Friday, September 28, 2018

Checkpoint how to clear all tables of IA

The following command clears all PDP and PEP tables on the security gateway:

fw tab -t pdp_sessions -t pdp_super_sessions -t pdp_encryption_keys -t pdp_whitelist -t pdp_timers -t pdp_expired_timers -t pdp_ip -t pdp_net_reg -t pdp_net_db -t pdp_cluster_stat -t pep_pdp_db -t pep_networks_to_pdp_db -t pep_net_reg -t pep_reported_network_masks_db -t pep_port_range_db -t pep_async_id_calls -t pep_client_db -t pep_identity_index -t pep_revoked_key_clients -t pep_src_mapping_db -t pep_log_completion -x -y

This command causes a temporary disconnection of all traffic passing through the firewall, so use it with caution.

Wednesday, April 18, 2018

Checkpoint firewall reimaging via USB disk

Just a reminder of the options available when the serial cable connection messes up the screen.

Monday, November 27, 2017

Top CheckPoint CLI commands

This post is a summary of some of the most important Checkpoint commands, taken from the Checkpoint Community (CheckMates).

  • fw ctl zdebug drop: used to quickly see all dropped connections and, more importantly, the reason (e.g. anti-spoofing, IPS, FW rule, ...). USE WITH EXTREME CAUTION.
  • cpstat fw: quickly see stats on the number of connections (accepted, denied, logged) with a breakdown. If the FW was under a high load I would usually run "watch --interval=1 'cpstat fw'" (to see in real time the interface that is causing this).
  • fw tab -s -t connections: allowed me to quickly see how much load is (and was, i.e. "peak") on the FW.
  • cphaprob stat: used to see the state of the cluster.
  • fwaccel stats -s: to check the acceleration status on the FW.
  • cphaprob -a if: used for troubleshooting the cluster, to verify that all interfaces are UP and the Virtual IP address of the cluster interfaces.

Friday, October 20, 2017

Policy installation failed after cluster configuration

A few days ago I created a new cluster on a mgmt that already manages other clusters.

On this new cluster the only interface configured was the MGMT; the other interfaces were all shut down and not configured, so in the topology I defined the MGMT interface as the cluster interface.

After creating the cluster I tried to install the policy, and the policy installation failed.

This is a classic issue: the cluster always needs a sync interface, so in the topology I changed the interface and defined it as Sync, although it is not the sync interface.

After this change everything was OK and I was able to install the policy.

Sunday, August 20, 2017

Easy ways to get your IP address on a Linux box

Here are some easy ways to obtain your IP address on a Linux box:

  • dig +short
  • curl -s
  • curl -s

Tuesday, July 18, 2017

Checkpoint R80.10 management upgrade

When you decide to upgrade your R77.30 Checkpoint management to R80.10, keep in mind the following points (also reported in sk114739).

The first step of the upgrade process runs the Pre-Upgrade Verification tool (which you can also run beforehand by downloading the utilities from the Checkpoint website).

  • One typical error, if you are not from the US, is having non-Unicode characters in multiple files. In R80 you had to fix all of these issues. With R80.10 all you need to do is create a file $FWDIR/conf/db_encoding.txt containing your encoding (e.g. WINDOWS-1252) and no error message should appear.

If you want to know where the non-Unicode characters are, you can run this command:

grep --color='auto' -P -n "[\x80-\xFF]" file

  • Next, you may have modified files under $FWDIR/lib such as implied_rules.def or crypt.def. These files are replaced during the upgrade, so you need to back them up and reapply your changes after the upgrade is completed.
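As an added example (not from the post, sk114739 or Check Point), the Python below does what the grep above does across a whole directory and adds the check a practitioner wants before writing db_encoding.txt: that the chosen encoding can actually decode every flagged line, since WINDOWS-1252 leaves a handful of bytes (0x81, 0x8D, 0x8F, 0x90, 0x9D) undefined. The file names and contents are constructed samples written to a temporary directory.

```python
import os
import tempfile

def find_non_ascii(path):
    """Lines holding any byte >= 0x80, as (line_no, bytes): the lines
    grep -n -P "[\\x80-\\xFF]" reports."""
    hits = []
    with open(path, "rb") as fh:
        for no, line in enumerate(fh, 1):
            if any(b >= 0x80 for b in line):
                hits.append((no, line.rstrip(b"\r\n")))
    return hits

def check_encoding(path, encoding):
    """(ok, bad_lines): ok when every flagged line decodes under encoding."""
    bad = []
    for no, line in find_non_ascii(path):
        try:
            line.decode(encoding)
        except UnicodeDecodeError:
            bad.append(no)
    return (not bad, bad)

def scan_tree(root, encoding):
    """Map each file under root that has non-ASCII bytes to its result."""
    results = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if find_non_ascii(full):
                results[os.path.relpath(full, root)] = check_encoding(full, encoding)
    return results

def build_sample_tree():
    """Constructed sample (hypothetical names): ASCII-only, a WINDOWS-1252
    comment, and a CP866 Cyrillic comment whose 0x81 byte is undefined in WINDOWS-1252."""
    root = tempfile.mkdtemp()
    samples = {
        "objects_5_0.C": b": (host\n\t:name (server)\n",
        "rulebases_5_0.fws": b": (comment \"Zugriff f\xfcr B\xfcro\")\n",
        "users.C": b"# admin accounts\n" + "# \u0411\u044e\u0440\u043e\n".encode("cp866"),
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root

def sample_results(encoding="windows-1252"):
    """Scan the constructed tree with the encoding planned for db_encoding.txt."""
    return scan_tree(build_sample_tree(), encoding)
```

Point scan_tree at $FWDIR/conf with the encoding you intend to declare; any file reported with bad lines needs a different encoding or a manual fix before the upgrade.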

Tuesday, July 11, 2017

How to install Dropbox on a Linux box - headless

Here is a brief description of the steps to install the Dropbox client on a Linux box.

I followed this article to come up with the commands.

Download and extract software

  • curl -Lo dropbox-linux-x86_64.tar.gz
    • if 32 bit system
    • curl -Lo dropbox-linux-x86.tar.gz
  • mkdir -p /opt/dropbox
  • tar xzfv dropbox-linux-x86_64.tar.gz --strip 1 -C /opt/dropbox

Start Dropbox client

As the user under whose home directory you want to store the Dropbox data, start the Dropbox daemon:
  • sudo su - dropboxuser
  • /opt/dropbox/dropboxd

Now you need to link the system to Dropbox.

Host ID Link:
This computer isn't linked to any Dropbox account...
Please visit to link this device

Browse to the above link and enter the credentials of the Dropbox user you want to use.

Link success output:
This computer is now linked to Dropbox. Welcome John

Start Dropbox as a service. Download the init script:

  • cd ~
  • curl -o /etc/init.d/dropbox
  • chmod +x /etc/init.d/dropbox
Select the Linux user that will be used to sync the Dropbox data:

  • vi /etc/defaults/dropbox

Start Dropbox:

  • service dropbox start
  • update-rc.d dropbox defaults