Wednesday, January 3, 2018

Checkpoint Firewall Useful Commands



By way of a memory jogger a brief collection  of Checkpoint CLI Firewall commands i have found invaluable.




clusterXL_admin up/down     
used to control active/standby firewall in cluster

cphaprob stat                           
shows failover status

cplic print                                 
shows status of licences

fw stat                                       
shows loaded policy

cpview                                      
shows performance indicators

netstat -ni                                 
check for packet drops on interfaces

fw getifs                                    
quick orientation on firewall interfaces

top                                             
review processes and resources being used

Tuesday, January 2, 2018

Checkpoint File Captures

A brief self reminder on how to execute packet captures on Checkpoint Firewalls.
There are much more detailed guides out there, but here are the basics.

TCPDUMP
True packet capture capable of generating a PCAP file for wireshark
tcpdump host {a.b.c.d} -i eth1 -w {filename}.pcap
few examples
tcpdump src a.b.c.d                     Show all traffic from ip
tcpdump dst a.b.c.d                     Show all traffic to ip
tcpdump net a.b.c.0/24                Look at traffic to and from 1.2.3.0 network
tcpdump port 123                        NTP example
tcpdump udp and dst port 53      specify protocol combined with DNS filter
tcpdump portrange 1000-1100      


FW MONITOR
Not as verbose/low level as tcpdump but good enough for a quick snapshot

#packets with IP a.b.c.d as SRC or DST
fw monitor -e "accept host(a.b.c.d);"

# all packets between pair of src and dst ips
fw monitor -e "accept src a.b.c.d and dst w.x.y.z;"

# UPD traffic from or to DNS
fw monitor -e "accept udp and (sport=53 or dport=53);"