yurisk.info » Checkpoint NG/NGX

MAC finder script

Yuri — Fri, 02 Jul 2010 05:35:37 +0000

While I don’t like going down to Layer 2 , recently I had to do it – I didn’t know IP address of the Cisco router I wanted to connect to but I had access to the Cisco router sitting in the same network. That would be pretty easy to do #show arp on this router and then search on Google to whom belongs each MAC if it wasn’t the subnet mask of /26. Copy pasting each entry of the ARP table into Google didn’t look like a lot of fun. So I wrote a python script that reads MAC addresses in bulk from command line and using downloaded beforehand database of MAC-vendor translations prints vendor for each MAC address. It works for #show arp on CIsco,#show mac-address-table on CIsco switches, #arp -en on Linux (means including Checkpoint), #arp -a on Freebsd ,#show arp of Junos from Juniper, #get sys arp on Fortigate.
Below is the script.
Here:
mac-database.txt – file containing MAC-vendor translation in format , I used standards.ieee.org/regauth/oui/oui.txt as the source with a bit of sed, but if you want ready to use file I recommend nmap-mac-prefixes from nmap source-code distribution http://nmap.org/svn/nmap-mac-prefixes
Download script (to make sure formatting is preserved, an important thing for Python)
http://yurisk.info/scripts/mac-finder.py
Script AND mac database from nmap project – http://yurisk.info/scripts/mac.tar.gz

#!/usr/bin/python
#This script accepts MAC addresses from the command line and
#prints vendor for each mac address
# Author:Yuri, yurisk@yurisk.info,06.2010
import sys
import re
#This function removes from MACs colon or dot and returns MAC as a sequence of HEX chars
def dotreplace(matchobj):
         if matchobj.group(0) == '.':
                return ''
         elif  matchobj.group(0) == ':':
                return ''
#open file with MAC addresses and vendors database,it has form xxxx 
macs=open('mac-database.txt','r')
macs_lines=macs.readlines()
#Read from stdinput
data = sys.stdin.readlines()
for ppp in data:
       popa=re.search('.*([a-f0-9]{4}\.[a-f0-9]{4}\.[a-f0-9]{4}).*',ppp,re.IGNORECASE)
       if popa:
             newpopa=re.sub('\.', dotreplace,popa.group(1))[0:6]
             newpopa_re=re.compile(newpopa,re.IGNORECASE)
             for mac_db in macs_lines:
                 vendor=re.search(newpopa_re,mac_db)
                 if vendor:
                    print ppp.strip(),mac_db[7:]
       popalinux = re.search('.*([a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}).*',ppp,re.IGNORECASE)
       if popalinux:
             newpopalinux=re.sub(':',dotreplace,popalinux.group(1))[0:6]
             newpopalinux_re=re.compile(newpopalinux,re.IGNORECASE)
             for mac_db in macs_lines:
                 vendor=re.search(newpopalinux_re,mac_db)
                 if vendor:
                    print ppp.strip(),mac_db[7:]

       popadash = re.search('.*([a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}).*',ppp,re.IGNORECASE)
       if popadash:
             newpopadash=re.sub('-',dotreplace,popadash.group(1))[0:6]
             newpopadash_re=re.compile(newpopadash,re.IGNORECASE)
             for mac_db in macs_lines:
                 vendor=re.search(newpopadash_re,mac_db)
                 if vendor:
                    print ppp.strip(),mac_db[7:]

Running it:

[root@darkstar ]# ./mac-finder.py

$ arp -a
(10.99.99.150) at 00:50:56:95:74:72 on em0 [ethernet]
(10.99.99.254) at 00:09:0f:31:c8:24 on em0 [ethernet]

(10.99.99.150) at 00:50:56:95:74:72 on em0 [ethernet] VMware, Inc.
(10.99.99.254) at 00:09:0f:31:c8:24 on em0 [ethernet] Fortinet Inc.

Visio stencils for Cisco, Juniper, Fortinet, Checkpoint, Avaya

Yuri — Sat, 26 Jun 2010 12:43:25 +0000

Some links to download Visio stencils of the few most popular vendors.
Juniper
Cisco
Avaya
BlueCoat
Fortinet
Dell
Checkpoint happen not to have official stencils set, only Nokia appliances stuff can be found. So someone volunteered and using icons/press releases/PowerPoint presentations done by the Checkpoint turned it into the Visio stencils:
fireverse.org
If nothing else helps here you can find the rest:
nag.ru/projects/visio

Where do I download the Checkpoint Splat image

Yuri — Sat, 26 Jun 2010 07:15:18 +0000

The answer is surprisingly simple – at the Checkpoint.com . On the home page there is a link to download their products Try Our Products (SPLAT, SmartDefense, Endpoint). You need a free General account in UserCenter, then you fill general questions form and get a link to download the real production image of whatever you chose to download. You get an evaluation license for 30 days at the same page , without any license upon install you get unlimited 15-days trial.

8 Things to do before opening ticket with Checkpoint

Yuri — Fri, 25 Jun 2010 10:40:53 +0000

I’ve been doing Checkpoint quite a lot, actually for years now. And this inevitably involves
communicating with the Checkpoint Technical Assistance Centre (TAC) . And while
you can easily come up with impression that it is pretty bad (look around at cpug.org for heated flames about that), my view is that a lot depends on you. The way you manage the ticket and interaction with the Checkpoint TAC is often more important than anything else for successful resolution of the case.
To assist in that I prepared this list of things to do and have in mind before you actually call the TAC and open a case. In my experience following these simple steps will shorten the time and save you nerves substantially.

1.Understand and state the problem exactly.
Clearly defined problem is half the solution. The problem should be described in measurable terms not qualitative ones.
Not "VPN tunnels flap and fail all the time" but "VPN tunnel between this and this peers is coming up for 3-5 minutes then goes down for 10 minutes also communication between sites stops and I see in SmartViewTracker the following… "
Not "If I enable URL filtering all works slow" but "If I enable URL filtering it takes 40 seconds to load the same page that I load in 3 secs without URL-filtering, my download rates from different sites decrease by such and such numbers and in logs I see …"
Screenshots of the error messages are very welcome.

