cpwiki.net - New pages [en]

First time config "wizard" via CLI mode

2025-10-24T14:26:10Z

Nighthawk: Created page with " == Creating a configuration file == # '''config_system -t <File Name>''' === configuration file validation === # config_system --config-file <File Name> --dry-run == run..."

== Creating a configuration file ==
# '''config_system -t <File Name>'''

=== configuration file validation ===
# config_system --config-file <File Name> --dry-run

== running config with template file ==
# config_system -f <File Name>

fortinet create api user via CLI

2025-04-28T17:20:15Z

Nighthawk: Created page with " To create a REST API administrator in the CLI: config system api-user edit "api-admin" set comments <string> set api-key ************ set acc..."

To create a REST API administrator in the CLI:

config system api-user
edit "api-admin"
set comments <string>
set api-key ************
set accprofile "API profile"
set vdom "root"
set peer-auth enable
set peer-group <group>
config trusthost
edit 1
set ipv4-trusthost <class_ip&net_netmask>
next
...
end
next
end

Generate the API token:

# execute api-user generate-key <API username>

[[category:fortinet]]

API for logs manpage

2025-03-26T22:35:54Z

Nighthawk:

==For a new logs query==
'''mgmt_cli show-logs new-query.filter product:<product name> new-query.time-frame <time-frame> new-query.max-logs-per-request <limit>'''

filter - The filter as entered in SmartConsole/SmartView. Type: String

time-frame - Specify the time frame to query logs. Type: String

  Valid values: last-7-days last-hour today last-24-hours yesterday this-week this-month last-30-days all-time custom Default: last-7-days

custom-start - Must be in ISO861 format. Type: String

custom-end - Must be in ISO861 format. Type: String

max-logs-per-request - Valid values: 1-100 Default: 10 Type: String

type - Type of logs to return. Valid values: logs, audit. Default: logs

log-servers - List of IPs of log servers to query. Default: all

==To get results for top statistics==
'''mgmt_cli show-logs new-query.filter product:<product name> new-query.top.field blades new-query.top.count <number> --format json -r true'''

count - Valid values: 1-50

field - Valid values: sources destinations services actions blades origins users applications

==To get more results for an existing query==
'''mgmt_cli show-logs query-id <query-id> --session-id <session-id>'''

query-id - Get the next page of the last run query with a specified limit.

ignore-warnings - Ignore warnings if they exist. Type: Boolean

==Limitations==
The parameter "time-frame" in the API command does not accept this format as input:

   yyyymmddThhmmssZ

The command does not support non-index mode log queries.

[[category:api]]

big-ip notes

2024-10-04T19:06:57Z

Nighthawk:

get pool membership by node IP via CLI
# '''tmsh -q -c "cd /; list ltm pool one-line recursive" | grep <ip address>'''

==links==

[https://community.f5.com/kb/codeshare/big-ip-upgrade-procedure-using-cli-vcmp-guest--host/280685 BIG-IP Upgrade Procedure Using CLI (vCMP Guest & Host)]

[https://networkproguide.com/f5-big-ip-cli-commands-cheat-sheet/ Big-ip cheat sheet]
[[category:f5]]

vsx notes

2024-07-03T03:50:29Z

Nighthawk:

==performance optimization==
concurrent connections sizing - automatic setting not available for VSX. this must be hard coded and monitored.
==troubleshooting==

show status
[Expert@MyVsxGW:2]# '''vsx stat -v'''
VSX Gateway Status
==================
Name:
VSX1_192.168.3.241
Access Control Policy: VSX_Cluster_VSX
Installed at:
20Sep2019 22:06:33
Threat Prevention Policy: <No Policy>
SIC Status:
Trust
Number of Virtual Systems allowed by license:
25
Virtual Systems [active / configured]:
2 / 2
Virtual Routers and Switches [active / configured]:
0 / 0
Total connections [current / limit]:
5 / 44700
Virtual Devices Status
======================
ID | Type & Name | Access Control Policy | Installed at | Threat Prevention Policy | SIC Stat
-----+-------------+-----------------------+-----------------+--------------------------+---------
1 | S VS1 | VS_Policy | 20Sep2019 22:07 | <No Policy> | Trust
2 | S VS2 | VS_Policy | 20Sep2019 22:07 | <No Policy> | Trust

set the context to the appropriate Virtual System with "vsenv <ID|name>
# '''vsenv 2'''

get interfaces
# '''fw getifs'''

fortinet downloads

2024-06-20T21:18:53Z

Nighthawk:

https://support.fortinet.com/Download/FirmwareImages.aspx

[[category: fortinet]]

fortimanager VM notes

2024-06-20T18:05:10Z

Nighthawk: Created page with "==version 6.4== this version was used because higher versions were failing on the trial license for me. ==console login== default login = admin / (empty password) ==initial c..."

==version 6.4==
this version was used because higher versions were failing on the trial license for me.
==console login==
default login = admin / (empty password)

==initial config==

config system interface
edit port1
set mode static
set ip 10.1.1.100 255.255.255.0
next
end
config system route
edit 1
set device port1
set gateway 10.1.1.1
next
end

==license==

connect a browser via https to the IP above. You get a message about signing into forticloud for the trial license. Login and proceed and hope for a message of success. I forgot to screenshot it.

view VM license via CLI.

FMG-VM64-KVM # '''diag debug vminfo'''
VM license is valid.
Type: Trial
Max devices: 3
Management IP: 0.0.0.0
VM UUID: 2da3fe28-143d-415f-9939-2d8f8c6ce433

no expiration date... yay! too bad it is so old.

[[category:fortinet]]

cisco asa notes

2024-06-20T03:16:13Z

Nighthawk:

==Getting Started==
===Accessing the Appliance Command-Line Interface===

This following prompt indicates that you are in user EXEC mode. Only basic commands are available from user EXEC mode.
hostname>

To access privileged EXEC mode, enter the following command:
hostname> '''enable'''

The prompt changes to the following:
hostname#

To exit privileged mode, enter the disable, exit, or quit command.

access global configuration mode
hostname# '''configure terminal'''

The prompt changes to the following:
hostname(config)#

===configure base system===

set firewall mode to transparent or routed? (Optional)

example config... can paste on command line over console
ASA Version 9.18.4
!
console serial
interface management0/0
nameif management
security-level 100
ip address 192.168.100.254 255.255.255.0
no shutdown
interface gigabitethernet0/0
nameif inside
security-level 100
ip address 10.100.0.254 255.255.255.0
no shutdown
interface gigabitethernet0/1
nameif outside
security-level 0
ip address 172.16.100.254 255.255.255.0
no shutdown
http server enable
http 192.168.100.0 255.255.255.0 management
crypto key generate rsa modulus 1024
username admin password admin
ssh 192.168.100.0 255.255.255.0 management
aaa authentication ssh console LOCAL

save config
hostname(config)# '''write memory'''

==VM notes==

KVM graphical console stops after...
Booting the kernel.

at this point he VM is outputing to the virtual serial console. There are similar experiences on VMware.

