Check Point MAESTRO R80.20SP, Administration Manual

Page 1: ... Classification Protected 18 February 2020 CHECK POINT MAESTRO R80 20SP Administration Guide ...

Page 2: ...precaution has been taken in the preparation of this book Check Point assumes no responsibility for errors or omissions This publication and features described herein are subject to change without notice RESTRICTED RIGHTS LEGEND Use duplication or disclosure by the government is subject to restrictions as set forth in subparagraph c 1 ii of the Rights in Technical Data and Computer Software clause...

Page 3: ...on against new and evolving attacks Certifications For third party independent certification of Check Point products see the Check Point Certifications page Check Point Maestro R80 20SP For more about this release see the R80 20SP home page Latest Version of this Document Open the latest version of this document in a Web browser Download the latest version of this document in PDF format Feedback C...

Page 4: ...ated n Installing and Uninstalling a Hotfix on Maestro Security Appliances on page 190 l Added instructions for installation of CPUSE Online packages l Removed the section Deleting a Hotfix Package as not supported 06 August 2019 Updated n Installing and Uninstalling a Hotfix on Maestro Security Appliances on page 190 l Updated the Important Notes about dividing all Security Appliances in a specif...

Page 5: ...o Hyperscale Orchestrators on page 187 n Installing and Uninstalling a Hotfix on Maestro Security Appliances on page 190 n RMA of a Maestro Hyperscale Orchestrator on page 216 24 March 2019 Updated n Breakout Cables 17 March 2019 Updated n Connecting Two Maestro Hyperscale Orchestrators for Redundancy n Connecting Cables to MHO 170 n Connecting Cables to MHO 140 n Summary of Configuration Options ...

Page 6: ...rifying MAC Addresses 42 Verifying ARP Entries 42 Example Legacy Output 43 Security Group Concepts 44 Single Management Object and Policies 44 Single Management Object 44 Installing and Uninstalling Policies 45 Working with Policies asg policy 46 Security Appliance Policy Management 49 Synchronizing Policy and Configuration Between Security Appliances 50 Understanding the Configuration File List 5...

Page 7: ...8 IPS Cluster Failover Management 69 IPv6 Neighbor Discovery 70 Logging and Monitoring 71 CPView 71 Overview of CPView 71 Using CPView 71 CPView User Interface 72 Network Monitoring 73 Working with Interface Status asg if 73 Global View of All Interfaces show interfaces 75 Showing Bond Interfaces asg_bond 76 Viewing a Global List of All Bonds asg_bond 77 Viewing a Specific Bond Interface asg_bond ...

Page 8: ...ections asg_conns 123 Packet Drop Monitoring drop_monitor and asg_drop_monitor 125 The drop_monitor command 125 The asg_drop_monitor command 129 Hardware Monitoring and Control 131 Showing Hardware State asg stat 131 Monitoring System and Component Status asg monitor 135 Configuring Alert Thresholds set chassis alert_threshold 137 Monitoring System Resources asg resource 139 Configuring Alerts for...

Page 9: ..._util monitor 174 Working with SNMP 175 Monitoring Maestro Hyperscale Orchestrators over SNMP 175 Enabling SNMP Monitoring on Maestro Hyperscale Orchestrators 175 Supported SNMP OIDs for Maestro Hyperscale Orchestrators 176 Supported SNMP Trap OIDs for Maestro Hyperscale Orchestrators 176 Monitoring Security Groups over SNMP 178 Enabling SNMP Monitoring of Security Groups 178 Supported SNMP OIDs f...

Page 10: ...formation asg_info 197 General Diagnostic in Security Groups 202 Configuration Verifiers 205 MAC Verification mac_verifier 205 Layer 2 Bridge Verifier asg_br_verifier asg_brs_verifier 207 Verifying VSX Gateway Configuration asg vsx_verify 209 Log and Configuration Files 212 Installing the Gaia Operating System on a Maestro Hyperscale Orchestrator 214 RMA of a Maestro Hyperscale Orchestrator 216 Co...

Page 11: ...nts Appliance A physical computer manufactured and distributed by Check Point B Bond A virtual interface that contains enslaves two or more physical interfaces for redundancy and load sharing The physical interfaces share one IP address and one MAC address See Link Aggregation Bonding See Link Aggregation Breakout See Breakout Cable Breakout Cable An optical fiber cable that contains several jacke...

Page 12: ...s used to authenticate one identity to another Cluster Two or more Security Gateways that work together in a redundant configuration High Availability or Load Sharing Cluster Member A Security Gateway that is part of a cluster CoreXL A performance enhancing technology for Security Gateways on multi core processing platforms Multiple Check Point Firewall instances are running in parallel on multipl...

Page 13: ... and in most of the cases the SecureXL can be offloading decryption calculations However in some other cases such as with Route Based VPN it is done by FWK daemon CPUSE Check Point Upgrade Service Engine for Gaia Operating System With CPUSE you can automatically update Check Point products for the Gaia OS and the Gaia OS itself For details see sk92449 D DAC See DAC Cable DAC Cable Direct Attach Co...

Page 14: ... Security Management environment Acronym DMS Downlink See Downlink Ports Downlink Ports Interfaces on the Maestro Hyperscale Orchestrator used to connect to Check Point Security Appliances You use DAC cables Fiber cables with transceivers or Breakout cables to connect between the Downlink ports and Security Appliances The Check Point Management traffic policy logs synchronization and so on co exis...

Page 15: ...ngths of both SecurePlatform and IPSO operating systems Gaia Clish The name of the default command line shell in Check Point Gaia operating system This is a restrictive shell role based administration controls the number of commands available in the shell Gaia gClish The name of the command line shell in Check Point Gaia operating system for Security Appliances connected to Check Point Maestro Hyp...

Page 16: ...thenticated users IPv4 Internet Protocol Version 4 see RFC 791 A 32 bit number 4 sets of numbers each set can be from 0 255 For example 192 168 2 1 IPv6 Internet Protocol Version 6 see RFC 2460 and RFC 3513 128 bit number 8 sets of hexadecimal numbers each set can be from 0 ffff For example FEDC BA98 7654 3210 FEDC BA98 7654 3210 J Jumbo Hotfix Accumulator Collection of hotfixes combined into a si...

Page 17: ...nterface on Gaia computer through which users connect to Portal or CLI Interface on a Gaia Security Gateway or Cluster member through which Management Server connects to the Security Gateway or Cluster member Management Server A Check Point Security Management Server or a Multi Domain Server Multi Domain Log Server A computer that runs Check Point software to store and process logs in Multi Domain...

Page 18: ... Check Point Orchestrator See Maestro Hyperscale Orchestrator P Primary Multi Domain Server The Multi Domain Server in Management High Availability that you install as Primary R Rule A set of traffic parameters and other conditions in a Rule Base that cause specified actions to be taken for a communication session Rule Base Also Rulebase All rules configured in a given Security Policy S Secondary ...

Page 19: ...e Maestro Hyperscale Orchestrator determines the applicable Downlink ports automatically C Applicable management port to which the Check Point Management Server is connected Security Management Server A computer that runs Check Point software to manage the objects and policies in Check Point environment Security Policy A collection of rules that control network traffic and enforce organization gui...

Page 20: ...e A Check Point GUI application used to manage Security Policies monitor products and events install updates provision new devices and appliances and manage a multi domain environment and each domain SmartDashboard A legacy Check Point GUI client used to create and manage the security settings in R77 30 and lower versions SMO Single Management Object Single Security Gateway object in SmartConsole ...

Page 21: ...e Maestro Hyperscale Orchestrator used to connect to external and internal networks Gaia Operating System shows these interfaces in Gaia Portal and in Gaia Clish SmartConsole shows these interfaces in the corresponding SMO Security Gateway object Users Personnel authorized to use network resources and applications V VLAN Virtual Local Area Network Open servers or appliances connected to a virtual ...

Page 22: ...with virtual abstractions of Check Point Security Gateways and other network devices These Virtual Devices provide the same functionality as their physical counterparts VSX Gateway Physical server that hosts VSX virtual networks including all Virtual Devices that provide the functionality of physical network devices It holds at least one Virtual System which is called VS0 ...

Page 23: ...orks in the world by orchestrating multiple Check Point Security Appliances into a unified system The Maestro Hyperscale Orchestrator provides n Security of infinite scale n Redundancy Maestro Hyperscale Orchestrator automatically distributes traffic between the Security Appliances assigned to Security Groups n Ability to connect more Security Appliances and use their resources easily in the exist...

Page 24: ...es in a Security Group Working with Global Commands Background n Gaia gClish commands apply globally to all Security Appliances in the Security Group by default n Gaia gClish commands do not apply to Security Appliances that are DOWN in the Security Group If you run a set command while a Security Appliance is DOWN the command does not update that Security Appliance The Security Appliance synchroni...

Page 25: ...curity Appliance has a single lock n To set Gaia gClish operations for an Security Appliance the Security Appliance must hold the config lock n To set config lock run set config lock on override n Gaia gClish traffic runs on the Sync interface TCP port 1129 blade range n Runs commands on specified Security Appliances n Runs Gaia gClish embedded commands only on this subset of Security Appliances n...

Page 26: ...and args Commands install uninstall pstat iflist arp debug kdebug bench chain conn multik conntab fwghtab_bl_stats Example 2 Expert MyChassis ch01 01 0 gclish Global MyChassis ch01 01 fw ctl iflist 6 blades 1_01 1_02 1_03 2_01 2_02 2_03 0 BPEth0 1 BPEth1 2 eth1 Mgmt4 3 eth2 Mgmt4 4 eth1 01 5 eth1 CIN 6 eth2 CIN 8 eth2 01 16 Sync 17 eth1 Mgmt1 18 eth2 Mgmt1 fw dbgfile Description Use the fw dbgfile...

Page 27: ...module o agg_file_path Uses an aggregate debug file agg_file_path Full path of the aggregate debug file Below are some examples Example Collect debug information fw dbgfile collect f var log debug txt buf 8200 m fw conn m kiss pmdump Example Show the collected debug information fw dbgfile view var log debug txt Important For complete debug procedure see the R80 20SP Maestro Next Generation Securit...

Page 28: ...istration Guide 28 Syntax for IPv4 fwaccel help Syntax for IPv6 fwaccel6 help Parameters and Options For more information see the R80 20SP Maestro Performance Tuning Administration Guide Chapter SecureXL Section SecureXL Commands Subsection fwaccel and fwaccel6 ...

Page 29: ...commands you can use in Gaia gClish and how they are generally used Syntax global help Below are some examples Example output in Gateway mode Expert MyChassis ch01 01 0 gclish Global MyChassis ch01 01 global help Usage command_name b SGMs a l r native command arguments Executes the specified command on specified blades Optional Arguments b blades in one of the following formats 1_1 1_4 or 1_1 1_4 ...

Page 30: ...d5sum ethtool fwaccel_m mv update_conf_file unlock fwaccel6_m snapshot_recover snapshot_show_current asg Global MyChassis ch01 01 Updating Configuration Files update_conf_file Description Use the update_conf_file command in Gaia gClish or the g_update_conf_file command in the Expert mode to add update and remove variables from configuration files Important After you change the configuration files ...

Page 31: ...al MyChassis ch01 01 update_conf_file home admin MyConfFile txt var2 Global MyChassis ch01 01 Global MyChassis ch01 01 cat home admin MyConfFile txt 3 blades 2_01 2_02 2_03 var1 goodbye Global MyChassis ch01 01 Notes n This command works with configuration files in a specified format It is composed of lines where each line defines one variable variable value The FWDIR boot modules fwkern conf and ...

