
Introduction

The Advanced Routing Suite CLI is available as part of the Advanced Networking Software Blade. Be sure no other users are connected to Advanced Routing Suite.

With Advanced Routing Suite installed properly and running:
1. Enter the SecurePlatform expert mode.
2. Type pro enable at the prompt and press Enter.
3. Reboot.
4. Type router at the prompt and press Enter.

This begins your CLI session in User Execution mode.

The Advanced Routing Suite CLI has the following five modes:
User Execution - User Execution mode is the default mode. In User Execution mode, the prompt is ">".
Privileged Execution - Privileged Execution mode allows for "privileged" commands. In Privileged Execution mode, the prompt is "#". This mode is password protected and entered using enable.
Global Configuration - Global Configuration mode is used to change the configuration of Advanced Routing Suite. This mode can only be entered from Privileged Execution mode with the configure terminal command.
Router Configuration - Router Configuration mode is used to change the protocol state on a specific router. This mode is entered by typing the following at the (config)# prompt:
Interface Configuration - Interface Configuration mode is used to change protocol state on a specific interface. This mode is entered by typing the following at the (config)# prompt:

Multicast
The multicast commands are used to set interface-specific options such as time-to-live (TTL) thresholds and administratively scoped boundaries.

Most common commands:
clear ip mroute - clears routes in the multicast routing table
show ip mroute - displays the contents of the Multicast Routing Table

Border Gateway Protocol (BGP)


BGP is an exterior, or inter-domain, routing protocol. BGP is used to exchange routing information between multiple transit autonomous systems, between transit and stub autonomous systems, or between two stub autonomous systems.

Global Configuration Mode Commands - "router bgp"
Global BGP Commands - e.g. bgp router-id, bgp cluster-id
BGP Neighbor Commands - all start with neighbor
Querying and Clearing Commands - all shows and clears, e.g. show ip bgp neighbors

Internet Control Message Protocol (ICMP)


Advanced Routing Suite listens to ICMP messages received by the system. Advanced Routing Suite currently supports redirect. Processing of ICMP redirect messages is handled by the "router redirect" command.

router icmp - allows the user to enter ICMP Router Configuration Mode

Fast Open Shortest Path First (OSPF)


Open Shortest Path First Routing (OSPF) is a shortest path first or link-state protocol. OSPF is an interior gateway protocol that distributes routing information between routers in a single autonomous system (AS). OSPF chooses the least-cost path as the best path. Advanced Routing Suite can run over a variety of physical connections: serial connections, LAN interfaces, ATM, or FDDI.

The OSPF configuration supports three different types of connections in the interface clauses:
LAN and Point-to-Point
Non-Broadcast Multiple Access
Point-to-Multipoint

OSPF commands
Global Configuration Mode OSPF Commands - router ospf
Global Commands - global-wide commands such as authentication, distance and enable
Area Commands - all start with area
Default Commands - all start with default
Area Interface commands - interface specific such as authentication, neighbor, network
Floating Interface Commands - all start with ip ospf
Querying Commands - all start with show ip ospf

Router Discovery
The Router Discovery Protocol is an IETF standard protocol (RFC 1256) used to inform hosts of the existence of routers. On systems supporting IP multicasting, the router advertisements are, by default, sent to the all-hosts multicast address, 224.0.0.1.

Routing Information Protocol (RIP)


RIP is an implementation of a distance-vector, or Bellman-Ford, algorithm. RIP classifies routers as active and passive (silent). Active routers advertise their routes (reachability information) to others; passive routers listen and update their routes based on advertisements, but do not advertise. Typically, routers run RIP in active mode, while hosts use passive mode. RIP version 2 (more commonly known as RIP II) adds additional capabilities to RIP, notably next hop, network mask, authentication and RIP tag field.

Global Configuration Mode RIP Commands - "router rip"

Internet Group Management Protocol (IGMP)


IGMP was designed for hosts on multi-access networks to inform locally-attached routers of their multicast group memberships. Hosts inform routers of the groups of which they are members by multicasting IGMP Group Membership Reports. Once multicast routers listen for these reports, they can exchange group membership information with other multicast routers.

clear ip igmp group - removes IGMP join state

Management Portal
Management Portal enables web-based administration and troubleshooting of the Security Management server. The product can be deployed on a dedicated server, or alongside the Security Management server. SSL encrypted connections are used to access the Management Portal web interface. Administrative access can be limited to specific IP addresses. Dedicated administrator users can be limited to Management Portal access only.

Portal commands
smartportalstop - stops Management Portal services
smartportalstart - starts Management Portal services

Portal configuration
The following Management Portal product properties can be modified by editing the cp_httpd_admin.conf file. This file can be found in the Management Portal conf directory.

Note - Any modifications to the cp_httpd_admin.conf file should be done after performing SmartPortalStop.

To change the web server port, modify the PORT attribute (default is TCP 4433).
To use HTTP instead of HTTPS, set the SSL attribute to 0. This is not recommended for security reasons and should only be used when troubleshooting.
To change the Web Server certificate, modify the SERVCERT (the full path to the certificate) and CERTPWD (the certificate password) attributes.

Connect to the Management Portal by opening one of the supported browsers and pointing it to: https://<Security Management_server_ip>:4433
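
A check for the portal settings described above, for example to catch SSL left at 0 after a troubleshooting session. This is an added example, not Check Point code; it assumes the attributes are stored one per line as NAME=VALUE, and the function names and sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit cp_httpd_admin.conf for the attributes named above.
# Assumption: one NAME=VALUE attribute per line (format not shown on the page).

conf_get() {    # conf_get FILE NAME -> last value assigned to NAME
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | tr -d '\r'
}

audit_portal_conf() {
    conf=$1
    findings=0
    [ -r "$conf" ] || { echo "ERROR: cannot read $conf"; return 2; }

    # SSL=0 switches the portal to HTTP; intended for troubleshooting only
    if [ "$(conf_get "$conf" SSL)" = "0" ]; then
        echo "FAIL: SSL=0, portal is served over plain HTTP"
        findings=$((findings + 1))
    fi

    # A non-default port is not a failure, but worth recording
    port=$(conf_get "$conf" PORT)
    if [ -n "$port" ] && [ "$port" != "4433" ]; then
        echo "INFO: PORT=$port (default is 4433)"
    fi

    # SERVCERT must be a full path to an existing certificate file
    cert=$(conf_get "$conf" SERVCERT)
    if [ -n "$cert" ] && [ ! -f "$cert" ]; then
        echo "FAIL: SERVCERT file not found: $cert"
        findings=$((findings + 1))
    fi

    # The file holds CERTPWD, so other users must not be able to read it
    if [ -n "$(conf_get "$conf" CERTPWD)" ]; then
        case $(ls -ld "$conf" | cut -c8-10) in
            r*) echo "FAIL: $conf holds CERTPWD and is readable by other users"
                findings=$((findings + 1)) ;;
        esac
    fi
    [ "$findings" -eq 0 ]    # exit status 0 only when nothing failed
}

# Constructed sample input, not a real portal configuration
sample=$(mktemp)
printf 'PORT=8443\nSSL=0\nSERVCERT=/nonexistent/cert.pem\nCERTPWD=example\n' > "$sample"
chmod 644 "$sample"
audit_portal_conf "$sample" || true
rm -f "$sample"
```
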

SmartUpdate
SmartUpdate automatically distributes applications and updates for Check Point and OPSEC Certified products, and manages product licenses. It provides a centralized means to guarantee that Internet security throughout the enterprise network is always up to date.

It is possible to remotely upgrade:
Check Point Security Gateways
Hotfixes, Hotfix Accumulators (HFAs) and patches
Third party OPSEC applications
UTM-1 Edge
Check Point IPSO Operating System
SecurePlatform

SmartUpdate installs two repositories on the Security Management server:


License & Contract Repository, which is stored on all platforms in the directory $FWDIR\conf\.
Package Repository, which is stored:
    on Windows machines in C:\SUroot.
    on UNIX machines in /var/suroot.

The Package Repository requires a separate license, in addition to the license for the Security Management server. This license should stipulate the number of nodes that can be managed in the Package Repository. Packages and licenses are loaded into these repositories from several sources:

the Download Center web site (packages)
the Check Point CD (packages)
the User Center (licenses)
by importing a file (packages and licenses)
by running the cplic command line

Of the many processes that run on the Check Point Security Gateways distributed across the corporate network, two in particular are used for SmartUpdate. Upgrade operations require the cprid daemon, and license operations use the cpd daemon. These processes listen and wait for the information to be summoned by the Security Management server.

The Upgrade Package Process

Prerequisites for Remote Upgrades

Ensure that SmartUpdate connections are allowed. Go to SmartDashboard > Policy > Global Properties > FireWall Implied Rules, and ensure that the Accept SmartUpdate Connections check box is checked.
Secure Internal Communication (SIC) must be enabled to allow secure communications between the Security Management server and remote Check Point Security Gateways.

Snapshot Image Management

Before performing an upgrade, you can use the command line to create a Snapshot image of the SecurePlatform OS, or of the packages distributed. If the upgrade or distribution operation fails, you can use the command line to revert the disk to the saved image.

To create a Snapshot file on the gateway, type:
cprinstall snapshot <object name> <filename>

To show the available Snapshot files, type:
cprinstall show <object name>

To revert to a given Snapshot file, type:
cprinstall revert <object name> <filename>

Note - Snapshot files are stored at /var/CPsnapshot on the gateway.