reboot logs

2024-01-17T15:30:03Z

Nighthawk: Created page with "reboot log location /var/log/reboot.log especially significant for maestro, config reboot reasons... /var/log/configuration_reboot_reason.log"

reboot log location
/var/log/reboot.log

especially significant for maestro, config reboot reasons...
/var/log/configuration_reboot_reason.log

opengear console notes

2023-12-15T15:17:54Z

Nighthawk:

to enter portmanager shell, run ''pmshell''

example:
$ pmshell
1: Router 4: PDU 6: ISR 8: Switch
33: Front, Upper 34: Front, Lower
 Connect to port >

to connect to a port, just type the number followed by <enter>

escape character:

* By default, the escape character is: ~
* If you are connected using the OpenSSH command line client, e.g. from Mac or Linux system, you must type a second ~ to trigger the escape, i.e.: ~~
* An alternate escape character may be set under Serial & Network -> Serial Port -> Edit/Edit Multiple Ports -> Escape Character
* The escape character must be the first character on a new line

Shell Commands:
~b - Generate BREAK
~h - View history
~p - Power menu
~c - Port Configuration menu
~u – User sessions disconnect menu
~m - Connect to port menu
~. - Exit pmshell
~? - Show this message

cpuse deployment agent logging

2023-10-24T02:16:41Z

Nighthawk:

tail -f /opt/CPInstLog/DeploymentAgent.log

asg policy - manpage

2023-10-20T21:39:11Z

Nighthawk: Nighthawk moved page asg policy - manpage to asg policy - command without leaving a redirect

==asg policy==

==Description==
Use the "asg policy" command in GaiaClosed gClish or the Expert mode to perform policy-related actions.

==Syntax==

asg policy -h 
asg policy {verify | verify_amw} [-vs <VS IDs>] [-a] [-v] 
asg policy unload [--disable_pnotes] [-a] 
asg policy unload --ip_forward

maestro reference

2023-10-20T21:28:26Z

Nighthawk:

==security groups==
Single Management Object (SMO) handles all management tasks, such as Security Gateway configuration, policy installation, remote connections, and logging. The Active Security Group Member with the lowest ID number is automatically assigned to be the SMO.

identify the SMO and tasks
# asg stat -i tasks

===policy installation===
Management ServerClosed installs the policy on the SMO Master and then it is copied to the other UP members. Use [[asg policy - command|asg policy]] to verify or unload a policy.
===Synchronizing Policy and Configuration Between Security Group Members===

synchronize the policies manually to a SG member
asg_blade_config pull_config

==Managing Security Groups==
===Connecting to a Specific Security Group Member ===
# member <Member ID>
or
# m <Member ID>

connecting to member in specific SG
# m <Security Group ID> <Member ID>

==HA==
clusterXL_admin up

==orchestrator==

get port transiever typoe
> show maestro port x optic info

fortinet CLI notes

2021-12-02T16:29:53Z

Nighthawk: /* logging */

==vdom==
entering editing a vdom

# config vdom
(vdom) # edit myvdom
(myvdom) #

==interface commands==
===configure===
example
# config system interface
# edit port1
# set mode static
# set ip 10.1.1.1 255.255.255.0
# next
# end

===get info==
for admin status, link stat, speeds, counters...
# config global
# get hardware nic <interface name>

==routes==
# config router static
# edit <route_index>
# set device "<interface_name>"
# set dst "<destination_ip>"
# set gateway "<router_ip>"

for default gw..
# set dst 0.0.0.0 0.0.0.0
or just leave the line out.

HA status
# config global
# get sys ha status

HA failover to highest priority (if it is not currently Master)
on current master run...
# config global
# diagnose sys ha reset-uptime

get admin hash password
# config global
# config sys admin
# show

uptime
# config global
# get system perf status | grep -i uptime

shutdown/reboot

# execute shutdown
or
# execute reboot

==firewall==
# show firewall policy

==packet capture==

# diagnose sniffer packet <interface|any> '<tcpdump-filter>' <verbosity> <count> <time-format>

verbosity of 4 will show the port name

where if count = 0, then unlimited

example:
fotinet1 # '''diagnose sniffer packet port1 'icmp'''' 4 2 l
interfaces=[port1]
filters=[icmp]
2022-08-25 13:16:52.397609 port1 -- 192.168.169.76 -> 192.168.169.31: icmp: echo request
2022-08-25 13:16:52.397673 port1 -- 192.168.169.31 -> 192.168.169.76: icmp: echo reply

==misc==

check if fortigate has fortimanager central-management setting
$ show full-configuration | grep "set fmg "

==default login==

VM images = admin / (empty password)

==logging==
[https://community.fortinet.com/t5/FortiGate/Technical-Tip-Displaying-logs-via-FortiGate-s-CLI/ta-p/193027 Displaying logs via FortiGate's CLI]

set log filter to view category with traffic logs
execute log filter category 0
set log filter to view logs from local disk
execute log filter device 0
view log filter settings
execute log filter dump
reset log filter
execute log filter reset
example..

execute log filter category 0
execute log filter device 0
execute log filter field srcip 10.0.0.10
execute log filter field dstip 192.168.1.1
execute log display

[[category:fortinet]]

maestro change Chassis/SGM up/down state

2021-04-11T00:59:02Z

Nighthawk:

[Expert@MyChassis-ch01-01:0]# '''g_clusterXL_admin -b 1_1 up'''
You are about to perform blade_admin up on blades: 1_1
This action will change members state
 Are you sure? (Y - yes, any other key - no) y
 Blade_admin up requires auditing
Enter your full name: bob frapples
Enter reason for blade_admin up [Maintenance]:
WARNING: Blade_admin up on blades: 1_1, User: bob frapples, Reason: Maintenance
 Members outputs:
-*- 1 blade: 1_1 -*-
Setting member to normal operation ...
Member current state is ACTIVE

[[category:maestro]]

maestro setup

2021-04-08T18:33:29Z

Nighthawk:

single site and single MHO

version r80.20

mho-140

connected downlink ports

connect to MHO via mgmt port 0 on the back on default ip of 192.168.1.1

ssh to the orchestrator amount to 1 as the default is 2, at clish run
set maestro configuration orchestrator-amount 1
save config

if this step is skipped you will receive error message: "Fail to load security groups"

click on "orchestrator" on the left

should see appliances under unassigned gateways

....
gclish

>set smo image auto-clone state on

misc commands

asg_policy unload

log connection verification

2021-04-02T16:09:00Z

Nighthawk:

Expert@chkpfw2:0]# '''cpstat fw -f log_connection'''
 
Overall Status: 0
Overall Status Description: Security Gateway is reporting logs as defined
Local Logging Mode Description: Logs are written to log server
Local Logging Mode Status: 0
 
Log Servers Connections
--------------------------------------------
|IP |Status|Status Description |
--------------------------------------------
|192.168.144.80| 0|Log-Server Connected|
--------------------------------------------

netstat should show established connection to logging management server

[Expert@chkpfw2:0]# '''netstat -an | grep -i "257.*ESTABLISHED"'''
tcp 0 0 192.168.1.3:49571 192.168.1.80:257 ESTABLISHED

fwd restart to re-establish log connections

stop
# cpwd_admin stop -name FWD -path "$FWDIR/bin/fw" -command "fw kill fwd"

start
# cpwd_admin start -name FWD -path "$FWDIR/bin/fw" -command "fwd"

[[category:logging]]

snmp-extend to run custom script

2021-02-24T12:42:42Z

Nighthawk:

1) Create a script/command that monitors something on your system and output the result to stdout.
 example
 script: /usr/local/bin/check_everything.sh
 outputs either...
 STATUS: OK - everything good
 or
 STATUS: NOT OK!