Page 32: ...anually add the applicable kernel parameters and their values in the FWDIR boot modules fwkern conf Use the g_update_conf_file command in the Expert mode See Updating Configuration Files update_conf_file on page 30 For more information see the R80 20SP Maestro Next Generation Security Gateway Guide Chapter Working with Kernel Parameters on Security Groups Copying Files Between Security Appliances ...

Page 33: ...ate time source_path Full path and name of the file to copy dest_path Full path of the destination If not specified the command copies the file to the relative source file location Example Expert MyChassis ch01 01 0 gclish Global MyChassis ch01 01 asg_cp2blades home admin note txt Operation completed successfully Global MyChassis ch01 01 Global MyChassis ch01 01 cat home admin note txt 3 blades 2_...

Page 34: ...n A range of Security Appliances for example 1_1 1_4 n One Chassis chassis1 or chassis2 n The active Chassis chassis_active Note With this option you can only select Security Appliances from one Chassis Viewing Information about Interfaces on Security Appliances show interface Description Use the show interface command in Gaia gClish to view information about the interfaces on the Security Applian...

Page 35: ... eth1 01 ipv4 address 1_01 ipv4 address 4 4 4 10 24 1_02 ipv4 address 4 4 4 10 24 1_03 ipv4 address 4 4 4 10 24 1_04 ipv4 address 4 4 4 10 24 1_05 Blade 1_05 is down See var log messages 2_01 ipv4 address 4 4 4 10 24 2_02 ipv4 address 4 4 4 10 24 2_03 ipv4 address 4 4 4 10 24 2_04 ipv4 address 4 4 4 10 24 2_05 ipv4 address 4 4 4 10 24 Global MyChassis ch01 01 ...

Page 36: ... h g_clusterXL_admin b SGM_IDs up down a r Parameters Parameter Description h Shows the built in help b SGM_IDs Applies to Security Appliances as specified by SGM_IDs SGM_IDs can be n No SGM_IDs specified or all Applies to all Security Appliances and Chassis n One Security Appliance for example 1_1 n A comma separated list of Security Appliances for example 1_1 1_4 n A range of Security Appliances...

Page 37: ...03 User John Doe Reason test Members outputs 1 blade 2_03 Setting member to normal operation Member current state is ACTIVE Expert MyChassis ch01 01 0 Notes n When the Security Appliance is in the Administrative DOWN state l Gaia gClish commands do not run on this Security Appliance l Traffic is not sent to this Security Appliance l The asg stat command shows this Security Appliance as DOWN admin ...

Page 38: ...rmat n Bond interfaces n VSX wrp interfaces n VLAN interfaces If there is no configured management interface the Unique MAC Identifier is assigned the default value 254 You can use the asg_unique_mac_utility command in Gaia gClish or the Expert mode to set n Data interface Unique MAC Identifier n Host name To set the Unique MAC Identifier manually Step Instructions 1 Run this command in Gaia gClis...

Page 39: ...umber replaces the Unique MAC Identifier default value of 254 New Host Name Unique MAC Identifier My_SG_asg22 22 After reboot all data interface MAC addresses have the new Unique MAC Identifier value 16 Example eth1 01 00 1C 7F XY ZW 16 Note The last octet for eth1 01 shown in bold is 16 hex 22 decimal n Apply Unique MAC from current Hostname Assign a new Unique MAC Identifier to the interfaces Th...

Page 40: ... Example Output for Verifying MAC Addresses 42 Verifying ARP Entries 42 Example Legacy Output 43 The asg_arp Command Description The asg_arp command in the Expert mode shows the ARP cache for the whole Security Group or for the specified Security Appliance interface MAC address and Host name You can show summary or verbose information Syntax asg_arp h asg_arp b SGM_IDs v verify i if m mac hostname...

Page 41: ...ws the ARP cache for the specified host name verify Runs MAC address verification on both Chassis and shows the results legacy Shows the ARP cache for each Security Appliance in the legacy format Example Default Output This example shows the ARP cash in the Default Mode Expert MyChassis ch01 01 0 asg_arp Address HWaddress Iface 172 23 19 4 54 7F EE 6A D0 BC eth1 Mgmt2 1_01 00 1C 7F 01 04 FE Sync 1...

Page 42: ...information from SGMs Verifying FW1 mac magic value on all SGMs Success Verifying IPV4 and IPV6 kernel values Success Verifying FW1 mac magic value in etc smodb json Success Verifying MAC address on local chassis Chassis 1 Success Expert MyChassis ch01 01 0 Verifying ARP Entries Use these commands to confirm that the Unique MAC value has changed For the Unique MAC database value run this command i...

Page 43: ...23134 errors 0 dropped 0 overruns 0 carrier 0 collisions 0 txqueuelen 0 RX bytes 15965660 15 2 MiB TX bytes 2003398 1 9 MiB Expert MyChassis ch01 01 0 Example Legacy Output This example shows ARP cache for each Security Appliance in the Legacy Mode output Expert MyChassis ch01 01 0 asg_arp legacy 1_01 Address HWtype HWaddress Flags Mask Iface ssm2 ether 04 02 03 04 05 40 C eth2 CIN ssm1 ether 02 0...

Page 44: ...y Gateway with one management IP address All management tasks are handled by one Security Appliance the SMO Master which updates all other Security Appliances All management tasks such as Security Gateway configuration policy installation remote connections and logging are handled by the SMO master The Active Security Appliance with the lowest ID number is automatically assigned to be the SMO Use ...

Page 45: ...Security Appliances must install their policies in a synchronized manner Note When creating a Security Group its Security Appliances enforce an initial policy which allows only the implied rules necessary for management Uninstalling a Policy Step Instructions 1 Connect over a serial port to the SMO in the Security Group 2 Log in to the Gaia gClish 3 Uninstall the policy asg policy unload Example a...

Page 46: ...Use the asg policy command in Gaia gClish or the Expert mode to perform policy related actions Syntax asg policy h asg policy verify verify_amw vs VS_IDs a v asg policy unload disable_pnotes a asg policy unload ip_forward Best Practice Run these commands over a serial connection to Security Appliances in the Security Group ...

Page 47: ...S_IDs can be n No VS_IDs specified default Applies to the context of the current Virtual System n One Virtual System n A comma separated list of Virtual Systems for example 1 2 4 5 n A range of Virtual Systems for example 3 5 n all Shows all Virtual Systems Note This parameter is only applicable in a VSX environment v Shows detailed verification results for Security Appliances in each Virtual Syst...

Page 48: ...stall Policy Expert MyChassis ch01 01 0 asg policy unload You are about to perform unload policy on blades all All SGMs will be in DOWN state beside local SGM It is recommended to run the procedure via serial connection Are you sure Y yes any other key no y Unload policy requires auditing Enter your full name John Doe Enter reason for unload policy Maintenance WARNING Unload policy on blades all U...

Page 49: ...ity Appliances in the UP state When the Security Appliance enters the UP state it automatically gets the installed policy and configurations that are installed from the SMO When there is only one Security Appliance in the UP state it is possible there is no SMO Then that Security Appliance uses its local policy and configuration If there are problems with the policy or configuration on the Securit...

Page 50: ...m a specified source Security Appliance to the target Security Appliance The target Security Appliance is the Security Appliance you use to run this command To synchronize Security Appliances manually Step Instructions 1 Run asg_blade_config pull_config 2 Reboot the target Security Appliance or run these two commands cpstart clusterXL_admin up Note You can run the asg stat i all_sync_ips command i...

Page 51: ...e bin false reboot bin true don t reboot 4 Optional A local path to copy the file to needed if different from the source global_context opt CPda bin policy xml bin true global_context etc upgrade_pkg 0 1 cp989000001 i386 rpm rpm U force nodeps etc upgrade_pkg 0 1 cp989000001 i386 rpm global_context etc sysconfig image md5 usr lib smo libclone tcl clone rsip xfer reboot global_context PPKDIR boot m...

Page 52: ...ion for BMAC Bit range Description 1 Distinguishes between VMAC and other MAC addresses This is used to prevent possible collisions with VMAC space Possible values are n 0 BMAC or SMAC n 1 VMAC 2 8 Security Appliance ID starting from 1 This is limited to 127 9 13 Always zero 14 Distinguishes between BMAC and SMAC addresses This is used to prevent possible collisions with SMAC space Possible values...

Page 53: ...nique for each Chassis It does not rely on the interface index number Bit convention for VMAC Bit range Description 1 Distinguishes between VMAC and other MAC addresses This is used to prevent possible collisions with VMAC space Possible values are n 0 BMAC or SMAC n 1 VMAC 2 3 Chassis ID Limited to 4 Chassis 4 8 Switch number Limited to 32 switches 9 16 Port number Limited to 256 for each switch ...

Page 54: ...range Description 1 Distinguishes between VMAC and other MAC addresses This is used to prevent possible collisions with VMAC space Possible values are n 0 BMAC or SMAC n 1 VMAC 2 8 Security Appliance ID starting from 1 This is limited to 127 9 13 Always zero 14 Distinguishes between BMAC and SMAC addresses This is used to prevent possible collisions with SMAC space Possible values n 0 BMAC n 1 SMA...

Page 55: ... command determines the n MAC type n Chassis ID n Security Appliance ID n Assigned interface Syntax asg_mac_resolver MAC address Example Expert MyChassis ch01 01 0 asg_mac_resolver 00 1C 7F 01 00 FE 00 1C 7F 01 00 FE BMAC Chassis ID 1 SGM ID 1 Interface BPEth0 Expert MyChassis ch01 01 0 Notes n The specified MAC Address comes from BPEth0 on Security Appliance1 on Chassis1 n 00 1C 7F 01 00 FE is th...

Page 56: ...ally configures the Distribution Mode Supported Distribution Modes Mode Description User Internal Packets are assigned to a Security Appliance based on the packet s Destination IP address If Layer 4 distribution is enabled packets are assigned to a Security Appliance based on the packet s Source port and the Destination IP address Network External Packets are assigned to a Security Appliance based...

Page 57: ...selected based on the Security Group topology as defined in SmartConsole The Distribution Mode is automatically based on these interface types n Physical interfaces except for management and synchronization interfaces n VLAN n Bond n VLAN over Bond Manual Distribution Configuration Manual General In some deployments you must manually configure a Distribution Mode on the Security Group to the Gener...

Page 58: ...distribution configuration on the Security Group Important If the Security Group runs in a VSX mode run the commands in the context of VS0 only The commands apply immediately across all Virtual Systems Syntax to show the Distribution Configuration show distribution configuration Syntax to set the Distribution Configuration set distribution configuration auto topology manual general ip version ipv4...

Page 59: ... ip mask mask Must be the same as the distribution matrix size Must be specified in the Hex format Follow these steps 1 Examine the distribution matrix size show distribution verification verbose Examine the Matrix Size line Example Matrix Size 512 2 Exit from the Gaia gClish to the Expert mode 3 Convert the matrix size from the decimal to the hexadecimal format printf x n Matrix Size Example Expe...

Page 60: ...ntext of the applicable Virtual System before you can change the interface Distribution Mode Run the set virtual system VS_ID command Syntax to set the interface Distribution Mode set distribution interface if_name configuration user network policy Syntax to show the interface Distribution Mode show distribution interface if_name configuration Parameters Parameter Description if_ name Interface na...

Page 61: ...n network bin distutil set_ifn_dist_mode eth1 01 external Example 2 Set the Distribution Mode to use the Auto Topology to assign traffic according to the policy set distribution interface eth1 01 configuration policy bin distutil set_ifn_dist_mode eth1 01 policy Example 3 Set the Distribution Mode to User Internal set distribution interface eth1 01 configuration user bin distutil set_ifn_dist_mode...

