Useful commands for Check Point

sysadmin

Member
I suggest we put together a list of everyday commands for Gaia OS. Post only what is really needed every day for troubleshooting and monitoring NGFW and other Check Point hardware.
 
Everyday Check Point command reference
[TABLE="border: 1, cellpadding: 5, cellspacing: 0"]
[TR]
[TD]Command[/TD]
[TD]Description[/TD]
[/TR]
[TR]
[TD]cpconfig[/TD]
[TD]change SIC, licenses and more[/TD]
[/TR]
[TR]
[TD]cpview -t[/TD]
[TD]show top style performance counters[/TD]
[/TR]
[TR]
[TD]cphaprob stat[/TD]
[TD]list the state of the high availability cluster members. Should show active and standby devices.[/TD]
[/TR]
[TR]
[TD]cphaprob -a if[/TD]
[TD]display status of monitored interfaces in a cluster[/TD]
[/TR]
[TR]
[TD]cphaprob -l list[/TD]
[TD]display registered cluster devices and status[/TD]
[/TR]
[TR]
[TD]cphaprob syncstat[/TD]
[TD]display sync transport layer statistics[/TD]
[/TR]
[TR]
[TD]cphaprob ldstat[/TD]
[TD]display sync serialization statistics[/TD]
[/TR]
[TR]
[TD]cphastop[/TD]
[TD]stop a cluster member from passing traffic. Stops synchronization. (emergency only)[/TD]
[/TR]
[TR]
[TD]clusterXL_admin down -p[/TD]
[TD]disable this node from cluster membership[/TD]
[/TR]
[TR]
[TD]cphaconf cluster_id get[/TD]
[TD]get cluster Global ID membership[/TD]
[/TR]
[TR]
[TD]cplic print[/TD]
[TD]license information[/TD]
[/TR]
[TR]
[TD]cpstart[/TD]
[TD]start all checkpoint services[/TD]
[/TR]
[TR]
[TD]cpstat fw[/TD]
[TD]show policy name, policy install time and interface table[/TD]
[/TR]
[TR]
[TD]cpstat ha[/TD]
[TD]high availability state[/TD]
[/TR]
[TR]
[TD]cpstat blades[/TD]
[TD]top rule hits and amount of connections[/TD]
[/TR]
[TR]
[TD]cpstat os -f all[/TD]
[TD]checkpoint interface table, routing table, version, memory status, cpu load, disk space[/TD]
[/TR]
[TR]
[TD]cpstat os -f cpu[/TD]
[TD]checkpoint cpu status[/TD]
[/TR]
[TR]
[TD]cpstat os -f multi_cpu[/TD]
[TD]checkpoint cpu load distribution[/TD]
[/TR]
[TR]
[TD]cpstat os -f sensors[/TD]
[TD]hardware environment (temperature/fan/voltage)[/TD]
[/TR]
[TR]
[TD]cpstat os -f routing[/TD]
[TD]checkpoint routing table[/TD]
[/TR]
[TR]
[TD]cpstop[/TD]
[TD]stop all checkpoint services[/TD]
[/TR]
[TR]
[TD]cpwd_admin monitor_list[/TD]
[TD]list processes actively monitored. Firewall should contain cpd and vpnd.[/TD]
[/TR]
[TR]
[TD]show sysenv all[/TD]
[TD]show hardware sensors (fans,power supply,temp,volt)[/TD]
[/TR]
[TR]
[TD]show asset all[/TD]
[TD]show serial numbers and hardware info[/TD]
[/TR]
[TR]
[TD]show route destination xx.xx.xx.xx[/TD]
[TD]show routing for specific host[/TD]
[/TR]
[TR]
[TD]ip route get xx.xx.xx.xx[/TD]
[TD]show routing for specific host[/TD]
[/TR]
[TR]
[TD]iclid / show cluster state[/TD]
[TD]show cluster fail over history[/TD]
[/TR]
[TR]
[TD]promote_util[/TD]
[TD]promote the Secondary Management server to become the Primary server[/TD]
[/TR]
[TR]
[TD]cp_conf sic init key123 norestart[/TD]
[TD]reset SIC without restarting the firewall process[/TD]
[/TR]
[/TABLE]




