Useful Firewall Commands
1 time password>
Initialize the SIC
fw ctl iflist
see the interfaces Check Point is bound to
fw stat (-d -l)
...
cphaprob status
check status of ClusterXL
cphastart -d
debug ClusterXL
cpd -d &
kill the cpd process and start again in debug mode, which will scroll up the terminal screen
fwd -d &
kill the fwd process and start in debug mode, which will scroll up the terminal screen (do cpd first)
cpshared_ver
find the build number of the SVN foundations
dtps ver
find the build number of the policy server
fw ver [-k]
find the build number of Firewall-1
vpn accel stat
check the status of the accelerator card (make sure it's enabled in Voyager)
vpn accel on
turn the card on at the console within Check Point
some ClusterXL notes here
sort largest directories on Nokia.
du | sort -n -r | head
Running the Checkpoint CP and FW processes in DEBUG MODE
NG Debug Commands
To start FWM and FWD in debug:
On the manager/module, run these commands if it is a Windows machine:
fw debug fwm on TDERROR_ALL_ALL=3
fw debug fwd on TDERROR_ALL_ALL=3
To enable debugging of CPD:
cpd_admin debug on TDERROR_ALL_ALL=5
to turn it off:
cpd_admin debug off TDERROR_ALL_ALL=0
run these commands if it is a Unix machine:
fw debug fwm on TDERROR_ALL_ALL 3
fw debug fwd on TDERROR_ALL_ALL 3
To enable debugging of SIC:
cpstop
setenv OPSEC_DEBUG_LEVEL 3
setenv TDERROR_ALL_ALL 3
cpd -d
Management HA debugging, run this at the command line:
fw debug fwm on TDERROR_ALL_MGMTHA=3
to disable debugging
fw debug fwm off TDERROR_ALL_MGMTHA=3
To enable VPN debugging
The "vpn debug on" command activates debugging mode of VPND, the vpn daemon. Debug output will be written to the $FWDIR\log\vpnd.elg file.
The "vpn debug ikeon" command turns on IKE debugging mode. IKE packets will be written to the $FWDIR\log\ike.elg file.
The "vpn debug trunc" command empties the ike.elg file, adds a stamp line "...TRUNCATE issued..." and enables both VPN and IKE debugging.
and kernel debug by:
fw ctl debug 0
fw ctl debug -buf 8192
fw ctl debug -m VPN all
fw ctl kdebug -f > file_name
Management HA Debug
fw debug fwm off TDERROR_ALL_MGMTHA=0
Provider-1 NG Specific
To get the version of P-1
fwm mds ver
migrating management data into a CMA with greater detail in the output
cma_migrate
syncing the MDS with the CMA's
mdsenv
set_mds_info -b -y
mdsstop
mdsstart
debugging the MDS
mdsenv
fwm debug mds on TDERROR_ALL_ALL=5
Debugging the CMA
mdsenv cmaname
fwm debug fwm on TDERROR_ALL_ALL=3
Screen Debug:
Set environment to CSH
setenv TDERROR_ALL_FP_dbg=3
fw monitor
Built-in packet capture program (view saved files with ethereal)
Flag  Description
-d  Turn on debug flag
-D  Turn on debug flag??
-e  Specify an INSPECT program line (multiple -e options can be used)
-f  INSPECT filter name. '-' can be used to specify standard input. The -f and -e options are mutually exclusive
-l  Specify how many bytes of the packet should be transferred from the kernel.
-m  Specify inspection points mask, any one or more of i, I, o, O as explained above. This feature only works on 4.0 SP3 or later.
-o  Specify an output file, which can be viewed with the 'snoop' command on Solaris.
-x  Perform a hex dump of the received data, starting at specified offset and printing out 'len' bytes.
Examples
fw monitor -m iIoO -e "accept [20:2,b]=<srcport> or [22:2,b]=<dstport>;" -o /tmp/output.cap
will display all packets from specified source or destination port and saved to a file <snoop format, can be read by ethereal>
accept [12,b]=<clientip> or [16,b]=<
will display all packets from specified source or destination IP and saved to a file <
fw monitor -m iIoO -e "accept [9:1]=1;"
shows all ICMP packets entering or leaving a firewall
accept dport=<destination port> or sport=<source port>
src=<ip address> or dst=<
Check for packets with specific ports and specific IP addresses
fw monitor -e "accept ((src=1.1.1.1, dst=2.2.2.2) or (src=2.2.2.2, dst=1.1.1.1));"
will display all packets exchanged between 1.1.1.1 and 2.2.2.2
fw monitor -e "[9:1]=6, accept;" -l 100 -m iO -x 20
will display all TCP packets entering and leaving FireWall-1. Up to 80 bytes of TCP header and data will be displayed (assuming no IP Options are used)
fw monitor -e "accept;" -m iI
will display all packets entering and exiting FireWall-1 in the inbound direction (i.e. before the OS routes the packet).
fw monitor -e "accept src=1.1.1.1;"
will display all packets originating from 1.1.1.1.
fw monitor -e "accept src=1.1.1.1, dport=80;"
will display all packets originating from 1.1.1.1 going to port 80
fw monitor -e "accept (ip_p!=89);"
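An added example, not part of the original page: it evaluates the offset expressions used in the filters above against two constructed packets, assuming that [offset:length,b] means length bytes (4 when omitted) read big-endian from the start of the IP header. All function names are hypothetical. It shows that the "assuming no IP Options" caveat also applies to the port filters: with options present, [20:2,b] and [22:2,b] read option bytes, not ports.

```python
import socket
import struct

def field(pkt, offset, length=4):
    """INSPECT-style [offset:length,b]: big-endian value read from the IP header start."""
    if offset + length > len(pkt):
        raise ValueError("offset lies beyond the captured bytes")
    return int.from_bytes(pkt[offset:offset + length], "big")

def ip_to_int(addr):
    return struct.unpack("!I", socket.inet_aton(addr))[0]

def build_packet(src, dst, proto, sport, dport, options=b""):
    """Constructed IPv4 header (checksum left at 0) plus the two port fields."""
    if len(options) % 4:
        raise ValueError("IP options must be padded to a multiple of 4 bytes")
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + 4, 0, 0,
                         64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + options + struct.pack("!HH", sport, dport)

def fixed_offset_ports(pkt):
    """What [20:2,b] and [22:2,b] return, whatever the header length is."""
    return field(pkt, 20, 2), field(pkt, 22, 2)

def real_ports(pkt):
    """Ports located through the IHL nibble, i.e. where layer 4 really starts."""
    l4 = (pkt[0] & 0x0F) * 4
    return field(pkt, l4, 2), field(pkt, l4 + 2, 2)

def port_filter_matches(pkt, port):
    """accept [20:2,b]=<port> or [22:2,b]=<port>; applied to one packet."""
    return port in fixed_offset_ports(pkt)

# Constructed samples: the same TCP flow without and with 4 bytes of IP options.
PLAIN = build_packet("1.1.1.1", "2.2.2.2", 6, 40000, 80)
WITH_OPTS = build_packet("1.1.1.1", "2.2.2.2", 6, 40000, 80, b"\x01\x01\x01\x00")

if __name__ == "__main__":
    for name, pkt in (("plain", PLAIN), ("with options", WITH_OPTS)):
        print(name, "proto [9:1] =", field(pkt, 9, 1),
              "src [12,b] =", hex(field(pkt, 12)),
              "fixed-offset ports =", fixed_offset_ports(pkt),
              "real ports =", real_ports(pkt),
              "port-80 filter matches:", port_filter_matches(pkt, 80))
```

For such traffic, filtering on the protocol byte [9:1] and on the addresses still works, because those fields sit in the fixed part of the IP header.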
SecuRemote Monitor:
srfw monitor -o srfwmonitor.out
How to FTP to a remote FTP server using FW-1 User Authentication:
FTP to remote host's IP, Firewall-1 then gets in the way and asks for authentication. Bit tricky when you don't know how, but here's the syntax to get you in.
remote_user@firewall_user@remote_host
remote_password@firewall_password
should log you in
How to enable IP Forwarding on IPSO and Solaris
By default on a Unix system, when a machine is brought up with more than one IP interface, it will route between the interfaces. When Firewall-1 is installed under Unix, "IP Forwarding" may be disabled. For testing purposes, we need to turn it on manually. To turn on IP forwarding, on Solaris, type:
ndd -set /dev/ip ip_forwarding 1
To turn it back off (after you get it working), type:
ndd -set /dev/ip ip_forwarding 0
On Windows NT, you need to enable IP Routing/Forwarding by going into the TCP/IP configuration screens and clicking the appropriate checkbox. In order for FireWall-1 to continue to work, you need to leave this on.
On IPSO, type:
ipsofwd on admin
To disable Firewall-1 control of IP Forwarding and the default filter on Linux, Solaris and NT, run the commands below. You can confirm these settings by looking at $FWDIR/boot/boot.conf:
$FWDIR/boot/fwboot bootconf set_ipf 0
$FWDIR/boot/fwboot bootconf set_def 0
Windows NT stores this information in the registry:
HKLM\System\CurrentControlSet\Services\FW1\Parameters
IPForwarding=(DWORD)0xffffffff (when set_ipf 0)
IPForwarding=(DWORD)0x1 (when set_ipf 1)
DefaultFilter=<deleted> (when set_def 0)
DefaultFilter="<path>" (when set_def <path>)
%SYSTEMROOT%\system32\default.bin is the default for <path>. You can generate this filter with `fw defaultgen`, which will turn %FWDIR%\conf\defaultfilter.pf into %FWDIR%\state\default.bin, which you can then copy over.
1. cpstart
Description: This command is used to start all Check Point processes and applications running on a machine.
2. cpstat
Description: cpstat displays the status of Check Point applications, either on the local machine or on another machine, in various formats.
3. cpstop
Description: This command is used to terminate all Check Point processes and applications, running on a machine.
4. dbedit
Description: This command is used by administrators to edit the objects file on the SmartCenter Server.
1. cpconfig
Description: This command is used to run a Command Line version of the Check Point Configuration Tool.
2. cphaconf
Description: The cphaconf command configures ClusterXL.
3. cphastart
Description: Running cphastart on a cluster member activates ClusterXL on the member.
4. cphastop
Description: Running cphastop on a cluster member stops the cluster member from passing traffic.
1. cplic put
Description: The cplic put command is used to install one or more Check Point licenses on a local machine.
2. cplic print
Description: The cplic print command (located in $CPDIR/bin) prints details of Check Point licenses on the local machine
3. cplic upgrade
Description: Use the cplic upgrade command to upgrade licenses in the license repository using licenses in a license file obtained from the User Center.
4. cplic del
Description: Use this command to delete a single Check Point license on a host, including unwanted evaluation, expired, and other licenses. This command is used for both local and remote machines
5. cplic db_add
Description: The cplic db_add command is used to add one or more licenses to the license repository on the SmartCenter Server.
6. cplic db_print
Description: The cplic db_print command displays the details of Check Point licenses stored in the license repository on the SmartCenter Server.
7. cplic db_rm
Description: The cplic db_rm command removes a license from the license repository on the SmartCenter Server.
1. cppkg add