2) Create entry in the SNMP config to the monitor script:
# vi /etc/snmp/userDefinedSettings.conf

add a line...
extend everything_status /bin/sh /usr/local/bin/check_everything.sh

3) restart snmpd
from clish, run "set snmp agent off" then run "set snmp agent on"

4) test it

with a walk

$ snmpwalk -On -v2c -c mycomstring 192.168.1.1 NET-SNMP-EXTEND-MIB::nsExtendObjects
.1.3.6.1.4.1.8072.1.3.2.1.0 = INTEGER: 1
.1.3.6.1.4.1.8072.1.3.2.2.1.2.15.102.119.112.111.108.105.99.121.95.115.116.97.116.117.115 = STRING: /bin/sh
.1.3.6.1.4.1.8072.1.3.2.2.1.3.15.102.119.112.111.108.105.99.121.95.115.116.97.116.117.115 = STRING:
/usr/local/bin/check_everything.sh
.1.3.6.1.4.1.8072.1.3.2.2.1.4.15.102.119.112.111.108.105.99.121.95.115.116.97.116.117.115 = STRING:
.1.3.6.1.4.1.8072.1.3.2.2.1.5.15.102.119.112.111.108.105.99.121.95.115.116.97.116.117.115 = INTEGER: 5
.1.3.6.1.4.1.8072.1.3.2.2.1.6.15.102.119.112.111.108.105.99.121.95.115.116.97.116.117.115 = INTEGER: exec(1)
.1.3.6.1.4.1.8072.1.3.2.2.1.7.15.102.119.112.111.108.105.99.121.95.115.116.97.116.117.115 = INTEGER: run-on-read(1)
.1.3.6.1.4.1.8072.1.3.2.2.1.20.15.102.119.112.111.108.105.99.121.95.115.116.97.116.117.115 = INTEGER: permanent(4)
.1.3.6.1.4.1.8072.1.3.2.2.1.21.15.102.119.112.111.108.105.99.121.95.115.116.97.116.117.115 = INTEGER: active(1)
.1.3.6.1.4.1.8072.1.3.2.3.1.1.15.102.119.112.111.108.105.99.121.95.115.116.97.116.117.115 = STRING: STATUS: OK - everything good
.1.3.6.1.4.1.8072.1.3.2.3.1.2.15.102.119.112.111.108.105.99.121.95.115.116.97.116.117.115 = STRING: STATUS: OK - everything good
.1.3.6.1.4.1.8072.1.3.2.3.1.3.15.102.119.112.111.108.105.99.121.95.115.116.97.116.117.115 = INTEGER: 1
.1.3.6.1.4.1.8072.1.3.2.3.1.4.15.102.119.112.111.108.105.99.121.95.115.116.97.116.117.115 = INTEGER: 0
.1.3.6.1.4.1.8072.1.3.2.4.1.2.15.102.119.112.111.108.105.99.121.95.115.116.97.116.117.115.1 = STRING: STATUS: OK - everything good

with a get

$ snmpget -v 2c -c mycomstring 192.168.1.1
.1.3.6.1.4.1.8072.1.3.2.4.1.2.15.102.119.112.111.108.105.99.121.95.115.116.97.116.117.115.1
NET-SNMP-EXTEND-MIB::nsExtendOutLine."fwpolicy_status".1 = STRING: STATUS: OK - everything good

checkpoint.com platform document page

2021-01-13T22:14:19Z

Nighthawk: Created page with "[https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doShowprelanding=&id=1 Downloads & Documentation Next Generation Firewalls]"

[https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doShowprelanding=&id=1 Downloads & Documentation Next Generation Firewalls]

interface monitoring via snmp

2020-06-19T18:20:34Z

Nighthawk:

notes... page in progress

[Expert@chkpfw1:0]# '''netstat -in'''
Kernel Interface table
Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0 1500 0 103695407 104 163 0 21955304 0 0 0 BMRU
eth1 1500 0 84889247 3 0 0 134888 0 0 0 BMRU
eth2 1500 0 51557348 0 0 0 0 0 0 0 BMRU
lo 16436 0 7173067 0 0 0 7173067 0 0 0 LRU

RX-DRP
[Expert@chkpfw1:0]# '''snmpget -v 2c -c NAGIOS 192.168.1.2 IF-MIB::ifInDiscards.2'''
IF-MIB::ifInDiscards.2 = Counter32: 163

RX-ERR
[Expert@chkpfw1:0]# '''snmpget -v 2c -c NAGIOS 192.168.1.2 IF-MIB::ifInErrors.2'''
IF-MIB::ifInErrors.2 = Counter32: 104

[Expert@chkpfw1:0]# '''snmpwalk -v 2c -c NAGIOS 192.168.1.2 | grep -i if.*UcastPkts'''
IF-MIB::ifInUcastPkts.1 = Counter32: 7173335
IF-MIB::ifInUcastPkts.2 = Counter32: 103699664
IF-MIB::ifInUcastPkts.3 = Counter32: 84893047
IF-MIB::ifInUcastPkts.4 = Counter32: 51559644
IF-MIB::ifInNUcastPkts.1 = Counter32: 0
IF-MIB::ifInNUcastPkts.2 = Counter32: 0
IF-MIB::ifInNUcastPkts.3 = Counter32: 0
IF-MIB::ifInNUcastPkts.4 = Counter32: 0
IF-MIB::ifOutUcastPkts.1 = Counter32: 7173335
IF-MIB::ifOutUcastPkts.2 = Counter32: 21956198
IF-MIB::ifOutUcastPkts.3 = Counter32: 134891
IF-MIB::ifOutUcastPkts.4 = Counter32: 0
IF-MIB::ifOutNUcastPkts.1 = Counter32: 0
IF-MIB::ifOutNUcastPkts.2 = Counter32: 0
IF-MIB::ifOutNUcastPkts.3 = Counter32: 0
IF-MIB::ifOutNUcastPkts.4 = Counter32: 0
HOST-RESOURCES-MIB::hrSWRunParameters.28716 = STRING: "-i if.*UcastPkts"
IF-MIB::ifHCInUcastPkts.1 = Counter64: 7173335
IF-MIB::ifHCInUcastPkts.2 = Counter64: 103699664
IF-MIB::ifHCInUcastPkts.3 = Counter64: 84893047
IF-MIB::ifHCInUcastPkts.4 = Counter64: 51559644
IF-MIB::ifHCOutUcastPkts.1 = Counter64: 7173335
IF-MIB::ifHCOutUcastPkts.2 = Counter64: 21956198
IF-MIB::ifHCOutUcastPkts.3 = Counter64: 134891
IF-MIB::ifHCOutUcastPkts.4 = Counter64: 0

snmp

2020-06-19T16:55:32Z

Nighthawk:

mib files location on check point device
$CPDIR/lib/snmp/

==mib descriptions and OID of interest==

appliance model
"svnApplianceProductName" "1.3.6.1.4.1.2620.1.6.16.7"

get check point version
"svnVersion" "1.3.6.1.4.1.2620.1.6.4.1"

example:
[Expert@chkpfw1:0]# '''snmpget -v2c -c public localhost 1.3.6.1.4.1.2620.1.6.4.1.0'''
SNMPv2-SMI::enterprises.2620.1.6.4.1.0 = STRING: "R80.20"

firewall connections
$ '''snmptranslate -Tz -m CHECKPOINT-MIB | grep -i fwnumconn'''
"fwNumConn" "1.3.6.1.4.1.2620.1.1.25.3"

