SecurePlatform Tips v1.

0
14th May 2007

Note: This document does assume a basic knowledge of Linux.

Authors: Brian Linder SE Manager, NJ/PA blinder@us.checkpoint.com Jon Paine Professional Services (UK) jonp@checkpoint.com

2003-2007 Check Point Software Technologies Ltd. All rights reserved.

Table of Contents
Table of Contents ....................................................................................................................... 2 Virtual Consoles During Install.................................................................................................... 3 Find Files.................................................................................................................................... 3 Login Directly to Expert Mode..................................................................................................... 3 See What Traffic Was Dropped But Not Logged......................................................................... 3 Allow admin user to scp files to the SPLAT box: ......................................................................... 3 Run a command from the shell repetitively ................................................................................. 4 Force Interface Speed/Duplex (Not gigabit) ................................................................................ 4 Conflicts Between SNX/VM, SmartPortal and SPLAT WebUI ..................................................... 4 Find out the features of a SKU per whatever cp.macro is on your SPLAT box............................ 5 Some Performance Commands.................................................................................................. 5 About Connecting SPLAT to a Terminal Server .......................................................................... 5 Compute a File Integrity Checksum ............................................................................................ 5 Useful Commands for Identifying Versions ................................................................................. 5 Watch Appended Data to a Log File (or any file) on the Fly ........................................................ 5 Create a Text File from the Command line Quick and Dirty ..................................................... 6 Useful Networking Commands ................................................................................................... 6 View the first (or last) Few Lines in a File.................................................................................... 6 Output a File, Doing a Search-Replace on the Fly ...................................................................... 6 Log a Message in /var/log/messages.......................................................................................... 6 Clever Use of Directory Listings.................................................................................................. 6 Quick and Dirty tar tutorial......................................................................................................... 7 Mount a CD-ROM....................................................................................................................... 7 Mounting an ISO from the local filesystem.................................................................................. 7 Mount a USB drive in SPLAT...................................................................................................... 7 Syntax of the Crontab ................................................................................................................. 8 File Types and Execution Path Checking.................................................................................... 8 Determine the Hardware Compatibility of a particular PCI NIC ................................................... 8 Determine the NIC driver version you are using:......................................................................... 8 See What Files Changed During any Operation ......................................................................... 8 Investigate Check Point Configuration from the Command Line ................................................. 8 Using cpinfo to Re-create a SmartCenter (not supported)........................................................... 9 Recovering a Forgotten SPLAT Password.................................................................................. 9 BONUS: Recovering a Forgotten IPSO Password................................................................... 10

Virtual Consoles During Install

Alt-F1 Alt-F2 Alt-F3 Alt-F4 These keystrokes switch you between the virtual consoles of Linux. This is particularly useful during Installation of SPLAT to see progress.

Find Files
find find find find find / -size +10000k (Find any file larger than 10000K) $FWDIR -name '*.elg' -size -500k (Find *.elg files smaller than 500k) /home/david -mtime -2 -name '*.c' (Find files modified less than 2 days ago) /home/david -mmin -10 -name '*.c' (Find files modified less than 10 mins ago) $FWDIR -name *.C -exec grep "pattern" '{}' /dev/null \; -print (Find pattern in *.C files under $FWDIR) du k <directory> | sort nr | head -20 This will display the size of all folders beneath <directory> on the system, sort them in numerical order and display the 20 largest entries. / will show all directories on all filesystems. $FWDIR will only show directories therein. The man page contains more information and there are several very good online tutorials for find available.

Login Directly to Expert Mode

chsh s /bin/bash admin Go directly to expert mode, skiping the restricted cpshell. Permanent change. chsh s /bin/cpshell admin Revert the change.

