test_ad_connectivity

Description

This utility runs connectivity tests from the Security Gateway (the dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources) to an AD domain controller.

You can define the parameters for this utility in one of these ways:

  • In the command line as specified below

  • In the $FWDIR/conf/test_ad_connectivity.conf configuration file.

    Parameters you define in the $FWDIR/conf/test_ad_connectivity.conf file cannot contain white spaces and cannot be within quotation marks.

Important:

  • Parameters you define in the command line override the parameters you define in the configuration file.

  • This utility saves its output in the file you specify with the -o parameter.

    In addition, examine the $FWDIR/log/test_ad_connectivity.elg file.

Syntax

[Expert@HostName:0]# $FWDIR/bin/test_ad_connectivity -h

[Expert@HostName:0]# $FWDIR/bin/test_ad_connectivity <Parameter_1 Value_1> <Parameter_2 Value_2> ... <Parameter_N Value_N> ...<Parameters And Options>

Parameters

Each entry lists the parameter, whether it is mandatory or optional, and its description.

-h  (Optional)
    Shows the built-in help.

-a  (Mandatory; use only one of -a, -c, -p)
    Prompts the user for the password on the screen.

-b <LDAP Search Base String>  (Optional)
    Specifies the LDAP Search Base String.

-c <Password in Clear Text>  (Mandatory; use only one of -a, -c, -p)
    Specifies the user's password in clear text.

-d <Domain Name>  (Mandatory)
    Specifies the domain name of the AD (for example, ad.mycompany.com).

-D <User DN>  (Mandatory)
    Overrides the LDAP user DN (the utility does not try to figure out the DN automatically).

-f <AD Fingerprint for LDAPS>  (Optional)
    Specifies the AD fingerprint for LDAPS.

-i <IPv4 address of DC>  (Mandatory)
    Specifies the IPv4 address of the AD domain controller to test.

-I <IPv6 address of DC>  (Mandatory)
    Specifies the IPv6 address of the AD domain controller to test.

-o <File Name>  (Mandatory)
    Specifies the name of the output file.
    This utility always saves the output file in the $FWDIR/tmp/ directory.

-p <Obfuscated Password>  (Mandatory; use only one of -a, -c, -p)
    Specifies the user's password in obfuscated text.

-l  (Optional)
    Runs the LDAP connectivity test only (no WMI test).

-L <Timeout>  (Optional)
    Specifies the timeout (in milliseconds) for the LDAP test only.
    If this timeout expires while the LDAP test is still running, both the LDAP connectivity and WMI connectivity tests fail.

-M  (Optional)
    Runs the utility in demo mode.

-r <Port Number>  (Optional)
    Specifies the LDAP or LDAPS connection port number.
    The default ports are:

      • LDAP - 389

      • LDAPS - 636

-s  (Optional)
    Specifies that the LDAP connection must be over SSL.

-t <Timeout>  (Optional)
    Specifies the total timeout (in milliseconds) for both the LDAP connectivity and WMI connectivity tests.

-u <Username>  (Mandatory)
    Specifies the administrator user name on the AD.

-v  (Optional)
    Prints the full path to the specified output file.

-x <Domain Name>  (Mandatory)
    Specifies the domain name of the AD (for example, ad.mycompany.com).
    The utility prompts the user for the password.

-w  (Optional)
    Runs the WMI connectivity test only (no LDAP test).

Example

IPv4 of AD DC: 192.168.230.240

Domain: mydc.local

Username: Administrator

Password: aaaa

Syntax

[Expert@GW:0]# $FWDIR/bin/test_ad_connectivity -u "Administrator" -c "aaaa" -D "CN=Administrator,CN=Users,DC=mydc,DC=local" -d mydc.local -i 192.168.230.240 -b "DC=mydc,DC=local" -o test.txt
[Expert@GW:0]#

Output

[Expert@GW:0]# cat $FWDIR/tmp/test.txt
(
   :status (SUCCESS_LDAP_WMI)
   :err_msg ("WMI_SUCCESS;LDAP_SUCCESS")
   :ldap_status (LDAP_SUCCESS)
   :wmi_status (WMI_SUCCESS)
   :timestamp ("Mon Feb 26 10:17:41 2018")
)
[Expert@GW:0]#

Note - To confirm that the output belongs to the current run and not to an earlier one, check that the timestamp in the file matches the current local time.
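The check described in the note can be automated. The following Python script is an added example, not part of the Check Point utility or its documentation: it parses the output file format shown above (one ":name (value)" field per line), requires both LDAP_SUCCESS and WMI_SUCCESS, and flags the result as stale when the timestamp is not close to the current local time. The sample text is the page's own success output, embedded here as a constructed input; the 5-minute freshness window is an assumption chosen for this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the output file the page shows for a successful run.
# In practice, read the file written to $FWDIR/tmp/<name given with -o>.
SAMPLE_OUTPUT = """(
   :status (SUCCESS_LDAP_WMI)
   :err_msg ("WMI_SUCCESS;LDAP_SUCCESS")
   :ldap_status (LDAP_SUCCESS)
   :wmi_status (WMI_SUCCESS)
   :timestamp ("Mon Feb 26 10:17:41 2018")
)
"""

# One field per line: ":name (value)"; string values are double-quoted.
FIELD_RE = re.compile(r'^\s*:(\w+)\s+\((.*)\)\s*$')
REQUIRED = ("status", "ldap_status", "wmi_status", "timestamp")
TIMESTAMP_FORMAT = "%a %b %d %H:%M:%S %Y"  # ctime() style, as in the sample


def parse_output(text):
    """Return the :name (value) pairs as a dict, with surrounding quotes stripped."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            name, value = m.groups()
            fields[name] = value.strip('"')
    return fields


def parse_timestamp(value):
    """Parse a timestamp such as 'Mon Feb 26 10:17:41 2018'."""
    return datetime.strptime(value, TIMESTAMP_FORMAT)


def evaluate(text, now=None, max_age=timedelta(minutes=5)):
    """Decide whether the file proves a fresh, fully successful test.

    `now` may be a datetime, a ctime-style string, or None (use the local clock).
    Returns a dict with keys: ok, problems (list of str), fields (dict), age (timedelta or None).
    """
    if now is None:
        now = datetime.now()
    elif isinstance(now, str):
        now = parse_timestamp(now)

    fields = parse_output(text)
    problems = []

    missing = [k for k in REQUIRED if k not in fields]
    if missing:
        problems.append("missing fields: " + ", ".join(missing))
        return {"ok": False, "problems": problems, "fields": fields, "age": None}

    # Both sub-tests must report success; a partial result is treated as a failure.
    if fields["ldap_status"] != "LDAP_SUCCESS":
        problems.append("LDAP test failed: " + fields["ldap_status"])
    if fields["wmi_status"] != "WMI_SUCCESS":
        problems.append("WMI test failed: " + fields["wmi_status"])

    # Freshness check from the note: a timestamp far from the current local time
    # (or in the future, which indicates clock skew) means this is not the run you
    # just started, so the result must not be trusted.
    age = now - parse_timestamp(fields["timestamp"])
    if age < timedelta(0) or age > max_age:
        problems.append("stale or skewed timestamp: %s (age %s)" % (fields["timestamp"], age))

    return {"ok": not problems, "problems": problems, "fields": fields, "age": age}


if __name__ == "__main__":
    import sys
    # Usage: python check_ad_test.py $FWDIR/tmp/test.txt   (no argument: use the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    result = evaluate(text)
    print("OK" if result["ok"] else "PROBLEM: " + "; ".join(result["problems"]))
```

Run against the sample without arguments, the script reports a problem, because the page's 2018 timestamp is far older than the current clock; that is exactly the condition the note warns about. Pass the real output file path to check a run you have just made.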