24/4/2015Check Point/SPLAT/Network Debug Cheat Sheet Midpoint Technology Search this site HOME PRODUCTS SERVICES TRAINING > RESOURCES > Check Point/SPLAT/Network Debug Cheat Sheet TRAINING COURSES Unix Cheats SCHEDULE RESOURCES REGISTER ANNOUNCEMENTS CONTACT Unix Cheats ifconfig List all network interfaces look for collisions ifconfig | fgrep inet Short list of network IPs ifconfig | grep i 'hwa\|inet' Short list of IPs, ethernet interfaces, and IPs route n Print routing table with no DNS resolution arp an Print out arp table ls alth List 'a'll files in 't'ime order with 'h'uman readable sizes more <filename> The more command will print out a file and scroll it so you can read <somecommand> | more it at your pace. /<searchtext> : search forward for <searchtext> <cr> : read one more line <space> : read one page q : quit ? : help ls alt | tee /tmp/output.txt List the directory, the feed it to "tee" which lists on display AND feeds into file at same time find . follow | xargs ls ald | more List all files in directory, follow symbolic links, and print the file modification time "ls ald" fgrep "search for" * search for "search for" in inside a file in the current directory find . follow mmin 10 | xargs ls ald | more Search for files modified less than 10 minutes ago and print mod dates. Follow all symbolic links Filenames: find . follow mmin 10 | fgrep Looking for a filename that has been modified in last 10 minutes "lookforfilename" Filecontent: find . follow mmin 10 | xargs fgrep Search for files modified less than 10 minutes ago and search i "lookforcontent" | more inside files for content (not the filename!) "lookforcontent" find / follow type f size +10240k Search for files larger than +10MB. 10240k is less than 10MB find / follow type f size +10240k size 102400k File between +10MB and 100MB command > filename send standard output to "filename" (by default error output goes to terminal) command 2>&1 | more send error output "2" to(>) same output as standard output "&1"....which is the display. Pipe all through more command 2> /bin/null | more Send all the error output to null bucket so output just has clean data in it CTRLv CTRLo ENTER Resets terminal to text in case binary data changes display stty rows 80 columns 100 Resets terminal size to window of 80 by 100 dmesg | more Look at all the boot messages, usually used to find debug errors Linux: traceroute n Traceroute Turn off DNS! Windows: tracert d dig @<server IP> <domain name> http://www.midpointtech.com/training/coursematerials/networkdebugcheatsheet Direct query to DNS server @ IP 172.17.1.2 1/8 2 www.fws from 10. eth0> Display physical network card information (limited on VMware) ethtool p eth0 Blink the LED on eth0 port ethtool i eth0 Get driver version info Smart Gateway Debug Commands clock bios time and date cpconfig change SIC.0. From that it generates $FWDIR/conf/<gateway>/rulebases_5_0.com netstat r routing tables netstat an Port numbers that are being used or listening on ps aux.ipv4. Turn on forwarding fw ver k Firewall version and kernel version http://www. expert change from the initial administrator privilege to advanced privilege fw ctl iflist show interface names /bin/date OS time and date fwm load <policyname> On smartcenter or MDM. policy install time and interface table cpstat ha high availability state cpstat os f cpu checkpoint cpu status cpstat os f routing checkpoint routing table cpstop stop all checkpoint services cpwd_admin monitor_list list processes actively monitored. Downloads rulebases_5_0. this is the compiled inspect script.24/4/2015 Check Point/SPLAT/Network Debug Cheat Sheet Midpoint Technology dig @172.0. make SPLAT route through the box.com/training/coursematerials/networkdebugcheatsheet 2/8 .fws which is loaded into gateway. verify and compile and load the policyname onto the <gatewayobjectname> targetgateway.midpointtech. Firewall should contain cpd and vpnd. Make it a straight linux box basically sysctl w