Useful FW Commands
[TABLE="border: 1, cellpadding: 5, cellspacing: 0"]
[TR]
[TD]Command[/TD]
[TD]Description[/TD]
[/TR]
[TR]
[TD]fw ver[/TD]
[TD]firewall version[/TD]
[/TR]
[TR]
[TD]fw ctl iflist[/TD]
[TD]show interface names[/TD]
[/TR]
[TR]
[TD]fw ctl pstat[/TD]
[TD]show control kernel memory and connections[/TD]
[/TR]
[TR]
[TD]fwaccel stat[/TD]
[TD]show SecureXL status[/TD]
[/TR]
[TR]
[TD]fw fetch <manager IP>[/TD]
[TD]get the policy from the firewall manager[/TD]
[/TR]
[TR]
[TD]fwm load <policy name> <gateway name>[/TD]
[TD]compile and install a policy on the target's gateways.[/TD]
[/TR]
[TR]
[TD]fw getifs[/TD]
[TD]list interfaces and IP addresses[/TD]
[/TR]
[TR]
[TD]fw log[/TD]
[TD]show the content of the connections log[/TD]
[/TR]
[TR]
[TD]fw log -b "MMM DD, YYYY HH:MM:SS" "MMM DD, YYYY HH:MM:SS"[/TD]
[TD]search the current log for activity between specific times[/TD]
[/TR]
[TR]
[TD]fw log -c drop[/TD]
[TD]search for dropped packets in the active log; also can use accept or reject to search[/TD]
[/TR]
[TR]
[TD]fw log -f[/TD]
[TD]tail the current log[/TD]
[/TR]
[TR]
[TD]fwm logexport -i <log name> -o <output name> -n -p[/TD]
[TD]export an old log file on the firewall manager[/TD]
[/TR]
[TR]
[TD]fw logswitch[/TD]
[TD]rotate logs[/TD]
[/TR]
[TR]
[TD]fw lslogs[/TD]
[TD]list firewall logs[/TD]
[/TR]
[TR]
[TD]fw stat[/TD]
[TD]firewall status, should contain the name of the policy and the relevant interfaces.[/TD]
[/TR]
[TR]
[TD]fw stat -l[/TD]
[TD]show which policy is associated with which interface and package drop, accept and reject[/TD]
[/TR]
[TR]
[TD]fw tab[/TD]
[TD]displays firewall tables[/TD]
[/TR]
[TR]
[TD]fw tab -s -t connections[/TD]
[TD]number of connections in state table[/TD]
[/TR]
[TR]
[TD]fw tab -s -t userc_users[/TD]
[TD]number of remote users connected (VPN)[/TD]
[/TR]
[TR]
[TD]fw tab -t xlate -x[/TD]
[TD]clear all translated entries[/TD]
[/TR]
[TR]
[TD]fw unloadlocal[/TD]
[TD]clear local firewall policy[/TD]
[/TR]
[TR]
[TD]fw monitor -e "accept host(10.1.1.10);"[/TD]
[TD]trace the packet flow to/from the specified host[/TD]
[/TR]
[TR]
[TD]fw ctl zdebug + drop | grep 'x.x.x.x\|y.y.y.y'[/TD]
[TD]Check reason of your packet being dropped[/TD]
[/TR]
[/TABLE]
 
Check Point performance diagnostics: some commands

Check Point WatchDog Daemon, which shows all of the appliance's modules, their PIDs, state and number of starts
Code:
cpwd_admin list

CPU usage, the number of CPUs and the distribution of CPU time in percent
Code:
cpstat -f cpu os

Virtual RAM usage, how much RAM is active and free in total, and more
Code:
cpstat -f memory os

A long list of all processes, their IDs, the virtual memory and RAM they occupy, and CPU
Code:
ps auxwf

Shows the most expensive process
Code:
ps -aF

Distribution of cores among the different firewall instances, i.e. the CoreXL technology
Code:
fw ctl affinity -l -a

RAM analysis and general figures for connections, cookies, NAT
Code:
fw ctl pstat

RAM buffer
Code:
free -m
 