CLI Commands :
In checkpoint we have command line interface also and in this series we are going to see what basic CLI command we should know while working on checkpoint firewall.
Also, we are going to see some troubleshooting and other helping commands. As already said in previous series there are two modes in checkpoint.
- Clish and 2. Linux (Expert Mode)
Reasons to go to CLI :
- To load/unload the local firewall policy
- To perform Linux related task
- Status check (eg : by cpconfig command)
- Recovery (when we are unable to contact the firewall through MGMT server then we log into the firewall through console and perform certain tasks)
“> ” is the symbol we see for clish (or sometimes called as super shell) mode and “# ” is the symbol for expert or (Linux bash shell) mode.
On very first time, if you want to go into expert mode, it will ask for password and for that we need to set up an expert password by command : set expert-password <Enter> ; set the password and confirm that.
Now, to see what traffic is going through the firewall and it’s interfaces then we have a great tool named tcpdump which we can use .
tcpdump -i 0.0 -w /var/tmp/NEW-TCPDMP.pcap <—to capture traffic on all interfaces and write the file on folder specified at location given in the command
–the above command will capture only first 96 bytes of the packet but our payload is big and may not capture this way
To check ARP :
arp -a | grep -i <Specific mac/ip>
Routing table :
- fw stat (to check policy installed) works in both clish and expert mode.
- fw ver (to check the current version)
- fw getifs (overview of all the interfaces)
On Manager :
–To check all the logged in users and create a new user :
Here, we created a new user named sid and to delete the user do this :
MGMT>delete user sid
–To take a backup of the database :
Once it’s complete the it should show below message :
and this backup is stored at below location on MGMT server :
To restore from the local backup :
Once it gets success, then reboot the box, say no to save the configuration and say yes to reboot.
Reset the SIC Status :
Use cpconfig and choose option 5 to reset the sic. it will ask for do you really want to do that and ask for activation key 2 times. Once we give the correct key, press 9 to exit and it will reset the trust.
Now go to GUI and build the trust as did build for the first time.
License Info : Use below commands to check the license status
Also to see the current OS number and release related info, use the command cpstat os
and to check, CPU and memory related info , use commands from below snapshot :
To check users who have authenticated with AD server :
pdp monitor client_type portal
pdp monitor ip 10.1.1.15
Above command will show us anything associated with IP address : 10.1.1.15
To delete this association :
pdp control revoke_ip 10.1.1.15
To create a database version from CLI:
Go to manager and go to expert mode :
type dbver and it will take us to the dbver mode and will show us all other options to create/delete/show all database versions.
Look at the below snapshot :
To switch the log file from CLI :
Location of log files :
To Monitor the traffic : fw monitor is a great troubleshooting tool :
And now we can do scp/ftp to take out this file on our PC and analyse the traffic.
Fw Monitor Syntax : use below checkpoint link
To check all the installed hotfixes and patches :
cpinfo -y all
fw ctl zdebug drop | grep 10.1.10.11 <—to see logs of packet drops of any specific IP
ipsctl -a | grep qdrop
–To see the active connections :
So, here 10 are the current connections and 30 were max.
To clear all the connections use : fw tab -t connections -x
–To find directory by name and then search something
[Expert@crlilnxf2:0]# find / -name “active”
fw ctl pstat : Display internal statistics including information about memory, inspect, connections, synchronization and NAT.
IPSEC VPN :
In our next section, we are going to look into VPN’s. We are going to build an IPSEC tunnel from our HQ gateway to BR gateway. As we all know we use two protocols for building IPSEC tunnels (IKE v1 or IKE v2) . IKE v1 is the most deployed solution we have and in this section we are going to build our tunnel through IKE v1.
As we know this consist of IKE phase 1 and phase 2. There are enormous documents on IPSEC functioning on the internet explaining what are encryption algorithms, integrity, authentication method we use and how they function.
I am not going into details of explaining what components IPSEC have in phase 1 and phase 2 and how they work or what all messages exchanged in phase 1 (Main or Aggressive mode) and in phase 2 (Quick mode) but i am strictly going to show you how we can build a IPSEC tunnel on a checkpoint gateway.
In checkpoint , we use a term community when building IPSEC tunnels.
A VPN community is a collection of VPN enabled gateways capable of communicating via VPN tunnels.
To understand VPN Communities, a number of terms need to be defined:
VPN Community member : Refers to the Security Gateway that resides at one end of a VPN tunnel.
VPN domain : Refers to the hosts behind the Security Gateway. The VPN domain can be the whole network that lies behind the Security Gateway or just a section of that network. For example a Security Gateway might protect the corporate LAN and the DMZ. Only the corporate LAN needs to be defined as the VPN domain.
