fw ctl zdebug drop |
Used to quickly see all dropped connections and, more importantly, the reason for each drop (e.g. anti-spoofing, IPS, FW rule, ...). USE WITH EXTREME CAUTION: on a busy gateway the debug output floods the console and costs CPU, so run it for a few seconds at most, pipe it through grep for the address you care about, and stop it with Ctrl-C. |
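When zdebug scrolls past faster than you can read, tallying the drop lines is more useful than eyeballing them. The following is an added example, not part of the original post: a small shell/awk summary that counts drops by reason and by source address. The sample lines are constructed for the example and modelled on the "fw_log_drop ... Reason:" message format; they were not captured from a real gateway.

```shell
#!/bin/sh
# Added example (not from the original post): summarise "fw ctl zdebug drop"
# output by drop reason and by source IP so the cause of a burst stands out.

# Constructed sample lines, modelled on the fw_log_drop message format.
# Not captured from a real gateway.
SAMPLE_DROPS=';[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=6 10.30.11.83:51234 -> 192.168.1.10:443 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 12;
;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=6 10.30.11.83:51235 -> 192.168.1.10:443 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 12;
;[cpu_0];[fw4_1];fw_log_drop_ex: Packet proto=17 172.16.5.5:3478 -> 10.30.11.83:3478 dropped by fw_antispoof_log Reason: Address spoofing;
;[cpu_2];[fw4_2];fw_log_drop_ex: Packet proto=6 10.30.11.84:40000 -> 8.8.8.8:53 dropped by fw_send_log_drop Reason: Rulebase drop - rule 7;
;[cpu_2];[fw4_2];fw_log_drop_ex: Packet proto=6 10.30.11.83:51236 -> 192.168.1.10:443 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 12;'

# drop_summary reason|src  < zdebug output
# Prints "count key" lines, most frequent first.
drop_summary() {
    awk -v mode="$1" '
    /dropped by/ {
        key = $0
        if (mode == "reason") {
            sub(/.*Reason: /, "", key)             # keep the text after "Reason: "
            sub(/;$/, "", key)                      # strip the trailing ";"
        } else {
            sub(/.*Packet proto=[0-9]+ /, "", key)  # drop everything before the source
            sub(/:.*/, "", key)                     # keep the IP, drop ":port -> ..."
        }
        n[key]++
    }
    END { for (k in n) printf "%d %s\n", n[k], k }
    ' | sort -rn
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_DROPS" | drop_summary reason
printf '%s\n' "$SAMPLE_DROPS" | drop_summary src
```

On a gateway you would feed a short, bounded capture into it, for example the first couple of thousand lines of `fw ctl zdebug drop`, rather than leaving the debug running; the point of the summary is to tell "one noisy host hitting one rule" apart from "anti-spoofing on a new subnet" in a few seconds.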
cpstat fw |
Quickly see statistics on the number of connections (accepted, denied, logged) with a per-interface breakdown.
If the FW was under a high load I would usually run "watch --interval=1 'cpstat fw'" (you would see in real time the interface that is causing this). |
fw tab -s -t connections |
Allowed me to quickly see how much load is (and was, i.e. the "peak") on the FW. |
cphaprob stat |
Used to see the state of the cluster and of each member. |
fwaccel stats -s |
To check SecureXL acceleration status on the FW: how much traffic is accelerated versus handled by the firewall path. |
cphaprob -a if |
Used for cluster troubleshooting: verify that all cluster interfaces are UP and see the virtual IP address of each cluster interface. |
cpwd_admin list |
A great way to explain the Check Point watchdog: run the command under watch -d, then from another terminal kill one of the listed PIDs and observe how the watchdog brings the process back.
It is also a great way to see that everything is up. |
cpview -t |
Used often to review memory and core usage at any snapshot in time (cpview history mode), e.g. when getting a device back from a checkup or reviewing a DAT file. |
fw stat |
Shows which policy is loaded on the current gateway and which interfaces it has seen traffic on. |
fw fetch mastername |
Fetches the policy from the management station named mastername. You can also use localhost to reload the previously installed (locally cached) policy on the gateway. |
push_cert -s Cust_CMA -u admin -p adminpw -o examplegw -k test123 |
Used on the management to establish SIC with a newly installed security gateway without using SmartConsole or SmartDashboard, which makes it extremely useful in automation scenarios.
-s Cust_CMA: management or CMA IP/hostname (can be localhost)
-u admin: username of an admin user in SmartConsole/SmartDashboard
-p adminpw: password of the admin user specified above
-o examplegw: name (in SmartConsole/SmartDashboard) of the gateway to establish SIC with
-k test123: SIC one-time password (must match what was entered on the gateway during the first-time wizard)
Note that the admin password and the SIC one-time password passed on the command line end up in the shell history and are visible to other local users via ps while the command runs, so in scripts read them from a protected file or prompt for them rather than hard-coding them. |
fw monitor |
Runs a live kernel-level packet capture that shows each packet at the inspection points (i, I, o, O), so you can see where in the chain a packet disappears; use -e with an INSPECT filter expression to limit the capture to the hosts of interest. |
fw ctl affinity -l -v -r |
A useful command when you are trying to fine-tune the affinity of an interface's IRQ to a CPU core. This is especially useful when an interface receives so much traffic that it deserves more "horsepower" and should not be sharing CPU time with other interfaces. It lists which interface is connected to which IRQ on which core. "fw ctl affinity -s" will subsequently allow you to set the values. |
netstat -ni |
Check for drops and errors on interfaces (the RX-DRP, RX-ERR, TX-DRP and TX-ERR columns). |
cpstat mg |
Shows the management server's connected clients and status. |
cpstat ha -f all |
Shows cluster state synchronization details. |
cpstat blades |
Shows packets accepted and dropped, peak connections, and top rule hits, per blade. |
cprid_util (--help) |
This command allowed me to execute commands, transfer files, etc. on a remote gateway without needing credentials. I was able to use it to copy a new shadow file to the remote gateway when the password was lost/corrupted. |
fw tab -u -t connections | awk '{ print $2 }' | sort -n | uniq -c | sort -nr | head -10 |
This shows the top ten source IPs hogging slots in the connection table, in descending order. The addresses are printed as hex, so you need to convert them to dotted decimal manually, one octet per pair of hex digits, like so: 0a1e0b53 = 10.30.11.83. For the top 10 destinations, substitute $4 for $2 in the awk command above. |
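Converting the hex addresses by hand gets old quickly. The following is an added example, not part of the original post: the same top-talkers pipeline with the hex-to-dotted-decimal conversion done in awk, selectable for source or destination. The sample table dump is constructed for the example in the layout the pipeline above relies on (direction, source, source port, destination, destination port, protocol as the first six fields, each followed by a comma); it was not taken from a real gateway, and the assumption that entries whose first field is 00000001 are reverse links of an already counted connection is the example's own, so adjust the filter if your table looks different.

```shell
#!/bin/sh
# Added example (not from the original post): top talkers from
# "fw tab -u -t connections" with hex addresses converted to dotted decimal.

# Constructed sample of a table dump in the layout the original pipeline
# expects: <dir, src, sport, dst, dport, proto; ...>. Not from a real gateway.
SAMPLE_TABLE='localhost:
-------- connections --------
dynamic, id 8158, num val 5, attributes: keep, sync, aggressive aging, expires 25
<00000000, 0a1e0b53, 0000c3a1, 08080808, 00000035, 00000011; ...>
<00000001, 08080808, 00000035, 0a1e0b53, 0000c3a1, 00000011; ...>
<00000000, 0a1e0b53, 0000c3a2, c0a80101, 000001bb, 00000006; ...>
<00000000, 0a1e0b53, 0000c3a3, c0a80101, 000001bb, 00000006; ...>
<00000000, 0a1e0b54, 0000c3a4, c0a80101, 000001bb, 00000006; ...>
<00000000, c0a80105, 0000c3a5, 0a1e0b53, 00000016, 00000006; ...>'

# top_talkers src|dst N  < fw tab output
# Prints "count ip" for the N busiest source or destination addresses.
top_talkers() {
    case "$1" in
        dst) col=4 ;;   # destination address is the 4th field
        *)   col=2 ;;   # source address is the 2nd field
    esac
    awk -v col="$col" '
    # "0a1e0b53," (the field keeps its trailing comma) -> "10.30.11.83"
    function hex2ip(h,    i, v, out) {
        gsub(/,/, "", h)
        h = tolower(h)
        for (i = 1; i <= 7; i += 2) {
            v = (index(HEX, substr(h, i, 1)) - 1) * 16 + index(HEX, substr(h, i + 1, 1)) - 1
            if (i == 1) out = v; else out = out "." v
        }
        return out
    }
    BEGIN { HEX = "0123456789abcdef" }
    # Count forward entries only; 00000001 rows are assumed (see lead-in) to be
    # the reverse link of a connection already counted, with src/dst swapped.
    /^<00000000,/ { n[$col]++ }
    END { for (k in n) printf "%d %s\n", n[k], hex2ip(k) }
    ' | sort -rn | head -n "$2"
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_TABLE" | top_talkers src 10
printf '%s\n' "$SAMPLE_TABLE" | top_talkers dst 10
```

On a gateway, `fw tab -u -t connections | top_talkers src 10` replaces the whole original pipeline; reading the table once into awk also avoids the sort/uniq/sort passes over a table that may hold hundreds of thousands of entries.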
fw getifs |
Shows interfaces, IP addresses and subnet masks in a quick, easy format. I do this almost every time I log in to quickly orient myself. |
fw ctl multik stat |
Shows connections and peak connections per CoreXL kernel instance. |
./CentralDeploymentTool -generate Candidates_List.csv |
The Central Deployment Tool (CDT) is a utility that runs on an R77 / R77.X / R80 / R80.10 Security Management Server / Multi-Domain Security Management Server (running Gaia OS). It allows the administrator to automatically install CPUSE offline packages (Hotfixes, Jumbo Hotfix Accumulators (Bundles), upgrades to a minor version, upgrades to a major version) on multiple managed Security Gateways and Cluster Members at the same time. |
./vsx_provisioning_tool -s localhost -u user -p pwd -o add vd name VSW1 vsx VSX1 type vsw |
The VSX Provisioning Tool allows the VSX administrator to add and remove Virtual Devices (VS, VR, VSW), interfaces and routes from the command line of a Security Management Server / Multi-Domain Security Management Server. This allows the automation of the required VSX provisioning operations in the environment. (sk100645) |
cpwd_admin start -name <application name> -path <executable path> -command <command line>
cpwd_admin stop -name <application name> [-path <executable path> -command <command line>] |
Great for restarting a single watchdog-monitored process without cpstop/cpstart or a reboot. -name is the process name as shown by cpwd_admin list, -path the executable, -command the command line the watchdog should run. |
cpstat threat-emulation -f file_type_stat_file_scanned |
If you use Threat Emulation and want to see a breakdown of scanned files by file type (helpful when tuning your TE policy), use this command. |
clusterXL_admin up/down |
To force the cluster node into a particular state (good for forcing a failover in a healthy cluster so I can do work on a node). |
vpn tu |
Opens the VPN tunnel utility to list IKE/IPsec security associations and delete stale ones for a peer gateway that has hiccupped, which forces the tunnel to be renegotiated. |
enabled_blades |
Lists the blades that the management server has enabled on the gateway (run in expert mode). |
installed_jumbo_take |
Shows which Jumbo Hotfix Accumulator (JHFA) take is installed (does not exist on a base R77.30 install; a JHFA must be installed, and run it in expert mode). |
cphaconf cluster_id get |
Useful to see the cluster magic ID if it has been changed from the default. |
ips stat |
See whether IPS is enabled and which profile it is running. When troubleshooting connectivity issues, ips off / ips on is useful too for ruling IPS in or out (remember to turn it back on). |
ethtool -p <interface_name> |
Flashes/blinks the LED of an interface in order to physically identify the interface in question on a machine.
Note: this does not work on all types of interface cards. |
dbget -rv routed |
Dumps the routing configuration from the Gaia database, including routes that are configured but not currently active. |
cprid_util -server x.x.x.x -verbose rexec -rcmd "command" |
Remotely executes a command on a gateway from the management server. It authenticates with SIC trust rather than user credentials and the command runs as root on the target, so anyone with a shell on the management server effectively has root on every managed gateway; protect expert access on the management accordingly. |
sed -i 's/text/newtext/' file.name |
Find and replace in a file in place, instead of opening it in vi (add g after the last slash to replace every occurrence on a line, not just the first). |
watch -n 0.5 -d cpstat fw |
You can use cpstat fw or any other command; the '-d' flag makes the auto-refresh highlight the changes. Perfect for spotting increments in hit counters, or with 'df -h' to spot a hard drive filling up during upgrade processes. |
du -sk * | sort -n |
Got a full hard drive and no idea where the large files are? Here you go. |
fw tab -t fwx_alloc -x |
Not had to use this for a few years now, but having the gateway suddenly drop connections due to a full NAT table isn't fun. This isn't the cleanest way to clear the table, but it is possibly the best knee-jerk fix to get instant relief on the traffic flow. |
fw sam -v -s 10.1.1.1 -f ClusterName -t 7200 -J src 8.8.8.8 |
The SAM rule. Nothing cooler than an instant block of a malicious IP. |
echo 1 > /proc/cpkstats/fw_worker_0_stats |
Activates fw worker statistics (per CoreXL instance; change the 0 for the other workers). |
cat /proc/cpkstats/fw_worker_0_stats |
Reads the fw worker statistics. |
fw unloadlocal |
Unloads the local policy from the gateway. This leaves the gateway without a policy, i.e. unprotected, so only use it from console access in an emergency and reinstall the policy right afterwards. |
cpprod_util FwIsActiveManagement |
To find out the current status of the management server in a management HA setup: 1 = Active, 0 = Standby. Run on the Security Management Server. |
cp_conf sic state |
Shows the trust state of SIC (all Check Point products). |
cpstat os -f ifconfig |
Really nice summary of interface statistics. |
fw ctl multik stat |
This will tell you how hard your cores are getting hit with connections, per CoreXL instance. |