0% found this document useful (0 votes)

132 views

CP R80.30 GA CLI ReferenceGuide

The document describes various commands and subcommands for managing certificates and certificate authorities. The top level commands are cpwd_admin, contract_util, cpca_client, and mgmt_cli. Cpwd_admin allows configuring password policies. Contract_util manages service contracts. Cpca_client allows managing certificates issued by a certificate authority, including creating, revoking, and listing certificates. Mgmt_cli is used to manage the device.

Uploaded by

jarriaga.gonzalez

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

132 views

CP R80.30 GA CLI ReferenceGuide

Uploaded by

jarriaga.gonzalez

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 1137

 sim sim6

 pdp nested_groups __set_state 4

 fw up_execute
 usrchk

 fw monitor

 mds_backup
 migrate
 queryDB_util
 vpn debug

 fwaccel cfg


 fw monitor
 migrate
 mds_backup
 mds_restore
main command
 nested subcommand 1
  nested subsubcommand 1-1
  nested subsubcommand 1-2
 nested subcommand 2

cpwd_admin
config
-a <options>
-d <options>
-p
-r
del <options>

 cpwd_admin config -a < >

 cpwd_admin config -d < >
 cpwd_admin config -p
 cpwd_admin config -r
 cpwd_admin del < >





 mgmt_cli.exe
 mgmt_cli


api restart

mgmt_cli

mgmt_cli

mgmt_cli
contract_util [-d]
check <options>
cpmacro <options>
download <options>
mgmt
print <options>
summary <options>
update <options>
verify

check < >

cpmacro < > cp.macro cp.macro

download < >

mgmt

print < >

summary

update < >

verify
contract_util check
{-h | -help}
hfa
maj_upgrade
min_upgrade
upgrade

{-h | -help}

hfa

maj_upgrade

min_upgrade

upgrade
cp.macro cp.macro

cp.macro

contract_util cpmacro /<path_to>/cp.macro

CntrctUtils_Write_cp_macro returned -1 contract_util cpmacro

CntrctUtils_Write_cp_macro returned 0 contract_util cpmacro

CntrctUtils_Write_cp_macro returned 1 contract_util cpmacro

contract_util download
{-h | -help}
local
{-h | -help}
[{hfa | maj_upgrade | min_upgrade | upgrade}] <Service Contract File>
uc
{-h | -help}
[-i] [{hfa | maj_upgrade | min_upgrade | upgrade}] <Username>
<Password> [<Proxy Server> [<Proxy Username>:<Proxy Password>]]

{-h | -help}

-i

local
cplic contract put (on page )

hfa

maj_upgrade

min_upgrade

upgrade

< >

< > [<

>:<
>]  < >

 < >
 < >
< >
contract_util mgmt
contract_util [-d] print
{-h | -help}
hfa
maj_upgrade
min_upgrade
upgrade

{-h | -help}

-d

hfa

maj_upgrade

min_upgrade

upgrade
contract_util summary
hfa
maj_upgrade
min_upgrade
upgrade

hfa

maj_upgrade

min_upgrade

upgrade
contract_util update
[-proxy <Proxy Server>:<Proxy Port>]
[-ca_path <Path to ca-bundle.crt File>]

update

-proxy <
>:< >
 < >

 < >

-ca_path <
> ca-bundle.crt
contract_util check

contract_util verify
mdsenv < >
cpca_client ...

cpca_client [-d]
create_cert <options>
double_sign <options>
get_crldp <options>
get_pubkey <options>
init_certs <options>
lscert <options>
revoke_cert <options>
revoke_non_exist_cert <options>
search <options>
set_mgmt_tool <options>
set_sign_hash <options>

-d cpca_client

create_cert

double_sign
get_crldp

get_pubkey

init_certs

lscert
revoke_cert
revoke_non_exist_cert

search
set_mgmt_tool
set_sign_hash
cpca_client [-d] create_cert [-p <CA port number>] -n "CN=<Common Name>" -f <Full
Path to PKCS12 file> [-w <Password>] [-k {SIC | USER | IKE | ADMIN_PKG}] [-c "<Comment
for Certificate>"]

-d

-p < >

-n "CN=< < >

>"
-f <
>
-w < >
-k {SIC | USER | IKE
| ADMIN_PKG}
-c "<
>"

[Expert@MGMT:0]# cpca_client create_cert -n "cn=cp_mgmt" -f

$CPDIR/conf/sic_cert.p12
cpca_client [-d] double_sign [-p <CA port number>] -i <Certificate File in PEM
format> [-o <Full Path to Output File>]

-d

-p < >

-i <
>
-o <
>

[Expert@MGMT:0]# cpca_client double_sign -i certificate.pem

Requesting Double Signature for the following Certificate:

refCount: 1
Subject: [email protected],CN=http://www.example.com/,OU=ValiCert Class 2 Policy
Validation Authority,O=exampleO\, Inc.,L=ExampleL Validation Network

Double Sign of Cert:

======================
(
: (
:dn ("[email protected],CN=http://www.example.com/,OU=exampleOU Class 2
Policy Validation Authority,O=exampleO\, Inc.,L=exampleL Validation Network")
:doubleSignCert (52016390... ... ...ebb67e96)
:return_code (0)
)
)

[Expert@MGMT:0]#
cpca_client [-d] get_crldp [-p <CA port number>]

-d

-p < >

[Expert@MGMT:0]# cpca_client get_crldp

192.168.3.51
[Expert@MGMT:0]
cpca_client [-d] get_pubkey [-p <CA port number>] <Full Path to Output File>

-d

-p < >

< >

[Expert@MGMT:0]# cpca_client get_pubkey /tmp/key.txt

[Expert@MGMT:0]#
[Expert@MGMT:0]# cat /tmp/key.txt
3082010a... ... ...f98b8910
[Expert@MGMT:0]#
cpca_client [-d] init_certs [-p <CA port number>] -i <Full Path to Input File> -o
<Full Path to Output File>

-d

-p < >

-i < >

...CN=test1,OU=users...
<Empty Line>
...CN=test2,OU=users...

-o < >

>.failures
cpca_client [-d] lscert [-dn <SubString>] [-stat {Pending | Valid | Revoked |
Expired | Renewed}] [-kind {SIC | IKE | User | LDAP}] [-ser <Certificate Serial
Number>] [-dp <Certificate Distribution Point>]

-d

-dn < >

< >.

-stat {Pending |
Valid | Revoked |
Expired | Renewed}

-kind {SIC | IKE |

User | LDAP}

-ser <
>

-dp <
>

[Expert@MGMT:0]# cpca_client lscert -stat Revoked

Operation succeeded. rc=0.
5 certs found.

Subject = CN=VSX2,O=MyDomain_Server.checkpoint.com.s6t98x
Status = Revoked Kind = SIC Serial = 5521 DP = 0
Not_Before: Sun Apr 8 14:10:01 2018 Not_After: Sat Apr 8 14:10:01 2023

Subject = CN=VSX1,O=MyDomain_Server.checkpoint.com.s6t98x
Status = Revoked Kind = SIC Serial = 9113 DP = 0
Not_Before: Sun Apr 8 14:09:02 2018 Not_After: Sat Apr 8 14:09:02 2023

Subject = CN=VSX1 VPN Certificate,O=MyDomain_Server.checkpoint.com.s6t98x

Status = Revoked Kind = IKE Serial = 82434 DP = 2
Not_Before: Mon May 14 19:15:05 2018 Not_After: Sun May 14 19:15:05 2023
[Expert@MGMT:0]#
[Expert@MGMT:0]# cpca_client lscert -kind IKE
Operation succeeded. rc=0.
3 certs found.

Subject = CN=VS1 VPN Certificate,O=MyDomain_Server.checkpoint.com.s6t98x

Status = Valid Kind = IKE Serial = 27214 DP = 1
Not_Before: Wed Apr 11 17:26:02 2018 Not_After: Tue Apr 11 17:26:02 2023

Subject = CN=VSX_Cluster VPN Certificate,O=MyDomain_Server.checkpoint.com.s6t98x

Status = Valid Kind = IKE Serial = 64655 DP = 1
Not_Before: Mon Apr 9 19:36:31 2018 Not_After: Sun Apr 9 19:36:31 2023

Subject = CN=VSX1 VPN Certificate,O=MyDomain_Server.checkpoint.com.s6t98x

Status = Revoked Kind = IKE Serial = 82434 DP = 2
Not_Before: Mon May 14 19:15:05 2018 Not_After: Sun May 14 19:15:05 2023
[Expert@MGMT:0]#
cpca_client [-d] revoke_cert [-p <CA port number>] -n "CN=<Common Name>" -s
<Certificate Serial Number>

-d

-p < >

-n "CN=<
>" cpca_client lscert
Subject =
,O=...

Subject = CN=VS1 VPN Certificate,O=MyDomain_Server.checkpoint.com.s6t98x

Status = Valid Kind = IKE Serial = 27214 DP = 1
Not_Before: Wed Apr 11 17:26:02 2018 Not_After: Tue Apr 11 17:26:02 2023

-n "CN=VS1 VPN Certificate

-n
-s
-s <
> cpca_client lscert
-s
-n

[Expert@MGMT:0]# cpca_client lscert

Subject = CN=VS1 VPN Certificate,O=MyDomain_Server.checkpoint.com.s6t98x
Status = Valid Kind = IKE Serial = 27214 DP = 1
Not_Before: Wed Apr 11 17:26:02 2018 Not_After: Tue Apr 11 17:26:02 2023
[Expert@MGMT:0]#
[Expert@MGMT:0]# cpca_client -d revoke_cert -n "CN=VS1 VPN Certificate"
Certificate was revoked successfully
[Expert@MGMT:0]#
[Expert@MGMT:0]# cpca_client lscert
Subject = CN=VS1 VPN Certificate,O=MyDomain_Server.checkpoint.com.s6t98x
Status = Valid Kind = IKE Serial = 27214 DP = 1
Not_Before: Wed Apr 11 17:26:02 2018 Not_After: Tue Apr 11 17:26:02 2023
[Expert@MGMT:0]#
[Expert@MGMT:0]# cpca_client -d revoke_cert -s 27214
Certificate was revoked successfully
[Expert@MGMT:0]#
cpca_client [-d] revoke_non_exist_cert -i <Full Path to Input File>

-d cpca_client
-i <
> cpca_client lscert

Subject = CN=cp_mgmt,O=MGMT.5p72vp
Status = Valid Kind = SIC Serial = 30287 DP = 0
Not_Before: Sat Apr 7 19:40:12 2018 Not_After: Fri Apr 7 19:40:12 2023
<Empty Line>
Subject = CN=cp_mgmt,O=MGMT.5p72vp
Status = Valid Kind = SIC Serial = 60870 DP = 0
Not_Before: Sat Apr 7 19:40:13 2018 Not_After: Fri Apr 7 19:40:13 2023

Name of Input File>.failures

cpca_client [-d] search <String> [-where {dn | comment | serial | device_type |
device_id | device_name}] [-kind {SIC | IKE | User | LDAP}] [-stat {Pending | Valid
| Revoked | Expired | Renewed}] [-max <Maximal Number of Results>] [-showfp {y |
n}]

-d

< >

-where {dn | comment

| serial |
device_type |
device_id |  dn
device_name}
 comment
 serial
 device_type
 device_id
 device_name

-kind {SIC | IKE |

User | LDAP}
-kind Kind1 Kind2 Kind3

-stat {Pending |
Valid | Revoked |
Expired | Renewed}
-stat Status1 Status2 Status3

-max <
> 

-showfp {y | n}

 y

 n

[Expert@MGMT:0]# cpca_client search samplecompany -where comment -kind SIC LDAP

-stat Pending Valid Renewed

[Expert@MGMT:0]# cpca_client search 192.168.3.51 -where dn

Operation succeeded. rc=0.
1 certs found.

Subject = CN=192.168.3.51,O=MGMT.5p72vp
Status = Valid Kind = SIC Serial = 73455 DP = 0
Not_Before: Sat Apr 7 19:40:12 2018 Not_After: Fri Apr 7 19:40:12 2023
Fingerprint = XXX XXX XXX XXX XXX XXX XXX XXX XXX XXX XXX XXX
Thumbprint = xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
[Expert@MGMT:0]#

[Expert@MGMT:0]# cpca_client search 192.168.3.51 -where dn -showfp n

Operation succeeded. rc=0.
1 certs found.

Subject = CN=192.168.3.51,O=MGMT.5p72vp
Status = Valid Kind = SIC Serial = 73455 DP = 0
Not_Before: Sat Apr 7 19:40:12 2018 Not_After: Fri Apr 7 19:40:12 2023
[Expert@MGMT:0]#


cpca_client [-d] set_mgmt_tool {on | off | add | remove | clean | print} [-p <CA
port number>] {[-a <Administrator DN>] | [-u <User DN>] | [-c <Custom User DN>]}

-d

on
off
add

remove

clean

-p < >
-a < >

-a "CN=ICA_Tool_Admin,OU=users,O=MGMT.s6t98x"
-u < >

-u "CN=ICA_Tool_User,OU=users,O=MGMT.s6t98x"
-c < >

-c "CN=ICA_Tool_User,OU=users,O=MGMT.s6t98x"

cpca_client set_mgmt_tool -a
-u
cpca_client [-d] set_sign_hash {sha1 | sha256 | sha384 | sha512}

cpstop
cpstart

mdsstop_customer < >

mdsstart_customer < >

-d

{sha1 | sha256 |
sha384 | sha512}

[Expert@MGMT:0]# cpca_client set_sign_hash sha256

You have selected the signature hash function SHA-256

WARNING: This hash algorithm is not supported in Check Point gateways prior to R71.
WARNING: It is also not supported on older clients and SG80 R71.

Are you sure? (y/n)

y
Internal CA signature hash changed successfully.
Note that the signature on the Internal CA certificate has not changed, but this
has no security implications.
[Expert@MGMT:0]#
[Expert@MGMT:0]# cpstop ; cpstart
cp_conf
-h
admin <options>
auto <options>
ca <options>
client <options>
finger <options>
lic <options>
snmp <options>

-h

admin

auto

ca 


client

finger

lic

snmp

 cpconfig

 cpconfig

cp_conf admin
-h
add [<UserName> <Password> {a | w | r}]
add -gaia [{a | w | r}]
del <UserName1> <UserName2> ...
get

-h

add [< >

< > {a | w | r}]  < >

 < >
 a

 w

 r
add -gaia [{a | w | r}] admin
 a

 w

 r
del

get
get -gaia
admin
[Expert@MGMT:0]# cp_conf admin add
Administrator name: admin
Administrator admin already exists.
Do you want to change Administrator's Permissions (y/n) [n] ? y

Permissions for all products (Read/[W]rite All, [R]ead Only All, [C]ustomized) c
Permission for SmartUpdate (Read/[W]rite, [R]ead Only, [N]one) w
Permission for Monitoring (Read/[W]rite, [R]ead Only, [N]one) w

Administrator admin was modified successfully and has

Read/Write Permission for SmartUpdate
Read/Write Permission for Monitoring
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf admin get

The following Administrators

are defined for this Security Management Server:

admin (Read/Write Permission for all products; )

[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf admin add -gaia

Permissions for all products (Read/[W]rite All, [R]ead Only All, [C]ustomized) C
Permission for SmartUpdate (Read/[W]rite, [R]ead Only, [N]one) w
Permission for Monitoring (Read/[W]rite, [R]ead Only, [N]one) w
Administrator admin was added successfully and has
Read/Write Permission for SmartUpdate
Read/Write Permission for Monitoring
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf admin get -gaia

The following Administrators

are defined for this Security Management Server:

admin (Read/Write Permission for all products; ) - Gaia admin

[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf admin add -gaia a

Administrator admin already exists.

Administrator admin was modified successfully and has

Read/Write Permission for all products with Permission to Manage Administrators
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf admin add -gaia w

Administrator admin already exists.

Administrator admin was modified successfully and has

Read/Write Permission for all products without Permission to Manage Administrators
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf admin add -gaia r

Administrator admin already exists.

Administrator admin was modified successfully and has

Read Only Permission for all products
[Expert@MGMT:0]#
cpconfig

cp_conf auto
-h
{enable | disable} <Product1> <Product2> ...
get all

-h
{enable | disable}
< > < > ...

get all





[Expert@MGMT:0]# cp_conf auto get all

Check Point Security Gateway is not installed

QoS is not installed

The SmartEvent Suite will start automatically at boot time.

[Expert@MGMT:0]#

[Expert@MyGW:0]# cp_conf auto get all

The Check Point Security Gateway will start automatically at boot time.

QoS will start automatically at boot time.

SmartEvent Suite is not installed

[Expert@MyGW:0]#


cpconfig

cp_conf ca
-h
fqdn <FQDN Name>
init

-h

fqdn < >

< >
init

[Expert@MyMGMT:0]# hostname
MyMGMT
[Expert@MyMGMT:0]#

[Expert@MyMGMT:0]# domainname
checkpoint.com
[Expert@MyMGMT:0]#

[Expert@MyMGMT:0]# cp_conf ca fqdn MyMGMT.checkpoint.com

Trying to contact Certificate Authority. It might take a while...
Certificate was created successfully
MyMGMT.checkpoint.com was successfully set to the Internal CA
[Expert@MyMGMT:0]#

 cpconfig

cp_conf client
add <GUI Client>
createlist <GUI Client 1> <GUI Client 2> ...
del <GUI Client 1> <GUI Client 2> ...
get

-h

< > < >




 "Any"


add < >
createlist < >
< > ...
del < ><
> ...
get

[Expert@MGMT:0]# cp_conf client get

There are no GUI Clients defined for this Security Management Server
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client add 172.20.168.15

172.20.168.15 was successfully added.
[Expert@MGMT:0]#
[Expert@MGMT:0]# cp_conf client get
172.20.168.15
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client del 172.20.168.15

172.20.168.15 was deleted successfully
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client get

There are no GUI Clients defined for this Security Management Server
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client add MySmartConsoleHost

MySmartConsoleHost was successfully added.
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client get

MySmartConsoleHost
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client del MySmartConsoleHost

MySmartConsoleHost was deleted successfully
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client get

There are no GUI Clients defined for this Security Management Server
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client add "Any"

Any was successfully added.
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client get

Any
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client del "Any"

Any was deleted successfully
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client get

There are no GUI Clients defined for this Security Management Server
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client add 172.20.168.0/255.255.255.0

172.20.168.0/255.255.255.0 was successfully added.
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client get

172.20.168.0/255.255.255.0
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client del 172.20.168.0/255.255.255.0

172.20.168.0/255.255.255.0 was deleted successfully
[Expert@MGMT:0]#
[Expert@MGMT:0]# cp_conf client get
There are no GUI Clients defined for this Security Management Server
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client add 172.20.168.*

172.20.168.* was successfully added.
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client get

172.20.168.*
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client del 172.20.168.*

172.20.168.* was deleted successfully
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client get

There are no GUI Clients defined for this Security Management Server
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client add 172.20.168.0/255.255.255.0

172.20.168.0/255.255.255.0 was successfully added.
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client get

172.20.168.0/255.255.255.0
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client createlist 192.168.40.0/255.255.255.0

172.30.40.55
New list was created successfully
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client get

192.168.40.0/255.255.255.0
172.30.40.55
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client createlist "Any"

New list was created successfully
[Expert@MGMT:0]#

[Expert@MGMT:0]# cp_conf client get

Any
[Expert@MGMT:0]#
cpconfig

cp_conf finger
-h
get

-h
get

[Expert@MGMT:0]# cp_conf finger get

EDNA COCO MOLE ATOM ASH MOT SAGE NINE ILL TINT HI CUBE
[Expert@MGMT:0]#
cpconfig

cp_conf lic
-h
add -f <Full Path to License File>
add -m <Host> <Date> <Signature Key> <SKU/Features>
del <Signature Key>
get [-x]

-h

add -f <
>
cplic db_add
add -m < > < >
< >
< > cplic db_add
del < >
cplic del
get [-x]
-x

cplic print [-x]

[Expert@HostName:0]# cp_conf lic add -f ~/License.lic

License was installed successfully.
[Expert@HostName:0]#

[Expert@HostName:0]# cp_conf lic get

Host Expiration Signature Features
192.168.3.28 25Aug2017 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx CPMP-XXX
[Expert@HostName:0]#

[Expert@HostName:0]# cp_conf lic add -m MGMT2 25Aug2017 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx CPMP-XXX

License was successfully installed
[Expert@HostName:0]#

[Expert@HostName:0]# cp_conf lic get

Host Expiration Signature Features
192.168.3.28 25Aug2017 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx CPMP-XXX
[Expert@HostName:0]#
cpca_create [-d] -dn <CA DN>

-d

-dn < >

cpconfig

mdsconfig

[Expert@MyMGMT:0]# cpconfig
This program will let you re-configure
your Check Point Security Management Server configuration.

Configuration Options:
----------------------
(1) Licenses and contracts
(2) Administrator
(3) GUI Clients
(4) SNMP Extension
(5) Random Pool
(6) Certificate Authority
(7) Certificate's Fingerprint
(8) Automatic start of Check Point Products

(9) Exit

Enter your choice (1-9) :

cplic cplic

cplic [-d]
{-h | -help}
check <options>
contract <options>
del <options>
print <options>
put <options>

cplic [-d]
{-h | -help}
del <options>
get <options>
put <options>
upgrade <options>

cplic [-d]
{-h | -help}
db_add <options>
db_print <options>
db_rm <options>

-d
{-h | -help}

check < >

contract < >

db_add < >

db_print < >

db_rm < >

del < >

del < > < >

get < >

print < >

put < >

put < > < >

upgrade < >

cplic check {-h | -help}
cplic [-d] check [-p <Product>] [-v <Version>] [{-c | -count}] [-t <Date>] [{-r
| -routers}] [{-S | -SRusers}] <Feature>

{-h | -help}

-d

-p < >

 fw1

 mgmt
 services
 cvpn
 etm
 eps
-v < >
{-c | -count}

-t < >

{-r | -routers}
< >
{-S | -SRusers}

< >

[Expert@MGMT]# cplic print -p

Host Expiration Primitive-Features
W.X.Y.Z 24Mar2016 ::CK-XXXXXXXXXXXX fw1:6.0:swb fw1:6.0:comp
fw1:6.0:compunlimited fw1:6.0:cluster-1 fw1:6.0:cpxmgmt_qos_u_sites
fw1:6.0:sprounl fw1:6.0:nxunlimit fw1:6.0:swp evnt:6.0:smrt_evnt fw1:6.0:fwc
fw1:6.0:ca fw1:6.0:rtmui fw1:6.0:sstui fw1:6.0:fwlv fw1:6.0:cmd evnt:6.0:alzd5
evnt:6.0:alzc1 evnt:6.0:alzs1 fw1:6.0:sstui fw1:6.0:fwlv fw1:6.0:sme10
etm:6.0:rtm_u fw1:6.0:cep1 fw1:6.0:rt fw1:6.0:cemid fw1:6.0:web_sec_u
fw1:6.0:workflow fw1:6.0:ram1 fw1:6.0:routers fw1:6.0:supmgmt fw1:6.0:supunlimit
fw1:6.0:prov fw1:6.0:atlas-unlimit fw1:6.0:filter fw1:6.0:ui
psmp:6.0:psmsunlimited fw1:6.0:vpe_unlimit fw1:6.0:cluster-u fw1:6.0:remote1
fw1:6.0:aes fw1:6.0:strong fw1:6.0:rdp fw1:6.0:des fw1:6.0:isakmp
fw1:6.0:dbvr_unlimit fw1:6.0:cmpmgmt fw1:6.0:rtmmgmt fw1:6.0:fgmgmt
fw1:6.0:blades fw1:6.0:cpipv6 fw1:6.0:mgmtha fw1:6.0:remote
[Expert@MGMT]#

[Expert@MGMT]# cplic check -p fw1 -v 6.0 -c mgmtha

cplic check 'mgmtha': 1 licenses
[Expert@MGMT]#

[Expert@GW]# cplic print -p

Host Expiration Primitive-Features
W.X.Y.Z 23Mar2016 ::CK-XXXXXXXXXXXX fw1:6.0:swb fw1:6.0:abot fw1:6.0:ips
fw1:6.0:appi fw1:6.0:aspm fw1:6.0:av1000 fw1:6.0:urlf fw1:6.0:av fw1:6.0:vsx5
fw1:6.0:cpls fw1:6.0:cluster-u fw1:6.0:mpu fw1:6.0:sxl_vpn fw1:6.0:sxl_fw
fw1:6.0:sxl_ppk fw1:6.0:connect fw1:6.0:pam etm:6.0:fgcountunl etm:6.0:fg
etm:6.0:tclog etm:6.0:fgvpn fw1:6.0:identity cvpn:6.0:ccvunl
cvpn:6.0:cvpnunlimited fw1:6.0:des fw1:6.0:strong fw1:6.0:encryption
cvpn:6.0:cvpn fw1:6.0:dlp evnt:6.0:smrt_evnt fw1:6.0:ipsa fw1:6.0:spcps
fw1:6.0:pam fw1:6.0:enchostsunlimit fw1:6.0:aes fw1:6.0:rdp fw1:6.0:isakmp
fw1:6.0:xlate fw1:6.0:auth fw1:6.0:content fw1:6.0:sync fw1:6.0:fm fw1:6.0:blades
fw1:6.0:sr5000 fw1:6.0:hostsunlimit fw1:6.0:mc_all_8 fw1:6.0:multicore
[Expert@GW]#

[Expert@MGMT]# cplic check cluster-u

cplic check 'cluster-u': license valid
[Expert@MGMT]#

[Expert@MGMT]# cplic check -c cluster-u

cplic check 'cluster-u': 9 licenses
[Expert@MGMT]#


cplic get

cplic contract -h
cplic [-d] contract
del
-h
<Service Contract ID>
put
-h
[{-o | -overwrite}] <Service Contract File>

{-h | -help}

-d

del $CPDIR/conf/cp.contract

put $CPDIR/conf/cp.contract

< >
{-o | -overwrite}

< >
cplic db_add {-h | -help}
cplic [-d] db_add -l <License File> [<Host>] [<Expiration Date>] [<Signature>]
[<SKU/Features>]

{-h | -help}
-d

-l < >
< >
< >
< >
aa6uwknDc-CE6CRtjhv-zipoVWSnm-z98N7Ck3m

< >
CPSUITE-EVAL-3DES-vNG

192.0.2.11.lic cplic db_add -l

192.0.2.11.lic
[Expert@MGMT]# cplic db_add -l 192.0.2.11.lic
Adding license to database ...
Operation Done
[Expert@MGMT]#
cplic db_print {-h | -help}
cplic [-d] db_print {<Object Name> | -all} [{-n | -noheader}] [-x] [{-t | -type}]
[{-a | -attached}]

{-h | -help}
-d

< > < >

< >

-all
{-n | -noheader}
-x
{-t | -type}
{-a | -attached}
-all

[Expert@MGMT:0]# cplic db_print -all

Retrieving license information from database ...

The following licenses appear in the database:

===============================================
Host Expiration Features
192.168.3.28 25Aug2017 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx CPMP-XXX CK-XXXXXXXXXXXX
[Expert@MGMT:0]#

[Expert@MGMT:0]# cplic db_print -all -x -a

Retrieving license information from database ...

The following licenses appear in the database:

===============================================
Host Expiration Features
192.168.3.28 25Aug2017 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx CPMP-XXX CK-XXXXXXXXXXXX MGMT
[Expert@MGMT:0]#
cplic del

cplic db_rm {-h | -help}

cplic [-d] db_rm <Signature>

{-h | -help}

-d

< >
cplic print -x

[Expert@MGMT:0]# cplic db_rm 2f540abb-d3bcb001-7e54513e-kfyigpwn

cplic del {-h | -help}
cplic [-d] del [-F <Output File>] <Signature> <Object Name>

{-h | -help}
-d

-F < >
< >
cplic print -x

< >
cplic del {-h | -help}
cplic [-d] del <Object Name> [-F <Output File>] [-ip <Dynamic IP Address>]
<Signature>

{-h | -help}
-d

< >

-F < >
-ip <
>

< >
cplic print -x
cplic get {-h | -help}
cplic [-d] get
-all
<IP Address>
<Host Name>

{-h | -help}

-d

-all

< >

MyGW
cplic get MyGW

[Expert@MGMT:0]# cplic get MyGW

Get retrieved 4 licenses.
Get removed 2 licenses.
[Expert@MGMT:0]#
cplic print {-h | -help}
cplic [-d] print[{-n | -noheader}] [-x] [{-t | -type}] [-F <Output File>] [{-p |
-preatures}] [-D]

{-h | -help}
-d

{-n | -noheader}
-x
{-t | -type]

-F < >
{-p | -preatures}
-D

[Expert@HostName:0]# cplic print

Host Expiration Features
192.168.3.28 25Aug2017 CPMP-XXX CK-XXXXXXXXXXXX
[Expert@HostName:0]#

[Expert@HostName:0]# cplic print -x

Host Expiration Signature Features
192.168.3.28 25Aug2017 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx CPMP-XXX CK-XXXXXXXXXXXX
[Expert@HostName:0]#
cplic put {-h | -help}
cplic [-d] put [{-o | -overwrite}] [{-c | -check-only}] [{-s | -select}] [-F <Output
File>] [{-P | -Pre-boot}] [{-k | -kernel-only}] -l <License File> [<Host>]
[<Expiration Date>] [<Signature>] [<SKU/Features>]

{-h | -help}
-d

{-o | -overwrite}

{-c | -check-only}

{-s | -select}

-F < >
{-P | -Pre-boot}

{-K | -kernel only}

-l < >
< >
< >
< >

< >

CPSUITE-EVAL-3DES-vNG
host

expiration date never

signature

SKU/features

CPSB-SWB CPSB-ADNC-M CK0123456789ab

[Expert@HostName:0]# cplic put -l License.lic

Host Expiration SKU
192.168.2.3 14Jan2016 CPSB-SWB CPSB-ADNC-M CK0123456789ab
[Expert@HostName:0]#



cplic put {-h | -help}

cplic [-d] put <Object Name> [-ip <Dynamic IP Address>] [-F <Output File>] -l
<License File> [<Host>] [<Expiration Date>] [<Signature>] [<SKU/Feature>]

{-h | -help}

-d

< >

-ip

-F < >

-l < > >

< >
< >
< >

< >
CPSUITE-EVAL-3DES-vNG

host

expiration date never

signature

SKU/features

CPSB-SWB CPSB-ADNC-M CK0123456789ab

cplic upgrade {-h | -help}
cplic [-d] upgrade –l <Input File>

{-h | -help}

–l < >





cplic get -all

[Expert@MyMGMT]# cplic get -all

Getting licenses from all modules ...
MyGW:
Retrieved 1 licenses


cplic db_print -all -a

[Expert@MyMGMT]# cplic db_print -all -a

Retrieving license information from database ...

The following licenses appear in the database:

==================================================
Host Expiration Features
192.0.2.11 Never CPFW-FIG-25-53 CK49C3A3CC7121 MyGW1
192.0.2.11 26Nov2017 CPSB-SWB CPSB-ADNC-M CK0123456789ab MyGW2


cplic get -all
 cplic upgrade –l < >




cppkg
add <options>
{del | delete} <options>
get
getroot
print
setroot <options>



mdsenv

add < >

{del | delete} < >

get

getroot
$SUROOT
print

setroot < >



mdsenv


cppkg add <Full Path to Package | DVD Drive [Product]>

<
>

[ ] /mnt/CPR80

[Expert@MGMT:0]# cppkg print

Vendor Product Version OS Minor Version
----------------------------------------------------------------------------------
[Expert@MGMT:0]#

[Expert@MGMT:0]# cppkg add /var/log/CP1100_6.0_4_0_-.tgz

Adding package to the repository
Getting the package type...
Extracting the package files...
Copying package to the repository...
Package was successfully added to the repository
[Expert@MGMT:0]#

[Expert@MGMT:0]# cppkg print

Vendor Product Version OS Minor Version
----------------------------------------------------------------------------------
Check Point CP1100 R77.20 Gaia Embedded R77.20
[Expert@MGMT:0]#


mdsenv

cppkg del ["<Vendor>" "<Product>" "<Major Version>" "<OS>" "<Minor Version>"]

cppkg delete ["<Vendor>" "<Product>" "<Major Version>" "<OS>" "<Minor Version>"]

del | delete

 cppkg print

[Expert@MGMT:0]# cppkg delete

Select package:
--------------------
(0) Delete all
(1) CP1100 Gaia Embedded Check Point R77.20 R77.20

(e) Exit

Enter your choice : 1

You chose to delete 'CP1100 Gaia Embedded Check Point R77.20 R77.20', Is this correct? [y/n] : y

Package was successfully removed from the repository

[Expert@MGMT:0]#

[Expert@MGMT:0]# cppkg print

Vendor Product Version OS Minor Version
----------------------------------------------------------------------------------
Check Point CP1100 R77.20 Gaia Embedded R77.20
[Expert@MGMT:0]#

[Expert@MGMT:0]# cppkg delete "Check Point" "CP1100" "R77.20" "Gaia Embedded" "R77.20"
Package was successfully removed from the repository
[Expert@MGMT:0]#


mdsenv

cppkg get

[Expert@MGMT:0]# cppkg get

Update successfully completed
[Expert@MGMT:0]#
$SUROOT



mdsenv

cppkg getroot

[Expert@MGMT:0]# cppkg getroot

[cppkg 7119 4128339728]@MGMT[29 May 17:16:06] Current repository root is set to
: /var/log/cpupgrade/suroot
[Expert@MGMT:0]#


mdsenv

cppkg print

[Expert@MGMT:0]# cppkg print

 $SUROOT
$CPDIR/tmp/.CPprofile.sh
$CPDIR/tmp/.CPprofile.csh

cppkg setroot <Full Path to Repository Root Directory>

[Expert@MGMT:0]# cppkg setroot /var/log/my_directory

Repository root is set to : /var/log/cpupgrade/suroot

Note : When changing repository root directory :

1. Old repository content will be copied into the new repository

2. A package in the new location will be overwritten by a package in the old
location, if the packages have the same name

Change the current repository root ? [y/n] : y

The new repository directory does not exist. Create it ? [y/n] : y

Repository root was set to : /var/log/my_directory

Notice : To complete the setting of your directory, reboot the machine!

[Expert@MGMT:0]#
$CPDIR/registry/HKLM_registry.data


cpprod_util CPPROD_GetValue "<Product>" "<Parameter>" {0|1}

cpprod_util CPPROD_SetValue "<Product>" "<Parameter>" {1|4} "<Value>" {0|1}
cpprod_util -dump

CPPROD_GetValue


CPPROD_SetValue

"< >"
"< >"

"< >"



dump
$CPDIR/registry/HKLM_registry.data
RegDump

 cpprod_util
 FwIsFirewallMgmt
FwIsLogServer FwIsStandAlone

no-parameter string-parameter integer-parameter
 status-output no-output
 cpprod_util

cpprod_util < > > < > 2>&1

[Expert@MGMT:0]# cpprod_util CPPROD_GetInstalledProducts

CPFC
IDA
MGMT
FW1
SecurePlatform
NGXCMP
EdgeCmp
SFWCMP
SFWR75CMP
SFWR77CMP
FLICMP
R75CMP
R7520CMP
R7540CMP
R76CMP
R77CMP
PROVIDER-1
Reporting Module
SmartLog
CPinfo
VSEC
DIAG
[Expert@MGMT:0]#

[Expert@MGMT:0]# cpprod_util FwIsFirewallMgmt

1
[Expert@MGMT:0]#

[Expert@MGMT:0]# cpprod_util FwIsStandAlone

0
[Expert@MGMT:0]#

[Expert@MGMT:0]# cpprod_util FwIsPrimary

1
[Expert@MGMT:0]#

[Expert@MGMT:0]# cpprod_util FwIsActiveManagement

0
[Expert@MGMT:0]#
[Expert@MGMT:0]# cpprod_util FwIsSMCBackup
0
[Expert@MGMT:0]#

[Expert@MGMT:0]# cpprod_util FwIsLogServer

0
[Expert@MGMT:0]

[Expert@MGMT:0]# cpprod_util FwIsAtlasManagement

1
[Expert@MGMT:0]#

[Expert@MGMT:0]# cpprod_util RtIsAnalyzerServer

1
[Expert@MGMT:0]#

[Expert@MGMT:0]# cpprod_util RtIsAnalyzerCorrelationUnit

1
[Expert@MGMT:0]#

[Expert@MGMT:0]# cpprod_util UepmIsInstalled

1
[Expert@MGMT:0]#

[Expert@MGMT:0]# cpprod_util UepmIsPolicyServer

0
[Expert@MGMT:0]#
cprid



mdsenv

cprid

cpridstart

cprid

cpridstop

cprid

run_cprid_restart





 cpd
 cprid

cprinstall
boot <options>
cprestart <options>
cpstart <options>
cpstop <options>
delete <options>
get <options>
install <options>
revert <options>
show <options>
snapshot <options>
transfer <options>
uninstall <options>
verify <options>

boot < >

cprestart < > cprestart

cpstart < > cpstart

cpstop < > cpstop

delete < >

get < > 

install < >

revert < >

show < >

snapshot < >

transfer < >

uninstall < >

verify < >




cprinstall boot <Object Name>

[Expert@MGMT]# cprinstall boot MyGW

cprestart

cprinstall cprestart <Object Name>

[Expert@MGMT:0]# cprinstall cprestart MyGW

cpstart

cprinstall cpstart <Object Name>

[Expert@MGMT]# cprinstall cpstart MyGW

cpstop

cprinstall cpstop {-proc | -nopolicy} <Object Name>

-proc

-nopolicy

[Expert@MGMT]# cprinstall cpstop -proc MyGW

cprinstall delete <Object Name> <Snapshot File>

[Expert@MGMT]# cprinstall delete MyGW Snapshot25Apr2017



cprinstall get <Object Name>

[Expert@MGMT]# cprinstall get MyGW

Checking cprid connection...
Verified
Operation completed successfully
Updating machine information...
Update successfully completed
'Get Gateway Data' completed successfully
Operating system Major Version Minor Version
------------------------------------------------------------------------
SecurePlatform R75.20 R75.20

Vendor Product Major Version Minor Version

------------------------------------------------------------------------
Check Point VPN-1 Power/UTM R75.20 R75.20
Check Point SecurePlatform R75.20 R75.20
Check Point SmartPortal R75.20 R75.20
[Expert@MGMT]#
 cprinstall verify

 cppkg print

cprinstall install [-boot] [-backup] [-skip_transfer] <Object Name> "<Vendor>"

"<Product>" "<Major Version>" "<Minor Version>"

-boot

-backup

-skip_transfer

 checkpoint
 Check Point

 SVNfoundation
 firewall
 floodgate
 CP1100
 VPN-1 Power/UTM
 SmartPortal
[Expert@MGMT]# cprinstall install -boot MyGW "checkpoint" "firewall" "R75" "R75.20"

Installing firewall R75.20 on MyGW...

Info : Testing Check Point Gateway
Info : Test completed successfully.
Info : Transferring Package to Check Point Gateway
Info : Extracting package on Check Point Gateway
Info : Installing package on Check Point Gateway
Info : Product was successfully applied.
Info : Rebooting the Check Point Gateway
Info : Checking boot status
Info : Reboot completed successfully.
Info : Checking Check Point Gateway
Info : Operation completed successfully.
[Expert@MGMT]#
cprinstall revert <Object Name> <Snapshot File>

cprinstall
show
cprinstall show <Object Name>

[Expert@MGMT]# cprinstall show GW1

SU_backup.tzg
cprinstall snapshot <Object Name> <Snapshot File>

cprinstall
show
cppkg print

cprinstall transfer <Object Name> "<Vendor>" "<Product>" "<Major Version>" "<Minor

Version>"

 checkpoint
 Check Point

 SVNfoundation
 firewall
 floodgate
 CP1100
 cprinstall verify

 cprinstall get

 cppkg print

cprinstall uninstall [-boot] <Object Name> "<Vendor>" "<Product>" "<Major

Version>" "<Minor Version>"

-boot

 checkpoint
 Check Point

 SVNfoundation
 firewall
 floodgate
 CP1100
[Expert@MGMT]# cprinstall uninstall MyGW "checkpoint" "firewall" "R75.20" "R75.20"
Uninstalling firewall R75.20 from MyGW...
Info : Removing package from Check Point Gateway
Info : Product was successfully applied.
Operation Success. Please get network object data to complete the operation.
[Expert@MGMT]#
[Expert@MGMT]# cprinstall get






cprinstall verify <Object Name> "<Vendor>" "<Product>" "<Major Version>" ["<Minor

Version>"]


 cppkg print

 checkpoint
 Check Point

 SVNfoundation
 firewall
 floodgate
 CP1100
 VPN-1 Power/UTM
 SmartPortal
[Expert@MGMT]# cprinstall verify MyGW "checkpoint" "SVNfoundation" "R75.20"
Verifying installation of SVNfoundation R75.20 on MyGW...
Info : Testing Check Point Gateway.
Info : Test completed successfully.
Info : Installation Verified, The product can be installed.

[Expert@MGMT]# cprinstall verify MyGW "checkpoint" "SVNfoundation" "R75.20"

Verifying installation of SVNfoundation R75.20 on MyGW...
Info : Testing Check Point Gateway
Info : SVN Foundation R70 is already installed on 192.0.2.134
Operation Success. Product cannot be installed, did not pass dependency check.
 cprid cpridstart


cpstart
cpstat [-d] [-h <Host>] [-p <Port>] [-s <SICname>] [-f <Flavor>] [-o <Polling
Interval> [-c <Count>] [-e <Period>]] <Application Flag>

-d

-h < >

< >
localhost
-p < >

-s < >

-f < >

< > cpstat

-o <
>





-c < >

cpstat os -f perf -o 2
-c < >

-o < >

 <
>
 <
>
 <
>
 <
>
cpstat os -f perf -o 2 -c 2
-e < >

-o < >

-c < >
cpstat os -f perf -o 2 -c 2 -e 60
< >

 os
 persistency
 thresholds
threshold_config
 ci
 https_inspection
 cvpn
 fw
 vsx
 vpn
 blades
 identityServer
 appi
 urlf
 dlp
 ctnt
 antimalware
 threat-emulation
 scrub
 gx
 fg
 ha
 polsrv

 ca
 mg

[Expert@MyGW:0]# cpstat -f interfaces fw

Network interfaces
--------------------------------------------------------------------------------------------------
------------------
|Name|IP |Netmask |Flags|Peer name|Remote IP|Topology|Proxy name|Slaves|Ports|IPv6
Address|IPv6 Len|
--------------------------------------------------------------------------------------------------
------------------
|eth0|192.168.30.40|255.255.255.0| 0| | 0.0.0.0| 4| | | |
::| 0|
|eth1| 172.30.60.80|255.255.255.0| 0| | 0.0.0.0| 4| | | |
::| 0|
|eth2| 0.0.0.0| 0.0.0.0| 0| | 0.0.0.0| 4| | | |
::| 0|
|eth3| 0.0.0.0| 0.0.0.0| 0| | 0.0.0.0| 4| | | |
::| 0|
|eth4| 0.0.0.0| 0.0.0.0| 0| | 0.0.0.0| 4| | | |
::| 0|
|eth5| 0.0.0.0| 0.0.0.0| 0| | 0.0.0.0| 4| | | |
::| 0|
|eth6| 0.0.0.0| 0.0.0.0| 0| | 0.0.0.0| 4| | | |
::| 0|
|eth7| 0.0.0.0| 0.0.0.0| 0| | 0.0.0.0| 4| | | |
::| 0|
--------------------------------------------------------------------------------------------------
------------------

[Expert@MyGW:0]#

[Expert@MyGW:0]# cpstat -f default fw

Policy name: MyGW_Policy

Install time: Wed May 23 18:14:32 2018

Interface table
---------------------------------------
|Name|Dir|Total |Accept|Deny |Log|
---------------------------------------
|eth0|in | 2393126| 32589| 2360537| 52|
|eth0|out| 33016| 33016| 0| 0|
|eth1|in | 2360350| 0| 2360350| 0|
|eth1|out| 0| 0| 0| 0|
|eth2|in | 2360350| 0| 2360350| 0|
|eth2|out| 0| 0| 0| 0|
|eth3|in | 2348704| 0| 2348704| 1|
|eth3|out| 0| 0| 0| 0|
|eth4|in | 2360350| 0| 2360350| 0|
|eth4|out| 0| 0| 0| 0|
---------------------------------------
| | |11855896| 65605|11790291| 53|
---------------------------------------

... ... [truncated for brevity] ... ...

[Expert@MyGW:0]#

[Expert@MyGW:0]# cpstat os -f perf -o 2 -c 2 -e 60

Total Virtual Memory (Bytes): 12417720320

Active Virtual Memory (Bytes): 3741331456
Total Real Memory (Bytes): 8231063552
Active Real Memory (Bytes): 3741331456
Free Real Memory (Bytes): 4489732096
Memory Swaps/Sec: -
Memory To Disk Transfers/Sec: -
CPU User Time (%): 0
CPU System Time (%): 0
CPU Idle Time (%): 100
CPU Usage (%): 0
CPU Queue Length: -
CPU Interrupts/Sec: 135
CPUs Number: 8
Disk Servicing Read\Write Requests Time: -
Disk Requests Queue: -
Disk Free Space (%): 61
Disk Total Free Space (Bytes): 12659716096
Disk Available Free Space (Bytes): 11606188032
Disk Total Space (Bytes): 20477751296

Total Virtual Memory (Bytes): 12417720320

Active Virtual Memory (Bytes): 3741556736
Total Real Memory (Bytes): 8231063552
Active Real Memory (Bytes): 3741556736
Free Real Memory (Bytes): 4489506816
Memory Swaps/Sec: -
Memory To Disk Transfers/Sec: -
CPU User Time (%): 3
CPU System Time (%): 0
CPU Idle Time (%): 97
CPU Usage (%): 3
CPU Queue Length: -
CPU Interrupts/Sec: 140
CPUs Number: 8
Disk Servicing Read\Write Requests Time: -
Disk Requests Queue: -
Disk Free Space (%): 61
Disk Total Free Space (Bytes): 12659716096
Disk Available Free Space (Bytes): 11606188032
Disk Total Space (Bytes): 20477751296

[Expert@MyGW:0]#
 cprid cpridstop


cpstop
cpview --help
cpview_< >.cap< >
cpwd

fwm fwd cpd cpm DAService java_solr

log_indexer

$CPDIR/log/cpwd.elg log

cpwd_admin

cpwd_admin list MON N

cpwd_admin list MON Y

cpwd_admin
config <options>
del <options>
detach <options>
exist
flist <options>
getpid <options>
kill
list <options>
monitor_list
start <options>
start_monitor
stop <options>
stop_monitor

config
del

detach

exist cpwd
flist
$CPDIR/tmp/cpwd_list_<Epoch Timestamp>.lst
getpid

kill cpwd

list
monitor_list

start

start_monitor

stop

stop_monitor
cpstop

cpwd_admin config
-h
-a <Configuration_Parameter_1>=<Value_1>
<Configuration_Parameter_2>=<Value_2> ... <Configuration_Parameter_N>=<Value_N>
-d <Configuration_Parameter_1> <Configuration_Parameter_2> ...
<Configuration_Parameter_N>
-p
-r

-h
-a
< >=<
>
< >=<
> ...
< >=<
>
-d < >
< > ... cpwd_admin config -a
< >
-p
cpwd_admin config -a

-r

default_ctx
display_ctx 
CTX

cpwd_admin list APP
PID
 CTX
 CTX
no_limit  rerun_mode=1

 


num_of_procs 

rerun_mode 



reset_startups 
 startup_counter

cpwd_admin list
#START
sleep_mode 
 


sleep_timeout
sleep_timeout  rerun_mode=1


stop_timeout 

zero_timeout  no_limit
zero_timeout


zero_timeout
timeout
$CPDIR/registry/HKLM_registry.data : (Wd_Config
("CheckPoint Repository Set"
: (SOFTWARE
: (CheckPoint
: (CPshared
:CurrentVersion (6.0)
: (6.0
... ...
: (reserved
... ...
: (Wd
: (Wd_Config
:Configuration_Parameter_1 ("[4]Value_1")
:Configuration_Parameter_2 ("[4]Value_2")
)
)
... ...

[Expert@HostName:0]# cpwd_admin config -p

cpWatchDog doesn't have configuration parameters
[Expert@HostName:0]#
[Expert@HostName:0]# cpwd_admin config -a sleep_timeout=120 no_limit=12
[Expert@HostName:0]#
[Expert@HostName:0]# cpwd_admin config -p
cpWatchDog Configuration parameters are:
sleep_timeout : 120
no_limit : 12
[Expert@HostName:0]#
[Expert@HostName:0]# cpstop ; cpstart
[Expert@HostName:0]#

[Expert@HostName:0]# cpwd_admin config -r

cpWatchDog doesn't have configuration parameters
[Expert@HostName:0]#
[Expert@HostName:0]# cpstop ; cpstart
[Expert@HostName:0]#
[Expert@HostName:0]# cpwd_admin config -p
cpWatchDog doesn't have configuration parameters
[Expert@HostName:0]#

 cpwd_admin list

cpstart

cpwd_admin del -name <Application Name> [-ctx <VSID>]

< >
cpwd_admin list APP

 FWM
 FWD
 CPD
 CPM
-ctx < >

[Expert@HostName:0]# cpwd_admin del -name FWD

cpwd_admin:
successful Del operation
[Expert@HostName:0]#

 cpwd_admin list

cpstart

cpwd_admin detach -name <Application Name> [-ctx <VSID>]

< >
cpwd_admin list APP

 FWM
 FWD
 CPD
 CPM
-ctx < >

[Expert@HostName:0]# cpwd_admin detach -name FWD

cpwd_admin:
successful Detach operation
[Expert@HostName:0]#
 cpwd

cpwd_admin exist

[Expert@HostName:0]# cpwd_admin exist

cpwd_admin: cpWatchDog is running
[Expert@HostName:0]#
$CPDIR/tmp/cpwd_list_<
>.lst
http://www.epochconverter.com

cpwd_admin flist [-full]

-full

APP
PID
STAT

 E
 T
#START
START_TIME

SLP/LIMIT sleep_timeout no_limit

MON
cpwd_admin
 Y
 N
COMMAND

[Expert@HostName:0]# cpwd_admin flist

/opt/CPshrd-R80.30/tmp/cpwd_list_3209472813.lst
[Expert@HostName:0]#
cpwd_admin getpid -name <Application Name> [-ctx <VSID>]

< >
cpwd_admin list APP

 FWM
 FWD
 CPD
 CPM
-ctx < >

[Expert@HostName:0]# cpwd_admin getpid -name FWD

5640
[Expert@HostName:0]#
cpwd

cpstop cpstart

cpwd_admin kill
cpwd_admin list [-full]

-full

APP
PID
STAT

 E
 T
#START
START_TIME

SLP/LIMIT sleep_timeout no_limit

MON
cpwd_admin
 Y
 N
COMMAND

[Expert@HostName:0]# cpwd_admin list

APP PID STAT #START START_TIME MON COMMAND
CPVIEWD 19738 E 1 [17:50:44] 31/5/2018 N cpviewd
HISTORYD 0 T 0 [17:54:44] 31/5/2018 N cpview_historyd
CPD 19730 E 1 [17:54:45] 31/5/2018 Y cpd
SOLR 19935 E 1 [17:50:55] 31/5/2018 N java_solr
/opt/CPrt-R80.30/conf/jetty.xml
RFL 19951 E 1 [17:50:55] 31/5/2018 N LogCore
SMARTVIEW 19979 E 1 [17:50:55] 31/5/2018 N SmartView
INDEXER 20032 E 1 [17:50:55] 31/5/2018 N
/opt/CPrt-R80.30/log_indexer/log_indexer
SMARTLOG_SERVER 20100 E 1 [17:50:55] 31/5/2018 N
/opt/CPSmartLog-R80.30/smartlog_server
CP3DLOGD 20237 E 1 [17:50:55] 31/5/2018 N cp3dlogd
EPM 20251 E 1 [17:50:56] 31/5/2018 N startEngine
DASERVICE 20404 E 1 [17:50:59] 31/5/2018 N DAService_script
[Expert@HostName:0]#
[Expert@HostName:0]# cpwd_admin list -full
APP PID STAT #START START_TIME SLP/LIMIT MON
--------------------------------------------------------------------------------
CPVIEWD 19738 E 1 [17:50:44] 31/5/2018 60/5 N
PATH = /opt/CPshrd-R80.30/bin/cpviewd
COMMAND = cpviewd
--------------------------------------------------------------------------------
HISTORYD 0 T 0 [17:54:44] 31/5/2018 60/5 N
PATH = /opt/CPshrd-R80.30/bin/cpview_historyd
COMMAND = cpview_historyd
--------------------------------------------------------------------------------
CPD 19730 E 1 [17:54:45] 31/5/2018 60/5 Y
PATH = /opt/CPshrd-R80.30/bin/cpd
COMMAND = cpd
--------------------------------------------------------------------------------
SOLR 19935 E 1 [17:50:55] 31/5/2018 60/5 N
PATH = /opt/CPrt-R80.30/bin/java_solr
COMMAND = java_solr /opt/CPrt-R80.30/conf/jetty.xml
--------------------------------------------------------------------------------
RFL 19951 E 1 [17:50:55] 31/5/2018 60/5 N
PATH = /opt/CPrt-R80.30/bin/LogCore
COMMAND = LogCore
--------------------------------------------------------------------------------
SMARTVIEW 19979 E 1 [17:50:55] 31/5/2018 60/5 N
PATH = /opt/CPrt-R80.30/bin/SmartView
COMMAND = SmartView
--------------------------------------------------------------------------------
INDEXER 20032 E 1 [17:50:55] 31/5/2018 60/5 N
PATH = /opt/CPrt-R80.30/log_indexer/log_indexer
COMMAND = /opt/CPrt-R80.30/log_indexer/log_indexer
--------------------------------------------------------------------------------
SMARTLOG_SERVER 20100 E 1 [17:50:55] 31/5/2018 60/5 N
PATH = /opt/CPSmartLog-R80.30/smartlog_server
COMMAND = /opt/CPSmartLog-R80.30/smartlog_server
ENV = LANG=C
--------------------------------------------------------------------------------
CP3DLOGD 20237 E 1 [17:50:55] 31/5/2018 60/5 N
PATH = /opt/CPuepm-R80.30/bin/cp3dlogd
COMMAND = cp3dlogd
--------------------------------------------------------------------------------
EPM 20251 E 1 [17:50:56] 31/5/2018 60/5 N
PATH = /opt/CPuepm-R80.30/bin/startEngine
COMMAND = startEngine
--------------------------------------------------------------------------------
DASERVICE 20404 E 1 [17:50:59] 31/5/2018 60/5 N
PATH = /opt/CPda/bin/DAService_script
COMMAND = DAService_script
[Expert@HostName:0]#
cpwd_admin

cpwd_admin monitor_list

[Expert@HostName:0]# cpwd_admin monitor_list

cpwd_admin:
APP FILE_NAME NO_MSG_TIMES LAST_MSG_TIME
CPD CPD_5420_4714.mntr 0/10 [19:00:33] 31/5/2018
[Expert@HostName:0]#
cpwd_admin start -name <Application Name> [-ctx <VSID>] -path "<Full Path to
Executable>" -command "<Command Syntax>" [-env {inherit | <Env_Var>=<Value>]
[-slp_timeout <Timeout>] [-retry_limit {<Limit> | u}]

-name < cpwd_admin list

> APP

 FWM
 FWD
 CPD
 CPM
-ctx < >

-path "<
>"

 $FWDIR/bin/fwm
 /opt/CPsuite-R80.30/fw1/bin/fw
 $CPDIR/bin/cpd

/opt/CPsuite-R80.30/fw1/scripts/cpm.sh"
 /opt/CPshrd-R80.30/bin/cptnl
-command "<
>"

 fwm
 fwm mds
 fwd
 cpd

/opt/CPsuite-R80.30/fw1/scripts/cpm.sh -s"
 /opt/CPshrd-R80.30/bin/cptnl -c
"/opt/CPuepm-R80.30/engine/conf/cptnl_srv.co
nf"
-env {inherit |
< >=< >}
 inherit

 < >=< >

-slp_timeout sleep_timeout
< >
cpwd_admin config
-retry_limit no_limit
{< > | u} cpwd_admin config
 < >

 u
cpwd_admin

cpwd_admin start_monitor

[Expert@HostName:0]# cpwd_admin start_monitor

cpwd_admin:
CPWD has started to perform active monitoring on Check Point services/processes
[Expert@HostName:0]#
cpwd_admin stop -name <Application Name> [-ctx <VSID>] [-path "<Full Path to
Executable>" -command "<Command Syntax>" [-env {inherit | <Env_Var>=<Value>]

-name < cpwd_admin list

> APP

 FWM
 FWD
 CPD
 CPM
-ctx < >

-path "<
>"

 $FWDIR/bin/fwm
 /opt/CPsuite-R80.30/fw1/bin/fw
 $CPDIR/bin/cpd_admin
-command "<
>"

 fw kill fwm
 fw kill fwd
 cpd_admin stop
-env {inherit |
< >=< >}
 inherit

 < >=< >

cpwd_admin

cpwd_admin stop_monitor

[Expert@HostName:0]# cpwd_admin stop_monitor

cpwd_admin:
CPWD has stopped performing active monitoring on Check Point services/processes
[Expert@HostName:0]#
$FWDIR/conf/objects_5_0.C

dbedit -help
dbedit [-globallock] [{-local | -s <Management_Server>}] [{-u <User> | -c
<Certificate>}] [-p <Password>] [-f <File_Name> [ignore_script_failure]
[-continue_updating]] [-r "<Open_Reason_Text>"] [-d <Database_Name>] [-listen]
[-readonly] [-session]

-help
-globallock

savedb

-local

-s < >

-u < >

-s
< >
-c < >

-s
< >
-p < >

-s
< > -u < >
-f < >

 create <object_type> <object_name>

 modify <table_name> <object_name>
<field_name> <value>
 update <table_name> <object_name>
 delete <table_name> <object_name>
 print <table_name> <object_name>
 quit

ignore_script_failure

-f < >

-continue_updating

update_all
-f < >

-r "< >"

-d < >
mdsdb
-listen

-readonly

-session
dbedit

-h

dbedit> -h
-q

quit
dbedit> -q
dbedit> quit [-update_all | -noupdate]

dbedit> quit

dbedit> quit -update_all

dbedit> quit -no_update
update

network_objects services users

dbedit> update <table_name> <object_name>

dbedit> update services My_Service

update_all

dbedit> update_all
_print_set

network_objects services users

$FWDIR/conf/objects_5_0.C

dbedit> _print_set <table_name> <object_name>

dbedit> print network_objects My_Obj

network_objects properties services users

dbedit> print <table_name> <object_name>

dbedit> print network_objects my_obj



dbedit> print properties firewall_properties

printxml

network_objects properties
services users

dbedit> printxml <table_name> [<object_name>]


dbedit> printxml network_objects my_obj


dbedit> printxml properties firewall_properties

printbyuid

$FWDIR/conf/objects_5_0.C
chkpf_uid ({...})

dbedit> printbyuid {object_id}

dbedit> printbyuid {D3833F1D-0A58-AA42-865F-39BFE3C126F1}

query

query <table_name>
<attribute> '<value>'

dbedit> query <table_name> [ , <attribute>='<value>' ]


dbedit> query users


dbedit> query network_objects, management='true'


dbedit> query services, name='ssh'

dbedit> query services, port='22'

dbedit> query network_objects, ipaddr='10.10.10.10'
whereused

dbedit> whereused <table_name> <object_name>

dbedit> whereused network_objects My_Obj

create





dbedit> create <object_type> <object_name>

dbedit> create tcp_service my_service

delete

dbedit> delete <table_name> <object_name>

dbedit> delete services my_service

modify

network_objects services users

dbedit> modify <table_name> <object_name> <field_name>

<value>


dbedit> modify services My_Service color red

dbedit> modify network_objects MyObj comments "Created by
fwadmin with dbedit"


dbedit> modify properties firewall_properties

ike_use_largest_possible_subnets false


dbedit> addelement network_objects My_FW interfaces

interface
dbedit> modify network_objects My_FW
interfaces:3:officialname NAME_OF_INTERFACE
dbedit> modify network_objects My_FW interfaces:3:ipaddr
IP_ADDRESS
dbedit> modify network_objects My_FW interfaces:3:netmask
NETWORK_MASK
dbedit> modify network_objects My_FW
interfaces:3:security:netaccess:access specific
dbedit> modify network_objects My_FW
interfaces:3:security:netaccess:allowed
network_objects:group_name
dbedit> modify network_objects My_FW
interfaces:3:security:netaccess:perform_anti_spoofing
true
dbedit> modify network_objects MyObj FieldA LINKSYS

dbedit> modify network_objects MyObj FieldA:FieldB NewVal

dbedit> modify network_objects MyObj FieldA B:C
lock

network_objects services users

dbedit> lock <table_name> <object_name>

dbedit> lock services My_Service_Obj

addelement

dbedit> addelement <table_name> <object_name> <field_name>

<value>

dbedit> addelement ldap My_Obj Read:BranchObjectClass

Organization


dbedit> addelement services MyServicesGroup ''

services:MyService


dbedit> addelement network_objects MyNetworksGroup ''

network_objects:MyNetwork
rmelement

dbedit> rmelement <table_name> <object_name> <field_name>

<value>

dbedit> rmelement services MyServicesGroup ''

services:MyService


dbedit> rmelement network_objects MyNetworksGroup ''

network_objects:MyNetwork


dbedit> rmelement ldap my_obj Read:BranchObjectClass

Organization
rename

dbedit> rename <table_name> <object_name> <new_object_name>

dbedit> rename network_objects london chicago

rmbyindex

dbedit> rmbyindex <table_name> <object_name> <field_name>

<index_number>

dbedit> rmbyindex network_objects g

log_servers:backup_log_servers 1
add_owned_re
move_name

dbedit> add_owned_remove_name <table_name> <object_name>

<field_name> <value>

dbedit> add_owned_remove_name network_objects My_Gateway

additional_products owned:my_external_products
is_delete_al
lowed

dbedit> is_delete_allowed <table_name> <object_name>

dbedit> is_delete_allowed network_objects MyObj

set_pass

dbedit> set_pass <user> <password>

dbedit> set_pass abcd 1234

savedb

dbedit
-globallock

dbedit> savedb
savesession

dbedit -session

dbedit> savesession





fw [-d]
fetchlogs <options>
hastat <options>
kill <options>
log <options>
logswitch <options>
lslogs <options>
mergefiles <options>
repairlog <options>
sam <options>
sam_policy <options>

-d

fetchlogs $FWDIR/log/*.log*
$FWDIR/log/*.adtlog*

hastat

kill

log
$FWDIR/log/*.log $FWDIR/log/*.adtlog
logswitch $FWDIR/log/fw.log
$FWDIR/log/fw.adtlog
lslogs $FWDIR/log/*.log*
$FWDIR/log/*.adtlog*

mergefiles $FWDIR/log/*.log
$FWDIR/log/*.adtlog
repairlog $FWDIR/log/*.log
$FWDIR/log/*.adtlog
sam

sam_policy


samp 
$FWDIR/log/*.log*
$FWDIR/log/*.adtlog*

fw [-d] fetchlogs [-f <Name of Log File 1>] [-f <Name of Log File 2>]... [-f <Name
of Log File N>] <Target>

-d

-f < >

$FWDIR/log/*.log*
$FWDIR/log/*.adtlog*

2017-0?-*.log


-f



< >

 $FWDIR/log/

 $FWDIR/log/
 $FWDIR/log/fw.log
$FWDIR/log/fw.adtlog

fw logswitch [-audit] [-h < >]

fw fetchlogs -f <Log File Name> < >



MyGW__2018-06-01_000000.log

[Expert@HostName:0]# fw lslogs MyGW

Size Log file name
23KB 2018-05-16_000000.log
9KB 2018-05-17_000000.log
11KB 2018-05-18_000000.log
5796KB 2018-06-01_000000.log
4610KB fw.log
[Expert@HostName:0]#

[Expert@HostName:0]# fw fetchlogs -f 2018-06-01_000000 MyGW

File fetching in process. It may take some time...
File MyGW__2018-06-01_000000.log was fetched successfully
[Expert@HostName:0]#

[Expert@HostName:0]# ls $FWDIR/log/MyGW*
/opt/CPsuite-R80.30/fw1/log/MyGW__2018-06-01_000000.log
/opt/CPsuite-R80.30/fw1/log/MyGW__2018-06-01_000000.logaccount_ptr
/opt/CPsuite-R80.30/fw1/log/MyGW__2018-06-01_000000.loginitial_ptr
/opt/CPsuite-R80.30/fw1/log/MyGW__2018-06-01_000000.logptr
[Expert@HostName:0]#

[Expert@HostName:0]# fw lslogs MyGW

Size Log file name
23KB 2018-05-16_000000.log
9KB 2018-05-17_000000.log
11KB 2018-05-18_000000.log
4610KB fw.log
[Expert@HostName:0]#
fw hastat
 show cluster state
cphaprob state
 cpstat

fw hastat [<Target1>] [<Target2>] ... [<TargetN>]

[Expert@MGMT:0]# fw hastat

HOST NUMBER HIGH AVAILABILITY STATE MACHINE STATUS

localhost active OK
[Expert@MGMT:0]#

[Expert@MGMT:0]# fw hastat 192.168.3.52

HOST NUMBER HIGH AVAILABILITY STATE MACHINE STATUS
192.168.3.52 1 active OK
[Expert@MGMT:0]#

[Expert@MGMT:0]# fw hastat 192.168.3.53

HOST NUMBER HIGH AVAILABILITY STATE MACHINE STATUS
192.168.3.53 2 stand-by OK
[Expert@MGMT:0]#

[Expert@MGMT:0]# fw hastat 192.168.3.52 192.168.3.53

HOST NUMBER HIGH AVAILABILITY STATE MACHINE STATUS
192.168.3.52 1 active OK
192.168.3.53 2 stand-by OK
[Expert@MGMT:0]#

[Expert@Member1:0]# fw hastat
HOST NUMBER HIGH AVAILABILITY STATE MACHINE STATUS
192.168.3.52 1 active OK
[Expert@Member1:0]#
fw [-d] kill [-t <Signal Number>] <Name of Process>

-d

-t <
> kill -l

kill signal

SIGTERM

< >

fw kill fwd
$FWDIR/log/*.log
$FWDIR/log/*.adtlog

fw log {-h | -help}

fw [-d] log [-a] [-b "<Start Timestamp>" "<End Timestamp>"] [-c <Action>] [{-f |
-t}] [-g] [-H] [-h <Origin>] [-i] [-k {<Alert Name> | all}] [-l] [-m {initial |
semi | raw}] [-n] [-o] [-p] [-q] [-S] [-s "<Start Timestamp>"] [-e "<End Timestamp>"]
[-u <Unification Scheme File>] [-w] [-x <Start Entry Number>] [-y <End Entry
Number>] [-z] [-#] [<Log File>]

{-h | -help}

-d

script

-a

-b "< >"
"< >"
 < > < >

 < >" "< >

-b 'XX' 'YY" -b "XX"
"YY
 -b -s
-e

-c < >
 accept
 drop
 reject
 encrypt
 decrypt
 vpnroute
 keyinst
 authorize
 deauthorize
 authcrypt
 ctl

 fw log ctl

 authcrypt
-e "< >"

 < >
 < >
-e '...' -e "..."
 -e -b


-f

$FWDIR/log/fw.log
$FWDIR/log/fw.adtlog

-g



-H
-h < >

-i

-k {< > |
all}
 < >

 alert
 mail
 snmp_trap
 spoof
 user_alert
 user_auth
 all

-l

-m

 initial

-f

semi
 semi

 raw
-n

-o

-p
-q

-S

-s "< >"

 < >


 < >
-s '...' -s "..."
 -s -b


-t

$FWDIR/log/fw.log
$FWDIR/log/fw.adtlog

-u <
>

$FWDIR/conf/log_unification_scheme.C

-w

-x < >

-y < >

-z

< >

$FWDIR/log/fw.log
MMM DD, YYYY June 11, 2018
HH:MM:SS 14:20:00

MMM DD, YYYY HH:MM:SS June 11, 2018 14:20:00

HeaderDateHour ContentVersion HighLevelLogKey Uuid SequenceNum Flags

Action Origin IfDir InterfaceName LogId ...

HeaderDateHour 12Jun2018 12:56:42

ContentVersion 5
HighLevelLogKey <max_null>
Uuid (0x5b1f99cb,0x0,0x3403a8c0,0xc0
000000)
SequenceNum 1
Flags 428292

Action  accept
 dropreject
 encrypt
 decrypt
 vpnroute
 keyinst
 authorize
 deauthorize
 authcrypt
 ctl
Origin MyGW

IfDir  <
 >
 <

 >

InterfaceName  eth0
 daemon
 N/A

daemon
LogId 0
Alert
 alert
 mail
 snmp_trap
 spoof
 user_alert
 user_auth
OriginSicName CN=MyGW,O=MyDomain_Server.check
point.com.s6t98x

inzone Local
outzone External
service_id ftp

src MyHost

dst MyFTPServer

proto tcp
sport_svc 64933

ProductName  VPN-1 & FireWall-1

 Application Control
 FloodGate-1
ProductFamily Network

fw log -l

[Expert@MyGW:0]# fw log -l -s "June 12, 2018 12:33:00"

12Jun2018 12:33:00 5 N/A 1 accept MyGW > N/A LogId: <max_null>; ContextNum:
<max_null>; OriginSicName: CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x;
fg-1_client_in_rule_name: Default; fg-1_client_out_rule_name: Default;
fg-1_server_in_rule_name: Host Redirect; fg-1_server_out_rule_name: ;
ProductName: FG; ProductFamily: Network;

12Jun2018 12:33:39 5 N/A 1 drop MyGW < eth0 LogId: 0; ContextNum: <max_null>;
OriginSicName: CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x; inzone: Local;
outzone: External; service_id: ftp; src: MyGW; dst: MyFTPServer; proto: tcp;
UP_match_table: TABLE_START; ROW_START: 0; match_id: 2; layer_uuid:
4e26fc30-b345-4c96-b8d7-9db6aa7cdd89; layer_name: MyPolicy Network; rule_uid:
802020d9-5cdc-4c74-8e92-47e1b0eb72e5; rule_name: ; ROW_END: 0; UP_match_table:
TABLE_END; UP_action_table: TABLE_START; ROW_START: 0; action: 0; ROW_END: 0;
UP_action_table: TABLE_END; ProductName: VPN-1 & FireWall-1; svc: ftp; sport_svc:
64933; ProductFamily: Network;

... ... ...

[Expert@MyGW:0]#

[Expert@MyGW:0]# fw log -l -b "June 12, 2018 12:33:00" 'June 12, 2018 12:34:00'
12Jun2018 12:33:00 5 N/A 1 accept MyGW > N/A LogId: <max_null>; ContextNum:
<max_null>; OriginSicName: CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x;
fg-1_client_in_rule_name: Default; fg-1_client_out_rule_name: Default;
fg-1_server_in_rule_name: Host Redirect; fg-1_server_out_rule_name: ;
ProductName: FG; ProductFamily: Network;

12Jun2018 12:33:45 5 N/A 1 ctl MyGW > LogId: <max_null>; ContextNum:

<max_null>; OriginSicName: CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x;
description: Contracts; reason: Could not reach
"https://productcoverage.checkpoint.com/ProductCoverageService". Check DNS and
Proxy configuration on the gateway.; Severity: 2; status: Failed; version: 1.0;
failure_impact: Contracts may be out-of-date; update_service: 1; ProductName:
Security Gateway/Management; ProductFamily: Network;
[Expert@MyGW:0]#

[Expert@MyGW:0]# fw log -l -c drop

[Expert@MyGW:0]# fw log -l -q -w -c drop

HeaderDateHour: 12Jun2018 12:33:39; ContentVersion: 5; HighLevelLogKey:
<max_null>; LogUid: ; SequenceNum: 1; Flags: 428292; Action: drop; Origin: MyGW;
IfDir: <; InterfaceName: eth0; Alert: ; LogId: 0; ContextNum: <max_null>;
OriginSicName: CN=MyGW,O=MyDomain_Server.checkpoint.com.s6t98x; inzone: Local;
outzone: External; service_id: ftp; src: MyGW; dst: MyFTPServer; proto: tcp;
UP_match_table: TABLE_START; ROW_START: 0; match_id: 2; layer_uuid:
4e26fc30-b345-4c96-b8d7-9db6aa7cdd89; layer_name: MyPolicy Network; rule_uid:
802020d9-5cdc-4c74-8e92-47e1b0eb72e5; rule_name: ; ROW_END: 0; UP_match_table:
TABLE_END; UP_action_table: TABLE_START; ROW_START: 0; action: 0; ROW_END: 0;
UP_action_table: TABLE_END; ProductName: VPN-1 & FireWall-1; svc: ftp; sport_svc:
64933; ProductFamily: Network;
[Expert@MyGW:0]#

[Expert@MyGW:0]# fw log -l -x 0 -y 10
... ...
[Expert@MyGW:0]#
 $FWDIR/log/fw.log
 $FWDIR/log/fw.adtlog

fw [-d] logswitch
[-audit] [<Name of Switched Log>]
-h <Target> [[+ | -]<Name of Switched Log>]

-d

-audit $FWDIR/log/fw.adtlog

-h < >





<
>


<YYYY-MM-DD_HHMMSS>.log
<YYYY-MM-DD_HHMMSS>.adtlog

<Specified_Log_Name>.log
<Specified_Log_Name>.adtlog



$FWDIR/log/

<Gateway_Object_Name>__<YYYY-MM-DD_HHMMSS>.log

<Gateway_Object_Name>__<Specified_Log_Name>.log

-

 $FWDIR/log/


<Gateway_Object_Name>__<YYYY-MM-DD_HHMMSS>.log

<Gateway_Object_Name>__<Specified_Log_Name>.log


 fw fetchlogs

gzip

[Expert@MGMT:0]# fw logswitch
Log file has been switched to: 2018-06-13_182359.log
[Expert@MGMT:0]#

[Expert@MGMT:0]# fw logswitch -audit

Log file has been switched to: 2018-06-13_185711.adtlog
[Expert@MGMT:0]#

[Expert@MGMT:0]# fw logswitch -h MyGW

[Expert@MGMT:0]# fw logswitch -h MyGW +

Log file has been switched to: 2018-06-13_185451.log
[Expert@MGMT:0]#
[Expert@MGMT:0]# ls $FWDIR/log/*.log
/opt/CPsuite-R80.30/fw1/log/fw.log
/opt/CPsuite-R80.30/fw1/log/MyGW__2018-06-13_185451.log
[Expert@MGMT:0]#
[Expert@MyGW:0]# ls $FWDIR/log/*.log
/opt/CPsuite-R80.30/fw1/log/fw.log
/opt/CPsuite-R80.30/fw1/log/2018-06-13_185451.log
[Expert@MyGW:0]#
$FWDIR/log/*.log
$FWDIR/log/*.adtlog

fw [-d] lslogs [-f <Name of Log File 1>] [-f <Name of Log File 2>] ... [-f <Name
of Log File N>] [-e] [-r] [-s {name | size | stime | etime}] [<Target>]

-d

script
-f < >


$FWDIR/log/*.log

2017-0?-*


-f
-e

 Size
 Creation Time
 Closing Time
 Log File Name
-r
-s {name | size |
stime | etime}

 name
 size
 stime

 etime
< >


< >

[Expert@MGMT:0]# fw lslogs
Size Log file name
9KB 2018-06-14_000000.log
11KB 2018-06-15_000000.log
9KB 2018-06-16_000000.log
10KB 2018-06-17_000000.log
9KB fw.log
[Expert@MGMT:0]#

[Expert@MGMT:0]# fw lslogs -f "*"

Size Log file name
9KB fw.adtlog
9KB fw.log
9KB 2018-05-29_000000.adtlog
9KB 2018-05-29_000000.log
9KB 2018-05-20_000000.adtlog
9KB 2018-05-20_000000.log
[Expert@MGMT:0]#

[Expert@MGMT:0]# fw lslogs -f "2018-06-14" -f '2018-06-15'

Size Log file name
9KB 2018-06-14_000000.adtlog
9KB 2018-06-14_000000.log
11KB 2018-06-15_000000.adtlog
11KB 2018-06-15_000000.log
[Expert@MGMT:0]#

[Expert@MGMT:0]# fw lslogs -f "2018-06-14" -f '2018-06-15'

Size Log file name
9KB 2018-06-14_000000.adtlog
9KB 2018-06-14_000000.log
11KB 2018-06-15_000000.adtlog
11KB 2018-06-15_000000.log
[Expert@MGMT:0]#

[Expert@MGMT:0]# fw lslogs -f "2018-06-14" -f '2018-06-15' -e -s name -r

Size Creation Time Closing Time Log file name
11KB 14Jun2018 0:00:00 15Jun2018 0:00:00 2018-06-15_000000.log
11KB 14Jun2018 0:00:00 15Jun2018 0:00:00
2018-06-15_000000.adtlog
9KB 13Jun2018 18:23:59 14Jun2018 0:00:00 2018-06-14_000000.log
9KB 13Jun2018 0:00:00 14Jun2018 0:00:00
2018-06-14_000000.adtlog
[Expert@MGMT:0]#

[Expert@MGMT:0]# fw lslogs -f "2018-06-14" -f '2018-06-15' 192.168.3.53

Size Log file name
11KB 2018-06-15_000000.adtlog
11KB 2018-06-15_000000.log
9KB 2018-06-14_000000.log
9KB 2018-06-14_000000.adtlog
[Expert@MGMT:0]#
*.log *.adtlog

 $FWDIR/log/fw.log
$FWDIR/log/fw.log
fw logswitch
 $FWDIR/log/fw.adtlog
$FWDIR/log/fw.adtlog
fw logswitch


fw [-d] mergefiles [-s] [-r] [-t <Time Conversion File>] <Name of Log File 1> <Name
of Log File 2> ... <Name of Log File N> <Name of Merged Log File>

-d

-s
-r

-t <
>

<IP Address of Log Server 1> <Signed Date Time in

Seconds>
<IP Address of Log Server 2> <Signed Date Time in
Seconds>
... ...



