CheckMatesCLI REVISED
Timothy Hall
CISSP, CCSI, CCSM, CCNA Security
Shadow Peak Inc, a Check Point ATC
Author of book “Max Power: Check Point Firewall Performance Optimization”
Second Edition (fully updated for R80.10!) Published January 8th
maxpowerfirewalls.com
CLI Troubleshooting the “Roach Motel” Effect
Packets show up at the firewall, but they don’t leave, and there is no logging indication of what happened to them. Let’s take a look...
Roach Motel: Was the packet really received by the firewall?
Make sure the destination MAC address on the frame actually matches the firewall’s MAC address (or the cluster VMAC address). Use tcpdump -e to display the Ethernet header of the arriving frames and ifconfig to show the interface’s own hardware address. This can definitely be an issue during a firewall replacement, when the adjacent router still has the old gateway’s MAC cached:
Roach Motel: Sending Gratuitous ARPs with arping (sk92483)
If the destination MAC address shown by tcpdump doesn’t match, clear the ARP cache of the adjacent Layer 3 device. If you don’t have access to that device, use the little-known arping command to update the device’s ARP cache:
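The MAC comparison from the previous two slides, scripted so it can be repeated on each interface during a replacement. This is an added example, not from the slides or from Check Point: the functions (frame_dst_mac, iface_mac, frame_is_for_us, garp_cmd) are mine, the tcpdump and ifconfig lines are constructed sample data, and the arping flags are the iputils ones (-U unsolicited, -c count, -I interface, -s source IP); sk92483 documents the exact Gaia form, so check it before running the printed command on a gateway.

```shell
#!/bin/sh
# Added example (not from the original slides): verify that frames arriving on a
# gateway interface carry the interface's own MAC (or the cluster VMAC) as the
# destination, and emit the arping needed to refresh an adjacent router's ARP
# cache when they do not. The tcpdump/ifconfig lines below are constructed.

# Normalise a MAC to lower-case, colon-separated form so the comparison does
# not depend on how tcpdump or ifconfig prints it (tcpdump adds a trailing comma).
norm_mac() {
    printf '%s\n' "$1" | tr 'A-F' 'a-f' | tr -d ' ,'
}

# Destination MAC of a frame printed by "tcpdump -e": the 4th whitespace-
# separated field ("<timestamp> <src MAC> > <dst MAC>, ethertype ...").
frame_dst_mac() {
    norm_mac "$(printf '%s\n' "$1" | awk '{print $4}')"
}

# Hardware address from ifconfig output. Gaia's net-tools prints "HWaddr xx";
# newer net-tools prints "ether xx", so accept both and take the first hit.
iface_mac() {
    norm_mac "$(printf '%s\n' "$1" | awk '
        /HWaddr/ { for (i = 1; i <= NF; i++) if ($i == "HWaddr") print $(i + 1) }
        /ether / { for (i = 1; i <= NF; i++) if ($i == "ether")  print $(i + 1) }
    ' | head -n 1)"
}

# frame_is_for_us <tcpdump line> <mac> [<mac> ...]: 0 if the frame is addressed
# to any of the given MACs (interface MAC, optionally the cluster VMAC), else 1.
frame_is_for_us() {
    frame="$1"; shift
    dst=$(frame_dst_mac "$frame")
    for m in "$@"; do
        [ "$dst" = "$(norm_mac "$m")" ] && return 0
    done
    return 1
}

# The gratuitous ARP to send when the neighbour still points at the old MAC.
# iputils arping flags; the sk92483 form may differ (assumption, verify first).
garp_cmd() {
    printf 'arping -U -c 3 -I %s -s %s %s\n' "$1" "$2" "$2"
}

# --- demo on constructed data ------------------------------------------------
TCPDUMP_LINE='10:42:07.113355 00:50:56:aa:11:22 > 00:1C:7F:12:34:56, ethertype IPv4 (0x0800), length 74: 10.1.1.5 > 10.2.2.9: ICMP echo request'
IFCONFIG_OUT='eth1      Link encap:Ethernet  HWaddr 00:1C:7F:65:43:21'
VMAC='00:1c:7f:00:00:fe'

if frame_is_for_us "$TCPDUMP_LINE" "$(iface_mac "$IFCONFIG_OUT")" "$VMAC"; then
    echo "frame is addressed to this gateway; look further inside (INSPECT/SecureXL/Gaia)"
else
    echo "destination MAC mismatch; refresh the neighbour's ARP cache with:"
    garp_cmd eth1 10.1.1.1
fi
```

On a real gateway replace the two constructed strings with the output of `tcpdump -eni eth1 -c 20` and `ifconfig eth1`, and pass the VMAC only if the cluster uses one.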
Roach Motel: Packet was definitely received, but what “ate it”?
INSPECT/SecureXL ate it and why:
Gaia ate it: packet hits iI but does not appear at oO:
ClusterXL - Failover History
Undocumented clish command gives a concise timeline of ClusterXL failovers, very handy when trying to correlate failovers to external network events:
ClusterXL – Persistent Administrative Failovers
Command clusterXL_admin down registers a “fake” pnote failure called “admin_down” that will cause an immediate failover if executed on the active member. However, this fake failure will not survive a reboot. In some cases, such as during code upgrades, keeping this fake failure across reboots is useful with -p (clusterXL_admin down -p); remember to clear it afterwards with clusterXL_admin up -p, or the member stays down after the upgrade:
Creating Test Traffic – pinj (sk110865)
This great tool allows you to craft packet traffic and observe how the firewall handles it. The pinj tool can be used to craft traffic that passes through all four firewall inspection points: iIoO (the fw monitor capture points: i pre-inbound, I post-inbound, o pre-outbound, O post-outbound).
Creating Test Traffic: tcptraceroute
Unfortunately pinj does not currently work on an R80.10 gateway. tcptraceroute can be used instead, but because the crafted traffic originates on the gateway itself rather than arriving on an interface, it will only go through the oO capture points.
Firewall Tables
Undocumented fw ctl conntab command presents a very nicely-formatted version of the connections table with session timers and other great info; compare with fw tab -u -f -t connections
The Antispoofing “Panic Button”
Traffic being unexpectedly dropped by antispoofing can strike seemingly without warning, and even cut off control traffic from the SMS in extreme cases, requiring an outage (fw unloadlocal) to recover. However, antispoofing can be disabled “on the fly” with these commands. The second line is necessary if SecureXL is enabled (check with fwaccel stat):
fw ctl set int fw_antispoofing_enabled 0
sim feature anti_spoofing off; fwaccel off; fwaccel on
Treat this as temporary: with antispoofing off the gateway will accept packets with any source address on any interface, so fix the topology and re-enable it as soon as the cause is found.
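The panic button wrapped as one function that runs the SecureXL line only when fwaccel stat actually reports acceleration on. This is an added example, not code from the slides or from Check Point: the function names, the DRY_RUN switch and the SAMPLE_FWACCEL_STAT text are mine; the pattern that recognises “Accelerator Status : on” (older releases) or an “enabled” Status column (newer table-style output) is an assumption about fwaccel stat’s format and should be verified on your release; and antispoofing_set 1 is the assumed inverse of the slide’s commands (fw_antispoofing_enabled 1, sim feature anti_spoofing on), which the slide itself does not show.

```shell
#!/bin/sh
# Added example (not from the original slides): the antispoofing "panic button"
# as one function, running the SecureXL line only when "fwaccel stat" reports
# acceleration on. DRY_RUN=1 (the default here) prints the commands instead of
# executing them; set DRY_RUN= (empty) on a real gateway to run them.
DRY_RUN=${DRY_RUN:-1}

# Constructed stand-in for "fwaccel stat" output, in the "Accelerator Status"
# form older releases print. Newer releases print a table with a Status column
# instead; both are matched below (assumption about the format: verify on your
# release before relying on it).
SAMPLE_FWACCEL_STAT='Accelerator Status : on
Accept Templates   : enabled
Drop Templates     : disabled'

# run <cmd...>: echo in dry-run mode, execute otherwise.
run() {
    if [ -n "$DRY_RUN" ]; then echo "[dry-run] $*"; else "$@"; fi
}

fwaccel_stat() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$SAMPLE_FWACCEL_STAT"; else fwaccel stat; fi
}

# securexl_enabled_in <fwaccel stat output>: 0 if SecureXL is on, 1 otherwise.
securexl_enabled_in() {
    printf '%s\n' "$1" |
        grep -Eiq 'Accelerator Status[[:space:]]*:[[:space:]]*on|\|[[:space:]]*enabled[[:space:]]*\|'
}

securexl_enabled() { securexl_enabled_in "$(fwaccel_stat)"; }

# antispoofing_set 0  -> panic button (the two lines from the slide)
# antispoofing_set 1  -> put it back (assumed inverse of the same commands)
antispoofing_set() {
    case "$1" in
        0) sim_state=off ;;
        1) sim_state=on ;;
        *) echo "usage: antispoofing_set 0|1" >&2; return 2 ;;
    esac
    run fw ctl set int fw_antispoofing_enabled "$1"
    if securexl_enabled; then
        # SecureXL keeps its own copy of the setting; bounce acceleration so it
        # picks the change up.
        run sim feature anti_spoofing "$sim_state"
        run fwaccel off
        run fwaccel on
    fi
}

# Demo: show what the panic button would execute on this (simulated) gateway.
antispoofing_set 0
```

Run it with DRY_RUN=1 first and compare the printed commands with the slide; the only difference on a gateway without SecureXL is that the sim/fwaccel lines are skipped.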
Resetting SIC Without a Firewall Outage (sk86521)
If SIC becomes broken between the gateway and SMS, the usual way to recover is to run cpconfig on the gateway and set a new activation key, but this process causes an outage on the firewall until SIC is re-established and policy pushed. However, these commands can be used to set a new SIC activation key without a gateway outage (only the CPD process is restarted; the kernel firewall keeps passing traffic):
cp_conf sic init ACTIVATIONKEY norestart
cpwd_admin stop -name CPD -path "$CPDIR/bin/cpd_admin" -command "cpd_admin stop"
cpwd_admin start -name CPD -path "$CPDIR/bin/cpd" -command "cpd"
The IPS/Threat Prevention “Panic Button”
If you suspect that IPS and/or Threat Prevention is causing gateway performance problems, or impeding traffic unexpectedly, it can be disabled on the fly for testing:
Healthcheck.sh script (sk121447)
cpview Little-known Options: -p
You can dump all possible cpview screens once, great for repeated execution during a brief problematic period of time and grabbing lots of statistics for later analysis: cpview -p >> cpview.txt
Make sure cpview history is being recorded on all your gateways so it is there when you need it! 30 days worth of data is stored by default: cpview history stat
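Repeating cpview -p during an incident produces one long file with no markers between dumps. The script below, an added example and not from the slides, bounds the capture to N dumps at a fixed interval, writes a timestamp header before each dump so the file can be split later, and pulls a single dump back out by time. collect_cpview, extract_dump and the DRY_RUN switch are my names; with DRY_RUN set, a constructed two-line stub stands in for cpview -p so the script runs off a gateway.

```shell
#!/bin/sh
# Added example (not from the original slides): bound a repeated "cpview -p"
# capture to N dumps at a fixed interval, tag each dump with a timestamp so the
# concatenated file can be split later, and pull one dump back out by time.
# With DRY_RUN set (the default here) a constructed stub stands in for cpview;
# set DRY_RUN= (empty) on a real gateway.
DRY_RUN=${DRY_RUN:-1}

cpview_dump() {
    if [ -n "$DRY_RUN" ]; then
        echo "CPU  usage 42%"      # constructed stand-in for cpview -p output
        echo "Memory 1234M"        # constructed
    else
        cpview -p
    fi
}

# collect_cpview <interval_seconds> <count> <outfile>
# e.g. collect_cpview 10 30 /var/log/cpview-p.txt covers a five-minute incident.
collect_cpview() {
    interval="$1"; count="$2"; out="$3"; i=0
    while [ "$i" -lt "$count" ]; do
        printf '=== cpview-p %s ===\n' "$(date '+%Y-%m-%dT%H:%M:%S')" >> "$out"
        cpview_dump >> "$out"
        i=$((i + 1))
        if [ "$i" -lt "$count" ]; then sleep "$interval"; fi
    done
}

# extract_dump <outfile> <timestamp_prefix>: print the dump(s) whose header
# timestamp starts with the prefix, e.g. extract_dump cpview-p.txt 2018-03-01T14:05
# (a minute-level prefix returns every dump taken in that minute).
extract_dump() {
    awk -v p="$2" '
        /^=== cpview-p / { show = (index($3, p) == 1); next }
        show { print }
    ' "$1"
}
```

The header format is deliberately simple so grep -n '^=== cpview-p' on the file gives an index of every dump with its line number.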
cpview Little-known Options: -t
Your own personal cpview Wayback Machine for the 30 days of historical statistics kept by default: cpview -t
THANK YOU!
Timothy Hall