Useful Firewall-1 commands
sk39486
fw log -n -ft | grep <users IP>

the -n switch means no DNS lookups so the results are shown as IP addresses.
fw tab -t connections -s

counts the number of connections currently being processed
fw tab -t sam_blocked_ips

show IP addresses that have been blocked by SAM
fw printlic -p

displays license information
fw putlic -n

if you want the manager to talk to the module (and vice versa) on an IP other than the one that resolves when you ping the node/hostname then use the -n switch.
fw ctl pstat

depending on the switch, shows memory, disk space, cpu usage etc.
fw upgrade sp1 (FP1)

fwm upgrade sp2 (FP2)

used in conjunction with a copy of default_objects.C to upgrade older versions of objects.C files to NG FP*
cpstat mg

show the status of the management daemon
cp_conf sic get

Show the SIC
cp_conf ha enable

Enables HA module
cp_conf sic init <one-time password>

Initialize the SIC
fw ctl iflist


see the interfaces checkpoint is bound to
fw ctl pstat
fw stat (-d -l)
...
cphaprob status

check status of ClusterXL
cphastart -d

debug ClusterXL
cpd -d &


kill the cpd process and start again in debug mode, which will scroll up the terminal screen
fwd -d &

kill the fwd process and start it again in debug mode, which will scroll up the terminal screen (do cpd first)
cpshared_ver

find the build number of the SVN foundations
dtps ver

find the build number of the policy server
fw ver [-k]


find the build number of firewall-1
vpn accel stat

check the status of the accelerator card (make sure it's enabled in voyager)
vpn accel on

turn the card on at the console within checkpoint



sort largest directories on Nokia.
du | sort -n -r | head


Running the Checkpoint CP and FW processes in DEBUG MODE
NG Debug Commands
To start FWM and FWD in debug:

On the manager / module, run these commands if it is a Windows machine:

fw debug fwm on TDERROR_ALL_ALL=3

fw debug fwd on TDERROR_ALL_ALL=3
To enable debugging of CPD:

cpd_admin debug on TDERROR_ALL_ALL=5


to turn it off:

cpd_admin debug off TDERROR_ALL_ALL=0
run these commands if it is a Unix machine:

fw debug fwm on TDERROR_ALL_ALL 3

fw debug fwd on TDERROR_ALL_ALL 3
To enable debugging of SIC:

cpstop

setenv OPSEC_DEBUG_LEVEL 3


setenv TDERROR_ALL_ALL 3

cpd -d
Management HA debugging, run this at the command line:
fw debug fwm on TDERROR_ALL_MGMTHA=3

to disable debugging

fw debug fwm off TDERROR_ALL_MGMTHA=3
To enable VPN debugging
The "vpn debug on" command activates debugging mode of VPND, the vpn daemon. Debug output will be written to the $FWDIR\log\vpnd.elg file.


The "vpn debug ikeon" command turns on IKE debugging mode. IKE packets will be written to the $FWDIR\log\ike.elg file.

The "vpn debug trunc" empties the ike.elg file, adds a stamp line "..." and enables both VPN and IKE debugging.
and kernel debug by:
fw ctl debug 0

fw ctl debug -buf 8192

fw ctl debug -m VPN all

fw ctl kdebug -f > file_name
Management HA Debug
fw debug fwm on TDERROR_ALL_MGMTHA=3

to disable debugging

fw debug fwm off TDERROR_ALL_MGMTHA=0

 
Provider-1 NG Specific
To get the version of P-1

fwm mds ver
reactor debug mode is enabled
migrating management data into a CMA with greater detail in the output


cma_migrate
syncing the MDS with the CMAs

mdsenv

set_mds_info -b -y

mdsstop

mdsstart
debugging the MDS

mdsenv


fwm debug mds on TDERROR_ALL_ALL=5
Debugging the CMA

mdsenv cmaname
fwm debug fwm on TDERROR_ALL_ALL=3
Screen Debug ::
Set environment to CSH

setenv TDERROR_ALL_FP_dbg 3
fw monitor
Built in packet capture program (view saved files with ethereal)
Flag  Description
-d    Turn on debug flag
-D    Turn on debug flag??
-e    Specify an INSPECT program line (multiple -e options can be used)
-f    INSPECT filter name. '-' can be used to specify standard input. The -f and -e options are mutually exclusive
-l    Specify how many bytes of the packet should be transferred from the kernel.
-m    Specify inspection points mask, any one or more of i, I, o, O as explained above. This feature only works on 4.0 SP3 or later.
-o    Specify an output file, which can be viewed with the 'snoop' command on Solaris.
-x    Perform a hex dump of the received data, starting at specified offset and printing out 'len' bytes.
Examples
fw monitor -m iIoO -e "accept [20:2,b]=<src port> or [22:2,b]=<dst port>;" -o /tmp/output.cap

displays all packets with the specified source or destination port and saves them to a file (snoop format, can be read by ethereal)
fw monitor -m iIoO -e "accept [12,b]=<client ip> or [16,b]=<client ip>;" -o /tmp/output.cap

displays all packets with the specified source or destination IP and saves them to a file (snoop format, can be read by ethereal)
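
What the byte offsets in the two filters above refer to, as an added Python example (not Check Point code and not part of the original notes) run over constructed IPv4/TCP packets; it also shows that offsets 20 and 22 stop lining up with the ports once the IP header carries options. Assumptions: offsets count from the first byte of the IP header, the width defaults to 4 bytes, and the helper names are hypothetical.

```python
import re
import socket
import struct

# Accessor form used in the filters above, e.g. [12,b] or [20:2,b] (big-endian).
ACCESSOR = re.compile(r"\[(\d+)(?::(\d+))?,b\]")

def read_accessor(expr, packet):
    """Return the big-endian integer that an accessor selects from the packet."""
    m = ACCESSOR.fullmatch(expr)
    if not m:
        raise ValueError("unsupported accessor: " + expr)
    offset = int(m.group(1))
    length = int(m.group(2) or 4)  # assumption: width defaults to 4 bytes
    chunk = packet[offset:offset + length]
    if len(chunk) != length:
        raise ValueError("packet too short for " + expr)
    return int.from_bytes(chunk, "big")

def build_packet(src, dst, sport, dport, ip_options=b""):
    """Constructed IPv4 + TCP headers; checksums are left at zero."""
    if len(ip_options) % 4:
        raise ValueError("IP options must be padded to a multiple of 4 bytes")
    ihl = 5 + len(ip_options) // 4  # header length in 32-bit words
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + 20,
                     0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    return ip + ip_options + tcp

def ip_to_int(addr):
    return int.from_bytes(socket.inet_aton(addr), "big")

def matches(packet, client_ip=None, port=None):
    """Mirror the two example filters: IP at offsets 12/16, port at 20/22."""
    if client_ip is not None:
        want = ip_to_int(client_ip)
        return want in (read_accessor("[12,b]", packet), read_accessor("[16,b]", packet))
    return port in (read_accessor("[20:2,b]", packet), read_accessor("[22:2,b]", packet))

# Constructed sample packets using documentation address ranges.
PLAIN = build_packet("192.0.2.10", "198.51.100.20", 40000, 443)
WITH_OPTIONS = build_packet("192.0.2.10", "198.51.100.20", 40000, 443,
                            ip_options=b"\x01\x01\x01\x00")  # three NOPs + end-of-list

if __name__ == "__main__":
    print(matches(PLAIN, client_ip="192.0.2.10"))  # address filter on a plain header
    print(matches(PLAIN, port=443))                # port filter on a plain header
    print(matches(WITH_OPTIONS, port=443))         # same ports, header with options
```

The address offsets 12 and 16 are fixed in every IPv4 header, so the IP filter still matches the packet with options while the port filter does not.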