net.g. top Realtime display of processes and mem utilization <space bar> refresh F > k Sort on CPU F >n Sort on MEM f > X Sort on Command name R Toggle reverse sort on/off tftp <ip of tftp server> binary put <filename> ethtool <ethX e.42.1.ip_forward=1 After unloading policy.0. When it compiles. licenses and more cplic print license information cpstart;cpstop start all checkpoint services cpstat fw show policy name.google. This has latest policy in it fw unloadlocal Remove all policy and security enforcement from SPLAT.17.42 get the policy from the firewall manager (use this only if there are problems on the firewall). it creates a file called $FWDIR/conf/<policyname.pf>.0. ps auxwf print out all processes or with subprocess tree list. fw fetch 10. arp. hwclock show the hardware clock. fw ctl mem fw tab | grep '\' | more Dump out names of tables stored in hash memory ' fw ctl pstat' (hmem) fw tab s t connections number of connections in state table fw tab t xlate x clear all translated entries (emergency only) fwm lock_admin h unlock a user account after repeated failed log in attempts fwm ver firewall manager version (on SmartCenter) sysconfig configure date/time.3.24/4/2015 Check Point/SPLAT/Network Debug Cheat Sheet Midpoint Technology cpinfo Prints out TONS of FW debug information for help desk fw stat firewall status. Also have to check Global Properties:NAT:Merge manual arps ======NAT DEBUG========= Reserve space Turn on NAT debug fw ctl debug buf 32000 fw ctl debug + xlate xltrc nat fw ctl kdebug f > /tmp/nat. x 0 Packet data dump starting at offset 0 e "accept ip_src=1.2. should contain the name of the policy and the relevant interfaces.txt Dump traffic through iIoO stacks and ouput to ascii. i.4" Only filter packets from 1.midpointtech.def has shortcuts for filtering ip_src is one example of a shortcut/macro] Common VI commands vi <filename> :q! quitno save ZZ quit: save data <arrow keys> up/down/sideways <pg up><pg down> x delete character dd delete line /someword search forward for someword http://www. sync the hardware clock to the OS with "hwclock –systohc" cpd_sched_config print Print out CP batch queue CP version of crontab fw ctl arp List all the proxy arp entries for manual arp brought into the kernel from $FWDIR/conf/local. dns. network.3. ntp upgrade_import run ‘/opt/CPsuiteR65/fw1/bin/upgrade_tools/upgrade_import’ after a system Dịch upgrade to import the old license and system information. o output.2.4 [NOTE:$FWDIR/lib/tcpip. Note these are tables that are reserved for firewall kernel hash tables.900] fw stat l show which policy is associated with which interface and package drop.e.cap Dump traffic through iIoO stacks and output to Wireshark format for export. Standard_5_1_1_1_1 [>eth4] [<eth4] [<eth5] [>eth0. If the hardware and operating system clocks are off by more than a minute.com/training/coursematerials/networkdebugcheatsheet 3/8 . i flushes buffers immediately so you get all the output written to the output file.out Dump to file Turn off NAT debug fw ctl debug 0 fw monitor i p all > outputascii.900] [<eth0. accept and reject fw tab displays firewall hash tables. Takes a lot of CPU and swap. Look for FREE space to make sure there is free space. so: swap out: means running out of physical memory so start "swap out". Should be big number. should be steady number bo: blocks written to disk Compare to nonbusy device. Look at f all Queue lenghts to see if things are backing up. fw ctl pstat show control kernel memory and connections: Hash Kernel Memory: Total Memory Blocks Used/Unused/%: State table memory>Make sure this has free memory System Kernel Memory: Allocations: Free: Application Memory > Make sure there is free memory for applications Kernel Memory: Free: Firewall kernel memory> Make sure there is free memory Connections: Peak concurrent vs concurrent: Make sure under default config 25000 top Dynamic list of processes and the resources they utilize vmstat Memory and virtual