Useful Firewall-1 commands

sk39486

fw log -n -ft | grep
    The -n switch means no DNS lookups, so the results are shown as IP addresses.
fw tab -t connections -s
    Counts the number of connections currently being processed.
fw tab -t sam_blocked_ips
    Shows IP addresses that have been blocked by SAM.
fw printlic -p
    Displays license information.
fw putlic -n
    If you want the manager to talk to the module (and vice versa) on an IP other than the one that resolves when you ping the node/hostname, use the -n switch.
fw ctl pstat
    Depending on the switch, shows memory, disk space, CPU usage etc.
fw upgrade sp1 (FP1)
fwm upgrade sp2 (FP2)
    Used in conjunction with a copy of default_objects.C to upgrade / older versions objects.C files to NG FP*.
cpstat mg
    Shows the status of the management daemon.
cp_conf sic get
    Shows the SIC.
cp_conf ha enable
    Enables the HA module.
cp_conf sic init
    Initializes the SIC.
fw ctl iflist
    Shows the interfaces Check Point is bound to.
fw ctl pstat
fw stat (-d -l)
cphaprob status
    Checks the status of ClusterXL.
cphastart -d
    Debugs ClusterXL.
cpd -d &
    Kill the cpd process and start it again in debug mode, which will scroll up the terminal screen.
fwd -d &
    Kill the fwd process and start it in debug mode, which will scroll up the terminal screen (do cpd first).
cpshared_ver
    Finds the build number of the SVN foundations.
dtps ver
    Finds the build number of the policy server.
fw ver -k
    Finds the build number of Firewall-1.
vpn accel stat
    Checks the status of the accelerator card (make sure it is enabled in Voyager).
vpn accel on
    Turns the card on at the console within Check Point.

Sort largest directories on Nokia:
du | sort -n -r | head

Running the Checkpoint CP and FW processes in DEBUG MODE

NG Debug Commands

To start FWM and FWD in debug:
On the manager / module, run these commands if it is a Windows machine:
fw debug fwm on TDERROR_ALL_ALL=3
fw debug fwd on TDERROR_ALL_ALL=3

To enable debugging of CPD:
cpd_admin debug on TDERROR_ALL_ALL=5
To turn it off:
cpd_admin debug off TDERROR_ALL_ALL=0

Run these commands if it is a Unix machine:
fw debug fwm on TDERROR_ALL_ALL 3
fw debug fwd on TDERROR_ALL_ALL 3

To enable debugging of SIC:
cpstop
setenv OPSEC_DEBUG_LEVEL 3
setenv TDERROR_ALL_ALL 3
cpd -d

Management HA debugging, run this at the command line:
fw debug fwm on TDERROR_ALL_MGMTHA=3
To disable debugging:
fw debug fwm off TDERROR_ALL_MGMTHA=3

To enable VPN debugging
The vpn debug on command activates debugging mode of VPND, the VPN daemon. Debug output will be written to the $FWDIR/log/vpnd.elg file.
The vpn debug ikeon command turns on IKE debugging mode. IKE packets will be written to the $FWDIR/log/ike.elg file.
The vpn debug trunc command empties the ike.elg file, adds a stamp line "TRUNCATE issued" and enables both VPN and IKE debugging.
And kernel debug by:
fw ctl debug 0
fw ctl debug -buf 8192
fw ctl debug -m VPN all
fw ctl kdebug -f > file_name

Management HA Debug
fw debug fwm on TDERROR_ALL_MGMTHA=3
To disable debugging:
fw debug fwm off TDERROR_ALL_MGMTHA=0

Provider-1 NG Specific

To get the version of P-1:
fwm mds ver
Migrating management data into a CMA with greater detail in the output:
cma_migrate
Syncing the MDS with the CMAs:
mdsenv
set_mds_info -b -y
mdsstop
mdsstart
Debugging the MDS:
mdsenv
fwm debug mds on TDERROR_ALL_ALL=5
Debugging the CMA:
mdsenv cmaname
fwm debug fwm on TDERROR_ALL_ALL=3
Screen Debug:
Set environment to CSH
setenv TDERROR_ALL_FP_dbg=3

fw monitor

Built-in packet capture program (view saved files with ethereal).

Flag    Description
-d      Turn on debug flag
-D      Turn on debug flag?
-e      Specify an INSPECT program line (multiple -e options can be used)
-f      INSPECT filter name. "-" can be used to specify standard input. The -f and -e options are mutually exclusive
-l      Specify how many bytes of the packet should be transferred from the kernel.
-m      Specify inspection points mask, any one or more of i, I, o, O as explained above. This feature only works on 4.0 SP3 or later.
-o      Specify an output file, which can be viewed with the snoop command on Solaris.
-x      Perform a hex dump of the received data, starting at specified offset and printing out len bytes.

Examples

fw monitor -m iIoO -e 'accept [20:2,b]= or [22:2,b]=;' -o /tmp/output.cap
    Will display all packets from the specified source or destination port and save them to a file.
fw monitor -m iIoO -e 'accept [12,b]= or [16,b]=;' -o /tmp/output.cap
    Will display all packets from the specified source or destination IP and save them to a file.
fw monitor -m iIoO -e 'accept [9:1]=1;'
    Shows all ICMP packets entering or leaving a firewall.
fw monitor -m iIoO -e 'accept dport= or sport=,src= or dst=;'
    Check for packets with specific ports and specific IP addresses.
fw monitor -e 'accept (src=1.1.1.1,dst=2.2.2.2) or (src=2.2.2.2,dst=1.1.1.1);'
    Will display all packets exchanged between 1.1.1.1 and 2.2.2.2.
fw monitor -e '[9:1]=6, accept;' -l 100 -m iO -x 20
    Will display all TCP packets entering and leaving FireWall-1. Up to 80 bytes of TCP header and data will be displayed (assuming no IP Options are used).
fw monitor -e 'accept;' -m iI
    Will display all packets entering and exiting FireWall-1 in the inbound direction (i.e. before the OS routes the packet).
fw monitor -e 'accept src=1.1.1.1;'
    Will display all packets originating from 1.1.1.1.
fw monitor -e 'accept src=1.1.1.1,dport=80;'
    Will display all packets originating from 1.1.1.1 going to port 80.
fw monitor -e 'accept (ip_p != 89);'

SecuRemote Monitor:
srfw monitor -o srfwmonitor.out

How to FTP to a remote FTP server using FW-1 User Authentication:

FTP to the remote host's IP; Firewall-1 then gets in the way and asks for authentication. Bit tricky when you don't know how, but here's the syntax to get you in.
remote_user@firewall_user@remote_host
remote_password@firewall_password
should log you in.

How to enable IP Forwarding on IPSO and Solaris

By default on a Unix system, when a machine is brought up with more than one IP interface, it will route between the interfaces. When Firewall-1 is installed under Unix, IP Forwarding may be disabled. For testing purposes, we need to turn it on manually.

To turn on IP forwarding, on Solaris, type:
ndd -set /dev/ip ip_forwarding 1
To turn it back off (after you get it working), type:
ndd -set /dev/ip ip_forwarding 0

On Windows NT, you need to enable IP Routing/Forwarding by going into the TCP/IP configuration screens and clicking the appropriate checkbox. In order for FireWall-1 to continue to work, you need to leave this on.

On IPSO, type:
ipsofwd on admin

To disable Firewall-1 control of IP Forwarding and the default filter on Linux, Solaris and NT, run the commands below. You can confirm these settings by looking at $FWDIR/boot/boot.conf:
$FWDIR/boot/fwboot bootconf set_ipf 0
$FWDIR/boot/fwboot bootconf set_def 0

Windows NT stores this information in the registry:
HKLM\System\CurrentControlSet\Services\FW1\Parameters
IPForwarding = (DWORD)0xffffffff (when set_ipf 0)
IPForwarding = (DWORD)0x1 (when set_ipf 1)
DefaultFilter = (when set_def 0)
DefaultFilter = (when set_def )
%SYSTEMROOT%\system32\default.bin is the default for . You can generate this filter with fw defaultgen, which will turn %FWDIR%\conf\defaultfilter.pf into %FWDIR%\state\default.bin, which you can then copy over.

1. cpstart
   Description: This command is used to start all Check Point processes and applications running on a machine.
2. cpstat
   Description: cpstat displays the status of Check Point applications, either on the local machine or on another machine, in various formats.
3. cpstop
   Description: This command is used to terminate all Check Point processes and applications running on a machine.
4. dbedit
   Description: This command is used by administrators to edit the objects file on the SmartCenter Server.

1. cpconfig
   Description: This command is used to run a Command Line version of the Check Point Configuration Tool.
2. cphaconf
   Description: The cphaconf command configures ClusterXL.
3. cphastart
   Description: Running cphastart on a cluster member activates ClusterXL on the member.
4. cphastop
   Description: Running cphastop on a cluster member stops the cluster member from passing traffic.

1. cplic put
   Description: The cplic put command is used to install one or more Check Point licenses on a local machine.
2. cplic print
   Description: The cplic print command (located in $CPDIR/bin) prints details of Check Point licenses on the local machine.
3. cplic upgrade
   Description: Use the cplic upgrade command to upgrade licenses in the license repository using licenses in a license file obtained from the User Center.
4. cplic del
   Description: Use this command to delete a single Check Point license on a host, including unwanted evaluation, expired, and other licenses. This command is used for both local and remote machines.
5. cplic db_add
   Description: The cplic db_add command is used to add one or more licenses to the license repository on the SmartCenter Server.
6. cplic db_print
   Description: The cplic db_print command displays the details of Check Point licenses stored in the license repository on the SmartCenter Server.
7. cplic db_rm
   Description: The cplic db_rm command removes a license from the license repository on the SmartCenter Server.

1. cppkg add
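
The fw monitor examples earlier on this page select packets by fixed byte offsets from the start of the IP header (9:1 for the protocol, 12 and 16 for the addresses, 20:2 and 22:2 for the ports), and one of them notes the assumption that no IP Options are used. The Python sketch below is an added example, not part of the original page or of any Check Point tool: it evaluates such accessors against a constructed packet and shows the port offsets reading option bytes once IP options are present, so a capture filter written that way misses the traffic. It assumes the bracketed INSPECT form [offset:length,order] with a default length of 4 bytes and little-endian order unless b is given; the function names are hypothetical.

```python
import re
import struct

# INSPECT byte accessor [offset:length,order]: length defaults to 4 bytes,
# order "b" is big endian (network order), otherwise little endian (assumed).
ACCESSOR = re.compile(r"\[(\d+)(?::(\d+))?(?:,([bl]))?\]")

def inspect_read(packet: bytes, accessor: str) -> int:
    """Value an accessor yields, offsets counted from the IP header start."""
    m = ACCESSOR.fullmatch(accessor.replace(" ", ""))
    if not m:
        raise ValueError(f"not an accessor: {accessor!r}")
    offset, length = int(m.group(1)), int(m.group(2) or 4)
    chunk = packet[offset:offset + length]
    if len(chunk) != length:
        raise ValueError("accessor reads past the end of the packet")
    return int.from_bytes(chunk, "big" if m.group(3) == "b" else "little")

def build_packet(options: bytes = b"") -> bytes:
    """Constructed IPv4+TCP SYN, 1.1.1.1:40000 -> 2.2.2.2:80, checksums zeroed."""
    if len(options) % 4:
        raise ValueError("IP options must be padded to a multiple of 4 bytes")
    ihl = 5 + len(options) // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(tcp),
                     0, 0, 64, 6, 0, bytes([1, 1, 1, 1]), bytes([2, 2, 2, 2]))
    return ip + options + tcp

def tcp_ports(packet: bytes) -> tuple:
    """Ports located through the IHL field instead of fixed offsets 20 and 22."""
    start = (packet[0] & 0x0F) * 4
    return (int.from_bytes(packet[start:start + 2], "big"),
            int.from_bytes(packet[start + 2:start + 4], "big"))

if __name__ == "__main__":
    plain = build_packet()
    padded = build_packet(b"\x01\x01\x01\x00")  # three NOPs + end-of-list
    for name, pkt in (("no options", plain), ("with options", padded)):
        print(name, "proto", inspect_read(pkt, "[9:1]"),
              "[20:2,b]", inspect_read(pkt, "[20:2,b]"),
              "[22:2,b]", inspect_read(pkt, "[22:2,b]"),
              "real ports", tcp_ports(pkt))
```

When a capture taken with a port-offset filter is used as evidence that traffic did not cross the firewall, repeat it with a filter on the addresses or the protocol byte, which sit in the fixed part of the IP header.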