Wednesday, April 18, 2018

Checkpoint firewall reimaging via USB disk

Just as a reminder of the options when the serial cable connection messes up the screen

Monday, November 27, 2017

Top CheckPoint CLI commands

This post is a summary of some of the most important Checkpoint commands taken by Checkpoint Community (CheckMates)



fw ctl zdebug drop used to quickly see all dropped connections and more importantly the reason (e.g. anti-spoofing, IPS , FW rule , ....). USE WITH EXTREME CAUTION 
cpstat fw quickly see stats of number of connections (accepted,denied,logged) with a breakdown
if the FW was under a high load i would usually run " watch --interval=1 'cpstat fw' " (would see a real-time to see the interface that is causing this)
fw tab -s -t connections


allowed me to quickly see how much load is (and was i.e "peak" ) on the FW
cphaprob stat used to see state of cluster
fwaccel stats -s to check acceleration status on FW
cphaprob -a if


used to do troubleshooting cluster, verify all interfaces are UP and the Virtual IP address for the cluster interfaces

Friday, October 20, 2017

Policy installation failed after cluster configuration

A few day ago, I've created a new cluster on a mgmt that already manage other clusters.

On this new cluster the only interface configured was the MGMT, the other interfaces were all in shut and not configured, so in topology I defined the MGMT interface as cluster interface.

After creation of the cluster I tried to install policy and the policy installation failed.

This is a classic issue, the cluster always needs a sync interface so in topology I changed the interface and defined it as Sync, although it's not sync if.

After this change everything was ok and I was able to install policy.

Sunday, August 20, 2017

Easy ways to get your IP address on a Linux box

Here are some easy ways to obtain your IP address on a Linux box


  • dig +short myip.opendns.com @resolver1.opendns.com
  • curl -s http://whatismyip.akamai.com/
  • curl -s icanhazip.com


Tuesday, July 18, 2017

Checkpoint R80.10 management upgrade

When you decide to upgrade your R77.30 Checkpoint management to R80.10 please keep in mind a number of points ( also reported in sk114739).

The first step of the upgrade process will run the Pre-Upgrade verification tool ( that you could also run by downloading the utilities from CP website).

  • One typical error, if you are not from the US, is to have non-Unicode chars in multiple files. In R80 you had to fix all these issues. Now with R80.10 all you need to do is create a file $FWDIRconf/db_encoding.txt with your encoding ( i.e. WINDOWS-1252) and no error message should appear

If you want to know where non-UNICODE chars are you can run this command

grep --color='auto' -P -n "[\x80-\xFF]" file 


  • Next you could have modified files under $FWDIR/lib such as implied_rules.def or crypt.def. These files will be replaced when upgrading.
Thus you need to make a backup of these files and reapply changes after upgrade is completed.

Tuesday, July 11, 2017

How to install Dropbox on a Linux box - headless

here is a brief description of steps to take to install Dropbox client on a Linux box

I followed this article to come up with the commands.

Download and extract software

  • curl -Lo dropbox-linux-x86_64.tar.gz https://www.dropbox.com/download?plat=lnx.x86_64
    • if 32 bit system
    • curl -Lo dropbox-linux-x86.tar.gz https://www.dropbox.com/download?plat=lnx.x86
  • mkdir -p /opt/dropbox
  • tar xzfv dropbox-linux-x86_64.tar.gz --strip 1 -C /opt/dropbox

Start Dropbox client

With the user under whose home directory you want to store Dropbox data, start the Dropbox daemon
  • sudo su - dropboxuser
  • /opt/dropbox/dropboxd

Now you need to link system to Dropbox


Host ID Link:
This computer isn't linked to any Dropbox account...
Please visit https://www.dropbox.com/cli_link_nonce?nonce=ac8d12e1f59913758348392949c265eb to link this device

Browse to above link and enter credentials for the Dropbox user you want to use


Link success output:
This computer is now linked to Dropbox. Welcome John

Start Dropbox as a service . Download init script

  • cd ~
  • curl -o /etc/init.d/dropbox https://gist.githubusercontent.com/thisismitch/d0133d91452585ae2adc/raw/699e7909bdae922201b8069fde3011bbf2062048/dropbox
  • chmod +x /etc/init.d/dropbox
Select Linux user that will be used to sync Dropbox data

  • vi /etc/defaults/dropbox
DROPBOX_USERS="john"

Start dropbox

  • service dropbox start
  • update-rc.d dropbox defaults


Forescout CounterACT - license clear

here is the list of commands to run to clear license info on CounterACT 7.0


  1. fstool service stop 
  2. fstool clear_license
  3. fstool service start
after this commands it is possible to install license file from scratch