
Advanced Checkpoint Gaia CLI Commands (Tips and Tricks)

The document discusses several advanced Checkpoint Gaia CLI commands for troubleshooting including: fw ctl chain to check the packet inspection order, proxy ARP configuration, fw ctl zdebug drop to view dropped packets, tcpdump for packet capturing, fw monitor for packet monitoring, and vpn tu for VPN tunnel management.

19/8/2021 Advanced Checkpoint Gaia CLI Commands (Tips and Tricks)_Cyber Security Memo-CSDN博客


Advanced Checkpoint Gaia CLI Commands (Tips and Tricks)
net sec 2015-10-21 12:14:32


Following my most popular post, “Basic Checkpoint Gaia CLI Commands (Tips and Tricks)“, I would like to
collect some more advanced troubleshooting commands used in my daily work into this
post. Some of the commands are not only for Checkpoint Gaia; they work on the SPLAT or
IPSO platforms as well. This post will be updated whenever I have something new.

1. fw ctl chain
Check Checkpoint Security Gateway packet inspection order/chain. For more details, check
the post “How Firewalls (Security Gateways) Handle the Packets?“

in chain (18):
0: -7f800000 (f28854f0) (ffffffff) IP Options Strip (in) (ipopt_strip)
1: -7d000000 (f1796f10) (00000003) vpn multik forward in
2: - 2000000 (f177cb70) (00000003) vpn decrypt (vpn)
3: - 1fffff8 (f1787c00) (00000001) l2tp inbound (l2tp)
4: - 1fffff6 (f2886ca0) (00000001) Stateless verifications (in) (asm)
5: - 1fffff5 (f28bce30) (00000001) fw multik misc proto forwarding
6: - 1fffff2 (f17a4df0) (00000003) vpn tagging inbound (tagging)
7: - 1fffff0 (f177a150) (00000003) vpn decrypt verify (vpn_ver)
8: - 1000000 (f29049c0) (00000003) SecureXL conn sync (secxl_sync)
9: 0 (f282f810) (00000001) fw VM inbound (fw)
10: 1 (f28a6b30) (00000002) wire VM inbound (wire_vm)
11: 2000000 (f177b5e0) (00000003) vpn policy inbound (vpn_pol)
12: 10000000 (f2902cb0) (00000003) SecureXL inbound (secxl)
13: 7f600000 (f287ab70) (00000001) fw SCV inbound (scv)
14: 7f730000 (f2a13500) (00000001) passive streaming (in) (pass_str)
15: 7f750000 (f2c0bef0) (00000001) TCP streaming (in) (cpas)
16: 7f800000 (f2885890) (ffffffff) IP Options Restore (in) (ipopt_res)
17: 7fb00000 (f2fac050) (00000001) HA Forwarding (ha_for)

out chain (15):
0: -7f800000 (f28854f0) (ffffffff) IP Options Strip (out) (ipopt_strip)
1: -78000000 (f1796ef0) (00000003) vpn multik forward out
2: - 1ffffff (f1779a10) (00000003) vpn nat outbound (vpn_nat)
3: - 1fffff0 (f2c0bd70) (00000001) TCP streaming (out) (cpas)
4: - 1ffff50 (f2a13500) (00000001) passive streaming (out) (pass_str)
5: - 1ff0000 (f17a4df0) (00000003) vpn tagging outbound (tagging)
6: - 1f00000 (f2886ca0) (00000001) Stateless verifications (out) (asm)
7: 0 (f282f810) (00000001) fw VM outbound (fw)
8: 1 (f28a6b30) (00000002) wire VM outbound (wire_vm)
9: 2000000 (f1779c30) (00000003) vpn policy outbound (vpn_pol)
10: 10000000 (f2902cb0) (00000003) SecureXL outbound (secxl)
11: 1ffffff0 (f17887b0) (00000001) l2tp outbound (l2tp)
12: 20000000 (f177d5b0) (00000003) vpn encrypt (vpn)
13: 7f700000 (f2c0e340) (00000001) TCP streaming post VM (cpas)
14: 7f800000 (f2885890) (ffffffff) IP Options Restore (out) (ipopt_res)

2. Proxy Arp
a. Use the Gaia portal.
Network Management -> Arp -> Proxy ARP

b. Use the command line (in Gaia):


add arp proxy ipv4-address 172.16.0.8 interface eth0 real-ipv4-address 172.16.0.22

The Gaia command above automatically writes the entry to a file called local.arp.

c. Use the command line (in expert mode):

Insert the information directly into /opt/CPsuite-R76/fw1/conf/local.arp:
echo "172.16.0.8 00:0c:29:f1:b7:74 172.16.0.22" >> $FWDIR/conf/local.arp

Verify the changes after a policy push with command “fw ctl arp”:

[[email protected]:0]# fw ctl arp


(10.9.3.21) at 00-1c-7f-32-cc-15
(10.9.3.53) at 00-1c-7f-32-cc-15
(10.9.3.35) at 00-1c-7f-32-cc-15
(10.9.3.26) at 00-1c-7f-32-cc-15
(10.9.3.29) at 00-1c-7f-32-cc-15
(10.9.3.80) at 00-1c-7f-32-cc-15
(191.24.11.13) at 00-1c-7f-33-07-ae interface 191.24.11.116
(10.9.3.25) at 00-1c-7f-32-cc-15
(10.9.3.61) at 00-1c-7f-32-cc-15
(10.9.3.28) at 00-1c-7f-32-cc-15
(10.9.3.24) at 00-1c-7f-32-cc-15
(10.9.3.27) at 00-1c-7f-32-cc-15

FW-GAIA> show arp proxy all


IP Address MAC Address / Interface Real IP Address

200.0.0.102 eth0

Reference: Checkpoint SPLAT Manual Proxy ARP Configuration Example

3. fw ctl zdebug drop


Lists all dropped packets in real time and gives an explanation of why each packet is dropped.

4. TCPDUMP
tcpdump port 257 <-- on the firewall, this lets you see whether the logs are passing
from the firewall to the manager, and what address they are heading to

tcpdump -i WAN.15 <-- capture everything on this interface

tcpdump -i eth1.16 icmp <-- capture just pings on this interface

tcpdump -i Mgmt -vvv -s0 -w tcpdumpfile.log <-- capture the full packets to a
file, useful for Wireshark; -s0 stops the packets from being truncated

tcpdump -i INT port 67 <-- view DHCP requests

tcpdump -eP -nni any host 10.9.4.30 <-- -nn disables both name and service port
resolution while performing a capture; -e prints the link-level header on each dump
line, which can be used, for example, to print MAC layer addresses for protocols such
as Ethernet and IEEE 802.11; -p is --no-promiscuous-mode

tcpdump -i any <-- "any" tells tcpdump to listen on all interfaces

tcpdump -n <-- disable lookup and translation of hostnames and ports

Reference: Understanding TCPDUMP Output

5. FW Monitor
fw monitor -e 'accept host(192.168.1.12);' <-- show packets with IP 192.168.1.12 as
SRC or DST

fw monitor -e 'accept src=192.168.1.12 and dst=192.168.3.3;' <-- show all packets from
192.168.1.12 to 192.168.3.3

fw monitor -pi ipopt_strip -e 'accept udpport(53);' <-- show UDP port 53 (DNS) packets;
the pre-in position is before 'ipopt_strip'

fw monitor -m O -e 'accept udp and (sport>1023 or dport>1023);' <-- show UDP traffic
from or to unprivileged ports, only show post-out

fw monitor -e 'accept net(192.168.1.0,24) and tracert;' <-- show Windows traceroute
(ICMP, TTL<30) from and to network 192.168.1.0/24

fw monitor -v 23 -e 'accept tcpport(80);' <-- capture web traffic for VSX virtual
system ID 23

fw monitor -e 'accept ip_p=50 and ifid=0;' <-- show all ESP (IP protocol 50) packets on
the interface with the ID 0 (list interfaces and corresponding IDs with fw ctl iflist)

srfw monitor -o output_file.cap <-- write traffic on a SecuRemote/SecureClient client
into a file. srfw.exe is in $SRDIR/bin (C:\Program Files\CheckPoint\SecuRemote\bin)

6. VPN tu
vpn tu or vpn tunnelutil

********** Select Option **********

(1) List all IKE SAs


(2) List all IPsec SAs
(3) List all IKE SAs for a given peer (GW) or user (Client)
(4) List all IPsec SAs for a given peer (GW) or user (Client)
(5) Delete all IPsec SAs for a given peer (GW)
(6) Delete all IPsec SAs for a given User (Client)
(7) Delete all IPsec+IKE SAs for a given peer (GW)
(8) Delete all IPsec+IKE SAs for a given User (Client)
(9) Delete all IPsec SAs for ALL peers and users
(0) Delete all IPsec+IKE SAs for ALL peers and users

(Q) Quit

7. Disk/File/Folder Commands
Checkpoint SK60080 describes some solutions to resolve excessive disk consumption on
SPLAT/Gaia/IPSO/Linux OS systems. Here are some helpful commands:
a. df -h (view the partition table and its associated utilization)
b. du -h --max-depth=1 /opt | sort -n -r (examine disk space utilization at directory level)
c. ls -1 $FWDIR/conf/db_versions/repository/ | wc -l (check the number of database
revisions on a Security Management server)
d. ls -l $RTDIR/distrib/* | wc -l (counts the number of records)
e. evstop & evstart (stop / start Eventia / SmartEvent)
f. rm -r $RTDIR/distrib/* (purge this directory of stale records)
g. ls -lR /var/log/dump/usermode/ (find and delete old core dump files)
h. ls -lR /var/crash/ (find and delete old core dump files)
i. rm $FWDIR/log/2009*.log* (removes all old log files for year 2009)

8. Connections
CP-1> fw tab -t connections -s
HOST NAME ID #VALS #PEAK #SLINKS

localhost connections 8158 77 948 179

Note:

The ID is the actual table number.

The VALS column is the current number of connections in the connections table at the time the command was run.

The PEAK number is the maximum number of connections recorded since the last reboot.

SLINKS is a table of symbolic links that point to the real connection entries. There are usually 4 symbolic links per connection. This way, no matter which direction the packet comes from, there will be an entry for it. There is more to it than that, but that is the general idea.

CP-1> fw ctl pstat

System Capacity Summary:

Memory used: 8% (62 MB out of 696 MB) - below watermark

Concurrent Connections: 0% (79 out of 24900) - below watermark

Aggressive Aging is in detect mode

Hash kernel memory (hmem) statistics:

Total memory allocated: 71303168 bytes in 17408 (4096 bytes) blocks using 1 pool

Total memory bytes used: 9703728 unused: 61599440 (86.39%) peak: 18891512

Total memory blocks used: 2665 unused: 14743 (84%) peak: 4705

Allocations: 198489371 alloc, 0 failed alloc, 198382561 free

System kernel memory (smem) statistics:

Total memory bytes used: 117769900 peak: 120093268

Total memory bytes wasted: 996590

Blocking memory bytes used: 2530356 peak: 2557584

Non-Blocking memory bytes used: 115239544 peak: 117535684

Allocations: 433810 alloc, 28 failed alloc, 432937 free, 0 failed free

vmalloc bytes used: 114086588 expensive: no

Kernel memory (kmem) statistics:

Total memory bytes used: 56103032 peak: 66020104

Allocations: 198922588 alloc, 28 failed alloc

198815489 free, 0 failed free

External Allocations: 0 for packets, 0 for SXL

Cookies:

90753187 total, 0 alloc, 0 free,

7839 dup, 2107678 get, 160176 put,

91154457 len, 0 cached len, 0 chain alloc,

0 chain free

Connections:

231169 total, 7807 TCP, 4665 UDP, 182351 ICMP,

36346 other, 0 anticipated, 3 recovered, 79 concurrent,

948 peak concurrent

Fragments:

0 fragments, 0 packets, 0 expired, 0 short,

0 large, 0 duplicates, 0 failures

NAT:

80509/0 forw, 5266/0 bckw, 85750 tcpudp,

16 icmp, 10440-949656 alloc

Sync:

Version: new

Status: Able to Send/Receive sync packets

Sync packets sent:

total : 864451, retransmitted : 0, retrans reqs : 15, acks : 1826

Sync packets received:

total : 3614413, were queued : 30, dropped by net : 15

retrans reqs : 0, received 11745 acks

retrans reqs for illegal seq : 0

dropped updates as a result of sync overload: 0

Callback statistics: handled 11588 cb, average delay : 1, max delay : 5

9. Check Point SecureXL


To enable SecureXL, run the command:
CP[admin]# fwaccel on

To disable SecureXL, run the command:


CP[admin]# fwaccel off

Note: The fwaccel off command is not persistent and SecureXL will be enabled again after a
reboot of the system. SecureXL can be permanently disabled through the CPconfig utility.

To check the number of accelerated connections and other SecureXL statistics:
CP[admin]# netstat -f
To check the number of accelerated SAs (VPN traffic):
CP[admin]# netstat -s
To check overall SecureXL statistics:
CP[admin]# fwaccel stat

10. View Checkpoint Log from CLI

expert mode

fw log -n | more
fw log -n -f | https

or

normal mode without pipe

11. Revision Control Versions Location on Management Server

[[email protected]]# cd /opt/CPsuite-R75.20/fw1/conf/db_versions/repository/

[[email protected]]# ls
1 11 12 13 14 15 16 17 18 2 3 4 5 6 7 8 9

All versions are in those numbered directories. The actual version info is in versioning_db.fws.

[[email protected]]# cd database/

[[email protected]]# ls
versioning_db.fws

12. Change user cli between BASH and CLISH

HostName> set user admin shell /bin/bash


HostName> save config

[[email protected]]# dbset passwd:admin:shell /etc/cli.sh


[[email protected]]# dbset :save

or

chsh -s /bin/bash admin

chsh -s /etc/cli.sh admin

For SPLAT, the default shell is /bin/cpshell, which is not listed in the /etc/shells file.

chsh -s /bin/cpshell admin

[adm [email protected] ~]$ cat /etc/shells


/bin/sh
/bin/bash
/bin/bash2
/bin/tcsh
/bin/csh
[ [email protected] ~]$ chsh
Changing shell for root.
New shell [/bin/cpshell]: /bin/bash
Shell changed.

13. Enable SFTP in Gaia

[[email protected]]# vi /etc/ssh/sshd_config

Uncomment the ‘sftp-server’ line by deleting the pound ‘#’ character:

from

#Subsystem sftp /usr/libexec/openssh/sftp-server


to
Subsystem sftp /usr/libexec/openssh/sftp-server

[[email protected]]# /etc/init.d/sshd restart

Note: Please check my previous post: Enable SFTP to Checkpoint Gaia OS System for
more details.

14. Installation of Hotfixes on Gaia or SPLAT

[[email protected]]# tar -zxvf Check_Point_Hotfix_VERSION_OS_sk104443.tgz


[[email protected]]# ./SecurePlatform_HOTFIX_NAME
[[email protected]]# reboot

Steps to install a Jumbo Hotfix for R77.20 in a cluster environment:

a. Install the hotfix on the standby cluster member (CP2), then reboot it.
b. Fail over from the active cluster member (CP1) to the standby member (CP2) after the
standby member has finished rebooting.
c. Install the hotfix on CP1 and reboot it.

[[email protected]:0]# md5sum Check_Point_R77.20.linux.tgz

d788583cf44389b83b0dd6990cb53f63 Check_Point_R77.20.linux.tgz

[[email protected]:0]# tar -zxvf Check_Point_R77.20.linux.tgz

Actions/

Actions/cpconfig

Actions/CheckPackage

Actions/CRSValidator

Actions/GetPa

……

[[email protected]:0]# ./UnixInstallScript

***********************************************************

Welcome to Check Point R77_20_JUMBO_HF installation

***********************************************************

Verifying installation environment for R77_20_JUMBO_HF…Done!

The following components will be installed:

* R77_20_JUMBO_HF

Installation program is about to stop all Check Point Processes.

Do you want to continue (y/n) ? y

Stopping Check Point Processes…Done!

Installing Security Gateway / Security Management R77_20_JUMBO_HF…Done!

Installing GAIA R77_20_JUMBO_HF…Done!

Installing Performance Pack R77_20_JUMBO_HF…Done!

Installing Mobile Access R77_20_JUMBO_HF…Done!

************************************************************************

Package Name Status

------------ ------

Security Gateway / Security Management R77_20_JUMBO_HF Succeeded

GAIA R77_20_JUMBO_HF Succeeded

Performance Pack R77_20_JUMBO_HF Succeeded

Mobile Access R77_20_JUMBO_HF Succeeded



************************************************************************

Installation program completed successfully.

Do you wish to reboot your machine (y/n) ? y

Broadcast message from admin (pts/2) (Mon Oct 26 16:37:44 2015):

The system is going down for reboot NOW!

Broadcast message from admin (pts/2) (Mon Oct 26 16:37:44 2015):

The system is going down for reboot NOW!

[[email protected]:0]#

15. SSH Timeout Solutions


a. Increasing the timeout
set inactivity-timeout 720

b. Ignore Hangup
[[email protected]:0]# fw monitor -e "accept host(172.16.0.1);" -o test.cap &
[1] 27524
[[email protected]:0]# ps -aux | grep "fw monitor"
admin 27524 0.7 2.1 88268 21256 pts/2 S 14:09 0:00 fw monitor -e accept host(172.16.0.1); -o test.cap

Disown the process with this command, specifying the PID:

disown 27524

Closing, or having the SSH session end due to timeout will no longer send a hangup to this
process, since it is no longer a child process of the SSH session.

A new SSH session or console session can be started later, and the process can be killed
manually to stop it.

kill 27524

[[email protected]:0]# nohup fw ctl kdebug -T -f -o debug.txt -m 10 -s 50000 &
[1] 30209
nohup: appending output to 'nohup.out'

This example creates cyclic debug files: 10 files, with a maximum of 50000Kb. Again, the
PID is displayed, and the output of the command is written to the text file 'nohup.out'.

The SSH session can be ended with “exit” or timed out, and the hangup sent to this child
process will be ignored, the debug will continue running until we log in again and manually
kill the PID.

16. ClusterXL Troubleshooting


16.1 Force a failover

This creates a pnote (problem notification) that is in problem state on the current cluster
member and forces a failover to another member:

cphaprob -d fail -s problem -t 0 register

Verify it's in problem state with

cphaprob stat

and

cphaprob -i list

(you should see 'fail' in problem state)

Once you've finished your testing, run these two to reset it:

cphaprob -d fail -s ok report
cphaprob -d fail unregister

Reference: CheckPoint HA: How to force a failover (ClusterXL/VRRP)

16.2 cphaprob commands and troubleshooting ClusterXL problems

FW-CP2 is fine, but FW-CP1 shows a problem in the ClusterXL status.


[[email protected]:0]# cphaprob -a if

Required interfaces: 5

Required secured interfaces: 1

eth1 UP non sync(non secured), multicast

eth2 UP sync(secured), multicast

Mgmt UP non sync(non secured), multicast

eth3 UP non sync(non secured), multicast (eth3.106 )

eth3 UP non sync(non secured), multicast (eth3.102 )

Virtual cluster interfaces: 6

eth1 2.13.11.60

eth2 10.1.90.14

Mgmt 10.1.72.14

eth3.104 10.1.104.14

eth3.106 10.1.106.14

eth3.102 10.1.102.14

FW-CP1> cphaprob -i list

Built-in Devices:

Device Name: Interface Active Check

Current state: problem

Device Name: HA Initialization

Current state: OK

Device Name: Recovery Delay

Current state: OK

Registered Devices:

Device Name: Synchronization

Registration number: 0

Timeout: none

Current state: OK

Time since last report: 64196.3 sec

Device Name: Filter

Registration number: 1

Timeout: none

Current state: OK

Time since last report: 63492.1 sec

Device Name: cphad

Registration number: 2

Timeout: none

Current state: OK

Time since last report: 2.68138e+06 sec

Device Name: fwd

Registration number: 3

Timeout: none

Current state: OK

Time since last report: 2.68137e+06 sec

Device Name: routed

Registration number: 4

Timeout: none

Current state: OK

Time since last report: 62898.8 sec

Usually it is caused by the connection between the firewall interface port and the switch port.
Capturing UDP port 8116 helps find out which member is not sending the keep-alive packets:

Cluster Control Protocol (CCP) runs on UDP port 8116 and allows cluster members to
report their own states and learn about the states of other members by sending keep-alive
packets (applies only to ClusterXL clusters). CCP also keeps the cluster member sync state.

The following tcpdump shows that cluster member 1 (00:00:00:00:fe:00) and cluster member 2
(00:00:00:00:fe:01) are both sending 8116 CCP packets. That is normal. If you only
see one sending, you will have to check the other one's switch port VLAN configuration. You
may be missing one VLAN on the switch trunk port, which has happened to me.

[[email protected]:0]# tcpdump -enni eth3.102 port 8116

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth3.102, link-type EN10MB (Ethernet), capture size 96 bytes
11:13:17.497801 00:00:00:00:fe:01 > 01:00:5e:5b:66:0e, ethertype IPv4 (0x0800), length 92: 0.0.0.0.8116 > 10.91.102.0.8116: UDP, length 50
11:13:17.597743 00:00:00:00:fe:01 > 01:00:5e:5b:66:0e, ethertype IPv4 (0x0800), length 76: 0.0.0.0.8116 > 10.91.102.0.8116: UDP, length 34
11:13:17.676067 00:00:00:00:fe:00 > 01:00:5e:5b:66:0e, ethertype IPv4 (0x0800), length 76: 0.0.0.0.8116 > 10.91.102.0.8116: UDP, length 34
11:13:17.676182 00:00:00:00:fe:00 > 01:00:5e:5b:66:0e, ethertype IPv4 (0x0800), length 92: 0.0.0.0.8116 > 10.91.102.0.8116: UDP, length 50
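
The check described above, as an added example that is not part of the original post: it counts the distinct source MACs in `tcpdump -enni <interface> port 8116` text output and reports when fewer cluster members than expected are sending CCP. The function names and the one-sided sample capture are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): find out which cluster members
# are sending CCP keep-alives, from `tcpdump -enni <interface> port 8116` output.

# Print "<source-mac> <frames>" for every MAC that sent a frame from UDP port 8116.
# With -e the link-level header is printed: field 2 is the source MAC, field 3 is ">".
ccp_senders() {
    awk '$3 == ">" && length($2) == 17 && $2 ~ /^[0-9a-f:]+$/ && /\.8116 >/ {
             frames[$2]++
         }
         END { for (mac in frames) print mac, frames[mac] }' | sort
}

# ccp_check EXPECTED_MEMBERS: read the capture on stdin. Returns 0 when at least
# that many distinct MACs were seen, otherwise lists the senders and returns 1.
ccp_check() {
    ccp_expected=$1
    ccp_seen=$(ccp_senders)
    ccp_count=$(printf '%s\n' "$ccp_seen" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$ccp_count" -ge "$ccp_expected" ]; then
        echo "OK: $ccp_count of $ccp_expected members are sending CCP"
        return 0
    fi
    echo "PROBLEM: only $ccp_count of $ccp_expected members are sending CCP"
    if [ -n "$ccp_seen" ]; then
        printf '%s\n' "$ccp_seen" | sed 's/^/  seen: /'
    fi
    echo "Check the switch port / trunk VLAN of the member that is missing."
    return 1
}

# The four frames from the capture shown above, one frame per line.
sample_both_members() {
    cat <<'EOF'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth3.102, link-type EN10MB (Ethernet), capture size 96 bytes
11:13:17.497801 00:00:00:00:fe:01 > 01:00:5e:5b:66:0e, ethertype IPv4 (0x0800), length 92: 0.0.0.0.8116 > 10.91.102.0.8116: UDP, length 50
11:13:17.597743 00:00:00:00:fe:01 > 01:00:5e:5b:66:0e, ethertype IPv4 (0x0800), length 76: 0.0.0.0.8116 > 10.91.102.0.8116: UDP, length 34
11:13:17.676067 00:00:00:00:fe:00 > 01:00:5e:5b:66:0e, ethertype IPv4 (0x0800), length 76: 0.0.0.0.8116 > 10.91.102.0.8116: UDP, length 34
11:13:17.676182 00:00:00:00:fe:00 > 01:00:5e:5b:66:0e, ethertype IPv4 (0x0800), length 92: 0.0.0.0.8116 > 10.91.102.0.8116: UDP, length 50
EOF
}

# Constructed sample: the same interface when only member 2 (fe:01) is heard.
sample_one_member() {
    cat <<'EOF'
listening on eth3.102, link-type EN10MB (Ethernet), capture size 96 bytes
11:13:17.497801 00:00:00:00:fe:01 > 01:00:5e:5b:66:0e, ethertype IPv4 (0x0800), length 92: 0.0.0.0.8116 > 10.91.102.0.8116: UDP, length 50
11:13:17.597743 00:00:00:00:fe:01 > 01:00:5e:5b:66:0e, ethertype IPv4 (0x0800), length 76: 0.0.0.0.8116 > 10.91.102.0.8116: UDP, length 34
EOF
}

sample_both_members | ccp_check 2
sample_one_member | ccp_check 2 || true

# Assumed usage on a gateway (interface name taken from the capture above):
#   tcpdump -enni eth3.102 -c 200 port 8116 2>/dev/null | ccp_check 2
```

Run the check once per cluster interface or VLAN; the interface where it reports a problem is the one whose switch port configuration needs checking.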

Note: Previous Troubleshooting Post – Checkpoint Cluster Member Down because interfaces show partially up

17. Permanently Change Global Kernel Parameter Values

Global kernel parameters exist to control (customize) the behavior of the Security Gateway
(kernel parameters are located in the $FWDIR/boot/modules/fw*mod* kernel modules).

This control (customization) can be done on the fly using the fw ctl set int command
(the change takes effect immediately). However, the value of the kernel parameter returns to its
default value after a reboot. At times, it may be required to control (customize) the behavior
of the Security Gateway permanently. In addition, some kernel parameters need to
be changed at boot. The fwkern.conf file holds all of those kernel parameter
values. If it does not exist on your system, you will need to create it manually.

The Security Gateway must be rebooted after any change in the
$FWDIR/boot/modules/fwkern.conf file.

[[email protected]:0]# cat /opt/CPsuite-R77/fw1/boot/modules/fwkern.conf

fwha_mac_magic=40

fwha_mac_forward_magic=41

fw_allow_simultaneous_ping=1

fwha_forw_packet_to_not_active=1

Useful Checkpoint KBs:


1. sk97638 – Check Point Processes and Daemons

2. sk98348 – Best Practices – Security Gateway Performance