Page 62: ...t Configuration Verification Result Mode per port per port Passed L4 Mode on on Passed Matrix Size 512 512 Passed eth2 08 policy external policy external Passed eth1 08 policy internal policy internal Passed eth2 07 policy internal policy internal Passed eth2 06 policy internal policy internal Passed eth1 05 manual internal manual internal Passed eth1 06 policy internal policy internal Passed eth1...

Page 63: ...ful tests show distribution verification verbose Test Configuration Verification Result Mode per port per port Passed L4 Mode off off Passed Matrix Size 512 512 Passed eth2 16 policy internal policy internal Passed eth1 16 policy internal policy internal Passed eth1 15 policy external policy external Passed Example 2 Verbose output of failed tests show distribution verification verbose Test Config...

Page 64: ..._ID command Syntax set distribution l4 mode enabled set distribution l4 mode disabled show distribution l4 mode Below are some examples Example 1 Configure the Layer 4 Distribution Mode Expert MyChassis ch01 01 0 gclish Global MyChassis ch01 01 set distribution l4 mode enabled 1_01 success 1_02 success Global MyChassis ch01 01 Example 2 Disable the Layer 4 Distribution Mode Expert MyChassis ch01 0...

Page 65: ...n packets from the same session sent from the server to the client The system correction layer must then forward the packet to the correct Security Appliance Configuring the Distribution Mode correctly keeps correction situations to a minimum and optimizes system performance To achieve optimal distribution between Security Appliances in a Security Group in Gateway mode NAT Rules Instructions Not u...

Page 66: ...g to the WRP interface s Distribution Mode It can decide to forward the packet to a different Security Appliance In addition on each Virtual System the system s correction layer which is stateful can forward session packets similar to the Security Gateway All forwarding operations have a performance impact Therefore the Distribution Mode configuration should minimize forwarding operations To achie...

Page 67: ... chunks Each chunk contains a predefined number of GARP Requests based on these parameters n The number of GARP Requests in each chunk n High Availability Time Unit HTU Time interval 1 HTU 0 1 sec after which a chunk is sent n The chunk mechanism iterates on the proxy ARP IP addresses and each time sends GARP Requests only for some of them until it completes the full list When the iteration sends ...

Page 68: ...its for this period of time and sends it again fwha_periodic_send_garps_ interval4 The default value is 50 HTUs 5 seconds After the iteration sends the GARP list it waits for this period of time and sends it again fwha_periodic_send_garps_ interval5 The default value is 100 HTUs 10 seconds After the iteration sends the GARP list it waits for this period of time and sends it again To change an inte...

Page 69: ...ailover behavior asg_ips_failover_behavior connectivity security Parameters Parameter Description connectivity Prefer connectivity Closes connections for which IPS inspection cannot be guaranteed security Prefer security Keeps connections alive even if IPS inspection cannot be guaranteed Syntax to view the configured IPS cluster failover behavior fw ctl get int fwha_ips_reject_on_failover n If the...

Page 70: ...ccess Control Rule Base for all bridged networks This is different from ARP ARP traffic is Layer 2 only therefore it permitted regardless of the Rule Base This is an example of an explicit Rule Base that permits ICMPv6 Neighbor Discovery protocol Source Destination Services and Applications Action Network object that represents the Bridged Network Network object that represents the Bridged Network...

Page 71: ...m information CPU Memory Disk space and information for different Software Blades only on Security Gateway The CPView continuously updates the data in easy to access views On Security Gateway you can use this statistical data to monitor the performance For more information see sk101878 Syntax cpview help Using CPView Use these keys to navigate the CPView Key Description Arrow keys Moves between me...

Page 72: ...help and refresh statistics Key Description C Saves the current page to a file The file name format is cpview_ cpview process ID cap number of captures H Shows a tooltip with CPView options Space bar Immediately refreshes the statistics CPView User Interface The CPView user interface has three sections Section Description Header This view shows the time the statistics in the third view are collect...

Page 73: ...x asg if h asg if i interface1 interface2 interfaceN v enable disable asg if ip IP Parameters Parameter Description h Shows the built in help No Parameters Shows information about all interfaces i interface1 interface2 interfaceN Shows information only about the interfaces specified by their names n You can specify one or more interfaces n If you specify more than interface you must separate their...

Page 74: ... interfaces without spaces This operation can take a few seconds for each interface Example output Expert MyChassis ch01 01 0 asg if i eth1 01 v Collecting information may take few seconds Interfaces Data Interface IPv4 Address Info State Speed MTU Duplex MAC Address ch1 ch2 IPv6 Address global IPv6 Address local eth1 01 Bond slave up up 10G 1500 Full 00 1c 7f a1 01 0 master bond1 up up Comment in...

Page 75: ... 1500 Full 00 1c 7f 81 05 fe master bond1 down bond1 201 18 18 18 10 Vlan down NA NA NA 00 1c 7f 81 05 fe br0 Bridge Mast up NA NA NA 00 1c 7f 81 07 fe ports eth2 07 down eth1 07 down eth1 07 Bridge port down 10G 1500 Full 00 1c 7f 81 07 fe master br0 up eth2 07 Bridge port down 10G 1500 Full 00 1c 7f 82 07 fe master br0 up eth1 01 15 15 15 10 Ethernet up 10G 1500 Full 00 1c 7f 81 01 fe eth1 Mgmt4...

Page 76: ...e n Slave state consistency for all Security Appliances n Database consistency for all Security Appliances n Confirms the LACP aggregator ID between bond and slaves are compatible n Verifies that the LACP packet between neighbors and key comparison You can run this command for specified bonds or for all bonds Syntax asg_bond h help asg_bond v i filter Parameters Parameter Description h help Shows ...

Page 77: ... 23 1 10 Load Sharing eth1 04 bond5 MAC 00 1c 7f 81 07 fe Round Rubin eth1 07 OK IPv4 33 33 1 10 Load Sharing eth2 07 bond7 MAC 00 00 00 00 00 fe Active Backup OK No slaves exist High Availability Expert MyChassis ch01 01 0 Viewing a Specific Bond Interface asg_bond i Use the asg_bond i bondX command in Gaia gClish or the Expert mode to show specific defined bonds Example Expert MyChassis ch01 01 ...

Page 78: ...ows an incomplete definition with no slaves configured Expert MyChassis ch01 01 0 asg_bond v Listening for LACP packets OK Name Address Mode Slaves Result Comments bond1 MAC 00 1c 7f 81 02 fe LACP 802 3ad eth1 02 Failed eth1 02 missing LACP pkts IPv4 13 13 1 10 Load Sharing eth1 03 eth1 03 missing LACP pkts eth2 03 eth2 03 missing LACP pkts eth2 02 eth2 02 missing LACP pkts bond3 MAC 00 1c 7f 82 0...

Page 79: ...ng When the analyze or banalyze option is not specified the command behaves almost the same as the native Linux ifconfig command However the output shows statistics for all interfaces on all Security Appliances and for interfaces on the local Security Appliance Analyze Shows accumulated traffic information and traffic distribution between Security Appliances Banalyze Shows accumulated traffic info...

Page 80: ...meters to show traffic distribution between interfaces banalyze Shows accumulated traffic information Use the a v and d delay parameters to show traffic distribution between interfaces You can use these parameters to sort the traffic distribution table n rp X packets n rb X bytes n rd X dropped packets n tp X packets n tb X bytes n td X dropped packet For example if you sort with the rb option the...

Page 81: ...nk encap Ethernet HWaddr 00 1C 7F 81 01 EA UP BROADCAST RUNNING SLAVE MULTICAST MTU 1500 Metric 1 RX packets 137 errors 0 dropped 0 overruns 0 frame 0 TX packets 26336 errors 0 dropped 0 overruns 0 carrier 0 collisions 0 txqueuelen 0 RX bytes 7591 7 4 KiB TX bytes 2355386 2 2 MiB 1_04 eth2 01 Link encap Ethernet HWaddr 00 1C 7F 81 01 EA UP BROADCAST RUNNING SLAVE MULTICAST MTU 1500 Metric 1 RX pac...

Page 82: ...3 bytes 1850315554 1 9 GiB dropped 0 1_03 eth2 Sync Link encap Ethernet HWaddr 00 1C 7F 03 04 FE UP BROADCAST RUNNING SLAVE MULTICAST MTU 1500 Metric 1 RX packets 10 bytes 644 644 0 b dropped 0 TX packets 67826313 bytes 7345458105 7 3 GiB dropped 0 1_04 eth2 Sync Link encap Ethernet HWaddr 00 1C 7F 04 04 FE UP BROADCAST RUNNING SLAVE MULTICAST MTU 1500 Metric 1 RX packets 13 bytes 860 860 0 b drop...

Page 83: ...and in Gaia gClish or the Expert mode shows this multicast routing information in a tabular format n Source Source IP address n Dest Destination address n Iif Source interface n Oif Outbound interface You can filter the output for specified interfaces and Security Appliances Syntax asg_mroute h asg_mroute d dest_route s src_route i src_if b SGM_ IDs Parameters Parameter Description h Shows the bui...

Page 84: ...ctive Chassis chassis_active Below are some examples Example 1 Shows all multicast routes for all interfaces and Security Appliances Expert MyChassis ch01 01 0 gclish Global MyChassis ch01 01 asg_mroute Multicast Routing All SGMs Source Dest Iif Oif 12 12 12 1 225 0 90 90 eth1 01 eth1 02 22 22 22 1 225 0 90 90 eth1 02 eth1 01 22 22 22 1 225 0 90 91 eth1 02 eth1 01 Global MyChassis ch01 01 Example ...

Page 85: ...ace state You can filter the output for specified interfaces and Security Appliances Syntax asg_pim h asg_pim b SGM_IDs i if asg_pim neighbors n neighbor Parameters Parameter Description h Shows the built in help No Parameters Shows all routes interfaces and Security Appliances b SGM_ IDs Applies to Security Appliances specified by SGM_IDs SGM_IDs can be n No SGM_IDs specified or all Applies to al...

Page 86: ...ll SGMs source dest Mode Flags In intf RPF Out intf State 12 12 12 1 225 0 90 90 Dense Mode L M eth1 01 none 22 22 22 1 225 0 90 90 Dense Mode L M eth1 02 none eth1 01 Forwarding 22 22 22 1 225 0 90 91 Dense Mode L M eth1 02 none eth1 01 Forwarding eth2 01 Forwarding Flags L Local source M MFC State Global MyChassis ch01 01 Example 2 Shows PIM Information for the specific interface on all Security...

Page 87: ...ows PIM neighbors Expert MyChassis ch01 01 0 gclish Global MyChassis ch01 01 asg_pim neighbors PIM Neighbors All SGMs Verification Neighbors Verification Passed Neighbors are identical on all blades Neighbor Interface Holdtime Expires min max 11 1 1 1 bond1 105 11 36 45 11 37 59 Global MyChassis ch01 01 ...

Page 88: ... which blade n Global properties Confirms the flags address and other information are the same on all Security Appliances n Interfaces Confirms that all blades have the same interfaces and that they are in the same state UP or DOWN If inconsistencies are detected a warning message shows Syntax asg_igmp h asg_igmp i interface b SGM_IDs Parameters Parameter Description h Shows the built in help i in...

Page 89: ...Interval protocol Advertise Address Querier 2 125 10 PIM 12 12 12 10 Interface eth1 02 Verification Group Verification Failed Found inconsistency between blades Group 225 0 90 92 missing in blades 1_02 Global Properties Verification Passed Information is identical on all blades Group Age Expire 225 0 90 92 2m 3m Flags IGMP Ver Query Interval Query Response Interval protocol Advertise Address Queri...