$ '''snmpget -v 2c -c public 10.0.0.254 1.3.6.1.4.1.2620.1.1.25.3.0'''
SNMPv2-SMI::enterprises.2620.1.1.25.3.0 = Gauge32: 3310

[[category:snmp]]
[[category:monitoring]]

palo alto api

2019-09-16T22:44:17Z

Nighthawk: Created page with " [https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-panorama-api/get-started-with-the-pan-os-xml-api/explore-the-api.html PAN-OS® and Panorama™ API Guide] ==panxapi== co..."

[https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-panorama-api/get-started-with-the-pan-os-xml-api/explore-the-api.html PAN-OS® and Panorama™ API Guide]

==panxapi==
command line program for accessing the PAN-OS XML API

[https://github.com/kevinsteves/pan-python/blob/master/doc/panxapi.rst panxapi.py documentation]

[[category:palo alto]]
[[category:api]]

panorama api

2019-08-23T17:23:12Z

Nighthawk:

login for token / key
$ curl -k "https://<''hostname|ip''>/api/?type=keygen&user=<username>&password=<password>"

example...
curl -k "https://192.168.1.1/api/?type=keygen&user=admin&password=admin"
<response status = 'success'><result><key>LUFRPT1jMUFXZHlNdDBPVTEya0lQNWorTyttYURFNmM9UHdvL2REWWUyaWFIU1hlZHdiRU5BQT09</key></result></response>

Get a list of firewalls that Panorama manages:
https://<''hostname|ip''>/api/?type=op&cmd=<show><devices><all></all></devices></show>

curl example
curl -kg "https://192.168.1.1/api/?type=op&cmd=<show><devices><all></all></devices></show>&key=LUFRPT1jMUFXZHlNdDBPVTEya0lQNWorTyttYURFNmM9UHdvL2REWWUyaWFIU1hlZHdiRU5BQT09"

vmware nsx notes

2019-08-16T13:43:43Z

Nighthawk:

=NSX-T=
==Tier-0 Gateways==
A tier-0 gateway performs the functions of a tier-0 logical router. It processes traffic between the logical and physical networks.

An Edge node can support only one tier-0 gateway or logical router.

==documentation==
[https://docs.vmware.com/en/VMware-NSX-T-Data-Center/index.html VMware NSX-T Data Center Documentation]

[[category:vmware]]

cpuse notes

2019-07-18T15:18:31Z

Nighthawk:

[https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk92449&partition=General&product=All%22 sk92449 - Check Point Upgrade Service Engine (CPUSE) - Gaia Deployment Agent]

log file

/opt/CPInstLog/DeploymentAgent.log

mgmt cli on ubuntu

2019-05-14T16:10:45Z

Nighthawk: Created page with "[https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/mgmt-cli-on-Ubuntu/td-p/28706 mgmt_cli on ubuntu] category:api"

[https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/mgmt-cli-on-Ubuntu/td-p/28706 mgmt_cli on ubuntu]

[[category:api]]

ssh tunneling r80.x smartconsole GUI

2019-05-09T04:29:27Z

Nighthawk: Created page with "==disclaimer== this is not a recommended or secure configuration for production systems! ==sshd_config== modify the line AllowTcpForwarding no to AllowTcpForwarding ye..."

==disclaimer==
this is not a recommended or secure configuration for production systems!

==sshd_config==

modify the line

AllowTcpForwarding no

to

AllowTcpForwarding yes

and restart sshd
/etc/init.d/sshd restart

==ssh tunnel commands==
Main GUI connection - port 19009
# ssh -f -N -L <relay_host>:19009:<r80_mgmt_svr>:19009 username@<r80_mgmt_svr>

CRL download - port 18264
# ssh -f -N -L <relay_host>:18264:<r80_mgmt_svr>:18264 username@<r80_mgmt_svr>

ICA connection - port 18190 - needed for manipulating objects which have SIC attributes
# ssh -f -N -L <relay_host>:18190:<r80_mgmt_svr>:18190 username@<r80_mgmt_svr>

==GUI connection==
lauch the smartconsole and specify the <relay_host> ip or hostname as the destination

1.0 TLS disablement

2019-04-12T15:17:52Z

Nighthawk: Created page with "TLS 1.1 and above configure sk102989 + sk120846"

TLS 1.1 and above configure

sk102989 + sk120846

gaia log rotation settings

2018-05-23T15:36:51Z

Nighthawk: Created page with "found in... /etc/cpshell/log_rotation.conf"

found in...
/etc/cpshell/log_rotation.conf

r80.10 what is new

2018-04-24T15:27:54Z

Nighthawk: /* objects window */

==Unified Console==
===legacy apps gone?===
nope...
[[file:unified_and_legacy_consoles.png]]
===Multi-Domain login===
[[file:mds_login.png]]
===MultiDomain View===
[[file:multidomain_view.png]]
search is broken

===Gateway & Server View===

To use the MutliDomain view to launch a SmartConsole to the Domain(CMA) for a particular firewall of interest,
1) navigate to Gateways & Server View
2) find the firewall of interest
3) sort by Domain
4) right click the Domain Management object(CMA) in the same domain as the firewall and select View

[[file:gateway_view.png]]

===Global Policy Assingment===
[[file:global_assing.png]]

==Policy Layers and Sub-Policies==

==Security Policies View==
===tabbed policies===
===diffs===
objects window moved to the right side

policy install status lower left

===Publishing Changes===

===unpublished changes===
In earlier version of the SmartDashboard, if the client crashed or was disconnected then the changes were lost. This is not the case with r80+. Changes are saved on the Management server automatically. They do not take effect until published.

==troubleshooting==
error message
[[file:object_locked.png]]

this is often due to an unpublished session. The unpublished session can be found under

Manage & Settings > Sessions > View Sessions

Look for session with locks and changes. If the Connection Mode show "Disconnected", then it is likely the source of the issue. An administrator can Publish, Discard or Take Over the session with the SmartConsole.

