Checkpoint Cheat Sheet
Meine persönliche Check Point Krabbelkiste.
Bitte aufpassen: Kommandos und Prozeduren sind teilweise veraltet oder müssen leicht modifiziert werden.
checkpoint KB URL, short:
-------------------------
http://supportcontent.checkpoint.com/solutions?id=sk88520
---
Jumbo HF Identifier
-------------------
Identifier for take 198:
"Check_Point_R77_30_JUMBO_HF_1_Bundle_T198_FULL.tgz"
---
Check ipassignment.conf syntax:
-------------------------------
vpn ipafile_check ipassignnent.conf Detail
---
Gaia First Time Wizard Cli:
---------------------------
config_system -t
vi
config_system -f
details see sk69701
---
export routes (SPLAT -> Gaia):
ip route show | grep via | awk '{ print "set static-route " $1 " nexthop gateway address " $3 " on" }'
---
Gaia: set/show interface ring buffer
------------------------------------
set interface rx-ringsize
set interface tx-ringsize
show interface rx-ringsize
---
informationen on interface bonds
--------------------------------
cphaprob show_bond
more details: cat /proc/net/bonding/
---
interface migration SPLAT -> GAIA:
----------------------------------
ip addr show | grep inet | grep eth | awk '{ print $7 " " $2}' | sed 's/\// mask-length /' | sed 's/10\./ipv4-address 10\./' | sed 's/^/set interface /' | sort -n
ip addr show | grep inet | grep eth | awk '{ print $7 }' | sed 's/^/set interface /' | sed 's/$/ state on/' | sort -n
ip addr show | grep inet | grep eth2. | awk '{ print $7 }' | sed 's/^/add interface /' | sed 's/\./ vlan /' | sort -n
---
SPLAT: configure SNMP:
----------------------
edit communities in /etc/snmp/snmpd.users.conf
add trap receiver in /etc/snmp/snmpd.conf
cp_conf snmp activate (attention: cpstop/cpstart)
service snmpd start
chkconfig snmpd on
snmpwalk -v 2c -c public 127.0.0.1 sysDescr.0
snmpwalk -v 2c -c public 127.0.0.1 enterprises.2620.1.7.1.0
---
checkpoint gaia - increase disk space:
--------------------------------------
VMware:
- increase disk size in vshpere client
- login & expert mode
- fdisk /dev/sda
- delete and recreate partition /dev/sda3
- set partition type to 0x8e ("t")
- exit fdisk and reboot
- login & expert mode
- pvresize /dev/sda3
- lvresize -L +[x]G /dev/vg_splat/lv_current
- resize2fs -p /dev/mapper/vg_splat-lv_current
- log file system is lv_log, procedure identical
physical machine:
- check unused disk space using pvdisplay/vgdisplay
- increase disk space:
lvresize -L +[x]G /dev/vg_splat/lv_current
resize2fs -p /dev/mapper/vg_splat-lv_current
- if no unused disk space available, additional disks
may be added using lvm tools
- decrease is not that easy but works sometimes
- lvm best documented at
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Logical_Volume_Manager_Administration/VG_admin.html
---
is this a 64 bit linux?
-----------------------
getconf LONG_BIT
---
how to find a suitable bind DN?
-------------------------------
- login to domain controller
- command prompt
- issue "dsquery user" or "dsquery user "
- example: dsquery user *ad* lists all "administrator" users
---
Clear Connection Table
----------------------
CONNECTIONS:
fw tab -t connections -s (for summary)
fw tab -t connections -x (to clear)
NAT:
fw tab -t fwx_alloc -s (for summary)
fw tab -t fwx_alloc -x (to clear)
---
switch cluster:
---------------
cphaprob -d faildev -s problem -t 0 register
cphaprob -d faildev unregister
or:
clusterXL_admin down && clusterXL_admin up
---
show cpu/nic relations:
-----------------------
fw ctl affinity -l -v -r -a
---
check switchport without ping:
------------------------------
at firewall:
arping -q -c 1 -w 1 -U -I
at switch:
sh mac address-table int
---
Synchronisation manuell anstossen:
----------------------------------
fw ctl setsync off
fw fullsync xxx.xxx.xxx.xxx (Adresse des anderen Members)
---
pubkey auth at checkpoint firewalls:
------------------------------------
vi /etc/ssh/sshd_config
change/insert:
LogLevel VERBOSE
ClientAliveInterval 300
UseDNS no
service sshd reload
cd ~
mkdir .ssh
chmod 700 .ssh
cd .ssh
vi authorized_keys
insert public key
save & exit
chmod 600 authorized_keys
---
changes to fwkern.conf (R75.xx):
--------------------------------
vi $FWDIR/boot/modules/fwkern.conf
fw_log_bufsize=327680
fw_sync_recv_queue_size=0x400
fw_sync_sending_queue_size=0x800
fw_reject_non_syn=1
fwlddist_buf_size=0x10000
---
check SNMP configuration:
-------------------------
cluster state:
snmpwalk -v2c -c public 127.0.0.1
installed ruleset:
snmpwalk -v2c -c public 127.0.0.1 1.3.6.1.4.1.2620.1.1.2.0
---
LDAP search at firewall:
----------------------------
ldapsearch -b DC=x,DC=y,DC=z -s sub -D CN="user cn" -w 'password' -h domain-controller CN="search string"
---
identify NIC hardware/interrupt:
--------------------------------
input: ethtool -i eth2
output: [...] bus-info: 0000:05:00.0
input: lspci -vvv -s 0000:05:00.0
output: hardware info incl. IRQ
---
radius auth in Gaia:
--------------------
freeradius:
- copy dictionary to /etc/freeradius
- /etc/freeradius/users:
cpadmin Cleartext-Password := "abc123"
CP-Gaia-User-Role = "adminRole", # CASE MATTERS!
CP-Gaia-SuperUser-Access = "0"
- secret in clients.conf
- sk72940
---
configure LOM interfaces at CLI:
--------------------------------
1. check at wich channel the IPMI interface is configured (shell script)
---
#!/bin/bash
c=1
while [ $c -le 10 ]
do
channels=`ipmitool lan print $c`
echo "Channel $c $channels"
(( c++ ))
done
---
2. show configuration
ipmitool lan print 8
3. change configuration
ipmitool lan set 8 ipsrc static
ipmitool lan set 8 ipaddr [IP address]
ipmitool lan set 8 netmask [net mask]
ipmitool lan set 8 defgw ipaddr [default gateway]
see sk93375
show LOM version: ipmitool bmc info
LOM reset: ipmitool mc reset warm
Passwort Reset:
ipmitool user list 8
ipmitool user set password 2 [passwort]