Page 90: ...ing IGMP information may take few seconds IGMP All SGMs Interface bond1 3 Verification Group Verification Passed Information is identical on all blades Global Properties Verification Passed Information is identical on all blades Group Age Expire 225 0 90 90 46m 3m Flags IGMP Ver Query Interval Query Response Interval protocol Advertise Address Querier 2 125 10 PIM 12 12 12 11 Expert MyChassis ch01...

Page 91: ...ee VPN status with SNMP n For VSX environments search for the SNMP Monitoring section in the R80 20SP Maestro VSX Administration Guide for VSX related SNMP information CLI Tools Use these commands n To see VPN statistics for each Security Appliance in the Expert mode run cpstat f all vpn n To monitor VPN tunnels for each Security Appliance in the Expert mode run vpn tu VPN tunnels are synchronized...

Page 92: ...mechanism used in the Security Group Firewall The asg_tracert command supports all native options and parameters of the tracert command Syntax asg_tracert ip tracert_options Parameters Parameter Description ip IP address tracert_options Native tracertcommand options Example Expert MyChassis ch01 01 0 asg_tracert 100 100 100 99 traceroute to 100 100 100 99 100 100 100 99 30 hops max 40 byte packets...

Page 93: ...e To stop the capture and save the data to the capture file press CTRL C at the prompt Parameters Parameter Description b SGM_ IDs Applies to Security Appliances as specified by SGM_IDs SGM_IDs can be n No SGM_IDs specified or all Applies to all Security Appliances and Chassis n One Security Appliance for example 1_1 n A comma separated list of Security Appliances for example 1_1 1_4 n A range of ...

Page 94: ...mple 2 Capture packets from specified Security Appliances and interfaces Expert MyChassis ch01 01 0 gclish Global MyChassis ch01 01 tcpdump b 1_1 1_3 2_1 mcap w tmp capture nnni eth1 Mgmt4 Global MyChassis ch01 01 Example 3 Show captured packets from file Expert MyChassis ch01 01 0 gclish Global MyChassis ch01 01 tcpdump view r tmp capture Reading from file tmp capture link type EN10MB Ethernet 1_...

Page 95: ...ement Monitor feature is disabled by default To enable this feature run the set chassis high availability mgmt monitoring on command in Gaia gClish of the Security Group When the Management Monitor feature is enabled n The monitored management ports are included in the Chassis grade mechanism according to predefined factors default is 11 n The output of the asg stat v command shows the Management ...

Page 96: ... Status Maestro Up time 13 10 04 hours SGMs 2 2 Version R80 20SP Build Number XXX SGM ID Chassis 1 ACTIVE 1 ACTIVE 2 ACTIVE Chassis Parameters Unit Chassis 1 Weight SGMs 2 2 6 Ports Standard 8 8 11 Bond 0 0 11 Mgmt 1 1 11 Other 0 0 6 Sensors SSMs 2 2 11 Grade 73 73 Synchronization Sync to Active chassis Enabled Global MyChassis ch01 01 Global MyChassis ch01 01 show interfaces Interfaces Data Inter...

Page 97: ...e Security Appliances When you run a command in the Expert mode it works as a standard Linux command To use the global command in the Expert mode run the global command script version as shown in this table Gaia gClish Command Global Command in the Expert Mode arp g_arp cat g_cat cp g_cp dmesg g_dmesg ethtool g_ethtool ls g_ls md5sum g_md5sum mv g_mv netstat g_netstat reboot g_reboot tail g_tail t...

Page 98: ... Gaia gClish Command Standard command in Gaia gClish Global Command Global command in the Expert mode as shown in the table above Command Options Standard command options for the specified command Below is the syntax for some of the global commands Global ls Description This command shows the file in the specified directory on all Security Appliances Syntax g_ls b SGM_IDs command_options ls b SGM_...

Page 99: ...Appliance processors in real time The default output also shows a list of the most processor intensive processes The global top command relies on the user configuration for the local top utility The command uses the local Security Appliance configuration file for configuring the output on the remote Security Appliances With the standard functionality of the Linux top command the global top command...

Page 100: ...separated list of Security Appliances for example 1_1 1_4 n A range of Security Appliances for example 1_1 1_4 n One Chassis chassis1 or chassis2 n The active Chassis chassis_active top_params Parameters of the standard top command For more information see the top command documentation s filename Shows the content of the output file filename The top command uses a configuration file to manage outp...

Page 101: ...le on all interfaces of all Security Appliances Expert MyChassis ch01 01 0 gclish Global MyChassis ch01 01 arp 1_01 Address HWtype HWaddress Flags Mask Iface 192 0 2 2 ether 00 1C 7F 02 04 FE C Sync 172 23 9 28 ether 00 14 22 09 D2 22 C eth1 Mgmt4 192 0 2 3 ether 00 1C 7F 03 04 FE C Sync 1_02 Address HWtype HWaddress Flags Mask Iface 192 0 2 3 ether 00 1C 7F 03 04 FE C Sync 172 23 9 28 ether 00 14...

Page 102: ...erval default 10 seconds To stop the command and return to the command line press e Syntax asg perf h asg perf b SGM_IDs vs VS_IDs k v vv p 4 6 c asg perf b SGM_IDs vs VS_IDs k e delay seconds asg perf b SGM_IDs vs VS_IDs v vv mem fwk cpd fwd all_daemons cpu 1m 1h 24h Parameters Parameter Description h Shows the built in help b SGM_IDs Applies to Security Appliances as specified by SGM_IDs SGM_IDs...

Page 103: ...relevant in a VSX environment mem Shows memory usage for each daemon Use this with vv Possible values n fwk Default n fwd n cpd n all_daemons cpu Shows CPU usage for a specified period of time Use this with vv Possible values are n 1m default The last 60 seconds n 1h The last hour n 24h The last 24 hours p Show detailed statistics and traffic distribution between these paths on the Active Chassis ...

Page 104: ...e some examples Example 1 Summary without Parameters asg perf Expert MyChassis ch01 01 0 gclish Global MyChassis ch01 01 asg perf Thu May 21 08 17 24 IDT 2015 Aggregated statistics IPv4 Only of SGMs chassis_active VSs 0 Performance Summary Name Value Throughput 751 6 K Packet rate 733 Connection rate 3 Concurrent connections 142 Load average 2 Acceleration load avg min max 1 0 4 Instances load avg...

Page 105: ...em ID Rate Rate Conn Cores Cores Usage 1_01 10 2 K 11 0 22 6 6 6 5 4 9 55 Total 10 2 K 11 0 22 6 6 6 5 4 9 55 Per VS CPU Usage Summary VS ID Avg Cpu Min Cpu Max Cpu SGM id SGM id 0 2 1 1_02 2 1_01 1 0 0 1_01 0 1_04 CPU stats is aggregated over the last 24hrs Global MyChassis ch01 01 Make sure that resource control monitoring is enabled on all Security Appliances To enable resource control monitori...

Page 106: ...tatistics IPv4 and IPv6 of SGMs all Virtual Systems 0 1 Performance Summary Name Value IPv4 Throughput 1 7 K 100 Packet rate 2 100 Connection rate 0 N A Concurrent connections 20 100 Load average 6 Acceleration load avg min max 5 5 5 Instances load avg min max 5 3 10 Memory usage 57 Per Path Distribution Summary Acceleration Medium Firewall Dropped Throughput 0 0 1 7 K 0 Packet rate 0 0 2 0 Connec...

Page 107: ...ion load avg min max 58 48 68 Instances load avg min max 3 1 5 Memory usage 18 Per SGM Distribution Summary SGM ID Throughput Packet rate Conn Concurrent Core usage Core Instances Memory Rate Connections avg min max avg min max Usage 1_01 644 3 M 1 2 M 0 520 52 44 62 6 3 10 18 1_02 526 7 M 997 1 K 0 512 61 51 68 2 0 5 18 1_03 526 6 M 997 0 K 0 512 62 53 73 2 1 3 18 1_04 526 7 M 997 0 K 0 804 54 48...

Page 108: ...n max 2 0 12 Memory usage 10 Instances Acceleration Cores 8 4 Per VS Memory Summary VS ID User Space Memory in FWK memory Total memory CPU memory Kernel Usage 0 max 222 3M 1_01 1 658G 1_04 47 11M 1_04 1 880G 1_04 N A min 215 8M 1_03 1 213G 1_01 45 55M 1_03 1 249G 1_01 N A 1 max 56 34M 1_02 0K 1_04 31 16M 1_02 56 34M 1_02 N A min 54 24M 1_01 0K 1_04 29 52M 1_03 54 24M 1_01 N A Maximum and minimum v...

Page 109: ...report name Performance_hogs command in Gaia gClish Syntax asg_perf_hogs Example Expert MyChassis 01 0 asg_perf_hogs Status Test performed PASSED Disabled Accept Templates PASSED Disabled NAT Templates PASSED FW1 debug flags PASSED Kernel soft lockups PASSED Local logging PASSED Long running processes PASSED Neighbour table overflow PASSED PPACK debug flags PASSED Routing cache entries PASSED Secu...

Page 110: ...local_logging 1 disabled_templates 1 correction_table_entries 1 routing_cache_entries 1 swap_saturation 1 delayed_notifications 1 neighbour_table_overflow 1 soft_lockups 1 standby_chassis_load 1 routed_trace_options 1 peak_connections 1 correction_table_entries threshold 10 long_running_procs elapsed_time 60 processes_to_check fw ctl zdebug fw ctl debug fw ctl kdebug fw monitor tcpdump routing_cac...

Page 111: ...ection in the SMODIR conf performance_hogs conf file long_running_procs The long_running_procs test confirms that certain processes do not run longer than the configured time Note This test runs in contexts of all Virtual Systems Parameters Parameter Description elapsed_ time Longest time in seconds a process should run Default 60 seconds Minimum recommended value 30 processes_ to_check List of pr...

Page 112: ...nds accel_off The accel_off test confirms that SecureXL is working Notes n This test has no configuration options n The test runs in the context of the current Virtual System only Example output Status Test performed PASSED Disabled Accept Templates PASSED Disabled NAT Templates PASSED FW1 debug flags PASSED Kernel soft lockups PASSED Local logging PASSED Long running processes PASSED Neighbour ta...

Page 113: ...no configuration options n This test runs in the context of the current Virtual System only Example output Status Test performed PASSED Disabled Accept Templates PASSED Disabled NAT Templates PASSED FW1 debug flags PASSED Kernel soft lockups FAILED Local logging PASSED Long running processes PASSED Neighbour table overflow PASSED Routing cache entries PASSED SecureXL status PASSED Swap saturation ...

Page 114: ... 99 Note This test runs regardless of the Virtual System context Example output Status Test performed PASSED Disabled Accept Templates PASSED Disabled NAT Templates PASSED FW1 debug flags PASSED Kernel soft lockups PASSED Local logging PASSED Long running processes PASSED Neighbour table overflow PASSED Routing cache entries PASSED SecureXL status FAILED Swap saturation PASSED routed trace options...

Page 115: ...w to configure arp cache size soft_lockups The soft_lockups test confirms there are no kernel soft lockups during the timeout period Timeout is the number of seconds to look back in the var log messages file for kernel soft lockup messages n Default 3600 n Recommended range 300 86400 Note This test runs regardless of the Virtual System context Example output Status Test performed PASSED Disabled A...