VPN Site : Community member plus VPN domain. A typical VPN site would be the branch office of a bank.
VPN Community : The collection of VPN tunnels/links and their attributes.
Domain Based VPN : Routing VPN traffic based on the encryption domain behind each Security Gateway in the community. In a star community, satellite Security Gateways can communicate with each other through center Security Gateways.
Route Based VPN : Traffic is routed within the VPN community based on the routing information, static or dynamic, configured on the Operating Systems of the Security Gateways.
In Checkpoint communities, we generally have 2 type of topologies : 1. Full Mess (VPN Tunnel from every site to another site) or 2. Star Topology (1 site is central site (hub) and others are spoke sites )
Like we are doing here, 1 HQ firewall and 1 BR firewall.
1 thing to remember : If the traffic is destined for vpn interesting traffic list and going via vpn gateway then make a rule to exempt that traffic from being NAT.
Means traffic going over IPSEC tunnel should not be natted.
Steps to configure IPSEC on Checkpoint :
- Enable the software blade on the gateway.
- Define the VPN Domain
- Create Community
- Add Rules (we can be as granular as possible)
Now, Step 1 to enable the software blade :
Step 2 to define vpn domain :
go to the gateway properties and click on topology :
Either we can add all IP addresses or we can manually define. Here we are manually defined our inside interface as part of VPN domain.
Similarly define the VPN domain for BRFW as well.
Now 3rd step to define the vpn community :
Go to IPSEC VPN and choose to select the star community :
and once we select the star community, below star community properties tab will open :
Define the community name and color and click on center gateways and Satellite gateways. In center gateway choose the HQFW and in satellite gateway choose the BRFW gateway.
Also there is a option to mesh center gateways (if we want to add more gateway in center and want to establish a full mesh between them)
Now, choose encryption algorithms as given in below snapshot. Either used previously defined or we can choose from custom. I chose from custom here :
In Next option, Tunnel management choose from below options :
I am choosing one tunnel per subnet pair because we have 1 subnet on each side. for less overhead best option to choose is one tunnel per gateway pair if you have multiple proxy ID’s.
Now go to advance settings and advance VPN properties : Here we can choose phase 1 and phase timers along with PFS and DH group. Also we are disabling NAT here for VPN traffic. click on ok.
Now step 4 to define the rule :
Go to security policy and make a rule for vpn :
See in place of vpn where it is any for all other rules, we are now making a change (Allowing connections encrypted in specific vpn community)
And the rule will become :
Install the policy on both gateways.
And now to initiate interesting traffic let’s ping from our admin_pc to 10.2.2.2 (Subnet on our branch router)
And ping is successful. Don;t miss the time taken by 1st packet. It’s 478 ms because it did all sort of negotiation of phase 1 and 2 and it took time and now it’s just taking 1 ms.
See the negotiation from SVT :
And the decryption at branch firewall :
Through CLI also we can check this :
press 2 for phase 2 SA status :
To delete : option 5
Again initiate the interesting traffic and you’ll see the tunnel again.
–To shutdown all vpn operations : vpn drv off
To enable again all vpn operations : vpn drv on and install policy
Backup and Recovery :
|Backup Type||Relative Size||Includes||Dashboard||CLI||HTTPS|
|DB Version||Small 50 Mb||Policy and Objects||Yes||dbver||no|
|Backup||Medium 500Mb||GAIA config and CP Dbase||No||Show add/set backup||Yes|
|Image/Snapshot||Large, 5000Mb||OS Partition including CP Dbase||No||Show add/set snapshot||Yes|
HTTPS here in the table is GAIA interface.
CLI is what we did in the start of this blog (We did take backup also through CLI)
Dashboard is : SMART Dashboard
For system backup and Image management through GAIA : go to Maintenance tab and you should see these options under maintenance tab.
Here i am adding another backup locally on the manager.
Once the backup is created, then we can restore the system from this backup anytime.
We can even export this backup and if needed then can import also to restore the system.
And to restore from backup do this :
Similarly we can create image snapshot.
- Checkpoint – Checkpoint Fundamentals and first time configuration Wizard – Part I
- Checkpoint – Pushing Policy, NAT , Policy Packages and database Versions – Part II
- Checkpoint – SMART View Tracker and SMART View monitor – Part III
- Checkpoint – LDAP, identity Awareness, HTTPS inspection, App control and URL Filtering – Part IV
- Checkpoint – Command line Interface and IPSEC VPN – Part V
- Checkpoint – SMART Update, Remote Access VPN and High Availability – Part VI