I need to step up my Check Point skills, so let's have a little look through the CLI (GAIA) today.
I have a VM running (as a Security Gateway and Systems Management Server); it will talk happily to my Windows VM, which is running SmartDashboard (and everything else), but as I am on the Mac laptop, SSH is my only option...
So let's see what the CLI offers us, starting with a ?:
```
gw-8090bc> ?
<TAB> key can be used to complete / fetch the keyword.
<TAB><TAB> key can be used to see possible command completions.
'?' key can be used to get help on feature / keyword.
UP/DOWN arrow keys can be used to browse thru command history.
LEFT/RIGHT arrow keys can be used to edit command.
'!!','!nn','!-nn' etc. are valid form of executing history cmd.
At more prompt, following keys can be used-
  SPACE key to see the next page.
  ENTER key to see the next line.
  Q/q key to exit to the cli prompt.
Useful commands:
  show interface
  set interface
  add user
  save config
  show commands
  show commands feature
  show configuration
  expert
gw-8090bc>
```

OK, not a huge amount here, but some useful stuff nevertheless. We can check out some interfaces:
```
gw-8090bc> show interface
eth0  lo
gw-8090bc> show interface eth0
state on
mac-addr 00:50:56:80:90:bc
type ethernet
link-state link up
mtu 1500
auto-negotiation on
speed 1000M
ipv6-autoconfig Not configured
duplex full
monitor-mode Not configured
link-speed Not configured
comments
ipv4-address 192.168.0.21/24
ipv6-address Not Configured
ipv6-local-link-address Not Configured
Statistics:
TX bytes:1121127782 packets:768761 errors:0 dropped:0 overruns:0 carrier:0
RX bytes:51630307 packets:562656 errors:0 dropped:0 overruns:0 frame:0
gw-8090bc>
```

I won't bother with any users for the moment, but remembering to save your work is very useful:
```
gw-8090bc> save config
gw-8090bc>
```

We also have a number of show commands, and "show commands" lists every one of them, which is too much to put here. But we can use the "feature" keyword to make the results a little more concise (apologies for the formatting):
```
gw-8090bc> show commands feature
aaa aggregate allowed-client arp as asset auditlog backup
backup-scheduled backups bgp bonding bootp bridging cd clienv
clock cloning-group command commands config config-lock config-state
configuration core-dump cron database date default-route dhcp dns
domainname download edition expert-password expert-password-hash extended
fcd format ftp group groups host hostname igmp inactivity-timeout
install installer instance interface interfaces iphelper ipv6 ipv6-state
kernel-routes local logging mail-notification management max-path-splits
mcvr message mfc mroute neighbor neighbor-entry net-access netflow
ntp ospf password-controls pbr pim ping pppoe protocol-rank proxy
rba rdisc restore restore_policy rip route route-redistribution routed
routedsyslog routemap routemaps router-id router-options scp selfpasswd
slot snapshot snapshots snmp start static-mroute static-route stop
sysenv syslog tacacs_enable tag tftp time timezone trace tracefile
transaction uninstall upgrade uptime user users version virtual-system
volume vpn vrrp vsx web
gw-8090bc> show commands feature users
show users
gw-8090bc> show commands feature version
show version all
show version os build
show version os edition
show version os kernel
show version product
gw-8090bc> show version product
Product version Check Point Gaia R77.20
gw-8090bc>
```

From here we can get the version information, but there is an alternative way to do this, using the "fw" command:
```
gw-8090bc> fw feature
Usage:
fw ver [-h] ...                        # Display version
fw kill [-sig_no] procname             # Send signal to a daemon
fw putkey ...                          # Client server keys
fw sam ...                             # Control sam server
fw sam_policy ...                      # SAM policy editor
fw fetch targets                       # Fetch last policy
fw amw fetch                           # Fetch Anti-Bot & Anti-Virus policy
fw tab [-h] ...                        # Kernel tables content
fw monitor [-h] ...                    # Monitor VPN-1/FW-1 traffic
fw ctl [args]                          # Control kernel
fw lichosts                            # Display protected hosts
fw log [-h] ...                        # Display logs
fw logswitch [-h target] [+|-][oldlog] # Create a new log file;
                                       # the old log is moved
fw repairlog ...                       # Log index recreation
fw mergefiles ...                      # log files merger
fw lslogs ...                          # Remote machine log file list
fw fetchlogs ...                       # Fetch logs from a remote host
fw light                               # fw light supported commands
gw-8090bc> fw ver
This is Check Point's software version R77.20 - Build 221
gw-8090bc>
```

We can also see which policy is in use (this was configured via the GUI):
```
gw-8090bc> fw stat
HOST      POLICY   DATE
localhost Standard 18Feb2016 17:18:10 :  [>eth0] [<eth0]
```

The configuration looks very different to Cisco's IOS. Instead of an indented hierarchical structure, we have a flat series of "set" commands, and we do not seem to be able to use a pipe and include directive, nor can we grep the results. Instead we need to narrow the output down by naming the feature in the command itself:
```
gw-8090bc> show configuration static
CLINFR0329 Invalid command:'show configuration static'.
gw-8090bc> show configuration static-route
set static-route default nexthop gateway address 192.168.0.1 on
gw-8090bc>
```

It's possibly not as intuitive (initially) moving from IOS to GAIA, but I am sure that with a couple of weeks' practice it will start to make sense. So, let's jump in at the deep end and see if we can configure OSPF, mostly by using the tab key to show the options:
```
gw-8090bc> set ospf
area                    - Area
default-ase-cost        - Default ASE Cost
default-ase-type        - Default ASE Type
export-routemap         - Routemap for Export Policy
graceful-restart-helper - Graceful_restart_helper
import-routemap         - Routemap for Import Policy
interface               - Interface
rfc1583-compatibility   - RFC1583 Compatible Mode
spf-delay               - SPF Delay
spf-holdtime            - SPF Holdtime
gw-8090bc> set ospf area backbone on
gw-8090bc> set ospf area 100
nssa         - Not-So-Stubby Area
off          - Off
on           - On
range        - Address Range
stub         - Stub
stub-network - Stub Network
virtual-link - Virtual Link
gw-8090bc> set ospf area 100 on
gw-8090bc>
gw-8090bc> set ospf interface
eth0  lo
gw-8090bc> set ospf interface eth0
area                - Area
authtype            - Authentication Type
cost                - Cost
dead-interval       - Dead Interval
hello-interval      - Hello Interval
passive             - Passive Mode
priority            - Priority
retransmit-interval - Retransmit Interval
virtual-address     - Virtual Address
gw-8090bc> set ospf interface eth0 area 0
RTGRTG0019 Incomplete command.
gw-8090bc> set ospf interface eth0 area 0
off - Off
on  - On
gw-8090bc> set ospf interface eth0 area 0 on
RTGRTG0019 OSPF: Area value must be an IPv4 address or between 1 and 4294967295 or backbone
gw-8090bc> set ospf interface eth0 area backbone on
gw-8090bc>
```

Looks OK so far (but I only have one device running at the moment, so cannot really test). We can confirm the commands:
```
gw-8090bc> show configuration ospf
set ospf area backbone on
set ospf interface eth0 area backbone on
set ospf interface eth0 priority 1
set ospf area 100 on
gw-8090bc>
```

Can we dig in any further? Sure!
```
gw-8090bc> show ospf
border-routers - Border Routers
database       - Database
errors         - Errors
events         - Events
interface      - Interface
interfaces     - All Interfaces
neighbor       - Neighbor
neighbors      - All Neighbors
packets        - Packets
routemap       - ospf Routemap
summary        - Summary
gw-8090bc> show ospf interface
CLINFR0349 Incomplete command.
gw-8090bc> show ospf interface eth0
Name  IP Address    Area ID  State  NC  DR Interface  BDR Interface  Errors
eth0  192.168.0.21  0.0.0.0  DR     0   192.168.0.21  0.0.0.0        0
gw-8090bc> show ospf summary
OSPF Router with ID 192.168.0.21
Instance default
SPF schedule delay: 2 secs
Hold time between two SPFs: 5 secs
Number of Areas in this router: 1
  Normal: 1 Stub: 0 NSSA: 0
RFC1583 compability mode is on
Number of Virtual Links in this router: 0
Number of UpEvents: 1
Number of DownEvents: 0
Default ASE Cost: 1
Default ASE Type: 1
Area: 0.0.0.0
  Number of Interfaces in this area: 1
  Number of ABRs: 0
  Number of ASBRs: 0
  Number of times SPF Algorithm executed: 2
  No Area Ranges Configured
  No Area Stubnets Configured
gw-8090bc>
```

So far so good. But we'll find out if this actually works once we set up another router to talk to it. We'll tackle that tomorrow!
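Because "show configuration" hands back a flat list of "set" commands and GAIA gives us no pipe or grep, the easy route is to pull the dump off the box and filter it there. The Python below is my own added example (not code from the original post or from Check Point): it parses such a dump, groups it by feature the way "show configuration <feature>" does, and flags any OSPF-enabled interface with no "authtype" line, that keyword being the one the CLI completion offered under "set ospf interface eth0". The sample dump is constructed from this post's own output.

```python
# Added example (not from the original post or from Check Point): parse a
# Gaia "show configuration" dump, which is a flat list of "set ..." commands,
# so it can be filtered and checked off-box where grep and scripts are handy.
from collections import defaultdict

# Constructed sample: the static-route and OSPF lines the post shows, as one dump.
SAMPLE_CONFIG = """\
gw-8090bc> show configuration
set static-route default nexthop gateway address 192.168.0.1 on
set ospf area backbone on
set ospf interface eth0 area backbone on
set ospf interface eth0 priority 1
set ospf area 100 on
gw-8090bc>
"""

def parse_set_lines(text):
    """Return each 'set' command as a token list (without the leading 'set'),
    skipping prompt lines, blanks and anything that is not a set command."""
    cmds = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("set "):
            cmds.append(line.split()[1:])
    return cmds

def by_feature(cmds):
    """Group commands by their first keyword, which is what
    'show configuration <feature>' does on the box."""
    groups = defaultdict(list)
    for toks in cmds:
        groups[toks[0]].append("set " + " ".join(toks))
    return dict(groups)

def ospf_interfaces_without_auth(cmds):
    """Interfaces enabled for OSPF ('... area <id> on') that carry no
    'set ospf interface <if> authtype ...' line, i.e. adjacencies that will
    form unauthenticated. 'authtype' is the keyword the CLI completion lists."""
    enabled, authed = set(), set()
    for toks in cmds:
        if toks[:2] != ["ospf", "interface"] or len(toks) < 4:
            continue
        ifname = toks[2]
        if toks[3] == "area" and toks[-1] == "on":
            enabled.add(ifname)
        elif toks[3] == "authtype":
            authed.add(ifname)
    return sorted(enabled - authed)
```

Run against the post's own OSPF configuration it reports eth0, which matches the "show configuration ospf" output above where no authtype was ever set.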
Hope you have enjoyed this little taster of GAIA, more to come soon!