Check Point Commands

There are many Check Point specific commands that are very helpful for the general administration, troubleshooting and tuning of Check Point firewalls. On this page, some of those commands are explained in more detail.

General Administration

Disabling the auto-timeout in expert mode

unset TMOUT

Disable IPS

ips off

Forcing Failovers

Set the firewall down, usually to force a failover to the standby node:

clusterXL_admin down

Set permanently down, so it doesn't come back active automatically after a reboot:

clusterXL_admin down -p

Connection Table

To see how many entries there are in the connection table, use:

# Get connection table entries
fw tab -t connections -s

HOST                  NAME                                ID #VALS #PEAK #SLINKS
localhost             connections                       8158    23   351      68

In order to find a specific connection, it is best to know the hex value of the IP we're looking for. This can be done with the scripts found over here.

Suppose we want to find the connections involving IP 192.168.5.250. Converted to hex, the IP is written as c0a805fa and this value is used to grep the connection table:

# Get connection table entries for IP 192.168.5.250
fw tab -t connections | grep c0a805fa

...
<00000000, 913a1d72, 000001bb, 0a03000a, 0000ce3c, 00000006> -> <00000000, c0a805fa, 0000ce3c, 913a1d72, 000001bb, 00000006> (00000006)
...
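The conversion above can be done without the linked scripts. The following is an added example (not from this page or from Check Point's own tooling) that converts a dotted IPv4 address to the hex form used in the table, converts it back, and greps a table dump; the sample dump is constructed from the entry shown above plus one non-matching line.

```shell
# Added example, not from this page or Check Point's tooling: convert a dotted
# IPv4 address to the 8-hex-digit form used in 'fw tab -t connections' output
# (192.168.5.250 -> c0a805fa), convert it back, and grep a table dump with it.

# ip_to_hex 192.168.5.250 -> c0a805fa; returns 1 on a malformed address.
# Leading zeros in an octet are rejected so printf never reads them as octal.
ip_to_hex() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$1" "$2" "$3" "$4"; do
        case $o in 0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) ;; *) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    printf '%02x%02x%02x%02x\n' "$1" "$2" "$3" "$4"
}

# hex_to_ip c0a805fa -> 192.168.5.250; handy for reading table entries back.
hex_to_ip() {
    h=$1
    [ ${#h} -eq 8 ] || return 1
    case $h in *[!0-9a-fA-F]*) return 1 ;; esac
    printf '%d.%d.%d.%d\n' "0x$(printf %s "$h" | cut -c1-2)" \
        "0x$(printf %s "$h" | cut -c3-4)" "0x$(printf %s "$h" | cut -c5-6)" \
        "0x$(printf %s "$h" | cut -c7-8)"
}

# conn_entries_for_ip IP: print the table lines on stdin that involve IP.
# On a gateway, feed it 'fw tab -t connections' instead of the sample below.
conn_entries_for_ip() {
    hx=$(ip_to_hex "$1") || return 1
    grep -i "$hx"
}

# Constructed sample dump: the page's entry plus one line that must not match.
SAMPLE_CONN_TABLE='<00000000, 913a1d72, 000001bb, 0a03000a, 0000ce3c, 00000006> -> <00000000, c0a805fa, 0000ce3c, 913a1d72, 000001bb, 00000006> (00000006)
<00000000, 0a030010, 0000d431, 913a1d72, 000001bb, 00000006> -> <00000000, 0a030010, 0000d431, 913a1d72, 000001bb, 00000006> (00000006)'

printf '%s\n' "$SAMPLE_CONN_TABLE" | conn_entries_for_ip 192.168.5.250
```

The entries pair a source and destination as <..., IP, port, IP, port, proto>, so hex_to_ip lets you read both peers of a matched line without leaving the shell.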

Troubleshooting

This section covers troubleshooting commands, mostly aimed at identifying why the firewall is dropping certain traffic or is otherwise not functioning as it should.

VPN