPSEC Content Vectoring Protocol
18182  TCP       FW1_ufp                    OPSEC URL Filtering Protocol
18183  TCP       FW1_sam                    OPSEC Suspicious Activity Monitoring (SAM API)
18184  TCP       FW1_lea                    OPSEC Log Export API
18185  TCP       FW1_omi                    OPSEC Objects Management Interface
18186  TCP       FW1_omi-sic                OPSEC Objects Management Interface with Secure Internal Communication
18187  TCP       FW1_ela                    OPSEC Event Logging API
18190  TCP       CPMI                       Check Point Management Interface
18191  TCP       CPD                        Check Point Daemon Protocol (NG)
18192  TCP       CPD_amon                   Check Point Internal Application Monitoring (NG)
18193  TCP       FW1_amon                   OPSEC Application Monitoring (NG)
18201  TCP       FGD_SVC_PORT
18202  TCP       CP_rtm                     Check Point Real Time Monitoring
18203  TCP       FGD_RTMP_PORT
18204  TCP       CE communication
18205  TCP       CP_reporting               Check Point Reporting Client Protocol
18207  TCP       FW1_pslogon                Policy Server Logon Protocol
18208  TCP       FW1_CPRID                  Check Point Remote Installation Protocol (SmartUpdate)
18209  TCP       FWM CA                     Establishing SIC communication
18210  TCP       FW1_ica_pull               Internal CA Pull Certificate Service
18211  TCP       FW1_ica_push               Internal CA Push Certificate Service
18212  UDP       ConnectControl             Load Agent port
18213  TCP       cpinp                      inp (admin server)
18214  TCP       cpsmc                      SMC
18214  UDP       cpsmc                      SMC connectionless
18221  TCP       CP_redundant               Check Point Redundant Management Protocol (NG)
18231  TCP       FW1_pslogon_NG             NG Policy Server Logon Protocol (dtps.exe listens on this port by default)
18232  TCP       FW1_sds_logon              SecuRemote Distribution Server Protocol
18233  UDP       FW1_scv_keep_alive         SecureClient Verification Keepalive Protocol
18241  UDP       e2ecp
18262  TCP       CP_Exnet_PK                Public Key Resolution
18263  TCP       CP_Exnet_resolve           Extranet remote objects resolution
18264  TCP       FW1_ica_services           Internal CA Fetch CRL and User Registration Services
19190  TCP       FW1_netso                  OPSEC User Authority Simple Protocol
19191  TCP       FW1_uaa                    OPSEC User Authority API
65524            FW1_sds_logon_NG           SecureClient Distribution Server Protocol (VC and higher)

Check Point General Common Ports

PORT   TYPE  SERVICE / DESCRIPTION

257    tcp   FireWall-1 log transfer
18208  tcp   CPRID (SmartUpdate)
18190  tcp   SmartDashboard to SmartCenter Server (SCS)
18191  tcp   SCS to FW-1 gateway for policy install
18192  tcp   SCS monitoring of firewalls (SmartView Status)

Check Point SIC Ports
=====================

PORT   TYPE  SERVICE

18209  tcp   NGX gateways <> ICA (status, issue, or revoke)
18210  tcp   Pulls certificates from an ICA
18211  tcp   Used by the cpd daemon (on the gateway) to receive certificates

Check Point Authentication Ports
================================

PORT   TYPE  SERVICE

259    tcp   Client Authentication (Telnet)
900    tcp   Client Authentication (HTTP)

Wednesday, March 2, 2011

NIC status in Linux

#!/bin/bash
# Print link state, speed and duplex for every ethN interface.
# Needs ethtool and normally root (ethtool opens the device ioctl).

# Interface-name pattern; 'eth[0-9]+' also catches eth10 and above.
NIC_PATTERN='^eth[0-9]+[: ]'
NICLIST=$(ifconfig | egrep "$NIC_PATTERN" | awk '{ print $1 }' | tr -d ':')

for nic in $NICLIST
do
    # ethtool prints lines like "Speed: 1000Mb/s", "Duplex: Full",
    # "Link detected: yes"; collect the three fields into an array.
    niclink=( $(ethtool "$nic" 2>/dev/null | awk '/Duplex/ { duplex=$2 }; /Link detected/ { link=$3 }; /Speed/ { speed=$2 } END { print link " " speed " " duplex }') )

    # Speed and duplex are only meaningful when the link is up; ethtool
    # prints "Unknown!" for them otherwise, so show a dash instead.
    speed="-"
    duplex="-"
    if [ "${niclink[0]}" = "yes" ]; then
        speed="${niclink[1]}"
        duplex="${niclink[2]}"
    fi

    # Every argument is quoted so an empty field cannot shift the columns.
    printf "%7s %4s %9s %5s\n" "$nic" "${niclink[0]:-?}" "$speed" "$duplex"
done


Note: on Power-1 and UTM-1 appliances the NIC names differ (they are not eth*), so NIC_PATTERN has to be adjusted.

IPSO - rc.local and rc.flash

Is there a location on the IPSO file system where site-specific commands may be executed at bootup?

On disk-based platforms, /etc/rc.local is a Bourne shell script that is executed at startup. Any commands you wish to run on boot should be put in this file. You may need to add a sleep command to the beginning of this script, as interfaces and other devices may not be up at the time this file is executed.

On flash-based (or hybrid) systems, /etc/rc.flash is similar to /etc/rc.local except for two critical differences:


You cannot put Check Point specific commands in rc.flash, as the Check Point packages won't even be unpacked when rc.flash is run.

rc.flash is part of the Operating System image, whereas rc.local is not. This means that rc.flash will need to be backed up before an IPSO upgrade and restored after the upgrade is complete, whereas rc.local is independent from the OS image.



To modify /etc/rc.flash:



ipso[admin]# mount -uw /

ipso[admin]# vi /etc/rc.flash

ipso[admin]# mount -ur /

The system will execute /etc/rc.local as a bourne shell script, if it exists. Edit the /etc/rc.local and put your commands in this file. Essentially, any command you can execute when logged into a Nokia IP Security Platform can be placed in this file. You may need to add a sleep command to the beginning of this script as interfaces and other devices may not be up at the time this file is executed.

Note that /etc/rc.local is independent of the OS image that is running and will not be touched on a system upgrade.

Monitor Memory - Linux

One of the best ways to monitor memory on a Linux-based system is to run 'cat /proc/meminfo'.

Sum the counters 'MemFree' + 'Buffers' + 'Cached' and compare the result with 'MemTotal'; the difference is the memory actually in use. Looking at 'MemFree' alone overstates usage, because buffers and page cache are reclaimed as soon as something else needs the memory.

Note that memory on a Linux-based system is very dynamic; it is allocated and freed all the time.
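The calculation above, as an added example that is not part of the original post: a shell function that reads a file in /proc/meminfo format and prints used kB, total kB and the percentage, plus a threshold check that fits into cron or a monitoring script. The sample meminfo is constructed (not a real capture) to show the difference between the naive 'MemFree' view and the buffers/cache-aware figure.

```shell
#!/bin/bash
# Added example, not part of the original post: work out the memory actually
# in use the way the note above describes,
#     used = MemTotal - (MemFree + Buffers + Cached)
# from a file in /proc/meminfo format (values in kB).

cp_mem_used() {
    # $1 = /proc/meminfo or a saved copy of it (default: the live file).
    # Prints "<used_kB> <total_kB> <used_percent>"; returns 2 if MemTotal is missing.
    local file="${1:-/proc/meminfo}"
    awk '
        /^MemTotal:/ { total = $2 }
        /^MemFree:/  { free  = $2 }
        /^Buffers:/  { buf   = $2 }
        /^Cached:/   { cache = $2 }      # anchored, so SwapCached is not picked up
        END {
            if (total == 0) { print "MemTotal not found" > "/dev/stderr"; exit 2 }
            used = total - (free + buf + cache)
            printf "%d %d %d\n", used, total, (used * 100) / total
        }' "$file"
}

cp_mem_check() {
    # $1 = meminfo file, $2 = alert threshold in percent (default 80).
    # Returns 0 below the threshold, 1 at or above it, 2 if the file is unusable.
    local pct
    pct=$(cp_mem_used "$1" | awk '{ print $3 }')
    [ -n "$pct" ] || return 2
    [ "$pct" -lt "${2:-80}" ]
}

cp_sample_meminfo() {
    # Constructed sample in /proc/meminfo format (not a real capture): a 2 GB box
    # with 40% of RAM in buffers/cache. MemFree alone would suggest 90% used;
    # the buffers/cache-aware figure is 50%.
    cat <<'EOF'
MemTotal:        2048000 kB
MemFree:          204800 kB
Buffers:          102400 kB
Cached:           716800 kB
SwapCached:            0 kB
Active:          1200000 kB
SwapTotal:       1048576 kB
SwapFree:        1048576 kB
EOF
}

# Usage: ./cp_mem.sh [meminfo-file] [threshold%]   or   --demo to run on the sample
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    cp_sample_meminfo > "$tmp"
    cp_mem_used "$tmp"
    if cp_mem_check "$tmp" 80; then echo "below 80% threshold"; else echo "at or above threshold"; fi
    rm -f "$tmp"
elif [ -n "${1:-}" ]; then
    cp_mem_used "$1"
    cp_mem_check "$1" "${2:-80}"
fi
```

On the sample the function prints "1024000 2048000 50". One caveat: kernels from 3.14 onwards export a 'MemAvailable' line that also accounts for reclaimable slab and is the better number on a modern box; the sum above is what you have on the older kernels SecurePlatform shipped with.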