See What Traffic Was Dropped But Not Logged

fw ctl zdebug + drop | grep <host ip or port number>

Allow admin user to scp files to the SPLAT box:

grep admin /etc/scpusers | wc l If 0, then do this: echo admin >> /etc/scpusers Any user can be substituted for admin. WinSCP users: In order to use WinSCP, you must also issue the following to change admins shell to bash: chsh s /bin/bash admin Note: This is a security risk as this bypasses cpshell for this user. Use with caution.

Run a command from the shell repetitively

Repeat a particular command until <ctrl-C>: watch -interval=5 <commands> Note: output cannot be redirected to a file. To have more flexibility use: while true; do sleep 5 <commands> done All commands should be followed by a Carriage Return. Example commands could be ls lh *.elg cpwd_admin list echo >> ~/routes.txt ; zdump utc >> ~/routes.txt; netstat rn >> ~/routes.txt Rediretion of output is fully supported.

Force Interface Speed/Duplex (Not gigabit)

There are three tools to do this from the shell. Ethtool, mii_tool and eth_set. eth_set is preferred and survives a reboot. The others do not. eth_set <interface> [<10h|10f|100h|100f|1000h|1000f|autoneg>] ethtool -s DEVNAME speed 10|100|1000 duplex full|half autoneg off|on mii-tool [-VvRrwl] [-A media,... | -F media] [interface ...] mii-tool eth1 -F 100baseTx-FD mii-tool eth0 -F 10baseT-HD will force the eth1 interface to 100 Mbps link speed, full duplex. will force eth0 to 10Mbps link speed and half duplex.

Ethtool and mii-tool commands can be put at the end of /etc/rc.local startup script to survive a reboot. Please note the Gigabit Ethernet standard requires the use of autonegotiation to establish the master-slave signal timing control required to make the link operational. Do not use these commands to disable autonegotiation for Gigabit links.

Conflicts Between SNX/VM, SmartPortal and SPLAT WebUI

SNX and Visitor Mode conflict with the default SPLAT admin GUI port of 443. To remedy: webui enable 445 (moves it to 445) or, for a better security: webui disable

Find out the features of a SKU per whatever cp.macro is on your SPLAT box
cplic resolve_macro ::CPVP-VSI-100-NGX Use this command to compare features of two SKUs: cplic resolve_macro ::CPVP-VSI-100-NGX > VSI cplic resolve_macro ::CPVP-VMC-100-NGX > VMC diff VSI VMC

Some Performance Commands

top uptime free vmstat cat /proc/sys/fs/file-max cat /proc/sys/fs/file-nr, cat /proc/interrupts

(verify how IRQs are being balancing across CPUs)

About Connecting SPLAT to a Terminal Server

Say you connect to the serial port via a network console server. Basically, you telnet to the server on the numbered port that you wish to connect to. This numbered port has RJ45 connection to a serial adapter on the device serial port. Some terminal servers detault to vt100 terminal emulation mode by default. SPLAT installation takes place in ANSI terminal mode. This mismatch causes the server to receive a string of characters that it did not understand. Once you change the mode to ANSI on the console server (and the client software - HyperTerminal) we were able to see the boot menu correctly. With --silent enabled (as it is by default) in /etc/grub.conf, you don't see the full boot menu unless you hit a key.

Compute a File Integrity Checksum

md5sum <filename> sha1sum <filename>

Useful Commands for Identifying Versions

kernelversion uname a ver fw ver cpshared_version

Watch Appended Data to a Log File (or any file) on the Fly
tail f /var/log/messages

Create a Text File from the Command line Quick and Dirty
cat > myfile (type a line) (type a line) (etc.) EOF (Hit Ctrl-D)

Useful Networking Commands

ifconfig a netstat rn netstat i netstat an netstat antp (route) (interface errors) (all stats, but do not resolve service names) (which processes listening on which ports)

View the first (or last) Few Lines in a File

head -10 filename tail -5 filename wc l (See first 10 lines) (See last 5 lines) (Count the lines in a file)

Output a File, Doing a Search-Replace on the Fly

Replace all occurrences of x with y in fname, and output it to newfname: cat fname | sed 1,$s/x/y/g > newfname

Log a Message in /var/log/messages

syslog: logger logger [options] [message...] TCP/IP command. Add entries to the system log (via syslogd). If no message is given on the command line, standard input is logged.