memory usage vmstat 5 Display every 5 seconds Look for : w: Number of processes blocked waiting for resources to run.24/4/2015 Check Point/SPLAT/Network Debug Cheat Sheet Midpoint Technology ?someword search backwards for someword n search for next instance N search for previous instance i insert character at current spot a append character after current spot <ESC> escape insert mode u undo last change o Create line above current line and start inserting characters O Create line above current line and start typing characters <ESC> escape insert mode u undo last change Unix/Splat Performance Queries ifconfig List all network interfaces look for collisions and errors on interfaces ps Print out process hierarchy with cpu times. Should be low number and decreasing bi: blocks read from disk Compare to nonbusy device. and full commands that process is executing auxwf cpstat os Best overall view of OS with descriptions. free: The amount of idol memory available for swapping. should be steady number cs: context switches Number of times a process goes from idle to running. Should be low or steady number us: cpu time spent running user code sy: cpu time spent running kernel code id: Time spent ideal wa: Time spent waiting for IO to happen Watch this one http://www.com/training/coursematerials/networkdebugcheatsheet 4/8 . Look for % CPU time. Should be low number.midpointtech. 1. much faster! NO DNS! n fw log n < fwlogname.txt> NOTE: 'fwm' not 'fw'. ether src host 00:0c:29:80:11:0c and arp http://www. tcpdump i eth1 n w /tmp/netout.log. Both *.2009 15:15:00" tcpdump tcpdump i <interface> n s 500 w <outputfile> X i <interface> commonly eth0/1/2/3 [command] n no DNS resolution.0/24 3. NO DNS! n fw logswitch rotate logs.midpointtech.log> > /tmp/logout. YYYY HH:MM:SS> eg fw log b "Jul 23.1 && host 2. log show # dump a log listed by 'log list' fwm logexport i <log name> o <output name.4 and src port 53) 4. clear out current log and archive it based on date fw lslogs list firewall logs fw log f tail the current log fw log n <logfile>.! then enclose the whole command in quotes ' host 1. Export ogs to ascii to output_name. 2009 15:01:30" "Jul 23.cap X [command] s 500 size of data packet w output file. can be used to feed into Wireshark X ascii and hex output eg.com/training/coursematerials/networkdebugcheatsheet 5/8 .24/4/2015 Check Point/SPLAT/Network Debug Cheat Sheet Midpoint Technology df h Disk usage of all the drives netstat i packets dropped/errors per interface Logging Commands fw log c drop Entries in the log 'drop' column. also can use 'accept' and 'reject' fwm logexport i <log name> o <outputfilename export an old log file on the firewall manager fw log n <fwlogname.do not use DNS resolution n. src host 1.1 or (dst host 3.1.||. faster eg.1.1.txt.&&..txt dump log files both to display AND to file logout. Examples commands: 1.1.1 2.. YYYY HH:MM:SS> <MMM DD.cap dump to file and screen Expression Modifiers ! or not && and || or NOTE: If you use ().2' because the shell Common Command Operators [ether] [src|dst] host <host> | net <net>/len [tcp|udp] [src|dst] port <p1> | portrange <port> <port> [src|dst] net <netip>/mask arp icmp proto will use the && before tcpdump does.txt file fw log b <MMM DD.log log list show all logs kept by gateway/mgr. *elg.2. host 1.txt dump logs into file.1. src net 10.1.2. tcpdump i eth1 n | tee /tmp/netout. search the current log for activity between specific times.1.log> | tee /tmp/logout. ether src host 00:0c:29:80:11:0c monitor all data packets from MAC address 5.2.1. host == 1.1.1.1 ip.host == 1.1.1.1 arp or icmp and !(ip.1) and NOT ip.1 ip. Wireshark Expression Modifiers: Common filters a == b ARP a != b a and b arp filter just arps a or b arp or icmp filter arps and icmp !