Page 116: ...er Description if_name Interface name priority Port grade Valid values n 1 Standard priority n 2 Other priority Use the set chassis high availability port priority command together with the set chassis high availability factors port command n Set the port grade as standard or high For example to set the standard grade at 50 run set chassis high availability factors port standard 50 n Set the port ...

Page 117: ...a filtered list of connections n See which Security Appliance handles the connection actively or as backup and on which Chassis You can run this command directly or in Interactive Mode In the Interactive Mode you can enter the parameters in the correct sequence The asg search command also runs a consistency test between Security Appliances This command supports both IPv4 and IPv6 connections Searc...

Page 118: ..._ip Source IPv4 or IPv6 address dest_ip Destination IPv4 or IPv6 address dest_port Destination port number protocol IP Protocol source_port Source port number v Shows connection indicators for n A Active Security Appliance n B Backup Security Appliance n F Firewall connection table n S SecureXL connection table n C Correction Layer table This is in addition to the indicators for Active and Backup ...

Page 119: ...p 2_01 A 1_04 A 192 0 2 4 1130 192 0 2 15 49857 tcp 2_01 A 1_04 A 192 0 2 4 1130 192 0 2 15 49841 tcp 2_01 A 1_04 A 192 0 2 4 36315 192 0 2 15 1130 tcp 2_01 A 1_04 A 192 0 2 4 1130 192 0 2 15 49859 tcp 2_01 A 1_04 A 192 0 2 4 36300 192 0 2 15 1130 tcp 2_01 A 1_04 A 192 0 2 4 36301 192 0 2 15 1130 tcp 2_01 A 1_04 A Legend A Active SGM B Backup SGM C Correction Layer table F Firewall connection tabl...

Page 120: ...3 9 138 257 172 23 9 130 33465 tcp 1_01 A 172 23 9 130 22 194 29 40 23 65515 tcp 1_01 A 172 23 9 130 22 194 29 47 14 52493 tcp 1_01 A 172 23 9 130 18192 172 23 9 138 49059 tcp 1_01 A 172 23 9 130 18192 172 23 9 138 33356 tcp 1_01 A 172 23 9 138 33356 172 23 9 130 18192 tcp 1_01 A 172 23 9 138 43563 172 23 9 130 18192 tcp 1_01 A 172 23 9 130 32864 172 23 9 138 257 tcp 1_01 A 0 0 0 0 68 255 255 255 ...

Page 121: ...he required sequence You can use this as an alternative to the command line syntax To run asg search in Interactive Mode Step Instructions 1 Run in Gaia gClish asg search vs VS_IDs v 2 Enter these parameters in the order below 1 Source IPv4 or IPv6 address 2 Destination IPv4 or IPv6 address 3 Destination port number 4 IP protocol 5 Source port number Note You can enter to show all values for any p...

Page 122: ...01 AF 1_04 AF 192 0 2 4 1130 192 0 2 15 49658 tcp 2_01 AF 1_04 AF 192 0 2 4 37407 192 0 2 15 1130 tcp 2_01 AF 1_04 AF Legend A Active SGM B Backup SGM C Correction Layer table F Firewall connection table S SecureXL connection table Example 2 One IPv6 source with any Destination on port 8080 and TCP Global MyChassis ch01 01 Global MyChassis ch01 01 asg search 2620 0 2a03 16 2 33 0 1 8080 tcp Enter ...

Page 123: ...ty Appliance Syntax asg_conns h asg_conns b SGM_IDs Parameters Parameter Description h Shows the built in help b SGM_IDs Applies to Security Appliances as specified by SGM_IDs SGM_IDs can be n No SGM_IDs specified or all Applies to all Security Appliances and Chassis n One Security Appliance for example 1_1 n A comma separated list of Security Appliances for example 1_1 1_4 n A range of Security A...

Page 124: ...4 Total conn entries DB 3 2 Total conn entries DB 26 4 Total conn entries DB 30 2 1_02 There are 16 conn entries in SecureXL connections table Total conn entries DB 0 2 Total conn entries DB 1 2 Total conn entries DB 26 2 1_03 There are 16 conn entries in SecureXL connections table Total conn entries DB 0 2 Total conn entries DB 5 2 Total conn entries DB 30 2 1_04 There are 260 conn entries in Sec...

Page 125: ...command Description Use the drop_monitor command in the Expert mode to monitor dropped packets on interfaces in real time Drop statistics arrive from these modules n NICs n CoreXL n PSL n SecureXL Notes n This command opens a monitor session and shows aggregated data from Security Group members To stop an open session press CTRL C n By default this utility shows drop statistics for IPv4 traffic Sy...

Page 126: ...cs for the specified network interfaces Enter the names of applicable interfaces separated a comma By default this utility shows drop statistics only for the backplane interfaces f Refresh Rate refresh rate Refresh Rate Specifies the output refresh rate in seconds The default is 3 seconds sf Query Timeout ssms refresh rate Query Timeout Specifies the query timeout in seconds The default is 60 seco...

Page 127: ...al drop statistics only v6 ipv6 Shows drop statistics for IPv6 traffic Example 1 Default output drop_monitor Dropped packets statistics of network interfaces CoreXL SecureXL and PSL Category Statistics Total RX Dropped 0 NIC TX Dropped 0 Qdisc Dropped 0 Outbound Dropped 0 CoreXL Inbound Dropped 0 F2P Dropped 0 PSL Total Dropped 0 Rejected 0 SecureXL Total drops 0 ...

Page 128: ... Rejected 0 0 0 XMT error 0 0 0 general reason 0 0 0 Syn Defender 0 0 0 Attack mitigation 0 0 0 VPN forwarding 0 0 0 corrupted packet 0 0 0 hl spoof viol 0 0 0 encrypt failed 0 0 0 cluster error 0 0 0 anti spoofing 0 0 0 monitored spoofed 0 0 0 hl new conn 0 0 0 hl TCP viol 0 0 0 F2F not allowed 0 0 0 SecureXL fragment error 0 0 0 Session rate exceed 0 0 0 PXL decision 0 0 0 template quota 0 0 0 d...

Page 129: ...stics arrive from these modules n NICs n Operating System n CoreXL n PSL n SecureXL Note This command opens a monitor session and shows aggregated data from all Security Appliances in this Security Group To stop an open session press CTRL C Syntax asg_drop_monitor h asg_drop_monitor r 6 Parameters Parameter Description h Shows the built in help r Reset statistics to 0 6 Shows only IPv6 results ssm...

Page 130: ...L rejects 0 Ppak drops Displaying aggregated data from blades all Reason Value Reason Value general reason 8881796 CPASXL decision 0 PSLXL decision 0 clr pkt on vpn 0 encrypt failed 0 drop template 0 decrypt failed 0 interface down 0 cluster error 0 XMT error 0 anti spoofing 0 local spoofing 0 sanity error 0 monitored spoofed 0 QOS decision 0 C2S violation 0 S2C violation 0 Loop prevention 0 DOS F...

Page 131: ...rs in the Security Group n Number of Virtual Systems n Software Version n Information related to VSX configuration Syntax asg stat h i list_all i sgm_info i tasks v amw vs all p Note If you run this command in the context of a Virtual System the output is for the applicable Virtual System Parameters Parameter Description No Parameter Shows the chassis status short output h Shows the built in help ...

Page 132: ...Run this command in the context of the Virtual System n vs all Output also shows all Virtual Systems n vs all p Output shows a summary health status for all Virtual Systems For more information on a specific Virtual System run the asg stat vs command from the context of the Virtual System Below are some example Example 1 Default Output asg stat Syntax asg stat Example Expert MyChassis ch01 01 0 as...

Page 133: ... state Explanation about the output Field Description SGM ID Identifier of the Security Appliance The local is the Security Appliance on which you ran the command State State of the Security Appliance n ACTIVE The Security Appliance is processing traffic n DOWN The Security Appliance is not processing traffic n Detached No Security Appliance is detected in a slot To change manually the state of th...

Page 134: ... and 30 must be UP Field Description Grade The sum of the grades of all components The grade of each component is the unit weight multiplied by the number of components that are UP You can configure the unit weight of each component to show the importance of the component in the system To configure the unit weight run set chassis high availability factors sensor_ name For example to change the wei...

Page 135: ... To stop the monitor session press CTRL C Note If you run this command in a Virtual System context you only see the output for that Virtual System You can also specify the Virtual System context as a command parameter Syntax asg monitor h asg monitor asg monitor v all amw Interval asg monitor l Parameters Parameter Description h Shows the built in help No Parameters Shows the Security Appliance st...

Page 136: ...e 12 03 48 hours SGMs 2 2 Version R80 20SP Build Number XX FW Policy Date 21Feb19 14 37 AMW Policy Date 21Feb19 14 37 SGM ID Chassis 1 ACTIVE 1 ACTIVE 2 ACTIVE Example 2 Shows the Chassis component status Expert MyChassis ch01 01 0 asg monitor v Thu Feb 21 21 07 11 IST 2019 Chassis Parameters Unit Chassis 1 Weight SGMs 2 2 6 Ports Standard 8 8 11 Bond 0 0 11 Mgmt 1 1 11 Mgmt Bond 0 0 11 Other 0 0 ...

Page 137: ...e below value High or low value for the applicable threshold Example Set the memory utilization high limit to 70 of installed memory Expert MyChassis ch01 01 0 gclish Global MyChassis ch01 01 set chassis alert_threshold mem_util_threshold_perc_high 70 Global MyChassis ch01 01 Performance Alert Thresholds Threshold Name Scope Description concurr_conn_threshold_high Security Appliance Concurrent con...

Page 138: ...rity Appliance Disk utilization Low limit of high limit mem_util_threshold_perc_high Security Appliance Memory utilization High limit mem_util_threshold_perc_low_ ratio Security Appliance Memory utilization Low limit of high limit packet_rate_threshold_high Security Appliance Packet rate per second High limit packet_rate_threshold_low_ratio Security Appliance Packet rate per second Low limit of hi...

Page 139: ... the Resource RAM and Storage and SSD Health information b SGM_ IDs Applies to Security Appliances as specified by SGM_IDs SGM_IDs can be n No SGM_IDs specified or all Applies to all Security Appliances and Chassis n One Security Appliance for example 1_1 n A comma separated list of Security Appliances for example 1_1 1_4 n A range of Security Appliances for example 1_1 1_4 n One Chassis chassis1 ...

Page 140: ...48 4G HD boot 14 80 288 6M 1_02 Memory 21 50 62 8G HD 16 80 33 9G HD var log 2 80 48 4G HD boot 14 80 288 6M output is cut for brevity 2_01 Memory 21 50 62 8G HD 16 80 33 9G HD var log 2 80 48 4G HD boot 14 80 288 6M 2_02 Memory 21 50 62 8G HD 16 80 33 9G HD var log 2 80 48 4G HD boot 14 80 288 6M output is cut for brevity SSD Health Member ID SMART overall health 1_01 PASSED 1_02 PASSED output is...

Page 141: ...ource b 1_01 Resource Table Member ID Resource Name Usage Threshold Total 1_01 Memory 21 50 62 8G HD 16 80 33 9G HD var log 2 80 48 4G HD boot 14 80 288 6M SSD Health Member ID SMART overall health 1_01 PASSED 1_02 PASSED 1_03 PASSED 1_04 PASSED 1_05 PASSED 2_01 PASSED 2_02 PASSED 2_03 PASSED 2_04 PASSED 2_05 PASSED SSD attributes verifier ended successfully Expert MyChassis 01 0 ...

