Firewall Commands

This section presents the usage of standard firewall (fw) commands as applicable to VSX Gateways and Virtual Systems.

fw getifs

Description

Shows a driver interface list for a specific Virtual System. By default, the VSX Gateway interface is displayed.

Run vsenv <vsid> to change context and show an interface list for a different Virtual System.

Syntax

fw getifs

Return Value

0 (zero) indicates that the command executed successfully. Any other response indicates an error.

Output

fw getifs

localhost vnd0 0.0.0.0 0.0.0.0

localhost eth0 4.4.6.101 255.255.0.0

localhost eth1 0.0.0.0 0.0.0.0

localhost sdp0 0.0.0.0 0.0.0.0

localhost int 0.0.0.0 0.0.0.0

localhost mgmt 10.18.83.171 255.255.255.0

localhost sync 7.7.7.171 255.255.255.0

localhost wrpj50001 0.0.0.0 0.0.0.0

localhost wrpj50003 0.0.0.0 0.0.0.0

fw monitor

Description

Captures network packets at multiple points within the VSX environment. You can only run one instance of this command at a time on VSX Gateway.

This section only presents the syntax relevant for VSX Gateways or clusters.

For more information, see sk30583: What is FW Monitor?

Syntax

fw monitor [-v vsid]

Parameters

Parameter	Description
[-v vsid]	Specify a gateway or Virtual System by its ID. The specific Virtual System on which packets should be captured. The default gives the VSX Gateway.

Return Value

0 (zero) indicates that the command executed successfully. Any other response indicates an error.

Example

fw monitor -v 2 -e 'accept ip_p=6 shows all TCP packets passing through Virtual System 2.

Output

[member1:0]# fw monitor

monitor: getting filter (from command line)

monitor: compiling

monitorfilter:

Compiled OK.

monitor: loading

monitor: monitoring (control-C to stop)

eth4:o[124]: 192.168.200.171 -> 192.168.200.1 (TCP) len=124 id=56430

TCP: 22 -> 1794 ...PA. seq=28d95f71 ack=57e454b1

eth4:O[124]: 192.168.200.171 -> 192.168.200.1 (TCP) len=124 id=56430

TCP: 22 -> 1794 ...PA. seq=28d95f71 ack=57e454b1

eth4:i[40]: 192.168.200.1 -> 192.168.200.171 (TCP) len=40 id=64876

TCP: 1794 -> 22 ....A. seq=57e454b1 ack=28d95fc5

eth4:I[40]: 192.168.200.1 -> 192.168.200.171 (TCP) len=40 id=64876

TCP: 1794 -> 22 ....A. seq=57e454b1 ack=28d95fc5

monitor: caught sig 2

monitor: unloading

fw tab

Description

Displays state tables for a specific Virtual System. State tables are used to store state information that Virtual Systems use to correctly inspect packets.

Run vsenv <vsid> to change context and show an interface list for a different Virtual System.

Syntax

fw tab [-t table name] [...]

Parameters

Parameter	Description
-t table name	Shows the state table for the specified Virtual System.
[...]	Arguments as defined for non-VSX machines.

Example

vsenv 1
fw tab -t connections

Output

localhost:

-------- connections --------

dynamic, id 8158, attributes: keep, sync, expires 25,
refresh, limit 15000, hashsize 32768, kbuf 16 17 18
19 20 21 22 23 24 25 26 27 28 29 30, free function
90adc508 0

00000000, 0a125364, 00008a69, 0a12ae0a, 00004710,
00000006; 0001c001, 00804000, 08000000, 00000e10,
00000000, 3f7c2df6, 00000001, 66010202, 000007b6,
ffffffff, ffffffff, ffffffff, ffffffff, 00000000,
00000000, 00000000, 00000000, 00000000, 3bcd7000,
00000000, 00000000, 00000000; 3596/3600>

00000001, 0a12ae0a, 00004710, 0a125364, 00008a69,
00000006> 00000000, 0a125364, 00008a69, 0a12ae0a,
00004710, 00000006> 00000005)

00000000, 0a125364, 00008a6c, 0a12ab0a, 00004710,
00000006; 0001c001, 00804000, 08000000, 00000e10,
00000000, 3f7c2e4b, 00000001, 65060404, 000007b6,
0000000b, 0000000b, ffffffff, ffffffff, 00000000,
00000000, 00000000, 00000000, 00000000, 1fce4000,
00000000, 00000000, 00000000, 00000000, 00000000;
3581/3600>

00000001, 0a12ac0a, 00004710, 0a125364, 00008a6b,
00000006> 00000000, 0a125364, 00008a6b, 0a12ac0a,
00004710, 00000006> (00000005)

fw fetch

Description

Fetches the Inspection Code from the specified host and installs it to the kernel.

First, run vsenv <VSID> to change the context to the applicable Virtual System.

Syntax

fw fetch [-n] [-f] [-c] [-i] master1 [master2] ...

Parameter	Description
`-n`	Fetch the Security Policy from the Security Management Server to the local `$FWDIR/state/` directory, and install the Policy only if the fetched Policy is different from the Policy already installed.
`-f`	Fetch the Security Policy from the Security Management Server listed in the `$FWDIR/conf/masters` file.
`-c`	In cluster, fetches Security Policy from one of the peer cluster members, according to the Check Point High Availability kernel list on the local cluster member.
`-i`	Ignore SIC information (for example, SIC name) in the database and use the information in the `$FWDIR/conf/masters` file. This option is used when a Security Policy is fetched for the first time by a DAIP gateway from a Security Management Server with a changed SIC name.
`master1`	Runs the command on the designated master. The name of the Security Management Server, from which to fetch the Policy. You may specify a list of one or more Security Management Servers, such as `master1` `master2`, which will be searched in the order listed. If `targets` is not specified, or inaccessible, the policy is fetched from `localhost`.