[[file:session_disconnected.png]]

Static NAT for outgoing connections through gateway with ISP Redundancy

2018-02-11T17:55:11Z

Nighthawk: Created page with "[https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk25152&partition=Advanced&product=Security sk25152]"

[https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk25152&partition=Advanced&product=Security sk25152]

smartupdate license repository commands

2018-02-02T15:41:27Z

Nighthawk: /* cplic del - delete license from repo */

License Database/repository Operations:

taken from R77 CP_R77_CLI_ReferenceGuide.pdf

=='''cplic db_print''' - Print licenses in database/repository==
'''Description'''
Displays the details of Check Point licenses stored in the license repository on the Security
Management Server.
cplic db_print <object name | -all> [-n noheader] [-x print signatures] [-t type] [-a attached]

=='''cplic db_add''' - add license to device or repository==
'''Description'''
Used to add one or more licenses to the license repository on the Security Management server. When local license are added to the license repository, they are automatically attached to its intended Check Point gateway, '''central licenses need to undergo the attachment process(using cplic put)'''.
cplic db_add < -l license-file | host expiration-date signature SKU/features >

=='''cplic get''' - retrieve/sync repo with remote gateways==
'''Description '''
The cplic get command retrieves all licenses from a Security Gateway (or from all Security Gateways) into the license repository on the Security Management Server. '''This command helps you to synchronize the repository with the Check Point Security Gateways'''. When the command is run, all local changes are updated.
cplic get {<ipaddr>|<hostname>|-all} [-v41]
 example: pretend there was a hardware failure, and RMA was performed, the new firewall is up and running backup config produced by clish "show configuration" as run on the failed device prior to failure. the backup config doesn't include the license. this is the job of the license repository/database on the management device (smartcenter or provider-1 CMA). however; it will show as attached to the firewall because that was the last license status before the failure. so, to "detach" it in the repo we can run the command as follows...
 [Expert@chkpmgr1:0]# '''cplic get chkpfw1'''
 Getting licenses from chkpfw1 ...
 chkpfw1:
 Retrieved 1 licenses
 Detached 1 licenses
 Removed 0 licenses

=='''cplic put''' - add local or attach license remotely==
 '''Description '''
Use the cplic put command to attach one or more central or local license remotely. When this command is executed, the license repository is also updated.
cplic put <object name> [-ip dynamic ip] [-F <output file>] -l <license-file> [<host>] [<expiration date>] [<signature>] [<SKU/feature>

=='''cplic del''' - delete license from repo==
'''WARNING - use with care! deleting a license from an online gateway can cause an outage.'''
 '''Description'''
Delete a single Check Point license on a host, including unwanted evaluation, expired, and other licenses. Used for both local and remote machines
cplic del [-F <output file>] <signature> <object name>

[[category:license]]

[[category:cli]]

[[category:smartupdate]]

manager to firewall services

2018-01-19T20:13:33Z

Nighthawk: Created page with "manager / mgmt / MDM / CMA / smartcenter to firewall fw1 - tcp 256 fw1_lea - tcp 18184 fw1_sam - tcp 18183 fw1_ica_push - tcp 18211 cpd cpd_amon fw1_c..."

manager / mgmt / MDM / CMA / smartcenter to firewall

fw1 - tcp 256
 fw1_lea - tcp 18184
 fw1_sam - tcp 18183
 fw1_ica_push - tcp 18211
 cpd
 cpd_amon
 fw1_cprid
 cpmi

manual upgrade notes

2017-11-19T06:42:36Z

Nighthawk: Created page with "77.20 to 77.30 installer verions check... ..."

77.20 to 77.30

installer verions check...
cpvinfo $DADIR/bin/DAService | grep Build

upgrade installer
rpm -Uhv --force CPda-00-00.i386-1278.rpm

check base fw ver

installer import local Check_Point_R77.30_T204_Install_and_Upgrade.tgz

installer install Check_Point_R77.30_T204_Install_and_Upgrade.tgz

rebooted by installer

77.30 to hotfix to post build script

touch /etc/.wizard_accepted

cpconfig

rpm -ihv --force CPppak-R77-00.i386.rpm

reboot

cpconfig to enable securexl (not needed)

cpconfig to configure corexl instances

 configure $FWDIR/boot/modules/fwkern.conf
 (13800 example)
 fwx_nat_dynamic_port_allocation=1
 fwx_old_icmp_nat=1
 fw_drop_icmp_errors_over_tcp=1
 fwkern_optimize_drops_support=1
 fwha_monitor_if_link_state=0

clish> set core-dump enable

reboot

installer import local Check_Point_R77_30_JUMBO_HF_1_Bundle_T216_FULL.tgz

installer install Check_Point_R77_30_JUMBO_HF_1_Bundle_T216_FULL.tgz

reboot (installer)

# mkdir HF_INSTALL

# cd HF_INSTALL
# tar xvfz ../SecurePlatform_HOTFIX_R7730_T216_JHF_879.tgz
#./SecurePlatform_HOTFIX_R7730_T216_JHF_879_990879001_1

reboot

smartlog data path

2017-11-10T18:32:00Z

Nighthawk: Created page with "r77 index paths... /var/log/opt/CPmds-R77/customers/<customer_name>/CPSmartLog-R77/data/ default data kept = 14 days"

r77 index paths...

/var/log/opt/CPmds-R77/customers/<customer_name>/CPSmartLog-R77/data/

default data kept = 14 days

setting interface affinity

2017-10-22T04:19:32Z

Nighthawk:

example (77.30)

set affinity
# '''sim affinity -s'''
Usage : For each interface enter one of the following:
Return - To keep the default values (appearing in [ ])
all - To allow all processors for this interface
List of processors - A list of processor numbers between 0 and 19

eth1-01 [All] : '''0'''
eth1-02 [All] : '''0'''
eth2-01 [All] : '''1'''
eth2-02 [All] : '''2'''
eth3-01 [All] : '''3'''
eth3-02 [All] : '''4'''
eth3-04 [All] : '''5'''

check affinity
# sim affinity -l

or

# fw ctl affinity -l -r

r80 api reference

2017-10-04T15:18:34Z

Nighthawk:

==Management server API setup==
===enabling for remote IPs===
done the smartconsole

[[file:cp_mgmt_api_enable_all_IPs.png]]

it can also be enabled via mgmt_cli under "set api-settings"

===status check===

[Expert@chmkmgr1:0]# '''api status'''
 API Settings:
 <nowiki>-----------------</nowiki>
 Accessibility: Require all granted
 Automatic Start: Enabled
 Processes:
 Name State PID More Information
 <nowiki>-------------------------------------------------</nowiki>
 API Started 10763
 CPM Started 10460 Check Point Security Management Server is running and ready
 FWM Started 10007
 Port Details:
 <nowiki>----------------</nowiki>
 JETTY Internal Port: 50276
 APACHE Gaia Port: 443
 <nowiki>-------------------------------------------------</nowiki>
 Overall API Status: Started
 <nowiki>-------------------------------------------------</nowiki>
 API readiness test SUCCESSFUL. The server is up and ready to receive connections

==examples==
===logging in===
login and redirect session info to a file for reuse
# mgmt_cli login user admin > id.txt

same but read only
# mgmt_cli login user admin read-only true > id.txt

===search existing object===
search objects by IP, return all objects that contain the ip explicitly or within a nework address space/range.
# mgmt_cli -s id.txt show objects filter "192.168.1.1" ip-only true --format json | jq '.objects[] | {name: .name, subnet: .subnet4, mask: ."mask-length4"}'

return only objects with the EXACT ip

# mgmt_cli -s id.txt show objects filter "192.168.1.1" ip-only true details-level full --format json | jq '.objects[] | select(."ipv4-address" == "192.168.1.1") | .name'

*** details-level full will include more objects, including other stuff like type CpmiHostCkp (built in smartcenter object)

===access rules===
====notes before you begin====
when using the parameter "name" to refer to a particular package, it appears to require the following...
<package name> <layer name>

as shown by the show access-layers command below. Also, the output of show access-rulebase doesn't is limited to 50 rules. If you want more, I think you have to iterate though a set of offets until all the rules are dumped. That dump in json format is a bit confusing. If you have no "headers" or "titles" in the ruleset, you will get 1 rulebase[] array. If you have headers, each section is its own rulebase[] array with yet another rulebase[] array containing the actual rules.