<

<
>

[Expert@MGMT]# fw mergefiles -s -r $FWDIR/log/2018-06-06_000000.log

$FWDIR/log/2018-06-05_000000.log /var/log/Merged_FireWall_Log.log
[Expert@MGMT]#

[Expert@MGMT]# fw mergefiles -s -r $FWDIR/log/2018-06-06_000000.adtlog

$FWDIR/log/2018-06-05_000000.adtlog /var/log/Merged_Audit_Log.adtlog
[Expert@MGMT]#
$FWDIR/log/*.log *.logptr
*.logaccount_ptr
*.loginitial_ptr
*.logLuuidDB
$FWDIR/log/*.adtlog *.adtlogptr
*.adtlogaccount_ptr
*.adtloginitial_ptr
*.adtlogLuuidDB

fw repairlog [-u] <Name of Log File>

-u

< >

fw repairlog -u 2018-06-17_000000.adtlog

 fw sam

 fw sam_policy sam_alert


 fw sam
$FWDIR/log/sam.dat

<type>,<actions>,<expire>,<ipaddr>
<type>,<actions>,<expire>,<src>,<dst>,<dport>,<ip_p>


sam_blocked_ips



[Expert@HostName:0]# fw [-d] sam [-v] [-s <SAM Server>] [-S <SIC Name of SAM Server>]
[-f <Security Gateway>] [-t <Timeout>] [-l <Log Type>] [-C] [-e <key=val>]+ [-r]
-{n|i|I|j|J} <Criteria>

[Expert@HostName:0]# fw [-d] sam [-v] [-s <SAM Server>] [-S <SIC Name of SAM Server>]
[-f <Security Gateway>] -D


[Expert@HostName:0]# fw [-d] sam [-v] [-s <SAM Server>] [-S <SIC Name of SAM Server>]
[-f <Security Gateway>] [-r] -M -{i|j|n|b|q} all


[Expert@HostName:0]# fw [-d] sam [-v] [-s <SAM Server>] [-S <SIC Name of SAM Server>]
[-f <Security Gateway>] [-r] -M -{i|j|n|b|q} <Criteria>

-d

-v

-s < >

localhost
-S <
>


-f <
> < >



fw sam

-D -i -j -I -J -n

 fw sam
-C -D

-C fw sam


fw sam -t <Timeout>

-t < >
fw sam
-l < >
 nolog
 short_noalert
 short_alert
 long_noalert
 long_alert
-e < >+

 name
 comment
 originator
-r
-n


-i



-I



-j



-J



-b
-q
-M
all

< >







 src < >

 dst < >
 any < >
 subsrc < > < >
 subdst < > < >
 subany < > < >
 srv < > < > < > < >
 subsrv < ip> < > < > < >
< > < >
 subsrvs < >< >< >< >< >
 subsrvd < > < > < > < >
< >
 dstsrv < > < > < >
 subdstsrv < > < > < > < >
 srcpr < > < >
 dstpr < > < >
 subsrcpr < > < > < >
 subdstpr < > < > < >
 generic < >
< >

src < >

dst <IP>

any < >

subsrc < > < >

subdst < > < >

subany < > < >

srv < > < > < >

< >
subsrv < >< ><
> < > < > < >

subsrvs < > < >

< > < > < >
subsrvd < > < > <
> < > < >
dstsrv < > < >
< >
subdstsrv < > < >
< > < >

srcpr < > < >

dstpr < > < >
subsrcpr < > < >
< >

subdstpr < > < >

< >
generic < >+

 service=gtp
 imsi
 msisdn
 apn
 tunl_dst
 tunl_dport
 tunl_proto


 fw sam
 sam_alert

 fw sam_policy fw samp

$FWDIR/database/sam_policy.db
 $FWDIR/database/sam_policy.mng






set virtual-system < >
vsenv < >


fw [-d] sam_policy
add <options>
batch
del <options>
get <options>
fw [-d] samp
add <options>
batch
del <options>
get <options>

fw6 [-d] sam_policy

add <options>
batch
del <options>
get <options>
fw6 [-d] samp
add <options>
batch
del <options>
get <options>

-d

add < >

batch
del < >

get < >

 fwm

fwm [-d]
dbload <options>
exportcert <options>
fetchfile <options>
fingerprint <options>
getpcap <options>
ikecrypt <options>
load [<options>]
logexport <options>
mds <options>
printcert <options>
sic_reset
snmp_trap <options>
unload [<options>]
ver [<options>]
verify <options>

-d

dbload

exportcert

fetchfile

fingerprint

getpcap

ikecrypt
load
mgmt_cli

logexport $FWDIR/log/*.log
$FWDIR/log/*.adtlog
mds

printcert

sic_reset
snmp_trap

unload

ver

verify
mdsenv < >

fwm [-d] dbload

-a
-c <Configuration File>
<GW1> <GW2> ... <GWN>

-d

fwm

-a
$FWDIR/conf/sys.conf

-c < >

< > < > ... < >


localhost
mdsenv < >

fwm [-d] exportcert -obj <Name of Object> -cert <Name of CA> -file <Output File>
[-withroot] [-pem]

-d

fwm

< >

< >
-withroot
-pem
fwopsec.conf fwopsec.v4x

mdsenv < >

fwm [-d] fetchfile -r <File> [-d <Local Path>] <Source>

-d

fwm

-r < > fw1

 conf/fwopsec.conf
 conf/fwopsec.v4x
-d < >
< >

[Expert@MGMT:0]# fwm fetchfile -r "conf/fwopsec.conf" -d /tmp 192.168.3.52

Fetching conf/fwopsec.conf from 192.168.3.52...
Done
[Expert@MGMT:0]#
mdsenv < >

fwm [-d] fingerprint [-d]

<IP address of Target> <SSL Port>
localhost <SSL Port>

-d
 fwm -d
fwm
fwm

 fingerprint -d

< >
< >

[Expert@MGMT:0]# fwm fingerprint localhost 443

#DN OID.1.2.840.113549.1.9.2=An optional company name,Email=Email
Address,CN=192.168.3.51,L=Locality Name (eg\, city)
#FINGER 11:A6:F7:1F:B9:F5:15:BC:F9:7B:5F:DC:28:FC:33:C5
##
[Expert@MGMT:0]#

[Expert@MGMT:0]# fwm fingerprint 192.168.3.52 443

#DN OID.1.2.840.113549.1.9.2=An optional company name,Email=Email
Address,CN=192.168.3.52,L=Locality Name (eg\, city)
#FINGER 5C:8E:4D:B9:B4:3A:58:F3:79:18:F1:70:99:8B:5F:2B
##
[Expert@MGMT:0]#

mdsenv <
>

$FWDIR/log/captures_repository/

$FWDIR/log/blob/

fwm [-d] getpcap -g <Security Gateway> -u '{<Capture UID>}' -p <Local Path>

-d

fwm

-g < >

-u '{< >}'

-p < >

[Expert@MGMT:0]# fwm getpcap -g 192.168.162.1 -u

'{0x4d79dc02,0x10000,0x220da8c0,0x1ffff}' /var/log/
[Expert@MGMT:0]#
mdsenv < >

fwm [-d] ikecrypt <Key> <Password>

-d

fwm

[Expert@MGMT:0]# fwm ikecrypt MySecretKey MyPassword

OUQJHiNHCj6HJGH8ntnKQ7tg
[Expert@MGMT:0]#
mgmt_cli
$FWDIR/log/*.log $FWDIR/log/*.adtlog

mdsenv < >

fwm logexport -h
fwm [-d] logexport [{-d <Delimiter> | -s}] [-t <Table Delimiter>] [-i <Input File>]
[-o <Output File>] [{-f | -e}] [-x <Start Entry Number>] [-y <End Entry Number>]
[-z] [-n] [-p] [-a] [-u <Unification Scheme File>] [-m {initial | semi | raw}]

-d

fwm

-d < > | -s
 -d < >
 -s

;
-t < >

,
-i < >


$FWDIR/log/*.log
$FWDIR/log/*.adtlog


$FWDIR/log/fw.log
-o < >
-f

$FWDIR/log/fw.log
$FWDIR/log/fw.adtlog
-e

$FWDIR/log/fw.log
$FWDIR/log/fw.adtlog
-x < >

-y < >

-z

-n

-p

-a

-u <
>

$FWDIR/conf/log_unification_scheme.C
-m {initial | semi |
raw}
 initial

-f

semi

 semi

 raw
fwm logexport
;;
fwm logexport

$FWDIR/conf/logexport.ini
[Expert@MGMT:0]# touch $FWDIR/conf/logexport.ini
$FWDIR/conf/logexport.ini
[Expert@MGMT:0]# vi $FWDIR/conf/logexport.ini

[Fields_Info]
included_fields = field1,field2,field3,<REST_OF_FIELDS>,field100
excluded_fields = field10,field11

num
<REST_OF_FIELDS>
 -f <REST_OF_FIELDS>
$FWDIR/conf/logexport_default.C
 -f <REST_OF_FIELDS>

included_fields excluded_fields

fwm logexport

[Expert@MGMT:0]# fwm logexport -i MySwitchedLog.log

Starting... There are 113 log records in the file
num;date;time;orig;type;action;alert;i/f_name;i/f_dir;product;LogId;ContextNum
;origin_id;ContentVersion;HighLevelLogKey;SequenceNum;log_sys_message;ProductF
amily;fg-1_client_in_rule_name;fg-1_client_out_rule_name;fg-1_server_in_rule_n
ame;fg-1_server_out_rule_name;description;status;version;comment;update_servic
e;reason;Severity;failure_impact
0;13Jun2018;19:47:54;CXL1_192.168.3.52;control; ;;daemon;inbound;VPN-1 &
FireWall-1;-1;-1;CN=CXL1_192.168.3.52,O=MyDomain_Server.checkpoint.com.s6t98x;
5;18446744073709551615;2;Log file has been switched to:
MyLog.log;Network;;;;;;;;;;;;
1;13Jun2018;19:47:54;CXL1_192.168.3.52;account;accept;;;inbound;FG;-1;-1;CN=CX
L1_192.168.3.52,O=MyDomain_Server.checkpoint.com.s6t98x;5;18446744073709551615
;1;;Network;Default;Default;;;;;;;;;;
... ...
35;13Jun2018;19:55:59;CXL1_192.168.3.52;account;accept;;;inbound;FG;-1;-1;CN=C
XL1_192.168.3.52,O=MyDomain_Server.checkpoint.com.s6t98x;5;1844674407370955161
5;1;;Network;Default;Default;Host Redirect;;;;;;;;;
36;13Jun2018;19:56:06;CXL1_192.168.3.52;control; ;;;inbound;Security
Gateway/Management;-1;-1;CN=CXL1_192.168.3.52,O=MyDomain_Server.checkpoint.com
.s6t98x;5;18446744073709551615;1;;Network;;;;;Contracts;Started;1.0;<null>;1;;
;
... ...
47;13Jun2018;19:57:02;CXL1_192.168.3.52;control; ;;;inbound;Security
Gateway/Management;-1;-1;CN=CXL1_192.168.3.52,O=MyDomain_Server.checkpoint.com
.s6t98x;5;18446744073709551615;1;;Network;;;;;Contracts;Failed;1.0;;1;Could not
reach "https://productcoverage.checkpoint.com/ProductCoverageService". Check DNS
and Proxy configuration on the gateway.;2;Contracts may be out-of-date
... ...
[Expert@MGMT:0]#

[Expert@MGMT:0]# fwm logexport -i MySwitchedLog.log -x 36 -y 47

Starting... There are 113 log records in the file
num;date;time;orig;type;action;alert;i/f_name;i/f_dir;product;LogId;ContextNum
;origin_id;ContentVersion;HighLevelLogKey;SequenceNum;log_sys_message;ProductF
amily;fg-1_client_in_rule_name;fg-1_client_out_rule_name;fg-1_server_in_rule_n
ame;fg-1_server_out_rule_name;description;status;version;comment;update_servic
e;reason;Severity;failure_impact
36;13Jun2018;19:56:06;CXL1_192.168.3.52;control; ;;;inbound;Security
Gateway/Management;-1;-1;CN=CXL1_192.168.3.52,O=MyDomain_Server.checkpoint.com
.s6t98x;5;18446744073709551615;1;;Network;;;;;Contracts;Started;1.0;<null>;1;;
;
37;13Jun2018;19:56:06;CXL1_192.168.3.52;account;accept;;;inbound;FG;-1;-1;CN=C
XL1_192.168.3.52,O=MyDomain_Server.checkpoint.com.s6t98x;5;1844674407370955161
5;2;;Network;Default;Default;Host Redirect;;;;;;;;;
... ...
46;13Jun2018;19:56:59;CXL1_192.168.3.52;account;accept;;;inbound;FG;-1;-1;CN=C
XL1_192.168.3.52,O=MyDomain_Server.checkpoint.com.s6t98x;5;1844674407370955161
5;1;;Network;Default;Default;Host Redirect;;;;;;;;;
47;13Jun2018;19:57:02;CXL1_192.168.3.52;control; ;;;inbound;Security
Gateway/Management;-1;-1;CN=CXL1_192.168.3.52,O=MyDomain_Server.checkpoint.com
.s6t98x;5;18446744073709551615;1;;Network;;;;;Contracts;Failed;1.0;;1;Could not
reach "https://productcoverage.checkpoint.com/ProductCoverageService". Check DNS
and Proxy configuration on the gateway.;2;Contracts may be out-of-date
[Expert@MGMT:0]#



fwm [-d] mds

ver
rebuild_global_communities_status {all | missing}

-d

fwm

ver
rebuild_global_
communities_sta
tus  all
 missing

[Expert@MDS:0]# fwm mds ver

This is Check Point Multi-Domain Security Management R80.20 - Build 084
[Expert@MDS:0]#
mdsenv < >

fwm [-d] printcert

-obj <Name of Object> [-cert <Certificate Nick Name>] [-verbose]
-ca <CA Name> [-x509 <Name of File> [-p]] [-verbose]
-f <Name of Binary Certificate File> [-verbose]

-d

fwm

-obj < >

-cert < >

-ca < >
internal_ca
-x509 < >
-p

-f <
>
-verbose

[Expert@MGMT:0]# fwm printcert -ca internal_ca

Subject: O=MGMT.checkpoint.com.s6t98x
Issuer: O=MGMT.checkpoint.com.s6t98x
Not Valid Before: Sun Apr 8 13:41:00 2018 Local Time
Not Valid After: Fri Jan 1 05:14:07 2038 Local Time
Serial No.: 1
Public Key: RSA (2048 bits)
Signature: RSA with SHA256
Key Usage:
digitalSignature
keyCertSign
cRLSign
Basic Constraint:
is CA
MD5 Fingerprint:
7B:F9:7B:4C:BD:40:B9:1C:AB:2C:AE:CF:66:2E:E7:06
SHA-1 Fingerprints:
1. A6:43:3A:2B:1A:04:7F:A6:36:A6:2C:78:BF:22:D9:BC:F7:7E:4D:73
2. KEYS HEM GERM PIT ABUT ROVE RAW PA IQ FAWN NUT SLAM
[Expert@MGMT:0]#

[Expert@MGMT:0]# fwm printcert -ca internal_ca -verbose

[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] fwa_db_init: called
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] fwa_db_init: closing existing
database
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] do_links_getver: strncmp failed.
Returning -2
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] db_fetchkey: entering
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] PubKey:
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] Modulus:
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] ae b3 75 36 64 e4 1a 40 fe c2 ad 2f
9b 83 0b 45 f1 00 04 bc
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] 3f 77 77 76 d1 de 8a cf 9f 32 78 8b
d4 b1 b4 be db 75 cc c8
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] c2 6d ff 3e aa fe f1 2b c3 0a b0 a2
a5 e0 a8 ab 45 cd 87 32
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] ac c6 9f a4 a9 ba 30 79 08 fa 59 4c
d2 dc 3d 36 ca 17 d7 c1
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] b2 a2 41 f5 89 0f 00 d4 2d f2 55 d2
30 a5 32 c7 46 7a 6b 32
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] 29 0f 53 9f 35 42 91 e5 7d f7 30 6d
bc b3 f2 ae f3 f0 ed 88
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] c4 d7 7d 0c 2d f6 5f c8 ed 9f 9a 57
54 79 d0 0f 0b 2f 9c 0d
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] 94 2e f0 f4 66 62 f7 ae 2e f8 8e 90
08 ba 63 85 b6 46 2f b7
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] a7 01 29 9a 14 58 a8 ef eb 07 17 4e
95 8b 2f 48 5f d3 18 10
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] 3f 00 d5 03 d7 fd 45 45 ca 67 5b 34
be b8 00 ae ea 9a cd 50
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] d6 e7 a2 81 86 78 11 d7 bf 04 9f 8b
43 3f f7 36 5f ed 31 a8
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] a3 9d 8b 0a de 05 fb 5c 44 2e 29 e3
3e f4 dd 50 01 0f 86 9d
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] 55 16 a3 4d f8 90 2d 13 c6 c1 28 57
f8 3e 7c 59
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] Exponent: 65537 (0x10001)
[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52]
X509 Certificate Version 3
refCount: 1
Serial Number: 1
Issuer: O=MGMT.checkpoint.com.s6t98x
Subject: O=MGMT.checkpoint.com.s6t98x
Not valid before: Sun Apr 8 13:41:00 2018 Local Time
Not valid after: Fri Jan 1 05:14:07 2038 Local Time
Signature Algorithm: RSA with SHA-256 Public key: RSA (2048 bits)
Extensions:
Key Usage:
digitalSignature
keyCertSign
cRLSign
Basic Constraint (Critical):
is CA

[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] destroy_rand_mutex: destroy

[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] cpKeyTaskManager::~cpKeyTaskManager:
called.
[Expert@MGMT:0]#

[Expert@MGMT:0]# fwm printcert -obj CXL_192.168.3.244

printing all certificates of CXL_192.168.3.244

defaultCert:
Host Certificate (level 0):
Subject: CN=CXL_192.168.3.244 VPN Certificate,O=MGMT.checkpoint.com.s6t98x
Issuer: O=MGMT.checkpoint.com.s6t98x
Not Valid Before: Sun Jun 3 19:58:19 2018 Local Time
Not Valid After: Sat Jun 3 19:58:19 2023 Local Time
Serial No.: 85021
Public Key: RSA (2048 bits)
Signature: RSA with SHA256
Subject Alternate Names:
IP Address: 192.168.3.244
CRL distribution points:
http://192.168.3.240:18264/ICA_CRL2.crl
CN=ICA_CRL2,O=MGMT.checkpoint.com.s6t98x
Key Usage:
digitalSignature
keyEncipherment
Basic Constraint:
not CA
MD5 Fingerprint:
B1:15:C7:A8:2A:EE:D1:75:92:9F:C7:B4:B9:BE:42:1B
SHA-1 Fingerprints:
1. BC:7A:D9:E2:CD:29:D1:9E:F0:39:5A:CD:7E:A9:0B:F9:6A:A7:2B:85
2. MIRE SANK DUSK HOOD HURD RIDE TROY QUAD LOVE WOOD GRIT WITH

*****
[Expert@MGMT:0]#

[Expert@MGMT:0]# fwm printcert -obj CXL_192.168.3.244 -verbose

[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] fwa_db_init: called
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] fwa_db_init: closing existing
database
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] do_links_getver: strncmp failed.
Returning -2

printing all certificates of CXL_192.168.3.244

[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] db_fetchkey: entering

[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] 1 certificates
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] PubKey:
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] Modulus:
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] df 35 c3 45 ca 42 16 6e 21 9e 31 af
c1 fd 20 0a 3d 5b 6f 5d
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] e0 a2 0c 0e fa fa 5e e5 91 9d 4e 73
77 fa db 86 0b 5e 5d 0c
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] ce af 4a a4 7b 30 ed b0 43 7d d8 93
c5 4b 01 f4 3d b5 d8 f4
... ... ...
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] 34 b1 db ac 18 4f 11 bd d2 fb 26 7d
23 74 5c d9 00 a1 58 1e
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] 60 7c 83 44 fa 1e 1e 86 fa ad 98 f7
df 24 4a 21
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] Exponent: 65537 (0x10001)
[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45]
X509 Certificate Version 3
refCount: 1
Serial Number: 85021
Issuer: O=MGMT.checkpoint.com.s6t98x
Subject: CN=CXL_192.168.3.244 VPN Certificate,O=MGMT.checkpoint.com.s6t98x
Not valid before: Sun Jun 3 19:58:19 2018 Local Time
Not valid after: Sat Jun 3 19:58:19 2023 Local Time
Signature Algorithm: RSA with SHA-256 Public key: RSA (2048 bits)
Extensions:
Key Usage:
digitalSignature
keyEncipherment
Subject Alternate names:
IP: 192.168.3.244
Basic Constraint:
not CA
CRL distribution Points:
URI: http://192.168.3.240:18264/ICA_CRL2.crl
DN: CN=ICA_CRL2,O=MGMT.checkpoint.com.s6t98x

defaultCert:

[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] destroy_rand_mutex: destroy

[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] cpKeyTaskManager::~cpKeyTaskManager:
called.
*****
[Expert@MGMT:0]#


mdsenv < >

fwm [-d] sic_reset

-d

fwm

mdsenv <
>


fwm [-d] snmp_trap [-v <SNMP OID>] [-g <Generic Trap Number>] [-s <Specific Trap
Number>] [-p <Source Port>] [-c <SNMP Community>] <Target> ["<Message>"]

-d

fwm

-v < >
-g <
>

 coldStart
 warmStart
 linkDown
 linkUp
 authenticationFailure
 egpNeighborLoss
 enterpriseSpecific

-s <
> enterpriseSpecific

-p < >

-c < >
< >

"< >"

[Expert@MGMT:0]# fwm snmp_trap -g 2 -c public 192.168.3.52 "My Trap Message"

[Expert@MGMT:0]#

[Expert@MyGW_192.168.3.52:0]# tcpdump -s 1500 -vvvv -i eth0 udp and host

192.168.3.51
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes
22:49:43.891287 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17),
length: 103) 192.168.3.51.53450 > MyGW_192.168.3.52.snmptrap: [udp sum ok] {
SNMPv1 { Trap(58) E:2620.1.1 192.168.3.240 linkDown 1486440 E:2620.1.1.11.0="My
Trap Message" } }
CTRL+C
[Expert@MyGW_192.168.3.52:0]#
mdsenv < >

fwm unload


comp_init_policy

 fw fetch
 cpstart
 fw unloadlocal

fwm [-d] unload <GW1> <GW2> ... <GWN>

-d

fwm

[Expert@MyGW:0]# cpstat -f policy fw

Product name: Firewall

Policy name: CXL_Policy
Policy install time: Tue Oct 23 18:23:14 2018
... ... ...
[Expert@MyGW:0]#
[Expert@MyGW:0]# sysctl -a | grep forwarding | grep -v bridge
net.ipv6.conf.bond0.forwarding = 1
net.ipv6.conf.eth1.forwarding = 1
net.ipv6.conf.eth3.forwarding = 1
net.ipv6.conf.eth2.forwarding = 1
net.ipv6.conf.eth4.forwarding = 1
net.ipv6.conf.eth5.forwarding = 1
net.ipv6.conf.eth0.forwarding = 1
net.ipv6.conf.eth6.forwarding = 1
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.lo.forwarding = 1
net.ipv4.conf.bond0.mc_forwarding = 0
net.ipv4.conf.bond0.forwarding = 1
net.ipv4.conf.eth1.mc_forwarding = 0
net.ipv4.conf.eth1.forwarding = 1
net.ipv4.conf.eth2.mc_forwarding = 0
net.ipv4.conf.eth2.forwarding = 1
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.all.forwarding = 1
[Expert@MyGW:0]#

[Expert@MGMT:0]# fwm unload MyGW

Uninstalling Policy From: MyGW

Security Policy successfully uninstalled from MyGW...

Security Policy uninstall complete.

[Expert@MGMT:0]#

[Expert@MyGW:0]# cpstat -f policy fw

Product name: Firewall

Policy name:
Policy install time:
... ... ...
[Expert@MyGW:0]#

[Expert@MyGW:0]# sysctl -a | grep forwarding | grep -v bridge

net.ipv6.conf.bond0.forwarding = 0
net.ipv6.conf.eth1.forwarding = 0
net.ipv6.conf.eth3.forwarding = 0
net.ipv6.conf.eth2.forwarding = 0
net.ipv6.conf.eth4.forwarding = 0
net.ipv6.conf.eth5.forwarding = 0
net.ipv6.conf.eth0.forwarding = 0
net.ipv6.conf.eth6.forwarding = 0
net.ipv6.conf.default.forwarding = 0
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.lo.forwarding = 0
net.ipv4.conf.bond0.mc_forwarding = 0
net.ipv4.conf.bond0.forwarding = 0
net.ipv4.conf.eth1.mc_forwarding = 0
net.ipv4.conf.eth1.forwarding = 0
net.ipv4.conf.eth2.mc_forwarding = 0
net.ipv4.conf.eth2.forwarding = 0
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 0
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 0
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 0
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.all.forwarding = 0
[Expert@MyGW:0]#
fwm [-d] ver [-f <Output File>]

-d

fwm

-f < >

[Expert@MGMT:0]# fwm ver

This is Check Point Security Management Server R80.20 - Build 252
[Expert@MGMT:0]#
mdsenv < >

fwm [-d] verify <Policy Name>

-d

fwm

< >

[Expert@MGMT:0]# fwm verify Standard

Verifier messages:
Error: Rule 1 Hides rule 2 for Services & Applications: any .
[Expert@MGMT:0]#
inet_alert -s <IP Address> [-o] [-a <Auth Type>] [-p <Port>] [-f <Token> <Value>]
[-m <Alert Type>]

-s < >
-o stdout
inet_alert <some
command> | inet_alert ...
-a < >

 ssl_opsec

 auth_opsec
 clear

-p < >
-f < > < > < > < >

 < >

 < >
< >< >

-m < >

 alert
 mail
 snmptrap
 spoofalert

$FWDIR/conf/objects.C
value=clientquotaalert. Parameter=clientquotaalertcmd

0
102
103
104 stdin
106
107
inet_alert -s 10.0.2.4 -a clear -f product cads -m alert



cads





$FWDIR/log/ldap_pid_< >.stats

[Expert@MGMT:0]# ldapcmd [-d <Debug Level>] -p {<Process Name> | all} <Command>

-d < >

-p {< > | all}

< >

 cacheclear {all | UserCacheObject |

TemplateCacheObject |
TemplateExtGrpCacheObject}
 all
 UserCacheObject
 TemplateCacheObject

 TemplateExtGrpCacheObject
 cachetrace {all | UserCacheObject |
TemplateCacheObject |
TemplateExtGrpCacheObject}
 all
 UserCacheObject
 TemplateCacheObject

 TemplateExtGrpCacheObject

 log {on | off}

 on
 off

 stat {< > | 0}

 >

 0
[Expert@MGMT:0]# ldapcompare [-d <Debug Level>] [<Options>] <DN> {<Attribute>
<Value> | <Attribute> <Base64 Value>}

-d

< >
< >
< >
< >

-E [!]< >[=<
>]
!dontUseCopy
-M
-MM
-P < >

-z

-D < >
-e [!]< >[=<
>]

 [!]assert=< >

 [!]authzid=< >
dn:< > "u:< >

 [!]chaining[=<
>[/< >]]

 "chainingPreferred"
 "chainingRequired"
 "referralsPreferred"
 "referralsRequired"

 [!]manageDSAit

 [!]noop
 ppolicy
 [!]postread[=< >]

 [!]preread[=< >]

 [!]relax
 abandon

 cancel

 ignore

-h < >

-H <

-I
-n
-N

-o < >[=< >]

nettimeout={< > | none | max}
-O < >
-p < >
-Q

-R < >
-U < >
-v

-V -VV
-w < >

-W

-x

-X < >
dn:< > u:< >
-y < >
< >
-Y < >
-Z
-ZZ
Member
MemberOf
MemberOf Both
Member

Member
MemberOf
Member
Both
ldapmemberconvert.log

[Expert@MGMT:0]# ldapmemberconvert [-d <Debug Level>] -h <LDAP Server> -p <LDAP

Server Port> -D <LDAP Admin DN> -w <LDAP Admin Password> -m <Member Attribute Name>
-o <MemberOf Attribute Name> -c <Member ObjectClass Value> [-B] [-f <File> | -g
<Group DN>] [-L <LDAP Server Timeout>] [-M <Number of Updates>] [-S <Size>] [-T
<LDAP Client Timeout>] [-Z]

-d < >

-h < >

localhost
-p < >
-D < >
-w < >
-m < >
Member
-o <
> MemberOf
-c < ObjectClass
>

-c <Member Object Class 1> -c <Member Object Class

2> ... -c <Member Object Class X>
-B Both
-f < >

-g < >

-g <Group DN 1> -g <Group DN 2> ... -g <Group DN

X>
-L < >

never
-M < >

-S < >

none
-T < >

never
-Z

GroupMembership


MemberOf
–M <Number of Updates>

–M

cn=cpGroup,ou=groups,ou=cp,c=us
...
cn=cpGroup
uniquemember="cn=member1,ou=people,ou=cp,c=us"
uniquemember="cn=member2,ou=people,ou=cp,c=us"
...

...
cn=member1
objectclass=fw1Person
...

...
cn=member2
objectclass=fw1Person
...

[Expert@MGMT:0]# ldapconvert -g cn=cpGroup,ou=groups,ou=cp,c=us -h MyLdapServer

-d cn=admin -w secret –m uniquemember -o memberof -c fw1Person

...
cn=cpGroup
...

...
cn=member1
objectclass=fw1Person
memberof="cn=cpGroup,ou=groups,ou=cp,c=us"
...
...
cn=member2
objectclass=fw1Person
memberof="cn=cpGroup,ou=groups,ou=cp,c=us"
...

–B

uniquemember="cn=template1,ou=people, ou=cp,c=us"

cn=member1
objectclass=fw1Template

-c fw1Person template1 fw1Template

[Expert@MGMT:0]# ldapmodify [-d <Debug Level>] [-h <LDAP Server>] [-p <LDAP Server
Port>] [-D <LDAP Admin DN>] [-w <LDAP Admin Password>] [-a] [-b] [-c] [-F] [-k]
[-n] [-r] [-v] [-T <LDAP Client Timeout>] [-Z] [ -f <Input File>.ldif | < <Entry>]

-d < >

-h < >

localhost
-p < >
-D < >
-w < >
-a add
-b
-c
-F
-k
-K
-n add

-r
-v

-T < >

never
-Z
-f < >.ldif < >.ldif

< < >

<
[Expert@MGMT:0]# ldapsearch [-d <Debug Level>] [-h <LDAP Server>] [-p <LDAP Port>]
[-D <LDAP Admin DN>] [-w <LDAP Admin Password>] [-A] [-B] [-b <Base DN>] [-F
<Separator>] [-l <LDAP Server Timeout>] [-s <Scope>] [-S <Sort Attribute>] [-t]
[-T <LDAP Client Timeout>] [-u] [-z <Number of Search Entries>] [-Z] <Filter>
[<Attributes>]

-d < >

-h < >

localhost
-p < >
-D < >
-w < >
-A
-B

-b < >
-F < >

-l < >

never
-s < >
 base
 one
 sub
-S < >
-t /tmp/

/tmp/ldapsearch-< >-< >

fw1color
a00188
/tmp/ldapsearch-fw1color-a00188
-T < >

never
-u

cn=Babs Jensen, users, omi

cn=Babs Jensen, cn=users,cn=omi
-z <
>
-Z

< >

objectclass=fw1host
< >

[Expert@MGMT:0]# ldapsearch -p 18185 -b cn=omi objectclass=fw1host objectclass

cn=omi
fw1host
objectclass
mgmt_cli

mgmt_cli <Command Name> <Command Parameters> <Optional Switches>

C:\> cd /d "%ProgramFiles%\CheckPoint\SmartConsole\<VERSION>\PROGRAM\"
C:\Program Files\...\PROGRAM\> mgmt_cli.exe <Command Name> <Command Parameters>
<Optional Switches>

C:\> cd /d "%ProgramFiles(x86)%\CheckPoint\SmartConsole\<VERSION>\PROGRAM\"
C:\Program Files (x86)\...\PROGRAM\> mgmt_cli.exe <Command Name> <Command
Parameters> <Optional Switches>

 mgmt_cli mgmt_cli mgmt_cli.exe





$FWDIR/bin/upgrade_tools/

migrate


/var/log/opt/CPshrd-R80.30/migrate-<YYYY.MM.DD_HH.MM.SS>.log


$CPDIR/log/migrate-<YYYY.MM.DD_HH.MM.SS>.log


[Expert@MGMT:0]# ./migrate -h


[Expert@MGMT:0]# cd $FWDIR/bin/upgrade_tools/
[Expert@MGMT:0]# yes | nohup ./migrate export [-l | -x] [-n]
[--exclude-uepm-postgres-db] [--include-uepm-msi-files] /<Full Path>/<Name of
Exported File>


[Expert@MGMT:0]# cd $FWDIR/bin/upgrade_tools/
[Expert@MGMT:0]# yes | nohup ./migrate import [-l | -x] [-n]
[--exclude-uepm-postgres-db] [--include-uepm-msi-files] /<Full Path>/<Name of
Exported File>.tgz

-h
yes | nohup ./migrate ... & yes | nohup ... &
yes migrate

migrate

export

import

-l
$FWDIR/log/

-x
$FWDIR/log/


-n


cpstop
--exclude-uepm-postgres-d
b

--include-uepm-msi-files

/< >/
< >
*.tgz

*.tgz

[Expert@MGMT:0]# cd $FWDIR/bin/upgrade_tools/
[Expert@MGMT:0]# ./migrate export /var/log/Migrate_Export

You are required to close all clients to Security Management Server

or execute 'cpstop' before the Export operation begins.

Do you want to continue? (y/n) [n]? y

Copying required files...

Compressing files...

The operation completed successfully.

Location of archive with exported database: /var/log/Migrate_Export.tgz

[Expert@MGMT:0]#
[Expert@MGMT:0]# find / -name migrate-\* -type f
/var/log/opt/CPshrd-R80.30/migrate-2018.06.14_11.03.46.log
[Expert@MGMT:0]#

[Expert@MGMT:0]# ./migrate export /var/log/My_Migrate_Export

Execution finished with errors. See log file
'/opt/CPshrd-R80.30/log/migrate-2018.06.14_11.21.39.log' for further details
[Expert@MGMT:0]#

[Expert@MGMT:0]# rs_db_tool [-d] -operation add -name <Object Name> -ip <IPv4
Address> -ip6 <Pv6 Address> -TTL <Time-To-Live>


[Expert@MGMT:0]# rs_db_tool [-d] -operation fetch -name <Object Name>


[Expert@MGMT:0]# rs_db_tool [-d] -operation delete -name <Object Name>


[Expert@MGMT:0]# rs_db_tool [-d] -operation list


[Expert@MGMT:0]# rs_db_tool [-d] -operation sync

-d

-name < >

-ip < >
-ip6 < >
-TTL < >



 fw sam fw sam_policy

[Expert@MGMT:0]# sam_alert [-v] [-o] [-s <SAM Server>] [-t <Time>] [-f <Security
Gateway>] [-C] {-n|-i|-I} {-src|-dst|-any|-srv}

-v fw sam

-o

-s < >
-t < >

-f < >

-C
-n

-i

-I

-src
-dst
-any

-srv

[Expert@MGMT:0]# sam_alert -v2 [-v] [-O] [-S <SAM Server>] [-t <Time>] [-f <Security
Gateway>] [-n <Name>] [-c "<Comment">] [-o <Originator>] [-l {r | a}] -a {d | r|
n | b | q | i} [-C] {-ip |-eth} {-src|-dst|-any|-srv}

-v2
-v fw sam
-O

-S < >
-t < >

-f < >

-n < >

-c "< >"

-o < >
sam_alert
-l {r | a}

 r
 a
None
-a {d | r| n | b | q | i}

 d
 r
 n
 b
 q
 i
-C

-ip
-eth
-src
-dst
-any

-srv
[Expert@HostName:0]# mdsenv <
>

[Expert@HostName:0]# threshold_config

Threshold Engine Configuration Options:

---------------------------------------

(1) Show policy name

(2) Set policy name
(3) Save policy
(4) Save policy to file
(5) Load policy from file
(6) Configure global alert settings
(7) Configure alert destinations
(8) View thresholds overview
(9) Configure thresholds

(e) Exit (m) Main Menu

Enter your choice (1-9) :

[Expert@HostName:0]# cpwd_admin stop -name CPD -path

"$CPDIR/bin/cpd_admin" -command "cpd_admin stop"
[Expert@HostName:0]# cpwd_admin start -name CPD -path
"$CPDIR/bin/cpd" -command "cpd"

[Expert@HostName:0]# cpwd_admin list | egrep "STAT|CPD"

(1) Show policy name

(2) Set policy name

Default Profile
(3) Save policy
(4) Save policy to file

(5) Load policy from file

(6) Configure global

alert settings



(7) Configure alert
destinations

Configure Alert Destinations Options:

-------------------------------------
(1) View alert destinations
(2) Add SNMP NMS
(3) Remove SNMP NMS
(4) Edit SNMP NMS
(8) View thresholds
overview


 (9)



(9) Configure thresholds
Thresholds Categories
----------------------
(1) Hardware
(2) High Availability
(3) Local Logging Mode Status
(4) Log Server Connectivity
(5) Networking
(6) Resources

 (1) Hardware
Hardware Thresholds:
--------------------
(1) RAID volume state
(2) RAID disk state
(3) RAID disk flags
(4) Temperature sensor reading
(5) Fan speed sensor reading
(6) Voltage sensor reading

 (2) High Availability

High Availability Thresholds:
-----------------------------
(1) Cluster member state changed
(2) Cluster block state
(3) Cluster state
(4) Cluster problem status
(5) Cluster interface status

 (3) Local Logging Mode Status

Local Logging Mode Status Thresholds:

-------------------------------------
(1) Local Logging Mode

 (4) Log Server Connectivity

Log Server Connectivity Thresholds:

-----------------------------------
(1) Connection with log server
(2) Connection with all log servers
 (5) Networking
Networking Thresholds:
----------------------
(1) Interface Admin Status
(2) Interface removed
(3) Interface Operational Link Status
(4) New connections rate
(5) Concurrent connections rate
(6) Bytes Throughput
(7) Accepted Packet Rate
(8) Drop caused by excessive traffic

 (6) Resources
Resources Thresholds:
---------------------
(1) Swap Memory Utilization
(2) Real Memory Utilization
(3) Partition free space
(4) Core Utilization
(5) Core interrupts rate

(1) Hardware Hardware Thresholds:

--------------------
(1) RAID volume state
(2) RAID disk state
(3) RAID disk flags
(4) Temperature sensor reading
(5) Fan speed sensor reading
(6) Voltage sensor reading
(2) High Availability High Availability Thresholds:
-----------------------------
(1) Cluster member state changed
(2) Cluster block state
(3) Cluster state
(4) Cluster problem status
(5) Cluster interface status
(3) Local Logging Mode Local Logging Mode Status Thresholds:
Status -------------------------------------
(1) Local Logging Mode
(4) Log Server Log Server Connectivity Thresholds:
Connectivity -----------------------------------
(1) Connection with log server
(2) Connection with all log servers
(5) Networking Networking Thresholds:
----------------------
(1) Interface Admin Status
(2) Interface removed
(3) Interface Operational Link Status
(4) New connections rate
(5) Concurrent connections rate
(6) Bytes Throughput
(7) Accepted Packet Rate
(8) Drop caused by excessive traffic
(6) Resources Resources Thresholds:
---------------------
(1) Swap Memory Utilization
(2) Real Memory Utilization
(3) Partition free space
(4) Core Utilization
(5) Core interrupts rate

 threshold_config

 $FWDIR/conf/thresholds.conf




 mgmt_cli.exe
 mgmt_cli


api restart


mgmt_cli

mgmt_cli

mgmt_cli
cma_migrate /<Full Path>/<Name of R7x Domain Exported File>.tgz /<Full
Path>/<$FWDIR Directory of the New Domain Management Server>/

[[email protected]_MDS:0]# cma_migrate /var/log/orig_R7x_database.tgz

/opt/CPmds-R80.30/customers/MyDomain3/CPsuite-R80.30/fw1/
cpmiquerybin

MISSING_ATTR

cpmiquerybin <query_result_type> <database> <table> <query> [-a

<attributes_list>]

< >
 attr

 object

< > "mdsdb" ""

< >
< >
(""

-a < > query_result_type

__name__

cpmiquerybin
# cpmiquerybin attr "" network_objects "" -a __name__
DMZZone
WirelessZone
ExternalZone
InternalZone
AuxiliaryNet
LocalMachine_All_Interfaces
CPDShield
InternalNet
LocalMachine
DMZNet
 fwm

-d

dbload

exportcert

fetchfile

fingerprint

getpcap

ikecrypt
load
mgmt_cli

logexport $FWDIR/log/*.log
$FWDIR/log/*.adtlog
mds

printcert

sic_reset
snmp_trap

unload

ver

verify
mdsenv < >

fwm [-d] dbload

-a
-c <Configuration File>
<GW1> <GW2> ... <GWN>

-d

fwm

-a
$FWDIR/conf/sys.conf

-c < >

< > < > ... < >


localhost
mdsenv < >

fwm [-d] exportcert -obj <Name of Object> -cert <Name of CA> -file <Output File>
[-withroot] [-pem]

-d

fwm

< >

< >
-withroot
-pem
fwopsec.conf fwopsec.v4x

mdsenv < >

fwm [-d] fetchfile -r <File> [-d <Local Path>] <Source>

-d

fwm

-r < > fw1

 conf/fwopsec.conf
 conf/fwopsec.v4x
-d < >
< >

[Expert@MGMT:0]# fwm fetchfile -r "conf/fwopsec.conf" -d /tmp 192.168.3.52

Fetching conf/fwopsec.conf from 192.168.3.52...
Done
[Expert@MGMT:0]#
mdsenv < >

fwm [-d] fingerprint [-d]

<IP address of Target> <SSL Port>
localhost <SSL Port>

-d
 fwm -d
fwm
fwm

 fingerprint -d

< >
< >

[Expert@MGMT:0]# fwm fingerprint localhost 443

#DN OID.1.2.840.113549.1.9.2=An optional company name,Email=Email
Address,CN=192.168.3.51,L=Locality Name (eg\, city)
#FINGER 11:A6:F7:1F:B9:F5:15:BC:F9:7B:5F:DC:28:FC:33:C5
##
[Expert@MGMT:0]#

[Expert@MGMT:0]# fwm fingerprint 192.168.3.52 443

$FWDIR/log/blob/

fwm [-d] getpcap -g <Security Gateway> -u '{<Capture UID>}' -p <Local Path>

-d

fwm

-g < >

-u '{< >}'

-p < >

[Expert@MGMT:0]# fwm getpcap -g 192.168.162.1 -u

'{0x4d79dc02,0x10000,0x220da8c0,0x1ffff}' /var/log/
[Expert@MGMT:0]#
mdsenv < >

fwm [-d] ikecrypt <Key> <Password>

-d

fwm

[Expert@MGMT:0]# fwm ikecrypt MySecretKey MyPassword

OUQJHiNHCj6HJGH8ntnKQ7tg
[Expert@MGMT:0]#
mgmt_cli
$FWDIR/log/*.log $FWDIR/log/*.adtlog

mdsenv < >

-d

fwm

-d < > | -s
 -d < >
 -s

;
-t < >

,
-i < >


$FWDIR/log/*.log
$FWDIR/log/*.adtlog


$FWDIR/log/fw.log
-o < >
-f

$FWDIR/log/fw.log
$FWDIR/log/fw.adtlog
-e

$FWDIR/log/fw.log
$FWDIR/log/fw.adtlog
-x < >

-y < >

-z

-n

-p

-a

-u <
>

$FWDIR/conf/log_unification_scheme.C
-m {initial | semi |
raw}
 initial

-f

semi

 semi

 raw
fwm logexport
;;
fwm logexport

$FWDIR/conf/logexport.ini
[Expert@MGMT:0]# touch $FWDIR/conf/logexport.ini
$FWDIR/conf/logexport.ini
[Expert@MGMT:0]# vi $FWDIR/conf/logexport.ini

[Fields_Info]
included_fields = field1,field2,field3,<REST_OF_FIELDS>,field100
excluded_fields = field10,field11

num
<REST_OF_FIELDS>
 -f <REST_OF_FIELDS>
$FWDIR/conf/logexport_default.C
 -f <REST_OF_FIELDS>

included_fields excluded_fields

fwm logexport

[Expert@MGMT:0]# fwm logexport -i MySwitchedLog.log

[Expert@MGMT:0]# fwm logexport -i MySwitchedLog.log -x 36 -y 47

Starting... There are 113 log records in the file
num;date;time;orig;type;action;alert;i/f_name;i/f_dir;product;LogId;ContextNum
;origin_id;ContentVersion;HighLevelLogKey;SequenceNum;log_sys_message;ProductF
amily;fg-1_client_in_rule_name;fg-1_client_out_rule_name;fg-1_server_in_rule_n
ame;fg-1_server_out_rule_name;description;status;version;comment;update_servic
e;reason;Severity;failure_impact
36;13Jun2018;19:56:06;CXL1_192.168.3.52;control; ;;;inbound;Security
Gateway/Management;-1;-1;CN=CXL1_192.168.3.52,O=MyDomain_Server.checkpoint.com
.s6t98x;5;18446744073709551615;1;;Network;;;;;Contracts;Started;1.0;<null>;1;;
;
37;13Jun2018;19:56:06;CXL1_192.168.3.52;account;accept;;;inbound;FG;-1;-1;CN=C
XL1_192.168.3.52,O=MyDomain_Server.checkpoint.com.s6t98x;5;1844674407370955161
5;2;;Network;Default;Default;Host Redirect;;;;;;;;;
... ...
46;13Jun2018;19:56:59;CXL1_192.168.3.52;account;accept;;;inbound;FG;-1;-1;CN=C
XL1_192.168.3.52,O=MyDomain_Server.checkpoint.com.s6t98x;5;1844674407370955161
5;1;;Network;Default;Default;Host Redirect;;;;;;;;;
47;13Jun2018;19:57:02;CXL1_192.168.3.52;control; ;;;inbound;Security
Gateway/Management;-1;-1;CN=CXL1_192.168.3.52,O=MyDomain_Server.checkpoint.com
.s6t98x;5;18446744073709551615;1;;Network;;;;;Contracts;Failed;1.0;;1;Could not
reach "https://productcoverage.checkpoint.com/ProductCoverageService". Check DNS
and Proxy configuration on the gateway.;2;Contracts may be out-of-date
[Expert@MGMT:0]#



fwm [-d] mds

ver
rebuild_global_communities_status {all | missing}

-d

fwm

ver
rebuild_global_
communities_sta
tus  all
 missing

[Expert@MDS:0]# fwm mds ver

This is Check Point Multi-Domain Security Management R80.20 - Build 084
[Expert@MDS:0]#
mdsenv < >

fwm [-d] printcert

-obj <Name of Object> [-cert <Certificate Nick Name>] [-verbose]
-ca <CA Name> [-x509 <Name of File> [-p]] [-verbose]
-f <Name of Binary Certificate File> [-verbose]

-d

fwm

-obj < >

-cert < >

-ca < >
internal_ca
-x509 < >
-p

-f <
>
-verbose

[Expert@MGMT:0]# fwm printcert -ca internal_ca

[Expert@MGMT:0]# fwm printcert -ca internal_ca -verbose

[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] destroy_rand_mutex: destroy

[FWM 24304 4024166304]@MGMT[12 Jun 20:21:52] cpKeyTaskManager::~cpKeyTaskManager:
called.
[Expert@MGMT:0]#

[Expert@MGMT:0]# fwm printcert -obj CXL_192.168.3.244

printing all certificates of CXL_192.168.3.244

*****
[Expert@MGMT:0]#

[Expert@MGMT:0]# fwm printcert -obj CXL_192.168.3.244 -verbose

printing all certificates of CXL_192.168.3.244

[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] db_fetchkey: entering

defaultCert:

[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] destroy_rand_mutex: destroy

[FWM 24665 4023814048]@MGMT[12 Jun 20:26:45] cpKeyTaskManager::~cpKeyTaskManager:
called.
*****
[Expert@MGMT:0]#


mdsenv < >

fwm [-d] sic_reset

-d

fwm

mdsenv <
>


fwm [-d] snmp_trap [-v <SNMP OID>] [-g <Generic Trap Number>] [-s <Specific Trap
Number>] [-p <Source Port>] [-c <SNMP Community>] <Target> ["<Message>"]

-d

fwm

-v < >
-g <
>

 coldStart
 warmStart
 linkDown
 linkUp
 authenticationFailure
 egpNeighborLoss
 enterpriseSpecific

-s <
> enterpriseSpecific

-p < >

-c < >
< >

"< >"

[Expert@MGMT:0]# fwm snmp_trap -g 2 -c public 192.168.3.52 "My Trap Message"

[Expert@MGMT:0]#

[Expert@MyGW_192.168.3.52:0]# tcpdump -s 1500 -vvvv -i eth0 udp and host

fwm unload


comp_init_policy

 fw fetch
 cpstart
 fw unloadlocal

fwm [-d] unload <GW1> <GW2> ... <GWN>

-d

fwm

[Expert@MyGW:0]# cpstat -f policy fw

Product name: Firewall

[Expert@MGMT:0]# fwm unload MyGW

Uninstalling Policy From: MyGW

Security Policy successfully uninstalled from MyGW...

Security Policy uninstall complete.

[Expert@MGMT:0]#

[Expert@MyGW:0]# cpstat -f policy fw

Product name: Firewall

Policy name:
Policy install time:
... ... ...
[Expert@MyGW:0]#

[Expert@MyGW:0]# sysctl -a | grep forwarding | grep -v bridge

-d

fwm

-f < >

[Expert@MGMT:0]# fwm ver

This is Check Point Security Management Server R80.20 - Build 252
[Expert@MGMT:0]#
mdsenv < >

fwm [-d] verify <Policy Name>

-d

fwm

< >

[Expert@MGMT:0]# fwm verify Standard

Verifier messages:
Error: Rule 1 Hides rule 2 for Services & Applications: any .
[Expert@MGMT:0]#
$FWDIR

mdsenv <IP Address or Name of Domain Management Server>

mcd <Name of Directory in $FWDIR>

[Expert@MDS:0]# mdsstat
+--------------------------------------------------------------------------------------+
| Processes status checking |
+-----+----------------+-----------------+------------+----------+----------+----------+
| Type| Name | IP address | FWM | FWD | CPD | CPCA |
+-----+----------------+-----------------+------------+----------+----------+----------+
| MDS | - | 192.168.3.51 | up 17284 | up 17266 | up 17251 | up 17753 |
+-----+----------------+-----------------+------------+----------+----------+----------+
| CMA |MyDomain_Server | 192.168.3.240 | up 32227 | up 32212 | up 25725 | up 32482 |
+-----+----------------+-----------------+------------+----------+----------+----------+
| Total Domain Management Servers checked: 1 0 up 1 down |
| Tip: Run mdsstat -h for legend |
+--------------------------------------------------------------------------------------+
[Expert@MDS:0]#
[Expert@MDS:0]# mdsenv MyDomain_Server
[Expert@MDS:0]#
[Expert@MDS:0]# mcd
changing to /opt/CPmds-R80.30/customers/MyDomain_Server/CPsuite-R80.30/fw1/
[Expert@MDS:0]#
[Expert@MDS:0]# ls -1
av
bin
conf
cpm-server
database
doc
hash
lib
libsw
log
scripts
state
tmp
[Expert@MDS:0]#
[Expert@MDS:0]# mcd av
changing to /opt/CPmds-R80.30/customers/MyDomain_Server/CPsuite-R80.30/fw1/av
[Expert@MDS:0]#
[Expert@MDS:0]# mcd bin
changing to /opt/CPmds-R80.30/customers/MyDomain_Server/CPsuite-R80.30/fw1/bin
[Expert@MDS:0]#
[Expert@MDS:0]# mcd conf
changing to /opt/CPmds-R80.30/customers/MyDomain_Server/CPsuite-R80.30/fw1/conf
[Expert@MDS:0]#
[Expert@MDS:0]# mcd log
changing to /opt/CPmds-R80.30/customers/MyDomain_Server/CPsuite-R80.30/fw1/log
[Expert@MDS:0]#
[Expert@MDS:0]# mcd scripts
changing to /opt/CPmds-R80.30/customers/MyDomain_Server/CPsuite-R80.30/fw1/scripts
[Expert@MDS:0]#
mds_backup

mds_backup gtar dump

* tar
13Sep2019-141437.mdsbk.tar

mds_backup
tar <timestamp>mdsbk.tar
tgz <timestamp>mdsbk.tgz

mds_backup

*.tar mds_restore
gtar gzip

mds_backup -h
mds_backup [-g -b [-d <target_directory>] -s [-v] [-l]]

-h
-g
-b
-d
< >

-s
-v

-l

 mds_backup
mds_backup
/opt/CPmds-<current_release>/

 mds_backup *.log
*.adtlog

$MDSDIR/conf/mds_exclude.da
log/*
mds_backup

mds_restore < >


mdscmd addadministrator < >
mdscmd adddomain < > mgmt_cli add-domain
mdscmd addlogserver < > mgmt_cli add-domain
mdscmd addmanagement < > mgmt_cli add-domain
mdscmd assign-globalpolicy < > mgmt_cli set global-assignment

mdscmd assignadmin < > mgmt_cli set-administrator

mdscmd assignguiclient < >

mdscmd deleteadministrator < >
mdscmd deletedomain < > mgmt_cli delete-domain
mdscmd deletelogserver < >
mdscmd deletemanagement < > mgmt_cli delete-domain
mdscmd disableglobaluse < >
mdscmd enableglobaluse < >
mdscmd install-globalpolicy < > mgmt_cli assign-global-assignment

mdscmd migratemanagement < >

mdscmd mirrormanagement < >
mdscmd reassign-globalpolicy < > mgmt_cli set global-assignment

mgmt_cli assign-global-assignment

mdscmd remove-globalpolicy < > mgmt_cli delete global-assignment

mdscmd removeadmin < > mgmt_cli set-administrator

mdscmd removeguiclient < >

mdscmd runcrossdomainquery < >
mdscmd startmanagement < > mdsstart_customer
mdscmd stopmanagement < > mdsstop_customer
mdsenv

mdsstart (on page ), mdsstop

mdsenv [<Name or IP Address of Domain Management Server>]

<
>
mdsquerydb <key_name> [-f <output_file_name>]

< >

-f < >

Keys for Multi-Domain environment:

----------------------------------
GlobalNetworkObjects Get name and type of all global network objects
NetworkObjects Get all Domains' internal Check Point installed network objects
Domains Get names of all Domains Irit B comment from QA Draft
Administrators Get names of all Administrators
MDSs Get names and IPs of all MDSs
DomainManagementServers Get names of all Domain Servers
GuiClients Get names and IPs of all gui clients
CMAs Backwards Compatibility (DomainManagementServers)
Customers Backwards Compatibility (Domains)

Keys for Domain environment:

----------------------------
NetworkObjects Get name and type of all network objects
Gateways Get names and IPs of all gateways

# mdsquerydb

# mdsenv
# mdsquerydb Domains

# mdsenv
# mdsquerydb NetworkObjects –f /tmp/gateways.txt
# mdsenv DServer1
# mdsquerydb Gateways -f /tmp/gateways.txt
mdsstart
mdsstop

 mdsstop_customer
 mdsstart_customer

mdsstart [-m | -s]

mdsstop [-m | -s]

-m

-s

NUM_EXEC_SIMUL

NUM_EXEC_SIMUL
# export NUM_EXEC_SIMUL=<Number of Domain Management Servers>
export NUM_EXEC_SIMUL=5
NUM_EXEC_SIMUL
# echo $NUM_EXEC_SIMUL
/etc/rc.d/rc.local
# cp -v /etc/rc.d/rc.local{,_BKP}
/etc/rc.d/rc.local
# vi /etc/rc.d/rc.local

export NUM_EXEC_SIMUL=<Number of Domain Management Servers>

export NUM_EXEC_SIMUL=5

NUM_EXEC_SIMUL
# echo $NUM_EXEC_SIMUL

NUM_EXEC_SIMUL
# unset NUM_EXEC_SIMUL
NUM_EXEC_SIMUL
# echo $NUM_EXEC_SIMUL
mdsstop_customer

mdsstart_customer <IP address or Name of Domain Management Server>

mdsstat

mdsstat [-h] [-m] [<Name or IP Address of Domain Management Server>]

-h
-m

up
down
pnd
init
N/A
N/R

# mdsstat
+--------------------------------------------------------------------------------------+
| Processes status checking |
+-----+----------------+-----------------+------------+----------+----------+----------+
| Type| Name | IP address | FWM | FWD | CPD | CPCA |
+-----+----------------+-----------------+------------+----------+----------+----------+
| MDS | - | 192.168.3.101 | up 17284 | up 17266 | up 17251 | up 17753 |
+-----+----------------+-----------------+------------+----------+----------+----------+
| CMA |DOM211_Server | 192.168.3.211 | up 32227 | up 32212 | up 25725 | up 32482 |
| CMA |DOM212_Server | 192.168.3.212 | up 4248 | up 4184 | up 4094 | up 4441 |
+-----+----------------+-----------------+------------+----------+----------+----------+
| Total Domain Management Servers checked: 2 2 up 0 down |
| Tip: Run mdsstat -h for legend |
+--------------------------------------------------------------------------------------+
mdsstop_customer <IP address or Name of Domain Management Server>

 mdsstart_customer
mgmt_cli

mgmt_cli <Command Name> <Command Parameters> <Optional Switches>

C:\> cd /d "%ProgramFiles%\CheckPoint\SmartConsole\<VERSION>\PROGRAM\"
C:\Program Files\...\PROGRAM\> mgmt_cli.exe <Command Name> <Command Parameters>
<Optional Switches>

C:\> cd /d "%ProgramFiles(x86)%\CheckPoint\SmartConsole\<VERSION>\PROGRAM\"
C:\Program Files (x86)\...\PROGRAM\> mgmt_cli.exe <Command Name> <Command
Parameters> <Optional Switches>

 mgmt_cli mgmt_cli mgmt_cli.exe


migrate_global_policies
*.pre_migrate

migrate_global_policies

migrate_global_policies <Path>

< >

$MDSDIR/conf

[email protected]_MDS:0]# migrate_global_policies
/var/log/exported_global_db.22Jul2007-124547.tgz
[Expert@HostName:0]# mdsenv <
>

[Expert@HostName:0]# threshold_config

Threshold Engine Configuration Options:

---------------------------------------

(1) Show policy name

(e) Exit (m) Main Menu

Enter your choice (1-9) :

[Expert@HostName:0]# cpwd_admin stop -name CPD -path

"$CPDIR/bin/cpd_admin" -command "cpd_admin stop"
[Expert@HostName:0]# cpwd_admin start -name CPD -path
"$CPDIR/bin/cpd" -command "cpd"

[Expert@HostName:0]# cpwd_admin list | egrep "STAT|CPD"

(1) Show policy name

(2) Set policy name

Default Profile
(3) Save policy
(4) Save policy to file

(5) Load policy from file

(6) Configure global

alert settings



(7) Configure alert
destinations

Configure Alert Destinations Options:

-------------------------------------
(1) View alert destinations
(2) Add SNMP NMS
(3) Remove SNMP NMS
(4) Edit SNMP NMS
(8) View thresholds
overview

 (2) High Availability

High Availability Thresholds:
-----------------------------
(1) Cluster member state changed
(2) Cluster block state
(3) Cluster state
(4) Cluster problem status
(5) Cluster interface status

 (3) Local Logging Mode Status

Local Logging Mode Status Thresholds:

-------------------------------------
(1) Local Logging Mode

 (4) Log Server Connectivity

Log Server Connectivity Thresholds:

 (6) Resources
Resources Thresholds:
---------------------
(1) Swap Memory Utilization
(2) Real Memory Utilization
(3) Partition free space
(4) Core Utilization
(5) Core interrupts rate

(1) Hardware Hardware Thresholds:

 threshold_config

 $FWDIR/conf/thresholds.conf





$MDSVERUTIL help
$MDSVERUTIL
AllCMAs <options>
AllVersions
CMAAddonDir <options>
CMACompDir <options>
CMAFgDir <options>
CMAFw40Dir <options>
CMAFw41Dir <options>
CMAFwConfDir <options>
CMAFwDir <options>
CMAIp <options>
CMAIp6 <options>
CMALogExporterDir <options>
CMALogIndexerDir <options>
CMANameByFwDir <options>
CMANameByIp <options>
CMARegistryDir <options>
CMAReporterDir <options>
CMASmartLogDir <options>
CMASvnConfDir <options>
CMASvnDir <options>
ConfDirVersion <options>
CpdbUpParam <options>
CPprofileDir <options>
CPVer <options>
CustomersBaseDir <options>
DiskSpaceFactor <options>
InstallationLogDir <options>
IsIPv6Enabled
IsLegalVersion <options>
IsOsSupportsIPv6
LatestVersion
MDSAddonDir <options>
MDSCompDir <options>
MDSDir <options>
MDSFgDir <options>
MDSFwbcDir <options>
MDSFwDir <options>
MDSIp <options>
MDSIp6 <options>
MDSLogExporterDir <options>
MDSLogIndexerDir <options>
MDSPkgName <options>
MDSRegistryDir <options>
MDSReporterDir <options>
MDSSmartLogDir <options>
MDSSvnDir <options>
MDSVarCompDir <options>
MDSVarDir <options>
MDSVarFwbcDir <options>
MDSVarFwDir <options>
MDSVarSvnDir <options>
MSP <options>
OfficialName <options>
OptionPack <options>
ProductName <options>
RegistryCurrentVer <options>
ShortOfficialName <options>
SmartCenterPuvUpgradeParam <options>
SP <options>
SVNPkgName <options>
SvrDirectory <options>
SvrParam <options>
help

AllCMAs < >

AllVersions

CMAAddonDir < >

CMACompDir < >

CMAFgDir < > $FGDIR

CMAFw40Dir < > $FWDIR

CMAFw41Dir < > $FWDIR

CMAFwConfDir < >

$FWDIR/conf/

CMAFwDir < > $FWDIR

CMAIp < >

CMAIp6 < >

CMALogExporterDir < >

$EXPORTERDIR

CMALogIndexerDir < >

$INDEXERDIR
CMANameByFwDir < >

$FWDIR
CMANameByIp < >

CMARegistryDir < >

$CPDIR/registry/

CMAReporterDir < > $RTDIR

CMASmartLogDir < >

$SMARTLOGDIR

CMASvnConfDir < >

$CPDIR/conf/

CMASvnDir < > $CPDIR

ConfDirVersion < >

$FWDIR/conf/

CpdbUpParam < >

CPprofileDir < >

.CPprofile.sh
.CPprofile.csh
CPVer < >

CustomersBaseDir < >

$MDSDIR/customers/
DiskSpaceFactor < >
mds_setup

InstallationLogDir < >

/opt/CPInstLog/
IsIPv6Enabled true

false
IsLegalVersion < >

IsOsSupportsIPv6 true
false

LatestVersion

MDSAddonDir < >

MDSCompDir < >

MDSDir < > /opt/

$MDSDIR
MDSFgDir < > $FGDIR

MDSFwbcDir < > /opt/

MDSFwDir < > /opt/

$FWDIR

MDSIp < >

MDSIp6 < >

MDSLogExporterDir < >

$EXPORTERDIR

MDSLogIndexerDir < >

$INDEXERDIR

MDSPkgName < >

MDSRegistryDir < >

$CPDIR/registry/

MDSReporterDir < > $RTDIR

MDSSmartLogDir < >
$SMARTLOGDIR

MDSSvnDir < > /opt/

$CPDIR

MDSVarCompDir < > /var/opt/

MDSVarDir < > /var/opt/

$MDSDIR
MDSVarFwbcDir < > /var/opt/

MDSVarFwDir < > /var/opt/

$FWDIR

MDSVarSvnDir < > /var/opt/

$CPDIR

MSP < >

OfficialName < >
OptionPack < >
ProductName < >

RegistryCurrentVer < >

ShortOfficialName < >

SmartCenterPuvUpgradeParam < >

SP < >
SVNPkgName < >

SvrDirectory < >

SvrParam < >

$MDSVERUTIL AllCMAs [-v <Version_ID>]

-v < >
$MDSVERUTIL AllVersions

[Expert@MDS:0]# $MDSVERUTIL AllCMAs

MyDomain_Server_1
MyDomain_Server_2
MyDomain_Server_3
[Expert@MDS:0]#

[Expert@MDS:0]# $MDSVERUTIL AllCMAs -v VID_92

MyDomain_Server_1
MyDomain_Server_2
MyDomain_Server_3
[Expert@MDS:0]#
$MDSVERUTIL AllVersions

 $MDSVERUTIL IsLegalVersion
 $MDSVERUTIL OfficialName
[Expert@MDS:0]# $MDSVERUTIL AllVersions
VID_92
VID_91
VID_90
VID_89
VID_88
VID_87
VID_86
VID_85
VID_84
VID_83
VID_80
VID_65
VID_62
VID_NGX_61
VID_61
VID_60
VID_541_A
VID_541
VID_54_VSX_R2
VID_54_VSX
VID_54
VID_53_VSX
VID_53
VID_52
VID_51
VID_41
[Expert@MDS:0]#
$MDSVERUTIL MDSAddonDir

$MDSVERUTIL CMAAddonDir -n <Name or IP address of Domain Management Server> [-v

<Version_ID>]

-n <

>
-v < >
$MDSVERUTIL AllVersions

[Expert@MDS:0]# $MDSVERUTIL CMAAddonDir -n MyDomain_Server

/opt/CPmds-R80.30/customers/MyDomain_Server/CPmgmt-R55W
[Expert@MDS:0]#
 $MDSVERUTIL MDSCompDir
 $MDSVERUTIL MDSVarCompDir

$MDSVERUTIL CMACompDir -n <Name or IP address of Domain Management Server> -c <Name

of Backward Compatibility Package>

-n <

>
-c <
>

ls -1 $MDSDIR/customers/<
>/ | grep CMP

[Expert@MDS:0]# $MDSVERUTIL CMACompDir -n MyDomain_Server -c CPR77CMP-R80.30

/opt/CPmds-R80.30/customers/MyDomain_Server/CPR77CMP-R80.30
[Expert@MDS:0]#
$FGDIR

$MDSVERUTIL MDSFgDir

$MDSVERUTIL CMAFgDir -n <Name or IP address of Domain Management Server> [-v

<Version_ID>]

-n <

>
-v < >
$MDSVERUTIL AllVersions

[Expert@MDS:0]# $MDSVERUTIL CMAFgDir -n MyDomain_Server

/opt/CPmds-R80.30/customers/MyDomain_Server/CPsuite-R80.30/fg1
[Expert@MDS:0]#

[Expert@MDS:0]# $MDSVERUTIL CMAFgDir -n MyDomain_Server -v VID_90

/opt/CPmds-R77/customers/MyDomain_Server/CPsuite-R77/fg1
[Expert@MDS:0]#
$FWDIR

$MDSVERUTIL CMAFw40Dir -n <Name or IP address of Domain Management Server> [-v

<Version_ID>]

-n <

>
-v < >
$MDSVERUTIL AllVersions

[Expert@MDS:0]# $MDSVERUTIL CMAFw40Dir -n MyDomain_Server

/opt/CPmds-R80.30/customers/MyDomain_Server/fw40
[Expert@MDS:0]#

[Expert@MDS:0]# $MDSVERUTIL CMAFw40Dir -n MyDomain_Server -v VID_90

/opt/CPmds-R77/customers/MyDomain_Server/fw40
[Expert@MDS:0]#
$FWDIR

$MDSVERUTIL CMAFw41Dir -n <Name or IP address of Domain Management Server> [-v

<Version_ID>]

-n <

>
-v < >
$MDSVERUTIL AllVersions

[Expert@MDS:0]# $MDSVERUTIL CMAFw41Dir -n MyDomain_Server

/opt/CPmds-R80.30/customers/MyDomain_Server/CPEdgecmp-R80.30
[Expert@MDS:0]#

[Expert@MDS:0]# $MDSVERUTIL CMAFw41Dir -n MyDomain_Server -v VID_90

/opt/CPmds-R77/customers/MyDomain_Server/CPEdgecmp-R77
[Expert@MDS:0]#
$FWDIR/conf/

$MDSVERUTIL CMAFwConfDir -n <Name or IP address of Domain Management Server> [-v

<Version_ID>]

-n <

>
-v < >
$MDSVERUTIL AllVersions

[Expert@MDS:0]# $MDSVERUTIL CMAFwConfDir -n MyDomain_Server

/opt/CPmds-R80.30/customers/MyDomain_Server/CPsuite-R80.30/fw1/conf
[Expert@MDS:0]#

[Expert@MDS:0]# $MDSVERUTIL CMAFwConfDir -n MyDomain_Server -v VID_90

/opt/CPmds-R77/customers/MyDomain_Server/CPsuite-R77/fw1/conf
[Expert@MDS:0]#
$FWDIR

$MDSVERUTIL MDSFwDir

$MDSVERUTIL CMAFwDir -n <Name or IP address of Domain Management Server> [-v

<Version_ID>]

-n <

>
-v < >
$MDSVERUTIL AllVersions

[Expert@MDS:0]# $MDSVERUTIL CMAFwDir -n MyDomain_Server

/opt/CPmds-R80.30/customers/MyDomain_Server/CPsuite-R80.30/fw1
[Expert@MDS:0]#

[Expert@MDS:0]# $MDSVERUTIL CMAFwDir -n MyDomain_Server -v VID_90

/opt/CPmds-R77/customers/MyDomain_Server/CPsuite-R77/fw1
[Expert@MDS:0]#
$MDSVERUTIL MDSIp

$MDSVERUTIL CMAIp -n <Name or IP address of Domain Management Server> [-v

<Version_ID>]

-n <

>
-v < >
$MDSVERUTIL AllVersions

[Expert@MDS:0]# $MDSVERUTIL CMAIp -n MyDomain_Server

192.168.3.240
[Expert@MDS:0]#
$MDSVERUTIL MDSIp6

$MDSVERUTIL CMAIp6 -n <Name or IP address of Domain Management Server> [-v

<Version_ID>]

-n <

>
-v < >
$MDSVERUTIL AllVersions
$EXPORTERDIR

$MDSVERUTIL MDSLogExporterDir

$MDSVERUTIL CMALogExporterDir -n <Name or IP address of Domain Management Server>

[-v <Version_ID>]

-n <

>
-v < >
$MDSVERUTIL AllVersions

[Expert@MDS:0]# $MDSVERUTIL CMALogExporterDir -n MyDomain_Server

/opt/CPmds-R80.30/customers/MyDomain_Server/CPrt-R80.30/log_exporter
[Expert@MDS:0]#
$INDEXERDIR

$MDSVERUTIL MDSLogIndexerDir

$MDSVERUTIL CMALogIndexerDir -n <Name or IP address of Domain Management Server>

[-v <Version_ID>]

-n <

>
-v < >
$MDSVERUTIL AllVersions

[Expert@MDS:0]# $MDSVERUTIL CMALogIndexerDir -n MyDomain_Server

/opt/CPmds-R80.30/customers/MyDomain_Server/CPrt-R80.30/log_indexer
[Expert@MDS:0]#
$FWDIR

$MDSVERUTIL CMANameByFwDir -d $FWDIR [-v <Version_ID>]

-v < >
$MDSVERUTIL AllVersions

[Expert@MDS:0]# $MDSVERUTIL CMANameByFwDir -d $FWDIR

MyDomain_Server
[Expert@MDS:0]#
$MDSVERUTIL CMANameByIp -i <IP address of Domain Management Server> [-v
<Version_ID>]

-i <

>
-v < >
$MDSVERUTIL AllVersions

[Expert@MDS:0]# $MDSVERUTIL CMANameByIp -i 192.168.3.240

MyDomain_Server
[Expert@MDS:0]#
$CPDIR/registry/

$MDSVERUTIL MDSRegistryDir

$MDSVERUTIL CMARegistryDir -n <Name of Domain Management Server> [-v <Version_ID>]

-n <

-v < >
$MDSVERUTIL AllVersions

[Expert@MDS:0]# $MDSVERUTIL CMARegistryDir -n MyDomain_Server

/opt/CPmds-R80.30/customers/MyDomain_Server/CPshrd-R80.30/registry
[Expert@MDS:0]#
$RTDIR

$MDSVERUTIL MDSReporterDir

$MDSVERUTIL CMAReporterDir -n <Name of Domain Management Server> [-v <Version_ID>]

-n <
>
-v < >
$MDSVERUTIL AllVersions

[Expert@MDS:0]# $MDSVERUTIL CMAReporterDir -n MyDomain_Server

/opt/CPmds-R80.30/customers/MyDomain_Server/CPrt-R80.30
[Expert@MDS:0]#
$SMARTLOGDIR

$MDSVERUTIL MDSSmartLogDir

$MDSVERUTIL CMASmartLogDir -n <Name of Domain Management Server> [-v <Version_ID>]

-n <
>
-v < >
$MDSVERUTIL AllVersions

[Expert@MDS:0]# $MDSVERUTIL CMASmartLogDir -n MyDomain_Server

/opt/CPmds-R80.30/customers/MyDomain_Server/CPSmartLog-R80.30
[Expert@MDS:0]#
$CPDIR/conf/

$MDSVERUTIL CMASvnConfDir -n <Name of Domain Management Server> [-v <Version_ID>]

-n <
>
-v < >
$MDSVERUTIL AllVersions

[Expert@MDS:0]# $MDSVERUTIL CMASvnConfDir -n MyDomain_Server

/opt/CPmds-R80.30/customers/MyDomain_Server/CPshrd-R80.30/conf
[Expert@MDS:0]#
$CPDIR

 $MDSVERUTIL MDSSvnDir
 $MDSVERUTIL MDSVarSvnDir

$MDSVERUTIL CMASvnDir -n <Name of Domain Management Server> [-v <Version_ID>]

-n <
>
-v < >
$MDSVERUTIL AllVersions

[Expert@MDS:0]# $MDSVERUTIL CMASvnDir -n MyDomain_Server

/opt/CPmds-R80.30/customers/MyDomain_Server/CPshrd-R80.30
[Expert@MDS:0]#
$FWDIR/conf/
$MDSVERUTIL AllVersions

$MDSVERUTIL ConfDirVersion -d $FWDIR/conf

[Expert@MDS:0]# $MDSVERUTIL ConfDirVersion -d $FWDIR/conf

VID_92
[Expert@MDS:0]#
 $MDSVERUTIL MSP
 $MDSVERUTIL SP

$MDSVERUTIL CpdbUpParam [-v <Version_ID>]

-v < >
$MDSVERUTIL AllVersions

[Expert@MDS:0]# $MDSVERUTIL CpdbUpParam

6.0.4.9
[Expert@MDS:0]#

[Expert@MDS:0]# $MDSVERUTIL CpdbUpParam -v VID_90

6.0.4.0
[Expert@MDS:0]#

[Expert@MDS:0]# $MDSVERUTIL CpdbUpParam -v VID_65

6.0.1.0
[Expert@MDS:0]#
.CPprofile.sh .CPprofile.csh

$MDSVERUTIL CPprofileDir [-v <Version_ID>]

-v < >
$MDSVERUTIL AllVersions

[Expert@MDS:0]# $MDSVERUTIL CPprofileDir

/opt/CPshrd-R80.30/tmp
[Expert@MDS:0]#

[Expert@MDS:0]# $MDSVERUTIL CPprofileDir -v VID_90

/opt/CPshrd-R77/tmp
[Expert@MDS:0]#
$MDSVERUTIL CPVer [-v <Version_ID>]

-v < >
$MDSVERUTIL AllVersions

[Expert@MDS:0]# $MDSVERUTIL CPVer

9.0
[Expert@MDS:0]#

[Expert@MDS:0]# $MDSVERUTIL CPVer -v VID_80

8.0
[Expert@MDS:0]#
$MDSDIR/customers/

$MDSVERUTIL CustomersBaseDir [-v <Version_ID>]

-v < >
$MDSVERUTIL AllVersions

[Expert@MDS:0]# $MDSVERUTIL CustomersBaseDir

/opt/CPmds-R80.30/customers
[Expert@MDS:0]#

[Expert@MDS:0]# $MDSVERUTIL CustomersBaseDir -v VID_90

/opt/CPmds-R77/customers
[Expert@MDS:0]#
mds_setup

$MDSVERUTIL DiskSpaceFactor [-v <Version_ID>]

-v < >
$MDSVERUTIL AllVersions

[Expert@MDS:0]# $MDSVERUTIL DiskSpaceFactor

1
[Expert@MDS:0]#
/opt/CPInstLog/

$MDSVERUTIL InstallationLogDir [-v <Version_ID>]

-v < >
$MDSVERUTIL AllVersions

[Expert@MDS:0]# $MDSVERUTIL InstallationLogDir

/opt/CPInstLog
[Expert@MDS:0]#
true
false

$MDSVERUTIL IsIPv6Enabled
$MDSVERUTIL IsLegalVersion -v <Version_ID>

-v < >
$MDSVERUTIL AllVersions

[Expert@MDS:0]# $MDSVERUTIL IsLegalVersion -v VID_92

0
[Expert@MDS:0]#

[Expert@MDS:0]# $MDSVERUTIL IsLegalVersion -v VID_123456

1
[Expert@MDS:0]#
true
false

$MDSVERUTIL IsOsSupportsIPv6
$MDSVERUTIL LatestVersion

$MDSVERUTIL AllVersions

[Expert@MDS:0]# $MDSVERUTIL LatestVersion

VID_92
[Expert@MDS:0]#
$MDSVERUTIL CMAAddonDir

$MDSVERUTIL MDSAddonDir [-v <Version_ID>]

-v < >
$MDSVERUTIL AllVersions

[Expert@MDS:0]# $MDSVERUTIL MDSAddonDir

/opt/CPmgmt-R55W
[Expert@MDS:0]#
 $MDSVERUTIL CMACompDir
 $MDSVERUTIL MDSVarCompDir

$MDSVERUTIL MDSCompDir -c <Name of Backward Compatibility Package>

-c <
>

ls -1 /opt/ | grep CMP

[Expert@MDS:0]# $MDSVERUTIL MDSCompDir -c CPR77CMP-R80.30

/opt/CPR77CMP-R80.30
[Expert@MDS:0]#
/opt/ $MDSDIR
$MDSVERUTIL MDSVarDir

$MDSVERUTIL MDSDir [-v <Version_ID>]

-v < >
$MDSVERUTIL AllVersions

[Expert@MDS:0]# $MDSVERUTIL MDSDir

/opt/CPmds-R80.30
[Expert@MDS:0]#

[Expert@MDS:0]# $MDSVERUTIL MDSDir -v VID_90

/opt/CPmds-R77
[Expert@MDS:0]#
$FGDIR
$MDSVERUTIL CMAFgDir

$MDSVERUTIL MDSFgDir [-v <Version_ID>]

-v < >
$MDSVERUTIL AllVersions

[Expert@MDS:0]# $MDSVERUTIL MDSFgDir

/opt/CPsuite-R80.30/fg1
[Expert@MDS:0]#

[Expert@MDS:0]# $MDSVERUTIL MDSFgDir -v VID_90

/opt/CPsuite-R77/fg1
[Expert@MDS:0]#
/opt/

$MDSVERUTIL MDSVarFwbcDir

$MDSVERUTIL MDSFwbcDir [-v <Version_ID>]

-v < >
$MDSVERUTIL AllVersions

[Expert@MDS:0]# $MDSVERUTIL MDSFwbcDir

/opt/CPEdgecmp-R80.30
[Expert@MDS:0]#

[Expert@MDS:0]# $MDSVERUTIL MDSFwbcDir -v VID_90

/opt/CPEdgecmp-R77
[Expert@MDS:0]#
/opt/ $FWDIR

 $MDSVERUTIL MDSVarFwDir


$MDSVERUTIL MDSFwDir [-v <Version_ID>]

-v < >
$MDSVERUTIL AllVersions

[Expert@MDS:0]# $MDSVERUTIL MDSFwDir

/opt/CPsuite-R80.30/fw1
[Expert@MDS:0]#

[Expert@MDS:0]# $MDSVERUTIL MDSFwDir -v VID_90

/opt/CPsuite-R77/fw1
[Expert@MDS:0]#
$MDSVERUTIL CMAIp

$MDSVERUTIL MDSIp [-v <Version_ID>]

-v < >
$MDSVERUTIL AllVersions

[Expert@MDS:0]# $MDSVERUTIL MDSIp

192.168.3.51
[Expert@MDS:0]#
$MDSVERUTIL CMAIp6

$MDSVERUTIL MDSIp6 [-v <Version_ID>]

-v < >
$MDSVERUTIL AllVersions
$EXPORTERDIR
$MDSVERUTIL CMALogExporterDir

$MDSVERUTIL MDSLogExporterDir [-v <Version_ID>]

-v < >
$MDSVERUTIL AllVersions

[Expert@MDS:0]# $MDSVERUTIL MDSLogExporterDir

/opt/CPrt-R80.30/log_exporter
[Expert@MDS:0]#

[Expert@MDS:0]# $MDSVERUTIL MDSLogExporterDir -v VID_91

/opt/CPrt-R80/
[Expert@MDS:0]#
$INDEXERDIR
$MDSVERUTIL CMALogIndexerDir

$MDSVERUTIL MDSLogIndexerDir [-v <Version_ID>]

-v < >
$MDSVERUTIL AllVersions

[Expert@MDS:0]# $MDSVERUTIL MDSLogIndexerDir

/opt/CPrt-R80.30/log_indexer
[Expert@MDS:0]#

[Expert@MDS:0]# $MDSVERUTIL MDSLogIndexerDir -v VID_91

/opt/CPrt-R80/
[Expert@MDS:0]#
$MDSVERUTIL SVNPkgName

$MDSVERUTIL MDSPkgName [-v <Version_ID>]

-v < >
$MDSVERUTIL AllVersions

[Expert@MDS:0]# $MDSVERUTIL MDSPkgName

CPmds-R80.30-00
[Expert@MDS:0]#

[Expert@MDS:0]# $MDSVERUTIL MDSPkgName -v VID_90

CPmds-R77-00
[Expert@MDS:0]#
$CPDIR/registry/
$MDSVERUTIL CMARegistryDir

$MDSVERUTIL MDSRegistryDir [-v <Version_ID>]

-v < >
$MDSVERUTIL AllVersions

[Expert@MDS:0]# $MDSVERUTIL MDSRegistryDir

/opt/CPshrd-R80.30/registry
[Expert@MDS:0]#

[Expert@MDS:0]# $MDSVERUTIL MDSRegistryDir -v VID_90

/opt/CPshrd-R77/registry
[Expert@MDS:0]#
$RTDIR
$MDSVERUTIL CMAReporterDir

$MDSVERUTIL MDSReporterDir [-v <Version_ID>]

-v < >
$MDSVERUTIL AllVersions

[Expert@MDS:0]# $MDSVERUTIL MDSReporterDir

/opt/CPrt-R80.30
[Expert@MDS:0]#

[Expert@MDS:0]# $MDSVERUTIL MDSReporterDir -v VID_91

/opt/CPrt-R80
[Expert@MDS:0]#
$SMARTLOGDIR
$MDSVERUTIL CMASmartLogDir

$MDSVERUTIL MDSSmartLogDir [-v <Version_ID>]

-v < >
$MDSVERUTIL AllVersions

[Expert@MDS:0]# $MDSVERUTIL MDSSmartLogDir

/opt/CPSmartLog-R80.30
[Expert@MDS:0]#

[Expert@MDS:0]# $MDSVERUTIL MDSSmartLogDir -v VID_91

/opt/CPSmartLog-R80
[Expert@MDS:0]#
/opt/ $CPDIR

 $MDSVERUTIL CMASvnDir
 $MDSVERUTIL MDSVarSvnDir

$MDSVERUTIL MDSSvnDir [-v <Version_ID>]

-v < >
$MDSVERUTIL AllVersions

[Expert@MDS:0]# $MDSVERUTIL MDSSvnDir

/opt/CPshrd-R80.30
[Expert@MDS:0]#

[Expert@MDS:0]# $MDSVERUTIL MDSSvnDir -v VID_91

/opt/CPshrd-R80
[Expert@MDS:0]#
/var/opt/

 $MDSVERUTIL CMACompDir
 $MDSVERUTIL MDSCompDir

$MDSVERUTIL MDSVarCompDir -c <Name of Backward Compatibility Package>

-c <
>

ls -1 /var/opt/ | grep CMP

[Expert@MDS:0]# $MDSVERUTIL MDSVarCompDir -c CPR77CMP-R80.30

/var/opt/CPR77CMP-R80.30
[Expert@MDS:0]#
/var/opt/ $MDSDIR
$MDSVERUTIL MDSDir

$MDSVERUTIL MDSVarDir [-v <Version_ID>]

-v < >
$MDSVERUTIL AllVersions

[Expert@MDS:0]# $MDSVERUTIL MDSVarDir

/var/opt/CPmds-R80.30
[Expert@MDS:0]#

[Expert@MDS:0]# $MDSVERUTIL MDSVarDir -v VID_90

/var/opt/CPmds-R77
[Expert@MDS:0]#
/var/opt/

$MDSVERUTIL MDSFwbcDir

$MDSVERUTIL MDSVarFwbcDir [-v <Version_ID>]

-v < >
$MDSVERUTIL AllVersions

[Expert@MDS:0]# $MDSVERUTIL MDSVarFwbcDir

/var/opt/CPEdgecmp-R80.30
[Expert@MDS:0]#

[Expert@MDS:0]# $MDSVERUTIL MDSVarFwbcDir -v VID_90

/var/opt/CPEdgecmp-R77
[Expert@MDS:0]#
/var/opt/ $FWDIR
$MDSVERUTIL MDSFwDir

$MDSVERUTIL MDSVarFwDir [-v <Version_ID>]

-v < >
$MDSVERUTIL AllVersions

[Expert@MDS:0]# $MDSVERUTIL MDSVarFwDir

/var/opt/CPsuite-R80.30/fw1
[Expert@MDS:0]#

[Expert@MDS:0]# $MDSVERUTIL MDSVarFwDir -v VID_90

/var/opt/CPsuite-R77/fw1
[Expert@MDS:0]#
/var/opt/ $CPDIR

 $MDSVERUTIL CMASvnDir
 $MDSVERUTIL MDSSvnDir

$MDSVERUTIL MDSVarSvnDir [-v <Version_ID>]

-v < >
$MDSVERUTIL AllVersions

[Expert@MDS:0]# $MDSVERUTIL MDSVarSvnDir

/var/opt/CPshrd-R80.30
[Expert@MDS:0]#

[Expert@MDS:0]# $MDSVERUTIL MDSVarSvnDir -v VID_90

/var/opt/CPshrd-R77
[Expert@MDS:0]#
 $MDSVERUTIL SP
 $MDSVERUTIL CpdbUpParam

$MDSVERUTIL MSP [-v <Version_ID>]

-v < >
$MDSVERUTIL AllVersions

[Expert@MDS:0]# $MDSVERUTIL MSP

9
[Expert@MDS:0]#

[Expert@MDS:0]# $MDSVERUTIL MSP -v VID_91

8
[Expert@MDS:0]#
$MDSVERUTIL ShortOfficialName

$MDSVERUTIL OfficialName [-v <Version_ID>]

-v < >
$MDSVERUTIL AllVersions

[Expert@MDS:0]# $MDSVERUTIL OfficialName

R80.20
[Expert@MDS:0]#

[Expert@MDS:0]# $MDSVERUTIL OfficialName -v VID_91

R80
[Expert@MDS:0]#

[Expert@MDS:0]# $MDSVERUTIL OfficialName -v VID_65

NGX R65
[Expert@MDS:0]#
$MDSVERUTIL OptionPack [-v <Version_ID>]

-v < >
$MDSVERUTIL AllVersions

[Expert@MDS:0]# $MDSVERUTIL OptionPack

3
[Expert@MDS:0]#

[Expert@MDS:0]# $MDSVERUTIL OptionPack -v VID_90

1
[Expert@MDS:0]#
$MDSVERUTIL ProductName [-v <Version_ID>]

-v < >
$MDSVERUTIL AllVersions

[Expert@MDS:0]# $MDSVERUTIL ProductName

Multi-Domain Security Management
[Expert@MDS:0]#

[Expert@MDS:0]# $MDSVERUTIL ProductName -v VID_65

Provider-1
[Expert@MDS:0]#
$MDSVERUTIL RegistryCurrentVer [-v <Version_ID>]

-v < >
$MDSVERUTIL AllVersions

[Expert@MDS:0]# $MDSVERUTIL RegistryCurrentVer

6.0
[Expert@MDS:0]#
$MDSVERUTIL OfficialName

$MDSVERUTIL ShortOfficialName [-v <Version_ID>]

-v < >
$MDSVERUTIL AllVersions

[Expert@MDS:0]# $MDSVERUTIL ShortOfficialName

R80.20
[Expert@MDS:0]#

[Expert@MDS:0]# ShortOfficialName -v VID_65

NGX_65
[Expert@MDS:0]#
$MDSVERUTIL SmartCenterPuvUpgradeParam [-v <Version_ID>]

-v < >
$MDSVERUTIL AllVersions

[Expert@MDS:0]# $MDSVERUTIL SmartCenterPuvUpgradeParam

R80.20
[Expert@MDS:0]#

[Expert@MDS:0]# $MDSVERUTIL SmartCenterPuvUpgradeParam -v VID_90

R77
[Expert@MDS:0]#

[Expert@MDS:0]# $MDSVERUTIL SmartCenterPuvUpgradeParam -v VID_65

NGX_R65
[Expert@MDS:0]#
 $MDSVERUTIL MSP
 $MDSVERUTIL CpdbUpParam

$MDSVERUTIL SP [-v <Version_ID>]

-v < >
$MDSVERUTIL AllVersions

[Expert@MDS:0]# $MDSVERUTIL SP
4
[Expert@MDS:0]#

[Expert@MDS:0]# $MDSVERUTIL SP -v VID_91

4
[Expert@MDS:0]#
$MDSVERUTIL MDSPkgName

$MDSVERUTIL SVNPkgName [-v <Version_ID>]

-v < >
$MDSVERUTIL AllVersions

[Expert@MDS:0]# $MDSVERUTIL SVNPkgName

CPsuite-R80.30-00
[Expert@MDS:0]#

[Expert@MDS:0]# $MDSVERUTIL SVNPkgName -v VID_90

CPsuite-R77-00
[Expert@MDS:0]#
$MDSVERUTIL SvrDirectory [-v <Version_ID>]

-v < >
$MDSVERUTIL AllVersions
$MDSVERUTIL SvrParam [-v <Version_ID>]

-v < >
$MDSVERUTIL AllVersions
 MyDomain
 MyDMS




mgmt_cli add domain name <domain_name> servers.ip address "<ipv4>" servers.name

"<server_name>" servers.multi-domain-server "<mdm_name>"
mgmt_cli
printxml

printxml

printxml fw_policies ##< >

printxml network_objects

printxml services
LSMcli [-d] <Server> <User> <Pswd> <Action>

[-d]
LSMcli [-d] < > < > < > AddROBO VPN1 < > < >
[-RoboCluster=< >] [-O=< > [-I=< >]] [[-CA=< >
[-R=< >] [-KEY=< >]]]
[-D]:< >=< >
[-< >] [-D]:...]]

