Check Point Software
Check Point Firewall-1
Useful Firewall-1 command line utilities:
Unload current security policy
fw unloadlocal
VPN Tunnel command line access (e.g. delete SAs)
vpn tu
Display overlapping VPN Encryption Domains
vpn overlap_encdom [communities|traditional]
List current Firewall interfaces
Show HA / ClusterXL state
cpstat ha
cphaprob state
Display State of Checkpoint HA Interfaces
cphaprob -a if
Stop/Start Checkpoint HA/ClusterXL
cphastop / cphastart
Manually failover
cphaprob -d STOP -s problem -t 0 register
cphaprob list
cphaprob -d STOP unregister
Display State of ClusterXL IGMP
cphaprob stat (reports whether IGMP membership is supported)
cphaprob igmp (displays the current IGMP membership settings)
SmartCenter
Backup and Restore SmartCenter
upgrade_export
$FWDIR/bin/upgrade_tools/upgrade_import
Check whether licensed for management high availability (Management HA)
cplic check mgmtha
SecurePlatform
SecurePlatform configuration commands:
Configure interfaces, routes, etc.
sysconfig
Add static routes
config route add dest 192.168.1.0/24 via 192.168.0.1 dev eth0 metric 0 s-persistant on apply on
Configure Network Interfaces
config conn help
config conn set name eth1 type eth onboot on iff-up on local 192.168.1.2/24 broadcast 192.168.1.255 s-persistant on s-code up mtu 1500
Configure Bonded Network Interfaces (NIC Team, 2 physical, 1 logical interface)
config conn add name bond0 type bond onboot on iff-up on mtu 1500 bond-mode active-backup bond-miimon 100 bond-downdelay 200 bond-updelay 200 bond-primary eth1 local 192.168.1.2/24
config conn add name eth1 type eth onboot on iff-up on mtu 1500 master-bond bond0
config conn add name eth4 type eth onboot on iff-up on mtu 1500 master-bond bond0
Useful SecurePlatform command line utilities:
Enter OS commands
expert
Assign interfaces to correct physical NICs
(Edit /etc/sysconfig/ethtab)
[Expert@FIREWALL]# cat ethtab
eth0 00:21:5A:27:DC:E6
eth1 00:21:5A:27:DC:E4
eth2 00:1F:29:5C:82:F5
Set Kernel parameters
(Edit $FWDIR/boot/modules/fwkern.conf)
fwha_mac_magic=0x11
fwha_mac_forward_magic=0x10
fwha_monitor_if_link_state=1
fwha_enable_igmp_snooping=1
fwha_igmp_version=2
Flag disconnected NICs
echo eth6 >> $FWDIR/conf/discntd.if
Show status of Bonded Network Interfaces
cphaconf show_bond -a
Display Versions
SPLAT: ver
Firewall: fw ver
Performance Pack: sim ver -k
Linux: uname -a
Change shell to permit WinSCP connection
usermod -s /bin/bash fwadmin
Change shell timeout (cpshell)
idle mm where mm = timeout in minutes (permanent change, updates /etc/cpshell/cpshell.state and is passed on to expert shell)
Change shell timeout (bash)
TMOUT=ss where ss = timeout in seconds (no spaces around "=", otherwise bash treats TMOUT as a command)
export TMOUT
Display the number of CPUs presented to SecurePlatform OS
grep 'physical id' /proc/cpuinfo | wc -l
Display the CoreXL CPU Affinity
fw ctl affinity -l
Advanced Routing (gated) Commands
ps -eaf | grep gated
cpwd_admin list
Check Point Troubleshooting & Debugging Tools:
http://www.checkpoint.com/services/enterprise/docs/Troubleshooting_and_Debugging.pdf