Working with the ARP Table (asg_arp)

The 'asg_arp' Command

Description

The asg_arp command in the Expert mode shows the ARP cache for the whole Security GroupClosed A logical group of Security Appliances that provides Active/Active cluster functionality. A Security Group can contain one or more Security Appliances. Security Groups work separately and independently from each other. To the production networks, a Security Group appears a single Security Gateway. Every Security Group contains: (A) Applicable Uplink ports, to which your production networks are connected; (B) Security Appliances (the Quantum Maestro Orchestrator determines the applicable Downlink ports automatically); (C) Applicable management port, to which the Check Point Management Server is connected. or for the specified Security Group Member, interface, MAC address, and Host name.

This command shows summary or verbose information.

Syntax

asg_arp -h

asg_arp [-b <SGM IDs>] [-v] [--verify] [-i <Name of Interface>] [-m <MAC Address>] [<Hostname>]

asg_arp --legacy

Parameters

Parameter

Description

-h

Shows the built-in help.

-v

Verbose mode that shows detailed Security Group Member cache information.

-b <SGM IDs>

Applies to Security Group Members as specified by the <SGM IDs>.

<SGM IDs> can be:

  • No <SGM IDs> specified, or all

    Applies to all Security Group Members and all Maestro Sites

  • One Security Group Member (for example, 1_1)

  • A comma-separated list of Security Group Members (for example, 1_1,1_4)

  • A range of Security Group Members (for example, 1_1-1_4)

  • In Dual Site, one Maestro Site (chassis1, or chassis2)

  • In Dual Site, the Active Maestro Site (chassis_active)

-i <Name of Interface>

Shows the ARP cache for the specified interface.

-m <MAC Address>

Shows the ARP cache for the specified MAC address.

<Hostname>

Shows the ARP cache for the specified host name.

--verify

Runs MAC address verification on all Maestro Sites and shows the results.

--legacy

Shows the ARP cache for each Security Group Member in the legacy format.

Example Default Output

This example shows the ARP cash in the Default Mode:

[Expert@MyChassis-ch0x-0x:0]# asg_arp
Address              HWaddress            Iface
172.23.19.4          54:7F:EE:6A:D0:BC    eth1-Mgmt2
1_01                 00:1C:7F:01:04:FE    Sync
1_2                  00:1C:7F:02:04:FE    Sync
ssm1                 02:02:03:04:05:40    eth1-CIN
ssm2                 04:02:03:04:05:40    eth2-CIN
[Expert@MyChassis-ch0x-0x:0]#

Example Verbose Output

This example shows the ARP cash in the Verbose Mode:

[Expert@MyChassis-ch0x-0x:0]# asg_arp -v
Address              HWtype   HWaddress            Flags Mask  Iface                SGMs
172.23.19.4          ether    54:7F:EE:6A:D0:BC    C           eth1-Mgmt2           1_01
1_01                 ether    00:1C:7F:01:04:FE    C           Sync                 1_02
1_2                  ether    00:1C:7F:02:04:FE    C           Sync                 1_01
ssm1                 ether    02:02:03:04:05:40    C           eth1-CIN             1_01,1_02
ssm2                 ether    04:02:03:04:05:40    C           eth2-CIN             1_01
[Expert@MyChassis-ch0x-0x:0]#

Example Output for Verifying MAC Addresses

This example shows the output of the MAC address verification (on a Single Chassis):

[Expert@MyChassis-ch0x-0x:0]# asg_arp --verify
Address              HWtype   HWaddress            Flags Mask  Iface                SGMs
172.23.19.4          ether    54:7F:EE:6A:D0:BC    C           eth1-Mgmt2           1_01
1_01                 ether    00:1C:7F:01:04:FE    C           Sync                 1_02
1_2                  ether    00:1C:7F:02:04:FE    C           Sync                 1_01
ssm1                 ether    02:02:03:04:05:40    C           eth1-CIN             1_01,1_02
ssm2                 ether    04:02:03:04:05:40    C           eth2-CIN             1_01
 
MAC address for IP 172.23.19.4 is inconsistent across the SGMs
 
--------------------------------------------------------------------------------
Collecting information from SGMs...
--------------------------------------------------------------------------------
Verifying FW1 mac magic value on all SGMs...
Success
--------------------------------------------------------------------------------
Verifying IPV4 and IPV6 kernel values...
Success
--------------------------------------------------------------------------------
Verifying FW1 mac magic value in /etc/smodb.json...
Success
--------------------------------------------------------------------------------
Verifying MAC address on local chassis (Chassis 1)...
Success
--------------------------------------------------------------------------------
[Expert@MyChassis-ch0x-0x:0]#

Verifying ARP Entries

Use these commands to confirm that the Unique MAC value has changed.

For the Unique MAC database value, run this command in the Expert mode:

g_allc dbget chassis:private:magic_mac

Example:

[Expert@MyChassis-ch0x-0x:0]# g_allc dbget chassis:private:magic_mac

-*- 4 sgms: 1_01 1_02 2_02 2_03 -*-

22

For the Unique MAC Kernel value, run this command in Gaia gClishClosed The name of the global command line shell in Check Point Gaia operating system for Security Appliances connected to Check Point Quantum Maestro Orchestrators. Commands you run in this shell apply to all Security Appliances in the Security Group.:

fw ctl get int fwha_mac_magic

Example:

[Global] MyChassis-ch01-01> fw ctl get int fwha_mac_magic

-*- 4 sgms: 1_01 1_02 2_02 2_03 -*-

fwha_mac_magic = 22

[Global] MyChassis-ch01-01>

You can display the magic attribute for interfaces of the type ethX-YZ with the "ifconfig" command in the Expert mode.

Example:

[Expert@MyChassis-ch0x-0x:0]# ifconfig eth1-01
eth1-01 Link encap:Ethernet HWaddr 00:1C:7F:81:01:16
            inet6 addr: fe80::21c:7fff:fe81:116/64 Scope:Link
            UP BROADCAST RUNNING SLAVE MULTICAST MTU:1500 Metric:1
            RX packets:154820 errors:0 dropped:0 overruns:0 frame:0
            TX packets:23134 errors:0 dropped:0 overruns:0 carrier:0
            collisions:0 txqueuelen:0 RX bytes:15965660 (15.2 MiB)
            TX bytes:2003398 (1.9 MiB)
[Expert@MyChassis-ch0x-0x:0]#

Example Legacy Output

This example shows ARP cache for each Security Group Member in the Legacy Mode output:

[Expert@MyChassis-ch0x-0x:0]# asg_arp --legacy
1_01:
Address                  HWtype  HWaddress           Flags Mask            Iface
ssm2                     ether   04:02:03:04:05:40   C                     eth2-CIN
ssm1                     ether   02:02:03:04:05:40   C                     eth1-CIN
1_2                      ether   00:1C:7F:02:04:FE   C                     Sync
172.23.19.4              ether   54:7F:EE:6A:D0:BC   C                     eth1-Mgmt2
1_02:
Address                  HWtype  HWaddress           Flags Mask            Iface
1_01                     ether   00:1C:7F:01:04:FE   C                     Sync
ssm1                     ether   02:02:03:04:05:40   C                     eth1-CIN
[Expert@MyChassis-ch0x-0x:0]#