tp_collector_cli

Description

This is a light debug tool that runs in the background on the Security Gateways. The tool automatically collects information about the main points in Threat Prevention for each traffic flow.

For any issue, you can examine the "tp_collector_cli" output to understand the connection flow and identify the area in which the issue occurred.

Notes:

Syntax for the Expert mode

[Expert@GW:0]# tp_collector_cli {-h | --help}

[Expert@GW:0]# tp_collector_cli

      [--filter <Filter Name 1> [{not^ | contains%}]<Filter Value 1> [<Filter Name 2> [{not^ | contains%}]<Filter Value 2>] ... [<Filter Name N> {not^}{contains%}<Filter Value N>]]

      [--delim "<Delimiter>"]

      [--input_file <Path>]

      [--last_minutes <Number>]

      [--print_key_names]

Parameters

Parameter

Description

-h

--help

Shows the complete built-in help.

--filter <Filter Name>

Optional.

Specifies the filter name - see the built-in help.

Examples of general filters:

  • "Source_ip"

  • "Destination_ip"

  • "Destination_port"

  • "Instance"

  • "App"

  • "Conn"

  • "rule_id"

Examples of Threat Prevention filters:

  • "Action"

  • "Final Action"

  • "Performance Impact"

  • "IOC Verdict"

  • "RAD Verdict"

  • "TE Verdict"

  • "Severity"

  • "ZPHI: URL"

<Filter Value>

Specifies the filter value.

Best Practice - To see the values, just run "tp_collector_cli" and copy the values from the applicable fields.

Optional operators:

  • not^<Filter Value>

    Negates the specified value.

    The output shows all entries except the specified value.

    Example:

    tp_collector_cli --filter "App" not^CIU

  • contains%<Filter Value>

Matches entries that contain the specified partial value (works as a wildcard).

    Example 1:

    tp_collector_cli --filter "App" contains%CI

    Example 2:

    tp_collector_cli --filter "CIU info" contains%Online

--delim "<Delimiter>"

Optional.

Shows the records in the data file and uses the specified string as the delimiter between the columns.

This makes it easy to parse the output with various tools.

Example for 3 spaces:

tp_collector_cli --delim "   "

Example for the pipe character ("|"):

tp_collector_cli --delim "|"

--print_key_names

Optional.

Shows internal names of various fields (useful for Check Point Support and R&D).

--input_file <Path>

Optional.

Specifies the path and the name of the data file to read.

You can get the $FWDIR/log/tp_collector.dat file from one Security Gateway and open it on another Security Gateway.

Note - Versions of these Security Gateways must be the same.

--last_minutes <Number>

Optional.

Specifies the number of most recent minutes for which to show the information from the data file.

Example output of one record:

Time:06/21 09:45:06
Instance:0
Conn:dir 0, 192.168.22.33:45678 -> 172.16.44.55:80 IPP 6
Session:1933
App:CI_AV
File Name:test.deb
Content-Length:8144
Strict Hold:1
Last Buffer Seen:1
rule_id:4
profile_id:1
AV Performed Hold:09:45:06
Accumulated File Size:8144
RAD Verdict:ACCEPT
File Type ID:1100
File MD5:8add8c310e05a8a5243414ef669f19bc
AV Async Response Time:09:45:06
AV Verdict:ACCEPT
Final Action:ACCEPT
Final Async Action Time:09:45:06
Strict Hold Start Sending File:1

Example filter 1 - filtering for the application "CI_AV" for the last 5 minutes:

tp_collector_cli --filter "App" CI_AV --last_minutes 5

Example filter 2 - filtering for the specified time frame:

tp_collector_cli --filter "Time_start" "06/21 09:40:00" "Time_end" "06/21 09:50:00"

tp_collector_cli --filter "Time_start" contains%"06/21 09"

Example filter 3 - filtering for a specific connection:

You can only filter using the full connection tuple.

tp_collector_cli --filter "Conn" "dir 0, 192.168.22.33:45678 -> 172.16.44.55:80 IPP 6"
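As an added example (not part of the product documentation), the following Python script parses records in the one "Field:Value" per line format shown in the example output above, breaks the Conn field into its direction and connection 5-tuple, and lists sessions whose engine verdicts disagree with the Final Action. The second record and the mismatch check are constructed assumptions for illustration.

```python
import re

# Constructed sample: the page's record (trimmed) plus a second constructed one.
SAMPLE_OUTPUT = """\
Time:06/21 09:45:06
Conn:dir 0, 192.168.22.33:45678 -> 172.16.44.55:80 IPP 6
Session:1933
File Name:test.deb
RAD Verdict:ACCEPT
AV Verdict:ACCEPT
Final Action:ACCEPT

Time:06/21 09:46:10
Conn:dir 0, 192.168.22.34:51234 -> 172.16.44.56:443 IPP 6
Session:1940
File Name:sample.exe
RAD Verdict:DROP
AV Verdict:DROP
Final Action:ACCEPT
"""
CONN_RE = re.compile(r"dir (\d+), (\S+):(\d+) -> (\S+):(\d+) IPP (\d+)")

def parse_records(text):
    # Records are blank-line separated; split each line at the FIRST ':' only,
    # because Time and Conn values themselves contain colons.
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            rec[key.strip()] = value.strip()
        records.append(rec)
    return records

def parse_conn(conn):
    # Direction plus the 5-tuple from the Conn field (IPP = IP protocol number).
    m = CONN_RE.fullmatch(conn)
    if not m:
        raise ValueError(f"unexpected Conn format: {conn!r}")
    return dict(zip(("dir", "src_ip", "src_port", "dst_ip", "dst_port", "ipp"), m.groups()))

def verdict_mismatches(records):
    # Sessions where any "* Verdict" field differs from Final Action (assumption:
    # worth a closer look, e.g. a hold released before an engine answered).
    out = []
    for rec in records:
        final = rec.get("Final Action")
        engines = {k: v for k, v in rec.items() if k.endswith("Verdict")}
        if final and any(v != final for v in engines.values()):
            out.append((rec["Session"], engines, final))
    return out
```

To run it against a live gateway, replace SAMPLE_OUTPUT with the captured output of tp_collector_cli (saved to a file and read in).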