AddROBO VPN1

server

user
pswd
ROBOName
Profile

OtherROBOName

-RoboCluster
ActivationKey

CaName

CertificateIdentifie
r#
AuthorizationKey
DynamicObjectName
IP1-IP2

LSMcli mySrvr name pass AddROBO VPN1 MyRobo AnyProfile -O=MyPass

-I=192.0.2.4 -DE:FirstDO=192.0.2.100
MyRobo
AnyProfile

FirstDO
LSMcli mySrvr name pass AddROBO VPN1 MyRobo AnyProfile -O=MyPass
-I=10.10.10.1 -DE:FirstDO=10.10.10.5 -CA=OPSEC_CA -R=cert1233 -KEY=ab345
LSMcli [-d] < > < > < > AddROBO VPN1Edge< > < >
< >
[-RoboCluster=< >] [-O=< >] [[-CA=< >
[-R=< >][-KEY=< >]]]
[-F=LOCAL|DEFAULT|< >]
[-M=< >] [-K=< >] [-D[E]:<D.O. name>=< >[-< >] [-D[E]:...]]

AddROBO UTM-1 Edge

server

user
pswd
RoboName
Profile

ProductType
OtherROBOName

-RoboCluster

RegistrationKey
CaName

CertificateIdentifier#
AuthorizationKey

Firmware-name
MAC

ProductKey

DO Name
E LSMcli
ModifyROBOManualVPNDomain
Ip1-Ip2

LSMcli mySrvr name pass AddROBO VPN1Edge MyRobo AnyProfile SBox-100

MyRobo
AnyProfile MyRobo
LSMcli mySrvr name pass AddROBO VPN1Edge MyRobo AnyProfile IP30 -O=AnyRegKey
-F=DEFAULT – M=00:08:AA:BB:CC:DD -K=123456-ABCDEF-ABC123
LSMcli mySrvr name pass AddROBO VPN1Edge MyRobo AnyProfile SBox-100
-F=Safe@_Safe@_3.0.23_Generic_Safe@_fcs
LSMcli [-d] < > < > < > ModifyROBO VPN1 < > [

[-P=Profile] [-RoboCluster=< >|-NoRoboCluster]

[-D:< >=< >[-< >] [-KeepDOs]...]

ModifyROBO VPN1

server

user
pswd
RoboName
Profile

OtherROBOName

-RoboCluster
-NoRoboCluster -NoRoboCluster
ModifyROBO VPN1

DO Name
IP1-IP2
-KeepDOs

LSMcli

LSMcli mySrvr name pass ModifyROBO VPN1 MyRobo -D:MyEmailServer=123.45.67.8

-D:MySpecialNet=10.10.10.1-10.10.10.6
LSMcli [-d] < > < > < > ModifyROBO VPN1Edge< >

[-P=< >] [-T=< >]

[-RoboCluster=< >|-NoRoboCluster]
[-O= RegistrationKey] [-F=LOCAL|DEFAULT|< >] [-M=< >]
[-K=< >] [-D[E]:< >=< >[-< >] [-KeepDOs]...]

ModifyROBO UTM-1 Edge

server

user
pswd
RoboName
Profile

ProductType
OtherROBOName

-RoboCluster
-NoRoboCluster -NoRoboCluster
ModifyROBO VPN1

RegistrationKey
Firmware
MAC

ProductKey

DO Name
E LSMcli
ModifyROBOManualVPNDomain.
Ip1-Ip2
-KeepDOs

LSMcli

LSMcli mySrvr name pass ModifyROBO VPN1Edge MyEdgeROBO

-P=MyNewEdgeProfile-NoRoboCluster
LSMcli [-d] < >< >< > ModifyROBOManualVPNDomain < >

-Add=< > -Delete=< ShowROBOTopology >

[-IfOverlappingIPRangesDetected=< >]

ModifyROBOManual VPN Domain

server

user

pswd

RoboName
FirstIP-LastIP
Index
IfOverlappingIPRangesDetected

LSMcli mySrvr name pass ModifyROBOManualVPNDomain MyRobo

-Add=192.0.2.1-192.0.2.20
LSMcli mySrvr name pass ModifyROBOManualVPNDomain MyRobo -Delete=1
LSMcli [-d] < > < > < > ModifyROBOTopology VPN1 < >
-VPNDomain=< >

ModifyROBOTopology VPN1

server

user
pswd
RoboName
VPNDomain

 not_defined:

ShowROBOTopology
 external_ip_only:
 topology:

 manual:
ModifyROBOManualVPNDomain

LSMcli mySrvr name pass ModifyROBOTopology VPN1 MyRobo -VPNDomain=manual

LSMcli [-d] < > < > < > ModifyROBOTopology VPN1Edge < >
[-VPNDomain=< >]

ModifyROBOTopology UTM-1 Edge

server

user
pswd
RoboName
VPNDomain

 not_defined:

ShowROBOTopology
 external_ip_only
 topology

 automatic:

 manual:

LSMcli mySrvr name pass ModifyROBOTopology VPN1Edge MyRobo -VPNDomain=manual

LSMcli [-d] < > < > < > ModifyROBOInterface VPN1 < >
< > [-i=< >] [-Netmask=< >]

[-IfOverlappingIPRangesDetected=< >]

ModifyROBOInterface VPN1

server

user

pswd

RoboName
InterfaceName
IPAddress
NetMask
IfOverlappingIPRangesDetected

LSMcli mySrvr name pass ModifyROBOInterface VPN1 MyRobo eth0 -i=192.0.2.1

-Netmask=255.255.255.0
LSMcli [-d] < > < > < > ModifyROBOInterface VPN1Edge < >
< > [-i=< >] [-NetMask=< >]
[-Enabled=< >] [-HideNAT=< >] [-DHCPEnabled=< >]
[-DHCPIpAllocation=< >|<F >|< >]
[-IfOverlappingIPRangesDetected=< >]

ModifyROBOInterface UTM-1 Edge

server

user

pswd

RoboName
InterfaceName
IPAddress
NetMask
Enabled
HideNAT

DHCPEnabled
DHCPIpAllocation

IfOverlappingIPRangesDetected

LSMcli mySrvr name pass ModifyROBOInterface VPN1Edge MyRobo DMZ -i=192.0.2.1

-Netmask=255.255.255.0 -Enabled=true -HideNAT=false -DHCPEnabled=true
-DHCPIpAllocation=automatic
LSMcli [-d] < > < > < > AddROBOInterface VPN1 < >
< >
-i=< > -NetMask=< >

AddROBOInterface VPN1

server

user
pswd
RoboName
InterfaceName
IPAddress
NetMask

LSMcli mySrvr name pass AddROBOInterface VPN1 MyRobo eth0 -i=192.0.2.1

-Netmask=255.255.255.0
LSMcli [-d] < > < > < > DeleteROBOInterface VPN1 < >
< >

DeleteROBOInterface VPN1

server

user
pswd
RoboName
InterfaceName

LSMcli mySrvr name pass DeleteROBOInterface VPN1 MyRobo eth0

LSMcli [-d] < > < > < > ResetSic < > < > [-I=< >]

ResetSic

server

user
pswd
RoboName
ActivationKey

LSMcli mySrvr name pass ResetSic MyROBO aw47q1

LSMcli mySrvr name pass ResetSic MyFixedIPROBO sp36rt1 -I=10.20.30.1
LSMcli [-d] < > < > < > ResetIke < > [-CA=< >
[-R=< >] [-KEY=< >]]

ResetIke

server

user
pswd
RoboName
CaName

CertificateIdentifier
AuthorizationKey

LSMcli mySrvr name pass ResetIke MyROBO -CA=OPSEC_CA -R=cer3452s

-KEY=ad23fgh
$FWDIR/conf/

LSMcli [-d] < > < > < > ExportIke < > < > < >

ExportIke

server

user
pswd
RoboName

Password
FileName

LSMcli mySrvr name pass ExportIke MyROBO ajg42k93N MyROBOCert.p12

LSMcli [-d] < > < > < > UpdateCO < >

UpdateCO

server

user
pswd
Cogw
CogwCluster

LSMcli mySrvr name pass UpdateCO MyCO

LSMcli [-d] < > < > < > Remove < > < >

Remove

server

user
pswd
RoboName
ID

LSMcli mySrvr name pass Remove MyRobo 0.0.0.251

LSMcli [-d] < > < > < > Show [-N=< >] [-F= nbcitvpglskd]

Show

-N

-F
n
b
c
i
t
v
p
g
l
s
k
d

LSMcli mySrvr name pass Show -N=MyRobo

LSMcli mySrvr name pass Show -F=nibtp
ModifyROBOManualVPNDomain

LSMcli [-d] < > < > < > ShowROBOTopology < >

ShowROBOTopology

server

user
pswd
RoboName

LSMcli mySrvr name pass ShowROBOTopology MyRobo

ModifyROBOConfigScript ShowROBOConfigScript

ModifyROBOConfigScript

Usage
LSMcli [-d] < >< >< > ModifyROBOConfigScript VPN1Edge < >
< >

Parameters
ModifyROBOConfigScript

server

user
pswd
RoboName
inputScriptFile

Example
LSMcli mySrvr name pass ModifyROBOConfigScript VPN1Edge MyRobo myScriptFile

Usage
LSMcli [-d] < > < > < > ShowROBOConfigScript VPN1Edge < >

Parameters
ShowROBOConfigScript

server

user
pswd
RoboName

Example
LSMcli mySrvr name pass ShowROBOConfigScript VPN1Edge MyRobo
VerifyInstall
Install
uninstall

LSMcli [-d] < > < > < > VerifyInstall < > < > < >
< > < >

VerifyInstall

server

user
pswd
RoboName
Product
Vendor
Version
SP

LSMcli mySrvr name pass VerifyInstall MyRobo firewall checkpoint NG_AI fcs
VerifyInstall

LSMcli [-d] < >< >< > Install < >< >< >< >
< >
[-P=Profile] [-boot] [-DoNotDistribute]

Install

server

user
pswd
RoboName
Product
Vendor
Version
SP
Profile

boot

-DoNotDistribute

LSMcli mySrvr name pass Install MyRobo firewall checkpoint NG_AI fcs
-P=AnyProfile -boot
ShowInfo

LSMcli [-d] < > < > < > Uninstall < > < > < > < >
< >
[-P=Profile] [-boot]

Uninstall

server

user
pswd
ROBO
Product
Vendor
Version
SP
Profile

boot

LSMcli mySrvr name pass Uninstall MyRobo firewall checkpoint NG_AI fcs -boot
LSMcli [-d] < > < > < > Distribute < > < > < >
< > < >

Distribute

server

user
pswd
RoboName
Product
Vendor
Version
SP

LSMcli mySrvr name pass Distribute MyRobo fw1 checkpoint NG_AI R54
LSMcli [-d] < > < > < > VerifyUpgrade < >

VerifyUpgrade

LSMcli mySrvr name pass VerifyUpgrade MyRobo

LSMcli [-d] < > < > < > Upgrade < > [-P=Profile] [-boot]

Upgrade

server

user
pswd
RoboName
Profile

boot

LSMcli mySrvr name pass Upgrade MyRobo -P=myprofile -boot

ShowInfo

LSMcli [-d] < > < > < > GetInfo < >

GetInfo

server

user
pswd
RoboName

LSMcli mySrvr name pass GetInfo MyRobo

GetInfo

LSMcli [-d] < > < > < > ShowInfo < >

ShowInfo

server

user
pswd
VPN1EdgeRoboName

LSMcli mySrvr name pass ShowInfo MyRobo

LSMcli [-d] < > < > < > ShowRepository
CPRID CPRID

LSMcli [-d] < > < > < > Stop < >

Stop

server

user
pswd

Robo Gateway

LSMcli mySrvr name pass Stop MyRobo

CPRID CPRID

LSMcli [-d] < > < > < > Start < >

Start

server

user
pswd

Robo Gateway

LSMcli mySrvr name pass Start MyRobo

CPRID CPRID

LSMcli [-d] < > < > < > Restart < >

Restart

server

user
pswd

Robo Gateway

LSMcli mySrvr name pass Restart MyRobo

CPRID CPRID

LSMcli [-d] < > < > < > Reboot < >

Reboot

server

user
pswd

Robo Gateway

LSMcli mySrvr name pass Reboot MyRobo

CPRID
CPRID

LSMcli [-d] < > < > < > PushPolicy < >

PushPolicy

server

user
pswd

Robo Gateway

LSMcli mySrvr name pass PushPolicy MyRobo

PushPolicy

LSMcli [-d] < > < > < > PushDOs < >

PushDOs

server

user
pswd
RoboName

LSMcli mySrvr name pass PushDOs MyRobo

LSMcli [-d] < > < > < > GetStatus < >

GetStatus

server

user
pswd

Robo Gateway

LSMcli mySrvr name pass GetStatus MyRobo

LSMcli [-d] < > < > < > Convert ROBO VPN1 < > [-CO] [-Force]

Convert ROBO VPN1

server

user
pswd
Name
CO
Force

LSMenabler –r off

LSMenabler on

LSMcli mySrvr name pass Convert ROBO VPN1 MyRobo –CO

LSMcli mySrvr name pass Convert ROBO VPN1 MyRobo -Force
LSMcli [-d] < > < > < > Convert Gateway VPN1 < > < >
[< > [-I=INT]
[-D=DMZ] [-A=AUX]] [-NoRestart] [-Force]

Convert VPN Gateway

server

user
pswd
Name
Profile

EXT
INT
DMZ
AUX
NoRestart

Force

LSMenabler –r on

LSMcli mySrvr name pass Convert Gateway VPN1 MyGW MyProfile –E=hme0 –I=hme1
–D=hme2 -Force
LSMcli [-d] < > < > < > Convert ROBO VPN1Edge < >

Convert ROBO UTM-1 Edge

server

user
pswd
Name

LSMcli mySrvr name pass Convert ROBO VPN1Edge MyRobo

LSMcli [-d] < > < > < > Convert Gateway VPN1Edge < > < >

Convert Gateway UTM-1 Edge

server

user
pswd
Name
Profile

LSMcli mySrvr name pass Convert Gateway VPN1Edge MyRobo MyProfile

LSMcli

LSMcli [-d] <server> <user> <pswd> <action>







AddROBO VPN1Cluster
AddROBO
VPN1Cluster
< >

AddROBO VPN1Cluster <Profile> < > < >

[-S=< >]
[-CA=< > [-R=< >] [-KEY=< >]]

Profile

MainIPAddress
SuffixName

SubstitutedName
Part
CAName

KeyIdentifier#

AuthorizationCode

ModifyROBO VPN1Cluster
ModifyROBO VPN1Cluster
< >
ModifyROBO VPN1Cluster < > -I=< >
< >
< >

ModifyROBO VPN1Cluster
< >

ModifyROBO VPN1Cluster < > -D:<D.O. Name>=< >

< >
<D.O. Name>
< > i

ModifyROBO VPN1Cluster
< >

ModifyROBOTopology VPN1Cluster < >

-VPNDomain=< >
ModifyROBOTopology VPN1
ModifyROBOManualVPNDomain

< >

ModifyROBONetaccess
VPN1Cluster
< >

ModifyROBONetaccess VPN1Cluster < > < >

-Mode=< >
[-TopologyType=< >]
[-DMZAccess=< >]
[-InternalIP=< > [-AllowedGroup=< >]]
[-AntiSpoof=< >
[-AllowedGroup=< >][-SpoofTrack=< >]]

ClusterName
InterfaceName

-Mode by_profile override

-TopologyType
-TopologyType external internal

-DMZAccess true false

-InternalIP not_defined
this specific

-AntiSpoof true
AllowedGroup SpoofTrack
false
-AllowedGroup TopologyType=external AllowedGroup

TopologyType=internal AllowedGroup

-SpoofTrack none log alert

<action>
< >ClusterSubnetOverride VPN1Cluster < >
< > [-IName=< >] [-MNet=< >]
[-CIP=< > -CNetMask=< >]

ModifyClusterSubnetOverride

AddClusterSubnetOverride
DeleteClusterSubnetOverride

PrivateSubnetOverride

Add|Modify|Delete
ROBOClusterName
InterfaceName

-IName

-MNet

-CIP
-CNetMask ClusterIPAddress
< >
<Add|Modify|Delete>PrivateSubnetOverride VPN1ClusterMember
< > < > [-IName=< >]
[-MNet=< >]

ModifyPrivateSubnetOverride

AddPrivateSubnetOverride
DeletePrivateSubnetOverride

Add|Modify|Delete
ROBOMemberName
InterfaceName
-IName

-MNet

< >
RemoveCluster < >
LSMcli [-d] < >< >< > AddROBO < > < >
[-O=< > [-I=< >]] [[-CA=< >
[-R=< >] [-KEY=< >]]

server

user
pswd
Appliance_Model

 CPSG80
 1200R
 1430/1450
 1470/1490
ROBOName
Profile

ActivationKey

CaName

CertificateIdentifie
r#
AuthorizationKey

 LSMcli 192.168.3.26 aa aaaa AddROBO

CPSG80 Paris_GW small_office_profile
 LSMcli 192.168.3.26 aa aaaa
AddROBO 1470/1490 Paris_GW small_office_profile
AddROBO Cluster < > < > < >
[-S=< >]
[-CA=< > [-R=< >] [-KEY=< >]]

<Appliance_Model>Cluster

 CPSG80Cluster
 1200RCluster

1430/1450Cluster

1470/1490Cluster
Profile

MainIPAddress
SuffixName

SubstitutedName
Part

CAName

KeyIdentifier#

AuthorizationCode

LSMcli 192.168.3.26 aa aaaa AddRobo 1430/1450Cluster

cluster_profile 1.1.1.1 Paris


LSMcli 192.168.3.26 aa aaaa ModifyROBO CPSG80 Paris_GW
-P=second_small_office_profile

LSMcli 192.168.3.26 aa aaaa ModifyROBO CPSG80 Paris_GW
-P=second_small_office_profile






 cpstat -f policy fw
InitialPolicy


 $FWDIR/state/__tmp/FW1/
 $FWDIR/state/local/FW1/
 $FWDIR/state/< >/FW1/

 control_bootsec
 fwboot bootconf
 fw defaultgen
 fwboot default

[Expert@HostName:0]# $FWDIR/bin/comp_init_policy [-u | -U]

[Expert@HostName:0]# $FWDIR/bin/comp_init_policy [-g | -G]
-u
-U
$CPDIR/registry/HKLM_registry.data
$FWDIR/state/local/FW1/
-g
-G
$CPDIR/registry/HKLM_registry.data
$FWDIR/state/local/FW1/

$FWDIR/state/local/FW1/

cpstart fw
fetch localhost
comp_init_policy -g

 comp_init_policy -g
fw fetch localhost
 comp_init_policy -g
cpstart
 comp_init_policy -g
reboot

[Expert@GW:0]# cd $FWDIR/state/local/FW1/
[Expert@GW:0]#

[Expert@GW:0]# pwd
/opt/CPsuite-R80.30/fw1/state/local/FW1
[Expert@GW:0]#

[Expert@GW:0]# ls -l
total 7744
-rw-r--r-- 1 admin root 20166 Jun 13 16:34 install_policy_report.txt
-rw-r--r-- 1 admin root 55 Jun 13 16:34 install_policy_report_timing.txt
-rw-r--r-- 1 admin root 37355 Jun 13 16:34 local.Sandbox-persistence.xml
-rw-r--r-- 1 admin root 3 Jun 13 16:34 local.ad_query_profiles
-rw-r--r-- 1 admin root 309 Jun 13 16:34 local.adlog.networks.exclude
-rw-r--r-- 1 admin root 148 Jun 13 16:34 local.adlog.users.exclude
-rw-r--r-- 1 admin root 3 Jun 13 16:34 local.allowed_clients_objects
-rw-r--r-- 1 admin root 8236 Jun 13 16:34 local.appfw_misc
-rw-r--r-- 1 admin root 4706 Jun 13 16:34 local.cluster_member
-rw-r--r-- 1 admin root 7889 Jun 13 16:34 local.connectra_global_properties
-rw-r--r-- 1 admin root 514 Jun 13 16:34 local.connectra_policy
-rw-r--r-- 1 admin root 603 Jun 13 16:34 local.cpmi_file
-rw-r--r-- 1 admin root 8 Jun 13 16:34 local.ctlver
-rw-r--r-- 1 admin root 680 Jun 13 16:34 local.current_recovery.profile
-rw-r--r-- 1 admin root 1054 Jun 13 16:34 local.data_awareness_settings
-rw-r--r-- 1 admin root 31202 Jun 13 16:34 local.data_files
-rw-r--r-- 1 admin root 33104 Jun 13 16:34 local.db
-rw-r--r-- 1 admin root 26763 Jun 13 16:34 local.dcerpc_service
-rw-r--r-- 1 admin root 0 Jun 13 16:34 local.device_settings_transactions
-rw-r--r-- 1 admin root 4 Jun 13 16:34 local.domain_objects_for_web_applications
-rw-r--r-- 1 admin root 3409 Jun 13 16:34 local.dynobj
-rw-r--r-- 1 admin root 6876 Jun 13 16:34 local.embedded_applications
-rw-r--r-- 1 admin root 966 Jun 13 16:34 local.eps_notify.html
-rw-r--r-- 1 admin root 1667 Jun 13 16:34 local.eps_notify.mail
-rw-r--r-- 1 admin root 717137 Jun 13 16:34 local.fc
-rw-r--r-- 1 admin root 784436 Jun 13 16:34 local.fc6
-rw-r--r-- 1 admin root 737 Jun 13 16:34 local.fileslist
-rw-r--r-- 1 admin root 216819 Jun 13 16:34 local.ft
-rw-r--r-- 1 admin root 216651 Jun 13 16:34 local.ft6
-rw-r--r-- 1 admin root 4789 Jun 13 16:34 local.fwrl.conf
-rw-r--r-- 1 admin root 3025 Jun 13 16:34 local.gateway_cluster
-rw-r--r-- 1 admin root 706 Jun 13 16:34 local.gateway_general_properties
-rw-r--r-- 1 admin root 617 Jun 13 16:34 local.global_preferences
-rw-r--r-- 1 admin root 8207 Jun 13 16:34 local.icmp_service
-rw-r--r-- 1 admin root 16003 Jun 13 16:34 local.icmpv6_service
-rw-r--r-- 1 admin root 211440 Jun 13 16:34 local.ics_configuration
-rw-r--r-- 1 admin root 633 Jun 13 16:34 local.identity_awareness_custom_settings
-rw-r--r-- 1 admin root 3 Jun 13 16:34 local.identity_roles
-rw-r--r-- 1 admin root 11 Jun 13 16:34 local.ifs
-rw-r--r-- 1 admin root 31618 Jun 13 16:34 local.implied_rules
-rw-r--r-- 1 admin root 833 Jun 13 16:34 local.inspect.lf
-rw-r--r-- 1 admin root 596 Jun 13 16:34 local.intranet_community
-rw-r--r-- 1 admin root 2 Jun 13 16:34 local.ips_enhance
-rw-r--r-- 1 admin root 2 Jun 13 16:34 local.ips_granular_contexts
-rw-r--r-- 1 admin root 8123 Jun 13 16:34 local.languages
-rw-r--r-- 1 admin root 10286 Jun 13 16:34 local.lg
-rw-r--r-- 1 admin root 10286 Jun 13 16:34 local.lg6
-rw-r--r-- 1 admin root 39 Jun 13 16:34 local.logo_directory_content.conf
-rw-r--r-- 1 admin root 41030 Jun 13 16:34 local.magic
-rw-r--r-- 1 admin root 878700 Jun 13 16:34 local.magic.mgc
-rw-r--r-- 1 admin root 3 Jun 13 16:34 local.mail_servers
-rw-r--r-- 1 admin root 35 Jun 13 16:34 local.mgmt_dhcp_data
-rw-r--r-- 1 admin root 10958 Jun 13 16:34 local.mobile_profiles
-rw-r--r-- 1 admin root 1389 Jun 13 16:34 local.mobile_profiles_rulebase
-rw-r--r-- 1 admin root 101 Jun 13 16:34 local.mv_tag
-rw-r--r-- 1 admin root 2230 Jun 13 16:34 local.nac_agents
-rw-r--r-- 1 admin root 2267 Jun 13 16:34 local.network_applications
-rw-r--r-- 1 admin root 558756 Jun 13 16:34 local.objects
-rw-r--r-- 1 admin root 2951 Jun 13 16:34 local.other_service
-rw-r--r-- 1 admin root 630 Jun 13 16:34 local.policy
-rw-r--r-- 1 admin root 42336 Jun 13 16:34 local.policy.xml
-rw-r--r-- 1 admin root 5304 Jun 13 16:34 local.products_updates
-rw-r--r-- 1 admin root 5749 Jun 13 16:34 local.rad_services
-rw-r--r-- 1 admin root 11419 Jun 13 16:34 local.realm_objects
-rw-r--r-- 1 admin root 20590 Jun 13 16:34 local.realms
-rw-r--r-- 1 admin root 5767 Jun 13 16:34 local.remote_access_clients_objects
-rw-r--r-- 1 admin root 11389 Jun 13 16:34 local.rpc_service
-rw-r--r-- 1 admin root 7280 Jun 13 16:34 local.rule
-rw-r--r-- 1 admin root 3 Jun 13 16:34 local.rule_adtr
-rw-r--r-- 1 admin root 924 Jun 13 16:34 local.rulebase
-rw-r--r-- 1 admin root 6329 Jun 13 16:34 local.rulebase_tracks
-rw-r--r-- 1 admin root 0 Jun 13 16:34 local.sdopts.rec
-rw-r--r-- 1 admin root 0 Jun 13 16:34 local.securid
-rw-r--r-- 1 admin root 1643 Jun 13 16:34 local.service_group
-rw-r--r-- 1 admin root 362239 Jun 13 16:34 local.set
-rw-r--r-- 1 admin root 140 Jun 13 16:34 local.sic_name
-rw-r--r-- 1 admin root 590 Jun 13 16:34 local.sr_community
-rw-r--r-- 1 admin root 3 Jun 13 16:34 local.ssl_certificates
-rw-r--r-- 1 admin root 949165 Jun 13 16:34 local.ssl_inspection
-rw-r--r-- 1 admin root 4 Jun 13 16:34 local.sso_groups
-rw-r--r-- 1 admin root 1004 Jun 13 16:34 local.str
-rw-r--r-- 1 admin root 1004 Jun 13 16:34 local.str6
-rw-r--r-- 1 admin root 152350 Jun 13 16:34 local.tcp_protocol
-rw-r--r-- 1 admin root 304987 Jun 13 16:34 local.tcp_service
-rw-r--r-- 1 admin root 48337 Jun 13 16:34 local.thresholds.conf
-rw-r--r-- 1 admin root 887 Jun 13 16:34 local.track
-rw-r--r-- 1 admin root 36327 Jun 13 16:34 local.udp_protocol
-rw-r--r-- 1 admin root 125679 Jun 13 16:34 local.udp_service
-rw-r--r-- 1 admin root 1452032 Jun 13 16:34 local.upDB.sqlite
-rw-r--r-- 1 admin root 80512 Jun 13 16:34 local.user_check_interactions.C.converted
-rw-r--r-- 1 admin root 0 Jun 13 16:34 local.userdef
-rw-r--r-- 1 admin root 6240 Jun 13 16:34 local.vs_cluster_member
-rw-r--r-- 1 admin root 4547 Jun 13 16:34 local.vs_cluster_netobj
-rw-r--r-- 1 admin root 3118 Jun 13 16:34 local.vsx_cluster_member
-rw-r--r-- 1 admin root 2278 Jun 13 16:34 local.vsx_cluster_netobj
-rw-r--r-- 1 admin root 5172 Jun 13 16:34 local.{939922F7-DF98-4988-B776-B70B9B8340F3}
-rw-r--r-- 1 admin root 10328 Jun 13 16:34 local.{B9D14722-3936-4B33-814B-F87EA4062BEB}
-rw-r----- 1 admin root 14743 Jun 13 16:34 manifest.C
-rw-r--r-- 1 admin root 7381 Jun 13 16:34 policy.info
-rw-r--r-- 1 admin root 2736 Jun 13 16:34 policy.map
-rw-r--r-- 1 admin root 51 Jun 13 16:34 sig.map
[Expert@GW:0]#

[Expert@GW:0]# comp_init_policy -u
erasing local state..
[Expert@GW:0]#

[Expert@GW:0]# ls -l
total 0
[Expert@GW:0]#

[Expert@GW:0]# comp_init_policy -g
initial_module:
Compiled OK.
initial_module:
Compiled OK.
[Expert@GW:0]#

[Expert@GW:0]# ls -l
total 56
-rw-rw---- 1 admin root 8 Jul 19 19:51 local.ctlver
-rw-rw---- 1 admin root 4514 Jul 19 19:51 local.fc
-rw-rw---- 1 admin root 4721 Jul 19 19:51 local.fc6
-rw-rw---- 1 admin root 235 Jul 19 19:51 local.ft
-rw-rw---- 1 admin root 317 Jul 19 19:51 local.ft6
-rw-rw---- 1 admin root 135 Jul 19 19:51 local.fwrl.conf
-rw-rw---- 1 admin root 14 Jul 19 19:51 local.ifs
-rw-rw---- 1 admin root 833 Jul 19 19:51 local.inspect.lf
-rw-rw---- 1 admin root 243 Jul 19 19:51 local.lg
-rw-rw---- 1 admin root 243 Jul 19 19:51 local.lg6
-rw-rw---- 1 admin root 0 Jul 19 19:51 local.magic
-rw-rw---- 1 admin root 3 Jul 19 19:51 local.set
-rw-rw---- 1 admin root 51 Jul 19 19:51 sig.map
[Expert@GW:0]#
defaultfilter
InitialPolicy

 comp_init_policy
 fwboot bootconf
 fw defaultgen
 fwboot default

[Expert@GW:0]# $FWDIR/bin/control_bootsec [-g | -G]

[Expert@GW:0]# $FWDIR/bin/control_bootsec {-r | -R}




-g $FWDIR/boot/fwboot bootconf set_def

-G $FWDIR/boot/default.bin
$FWDIR/boot/boot.conf
DEFAULT_FILTER_PATH
/etc/fw.boot/default.bin
$FWDIR/bin/comp_init_policy -g

$CPDIR/registry/HKLM_registry.data
$FWDIR/state/local/FW1/
-r
-R $FWDIR/boot/fwboot bootconf set_def

$FWDIR/boot/boot.conf DEFAULT_FILTER_PATH
0
$FWDIR/bin/comp_init_policy -u

$CPDIR/registry/HKLM_registry.data

$FWDIR/state/local/FW1/

[Expert@GW:0]# cd $FWDIR/state/local/FW1/
[Expert@GW:0]#

[Expert@GW:0]# pwd
/opt/CPsuite-R80.30/fw1/state/local/FW1
[Expert@GW:0]#

[Expert@GW:0]# ls -l
total 7736
-rw-rw---- 1 admin root 11085 Jul 19 20:16 install_policy_report.txt
-rw-rw---- 1 admin root 56 Jul 19 20:16 install_policy_report_timing.txt
-rw-rw---- 1 admin root 37355 Jul 19 20:16 local.Sandbox-persistence.xml
-rw-rw---- 1 admin root 3 Jul 19 20:16 local.ad_query_profiles
... ... ...
-rw-r----- 1 admin root 14743 Jul 19 20:16 manifest.C
-rw-rw---- 1 admin root 7381 Jul 19 20:16 policy.info
-rw-rw---- 1 admin root 2736 Jul 19 20:16 policy.map
-rw-rw---- 1 admin root 51 Jul 19 20:16 sig.map
[Expert@GW:0]#

[Expert@GW:0]# $FWDIR/bin/control_bootsec -r
Disabling boot security
FW-1 will not load a default filter on boot
[Expert@GW:0]#

[Expert@GW:0]# cat $FWDIR/boot/boot.conf

CTL_IPFORWARDING 1
DEFAULT_FILTER_PATH 0
KERN_INSTANCE_NUM 3
COREXL_INSTALLED 1
KERN6_INSTANCE_NUM 2
IPV6_INSTALLED 0
CORE_OVERRIDE 4
[Expert@GW:0]#

[Expert@GW:0]# grep InitialPolicySafe $CPDIR/registry/HKLM_registry.data

:InitialPolicySafe (true)
[Expert@GW:0]#

[Expert@GW:0]# ls -l
total 0
[Expert@GW:0]#

[Expert@GW:0]# cd $FWDIR/state/local/FW1/
[Expert@GW:0]#

[Expert@GW:0]# pwd
/opt/CPsuite-R80.30/fw1/state/local/FW1
[Expert@GW:0]#

[Expert@GW:0]# control_bootsec -g
Enabling boot security
[Expert@GW:0]#

[Expert@GW:0]# cat $FWDIR/boot/boot.conf

CTL_IPFORWARDING 1
DEFAULT_FILTER_PATH /opt/CPsuite-R80.30/fw1/boot/default.bin
KERN_INSTANCE_NUM 3
COREXL_INSTALLED 1
KERN6_INSTANCE_NUM 2
IPV6_INSTALLED 0
CORE_OVERRIDE 4
[Expert@GW:0]#

[Expert@GW:0]# grep InitialPolicySafe $CPDIR/registry/HKLM_registry.data

[Expert@GW:0]#

[Expert@GW:0]# ls -l
total 56
-rw-rw---- 1 admin root 8 Jul 19 20:22 local.ctlver
-rw-rw---- 1 admin root 4514 Jul 19 20:22 local.fc
-rw-rw---- 1 admin root 4721 Jul 19 20:22 local.fc6
-rw-rw---- 1 admin root 235 Jul 19 20:22 local.ft
-rw-rw---- 1 admin root 317 Jul 19 20:22 local.ft6
-rw-rw---- 1 admin root 135 Jul 19 20:22 local.fwrl.conf
-rw-rw---- 1 admin root 14 Jul 19 20:22 local.ifs
-rw-rw---- 1 admin root 833 Jul 19 20:22 local.inspect.lf
-rw-rw---- 1 admin root 243 Jul 19 20:22 local.lg
-rw-rw---- 1 admin root 243 Jul 19 20:22 local.lg6
-rw-rw---- 1 admin root 0 Jul 19 20:22 local.magic
-rw-rw---- 1 admin root 3 Jul 19 20:22 local.set
-rw-rw---- 1 admin root 51 Jul 19 20:22 sig.map
[Expert@GW:0]#
cp_conf
-h
adv_routing <options>
auto <options>
corexl <options>
fullha <options>
ha <options>
intfs <options>
lic <options>
sic <options>
snmp <options>

-h

adv_routing < >

auto < >

corexl < >

fullha < >

ha < >

intfs < >

lic < >

sic < >
snmp < >
cpconfig

cp_conf auto
-h
{enable | disable} <Product1> <Product2> ...
get all

-h
{enable | disable}
< > < > ...

get all





[Expert@MGMT:0]# cp_conf auto get all

Check Point Security Gateway is not installed

QoS is not installed

The SmartEvent Suite will start automatically at boot time.

[Expert@MGMT:0]#

[Expert@MyGW:0]# cp_conf auto get all

The Check Point Security Gateway will start automatically at boot time.

QoS will start automatically at boot time.

SmartEvent Suite is not installed

[Expert@MyGW:0]#

cpconfig



 n k
cp_conf corexl [-v] enable [n] [-6 k]


cp_conf corexl [-v] disable

fwboot corexl

-v vmalloc
n
k

KERN_INSTANCE_NUM = 2

[Expert@MyGW:0]# fw ctl multik stat

ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 2 | 7 | 28
1 | Yes | 1 | 0 | 11
[Expert@MyGW:0]#
[Expert@MyGW:0]# cat /etc/fw.boot/boot.conf
CTL_IPFORWARDING 1
DEFAULT_FILTER_PATH 0
KERN_INSTANCE_NUM 2
COREXL_INSTALLED 1
KERN6_INSTANCE_NUM 2
IPV6_INSTALLED 0
CORE_OVERRIDE 4
[Expert@MyGW:0]#
[Expert@MyGW:0]# cp_conf corexl -v enable 3
[Expert@MyGW:0]#
[Expert@MyGW:0]# cat /etc/fw.boot/boot.conf
CTL_IPFORWARDING 1
DEFAULT_FILTER_PATH 0
KERN_INSTANCE_NUM 3
COREXL_INSTALLED 1
KERN6_INSTANCE_NUM 2
IPV6_INSTALLED 0
CORE_OVERRIDE 4
[Expert@MyGW:0]#
[Expert@MyGW:0]# reboot
.. ... ...
[Expert@MyGW:0]# fw ctl multik stat
ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 3 | 7 | 28
1 | Yes | 2 | 0 | 11
2 | Yes | 1 | 4 | 10
[Expert@MyGW:0]#





cp_conf fullha
enable
del_peer
disable
state

enable
del_peer
disable
state

[Expert@Cluster_Member:0]# cp_conf fullha state

FullHA is currently enabled
[Expert@Cluster_Member:0]#
cpconfig

cp_conf ha {enable | disable} [norestart]

enable

cpconfig
disable

cpconfig
norestart

[Expert@MyGW:0]# cp_conf ha enable norestart

Cluster membership for this gateway was enabled successfully

Important: This change will take effect after reboot.

[Expert@MyGW:0]#

[Expert@MyGW:0]# cp_conf ha disable norestart

cpwd_admin:
Process CPHAMCSET process has been already terminated

Cluster membership for this gateway was disabled successfully

Important: This change will take effect after reboot.

[Expert@MyGW:0]#
cp_conf intfs
get
set
auxiliary <Name of Interface>
DMZ <Name of Interface>
external <Name of Interface>
internal <Name of Interface>

get
set
 auxiliary
 DMZ
 external
 internal
cpconfig

cp_conf lic
-h
add -f <Full Path to License File>
add -m <Host> <Date> <Signature Key> <SKU/Features>
del <Signature Key>
get [-x]

-h

add -f <
>
cplic db_add
add -m < > < >
< >
< > cplic db_add
del < >
cplic del
get [-x]
-x

cplic print [-x]

[Expert@HostName:0]# cp_conf lic add -f ~/License.lic

License was installed successfully.
[Expert@HostName:0]#

[Expert@HostName:0]# cp_conf lic get

Host Expiration Signature Features
192.168.3.28 25Aug2017 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx CPMP-XXX
[Expert@HostName:0]#

[Expert@HostName:0]# cp_conf lic add -m MGMT2 25Aug2017 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx CPMP-XXX

License was successfully installed
[Expert@HostName:0]#

[Expert@HostName:0]# cp_conf lic get

Host Expiration Signature Features
192.168.3.28 25Aug2017 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx CPMP-XXX
[Expert@HostName:0]#
cpconfig

cp_conf
-h
sic
cert_pull <Management Server> <DAIP GW object>
init <Activation Key> [norestart]
state

-h
cert_pull <Management
Server> <DAIP GW object>

init < >

[norestart]

state

[Expert@MyGW:0]# cp_conf sic state

Trust State: Trust established

[Expert@MyGW:0]#
cpconfig
[Expert@MySingleGW:0]# cpconfig
This program will let you re-configure
your Check Point products configuration.

Configuration Options:
----------------------
(1) Licenses and contracts
(2) SNMP Extension
(3) PKCS#11 Token
(4) Random Pool
(5) Secure Internal Communication
(6) Enable cluster membership for this gateway
(7) Check Point CoreXL
(8) Automatic start of Check Point Products
(9) Exit

Enter your choice (1-9) :

[Expert@MyClusterMember:0]# cpconfig
This program will let you re-configure
your Check Point products configuration.

Configuration Options:
----------------------
(1) Licenses and contracts
(2) SNMP Extension
(3) PKCS#11 Token
(4) Random Pool
(5) Secure Internal Communication
(6) Disable cluster membership for this gateway
(7) Enable Check Point Per Virtual System State
(8) Enable Check Point ClusterXL for Bridge Active/Standby
(9) Check Point CoreXL
(10) Automatic start of Check Point Products

(11) Exit

Enter your choice (1-11) :

cplic cplic

cplic [-d]
{-h | -help}
check <options>
contract <options>
del <options>
print <options>
put <options>

-d

{-h | -help}

check < >

contract < >

del < >

print < >

put < >

cplic check {-h | -help}
cplic [-d] check [-p <Product>] [-v <Version>] [{-c | -count}] [-t <Date>] [{-r
| -routers}] [{-S | -SRusers}] <Feature>

{-h | -help}

-d

-p < >

 fw1

 mgmt
 services
 cvpn
 etm
 eps
-v < >
{-c | -count}

-t < >

{-r | -routers}
< >
{-S | -SRusers}

< >

[Expert@MGMT]# cplic print -p

[Expert@MGMT]# cplic check -p fw1 -v 6.0 -c mgmtha

cplic check 'mgmtha': 1 licenses
[Expert@MGMT]#

[Expert@GW]# cplic print -p

[Expert@MGMT]# cplic check cluster-u

cplic check 'cluster-u': license valid
[Expert@MGMT]#

[Expert@MGMT]# cplic check -c cluster-u

cplic check 'cluster-u': 9 licenses
[Expert@MGMT]#


cplic get

cplic contract -h
cplic [-d] contract
del
-h
<Service Contract ID>
put
-h
[{-o | -overwrite}] <Service Contract File>

{-h | -help}

-d

del $CPDIR/conf/cp.contract

put $CPDIR/conf/cp.contract

< >
{-o | -overwrite}

< >
cplic del {-h | -help}
cplic [-d] del [-F <Output File>] <Signature> <Object Name>

{-h | -help}
-d

-F < >
< >
cplic print -x

< >
cplic print {-h | -help}
cplic [-d] print[{-n | -noheader}] [-x] [{-t | -type}] [-F <Output File>] [{-p |
-preatures}] [-D]

{-h | -help}
-d

{-n | -noheader}
-x
{-t | -type]

-F < >
{-p | -preatures}
-D

[Expert@HostName:0]# cplic print

Host Expiration Features
192.168.3.28 25Aug2017 CPMP-XXX CK-XXXXXXXXXXXX
[Expert@HostName:0]#

[Expert@HostName:0]# cplic print -x

{-h | -help}
-d

{-o | -overwrite}

{-c | -check-only}

{-s | -select}

-F < >
{-P | -Pre-boot}

{-K | -kernel only}

-l < >
< >
< >
< >

< >

CPSUITE-EVAL-3DES-vNG
host

expiration date never

signature

SKU/features

CPSB-SWB CPSB-ADNC-M CK0123456789ab

[Expert@HostName:0]# cplic put -l License.lic

Host Expiration SKU
192.168.2.3 14Jan2016 CPSB-SWB CPSB-ADNC-M CK0123456789ab
[Expert@HostName:0]#
$CPDIR/registry/HKLM_registry.data


cpprod_util CPPROD_GetValue "<Product>" "<Parameter>" {0|1}

cpprod_util CPPROD_SetValue "<Product>" "<Parameter>" {1|4} "<Value>" {0|1}
cpprod_util -dump

CPPROD_GetValue


CPPROD_SetValue

"< >"
"< >"
"< >"



dump
$CPDIR/registry/HKLM_registry.data
RegDump

 cpprod_util
 FwIsFirewallModule
FwIsVSX FwIsStandAlone

no-parameter string-parameter integer-parameter
 status-output no-output


cpprod_util < > > < > 2>&1

[Expert@MyGW:0]# cpprod_util CPPROD_GetInstalledProducts

CPFC
IDA
MGMT
FW1
SecurePlatform
CPinfo
DIAG
PPACK
CVPN
[Expert@MyGW:0]#

[Expert@MyGW:0]# cpprod_util FwIsStandAlone

0
[Expert@MyGW:0]#

[Expert@MyGW:0]# cpprod_util FwIsHighAvail

1
[Expert@MyGW:0]#

[Expert@MyGW:0]# cpprod_util FwIsVSX

0
[Expert@MyGW:0]#

[Expert@MyGW:0]# cpprod_util FwIsFloodGate

1
[Expert@MyGW:0]#

[Expert@MyGW:0]# cpprod_util FwIsAtlasModule

0
[Expert@MyGW:0]#

[Expert@MyGW:0]# cpprod_util FwIsBridge

0
[Expert@MyGW:0]#

[Expert@MyGW:0]# cpprod_util FwIsFullHA

0
[Expert@MyGW:0]#
[Expert@MyGW:0]# cpprod_util FwIsDAG
0
[Expert@MyGW:0]#

[Expert@MyGW:0]# cpprod_util FwIsFireWallIPv6

1
[Expert@MyGW:0]#
cpstart [-fwflag {–default | -proc | -driver}]

-fwflag -default

-fwflag -proc
-fwflag -driver
cpstat [-d] [-h <Host>] [-p <Port>] [-s <SICname>] [-f <Flavor>] [-o <Polling
Interval> [-c <Count>] [-e <Period>]] <Application Flag>

-d

-h < >

< >
localhost
-p < >

-s < >

-f < >

< > cpstat

-o <
>





-c < >

cpstat os -f perf -o 2
-c < >

-o < >

 <
>
 <
>
 <
>
 <
>
cpstat os -f perf -o 2 -c 2
-e < >

-o < >

-c < >
cpstat os -f perf -o 2 -c 2 -e 60
< >

 ca
 mg

[Expert@MyGW:0]# cpstat -f interfaces fw

[Expert@MyGW:0]#

[Expert@MyGW:0]# cpstat -f default fw

Policy name: MyGW_Policy

Install time: Wed May 23 18:14:32 2018

... ... [truncated for brevity] ... ...

[Expert@MyGW:0]#

[Expert@MyGW:0]# cpstat os -f perf -o 2 -c 2 -e 60

Total Virtual Memory (Bytes): 12417720320

[Expert@MyGW:0]#
cpstop [-fwflag {–default | -proc | -driver}]

-fwflag –default 
 defaultfilter
-fwflag -proc 


cpstart

-fwflag -driver



cpview --help
cpview_< >.cap< >
dynamic_objects


dynamic_objects -l


dynamic_objects -n <object_name> [-r <FromIP1> <ToIP2> ... [<FromIPx> <ToIPy>] -a]


dynamic_objects -o <object_name> -r <FromIP1> <ToIP2> ... [<FromIPx> <ToIPy>] -a


dynamic_objects -o <object_name> -r <FromIP1> <ToIP2> ... [<FromIPx> <ToIPy>] -d

dynamic_objects -u <object_name> [-r <FromIP1> <ToIP2> ... [<FromIPx> <ToIPy>]]


dynamic_objects -c

dynamic_objects -do <object_name>

dynamic_objects -e
< >

 dynamic_objects -n < >

-r < > < >

... [< >
< >]

192.168.2.30 192.168.2.40 192.168.2.50 192.168.2.60

-a

-c
$FWDIR/database/dynamic_objects.db
$FWDIR/conf/objects.C
-d
-do
-e
$FWDIR/database/dynamic_objects.db
-l
$FWDIR/database/dynamic_objects.db
-n
-u

dynamic_objects -n bigserver
dynamic_objects -o bigserver -r 192.168.2.30 192.168.2.40 -a

dynamic_objects -n bigserver -r 192.168.2.20 192.168.2.40 -a

dynamic_objects -u bigserver -r 192.168.2.60 192.168.2.80

cpwd

fwm fwd cpd cpm DAService java_solr

log_indexer

$CPDIR/log/cpwd.elg log

cpwd_admin

cpwd_admin list MON N

cpwd_admin list MON Y

cpwd_admin
config <options>
del <options>
detach <options>
exist
flist <options>
getpid <options>
kill
list <options>
monitor_list
start <options>
start_monitor
stop <options>
stop_monitor

config < >

del < >

detach < >

exist cpwd
flist < >
$CPDIR/tmp/cpwd_list_< >.lst
getpid < >

kill cpwd
list < >

monitor_list

start < >

start_monitor

stop < >

stop_monitor
cpstop

-h
-a
< >=<
>
< >=<
> ...
< >=<
>
-d < >
< > ... cpwd_admin config -a
< >
-p
cpwd_admin config -a

-r

default_ctx
display_ctx 
CTX

cpwd_admin list APP
PID
 CTX
 CTX
no_limit  rerun_mode=1

 


num_of_procs 

rerun_mode 



reset_startups 
 startup_counter

cpwd_admin list
#START
sleep_mode 
 


sleep_timeout
sleep_timeout  rerun_mode=1


stop_timeout 

zero_timeout  no_limit
zero_timeout


[Expert@HostName:0]# cpwd_admin config -p

[Expert@HostName:0]# cpwd_admin config -r

cpwd_admin del -name <Application Name> [-ctx <VSID>]

< >
cpwd_admin list APP

 FWM
 FWD
 CPD
 CPM
-ctx < >

[Expert@HostName:0]# cpwd_admin del -name FWD

cpwd_admin:
successful Del operation
[Expert@HostName:0]#

 cpwd_admin list

cpstart

cpwd_admin detach -name <Application Name> [-ctx <VSID>]

< >
cpwd_admin list APP

 FWM
 FWD
 CPD
 CPM
-ctx < >

[Expert@HostName:0]# cpwd_admin detach -name FWD

cpwd_admin:
successful Detach operation
[Expert@HostName:0]#
 cpwd

cpwd_admin exist

[Expert@HostName:0]# cpwd_admin exist

cpwd_admin: cpWatchDog is running
[Expert@HostName:0]#
$CPDIR/tmp/cpwd_list_<
>.lst
http://www.epochconverter.com

cpwd_admin flist [-full] [-ctx <VSID>]

-full

-ctx < >

APP
CTX
PID
STAT

 E
 T
#START
START_TIME

SLP/LIMIT sleep_timeout no_limit

cpwd_admin config
MON
cpwd_admin
 Y
 N
COMMAND

[Expert@HostName:0]# cpwd_admin flist

/opt/CPshrd-R80.30/tmp/cpwd_list_3209472813.lst
[Expert@HostName:0]#
cpwd_admin getpid -name <Application Name> [-ctx <VSID>]

< >
cpwd_admin list APP

 FWM
 FWD
 CPD
 CPM
-ctx < >

[Expert@HostName:0]# cpwd_admin getpid -name FWD

5640
[Expert@HostName:0]#
cpwd

cpstop cpstart

cpwd_admin kill
cpwd_admin list [-full] [-ctx <VSID>]

-full

-ctx < >

APP
CTX
PID
STAT

 E
 T
#START
START_TIME

SLP/LIMIT sleep_timeout no_limit

MON
cpwd_admin
 Y
 N
COMMAND

[Expert@HostName:0]# cpwd_admin list

APP CTX PID STAT #START START_TIME MON COMMAND
FWK_FORKER 0 4180 E 1 [18:14:04] 23/5/2018 N fwk_forker
FWK_WD 0 4182 E 1 [18:14:04] 23/5/2018 N fwk_wd -i 1 -i6 0
CPSICDEMUX 0 5383 E 1 [18:14:14] 23/5/2018 N cpsicdemux
CPVIEWD 0 5407 E 1 [18:14:15] 23/5/2018 N cpviewd
HISTORYD 0 5410 E 1 [18:14:15] 23/5/2018 N cpview_historyd
SXL_STATD 0 5413 E 1 [18:14:15] 23/5/2018 N sxl_statd
CPD 0 5420 E 1 [18:14:15] 23/5/2018 Y cpd
MPDAEMON 0 5436 E 1 [18:14:16] 23/5/2018 N mpdaemon
/opt/CPshrd-R80.30/log/mpdaemon.elg /opt/CPshrd-R80.30/conf/mpdaemon.conf
CI_CLEANUP 0 5626 E 1 [18:14:26] 23/5/2018 N avi_del_tmp_files
CIHS 0 5628 E 1 [18:14:26] 23/5/2018 N ci_http_server -j -f
/opt/CPsuite-R80.30/fw1/conf/cihs.conf
FWD 0 5640 E 1 [18:14:26] 23/5/2018 N fwd
RAD 0 6330 E 1 [18:14:28] 23/5/2018 N rad
DASERVICE 0 8604 E 1 [18:14:43] 23/5/2018 N DAService_script
[Expert@HostName:0]#

[Expert@HostName:0]# cpwd_admin list -full

APP CTX PID STAT #START START_TIME SLP/LIMIT MON
--------------------------------------------------------------------------------
FWK_FORKER 0 4180 E 1 [18:14:04] 23/5/2018 60/5 N
PATH = /opt/CPsuite-R80.30/fw1/bin/fwk_forker
COMMAND = fwk_forker
--------------------------------------------------------------------------------
FWK_WD 0 4182 E 1 [18:14:04] 23/5/2018 3/u N
PATH = /opt/CPsuite-R80.30/fw1/bin/fwk_wd
COMMAND = fwk_wd -i 1 -i6 0
--------------------------------------------------------------------------------
CPSICDEMUX 0 5383 E 1 [18:14:14] 23/5/2018 60/5 N
PATH = /opt/CPshrd-R80.30/bin/cpsicdemux
COMMAND = cpsicdemux
--------------------------------------------------------------------------------
CPVIEWD 0 5407 E 1 [18:14:15] 23/5/2018 60/5 N
PATH = /opt/CPshrd-R80.30/bin/cpviewd
COMMAND = cpviewd
--------------------------------------------------------------------------------
HISTORYD 0 5410 E 1 [18:14:15] 23/5/2018 60/5 N
PATH = /opt/CPshrd-R80.30/bin/cpview_historyd
COMMAND = cpview_historyd
--------------------------------------------------------------------------------
SXL_STATD 0 5413 E 1 [18:14:15] 23/5/2018 60/5 N
PATH = /opt/CPsuite-R80.30/fw1/bin/sxl_statd
COMMAND = sxl_statd
--------------------------------------------------------------------------------
CPD 0 5420 E 1 [18:14:15] 23/5/2018 60/5 Y
PATH = /opt/CPshrd-R80.30/bin/cpd
COMMAND = cpd
--------------------------------------------------------------------------------
MPDAEMON 0 5436 E 1 [18:14:16] 23/5/2018 60/5 N
PATH = /opt/CPshrd-R80.30/bin/mpdaemon
COMMAND = mpdaemon /opt/CPshrd-R80.30/log/mpdaemon.elg
/opt/CPshrd-R80.30/conf/mpdaemon.conf
--------------------------------------------------------------------------------
CI_CLEANUP 0 5626 E 1 [18:14:26] 23/5/2018 60/5 N
PATH = /opt/CPsuite-R80.30/fw1/bin/avi_del_tmp_files
COMMAND = avi_del_tmp_files
--------------------------------------------------------------------------------
CIHS 0 5628 E 1 [18:14:26] 23/5/2018 60/5 N
PATH = /opt/CPsuite-R80.30/fw1/bin/ci_http_server
COMMAND = ci_http_server -j -f /opt/CPsuite-R80.30/fw1/conf/cihs.conf
--------------------------------------------------------------------------------
FWD 0 5640 E 1 [18:14:26] 23/5/2018 60/5 N
PATH = /opt/CPsuite-R80.30/fw1/bin/fw
COMMAND = fwd
--------------------------------------------------------------------------------
RAD 0 6330 E 1 [18:14:28] 23/5/2018 60/5 N
PATH = /opt/CPsuite-R80.30/fw1///bin/rad
COMMAND = rad
--------------------------------------------------------------------------------
DASERVICE 0 8604 E 1 [18:14:43] 23/5/2018 60/5 N
PATH = /opt/CPda/bin/DAService_script
COMMAND = DAService_script
[Expert@HostName:0]#
cpwd_admin

cpwd_admin monitor_list

[Expert@HostName:0]# cpwd_admin monitor_list

-name < cpwd_admin list

> APP

 FWM
 FWD
 CPD
 CPM
-ctx < >

-path "<
>"

 $FWDIR/bin/fwm
 /opt/CPsuite-R80.30/fw1/bin/fw
 $CPDIR/bin/cpd

/opt/CPsuite-R80.30/fw1/scripts/cpm.sh"
 /opt/CPshrd-R80.30/bin/cptnl
-command "<
>"

 < >=< >

-slp_timeout sleep_timeout
< >
cpwd_admin config
-retry_limit no_limit
{< > | u} cpwd_admin config
 < >

 u
cpwd_admin

cpwd_admin start_monitor

[Expert@HostName:0]# cpwd_admin start_monitor

-name < cpwd_admin list

> APP

 FWM
 FWD
 CPD
 CPM
-ctx < >

-path "<
>"

 $FWDIR/bin/fwm
 /opt/CPsuite-R80.30/fw1/bin/fw
 $CPDIR/bin/cpd_admin
-command "<
>"

 fw kill fwm
 fw kill fwd
 cpd_admin stop
-env {inherit |
< >=< >}
 inherit

 < >=< >

cpwd_admin

cpwd_admin stop_monitor

[Expert@HostName:0]# cpwd_admin stop_monitor

cpwd_admin:
CPWD has stopped performing active monitoring on Check Point services/processes
[Expert@HostName:0]#



























fw [-d] [-i]
amw <options>
ctl <options>
defaultgen
fetch <options>
fetchlogs <options>
getifs
hastat <options>
isp_link <options>
kill <options>
lichosts <options>
log <options>
logswitch <options>
lslogs <options>
mergefiles <options>
repairlog <options>
sam <options>
sam_policy <options>
showuptables <options>
stat
tab <options>
unloadlocal
up_execute <options>
ver <options>

-d

script
-i

amw < >

ctl
defaultgen
fetch

fetchlogs $FWDIR/log/*.log*
$FWDIR/log/*.adtlog*

getifs



hastat

isp_link

kill
lichosts < >

log
$FWDIR/log/*.log $FWDIR/log/*.adtlog
logswitch
$FWDIR/log/fw.log $FWDIR/log/fw.adtlog
lslogs $FWDIR/log/*.log*
$FWDIR/log/*.adtlog*

mergefiles $FWDIR/log/*.log
$FWDIR/log/*.adtlog
monitor

repairlog
$FWDIR/log/*.log $FWDIR/log/*.adtlog

sam
sam_policy

showuptables

stat
tab < >
unloadlocal

up_execute < >

ver < >

fw fw

fw -i

fw -i <ID of CoreXL FW instance> <Command>

< >
fw ctl multik
stat
< > fw -i
 fw -i < > conntab ...
 fw -i < > ctl get ...
 fw -i < > ctl leak ...
 fw -i < > ctl pstat ...
 fw -i < > ctl set ...
 fw -i < > monitor ...
 fw -i < > tab ...

fw -i 1 tab -t connections








fw [-d] amw fetch -f [-i] [-n] [-r]

fw [-d] amw fetch -f -c [-i] [-n] [-r]


fw [-d] amw fetch [-i] [-n] [-r] <Master 1> [<Master 2> ...]


fw [-d] amw fetch local [-nu]
fw [-d] amw fetch localhost [-nu]

fw [-d] amw fetchlocal [-lu] -d <Full Path to Directory>


fw [-d] amw unload

fw -d amw ...

fw amw fetch

fw amw fetch local

fw amw fetch localhost $FWDIR/state/local/AMW/

fw amw fetchlocal
fw amw unload

-c

 -f

-f
$FWDIR/conf/masters
-i

-lu

$FWDIR/state/local/AMW/
-n

-nu
-r
< > [< > ...]