2. "… burden of proof is on the defendant" – gather all needed info even before you get asked to.
Have you worked in a TAC ? No ? Then let me illustrate. The answering Supporter has no slightest idea what the equipment is on your site, what the IP addresses are, whether load-balancers/nat-devices/traffic accelerators are involved, not to mention yours being the 10th case today, in short – he/she knows nothing about your topology, but you ,on the other hand ,having worked for years with the same set up come to think that this knowledge is a known fact to everyone. So please don’t – when approaching the TAC think of it as preparing a presentation that describes your network topology in 10 minutes to a complete stranger on the street (no need to practice this though ).
Topology info you will most probably need to supply:
IP addresses of interfaces and routes of all the devices that are involved in the traffic having a problem.
All NAT/IPS/load balancing/acceleration tempering going on in your network .
Changes in topology that were done just before the problem occurred.

3. Provide Cpinfo files from all the Checkpoint devices involved.
Checkpoint Support engineer most probably has no access to your firewall. And still she/he has to fully understand its configuration and state. The closest to accessing the firewall thing is providing Cpinfo file. If you have a distributed Checkpoint setup do it for all devices as well.
It is also advisable to make sure that all your devices have the latest Cpinfo utility installed [sk30567]. Unfortunately regular users can’t download it from Checkpoint Usercenter you will need at least Partner account with them.

NOTE Regarding handing over files to the Checkpoint TAC. When you supply them Cpinfo files you provide complete information about your firewall – its rules, objects and their properties etc. Think of it as if you were giving them the one-to-one copy of the firewall. So if you have some privacy/confidentiality reservations take it into account .

4. Do a packet capture that also includes the problematic traffic.
Should you have any sort of case demanding serious debug be prepared to attach to the case captured traffic while replicating the problem. Of course consider the load on the firewall but usually to see if there are any drops on the traffic Checkpoint will ask you to do fw monitor –o capture.cap .
Supplement this capture with output of fw ctl zdebug drop > dropped.txt

5.If opening the case through the Checkpoint website and the problem is rather urgent do a follow up call Contact list.
When you open a case it is being put in the queue of all other cases waiting to be assigned to Support Engineers. It happens on FIFO basis (each severity level has its own queue I guess). So it may wait there for few good hours. In such cases and when the case justifies it you may call the TAC and ask the person (not demand) to speed up assigning your case to the Technical Engineer. I used this procedure and usually the case was assigned to someone 15 minutes after my call.

6.Provide correct and most available means to contact you back.
Nothing can be more disheartening for a Supporter than to get a case and then chase you for hours/days.

7. If you work for Checkpoint Partner or proudly hold CCSE/CCSE+ certs do actually some debug yourself .
Working for Checkpoint Partner (as I do) in my opinion not only gives us immediate unrestricted access to the TAC but also the responsibility to do as much as possible to debug the problem ourselves (moreover it sucks to look amateurish) . I should state that I don’t always follow this advice but always try to.
Make the “The NGX Advanced Technical Reference Guide (ATRG) “ [sk31221] your night reading and you will decrease the number of open tickets by 50% guaranteed .
When you do relevant debug even without being able to understand results you save many hours of waiting for the TAC Supporter to just ask you for the very same debug and its logs.

8. In case of emergency call 911 and ask for remote session.
In urgent cases when you experience heavy downtime be prepared and even ask for remote session with the Supporter that got your case. Checkpoint have the TeamViewer-alike software that will allow them to connect to your workstation while it is connected to the firewall. Also the last time I checked this software had no (identifiable) keyloggers/Trojans so don’t worry .

Change IP address on the interface without losing the connection

Yuri — Wed, 02 Jun 2010 17:22:59 +0000

I happen from time to time to configure from scratch some Checkpoint UTM/Open Server that is thousand miles away. And from experience the best way to do it is when you have out-of-band fast access to the firewall. Of course not always such well-organized beforehand set up is available. Just like today when I was asked how to change IP address on the interfcae through which you are connected to the firewall.
Ok, to be more specific – client had been connected with his UTM through some ISP that included also IP addresses on the WAN (External) interface of the firewall. Time has come to change ISP and accordingly its IP addresses.
All went surprisingly well, my collegue added new IP address on the External interface as the Secondary IP and from then on he could access/manage firewall through this new IP without a hitch. There is one but though – SSL VPN service was still listening on the old IP and didn’t work because of that. So we had to remove the new IP as Secondary and put it as the Primary one. For this he asked my opinion , I set up some improvised lab and here is how to do it .

1) First, for unmanned location I set up in cron to do restart in say 10-15 minutes from now so if something goes wrong restart will discard any changes done in step 2;

[Expert@R71]# crontab -l
# DO NOT EDIT THIS FILE – edit the master and reinstall.
# (/tmp/crontab.5649 installed on Wed Jun 2 11:25:53 2010)
# (Cron version — $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
27 11 * * * /sbin/reboot

2) Connected through the ssh I did the following two commands on the same line that when finished should not even disconnect you from the ssh. It brings down secondary IP (aliased interface) and assigns this IP to the External interface as the usual Primary one.

ifconfig External:0 down ; ifconfig External 192.168.2.22 netmask 255.255.255.0

Schedule fw monitor to run unattended

Yuri — Sat, 29 May 2010 08:43:48 +0000

Not a groundbreaking idea but worth remembering that you can also run scheduled fw monitor using the cron. In case you have some problem occurring at the late night hours or you want to run debug at night when system is loaded less or put your case here this is one of the ways to do it.
First, the script named timed_fw_monitor.sh that starts the fw monitor:

#!/bin/bash
# We have to source Checkpoint environment variables for fw monitor to work
. /etc/profile.d/CP.sh
/opt/CPsuite-R71/fw1/bin/fw monitor -o /home/lambada/capture.cap -e ‘accept icmp or port(25);’