(a or b) icmp filter just icmp IP ip. You will get errors but in end it will clear them all out.host == 1. '{print $3}' | xargs n cplic del cp contract put <file> cplic put l <file> Install a license file or a contract file.host == 1..1. port 22 or arp figure out why SSH is not connecting .host != 1.24/4/2015 Check Point/SPLAT/Network Debug Cheat Sheet Midpoint Technology monitor arp packets from MAC address 6. spam. Licenses are for software.1.1.dst_host == 1.1 TCP tcp.port == 22 tcp..midpointtech.1 License Commands cplic print s Print out all licenses with signatures cplic del XXXX Delete license with signature XXXX cplic print x | awk Delete all licenses.com/training/coursematerials/networkdebugcheatsheet 6/8 .srcport == 22 Complex Filter Examples: arp or ip.1.1. URL filtering http://www. contracts are for subscriptions like IPS.1.. probably because ARPs are not being returned.1.src_host == 1.dstport == 22 tcp.1.1.1) NOTE: use !(ip.1. elg and ike.out Turn off after done!!! fw ctl debug 0 Turn off!!!! vpn debug trunc vpn debug off Turn off!!! http://www. clusterXL_admin up|down fail over device.txt fw ctl debug buf 32000 fw ctl debug m VPN all fw ctl kdebug f > /tmp/vpn.midpointtech. cphaprob a if Display state of interfaces cphaprob ia list List all the monitored devices and their status to figure out why the firewall and standby devices. (emergency only) failed over.elg 7/8 .macro Splat Gateway Filesystem $CPDIR/log cpd logs.out Turn on VPN kernel debug and send output to file /tmp/vpn. Should show active cphaprob syncstat display sync transport layer statistics cphastop stop a cluster member from passing traffic. setup logs. Use "ls alt" to find recently modified log files /var/log/messages Linux OS logs $FWDIR/log/*. not automatically flips back to highest priority.24/4/2015 Check Point/SPLAT/Network Debug Cheat Sheet Midpoint Technology cplic print p Print out the detailed licensing info after being translated by $CPDIR/conf/cp.elg component text log files $FWDIR/log/fw. Stops synchronization.com/training/coursematerials/networkdebugcheatsheet Debug the setting up key exchanges and tunnel testing.log log file that shows up in Smart Tracker $FWDIR/conf FW configuration files Smart Gateway HA debug Commands cphaprob ldstat display sync serialization statistics cphaprob stat list the state of the high availability cluster members. NOTE you have to failover other device to get this device back to active. Output is in $FWDIR/log/vpn. Unless you set autorecovery in clusterXL menu for Smart Gateway VPN debug Commands vpn tu fw ctl chain list and kill tunnels Watch iIoO stack traffic and data being decrypted fw monitor p > /tmp/outputfile. general check point product logs $FWDIR/database && $FWDIR/state Where policy is installed $FWDIR/log/ Directory of log files. Đăng nhập | Hoạt động gần đây của trang web | Báo cáo lạm dụng | Trang in | Được cung cấp bởi Google Sites http://www. make sure you do a mdsenv MDS command lines mdsstat List all the DMS and their statuses mdsenv set MDS environment to a specific domain (listed in mdsstat) mcd change environment to domain specified in mdsenv mdsstop Stop all of MDS mdsstart Start all of MDS mdsstop_customer customer start a single DMS mdsstart_customer customer stop a single DMS mdscmd command line version of the SDM GUI mdscmd runcrossdomainquery ‐all query_rulebase ‐n Search all DM's rulebases dor G_MDS G_MDS mdscmd runcrossdomainquery all query_network_obj c Search all DMS's object files for partial name "dms" dms Nhận xét Bạn không có quyền thêm nhận xét.com/training/coursematerials/networkdebugcheatsheet 8/8 .midpointtech.pf Rulebase saved by Smart Dashboard $FWDIR/conf/rulebases_5_0. 20110902_105546.24/4/2015 Check Point/SPLAT/Network Debug Cheat Sheet Midpoint Technology Smart Center Filesystem $FWDIR/conf $FWDIR/log <year><month><day>_<time>.log Name of logfile switched on 9/2/2011 /var/log/messages $FWDIR/conf/Standard.fws Compiled rule bases pushed to gateway $CPDIR/log cpd daemon and intercommunications logs MDS file system $MDSDIR/log MDS logs $MDSDIR/conf MDS global databases cd $FWDIR current DMS.log Names of log files when you execute a fw logswitch eg.