 < >

< >
< >

localhost
 < >

localhost
-d < >

[Expert@MyGW:0]# fw amw fetch local

Installing Threat Prevention policy from local
Fetching Threat Prevention policy succeeded
[Expert@MyGW:0]#
fw [-d] ctl
arp <options>
bench <options>
block <options>
chain
conn
conntab <options>
cpasstat <options>
debug <options>
get <options>
iflist
install
kdebug <options>
pstat <options>
set <options>
tcpstrstat <options>
uninstall

-d

arp < >

$FWDIR/conf/local.arp
bench < >




block < >

chain
conn
conntab < >

cpasstat < >

debug < >

dlpkstat < >

get < >

iflist


install

kdebug < >

leak < >

pstat < >
set < >

tcpstrstat < >

uninstall
$FWDIR/conf/local.arp

fw [-d] ctl arp

[-h]
[-n]

-d

-h
-n



dmesg

fw [-d] ctl bench

-h
lock
[packet | ioctl] [<Limit>]
[stop]
packet [<Limit> | stop]

-d

-h

lock
[packet | ioctl] [<Limit>]
[stop]


 packet
 ioctl
 < >

 stop
packet
[<Limit> | stop]




 < >

 stop

[Expert@MyGW:0]# dmesg -c
... ... ...
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl bench lock 5
starting to collect statistics for 5 seconds
[Expert@MyGW:0]#
[Expert@MyGW:0]# dmesg
[fw4_1];

[fw4_1];BENCHMARKER
[fw4_1];===================================
[fw4_1];Type: FW LOCK STATISTICS

[fw4_1];General info
[fw4_1];-------------
[fw4_1];TU = Time Units
[fw4_1];Calibration: number of TU in one second 2401506325
[fw4_1];Testing period in TU: 11998021084

[fw4_1];Number of samples taken: 18476

[fw4_1];Interval Name % of total cpu Total TU Average TU

Max TU sampled
[fw4_1];----------------------------------- --------------- --------- -----------
---------------

[fw4_1];lock 0 91646831 4960

4724016
[fw4_2];

[fw4_2];BENCHMARKER
[fw4_2];===================================
[fw4_2];Type: FW LOCK STATISTICS

[fw4_2];General info
[fw4_2];-------------
[fw4_2];TU = Time Units
[fw4_2];Calibration: number of TU in one second 2398783828
[fw4_2];Testing period in TU: 11999333782

[fw4_2];Number of samples taken: 8624

[fw4_0];

[fw4_2];Interval Name % of total cpu Total TU Average TU

Max TU sampled
[fw4_0];BENCHMARKER
[fw4_0];===================================
[fw4_0];Type: FW LOCK STATISTICS

[fw4_0];General info
[fw4_0];-------------
[fw4_0];TU = Time Units
[fw4_2];----------------------------------- --------------- --------- -----------
---------------

[fw4_2];lock 0 46269343 5365

2978418
[fw4_0];Calibration: number of TU in one second 2399455273
[fw4_0];Testing period in TU: 11999522911

[fw4_0];Number of samples taken: 8911

[fw4_0];Interval Name % of total cpu Total TU Average TU

Max TU sampled
[fw4_0];----------------------------------- --------------- --------- -----------
---------------

[fw4_0];lock 0 40686039 4565

2973453
[Expert@MyGW:0]#

[Expert@MyGW:0]# dmesg -c
... ... ...
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl bench packet
starting to collect statistics for 10 seconds
[Expert@MyGW:0]#
[fw4_1];

[fw4_1];BENCHMARKER
[fw4_1];===================================
[fw4_1];Type: OUTBOUND PACKETS STATISCITCS

[fw4_1];General info
[fw4_1];-------------
[fw4_1];TU = Time Units
[fw4_1];Calibration: number of TU in one second 2401506325
[fw4_1];Testing period in TU: 23998127929

[fw4_1];Number of samples taken: 3

[fw4_1];Interval Name % of total cpu Total TU Average TU

Max TU sampled
[fw4_1];----------------------------------- --------------- --------- -----------
---------------

[fw4_1];fw_filter - first chain module (out) 0 27534 9178

13695
[fw4_1];

[fw4_1];IP Options Strip (out) 0 1119 373

543
[fw4_1];

[fw4_1];TCP streaming (out) 0 16650 5550

8886
[fw4_1];

[fw4_1];passive streaming (out) 0 4137 1379

2082
[fw4_1];

[fw4_1];Stateless verifications (out) 0 2547 849

1482
[fw4_1];

[fw4_1];fw VM outbound 0 21603 7201

10692
[fw4_1];

[fw4_1];fw post VM outbound 0 14574 4858

7545
[fw4_1];

[fw4_1];QoS outbound offload chain modul 0 9051 3017

4689
[fw4_1];

[fw4_1];QoS slowpath outbound chain mod 0 95691 31897

38586
[fw4_1];
[fw4_1];fw accounting outbound 0 1080 360
456
[fw4_1];

[fw4_1];TCP streaming post VM 0 3864 1288

2070
[fw4_1];

[fw4_1];IP Options Restore (out) 0 1263 421

627
[fw4_1];

[fw4_1];BENCHMARKER
[fw4_1];===================================
[fw4_1];Type: INBOUND PACKETS STATISCITCS

[fw4_1];General info
[fw4_1];-------------
[fw4_1];TU = Time Units
[fw4_1];Calibration: number of TU in one second 2401506325
[fw4_1];Testing period in TU: 23998363528

[fw4_1];Number of samples taken: 2

[fw4_1];Interval Name % of total cpu Total TU Average TU

Max TU sampled
[fw4_1];----------------------------------- --------------- --------- -----------
---------------

[fw4_1];fw_filter - first chain module (in) 0 33612 16806

27489
[fw4_1];

[fw4_1];IP Options Strip (in) 0 981 490

732
[fw4_1];

[fw4_1];Stateless verifications (in) 0 1995 997

1416
[fw4_1];

[fw4_1];fw multik misc proto forwarding 0 17040 8520

9366
[fw4_1];

[fw4_1];fw VM inbound 0 25701 12850

16110
[fw4_1];

[fw4_1];fw SCV inbound 0 570 285

300
[fw4_1];

[fw4_1];QoS inbound offload chain module 0 2499 1249

1851
[fw4_1];

[fw4_1];fw offload inbound 0 1458 729

738
[fw4_1];

[fw4_1];fw post VM inbound 0 10275 5137

7584
[fw4_1];

[fw4_1];fw accounting inbound 0 483 241

300
[fw4_1];

[fw4_1];QoS slowpath inbound chain mod 0 64650 32325

39846
[fw4_1];

[fw4_1];passive streaming (in) 0 4272 2136

3072
[fw4_1];

[fw4_1];TCP streaming (in) 0 5577 2788

3363
[fw4_1];
[fw4_1];IP Options Restore (in) 0 441 220
312
[fw4_1];

[fw4_1];Cluster Late Correction 0 2010 1005

1038
[fw4_2];

[fw4_2];BENCHMARKER
[fw4_2];===================================
[fw4_2];Type: INBOUND PACKETS STATISCITCS

[fw4_2];General info
[fw4_2];-------------
[fw4_2];TU = Time Units
[fw4_2];Calibration: number of TU in one second 2398783828
[fw4_2];Testing period in TU: 23995572652

[fw4_2];Number of samples taken: 100

[fw4_2];Interval Name % of total cpu Total TU Average TU

Max TU sampled
[fw4_2];----------------------------------- --------------- --------- -----------
---------------

[fw4_2];fw_filter - first chain module (in) 0 1948305 19483

65454
[fw4_2];

[fw4_2];IP Options Strip (in) 0 125625 1256

64737
[fw4_2];

[fw4_2];Stateless verifications (in) 0 60024 600

1116
[fw4_2];

[fw4_2];fw multik misc proto forwarding 0 698478 6984

10260
[fw4_2];

[fw4_2];fw VM inbound 0 1885545 18855

42528
[fw4_2];

[fw4_2];fw SCV inbound 0 32229 322

984
[fw4_2];

[fw4_2];QoS inbound offload chain module 0 170295 1702

2682
[fw4_2];

[fw4_2];fw offload inbound 0 93720 937

2958
[fw4_2];

[fw4_2];fw post VM inbound 0 366336 3663

18180
[fw4_2];

[fw4_2];fw accounting inbound 0 51537 515

1182
[fw4_2];

[fw4_2];QoS slowpath inbound chain mod 0 4392585 43925

82623
[fw4_2];

[fw4_2];passive streaming (in) 0 289659 2896

5013
[fw4_2];

[fw4_2];TCP streaming (in) 0 66417 664

2766
[fw4_2];

[fw4_2];IP Options Restore (in) 0 31596 315

1215
[fw4_2];
[fw4_2];Cluster Late Correction 0 172422 1724
10737
[fw4_0];

[fw4_0];BENCHMARKER
[fw4_0];===================================
[fw4_0];Type: OUTBOUND PACKETS STATISCITCS

[fw4_0];General info
[fw4_0];-------------
[fw4_0];TU = Time Units
[fw4_0];Calibration: number of TU in one second 2399455273
[fw4_0];Testing period in TU: 23995636055

[fw4_0];Number of samples taken: 7

[fw4_0];Interval Name % of total cpu Total TU Average TU

Max TU sampled
[fw4_0];----------------------------------- --------------- --------- -----------
---------------

[fw4_0];fw_filter - first chain module (out) 0 52110 7444

30537
[fw4_0];

[fw4_0];IP Options Strip (out) 0 2496 356

1152
[fw4_0];

[fw4_0];TCP streaming (out) 0 21528 3075

9399
[fw4_0];

[fw4_0];passive streaming (out) 0 6240 891

2829
[fw4_0];

[fw4_0];Stateless verifications (out) 0 3558 508

1272
[fw4_0];

[fw4_0];fw VM outbound 0 29139 4162

13431
[fw4_0];

[fw4_0];fw post VM outbound 0 19554 2793

8079
[fw4_0];

[fw4_0];QoS outbound offload chain modul 0 12984 1854

5478
[fw4_0];

[fw4_0];QoS slowpath outbound chain mod 0 138486 19783

43347
[fw4_0];

[fw4_0];fw accounting outbound 0 1812 453

576
[fw4_0];

[fw4_0];TCP streaming post VM 0 6210 1552

2235
[fw4_0];

[fw4_0];IP Options Restore (out) 0 1839 459

762
[fw4_0];

[fw4_0];BENCHMARKER
[fw4_0];===================================
[fw4_0];Type: INBOUND PACKETS STATISCITCS

[fw4_0];General info
[fw4_0];-------------
[fw4_0];TU = Time Units
[fw4_0];Calibration: number of TU in one second 2399455273
[fw4_0];Testing period in TU: 23997573677

[fw4_0];Number of samples taken: 7

[fw4_0];Interval Name % of total cpu Total TU Average TU
Max TU sampled
[fw4_0];----------------------------------- --------------- --------- -----------
---------------

[fw4_0];fw_filter - first chain module (in) 0 23706 3386

5688
[fw4_0];

[fw4_0];IP Options Strip (in) 0 1494 213

612
[fw4_0];

[fw4_0];Stateless verifications (in) 0 2166 309

519
[fw4_0];

[fw4_0];fw multik misc proto forwarding 0 2703 386

858
[fw4_0];

[fw4_0];fw VM inbound 0 37902 5414

10083
[fw4_0];

[fw4_0];fw SCV inbound 0 999 142

279
[fw4_0];

[fw4_0];QoS inbound offload chain module 0 2328 332

621
[fw4_0];

[fw4_0];fw offload inbound 0 2400 342

777
[fw4_0];

[fw4_0];fw post VM inbound 0 11742 1677

2820
[fw4_0];

[fw4_0];fw accounting inbound 0 597 85

153
[fw4_0];

[fw4_0];QoS slowpath inbound chain mod 0 118860 16980

27087
[fw4_0];

[fw4_0];passive streaming (in) 0 4194 838

1371
[fw4_0];

[fw4_0];TCP streaming (in) 0 8826 1765

3231
[fw4_0];

[fw4_0];IP Options Restore (in) 0 405 81

99
[fw4_0];

[fw4_0];Cluster Late Correction 0 3825 765

1374
[fw4_2];

[fw4_2];BENCHMARKER
[fw4_2];===================================
[fw4_2];Type: OUTBOUND PACKETS STATISCITCS

[fw4_2];General info
[fw4_2];-------------
[fw4_2];TU = Time Units
[fw4_2];Calibration: number of TU in one second 2398783828
[fw4_2];Testing period in TU: 24000292567

[fw4_2];Number of samples taken: 1

[fw4_2];Interval Name % of total cpu Total TU Average TU

Max TU sampled
[fw4_2];----------------------------------- --------------- --------- -----------
---------------

[fw4_2];fw_filter - first chain module (out) 0 5418 5418

5418
[fw4_2];

[fw4_2];IP Options Strip (out) 0 375 375

375
[fw4_2];

[fw4_2];TCP streaming (out) 0 30435 30435

30435
[fw4_2];

[fw4_2];passive streaming (out) 0 1296 1296

1296
[fw4_2];

[fw4_2];Stateless verifications (out) 0 2508 2508

2508
[fw4_2];

[fw4_2];fw VM outbound 0 393270 393270

393270
[fw4_2];

[fw4_2];fw post VM outbound 0 9345 9345

9345
[fw4_2];

[fw4_2];QoS outbound offload chain modul 0 47829 47829

47829
[fw4_2];

[fw4_2];QoS slowpath outbound chain mod 0 10530 10530

10530
[fw4_2];

[fw4_2];fw accounting outbound 0 441 441

441
[fw4_2];

[fw4_2];TCP streaming post VM 0 1533 1533

1533
[fw4_2];

[fw4_2];IP Options Restore (out) 0 402 402

402
[Expert@MyGW:0]#
fw ctl block on

fw ctl block off

fw [-d] ctl block

off
on

-d

off
on
fw [-d] ctl chain

-d

[Expert@MyGW:0]# fw ctl chain

in chain (23):
0: -7fffffff (0000000000000000) (00000000) SecureXL inbound (sxl_in)
1: -7ffffffe (0000000000000000) (00000000) SecureXL inbound CT (sxl_ct)
2: -7f800000 (ffffffff8b6812b0) (ffffffff) IP Options Strip (in) (ipopt_strip)
3: -7d000000 (ffffffff8a96ee80) (00000003) vpn multik forward in
4: - 2000000 (ffffffff8a97d830) (00000003) vpn decrypt (vpn)
5: - 1fffffa (ffffffff8a9533a0) (00000001) l2tp inbound (l2tp)
6: - 1fffff8 (ffffffff8b67f0e0) (00000001) Stateless verifications (in) (asm)
7: - 1fffff7 (ffffffff8b67ec00) (00000001) fw multik misc proto forwarding
8: - 1fffff2 (ffffffff8a982aa0) (00000003) vpn tagging inbound (tagging)
9: - 1fffff0 (ffffffff8a983460) (00000003) vpn decrypt verify (vpn_ver)
10: 0 (ffffffff8b85a950) (00000001) fw VM inbound (fw)
11: 1 (ffffffff8a97ed70) (00000003) vpn policy inbound (vpn_pol)
12: 2 (ffffffff8b681700) (00000001) fw SCV inbound (scv)
13: 3 (ffffffff8a982130) (00000003) vpn before offload (vpn_in)
14: 4 (ffffffff8b0fa5c0) (00000003) QoS inbound offload chain module
15: 5 (ffffffff8b574730) (00000003) fw offload inbound (offload_in)
16: 10 (ffffffff8b84c9c0) (00000001) fw post VM inbound (post_vm)
17: 100000 (ffffffff8b807970) (00000001) fw accounting inbound (acct)
18: 22000000 (ffffffff8b0fbfc0) (00000003) QoS slowpath inbound chain mod (fg_sched)
19: 7f730000 (ffffffff8b3d3aa0) (00000001) passive streaming (in) (pass_str)
20: 7f750000 (ffffffff8b17dff0) (00000001) TCP streaming (in) (cpas)
21: 7f800000 (ffffffff8b681260) (ffffffff) IP Options Restore (in) (ipopt_res)
22: 7fb00000 (ffffffff8a9fe8a0) (00000001) Cluster Late Correction (ha_for)
out chain (19):
0: -7f800000 (ffffffff8b6812b0) (ffffffff) IP Options Strip (out) (ipopt_strip)
1: -78000000 (ffffffff8a96ee60) (00000003) vpn multik forward out
2: - 1ffffff (ffffffff8a97fb70) (00000003) vpn nat outbound (vpn_nat)
3: - 1fffff0 (ffffffff8b168640) (00000001) TCP streaming (out) (cpas)
4: - 1ffff50 (ffffffff8b3d3aa0) (00000001) passive streaming (out) (pass_str)
5: - 1ff0000 (ffffffff8a982aa0) (00000003) vpn tagging outbound (tagging)
6: - 1f00000 (ffffffff8b67f0e0) (00000001) Stateless verifications (out) (asm)
7: 0 (ffffffff8b85a950) (00000001) fw VM outbound (fw)
8: 10 (ffffffff8b84c9c0) (00000001) fw post VM outbound (post_vm)
9: 2000000 (ffffffff8a982900) (00000003) vpn policy outbound (vpn_pol)
10: 15000000 (ffffffff8b0fac30) (00000003) QoS outbound offload chain modul (fg_pol)
11: 1ffffff0 (ffffffff8a951790) (00000001) l2tp outbound (l2tp)
12: 20000000 (ffffffff8a978280) (00000003) vpn encrypt (vpn)
13: 21000000 (ffffffff8b0fbfc0) (00000003) QoS slowpath outbound chain mod (fg_sched)
14: 7f000000 (ffffffff8b807970) (00000001) fw accounting outbound (acct)
15: 7f700000 (ffffffff8b17cb10) (00000001) TCP streaming post VM (cpas)
16: 7f800000 (ffffffff8b681260) (ffffffff) IP Options Restore (out) (ipopt_res)
17: 7f900000 (0000000000000000) (00000000) SecureXL outbound (sxl_out)
18: 7fa00000 (0000000000000000) (00000000) SecureXL deliver (sxl_deliver)
[Expert@MyGW:0]#
fw [-d] ctl conn

-d

[Expert@MyGW:0]# fw ctl chain

Registered connections modules:
No. Name Newconn Packet End Reload Dup Type
Dup Handler
Connectivity level 0:
1: Accounting 1: Accounting 0000000000000000 0000000000000000 FFFFFFFF8B8395A0
0000000000000000 Special FFFFFFFF8B831720
2: Authentication 2: Authentication FFFFFFFF8B3150A0 0000000000000000 0000000000000000
0000000000000000 Special FFFFFFFF8B34FCC0
8: NAT 8: NAT 0000000000000000 0000000000000000 FFFFFFFF8B6D1AF0
0000000000000000 Special FFFFFFFF8B6B8410
9: RTM 9: RTM 0000000000000000 0000000000000000 0000000000000000
0000000000000000 None
10: RTM2 10: RTM2 0000000000000000 0000000000000000 FFFFFFFF8B014970
0000000000000000 None
11: SPII 11: SPII FFFFFFFF8B412060 0000000000000000 FFFFFFFF8B41AF40
FFFFFFFF8B4016A0 None
13: VPN 13: VPN FFFFFFFF8A965440 0000000000000000 FFFFFFFF8AA4CC40
0000000000000000 Special FFFFFFFF8AA60490
Connectivity level 1:
13: VPN 13: VPN 0000000000000000 0000000000000000 0000000000000000
0000000000000000 None
[Expert@MyGW:0]#
fw tab -t connections -f

fw [-d] ctl conntab

{-h | -help}
-sip=<Source IP Address in Decimal Format>
-sport=<Port Number in Decimal Format>
-dip=<Destination IP Address>
-dport=<Port Number in Decimal Format>
-proto=<Protocol Name>
-service=<Name of Service>
-rule=<Rule Number in Decimal Format>

{-h | -help}
-d

-sip=<

>
-sport=<
>

-dip=<

>
-dport=<
>
-proto=<
>




-service=< fw
> ctl conntab
-rule=< fw ctl
> conntab

[Expert@MyGW:0]# fw ctl conntab

<(inbound, src=[192.168.204.1,54201], dest=[192.168.204.40,22], TCP);
3593/3600, rule=2, tcp state=TCP_ESTABLISHED, service=ssh(481), Ifncin=1,
Ifncout=1, conn modules: Authentication, FG-1>

<(outbound, src=[192.168.204.40,59249], dest=[192.168.204.1,53], UDP); 20/40,

rule=0, service=domain-udp(335), Ifnsout=1, conn modules: Authentication, FG-1>

<(outbound, src=[192.168.204.40,37892], dest=[192.168.204.1,53], UDP); 20/40,

rule=0, service=domain-udp(335), Ifnsin=1, Ifnsout=1, conn modules:
Authentication, FG-1>
[Expert@MyGW:0]#

[Expert@MyGW:0]# fw ctl conntab -dport=22

<(inbound, src=[192.168.204.1,54201], dest=[192.168.204.40,22], TCP);
3594/3600, rule=2, tcp state=TCP_ESTABLISHED, service=ssh(481), Ifncin=1,
Ifncout=1, conn modules: Authentication, FG-1>
[Expert@MyGW:0]#

[Expert@MyGW:0]# fw ctl conntab -dport=53

<(outbound, src=[192.168.204.40,33585], dest=[192.168.204.1,53], UDP); 39/40,
rule=0, service=domain-udp(335), Ifnsout=1, conn modules: Authentication, FG-1>

<(outbound, src=[192.168.204.40,56661], dest=[192.168.204.1,53], UDP); 39/40,

rule=0, service=domain-udp(335), Ifnsin=1, Ifnsout=1, conn modules:
Authentication, FG-1>
[Expert@MyGW:0]#

[Expert@MyGW:0]# fw ctl conntab -sport=54201

<(inbound, src=[192.168.204.1,54201], dest=[192.168.204.40,22], TCP);
3600/3600, rule=2, tcp state=TCP_ESTABLISHED, service=ssh(481), Ifncin=1,
Ifncout=1, conn modules: Authentication, FG-1>
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl conntab -proto=UDP
<(outbound, src=[192.168.204.40,44966], dest=[192.168.204.1,53], UDP); 37/40,
rule=0, service=domain-udp(335), Ifnsin=1, Ifnsout=1, conn modules:
Authentication, FG-1>
[Expert@MyGW:0]#

[Expert@MyGW:0]# fw ctl conntab -proto=TCP

<(inbound, src=[192.168.204.1,54201], dest=[192.168.204.40,22], TCP);
3596/3600, rule=2, tcp state=TCP_ESTABLISHED, service=ssh(481), Ifncin=1,
Ifncout=1, conn modules: Authentication, FG-1>
[Expert@MyGW:0]#

[Expert@MyGW:0]# fw ctl conntab -service=domain-udp

<(outbound, src=[192.168.204.40,44966], dest=[192.168.204.1,53], UDP); 35/40,
rule=0, service=domain-udp(335), Ifnsin=1, Ifnsout=1, conn modules:
Authentication, FG-1>
[Expert@MyGW:0]#

[Expert@MyGW:0]# fw ctl conntab -rule=2

<(inbound, src=[192.168.204.1,54201], dest=[192.168.204.40,22], TCP);
3597/3600, rule=2, tcp state=TCP_ESTABLISHED, service=ssh(481), Ifncin=1,
Ifncout=1, conn modules: Authentication, FG-1>
[Expert@MyGW:0]#

[Expert@MyGW:0]# fw ctl conntab -dip=192.168.204.40 -dport=22 -proto=TCP

-service=ssh
<(inbound, src=[192.168.204.1,54201], dest=[192.168.204.40,22], TCP);
3599/3600, rule=2, tcp state=TCP_ESTABLISHED, service=ssh(481), Ifncin=1,
Ifncout=1, conn modules: Authentication, FG-1>
[Expert@MyGW:0]#

[Expert@MyGW:0]# fw tab -t connections -f

Formatting table's data - this might take a while...

localhost:
Date: Sep 10, 2018
11:30:56 5 N/A N/A 192.168.204.40 > N/A LogId: <max_null>; ContextNum:
<max_null>; OriginSicName: cn=cp_mgmt,o=MyGW..44jkyv; :
(+)====================================(+); Table_Name: connections; : (+);
Attributes: dynamic, id 8158, attributes: keep, sync, aggressive aging, kbufs 21
22 23 24 25 26 27 28 29 30 31 32 33 34, expires 25, refresh, , hashsize 2097152,
unlimited; LastUpdateTime: 10Sep2018 11:30:56; ProductName: VPN-1 & FireWall-1;
ProductFamily: Network;

11:30:56 5 N/A N/A 192.168.204.40 > N/A LogId: <max_null>; ContextNum:

<max_null>; OriginSicName: cn=cp_mgmt,o=MyGW..44jkyv; :
-----------------------------------(+); Direction: 1; Source: 192.168.204.40;
SPort: 54201; Dest: 192.168.204.1; DPort: 53; Protocol: udp; CPTFMT_sep: ;; Type:
131073; Rule: 0; Timeout: 335; Handler: 0; Ifncin: -1; Ifncout: -1; Ifnsin: -1;
Ifnsout: 1; Bits: 0000780000000000; Expires: 23/40; LastUpdateTime: 10Sep2018
11:30:56; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;
11:30:56 5 N/A N/A 192.168.204.40 > N/A LogId: <max_null>; ContextNum:
<max_null>; OriginSicName: cn=cp_mgmt,o=MyGW..44jkyv; :
-----------------------------------(+); Direction: 0; Source: 192.168.204.1;
SPort: 53; Dest: 192.168.204.40; DPort: 54201; Protocol: udp; CPTFMT_sep_1: ->;
Direction_1: 1; Source_1: 192.168.204.40; SPort_1: 54201; Dest_1: 192.168.204.1;
DPort_1: 53; Protocol_1: udp; FW_symval: 2054; LastUpdateTime: 10Sep2018 11:30:56;
ProductName: VPN-1 & FireWall-1; ProductFamily: Network;

11:30:56 5 N/A N/A 192.168.204.40 > N/A LogId: <max_null>; ContextNum:

<max_null>; OriginSicName: cn=cp_mgmt,o=MyGW..44jkyv; :
-----------------------------------(+); Direction: 1; Source: 192.168.204.40;
SPort: 22; Dest: 192.168.204.1; DPort: 54201; Protocol: tcp; CPTFMT_sep_1: ->;
Direction_2: 0; Source_2: 192.168.204.1; SPort_2: 54201; Dest_2: 192.168.204.40;
DPort_2: 22; Protocol_2: tcp; FW_symval: 2053; LastUpdateTime: 10Sep2018 11:30:56;
ProductName: VPN-1 & FireWall-1; ProductFamily: Network;

11:30:56 5 N/A N/A 192.168.204.40 > N/A LogId: <max_null>; ContextNum:

<max_null>; OriginSicName: cn=cp_mgmt,o=MyGW..44jkyv; :
-----------------------------------(+); Direction: 0; Source: 192.168.204.1;
SPort: 54201; Dest: 192.168.204.40; DPort: 22; Protocol: tcp; CPTFMT_sep: ;; Type:
114689; Rule: 2; Timeout: 481; Handler: 0; Ifncin: 1; Ifncout: 1; Ifnsin: -1;
Ifnsout: -1; Bits: 02007800000f9000; Expires: 3596/3600; LastUpdateTime: 10Sep2018
11:30:56; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;

11:30:56 5 N/A N/A 192.168.204.40 > N/A LogId: <max_null>; ContextNum:

<max_null>; OriginSicName: cn=cp_mgmt,o=MyGW..44jkyv; :
-----------------------------------(+); Direction: 0; Source: 192.168.204.1;
SPort: 53; Dest: 192.168.204.40; DPort: 44966; Protocol: udp; CPTFMT_sep_1: ->;
Direction_1: 1; Source_1: 192.168.204.40; SPort_1: 44966; Dest_1: 192.168.204.1;
DPort_1: 53; Protocol_1: udp; FW_symval: 2054; LastUpdateTime: 10Sep2018 11:30:56;
ProductName: VPN-1 & FireWall-1; ProductFamily: Network;

11:30:56 5 N/A N/A 192.168.204.40 > N/A LogId: <max_null>; ContextNum:

<max_null>; OriginSicName: cn=cp_mgmt,o=MyGW..44jkyv; :
-----------------------------------(+); Direction: 1; Source: 192.168.204.40;
SPort: 44966; Dest: 192.168.204.1; DPort: 53; Protocol: udp; CPTFMT_sep: ;; Type:
131073; Rule: 0; Timeout: 335; Handler: 0; Ifncin: -1; Ifncout: -1; Ifnsin: 1;
Ifnsout: 1; Bits: 0000780000000000; Expires: 23/40; LastUpdateTime: 10Sep2018
11:30:56; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;

[Expert@MyGW:0]#
fw [-d] ctl cpasstat
[-r]

-d

-r

[Expert@MyGW:0]# fw ctl cpasstat

Connections:
Connections initiated ............................ 0
Connections accepted ............................. 0
Connections established actively or passively .... 0
Connections dropped .............................. 0
Connections closed (includes drops)............... 0
Delayed acks sent ................................ 0
Connections dropped in retransmit timeout ........ 0
Connections dropped in persist timeout ........... 0
Connections dropped in keepalive timeout ......... 0
Packets:
Total packets sent ............................... 0
Data packets sent ................................ 0
Data bytes sent .................................. 0
Data packets retransmitted ....................... 0
Data bytes retransmitted ......................... 0
Fast retransmits ................................. 0
Ack-only packets sent ............................ 0
Window probes sent ............................... 0
Packets sent with URG only ....................... 0
Window update-only packets sent .................. 0
Control (SYN|FIN|RST) packets sent ............... 0
Total packets received ........................... 0
Packets received in sequence ..................... 0
Bytes received in sequence ....................... 0
Packets received with checksum errors ........... 0
Packets received with bad offset ................. 0
Packets received too short ....................... 0
Duplicate-only packets received .................. 0
Duplicate-only bytes received .................... 0
Packets with some duplicate data ................. 0
Duplicate bytes in part-duplicate packets ........ 0
Out-of-order packets received .................... 0
Out-of-order bytes received ...................... 0
Packets with data after window ................... 0
Bytes received after window ...................... 0
Packets received after connection closed ......... 0
Received window probe packets .................... 0
Received duplicate acks .......................... 0
Received acks for unsent data .................... 0
Received acks for old data ....................... 0
Received ack packets ............................. 0
Bytes acked by received acks ..................... 0
Received window update packets ................... 0
SYN packet with src==dst received ................ 0
Times header prediction correct for acks ......... 0
Times header prediction correct for data packets . 0
Defragmented packets ............................. 0
Memory:
Allocated memory in bytes ........................ 204180
Allocated skbuffs num ............................ 0
Allocated skbuffs size in bytes .................. 0
Allocated memory per connection .................. 0
Retransmissions:
Segments for which TCP tried to measure RTT ...... 0
Times RTT estimators updated ..................... 0
Timers:
Times retransmit timer expires ................... 0
Times persist timer expires ...................... 0
Times keepalive timer expires .................... 0
Keepalive probes sent ............................ 0
Drop reson:
Packets dropped for lack of memory ............... 0
Segments dropped due to PAWS ..................... 0
TCP Signatures:
Received bad or missing TCP signatures ........... 0
Received good TCP signatures ..................... 0
ECN stats:
ECN connections accepted ......................... 0
Number of received ECE ........................... 0
Number of received CWR ........................... 0
Number of received CE in IP header ............... 0
Number of ECT sent ............................... 0
Number of ECE sent ............................... 0
Number of CWR sent ............................... 0
Number of cwnd reduced by ECN .................... 0
Number of cwnd reduced by fastrecovery ........... 0
Number of cwnd reduced by timeout ................ 0
SYN cache stats:
Number of entries added .......................... 0
Number of connections completed .................. 0
Number of entries timed out ...................... 0
Number dropped due to overflow ................... 0
Number dropped due to RST ........................ 0
Number dropped due to ICMP unreach ............... 0
Number dropped due to bucket overflow ............ 0
Number of duplicate SYNs received ................ 0
Number of SYNs dropped (no route/mem) ............ 0
Number of retransmissions ........................ 0
SACK stats:
SACK recovery episodes ........................... 0
SACK retransmit segments ......................... 0
SACK retransmit bytes ............................ 0
SACK options received ............................ 0
SACK options sent ................................ 0

Applications Counters:
======================

[Expert@MyGW:0]#



fw [-d] ctl dlpkstat

[-r]

-d

-r

[Expert@MyGW:0]# fw ctl dlpkstat

=====================================
DLPK Statistics Information
=====================================
Number of emails seen ................................................ 0
Number of emails held and moved to user mode ......................... 0
Number of emails not held due to Monitor Only ........................ 0
Number of emails bypassed due to High CPU Load ....................... 0
Number of emails bypassed due to large data size limit ............... 0
Number of emails rejected due to large data size limit ............... 0
Number of emails bypassed due to internal errors ..................... 0
Number of emails rejected due to internal errors ..................... 0
Number of emails bypassed due to TLS ................................ 0
Number of HTTP POST requests ......................................... 0
Number of HTTP PUT requests .......................................... 0
Number of HTTP GET requests .......................................... 0
Number of other HTTP method requests ................................. 0
Number of HTTP POST requests held and moved to user mode ............. 0
Number of HTTP POST requests not held due to Monitor Only ............ 0
Number of HTTP POST requests bypassed due to High CPU Load ........... 0
Number of HTTP POST requests bypassed due to large data size limit ... 0
Number of HTTP POST requests bypassed due to internal errors ......... 0
Number of HTTP POST requests rejected due to large data size limit ... 0
Number of HTTP POST requests rejected due to internal errros ......... 0
User Mode Responses Statistics
===============================
Number of accepted HTTP POST requests ................................ 0
Number of rejected HTTP POST requests ................................ 0
Number of rejected HTTP POST requests with error page ................ 0
Number of failures at handling usermode result on held connection .... 0
Number of accepted emails ............................................ 0
Number of rejected emails ............................................ 0

HTTP Data passed to user mode ........................................ 0 MB + 0 bytes

SMTP Data passed to user mode ........................................ 0 MB + 0 bytes

Identity Awareness - Captive Portal

====================================
Number of HTTP requests redirected to captive portal successfully ... 0
Number of HTTP requests redirected to captive portal with error ..... 0

Identity Awareness - Fetch Users Statistics

============================================
|---------------------------------------------------------------------------|
| Category | Source | Destination |
|-----------------------------------------------+-------------+-------------|
| Total number of synchronous IA queries | 0 | 0 |
|-----------------------------------------------+-------------+-------------|
| Number of known users (Synchronous) | 0 | 0 |
|-----------------------------------------------+-------------+-------------|
| Number of unknown final (Synchronous) | 0 | 0 |
|-----------------------------------------------+-------------+-------------|
| Number of need async call (Synchronous) | 0 | 0 |
|-----------------------------------------------+-------------+-------------|
| Number of failed queries (Synchronous) | 0 | 0 |
|-----------------------------------------------+-------------+-------------|
| Total number of asynchronous IA queries | 0 | 0 |
|-----------------------------------------------+-------------+-------------|
| Number of known users (Asynchronous) | 0 | 0 |
|-----------------------------------------------+-------------+-------------|
| Number of unknown final (Asynchronous) | 0 | 0 |
|-----------------------------------------------+-------------+-------------|
| Number of timed out queries (Asynchronous)| 0 | 0 |
|-----------------------------------------------+-------------+-------------|
| Number of failed queries (Asynchronous) | 0 | 0 |
|---------------------------------------------------------------------------|

[Expert@MyGW:0]#




 $FWDIR/modules/fw_kern_64.o
 $FWDIR/modules/fw_kern_64_v6.o
 $PPKDIR/modules/sim_kern_64.o
 $PPKDIR/modules/sim_kern_64_v6.o

fw ctl set

fw [-d] ctl get

int <Name of Integer Kernel Parameter> [-a]
str <Name of String Kernel Parameter> [-a]

-d

<
>
< >
-a
$FWDIR/modules/fw_*.o
$PPKDIR/modules/sim_*.o

[Expert@MyGW:0]# fw ctl get int fw_kdprintf_limit -a

FW:
fw_kdprintf_limit = 100
SIM:
fw_kdprintf_limit = 100
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl get str fileapp_default_encoding_charset -a
FW:
fileapp_default_encoding_charset = 'UTF-8'
SIM:
Failed to get from ppak
[Expert@MyGW:0]#




ifn=2
 cpstat
 cpstat -f ifconfig os
 cpstat -f interfaces fw

fw [-d] ctl iflist

-d

[Expert@MyGW:0]# fw ctl iflist

fw ctl iflist
1 : eth0
2 : eth1
3 : eth2
4 : eth3
5 : eth4
6 : eth5
7 : eth6
8 : eth7
[Expert@MyGW:0]#
fw ctl install
cpstart

fw ctl uninstall fw ctl install

fw
fetch cpstart

fw [-d] ctl install

-d
/var/log/messages
dmesg

fw [-d] ctl leak

{-h | -help}
[{-a | -A}] [-t <Internal Object Type>] [-o <Internal Object ID>]
[-d] [-l] [-p]
[-s]

fw -d ctl leak ...

{-h | -help}
-a
-A
-A
-a
-d
-s
-l
-s
-o < >

-p
-s
-s
-d -l
-p
-t < >

 chain
 connh
 cookie
 kbuf
 num

[Expert@GW_HostName:0]# cp -v /var/log/messages{,_BKP}

[Expert@GW_HostName:0]# echo '' > /var/log/messages

[Expert@GW_HostName:0]# dmesg -c

[Expert@GW_HostName:0]# fw [-d] ctl leak < >

[Expert@GW_HostName:0]# dmesg
[Expert@GW_HostName:0]# cat /var/log/messages

[Expert@GW_HostName:0]# cp -v /var/log/messages{,_LEAK_DETECTION}

/var/log/messages_LEAK_DETECTION

[Expert@MyGW:0]# cp -v /var/log/messages{,_BKP}
`/var/log/messages' -> `/var/log/messages_BKP'
[Expert@MyGW:0]#
[Expert@MyGW:0]# echo '' > /var/log/messages
[Expert@MyGW:0]#
[Expert@MyGW:0]# dmesg -c
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl leak -s
[Expert@MyGW:0]#
[Expert@MyGW:0]# dmesg
[fw4_0];fwleak_report: type chain - 0 objects
[fw4_0];fwleak_report: type cookie - 0 objects
[fw4_0];fwleak_report: type kbuf - 0 objects
[fw4_0];fwleak_report: type connh - 0 objects
[fw4_1];fwleak_report: type chain - 0 objects
[fw4_1];fwleak_report: type cookie - 0 objects
[fw4_1];fwleak_report: type kbuf - 0 objects
[fw4_1];fwleak_report: type connh - 0 objects
[fw4_2];fwleak_report: type chain - 0 objects
[fw4_2];fwleak_report: type cookie - 0 objects
[fw4_2];fwleak_report: type kbuf - 0 objects
[fw4_2];fwleak_report: type connh - 0 objects
[Expert@MyGW:0]#
[Expert@MyGW:0]# cat /var/log/messages
Sep 12 16:09:50 2018 MyGW kernel: [fw4_0];fwleak_report: type chain - 0 objects
Sep 12 16:09:50 2018 MyGW kernel: [fw4_0];fwleak_report: type cookie - 0 objects
Sep 12 16:09:50 2018 MyGW kernel: [fw4_0];fwleak_report: type kbuf - 0 objects
Sep 12 16:09:50 2018 MyGW kernel: [fw4_0];fwleak_report: type connh - 0 objects
Sep 12 16:09:50 2018 MyGW kernel: [fw4_1];fwleak_report: type chain - 0 objects
Sep 12 16:09:50 2018 MyGW kernel: [fw4_1];fwleak_report: type cookie - 0 objects
Sep 12 16:09:50 2018 MyGW kernel: [fw4_1];fwleak_report: type kbuf - 0 objects
Sep 12 16:09:50 2018 MyGW kernel: [fw4_1];fwleak_report: type connh - 0 objects
Sep 12 16:09:50 2018 MyGW kernel: [fw4_2];fwleak_report: type chain - 0 objects
Sep 12 16:09:50 2018 MyGW kernel: [fw4_2];fwleak_report: type cookie - 0 objects
Sep 12 16:09:50 2018 MyGW kernel: [fw4_2];fwleak_report: type kbuf - 0 objects
Sep 12 16:09:50 2018 MyGW kernel: [fw4_2];fwleak_report: type connh - 0 objects
[Expert@MyGW:0]
[Expert@MyGW:0]# cp -v /var/log/messages{,_LEAK_DETECTION}
`/var/log/messages' -> `/var/log/messages_LEAK_DETECTION'
[Expert@MyGW:0]#










fw [-d] ctl pstat

[-c] [-h] [-k] [-l] [-m] [-o] [-s] [-v {4 | 6}]

-d

-c

 fwmultik_global_stats
 fwmultik_gconn_stats
 fwmultik_stats
-h
-k
-l
-m
-o
-s
-v 4 -v 4 -v 4
-v 6

[Expert@MyGW:0]# fw ctl pstat

System Capacity Summary:

Memory used: 3% (265 MB out of 7117 MB) - below watermark
Concurrent Connections: Not Available
Aggressive Aging is enabled, not active

Hash kernel memory (hmem) statistics:

Total memory allocated: 742391808 bytes in 181248 (4096 bytes) blocks using 1 pool
Total memory bytes used: 0 unused: 742391808 (100.00%) peak: 68247020
Total memory blocks used: 0 unused: 181248 (100%) peak: 17227
Allocations: 2193027 alloc, 0 failed alloc, 2154121 free

System kernel memory (smem) statistics:

Kernel memory (kmem) statistics:

Total memory bytes used: 185761552 peak: 486615148
Allocations: 2204456 alloc, 0 failed alloc
2162587 free, 0 failed free
External Allocations: 0 for packets, 7303643 for SXL

Cookies:
91808 total, 0 alloc, 0 free,
2 dup, 91808 get, 0 put,
182258 len, 909 cached len, 0 chain alloc,
0 chain free

Connections:
0 total, 0 TCP, 0 UDP, 0 ICMP,
0 other, 0 anticipated, 0 recovered, -3 concurrent,
0 peak concurrent

Fragments:
0 fragments, 0 packets, 0 expired, 0 short,
0 large, 0 duplicates, 0 failures

NAT:
0/0 forw, 0/0 bckw, 0 tcpudp,
0 icmp, 0-0 alloc

Sync: Run "cphaprob syncstat" for cluster sync statistics.

[Expert@MyGW:0]#

[Expert@MyGW:0]# fw ctl pstat

System Capacity Summary:

Memory used: 3% (265 MB out of 7117 MB) - below watermark
Concurrent Connections: Not Available
Aggressive Aging is enabled, not active

Hash kernel memory (hmem) statistics:

System kernel memory (smem) statistics:

Kernel memory (kmem) statistics:

Total memory bytes used: 185761552 peak: 486615148
Allocations: 2212475 alloc, 0 failed alloc
2170606 free, 0 failed free
External Allocations: 0 for packets, 7303643 for SXL

Cookies:
91808 total, 0 alloc, 0 free,
2 dup, 91808 get, 0 put,
182258 len, 909 cached len, 0 chain alloc,
0 chain free

Connections:
0 total, 0 TCP, 0 UDP, 0 ICMP,
0 other, 0 anticipated, 0 recovered, -3 concurrent,
0 peak concurrent

Fragments:
0 fragments, 0 packets, 0 expired, 0 short,
0 large, 0 duplicates, 0 failures

NAT:
0/0 forw, 0/0 bckw, 0 tcpudp,
0 icmp, 0-0 alloc
Unable to open '/dev/fw6v0': No such file or directory
fw_get_kernel_instance_num: Invalid instance num 0 - return 0

FWMULTIK GCONN STAT:

VS 0 info:

CPU 0:
notifications handled: 64322, conn create failed: 0,
conns not from pool: 0, conns from pool: 6466, conns deleted: 9224, conn delete failed: 0,
bad notifications: 0,
pkt_partial_search: 367, pkt_partial_match: 0,
pkt_localsrc_search: 0, pkt_localsrc_match: 0

CPU 1:
notifications handled: 16624, conn create failed: 0,
conns not from pool: 0, conns from pool: 576, conns deleted: 2400, conn delete failed: 0, bad
notifications: 0,
pkt_partial_search: 46, pkt_partial_match: 0,
pkt_localsrc_search: 0, pkt_localsrc_match: 0

CPU 2:
notifications handled: 7460, conn create failed: 0,
conns not from pool: 0, conns from pool: 441, conns deleted: 2142, conn delete failed: 0, bad
notifications: 0,
pkt_partial_search: 26, pkt_partial_match: 0,
pkt_localsrc_search: 0, pkt_localsrc_match: 0

CPU 3:
notifications handled: 7090, conn create failed: 0,
conns not from pool: 0, conns from pool: 375, conns deleted: 1946, conn delete failed: 0, bad
notifications: 0,
pkt_partial_search: 28, pkt_partial_match: 0,
pkt_localsrc_search: 0, pkt_localsrc_match: 0

FWMULTIK STAT:

VS 0 info:

CPU 0:
Zeco: 0 data mapped, 0 data unmapped, 0 shared info mapped, 0 shared info unmapped
cut through: 0, non linear skbs: 0, shared skbs: 0
data alloc from pool: 0, data alloc not from pool: 0

fwmultik enqueue stats:

Inbound packet kernel: 37568
Outbound packet kernel: 34
Inbound packet userspace: 0
Outbound packet userspace: 0
Multik message kernel: 30
Multik message userspace: 0
F2P packet kernel: 0
F2P packet userspace: 0
VPN packet kernel: 0
VPN packet userspace: 0
Notification: 289900
Notification Packet: 0
Etm multik chain: 0
Vs message: 0
Vs_kill: 0
Forward before encrypt(F2F) kernel: 0
Forward before encrypt(F2F) userspace: 0
Async index req: 0
Accel ACK info: 0
SXL Device State Info: 0
Async ADP call: 0
fwmultik enqueue fail stats:
Inbound packet kernel: 0
Outbound packet kernel: 0
Inbound packet userspace: 0
Outbound packet userspace: 0
Multik message kernel: 0
Multik message userspace: 0
F2P packet kernel: 0
F2P packet userspace: 0
VPN packet kernel: 0
VPN packet userspace: 0
Notification: 0
Notification Packet: 0
Etm multik chain: 0
Vs message: 0
Vs_kill: 0
Forward before encrypt(F2F) kernel: 0
Forward before encrypt(F2F) userspace: 0
Async index req: 0
Accel ACK info: 0
SXL Device State Info: 0
Async ADP call: 0

CPU 1:
Zeco: 0 data mapped, 0 data unmapped, 0 shared info mapped, 0 shared info unmapped
cut through: 0, non linear skbs: 0, shared skbs: 0
data alloc from pool: 0, data alloc not from pool: 0

fwmultik enqueue stats:

Inbound packet kernel: 0
Outbound packet kernel: 31437
Inbound packet userspace: 0
Outbound packet userspace: 0
Multik message kernel: 2982
Multik message userspace: 0
F2P packet kernel: 0
F2P packet userspace: 0
VPN packet kernel: 0
VPN packet userspace: 0
Notification: 38540
Notification Packet: 0
Etm multik chain: 0
Vs message: 0
Vs_kill: 0
Forward before encrypt(F2F) kernel: 0
Forward before encrypt(F2F) userspace: 0
Async index req: 0
Accel ACK info: 0
SXL Device State Info: 0
Async ADP call: 0

fwmultik enqueue fail stats:

Inbound packet kernel: 0
Outbound packet kernel: 0
Inbound packet userspace: 0
Outbound packet userspace: 0
Multik message kernel: 0
Multik message userspace: 0
F2P packet kernel: 0
F2P packet userspace: 0
VPN packet kernel: 0
VPN packet userspace: 0
Notification: 0
Notification Packet: 0
Etm multik chain: 0
Vs message: 0
Vs_kill: 0
Forward before encrypt(F2F) kernel: 0
Forward before encrypt(F2F) userspace: 0
Async index req: 0
Accel ACK info: 0
SXL Device State Info: 0
Async ADP call: 0

CPU 2:
Zeco: 0 data mapped, 0 data unmapped, 0 shared info mapped, 0 shared info unmapped
cut through: 0, non linear skbs: 0, shared skbs: 0
data alloc from pool: 0, data alloc not from pool: 0

fwmultik enqueue stats:

Inbound packet kernel: 0
Outbound packet kernel: 12474
Inbound packet userspace: 0
Outbound packet userspace: 0
Multik message kernel: 2232
Multik message userspace: 0
F2P packet kernel: 0
F2P packet userspace: 0
VPN packet kernel: 0
VPN packet userspace: 0
Notification: 36644
Notification Packet: 0
Etm multik chain: 0
Vs message: 0
Vs_kill: 0
Forward before encrypt(F2F) kernel: 0
Forward before encrypt(F2F) userspace: 0
Async index req: 0
Accel ACK info: 0
SXL Device State Info: 0
Async ADP call: 0

fwmultik enqueue fail stats:

CPU 3:
Zeco: 0 data mapped, 0 data unmapped, 0 shared info mapped, 0 shared info unmapped
cut through: 0, non linear skbs: 0, shared skbs: 0
data alloc from pool: 0, data alloc not from pool: 0

fwmultik enqueue stats:

Inbound packet kernel: 0
Outbound packet kernel: 11743
Inbound packet userspace: 0
Outbound packet userspace: 0
Multik message kernel: 2252
Multik message userspace: 0
F2P packet kernel: 0
F2P packet userspace: 0
VPN packet kernel: 0
VPN packet userspace: 0
Notification: 45020
Notification Packet: 0
Etm multik chain: 0
Vs message: 0
Vs_kill: 0
Forward before encrypt(F2F) kernel: 0
Forward before encrypt(F2F) userspace: 0
Async index req: 0
Accel ACK info: 0
SXL Device State Info: 0
Async ADP call: 0

fwmultik enqueue fail stats:

fwmultik dequeue stats:

Inbound packet kernel: 0
Outbound packet kernel: 0
Inbound packet userspace: 0
Outbound packet userspace: 0
Multik message kernel: 0
Multik message userspace: 0
F2P packet kernel: 0
F2P packet userspace: 0
VPN packet kernel: 0
VPN packet userspace: 0
Notification: 19020
Notification Packet: 0
Etm multik chain: 0
Vs message: 0
Vs_kill: 0
Forward before encrypt(F2F) kernel: 0
Forward before encrypt(F2F) userspace: 0
Async index req: 0
Accel ACK info: 0
SXL Device State Info: 0
Async ADP call: 0

FWMULTIK GLOBAL STAT:

VS 0 info:

INSTANCE 0:
multik_forwarding: 0

fwmultik dispatch reason:

not selected: 0
arbitray: 0
conn: 0
multik tag: 0
sxl tag: 0
param: 0

INSTANCE 1:
multik_forwarding: 0

fwmultik dispatch reason:

not selected: 0
arbitray: 0
conn: 0
multik tag: 0
sxl tag: 0
param: 0

INSTANCE 2:
multik_forwarding: 0

fwmultik dispatch reason:

not selected: 0
arbitray: 0
conn: 0
multik tag: 0
sxl tag: 0
param: 0

Sync: Run "cphaprob syncstat" for cluster sync statistics.

[Expert@MyGW:0]# fw ctl pstat

[Expert@MyGW:0]# fw ctl pstat -h
System Capacity Summary:
Memory used: 3% (265 MB out of 7117 MB) - below watermark
Concurrent Connections: Not Available
Aggressive Aging is enabled, not active

Hash kernel memory (hmem) statistics:

Total memory allocated: 742391808 bytes in 181248 (4096 bytes) blocks using 1 pool
Total memory bytes used: 14537008 unused: 727854800 (98.04%) peak: 68247020
Total memory blocks used: 4090 unused: 177158 (97%) peak: 17227
Allocations: 2195201 alloc, 0 failed alloc, 2156295 free
Memory used for internal structures: 163600 bytes
Total number of items: 38906
Utilized blocks unused memory percentage: 13%
Detailed statistics according to item size:
Size 16: Blocks: 5 Full blocks: 0 Nitems: 71 unused memory 94%
Size 24: Blocks: 16 Full blocks: 0 Nitems: 655 unused memory 75%
Size 32: Blocks: 15 Full blocks: 0 Nitems: 434 unused memory 77%
... ... <truncated for brevity> ... ...
Size 1712: Blocks: 1 Full blocks: 0 Nitems: 1 unused memory 57%
Size 2000: Blocks: 117 Full blocks: 114 Nitems: 231 unused memory 2%

System kernel memory (smem) statistics:

Kernel memory (kmem) statistics:

Total memory bytes used: 185761552 peak: 486615148
Allocations: 2206659 alloc, 0 failed alloc
2164790 free, 0 failed free
External Allocations: 0 for packets, 7303643 for SXL

Cookies:
91808 total, 0 alloc, 0 free,
2 dup, 91808 get, 0 put,
182258 len, 909 cached len, 0 chain alloc,
0 chain free

Connections:
0 total, 0 TCP, 0 UDP, 0 ICMP,
0 other, 0 anticipated, 0 recovered, -3 concurrent,
0 peak concurrent

Fragments:
0 fragments, 0 packets, 0 expired, 0 short,
0 large, 0 duplicates, 0 failures

NAT:
0/0 forw, 0/0 bckw, 0 tcpudp,
0 icmp, 0-0 alloc

Sync: Run "cphaprob syncstat" for cluster sync statistics.

[Expert@MyGW:0]# fw ctl pstat

System Capacity Summary:

Memory used: 3% (265 MB out of 7117 MB) - below watermark
Concurrent Connections: Not Available
Aggressive Aging is enabled, not active

Hash kernel memory (hmem) statistics:

System kernel memory (smem) statistics:

Kernel memory (kmem) statistics:

Total memory bytes used: 185761552 peak: 486615148
Allocations: 2208847 alloc, 0 failed alloc
2166978 free, 0 failed free
External Allocations: 0 for packets, 7303643 for SXL
Memory used for internal structures: 502428 bytes
Total number of items: 41869

Cookies:
91808 total, 0 alloc, 0 free,
2 dup, 91808 get, 0 put,
182258 len, 909 cached len, 0 chain alloc,
0 chain free

Connections:
0 total, 0 TCP, 0 UDP, 0 ICMP,
0 other, 0 anticipated, 0 recovered, -3 concurrent,
0 peak concurrent

Fragments:
0 fragments, 0 packets, 0 expired, 0 short,
0 large, 0 duplicates, 0 failures

NAT:
0/0 forw, 0/0 bckw, 0 tcpudp,
0 icmp, 0-0 alloc

Sync: Run "cphaprob syncstat" for cluster sync statistics.

[Expert@MyGW:0]# fw ctl pstat

System Capacity Summary:

Memory used: 3% (265 MB out of 7117 MB) - below watermark
Concurrent Connections: Not Available
Aggressive Aging is enabled, not active

Hash kernel memory (hmem) statistics:

System kernel memory (smem) statistics:

Kernel memory (kmem) statistics:

Total memory bytes used: 185761552 peak: 486615148
Allocations: 2209847 alloc, 0 failed alloc
2167978 free, 0 failed free
External Allocations: 0 for packets, 7303643 for SXL

Cookies:
91808 total, 0 alloc, 0 free,
2 dup, 91808 get, 0 put,
182258 len, 909 cached len, 0 chain alloc,
0 chain free

Connections:
0 total, 0 TCP, 0 UDP, 0 ICMP,
0 other, 0 anticipated, 0 recovered, -3 concurrent,
0 peak concurrent

Fragments:
0 fragments, 0 packets, 0 expired, 0 short,
0 large, 0 duplicates, 0 failures

NAT:
0/0 forw, 0/0 bckw, 0 tcpudp,
0 icmp, 0-0 alloc

Sync: Run "cphaprob syncstat" for cluster sync statistics.

Handles:
table name "kbufs"
3 handles, 6 pools, 6 maximum pool(s)
18249 allocated, 0 failed, 18246 freed
6 pool(s) allocated, 0 failed, 0 freed, 0 not preallocated

[Expert@MyGW:0]# fw ctl pstat

System Capacity Summary:

Memory used: 3% (265 MB out of 7117 MB) - below watermark
Concurrent Connections: Not Available
Aggressive Aging is enabled, not active

Hash kernel memory (hmem) statistics:

System kernel memory (smem) statistics:

Kernel memory (kmem) statistics:

Total memory bytes used: 185761552 peak: 486615148
Allocations: 2213652 alloc, 0 failed alloc
2171783 free, 0 failed free
External Allocations: 0 for packets, 7303643 for SXL

Cookies:
91808 total, 0 alloc, 0 free,
2 dup, 91808 get, 0 put,
182258 len, 909 cached len, 0 chain alloc,
0 chain free

Connections:
0 total, 0 TCP, 0 UDP, 0 ICMP,
0 other, 0 anticipated, 0 recovered, -3 concurrent,
0 peak concurrent

Fragments:
0 fragments, 0 packets, 0 expired, 0 short,
0 large, 0 duplicates, 0 failures

NAT:
0/0 forw, 0/0 bckw, 0 tcpudp,
0 icmp, 0-0 alloc
Unable to open '/dev/fw6v0': No such file or directory
fw_get_kernel_instance_num: Invalid instance num 0 - return 0

FWMULTIK GCONN STAT:

VS 0 info:

notifications handled: 95496, conn create failed: 0,

conns not from pool: 0, conns from pool: 7858, conns deleted: 15712, conn delete failed: 0,
bad notifications: 0,
pkt_partial_search: 467, pkt_partial_match: 0,
pkt_localsrc_search: 0, pkt_localsrc_match: 0

FWMULTIK STAT:

VS 0 info:

Zeco: 0 data mapped, 0 data unmapped, 0 shared info mapped, 0 shared info unmapped
cut through: 0, non linear skbs: 0, shared skbs: 0
data alloc from pool: 0, data alloc not from pool: 0

fwmultik enqueue stats:

Inbound packet kernel: 37568
Outbound packet kernel: 55688
Inbound packet userspace: 0
Outbound packet userspace: 0
Multik message kernel: 7496
Multik message userspace: 0
F2P packet kernel: 0
F2P packet userspace: 0
VPN packet kernel: 0
VPN packet userspace: 0
Notification: 411712
Notification Packet: 0
Etm multik chain: 0
Vs message: 0
Vs_kill: 0
Forward before encrypt(F2F) kernel: 0
Forward before encrypt(F2F) userspace: 0
Async index req: 0
Accel ACK info: 0
SXL Device State Info: 0
Async ADP call: 0

fwmultik enqueue fail stats:

fwmultik dequeue stats:

Inbound packet kernel: 0
Outbound packet kernel: 0
Inbound packet userspace: 0
Outbound packet userspace: 0
Multik message kernel: 0
Multik message userspace: 0
F2P packet kernel: 0
F2P packet userspace: 0
VPN packet kernel: 0
VPN packet userspace: 0
Notification: 20628
Notification Packet: 0
Etm multik chain: 0
Vs message: 0
Vs_kill: 0
Forward before encrypt(F2F) kernel: 0
Forward before encrypt(F2F) userspace: 0
Async index req: 0
Accel ACK info: 0
SXL Device State Info: 0
Async ADP call: 0

FWMULTIK GLOBAL STAT:

VS 0 info:

multik_forwarding: 0

fwmultik dispatch reason:

not selected: 0
arbitray: 0
conn: 0
multik tag: 0
sxl tag: 0
param: 0

Sync: Run "cphaprob syncstat" for cluster sync statistics.

[Expert@MyGW:0]# fw ctl pstat

Driver uptime 5b918625

Policy installation time 5b919925
Policy ID 0
Protection ID 0
First kmem allocation failure time 0

System Capacity Summary:

Memory used: 3% (265 MB out of 7117 MB) - below watermark
Concurrent Connections: Not Available
Aggressive Aging is enabled, not active

Hash kernel memory (hmem) statistics:

System kernel memory (smem) statistics:

Kernel memory (kmem) statistics:

Total memory bytes used: 185761552 peak: 486615148
Allocations: 2215919 alloc, 0 failed alloc
2174050 free, 0 failed free
External Allocations: 0 for packets, 7303643 for SXL

Cookies:
91808 total, 0 alloc, 0 free,
2 dup, 91808 get, 0 put,
182258 len, 909 cached len, 0 chain alloc,
0 chain free

Connections:
0 total, 0 TCP, 0 UDP, 0 ICMP,
0 other, 0 anticipated, 0 recovered, -3 concurrent,
0 peak concurrent

Fragments:
0 fragments, 0 packets, 0 expired, 0 short,
0 large, 0 duplicates, 0 failures

NAT:
0/0 forw, 0/0 bckw, 0 tcpudp,
0 icmp, 0-0 alloc

Sync: Run "cphaprob syncstat" for cluster sync statistics.

[Expert@MyGW:0]# fw ctl pstat

System Capacity Summary:

Memory used: 3% (265 MB out of 7117 MB) - below watermark
Concurrent Connections: Not Available
Aggressive Aging is enabled, not active

Hash kernel memory (hmem) statistics:

System kernel memory (smem) statistics:

Total memory bytes used: 913975068 peak: 1165010872
Total memory bytes wasted: 7883999
Blocking memory bytes used: 4896272 peak: 6916084
Non-Blocking memory bytes used: 909078796 peak: 1158094788
Allocations: 13397 alloc, 0 failed alloc, 10207 free, 0 failed free
vmalloc bytes used: 908585924 expensive: no
Memory used for internal structures: 51040 bytes
Total number of items: 3190
*** use 'fw ctl debug memory' command to get detailed allocation report ***

Kernel memory (kmem) statistics:

Total memory bytes used: 185761552 peak: 486615148
Allocations: 2216464 alloc, 0 failed alloc
2174595 free, 0 failed free
External Allocations: 0 for packets, 7303643 for SXL

Cookies:
91808 total, 0 alloc, 0 free,
2 dup, 91808 get, 0 put,
182258 len, 909 cached len, 0 chain alloc,
0 chain free

Connections:
0 total, 0 TCP, 0 UDP, 0 ICMP,
0 other, 0 anticipated, 0 recovered, -3 concurrent,
0 peak concurrent

Fragments:
0 fragments, 0 packets, 0 expired, 0 short,
0 large, 0 duplicates, 0 failures

NAT:
0/0 forw, 0/0 bckw, 0 tcpudp,
0 icmp, 0-0 alloc

Sync: Run "cphaprob syncstat" for cluster sync statistics.

[Expert@MyGW:0]# fw ctl pstat





 $FWDIR/modules/fw_kern_64.o
 $FWDIR/modules/fw_kern_64_v6.o
 $PPKDIR/modules/sim_kern_64.o
 $PPKDIR/modules/sim_kern_64_v6.o

 $FWDIR/modules/fwkern.conf
 $FWDIR/modules/vpnkern.conf
 $PPKDIR/conf/simkern.conf

fw ctl get

fw [-d] ctl set

int <Name of Integer Kernel Parameter> <Integer Value>
str <Name of String Kernel Parameter> '<String Value>'

-d

<
>

< >
[Expert@MyGW:0]# fw ctl get int fw_kdprintf_limit
fw_kdprintf_limit = 100
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl set int fw_kdprintf_limit 50
Set operation succeeded
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl get int fw_kdprintf_limit
fw_kdprintf_limit = 50
[Expert@MyGW:0]#

[Expert@MyGW:0]# fw ctl set str icap_unwrap_append_header_str 'print'

Set operation succeeded
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl get str icap_unwrap_append_header_str
icap_unwrap_append_header_str = '__print__'
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl set str icap_unwrap_append_header_str ''
Set operation succeeded
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl get str icap_unwrap_append_header_str
icap_unwrap_append_header_str = ''
[Expert@MyGW:0]#


fw [-d] ctl tcpstrstat
-p
-r

-d

-p
-r

[Expert@MyGW:0]# fw ctl tcpstrstat

General Counters:
=================
Connections:
Concurrent num of connections ............. 0
Concurrent num of si connections .......... 0
Packets:
Total num of packets ...................... 2567
Total packets in bytes .................... 202394
Concurrent num of async packets ........... 0
Memory:
Allocated memory in bytes ................. 0
Referenced skbuffs num .................... 0
Referenced skbuffs size in bytes .......... 0
External packet references................. 0
Allocated memory per connection ........... 0
Rejected packets/connections:
Total num of rejected packets ............. 0
Dropped packets/connections:
Total num of dropped packets .............. 0
Stripped/Truncated packets:
Total num of stripped packets ............. 0
Total num of truncated packets ............ 0
Paused packets:
Total num of c2s|s2c paused packets ....... 0 | 0
Concurrent num of UDP held packets ........ 0

Applications Counters:
======================
Application Name: ASPII_MT
Connections:
Total num of connections .................. 954
Concurrent num of connections ............. 0
Total num of c2s|s2c connections .......... 954 | 954
Concurrent num of c2s|s2c connections ..... 0 | 0
Packets:
Total num of c2s|s2c data packets ......... 2567 | 0
Total c2s|s2c data packets in bytes ....... 130518 | 0

[Expert@MyGW:0]# fw ctl tcpstrstat -p

Exception statistics:
=============================
Total num of urgent packets ...................... 0
Total num of invalid SYN retransmissions ......... 0
Total num of SYN sequences not initialized ....... 0
Total num of old packets outside window .......... 0
Total num of old packets outside window truncate . 0
Total num of old packets outside window strip .... 0
Total num of new packets outside window .......... 0
Total num of incorrect retransmissions ........... 0
Total num of TCP packets with incorrect checksum . 0
Total num of ACK on unprocessed data ............. 0
Total num of old ACK outside window .............. 0
Max segments reached ............................. 0
No resources ..................................... 0
Hold timeout ..................................... 0

Packets Manipulations:
=============================
Total num of split packets ....................... 0
Total num of merge packets ....................... 0
Total num of shrink packets ...................... 0

Opaque statistics:
=============================

Release reference:
End Handler ........... 954

Packet Expiration Counters:

=============================

[Expert@MyGW:0]#
RTM

fw ctl uninstall

fw ctl uninstall fw ctl install

fw
fetch cpstart

fw [-d] ctl uninstall

-d
 comp_init_policy
 control_bootsec
 fwboot default
 fwboot bootconf

fw [-d] defaultgen

–d

defaultgen

 $FWDIR/state/default.bin
 $FWDIR/state/default.bin6

$FWDIR/state/default.bin.bak
$FWDIR/state/default.bin6.bak

[Expert@MyGW:0]# fw defaultgen
Generating default filter
defaultfilter:
Compiled OK.
defaultfilter:
Compiled OK.
Backing up default.bin as default.bin.bak
hostaddr(MyGW) failed
Backing up default.bin6 as default.bin6.bak
[Expert@MyGW:0]#

fw [-d] fetch -f [-i] [-n] [-r]

fw [-d] fetch -f -c [-i] [-n] [-r]


fw [-d] fetch [-i] [-n] [-r] <Master 1> [<Master 2> ...]


fw [-d] fetch local [-nu]
fw [-d] fetch localhost [-nu]


fw [-d] fetchlocal -d <Full Path to Directory>

fw -d fetch...

script
-c

 -f

-f
$FWDIR/conf/masters
-i

-n

-nu
-r
< > [< > ...]








 < >

< >
< >

localhost
 < >

localhost
-d < >
$FWDIR/log/*.log*
$FWDIR/log/*.adtlog*

fw [-d] fetchlogs [-f <Name of Log File 1>] [-f <Name of Log File 2>]... [-f <Name
of Log File N>] <Target>

-d

-f < >

$FWDIR/log/*.log*
$FWDIR/log/*.adtlog*

2017-0?-*.log


-f



< >

 $FWDIR/log/

 $FWDIR/log/
 $FWDIR/log/fw.log
$FWDIR/log/fw.adtlog

fw logswitch [-audit] [-h < >]

fw fetchlogs -f <Log File Name> < >



MyGW__2018-06-01_000000.log

[Expert@HostName:0]# fw lslogs MyGW

Size Log file name
23KB 2018-05-16_000000.log
9KB 2018-05-17_000000.log
11KB 2018-05-18_000000.log
5796KB 2018-06-01_000000.log
4610KB fw.log
[Expert@HostName:0]#

[Expert@HostName:0]# fw fetchlogs -f 2018-06-01_000000 MyGW

File fetching in process. It may take some time...
File MyGW__2018-06-01_000000.log was fetched successfully
[Expert@HostName:0]#

[Expert@HostName:0]# fw lslogs MyGW

Size Log file name
23KB 2018-05-16_000000.log
9KB 2018-05-17_000000.log
11KB 2018-05-18_000000.log
4610KB fw.log
[Expert@HostName:0]#




 cpstat
 cpstat -f ifconfig os
 cpstat -f interfaces fw

fw [-d] getifs

-d

[Expert@MyGW:0]# fw getifs
localhost eth0 192.168.30.40 255.255.255.0
localhost eth1 172.30.60.80 255.255.255.0
[Expert@MyGW:0]#
fw hastat
 show cluster state
cphaprob state
 cpstat

fw hastat [<Target1>] [<Target2>] ... [<TargetN>]

[Expert@MGMT:0]# fw hastat

HOST NUMBER HIGH AVAILABILITY STATE MACHINE STATUS

localhost active OK
[Expert@MGMT:0]#

[Expert@MGMT:0]# fw hastat 192.168.3.52

HOST NUMBER HIGH AVAILABILITY STATE MACHINE STATUS
192.168.3.52 1 active OK
[Expert@MGMT:0]#

[Expert@MGMT:0]# fw hastat 192.168.3.53

HOST NUMBER HIGH AVAILABILITY STATE MACHINE STATUS
192.168.3.53 2 stand-by OK
[Expert@MGMT:0]#

[Expert@MGMT:0]# fw hastat 192.168.3.52 192.168.3.53

HOST NUMBER HIGH AVAILABILITY STATE MACHINE STATUS
192.168.3.52 1 active OK
192.168.3.53 2 stand-by OK
[Expert@MGMT:0]#

[Expert@Member1:0]# fw hastat
HOST NUMBER HIGH AVAILABILITY STATE MACHINE STATUS
192.168.3.52 1 active OK
[Expert@Member1:0]#
fw [-d] isp_link
{-h | -help}
[<Name of Object>] <Name of ISP Link>
down
up

-d

{-h | -help}

< >

down
up
fw [-d] kill [-t <Signal Number>] <Name of Process>

-d

-t <
> kill -l

kill signal

SIGTERM

< >

fw kill fwd
fw [-d] lichosts [-l] [-x]

-d

-l
-x

[Expert@MyGW:0]# fw lichosts
License allows an unlimited number of hosts
[Expert@MyGW:0]
$FWDIR/log/*.log
$FWDIR/log/*.adtlog

fw log {-h | -help}

{-h | -help}

-d

script

-a

-b "< >"
"< >"
 < > < >

 < >" "< >

-b 'XX' 'YY" -b "XX"
"YY
 -b -s
-e

-c < >
 accept
 drop
 reject
 encrypt
 decrypt
 vpnroute
 keyinst
 authorize
 deauthorize
 authcrypt
 ctl

 fw log ctl

 authcrypt
-e "< >"

 < >
 < >
-e '...' -e "..."
 -e -b


-f

$FWDIR/log/fw.log
$FWDIR/log/fw.adtlog

-g



-H
-h < >

-i

-k {< > |
all}
 < >

 alert
 mail
 snmp_trap
 spoof
 user_alert
 user_auth
 all

-l

-m

 initial

-f

semi
 semi

 raw
-n

-o

-p
-q

-S

-s "< >"

 < >


 < >
-s '...' -s "..."
 -s -b


-t

$FWDIR/log/fw.log
$FWDIR/log/fw.adtlog

-u <
>

$FWDIR/conf/log_unification_scheme.C

-w

-x < >

-y < >

-z

< >

$FWDIR/log/fw.log
MMM DD, YYYY June 11, 2018
HH:MM:SS 14:20:00

MMM DD, YYYY HH:MM:SS June 11, 2018 14:20:00

HeaderDateHour ContentVersion HighLevelLogKey Uuid SequenceNum Flags

Action Origin IfDir InterfaceName LogId ...

HeaderDateHour 12Jun2018 12:56:42

ContentVersion 5
HighLevelLogKey <max_null>
Uuid (0x5b1f99cb,0x0,0x3403a8c0,0xc0
000000)
SequenceNum 1
Flags 428292

Action  accept
 dropreject
 encrypt
 decrypt
 vpnroute
 keyinst
 authorize
 deauthorize
 authcrypt
 ctl
Origin MyGW

IfDir  <
 >
 <

 >

InterfaceName  eth0
 daemon
 N/A

daemon
LogId 0
Alert
 alert
 mail
 snmp_trap
 spoof
 user_alert
 user_auth
OriginSicName CN=MyGW,O=MyDomain_Server.check
point.com.s6t98x

inzone Local
outzone External
service_id ftp

src MyHost

dst MyFTPServer

proto tcp
sport_svc 64933

ProductName  VPN-1 & FireWall-1

 Application Control
 FloodGate-1
ProductFamily Network

fw log -l

[Expert@MyGW:0]# fw log -l -s "June 12, 2018 12:33:00"

... ... ...

[Expert@MyGW:0]#

12Jun2018 12:33:45 5 N/A 1 ctl MyGW > LogId: <max_null>; ContextNum:

[Expert@MyGW:0]# fw log -l -c drop

[Expert@MyGW:0]# fw log -l -q -w -c drop

[Expert@MyGW:0]# fw log -l -x 0 -y 10
... ...
[Expert@MyGW:0]#
 $FWDIR/log/fw.log
 $FWDIR/log/fw.adtlog

fw [-d] logswitch
[-audit] [<Name of Switched Log>]
-h <Target> [[+ | -]<Name of Switched Log>]

-d

-audit $FWDIR/log/fw.adtlog

-h < >





<
>


<YYYY-MM-DD_HHMMSS>.log
<YYYY-MM-DD_HHMMSS>.adtlog

<Specified_Log_Name>.log
<Specified_Log_Name>.adtlog



$FWDIR/log/

<Gateway_Object_Name>__<YYYY-MM-DD_HHMMSS>.log

<Gateway_Object_Name>__<Specified_Log_Name>.log

-

 $FWDIR/log/


<Gateway_Object_Name>__<YYYY-MM-DD_HHMMSS>.log

<Gateway_Object_Name>__<Specified_Log_Name>.log


 fw fetchlogs

gzip

[Expert@MGMT:0]# fw logswitch
Log file has been switched to: 2018-06-13_182359.log
[Expert@MGMT:0]#

[Expert@MGMT:0]# fw logswitch -audit

Log file has been switched to: 2018-06-13_185711.adtlog
[Expert@MGMT:0]#

[Expert@MGMT:0]# fw logswitch -h MyGW

[Expert@MGMT:0]# fw logswitch -h MyGW +

fw [-d] lslogs [-f <Name of Log File 1>] [-f <Name of Log File 2>] ... [-f <Name
of Log File N>] [-e] [-r] [-s {name | size | stime | etime}] [<Target>]

-d

script
-f < >


$FWDIR/log/*.log

2017-0?-*


-f
-e

 Size
 Creation Time
 Closing Time
 Log File Name
-r
-s {name | size |
stime | etime}

 name
 size
 stime

 etime
< >


< >

[Expert@MGMT:0]# fw lslogs
Size Log file name
9KB 2018-06-14_000000.log
11KB 2018-06-15_000000.log
9KB 2018-06-16_000000.log
10KB 2018-06-17_000000.log
9KB fw.log
[Expert@MGMT:0]#

[Expert@MGMT:0]# fw lslogs -f "*"

Size Log file name
9KB fw.adtlog
9KB fw.log
9KB 2018-05-29_000000.adtlog
9KB 2018-05-29_000000.log
9KB 2018-05-20_000000.adtlog
9KB 2018-05-20_000000.log
[Expert@MGMT:0]#

[Expert@MGMT:0]# fw lslogs -f "2018-06-14" -f '2018-06-15'

Size Log file name
9KB 2018-06-14_000000.adtlog
9KB 2018-06-14_000000.log
11KB 2018-06-15_000000.adtlog
11KB 2018-06-15_000000.log
[Expert@MGMT:0]#

[Expert@MGMT:0]# fw lslogs -f "2018-06-14" -f '2018-06-15'

Size Log file name
9KB 2018-06-14_000000.adtlog
9KB 2018-06-14_000000.log
11KB 2018-06-15_000000.adtlog
11KB 2018-06-15_000000.log
[Expert@MGMT:0]#

[Expert@MGMT:0]# fw lslogs -f "2018-06-14" -f '2018-06-15' -e -s name -r

[Expert@MGMT:0]# fw lslogs -f "2018-06-14" -f '2018-06-15' 192.168.3.53

Size Log file name
11KB 2018-06-15_000000.adtlog
11KB 2018-06-15_000000.log
9KB 2018-06-14_000000.log
9KB 2018-06-14_000000.adtlog
[Expert@MGMT:0]#
$FWDIR/log/*.log
$FWDIR/log/*.adtlog
$FWDIR/log/fw.log
$FWDIR/log/fw.adtlog
fw logswitch




Warning: The size of the files you have chosen to merge is greater than
2GB. The merge will produce two or more files.