Page 142: ...output is cut for brevity 2_01 PASSED 2_02 PASSED output is cut for brevity SSD Attributes Member 1_01 ID Attribute name Value Trhesh Last_failed 5 Reallocated_Sector_Ct 100 0 9 Power_On_Hours 100 0 12 Power_Cycle_Count 100 0 output is cut for brevity 194 Temperature_Celsius 100 0 output is cut for brevity Member 1_02 ID Attribute name Value Trhesh Last_failed 5 Reallocated_Sector_Ct 100 0 output ...

Page 143: ...r example the first row shows that Security Appliance1 on Chassis1 has 62 8 GB of RAM and 21 of it are used An alert is sent if the usage is greater than 50 SMART Attributes section description Column Description SMART overall health Shows the state of the SMART test passed or failed ID Shows the attribute ID in the decimal format Attribute name Shows the attribute name Value Shows the current val...

Page 144: ...curs for example when the value of a hardware resource is greater than the threshold The alert message includes the Chassis ID Security Appliance ID and or unit ID The wizard has these options Option Description Full Configuration Wizard Create a new alert Edit Configuration Change an existing alert Show Configuration Show existing alert configurations Configure events severity Configure severity ...

Page 145: ...o which the email alerts are sent Email recipient addresses One or more recipient email address for each SMTP server Periodic connectivity checks Tests run periodically to confirm connectivity with the SNMP servers If there is no connectivity alert messages are saved and sent in one email when connectivity is restored Interval Interval in minutes between connectivity tests Sender email address Ema...

Page 146: ...r system The default is 0x80000000010203EA SNMP v3 authentication protocol Authentication protocol MD5 or SHA for SNMP v3 authentication SNMP v3 authentication password Authentication password for SNMP v3 authentication SNMP v3 privacy protocol Privacy protocol DES or AES for SNMP v3 authentication SNMP v3 privacy password Privacy password for SNMP v3 authentication SNMP user text Custom text for ...

Page 147: ...ange 7 VS Monitor State Change Hardware Monitor events 8 Fans 9 SSM 10 CMM 11 Power Supplies 12 CPU Temperature Performance events 13 Concurrent Connections 14 Connection Rate 15 Packet Rate 16 Throughput 17 CPU Load 18 Hard Drive Utilization 19 Memory Utilization Please choose event types for which to send alerts all format all or 1 4 or 1 3 7 10 n You can select one or more event types n One eve...

Page 148: ...2 section SectionName show smo verifiers report except id TestId1 TestId2 name TestName section SectionName show smo verifiers print except id TestId1 TestId2 name TestName section SectionName show smo verifiers periodic last run report print delete smo verifiers purge save Num_Logs Parameters Parameter Description list Shows the list of tests to run report Runs tests and shows a summary of the te...

Page 149: ...o see a full list of verifiers names section SectionName Specifies the verifiers section by its name Press the Tab key to see a full list of the existing sections purge Deletes the old smo verifiers logs Keeps the newest log save Num_Logs Number of logs to save from the smo verifiers log files Default 5 periodic Shows the latest periodic run results last run Shows the latest run results ...

Page 150: ...y_amw a 10 SWB Updates asg_swb_update_verifier v 11 Installation installation_verify 12 Security Group security_group_util diag 13 Cores Distribution cores_verifier 14 Clock clock_verifier v 15 Licenses asg_license_verifier v 16 IPS Enhancement asg_ips_enhance status 17 Configuration File config_verify v VSX Configuration 18 USER KERNEL Dist distutil verify_vsx_dist 19 HW Utilization hw_utilizatio...

Page 151: ... Policy and Configuration 6 Distribution Mode Failed 1 Verifier error Check raw output 7 DXL Balance Passed 8 Policy Passed 9 AMW Policy Passed 1 Not configured 10 SWB Updates Passed 1 Not configured 11 Installation Passed 12 Security Group Passed 13 Cores Distribution Passed 14 Clock Passed 15 Licenses Failed 1 Trial license will expire within 2 weeks 2 Execution error 16 IPS Enhancement Passed 1...

Page 152: ...n Mode Failed 1 Verifier error Check raw output 7 DXL Balance Passed 8 Policy Passed 9 AMW Policy Passed 1 Not configured 10 SWB Updates Passed 1 Not configured 11 Installation Passed 12 Security Group Passed 13 Cores Distribution Passed 14 Clock Passed 15 Licenses Failed 1 Trial license will expire within 2 weeks 2 Execution error 16 IPS Enhancement Passed 17 Configuration File Passed VSX Configu...

Page 153: ...ssed 1 1 test Output file var log verifier_sum 1 2018 12 10_12 16 51 txt Run show smo verifiers last run print to display verbose output Syntax to run a test by its ID show smo verifiers report id TestID1 TestID2 TestIDn Note To see a list of test IDs run the show smo verifiers list command Example show smo verifiers report id 1 2 5 Duration of tests vary and may take a few minutes to complete Tes...

Page 154: ...ons Example show smo verifiers report section System_Components Duration of tests vary and may take a few minutes to complete Tests Status ID Title Result Reason System Components 1 System Health Failed 1 Chassis 1 error 2 Resources Passed 3 Software Provision Passed 4 Media Details Passed 5 SSD Health Passed 1 Failed to get SSD overall health t est result from Member Tests Summary Passed 4 5 test...

Page 155: ...wn The component is installed in the Chassis but is inactive Resources Resource capacity The specified resource capacity is not sufficient You can change the defined resource capacity Resource exceed threshold The resource usage is greater than the defined threshold CPU type Non compliant CPU type At least one Security Appliance CPU type is not configured in the list of compliant CPUs You can defi...

Page 156: ...ault Test Behavior of the asg diag resource verifier By default the asg diag resource verifier command only shows a warning about resource mismatches between Security Appliances The verification test results show as Passed in the output and no further action is taken You can change the default test behavior Step Instructions 1 Edit the FWDIR conf asg_diag_config file g_all vi FWDIR conf asg_diag_c...

Page 157: ...t failed Example 1 The System Health test failed show smo verifiers report id 1 Duration of tests vary and may take a few minutes to complete Tests Status ID Title Result Reason System Components 1 System Health Failed 1 Chassis 1 error Tests Summary Passed 0 1 test Run show smo verifiers list id 1 to view a complete list of failed tests Output file var log verifier_sum 1 2019 02 07_20 12 07 txt R...

Page 158: ...VE Chassis Parameters Unit Chassis 1 SGMs 3 3 Ports 0 0 SSMs 1 2 Synchronization Sync to Active chassis Enabled Tests Status ID Title Result Reason System Components 1 System Health Failed 1 Chassis 1 error Tests Summary Passed 0 1 test Run show smo verifiers list id 1 to view a complete list of failed tests Output file var log verifier_sum 1 2019 02 07_20 12 14 txt 3 Examine which command produce...

Page 159: ... VSX System Status Maestro Up time 06 45 06 hours SGMs 3 3 Virtual Systems 1 Version R80 20SP Build Number xxx VS ID 0 VS Name MyVSname SGM ID Chassis 1 ACTIVE 2 ACTIVE 3 ACTIVE 4 ACTIVE Chassis Parameters Unit Chassis 1 Weight SGMs 3 3 6 Ports Standard 0 0 11 Bond 0 0 11 Other 0 0 6 Sensors SSMs 1 2 11 Grade 29 40 Synchronization Sync to Active chassis Enabled ...

Page 160: ... fails an alert shows The alerts continue to show on Message of the Day MOTD until the issues resolve When the issues resolve a Clear Alert message shows the next time the test runs You can manually run the smo verifiers the show smo verifiers report command to confirm the issue is resolved Important Notes n By default the tests run at 01h 00m each day You can change the default time Step Instruct...

Page 161: ...le excluded_tests Test1 Test2 3 Copy this file to all other Security Appliances asg_cp2blades FWDIR conf asgsnmp conf n All failed tests show in the MOTD You can exclude failed test notifications from the MOTD Step Instructions 1 Run FWDIR conf asg_diag_config 2 Set the failed_tests_motd parameter to off 3 Copy this file to all other Security Appliances asg_cp2blades FWDIR conf asg_diag_config 4 E...

Page 162: ... run automatically Known Limitations of the SMO Verifiers Test By default the smo verifiers only show a warning about resource mismatches between Security Appliances If the verification test results show as Passed in the output no more steps are necessary You can change the default behavior Step Instructions 1 Edit the FWDIR conf asg_diag_config file vi FWDIR conf asg_diag_config 2 Search for Mism...

Page 163: ...ion The asg_serial_info command in Gaia gClish or the Expert mode shows the serial numbers of all the Security Appliances in the Security Group Syntax asg_serial_info Parameters Parameter Description h Shows the built in help Example Expert MyChassis ch01 03 0 asg_serial_info Collecting SGMs information Serial numbers Chassis ID 1 SGM2 11xxxxxxxx SGM3 12xxxxxxxx SGM4 13xxxxxxxx Expert MyChassis ch...

Page 164: ...d in Gaia gClish to show the Security Group software version Syntax ver Example Global MyChassis ch01 01 ver 1_01 Product version Check Point Gaia R80 20SP OS build xxx OS kernel version 3 10 0 693cpx86_64 OS edition 64 bit 1_02 Product version Check Point Gaia R80 20SP OS build xxx OS kernel version 3 10 0 693cpx86_64 OS edition 64 bit Global MyChassis ch01 01 ...

Page 165: ...hows messages on Chassis1 that contain the word Restarted Expert MyChassis ch01 01 0 gclish Global MyChassis ch01 01 show smo log messages filter Restarted Feb 5 12 40 07 1_03 MyChassis ch01 03 pm 8465 Restarted bin routed 8489 count 1 Feb 5 12 40 09 1_04 MyChassis ch01 04 pm 8449 Restarted bin routed 9995 count 1 Feb 5 12 40 09 1_04 MyChassis ch01 04 pm 8449 Restarted opt CPsuite R80 20 fw1 bin c...

Page 166: ...tall a dedicated Log Server with two physical interfaces See R80 30 Installation and Upgrade Guide Chapter Installing a Dedicated Log Server or SmartEvent Server b Connect one physical interface on the dedicated Log Server to the Management Server c Connect another physical interface on the dedicated Log Server directly to an available management port on the Maestro Hyperscale Orchestrator Importa...

Page 167: ...Group object to send its logs to the dedicated Log Server See R80 30 Logging and Monitoring Administration Guide Chapter Getting Started Section Deploying Logging Section Subsection Configuring the Security Gateways for Logging Note The SMO makes sure that return traffic from the Log Server reaches the correct Security Appliance in the Security Group ...

Page 168: ...which Security Appliance This cannot be defined by the user Note You cannot configure the Security Appliance to send its logs to a particular Log Server Distribution takes place automatically Syntax You can run this command in Gaia gClish or the Expert mode asg_log_servers Example Expert MyChassis ch01 01 0 asg_log_servers Log Servers Distribution Log Servers Distribution Mode Disabled Available L...

Page 169: ...rs Distribution Mode Enabled Available Log Servers LogServer Gaia LogServer2 Log Servers Distribution Blade id Chassis 1 1 Gaia 2 LogServer2 3 LogServer 4 Gaia 5 6 LogServer 7 8 9 LogServer 10 Gaia 11 LogServer2 12 Blade is not in Security Group Choose one of the following options 1 Configure Log Servers Distribution mode 2 Exit ...

Page 170: ...wn requires auditing Enter your full name John Smith Enter reason for sgm_admin down Maintenance Maintenance WARNING sgm_admin down on SGM 2_01 User John Smith Reason Maintenance To see the audit logs run asg log audit Example asg log audit Aug 11 14 14 21 2_01 WARNING Chassis admin state up on chassis 1 User johnsmith Reason Maintenance Aug 11 16 45 15 2_01 WARNING Reboot on blades 1_01 1_02 1_03...