Then of course I will want to stop fw monitor , here is the script named stop_fw_monitor.sh that I also put in cron jobs that stops previously started fw monitor :

#!/bin/bash
ps ax | grep ‘capture.cap’ | grep -v grep | awk ‘{ print (”kill -s 3 ” $1) | “/bin/bash” }’

Now my crontab looks like this:

# DO NOT EDIT THIS FILE – edit the master and reinstall.
# (/tmp/crontab.4760 installed on Sat May 29 11:00:22 2010)
# (Cron version — $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
03 23 * * * /home/lambada/timed_fw_monitor.sh > /dev/null
17 23 * * * /home/lambada/stop_fw_monitor.sh > /dev/null

FTP inside VPN Checkpoint troubles

Yuri — Wed, 19 May 2010 18:38:05 +0000

Do we need to fix all the problems all the time ? My answer is no. Also I believe in good solution today and dismiss ideal solutions tomorrow. Let me show this on the real case with one of the clients.
Client has Checkpoint, lots of Checkpoint, just heaps of it. And all their work is based on VPN site to site communication between myriad of remote branches and the central office. All being VPNed. One of the services running inside those endless tunnels is plain old FTP. To be more precise scriptable scheduled transfer of files.
It has been working like that for years until it started making troubles. Not all sites in one go, just one site a day or a week, only that multiplied by the sheer number of the branches it became an avalanche.
Following usual path I tried to fix things by myself, and it worked at the beginning. But then number of troublesome sites increased, at some point I attached Checkpoint to the process. They didn’t see some
major problem, just many seemingly unrelated local ones.
Also the FTP problems differed:
- download of small files went ok but on files > 1Mb it got stuck;
- download of any single file was ok, but multiple files got it stuck;
- files got transferred but with file size 0;
And all this had no obvious reasons – FTP drops here and there. Little by little I found myself fighting the windmills. Could it be solved ? I guess so . How much time ? Months .
Then I solved this problem quite simple – the client didn’t care a bit what file protocol is being used as long as it is scriptable and Windows-friendly. So I run a test, and offered him to use SSH/SCP inside VPN tunnels instead of FTP.
The results of the tests were funny – from the same remote server, and all the rest being the same moving
files with scp (pscp.exe) annihilated all the problems seen with the FTP. That is it.
See you.

Authenticating ssh access on the Checkpoint using external Radius server

Yuri — Sat, 01 May 2010 11:43:40 +0000

I got asked few times on this rather rarely used feature, and as surfing through the Checkpoint docs can be a bit tedious, I‘ll put it here. SSH user authentication against external server, in this case using Radius protocol, is possible but only if you have VPN Pro featured firewall and accordingly VPN Pro license (Advanced Networking Blade if using Blades). Then using firewall’s WebGUI you will have an option to configure external Radius server to authenticate operating system users. See screenshots below.

How to know UTM appliance version on the CLI

Yuri — Fri, 23 Apr 2010 04:48:36 +0000

This one will be short, just a link to the Tobias Lachmann blog where he shows how using dmidecode you can know what is the version of the UTM you are logged in.
Determine UTM-1 appliance series from cli

fw ctl or checkpoint tables by any other name

Yuri — Fri, 09 Apr 2010 05:34:54 +0000

Holidays are over, Checkpoint failures are back, so business as usual. Today I want to draw your attention to often overlooked information source – Checkpoint state tables. While running, the firewall creates, keeps and updates various tables it needs for correct functioning. These tables contain parameters that are mostly of use for firewall itself, but you can query them on the cli, sometimes even flush them as well.
To see all tables with its contents you type –
[Expert@Hollywood]# fw tab
To see only table names –
[Expert@Hollywood]# fw tab | grep “\-\-\-\-\-\-\-”

