This post collects some advanced troubleshooting commands I use in my daily work. Some of them are not specific to Check Point Gaia; they apply to the SPLAT and IPSO platforms as well.
1. fw ctl chain
Shows the Check Point Security Gateway packet inspection chain, i.e. which kernel modules inspect a packet and in what order. For more details, see the post "How Firewalls (Security Gateways) Handle the Packets?". Sample output:
in chain (18):
0: -7f800000 (f28854f0) (ffffffff) IP Options Strip (in) (ipopt_strip)
1: -7d000000 (f1796f10) (00000003) vpn multik forward in
2: - 2000000 (f177cb70) (00000003) vpn decrypt (vpn)
3: - 1fffff8 (f1787c00) (00000001) l2tp inbound (l2tp)
4: - 1fffff6 (f2886ca0) (00000001) Stateless verifications (in) (asm)
5: - 1fffff5 (f28bce30) (00000001) fw multik misc proto forwarding
6: - 1fffff2 (f17a4df0) (00000003) vpn tagging inbound (tagging)
7: - 1fffff0 (f177a150) (00000003) vpn decrypt verify (vpn_ver)
8: - 1000000 (f29049c0) (00000003) SecureXL conn sync (secxl_sync)
9: 0 (f282f810) (00000001) fw VM inbound (fw)
10: 1 (f28a6b30) (00000002) wire VM inbound (wire_vm)
11: 2000000 (f177b5e0) (00000003) vpn policy inbound (vpn_pol)
12: 10000000 (f2902cb0) (00000003) SecureXL inbound (secxl)
13: 7f600000 (f287ab70) (00000001) fw SCV inbound (scv)
14: 7f730000 (f2a13500) (00000001) passive streaming (in) (pass_str)
15: 7f750000 (f2c0bef0) (00000001) TCP streaming (in) (cpas)
16: 7f800000 (f2885890) (ffffffff) IP Options Restore (in) (ipopt_res)
17: 7fb00000 (f2fac050) (00000001) HA Forwarding (ha_for)
out chain (15):
0: -7f800000 (f28854f0) (ffffffff) IP Options Strip (out) (ipopt_strip)
1: -78000000 (f1796ef0) (00000003) vpn multik forward out
2: - 1ffffff (f1779a10) (00000003) vpn nat outbound (vpn_nat)
3: - 1fffff0 (f2c0bd70) (00000001) TCP streaming (out) (cpas)
4: - 1ffff50 (f2a13500) (00000001) passive streaming (out) (pass_str)
5: - 1ff0000 (f17a4df0) (00000003) vpn tagging outbound (tagging)
6: - 1f00000 (f2886ca0) (00000001) Stateless verifications (out) (asm)
7: 0 (f282f810) (00000001) fw VM outbound (fw)
8: 1 (f28a6b30) (00000002) wire VM outbound (wire_vm)
9: 2000000 (f1779c30) (00000003) vpn policy outbound (vpn_pol)
10: 10000000 (f2902cb0) (00000003) SecureXL outbound (secxl)
11: 1ffffff0 (f17887b0) (00000001) l2tp outbound (l2tp)
12: 20000000 (f177d5b0) (00000003) vpn encrypt (vpn)
13: 7f700000 (f2c0e340) (00000001) TCP streaming post VM (cpas)
14: 7f800000 (f2885890) (ffffffff) IP Options Restore (out) (ipopt_res)
2. Manual Proxy ARP
a. Use the Gaia Portal: Network Management -> ARP -> Proxy ARP
b. Use the command line (in Gaia clish):
add arp proxy ipv4-address 172.16.0.8 interface eth0 real-ipv4-address 172.16.0.22
c. Use the command line (in expert mode): append the entry directly to $FWDIR/conf/local.arp (/opt/CPsuite-R76/fw1/conf/local.arp on R76):
echo "172.16.0.8 00:0c:29:f1:b7:74 172.16.0.22" >> $FWDIR/conf/local.arp
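A malformed local.arp entry does not produce an error; the gateway simply never answers ARP for that address. As an added example (not code from the original post or from Check Point), the following Python checker reads entries in the three-field form shown above (proxied IP, MAC, real IP; it also accepts a two-field "IP MAC" entry, which is an assumption rather than something the post states) and flags the mistakes that quietly break proxy ARP: malformed addresses, a MAC with the group bit set (multicast or broadcast, which a proxy ARP reply must never carry), an address proxied twice, and an entry proxying a host's own address. The sample lines are constructed; the first one is the post's own entry.

```python
"""Sanity-check $FWDIR/conf/local.arp entries before they go live.

Added example, not code from the original post or from Check Point. Entry
format assumed from the post: "<proxied-ip> <mac> <real-ip>"; a two-field
"<ip> <mac>" entry is also accepted (an assumption, not stated in the post).
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample lines; the first one is the post's own entry.
SAMPLE_LOCAL_ARP = [
    "172.16.0.8 00:0c:29:f1:b7:74 172.16.0.22",
    "172.16.0.9 00:0c:29:f1:b7:74 172.16.0.23",
    "172.16.0.9 00:0c:29:f1:b7:74 172.16.0.24",   # 172.16.0.9 proxied twice
    "172.16.0.10 ff:ff:ff:ff:ff:ff 172.16.0.25",  # broadcast MAC
    "172.16.0.300 00:0c:29:f1:b7:74 172.16.0.26", # not an IPv4 address
    "172.16.0.11 00:0c:29:f1:b7:74 172.16.0.11",  # proxied == real address
]

MAC_RE = re.compile(r"^[0-9a-fA-F]{2}(:[0-9a-fA-F]{2}){5}$")


def parse_local_arp_line(line: str) -> Tuple[str, str, Optional[str]]:
    """Split one entry into (proxied_ip, mac, real_ip_or_None)."""
    fields = line.split()
    if len(fields) not in (2, 3):
        raise ValueError(f"expected '<proxied-ip> <mac> [<real-ip>]', got {line!r}")
    real = fields[2] if len(fields) == 3 else None
    return fields[0], fields[1], real


def _valid_ipv4(value: str) -> bool:
    try:
        ipaddress.IPv4Address(value)
        return True
    except ipaddress.AddressValueError:
        return False


def check_local_arp(lines: List[str]) -> List[str]:
    """Return 'line N: problem' strings; an empty list means the file looks sane."""
    problems: List[str] = []
    seen: Dict[str, int] = {}  # proxied address -> first line it appeared on
    for lineno, raw in enumerate(lines, start=1):
        line = raw.strip()
        if not line:
            continue
        try:
            proxied, mac, real = parse_local_arp_line(line)
        except ValueError as exc:
            problems.append(f"line {lineno}: {exc}")
            continue
        for label, addr in (("proxied", proxied), ("real", real)):
            if addr is not None and not _valid_ipv4(addr):
                problems.append(f"line {lineno}: {label} address {addr!r} is not a valid IPv4 address")
        if not MAC_RE.match(mac):
            problems.append(f"line {lineno}: {mac!r} is not a MAC address in aa:bb:cc:dd:ee:ff form")
        elif int(mac[:2], 16) & 1:
            # Group bit set: multicast or broadcast. The gateway answers ARP with
            # its own interface MAC, which is always unicast.
            problems.append(f"line {lineno}: MAC {mac} is a multicast/broadcast address, not a unicast interface MAC")
        if real is not None and proxied == real:
            problems.append(f"line {lineno}: proxied address {proxied} equals the real address; nothing is being proxied")
        if proxied in seen:
            problems.append(f"line {lineno}: proxied address {proxied} already defined on line {seen[proxied]}")
        else:
            seen[proxied] = lineno
    return problems


if __name__ == "__main__":
    for problem in check_local_arp(SAMPLE_LOCAL_ARP):
        print(problem)
```

Run it against the real file with `check_local_arp(open(path).read().splitlines())` before installing policy; the duplicate check matters most when several administrators append to the file with `echo >>` as shown above.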
3. fw ctl zdebug drop
Lists all dropped packets in real time and gives the reason each packet was dropped.
4. TCPDUMP
tcpdump port 257 <-- on the firewall, shows whether logs are being sent from the firewall to the management server and which address they are going to (TCP 257 is the FW1_log service)
tcpdump -i WAN.15 <-- capture everything on this interface
tcpdump -i eth1.16 icmp <-- capture just pings (ICMP) on this interface
tcpdump -i Mgmt -vvv -s0 -w tcpdumpfile.log <-- capture full packets to a file for Wireshark; -s0 stops the captured packets from being truncated
tcpdump -i INT port 67 <-- view DHCP requests
5. fw monitor
fw monitor -e 'accept host(192.168.1.12);' <-- show packets with 192.168.1.12 as source or destination
fw monitor -e 'accept src=192.168.1.12 and dst=192.168.3.3;' <-- show all packets from 192.168.1.12 to 192.168.3.3
fw monitor -pi ipopt_strip -e 'accept udpport(53);' <-- show UDP port 53 (DNS) packets; -pi ipopt_strip sets the pre-in capture point to just before the ipopt_strip module
fw monitor -m O -e 'accept udp and (sport>1023 or dport>1023);' <-- show UDP traffic from or to unprivileged ports, post-out position only
fw monitor -e 'accept net(192.168.1.0,24) and tracert;' <-- show Windows traceroute (ICMP, TTL<30) from and to network 192.168.1.0/24
fw monitor -v 23 -e 'accept tcpport(80);' <-- capture web traffic for VSX virtual system ID 23
fw monitor -e 'accept ip_p=50 and ifid=0;' <-- show all ESP (IP protocol 50) packets on the interface with ID 0 (list interfaces and their IDs with fw ctl iflist)
srfw monitor -o output_file.cap <-- capture traffic on a SecuRemote/SecureClient client into a file; srfw.exe is in $SRDIR/bin (C:\Program Files\CheckPoint\SecuRemote\bin)
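The chain listing in section 1 and the fw monitor capture points in section 5 fit together: the short name in the trailing parentheses of each fw ctl chain entry (ipopt_strip, vpn, fw, ...) is the name fw monitor -pi/-po accept as a capture position, and the signed hex column is the order in which the modules run. The Python script below is an added example, not code from the original post or from Check Point: it parses a constructed, abridged copy of the listing above and answers which modules a packet has already passed (or still has to pass) when it reaches a given module, which is exactly what you need to know when choosing a capture point or reading a fw ctl zdebug drop reason.

```python
"""Parse `fw ctl chain` output and reason about inspection order.

Added example (not from the original post or from Check Point). The sample
below is a constructed, abridged copy of the listing shown earlier.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of the post's `fw ctl chain` listing. The
# counts in the headers are the full listing's; this copy is abridged.
SAMPLE_CHAIN = """\
in chain (18):
0: -7f800000 (f28854f0) (ffffffff) IP Options Strip (in) (ipopt_strip)
1: -7d000000 (f1796f10) (00000003) vpn multik forward in
2: - 2000000 (f177cb70) (00000003) vpn decrypt (vpn)
9: 0 (f282f810) (00000001) fw VM inbound (fw)
12: 10000000 (f2902cb0) (00000003) SecureXL inbound (secxl)
16: 7f800000 (f2885890) (ffffffff) IP Options Restore (in) (ipopt_res)
out chain (15):
0: -7f800000 (f28854f0) (ffffffff) IP Options Strip (out) (ipopt_strip)
7: 0 (f282f810) (00000001) fw VM outbound (fw)
12: 20000000 (f177d5b0) (00000003) vpn encrypt (vpn)
14: 7f800000 (f2885890) (ffffffff) IP Options Restore (out) (ipopt_res)
"""


@dataclass(frozen=True)
class ChainEntry:
    direction: str          # "in" or "out"
    index: int              # position number printed by fw ctl chain
    position: int           # signed offset from the hex column; lower runs first
    address: str            # kernel function address (hex, as printed)
    flags: str              # flags column (hex, as printed)
    description: str        # human-readable module description
    module: Optional[str]   # short name in trailing parentheses, if any


HEADER_RE = re.compile(r"^(in|out) chain \((\d+)\):$")
ENTRY_RE = re.compile(
    r"^(\d+):\s+(-?\s*[0-9a-fA-F]+)\s+"    # index and signed hex position ("- 2000000" has a space)
    r"\(([0-9a-fA-F]+)\)\s+"               # function address
    r"\(([0-9a-fA-F]+)\)\s+"               # flags
    r"(.+?)"                               # description, may itself contain "(in)"
    r"(?:\s+\(([A-Za-z0-9_]+)\))?$"        # optional short module name
)


def parse_chain(text: str) -> List[ChainEntry]:
    """Return every chain entry in the order fw ctl chain printed it."""
    entries: List[ChainEntry] = []
    direction: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = HEADER_RE.match(line)
        if header:
            direction = header.group(1)
            continue
        match = ENTRY_RE.match(line)
        if not match:
            raise ValueError(f"unrecognised fw ctl chain line: {line!r}")
        if direction is None:
            raise ValueError("chain entry appears before an 'in chain'/'out chain' header")
        idx, pos, addr, flags, desc, mod = match.groups()
        entries.append(ChainEntry(direction, int(idx), int(pos.replace(" ", ""), 16),
                                  addr, flags, desc, mod))
    return entries


def _ordered(entries: List[ChainEntry], direction: str) -> List[ChainEntry]:
    return sorted((e for e in entries if e.direction == direction), key=lambda e: e.position)


def is_ordered(entries: List[ChainEntry]) -> bool:
    """True if, within each direction, positions rise with the printed index."""
    for direction in ("in", "out"):
        chain = [e for e in entries if e.direction == direction]
        for a, b in zip(chain, chain[1:]):
            if not (a.index < b.index and a.position < b.position):
                return False
    return True


def _names(entries: List[ChainEntry], direction: str, module: str) -> List[Optional[str]]:
    names = [e.module for e in _ordered(entries, direction)]
    if module not in names:
        raise KeyError(f"{module!r} is not in the {direction} chain")
    return names


def modules_before(entries: List[ChainEntry], direction: str, module: str) -> List[str]:
    """Short names of the modules a packet has passed before reaching `module`."""
    names = _names(entries, direction, module)
    return [n for n in names[: names.index(module)] if n is not None]


def modules_after(entries: List[ChainEntry], direction: str, module: str) -> List[str]:
    """Short names of the modules a packet still has to pass after `module`."""
    names = _names(entries, direction, module)
    return [n for n in names[names.index(module) + 1:] if n is not None]


if __name__ == "__main__":
    chain = parse_chain(SAMPLE_CHAIN)
    for e in chain:
        print(f"{e.direction:>3} {e.index:>2} {e.position:>+10x} {e.description} [{e.module}]")
    print("already passed before fw VM (in):", modules_before(chain, "in", "fw"))
```

Feed it the real output with `parse_chain(subprocess.check_output(["fw", "ctl", "chain"], text=True))` on the gateway. `modules_before(chain, "in", "ipopt_strip")` returning an empty list is why the `-pi ipopt_strip` capture in section 5 is the earliest inbound point; `modules_before(chain, "in", "fw")` tells you that inbound VPN decryption has already happened by the time the firewall VM sees a packet, so a capture at `-pi fw` shows cleartext while one at `-pi vpn` shows the ESP packet.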
6. vpn tu
vpn tu (or vpn tunnelutil) opens the VPN tunnel utility menu:
********** Select Option **********
(1) List all IKE SAs
(2) List all IPsec SAs
(3) List all IKE SAs for a given peer (GW) or user (Client)
(4) List all IPsec SAs for a given peer (GW) or user (Client)
(5) Delete all IPsec SAs for a given peer (GW)
(6) Delete all IPsec SAs for a given User (Client)
(7) Delete all IPsec+IKE SAs for a given peer (GW)
(8) Delete all IPsec+IKE SAs for a given User (Client)
(9) Delete all IPsec SAs for ALL peers and users
(0) Delete all IPsec+IKE SAs for ALL peers and users
(Q) Quit