Checkpoint firewall common commands part 2
For basic firewall information gathering:
fgate stat - Status and statistics of Flood-Gate-1.
fwaccel <stat|stats|conns> - View status, statistics or connection table of SecureXL.
fw getifs - Show list of configured interfaces with IP and netmask.
cpstat <app_flag> [-f flavour] - View OS, HW and CP application status. Issue cpstat without any options to see all possible application flags <app_flag> and corresponding flavours. Examples:
cpstat fw -f policy - Verbose policy info.
cpstat os -f cpu - CPU utilization statistics.
cpinfo -y all - List all installed patches and hotfixes.
cpd_sched_config print - Show tasks scheduled with the CPD scheduler.
enabled_blades - View enabled software blades.
avsu_client [-app <app>] get_version - Get signature version and status of content security <app>. Without the -app option “Anti Virus” is used.
show configuration - Show running system configuration.
show commands - Show all commands you are allowed to run.
show asset all - Display general hardware information.
show sysenv all - Display system component status (fans, power supply…).
asset - View hw info on IP Series Appliances running GAiA.
show asset hardware - View hw info like serial numbers in Nokia clish.
ipsctl -a - View hw info. Also see cat /var/etc/.nvram output.
For viewing and managing licenses:
cp_conf lic get - View licenses.
cplic print - Display more detailed license information.
fw lichosts - List protected hosts with limited hosts licenses.
dtps lic - SecureClient Policy Server license summary.
cplic del <sig> <obj> - Detach license with signature sig from object obj.
cplic db_rm <sig> - Remove license <sig> from repository after detaching.
cplic get <ip host|-all> - Retrieve all licenses from a certain gateway or all gateways to synchronize the SmartCenter license repository with the gw(s).
cplic put <-l file> - Install local license from file to a local machine.
cplic put <obj> <-l file> - Attach one or more central or local licenses from file remotely to obj.
cprlic - Remote license management tool.
contract_util mgmt - Get contracts from Management Server.
For viewing and managing log files:
fw lslogs - View a list of available fw log files and their size.
fwm logexport - Export/display current fw.log to stdout.
fw repairlog <logfile> - Rebuild pointer files for <logfile>.
fw logswitch [-audit] - Copy current (audit) logfile to YY-MM-DD-HHMMSS.log and start a new fw.log.
fw log -c <action> - Show only records with action <action>, e.g. accept, drop, reject etc. Starts from the top of the log; use -t to start a tail at the end.
fw log -f -t - Tail the current log file from the end of the log. Without the -t switch it starts from the beginning.
fw log -b <starttime> <endtime> - View today’s log entries between <starttime> and <endtime>.
fw fetchlogs -f <file> - Fetch a logfile from a remote CP module. NOTE: The log file will be deleted from the remote module. Does not work with current fw.log.
fwm logexport -i <file> -o out.csv -d ',' -p -n - Export logfile <file> to file out.csv, use , (comma) as delimiter (CSV) and do not resolve services or hostnames (-n).
log list - Show index of available system and error log files.
log show <nr> - View log file number <nr> from the log list index.
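One way to post-process the CSV written by the fwm logexport command above, ranking source addresses by dropped or rejected connections. This is an added example, not part of the original cheat sheet or of any Check Point tool; it assumes the export starts with a header line naming the columns, including `action` and `src`, and the sample rows are constructed.

```sh
#!/bin/sh
# Added example: rank sources by blocked connections in a CSV written by
#   fwm logexport -i <file> -o out.csv -d ',' -p -n
# Assumptions: the first line is a header that names the columns, among
# them "action" and "src", and no field contains an embedded comma.

top_blocked_sources() {
    # $1 = CSV file ("-" reads stdin), $2 = number of sources to list
    awk -F',' '
        NR == 1 {
            # Locate columns by name so field order does not matter.
            for (i = 1; i <= NF; i++) {
                name = tolower($i)
                gsub(/^ +| +$/, "", name)
                col[name] = i
            }
            if (!("action" in col) || !("src" in col)) {
                print "header lacks action/src column" > "/dev/stderr"
                bad = 1
                exit 2
            }
            next
        }
        {
            act = tolower($(col["action"]))
            if (act == "drop" || act == "reject")
                blocked[$(col["src"])]++
        }
        END {
            if (!bad)
                for (s in blocked) print blocked[s], s
        }
    ' "$1" | sort -k1,1nr -k2,2 | head -n "${2:-10}"
}

# Constructed sample export (not real log data).
sample_export() {
    cat <<'EOF'
num,date,time,orig,action,i/f_name,src,dst,proto,service
0,4Mar2024,10:00:01,gw1,accept,eth0,192.0.2.10,198.51.100.5,tcp,443
1,4Mar2024,10:00:02,gw1,drop,eth0,192.0.2.66,198.51.100.5,tcp,23
2,4Mar2024,10:00:03,gw1,drop,eth0,192.0.2.66,198.51.100.9,tcp,445
3,4Mar2024,10:00:04,gw1,reject,eth1,192.0.2.66,198.51.100.9,tcp,3389
4,4Mar2024,10:00:05,gw1,drop,eth0,192.0.2.77,198.51.100.5,udp,161
5,4Mar2024,10:00:06,gw1,accept,eth0,192.0.2.10,198.51.100.5,tcp,80
EOF
}

sample_export | top_blocked_sources - 5
```

On a real export, pass the file name instead of `-`, for example `top_blocked_sources out.csv 20`.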
For basic troubleshooting on the firewall:
cpview - View OS and software blade statistics. See sk101878.
cpinfo - Collect diagnostic data for CP support cases. See sk92739.
sar - System monitoring tool (GAiA) generating monitoring data every 10 minutes, keeping the data for 7 days. E.g.:
sar -n EDEV - Interface errors from today.
sar -u -f /var/log/sa/sa04 - CPU stats from the 4th.
cpsizeme - For 24h, monitor gw resource utilization every minute and generate a CSV report to use for sizing considerations or troubleshooting.
ethtool -S - View interface statistics and counters.
emergendisk - Create a bootable system on a USB device for system or password recovery and secure HDD wiping.
cpinfo -z -o <file> - Create a compressed cpinfo file to open with the InfoView utility or to send to Check Point support.
cst, ecst - Configuration Summary Tool and its enhanced version. Packs IPSO config, logs, core dumps etc. into a single file.
fw ctl zdebug drop - Real-time listing of dropped packets.
cpwd_admin list - Display PID, status and starting time of CP WatchDog monitored processes.
cpca_client lscert - Display all ICA certificates.
fw tab -t <tbl> [-s] - View kernel table contents. Make output short with the -s switch. List all available tables with fw tab -s. Example: fw tab -t connections -s - View connection table.
fw ctl multik stat - Show connection statistics for each kernel instance.
fw ctl pstat - Display internal statistics including information about memory, inspect, connections, synchronization and NAT.
fw ctl chain - Display in and out chain of CP modules. Useful for placing fw monitor into the chain with the -p option.
cp_conf sic state, cp_conf sic init <key> - Display SIC trust status or (re)initialize SIC.
fwm sic_reset - Reset Internal Certificate Authority (ICA) and delete certs. Reinitialize ICA with cpconfig or cp_conf ca init.
cpca_client - Manage parts of the ICA. View, create and revoke certificates, start and stop the ICA Web Tool. Examples: cpca_client lscert -stat Valid, cpca_client search <searchstring>
fwaccel <off|on> - Disable/enable SecureXL.
cpmonitor - Statistics and analysis of snoop/tcpdump/fw monitor traffic.
For firewall packet capture examples:
Display all packets from 192.168.1.12 to 192.168.3.3
fw monitor -e 'accept src=192.168.1.12 and dst=192.168.3.3;'
UDP port 53 (DNS) packets, pre-in position is before 'ipopt_strip'
fw monitor -pi ipopt_strip -e 'accept udpport(53);'
UDP traffic from or to unprivileged ports, only show post-out
fw monitor -m O -e 'accept udp and (sport>1023 or dport>1023);'
Display Windows traceroute (ICMP, TTL<30) from and to 192.168.1.12
fw monitor -e 'accept host(192.168.1.12) and tracert;'
Capture web traffic for VSX virtual system ID 23
fw monitor -v 23 -e 'accept tcpport(80);'