——– vsx_firewalled ——–
——– firewalled_list ——–
——– external_firewalled_list ——–
——– management_list ——–
——– external_management_list ——–
——– log_server_list ——–
——– tcp_services ——–
——– udp_services ——–
——– internal_interface_list ——–
——– topology_range_list ——–
——– gui_clients_list ——–
——– cp_NG_products_list ——–
——– smtp_av_user_config_match_tab ——–
——– smtp_av_scan_exclusion ——–
——– http_av_user_config_match_tab ——–
——– http_av_scan_exclusion ——–
——– pop3_av_user_config_match_tab ——–
——– pop3_av_scan_exclusion ——–
——– aspam_unique_id ——–
——– aspam_directional_match_tab ——–
——– aspam_smtp_ip_match_tab_src ——–
——– aspam_pop3_ip_match_tab_src ——–
——– aspam_scan_all_traffic ——–
——– auth_rules_on_gw ——–
——– content_security_uf ——–
——– content_security_av ——–
——– content_security_aspam ——–
——– content_security_next_proxy ——–
——– cs_next_proxy_host ——–
——– cs_next_proxy_port ——–
——– module_content_security ——–
——– report_server_list ——–
——– smartPortal_server_list ——–
——– abacus_server_list ——–
——– event_analyzers_list ——–
——– ua_server_list ——–
——– ua_products_list ——–
——– rtm_list ——–
——– cvp_servers_list ——–
——– ufp_servers_list ——–
——– cpmi_clients_list ——–
——– radius_servers_list ——–
——– tacacs_servers_list ——–
——– ldap_servers_list ——–
——– NG_policy_server_list ——–
——– physical_servers_list ——–
——– load_servers_list ——–
——– drop_rejct_rules ——–
——– gsn_quota ——–
——– no_nat_comm_4 ——–
——– community_no_nat ——–
——– http_services ——–
——– ftp_services ——–
——– smtp_services ——–
——– pop3_services ——–
——– cifs_services ——–
——– dns_services ——–
——– sip_services ——–
——– mgcp_services ——–
——– dns_rand_servers ——–
——– aspam_wb_ip ——–
——– mgcp_cmd ——–
——– sip_method ——–
——– non_scv_hosts ——–
——– gtp_apn_params ——–
——– ssl_tunnels_excluded_services ——–
——– ssl_tunnels_excluded_clients ——–
——– syslg_relay_servers_list ——–
——– dcerpc_maps ——–
——– dcerpc_rmaps ——–
——– dcerpc_binds ——–
——– dcerpc_epm_requests ——–
——– dcerpc_map_ports ——–
——– dcerpc_udp_maps ——–
——– dcerpc_udp_rmaps ——–
——– dcerpc_udp_epm_requests ——–
——– dcerpc_udp_hpov_maps ——–
——– dcerpc_logs ——–
——– dcerpc_reply_any_port ——–
——– dcom_objects ——–
——– dcom_remote_activations ——–
——– dcom_call_ids ——–
——– dcom_high_port ——–
——– dcom_sysact_state ——–
——– compiled_cifs_resources ——–
——– userc_rules ——–
——– userc_bind ——–
——– userc_key ——–
——– userc_users ——–
——– userc_pending ——–
——– userc_slan ——–
——– userc_dtm_cache ——–
——– pending ——–
——– rpc_serv_hosts ——–
——– rpc_serv ——–
——– rpc_sessions ——–
——– pmap_req ——–
——– pmap_not_responding ——–
——– logged ——–
——– trapped ——–
——– check_alive ——–
——– auth_services ——–
——– client_auth ——–
——– client_was_auth ——–
——– autoclntauth_fold ——–
——– session_requests ——–
——– pending_session_requests ——–
——– sso_requests ——–
——– auth_status ——–
——– av_cache ——–
——– proxied_conns ——–
——– genufp_requests ——–
——– genufp_matched ——–
——– genufp_mismatched ——–
——– icmp_requests ——–
——– icmp_replies ——–
——– icmp_errors ——–
——– forbidden_tab ——–
——– ipufp_cache ——–
——– ufp_statistic ——–
——– dynobj_cache ——–
——– dns_rand_to_sid ——–
——– dns_sid_to_rand ——–
——– dns_response_misses ——–
——– snid_enc_keys ——–
——– resolve_hostbyname_cache ——–
——– resolve_hostbyaddr_cache ——–
——– voip_host_connections ——–
——– cac_codecs ——–
——– sip_state ——–
——– earlynat_sport ——–
——– sip_dynamic_port ——–
——– sip_cseq ——–
——– mgcp_conn ——–
——– mgcp_tid ——–
——– mgcp_registration ——–
——– mgcp_earlynat_tid ——–
——– mgcp_dynamic_port ——–
——– ssl_v3_conns ——–
——– ssh2_syn_table ——–
——– ssh2_client_seq ——–
——– p2p_sessions ——–
——– edonkey_clients ——–
——– p2p_packets ——–
——– pptp_state ——–
——– first_master ——–
——– mapped_if ——–
——– fwx_sticky_port ——–
——– allowed_ip_options ——–
——– allowed_ipopts_proto ——–
——– hide_behind_low_ports ——–
——– cluster_mcast_nolog ——–
——– hide_services_ports ——–
——– no_hide_services_ports ——–
——– no_fold_services_ports ——–
——– nokia_no_fold_ports ——–
——– no_misp_services_ports ——–
——– pop3d_clients ——–
——– epq_quarantined_host ——–
——– aspam_syn_cache ——–
——– tcp_services_props ——–
——– udp_services_props ——–
——– other_services_props ——–
——– adp_ca_brightstor_tab ——–
——– rc4_table ——–
——– Objhbbbjb ——–
——– ObjUOdnB ——–
——– ObjSRqhab ——–
——– ObjLALMqb ——–
——– ObjsFK9hb ——–
——– Obj4kPyz ——–
——– ObjO80qQb ——–
——– ObjolM2n ——–
——– mhis_tab ——–
——– Obja2fNE ——–
——– ObjQvSXqb ——–
——– ObjGiirDb ——–
——– http_hand_tab ——–
——– Objn_q2i ——–
——– Objo2Goeb ——–
——– ObjdSJuO ——–
——– ObjqYUGFb ——–
——– contnt_prot_state_table ——–
——– backweb_connections ——–
——– freetel_connections ——–
——– iiop_requests ——–
——– x11verify_tab ——–
——– wf_connections ——–
——– exchange_notifies ——–
——– rtsp_tab ——–
——– ncp_table ——–
——– e2e_gwbw_table ——–
——– vpn_range_gateways ——–
——– vpn_range_gateways_valid ——–
——– cvp_connections ——–
——– p2p_logged ——–
——– welchia_tab ——–
——– ssh_sessions ——–
——– gif_rerun_tbl ——–
——– aviwave_table ——–
——– png_tab ——–
——– emf_wmf_tab ——–
——– ObjIqngWb ——–
——– Obj1Pjdc ——–
——– ObjEcVuT ——–
——– ObjBYyIB ——–
——– mpe_pme_tab ——–
——– ObjipTMsb ——–
——– ObjAIP_g ——–
——– Obj1_j2Qb ——–
——– ObjsRmHN ——–
——– ObjgGBn_b ——–
——– Obj8YTItb ——–
——– office_rerun_tab ——–
——– block_office_ppt_start ——–
——– block_office_offset ——–
——– block_office_retrans ——–
——– ObjYpZWX ——–
——– ObjLRkIWb ——–
——– ObjiMhGQ ——–
——– ObjdZJgJb ——–
——– Obji4D8J ——–
——– ObjTBbSbb ——–
——– ObjFYJhJb ——–
——– ObjK3HfXb ——–
——– Obj3Izhfc ——–
——– ObjATGcAb ——–
——– snmp_pdu_types ——–
——– ObjPKm54b ——–
——– ObjpZHv1 ——–
——– ObjNPV8V ——–
——– Objmeh8Ub ——–
——– Obj0XzAN ——–
——– ObjXatVDb ——–
——– syslog_dates ——–
——– buf_table ——–
——– cram_table ——–
——– imap_log_tbl ——–
——– imap_except_tbl ——–
——– flac_table ——–
——– sami_tbl ——–
——– ObjajI9Rb ——–
——– ObjCGXEdb ——–
——– pct_opcode_tab ——–
——– pct_tab ——–
——– Obj1e5hC ——–
——– ObjRztz7 ——–
——– ObjaxeIAb ——–
——– ObjwNbxib ——–
——– word_plflfo_tbl ——–
——– word_sprm_tbl ——–
——– ObjkxWEfc ——–
——– Obj217K1 ——–
——– flash_tab ——–
——– ObjjoQvm ——–
——– ObjUZxDgc ——–
——– ObjlgJhcc ——–
——– ObjaLxvLb ——–
——– rtf_fmp_parse27_tab ——–
——– ssl_counter_tab ——–
——– dns_bruth_tab ——–
——– dns_bruth_tab_case ——–
——– dns_bruth_res_tab ——–
——– pdf_jbig_tbl ——–
——– ObjO5atzb ——–
——– ObjCy5LO ——–
——– ObjmbEnl ——–
——– ObjxZiyv ——–
——– Obj8sHTQb ——–
——– ObjCMpyg ——–
——– ObjMbgQeb ——–
——– ObjHh3It ——–
——– ObjsYf1n ——–
——– ldap_leak_tab ——–
——– ObjhPV7z ——–
——– ObjEkdpjc ——–
——– ObjH3V57 ——–
——– pe_parser_tbl ——–
——– Obj6a6Th ——–
——– ObjHkxoe ——–
——– Obj6yDZpb ——–
——– ObjRpdDu ——–
——– ObjiB_Z4b ——–
——– ms_proj_tab ——–
——– ObjyXqwA ——–
——– sdupdate_dynamic_tab_attrs ——–
——– vpn_active ——–
——– encryption_requests ——–
——– decryption_pending ——–
——– rdp_table ——–
——– rdp_dont_trap ——–
——– userc_encapsulating_clients ——–
——– MSPI_cluster_feedback ——–
——– MSPI_cluster_feedback_new ——–
——– L2TP_MSPI_cluster_feedback ——–
——– MSPI_cluster_update ——–
——– L2TP_MSPI_cluster_update ——–
——– MSPI_cluster_request ——–
——– MSPI_feedback_to_delete ——–
——– ATLAS_ROBO_Objects ——–
——– DAG_ID_to_IP ——–
——– DAG_IP_to_ID ——–
——– ipsec_crypt_pending ——–
——– inbound_SPI ——–
——– outbound_SPI ——–
——– resolving_requests ——–
——– MSPI_requests ——–
——– SPI_requests ——–
——– resolving_req_connections ——–
——– MSPI_req_connections ——–
——– user_auth_groups ——–
——– IKE_SA_table ——–
——– new_IKE_SA_update ——–
——– IPSEC_userc_dont_trap_table ——–
——– SEP_my_IKE_packet ——–
——– tcpt_external_ip ——–
——– L2TP_tunnels ——–
——– L2TP_sessions ——–
——– L2TP_lookup ——–
——– vpn_if_peer_mspi ——–
——– vpn_interfaces_table ——–
——– peer_vpn_if_mapping ——–
——– MSPI_by_methods ——–
——– MSPI_cluster_map ——–
——– resolved_interface ——–
——– MEP_chosen_gw ——–
——– crypt_resolver_db ——–
——– MEP_ls ——–
——– userc_resolve_dont_trap ——–
——– fwz_crypt_pending ——–
——– crypt_resolver_uptag ——–
——– cryptlog_table ——–
——– udp_enc_cln_table ——–
——– cluster_connections_nat ——–
——– IPSEC_mtu_icmp ——–
——– IPSEC_mtu_icmp_wait ——–
——– XPO_names ——–
——– communities_names ——–
——– peers_names ——–
——– local_vpn_routing ——–
——– VIN_SA_to_delete ——–
——– udp_response_nat ——–
——– marcipan_mapping ——–
——– marcipan_ippool_users ——–
——– marcipan_ippool_allocated ——–
——– reliable_trap ——–
——– peers_count ——–
——– IKE_peers ——–
——– ipalloc_tab ——–
——– persistent_tunnels ——–
——– dhcp_nat_params_tab ——–
——– my_daip_ip_to_id ——–
——– om_assigned_ips ——–
——– om_radius ——–
——– tnlmon_listener_list ——–
——– tnlmon_life_sign ——–
——– preferred_MEP_gw ——–
——– tnlmon_job_list ——–
——– udp_enc_route_refcount ——–
——– reload_policy_timer ——–
——– http_vpnd_cookies ——–
——– sslt_om_ip_params ——–
——– ssl_tunnel_id_to_mspi ——–
——– http_ics_pre_auth_cookies ——–
——– vpnd_ics_report_suid ——–
——– vpn_queues ——–
——– ike2esp ——–
——– peer2ike ——–
——– ike2peer ——–
——– initial_contact_pending ——–
——– user_properties ——–
——– rdp_state_repository ——–
——– ike_state_repository ——–
——– get_topology_state_repository ——–
——– ike_temp_DAG_IP_to_ID ——–
——– resolved_link ——–
——– orig_route_params ——–
——– cluster_active_robo ——–
——– edge_clusters ——–
——– outbound_spi_by_peer ——–
——– robo_active_link ——–
——– src_ip_by_peer ——–
——– natt_port ——–
——– frl_table ——–
——– sslt_disconnect_reasons ——–
——– vpn_best_route_cache ——–
——– TunnelTest_NAT ——–
——– slp_active_users ——–
——– dag_dhcp_requests ——–
——– net_quota_exclusion_table ——–
——– sr_enc_domain ——–
——– sr_enc_domain_valid ——–
——– vpn_enc_domain ——–
——– vpn_enc_domain_valid ——–
——– vpn_methods ——–
——– vpn_routing ——–
——– vpn_enable_routing ——–
——– vpn_enable_internet_routing ——–
——– static_interface_resolve ——–
——– daip_ranges ——–
——– Robo_ranges ——–
——– Robo_ids ——–
——– Robo_allowed_ranges ——–
——– Robo_clusters ——–
——– sdb_edge_clusters ——–
——– community_domain_4 ——–
——– community_excl_udp_4 ——–
——– om_protected_group ——–
——– gw_properties ——–
——– vpn_rulematch ——–
——– comm_conn_level ——–
——– ca_servers_addresses ——–
——– target_list10 ——–
——– rulenum_list13 ——–
——– rulenum_list14 ——–
——– rulenum_list15 ——–
——– fwportscn_vertical_exclude ——–
——– fw_allow_out_of_tcp_always ——–
——– spii_proto_tab ——–
——– DAG_range ——–
——– NAT_src_intvl_list ——–
——– NAT_dst_intvl_list ——–
——– NAT_src_any_list ——–
——– NAT_dst_any_list ——–
——– NAT_rules ——–
——– full_service_list11 ——–
——– full_service_list12 ——–
——– ip_list1 ——–
——– ip_list2 ——–
——– ip_list3 ——–
——– ip_list4 ——–
——– ip_list5 ——–
——– ip_list6 ——–
——– ip_list7 ——–
——– ip_list8 ——–
——– ip_list9 ——–
——– dir_scan_addrs_list1 ——–
——– valid_addrs_list1 ——–
——– dir_scan_addrs_list2 ——–
——– valid_addrs_list2 ——–
——– gw2gw_communities_ids ——–
——– tcpt_gws ——–
——– svm_profiler ——–
——– svm_range_gateways ——–
——– svm_range_gateways_valid ——–
——– svm_e2e_gwbw_table ——–
——– vpncl_om2cookier ——–
——– vpncl_cookier2om ——–
——– vpncl_ccc_iphone_sessions ——–
——– vpncl_ccc_sessions ——–
——– vpncl_cpras_topology_policy_id ——–
——– sockstress_blocked ——–
——– sockstress_suspicious ——–
——– sockstress_local ——–
——– sockstress_src ——–
——– sam_L2_requests ——–
——– sam_blocked_ips_v2 ——–
——– sam_requests_v2 ——–
——– sam_uid ——–
——– sam_L2_src_dst_requests ——–
——– mrt_sync_table ——–
——– closed_conns ——–
——– fwarp_arpq_tbl ——–
——– fwneighq_tbl ——–
——– strmap_table ——–
——– fwha_VPN_hash_table ——–
——– cpas_cookie_hash ——–
——– cpas_pmtu ——–
——– h323_registration ——–
——– rules_uid_new_table ——–
——– uid2kbuf ——–
——– tab_name_table ——–
——– sip_registration ——–
——– fwx_cache ——–
——– redirected_conns ——–
——– h323_gk_pending_table ——–
——– cphwd_vpndb ——–
——– host_ip_addrs_all ——–
——– excessive_table ——–
——– scv_held_packets_table ——–
——– conn_info ——–
——– chain_log_unification_table ——–
——– fwx_pending ——–
——– scv_ps_table ——–
——– scv_gw_table ——–
——– string_dictionary_table ——–
——– sam_log ——–
——– sam_requests ——–
——– sam_blocked_ips ——–
——– spii_global_pset2kbuf_map ——–
——– spii_multi_pset2kbuf_map ——–
——– ws_protection_scheme_table ——–
——– saved_kbuf_table ——–
——– son_conns ——–
——– parent_conn ——–
——– connections ——–
——– fwx_cntl_dyn_tab ——–
——– h323_tracer_table ——–
——– fwx_auth ——–
——– host_ip_addrs ——–
——– hold_table ——–
——– frag_table ——–
——– arp_table ——–
——– fwx_alloc ——–

