Wednesday, March 10, 2010

rtm monitor in Checkpoint

rtm monitor is a useful way to gather trending statistics and to troubleshoot bandwidth and throughput issues:

View the Smartview Monitor status
rtm drv stat

If SmartView Monitor is not running, these commands turn it on:
rtm drv on
rtmstart


rtm monitor <module> [options] -g [entity-1 ... entity-n]

rtm monitor localhost -filter "[and [[interface 0 [[eth0in]]] [svc 1 [telnet http]]]]" -y C -g topsrc
Displays the average concurrent connections for the top 50 sources passing through eth0 inbound whose service is not telnet or http (the 0 after "interface" keeps the match as written, the 1 after "svc" negates it).

rtm monitor localhost -g topsvc
Displays the top 50 services on any interface in both directions.

rtm monitor localhost hme1 -g topsvc -y b
Displays bytes per second for the top 50 services on interface hme1.



Other switches:
-i <seconds>        refresh interval in seconds
<interface-name>    monitor a specific interface only
-y <unit>           measurement unit: b (bytes), p (packets), l (line), C (average concurrent connections)
-g <grouping>       grouping options: svc, src, dst, ip, fgrule, topsvc, topsrc, topdst, topfgrule
    svc       monitor according to service
    src       according to a network object's source
    dst       according to destination
    ip        monitor by source and destination
    fgrule    QoS rule
    topsvc    top 50 services
    topsrc    top 50 sources
    topdst    top 50 destinations
    topfwm    top 50 firewall rules

How to globally change the expiration date of all users on Checkpoint

Steps 1-3 are only required in a Provider-1 environment.

1. SSH into the MLM for the customer and point your environment at that customer's MLM:
mdsenv <customer name or IP>

2. Next, "cd $FWDIR" and type "pwd".

3. Confirm that pwd shows the MLM directory for that customer (not the MDS), otherwise the next step changes the wrong database.

4. Run the following command with the new expiration date:
fwm expdate <new-date>

example: fwm expdate 02-12-2010

Resolving local logging issues on Checkpoint

If logs are not appearing in SmartView Tracker, the gateway is probably logging locally.
To determine if logs are being stored locally on the gateway, go to $FWDIR/log.
Locate the fw.log file and see if its size is incrementing. There may also be additional fw*.log files that have rolled over.
To resolve the issue, first try restarting the MLM (in a Provider-1 environment) or the Log Services (on a SmartCenter Server).
Next, restart the firewall daemon on the gateway (fw kill fwd, followed by fwd).
If that does not work, try rebooting the firewall.

Once resolved, you can pull the stored logs from the gateway by running "fw fetchlogs <gateway>" from the log server. In R70, there is also an option to fetch logs in SmartView Tracker (Tools > Remote Files Management).
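The "is fw.log growing?" check above is easy to get wrong by eyeballing ls output twice. Here is an added example (my own script, not part of the original post or Check Point's tooling) that samples the file size over a window and counts rolled-over logs. The log directory is a parameter so it can be run against a copy; on a gateway pass "$FWDIR/log".

```shell
#!/bin/sh
# Added example: detect local logging on a Check Point gateway by watching
# whether fw.log grows.  LOGDIR is a parameter (on a gateway: "$FWDIR/log").

# file_size FILE
# Print the size of FILE in bytes, or 0 if it does not exist.
file_size() {
    if [ -f "$1" ]; then
        wc -c < "$1" | tr -d ' '
    else
        echo 0
    fi
}

# log_growing LOGDIR [SECONDS]
# Returns 0 (true) if LOGDIR/fw.log grew during the sampling window
# (default 10 s), 1 otherwise.  A growing fw.log on a gateway means logs
# are being written locally instead of reaching the log server.
log_growing() {
    dir=$1
    wait_s=${2:-10}
    before=$(file_size "$dir/fw.log")
    sleep "$wait_s"
    after=$(file_size "$dir/fw.log")
    [ "$after" -gt "$before" ]
}

# rolled_logs LOGDIR
# Print how many additional fw*.log files (rolled-over local logs) exist
# besides fw.log itself; these are what "fw fetchlogs" will need to pull.
rolled_logs() {
    count=0
    for f in "$1"/fw*.log; do
        [ -f "$f" ] || continue
        [ "$f" = "$1/fw.log" ] && continue
        count=$((count + 1))
    done
    echo "$count"
}

# Usage on a gateway (uncomment):
# if log_growing "$FWDIR/log" 10; then echo "gateway is logging locally"; fi
# echo "rolled-over local logs: $(rolled_logs "$FWDIR/log")"
```

Run it once before restarting fwd and once after: if log_growing still succeeds after the restart, the gateway still cannot reach the log server and the problem is on the MLM/SmartCenter side, not on the gateway.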

Tuesday, March 9, 2010

Allowing scp to SPLAT boxes

cat /etc/scpusers and look for the user name that will be used to scp.
If the user is not listed: echo <username> >> /etc/scpusers
In order to use WinSCP, you must also change admin's shell to bash:
chsh -s /bin/bash admin
Note: this is a security risk, since it bypasses cpshell for this user. Use with caution.
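Since /etc/scpusers is appended to by hand, it is worth making the edit idempotent and checking the resulting state in one go. The following is an added example (my own script, not from the original post or from Check Point) that adds the user only if missing and reports whether the account is actually ready for scp/WinSCP. The file paths are parameters so it can be exercised on copies; on SPLAT the real files are /etc/scpusers and /etc/passwd.

```shell
#!/bin/sh
# Added example: manage the SPLAT scp allow list and verify the account's
# shell.  File paths are parameters (on SPLAT: /etc/scpusers, /etc/passwd).

# add_scpuser USER SCPUSERS_FILE
# Append USER to SCPUSERS_FILE only if it is not already listed, so that
# repeated runs never create duplicate lines.
add_scpuser() {
    user=$1
    file=$2
    [ -f "$file" ] || : > "$file"
    if grep -qx "$user" "$file"; then
        return 0
    fi
    echo "$user" >> "$file"
}

# login_shell USER PASSWD_FILE
# Print the login shell recorded for USER (empty if the user is absent).
login_shell() {
    awk -F: -v u="$1" '$1 == u { print $7 }' "$2"
}

# scp_ready USER SCPUSERS_FILE PASSWD_FILE
# Returns 0 if USER is on the scp list and has /bin/bash as shell (which
# WinSCP needs); otherwise prints what is missing and returns 1.
# Remember that /bin/bash bypasses cpshell, so only do this deliberately.
scp_ready() {
    user=$1
    scpfile=$2
    passwd=$3
    ok=0
    if ! grep -qx "$user" "$scpfile" 2>/dev/null; then
        echo "$user is not listed in $scpfile"
        ok=1
    fi
    shell=$(login_shell "$user" "$passwd")
    if [ "$shell" != /bin/bash ]; then
        echo "$user shell is '${shell:-none}'; WinSCP needs /bin/bash (chsh -s /bin/bash $user)"
        ok=1
    fi
    return $ok
}

# Usage on SPLAT (uncomment):
# add_scpuser admin /etc/scpusers
# scp_ready admin /etc/scpusers /etc/passwd
```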

Configuring SNMP on SPLAT

step 1: service snmpd restart
step 2: edit /etc/snmp/snmpd.users.conf and replace "public" with your actual SNMP community string
step 3: service snmpd restart
step 4: netstat -an | grep 161 (confirm snmpd is listening on port 161)

For the Check Point snmpd extension on port 260:

step 1: modify the $FWDIR/conf/snmp.C file and place the actual SNMP community inside the read and write parentheses. If you leave write empty, it will use "private" as the community string. This is a security risk.

step 2: run sysconfig and start the Check Point snmpd extension

step 3: perform cpstop;cpstart

step 4: netstat -an | grep 260 (confirm the extension is listening on port 260)
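The two mistakes the steps above warn about (leaving "public" in place, leaving a write community empty so a default applies) are easy to check for before restarting anything. Below is an added example (my own script, not from the original post or from Check Point) that scans a net-snmp style config for default or empty communities. It assumes lines of the form "rocommunity <string> [source]" / "rwcommunity <string> [source]", which is the format I am assuming for snmpd.users.conf; it does not parse the $FWDIR/conf/snmp.C format, so check that file by hand.

```shell
#!/bin/sh
# Added example: flag default ("public"/"private") or empty SNMP community
# strings in a net-snmp style config file (assumed format, see lead-in).

# audit_snmp_communities FILE
# Prints one finding per offending line and returns 1 if any were found,
# 0 if every rocommunity/rwcommunity line carries a non-default string.
audit_snmp_communities() {
    file=$1
    rc=0
    while IFS= read -r line; do
        # Skip comments and blank lines.
        case $line in
            \#*|'') continue ;;
        esac
        # Split the line into words: keyword, community, optional source.
        set -- $line
        kw=$1
        comm=$2
        case $kw in
            rocommunity|rwcommunity) ;;
            *) continue ;;
        esac
        case $comm in
            public|private|'')
                echo "$kw uses default or empty community '${comm}'"
                rc=1
                ;;
        esac
    done < "$file"
    return $rc
}

# Usage on SPLAT (uncomment):
# audit_snmp_communities /etc/snmp/snmpd.users.conf && echo "no default communities"
```

Run it after editing and before "service snmpd restart": an empty community on an rwcommunity line is the net-snmp equivalent of the empty write field in snmp.C, and is flagged for the same reason.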

Running fsck on a flash based system

fsck -fyb 32

Examining a Screen OS debug packet

ethernet0/1:10.1.1.1/17152->192.168.1.1/256,1(8/0)
Protocol is 1 (ICMP).
Type 8: Echo
Code 0: No Code
Result: 10.1.1.1 is sending a ping to 192.168.1.1

Here is an example of how understanding the type codes could help in troubleshooting a problem.
ethernet0.1:4:10.1.1.1/514->10.17.3.3/1051,1(3/3)
Protocol is 1 (ICMP).
Type 3: Destination Unreachable
Code 3: Port Unreachable
Result: 10.1.1.1 is telling 10.17.3.3 that a port is unreachable, so the traffic 10.17.3.3 sent was rejected at the far end rather than dropped silently by the firewall.
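Reading the "proto(type/code)" suffix by hand every time gets old. The following is an added example (my own script, not from the original post or from Juniper) that splits a ScreenOS debug packet line into interface, endpoints, protocol and ICMP type/code and prints a one-line reading of it, using the standard ICMP type/code names. The TCP line used in the usage note is constructed for illustration; for ICMP the numbers after "/" are not ports, so they are left out of the description.

```shell
#!/bin/sh
# Added example: decode ScreenOS debug packet lines of the form
#   interface:src/sport->dst/dport,proto(type/code)
# into a readable description.

# icmp_name TYPE CODE
# Standard ICMP type/code names for the cases seen in troubleshooting.
icmp_name() {
    case "$1/$2" in
        0/0)  echo "Echo Reply" ;;
        3/0)  echo "Destination Unreachable: Net Unreachable" ;;
        3/1)  echo "Destination Unreachable: Host Unreachable" ;;
        3/3)  echo "Destination Unreachable: Port Unreachable" ;;
        3/4)  echo "Destination Unreachable: Fragmentation Needed" ;;
        5/*)  echo "Redirect (code $2)" ;;
        8/0)  echo "Echo Request" ;;
        11/0) echo "Time Exceeded: TTL expired in transit" ;;
        11/1) echo "Time Exceeded: Fragment reassembly time exceeded" ;;
        *)    echo "ICMP type $1 code $2" ;;
    esac
}

# proto_name NUMBER
proto_name() {
    case $1 in
        1)  echo ICMP ;;
        6)  echo TCP ;;
        17) echo UDP ;;
        *)  echo "protocol $1" ;;
    esac
}

# describe_pkt LINE
# Print a one-line description of a ScreenOS debug packet line.
describe_pkt() {
    line=$1
    iface=${line%:*}        # everything before the last ':' (keeps "ethernet0.1:4")
    flow=${line##*:}        # src/sport->dst/dport,proto(type/code)
    src=${flow%%->*}
    rest=${flow#*->}
    dst=${rest%%,*}
    proto_part=${rest#*,}           # e.g. "1(8/0)" or "6"
    proto=${proto_part%%[!0-9]*}    # leading digits only
    sip=${src%/*}; sport=${src#*/}
    dip=${dst%/*}; dport=${dst#*/}
    type=""; code=""
    case $proto_part in
        *\(*/*\)*)
            tc=${proto_part#*(}; tc=${tc%%)*}
            type=${tc%%/*}; code=${tc#*/}
            ;;
    esac
    if [ "$proto" = 1 ] && [ -n "$type" ]; then
        # ICMP: the "/port" fields are not ports, so report type/code instead.
        echo "$iface: $sip -> $dip $(proto_name "$proto") $(icmp_name "$type" "$code") (type $type, code $code)"
    else
        echo "$iface: $sip:$sport -> $dip:$dport $(proto_name "$proto")"
    fi
}

# Usage (the TCP line is constructed for illustration):
# describe_pkt 'ethernet0/1:10.1.1.1/17152->192.168.1.1/256,1(8/0)'
# describe_pkt 'ethernet0.1:4:10.1.1.1/514->10.17.3.3/1051,1(3/3)'
# describe_pkt 'ethernet0/0:10.0.0.5/40001->10.0.0.9/22,6'
```

Feed it a saved "debug flow basic" capture with "while read -r l; do describe_pkt "$l"; done < capture.txt" (assumed file name) to turn the raw lines into something a ticket reader can follow.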