What this means is the commands below may or may not work as you expect them to. The will likely need to be altered with mgmt_cli "offset" commands and/or modified jq commands...

for example, if you have NO headers in your policy and are running show access-rulebase, it will output the rules with

| jq '.rulebase[]'

if you DO HAVE headers, to output the rules you need

| jq '.rulebase[] | .rulebase[]'

====show access layers?====
[Expert@chmkmgr1:0]# '''mgmt_cli show access-layers -s id.txt --format json | jq '."access-layers"[].name'
"dropall Network"'''
"Network"

where "Network" represents the default policy package Standard

====examples====
show number of rules in policy
mgmt_cli show access-rulebase name "<layer>" -s id.txt --format json limit 1 | jq '.total'

display rule with uid = xxx

# '''mgmt_cli -s id.txt show access-rule layer "My_policy Network" uid "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx"'''

display src/dst/service from rule with uid
for i in source destination service; do echo $i; mgmt_cli -s id.txt show access-rule layer "<policy_name> <layer_name>" uid "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx" --format json | jq .$i[].name; done

alternate(inferior) way with jq
mgmt_cli show access-rulebase name "Network" -s id.txt package "Standard" show-hits true --format json | jq '.rulebase[] | select (.uid == "1de8fab0-4858-4067-977d-1cbb5cd2e55d") | ."rule-number"'
1

display rule number with comment containing a string haha
mgmt_cli show access-rulebase name "Network" -s id.txt package "Standard" show-hits true --format json | jq '.rulebase[] | select (.comments | contains("haha")) | {rulenum: ."rule-number", comment: .comments}'

====adding rules====

mgmt_cli -s id.txt add access-rule layer xxad70c9-b4c6-4e64-9bfd-d57ac91289f3 name new_rule

mgmt_cli -s id.txt add access-rule layer xx70adc9-b4c6-4e64-9bfd-d57ac91289f3 position top name new_rule

mgmt_cli -s id.txt set access-rule name "new_rule" layer "xx70adc9-b4c6-4e64-9bfd-d57ac91289f3" action "Accept" service add "https"

mgmt_cli -s id.txt set access-rule name "new_rule" layer "xx70adc9-b4c6-4e64-9bfd-d57ac91289f3" service.add "https"

===mds / domain===

get list of domains,objects(management and firewalls),object type
mgmt_cli.exe -s id.txt show gateways-and-servers --format json limit 500 | jq '.objects.nat,.name,.type' | xargs -n3

===log queries===
mgmt_cli -s id.txt show-logs new-query.filter "src:10.0.0.11 and service:https" new-query.time-frame last-hour new-query.max-logs-per-request 1 --format json | jq '.logs[] | {time: .time,fw: .orig,log_server: .orig_log_server,policy: .policy_name,action: .action,source: .src,dest: .dst,service: .service}'

{
"time": "2023-06-09T06:20:20Z",
"fw": "my_cp_fw1",
"log_server": "192.168.1.88",
"policy": "super_secure",
"action": "Accept",
"source": "10.0.0.11",
"dest": "204.79.197.203",
"service": "443"
}

==jq==
compound jq select using and/or (note: contains returns true/false)

| jq '.rulebase[] | .rulebase[] | select (.comments | (contains("hahaha") or contains("lol")) | not ) | {ruleUID: .uid, comments: .comments} '

and another one...
| jq '.rulebase[] | .rulebase[] | select ((.comments | (contains("hahah") or contains("lol") | not )) and (.enabled == true)) | {enabled: .enabled, rulenum: ."rule-number", ruleUID: .uid, comments: .comments} '

filter objects dictary for uid for accept action
jq '."objects-dictionary"[] | select (.name == "Accept") | .uid'

get cluster member policy installation targets

| jq -c '."installation-targets-revision"[] | ."cluster-members-revision"[] | ."target-name"' | tr -d '"' | tr '\n' ' '

get values without keys

example

with keys...
'''| jq '.objects[] | {name: .name,type: .type}''''
{
"name": chkp-fw",
"type": "simple-gateway"
}
{
"name": "chkp-mgmt",
"type": "checkpoint-host"
}

without keys, change from curly {} to square [] brackets and drop key references
'''| jq '.objects[] | [.name, .type]''''
[
"chkp-fw",
"simple-gateway"
]
[
"chkp-mgmt",
"checkpoint-host"
]

print all values on the same line, comma separated
'''| jq '.objects[] | [.name, .type] | join (",")'''
"chkp-fw simple-gateway"
"chkp-mgmt,checkpoint-host"

==curl==

curl -X POST -H "Content-Type: application/json" -d '{"userId": 5, "title": "Post Title", "body": "Post content."}'

curl -X -H POST -H "Content-Type: application/json" -d '{"user" : "jsmith", "password" : "abc123"}' 192.168.1.10:443/login

$ '''curl --insecure -X POST -H "Content-Type: application/json" -d '{"user" : "jsmith", "password" : "abc123"}' https://192.168.1.10:443/web_api/login'''
{
"uid" : "46a11170-e554-4e58-a5fc-65ff9e38d8cb",
"sid" : "dfq6sI1MxMT1qUhXQ7tafQduKAfJxYkqXCEjaQKjres",
"url" : "https://192.168.1.10:443/web_api",
"session-timeout" : 600,
"last-login-was-at" : {
"posix" : 1707413218074,
"iso-8601" : "2024-02-08T10:26-0700"
},
"api-server-version" : "1.8.1",
"user-name" : "jsmith",
"user-uid" : "c1109c35-d741-7jg8-98e3-36669b7047a2"

$ '''curl --insecure -X POST -H "Content-Type: application/json" -H "X-chkp-sid: dfq6sI1MxMT1qUhXQ7tafQduKAfJxYkqXCEjaQKjres" -d '{ }' https://192.168.1.10:443/web_api/keepalive'''
{
"message" : "OK"
}

==links==
[https://community.checkpoint.com/t5/General-Management-Topics/What-s-new-with-R80-20M1-Management-API/td-p/39522 What's new with R80.20M1 Management API]

[https://sc1.checkpoint.com/documents/latest/APIs/index.html#introduction~v1.4%20 r80 api reference]

[https://github.com/CheckPointSW/cp_mgmt_api_python_sdk official python open source api]

parsing json return output
[https://stedolan.github.io/jq/ jq]

[https://community.checkpoint.com/thread/1083 Parsing the output of mgmt_cli]

[https://devqa.io/curl-sending-api-requests/ How to Use CURL to Send API Requests]