Page 171: ...ances for example 1_1 1_4 n One Chassis chassis1 or chassis2 n The active Chassis chassis_active log_name Enter the log file n audit Shows the audit logs in var log For example var log asgaudit log 1 n ports Shows the ports logs in var log For example var log ports n dist_mode Shows the logs for Distribution Mode activity from timestamp Shows only the log from a given timestamp and above You must ...

Page 172: ...lades 1_02 1_03 1_04 1_05 2_01 2_02 2_03 2_04 2_05 User y Reason y Example 2 Port logs last 12 lines asg log file ports tail 12 Feb 3 18 01 40 2_05 MyChassis ch02 05 cmd Chassis 1 eth2 09 link is down Feb 3 18 01 40 2_05 MyChassis ch02 05 cmd Chassis 1 eth2 10 link is down Feb 3 18 01 40 2_05 MyChassis ch02 05 cmd Chassis 1 eth2 11 link is down Feb 3 18 01 40 2_05 MyChassis ch02 05 cmd Chassis 1 e...

Page 173: ...eb 21 17 28 41 2019 1_02 MyChassis ch01 02 cphaprob Link state command ended successfully Feb 21 17 28 41 2019 1_02 MyChassis ch01 02 cphaprob Setting link state chassis 1 interface eth1 63 state Up Full 10000M Feb 21 17 28 41 2019 1_02 MyChassis ch01 02 cphaprob Link state command ended successfully Feb 21 17 28 41 2019 1_02 MyChassis ch01 02 cphaprob Setting link state chassis 1 interface eth2 5...

Page 174: ...a specific Virtual System is DOWN or does not have a Policy for example after you unload the local policy Syntax cpha_vsx_util monitor show cpha_vsx_util monitor start stop VS_IDs Parameters Parameter Description show Show all unmonitored Virtual Systems stop Stop monitoring the Virtual Systemss start Start monitoring the Virtual Systems VS_IDs VS_IDs can be n No VS_IDs specified default Applies t...

Page 175: ...strators 176 You can use SNMP to monitor different aspects of the Maestro Hyperscale Orchestrator n Software versions n Key performance indicators Note Hardware monitoring is not supported Enabling SNMP Monitoring on Maestro Hyperscale Orchestrators Step Instructions 1 Upload these Check Point MIB files from the Maestro Hyperscale Orchestrator to your third party SNMP monitoring software n The SNM...

Page 176: ...estrators Only these branches are supported Branch OID chkpntTra pInfo Num erica l 1 3 6 1 4 1 2620 1 2000 0 Full Text iso org dod internet private enterprises checkpoint p roducts chkpntTrap chkpntTrapInfo chkpntTra pNet Num erica l 1 3 6 1 4 1 2620 1 2000 1 Full Text iso org dod internet private enterprises checkpoint p roducts chkpntTrap chkpntTrapNet chkpntTra pDisk Num erica l 1 3 6 1 4 1 262...

Page 177: ... Branch OID chkpntTra pMemory Num erica l 1 3 6 1 4 1 2620 1 2000 4 Full Text iso org dod internet private enterprises checkpoint p roducts chkpntTrap chkpntTrapMemory Notes n The etc snmp GaiaTrapsMIB mib file is not supported n The set snmp traps command is not supported ...

Page 178: ...r different aspects of the Security Group including n Software versions n Hardware status n Key performance indicators n High Availability status Enabling SNMP Monitoring of Security Groups Step Instructions 1 Upload these Check Point MIB files from a Security Appliance in the applicable Security Group to your third party SNMP monitoring software n The SNMP MIB file CPDIR lib snmp chkpnt mib n The...

Page 179: ... cal 1 3 6 1 4 1 2620 1 2001 Full Text iso org dod internet private enterprise checkpoint prod ucts asgTrap Notes n The etc snmp GaiaTrapsMIB mib file is not supported n The set snmp traps command is not supported You must use the asg alert configuration wizard for this purpose See Configuring Alerts for Security Appliance and Chassis Events asg alert on page 144 SNMP Monitoring of Security Groups...

Page 180: ...20 1 48 20 3 IPv6 1 3 6 1 4 1 2620 1 48 21 3 System Concurrent Connections String IPv4 1 3 6 1 4 1 2620 1 48 20 4 IPv6 1 3 6 1 4 1 2620 1 48 21 4 System Accelerated Connections Per Second String IPv4 1 3 6 1 4 1 2620 1 48 20 6 IPv6 1 3 6 1 4 1 2620 1 48 21 6 System non accelerated Connections Per Second String IPv4 1 3 6 1 4 1 2620 1 48 20 7 IPv6 1 3 6 1 4 1 2620 1 48 21 7 System Accelerated Concu...

Page 181: ... slow drops Table IPv4 1 3 6 1 4 1 2620 1 48 20 24 IPv6 1 3 6 1 4 1 2620 1 48 21 24 Path distribution of n throughput n pps n cps n concurrent connections Per Security Appliance counters Table IPv4 1 3 6 1 4 1 2620 1 48 20 25 IPv6 1 3 6 1 4 1 2620 1 48 21 25 Counters of n throughput n cps n pps n concurrent connections n SecureXL CPU usage avg min max n Firewall CPU usage avg min max Performance p...

Page 182: ...ems Step Instructions 1 Connect with SmartConsole to the Security Management Server or Domain Management Server that manages this Virtual System 2 From the left navigation panel click Gateways Servers 3 Open the Virtual System object 4 From the left tree click Optimizations 5 On the Optimizations page select Manually in the Calculate the maximum limit for concurrent connections 6 Enter or select a...

Page 183: ...ned set of rules use the asg_session_control command in the Expert mode to set the rate at which new communication sessions are opened This command is also known as Session Rate Throttling Note Session rate control is disabled by default You create the session control rules in the FWDIR conf control_rules file Syntax asg_session_control apply disable stats verify Parameters Parameter Description N...

Page 184: ...ing 0 1 Parameters Parameter Description src ip mask Source IP address and net mask dst ip mask Destination IP address and net mask dport port Destination port proto protocol_id Protocol code typically 6 TCP or 17 UDP To learn more about protocol codes see IANA protocol codes limit rate Maximum number of new connections allowed per second limit_ongoing 0 1 n 0 Does not limit the number of packets ...

Page 185: ...nes a limit of 13 new connections per second for traffic n From all sources n To Host 1 1 1 1 32 n To Port 80 n Over Protocol 6 TCP Showing Session Control Statistics Description The asg_session_control stats command shows the session control rules Syntax asg_session_control stats Example The output shows the session control rules for each Security Appliance and the connections dropped by each rul...

Page 186: ...rules Syntax asg_session_control apply Example 2 blades 1_01 1_02 Rule ID Source Destination DPort PR Limit Ongoing 1 1 1 1 0 24 67 17 20 1 2 2 2 2 2 32 80 6 13 0 Disabling Session Control Description The asg_session_control disable command disables the configured session control rules Syntax asg_session_control disable Example 2 blades 1_01 1_02 Resetting session rate entries Session rate entries...

Page 187: ...rted to upgrade the CPUSE Agent on Maestro Hyperscale Orchestrators n For the CPUSE instructions see sk92449 n Jumbo Hotfix Accumulator reboots Maestro Hyperscale Orchestrator after installation or uninstall n Maestro Hyperscale Orchestrator stops processing traffic from the start of Jumbo Hotfix Accumulator installation or uninstall and until Maestro Hyperscale Orchestrator comes up from the rebo...

Page 188: ...nnect to Gaia Portal on Maestro Hyperscale Orchestrator 2 Download the applicable CPUSE Software Packages from the Check Point Support Center 3 Connect to Gaia Portal on each Maestro Hyperscale Orchestrator 4 Import the applicable CPUSE Software Packages 5 Verify the applicable CPUSE Software Packages 6 Install the applicable CPUSE Software Packages To install CPUSE packages in Gaia Clish 1 Use th...

Page 189: ...perscale Orchestrator and log in to Gaia Clish 2 Uninstall the applicable CPUSE Software Packages Deleting a Hotfix Package This section applies to a hotfix package that exists on the Maestro Hyperscale Orchestrator but is not installed To delete CPUSE packages in Gaia Portal 1 Connect to Gaia Portal on each Maestro Hyperscale Orchestrator 2 Select and delete the applicable CPUSE Software Packages...

Page 190: ...a specific Security Group at the same time n With this procedure you install the hotfix on half of the Security Appliances at one time The other half of the Security Appliances continues to handle traffic You divide all Security Appliances in a specific Security Group into two logical groups denoted below as A and B 1 You install the hotfix on the Security Appliances in the Logical Group A through...

Page 191: ...dle_FULL tgz F Show the imported CPUSE packages show installer packages imported G Make sure the imported CPUSE package can be installed on this Security Group installer verify Press Tab installer verify Number of CPUSE Package Example installer verify 2 Update Service Engine Member ID Status 1_01 local Installation is allowed 1_02 Installation is allowed 1_03 Installation is allowed 1_04 Installa...

Page 192: ...ngine Member ID Status 1_01 local Package is ready for installation 1_02 Package is ready for installation 1_03 Package is ready for installation 1_04 Package is ready for installation The machines 1_02 1_02 1_03 1_04 will automatically reboot after install Do you want to continue y es n o y E Go to the Expert mode F Monitor the system until the Security Appliances in the Logical Group A are UP an...

Page 193: ...member_ids SGM_IDs in GroupB Example installer install 2 member_ids 1_5 1_8 Update Service Engine Member ID Status 1_05 local Package is ready for installation 1_06 Package is ready for installation 1_07 Package is ready for installation 1_08 Package is ready for installation The machines 1_05 1_06 1_07 1_08 will automatically reboot after install Do you want to continue y es n o y E Go to the Exp...

Page 194: ...rity Group at the same time n With this procedure you uninstall the hotfix on half of the Security Appliances at one time The other half of the Security Appliances continues to handle traffic You divide all Security Appliances in a specific Security Group into two logical groups denoted below as A and B 1 You uninstall the hotfix on the Security Appliances in the Logical Group A through a Security...

Page 195: ...the Logical Group A installer uninstall Press Tab installer uninstall Number of CPUSE Package member_ ids SGM_IDs in GroupA Example installer uninstall 2 member_ids 1_1 1_4 Update Service Engine Member ID Status 1_01 local Package is ready for uninstallation 1_02 Package is ready for uninstallation 1_03 Package is ready for uninstallation 1_04 Package is ready for uninstallation The machines 1_02 ...

Page 196: ...staller uninstall Press Tab installer uninstall Number of CPUSE Package member_ ids SGM_IDs in GroupB Example installer uninstall 2 member_ids 1_5 1_8 Update Service Engine Member ID Status 1_05 local Package is ready for uninstallation 1_06 Package is ready for uninstallation 1_07 Package is ready for uninstallation 1_08 Package is ready for uninstallation The machines 1_05 1_06 1_07 1_08 will au...

Page 197: ...n Log files n Configuration files n System status n System diagnostics The asg_info command saves the collected information in the var log asg_ info hostname date tar file By default this command collects the information from all Security Appliances and Virtual Systems Granularity of Commands The asg_info command in Gaia gClish or the Expert mode executes the applicable commands with this granular...

Page 198: ...ity Appliance folder and not from the Virtual Systems folders n Located in SGM_1_01 VS0 var log Syntax asg_info h asg_info b SGM_IDs vs VS_IDs collect_flags options asg_info b SGM_IDs vs VS_IDs user_conf xml_filename options Parameters Parameter Description h Shows the built in help b SGM_IDs Applies to Security Appliances as specified by SGM_IDs SGM_IDs can be n No SGM_IDs specified or all Applie...

