From Firewall Guru
CHECK POINT GAIA OS
This page does not cover SPLAT or IPSO.
Check Point Phone: 972-444-6600
Crossbeam: 800-331-1338
Useful Links
Knowledge Base (https://supportcenter.checkpoint.com/supportcenter/index.jsp) - User Center (https://usercenter.checkpoint.com) - Swag (https://www.stickermule.com/marketplace/search?utf8=%E2%9C%93&q=check+point&commit=Search)
R80 API Reference (https://sc1.checkpoint.com/documents/R80/APIs/#gui-cli/login)
Check Point's GitHub page (https://github.com/CheckPoint-APIs-Team)
ISOmorphic (https://mega.nz/#!k7gTTAbZ!Edo0WPFQD5lxEWTbGZzbeZQRe9E3JKK0mtU6zAGyyvk)
Check Point URL Categorization (https://www.checkpoint.com/urlcat/main.htm)
Valeri Loukine's Blog (https://checkpoint-master-architect.blogspot.ch/) --- Intro to R80 by Valeri (https://www.youtube.com/watch?v=Q2ybvvFnQCU)
CPUG.ORG (https://www.cpug.org/forums/)
Cloud
vSec in Azure (https://docs.microsoft.com/en-us/azure/security-center/security-center-add-next-generation-firewall)
vSec in AWS (https://www.checkpoint.com/products/vsec-amazon-web-services/) - Spec Sheet (https://www.checkpoint.com/downloads/product-related/solution-brief/sb-vsec-aws.pdf) - Buy (https://aws.amazon.com/marketplace/pp/B01CEYZ5S6?qid=1470228915881&sr=0-1&ref_=srh_res_product_title#product-details)
Video about Check Point in AWS (1hr) (https://www.youtube.com/watch?v=5xC0RysxQxk&feature=youtu.be)
Video about Check Point in Azure (30min) (https://www.youtube.com/watch?v=IFwrcH6Jva8)
Contents
1 clish / shells
2 Health and Status
2.1 Clock
2.2 Version info
2.3 CPU stats
2.4 Free Memory
2.5 View Sessions / Connections
2.6 Verify TCP/IP Configuration
2.7 Show Routing Table
2.8 Show route for destination
2.9 Add Route from clish
2.10 Traceroute
2.11 Ping
2.12 ARP Cache
2.13 List Cluster Status
2.14 HA start / stop
2.15 Checking for Failovers in Logs
2.16 View DHCP Leases
2.17 File or database corruption
3 Partitions Full
3.1 Find the largest files and sort them
3.2 View Partitions disk usage
3.3 View Disk Usage by Gigs
3.4 All the files that are Gigs in size
3.5 Delete the oldest logs
4 Interfaces
4.1 Show Interfaces available
4.2 Check Interface Speed / Duplex
4.3 View Interface Errors / Dropped
4.4 Check Interfaces
4.5 Check NIC for Flapping
4.6 Sync Status
4.7 Show status in list form
4.8 Stop Clustering on a specific node
4.9 SIC protocol
4.10 Configuration Utility
4.11 Print the License
4.12 Show VPN Policy Server Status
4.13 Show status of Firewall
4.14 List Check Point Processes
5 OSPF
5.1 Show OSPF
5.2 show interfaces
5.3 show ospf neighbors
5.4 OSPF Events
5.5 Show OSPF errors
5.6 Stop Dynamic Routing Daemon
5.7 Start Dynamic Routing Daemon
6 BGP commands
7 Syslog commands
8 Start/Stop/Restart
8.1 Restart All Services
8.2 Start Firewall Services
8.3 Stop the Firewall
8.4 Stop Firewall services but keeps policy active
8.5 Routing Table
8.6 Block IPS via SmartTracker
8.7 Show Connection Stats
8.8 Show connections with IP instead of HEX
8.9 Show fwx_alloc with IP instead of HEX
8.10 Show VPN Stats
8.11 Check License Details
8.12 Show current value of global kernel parameter
8.13 Set value of global kernel parameter. Only temp; cleared after reboot
8.14 Show ARP table (static)
8.15 Install hosts internal interfaces
8.16 Control IP Forwarding
8.17 System Resource Stats
8.18 Uninstall hosts internal interfaces
8.19 Export current log file to ascii file
8.20 Fetch security policy and install
8.21 Installs on gateway the last installed policy
8.22 Show Cluster stats
8.23 Display protected hosts
9 LOGS
9.1 Logs don't exist?
9.2 Tail current log file
9.3 Retrieve logs between times
9.4 Rotate Current log file
9.5 Display remote machine log-file list
9.6 FW Monitor
10 Packet Captures
10.1 tcpDump
10.2 Print current Firewall modules
10.3 Print current license details
10.4 Install authentication key onto host
10.5 Long stat list, shows which policies are installed
10.6 Short stat list , shows which policies are installed
10.7 Unload Policy
10.8 Returns version, patch info and kernel info
11 Backup
11.1 Show Configuration
11.2 Copying Packet Captures off the firewall
clish / shells
Some commands are from the regular Unix shell, others are from clish. I'll try to prefix commands that belong to the clish environment with "from clish".
clish
Health and Status
Clock
clock
Version info
ver
sample output:
checkpoint-gaia> ver
Product version Check Point Gaia R80.20
OS build 1
OS kernel version 2.6.28-92
OS edition 64-bit
CPU stats
cpstat -f cpu os
Free Memory
cpstat -f memory os
free -m
fw ctl pstat
View Sessions / Connections
stats, peak
fw tab -t connections -s
by ip address
fw tab -t connections -f
Verify TCP/IP Configuration
ifconfig -a
Show Routing Table
netstat -rn
Show route for destination
from clish
show route destination x.x.x.x
Add Route from clish
set static-route x.x.x.x/24 nexthop gateway address x.x.x.x priority 1 on
save config
Traceroute
traceroute <ip address>
Ping
ping <ip address>
ARP Cache
arp -a
List Cluster Status
cphaprob stat
HA start / stop
cphastart
cphastop
Checking for Failovers in Logs
In SmartView Tracker, right-click the Information column and filter on the word "cluster".
View DHCP Leases
cat /var/lib/dhcpd/dhcpd.leases
File or database corruption
No output is good!
cphash -d -v
Example Output:
Check out - sk105510, get your USB stick ready for an OS reload!
[ 4541 2012442704]@checkpointr77[20 Aug 7:44:21] is_initialized: new process or forked
[ 4541 2012442704]@checkpointr77[20 Aug 7:44:21] registry_root_reload_do: registry file corrupted
[ 4541 2012442704]@checkpointr77[20 Aug 7:44:21] Unable to open Registry (/opt/CPshrd-R77.20/registry/HKLM_registry.data)! Fa
Partitions Full
Find the largest files and sort them
find / -type f -size +10000 -exec ls -lh {} \; 2> /dev/null | awk '{ print $NF ": " $5 }' | sort -nk 2,2
Sample Output:
/proc/kcore: 1.8G
/var/log/opt/CPsuite-R75/fw1/log/2020-01-12_131447_113.log: 2.0G
/var/log/opt/CPsuite-R75/fw1/log/2020-01-12_225954_114.log: 2.0G
/var/log/opt/CPsuite-R75/fw1/log/2020-02-13_062870_115.log: 2.0G
/var/log/opt/CPsuite-R75/fw1/log/2020-01-13_132657_116.log: 2.0G
View Partitions disk usage
df -h
View Disk Usage by Gigs
du -h |grep G
All the files that are Gigs in size
ls -lah |grep G
Delete the oldest logs
Test and get the list right
ls -lah |grep <filename> |grep -v ptr
Now delete the list
rm $(ls |grep <filename> |grep -v ptr)
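A more defensive form of the two steps above, as an added example that is not part of the original page: it matches only rotated logs with the date-stamped names shown in the earlier sample output, lists the candidates first, and deletes exactly that list. The function names and the keep-newest count are assumptions of this example.

```shell
#!/bin/bash
# Added example, not from the original page. Function names are hypothetical.
# Rotated logs are assumed to be named YYYY-MM-DD_HHMMSS_N.log, as in the
# sample output above, so sorting by name sorts by age.

# list_old_logs DIR KEEP: print every rotated log in DIR except the newest KEEP.
# The active fw.log and the *ptr files (excluded on the page with
# "grep -v ptr") never match the -name pattern.
list_old_logs() {
    find "$1" -maxdepth 1 -type f \
        -name '[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]_*.log' |
        sort |
        awk -v keep="$2" '{ line[NR] = $0 }
            END { for (i = 1; i <= NR - keep; i++) print line[i] }'
}

# delete_old_logs DIR KEEP: remove exactly the files list_old_logs prints
# and print how many were removed.
delete_old_logs() {
    list_old_logs "$1" "$2" | {
        n=0
        while IFS= read -r f; do
            rm -f -- "$f" && n=$((n + 1))
        done
        echo "$n"
    }
}

# Dry run first, then delete, keeping the 5 newest rotated logs:
#   list_old_logs "$FWDIR/log" 5
#   delete_old_logs "$FWDIR/log" 5
```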
Interfaces
Show Interfaces available
from clish
show interfaces
Check Interface Speed / Duplex
from clish
show interface eth1
View Interface Errors / Dropped
ifconfig eth1
Check Interfaces
cphaprob -a if
Check NIC for Flapping
cat /var/log/messages |grep "NIC Link"
Example of flapping:
Nov 20 00:32:46 hostname kernel: e1000: eth0b: e1000_watchdog_task: NIC Link is Down
Nov 20 00:33:25 hostname kernel: e1000: eth0b: e1000_watchdog_task: NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX
Nov 20 00:37:48 hostname kernel: e1000: eth0b: e1000_watchdog_task: NIC Link is Down
Nov 20 00:38:27 hostname kernel: e1000: eth0b: e1000_watchdog_task: NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX
Nov 20 00:42:51 hostname kernel: e1000: eth0b: e1000_watchdog_task: NIC Link is Down
Check the wiring or neighboring devices!!
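To turn the grep above into a per-interface count, the following added example (not part of the original page) tallies link-down events and reports interfaces at or above a threshold. It assumes the e1000 message layout shown in the example; the function names, the threshold and the extra eth1 line are constructed for illustration.

```shell
#!/bin/bash
# Added example, not from the original page. Function names are hypothetical.
# Assumes the e1000 message layout shown above:
#   "... kernel: e1000: <iface>: e1000_watchdog_task: NIC Link is Down"

# SAMPLE_LOG: the five lines from the example above plus one constructed
# eth1 line, so the threshold has something to filter out.
SAMPLE_LOG='Nov 20 00:32:46 hostname kernel: e1000: eth0b: e1000_watchdog_task: NIC Link is Down
Nov 20 00:33:25 hostname kernel: e1000: eth0b: e1000_watchdog_task: NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX
Nov 20 00:37:48 hostname kernel: e1000: eth0b: e1000_watchdog_task: NIC Link is Down
Nov 20 00:38:27 hostname kernel: e1000: eth0b: e1000_watchdog_task: NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX
Nov 20 00:41:02 hostname kernel: e1000: eth1: e1000_watchdog_task: NIC Link is Down
Nov 20 00:42:51 hostname kernel: e1000: eth0b: e1000_watchdog_task: NIC Link is Down'

# count_link_downs: read syslog lines on stdin and print "<iface> <downs>",
# busiest interface first.
count_link_downs() {
    awk '/NIC Link is Down/ {
        # The interface name is the field just before "<driver>_watchdog_task:".
        for (i = 2; i <= NF; i++)
            if ($i ~ /_watchdog_task:$/) {
                iface = $(i - 1)
                sub(/:$/, "", iface)
                down[iface]++
            }
    }
    END { for (name in down) print name, down[name] }' | sort -k2,2nr
}

# flapping_ifaces MIN: print interfaces with at least MIN link-down events.
flapping_ifaces() {
    count_link_downs | awk -v min="$1" '$2 >= min { print $1 }'
}

# On a gateway: flapping_ifaces 3 < /var/log/messages
printf '%s\n' "$SAMPLE_LOG" | flapping_ifaces 3
```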
Sync Status
cphaprob syncstat
Show status in list form
cphaprob list
Stop Clustering on a specific node
cphastart/stop
SIC protocol
cp_conf sic
Configuration Utility
cpconfig
Print the License
cplic print
cplic print -x
Show VPN Policy Server Status
cpstat -f all polsrv
Show status of Firewall
cpstat
List Check Point Processes
cpwd_admin list
OSPF
Show OSPF
from clish
show ospf
show interfaces
--- You can see the status of the interfaces and errors ---
from clish
show ospf interfaces
show ospf neighbors
from clish
show ospf neighbors
OSPF Events
from clish
show ospf events
Show OSPF errors
from clish
show ospf errors
Stop Dynamic Routing Daemon
Restarting OSPF -- probably would be better to restart the firewalls
from clish
drouter stop
Start Dynamic Routing Daemon
from clish
drouter start
BGP commands
work in progress
show bgp
show bgp errors
show bgp groups
show bgp memory
show bgp paths
show bgp peer VALUE advertise
show bgp peer VALUE detailed
show bgp peer VALUE received
show bgp peers
show bgp peers detailed
show bgp peers established
show bgp routemap
show bgp stats
show bgp summary
Syslog commands
work in progress
show syslog all
show syslog cplogs
show syslog filename
show syslog log-remote-addresses
Start/Stop/Restart
Restart All Services
cprestart
Start Firewall Services
cpstart
Stop the Firewall
cpstop
Stop Firewall services but keeps policy active
cpstop -fwflag -proc
Routing Table
cpstat os -f routing
Block IPS via SmartTracker
fw tab -t sam_blocked_ips
Show Connection Stats
fw tab -t connections -s
Show connections with IP instead of HEX
fw tab -t connections -f
Show fwx_alloc with IP instead of HEX
fw tab -t fwx_alloc -f
Show VPN Stats
fw tab -t peers_count -s
fw tab -t userc_users -s
Check License Details
fw checklic
Show current value of global kernel parameter
fw ctl get int [global kernel parameter]
Set value of global kernel parameter. Only temp; cleared after reboot
fw ctl set int [global kernel parameter] [value]
Show ARP table (static)
fw ctl arp
Add new static arp http://51sec.blogspot.com/2012/04/checkpoint-splat-manual-proxy-arp.html#.VNrQjPnF-pc
Install hosts internal interfaces
fw ctl install
Control IP Forwarding
fw ctl ip_forwarding
System Resource Stats
fw ctl pstat
Uninstall hosts internal interfaces
fw ctl uninstall
Export current log file to ascii file
fw exportlog .o
Fetch security policy and install
fw fetch
Installs on gateway the last installed policy
fw fetch localhost
Show Cluster stats
fw hastat
Display protected hosts
fw lichosts
LOGS
Logs don't exist?
quickly locate what is causing a drop regardless of the policy tracking settings
fw ctl zdebug drop
Tail current log file
fw log -f
Retrieve logs between times
fw log -s <start time> -e <end time>
Rotate Current log file
fw logswitch
Display remote machine log-file list
fw lslogs
FW Monitor
Here I use the host macro, which automatically generates a filter for source and destination IP addresses.
fw monitor -e "accept host(8.8.8.8);"
See the $FWDIR/lib/tcpip.def file for reference.
SK30583 (https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk30583)
Packet Captures
Example Captures (https://www.firewall.guru/wiki/index.php/Pcap)
tcpDump
More TCPDump Examples on the Linux page (https://www.firewall.guru/wiki/index.php/Linux#Packet_Capture)
By Single IP
tcpdump -i eth# host x.x.x.x
Looking for Two Way traffic, source and destination.
tcpdump -i eth# "host x.x.x.x" and "host x.x.x.x"
nohup tcpdump -W 5 -C 1000 -w Filename.pcap -nni <Interface> host <SOURCE IP> and host <DEST IP> &
Print current Firewall modules
fw printlic -p
Print current license details
fw printlic
Install authentication key onto host
fw putkey
Long stat list, shows which policies are installed
fw stat -l
Short stat list , shows which policies are installed
fw stat -s
Unload Policy
fw unloadlocal
Returns version, patch info and kernel info
fw ver -k
Backup
Show Configuration
This will create a dump of the current configuration. This is great for making a backup. You can use this to quickly
restore a configuration.
show configuration
Copying Packet Captures off the firewall
While on a linux client, copy from firewall
scp admin@firewallip:/path/on/firewall/capturefile.pcap /path/on/localhost/capturefile.pcap
While on the firewall, copy to a Linux destination
scp /path/on/firewall/capturefile.pcap user@linuxhost:/path/on/linuxhost/capturefile.pcap
Retrieved from "https://www.firewall.guru/wiki/index.php?title=CheckPoint&oldid=1588"
Categories: Firewall Check Point GAIA
This page was last modified on 24 August 2017, at 21:19.