Creating calculate GB in one days of logs for MLM

2017-10-03T15:43:59Z

Nighthawk:

to get log quantity for the last 24 hours(in GB on R77)...
mcd customers
# for CLM in *; do mdsenv $CLM; find $CLM/CPsuite-R77/fw1/log/*.log -mtime -1 | xargs ls -l | awk '{s+=$5} END {printf "%.0f", s; print "/1024/1024/1024"}' | bc -l; done | awk '{s+=$1} END {print s}'

get logs in GB per day for the last 7 days(R77)...
for CLM in *; do mdsenv $CLM; echo $CLM; for DAY in 1 2 3 4 5 6 7; do find $CLM/CPsuite-R77/fw1/log/*.log -mtime +`echo $DAY` -a -mtime -`expr $DAY + 2` | xargs ls -l | awk '{s+=$5} END {printf "%.0f", s; print "/1024/1024/1024"}' | bc -l; done; done

[[category:mlm]]
[[category:logging]]

hit counter

2017-09-21T15:57:57Z

Nighthawk:

== Prerequisites for hit counter functionality ==

Global Properties that must be enabled

CLI to query(must be in CMA environment on an MDM)

# cpmiquerybin object "" properties "name='firewall_properties'" | grep -i enable_hit_count
:enable_hit_count (1)

# cpmiquerybin object "" properties "name='firewall_properties'" | grep rulebase_uids_in_log
:rulebase_uids_in_log (true)

== max table size (on fw gateways) ==

[https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk90040&partition=General&product=Security hit counter fw module max table size]

sk90040

fw ctl get int fw_rules_uid_max_dic_entries

fw ctl set int fw_rules_uid_max_dic_entries VALUE

for surviving reboot... [https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk26202 Changing the kernel global parameters for Check Point Security Gateway]

rewriting grub mbr

2017-08-09T04:42:41Z

Nighthawk:

grub> '''root (hd0,0)'''
grub> '''setup (hd0)'''
Checking if "/boot/grub/stage1" exists... no
Checking if "/grub/stage1" exists... yes
Checking if "/grub/stage2" exists... yes
Checking if "/grub/e2fs_stage1_5" exists... yes
Running "embed /grub/e2fs_stage1_5 (hd0)"... 15 sectors are embedded. succeeded
Running "install /grub/stage1 (hd0) (hd0)1+15 p (hd0,0)/grub/stage2 /grub/grub.conf"...succeeded
Done.

cyclic logging deletion mechanism

2017-08-07T18:55:20Z

Nighthawk:

referenced sk33309

all versions

SmartView Tracker Messages / Errors

in the traffic log files of the log server (not on the smartcenter or in the fw.adtlog)

'''Normal log deletion log'''

Type: Control

Information field: Log file <name> has been deleted by the "Cyclic Logging" mechanism

'''Disk space triggered log deletion that failed'''

Type: Alert

Information Field: The log repository quota has been exceeded. No file could be deleted.

This message indicates that the system tried to delete old log files in order to fulfill the required disk space requirement, as defined by the user, but could not find an appropriate file to delete. This might be because there are no old files left to delete (the active log file cannot be deleted), or because the user configured the mechanism not to delete log files from the last "N" days. The user should delete files manually from the machine in order to reach the desired free disk space. If the user does not, the current log might be deleted when a log switch occurs.

isp redundancy

2017-07-24T03:52:32Z

Nighthawk: Created page with " [https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk23630 Advanced configuration options for ISP Redundancy]"

[https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk23630 Advanced configuration options for ISP Redundancy]

firewall logconnection status

2017-06-16T00:13:47Z

Nighthawk: Created page with "[Expert@chkpfw1:0]# cpstat fw -f log_connection"

[Expert@chkpfw1:0]# cpstat fw -f log_connection

centos 6.5 repo

2017-05-24T22:28:41Z

Nighthawk: Nighthawk moved page centos 6.5 repo to centos 6.5 repo yum file

[rhel-source]
 name=Red Hat Enterprise Linux $releasever - $basearch - Source
 baseurl=ftp://ftp.redhat.com/pub/redhat/linux/enterprise/$releasever/en/os/SRPMS/
 enabled=0
 gpgcheck=1
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
 
 [rhel-source-beta]
 name=Red Hat Enterprise Linux $releasever Beta - $basearch - Source
 baseurl=ftp://ftp.redhat.com/pub/redhat/linux/beta/$releasever/en/os/SRPMS/
 enabled=0
 gpgcheck=1
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
 
 [CentOS6base]
 name=CentOS-6-Base
 mirrorlist=http://mirrorlist.centos.org/?release=6&arch=$basearch&repo=os
 gpgcheck=1
 enabled=1
 gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY=CentOS-6
 
 [CentOS6updates]
 name=CentOS-6-Updates
 mirrorlist=http://mirrorlist.centos.org/?release=6&arch=$basearch&repo=updates
 gpgcheck=1
 enabled=1
 gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-6
 
 [CentOS6plus]
 name=CentOS-6-Plus
 mirrorlist=http://mirrorlist.centos.org/?release=6&arch=$basearch&repo=centosplus
 gpgcheck=1
 enabled=1
 gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-6

cp manpage - mdsenv runcrossdomainquery

2017-05-01T17:38:53Z

gaia CLI upgrades

2017-04-30T19:56:33Z

Nighthawk: /* R75.40 to R77.10 */

==R75.40 to R77.10==

 To upgrade using an ISO image on a DVD:
 Note - This procedure is not supported on IP Appliances.
 1. Download the Gaia ISO image from the Check Point Support Center
 http://supportcontent.checkpoint.com/solutions?id=sk92965.
 Check_Point_Install_and_Upgrade_R77.Gaia.iso
 2. Mount the iso image to the device to be upgraded. This can be done via physical drive, or virtually attaching the iso.

 3. From clish, run: upgrade cd

==troubleshooting==

=== error: mount failed ===

chkpmgr> upgrade cd
UPGRADE: mount failed: Device or resource busy

in this scenario, i had manually mounted the /dev/cdrom to /mnt/cdrom. this is not needed and even causes the upgrade command to fail. I solve it by unmounting the cdrom.
# umount /dev/cdrom

gaia - adding an alias interface

2017-04-30T02:41:03Z

Nighthawk:

at the clish prompt
mygw> add interface eth0 alias 192.168.1.10/24

the alias created will look like...

eth0:1 Link encap:Ethernet HWaddr 82:3E:FC:AF:B5:80
inet addr:192.168.1.10 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:185 Base address:0xa000

smart reporter

2017-04-30T01:55:58Z

Nighthawk: /* tables */

==databases and versions==

SmartReporter Database Management
This release can use one of these SQL databases:

• MySQL - When you upgrade from R75.40 or earlier to R77, SmartReporter continues to use the legacy
• MySQL database. In some cases, upgrading from R75.20 or R75.40 can also use MySQL.

PostgreSQL - All new installations of SmartReporter, from R75.40VS and higher, use the PostgreSQL
database.
You do database management operations in these ways:

• With the SmartReporter Database Maintenance view
• With CLI commands. MySQL and PostgreSQL have different commands and procedures
• Changing SmartReporter configuration files

'''To see which SQL database is installed, run:'''
grep DefaultDatabase $CPDIR/registry/HKLM_registry.data

If the command returns the string PostgreSQL, the database is PostgreSQL. If the command returns
another result, the database is MySQL.