 .log
 _1.log
 _2.log
 ... ...
 _N.log

fw [-d] mergefiles
{-h | -help}
[-s] [-r] [-t <Time Conversion File>] <Log File 1> [<Log File 2> ... <Log File
N>] <Output Log File>

-d

script

{-h | -help}
-r
-s
-t < >

< > <

>
< > <
>
... ... ...
< > [< > ... <
>]
< >

[Expert@MyGW:0]# ls -l $FWDIR/*.log
-rw-rw-r-- 1 admin root 189497 Sep 7 00:00 2018-09-07_000000.log
-rw-rw-r-- 1 admin root 14490 Sep 9 09:52 2018-09-09_000000.log
-rw-rw-r-- 1 admin root 30796 Sep 10 10:56 2018-09-10_000000.log
-rw-rw-r-- 1 admin root 24503 Sep 10 13:08 fw.log
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw mergefiles -s $FWDIR/2018-09-07_000000.log $FWDIR/2018-09-09_000000.log
$FWDIR/2018-09-10_000000.log /var/log/2018-Sep-Merged.log
[Expert@MyGW:0]#
[Expert@MyGW:0]# ls -l /var/log/2018-Sep-Merged.log*
-rw-rw---- 1 admin root 213688 Sep 10 13:18 /var/log/2018-Sep-Merged.log
-rw-rw---- 1 admin root 8192 Sep 10 13:18 /var/log/2018-Sep-Merged.logLuuidDB
-rw-rw---- 1 admin root 80 Sep 10 13:18 /var/log/2018-Sep-Merged.logaccount_ptr
-rw-rw---- 1 admin root 2264 Sep 10 13:18 /var/log/2018-Sep-Merged.loginitial_ptr
-rw-rw---- 1 admin root 4448 Sep 10 13:18 /var/log/2018-Sep-Merged.logptr
[Expert@MyGW:0]#
 fw monitor
 fw monitor

$FWDIR/tmp/monitorfilter.*


fw monitor {-h | -help}

fw monitor [-d] [-D] [-ci <Number of Inbound Packets>] [-co <Number of Outbound
Packets>] [-e <INSPECT Expression> | -f {<INSPECT Filter File> | -}] [-i] [-l
<Length>] [-m {i,I,o,O,e,E}] [-o <Output File> [-w]] [[-pi <Position>] [-pI
<Position>] [-po <Position>] [-pO <Position>] | -p all [-a]] [-T] [-u | -s] [-v
<VSID>] [-x <Offset>[,<Length>]]

fw6 monitor {-h | -help}

fw6 monitor [-d] [-D] [-ci <Number of Inbound Packets>] [-co <Number of Outbound
Packets>] [-e <INSPECT Expression> | -f {<INSPECT Filter File> | -}] [-i] [-l
<Length>] [-m {i,I,o,O,e,E}] [-o <Output File> [-w]] [[-pi <Position>] [-pI
<Position>] [-po <Position>] [-pO <Position>] | -p all [-a]] [-T] [-u | -s] [-v
<VSID>] [-x <Offset>[,<Length>]]

{-h | -help}
-d
-D
 -d
 -D

-ci <
>
-co <
>  -ci
 -co
-ci -co

-e <
>  -e < >

-f {<  -f < >

> | -}

 -f -

$FWDIR/lib/fwmonitor.def

-i

-v < >
-l < >




-m {i, I, o, O, e,
E}

 -m i

 -m I

 -m o

 -m O

 -m e

 -m E

... -m o -m O ...
 -m {i, I, o, O,
e, E}
-p{i | I | o | O}


fw ctl chain fw VM inbound

[Client] --> ("i") {FW VM attached to eth1} ("I")

[Security Gateway] ("o") {FW VM attached to eth2}
("O") --> [Server]


[Client] <-- ("O") {FW VM attached to eth1} ("o")

[Security Gateway] ("I") {FW VM attached to eth2}
("i") <-- [Server]
-o < >

/var/log/

snoop
-pi < >
-pI < >
-po < >
-o < >
-pO < >

-p all [-a]
 -pi < >

 -pI < >

 -po < >

 -pO < >

 -p all [-a]

-a

fw ctl chain
 < >
 fw ctl chain

 fw ctl chain

sxl_in
fw cpas
 fw ctl chain

 -p{i | I|
o | O} ... -m
{i, I, o, O, e, E}


fw ctl chain fw VM inbound

-T
DDMMMYYYY HH:MM:SS.mmmmmm

-u

 -u
-s

 -s
-v < >

fw monitor -v 4 -e "accept;" -o /var/log/fw_mon.cap

-x
< >[,< >]

 < >

-x
52,96

eth4:i

eth4:I
eth4:id
eth4:ID
eth4:iq
eth4:IQ

eth4:o

eth4:O
eth4:e
eth4:E
eth4:oq
eth4:OQ

[Expert@MyGW:0]# fw monitor
monitor: getting filter (from command line)
monitor: compiling
monitorfilter:
Compiled OK.
monitor: loading
monitor: monitoring (control-C to stop)
[vs_0][fw_1] eth0:i[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=31789
TCP: 53901 -> 22 ....A. seq=761113cd ack=f92e2a13
[vs_0][fw_1] eth0:I[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=31789
TCP: 53901 -> 22 ....A. seq=761113cd ack=f92e2a13
[vs_0][fw_1] eth0:i[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=31790
TCP: 53901 -> 22 ....A. seq=761113cd ack=f92e2a47
... ... ...
monitor: caught sig 2
monitor: unloading
[Expert@MyGW:0]#

[Expert@MyGW:0]# fw monitor -m i -ci 3

monitor: getting filter (from command line)
monitor: compiling
monitorfilter:
Compiled OK.
monitor: loading
monitor: monitoring (control-C to stop)
[vs_0][fw_1] eth0:i[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=31905
TCP: 53901 -> 22 ....A. seq=76111bb5 ack=f92e683b
[vs_0][fw_1] eth0:i[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=31906
TCP: 53901 -> 22 ....A. seq=76111bb5 ack=f92e68ef
[vs_0][fw_1] eth0:i[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=31907
TCP: 53901 -> 22 ....A. seq=76111bb5 ack=f92e69a3
monitor: unloading
Read 3 inbound packets and 0 outbound packets
[Expert@MyGW:0]#

[Expert@MyGW:0]# fw ctl chain

in chain (15):
0: -7fffffff (0000000000000000) (00000000) SecureXL inbound (sxl_in)
1: -7ffffffe (0000000000000000) (00000000) SecureXL inbound CT (sxl_ct)
2: -7f800000 (ffffffff8b6718c0) (ffffffff) IP Options Strip (in) (ipopt_strip)
3: - 1fffff8 (ffffffff8b66f6f0) (00000001) Stateless verifications (in) (asm)
4: - 1fffff7 (ffffffff8b66f210) (00000001) fw multik misc proto forwarding
5: 0 (ffffffff8b8506a0) (00000001) fw VM inbound (fw)
6: 2 (ffffffff8b671d10) (00000001) fw SCV inbound (scv)
7: 4 (ffffffff8b061ed0) (00000003) QoS inbound offload chain module
8: 5 (ffffffff8b564d30) (00000003) fw offload inbound (offload_in)
9: 10 (ffffffff8b842710) (00000001) fw post VM inbound (post_vm)
10: 100000 (ffffffff8b7fd6c0) (00000001) fw accounting inbound (acct)
11: 22000000 (ffffffff8b0638d0) (00000003) QoS slowpath inbound chain mod (fg_sched)
12: 7f730000 (ffffffff8b3c40b0) (00000001) passive streaming (in) (pass_str)
13: 7f750000 (ffffffff8b0e5b40) (00000001) TCP streaming (in) (cpas)
14: 7f800000 (ffffffff8b671870) (ffffffff) IP Options Restore (in) (ipopt_res)
out chain (14):
0: -7f800000 (ffffffff8b6718c0) (ffffffff) IP Options Strip (out) (ipopt_strip)
1: - 1fffff0 (ffffffff8b0d0190) (00000001) TCP streaming (out) (cpas)
2: - 1ffff50 (ffffffff8b3c40b0) (00000001) passive streaming (out) (pass_str)
3: - 1f00000 (ffffffff8b66f6f0) (00000001) Stateless verifications (out) (asm)
4: - 1ff (ffffffff8aeec0a0) (00000001) NAC Packet Outbound (nac_tag)
5: 0 (ffffffff8b8506a0) (00000001) fw VM outbound (fw)
6: 10 (ffffffff8b842710) (00000001) fw post VM outbound (post_vm)
7: 15000000 (ffffffff8b062540) (00000003) QoS outbound offload chain modul (fg_pol)
8: 21000000 (ffffffff8b0638d0) (00000003) QoS slowpath outbound chain mod (fg_sched)
9: 7f000000 (ffffffff8b7fd6c0) (00000001) fw accounting outbound (acct)
10: 7f700000 (ffffffff8b0e4660) (00000001) TCP streaming post VM (cpas)
11: 7f800000 (ffffffff8b671870) (ffffffff) IP Options Restore (out) (ipopt_res)
12: 7f900000 (0000000000000000) (00000000) SecureXL outbound (sxl_out)
13: 7fa00000 (0000000000000000) (00000000) SecureXL deliver (sxl_deliver)
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw monitor -pi 2 -ci 3
monitor: getting filter (from command line)
monitor: compiling
monitorfilter:
Compiled OK.
monitor: loading
in chain (17):
0: -7fffffff (0000000000000000) (00000000) SecureXL inbound (sxl_in)
1: -7ffffffe (0000000000000000) (00000000) SecureXL inbound CT (sxl_ct)
2: -7f800001 (ffffffff8b6774d0) (ffffffff) fwmonitor (i/f side)
3: -7f800000 (ffffffff8b6718c0) (ffffffff) IP Options Strip (in) (ipopt_strip)
4: - 1fffff8 (ffffffff8b66f6f0) (00000001) Stateless verifications (in) (asm)
5: - 1fffff7 (ffffffff8b66f210) (00000001) fw multik misc proto forwarding
6: 0 (ffffffff8b8506a0) (00000001) fw VM inbound (fw)
7: 2 (ffffffff8b671d10) (00000001) fw SCV inbound (scv)
8: 4 (ffffffff8b061ed0) (00000003) QoS inbound offload chain module
9: 5 (ffffffff8b564d30) (00000003) fw offload inbound (offload_in)
10: 10 (ffffffff8b842710) (00000001) fw post VM inbound (post_vm)
11: 100000 (ffffffff8b7fd6c0) (00000001) fw accounting inbound (acct)
12: 22000000 (ffffffff8b0638d0) (00000003) QoS slowpath inbound chain mod (fg_sched)
13: 70000000 (ffffffff8b6774d0) (ffffffff) fwmonitor (IP side)
14: 7f730000 (ffffffff8b3c40b0) (00000001) passive streaming (in) (pass_str)
15: 7f750000 (ffffffff8b0e5b40) (00000001) TCP streaming (in) (cpas)
16: 7f800000 (ffffffff8b671870) (ffffffff) IP Options Restore (in) (ipopt_res)
out chain (16):
0: -7f800000 (ffffffff8b6718c0) (ffffffff) IP Options Strip (out) (ipopt_strip)
1: -70000000 (ffffffff8b6774d0) (ffffffff) fwmonitor (i/f side)
2: - 1fffff0 (ffffffff8b0d0190) (00000001) TCP streaming (out) (cpas)
3: - 1ffff50 (ffffffff8b3c40b0) (00000001) passive streaming (out) (pass_str)
4: - 1f00000 (ffffffff8b66f6f0) (00000001) Stateless verifications (out) (asm)
5: - 1ff (ffffffff8aeec0a0) (00000001) NAC Packet Outbound (nac_tag)
6: 0 (ffffffff8b8506a0) (00000001) fw VM outbound (fw)
7: 10 (ffffffff8b842710) (00000001) fw post VM outbound (post_vm)
8: 15000000 (ffffffff8b062540) (00000003) QoS outbound offload chain modul (fg_pol)
9: 21000000 (ffffffff8b0638d0) (00000003) QoS slowpath outbound chain mod (fg_sched)
10: 70000000 (ffffffff8b6774d0) (ffffffff) fwmonitor (IP side)
11: 7f000000 (ffffffff8b7fd6c0) (00000001) fw accounting outbound (acct)
12: 7f700000 (ffffffff8b0e4660) (00000001) TCP streaming post VM (cpas)
13: 7f800000 (ffffffff8b671870) (ffffffff) IP Options Restore (out) (ipopt_res)
14: 7f900000 (0000000000000000) (00000000) SecureXL outbound (sxl_out)
15: 7fa00000 (0000000000000000) (00000000) SecureXL deliver (sxl_deliver)
monitor: monitoring (control-C to stop)
[vs_0][fw_1] eth0:oq1 (TCP streaming (out))[1228]: 192.168.204.40 -> 192.168.204.1 (TCP) len=1228
id=37575
TCP: 22 -> 51702 ...PA. seq=34e2af31 ack=e6c995ce
[vs_0][fw_1] eth0:OQ10 (TCP streaming post VM)[1228]: 192.168.204.40 -> 192.168.204.1 (TCP) len=1228
id=37575
TCP: 22 -> 51702 ...PA. seq=34e2af31 ack=e6c995ce
[vs_0][fw_1] eth0:iq2 (IP Options Strip (in))[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=32022
TCP: 51702 -> 22 ....A. seq=e6c995ce ack=34e2af31
[vs_0][fw_1] eth0:IQ13 (TCP streaming (in))[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=32022
TCP: 51702 -> 22 ....A. seq=e6c995ce ack=34e2af31
[vs_0][fw_1] eth0:oq1 (TCP streaming (out))[1356]: 192.168.204.40 -> 192.168.204.1 (TCP) len=1356
id=37576
TCP: 22 -> 51702 ...PA. seq=34e2b3d5 ack=e6c995ce
[vs_0][fw_1] eth0:OQ10 (TCP streaming post VM)[1356]: 192.168.204.40 -> 192.168.204.1 (TCP) len=1356
id=37576
TCP: 22 -> 51702 ...PA. seq=34e2b3d5 ack=e6c995ce
[vs_0][fw_1] eth0:iq2 (IP Options Strip (in))[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=32023
TCP: 51702 -> 22 ....A. seq=e6c995ce ack=34e2b8f9
[vs_0][fw_1] eth0:IQ13 (TCP streaming (in))[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=32023
TCP: 51702 -> 22 ....A. seq=e6c995ce ack=34e2b8f9
[vs_0][fw_1] eth0:oq1 (TCP streaming (out))[1356]: 192.168.204.40 -> 192.168.204.1 (TCP) len=1356
id=37577
TCP: 22 -> 51702 ...PA. seq=34e2b8f9 ack=e6c995ce
[vs_0][fw_1] eth0:OQ10 (TCP streaming post VM)[1356]: 192.168.204.40 -> 192.168.204.1 (TCP) len=1356
id=37577
TCP: 22 -> 51702 ...PA. seq=34e2b8f9 ack=e6c995ce
[vs_0][fw_1] eth0:oq1 (TCP streaming (out))[412]: 192.168.204.40 -> 192.168.204.1 (TCP) len=412
id=37578
TCP: 22 -> 51702 ...PA. seq=34e2be1d ack=e6c995ce
[vs_0][fw_1] eth0:OQ10 (TCP streaming post VM)[412]: 192.168.204.40 -> 192.168.204.1 (TCP) len=412
id=37578
TCP: 22 -> 51702 ...PA. seq=34e2be1d ack=e6c995ce
[vs_0][fw_1] eth0:iq2 (IP Options Strip (in))[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=32024
TCP: 51702 -> 22 ....A. seq=e6c995ce ack=34e2bf91
[vs_0][fw_1] eth0:IQ13 (TCP streaming (in))[40]: 192.168.204.1 -> 192.168.204.40 (TCP) len=40 id=32024
TCP: 51702 -> 22 ....A. seq=e6c995ce ack=34e2bf91
[vs_0][fw_1] eth0:oq1 (TCP streaming (out))[716]: 192.168.204.40 -> 192.168.204.1 (TCP) len=716
id=37579
TCP: 22 -> 51702 ...PA. seq=34e2bf91 ack=e6c995ce
[vs_0][fw_1] eth0:OQ10 (TCP streaming post VM)[716]: 192.168.204.40 -> 192.168.204.1 (TCP) len=716
id=37579
TCP: 22 -> 51702 ...PA. seq=34e2bf91 ack=e6c995ce
monitor: unloading
Read 3 inbound packets and 5 outbound packets
[Expert@MyGW:0]#

[Expert@MyGW:0]# fw monitor -T
monitor: getting filter (from command line)
monitor: compiling
monitorfilter:
Compiled OK.
monitor: loading
monitor: monitoring (control-C to stop)
[vs_0][fw_1] 12Sep2018 19:08:05.453947 eth0:oq[124]: 192.168.3.53 -> 172.20.168.16 (TCP) len=124
id=38414
TCP: 22 -> 64424 ...PA. seq=1c23924a ack=3c951092
[vs_0][fw_1] 12Sep2018 19:08:05.453960 eth0:OQ[124]: 192.168.3.53 -> 172.20.168.16 (TCP) len=124
id=38414
TCP: 22 -> 64424 ...PA. seq=1c23924a ack=3c951092
[vs_0][fw_1] 12Sep2018 19:08:05.454059 eth0:oq[252]: 192.168.3.53 -> 172.20.168.16 (TCP) len=252
id=38415
TCP: 22 -> 64424 ...PA. seq=1c23929e ack=3c951092
[vs_0][fw_1] 12Sep2018 19:08:05.454064 eth0:OQ[252]: 192.168.3.53 -> 172.20.168.16 (TCP) len=252
id=38415
TCP: 22 -> 64424 ...PA. seq=1c23929e ack=3c951092
[vs_0][fw_1] 12Sep2018 19:08:05.454072 eth0:oq[252]: 192.168.3.53 -> 172.20.168.16 (TCP) len=252
id=38416
TCP: 22 -> 64424 ...PA. seq=1c239372 ack=3c951092
[vs_0][fw_1] 12Sep2018 19:08:05.454074 eth0:OQ[252]: 192.168.3.53 -> 172.20.168.16 (TCP) len=252
id=38416
TCP: 22 -> 64424 ...PA. seq=1c239372 ack=3c951092
[vs_0][fw_1] 12Sep2018 19:08:05.463165 eth0:iq[40]: 172.20.168.16 -> 192.168.3.53 (TCP) len=40 id=17398
TCP: 64424 -> 22 ....A. seq=3c951092 ack=1c239446
[vs_0][fw_1] 12Sep2018 19:08:05.463177 eth0:IQ[40]: 172.20.168.16 -> 192.168.3.53 (TCP) len=40 id=17398
TCP: 64424 -> 22 ....A. seq=3c951092 ack=1c239446
monitor: unloading
[Expert@MyGW:0]#

[Expert@MyGW:0]# fw ctl chain

in chain (17):
0: -7fffffff (0000000000000000) (00000000) SecureXL inbound (sxl_in)
1: -7ffffffe (0000000000000000) (00000000) SecureXL inbound CT (sxl_ct)
2: -7f800000 (ffffffff8b6718c0) (ffffffff) IP Options Strip (in) (ipopt_strip)
3: -70000000 (ffffffff8b6774d0) (ffffffff) fwmonitor (i/f side)
4: - 1fffff8 (ffffffff8b66f6f0) (00000001) Stateless verifications (in) (asm)
5: - 1fffff7 (ffffffff8b66f210) (00000001) fw multik misc proto forwarding
6: 0 (ffffffff8b8506a0) (00000001) fw VM inbound (fw)
7: 2 (ffffffff8b671d10) (00000001) fw SCV inbound (scv)
8: 4 (ffffffff8b061ed0) (00000003) QoS inbound offload chain module
9: 5 (ffffffff8b564d30) (00000003) fw offload inbound (offload_in)
10: 10 (ffffffff8b842710) (00000001) fw post VM inbound (post_vm)
11: 100000 (ffffffff8b7fd6c0) (00000001) fw accounting inbound (acct)
12: 22000000 (ffffffff8b0638d0) (00000003) QoS slowpath inbound chain mod (fg_sched)
13: 70000000 (ffffffff8b6774d0) (ffffffff) fwmonitor (IP side)
14: 7f730000 (ffffffff8b3c40b0) (00000001) passive streaming (in) (pass_str)
15: 7f750000 (ffffffff8b0e5b40) (00000001) TCP streaming (in) (cpas)
16: 7f800000 (ffffffff8b671870) (ffffffff) IP Options Restore (in) (ipopt_res)
out chain (16):
0: -7f800000 (ffffffff8b6718c0) (ffffffff) IP Options Strip (out) (ipopt_strip)
1: -70000000 (ffffffff8b6774d0) (ffffffff) fwmonitor (i/f side)
2: - 1fffff0 (ffffffff8b0d0190) (00000001) TCP streaming (out) (cpas)
3: - 1ffff50 (ffffffff8b3c40b0) (00000001) passive streaming (out) (pass_str)
4: - 1f00000 (ffffffff8b66f6f0) (00000001) Stateless verifications (out) (asm)
5: - 1ff (ffffffff8aeec0a0) (00000001) NAC Packet Outbound (nac_tag)
6: 0 (ffffffff8b8506a0) (00000001) fw VM outbound (fw)
7: 10 (ffffffff8b842710) (00000001) fw post VM outbound (post_vm)
8: 15000000 (ffffffff8b062540) (00000003) QoS outbound offload chain modul (fg_pol)
9: 21000000 (ffffffff8b0638d0) (00000003) QoS slowpath outbound chain mod (fg_sched)
10: 70000000 (ffffffff8b6774d0) (ffffffff) fwmonitor (IP side)
11: 7f000000 (ffffffff8b7fd6c0) (00000001) fw accounting outbound (acct)
12: 7f700000 (ffffffff8b0e4660) (00000001) TCP streaming post VM (cpas)
13: 7f800000 (ffffffff8b671870) (ffffffff) IP Options Restore (out) (ipopt_res)
14: 7f900000 (0000000000000000) (00000000) SecureXL outbound (sxl_out)
15: 7fa00000 (0000000000000000) (00000000) SecureXL deliver (sxl_deliver)
[Expert@MyGW:0]#
$FWDIR/log/*.log *.logptr
*.logaccount_ptr
*.loginitial_ptr
*.logLuuidDB
$FWDIR/log/*.adtlog *.adtlogptr
*.adtlogaccount_ptr
*.adtloginitial_ptr
*.adtlogLuuidDB

fw repairlog [-u] <Name of Log File>

-u

< >

fw repairlog -u 2018-06-17_000000.adtlog

 fw sam

 fw sam_policy sam_alert


 fw sam
$FWDIR/log/sam.dat

<type>,<actions>,<expire>,<ipaddr>
<type>,<actions>,<expire>,<src>,<dst>,<dport>,<ip_p>


sam_blocked_ips



[Expert@HostName:0]# fw [-d] sam [-v] [-s <SAM Server>] [-S <SIC Name of SAM Server>]
[-f <Security Gateway>] [-r] -M -{i|j|n|b|q} all


[Expert@HostName:0]# fw [-d] sam [-v] [-s <SAM Server>] [-S <SIC Name of SAM Server>]
[-f <Security Gateway>] [-r] -M -{i|j|n|b|q} <Criteria>

-d

-v

-s < >

localhost
-S <
>


-f <
> < >



fw sam

-D -i -j -I -J -n

 fw sam
-C -D

-C fw sam


fw sam -t <Timeout>

-t < >
fw sam
-l < >
 nolog
 short_noalert
 short_alert
 long_noalert
 long_alert
-e < >+

 name
 comment
 originator
-r
-n


-i



-I



-j



-J



-b
-q
-M
all

< >







 src < >

src < >

dst <IP>

any < >

subsrc < > < >

subdst < > < >

subany < > < >

srv < > < > < >

< >
subsrv < >< ><
> < > < > < >

subsrvs < > < >

< > < > < >
subsrvd < > < > <
> < > < >
dstsrv < > < >
< >
subdstsrv < > < >
< > < >

srcpr < > < >

dstpr < > < >
subsrcpr < > < >
< >

subdstpr < > < >

< >
generic < >+

 service=gtp
 imsi
 msisdn
 apn
 tunl_dst
 tunl_dport
 tunl_proto


 fw sam
 sam_alert

 fw sam_policy fw samp

$FWDIR/database/sam_policy.db
 $FWDIR/database/sam_policy.mng






set virtual-system < >
vsenv < >


fw [-d] sam_policy
add <options>
batch
del <options>
get <options>
fw [-d] samp
add <options>
batch
del <options>
get <options>

fw6 [-d] sam_policy

add <options>
batch
del <options>
get <options>
fw6 [-d] samp
add <options>
batch
del <options>
get <options>

-d

add < >

batch
del < >

get < >

fw sam_policy add fw6 sam_policy add



 fw sam_policy add fw samp

add

$FWDIR/database/sam_policy.db
 $FWDIR/database/sam_policy.mng






set virtual-system < >
vsenv < >


fw [-d] sam_policy add [-u] -a {d|n|b} [-l {r|a}] [-t <Timeout>] [-f <Target>] [-n
<"Rule Name">] [-c <"Rule Comment">] [-o <"Rule Originator">] [-z <"Zone">]
ip <IP Filter Arguments>
quota <Quota Filter Arguments>

fw6 [-d] sam_policy add [-u] -a {d|n|b} [-l {r|a}] [-t <Timeout>] [-f <Target>]
[-n <"Rule Name">] [-c <"Rule Comment">] [-o <"Rule Originator">] [-z <"Zone">]
ip <IP Filter Arguments>
quota <Quota Filter Arg
-d

script
-u
User-defined
Auto
-a {d | n | b}

 d
 n

 b

-l {r | a}

 -r
 -a
-t < >

-f < >

< >
 all


-n "< >"

"This\ is\ a\ rule\ name\ with\ a\ backslash\ \\"

-c "< >"

"This\ is\ a\ comment\ with\ a\ backslash\ \\"

-o "< >"

"Created\ by\ John\ Doe"

-z "< >"

ip < > ip quota

[-C] [-s < >] [-m < >] [-d <

>] [-M < >] [-p < >] [-r < >]
quota < quota ip
>

 [flush true]
 [source-negated {true | false}] source < >
 [destination-negated {true | false}]
destination < >
 [service-negated {true | false}] service
< >
 [< >< >] [< ><
>] ...[< > < >]
 [track < >]

flush true fw samp add

-C

-s < >
-m < >

-d < >
-M < >

-p < >

-r < >

flush true
[source-negated {true |
false}] source < >
 any

 range:< >

range:< >-< >



 cidr:< >/< >



 cc:< >

 asn:< >

 source-negated false
 source-negated true
[destination-negated {true |
false}] destination
< >  any

 range:< >

range:< >-< >



 cidr:< >/< >



 cc:< >

 asn:< >

 destination-negated false
 destination-negated true
[service-negated {true |
false}] service <
>

 < >

 < >-< >

 < >/< >

 < >/< >-< >

 service-negated false
 service-negated true
[< > < >]
[< > < >]
...
[< > < >]  concurrent-conns < >

 concurrent-conns-ratio < >

N / 65536
 pkt-rate < >

 pkt-rate-ratio < >

N / 65536
 byte-rate < >

 byte-rate-ratio < >

N / 65536
 new-conn-rate < >

 new-conn-rate-ratio < >

N / 65536
[track < >]
 source

 source-service
fw sam_policy add -a d -l r -t 3600 quota service any source
range:172.16.7.11-172.16.7.13 new-conn-rate 5 flush true

 -a d

 -l r
 -t 3600

new-conn-rate 5 service any
source range:172.16.7.11-172.16.7.13

flush true

fw sam_policy add -a n -l r quota service 1,50-51,6/443,17/53 service-negated true

source cc:QQ byte-rate 0

 -a n
 timeout

 service-negated true
service
1,50-51,6/443,17/53

cc:QQ
 byte-rate 0


flush true

fw sam_policy -a d quota source asn:AS64500,cidr:[::FFFF:C0A8:1100]/120 service

any pkt-rate 0

 -a d
 timeout


asn:AS64500

cidr:[::FFFF:C0A8:1100]/120
 service any
 pkt-rate 0

flush true

fw sam_policy add -a b quota source range:172.16.8.17-172.16.9.121 service 6/80

 -a b

 timeout


range:172.16.8.17-172.16.9.121
 service 6/80

flush true

fw sam_policy add -a d quota service any source-negated true source cc:QQ

concurrent-conns-ratio 655 track source

 -a d
 -l r
 timeout

 service any
 source-negated true
cc:QQ

concurrent-conns-ratio 655 service any
service-negated true
cc:QQ



flush true
fw sam_policy batch fw6 sam_policy batch



 fw sam_policy batch fw samp

batch

$FWDIR/database/sam_policy.db
 $FWDIR/database/sam_policy.mng






set virtual-system < >
vsenv < >


fw sam_policy batch << EOF

fw6 sam_policy batch << EOF

 add del

add del fw samp

 fw sam_policy
add fw6 sam_policy add

EOF

fw samp batch <<EOF

add -a d -l r -t 3600 -c "Limit\ conn\ rate\ to\ 5\ conn/sec from\ these\ sources"
quota service any source range:172.16.7.13-172.16.7.13 new-conn-rate 5

del <501f6ef0,00000000,cb38a8c0,0a0afffe>

add -a b quota source range:172.16.8.17-172.16.9.121 service 6/80

EOF
fw sam_policy del fw6 sam_policy del



 fw sam_policy del add fw

samp del

$FWDIR/database/sam_policy.db
 $FWDIR/database/sam_policy.mng






set virtual-system < >
vsenv < >


fw [-d] sam_policy del '<Rule UID>'

fw6 [-d] sam_policy del '<Rule UID>'

-d fw

script
'< >'

 '<...>'
 fw sam_policy get fw6
sam_policy get

fw sam_policy get
fw6 sam_policy get

operation=add uid=< , , , > target=... timeout=...

action=... log= ... name= ... comment=... originator= ...
src_ip_addr=... req_tpe=...

operation=add uid=<5ac3965f,00000000,3403a8c0,0000264a> target=all

timeout=300 action=notify log=log name=Test\ Rule comment=Notify\
about\ traffic\ from\ 1.1.1.1 originator=John\ Doe
src_ip_addr=1.1.1.1 req_tpe=ip

fw [-d] sam_policy del '< >'

fw6 [-d] sam_policy del '< >'

fw samp del '<5ac3965f,00000000,3403a8c0,0000264a>'

fw samp add -t 2 quota flush true

fw6 samp add -t 2 quota flush true

fw samp del fw6 samp del

fw sam_policy get fw6 sam_policy get



 fw sam_policy get add fw

samp get

$FWDIR/database/sam_policy.db
 $FWDIR/database/sam_policy.mng



set virtual-system < >
vsenv < >


fw [-d] sam_policy get [-l] [-u '<Rule UID>'] [-k '<Key>' -t <Type> [+{-v '<Value>'}]
[-n]]

fw6 [-d] sam_policy get [-l] [-u '<Rule UID>'] [-k '<Key>' -t <Type> [+{-v
'<Value>'}] [-n]]

-d
-l

 -l


-u '< >'

-k '

-t
-t in
+{-v '< >'}

-n
 -k
 -t
 +-v

[Expert@GW:0]# fw samp get

operation=add uid=<5ac3965f,00000000,3403a8c0,0000264a> target=all timeout=300

action=notify log=log name=Test\ Rule comment=Notify\ about\ traffic\ from\
1.1.1.1 originator=John\ Doe src_ip_addr=1.1.1.1 req_tpe=ip

[Expert@GW:0]# fw samp get -l

uid
<5ac3965f,00000000,3403a8c0,0000264a>
target
all
timeout
2147483647
action
notify
log
log
name
Test\ Rule
comment
Notify\ about\ traffic\ from\ 1.1.1.1
originator
John\ Doe
src_ip_addr
1.1.1.1
req_type
ip
[Expert@GW:0]# fw samp get -u '<5ac3965f,00000000,3403a8c0,0000264a>'
0
operation=add uid=<5ac3965f,00000000,3403a8c0,0000264a> target=all timeout=300
action=notify log=log name=Test\ Rule comment=Notify\ about\ traffic\ from\
1.1.1.1 originator=John\ Doe src_ip_addr=1.1.1.1 req_tpe=ip

[Expert@MyGW:0]# fw samp get

no corresponding SAM policy requests
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw samp add -a d -l r -t 3600 quota service any source range:172.16.7.11-172.16.7.13
new-conn-rate 5 flush true
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw samp add -a n -l r quota service 1,50-51,6/443,17/53 service-negated true source
cc:QQ byte-rate 0
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw samp add -a b quota source range:172.16.8.17-172.16.9.121 service 6/80
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw samp add -a d quota service any source-negated true source cc:QQ
concurrent-conns-ratio 655 track source
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw samp get
operation=add uid=<5bab3acf,00000000,3503a8c0,00003ddc> target=all timeout=indefinite action=drop
service=any source-negated=true source=cc:QQ concurrent-conns-ratio=655 track=source req_type=quota
operation=add uid=<5bab3ac6,00000000,3503a8c0,00003dbf> target=all timeout=3586 action=drop log=log
service=any source=range:172.16.7.11-172.16.7.13 new-conn-rate=5 flush=true req_type=quota
operation=add uid=<5bab3acc,00000000,3503a8c0,00003dd7> target=all timeout=indefinite action=bypass
source=range:172.16.8.17-172.16.9.121 service=6/80 req_type=quota
operation=add uid=<5bab3ac9,00000000,3503a8c0,00003dd5> target=all timeout=indefinite action=notify
log=log service=1,50-51,6/443,17/53 service-negated=true source=cc:QQ byte-rate=0 req_type=quota
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw samp get -k 'service' -t in -v '6/80'
operation=add uid=<5bab3acc,00000000,3503a8c0,00003dd7> target=all timeout=indefinite action=bypass
source=range:172.16.8.17-172.16.9.121 service=6/80 req_type=quota
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw samp get -k 'service-negated' -t in -v 'true'
operation=add uid=<5bab3ac9,00000000,3503a8c0,00003dd5> target=all timeout=indefinite action=notify
log=log service=1,50-51,6/443,17/53 service-negated=true source=cc:QQ byte-rate=0 req_type=quota
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw samp get -k 'source' -t in -v 'cc:QQ'
operation=add uid=<5bab3acf,00000000,3503a8c0,00003ddc> target=all timeout=indefinite action=drop
service=any source-negated=true source=cc:QQ concurrent-conns-ratio=655 track=source req_type=quota
operation=add uid=<5bab3ac9,00000000,3503a8c0,00003dd5> target=all timeout=indefinite action=notify
log=log service=1,50-51,6/443,17/53 service-negated=true source=cc:QQ byte-rate=0 req_type=quota
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw samp get -k source -t in -v 'cc:QQ' -n
operation=add uid=<5bab3ac6,00000000,3503a8c0,00003dbf> target=all timeout=3291 action=drop log=log
service=any source=range:172.16.7.11-172.16.7.13 new-conn-rate=5 flush=true req_type=quota
operation=add uid=<5bab3acc,00000000,3503a8c0,00003dd7> target=all timeout=indefinite action=bypass
source=range:172.16.8.17-172.16.9.121 service=6/80 req_type=quota
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw samp get -k 'source-negated' -t in -v 'true'
operation=add uid=<5baa94e0,00000000,860318ac,00003016> target=all timeout=indefinite action=drop
service=any source-negated=true source=cc:QQ concurrent-conns-ratio=655 track=source req_type=quota
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw samp get -k 'byte-rate' -t in -v '0'
operation=add uid=<5baa9431,00000000,860318ac,00002efd> target=all timeout=indefinite action=notify
log=log service=1,50-51,6/443,17/53 service-negated=true source=cc:QQ byte-rate=0 req_type=quota
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw samp get -k 'flush' -t in -v 'true'
operation=add uid=<5baa9422,00000000,860318ac,00002eea> target=all timeout=2841 action=drop log=log
service=any source=range:172.16.7.11-172.16.7.13 new-conn-rate=5 flush=true req_type=quota
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw samp get -k 'concurrent-conns-ratio' -t in -v '655'
operation=add uid=<5baa94e0,00000000,860318ac,00003016> target=all timeout=indefinite action=drop
service=any source-negated=true source=cc:QQ concurrent-conns-ratio=655 track=source req_type=quota
[Expert@MyGW:0]#
fw [-d] showuptables
[-h]
[-i]

-d

-h
-i

[Expert@MyGW:0]# fw showuptables
Error: table up_0_day_in_month_intvl was not found
Error: table up_0_day_in_week_intvl was not found
Error: table up_0_month_intvl was not found
Error: table up_0_time_of_day_intvl was not found
Error: table up_0_time_period_intvl was not found
Error: table sslIns_rb_src_uuid_list was not found
Error: table sslIns_rb_dst_negate_uuid_list was not found
Error: table sslIns_rb_src_negate_uuid_list was not found
Error: table sslIns_rb_dst_uuid_list was not found

********************
Printing UP Tables
********************

----- LAYER Network -----

_____________________________
up_0_src_identity_intvl
9105

<FROM_ADDRESS ,TO_ADDRESS : RULES ,INDEX >

_____________________________
up_0_compound_clob_lists
9112

<INDEX : COMPOUND_CLOB >

<1 : [270000164] >
<2 : [270000164] [270000165] [270000166] >
<3 : [270000165] >
<4 : [270000166] >

_____________________________
up_0_negate_compound
9116

<COLUMN_ID : COMPOUND_CLOB_PTR >

_____________________________
up_0_clob_id_to_rnum
9110

<COLUMN_ID ,CLOB_TYPE ,UUID : RULES >

_____________________________
up_0_rule_to_clob_uuid
9119

<RULE_NUMBER ,COLUMN_ID ,CLOB_TYPE : CLOB_LIST >

<1 ,Service Application ,27 : [1017e024-00000000-00000000-00000000]
[1017e025-00000000-00000000-00000000] [1017e026-00000000-00000000-00000000] >
<1 ,Service ,4 : [97aeb414-9aea11d5-bd160090-272ccb30] [97aeb415-9aea11d5-bd160090-272ccb30]
[97aeb416-9aea11d5-bd160090-272ccb30] >

_____________________________
up_0_n_clob_id_to_rnum
9111

<COLUMN_ID ,CLOB_TYPE ,UUID : RULES >

_____________________________
up_0_columns_utility
9109

<COLUMNS_ID : IS_ANY ,ANY_BUF ,NEGATE_BUF >

_____________________________
up_0_compound_to_clob_mask
9117

<COLUMN_ID ,CLOB_TYPE ,COMPOUND_ID : CLOB_TYPE_BITMASK ,CLOB_TYPE_BITMASK ,IS_NEGATE_SERVICE >

_____________________________
up_0_clob_lists
9118

<KEY : CLOB_LIST >

<1 : [97aeb414-9aea11d5-bd160090-272ccb30] [97aeb415-9aea11d5-bd160090-272ccb30]
[97aeb416-9aea11d5-bd160090-272ccb30] >
<2 : [1017e024-00000000-00000000-00000000] [1017e025-00000000-00000000-00000000]
[1017e026-00000000-00000000-00000000] >

_____________________________
up_0_n_simple_to_compound
9114

<COLUMN_ID ,CLOB_TYPE ,UUID : COMPOUND_CLOB_PTR >

_____________________________
up_0_any_compound
9115

<COLUMN_ID : COMPOUND_CLOB_PTR >

_____________________________
up_0_dst_ip_intvl
9102

<FROM_ADDRESS ,TO_ADDRESS : RULES ,INDEX >

<0.0.0.0 ,255.255.255.255 : [1 - 2] [16777215 - 16777215] ,0 >

_____________________________
up_0_clob_type_scheme
9108

<RULE : ACTIVE_MASK ,ACTIVE_MASK ,REQUIRED_4_MATCH ,REQUIRED_4_MATCH >

<1 : 08000010 ,00000000 ,08000010 ,00000000 >
<2 : 00000000 ,00000000 ,00000000 ,00000000 >
<16777215 : 00000000 ,00000000 ,00000000 ,00000000 >

_____________________________
up_0_dst_zone
9104

<INTERNET ,INTERNET : RULES ,INDEX >

_____________________________
up_0_rnum_lists
9106

<INDEX : RULES >

<52 : [1 - 2] [16777215 - 16777215] >
<53 : [1 - 1] >

_____________________________
up_0_action_track
9107

<RULE_NUMBER : MATCH_ACTION ,APPLY_LAYER_ID ,REDIRECT ,TRACK ,TRACK_CODE ,IS_LIMIT

,ADDITIONAL_SETTINGS ,IS_ACCT_ON ,IS_LOG_PER_SESSION ,IS_LOG_PER_CONNECTION >
<1 : Drop ,4294967295 ,False ,False ,0 ,False ,0 ,False ,False ,False ,[] >
<2 : Accept ,4294967295 ,False ,False ,0 ,False ,0 ,False ,False ,False ,[] >
<16777215 : Drop ,4294967295 ,False ,False ,0 ,False ,0 ,False ,False ,False ,[] >

_____________________________
up_0_src_ip_intvl
9101

<FROM_ADDRESS ,TO_ADDRESS : RULES ,INDEX >

<0.0.0.0 ,255.255.255.255 : [1 - 2] [16777215 - 16777215] ,0 >

_____________________________
up_0_src_zone
9103

<INTERNET ,INTERNET : RULES ,INDEX >

_____________________________
up_0_simple_to_compound
9113

<COLUMN_ID ,CLOB_TYPE ,UUID : COMPOUND_CLOB_PTR >

----- GENERAL TABLES -----

_____________________________
ip_range_to_dynobj2
9142

<FROM_ADDRESS ,TO_ADDRESS : INDEX >

_____________________________
dynobj_to_ip_ranges2
9145

<UUID : RANGES >

_____________________________
dynobj_to_ip_ranges1
9141

<UUID : RANGES >

_____________________________
unresolved_dynobjs2
9144

<UUID : IS_IN_ACCESS_RULEBASE ,DYNOBJ_TYPE >

_____________________________
unresolved_dynobjs1
9139

<UUID : IS_IN_ACCESS_RULEBASE ,DYNOBJ_TYPE >

<5e414bec-4a61-4675-a980-4841a1f5a0be : False ,0 >
<8a883654-cdd4-45a8-b079-d4e476a70ad6 : False ,0 >
<97aeb36b-9aea-11d5-bd16-0090272ccb30 : False ,0 >
<cac127fb-24f5-4079-9404-be5c00d11393 : False ,0 >
<d67128b1-bdba-4724-93e8-336e45853b0a : False ,0 >
<fe9b9103-f1c0-499e-985a-d15ccc7ebaab : False ,0 >

_____________________________
ip_range_to_dynobj1
9138

<FROM_ADDRESS ,TO_ADDRESS : INDEX >

_____________________________
sslIns_rb_dst_intvl_list
529

<FROM_ADDRESS ,TO_ADDRESS : RULES ,INDEX >

_____________________________
ip_range_to_dynobj_kbufs1
9140

<INDEX : CLOB_LIST >

_____________________________
ip_range_to_dynobj_kbufs2
9143

<INDEX : CLOB_LIST >

_____________________________
sslIns_rb_src_intvl_list
528

<FROM_ADDRESS ,TO_ADDRESS : RULES ,INDEX >

<0.0.0.0 ,255.255.255.255 : [1 - 1] ,0 >

[Expert@MyGW:0]#




cpstat

fw [-d] stat [-l | -s] [<Name of Object>]

-d

-l

 Total

 Reject

 Drop

 Accept

 Log

-s

< >
[Expert@MyGW:0]# fw stat
HOST POLICY DATE
localhost MyGW_Policy 10Sep2018 14:01:25 : [>eth0] [<eth0] [>eth1]
[Expert@MyGW:0]#

[Expert@MyGW:0]# fw stat -s
HOST IF POLICY DATE
localhost >eth0 MyGW_Policy 10Sep2018 14:01:25 :
localhost <eth0 MyGW_Policy 10Sep2018 14:01:25 :
localhost >eth1 MyGW_Policy 10Sep2018 14:01:25 :
[Expert@MyGW:0]#

[Expert@MyGW:0]# fw stat -l
HOST IF POLICY DATE TOTAL REJECT DROP
ACCEPT LOG
localhost >eth0 MyGW_Policy 10Sep2018 14:01:25 : 14377 0 316
14061 1
localhost <eth0 MyGW_Policy 10Sep2018 14:01:25 : 60996 0 0
60996 0
localhost >eth1 MyGW_Policy 10Sep2018 14:01:25 : 304 0 304
0 0
[Expert@MyGW:0]#

[Expert@MGMY:0]# fw stat -l MyGW

HOST IF POLICY DATE TOTAL REJECT DROP
ACCEPT LOG
MyGW >eth0 MyGW_Policy 12Sep2018 16:34:56 : 120113 0 0
120113 0
MyGW <eth0 MyGW_Policy 12Sep2018 16:34:56 : 10807 0 0
10807 0
MyGW >eth2 MyGW_Policy 12Sep2018 16:34:56 : 3 0 0
3 0
MyGW <eth2 MyGW_Policy 12Sep2018 16:34:56 : 3 0 0
3 0
[Expert@MGMT:0]#
 fw tab -t connections -f

 fw ctl conntab

fw [-d]
{-h | -help}
[-v] [-t <Table>] [-c | -s] [-f] [-o <Output File>] [-r] [-u | -m <Limit>]
[-a -e <Entry>] [ -x [-e <Entry>]] [-y] [<Name of Object>]

-d

{-h | -help}

-t < >
fw tab
-s

fw tab -s > /tmp/output.txt

-a -e < >
expire
-a -e < >

-c

-e < >
-f




-o < >

fw log

-m < >

-r
-s
-u

-v

-x [-e < >]

-y

-a -x
< >

localhost

[Expert@MyGW:0]# fw tab -s
HOST NAME ID #VALS #PEAK #SLINKS
localhost vsx_firewalled 0 1 1 0
localhost firewalled_list 1 2 2 0
localhost external_firewalled_list 2 0 0 0
localhost management_list 3 2 2 0
localhost external_management_list 4 0 0 0
localhost log_server_list 5 0 0 0
localhost ips1_sensors_list 6 0 0 0
localhost all_tcp_services 7 141 141 0
localhost tcp_services 8 1 1 0
... ...
localhost connections 8158 2 56 2
... ...
localhost up_251_rule_to_clob_uuid 14083 0 0 0
... ...
localhost urlf_cache_tbl 29 0 0 0
localhost proxy_outbound_conn_tbl 30 0 0 0
localhost dns_cache_tbl 31 0 0 0
localhost appi_referrer_table 32 0 0 0
localhost uc_hits_htab 33 0 0 0
localhost uc_cache_htab 34 0 0 0
localhost uc_incident_to_instance_htab 35 0 0 0
localhost fwx_cntl_dyn_ghtab 36 0 0 0
localhost frag_table 37 0 0 0
localhost dos_blacklist_notifs 38 0 0 0
[Expert@MyGW:0]#

[Expert@MyGW:0]# fw tab -t connections

localhost:
-------- connections --------
dynamic, id 8158, num ents 0, load factor 0.0, attributes: keep, sync, aggressive aging, kbufs 21 22
23 24 25 26 27 28 29 30 31 32 33 34, expires 25, refresh, , hashsize 2097152, unlimited
<00000000, c0a8cc01, 0000d28d, c0a8cc28, 00000016, 00000006; 0001c001, 00044000, 00000002, 000001e1,
00000000, 5b9687cd, 00000000, 28cca8c0, c0000001, 00000001, 00000001, ffffffff, ffffffff, 02007800,
000f9000, 00000080, 00000000, 00000000, 38edac90, ffffc200, 00000000, 00000000, 00000000, 00000000,
00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000;
1996/3600>
<00000001, c0a8cc28, 00000016, c0a8cc01, 0000d28d, 00000006> -> <00000000, c0a8cc01, 0000d28d,
c0a8cc28, 00000016, 00000006> (00000805)
<00000000, c0a8cc01, 0000c9f6, c0a8cc28, 00000016, 00000006; 0001c001, 00044000, 00000002, 000001e1,
00000000, 5b9679de, 00000000, 28cca8c0, c0000001, 00000001, 00000001, ffffffff, ffffffff, 02007800,
000f9000, 00000080, 00000000, 00000000, 38edaa98, ffffc200, 00000000, 00000000, 00000000, 00000000,
00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000;
3597/3600>
<00000001, c0a8cc28, 00000016, c0a8cc01, 0000c9f6, 00000006> -> <00000000, c0a8cc01, 0000c9f6,
c0a8cc28, 00000016, 00000006> (00000805)
[Expert@MyGW:0]#

[Expert@MyGW:0]# fw tab -t connections -f

Using cptfmt
Formatting table's data - this might take a while...

localhost:
Date: Sep 10, 2018
20:30:48 5 N/A N/A 192.168.204.40 > N/A LogId: <max_null>; ContextNum: <max_null>;
OriginSicName: cn=cp_mgmt,o=MyGW..44jkyv; : (+)====================================(+); Table_Name:
connections; : (+); Attributes: dynamic, id 8158, attributes: keep, sync, aggressive aging, kbufs 21
22 23 24 25 26 27 28 29 30 31 32 33 34, expires 25, refresh, , hashsize 2097152, unlimited; LastUpdateTime:
10Sep2018 20:30:48; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;

20:30:48 5 N/A N/A 192.168.204.40 > N/A LogId: <max_null>; ContextNum: <max_null>;
OriginSicName: cn=cp_mgmt,o=MyGW..44jkyv; : -----------------------------------(+); Direction: 1;
Source: 192.168.204.40; SPort: 22; Dest: 192.168.204.1; DPort: 53901; Protocol: tcp; CPTFMT_sep_1: ->;
Direction_1: 0; Source_1: 192.168.204.1; SPort_1: 53901; Dest_1: 192.168.204.40; DPort_1: 22;
Protocol_1: tcp; FW_symval: 2053; LastUpdateTime: 10Sep2018 20:30:48; ProductName: VPN-1 & FireWall-1;
ProductFamily: Network;
20:30:48 5 N/A N/A 192.168.204.40 > N/A LogId: <max_null>; ContextNum: <max_null>;
OriginSicName: cn=cp_mgmt,o=MyGW..44jkyv; : -----------------------------------(+); Direction: 0;
Source: 192.168.204.1; SPort: 51702; Dest: 192.168.204.40; DPort: 22; Protocol: tcp; CPTFMT_sep: ;;
Type: 114689; Rule: 2; Timeout: 481; Handler: 0; Ifncin: 1; Ifncout: 1; Ifnsin: -1; Ifnsout: -1; Bits:
02007800000f9000; Expires: 3600/3600; LastUpdateTime: 10Sep2018 20:30:48; ProductName: VPN-1 &
FireWall-1; ProductFamily: Network;

[Expert@MyGW:0]# fw tab -t connections -m 2

[Expert@MyGW:0]# fw tab -t 8158 -v

localhost:
-------- connections --------
dynamic, id 8158, num ents 6, load factor 0.0, attributes: keep, sync, aggressive aging, kbufs 21 22
23 24 25 26 27 28 29 30 31 32 33 34, expires 25, refresh, , hashsize 2097152, unlimited
[fw_0] <00000001, c0a80335, 00004710, c0a803f0, 00008652, 00000006> -> <00000000, c0a803f0, 00008652,
c0a80335, 00004710, 00000006> (00000805)
[fw_0] <00000001, c0a80335, 00008adf, c0a803f0, 0000470f, 00000006; 0002d001, 00046000, 10000000,
0000000e, 00000000, 5b9a4129, 00030000, 3503a8c0, c0000000, ffffffff, ffffffff, 00000001, 00000001,
00000800, 00000000, 80008080, 00000000, 00000000, 338ea330, ffffc200, 00000000, 00000000, 00000000,
00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000,
00000000; 3162/3600>
[fw_0] <00000000, c0a803f0, 00008652, c0a80335, 00004710, 00000006; 0001c001, 00044000, 12000000,
0000000f, 00000000, 5b8fed6a, 00030001, 3503a8c0, c0000000, 00000001, 00000001, ffffffff, ffffffff,
00000800, 08000000, 00000080, 00000000, 00000000, 337b0978, ffffc200, 00000000, 00000000, 00000000,
00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000,
00000000; 3599/3600>
[fw_0] <00000000, c0a803f0, 0000470f, c0a80335, 00008adf, 00000006> -> <00000001, c0a80335, 00008adf,
c0a803f0, 0000470f, 00000006> (00000806)
[fw_0] <00000001, c0a80334, 00004710, c0a803f0, 0000a659, 00000006> -> <00000000, c0a803f0, 0000a659,
c0a80334, 00004710, 00000006> (00000805)
[fw_0] <00000000, c0a803f0, 0000a659, c0a80334, 00004710, 00000006; 0001c001, 00044100, 12000000,
0000000f, 00000000, 5b8feabb, 0000007a, 3403a8c0, c0000000, ffffffff, ffffffff, ffffffff, ffffffff,
00000000, 10000000, 04000080, 00000000, 00000000, 3364aed0, ffffc200, 00000000, 00000000, 00000000,
00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000,
00000000; 3484/3600>
[fw_1] <00000001, c0a80334, 00004710, c0a803f0, 0000bc74, 00000006> -> <00000000, c0a803f0, 0000bc74,
c0a80334, 00004710, 00000006> (00000805)
[fw_1] <00000001, c0a80335, 00000016, ac14a810, 0000e056, 00000006> -> <00000000, ac14a810, 0000e056,
c0a80335, 00000016, 00000006> (00000805)
[fw_1] <00000000, ac14a810, 0000e056, c0a80335, 00000016, 00000006; 0001c001, 00044000, 00000003,
000001df, 00000000, 5b9a3832, 00030000, 3503a8c0, c0000001, 00000001, 00000001, ffffffff, ffffffff,
00000800, 08000000, 00000080, 00000000, 00000000, 33410370, ffffc200, 00000000, 00000000, 00000000,
00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000,
00000000; 3600/3600>
[fw_1] <00000000, c0a803f0, 0000bc74, c0a80334, 00004710, 00000006; 0001c001, 00044100, 12000000,
0000000f, 00000000, 5b8fe89b, 00000001, 3403a8c0, c0000001, ffffffff, ffffffff, ffffffff, ffffffff,
00000000, 10000000, 04000080, 00000000, 00000000, 335841e0, ffffc200, 00000000, 00000000, 00000000,
00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000,
00000000; 3600/3600>
[fw_2] <00000000, c0a803f0, 0000ab74, c0a80335, 00004710, 00000006; 0001c001, 00044000, 12000000,
0000000f, 00000000, 5b8fed7e, 00030000, 3503a8c0, c0000002, 00000001, 00000001, ffffffff, ffffffff,
00000800, 08000000, 00000080, 00000000, 00000000, 33337660, ffffc200, 00000000, 00000000, 00000000,
00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000,
00000000; 3556/3600>
[fw_2] <00000001, c0a80335, 00004710, c0a803f0, 0000ab74, 00000006> -> <00000000, c0a803f0, 0000ab74,
c0a80335, 00004710, 00000006> (00000805)
[fw_2] <00000001, c0a80335, 00001fb4, 00000000, 00001fb4, 00000011> -> <00000000, 00000000, 00001fb4,
c0a80335, 00001fb4, 00000011> (00000805)
[fw_2] <00000000, 00000000, 00001fb4, c0a80335, 00001fb4, 00000011; 00010001, 00004000, 00000003,
00000028, 00000000, 5b8fed76, 00030000, 3503a8c0, c0000002, 00000001, ffffffff, ffffffff, ffffffff,
00000800, 08000000, 00000084, 00000000, 00000000, 336d4e30, ffffc200, 00000000, 00000000, 00000000,
00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000,
00000000; 38/40>
[fw_2] <00000000, 00000000, 00001fb4, c0a80334, 00001fb4, 00000011; 00010001, 00004100, 00000003,
00000028, 00000000, 5b8fed72, 0000025f, 3403a8c0, c0000002, ffffffff, ffffffff, ffffffff, ffffffff,
00000000, 10000000, 04000084, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000,
00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000,
00000000; 39/40>
[fw_2] <00000001, c0a80334, 00001fb4, 00000000, 00001fb4, 00000011> -> <00000000, 00000000, 00001fb4,
c0a80334, 00001fb4, 00000011> (00000805)
Table fetched in 3 chunks
[Expert@MyGW:0]#
fw unloadlocal

fw unloadlocal


comp_init_policy

 fw fetch
 cpstart
 fwm unload

fw [-d] unloadlocal

-d

[Expert@MyGW:0]# cpstat -f policy fw

Product name: Firewall

Policy name: My_Policy
Policy install time: Tue Oct 23 18:23:14 2018
... ... ...
[Expert@MyGW:0]#

[Expert@MyGW:0]# sysctl -a | grep forwarding | grep -v bridge

net.ipv6.conf.bond0.forwarding = 1
net.ipv6.conf.eth1.forwarding = 1
net.ipv6.conf.eth3.forwarding = 1
net.ipv6.conf.eth2.forwarding = 1
net.ipv6.conf.eth4.forwarding = 1
net.ipv6.conf.eth5.forwarding = 1
net.ipv6.conf.eth0.forwarding = 1
net.ipv6.conf.eth6.forwarding = 1
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.lo.forwarding = 1
net.ipv4.conf.bond0.mc_forwarding = 0
net.ipv4.conf.bond0.forwarding = 1
net.ipv4.conf.eth1.mc_forwarding = 0
net.ipv4.conf.eth1.forwarding = 1
net.ipv4.conf.eth2.mc_forwarding = 0
net.ipv4.conf.eth2.forwarding = 1
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.all.forwarding = 1
[Expert@MyGW:0]#

[Expert@MyGW:0]# fw unloadlocal

Uninstalling Security Policy from all.all@MyGW

Done.
[Expert@MyGW:0]#

[Expert@MyGW:0]# cpstat -f policy fw

Product name: Firewall

Policy name:
Policy install time:
... ... ...
[Expert@MyGW:0]#

[Expert@MyGW:0]# sysctl -a | grep forwarding | grep -v bridge

[Expert@MyGW:0]# fw fetch localhost

Installing Security Policy My_Policy on all.all@MyGW
Fetching Security Policy from localhost succeeded
[Expert@MyGW:0]#








fw [-d] up_execute ipp=<IANA Protocol Number> [src=<Source IP>] [dst=<Destination

IP>] [sport=<Source Port>] [dport=<Destination Port>] [protocol=<Protocol
Detection Name>] [application=<Application/Category Name 1>
[application=<Application/Category Name 2> ...]]

-d

script
ipp=<
>





src=< >
dst=<Destination IP>
sport=< >

dport=<
>

protocol=<
>
application=<
>

[Expert@MyGW:0]# fw up_execute src=126.200.49.240 dst=10.1.1.1 ipp=1

Rulebase execution ended successfully.

Overall status:
----------------
Active clob mask: 0
Required clob mask: 0
Match status: MATCH
Match action: Accept

Per Layer:
------------
Layer name: Network
Layer id: 0
Match status: MATCH
Match action: Accept
Matched rule: 2
Possible rules: 2 16777215

[Expert@MyGW:0]#

[Expert@MyGW:0]# fw up_execute src=10.1.1.1 ipp=6 dport=8080 protocol=HTTP

application=Facebook application=Opera

Rulebase execution ended successfully.

Overall status:
----------------
Active clob mask: 0
Required clob mask: 0
Match status: MATCH
Match action: Accept

Per Layer:
------------
Layer name: Network
Layer id: 0
Match status: MATCH
Match action: Accept
Matched rule: 2
Possible rules: 2 16777215

[Expert@MyGW:0]#





fw [-d] ver [-k] [-f <Output File>]

-d

ver




-k 




-f < >

[Expert@MyGW:0]# fw ver -k
This is Check Point's software version R80.20 - Build 123
[Expert@MyGW:0]#

[Expert@MyGW:0]# fw ver -k
This is Check Point's software version R80.20 - Build 123
kernel: R80.20 - Build 456
[Expert@MyGW:0]#
[Expert@HostName:0]# $FWDIR/boot/fwboot
bootconf <options>
corexl <options>
cpuid <options>
default <options>
fwboot_ipv6 <options>
fwdefault <options>
ha_conf <options>
ht <options>
multik_reg <options>
post_drv <options>

bootconf
< >

corexl
< >

cpuid
< >

default
< >

fwboot_ipv6
< >

fwdefault
< >

ha_conf
< >

ht < >
multik_reg
< >

post_drv
< >
$FWDIR/boot/boot.conf
fwboot
bootconf

 fwboot corexl
 control_bootsec

[Expert@HostName:0]# $FWDIR/boot/fwboot bootconf

get_corexl
get_core_override
get_def
get_ipf
get_ipv6
get_kernnum
get_kern6num

[Expert@HostName:0]# $FWDIR/boot/fwboot bootconf

set_corexl <0 | 1>
set_core_override <number>
set_def [</path/filename>]
set_ipf <0 | 1>
set_ipv6 <0 | 1>
set_kernnum <number>
set_kern6num <number>

get_corexl


$FWDIR/boot/boot.conf
COREXL_INSTALLED
get_core_override

$FWDIR/boot/boot.conf
CORE_OVERRIDE
get_def
$FWDIR/boot/default.bin
$FWDIR/boot/boot.conf
DEFAULT_FILTER_PATH
get_ipf


$FWDIR/boot/boot.conf
CTL_IPFORWARDING
get_ipv6



$FWDIR/boot/boot.conf
IPV6_INSTALLED
get_kernnum
$FWDIR/boot/boot.conf
KERN_INSTANCE_NUM
get_kern6num
$FWDIR/boot/boot.conf
KERN6_INSTANCE_NUM
set_corexl <0 | 1>




 $FWDIR/boot/boot.conf
COREXL_INSTALLED
 cpconfig
set_core_override < >

$FWDIR/boot/boot.conf
CORE_OVERRIDE
set_def [< >]
$FWDIR/boot/default.bin

 $FWDIR/boot/boot.conf
DEFAULT_FILTER_PATH


DEFAULT_FILTER_PATH

 $FWDIR/boot/
set_ipf <0 | 1>


$FWDIR/boot/boot.conf
CTL_IPFORWARDING
set_ipv6 <0 | 1>



 $FWDIR/boot/boot.conf
IPV6_INSTALLED


set_kernnum <number>

 $FWDIR/boot/boot.conf
KERN_INSTANCE_NUM
 cpconfig
set_kern6num < >

 $FWDIR/boot/boot.conf
KERN6_INSTANCE_NUM
 cpconfig
fwboot bootconf


cpconfig



[Expert@HostName:0]# $FWDIR/boot/fwboot corexl

core_count
curr_instance4_count
curr_instance6_count
def_instance4_count
def_instance6_count
eligible
installed
max_instance4_count
max_instances4_32bit
max_instances4_64bit
max_instance6_count
max_instances_count
max_instances_32bit
max_instances_64bit
min_instance_count
unsupported_features

[Expert@HostName:0]# $FWDIR/boot/fwboot corexl

def_by_allowed [n]
default
[-v] disable
[-v] enable [n] [-6 k]
vmalloc_recalculate
core_count

[Expert@MyGW:0]# $FWDIR/boot/fwboot corexl core_count

[Expert@MyGW:0]# echo $?
4
[Expert@MyGW:0]#
[Expert@MyGW:0]# cat /proc/cpuinfo | grep processor
processor : 0
processor : 1
processor : 2
processor : 3
[Expert@MyGW:0]#
curr_instance4_count

[Expert@MyGW:0]# $FWDIR/boot/fwboot corexl

curr_instance4_count
[Expert@MyGW:0]# echo $?
3
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl multik stat
ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 3 | 0 | 16
1 | Yes | 2 | 0 | 11
2 | Yes | 1 | 1 | 29
[Expert@MyGW:0]#
curr_instance6_count

[Expert@MyGW:0]# $FWDIR/boot/fwboot corexl

curr_instance6_count
[Expert@MyGW:0]# echo $?
2
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw6 ctl multik stat
ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 3 | 0 | 4
1 | Yes | 2 | 0 | 12
[Expert@MyGW:0]#
def_by_allowed [n]

default

def_instance4_count

[Expert@MyGW:0]# $FWDIR/boot/fwboot corexl

def_instance4_count
[Expert@MyGW:0]# echo $?
3
[Expert@MyGW:0]#
def_instance6_count

[Expert@MyGW:0]# $FWDIR/boot/fwboot corexl

def_instance6_count
[Expert@MyGW:0]# echo $?
2
[Expert@MyGW:0]#
[-v] disable

 -v vmalloc
cp_conf corexl

eligible

[Expert@MyGW:0]# $FWDIR/boot/fwboot corexl eligible

[Expert@MyGW:0]# echo $?
1
[Expert@MyGW:0]#
[-v] enable [n] [-6 k] n k

 -v vmalloc
 n
 k
cp_conf corexl
installed




[Expert@MyGW:0]# $FWDIR/boot/fwboot corexl installed

[Expert@MyGW:0]# echo $?
1
[Expert@MyGW:0]#
max_instance4_count

[Expert@MyGW:0]# $FWDIR/boot/fwboot corexl

max_instance4_count
[Expert@MyGW:0]# echo $?
4
[Expert@MyGW:0]#
max_instances4_32bit

[Expert@MyGW:0]# $FWDIR/boot/fwboot corexl

max_instances4_32bit
[Expert@MyGW:0]# echo $?
14
[Expert@MyGW:0]#
max_instances4_64bit

[Expert@MyGW:0]# $FWDIR/boot/fwboot corexl

max_instances4_64bit
[Expert@MyGW:0]# echo $?
38
[Expert@MyGW:0]#
max_instance6_count

[Expert@MyGW:0]# $FWDIR/boot/fwboot corexl

max_instance6_count
[Expert@MyGW:0]# echo $?
3
[Expert@MyGW:0]#
max_instances_count

[Expert@MyGW:0]# $FWDIR/boot/fwboot corexl

max_instances_count
[Expert@MyGW:0]# echo $?
40
[Expert@MyGW:0]#
max_instances_32bit

[Expert@MyGW:0]# $FWDIR/boot/fwboot corexl

max_instances_32bit
[Expert@MyGW:0]# echo $?
16
[Expert@MyGW:0]#
max_instances_64bit

[Expert@MyGW:0]# $FWDIR/boot/fwboot corexl

max_instances_64bit
[Expert@MyGW:0]# echo $?
40
[Expert@MyGW:0]#
min_instance_count

[Expert@MyGW:0]# $FWDIR/boot/fwboot corexl

min_instance_count
[Expert@MyGW:0]# echo $?
2
[Expert@MyGW:0]#
vmalloc_recalculate vmalloc
/boot/grub/grub.conf
unsupported_features

[Expert@MyGW:0]# $FWDIR/boot/fwboot corexl

unsupported_features
corexl unsupported feature: QoS is configured.
[Expert@MyGW:0]# echo $?
1
[Expert@MyGW:0]#
[Expert@HostName:0]# $FWDIR/boot/fwboot cpuid
{-h | -help | --help}
-c
--full
ht_aware
-n
--possible

[Expert@MyGW:0]# $FWDIR/boot/fwboot cpuid

3 2 1 0
[Expert@MyGW:0]#
-c

[Expert@MyGW:0]# $FWDIR/boot/fwboot cpuid -c

[Expert@MyGW:0]# echo $?
4
[Expert@MyGW:0]#
--full

[Expert@MyGW:0]# $FWDIR/boot/fwboot cpuid --full

cpuid phys_id core_id thread_id
0 0 0 0
1 2 0 0
2 4 0 0
3 6 0 0
[Expert@MyGW:0]#
ht_aware

[Expert@MyGW:0]# $FWDIR/boot/fwboot cpuid ht_aware

3 2 1 0
[Expert@MyGW:0]#
-n

[Expert@MyGW:0]# $FWDIR/boot/fwboot cpuid -n

[Expert@MyGW:0]# echo $?
4
[Expert@MyGW:0]#
--possible

[Expert@MyGW:0]# $FWDIR/boot/fwboot cpuid --possible

[Expert@MyGW:0]# echo $?
4
[Expert@MyGW:0]#
$FWDIR/boot/fwboot fwdefault

 fw defaultgen
 fwboot bootconf
 control_bootsec
 comp_init_policy

[Expert@HostName:0]# $FWDIR/boot/fwboot default <Default Filter Policy File>

<
> $FWDIR/boot/default.bin

[Expert@MyGW:0]# $FWDIR/boot/fwboot default $FWDIR/boot/default.bin

FW-1: Default filter installed successfully
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw stat
HOST POLICY DATE
localhost defaultfilter 13Sep2018 14:27:23 : [>eth0] [<eth0]
[Expert@MyGW:0]
[Expert@HostName:0]# $FWDIR/boot/fwboot fwboot_ipv6 <Number of CoreXL FW instance>
hook [-d]

<
>
-d

[Expert@MyGW:0]# fw ctl multik stat

ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 3 | 4 | 28
1 | Yes | 2 | 1 | 11
2 | Yes | 1 | 2 | 22
[Expert@MyGW:0]#

[Expert@MyGW:0]# $FWDIR/boot/fwboot fwboot_ipv6 0 hook

0xffffffff89f8fc00
[Expert@MyGW:0]#

[Expert@MyGW:0]# $FWDIR/boot/fwboot fwboot_ipv6 1 hook

0xffffffff8cd71c00
[Expert@MyGW:0]#

[Expert@MyGW:0]# $FWDIR/boot/fwboot fwboot_ipv6 2 hook

0xffffffff8fb53c00
[Expert@MyGW:0]#
$FWDIR/boot/fwboot default

 fw defaultgen
 fwboot bootconf
 control_bootsec
 comp_init_policy

[Expert@HostName:0]# $FWDIR/boot/fwboot fwdefault <Default Filter Policy File>

<
> $FWDIR/boot/default.bin

[Expert@MyGW:0]# $FWDIR/boot/fwboot fwdefault $FWDIR/boot/default.bin

FW-1: Default filter installed successfully
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw stat
HOST POLICY DATE
localhost defaultfilter 13Sep2018 14:27:23 : [>eth0] [<eth0]
[Expert@MyGW:0]


[Expert@HostName:0]# $FWDIR/boot/fwboot ha_conf

[Expert@HostName:0]# $FWDIR/boot/fwboot ht
--core_override [<number>]
--disable
--eligible
--enable
--enabled
--supported

--core_override
[< >]

--disable
--eligible

[Expert@MyGW:0]# $FWDIR/boot/fwboot ht --eligible

[Expert@MyGW:0]# echo $?








--enable
--enabled

[Expert@MyGW:0]# $FWDIR/boot/fwboot ht --enabled

[Expert@MyGW:0]# echo $?





--supported

[Expert@MyGW:0]# $FWDIR/boot/fwboot ht --supported

[Expert@MyGW:0]# echo $?






[Expert@HostName:0]# $FWDIR/boot/fwboot multik_reg <Number of CoreXL FW instance>
{ipv4 | ipv6} [-d]

<
>
ipv4
ipv6
-d

[Expert@MyGW:0]# fw ctl multik stat

ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 3 | 4 | 28
1 | Yes | 2 | 1 | 11
2 | Yes | 1 | 2 | 22
[Expert@MyGW:0]#

[Expert@MyGW:0]# $FWDIR/boot/fwboot multik_reg 0 ipv4

0
[Expert@MyGW:0]#

[Expert@MyGW:0]# $FWDIR/boot/fwboot multik_reg 1 ipv4

0xffffffff8a2a5690
[Expert@MyGW:0]#

[Expert@MyGW:0]# $FWDIR/boot/fwboot multik_reg 2 ipv4

0xffffffff8a2a5690
[Expert@MyGW:0]#
cpstop cpstart

[Expert@HostName:0]# $FWDIR/boot/fwboot post_drv {ipv4 | ipv6}

ipv4
ipv6



 fw sam fw sam_policy

[Expert@MGMT:0]# sam_alert [-v] [-o] [-s <SAM Server>] [-t <Time>] [-f <Security
Gateway>] [-C] {-n|-i|-I} {-src|-dst|-any|-srv}

-v fw sam

-o

-s < >
-t < >

-f < >

-C
-n

-i

-I

-src
-dst
-any

-srv

-v2
-v fw sam
-O

-S < >
-t < >

-f < >

-n < >

-c "< >"

-o < >
sam_alert
-l {r | a}

 r
 a
None
-a {d | r| n | b | q | i}

 d
 r
 n
 b
 q
 i
-C

-ip
-eth
-src
-dst
-any

-srv
usrchk
hits <options>
incidents <options>
debug <options>

usrchk hits
hits < >



usrchk hits list all

usrchk hits list user < >

usrchk hits list uci <
>



usrchk hits clear all

usrchk hits clear user < >

usrchk hits clear uci <
>


usrchk hits db reload

usrchk hits db reload update

incidents < >


usrchk incidents expiring
debug < >


usrchk debug on
usrchk debug on
usrchk debug set ...

usrchkd


usrchk debug off

usrchk debug set < > < >

 all


 all
 critical
 events
 important
 surprise

usrchk debug set all all


usrchk debug stat

usrchk debug unset < >


usrchk debug reset


usrchk debug

 usrchkd
usrchk debug memory


$FWDIR/log/usrchk.elg
usrchk debug spaces [<0 - 5>]









usrchk hits list all



cphastop

cphastart
[-h]
[-d]

-h


cphastart -d > /var/log/cphastart_output.txt

prepare_command_args: -D ... start
/opt/CPsuite-RXX/fw1/bin/cphaconf clear-secured
/opt/CPsuite-RXX/fw1/bin/cphaconf -D ... start
 $FWDIR/log/cphastart.elg


 cphastart

cphastop

show cluster<ESC><ESC>

cphaprob
cphaprob


show cluster state cphaprob [-vs < >]

state

show cluster members pnotes cphaprob [-l] [-ia]

all
[-e] list
problem

show cluster members interfaces cphaprob [-vs all]

all [-a][-m] if
secured
virtual
vlans
show cluster bond cphaprob show_bond
all
name <bond_name> [< >]

N / A cphaprob
show_bond_groups

show cluster failover [reset cphaprob [-reset {-c |

{count | history}] -h}] [-l < >]
show_failover

show cluster mmagic cphaprob [-vs < >]

[-k] mmagic

show cluster statistics sync cphaprob [-reset]

[reset] syncstat

show cluster statistics cphaprob [-reset]

transport [reset] ldstat

show cluster members cphaprob [-vs all] -a if

interfaces virtual

show cluster members igmp cphaprob igmp

show cluster members ips cphaprob tablestat

show cluster members idmode cphaprob names

show ospf interfaces cphaprob routedifcs

[detailed]
show cluster roles cphaprob roles

N / A cphaprob corr
cphaprob -c {a | d |f}
show cluster members cphaprob -a if
interfaces virtual

show cluster members ccpenc cphaprob ccp_encrypt

show cluster
show cluster
bond
all
name <Name of Bond>
failover [reset {count | history}]
members
ccpenc
idmode
igmp
interfaces
all
secured
virtual
vlans
ips
pnotes
all
problem
mmagic
roles
state
statistics
sync [reset]
transport [reset]

cphaprob

cphaprob [-vs <VSID>] state

cphaprob [-reset {-c | -h}] [-l <count>] show_failover
cphaprob [-vs <VSID>][-k][-S] mmagic
cphaprob names
cphaprob [-reset] [-a] syncstat
cphaprob [-reset] ldstat
cphaprob [-l] [-i[a]] [-e] list
cphaprob [-vs all] [-a] [-m] if
cphaprob show_bond [<bond_name>]
cphaprob show_bond_groups
cphaprob igmp
cphaprob tablestat
cphaprob routedifcs
cphaprob roles
cphaprob {corr | -c {a | d |f}}
cphaprob ccp_encrypt
set virtual-system < >
show cluster state
cphaprob [-vs < >] state

MEM2> cphaprob state

Cluster Mode: High Availability (Active Up) with IGMP Membership

ID Unique Address Assigned Load State Name

1 (local) 150.150.150.2 0% STANDBY MEM2

2 150.150.150.1 100% ACTIVE MEM1

Active PNOTEs: None

Last member state change event:

Event Code: CLUS-111490
State change: DOWN -> STANDBY
Reason for state change: There is already an ACTIVE member in the cluster (member 2)
Event time: Sun Jun 3 09:50:46 2018

Last cluster failover event:

Transition to new ACTIVE: Member 1 -> Member 2
Reason: Interface eth1 is down (Cluster Control Protocol packets are not
received)
Event time: Sun Jun 3 09:50:18 2018

Cluster failover count:

Failover counter: 5
Time of counter reset: Sun Jun 3 09:50:46 2018 (reboot)

MEM2>









problem



 ACTIVE(!)
 ACTIVE(!F)

 ACTIVE(!P)

 ACTIVE(!FP)

problem



Problem
Notification

problem
problem
Init

Interface Active
Check

Load Balancing
Configuration

Recovery Delay
CoreXL
Configuration

Fullsync

Policy

fwd fwd fwd

fwd

cphad cphamcset cphamcset

cphamcset

$FWDIR/log/cphamc
set.elg
routed routed routed

routed

cvpnd cvpnd cvpnd

cvpnd

ted ted ted

ted
VSX

Down

Problematic
VSIDs:

Instances

Hibernating

admin_down
admin_down clusterXL_admin
down
host_monitor

host_monitor

$FWDIR/bin/cluste
rXL_monitor_ips

fwd $FWDIR/bin/cluste
routed cvpnd ted rXL_monitor_proce
ss

show cluster members pnotes {all | problem}

cphaprob [-l] [ [-e] list

show cluster members pnotes all

show cluster members pnotes Built-in Devices
problem Registered Devices

cphaprob -l Built-in Devices

Registered Devices
cphaprob -i list

There are no pnotes in problem state

problem

cphaprob -ia list

There are no pnotes in problem state

Problem Notification
problem
cphaprob -e list

There are no pnotes in problem state

problem

fwd problem fwd

[Expert@Member2:0]# cphaprob -l list

Built-in Devices:

Device Name: Interface Active Check

Current state: OK

Device Name: Recovery Delay

Current state: OK

Device Name: CoreXL Configuration

Current state: OK

Registered Devices:

Device Name: Fullsync

Registration number: 0
Timeout: none
Current state: OK
Time since last report: 1221.5 sec

Device Name: Policy

Registration number: 1
Timeout: none
Current state: OK
Time since last report: 1221.5 sec

Device Name: routed

Registration number: 2
Timeout: none
Current state: OK
Time since last report: 1277.6 sec

Device Name: cphad

Registration number: 3
Timeout: 30 sec
Current state: OK
Time since last report: 1554.4 sec
Process Status: UP

Device Name: Init

Registration number: 4
Timeout: none
Current state: OK
Time since last report: 1522.7 sec

Device Name: fwd

Registration number: 5
Timeout: 30 sec
Current state: problem
Time since last report: 45.3 sec
Process Status: NOT UP

Device Name: ted

Registration number: 6
Timeout: 600 sec
Current state: OK
Time since last report: 2 sec

Device Name: cvpnd

Registration number: 7
Timeout: none
Current state: OK
Time since last report: 1.4 sec

[Expert@Member2:0]#
set virtual-system < >
show cluster members interfaces {all | secured |
virtual | vlans}
cphaprob [-vs all] [-a] [-m] if

show cluster members interfaces all




show cluster members interfaces secured




show cluster members interfaces virtual





show cluster members interfaces vlans

cphaprob if





cphaprob -a if





cphaprob -a -m if
cphaprob -am if




Member2> show cluster members interfaces all

CCP mode: Automatic

Required interfaces: 3
Required secured interfaces: 1

eth0 Non-Monitored non sync(non secured)

eth3 UP non sync(non secured), unicast
eth4 UP non sync(non secured), unicast
bond0 UP sync(secured), unicast, bond High Availability

Virtual cluster interfaces: 2

eth3 192.168.151.7
eth4 192.168.1.5

No VLANs are monitored on the member

Member2>

set cluster member ccp <mode>





show cluster bond {all | name < >}
show bonding groups
cphaprob show_bond [< >]
cphaprob show_bond_groups

show cluster bond all

show bonding groups
cphaprob show_bond
show cluster bond name < >
cphaprob show_bond < >
cphaprob show_bond_groups

[Expert@Member2:0]# cphaprob show_bond

|Slaves |Slaves |Slaves

Legend:
-------
UP! - Bond interface state is UP, yet attention is required
Slaves configured - number of slave interfaces configured on the bond
Slaves link up - number of operational slaves
Slaves required - minimal number of operational slaves required for bond to be UP

[Expert@Member2:0]#

Member2> show bonding groups

Bonding Interface: 1
Bond Configuration
xmit-hash-policy Not configured
down-delay 200
primary Not configured
lacp-rate Not configured
mode active-backup
up-delay 200
mii-interval 100
Bond Interfaces
eth3
eth4
Member2>
cphaprob show_bond
show cluster bond all

 High Availability
 Load Sharing

 UP
 UP!

 DOWN

[Expert@Member2:0]# cphaprob show_bond bond1

Bond name: bond1

Bond mode: High Availability
Bond status: UP

Configured slave interfaces: 2

In use slave interfaces: 2
Required slave interfaces: 1

Slave name | Status | Link

----------------+-----------------+-------
eth4 | Active | Yes
eth3 | Backup | Yes

[Expert@Member2:0]#

cphaprob show_bond <bond_name>

show cluster bond name < >

 High Availability
 Load Sharing
 UP
 UP!

 DOWN

 Active

 Backup

 Not Available

 Yes
 No

[Expert@Member2:0]# cphaprob show_bond_groups

| Required | Bonds | Bonds

Legend:
---------
Bonds in group - a list of the bonds in the bond group
Required active bonds - number of required active bonds
[Expert@Member2:0]#
cphaprob show_bond_groups

 UP
 DOWN

 UP
 DOWN
show cluster failover

cphaprob [-l < >] show_failover

show cluster failover reset {count | history}

cphaprob -reset {-c | -h} show_failover

-l < >
count
-c
history
-h

[Expert@Member2:0]# cphaprob show_failover

Last cluster failover event:

Transition to new ACTIVE: Member 2 -> Member 1
Reason: Available on member 2
Event time: Mon Apr 23 14:38:44 2018

Cluster failover count:

Failover counter: 2
Time of counter reset: Mon Apr 23 13:14:41 2018 (reboot)

[Expert@Member2:0]#
[Expert@Member2:0]# clusterXL_admin down
Setting member to administratively down state ...
Member current state is Down
[Expert@Member2:0]#
[Expert@Member2:0]# cphaprob show_failover

Last cluster failover event:

Transition to new ACTIVE: Member 1 -> Member 2
Reason: ADMIN_DOWN PNOTE
Event time: Mon Apr 23 16:20:23 2018

Cluster failover count:

Failover counter: 3
Time of counter reset: Mon Apr 23 13:14:41 2018 (reboot)

[Expert@Member2:0]#
set virtual-system < >
show cluster mmagic
cphaprob [-vs < >][-k] mmagic

[Expert@Member2:0]# cphaprob mmagic

Configuration mode: Automatic

Configuration phase: Stable

MAC magic: 1
MAC forward magic: 254

Used MAC magic values: None.

[Expert@Member2:0]#

[Expert@Member2:0]# cphaprob mmagic

Configuration mode: Automatic

Configuration phase: Stable

MAC magic: 2
MAC forward magic: 1

Used MAC magic values:

0x01(001)

[Expert@Member2:0]#
show cluster statistics sync
cphaprob syncstat

show cluster statistics sync reset

cphaprob -reset syncstat
show cluster statistics
sync cphaprob syncstat

Delta Sync Statistics

Sync status: OK

Drops:
Lost updates................................. 0
Lost bulk update events...................... 0
Oversized updates not sent................... 0

Sync at risk:
Sent reject notifications.................... 0
Received reject notifications................ 0

Sent updates:
Total generated sync messages................ 12316
Sent retransmission requests................. 0
Sent retransmission updates.................. 0
Peak fragments per update.................... 1

Received updates:
Total received updates....................... 12
Received retransmission requests............. 0

Queue sizes (num of updates):

Sending queue size........................... 512
Receiving queue size......................... 256
Fragments queue size......................... 50

Timers:
Delta Sync interval (ms)..................... 100

Reset on Sun Jun 3 14:37:26 2018 (triggered by fullsync).

 Sync status: OK
 Sync status: Off - Full-sync failure
 Sync status: Off - Policy installation failure
 Sync status: Off - Cluster module not started
 Sync status: Off - SIC failure
 Sync status: Off - Full-sync checksum error
 Sync status: Off - Full-sync received queue is full
 Sync status: Off - Release version mismatch
 Sync status: Off - Connection to remote member timed-out
 Sync status: Off - Connection terminated by remote member
 Sync status: Off - Could not start a connection to remote member
 Sync status: Off - cpstart
 Sync status: Off - cpstop
 Sync status: Off - Manually disabled sync
 Sync status: Off - Was not able to start for more than X second
 Sync status: Off - Boot
 Sync status: Off - Connectivity Upgrade (CU)
 Sync status: Off - cphastop
 Sync status: Off - Policy unloaded
 Sync status: Off - Hibernation
 Sync status: Off - OSU deactivated
 Sync status: Off - Sync interface down
 Sync status: Fullsync in progress
 Sync status: Problem (Able to send sync packets, unable to receive
sync packets)
 Sync status: Problem (Able to send sync packets, saving incoming sync
packets)
 Sync status: Problem (Able to send sync packets, able to receive sync
packets)
 Sync status: Problem (Unable to send sync packets, unable to receive
sync packets)
 Sync status: Problem (Unable to send sync packets, saving incoming
sync packets)
 Sync status: Problem (Unable to send sync packets, able to receive
sync packets)




manually by fullsync
show cluster members igmp
cphaprob igmp

Member2> show cluster members igmp

IGMP Membership: Enabled
Supported Version: 2
Report Interval [sec]: 60

IGMP queries are replied only by Operating System

Interface Host Group Multicast Address Last ver. Last Query[sec]

------------------------------------------------------------------------------
eth0 224.168.204.33 01:00:5e:28:cc:21 N/A N/A
eth1 224.10.10.250 01:00:5e:0a:0a:fa N/A N/A
eth2 224.20.20.33 01:00:5e:14:14:21 N/A N/A
Member2>
SET
REFRESH DELETE

show cluster statistics transport [reset]

cphaprob [-reset] ldstat

reset

Member2> show cluster statistics transport

Operand Calls Bytes Average Ratio %
----------------------------------------------------------
ERROR 0 0 0 0
SET 2035 106444 52 99
RENAME 0 0 0 0
REFRESH 0 0 0 0
DELETE 0 0 0 0
SLINK 1 64 64 0
UNLINK 0 0 0 0
MODIFYFIELDS 0 0 0 0
RECORD DATA CONN 0 0 0 0
COMPLETE DATA CONN 0 0 0 0

Total bytes sent: 114652 (0 MB) in 429 packets. Average 267

Member2>
show cluster members ips
cphaprob tablestat

Member1> show cluster members ips

---- Unique IP's Table ----

Member Interface IP-Address

------------------------------------------

(Local)
0 1 172.23.88.176
0 2 1.0.0.176
0 3 2.0.0.176
0 4 3.0.0.176

1 2 1.0.0.177
1 3 2.0.0.177
1 4 3.0.0.177

------------------------------------------
Member1>

Member2> show cluster members ips

---- Unique IP's Table ----

Member Interface IP-Address

------------------------------------------
0 2 1.0.0.176
0 3 2.0.0.176
0 4 3.0.0.176

(Local)
1 1 172.23.88.177
1 2 1.0.0.177
1 3 2.0.0.177
1 4 3.0.0.177

------------------------------------------
Member2>
show cluster members idmode
cphaprob names

[Expert@Member2:0]# cphaprob names

Current member print mode in local logs is set to: ID

[Expert@Member2:0]#
show ospf interfaces [detailed]
cphaprob routedifcs

[Expert@Member2:0]# cphaprob routedifcs

No interfaces are registered.

