Check Point Commands
tcpdump or fw monitor
Dumps current TCP/IP activity to the terminal. Control+C to stop logging.
For SecuRemote Client use: sr monitor
To see total packets dropped / passed use:
fw stat -i -l
fw debug
This option writes debugging info to the local log ($FWDIR/log/*.elg).
fw debug fwd on Start writing debug information.
fw debug fwd off Stop writing debug information.
(The debug output is automatically redirected to $FWDIR/log/fwd.elg.)
Syntax:
fw debug fwd on
fw debug fwd on TDERROR_ALL_ALL=3
fw debug fwd off
fw debug fwm on OPSEC_DEBUG_LEVEL
fw debug mdq on (Useful to see why mail is being dropped; you might want to try "fw debug in.asmtpd on" as well)
fw ctl arp
View proxy arp entries
In 4.1 and earlier releases, or in NG if manual NAT is used, you can use the
command 'arp -s' to add a "proxy" ARP entry in Unix. See 'man arp' for more
information. To use 'arp -s', you will need to know the MAC address of the external
interface. In Unix, use 'ifconfig -a' to get that information.
fw ctl debug -m fw memory : Assign the debug option memory for the fw module.
fw ctl debug -m fw : Verify that the debug option memory is assigned to the fw module.
fw tab -s
Examine the firewall kernel tables counts. Look for a table with high counts.
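As an added example that is not part of the original page, the following POSIX shell filter applies the "look for a table with high counts" advice to the output of fw tab -s. The sample output is constructed and the column layout HOST NAME ID #VALS #PEAK #SLINKS is an assumption; on a firewall you would pipe the real fw tab -s output into the functions.

```shell
#!/bin/sh
# Added example, not from the original page: flag kernel tables with many
# entries in the summary printed by "fw tab -s". The column layout
# (HOST NAME ID #VALS #PEAK #SLINKS) is an assumption about that output.

# Constructed sample of "fw tab -s" output (not a real capture).
SAMPLE_FW_TAB_S='HOST                  NAME                             ID #VALS #PEAK #SLINKS
localhost             connections                     8158 24873 25000       0
localhost             fwx_cache                       8116   412   900       0
localhost             pending                         8148    35    60       0
localhost             sam_blocked_ips                 8145     0     0       0'

# high_tables THRESHOLD  (reads "fw tab -s" text on stdin)
# Prints "name vals peak" for every table whose #VALS is at least
# THRESHOLD, largest first, skipping the header and malformed lines.
high_tables() {
    thr="$1"
    awk -v thr="$thr" '
        NR > 1 && NF >= 5 && $4 ~ /^[0-9]+$/ && ($4 + 0) >= thr { print $2, $4, $5 }
    ' | sort -k2,2nr
}

# near_peak THRESHOLD_PCT  (reads "fw tab -s" text on stdin)
# Prints tables whose current count is at least THRESHOLD_PCT percent of
# their recorded peak, i.e. tables that are close to filling up again.
near_peak() {
    pct="$1"
    awk -v pct="$pct" '
        NR > 1 && NF >= 5 && $5 ~ /^[0-9]+$/ && $5 > 0 &&
        ($4 * 100) >= (pct * $5) { printf "%s %d%%\n", $2, ($4 * 100) / $5 }
    '
}

# Stand-alone demonstration on the constructed sample; on a firewall
# you would run:  fw tab -s | high_tables 10000
printf '%s\n' "$SAMPLE_FW_TAB_S" | high_tables 400
printf '%s\n' "$SAMPLE_FW_TAB_S" | near_peak 90
```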
cpstat fw -f smtp
Displays SMTP statistics.
cpinfo
cpinfo is used to collect information for debugging and solving VPN-1/FireWall-1
problems. cpinfo gathers information on the system parameters of the machine on
which VPN-1/FireWall-1 is installed, and on VPN-1/FireWall-1 parameters such as
interfaces and tables. cpinfo gathers the information by running operating system
and VPN-1/FireWall-1 commands. The resulting file will usually be sent to Check
Point Support for analysis.
netstat -na
To check whether SIC is listening to its network port.
netstat -na | find "18211" (Windows)
netstat -na | grep 18211 (Linux)
netstat -r
Displays the routing table.
cpd -d
To verify that the module is listening. Might give some clues regarding SIC
communications.
fw lichosts
Determines the number of IPs behind the firewall; useful if you have a node-limited
license.
fw log
There are four modes for showing the log database. These modes are used for support
purposes, and make it possible to compare log events seen in the Log Viewer to the
actual log records in the VPN-1/FireWall-1 log database (fw.log or any other log
switch log file).
Syntax:
fw log -m initial
fw log -m raw
fw log -m semi
fw log -m account
fw log -f : Displays the log continuously.
cpmad -f
Two cpmad processes cannot normally run simultaneously. If there is a need to run a
second cpmad process, run it with the -f switch.
dbedit
The dbedit utility allows administrators to make changes to the objects_5_0.C
file, such as creating objects or modifying their properties.
Syntax:
create
modify
rename
update
delete
print
addelement
rmelement
fw tab -t
Displays firewall state tables
fwm psload
The fw psload command is run on the Management Server. It installs the Desktop
Security policy on the Policy Server.
fwm psfetch
The fw psfetch command is run on the VPN/FireWall Module. It fetches the Desktop
Security policy from the Management Server
fwm fingerprint
Running the fw fingerprint command on the Management Server displays the
Management Server's fingerprint.
fwd -d
Running fwd manually with the '-d' parameter writes a lot more debug information
to the cpwd.elg log file.
cphaprob state
Status of the high availability modules; shows which gateway is active, standby or
down.
netsod
Verifying the UAG Daemon is operating properly
Syntax:
netsod d #initialize uas daemon
netsod drv #uas driver commands
netsod query #perform command line uas query command
netsod update #perform command line uas update command
netsod kill #terminate uas daemon
netsod simple #initialize uas simple proxy
netsod simplekill #terminate uas simple proxy
netsod ver # display the uas version
netsod debug number # Turn on/off UAS debug printings
kill
Use kill -9 pid, where the pid is taken from top or from ps aux. (First try to
reboot the system; killing a kernel process will leave the firewall in an unstable
state.)
ps -al
Lists current processes and their path, e.g.:
ps -ef | grep httpd
ps lists the running processes; grep reads the output of ps and prints only those
lines containing the letters httpd.
top
Displays running processes and system uptime. (When running the top command from a
remote ssh connection, use the export TERM=vt100 command to resolve display issues)
free
Displays memory and swap file usage
last
Displays the last user logins
dmesg
Displays system messages and hardware details
Networking
To add a route:
route add -net 192.168.22.0 netmask 255.255.255.0 gw 192.168.22.254
To delete a route
route del -net 192.168.22.0 netmask 255.255.255.0 gw 192.168.22.254
Verify connectivity:
ping 192.168.22.254
Use Control+C to stop pinging
Environment Variables
Only files on the path (i.e. in directories listed in the PATH variable) can be
executed directly. Thus, to execute a command in a directory that is not on the
path, you must specify the path. Alternatively, rather than adding a directory to
PATH, you can make a symbolic link to the script in a directory which is already on
the path, such as /usr/bin/ or /usr/local/bin/. It may even be easier just to move
the script file to one of these directories.
If /sbin is in the path then users can use the command; if it is not and you want
to add it for them, you would need to add it to their profile.
Example:
vi /etc/profile
add or modify the PATH variable:
PATH=$PATH:/sbin
SecuRemote Client
Configure the dialer to run scc.exe after the connection has been made, to
establish the VPN tunnel. E.g.: Scc cn Jgreen, where Jgreen is the profile name.
fdisk /dev/hda
Displays Partition Tables for first IDE hard disk
fdisk /dev/hda -l (Only prints the partition table)
(df is a safer command to use)
Log Files
In general, each NG log file is composed of four files:
xx.log : stores the log records
xx.logptr : pointers to the beginning of each log record
xx.loginitial_ptr : pointers to the beginning of each log chain (logs with the
same connection id)
xx.logaccount_ptr : pointers to the beginning of each accounting record
In the case of the audit log file the files are xx.adtlog, xx.adtlogptr,
xx.adtloginitial_ptr, and xx.adtlogaccount_ptr.
df Displays drive and partition info (df -h displays it in human-readable format)
rm (-R) Removes a file (-R forces deletion of non-empty directories; the -f switch
disables prompting when deleting files. WARNING: use -Rf with care)
cp Copies files (-r : recursive, copies the whole directory tree, subdirectories
and all)
cd Change directories
fsck -a -p /dev/hda1 Does a disk check (find the partitions using the df command)
touch file1 file2 file3 creates files file1 file2 file3 or updates their time stamp
if they already exist.
find /home -name httpd.conf searches /home and its subdirectories for the file
httpd.conf.
Tip:
SSH File Transfer provides file editing and copying in a Windows environment. You
can download it from here:
http://www.ssh.com/support/downloads/secureshellwks/non-commercial.html
(for non-commercial use)
I prefer WinSCP, a much better tool and suitable for commercial use.
http://winscp.vse.cz/eng/
But one caveat with editing files on a Windows/DOS machine is that there is
a potential danger that those non-Unix editors mess with the end-of-line
markers in the text file (only LF (0Ah) in Unix, CR-LF (0Dh-0Ah) in
DOS/Windows), which can cause the resulting file not to work.
Still a great way to navigate and copy files over a secure tunnel.
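The end-of-line caveat above, as an added example that is not part of the original page: a POSIX shell check that counts CR-LF line endings in a file brought over from a Windows editor, plus a fix that strips the CR bytes. The sample file is constructed with printf and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original page: detect files whose lines end
# in CR-LF (0Dh-0Ah) after a round trip through a Windows editor, and
# normalise them to the LF-only (0Ah) endings that Unix tools expect.

CR=$(printf '\r')    # a literal carriage return for use in grep patterns

# crlf_count FILE -> prints the number of lines that end in CR-LF
crlf_count() {
    grep -c "${CR}\$" "$1" || true    # grep -c exits 1 on zero matches
}

# has_crlf FILE -> exit status 0 if at least one line ends in CR-LF
has_crlf() {
    grep -q "${CR}\$" "$1"
}

# to_unix FILE -> rewrites FILE in place with every CR byte removed
to_unix() {
    tmp="$1.tmp.$$"
    tr -d '\r' < "$1" > "$tmp" && mv "$tmp" "$1"
}

# Constructed sample: the PATH edit from the Environment Variables section,
# saved the way a DOS/Windows editor would save it.
SAMPLE_FILE=$(mktemp)
printf 'PATH=$PATH:/sbin\r\nexport PATH\r\n' > "$SAMPLE_FILE"

# Stand-alone demonstration: count, convert, count again.
echo "CR-LF lines before: $(crlf_count "$SAMPLE_FILE")"
to_unix "$SAMPLE_FILE"
echo "CR-LF lines after:  $(crlf_count "$SAMPLE_FILE")"
rm -f "$SAMPLE_FILE"
```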