==mysql database==

username for mysql connections: RMSERVER
password can me set in smartreporter gui under management > database maintenance > change database password

mysql binary location: $RTDIR/Database/bin/mysql
socket file: use as defined in $RTDIR/Database/conf/my.cnf

example command to connect to local database
$RTDIR/Database/bin/mysql -u RMSERVER -h localhost -p --socket=/opt/CPrt-R75.40/Database/mysql.sock

==postgresql==
connecting to postgresql database
$CPDIR/database/postgresql/bin/psql -U cp_postgres -p 18272 rt_database

==logging and session status==
log consolidation session log: $RTDIR/log_consolidator_engine/log/<Session_ID>/lc_rt.log

example of successful log consolidation entry...

Last processed file: 2017-03-01_235900.log
 The Engine has finished scanning the requested log files.

==service stop and start==

rmdstop -server to stop

==tables==

== fwaction ==

fw_action_code | fw_action_name
 -1 |
0 | consolidated
1 | encrypt
2 | approved
3 | accept
4 | blocked
5 | drop
6 | reject
... and more...

[[category:loggin]]

RHEL 6.5 install

2017-04-29T16:04:15Z

Nighthawk:

==installing prereqs==

[https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk98760 Prerequisites for installing Security Management Server / Multi-Domain Security Management Server on Red Hat Enterprise Linux]

==using centos yum repo==

replace /etc/yum.repos.d/rhel-source.repo contents with the following

[[centos 6.5 repo]]

vault access to older/deprecated centos repos - [http://vault.centos.org/6.5/os/x86_64/ vault.centos.org 64bit centos]

run to import vault key
# rpm --import http://vault.centos.org/6.5/os/x86_64/RPM-GPG-KEY-CentOS-6

==installing check point==

which package to install from the support site?

the iso to download will usually say "install" and "open_server"

for example...

Check_Point_R77.30_T207_Install_and_Upgrade.SPLAT_Open_Server.iso

==troubleshooting==
===libz.so.1 error===

errors occur during configuration on install or when cpconfig is run

'''error message:'''
Do you want to add an administrator (y/n) [y] ?
/opt/CPsuite-R77/fw1/bin/fwm: error while loading shared libraries: libz.so.1: cannot open shared object file: No such file or directory

'''cause'''

# yum list zlib
Installed Packages
zlib.x86_64 1.2.3-29.el6 @anaconda-RedHatEnterpriseLinux-201311111358.x86_64/6.5
Available Packages
zlib.i686 1.2.3-29.el6 CentOS6base

'''solution'''
install 32bit libz

# yum install zlib.i686

===bad ELF interpreter===

'''error message'''
# ./UnixInstallScript: ./UnixInstallScript: /lib/ld-linux.so.2: bad ELF interpreter: No such file or directory
'''solution'''
install missing glibc
# yum install glibc.i686

=== libpam.so.0 ===

'''error:''' ./UnixInstallScript: error while loading shared libraries: libpam.so.0: cannot open shared object file: No such file or directory

'''solution:''' install 32-bit pam. you will likely need to update the 64-bit to match to avoid Multilib version errors. The following command will do this.
# yum install pam.x86_64 pam.i686

==links==

[http://it.tuxie.eu/?p=404 RHEL 6.5 x64 with CentOS 6.5 repositories]

[[category:rhel]]

cpuse agent

2017-04-25T15:15:08Z

Nighthawk:

==checking current version==
# clish -c "show installer status build"
Build number: 2084 (agent build is up to date)

==downloading the latest cpuse deployment agent==

a download link to the latest cpuse is found in [https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk92449&partition=General&product=All%22 sk92449] on the user center

==check currently installed version==

cpvinfo $DADIR/bin/DAService | grep Build

==how do perform and offline upgrades==

# download the latest cpuse
# uninstall cpuse
[Expert@chkpmds1:0]# '''rpm -e CPda-00-00'''
/opt/CPshrd-R77/bin/cpwd_admin del -name DASERVICE
cpwd_admin:
successful Del operation

# install new cpuse

Expert@chkpmds1:0]# '''rpm -ivh ./CPda-00-00.i386.rpm'''
Preparing... ########################################### [100%]
cpwd_admin:
Process DASERVICE isn't monitored by cpWatchDog. Stop request aborts
Trying to stop DAService for 60 seconds - please wait...
Error: DAService is not running.
 Waiting for DAService to stop...
Error: DAService is not running.

*** note: it is typical to see the above message many times

== restarting clishd==

To Stop [Expert@HostName]# '''tellpm process:clishd'''
 To Start [Expert@HostName]# '''tellpm process:clishd t'''

start agent

# clish -c "installer agent start"

upgrade should be completed.

hit counter

2017-04-16T21:30:44Z

Nighthawk: /* example queries R80+ */

==example queries R80+==

the database was moved from the sqlite file to postgres

*** note **** case matters for the UID! all characters must be upper case it seems...

show all hit count data for a specific rule uid
# '''psql_client monitoring postgres -c "select hits,end_date from hitcount where rule_uid = '{0C8C26F9-7A52-4160-BB96-73AECEF13758}' limit 5"'''
hits | end_date
------+---------------------
4 | 2017-06-30 22:01:08
16 | 2017-07-01 22:01:06
16 | 2017-07-02 22:01:05
16 | 2017-07-03 22:01:03
16 | 2017-07-04 22:01:02

show
# '''mgmt_cli show access-rulebase name "Network" -s id.txt package "Standard" show-hits true --format json | jq '.rulebase[] | {rule_number: ."rule-number",uid: .uid,hits: .hits.value}''''

"rule_number": 1,
"uid": "1de8fab0-4858-4067-977d-1cbb5cd2e55d",
"hits": 0
 
"rule_number": 2,
"uid": "bbbfd8e6-72b6-4ff0-82ca-a9b0a6151d07",
"hits": 19
 
"rule_number": 3,
"uid": "bc69f34d-7ee8-47fe-a225-11b8e27e9a44",
"hits": 16617
 
"rule_number": 4,
"uid": "26373728-50df-49c3-b8d0-8895e350bc9f",
"hits": 1187628

==example queries R75.30==
sqlite3 $FWDIR/conf/hit_count_rules_table.sqlite 'select datetime(start_date, "unixepoch") as time, datetime(end_date, "unixepoch") as time, netobj_name, rule_uid, hits from HitCountRules where rule_uid="{609C7EC8-82CA-4A58-BEB8-226626DBD3E3}"'

sqlite3 $FWDIR/conf/hit_count_rules_table.sqlite 'select datetime(start_date, "unixepoch") as time, datetime(end_date, "unixepoch") as time, netobj_name, rule_uid, hits from HitCountRules where netobj_name="myfirewall"'

hits per day for a firewall, within day range

sqlite3 $FWDIR/conf/hit_count_rules_table.sqlite 'select date(start_date, "unixepoch") as day, SUM(hits) AS hits_total from HitCountRules where netobj_name="<my_firewall>" AND day between "2017-07-25" and "2017-09-14" GROUP by day'

keywords: hit count, hitcount