Now round up of some useful for whatever reason tables you should know about.
NOTE – When service is not loaded corresponding table isnt as well
# fw tab -t http_av_scan_exclusion

localhost:
Table http_av_scan_exclusion not loaded: Invalid argument

Most of the time values in these tables are presented as integer or hex values , and almost always they contain IP addresses. Adding –f option to the command deciphers output a bit but not completely , so IP integer-to-decimal converter will be very handy.

To see local encryption domain of this gateway without entering SmartDashboard:
# fw tab -f -t vpn_enc_domain

Using cptfmt
localhost:
Date: Apr 7, 2010
8:26:33 192.168.29.25> : (+)====================================(+); Table_Name: vpn_enc_domain; : (+); Attributes: static, id 381; product: VPN-1 & FireWall-1;

8:26:33 192.168.29.25> : (+); First: 10.20.201.1; ,Last: 10.20.201.3; product: VPN-1 & FireWall-1;
8:26:33 192.168.29.25> : (+); First: 172.18.1.0; ,Last: 172.18.1.255; product: VPN-1 & FireWall-1;
8:26:33 192.168.29.25> : (+); First: 192.168.20.251; ,Last: 192.168.20.253; product: VPN-1 & FireWall-1;
;8:26:33 192.168.29.25> : (+); First: 192.168.21.0; ,Last: 192.168.21.255; product: VPN-1 & FireWall-1;
8:26:33 192.168.29.25> : (+); First: 192.168.22.11; ,Last: 192.168.22.12; product: VPN-1 & FireWall-1;

Another command that gives the local encryption domain, on few firewalls I tried the output was the same , so Don’t know what the difference
# fw tab -f -t vpn_enc_domain_valid

Using cptfmt
localhost:
Date: Apr 7, 2010
8:52:30 192.168.29.25> : (+)====================================(+); Table_Name: sr_enc_domain_valid; : (+); Attributes: static, id 380; product: VPN-1 & FireWall-1;
8:52:30 192.168.29.25> : (+); First: 10.20.201.1; ,Last: 10.20.201.3; product: VPN-1 & FireWall-1;
8:52:30 192.168.29.25> : (+); First: 172.18.1.0; ,Last: 172.18.1.255; product: VPN-1 & FireWall-1;
8:52:30 192.168.29.25> : (+); First: 192.168.20.251; ,Last: 192.168.20.253; product: VPN-1 & FireWall-1;
8:52:30 192.168.29.25> : (+); First: 192.168.21.0; ,Last: 192.168.21.255; product: VPN-1 & FireWall-1;
8:52:30 192.168.29.25> : (+); First: 192.168.22.11; ,Last: 192.168.22.12; product: VPN-1 & FireWall-1;

