Monday, November 27, 2017

Top CheckPoint CLI commands

This post is a summary of some of the most important Checkpoint commands, taken from the Checkpoint Community (CheckMates).



fw ctl zdebug drop
    Used to quickly see all dropped connections and, more importantly, the reason for the drop (e.g. anti-spoofing, IPS, FW rule, ...). USE WITH EXTREME CAUTION.

cpstat fw
    Quickly see stats on the number of connections (accepted, denied, logged) with a breakdown. If the FW was under a high load I would usually run "watch --interval=1 'cpstat fw'" to see in real time which interface is causing it.

fw tab -s -t connections
    Allowed me to quickly see how much load is (and was, i.e. the "peak") on the FW.

cphaprob stat
    Used to see the state of the cluster.

fwaccel stats -s
    To check the acceleration status on the FW.

cphaprob -a if
    Used to troubleshoot the cluster: verify that all interfaces are UP and check the Virtual IP address of the cluster interfaces.

Friday, October 20, 2017

Policy installation failed after cluster configuration

A few days ago I created a new cluster on a management server that already manages other clusters.

On this new cluster the only configured interface was MGMT; the other interfaces were all shut down and not configured, so in the topology I defined the MGMT interface as a cluster interface.

After creating the cluster I tried to install the policy, and the policy installation failed.

This is a classic issue: a cluster always needs a sync interface, so in the topology I changed the interface and defined it as Sync, although it is not actually a sync interface.

After this change everything was OK and I was able to install the policy.

Sunday, August 20, 2017

Easy ways to get your IP address on a Linux box

Here are some easy ways to obtain your IP address on a Linux box


  • dig +short myip.opendns.com @resolver1.opendns.com
  • curl -s http://whatismyip.akamai.com/
  • curl -s icanhazip.com


Tuesday, July 18, 2017

Checkpoint R80.10 management upgrade

When you decide to upgrade your R77.30 Checkpoint management to R80.10, please keep in mind a number of points (also reported in sk114739).

The first step of the upgrade process runs the Pre-Upgrade Verification tool (which you can also run beforehand by downloading the utilities from the Checkpoint website).

  • One typical error, if you are not in the US, is having non-Unicode characters in multiple files. In R80 you had to fix all of these. In R80.10 all you need to do is create the file $FWDIR/conf/db_encoding.txt containing your encoding (e.g. WINDOWS-1252) and no error message should appear.

If you want to know where the non-Unicode characters are, run this command:

grep --color='auto' -P -n "[\x80-\xFF]" file 


  • Next, you may have modified files under $FWDIR/lib, such as implied_rules.def or crypt.def. These files are replaced during the upgrade, so back them up and reapply your changes after the upgrade is complete.
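The grep above only tells you where the high bytes are; before declaring an encoding in db_encoding.txt it is worth confirming that every flagged file really decodes under it. The following is an added example (not from the original post or from Check Point) that classifies each file under a directory as pure ASCII, valid UTF-8, valid in the declared encoding, or undecodable; the sample tree it scans is constructed in a temporary directory and stands in for $FWDIR/conf.

```python
import os
import tempfile

# Added example, not from the original post: a pre-upgrade check for the
# db_encoding.txt step.  It finds the files the verifier would flag (any byte
# >= 0x80, which is what the grep in the post reports) and confirms they decode
# under the encoding you intend to declare; WINDOWS-1252 is the page's example.
# Files that are valid UTF-8 are reported separately, because one declared
# encoding cannot cover a mix of UTF-8 and Windows-1252 files.

def high_byte_lines(data):
    """1-based line numbers holding a byte >= 0x80, like grep -n -P '[\\x80-\\xFF]'."""
    return [n for n, line in enumerate(data.splitlines(), 1)
            if any(b >= 0x80 for b in line)]

def classify(data, declared="windows-1252"):
    """'ascii', 'utf-8', 'declared' or 'undecodable' for one file's bytes."""
    if not any(b >= 0x80 for b in data):
        return "ascii"
    for label, enc in (("utf-8", "utf-8"), ("declared", declared)):
        try:
            data.decode(enc)
            return label
        except UnicodeDecodeError:
            continue
    return "undecodable"  # e.g. 0x81 or 0x8D: undefined in Windows-1252, invalid UTF-8

def scan_tree(root, declared="windows-1252"):
    """Map every regular file under root to (classification, high-byte line numbers)."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            report[os.path.relpath(path, root)] = (classify(data, declared),
                                                   high_byte_lines(data))
    return report

if __name__ == "__main__":
    # Constructed sample tree standing in for $FWDIR/conf on a management server.
    with tempfile.TemporaryDirectory() as root:
        samples = {"clean.txt": b"only ascii\n",
                   "latin1.txt": b"caf\xe9\n",
                   "utf8.txt": "caf\u00e9\n".encode("utf-8"),
                   "broken.txt": b"ok\nbad \x81 byte\n"}
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        for name, (kind, lines) in sorted(scan_tree(root).items()):
            print("%-12s %-12s lines %s" % (name, kind, lines))
```

Run the post's own grep under LC_ALL=C so that the [\x80-\xFF] class matches raw bytes instead of being interpreted in a UTF-8 locale.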

Tuesday, July 11, 2017

How to install Dropbox on a Linux box - headless

Here is a brief description of the steps to take to install the Dropbox client on a headless Linux box.

I followed this article to come up with the commands.

Download and extract software

  • curl -Lo dropbox-linux-x86_64.tar.gz https://www.dropbox.com/download?plat=lnx.x86_64
    • if 32 bit system
    • curl -Lo dropbox-linux-x86.tar.gz https://www.dropbox.com/download?plat=lnx.x86
  • mkdir -p /opt/dropbox
  • tar xzfv dropbox-linux-x86_64.tar.gz --strip 1 -C /opt/dropbox

Start Dropbox client

With the user under whose home directory you want to store Dropbox data, start the Dropbox daemon
  • sudo su - dropboxuser
  • /opt/dropbox/dropboxd

Now you need to link system to Dropbox


Host ID Link:
This computer isn't linked to any Dropbox account...
Please visit https://www.dropbox.com/cli_link_nonce?nonce=ac8d12e1f59913758348392949c265eb to link this device

Browse to above link and enter credentials for the Dropbox user you want to use


Link success output:
This computer is now linked to Dropbox. Welcome John

Start Dropbox as a service: download the init script

  • cd ~
  • curl -o /etc/init.d/dropbox https://gist.githubusercontent.com/thisismitch/d0133d91452585ae2adc/raw/699e7909bdae922201b8069fde3011bbf2062048/dropbox
  • chmod +x /etc/init.d/dropbox
Select the Linux user that will be used to sync Dropbox data

  • vi /etc/defaults/dropbox
    DROPBOX_USERS="john"

Start dropbox

  • service dropbox start
  • update-rc.d dropbox defaults


Forescout CounterACT - license clear

Here is the list of commands to run to clear the license information on CounterACT 7.0:


  1. fstool service stop 
  2. fstool clear_license
  3. fstool service start
After these commands it is possible to install the license file from scratch.

Monday, July 10, 2017

Tenable Nessus backup and restore

If you are using the Tenable Nessus product to run vulnerability assessments, you probably do a lot of tuning and configuring of policies.
If you want to make sure that you do not lose all your work, you have to back up a number of files.
A while ago I opened a case with Tenable support and was given a procedure to run.
Here is what you need to do for the backup:


  1. Backup /opt/nessus on existing system
That's easy

Now, to restore, you cannot simply copy back all the files, because Nessus will complain about a license violation and you will get nowhere.

So here is what I did:

  1. go to Tenable portal and reset the Activation code
  2. install Nessus software from package
  3. Restore the following files from your backup (copy, do not move)

    in /opt/nessus/var/nessus, restore the following:

    /users folder
    policies.db
    Master.key
    Global.db                   --- could not find it on 6.8.* version
    global.db-wal
    global.db-shm

    in /opt/nessus/etc/nessus restore the following (these may be the only files in this directory):

    nessus-fetch.db
    nessusd.db
    nessusd.conf.imported
    nessusd.rules
  4. Run the following commands:

    # /opt/nessus/sbin/nessuscli fetch --register YOURACTIVATIONCODE
    # /opt/nessus/sbin/nessusd -R
    # service nessusd start
I had to reboot the system after running /opt/nessus/sbin/nessusd -R, as it seemed to never end.




Issue with ePO database indexes before upgrade to ePO 5.9

When you upgrade ePO server to version 5.9, you may have the following warning:

"ePo database indexes are fragmented. Rebuild the index before upgrading"

To resolve this problem, open SQL Server Management Studio and run this query on your ePO database to list all indexes with a fragmentation percentage greater than 30%:

SELECT OBJECT_NAME(ind.OBJECT_ID) AS TableName,
       ind.name AS IndexName,
       indexstats.index_type_desc AS IndexType,
       indexstats.avg_fragmentation_in_percent
FROM sys.dm_db_index_physical_stats(DB_ID(), NULL, NULL, NULL, NULL) indexstats
INNER JOIN sys.indexes ind
    ON ind.object_id = indexstats.object_id
   AND ind.index_id = indexstats.index_id
WHERE indexstats.avg_fragmentation_in_percent > 30
ORDER BY indexstats.avg_fragmentation_in_percent DESC

To reduce fragmentation the indexes have to be rebuilt, so run this script. Note that it rebuilds every index on every base table in the database, not only the ones the query above reported:

DECLARE @TBname nvarchar(255),
        @SQL nvarchar(max)

-- start from the alphabetically first base table
SELECT @TBname = MIN(TABLE_NAME) FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_TYPE = 'BASE TABLE'

WHILE @TBname IS NOT NULL
BEGIN
    SET @SQL = 'ALTER INDEX ALL ON [' + @TBname + '] REBUILD;'
    --PRINT @SQL
    EXEC sp_executesql @SQL
    -- move on to the next table name
    SELECT @TBname = MIN(TABLE_NAME) FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_TYPE = 'BASE TABLE' AND TABLE_NAME > @TBname
END

Now you can restart the upgrade wizard without index problem.

Wednesday, July 5, 2017

Useful commands for mysql server

Here are some useful commands to manage a MySQL server that I always have to google for.

Reset the root password

sudo /etc/init.d/mysql stop
/usr/sbin/mysqld --skip-grant-tables --skip-networking &
mysql -u root
   FLUSH PRIVILEGES;
   SET PASSWORD FOR root@'localhost' = PASSWORD('password');
   FLUSH PRIVILEGES;
   exit;

kill %1 (to kill mysql server)

service mysql start

Add a user and grant full access to selectedDB

CREATE USER 'newuser'@'localhost' IDENTIFIED BY 'complexpassword';
GRANT ALL PRIVILEGES ON selectedDB.* TO 'newuser'@'localhost';

Restore data from a dump

From the mysql client, delete the database:
drop database selectedDB; 

Restore the database from the command line:

mysql -u root -p selectedDB  < dump.sql

Delete a record from a table

mysql> use MYDB;
Database changed

mysql> DELETE FROM tutorial_tbl WHERE tutorial_id=3;
Query OK, 1 row affected (0.23 sec)

mysql>

Wednesday, April 12, 2017

openssl to test SMTP TLS

Here is the openssl command to test SMTP TLS on an SMTP server:


 openssl s_client -connect mx1.mediasecure.it:25 -starttls smtp


The output of the command will tell you whether STARTTLS is supported on the remote SMTP server and will also provide information about the certificate that is used.

CONNECTED(00000003)
depth=0 OU = Domain Control Validated, CN = *.mediasecure.it
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, CN = *.mediasecure.it
verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = Domain Control Validated, CN = *.mediasecure.it
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=*.mediasecure.it
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFNTCCBB2gAwIBAgIIItbq63hVx0IwDQYJKoZIhvcNAQELBQAwgbQxCzAJBgNV
BAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMRow
GAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjEtMCsGA1UECxMkaHR0cDovL2NlcnRz
LmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMTMwMQYDVQQDEypHbyBEYWRkeSBTZWN1
.........
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/CN=*.mediasecure.it
issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
---
No client certificate CA names sent
---
SSL handshake has read 1732 bytes and written 656 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 25FEEE4C06B1E4F47CE3E1B9A991ADBE62713D9B192BB4DE8A7977E92D193AC3
    Session-ID-ctx:
    Master-Key: 15827DE828099C0A4E7CEAAB8C8E7300FC8EC8753939CBA5B8E44F75356DA421AFA71D32B6E7BEF883184A40575F1348
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1491980164
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
250 HELP
helo t.rr.t
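Reading this output by hand gets tedious when you check many mail servers, so here is an added example (not from the original post) that pulls out the fields worth checking and flags the findings visible in the session above: the verify return code, a chain that holds only the server's own certificate, the TLSv1 protocol and a cipher without forward secrecy. SAMPLE is a trimmed copy of the post's output; in practice you would feed it the captured stdout of the openssl command.

```python
import re

# Added example, not from the original post: summarize the output of
# "openssl s_client -connect host:25 -starttls smtp" from a defender's view.
SAMPLE = """\
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=*.mediasecure.it
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Secure Certificate Authority - G2
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Verify return code: 21 (unable to verify the first certificate)
---
250 HELP
"""

def _field(output, name):
    """Value of a 'Name : value' line from the SSL-Session block, or None."""
    m = re.search(r"^\s*%s\s*:\s*(\S+)" % name, output, re.M)
    return m.group(1) if m else None

def summarize(output):
    """Return protocol, cipher, verify code, chain length and a list of findings."""
    info = {
        "starttls": "SSL-Session:" in output,  # a session block means STARTTLS was negotiated
        "protocol": _field(output, "Protocol"),
        "cipher": _field(output, "Cipher"),
        "chain_len": len(re.findall(r"^ *\d+ s:", output, re.M)),
        "issues": [],
    }
    m = re.search(r"Verify return code:\s*(\d+)", output)
    info["verify_code"] = int(m.group(1)) if m else None
    if not info["starttls"]:
        info["issues"].append("STARTTLS not offered or handshake failed")
    if info["verify_code"] not in (0, None):
        info["issues"].append("certificate not verified (code %d)" % info["verify_code"])
    # Codes 20/21 with a one-certificate chain usually mean the server sends only
    # its leaf certificate; clients lacking the intermediate CA will reject it.
    if info["chain_len"] == 1 and info["verify_code"] in (20, 21):
        info["issues"].append("intermediate CA certificate not sent by server")
    if info["protocol"] in ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1"):
        info["issues"].append("legacy protocol %s negotiated" % info["protocol"])
    if info["cipher"] and not re.match(r"(ECDHE|DHE|TLS_)", info["cipher"]):
        info["issues"].append("cipher %s has no forward secrecy" % info["cipher"])
    return info

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print("%-12s %s" % (key, value))
```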

Tuesday, March 14, 2017

CheckPoint CPUSE agent issues - No packages displayed


In some cases, when you try to upgrade Gaia R77.30, you can find yourself in this situation:

gw-8d875c> installer download
**             ************************************************************************* **
**                         Connection error. Packages list might be incomplete           **
**             ************************************************************************* **
Show packages: no packages to display

I tried rebooting the firewall to fix this problem, but it persisted.

If I check the installer status, an error is reported on the network connection.

Install Gaia R77.30 on Lenovo server X3650 M5

A few days ago I had to install a Checkpoint cluster on two Lenovo System x3650 M5 servers.
I downloaded the Gaia R77.30 ISO file and created a bootable USB flash drive using ISOmorphic.
When I tried to boot the system from USB I got the following result:

Boot Failed!

Thursday, February 2, 2017

Forcepoint WCG command line

Command list of Web Security services:

From  /opt/WebSense/


./WebsenseAdmin status

./WebsenseAdmin restart

./WebsenseAdmin start

./WebsenseAdmin stop

------------------------------------------------------------------------------------
Command list to verify WCG services:

From  /opt/WCG/


./WCGAdmin COMMAND

where COMMAND is: