Working with the ARP Table (asg_arp)
The asg_arp Command
Description
The asg_arp command in the Expert mode shows the ARP cache for the whole Security Group, or for the specified Security Group Member, interface, MAC address, and Host name. You can show summary or verbose information.

Security Group: A logical group of Security Appliances that provides Active/Active cluster functionality. A Security Group can contain one or more Security Appliances. Security Groups work separately and independently from each other. To the production networks, a Security Group appears as a single Security Gateway. Every Security Group contains: (A) Applicable Uplink ports, to which your production networks are connected; (B) Security Appliances (the Quantum Maestro Orchestrator determines the applicable Downlink ports automatically); (C) Applicable management port, to which the Check Point Management Server is connected.
Syntax
|
|
|
Parameters
| Parameter | Description |
|---|---|
| | Shows the built-in help. |
| -v | Verbose mode that shows detailed Security Group Member cache information. |
| | Applies to Security Group Members as specified by |
| | Shows the ARP cache for the specified interface. |
| | Shows the ARP cache for the specified MAC address. |
| | Shows the ARP cache for the specified host name. |
| --verify | Runs MAC address verification on both Sites and shows the results. |
| --legacy | Shows the ARP cache for each Security Group Member in the legacy format. |
Example Default Output
This example shows the ARP cache in the Default Mode:

```
[Expert@MyChassis-ch01-01:0]# asg_arp
Address       HWaddress           Iface
172.23.19.4   54:7F:EE:6A:D0:BC   eth1-Mgmt2
1_01          00:1C:7F:01:04:FE   Sync
1_2           00:1C:7F:02:04:FE   Sync
ssm1          02:02:03:04:05:40   eth1-CIN
ssm2          04:02:03:04:05:40   eth2-CIN
[Expert@MyChassis-ch01-01:0]#
```
Example Verbose Output
This example shows the ARP cache in the Verbose Mode:

```
[Expert@MyChassis-ch01-01:0]# asg_arp -v
Address       HWtype  HWaddress           Flags Mask   Iface        SGMs
172.23.19.4   ether   54:7F:EE:6A:D0:BC   C            eth1-Mgmt2   1_01
1_01          ether   00:1C:7F:01:04:FE   C            Sync         1_02
1_2           ether   00:1C:7F:02:04:FE   C            Sync         1_01
ssm1          ether   02:02:03:04:05:40   C            eth1-CIN     1_01,1_02
ssm2          ether   04:02:03:04:05:40   C            eth2-CIN     1_01
[Expert@MyChassis-ch01-01:0]#
```
Example Output for Verifying MAC Addresses
This example shows the output of the MAC address verification.
```
[Expert@MyChassis-ch01-01:0]# asg_arp --verify
Address       HWtype  HWaddress           Flags Mask   Iface        SGMs
172.23.19.4   ether   54:7F:EE:6A:D0:BC   C            eth1-Mgmt2   1_01
1_01          ether   00:1C:7F:01:04:FE   C            Sync         1_02
1_2           ether   00:1C:7F:02:04:FE   C            Sync         1_01
ssm1          ether   02:02:03:04:05:40   C            eth1-CIN     1_01,1_02
ssm2          ether   04:02:03:04:05:40   C            eth2-CIN     1_01
MAC address for IP 172.23.19.4 is inconsistent across the SGMs
--------------------------------------------------------------------------------
Collecting information from SGMs...
--------------------------------------------------------------------------------
Verifying FW1 mac magic value on all SGMs...
Success
--------------------------------------------------------------------------------
Verifying IPV4 and IPV6 kernel values...
Success
--------------------------------------------------------------------------------
Verifying FW1 mac magic value in /etc/smodb.json...
Success
--------------------------------------------------------------------------------
Verifying MAC address on local chassis (Chassis 1)...
Success
--------------------------------------------------------------------------------
[Expert@MyChassis-ch01-01:0]#
```
Verifying ARP Entries
Use these commands to confirm that the Unique MAC value has changed.
For the Unique MAC database value, run this command in the Expert mode:
|
Example:
|
For the Unique MAC Kernel value, run this command in Gaia gClish (the name of the global command line shell in the Check Point Gaia operating system for Security Appliances connected to Check Point Quantum Maestro Orchestrators; commands you run in this shell apply to all Security Appliances in the Security Group):
|
Example:
|
You can display the magic attribute within interfaces of type ethX-YZ with the ifconfig command.
Example:
```
[Expert@MyChassis-ch01-01:0]# ifconfig eth1-01
eth1-01   Link encap:Ethernet  HWaddr 00:1C:7F:81:01:16
          inet6 addr: fe80::21c:7fff:fe81:116/64 Scope:Link
          UP BROADCAST RUNNING SLAVE MULTICAST  MTU:1500  Metric:1
          RX packets:154820 errors:0 dropped:0 overruns:0 frame:0
          TX packets:23134 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:15965660 (15.2 MiB)  TX bytes:2003398 (1.9 MiB)
[Expert@MyChassis-ch01-01:0]#
```
Example Legacy Output
This example shows the ARP cache for each Security Group Member in the Legacy Mode output:

```
[Expert@MyChassis-ch01-01:0]# asg_arp --legacy
1_01:
Address       HWtype  HWaddress           Flags Mask   Iface
ssm2          ether   04:02:03:04:05:40   C            eth2-CIN
ssm1          ether   02:02:03:04:05:40   C            eth1-CIN
1_2           ether   00:1C:7F:02:04:FE   C            Sync
172.23.19.4   ether   54:7F:EE:6A:D0:BC   C            eth1-Mgmt2
1_02:
Address       HWtype  HWaddress           Flags Mask   Iface
1_01          ether   00:1C:7F:01:04:FE   C            Sync
ssm1          ether   02:02:03:04:05:40   C            eth1-CIN
[Expert@MyChassis-ch01-01:0]#
```
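One way to cross-check the per-member caches shown in the legacy output, as an added example that is not Check Point's code: the function reads `asg_arp --legacy` output on standard input and lists every address that resolves to different MAC addresses on different Security Group Members. The function names are hypothetical, and the sample data is constructed from the rows above with one altered MAC on member 1_02.

```shell
#!/bin/sh
# Added example. find_arp_conflicts and sample_legacy_output are hypothetical
# helper names, not part of the asg_arp tool.

# Reads `asg_arp --legacy` output on stdin. Prints one line per address that
# maps to more than one MAC, as: <address> <MAC>@<member> <MAC>@<member> ...
find_arp_conflicts() {
    awk '
    # Section header such as "1_01:" names the member whose cache follows.
    /^[0-9]+_[0-9]+:[ \t]*$/ { sgm = $1; sub(/:$/, "", sgm); next }

    # Data rows carry the MAC in column 3; prompts and column headers do not.
    $3 ~ /^([0-9A-Fa-f][0-9A-Fa-f]:)+[0-9A-Fa-f][0-9A-Fa-f]$/ {
        addr = $1; mac = toupper($3)
        if (!((addr, mac) in seen)) {
            seen[addr, mac] = 1
            count[addr]++
            where[addr] = where[addr] " " mac "@" sgm   # first member seen
        }
    }

    END {
        for (addr in count)
            if (count[addr] > 1) print addr where[addr]
    }' | sort
}

# Constructed sample: the 1_02 entry for 172.23.19.4 ends in BD instead of BC.
sample_legacy_output() {
cat <<'EOF'
[Expert@MyChassis-ch01-01:0]# asg_arp --legacy
1_01:
Address       HWtype  HWaddress           Flags Mask   Iface
ssm1          ether   02:02:03:04:05:40   C            eth1-CIN
172.23.19.4   ether   54:7F:EE:6A:D0:BC   C            eth1-Mgmt2
1_02:
Address       HWtype  HWaddress           Flags Mask   Iface
ssm1          ether   02:02:03:04:05:40   C            eth1-CIN
172.23.19.4   ether   54:7F:EE:6A:D0:BD   C            eth1-Mgmt2
[Expert@MyChassis-ch01-01:0]#
EOF
}

sample_legacy_output | find_arp_conflicts
```

On a live Security Group, pipe the real command into the function: `asg_arp --legacy | find_arp_conflicts`. Empty output means every address resolved to a single MAC on all members that had it cached.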