checkpoint



Check packet traffic without launching Checkpoint SmartView Tracker

When troubleshooting packet traffic, you can check what the Checkpoint firewall is logging for a packet without launching SmartView Tracker by running the kernel debug command 'fw ctl zdebug'.

Example: to check whether traffic from 192.168.1.1 is being dropped, run

fw ctl zdebug drop | grep 192.168.1.1

———————

Output examples:

———————

fw_log_drop: Packet proto=6 192.168.1.1:2048 -> 10.120.121.251:2000 dropped by fw_antispoof_log Reason: Address spoofing

fw_log_drop: Packet proto=6 192.168.1.1:2049 -> 10.120.121.252:2001 dropped by fw_handle_first_packet Reason: Rulebase drop – rule 15

fw_log_drop: Packet proto=6 192.168.1.1:2050 -> 10.120.121.253:2002 dropped by fw_icmp_stateless_checks Reason: ICMP redirect packets are not allowed
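An added example, not part of the original post: a small Python script that parses 'fw ctl zdebug drop' lines like the ones above into structured fields (protocol, source, destination, the kernel function that dropped the packet, the reason, and the rule number when the reason names one) and tallies drops by reason, so a long debug capture can be triaged without reading it line by line. The sample input is the three lines above plus one constructed noise line; the field names and the 'src_filter' parameter are my own choices.

```python
import re
import sys
from collections import Counter

# Constructed sample: the three drop lines shown on this page plus one
# unrelated line, to show that lines that do not match are reported, not lost.
SAMPLE_OUTPUT = """\
fw_log_drop: Packet proto=6 192.168.1.1:2048 -> 10.120.121.251:2000 dropped by fw_antispoof_log Reason: Address spoofing
fw_log_drop: Packet proto=6 192.168.1.1:2049 -> 10.120.121.252:2001 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 15
fw_log_drop: Packet proto=6 192.168.1.1:2050 -> 10.120.121.253:2002 dropped by fw_icmp_stateless_checks Reason: ICMP redirect packets are not allowed
some unrelated kernel debug noise
"""

# IANA protocol numbers for the values most often seen in this output.
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Shape of a drop line as shown on this page (assumed; other zdebug output may differ).
DROP_RE = re.compile(
    r"fw_log_drop: Packet proto=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"dropped by (?P<func>\w+) Reason: (?P<reason>.+)$"
)


def parse_drop_line(line):
    """Return a dict of fields for one drop line, or None if it does not match."""
    m = DROP_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for key in ("proto", "sport", "dport"):
        d[key] = int(d[key])
    d["proto_name"] = PROTO_NAMES.get(d["proto"], str(d["proto"]))
    # Rulebase drops name the rule that matched; keep it as a number for sorting.
    rule = re.search(r"rule (\d+)", d["reason"])
    d["rule"] = int(rule.group(1)) if rule else None
    return d


def parse_drops(text, src_filter=None):
    """Parse all lines; optionally keep only drops from one source address.

    Returns (drops, unparsed) so noise lines can be inspected separately.
    """
    drops, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        d = parse_drop_line(line)
        if d is None:
            unparsed.append(line)
            continue
        if src_filter and d["src"] != src_filter:
            continue
        drops.append(d)
    return drops, unparsed


def summarize(drops):
    """Count drops per (dropping function, reason) pair."""
    return Counter((d["func"], d["reason"]) for d in drops)


def main():
    # Read from a pipe (fw ctl zdebug drop | python3 this_script.py), or fall back
    # to the constructed sample when run interactively.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    src = sys.argv[1] if len(sys.argv) > 1 else None
    drops, unparsed = parse_drops(text, src_filter=src)
    for (func, reason), n in summarize(drops).most_common():
        print(f"{n:6d}  {func:28s} {reason}")
    for d in drops:
        print(f"        {d['proto_name']} {d['src']}:{d['sport']} -> "
              f"{d['dst']}:{d['dport']} rule={d['rule']}")
    if unparsed:
        print(f"{len(unparsed)} line(s) did not match the drop format", file=sys.stderr)


if __name__ == "__main__":
    main()
```

Pipe the debug output into the script with the source address as the only argument to get the same filtering as the grep above, plus a per-reason count.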

Troubleshooting Checkpoint remote VPN using debug

To troubleshoot Checkpoint firewall remote VPN issues using debug:

1. Start the debug by running the command

vpn debug trunc

2. Initiate VPN traffic to reproduce the problem, then disable the debug

vpn debug off
vpn debug ikeoff

3. Check the logs

cd $FWDIR/log
more ike.elg
more vpnd.elg

Globally change all users' Checkpoint account expiration dates

To globally change the expiration dates of Checkpoint user accounts:

1. Make sure all users are logged out of the GUI

2. Log in to the SmartCenter server or CMA and run the command

fwm expdate <dd-mmm-yyyy>

Nokia Checkpoint Hmem memory allocation errors

The command fw ctl get int fwhmemmax shows the value currently set.

The command fw ctl set int fwhmemmax <new value> sets the value you want.