[Expert@Member2:0]#

[Expert@Member2:0]# cphaprob routedifcs

Monitored interfaces registered by routed:

eth0
[Expert@Member2:0]#


show cluster role

cphaprob roles

[Expert@Member2:0]# cphaprob roles

ID Role

1 Non-Master
2 (local) Master

[Expert@Member2:0]#



with metadata

cphaprob corr
cphaprob -c {a | d |f}

cphaprob corr
cphaprob -c a
cphaprob -c d
cphaprob -c f

[Expert@Member2:0]# cphaprob corr

Cluster Correction Stats (All traffic):

------------------------------------------------------
Sent packets: 0 (0 with metadata)
Sent bytes: 0
Received packets: 0 (0 with metadata)
Received bytes: 0
Send errors: 0
Receive errors: 0
Local asymmetric conns: 0
[Expert@Member2:0]#

[Expert@Member2:0]# cphaprob -c a
Cluster Correction Stats (All traffic):
------------------------------------------------------
Sent packets: 0 (0 with metadata)
Sent bytes: 0
Received packets: 0 (0 with metadata)
Received bytes: 0
Send errors: 0
Receive errors: 0
Local asymmetric conns: 0
[Expert@Member2:0]#

[Expert@Member2:0]# cphaprob -c d

Cluster Correction Stats (SND corrections only):

[Expert@Member2:0]# cphaprob -c f

Cluster Correction Stats (Firewall instances and SND):

show cluster members interfaces virtual

cphaprob -a if

show cluster members ccpenc

cphaprob ccp_encrypt
cphaprob ccp_encrypt_key

set cluster <ESC><ESC>

cphaconf
cphaconf



set cluster member idmode cphaconf mem_id_mode
id id
name name

N/A cphaconf set_pnote -d

< > -t
< > -s
{ok|init|problem} [-p]
[-g] register
N/A cphaconf set_pnote -d
< > [-p]
[-g] unregister

N/A cphaconf set_pnote -d

< > -s
{ok|init|problem} [-g]
report

N/A cphaconf set_pnote -f

< > [-g]
register

N/A cphaconf set_pnote -a

[-g] unregister

set cluster member ccp cphaconf set_ccp

auto auto
broadcast unicast
multicast multicast
unicast broadcast
set cluster member ccpenc cphaconf ccp_encrypt
off off
on on

set cluster member forwarding cphaconf forward

on on
off off
N/A cphaconf debug_data

N/A cphaconf failover_bond

< >

N/A cphaconf
enable_bond_failover
< >

set cluster member admin clusterXL_admin

down down
up up

set cluster member

set cluster member
admin
down
up
ccp
auto
broadcast
multicast
unicast
forwarding
off
on
idmode
id
name

cphaconf

cphaconf [-D]
[-c <Cluster Size>]
[-i <Member ID>]
[-n <Cluster ID>]
[-p <Policy ID>]
[-m {1|service} | {2|balance} | {3|primary-up} | {4|active-up}]
[-R a | <Number of Required IF>]
[-t <Sync IF 1>...]
[-d <Non-Monitored IF 1>...]
[-M {0|multicast} | {1|pivot}]
[-l <Cluster Failover Track Mode 0-7>]
[-M multicast|pivot]
[-N <MAC Magic value>]
[-u <Member_Name1,Member_Name2,...>]
start

cphaconf stop

cphaconf [-t <Sync IF 1>...] [-d <Non-Monitored IF 1>...] add

cphaconf clear-secured

cphaconf clear-non-monitored

cphaconf set_ccp {auto|unicast|multicast|broadcast}

cphaconf debug_data

cphaconf delete_link_local [-vs <VSID>] <IF name>

cphaconf set_link_local [-vs <VSID>] <IF name> <Cluster IP>

cphaconf mem_id_mode {id | name}

cphaconf failover_bond <bond_name>

cphaconf [-s] {set|unset|get} var <Kernel Parameter Name> [<Value>]

cphaconf set_pnote -d <Device> -t <Timeout in sec> -s {ok|init|problem} [-p] [-g]

cphaconf set_pnote -f <File> [-g] register

cphaconf set_pnote -d <Device> [-p] [-g] unregister

cphaconf set_pnote -a [-g] unregister

cphaconf set_pnote -d <Device> -s {ok|init|problem} [-g] report

cphaconf ccp_encrypt {on | off}

cphaconf ccp_encrypt_key <Key String>

 /var/log/messages
 dmesg
 $FWDIR/log/fwd.elg

set cluster member idmode

id
name
cphaconf mem_id_mode
id
name

[Expert@Member2:0]# cphaprob names

Current member print mode in local logs is set to: ID
[Expert@Member2:0]#

[Expert@Member2:0]# cphaconf mem_id_mode name

Member print mode in local logs: NAME
[Expert@Member2:0]#

[Expert@Member2:0]# cphaprob names

Current member print mode in local logs is set to: NAME
[Expert@Member2:0]#



N/A

cphaconf set_pnote -d < > -t <

> -s {ok | init | problem} [-p] [-g] register

 0
 -p

 -g



problem

N/A

cphaconf set_pnote -d < > [-p] [-g]

unregister

 -p

 -g



N/A

cphaconf set_pnote -d < > -s {ok | init

| problem} [-g] report

 -g
 < > problem
<device> <timeout> <status>



<timeout> <device>

0
<status> <device>

 ok
 init

 problem

N/A

cphaconf set_pnote -f [-g] register

g
N/A
cphaconf set_pnote -a [-g] unregister

 -a
 -g



set cluster member ccp

auto
broadcast
multicast
unicast
cphaconf set_ccp
auto
unicast
multicast
broadcast

set cluster member ccpenc

off
on
cphaconf ccp_encrypt
off
on
cphaconf ccp_encrypt_key <Key String>
set cluster member admin
down
up
clusterXL_admin
down
up

Member2> show cluster state

Cluster Mode: High Availability (Active Up) with IGMP Membership

ID Unique Address Assigned Load State Name

1 192.168.20.176 0% STANDBY Member1

2 (local) 192.168.20.177 100% ACTIVE Member2

Active PNOTEs: None

Last member state change event:

Event Code: CLUS-11482
State change: STANDBY -> ACTIVE
Reason for state change: No other ACTIVE member has been found in the cluster
Event time: Sun Jun 3 20:24:35 2018

Last cluster failover event:

Transition to new ACTIVE: Member 1 -> Member 2
Reason: Interface eth1 is down (Cluster Control Protocol packets are not
received)
Event time: Sun Jun 3 20:24:35 2018

Cluster failover count:

Failover counter: 261
Time of counter reset: Sun Jun 3 20:24:35 2018 (reboot)

Member2>

Member2> set cluster member admin down

Setting member to administratively down state ...
Member current state is DOWN
Member2>

Member2> show cluster state

Cluster Mode: High Availability (Active Up) with IGMP Membership

ID Unique Address Assigned Load State Name

1 192.168.20.176 100% ACTIVE Member1

2 (local) 192.168.20.177 0% DOWN Member2

Active PNOTEs: ADMIN

Last member state change event:

Event Code: CLUS-11144
State change: ACTIVE -> DOWN
Reason for state change: ADMIN_DOWN PNOTE
Event time: Sun Jun 3 20:27:19 2018

Last cluster failover event:

Transition to new ACTIVE: Member 2 -> Member 1
Reason: ADMIN_DOWN PNOTE
Event time: Sun Jun 3 20:27:19 2018

Cluster failover count:

Failover counter: 262
Time of counter reset: Sun Jun 3 20:27:19 2018 (reboot)

Member2>

Member2> set cluster member admin up

Setting member to normal operation ...
Member current state is STANDBY
Member2>

Member2> show cluster state

Cluster Mode: High Availability (Active Up) with IGMP Membership

ID Unique Address Assigned Load State Name

1 192.168.20.176 100% ACTIVE Member1

2 (local) 192.168.20.177 0% STANDBY Member2

Active PNOTEs: None

Last member state change event:

Event Code: CLUS-11490
State change: DOWN -> STANDBY
Reason for state change: There is already an ACTIVE member in the cluster (member 1)
Event time: Sun Jun 3 20:27:44 2018

Last cluster failover event:

Transition to new ACTIVE: Member 2 -> Member 1
Reason: ADMIN_DOWN PNOTE
Event time: Sun Jun 3 20:27:19 2018

Cluster failover count:

Failover counter: 262
Time of counter reset: Sun Jun 3 20:27:44 2018 (reboot)

Member2>
cpconfig

cp_conf ha {enable | disable} [norestart]

enable

cpconfig
disable

cpconfig
norestart

[Expert@MyGW:0]# cp_conf ha enable norestart

Cluster membership for this gateway was enabled successfully

Important: This change will take effect after reboot.

[Expert@MyGW:0]#

[Expert@MyGW:0]# cp_conf ha disable norestart

cpwd_admin:
Process CPHAMCSET process has been already terminated

Cluster membership for this gateway was disabled successfully

Important: This change will take effect after reboot.

[Expert@MyGW:0]#
fw hastat
 show cluster state
cphaprob state
 cpstat

fw hastat [<Target1>] [<Target2>] ... [<TargetN>]

[Expert@MGMT:0]# fw hastat

HOST NUMBER HIGH AVAILABILITY STATE MACHINE STATUS

localhost active OK
[Expert@MGMT:0]#

[Expert@MGMT:0]# fw hastat 192.168.3.52

HOST NUMBER HIGH AVAILABILITY STATE MACHINE STATUS
192.168.3.52 1 active OK
[Expert@MGMT:0]#

[Expert@MGMT:0]# fw hastat 192.168.3.53

HOST NUMBER HIGH AVAILABILITY STATE MACHINE STATUS
192.168.3.53 2 stand-by OK
[Expert@MGMT:0]#

[Expert@MGMT:0]# fw hastat 192.168.3.52 192.168.3.53

HOST NUMBER HIGH AVAILABILITY STATE MACHINE STATUS
192.168.3.52 1 active OK
192.168.3.53 2 stand-by OK
[Expert@MGMT:0]#

[Expert@Member1:0]# fw hastat
HOST NUMBER HIGH AVAILABILITY STATE MACHINE STATUS
192.168.3.52 1 active OK
[Expert@Member1:0]#
$FWDIR/bin/clusterXL_admin

 admin_down
problem Down
 admin_down ok
Up
admin_down

#! /bin/csh -f
#
# The script will cause the machine to get into down state, thus the member will not filter packets.
# It will supply a simple way to initiate a failover by registering a new device in problem state when
# a failover is required and will unregister the device when wanting to return to normal operation.
# USAGE:
# clusterXL_admin <up|down>

set PERSISTENT = ""

# checking number of arguments

if ( $#argv > 2 || $#argv < 1 ) then
echo "clusterXL_admin : Invalid Argument Count"
echo "Usage: clusterXL_admin <up|down> [-p]"
exit 1
else if ( $#argv == 2 ) then
if ( "$2" != "-p" ) then
echo "clusterXL_admin : Invalid Argument ($2)"
echo "Usage: clusterXL_admin <up|down> [-p]"
exit 1
endif
set PERSISTENT = "-p"
endif

#checking if cpha is started

$FWDIR/bin/cphaprob stat | grep "Cluster" > /dev/null
if ($status) then
echo "HA is not started"
exit 1
endif

if ( $1 == "up" ) then
echo "Setting member to normal operation ..."
$FWDIR/bin/cphaconf set_pnote -d admin_down $PERSISTENT unregister > & /dev/null
if ( `uname` == 'IPSO' ) then
sleep 5
else
sleep 1
endif

set stateArr = `$FWDIR/bin/cphaprob stat | grep "local"`

$FWDIR/bin/cphaprob stat | egrep "Sync only|Bridge Mode" > /dev/null

#If it's third party or bridge mode, use column 4 , otherwise 5
if ($status) then
set state = $stateArr[5]
else
set state = $stateArr[4]
endif

echo "Member current state is $state"

if (($state != "Active" && $state != "Standby") && ($state != "ACTIVE" && $state != "STANDBY"
&& $state != "ACTIVE(!)")) then
echo "Operation failed: member is still down, run 'cphaprob list' for further details"
endif
exit 0
endif

if ( $1 == "down" ) then
echo "Setting member to administratively down state ..."
$FWDIR/bin/cphaconf set_pnote -d admin_down -t 0 -s problem $PERSISTENT register > & /dev/null
sleep 1

set stateArr = `$FWDIR/bin/cphaprob stat | grep "local"`

$FWDIR/bin/cphaprob stat | egrep "Sync only|Bridge Mode" > /dev/null

#If it's third party or bridge mode, use column 4 , otherwise 5
if ($status) then
set state = $stateArr[5]
else
set state = $stateArr[4]
endif

echo "Member current state is $state"

if ( $state == "Active attention" || $state == "ACTIVE(!)" ) then
echo "All the members within the cluster have problem/s and the local member was chosen
to become active"
else
if ( $state != "Down" && $state != "DOWN" ) then
echo "Operation failed: member is not down, run 'cphaprob list' for further
details"
endif
endif
exit 0
else
echo "clusterXL_admin : Invalid Option ($1)"
echo "Usage: clusterXL_admin <up|down> [-p]"
exit 1
endif
Down Up
$FWDIR/conf/cpha_hosts

$FWDIR/bin/clusterXL_monitor_ips

host_monitor ok
$FWDIR/conf/cpha_hosts

problem Down
ok

#!/bin/sh
#
# The script tries to ping the hosts written in the file $FWDIR/conf/cpha_hosts. The names (must be
resolveable) ot the IPs of the hosrs must be written in seperate lines.
# the file must not contain anything else.
# We ping the given hosts every number of seconds given as parameter to the script.
# USAGE:
# cpha_monitor_ips X silent
# where X is the number of seconds between loops over the IPs.
# if silent is set to 1, no messages will appear on the console
#
# We initially register a pnote named "host_monitor" in the problem notification mechanism
# when we detect that a host is not responding we report the pnote to be in "problem" state.
# when ping succeeds again - we report the pnote is OK.

silent=0

if [ -n "$2" ]; then
if [ $2 -le 1 ]; then
silent=$2
fi
fi
hostfile=$FWDIR/conf/cpha_hosts
arch=`uname -s`
if [ $arch = "Linux" ]
then
#system is linux
ping="ping -c 1 -w 1"
else
ping="ping"
fi
$FWDIR/bin/cphaconf set_pnote -d host_monitor -t 0 -s ok register
TRUE=1
while [ "$TRUE" ]
do
result=1
for hosts in `cat $hostfile`
do
if [ $silent = 0 ]
then
echo "pinging $hosts using command $ping $hosts"
fi
if [ $arch = "Linux" ]
then
$ping $hosts > /dev/null 2>&1
else
$ping $hosts $1 > /dev/null 2>&1
fi
status=$?
if [ $status = 0 ]
then
if [ $silent = 0 ]
then
echo " $hosts is alive"
fi
else
if [ $silent = 0 ]
then
echo " $hosts is not responding "
fi
result=0
fi
done
if [ $silent = 0 ]
then
echo "done pinging"
fi
if [ $result = 0 ]
then
if [ $silent = 0 ]
then
echo " Cluster member should be down!"
fi
$FWDIR/bin/cphaconf set_pnote -d host_monitor -s problem report
else
if [ $silent = 0 ]
then
echo " Cluster member seems fine!"
fi
$FWDIR/bin/cphaconf set_pnote -d host_monitor -s ok report
fi
if [ "$silent" = 0 ]
then
echo "sleeping"
fi
sleep $1
echo "sleep $1"
done
$FWDIR/conf/cpha_proc_list

$FWDIR/bin/clusterXL_monitor_process

ok
$FWDIR/conf/cpha_proc_list

problem
Down
ok

#!/bin/sh
#
# This script monitors the existance of processes in the system. The process names should be written
# in the $FWDIR/conf/cpha_proc_list file one every line.
#
# USAGE :
# cpha_monitor_process X silent
# where X is the number of seconds between process probings.
# if silent is set to 1, no messages will appear on the console.
#
#
# We initially register a pnote for each of the monitored processes
# (process name must be up to 15 charachters) in the problem notification mechanism.
# when we detect that a process is missing we report the pnote to be in "problem" state.
# when the process is up again - we report the pnote is OK.

if [ "$2" -le 1 ]
then
silent=$2
else
silent=0
fi
if [ -f $FWDIR/conf/cpha_proc_list ]
then
procfile=$FWDIR/conf/cpha_proc_list
else
echo "No process file in $FWDIR/conf/cpha_proc_list "
exit 0
fi

arch=`uname -s`

for process in `cat $procfile`

do
$FWDIR/bin/cphaconf set_pnote -d $process -t 0 -s ok -p register > /dev/null 2>&1
done

while [ 1 ]
do

result=1
for process in `cat $procfile`
do
ps -ef | grep $process | grep -v grep > /dev/null 2>&1

status=$?

if [ $status = 0 ]
then
if [ $silent = 0 ]
then
echo " $process is alive"
fi
# echo "3, $FWDIR/bin/cphaconf set_pnote -d $process -s ok report"
$FWDIR/bin/cphaconf set_pnote -d $process -s ok report
else
if [ $silent = 0 ]
then
echo " $process is down"
fi

$FWDIR/bin/cphaconf set_pnote -d $process -s problem report

result=0
fi

done

if [ $result = 0 ]

then
if [ $silent = 0 ]
then
echo " One of the monitored processes is down!"
fi
else
if [ $silent = 0 ]
then
echo " All monitored processes are up "
fi

fi
if [ "$silent" = 0 ]
then
echo "sleeping"
fi

sleep $1

done


fwaccel
fwaccel6

fwaccel help
fwaccel [-i <SecureXL ID>]
cfg <options>
conns <options>
dbg <options>
dos <options>
feature <options>
off <options>
on <options>
ranges <options>
stat <options>
stats <options>
synatk <options>
tab <options>
templates <options>
ver

fwaccel6 help
fwaccel6
conns <options>
dbg <options>
dos <options>
feature <options>
off <options>
on <options>
ranges <options>
stat <options>
stats <options>
synatk <options>
tab <options>
templates <options>
ver

help

-i <SecureXL ID>

cfg <options> (on page 727)

conns <options> (on page

730)
dbg <options> (on page 733)

dos <options> (on page 737)

feature <options> (on page

756)
off <options> (on page 758)

on <options> (on page 761)

ranges <options> (on page

764)
stat <options> (on page
769)
stats <options> (on page
772)
synatk <options> (on page
792)
tab <options> (on page 812)

templates <options> (on

page 815)
ver (on page 818)
fwaccel cfg
-h
-a {<Number of Interface> | <Name of Interface> | reset}
-b {on | off}
-c <Number>
-d <Number>
-e <Number>
-i {on | off}
-l <Number>
-m <Seconds>
-p {on | off}
-r <Number>
-v <Seconds>
-w {on | off}




-h

-a < >  -a < >

-a < >
-a reset
 -a < >

 -a reset

fw getifs
fw ctl iflist
 fwaccel cfg -a ...

tail -n 10 /var/log/messages
-b {on | off}

 on
 off

-c < >

-d < >
-e < >
-i {on | off}

 on
 off

-l < >




fwaccel
off fwaccel on

-m < >



-p {on | off}

 on

 off
-r < >

-v < >



-w {on | off}

 on
 off
fwaccel [-i <SecureXL ID>] conns
-h
-f <filter>
-m <Number of Entries>
-s

fwaccel6 conns
-h
-f <Filter>
-m <Number of Entries>
-s

-h
-i
<
>
-f < >

 fwaccel conns -h


fwaccel conns -f AaQq

 A

 a
 C
 c
 F

 f

 H

 h

 L
 l
 N

 n

 Q
 q
 S
 s
 U
 u
-m
<
>
-s

[Expert@MyGW:0]# fwaccel conns

Source SPort Destination DPort PR Flags C2S i/f S2C i/f Inst Identity
--------------- ----- --------------- ----- -- ----------- ------- ------- ---- -------
1.1.1.200 50586 1.1.1.100 18191 6 F............. 2/2 2/- 3 0
192.168.0.244 35925 192.168.0.242 18192 6 F............. 1/1 -/- 1 0
192.168.0.93 257 192.168.0.242 53932 6 F............. 1/1 1/- 0 0
192.168.0.242 22 172.30.168.15 57914 6 F............. 1/1 -/- 2 0
192.168.0.244 34773 192.168.0.242 18192 6 F............. 1/1 -/- 2 0
192.168.0.88 138 192.168.0.255 138 17 F............. 1/1 -/- 0 0
1.1.1.100 18191 1.1.1.200 55336 6 F............. 2/2 2/- 4 0
192.168.0.242 18192 192.168.0.244 38567 6 F............. 1/1 -/- 4 0
192.168.0.242 53932 192.168.0.93 257 6 F............. 1/1 1/- 0 0
192.168.0.242 18192 192.168.0.244 62714 6 F............. 1/1 -/- 1 0
192.168.0.244 33558 192.168.0.242 18192 6 F............. 1/1 -/- 5 0
1.1.1.200 36359 1.1.1.100 18191 6 F............. 2/2 2/- 5 0
1.1.1.200 55336 1.1.1.100 18191 6 F............. 2/2 2/- 4 0
192.168.0.242 60756 192.168.0.93 257 6 F............. 1/1 1/- 4 0
1.1.1.100 18191 1.1.1.200 36359 6 F............. 2/2 2/- 5 0
1.1.1.100 18191 1.1.1.200 50586 6 F............. 2/2 2/- 3 0
192.168.0.244 38567 192.168.0.242 18192 6 F............. 1/1 -/- 4 0
192.168.0.242 18192 192.168.0.244 32877 6 F............. 1/1 -/- 5 0
192.168.0.242 53806 192.168.47.45 53 17 F............. 1/1 1/- 3 0
192.168.0.242 18192 192.168.0.244 33558 6 F............. 1/1 -/- 5 0
172.30.168.15 57914 192.168.0.242 22 6 F............. 1/1 -/- 2 0
192.168.0.255 138 192.168.0.88 138 17 F............. 1/1 -/- 0 0
192.168.0.93 257 192.168.0.242 60756 6 F............. 1/1 1/- 4 0
1.1.1.200 18192 1.1.1.100 37964 6 F............. 2/2 -/- 1 0
1.1.1.100 37964 1.1.1.200 18192 6 F............. 2/2 -/- 1 0
192.168.0.244 32877 192.168.0.242 18192 6 F............. 1/1 -/- 5 0
192.168.0.242 18192 192.168.0.244 34773 6 F............. 1/1 -/- 2 0
192.168.0.242 18192 192.168.0.244 35925 6 F............. 1/1 -/- 1 0
192.168.47.45 53 192.168.0.242 53806 17 F............. 1/1 1/- 3 0
192.168.0.244 62714 192.168.0.242 18192 6 F............. 1/1 -/- 1 0

Idx Interface
--- ---------
0 lo
1 eth0
2 eth1

Total number of connections: 30

[Expert@MyGW:0]#
fwaccel dbg
-h
-m <Name of SecureXL Debug Module>
all
+ <Debug Flags>
- <Debug Flags>
reset
-f {"<5-Tuple Debug Filter>" | reset}
list
resetall

-h

-m <
>
fwaccel dbg
all

+ < >

+ Flag1 [Flag2 Flag3 ... FlagN]

- < >

- Flag1 [Flag2 Flag3 ... FlagN]

-
reset
-f "<5-Tuple Debug Filter>"

"<Source IP Address>,<Source
Port>,<Destination IP Address>,<Destination
Port>,<Protocol Number>"

 *

-f reset
list
resetall

[Expert@MyGW:0]# fwaccel dbg

Usage: fwaccel dbg [-m <...>] [resetall | reset | list | all | +/- <flags>]
-m <module> - module of debugging
-h - this help message
resetall - reset all debug flags for all modules
reset - reset all debug flags for module
all - set all debug flags for module
list - list all debug flags for all modules
-f reset | "<5-tuple>" - filter debug messages
+ <flags> - set the given debug flags
- <flags> - unset the given debug flags

List of available modules and flags:

Module: default (default)

err init drv tag lock cpdrv routing kdrv gtp tcp_sv gtp_pkt svm iter conn htab del update acct conf
stat queue ioctl corr util rngs relations ant conn_app rngs_print infra_ids offload nat

Module: db
err get save del tmpl tmo init ant profile nmr nmt

Module: api
err init add update del acct conf stat vpn notif tmpl sv pxl qos gtp infra tmpl_info upd_conf upd_if_inf
add_sa del_sa del_all_sas misc get_features get_tab get_stat reset_stat tag long_ver del_all_tmpl
get_state upd_link_sel

Module: pkt
err f2f frag spoof acct notif tcp_state tcp_state_pkt sv cpls routing drop pxl qos user deliver vlan
pkt nat wrp corr caf

Module: infras
err reorder pm

Module: tmpl
err dtmpl_get dtmpl_notif tmpl
Module: vpn
err vpnpkt linksel routing vpn

Module: nac
err db db_get pkt pkt_ex signature offload idnt ioctl nac

Module: cpaq
init client server exp cbuf opreg transport transport_utils error

Module: synatk
init conf conn err log pkt proxy state msg

Module: adp
err rt nh eth heth wrp inf mbs bpl bplinf mbeinf if drop bond xmode ipsctl xnp

Module: dos
fw1-cfg fw1-pkt sim-cfg sim-pkt err detailed drop

[Expert@MyGW:0]#

[Expert@MyGW:0]# fwaccel dbg -m default + err conn

Debug flags updated.
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dbg list

Module: default (2001)

err conn

Module: db (1)
err

Module: api (1)

err

Module: pkt (1)

err

Module: infras (1)

err

Module: tmpl (1)

err

Module: vpn (1)

err

Module: nac (1)

err

Module: cpaq (100)

error

Module: synatk (0)

Module: adp (1)

err

Module: dos (10)

err

Debug filter not set.

[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dbg -m default - conn
Debug flags updated.
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dbg list

Module: default (1)

err

Module: db (1)
err

Module: api (1)

err

Module: pkt (1)

err

Module: infras (1)

err

Module: tmpl (1)

err

Module: vpn (1)

err

Module: nac (1)

err

Module: cpaq (100)

error

Module: synatk (0)

Module: adp (1)

err

Module: dos (10)

err

Debug filter not set.

[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dbg -m default reset
Debug flags updated.
[Expert@MyGW:0]#

[Expert@MyGW:0]# fwaccel dbg resetall

Debug state was reset to default.
[Expert@MyGW:0]#

[Expert@MyGW:0]# fwaccel dbg -f 192.168.20.30,*,172.16.40.50,22,6

Debug filter was set.
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dbg list

... ...

Debug filter: "<,,*,,>"

[Expert@MyGW:0]#

set virtual-system < >
vsenv < >


fwaccel [-i <SecureXL ID>] dos

blacklist <options>
config <options>
pbox <options>
rate <options>
stats <options>
whitelist <options>

fwaccel6 dos
blacklist <options>
config <options>
rate <options>
stats <options>

-i < >
blacklist < >

config < >

pbox < >

rate < >

stats < >

whitelist < >


set virtual-system < >
vsenv < >



fwaccel dos config fwaccel6 dos config
fw sam_policy fw6 sam_policy

fwaccel [-i <SecureXL ID>] dos blacklist

-a <IPv4 Address>
-d <IPv4 Address>
-F
-s

fwaccel6 dos blacklist

-a <IPv6 Address>
-d <IPv6 Address>
-F
-s

-i < >

-a < >

-d < >

-F
-s
[Expert@MyGW:0]# fwaccel dos blacklist -s
The blacklist is empty
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos blacklist -a 1.1.1.1
Adding 1.1.1.1
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos blacklist -s
1.1.1.1
[Expert@MyGW:0]# fwaccel dos blacklist -a 2.2.2.2
Adding 2.2.2.2
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos blacklist -s
2.2.2.2
1.1.1.1
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos blacklist -d 2.2.2.2
Deleting 2.2.2.2
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos blacklist -s
1.1.1.1
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos blacklist -F
All blacklist entries deleted
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos blacklist -s
The blacklist is empty
[Expert@MyGW:0]#

set virtual-system < >
vsenv < >


fwaccel [-i <SecureXL ID>] dos config

get
set
{--disable-rate-limit | --enable-rate-limit}
{--disable-pbox | --enable-pbox}
{--disable-blacklists | --enable-blacklists}
{--disable-drop-frags | --enable-drop-frags}
{--disable-drop-opts | --enable-drop-opts}
{--disable-internal | --enable-internal}
{--disable-monitor | --enable-monitor}
{--disable-log-drops | --enable-log-drops}
{--disable-log-pbox | --enable-log-pbox}
{-n <NOTIF_RATE> | --notif-rate <NOTIF_RATE>}
{-p <PBOX_RATE> | --pbox-rate <PBOX_RATE>}
{-t <PBOX_TMO> | --pbox-tmo <PBOX_TMO>}

fwaccel6 dos config

-i < >

get
set < >
--disable-blacklists

--disable-drop-frags

--disable-drop-opts

--disable-internal

--disable-log-drops

--disable-log-pbox

--disable-monitor

--disable-pbox

fwaccel dos pbox

--disable-rate-limit

--enable-blacklists
fwaccel dos blacklist fwaccel6
dos blacklist
--enable-drop-frags
--enable-drop-opts
--enable-internal
--enable-log-drops
--enable-log-pbox

--enable-monitor

--enable-pbox
fwaccel dos pbox
--enable-rate-limit

-n < >
--notif-rate < >

-p < >
--pbox-rate < >

-t < >
--pbox-tmo < >

[Expert@MyGW:0]# fwaccel dos config get

rate limit: disabled (without policy)
pbox: disabled
blacklists: disabled
log blacklist: disabled
drop frags: disabled
drop opts: disabled
internal: disabled
monitor: disabled
log drops: disabled
log pbox: disabled
notif rate: 100 notifications/second
pbox rate: 500 packets/second
pbox tmo: 180 seconds
[Expert@MyGW:0]#

[Expert@MyGW:0]# fwaccel dos config set --enable-pbox

OK
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos config get
rate limit: disabled (without policy)
pbox: enabled
blacklists: disabled
drop frags: disabled
drop opts: disabled
internal: disabled
monitor: disabled
log drops: enabled
log pbox: enabled
notif rate: 100 notifications/second
pbox rate: 500 packets/second
pbox tmo: 180 seconds
[Expert@MyGW:0]#

fwaccel dos config set fwaccel6 dos config set

$FWDIR/conf/fwaccel_dos_rate_on_ins
tall fwaccel dos config set
#!/bin/bash
fwaccel dos config set < >

$FWDIR/conf/fwaccel6_dos_rate_on_in
stall fwaccel6 dos config set
#!/bin/bash
fwaccel6 dos config set < >

fw sam_policy



 touch $FWDIR/conf/< >
 vi $FWDIR/conf/< >


 set virtual-system < >

 vsenv < >
 #!/bin/bash


chmod +x $FWDIR/conf/< >

!/bin/bash
fwaccel dos config set --enable-internal
fwaccel dos config set --enable-pbox


set virtual-system < >
vsenv < >



fwaccel dos config fwaccel6 dos config

 fwaccel dos whitelist

 fwaccel synatk whitelist fwaccel6 synatk whitelist

fwaccel [-i <SecureXL ID>] dos pbox

flush
whitelist
-a <IPv4 Address>[/<Subnet Prefix>]
-d <IPv4 Address>[/<Subnet Prefix>]
-F
-l /<Path>/<Name of File>
-L
-s

-i < >

flush
whitelist < >

fwaccel dos
whitelist
-a < >[/< >]

 < >

 < >
/<bits>


192.168.20.30
192.168.20.30/32

192.168.20.0/24
-d < >[/< >]

 < >

/<bits>

-F
-l /< >/< >


touch vi

chmod +x

< >[/< >]



-L

$FWDIR/conf/pbox-whitelist-v4.conf

fwaccel dos pbox whitelist -L



touch vi

chmod +x

< >[/< >]



-s

[Expert@MyGW:0]# fwaccel dos pbox whitelist -a 192.168.20.40

[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos pbox whitelist -s
192.168.20.40/32
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos pbox whitelist -F
[Expert@MyGW:0]# fwaccel dos pbox whitelist -s
[Expert@MyGW:0]#

[Expert@MyGW:0]# fwaccel dos pbox whitelist -a 192.168.20.40/32

[Expert@MyGW:0]# fwaccel dos pbox whitelist -a 192.168.20.0/24

[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos pbox whitelist -s
192.168.20.0/24
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos pbox whitelist -F
[Expert@MyGW:0]# fwaccel dos pbox whitelist -s
[Expert@MyGW:0]#

[Expert@MyGW:0]# fwaccel dos pbox whitelist -a 192.168.20.40/32

[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos pbox whitelist -a 192.168.20.70/32
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos pbox whitelist -s
192.168.20.40/32
192.168.20.70/32
[Expert@MyGW:0]# fwaccel dos pbox whitelist -d 192.168.20.70/32
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos pbox whitelist -s
192.168.20.40/32
[Expert@MyGW:0]#

set virtual-system < >
vsenv < >


fwaccel [-i <SecureXL ID>] dos rate

get '<Rule UID>'
install

fwaccel6 dos rate

get '<Rule UID>'
install

-i < >

get '< >'

install

fw sam_policy get -l -k req_type -t in -v quota |

fwaccel dos rate install
fw sam_policy

fwaccel dos config set --disable-rate-limit



set virtual-system < >
vsenv < >


fwaccel [-i <SecureXL ID>] stats

clear
get

fwaccel6 dos stats

clear
get

-i < >

clear
get

[Expert@MyGW:0]# fwaccel dos stats get

Firewall:
Number of Elements in Tables:
Penalty Box Violating IPs: 0 (size: 8192)
Blacklist Notification Handlers: 0 (size: 1024)
SXL Device 0:
Total Active Connections: 0
Total New Connections/Second: 0
Total Packets/Second: 0
Total Bytes/Second: 0
Reasons Packets Dropped:
IP Fragment: 0
IP Option: 0
Penalty Box: 0
Blacklist: 0
Rate Limit: 0
Number of Elements in Tables:
Penalty Box: 0 (size: 0)
Non-Empty Blacklists: 0 (size: 0)
Blacklisted IPs: 0 (size: 0)
Rate Limit Matches: 0 (size: 0)
Rate Limit Source Only Tracks: 0 (size: 0)
Rate Limit Source and Service Tracks: 0 (size: 0)
SXL Devices in Aggregate:
Reasons Packets Dropped:
IP Fragment: 0
IP Option: 0
Penalty Box: 0
Blacklist: 0
Rate Limit: 0
Number of Elements in Tables:
Penalty Box: 0
Non-Empty Blacklists: 0
Blacklisted IPs: 0
Rate Limit Matches: 0
Rate Limit Source Only Tracks: 0
Rate Limit Source and Service Tracks: 0
[Expert@MyGW:0]#


set virtual-system < >
vsenv < >


 --enable-drop-opts
 --enable-drop-frags
fwaccel dos config fwaccel6 dos config
 fw samp
fw samp -a b ...
fw sam_policy

 fwaccel dos pbox whitelist

 fwaccel synatk whitelist

fwaccel [-i <SecureXL ID>] dos whitelist

-a <IPv4 Address>[/<Subnet Prefix>]
-d <IPv4 Address>[/<Subnet Prefix>]
-F
-l /<Path>/<Name of File>
-L
-s

-i < >
-a < >[/< >]

 < >

 < >
/<bits>


192.168.20.30
192.168.20.30/32

192.168.20.0/24
-d < >[/< >]

 < >

/<bits>

-F
-l /< >/< >

-F -l


touch vi

chmod +x

< >[/< >]



-L

$FWDIR/conf/pbox-whitelist-v4.conf

fwaccel dos pbox whitelist -L

-F -L



touch vi

chmod +x

< >[/< >]



-s
[Expert@MyGW:0]# fwaccel dos whitelist -a 192.168.20.40
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos whitelist -s
192.168.20.40/32
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos whitelist -F
[Expert@MyGW:0]# fwaccel dos whitelist -s
[Expert@MyGW:0]#

[Expert@MyGW:0]# fwaccel dos whitelist -a 192.168.20.40/32

[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos whitelist -s
192.168.20.40/32
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos whitelist -F
[Expert@MyGW:0]# fwaccel dos whitelist -s
[Expert@MyGW:0]#

[Expert@MyGW:0]# fwaccel dos whitelist -a 192.168.20.0/24

[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos whitelist -s
192.168.20.0/24
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos whitelist -F
[Expert@MyGW:0]# fwaccel dos whitelist -s
[Expert@MyGW:0]#

[Expert@MyGW:0]# fwaccel dos whitelist -a 192.168.20.40/32

[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos whitelist -a 192.168.20.70/32
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos whitelist -s
192.168.20.40/32
192.168.20.70/32
[Expert@MyGW:0]# fwaccel dos whitelist -d 192.168.20.70/32
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dos whitelist -s
192.168.20.40/32
[Expert@MyGW:0]#






fwaccel [-i <SecureXL ID>] feature <Name of Feature>

get
off
on

fwaccel6 feature <Name of Feature>

get
off
on

-i < >

< >

 sctp


get
off

sctp
$FWDIR/modules/fwkern.conf
sim_sctp_disable_by_default=1

[Expert@MyGW:0]# fwaccel feature

Usage: fwaccel feature <name> {on|off|get}

Available features: sctp

[Expert@MyGW:0]#

[Expert@MyGW:0]# fwaccel feature sctp get

sim_sctp_disable_by_default = 0
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel feature sctp off
Set operation succeeded
[Expert@MyGW:0]# fwaccel feature sctp get
sim_sctp_disable_by_default = 1
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel feature sctp on
Set operation succeeded
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel feature sctp get
sim_sctp_disable_by_default = 0
[Expert@MyGW:0]#
cpstart




set virtual-system < >

vsenv < >
 -a

fwaccel [-i <SecureXL ID>] off [-a] [-q]

fwaccel6 off [-a] [-q]

-i < >
-a
-q

 SecureXL device disabled

 SecureXL device is not active
 Failed to disable SecureXL device
 fwaccel_off: failed to set process context < >

[Expert@MyGW:0]# fwaccel off

SecureXL device disabled.
[Expert@MyGW:0]#

[Expert@MyVSXGW:1]# vsx stat -v

VSX Gateway Status
==================
Name: VSX2_192.168.3.242
Access Control Policy: VSX_GW_VSX
Installed at: 17Sep2018 13:17:14
Threat Prevention Policy: <No Policy>
SIC Status: Trust

Number of Virtual Systems allowed by license: 25

Virtual Systems [active / configured]: 2 / 2
Virtual Routers and Switches [active / configured]: 0 / 0
Total connections [current / limit]: 4 / 44700

Virtual Devices Status

======================

Type: S - Virtual System, B - Virtual System in Bridge mode,

R - Virtual Router, W - Virtual Switch.

[Expert@MyVSXGW:1]#

[Expert@MyVSXGW:1]# fwaccel off

[Expert@MyVSXGW:1]#

[Expert@MyVSXGW:1]# vsx stat -v

VSX Gateway Status
==================
Name: VSX2_192.168.3.242
Access Control Policy: VSX_GW_VSX
Installed at: 17Sep2018 13:17:14
Threat Prevention Policy: <No Policy>
SIC Status: Trust
Number of Virtual Systems allowed by license: 25
Virtual Systems [active / configured]: 2 / 2
Virtual Routers and Switches [active / configured]: 0 / 0
Total connections [current / limit]: 4 / 44700

Virtual Devices Status

======================

Type: S - Virtual System, B - Virtual System in Bridge mode,

R - Virtual Router, W - Virtual Switch.

[Expert@MyVSXGW:1]#
[Expert@MyVSXGW:1]# vsenv 1
Context is set to Virtual Device VS1 (ID 1).
[Expert@MyVSXGW:1]#
[Expert@MyVSXGW:1]# fwaccel off -a
SecureXL device disabled. (Virtual ID 0)
SecureXL device disabled. (Virtual ID 1)
SecureXL device disabled. (Virtual ID 2)
[Expert@MyVSXGW:1]#
fwaccel
off fwaccel6 off




set virtual-system < >

vsenv < >
 -a

fwaccel [-i <SecureXL ID>] on [-a] [-q]

fwaccel6 on [-a] [-q]

-i < >
-a
-q

 SecureXL device is enabled.

 Failed to start SecureXL.
 No license for SecureXL.
 SecureXL is disabled by the firewall. Please try again later.
 The installed SecureXL device is not compatible with the installed
firewall (version mismatch).
 The SecureXL device is in the process of being stopped. Please try
again later.
 SecureXL cannot be started while "flows" are active.
 SecureXL is already started.
 SecureXL will be started after a policy is loaded.
 fwaccel: Failed to check FloodGate-1 status. Acceleration will not
be started.
FW-1: SecureXL acceleration cannot be started while QoS is running
in express mode.
Please disable FloodGate-1 express mode or SecureXL.
FW-1: SecureXL acceleration cannot be started while QoS is running
with citrix printing rule.
Please remove the citrix printing rule to enable SecureXL.
FW-1: SecureXL acceleration cannot be started while QoS is running
with UAS rule.
Please remove the UAS rule to enable SecureXL.
 FW-1: SecureXL acceleration cannot be started while QoS is running.
Please remove the QoS blade to enable SecureXL.
 Failed to enable SecureXL device
 fwaccel_on: failed to set process context < >

[Expert@MyGW:0]# fwaccel on
SecureXL device is enabled.
[Expert@MyGW:0]#

[Expert@MyVSXGW:1]# vsx stat -v

VSX Gateway Status
==================
Name: VSX2_192.168.3.242
Access Control Policy: VSX_GW_VSX
Installed at: 17Sep2018 13:17:14
Threat Prevention Policy: <No Policy>
SIC Status: Trust

Number of Virtual Systems allowed by license: 25

Virtual Systems [active / configured]: 2 / 2
Virtual Routers and Switches [active / configured]: 0 / 0
Total connections [current / limit]: 4 / 44700

Virtual Devices Status

======================

Type: S - Virtual System, B - Virtual System in Bridge mode,

R - Virtual Router, W - Virtual Switch.

[Expert@MyVSXGW:1]#

[Expert@MyVSXGW:1]#

[Expert@MyVSXGW:1]# vsx stat -v

VSX Gateway Status
==================
Name: VSX2_192.168.3.242
Access Control Policy: VSX_GW_VSX
Installed at: 17Sep2018 13:17:14
Threat Prevention Policy: <No Policy>
SIC Status: Trust

Number of Virtual Systems allowed by license: 25

Virtual Systems [active / configured]: 2 / 2
Virtual Routers and Switches [active / configured]: 0 / 0
Total connections [current / limit]: 4 / 44700

Virtual Devices Status

======================

Type: S - Virtual System, B - Virtual System in Bridge mode,

R - Virtual Router, W - Virtual Switch.

[Expert@MyVSXGW:1]#
[Expert@MyVSXGW:1]# vsenv 1
Context is set to Virtual Device VS1 (ID 1).
[Expert@MyVSXGW:1]#
[Expert@MyVSXGW:1]# fwaccel on -a
[Expert@MyVSXGW:1]#









fwaccel [-i <SecureXL ID>] ranges

-h
-a
-l
-p <Range ID>
-s <Range ID>

fwaccel6 ranges
-h
-a
-l
-p <Range ID>
-s <Range ID>

-i < >
-h
-a

fwaccel templates -d fwaccel6 templates -d

fwaccel ranges -a

-l




-p < >
-s < >

[Expert@MyGW:0]# fwaccel ranges -l

SecureXL device 0:
0 Rule base source ranges (ip):
1 Rule base destination ranges (ip):
2 Rule base dport ranges (port, proto):
[Expert@MyGW:0]#

[Expert@MyGW:0]# fwaccel ranges

SecureXL device 0:
Rule base source ranges (ip):
(0) 0.0.0.0 - 192.168.204.0
(1) 192.168.204.1 - 192.168.204.1
(2) 192.168.204.2 - 192.168.204.39
(3) 192.168.204.40 - 192.168.204.40
(4) 192.168.204.41 - 192.168.254.39
(5) 192.168.254.40 - 192.168.254.40
(6) 192.168.254.41 - 255.255.255.255
Rule base destination ranges (ip):
(0) 0.0.0.0 - 192.168.204.0
(1) 192.168.204.1 - 192.168.204.1
(2) 192.168.204.2 - 192.168.204.39
(3) 192.168.204.40 - 192.168.204.40
(4) 192.168.204.41 - 192.168.254.39
(5) 192.168.254.40 - 192.168.254.40
(6) 192.168.254.41 - 255.255.255.255
Rule base dport ranges (port, proto):
(0) 0, 0 - 138, 6
(1) 139, 6 - 139, 6
(2) 140, 6 - 18189, 6
(3) 18190, 6 - 18190, 6
(4) 18191, 6 - 18191, 6
(5) 18192, 6 - 18192, 6
(6) 18193, 6 - 19008, 6
(7) 19009, 6 - 19009, 6
(8) 19010, 6 - 136, 17
(9) 137, 17 - 138, 17
(10) 139, 17 - 65535, 65535
[Expert@MyGW:0]#

[Expert@MyGW:0]# fwaccel ranges -p 0

SecureXL device 0:
Rule base source ranges (ip):
(0) 0.0.0.0 - 192.168.204.0
(1) 192.168.204.1 - 192.168.204.1
(2) 192.168.204.2 - 192.168.204.39
(3) 192.168.204.40 - 192.168.204.40
(4) 192.168.204.41 - 192.168.254.39
(5) 192.168.254.40 - 192.168.254.40
(6) 192.168.254.41 - 255.255.255.255
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel ranges -p 1
SecureXL device 0:
Rule base destination ranges (ip):
(0) 0.0.0.0 - 192.168.204.0
(1) 192.168.204.1 - 192.168.204.1
(2) 192.168.204.2 - 192.168.204.39
(3) 192.168.204.40 - 192.168.204.40
(4) 192.168.204.41 - 192.168.254.39
(5) 192.168.254.40 - 192.168.254.40
(6) 192.168.254.41 - 255.255.255.255
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel ranges -p 2
SecureXL device 0:
Rule base dport ranges (port, proto):
(0) 0, 0 - 138, 6
(1) 139, 6 - 139, 6
(2) 140, 6 - 18189, 6
(3) 18190, 6 - 18190, 6
(4) 18191, 6 - 18191, 6
(5) 18192, 6 - 18192, 6
(6) 18193, 6 - 19008, 6
(7) 19009, 6 - 19009, 6
(8) 19010, 6 - 136, 17
(9) 137, 17 - 138, 17
(10) 139, 17 - 65535, 65535
[Expert@MyGW:0]#

[Expert@MyGW:0]# fwaccel ranges -s 0

SecureXL device 0:
List name "Rule base source ranges (ip):", ID 0, Number of ranges 7
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel ranges -s 1
SecureXL device 0:
List name "Rule base destination ranges (ip):", ID 1, Number of ranges 7
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel ranges -s 2
SecureXL device 0:
List name "Rule base dport ranges (port, proto):", ID 2, Number of ranges 11
[Expert@MyGW:0]#

[Expert@MyVSXGW:2]# vsenv 0
Context is set to Virtual Device VSX2_192.168.3.242 (ID 0).
[Expert@MyVSXGW:0]# fwaccel ranges -l
SecureXL device 0:
0 Anti spoofing ranges eth0:
1 Anti spoofing ranges eth1:
[Expert@MyVSXGW:0]# vsenv 1
Context is set to Virtual Device VS1 (ID 1).
[Expert@MyVSXGW:1]# fwaccel ranges -l
SecureXL device 0:
0 Anti spoofing ranges eth3:
1 Anti spoofing ranges eth2.52:
[Expert@MyVSXGW:1]# vsenv 2
Context is set to Virtual Device VS2 (ID 2).
[Expert@MyVSXGW:2]# fwaccel ranges -l
SecureXL device 0:
0 Anti spoofing ranges eth4:
1 Anti spoofing ranges eth2.53:
[Expert@MyVSXGW:2]#

[Expert@MyVSXGW:2]# vsenv 0
Context is set to Virtual Device VSX2_192.168.3.242 (ID 0).
[Expert@MyVSXGW:0]# fwaccel ranges
SecureXL device 0:
Anti spoofing ranges eth0:
(0) 0.0.0.0 - 10.20.29.255
(1) 10.20.31.0 - 126.255.255.255
(2) 128.0.0.0 - 192.168.2.255
(3) 192.168.3.1 - 192.168.3.241
(4) 192.168.3.243 - 192.168.3.254
(5) 192.168.4.0 - 223.255.255.255
(6) 240.0.0.0 - 255.255.255.254
Anti spoofing ranges eth1:
(0) 10.20.30.1 - 10.20.30.241
(1) 10.20.30.243 - 10.20.30.254
[Expert@MyVSXGW:0]#
[Expert@MyVSXGW:1]# vsenv 1
Context is set to Virtual Device VS1 (ID 1).
[Expert@MyVSXGW:1]# fwaccel ranges
SecureXL device 0:
Anti spoofing ranges eth3:
(0) 40.50.60.0 - 40.50.60.255
(1) 192.168.196.17 - 192.168.196.17
(2) 192.168.196.19 - 192.168.196.30
Anti spoofing ranges eth2.52:
(0) 70.80.90.0 - 70.80.90.255
(1) 192.168.196.1 - 192.168.196.1
(2) 192.168.196.3 - 192.168.196.14
[Expert@MyVSXGW:1]#
[Expert@MyVSXGW:1]# vsenv 2
Context is set to Virtual Device VS2 (ID 2).
[Expert@MyVSXGW:2]# fwaccel ranges
SecureXL device 0:
Anti spoofing ranges eth4:
(0) 100.100.100.0 - 100.100.100.255
(1) 192.168.196.17 - 192.168.196.17
(2) 192.168.196.19 - 192.168.196.30
Anti spoofing ranges eth2.53:
(0) 192.168.196.1 - 192.168.196.1
(1) 192.168.196.3 - 192.168.196.14
(2) 200.200.200.0 - 200.200.200.255
[Expert@MyVSXGW:2]#
[Expert@MyVSXGW:2]# vsenv 1
Context is set to Virtual Device VS1 (ID 1).
[Expert@MyVSXGW:1]#
[Expert@MyVSXGW:1]# fwaccel ranges -s 0
SecureXL device 0:
List name "Anti spoofing ranges eth3:", ID 0, Number of ranges 3
[Expert@MyVSXGW:1]#
[Expert@MyVSXGW:1]# fwaccel ranges -s 1
SecureXL device 0:
List name "Anti spoofing ranges eth2.52:", ID 1, Number of ranges 3
[Expert@MyVSXGW:1]#
[Expert@MyVSXGW:1]# fwaccel ranges -s 2
SecureXL device 0:
The requested range table is empty
[Expert@MyVSXGW:1]#
[Expert@MyVSXGW:1]# vsenv 2
Context is set to Virtual Device VS2 (ID 2).
[Expert@MyVSXGW:1]#
[Expert@MyVSXGW:2]# fwaccel ranges -s 0
SecureXL device 0:
List name "Anti spoofing ranges eth4:", ID 0, Number of ranges 3
[Expert@MyVSXGW:1]#
[Expert@MyVSXGW:2]# fwaccel ranges -s 1
SecureXL device 0:
List name "Anti spoofing ranges eth2.53:", ID 1, Number of ranges 3
[Expert@MyVSXGW:1]#
[Expert@MyVSXGW:2]# fwaccel ranges -s 2
SecureXL device 0:
The requested range table is empty
[Expert@MyVSXGW:2]#
fwaccel [-i <SecureXL ID>] stat [-a] [-t] [-v]

fwaccel6 stat [-a] [-t] [-v]

-i < >











-a
-t






-v
-a

[Expert@MyGW:0]# fwaccel stat

Accept Templates : disabled by Firewall

Layer MyGW_Policy Network disables template offloads from rule #1
Throughput acceleration still enabled.
Drop Templates : disabled
NAT Templates : disabled by Firewall
Layer MyGW_Policy Network disables template offloads from rule #1
Throughput acceleration still enabled.
[Expert@MyGW:0]#

[Expert@MyGW:0]# fwaccel stat -t

[Expert@MyGW:0]#

[Expert@MyVSXGW:1]# vsx stat -v

VSX Gateway Status
==================
Name: VSX2_192.168.3.242
Access Control Policy: VSX_GW_VSX
Installed at: 17Sep2018 13:17:14
Threat Prevention Policy: <No Policy>
SIC Status: Trust

Number of Virtual Systems allowed by license: 25

Virtual Systems [active / configured]: 2 / 2
Virtual Routers and Switches [active / configured]: 0 / 0
Total connections [current / limit]: 4 / 44700

Virtual Devices Status

======================

Type: S - Virtual System, B - Virtual System in Bridge mode,

R - Virtual Router, W - Virtual Switch.

Accept Templates : disabled by Firewall

Layer VS1_Policy Network disables template offloads from rule #1
Throughput acceleration still enabled.
Drop Templates : disabled
NAT Templates : disabled by Firewall
Layer VS1_Policy Network disables template offloads from rule #1
Throughput acceleration still enabled.
[Expert@MyVSXGW:1]#
fwaccel [-i <SecureXL ID>] stats
[-c]
[-d]
[-l]
[-m]
[-n]
[-o]
[-p]
[-q]
[-r]
[-s]
[-x]

fwaccel6 stats
[-c]
[-d]
[-l]
[-m]
[-n]
[-o]
[-p]
[-q]
[-r]
[-s]
[-x]

-i < >
-c

-d

-l

-m
-n

-o

-p
-q

-r

-s
-x


accel packets
accel bytes
outbound packets
outbound bytes
conns created
conns deleted
C total conns
C templates

C TCP conns
C non TCP conns

conns from templates

nat conns
dropped packets
dropped bytes
nat templates
port alloc templates
conns from nat tmpl
port alloc conns
fragments received
fragments transmit
fragments dropped
fragments expired
IP options stripped
IP options restored
IP options dropped
corrs created
corrs deleted
C corrections
corrected packets
corrected bytes

C crypt conns

enc bytes
dec bytes
ESP enc pkts
ESP enc err
ESP dec pkts
ESP dec err
ESP other err
espudp enc pkts
espudp enc err
espudp dec pkts
espudp dec err

PXL packets

PXL async packets

PXL bytes
C PXL conns
C PXL templates

PXL FF conns
PXL FF packets
PXL FF bytes
PXL FF acks

PSL Inline packets

PSL Inline bytes
CPAS Inline packets
CPAS Inline bytes

Total QoS Conns

QoS Classify Conns
QoS Classify flow
Reclassify QoS polic

Enqueued IN packets
Enqueued OUT packets
Dequeued IN packets
Dequeued OUT packets
Enqueued IN bytes
Enqueued OUT bytes
Dequeued IN bytes
Dequeued OUT bytes

Enqueued IN packets
Enqueued OUT packets
Dequeued IN packets
Dequeued OUT packets

Enqueued IN bytes
Enqueued OUT bytes
Dequeued IN bytes
Dequeued OUT bytes


F2F packets

F2F bytes

TCP violations
C anticipated conns
port alloc f2f
F2V conn match pkts

F2V packets

F2V bytes

gtp tunnels created

gtp tunnels
gtp accel pkts
gtp f2f pkts

gtp spoofed pkts

gtp in gtp pkts
gtp signaling pkts
gtp tcpopt pkts
gtp apn err pkts

memory used
free memory
C used templates
pxl tmpl conns
C conns from tmpl

C tcp handshake conn

C tcp established co

C tcp closed conns

C tcp pxl handshake

C tcp pxl establishe

C tcp pxl closed con

outbound pxl packets

fwaccel stats -s

Accelerated conns/Total conns : 0/0 (0%)

Accelerated pkts/Total pkts : 0/8 (0%)
F2Fed pkts/Total pkts : 8/8 (100%)
F2V pkts/Total pkts : 0/8 (0%)
CPASXL pkts/Total pkts : 0/8 (0%)
PSLXL pkts/Total pkts : 0/8 (0%)
QOS inbound pkts/Total pkts : 0/8 (0%)
QOS outbound pkts/Total pkts : 0/8 (0%)
Corrected pkts/Total pkts : 0/8 (0%)
fwaccel stats

Name Value Name Value

---------------------------- ------------ ---------------------------- ------------

Accelerated Path
--------------------------------------------------------------------------------------
accel packets 0 accel bytes 0
outbound packets 0 outbound bytes 0
conns created 0 conns deleted 0
C total conns 0 C TCP conns 0
C non TCP conns 0 nat conns 0
dropped packets 0 dropped bytes 0
fragments received 0 fragments transmit 0
fragments dropped 0 fragments expired 0
IP options stripped 0 IP options restored 0
IP options dropped 0 corrs created 0
corrs deleted 0 C corrections 0
corrected packets 0 corrected bytes 0

Accelerated VPN Path

--------------------------------------------------------------------------------------
C crypt conns 0 enc bytes 0
dec bytes 0 ESP enc pkts 0
ESP enc err 0 ESP dec pkts 0
ESP dec err 0 ESP other err 0
espudp enc pkts 0 espudp enc err 0
espudp dec pkts 0 espudp dec err 0
espudp other err 0

Medium Streaming Path

--------------------------------------------------------------------------------------
CPASXL packets 0 PSLXL packets 0
CPASXL async packets 0 PSLXL async packets 0
CPASXL bytes 0 PSLXL bytes 0
C CPASXL conns 0 C PSLXL conns 0
CPASXL conns created 0 PSLXL conns created 0
PXL FF conns 0 PXL FF packets 0
PXL FF bytes 0 PXL FF acks 0
PXL no conn drops 0

Inline Streaming Path

--------------------------------------------------------------------------------------
PSL Inline packets 0 PSL Inline bytes 0
CPAS Inline packets 0 CPAS Inline bytes 0

QoS Paths
--------------------------------------------------------------------------------------
QoS General Information:
------------------------
Total QoS Conns 0 QoS Classify Conns 0
QoS Classify flow 0 Reclassify QoS policy 0

FireWall QoS Path:

------------------
Enqueued IN packets 0 Enqueued OUT packets 0
Dequeued IN packets 0 Dequeued OUT packets 0
Enqueued IN bytes 0 Enqueued OUT bytes 0
Dequeued IN bytes 0 Dequeued OUT bytes 0

Accelerated QoS Path:

---------------------
Enqueued IN packets 0 Enqueued OUT packets 0
Dequeued IN packets 0 Dequeued OUT packets 0
Enqueued IN bytes 0 Enqueued OUT bytes 0
Dequeued IN bytes 0 Dequeued OUT bytes 0

Firewall Path
--------------------------------------------------------------------------------------
F2F packets 35324 F2F bytes 1797781
TCP violations 0 F2V conn match pkts 0
F2V packets 0 F2V bytes 0

GTP
--------------------------------------------------------------------------------------
gtp tunnels created 0 gtp tunnels 0
gtp accel pkts 0 gtp f2f pkts 0
gtp spoofed pkts 0 gtp in gtp pkts 0
gtp signaling pkts 0 gtp tcpopt pkts 0
gtp apn err pkts 0

General
--------------------------------------------------------------------------------------
memory used 38798784 C tcp handshake conns 0
C tcp established conns 0 C tcp closed conns 0
C tcp pxl handshake conns 0 C tcp pxl established conns 0
C tcp pxl closed conns 0 outbound cpasxl packets 0
outbound pslxl packets 0 outbound cpasxl bytes 0
outbound pslxl bytes 0 DNS DoR stats 0

(*) Statistics marked with C refer to current value, others refer to total value
fwaccel stats -c

Cluster Correction stats:

Name Value Name Value

----------------------- ------------ ----------------------- ------------
Sent pkts (total) 0 Sent with metadata 0
Received pkts (total) 0 Received with metadata 0
Sent bytes 0 Received bytes 0
Send errors 0 Receive errors 0
fwaccel stats -d

Reason Value Reason Value

-------------------- --------------- -------------------- ---------------
general reason 0 CPASXL decision 0
PSLXL decision 0 clr pkt on vpn 0
encrypt failed 0 drop template 0
decrypt failed 0 interface down 0
cluster error 0 XMT error 0
anti spoofing 0 local spoofing 0
sanity error 0 monitored spoofed 0
QOS decision 0 C2S violation 0
S2C violation 0 Loop prevention 0
DOS Fragments 0 DOS IP Options 0
DOS Blacklists 0 DOS Penalty Box 0
DOS Rate Limiting 0 Syn Attack 0
Reorder 0 Expired Fragments 0
fwaccel stats -l

Name Value Name Value

---------------------------- ------------ ---------------------------- ------------
- 0 accel packets 0
accel bytes 0 outbound packets 0
outbound bytes 0 conns created 0
conns deleted 0 C total conns 0
C TCP conns 0 C non TCP conns 0
nat conns 0 dropped packets 0
dropped bytes 0 fragments received 0
fragments transmit 0 fragments dropped 0
fragments expired 0 IP options stripped 0
IP options restored 0 IP options dropped 0
corrs created 0 corrs deleted 0
C corrections 0 corrected packets 0
corrected bytes 0 C crypt conns 0
enc bytes 0 dec bytes 0
ESP enc pkts 0 ESP enc err 0
ESP dec pkts 0 ESP dec err 0
ESP other err 0 espudp enc pkts 0
espudp enc err 0 espudp dec pkts 0
espudp dec err 0 espudp other err 0
acct update interval 3600 CPASXL packets 0
PSLXL packets 0 CPASXL async packets 0
PSLXL async packets 0 CPASXL bytes 0
PSLXL bytes 0 C CPASXL conns 0
C PSLXL conns 0 CPASXL conns created 0
PSLXL conns created 0 PXL FF conns 0
PXL FF packets 0 PXL FF bytes 0
PXL FF acks 0 PXL no conn drops 0
PSL Inline packets 0 PSL Inline bytes 0
CPAS Inline packets 0 CPAS Inline bytes 0
Total QoS Conns 0 QoS Classify Conns 0
QoS Classify flow 0 Reclassify QoS policy 0
Enqueued IN packets 0 Enqueued OUT packets 0
Dequeued IN packets 0 Dequeued OUT packets 0
Enqueued IN bytes 0 Enqueued OUT bytes 0
Dequeued IN bytes 0 Dequeued OUT bytes 0
Enqueued IN packets 0 Enqueued OUT packets 0
Dequeued IN packets 0 Dequeued OUT packets 0
Enqueued IN bytes 0 Enqueued OUT bytes 0
Dequeued IN bytes 0 Dequeued OUT bytes 0
F2F packets 35383 F2F bytes 1801493
TCP violations 0 F2V conn match pkts 0
F2V packets 0 F2V bytes 0
gtp tunnels created 0 gtp tunnels 0
gtp accel pkts 0 gtp f2f pkts 0
gtp spoofed pkts 0 gtp in gtp pkts 0
gtp signaling pkts 0 gtp tcpopt pkts 0
gtp apn err pkts 0 memory used 38798784
C tcp handshake conns 0 C tcp established conns 0
C tcp closed conns 0 C tcp pxl handshake conns 0
C tcp pxl established conns 0 C tcp pxl closed conns 0
outbound cpasxl packets 0 outbound pslxl packets 0
outbound cpasxl bytes 0 outbound pslxl bytes 0
DNS DoR stats 0
(*) Statistics marked with C refer to current value, others refer to total value
fwaccel stats -m

Name Value Name Value

-------------------- --------------- -------------------- ---------------
in packets 0 out packets 0
if restricted 0 conns with down if 0
f2f packets 0 f2f bytes 0
dropped packets 0 dropped bytes 0
accel packets 0 accel bytes 0
mcast conns 0
fwaccel stats -n

Name Value Name Value

-------------------- --------------- -------------------- ---------------
NAC packets 0 NAC bytes 0
NAC connections 0 complience failure 0
fwaccel stats -o

Appliaction: F2V
Statistic Value
----------------------------------- --------------------
Queued pkts 0
Max queued pkts 0
Timer triggered 0
Callback hahndling unhold 0
Callback hahndling unhold and drop 0
Callback hahndling reset 0
Dequeued pkts resumed 0
Queue ent allocated 0
Queue ent freed 0
Queues allocated 0
Queues freed 0
Ack notif sent 0
Ack respones handling 0
Dequeued pkts dropped 0
Reached max queued pkt limit 0
Set timer failed 0
Error already held 0
Queue ent alloc failed 0
Queue alloc failed 0
Ack notif failed 0
Ack respones handling failed 0
----------------------------------------------------

Appliaction: Route
Statistic Value
----------------------------------- --------------------
Queued pkts 0
Max queued pkts 0
Timer triggered 0
Callback hahndling unhold 0
Callback hahndling unhold and drop 0
Callback hahndling reset 0
Dequeued pkts resumed 0
Queue ent allocated 0
Queue ent freed 0
Queues allocated 0
Queues freed 0
Ack notif sent 0
Ack respones handling 0
Dequeued pkts dropped 0
Reached max queued pkt limit 0
Set timer failed 0
Error already held 0
Queue ent alloc failed 0
Queue alloc failed 0
Ack notif failed 0
Ack respones handling failed 0
----------------------------------------------------

Appliaction: New connection

Statistic Value
----------------------------------- --------------------
Queued pkts 0
Max queued pkts 0
Timer triggered 0
Callback hahndling unhold 0
Callback hahndling unhold and drop 0
Callback hahndling reset 0
Dequeued pkts resumed 0
Queue ent allocated 0
Queue ent freed 0
Queues allocated 0
Queues freed 0
Ack notif sent 0
Ack respones handling 0
Dequeued pkts dropped 0
Reached max queued pkt limit 0
Set timer failed 0
Error already held 0
Queue ent alloc failed 0
Queue alloc failed 0
Ack notif failed 0
Ack respones handling failed 0
----------------------------------------------------

Appliaction: F2P
Statistic Value
----------------------------------- --------------------
Queued pkts 0
Max queued pkts 0
Timer triggered 0
Callback hahndling unhold 0
Callback hahndling unhold and drop 0
Callback hahndling reset 0
Dequeued pkts resumed 0
Queue ent allocated 0
Queue ent freed 0
Queues allocated 0
Queues freed 0
Ack notif sent 0
Ack respones handling 0
Dequeued pkts dropped 0
Reached max queued pkt limit 0
Set timer failed 0
Error already held 0
Queue ent alloc failed 0
Queue alloc failed 0
Ack notif failed 0
Ack respones handling failed 0
----------------------------------------------------
fwaccel stats -p

F2F packets:
--------------
Violation Packets Violation Packets
-------------------- --------------- -------------------- ---------------
pkt has IP options 0 ICMP miss conn 3036
TCP-SYN miss conn 8 TCP-other miss conn 32224
UDP miss conn 3772 other miss conn 0
VPN returned F2F 0 uni-directional viol 0
possible spoof viol 0 TCP state viol 0
out if not def/accl 0 bridge, src=dst 0
routing decision err 0 sanity checks failed 0
fwd to non-pivot 0 broadcast/multicast 0
cluster message 0 cluster forward 0
chain forwarding 0 F2V conn match pkts 0
general reason 0 route changes 0
fwaccel stats -q

Notification Packets Notification Packets

--------------------- -------------- --------------------- --------------
ntSAAboutToExpire 0 ntSAExpired 0
ntMSPIError 0 ntNoInboundSA 0
ntNoOutboundSA 0 ntDataIntegrityFailed 0
ntPossibleReplay 0 ntReplay 0
ntNextProtocolError 0 ntCPIError 0
ntClearTextPacket 0 ntFragmentation 0
ntUpdateUdpEncTable 0 ntSASync 0
ntReplayOutOfWindow 0 ntVPNTrafficReport 0
ntConnDeleted 0 ntConnUpdate 0
ntPacketDropped 0 ntSendLog 0
ntRefreshGTPTunnel 0 ntMcastDrop 0
ntAccounting 0 ntAsyncIndex 0
ntACkReordering 0 ntAccelAckInfo 0
ntMonitorPacket 0 ntPacketCapture 0
ntCpasPacketCapture 0 ntPSLGlueUpdateReject 0
ntSeqVerifyDrop 0 ntPacketForwardBefore 0
ntICMPMessage 0 ntQoSReclassifyPacket 0
ntQoSResumePacket 0 ntVPNEncHaLinkFailure 0
ntVPNEncLsLinkFailure 0 ntVPNEncRouteChange 0
ntVPNDecVerRouteChang 0 ntVPNDecRouteChange 0
ntMuxSimToFw 0 ntPSLEventLog 0
ntSendCPHWDStats 14871 ntPacketTaggingViolat 0
ntDosNotify 28 ntSynatkNotify 0
ntSynatkStats 0 ntQoSEventLog 0
ntPrintGetParam 0
fwaccel stats -x

PXL Release Context statistics:

Name Value Name Value

----------------------- ------------ ----------------------- ------------
End Handler 0 Post Sync 0
Stop Stream 0 kbuf fail 0
Set field failure 0 Notif set field fail 0
Non SYN seq fail 0 Tmpl kbuf fail 0
Tmpl set field fail 0 Segment Injection 0
Init app fail 0 Expiration 0
Newconn set field fail 0 Newconn fail 0
CPHWD dec 0 No PSL policy 0

PXL Exception statistics:

Name Value Name Value

----------------------- ------------ ----------------------- ------------
urgent packets 0 invalid SYN retrans 0
SYN seq not init 0 old pkts out win 0
old pkts out win trunc 0 old pkts out win strip 0
new pkts out win 0 incorrect retrans 0
TCP pkts with bad csum 0 ACK unprocessed data 0
old ACK out win 0 Max segments reached 0
No resources 0 Hold timeout 0
fwaccel synatk
-a
-c <options>
-d
-e
-g
-m
-t <options>
config
monitor <options>
state <options>
whitelist <options>

fwaccel6 synatk
-a
-c <options>
-d
-e
-g
-m
-t <options>
config
monitor <options>
state <options>
whitelist <options>

-a
-c < >

-d
-e

-g
-m

-t < >

config
monitor < >

state < >

whitelist < >

$FWDIR/conf/synatk.conf




 {fwaccel | fwaccel6} synatk -d

 {fwaccel | fwaccel6} synatk -e
 {fwaccel | fwaccel6} synatk -g
 {fwaccel | fwaccel6} synatk -m

fwaccel synatk -a

fwaccel6 synatk -a



 {fwaccel | fwaccel6} synatk -d

 {fwaccel | fwaccel6} synatk -e
 {fwaccel | fwaccel6} synatk -g
 {fwaccel | fwaccel6} synatk -m

fwaccel synatk -c <Configuration File>

fwaccel6 synatk -c <Configuration File>

$FWDIR/conf/synatk.conf

$FWDIR/conf/synatk.conf
-c

 fwaccel synatk monitor fwaccel6 synatk monitor

 Disabled
 Disable
 Disable
 fwaccel synatk config fwaccel6 synatk config

 enabled 0
 enforce 0

fwaccel synatk -d

fwaccel6 synatk -d

$FWDIR/conf/synatk.conf
-c

 fwaccel synatk monitor fwaccel6 synatk monitor

 Enforcing
 Prevent
 Ready
 fwaccel synatk monitor fwaccel6 synatk monitor

 Enforcing
 Detect
 Monitor
 fwaccel synatk config fwaccel6 synatk config

 enabled 1
 enforce 1

fwaccel synatk -e

fwaccel6 synatk -e

$FWDIR/conf/synatk.conf
-c

 fwaccel synatk monitor fwaccel6 synatk monitor

 Enforcing
 Prevent
 Ready
 fwaccel synatk monitor fwaccel6 synatk monitor

 Enforcing
 Detect
 Monitor
 fwaccel synatk config fwaccel6 synatk config

 enabled 1
 enforce 2

fwaccel synatk -g

fwaccel6 synatk -g

$FWDIR/conf/synatk.conf
-c

 fwaccel synatk monitor fwaccel6 synatk monitor

 Monitoring
 Detect
 Monitor
 fwaccel synatk config fwaccel6 synatk config

 enabled 1
 enforce 0

fwaccel synatk -m

fwaccel6 synatk -m

$FWDIR/conf/synatk.conf
-c

fwaccel synatk -t <Threshold>

fwaccel6 synatk -t <Threshold>

 < >



 < >


 < >



fwaccel synatk config

fwaccel6 synatk config

[Expert@MyGW:0]# fwaccel synatk config

enabled 0
enforce 1
global_high_threshold 10000
periodic_updates 1
cookie_resolution_shift 6
min_frag_sz 80
high_threshold 5000
low_threshold 1000
score_alpha 100
monitor_log_interval (msec) 60000
grace_timeout (msec) 30000
min_time_in_active (msec) 60000
[Expert@MyGW:0]#

enabled



enforce


global_high_threshold
fwaccel synatk -t <Threshold>
fwaccel6 synatk -t <Threshold>

periodic_updates



cookie_resolution_shift



min_frag_sz



high_threshold
fwaccel synatk -t <Threshold>
fwaccel6 synatk -t <Threshold>

low_threshold
fwaccel synatk -t <Threshold>
fwaccel6 synatk -t <Threshold>

score_alpha



monitor_log_interval (msec)



grace_timeout (msec)



min_time_in_active (msec)



fwaccel synatk -m fwaccel6 synatk -m

fwaccel synatk monitor

[-p]
[-p] -a
[-p] -s
[-p] -v

fwaccel6 synatk monitor

[-p]
[-p] -a
[-p] -s
[-p] -v

-p
PPAK ID: 0
[-p] -a

[-p] -s
[-p] -v

-a -s -v

[Expert@MyGW:0]# fwaccel synatk monitor

[Expert@MyGW:0]# fwaccel synatk monitor -p

[Expert@MyGW:0]# fwaccel synatk monitor -p -a

Global:
status attached
nr_active 0

Firewall
----------
Per-interface:
eth0 eth1
---------- ----------
topology External Internal
state Monitor Monitor
syn ready 0 0
syn active prev 0 0
syn active curr 0 0
active_score 0 0
msec grace 0 0
msec active 0 0
sent cookies 0 0
fail validations 0 0
succ validations 0 0
early packets 0 0
no conn data 0 0
bogus syn 0 0
peak non-estab 0 0
int sent cookies 0 0
int succ validations 0 0
msec interval 0 0

PPAK ID: 0
----------
Per-interface:
eth0 eth1
---------- ----------
topology External Internal
state Monitor Monitor
syn ready 0 0
syn active prev 0 0
syn active curr 0 0
active_score 0 0
msec grace 0 0
msec active 0 0
sent cookies 0 0
fail validations 0 0
succ validations 0 0
early packets 0 0
no conn data 0 0
bogus syn 0 0
peak non-estab 0 0
int sent cookies 0 0
int succ validations 0 0
msec interval 0 0
[Expert@MyGW:0]#

[Expert@MyGW:0]# fwaccel synatk monitor -p -s

M,N,0,0

PPAK ID: 0
----------
M,N,0,0
[Expert@MyGW:0]#

[Expert@MyGW:0]# fwaccel synatk monitor -p -v

+-----------------------------------------------------------------------------+
| SYN Defender statistics |
+-----------------------------------------------------------------------------+
| Status Normal |
| Spoofed SYN/sec 0 |
+-----------------------------------------------------------------------------+

PPAK ID: 0
----------
+-----------------------------------------------------------------------------+
| SYN Defender statistics |
+-----------------------------------------------------------------------------+
| Status Normal |
| Spoofed SYN/sec 0 |
+-----------------------------------------------------------------------------+
[Expert@MyGW:0]#
fwaccel synatk state
-h
-a
-d
-g
-i {all | external | internal | <Name of Interface>}
-m
-r

fwaccel6 synatk state

-h
-a
-d
-g
-i {all | external | internal | <Name of Interface>}
-m
-r

-a -d -g -m -r

-h
-a
-d
-g
-i all
-i external
-i internal

-i < >
-m
-r


 fwaccel dos whitelist

fwaccel synatk whitelist

-a <IPv4 Address>[/<Subnet Prefix>]
-d <IPv4 Address>[/<Subnet Prefix>]
-F
-l /<Path>/<Name of File>
-L
-s

fwaccel6 synatk whitelist

-a <IPv6 Address>[/<Subnet Prefix>]
-d <IPv6 Address>[/<Subnet Prefix>]
-F
-l /<Path>/<Name of File>
-L
-s
-a <IPv4 Address>[/<Subnet
Prefix>]

 < >

 < >
/<bits>


192.168.20.30
192.168.20.30/32

192.168.20.0/24

-a < >[/<
>]
 < >

 < >
/<bits>


2001:0db8:85a3:0000:0000:8a2e:0370:7334
2001:0db8:85a3:0000:0000:8a2e:0370:7334/
128

2001:cdba:9abc:5678::/64
-d <IPv4 Address>[/<Subnet
Prefix>]

 < >

/<bits>

-d < >[/<
>]
 < >

 < >

/<bits>

-F

-l /<Path>/<Name of File>

-F -l


touch vi

chmod +x


< >[/< >]

-L

$FWDIR/conf/synatk-whitelist-v4.conf

fwaccel | fwaccel6} synatk whitelist -L

-F -L



touch vi

chmod +x


< >[/< >]


-s

[Expert@MyGW:0]# fwaccel synatk whitelist -a 192.168.20.0/24

[Expert@MyGW:0]# fwaccel synatk whitelist -s
192.168.20.0/24
[Expert@MyGW:0]# fwaccel synatk whitelist -d 192.168.20.0/24
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel synatk whitelist -a 192.168.40.55
[Expert@MyGW:0]# fwaccel synatk whitelist -s
192.168.40.55/32
[Expert@MyGW:0]# fwaccel synatk whitelist -d 192.168.40.55
 connections


 /var/log/messages
 fw tab

fwaccel [-i <SecureXL ID>] tab [-f] [-m <Number of Rows>] -t <Name of Kernel Table>
fwaccel [-i <SecureXL ID>] tab -s -t <Name of Kernel Table>

fwaccel6 tab [-f] [-m <Number of Rows>] -t <Name of Kernel Table>

fwaccel6 tab -s -t <Name of Kernel Table>

-i < >

-f

-m < >

-s
-t < >

 connections
 dos_ip_blacklists
 dos_pbox
 dos_pbox_violating_ips
 dos_rate_matches
 dos_rate_track_src
 dos_rate_track_src_svc
 drop_templates
 frag_table
 gtp_apns
 gtp_tunnels
 if_by_name
 inbound_SAs
 invalid_replay_counter
 ipsec_mtu_icmp
 mcast_drop_conns
 outbound_SAs
 PMTU_table
 profile
 reset_table
 vpn_link_selection
 vpn_trusted_ifs

[Expert@MyGW:0]# fwaccel tab -f -m 200 -t connections

Table connections is empty
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel tab -t inbound_SAs
Table contents written to /var/log/messages.
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel tab -t outbound_SAs
Table contents written to /var/log/messages.
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel tab -t vpn_link_selection
Table contents written to /var/log/messages.
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel tab -t drop_templates
Table drop_templates is empty
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel tab -t vpn_trusted_ifs
Table contents written to /var/log/messages.
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel tab -t profile
Table contents written to /var/log/messages.
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel tab -t mcast_drop_conns
Table contents written to /var/log/messages.
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel tab -t invalid_replay_counter
Table contents written to /var/log/messages.
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel tab -t ipsec_mtu_icmp
Table contents written to /var/log/messages.
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel tab -t gtp_tunnels
Table contents written to /var/log/messages.
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel tab -t gtp_apns
Table contents written to /var/log/messages.
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel tab -t if_by_name
Table contents written to /var/log/messages.
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel tab -t PMTU_table
Table PMTU_table is empty
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel tab -t frag_table
Table frag_table is empty
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel tab -t reset_table
Table reset_table is empty
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel tab -t dos_ip_blacklists
Table dos_ip_blacklists is not active for SecureXL device 0.
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel tab -t dos_pbox
Table dos_pbox is not active for SecureXL device 0.
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel tab -t dos_rate_matches
Table dos_rate_matches is not active for SecureXL device 0.
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel tab -t dos_rate_track_src
Table dos_rate_track_src is not active for SecureXL device 0.
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel tab -t dos_rate_track_src_svc
Table dos_rate_track_src_svc is not active for SecureXL device 0.
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel tab -t dos_pbox_violating_ips
Table dos_pbox_violating_ips is not active for SecureXL device 0.
[Expert@MyGW:0]#



fwaccel [-i <SecureXL ID>] templates

[-h]
[-d]
[-m <Number of Rows>]
[-s]
[-S]

fwaccel6 templates
[-h]
[-d]
[-m <Number of Rows>]
[-s]
[-S]

-i < >

cphwd_tmpl
-h
-d

-m < >

-s

-S
[Expert@MyGW:0]# fwaccel templates
Source SPort Destination DPort PR Flags LCT DLY C2S i/f S2C i/f
--------------- ----- --------------- ----- -- ------------ ---- --- ------- -------
192.168.10.20 * 192.168.10.50 80 6 0 0 0 eth5/eth1 eth1/eth5
[Expert@MyGW:0]#

[Expert@MyGW:0]# fwaccel templates -d

The SecureXL drop templates table is empty
[Expert@MyGW:0]#

[Expert@MyGW:0]# fwaccel templates -s

Total number of templates: 1
[Expert@MyGW:0]#

[Expert@MyGW:0]# fwaccel templates -S

Templates stats:

