Checkpoint FAQ
The following are some general troubleshooting shell commands:
tcpdump or fw monitor
Dumps current TCP/IP activity to the terminal. Control+C to stop logging.
For SecuRemote Client use: sr monitor
To see total packets dropped / passed use:
fw stat -i -l
fw debug
This option writes debugging info to the local log ($FWDIR/log/*.elg)
fw debug fwd on Start writing debug information.
fw debug fwd off Stop writing debug information.
(The debug output is automatically redirected to $FWDIR/log/fwd.elg.)
Syntax:
fw debug fwd on
fw debug fwd on TDERROR_ALL_ALL=3
fw debug fwd off
fw debug fwm on OPSEC_DEBUG_LEVEL
fw debug mdq on (Useful to see why mail is being dropped; you might want to try "fw debug in.asmtpd on" as well)
fw ctl arp
View proxy arp entries
In 4.1 and earlier releases, or in NG if manual NAT is used, you can use the command 'arp -s' to add a "proxy" arp entry in Unix. See 'man arp' for more information. To use 'arp -s', you will need to know the MAC address of the external interface. In Unix, use 'ifconfig -a' to get that information.
fw ctl debug -m fw memory : Assign the debug option memory for the fw module.
fw ctl debug -m fw : Verify that the debug option memory is assigned to the fw module.
fw ctl kdebug -f 2>
fw ctl kdebug -f >&
fw ctl debug -x
Disable/clear all debug options
fw ctl pstat
To verify kernel memory is not being abused.
fw tab -s
Examine the firewall kernel tables counts. Look for a table with high counts.
cpstat [-h host] [-p port] [-f flavour] [-d] entity
Displays the status of target hosts in various formats. cpstat is available in two versions (with or without the -r parameter).
cpstat fw -f smtp
SMTP statistics can be viewed
cpinfo
cpinfo is used to collect information that is used for debugging and solving VPN-1/FireWall-1 problems. cpinfo gathers information on the system parameters of the machine on which VPN-1/FireWall-1 is installed, and on VPN-1/FireWall-1 parameters such as interfaces and tables. cpinfo gathers the information by running operating system and VPN-1/FireWall-1 commands. The resulting file will usually be sent to Check Point Support (support@ts.checkpoint.com) for analysis.
cpinfo replaces fwinfo in VPN-1/FireWall-1 4.1.
netstat -na
To check whether SIC is listening to its network port.
netstat -na | find "18211" (Windows)
netstat -na | grep 18211 (Linux)
netstat -r
Displays the routing table.
cpd -d
To verify that the module is listening. Might give some clues regarding SIC communications.
cprlic print fw1 -all
Print CheckPoint License Info
router_load -cisco
Load config on a Cisco Router.
Syntax
router_load -cisco <ENABLE password|XXX|PROMPT>
fw lichosts
Determine the number of IPs behind the firewall; useful if you have a node-limited license.
fw log
There are four modes for showing the log database. These modes are used for support purposes, and make it possible to compare log events seen in the Log Viewer to the actual log records in the VPN-1/FireWall-1 log database (fw.log or any other log file produced by a log switch).
Syntax:
fw log -m initial
fw log -m raw
fw log -m semi
fw log -m account
fw log -f : Displays the log continuously.
cpmad -f
Two cpmad processes cannot normally run simultaneously. If there is a need to run a second cpmad process, run it with the -f switch.
dbedit
The utility (dbedit) allows administrators to make changes to the objects_5_0.C file like creating or modifying properties.
To save the changes issue:
update properties firewall_properties
Syntax:
create
modify
rename
update
delete
print
addelement
rmelement
fw tab -t
Displays firewall state tables
fwm psload
The fw psload command is run on the Management Server. It installs the Desktop Security policy on the Policy Server.
fwm psfetch
The fw psfetch command is run on the VPN/FireWall Module. It fetches the Desktop Security policy from the Management Server
fwm fingerprint
Running the fw fingerprint command on the Management Server displays the
Management Server’s fingerprint.
fwd -d
Running fwd manually with the '-d' parameter will give you a lot more debug information in the cpwd.elg log file.
cphaprob state
Status of high availability modules, shows which gateway is active, standby and down
Verify gateways are synchronizing with fw ctl pstat
netsod
Verifying the UAG Daemon is operating properly
Syntax:
netsod d #initialize uas daemon
netsod drv #uas driver commands
netsod query #perform command line uas query command
netsod update #perform command line uas update command
netsod kill #terminate uas daemon
netsod simple #initialize uas simple proxy
netsod simplekill #terminate uas simple proxy
netsod ver # display the uas version
netsod debug # Turn on/off UAS debug printings
kill
Use kill -9 pid, where the pid is from top or from ps aux. (First try to reboot the system; killing a kernel process will leave the firewall in an unstable state.)
ps -al
List current processes and the path, eg:
ps -ef | grep httpd    ps lists the running processes; grep reads the output of ps and prints only those lines containing the letters httpd.
top
Displays running processes and system uptime. (When running the top command from a remote ssh connection, use the export TERM=vt100 command to resolve display issues)
free
Displays memory and swap file usage
last
last user login
dmesg
Displays system messages and hardware details
Networking
ifconfig Displays status of active network interfaces
ifconfig -a Displays status of all interfaces, even those that are down
Configuration details of network interfaces are located in /etc/sysconfig/network-scripts
To change the ip address of an interface issue:
ifconfig eth0 <ip-address> netmask 255.255.255.0
This however does not survive a reboot. For permanent changes modify the relevant file eg: ifcfg-eth0 in /etc/sysconfig/network-scripts
You can bring an interface up or down by typing ifconfig eth0 up or down
route to see the current routes.
To add a route:
route add -net 192.168.22.0 netmask 255.255.255.0 gw 192.168.22.254
To delete a route
route del -net 192.168.22.0 netmask 255.255.255.0 gw 192.168.22.254
Verify connectivity:
ping 192.168.22.254
Use Control+C to stop pinging
Environment Variables
echo $PATH The PATH variable is a list of directories, separated by a colon, through which the shell searches for the executable program corresponding to the command you typed in at the prompt.
Example:
FWDIR=/opt/CPfw1-41; export FWDIR
PATH=$PATH:$FWDIR/bin; export PATH
MANPATH=$MANPATH:$FWDIR/man; export MANPATH
Only files on path (i.e. in directories listed in the PATH variable) can be executed directly. Thus to execute a command in a directory that is not on path, you must specify the path. Alternatively, rather than add a directory to PATH, you can make a symbolic link to the script in a directory which is already on path such as /usr/bin/ or /usr/local/bin/. It may even be easier just to move the script file to one of these directories.
If /sbin is in the path then users can use the command; if it is not and you want to add it for them, you need to add it to their profile.
vi /etc/profile
add or modify PATH variable:
PATH=$PATH:/sbin
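The profile lines above append to PATH unconditionally, so a profile that is sourced twice appends the same directory twice. The following is an added example (not from the original page) that makes the same PATH extension idempotent and lets you check whether a directory is already on the path; the FWDIR value used in the demo is a constructed sample, not a fact about any installation.

```shell
#!/bin/sh
# Added example (not from the original page): extend PATH the way the
# profile snippet does, but only when the directory is not already there.
# Uses only POSIX sh constructs; the FWDIR value below is constructed.

# Usage: on_path DIR  - true (exit 0) if DIR is already one of the PATH entries
on_path() {
    case ":$PATH:" in
        *":$1:"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Usage: add_to_path DIR  - append DIR to PATH only if it is missing
add_to_path() {
    if ! on_path "$1"; then
        PATH="$PATH:$1"
        export PATH
    fi
}

# Usage: count_in_path DIR  - print how many times DIR occurs in PATH
count_in_path() {
    echo ":$PATH:" | tr ':' '\n' | grep -cxF "$1" || true
}

# Stand-alone demo: constructed FWDIR, added twice, appears once.
FWDIR=${FWDIR:-/opt/CPfw1-41}; export FWDIR
add_to_path "$FWDIR/bin"
add_to_path "$FWDIR/bin"      # second call is a no-op
add_to_path /sbin
echo "$FWDIR/bin occurs $(count_in_path "$FWDIR/bin") time(s) in PATH"
```

Put the two function definitions in /etc/profile and call add_to_path there instead of the bare PATH=... assignment; the check in on_path matches whole entries, so /opt/CPfw1-41/bin does not count as present just because /opt/CPfw1-41/bin2 is.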
SecuRemote Client
Setting a Static Username and Password:
Scc.exe
Scc up jgreen password    Sets a static password for jgreen
Scc pc password c:\certs\jgreen.epf    Use certificate
Scc ep    Erase password
Scc setmode con    Exit command line mode
Scc d    Disconnect session
Scc s    Session status
Passwords are encrypted and stored in the registry under:
HKEY_CURRENT_USER\Software\Checkpoint\SecuRemote
Configure the dialer to run scc.exe after the connection has been made to establish the VPN tunnel. E.g.: Scc cn Jgreen (Jgreen is the profile name)
Disk and File Management
mount /dev/fd0 /mnt/floppy
Mounts the floppy (the directory floppy must exist in /mnt)
mount /mnt/cdrom Mounts the CDROM; cd /mnt/cdrom and run ls to view the contents of the CD
fdisk /dev/hda
Displays Partition Tables for first IDE hard disk
fdisk -l /dev/hda (Only prints the partition table)
(df is a safer command to use)
Log Files
In general, each NG log file is composed of four files:
xx.log - stores the log records
xx.logptr - pointers to the beginning of each log record
xx.loginitial_ptr - pointers to the beginning of each log chain (logs with the same connection id)
xx.logaccount_ptr - pointers to the beginning of each accounting record
In the case of the audit log file the files are xx.adtlog, xx.adtlogptr, xx.adtloginitial_ptr, and xx.adtlogaccount_ptr.
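Because a switched log is only usable together with its three pointer files, it is worth checking that all four are present before copying a log set off the box or comparing it against the Log Viewer. The following is an added example (not Check Point code) that does that check for either the traffic log (suffix log) or the audit log (suffix adtlog); the directory and file names in the demo are constructed.

```shell
#!/bin/sh
# Added example (not Check Point code): verify that a log set is complete,
# i.e. that xx.log plus its three pointer files all exist, using the naming
# pattern described above. Paths in the demo are constructed.

# Usage: check_log_set DIR BASENAME [SUFFIX]
# SUFFIX is "log" (default) for traffic logs or "adtlog" for the audit log.
# Prints each missing file; returns 0 if all four exist, 1 otherwise.
check_log_set() {
    dir=$1
    base=$2
    suffix=${3:-log}
    missing=0
    for ext in "$suffix" "${suffix}ptr" "${suffix}initial_ptr" "${suffix}account_ptr"; do
        f="$dir/$base.$ext"
        if [ ! -f "$f" ]; then
            echo "missing: $f"
            missing=1
        fi
    done
    return $missing
}

# Stand-alone demo with a constructed log directory under a temp dir.
demo_dir=$(mktemp -d)
for ext in log logptr loginitial_ptr logaccount_ptr; do
    : > "$demo_dir/2024-01-01_000000.$ext"
done
: > "$demo_dir/2024-01-02_000000.log"     # incomplete set: pointer files absent

check_log_set "$demo_dir" 2024-01-01_000000 && echo "2024-01-01_000000: complete set"
check_log_set "$demo_dir" 2024-01-02_000000 || echo "2024-01-02_000000: incomplete set"
rm -rf "$demo_dir"
```

Run it against $FWDIR/log with the base name of the switched file (the part before .log) to confirm the set is intact; a missing pointer file is the usual reason the Log Viewer and fw log -m disagree about a file.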
touch Creates a new, empty file
ls (-l) To list information about files or directories. The output is presented in alphabetical order by default.
df Displays drive and partition info (df -h - Displays in human readable format)
du /etc -s -h Displays the size of the etc directory
rm (-R) Removes a file (-R recursively deletes non-empty directories; the -f switch disables prompting before deleting. WARNING: use -Rf with care)
cp Copies files (-r - recursive: copy the whole directory tree, subdirectories and all)
mv (-i - interactive, -f - force, no prompting, -v - verbose) Moves and/or renames files
cd Change Directories
pwd Present working directory
mkdir Make a new directory
fsck -a -p /dev/hda1 Does a disk check (Find partitions using the df command)
touch file1 file2 file3 creates files file1 file2 file3 or updates their time stamp if they already exist.
less filename Prints out the file
Files can also be viewed with: cat, echo and more
cat filename Displays contents of file
cat filename | more Displays file one page at a time
whereis filename Finds / Locates a file
find /home -name httpd.conf searches /home and its subdirectories for the file httpd.conf.
Creating and Editing files using VI
vi is a text editor which comes with SecurePlatform
vi filename open ( or create) file in the vi editor.
The most important keys to remember are:
i ... this enters insert mode and allows you to insert text.
Esc ... this enters command mode, which you must be in to save the file, exit vi, or edit the text. Most of the time you switch back and forth between insert (i) and command (Esc) modes when writing a text file.
:wq ... save the file and exit back to the prompt. (You must be in command mode to do this!)
Useful key sequences in vi
i insert mode
<esc> command mode
a append
o inserts a new line below the current line; O inserts one above
arrows keys move a row or column at a time
h move left one column
j move down one row
k move up one row
l move right one column
<ctrl>u move up (back) one half screen
<ctrl>d move down (fwd) one half screen
<ctrl>f move forward one screen
<ctrl>b move back one screen
G move to the end of the file
x deletes character on which cursor appears
dd deletes the entire line on which cursor appears
/<string> search forwards for text string <string>
?<string> <return> search backwards for text string <string>
n find next occurrence of string from last search
N find previous occurrence of string from last search
:w save
:wq save and quit
ZZ save and quit
:q quit
:q! quit and discard changes (! forces the action)
:set nu Displays line numbers, useful when debugging error messages from scripts; :set nonu turns off line numbers
Backing up files and directories
tar cvf fwconfig.tar /opt/CPfw1-50-03/conf Creates a tar archive of the directory contents of /opt/CPfw1-50-03/conf and saves the output as fwconfig.tar
tar tf tarfile.tar List contents of tar file
tar -xvf tarfile.tar Extracts tarfile.tar using the verbose option. When extracting, you have to use the -f option in order to specify the file. If the tar file contained a directory and its files and sub-directories, these will be recreated upon extraction.
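A backup is only worth having if it can be read back, so the tar cvf step above should be followed by a tar tf listing of the result. The following is an added example (not Check Point code) that wraps the two steps into a timestamped backup of a conf directory plus a verification step; the conf directory and file names in the demo are constructed, and the real target would be $FWDIR/conf.

```shell
#!/bin/sh
# Added example (not Check Point code): archive a configuration directory
# with tar and verify the archive lists cleanly before relying on it.
# The demo directory and file names are constructed.

# Usage: backup_conf CONF_DIR DEST_DIR
# Creates DEST_DIR/fwconfig-YYYYMMDD-HHMMSS.tar and prints its path.
backup_conf() {
    src=$1
    dest=$2
    stamp=$(date +%Y%m%d-%H%M%S)
    archive="$dest/fwconfig-$stamp.tar"
    # -C: archive relative to the parent directory so the tar holds
    # "conf/..." entries rather than absolute paths.
    tar cf "$archive" -C "$(dirname "$src")" "$(basename "$src")" || return 1
    echo "$archive"
}

# Usage: verify_archive ARCHIVE_TAR
# Fails if tar cannot read the archive; otherwise prints the entry count.
verify_archive() {
    tar tf "$1" >/dev/null || return 1
    tar tf "$1" | wc -l | tr -d ' '
}

# Stand-alone demo with a constructed conf directory under a temp dir.
demo=$(mktemp -d)
mkdir "$demo/conf"
echo 'constructed sample' > "$demo/conf/objects_5_0.C"
echo 'constructed sample' > "$demo/conf/example.conf"
arc=$(backup_conf "$demo/conf" "$demo")
echo "archive $arc holds $(verify_archive "$arc") entries"
tar tf "$arc"
rm -rf "$demo"
```

On a live box call backup_conf "$FWDIR/conf" /some/backup/dir and keep the verify_archive output with the file; the entry count is a cheap way to spot a truncated copy after the tar has been moved elsewhere.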
Tip:
SSH File Transfer provides file editing and copying in a Windows environment. You can download it from here:
http://www.ssh.com/support/downloads/secureshellwks/non-commercial.html
(for non-commercial use)
I prefer WinSCP, a much better tool and suitable for commercial use.
http://winscp.vse.cz/eng/
But one caveat with editing files on a Windows/DOS machine is that there is a potential danger that those non-Unix editors are messing with the end-of-line markers in the text file (only LF (0Ah) in Unix, CR-LF (0Dh-0Ah) in DOS/Windows) and can cause the resulting file not to work.
Still a great way to navigate and copy files over a secure tunnel.
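The CR-LF problem described above is easy to check for on the firewall itself before a copied file is used. The following is an added example (not from the original page) that detects CR-LF terminated lines in a file and strips the CRs, using only POSIX tools; the sample file it creates is constructed.

```shell
#!/bin/sh
# Added example (not from the original page): detect DOS/Windows CR-LF line
# endings in a file edited on Windows and copied to the firewall, and
# convert it to Unix LF-only endings. The sample file is constructed.

CR=$(printf '\r')    # a literal carriage return for use in grep patterns

# Usage: has_crlf FILE  - true (exit 0) if any line ends in CR-LF
has_crlf() {
    grep -q "$CR\$" "$1"
}

# Usage: count_crlf FILE  - prints the number of CR-LF terminated lines
count_crlf() {
    grep -c "$CR\$" "$1" || true    # grep exits 1 when the count is 0
}

# Usage: to_unix FILE  - removes every CR, writing through a temp file
to_unix() {
    tmp="$1.tmp.$$"
    tr -d '\r' < "$1" > "$tmp" && mv "$tmp" "$1"
}

# Stand-alone demo on a constructed profile fragment with DOS line endings.
sample=$(mktemp)
printf 'FWDIR=/opt/CPfw1-41; export FWDIR\r\nPATH=$PATH:$FWDIR/bin; export PATH\r\n' > "$sample"
has_crlf "$sample" && echo "$sample has $(count_crlf "$sample") CR-LF line(s)"
to_unix "$sample"
has_crlf "$sample" || echo "$sample now has Unix line endings"
rm -f "$sample"
```

Run has_crlf on anything copied over from Windows (profiles, scripts, dbedit input) before using it; a shell script with a CR-LF first line fails with an interpreter-not-found error because the CR becomes part of the interpreter path.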