Clever Use of Directory Listings

cd /etc ls la | grep host ls la | grep host | grep v hosts (show all files with host in the filename) (show all files with host, but not hosts)

Quick and Dirty tar tutorial

Create a tar backup of a directory using relative file names: cd /whichdir tar cvzf myfile.tgz ./* List the tar archive: cd /whichdir tar tvzf myfile.tgz Extract the tar archive to a directory: cd /myrestoredir tar xzvf myfile.tgz Create a tar backup of a directory using absolute file names (use carefully!) cd /whichdir tar cvzf myfile.tgz /etc/* Restore a tar backup of a directory using absolute file names (use carefully!) cd /whichdir tar xvzf myfile.tgz

Mount a CD-ROM
mount /dev/cdrom cd /mnt/cdrom When you are done: umount /dev/cdrom Note: You cant eject the CD-ROM until you umount it.

Mounting an ISO from the local filesystem

mount -t iso9660 -o loop ~/singlecd.iso /mnt/cdrom Singlecd.iso assumed to be in the home directory ~/.

Mount a USB drive in SPLAT

modprobe usb-storage Load the module for usb mass storage (once per re-boot): (Plug in the USB key) dmesg | more Look in dmesg for the device node to mount from. Likely to be SDB1 or SDD1) mount -t vfat /dev/sdb1 /mnt/usb Mount the volume (/dev/whatever designation from above) (Copy files to or from /mnt/usb) umount /mnt/usb Unmount when finished

Syntax of the Crontab

# Use the hash sign to prefix a comment # +---------------- minute (0 - 59) # | +------------- hour (0 - 23) # | | +---------- day of month (1 - 31) # | | | +------- month (1 - 12) # | | | | +---- day of week (0 - 7) (Sunday=0 or 7) #| | | | | # * * * * * command to be executed Nobody can ever remember this, so refer to the man pages or online tutorials.

File Types and Execution Path Checking

which cpstop (which cpstop will be executed based on the shell path) file cpstop (what kind of file is cpstop script? complied executable?) file `which cpstop` (use command substitution to combine the two commands) basename filename (strip the path off of a filename)

Determine the Hardware Compatibility of a particular PCI NIC

Need to determine HCL compliance of a PCI device? Before opening an SR, perform: lspci -nv lspci -vv lsmod Correleate vendor/device with http://pci-ids.ucw.cz or http://www.pcidatabase.com/

Determine the NIC driver version you are using:

cat /etc/modules.conf ethtool i eth0

See What Files Changed During any Operation

du k | sort nr > before (perform the command) du k | sort nr > after diff before after

Investigate Check Point Configuration from the Command Line

$CPDIR/bin/cpprod_util -? cpwd_admin list

Using cpinfo to Re-create a SmartCenter (not supported)

You can do this partially. The cpinfo should have a copy of most of the files in the conf directory. Infoview will let you drag files from it onto a folder on your machine. What I do is take these files objects_5_0.C rulebases_5_0.fws fwauth.NDB *.W (maybe asm.c if necessary) Put them on a machine that has the same IP and hostname as the original management server, overwriting the existing files in $FWDIR/conf. Remove $FWDIR/conf/applications.* and $FWDIR/conf/CPMILinks* (this is important or else it will not work) and then cpstop;cpstart and you should be able login and have the objects and rules and users from the old management server. This method does not preserve the SIC database, however, so youll have to reset SIC on any modules you have. I dont think that the cpinfo contains enough info to save the SIC database, but not sure since I havent really tried to do it before.