Name Value Name Value

-------------------- ------------ -------------------- ------------
C templates 0 conns from templates 0
nat templates 0 conns from nat tmpl 0
C CPASXL templates 0 C PSLXL templates 0
C used templates 0 cpasxl tmpl conns 0
pslxl tmpl conns 0 C conns from tmpl 0

[Expert@MyGW:0]#





fwaccel ver

[Expert@MyGW:0]# fwaccel ver

Firewall version: R80.20 - Build 240
Acceleration Device: Performance Pack
Accelerator Version 2.1
Firewall API version: 3.0NG (19/11/2015)
Accelerator API version: 3.0NG (19/11/2015)
[Expert@MyGW:0]#


 fw sam
 sam_alert

 fw sam_policy fw samp

$FWDIR/database/sam_policy.db
 $FWDIR/database/sam_policy.mng






set virtual-system < >
vsenv < >


fw [-d] sam_policy
add <options>
batch
del <options>
get <options>
fw [-d] samp
add <options>
batch
del <options>
get <options>

fw6 [-d] sam_policy

add <options>
batch
del <options>
get <options>
fw6 [-d] samp
add <options>
batch
del <options>
get <options>

-d

add < >

batch
del < >

get < >

fw sam_policy add fw6 sam_policy add



 fw sam_policy add fw samp

add

$FWDIR/database/sam_policy.db
 $FWDIR/database/sam_policy.mng






set virtual-system < >
vsenv < >


script
-u
User-defined
Auto
-a {d | n | b}

 d
 n

 b

-l {r | a}

 -r
 -a
-t < >

-f < >

< >
 all


-n "< >"

"This\ is\ a\ rule\ name\ with\ a\ backslash\ \\"

-c "< >"

"This\ is\ a\ comment\ with\ a\ backslash\ \\"

-o "< >"

"Created\ by\ John\ Doe"

-z "< >"

ip < > ip quota

[-C] [-s < >] [-m < >] [-d <

>] [-M < >] [-p < >] [-r < >]
quota < quota ip
>

flush true fw samp add

-C

-s < >
-m < >

-d < >
-M < >

-p < >

-r < >

flush true
[source-negated {true |
false}] source < >
 any

 range:< >

range:< >-< >



 cidr:< >/< >



 cc:< >

 asn:< >

 source-negated false
 source-negated true
[destination-negated {true |
false}] destination
< >  any

 range:< >

range:< >-< >



 cidr:< >/< >



 cc:< >

 asn:< >

 destination-negated false
 destination-negated true
[service-negated {true |
false}] service <
>

 < >

 < >-< >

 < >/< >

 < >/< >-< >

 service-negated false
 service-negated true
[< > < >]
[< > < >]
...
[< > < >]  concurrent-conns < >

 concurrent-conns-ratio < >

N / 65536
 pkt-rate < >

 pkt-rate-ratio < >

N / 65536
 byte-rate < >

 byte-rate-ratio < >

N / 65536
 new-conn-rate < >

 new-conn-rate-ratio < >

N / 65536
[track < >]
 source

 source-service
fw sam_policy add -a d -l r -t 3600 quota service any source
range:172.16.7.11-172.16.7.13 new-conn-rate 5 flush true

 -a d

 -l r
 -t 3600

new-conn-rate 5 service any
source range:172.16.7.11-172.16.7.13

flush true

fw sam_policy add -a n -l r quota service 1,50-51,6/443,17/53 service-negated true

source cc:QQ byte-rate 0

 -a n
 timeout

 service-negated true
service
1,50-51,6/443,17/53

cc:QQ
 byte-rate 0


flush true

fw sam_policy -a d quota source asn:AS64500,cidr:[::FFFF:C0A8:1100]/120 service

any pkt-rate 0

 -a d
 timeout


asn:AS64500

cidr:[::FFFF:C0A8:1100]/120
 service any
 pkt-rate 0

flush true

fw sam_policy add -a b quota source range:172.16.8.17-172.16.9.121 service 6/80

 -a b

 timeout


range:172.16.8.17-172.16.9.121
 service 6/80

flush true

fw sam_policy add -a d quota service any source-negated true source cc:QQ

concurrent-conns-ratio 655 track source

 -a d
 -l r
 timeout

 service any
 source-negated true
cc:QQ

concurrent-conns-ratio 655 service any
service-negated true
cc:QQ



flush true
fw sam_policy batch fw6 sam_policy batch



 fw sam_policy batch fw samp

batch

$FWDIR/database/sam_policy.db
 $FWDIR/database/sam_policy.mng






set virtual-system < >
vsenv < >


fw sam_policy batch << EOF

fw6 sam_policy batch << EOF

 add del

add del fw samp

 fw sam_policy
add fw6 sam_policy add

EOF

fw samp batch <<EOF

add -a d -l r -t 3600 -c "Limit\ conn\ rate\ to\ 5\ conn/sec from\ these\ sources"
quota service any source range:172.16.7.13-172.16.7.13 new-conn-rate 5

del <501f6ef0,00000000,cb38a8c0,0a0afffe>

add -a b quota source range:172.16.8.17-172.16.9.121 service 6/80

EOF
fw sam_policy del fw6 sam_policy del



 fw sam_policy del add fw

samp del

$FWDIR/database/sam_policy.db
 $FWDIR/database/sam_policy.mng






set virtual-system < >
vsenv < >


fw [-d] sam_policy del '<Rule UID>'

fw6 [-d] sam_policy del '<Rule UID>'

-d fw

script
'< >'

 '<...>'
 fw sam_policy get fw6
sam_policy get

fw sam_policy get
fw6 sam_policy get

operation=add uid=< , , , > target=... timeout=...

action=... log= ... name= ... comment=... originator= ...
src_ip_addr=... req_tpe=...

operation=add uid=<5ac3965f,00000000,3403a8c0,0000264a> target=all

timeout=300 action=notify log=log name=Test\ Rule comment=Notify\
about\ traffic\ from\ 1.1.1.1 originator=John\ Doe
src_ip_addr=1.1.1.1 req_tpe=ip

fw [-d] sam_policy del '< >'

fw6 [-d] sam_policy del '< >'

fw samp del '<5ac3965f,00000000,3403a8c0,0000264a>'

fw samp add -t 2 quota flush true

fw6 samp add -t 2 quota flush true

fw samp del fw6 samp del

fw sam_policy get fw6 sam_policy get



 fw sam_policy get add fw

samp get

$FWDIR/database/sam_policy.db
 $FWDIR/database/sam_policy.mng



set virtual-system < >
vsenv < >


fw [-d] sam_policy get [-l] [-u '<Rule UID>'] [-k '<Key>' -t <Type> [+{-v '<Value>'}]
[-n]]

fw6 [-d] sam_policy get [-l] [-u '<Rule UID>'] [-k '<Key>' -t <Type> [+{-v
'<Value>'}] [-n]]

-d
-l

 -l


-u '< >'

-k '

-t
-t in
+{-v '< >'}

-n
 -k
 -t
 +-v

[Expert@GW:0]# fw samp get

operation=add uid=<5ac3965f,00000000,3403a8c0,0000264a> target=all timeout=300

action=notify log=log name=Test\ Rule comment=Notify\ about\ traffic\ from\
1.1.1.1 originator=John\ Doe src_ip_addr=1.1.1.1 req_tpe=ip

[Expert@GW:0]# fw samp get -l

[Expert@MyGW:0]# fw samp get

[Expert@MyGW:0]# cat /proc/ppk/<Name of File>

[Expert@MyGW:0]# cat /proc/ppk6/<SecureXL Instance ID>/<Name of File>

[Expert@MyGW:0]# ls -lR /proc/ppk6/

[Expert@MyGW:0]# cat /proc/ppk6/<Name of File>

[Expert@MyGW:0]# cat /proc/ppk6/<SecureXL Instance ID>/<Name of File>

affinity

conf
conns
cpls
cqstats
drop_statistics

ifs
mcast_statistics

nac

notify_statistics

profile_cpu_stat

rlc

statistics
stats

viol_statistics


[Expert@MyGW:0]# ls -lR /proc/ppk/

[Expert@MyGW:0]# cat /proc/ppk/affinity

[Expert@MyGW:0]# ls -lR /proc/ppk6/

[Expert@MyGW:0]# cat /proc/ppk6/affinity

[Expert@MyGW:0]# cat /proc/ppk/affinity

Current accelerated PPS : 0
Current enc. bytes rate : 0
[Expert@MyGW:0]#
[Expert@MyGW:0]# ls -lR /proc/ppk/

[Expert@MyGW:0]# cat /proc/ppk/conf

[Expert@MyGW:0]# cat /proc/ppk/<SecureXL Instance ID>/conf

[Expert@MyGW:0]# ls -lR /proc/ppk6/

[Expert@MyGW:0]# cat /proc/ppk6/conf

[Expert@MyGW:0]# cat /proc/ppk6/<SecureXL Instance ID>/conf

[Expert@MyGW:0]# cat /proc/ppk/conf

Flags : 0x00000192
Accounting Update Interval : 3600
Conn Refresh Interval : 512
SA Sync Notification Interval : 0
UDP Encapsulation Port : 0
Min TCP MSS : 0
TCP End Timeout : 5
Connection Limit : 14900

Total Number of conns : 0

Number of Crypt conns : 0
Number of TCP conns : 0
Number of Non-TCP conns : 0
Total Number of corrs : 0

Debug flags :
0 : 0x1
1 : 0x1
2 : 0x1
3 : 0x801
4 : 0x1
5 : 0x1
6 : 0x1
7 : 0x1
8 : 0x100
9 : 0x8
10 : 0x1
11 : 0x10
[Expert@MyGW:0]#
fwaccel conns fwaccel6 conns

[Expert@MyGW:0]# ls -lR /proc/ppk/

[Expert@MyGW:0]# cat /proc/ppk/conns

[Expert@MyGW:0]# cat /proc/ppk/<SecureXL Instance ID>/conns

[Expert@MyGW:0]# ls -lR /proc/ppk6/

[Expert@MyGW:0]# cat /proc/ppk6/conns

[Expert@MyGW:0]# cat /proc/ppk6/<SecureXL Instance ID>/conns

fwaccel cfg -h

[Expert@MyGW:0]# ls -lR /proc/ppk/

[Expert@MyGW:0]# cat /proc/ppk/cpls

[Expert@MyGW:0]# ls -lR /proc/ppk6/

[Expert@MyGW:0]# cat /proc/ppk6/cpls

[Expert@MyGW:0]# cat /proc/ppk/cpls

fwha_conf_flags: 638
fwha_df_type: 0
fwha_member_id: 1
fwha_port: 8116
FWHAP MAC magic: 2
Forwarding MAC magic: 1
My state: ACTIVE
udp_enc_port: 0
selection table size: 0
[Expert@MyGW:0]#
[Expert@MyGW:0]# ls -lR /proc/ppk/

[Expert@MyGW:0]# cat /proc/ppk/cqstats

[Expert@MyGW:0]# cat /proc/ppk/<SecureXL Instance ID>/cqstats

[Expert@MyGW:0]# ls -lR /proc/ppk6/

[Expert@MyGW:0]# cat /proc/ppk6/cqstats

[Expert@MyGW:0]# cat /proc/ppk6/<SecureXL Instance ID>/cqstats

[Expert@MyGW:0]# cat /proc/ppk/cqstats

Name Value Name Value
-------------------- --------------- -------------------- ---------------
Queued pkts 0 Queue fail 0
Dequeue & f2f 0 Dequeue & drop 0
Dequeue & resume 0 Async index req 0
Err Async index req 0 Async index cb 0
Err Async index cb 0 Queue alloc fail 0
Queue empty err 0
[Expert@MyGW:0]#
fwaccel stats -d

[Expert@MyGW:0]# ls -lR /proc/ppk/

[Expert@MyGW:0]# cat /proc/ppk/drop_statistics

[Expert@MyGW:0]# cat /proc/ppk/<SecureXL Instance ID>/drop_statistics

[Expert@MyGW:0]# ls -lR /proc/ppk6/

[Expert@MyGW:0]# cat /proc/ppk6/drop_statistics

[Expert@MyGW:0]# cat /proc/ppk6/<SecureXL Instance ID>/drop_statistics

[Expert@MyGW:0]# cat /proc/ppk/drop_statistics

Reason Packets Reason Packets
-------------------- --------------- -------------------- ---------------
general reason 0 CPASXL decision 0
PSLXL decision 0 clr pkt on vpn 0
encrypt failed 0 drop template 0
decrypt failed 0 interface down 0
cluster error 0 XMT error 0
anti spoofing 24987 local spoofing 0
sanity error 0 monitored spoofed 0
QOS decision 0 C2S violation 0
S2C violation 0 Loop prevention 0
DOS Fragments 0 DOS IP Options 0
DOS Blacklists 0 DOS Penalty Box 0
DOS Rate Limiting 0 Syn Attack 0
Reorder 0 Defrag timeout 0
[Expert@MyGW:0]#
[Expert@MyGW:0]# ls -lR /proc/ppk/

[Expert@MyGW:0]# cat /proc/ppk/ifs

[Expert@MyGW:0]# ls -lR /proc/ppk6/

[Expert@MyGW:0]# cat /proc/ppk6/ifs

[Expert@MyGW:0]# cat /proc/ppk/ifs

No | Interface | Address | IRQ | F | SIM F | Dev | Output Func |
Features
--------------------------------------------------------------------------------------------------
-----------
2 | eth0 | 192.168.3.242 | 67 | 39 | 80 | 0xffff81023e836000 | 0x000013a0
3 | eth1 | 10.20.30.242 | 75 | 29 | 88 | 0xffff81023d508000 | 0x000013a0
4 | eth2 | 0.0.0.0 | 59 | 1 | 80 | 0xffff81023d6b4000 | 0x000013a0
5 | eth3 | 192.168.196.18 | 67 | 29 | 80 | 0xffff81023dbc1000 | 0x000013a0
6 | eth4 | 192.168.196.18 | 83 | 29 | 80 | 0xffff81023d678000 | 0x000013a0
7 | eth5 | 0.0.0.0 | 75 | 1 | 80 | 0xffff81023c6ba000 | 0x000013a0
8 | eth6 | 0.0.0.0 | 59 | 1 | 80 | 0xffff81023e370000 | 0x000013a0
11 | eth2.53 | 192.168.196.2 | 0 | 29 | 580 | 0xffff81022ca90000 | 0x000013a0
12 | eth2.52 | 192.168.196.2 | 0 | 29 | 580 | 0xffff81022c980000 | 0x000013a0
[Expert@MyGW:0]#

[Expert@MyGW:0]# cat /proc/ppk6/ifs

No | Interface | Address | IRQ | F | SIM F | Dev | Output Func | Features
--------------------------------------------------------------------------------------------------
-----------
2 | eth0 | fe80:0:0:0:250:56ff:fea3:3038 | 67 | 39 | 80 | 0xffff81023f57e000 |
0x000013a0
3 | eth1 | fe80:0:0:0:250:56ff:fea3:770b | 75 | 29 | 80 | 0xffff81023b9d7000 |
0x000013a0
4 | eth2 | fe80:0:0:0:250:56ff:fea3:c39 | 59 | 1 | 80 | 0xffff81023e161000 |
0x000013a0
7 | eth5 | fe80:0:0:0:250:56ff:fea3:4242 | 75 | 1 | 80 | 0xffff81023de56000 |
0x000013a0
8 | eth6 | fe80:0:0:0:250:56ff:fea3:2039 | 59 | 1 | 480 | 0xffff81023c06a000 |
0x000013a0
[Expert@MyGW:0]#

F
SIM F
fw_clamp_tcp_mss fw_clamp_vpn_mss
activate_optimize_drops_support_now




















fwaccel stats -m

[Expert@MyGW:0]# ls -lR /proc/ppk/

[Expert@MyGW:0]# cat /proc/ppk/mcast_statistics

[Expert@MyGW:0]# cat /proc/ppk/<SecureXL Instance ID>/mcast_statistics

[Expert@MyGW:0]# ls -lR /proc/ppk6/

[Expert@MyGW:0]# cat /proc/ppk6/mcast_statistics

[Expert@MyGW:0]# cat /proc/ppk6/<SecureXL Instance ID>/mcast_statistics

[Expert@MyGW:0]# cat /proc/ppk/mcast_statistics

Name Value Name Value
-------------------- --------------- -------------------- ---------------
in packets 0 out packets 0
if restricted 0 conns with down if 0
f2f packets 0 f2f bytes 0
dropped packets 0 dropped bytes 0
accel packets 0 accel bytes 0
mcast conns 0
[Expert@MyGW:0]#
fwaccel stats -n

[Expert@MyGW:0]# ls -lR /proc/ppk/

[Expert@MyGW:0]# cat /proc/ppk/nac

[Expert@MyGW:0]# cat /proc/ppk/<SecureXL Instance ID>/nac

[Expert@MyGW:0]# ls -lR /proc/ppk6/

[Expert@MyGW:0]# cat /proc/ppk6/nac

[Expert@MyGW:0]# cat /proc/ppk6/<SecureXL Instance ID>/nac

[Expert@MyGW:0]# cat /proc/ppk/nac

Name Value Name Value
-------------------- --------------- -------------------- ---------------
NAC packets 0 NAC bytes 0
NAC connections 0 complience failure 0
[Expert@MyGW:0]#
[Expert@MyGW:0]# ls -lR /proc/ppk/

[Expert@MyGW:0]# cat /proc/ppk/notify_statistics

[Expert@MyGW:0]# cat /proc/ppk/<SecureXL Instance ID>/notify_statistics

[Expert@MyGW:0]# ls -lR /proc/ppk6/

[Expert@MyGW:0]# cat /proc/ppk6/notify_statistics

[Expert@MyGW:0]# cat /proc/ppk6/<SecureXL Instance ID>/notify_statistics

[Expert@MyGW:0]# cat /proc/ppk/notify_statistics

Notification Packets Notification Packets
--------------------- -------------- --------------------- --------------
ntSAAboutToExpire 0 ntSAExpired 0
ntMSPIError 0 ntNoInboundSA 0
ntNoOutboundSA 0 ntDataIntegrityFailed 0
ntPossibleReplay 0 ntReplay 0
ntNextProtocolError 0 ntCPIError 0
ntClearTextPacket 0 ntFragmentation 0
ntUpdateUdpEncTable 0 ntSASync 0
ntReplayOutOfWindow 0 ntVPNTrafficReport 0
ntConnDeleted 0 ntConnUpdate 0
ntPacketDropped 421 ntSendLog 0
ntRefreshGTPTunnel 0 ntMcastDrop 0
ntAccounting 0 ntAsyncIndex 0
ntACkReordering 0 ntAccelAckInfo 0
ntMonitorPacket 0 ntPacketCapture 0
ntCpasPacketCapture 0 ntPSLGlueUpdateReject 0
ntSeqVerifyDrop 0 ntPacketForwardBefore 0
ntICMPMessage 0 ntQoSReclassifyPacket 0
ntQoSResumePacket 0 ntVPNEncHaLinkFailure 0
ntVPNEncLsLinkFailure 0 ntVPNEncRouteChange 0
ntVPNDecVerRouteChang 0 ntVPNDecRouteChange 0
ntMuxSimToFw 0 ntPSLEventLog 0
ntSendCPHWDStats 2509 ntPacketTaggingViolat 0
ntDosNotify 0 ntSynatkNotify 0
ntSynatkStats 0 ntQoSEventLog 0
ntPrintGetParam 0
[Expert@MyGW:0]#



[Expert@MyGW:0]# ls -lR /proc/ppk/

[Expert@MyGW:0]# cat /proc/ppk/profile_cpu_stat

[Expert@MyGW:0]# cat /proc/ppk/<SecureXL Instance ID>/profile_cpu_stat

[Expert@MyGW:0]# ls -lR /proc/ppk6/

[Expert@MyGW:0]# cat /proc/ppk6/profile_cpu_stat

[Expert@MyGW:0]# cat /proc/ppk6/<SecureXL Instance ID>/profile_cpu_stat

[Expert@MyGW:0]# cat /proc/ppk/profile_cpu_stat

0 0
1 0
2 0
3 0
[Expert@MyGW:0]#
[Expert@MyGW:0]# ls -lR /proc/ppk/

[Expert@MyGW:0]# cat /proc/ppk/rlc

[Expert@MyGW:0]# ls -lR /proc/ppk6/

[Expert@MyGW:0]# cat /proc/ppk6/rlc

[Expert@MyGW:0]# cat /proc/ppk/rlc

Total drop packets : 0
Total drop bytes : 0
[Expert@MyGW:0]#
fwaccel stats fwaccel6 stats

[Expert@MyGW:0]# ls -lR /proc/ppk/

[Expert@MyGW:0]# cat /proc/ppk/statistics

[Expert@MyGW:0]# cat /proc/ppk/<SecureXL Instance ID>/statistics

[Expert@MyGW:0]# ls -lR /proc/ppk6/

[Expert@MyGW:0]# cat /proc/ppk6/statistics

[Expert@MyGW:0]# cat /proc/ppk6/<SecureXL Instance ID>/statistics

[Expert@MyGW:0]# cat /proc/ppk/statistics

Name Value Name Value
-------------------- --------------- -------------------- ---------------
accel packets 0 accel bytes 0
outbound packets 0 outbound bytes 0
conns created 0 conns deleted 0
current total conns 0 TCP conns 0
non TCP conns 0 nat conns 0
dropped packets 728 dropped bytes 107978
fragments received 0 fragments transmit 0
fragments dropped 0 fragments expired 0
IP options stripped 0 IP options restored 0
IP options dropped 0 corrs created 0
corrs deleted 0 C corrections 0
corrected packets 0 corrected bytes 0
crypt conns 0 enc bytes 0
dec bytes 0 ESP enc pkts 0
ESP enc err 0 ESP dec pkts 0
ESP dec err 0 ESP other err 0
espudp enc pkts 0 espudp enc err 0
espudp dec pkts 0 espudp dec err 0
espudp other err 0 acct update interval 3600
CPASXL packets 0 PSLXL packets 0
CPASXL async packets 0 PSLXL async packets 0
CPASXL bytes 0 PSLXL bytes 0
CPASXL conns 0 PSLXL conns 0
CPASXL conns created 0 PSLXL conns created 0
PXL FF conns 0 PXL FF packets 0
PXL FF bytes 0 PXL FF acks 0
PXL no conn drops 0 PSL Inline packets 0
PSL Inline bytes 0 CPAS Inline packets 0
CPAS Inline bytes 0 Total QoS conns 0
CLASSIFY 0 CLASSIFY_FLOW 0
RECLASSIFY_POLICY 0 Enq-IN FW pkts 0
Enq-OUT FW pkts 0 Deq-IN FW pkts 0
Deq-OUT FW pkts 0 Enq-IN FW bytes 0
Enq-OUT FW bytes 0 Deq-IN FW bytes 0
Deq-OUT FW bytes 0 Enq-IN AXL pkts 0
Enq-OUT AXL pkts 0 Deq-IN AXL pkts 0
Deq-OUT AXL pkts 0 Enq-IN AXL bytes 0
Enq-OUT AXL bytes 0 Deq-IN AXL bytes 0
Deq-OUT AXL bytes 0 F2F packets 0
F2F bytes 0 TCP violations 0
F2V conn match pkts 0 F2V packets 0
F2V bytes 0 gtp tunnels created 0
gtp tunnels 0 gtp accel pkts 0
gtp f2f pkts 0 gtp spoofed pkts 0
gtp in gtp pkts 0 gtp signaling pkts 0
gtp tcpopt pkts 0 gtp apn err pkts 0
memory used 38799384 C tcp handshake conn 0
C tcp estab. conns 0 C tcp closed conns 0
C tcp pxl hnshk conn 0 C tcp pxl est. conn 0
C tcp pxl closed 0 ob cpasxl packets 0
ob pslxl packets 0 ob cpasxl bytes 0
ob pslxl bytes 0 DNS DoR stats 0
trimmed pkts
[Expert@MyGW:0]#
[Expert@MyGW:0]# ls -lR /proc/ppk/

[Expert@MyGW:0]# cat /proc/ppk/stats

[Expert@MyGW:0]# ls -lR /proc/ppk6/

[Expert@MyGW:0]# cat /proc/ppk6/stats

[Expert@MyGW:0]# cat /proc/ppk/stats

IRQ | Interface
---------------------------
67 eth0
75 eth1
59 eth2
67 eth3
83 eth4
75 eth5
59 eth6
[Expert@MyGW:0]#
fwaccel stats -p

[Expert@MyGW:0]# ls -lR /proc/ppk/

[Expert@MyGW:0]# cat /proc/ppk/viol_statistics

[Expert@MyGW:0]# ls -lR /proc/ppk6/

[Expert@MyGW:0]# cat /proc/ppk6/viol_statistics

[Expert@MyGW:0]# cat /proc/ppk/viol_statistics

Violation Packets Violation Packets
-------------------- --------------- -------------------- ---------------
pkt has IP options 0 ICMP miss conn 150
TCP-SYN miss conn 6 TCP-other miss conn 4256
UDP miss conn 11105353 other miss conn 0
VPN returned F2F 0 uni-directional viol 0
possible spoof viol 0 TCP state viol 0
out if not def/accl 0 bridge, src=dst 0
routing decision err 0 sanity checks failed 0
fwd to non-pivot 0 broadcast/multicast 0
cluster message 0 cluster forward 0
chain forwarding 0 F2V conn match pkts 0
general reason 0 route changes 0
[Expert@MyGW:0]#
fwaccel dbg
-h
-m <Name of SecureXL Debug Module>
all
+ <Debug Flags>
- <Debug Flags>
reset
-f {"<5-Tuple Debug Filter>" | reset}
list
resetall

-h

-m <
>
fwaccel dbg
all

+ < >

+ Flag1 [Flag2 Flag3 ... FlagN]

- < >

- Flag1 [Flag2 Flag3 ... FlagN]

-
reset
-f "<5-Tuple Debug Filter>"

"<Source IP Address>,<Source
Port>,<Destination IP Address>,<Destination
Port>,<Protocol Number>"

 *

-f reset
list
resetall

[Expert@MyGW:0]# fwaccel dbg

List of available modules and flags:

Module: default (default)

err init drv tag lock cpdrv routing kdrv gtp tcp_sv gtp_pkt svm iter conn htab del update acct conf
stat queue ioctl corr util rngs relations ant conn_app rngs_print infra_ids offload nat

Module: db
err get save del tmpl tmo init ant profile nmr nmt

Module: pkt
err f2f frag spoof acct notif tcp_state tcp_state_pkt sv cpls routing drop pxl qos user deliver vlan
pkt nat wrp corr caf

Module: infras
err reorder pm

Module: tmpl
err dtmpl_get dtmpl_notif tmpl
Module: vpn
err vpnpkt linksel routing vpn

Module: nac
err db db_get pkt pkt_ex signature offload idnt ioctl nac

Module: cpaq
init client server exp cbuf opreg transport transport_utils error

Module: synatk
init conf conn err log pkt proxy state msg

Module: adp
err rt nh eth heth wrp inf mbs bpl bplinf mbeinf if drop bond xmode ipsctl xnp

Module: dos
fw1-cfg fw1-pkt sim-cfg sim-pkt err detailed drop

[Expert@MyGW:0]#

[Expert@MyGW:0]# fwaccel dbg -m default + err conn

Debug flags updated.
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dbg list

Module: default (2001)

err conn

Module: db (1)
err

Module: api (1)

err

Module: pkt (1)

err

Module: infras (1)

err

Module: tmpl (1)

err

Module: vpn (1)

err

Module: nac (1)

err

Module: cpaq (100)

error

Module: synatk (0)

Module: adp (1)

err

Module: dos (10)

err

Debug filter not set.

[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dbg -m default - conn
Debug flags updated.
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dbg list

Module: default (1)

err

Module: db (1)
err

Module: api (1)

err

Module: pkt (1)

err

Module: infras (1)

err

Module: tmpl (1)

err

Module: vpn (1)

err

Module: nac (1)

err

Module: cpaq (100)

error

Module: synatk (0)

Module: adp (1)

err

Module: dos (10)

err

Debug filter not set.

[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dbg -m default reset
Debug flags updated.
[Expert@MyGW:0]#

[Expert@MyGW:0]# fwaccel dbg resetall

Debug state was reset to default.
[Expert@MyGW:0]#

[Expert@MyGW:0]# fwaccel dbg -f 192.168.20.30,*,172.16.40.50,22,6

Debug filter was set.
[Expert@MyGW:0]#
[Expert@MyGW:0]# fwaccel dbg list

... ...

Debug filter: "<,,*,,>"

[Expert@MyGW:0]#
/var/log/messages




fw ctl debug 0


fwaccel dbg resetall

fwaccel -i dbg resetall

fw ctl debug -buf 8200 [-v {"< >" | all}]

fw ctl debug | grep buffer

fw ctl debug -m < > {all | + < >}


fwaccel dbg -m < > {all | + <
>}

fwaccel -i dbg -m < > {all |
+ < >}

fw ctl debug


fwaccel dbg list

fwaccel -i dbg list

fw tab -t connections -x -y

fw tab -t cphwd_tmpl -x -y

fw ctl kdebug -T -f > /var/log/kernel_debug.txt

fw ctl debug 0

fwaccel dbg resetall

fwaccel -i dbg resetall

fw ctl debug


fwaccel dbg list

fwaccel -i dbg list

/var/log/kernel_debug.txt
fwaccel dbg


acct
ant
conf
conn
conn_app
corr
cpdrv
del
drv
err
gtp
gtp_pkt
htab
infra_ids
init
ioctl

iter
kdrv
lock
nat
offload
queue
relations
rngs
rngs_print
routing
stat
svm

tag
tcp_sv
update
util

acct
caf
corr
cpls
deliver
drop
err
f2f
frag
nat
notif
pkt
pxl

qos
routing
spoof
sv
tcp_state
tcp_state_pkt
user
vlan
wrp

ant
del
err
get
init
nmr

nmt

profile
save
tmo
tmpl

acct
add
add_sa
conf
del
del_all_sas
del_all_tmpl
del_sa
err
get_features
get_stat
get_state
get_tab
gtp
infra
init
long_ver
misc
notif
pxl

qos
reset_stat
stat
sv
tag

tmpl
tmpl_info
upd_conf
upd_if_inf

upd_link_sel
update

vpn

err
pm
reorder

db
db_get
err
idnt
ioctl
nac
offload
pkt

pkt_ex
signature

err
linksel
routing
vpn
vpnpkt

cbuf
client
error
exp
init
opreg
server
transport
transport_utils

detailed

drop
err
fw1-cfg

fw1-pkt

sim-cfg

sim-pkt

conf

conn
err
init
log

msg

pkt
proxy
state

err
dtmpl_get
dtmpl_notif
tmpl
fw ctl multik fw6 ctl multik

fw ctl multik
add_bypass_port <options>
del_bypass_port <options>
dynamic_dispatching <options>
gconn <options>
get_instance <options>
print_heavy_conn
prioq <options>
show_bypass_ports
stat
start
stop
utilize

fw6 ctl multik

add_bypass_port <options>
del_bypass_port <options>
dynamic_dispatching <options>
gconn <options>
get_instance <options>
print_heavy_conn
prioq <options>
show_bypass_ports
stat
start
stop
utilize
add_bypass_port < >

del_bypass_port < >

dynamic_dispatching

gconn < >

get_instance

print_heavy_conn

prioq

show_bypass_ports

stat
start
stop
utilize
$FWDIR/conf/dispatcher_bypass.conf

fw ctl multik add_bypass_port <Port Number 1>,<Port Number 2>,...,<Port Number N>

[Expert@MyGW:0]# fw ctl multik show_bypass_ports

dynamic dispatcher bypass port list:
[Expert@MyGW:0]#
[Expert@MyGW:0]# cat $FWDIR/conf/dispatcher_bypass.conf
dynamic_dispatcher_bypass_ports_number = 0
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl multik add_bypass_port 8888
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl multik show_bypass_ports
dynamic dispatcher bypass port list:
(8888)
[Expert@MyGW:0]
[Expert@MyGW:0]# cat $FWDIR/conf/dispatcher_bypass.conf
dynamic_dispatcher_bypass_ports_number = 1
dynamic_dispatcher_bypass_port_table=8888
[Expert@MyGW:0]
[Expert@MyGW:0]# fw ctl multik add_bypass_port 9999
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl multik show_bypass_ports
dynamic dispatcher bypass port list:
(8888,9999)
[Expert@MyGW:0]
[Expert@MyGW:0]# cat $FWDIR/conf/dispatcher_bypass.conf
dynamic_dispatcher_bypass_ports_number = 2
dynamic_dispatcher_bypass_port_table=8888,9999
[Expert@MyGW:0]
$FWDIR/conf/dispatcher_bypass.conf

fw ctl multik del_bypass_port <Port Number 1>,<Port Number 2>,...,<Port Number N>

[Expert@MyGW:0]# fw ctl multik show_bypass_ports

fw6 ctl multik dynamic_dispatching

get_mode
off
on

[Expert@MyGW:0]# fw ctl multik dynamic_dispatching get_mode

Current mode is Off
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl multik dynamic_dispatching on
New mode is: On
Please reboot the system
[Expert@MyGW:0]#
fw_multik_ld_gconn_table




fw [-d] ctl multik gconn

-h
-p
-sec
-seg <Number>

-d

-h
-p

 I/O
 Inst. ID
 Flags
 Seq
 Hold_ref
 Prio
 last_enq_jiff
 queue_indx
 conn_tokens
-s
-sec

 I/O
 Inst. ID
 Flags
 Seq
 Hold_ref
-seg < >

[Expert@MyGW:0]# fw ctl multik gconn

Default:
==================================================================================================
========================
| Segm | Src IP | S.port | Dst IP | D.port | Proto | Flags | PP |Ref Cnt(I/O)|Inst|PPAK ID|clstr mem
ID|Rec. ref|Rec. Type|
==================================================================================================
========================
| 0 | 192.168.3.52 | 18192 | 192.168.3.240 | 46082 | 6 |FP .. ..| No | 0/0 | 1 | 32 | 0
| 0 | UNDEF |
| 0 | 192.168.3.52 | 54216 | 192.168.3.240 | 257 | 6 |FP .. ..| No | 0/0 | 1 | 32 | 0
| 0 | UNDEF |
| 0 | 192.168.3.240 | 53925 | 192.168.3.53 | 18192 | 6 |FP .. ..| No | 0/0 | 0 | 32 | 1
| 0 | UNDEF |
| 0 | 192.168.3.240 | 257 | 192.168.3.52 | 54216 | 6 |FP .. ..| No | 0/0 | 1 | 32 | 0
| 0 | UNDEF |
| 0 | 192.168.3.53 | 18192 | 192.168.3.240 | 64216 | 6 |FP .. ..| No | 0/0 | 1 | 32 | 15
| 0 | UNDEF |
| 0 | 0.0.0.0 | 8116 | 192.168.3.53 | 8116 | 17 |FP .. ..| No | 0/0 | 1 | 32 | 1
| 0 | UNDEF |
| 0 | 0.0.0.0 | 8116 | 192.168.3.52 | 8116 | 17 |FP .. ..| No | 0/0 | 1 | 32 | 0
| 0 | UNDEF |
| 0 | 192.168.3.240 | 64216 | 192.168.3.53 | 18192 | 6 |FP .. ..| No | 0/0 | 1 | 32 | 15
| 0 | UNDEF |
| 0 | 192.168.3.52 | 8116 | 0.0.0.0 | 8116 | 17 |FP .. ..| No | 0/0 | 1 | 32 | 0
| 0 | UNDEF |
| 0 | 172.20.168.16 | 63800 | 192.168.3.53 | 22 | 6 |FP .. ..| No | 0/0 | 0 | 32 | 1
| 0 | UNDEF |
| 0 | 192.168.3.240 | 46082 | 192.168.3.52 | 18192 | 6 |FP .. ..| No | 0/0 | 1 | 32 | 0
| 0 | UNDEF |
| 0 | 192.168.3.53 | 8116 | 0.0.0.0 | 8116 | 17 |FP .. ..| No | 0/0 | 1 | 32 | 1
| 0 | UNDEF |
| 0 | 192.168.3.53 | 22 | 172.20.168.16 | 63800 | 6 |FP .. ..| No | 0/0 | 0 | 32 | 1
| 0 | UNDEF |
| 0 | 192.168.3.53 | 18192 | 192.168.3.240 | 53925 | 6 |FP .. ..| No | 0/0 | 0 | 32 | 1
| 0 | UNDEF |
==================================================================================================
========================
FP - from pool. T - temporary connection. PP - pending pernament.
[Expert@MyGW:0]#

[Expert@MyGW:0]# fw ctl multik gconn -s

Summary:
Total number of global connections: 12
[Expert@MyGW:0]#

[Expert@MyGW:0]# fw ctl multik gconn -p

Instance section prio info:
==================================================================================================
==================================================================================================
===
| Segm | Src IP | S.port | Dst IP | D.port | Proto | Flags | PP |Ref Cnt(I/O)|Inst|PPAK ID|clstr mem
ID|Rec. ref|Rec. Type|Inst. Section: I/O|Inst. ID|Flags| Seq | Hold_ref
|Prio:|last_enq_jiff|queue_indx|conn_tokens
==================================================================================================
==================================================================================================
===
| 0 | 192.168.3.52 | 18192 | 192.168.3.240 | 46082 | 6 |FP .. ..| No | 0/0 | 1 | 32 | 0
| 0 | UNDEF |Inst. Section: Out | 1 | Perm | 0 | 0 |Prio:| 0 | -1 | 0 |
| 0 | 192.168.3.240 | 53925 | 192.168.3.53 | 18192 | 6 |FP .. ..| No | 0/0 | 0 | 32 | 1
| 0 | UNDEF |Inst. Section: In | 0 | Perm | 0 | 0 |Prio:| 0 | -1 | 0 |
| 0 | 192.168.3.240 | 257 | 192.168.3.52 | 35883 | 6 |FP .. ..| No | 0/0 | 1 | 32 | 0
| 0 | UNDEF |Inst. Section: In | 1 | Perm | 0 | 0 |Prio:| 0 | -1 | 0 |
| 0 | 192.168.3.53 | 18192 | 192.168.3.240 | 64216 | 6 |FP .. ..| No | 0/0 | 1 | 32 | 15
| 0 | UNDEF |Inst. Section: Out | 1 | Perm | 0 | 0 |Prio:| 0 | -1 | 0 |
| 0 | 0.0.0.0 | 8116 | 192.168.3.53 | 8116 | 17 |FP .. ..| No | 0/0 | 1 | 32 | 1
| 0 | UNDEF |Inst. Section: In | 1 | Perm | 0 | 0 |Prio:| 0 | -1 | 0 |
| 0 | 0.0.0.0 | 8116 | 192.168.3.52 | 8116 | 17 |FP .. ..| No | 0/0 | 1 | 32 | 0
| 0 | UNDEF |Inst. Section: In | 1 | Perm | 0 | 0 |Prio:| 0 | -1 | 0 |
| 0 | 192.168.3.240 | 64216 | 192.168.3.53 | 18192 | 6 |FP .. ..| No | 0/0 | 1 | 32 | 15
| 0 | UNDEF |Inst. Section: In | 1 | Perm | 0 | 0 |Prio:| 0 | -1 | 0 |
| 0 | 192.168.3.52 | 8116 | 0.0.0.0 | 8116 | 17 |FP .. ..| No | 0/0 | 1 | 32 | 0
| 0 | UNDEF |Inst. Section: Out | 1 | Perm | 0 | 0 |Prio:| 0 | -1 | 0 |
| 0 | 172.20.168.16 | 63800 | 192.168.3.53 | 22 | 6 |FP .. ..| No | 0/0 | 0 | 32 | 1
| 0 | UNDEF |Inst. Section: In | 0 | Perm | 494 | 0 |Prio:| 0 | -1 | 0 |
| 0 | 192.168.3.240 | 46082 | 192.168.3.52 | 18192 | 6 |FP .. ..| No | 0/0 | 1 | 32 | 0
| 0 | UNDEF |Inst. Section: In | 1 | Perm | 0 | 0 |Prio:| 0 | -1 | 0 |
| 0 | 192.168.3.52 | 35883 | 192.168.3.240 | 257 | 6 |FP .. ..| No | 0/0 | 1 | 32 | 0
| 0 | UNDEF |Inst. Section: Out | 1 | Perm | 0 | 0 |Prio:| 0 | -1 | 0 |
| 0 | 192.168.3.53 | 8116 | 0.0.0.0 | 8116 | 17 |FP .. ..| No | 0/0 | 1 | 32 | 1
| 0 | UNDEF |Inst. Section: Out | 1 | Perm | 0 | 0 |Prio:| 0 | -1 | 0 |
| 0 | 192.168.3.53 | 22 | 172.20.168.16 | 63800 | 6 |FP .. ..| No | 0/0 | 0 | 32 | 1
| 0 | UNDEF |Inst. Section: Out | 0 | Perm | 280 | 0 |Prio:| 0 | -1 | 0 |
| 0 | 192.168.3.53 | 18192 | 192.168.3.240 | 53925 | 6 |FP .. ..| No | 0/0 | 0 | 32 | 1
| 0 | UNDEF |Inst. Section: Out | 0 | Perm | 219 | 0 |Prio:| 0 | -1 | 0 |
==================================================================================================
==================================================================================================
===
FP - from pool. T - temporary connection. PP - pending pernament. In - inbound. Out -
outbound.
[Expert@MyGW:0]#

[Expert@MyGW:0]# fw ctl multik gconn -sec

Instance section:
==================================================================================================
====================================================================
| Segm | Src IP | S.port | Dst IP | D.port | Proto | Flags | PP |Ref Cnt(I/O)|Inst|PPAK ID|clstr mem
ID|Rec. ref|Rec. Type|Inst. Section: I/O|Inst. ID|Flags| Seq | Hold_ref |
==================================================================================================
====================================================================
| 0 | 192.168.3.52 | 18192 | 192.168.3.240 | 46082 | 6 |FP .. ..| No | 0/0 | 1 | 32 | 0
| 0 | UNDEF |Inst. Section: Out | 1 | Perm | 0 | 0 |
| 0 | 192.168.3.52 | 52864 | 192.168.3.240 | 257 | 6 |FP .. ..| No | 0/0 | 2 | 32 | 0
| 0 | UNDEF |Inst. Section: Out | 2 | Perm | 0 | 0 |
| 0 | 192.168.3.240 | 53925 | 192.168.3.53 | 18192 | 6 |FP .. ..| No | 0/0 | 0 | 32 | 1
| 0 | UNDEF |Inst. Section: In | 0 | Perm | 0 | 0 |
| 0 | 192.168.3.53 | 18192 | 192.168.3.240 | 64216 | 6 |FP .. ..| No | 0/0 | 1 | 32 | 15
| 0 | UNDEF |Inst. Section: Out | 1 | Perm | 0 | 0 |
| 0 | 192.168.3.53 | 60186 | 192.168.3.240 | 257 | 6 |FP .. ..| No | 0/0 | 1 | 32 | 1
| 0 | UNDEF |Inst. Section: Out | 1 | Perm | 76 | 0 |
| 0 | 0.0.0.0 | 8116 | 192.168.3.53 | 8116 | 17 |FP .. ..| No | 0/0 | 1 | 32 | 1
| 0 | UNDEF |Inst. Section: In | 1 | Perm | 0 | 0 |
| 0 | 0.0.0.0 | 8116 | 192.168.3.52 | 8116 | 17 |FP .. ..| No | 0/0 | 1 | 32 | 0
| 0 | UNDEF |Inst. Section: In | 1 | Perm | 0 | 0 |
| 0 | 192.168.3.240 | 64216 | 192.168.3.53 | 18192 | 6 |FP .. ..| No | 0/0 | 1 | 32 | 15
| 0 | UNDEF |Inst. Section: In | 1 | Perm | 0 | 0 |
| 0 | 192.168.3.52 | 8116 | 0.0.0.0 | 8116 | 17 |FP .. ..| No | 0/0 | 1 | 32 | 0
| 0 | UNDEF |Inst. Section: Out | 1 | Perm | 0 | 0 |
| 0 | 172.20.168.16 | 63800 | 192.168.3.53 | 22 | 6 |FP .. ..| No | 0/0 | 0 | 32 | 1
| 0 | UNDEF |Inst. Section: In | 0 | Perm | 479 | 0 |
| 0 | 192.168.3.240 | 46082 | 192.168.3.52 | 18192 | 6 |FP .. ..| No | 0/0 | 1 | 32 | 0
| 0 | UNDEF |Inst. Section: In | 1 | Perm | 0 | 0 |
| 0 | 192.168.3.53 | 8116 | 0.0.0.0 | 8116 | 17 |FP .. ..| No | 0/0 | 1 | 32 | 1
| 0 | UNDEF |Inst. Section: Out | 1 | Perm | 0 | 0 |
| 0 | 192.168.3.240 | 257 | 192.168.3.52 | 52864 | 6 |FP .. ..| No | 0/0 | 2 | 32 | 0
| 0 | UNDEF |Inst. Section: In | 2 | Perm | 0 | 0 |
| 0 | 192.168.3.53 | 22 | 172.20.168.16 | 63800 | 6 |FP .. ..| No | 0/0 | 0 | 32 | 1
| 0 | UNDEF |Inst. Section: Out | 0 | Perm | 257 | 0 |
| 0 | 192.168.3.53 | 18192 | 192.168.3.240 | 53925 | 6 |FP .. ..| No | 0/0 | 0 | 32 | 1
| 0 | UNDEF |Inst. Section: Out | 0 | Perm | 219 | 0 |
| 0 | 192.168.3.240 | 257 | 192.168.3.53 | 60186 | 6 |FP .. ..| No | 0/0 | 1 | 32 | 1
| 0 | UNDEF |Inst. Section: In | 1 | Perm | 0 | 0 |
==================================================================================================
====================================================================
FP - from pool. T - temporary connection. PP - pending pernament. In - inbound. Out -
outbound.
[Expert@MyGW:0]#

fw ctl multik get_instance sip=<Source IPv4 Address> dip=<Destination IPv4 Address>
proto=<Protocol Number>

fw ctl multik get_instance sip=<Source IPv4 Address Start>-<Source IPv4 Address

End> dip=<Destination IPv4 Address Start>-<Destination IPv4 Address End>
proto=<Protocol Number>

<Source IPv4 Address>

<Source IPv4 Address Start>

<Source IPv4 Address End>

<Destination IPv4 Address>

<Destination IPv4 Address

Start>

<Destination IPv4 Address

End>





[Expert@MyGW:0]# fw ctl multik get_instance sip=192.168.2.3 dip=172.30.241.66 proto=6

protocol: 6
192.168.2.3 -> 172.30.241.66 => 3
[Expert@MyGW:0]#

[Expert@MyGW:0]# fw ctl multik get_instance sip=192.168.2.3-192.168.2.8 dip=172.30.241.66 proto=6

protocol: 6
192.168.2.3 -> 172.30.241.66 => 3
192.168.2.4 -> 172.30.241.66 => 0
192.168.2.5 -> 172.30.241.66 => 3
192.168.2.6 -> 172.30.241.66 => 5
192.168.2.7 -> 172.30.241.66 => 4
192.168.2.8 -> 172.30.241.66 => 5
[Expert@MyGW:0]#

















fw [-d] ctl multik print_heavy_conn

-d

[Expert@MyGW:0]# fw ctl multik print_heavy_conn

Source: 192.168.20.31; SPort: 51006; Dest: 172.30.40.55; DPort: 80; IPP: 6; Instance 1; Instance Load
61%; Connection instance load 100%
Source: 192.168.20.31; SPort: 50994; Dest: 172.30.40.55; DPort: 80; IPP: 6; Instance 1; Instance Load
61%; Connection instance load 100%
Source: 192.168.20.31; SPort: 50992; Dest: 172.30.40.55; DPort: 80; IPP: 6; Instance 1; Instance Load
61%; Connection instance load 100%
[Expert@MyGW:0]#
$FWDIR/conf/prioq.conf

fw ctl multik prioq

[0]
[1]
[2]

fw6 ctl multik prioq

[0]
[1]
[2]

0
1

[Expert@MyGW:0]# fw ctl multik prioq

Current mode is Off

Available modes:
0. Off
1. Eviluator-only
2. On

Choose the desired mode number: (or 3 to Quit)

[Expert@MyGW:0]#
fw ctl multik add_bypass_port

$FWDIR/conf/dispatcher_bypass.conf

fw ctl multik show_bypass_ports

[Expert@MyGW:0]# fw ctl multik show_bypass_ports

dynamic dispatcher bypass port list:
(9999,8888)
[Expert@MyGW:0]#
fw [-d] ctl multik stat

fw6 [-d] ctl multik stat








-d

[Expert@MyGW:0]# fw ctl multik stat

ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 7 | 5 | 21
1 | Yes | 6 | 3 | 23
2 | Yes | 5 | 5 | 25
3 | Yes | 4 | 4 | 21
4 | Yes | 3 | 5 | 21
5 | Yes | 2 | 5 | 20
[Expert@MyGW:0]#

[Expert@MyGW:0]# fw6 ctl multik stat

ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 7 | 0 | 4
1 | Yes | 6 | 0 | 4
[Expert@MyGW:0]#
fw ctl multik stop

fw ctl multik start

fw6 ctl multik start

[Expert@MyGW:0]# fw ctl multik stat

ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | No | - | 6 | 13
1 | No | - | 3 | 11
2 | No | - | 4 | 13
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl multik start
Instance 1 started (2 of 3 are active)
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl multik start
Instance 2 started (3 of 3 are active)
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl multik stat
ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 3 | 5 | 13
1 | Yes | 2 | 4 | 11
2 | Yes | 1 | 4 | 13
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl multik start
All instances are already active
[Expert@MyGW:0]#
fw ctl multik start

fw ctl multik stop

fw6 ctl multik stop

[Expert@MyGW:0]# fw ctl multik stat

ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 3 | 5 | 13
1 | Yes | 2 | 4 | 11
2 | Yes | 1 | 4 | 13
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl multik stop
Instance 2 stopped (2 of 3 are active)
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl multik stop
Instance 1 stopped (1 of 3 are active)
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl multik stat
ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 3 | 4 | 13
1 | No | - | 3 | 11
2 | No | - | 7 | 13
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl multik stop
All instances are already inactive
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl multik stat
ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | No | - | 6 | 13
1 | No | - | 3 | 11
2 | No | - | 4 | 13
[Expert@MyGW:0]#
fw ctl multik utilize

fw6 ctl multik utilize

[Expert@MyGW:0]# fw ctl multik utilize

ID | Utilize(%) | Queue Elements
----------------------------------
0 | 1 | 30
1 | 0 | 10
2 | 0 | 17
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw6 ctl multik utilize
ID | Utilize(%) | Queue Elements
----------------------------------
0 | 0 | 0
1 | 0 | 0
[Expert@MyGW:0]#
fw ctl affinity



fw ctl affinity -l






fw ctl affinity


fw ctl affinity -l [-a] [-v] [-r] [-q]


fw ctl affinity -l -i <Interface Name>


fw ctl affinity -l -k <CoreXL FW Instance ID>


fw ctl affinity -l -p <Process ID>


fw ctl affinity -l -n <Process Name>


fw -d ctl affinity -corelicnum

-i <Interface Name>

-k <CoreXL FW Instance ID>

-p <Process ID>

-n <Process Name>

all

<CPU ID0> ... <CPU IDn>

-a

-v

-r

-q
[Expert@MyGW:0]# fw ctl affinity -l
eth0: CPU 0
eth1: CPU 0
eth2: CPU 0
eth3: CPU 0
fw_0: CPU 7
fw_1: CPU 6
fw_2: CPU 5
fw_3: CPU 4
fw_4: CPU 3
fw_5: CPU 2
fwd: CPU 2 3 4 5 6 7
fgd50: CPU 2 3 4 5 6 7
status_proxy: CPU 2 3 4 5 6 7
rad: CPU 2 3 4 5 6 7
cpstat_monitor: CPU 2 3 4 5 6 7
mpdaemon: CPU 2 3 4 5 6 7
cpsead: CPU 2 3 4 5 6 7
cserver: CPU 2 3 4 5 6 7
rtmd: CPU 2 3 4 5 6 7
fwm: CPU 2 3 4 5 6 7
cpsemd: CPU 2 3 4 5 6 7
cpca: CPU 2 3 4 5 6 7
cprid: CPU 2 3 4 5 6 7
cpd: CPU 2 3 4 5 6 7
[Expert@MyGW:0]#

[Expert@MyGW:0]# fw ctl affinity -l -a -v

Interface eth0 (irq 67): CPU 0
Interface eth1 (irq 75): CPU 0
Interface eth2 (irq 83): CPU 0
Interface eth3 (irq 59): CPU 0
fw_0: CPU 7
fw_1: CPU 6
fw_2: CPU 5
fw_3: CPU 4
fw_4: CPU 3
fw_5: CPU 2
fwd: CPU 2 3 4 5 6 7
fgd50: CPU 2 3 4 5 6 7
status_proxy: CPU 2 3 4 5 6 7
rad: CPU 2 3 4 5 6 7
cpstat_monitor: CPU 2 3 4 5 6 7
mpdaemon: CPU 2 3 4 5 6 7
cpsead: CPU 2 3 4 5 6 7
cserver: CPU 2 3 4 5 6 7
rtmd: CPU 2 3 4 5 6 7
fwm: CPU 2 3 4 5 6 7
cpsemd: CPU 2 3 4 5 6 7
cpca: CPU 2 3 4 5 6 7
cprid: CPU 2 3 4 5 6 7
cpd: CPU 2 3 4 5 6 7
[Expert@MyGW:0]#

[Expert@MyGW:0]# fw ctl affinity -l -a -v -r

CPU 0: eth0 (irq 67) eth1 (irq 75) eth2 (irq 83) eth3 (irq 59)
CPU 1:
CPU 2: fw_5
fwd fgd50 status_proxy rad cpstat_monitor mpdaemon cpsead cserver rtmd fwm cpsemd cpca cprid
cpd
CPU 3: fw_4
fwd fgd50 status_proxy rad cpstat_monitor mpdaemon cpsead cserver rtmd fwm cpsemd cpca cprid
cpd
CPU 4: fw_3
fwd fgd50 status_proxy rad cpstat_monitor mpdaemon cpsead cserver rtmd fwm cpsemd cpca cprid
cpd
CPU 5: fw_2
fwd fgd50 status_proxy rad cpstat_monitor mpdaemon cpsead cserver rtmd fwm cpsemd cpca cprid
cpd
CPU 6: fw_1
fwd fgd50 status_proxy rad cpstat_monitor mpdaemon cpsead cserver rtmd fwm cpsemd cpca cprid
cpd
CPU 7: fw_0
fwd fgd50 status_proxy rad cpstat_monitor mpdaemon cpsead cserver rtmd fwm cpsemd cpca cprid
cpd
All:
[Expert@MyGW:0]#

[Expert@MyGW:0]# fw ctl affinity -l -i eth0

eth0: CPU 0
[Expert@MyGW:0]#

[Expert@MyGW:0]# ps -ef | grep -v grep | egrep "PID|fwd"

UID PID PPID C STIME TTY TIME CMD
admin 26641 26452 0 Mar27 ? 00:06:56 fwd
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl affinity -l -p 26641
Process 26641: CPU 2 3 4 5 6 7
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl affinity -l -n fwd
fwd: CPU 2 3 4 5 6 7
[Expert@MyGW:0]#

[Expert@MyGW:0]# fw ctl affinity -l -k 1

fw_1: CPU 6
[Expert@MyGW:0]#

[Expert@MyGW:0]# fw -d ctl affinity -corelicnum

[5363 4134733584]@MyGW[4 Apr 18:11:03] Number of system CPUs 8
[5363 4134733584]@MyGW[4 Apr 18:11:03] cplic_get_navailable_cpus: fw_get_allowed_cpus_num returned
invalid value (100000) - all cpus considered as allowed!!!
4
[5363 4134733584]@MyGW[4 Apr 18:11:03] cpKeyTaskManager::~cpKeyTaskManager: called.
[Expert@MyGW:0]#
fw ctl affinity -l



fw ctl affinity -l -x
set virtual-system
< >


fw ctl affinity -l -x
[-vsid <VSID ranges>]
[-cpu <CPU ID ranges>]
[-flags {e | k | t | n | h | o}]


fw -d ctl affinity -corelicnum

-vsid < >

 -vsid 7
 -vsid
0-2 4
-vsid

< >
 -cpu 7
 -cpu 0-2 4
-flags {e | k | t | n -flags
| h | o}
 e
 k
 t
 n
/proc/ /cmdline
 h
 o
/tmp/affinity_list_output

-flags tn

[Expert@VSX_GW:0]# fw ctl affinity -l -x -cpu 0

---------------------------------------------------------------------
|PID |VSID | CPU |SRC|V|KT |EXC| NAME
---------------------------------------------------------------------
| 2 | 0 | 0 | | | K | |
| 3 | 0 | 0 | | | K | |
| 4 | 0 | 0 | | | K | |
| 14 | 0 | 0 | | | K | |
| 99 | 0 | 0 | | | K | |
| 278 | 0 | 0 | | | K | |
| 382 | 0 | 0 | | | K | |
| 674 | 0 | 0 | | | K | |
| 2195 | 0 | 0 | | | K | |
| 6348 | 0 | 0 | | | K | |
| 6378 | 0 | 0 | | | K | |
---------------------------------------------------------------------
PID - represents the pid of the process
VSID - represents the virtual device id
CPU - represents the CPUs assigned to the specific process
SRC - represents the source configuration file of the process - (V)SID / (I)nstance / (P)rocess
V - represents validity,star means that the actual affinity is different than the configured affinity
KT - represents whether the process is a kernel thread
EXC - represents whether the process belongs to the process exception list (vsaffinity_exception.conf)
[Expert@VSX_GW:0]#

[Expert@VSX_GW:0]# fw ctl affinity -l -x -vsid 1

---------------------------------------------------------------------
|PID |VSID | CPU |SRC|V|KT |EXC| NAME
---------------------------------------------------------------------
| 3593 | 1 | 1 2 3 | | | | | httpd
| 10997 | 1 | 1 2 3 | | | | | cvpn_rotatelogs
| 11005 | 1 | 1 2 3 | | | | | httpd
| 22294 | 1 | 1 2 3 | | | | | routed
| 22328 | 1 | 1 2 3 | | | | | fwk_wd
| 22333 | 1 | 1 2 3 | P | | | | fwk
| 22488 | 1 | 1 2 3 | | | | | cpd
| 22492 | 1 | 1 2 3 | | | | | fwd
| 22504 | 1 | 1 2 3 | | | | | cpviewd
| 22525 | 1 | 1 2 3 | | | | | mpdaemon
| 22527 | 1 | 1 2 3 | | | | | ci_http_server
| 30629 | 1 | 1 2 3 | | | | | vpnd
| 30631 | 1 | 1 2 3 | | | | | pdpd
| 30632 | 1 | 1 2 3 | | | | | pepd
| 30635 | 1 | 1 2 3 | | | | | fwpushd
| 30743 | 1 | 1 2 3 | | | | | dbwriter
| 30748 | 1 | 1 2 3 | | | | | cvpnproc
| 30752 | 1 | 1 2 3 | | | | | MoveFileServer
| 30756 | 1 | 1 2 3 | | | | | CvpnUMD
| 30760 | 1 | 1 2 3 | | | | | Pinger
| 30764 | 1 | 1 2 3 | | | | | IdlePinger
| 30770 | 1 | 1 2 3 | | | | | cvpnd
---------------------------------------------------------------------
[Expert@VSX_GW:0]#
fw ctl affinity -s





$FWDIR/conf/fwaffinity.conf
• fw ctl affinity -s
sim affinity -s
sim affinity -a


fw ctl affinity


fw ctl affinity -s -i <Interface Name>
all
<CPU ID0> [ <CPU ID1> ... <CPU IDn> ]


fw ctl affinity -s -k <CoreXL FW Instance ID>
all
<CPU ID0> [ <CPU ID1> ... <CPU IDn> ]


fw ctl affinity -s -p <Process ID>
all
<CPU ID0> [ <CPU ID1> ... <CPU IDn> ]


fw ctl affinity -s -n <Process Name>
all
<CPU ID0> [ <CPU ID1> ... <CPU IDn> ]

-i <Interface Name>

-k <CoreXL FW Instance ID>

-p <Process ID>

-n <Process Name>
all

<CPU ID0> ... <CPU IDn>

[Expert@MyGW:0]# fw ctl affinity -s -i eth1 1

eth1: CPU 1 - set successfully
Multi-queue affinity was not changed. For More info, see sk113834.
[Expert@MyGW:0]#

[Expert@MyGW:0]# fw ctl affinity -s -k 1 2

fw_1: CPU 2 - set successfully
Multi-queue affinity was not changed. For More info, see sk113834.
[Expert@MyGW:0]#

[Expert@MyGW:0]# cpwd_admin list | egrep "PID|cpd"

APP PID STAT #START START_TIME MON COMMAND
CPD 6080 E 1 [13:46:27] 17/9/2018 Y cpd
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl affinity -s -p 6080 2
Process 6080: CPU 2 - set successfully
Multi-queue affinity was not changed. For More info, see sk113834.
[Expert@MyGW:0]#

[Expert@MyGW:0]# fw ctl affinity -s -n cpd 2

cpd: CPU 2 - set successfully
Multi-queue affinity was not changed. For More info, see sk113834.
[Expert@MyGW:0]#
fw ctl affinity -s





fw ctl affinity


fw ctl affinity -s -d [-vsid <VSID ranges>] -cpu <CPU ID ranges>


fw ctl affinity -s -d -pname <Process Name> [-vsid <VSID ranges>]
-cpu all
-cpu <CPU ID ranges>


fw ctl affinity -s -d -inst <Instances Ranges> -cpu <CPU ID ranges>


fw ctl affinity -s -d -fwkall <Number of CPUs>


fw ctl affinity
-vsx_factory_defaults
-vsx_factory_defaults_no_prompt

-vsid < >


-vsid 7

-vsid 0-2 4
-vsid
< >

-cpu 7

-cpu 0-2 4

-pname < >

-inst < >


-inst 7

-inst 0 2 4
-fwkall < >

-vsx_factory_defaults

-vsx_factory_defaults_no_prompt

[Expert@MyGW:0]# fw ctl affinity -s -d -vsid 0-2 4 6-8 -cpu 0-2 4

VDevice 0-2 4 6-8 : CPU 0 1 2 4 - set successfully
Multi-queue affinity was not changed. For More info, see sk113834.
[Expert@MyGW:0]#

[Expert@MyGW:0]# fw ctl affinity -s -d -pname cpd -vsid 0-12 -cpu 7

VDevice 0-12 : CPU 7 - set successfully
Multi-queue affinity was not changed. For More info, see sk113834.
Warning: some of the VSIDs did not exist
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl affinity -s -d -inst 0 2 4 -cpu 5
VDevice 0 2 4: CPU 5 - set successfully
Multi-queue affinity was not changed. For More info, see sk113834.
[Expert@MyGW:0]#

[Expert@MyGW:0]# fw ctl affinity -s -d -fwkall 2

VDevice 0-2 : CPU 2 3 - set successfully
Multi-queue affinity was not changed. For More info, see sk113834.
[Expert@MyGW:0]#

[Expert@MyGW:0]# fw ctl affinity -s -d -fwkall 4

There are configured processes/FWK instances
(y) will override all currently configured affinity and erase the configuration files
(n) will set affinity only for unconfigured processes/threads
Do you want to override existing configurations (y/n) ? y
VDevice 0-2 : CPU all - set successfully
Multi-queue affinity was not changed. For More info, see sk113834.
[Expert@MyGW:0]#
fw fw

fw -i

fw -i <ID of CoreXL FW instance> <Command>

fw -i 1 tab -t connections
cpmq


cpmq get
[-a]
[-v]
[-vv]
[rx_num {igb | ixgbe | i40e | mlx5_core}]


cpmq set rx_num
igb {default | <Value>}
ixgbe {default | <Value>}
i40e {default | <Value>}
mlx5_core {default | <Value>}


cpmq set affinity

get

get -a

 [On]
 [Off]
 [Pending On]

 [Pending Off]

[Expert@GW:0]# cpmq get -a

Active igb interfaces:

eth1-05 [On]
eth1-06 [Off]
eth1-01 [Off]
eth1-03 [Off]
eth1-04 [On]

Non active igb interfaces:

eth1-02 [Off]
[Expert@GW:0]#
get -v

get -vv

set affinity





set rx_num igb

default
<Value> igb
set rx_num ixgbe
default
<Value> ixgbe
set rx_num i40e
default
<Value> i40e
set rx_num mlx5_core
default
<Value> mlx5_core
set rx_num <Driver>
default

set rx_num <Driver>

<Value>

cpmq get

cpmq set








cpmq get rx_num

igb
ixgbe
i40e
mlx5_core

cpmq set rx_num ixgbe {default | < >}




cpmq set rx_num {igb | ixgbe | i40e | mlx5_core} <Number of Active RX Queues>

cpconfig

cpmq set rx_num {igb | ixgbe | i40e | mlx5_core} default

rx_num











rx_num





 fw ctl affinity

 cpmq set affinity

 cpmq get -v

cpmq get -v

[Expert@GW:0]# cpmq get -v

Active mlx5_core interfaces:

eth2-01 [On]

Active i40e interfaces:

eth5-01 [On]
eth5-02 [Off]

Active ixgbe interfaces:

eth4-01 [On]
eth4-02 [On]

Active igb interfaces:

Mgmt [On]

The rx_num for mlx5_core is: 10 (default)

The rx_num for i40e is: 10
The rx_num for ixgbe is: 16 (default)
The rx_num for igb is: 2

multi-queue affinity for mlx5_core interfaces:

CPU | TX | Vector | RX Bytes
-------------------------------------------------------------
0 | 0 | eth2-01-0 (211) | 0
1 | 2 | eth2-01-2 (227) | 0
2 | 4 | eth2-01-4 (52) | 0
3 | 6 | eth2-01-6 (68) | 0
4 | 8 | eth2-01-8 (84) | 0
5 | 10 | |

multi-queue affinity for i40e interfaces:

CPU | TX | Vector | RX Bytes
-------------------------------------------------------------
0 | 0 | i40e-eth5-01-TxRx-0 (99) | 0
1 | 2 | i40e-eth5-01-TxRx-2 (115) | 0
2 | 4 | i40e-eth5-01-TxRx-4 (131) | 0
3 | 6 | i40e-eth5-01-TxRx-6 (147) | 0
4 | 8 | i40e-eth5-01-TxRx-8 (163) | 0
5 | 0 | |

multi-queue affinity for ixgbe interfaces:

CPU | TX | Vector | RX Bytes
-------------------------------------------------------------
0 | 0 | eth4-01-TxRx-0 (156) | 0
| | eth4-02-TxRx-0 (157) |
1 | 2 | eth4-01-TxRx-2 (172) | 0
| | eth4-02-TxRx-2 (173) |
2 | 4 | eth4-01-TxRx-4 (188) | 0
| | eth4-02-TxRx-4 (189) |
3 | 6 | eth4-01-TxRx-6 (204) | 0
| | eth4-02-TxRx-6 (205) |
4 | 8 | eth4-01-TxRx-8 (220) | 0
| | eth4-02-TxRx-8 (221) |
5 | 10 | eth4-01-TxRx-10 (236) | 0
| | eth4-02-TxRx-10 (237) |
6 | 12 | eth4-01-TxRx-12 (61) | 0
| | eth4-02-TxRx-12 (62) |
7 | 14 | eth4-01-TxRx-14 (77) | 0
| | eth4-02-TxRx-14 (78) |
[Expert@GW:0]#

top

top - 18:02:33 up 28 days, 1:18, 1 user, load average: 1.22, 1.38, 1.48
Tasks: 137 total, 3 running, 134 sleeping, 0 stopped, 0 zombie

Cpu0 : 2.0%us, 0.0%sy, 0.0%ni, 42.7%id, 5.9%wa, 0.0%hi, 49.4%si, 0.0%st

Cpu1 : 0.0%us, 1.0%sy, 0.0%ni, 55.2%id, 0.0%wa, 0.0%hi, 43.8%si, 0.0%st
Cpu2 : 2.0%us, 2.0%sy, 0.0%ni, 45.5%id, 0.0%wa, 4.0%hi, 46.5%si, 0.0%st
Cpu3 : 1.0%us, 2.0%sy, 0.0%ni, 74.5%id, 0.0%wa, 0.0%hi, 22.5%si, 0.0%st
Cpu4 : 5.0%us, 1.0%sy, 0.0%ni, 42.6%id, 0.0%wa, 0.0%hi, 51.5%si, 0.0%st

Mem: 12224020k total, 70005820k used, 5218200k free, 273536k buffers

Swap: 14707496k total, 0k used, 14707496k free, 484340k cached

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND

3301 root 15 0 0 O 0 R 17 0.0 2747:04 [fw_worker_3]
3326 root 15 0 0 O 0 R 16 0.0 2593:35 [fw_worker_0]
... ... ...

cpmq get -vv

[Expert@GW:0]# cpmq get -vv

Active i40e interfaces:

eth5-01 [On]
eth5-02 [Off]

Active ixgbe interfaces:

eth4-01 [On]
eth4-02 [On]

Active igb interfaces:

Mgmt [On]

The rx_num for i40e is: 10

The rx_num for ixgbe is: 16 (default)
The rx_num for igb is: 2

multi-queue affinity for i40e interfaces:

CPU | TX | Vector | RX Packets | RX Bytes
--------------------------------------------------------------------
0 | 0 | i40e-eth5-01-TxRx-0 (220) | 0 | 0
1 | 2 | i40e-eth5-01-TxRx-2 (236) | 0 | 0
2 | 4 | i40e-eth5-01-TxRx-4 (61) | 0 | 0
3 | 6 | i40e-eth5-01-TxRx-6 (77) | 0 | 0
4 | 8 | i40e-eth5-01-TxRx-8 (93) | 0 | 0
5 | 0 | | |

multi-queue affinity for ixgbe interfaces:

CPU | TX | Vector | RX Packets | RX Bytes
--------------------------------------------------------------------
0 | 0 | eth4-01-TxRx-0 (234) | 0 | 0
| | eth4-02-TxRx-0 (187) | |
1 | 2 | eth4-01-TxRx-2 (59) | 0 | 0
| | eth4-02-TxRx-2 (203) | |
2 | 4 | eth4-01-TxRx-4 (75) | 0 | 0
| | eth4-02-TxRx-4 (219) | |
3 | 6 | eth4-01-TxRx-6 (91) | 0 | 0
| | eth4-02-TxRx-6 (235) | |
4 | 8 | eth4-01-TxRx-8 (107) | 0 | 0
| | eth4-02-TxRx-8 (60) | |
5 | 10 | eth4-01-TxRx-10 (123) | 0 | 0
| | eth4-02-TxRx-10 (76) | |
6 | 12 | eth4-01-TxRx-12 (139) | 0 | 0
| | eth4-02-TxRx-12 (92) | |
7 | 14 | eth4-01-TxRx-14 (155) | 0 | 0
| | eth4-02-TxRx-14 (108) | |

multi-queue affinity for igb interfaces:

CPU | TX | Vector | RX Packets | RX Bytes
--------------------------------------------------------------------
0 | 0 | Mgmt-TxRx-0 (172) | 2752 | 176674
1 | 0 | | |
[Expert@GW:0]#
adlog


 adlog
adlog
 adlog

adlog a <parameter> [<option>]

 adlog

adlog l <parameter> [<option>]

< >
a

 adlog a
l

 adlog l
l adlog
a adlog l
control < > < >

dc
debug < >

query < >< >

statistics
adlog {a | l} control
muh <options>
reconf
srv_accounts <options>
stop

muh
mark
show  mark
unmark
 show
 unmark

reconf

srv_accounts
clear
find
show
unmark

 clear

 find
 show
 unmark

stop
adlog a dc
adlog l dc
adlog

$FWDIR/log/pdpd.elg
$FWDIR/log/fwd.elg

adlog {a | l} debug
extended
mode
off
on

extended
mode on off
off
on
adlog {a | l} query
all
ip <options>
machine <options>
string <options>
user <options>

all

ip < >
machine < >

string < >

user < >

jo
adlog a query user jo
adlog

adlog a statistics
adlog l statistics
pdp <command> [<parameter> [<option>]]

< >
ad < > < >

auth < > < >

connections < >

control < >< >

debug < > < >

idc < >< >

monitor < >< >

nested_groups < >

network < >

radius < > < >

status < >

tasks_manager < >

timers < >

topology_map
tracker < >
update < >
vpn < >
pdp ad <parameter>
associate <options>
disassociate <options>

associate < >

disassociate < >

pdp ad associate ip <IP Address> u <Username> d <Domain> [m <Computer Name>] [t

<Timeout>] [s]

ip < >
u < >

m < >

d < >

t < >

s u < > m < >

< > < >
pdp ad disassociate ip <IP Address> {u <Username> | m <Computer Name>} [r {override
| probed | timeout}]

ip <IP Address>

u <Username>

m <Computer Name>

r
override
probed
timeout
pdp auth
allow_empty_result <options>
count_in_non_ldap_group <options>
fetch_by_sid <options>
force_domain <options>
kerberos_any_domain <options>
kerberos_encryption <options>
reauth_agents_after_policy <options>
recovery_interval <options>
username_password <options>

allow_empty_result
disable
enabled
status

count_in_non_ldap_group
disable
enabled
status

fetch_by_sid
disable
enabled
status
force_domain
disable
enabled
stat
kerberos_any_domain
disable
enabled
status
kerberos_encryption
get
set

reauth_agents_after_policy
disable
enabled
status
recovery_interval
disable
enable
set <Value>
show
username_password
disable
enabled
stat
pdp connections
idc
pep
ts

idc
pep

ts
pdp control
revoke_ip <options>
sync

revoke_ip < >

sync
pdp debug
async1
ccc <options>
memory
off
on
reset
rotate
set <options>
spaces [<options>]
stat
unset <options>

async1
async echo

ccc
on
off $FWDIR/log/pdpd.elg
 on
 off
memory

off

pdp debug on
pdp debug set ...

reset

pdp debug
reset pdp debug off

rotate

 $FWDIR/log/pdpd.elg
$FWDIR/log/pdpd.elg.0
 $FWDIR/log/pdpd.elg.0
$FWDIR/log/pdpd.elg.1

set <Topic Name> <Severity>

 all


 all
 critical
 events
 important
 surprise

pdp debug set all all

spaces
[0 | 1 | 2 | 3 | 4 | 5]
$FWDIR/log/pdpd.elg

stat

unset <Topic Name>

pdp idc
groups_consolidation <options>
muh <options>
service_accounts

groups_consolidation
status

muh
mark
show  mark
unmark
 show
 unmark

service_accounts
pdp monitor
all
client_type <options>
cv_ge <options>
cv_le <options>
groups <options>
ip <options>
machine <options>
machine_exact
mad
network
s_port
summary
user <options>
user_exact

all

client_type
"AD Query"
"Identity Agent"
portal
unknown
 "AD Query"
 "Identity Agent"

 portal
 unknown
cv_ge <Version>

cv_le <Version>

groups <Group Name>

ip <IP address>

machine <Computer Name>

machine_exact
mad

network

192.168.72.*
s_port

summary

user <Username>

user_exact

pdp monitor ip 192.0.2.1

Published
pdp nested_groups
clear
depth
disable
enable
show
status
__set_state <options>

clear

depth

disable

enable

show

status

__set_state
1
2  1
3
4  2
 3

pdp network
info
registered

info
registered
pdp radius
ip <options>
groups <options>
parser <options>
roles <options>
status

ip
reset
set <attribute index> [-a <vendor specific
attribute index>] [-c <vendor code>]
 set

 reset

groups
fetch
off
on
reset
 fetch
set
-m <attribute index> [-a <vendor specific
attribute index>] [-c <vendor code>] [-d <delimiter>]
-u
 on
 off
 reset

 set

parser
reset
set <attribute index> [-c <vendor code> -a <vendor
specific attribute index>] -p <prefix> -s <suffix>
 reset

 set
roles
fetch
off
on
reset
set  fetch
-m <attribute index> [-a <vendor specific
attribute index>] [-c <vendor code>] [-d <delimiter>]
-u

 on
 off
 reset

 set

status
pdp status
show

show
pdp tasks_manager
status

status
pdp timers
show

show
 User Auth Timer
 Machine Auth Timer
 Pep Cache Timer
 Compliance Timer
 Keep Alive Timer
 Ldap Fetch Timer
pdp topology_map
TRACKER

TRACKER

pdp tracker
off
on

off TRACKER
on TRACKER
pdp update
all
specific

all
specific
pdp vpn
show

show
pep <command> [<parameter> [<option>]]

control < >< >

debug < > < >

show < > < >

tracker < > TRACKER

pep control
extended_info_storage <options>
pep_priority_method <options>
portal_dual_stack <options>
tasks_manager status <options>

extended_info_storage
disable
enable
 disable
 enable
pep_priority_method
remove
status
ttl
user_machine
 remove
pep_priority_method.
 status
 ttl
 user_machine

portal_dual_stack
disable
enable  disable
 enable
tasks_manager
status
pep debug
memory
off
on
reset
rotate
set <options>
spaces [<options>]
stat
unset <options>

memory

off

pep debug on
pep debug set ...

reset

pep debug
reset ... pep debug
off
rotate

 $FWDIR/log/pepd.elg
$FWDIR/log/pepd.elg.0
 $FWDIR/log/pepd.elg.0
$FWDIR/log/pepd.elg.1

set <Topic Name> <Severity>

 all


 all
 critical
 events
 important
 surprise

pep debug set all all

spaces
[0 | 1 | 2 | 3 | 4 | 5]
$FWDIR/log/pepd.elg

stat

unset <Topic Name>

pep show
conciliation_clashes <options>
network <options>
pdp <options>
stat
topology_map
user <options>

conciliation_clashes
all
clear  all
ip <Session IP Address>
 clear
 ip

network
pdp
registration  pdp

 registration

pdp
all
id <ID of PDP>
 all
 id

stat

topology_map
user
all
query
cid <IP[,ID]>
cmp <Compliance>
mchn <Computer Name>  all
mgrp <Group>
pdp <IP[,ID]>  query
role <Identity Role>
ugrp <Group>
uid <UID String>  cid < [, ]>
usr <Username>

 cmp <Compliance>

 mchn < >

 mgrp < >

 pdp < [, ]>

 role < >

 ugrp < >

 uid < >

 usr < >

jo
Employees

# pep show user query usr jo ugrp

Employees
TRACKER

TRACKER

pep tracker
off
on

off TRACKER
on TRACKER

 $FWDIR/conf/test_ad_connectivity.conf
$FWDIR/conf/test_ad_connectivity.conf

 –o
$FWDIR/log/test_ad_connectivity.elg

[Expert@HostName:0]# $FWDIR/bin/test_ad_connectivity -h
[Expert@HostName:0]# $FWDIR/bin/test_ad_connectivity <Parameter_1 Value_1>
<Parameter Value_2> ... <Parameter_N Value_N> ...<Parameters And Options>

-h
-a

 -a
 -c
 -p
-b < >
-c < >

 -a
 -c
 -p
-d < >
ad.mycompany.com
-D < >

-f <
>
-i < >

-I < >

-o < >

$FWDIR/tmp/
-p < >

 -a
 -c
 -p
-l

-L < >

-M

-r < >



-s

-t < >

-u < >

-v
-x < >
ad.mycompany.com

-w

192.168.230.240
mydc.local
Administrator
aaaa
[Expert@HostName:0]# $FWDIR/bin/test_ad_connectivity -u
"Administrator" -c "aaaa" -D
"CN=Administrator,CN=Users,DC=mydc,DC=local" -d mydc.local -i
192.168.230.240 -b "DC=mydc,DC=local" -o test.txt
[Expert@HostName:0]# cat $FWDIR/tmp/test.txt
(
:status (SUCCESS_LDAP_WMI)
:err_msg ("WMI_SUCCESS;LDAP_SUCCESS")
:ldap_status (LDAP_SUCCESS)
:wmi_status (WMI_SUCCESS)
:timestamp ("Mon Feb 26 10:17:41 2018")
)



vpn
check_ttm
{cipherutil | cu}
compreset
compstat
crl_zap
crlview
debug
dll
drv
dump_psk
ipafile_check
ipafile_users_capacity
macutil
mep_refresh
neo_proto
nssm_topology
overlap_encdom
rim_cleanup
rll
set_slim_server
set_snx_encdom_groups
set_trac
shell
show_tcpt
sw_topology
{tunnelutil | tu}
ver

check_ttm
cipherutil | cu

compreset
compstat
crl_zap
crlview

debug vpnd
dll
drv
dump_psk
ipafile_check
$FWDIR/conf/ipassignment.conf
ipafile_users_capacity
$FWDIR/conf/ipassignment.conf
macutil

mep_refresh
neo_proto
nssm_topology

overlap_encdom

rim_cleanup
rll
set_slim_server

set_snx_encdom_groups

set_trac
shell
show_tcpt
sw_topology
tunnelutil | tu TunnelUtil

ver
vpn check_ttm <ttm_file_path>

< >

[Expert@MyGW:0]# find / -name \*.ttm -type f

/var/opt/CPsuite-R80.30/fw1/conf/neo_client_1.ttm
/var/opt/CPsuite-R80.30/fw1/conf/iphone_client_1.ttm
/var/opt/CPsuite-R80.30/fw1/conf/fw_client_1.ttm
/var/opt/CPsuite-R80.30/fw1/conf/nemo_client_1.ttm
/var/opt/CPsuite-R80.30/fw1/conf/trac_client_1.ttm
/var/opt/CPsuite-R80.30/fw1/conf/vpn_client_1.ttm
/var/opt/CPsuite-R80.30/fw1/conf/topology_trans_tmpl.ttm
[Expert@MyGW:0]#

[Expert@MyGW:0]# vpn check_ttm

/var/opt/CPsuite-R80.30/fw1/conf/trac_client_1.ttm

Summary for the file: trac_client_1.ttm

result: the file passed the check without any problems

[Expert@MyGW:0]#
vpn compreset

[Expert@MyGW:0]# vpn compreset

Compression statistics were reset.
[Expert@MyGW:0]#
vpn cu
vpn cipherutil

[Expert@MyGW:0]# vpn cipherutil

Select Option

(1) Print all existing ciphers

(2) Print currently configured
(3) Test configuration
(4) How To

(Q) Quit

*******************************************
vpn compstat

[Expert@MyGW:0]# vpn compstat

Compression: sum of all instances :

Compression:
============
Bytes before compression : 0
Bytes after compression : 0
Compression overhead (bytes) : 0
Bytes that were not compressed : 0
Compressed packets : 0
Packets that were not compressed : 0
Compression errors : 0

Pure compression ratio : 0.000000

Effective compression ratio : 0.000000

Decompression:
==============
Bytes before decompression : 0
Bytes after decompression : 0
Decompression overhead (bytes) : 0
Decompressed packets : 0
Decompression errors : 0
Pure decompression ratio : 0.000000
[Expert@MyGW:0]#
vpn crl_zap



vpn crlview [-d]
-obj <Network Object Name> -cert <Certificate Object Name>
-f <Certificate File>
-view

-d

-obj < >

-cert <
>
-f < >
-view




vpn crlview -obj <MyCA> -cert <MyCert>

vpn crlview -f /var/log/MyCert

vpn crlview -view <Lastest CRL>

vpnd $FWDIR/log/vpnd.elg*
$FWDIR/log/ike.elg*


LDAP

vpn debug
on [<Debug_Topic>=<Debug_Level>]
off
ikeon [-s <Size_in_MB>]
ikeoff
trunc [<Debug_Topic>=<Debug_Level>]
truncon [<Debug_Topic>=<Debug_Level>]
truncoff
timeon [<Seconds>]
timeoff
ikefail [-s <Size_in_MB>]
mon
moff
say ["String"]
tunnel [<Level>]

on
$FWDIR/log/vpnd.elg*
< >=<
>
vpn debug trunc ALL=5
off

 vpn debug off

 vpn debug truncoff
ikeon [-s < >]
$FWDIR/log/ike.elg*
$FWDIR/log/ike.elg

ikeoff

vpn debug ikeoff

trunc
$FWDIR/log/vpnd.elg
truncon $FWDIR/log/ike.elg

vpn debug trunc ALL=5

truncoff

 vpn debug truncoff

 vpn debug off
timeon [< >]

timeoff

ikefail [-s < >]

$FWDIR/log/ike.elg

mon

$FWDIR/log/ikemonitor.snoop

moff
say " " $FWDIR/log/vpnd.elg

vpn debug say "BEGIN TEST"


vpn debug on vpn debug trunc vpn debug
truncon

tunnel [< >]

$FWDIR/log/vpnd.elg
$FWDIR/log/ike.elg

tunnel
ikev2
< >

CRLCache






vpn dll
dump <File>
resolve <HostName>

dump < >

resolve < >

$FWDIR/tmp/vpnd_cmd.tmp
vpn drv
off
on
stat

off
on
stat

[Expert@MyGW:0]# vpn drv stat

VPN-1 module active
[Expert@MyGW:0]#
vpn dump_psk
$FWDIR/conf/ipassignment.conf

vpn ipafile_check <File> [{err | warn | detail}] [verify_group_names]

< >
{err | warn | detail}

 err
 warn
 detail
verify_group_names
 $FWDIR/conf/ipassignment.conf
 $FWDIR/conf/ipassignment.conf

vpn ipafile_users_capacity get

vpn ipafile_users_capacity set <128-32768>

get
set <128-32768>




[Expert@MyGW:0]# vpn ipafile_users_capacity get

The gateway can currently read 1024 users from the ipassignment.conf file
[Expert@MyGW:0]#
vpn macutil <username>

# vpn macutil John

20-0C-EB-26-80-7D, "John"
vpn mep_refresh
vpn neo_proto
off
on

off
on
vpn nssm_topology -url <"url"> -dn <"dn"> -name <"name"> -pass <"password">
[-action <bypass|drop>][-print_xml]

-url
-dn

-name
-pass
-action

-print_xml



vpn overlap_encdom [communities | traditional]

communities

traditional

# vpn overlap_encdom communities

The objects Paris and London have overlapping encryption domains.
The overlapping domain is:
10.8.8.1 - 10.8.8.1
10.10.8.0 - 10.10.9.255
- This overlapping encryption domain generates a multiple entry points configuration in MyIntranet and
RemoteAccess communities.
- Same destination address can be reached in more than one community (Meshed, Star). This configuration
is not supported.

