18 February 2020
CHECK POINT MAESTRO
R80.20SP
Administration Guide

Summary of Contents for Check Point MAESTRO R80.20SP

  • Page 1 18 February 2020 CHECK POINT MAESTRO R80.20SP Administration Guide...
  • Page 2 Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.
  • Page 3 Open the latest version of this Download the latest version of this document in PDF format Feedback Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments Check Point Maestro R80.20SP Administration Guide   |   3...
  • Page 4 Revision History
    Date: February 2020
    Description: Updated: "Installing and Uninstalling a Hotfix on Maestro Security Appliances" on page 190 - removed the steps for "Online CPUSE packages"
    Date: 07 January 2020
    Description: Added: "IP and URL Block Feature" on page 221; "Configuring High Availability"...
  • Page 5 Date: 01 July 2019
    Description: Updated: Document design. Removed: Information about initial configuration was moved to the R80.20SP Maestro Getting Started Guide: Connecting Cables to Maestro Hyperscale Orchestrators; Configuration Procedure; License Installation; Managing Security Groups (some topics). Added: "Installing and Uninstalling a Hotfix on Maestro Hyperscale Orchestrators"...
  • Page 6: Table Of Contents

    Understanding the Configuration File List MAC Addresses and Bit Conventions MAC Address Resolver (asg_mac_resolver) Working with the Distribution Mode Automatic Distribution Configuration (Auto-Topology) Manual Distribution Configuration (Manual-General) Setting and Showing the Distribution Configuration (set distribution configuration)...
  • Page 7 Bond Verification Test (asg_bond -v) Showing Traffic Information (asg_ifconfig) Native Usage Using the Analyze Option Showing Multicast Traffic Information Showing Multicast Routing (asg_mroute) Showing PIM Information (asg_pim) Showing IGMP Information (asg_igmp) Monitoring VPN Tunnels Traceroute (asg_tracert)...
  • Page 8 Collecting System Diagnostics (smo verifiers) Diagnostic Tests Showing the Tests Showing the Last Run Diagnostic Tests Running all Diagnostic Tests Running Specific Diagnostic Tests Collecting Diagnostic Information for a Report Specified Section Error Types Changing Compliance Thresholds...
  • Page 9 Common SNMP OIDs for Security Groups System Optimization Firewall Connections Table Size for VSX Gateway Working with Session Control (asg_session_control) Session Control Defining Session Control Rules Showing Session Control Statistics Applying Session Control Rules...
  • Page 10 RMA of a Maestro Hyperscale Orchestrator Configuring High Availability Setting Security Appliance Weights (Chassis High Availability Factors) Setting the Quality Grade Differential IP and URL Block Feature IP Block Feature Description Procedure URL Block Feature Description Procedure...
  • Page 11: Glossary

    Glossary Administrator A user with permissions to manage Check Point security products and the network environment. In computer programming, an application programming interface (API) is a set of subroutine definitions, protocols, and tools for building application software. In general terms, it is a set of clearly defined methods of communication between various software components.
  • Page 12 A Security Gateway that is part of a cluster. CoreXL A performance-enhancing technology for Security Gateways on multi-core processing platforms. Multiple Check Point Firewall instances are running in parallel on multiple CPU cores. CoreXL Firewall Instance Also CoreXL FW Instance. On a Security Gateway with CoreXL enabled, the Firewall kernel is copied multiple times.
  • Page 13 Route-Based VPN, it is done by FWK daemon. CPUSE Check Point Upgrade Service Engine for Gaia Operating System. With CPUSE, you can automatically update Check Point products for the Gaia OS, and the Gaia OS itself. For details, see sk92449. See "DAC Cable".
  • Page 14 Downlink ports and Security Appliances. The Check Point Management traffic (policy, logs, synchronization, and so on) co-exists with the data (user) traffic on the Downlink ports. Bandwidth is guaranteed for the Check Point Management traffic (portion of the downlink bandwidth). These ports form the system backplane (management, data plane, synchronization).
  • Page 15 Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. Gaia Clish The name of the default command line shell in Check Point Gaia operating system. This is a restrictive shell (role-based administration controls the number of commands available in the shell).
  • Page 16 HyperSync Check Point patented technology that makes sure that active connections are only synchronized to backup Security Appliances in the Security Group. HyperSync makes sure each connection flow has a backup within the Security Group. Internal Certificate Authority. A component on Check Point Management Server that issues certificates for authentication.
  • Page 17 Log Server A dedicated Check Point computer that runs Check Point software to store and process logs in Security Management Server or Multi-Domain Security Management environment. Maestro Hyperscale Orchestrator A scalable Network Security System that connects multiple Check Point Security Appliances into a unified system.
  • Page 18 Rule Base Also Rulebase. All rules configured in a given Security Policy. Secondary Multi-Domain Server The Multi-Domain Server in Management High Availability that you install as Secondary...
  • Page 19 (C) Applicable management port, to which the Check Point Management Server is connected. Security Management Server A computer that runs Check Point software to manage the objects and policies in Check Point environment. Security Policy A collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection.
  • Page 20 SmartDashboard A legacy Check Point GUI client used to create and manage the security settings in R77.30 and lower versions. Single Management Object. Single Security Gateway object in SmartConsole that represents a Security Group configured on Maestro Hyperscale Orchestrator.
  • Page 21 See "Single Sign-On". Standalone A Check Point computer, on which both the Security Gateway and Security Management Server products are installed and configured. Traffic Flow of data between network devices. Uplink See "Uplink Ports". Uplink Ports Interfaces on the Maestro Hyperscale Orchestrator used to connect to external and internal networks.
  • Page 22 Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts.
  • Page 23: Introduction

    Introduction Maestro Hyperscale Orchestrator is a scalable Network Security System built to secure the largest networks in the world by orchestrating multiple Check Point Security Appliances into a unified system. The Maestro Hyperscale Orchestrator provides: Security of infinite scale...
  • Page 24: Managing Security Groups

    Security Appliance. The Security Appliance synchronizes its database during startup and applies the changes after reboot. Gaia Clish commands apply only to the specific Security Appliance. They are documented in the R80.20SP Maestro Gaia Administration Guide...
  • Page 25 Runs commands on specified Security Appliances. range Runs Gaia gClish embedded commands only on this subset of Security Appliances. We do not recommend that you use the blade-range command, because all Security Appliances must have identical configurations...
  • Page 26: Check Point Global Commands

    Syntax to collect the debug
    > fw dbgfile collect -f <debug_file_path> [-buf <buf_size>] [-m <debug_module_1> <debug_flags_1> [-m <debug_module_2> <debug_flags_2>] ... [-m <debug_module_N> <debug_flags_N>]]
    Syntax to show the collected debug
    > fw dbgfile view [<debug_file_path>] [-o <agg_file_path>]
  • Page 27 The fwaccel commands control the acceleration for IPv4 traffic. The fwaccel6 commands control the acceleration for IPv6 traffic. When you run the fwaccel and fwaccel6 commands in Gaia gClish, they show combined information from all Security Appliances, for most parameters...
  • Page 28 Syntax for IPv4: fwaccel help
    Syntax for IPv6: fwaccel6 help
    Parameters and Options: For more information, see the R80.20SP Maestro Performance Tuning Administration Guide - Chapter SecureXL - Section SecureXL Commands - Subsection 'fwaccel' and 'fwaccel6'.
  • Page 29: General Global Commands

    : Execute only on remote SGMs. Command list: snapshot_show_current snapshot_recover fwaccel6_m fwaccel6 fw6 unlock update_conf_file mv fwaccel_m ethtool md5sum dmesg cp tcpdump cat tail clusterXL_admin reboot ls fwaccel vpn fw netstat cpstop cpstart cplic asg [Global] MyChassis-ch01-01>
  • Page 30 <file_name>: Full path and name of the configuration file to update. You do not need to specify the full path for these files (only specify the file name): $FWDIR/boot/modules/fwkern.conf, $PPKDIR/conf/simkern.conf
    <variable>: Name of the variable to update
    <value>: New value for the variable
  • Page 31 Use these commands in the Expert mode to set or show specified Firewall kernel parameters.
    Syntax for viewing the current value of a variable
    # g_fw ctl get <type> <parameter_name>
    Syntax for setting a value of a variable
    # g_fw ctl set <type> <parameter_name> <value>
  • Page 32 Copying Files Between Security Appliances (asg_cp2blades)
    Description: Use the asg_cp2blades command in Gaia gClish or the Expert mode to copy files from the current Security Appliance to other Security Appliances.
    Syntax: asg_cp2blades [-b <SGM_IDs>] [-s] <source_path> [<dest_path>]
  • Page 33 The command runs up to 15 times, or until there are less than 50 connections left.
    Note - If you are connected to the machine with SSH, your connection is disconnected.
    Syntax: asg_clear_table [-b <SGM_IDs>]
  • Page 34 Use the show interface command in Gaia gClish to view information about the interfaces on the Security Appliances. For more information, see the R80.20SP Maestro Gaia Administration Guide - Chapter Network Management - Section Network Interfaces.
    Syntax
    > show interfaces all
    > show interface <options>
  • Page 35 4.4.4.10/24
    1_02: ipv4-address 4.4.4.10/24
    1_03: ipv4-address 4.4.4.10/24
    1_04: ipv4-address 4.4.4.10/24
    1_05: Blade 1_05 is down. See "/var/log/messages".
    2_01: ipv4-address 4.4.4.10/24
    2_02: ipv4-address 4.4.4.10/24
    2_03: ipv4-address 4.4.4.10/24
    2_04: ipv4-address 4.4.4.10/24
    2_05: ipv4-address 4.4.4.10/24
    [Global] MyChassis-ch01-01>
  • Page 36 The active Chassis (chassis_active). Changes the cluster state to UP. Changes the cluster state to DOWN. down Synchronizes accelerated connections to other Security Appliances. <SGM_IDs> Runs this command on all, except the local Security Appliance.
  • Page 37: Configuring Security Appliance State (G_Clusterxl_Admin)

    When the cluster state of the Security Appliance is changed to Administrative, it automatically synchronizes the configuration from a different Security Appliance that is in the UP state. This command generates log entries. Run: asg log --file audit
  • Page 38: Configuring A Unique Mac Identifier (Asg_Unique_Mac_Utility)

    Choose one of the following options:
    ------------------------------------
    1) Set Hostname with Unique MAC wizard
    2) Apply Unique MAC from current HOSTNAME
    3) Manual set Unique MAC
    4) Exit
    >
    Reboot the system to apply the new Unique MAC Identifier.
  • Page 39 The new Unique MAC Identifier is created from the setup number in the host name. The current host name must first comply with the setup name number convention: /asg suffix/setup Manual set Unique MAC Set the Unique MAC Identifier to the default value of 254.
  • Page 40 Security Appliance, interface, MAC address, and Host name. You can show summary or verbose information.
    Syntax
    # asg_arp -h
    # asg_arp [-b <SGM_IDs>] [-v] [--verify] [-i <if>] [-m <mac>] [<hostname>]
    # asg_arp --legacy
  • Page 41: Working With The Arp Table (Asg_Arp)

    [Expert@MyChassis-ch01-01:0]# asg_arp -v
    Address       HWtype  HWaddress          Flags Mask  Iface       SGMs
    172.23.19.4   ether   54:7F:EE:6A:D0:BC              eth1-Mgmt2  1_01
    1_01          ether   00:1C:7F:01:04:FE              Sync        1_02
                  ether   00:1C:7F:02:04:FE              Sync        1_01
    ssm1          ether   02:02:03:04:05:40              eth1-CIN    1_01,1_02
    ssm2          ether   04:02:03:04:05:40              eth2-CIN    1_01
    [Expert@MyChassis-ch01-01:0]#
  • Page 42: Example Output For Verifying Mac Addresses

    For the Unique MAC Kernel value, run this command in Gaia gClish:
    > fw ctl get int fwha_mac_magic
    Example:
    [Global] MyChassis-ch01-01> fw ctl get int fwha_mac_magic
    -*- 4 sgms: 1_01 1_02 2_02 2_03 -*-
    fwha_mac_magic = 22
    [Global] MyChassis-ch01-01>
  • Page 43: Example Legacy Output

    Flags Mask Iface ssm2 ether 04:02:03:04:05:40 eth2-CIN ssm1 ether 02:02:03:04:05:40 eth1-CIN ether 00:1C:7F:02:04:FE Sync 172.23.19.4 ether 54:7F:EE:6A:D0:BC eth1-Mgmt2 1_02: Address HWtype HWaddress Flags Mask Iface 1_01 ether 00:1C:7F:01:04:FE Sync ssm1 ether 02:02:03:04:05:40 eth1-CIN [Expert@MyChassis-ch01-01:0]#
  • Page 44: Security Group Concepts

    Working with Policies (asg policy) Single Management Object Single Management Object (SMO) is a Check Point technology that manages the Security Group as one large Security Gateway with one management IP address. All management tasks are handled by one Security Appliance (the SMO Master), which updates all other Security Appliances. All management tasks, such as Security Gateway configuration, policy installation, remote connections and logging are handled by the SMO master.
  • Page 45: Installing And Uninstalling Policies

    To re-enable VS monitoring on the specified VS(s) you must run the following command on a single SGM: 'cpha_vsx_util monitor start <vs_ids>'. For example: 'cpha_vsx_util monitor start 1,3'
    Must be executed via serial connection
    Are you sure? (Y - yes, any other key - no)
    Note - You cannot uninstall policies from SmartConsole.
  • Page 46: Working With Policies (Asg Policy)

    {verify | verify_amw} [-vs <VS_IDs>] [-a] [-v]
    asg policy unload [--disable_pnotes] [-a]
    asg policy unload --ip_forward
    Best Practice - Run these commands over a serial connection to Security Appliances in the Security Group.
  • Page 47 --disable_pnotes: Security Appliances stay in the UP state without an installed policy. Important - If you omit this option, Security Appliances go into the DOWN state until the policy is installed again!
    --ip_forward: Enables IP forwarding.
  • Page 48
    +-------------------------------+
    |Unload policy
    +---------------+---------------+
    |SGM            |Status
    +---------------+---------------+
    |1_3            |Success
    +---------------+---------------+
    |1_2            |Success
    +---------------+---------------+
    |1_1            |Success
    +---------------+---------------+
    |2_3            |Success
    +---------------+---------------+
    |2_2            |Success
    +---------------+---------------+
    |2_1            |Success
    +---------------+---------------+
    +------------------------------------------------------------------------------+
    |Summary
    +------------------------------------------------------------------------------+
    |Unload policy completed successfully
    +------------------------------------------------------------------------------+
    [Expert@MyChassis-ch01-01:0]#
  • Page 49: Security Appliance Policy Management

    Set of configuration files defined in the /etc/xfer_files_list file. This file contains the location of all related configuration files. It also defines the action to take if the copied file is different from the one on the local Security Appliance.
  • Page 50: Synchronizing Policy And Configuration Between Security Appliances

    Reboot the target Security Appliance, or run these two commands:
    cpstart
    clusterXL_admin up
    Note - You can run the asg stat -i all_sync_ips command in Gaia gClish to get a list of all synchronization IP addresses on the Security Appliance.
  • Page 51: Understanding The Configuration File List

    ... output is cut for brevity ...
    global_context /etc/smodb.json "/usr/lib/smo/libclone_smodb.tcl clone_smodb_apply" /tmp/smo_smodb.json
    global_context $FWDIR/conf/prioq.conf /bin/false
    global_context /web/templates/httpd-ssl.conf.templ /usr/scripts/generate_httpd-ssl_conf.sh
    all_vs_context $FWDIR/conf/fwaccel_dos_rate_on_install /bin/false
    all_vs_context $FWDIR/conf/fwaccel6_dos_rate_on_install /bin/false
    global_context $FWDIR/database/sam_policy.db $SMODIR/scripts/compare_samp_db.tcl /tmp/sam_policy.db.new
    global_context $FWDIR/database/sam_policy.mng /bin/false
    all_vs_context $FWDIR/conf/icap_client_blade_configuration.C /bin/true
    global_context $CPDIR/conf/chassis_priority_db.C /bin/true
    [Expert@MyChassis-ch01-01:0]#
  • Page 52: Mac Addresses And Bit Conventions

    0 - BMAC
    1 - SMAC
    15-16: Absolute interface number. This is taken from the interface name. When the BPEthX format is used, X is the interface number. This is limited to four interfaces.
  • Page 53 This is used to prevent possible collisions with VMAC space. Possible values are:
    0 - BMAC or SMAC
    1 - VMAC
    Chassis ID. Limited to 4 Chassis.
    Switch number. Limited to 32 switches.
    9-16: Port number. Limited to 256 for each switch.
  • Page 54 Distinguishes between BMAC and SMAC addresses. This is used to prevent possible collisions with SMAC space. Possible values:
    0 - BMAC
    1 - SMAC
    Always zero.
    Sync interface. Possible values are:
    0 - Sync1
    1 - Sync2
  • Page 55: Mac Address Resolver (Asg_Mac_Resolver)

    00:1C:7F:01:00:FE is the Magic MAC attribute, which is identified by FE. The index length is 16 bits (2 Bytes) identified by 01:00 x x x x x x x x x x x x x x x x.
  • Page 56: Working With The Distribution Mode

    If Layer 4 distribution is enabled, packets are assigned to a Security Appliance based on the packet's Source IP address, Source port, Destination IP address, and Destination port.
    Auto-Topology (Per-Port): Each port for a Security Appliance is configured separately in the User Mode or Network Mode.
  • Page 57: Automatic Distribution Configuration (Auto-Topology)

    Security Group is General. In this configuration, the topology of the interfaces is irrelevant. Best Practice - Do not manually change the Distribution Mode of a Virtual System. This can cause performance degradation.
  • Page 58: Setting And Showing The Distribution Configuration (Set Distribution Configuration)

    VS0 only. The commands apply immediately across all Virtual Systems.
    Syntax to show the Distribution Configuration
    > show distribution configuration
    Syntax to set the Distribution Configuration
    > set distribution configuration {auto-topology | manual-general} ip-version {ipv4 | ipv6 | all} ip-mask <mask>
  • Page 59 [Expert@MyChassis-ch01-01:0]#
    4. Go to the Gaia gClish:
       # gclish
    5. Configure the distribution mode with the required mask:
       > set distribution ... ip-mask <Matrix Size in HEX>
       Example:
       > set distribution ... ip-mask 200
  • Page 60: Configuring The Interface Distribution Mode (Set Distribution Interface)

    Manually assign the User (Internal) Distribution Mode - based on Destination IP user address. Manually assign the Network (External) Distribution Mode - based on Source IP network address. Use Auto-Topology to automatically assign the Distribution Mode according to the policy.
  • Page 61 > set distribution interface eth1-01 configuration policy
    /bin/distutil set_ifn_dist_mode eth1-01 policy
    Example 3 - Set the Distribution Mode to User (Internal)
    > set distribution interface eth1-01 configuration user
    /bin/distutil set_ifn_dist_mode eth1-01 internal
  • Page 62: Showing Distribution Status (Show Distribution Status)

    l4_mode (L4 Mode): Shows if Layer 4 distribution is enabled.
    mode: Shows the distribution mode.
    matrix > actual_size (Matrix Size): Shows the size of the Distribution Mode matrix.
    ports: Shows the Distribution Mode assignment for each interface.
  • Page 63: Running A Verification Test (Show Distribution Verification)

    Verification:                                     Result:
    Mode          per-port          per-port          Passed
    L4 Mode                                           Failed
    Matrix Size                                       Failed
    eth1-05       policy-internal   policy-internal   Passed
    eth1-06       policy-internal   policy-internal   Passed
    eth2-05       policy-external   policy-external   Passed
    eth2-06       manual-internal   policy-external   Failed
    Verification failed with above errors
    >
  • Page 64: Configuring The Layer 4 Distribution Mode And Masks (Set Distribution L4-Mode)

    1_02: success
    [Global] MyChassis-ch01-01>
    Example 3 - Show the current Layer 4 Distribution Mode and Masks
    [Expert@MyChassis-ch01-01:0]# gclish
    [Global] MyChassis-ch01-01> show distribution l4-mode
    1_01: L4 Distribution: Enabled
    1_02: L4 Distribution: Enabled
    [Global] MyChassis-ch01-01>
  • Page 65: Nat And The Correction Layer On A Security Gateway

    To achieve optimal distribution between Security Appliances in a Security Group in Gateway mode:
    NAT Rules | Instructions
    Not using NAT rules | Set the General Distribution Mode.
    Using NAT rule | Set the hidden networks to the User Mode. Set the destination networks to the Network Mode.
  • Page 66: Nat And The Correction Layer On A Vsx Gateway

    Set the destination networks to the Network Mode
    On the remaining Virtual Systems that do not use NAT rules:
    Set internal networks to the User Mode
    Set the external networks to the Network Mode
  • Page 67: Working With The Garp Chunk Mechanism

    1:
    # g_fw ctl set int fwha_refresh_arps_chunk 1
    To send 50 GARP Requests each second, set the value of the kernel parameter fwha_refresh_arps_chunk to 5:
    # g_fw ctl set int fwha_refresh_arps_chunk 5
  • Page 68: Verification

    # g_fw ctl zdebug -m cluster + ch_conf | grep fw_refresh_arp_proxy_on_failover
    Important - To make the above configuration permanent (to survive reboot), add the applicable kernel parameters to the fwkern.conf file with this command: update_conf_file fwkern.conf <parameter>=<value>
  • Page 69: Ips Cluster Failover Management

    # fw ctl get int fwha_ips_reject_on_failover
    If the output shows fwha_ips_reject_on_failover = 0, it means the connectivity is preferred.
    If the output shows fwha_ips_reject_on_failover = 1, it means the security is preferred.
  • Page 70: Ipv6 Neighbor Discovery

    This is an example of an explicit Rule Base that permits ICMPv6 Neighbor Discovery protocol:
    Source: Network object that represents the Bridged Network
    Destination: Network object that represents the Bridged Network
    Services and Applications: neighbor-advertisement, neighbor-solicitation, router-advertisement, router-solicitation, redirect6
    Action: Accept
  • Page 71: Logging And Monitoring

    Overview of CPView Description CPView is a text based built-in utility on a Check Point computer. CPView Utility shows statistical data that contain both general system information (CPU, Memory, Disk space) and information for different Software Blades (only on Security Gateway).
  • Page 72: Cpview User Interface

    This menu bar is interactive. Move between menus with the arrow keys and mouse. A menu can have sub-menus and they show under the menu bar.
    View: This view shows the statistics collected in that view. These statistics update at the refresh rate.
  • Page 73: Network Monitoring

    If you specify more than one interface, you must separate their names by a comma without spaces. Example: asg if -i Sync,eth1-Mgmt1
    Shows verbose output.
    Note - This view is not supported for logical interfaces (for example, Bond, VLAN, and ethX-MgmtY interfaces).
  • Page 74
    |internal interface
    +----------------------------------------------------------------------------------------+
    |Traffic
    +----------------------------------------------------------------------------------------+
    |media            |In traffic |In pkt(uni/mul/brd)|Out traffic    |Out pkt(uni/mul/brd)
    +-----------------+-----------+-------------------+---------------+----------------------+
    |FTLF8528P2BNV-EM |28.8Kbps   |0pps/38pps/5pps    |4.1Mbps        |0pps/355pps/0pps
    +----------------------------------------------------------------------------------------+
    |Errors (total/pps)
    +----------------------------------------------------------------------------------------+
    |OutDiscards                  |InDiscards         |InErrors       |OutErrors
    +-----------------------------+-------------------+---------------+----------------------+
    |0/0                          |0/0                |0/0            |0/0
    +-----------------------------+-------------------+---------------+----------------------+
    [Expert@MyChassis-ch01-01:0]#
  • Page 75: Global View Of All Interfaces (Show Interfaces)

    This sample output shows that this Sync interface is a Bond-Master and if the interfaces are UP or DOWN.
    To add a comment to an interface, run in Gaia gClish:
    > set interface <Name of Interface> comment "<Comment Text>"
  • Page 76: Showing Bond Interfaces (Asg_Bond)

    <filter>: Filters the output for the specified bond name or text string. The output shows all bonds that match the bond name, or those names that contain the text string.
    Runs LACP packet test for the specified interfaces.
  • Page 77 |(MAC) 00:1c:7f:81:07:fe |Round-Rubin |eth1-07 |(IPv4) 33.33.1.10 |Load Sharing |eth2-07 +--------+-------------------------------+--------------+---------+--------+---------+ [Expert@MyChassis-ch01-01:0]# Note - You can also specify a substring that is part of a bond name to show all bonds that contain the substring.
  • Page 78
    |eth2-02 missing LACP pkts|
    +-----+------------------------+-----------------+-------+------+-------------------------+
    |bond3|(MAC) 00:1c:7f:82:04:fe|XOR              |eth2-04|OK    |
    |     |(IPv4) 23.23.1.10      |Load Sharing     |eth1-04|      |
    +-----+------------------------+-----------------+-------+------+-------------------------+
    |bond5|(MAC) 00:1c:7f:81:07:fe|Round-Rubin      |eth1-07|OK    |
    |     |(IPv4) 33.33.1.10      |Load Sharing     |eth2-07|      |
    +-----+------------------------+-----------------+-------+------+-------------------------+
    |bond7|(MAC) 00:00:00:00:00:fe|Active-Backup    | - No slaves exist |High Availability|
    +-----+------------------------+-----------------+-------+------+-------------------------+
    [Expert@MyChassis-ch01-01:0]#
  • Page 79: Showing Traffic Information (Asg

    If you run this command in a Virtual System context, you can only see the output that applies to that context.
    Syntax
    asg_ifconfig -h
    asg_ifconfig [-b <SGM_IDs>] [<interface>] [analyze | banalyze] [-d <delay>] [-a] [-v]
    Parameters
    Parameter | Description
    Shows the built-in help.
  • Page 80 <delay>: Delay, in seconds, between data samples. Default = 5.
    -a: Shows total traffic volume. By default (without -a), the average traffic volume per second shows.
    -v: Verbose mode - shows traffic distribution between interfaces.
  • Page 81: Native Usage

    Link encap:Ethernet HWaddr 00:1C:7F:81:01:EA
    UP BROADCAST RUNNING SLAVE MULTICAST MTU:1500 Metric:1
    RX packets:79 errors:0 dropped:0 overruns:0 frame:0
    TX packets:26370 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:4507 (4.4 KiB) TX bytes:2216546 (2.1 MiB)
    [Global] MyChassis-ch01-01>
  • Page 82: Using The Analyze Option

    2.3% 6.6% 0.0%
    1_02 34.1% 39.0% 0.0% 3.1% 8.9% 0.0%
    1_03 0.0% 0.0% 0.0% 44.7% 35.3% 0.0%
    1_04 0.0% 0.0% 0.0% 45.2% 36.0% 0.0%
    1_05 31.3% 20.9% 0.0% 4.7% 13.2% 0.0%
    -----------------------------------------------------------------------------
    [Global] MyChassis-ch01-01>
  • Page 83: Showing Multicast Traffic Information

    Parameters
      Parameter          Description
      -h                 Shows the built-in help.
      No parameters      Shows all routes, interfaces and Security Appliances.
      -d <dest_route>    Destination multicast group IP address.
      -s <src_route>     Source IP address.
      -i <src_if>        Source interface name.
  • Page 84
    Example 2 - Shows only a specific source IP address, source interface, destination IP address, or Security Appliances
    [Expert@MyChassis-ch01-01:0]# asg_mroute -s 22.22.22.1 -i eth1-02 -d 225.0.90.91
    +-----------------------------------------------------------------------------------+
    |Multicast Routing (All SGMs)                                                       |
    +-------------------------+-------------------------+---------------+---------------+
    |Source                   |Dest                     |Iif            |Oif            |
    +-------------------------+-------------------------+---------------+---------------+
    |22.22.22.1               |225.0.90.91              |eth1-02        |eth2-01        |
    +-------------------------+-------------------------+---------------+---------------+
    [Expert@MyChassis-ch01-01:0]#
  • Page 85
      -b <SGM_IDs>       Shows the specified Security Appliances:
                           A comma-separated list of Security Appliances (for example, 1_1,1_4)
                           A range of Security Appliances (for example, 1_1-1_4)
                           One Chassis (chassis1, or chassis2)
                           The active Chassis (chassis_active)
      -i <if>            Shows only the specified source interface.
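    The <SGM_IDs> selector above is the same one the -b parameter takes on the following pages (asg_pim, asg perf, and the other asg_* commands). The Python below is an added example, not Check Point code: it expands a selector into the concrete member IDs so that a script which drives these commands, or post-processes their per-SGM output, can validate the selector before use. The chassis layout and the active chassis are passed in, because on a live system they come from asg stat; the zero-padded 1_01 output form, accepting both 1_1 and 1_01 on input, and rejecting a range that crosses chassis are my assumptions, since the guide only shows ranges inside one chassis.

```python
"""Expand the <SGM_IDs> selector used by the -b parameter of the asg_* commands.

Added example, not Check Point code. Accepted forms are the ones the guide lists:
  1_1 | 1_1,1_4 | 1_1-1_4 | chassis1 | chassis2 | chassis_active
Assumptions: IDs are printed zero-padded (1_01) as the command outputs on these
pages do; both 1_1 and 1_01 are accepted on input; a range must stay inside
one chassis.
"""
import re
from typing import Dict, List, Tuple

_SGM_RE = re.compile(r"^(\d+)_(\d+)$")
_CHASSIS_RE = re.compile(r"^chassis(\d+)$")


def _fmt(chassis: int, member: int) -> str:
    # Zero-padded form, as the outputs on these pages print it (1_01, 2_05).
    return f"{chassis}_{member:02d}"


def _parse_single(token: str, layout: Dict[int, int]) -> Tuple[int, int]:
    m = _SGM_RE.match(token.strip())
    if not m:
        raise ValueError(f"bad SGM id: {token!r}")
    chassis, member = int(m.group(1)), int(m.group(2))
    if chassis not in layout or not 1 <= member <= layout[chassis]:
        raise ValueError(f"SGM {token} is outside the configured layout")
    return chassis, member


def _whole_chassis(chassis: int, layout: Dict[int, int]) -> List[str]:
    if chassis not in layout:
        raise ValueError(f"unknown chassis: {chassis}")
    return [_fmt(chassis, m) for m in range(1, layout[chassis] + 1)]


def expand_sgm_ids(spec: str, layout: Dict[int, int], active_chassis: int) -> List[str]:
    """Expand an <SGM_IDs> selector into sorted, distinct member IDs.

    layout maps chassis number -> number of SGMs in that chassis (e.g. {1: 5, 2: 5}).
    Raises ValueError on a malformed element or an ID outside the layout.
    """
    selected = set()
    for token in spec.split(","):
        token = token.strip()
        if not token:
            raise ValueError("empty element in SGM_IDs")
        if token == "chassis_active":
            selected.update(_whole_chassis(active_chassis, layout))
        elif _CHASSIS_RE.match(token):
            selected.update(_whole_chassis(int(_CHASSIS_RE.match(token).group(1)), layout))
        elif "-" in token:
            lo, hi = token.split("-", 1)
            lo_c, lo_m = _parse_single(lo, layout)
            hi_c, hi_m = _parse_single(hi, layout)
            if lo_c != hi_c or lo_m > hi_m:
                raise ValueError(f"bad range: {token}")
            selected.update(_fmt(lo_c, m) for m in range(lo_m, hi_m + 1))
        else:
            selected.add(_fmt(*_parse_single(token, layout)))
    return sorted(selected)


if __name__ == "__main__":
    # Two chassis of five SGMs each, chassis 1 active (constructed layout).
    demo_layout = {1: 5, 2: 5}
    for spec in ("1_1,1_4", "1_1-1_4", "1_1-1_3,2_1", "chassis2", "chassis_active"):
        print(f"{spec:<16} -> {expand_sgm_ids(spec, demo_layout, 1)}")
```

    The same expansion applies to the -b parameter of the global commands on page 97 (the g_ls example on page 98 uses 1_1-1_3,2_1 and reports four blades), so one validated list can be reused for all of them.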
  • Page 86
    ...                                                                   |Forwarding|
    +-----------+------------+----------+-----+---------+----------+------------+----------+
    |SGM 1_02                                                                              |
    +-----------+------------+----------+-----+---------+----------+------------+----------+
    |source     |dest        |Mode      |Flags|In. intf |RPF       |Out. intf   |State     |
    +-----------+------------+----------+-----+---------+----------+------------+----------+
    |22.22.22.1 |225.0.90.90 |Dense-Mode|L|M  |eth1-02  |none      |eth1-01     |Forwarding|
    +-----------+------------+----------+-----+---------+----------+------------+----------+
    |22.22.22.1 |225.0.90.91 |Dense-Mode|L|M  |eth1-02  |none      |eth1-01     |Forwarding|
    |           |            |          |     |         |          |eth2-01     |Forwarding|
    +-----------+------------+----------+-----+---------+----------+------------+----------+
    [Expert@MyChassis-ch01-01:0]#
  • Page 87
    [Global] MyChassis-ch01-01> asg_pim neighbors
    +--------------------------------------------------------------------------------------+
    |PIM Neighbors (All SGMs)                                                              |
    +--------------------------------------------------------------------------------------+
    |Verification:                                                                         |
    |Neighbors Verification: Passed - Neighbors are identical on all blades                |
    +--------------------+--------------------+--------------------+-----------------------+
    |Neighbor            |Interface           |Holdtime            |Expires(min-max)       |
    +--------------------+--------------------+--------------------+-----------------------+
    |11.1.1.1            |bond1               |105                 |11:36:45-11:37:59      |
    +--------------------+--------------------+--------------------+-----------------------+
    [Global] MyChassis-ch01-01>
  • Page 88
      -b <SGM_IDs>       Shows the specified Security Appliances:
                           One Security Appliance (for example, 1_1)
                           A comma-separated list of Security Appliances (for example, 1_1,1_4)
                           A range of Security Appliances (for example, 1_1-1_4)
                           One Chassis (chassis1, or chassis2)
                           The active Chassis (chassis_active)
  • Page 89
    ...                 |Expire    |
    +--------------------+----------+----------------------------------------------------------+
    |225.0.90.90         |          |                                                          |
    +--------------------+----------+----------------------------------------------------------+
    |Flags     |IGMP Ver |Query Interval |Query Response Interval  |protocol |Advertise Address|
    +----------+---------+---------------+-------------------------+---------+-----------------+
    |Querier   |         |125            |                         |PIM      |2.2.2.10         |
    +------------------------------------------------------------------------------------------+
    NOTE: Inconsistency found in interfaces configuration between blades
    Inconsistent interfaces: eth1-02
    [Global] MyChassis-ch01-01>
  • Page 90
    |Global Properties Verification: Passed - Information is identical on all blades           |
    +------------------------------------------------------------------------------------------+
    |Group               |Age       |Expire                                                    |
    +--------------------+----------+----------------------------------------------------------+
    |225.0.90.90         |46m       |                                                          |
    +--------------------+----------+----------------------------------------------------------+
    |Flags     |IGMP Ver |Query Interval |Query Response Interval  |protocol |Advertise Address|
    +----------+---------+---------------+-------------------------+---------+-----------------+
    |Querier   |         |125            |                         |PIM      |12.12.12.11      |
    +------------------------------------------------------------------------------------------+
    [Expert@MyChassis-ch01-01:0]#
  • Page 91: Monitoring Vpn Tunnels

    SmartConsole to see VPN tunnel status and details.

    SNMP
    You can use the tunnelTable sub-tree in the Check Point MIB (.1.3.6.1.4.1.2620.500.9002) to see VPN status with SNMP.
    SNMP Monitoring
    R80.20SP Maestro VSX
    For VSX environments, search for the...
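    Polling the tunnelTable is the practical way to alert on a tunnel that silently dropped, since SmartConsole only shows the state when someone looks. The Python below is an added example, not Check Point code or output: it parses a saved snmpwalk of the sub-tree named above and lists every tunnel that is not Active or Idle. The column numbers (1 tunnelPeerIpAddr, 2 tunnelPeerObjName, 3 tunnelState, 4 tunnelCommunity) and the tunnelState values (3 Active, 4 Destroy, 129 Idle, 130 Phase1, 131 Down, 132 Init) are taken from the Check Point MIB as I know it and must be checked against the MIB file shipped with your version; the walk in the block is constructed sample data.

```python
"""Parse an snmpwalk of the Check Point tunnelTable and report VPN tunnels that are not up.

Added example (not Check Point code). Run it off the appliance on saved output of, for example,
    snmpwalk -v3 ... <gateway> .1.3.6.1.4.1.2620.500.9002
Assumptions, to be verified against the MIB file for your version:
  - columns 1..4 of tunnelEntry are tunnelPeerIpAddr, tunnelPeerObjName, tunnelState, tunnelCommunity
  - tunnelState values: 3 Active, 4 Destroy, 129 Idle, 130 Phase1, 131 Down, 132 Init
SAMPLE_WALK is constructed, not captured from a real gateway.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

TUNNEL_TABLE_OID = ".1.3.6.1.4.1.2620.500.9002"
COLUMNS = {1: "peer_ip", 2: "peer_name", 3: "state", 4: "community"}   # assumed layout
TUNNEL_STATE = {3: "Active", 4: "Destroy", 129: "Idle", 130: "Phase1", 131: "Down", 132: "Init"}
HEALTHY_STATES = {"Active", "Idle"}   # Idle: negotiated but no traffic, not a fault

# <table>.1.<column>.<row index> = <TYPE>: <value>   (snmpwalk -On style line)
_LINE = re.compile(re.escape(TUNNEL_TABLE_OID) + r"\.1\.(\d+)\.([\d.]+)\s*=\s*(?:[A-Za-z]+:\s*)?(.*)$")

SAMPLE_WALK = """\
.1.3.6.1.4.1.2620.500.9002.1.1.1 = IpAddress: 203.0.113.10
.1.3.6.1.4.1.2620.500.9002.1.2.1 = STRING: "branch-a-gw"
.1.3.6.1.4.1.2620.500.9002.1.3.1 = INTEGER: 3
.1.3.6.1.4.1.2620.500.9002.1.4.1 = STRING: "Intranet"
.1.3.6.1.4.1.2620.500.9002.1.1.2 = IpAddress: 203.0.113.20
.1.3.6.1.4.1.2620.500.9002.1.2.2 = STRING: "branch-b-gw"
.1.3.6.1.4.1.2620.500.9002.1.3.2 = INTEGER: 131
.1.3.6.1.4.1.2620.500.9002.1.4.2 = STRING: "Intranet"
.1.3.6.1.4.1.2620.500.9002.1.1.3 = IpAddress: 198.51.100.7
.1.3.6.1.4.1.2620.500.9002.1.2.3 = STRING: "partner-gw"
.1.3.6.1.4.1.2620.500.9002.1.3.3 = INTEGER: 129
.1.3.6.1.4.1.2620.500.9002.1.4.3 = STRING: "Partners"
.1.3.6.1.4.1.2620.500.9002.1.3.4 = INTEGER: 130
.1.3.6.1.4.1.2620.500.9002.1.2.4 = STRING: "dc2-gw"
"""


def parse_tunnel_table(walk: str) -> Dict[str, Dict[str, str]]:
    """Group the walked cells by row index; columns outside COLUMNS are kept as colN."""
    rows: Dict[str, Dict[str, str]] = defaultdict(dict)
    for line in walk.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue                      # not part of tunnelTable, or malformed
        col, idx, value = int(m.group(1)), m.group(2), m.group(3).strip().strip('"')
        rows[idx][COLUMNS.get(col, f"col{col}")] = value
    return dict(rows)


def state_name(raw: str) -> str:
    """Map the raw integer to a name; unknown codes stay visible instead of being hidden."""
    try:
        return TUNNEL_STATE.get(int(raw), f"unknown({raw})")
    except ValueError:
        return f"unknown({raw})"


def unhealthy_tunnels(rows: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (peer_ip, peer_name, community, state) for every tunnel not Active or Idle."""
    out = []
    for idx in sorted(rows, key=lambda k: tuple(int(p) for p in k.split(".") if p)):
        row = rows[idx]
        st = state_name(row.get("state", ""))
        if st not in HEALTHY_STATES:
            out.append((row.get("peer_ip", "?"), row.get("peer_name", "?"),
                        row.get("community", "?"), st))
    return out


if __name__ == "__main__":
    for peer, name, community, st in unhealthy_tunnels(parse_tunnel_table(SAMPLE_WALK)):
        print(f"{name:<12} {peer:<16} {community:<10} {st}")
```

    A row with a missing cell (the constructed dc2-gw entry has no peer address) is still reported, with "?" in the empty field, rather than dropped, because a half-populated row during a walk is exactly the moment a tunnel is being torn down or renegotiated.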
  • Page 92: Traceroute (Asg_Tracert)

      <ip>
      <tracert_options>    Native tracert command options
    Example
    [Expert@MyChassis-ch01-01:0]# asg_tracert 100.100.100.99
    traceroute to 100.100.100.99 (100.100.100.99), 30 hops max, 40 byte packets
      (20.20.20.20)  0.722 ms  0.286 ms  0.231 ms
      (100.100.100.99)  1.441 ms  0.428 ms  0.395 ms
    [Expert@MyChassis-ch01-01:0]#
  • Page 93: Multi-Blade Traffic Capture (Tcpdump -Mcap, Tcpdump -View)

    ... Security Appliance ID.
      <capture_path>     Reads the specified traffic capture file. Regular tcpdump output, prefixed by the ID of the Security Appliance that processed the packet.
      <tcpdump_ops>      Standard tcpdump parameters (see the tcpdump manual page).
  • Page 94
    [2_3] 14:12:07.625171 IP 0.0.0.0.cp-cluster > 172.16.6.0.cp-cluster: UDP, length 45
    [2_3] 14:12:09.974195 IP 0.0.0.0.cp-cluster > 172.16.6.0.cp-cluster: UDP, length 37
    [2_1] 14:12:09.989745 IP 0.0.0.0.cp-cluster > 172.16.6.0.cp-cluster: UDP, length 45
    [2_3] 14:12:10.022995 IP 0.0.0.0.cp-cluster > 172.23.9.0.cp-cluster: UDP, length 32
    ...
    [Global] MyChassis-ch01-01>
  • Page 95: Monitoring Management Interfaces Link State

    The output of the asg stat -v command shows the Management ports. See the Chassis Parameters > Ports > Mgmt line in the output example below. The show interfaces command shows the link state of management interfaces based on this feature mechanism.
  • Page 96
    ...             |MAC Address             |(ch1)
    +---------------+-------------------------------------+------------+--------------------+-----+-----+------+------------------+
    |eth1-Mgmt1     |172.23.19.53/24                      |Ethernet    |(Up)                |10G  |1500 |Full  |00:1c:7f:62:91:94 |
    +---------------+-------------------------------------+------------+--------------------+-----+-----+------+------------------+
    |Sync           |192.0.2.1/24                         |Ethernet    |(up)                |10G  |1500 |Full  |00:1c:7f:01:04:fe |
    +---------------+-------------------------------------+------------+--------------------+-----+-----+------+------------------+
    ... output was truncated for brevity ...
  • Page 97: Performance Monitoring And Control

    Note - The parameters and options of the standard Linux command are available for the global command. You can use one or more flags. However, do not use the -l and -r flags together.

    Syntax
      {<Gaia gClish Command> | <Global Command>} [-b <SGM_IDs>] [<Command Options>]
  • Page 98
    The example output shows the combined results for these Security Appliances.
    [Expert@MyChassis-ch01-01:0]# g_ls -b 1_1-1_3,2_1 /var/
    -*- 4 blades: 1_01 1_02 1_03 2_01 -*-
    CPbackup    crash    suroot
    CPsnapshot  cache    empty    lock    mail    preserve    spool
    [Expert@MyChassis-ch01-01:0]#
  • Page 99
      > top [local] [{-f [-o <filename>] [-n <iter>] | -s <filename>}] -b <SGM_IDs> [<top_params>]

    Syntax for the Expert mode
      # g_top -h
      # g_top [local] [{-f [-o <filename>] [-n <iter>] | -s <filename>}] -b <SGM_IDs> [<top_params>]
  • Page 100
    ... Security Appliances and is used when the top command is run.

    To manage the g_top display:
      1. Run: # top
      2. Set the desired display view (press h to see the built-in help).
      3. Press Shift+W to save the configuration.
      4. Run: # g_top
  • Page 101
    ...                                                    Iface
    192.0.2.3       ether   00:1C:7F:03:04:FE                Sync
    172.23.9.28     ether   00:14:22:09:D2:22                eth1-Mgmt4
    192.0.2.1       ether   00:1C:7F:01:04:FE                Sync
    1_03:
    Address         HWtype  HWaddress            Flags Mask  Iface
    192.0.2.1       ether   00:1C:7F:01:04:FE                Sync
    172.23.9.28     ether   00:14:22:09:D2:22                eth1-Mgmt4
    192.0.2.2       ether   00:1C:7F:02:04:FE                Sync
    [Global] MyChassis-ch01-01>
  • Page 102: Monitoring Performance (Asg Perf)

      -b <SGM_IDs>       Shows the specified Security Appliances:
                           One Security Appliance (for example, 1_1)
                           A comma-separated list of Security Appliances (for example, 1_1,1_4)
                           A range of Security Appliances (for example, 1_1-1_4)
                           One Chassis (chassis1, or chassis2)
                           The active Chassis (chassis_active)
  • Page 103
                         If no value is specified, the combined performance information is shown for both IPv4 and IPv6.
                         Shows percentages instead of absolute values.
                         Shows peak (maximum) system performance values.
                         Resets peak values and deletes all peaks files and system history files.
  • Page 104
    By default, absolute values are shown.
    Unless otherwise specified, the combined statistics for IPv4 and IPv6 are shown.
    When no Security Appliances are specified, performance statistics are shown for the Active Security Appliance only.
  • Page 105
    The ID of the Security Appliance with the minimum and the maximum value is shown in brackets next to each value.
    Unless otherwise specified, the combined statistics for both IPv4 and IPv6 are shown.
    When no Security Appliances are specified, performance statistics are shown for the active Security Appliance only.
  • Page 106
    |Acceleration load (avg/min/max)             |5%/5%/5%       |
    |Instances load (avg/min/max)                |5%/3%/10%      |
    |Memory usage                                |57%            |
    +--------------------------------------------+---------------+------------+
    +------------------------------------------------------------------------+
    |Per Path Distribution Summary                                           |
    +------------------+------------+--------------+--------------+-----------+
    |                  |Acceleration|Medium        |Firewall      |Dropped    |
    +------------------+------------+--------------+--------------+-----------+
    |Throughput        |1.7 K       |              |              |           |
    |Packet rate       |            |              |              |           |
    |Connection rate   |            |              |              |           |
    |Concurrent conn.  |            |              |              |           |
    +------------------+------------+--------------+--------------+-----------+
    [Global] MyChassis-ch01-01>
  • Page 107
    |                         |2.1 M       |117.6 M     |            |                  |
    |Packet rate              |6.0 M       |1.4 K       |222.8 K     |                  |
    |Connection rate          |            |            |            |                  |
    |Concurrent connections   |3.2 K       |156         |            |                  |
    +-------------------------+------------+------------+------------+------------------+
    +----------------------------------------+--------------------+
    |VPN Performance                                              |
    +----------------------------------------+--------------------+
    |VPN throughput                          |2.9 G               |
    |VPN connections                         |3.1 K               |
    +----------------------------------------+--------------------+
    [Global] MyChassis-ch01-01>
  • Page 108
    The Security Appliance that uses the least fwk daemon memory on Virtual System 3 is Security Appliance 1_02.
    This information is shown only if vsxmstat is enabled for perfanalyze use. Make sure that the vsxmstat feature is enabled (vsxmstat status_raw).
  • Page 109: Performance Hogs (Asg_Perf_Hogs)

    | [PASSED] | Routing cache entries
    | [PASSED] | SecureXL status
    | [PASSED] | Swap saturation
    | [FAILED] | routed trace options
    -----------------------------------------------------------------
    Found the following issues:
    -----------------------------------------------------------------
    [ All] routed trace options are set: Cluster; igmp:All; pim:All
    [Expert@MyChassis-01:0]#
  • Page 110: Configuration

    Note - Not all the tests can be configured.

    To enable or disable a test:
      In the [tests] section, set the applicable value for the applicable test:
        1 = enable the test
        0 = disable the test
  • Page 111
    Each process must be in quotes. Put a space between the entries.
    Default: "fw ctl zdebug" "fw ctl debug" "fw ctl kdebug" "fw monitor" "tcpdump"
    Example:
      processes_to_check=("fw ctl zdebug" "fw ctl debug" "fw ctl kdebug" "fw monitor" "tcpdump")
  • Page 112
    The fw1_debug_flags test confirms that Firewall debug flags which are not enabled by default stay disabled.
    Notes:
      This test has no configuration options.
      This test runs in the contexts of all Virtual Systems.
  • Page 113
    Threshold is the percent capacity of the IPv4 route cache that should not be exceeded:
      Default = 90
      Recommended range = 75 - 95
    Note - This test runs in the context of the current Virtual System only.
  • Page 114
    Timeout is the number of seconds that specifies how far back to look in the /var/log/messages file for ARP cache overloaded messages. Recommended range is 300 - 86400.
    Notes:
      To learn how to adjust the ARP cache, see sk43772.
      This test runs regardless of the Virtual System context.
  • Page 115
    | [PASSED] | Routing cache entries
    | [PASSED] | SecureXL status
    | [PASSED] | Swap saturation
    | [PASSED] | routed trace options
    -----------------------------------------------------------------
    Found the following issues:
    -----------------------------------------------------------------
    [1_01] Soft lockup occurred during the last 3600 seconds.
  • Page 116: Setting Port Priority

    > set chassis high-availability factors port standard 50

    Set the port to high grade or standard grade. For example, to assign the standard port grade to eth1-01, run:
    > set chassis high-availability port eth1-01 priority 1
  • Page 117: Searching For A Connection (Asg Search)

    Searching with the Command Line

    Syntax
      > asg search -help
      > asg search [-v] [-vs <VS_IDs>] [<source_ip> <dest_ip> <dest_port> <protocol>]

    Parameters
      Parameter            Description
      -help                Shows the built-in help.
      Without parameters   Runs in the interactive mode.
  • Page 118
    You must enter all the parameters in the sequence shown in the syntax above. You can enter \* as a parameter to show all values for that parameter. The -vs parameter is only available for a Security Group in VSX mode.
  • Page 119
    <2620:0:2a03:16:2:33:0:1, 52117, 951::69cb:e42d:eac0:652f, 8080, tcp> -> [1_01 A, 2_01 B]
    <2620:0:2a03:16:2:33:0:1, 62775, 951::69cb:e42d:eac0:652f, 8080, tcp> -> [1_01 A, 2_01 B]
    <2620:0:2a03:16:2:33:0:1, 54378, 951::69cb:e42d:eac0:652f, 8080, tcp> -> [1_01 A, 2_01 B]
    Legend:
    A - Active SGM
    B - Backup SGM
    [Global] MyChassis-ch01-01>
  • Page 120
    <194.29.47.14, 52493, 172.23.9.130, 22, tcp> -> [1_01 A]
    <172.23.9.138, 49059, 172.23.9.130, 18192, tcp> -> [1_01 A]
    <194.29.40.23, 65515, 172.23.9.130, 22, tcp> -> [1_01 A]
    Legend:
    A - Active SGM
    B - Backup SGM
    [Global] MyChassis-ch01-01>
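    The two outputs above differ in one detail worth automating: on page 119 every connection has an active and a backup SGM, on page 120 the SSH and SIC connections to 172.23.9.130 are held by 1_01 alone, so they are lost if that member fails. The Python below is an added example, not Check Point code: it parses saved asg search output, lists the connections without a backup SGM, and counts how many of the listed connections each SGM owns as active, which is a quick sanity check on the distribution. Note the field order: the printed 5-tuple is source, source port, destination, destination port, protocol, while the command line takes source_ip dest_ip dest_port protocol. The sample combines lines from these pages with constructed ones; the function names are mine.

```python
"""Parse 'asg search' output and find connections that have no backup SGM.

Added example, not Check Point code. Works on saved command output, off the appliance.
Record format as printed on the page:
    <src, sport, dst, dport, proto> -> [1_01 A, 2_01 B]
with A = active SGM, B = backup SGM (the command's legend).
SAMPLE_OUTPUT mixes lines from the page with constructed ones (the 10.0.0.x lines).
"""
import re
from collections import Counter
from typing import List, NamedTuple, Tuple

_REC = re.compile(
    r"^<\s*([^,\s]+)\s*,\s*(\d+)\s*,\s*([^,\s]+)\s*,\s*(\d+)\s*,\s*(\w+)\s*>\s*->\s*\[([^\]]*)\]\s*$"
)


class Conn(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    active: Tuple[str, ...]
    backup: Tuple[str, ...]


SAMPLE_OUTPUT = """\
<2620:0:2a03:16:2:33:0:1, 52117, 951::69cb:e42d:eac0:652f, 8080, tcp> -> [1_01 A, 2_01 B]
<2620:0:2a03:16:2:33:0:1, 62775, 951::69cb:e42d:eac0:652f, 8080, tcp> -> [1_01 A, 2_01 B]
<194.29.47.14, 52493, 172.23.9.130, 22, tcp> -> [1_01 A]
<172.23.9.138, 49059, 172.23.9.130, 18192, tcp> -> [1_01 A]
<10.0.0.5, 40000, 10.0.1.9, 443, tcp> -> [1_02 A, 2_02 B]
<10.0.0.6, 53, 10.0.1.53, 53, udp> -> [2_01 A, 1_01 B]
Legend:
A - Active SGM
B - Backup SGM
[Global] MyChassis-ch01-01>
"""


def parse_asg_search(text: str) -> List[Conn]:
    """Return one Conn per record line; legend, prompt and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = _REC.match(line)
        if not m:
            continue
        active, backup = [], []
        for member in m.group(6).split(","):
            parts = member.split()
            if len(parts) != 2 or parts[1] not in ("A", "B"):
                raise ValueError(f"unexpected SGM field {member!r} in {line!r}")
            (active if parts[1] == "A" else backup).append(parts[0])
        conns.append(Conn(m.group(1), int(m.group(2)), m.group(3), int(m.group(4)),
                          m.group(5).lower(), tuple(active), tuple(backup)))
    return conns


def without_backup(conns: List[Conn]) -> List[Conn]:
    """Connections held on a single SGM only: these are lost if that SGM fails."""
    return [c for c in conns if not c.backup]


def active_owner_counts(conns: List[Conn]) -> Counter:
    """How many of the listed connections each SGM owns as active."""
    return Counter(sgm for c in conns for sgm in c.active)


if __name__ == "__main__":
    conns = parse_asg_search(SAMPLE_OUTPUT)
    for c in without_backup(conns):
        print(f"no backup: {c.src}:{c.sport} -> {c.dst}:{c.dport}/{c.proto} on {','.join(c.active)}")
    print(dict(active_owner_counts(conns)))
```

    Connections to the member's own management address (port 22 and the SIC port 18192 in the page's output) are expected to be local to one SGM; the check is useful for the forwarded traffic, where a missing backup is a finding.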
  • Page 121: Searching With Interactive Mode

    1. Source IPv4 or IPv6 address
    2. Destination IPv4 or IPv6 address
    3. Destination port number
    4. IP protocol
    5. Source port number
    Note - You can enter * to show all values for any parameter.
  • Page 122
    <2620:0:2a03:16:2:33:0:1, 52117, 951::69cb:e42d:eac0:652f, 8080, tcp> -> [1_01 A, 2_01 B]
    <2620:0:2a03:16:2:33:0:1, 62775, 951::69cb:e42d:eac0:652f, 8080, tcp> -> [1_01 A, 2_01 B]
    <2620:0:2a03:16:2:33:0:1, 54378, 951::69cb:e42d:eac0:652f, 8080, tcp> -> [1_01 A, 2_01 B]
    A - Active SGM
    B - Backup SGM
    [Global] MyChassis-ch01-01>
  • Page 123
      -b <SGM_IDs>       Shows the specified Security Appliances:
                           A comma-separated list of Security Appliances (for example, 1_1,1_4)
                           A range of Security Appliances (for example, 1_1-1_4)
                           One Chassis (chassis1, or chassis2)
                           The active Chassis (chassis_active)
                         Shows only IPv6 connections.
  • Page 124
    Total conn entries @ DB 31:
    1_05:
    There are 16 conn entries in SecureXL connections table
    Total conn entries @ DB 2:
    Total conn entries @ DB 26:
    Total (SecureXL connections table): 368 connections
    [Global] MyChassis-ch01-01>
  • Page 125: Packet Drop Monitoring (Drop_Monitor And Asg_Drop_Monitor)

    # drop_monitor [-d] [-v] [-m <Member_IDs>] [-i <List of Interfaces>] [-f <Refresh Rate>] [-sf <Query Timeout>] [-le] [-e] [-dm] [-ds] [-r] [-s] [-v6]

    Parameters
      Parameter              Description
      -h                     Shows the built-in help.
      -d, --debug            Runs the command in debug mode.
  • Page 126
      --detailed-securexl    Shows detailed drop statistics for SecureXL.
      --reset                Resets statistics to 0 before collecting the data.
                             Notes:
                               Drop statistics are reset for CoreXL, PSL, SecureXL, and backplane interfaces.
                               Drop statistics are not reset for SSMs.
  • Page 127
    Output columns:
      | RX Dropped | TX Dropped | Qdisc Dropped |
      CoreXL:   | Inbound Dropped | Outbound Dropped | F2P Dropped | Total Dropped | Rejected |
      SecureXL: | Total drops |
  • Page 128
    Drop reason columns (continued):
      | outb - no conn | clr pkt on vpn | partial conn | decrypt failed | Connections Limit by Source IP exceed its | local spoofing | interface down |
  • Page 129: The "Asg_Drop_Monitor" Command

    CTRL+C

    Syntax
      # asg_drop_monitor -h
      # asg_drop_monitor [-r] [-6]

    Parameters
      Parameter              Description
      -h                     Shows the built-in help.
      -r                     Resets statistics to 0.
      -6                     Shows only IPv6 results.
      -ssm [-t <timeout>]    This parameter is not supported (see MBS-5478).
  • Page 130
    Drop reasons (continued):
      QOS decision
      C2S violation
      S2C violation
      Loop prevention
      DOS Fragments
      DOS IP Options
      DOS Blacklists
      DOS Penalty Box
      DOS Rate Limiting
      Syn Attack
      Reorder
      Expired Fragments
  • Page 131: Hardware Monitoring And Control

      ...                The IDs of the Security Group members, their state and IP addresses
                         Tasks and on which Security Group member they run
      -i sgm_info        Shows the IDs of the Security Group members, their state and IP addresses
  • Page 132
    | Version               | R80.20SP (Build Number XXX)
    --------------------------------------------------------------------------------
    | Chassis Parameters
    --------------------------------------------------------------------------------
    | Unit                  Chassis 1
    --------------------------------------------------------------------------------
    | SGMs                  30 / 30
    | Ports                 4 / 4
    | SSMs                  2 / 2
    --------------------------------------------------------------------------------
    [Expert@MyChassis-ch01-01:0]#
  • Page 133
    To change the state of a Security Appliance manually, use the g_clusterXL_admin command. This command administratively changes the state to ACTIVE or DOWN. A Security Appliance that is DOWN because of a software or hardware problem cannot be changed to ACTIVE with this command.
  • Page 134
    > set chassis high-availability factors sgm 12
    If you run the asg stat -v command, the output shows a higher unit weight and system grade.

    Synchronization
    Status of synchronization between Security Appliances located in the same Security Group.
  • Page 135: Monitoring System And Component Status (Asg Monitor)

      -amw               Shows the Anti-Malware policy date instead of the Firewall policy date.
                         Shows only the System component status.
      -all               Shows both Security Appliance and System component status.
      <Interval>         Sets the data refresh interval (in seconds) for this session.
                         Shows the legend of column title abbreviations.
  • Page 136
    | Ports        Mgmt 1 / 1      Mgmt Bond 0 / 0      Other 0 / 0
    | Sensors      SSMs 2 / 2
    | Grade        133 / 133
    --------------------------------------------------------------------------------
    | Synchronization
    | Sync to Active chassis: Enabled
    --------------------------------------------------------------------------------
  • Page 137
    ...                  (% of high limit)
    System               Concurrent connections - High limit                    concurr_conn_total_threshold_high
    System               Concurrent connections - Low limit (% of high limit)   concurr_conn_total_threshold_low_ratio
    Security Appliance   Connection rate per second - High limit                conn_rate_threshold_high
  • Page 138: Configuring Alert Thresholds (Set Chassis Alert_Threshold)

    Security Appliance   Throughput (bps) - High limit                    throughput_threshold_high
    Security Appliance   Throughput (bps) - Low limit (% of high limit)   throughput_threshold_low_ratio
    System               Throughput (bps) - High limit                    throughput_total_threshold_high
    System               Throughput (bps) - Low limit (% of high limit)   throughput_total_threshold_low_ratio
  • Page 139: Monitoring System Resources (Asg Resource)

    Shows only the SSD Health information for all Security Appliances:
      --ssd       Shows summary information only (whether it passed the SMART test)
      --ssd -v    Shows the summary and verbose information (SSD SMART Attributes)
  • Page 140
    +---------------+-------------------------+
    |1_01           |PASSED                   |
    +---------------+-------------------------+
    |1_02           |PASSED                   |
    +---------------+-------------------------+
    ... output is cut for brevity ...
    +---------------+-------------------------+
    |2_01           |PASSED                   |
    +---------------+-------------------------+
    |2_02           |PASSED                   |
    +---------------+-------------------------+
    ... output is cut for brevity ...
    SSD attributes verifier ended successfully.
    [Global] MyChassis-ch01-01>
  • Page 141
    +---------------+-------------------------+
    |1_02           |PASSED                   |
    +---------------+-------------------------+
    |1_03           |PASSED                   |
    +---------------+-------------------------+
    |1_04           |PASSED                   |
    +---------------+-------------------------+
    |1_05           |PASSED                   |
    +---------------+-------------------------+
    |2_01           |PASSED                   |
    +---------------+-------------------------+
    |2_02           |PASSED                   |
    +---------------+-------------------------+
    |2_03           |PASSED                   |
    +---------------+-------------------------+
    |2_04           |PASSED                   |
    +---------------+-------------------------+
    |2_05           |PASSED                   |
    +---------------+-------------------------+
    SSD attributes verifier ended successfully.
    [Expert@MyChassis-01:0]#
  • Page 142
    ... output is cut for brevity ...
    +------+----------------------------+--------+--------+---------------+
    |194   |Temperature_Celsius         |100     |        |               |
    +------+----------------------------+--------+--------+---------------+
    ... output is cut for brevity ...
    +------+----------------------------+--------+--------+---------------+
    Member 1_02
    +------+----------------------------+--------+--------+---------------+
    |      |Attribute name              |Value   |Thresh  |Last_failed    |
    +------+----------------------------+--------+--------+---------------+
    |      |Reallocated_Sector_Ct       |100     |        |               |
    +------+----------------------------+--------+--------+---------------+
    ... output is cut for brevity ...
    [Expert@MyChassis-ch01-01:0]#
  • Page 143
      Thresh         The minimum value limit for the attribute. If the value falls below this threshold, the SSD should be checked for errors and possibly replaced.
      Last_failed    Shows when a failure was last reported for this attribute.
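    With thirty members per chassis, reading the verbose SMART tables by eye does not scale, and the attribute that matters (a value that has reached its threshold, or a recorded failure) is easy to miss among dozens of passing rows. The Python below is an added example, not Check Point code: it parses saved asg resource --ssd -v output in the shape shown on page 142 and lists, per member, the attributes that are at or below their threshold or carry a Last_failed date. The ID column label and every number in the sample are constructed; a real run should be compared against the vendor thresholds for the drives actually installed.

```python
"""Check the 'asg resource --ssd -v' SMART table: flag attributes at or below their threshold.

Added example, not Check Point code; it runs on saved command output, off the appliance.
The table shape follows the page (Attribute name / Value / Thresh / Last_failed, one block
per member, 'output is cut for brevity' lines in between). The leading ID column is labelled
by me and all numbers in SAMPLE are constructed, not real appliance data.
"""
import re
from typing import Dict, List, NamedTuple


class Smart(NamedTuple):
    member: str
    attr_id: int
    name: str
    value: int
    thresh: int
    last_failed: str


_MEMBER = re.compile(r"^Member\s+(\d+_\d+)\s*$")
_ROW = re.compile(r"^\|\s*(\d+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*\|\s*(\d+)\s*\|\s*(\S+)\s*\|?\s*$")

SAMPLE = """\
Member 1_01
+------+----------------------------+--------+--------+---------------+
|ID    |Attribute name              |Value   |Thresh  |Last_failed    |
+------+----------------------------+--------+--------+---------------+
|5     |Reallocated_Sector_Ct       |100     |10      |-              |
|194   |Temperature_Celsius         |100     |0       |-              |
... output is cut for brevity ...
Member 1_02
+------+----------------------------+--------+--------+---------------+
|ID    |Attribute name              |Value   |Thresh  |Last_failed    |
+------+----------------------------+--------+--------+---------------+
|5     |Reallocated_Sector_Ct       |10      |10      |-              |
|177   |Wear_Leveling_Count         |3       |5       |2019-02-07     |
|194   |Temperature_Celsius         |100     |0       |-              |
+------+----------------------------+--------+--------+---------------+
"""


def parse_smart_table(text: str) -> List[Smart]:
    """Return one Smart row per attribute line; header, separator and 'cut' lines are skipped."""
    rows, member = [], "?"
    for line in text.splitlines():
        m = _MEMBER.match(line.strip())
        if m:
            member = m.group(1)
            continue
        r = _ROW.match(line.strip())
        if r:
            rows.append(Smart(member, int(r.group(1)), r.group(2),
                              int(r.group(3)), int(r.group(4)), r.group(5)))
    return rows


def failing_attributes(rows: List[Smart]) -> List[Smart]:
    """SMART normalised values count down towards the threshold, so 'at or below' is
    the failing condition; a recorded Last_failed date is a finding on its own."""
    return [r for r in rows if r.value <= r.thresh or r.last_failed != "-"]


def members_to_check(rows: List[Smart]) -> Dict[str, List[str]]:
    """Member ID -> names of the attributes that should be looked at."""
    out: Dict[str, List[str]] = {}
    for r in failing_attributes(rows):
        out.setdefault(r.member, []).append(r.name)
    return out


if __name__ == "__main__":
    for member, names in members_to_check(parse_smart_table(SAMPLE)).items():
        print(f"{member}: check {', '.join(names)}")
```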
  • Page 144: Configuring Alerts For Security Appliance And Chassis Events (Asg Alert)

    Run a test simulation to make sure that the alert works correctly.

    To create or change an alert:
      Step   Instructions
      1      Run in Gaia gClish:
             > asg alert
      2      Select and configure these parameters as prompted by the wizard:
               Alert Type
               Event Type
               Alert Mode
  • Page 145
    Define one or more SNMP managers to get SNMP traps sent from the Security Gateway. For each manager, configure these parameters:
      SNMP Alert Parameter    Description
      SNMP manager name       Unique name for the SNMP manager
      SNMP manager IP         IP address of the SNMP Manager (trap receiver)
  • Page 146
                              Privacy (encryption) password for SNMPv3
      SNMP user text          Custom text for SNMP trap messages
      SNMP community string   Community name
    Notes:
      Based on the settings, some parameters do not show.
      There are no configurable parameters for log alerts.
  • Page 147
    Please choose event types for which to send alerts: [all] (format: all or 1,4 or 1,3-7,10)
    You can select one or more event types:
      One event type.
      A comma-delimited list of more than one event type.
      All event types.
  • Page 148: Collecting System Diagnostics (Smo Verifiers)

      except                     Runs all tests except the specified tests.
                                 Shows the requested results.
      <TestId1>,<TestId2>,...    Specifies the tests by their IDs (comma-separated list). To see a list of test IDs, run:
                                   > show smo verifiers list
  • Page 149
      save <Num_Logs>            Number of logs to save from the smo verifiers log files. Keeps the newest logs. Default = 5.
      periodic                   Shows the latest periodic run results.
      last-run                   Shows the latest run results.
  • Page 150: Showing The Tests

    | asg_pim_neighbors
    --------------------------------------------------------------------------
    | Misc
    --------------------------------------------------------------------------
    | 30 | Core Dumps        | core_dump_verifier -v
    | 31 | Performance hogs  | asg_perf_hogs
    --------------------------------------------------------------------------
    | Run "show smo verifiers print id <TestNum>" to display test output
    --------------------------------------------------------------------------
  • Page 151: Showing The Last Run Diagnostic Tests

    | Failed (!)                                                                   |
    --------------------------------------------------------------------------------
    | Tests Summary
    --------------------------------------------------------------------------------
    | Passed: 24/31 tests
    | Run: "show smo verifiers list id 1,6,15,18,19,30,31" to view a complete list
    | of failed tests
    | Output file: /var/log/alert_verifier_sum.1-31.2019-02-07_01-00-02.txt
    --------------------------------------------------------------------------------
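    The summary block is what a monitoring job should parse rather than the full report: the Passed: x/y line gives the counts and the Run: hint names the failed test IDs, in the same "1,4" / "1,3-7,10" / "all" list grammar the asg alert wizard accepts for event types (page 147). The Python below is an added example, not Check Point code: it extracts both, expands the ID list, and checks that the number of IDs in the hint matches y minus x, which catches a truncated or mangled summary before an alert is raised on it. The sample is the summary printed above; the function names are mine.

```python
"""Parse the 'smo verifiers' Tests Summary block and cross-check its failed-test list.

Added example, not Check Point code; it works on saved output of
'show smo verifiers report' / 'show smo verifiers last-run'. The ID-list grammar
expanded here ("1,6,15" / "1,3-7,10" / "all") is the one the guide shows both in
the summary's Run: hint and in the asg alert event-type prompt.
SAMPLE_SUMMARY is the block printed on the page.
"""
import re
from typing import Dict, List, Optional

SAMPLE_SUMMARY = """\
--------------------------------------------------------------------------------
| Tests Summary
--------------------------------------------------------------------------------
| Passed: 24/31 tests
| Run: "show smo verifiers list id 1,6,15,18,19,30,31" to view a complete list
| of failed tests
| Output file: /var/log/alert_verifier_sum.1-31.2019-02-07_01-00-02.txt
--------------------------------------------------------------------------------
"""

_PASSED = re.compile(r"Passed:\s*(\d+)/(\d+)\s+tests?")
_LIST_ID = re.compile(r'show smo verifiers list id ([\d,\s-]+)"')
_OUTFILE = re.compile(r"Output file:\s*(\S+)")


def expand_id_list(spec: str, max_id: Optional[int] = None) -> List[int]:
    """Expand 'all' | '1,4' | '1,3-7,10' into a sorted list of distinct integers.
    'all' needs max_id (the number of tests, or of event types)."""
    spec = spec.strip()
    if spec == "all":
        if max_id is None:
            raise ValueError("'all' requires max_id")
        return list(range(1, max_id + 1))
    ids = set()
    for part in spec.split(","):
        part = part.strip()
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", part)
        if not m:
            raise ValueError(f"bad id element: {part!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if lo < 1 or hi < lo:
            raise ValueError(f"bad range: {part!r}")
        ids.update(range(lo, hi + 1))
    return sorted(ids)


def parse_summary(text: str) -> Dict[str, object]:
    """Return passed, total, failed_ids, output_file, and whether they agree with each other."""
    # The hint wraps across two '| ' lines, so join the block before searching it.
    joined = " ".join(line.strip(" |") for line in text.splitlines())
    p = _PASSED.search(joined)
    if not p:
        raise ValueError("no 'Passed: x/y tests' line found")
    passed, total = int(p.group(1)), int(p.group(2))
    hint = _LIST_ID.search(joined)
    failed = expand_id_list(hint.group(1)) if hint else []
    out = _OUTFILE.search(joined)
    return {
        "passed": passed,
        "total": total,
        "failed_ids": failed,
        "output_file": out.group(1) if out else None,
        # The hint should name exactly the tests that did not pass.
        "consistent": total - passed == len(failed),
    }


if __name__ == "__main__":
    s = parse_summary(SAMPLE_SUMMARY)
    print(f"{s['passed']}/{s['total']} passed, failed: {s['failed_ids']}, consistent={s['consistent']}")
```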
  • Page 152: Running All Diagnostic Tests

    | Passed: 24/31 tests
    | Run: "show smo verifiers list id 1,6,15,18,19,30,31" to view a complete list
    | of failed tests
    | Output file: /var/log/verifier_sum.1-31.2019-02-07_18-35-22.txt
    | Run "show smo verifiers last-run print" to display verbose output
    --------------------------------------------------------------------------------
  • Page 153: Running Specific Diagnostic Tests

    | Passed: 2/3 tests
    | Run: "show smo verifiers list id 1" to view a complete list of failed tests
    | Output file: /var/log/verifier_sum.1-2.5.2019-02-07_18-37-22.txt
    | Run "show smo verifiers last-run print" to display verbose output
    --------------------------------------------------------------------------------
  • Page 154: Collecting Diagnostic Information For A Report Specified Section

    | Passed: 4/5 tests
    | Run: "show smo verifiers list id 1" to view a complete list of failed tests
    | Output file: /var/log/verifier_sum.1-5.2019-02-07_18-38-56.txt
    | Run "show smo verifiers last-run print" to display verbose output
    --------------------------------------------------------------------------------
  • Page 155: Error Types

    You can define the compliant CPU types.
      <Source> error     Security group   The information collected from this source is different between the Security Appliances.
      <Sources> differ   Security group   The information collected from many sources is different.
  • Page 156: Changing Compliance Thresholds

      warn   - Verification test result is set to "Passed", and a warning is shown
      ignore - Verification test result is set to "Ignore", and no errors are shown
    Save the changes in the file and exit the Vi editor.
  • Page 157: Troubleshooting Failures

    | Passed: 0/1 test
    | Run: "show smo verifiers list id 1" to view a complete list of failed tests
    | Output file: /var/log/verifier_sum.1.2019-02-07_20-12-07.txt
    | Run "show smo verifiers last-run print" to display verbose output
    --------------------------------------------------------------------------------
    >
  • Page 158
    | ID | Title           | Command
    --------------------------------------------------------------------------
    | System Components
    --------------------------------------------------------------------------
    | 1  | System Health   | asg stat -v
    --------------------------------------------------------------------------
    | Run "show smo verifiers print id <TestNum>" to display test output
    --------------------------------------------------------------------------
    >
  • Page 159
    | Ports        Standard 0 / 0      Bond 0 / 0      Other 0 / 0
    | Sensors      SSMs 1 / 2
    | Grade        29 / 40
    --------------------------------------------------------------------------------
    | Synchronization
    | Sync to Active chassis: Enabled
    --------------------------------------------------------------------------------
    >
  • Page 160: Alert Modes

    By default, the tests run at 01:00 each day. You can change the default time.
      Step   Instructions
             Edit the $FWDIR/conf/asgsnmp.conf file:
               # vi $FWDIR/conf/asgsnmp.conf
             Change the value in this line:
               asg_diag_alert_wrapper
             Copy this file to all other Security Appliances:
               # asg_cp2blades $FWDIR/conf/asgsnmp.conf
  • Page 161
             Copy this file to all other Security Appliances:
               # asg_cp2blades $FWDIR/conf/asg_diag_config
             Enforce the change. Run in Gaia gClish:
               > show smo verifiers report
             You can also wait for the next time the smo verifiers run automatically.
  • Page 162: Known Limitations Of The Smo Verifiers Test

    - Verification test result is set to Failed
    warn - Verification test result is set to Passed and a warning shows
    ignore - Verification test result is set to Ignore and no errors show
  • Page 163: System Monitoring

    Shows the built-in help.
    Example
    [Expert@MyChassis-ch01-03:0]# asg_serial_info
    Collecting SGMs information...
    +-------------------------+
    |     Serial numbers      |
    +------------+------------+
    | Chassis ID |            |
    | SGM2       | 11xxxxxxxx |
    | SGM3       | 12xxxxxxxx |
    | SGM4       | 13xxxxxxxx |
    +------------+------------+
    [Expert@MyChassis-ch01-03:0]#
  • Page 164: Showing The Security Group Version (Ver)

    Product version Check Point Gaia R80.20SP
    OS build xxx
    OS kernel version 3.10.0-693cpx86_64
    OS edition 64-bit
    1_02:
    Product version Check Point Gaia R80.20SP
    OS build xxx
    OS kernel version 3.10.0-693cpx86_64
    OS edition 64-bit
    [Global] MyChassis-ch01-01>
  • Page 165: Showing System Messages (Show Smo Log)

    5 12:40:10 1_05 MyChassis-ch01-05 pm[8458]: Restarted /usr/libexec/gexecd[11331], count=1
    5 12:40:11 1_01 MyChassis-ch01-01 pm[8463]: Restarted /bin/routed[12253], count=3
    5 12:40:11 1_04 MyChassis-ch01-04 pm[8449]: Restarted /bin/routed[11378], count=2
    5 12:40:11 1_04 MyChassis-ch01-04 pm[8449]: Restarted /opt/CPsuite-R80.20/fw1/bin/cmd[11379], count=2
    [Global] MyChassis-ch01-01>
  • Page 166: Configuring A Dedicated Logging Port

    > set interface eth1-Mgmt2 ipv4-address 2.2.2.10 mask-length 24
    Note - You must assign an IPv4 address from the same subnet as the one assigned to the dedicated interface on the Log Server, which connects to the Maestro Hyperscale Orchestrator.
  • Page 167
    Section Deploying Logging > Section Configuring the Security Gateways for Logging > Subsection
    Note - The SMO makes sure that return traffic from the Log Server reaches the correct Security Appliance in the Security Group.
  • Page 168: Log Server Distribution (Asg_Log_Servers)

    --------------------------
    1) Enable Log Servers Distribution mode
    2) Disable Log Servers Distribution mode
    3) Back
    If Log Servers Distribution is already enabled, the command shows which Log Servers are assigned to each Security Appliance:
  • Page 169
    Chassis 1
    |------------------------------------|
    Gaia LogServer2 LogServer Gaia LogServer LogServer Gaia LogServer2
    +------------------------------------+
    ("-" - Blade is not in Security Group)
    Choose one of the following options:
    ------------------------------------
    1) Configure Log Servers Distribution mode
    2) Exit
  • Page 170: Command Auditing (Asg Log Audit)

    Aug 18 14:32:32 2_01 WARNING: Chassis admin-state down on chassis: 2, User: O, Reason: Maintenance
    Aug 20 15:38:58 2_01 WARNING: Blade_admin down on blades: 2_02,2_03,2_04,2_05, User: Paul, Reason: Maintenance
    Aug 21 10:00:05 2_01 CRITICAL: Reboot on blades: all, user: ms, Reason: Maintenance
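    An incident responder reads these audit records first after an unexplained outage: who set a chassis or blades to admin down or rebooted them, from which SGM, when, and with what reason. The following is an added example, not code from the guide or from Check Point: a parser for the asg log audit line format shown above, and a review filter that flags CRITICAL actions, actions by users who are not on a change roster, actions without a recorded reason, actions outside a change window, and actions that hit every Security Appliance. The roster, the change-window hours and the fourth sample line are constructed for the example; the first three sample lines are the ones shown on this page.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# Constructed sample: the three records shown on the page plus one fabricated
# off-hours reboot by an account that is not on the change roster.
SAMPLE_AUDIT = """\
Aug 18 14:32:32 2_01 WARNING: Chassis admin-state down on chassis: 2, User: O, Reason: Maintenance
Aug 20 15:38:58 2_01 WARNING: Blade_admin down on blades: 2_02,2_03,2_04,2_05, User: Paul, Reason: Maintenance
Aug 21 10:00:05 2_01 CRITICAL: Reboot on blades: all, user: ms, Reason: Maintenance
Aug 21 23:59:10 1_03 CRITICAL: Reboot on blades: 1_01, User: svc_backup, Reason:
"""

# The captured output spells "User:" with either case, so both are accepted.
AUDIT_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) (?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<sgm>\d+_\d+) (?P<level>[A-Z]+): (?P<action>.+?) on (?P<scope>chassis|blades): "
    r"(?P<targets>[^,]+(?:,\d+_\d+)*), [Uu]ser: (?P<user>[^,]*), Reason: ?(?P<reason>.*)$"
)


@dataclass
class AuditEvent:
    timestamp: str
    sgm: str          # SGM that logged the record, e.g. 2_01
    level: str        # WARNING / CRITICAL
    action: str       # e.g. "Reboot", "Blade_admin down"
    scope: str        # "chassis" or "blades"
    targets: List[str]
    user: str
    reason: str


def parse_audit(lines: Iterable[str]) -> List[AuditEvent]:
    """Turn asg log audit output into structured events; non-matching lines are skipped."""
    events = []
    for line in lines:
        m = AUDIT_RE.match(line.rstrip("\n"))
        if not m:
            continue
        g = m.groupdict()
        events.append(AuditEvent(
            timestamp=f"{g['month']} {g['day']} {g['time']}",
            sgm=g["sgm"], level=g["level"], action=g["action"].strip(),
            scope=g["scope"], targets=g["targets"].split(","),
            user=g["user"].strip(), reason=g["reason"].strip(),
        ))
    return events


def audit_findings(events: List[AuditEvent], approved_users: Set[str],
                   change_window: Tuple[int, int] = (8, 18)) -> List[Tuple[AuditEvent, List[str]]]:
    """Return (event, reasons) for every record an operator should look at.

    change_window is (start_hour, end_hour) in the log's local time; a constructed policy."""
    start, end = change_window
    findings = []
    for ev in events:
        hour = int(ev.timestamp.split()[2].split(":")[0])
        why = []
        if ev.level == "CRITICAL":
            why.append("critical action")
        if ev.user not in approved_users:
            why.append(f"user {ev.user!r} not on change roster")
        if not ev.reason:
            why.append("no reason recorded")
        if not start <= hour < end:
            why.append("outside change window")
        if "all" in ev.targets:
            why.append("affects every Security Appliance")
        if why:
            findings.append((ev, why))
    return findings


if __name__ == "__main__":
    for ev, why in audit_findings(parse_audit(SAMPLE_AUDIT.splitlines()), {"O", "Paul", "ms"}):
        print(f"{ev.timestamp} {ev.sgm} {ev.action} {ev.scope}={','.join(ev.targets)} by {ev.user}: {'; '.join(why)}")
```

    Feed it the output of asg log audit from each chassis; because the record carries the SGM that logged it, a reboot of "all" blades logged from a single SGM is the one line to correlate with the asg monitor history.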
  • Page 171: Viewing A Log File (Asg Log)

    Security Appliance. For example, -tail 3 shows only the last three lines of the specified log file. Default = 10 lines.
    --filter <string> - Word or phrase used as a filter. For example: --filter debug
  • Page 172
    2 18:14:14 1_01 MyChassis-ch01-01 distutil:0: initialize_environment: vs-ids-vsbridges = 4
    2 18:14:30 1_01 MyChassis-ch01-01 distutil:0: initialize_environment: vs-ids-bridges = 4
    2 18:14:30 1_01 MyChassis-ch01-01 distutil:0: initialize_environment: vs-ids-vsbridges = 4
    2 18:16:19 1_01 MyChassis-ch01-01 distutil:0: initialize_environment: vs-ids-bridges = 4
  • Page 173
    MyChassis-ch01-02 cphaprob: Link state command ended successfully
    Feb 21 17:28:41 2019 1_02 MyChassis-ch01-02 cphaprob: Setting link state: chassis: 1, interface: eth2-63, state: Up Full 10000M
    Feb 21 17:28:41 2019 1_02 MyChassis-ch01-02 cphaprob: Link state command ended successfully
  • Page 174: Monitoring Virtual Systems (Cpha_Vsx_Util Monitor)

    - Shows all Virtual Systems
    Important - When you stop Virtual System monitoring, you must run the cpha_vsx_util monitor start command to start it again. Monitoring does not start automatically after reboot.
  • Page 175: Working With Snmp

    Note - Hardware monitoring is not supported.
    Enabling SNMP Monitoring on Maestro Hyperscale Orchestrators
    Step 1. Upload these Check Point MIB files from the Maestro Hyperscale Orchestrator to your third-party SNMP monitoring software:
    The SNMP MIB file: $CPDIR/lib/snmp/chkpnt.mib
    The SNMP Trap MIB file: $CPDIR/lib/snmp/chkpnt-trap.mib...
  • Page 176: Supported Snmp Oids For Maestro Hyperscale Orchestrators

    Only these branches are supported:
    Branch | Numerical | Full Text
    chkpntTrapInfo | .1.3.6.1.4.1.2620.1.2000.0 | .iso.org.dod.internet.private.enterprises.checkpoint.products.chkpntTrap.chkpntTrapInfo
    chkpntTrapNet | .1.3.6.1.4.1.2620.1.2000.1 | .iso.org.dod.internet.private.enterprises.checkpoint.products.chkpntTrap.chkpntTrapNet
    chkpntTrapDisk | .1.3.6.1.4.1.2620.1.2000.2 | .iso.org.dod.internet.private.enterprises.checkpoint.products.chkpntTrap.chkpntTrapDisk
    chkpntTrapCPU | .1.3.6.1.4.1.2620.1.2000.3 | .iso.org.dod.internet.private.enterprises.checkpoint.products.chkpntTrap.chkpntTrapCPU
  • Page 177
    chkpntTrapMemory | .1.3.6.1.4.1.2620.1.2000.4 | .iso.org.dod.internet.private.enterprises.checkpoint.products.chkpntTrap.chkpntTrapMemory
    Notes:
    The /etc/snmp/GaiaTrapsMIB.mib file is not supported.
    The set snmp traps command is not supported.
  • Page 178: Monitoring Security Groups Over Snmp

    High Availability status Enabling SNMP Monitoring of Security Groups Step Instructions Upload these Check Point MIB files from a Security Appliance in the applicable Security Group to your third-party SNMP monitoring software: The SNMP MIB file: $CPDIR/lib/snmp/chkpnt.mib The SNMP Trap MIB file: $CPDIR/lib/snmp/chkpnt-trap.mib...
  • Page 179: Supported Snmp Oids For Security Groups

    Security Appliance and Chassis Events (asg alert)" on page 144
    SNMP Monitoring of Security Groups in VSX Mode
    For more information, see the:
    R80.20SP Maestro Gaia Administration Guide
    R80.20SP Maestro VSX Administration Guide
    sk90860: How to configure SNMP on Gaia OS
  • Page 180: Common Snmp Oids For Security Groups

    Connections Per Second: IPv4 .1.3.6.1.4.1.2620.1.48.20.7, IPv6 .1.3.6.1.4.1.2620.1.48.21.7
    System Accelerated Concurrent Connections (String): IPv4 .1.3.6.1.4.1.2620.1.48.20.8, IPv6 .1.3.6.1.4.1.2620.1.48.21.8
    System Non-accelerated concurrent conn. (String): IPv4 .1.3.6.1.4.1.2620.1.48.20.9, IPv6 .1.3.6.1.4.1.2620.1.48.21.9
    System CPU load - average (String): IPv4 .1.3.6.1.4.1.2620.1.48.20.10, IPv6 .1.3.6.1.4.1.2620.1.48.21.10
  • Page 181
    Firewall CPU usage (avg / min / max), Performance peaks (Table): IPv4 .1.3.6.1.4.1.2620.1.48.20.26, IPv6 .1.3.6.1.4.1.2620.1.48.21.26
    Resources on every Security Appliance, Memory and Hard Disk utilization (Table): 1.3.6.1.4.1.2620.1.48.23
    CPU Utilization on every Security Appliance (Table): 1.3.6.1.4.1.2620.1.48.29
  • Page 182: System Optimization

    From the left tree, click
    On the Optimizations page, select Manually in the Calculate the maximum limit for concurrent connections
    Enter or select a value.
    Click
    Install the Access Control Policy on the Virtual System object.
  • Page 183: Working With Session Control (Asg_Session_Control)

    Shows the command syntax and help information
    apply - Applies session rate rules to all Security Appliances
    disable - Disables session rate rules for all Security Appliances
    stats - Shows all session rate rules and dropped traffic statistics
  • Page 184: Defining Session Control Rules

    If you do not include a parameter, the rule applies to all values for that parameter. For example, if you do not include the src parameter, the rule applies to all sources. The * character as a parameter value explicitly means that the rule applies to all values.
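    The wildcard semantics above (an omitted parameter, or *, matches every value) decide which rule a new session falls under, and a rule with too few parameters silently becomes a catch-all. The following is an added example and not the asg_session_control implementation: a rule matcher and per-second limiter with those semantics, keeping the Drops and Attempts counters the stats table reports. Assumptions not taken from the guide: rules are written as key=value tokens (src, dst, dport, proto), the first matching rule decides, and the limit is new sessions per second per rule.

```python
import ipaddress
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, List

ANY = "*"  # explicit wildcard; an omitted parameter is stored the same way


@dataclass
class SessionRule:
    rule_id: int
    limit: int                  # assumed unit: new sessions per second matching this rule
    src: str = ANY              # IPv4/IPv6 address or network
    dst: str = ANY
    dport: str = ANY            # destination port
    proto: str = ANY            # tcp / udp / ...
    attempts: int = 0           # sessions that matched (stats column "Attempts")
    drops: int = 0              # sessions refused over the limit (stats column "Drops")
    _window: Deque[float] = field(default_factory=deque, repr=False)

    @staticmethod
    def _net_match(pattern: str, addr: str) -> bool:
        if pattern == ANY:
            return True
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)

    def matches(self, src: str, dst: str, dport: int, proto: str) -> bool:
        return (self._net_match(self.src, src)
                and self._net_match(self.dst, dst)
                and (self.dport == ANY or int(self.dport) == int(dport))
                and (self.proto == ANY or self.proto.lower() == proto.lower()))

    def admit(self, now: float) -> bool:
        """Count a matching attempt; refuse it once `limit` sessions were admitted in the last second."""
        self.attempts += 1
        while self._window and now - self._window[0] >= 1.0:
            self._window.popleft()
        if len(self._window) >= self.limit:
            self.drops += 1
            return False
        self._window.append(now)
        return True


def parse_rule(rule_id: int, spec: str, limit: int) -> SessionRule:
    """spec like 'src=1.1.1.0/24 dst=2.2.2.2/32 dport=443 proto=tcp' (assumed syntax);
    a key that is left out, or given as *, matches every value."""
    kv = dict(token.split("=", 1) for token in spec.split())
    unknown = set(kv) - {"src", "dst", "dport", "proto"}
    if unknown:
        raise ValueError(f"unknown parameter(s): {sorted(unknown)}")
    return SessionRule(rule_id, limit, **kv)


class SessionControl:
    def __init__(self, rules: List[SessionRule]):
        self.rules = rules  # assumption: the first matching rule decides

    def new_session(self, src: str, dst: str, dport: int, proto: str, now: float) -> bool:
        for rule in self.rules:
            if rule.matches(src, dst, dport, proto):
                return rule.admit(now)
        return True  # no rule matched: the session is not rate limited

    def stats(self):
        """Rows in the column order of the 'asg_session_control stats' table."""
        return [(r.rule_id, r.src, r.dst, r.dport, r.proto, r.limit, r.drops, r.attempts)
                for r in self.rules]


if __name__ == "__main__":
    sc = SessionControl([parse_rule(1, "src=1.1.1.0/24 dst=2.2.2.2/32", 3)])
    for i in range(5):
        sc.new_session("1.1.1.7", "2.2.2.2", 80, "tcp", now=100.0 + i * 0.1)
    print(sc.stats())
```

    Running the block shows the rule from the stats output on this page admitting three sessions in one second and dropping the next two; a session from an address outside 1.1.1.0/24 is never counted against it.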
  • Page 185: Showing Session Control Statistics

    Rule ID Source Destination DPort PR Limit Drops Attempts
    ------- ------------------ ------------------ ----- --- ----- ------------- -------------
    1.1.1.0/24 2.2.2.2/32
    1_02:
    Rule ID Source Destination DPort PR Limit Drops Attempts
    ------- ------------------ ------------------ ----- --- ----- ------------- -------------
    1.1.1.0/24 2.2.2.2/32
  • Page 186: Applying Session Control Rules

    2.2.2.2/32
    Disabling Session Control
    Description: The asg_session_control disable command disables the configured session control rules.
    Syntax: asg_session_control disable
    Example:
    -*- 2 blades: 1_01 1_02 -*-
    Resetting session rate entries
    Session rate entries configured successfully
  • Page 187: Installing And Uninstalling A Hotfix

    Best Practice - Before you install or uninstall a hotfix, take a Gaia Snapshot on each Maestro Hyperscale Orchestrator, either in Gaia Portal or in Gaia Clish. For instructions, see the R80.20SP Maestro Gaia Administration Guide > Chapter Maintenance > Section Snapshot Management.
  • Page 188: Installing A Hotfix Package

    4. Connect to the command line on each Maestro Hyperscale Orchestrator and log in to Gaia Clish.
    5. Import the applicable CPUSE Software Packages.
    6. Verify the applicable CPUSE Software Packages.
    7. Install the applicable CPUSE Software Packages.
  • Page 189: Uninstalling A Hotfix Package

    2. Select and delete the applicable CPUSE Software Packages.
    To delete CPUSE packages in Gaia Clish
    1. Connect to the command line on each Maestro Hyperscale Orchestrator and log in to Gaia Clish.
    2. Delete the applicable CPUSE Software Packages.
  • Page 190: Installing And Uninstalling A Hotfix On Maestro Security Appliances

    Follow these steps if Security Appliances are not connected to the Internet or cannot reach Check Point Cloud.
    Step 1. Make sure you have the applicable CPUSE Offline package (TGZ file) / exported package (TAR file).
  • Page 191
    > Install the Hotfix on the Security Appliances in the Logical Group A
    Note - You are still connected to the command line on the Security Group.
    Go to the Expert mode.
  • Page 192
    Note - You are still connected to the command line on the Security Group.
    Go to the Expert mode.
    Set Security Appliances in the Logical Group B to the "down" state: # g_clusterXL_admin -b <SGM_IDs in GroupB> down
    Example: # g_clusterXL_admin -b 1_5-1_8 down
  • Page 193
    Do you want to continue? ([y]es / [n]o) y
    >
    Go to the Expert mode.
    Monitor the system until the Security Appliances in the Logical Group A are UP and enforce security again: # asg monitor
  • Page 194: Uninstalling A Hotfix Package

    Connect to that Security Appliance over a serial console.
    2. You uninstall the hotfix on the Security Appliances in the Logical Group B through a Security Appliance in the Logical Group B. Connect to that Security Appliance over a serial console.
  • Page 195
    Monitor the system until the Security Appliances in the Logical Group A are UP and enforce security again: # asg monitor
    Uninstall the Hotfix from the Security Appliances in the Logical Group B
    Go to the Expert mode.
  • Page 196
    Do you want to continue? ([y]es / [n]o) y
    >
    Go to the Expert mode.
    Monitor the system until the Security Appliances in the Logical Group A are UP and enforce security again: # asg monitor
  • Page 197: Troubleshooting

    The asg_info command in Gaia gClish or the Expert mode executes the applicable commands with this granularity:
    Source: Security Appliances. Granularity: All Security Appliances; Single Security Appliance; Specified Security Appliances
    Source: Virtual Systems. Granularity: For each Virtual System; VS0 only; Specified Virtual Systems
  • Page 198
    A range of Security Appliances (for example, 1_1-1_4)
    One Chassis (chassis1, or chassis2)
    The active Chassis (chassis_active)
    Default - Runs on all Security Appliances that are in the UP state.
  • Page 199
    Collects information about core dump files.
    Collects comprehensive log files and command outputs.
    Collects the cpinfo output.
    -m | --cmm - Not supported.
    Collects major log files and command outputs.
    --user_conf - Adds the specified XML configuration file.
  • Page 200
    The user can define files and commands based on the same standard as appears in the defined default file.
    Note - You can run the asg_info command either with the default file, or with the user-defined file. Not both files.
    Example of a user-defined XML configuration file:
  • Page 201
    <configurations>
      <collect_file_list>
        <upgrade_wizard>
          <collect_mode>-f</collect_mode>
          <path>/var/log/upgrade_wizard.log*</path>
          <per_vs>0</per_vs>
          <per_sgm>1</per_sgm>
          <delete_after_collect>0</delete_after_collect>
        </upgrade_wizard>
        <active_cmm_debug>
          <collect_mode>-m</collect_mode>
          <path>/var/log/active_cmm_debug.log</path>
          <per_vs>0</per_vs>
          <per_sgm>1</per_sgm>
          <delete_after_collect>1</delete_after_collect>
        </active_cmm_debug>
      </collect_file_list>
      <cmd_list>
        <asg_if>
          <mode>-f</mode>
          <pre_command>g_all</pre_command>
          <command>asg if</command>
          <ipv6>0</ipv6>
          <esx>1</esx>
          <per_chassis>0</per_chassis>
          <per_vs>1</per_vs>
          <per_sgm>0</per_sgm>
          <vsx_only>0</vsx_only>
          <dest_file_name>asg_info</dest_file_name>
        </asg_if>
      </cmd_list>
    </configurations>
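    asg_info runs every <command> in the user-defined file on every selected Security Appliance with the privileges of the Expert shell, and <delete_after_collect>1</delete_after_collect> removes the very file being collected, so a tampered or careless --user_conf file is both a command-execution path and a way to destroy evidence. The following is an added example, not code from the guide or from asg_info: a validator for the configuration format above, using the page's own file as its sample input. The required fields are taken from that sample; the accepted log directories, the refusal of shell metacharacters in commands, and the -m warning (the page lists -m | --cmm as not supported) are checks assumed for the example.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

# The user-defined configuration shown on page 201, embedded as sample input.
USER_CONF = """<configurations>
  <collect_file_list>
    <upgrade_wizard>
      <collect_mode>-f</collect_mode>
      <path>/var/log/upgrade_wizard.log*</path>
      <per_vs>0</per_vs>
      <per_sgm>1</per_sgm>
      <delete_after_collect>0</delete_after_collect>
    </upgrade_wizard>
    <active_cmm_debug>
      <collect_mode>-m</collect_mode>
      <path>/var/log/active_cmm_debug.log</path>
      <per_vs>0</per_vs>
      <per_sgm>1</per_sgm>
      <delete_after_collect>1</delete_after_collect>
    </active_cmm_debug>
  </collect_file_list>
  <cmd_list>
    <asg_if>
      <mode>-f</mode>
      <pre_command>g_all</pre_command>
      <command>asg if</command>
      <ipv6>0</ipv6>
      <esx>1</esx>
      <per_chassis>0</per_chassis>
      <per_vs>1</per_vs>
      <per_sgm>0</per_sgm>
      <vsx_only>0</vsx_only>
      <dest_file_name>asg_info</dest_file_name>
    </asg_if>
  </cmd_list>
</configurations>
"""

FILE_FIELDS: Set[str] = {"collect_mode", "path", "per_vs", "per_sgm", "delete_after_collect"}
CMD_FIELDS: Set[str] = {"mode", "pre_command", "command", "ipv6", "esx", "per_chassis",
                        "per_vs", "per_sgm", "vsx_only", "dest_file_name"}
FLAG_FIELDS: Set[str] = {"per_vs", "per_sgm", "delete_after_collect", "ipv6", "esx", "per_chassis", "vsx_only"}
# Assumption for the example: collection is only expected to read from these log trees.
ALLOWED_LOG_ROOTS = ("/var/log/", "/opt/CPsuite-R80.20/fw1/log/")
SHELL_META = set(";|&`$><")


def _check_entry(entry: ET.Element, required: Set[str], problems: List[str]) -> Dict[str, str]:
    """Collect an entry's child values; report missing fields and non-boolean flags."""
    values = {child.tag: (child.text or "").strip() for child in entry}
    for missing in sorted(required - set(values)):
        problems.append(f"{entry.tag}: missing <{missing}>")
    for tag in sorted(set(values) & FLAG_FIELDS):
        if values[tag] not in ("0", "1"):
            problems.append(f"{entry.tag}: <{tag}> must be 0 or 1, got {values[tag]!r}")
    return values


def validate_user_conf(xml_text: str) -> List[str]:
    """Return a list of problems; an empty list means the file is safe to pass to --user_conf."""
    problems: List[str] = []
    root = ET.fromstring(xml_text)
    if root.tag != "configurations":
        return [f"root element must be <configurations>, got <{root.tag}>"]
    for entry in root.findall("./collect_file_list/*"):
        f = _check_entry(entry, FILE_FIELDS, problems)
        if f.get("collect_mode") == "-m":
            problems.append(f"{entry.tag}: collect_mode -m (--cmm) is not supported on Maestro")
        path = f.get("path", "")
        if path and not path.startswith(ALLOWED_LOG_ROOTS):
            problems.append(f"{entry.tag}: path {path!r} is outside the expected log directories")
        if f.get("delete_after_collect") == "1":
            problems.append(f"{entry.tag}: delete_after_collect=1 removes the original file after collection")
    for entry in root.findall("./cmd_list/*"):
        c = _check_entry(entry, CMD_FIELDS, problems)
        for tag in ("pre_command", "command"):
            if SHELL_META & set(c.get(tag, "")):
                problems.append(f"{entry.tag}: <{tag}> contains shell metacharacters: {c[tag]!r}")
    return problems


if __name__ == "__main__":
    for problem in validate_user_conf(USER_CONF):
        print(problem)
```

    Run against the page's own file, the validator reports only the active_cmm_debug entry: its -m mode and its delete_after_collect=1. Store the reviewed file with restrictive permissions, since whoever can edit it chooses what asg_info executes.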
  • Page 202: General Diagnostic In Security Groups

    For information about the Correction Layer and traffic flow, use the g_tcpdump command in the Expert mode; see "Multi-blade Traffic Capture (tcpdump -mcap, tcpdump -view)" on page 93
    For information about the VPN, examine the Security Gateway logs on the Management Server or Log Server
  • Page 203
    Expert mode: asg_bond -v; see "Showing Bond Interfaces (asg_bond)" on page 76
    For information about the Bridge interfaces, run this command in Gaia gClish or the Expert mode: asg_br_verifier; see "Layer 2 Bridge Verifier (asg_br_verifier, asg_brs_verifier)" on page 207
  • Page 204
    /proc/net/bonds/<Name of Bond Interface>
    For information about the Port Link, run this command in the Expert mode: ethtool ethsBP<X>-<XX>
    For information about the interface statistics, run this command in the Expert mode: ethtool -S ethsBP<X>-<XX>
  • Page 205: Configuration Verifiers

    Verifying FW1 mac magic value on all SGMs... Success
    --------------------------------------------------------------------------------
    Verifying IPV4 and IPV6 kernel values... Success
    --------------------------------------------------------------------------------
    Verifying FW1 mac magic value in /etc/smodb.json... Success
    --------------------------------------------------------------------------------
    Verifying MAC address on local chassis (Chassis 1)... Success
    --------------------------------------------------------------------------------
  • Page 206
    00:1c:7f:81:05:a0
    -*- 2 blades: 1_01 1_02 -*-
    eth1-06 00:1c:7f:81:06:a0
    -*- 2 blades: 1_01 1_02 -*-
    eth1-07 00:1c:7f:81:07:a0
    ... output was truncated for brevity ...
    -*- 2 blades: 1_01 1_02 -*-
    eth2-64 00:1c:7f:82:40:a0
    Success
    --------------------------------------------------------------------------------
  • Page 207: Layer 2 Bridge Verifier (Asg_Br_Verifier, Asg_Brs_Verifier)

    Shows verbose unformatted output. The -d and -v options are mutually exclusive.
    Also shows the table summary.
    Also shows the table entries (formatted output).
    Shows verbose formatted output. The -v and -d options are mutually exclusive.
  • Page 208
    Interface="eth2-07"
    address="00:7E:60:77:08:81" Interface="eth1-07"
    address="00:80:EA:55:08:81" Interface="eth1-07"
    address="00:8D:86:52:08:81" Interface="eth2-07"
    address="00:9E:8C:7F:08:81" Interface="eth1-07"
    address="00:E5:DB:78:08:81" Interface="eth2-07"
    address="00:E5:F7:78:08:81" Interface="eth2-07"
    -*- 1 blade: 1_02 -*-
    fdb_shadow table is empty
    Status: Table entries in fdb_shadow table is different between SGMs
    ================================================================================
    [Expert@MyChassis-ch01-01:0]#
  • Page 209
    > asg vsx_verify [{-a | -c | -v}]
    Parameters:
    Includes Security Appliances in the Administrative DOWN state
    Compares: Database configuration between Security Appliances
    Operating system and database configuration on each Security Appliance
  • Page 210
    +----+-----+-----------+---------------+----------------+---------+--------+
    Comparing Routes DB & OS. This procedure may take some time...
    Press 'y' to skip this procedure...
    Comparing..
    +--------------------------------------------------------------------------+
    |Summary
    +--------------------------------------------------------------------------+
    |VSX Configuration Verification completed successfully
    +--------------------------------------------------------------------------+
    All logs collected to /var/log/vsx_verify.1360846320.log
    >
  • Page 211
    |1. [1_02:1] eth1-06 operating system address doesn't match
    |2. [1_02:1] eth1-06 DB address doesn't match
    |3. [1_01:1] Found inconsistency between addresses in operating system, DB and NCS of eth1-06
    +--------------------------------------------------------------------------+
    All logs collected to /var/log/vsx_verify.1360886320.log
    >
  • Page 212: Log And Configuration Files

    configuration: $FWDIR/log/blade_config.*
    Additional cluster information: $FWDIR/log/cpha_policy.log.*
    Security Group installation: /var/log/start_mbs.log
    Distribution: /var/log/dist_mode.log*
    General log file: /var/log/messages*
    Gaia Alerts: /var/log/send_alert.*
    Gaia OS installation: /var/log/anaconda.log
    Gaia First Time Configuration Wizard: /var/log/ftw_install.log
    Dynamic Routing: /var/log/routed.log
  • Page 213
    /etc/rsrcdb.json Applying Security Group configuration /var/log/ssm_sg.log.dbg Starting of the SDK /var/log/start_tor_ssm.log.dbg Configuring the SDK /var/log/messages LLDP updates /var/log/smartd.log.dbg Also, run the lldpctl command All logs that do not have a dedicated log file /var/log/junk.log.dbg
  • Page 214: Installing The Gaia Operating System On A Maestro Hyperscale Orchestrator

    Wait for the Maestro Hyperscale Orchestrator to boot.
    With a web browser, connect to the Gaia Portal on the Maestro Hyperscale Orchestrator: https://<IP Address of MGMT Port>
    Run the Gaia First Time Configuration Wizard.
  • Page 215
    Select the option
    Wait for the Maestro Hyperscale Orchestrator to boot.
    With a web browser, connect to the Gaia Portal on the Maestro Hyperscale Orchestrator: https://<IP Address of MGMT Port>
    Run the Gaia First Time Configuration Wizard.
  • Page 216: Rma Of A Maestro Hyperscale Orchestrator

    On MHO-140:
    > set maestro port 1/48/1 admin-state down
    > show maestro port 1/48/1 admin-state
    > show maestro port 1/48/1 type
    On MHO-170:
    > show maestro port 1/32/1 type
    Example output from MHO-170: Port 1/32/1 type is ssm_sync
  • Page 217
    Gaia Clish:
    > set maestro port 1/48/1 admin-state up
    > show maestro port 1/48/1 admin-state
    On the new Maestro Hyperscale Orchestrator, start the orchd service. In the Expert mode, run this command: # orchd start
  • Page 218: Configuring High Availability

    <sgm_factor> - Weight factor for an SGM (Security Appliance). Valid range: Integer between 0 and 1000
    <port_other_factor> - High grade port factor. Valid range: Integer between 0 and 1000
    <port_standard_factor> - Standard grade port factor. Valid range: Integer between 0 and 1000
  • Page 219
    Bond interface factor. Valid range: Integer between 0 and 1000
    Examples:
    > set chassis high-availability factors sgm 100
    > set chassis high-availability factors port other 70
    > set chassis high-availability factors port standard 50
  • Page 220: Setting The Quality Grade Differential

    Syntax in Gaia gClish of Security Group: > set chassis high-availability failover <trigger>
    Parameters: <trigger> - Minimum difference in Chassis quality grade to trigger failover. Valid values: 1 - 1000
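    The factors on the previous pages and the differential above only make sense together: the weights decide how much grade each lost SGM or port costs, and the differential decides how much worse the Active chassis must be than the Standby before a failover happens. The following is an added example, not the guide's or Check Point's implementation, that models that interaction. Assumptions made for the example: grade = sum of factor times units up and maximum grade = sum of factor times units present (the pair that asg monitor prints as Grade 29 / 40), failover when the Standby grade exceeds the Active grade by at least the differential, both ranges enforced as the page states them. The sgm, port other and port standard weights are the page's examples; the bond weight and the chassis inventory are constructed.

```python
from typing import Dict, Tuple

VALID_FACTOR = range(0, 1001)   # "Valid range: Integer between 0 and 1000"
VALID_TRIGGER = range(1, 1001)  # "Valid values: 1 - 1000"

# Weights from the page's set chassis high-availability factors examples; bond is assumed.
EXAMPLE_FACTORS: Dict[str, int] = {"sgm": 100, "port_other": 70, "port_standard": 50, "bond": 30}

# Constructed inventory: component -> (units up, units present). One of four SGMs is down.
ACTIVE_INVENTORY: Dict[str, Tuple[int, int]] = {
    "sgm": (3, 4), "port_other": (2, 2), "port_standard": (4, 4), "bond": (1, 1),
}


def set_factor(factors: Dict[str, int], name: str, value: int) -> None:
    """Mirror 'set chassis high-availability factors <name> <value>' with its range check."""
    if name not in factors:
        raise KeyError(f"unknown factor {name!r}; expected one of {sorted(factors)}")
    if value not in VALID_FACTOR:
        raise ValueError(f"{name} factor {value} is outside 0-1000")
    factors[name] = value


def chassis_grade(factors: Dict[str, int], inventory: Dict[str, Tuple[int, int]]) -> Tuple[int, int]:
    """Assumed model: (grade, max_grade) = (sum of weight * up, sum of weight * present)."""
    grade = max_grade = 0
    for component, (up, total) in inventory.items():
        if not 0 <= up <= total:
            raise ValueError(f"{component}: {up} up of {total} present is impossible")
        grade += factors[component] * up
        max_grade += factors[component] * total
    return grade, max_grade


def should_fail_over(active_grade: int, standby_grade: int, trigger: int) -> bool:
    """Fail over when Standby is better than Active by at least the configured differential."""
    if trigger not in VALID_TRIGGER:
        raise ValueError(f"failover trigger {trigger} is outside 1-1000")
    return standby_grade - active_grade >= trigger


def sgm_losses_to_fail_over(factors: Dict[str, int], inventory: Dict[str, Tuple[int, int]], trigger: int) -> int:
    """Number of SGMs the Active chassis must lose (everything else healthy, Standby fully up)
    before the differential is reached. Returns one more than the SGM count if it never is."""
    full = {component: (total, total) for component, (_, total) in inventory.items()}
    standby_grade, _ = chassis_grade(factors, full)
    sgm_total = inventory["sgm"][1]
    for lost in range(sgm_total + 1):
        degraded = dict(full)
        degraded["sgm"] = (sgm_total - lost, sgm_total)
        active_grade, _ = chassis_grade(factors, degraded)
        if should_fail_over(active_grade, standby_grade, trigger):
            return lost
    return sgm_total + 1


if __name__ == "__main__":
    grade, max_grade = chassis_grade(EXAMPLE_FACTORS, ACTIVE_INVENTORY)
    print(f"Active Grade {grade} / {max_grade}")
    for trigger in (50, 150, 500):
        print(f"trigger {trigger}: failover after losing {sgm_losses_to_fail_over(EXAMPLE_FACTORS, ACTIVE_INVENTORY, trigger)} SGM(s)")
```

    With these weights a single lost SGM costs 100 grade points, so a differential of 50 fails over on the first SGM loss while 150 waits for the second; a differential larger than the total SGM contribution is never reached by SGM failures alone. Use the model to check a planned setting against the asg monitor grade before changing it in production.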
  • Page 221: Ip And Url Block Feature

    Security Gateway based on the list in the feed. The blocking mechanism is enforced by an Access Control rule with a Dynamic Object. Check Point's Security Intelligence maintains and periodically updates a list of IP addresses known as TOR Exit Nodes: https://secureupdates.checkpoint.com/IP-list/TOR.txt...
  • Page 222: Cli

    -s SET_DYN_OBJ | --set-dynamic-object SET_DYN_OBJ - Specifies the Dynamic Object name in the configuration. For example, MyDynObj.
    --show-dynamic-object-name - Shows the configured Dynamic Object name.
    --run - Updates the IP addresses in the configuration.
    --force - Forces the update.
  • Page 223: Procedure

    Dynamic Object | Drop | None
    Connect to the command line on the Security Group.
    Log in to the Expert mode.
    Configure the Dynamic Object name as configured in SmartConsole: ip_block --set-dynamic-object <Name of Dynamic Object>
  • Page 224
    Example output:
    Task: "ip_block"
    Command: /bin/ip_block
    Arguments: -r
    Interval: 600
    Active: true
    RunAtStart: false
    In SmartConsole, install the Access Control Policy on the Security Group object.
    Examine the log on the Security Group: /var/log/ip_block.elg
  • Page 225: Url Block Feature

    -p <URL> | --path <URL> - Specifies the URL of your web server that hosts the file with the list of malicious URLs. Example: http://192.168.20.30/
    Note - This URL must end with the slash and must not contain the name of the file.
    --del-url - Deletes the URL feed from the configuration.
  • Page 226: Procedure

    Place this file on your web server.
    Connect with SmartConsole to the Management Server.
    Create a new custom Application object: From the right panel, click Objects > New > More > Custom Application/Site > Application/Site
  • Page 227
    Note - This can be a file on your own web server.
    Start the periodic run at the specified intervals: url_block -i <INTERVAL>
    Examine the configuration: url_block -l
    Example output:
    Refresh time interval: 300
    MyUrls
    Path: http://192.168.20.30/
    Zip: false
    Regex: false
  • Page 228
    In SmartConsole, install the Access Control Policy on the Security Group object.
    Examine the log on the Security Group: /var/log/rul_block.elg