See encryption domain for Secure Remote users
# fw tab -f -t sr_enc_domain_valid

8:52:30 192.168.29.25> : (+); First: 10.20.201.1; ,Last: 10.20.201.3; product: VPN-1 & FireWall-1;
8:52:30 192.168.29.25> : (+); First: 172.18.1.0; ,Last: 172.18.1.255; product: VPN-1 & FireWall-1;
8:52:30 192.168.29.25> : (+); First: 192.168.20.251; ,Last: 192.168.20.253; product: VPN-1 & FireWall-1;
8:52:30 192.168.29.25> : (+); First: 192.168.21.0; ,Last: 192.168.21.255; product: VPN-1 & FireWall-1;
8:52:30 192.168.29.25> : (+); First: 192.168.22.11; ,Last: 192.168.22.12; product: VPN-1 & FireWall-1;

To see SPI database entries of established VPN tunnels and its parameters
# fw tab -f -t inbound_SPI

Using cptfmt
localhost:
Date: Apr 7, 2010
8:34:56 192.168.29.25> : (+)====================================(+); Table_Name: inbound_SPI; : (+); Attributes: dynamic, id 289, attributes: keep, sync, expires 3600, limit 40800, hashsize 65536, kbuf 1 3, free function f9b32640 0, post sync handler f9b22330; product: VPN-1 & FireWall-1;

8:34:56 192.168.29.25> : (+); SPI: d21c5e68; CPTFMT_sep: ;; Protocol: IPSEC_ESP_SA(2); ,Schema: IKE(3); ,me: 192.168.22.11; ,peer: 122.18.9.20; ,owner: 127.0.0.1; ,MyRange:First: 192.168.21.0; Last: 192.168.21.255; ,PeerRange:First: 192.168.214.0; PeerLast: 192.168.214.255; ,HWInitialized: NO; ,MSPI: 13; ,Host: 192.168.22.11; ,Peer: 122.18.9.20; Expires: 2149/3610; product: VPN-1 & FireWall-1;

To see the active VPN peers with IKE phase up
# fw tab -f -t IKE_peers

Date: Apr 7, 2010
8:36:36 192.168.29.25> : (+)====================================(+); Table_Name: IKE_peers; : (+); Attributes: dynamic, id 333, attributes: keep, sync, expires never, limit 25000, hashsize 512; product: VPN-1 & FireWall-1;

8:36:36 192.168.29.25> IkePeer: 212.13.12.128; : (+); Expires: 876861451/2147483647; product: VPN-1 & FireWall-1;
8:36:36 192.168.29.25> IkePeer: 212.13.12.129; : (+); Expires: 876861451/2147483647; product: VPN-1 & FireWall-1;

Here you can see what port is used for NAT traversal
# fw tab -f -t natt_port

Date: Apr 7, 2010
8:37:34 192.168.29.25> : (+)====================================(+); Table_Name: natt_port; : (+); Attributes: dynamic, id 369, attributes: expires never, limit 25000, hashsize 4; product: VPN-1 & FireWall-1;

8:37:34 192.168.29.25> Key: 00001194; Expires: 876861393/2147483647; product: VPN-1 & FireWall-1;
The value is in hex 0×1194 = 4500

List table of Security Associations
# fw tab -f -t IKE_SA_table

Date: Apr 7, 2010
8:41:47 192.168.29.25> : (+)====================================(+); Table_Name: IKE_SA_table; : (+); Attributes: dynamic, id 297, attributes: keep, sync, expires 3600, limit 40400, hashsize 65536, implies 296, kbuf 1, free function f9b22830 0, post sync handler f9b25d80; product: VPN-1 & FireWall-1;

8:41:47 192.168.29.25> : (+); ,CookieI: 1a4406adfa1e1b26; ,CookieR: a64bea22245f2ac2; CPTFMT_sep: ;; EncryptAlg: 0; ,HashAlg: 0; ,DH_Group: 0; ,AuthMethod: 1; ,Flags: 0; ,RenegotiationTime: 2046191617; Expires: 20089/86399; product: VPN-1 & FireWall-1;

Pretty much the same data , number of peers

# fw tab -f -t peers_count

Date: Apr 7, 2010
8:46:48 192.168.29.25> : (+)====================================(+); Table_Name: peers_count; : (+); Attributes: dynamic, id 332, attributes: keep, expires never, limit 10200, hashsize 16384, kbuf 1; product: VPN-1 & FireWall-1;
8:46:48 192.168.29.25> : (+); IPsec peer: 31.112.182.6; CPTFMT_sep: ;; ,Ref-count: 2; Expires: 876860840/2147483647; product: VPN-1 & FireWall-1;
8:46:48 192.168.29.25> : (+); IPsec peer: 122.18.9.20; CPTFMT_sep: ;; ,Ref-count: 1; Expires: 876860840/2147483647; product: VPN-1 & FireWall-1;

List of hosts with which this firewall has currently open sessions (whatever they may be )
# fw tab -f -t static_interface_resolve

Date: Apr 7, 2010
8:55:59 192.168.29.25> : (+)====================================(+); Table_Name: static_interface_resolve; : (+); Attributes: static, id 387; product: VPN-1 & FireWall-1;

8:55:59 192.168.29.25> : (+); Peer_interface: 10.20.20.1; ,Peer_main_addr: 21.23.9.2; product: VPN-1 & FireWall-1;
8:55:59 192.168.29.25> : (+); Peer_interface: 58.13.2.78; Peer_resolved_addr: 58.13.2.78; ,Peer_main_addr: 58.13.2.78; product: VPN-1 & FireWall-1;

To list NAT rules numbers as appear in the SmartDashboard that have Any as destination and as source correspondingly
# fw tab -f -t NAT_dst_any_list

