The Advanced Routing Suite CLI is available as part of the Advanced Networking Software Blade. Be sure no other users are connected to Advanced Routing Suite.

With Advanced Routing Suite installed properly and running:
1. Enter the SecurePlatform expert mode.
2. Type pro enable at the prompt and press Enter.
3. Reboot.
4. Type router at the prompt and press Enter. This begins your CLI session in User Execution mode.

The Advanced Routing Suite CLI has the following five modes:
- User Execution - User Execution mode is the default mode. In User Execution mode, the prompt is ">".
- Privileged Execution - Privileged Execution mode allows for "privileged" commands. In Privileged Execution mode, the prompt is "#". This mode is password protected and entered using enable.
- Global Configuration - Global Configuration mode is used to change the configuration of Advanced Routing Suite. This mode can only be entered from Privileged Execution mode with the configure terminal command.
- Router Configuration - Router Configuration mode is used to change the protocol state on a specific router. This mode is entered by typing the following at the (config)# prompt:
- Interface Configuration - Interface Configuration mode is used to change protocol state on a specific interface. This mode is entered by typing the following at the (config)# prompt:
Multicast
The multicast commands are used to set interface-specific options such as time-to-live (TTL) thresholds and administratively scoped boundaries.

Most common commands:
- clear ip mroute - clears routes in the multicast routing table
- show ip mroute - displays the contents of the Multicast Routing Table

BGP neighbor commands all start with neighbor. Querying and clearing commands are all show and clear commands, e.g. show ip bgp neighbors.
Router Discovery
The Router Discovery Protocol is an IETF standard protocol (RFC 1256) used to inform hosts of the existence of routers. On systems supporting IP multicasting, the router advertisements are, by default, sent to the all-hosts multicast address, 224.0.0.1.
Management Portal
Management Portal enables web-based administration and troubleshooting of the Security Management server. The product can be deployed on a dedicated server, or alongside the Security Management server. SSL encrypted connections are used to access the Management Portal web interface. Administrative access can be limited to specific IP addresses. Dedicated administrator users can be limited to Management Portal access only.

Portal commands
- smartportalstop - stops Management Portal services
- smartportalstart - starts Management Portal services

Portal configuration
The following Management Portal product properties can be modified by editing the cp_httpd_admin.conf file. This file can be found in the Management Portal conf directory.

Note - Any modifications to the cp_httpd_admin.conf file should be done after performing SmartPortalStop.

- To change the web server port, modify the PORT attribute (default is TCP 4433).
- To use HTTP instead of HTTPS, set the SSL attribute to 0. This is not recommended for security reasons and should only be used when troubleshooting.
- To change the Web Server certificate, modify the SERVCERT (the full path to the certificate) and CERTPWD (the certificate password) attributes.
Connect to the Management Portal by opening one of the supported browsers and pointing it to: https://<Security Management_server_ip>:4433
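The following audit script is an added example, not Check Point code: it checks a cp_httpd_admin.conf for the settings described above, flagging SSL left at 0 after troubleshooting, an unreadable SERVCERT path, and a world-readable file that stores CERTPWD. It assumes one attribute per line written as NAME=VALUE or "NAME VALUE"; the function names and the --demo switch are hypothetical.

```shell
#!/bin/sh
# Added example, not Check Point code. Assumption: cp_httpd_admin.conf holds one
# attribute per line as NAME=VALUE or "NAME VALUE"; verify against the real file.

# conf_get FILE NAME: print the last value assigned to NAME (empty if absent).
conf_get() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                        # ignore comment lines
        {
            n = index($0, "=")
            if (n > 0) { k = substr($0, 1, n - 1); v = substr($0, n + 1) }
            else       { k = $1; v = $2 }
            gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# audit_portal_conf FILE: print findings; exit status is the number of FAILs.
audit_portal_conf() {
    conf="$1"; fails=0
    [ -r "$conf" ] || { echo "ERROR: cannot read $conf"; return 99; }
    ssl=$(conf_get "$conf" SSL); port=$(conf_get "$conf" PORT)
    cert=$(conf_get "$conf" SERVCERT); pwd_set=$(conf_get "$conf" CERTPWD)

    if [ "$ssl" = "0" ]; then
        echo "FAIL: SSL=0, portal served over plain HTTP (troubleshooting setting)"
        fails=$((fails + 1))
    elif [ -n "$cert" ] && [ ! -r "$cert" ]; then
        echo "FAIL: SERVCERT=$cert is not a readable file"
        fails=$((fails + 1))
    fi
    if [ -n "$port" ] && [ "$port" != "4433" ]; then
        echo "INFO: PORT=$port is not the default 4433; check access rules match"
    fi
    # CERTPWD is a secret kept in this file, so it must not be world-readable.
    if [ -n "$pwd_set" ] && [ -n "$(find "$conf" -perm -004 2>/dev/null)" ]; then
        echo "FAIL: $conf contains CERTPWD and is world-readable"
        fails=$((fails + 1))
    fi
    [ "$fails" -eq 0 ] && echo "OK: no findings"
    return "$fails"
}

# Constructed sample for a dry run: ./audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp); chmod 644 "$tmp"
    printf 'PORT=4433\nSSL=0\nCERTPWD=example-only\n' > "$tmp"
    audit_portal_conf "$tmp"; rm -f "$tmp"
fi
```

Run it against the live file after each maintenance window so a temporary SSL=0 does not persist into production.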
SmartUpdate
SmartUpdate automatically distributes applications and updates for Check Point and OPSEC Certified products, and manages product licenses. It provides a centralized means to guarantee that Internet security throughout the enterprise network is always up to date.

It is possible to remotely upgrade:
- Check Point Security Gateways
- Hotfixes, Hotfix Accumulators (HFAs) and patches
- Third party OPSEC applications
- UTM-1 Edge
- Check Point IPSO Operating System
- SecurePlatform

- License & Contract Repository, which is stored on all platforms in the directory $FWDIR\conf\.
- Package Repository, which is stored:
The Package Repository requires a separate license, in addition to the license for the Security Management server. This license should stipulate the number of nodes that can be managed in the Package Repository. Packages and licenses are loaded into these repositories from several sources:
- the Download Center web site (packages)
- the Check Point CD (packages)
- the User Center (licenses)
- by importing a file (packages and licenses)
- by running the cplic command line

Of the many processes that run on the Check Point Security Gateways distributed across the corporate network, two in particular are used for SmartUpdate. Upgrade operations require the cprid daemon, and license operations use the cpd daemon. These processes listen and wait for the information to be summoned by the Security Management server.

The Upgrade Package Process

Prerequisites for Remote Upgrades
- Ensure that SmartUpdate connections are allowed. Go to SmartDashboard > Policy > Global Properties > FireWall Implied Rules, and ensure that the Accept SmartUpdate Connections check box is checked.
- Secure Internal Communication (SIC) must be enabled to allow secure communications between the Security Management server and remote Check Point Security Gateways.

Snapshot Image Management
Before performing an upgrade, you can use the command line to create a Snapshot image of the SecurePlatform OS, or of the packages distributed. If the upgrade or distribution operation fails, you can use the command line to revert the disk to the saved image.

To create a Snapshot file on the gateway, type:
cprinstall snapshot <object name> <filename>

To show the available Snapshot files, type:
cprinstall show <object name>

To revert to a given Snapshot file, type:
cprinstall revert <object name> <filename>

Note - Snapshot files are stored at /var/CPsnapshot on the gateway.