fw ctl zdebug drop
    used to quickly see all dropped connections and, more importantly, the reason
    (e.g. anti-spoofing, IPS, FW rule, ...). USE WITH EXTREME CAUTION

cpstat fw
    quickly see stats of the number of connections (accepted, denied, logged) with a
    breakdown. If the FW was under a high load I would usually run
    watch --interval=1 'cpstat fw'
    (to see in real time which interface is causing this)

fw tab -s -t connections
    allowed me to quickly see how much load is (and was, i.e. "peak") on the FW

cphaprob stat
    used to see the state of the cluster

fwaccel stats -s
    to check the acceleration status on the FW

cphaprob -a if
    used to troubleshoot the cluster: verify that all interfaces are UP and check the
    Virtual IP address of the cluster interfaces

cpwd_admin list
    great way to explain the CP watchdog: run the command with watch -d, and from
    another terminal terminate one of the PIDs, and observe how the watchdog brings it
    back. It is also a great way to see that everything is up.

cpview -t
    used often to review memory and core usage at any snapshot in time, when getting a
    checkup device back or reviewing a DAT file

fw stat
    Shows what policy is loaded on the current gateway and what interfaces it has seen
    traffic on

fw fetch mastername
    Fetches the policy from the management station named mastername. You can also use
    localhost to reload the previously installed policy on the gateway.

push_cert -s Cust_CMA -u admin -p adminpw -o examplegw -k test123
    Used on the management to establish SIC with a newly installed security gateway
    without using SmartConsole or SmartDashboard, making it extremely useful in
    automation scenarios.
    -s Cust_CMA   Management or CMA IP/hostname (can be localhost)
    -u admin      Username of an admin user in SmartConsole/SmartDashboard
    -p adminpw    Password of the admin user specified above
    -o examplegw  Name (in SmartConsole/SmartDashboard) of the gateway to establish
                  SIC with
    -k test123    SIC one-time password (should match what was specified on the
                  gateway during the first-time wizard)

fw monitor
    To do a live packet capture

fw ctl affinity -l -v -r
    A useful command when you're attempting to fine-tune the affinity of an IRQ to an
    interface. This is especially useful when looking at the amount of traffic received
    by an interface that deserves more "horsepower" and should not be sharing CPU time
    with other interfaces. This command will list which interface is connected to which
    IRQ on which core.
    "fw ctl affinity -s" will subsequently allow you to set the values.

netstat -ni
    check drops on interfaces

cpstat mg
    Shows connected clients and status.

cpstat ha -f all
    Shows sync details

cpstat blades
    Shows packets accepted, dropped, peak connections, and top rule hits

cprid_util (--help)
    This command allowed me to execute commands, transfer files, etc. with a remote
    gateway without needing credentials. I was able to use it to copy a new shadow file
    to the remote gateway when the password was lost/corrupted.

fw tab -u -t connections | awk '{ print $2 }' | sort -n | uniq -c | sort -nr | head -10
    This will show the top ten source IPs hogging slots in the connection table in
    descending order; however, you will need to manually convert the IP addresses
    displayed from hex to decimal like so: 0a1e0b53 = 10.30.11.83. For the top 10
    destinations, substitute $4 for $2 in the awk command above.
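A worked version of the pipeline above, added here as an example and not part of the original cheat sheet: it does the hex-to-dotted-decimal conversion in the shell so nothing has to be converted by hand, and it takes the column number as an argument so the same function ranks sources ($2) and destinations ($4). The function names (hex2ip, top_talkers, top_sources, top_destinations) and the SAMPLE_TABLE rows are mine; the rows are constructed to mimic the `<..., src, sport, dst, dport, proto; ...>` layout of `fw tab -u -t connections` and were not captured from a gateway. On a real box, pipe the fw tab command into top_talkers instead of the sample.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): rank the hex source/destination
# addresses in "fw tab -u -t connections" output and print them in dotted decimal.

# Convert an 8-hex-digit IPv4 address as shown by fw tab (e.g. "0a1e0b53," with or
# without the trailing comma) to dotted decimal (10.30.11.83).
hex2ip() {
    h=$(printf '%s' "$1" | tr -d ',<>' | tr 'A-F' 'a-f')
    o1=$(printf '%s' "$h" | cut -c1-2); o2=$(printf '%s' "$h" | cut -c3-4)
    o3=$(printf '%s' "$h" | cut -c5-6); o4=$(printf '%s' "$h" | cut -c7-8)
    # $((0x..)) does the base-16 to base-10 conversion for each octet
    printf '%d.%d.%d.%d\n' "$((0x$o1))" "$((0x$o2))" "$((0x$o3))" "$((0x$o4))"
}

# Read fw tab output on stdin and rank the addresses in column $1
# (2 = source, 4 = destination), printing at most $2 (default 10) lines of
# "<connections> <dotted-ip>", busiest first. Header lines (no leading "<") are skipped.
top_talkers() {
    col=$1; limit=${2:-10}
    awk -v c="$col" '$1 ~ /^</ { gsub(/[,<>]/, "", $c); print $c }' |
        sort | uniq -c | sort -rn | head -n "$limit" |
        while read -r count hexip; do
            printf '%s %s\n' "$count" "$(hex2ip "$hexip")"
        done
}

# Constructed sample: six table entries in the "<id, src, sport, dst, dport, proto; ...>"
# layout, preceded by the kind of header lines fw tab prints. Not from a real gateway.
SAMPLE_TABLE='localhost:
-------- connections --------
dynamic, id 8158, num val limit 25000, hashsize 32768
<00000000, 0a1e0b53, 0000c5ab, c0a80101, 00000035, 00000011; 0001ff01; 3/40>
<00000000, 0a1e0b53, 0000c5ac, c0a80101, 00000050, 00000006; 0001ff01; 3/40>
<00000000, 0a1e0b53, 0000c5ad, 0a000035, 00000035, 00000011; 0001ff01; 3/40>
<00000000, c0a80164, 0000d001, c0a80101, 00000050, 00000006; 0001ff01; 3/40>
<00000000, c0a80164, 0000d002, 0a000035, 00000035, 00000011; 0001ff01; 3/40>
<00000000, ac100005, 0000e001, c0a80101, 000001bb, 00000006; 0001ff01; 3/40>'

# Top sources / destinations of the sample. On a gateway replace the printf with:
#   fw tab -u -t connections | top_talkers 2 10
top_sources()      { printf '%s\n' "$SAMPLE_TABLE" | top_talkers 2 "${1:-10}"; }
top_destinations() { printf '%s\n' "$SAMPLE_TABLE" | top_talkers 4 "${1:-10}"; }

echo "Top sources:";      top_sources
echo "Top destinations:"; top_destinations
```

The original pipeline's `sort -n` on hex strings only serves to make identical addresses adjacent for `uniq -c`; the version here sorts plainly and leaves the numeric sort to the counts, which is what the ranking actually depends on.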
fw getifs
    shows interfaces, IP addresses and subnet masks in a quick, easy format. I do this
    almost every time I log in to quickly orient myself.

fw ctl multik stat
    shows multi-kernel connections and peak connections

./CentralDeploymentTool -generate Candidates_List.csv
    The Central Deployment Tool (CDT) is a utility that runs on an R77 / R77.X / R80 /
    R80.10 Security Management Server / Multi-Domain Security Management Server (running
    Gaia OS). It allows the administrator to automatically install CPUSE Offline packages
    (Hotfixes, Jumbo Hotfix Accumulators (Bundles), Upgrade to a Minor Version, Upgrade
    to a Major Version) on multiple managed Security Gateways and Cluster Members at the
    same time.

./vsx_provisioning_tool -s localhost -u user -p pwd -o add vd name VSW1 vsx VSX1 type vsw
    The VSX Provisioning Tool allows the VSX administrator to add and remove Virtual
    Devices (VS, VR, VSW), interfaces and routes from the command line of a Security
    Management Server / Multi-Domain Security Management Server. This allows the
    automation of the required VSX provisioning operations in the environment. (sk100645)

cpwd_admin start -name <application name> -path <executable path> -command <command line>
cpwd_admin stop -name <application name> [-path <executable path> -command <command line>]
    Great to reset processes without cpstop/cpstart/reboot.

cpstat threat-emulation -f file_type_stat_file_scanned
    If you use Threat Emulation and want to see a breakdown of files scanned by file
    type (helpful in tuning your TE policy) you can use this command.

clusterXL_admin up/down
    to force the cluster node into a particular state (good for forcing failover in a
    healthy cluster so I can do work on a node)

vpn tu
    to see IKE/IPsec security associations, and remove expired ones from gateways that
    burped

enabled_blades
    to list the blades that are enabled for the gateway by the management server (run in
    expert mode)

installed_jumbo_take
    to see what JHFA you have installed (does not work on the base R77.30 install, you
    have to have a JHFA installed and run in expert mode).

cphaconf cluster_id get
    Useful to see what the cluster magic id is if you have an id that's different from
    the default.

ips stat
    See if IPS is enabled, and what profile it's running. When troubleshooting
    connectivity issues, ips on/off is useful too.

ethtool -p <interface_name>
    To flash/blink an LED on an interface in order to physically identify the interface
    in question on a machine.
    *Note: this does not work on all types of interface cards.

dbget -rv routed
    Check routes (even if they are not active)

cprid_util -server x.x.x.x -verbose rexec -rcmd "command"
    command to remotely execute a command on a gateway

sed -i 's/text/newtext/' file.name
    Find and replace when 'vi-ing' a file.

watch -n 0.5 -d cpstat fw
    You can use cpstat fw or any other command, but the '-d' flag allows the auto-refresh
    to highlight the changes. Perfect for spotting increments in hit counters; also of
    use with 'df -h' to spot a hard drive filling up during upgrade processes.

du -sk * | sort -n
    Got a full hard drive? No idea where the large files are? Here you go.

fw tab -t fwx_alloc -x
    Not had to use this for a few years now, but having the gateway suddenly dropping
    connections due to a full NAT table isn't fun. This isn't the cleanest way to clear
    the table, but possibly the best knee-jerk fix to get instant relief on the traffic
    flow.

fw sam -v -s 10.1.1.1 -f ClusterName -t 7200 -J src 8.8.8.8
    The SAM rule. Nothing cooler than an instant block of a malicious IP.

echo 1 > /proc/cpkstats/fw_worker_0_stats
    Activate fw worker stats (per instance!)

cat /proc/cpkstats/fw_worker_0_stats
    Read fw worker stats

fw unloadlocal
    clear local policy

cpprod_util FwIsActiveManagement
    To find out the current status of the active SMS (HA). 1 = Active, 0 = Standby

On the SG
cp_conf sic state
    shows trust state of SIC

All CP Products
cpstat os -f ifconfig
    really nice summary of interface stats

fw ctl multik stat
    This will tell you how hard your procs are getting hit with connections