Page 199: ... Virtual Systems for example 3 5 n all Shows all Virtual Systems Note This parameter is only applicable in a VSX environment collect_ flags The collect flags are Flag Description all Collects all log files and command outputs a Collects archive files c Collects information about core dump files f Collects comprehensive log files and command outputs i Collects the cpinfo output m cmm Not supported ...

Page 200: ...periodic jobs run asg_info schedule u Interactive upload of the asg_info output file to the Check Point User Center uk Non interactive upload of the asg_info output file to the Check Point User Center This option requires a valid CK see the output of the cplic print command v Shows verbose output list Dry run shows all the files and command outputs to be collected without actually collecting them ...

Page 201: ...pgrade_wizard active_cmm_debug collect_mode m collect_mode path var log active_cmm_debug log path per_vs 0 per_vs per_sgm 1 per_sgm delete_after_collect 1 delete_after_collect active_cmm_debug collect_file_list cmd_list asg_if mode f mode pre_command g_all pre_command command asg if command ipv6 0 ipv6 esx 1 esx per_chassis 0 per_chassis per_vs 1 per_vs per_sgm 0 per_sgm vsx_only 0 vsx_only dest_f...

Page 202: ...o verifiers on page 148 n Examine the Security Gateway logs on the Management Server or Log Server 5 Session n For information about the Connections table run this command in the Expert mode g_fw tab t connections s n For information about the Firewall drops run this command in the Expert mode g_fw ctl zdebug drop n For information about the performance run this command in Gaia gClish or the Exper...

Page 203: ... information about the routes netstat rn l For information about the routes route n In Gaia gClish run these commands l For information about the traffic asg_ifconfig See Showing Traffic Information asg_ifconfig on page 79 l For information about the routes asg_route See Collecting System Diagnostics smo verifiers on page 148 l For information about the routes show route 2 Data Link n For informat...

Page 204: ...s command in Gaia gClish show maestro port Port n For information about the Bond interfaces run this command in the Expert mode cat proc net bonds Name of Bond Interface n For information about the Port Link run this command in the Expert mode ethtool ethsBP X XX n For information about the interface statistics run this command in the Expert mode ethtool S ethsBP X XX ...

Page 205: ...l and bond interfaces are the same for all Security Appliances You must run this command in the Expert mode Syntax mac_verifier h mac_verifier l v Parameters Parameter Description h Shows the built in help l Shows MAC address consistency on the Chassis v Shows information for each interface MAC Address Below are some examples Example 1 mac_verifier Collecting information from SGMs Verifying FW1 ma...

Page 206: ...ccess Verifying FW1 mac magic value in etc smodb json FW1 mac magic value and etc smodb json value are the same 160 Success Verifying MAC address on local chassis Chassis 1 2 blades 1_01 1_02 BPEth0 MAC address of BPEth0 is correct 2 blades 1_01 1_02 BPEth1 MAC address of BPEth1 is correct 2 blades 1_01 1_02 eth1 05 00 1c 7f 81 05 a0 2 blades 1_01 1_02 eth1 06 00 1c 7f 81 06 a0 2 blades 1_01 1_02 ...

Page 207: ...ances n You can run the asg_brs_verifier command in the Expert mode from the context of any Virtual System to get the output for all Bridge mode Virtual Systems Syntax for the asg_br_verifier command asg_br_verifier h asg_br_verifier c d s t v Syntax for the asg_brs_verifier command asg_brs_verifier h asg_brs_verifier d s t v Parameters Parameter Description h Shows the built in help No Parameters...

Page 208: ...erent Collecting table info from all SGMs This may take a while Table entries in fdb_shadow table 9 blades 1_01 1_03 1_04 1_05 2_01 2_02 2_03 2_04 2_05 address 00 00 00 00 00 00 Interface eth1 07 address 00 10 AA 7D 08 81 Interface eth2 07 address 00 1E 9B 56 08 81 Interface eth1 07 address 00 23 FA 4E 08 81 Interface eth1 07 address 00 49 DC 58 08 81 Interface eth2 07 address 00 7E 60 77 08 81 In...

Page 209: ...es n Similarity of VMAC and BMAC addresses Use output when there is an inconsistency in the configuration The differences are compared in two ways n The return value of the command run on the Security Appliances with gexec_inner_command n The output of the commands Example of a difference in the command output Difference between blade 1_01 and blade 2_01 found 1_01 2_01 73b4c20e598d6b495de7515ad4e...

Page 210: ...86afd6e044c78e466ea82 5 25 UP 9 Virtual Systems Configuration Verification VS SGM VS Name VS Type Policy Name SIC State Status 0 all VSX_OBJ VSX Gateway Standard Trust Success 1 all VSW INT Virtual Switch Default Policy Trust Success 2 all VSW INT Virtual Switch Not Applicable Trust Success 3 all VS 1 Virtual System Standard Trust Success 4 all VS 2 Virtual System Standard Trust Success Comparing ...

Page 211: ... 25 UP 9 2_04 8ef02b3e73386afd6e044c78e466ea82 5 25 UP 9 Virtual Systems Configuration Verification VS SGM VS Name VS Type Policy Name SIC State Status 0 all VSX_OBJ VSX Gateway Standard Trust Success 1 all VSW INT Virtual Switch Default Policy Trust Success 2 all VSW INT Virtual Switch Not Applicable Trust Success 3 all VS 1 Virtual System Standard Trust Success 4 all VS 2 Virtual System Standard...

Page 212: ...rly boot configuration cloning var log image_ clone log dbg Synchronization of the new configuration to the Gaia database var log start_smo_ 1 log dbg Silent install when adding a new Security Appliance to an existing Security Group var log silent_ install log dbg LLDP updates var log smartd log dbg Also run the lldpctl command Pulling the Security Group configuration rebooting cluster configurati...

Page 213: ...g Command auditing var log asgaudit log Reboot logs var log reboot log All logs that do not have a dedicated log file var log junk log dbg Files on Maestro Hyperscale Orchestrators Feature File Information about Security Groups etc sgdb json Information about detected Security Appliances etc rsrcdb json Applying Security Group configuration var log ssm_sg log dbg Starting of the SDK var log start_...

Page 214: ...n reverts the Maestro Hyperscale Orchestrator to the last Gaia that was installed using the Clean Install method Step Instructions 1 Connect to the Maestro Hyperscale Orchestrator using the serial console 2 Log in to the Gaia Clish 3 Restart the Maestro Hyperscale Orchestrator Run reboot 4 During boot press any key within 4 seconds to enter the Boot menu when you see this prompt at the top of the ...

Page 215: ...l ISO file from the R80 20SP Home Page SK 2 See sk65205 to create a bootable USB device Important n Always use the latest available build of the ISOmorphic Tool If you use an outdated build the installation can fail n Select the option Open Server without ACPI support 3 Wait for the Maestro Hyperscale Orchestrator to boot 4 With a web browser connect to the Gaia Portal on the Maestro Hyperscale Or...

Page 216: ...se files n etc sgdb json n etc maestro json n etc maestro_ remote json 2 On the working Maestro Hyperscale Orchestrator 1_1 bring down the Synchronization interface By default the Synchronization interface is n On MHO 170 interface 1 32 1 n On MHO 140 interface 1 48 1 To verify run this command in Gaia Clish n On MHO 170 show maestro port 1 32 1 type n On MHO 140 show maestro port 1 48 1 type Exam...

Page 217: ...stall the same Take of the Jumbo Hotfix Accumulator as currently installed on the working Maestro Hyperscale Orchestrator 1_1 See Installing and Uninstalling a Hotfix on Maestro Hyperscale Orchestrators on page 187 5 On the new Maestro Hyperscale Orchestrator after it comes up from the reboot stop the orchd service In the Expert mode run this command orchd stop 6 On the working Maestro Hyperscale ...

Page 218: ...ic The grade for each component is calculated based on this formula Unit Weight x Number of UP components To see the weight of each component run in Gaia gClish asg stat v Description Use the set chassis high availability factors command to configure a component s weight Syntax in Gaia gClish of Security Group set chassis high availability factors sgm sgm_factor set chassis high availability facto...

Page 219: ...mgmt_factor Management port factor Valid range Integer between 0 and 1000 port_bond_factor Bond interface factor Valid range Integer between 0 and 1000 Examples set chassis high availability factors sgm 100 set chassis high availability factors port other 70 set chassis high availability factors port standard 50 ...

Page 220: ...e set chassis high availability failover command in Gaia gClish to set the minimum quality grade differential that causes failover Syntax in Gaia gClish of Security Group set chassis high availability failover trigger Parameters Parameter Description trigger Minimum difference in Chassis quality grade to trigger failover Valid values 1 1000 ...

Page 221: ...re provides the ability to block malicious traffic to and from certain IP addresses The IP Block feature requires the list of malicious IP addresses as a feed URL The IP Block feature runs periodically fetches the IP list again and updates the IP addresses in the Security Gateway based on the list in the feed The blocking mechanism is enforced by an Access Control rule with a Dynamic Object Check ...

Page 222: ...help a ADD_URL ADD_URL add url ADD_URL ADD_URL Adds IP feed URLs separated by a comma to the configuration d DEL_URL del url DEL_URL Deletes IP feed URLs separated by a comma from the configuration l list urls Shows the configured IP feed URLs s SET_DYN_OBJ set dynamic object SET_ DYN_OBJ Specifies the Dynamic Object name in the configuration For example MyDynObj n show dynamic object name Show th...

Page 223: ...e Security Group Procedure Step Instructions 1 Connect with SmartConsole to the Management Server 2 Create a new Dynamic Object From the right panel Objects click New More Network Object Dynamic Objects Dynamic Object 3 In the New Dynamic Object window enter a name for example MyDynObj and click OK You use this name later in the CLI on the Security Group 4 In the applicable Access Control policy a...

Page 224: ... 10 Examine the configuration to make sure the feed URL is added ip_block list urls 11 Start the periodic run at the specified intervals ip_block activate ACTIVATE 12 Examine the configuration to make sure the ip_block command is scheduled to run at the specified intervals by the CPD daemon cpd_sched_config print grep A 5 ip_block Example output Task ip_block Command bin ip_block Arguments r Inter...

Page 225: ...ced by an Access Control rule with a custom Application CLI Syntax url_block h url_block a n NAME p URL z true false x PASSWORD r true false url_block d n NAME url_block i INTERVAL url_block l Parameters Parameter Description h help Shows the built in help a add url Adds URL feed to the configuration n NAME Specifies the name of the custom Application object as configured in SmartConsole p URL pat...

Page 226: ...ar Expressions Otherwise you must specify this parameter with the value false l list urls Shows the configured URL feed i INTERVAL interval INTERVAL Specifies the interval in seconds Procedure Follow these steps in SmartConsole and on the Security Group Procedure Step Instructions 1 Prepare a plain text file with the list of malicious URLs a Each URL must be on a separate line b The name of this f...

Page 227: ...e name of the file urls txt e Click OK 5 In the applicable Access Control policy add a new rule that drops all traffic that matches the new Application Source Destination VPN Services Applications Action Track Any Any Any Object of the Custom Application Drop None 6 Connect to the command line on the Security Group 7 Log in to the Expert mode 8 Configure the URL for the feed url_block a n Name of ...

Page 228: ...ture Check Point Maestro R80 20SP Administration Guide 228 Step Instructions 11 In SmartConsole install the Access Control Policy on the Security Group object 12 Examine the log on the Security Group var log rul_block elg ...