The objects Paris and Chicago have overlapping encryption domains. The overlapping domain is:
10.8.8.1 - 10.8.8.1
- Same destination address can be reached in more than one community (MyIntranet, NewStar). This
configuration is not supported.

The objects Washington and Tokyo have overlapping encryption domains.

The overlapping domain is:
10.12.10.68 - 10.12.10.68
10.12.12.0 - 10.12.12.127
10.12.14.0 - 10.12.14.255
- This overlapping encryption domain generates a multiple entry points configuration in Meshed, Star
and NewStar communities.
vpn rim_cleanup



vpn rll
dump <File>
sync

dump < >




sync
$FWDIR/conf/slim.conf

$FWDIR/conf/slim.conf
vpn set_snx_encdom_groups
off
on

off
on
vpn set_trac
disable
enable

disable
enable

[Expert@MyGW:0]# vpn set_trac enable

Trac client enabled, Install Policy for this change to take effect
[Expert@MyGW:0]#

[Expert@MyGW:0]# vpn set_trac disable

Trac client disabled, Install Policy for this change to take effect
[Expert@MyGW:0]#
vpn shell

[Expert@MyGW:0]# vpn shell

? - This help
.. - Go up one level
quit - Quit
[interface ] - Manipulate tunnel interfaces
[show ] - Show internal data
[tunnels ] - Manipulate tunnel data
[license ] - Display SCM licenses
VPN shell:[/] > show
? - This help
.. - Go up one level
[interface ] - Show interface(s) and their status
[tunnels ] - Show SA(s)
VPN shell:[/show] > tunnels
? - This help
.. - Go up one level
[IKE ] - Show IKE SAs
[IPsec ] - Show IPsec SAs
VPN shell:[/show/tunnels] > IPsec
? - This help
.. - Go up one level
all - Show all IPsec SAs
peer - Show all IPsec SAs for a given peer (by internal IP)
VPN shell:[/show/tunnels/IPsec] > all
No data to display
VPN shell:[/show/tunnels/IPsec] > ..
? - This help
.. - Go up one level
[IKE ] - Show IKE SAs
[IPsec ] - Show IPsec SAs
VPN shell:[/show/tunnels] > ..
? - This help
.. - Go up one level
[interface ] - Show interface(s) and their status
[tunnels ] - Show SA(s)
VPN shell:[/show] > ..
? - This help
.. - Go up one level
quit - Quit
[interface ] - Manipulate tunnel interfaces
[show ] - Show internal data
[tunnels ] - Manipulate tunnel data
[license ] - Display SCM licenses
VPN shell:[/] > quit
[Expert@MyGW:0]#
vpn show_tcpt
vpn [-d] sw_toplogy -dir <directory> -name <name> -profile <profile> [-filename
<filename>]

-d

-dir < >

-name < >
-profile < >

-filename < >

TunnelUtil

vpn tu
vpn tunnelutil

# vpn tu
********** Select Option **********

(1) List all IKE SAs

(2) List all IPsec SAs
(3) List all IKE SAs for a given peer (GW) or user (Client)
(4) List all IPsec SAs for a given peer (GW) or user (Client)
(5) Delete all IPsec SAs for a given peer (GW)
(6) Delete all IPsec SAs for a given User (Client)
(7) Delete all IPsec+IKE SAs for a given peer (GW)
(8) Delete all IPsec+IKE SAs for a given User (Client)
(9) Delete all IPsec SAs for ALL peers and users
(0) Delete all IPsec+IKE SAs for ALL peers and users

(Q) Quit

*******************************************

vpn tu
help
del <options>
list <options>
mstats
tlist <options>

help

del < >

list < >

mstats

tlist < >

vpn tu [-w] del
all
ipsec
all
<IP Address>
<IP Address> <Username>
<IP Address>
<IP Address> <Username>

-w
all

vpn tu

ipsec
 all

vpn tu

 < >

vpn tu
 < > < >


vpn tu

< >

vpn tu
< > < >

vpn tu
vpn tu [-w] list
ike
ipsec
peer_ike <IP Address>
peer_ipsec <IP Address>
tunnels

-w
ike

vpn tu
ipsec

vpn tu
peer_ike < >

vpn tu
peer_ipsec < >

vpn tu
tunnels
vpn tu tlist
vpn tu [-w] mstats

vpn6 tu [-w] mstats

-w

[Expert@MyGW:0]# vpn tu mstats

Instance# # of inSPIs # of outSPIs

0 182 170
1 184 176
2 191 174
3 215 197
4 237 227
5 191 176
6 180 170
7 190 166
8 171 160
9 199 187
-----------------------------------------
Summary: 1940 1803

[Expert@MyGW:0]#

[Expert@MyGW:0]# vpn tu mstats

Instance# # of inSPIs # of outSPIs

0 238 228
1 224 214
-----------------------------------------
Summary: 462 442

[Expert@MyGW:0]#
vpn tu [-w] tlist
{-h | -help}
[clear]
[start]
[state]
[stop]
[<Sort Options>]

vpn6 tu [-w] tlist

{-h | -help}
[clear]
[start]
[state]
[stop]
[<Sort Options>]

-w
-h | -help
clear
start
state
stop
< >
 -b
 -d
 -e
 -i

 -m
 -n
 -p < >

 -r
 -s
 -t

 -v


... -<option1> -<option2> -<option3>
-v -t -b -r

... -<option1><option2><option3>
-vtbr

[Expert@MyGW:0]# vpn tu tlist

-k
-f

[Expert@MyGW:0]# vpn ver -k

This is Check Point VPN-1(TM) R80.20 - Build 074
kernel: R80.20 - Build 074
[Expert@MyGW:0]#





 mcc mcc lca mcc show

dbedit

 mcc cpca
 mcc

mcc
-h
add <options>
add2main <options>
del <options>
lca
main2add <options>
show <options>

mdsenv < >

-h

add < >

add2main < >

del < >

lca
main2add < >
show < >
mcc add <CA Name> <Certificate File>

mdsenv <IP address or Name of Domain Management Server>

mcc add <CA Name> <Certificate File>

mcc add

dbedit

< >

/var/log/Mycert.cer MyCA
mcc add MyCA /var/log/Mycert.cer
mcc add2main <CA Name> <Certificate Index Number>

mdsenv <IP address or Name of Domain Management Server>

mcc add2main <CA Name> <Certificate Index Number>

mcc add2main

dbedit

< >

MyCA
mcc add2main MyCA 1
mcc del <CA Name> <Certificate Index Number>

mdsenv <IP address or Name of Domain Management Server>

mcc del <CA Name> <Certificate Index Number>

mcc del

dbedit

< >

MyCA
mcc del MyCA 1
mcc lca

mdsenv <IP address or Name of Domain Management Server>

mcc lca

[Expert@MGMT:0]# mcc lca

MCC: Here is a list of the CAs, with the number of additional CA certificates
1. internal_ca (0)
[Expert@MGMT:0]#
mcc main2add <CA Name>

mdsenv <IP address or Name of Domain Management Server>

mcc main2add <CA Name>

mcc main2add

dbedit

< >

MyCA

mcc main2add MyCA

mcc show <CA Name> [<Certificate Index Number>]

mdsenv <IP address or Name of Domain Management Server>

mcc show <CA Name> [<Certificate Index Number>]

< >

MyCA
mcc show MyCA 1

internal_ca
[Expert@MGMT:0]# mcc lca
MCC: Here is a list of the CAs, with the number of additional CA certificates
1. internal_ca (0)
[Expert@MGMT:0]#

[Expert@MGMT:0]# mcc show internal_ca

PubKey:
Modulus:
ae b3 75 36 64 e4 1a 40 fe c2 ad 2f 9b 83 0b 45 f1 00 04 bc
3f 77 77 76 d1 de 8a cf 9f 32 78 8b d4 b1 b4 be db 75 cc c8
... ... ...
a3 9d 8b 0a de 05 fb 5c 44 2e 29 e3 3e f4 dd 50 01 0f 86 9d
55 16 a3 4d f8 90 2d 13 c6 c1 28 57 f8 3e 7c 59
Exponent: 65537 (0x10001)

X509 Certificate Version 3

refCount: 1
Serial Number: 1
Issuer: O=MyServer.checkpoint.com.s6t98x
Subject: O=MyServer.checkpoint.com.s6t98x
Not valid before: Sun Apr 8 13:41:00 2018 Local Time
Not valid after: Fri Jan 1 05:14:07 2038 Local Time
Signature Algorithm: RSA with SHA-256 Public key: RSA (2048 bits)
Extensions:
Key Usage:
digitalSignature
keyCertSign
cRLSign
Basic Constraint (Critical):
is CA

[Expert@MGMT:0]#



admin_wizard wizard <Web Site Address>

admin_wizard exchange_wizard <Exchange Server Address> <User Name> <Password>

[<Options>]

< >
< >
< >
< >
< >

as,ow

-t {as | ews | owa | all}

 as
 ews
 owa

 all
-d < >
-x < >
-c < >:< >

-n

-m < >
-s < >
/Microsoft-Server-ActiveSync
-e < >
/EWS/Exchange.asmx
-f < >
-r

 -n

-v

$CVPNDIR/log/trace_log/
-p
cvpnd_admin
policy [hard]
debug [off | set ... | trace]
appMonitor status

policy

httpd

policy hard

httpd
http
debug set TDERROR_ALL_ALL=5 cvpnd debug

$CVPNDIR/log/cvpnd.elg

debug off cvpnd debug

debug trace on TraceLogger
debug trace users=< >

$CVPNDIR/log/trace_log/

 debug trace on TraceLogger

 debug trace users=<username>

TraceLogger

 TraceLogger

appMonitor status
$CVPNDIR/conf/cvpnd.C
cvpnd_settings

cvpnd_settings
$CVPNDIR/conf/cvpnd.C

cvpnd_settings [<Configuration File>] {get | set | add | listAdd | listRemove |

internal} <Attribute-Name> [<Attribute-Value>]

cvpnd_settings [<Configuration File>] {set | get} smsMaxResendRetries [<Number>]

cvpnd_settings [<Configuration File>] {set | get} useKerberos {true | false}

cvpnd_settings [<Configuration File>] {listAdd | listRemove} kerberosRealms [<Your
AD Name>]

cvpnd_settings -h

< >
get
set

add

listAdd
listRemove
internal
$CVPNDIR/conf/cvpnd_internal_settings.C
$CVPNDIR/conf/cvpnd.C
< >
< >
< >
< >

cvpnd_settings set myFlag 1

cvpnd_settings get myFlag

cvpnd_settings set myFlag

cvpnd_settings listAdd myFlag a.example.com

fw ver -k

cvpn_ver

[Expert@MyGW:0]# cvpn_ver
This is Check Point Mobile Access R80.20 - Build 064
[Expert@MyGW:0]#
cvpnrestart [--with-pinger]

--with-pinger
cvpnstop

cvpnstart
cvpnstop
deleteUserSettings [-s] <Username1> [<Username2> ...]

-s

< >
fwpush
info
print
send <options>
unsub

info






send -token [< > |

< >] -os < > -msg
"< >" fwpush send

unsub [< > | < > |

< >] -all  < >

 < > < >

 < > < > -all

[Expert@GW:0]# UserSettingsUtil show_exchange_registered_users

[Expert@MyGW:0]# UserSettingsUtil show_exchange_registered_users

User Name: CN=JohnD,OU=USERS,OU=RND,OU=PO,OU=USA,DC=AD,DC=CHECKPOINT,DC=COM User
Settings id: c4b6c6fbb0c4a4ff4469265e93e0e372
Push Token: xxxxxxxxxxxxx65b48e424023eb7952fbc5ca22ea788cfb3cxxxxxxxxxx Device
id: 46c5XXXXcc1d10b4e18cf5a1ff3290f2
[Expert@MyGW:0]#

 < > Push Token

xxxxxxxxxxxxx65b48e424023eb7952fbc5ca22ea788cfb3cxxxxxxxxxx
 < > CN
JohnD
 < > User Settings id
c4b6c6fbb0c4a4ff4469265e93e0e372

[Expert@MyGW:0]# fwpush send -uid JohnD -msg "hello push"

$CVPNDIR/bin/ics_updates_script

$CVPNDIR/bin/ics_updates_script <Path to ICS Updates Package>

<
>


listusers

[Expert@MyGW:0]# listusers
---------------------------------
User Name | IP
---------------------------------
Tom , 192.168.0.51
Dick , 192.168.0.130
Jane , 192.168.0.7
[Expert@MyGW:0]#
$CVPNDIR/var/ssl/ca-bundle/

rehash_ca_bundle
vsenv [{<VSID> | <Name of Virtual Device>}]

< >
< >

vsx stat -v

[Expert@MyVsxGW:0]# vsenv
Context is set to Virtual Device VSX2_192.168.3.242 (ID 0).
[Expert@MyVsxGW:0]#

[Expert@MyVsxGW:0]# vsenv 2
Context is set to Virtual Device VS2 (ID 2).
[Expert@MyVsxGW:2]#





vsx
fetch <options>
fetch_all_cluster_policies
fetchvs <options>
get
initmsg <options>
mstat <options>
resctrl <options>
showncs <options>
sicreset
stat <options>
unloadall
vspurge
fw6 vsx

<options>
fetch < >
fetch_all_cluster_policies

fetchvs < >

get
initmsg < >
mstat < >
resctrl < >
showncs < >

sicreset

stat < >

unloadall

vspurge
vsx fetch [-v] [-q] [-s] local
vsx fetch [-v | -q | -s] [-f <conf_file>]
vsx fetch [-v | -q] -C "command"
vsx fetch [-v | -q | -c | -n | -s] [<Management Server>]

-c

-n
local.vsall

-q

-s

-v

local
$FWDIR/state/local/VSX/local.vsall

-f <conf_file>

local.vsall
-C "command"

< > local.vsall

$FWDIR/conf/masters




# vsx fetch
Fetching VSX Configuration From: 10.18.99.101

Local VSX Configuration is Up-To-Date.

Cleaning un-used Virtual Systems entries (local.vskeep).

Purge operation succeeded.

Fetching Virtual Systems configuration file (local.vsall).
SecureXL device has been enabled for vsid 1
SecureXL device has been enabled for vsid 2
SecureXL device has been enabled for vsid 3
Virtual Systems configuration file installed successfully
vsx fetch_all_cluster_policies [-v]

-v



vsx fetchvs [-v | -q] [{<VSID> | <Name of Virtual Device>}]

-q

-v

< >
< >




# vsx fetchvs 2
vsx get




[Expert@MyVsxGW:0]# vsx get

Current context is VSX Gateway MyVsxGW (ID 2).
[Expert@MyVsxGW:0]#
Important - R80.30 with Gaia kernel 3.10 does not support this command.

vsx initmsg [-q | -v]

-q
-v




[Expert@MyVsxGW:2]# vsx initmsg -v

Sending VSX initialization message.
VSX initialization operation succeeded.
[Expert@MyVsxGW:2]#






vsx mstat help

vsx mstat
[-vs <VSID>] [unit <Unit>] [sort {<Number> | all}]
debug
disable
enable
status
swap <Minutes>

-vs < >


-vs <VSID1>


-vs <VSID1> <VSID2>


-vs <VSID4-VSID6>

unit < >

 B
 K
 M
 G
sort {< > |
all}
all

debug

disable

enable

status

swap < >




[Expert@MyVsxGW:0]# vsx mstat unit M sort all

VSX Memory Status

=================
Memory Total: 7753.95 MB
Memory Free: 7168.71 MB
Swap Total: 3992.71 MB
Swap Free: 3992.71 MB
Swap-in rate: 8796093022208.00 MB

VSID | Memory Consumption

======+====================
0 | 260.79 MB
1 | 0.00 MB

[Expert@MyVsxGW:0]#
[Expert@MyVsxGW:0]# vsx mstat -vs 0 unit G

VSX Memory Status

=================
Memory Total: 7.572 GB
Memory Free: 7.001 GB
Swap Total: 3.899 GB
Swap Free: 3.899 GB
Swap-in rate: 8589934592.000 GB

VSID | Memory Consumption

======+====================
0 | 0.255 GB

[Expert@MyVsxGW:0]#

[Expert@MyVsxGW:0]# vsx mstat debug

VSX Memory Status

=================
Memory Total: 7940048.00 KB
Memory Free: 7339864.00 KB
Swap Total: 4088532.00 KB
Swap Free: 4088532.00 KB
Swap-in rate: 9007199254740992.00 KB

VSID | Private_Clean | Private_Dirty | DispatcherGConn | DispatcherHTab | SecureXL |

DispatcherGConn6 | DispatcherHTab6 | SecureXL6
======+===============+===============+=================+================+=============+==========
========+=================+===========
0 | 34456.00 KB | 182104.00 KB | 6.09 KB | 0.00 KB | 51071.91 KB | 0.00
KB | 0.00 KB | 0.00 KB
1 | 0.00 KB | 0.00 KB | 0.00 KB | 0.00 KB | 0.00 KB | 0.00
KB | 0.00 KB | 0.00 KB

Note: To add a field to memory table please uncomment the required field (delete the leading '#')
To remove a field from memory table please comment out the required field (add a leading '#')
Configuration is done in the file /opt/CPsuite-R80.30/fw1/conf/memoryinfo.conf

[Expert@MyVsxGW:0]#
Important - R80.30 with Gaia kernel 3.10 does not support this command.
vsx resctrl monitor enable

vsx resctrl --help

vsx resctrl
-d stat
-d -q stat
-u stat
load_configuration
monitor
disable
enable
show
reset
stop

--help
-d stat

-d -q stat

-u stat
load_configuration $FWDIR/conf/resctrl
monitor

 disable
 enable
 show
reset
stop


vsx resctrl -u


[Expert@MyVsxGW:0]# vsx resctrl -d stat

This option will be active only after 24 hours of monitoring

Monitoring active time: 2 minutes 11 seconds
[Expert@MyVsxGW:0]#

[Expert@MyVsxGW:0]# vsx resctrl -u stat

Virtual Systems CPU Usage Statistics [%]

========================================

Number of CPUs: 4
Monitoring active time: 2m 32s

ID Name | CPU | 1sec 10sec 1min 1hr* 24hr*

=============================+======+==================================
0 VSX1 | 0 | 4.90 1.82 1.43 0.00 0.00
| 1 | 0.00 0.19 1.44 0.00 0.00
| 2 | 0.00 0.06 0.13 0.00 0.00
| 3 | 4.50 0.74 0.55 0.00 0.00
| Avg. | 2.35 0.70 0.89 0.00 0.00
-----------------------------+------+----------------------------------
1 VS1 | 0 | 0.00 0.02 0.01 0.00 0.00
| 1 | 0.00 0.14 0.08 0.00 0.00
| 2 | 0.00 0.03 0.10 0.00 0.00
| 3 | 0.00 0.01 0.03 0.00 0.00
| Avg. | 0.00 0.05 0.06 0.00 0.00
=============================+======+==================================
Total Virtual Devices CPU Use| 0 | 4.90 1.84 1.44 0.00 0.00
| 1 | 0.00 0.33 1.52 0.00 0.00
| 2 | 0.00 0.09 0.23 0.00 0.00
| 3 | 4.50 0.75 0.58 0.00 0.00
| Avg. | 2.35 0.75 0.94 0.00 0.00
=============================+======+==================================

Notes: - Monitoring has been active for less than 1 hour.

Statistics are calculated only for monitoring active time.

[Expert@MyVsxGW:0]#
vsx showncs {<VSID> | <Name of Virtual Device>}

< >




 cpca_client revoke_cert

vsenv {<VSID> | <Name of Virtual Device>}

vsx sicreset {{<VSID> | <Name of Virtual Device>}

<
>
< >



vsx stat [-l] [-v] [<VSID>]

-l
-v

< >




[Expert@MyVsxGW:2]# vsx stat -v

VSX Gateway Status
==================
Name: VSX1_192.168.3.241
Access Control Policy: VSX_Cluster_VSX
Installed at: 20Sep2018 22:06:33
Threat Prevention Policy: <No Policy>
SIC Status: Trust

Number of Virtual Systems allowed by license: 25

Virtual Systems [active / configured]: 2 / 2
Virtual Routers and Switches [active / configured]: 0 / 0
Total connections [current / limit]: 5 / 44700

Virtual Devices Status

======================

Type: S - Virtual System, B - Virtual System in Bridge mode,

R - Virtual Router, W - Virtual Switch.

[Expert@MyVsxGW:2]#

[Expert@MyVsxGW:2]# vsx stat -l

VSID: 0
VRID: 0
Type: VSX Gateway
Name: VSX1_192.168.3.241
Security Policy: VSX_Cluster_VSX
Installed at: 20Sep2018 22:06:33
SIC Status: Trust
Connections number: 5
Connections peak: 43
Connections limit: 14900
VSID: 1
VRID: 1
Type: Virtual System
Name: VS1
Security Policy: VS_Policy
Installed at: 20Sep2018 22:07:03
SIC Status: Trust
Connections number: 0
Connections peak: 3
Connections limit: 14900

VSID: 2
VRID: 2
Type: Virtual System
Name: VS2
Security Policy: VS_Policy
Installed at: 20Sep2018 22:07:01
SIC Status: Trust
Connections number: 0
Connections peak: 2
Connections limit: 14900
[Expert@MyVsxGW:2]#

[Expert@MyVsxGW:2]# vsx stat 2



local.vskeep
local.vskeep

vsx vspurge [-q | -v] [-f <purge_file>]

-q
-v

-f < >



vsx_util


vsx_util -h

vsx_util <Command> [-s <Server>] [-u <UserName>] [-c <Name of VSX Object>] [-m <Name
of VSX Cluster Member>]

-h

< > vsx_util

-s < >

-u < >
-c
-m <
>

vsx_util




 vsx_util

vsx_util add_member
vsx_util add_member_reconf add_member

vsx_util change_interfaces

vsx_util change_mgmt_ip

vsx_util change_mgmt_subnet

vsx_util change_private_net

vsx_util convert_cluster

vsx_util reconfigure

vsx_util remove_member

vsx_util show_interfaces

vsx_util upgrade

vsx_util view_vs_conf

vsx_util vsls

 vsx_util_ .log


$FWDIR/log/vsx_util_ .log


/opt/CPsuite-R80.30/fw1/log/vsx_util_ .log

/opt/CPmds-R80.30/customers/<
>/CPsuite-R80.30/fw1/log/vsx_util_ .log



vsx_util add_member







 vsx_util add_member_reconf
vsx_util add_member

vsx_util add_member_reconf







vsx_util change_interfaces








mdsenv < >

vsx_util change_interfaces



vsx_util
reconfigure

Would you like to change another interface? (y|n) [n]:




Would you like to remove the old interfaces from the database? (y|n)
[n]

vsx_util reconfigure




vsx_util change_mgmt_ip






vsx_util change_mgmt_subnet













vsx_util change_private_net









 0.0.0.0 127.0.0.0 255.255.255.255


 255.255.0.0 /16
 255.255.128.0 /17
 255.255.192.0 /18
 255.255.224.0 /19
 255.255.240.0 /20
 255.255.248.0 /21
 255.255.252.0 /22
 /80
vsx_util convert_cluster




cpconfig
vsx_util reconfigure










vsx_util remove_member






 cphastop


interfacesconfig.csv

vsx_util show_interfaces




Expert@MGMT:0]# vsx_util show_interfaces

Enter Security Management Server/main Domain Management Server IP address (Hit 'ENTER' for 'localhost'):
172.16.16.240
Enter Administrator Name: admin
Enter Administrator Password:

Select VSX gateway/cluster object name:

1) VSX_Cluster_1
2) VSX_Cluster_2
3) VSX_GW_1
4) VSX_GW_2
Select: 1

Which interface would you like to display?

1) All Interfaces
2) All Physical Interfaces
3) All Warp Interfaces
4) A Specific Interface
Enter your choice: 1

+-------------------+---------------------+----+--------------------------------------------------
---+
| Type & Interface | Virtual Device Name |VSID| IP / Mask length |
+-------------------+---------------------+----+--------------------------------------------------
---+
|M eth0 |VSX_Cluster_1 |0 |v4 172.16.16.98/24 v6 2001:0DB8::98/64
|
+-------------------+---------------------+----+--------------------------------------------------
---+
|S eth1 |VSX_Cluster_1 |0 |v4
10.0.0.0/24 |
+-------------------+---------------------+----+--------------------------------------------------
---+
|U eth2 |VS1 |1 |v4 192.0.2.2/24 v6
2001:0DB8:c::1/64 |
+-------------------+---------------------+----+--------------------------------------------------
---+
|U eth3 |VS1 |1 |v4 192.168.3.3/24 v6 2001:0DB8:b::1/64
|
+-------------------+---------------------+----+--------------------------------------------------
---+
|A
eth4 | | |
|
+-------------------+---------------------+----+--------------------------------------------------
---+
|U eth5 |VS2 |2 |v4 10.10.10.10/24 v6 2001:0DB8:a::1/64
|
+-------------------+---------------------+----+--------------------------------------------------
---+
|A
eth6 | | |
|
+-------------------+---------------------+----+--------------------------------------------------
---+

#Type: M - Management Interface S - Synchronization Interface

# V - VLAN Interface W - Warp Interface
# U - Used Interface A - Available Interface
# X - Unknown Interface E - Error in Interface Properties

Logging details are available at /opt/CPsuite-R80.30/fw1/log/vsx_util_20181025_17_45.log

[Expert@MGMT:0]#
[Expert@MGMT:0]# cat interfacesconfig.csv
Interface Name , Type ,Virtual Device Name , VSID , IPv4 Address , IPv4 mask length, IPv6 Address,
IPv6 mask length
eth0,M,VSX_Cluster_1,0,172.16.16.98,24,2001:0DB8::98,64
eth1,S,VSX_Cluster_1,0,10.0.0.0,24,,
eth2,U,VS1,192.0.2.2,24,2001:0DB8:c::1,64
eth3,U,VS1,192.168.3.3,24,2001:0DB8:b::1,64
eth4,A
eth5,U,VS2,10.10.10.10,24,2001:0DB8:a::1,64
eth6,A

#Type: M - Management Interface S - Synchronization Interface

# V - VLAN Interface W - Warp Interface
# U - Used Interface A - Available Interface
# X - Unknown Interface E - Error in Interface Properties

[Expert@MGMT:0]#
vsx_util upgrade





 vsx_util reconfigure
vsx_util view_vs_conf




Expert@MGMT:0]# vsx_util show_interfaces

Enter Security Management Server/main Domain Management Server IP address (Hit 'ENTER' for 'localhost'):
172.16.16.240
Enter Administrator Name: admin
Enter Administrator Password:

Select VSX gateway/cluster object name:

1) VSX_Cluster_1
2) VSX_Cluster_2
3) VSX_GW
4) VSX_GW_2
Select: 1

Select Virtual Device object name:

1) VS1
2) VS2
3) VS3
4) VSX_Cluster
Select: 1

Type: Virtual System

Interfaces configuration table:

+---------------------------------------------------+-----+-------------------+
|Interfaces |Mgmt |VSX GW(s) |
+----------+----------------------------------------+-----+---------+---------+
|Name |IP / Mask length | |mem 1 |mem2 |
+----------+----------------------------------------+-----+---------+---------+
|eth2 |v4 10.0.0.0/24 v6 2001:db8::abc::1/64 | V | V | V |
|eth3 |v4 10.10.10.10/24 v6 2001:db8::3121/64 | V | V | V |
+----------+----------------------------------------+-----+---------+---------+

Interfaces Table Legend:

V - Interface exists on the gateway and matches management information (if defined on the
management).
- - Interface does not exist on the gateway.
N/A - Fetching Virtual Device configuration from the gateway failed.
!IP - Interface exists on the gateway, but there is an IP address mismatch.
!MASK - Interface exists on the gateway, but there is a Net Mask mismatch.
Routing table:

+----------------------------------------------------------+-----+-------------+
|Ipv4 Routes |Mgmt |VSX GW(s) |
+--------------------------+--------------------+----------+-----+------+------+
|Destination / Mask Length |Gateway |Interface | |mem1 |mem2 |
+--------------------------+--------------------+----------+-----+------+------+
|2.2.2.0/24 | |eth2 | V | V | V |
|3.3.3.0/24 | |eth3 | V | V | V |
+--------------------------+--------------------+----------+-----+------+------+
+--------------------------+--------------------+----------+-----+------+------+

+----------------------------------------------------------+-----+-------------+
|Ipv6 Routes |Mgmt |VSX GW(s) |
+--------------------------+--------------------+----------+-----+------+------+
|Destination / Mask Length |Gateway |Interface | |mem1 |mem2 |
+--------------------------+--------------------+----------+-----+------+------+
|2001:db8::abc::/64 | |eth2 | V | !NH | !NH |
|2001:db8:0a::/64 | |eth3 | V | !NH | !NH |
+--------------------------+--------------------+----------+-----+------+------+
|2001:db8::1ffe:0:0:0/112 | |eth2 | - | V | V |
|2001:db8::fd9a:0:1:0/112 | |eth3 | - | V | V |
+--------------------------+--------------------+----------+-----+------+------+

Routing Table Legend:

V - Route exists on the gateway and matches management information (if defined on the management).
- - Route does not exist on the gateway.
N/A - Fetching Virtual Device configuration from the gateway failed.
!NH - Route exists on the gateway, but there is a Next Hop mismatch.

Note: Routes can be created automatically on the gateways by the Operating System.
Therefore, routes that appear on all gateways, but are not defined on the management,
do not necessarily indicate a problem.

Logging details are available at /opt/CPsuite-R80.30/fw1/log/vsx_util_20181025_18_11.log

[Expert@MGMT:0]#
vsx_util vsls





 Operation not allowed. Object is not a Virtual
System Load Sharing cluster. vsx_util convert_cluster

Expert@MGMT:0]# vsx_util show_interfaces

Enter Security Management Server/main Domain Management Server IP address (Hit 'ENTER' for 'localhost'):
172.16.16.240
Enter Administrator Name: admin
Enter Administrator Password:

Select VSX gateway/cluster object name:

1) VSX_Cluster_1
2) VSX_Cluster_2
3) VSX_GW_1
4) VSX_GW_2
Select: 1

VS Load Sharing - Menu

________________________________
1. Display current VS Load sharing configuration
2. Distribute all Virtual Systems so that each cluster member is equally loaded
3. Set all VSes active on one member
4. Manually set priority and weight
5. Import configuration from a file
6. Export configuration to a file
7. Exit

Enter redistribution option (1-7) [1]:

vsx_provisioning_tool

vsx_provisioning_tool -h
vsx_provisioning_tool [-s <Server>] {-u <User> | -c <Certificate>} -p <Password>
-o <Commands> [-a] -L
-f <Input File> [-l <Line>] [-a] -L

-h

-s < >



-u < >
-c < >

-p < >


-o < >
-f < >

-l < > < >

-l -f
-a
-L

-a

/var/log/vsx.txt
vsx_provisioning_tool –s localhost -u admin -p mypassword -f /var/log/vsx.txt

VS1 VSX1
eth4

vsx_provisioning_tool –s localhost –u admin –p mypassword –o add vd name VS1 vsx

VSX1, add interface name eth4.100 ip 1.1.1.1/24
-o

, -o

-f

,

vsx_provisioning_tool

transaction begin
transaction end
transaction cancel
add vsx type gateway name <Object Name> version <Version> main_ip <Main IPv4
Address> main_ip6 <Main IPv6 Address> sic_otp <Activation Key> [rule_snmp
{enable|disable}] [rule_ssh {enable|disable}] [rule_ping {enable|disable}
[rule_ping6 {enable|disable}] [rule_https {enable|disable}] [rule_drop
{enable|disable}]

set physical interface

type gateway gateway

name <
>

version < >

main_ip <
>
main_ip6 <
>
sic_otp
<

rule_snmp  enable
{enable |
disable}  disable
 enable
 disable

rule_ssh  enable
{enable |
disable}  disable
 enable
 disable
rule_ping  enable
{enable |
disable}  disable
 enable
 disable

rule_ping6  enable
{enable |
disable}  disable
 enable
 disable

rule_https  enable
{enable |
disable}  disable
 enable
 disable

rule_drop  enable
{enable |
disable}  disable

 enable
 disable

vsx_provisioning_tool -s localhost -u admin -p mypassword -o add vsx name VSX_GW1

type gateway main_ip 192.168.20.1 version R80.10 sic_otp ABCDEFG rule_ssh enable
rule_ping enable
add vsx type cluster name <Object Name> version <Version> main_ip <Main Virtual
IPv4 Address> main_ip6 <Main Virtual IPv6 Address> cluster_type {vsls|ha|crbm}
sync_if_name <Sync Interface Name> sync_netmask <Sync Interface Netmask>
[rule_snmp {enable|disable}] [rule_snmp {enable|disable}] [rule_ssh
{enable|disable}] [rule_ping {enable|disable} [rule_ping6 {enable|disable}]
[rule_http {enable|disable}] [rule_drop {enable|disable}]

add vsx_member
add vsx

type cluster cluster

name < >

version < >

main_ip <
>
main_ip6 <
>
cluster_type {vsls | ha |
crbm}

 vsls

 ha
 crbm

sync_if_name
>
sync_netmask <
>
rule_snmp {enable |  enable
disable}
 disable
 enable

 disable

rule_ssh {enable |  enable

disable}
 disable
 enable
 disable

rule_ping {enable |  enable

disable}
 disable

 enable

 disable

rule_ping6 {enable |  enable

disable}
 disable

 enable

 disable

rule_https {enable |  enable

disable}
 disable
 enable

 disable

rule_drop {enable |  enable

disable}
 disable

 enable

 disable

vsx_provisioning_tool -s localhost -u admin -p mypassword -o add vsx name VSX1 type

cluster cluster_type vsls main_ip 192.168.1.1 version R80.10 sync_if_name eth3
sync_netmask 255.255.255.0 rule_ssh enable rule_ping enable





add vd name <Device Object Name> vsx <VSX GW or Cluster Object Name> [type
{vs|vsbm|vsw|vr}] [vs_mtu <MTU>] [instances <Number of IPv4 CoreXL Firewall
instances>] [instances6 <Number of IPv6 CoreXL Firewall instances>] [main_ip <Main
IPv4 Address>] [main_ip6 <Main IPv6 Address>] [calc_topo_auto {true|false}]

name <
>

vsx <

type {vs | vsbm |

vsw | vr}
 vs
 vsbm
 vsw
 vr
vs_mtu

 type vsbm
 type vsw
instances
<

>
 type vs
 type vsbm

instances6
<

>
 type vs
 type vsbm

main_ip <
>

 type vs
 type vr

main_ip6 <
>

 type vs
 type vr
calc_topo_auto  true
{true | false}
 false  true

 false

 type vs
 type vr

vsx_provisioning_tool -s localhost -u admin -p mypassword -o add vd name VirtSwitch1

vsx VSX_GW1 type vsw









remove vd name <Device Object Name>

name <
>

vsx_provisioning_tool -s localhost -u admin -p mypassword -o remove vd name

VirtSwitch1





set vd name <Device Object Name> [vs_mtu <MTU>] [instances <Number of IPv4 CoreXL
Firewall instances>] [instances6 <Number of IPv6 CoreXL Firewall instances>]
[main_ip <Main IPv4 Address>] [main_ip6 <Main IPv6 Address>] [calc_topo_auto
{true|false}]

name <
>

vs_mtu < >




instances
<

>


instances6
<

>



main_ip <
>




empty set vd name VS1

main_ip empty
main_ip6 <
>




empty set
vd name VS1 main_ip6 empty
calc_topo_auto  true
 false  true

 false




vsx_provisioning_tool –s localhost –u admin –p mypassword –o set vd name VS1

instances 8 main_ip 192.0.2.6 calc_topo_auto false





add interface vd <Device Object Name> {name <Interface> | leads_to <VSW or VR Object
Name>} ip <IPv4 Address>{/<IPv4 Prefix Length> | netmask <IPv4 Netmask> | prefix
<IPv4 Prefix>} ip6 <IPv6 Address>{/<IPv6 Prefix Length> | netmask6 <IPv6 Netmask>
| prefix6 <IPv6 Prefix>} [propagate {true|false}] [propagate6 {true|false}]
[topology {external | internal_undefined | internal_this_network |
internal_specific [specific_group <Network Group Object Name>}] [mtu <MTU>]

vd <
>

name < >

name
leads_to
leads_to <
>

name
leads_to
ip <
>{/< >  <IPv4 Address>
| netmask <
> | prefix
< >}  <IPv4 Prefix>

 <IPv4 Netmask>






ip6 <
>{/< >  <IPv6 Address
| netmask6 <
> | prefix6
< >}  <IPv6 Prefix>

 <IPv6 Netmask>





propagate {true |  true
false}
 false
 true

 false

propagate6 {true |  true

false}
 false
 true

 false

topology {external |  external

internal_undefined
 internal_undefined
|
internal_this_netwo  internal_this_netwo  external
rk | rk
internal_specific }  internal_specific  internal_undefined

 internal_this_network

 internal_specific




specific_group topology
< internal_specific
>

mtu < >




vsx_provisioning_tool–s localhost –u admin –p mypassword –o add interface vd

VirtSystem1 name eth4.100 ip 1.1.1.1/24





remove interface vd <Device Object Name> {name <Interface> | leads_to <VSW or VR

Object Name>}

vd <
>

name < >

name leads_to

leads_to <
>

name leads_to

vsx_provisioning_tool –s localhost –u admin –p mypassword –o remove interface vd

VS1 name eth4.100





set interface vd <Device Object Name> {name <Interface> [new_name <Interface>] |

leads_to <VSW or VR Object Name> [new_leads_to <VSW or VR Object Name>]} [propagate
{true|false}] [propagate6 {true|false}] [topology {external | internal_undefined
| internal_this_network | internal_specific [specific_group <Network Group Object
Name>>]}] [mtu <MTU>]

vd <
>

name < >

name
leads_to
new_name < >

leads_to <
>

name
leads_to


propagate {true |  true

false}
 false
 true

 false

propagate6 {true |  true

false}
 false
 true

 false
topology {external |  external
internal_undefined
 internal_undefined
|
internal_this_netwo  internal_this_netwo  external
rk | rk
internal_specific }  internal_specific  internal_undefined

 internal_this_network

 internal_specific




specific_group topology
< internal_specific
>

mtu < >




vsx_provisioning_tool –s localhost –u admin –p mypassword –o set interface vd VS1

name eth4.100 new_name eth5 propagate true topology internal_specific
specific_group NYGWs
add route vd <Device Object Name> destination {<IP Address>[/<IP Prefix>] | default
| default6} [{netmask <IP Netmask> | prefix <IP Prefix>}] {next_hop <Next Hop IP
Address> | leads_to <VS or VR Object Name>} [propagate {true|false}]

vd <
>

destination {<
>[/< >]  <IP Address>
| default |
default6}
 <IP Prefix>

 default

 default6

netmask < >



prefix < >




next_hop <
>

 next_hop
leads_to

leads_to <
>

next_hop
leads_to
propagate  true
{true|false}
 false
 true

 false

next_hop

vsx_provisioning_tool –s localhost –u admin –p mypassword –o add route vd VS1

destination default leads_to VR3
remove route vd <Device Object Name> destination {<IP Address>[/<IP Prefix>] |
default | default6} [{netmask <IP Netmask> | prefix <IP Prefix>]

vd <
>

destination {<
>[/< >]  <IP Address>
| default |
default6}
 <IP Prefix>

 default

 default6

netmask < >



prefix < >



vsx_provisioning_tool –s localhost –u admin –p mypassword –o remove route vd VS1

destination default6
show vd name <Device Object Name>

vd name <
>




 wrpj
1 transaction begin
2 add vd name VR1 vsx VSX1 type vr
3 add interface name eth3.100 ip 10.0.0.1/24
4 transaction end

5 transaction begin
6 add vd name VR2 vsx VSX2 type vr
7 add interface name eth3.200 ip 20.0.0.1/24
8 transaction end

9 transaction begin
10 add vd name VS1 vsx VSX1
11 add interface leads_to VR1 ip 192.168.1.1/32
12 add interface name eth4.20 ip 192.168.20.1/24 propagate true
13 add route destination default leads_to VR1
14 add route destination 192.168.40.0/25 next_hop 192.168.20.254
15 transaction end

1 transaction begin
2 add vd name VSW1 vsx VSX1 type vsw vs_mtu 1400
3 add interface name eth3.100
4 transaction end

5 transaction begin
6 add vd name VS1 vsx VSX1 calc_topo_auto false
7 add interface leads_to VSW1 ip 10.0.0.1/24 ip6 2001::1/64 topology external
8 add interface name eth4.20 ip 192.168.20.1/25 ip6 2020::1/64 topology
9 internal_this_network
10 add route destination default next_hop 10.0.0.254
11 add route destination default6 next_hop 2001::254
transaction end

1 transaction begin
2 set vd name VS1 instances 4 instances6 2 calc_topo_auto true
3 set interface name eth4.20 new_name eth4.21 mtu 1400
4 transaction end
fgd50
$FWDIR/conf/masters

etmstart

[Expert@MyGW:0]# etmstart
FloodGate-1: Starting fgd50

FloodGate-1: Fetching QoS Policy from masters

Fetching QoS Software Blade Policy:
Received Policy. Downloading...

eth0(inbound), eth0(outbound).
Download OK.
Done.
FloodGate-1 started
[Expert@MyGW:0]#
fgd50

etmstop

[Expert@CXL1_192.168.3.52:0]# etmstop
Unloading QoS Policy:
Target(s): CXL1_192.168.3.52
CXL1_192.168.3.52: QoS policy unloaded successfully.
Done.
FloodGate-1 stopped
[Expert@CXL1_192.168.3.52:0]#


fgate [-d]
ctl
-h
<QoS Module> {on | off}
debug
on
off
fetch
-f
<Management Server>
kill [-t <Signal Number>] <Name of QoS Process>
load
log
on
off
stat
stat [-h]
ver [-k]
unload

-d
ctl -h

ctl < > {on |

off}
 on
 off
etmreg
debug {on | off} fgd50

 on
 off
fgd50
$FGDIR/log/fgd.elg
fetch -f

$FWDIR/conf/masters
fetch <Management
Server>

kill [-t <

>] <
>

fgd50
 fgd50

$FWDIR/tmp/< >.pid
$FWDIR/tmp/fgd50.pid
 $FWDIR/tmp/< >.pid


SIGTERM

kill -l
kill
signal

 fgd50
etmstop etmstart
load
etmstop etmstart
log {on | off | stat}

 on
 off
 stat

stat [-h]

-h stat

cpstat

ver [-k]
-k

unload

[Expert@MyGW]# fgate fetch -f

Fetching QoS Software Blade Policy:
Received Policy. Downloading...

eth0(inbound), eth0(outbound).
Download OK.
Done.
[Expert@MyGW]#

[Expert@MyGW]# fgate fetch 192.168.3.240

Fetching QoS Software Blade Policy:
Received Policy. Downloading...

eth0(inbound), eth0(outbound).
Download OK.
Done.
[Expert@MyGW]#

[Expert@MyGW]# fgate stat

Product: QoS Software Blade

Version: R80.20
Kernel Build: 135
Policy Name: MyPolicy
Install time: Mon Jun 11 15:49:57 2018
Interfaces Num: 1
Interface table
----------------------------------------------------------------
|Name|Dir|Limit (Bps)|Avg Rate (Bps)|Conns|Pend pkts|Pend bytes|
----------------------------------------------------------------
|eth0|in | 1250000000| 0| 0| 0| 0|
|eth0|out| 1250000000| 0| 0| 0| 0|
----------------------------------------------------------------

[Expert@MyGW]#

[Expert@MyGW:0]# fgate ver

This is Check Point QoS Software Blade R80.20 - Build 339
[Expert@MyGW:0]#
[Expert@MyGW:0]# fgate ver -k
This is Check Point QoS Software Blade R80.20 - Build 339
kernel: R80.20 - Build 135
[Expert@MyGW:0]#


fgate [-d]
load <Name of QoS Policy>.F <GW1> <GW2> ... <GWN>
stat
-h
<GW1> <GW2> ... <GWN>}
unload <GW1> <GW2> ... <GWN>
ver

-d

load <
>.F < > < >
... < > < >
< > ... < >

stat -h stat
stat < > < > ...
< >

cpstat
unload < >< > ...
< > < > < > ... < >

ver

[Expert@MGMT:0]# fgate load MyPolicy.F 192.168.3.52

QoS rules verified OK!
Downloading QoS Policy: MyPolicy.F...
Target(s): MyGW
MyGW: QoS policy transferred to module: MyGW.
MyGW: QoS policy installed succesfully.
Done.
[Expert@MGMT:0]#

[Expert@MGMT:0]# fgate load MyPolicy.F MyClusterMember1 MyClusterMember2

QoS rules verified OK!
Downloading QoS Policy: MyPolicy.F...
MyClusterMember1: QoS policy transferred to module: MyClusterMember1.
MyClusterMember1: QoS policy installed succesfully.
MyClusterMember2: QoS policy transferred to module: MyClusterMember2.
MyClusterMember2: QoS policy installed succesfully.
Done.
[Expert@MGMT:0]#

[Expert@MGMT:0]# fgate stat MyGW

Module name: MyGW

=======================

Product: QoS Software Blade

Version: R80.20
Kernel Build: 156
Policy Name: MyPolicy
Install time: Fri Jun 8 19:53:48 2018
Interfaces Num: 1

Interface table
----------------------------------------------------------------
|Name|Dir|Limit (Bps)|Avg Rate (Bps)|Conns|Pend pkts|Pend bytes|
----------------------------------------------------------------
|eth0|in | 1250000000| 0| 0| 0| 0|
|eth0|out| 1250000000| 0| 0| 0| 0|
----------------------------------------------------------------
[Expert@MGMT:0]#

[Expert@MGMT:0]# fgate ver

This is Check Point QoS Software Blade R80.20 - Build 251
[Expert@MGMT:0]#
ips
bypass <options>
debug <options>
off
on
pmstats <options>
refreshcap
stat
stats <options>

bypass <options>
(on page 1099)
debug < >

off
on
pmstats
< >

refreshcap

stat

stats < >

ips bypass
off
on
set <options>
stat

off
on

set < >

stat
ips bypass off
ips bypass on
ips bypass set
cpu {low | high} <Threshold>
mem {low | high} <Threshold>

cpu

mem

low

high

ips bypass set cpu low 80





ips bypass stat

ips debug [-e <Filter>] -o <Output File>

-e <Filter>

-o <Output File>

ips debug -o /var/log/IPS_debug.txt

ips off

[Expert@MyGW:0]# ips off

IPS is disabled
Please note that for the configuration to apply for connections from existing
templates, you have to run this command with -n flag which deletes existing
templates.
Without '-n', it will fully take effect in a few minutes.
[Expert@MyGW:0]#

[Expert@MyGW:0]# ips off -n

IPS is disabled
Deleting templates

Clearing table cphwd_tmpl

[Expert@MyGW:0]#
ips off

ips on [-n]

[Expert@MyGW:0]# ips on
IPS is enabled
Please note that for the configuration to apply for connections from existing
templates, you have to run this command with -n flag which deletes existing
templates.
Without '-n', it will fully take effect in a few minutes.
[Expert@MyGW:0]#

[Expert@MyGW:0]# ips on -n
IPS is enabled
Deleting templates

Clearing table cphwd_tmpl

[Expert@MyGW:0]#
ips pmstats
-o <Output File>
reset

-o <Output File>

reset

[Expert@MyGW:0]# ips pmstats -o /var/log/IPS_pmstats.txt

Set operation succeeded
Generating PM statistics report into /var/log/IPS_pmstats.txt...
Set operation succeeded
Set operation succeeded
Set operation succeeded
Done
Set operation succeeded
Set operation succeeded
[Expert@MyGW:0]#
[Expert@MyGW:0]# wc -l /var/log/IPS_pmstats.txt
707 /var/log/IPS_pmstats.txt
[Expert@MyGW:0]#
[Expert@MyGW:0]# ips pmstats reset
Set operation succeeded
Set operation succeeded
Resetted PM statistics
Set operation succeeded
Set operation succeeded
[Expert@MyGW:0]#
ips refreshcap

[Expert@MyGW:0]# ips refreshcap

Refreshed IPS sample capture
- A single new packet capture will be issued upon the next detection of each attack.
You can see the packet capture attached to the log or in the Packet Capture
Repository.
[Expert@MyGW:0]#





ips stat

[Expert@MyGW:0]# ips stat

Active Profiles:
My_IPS_Profile
IPS Status: Enabled
IPS Update Version: 635158746
Global Detect: Off
Bypass Under Load: Off
[Expert@MyGW:0]#

Active Profiles:
$FWDIR/ips/statistics_results/

ips.dbg
ips_stat_output_file.cs
v
pm_output_file.csv
tier1_output_file.csv
tier2_output_file.csv

ips stats -h
ips stats
ips stats <Seconds>
ips stats -g <Seconds>
ips stats <IP Address of Gateway>
ips stats <IP Address of Gateway> <Seconds>
ips stats <IP Address of Gateway> -m

ips stats -h
ips stats

ips stats < >

ips stats -g < >

/ips_tar.tgz

ips stats < >

< >

ips stats < > -m

/ips_tar.tgz

ips_stats 192.168.20.14 40

ips_stats –g 30

ips_stats 192.168.20.14 –m
rtm
debug <options>
drv <options>
monitor <options>
rtmd
stat <options>
ver <options>

debug < >

drv < >

monitor < >

rtmd
stat < >

ver < >

$FWDIR/log/rtmd.elg

rtm debug {on | off} [OPSEC_DEBUG_LEVEL | TDERROR_<AppName>_<Topic>=<ErrLevel>]

on
off
OPSEC_DEBUG_LEVEL
TDERROR_RTM_ALL

rtm debug on TDERROR_RTM_ALL=5

rtmstart rtmstop

rtm drv
off
on
stat

off

stat
rtm monitor vl <Virtual_Link_Name> [-t {wire | application}] [-h <Module>]
rtm monitor <Key_1> [<Key_2> [<Key_3>] [<Key_4>]] <Value_Column_1>
[<Value_Column_2> [<Value_Column_3>] [<Value_Column_4>] [<Value_Column_5>]
[<Value_Column_6>]] [<Filter>] [<Options>]

< >
-t {wire |
application}
 wire

 application

-h < >

< > [...

[< >]] -k < > [< >] [< > ... < >]
 < >
 connId
 dst

 fgrule
 fwrule
 interface
interface
,{in|out|both} both
 ip

 orientation
 pktRange
 src
 svc http
 tunnel .
 tunnelType
0
1
2
 url [< >]
< >
url_mod=full
url_mod=host
url_mod=host_path
url_mod=path
url_mod=scheme
url_mod=scheme_host
 wdAttack
< > [...
[< >]] -v < > [< >] [< >] [<
>] [< >]

 < >
 ab
 conn
 pkt
 session
 wb
 < >
 < >=ab
acc=lineUtil
acc=rate
acc=sum
 < >=conn
acc=concurrent
acc=new
 < >=pkt
acc=rate
acc=sum
 < >=session
acc=new
 < >=wb
acc=lineUtil
acc=rate
acc=sum

 < >
 sort=top
 sort=bottom
 sort=none

 < >
 dir=in
 dir=out
 dir=both

 < >
 enc=yes
 enc=no
 enc=both
< >

-f < > [not] [< > ... < >]

-f {and | or} [...]
< >
 connId
 dst

 fgrule
 fwrule
 interface
interface
,{in|out|both} both
 ip

 orientation
 src
 svc http .
 tunnel
 tunnelType
0
1
2
 url [< >]
< >
url_mod=full
url_mod=host
url_mod=host_path
url_mod=path
url_mod=scheme
url_mod=scheme_host
 wdAttack
< >
 -e < >

 -h < >
localhost
 -i < >

 -m {raw | resolve | both}

both
 -s {top | bottom | none} [index=<1...6>]
[updates=<1...200>]
none index=1
updates=50
 rule@@subrule
rule@@fgrule

svc

rtm monitor -f interface external,in -k svc -v w

rtm monitor -k fwrule -v conn acc=concurrent

rtm monitor -f svc http -k svc -k connId -v wb

rtm monitor -k ip -v pkt dir=in acc=sum -v pkt dir=out acc=sum -v pkt acc=sum
sort=bottom -i 10

rtm monitor -f tunnelType not 0 -k tunnel -k tunnelType -v conn -m resolve

rtm monitor -k pktRange 0-99 100-499 500-999 1000-1999 ">2000" -v pkt acc=sum -i
1

rtm monitor -k url url_mod=host -v session

rtmstart

rtm [-d] rtmd

-d







rtm stat -h
rtm stat [vl | view] [perf [{on | off | reset}] [-i <Interval>] [-r <View_ID>]
[-v[v][v]]

-h
vl
view
perf [{off | on |
reset}]
 off
 on
 reset

 New Connections
 Packets
 Inf Reclassify
 View Reclassify
 End Connections
 Packets / connections ratio
-i < >

-r < >
-v[v][v]

 -v
 -vv
 -vvv

[Expert@MyGW:0]# rtm stat

-------------------------------------------------------
SmartView Monitor Status: Wed Jun 18 04:40:59 2008
-------------------------------------------------------
Product is Enabled
Daemon is ON
Driver is ON
Open Virtual-Links: 0
Open Views: 1
[Expert@MyGW:0]#

[Expert@MyGW:0]# rtm stat view -vvv

-------------------------------------------------------
SmartView Monitor Status: Wed Jun 18 04:42:48 2008
-------------------------------------------------------
Product is Enabled
Daemon is ON
Driver is ON
Open Virtual-Links: 0
Open Views: 1
-------------------------------------------------------------------------------------------
VIEW 1: svc | wb(rate) interval: 2 Seconds
60016,60016 | 5148
11008a,11008a | 229
Aggregate | 5377

Number of Entries(2)
Keys(-k svc acc=replace )
Values(-v wb acc=rate )
Sort(-s top )
Filter(-)
Daemon id:5 kernel id:0 timeUntilUpdate: 1 [Sec]
-------------------------------------------------------------------------------------------
[Expert@MyGW:0]#
rtm ver [-k]

-k
rtmstart
rtmstop
/etc/profile.d/CP.sh
#!/bin/bash

source /etc/profile.d/CP.sh

<Check Point commands>

[mandatory last new line]


 $FWDIR/modules/fw_kern_64.o
 $FWDIR/modules/fw_kern_64_v6.o
 $PPKDIR/modules/sim_kern_64.o
 $PPKDIR/modules/sim_kern_64_v6.o

 fw ctl
set


$FWDIR/modules/fwkern.conf
$FWDIR/modules/vpnkern.conf

fw_allow_simultaneous_ping
fw_kdprintf_limit
fw_log_bufsize
send_buf_limit
simple_debug_filter_addr_1
simple_debug_filter_daddr_1
simple_debug_filter_vpn_1
ws_debug_ip_str
fw_lsp_pair1

[Expert@MyGW:0]# modinfo -p $FWDIR/modules/fw_kern*.o | sort -u | grep

_type | awk 'BEGIN {FS=":"} ; {print $1}' | xargs -n 1 fw ctl get int
1>> /var/log/fw_integer_kernel_parameters.txt 2>>
/var/log/fw_integer_kernel_parameters.txt

/var/log/fw_integer_kernel_parameters.txt
[Expert@MyGW:0]# modinfo -p $FWDIR/modules/fw_kern*.o | sort -u | grep
'string param' | awk 'BEGIN {FS=":"} ; {print $1}' | xargs -n 1 fw ctl
get str 1>> /var/log/fw_string_kernel_parameters.txt 2>>
/var/log/fw_string_kernel_parameters.txt

/var/log/fw_string_kernel_parameters.txt

fw ctl get int < > [-a]

[Expert@MyGW:0]# fw ctl get int send_buf_limit

send_buf_limit = 80
[Expert@MyGW:0]#

fw ctl get str < > [-a]

[Expert@MyGW:0]# fw ctl get str fileapp_default_encoding_charset

fileapp_default_encoding_charset = 'UTF-8'
[Expert@MyGW:0]#
fw ctl set int < >

[Expert@MyGW:0]# fw ctl set int send_buf_limit 100

Set operation succeeded
[Expert@MyGW:0]#

fw ctl get int < >

[Expert@MyGW:0]# fw ctl get int send_buf_limit

send_buf_limit = 100
[Expert@MyGW:0]#

[Expert@MyGW:0]# fw ctl set str < >

[Expert@MyGW:0]# fw ctl set str debug_filter_saddr_ip '1.1.1.1'

Set operation succeeded
[Expert@MyGW:0]#

fw ctl get str < >

[Expert@MyGW:0]# fw ctl get str debug_filter_saddr_ip

debug_filter_saddr_ip = '1.1.1.1'
[Expert@MyGW:0]#
[Expert@MyGW:0]# fw ctl set str < >

[Expert@MyGW:0]# fw ctl set str < >

[Expert@MyGW:0]# fw ctl set str debug_filter_saddr_ip ''

Set operation succeeded
[Expert@MyGW:0]#

fw ctl get str < >

[Expert@MyGW:0]# fw ctl get str debug_filter_saddr_ip

debug_filter_saddr_ip = ''
[Expert@MyGW:0]#

 $FWDIR/modules/fwkern.conf
 $FWDIR/modules/vpnkern.conf

[Expert@MyGW:0]# ls -l $FWDIR/modules/fwkern.conf

[Expert@MyGW:0]# ls -l $FWDIR/modules/vpnkern.conf

[Expert@MyGW:0]# touch $FWDIR/modules/fwkern.conf

[Expert@MyGW:0]# touch $FWDIR/modules/vpnkern.conf

[Expert@MyGW:0]# cp -v $FWDIR/modules/fwkern.conf{,_BKP}

[Expert@MyGW:0]# cp -v $FWDIR/modules/vpnkern.conf{,_BKP}
[Expert@MyGW:0]# vi $FWDIR/modules/fwkern.conf

[Expert@MyGW:0]# vi $FWDIR/modules/vpnkern.conf


<Name_of_Integer_Kernel_Parameter>=<Integer_Value>

<Name_of_String_Kernel_Parameter>='<String_Text>'

<Name_of_String_Kernel_Parameter>="<String_Text>"


fw ctl get int < > [-a]

fw ctl get str < > [-a]

 fw ctl set

$PPKDIR/conf/simkern.conf


fw ctl get

num_of_sxl_devices
sim_ipsec_dont_fragment
tcp_always_keepalive
sim_log_all_frags
simple_debug_filter_dport_1
simple_debug_filter_proto_1
simple_debug_filter_addr_1
simple_debug_filter_daddr_2
simlinux_excluded_ifs_list

[Expert@MyGW:0]# modinfo -p $PPKDIR/boot/modules/sim_kern*.o | sort

-u | grep _type | awk 'BEGIN {FS=":"} ; {print $1}' | xargs -n 1 fw
ctl get int 1>> /var/log/sxl_integer_kernel_parameters.txt 2>>
/var/log/sxl_integer_kernel_parameters.txt
/var/log/sxl_integer_kernel_parameters.txt

[Expert@MyGW:0]# modinfo -p $PPKDIR/boot/modules/sim_kern*.o | sort

-u | grep 'string param' | awk 'BEGIN {FS=":"} ; {print $1}' | xargs
-n 1 fw ctl get str 1>> /var/log/sxl_string_kernel_parameters.txt 2>>
/var/log/sxl_string_kernel_parameters.txt

/var/log/sxl_string_kernel_parameters.txt

[Expert@MyGW:0]# ls -l $PPKDIR/conf/simkern.conf

[Expert@MyGW:0]# touch $PPKDIR/conf/simkern.conf

[Expert@MyGW:0]# cp -v $PPKDIR/conf/simkern.conf{,_BKP}

[Expert@MyGW:0]# vi $PPKDIR/conf/simkern.conf


<Name_of_SecureXL_Integer_Kernel_Parameter>=<Integer_Value>

<Name_of_SecureXL_String_Kernel_Parameter>="<String_Text>"

<Name_of_SecureXL_String_Kernel_Parameter>="<String_Text>"

fw ctl get int < > [-a]

fw ctl get str < > [-a]

156-315.80 Exam - Questions Answer Discussion From Exam Topics
No ratings yet
156-315.80 Exam - Questions Answer Discussion From Exam Topics
200 pages
CP R80.20 GA CLI ReferenceGuide
No ratings yet
CP R80.20 GA CLI ReferenceGuide
1,146 pages
Survey Programming Fundamentals
No ratings yet
Survey Programming Fundamentals
246 pages
MCSK DeepRiser Datasheet
No ratings yet
MCSK DeepRiser Datasheet
2 pages
CSEC Information Technology January 2018 P032
No ratings yet
CSEC Information Technology January 2018 P032
15 pages
CP R80.20.M1 CLI ReferenceGuide
No ratings yet
CP R80.20.M1 CLI ReferenceGuide
227 pages
CP R80.40 CLI ReferenceGuide
No ratings yet
CP R80.40 CLI ReferenceGuide
1,902 pages
CP R80.20 GA ReleaseNotes
No ratings yet
CP R80.20 GA ReleaseNotes
30 pages
CP R80.20 PerformanceTuning AdminGuide
No ratings yet
CP R80.20 PerformanceTuning AdminGuide
330 pages
CP R80.30 GA EndpointSecurity AdminGuide
No ratings yet
CP R80.30 GA EndpointSecurity AdminGuide
251 pages
156-315 80
No ratings yet
156-315 80
63 pages
CheckPoint R80.10 ReleaseNotes
No ratings yet
CheckPoint R80.10 ReleaseNotes
27 pages
CP R80.10 ReleaseNotes
No ratings yet
CP R80.10 ReleaseNotes
21 pages
R80.20 TechTalk
No ratings yet
R80.20 TechTalk
34 pages
CP R80.10 PerformanceTuning AdminGuide
No ratings yet
CP R80.10 PerformanceTuning AdminGuide
44 pages
CP R81 CLI ReferenceGuide
No ratings yet
CP R81 CLI ReferenceGuide
1,673 pages
CP R81.10 CLI ReferenceGuide
No ratings yet
CP R81.10 CLI ReferenceGuide
1,710 pages
ATRG ClusterXL R6x R7x R8x (09-June-2020)
No ratings yet
ATRG ClusterXL R6x R7x R8x (09-June-2020)
168 pages
CP R77 CLI ReferenceGuide
100% (1)
CP R77 CLI ReferenceGuide
131 pages
CP R70 CLI ReferenceGuide
No ratings yet
CP R70 CLI ReferenceGuide
186 pages
Checkpoint Firewalls Gaia - R80.30
No ratings yet
Checkpoint Firewalls Gaia - R80.30
4 pages
CP R77 CLI ReferenceGuide
No ratings yet
CP R77 CLI ReferenceGuide
165 pages
CP R77 CLI ReferenceGuide
No ratings yet
CP R77 CLI ReferenceGuide
131 pages
Check Point R7x R8x R81.x Upgrade Maps
No ratings yet
Check Point R7x R8x R81.x Upgrade Maps
1 page
Command Line Interface: Reference Guide
No ratings yet
Command Line Interface: Reference Guide
110 pages
CP R80.40 CLI ReferenceGuide
No ratings yet
CP R80.40 CLI ReferenceGuide
1,782 pages
CP R81.10 CLI ReferenceGuide
No ratings yet
CP R81.10 CLI ReferenceGuide
1,697 pages
CP R82 CLI ReferenceGuide
No ratings yet
CP R82 CLI ReferenceGuide
2,119 pages
CP R80.30 Installation and Upgrade Guide - Cleaned PDF
No ratings yet
CP R80.30 Installation and Upgrade Guide - Cleaned PDF
688 pages
60000/40000 Security Platforms: Release Notes
No ratings yet
60000/40000 Security Platforms: Release Notes
11 pages
Real-Exams 156-915 80 v2019-07-21 by Mark 144q
No ratings yet
Real-Exams 156-915 80 v2019-07-21 by Mark 144q
64 pages
CP R80.20 ClusterXL AdminGuide PDF
No ratings yet
CP R80.20 ClusterXL AdminGuide PDF
225 pages
156 915.80 Premium
100% (1)
156 915.80 Premium
108 pages
Checkpoint Firewall R81 Installation Guide
100% (1)
Checkpoint Firewall R81 Installation Guide
701 pages
156-315.81.20 Check Point CCSE Exam Practice Questions
No ratings yet
156-315.81.20 Check Point CCSE Exam Practice Questions
35 pages
R80 CCSMStudyGuide
No ratings yet
R80 CCSMStudyGuide
8 pages
CP R80.30 LoggingAndMonitoring AdminGuide
No ratings yet
CP R80.30 LoggingAndMonitoring AdminGuide
159 pages
CP_R75.20_PerformancePack_AdminGuide
No ratings yet
CP_R75.20_PerformancePack_AdminGuide
19 pages
CP R77 Versions CLI ReferenceGuide
No ratings yet
CP R77 Versions CLI ReferenceGuide
265 pages
QUANTUM R81.10: Release Notes
No ratings yet
QUANTUM R81.10: Release Notes
36 pages
Orchestration and Automation - Ryan Darst - Marco Garcia
No ratings yet
Orchestration and Automation - Ryan Darst - Marco Garcia
41 pages
Next Generation Security Gateway Guide R80.30
No ratings yet
Next Generation Security Gateway Guide R80.30
629 pages
01_Intro_SmartCenter Server_2020
No ratings yet
01_Intro_SmartCenter Server_2020
41 pages
CP R80.30 GA Installation and Upgrade Guide PDF
No ratings yet
CP R80.30 GA Installation and Upgrade Guide PDF
636 pages
Check-Point: Exam Questions 156-215.80
No ratings yet
Check-Point: Exam Questions 156-215.80
21 pages
CP R75 ReleaseNotes
No ratings yet
CP R75 ReleaseNotes
26 pages
CP E80.70 RemoteAccessClients ForWin AdminGuide
No ratings yet
CP E80.70 RemoteAccessClients ForWin AdminGuide
142 pages
CP R80.40 QoS AdminGuide
No ratings yet
CP R80.40 QoS AdminGuide
111 pages
CP E80.40 EndpointSecurity AdminGuide
No ratings yet
CP E80.40 EndpointSecurity AdminGuide
157 pages
Check Point Certified Security Expert - R80 (CCSE) : Checkpoint 156-315.80 Dumps Available Here at
No ratings yet
Check Point Certified Security Expert - R80 (CCSE) : Checkpoint 156-315.80 Dumps Available Here at
5 pages
Hide Solution Discussion: Correct Answer: C
No ratings yet
Hide Solution Discussion: Correct Answer: C
88 pages
CP R80.10 Installation and Upgrade Guide
No ratings yet
CP R80.10 Installation and Upgrade Guide
246 pages
Checkpoint r80 Vs Palo Alto Networks
No ratings yet
Checkpoint r80 Vs Palo Alto Networks
4 pages
Checkpoint r80 Vs Palo Alto Networks PDF
No ratings yet
Checkpoint r80 Vs Palo Alto Networks PDF
4 pages
CP R77.20 ReleaseNotes
No ratings yet
CP R77.20 ReleaseNotes
12 pages
CP R80.30 GA EndpointSecurity AdminGuide
No ratings yet
CP R80.30 GA EndpointSecurity AdminGuide
257 pages
156-315 80 PDF
No ratings yet
156-315 80 PDF
92 pages
Command Line Interface: Reference Guide
No ratings yet
Command Line Interface: Reference Guide
124 pages
Exam 156-115.80 Exam Title Check Point Certified Security Master - R80 Exam 8.0 Product Type 159 Q&A With Explanations
No ratings yet
Exam 156-115.80 Exam Title Check Point Certified Security Master - R80 Exam 8.0 Product Type 159 Q&A With Explanations
49 pages
VPS Server Setup
From Everand
VPS Server Setup
L Mohan Arun
5/5 (1)
Review of Some Free Remote Desktop Protocol (RDP) Services
From Everand
Review of Some Free Remote Desktop Protocol (RDP) Services
Dr. Hidaia Mahmood Alassouli
No ratings yet
Network with Practical Labs Configuration: Step by Step configuration of Router and Switch configuration
From Everand
Network with Practical Labs Configuration: Step by Step configuration of Router and Switch configuration
Mulayam Singh
No ratings yet
CISCO PACKET TRACER LABS: Best practice of configuring or troubleshooting Network
From Everand
CISCO PACKET TRACER LABS: Best practice of configuring or troubleshooting Network
Mulayam Singh
No ratings yet
CP R80.30 GA Gaia AdminGuide
No ratings yet
CP R80.30 GA Gaia AdminGuide
315 pages
Brighttalk Viewing Certificate Under The Hood Technical Preview of Cloudguard Network Security As A Service
No ratings yet
Brighttalk Viewing Certificate Under The Hood Technical Preview of Cloudguard Network Security As A Service
1 page
Cap
No ratings yet
Cap
7 pages
10 49
No ratings yet
10 49
45 pages
Performance Analysis of N-Computing Device Under Various Load Conditions
No ratings yet
Performance Analysis of N-Computing Device Under Various Load Conditions
7 pages
INT42D
No ratings yet
INT42D
2 pages
Notes - Computer Science II
No ratings yet
Notes - Computer Science II
100 pages
Binary and CSV File Assigment
No ratings yet
Binary and CSV File Assigment
3 pages
Centos 7 / Rhel 7: Install and Setup Samba Server (File Sharing)
No ratings yet
Centos 7 / Rhel 7: Install and Setup Samba Server (File Sharing)
7 pages
PMM3511 Technical Specifications
No ratings yet
PMM3511 Technical Specifications
2 pages
Balakishan Belde: Languages and Technologies
No ratings yet
Balakishan Belde: Languages and Technologies
3 pages
Data 2
No ratings yet
Data 2
16 pages
Apostila Verbos em Ingles
No ratings yet
Apostila Verbos em Ingles
35 pages
Age of Empires II
No ratings yet
Age of Empires II
2 pages
Configuring HYPACK SURVEY For A Towed SideScan With Trailing Magnetometer
100% (1)
Configuring HYPACK SURVEY For A Towed SideScan With Trailing Magnetometer
6 pages
Example Vulnerability Scan
No ratings yet
Example Vulnerability Scan
74 pages
ICT-LAb (4) .Docx Zoya Zaib COSC321101094
No ratings yet
ICT-LAb (4) .Docx Zoya Zaib COSC321101094
8 pages
ePMP Release Notes 4.5.6
No ratings yet
ePMP Release Notes 4.5.6
6 pages
Microsoft SQL Server 2005 Interview Questions and
No ratings yet
Microsoft SQL Server 2005 Interview Questions and
8 pages
Shubham Resume 2023
No ratings yet
Shubham Resume 2023
1 page
Events
No ratings yet
Events
6 pages
Operation Black Tulip v1.0
100% (1)
Operation Black Tulip v1.0
13 pages
Reading Test Online PDF Exercise For B2 - FCE
No ratings yet
Reading Test Online PDF Exercise For B2 - FCE
7 pages
SAP SD Interview Tips
No ratings yet
SAP SD Interview Tips
5 pages
Red Hat Certified System Administrator I With RHCSA
No ratings yet
Red Hat Certified System Administrator I With RHCSA
3 pages
AA POSS UserManual
No ratings yet
AA POSS UserManual
24 pages
Pip PDF
No ratings yet
Pip PDF
5 pages
Software Requirements Specification: Version 1.0 Approved
No ratings yet
Software Requirements Specification: Version 1.0 Approved
14 pages
NX: Convert Inch Part To Metric (Or Vice Versa)
No ratings yet
NX: Convert Inch Part To Metric (Or Vice Versa)
10 pages
Fara Hala (1) .Ifc - Sharedparameters
No ratings yet
Fara Hala (1) .Ifc - Sharedparameters
1 page
Vrbas Resume - Technical Recruiter
No ratings yet
Vrbas Resume - Technical Recruiter
1 page