Date: Apr 7, 2010
9:01:13 192.168.29.25> : (+)====================================(+); Table_Name: NAT_dst_any_list; : (+); Attributes: static, id 434; product: VPN-1 & FireWall-1;

9:01:13 192.168.29.25> Key: 0000000a, 0000000a; product: VPN-1 & FireWall-1; //Rule number 10
9:01:13 192.168.29.25> Key: 0000000c, 0000000c; product: VPN-1 & FireWall-1; //Rule number 12
9:01:13 192.168.29.25> Key: 0000000e, 0000000e; product: VPN-1 & FireWall-1;

# fw tab -f -t NAT_src_any_list

Date: Apr 7, 2010
9:00:31 192.168.29.25> : (+)====================================(+); Table_Name: NAT_src_any_list; : (+); Attributes: static, id 433; product: VPN-1 & FireWall-1;

9:00:31 192.168.29.25> Key: 00000006, 00000006; product: VPN-1 & FireWall-1; // Rule number 6
9:00:31 192.168.29.25> Key: 00000007, 00000007; product: VPN-1 & FireWall-1; // Rule number 7

List all NAT rules .
Some explanation here . Here all IP addresses are in hexadecimal representation . To translate it to usual decimal one I translate (say using calc.exe) Hex -> Integer , then using some Internet converter , Integer -> decimal . In () are my comments
# fw tab -f -t NAT_rules

Date: Apr 7, 2010
9:02:19 192.168.29.25> : (+)====================================(+); Table_Name: NAT_rules; : (+); Attributes: static, id 435; product: VPN-1 & FireWall-1;

9:02:19 192.168.29.25> Key: 00000001(Rule number); CPTFMT_sep: ;; Data: 00000000, 00000000, ff000001 (255.0.0.1) , BD8AFF3C (189.138.255.60 Original Src in Nat rule), BD8AFF3C, c0a8d1fd (192.168.209.253 Translated source IP), ff010202 (255.1.2.2), C0A81596 (192.168.21.150 Original packet destination) , C0A81596, C0A81596, 00000000, 00000000, 00000000, 00000000; product: VPN-1 & FireWall-1;

List open connection to/from the firewall
# fw tab -f -t connections

Date: Apr 7, 2010
10:22:43 80.19.1.150> : (+)====================================(+); Table_Name: connections; : (+); Attributes: dynamic, id 8158, attributes: keep, sync, aggressive aging, kbuf 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31, expires 60, refresh, limit 75000, hashsize 262144, free function f9faf4e0 0, post sync handler f9fa3470; product: VPN-1 & FireWall-1;

10:22:43 80.19.1.150> : ———————————–(+); Direction: 1; Source: 172.17.110.111; SPort: 1517; Dest: 210.48.77.30; DPort: 443; Protocol: tcp; CPTFMT_sep_1: ->; Direction_1: 0; Source_1: 172.17.110.111; SPort_1: 1517; Dest_1: 210.48.77.30; DPort_1: 443; Protocol_1: tcp; FW_symval: 2; product: VPN-1 & FireWall-1;

Something that has to do with IPS I guess
# fw tab -f -t string_dictionary_table

Date: Apr 7, 2010
10:23:52 80.19.1.150> : (+)====================================(+); Table_Name: string_dictionary_table; : (+); Attributes: dynamic, id 8135, attributes: keep level 2, kbuf 1, expires never, limit 32768, hashsize 4096; product: VPN-1 & FireWall-1;
10:23:52 80.19.1.150> Expires: 876858615/2147483647; product: VPN-1 & FireWall-1;
10:23:52 80.19.1.150> Expires: 876858615/2147483647; product: VPN-1 & FireWall-1;
10:23:52 80.19.1.150> Hash: dc17462d0fdcfdfd42c80679dbd63b4; ID: 3672; Data: Microsoft Windows search-ms protocol handler command execution (MS08-075); Expires: 876858615/2147483647; product: VPN-1 & FireWall-1;
10:23:52 80.19.1.150> Expires: 876858615/2147483647; product: VPN-1 & FireWall-1;
10:23:52 80.19.1.150> Expires: 876858615/2147483647; product: VPN-1 & FireWall-1;
10:23:52 80.19.1.150> Hash: e36d6da340f3ce9df3d02fd991b07765; ID: 822; Data: Command ‘%s’ is out of expected state ‘%s’; Expires: 876858615/2147483647; product: VPN-1 & FireWall-1;
10:23:52 80.19.1.150> Hash: c377d9acdbb7a8a3cd182b514df494d; ID: 657; Data: smtp_block_bin_enable; Expires: 876858615/2147483647; product: VPN-1 & FireWall-1;
10:23:52 80.19.1.150> Hash: 34bd42a272028c23476653dfcbac806d; ID: 648; Data: Out of bounds – an offset was given that references outside the packet; Expires: 876858615/2147483647; product: VPN-1 & FireWall-1;
10:23:52 80.19.1.150> Hash: b8d505cb64b542f15dcea55a93802fb; ID: 2681; Data: Cisco IOS IPv4 Packets Denial of Service; Expires: 876858615/2147483647; product: VPN-1 & FireWall-1;
10:23:52 80.19.1.150> Hash: 30f7c4e2db021c4977c2a92b48bb97ed; ID: 2241; Data: Invalid SIT field in SA payload header; Expires: 876858615/2147483647; product: VPN-1 & FireWall-1;
10:23:52 80.19.1.150> Hash: 29aa7499fca2d0cdc9f9d954c9a7b7d2; ID: 979; Data: Virtual defragmentation error: Memory failure; Expires: 876858615/2147483647; product: VPN-1 & FireWall-1;
10:23:52 80.19.1.150> Hash: de1c15759f50957189b1ba346bfc07fa; ID: 655; Data: Security violation; Expires: 876858615/2147483647; product: VPN-1 & FireWall-1;
10:23:52 80.19.1.150> More_Entries: 7782; product: VPN-1 & FireWall-1;