24/4/2015

Check Point / SPLAT / Network Debug Cheat Sheet - Midpoint Technology
Check Point / SPLAT / Network Debug Cheat Sheet

Unix Cheats

ifconfig
    List all network interfaces, look for collisions

ifconfig | fgrep inet
    Short list of network IPs

ifconfig | grep -i 'hwa\|inet'
    Short list of ethernet interfaces (hardware addresses) and IPs

route -n
    Print routing table with no DNS resolution

arp -an
    Print out arp table

ls -alth
    List 'a'll files in 't'ime order with 'h'uman readable sizes

more <filename>
<some command> | more
    The more command will print out a file and scroll it so you can read
    it at your pace.
    /<search text> : search forward for <search text>
    <cr> : read one more line
    <space> : read one page
    q : quit
    ? : help

ls -alt | tee /tmp/output.txt
    List the directory, then feed it to "tee", which lists on display AND
    feeds into file at same time

find . -follow | xargs ls -ald | more
    List all files in directory, follow symbolic links, and print the file
    modification time ("ls -ald")

fgrep "search for" *
    Search for "search for" inside a file in the current directory

find . -follow -mmin -10 | xargs ls -ald | more
    Search for files modified less than 10 minutes ago and print mod
    dates. Follow all symbolic links

File names: find . -follow -mmin -10 | fgrep "look for filename"
    Looking for a filename that has been modified in last 10 minutes

File content: find . -follow -mmin -10 | xargs fgrep -i "look for content" | more
    Search for files modified less than 10 minutes ago and search
    inside files for content (not the filename!) "look for content"

find / -follow -type f -size +10240k
    Search for files larger than +10MB. 10240k is less than 10MB

find / -follow -type f -size +10240k -size -102400k
    File between +10MB and 100MB

command > filename
    Send standard output to "filename" (by default error output goes to
    terminal)

command 2>&1 | more
    Send error output "2" to (>) same output as standard output
    "&1" .... which is the display. Pipe all through more

command 2>/dev/null | more
    Send all the error output to null bucket so output just has clean data
    in it

CTRL-v CTRL-o ENTER
    Resets terminal to text in case binary data changes display

stty rows 80 columns 100
    Resets terminal size to window of 80 by 100

dmesg | more
    Look at all the boot messages, usually used to find debug errors

Linux: traceroute -n
Windows: tracert -d
    Traceroute: turn off DNS!

dig @<server IP> <domain name>
dig @172.17.1.2 www.google.com
    Direct query to DNS server @IP 172.17.1.2

http://www.midpointtech.com/training/coursematerials/networkdebugcheatsheet

netstat -r
    routing tables

netstat -an
    Port numbers that are being used or listening on

ps aux, ps auxwf
    print out all processes, or with subprocess tree list.

top
    Real time display of processes and mem utilization
    <spacebar> : refresh
    F>k : Sort on CPU
    F>n : Sort on MEM
    f>X : Sort on Command name
    Toggle reverse sort on/off

tftp <ip of tftp server>
binary
put <filename>

ethtool <ethX e.g. eth0>
    Display physical network card information (limited on VMware)

ethtool -p eth0
    Blink the LED on eth0 port

ethtool -i eth0
    Get driver version info

SmartGateway Debug Commands

clock
    bios time and date

cpconfig
    change SIC, licenses and more

cplic print
    license information

cpstart cpstop
    start all checkpoint services

cpstat fw
    show policy name, policy install time and interface table

cpstat ha
    high availability state

cpstat os -f cpu
    checkpoint cpu status

cpstat os -f routing
    checkpoint routing table

cpstop
    stop all checkpoint services

cpwd_admin monitor_list
    list processes actively monitored. Firewall should contain cpd and vpnd.

expert
    change from the initial administrator privilege to advanced privilege

fw ctl iflist
    show interface names

/bin/date
    OS time and date

fwm load <policy name> <gateway object name>
    On smartcenter or MDM, verify and compile and load the policy name onto the
    target gateway. When it compiles, it creates a file called
    $FWDIR/conf/<policyname.pf>, this is the compiled inspect script. From that it
    generates $FWDIR/conf/<gateway>/rulebases_5_0.fws which is loaded into
    gateway.

fw fetch 10.0.0.42
    get the policy from the firewall manager (use this only if there are problems on the
    firewall). Downloads rulebases_5_0.fws from 10.0.0.42. This has latest policy in
    it

fw unloadlocal
    Remove all policy and security enforcement from SPLAT. Make it a straight linux
    box basically

sysctl -w net.ipv4.ip_forward=1
    After unloading policy, make SPLAT route through the box. Turn on forwarding

fw ver -k
    Firewall version and kernel version

cpinfo
    Prints out TONS of FW debug information for helpdesk

fw stat
    firewall status, should contain the name of the policy and the relevant interfaces,
    i.e. Standard_5_1_1_1_1 [>eth4] [<eth4] [<eth5] [>eth0.900] [<eth0.900]

fw stat -l
    show which policy is associated with which interface and package drop, accept
    and reject

fw tab
    displays firewall hash tables. Note these are tables that are reserved for firewall
    kernel hash tables. fw ctl mem

fw tab | grep '\' | more
    Dump out names of tables stored in hash memory 'fw ctl pstat' (hmem)

fw tab -s -t connections
    number of connections in state table

fw tab -t xlate -x
    clear all translated entries (emergency only)

fwm lock_admin -h
    unlock a user account after repeated failed login attempts

fwm ver
    firewall manager version (on SmartCenter)

sysconfig
    configure date/time, network, dns, ntp

upgrade_import
    run /opt/CPsuite-R65/fw1/bin/upgrade_tools/upgrade_import after a system
    upgrade to import the old license and system information.

hwclock
    show the hardware clock. If the hardware and operating system clocks are off by
    more than a minute, sync the hardware clock to the OS with "hwclock --systohc"

cpd_sched_config print
    Print out CP batch queue, CP version of crontab

fw ctl arp
    List all the proxy arp entries for manual arp brought into the kernel from
    $FWDIR/conf/local.arp. Also have to check Global Properties: NAT: Merge manual
    arps

====== NAT DEBUG =========

fw ctl debug -buf 32000
    Reserve space

fw ctl debug + xlate xltrc nat
    Turn on NAT debug

fw ctl kdebug -f > /tmp/nat.out
    Dump to file

fw ctl debug 0
    Turn off NAT debug

fw monitor -i -p all > outputascii.txt
    Dump traffic through iIoO stacks and output to ascii. -i flushes buffers
    immediately so you get all the output written to the output file.

    -o output.cap
        Dump traffic through iIoO stacks and output to Wireshark format for export.

    -x 0
        Packet data dump starting at offset 0

    -e "accept ip_src=1.2.3.4;"
        Only filter packets from 1.2.3.4 [NOTE: $FWDIR/lib/tcpip.def has shortcuts for
        filtering; ip_src is one example of a shortcut/macro]

Common VI commands

vi <filename>

:q!
    quit no save

ZZ
    quit: save data

<arrow keys>
    up/down/sideways

<pg up> <pg down>

    delete character

dd
    delete line

/someword
    search forward for someword

?someword
    search backwards for someword

    search for next instance

    search for previous instance

    insert character at current spot

    append character after current spot

<ESC>
    escape insert mode

    undo last change

    Create line above current line and start inserting characters

    Create line above current line and start typing characters

<ESC>
    escape insert mode

    undo last change

Unix/Splat Performance Queries

ifconfig
    List all network interfaces, look for collisions and errors on interfaces

ps auxwf
    Print out process hierarchy with cpu times, and full commands that process is executing

cpstat os -f all
    Best overall view of OS with descriptions. Look for FREE space to make sure there is free space.
    Look at Queue lengths to see if things are backing up.
    Look for % CPU time.

fw ctl pstat
    show control kernel memory and connections:
    Hash Kernel Memory: Total Memory Blocks Used / Unused / %: State table memory -> Make sure this has
    free memory
    System Kernel Memory: Allocations: Free: Application Memory -> Make sure there is free memory for
    applications
    Kernel Memory: Free: Firewall kernel memory -> Make sure there is free memory
    Connections: Peak concurrent vs concurrent: Make sure under default config 25000

top
    Dynamic list of processes and the resources they utilize

vmstat
    Memory and virtual memory usage

vmstat 5
    Display every 5 seconds
    Look for:
    w: Number of processes blocked waiting for resources to run. Should be low number.
    free: The amount of idle memory available for swapping. Should be big number.
    so: swap out: means running out of physical memory so start "swap out". Should be
        low number and decreasing
    bi: blocks read from disk. Compare to non-busy device, should be steady number
    bo: blocks written to disk. Compare to non-busy device, should be steady number
    cs: context switches. Number of times a process goes from idle to running. Takes a
        lot of CPU and swap. Should be low or steady number
    us: cpu time spent running user code
    sy: cpu time spent running kernel code
    id: Time spent idle
    wa: Time spent waiting for IO to happen. Watch this one
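
Added example (not from the original cheat sheet): a shell function that applies the "Look for" checks above to vmstat output, finding the so and wa columns from the header row instead of by position. The sample output is constructed, the function name is hypothetical, and the limits (so above 0, wa above 20) are assumptions, since the sheet only says these should be low.

```shell
#!/bin/sh
# Constructed sample of `vmstat 5` output (not captured from a real gateway).
VMSTAT_SAMPLE='procs -----------memory---------- ---swap-- -----io---- --system-- ----cpu----
 r  b   swpd   free   buff  cache   si   so    bi    bo   in   cs us sy id wa
 1  0      0 812340  40212 301220    0    0    12     8  250  400  5  3 90  2
 2  1  20480  10240  39000 250000    0  350   900   700  900 5200 20 15 25 40
 1  0  20480  11200  39100 250400    0    0    20    15  300  450  6  4 88  2'

# vmstat_flags [max_wa] [max_so]
# Prints one line per sample whose swap-out (so) or IO-wait (wa) value
# exceeds the given limit. Defaults are assumptions: wa > 20, so > 0.
vmstat_flags() {
    printf '%s\n' "$VMSTAT_SAMPLE" |
    awk -v max_wa="${1:-20}" -v max_so="${2:-0}" '
        # Header row: remember which field number each column name has.
        $1 == "r" { for (i = 1; i <= NF; i++) col[$i] = i; next }
        # Skip the banner line printed before the header.
        !("wa" in col) { next }
        {
            n++; msg = ""
            if ($(col["so"]) + 0 > max_so + 0) msg = msg " so=" $(col["so"])
            if ($(col["wa"]) + 0 > max_wa + 0) msg = msg " wa=" $(col["wa"])
            if (msg != "") print "sample " n ":" msg
        }'
}

vmstat_flags
```

On a live system the same awk program can read `vmstat 5` directly in place of the embedded sample.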

df -h
    Disk usage of all the drives

netstat -i
    packets dropped/errors per interface

Logging Commands

fw log -c drop
    Entries in the log 'drop' column. also can use 'accept' and
    'reject'

fwm logexport -i <log name> -o <output filename>
    export an old log file on the firewall manager

fw log -n <fwlogname.log> > /tmp/logout.txt
    dump logs into file... do not use DNS resolution -n, much
    faster! NO DNS! -n

fw log -n <fwlogname.log> | tee /tmp/logout.txt
    dump log files both to display AND to file logout.txt. NO
    DNS! -n

fw logswitch
    rotate logs, clear out current log and archive it based on
    date

fw lslogs
    list firewall logs

fw log -f
    tail the current log

fw log -n <logfile>.log

log list
    show all logs kept by gateway/mgr. Both *.log, *elg,

log show #
    dump a log listed by 'log list'

fwm logexport -i <log name> -o <output name.txt>
    NOTE: 'fwm' not 'fw'. Export logs to ascii to
    output_name.txt file

fw log -b <MMM DD, YYYY HH:MM:SS> <MMM DD, YYYY HH:MM:SS>
    search the current log for activity between specific times,
    eg
    fw log -b "Jul 23, 2009 15:01:30" "Jul 23, 2009 15:15:00"

tcpdump

tcpdump -i <interface> -n -s 500 -w <output file> -X [command]
    -i <interface>  commonly eth0/1/2/3
    -n              no DNS resolution, faster
    -s 500          size of data packet
    -w              output file, can be used to feed into Wireshark
    -X              ascii and hex output

    eg. tcpdump -i eth1 -n -w /tmp/netout.cap -X [command]
    eg. tcpdump -i eth1 -n | tee /tmp/netout.cap
        dump to file and screen

Expression Modifiers
    ! or not
    && and
    || or
    NOTE: If you use (), ||, &&, ! then enclose the whole command
    in quotes 'host 1.1.1.1 && host 2.2.2.2' because the shell
    will use the && before tcpdump does.

Common Command Operators
    [ether] [src|dst] host <host> | net <net>/len
    [tcp|udp] [src|dst] port <p1> | portrange <port>-<port>
    [src|dst] net <net ip>/mask
    arp
    icmp
    proto

Example commands:
    1. host 1.1.1.1
    2. src net 10.1.1.0/24
    3. src host 1.1.1.1 or (dst host 3.2.1.4 and src port 53)
    4. ether src host 00:0c:29:80:11:0c
       monitor all data packets from MAC address
    5. ether src host 00:0c:29:80:11:0c and arp
       monitor arp packets from MAC address
    6. port 22 or arp
       figure out why SSH is not connecting.... probably because ARPs are
       not being returned.

Wireshark

Expression Modifiers:
    a==b
    a!=b
    a and b
    a or b
    !(a or b)

Common filters

ARP
    arp              filter just arps
    arp or icmp      filter arps and icmp
    icmp             filter just icmp
IP
    ip.host==1.1.1.1
    ip.src_host==1.1.1.1
    ip.dst_host==1.1.1.1
TCP
    tcp.port==22
    tcp.dstport==22
    tcp.srcport==22

Complex Filter Examples:
    arp or ip.host==1.1.1.1
    arp or icmp and !(ip.host==1.1.1.1)
    NOTE: use !(ip.host==1.1.1.1) and
    NOT ip.host!=1.1.1.1
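
Added example (not from the original cheat sheet) for the NOTE above: ip.host stands for both the source and the destination host, and the comparison the NOTE warns about is true when either value satisfies it, so ip.host!=1.1.1.1 still displays traffic to and from 1.1.1.1. The shell/awk model below uses constructed packets and a hypothetical function name.

```shell
#!/bin/sh
# Constructed sample packets, one per line: "<src host> <dst host>"
PACKETS='1.1.1.1 10.0.0.5
10.0.0.5 1.1.1.1
10.0.0.5 10.0.0.9'

# count_matches <mode> <address>
# Counts the packets in $PACKETS that a display filter would show.
#   ne      models  ip.host != ADDR     (true if ANY of src/dst differs)
#   not_eq  models  !(ip.host == ADDR)  (true only if NEITHER src nor dst matches)
count_matches() {
    printf '%s\n' "$PACKETS" | awk -v mode="$1" -v addr="$2" '
        {
            any_equal  = ($1 == addr || $2 == addr)
            any_differ = ($1 != addr || $2 != addr)
            if (mode == "ne"     && any_differ) n++
            if (mode == "not_eq" && !any_equal) n++
        }
        END { print n + 0 }'
}

echo "ip.host != 1.1.1.1     shows $(count_matches ne 1.1.1.1) of 3 packets"
echo "!(ip.host == 1.1.1.1)  shows $(count_matches not_eq 1.1.1.1) of 3 packets"
```

Wireshark 3.6 and later redefined != to behave like !(a == b); older releases behave as modelled here, and the !( ) form works on both.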

License Commands

cplic print -s
    Print out all licenses with signatures

cplic del XXXX
    Delete license with signature XXXX

cplic print -x | awk '{print $3}' | xargs -n 1 cplic del
    Delete all licenses. You will get errors but in end it will clear them all out.

cpcontract put <file>
cplic put -l <file>
    Install a license file or a contract file. Licenses are for software, contracts are for
    subscriptions like IPS, spam, URL filtering

cplic print -p
    Print out the detailed licensing info after being translated by $CPDIR/conf/cp.macro

Splat Gateway Filesystem

$CPDIR/log
    cpd logs, setup logs, general checkpoint product logs

$FWDIR/database && $FWDIR/state
    Where policy is installed

$FWDIR/log/
    Directory of log files. Use "ls -alt" to find recently
    modified log files

/var/log/messages
    Linux OS logs

$FWDIR/log/*.elg
    component text log files

$FWDIR/log/fw.log
    log file that shows up in SmartTracker

$FWDIR/conf
    FW configuration files

SmartGateway HA debug Commands

cphaprob ldstat
    display sync serialization statistics

cphaprob stat
    list the state of the high availability cluster members. Should show active
    and standby devices.

cphaprob syncstat
    display sync transport layer statistics

cphastop
    stop a cluster member from passing traffic. Stops synchronization.
    (emergency only)

cphaprob -a if
    Display state of interfaces

cphaprob -ia list
    List all the monitored devices and their status to figure out why the firewall
    failed over.

clusterXL_admin up|down
    failover device. NOTE you have to failover other device to get this device
    back to active, not automatically flips back to highest priority. Unless you
    set auto recovery in clusterXL menu for

SmartGateway VPN debug Commands

vpn tu
    list and kill tunnels

fw ctl chain
fw monitor -p > /tmp/outputfile.txt
    Watch iIoO stack traffic and data being decrypted

fw ctl debug -buf 32000
fw ctl debug -m VPN all
fw ctl kdebug -f > /tmp/vpn.out
    Turn on VPN kernel debug and send output to file /tmp/vpn.out
    Turn off after done!!!

fw ctl debug 0
    Turn off!!!!

vpn debug trunc
    Debug the setting up key exchanges and tunnel testing. Output is in
    $FWDIR/log/vpn.elg and ike.elg

vpn debug off
    Turn off!!!

SmartCenter Filesystem

$FWDIR/conf

$FWDIR/log

<year><month><day>_<time>.log
    Names of log files when you execute a fw logswitch
    eg. 20110902_105546.log Name of log file switched
    on 9/2/2011

/var/log/messages

$FWDIR/conf/Standard.pf
    Rulebase saved by SmartDashboard

$FWDIR/conf/rulebases_5_0.fws
    Compiled rulebases pushed to gateway

$CPDIR/log
    cpd daemon and intercommunications logs

MDS filesystem

$MDSDIR/log
    MDS logs

$MDSDIR/conf
    MDS global databases

cd $FWDIR
    current DMS, make sure you do a mdsenv

MDS command lines

mdsstat
    List all the DMS and their statuses

mdsenv
    set MDS environment to a specific domain (listed in mdsstat)

mcd
    change environment to domain specified in mdsenv

mdsstop
    Stop all of MDS

mdsstart
    Start all of MDS

mdsstop_customer customer
    start a single DMS

mdsstart_customer customer
    stop a single DMS

mdscmd
    command line version of the SDM GUI

mdscmd runcrossdomainquery all query_rulebase -n G_MDS
    Search all DM's rulebases for G_MDS

mdscmd runcrossdomainquery all query_network_obj -c dms
    Search all DMS's object files for partial name "dms"
