If you need to index old log files into Smartlog, it may be necessary to edit the file that tracks which files Smartlog has already indexed.
The file is $SMARTLOGDIR/data/FetchedFiles
Wednesday, September 30, 2015
Monday, September 28, 2015
CheckPoint - policy installation timing
Every now and then I have issues with policy installation on Checkpoint firewalls.
This may be due to a lot of different causes.
On one occasion I opened a case with CP TAC and they provided a useful document (How To Troubleshoot Policy Installation Issues) that can also be found in sk65385.
Policy installation can fail for a number of reasons and for most of them an SK can help:
Friday, September 25, 2015
Checkpoint firewall - Connection table analysis
Here are a few commands that I usually use to verify the status of a Checkpoint gateway.
First of all, let's check the connections managed by the firewall by dumping the connections table to a file:
fw tab -t connections -u > /var/log/$(hostname)_Connections_Table.txt
Copy this file to a Windows machine with connstat.exe.
Download connstat from Checkpoint.
Run connstat.exe:
connStat.exe -f Name_of_Table_File.txt [-a|-c|-s|-r|-l|-p|-d|-n <number>] > Name_of_Output_File.txt
Usage: connStat -f <Table File> [-a|-c|-s|-r|-l|-p|-d|-n <num>]
-a Show all flags
-c Connection state info
-s Top X Services used
-r Top X Rule used
-l Top X Least Used Rules
-d Top Clients and Servers
-i Interfaces connection directions
-p Top Protocols
-n Specify X
Here is a sample output generated by connstat:
Total Number of connections: 21958
============================
Started: 5809
Established: 11986
Closed: 3682
Half Closed: 481
Top 10 Services:
================
Service: 443 Hits: 5877 Rules: 29,400,72,104,100,377,189,330,16,119,198,159,224,332,269,201,105,277,60,241,234,209,352,326,101,199,382,278
Service: 53 Hits: 4544 Rules: 35,73,72,188,189,25,0,101
Service: 9081 Hits: 3021 Rules: 225,240
Service: 80 Hits: 1469 Rules: 331,326,119,72,73,16,101,235,222,60,283,112,278,327,352,330,118,382,386
Service: 8008 Hits: 1083 Rules: 72
Service: 8080 Hits: 891 Rules: 72,101,73,395,66,62,267
Service: 0 Hits: 562 Rules: 16,72,66,73,67,0,195,101
Service: 8010 Hits: 356 Rules: 72
Service: 161 Hits: 267 Rules: 72,73,16,101
Service: 18192 Hits: 249 Rules: 0
Top 10 Rules:
=============
Rule: 240 Hits: 3004 -- this rule should be moved higher
Rule: 72 Hits: 2946
Rule: 29 Hits: 2841
Rule: 105 Hits: 2658
Rule: 00 Hits: 1815
Rule: 73 Hits: 1093
Rule: 35 Hits: 1015
Rule: 188 Hits: 1005
Rule: 331 Hits: 823 -- this rule should be moved higher
Rule: 189 Hits: 624 -- this rule should be moved higher
Top 10 Least Used Rules:
========================
Rule: 234 Hits: 1
Rule: 258 Hits: 1
Rule: 229 Hits: 1
Rule: 127 Hits: 1
Rule: 26 Hits: 1
Rule: 292 Hits: 1
Rule: 348 Hits: 1
Rule: 06 Hits: 1
Rule: 251 Hits: 1
Rule: 187 Hits: 1
The file gives a lot of information that you can study to better optimize the firewall's performance.
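As a follow-up to the report above, an added example (not from the original post or from Check Point): a Python script that parses a connStat text report and lists busy rules that sit deep in the rulebase, together with the services that hit them. The sample report is a constructed excerpt in the same layout, and the position and hit thresholds are illustrative assumptions.

```python
import re
from collections import defaultdict
# Constructed sample: a shortened excerpt in the same layout as the connStat report.
SAMPLE_REPORT = """\
Top 10 Services:
================
Service: 53 Hits: 4544 Rules: 35,73,72,188,189,25,0,101
Service: 9081 Hits: 3021 Rules: 225,240
Service: 80 Hits: 1469 Rules: 331,326,119,72,73,16,101
Top 10 Rules:
=============
Rule: 240 Hits: 3004
Rule: 72 Hits: 2946
Rule: 00 Hits: 1815
Rule: 331 Hits: 823
Rule: 189 Hits: 624
Top 10 Least Used Rules:
========================
Rule: 234 Hits: 1
"""

SERVICE_RE = re.compile(r"^Service:\s*(\d+)\s+Hits:\s*(\d+)\s+Rules:\s*([\d,]+)")
RULE_RE = re.compile(r"^Rule:\s*(\d+)\s+Hits:\s*(\d+)")
HEADING_RE = re.compile(r"^Top \d+ (.+):\s*$")

def parse_report(text):
    """Return (rule_hits, rule_services) parsed from a connStat text report."""
    rule_hits, rule_services, section = {}, defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        if (m := HEADING_RE.match(line)):
            section = m.group(1)  # e.g. "Services", "Rules", "Least Used Rules"
        elif (m := SERVICE_RE.match(line)):
            for rule in m.group(3).split(","):
                rule_services[int(rule)].append(int(m.group(1)))
        elif section == "Rules" and (m := RULE_RE.match(line)):
            rule_hits[int(m.group(1))] = int(m.group(2))  # "00" becomes rule 0
    return rule_hits, dict(rule_services)

def reorder_candidates(rule_hits, rule_services, min_position=150, min_hits=500):
    """Busy rules deep in the rulebase; both thresholds are illustrative assumptions."""
    found = [(rule, hits, sorted(rule_services.get(rule, [])))
             for rule, hits in rule_hits.items()
             if rule >= min_position and hits >= min_hits]
    return sorted(found, key=lambda item: item[1], reverse=True)

if __name__ == "__main__":
    for rule, count, svc in reorder_candidates(*parse_report(SAMPLE_REPORT)):
        print(f"rule {rule}: {count} hits, services {svc}")
```

The connections table is a point-in-time snapshot, so repeat the dump at different times of day before reordering rules or treating a low hit count as evidence that a rule is unused.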
Speedtest sites
Today I have found this website (ramnode.com) that provides files for a real speedtest.
You can download either a 100MB or 1000MB file from US locations or the Netherlands.
New York City:
http://lg.nyc.ramnode.com
Atlanta:
http://lg.atl.ramnode.com
Seattle:
http://lg.sea.ramnode.com
Los Angeles:
http://lg.la.ramnode.com
The Netherlands:
http://lg.nl.ramnode.com
To test from the command line:
wget -v http://lg.nl.ramnode.com/static/1000MB.test
--2015-09-25 14:04:30-- http://lg.nl.ramnode.com/static/1000MB.test
Resolving lg.nl.ramnode.com (lg.nl.ramnode.com)... 176.56.238.3, 2a00:d880:3:1::787:d6bd
Connecting to lg.nl.ramnode.com (lg.nl.ramnode.com)|176.56.238.3|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1000000000 (954M) [application/octet-stream]
Saving to: ‘1000MB.test’
100%[====================================================================================================================================================>] 1,000,000,000 67.2MB/s in 12s
2015-09-25 14:04:42 (81.2 MB/s) - ‘1000MB.test’ saved [1000000000/1000000000]
Update -- January 11th 2017
Here is another useful website
http://www.thinkbroadband.com/download.html
Thursday, September 24, 2015
Checkpoint - cplic not showing contract info
Sometimes the cplic print command on a gateway does not display contract information.
This may prevent updates from being downloaded from the Checkpoint cloud.
You can use the contract_util command to download the contract info from the Smartcenter:
Expert# contract_util mgmt
fetching contracts data from managment
download from management result: Contract verification succeeded. Your gateway is eligible for upgrade according to Check Point licensing agreement.