Useful firewall commands.docx
Useful firewall commands
Useful Firewall-1 commands
sk39486
fw log -n -ft | grep
the -n switch means no DNS lookups, so the results are shown as IP addresses.
fw tab -t connections -s
counts the number of connections currently being processed
fw tab -t sam_blocked_ips
show IP addresses that have been blocked by SAM
fw printlic -p
displays license information
fw putlic -n
if you want the manager to talk to the module (and vice versa) on an IP other than the one that resolves when you ping the node/hostname, then use the -n switch.
fw ctl pstat
depending on the switch, shows memory, disk space, CPU usage etc.
fw upgrade sp1 (FP1)
fwm upgrade sp2 (FP2)
used in conjunction with a copy of default_objects.C to upgrade older versions' objects.C files to NG FP* (see full notes here)
cpstat mg
show the status of the management daemon
cp_conf sic get
Show the SIC
cp_conf ha enable
Enables HA module
cp_conf sic init <1 time password>
Initialize the SIC
fw ctl iflist
see the interfaces Check Point is bound to
fw ctl pstat
fw stat (-d -l)
...
cphaprob status
check status of ClusterXL
cphastart -d
debug ClusterXL
cpd -d &
kill the cpd process and start again in debug mode, which will scroll up the terminal screen
fwd -d &
kill the fwd process and start in debug mode, which will scroll up the terminal screen (do cpd first)
cpshared_ver
find the build number of the SVN foundations
dtps ver
find the build number of the policy server
fw ver [-k]
find the build number of Firewall-1
vpn accel stat
check the status of the accelerator card (make sure it's enabled in Voyager)
vpn accel on
turn the card on at the console within Check Point
some ClusterXL notes here
sort largest directories on Nokia.
du | sort -n -r | head
Running the Check Point CP and FW processes in DEBUG MODE
NG Debug Commands
To start FWM and FWD in debug:
On the manager/module, run these commands if it is a Windows machine:
fw debug fwm on TDERROR_ALL_ALL=3
fw debug fwd on TDERROR_ALL_ALL=3
To enable debugging of CPD:
cpd_admin debug on TDERROR_ALL_ALL=5
to turn it off:
cpd_admin debug off TDERROR_ALL_ALL=0
run these commands if it is a Unix machine:
fw debug fwm on TDERROR_ALL_ALL 3
fw debug fwd on TDERROR_ALL_ALL 3
To enable debugging of SIC:
cpstop
setenv OPSEC_DEBUG_LEVEL 3
setenv TDERROR_ALL_ALL 3
cpd -d
Management HA debugging, run this at the command line:
fw debug fwm on TDERROR_ALL_MGMTHA=3
to disable debugging
fw debug fwm off TDERROR_ALL_MGMTHA=3
To enable VPN debugging
The "vpn debug on" command activates debugging mode of VPND, the VPN daemon. Debug output will be written to the $FWDIR\log\vpnd.elg file.
The "vpn debug ikeon" command turns on IKE debugging mode. IKE packets will be written to the $FWDIR\log\ike.elg file.
The "vpn debug trunc" command empties the ike.elg file, adds a stamp line "...TRUNCATE issued..." and enables both VPN and IKE debugging.
and kernel debug by:
fw ctl debug 0
fw ctl debug -buf 8192
fw ctl debug -m VPN all
fw ctl kdebug -f > file_name
Management HA Debug
fw debug fwm on TDERROR_ALL_MGMTHA=3
to disable debugging
fw debug fwm off TDERROR_ALL_MGMTHA=0
Provider-1 NG Specific
To get the version of P-1
fwm mds ver
migrating management data into a CMA with greater detail in the output
cma_migrate
syncing the MDS with the CMAs
mdsenv
set_mds_info -b -y
mdsstop
mdsstart
debugging the MDS
mdsenv
fwm debug mds on TDERROR_ALL_ALL=5
Debugging the CMA
mdsenv cmaname
fwm debug fwm on TDERROR_ALL_ALL=3
Screen Debug:
Set environment to CSH
setenv TDERROR_ALL_FP_dbg=3
fw monitor
Built-in packet capture program (view saved files with Ethereal)
Flag  Description
-d    Turn on debug flag
-D    Turn on debug flag?
-e    Specify an INSPECT program line (multiple -e options can be used)
-f    INSPECT filter name. '-' can be used to specify standard input. The -f and -e options are mutually exclusive.
-l    Specify how many bytes of the packet should be transferred from the kernel.
-m    Specify inspection points mask, any one or more of i, I, o, O as explained above. This feature only works on 4.0 SP3 or later.
-o    Specify an output file, which can be viewed with the 'snoop' command on Solaris.
-x    Perform a hex dump of the received data, starting at the specified offset and printing out 'len' bytes.
Examples
fw monitor -m iIoO -e "accept [20:2,b]= or [22:2,b]=;" -o /tmp/output.cap
will display all packets from the specified source or destination port and save them to a file
fw monitor -m iIoO -e "accept [12,b]= or [16,b]=;" -o /tmp/output.cap
will display all packets from the specified source or destination IP and save them to a file
fw monitor -m iIoO -e "accept [9:1]=1;"
shows all ICMP packets entering or leaving a firewall
fw monitor -m iIoO -e "accept dport= or sport=, src= or dst=;"
Check for packets with specific ports and specific IP addresses
fw monitor -e "accept ((src=1.1.1.1, dst=2.2.2.2) or (src=2.2.2.2, dst=1.1.1.1));"
will display all packets exchanged between 1.1.1.1 and 2.2.2.2
fw monitor -e "[9:1]=6, accept;" -l 100 -m iO -x 20
will display all TCP packets entering and leaving FireWall-1. Up to 80 bytes of TCP header and data will be displayed (assuming no IP options are used)
fw monitor -e "accept;" -m iI
will display all packets entering and exiting FireWall-1 in the inbound direction (i.e. before the OS routes the packet).
fw monitor -e "accept src=1.1.1.1;"
will display all packets originating from 1.1.1.1.
fw monitor -e "accept src=1.1.1.1, dport=80;"
will display all packets originating from 1.1.1.1 going to port 80
fw monitor -e "accept (ip_p != 89);"
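The fw monitor expressions above are byte-offset tests against the raw packet: [9:1] is the IP protocol byte (1 = ICMP, 6 = TCP), [12,b] and [16,b] are the 4-byte source and destination addresses, and [20:2,b] / [22:2,b] are the TCP or UDP ports, which is only right when the IP header carries no options (the "assuming no IP options" caveat on the -l 100 -x 20 example). The Python below is an added example, not code from the original notes or from Check Point: it evaluates a small subset of that filter syntax (offset fields, the src/dst/sport/dport/ip_p keywords, = and !=, "," and "and", "or", parentheses, and the accept keyword) against a constructed IPv4 packet so the examples can be checked offline. ALIASES, Filter, build_packet, FILTERS and classify are this example's own names; the grammar is a simplification (only network byte order, ",b", is modelled for multi-byte fields, anything else raises rather than guessing), and the port value 80 in the first filter stands in for the port the page's own example leaves blank.

```python
"""Byte-offset packet tests of the kind the fw monitor -e examples above use.
Added illustration, not code from the original notes or from Check Point: it models
a small subset of INSPECT filter syntax over a constructed IPv4 packet. Offsets used:
[9:1] IP protocol, [12,b] src, [16,b] dst, [20:2,b] sport, [22:2,b] dport (IHL = 5 assumed)."""
import re
import socket
import struct

# Keyword aliases used in the page's examples, mapped to (offset, length); valid only without IP options.
ALIASES = {"ip_p": (9, 1), "src": (12, 4), "dst": (16, 4), "sport": (20, 2), "dport": (22, 2)}
TOKEN = re.compile(r"\s*(\[[^\]]*\]|!=|=|\(|\)|,|;|[A-Za-z_]\w*|\d+(?:\.\d+){3}|\d+)")
DOTTED = re.compile(r"\d+(?:\.\d+){3}")
FIELD = re.compile(r"\[\s*(\d+)\s*(?::\s*(\d+))?\s*(?:,\s*([bh]))?\s*\]")


def read_field(pkt: bytes, offset: int, length: int) -> int:
    """[offset:length,b]: `length` bytes at `offset`, read as a big-endian integer."""
    if offset + length > len(pkt):
        raise ValueError(f"packet too short for [{offset}:{length}]")
    return int.from_bytes(pkt[offset:offset + length], "big")


class Filter:
    # Recursive descent: 'or' binds loosest, ',' and 'and' tighter, parentheses group,
    # and 'accept' is the action keyword (true when it appears as a term).
    def __init__(self, expr: str):
        expr = expr.strip()
        if not re.fullmatch(f"(?:{TOKEN.pattern})*", expr):
            raise ValueError(f"bad token in {expr!r}")
        self.tokens = TOKEN.findall(expr)
    def matches(self, pkt: bytes) -> bool:
        self.pkt, self.pos = pkt, 0
        if self._peek() == "accept":
            self._take()
        result = True if self._peek() in (None, ";") else self._or()
        if self._peek() == ";":
            self._take()
        if self._peek() is not None:
            raise ValueError(f"trailing tokens from {self.tokens[self.pos]!r}")
        return result
    def _peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None
    def _take(self, expected=None):
        tok = self._peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected!r}, got {tok!r}")
        self.pos += 1
        return tok
    def _or(self) -> bool:
        result = self._and()
        while self._peek() == "or":
            self._take()
            result = self._and() or result  # evaluate both sides so syntax errors surface
        return result
    def _and(self) -> bool:
        result = self._atom()
        while self._peek() in ("and", ","):
            self._take()
            result = self._atom() and result
        return result
    def _atom(self) -> bool:
        if self._peek() == "(":
            self._take("(")
            result = self._or()
            self._take(")")
            return result
        if self._peek() == "accept":
            self._take()
            return True
        lhs, op = self._value(), self._take()
        if op not in ("=", "!="):
            raise ValueError(f"unsupported operator {op!r}")
        return (lhs == self._value()) if op == "=" else (lhs != self._value())
    def _value(self) -> int:
        tok = self._take()
        if tok.startswith("["):
            m = FIELD.fullmatch(tok)
            length = int(m.group(2) or 4) if m else 0
            if not m or (length > 1 and m.group(3) != "b"):  # assumption: only ',b' (network order) multi-byte reads are modelled
                raise ValueError(f"unsupported field {tok!r}")
            return read_field(self.pkt, int(m.group(1)), length)
        if tok in ALIASES:
            return read_field(self.pkt, *ALIASES[tok])
        if DOTTED.fullmatch(tok):
            return int.from_bytes(socket.inet_aton(tok), "big")
        if tok.isdigit():
            return int(tok)
        raise ValueError(f"cannot evaluate {tok!r}")


def build_packet(proto: int, src: str, dst: str, sport: int = 0, dport: int = 0) -> bytes:
    """Constructed sample: 20-byte IPv4 header without options plus the two 16-bit port
    fields of a TCP/UDP header (left 0 for ICMP, where the same bytes are type/code)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return ip + struct.pack("!HH", sport, dport)


# The page's filters; the port elided in the page's first example is set to 80 here.
FILTERS = {"icmp": "accept [9:1]=1;", "tcp": "[9:1]=6, accept;", "everything": "accept;",
           "pair": "accept ((src=1.1.1.1, dst=2.2.2.2) or (src=2.2.2.2, dst=1.1.1.1));",
           "to_80": "accept src=1.1.1.1, dport=80;", "not_ospf": "accept (ip_p != 89);",
           "port_80": "accept [20:2,b]=80 or [22:2,b]=80;"}


def classify(pkt: bytes) -> dict:
    """Report which of the page's filters would match the packet."""
    return {name: Filter(expr).matches(pkt) for name, expr in FILTERS.items()}
```

`Filter("accept src=1.1.1.1, dport=80;").matches(build_packet(6, "1.1.1.1", "2.2.2.2", 40000, 80))` returns True, the same filter against an ICMP packet from 2.2.2.2 returns False, and a multi-byte field written without ",b" raises ValueError instead of silently reading the wrong byte order. The comma acting as "and" is why "[9:1]=6, accept;" selects only TCP, and why the "-m iO -x 20" example can promise at most 80 bytes of TCP header and data out of the 100 bytes pulled from the kernel: the dump starts 20 bytes in, which is only the TCP header when the IP header has no options.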
SecuRemote Monitor:
srfw monitor -o srfwmonitor.out
How to FTP to a remote FTP server using FW-1 User Authentication:
FTP to the remote host's IP; FireWall-1 then gets in the way and asks for authentication. Bit tricky when you don't know how, but here's the syntax to get you in.
remote_user@firewall_user@remote_host
remote_password@firewall_password
should log you in
How to enable IP Forwarding on IPSO and Solaris
By default on a Unix system, when a machine is brought up with more than one IP interface, it will route between the interfaces. When Firewall-1 is installed under Unix, "IP Forwarding" may be disabled. For testing purposes, we need to turn it on manually. To turn on IP forwarding on Solaris, type:
ndd -set /dev/ip ip_forwarding 1
To turn it back off (after you get it working), type:
ndd -set /dev/ip ip_forwarding 0
On Windows NT, you need to enable IP Routing/Forwarding by going into the TCP/IP configuration screens and clicking the appropriate checkbox. In order for FireWall-1 to continue to work, you need to leave this on.
On IPSO, type:
ipsofwd on admin
To disable Firewall-1 control of IP Forwarding and the default filter on Linux, Solaris and NT, run the commands below. You can confirm these settings by looking at $FWDIR/boot/boot.conf:
$FWDIR/boot/fwboot bootconf set_ipf 0
$FWDIR/boot/fwboot bootconf set_def 0
Windows NT stores this information in the registry:
HKLM\System\CurrentControlSet\Services\FW1\Parameters
IPForwarding = (DWORD) 0xffffffff (when set_ipf 0)
IPForwarding = (DWORD) 0x1 (when set_ipf 1)
DefaultFilter = (when set_def 0)
DefaultFilter = "" (when set_def)
%SYSTEMROOT%\system32\default.bin is the default for . You can generate this filter with `fw defaultgen`, which will turn %FWDIR%\conf\defaultfilter.pf into %FWDIR%\state\default.bin, which you can then copy over.
1. cpstart
Description: This command is used to start all Check Point processes and applications running on a machine.
2. cpstat
Description: cpstat displays the status of Check Point applications, either on the local machine or on another machine, in various formats.
3. cpstop
Description: This command is used to terminate all Check Point processes and applications running on a machine.
4. dbedit
Description: This command is used by administrators to edit the objects file on the SmartCenter Server.
1. cpconfig
Description: This command is used to run a command line version of the Check Point Configuration Tool.
2. cphaconf
Description: The cphaconf command configures ClusterXL.
3. cphastart
Description: Running cphastart on a cluster member activates ClusterXL on the member.
4. cphastop
Description: Running cphastop on a cluster member stops the cluster member from passing traffic.
1. cplic put
Description: The cplic put command is used to install one or more Check Point licenses on a local machine.
2. cplic print
Description: The cplic print command (located in $CPDIR/bin) prints details of Check Point licenses on the local machine.
3. cplic upgrade
Description: Use the cplic upgrade command to upgrade licenses in the license repository using licenses in a license file obtained from the User Center.
4. cplic del
Description: Use this command to delete a single Check Point license on a host, including unwanted evaluation, expired, and other licenses. This command is used for both local and remote machines.
5. cplic db_add
Description: The cplic db_add command is used to add one or more licenses to the license repository on the SmartCenter Server.
6. cplic db_print
Description: The cplic db_print command displays the details of Check Point licenses stored in the license repository on the SmartCenter Server.
7. cplic db_rm
Description: The cplic db_rm command removes a license from the license repository on the SmartCenter Server.
1. cppkg add