Recovering a Forgotten SPLAT Password

1. If you know the Expert Mode password, but not any of the user passwords, go to Maintenance Mode. The Expert Mode password is also used to access Maintenance Mode. Once in Maintenance Mode, issue the cpshell command. Use the adduser command to create a new user, whose password is known. If you don't have the option of creating a new user, you're probably stuck following the steps for when you know neither the Standard Mode nor the Expert Mode password (see #3 below). 2. If you know a user's Standard Mode password, but you've forgotten the Expert Mode password, things get a little trickier, but not too bad. I used a bootable Linux distro (tested with Knoppix & F.I.R.E.). a) boot to CD b) mount the hard disk ( mount /dev/hda2 /mnt/hda2 ) c) edit the SecurePlatform passwd file - change the user's default shell from cpshell to bash (see tip above) d) boot to SecurePlatform & login with the user you just modified; you get a bash prompt e) use the passwd command to change the Expert Mode password f) edit passwd & change the user's default shell back to cpshell I tested this using a special user created for the test and also with admin. No problems either way. 3. If you don't know the Standard Mode password and you don't know the Expert Mode password, things are even trickier, but you can still get in. You'll need access to another SecurePlatform installation and a bootable Linux distro for this one. a) go to a SecurePlatform box where you know the passwords b) copy the /etc/passwd and /etc/shadow files to a floppy c) go to the SecurePlatform machine where you don't know the passwords and boot to your bootable Linux CD d) mount the hard disk and the floppy with passwd and shadow files

e) move the existing passwd and shadow files to .old f) copy the passwd and shadow files from the floppy to your SecurePlatform machine g) edit passwd and change the user's default shell from cpshell to bash h) boot to SecurePlatform and login using the user you just modified; you get a bash prompt. You may also get an error message if the user doesn't have a home directory - you should still be able to login i) use the passwd command to change the Expert Mode password j) edit /etc/passwd & change the user's default shell back to cpshell I also changed the permissions on passwd & shadow to match their original permissions. For passwd, the original permissions were 644. For shadow, the original permissions were 400. Additonal Notes for HP/Compaq: "The Compaq/HP servers use the Smart Array 5i controller which uses the cciss driver. It was loading, but not seeing any drives. Also, the CD ROM was stalling during load as it was trying to load as a SCSI device, and it was not on the controller. Here is what I had to do: Boot Knoppix by entering boot:knoppix26 atapicd Once the sytem was up: cd /dev MAKEDEV cciss (caps needed) and it created like 100 objects under /dev/cciss Mounted the drive with mount o rw /dev/cciss/c0d0p3 /mnt/tmp It appears that c0d0p1 (partition 1) is the boot partition, c0d0p2 (partition 2) is the swap space, and c0d0p3 (partition 3) is the application drive."

BONUS: Recovering a Forgotten IPSO Password

Recovery a Nokia lost password: You must have local serial console access to the unit to perform this procedure. 1. Boot system into single user mode. To do this reboot or power cycle the machine, When you see the line " boot: " you must enter "-s" before it goes into multiuser mode. (you have about 10 seconds) * on a ip330 or ip650 you need to type boot -s at the BOOTMGR prompt* 2. 3. After it boots, it will ask you "Enter pathname of shell or RETURN for sh:", press Enter key. Type "/etc/overpw" in the # prompt. It will ask if you want continue, type "y".

In IPSO 3.1.3 systems and earlier, it will ask you to put a floppy disk into the floppy drive to make sure you have physical access to the box. Put a floppy disk into the floppy drive and press Enter key. IPSO 3.1.4 and later does not ask this question. In IPSO 3.4 and above, /etc/overpw will ask you to set a password. The admin password defaults to no password in earlier versions of IPSO. 4. 5. 6. Continue to boot to multiuser mode. Login as admin. If a password is required, you will be asked for one. Use the dbpasswd command to set a new password:

nokia[admin]# dbpasswd admin newpassword ""

10

(Note that the "" is necessary to specify (NULL) as the old password.) Then, save this new password to the configuration file so that you can log into Network Voyager: nokia[admin]# dbset :save

11